What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-08-29 10:00:00 | Lutte contre les logiciels malveillants dans la chaîne d'approvisionnement industrielle Battling malware in the industrial supply chain (lien direct) |
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. Here\'s how organizations can eliminate content-based malware in ICS/OT supply chains. As the Industrial Internet of Things (IIoT) landscape expands, ICS and OT networks are more connected than ever to various enterprise systems and cloud services. This new level of connectivity, while offering benefits, also paves the way for targeted and supply chain attacks, making them easier to carry out and broadening their potential effects. A prominent example of supply chain vulnerability is the 2020 SolarWinds Orion breach. In this sophisticated attack: Two distinct types of malware, "Sunburst" and "Supernova," were secretly placed into an authorized software update. Over 17,000 organizations downloaded the update, and the malware managed to evade various security measures. Once activated, the malware connected to an Internet-based command and control (C2) server using what appeared to be a harmless HTTPS connection. The C2 traffic was cleverly hidden using steganography, making detection even more challenging. The threat actors then remotely controlled the malware through their C2, affecting up to 200 organizations. While this incident led to widespread IT infiltration, it did not directly affect OT systems. In contrast, other attacks have had direct impacts on OT. In 2014, a malware known as Havex was hidden in IT product downloads and used to breach IT/OT firewalls, gathering intelligence from OT networks. This demonstrated how a compromised IT product in the supply chain could lead to OT consequences. Similarly, in 2017, the NotPetya malware was concealed in a software update for a widely-used tax program in Ukraine. Though primarily affecting IT networks, the malware caused shutdowns in industrial operations, illustrating how a corrupted element in the supply chain can have far-reaching effects on both IT and OT systems. These real-world incidents emphasize the multifaceted nature of cybersecurity risks within interconnected ICS/OT systems. They serve as a prelude to a deeper exploration of specific challenges and vulnerabilities, including: Malware attacks on ICS/OT: Specific targeting of components can disrupt operations and cause physical damage. Third-party vulnerabilities: Integration of third-party systems within the supply chain can create exploitable weak points. Data integrity issues: Unauthorized data manipulation within ICS/OT systems can lead to faulty decision-making. Access control challenges: Proper identity and access management within complex environments are crucial. Compliance with best practices: Adherence to guidelines such as NIST\'s best practices is essential for resilience. Rising threats in manufacturing: Unique challenges include intellectual property theft and process disruptions. Traditional defenses are proving inadequate, and a multifaceted strategy, including technologies like Content Disarm and Reconstruction (CDR), is required to safeguard these vital systems. Supply chain defense: The power of content disarm and reconstruction Content Disarm and Reconstruction (CDR) is a cutting-edge technology. It operates on a simple, yet powerful premise based on the Zero Trust principle: all files could be malicious. What does CDR do? In the complex cybersecurity landscape, CDR stands as a unique solution, transforming the way we approach file safety. Sanitizes and rebuilds files: By treating every file as potentially harmful, CDR ensures they are safe for use while mainta | Malware Vulnerability Threat Industrial Cloud | NotPetya Wannacry Solardwinds | ★★ |
 |
2022-12-14 17:43:30 | Why Managed Threat Hunting Should Top Every CISO\'s Holiday Wish List (lien direct) | With the end of the year fast approaching, many of us are looking forward to a well-deserved break. However, security practitioners and security leaders worldwide are bracing themselves for what has become a peak period for novel and disruptive threats. In 2020, the holiday season was marked by the SUNBURST incident, and in 2021 the […] | Threat Guideline | Solardwinds | ★★ |
|
2022-07-11 10:00:00 | 5 Common blind spots that make you vulnerable to supply chain attacks (lien direct) | This blog was written by an independent guest blogger. Over the past several years, hackers have gone from targeting only companies to also targeting their supply chain. One area of particular vulnerability is company software supply chains, which are becoming an increasingly common method of gaining access to valuable business information. A study by Gartner predicted that by 2025, 45% of companies will have experienced a supply chain attack. Supply chain attacks can come in various ways, whether by malicious code injected into enterprise software or vulnerabilities in software your company uses. To mitigate this risk, companies must learn about the methods used to execute attacks and understand their company’s blind spots. This article will look at 5 recent software supply chain attacks and how third-party partners can pose a security risk to your company. We’ll make recommendations for how to secure your business against supply chain attacks and how you can engage in early detection to respond to threats before they take down your enterprise. What is a software supply chain attack? The CISA or US Cybersecurity and Infrastructure Security Agency defines a software supply chain attack as an attack that “occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software then compromises the customer’s data or system.” A software supply chain includes any company you purchase software from and any open-source software and public repositories from which your developers pull code. It also includes any service organizations that have access to your data. In the aggregate, all of these different suppliers exponentially increase the surface area of a potential attack. Software supply chain attacks are particularly dangerous because the software supply chain acts as an amplifier for hackers. This means that when one vendor is impacted, hackers can potentially reach any of their customers, giving them greater reach than if they attacked a single target corporation. Two primary reasons contribute to the danger, according to CISA: Third-party software products usually require privileged access; They often require frequent communication between the vendor’s own network and the vendor’s software on customer networks. Attackers leverage privileged access and a privileged network access channel as their first point of access. Depending on the level of available access, attackers can easily target many devices and levels of an organization. Some industries, like healthcare, are of particular vulnerability because they possess huge volumes of patient data subject to strict compliance regulations and laws. Five major supply chain attacks In recent memory, software supply chain attacks have gathered increased attention from the public because of how damaging they can be to a company and its reputation. The Log4j vulnerability demonstrated just how vulnerable companies can be to relying on third-party software, for example. Other high-profile attacks like the SolarWinds SUNBURST attack and Kaseya VSA (REvil) attack also provided painful reminders of how damaging supply chain attacks can be. The SolarWinds SUNBURST backdoor On December 13th, 2020, the SUNBURST backdoor was first disclosed. The attack utilized the popular SolarWinds Orion IT monitorin | Ransomware Data Breach Vulnerability Threat Patching | Solardwinds | |
 |
2022-06-29 16:25:00 | SolarWinds creates new software build system in wake of Sunburst attack (lien direct) | SolarWinds became the poster child for attacks on software supply chains last year when a group of threat actors injected malicious code known as Sunburst into the company's software development system. It was subsequently distributed through an upgrade to it Orion product to thousands of government and enterprise customers worldwide.SolarWinds learned from the experience and has introduced new software development practices and technology to strengthen the integrity of its build environment. It includes what SolarWinds says is the first-of-its-kind “parallel build” process, where the software development takes place through multiple highly secure duplicate paths to establish a basis for integrity checks.To read this article in full, please click here | Threat | Solardwinds | |
 |
2022-06-09 19:00:00 | #RSAC: Lessons Learned From the Solarwinds Sunburst Attack (lien direct) | A panel discussion explained that businesses must transform in order to meet the cyber threats of tomorrow | Threat | Solardwinds | |
 |
2021-12-06 10:00:00 | Activité russe présumée ciblant le gouvernement et les entités commerciales du monde entier Suspected Russian Activity Targeting Government and Business Entities Around the Globe (lien direct) |
Mise à jour (mai 2022): Nous avons fusionné unc2452 avec apt29 .L'activité UNC2452 décrite dans ce post est désormais attribuée à APT29.
comme anniversaire d'un an de la découverte du Chaîne d'approvisionnement Solarwinds Passe de compromis, mandiant reste engagé à être engagé à être engagé à être engagé à engagerSuivre l'un des acteurs les plus difficiles que nous ayons rencontrés.Ces acteurs russes présumés pratiquent la sécurité opérationnelle de premier ordre et les métiers avancés.Cependant, ils sont faillibles et nous continuons à découvrir leur activité et à apprendre de leurs erreurs.En fin de compte, ils restent une menace adaptable et évolutive qui doit être étroitement étudiée par
UPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post is now attributed to APT29. As the one-year anniversary of the discovery of the SolarWinds supply chain compromise passes, Mandiant remains committed to tracking one of the toughest actors we have encountered. These suspected Russian actors practice top-notch operational security and advanced tradecraft. However, they are fallible, and we continue to uncover their activity and learn from their mistakes. Ultimately, they remain an adaptable and evolving threat that must be closely studied by |
Threat | Solardwinds APT 29 | ★★★ |
 |
2021-10-05 18:28:00 | Anomali Cyber Watch: New APT ChamelGang, FoggyWeb, VMWare Vulnerability Exploited and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, FoggyWeb, Google Chrome Bugs, Hydra Malware, NOBELIUM and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Google Just Patched These Two Chrome Zero-day Bugs That Are Under Attack Right Now
(published: October 1, 2021)
Google has warned users of Google Chrome to update to version 94.0.4606.71, due to two new zero-days that are currently being exploited in the wild. This marks the second update in a month due to actively exploited zero-day flaws. The first of these common vulnerabilities and exposures (CVEs), CVE-2021-37975, is a high severity flaw in the V8 JavaScript engine, which has been notoriously difficult to protect and could allow attackers to create malware that is resistant to hardware mitigations.
Analyst Comment: Users and organizations are recommended to regularly check for and apply updates to the software applications they use, especially web browsers that are increasingly used for a variety of tasks. Organizations can leverage the capabilities of Anomali Threatstream to rapidly get information about new CVEs that need to be mitigated through their vulnerability management program.
Tags: CVE-2021-37975, CVE-2021-37976, chrome, zero-day
Hydra Malware Targets Customers of Germany's Second Largest Bank
(published: October 1, 2021)
A new campaign leveraging the Hydra banking trojan has been discovered by researchers. The malware containing an Android application impersonates the legitimate application for Germany's largest bank, Commerzbank. While Hydra has been seen for a number of years, this new campaign incorporates many new features, including abuse of the android accessibility features and permissions which give the application the ability to stay running and hidden with basically full administrator privileges over a victim's phone. It appears to be initially spread via a website that imitates the official Commerzbank website. Once installed it can spread via bulk SMS messages to a user's contacts.
Analyst Comment: Applications, particularly banking applications, should only be installed from trusted and verified sources and reviewed for suspicious permissions they request. Similarly, emails and websites should be verified before using.
Tags: Banking and Finance, EU, Hydra, trojan
New APT ChamelGang Targets Russian Energy, Aviation Orgs
(published: October 1, 2021)
A new Advanced Persistent Threat (APT) group dubbed “ChamelGang” has been identified to be targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server’s ProxyShell and leveraging both new and existing malware to compromise networks. Researchers at Positive Technologies have been tracking the group since March 2017, and have observed that they have attacked targets in 10 countries so far. The group has been able to hi |
Ransomware Malware Tool Vulnerability Threat Guideline | Solardwinds Solardwinds APT 27 | |
|
2021-06-02 15:00:00 | Anomali Cyber Watch: Attacks Against Israeli Targets, MacOS Zero-Days, Conti Ransomware Targeting US Healthcare and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Agrius, Conti, North Korea, JSWorm, Nobelium, Phishing, Strrat and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New Sophisticated Email-based Attack From NOBELIUM
(published: May 28, 2021)
NOBELIUM, the threat actor behind SolarWinds attacks, has been conducting a widespread email campaign against more than 150 organizations. Using attached HTML files containing JavaScript, the email will write an ISO file to disk; this contains a Cobalt Strike beacon that will activate on completion. Once detonated, the attackers have persistent access to a victims’ system for additional objectives such as data harvesting/exfiltration, monitoring, and lateral movement.
Analyst Comment: Be sure to update and monitor email filter rules constantly. As noted in the report, many organizations managed to block these malicious emails; however, some payloads successfully bypassed cloud security due to incorrect/poorly implemented filter rules.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Spearphishing Attachment - T1193
Tags: Nobelium, SolarWinds, TearDrop, CVE-2021-1879, Government, Military
Evolution of JSWorm Ransomware
(published: May 25, 2021)
JSWorm ransomware was discovered in 2019, and since then different variants have gained notoriety under different names such as Nemty, Nefilim, and Offwhite, among others. It has been used to target multiple industries with the largest concentration in engineering, and others including finance, healthcare, and energy. While the underlying code has been rewritten from C++ to Golang (and back again), along with revolving distribution methods, JSWorm remains a consistent threat.
Analyst Comment: Ransomware threats often affect organisations in two ways. First encrypting operational critical documents and data. In these cases EDR solutions will help to block potential Ransomwares and data backup solutions will help for restoring files in case an attack is successful. Secondly, sensitive customer and business files are exfiltrated and leaked online by ransomware gangs. DLP solutions will help to identify and block potential data exfiltration attempts. Whereas network segregation and encryption of critical data will play an important role in reducing the risk.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Private Keys - T1145 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] BITS Jobs - T1197 |
Ransomware Malware Threat Medical | Solardwinds APT 38 APT 28 | |
 |
2021-05-28 10:56:54 | Microsoft details new sophisticated spear-phishing attacks from NOBELIUM (lien direct) | Microsoft experts uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind SolarWinds hack. Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign conducted by NOBELIUM APT. The NOBELIUM APT is the threat actor that conducted supply chain attack against SolarWinds which involved multiple families of implants, including the SUNBURST […] | Threat | Solardwinds | ★★ |
|
2021-05-26 17:20:00 | Threat Intelligence Platforms Help Organizations Overcome Key Security Hurdles (lien direct) | Dealing with Big Data, Providing Context, Integration, and Fast Understanding of New Threats are Among the Benefits Threat Intelligence Platforms or TIPs Provide When industry analysts survey most security professionals these days, the common consensus is that it’s now harder to manage security operations than ever before. For example, a recent Enterprise Strategy Group (ESG) research study showed that some 63 percent of security pros say that the job is tougher today than it was just two years ago. While there's no doubt that the variety and volume of threats keep on growing by the year, the question is whether or not it’s the complexity of the security problems that have risen precipitously, or whether something else is going on. I'd argue that it's mostly the latter, in that it’s not so much that the complexity has grown tremendously over this time so much as the “awareness” of already latent complexity has become more apparent. As the breadth of technologies and data available to modern cybersecurity organizations continues to proliferate, security strategists are finally getting enough visibility into their environments to start discovering gaps that have existed all along. But knowing where the deficiencies exist doesn’t always equate to being able to address them. These same security folks are also struggling to wrap their arms around what is possible to achieve by using the array of tools in their arsenals and the vast quantities of information available. Years ago in the security world, the common mantra was that security organizations “don't know what they don't know” and this was due to deficiencies in monitoring and threat intelligence capabilities. Nowadays the opposite is true. They're flooded with data and they're starting to get a better sense of what they don't fully know or understand about adversarial activities in their environments. But this dawning self-awareness can be quite nerve-wracking as they ask themselves, “Now that I know, what should I do?” It can be daunting to make that jump from understanding to taking action—this is the process that many organizations struggle with when we talk about “operationalizing” threat intelligence. For security operations, it’s not enough to just know about an adversary via various threat feeds and other sources. To take action, threat intelligence needs to be deployed in real-time so that security tools and personnel can actually leverage it to run investigations, detect the presence of threats in their networks, respond faster, and continuously improve their security architectures. But there are many significant hurdles in running security operations that stand in the way of achieving those goals. This is where a robust threat intelligence platform (TIP) can add significant value to the security ecosystem. TIPs help security operations teams tackle some of the greatest hurdles. Big Data Conundrum with Threat Intelligence Platforms The first challenge is that the sheer volume of threat intelligence made available to security teams has become a big data problem, one that can't be solved by just filtering out the feeds that are in use, which would defeat the purpose of acquiring varied and relevant feeds in the first place. Organizations don't want to ingest millions or billions of evolving threat indicators into their security information and event manager (SIEM), which would be cost-prohibitive but also lead to the creation of unmanageable levels of false positives. This is where Anomali comes in, with a TIP doing the work on the front end, interesting and pre-curated threat “matches” can be integrated directly into your SIEM. These matches prese | Tool Threat Guideline | Solardwinds Solardwinds | |
 |
2021-05-15 12:20:41 | RSAC insights: Deploying SOAR, XDR along with better threat intel stiffens network defense (lien direct) | Much attention has been paid to the widespread failure to detect the insidious Sunburst malware that the SolarWinds hackers managed to slip deep inside the best-defended networks on the planet. Related: The undermining of the global supply chain But there's … (more…) | Malware Threat | Solardwinds Solardwinds | |
|
2021-03-02 14:59:00 | Anomali February Product Release: Moving Beyond Tactical Intelligence (lien direct) | We are happy to announce the Anomali Product Release for February 2021. For our product and engineering teams to deliver this latest set of features and enhancements, they worked closely with our customers with a particular eye to supporting security teams in their further move beyond a reliance on tactical, technical intelligence to a holistic, threat-model-driven approach by allowing them to work with threat models like the MITRE ATT&CK framework inside Anomali ThreatStream easily and productively. A further highlight directed at augmenting collaboration across teams and with external peers, leveraging our popular Trusted Circles capabilities, is the advent of full-featured chat within the Anomali ThreatStream threat intelligence platform, while maintaining privacy controls.
Enhancements in this latest release include:
MITRE ATT&CK Framework Integration
As a follow-up to the recent release of support for MITRE ATT&CK framework techniques, we’ve added the ability to import content from the MITRE ATT&CK Navigator tool and store your framework capabilities inside ThreatStream. Users can use the MITRE capability in ThreatStream's Investigations feature to help prioritize investigative activity and decision-making, making security teams more efficient and responsive.
Advanced Search Functionality for Threat Models
This month we’ve extended advanced search to Threat Model content in ThreatStream - providing the same flexibility and features for finding and refining content in our platform as for observable content. Users can now create advanced search queries with conditions and operators, and some additional capabilities specific to our Threat Model content, to find relevant intelligence quickly, as well as save their complex searches for future use at a click.
Collaboration via Full-Featured ThreatStream Chat
Customers now have the benefit of real-time, protected communication within ThreatStream for their internal teams and with Trusted Circle collaborators via the use of a full-featured chat client. With this built-in chat functionality, analysts can communicate and share tactical information as well as more strategic aspects of analysis and response quickly and easily with colleagues and peers at organizations that are members of common Trusted Circles--from inside the ThreatStream platform, where it can be easily shared and investigated. Most importantly, the collaboration remains anonymized and privacy is ensured.
Clone Custom Themed Dashboards
Extending the custom themed dashboards developed by the Anomali Threat Research (ATR) team and released in December, we are now offering the ability to not only access a custom themed dashboard (for COVID, Sunburst or other specific themes), but also to clone (or create a copy) of that dashboard, which you can now further customize or tailor to your specific needs and preferences. Once a dashboard is cloned a user can change, for a given widget, the saved query upon which the widget is based, as well as add their own custom widgets.
Intelligence Enrichment Inside of Investigations
We continue to refine the display of critical information to the user at the appropriate point of their research in order to ensure analysts have the right intelligence |
Tool Threat | Solardwinds Solardwinds | |
 |
2021-02-26 13:42:41 | Microsoft Releases Open Source Resources for Solorigate Threat Hunting (lien direct) | Microsoft on Thursday announced the open source availability of CodeQL queries that it used during its investigation into the SolarWinds attack. | Threat | Solardwinds Solardwinds | |
 |
2021-02-05 18:52:59 | 6 Best Practices for SecOps in the Wake of the Sunburst Threat Campaign (lien direct) | 
1. Attackers have a plan, with clear objectives and outcomes in mind. Do you have one? Clearly this was a motivated and patient adversary. They spent many months in the planning and execution of an attack that was not incredibly sophisticated in its tactics, but rather used multiple semi-novel attack methods combined with persistent, stealthy […]
|
Threat | Solardwinds Solardwinds | |
 |
2021-01-21 15:28:30 | How did SolarWind Hackers evade Detection? (lien direct) | A report from the Microsoft 365 Defender Team, Microsoft Threat Intelligence Center (MSTIC), and Microsoft Cyber Defence Operations Center (CDOC) details how the SolarWinds hackers managed to remain undetected for so long. The report discloses new details including the steps and tools used to deploy the custom Cobalt Strike loaders (Teardrop, Raindrop, etc.) after the […] | Threat | Solardwinds | |
|
2021-01-19 22:31:27 | Raindrop, a fourth malware employed in SolarWinds attacks (lien direct) | The threat actors behind the SolarWinds attack used malware dubbed Raindrop for lateral movement and deploying additional payloads. Security experts from Symantec revealed that threat actors behind the SolarWinds supply chain attack leveraged a malware named Raindrop for lateral movement and deploying additional payloads. Raindrop is the fourth malware that was discovered investigating the SolarWinds […] | Malware Threat | Solardwinds | |
|
2021-01-19 13:09:32 | SolarWinds Hackers Used \'Raindrop\' Malware for Lateral Movement (lien direct) | The threat group behind the supply chain attack that targeted Texas-based IT management company SolarWinds leveraged a piece of malware named Raindrop for lateral movement and deploying additional payloads, Broadcom-owned cybersecurity firm Symantec reported on Tuesday. | Malware Threat | Solardwinds | |
|
2020-12-29 21:55:38 | SolarWinds hackers aimed at access to victims\' cloud assets (lien direct) | Microsoft says that SolarWinds hackers aimed at compromising the victims’ cloud infrastructure after deploying the Solorigate backdoor (aka Sunburst). The Microsoft 365 Defender Team revealed that the goal of the threat actors behind the SolarWinds supply chain attack was to move to the victims’ cloud infrastructure once infected their network with the Sunburst/Solorigate backdoor. “With […] | Threat Mobile | Solardwinds | |
|
2020-12-29 21:22:00 | Actionable Threat Intelligence Available for Sunburst Cyber Attacks on SolarWinds (lien direct) | On Dec. 13, FireEye published a detailed analysis about the attack carried out against SolarWinds, which appears to have compromised its Orion IT monitoring and management platform to spread the Sunburst Backdoor malware. As part of the attack, which started in March, the Orion platform started sending out the digitally-signed trojanized malware via regular updates. According to SolarWinds, the compromised update may have been installed by fewer than 18,000 of its customers, including many U.S. federal agencies and Fortune 500 firms that use Orion to monitor the health of their IT networks. In a related blog post, FireEye also announced that a highly sophisticated state-sponsored adversary penetrated its network and stole FireEye Red Team tools used to test customers’ security. In response to the attacks, Anomali has collected, curated, and distributed clear and concise open-source intelligence (OSINT) to help organizations determine if they have been impacted. Two key resources released include a SolarWinds Breach Threat Bulletin and a FireEye Red Team Tools Breach Threat Bulletin. These continually updated resources, for use inside Anomali ThreatStream, include threat analysis, signature threat models, and over 2,000 operationalized indicators of compromise (IOCs) for automated distribution to security controls. Both are available now to Anomali’s 1,500 customers. What Can I Do with This Threat Intelligence?...and How to Do It Our intent in aggregating and curating this threat intelligence is to provide organizations with high-fidelity IOCs that can immediately be pushed into their security stacks for rapid, proactive blocking and alerting. Security products that can take advantage of this actionable threat intelligence include security information and event management (SIEM), endpoint detection and response platforms, firewalls, domain name system (DNS) servers, security orchestration, automation, and response (SOAR) platforms, and other operational security products. These Anomali threat bulletins are designed to be used in conjunction with Anomali ThreatStream, a threat intelligence platform that allows organizations to aggregate, curate, analyze, and distribute multiple sources of threat intelligence to their operational security systems. Inside of the SolarWinds Breach Threat Bulletin, all of these IOCs have been tagged with “solarwinds”, “sunburst backdoor”, “unc2452”, or “avsvmcloud.com.” This enables ThreatStream users to create a simple rule to automatically push IOCs to their security systems, enabling real-time defense against both attacks. For example, if a compromised server inside the organization attempts to connect to a command and control (C2) server outside of the organization, Anomali customers that have activated this research will automatically block the C2 URL, avoiding risk of further compromise and data exfiltration. How Can I Get This Intelligence? The Anomali SolarWinds and FireEye Threat Bulletins are automatically available to Anomali’s ThreatStream customers, and all organizations participating in Anomali-powered threat intelligence sharing communities (ISACs). Anomali Threat Research also created a | Malware Threat Mobile | Solardwinds Solardwinds | |
|
2020-12-29 20:12:00 | Anomali ThreatStream Sunburst Backdoor Custom Dashboard Provides Machine Readable IOCs Related To SolarWinds Supply Chain Attack (lien direct) | SolarWinds, a provider of IT management and monitoring software deployed by thousands of global customers, was breached between March and June of 2020 by an Advanced Persistent Threat (APT) that cybersecurity company FireEye is tracking as UNC2452. As part of the supply chain attack, the APT compromised the company’s Orion business software with trojanized malware known as Sunburst, which opens a backdoor into the networks of customers who executed Orion updates.
Immediately following news of the attack, Anomali Threat Research launched a custom threat intelligence dashboard called Sunburst Backdoor. Now available to Anomali ThreatStream customers, the dashboard is accessible via the user console. It is preconfigured to provide immediate access and visibility into all known Sunburst Backdoor indicators of compromise (IOCs) that are made available through commercial and open-source threat feeds that users manage on ThreatStream.
Customers using ThreatStream, Anomali Match, and Anomali Lens can immediately detect any IOCs present in their environments, quickly consume threat bulletins containing machine readable IOCs to operationalize threat intelligence across their security infrastructures, and communicate to all stakeholders how they have been impacted.
As part of ongoing product enhancements that further automate and speed essential tasks performed by threat intelligence and security operations analysts, Anomali recently added thematic dashboards that respond to significant global events. In addition to Sunburst Backdoor, ThreatStream customers currently have access to additional dashboards announced as part of our December quarterly product release.
Customers can integrate Sunburst Backdoor and other dashboards via the “+ Add Dashboard” tab in the ThreatStream console:
After integration, users will have immediate access to the Sunburst Backdoor dashboard, which continually updates IOCs as they become available:
Organizations interested in learning more about Anomali ThreatStream and our custom dashboard capabilities can request a demo here.
For organizations interested in gaining wider visibility and detection capabilities for the Sunburst cyberattack, Anomali Threat Research has compiled and curated an initial threat bulletin and downloadable set of OSINT IOCs available here. |
Malware Threat Mobile | Solardwinds Solardwinds | |
|
2020-12-24 20:15:00 | Sunburst Détails techniques supplémentaires SUNBURST Additional Technical Details (lien direct) |
Fireeye a découvert des détails supplémentaires sur la porte dérobée Sunburst depuis notre publication initiale le 13 décembre 2020. Avant de plonger dans la profondeur technique de ce logiciel malveillant, nous recommandons aux lecteurs de se familiariser avec notre article de blog sur le Solarwinds Supply Compromis , qui a révélé une campagne d'intrusion mondiale par une campagne sophistiquée sophistiquée Acteur de menace que nous suivons actuellement UNC2452.
Sunburst est une version trojanisée d'un plugin SolarWinds Orion signé numérique appelé solarwinds.orion.core.businesslayer.dll .Le plugin contient une porte dérobée qui communique via HTTP à un tiers
FireEye has discovered additional details about the SUNBURST backdoor since our initial publication on Dec. 13, 2020. Before diving into the technical depth of this malware, we recommend readers familiarize themselves with our blog post about the SolarWinds supply chain compromise, which revealed a global intrusion campaign by a sophisticated threat actor we are currently tracking as UNC2452. SUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third party |
Threat | Solardwinds | ★★★★ |
|
2020-12-23 23:45:25 | Why SolarWinds-SUNBURST is our Cyber Pearl Harbor (lien direct) | 
On December 13, 2020, FireEye announced that threat actors had compromised SolarWinds's Orion IT monitoring and management software and used it to distribute a software backdoor to dozens of that company's customers, including several high profile U.S. government agencies. Many are referring to the SolarWinds-SUNBURST campaign incidents as the long-prophesied “Cyber Pearl Harbor.” We agree, […]
|
Threat | Solardwinds | |
|
2020-12-22 21:52:57 | Researchers shared the lists of victims of SolarWinds hack (lien direct) | Security experts shared lists of organizations that were infected with the SolarWinds Sunburst backdoor after decoding the DGA mechanism. Security experts started analyzing the DGA mechanism used by threat actors behind the SolarWinds hack to control the Sunburst/Solarigate backdoor and published the list of targeted organizations. Researchers from multiple cybersecurity firms published a list that […] | Hack Threat Mobile | Solardwinds Solardwinds | |
 |
2020-12-22 09:11:33 | SolarWinds victims revealed after cracking the Sunburst malware DGA (lien direct) | Security researchers have shared lists of organizations where threat actors deployed Sunburst/Solarigate malware, after ongoing investigations of the SolarWinds supply chain attack. [...] | Malware Threat | Solardwinds Solardwinds | |
|
2020-12-21 21:32:24 | (Déjà vu) How A Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise (lien direct) | 
In a blog post released 13 Dec 2020, FireEye disclosed that threat actors compromised SolarWinds's Orion IT monitoring and management software with a trojanized version of SoalrWinds.Orion.Core.BusinessLayer.dll delivered as part of a digitally-signed Windows Installer Patch. The trojanized file delivers a backdoor, dubbed SUNBURST by FireEye (and Solorigate by Microsoft), that communicates to third-party servers for […]
|
Threat Mobile | Solardwinds Solardwinds | |
|
2020-12-21 02:00:00 | How to prepare for the next SolarWinds-like threat (lien direct) | The insertion of malware into SolarWinds' popular Orion network management software sent the federal government and major parts of corporate America scrambling this week to investigate and mitigate what could be the most damaging breach in US history. The malware, which cybersecurity company FireEye (itself the first public victim of the supply chain interference) named SUNBURST, is a backdoor that can transfer and execute files, profile systems, reboot machines and disable system services. | Malware Threat | Solardwinds | |
|
2020-12-17 23:27:06 | Additional Analysis into the SUNBURST Backdoor (lien direct) | 
Executive Summary There has been considerable focus on the recent disclosures associated with SolarWinds, and while existing analysis on the broader campaign has resulted in detection against specific IoCs associated with the Sunburst trojan, the focus within the Advanced Threat Research (ATR) team has been to determine the possibility of additional persistence measures. Our analysis […]
|
Threat Mobile | Solardwinds Solardwinds | |
|
2020-12-17 13:01:01 | Attribution de débunchage: comment mandiant suit les acteurs de menace non classés DebUNCing Attribution: How Mandiant Tracks Uncategorized Threat Actors (lien direct) |
Beaucoup de gens entendent le terme UNC pour la première fois après avoir publié les détails d'un groupe de menaces que nous appelons Un2452 .Groupes «UNC» - ou non «non classés», les groupes sont une analyse d'attribution brute que nous avons auparavant gardée principalement en interne.Nous avons récemment commencé à déployer des informations UNC à Advantage mandiant Clients parce que nous voulons donner aux utilisateurs un accès direct aux matériaux source et brutsAnalyse que les experts mandiants utilisent pour rédiger des renseignements, répondre aux violations et défendre nos clients.À la lumière des événements récents, nous voulons fournir plus de détails au plus grand public sur la désignation UNC.
Many people are hearing the term UNC for the first time after we published details of a threat group we refer to as UNC2452. “UNC” groups-or “uncategorized” groups-are raw attribution analysis that we previously kept primarily in house. We recently began rolling out UNC information to Mandiant Advantage customers because we want to give users direct access to source materials and raw analysis that Mandiant experts use to write intelligence, respond to breaches, and defend our clients. In light of recent events, we want to provide some more details to the greater public on the UNC designation. |
Threat | Solardwinds | ★★★ |
 |
2020-12-16 19:28:13 | SolarWinds Sunburst Attack: What Do You Need to Know and How Can You Remain Protected (lien direct) | On the week of December 13th , US government offices exposed they were targeted by a series of mega cyber attacks, allegedly related to state-sponsored threat organizations. Those attacks targeted government, technology and enterprise organizations worldwide. This series of attacks was made possible when hackers were able to embed a backdoor into SolarWinds software updates. Over… | Threat Mobile | Solardwinds Solardwinds | |
|
2020-12-16 16:48:26 | SUNBURST Malware and SolarWinds Supply Chain Compromise (lien direct) | 
Part I of II Situation In a blog post released 13 Dec 2020, FireEye disclosed that threat actors compromised SolarWinds's Orion IT monitoring and management software with a trojanized version of SoalrWinds.Orion.Core.BusinessLayer.dll. The trojanized file delivers the SUNBURST malware through a backdoor as part of a digitally-signed Windows Installer Patch. Use of a Compromised Software Supply […]
|
Malware Threat | Solardwinds |
1
We have: 30 articles.
We have: 30 articles.
To see everything:
Our RSS (filtrered)
