One Article Review

Home - The article:
Source Anomali
Identifier 8331005
Publication date 2023-04-25 18:22:00 (viewed: 2023-04-25 19:07:39)
Title Anomali Cyber Watch: Two Supply-Chain Attacks Chained Together, Decoy Dog Stealthy DNS Communication, EvilExtractor Exfiltrates to FTP Server
Texte The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptomining, Infostealers, Malvertising, North Korea, Phishing, Ransomware, and Supply-chain attacks. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters (published: April 21, 2023)

A new Monero cryptocurrency-mining campaign is the first recorded case of gaining persistence via Kubernetes (K8s) Role-Based Access Control (RBAC), according to Aquasec researchers. The recorded honeypot attack started with the exploitation of a misconfigured API server. The attackers proceeded by gathering information about the cluster, checking whether their deployment was already present in the cluster, and deleting some existing deployments. They used RBAC to gain persistence by creating a new ClusterRole and a new ClusterRoleBinding. The attackers then created a DaemonSet so that a single API request deployed their workload to all nodes. The malicious image, pulled from the public registry Docker Hub, was named to impersonate a legitimate account and a popular legitimate image. It has been pulled 14,399 times, and 60 exposed K8s clusters have been found with signs of exploitation by this campaign.

Analyst Comment: Your company should have protocols in place to ensure that all cluster management and cloud storage systems are properly configured and patched. K8s clusters are too often misconfigured, and threat actors realize there is potential for malicious activity. A defense-in-depth approach (layering of security mechanisms, redundancy, fail-safe defense processes) is a good mitigation step to help protect against highly active threat groups.

MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1496 - Resource Hijacking | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1489 - Service Stop

Tags: Monero, malware-type:Cryptominer, detection:PUA.Linux.XMRMiner, file-type:ELF, abused:Docker Hub, technique:RBAC Buster, technique:Create ClusterRoleBinding, technique:Deploy DaemonSet, target-system:Linux, target:K8s, target:Kubernetes RBAC

3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible (published: April 20, 2023)

Investigation of the previously reported 3CX supply chain compromise (March 2023) allowed Mandiant researchers to determine that it was the result of a prior software supply chain attack using a trojanized installer for X_TRADER, a software package provided by Trading Technologies. The attack involved the publicly available tool SigFlip decrypting an RC4 stream-cipher-encrypted payload and starting the publicly available DaveShell shellcode for reflective loading. It led to the installation of the custom, modular VeiledSignal backdoor. VeiledSignal's additional modules inject the C2 module into a browser process instance, create a Windows named pipe and
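The RBAC persistence chain in the Kubernetes story (deployments deleted, a ClusterRole and ClusterRoleBinding created, a DaemonSet pulled from a public registry) leaves a clear trail in API-server audit logs. The script below is an added example, not code from Anomali or Aquasec: it assumes audit.k8s.io/v1-style JSON events, the TRUSTED_REGISTRIES set is an assumed organisation setting, and every event, user, role and image name is a constructed placeholder.

```python
"""Flag the RBAC-persistence chain (delete deployments, create ClusterRole +
ClusterRoleBinding, deploy a DaemonSet from a public registry) in K8s audit logs.
Assumes audit.k8s.io/v1-style JSON events, one per line; samples are constructed."""
import json

TRUSTED_REGISTRIES = {"registry.internal.example"}  # assumption: the org's own registry

def _ev(verb, resource, name, user="system:anonymous", **req):
    """Build one constructed audit event (sample data, not from any real cluster)."""
    return json.dumps({"verb": verb, "objectRef": {"resource": resource, "name": name},
                       "user": {"username": user}, "requestObject": req})

SAMPLE_AUDIT_LINES = [  # constructed, mirrors the chain described in the story
    _ev("delete", "deployments", "web"),
    _ev("create", "clusterroles", "kube-controller"),
    _ev("create", "clusterrolebindings", "system:controller:kube-controller",
        roleRef={"kind": "ClusterRole", "name": "kube-controller"},
        subjects=[{"kind": "ServiceAccount", "name": "kube-controller"}]),
    _ev("create", "daemonsets", "kube-controller",  # image name is a placeholder
        spec={"template": {"spec": {"containers": [{"image": "lookalike-acct/kube-controller:1.0"}]}}}),
    _ev("get", "pods", "web-0", user="admin"),  # benign read, must not be flagged
]

def image_registry(image):
    """Registry host of an image reference; Docker Hub (docker.io) when none is given."""
    first = image.split("/")[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def detect_rbac_persistence(lines):
    """Return (rule, detail, actor) tuples for events matching the chain."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        verb, ref, req = ev.get("verb"), ev.get("objectRef", {}), ev.get("requestObject", {})
        res, name, who = ref.get("resource"), ref.get("name"), ev.get("user", {}).get("username")
        if verb == "delete" and res == "deployments":
            findings.append(("deployment-deleted", name, who))
        elif verb == "create" and res == "clusterroles":
            findings.append(("clusterrole-created", name, who))
        elif verb == "create" and res == "clusterrolebindings":
            if any(s.get("kind") == "ServiceAccount" for s in req.get("subjects", [])):
                role = req.get("roleRef", {}).get("name")
                findings.append(("clusterrolebinding-to-sa", f"{name}->{role}", who))
        elif verb == "create" and res == "daemonsets":
            for c in req.get("spec", {}).get("template", {}).get("spec", {}).get("containers", []):
                if image_registry(c["image"]) not in TRUSTED_REGISTRIES:
                    findings.append(("daemonset-untrusted-image", c["image"], who))
    return findings
```

Any single rule firing is noisy on its own; the sequence from one actor within a short window, especially an anonymous or service-account principal, is what matches the story.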
Sent Yes
Tags Ransomware Spam Malware Tool Threat Cloud
Stories Uber APT 38 ChatGPT APT 43
Notes ★★
The article does not appear to have been picked up after its publication.

The article does not appear to have been picked up from a previous one.