What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-05-19 16:45:00 | Forrester Tech Tide for Threat Intelligence Recognizes Anomali (lien direct) | Threat Intelligence Increasingly Viewed as Adding High Business Value and Increased Resiliency, According to Leading Cybersecurity Report Adversaries will eventually compromise every organization. When the world woke to the news that the Colonial Pipeline was the latest major enterprise to join the ransomware victims’ club, we once again had to accept this notion. With this fact of digital life now almost universally recognized, CISOs are starting to look for technologies and services that can help them build a higher resiliency level across their infrastructures. When trying to decide how and where to invest their scarce security budgets, leaders can find themselves uncertain as they sort through overwhelming amounts of marketing content available to them. To provide our customers and prospects with a better understanding of our role in helping them achieve their security and risk goals, we frequently engage with analyst organizations that provide objective, third-party information about what we offer and how we add value. Recently, Anomali was recognized in the Forrester Tech Tide™: Threat Intelligence, Q2 2021. We believe readers will find the report particularly useful in understanding why threat intelligence is now a key driver of resiliency and why it has moved from the “nice to have” to the “must-have” column. According to the report: Threat intelligence is increasingly critical to firms’ ability to manage cyber risk and build resilient security programs. To accelerate their threat intelligence performance, firms are evaluating and adopting multiple services and technologies. This Forrester Tech Tide™ report presents an analysis of the maturity and business value of the 15 service and technology categories that enable an effective threat intelligence-driven security program. Security and risk pros should read this report to shape their firm’s investment approach to these technologies. Forrester analysts positioned Anomali in the “Intelligence Management Solutions” section, which they ranked as “high” in business value and designated with an “invest” rating. According to the report: Security professionals can become overwhelmed with the amount of data and alerts they receive. Intelligence management solutions provide processes for intelligence professionals to manage stakeholder requirements, automate intelligence collection, maximize data analysis, and operationalize the intelligence. Although the full range of capabilities and strategic security advantages we offer extend beyond this evaluation, this positioning further validates how the Anomali product suite of intelligence-driven cybersecurity solutions addresses the key benefits outlined. No cybersecurity vendor is an island, which is why a layered approach to security will always be needed to ensure protection against the rising level of sophisticated and stealthy attacks organizations face. In addition to validating more deeply several of the security areas that Anomali helps its customers to address, the report also provides insights into the wide range of threat intelligence technologies on the market today, which includes a look at several of our key partners in the Anomali ecosystem — the deepest and widest available on the market today. To read more about how the essential solutions that Anomali provides can help your organization to minimize the risk of falling victim to damaging cyberattacks, download the full Forrester Tech Tide™: Threat Intelligence, Q2 2021. | Ransomware Threat Guideline | ||
|
2021-05-18 19:05:00 | Anomali Cyber Watch: Microsoft Azure Vulnerability Discovered, MSBuild Used to Deliver Malware, Esclation of Avaddon Ransomware and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Android, Malware, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Cross-Browser Tracking Vulnerability Tracks You Via Installed Apps
(published: May 14, 2021)
A new method of fingerprinting users has been developed using any browser. Using URL schemes, certain applications can be launched from the browser. With this knowledge, an attacker can flood a client with multiple URL schemes to determine installed applications and create a fingerprint. Google Chrome has certain protections against this attack, but a workaround exists when using the built-in PDF viewer; this resets a flag used for flood protection. The only known protection against scheme flooding is to use browsers across multiple devices.
Analyst Comment: It is critical that the latest security patches be applied as soon as possible to the web browser used by your company. Vulnerabilities are discovered relatively frequently, and it is paramount to install the security patches because the vulnerabilities are often posted to open sources where any malicious actor could attempt to mimic the techniques that are described.
Tags: Scheme Flooding, Vulnerability, Chrome, Firefox, Edge
Threat Actors Use MSBuild to Deliver RATs Filelessly
(published: May 13, 2021)
Anomali Threat Research have identified a campaign in which threat actors are using MSBuild project files to deliver malware. The project files contain a payload, either Remcos RAT, RedLine, or QuasarRAT, with shellcode used to inject that payload into memory. Using this technique the malware is delivered filelessly, allowing the malware to evade detection.
Analyst Comment: Threat actors are always looking for new ways to evade detection. Users should make use of a runtime protection solution that can detect memory based attacks.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Trusted Developer Utilities - T1127 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] File and Directory Discovery - T1083 | |
Ransomware Malware Vulnerability Threat Guideline | APT 36 | |
|
2021-05-12 21:55:00 | Anomali Cyber Watch: Cozy Bear TTPs, Darkside Ransomware Shuts Down US Pipeline, Operation TunnelSnake Uses New Moriya Rootkit, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Fileless Malware, Malspam, Phishing, Ransomware, Rootkits, Targeted Attacks and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this agazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Darkside Ransomware Caused Major US Pipeline Shutdown
(published: May 8, 2021)
DarkSide ransomware attack caused Colonial Pipeline to shut down the biggest US gasoline pipeline on Friday, May 7th, 2021. The pipeline is the main source of gasoline, diesel and jet fuel for the US East Coast and runs from Texas to Tennessee and New Jersey serving up to 50 Million people. DarkSide group began their attack against the company a day earlier, stealing nearly 100 gigabytes of data before locking computers with ransomware and demanding payment.
Analyst Comment: While DarkSide's first known activity goes back only to August 2020, it is likely backed by experienced Eastern-European actors. Ransomware protection demands a multi-layered approach to include isolation, air-gaps, backup solutions, anti-phishing training and detection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Inhibit System Recovery - T1490 | [MITRE ATT&CK] Scripting - T1064
Tags: DarkSide, ransomware, Oil and Gas, USA, Colonial Pipeline
Revealing The 'Cnip3' Crypter, A Highly Evasive RAT Loader
(published: May 7, 2021)
Morphisec has discovered a new stealthy crypter as a service dubbed Snip3. Its advanced anti-detection techniques include: 1) Executing PowerShell code with the ‘remotesigned’ parameter. 2) Validating the existence of Windows Sandbox and VMWare virtualization. 3) Using Pastebin and top4top for staging. 4) Compiling RunPE loaders on the endpoint in runtime. Several hackers were observed using Snip3 to deliver various payloads: AsyncRAT, NetWire RAT, RevengeRAT, and Agent Tesla.
Analyst Comment: The Snip3 Crypter’s ability to identify sandboxing and virtual environments make it especially capable of bypassing detection-centric solutions. It shows the value of investing in complex cybersecurity solutions.
MITRE ATT&CK: [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Process Injection - T1055
Tags: Snip3, crypter, Crypter-as-a-Service, VBS, RAT, AsyncRAT, NetWire RAT, RevengeRAT, Agent Tesla, NYANxCAT
Lemon Duck target Microsoft Exchange Servers, Incorporate New TTPs
(published: May 7, 2021)
The Lemon Duck cryptomining group has been active since at least |
Ransomware Malware Threat | APT 29 APT 29 | |
|
2021-05-04 15:25:00 | Anomali Cyber Watch: Microsoft Office SharePoint Servers Targeted with Ransomware, New Commodity Crypto-Stealer and RAT, Linux Backdoor Targeting Users for Years, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Data Theft, Backdoor, Ransomware, Targeted Ransomware Attacks and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Python Also Impacted by Critical IP Address Validation Vulnerability
(published: May 1, 2021)
Researchers have recently discovered that a bug previously discovered in netmask (a tool to assist with IP address scoping) is also present in recent versions of Python 3. The bug involves the handling of leading zeroes in decimal represented IP addresses. Instead of interpreting these as octal notation as specified in the standard, the python ipaddress library strips these and interprets the initial zero and interprets the rest as a decimal. This could allow unauthenticated remote attackers to perform a number of attacks against programs that rely on python's stdlib ipdaddress library, including Server-Side Request Forgery (SSRF), Remote File Inclusion (RFI), and Local File Inclusion (LFI).
Analyst Comment: Best practices for developers include input validation and sanitization, which in this case would avoid this bug by validating or rejecting IP addresses. Additionally regular patch and update schedules will allow for rapid addressing of bugs as they are discovered and patches delivered. Proper network monitoring and policies are also an important part of protecting against these types of attacks.
Tags: CVE-2021-29921, python
Codecov Begins Notifying Affected Customers, Discloses IOCs
(published: April 30, 2021)
Codecov has disclosed multiple IP addresses as IOCs that were used by the threat actors to collect sensitive information (environment variables) from the affected customers. The company disclosed a supply-chain breach on April 15, 2021, and has now begun notifying customers. The breach went undiscovered for 2 months, and leveraged the Codecov Bash Uploader scripts used by a large number of projects.
Analyst Comment: In light of the increasing frequency and sophistication of supply chain attacks, companies should carefully audit, examine, and include in their threat modelling means of mitigating and detecting third party compromises. A resilient and tested backup and restore policy is an important part of the overall security strategy.
Tags: North America, Codecov, supply chain
FBI Teams up with ‘Have I Been Pwned’ to Alert Emotet Victims
(published: April 30, 2021)
The FBI has shared more than 4.3 million email addresses with data breach tracking site Have I Been Pwned. The data breach notification site allows you to check if your login credentials may have been compromised by Emotet. In total, 4,324,770 email addresses were provided which span a wide range of countries and domains. The addresses are actually sourced from 2 separate corpuses of data obtained by the agencies.
Analyst Comment: Frequently updated endpoint detection policies as well as network security |
Ransomware Data Breach Malware Tool Vulnerability Threat Patching Guideline | ||
|
2021-04-27 17:24:00 | Anomali Cyber Watch: HabitsRAT Targeting Linux and Windows Servers, Lazarus Group Targetting South Korean Orgs, Multiple Zero-Days and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Android Malware, RATs, Phishing, QLocker Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Zero-day Vulnerabilities in SonicWall Email Security Actively Exploited
(published: April 21, 2021)
US cybersecurity company SonicWall said fixes have been published to resolve three critical issues in its email security solution that are being actively exploited in the wild. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above.
Analyst Comment: The patches for these vulnerabilities have been issued and should be applied as soon as possible to avoid potential malicious behaviour. SonicWall’s security notice can be found here https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/. It is important that your company has patch-maintenance policies in place. Once a vulnerability has been publicly reported,, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083
Tags: CVE-2021-20021, CVE-2021-20023, CVE-2021-20022
Massive Qlocker Ransomware Attack Uses 7zip to Encrypt QNAP Devices
(published: April 21, 2021)
The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021. All victims are told to pay 0.01 Bitcoins, which is approximately $557.74, to get a password for their archived files. While the files are being locked, the Resource Monitor will display numerous '7z' processes which are the 7zip command-line executable.
Analyst Comment: Attackers are using legitimate tools like 7zip to evade detections by traditional antiviruses. EDR solutions can help tracking suspicious command line arguments and process creations to potentially detect such attacks. Customers should use backup solutions to be able recover encrypted files.
MITRE ATT&CK: [MITRE ATT&CK] Credentials in Files - T1081
Tags: Tor, Qlocker, CVE-2020-2509, CVE-2020-36195
Novel Email-Based Campaign Targets Bloomberg Clients with RATs
(published: April 21, 2021)
A new e-mail-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg's industry-based services. Attacks start in the form of targeted emails to c |
Ransomware Malware Tool Vulnerability Threat Medical | Wannacry Wannacry APT 38 APT 28 | |
|
2021-04-20 19:12:00 | Anomali Cyber Watch: Criminals Target Would Be Hackers for Cryptocurrency Theft, A Zero Day Vulnerability in Windows Desktop Manager is in the Wild, US Blames Russia for SolarWinds, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android Malware, Dependency Confusion, Ransomware, Russia, SaintBot and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
HackBoss Malware Poses as Hacker Tools on Telegram to Steal Digital Coins
(published: April 16, 2021)
The authors of a cryptocurrency-stealing malware are distributing it over Telegram to aspiring cybercriminals under the guise of free malicious applications. Researchers have named the malware HackBoss and say that its operators likely stole more than $500,000 from wannabe hackers that fell for the trick. The malware is designed to simply check the clipboard for a cryptocurrency wallet and replace it with one belonging to the attacker.
Analyst Comment: Messages that attempt to get a user to click a link should be viewed with scrutiny, especially when they come from individuals with whom you do not typically communicate. Education is the best defense. Users should be educated on the dangers of phishing, specifically, how they can take place in different forms of online communications, and whom to contact if a phishing attempt is identified.
MITRE ATT&CK: [MITRE ATT&CK] Clipboard Data - T1115 | [MITRE ATT&CK] Software Packing - T1045
Tags: Dogecoin, Cryptocurrency, Cryptostealer, Telegram, HackBoss
Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials
(published: April 15, 2021)
The recently discovered and patched Microsoft Exchange vulnerabilities have garnered considerable attention due to their mass exploitation and the severity of impact each exploitation has on the affected organization. On March 6, 2021, an unknown actor exploited vulnerabilities in Microsoft Exchange Server to install a webshell on a server at a financial institution in the EMEA (Europe, the Middle East and Africa) region. The actor then compressed the files associated with the information gathering and credential harvesting.
Analyst Comment: Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Data Compressed - T1002 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] PowerShell - T1086 | |
Ransomware Malware Vulnerability Threat | ||
|
2021-04-13 15:49:00 | Anomali Cyber Watch: Android Malware, Government, Middle East and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Group, FIN6, NetWalker, OilRig, Rocke Group, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Iran’s APT34 Returns with an Updated Arsenal
(published: April 8, 2021)
Check Point Research discovered evidence of a new campaign by the Iranian threat group APT34. The threat group has been actively retooling and updating its payload arsenal to try and avoid detection. They have created several different malware variants whose ultimate purpose remained the same, to gain the initial foothold on the targeted device.
Analyst Comment: Threat actors are always innovating new methods and update tools used to carry out attacks. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Custom Cryptographic Protocol - T1024 | [MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Scripting - T1064
Tags: OilRig, APT34, DNSpionage, Lab Dookhtegan, TONEDEAF, Dookhtegan, Karkoff, DNSpionage, Government, Middle East
New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp
(published: April 7, 2021)
Check Point Research recently discovered Android malware on Google Play hidden in a fake application that is capable of spreading itself via users’ WhatsApp messages. The malware is capable of automatically replying to victim’s incoming WhatsApp messages with a payload received from a command-and-control (C2) server. This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more.
Analyst Comment: Users’ personal mobile has many enterprise applications installed like Multifactor Authenticator, Email Client, etc which increases the risk for the enterprise even further. Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups. The latest security patches should be installed for both applications and the operating system.
Tags: Android, FlixOnline, WhatsApp
|
Ransomware Malware Vulnerability Threat Guideline | APT 34 | |
|
2021-03-30 17:07:00 | Anomali Cyber Watch: Malware, Phishing, Ransomware and More. (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: BlackKingdom, Chrome Extensions, Microsoft, REvil, PurpleFox, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Google removes privacy-focused ClearURLs Chrome extension
(published: March 24, 2021)
Researchers at Cato Networks have discovered two dozen malicious Google Chrome browser extensions and 40 associated malicious domains that were previously unidentified. Some extensions were found to steal users’ names and passwords, whilst others were stealing financial data. Spoofed extensions posing as legitimate ones were common, amongst them a fake ‘Postman’ extension harvesting companies API credentials to target company applications. The security vendor discovered the extensions on networks belonging to hundreds of its customers and found that they were not being flagged as malicious by endpoint protection tools and threat intelligence systems. Malicious extensions have been previously used in malicious campaigns, in 2020 researchers from Awake Security discovered over 100 malicious extensions engaged in a global campaign to steal credentials, take screenshots, and carry out other malicious activity. It was estimated that there were at least 32 million downloads of the malicious extensions.
Analyst Comment: This story illustrates the complexities of using modern life as Google is a monolithic corporation that is integrated into everyone’s daily lives, both personal and business. Whilst many may find it difficult to do much without Google, the cost of using this software can often be your own privacy. Users should be aware that Google’s policies and usage of your data is not malicious and is perfectly legal but you are giving up your information. If something is free, you are the product.
Tags: Google, Chrome, browser extension, privacy, Firefox, ClearURL
Purple Fox Malware Targets Windows Machines With New Worm Capabilities
(published: March 24, 2021)
Purple Fox, which first appeared in 2018, is an active malware campaign that targeted victims through phishing and exploit kits, it required user interaction or some kind of third-party tool to infect Windows machines. However, the attackers behind the campaign have now upped their game and added new functionality that can brute force its way into victims' systems on its own, according to new research from Guardicore Labs. The researchers identified a new infection vector through Server Message Block (SMB) password brute force and the addition of a rootkit, allowing the actors to hide the malware on a machine making it more difficult to detect and remove. Purple Fox is believed to have compromised around 3,000 servers, the vast majority of which were old versions of Windows Server IIS version 7.5. It was very active in Spring and Summer 2020 before going quiet and then ramping up activity in early 2021.
Analyst Comment: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: |
Ransomware Malware Tool Vulnerability Threat | ||
|
2021-03-23 14:00:00 | Anomali Cyber Watch: APT, Malware, Vulnerabilities and More. (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: BlackRock, CopperStealer, Go, Lazarus, Mirai, Mustang Panda, Rust, Tax Season, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Bogus Android Clubhouse App Drops Credential-Swiping Malware
(published: March 19, 2021)
Researchers are warning of a fake version of the popular audio chat app Clubhouse, which delivers malware that steals login credentials for more than 450 apps. Clubhouse has burst on the social media scene over the past few months, gaining hype through its audio-chat rooms where participants can discuss anything from politics to relationships. Despite being invite-only, and only being around for a year, the app is closing in on 13 million downloads. The app is only available on Apple's App Store mobile application marketplace - though plans are in the works to develop one.
Analyst Comment: Use only the official stores to download apps to your devices. Be wary of what kinds of permissions you grant to applications. Before downloading an app, do some research.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105
Tags: LokiBot, BlackRock, Banking, Android, Clubhouse
Trojanized Xcode Project Slips XcodeSpy Malware to Apple Developers
(published: March 18, 2021)
Researchers from cybersecurity firm SentinelOne have discovered a malicious version of the legitimate iOS TabBarInteraction Xcode project being distributed in a supply-chain attack. The malware, dubbed XcodeSpy, targets Xcode, an integrated development environment (IDE) used in macOS for developing Apple software and applications. The malicious project is a ripped version of TabBarInteraction, a legitimate project that has not been compromised. Malicious Xcode projects are being used to hijack developer systems and spread custom EggShell backdoors.
Analyst Comment: Researchers attribute this new targeting of Apple developers to North Korea and Lazarus group: similar TTPs of compromising developer supply chain were discovered in January 2021 when North Korean APT was using a malicious Visual Studio project. Moreover, one of the victims of XcodeSpy is a Japanese organization regularly targeted by North Korea. A behavioral detection solution is required to fully detect the presence of XcodeSpy payloads.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Security Software Discovery - T1063 | [MITRE ATT&CK] Obfuscated Files or Information - T1027
Tags: Lazarus, XcodeSpy, North Korea, EggShell, Xcode, Apple
Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware
(published: March 18, 2021)
Cybereason detected a new campaig |
Ransomware Malware Tool Threat Patching Medical | APT 38 APT 28 | |
|
2021-03-17 18:03:00 | Anomali Cyber Watch: APT, Ransomware, Vulnerabilities and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, AlientBot, Clast82, China, DearCry, RedXOR, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Google: This Spectre proof-of-concept shows how dangerous these attacks can be
(published: March 15, 2021)
Google has released a proof of concept (PoC) code to demonstrate the practicality of Spectre side-channel attacks against a browser's JavaScript engine to leak information from its memory. Spectre targeted the process in modern CPUs called speculative execution to leak secrets such as passwords from one site to another. While the PoC demonstrates the JavaScript Spectre attack against Chrome 88's V8 JavaScript engine on an Intel Core i7-6500U CPU on Linux, Google notes it can easily be tweaked for other CPUs, browser versions and operating systems.
Analyst Comment: As the density of microchip manufacturing continues to increase, side-channel attacks are likely to be found across many architectures and are difficult (and in some cases impossible) to remediate in software. The PoC of the practicality of performing such an attack using javascript emphasises that developers of both software and hardware be aware of these types of attacks and the means by which they can be used to invalidate existing security controls.
Tags: CVE-2017-5753
Threat Assessment: DearCry Ransomware
(published: March 12, 2021)
A new ransomware strain is being used by actors to attack unpatched Microsoft Exchange servers. Microsoft released patches for four vulnerabilities that are being exploited in the wild. The initial round of attacks included installation of web shells onto affected servers that could be used to infect additional computers. While the initial attack appears to have been done by sophisticated actors, the ease and publicity around these vulnerabilities has led to a diverse group of actors all attempting to compromise these servers.
Analyst Comment: Patch and asset management are a critical and often under-resourced aspect of defense in depth. As this particular set of vulnerabilities and attacks are against locally hosted Exchange servers, organization may want to assess whether a hosted solution may make sense from a risk standpoint
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | |
Ransomware Tool Vulnerability Threat Guideline | Wannacry APT 41 APT 34 | |
|
2021-03-02 15:00:00 | Anomali Cyber Watch: APT Groups, Cobalt Strike, Russia, Malware, and More (lien direct) |
We are excited to announce Anomali Cyber Watch, your weekly intelligence digest. Replacing the Anomali Weekly Threat Briefing, Anomali Cyber Watch provides summaries of significant cybersecurity and threat intelligence events, analyst comments, and recommendations from Anomali Threat Research to increase situational awareness, and the associated tactics, techniques, and procedures (TTPs) to empower automated response actions proactively.
We hope you find this version informative and useful. If you haven’t already subscribed get signed up today so you can receive curated and summarized cybersecurity intelligence events weekly.
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Emotet, Go, Masslogger, Mustang Panda, OilRig, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
(published: February 26, 2021)
Recent reporting indicates that two prolific cybercrime threat groups, CARBON SPIDER and SPRITE SPIDER, have begun targeting ESXi, a hypervisor developed by VMWare to run and manage virtual machines. SPRITE SPIDER uses PyXie's LaZagne module to recover vCenter credentials stored in web browsers and runs Mimikatz to steal credentials from host memory. After authenticating to vCenter, SPRITE SPIDER enables ssh to permit persistent access to ESXi devices. In some cases, they also change the root account password or the host’s ssh keys. Before deploying Defray 777, SPRITE SPIDER’s ransomware of choice, they terminate running VMs to allow the ransomware to encrypt files associated with those VMs. CARBON SPIDER has traditionally targeted companies operating POS devices, with initial access being gained using low-volume phishing campaigns against this sector. But throughout 2020 they were observed shifting focus to “Big Game Hunting” with the introduction of the Darkside Ransomware. CARBON SPIDER gains access to ESXi servers using valid credentials and reportedly also logs in over ssh using the Plink utility to drop the Darkside
Recommendation: Both CARBON SPIDER and SPRITE SPIDER likely intend to use ransomware targeting ESXi to inflict greater harm – and hopefully realize larger profits – than traditional ransomware operations against Windows systems. Should these campaigns continue and prove to be profitable, we would expect more threat actors to imitate these activities.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Scheduled Transfer - T1029 | |
Ransomware Malware Threat | Wannacry Wannacry APT 29 APT 28 APT 31 APT 34 | |
|
2021-02-10 16:34:00 | Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies (lien direct) | ScreenConnect Remote Access Tool Utilizing Ministry of Foreign Affairs-Themed EXEs and URLs Authored by: Gage Mele, Winston Marydasan, and Yury Polozov Key Findings Anomali Threat Research identified a campaign targeting government agencies in the United Arab Emirates (UAE) and likely the broader Middle East. We assess that Iran-nexus cyberespionage group Static Kitten, due to Israeli geopolitical-themed lures, Ministry of Foreign Affairs (MOFA) references, and the use of file-storage service Onehub that was attributed to their previous campaign known as Operation Quicksand.[1] The objective of this activity is to install a remote management tool called ScreenConnect (acquired by ConnectWise 2015) with unique launch parameters that have custom properties. Malicious executables and URLs used in this campaign are masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait (mofa.gov[.]kw). Another sample, including only MOFA (mfa.gov), could be used for broader government targeting. Overview Anomali Threat Research has uncovered malicious activity very likely attributed to the Iran-nexus cyberespionage group, Static Kitten (Seedworm, MERCURY, Temp.Zagros, POWERSTATS, NTSTATS, MuddyWater), which is known to target numerous sectors primarily located in the Middle East.[2] This new campaign, which uses tactics, techniques, and procedures (TTPs) consistent with previous Static Kitten activity, uses ScreenConnect launch parameters designed to target any MOFA with mfa[.]gov as part of the custom field. We found samples specifically masquerading as the Kuwaiti government and the UAE National Council respectively, based on references in the malicious samples. In mid-2020, the UAE and Israel began the process of normalizing relations. Since then, tensions have further escalated in the region, as reported by numerous sources. The targeting of Kuwait could be tied to multiple factors, including Kuwait’s MOFA making a public statement that they were willing to lead mediation between Iran and Saudi Arabia.[3] Furthermore, in October 2020, trade numbers for a peace deal between Israel and UAE included an estimate for the creation of 15,000 jobs and $2 billion in revenue on each side.[4] In that same month, Static Kitten reportedly conducted Operation Quicksand, which targeted prominent Israeli organizations and included the use of file-storage service OneHub.[5] Details We identified two lure ZIP files being used by Static Kitten designed to trick users into downloading a purported report on relations between Arab countries and Israel, or a file relating to scholarships. The URLs distributed through these phishing emails direct recipients to the intended file storage location on Onehub, a legitimate service known to be used by Static Kitten for nefarious purposes.[6] Anomali Threat Research has identified that Static Kitten is continuing to use Onehub to host a file containing ScreenConnect. The delivery URLs found to be part of this campaign are: ws.onehub[.]com/files/7w1372el ws.onehub[.]com/files/94otjyvd File names in this campaign include: تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod[.]gov.kw.ZIP تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod[.]gov.kw.exe الدرا | Ransomware Malware Tool Threat Studies Guideline | ||
|
2021-02-02 23:04:00 | Threat Actors Capitalize on COVID-19 Vaccine News to Run Campaigns, AWS Abused to Host Malicious PDFs (lien direct) | Key Findings
Malicious actors have targeted the vaccine supply chain and leaked materials stolen from the European Medicines Agency (EMA).
Phishing campaigns have evolved alongside the pandemic, with the latest observed themes being vaccine-related topics.
Users should remain cautious of possible phishing attacks via email, text messages (SMS), or just click through search results.
Overview
Threat actors change and adapt their campaigns to mirror themes prevalent in the public eye. When they leverage high-urgency trends, their success levels rise. Since the beginning of the pandemic, Anomali has focused resources to detect malicious cyber campaigns using COVID-19 themes. In this blog, Anomali Threat Research presents several malicious samples that represent simple tactics, techniques, and procedures (TTPs) used by actors in COVID-themed malspam campaigns. Less-sophisticated threat actors can be easier to monitor and block if the TTPs utilized by the actors are well known.
New Discoveries
The majority of this research centers on analysis of known threat actors and indicators of compromise (IOCs). There are several samples that we believe are newly discovered by our researchers (we haven’t seen them discussed elsewhere). Among these are several malicious PDFs hosted on Amazon Web Services (AWS) and other hosting websites. We discuss this campaign below in the chapter named “2.c. Alternative channel: Online PDF Search Engine Optimization (SEO)”, detailing samples with titles “Adenovirus vector pdf” and “Illinois coronavirus october 15”.
Details
1. Targeted Supply Chain Attacks
On December 28, 2020, the US Treasury Department's Financial Crimes Enforcement Network (FinCEN) published a notice entitled, “COVID-19 Vaccine-Related Scams and Cyberattacks.” That report provided evidence of actors conducting scams asking for a fee to provide potential victims with the vaccine sooner than permitted. Furthermore, FinCEN assessed that cybercriminals will likely continue to exploit the COVID-19 pandemic to target financial institutions, vaccine delivery operations, and vaccine manufacture supply chains. FinCEN is aware of ransomware directly targeting vaccine research and has pushed for awareness of these phishing schemes luring victims with fraudulent information about COVID-19 vaccines.[1]
Other threats to vaccine research have been reported by US and European intelligence agencies. In December 2020, threat actors breached the European Medicines Agency (EMA) whilst it was in the COVID-19 vaccine evaluation process. On January 12, 2021, threat actors leaked a portion of the stolen materials with regards to Pfizer/BioNTech vaccine (Figure 1).[2] On the same day in an unrelated event, the Director of the National Counterintelligence and Security Center (NCSC), William Evanina, confirmed the existence of threats from China and Russia to disrupt the US coronavirus vaccine supply chain.[3]
Figure 1 – Screenshot of the Files in the EMA Vaccine Breach
The publication of the EMA vaccine breach on RaidForums was taken down by forum administrators only to resurface on other platforms. Later, the EMA claimed that at least some of the leaked correspondence had “been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines.”[4]
2. Non-targeted Adoption by Phishing Campaigns
Below are three examples of COVID-19 vaccine-related phishing campaigns utilizing different delivery methods: email, SMS, and search engine traffic. As COVID-19 vaccination is a newsworthy topic, it would be consistent with observed activity for so |
Ransomware Spam Malware Threat Guideline | ||
|
2020-10-15 14:00:00 | COVID-19 Attacks – Defending Your Organization (lien direct) | Overview The Coronavirus 2019 (COVID-19) global pandemic has caused widespread fear of the unknown and deadly aspects of this novel virus, generated growth in certain industries to combat it, and created a shift toward remote work environments to slow the spread of the disease. Defending Your Organization Against COVID-19 Cyber Attacks. In this webinar, AJ, and I describe COVID-19 attacks in January through March, the groups behind them, and key MITRE ATT&CK techniques being employed. We then discuss ways an organization can keep themselves safe from these types of attacks. Pandemic Background COVID-19 is a pandemic viral respiratory disease, originally identified in Wuhan, China in December 2019. At the time of the webinar, it had infected around 1.5 million people worldwide. Within the first month, cyber actors capitalized on the opportunity. COVID Attack Timeline December 2019 - January 2020 At the end of December 2019, China alerted the World Health Organization (WHO) that there was an outbreak in Wuhan, China. Within a month, the first cyber events were being recorded. Around January 31, 2020, malicious emails (T1566.001) using the Emotet malware (S0367) and a phishing campaign (T1566.001) using LokiBot (S0447) were tied to TA542 alias Mummy Spider. Emotet, in particular, was prolific. It originally started as a banking Trojan, then evolved into a delivery mechanism for an initial payload that infected systems to download additional malware families such as TrickBot (S0266). Around this same time, there was a marked increase in the registration of domain names with COVID-19 naming conventions, a key indicator of an uptick in phishing campaigns. February 2020 In early February, the progression of adversaries using uncertainty about and thirst for information regarding the COVID-19 pandemic became apparent. New malware variants and malware families were reported employing coronavirus related content, including NanoCore RAT (S0336) and Parallax RAT, a newer remote-access Trojan, to infect unsuspecting users. Throughout February, cybercrime actors launched several phishing campaigns (T1566.001) to deliver information stealer AZORult (S0344). With worldwide government health agencies giving advice on cyber and physical health, threat actors aligned with nation-states such as Russia (Hades APT), China (Mustang Panda), and North Korea (Kimsuky - G0094) used this messaging to lure individuals to download and/or execute malicious files disguised as legitimate documents. These state-sponsored groups used convincing lures to impersonate organizations such as the United Nations (UN), the World Health Organization (WHO), and various public health government agencies to achieve short- and long-term national objectives. March 2020 In March, we observed a flurry of nation-state and cybercrime attributed malicious activity seeking to exploit the COVID-19 pandemic. Cybercrime actors distributed a range of malware families, including NanoCore (S0336), | Ransomware Spam Malware Threat | APT 36 | ★★★ |
|
2020-10-06 14:00:00 | Weekly Threat Briefing: Ransomware, IPStorm, APT Group, and More (lien direct) |
The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, BlackTech, BLINDINGCAN, Linux Malware, Palmerworm, Vulnerabilities, and XDSpy. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Grindr Fixed a Bug Allowing Full Takeover of Any User Account
(published: October 3, 2020)
Grindr, an LGBT networking platform, has fixed a vulnerability that could allow any account to be hijacked. The vulnerability was identified by security researcher Wassime Bouimadaghene, finding that the reset token was leaked in the page’s response content. This would enable anyone who knows a users’ email address to generate the reset link that is sent via email. Gaining account access would enable an attacker to obtain sensitive information such as pictures stored on the app (including NSFW), HIV status, location, and messages. Grindr has announced a bug bounty program.
Recommendation: If your account has been breached, you can reset the password using the reset link sent to the associated email address.
Tags: Browser, Exposed tokens, Grindr, Sensitive Info
XDSpy: Stealing Government Secrets Since 2011
(published: October 2, 2020)
Security researchers from ESET have identified a new Advanced Persistent Threat (APT) group that has been targeting Eastern European governments and businesses for up to nine years. Dubbed “XDSpy,” ESET was unable to identify any code similarity or shared infrastructure with other known groups and believe the group operates in a UTC+2 or UTC+3 time zone, Monday to Friday. XDSpy mainly uses spearphishing emails with some variance, some will contain attachments or links to malicious files, usually a ZIP or RAR archive. When the malicious file has infected a victim, it will install “XDDown,” a downloader that will begin to install additional plugins that will begin to exfiltrate files, passwords, and nearby SSIDs. XDSpy has also been observed using “CVE-2020-0968” (Internet Explorer legacy JavaScript vulnerability) bearing some resemblance to DarkHotel campaigns and Operation Domino, ESET do not believe these campaigns are related but may be using the same exploit broker.
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] File and Directory Discovery |
Ransomware Malware Vulnerability Threat Medical | APT 38 | ★★★★★ |
|
2020-09-22 15:00:00 | Weekly Threat Briefing: Android Malware, APT Groups, Election Apps, Ransomware and More (lien direct) |
The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Cerberus Source Code Leak, Chinese APT, Mrbminer Malware, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
US 2020 Presidential Apps Riddled with Tracking and Security Flaws
(published: September 17, 2020)
The Vote Joe 2020 application has been found to be potentially leaking personal data about voters. The app is used by the Joe Biden campaign to engage with voters and get supporters to send out promotional text messages. Using TargetSmart, an intelligence service, the app receives their predictions via API endpoint which has been found to be returning additional data. Voter preference and voter prediction could be seen, while voter preference is publically accessible, the information for TargetSmart was not meant to be publicly available. The app also let users from outside of the United States download, allowing for non-US citizens to have access to the data, as there was no email verification. Vote Joe isn’t the only campaign app with security issues, as the Donald Trump application exposed hardcoded secret keys in the APK.
Recommendation: The exposure of Personally Identifiable Information (PII) requires affected individuals to take precautionary measures to protect their identity and their finances. Identity theft services can assist in preventing illicit purchases, or applying for financial services from taking place by actors using stolen data.
Tags: APK, Android, Campaign, Election, Joe Biden, PII
German Hospital Attacked, Patient Taken to Another City Dies
(published: September 17, 2020)
A failure in IT systems at Duesseldorf University Hospital in Germany has led to the death of a woman. In an apparent ransomware attack, the hospital’s systems crashed with staff unable to access data. While there was no apparent ransom note, 30 servers at the hospital had been encrypted last week, with a ransom note left on one server addressed to Heinrich Heine University. Duesseldorf police contacted the perpetrators to inform them they had attacked the hospital instead of the university, with the perpetrators providing decryption keys, however patients had to be rerouted to other hospitals and therefore a long time before being treated by doctors.
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Germany, Healthcare, Hospital, Ransomware
|
Ransomware Malware Vulnerability Threat Patching Guideline | APT 41 | ★★★★★ |
|
2020-09-15 15:00:00 | Weekly Threat Briefing: APT Group, Malware, Ransomware, and Vulnerabilities (lien direct) |
The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Conti Ransomware, Cryptominers, Emotet, Linux, US Election, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
China’s ‘Hybrid War’: Beijing’s Mass Surveillance of Australia and the World for Secrets and Scandal
(published: September 14, 2020)
A database containing 2.4 million people has been leaked from a Shenzhen company, Zhenhua Data, believed to have ties to the Chinese intelligence service. The database contains personal information on over 35,000 Australians and prominent figures, and 52,000 Americans. This includes addresses, bank information, birth dates, criminal records, job applications, psychological profiles, and social media. Politicians, lawyers, journalists, military officers, media figures, and Natalie Imbruglia are among the records of Australians contained in the database. While a lot of the information is public, there is also non-public information contributing to claims that China is developing a mass surveillance system.
Recommendation: Users should always remain vigilant about the information they are putting out into the public, and avoid posting personal or sensitive information online.
Tags: China, spying
US Criminal Court Hit by Conti Ransomware; Critical Data at Risk
(published: September 11, 2020)
The Fourth District Court of Louisiana, part of the US criminal court system, appears to have become the latest victim of the Conti ransomware. The court's website was attacked and used to steal numerous court documents related to defendants, jurors, and witnesses, and then install the Conti ransomware. Evidence of the data theft was posted to the dark web. Analysis of the malware by Emsisoft’s threat analyst, Brett Callow, indicates that the ransomware deployed in the attack was Conti, which has code similarity to another ransomware strain, Ryuk. The Conti group, believed to be behind this ransomware as a service, is sophisticated and due to the fact that they receive a large portion of the ransoms paid, they are motivated to avoid detections and continue to develop advanced attacking tools. This attack also used the Trickbot malware in its exploit chain, similar to that used by Ryuk campaigns.
Recommendation: Defense in Depth, including vulnerability remediation and scanning, monitoring, endpoint protection, backups, etc. is key to thwarting increasingly sophisticated attacks. Ransomware attacks are particularly attractive to attackers due to the fact that each successful ransomware attack allows for multiple streams of income. The attackers can not only extort a ransom to decrypt the victim's files (especially in cases where the victim finds they do not have appropriate disaster recovery plans), but they can also monetize the exfiltrated data directly and/or use the data to aid in future attacks. This technique is increasingly used in supply chain compromises to build difficult to detect spearphishing attacks.
Tags: conti, ryuk, ransomware
|
Ransomware Malware Tool Vulnerability Threat Conference | APT 35 APT 28 APT 31 | ★★★ |
|
2020-09-09 16:24:00 | Weekly Threat Briefing: Skimmer, Ransomware, APT Group, and More (lien direct) | The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Baka, DDoS, Netwalker, PyVil, Windows Defender, TA413, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
‘Baka’ Javascript Skimmer Identified
(published: September 6, 2020)
Visa have issued a security alert based on identification of a new skimmer, named “Baka”. Based on analysis by Visa Payment Fraud Disruption, the skimmer appears to be more advanced, loading dynamically and using an XOR cipher for obfuscation. The attacks behind Baka are injecting it into checkout pages using a script tag, with the skimming code downloading from the Command and Control (C2) server and executing in memory to steal customer data.
Recommendation: eCommerce site owners must take every step necessary to secure their data and safeguard their payment card information. Visa has also released best practices in the security advisory.
Tags: Baka, Javascript, Skimmer
Netwalker Ransomware Hits Argentinian Government, Demands $4 Million
(published: September 6, 2020)
The Argentinian immigration agency, Dirección Nacional de Migaciones suffered a ransomware attack that shut down border crossings. After receiving many tech support calls, the computer networks were shut down to prevent further spread of the ransomware, which led to a cecission in border crossings until systems were up again. The ransomware used in this attack is Netwalker ransomware, that left a ransom note demanding initalling $2 million, however when this wasn’t paid in the first week, the ransom increased to $4 million.
Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions (HIDS). Always keep your important files backed up following the 3-2-1 rule: have at least 3 different copies, on 2 different mediums, with 1 off-site. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Argentina, Government, Netwalker, Ransomware
No Rest for the Wicked: Evilnum Unleashes PyVil RAT
(published: September 3, 2020)
Researchers on the Cybereason Nocturnus team have published their research tracking the threat actor group known as Evilnum, and an ongoing change in their tooling and attack procedures. This includes a new Remote Access Trojan (RAT), written in python that they have begun to use. The actor group attacks targets in the financial services sector using highly targeted spearphishing. The phishing lures leverage "Know Your Customer" (KY |
Ransomware Malware Tool Vulnerability Threat Medical | APT 38 APT 28 | ★★★★ |
To see everything:
Our RSS (filtrered)
