One Article Review

Source: Anomali
Identifier: 8310132
Publication date: 2023-02-14 17:48:00 (seen: 2023-02-14 18:09:05)
Title: Anomali Cyber Watch: Hospital Ransoms Pay for Attacks on Defense, Nodaria Got Upgraded Go-Based Infostealer, TA866 Moved Screenshot Functionality to Standalone Tool
Text: The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Infostealers, Malicious packages, Malicious redirects, North Korea, Ransomware, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities (published: February 9, 2023)

The US and South Korea issued a joint advisory on ongoing, North Korea-sponsored ransomware activity against healthcare and other critical infrastructure. The proceeds are used to fund North Korea's objectives, including further cyber attacks against the US and South Korean defense and defense industrial base sectors. For initial access, the attackers use a trojanized messenger (X-Popup) or various exploits, including those targeting Apache Log4j2 and SonicWall appliances. Despite having two custom ransomware crypters, Maui and H0lyGh0st, the attackers can portray themselves as a different ransomware group (REvil) and/or use publicly available crypters such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.

Analyst Comment: Organizations in the healthcare sector should consider following the Cross-Sector Cybersecurity Performance Goals developed by the U.S. Cybersecurity and Infrastructure Security Agency and the U.S. National Institute of Standards and Technology. Follow the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts. Turn off weak or unnecessary network device management interfaces.
MITRE ATT&CK: [MITRE ATT&CK] T1583 - Acquire Infrastructure | [MITRE ATT&CK] T1583.003 - Acquire Infrastructure: Virtual Private Server | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1133 - External Remote Services | [MITRE ATT&CK] T1195 - Supply Chain Compromise | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1021 - Remote Services | [MITRE ATT&CK] T1486 - Data Encrypted for Impact

Tags: malware-type:Ransomware, source-country:North Korea, source-country:DPRK, source-country:KP, target-industry:Healthcare, target-sector:Critical infrastructure, target-industry:Defense, target-industry:Defense Industrial Base, Log4Shell, SonicWall, CVE-2021-44228, CVE-2021-20038, CVE-2022-24990, X-Popup, malware:Maui, malware:H0lyGh0st, malware:BitLocker, malware:Deadbolt, malware:ech0raix, malware:GonnaCry, malware:Hidden Tear, malware:Jigsaw, malware:LockBit 2.0, malware:My Little Ransomware, malware:NxRansomware, malware:Ryuk, malware:YourRansom
Site tags: Ransomware, Malware, Tool, Threat, Industrial


The article does not appear to have been republished after its publication.


The article does not appear to be a repeat of an earlier one.