One Article Review

Home - The article:
Source: Anomali
Identifier 8316353
Publication date 2023-03-07 16:30:00 (viewed: 2023-03-07 17:06:29)
Title Anomali Cyber Watch: Mustang Panda Adopted MQTT Protocol, Redis Miner Optimization Risks Data Corruption, BlackLotus Bootkit Reintroduces Vulnerable UEFI Binaries
Text The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Cryptojacking, Phishing, Ransomware, Secure boot bypass, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

MQsTTang: Mustang Panda's Latest Backdoor Treads New Ground with Qt and MQTT (published: March 2, 2023)

In early 2023, the China-sponsored group Mustang Panda began experimenting with a new custom backdoor dubbed MQsTTang. The backdoor received its name from the attribution and from its unusual use of the MQTT command and control (C2) protocol, which is typically used for communication between IoT devices and controllers. To speak this protocol, MQsTTang uses the open source QMQTT library, which is based on the Qt framework. MQsTTang is delivered through a spearphishing link pointing at a RAR archive containing a single malicious executable. It was delivered to targets in Australia, Bulgaria, Taiwan, and likely other countries in Asia and Europe.

Analyst Comment: Mustang Panda is likely exploring this communication protocol in an attempt to hide its C2 traffic. A defense-in-depth approach should be used to stop sophisticated threats that evolve and use a variety of defense-evasion techniques. Workers in sensitive government sectors should be educated on spearphishing threats and be wary of executable files delivered in archives.
MITRE ATT&CK: [MITRE ATT&CK] T1583.003 - Acquire Infrastructure: Virtual Private Server | [MITRE ATT&CK] T1583.004 - Acquire Infrastructure: Server | [MITRE ATT&CK] T1587.001 - Develop Capabilities: Malware | [MITRE ATT&CK] T1588.002 - Obtain Capabilities: Tool | [MITRE ATT&CK] T1608.001 - Stage Capabilities: Upload Malware | [MITRE ATT&CK] T1608.002 - Stage Capabilities: Upload Tool | [MITRE ATT&CK] T1566.002 - Phishing: Spearphishing Link | [MITRE ATT&CK] T1106 - Native API | [MITRE ATT&CK] T1204.002 - User Execution: Malicious File | [MITRE ATT&CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] T1036.004 - Masquerading: Masquerade Task Or Service | [MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location | [MITRE ATT&CK] T1480 - Execution Guardrails | [MITRE ATT&CK] T1622 - Debugger Evasion
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat Medical
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.