What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-09-29 17:00:00 | Introducing the Anomali Technology Partner Program (TPP) (lien direct) | Delivering a broad spectrum of threat intelligence and security integrations for the Anomali community
Technology partners have always been an integral part of the value proposition that Anomali brings to our customers. From integrating with leading global research vendors to deliver global threat intelligence at scale, to automated delivery of intelligence to security control products for remediation, our broad partner ecosystem is invaluable. Today we’re announcing the Anomali Technology Partner Program (TPP) – a significant investment that will provide technology partners everything they need to develop innovative and differentiated product and service offerings that complement Anomali’s solution portfolio.
Partner Tiers
The program is designed to reward partners who make the biggest commitment to developing value-added solutions that solve customer problems and drive mutual business. The program is structured around the following partner tiers based on the depth of the partnership:
Partners will have the opportunity to get promoted from the Foundation to the Advanced tier as their integrated solutions get deployed in the marketplace. Participation at the Premier tier comes with the most benefits across technical, marketing and sales activities, and is by invitation only.
Criteria for Participation and Partner Tiering
There are many factors to consider when establishing a technology partnership. At Anomali we’re completely focused on customer satisfaction, so we ask that partners have at least one customer requesting the integration, which ensures we’re meeting a need in the marketplace. Below are the primary criteria used for program participation and how Anomali places partners in the three different tiers:
Partner Integration Tracks
One thing that hasn’t changed is the types of integrations that Anomali will deliver via our partner ecosystem. Intelligence sharing is core to everything we do and is critical for successfully stopping attackers and preventing breaches. Below are the three integration tracks available through the program:
Summary
Heterogeneous environments are a reality and customers need solutions that are integrated and drive value out-of-the-box. The Anomali TPP delivers a broad array of specialized threat intelligence and integrations with leading security technology vendors to speed detection, streamline investigations and increase analyst productivity.
Contact techpartners@anomali.com to learn more or apply for program membership. |
Threat Guideline | ||
|
2021-09-28 15:30:00 | Anomali Cyber Watch: Microsoft Exchange Autodiscover Bugs Leak 100K Windows Credentials, REvil Ransomware Reemerges After Shutdown, New Mac Malware Masquerades As iTerm2 and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, BlackMatter, Phishing, Malicious PowerPoint, Microsoft Exchange, REvil and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Malicious PowerPoint Documents On The Rise
(published: September 22, 2021)
McAfee Labs researchers have observed a new phishing campaign that utilizes macro capabilities available in Microsoft PowerPoint. The sentiment used here is finance related themes such as purchase orders. In this campaign, the spam email comes with a PowerPoint file as an attachment. Upon opening the malicious attachment, the VBA macro executes to deliver variants of AgentTesla which is a well-known password stealer. Attackers use this remote access trojan (RAT) as MaaS (Malware-as-a-Service) to steal user credentials and other information from victims through screenshots, keylogging, and clipboard captures.
Analyst Comment: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Remote Access Tools - T1219
Tags: AgentTesla, RAT, MaaS, Malware-as-a-Service, VBA macro, Banking And Finance
Microsoft Exchange Autodiscover Bugs Leak 100K Windows credentials
(published: September 22, 2021)
According to researchers from Guardicore have found a bug in the implementation of the “Autodiscover'' protocol is causing Microsoft Exchange’s Autodiscovery feature to automatically configure a user's mail client, such as Microsoft Outlook, with their organization's predefined mail settings. This is causing Windows credentials to be sent to third-party untrusted websites. Researchers have identified that this incorrect implementation has leaked approximately 100,000 login names and passwords for Windows domains worldwide.
Analyst Comment: Administrators are recommended to block TLD domains provided by researchers on github. https://github.com/guardicore/labs_campaigns/tree/master/Autodiscover. Even though most of the domains may not be malicious, adversaries can easily register and take them over. Also organisations are recommended to disable basic authentication.
Tags: EU & UK, China
Netgear SOHO Security Bug Allows RCE, Corporate Attacks
(published: September 22, 2021)
Researchers at Grimm discovered a high-severity security bug affecting several Netgear small office/home office (SOHO) routers could allow remote c |
Ransomware Spam Malware Vulnerability Threat | ||
|
2021-09-21 16:09:00 | Anomali Cyber Watch: Vermillion Strike, Operation Layover, New Malware Uses Windows Subsystem For Linux and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Strike, ELF, Data Leak, MSHTML, Remote Code Execution, Windows Subsystem, VBScript, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
CISA: Patch Zoho Bug Being Exploited by APT Groups
(published: September 17, 2021)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a critical authentication bypass vulnerability, registered as “CVE-2021-4053,” that affects Zoho’s “ManageEngine ADSelfService Plus.” The vulnerability affects ManageEngine, a self-service password management and single sign-on solution from the online productivity vendor. The vulnerability is a Remote Code Execution (RCE) bypass vulnerability that could allow for remote code execution if exploited, according to the CISA. A successful exploitation of the vulnerability allows an actor to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, lateral movement, and exfiltrating registry hives and Active Directory files. Zoho released a patch for this vulnerability on September 6, but CISA claimed that malicious actors might have been exploiting it as far back as August.
Analyst Comment: Users should immediately apply the patch released by Zoho. Continuing usage of vulnerable applications will increase the likelihood that threat actors will attempt to exploit them, especially with open sources discussing the details of some vulnerabilities. These sources could allow some actors to create exploits to vulnerable software with malicious intent.
MITRE ATT&CK: [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Valid Accounts - T1078
Tags: APT, Bug, Vulnerability, Zoho
Operation Layover: How We Tracked An Attack On The Aviation Industry to Five Years of Compromise
(published: September 16, 2021)
Cisco Talos, along with Microsoft researchers, have identified a spearphishing campaign targeting the aviation sector that has been targeting aviation for at least two years. The actors behind this campaign used email spoofing to masquerade as legitimate organizations. The emails contained an attached PDF file that included an embedded link, containing a malicious VBScript which would then drop Trojan payloads on a target machine. The malware was used to spy on victims as well as to exfiltrate data including credentials, screenshots, clipboard, and webcam data. The threat actor attributed to this campaign has also been linked to crypter purchases from online forums; his personal phone number and email addresses were revealed, although these findings have not been verified. The actor is located in Nigeria and is suspected of being active since at least 2013, due to IPs connected to hosts, domains, and the attacks at large originate from this country.
Analyst Comment: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a |
Spam Malware Tool Vulnerability Threat | ||
|
2021-09-14 15:00:00 | Anomali Cyber Watch: Azurescape Cloud Threat, MSHTML 0-Day in The Wild, Confluence Cloud Hacked to Mine Monero, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, Confluence, Cloud, MSHTML, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.
Trending Cyber News and Threat Intelligence
S.O.V.A. – A New Android Banking Trojan with Fowl Intentions
(published: September 10, 2021)
ThreatFabric researchers have discovered a new Android banking trojan called S.O.V.A. The malware is still in the development and testing phase and the threat actor is publicly-advertising S.O.V.A. for trial runs targeting banks to improve its functionality. The trojan’s primary objective is to steal personally identifiable information (PII). This is conducted through overlay attacks, keylogging, man-in-the-middle attacks, and session cookies theft, among others. The malware author is also working on other features such as distributed denial-of-service (DDoS) and ransomware on S.O.V.A.’s project roadmap.
Analyst Comment: Always keep your mobile phone fully patched with the latest security updates. Only use official locations such as the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Furthermore, always review the permissions an app will request upon installation.
MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Man-in-the-Middle - T1557 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Android, Banking trojan, S.O.V.A., Overlay, Keylogging, Cookies, Man-in-the-Middle
Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances
(published: September 9, 2021)
Unit 42 researchers identified and disclosed critical security issues in Microsoft’s Container-as-a-Service (CaaS) offering that is called Azure Container Instances (ACI). A malicious Azure user could have compromised the multitenant Kubernetes clusters hosting ACI, establishing full control over other users' containers. Researchers gave the vulnerability a specific name, Azurescape, highlighting its significance: it the first cross-account container takeover in the public cloud.
Analyst Comment: Azurescape vulnerabilities could have allowed an attacker to execute code on other users' containers, steal customer secrets and images deployed to the platform, and abuse ACI's infrastructure processing power. Microsoft patched ACI shortly after the discl |
Ransomware Spam Malware Tool Vulnerability Threat Guideline | Uber APT 41 APT 15 | |
|
2021-09-09 14:00:00 | Optimizing Your Cybersecurity with Intelligence-Powered Detection (lien direct) | The recent large-scale cyberattacks have shown that any organization, regardless of size or industry, may be targeted at any time. Despite deploying multiple tools, security teams struggle to pinpoint relevant threats, wasting time sifting through incoming data and false positives and cannot act swiftly to real threats facing their business. A recent Dark Reading study revealed that while many organizations have improved their threat detection capabilities over the last few years, they lack threat visibility and are still reliant on too many manual processes. These shortcomings in combating cyber threats result in alert fatigue, smoldering fires, and siloed threat intelligence. The question then becomes: “How can my organization optimize its threat detection system?” Threat Detection as Process There are multiple ways to detect a potential threat. These can include global threat intelligence, human expertise in threat identification, and advanced tools for identifying malicious activity. While all are essential elements, they need to working effectively to create an optimized security program. Too often, the security process goes in one direction, from threat intelligence gathering to analysis and monitoring by the security operations center (SOC) and then on to security engineering to prioritize remediation. Creating a collaborative system with feedback loops between security teams and other key stakeholders is a much more effective way to avoid siloed intelligence and rapidly identify relevant threats. In this security ecosystem approach, the threat intel team automates intelligence gathering, prioritizes against intelligence initiatives, and incorporates any new requirements coming from security engineering. The SOC then monitors and prioritizes the continually updating threat requirements to help the threat team find relevant attacks. Security engineering prioritizes remediation and then feeds the revised intelligence requirements back to the SOC, reflecting any changes in vulnerabilities. Intelligence-Powered Threat Detection Implementing an effective collaborative system with two-way fluid communication requires intelligence-powered threat detection. Detection enables intelligent orchestration through your security organization and ensures that the global intelligence is relevant. Machine learning is leveraged to make sure severity scoring is conducted quickly and effectively. An intelligence-driven platform can process millions of indicators of compromise (IoCs) and billions of internal log entries, operationalizing threat data and automatically showing security teams what is relevant to them and which data are actionable intelligence. The identified indicators of interest can then be fed directly to the endpoints and firewalls for blocking. Extended Detection and Response or XDR Extended detection and response or XDR is a security framework that unifies threat detection and response into a single platform. It collects and correlates data automatically from disparate security components installed in a customer's environment. XDR can provide better security than isolated tools by reducing the complexity of security configuration and incident response. For example, you can extinguish smoldering fires using XDR, as big data support on the backend enables quick indexing and searches going back years. Alert fatigue is relieved by the automated updating of IRs and allowing threat intelligence teams to focus on relevant IoCs. And, because it bridges different tools and systems, XDR can also facilitate feedback loops between cybersecurity teams and stakeholders. Vendor-agnostic XDR platforms | Tool Threat | ||
|
2021-09-07 19:29:00 | Anomali Cyber Watch: FIN7 Using Windows 11 To Spread JavaScript Backdoor, Babuk Source Code Leaked, Feds Warn Of Ransomware Attacks Ahead Of Labor Day and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Babuk, Cryptocurrency, Data breach, FIN7, Proxyware, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Cybercrime Group FIN7 Using Windows 11 Alpha-Themed Docs to Drop Javascript Backdoor
(published: September 3, 2021)
Researchers from the Anomali Threat Research team have identified six Windows 11 themed malicious Word documents, likely being used by the threat actor FIN7 as part of phishing or spearphishing attacks. The documents, dating from late June/early July 2021, contain malicious macros that are used to drop a Javascript backdoor, following TTPs to previous FIN7 campaigns. FIN7 are a prolific Eastern European cybercrime group, believed to be responsible for stealing over 15 million card records in the US alone. Despite several high profile arrests, activity like this illustrates they are more than capable of continuing to target victims.
Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros be enabled.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Account Discovery - T1087
Tags: FIN7, phishing, spearphishing, maldoc, Windows 11, carding POS, javascript, backdoor, CIS
Feds Warn of Ransomware Attacks Ahead of Labor Day
(published: September 1, 2021)
The FBI and CISA put out a joint cybersecurity advisory Tuesday noting that ransomware actors often ambush organizations on holidays and weekends when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity. Often during holiday weekends, IT departments are staffed by skeleton crews, limiting their ability to respond and remediate to incidents. Holidays can also present tempting lures for phishing attacks. While the agencies haven' |
Ransomware Malware Tool Vulnerability Threat Guideline | ||
|
2021-09-02 19:34:00 | Cybercrime Group FIN7 Using Windows 11 Alpha-Themed Docs to Drop Javascript Backdoor (lien direct) | Authored by: Gage Mele, Tara Gould, Rory Gould, and Sean Townsend Key Findings Anomali Threat Research discovered six malicious Windows 11 Alpha-themed Word documents with Visual Basic macros being used to drop JavaScript payloads, including a Javascript backdoor. While we cannot conclusively identify the attack vector for this activity, our analysis. strongly suggests the attack vector was an email phishing or spearphishing campaign. We assess with moderate confidence that the financially motivated threat group FIN7 is responsible for this campaign. Based on the file names observed in this campaign, the activity likely took place around late-June to late-July 2021. Overview Anomali Threat Research conducted analysis on malicious Microsoft Word document (.doc) files themed after Windows 11 Alpha and assess with moderate confidence that these Word documents were part of a campaign conducted by the threat group FIN7. The group’s goal appears to have been to deliver a variation of a JavaScript backdoor used by FIN7 since at least 2018.[1] FIN7 FIN7 is an Eastern European threat group that has been active since at least mid-2015. They primarily target United States (US)-based companies across various industries but also operate on a global scale. The group is one of the world’s most notorious cybercrime groups and has been credited with the theft of over 15 million payment card records that cost organizations around the world approximately one billion dollars (USD) in losses.[2] In the US alone, the group has targeted over 100 companies and compromised the networks of organizations in 47 states and the District of Columbia.[3] While FIN7’s primary objective is to directly steal financial information, such as credit and debit card data, they will also steal sensitive information to sell on underground marketplaces. There has been a concerted attempt by law enforcement to tackle the group, including the arrest of three members arrested August 2018 and a high-level organizer in April 2021.[4] Despite these personnel losses and media attention, the group has continued a steady stream of documented activity since at least 2015.[5] In early 2021, FIN7 was identified as gaining illicit access to a law firm’s network by using a fake legal complaint themed around Brown-Forman Inc., the parent company of Jack Daniels whiskey.[6] Related Groups FIN7 is closely associated with the threat group referred to as “Carbanak,” with the two groups sharing a significant number of TTPs including the use of the Carbanak backdoor.[7] As such, news media and some intelligence vendors use the names interchangeably. To add to the confusion, different vendors will use their own naming conventions for each group that include: FIN7 - Carbon Spider (Crowdstrike), Gold Niagara (Secureworks), Calcium (Symantec) Carbanak - Carbon Spider (Crowdstrike), Anunak (Group-IB) Trend Micro released a report in April 2021 outlining the differences in TTPs between the two groups and MITRE also track the two groups separately.[8] For clarity, we will treat FIN7 and Carbanak as separate groups; the main distinction being FIN7 focuses on hospitality and retail sectors, while Carbanak targets banking institutions. Technical Analysis Word Document MD5 d60b6a8310373c9b84e6760c24185535 File name Users-Progress-072021-1.doc The infection chain began with a Microsoft Word document (.doc) containing a decoy image claiming to have been made with Windows 11 Alpha. The image asks the user to Enable Editing and Enable Content to begin the next stage of activity, as shown in Figure 1 below. | Ransomware Malware Threat | ||
|
2021-09-02 14:00:00 | What Is a Cyber Fusion Center? (lien direct) | Drive Organization-Wide Visibility, Reduce Time to Detection, and Protect Critical Assets With a Cyber Fusion Center The continual and evolving threats to information systems are a constant battle that prompted the creation of cyber intelligence analysts who provide contextualized data, information, and intelligence to those tasked with detecting and defending against attacks. Cyber defense systems need to become more responsive to internal vulnerabilities and adapt to external threats as attack methods evolve more quickly. It is this intelligence that enables them to do so. The cyber fusion center is the hub for actionable threat intelligence. Structurally, it pulls together information and coordinates efforts across security teams; SOC, IT, physical security, fraud, etc. It also integrates multiple automation tools, collecting data from internal and external sources, curating data, and providing actionable intelligence to stakeholders to make informed decisions. Designing a Cyber Fusion Center Organizational Considerations When Creating Your Cyber Fusion Center The primary goal and advantage of having a cyber fusion center is making cybersecurity an integral part of your organization. It allows you to manage risk holistically. Keeping this in mind, processes that produce actionable intel should be modeled first before creating organizational and system structures. Acknowledging that existing systems are managed by different groups and integrating competing priorities is essential. Systems will also need to be integrated, with redundancies identified and streamlined. Finally, each organization will have its own culture that should be taken into consideration throughout this process. Teams: Is Your Cyber Fusion Center Communicating Cross-Functionally? Resilient cyber fusion centers start with a circular flow of communication with priority intelligence requirement (PIR)-driven inputs. This cyber intelligence provides the most timely and comprehensive intelligence on external threats to the security operations center (SOC) for detection, monitoring, threat hunting, and, when needed, incident response. In return, those acting on the threats can recommend adjustments to PIRs that continually improve the necessary intelligence to inform proactive threat detection and respond better. That feedback ensures that the threat intelligence team remains focused on collecting and delivering threat intelligence aligned to organizational PIRs. In addition, this flow of intelligence should be infused with relevant information from functional areas with high-risk vulnerabilities (e.g., Human Resources, Finance, Fraud, etc.). For example, a cyber intelligence team might discover a new ransomware campaign utilizing a specific tool and architecture. That intelligence is reported to the SOC with additional context of the group most likely responsible for the campaign, their other known tactics, techniques, and procedures (TTPs), and indicators of compromise (IOCs). The likelihood that the newly discovered campaign could impact the organization is based on a deeper understanding of the culprits’ motives, objectives, and previous actions. This type of intelligence empowers the SOC to prioritize response actions proactively to improve the organization’s security posture against both the immediate threat posed by the indicators of compromise (IOCs) and future threats posed by the same actor and their campaigns. Tools: Managing Your Security Stack With a Cyber Fusion Center While organizational processes are the basis for creating an effective cyber fusion center, automation tools are also essential. The risks of not automating can include missed threats, dormant threats, siloed threat intel, and unaligned intel. You can enrich global threat intelligence through associated intelligence, peer sharing, and local telemetry; this enrichment begins | Ransomware Tool Threat | ||
|
2021-08-31 16:40:00 | Anomali Cyber Watch: Ransomware Group Activity, Credential Phishing with Trusted Redirects, F5 BIG-IP Bugs, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, Backdoor, FIN8, iPhone, Phishing, Vulnerabilities, and XSS . The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the "Anomali Cyber Watch" tag.
Trending Cyber News and Threat Intelligence
Widespread Credential Phishing Campaign Abuses Open Redirector Links
(published: August 26, 2021)
Microsoft has identified a phishing campaign that utilizes trusted domains combined with domain-generating algorithms and CAPTCHA portals that redirect users to malicious websites. These sites will prompt users to “re-enter” their credentials, scraping the login data. Since the initial domains are trusted, standard measures such as mousing over the link will only show the trusted site, and email filters have been allowing the traffic.
Analyst Comment: Because of the nature of these types of phishing attacks, only reset your password going through the official domain website and not through any emailed links. Be sure to check the URL address if going through a link to verify the site if asked to enter any credential information.
MITRE ATT&CK: [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Domain Trust Discovery - T1482
Tags: Phishing, Microsoft, North America, Anomali Cyber Watch
FIN8 Cybercrime Gang Backdoors US Orgs with New Sardonic Malware
(published: August 25, 2021)
FIN8, the financially-motivated threat group known for targeting retail, restaurant, and healthcare industries, is using a new malware variant with the end goal of stealing payment card data from POS systems. "Sardonic" is a new C++-based backdoor deployed on targets' systems likely via social engineering or spear-phishing. While the malware is still under development, its functionality includes system enumeration, code execution, persistence and DLL-loading capabilities.
Analyst Comment: Ensure that your organization is using good basic cyber security habits. It is important that organizations and their employees use strong passwords that are not easily-guessable and do not use the default administrative passwords provided because of their typically weak security. Update firewalls and antivirus software to ensure that systems can detect breaches or threats as soon as possible to reduce the severity of consequences. Educate employees on the dangers of phishing emails and teach them how to detect malicious emails. It is also recommended to encrypt any sensitive data at rest and in transit |
Ransomware Malware Tool Vulnerability Threat Guideline | ||
|
2021-08-31 11:00:00 | Anomali August Quarterly Product Release: Achieving Cyber Fusion (lien direct) | Key Highlights of this Release
As summer winds down and we move into fall, the team has been working hard to close out our quarterly release.
We’re excited to announce our quarterly product release update for August 2021, as we continue integrating XDR capabilities across our threat intelligence driven solutions.
Key highlights for this quarter include:
Introduction of Organizational Intelligence Initiatives
Enhanced STIX 2.1 support
Support for MITRE ATT&CK sub-techniques in Security Controls, Investigations, and Lens+ (BETA)
Lens+ Added Features and Microsoft Office 365 Support
Air Gap 5.1 Expanded support and coverage
Introduction of Intelligence Initiatives to Align Organizational Intelligence Goals
Most organizations continue to work in silos. As other technology and intelligence gets introduced to add detection and response capabilities, priorities may not align.
We’re excited to introduce a new feature within ThreatStream called Intelligence Initiatives that enables customers to track and map their organizational security goals and objectives. Intelligence Initiatives provide foundational support for organizations to integrate the CTI (Cyber Threat Intelligence) lifecycle as part of their working process.
Intelligence Initiatives is included as part of your ThreatStream subscription and configured with out-of-the-box initiatives, including ' Adversary Monitoring', ‘Fraudulent Activity’, ‘Phishing, ‘Threat and Risk Analysis, and others.
Once established, organizational goals can be mapped and users can associate appropriate intelligence collections or feeds by tailoring entities to better align activities as well as enhance the decision-making process. An integrated dashboard also provides quick access to key metrics relating to an Initiative, giving management an immediate overview of activity and the ability to track ongoing Intelligence Initiatives being worked on.
Intelligence Initiatives further increases the value of your investment with Anomali and enables analysts to focus their efforts to complete investigations more efficiently, in less time, with more confidence.
Reach out to your CSM to learn more.
Enhanced STIX 2.1 Support for Establishing Object Relationships
Anomali believes in the importance of threat intelligence sharing and continues to increase support for STIX (Structured Threat Information Expression) from Oasis Open.
In this release, we’ve extended the current capabilities of ThreatStream STIX2.1, enabling users to import, edit, and export STIX compliant relationships from ThreatStream for use in 3rd party systems.
The platform now also allows users to create STIX compliant associations or relationships on existing threat intelligence in the platform, enabling the creation of net-new STIX compliant intelligence for use elsewhere.
Look for additional support in upcoming releases.
Support for MITRE ATT&CK Sub-techniques in Security Controls and Investigations
Anomali continues to increase support for the Mitre ATT&CK Framework, making i |
Threat | ||
|
2021-08-30 14:21:00 | White House Continues to Push for Increased Cybersecurity with Meeting with Tech CEOs (lien direct) | More than two dozen leaders of key groups across a variety of fields met at the White House last week to address escalating cyber threats. This included: CEOs of major tech companies such as Alphabet, Amazon, Apple, IBM, and Microsoft Heads of major financial institutions such as Bank of America and JPMorgan Several energy and water companies will also be included, including the leaders of Duke Energy, PG&E, and Southern Company The leaders of Travelers and the University of Texas system Officials from Duke Energy, Pacific Gas, and Electric, and Southern Company The gathering focused on improving information sharing between government agencies, developing new tools to protect critical infrastructure systems, and creating incentives for businesses to adopt better security practices. While it was originally stressed that there was no specific agenda or list of recommendations coming out of the event and billed as an opportunity for attendees to brainstorm ideas, what came out was much more than originally expected: The White House, big tech firms, cyber insurers, and educational organizations pledged to pour more resources into improving the nation's cybersecurity. A variety of near-term funds and initiatives aimed at improving software supply chain security, expanding the cybersecurity workforce, and improving the cyber hygiene of organizations and the general public were promised by public and private partners. Meeting attendees also promised both free tools and incentives to help individuals and organizations increase their security posture. President Biden has been vocal about his concerns regarding growing cyberthreats since he took office. He warned during his first speech as president. He called it a "cybersecurity emergency" and pledged to work closely with Congress to develop solutions. To prevent future breaches we can't afford not to act. Brainstorming sessions are great, but security leaders need to think outside of the box and not rely on the same old same old. The threat landscape is constantly evolving, but are cybersecurity leaders evolving their approach just as fast? In previous blogs, I've stressed that an optimized threat response requires informed courses of action that can often be acquired through threat intelligence sharing with industry peers. It is clear that secure collaboration is one of the keys to improving the nation's as well as individual organization's cybersecurity defenses. Anomali continues to increase our support for sharing intelligence, providing tools such as Anomali STAXX, a free solution offered that supports sharing indicators through STIX and TAXII. Organizations have long sought to bridge security gaps between technologies and people within their organization. Most enterprises have dozens of cybersecurity tools deployed and access to mass volumes of related information, but they continue to work in silos. By breaking barriers between security information silos and functions, organizations can unify key processes and close significant gaps between detection and response capabilities. But this type of cross-functional collaboration isn’t always easy. It requires trust, transparency, and a shared understanding of business objectives. This way of thinking can also be applied more broadly across the industry. Coming together in brainstorming sessions such as this and pledging resources is a step in the right direction. To learn more about the benefits of sharing threat intelligence, download our whitepaper: The Definitive Guide to Sharing Threat Intelligence | Threat Guideline | ||
|
2021-08-24 17:11:00 | Anomali Cyber Watch: ProxyShell Being Exploited to Install Webshells and Ransomware, Neurevt Trojan Targeting Mexican Users, Secret Terrorist Watchlist Exposed, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT37 (InkySquid), BlueLight, Ransomware, T-Mobile Data Breach, Critical Vulnerabilities, IoT, Kalay, Neurevt, and ProxyShell. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.
Trending Cyber News and Threat Intelligence
Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit
(published: August 23, 2021)
Despite patches a collection of vulnerabilities (ProxyShell) discovered in Microsoft Exchange being available in the July 2021 update, researchers discovered nearly 2,000 of these vulnerabilities have recently been compromised to host webshells. These webshells allow for attackers to retain backdoor access to compromised servers for further exploitation and lateral movement into the affected organizations. Researchers believe that these attacks may be related to the recent LockFile ransomware attacks.
Analyst Comment: Organizations running Microsoft Exchange are strongly encouraged to prioritize updates to prevent ongoing exploitation of these vulnerabilities. In addition, a thorough investigation to discover and remove planted webshells should be undertaken as the patches will not remove planted webshells in their environments. A threat intelligence platform (TIP) such as Anomali Threatstream can be a valuable tool to assist organizations ingesting current indicators of compromise (IOCs) and determine whether their Exchange instances have been compromised.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Source - T1153
Tags: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, Exchange, ProxyShell, backdoor
LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers
(published: August 20, 2021)
A new ransomware family, named Lockfile by Symantec researchers, has been observed on the network of a US financial organization. The first known instance of this ransomware was July 20, 2021, and activity is ongoing. This ransomware has been seen largely targeting organizations in a wide range of industries across the US and Asia. The initial access vector remains unknown at this time, but the ransomware leverages the incompletely patched PetitPotam vulnerability (CVE-2021-36942) in Microsoft's Exchange Server to pivot to Domain Controllers (DCs) which are then leveraged to deploy ransomware tools to devices that connect to the DC. The attackers appear to remain resident on the network for several |
Ransomware Malware Tool Vulnerability Threat Patching Cloud | APT 37 | |
|
2021-08-17 17:56:00 | Anomali Cyber Watch: Anomali Cyber Watch: Aggah Using Compromised Websites to Target Businesses Across Asia, eCh0raix Targets Both QNAP and NAS, LockBit 2.0 Targeted Accenture, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Critical Infrastructure, Data Storage, LockBit, Morse Code, Ransomware, and Vulnerabilities. . The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Colonial Pipeline Reports Data Breach After May Ransomware Attack
(published: August 16, 2021)
Colonial Pipeline, the largest fuel pipeline in the United States, is sending notification letters to 5,810 individuals affected by the data breach resulting from the DarkSide ransomware attack. During the incident, which occurred during May this year, DarkSide also stole roughly 100GB of files in about two hours. Right after the attack Colonial Pipeline took certain systems offline, temporarily halted all pipeline operations, and paid $4.4 million worth of cryptocurrency for a decryptor, most of it later recovered by the FBI. The DarkSide ransomware gang abruptly shut down their operation due to increased level of attention from governments, but later resurfaced under new name BlackMatter. Emsisoft CTO Fabian Wosar confirmed that both BlackMatter RSA and Salsa20 implementation including their usage of a custom matrix comes from DarkSide.
Analyst Comment: BlackMatter (ex DarkSide) group added "Oil and Gas industry (pipelines, oil refineries)" to their non-target list, but ransomware remains a significant threat given profitability and the growing number of ransomware threat actors with various levels of recklessness. Double-extortion schemes are adding data exposure to a company's risks. Stopping ransomware affiliates requires defense in depth including: patch management, enhancing your Endpoint Detection and Response (EDR) tools with ThreatStream, the threat intelligence platform (TIP), and utilizing data loss prevention systems (DLP).
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Darkside, BlackMatter, Colonial Pipeline, Oil and Gas, Ransomware, Salsa20, Data Breach, USA
Indra — Hackers Behind Recent Attacks on Iran
(published: August 14, 2021)
Check Point Research discovered that a July 2021 cyber attack against Iranian railway system was committed by Indra, a non-government group. The attackers had access to the targeted networks for a month and then deployed a previously unseen file wiper called Meteor effectively disrupting train service throughout the country. Previous versions of the Indra wiper named Stardust and Comet were seen in Syria, where Indra was attacking oil, airline, and financial sectors at least since 2019.
Analyst Comment: It is concerning that even non-government threat actors can damage a critical infrastructure in a large country. Similar to ransomware protection, with regards to wiper attacks organizations should improve their intrusion detection methods and have a resilient backup system.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] File Deletion - T1107 | |
Ransomware Data Breach Malware Hack Tool Vulnerability Threat Guideline | APT 27 APT 27 | |
|
2021-08-12 15:00:00 | Aggah Using Compromised Websites to Target Businesses Across Asia, Including Taiwan Manufacturing Industry (lien direct) | Authored by: Tara Gould and Rory Gould
Key Findings
Spearphishing emails are targeting the manufacturing industry in Taiwan and Korea to spread malware.
Compromised websites are being used to host malicious JavaScript, VBScript and PowerShell scripts; delivering Warzone RAT.
Anomali Threat Research assesses with moderate confidence that this campaign is being conducted by the threat group Aggah.
Overview
Anomali Threat Research discovered a spearphishing campaign that appears to have begun in early July 2021, targeting the manufacturing industry in Asia. The tactics, techniques, and procedures (TTPs) identified in this campaign align with the threat group Aggah. Our analysis found multiple PowerPoint files that contained malicious macros that used MSHTA to execute a script utilizing PowerShell to load hex-encoded payloads. Based on the TTPs of this campaign, we assess with moderate confidence this is Aggah.
Aggah
Aggah is an information-motivated threat group that was first identified in March 2019 by researchers from Unit 42.[1] The researchers initially believed the activity was a campaign targeting entities in the United Arab Emirates (UAE). Further investigation by the same team revealed it to be a global phishing campaign designed to deliver RevengeRat.[2]
Unit 42 initially-believed, due to shared high level TTPs as well as the use of RevengeRat, Aggah was associated with the Gorgon Group, a Pakistani group known for targeting Western governments.[3] However, there were prominent Gorgon Group indicators not observed during that investigation, and therefore Unit 42 was unable to formally associate Aggah with the Gorgon Group. Other researchers agree that Aggah is an Urdu speaking Pakistani group due to the use of Urdu words written in Latin script but stress this does not mean they are the Gorgon Group.[4]
Aggah has been consistently active since 2019, generally using the same identifiable TTPs. This past year was a notable year for the group, with a 2020 campaign targeting Italian organizations and manufacturing sectors around the world.[5] Later that same year, Aggah were observed likely selling or loaning malware to lower-level Nigerian actors.[6] Historically the group has used Internet Archive, Pastebin and Blogspot to host malicious scripts and payloads, usually RevengeRAT.[7] The move to using compromised sites is likely due to fact the Internet Archive hosted files are being taken down much quicker and is a notable change for Aggah.
Technical Analysis
Email
The infection process began with a custom spearphishing email masquerading as “FoodHub.co.uk”, an online food delivery service based in the United Kingdom. The body of the email contained order and shipping information along with an attached PowerPoint file named “Purchase order 4500061977,pdf.ppam”. The email in Figure 1 below was sent on July 8, 2021 to Fon-star International Technology, a Taiwan-based manufacturing company. Other spearphishing emails were sent to CSE group, a Taiwanese manufacturing company, FomoTech a Taiwanese engineering company, and to Hyundai Electric, a Korean power company. Spoofed business-to-business (B2B) email addresses against the targeted industry is activity consistent with Aggah.[8]
Figure 1 - Spoofed Spearphishing Email Sent to Fon Star
PowerPoint File
File name Purchase order 4500061977,pdf.ppam
MD5 b5a31dd4a6af746f32149f9706d68f45
When we analyzed the PowerPoint file, we found obfuscated macros (Figure 2) contained in the document that used MSHTA to execute JavaScript from “http://j[.]mp/4545h |
Malware Tool Threat | ||
|
2021-08-10 17:39:00 | Anomali Cyber Watch: GIGABYTE Hit By RansomEXX Ransomware, Seniors\' Data Exposed, FatalRat Analysis, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Chinese state hackers, Data leak, Ransomware, RAT, Botnets, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Actively Exploited Bug Bypasses Authentication On Millions Of Routers
(published: August 7, 2021)
The ongoing attacks were discovered by Juniper Threat Labs researchers exploiting recently discovered vulnerability CVE-2021-20090. This is a critical path traversal vulnerability in the web interfaces of routers with Arcadyan firmware that could allow unauthenticated remote attackers to bypass authentication. The total number of devices exposed to attacks likely reaches millions of routers. Researchers identified attacks originating from China and are deploying a variant of Mirai botnet on vulnerable routers.
Analyst Comment: Attackers have continuous and automated routines to look out for publicly accessible vulnerable routers and exploit them as soon as the exploit is made public. To reduce the attack surface, routers management console should only be accessible from specific public IP addresses. Also default password and other security policies should be changed to make it more secure.
Tags: CVE-2021-20090, Mirai, China
Computer Hardware Giant GIGABYTE Hit By RansomEXX Ransomware
(published: August 7, 2021)
The attack occurred late Tuesday night into Wednesday and forced the company to shut down its systems in Taiwan. The incident also affected multiple websites of the company, including its support site and portions of the Taiwanese website. Attackers have threatened to publish 112GB of stolen data which they claim to include documents under NDA (Non Disclosure Agreement) from companies including Intel, AMD, American Megatrends unless a ransom is paid.
Analyst Comment: At this point no official confirmation from GIGABYTE about the attack. Also no clarity yet on potential vulnerabilities or attack vectors used to carry out this attack.
Tags: RansomEXX, Defray, Ransomware, Taiwan
Millions of Senior Citizens' Personal Data Exposed By Misconfiguration
(published: August 6, 2021)
The researchers have discovered a misconfigured Amazon S3 bucket owned by the Senior Advisor website which hosts ratings and reviews for senior care services across the US and Canada. The bucket contained more than one million files and 182 GB of data containing names, emails, phone numbers of senior citizens from North America. This exposed data was not encrypted and did not require a password or login credentials to access.
Analyst Comment: Senior citizens are at high risk of online frauds. Their personal information and context regarding appointments getting leaked can lead to targeted phishing scams.
Tags: Data Leak, Phishing, North America, AWS
|
Malware Vulnerability Threat Guideline | APT 41 APT 41 APT 30 APT 27 APT 23 | |
|
2021-08-03 21:45:00 | Answering the Executive Order with Cyber Resilience (lien direct) | Co-written with Jason Burosh As noted previously, President Biden recently signed an Executive Order to improve America's cybersecurity in the wake of major cyberattacks, such as SolarWinds. Although this Executive Order only applies to the federal government and federal government systems. It can also be applied to thousands of government contractors that provide IT goods and services to the US government. The first two sections highlight the need to prioritize detection and response capabilities while sharing threat intelligence. To summarize: Section 1 of the Executive Order covers the Administration’s policy that the prevention, detection, assessment and remediation of cyber incidents is a top priority and essential to national and economic security. You can read more here. Section 2 discusses the need to share threat information about the incidents they suffer with the federal government, as well as collect and preserve data that could aid threat detection, investigation and response, highligted by: “The Executive Order ensures that IT Service Providers are able to share information with the government and requires them to share certain breach information. IT providers are often hesitant or unable to voluntarily share information about a compromise. Sometimes this can be due to contractual obligations; in other cases, providers simply may be hesitant to share information about their own security breaches. Removing any contractual barriers and requiring providers to share breach information that could impact Government networks is necessary to enable more effective defenses of Federal departments, and to improve the Nation's cybersecurity as a whole.” You can find out more info by reading the FACT SHEET The Paradigm Shift Historically, organizations have not shared threat information from the incidents they've suffered. Why? No organization wants to share bad news, especially when it comes to their cybersecurity capabilities. They risk damaging their reputation, losing their customers' trust, and making it seem like they wasted money on their current cybersecurity tools if they share information about incidents that they have suffered. With this Executive Order, the federal government is creating a central authority to collect this threat information and share it publicly. But this approach will work only if organizations step up and rapidly share their incident information. Before we share information as an industry, organizations need to break down their own silos as well. Most enterprises have dozens of cybersecurity tools deployed and access to mass volumes of related information. Despite this, many continue to fall victim to attackers who have figured out how to slip through holes that disparate systems and siloed data leave open. By breaking barriers between security information silos and functions, organizations can unify key processes and close significant gaps between detection and response capabilities. To eliminate barriers and build bridges, organizations need to focus on joining threat intelligence and defensive operations internally to effectively share what's needed to win the war against cyber attackers. Becoming Cyber Resilient While we have a long way to go until the Executive Order comes into fruition, we at Anomali believe strengthening cybersecurity begins with cyber resilience. To achieve a state of resilience, organizations need to elevate their security posture by taking a holistic approach to cybersecurity with a security strate | Threat | ||
|
2021-08-03 15:00:00 | Anomali Cyber Watch: LockBit ransomware, Phony Call Centers Lead to Exfiltration and Ransomware, VBA RAT using Double Attack Vectors, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android malware, APT, Data leak, macOS malware, Phishing, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
BazaCall: Phony Call Centers Lead to Exfiltration and Ransomware
(published: July 29, 2021)
BazaCall campaigns have forgone malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. Actual humans then provide the callers with step-by-step instructions for installing malware. The BazaLoader payload from these campaigns also gives a remote attacker hands-on-keyboard control on an affected user's device, which allows for a fast network compromise. The lack of obvious malicious elements in the delivery methods could render typical ways of detecting spam and phishing emails ineffective.
Analyst Comment: All users should be informed of the risk phishing poses, and how to safely make use of email. They should take notice that a phone number sent to them can be fraudulent too. In the case of infection, the affected system should be wiped and reformatted, and if at all possible the ransom should not be paid. Implement a backup solution for your users to ease the pain of losing sensitive and important data.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credential Dumping - T1003 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: BazaCall, Bazaar, Ransomware
Crimea “Manifesto” Deploys VBA Rat Using Double Attack Vectors
(published: July 29, 2021)
Hossein Jazi has identified a suspicious document named "Манифест". It downloads and executes two templates: one is macro-enabled and the other is an Internet Explorer exploit. While both techniques rely on template injection to drop a full-featured Remote Access Trojan, the IE exploit is an unusual discovery.
Analyst Comment: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Template Injection - T1221 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Modify Registry - T1112
Tags: VBA, Russia, RAT, CVE- |
Ransomware Data Breach Spam Malware Threat Guideline | ||
|
2021-07-29 14:55:00 | The COVID-19 Pandemic Changed Everything, Can You Detect the New Normal? (lien direct) | COVID-19 changed our personal and business lives in ways we never imagined, especially on the technology front. Consumers started using online services at monumental rates, as evidenced by explosive growth across Amazon, Netflix, and on-demand delivery apps. Businesses accelerated the pace of digital transformation with never-before seen speeds, reflected in the meteoric rise of video conferencing, remote work, and cloud growth. Governments increased their use of websites and social media to keep citizens updated on the latest developments in the pandemic and to assist with scheduling appointments for tests and vaccines.
Cyber adversaries certainly didn’t overlook the pandemic as an opportunity. This isn’t just speculation. Since March 2020, Anomali Threat Research has tracked pandemic-related malicious cyber activities, which to date include thousands of indicators of compromise (IOCs), numerous distinct campaigns associated with multiple threat actors, dozens of different malware families, and many various MITRE ATT&CK techniques in use.
Some parts of the world are starting to rebound from the pandemic’s impact, but while there is still uncertainty around when we will fully recover, it’s a sure-fire bet that a more cloud-dependent future will be part of our new “normal.” Public and private sector organizations that want to succeed not only have to innovate to fulfill consumer and business demands for digital products and services, but also how to defend them against adversaries that are increasingly sophisticated and stealthy.
Much of the development problem has been solved, with providers like Amazon, Microsoft, and Google providing the foundation for cloud applications and services such as Amazon Web Services (AWS), Azure, and Google Cloud. Global organizations have even, in many cases, built their own private cloud platforms that can easily and rapidly deploy innovations to any connected endpoint. Unfortunately, cybersecurity hasn’t kept pace. It’s no wonder we are experiencing ransomware attacks like the one that hit the Colonial Pipeline, and breaches as unprecedented as SolarWinds.
Recently, we worked with The Harris Poll to ask more than 2,000 American and 1,000 British adults over 18 how they feel about the possibility of using COVID-19 digital vaccine cards, should they become required for participating in activities like traveling, attending sporting events, in-person school participation, entering a store or government building, etc. Our initial goal was to understand more deeply what both groups’ hopes and fears are when it comes to using smartphone applications to get on with normal life. While we learned a lot about individuals’ attitudes, we also gleaned a few insights that organizations attempting to understand the new digital normal should consider.
The Exploding Attack Surface
The survey revealed that almost all adults in the US (93%) and the UK (89%) have smartphones capable of supporting digital vaccination cards, ranging across almost all popular operating systems. While this is great news for anyone who supports the use of digital health verification solutions, it also serves as a warning. With almost all adults in these populations so interconnected, the likely overlap of their private and business digital lives presents threat actors with a large attack surface for compromising both users and their employers. Organizations that want to leverage the digital future should be happy to hear about how easy it is to reach consumers and connect employees. They also need to prepare to mitigate the associated increased threat this presents.
No Shortage of Fakes
The number of Americans and Brits willing to adopt digital vaccine cards if they become a requiremen |
Ransomware Malware Hack Threat | ||
|
2021-07-27 15:00:00 | Anomali Cyber Watch: APT31 Targeting French Home Routers, Multiple Microsoft Vulnerabilities, StrongPity Deploys Android Malware, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptojacking, Downloaders, Malspam, RATs, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Windows “PetitPotam” Network Attack – How to Protect Against It
(published: July 21, 2021)
Microsoft has released mitigations for a new Windows vulnerability called PetitPotam. Security researcher, Gillesl Lionel, created a proof-of-concept script that abuses Microsoft’s NT Lan Manager (NTLM) protocol called MS-EFSRPC (encrypting file system remote protocol). PetitPotam can only work if certain system functions that are enabled if the following conditions are met: NTLM authentication is enabled on domain, active directory certificate services (AD CS) is being used, certificate authority web enrollment or certificate enrollment we service are enabled. Exploitation can result in a NTLM relay attack, which is a type of man-in-the-middle attack.
Analyst Comment: Microsoft has provided mitigation steps to this attack which includes disabling NTLM on a potentially affected domain, in addition to others.
Tags: Vulnerability, Microsoft, PetitPotam, Man-in-the-middle
APT31 Modus Operandi Attack Campaign Targeting France
(published: July 21, 2021)
The French cybersecurity watchdog, ANSSII issued an alert via France computer emergency response team (CERT) discussing attacks targeting multiple French entities. The China-sponsored, advanced persistent threat (APT) group APT31 (Judgment Panda, Zirconium) has been attributed to this ongoing activity. The group was observed using “a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Resource Hijacking - T1496
Tags: APT, APT31, Judgment Panda, Zirconium, Home routers
StrongPity APT Group Deploys Android Malware for the First Time
(published: July 21, 2021)
Trend Micro researchers conducted analysis on a malicious APK sample shared on Twitter by MalwareHunterTeam. The shared sample was discussed as being a trojanized version of an Android app offered on the authentic Syrian E-Gov website, potentially via a watering-hole attack. Researchers took this information and pivoted further to analyze the backdoor functionality of the trojanized app (which is no longer being distributed on the official Syrian E-Gov website). Additional samples were identified to be contacting URLs that are identical to or following previous r |
Malware Tool Vulnerability Threat | Uber APT 31 | |
|
2021-07-20 15:00:00 | Anomali Cyber Watch: China Blamed for Microsoft Exchange Attacks, Israeli Cyber Surveillance Companies Help Oppressive Governments, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, APT, Espionage, Ransomware, Targeted Campaigns, DLL Side-Loading, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
UK and Allies Accuse China for a Pervasive Pattern of Hacking, Breaching Microsoft Exchange Servers
(published: July 19, 2021)
On July 19th, 2021, the US, the UK, and other global allies jointly accused China in a pattern of aggressive malicious cyber activity. First, they confirmed that Chinese state-backed actors (previously identified under the group name Hafnium) were responsible for gaining access to computer networks around the world via Microsoft Exchange servers. The attacks took place in early 2021, affecting over a quarter of a million servers worldwide. Additionally, APT31 (Judgement Panda) and APT40 (Kryptonite Panda) were attributed to Chinese Ministry of State Security (MSS), The US Department of Justice (DoJ) has indicted four APT40 members, and the Cybersecurity and Infrastructure Security Agency (CISA) shared indicators of compromise of the historic APT40 activity.
Analyst Comment: Network defense-in-depth and adherence to information security best practices can assist organizations in reducing the risk. Pay special attention to the patch and vulnerability management, protecting credentials, and continuing network hygiene and monitoring. When possible, enforce the principle of least privilege, use segmentation and strict access control measures for critical data. Organisations can use Anomali Match to perform real time forensic analysis for tracking such attacks.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Exploitation of Remote Services - T1210
Tags: Hafnium, Judgement Panda, APT31, TEMP.Jumper, APT40, Kryptonite Panda, Zirconium, Leviathan, TEMP.Periscope, Microsoft Exchange, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, Government, EU, UK, North America, China
NSO’s Spyware Sold to Authoritarian Regimes Used to Target Activists, Politicians and Journalists
(published: July 18, 2021)
Israeli surveillance company NSO Group supposedly sells spyware to vetted governments bodies to fight crime and terrorism. New research discovered NSO’s tools being used against non-criminal actors, pro-democracy activists and journalists investigating corruption, political opponents and government critics, diplomats, etc. In some cases, the timeline of this surveillance coincided with journalists' arrests and even murders. The main penetration tool used by NSO is malware Pegasus that targets both iPho |
Ransomware Malware Tool Vulnerability Threat Studies Guideline Industrial | APT 41 APT 40 APT 28 APT 31 | |
|
2021-07-13 15:00:00 | Anomali Cyber Watch: Global Phishing Campaign, Magecart Data Theft, New APT Group, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data Theft, Malicious Apps, Middle East, Phishing, Targeted Campaigns, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Global Phishing Campaign Targets Energy Sector and Its Suppliers
(published: July 8, 2021)
Researchers at Intezer have identified a year-long global phishing campaign targeting the energy, oil and gas, and electronics industry. The threat actors use spoofed or typosquatting emails to deliver an IMG, ISO or CAB file containing an infostealer, typically FormBook, and Agent Tesla. The emails are made to look as if they are coming from another company in the same sector, with the IMG/ISO/CAB file attached, which when opened contains a malicious executable. Once executed, the malware is loaded into memory, helping to evade detection from anti-virus. The campaign appears to be targeting Germany, South Korea, United States, and United Arab Emirates (UAE).
Analyst Comment: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments, in favor of a cloud file hosting service.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Process Injection - T1055
Tags: FormBook, AgentTesla, Phishing, Europe, Middle East
SideCopy Cybercriminals Use New Custom Trojans in Attacks Against India's Military
(published: July 7, 2021)
SideCopy, an advanced persistent threat (APT) group, has expanded its activities and new trojans are being used in campaigns across India accordingaccodring Talos Intelligence. This APT group has been active since at least 2019 and appears to focus on targets of value in cyberespionage. SideCopy have also taken cues from Transparent Tribe (also known as PROJECTM, APT36) in how it uses tools and techniques against the targets. These targets include multiple units of the Indian military and government officials.
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Third-party Software - T1072 | |
Malware Threat | APT 36 | |
|
2021-07-13 15:00:00 | Cyber Threat Intelligence Combined with MITRE ATT&CK Provides Strategic Advantage over Cyber Threats (lien direct) | Many security executives have fundamental familiarity with the MITRE ATT&CK framework, although most perceive it within a narrow set of use cases specific to deeply-technical cyber threat intelligence (CTI) analysts. The truth though, is that when integrated into overall security operations, it can produce profound security and risk benefits. What is MITRE ATT&CK? MITRE ATT&CK serves as a global knowledge base for understanding threats across their entire lifecycle. The framework’s differentiator is its focus on tactics, techniques, and procedures (TTPs) that threats use to operate in the real world, rather than just on typical indicators like IP addresses, file hashes, registry keys, and so on. MITRE ATT&CK offers a rigorous and holistic method for understanding the types of adversaries operating in the wild and their most observed behaviors, and for defining and classifying those behaviors with a common taxonomy. This is an advantage that brings a much-needed level of organization to the chaotic threat landscape organizations face. MITRE ATT&CK has practical applications across a range of security functions when security tooling and processes are mapped to it. By characterizing threats and their TTPs in a standardized way and visualizing them through the MITRE ATT&CK matrix, the framework makes it easier for security leaders and their direct reports to determine and communicate the highest priority threats they are facing and to take more sweeping, strategic actions to mitigate them. In the Weeds? Yes and No At first glance, MITRE ATT&CK can be intimidating. It may even seem too technically in the weeds for executives who are grappling with leadership-level security concerns. However, the truth is that MITRE ATT&CK holds tremendous strategic potential. It can also help accelerate the cybersecurity maturation process. The framework does undoubtedly help security practitioners with their day-to-day technical analysis, making them better at their jobs. However, when used to its full potential, MITRE ATT&CK can help security executives gain better value out of existing technologies, with threat intelligence platforms (TIPs), SIEMs, and other security analytics tools being among these. More importantly, it helps establish strategic visibility into gaps in controls, making it easier to prioritize security investments in people, processes, services, and solutions. CISOs and other security executives could almost think of it as a tool that automates the creation of a roadmap, showing them precisely where the onramps to threats are located in their networks and what vehicles adversaries are using to enter. Let’s take a closer look at how MITRE ATT&CK works and why those in charge of security shouldn’t wait to adopt it into their strategic arsenals. Programmatic Benefits Having established that MITRE ATT&CK provides value to security leaders, let’s consider a few of the genuine benefits it delivers, as it isn’t just in the day-to-day minutiae of security operations where MITRE ATT&CK shines. Overlay. When an organization overlays its existing security posture and controls on top of MITRE ATT&CK-contextualized CTI, it becomes much easier to identify the riskiest control gaps present in the security ecosystem. Productivity. When looking at workflows and the teams available to respond to the MITRE ATT&CK-delineated TTPs most likely to target the organization, leaders can more easily identify at-risk talent and process gaps and then take steps to better address both. Prioritization. As security leaders go through their regularly scheduled validation of security coverage, they should leverage their CTI to identify the most common TTPs relevant to their environments. MITRE ATT&CK can crisply articulate this. With an understanding of where their biggest risks reside, executiv | Tool Threat Guideline | ||
|
2021-07-06 15:05:00 | Anomali Cyber Watch: Thousands attacked as REvil ransomware hijacks Kaseya VSA, Leaked Babuk Locker Ransomware Builder Used In New Attacks and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Babuk, IndigoZebra, Ransomware, REvil, Skimmer, Zero-day and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Shutdown Kaseya VSA Servers Now Amidst Cascading REvil Attack Against MSPs, Clients
(published: July 4, 2021)
A severe ransomware attack reportedly took place against the popular remote monitoring and management (RMM) software tool Kaseya VSA. On July 2, 2021, Kaseya urged users to shut down their VSA servers to prevent them from being compromised. The company estimated that fewer than 40 of their customers worldwide were affected, but as some of them were managed service providers (MSPs), over 1,000 businesses were infected. The majority of known victims are in the US with some in Europe (Sweden) and New Zealand. The attackers exploited a zero-day vulnerability in Kaseya’s systems that the company was in the process of fixing. It was part of the administrative interface vulnerabilities in tools for system administration previously identified by Wietse Boonstra, a DIVD researcher. The REvil payload was delivered via Kaseya software using a custom dropper that dropped two files. A dropper opens an old but legitimate copy of Windows Defender (MsMpEng.exe) that then side loads and executes the custom malicious loader's export. The attack coincided with the start of the US Independence Day weekend, and has several politically-charged strings, such as “BlackLivesMatter” Windows registry key and “DTrump4ever” as a password.
Analyst Comment: Kaseya VSA clients should safely follow the company’s recommendations as it advised shutting Kaseya VSA servers down, and is making new security updates available. Every organization should have a ransomware disaster recovery plan even if it is serviced by a managed service provider (MSP).
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] DLL Side-Loading - T1073
Tags: REvil, Sodinokibi, Gandcrab, Leafroller, Kaseya VSA, ransomware, Ransomware-as-a- Service, zero-day, CVE-2021-30116, supply-chain, North America, USA, Sweden, New Zealand, MSP, RMM, schools
IndigoZebra APT Continues To Attack Central Asia With Evolving Tools
(published: July 1, 2021)
Researchers from Check Point have identified the Afghan Government as the latest victim in a cyber espionage campaign by the suspected Chinese group ‘IndigoZebra’. This attack began in April when Afghan National Security Council (NSC) officials began to receive lure emails claiming to be from the President’s secretariat. These emails included a decoy file that would install the backdoor ‘BoxCaon’ on the system before reaching out to the Dropbox API to act as a C&C server. The attacker would then be able to fingerprint the machine and begin accessing files. I |
Ransomware Spam Malware Tool Vulnerability Threat Guideline | APT 19 APT 10 | |
|
2021-07-01 10:00:00 | Anomali May Quarterly Product Release: Democratizing Intelligence (lien direct) | Anomali’s product team continues to deliver on an aggressive schedule of intelligence-driven cybersecurity solutions, continuing to work in tight unison with our customers and security professionals throughout the product development lifecycle.
We’re excited to announce our quarterly product release update for May 2021. Key highlights for this quarter include:
New Match 4.4 release enhancing Anomali’s extended detection and response capabilities
Custom dashboards aligning global threat intelligence with local SOC threat prioritization activities
Industry news monitoring that leverages Machine Learning to determine global trends
Enhanced STIX 2.1 support with Custom Objects & Relationship Objects
Support for MITRE ATT&CK Framework v9.0 via Attack Patterns
Simplified Integrator upgrade process
Anomali Lens - Outlook for Office 365
Match 4.4 New Features and Improvements
Anomali Match is the first threat detection and response solution that automatically and continuously correlates all your environment logs against all relevant active threat intelligence to expose previously unknown threats that may have already penetrated your enterprise, resulting in faster Mean-Time-To-Detection (MTTD), reduced cost of security incidents, and more efficient security operations.
In this release, we’ve added several new and significant features to improve the value offered by Match to clients, enhancing the fidelity of intelligence we use to identify matches in your environments, and simplifying the normalization of data coming from a variety of different formatted log sources. Furthermore, new alerting capabilities provide enhanced process automation and now support threat model-based alerts.
We’ve also released Universal Link v4.4 and made updates to these dedicated links that enable log event integration with Anomali Match: QRadar, Splunk, and RSA.
.png)
Building Custom Dashboard Widgets Based on Threat Model Data
Dashboards in ThreatStream provide a quick, digestible, and timely source of key metrics on threat intelligence indicators. Custom dashboards can be tailored for a given organization’s or user’s requirements. Users can now develop their own dashboard with widgets based on Threat Model saved searches also, in addition to an Observable saved search. Users can also choose to incorporate out-of-the-box widgets or develop their own, based on an advanced saved search (of Observables or Threat Models). This new feature builds upon features we’ve been adding to ThreatStream over recent releases, i.e. the addition of custom widgets and also the enablement of Threat Model advanced saved searches.
Industry News Trend Widgets in ThreatStream Dashboard
ThreatStream Dashboards provide key decision-making data in an easy-to-digest visual format for all users of ThreatStream - whether research analyst, team manager or CISO. With this release, industry trending news on Actors, Malware and Common Vulnerabilities and Exposures (CVEs) are available as graph widgets within the ThreatStream dashboard. Our trending engine is based on data sourced from a huge array of public and private security news feeds, blogs, and other reputable sources. The graphs provide current lists of trending entities, with pertinent information and graphs showing activity over various timelines. Currently, this feature is exclusive to Anomali Lens+ customers.
MITRE ATT&CK Support for Sub-techniques
The MITRE ATT&CK Security Framework is one of the most widely used tools to help organizations un |
Malware Threat | APT 38 | |
|
2021-06-29 16:29:00 | Anomali Cyber Watch: Microsoft Signs Malicious Netfilter Rootkit, Ransomware Attackers Using VMs, Fertility Clinic Hit With Data Breach and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, NetFilter, Ransomware, QBot, Wizard Spider, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Microsoft Signed a Malicious Netfilter Rootkit
(published: June 25, 2021)
Security researchers recently discovered a malicious netfilter driver that is signed by a valid Microsoft signing certificate. The files were initially thought to be a false positive due to the valid signing, but further inspection revealed that the malicious driver called out to a Chinese IP. Further research has analyzed the malware, dropper, and Command and Control (C2) commands. Microsoft is still investigating this incident, but has clarified that they did approve the signing of the driver.
Analyst Comment: Malware signed by a trusted source is a threat vector that can be easily missed, as organizations may be tempted to not inspect files from a trusted source. It is important for organizations to have network monitoring as part of their defenses. Additionally, the signing certificate used was quite old, so review and/or expiration of old certificates could prevent this malware from running.
MITRE ATT&CK: [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] Install Root Certificate - T1130
Tags: Netfilter, China
Dell BIOSConnect Flaws Affect 30 Million Devices
(published: June 24, 2021)
Four vulnerabilities have been identified in the BIOSConnect tool distributed by Dell as part of SupportAssist. The core vulnerability is due to insecure/faulty handling of TLS, specifically accepting any valid wildcard certificate. The flaws in this software affect over 30 million Dell devices across 128 models, and could be used for Remote Code Execution (RCE). Dell has released patches for these vulnerabilities and currently there are no known actors scanning or exploiting these flaws.
Analyst Comment: Any business or customer using Dell hardware should patch this vulnerability to prevent malicious actors from being able to exploit it. The good news is that Dell has addressed the issue. Patch management and asset inventories are critical portions of a good defense in depth security program.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Peripheral Device Discovery - T1120
Tags: CVE-2021-21571, CVE-2021-21572, CVE-2021-21573, CVE-2021-21574, Dell, BIOSConnect
Malicious Spam Campaigns Delivering Banking Trojans
(published: June 24, 2021)
Analysis from two mid-March 2021 spam campaignts revealed that th |
Ransomware Data Breach Spam Malware Tool Vulnerability Threat Patching | APT 30 | |
|
2021-06-28 19:00:00 | Cybersecurity Sharing: The Scope and Impact of President Biden\'s Executive Order (lien direct) | Co-written with Austin Stubblefield With cyber threats moving from attacks on private businesses to sweeping strikes on national infrastructure, the federal government is shifting resources and implementing new rules and regulations to address the growing challenge. On May 12, the administration outlined many ways federal agencies should improve their security procedures in an executive order signed by President Joe Biden. After the Solar Winds hack, Colonial Pipeline ransomware attack and a series of other high-stakes, high-profile incidents, Biden's executive order laid the groundwork for improving America's cybersecurity protocols. These included: Removing barriers to information sharing Modernize cybersecurity standards in government Improve software supply chain security Establish a cybersecurity safety review board Create a playbook for cyber incidents For this blog, we'll focus on removing barriers to information sharing and how that can help prevent cybersecurity incidents and breaches. The order reads as follows: Remove Barriers to Threat Information Sharing Between Government and the Private Sector. President Biden’s Executive Order on Improving the Nation’s Cyber Security ensures that IT service providers can share information with government agencies and requires them to share certain breach information. IT providers are often hesitant or unable to voluntarily share information about a compromise. Sometimes this can be due to contractual obligations; in other cases, providers simply may be reluctant to share information about their security breaches. Removing any contractual barriers and requiring providers to share breach information that could impact government networks is necessary to enable more effective defenses of federal departments and to improve the nation’s cybersecurity as a whole. As cyber threats become more sophisticated, the need to communicate and collaborate effectively has never been more critical. Sharing threat intelligence can help security teams act quickly and effectively. Unfortunately, most cybersecurity executives are reluctant to share information. Steps to start sharing threat intelligence President John F. Kennedy was fond of the saying “the rising tide lifts all the boats.” And while he was specifically speaking to the economy, the saying rings true to the benefit all organizations see from the act of sharing intelligence. Whether your organization is actively sharing intelligence or hasn’t started, here are some tips on where to get started or enhance your sharing strategy: Tools and communities – Choose appropriate tools and communities to share threat intelligence. Possible options are: Email is the most accessible starting point Write, publish and share threat bulletins. Anomali ThreatStream provides easy to use tools for converting investigations into professional threat bulletins Tools such as Anomali STAXX, a free solution offered by Anomali that supports sharing indicators through STIX and TAXII ISACs and other industry organizations, which generally have mechanisms in place for collaboration and sharing Ad hoc sharing with local entities or partners in other industries Anomali ThreatStream users have an existing and very robust solution for sharing indicators of compromise and other intelligence with other organizations, as well as the ability to create and join industry ISACs and unique sharing communities through Anomali Trusted Circles | Ransomware Threat | ||
|
2021-06-23 15:45:00 | Anomali is Investing in Intelligence Powered Cloud XDR (lien direct) | Our Match XDR Use Cases Stop Breaches I want to extend my gratitude to the various CISOs that I have spent time with during my first three months at Anomali, and the many more that I will be talking to soon. You recognize us as the market leader in global threat intelligence that is enriched by being the hub of threat sharing across trusted circles. You also credit our ThreatStream product for seamless integration with your SIEM, Network, EDR and other security technologies. Some of you have adopted our Match product to deliver specific and powerful use cases in extended detection and response (XDR). Coupled with big data ingestion, we use machine learning and AI to help you stop significant breaches. Today, we are excited to announce that Anomali is investing in intelligence powered cloud XDR using our Match product use cases as the starting foundation. We are ready to have conversations with those of you that want to explore our current Match use cases as well as conversations about cloud XDR, which we expect to deliver later in our fiscal year. If you currently use Match, we expect to provide you with a choice of bridging to cloud XDR. Our mission is to help you improve your security posture and build cyber resilience by stopping breaches, which all starts and ends with intelligence. The best outcome is when we have your feedback, and we work together – please reach out to us. | Threat Guideline | ||
|
2021-06-22 18:18:00 | Anomali Cyber Watch: Klingon RAT Holding on for Dear Life, CVS Medical Records Breach, Black Kingdom Ransomware and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Black Kingdom, Darkside, Go, Klingon Rat, Microsoft PowerApps, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Andariel Evolves to Target South Korea with Ransomware
(published: June 15, 2021)
Researchers at securelist identified ransomware attacks from Andariel, a sub-group of Lazarus targeting South Korea. Attack victims included entities from manufacturing, home network service, media and construction sectors. These attacks involved malicious Microsoft Word documents containing a macro and used novel techniques to implant a multi-stage payload. The final payload was a ransomware custom made for this specific attack.
Analyst Comment: Users should be wary of documents that request Macros to be enabled. All employees should be educated on the risk of opening attachments from unknown senders. Anti-spam and antivirus protections should be implemented and kept up-to-date with the latest version to better ensure security.
MITRE ATT&CK: [MITRE ATT&CK] System Network Connections Discovery - T1049 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Lazarus group, Lazarus, Andariel, Hidden Cobra, tasklist, Manuscrypt, Banking And Finance, Malicious documents, Macros
Matanbuchus: Malware-as-a-Service with Demonic Intentions
(published: June 15, 2021)
In February 2021, BelialDemon advertised a new malware-as-a-service (MaaS) called Matanbuchus Loader and charged an initial rental price of $2,500. Malware loaders are malicious software that typically drop or pull down second-stage malware from command and control (C2) infrastructures.
Analyst Comment: Malware as a Service (MaaS) is a relatively new development, which opens the doors of crime to anyone with the money to pay for access. A criminal organization that wants to carry out a malware attack on a target no longer requires in-house technical expertise or infrastructure. Such attacks in most cases share tactics, techniques, and even IOCs. This highlights the importance of intelligence sharing for proactive protection.
MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016
Tags: BelialDemon, Matanbuchus, Belial, WildFire, EU, North America
Black Kingdom ransomware
(published: June 17 |
Ransomware Data Breach Malware Vulnerability Threat Medical | APT 38 APT 28 | |
|
2021-06-15 16:05:00 | Anomali Cyber Watch: TeamTNT Expand Its Cryptojacking Footprint, PuzzleMaker Attack with Chrome Zero-day, NoxPlayer Supply-Chain Attack Likely The Work of Gelsemium Hackers and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:BackdoorDiplomacy, Gelsemium, Gootkit, Siloscape, TeamTNT, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
NoxPlayer Supply-Chain Attack is Likely The Work of Gelsemium Hackers
(published: June 14, 2021)
ESET researchers have discovered malicious activity dating back to at least 2014 attributed to the Gelsemium cyberespionage group. The group targets electronics manufacturers, governments, religious entities in multiple countries throughout East Asia and the Middle East. Gelsemium demonstrated sophistication in their infection chain with extensive configurations, multiple implants at each stage, and modifying settings on-the-fly for delivering the final payload. The dropper, called Gelsemine, will drop a loader called Gelsenicine that will deliver the final payload, called Gelsevirine.
Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros be enabled.
MITRE ATT&CK: [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Obfuscated Files or Information - T1027
Tags: Cyberespionage, Gelsemium, Supply Chain
BackdoorDiplomacy: upgrading from Quarian to Turian
(published: June 10, 2021)
A new advanced persistent threat (APT) group, dubbed BackdoorDiplomacy, has been targeting ministries of foreign affairs (MOFAs) and telecommunication companies located in Africa and the Middle East since at least 2017, according to ESET researchers. The group was observed targeting “vulnerable internet-exposed devices such as web servers and management interfaces for networking equipment.” BackdoorDiplomacy’s objective is to access a system, use pentesting tools for lateral movement, and install a custom backdoor called “Turian,” which is based on the Quarian backdoor.
Analyst Comment: It is important that your company has patch-maintenance policies in place, particularly if there are numerous internet-facing services your company uses or provides. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: |
Ransomware Malware Vulnerability Threat | Uber | |
|
2021-06-14 15:01:00 | SOAR is an Architecture, Not a Product (lien direct) | Over the past several years, the rising star of security orchestration, automation, and response (SOAR) tools keeps climbing higher. As organizations struggle to handle the crush of alerts surging out of their security controls with not enough cybersecurity professionals to manage the work, SOAR products promise to bring some sanity to the process.
The promise is that SOAR platforms can help security operations teams to sail through the massive volume of alerts they face and better coordinate their security incident response lifecycle with custom playbooks tailored to an organization’s response policies. Many organizations are already starting to reap these benefits.
But as SOAR use cases evolve to real world situations and industry analysts adjust their definition of the market, it's becoming increasingly clear that SOAR is less of a singular platform and more of a comprehensive architecture for tying a lot of threads in the security stack together in a meaningful fashion, including threat intelligence platform (TIP) capabilities.
What is SOAR?
SOAR is part of the cybersecurity industry's long-term push toward improved security automation. As the name suggests, there are three core functions that SOAR products have historically delivered to security teams:
Orchestration: Customized security orchestration helps integrate the dozens of best-of-breed security tools that the typical SOC has accumulated over the years. These tools often do very specialized tasks but teams struggle because they don’t play nicely with one another. Orchestration within a SOAR product is usually used to aggregate data from a number of different sources to enrich alerts, consolidate and deduplicate alert data, and initiate remediation actions on third-party systems.
Automation: In the context of SOAR, security automation executes a sequence of tasks related to a security workflow without requiring much human intervention. It’s typically implemented via ‘playbooks’ that script automated processes to replace time-consuming but relatively simple processes, leaving skilled analysts freed up to carry out more advanced threat mitigation activities.
Response: Incident response consists of alert triage, case management, security incident investigation, threat indicator enrichment, and response actions. For example, a security event or alert should automatically pull in contextual data like IPs, domains, file hashes, user names, and email addresses to provide the analyst a rapid understanding of the security scenario. Then the analyst should be able to issue investigative, containment or response actions against the data.
To accomplish these tasks, SOAR uses threat intelligence to prioritize and enrich the incidents that they manage.
TIP and Gartner's Latest Definition of SOAR
This vital role of threat intelligence management in SOAR has grown to such prominence that many SOAR tools have started building in limited threat intelligence capabilities that mirror some of what a more fully featured TIP would offer.
In fact, Gartner's latest definition of SOAR now names the operationalization of threat intelligence as "table stakes" for SOAR tools. Its 2020 market guide says that SOAR convergence is now not only roping in security incident response platform (SIRP) and security orchestration and automation (SOA) technology, but also TIP technology.
Soar architectures are comprised of a combination of proven technologies, with threat intelligence platforms (TIPs) and the integrations they provide serving as a cornerstone.
But here's the thing, while SOAR is certainly enriched by TIP and while SOAR tools depend on native threat intelligence functionality, true SOAR benefits f |
Tool Threat | ||
|
2021-06-08 15:00:00 | Anomali Cyber Watch: TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations, Necro Python Bots Adds New Tricks, US Seizes Domains Used by APT29 and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, APT29, FluBot, Necro Python, RoyalRoad, SharpPanda, TeaBot and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations
(published: June 4, 2021)
Researchers at Palo Alto have identified a malware repo belonging to TeamTNT, the prominent cloud focused threat group. The repo shows the expansion of TeamTNTs abilities, and includes scripts for scraping SSH keys, AWS IAM credentials and searching for config files that contain credentials. In addition to AWS credentials, TeamTNT are now also searching for Google Cloud credentials, which is the first instance of the group expanding to GCP.
Analyst Comment: Any internal only cloud assets & SSH/Privileged access for customer facing cloud infrastructure should only be accessible via company VPN. This ensures attackers don’t get any admin access from over the internet even if keys or credentials are compromised. Customers should monitor compromised credentials in public leaks & reset the passwords immediately for those accounts.
MITRE ATT&CK: [MITRE ATT&CK] Permission Groups Discovery - T1069
Tags: AWS, Cloud, Credential Harvesting, cryptojacking, Google Cloud, IAM, scraping, TeamTnT, Black-T, Peirates
Necro Python Bots Adds New Tricks
(published: June 3, 2021)
Researchers at Talos have identified updated functionality in the Necro Python bot. The core functionality is the same with a focus on Monero mining, however exploits to the latest vulnerabilities have been added. The main payloads are XMRig, traffic sniffing and DDoS attacks. Targeting small and home office routers, the bot uses python to support multiple platforms.
Analyst Comment: Users should ensure they always apply the latest patches as the bot is looking to exploit unpatched vulnerabilities. Users need to change default passwords for home routers to ensure potential malware on your personal devices don’t spread to your corporate devices through router takeover.
MITRE ATT&CK: [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Remote Access Tools - T1219
Tags: Bot, botnet, Exploit, Monero, Necro Python, Python, Vulnerabilities, XMRig
New SkinnyBoy Ma |
Ransomware Malware Vulnerability Threat Patching Guideline | APT 29 APT 28 | |
|
2021-06-02 15:00:00 | Anomali Cyber Watch: Attacks Against Israeli Targets, MacOS Zero-Days, Conti Ransomware Targeting US Healthcare and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Agrius, Conti, North Korea, JSWorm, Nobelium, Phishing, Strrat and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New Sophisticated Email-based Attack From NOBELIUM
(published: May 28, 2021)
NOBELIUM, the threat actor behind SolarWinds attacks, has been conducting a widespread email campaign against more than 150 organizations. Using attached HTML files containing JavaScript, the email will write an ISO file to disk; this contains a Cobalt Strike beacon that will activate on completion. Once detonated, the attackers have persistent access to a victims’ system for additional objectives such as data harvesting/exfiltration, monitoring, and lateral movement.
Analyst Comment: Be sure to update and monitor email filter rules constantly. As noted in the report, many organizations managed to block these malicious emails; however, some payloads successfully bypassed cloud security due to incorrect/poorly implemented filter rules.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Spearphishing Attachment - T1193
Tags: Nobelium, SolarWinds, TearDrop, CVE-2021-1879, Government, Military
Evolution of JSWorm Ransomware
(published: May 25, 2021)
JSWorm ransomware was discovered in 2019, and since then different variants have gained notoriety under different names such as Nemty, Nefilim, and Offwhite, among others. It has been used to target multiple industries with the largest concentration in engineering, and others including finance, healthcare, and energy. While the underlying code has been rewritten from C++ to Golang (and back again), along with revolving distribution methods, JSWorm remains a consistent threat.
Analyst Comment: Ransomware threats often affect organisations in two ways. First encrypting operational critical documents and data. In these cases EDR solutions will help to block potential Ransomwares and data backup solutions will help for restoring files in case an attack is successful. Secondly, sensitive customer and business files are exfiltrated and leaked online by ransomware gangs. DLP solutions will help to identify and block potential data exfiltration attempts. Whereas network segregation and encryption of critical data will play an important role in reducing the risk.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Private Keys - T1145 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] BITS Jobs - T1197 |
Ransomware Malware Threat Medical | Solardwinds APT 38 APT 28 | |
|
2021-05-26 17:20:00 | Threat Intelligence Platforms Help Organizations Overcome Key Security Hurdles (lien direct) | Dealing with Big Data, Providing Context, Integration, and Fast Understanding of New Threats are Among the Benefits Threat Intelligence Platforms or TIPs Provide When industry analysts survey most security professionals these days, the common consensus is that it’s now harder to manage security operations than ever before. For example, a recent Enterprise Strategy Group (ESG) research study showed that some 63 percent of security pros say that the job is tougher today than it was just two years ago. While there's no doubt that the variety and volume of threats keep on growing by the year, the question is whether or not it’s the complexity of the security problems that have risen precipitously, or whether something else is going on. I'd argue that it's mostly the latter, in that it’s not so much that the complexity has grown tremendously over this time so much as the “awareness” of already latent complexity has become more apparent. As the breadth of technologies and data available to modern cybersecurity organizations continues to proliferate, security strategists are finally getting enough visibility into their environments to start discovering gaps that have existed all along. But knowing where the deficiencies exist doesn’t always equate to being able to address them. These same security folks are also struggling to wrap their arms around what is possible to achieve by using the array of tools in their arsenals and the vast quantities of information available. Years ago in the security world, the common mantra was that security organizations “don't know what they don't know” and this was due to deficiencies in monitoring and threat intelligence capabilities. Nowadays the opposite is true. They're flooded with data and they're starting to get a better sense of what they don't fully know or understand about adversarial activities in their environments. But this dawning self-awareness can be quite nerve-wracking as they ask themselves, “Now that I know, what should I do?” It can be daunting to make that jump from understanding to taking action—this is the process that many organizations struggle with when we talk about “operationalizing” threat intelligence. For security operations, it’s not enough to just know about an adversary via various threat feeds and other sources. To take action, threat intelligence needs to be deployed in real-time so that security tools and personnel can actually leverage it to run investigations, detect the presence of threats in their networks, respond faster, and continuously improve their security architectures. But there are many significant hurdles in running security operations that stand in the way of achieving those goals. This is where a robust threat intelligence platform (TIP) can add significant value to the security ecosystem. TIPs help security operations teams tackle some of the greatest hurdles. Big Data Conundrum with Threat Intelligence Platforms The first challenge is that the sheer volume of threat intelligence made available to security teams has become a big data problem, one that can't be solved by just filtering out the feeds that are in use, which would defeat the purpose of acquiring varied and relevant feeds in the first place. Organizations don't want to ingest millions or billions of evolving threat indicators into their security information and event manager (SIEM), which would be cost-prohibitive but also lead to the creation of unmanageable levels of false positives. This is where Anomali comes in, with a TIP doing the work on the front end, interesting and pre-curated threat “matches” can be integrated directly into your SIEM. These matches prese | Tool Threat Guideline | Solardwinds Solardwinds | |
|
2021-05-25 15:00:00 | Anomali Cyber Watch: Bizzaro Trojan Expands to Europe, Fake Call Centers Help Spread BazarLoader Malware, Toshiba Business Reportedly Hit by DarkSide Ransomware and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: BazarCall, DarkSide, Data breach, Malware, Phishing, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Air India passenger data breach reveals SITA hack worse than first thought
(published: May 23, 2021)
Adding to the growing body of knowledge related to the March 2021 breach of SITA, a multinational information technology company providing IT and telecommunication services to the air transport industry, Air India announced over the weekend that the personal information of 4.5 million customers was compromised. According to the airline, the stolen information included passengers’ name, credit card details, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data. The compromise included data for passengers who registered with Indian Airlines between 26 August 2011 and 3 February 2021; nearly a decade. Air India adds to the growing list of SITA clients impacted by their data breach, including Malaysia Airlines, Finnair, Singapore Airlines, Jeju Air, Cathay Pacific, Air New Zealand, and Lufthansa.
Analyst Comment: Unfortunately, breaches like this are commonplace. While customers have no control over their information being included in such a breach, they can and should take appropriate actions once notified they may be impacted, Those actions can include changing passwords and credit cards associated with the breached accounts, engaging with credit reporting agencies for enhanced credit monitoring or freezing of credit inquiries without permission, and reaching out to companies that have reportedly been breached to learn what protections they may be offering their clients.
Tags: Data Breach, Airline, PII
BazarCall: Call Centers Help Spread BazarLoader Malware
(published: May 19, 2021)
Researchers from PaloAlto’s Unit42 released a breakdown of a new infection method for the BazarLoader malware. Once installed, BazarLoader provides backdoor access to an infected Windows host which criminals can use to scan the environment, send follow-up malware, and exploit other vulnerable hosts on the network. In early February 2021, researchers began to report a “call center” method of distributing BazarLoader. Actors would send phishing emails with trial subscription-based themes encouraging victims to phone a number to unsubscribe. If a victim called, the actor would answer the phone and direct the victim through a process to infect the computer with BazarLoader. Analysts dubbed this method of infection “BazarCall.”
Analyst Comment: This exemplifies social engineering tactics threat actors employ to trick users into installing malware on their machines. All social media users should be cautious when accepting unknown requests to connect, and particularly cautious when receiving communication from unknown users. Even if cal |
Ransomware Data Breach Malware Hack Tool Vulnerability Threat Guideline | ||
|
2021-05-19 16:45:00 | Forrester Tech Tide for Threat Intelligence Recognizes Anomali (lien direct) | Threat Intelligence Increasingly Viewed as Adding High Business Value and Increased Resiliency, According to Leading Cybersecurity Report Adversaries will eventually compromise every organization. When the world woke to the news that the Colonial Pipeline was the latest major enterprise to join the ransomware victims’ club, we once again had to accept this notion. With this fact of digital life now almost universally recognized, CISOs are starting to look for technologies and services that can help them build a higher resiliency level across their infrastructures. When trying to decide how and where to invest their scarce security budgets, leaders can find themselves uncertain as they sort through overwhelming amounts of marketing content available to them. To provide our customers and prospects with a better understanding of our role in helping them achieve their security and risk goals, we frequently engage with analyst organizations that provide objective, third-party information about what we offer and how we add value. Recently, Anomali was recognized in the Forrester Tech Tide™: Threat Intelligence, Q2 2021. We believe readers will find the report particularly useful in understanding why threat intelligence is now a key driver of resiliency and why it has moved from the “nice to have” to the “must-have” column. According to the report: Threat intelligence is increasingly critical to firms’ ability to manage cyber risk and build resilient security programs. To accelerate their threat intelligence performance, firms are evaluating and adopting multiple services and technologies. This Forrester Tech Tide™ report presents an analysis of the maturity and business value of the 15 service and technology categories that enable an effective threat intelligence-driven security program. Security and risk pros should read this report to shape their firm’s investment approach to these technologies. Forrester analysts positioned Anomali in the “Intelligence Management Solutions” section, which they ranked as “high” in business value and designated with an “invest” rating. According to the report: Security professionals can become overwhelmed with the amount of data and alerts they receive. Intelligence management solutions provide processes for intelligence professionals to manage stakeholder requirements, automate intelligence collection, maximize data analysis, and operationalize the intelligence. Although the full range of capabilities and strategic security advantages we offer extend beyond this evaluation, this positioning further validates how the Anomali product suite of intelligence-driven cybersecurity solutions addresses the key benefits outlined. No cybersecurity vendor is an island, which is why a layered approach to security will always be needed to ensure protection against the rising level of sophisticated and stealthy attacks organizations face. In addition to validating more deeply several of the security areas that Anomali helps its customers to address, the report also provides insights into the wide range of threat intelligence technologies on the market today, which includes a look at several of our key partners in the Anomali ecosystem — the deepest and widest available on the market today. To read more about how the essential solutions that Anomali provides can help your organization to minimize the risk of falling victim to damaging cyberattacks, download the full Forrester Tech Tide™: Threat Intelligence, Q2 2021. | Ransomware Threat Guideline | ||
|
2021-05-18 19:05:00 | Anomali Cyber Watch: Microsoft Azure Vulnerability Discovered, MSBuild Used to Deliver Malware, Esclation of Avaddon Ransomware and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Android, Malware, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Cross-Browser Tracking Vulnerability Tracks You Via Installed Apps
(published: May 14, 2021)
A new method of fingerprinting users has been developed using any browser. Using URL schemes, certain applications can be launched from the browser. With this knowledge, an attacker can flood a client with multiple URL schemes to determine installed applications and create a fingerprint. Google Chrome has certain protections against this attack, but a workaround exists when using the built-in PDF viewer; this resets a flag used for flood protection. The only known protection against scheme flooding is to use browsers across multiple devices.
Analyst Comment: It is critical that the latest security patches be applied as soon as possible to the web browser used by your company. Vulnerabilities are discovered relatively frequently, and it is paramount to install the security patches because the vulnerabilities are often posted to open sources where any malicious actor could attempt to mimic the techniques that are described.
Tags: Scheme Flooding, Vulnerability, Chrome, Firefox, Edge
Threat Actors Use MSBuild to Deliver RATs Filelessly
(published: May 13, 2021)
Anomali Threat Research have identified a campaign in which threat actors are using MSBuild project files to deliver malware. The project files contain a payload, either Remcos RAT, RedLine, or QuasarRAT, with shellcode used to inject that payload into memory. Using this technique the malware is delivered filelessly, allowing the malware to evade detection.
Analyst Comment: Threat actors are always looking for new ways to evade detection. Users should make use of a runtime protection solution that can detect memory based attacks.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Trusted Developer Utilities - T1127 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] File and Directory Discovery - T1083 | |
Ransomware Malware Vulnerability Threat Guideline | APT 36 | |
|
2021-05-17 20:44:00 | Cyber Self-Defense Is Not Complicated (lien direct) | Anomali Sr. Director of Cyber Intelligence Strategy A.J. Nash recently penned a column for United States Cybersecurity Magazine about how few people in the modern world are immune to the threat of a cyber-attack. Hence, the importance of cyber self-defense. In “Cyber Self-Defense Is Not Complicated,” A.J. talks about why self-commitment is an increasingly effective way to minimize the risks that certainly lurk. Whether it be texts that include personal content not meant for public consumption, emails, hard drives, cloud storage containing sensitive business information, or the endless supply of finance transaction data that most of us pass across the Internet daily, few people in the modern world are immune to the threat of a cyber-attack. Hence, the importance of cyber self-defense. The most common avenue of attack for cyber actors continues to be phishing. Phishing enables cybercriminals to gain the access needed for a ransomware attack, cyber extortion, or the theft of personally identifiable information (PII) which is used to steal money or identities. While the threat of compromise may be daunting to many who do not see themselves as very technical, even those with limited knowledge can employ a few simple techniques and tools to greatly reduce the potential for being compromised. Before we talk solutions, let us briefly examine the common threats most of us face and nearly all of us can minimize through simple cyber self-defense. 4 Common Threats Faced in Cyberspace Phishing: Someone poses as a legitimate institution or individual in an email or text to lure victims into providing sensitive data such as PII, banking and credit card details, and passwords. Ransomware: Malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files until a ransom is paid. Theft of PII: The theft of data that may include a Social Security number, date of birth, driver’s license number, bank account and financial information, as well as a passport number. All this data can be assembled into a full financial record file (AKA, “fullz”) for identity theft. These reportedly sell for as little as $8/each on cybercriminal markets across the Dark Web. Cyber Extortion/Blackmail: A crime in which a threat actor demands payment to prevent the release of potentially embarrassing or damaging information. In most cases involving individual victims (not companies), a threat actor pretends to have compromised a victim’s computer or an account tied to something embarrassing. By quoting credentials usually gathered from a previously published breach, the threat actor quotes those credentials as “evidence” of access to the more embarrassing data. Because people commonly use the same credentials for multiple accounts, this bluff often works, leading to the victim being forced to provide more embarrassing content for extortion, pay money, or both. Cyber Self-Defense Practices: Safely Using Wi-Fi and Bluetooth Wireless connectivity to the Internet and other devices is one of the most convenient inventions in recent memory. Unfortunately, these technologies also come with risks many users fail to recognize or mitigate. Thankfully, it only takes a few simple changes to greatly reduce the risk of personal compromise and practice cyber self-defense. Keep Wi-Fi and Bluetooth features turned off on mobile phones and la | Malware Hack Threat Guideline | ||
|
2021-05-13 17:00:00 | Threat Actors Use MSBuild to Deliver RATs Filelessly (lien direct) | Authored by: Tara Gould and Gage Mele
Key Findings
Anomali Threat Research identified a campaign in which threat actors used Microsoft Build Engine (MSBuild) to filelessly deliver Remcos remote access tool (RAT) and password-stealing malware commonly known as RedLine Stealer
This campaign, which has low or zero detections on antivirus tools, appears to have begun in April 2021 and was still ongoing as of May 11, 2021.
We were unable to determine how the .proj files were distributed, and are unable to make a confident assessment on attribution because both RemcosRAT and RedLine Stealer are commodity malware.
Overview
Anomali Threat Research discovered a campaign in which threat actors used MSBuild - a tool used for building apps and gives users an XML schema “that controls how the build platform processes and builds software” - to filelessly deliver RemcosRAT, and RedLine stealer using callbacks.[1] The malicious MSBuild files we observed in this campaign contained encoded executables and shellcode, with some, hosted on Russian image-hosting site, “joxi[.]net.” While we were unable to determine the distribution method of the .proj files, the objective of these files was to execute either Remcos or RedLine Stealer. The majority of the samples we analyzed deliver Remcos as the final payload.
Figure 1 - Infection chain
Technical Analysis
MSBuild
MSBuild is a development tool used for building applications, especially where Visual Studio is not installed.[2] MSBuild uses XML project files that contain the specifications to compile the project and, within the configuration file, the “UsingTask” element defines the task that will be compiled by MSBuild. In addition, MSBuild has an inline task feature that enables code to be specified and compiled by MSBuild and executed in memory. This ability for code to be executed in memory is what enables threat actors to use MSBuild in fileless attacks.
A fileless attack is a technique used by threat actors to compromise a machine while limiting the chances of being detected.[3] Fileless malware typically uses a legitimate application to load the malware into memory, therefore leaving no traces of infection on the machine and making it difficult to detect. An analysis by network security vendor WatchGuard released in 2021 showed a 888% increase in fileless attacks from 2019 to 2020, illustrating the massive growth in the use of this attack technique, which is likely related to threat actor confidence that such attacks will be successful.[4]
MSBuild Project File (.proj) Analysis
Analyzed File – imaadp32.proj
MD5 – 45c94900f312b2002c9c445bd8a59ae6
The file we analyzed is called “imaadp32.proj,” and as shown in Figure 2 below, is an MSBuild project file (.proj). For persistence, mshta is used to execute a vbscript that runs the project file, with a shortcut file (.lnk) added to the startup folder (Figure 3).
Figure 2 - MSBuild Project Schema for immadp32.proj
Figure 3 - .lnk Registry Run Key Created in Startup Folder
Following the creation of persistence, two large arrays of decimal bytes were decoded by the function shown in Figure 4.
|
Malware Tool Threat | ||
|
2021-05-12 21:55:00 | Anomali Cyber Watch: Cozy Bear TTPs, Darkside Ransomware Shuts Down US Pipeline, Operation TunnelSnake Uses New Moriya Rootkit, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Fileless Malware, Malspam, Phishing, Ransomware, Rootkits, Targeted Attacks and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this agazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Darkside Ransomware Caused Major US Pipeline Shutdown
(published: May 8, 2021)
DarkSide ransomware attack caused Colonial Pipeline to shut down the biggest US gasoline pipeline on Friday, May 7th, 2021. The pipeline is the main source of gasoline, diesel and jet fuel for the US East Coast and runs from Texas to Tennessee and New Jersey serving up to 50 Million people. DarkSide group began their attack against the company a day earlier, stealing nearly 100 gigabytes of data before locking computers with ransomware and demanding payment.
Analyst Comment: While DarkSide's first known activity goes back only to August 2020, it is likely backed by experienced Eastern-European actors. Ransomware protection demands a multi-layered approach to include isolation, air-gaps, backup solutions, anti-phishing training and detection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Inhibit System Recovery - T1490 | [MITRE ATT&CK] Scripting - T1064
Tags: DarkSide, ransomware, Oil and Gas, USA, Colonial Pipeline
Revealing The 'Cnip3' Crypter, A Highly Evasive RAT Loader
(published: May 7, 2021)
Morphisec has discovered a new stealthy crypter as a service dubbed Snip3. Its advanced anti-detection techniques include: 1) Executing PowerShell code with the ‘remotesigned’ parameter. 2) Validating the existence of Windows Sandbox and VMWare virtualization. 3) Using Pastebin and top4top for staging. 4) Compiling RunPE loaders on the endpoint in runtime. Several hackers were observed using Snip3 to deliver various payloads: AsyncRAT, NetWire RAT, RevengeRAT, and Agent Tesla.
Analyst Comment: The Snip3 Crypter’s ability to identify sandboxing and virtual environments make it especially capable of bypassing detection-centric solutions. It shows the value of investing in complex cybersecurity solutions.
MITRE ATT&CK: [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Process Injection - T1055
Tags: Snip3, crypter, Crypter-as-a-Service, VBS, RAT, AsyncRAT, NetWire RAT, RevengeRAT, Agent Tesla, NYANxCAT
Lemon Duck target Microsoft Exchange Servers, Incorporate New TTPs
(published: May 7, 2021)
The Lemon Duck cryptomining group has been active since at least |
Ransomware Malware Threat | APT 29 APT 29 | |
|
2021-05-10 17:56:00 | Rise of the Chief Intelligence Officer (CINO) (lien direct) | Anomali Sr. Director of Cyber Intelligence Strategy A.J. Nash recently penned a column for United States Cybersecurity Magazine about how changing security challenges call for new skillsets and leadership professionals, who can help to develop ad run new programs that keep pace with modern adversaries. In “Rise of the Chief Intelligence Officer (CINO),” A.J. makes a case for why this position is needed and what such a leader’s skill set and experience should include. It is republished here in its entirety and with full permission. In response to growing threats in cyberspace, private sector organizations began creating Intelligence programs nearly a decade ago, usually referred to as Cyber Threat Intelligence (CTI). In theory, the private sector was attempting to replicate what the government has successfully done for generations: gain informational advantage to prevent enemy victories and mitigate damage from enemy successes. While most large enterprises today have some sort of a CTI program, the majority are using the word “intelligence” without the tradecraft, standards, or processes to support the label. “Intelligence” in the private sector is still primarily tactical and technical cybersecurity led by people with backgrounds to match. Best practices for collection, production, and dissemination of intelligence are rarely known by those charged with the responsibilities of an intelligence organization. Moreover, only a handful of companies have integrated intelligence into enterprise-wide processes for optimization of outputs that meet documented organizational goals and objectives. Instead of being intelligence-driven security practices, much of the private sector remains underinvested and underprepared. Worse yet, most organizations with CTI programs, even effective ones, restrict their own ability to capitalize on the time and money invested in CTI because their vision for Intelligence is limited to the Security Operations Center (SOC). The root cause for these challenges is a fundamental misunderstanding of intelligence, borne out of ignorance for the differences between Cybersecurity and Intelligence as independent career fields. Instead of being focused on Indicators Of Compromise (IOCs), signatures, and response actions, Intelligence should be a means of countering threats, cybersecurity or otherwise, and driving enterprise-wide improvements in risk reduction. The answer to this challenge is to capitalize on the lessons learned by the U.S. Government (USG) regarding Intelligence. Just as there is a Director of National Intelligence (DNI) who reports directly to the President and leads the U.S. Intelligence Community “in intelligence integration, forging a community that delivers the most insightful intelligence possible,”[1] private sector enterprises each need a single Intelligence leader reporting directly to the CEO, President, or Board of Directors. Instead of the sole intelligence function of a company being a CTI team buried inside the SOC and focused on defensive cyber operations or the needs of the Chief Information Security Officer (CISO), establishment of the Chief Intelligence Officer (CINO) will enable companies to maximize the value of their investments, eliminate redundancies, and reduce risk. In the 1980’s, as C-suites expanded to include Chief Information Officers (CIO),and in the 2010’s, to include Chief Security Officers (CSO) and Chief Human Resources Officers (CHRO), it is time to open a new seat at the table for the first Chief Intelligence Officer (CINO). The Ideal CINO Candidate When adding a chair in the boardroom, it is important to assess what unique value the new addition will bring to the Executive Staff (E-Staff). The skills and experiences needed for the newly minted CINO start with a deep knowledge of traditional intelligence standards and practices as well as impeccable integrity and judgement. This will be the senior expert on Intelligence a | Threat Guideline | ||
|
2021-05-04 15:25:00 | Anomali Cyber Watch: Microsoft Office SharePoint Servers Targeted with Ransomware, New Commodity Crypto-Stealer and RAT, Linux Backdoor Targeting Users for Years, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Data Theft, Backdoor, Ransomware, Targeted Ransomware Attacks and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Python Also Impacted by Critical IP Address Validation Vulnerability
(published: May 1, 2021)
Researchers have recently discovered that a bug previously discovered in netmask (a tool to assist with IP address scoping) is also present in recent versions of Python 3. The bug involves the handling of leading zeroes in decimal represented IP addresses. Instead of interpreting these as octal notation as specified in the standard, the python ipaddress library strips these and interprets the initial zero and interprets the rest as a decimal. This could allow unauthenticated remote attackers to perform a number of attacks against programs that rely on python's stdlib ipdaddress library, including Server-Side Request Forgery (SSRF), Remote File Inclusion (RFI), and Local File Inclusion (LFI).
Analyst Comment: Best practices for developers include input validation and sanitization, which in this case would avoid this bug by validating or rejecting IP addresses. Additionally regular patch and update schedules will allow for rapid addressing of bugs as they are discovered and patches delivered. Proper network monitoring and policies are also an important part of protecting against these types of attacks.
Tags: CVE-2021-29921, python
Codecov Begins Notifying Affected Customers, Discloses IOCs
(published: April 30, 2021)
Codecov has disclosed multiple IP addresses as IOCs that were used by the threat actors to collect sensitive information (environment variables) from the affected customers. The company disclosed a supply-chain breach on April 15, 2021, and has now begun notifying customers. The breach went undiscovered for 2 months, and leveraged the Codecov Bash Uploader scripts used by a large number of projects.
Analyst Comment: In light of the increasing frequency and sophistication of supply chain attacks, companies should carefully audit, examine, and include in their threat modelling means of mitigating and detecting third party compromises. A resilient and tested backup and restore policy is an important part of the overall security strategy.
Tags: North America, Codecov, supply chain
FBI Teams up with ‘Have I Been Pwned’ to Alert Emotet Victims
(published: April 30, 2021)
The FBI has shared more than 4.3 million email addresses with data breach tracking site Have I Been Pwned. The data breach notification site allows you to check if your login credentials may have been compromised by Emotet. In total, 4,324,770 email addresses were provided which span a wide range of countries and domains. The addresses are actually sourced from 2 separate corpuses of data obtained by the agencies.
Analyst Comment: Frequently updated endpoint detection policies as well as network security |
Ransomware Data Breach Malware Tool Vulnerability Threat Patching Guideline | ||
|
2021-04-27 17:24:00 | Anomali Cyber Watch: HabitsRAT Targeting Linux and Windows Servers, Lazarus Group Targetting South Korean Orgs, Multiple Zero-Days and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Android Malware, RATs, Phishing, QLocker Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Zero-day Vulnerabilities in SonicWall Email Security Actively Exploited
(published: April 21, 2021)
US cybersecurity company SonicWall said fixes have been published to resolve three critical issues in its email security solution that are being actively exploited in the wild. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above.
Analyst Comment: The patches for these vulnerabilities have been issued and should be applied as soon as possible to avoid potential malicious behaviour. SonicWall’s security notice can be found here https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/. It is important that your company has patch-maintenance policies in place. Once a vulnerability has been publicly reported,, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083
Tags: CVE-2021-20021, CVE-2021-20023, CVE-2021-20022
Massive Qlocker Ransomware Attack Uses 7zip to Encrypt QNAP Devices
(published: April 21, 2021)
The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021. All victims are told to pay 0.01 Bitcoins, which is approximately $557.74, to get a password for their archived files. While the files are being locked, the Resource Monitor will display numerous '7z' processes which are the 7zip command-line executable.
Analyst Comment: Attackers are using legitimate tools like 7zip to evade detections by traditional antiviruses. EDR solutions can help tracking suspicious command line arguments and process creations to potentially detect such attacks. Customers should use backup solutions to be able recover encrypted files.
MITRE ATT&CK: [MITRE ATT&CK] Credentials in Files - T1081
Tags: Tor, Qlocker, CVE-2020-2509, CVE-2020-36195
Novel Email-Based Campaign Targets Bloomberg Clients with RATs
(published: April 21, 2021)
A new e-mail-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg's industry-based services. Attacks start in the form of targeted emails to c |
Ransomware Malware Tool Vulnerability Threat Medical | Wannacry Wannacry APT 38 APT 28 | |
|
2021-04-20 19:12:00 | Anomali Cyber Watch: Criminals Target Would Be Hackers for Cryptocurrency Theft, A Zero Day Vulnerability in Windows Desktop Manager is in the Wild, US Blames Russia for SolarWinds, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android Malware, Dependency Confusion, Ransomware, Russia, SaintBot and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
HackBoss Malware Poses as Hacker Tools on Telegram to Steal Digital Coins
(published: April 16, 2021)
The authors of a cryptocurrency-stealing malware are distributing it over Telegram to aspiring cybercriminals under the guise of free malicious applications. Researchers have named the malware HackBoss and say that its operators likely stole more than $500,000 from wannabe hackers that fell for the trick. The malware is designed to simply check the clipboard for a cryptocurrency wallet and replace it with one belonging to the attacker.
Analyst Comment: Messages that attempt to get a user to click a link should be viewed with scrutiny, especially when they come from individuals with whom you do not typically communicate. Education is the best defense. Users should be educated on the dangers of phishing, specifically, how they can take place in different forms of online communications, and whom to contact if a phishing attempt is identified.
MITRE ATT&CK: [MITRE ATT&CK] Clipboard Data - T1115 | [MITRE ATT&CK] Software Packing - T1045
Tags: Dogecoin, Cryptocurrency, Cryptostealer, Telegram, HackBoss
Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials
(published: April 15, 2021)
The recently discovered and patched Microsoft Exchange vulnerabilities have garnered considerable attention due to their mass exploitation and the severity of impact each exploitation has on the affected organization. On March 6, 2021, an unknown actor exploited vulnerabilities in Microsoft Exchange Server to install a webshell on a server at a financial institution in the EMEA (Europe, the Middle East and Africa) region. The actor then compressed the files associated with the information gathering and credential harvesting.
Analyst Comment: Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Data Compressed - T1002 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] PowerShell - T1086 | |
Ransomware Malware Vulnerability Threat | ||
|
2021-04-19 16:55:00 | Primitive Bear (Gamaredon) Targets Ukraine with Timely Themes (lien direct) | Russia-Sponsored Group Employs Apparently Legitimate Documents Aligned to Growing Hostilities Between Russia and Ukraine
Authored by: Gage Mele, Yury Polozov, and Tara Gould
Key Findings
Anomali Threat Research discovered a campaign targeting Ukrainian government officials with malicious files that could be repurposed to target government officials of other countries.
We assess with high confidence that this activity was conducted by Russia-sponsored cyberespionage group Primitive Bear (Gamaredon).
Primitive Bear was observed distributing .docx files that attempted to download a .dot file via remote templates.
The campaign appears to have taken place from January through at least late March 2021, and used decoy documents themed around current events. These documents also showed that Primitive Bear likely used unauthorized access or illicit purchase of private documents prior to their publication.
The final objective of this campaign remains unclear because the remote template domains were down at the time of discovery.
Overview
Anomali Threat Research identified malicious samples that align with the Russia-sponsored cyberespionage group Primitive Bear’s (Gamaredon, Winterflounder) tactics, techniques, and procedures (TTPs).[1] The group was distributing .docx files that attempted to download .dot files from remote templates. The final objective of this campaign remains unclear as the remote template domains were down at the time of discovery. We observed Primitive Bear activity in late 2019, and again in April 2020, during which time they used similar TTPs and Ukrainian government-themed decoys.[2] In those campaigns, Primitive Bear’s decoys loaded a remote template to drop a .dot file that would determine if the compromised machine was worthy of a second-stage payload.[3]
Primitive Bear, known primarily to focus on Ukraine, has been very active in 2021. However, the themes of the samples we found, as well as those shared by the security community, could also be used to target multiple former Union of Soviet Social Republic (USSR) countries.
Details
Anomali Threat Research found malicious .docx files being distributed by Primitive Bear, likely through spearphishing, that attempted to download remote template .dot files through template injection. Most of the .docx decoy files were written in Ukrainian, and a minority written in Russian, and contained content discussing multiple Ukrainian government agencies, institutions, and public entities, as well as Russian intelligence agencies in the context of occupied Crimea. Primitive Bear was using specific names of individuals and entities in their files, relevant to the January through mid-March 2021 timeframe, to make their malicious files appear more legitimate. This highlights the group’s use of authentic events to craft likely phishing themes more likely to be effective.
Figure 1 – Observed Infection Chain
Technical Analysis
The .docx files distributed by Primitive Bear used template injection to add a remote domain that contained a .dot (Word template) file. In Figure 2, the template injection can be seen with the TargetMode set to “External,” indicating the file was reaching out to a remote location. If the connection was made, the .dot file was subsequently downloaded.
Figure 2 – автореферат Тертичнk |
Threat | ||
|
2021-04-13 15:49:00 | Anomali Cyber Watch: Android Malware, Government, Middle East and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Group, FIN6, NetWalker, OilRig, Rocke Group, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Iran’s APT34 Returns with an Updated Arsenal
(published: April 8, 2021)
Check Point Research discovered evidence of a new campaign by the Iranian threat group APT34. The threat group has been actively retooling and updating its payload arsenal to try and avoid detection. They have created several different malware variants whose ultimate purpose remained the same, to gain the initial foothold on the targeted device.
Analyst Comment: Threat actors are always innovating new methods and update tools used to carry out attacks. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Custom Cryptographic Protocol - T1024 | [MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Scripting - T1064
Tags: OilRig, APT34, DNSpionage, Lab Dookhtegan, TONEDEAF, Dookhtegan, Karkoff, DNSpionage, Government, Middle East
New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp
(published: April 7, 2021)
Check Point Research recently discovered Android malware on Google Play hidden in a fake application that is capable of spreading itself via users’ WhatsApp messages. The malware is capable of automatically replying to victim’s incoming WhatsApp messages with a payload received from a command-and-control (C2) server. This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more.
Analyst Comment: Users’ personal mobile has many enterprise applications installed like Multifactor Authenticator, Email Client, etc which increases the risk for the enterprise even further. Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups. The latest security patches should be installed for both applications and the operating system.
Tags: Android, FlixOnline, WhatsApp
|
Ransomware Malware Vulnerability Threat Guideline | APT 34 | |
|
2021-04-06 16:57:00 | Anomali Cyber Watch: APT Groups, Data Breach, Malspam, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT10, Charming Kitten, China, Cycldek, Hancitor, Malspam, North Korea, Phishing, TA453, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
The Leap of a Cycldek-Related Threat Actor
(published: April 5, 2021)
A new sophisticated Chinese campaign was observed between June 2020 and January 2021, targeting government, military and other critical industries in Vietnam, and, to lesser extent, in Central Asia and Thailand. This threat actor uses a "DLL side-loading triad" previously mastered by another Chinese group, LuckyMouse: a legitimate executable, a malicious DLL to be sideloaded by it, and an encoded payload, generally dropped from a self-extracting archive. But the code origins of the new malware used on different stages of this campaign point to a different Chinese-speaking group, Cycldek.
Analyst Comment: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: [MITRE ATT&CK] DLL Side-Loading - T1073 | [MITRE ATT&CK] File Deletion - T1107
Tags: Chinese-speaking, Cycldek-related
Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
(published: April 1, 2021)
Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe or TA511. Initial infection includes target clicking malspam, then clicking on a link in an opened Google Docs page, and finally clicking to enable macros in the downloaded Word document. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. It generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic.
Analyst Comment: Organizations should use email security solutions to block malicious/spam emails. All email attachments should be scanned for malware before they reach the user's inbox. IPS rules need to be configured properly to identify any reconnaissance attempts e.g. port scan to get early indication of potential breach.
MITRE ATT&CK: [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Rundll32 - T1085 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] System Information Discovery - T1082
Tags: Hancitor, Malspam, Cobalt Strike
|
Malware Tool Vulnerability Threat Conference | APT 35 APT 10 | |
|
2021-04-01 06:52:00 | Bahamut Possibly Responsible for Multi-Stage Infection Chain Campaign (lien direct) | Authored by: Gage Mele, Tara Gould, Winston Marydasan, and Yury Polozov
Key Findings
Anomali Threat Research discovered cyberthreat actors distributing malicious documents exploiting a vulnerability (CVE-2017-8570) during a multi-stage infection chain to install a Visual Basic (VB) executable on target machines.
This exploitation creates a backdoor that appears to only retrieve an infected machine’s username, possibly indicating reconnaissance activity.
We assess with low confidence, based on limited technical intelligence and targeting consistent with previously observed activity, that the advanced persistent threat (APT) cyberespionage group known as Bahamut may be responsible for this campaign.
Bahamut is a “group for hire” and typically targets entities and individuals in the Middle East and South Asia with spearphishing messages and fake applications as the initial infection vector.
Overview
Based on a discovery in mid-February 2021, Anomali Threat Research assesses with low confidence that the APT cyberespionage group-for-hire Bahamut has been conducting malicious activity against multiple targets since at least June 4, 2020. While researching malicious files, our researchers analyzed a .docx file (List1.docx) that contained a shared bundled component with another .docx file that was communicating via template injection with lobertica.info, a domain previously attributed to Bahamut.[1] Further analysis of this file and the infection chain it follows is provided in subsequent sections below.
The header dates of a template injection domain (lobertica.info/fefus/template.dot) contacted by Screeshot from NACTA Website.docx (including “Screeshot” spelling error) indicated malicious activity dating back to at least June 4, 2020. The title of the document may be a reference to Pakistan’s National Counter Terrorism Authority (NACTA), which would be consistent with Bahamut’s previous targeting and geographical location. The June timeframe also aligns with Pakistan’s virtual meeting with the Financial Action Task Force (Groupe d'Action Financière) held on June 24, 2020, which resulted in keeping Pakistan on the financial grey list for terrorism funding.[2] Additionally, in June 2020, between the 9th and 15th, the United Arab Emirates (UAE) and Pakistan conducted repatriation flights for Pakistani nationals in the UAE. And, as of June 29, the UAE suspended passengers from Pakistan, until more COVID-19-related facilities could be created.[3] While the timing may be coincidental, sophisticated threat actors such as Bahamut are known to use real-world events as themes for targeted cyber campaigns. Historically, in December 2016, Bahamut reportedly targeted human rights activists in the Middle East with spearphishing attacks to deliver Android-based malware, this persisted through 2018, with the targeting of entities and individuals in Egypt, Iran, India, Pakistan, Palestine, Qatar, Tunisia, and the UAE.[4]
Details
Anomali Threat Research identified malicious .docx files that exploit a remote code execution (RCE) vulnerability (CVE-2017-8570). The activity apparently began in June 2020 and continued through at least mid-February 2021. The actors used at least three files with generic names: List1.docx, List for Approval.docx, and report.doc, and one appearing to employ a NACTA theme with a typo: Screeshot from NACTA Website.docx. (Figure 1)
Figure 1 – Infection Chain
Technical Analysis
Threat actors distributed .docx files with the objective of dropping a rich text format (RTF) file |
Malware Vulnerability Threat | Bahamut | |
|
2021-03-30 17:07:00 | Anomali Cyber Watch: Malware, Phishing, Ransomware and More. (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: BlackKingdom, Chrome Extensions, Microsoft, REvil, PurpleFox, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Google removes privacy-focused ClearURLs Chrome extension
(published: March 24, 2021)
Researchers at Cato Networks have discovered two dozen malicious Google Chrome browser extensions and 40 associated malicious domains that were previously unidentified. Some extensions were found to steal users’ names and passwords, whilst others were stealing financial data. Spoofed extensions posing as legitimate ones were common, amongst them a fake ‘Postman’ extension harvesting companies API credentials to target company applications. The security vendor discovered the extensions on networks belonging to hundreds of its customers and found that they were not being flagged as malicious by endpoint protection tools and threat intelligence systems. Malicious extensions have been previously used in malicious campaigns, in 2020 researchers from Awake Security discovered over 100 malicious extensions engaged in a global campaign to steal credentials, take screenshots, and carry out other malicious activity. It was estimated that there were at least 32 million downloads of the malicious extensions.
Analyst Comment: This story illustrates the complexities of using modern life as Google is a monolithic corporation that is integrated into everyone’s daily lives, both personal and business. Whilst many may find it difficult to do much without Google, the cost of using this software can often be your own privacy. Users should be aware that Google’s policies and usage of your data is not malicious and is perfectly legal but you are giving up your information. If something is free, you are the product.
Tags: Google, Chrome, browser extension, privacy, Firefox, ClearURL
Purple Fox Malware Targets Windows Machines With New Worm Capabilities
(published: March 24, 2021)
Purple Fox, which first appeared in 2018, is an active malware campaign that targeted victims through phishing and exploit kits, it required user interaction or some kind of third-party tool to infect Windows machines. However, the attackers behind the campaign have now upped their game and added new functionality that can brute force its way into victims' systems on its own, according to new research from Guardicore Labs. The researchers identified a new infection vector through Server Message Block (SMB) password brute force and the addition of a rootkit, allowing the actors to hide the malware on a machine making it more difficult to detect and remove. Purple Fox is believed to have compromised around 3,000 servers, the vast majority of which were old versions of Windows Server IIS version 7.5. It was very active in Spring and Summer 2020 before going quiet and then ramping up activity in early 2021.
Analyst Comment: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: |
Ransomware Malware Tool Vulnerability Threat | ||
|
2021-03-23 14:00:00 | Anomali Cyber Watch: APT, Malware, Vulnerabilities and More. (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: BlackRock, CopperStealer, Go, Lazarus, Mirai, Mustang Panda, Rust, Tax Season, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Bogus Android Clubhouse App Drops Credential-Swiping Malware
(published: March 19, 2021)
Researchers are warning of a fake version of the popular audio chat app Clubhouse, which delivers malware that steals login credentials for more than 450 apps. Clubhouse has burst on the social media scene over the past few months, gaining hype through its audio-chat rooms where participants can discuss anything from politics to relationships. Despite being invite-only, and only being around for a year, the app is closing in on 13 million downloads. The app is only available on Apple's App Store mobile application marketplace - though plans are in the works to develop one.
Analyst Comment: Use only the official stores to download apps to your devices. Be wary of what kinds of permissions you grant to applications. Before downloading an app, do some research.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105
Tags: LokiBot, BlackRock, Banking, Android, Clubhouse
Trojanized Xcode Project Slips XcodeSpy Malware to Apple Developers
(published: March 18, 2021)
Researchers from cybersecurity firm SentinelOne have discovered a malicious version of the legitimate iOS TabBarInteraction Xcode project being distributed in a supply-chain attack. The malware, dubbed XcodeSpy, targets Xcode, an integrated development environment (IDE) used in macOS for developing Apple software and applications. The malicious project is a ripped version of TabBarInteraction, a legitimate project that has not been compromised. Malicious Xcode projects are being used to hijack developer systems and spread custom EggShell backdoors.
Analyst Comment: Researchers attribute this new targeting of Apple developers to North Korea and Lazarus group: similar TTPs of compromising developer supply chain were discovered in January 2021 when North Korean APT was using a malicious Visual Studio project. Moreover, one of the victims of XcodeSpy is a Japanese organization regularly targeted by North Korea. A behavioral detection solution is required to fully detect the presence of XcodeSpy payloads.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Security Software Discovery - T1063 | [MITRE ATT&CK] Obfuscated Files or Information - T1027
Tags: Lazarus, XcodeSpy, North Korea, EggShell, Xcode, Apple
Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware
(published: March 18, 2021)
Cybereason detected a new campaig |
Ransomware Malware Tool Threat Patching Medical | APT 38 APT 28 | |
|
2021-03-17 18:03:00 | Anomali Cyber Watch: APT, Ransomware, Vulnerabilities and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, AlientBot, Clast82, China, DearCry, RedXOR, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Google: This Spectre proof-of-concept shows how dangerous these attacks can be
(published: March 15, 2021)
Google has released a proof of concept (PoC) code to demonstrate the practicality of Spectre side-channel attacks against a browser's JavaScript engine to leak information from its memory. Spectre targeted the process in modern CPUs called speculative execution to leak secrets such as passwords from one site to another. While the PoC demonstrates the JavaScript Spectre attack against Chrome 88's V8 JavaScript engine on an Intel Core i7-6500U CPU on Linux, Google notes it can easily be tweaked for other CPUs, browser versions and operating systems.
Analyst Comment: As the density of microchip manufacturing continues to increase, side-channel attacks are likely to be found across many architectures and are difficult (and in some cases impossible) to remediate in software. The PoC of the practicality of performing such an attack using javascript emphasises that developers of both software and hardware be aware of these types of attacks and the means by which they can be used to invalidate existing security controls.
Tags: CVE-2017-5753
Threat Assessment: DearCry Ransomware
(published: March 12, 2021)
A new ransomware strain is being used by actors to attack unpatched Microsoft Exchange servers. Microsoft released patches for four vulnerabilities that are being exploited in the wild. The initial round of attacks included installation of web shells onto affected servers that could be used to infect additional computers. While the initial attack appears to have been done by sophisticated actors, the ease and publicity around these vulnerabilities has led to a diverse group of actors all attempting to compromise these servers.
Analyst Comment: Patch and asset management are a critical and often under-resourced aspect of defense in depth. As this particular set of vulnerabilities and attacks are against locally hosted Exchange servers, organization may want to assess whether a hosted solution may make sense from a risk standpoint
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | |
Ransomware Tool Vulnerability Threat Guideline | Wannacry APT 41 APT 34 |
To see everything:
Our RSS (filtrered)
