What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-03-23 19:13:59 | How to deploy the Redash data visualization dashboard with the help of Docker (lien direct) | Jack Wallen shows you how easily you can deploy the powerful data visualization tool Redash as a Docker container. | Tool | ||
 |
2022-03-23 00:26:45 | Joint CyberSecurity Advisory Alert on AvosLocker Ransomware (lien direct) | FortiGuard Labs is aware that a joint advisory on AvosLocker malware was recently issued by the Federal Bureau of Investigation (FBI) and the US Department of Treasury. AvosLocker is a Ransomware-as-a-Service (RaaS) that has targeted organizations across multiple critical infrastructure sectors in the United States. The targeted sectors include financial services, critical manufacturing, and government facilities organizations. Other AvosLocker victims are in multiple countries throughout the world. Why is this Significant?This is significant because the joint advisory indicates that organizations across multiple critical infrastructure sectors in the United States were targeted by AvosLocker ransomware. The advisory calls out vulnerabilities that the ransomware group exploited, which companies need to consider patching as soon as possible.What is AvosLocker?AvosLocker ransomware targets Windows and Linux systems and was first observed in late June 2021. As Ransomware-as-a-Service, AvosLocker is advertised on a number of Dark Web communities, recruiting affiliates (partners) and access brokers. After breaking into a target and locating accessible files on the victim network, AvosLocker exfiltrates data, encrypts the files with AES-256, and leaves a ransom note "GET_YOUR_FILES_BACK.txt". Some of the known file extensions that AvosLocker adds to the files it encrypted are ".avos", ".avos2", and ".avoslinux".On top of leaving a ransom note to have the victim pay in order to recover their encrypted files and to not have their stolen information disclosed to the public, some AvosLocker victims were reported to have received phone calls from an AvosLocker attacker. The calls threatened the victim to go to the payment site for negotiation. Some victims also received an additional threat that the attacker would launch Distributed Denial-of-Service (DDoS) attacks against them. AvosLocker's leak site is called "press release" where the victims are listed along with a description about them.How Widespread is AvosLocker Ransomware?The advisory indicates that AvosLocker's known victims are "in the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, United Arab Emirates, United Kingdom, Canada, China, and Taiwan".What Vulnerabilities are Exploited by AvosLocker?The advisory states that "multiple victims have reported on premise Microsoft Exchange Server vulnerabilities as the likely intrusion vector". Those vulnerabilities include CVE-2021-26855 and ProxyShell, which is an exploit attack chain involving three Microsoft exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. Also, a path traversal vulnerability in the FortiOS SSL-VPN web portal was reported to have been exploited by the AvosLocker group.FortiGuard Labs previously posted a Threat Signal on ProxyShell. See the Appendix for a link to "Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell" and FortiGuard Labs released a patch for CVE-2018-13379 in May 2019. For additional information, see the Appendix for a link to "Malicious Actor Discloses FortiGate SSL-VPN Credentials", and "The Art of War (and Patch Management)" for the importance of patch management.What Tools is AvosLocker Known to Utilize?The advisory references the following tools:Cobalt StrikeEncoded PowerShell scriptsPuTTY Secure Copy client tool "pscp.exe"RcloneAnyDeskScannerAdvanced IP ScannerWinLister What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known samples of AvosLocker ransomware:W32/Cryptor.OHU!tr.ransomW32/Filecoder.OHU!tr.ransomELF/Encoder.A811!tr.ransomLinux/Filecoder_AvosLocker.A!trPossibleThreatFortiGuard Labs provides the following AV coverage against ProxyShell:MSIL/proxyshell.A!trMSIL/proxyshell.B!trFortiGuard Labs provides the following IPS coverage against CVE-2021-26855, ProxyShell, and CVE-2018-13379:MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution (CVE-2021-26855)MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution (CVE-2021-34473)MS.Exchange.Server.Common.Access.Token.Privil | Ransomware Malware Tool Vulnerability Threat Patching | ★★ | |
|
2022-03-22 21:41:49 | LogRhythm vs. Splunk: SIEM tool comparison (lien direct) | LogRhythm and Splunk are security information and event management solutions with many similarities. Check out this features comparison of LogRhythm and Splunk to help you decide between these SIEM tools. | Tool | ||
|
2022-03-22 21:00:40 | 5 kanban boards to help you better manage big projects (lien direct) | A kanban board is an excellent visualization project management tool that makes it easier to track progress and collaborate. These five kanban board options are ideal to use when managing large projects. | Tool | ||
|
2022-03-22 17:05:52 | How to take screenshots in Windows 11 with the Snipping Tool (lien direct) | Here's how to capture, edit and save screenshots in Windows 11 using the Snipping Tool, which is a lot simpler than you think. | Tool | ||
 |
2022-03-22 16:58:00 | Anomali Cyber Watch: Russia Targets Ukraine with New Malware, Targeted Phishing Campaigns Give Way to Wizard Spider, Certificates Stolen by Lapsus$ Are Being Abused, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Code signing, Naver, Phishing, Russia, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Double Header: IsaacWiper and CaddyWiper
(published: March 18, 2022)
Data destruction is one of the common objectives for Russia in its ongoing cyberwar with Ukraine. During the February-March 2022 military escalation, three new wipers were discovered. On February 23, 2022, HermeticWiper, on February 24, 2022, IsaacWiper, and, later in March 2022, CaddyWiper. Malwarebytes researchers assess that all three wipers have been written by different authors and have no code overlap. IsaacWiper and CaddyWiper are light in comparison to the more complex HermeticWiper. CaddyWiper has an additional check to exclude wiping Domain Controllers probably to leave an opportunity for malware propagation.
Analyst Comment: Focus on intrusion prevention and having a proper disaster recovery plan in place: have anti-phishing training, keep your systems updated, regularly backup your data to an offline storage.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485
Tags: CaddyWiper, IsaacWiper, HermeticWiper, Wiper, Data destruction, Russia, Ukraine, Ukraine-Russia Conflict 2022, Operation Bleeding Bear
UAC-0035 (InvisiMole) Attacks Ukrainian Government Organizations
(published: March 18, 2022)
The Computer Emergency Response Team for Ukraine (CERT-UA) detected a new UAC-0035 (InvisiMole) phishing campaign targeting Ukrainian government organizations. InvisiMole is likely a subgroup connected to the Russia-sponsored Gamaredon (Primitive Bear) group. The new campaign features an attached archive, together with a shortcut (LNK) file. If the LNK file is opened, an HTML Application file (HTA) downloads and executes VBScript designed to deploy the LoadEdge backdoor. LoadEdge deploys additional malware and modules including TunnelMole, malware that abuses the DNS protocol to form a tunnel for malicious software distribution, and RC2CL backdoor module.
Analyst Comment: Users should be trained to recognize spearphishing attempts. Attachments with rare attachment extensions (LNK, ISO, BAT to name a few) should be reported.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Protocol Tunneling - T1572 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] User Execution - T1204
Tags: InvisiMole, UAC-0035, TunnelMole, Gamaredon, Primitive Bear, Russia, Ukraine, LNK, HTA, DNS, Ukraine-Russia Conflict 2022, Operation Bleeding Bear
Exposing Initial Access Broker with Ties to Co |
Ransomware Malware Tool Vulnerability Threat | ★★★★ | |
 |
2022-03-21 15:15:07 | CVE-2020-24772 (lien direct) | In Dreamacro 1.1.0, an attacker could embed a malicious iframe in a website with a crafted URL that would launch the Clash Windows client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking). | Tool | ||
 |
2022-03-19 10:51:07 | Emsisoft releases free decryptor for the victims of the Diavol ransomware (lien direct) | Cybersecurity firm Emsisoft released a free decryptor that allows the victims of the Diavol ransomware to recover their files without paying a ransom. Cybersecurity firm Emsisoft has released a free decryption tool to help Diavol ransomware victims recover their files without paying a ransom. In January, the FBI officially linked the Diavol ransomware operation to the infamous TrickBot […] | Ransomware Tool | ||
|
2022-03-18 12:00:05 | How to keep one window always on top with Microsoft PowerToys (lien direct) | A PowerToys tool known as Always on Top will keep any specific window visible when you're juggling multiple windows. | Tool | ||
|
2022-03-18 06:32:57 | (Déjà vu) Microsoft releases open-source tool for checking MikroTik Routers compromise (lien direct) | Microsoft released an open-source tool to secure MikroTik routers and check for indicators of compromise for Trickbot malware infections. Microsoft has released an open-source tool, dubbed RouterOS Scanner, that can be used to secure MikroTik routers and check for indicators of compromise associated with Trickbot malware infections. “This analysis has enabled us to develop a […] | Malware Tool | ||
|
2022-03-17 18:07:18 | LokiLocker Ransomware with Built-in Wiper Functionality (lien direct) | FortiGuard Labs is aware of a report that LokiLocker ransomware is equipped with built-in wiper functionality. The ransomware targets the Windows OS and is capable of erasing all non-system files and overwriting the Master Boot Record (MBR) if the victim opts not to pay the ransom, leaving the compromised machine unusable. According to the report, most victims of LokiLocker ransomware are in Eastern Europe and Asia.Why is this Significant?This is significant because LokiLocker ransomware has built-in wiper functionality which can overwrite the MBR and delete all non-system files on the compromised machine if the victim does not pay ransom in a set time frame. Successfully overwriting the MBR will leave the machine unusable.What is LokiLocker Ransomware?LokiLocker is a .NET ransomware that has been active since as early as August 2021. The ransomware encrypts files on the compromised machines and demands ransom from the victim to recover the encrypted files. The ransomware adds a ".Loki" file extension to the files it encrypted. It also leaves a ransom note in a Restore-My-Files.txt file. The malware is protected with NETGuard, an open-source tool for protecting .NET applications, as well as KoiVM, a virtualizing protector for .NET applications.LokiLocker has a built-in configuration file, which contains information such as the attacker's email address, campaign or affiliate name, Command-and-Control (C2) server address and wiper timeout. Wiper timeout is set to 30 days by default. The value tells the ransomware to wait 30 days before deleting non-system files and overwriting the Master Boot Record (MBR) of the compromised machine. The configuration also has execution options which controls what actions the ransomware should or should not carry out on the compromised machine. The execution options include not wiping the system and the MBR, not encrypting the C Drive and not scanning for and encrypting network shares. The wiping option is set to false by default, however the option can be modified by the attacker.How is LokiLocker Ransomware Distributed?While the current infection vector is unknown, early LokiLocker variants were distributed through Trojanized brute-checker hacking tools. According to the public report, most victims of LokiLocker ransomware are in Eastern Europe and Asia. Fortinet's telemetry indicates the C2 domain was accessed the most from India, followed by Canada, Chile and Turkey.What is the Status of Coverage?FortiGuard Labs provide the following AV coverage:W32/DelShad.GRG!tr.ransomW32/DelShad.GSE!tr.ransomW32/DelShad.GUJ!tr.ransomW32/Filecoder.AKJ!trW32/Generic.AC.171!trW32/PossibleThreatW32/Ramnit.AMSIL/Filecoder.AKJ!trMSIL/Filecoder.AKJ!tr.ransomMSIL/Filecoder_LokiLocker.D!trMSIL/Filecoder.4AF0!tr.ransomMSIL/Filecoder.64CF!tr.ransomPossibleThreatAll known network IOC's are blocked by the FortiGuard WebFiltering client. | Ransomware Malware Tool | ||
|
2022-03-17 17:38:52 | Zabbix vs. Paessler PRTG network monitoring (lien direct) | When considering a network monitoring tool for your IT infrastructure, Zabbix and Paessler PRTG are two prominent options, and we'll explore which one is right for your needs. | Tool | ||
 |
2022-03-17 16:48:08 | Microsoft Releases Open Source Tool for Securing MikroTik Routers (lien direct) | Microsoft this week released an open source tool that can be used to secure MikroTik routers and check for signs of abuse associated with the Trickbot malware. | Tool | ||
|
2022-03-16 16:02:02 | How to install one of the best system monitors for the Linux desktop (lien direct) | Looking for the last, best system monitor you could ever imagine for the Linux desktop? Jack Wallen is certain he's found that tool in System Monitoring Center. | Tool | ||
 |
2022-03-16 00:00:00 | Cybersécurité - la valeur et le besoin de formation pratique Cyber Security -The Value and Need for Practical Training (lien direct) |
Whenever we are trying to master a new skill, we have all heard about the importance of practise. The associated attention, rehearsal and repetition leads to the acquisition of new knowledge or skills that can later be developed into more complex skillsets. This sentiment has been seen throughout history, where some of the world\'s most masterful people have shared a similar philosophy that is still true today: Bruce Lee - “Practice makes perfect. After a long time of practising, our work will become natural, skillfull, swift and steady” Abraham Lincoln - “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” Japanese Proverb – “Tomorrow\'s battle is won during todays practice” Vincent Van Gough – “As practise makes perfect, I cannot but make progress, each drawing one makes, each study one paints is a step forward” Marshawn Lynch - “When you get to practice against the best, it brings the best out of you.” Martha Graham – “Practice means to perform, over and over again in the face of all obstacles, some act of vision, of faith, of desire. Practice is a means of inviting the perfection desired” Unknown - “Don\'t practise until you get it right, practice until you can\'t get it wrong” Others might disagree slightly: Vince Lombardi – “Practise does not make perfect. Only perfect practise makes perfect” So, the message is clear, to master a skill, we need to practise but we need to practise against the best and in the best most realistic possible environment. In terms of cybersecurity, as the cyber threat environment grows more intense, cyber defence groups require more and more skilled professionals to help with the onslaught of cyberattacks. However, they are finding it increasingly difficult to recruit and hire trained security professionals as having a degree in cybersecurity is usually not enough to give an individual the skills required for mitigating sophisticated attacks. For Cyber Security professionals, the required practise involves realistic breach scenarios or cyberattacks. These breaches or cyberattacks are any attempt to gain unauthorized access to a computer, computing system or computer network with the intent to cause damage. The aim to disable, disrupt, destroy or control computer systems or to alter, block, delete, manipulate or steal the data held within these systems. Day-to-day work in cybersecurity offers few opportunities for such training on the job, resulting in the required practise being an extremely difficult thing to achieve. When you think about it, cyberattacks are seemingly in the news every day, which seems to contradict my previous statement. However, the results of a cyberattack can range from causing inconvenience to dire consequences. A cyberattack on critical infrastructure and/or healthcare sectors don\'t just affect data or computer systems, they can wreak havoc in the physical world. This was seen all too well in Ireland in the not so distant past. So, cyberattacks are prevalent but the consequences mean we aim to prevent as many breaches as possible and reduce the impact, contain and eradicate any attack that exploits a system. There lies the problem, cyber security professionals require realistic breach scenarios and cyberattacks to train and become sufficiently skilled but cyber professionals are consistently working hard to prevent such attacks in the real-world. So the question is, “how do we train cyber security professionals to deal with the challenging ever-changing cyber environment?”. The answer is a Cyber Range! A Cyber Range provides a secure, sandboxed virtual interactive training environment that can simulate real-world feel scenarios and environments, including complex IT environments and attacks on IT infrastructure, networks, software platforms and applications. As a result, a cyber range infrastructure provides the required training and practise elements of realistic breach scenarios and cyberattacks. A Cyber Range enables students to practice newly acquire | Tool Threat Studies Mobile Industrial Medical Cloud | ★★ | |
|
2022-03-15 20:30:03 | Top Power BI alternatives: Compare Power BI competitors (lien direct) | Business intelligence drives decisions that enable companies to thrive, and Microsoft's Power BI is a popular tool for the job – but it's worth considering the alternatives. See what the BI space has to offer. | Tool | ||
|
2022-03-15 20:01:34 | How to create a project template in the ONLYOFFICE Project Management tool (lien direct) | You can use ONLYOFFICE as a project management tool. Here's how to set up a template so you can easily access the work on your projects. Jack Wallen shows you how. | Tool | ||
|
2022-03-15 16:46:00 | Anomali Cyber Watch: Government and Financially-Motivated Targeting of Ukraine, Conti Ransomware Active Despite Exposure, Carbanak Abuses XLL Files, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Excel add-ins, Phishing, Russia, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Webinar on Cyberattacks in Ukraine – Summary and Q&A
(published: March 14, 2022)
As the military conflict in Ukraine continues, the number of cyberattacks in Ukraine is expected to rise in the next six months, according to Kaspersky researchers. Most of the current attacks on Ukraine are of low complexity, but advanced persistent threat (APT) attacks exist too. Gamaredon (Primitive Bear) APT group continues its spearphishing attacks. Sandworm APT targets SOHO network devices with modular Linux malware Cyclops Blink. Other suspected APT campaigns use MicroBackdoor malware or various wipers and fake ransomware (HermeticRansom, HermeticWiper, IsaacWiper, WhisperGate). Honeypot network in Ukraine detected over 20,000 attacking IP addresses, and most of them were seen attacking Ukraine exclusively.
Analyst Comment: Harden your infrastructure against DDoS attacks, ransomware and destructive malware, phishing, targeted attacks, supply-chain attacks, and firmware attacks. Install all the latest patches. Install security software. Consider strict application white-listing for all machines. Actively hunt for attackers inside the company’s internal network using the retrospective visibility provided by Anomali XDR.
MITRE ATT&CK: [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Pre-OS Boot - T1542 | [MITRE ATT&CK] Fallback Channels - T1008 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Disk Content Wipe - T1488 | [MITRE ATT&CK] Inhibit System Recovery - T1490
Tags: Gamaredon, Sandworm, MicroBackdoor, Hades, HermeticWiper, HermeticRansom, IsaacWiper, Pandora, Cyclops Blink, Government, Russia, Ukraine, UNC1151, Ghostwriter, Belarus, Ukraine-Russia Conflict 2022, Operation Bleeding Bear
Alert (AA21-265A) Conti Ransomware (Updated)
(published: March 9, 2022)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), with assistance from the U.S. Secret Service has updated the alert on Conti ransomware with 98 domain names used in malicious operations. Conti ransomware-as-a-service (RaaS) operation is attributed to the threat group Wizard Spider also known for its Trickbot malware. The group’s internal data and communications were leaked at the end of February 2022 after they announced support for Russia over the conflict in Ukraine.
Analyst Comment: Despite the increased attention to Conti ransomware group, it remains extremely active. Ensure t |
Ransomware Malware Tool Vulnerability Threat | APT 28 | |
 |
2022-03-14 18:43:28 | A Detailed Guide on httpx (lien direct) | Introduction httpx is a fast web application reconnaissance tool coded in go by www.projectidscovery.io. With a plethora of multiple modules effective in manipulating HTTP requests | Tool | ||
 |
2022-03-14 13:26:58 | Detecting malicious macros is a vital tool in the fight against malware (lien direct) | >by Bhabesh Raj Rai, Security ResearchEven the most sophisticated and advanced state-sponsored attackers leave digital traces and detecting these anomalies is key to protecting organizations against malware. One common method threat actors use to initiate malware campaigns is by phishing with a malicious Word document. When a user opens the document, it's likely to trigger [...] | Malware Tool Threat | ||
 |
2022-03-11 02:33:12 | DeepMind\'s new AI tool helps resolve debate over ancient Athenian decrees (lien direct) | Ithaca system restores text, can also ID location and date of damaged inscriptions | Tool | ||
|
2022-03-10 23:39:03 | APT41 Compromised Six U.S. State Government Networks (lien direct) | FortiGuard Labs is aware of a report that threat actor APT41 compromised at least six networks belonging to U.S. state governments between May 2021 and February 2022. To gain a foothold into the victim's network, the threat actor used a number of different attack vectors: exploiting vulnerable Internet facing web applications and directory traversal vulnerabilities, performing SQL injection, and conducting de-serialization attacks. The intent of APT41 appears to be reconnaissance, though how the stolen information is to be used has not yet been determined.Why is this Significant? This is significant because at least six U.S. state government systems were broken into and data exfiltration was performed by APT41 as recent as February 2022 In addition, a zero-day vulnerability in the USAHerds application (CVE-2021-44207) as well as Log4j (CVE-2021-44228), among others, were exploited in the attacksWhat's the Detail of the Attack?APT41 performed several different ways to break into the targeted networks.In one case, the group exploited a SQL injection vulnerability in a Internet-facing web application. In another case, a then previously unknown vulnerability (CVE-2021-44207) in USAHerds, which is a web application used by agriculture officials to manage animal disease control and prevention, livestock identification and movement. Also, APT41 reportedly started to exploit the infamous Log4j vulnerability (CVE-2021-44228) within hours of Proof-of-Concept (PoC) code becoming available. Patches for both vulnerabilities are available. Once successful in breaking into the victim's network, the threat actor performed reconnaissance and credential harvesting activities. What is APT41?APT41 is a threat actor who has been active since at least 2012. Also known as TA415, Double Dragon, Barium, GREF and WickedPanda, the group reportedly performs Chinese state-sponsored espionage activities. APT41 targets organizations in multiple countries across a wide range of industries, such as telecommunications, industrial and engineering and think tanks. In 2020, five alleged members of the group were charged by the U.S. Justice Department for hacking more than 100 companies in the United States.What are the Tools Used by APT41?APT41 is known to use the following tools:ASPXSpy - web shell backdoorBITSAdmin - PowerShell cmdlets for creating and managing file transfers.BLACKCOFFEE - backdoor that disguise its communications as benign traffic to legitimate websites certutil - command-line utility tool used for manipulating certification authority (CA) data and components.China Chopper - web shell backdoor that allows attacker to have remote access to an enterprise networkCobalt Strike - a commercial penetration testing tool, which allows users to perform a wide range of activitiesDerusbi - DLL backdoorEmpire - PowerShell post-exploitation agent, which provides a wide range of attack activities to usersgh0st RAT - Remote Access Trojan (RAT)MESSAGETAP - data mining malware Mimikatz - open-source credential dumpernjRAT - Remote Access Trojan (RAT)PlugX - Remote Access Trojan (RAT)PowerSploit - open-source, offensive security framework which allows users to perform a wide range of activitiesROCKBOOT - BootkitShadowPad - backdoorWinnti for Linux - Remote Access Trojan (RAT) for LinuxZxShell - Remote Access Trojan (RAT)Badpotato - open-source tool that allows elevate user rights towards System rightsDustPan - shellcode loader. aka StealthVectorDEADEYE - downloaderLOWKEY - backdoorKeyplug - backdoorWhat are Other Vulnerabilities Known to be Exploited by APT41?APT41 exploited the following, but not restricted to, these vulnerabilities in the past:CVE-2020-10189 (ManageEngine Desktop Central remote code execution vulnerability)CVE-2019-19781 (Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance)CVE-2019-3396 (Atlassian Confluence Widget Connector Macro Velocity Template Injection)CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability)CVE-2017-0199 (Microsoft Office/WordPad Remote Code Execut | Malware Tool Vulnerability Threat Guideline | APT 41 APT 15 APT 15 | |
|
2022-03-10 21:51:37 | Crooks target Ukraine\'s IT Army with a tainted DDoS tool (lien direct) | Threat actors are spreading password-stealing malware disguised as a security tool to target Ukraine’s IT Army. Cisco Talos researchers have uncovered a malware campaign targeting Ukraine’s IT Army, threat actors are using infostealer malware mimicking a DDoS tool called the “Liberator.” The Liberator tool is circulating among pro-Ukraina hackers that use it to target Russian […] | Malware Tool Threat | ||
 |
2022-03-10 19:54:00 | Malware Posing as Russia DDoS Tool Bites Pro-Ukraine Hackers (lien direct) | Be careful when downloading a tool to cyber-target Russia: It could be an infostealer wolf dressed in sheep's clothing that grabs your cryptocurrency info instead. | Tool | ||
|
2022-03-10 18:36:26 | Malwarebytes vs. ESET: Which anti-malware solution is best for you? (lien direct) | If you've been trying to decide which anti-malware tool is best for your needs, you've come to the right place. This resource summarizes two of the top anti-malware solutions: Malwarebytes and ESET. | Tool | ||
|
2022-03-09 23:15:08 | CVE-2022-24753 (lien direct) | Stripe CLI is a command-line tool for the Stripe eCommerce platform. A vulnerability in Stripe CLI exists on Windows when certain commands are run in a directory where an attacker has planted files. The commands are `stripe login`, `stripe config -e`, `stripe community`, and `stripe open`. MacOS and Linux are unaffected. An attacker who successfully exploits the vulnerability can run arbitrary code in the context of the current user. The update addresses the vulnerability by throwing an error in these situations before the code can run.Users are advised to upgrade to version 1.7.13. There are no known workarounds for this issue. | Tool Vulnerability | ||
|
2022-03-09 22:50:59 | Biden considers digital dollar-here\'s how it could differ from regular money (lien direct) | Digital currency may have advantages but could also be tool for surveillance. | Tool | ||
|
2022-03-09 16:43:32 | How to quickly deploy a Linux distribution with GUI applications via a container (lien direct) | If you need to spin up a quick Linux desktop for development or testing purposes, one of the easiest is with a new tool called Distrobox. Jack Wallen shows you how. | Tool | ||
|
2022-03-08 18:54:00 | Anomali Cyber Watch: Daxin Hides by Hijacking TCP Connections, Belarus Targets Ukraine and Poland, Paying a Ransom is Not a Guarantee, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Belarus, China, Data breach, Data leak, Oil and gas, Phishing, Russia, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the attached IOCs and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Samsung Confirms Galaxy Source Code Breach but Says no Customer Information was Stolen
(published: March 7, 2022)
South American threat actor group Lapsus$ posted snapshots and claimed it had stolen 190GB of confidential data, including source code, from the South Korean tech company Samsung. On March 7, 2022, Samsung confirmed that the company recently suffered a cyberattack, but said that it doesn't anticipate any impact on its business or customers. Earlier, in February 2022, Lapsus$ had stolen 1TB data from GPU giant Nvidia and tried to negotiate with the company.
Analyst Comment: Companies should implement cybersecurity best practices to guard their source code and other proprietary data. Special attention should be paid to workers working from home and the security of contractors who have access to such data.
Tags: Lapsus$, South Korea, South America, Data breach
Beware of Malware Offering “Warm Greetings From Saudi Aramco”
(published: March 5, 2022)
Malwarebytes researchers discovered a new phishing campaign impersonating Saudi Aramco and targeting oil and gas companies. The attached pdf file contained an embedded Excel object which would download a remote template that exploits CVE-2017-11882 to download and execute the FormBook information stealer.
Analyst Comment: Organizations should train their users to recognize and report phishing emails. To mitigate this Formbook campaign, users should not handle emails coming from outside of the organization while being logged on with administrative user rights.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Template Injection - T1221
Tags: FormBook, CVE-2017-11882, Oil And Gas, Middle East, Saudi Aramco, Excel, Phishing, Remote template
Paying a Ransom Doesn’t Put an End to the Extortion
(published: March 2, 2022)
Venafi researchers conducted a survey regarding recent ransomware attacks and discovered that 83% of successful ransomware attacks include additional extortion methods, containing: threatening to extort customers (38%), stolen data exposure (35%), and informing customers that their data has been stolen (32%). 35% of those who paid the ransom were still unable to recover their data, 18% of victims had their data exposed despite the fact that they paid the ransom.
Analyst Comment: This survey shows that ransomware payments are not as reliable in preventing further damages to the victimized organization as previously thought. Educate employees on t |
Ransomware Malware Tool Threat | ||
|
2022-03-08 18:53:00 | Task management vs. project management: Which is best for your team? (lien direct) | If your teams are struggling to meet deadlines, you might need to consider either a project management or task management platform to keep them on track. Jack Wallen explains each and helps you understand which tool is the best fit. | Tool | ||
|
2022-03-08 17:21:15 | Network monitoring tools every admin should know (lien direct) | Network monitors are an absolute must-have for any network administrator. But which tool, out of the thousands, should you consider for your tool kit? Jack Wallen offers up his five favorites. | Tool | ||
|
2022-03-08 15:01:20 | U.S. State Governments Targeted by Chinese Hackers via Zero-Day in Agriculture Tool (lien direct) | A threat group believed to be sponsored by the Chinese government has breached the networks of U.S. state governments, including through the exploitation of a zero-day vulnerability. | Tool Threat | ||
|
2022-03-04 17:15:07 | CVE-2022-24727 (lien direct) | Weblate is a web based localization tool with tight version control integration. Prior to version 4.11.1, Weblate didn't properly sanitize some arguments passed to Git and Mercurial, allowing them to change their behavior in an unintended way. Instances where untrusted users cannot create new components are not affected. The issues were fixed in the 4.11.1 release. | Tool | ||
 |
2022-03-04 10:50:16 | Telegram now favoured by hacktivists, cybercriminals (lien direct) | As the conflict in Ukraine progresses, Telegram messaging has emerged as a favourite tool for both hacktivists and cybercriminals alike. Research from the cybersecurity company Check Point suggests that there are six times as many groups on the messaging apps since February 24. Some topic-specific groups have grown significantly, some even reaching more than 250,000 members. […] | Tool | ★★★ | |
|
2022-03-03 23:52:51 | A 40,000-year-old Chinese stone tool culture unlike any other (lien direct) | Not every culture left a mark on those around it. | Tool | ||
|
2022-03-01 17:55:46 | Daxin Espionage Backdoor Ups the Ante on Chinese Malware (lien direct) | Via node-hopping, the espionage tool can reach computers that aren't even connected to the internet. | Malware Tool | ||
|
2022-03-01 16:01:00 | Anomali Cyber Watch: Information-Stealing and Wiping Campaigns Target Ukraine, Electron Bot Is After Social Media Accounts, Attackers Poison Application and Library Repositories, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Iran, Russia, Spearphishing, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
(published: February 25, 2022)
Researchers at Unit 42 identified an attack targeting an energy organization in Ukraine. Ukrainian CERT has attributed this attack to a threat group they track as UAC-0056. The targeted attack involved a spear phishing email sent to organization employees containing a malicious JavaScript file that would download and install a downloader known as SaintBot and a document stealer called OutSteel. Actors leverage Discord’s content delivery network (CDN) to host their payload. Goal of this attack was data collection on government organizations and companies involved with critical infrastructure.
Analyst Comment: Administrators can block traffic to discordapp[.]com if their organization doesn’t have a current legitimate use of Discord. Implement attack surface reduction rules for Microsoft Office. Train users to recognize, safely process, and report potential spearphishing emails.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Modify Registry - T1112
Tags: Russia, Ukraine, OutSteal, SaintBot, UAC-0056, TA471, Lorec53, SaintBear, Ukraine-Russia Conflict 2022, Operation Bleeding Bear
Disruptive HermeticWiper Attacks Targeting Ukrainian Organizations
(published: February 25, 2022)
Researchers at Secureworks have identified and investigated reports of Ukrainian government and financial organizations being impacted by distributed denial of service and wiper attacks. Between 15-23 Feb intermittent loss of access to a large number of government websites belonging to the Ukrainian Ministry of Foreign Affairs, Ministry of Defense, Security Service, Ministry of Internal Affairs, and Cabinet of Ministers. PrivatBank and Oschadbank. Along with this, the threat actors also targeted some government and financial organizations in Ukraine to deploy a novel wiper dubbed ‘HermeticWiper’ which abuses a legitimate & signed EaseUS partition management driver. In other attacks targeting Ukraine researchers also observed 13 Ukrainian government websites defaced and Tor forums listing data for Ukrainian citizens being available for sale.
Analyst Comment: Organizations exposed to war between Russia and Ukraine should be on high alert regarding the ongoing cyberattacks. Implement defense-in-depth approach including patch management, anti-phishing training, disaster recovery plans, and backing up your information and systems.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | |
Ransomware Malware Tool Vulnerability Threat | ★★★★ | |
|
2022-03-01 15:50:29 | How to configure the ONLYOFFICE CRM for your business needs (lien direct) | The ONLYOFFICE CRM tool can help you improve your customer relations, and it only takes a few minutes to get it set up to meet the needs of your business. Jack Wallen shows you how. | Tool | ||
|
2022-03-01 12:00:00 | Anomali February Quarterly Product Release (lien direct) | Anomali has made its mark delivering Threat Intelligence powered detection and response with its ThreatStream, Match, and Lens portfolio. Now, we've expanded upon that leadership position by continuing to innovate and deliver the essential capabilities and XDR solutions our customers have been wanting. Key Highlights for this Quarter Include: Introducing Match in the Cloud Announcing The Anomali Platform Increased Insights with Intelligence Initiatives Extended Rules Engine Supporting Advanced Search Queries On-Prem 5.3 Release with Intelligence Initiatives and More Cybersecurity Insights Report and Blog Series Read more below to see what our incredible team has been working on this quarter. Introducing Match in the Cloud At the core of this new release is the hard work the team has done to introduce Match, Anomali’s big data threat detection engine, as a cloud-native deployment. By moving Match to the cloud, we’ve introduced new cloud capabilities that work together with existing ThreatStream and Lens capabilities in a cloud-native environment. With Match Cloud, we have unlocked our capability to ingest data from any telemetry source and access our global repository of threat intelligence to deliver high-performance indicator correlation at a rate of 190 trillion EPS. With Match Cloud, customers can add internal log sources and telemetry freely, leveraging the power of resource-intensive technologies that improve overall effectiveness and efficiencies. Match is available in both cloud and on-premise deployment options. Take our interactive tour to learn more. Announcing the Anomali Platform As I mentioned above, moving Match to the cloud created synergistic threat detection and response capabilities in a cloud-native environment across the entire Anomali portfolio. With that, we’re able to offer fully cloud-native multi-tenant solutions that easily integrate into existing security tech stacks. We’re excited to introduce The Anomali Platform, a cloud-native extended detection and response (XDR) solution. The Anomali Platform is made up of critical components that work together to ingest security data from any telemetry source and correlate it with our global repository of threat intelligence to drive detection, prioritization, analysis, and response. Included in the Anomali Platform are: Anomali Match Anomali ThreatStream Anomali Lens By combining big data management, machine learning, and the world’s largest global threat intelligence repository, organizations can understand what’s happening inside and outside their network within seconds. Read the Enterprise Management Associates (EMA) Impact Brief to see what they had to say about The Anomali Platform or take our interactive tour to learn more. And keep an eye out for our live event coming in Mid-April. Increased Insights with | Tool Threat Guideline | ||
|
2022-03-01 09:16:53 | Remote Utilities Software Distributed in Ukraine via Fake Evacuation Plan Email (lien direct) | FortiGuard Labs is aware that a copy of Remote Manipulator System (RMS) was submitted from Ukraine to VirusTotal on February 28th, 2022. The RMS is a legitimate remote administration tool that allows a user to remotely control another computer. The file name is in Ukrainian and is "Evacuation Plan (approved by the SSU on 28.02.2022 by Order No. 009363677833).exe" in translation to English. The SSU likely stands for the Security Service of Ukraine. Why is this Significant?This is significant because given its file name, the country where the file was submitted to VirusTotal and the current situation in Ukraine, the file may have been distributed to Ukrainians.What does the File Do?The file silently installs a copy of legitimate Remote Utilities software to the compromised machine. The software allows a remote user to control the compromised machine.Based on the telemetry FortiGuard Labs collected, there is one IP address in Ukraine that connected to the remote IP that likely belongs to the attacker. How was the File Distributed to the Targets?Most likely via links in email.CERT-UA published a warning today that "the representatives of the Center for Combating Disinformation began to receive requests for information from the mail of the Ukrainian Security Service. Such notifications are fake and are a cyberattack". The email below is reported have been used in the attack.Machine translation:Email subject: Evacuation plan from: SBU (Urgent) -28.02.2022 day off: 534161WARNING! This is an external sheet: do not click on the links or open a tab if you do not trust the editor.Report a suspicious list to ib@gng.com.ua.Security Service of UkraineGood afternoon, you need to have acquainted with the electronic evacuation plan until 01.03.2022, to give data on the number of employees, fill in the document in accordance with Form 198\00-22SBU-98.To ensure confidentiality of the transferred data, the password: 2267903645 is set on the deposit.See the document on:hxxps://mega.nz/file/[reducted]Mirror 2: hxxps://files.dp.ua/en/[reducted]Mirror 3: hxxps://dropmefiles.com/[reducted]While the remote files were not available at the time of the investigation, the email and "Evacuation Plan (approved by the SSU on 28.02.2022 by Order No. 009363677833).exe" are likely connected based on the email content and the file name. Can the File Attributed to a Particular Threat Actor?It's possible that a threat actor distributed the file to target Ukraine. However, while the Remote Utilities software is silently installed on the compromised machine, it displays an icon in Windows's taskbar. Since most threat actors aim to hide their activities, this is potentially an act of novice attacker who tries to take advantage of the current situation in Ukraine.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against the files involved in this attack:Riskware/RemoteAdmin_RemoteUtilities | Tool Threat | ||
 |
2022-03-01 00:01:03 | China-linked Daxin Malware Targeted Multiple Governments in Espionage Attacks (lien direct) | A previously undocumented espionage tool has been deployed against selected governments and other critical infrastructure targets as part of a long-running espionage campaign orchestrated by China-linked threat actors since at least 2013. Broadcom's Symantec Threat Hunter team characterized the backdoor, named Daxin, as a technologically advanced malware, allowing the attackers to carry out a | Malware Tool Threat | ||
 |
2022-02-28 15:00:00 | Prêt, définissez, allez - les internes de Golang et la récupération des symboles Ready, Set, Go - Golang Internals and Symbol Recovery (lien direct) |
golang (go) est une langue compilée introduite par Google en 2009. Le langage, l'exécution et l'outillage ont évolué considérablement depuis lors.Ces dernières années, les fonctionnalités GO telles que la compilation croisée facile à utiliser, les exécutables autonomes et l'excellent outillage ont fourni aux auteurs malveillants un nouveau langage puissant pour concevoir des logiciels malveillants multiplateformes.Malheureusement pour les indexes, l'outillage pour séparer le code d'auteur malware du code d'exécution GO a pris du retard.
Aujourd'hui, Mandiant publie un outil nommé Goresym Pour analyser les informations sur les symboles GO et autres métadonnées intégrées.Ce billet de blog
Golang (Go) is a compiled language introduced by Google in 2009. The language, runtime, and tooling has evolved significantly since then. In recent years, Go features such as easy-to-use cross-compilation, self-contained executables, and excellent tooling have provided malware authors with a powerful new language to design cross-platform malware. Unfortunately for reverse engineers, the tooling to separate malware author code from Go runtime code has fallen behind. Today, Mandiant is releasing a tool named GoReSym to parse Go symbol information and other embedded metadata. This blog post |
Malware Tool | ★★★★ | |
|
2022-02-28 11:50:14 | File Transfer Filter Bypass: Exe2Hex (lien direct) | Introduction Exe2hex is a tool developed by g0tmilk which can be found here. The tool transcribes EXE into a series of hexadecimal strings which can | Tool | ||
|
2022-02-26 00:15:08 | CVE-2022-21706 (lien direct) | Zulip is an open-source team collaboration tool with topic-based threading. Zulip Server version 2.0.0 and above are vulnerable to insufficient access control with multi-use invitations. A Zulip Server deployment which hosts multiple organizations is vulnerable to an attack where an invitation created in one organization (potentially as a role with elevated permissions) can be used to join any other organization. This bypasses any restrictions on required domains on users' email addresses, may be used to gain access to organizations which are only accessible by invitation, and may be used to gain access with elevated privileges. This issue has been patched in release 4.10. There are no known workarounds for this issue. ### Patches _Has the problem been patched? What versions should users upgrade to?_ ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ ### References _Are there any links users can visit to find out more?_ ### For more information If you have any questions or comments about this advisory, you can discuss them on the [developer community Zulip server](https://zulip.com/developer-community/), or email the [Zulip security team](mailto:security@zulip.com). | Tool Vulnerability | ||
|
2022-02-24 21:53:39 | CISA adds two Zabbix flaws to its Known Exploited Vulnerabilities Catalog (lien direct) | US CISA added two flaws impacting Zabbix infrastructure monitoring tool to its Known Exploited Vulnerabilities Catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added two new vulnerabilities impacting the Zabbix infrastructure monitoring tool to its Known Exploited Vulnerabilities Catalog. Threat actors are actively exploiting the two vulnerabilities that are reported in the following table: CVE ID Vulnerability Name Due […] | Tool Vulnerability Threat | ||
|
2022-02-24 19:15:08 | CVE-2020-14481 (lien direct) | The DeskLock tool provided with FactoryTalk View SE uses a weak encryption algorithm that may allow a local, authenticated attacker to decipher user credentials, including the Windows user or Windows DeskLock passwords. If the compromised user has an administrative account, an attacker could gain full access to the user’s operating system and certain components of FactoryTalk View SE. | Tool | ||
|
2022-02-24 15:00:00 | LITE SUR LECTURE: Télégramme malveillant repéré dans la dernière activité de cyber-espionnage iranienne Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity (lien direct) |
En novembre 2021, Défense gérée mandiante détecté et répondu à un UNC3313 Intrusion chez un client du Moyen-Orient.Au cours de l'enquête, Mandiant a identifié de nouveaux logiciels malveillants ciblés, gramdoor et Starwhale , qui implémentent les fonctionnalités de porte-portefeuille simples.Nous avons également identifié UNC3313 Utiliser un logiciel d'accès à distance accessible au public pour maintenir l'accès à l'environnement.UNC3313 a initialement eu accès à cette organisation par le biais d'un e-mail de phishing ciblé et des outils de sécurité offensifs open-source modifiés et à effet de levier pour identifier les systèmes accessibles et se déplacer latéralement.Unc3313 déplacé
In November 2021, Mandiant Managed Defense detected and responded to an UNC3313 intrusion at a Middle East government customer. During the investigation, Mandiant identified new targeted malware, GRAMDOOR and STARWHALE, which implement simple backdoor functionalities. We also identified UNC3313 use publicly available remote access software to maintain access to the environment. UNC3313 initially gained access to this organization through a targeted phishing email and leveraged modified, open-source offensive security tools to identify accessible systems and move laterally. UNC3313 moved |
Malware Tool | ★★★★ | |
|
2022-02-23 23:15:07 | CVE-2022-23653 (lien direct) | B2 Command Line Tool is the official command line tool for the backblaze cloud storage service. Linux and Mac releases of the B2 command-line tool version 3.2.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use (TOCTOU) race condition. The command line tool saves API keys (and bucket name-to-id mapping) in a local database file (`$XDG_CONFIG_HOME/b2/account_info`, `~/.b2_account_info` or a user-defined path) when `b2 authorize-account` is first run. This happens regardless of whether a valid key is provided or not. When first created, the file is world readable and is (typically a few milliseconds) later altered to be private to the user. If the directory is readable by a local attacker and the user did not yet run `b2 authorize-account` then during the brief period between file creation and permission modification, a local attacker can race to open the file and maintain a handle to it. This allows the local attacker to read the contents after the file after the sensitive information has been saved to it. Users that have not yet run `b2 authorize-account` should upgrade to B2 Command-Line Tool v3.2.1 before running it. Users that have run `b2 authorize-account` are safe if at the time of the file creation no other local users had read access to the local configuration file. Users that have run `b2 authorize-account` where the designated path could be opened by another local user should upgrade to B2 Command-Line Tool v3.2.1 and remove the database and regenerate all application keys. Note that `b2 clear-account` does not remove the database file and it should not be used to ensure that all open handles to the file are invalidated. If B2 Command-Line Tool cannot be upgraded to v3.2.1 due to a dependency conflict, a binary release can be used instead. Alternatively a new version could be installed within a virtualenv, or the permissions can be changed to prevent local users from opening the database file. | Tool Vulnerability | ||
|
2022-02-23 18:46:00 | Anomali Cyber Watch: EvilPlayout: Attack Against Iran\'s State Broadcaster, Microsoft Teams Targeted With Takeover Trojans, \'Ice phishing\' on the blockchain and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Emotet, Ice Phishing, Iran, Trickbot and Zoho. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
EvilPlayout: Attack Against Iran’s State Broadcaster
(published: February 18, 2022)
Checkpoint Researchers have released an article detailing their findings regarding a wave of cyber attacks directed at Iranian broadcast infrastructure during late January 2022. IRIB, an Iranian state broadcaster, was compromised, with malicious executables and wipers being responsible for the attack. Said malware had multiple functions, including hijacking of several tv stations to play recordings of political opposition leaders demanding the assassination of Iran’s supreme leader. Additional functionality includes custom backdoors, screenshot capability and several bash scripts to download other malicious executables. The malware appears new, with no previous appearances, nor has there been any actor attribution as of the date of publication.
Analyst Comment: Utilize all telemetry and feed it into a SIEM to help identify malicious activity within your network. Anomali Match can collide this telemetry against global intelligence to assist in identifying malicious indicators within your network. A defense in depth approach will also mitigate the damage any compromises can do to your infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] Screen Capture - T1113
Tags: Iran, IRIB, Ava, Telewebion
Microsoft Teams Targeted With Takeover Trojans
(published: February 17, 2022)
Researchers at Avanan have documented a new phishing technique that threat actors are using that abuses the trust users of Microsoft Teams have for the platform to deliver malware. Threat Actors send phishing links to victims which initiate a chat on the platform, after which they will post a link to a dll file within the chat box. When clicked, it will install a trojan of choice on the target machine. With over 279 million users, this presents a new attack vector for threat actors to abuse.
Analyst Comment: Never click on a link or open attachments from untrusted senders when receiving email. Be skeptical of strangers attempting to move conversation to another platform, even if you use that platform. Be wary of links posted in apps that are used for communication, as links that are posted on trusted platforms are not trustworthy themselves.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Trusted Relationship - T1199
Tags: Microsoft Teams, trojan, phishing
Red Cross: State Hackers Breached our Network Using Zoho bug
(published: February 16, 2022)
The International Committee of the Red Cross (ICRC) suffered a data breach during January 2022. The incident led to the exfiltration of over 515,000 individual's PII, linked to their Restoring Family Links pro |
Ransomware Data Breach Malware Tool Vulnerability Threat Guideline | ||
|
2022-02-23 12:38:05 | CISA Warns of Attacks Exploiting Recent Vulnerabilities in Zabbix Monitoring Tool (lien direct) | The United States Cybersecurity and Infrastructure Security Agency (CISA) this week expanded its Known Exploited Vulnerabilities Catalog with two critical flaws in the Zabbix enterprise monitoring solution. | Tool |
To see everything:
Our RSS (filtrered)
