One Article Review

Source: Anomali
Identifier: 8312556
Publication date: 2023-02-22 19:12:00 (viewed: 2023-02-22 20:06:17)
Title: Anomali Cyber Watch: Earth Kitsune Uses Chrome Native Messaging for Persistence, WIP26 Targets Middle East Telco from Abused Clouds, Azerbaijan-Sponsored Group Geofenced Its Payloads to Armenian IPs
Text: The threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: abused cloud instances, APT, Armenia, Azerbaijan, cyberespionage, phishing, social engineering, and watering hole attacks. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potentially malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Coinbase Cyberattack Targeted Employees with Fake SMS Alert (published: February 20, 2023)

On February 5, 2023, several employees of the Coinbase cryptocurrency exchange received a fake SMS alert on their mobile phones. The message told them to urgently log in via the provided link to read an important message. One employee entered credentials on the phishing page, but the attackers could not log in with them because of the MFA requirement. The attackers, likely associated with the previously documented 0ktapus phishing campaign, then called the employee, posing as corporate IT, to phish for more information. Coinbase detected the unusual activity and stopped the breach, although the attackers did obtain the phished user's login credentials and contact information for multiple Coinbase employees.

Analyst Comment: Network defenders are advised to monitor for access attempts coming from third-party VPN providers such as Mullvad VPN, and for downloads of remote desktop viewers such as AnyDesk or ISL Online. Set up monitoring for incoming phone calls and text messages originating from Bandwidth dot com, Google Voice, Skype, and Vonage/Nexmo. The Anomali Premium Domain Monitoring service notifies customers when potential phishing domains are registered. As always with social engineering attacks of this type, employee awareness is key: not just awareness of the threat, but of how to independently verify the legitimacy of any contact and what to do with anything suspicious.

MITRE ATT&CK: [MITRE ATT&CK] T1566.002 - Phishing: Spearphishing Link | [MITRE ATT&CK] T1204 - User Execution | [MITRE ATT&CK] T1219 - Remote Access Software

Tags: campaign:0ktapus, Coinbase, Social engineering, SMS, Typosquatting, AnyDesk, ISL Online, Mullvad VPN, Google Voice, Skype, Vonage/Nexmo, Bandwidth, Browser extension, EditThisCookie

Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack (published: February 17, 2023)

Since the end of 2022, a new campaign by the state-sponsored Earth Kitsune group has targeted visitors of pro-North Korea websites. Malicious JavaScript embedded in the sites' video pages prompts the viewer to download a codec installer. The payload is geofenced: only visitors from particular subnets in Nagoya, Japan and Shenyang, China, and users of a VPN provider in Brazil, receive the malicious version. The legitimate codec installer was patched to increase the PE image size and add an additional section. The attackers use elliptic-curve cryptography to protect encryption keys and rely on uncommon hashing algorithms: the 32-bit Fowler-Noll-Vo hash (FNV-1) to compute machine IDs and a 32-bit Murmur3 hash of the 16-byte AES key to compute the
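The Analyst Comment in the Coinbase story recommends two signals in particular: logins arriving through commercial VPN providers, and downloads of remote-access viewers such as AnyDesk or ISL Online. The block below is an added example, not Anomali's or Coinbase's code, of correlating those two signals over a constructed SSO auth log and web-proxy log. The ASN organisation strings, the download domains, the log layout and the one-hour correlation window are assumptions; in practice they come from your own IP enrichment and proxy categories.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample telemetry (not from the article): an auth log already enriched with
# the source ASN organisation, and a web-proxy log. Tuples are (timestamp, user, ...).
AUTH_LOG = [
    ("2023-02-05T09:02:10", "alice", "198.51.100.23", "Mullvad VPN AB", "mfa_failed"),
    ("2023-02-05T09:04:55", "alice", "198.51.100.23", "Mullvad VPN AB", "success"),
    ("2023-02-05T09:10:00", "bob",   "203.0.113.9",   "ExampleCorp Office ISP", "success"),
    ("2023-02-05T17:45:00", "carol", "203.0.113.40",  "ExampleCorp Office ISP", "success"),
]
PROXY_LOG = [
    ("2023-02-05T09:31:40", "alice", "https://anydesk.com/en/downloads/windows"),
    ("2023-02-05T09:12:00", "bob",   "https://www.islonline.com/download"),
    ("2023-02-05T14:00:00", "bob",   "https://intranet.example/wiki"),
    ("2023-02-05T19:30:00", "carol", "https://anydesk.com/en/downloads/windows"),  # 1h45m after login
]

# Assumed indicator lists; extend them from your own ASN enrichment and proxy data.
VPN_ORG_KEYWORDS = ("mullvad",)                          # matched case-insensitively in ASN org
REMOTE_TOOL_DOMAINS = ("anydesk.com", "islonline.com")   # exact host or subdomain match


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_remote_tool_download(url: str) -> bool:
    h = host_of(url)
    return any(h == d or h.endswith("." + d) for d in REMOTE_TOOL_DOMAINS)


def from_vpn_provider(asn_org: str) -> bool:
    org = asn_org.lower()
    return any(k in org for k in VPN_ORG_KEYWORDS)


def correlate(auth_log, proxy_log, window_minutes: int = 60):
    """Return (severity, user, reason) alerts.

    high   : successful login from a VPN provider followed by a remote-tool download
    medium : any non-successful login (e.g. an MFA failure) from a VPN provider
    low    : remote-tool download within the window of any other successful login
    """
    window = timedelta(minutes=window_minutes)
    downloads = [(_ts(t), u, url) for t, u, url in proxy_log if is_remote_tool_download(url)]
    alerts = []
    for t, user, ip, org, outcome in auth_log:
        login_at, vpn = _ts(t), from_vpn_provider(org)
        if outcome != "success":
            if vpn:
                alerts.append(("medium", user, f"{outcome} from VPN provider {org} ({ip})"))
            continue
        for dl_at, dl_user, url in downloads:
            if dl_user == user and login_at <= dl_at <= login_at + window:
                mins = int((dl_at - login_at).total_seconds() // 60)
                alerts.append(("high" if vpn else "low", user,
                               f"{host_of(url)} downloaded {mins} min after login from {org} ({ip})"))
    return alerts


if __name__ == "__main__":
    for sev, user, reason in correlate(AUTH_LOG, PROXY_LOG):
        print(f"[{sev:6}] {user}: {reason}")
```

On the constructed data this raises a medium alert for the MFA failure from the VPN exit, a high alert for the AnyDesk download 26 minutes after the successful VPN login, and a low alert for the ISL Online download from an office address; the download 1h45m after login falls outside the default window and is only caught when the window is widened, which is the tuning trade-off a detection engineer has to make explicitly.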
Tags: Malware, Tool, Threat, Guideline


The article does not appear to have been picked up after its publication.

The article does not appear to be a repeat of an earlier one.