What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-02-09 09:45:00 | Transforming Threat Data into Actionable Intelligence (lien direct) | Introduction In today's digital age, the threat of cyber-attacks is greater than ever. Traditional security operations, which have focused on reactive measures such as patching vulnerabilities and responding to breaches, are no longer sufficient to meet the challenges of the modern threat landscape. As a result, security organizations are shifting their focus to proactive measures to stay ahead of emerging threats. This shift towards proactive security operations is the focus of a new five-article series written by analysts at TAG Cyber. The series examines the latest trends and challenges for cybersecurity teams and explores the cutting-edge solutions that are helping security organizations become more proactive in their defense against cyber-attacks. Anomali's solutions are important in helping security operations (secops) teams move from a reactive to a proactive security program. Anomali, a leading threat intelligence provider and incident management software, offers a viable solution. Anomali's platform enables security teams to quickly and easily identify and respond to emerging threats by providing real-time visibility into the latest cyber threats and vulnerabilities, allowing organizations to take proactive measures to protect themselves from potential attacks instead of simply reacting to breaches after they have occurred. The series also delves into the strategies and technologies that can help CISOs and secops teams improve their operations. Anomali's platform is a key element in integrating threat intelligence with other technologies, such as Extended Detection and Response (XDR) and Attack Surface Management (ASM), to enhance the overall security posture of an organization. Additionally, Anomali's solutions assist with digital risk protection (DRP) in identifying and mitigating the risks associated with third-party vendors and partners. In summary, the series provides an in-depth look at the latest strategies and technologies to help CISOs and security teams become more proactive in their defense against cyber attacks. Anomali's solutions play a crucial role in this shift and assist organizations in identifying and mitigating emerging threats, integrating with other technologies, while addressing the skills gap. Article 1: Transforming Threat Data into Actionable Intelligence Christopher R. Wilder, TAG Cyber This article is the first in a series of guest blogs written by TAG Cyber analysts in conjunction with our colleagues at Anomali. Our five-part series of blogs focus on how threat-intelligence management integrates with extended detection and response (XDR) to increase operational efficiencies in an enterprise security operations environment and drive actionable prevention, detection, and response. The commercial Anomali platform demonstrates how integration between threat intelligence and XDR can work in the field. Threat intelligence is divided into three main categories: strategic, operational, and tactical. Strategic threat intelligence focuses on understanding the overall threat landscape and identifying long-term trends. It informs strategic decisions and helps organizations understand the potential risks they face. Operational threat intelligence identifies and responds to specific threats in real-time. It informs an organization’s day-to-day operations and helps protect against immediate threats. Tactical threat intelligence provides detailed information about specific threats, such as the tools, techniques, and procedures used by attackers. It also apprises tactical decisions and helps organizations respond to incidents. Threat intelligence is essential to any security program, providing organizations with the information they need to identify and respond to potential threats proactively. Threat intelligence provides operational and tactical threat intelligence to help organizations respond to specific dangers in real-time an | Malware Threat Patching Guideline | ★★★ | |
|
2023-01-04 16:30:00 | Anomali Cyber Watch: Machine Learning Toolkit Targeted by Dependency Confusion, Multiple Campaigns Hide in Google Ads, Lazarus Group Experiments with Bypassing Mark-of-the-Web (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Data breaches, North Korea, Phishing, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
PyTorch Discloses Malicious Dependency Chain Compromise Over Holidays
(published: January 1, 2023)
Between December 25th and December 30th, 2022, users who installed PyTorch-nightly were targeted by a malicious library. The malicious torchtriton dependency on PyPI uses the dependency confusion attack by having the same name as the legitimate one on the PyTorch repository (PyPI takes precedence unless excluded). The actor behind the malicious library claims that it was part of ethical research and that he alerted some affected companies via HackerOne programs (Facebook was allegedly alerted). At the same time the library’s features are more aligned with being a malware than a research project. The code is obfuscated, it employs anti-VM techniques and doesn’t stop at fingerprinting. It exfiltrates passwords, certain files, and the history of Terminal commands. Stolen data is sent to the C2 domain via encrypted DNS queries using the wheezy[.]io DNS server.
Analyst Comment: The presence of the malicious torchtriton binary can be detected, and it should be uninstalled. PyTorch team has renamed the 'torchtriton' library to 'pytorch-triton' and reserved the name on PyPI to prevent similar attacks. Opensource repositories and apps are a valuable asset for many organizations but adoption of these must be security risk assessed, appropriately mitigated and then monitored to ensure ongoing integrity.
MITRE ATT&CK: [MITRE ATT&CK] T1195.001 - Supply Chain Compromise: Compromise Software Dependencies And Development Tools | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] T1003.008 - OS Credential Dumping: /Etc/Passwd And /Etc/Shadow | [MITRE ATT&CK] T1041 - Exfiltration Over C2 Channel
Tags: Dependency confusion, Dependency chain compromise, PyPI, PyTorch, torchtriton, Facebook, Meta AI, Exfiltration over DNS, Linux
Linux Backdoor Malware Infects WordPress-Based Websites
(published: December 30, 2022)
Doctor Web researchers have discovered a new Linux backdoor that attacks websites based on the WordPress content management system. The latest version of the backdoor exploits 30 vulnerabilities in outdated versions of WordPress add-ons (plugins and themes). The exploited website pages are injected with a malicious JavaScript that intercepts all users clicks on the infected page to cause a malicious redirect.
Analyst Comment: Owners of WordPress-based websites should keep all the components of the platform up-to-date, including third-party add-ons and themes. Use |
Malware Tool Vulnerability Threat Patching Medical | APT 38 LastPass | ★★ |
|
2022-12-20 20:46:00 | Anomali Cyber Watch: APT5 Exploited Citrix Zero-Days, Azov Data Wiper Features Advanced Anti-Analysis Techniques, Inception APT Targets Russia-Controlled Territories, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Belarus, China, Data wiping, Russia, Ukraine and Zero-days. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
APT5: Citrix ADC Threat Hunting Guidance
(published: December 13, 2022)
On December 13, 2022, the US National Security Agency published a report on the ongoing exploitation of Citrix products. Citrix confirmed that this critical remote code execution vulnerability (CVE-2022-27518, CTX474995) affects Citrix Application Delivery Controller™ (Citrix ADC) and Citrix Gateway versions: 12.1 and 13.0 before 13.0-58.32. Active exploitation of the CVE-2022-27518 zero-day was attributed to China-sponsored APT5 (Keyhole Panda, Manganese, UNC2630) and its custom Tricklancer malware.
Analyst Comment: All customers using the affected builds are urged to install the current build or upgrade to the newest version (13.1 or newer) immediately. Anomali Platform has YARA signatures for the Tricklancer malware, network defenders are encouraged to follow additional NSA hunting suggestions (LINK). Check md5 hashes for key executables of the Citrix ADC appliance. Analyze your off-device logs: look for gaps and mismatches in logs, unauthorized modification of user permissions, unauthorized modifications to the crontab, and other known signs of APT5’s activities.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190
Tags: actor:APT5, actor:UNC2630, actor:Manganese, actor:Keyhole Panda, CVE-2022-27518, CTX474995, Citrix ADC, Citrix Gateway, Zero-day, China, source-country:CN
Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT
(published: December 12, 2022)
In November 2022, a new cryptojacking campaign was detected by Trend Micro researchers. Unlike previously-recorded campaigns that aim at installing a cryptomining software, this one is utilizing a remote access trojan (RAT): a Linux-targeting version of the open-source Chaos RAT. This Go-based RAT is multi-functional and has the ability to download additional files, run a reverse shell, and take screenshots.
Analyst Comment: Implement timely patching and updating to your systems. Monitor for a sudden increase in resource utilization, track open ports, and check the usage of and changes made to DNS routing.
MITRE ATT&CK: [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Remote Access Tools - T12 |
Malware Tool Vulnerability Threat Patching Prediction | APT 5 | ★★★ |
|
2022-09-07 15:00:00 | Anomali Cyber Watch: EvilProxy Defeats Second Factor, Ragnar Locker Ransomware Hits Critical Infrastructure, Montenegro Blames Russia for Massive Cyberattack, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Critical infrastructure, Crypto mining, Delayed execution, Phishing, Ransomware, Reverse proxy, Russia, and Steganography. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web
(published: September 5, 2022)
Resecurity researchers analyzed EvilProxy, a phishing kit that uses reverse proxy and cookie injection methods to bypass two-factor authentication (2FA). EvilProxy uses extensive virtual machine checks and browser fingerprinting. If the victim passes the checks, Evilproxy acts as a proxy between the victim and the legitimate site that asks for credentials. EvilProxy is being sold as a service on the dark web. Since early May 2022, Evilproxy enables phishing attacks against customer accounts of major brands such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex, and others.
Analyst Comment: EvilProxy is a dangerous automation tool that enables more phishing attacks. Additionally, EvilProxy targeting GitHub and npmjs accounts increases risks of follow-up supply-chain attacks. Anomali platform has historic EvilProxy network indicators that can help when investigating incidents affecting 2FA. With 2FA bypass, users need to be aware of phishing risks and pay even more attention to domains that ask for their credentials and 2FA codes.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Supply Chain Compromise - T1195
Tags: EvilProxy, Phishing, Phishing-as-s-service, Reverse proxy, Cookie injection, 2FA, MFA, Supply chain
Ragnar Locker Ransomware Targeting the Energy Sector
(published: September 1, 2022)
Cybereason researchers investigated the Ragnar Locker ransomware that was involved in cyberattack on DESFA, a Greek pipeline company. On August 19, 2022, the Ragnar Locker group listed DESFA on its data leak site. The group has been active since 2019 and it is not the first time it targets critical infrastructure companies with the double-extortion scheme. Their Ragnar Locker ransomware shows the typical abilities of modern ransomware including system information and location collection, deleting shadow copies, identifying processes (antiviruses, backup solutions, IT remote management solutions, and virtual-based software), and encrypting the system with the exception list in mind.
Analyst Comment: Ragnar Locker appears to be an aggressive ransomware group that is not shy attacking critical infrastructure as far as they are not in the Commonwealth of Independent States (Russia and associated countries). Always be on high alert while reading emails, in particular those with attachments, URL redirection, false sense of urgency or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and teste |
Ransomware Malware Tool Threat Patching Guideline | Yahoo | |
|
2022-08-02 15:17:00 | Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyber mercenaries, Phishing, Rootkits, Spyware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”
(published: July 28, 2022)
Volexity researchers discovered SharpExt, a new malicious browser app used by the North-Korea sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the app, the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter almost exclusively used in South Korea. Following the initial compromise, Velvet Chollima deploy SharpExt and to avoid warning the victim they manually exfiltrate settings files to change the settings and generate a valid "super_mac" security check value. They also hide the newly opened DevTools window and any other warning windows such as a warning regarding extensions running in developer mode.
Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it was concentrating on stealing credentials instead of emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match).
MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Hide Artifacts - T1564
Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension
Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits
(published: July 27, 2022)
Microsoft researchers detail activity of DSIRF, Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF was exploiting another Adobe Reader vulnerability, CVE-2022-22047, which was patched in July 2022. DSIRF attacks rely on their malware toolset called Subzero. The initial downloader shellcode is executed from either the exploit chains or malicious Excel documents. It downloads a JPG image file with extra encrypted data, extracts, decrypts and loads to the memory the Corelump memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se |
Malware Tool Vulnerability Threat Patching Guideline Cloud | APT 37 APT 28 | |
|
2022-07-11 22:59:00 | Anomali Cyber Watch: Brute Ratel C4 Framework Abused to Avoid Detection, OrBit Kernel Malware Patches Linux Loader, Hive Ransomware Gets Rewritten, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, India, Malspam, Ransomware, Russia, Spearhishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs
(published: July 7, 2022)
SentinelLabs researchers detected yet another China-sponsored threat group targeting Russia with a cyberespionage campaign. The attacks start with a spearphishing email containing Microsoft Office maldocs built with the Royal Road malicious document builder. These maldocs were dropping the Bisonal backdoor remote access trojan (RAT). Besides targeted Russian organizations, the same attackers continue targeting other countries such as Pakistan. This China-sponsored activity is attributed with medium confidence to Tonto Team (CactusPete, Earth Akhlut).
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Exploitation for Client Execution - T1203
Tags: China, source-country:CN, Russia, target-country:RU, Ukraine, Pakistan, target-country:PK, Bisonal RAT, Tonto Team, APT, CactusPete, Earth Akhlut, Royal Road, 8.t builder, CVE-2018-0798
OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow
(published: July 6, 2022)
Intezer researchers describe a new Linux malware dubbed OrBit, that was fully undetected at the time of the discovery. This malware hooks functions and adds itself to all running processes, but it doesn’t use LD_PRELOAD as previously described Linux threats. Instead it achieves persistence by adding the path to the malware into the /etc/ld.so.preload and by patching the binary of the loader itself so it will load the malicious shared object. OrBit establishes an SSH connection, then stages and infiltrates stolen credentials. It avoids detection by multiple functions that show running processes or network connections, as it hooks these functions and filters their output.
Analyst Comment: Defenders are advised to use network telemetry to detect anomalous SSH traffic associated with OrBit exfiltration attempts. Consider network segmentation, storing sensitive data offline, and deploying security solutions as statically linked executables.
MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 | |
Ransomware Malware Tool Vulnerability Threat Patching | APT 29 | |
|
2022-06-21 18:28:00 | Cyber Threats Are as Bad as You Imagine, But Different Than You May Think (lien direct) | The Global Threat Landscape is Novel and Requires a Novel Response From Russia to China to South Korea, the global threat landscape continues to mature, often confounding the assumptions of those who must defend against the attacks. Novel techniques are the norm, such as criminals posing as job seekers to infiltrate networks or attacking non-obvious networks. This results in attacks that are harder to predict, adversaries that are harder to detect, and breaches that are harder to address. Harder, but not impossible. While we are certainly living in a more dangerous cyber age, we also find ourselves at a point of inflection. XDR is a significant evolution, and we believe that adversary detection and response (ADR) is not far behind, particularly with more collaboration between the public and private sectors. Perhaps most importantly, we are getting closer and closer to realizing the full promise of Big Data in a cybersecurity context. At Anomali, much of our energy is put towards closing that gap. We believe it is the key to unlocking adversary defense as a truly viable and scalable approach to securing companies and people. At the RSA Conference 2022, cyber threat experts gave attendees a virtual trip around the world during a panel presentation examining threat actor activity from both nation-states and criminal groups. The panelists revealed the latest global threat activity, as well as the best strategies to thwart increasingly sophisticated attacks. They detailed adversary behavior that should both concern and energize us, and we share it here in the hopes of generating energy amongst our community, our partners, our customers, and all those who see an understanding of adversary behavior as a critical mission. Attacks Go Beyond Traditional Platforms China, while not as flashy and flamboyant as Russia, is reshaping the cyber threat landscape as well. Its attacks are moving beyond traditional platforms such as Microsoft and Linux malware to esoteric systems, like Huawei routers and Solaris implants. As panelists noted, the attack surface is shifting, widening, and morphing in many different ways. For example, China exploited a vulnerability in software that tracks diseases in cattle to gain a foothold into 18 state and local governments in the U.S. that use the software. Often, threat actors can exploit vulnerabilities within hours. The implication, according to the panel? Defenders must look beyond traditional assets and accelerate the patching of critical systems. It’s no longer a matter of simply matching every so often. Instead, it’s imperative to have hard conversations with the business about downtime and schedule patching regularly. Ransomware as Harassment Iran has become an innovator in government-backed ransomware. Iranian attackers are becoming more patient, sometimes having 10 interactions with a victim before doing anything malicious. The panelists referred to them as “big-game hunters at scale,” and I couldn’t agree more. We’re not talking about just targeting one system within the network to lock it up. This is a network-wide ransomware endeavor to get as much ransom as possible. Add to this the practice of leaking data to harass organizations. Cyber Criminals are Posing as Job Seekers North Korea, whose cyber activities have been mostly on hold during the pandemic, is returning in a vengeful – and creative way. Among the newest developments: A focus on cryptocurrency schemes. Panelists recounted examples of stolen crypto wallets. If one doesn’t store cryptocurrency offline, they will likely lose al | Ransomware Malware Vulnerability Threat Patching | ||
|
2022-06-06 21:34:00 | Welcome to RSA – How boards and management teams are stopping attackers amidst macro headwinds, the year of great resignation, digital expansion, and escalated cybersecurity activities (lien direct) | RSA has finally arrived in person. We look forward to seeing our customers, partners, and many others in the broader security ecosystem. At Anomali, we exist to stop attackers and given the current environment, we want to share relevant insight from the ecosystem and the excitement around our unique delivery of open XDR. In fact, we feel compelled to make it available to test for free. Let’s start at the top of the lighthouse, and then distill the best way to navigate the infinite chess game with adversaries, including ransomware and exploits. While doing so, we will also focus on automation, reducing response time and ultimately making security spend more efficient. Boards and management teams are navigating a complex new terrain of macro headwinds (including inflation), geopolitical uncertainty, and escalated cybersecurity activities at a time when digital transformation is paramount and talent scarcity is at an all-time high. What is unequivocal is that management teams must continue their laser focus on the efficacy of their security posture and in tandem, they must optimize cost and efficiency. More than ever, management teams need relevant business insight to swiftly protect themselves and their stakeholders from cyber-attacks. That is our obsession at Anomali – our open XDR solution is helping management teams amplify visibility, enrich with relevant context and in turn, stop the attackers and predict their next move. We deliver unique use cases, starting with a proprietary attack surface management report after ingesting all relevant telemetries including cloud platforms and correlating literally hundreds of trillions of telemetry events times cyber threats per second. In tandem, we are automating processes, reducing response time and optimizing security spend across the environment. The advent of the Cloud, digital transformation at large, and the dynamic of remote workforce have collectively expanded the attack surface of organizations to exponentially new levels. Today’s attack surface comprises all the entry points where there is unauthorized access to digital assets. These assets can be externally facing such as a web application server or an API server, or inadvertently exposed due to a misconfigured firewall such as a network storage device, etc. According to Gartner, External Attack Surface Management (EASM) is an emerging cybersecurity discipline that identifies and manages the risks presented by internet-facing assets and systems. EASM refers to the processes and technology necessary to discover external-facing assets and effectively manage the vulnerabilities of those assets. Anomali XDR is a unique solution to identify your attack surface and highly targeted assets. With proprietary big data technology, you will be able to ingest all security telemetries (SIEM, EDR, NDR and public clouds), distill what’s relevant by correlating with the largest repository of global intelligence to deliver actionable insight across your entire security environment. Our XDR solution provides continuous detection of exposed assets and identifies threat actors that are attempting to breach them. Additionally, our XDR solution identifies assets that need urgent patches or other remediation for known vulnerabilities allowing additional insights into the criticality of the exposed asset. Following is summary of recent attack scenarios and how the Anomali Platform has been used in quickly and efficiently detecting and blocking adversaries. Before we start, let us summarize the initial reconnaissance that we have developed with CIOs, CISOs and their team. Do you know your organization’s Attack Surface? Even more importantly, what assets in your organization are highly targeted and who are the actors behind these targeted attacks? Can you continuously monitor the ever-changing landscape of actors and proactively block them? Are you constantly trying to reduce your attack surface? Are you able to quickly take prioritized act | Ransomware Vulnerability Threat Patching | ||
|
2022-04-12 19:06:00 | Anomali Cyber Watch: Zyxel Patches Critical Firewall Bypass Vulnerability, Spring4Shell (CVE-2022-22965), The Caddywiper Malware Attacking Ukraine and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Caddywiper, Colibri Loader, Gamaredon, SaintBear, SolarMaker and Spring4Shell. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New SolarMaker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns
(published: April 8, 2022)
Palo Alto Researchers have released their technical analysis of a new version of SolarMaker malware. Prevalent since September 2020, SolarMaker’s initial infection vector is SEO poisoning; creating malicious websites with popular keywords to increase their ranking in search engines. Once clicked on, an encrypted Powershell script is automatically downloaded. When executed, the malware is installed. SolarMaker’s main functionality is the theft of web browser information such as stored passwords, auto-fill data, and saved credit card information. All the data is sent back to an encoded C2 server encrypted with AES. New features discovered by this technical analysis include increased dropper file size, droppers are always signed with legitimate certificates, a switch back to executables instead of MSI files. Furthermore, the backdoor is now loaded into the dropper process instead of the Powershell process upon first time execution.
Analyst Comment: Never click on suspicious links, always inspect the url for any anomalies. Untrusted executables should never be executed, nor privileges assigned to them. Monitor network traffic to assist in the discovery of non standard outbound connections which may indicate c2 activity.
MITRE ATT&CK: [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] Encrypted Channel - T1573 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497
Tags: SolarMaker, Jupyter, Powershell, AES, C2, SEO poisoning
Google is on Guard: Sharks shall not Pass!
(published: April 7, 2022)
Check Point researchers have discovered a series of malicious apps on the Google Play store that infect users with the info stealer Sharkbot whilst masquerading as AV products. The primary functionality of Sharkbot is to steal user credentials and banking details which the user is asked to provide upon launching the app. Furthermore, Sharkbot asks the user to permit it a wide array of permissions that grant the malware a variety of functions such as reading and sending SMS messages and uninstalling other applications. Additionally, the malware is able to evade detection through various techniques. Sharkbot is geofenced, therefore it will stop functioning if it detects the user is from Belarus, China, India, Romania, Russia or Ukraine. Interestingly for Android malware, Sharkbot also utilizes domain generation algorithm (DGA). This allows the malware to dynamically generate C2 domains to help the malware function after a period of time even i |
Malware Tool Vulnerability Threat Patching | APT-C-23 | |
|
2022-01-19 22:45:00 | Anomali Cyber Watch: Russia-Sponsored Cyber Threats, China-Based Earth Lusca Active in Cyberespionage and Cybertheft, BlueNoroff Hunts Cryptocurrency-Related Businesses, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, HTTP Stack, Malspam, North Korea, Phishing, Russia and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques
(published: January 17, 2022)
The Earth Lusca threat group is part of the Winnti cluster. It is one of different Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs) including the use of Winnti malware. Earth Lusca were active throughout 2021 committing both cyberespionage operations against government-connected organizations and financially-motivated intrusions targeting gambling and cryptocurrency-related sectors. For intrusion, the group tries different ways in including: spearphishing, watering hole attacks, and exploiting publicly facing servers. Cobalt Strike is one of the group’s preferred post-exploitation tools. It is followed by the use of the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group employs two separate infrastructure clusters, first one is rented Vultr VPS servers used for command-and-control (C2), second one is compromised web servers used to scan for vulnerabilities, tunnel traffic, and Cobalt Strike C2.
Analyst Comment: Earth Lusca often relies on tried-and-true techniques that can be stopped by security best practices, such as avoiding clicking on suspicious email/website links and or reacting on random banners urging to update important public-facing applications. Don’t be tricked to download Adobe Flash update, it was discontinued at the end of December 2020. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) updated.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hijack Execution Flow |
Ransomware Malware Tool Vulnerability Threat Patching Guideline | APT 41 APT 38 APT 29 APT 28 APT 28 | |
|
2021-11-23 20:30:00 | Anomali Cyber Watch: APT, Emotet, Iran, RedCurl and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Emotet malware is back and rebuilding its botnet via TrickBot
(published: November 15, 2021)
After Europol enforcement executed a takeover of the Emotet infrastructure in April 2021 and German law enforcement used this infrastructure to load a module triggering an uninstall of existing Emotet installs, new Emotet installs have been detected via initial infections with TrickBot. These campaigns and infrastructure appear to be rapidly proliferating. Once infected with Emotet, in addition to leveraging the infected device to send malspam, additional malware can be downloaded and installed on the victim device for various purposes, including ransomware. Researchers currently have not seen any spamming activity or any known malicious documents dropping Emotet malware besides from TrickBot. It is possible that Emotet is using Trickbot to rebuild its infrastructure and steal email chains it will use in future spam attacks.
Analyst Comment: Phishing continues to be a preferred method for initial infection by many actors and malware families. End users should be cautious with email attachments and links, and organizations should have robust endpoint protections that are regularly updated.
***For Anomali ThreatStream Customers***
To assist in helping the community, especially with the online shopping season upon us, Anomali Threat Research has made available two, threat actor-focused dashboards: Mummy Spider and Wizard Spider, for Anomali ThreatStream customers. The Dashboards are preconfigured to provide immediate access and visibility into all known Mummy Spider and Wizard Spider indicators of compromise (IOCs) made available through commercial and open-source threat feeds that users manage on ThreatStream.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Automated Collection - T1119
Tags: Emotet, Trickbot, phishing, ransomware
Wind Turbine Giant Offline After Cyber Incident
(published: November 22, 2021)
The internal IT systems for Vestas Wind Systems, the world's largest manufacturer of wind turbines, have been hit by an attack. This attack does not appear to have affected their manufacturing or supply chain, and recovery of affected systems is underway, although a number of systems remain off as a precaution. The company has announced that some data has been compromised. The investigation of this incident is ongoing, but may have been a ransomware attack. The incidents of ransomware across the globe increased by near |
Ransomware Spam Malware Tool Vulnerability Threat Patching | ||
|
2021-10-19 15:00:00 | Anomali Cyber Watch: FIN12 Ramps-Up in Europe, Interactsh Being Used For Malicious Purposes, New Yanluowang Ransomware and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Strike, Metasploit, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Harvester: Nation-State-Backed Group Uses New Toolset To Target Victims In South Asia
(published: October 18, 2021)
A new threat group dubbed ‘Harvester’ has been found attacking organizations in South Asia and Afghanistan using a custom toolset composed of both public and private malware. Given the nature of the targets, which include governments, IT and Telecom companies, combined with the information stealing campaign, there is a high likelihood that this group is Nation-State backed. The initial infection method is unknown, but victim machines are directed to a URL that checks for a local file (winser.dll). If it doesn’t exist, a redirect is performed for a VBS file to download and run; this downloads and installs the Graphon backdoor. The command and control (C2) uses legitimate Microsoft and CloudFront services to mask data exfiltration.
Analyst Comment: Nation-state threat actors are continually evolving their tactics, techniques and tools to adapt and infiltrate victim governments and/or companies. Ensure that employees have a training policy that reflects education on only downloading programs or documents from known, trusted sources. It is also important to notify management and the proper IT department if you suspect malicous activity may be occurring.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Process Discovery - T1057
Tags: Backdoor.Graphon, Cobalt Strike Beacon, Metasploit
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
(published: October 14, 2021)
Unit 42 researchers have observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers - but also by attackers - to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof-of-concept (PoC) for an exploit can insert "Interactsh" to check whether the exploit is working, but the service could also be used to check if the PoC is working. The tool became publicly available on April 16, 2021, and the first attempts to abuse it were observed soon after, on April 18, 2021.
Analyst Comment: As the landscape changes, researchers and attackers will often use the same tools in order to reach a goal. In this instance, Interact.sh can be used to show if an exploit will work. Dual-use tools are often under fire for being able to validate malicious code, with this being the latest example. If necessary, take precautions and block traffic with interact.sh attached to it within company networks.
Tags: Interactsh, Exploits
|
Ransomware Spam Malware Tool Vulnerability Threat Patching Guideline | ||
|
2021-10-11 14:30:00 | Selecting a Threat Intelligence Platform (TIP) (lien direct) | Do You Need a TIP? Many organizations struggle with managing threat intelligence. There is too much data noise, reliance on manual processes that make it harder to correlate relevant intelligence, and difficulties in producing and distributing actionable reports to the right people. Organizations turn to a Threat Intelligence Platform or TIP to help alleviate some of these problems. A TIP is like a nerve center that pulls raw data and intelligence from multiple sources into a central repository. Using automation, it sifts through and correlates that data to find relevant intelligence through curation, normalization, enrichment, and risk scoring. A TIP can create a feedback loop that integrates with existing security systems by analyzing and sharing relevant, actionable threat intelligence across an organization. Key benefits of a TIP are reducing time to detection, enabling collaboration, and producing actionable information for stakeholders. Top Considerations When Selecting a TIP Stakeholders The search for a TIP should begin with a clear understanding of the audience it will be serving. The most frequent users of a TIP are threat intelligence analysts, SOC analysts, cyber threat hunters, IR analysts, and CISOs, each with different needs and expectations they hope to garner from the TIP. For example, threat intelligence analysts can use the curated information to create adversary dossiers, while CISOs can execute on strategic goals and keep costs down through time saved by automation. Collaboration Collaboration and threat intelligence sharing between groups is a core benefit of a TIP. In selecting a TIP, it is fundamental to understand organizational structure and how communications flow. Different teams should be able to share knowledge from anywhere at any time and with the ability to integrate the TIP into existing security systems. Choose your TIP based on the collaboration you require. Another factor in collaboration is the reporting capabilities of a TIP. Complete reports will be automated, including real-time alerts and summaries customized for different stakeholders and your specific industry. Data Aggregation and Curation within Context The ability of a TIP to ingest customized imports of data from internal and external sources is at the heart of its functionality. The flexibility of setting up customized data imports while also automatically pulling information from vendors or trusted third parties empowers security analysts to be more efficient. They will also have the ability to parse and index both structured (e.g., STIX/TAXII) and unstructured data (e.g., blogs, whitepapers, etc.). Another critical function of a TIP is curating the information it takes in. Optimizing curated data is vital when clarifying the context within your platform. Malicious actors that directly affect your industry and organization will get targeted using the intelligence produced by your TIP. Therefore, how you import vendor data and modify it to your organization’s specific needs is critical. Machine learning algorithms should sort the information and weigh the individual indicators of compromise (IoCs) based on context and user-defined scoring and relevance. Vulnerabilities native to the organization are the other side of the context equation. A TIP needs to match high-scoring IoCs with "crown jewels" and other essential assets. Patching is utilized to protect the most critical infrastructure. Determining the vulnerability context upfront will help determine the feedback loop that a TIP needs to facilitate. Deployment | Vulnerability Threat Patching | ||
|
2021-08-24 17:11:00 | Anomali Cyber Watch: ProxyShell Being Exploited to Install Webshells and Ransomware, Neurevt Trojan Targeting Mexican Users, Secret Terrorist Watchlist Exposed, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT37 (InkySquid), BlueLight, Ransomware, T-Mobile Data Breach, Critical Vulnerabilities, IoT, Kalay, Neurevt, and ProxyShell. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.
Trending Cyber News and Threat Intelligence
Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit
(published: August 23, 2021)
Despite patches a collection of vulnerabilities (ProxyShell) discovered in Microsoft Exchange being available in the July 2021 update, researchers discovered nearly 2,000 of these vulnerabilities have recently been compromised to host webshells. These webshells allow for attackers to retain backdoor access to compromised servers for further exploitation and lateral movement into the affected organizations. Researchers believe that these attacks may be related to the recent LockFile ransomware attacks.
Analyst Comment: Organizations running Microsoft Exchange are strongly encouraged to prioritize updates to prevent ongoing exploitation of these vulnerabilities. In addition, a thorough investigation to discover and remove planted webshells should be undertaken as the patches will not remove planted webshells in their environments. A threat intelligence platform (TIP) such as Anomali Threatstream can be a valuable tool to assist organizations ingesting current indicators of compromise (IOCs) and determine whether their Exchange instances have been compromised.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Source - T1153
Tags: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, Exchange, ProxyShell, backdoor
LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers
(published: August 20, 2021)
A new ransomware family, named Lockfile by Symantec researchers, has been observed on the network of a US financial organization. The first known instance of this ransomware was July 20, 2021, and activity is ongoing. This ransomware has been seen largely targeting organizations in a wide range of industries across the US and Asia. The initial access vector remains unknown at this time, but the ransomware leverages the incompletely patched PetitPotam vulnerability (CVE-2021-36942) in Microsoft's Exchange Server to pivot to Domain Controllers (DCs) which are then leveraged to deploy ransomware tools to devices that connect to the DC. The attackers appear to remain resident on the network for several |
Ransomware Malware Tool Vulnerability Threat Patching Cloud | APT 37 | |
|
2021-06-29 16:29:00 | Anomali Cyber Watch: Microsoft Signs Malicious Netfilter Rootkit, Ransomware Attackers Using VMs, Fertility Clinic Hit With Data Breach and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, NetFilter, Ransomware, QBot, Wizard Spider, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Microsoft Signed a Malicious Netfilter Rootkit
(published: June 25, 2021)
Security researchers recently discovered a malicious netfilter driver that is signed by a valid Microsoft signing certificate. The files were initially thought to be a false positive due to the valid signing, but further inspection revealed that the malicious driver called out to a Chinese IP. Further research has analyzed the malware, dropper, and Command and Control (C2) commands. Microsoft is still investigating this incident, but has clarified that they did approve the signing of the driver.
Analyst Comment: Malware signed by a trusted source is a threat vector that can be easily missed, as organizations may be tempted to not inspect files from a trusted source. It is important for organizations to have network monitoring as part of their defenses. Additionally, the signing certificate used was quite old, so review and/or expiration of old certificates could prevent this malware from running.
MITRE ATT&CK: [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] Install Root Certificate - T1130
Tags: Netfilter, China
Dell BIOSConnect Flaws Affect 30 Million Devices
(published: June 24, 2021)
Four vulnerabilities have been identified in the BIOSConnect tool distributed by Dell as part of SupportAssist. The core vulnerability is due to insecure/faulty handling of TLS, specifically accepting any valid wildcard certificate. The flaws in this software affect over 30 million Dell devices across 128 models, and could be used for Remote Code Execution (RCE). Dell has released patches for these vulnerabilities and currently there are no known actors scanning or exploiting these flaws.
Analyst Comment: Any business or customer using Dell hardware should patch this vulnerability to prevent malicious actors from being able to exploit it. The good news is that Dell has addressed the issue. Patch management and asset inventories are critical portions of a good defense in depth security program.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Peripheral Device Discovery - T1120
Tags: CVE-2021-21571, CVE-2021-21572, CVE-2021-21573, CVE-2021-21574, Dell, BIOSConnect
Malicious Spam Campaigns Delivering Banking Trojans
(published: June 24, 2021)
Analysis from two mid-March 2021 spam campaignts revealed that th |
Ransomware Data Breach Spam Malware Tool Vulnerability Threat Patching | APT 30 | |
|
2021-06-08 15:00:00 | Anomali Cyber Watch: TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations, Necro Python Bots Adds New Tricks, US Seizes Domains Used by APT29 and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, APT29, FluBot, Necro Python, RoyalRoad, SharpPanda, TeaBot and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations
(published: June 4, 2021)
Researchers at Palo Alto have identified a malware repo belonging to TeamTNT, the prominent cloud focused threat group. The repo shows the expansion of TeamTNTs abilities, and includes scripts for scraping SSH keys, AWS IAM credentials and searching for config files that contain credentials. In addition to AWS credentials, TeamTNT are now also searching for Google Cloud credentials, which is the first instance of the group expanding to GCP.
Analyst Comment: Any internal only cloud assets & SSH/Privileged access for customer facing cloud infrastructure should only be accessible via company VPN. This ensures attackers don’t get any admin access from over the internet even if keys or credentials are compromised. Customers should monitor compromised credentials in public leaks & reset the passwords immediately for those accounts.
MITRE ATT&CK: [MITRE ATT&CK] Permission Groups Discovery - T1069
Tags: AWS, Cloud, Credential Harvesting, cryptojacking, Google Cloud, IAM, scraping, TeamTnT, Black-T, Peirates
Necro Python Bots Adds New Tricks
(published: June 3, 2021)
Researchers at Talos have identified updated functionality in the Necro Python bot. The core functionality is the same with a focus on Monero mining, however exploits to the latest vulnerabilities have been added. The main payloads are XMRig, traffic sniffing and DDoS attacks. Targeting small and home office routers, the bot uses python to support multiple platforms.
Analyst Comment: Users should ensure they always apply the latest patches as the bot is looking to exploit unpatched vulnerabilities. Users need to change default passwords for home routers to ensure potential malware on your personal devices don’t spread to your corporate devices through router takeover.
MITRE ATT&CK: [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Remote Access Tools - T1219
Tags: Bot, botnet, Exploit, Monero, Necro Python, Python, Vulnerabilities, XMRig
New SkinnyBoy Ma |
Ransomware Malware Vulnerability Threat Patching Guideline | APT 29 APT 28 | |
|
2021-05-04 15:25:00 | Anomali Cyber Watch: Microsoft Office SharePoint Servers Targeted with Ransomware, New Commodity Crypto-Stealer and RAT, Linux Backdoor Targeting Users for Years, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Data Theft, Backdoor, Ransomware, Targeted Ransomware Attacks and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Python Also Impacted by Critical IP Address Validation Vulnerability
(published: May 1, 2021)
Researchers have recently discovered that a bug previously discovered in netmask (a tool to assist with IP address scoping) is also present in recent versions of Python 3. The bug involves the handling of leading zeroes in decimal represented IP addresses. Instead of interpreting these as octal notation as specified in the standard, the python ipaddress library strips these and interprets the initial zero and interprets the rest as a decimal. This could allow unauthenticated remote attackers to perform a number of attacks against programs that rely on python's stdlib ipdaddress library, including Server-Side Request Forgery (SSRF), Remote File Inclusion (RFI), and Local File Inclusion (LFI).
Analyst Comment: Best practices for developers include input validation and sanitization, which in this case would avoid this bug by validating or rejecting IP addresses. Additionally regular patch and update schedules will allow for rapid addressing of bugs as they are discovered and patches delivered. Proper network monitoring and policies are also an important part of protecting against these types of attacks.
Tags: CVE-2021-29921, python
Codecov Begins Notifying Affected Customers, Discloses IOCs
(published: April 30, 2021)
Codecov has disclosed multiple IP addresses as IOCs that were used by the threat actors to collect sensitive information (environment variables) from the affected customers. The company disclosed a supply-chain breach on April 15, 2021, and has now begun notifying customers. The breach went undiscovered for 2 months, and leveraged the Codecov Bash Uploader scripts used by a large number of projects.
Analyst Comment: In light of the increasing frequency and sophistication of supply chain attacks, companies should carefully audit, examine, and include in their threat modelling means of mitigating and detecting third party compromises. A resilient and tested backup and restore policy is an important part of the overall security strategy.
Tags: North America, Codecov, supply chain
FBI Teams up with ‘Have I Been Pwned’ to Alert Emotet Victims
(published: April 30, 2021)
The FBI has shared more than 4.3 million email addresses with data breach tracking site Have I Been Pwned. The data breach notification site allows you to check if your login credentials may have been compromised by Emotet. In total, 4,324,770 email addresses were provided which span a wide range of countries and domains. The addresses are actually sourced from 2 separate corpuses of data obtained by the agencies.
Analyst Comment: Frequently updated endpoint detection policies as well as network security |
Ransomware Data Breach Malware Tool Vulnerability Threat Patching Guideline | ||
|
2021-03-23 14:00:00 | Anomali Cyber Watch: APT, Malware, Vulnerabilities and More. (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: BlackRock, CopperStealer, Go, Lazarus, Mirai, Mustang Panda, Rust, Tax Season, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Bogus Android Clubhouse App Drops Credential-Swiping Malware
(published: March 19, 2021)
Researchers are warning of a fake version of the popular audio chat app Clubhouse, which delivers malware that steals login credentials for more than 450 apps. Clubhouse has burst on the social media scene over the past few months, gaining hype through its audio-chat rooms where participants can discuss anything from politics to relationships. Despite being invite-only, and only being around for a year, the app is closing in on 13 million downloads. The app is only available on Apple's App Store mobile application marketplace - though plans are in the works to develop one.
Analyst Comment: Use only the official stores to download apps to your devices. Be wary of what kinds of permissions you grant to applications. Before downloading an app, do some research.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105
Tags: LokiBot, BlackRock, Banking, Android, Clubhouse
Trojanized Xcode Project Slips XcodeSpy Malware to Apple Developers
(published: March 18, 2021)
Researchers from cybersecurity firm SentinelOne have discovered a malicious version of the legitimate iOS TabBarInteraction Xcode project being distributed in a supply-chain attack. The malware, dubbed XcodeSpy, targets Xcode, an integrated development environment (IDE) used in macOS for developing Apple software and applications. The malicious project is a ripped version of TabBarInteraction, a legitimate project that has not been compromised. Malicious Xcode projects are being used to hijack developer systems and spread custom EggShell backdoors.
Analyst Comment: Researchers attribute this new targeting of Apple developers to North Korea and Lazarus group: similar TTPs of compromising developer supply chain were discovered in January 2021 when North Korean APT was using a malicious Visual Studio project. Moreover, one of the victims of XcodeSpy is a Japanese organization regularly targeted by North Korea. A behavioral detection solution is required to fully detect the presence of XcodeSpy payloads.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Security Software Discovery - T1063 | [MITRE ATT&CK] Obfuscated Files or Information - T1027
Tags: Lazarus, XcodeSpy, North Korea, EggShell, Xcode, Apple
Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware
(published: March 18, 2021)
Cybereason detected a new campaig |
Ransomware Malware Tool Threat Patching Medical | APT 38 APT 28 | |
|
2021-03-16 15:07:00 | An Intelligence-Driven Approach to Extended Detection and Response (XDR) (lien direct) | Threat detection isn’t getting any easier. Today’s threat actors are escalating the number of attacks they launch, going after more targets, using increasingly sophisticated techniques, and achieving their goals through surreptitiousness – not notoriety. With more than 2,000 security vendors catalogued and organizations reporting an average of 45 security solutions deployed, why aren’t we any closer to solving the threat detection gap? To answer this question, we first need to ask, what are we trying to achieve? For years now, we have known that the “whack-a-mole” approach of detecting discrete threats is at best a stopgap for the next inevitable attack. At a high level, most would likely agree that the always-shifting nature of adversaries, emergence of new vulnerabilities and exploits, and the all-menacing “zero day” leads to the continued proliferation of incidents ranging across data breaches, ransomware, and cyberespionage, etc. As soon as we close one door to attackers, they find and open another. This has always been the case. There’s more to this though. We think some of the answer can be found in the failure to fully optimize and connect existing tools, processes, and people to give them broader visibility over traffic and threats moving in and out of their networks while seamlessly layering in detection and response capabilities. As we were told in a recent discussion with an industry analyst, “We’ve reached an inflection point.” Enterprises know that the resources needed to greatly improve their security operations exist, they are now hungry to start using them to their maximum potential.” In other words, “We know the goods are available, how do we start using them to better find and neutralize the bad actors?” Enter Extended Detection and Response (XDR) You may have noticed lately that XDR is white hot in the security world. Scores of vendors are entering the fray — ranging across small startups to established 800-pound gorillas. Dozens of industry analysts are quickly validating XDR as more than just a buzzword, with Garter adding XDR to the “innovation trigger” on the newly created Security Operations Hype Cycle. As a long-time member of the security technology community, I can add that while we have certainly seen enthusiasm for trends at different periods, the level that XDR is generating reminds me of three other significant movements that changed the course of computing and security. The first was for Security Event and Information Management (SIEM), which I experienced during my time as a founder at ArcSight. The second was during the “big data” era. The third was for “cloud,” which in many ways has been reinvigorated due to COVID. XDR: What is it? Multiple definitions exist. We think of XDR as an architecture and in terms of how enterprises can leverage it to maximize the performance of their overall security investment (people, technologies, services) to take action against threats at the fastest possible speed. As leaders in the threat intelligence market and with deference to the essential role that global threat intelligence plays in accelerating detection and response, we offer up the following working definition: Organizations that run on top of XDR architectures are able to move closer to managing their security infrastructure as an integrated, unified platform. With XDR, Security Operations Centers (SOCs) can break silos to converge all security data and telemetry collected and generated by security technologies they’ve deployed (tech that includes firewalls, EDR, CASB, SIEM, SOAR, TIP etc.). With this information, they can generate strategic threat intelligence that empowers | Vulnerability Threat Patching Guideline | ||
|
2020-09-22 15:00:00 | Weekly Threat Briefing: Android Malware, APT Groups, Election Apps, Ransomware and More (lien direct) |
The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Cerberus Source Code Leak, Chinese APT, Mrbminer Malware, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
US 2020 Presidential Apps Riddled with Tracking and Security Flaws
(published: September 17, 2020)
The Vote Joe 2020 application has been found to be potentially leaking personal data about voters. The app is used by the Joe Biden campaign to engage with voters and get supporters to send out promotional text messages. Using TargetSmart, an intelligence service, the app receives their predictions via API endpoint which has been found to be returning additional data. Voter preference and voter prediction could be seen, while voter preference is publically accessible, the information for TargetSmart was not meant to be publicly available. The app also let users from outside of the United States download, allowing for non-US citizens to have access to the data, as there was no email verification. Vote Joe isn’t the only campaign app with security issues, as the Donald Trump application exposed hardcoded secret keys in the APK.
Recommendation: The exposure of Personally Identifiable Information (PII) requires affected individuals to take precautionary measures to protect their identity and their finances. Identity theft services can assist in preventing illicit purchases, or applying for financial services from taking place by actors using stolen data.
Tags: APK, Android, Campaign, Election, Joe Biden, PII
German Hospital Attacked, Patient Taken to Another City Dies
(published: September 17, 2020)
A failure in IT systems at Duesseldorf University Hospital in Germany has led to the death of a woman. In an apparent ransomware attack, the hospital’s systems crashed with staff unable to access data. While there was no apparent ransom note, 30 servers at the hospital had been encrypted last week, with a ransom note left on one server addressed to Heinrich Heine University. Duesseldorf police contacted the perpetrators to inform them they had attacked the hospital instead of the university, with the perpetrators providing decryption keys, however patients had to be rerouted to other hospitals and therefore a long time before being treated by doctors.
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Germany, Healthcare, Hospital, Ransomware
|
Ransomware Malware Vulnerability Threat Patching Guideline | APT 41 | ★★★★★ |
1
We have: 20 articles.
We have: 20 articles.
To see everything:
Our RSS (filtrered)
