Source |
RiskIQ |
Identifier |
8613484 |
Publication date |
2024-11-18 12:22:31 (viewed: 2024-11-18 13:08:25) |
Title |
Weekly OSINT Highlights, 18 November 2024 |
Text |
## Snapshot
Last week's OSINT reporting highlights a diverse array of cyber threats, including ransomware, phishing, espionage, and supply chain attacks. Key trends include evolving attack vectors like malicious .LNK files and PowerShell-based lateral movement, as seen in campaigns targeting Pakistan and other regions. Threat actors span from state-sponsored groups such as North Korea's Lazarus and China's TAG-112 to financially motivated groups like SilkSpecter, with targets including critical sectors like manufacturing, government, healthcare, and e-commerce. Information stealers emerged as a notable theme, with malware such as RustyStealer, Fickle Stealer, and PXA Stealer employing advanced obfuscation and multi-vector attacks to exfiltrate sensitive data from diverse sectors. The reports underscore sophisticated evasion tactics, the leveraging of legitimate platforms for malware delivery, and the persistent targeting of vulnerable backup and storage systems.
## Description
1. [Ymir Ransomware Attack](https://sip.security.microsoft.com/intel-explorer/articles/1444d044): Researchers at Kaspersky identified Ymir, a ransomware variant that performs operations entirely in memory and encrypts data using the ChaCha20 algorithm. Attackers used PowerShell-based lateral movement and reconnaissance tools, employing RustyStealer malware to gain initial access and steal data, targeting systems in Colombia among other regions.
1. [WIRTE Group Cyber Attacks](https://sip.security.microsoft.com/intel-explorer/articles/17c5101d): Check Point Research linked WIRTE, a Hamas-connected group, to espionage and disruptive cyber attacks in 2024, including PDF lure-driven Havoc framework deployments and SameCoin wiper campaigns targeting Israeli institutions. WIRTE, historically aligned with the Molerats, focuses on politically motivated attacks in the Middle East, showcasing ties to Gaza-based cyber activities.
1. [DoNot Group Targets Pakistani Manufacturing](https://sip.security.microsoft.com/intel-explorer/articles/25ee972c): The DoNot group launched a campaign against Pakistan's manufacturing sector, focusing on maritime and defense industries, using malicious .LNK files disguised as RTF documents to deliver stager malware via PowerShell. The campaign features advanced persistence mechanisms, updated AES encryption for C&C communications, and dynamic domain generation, highlighting their evolving evasion tactics.
1. [Election System Honeypot Findings](https://sip.security.microsoft.com/intel-explorer/articles/1a1b4eb7): Trustwave SpiderLabs' honeypot for U.S. election infrastructure recorded attacks like brute force, SQL injection, and CVE exploits by botnets including Mirai and Hajime. The attacks, largely driven by exploit frameworks and dark web collaboration, underline persistent threats against election systems.
1. [Chinese TAG-112 Tibetan Espionage](https://sip.security.microsoft.com/intel-explorer/articles/11ae4e70): In May 2024, TAG-112, suspected to be Chinese state-sponsored, compromised Tibetan community websites via Joomla vulnerabilities to deliver Cobalt Strike payloads disguised as security certificates. The campaign reflects Chinese intelligence's enduring interest in monitoring and disrupting Tibetan and other minority organizations.
1. [Phishing Campaigns Exploit Ukrainian Entities](https://sip.security.microsoft.com/intel-explorer/articles/95253614a): Russian-linked threat actor UAC-0194 targeted Ukrainian entities with phishing campaigns, exploiting CVE-2023-320462 and CVE-2023-360251 through malicious hyperlinks in emails. The attacks leveraged compromised municipal servers to host malware and facilitate privilege escalation and security bypasses.
1. [Lazarus Group's macOS Targeting](https://sip.security.microsoft.com/intel-explorer/articles/7c6b391d): Lazarus, a North Korean threat actor, deployed RustyAttr malware targeting macOS via malicious apps built with the Tauri framework, hiding payloads in Extended Attributes (EA). This campaign reflects evolvin |
Notes |
★★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Vulnerability
Threat
Prediction
Medical
Cloud
Technical
|
Stories |
APT 41
APT 38
|
Move |
|