Source |
RiskIQ |
Identifier |
8583096 |
Publication date |
2024-09-23 16:05:03 (viewed: 2024-09-23 16:18:15) |
Title |
Weekly OSINT Highlights, 23 September 2024 |
Text |
## Snapshot
Last week's OSINT reporting reveals a landscape dominated by complex, multi-layered attacks targeting critical infrastructure, financial sectors, and cloud environments. Nation-state actors, like China's Flax Typhoon and Iran's UNC1860, leverage botnets, IoT exploits, and sophisticated backdoors to infiltrate government, military, and industrial targets. The emergence of groups such as Earth Baxia highlights the continued exploitation of vulnerabilities like CVE-2024-36401 and spear-phishing tactics in the Asia-Pacific region. Meanwhile, cybercriminals, including SCATTERED SPIDER (Octo Tempest) and those behind the Lumma Stealer campaigns, use social engineering, fake CAPTCHA pages, and WebDAV for malware distribution to evade detection and deploy ransomware and infostealers. The reported exploits underscore the increasing abuse of vulnerabilities in open-source software, with attackers targeting a diverse range of industries, including IT, telecommunications, and finance. These attacks highlight evolving tactics, advanced persistence mechanisms, and stealthy malware being used to target sensitive data globally.
## Description
1. [Raptor Train Botnet Operated by Flax Typhoon](https://sip.security.microsoft.com/intel-explorer/articles/9118dcb6): Black Lotus Labs uncovered the massive Raptor Train botnet, operated by Chinese nation-state group Flax Typhoon. This IoT botnet, consisting of compromised routers, cameras, and other devices, has targeted U.S. and Taiwanese entities across sectors like military and government, making it one of the largest Chinese state-sponsored botnets to date.
2. [Exploitation of GeoServer Vulnerability (CVE-2024-36401)](https://sip.security.microsoft.com/intel-explorer/articles/e7a82171): Threat actors are exploiting a remote code execution (RCE) vulnerability in GeoServer to deliver malware such as GOREVERSE, SideWalk, and CoinMiner. Campaigns have targeted IT, telecom, and government sectors across multiple countries, using sophisticated backdoors and botnets to compromise systems.
3. [WebDAV Used to Distribute Emmenthal Loader](https://sip.security.microsoft.com/intel-explorer/articles/6dec4139): Cybercriminals are using WebDAV servers to distribute the Emmenthal loader (aka PeakLight), which delivers infostealers via malicious .lnk files. This infrastructure is likely part of a larger cybercrime operation offering infrastructure as a service (IaaS), and its stealthy, memory-only execution technique poses a significant threat to global cybersecurity.
4. [Iran's UNC1860 Targets Middle Eastern Networks](https://sip.security.microsoft.com/intel-explorer/articles/e882507d): Mandiant assesses that UNC1860 is likely linked to Iran's Ministry of Intelligence and Security (MOIS) and focuses on persistent access to government and telecom organizations in the Middle East. The group leverages sophisticated tools, such as TEMPLEPLAY and VIROGREEN, and exploits internet-facing servers to evade detection.
5. [Cuckoo Spear Campaign Tied to APT10](https://sip.security.microsoft.com/intel-explorer/articles/8f34c36c): Cybereason discovered the "Cuckoo Spear" campaign, attributed to APT10, targeting Japanese manufacturing and political sectors. The attackers used advanced tools like LODEINFO and NOOPLDR to maintain long-term espionage operations, employing tactics like DLL side-loading and phishing.
6. [PondRAT Campaign Linked to North Korean Group](https://sip.security.microsoft.com/intel-explorer/articles/906408c8): Unit 42 identified the PondRAT campaign, attributed to Gleaming Pisces (Citrine Sleet), which targets Linux and macOS systems through infected PyPI packages. The goal is to compromise the supply chain, particularly in the cryptocurrency sector, by delivering backdoor malware to developers' machines.
7. [Phishing Campaign Distributes Lumma Stealer](https://sip.security.microsoft.com/intel-explorer/articles/3cb5d189): A phishing campaign abuses GitHub repositories by filing false security vulnerability reports to lure users into downloading the Lumma Stealer malware. The |
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Vulnerability
Threat
Mobile
Industrial
Prediction
Cloud
Conference
|
Stories |
APT 10
|