What's new around the internet


Columns: Src | Date (GMT) | Title | Description | Tags | Stories | Notes
Src: Anomali
Date (GMT): 2022-10-12 18:06:00
Title: Anomali Cyber Watch: Emotet Added Two New Modules, LofyGang Distributed 200 Malicious Packages, Bumblebee Loader Expanded Its Reach, and More
Description:
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Botnets, Brazil, China, Data loss, Infostealers, and Loaders. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
VMware Report Exposes Emotet Malware’s Supply Chain (published: October 10, 2022)
VMware researchers analyzed the Emotet malware-as-a-service evolution and its command-and-control (C2) infrastructure. In June 2022, Emotet added two new modules: one stealing credit card information from Google Chrome browsers, and another one that leverages the SMB protocol to spread laterally. Emotet’s main component is a DLL file that stores a highly obfuscated list of C2 IP:port pairs. More than half of the ports counted were port 8080, used as a proxy port on compromised legitimate servers abused to proxy traffic to the real C2 servers.
Analyst Comment: For network defenders it is important to strengthen email security and implement network segmentation whenever possible. Despite its continuous evolution, Emotet botnets can reuse previously identified infrastructure. Block known network-based indicators available via the Anomali platform.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Signed Script Proxy Execution - T1216 | [MITRE ATT&CK] Encrypted Channel - T1573 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Email Collection - T1114
Tags: mitre-software:Emotet, mitre-group:Wizard Spider, SMB, Proxy, Botnet, Malware-as-a-service, Windows
LofyGang Hackers Built a Credential-Stealing Enterprise on Discord, NPM (published: October 7, 2022)
Checkmarx Security researchers described a financially-motivated threat actor group dubbed LofyGang (Lofy). This group aims at stealing credentials and credit card data by distributing approximately 200 malicious packages and fake hacking tools on code-hosting platforms such as NPM and GitHub. LofyGang uses package name typosquatting and the starjacking technique of displaying fake popularity statistics. The first LofyGang package typically does not have malicious behavior besides fetching the second-stage malicious package. For its command-and-control communication the group often abuses legitimate services such as Discord, GitHub, glitch, Heroku, and Repl.it.
Analyst Comment: Developers should be extra cautious and sensitized to the growing exploitation of the open source eco
Tags: Ransomware, Malware, Tool, Threat
Src: Anomali
Date (GMT): 2022-10-06 10:28:00
Title: Getting Value with the MITRE ATT&CK Framework
Description:
In 2013, researchers at MITRE Corporation published the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework. This framework describes how attackers operate within an organization and offers a common language for describing these attacks. The framework describes both adversaries’ behaviors and their attempts to compromise systems and provides a set of indicators for measuring the effectiveness of security measures. Recent ESG Research found that the MITRE ATT&CK framework has grown in popularity to the point that nearly nine in ten organizations use it today. As SOC managers look into the future, they see even greater MITRE utilization. 97% of security professionals believe that MITRE ATT&CK (and derivative projects) will be critically important to their organization’s security operations strategy.
If you missed our recent webinar, here’s an excerpt on how to explain Mitre ATT&CK to executives. Or check out our “What is the Mitre ATT&CK Framework” resource for an in-depth overview.
Seeing the Big Picture with the Mitre ATT&CK Framework
Breaches are inevitable. Anyone who tells you otherwise probably has a bridge for sale as well. The reality is that breaches happen—and often multiple times. Our Cybersecurity Insights report showed that no industry is safe: even with increased investment, most businesses (87%) have fallen victim to successful cyberattacks in the past three years that resulted in damage, disruption, or a breach to their businesses. As an organization’s attack surface grows, it provides more opportunities and vulnerabilities for attackers to exploit. Adversaries continuously improve their stealth and TTPs to bypass existing security controls, a reality that is forcing organizations to change how they approach threat detection and response.
MITRE ATT&CK helps organizations understand the bigger picture by shifting their focus away from just looking at IP addresses and domains to one that illuminates the threat within the context of an organization’s overall cybersecurity posture. With MITRE ATT&CK, organizations are creating more secure futures by detecting incoming attacks and identifying and mitigating them before they cause damage. The ATT&CK framework helps security professionals with their daily technical analyses, making them better at what they do. When used to its full potential, MITRE ATT&CK can help security executives gain better value from existing technologies, including threat intelligence platforms (TIPs), SIEMs, and other security analytics tools.
Using ATT&CK to Understand Gaps
ATT&CK helps organizations establish strategic visibility into gaps in controls, making it easier to prioritize security investments in people, processes, services, and solutions. By using the MITRE ATT&CK framework to apply contextualization to security postures and controls, organiza
Tags: Malware, Vulnerability, Threat, Guideline
Src: Anomali
Date (GMT): 2022-10-04 18:08:00
Title: Anomali Cyber Watch: Canceling Subscription Installs Royal Ransomware, Lazarus Convinces to SSH to Its Servers, Polyglot File Executed Itself as a Different File Type, and More
Description:
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: DLL side-loading, Influence operations, Infostealers, North Korea, Ransomware, Russia, and Social engineering. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New Royal Ransomware Emerges in Multi-Million Dollar Attacks (published: September 29, 2022)
AdvIntel and BleepingComputer researchers describe the Royal ransomware group. Several experienced ransomware actors formed this group in January 2022. It started with third-party encryptors such as BlackCat, switched to using its own custom Zeon ransomware, and, since the middle of September 2022, the Royal ransomware. The Royal group utilizes targeted callback phishing attacks. Its phishing emails impersonating food delivery and software providers contained phone numbers to cancel the alleged subscription (after the alleged end of a free trial). If an employee calls the number, Royal uses social engineering to convince the victim to install a remote access tool, which is used to gain initial access to the corporate network.
Analyst Comment: Use services such as Anomali's Premium Digital Risk Protection to detect the abuse of your brands in typosquatting and phishing attacks. Organizations should include callback phishing awareness in their anti-phishing training.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Phishing - T1566
Tags: actor:Royal, detection:Zeon, detection:Royal, malware-type:Ransomware, detection:BlackCat, detection:Cobalt Strike, Callback phishing attacks, Spearphishing, Social Engineering
ZINC Weaponizing Open-Source Software (published: September 29, 2022)
Microsoft researchers described recent developments in Lazarus Group (ZINC) campaigns that start from social engineering conversations on LinkedIn. Since June 2022, Lazarus was able to trojanize several open-source tools (KiTTY, muPDF/Subliminal Recording software installer, PuTTY, TightVNC, and Sumatra PDF Reader). When a target extracts the trojanized tool from the ISO file and installs it, Lazarus is able to deliver their custom malware such as EventHorizon and ZetaNile. In many cases, the final payload was not delivered unless the target manually established an SSH connection to an attacker-controlled IP address provided in the attached ReadMe.txt file.
Analyst Comment: All known indicators connected to this recent Lazarus Group campaign are available in the Anomali platform and customers are advised to block these on their infrastructure. Researchers should monitor for the additional User Execution step required for payload delivery. Defense contractors should be aware of advanced social engineering efforts abusing LinkedIn and other means of establishing trusted communication.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Scheduled Task - T1053 |
Tags: Ransomware, Malware, Tool, Threat, Medical
Stories: APT 38
Src: Anomali
Date (GMT): 2022-09-27 16:51:00
Title: Anomali Cyber Watch: Sandworm Uses HTML Smuggling and Commodity RATs, BlackCat Ransomware Adds New Features, Domain Shadowing Is Rarely Detected, and More
Description:
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Fraud, Inbound connectors, Phishing, Ransomware, Russia, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
A Multimillion Dollar Global Online Credit Card Scam Uncovered (published: September 23, 2022)
ReasonLabs researchers discovered a large network of fake dating and customer support websites involved in credit card fraud operations. The threat actor builds a basic website, registers it with a payment processor (RocketGate), buys credit card data from other threat actors, and subscribes victims to monthly charging plans. The US was the most targeted, and a lower number of sites were targeting France. To pass the processor checks and lower the number of charge-backs, the actor avoided test charges, used a generic billing name, charged only a small payment typical for the industry, and hired a legitimate support center provider, providing effortless canceling and returning of the payment.
Analyst Comment: Users are advised to regularly check their bank statements and dispute fraudulent charges. Researchers can identify a fraudulent website by the overwhelming dominance of direct-traffic visitors from a single country, a small network of fake profiles, and a physical address typed on a picture to avoid indexing.
Tags: Credit card, Fraud, Scam, Chargeback, Payment processor, Fake dating site, USA, target-country:US, France, target-country:FR, target-sector:Finance NAICS 52
Malicious OAuth Applications Used to Compromise Email Servers and Spread Spam (published: September 22, 2022)
Microsoft researchers described a relatively stealthy abuse of a compromised Exchange server used to send fraud spam emails. After using valid credentials to get access, the actor deployed a malicious OAuth application, gave it admin privileges and used it to change Exchange settings. The first modification created a new inbound connector allowing mails from certain actor IPs to flow through the victim’s Exchange server and look like they originated from the compromised Exchange domain. Second, 12 new transport rules were set to delete certain anti-spam email headers.
Analyst Comment: If you manage an Exchange server, strengthen account credentials and enable multifactor authentication. Investigate if receiving alerts regarding suspicious email sending and removal of anti-spam headers.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Indicator Removal on Host - T1070
Tags: Exchange, Microsoft, PowerShell, Inbound connector, Transport rule, Fraud, Spam
NFT Malware Gets New Evasion Abilities (published: September 22, 2022)
Morphisec researchers describe a campaign targeting non-fungible token (NFT) communities since November 2020. A malicious link is being sent via Discord or other forum private phishing message related to an NFT or financial opportunity. If the user
Tags: Ransomware, Spam, Malware, Tool, Threat
Src: Anomali
Date (GMT): 2022-09-21 14:55:00
Title: Why Organizations are Investing in XDR Solutions to Detect Advanced Threats
Description:
Recent ESG research found that organizations are interested in extended detection and response (XDR) technology because current tools struggle to detect and investigate advanced threats. Today’s threats are more advanced than ever, with attackers more sophisticated, better funded, and well equipped to inflict damage. Despite investments, SOC teams are still struggling, chasing false positives and performing manual tasks to detect and investigate alerts accurately. XDR solutions, like The Anomali Platform, can help address these challenges by aggregating alerts, surfacing relevant threats, and integrating intelligence to present a timeline of events related to cyber-kill chains that improve threat detection while streamlining investigations. The report found that security professionals are interested in using XDR to help them address several threat detection and response challenges. The common XDR use cases analysts have in mind are:
- Help prioritize alerts based on risk
- Improved detection of advanced threats
- More efficient threat/forensic investigations
- A layered addition to existing threat detection tools
- Improve threat detection to reinforce security controls and prevent future similar attacks
Users want XDR to fill gaps within their security stack while improving the efficacy and efficiency of threat detection and response. So, how does XDR do that? Let’s look at the common XDR use cases security teams are looking for.
Help prioritize alerts based on risk
A Security Operations Center’s primary responsibility is monitoring security events and investigating and responding promptly. SOC Analysts need to act quickly when threats arise. They must ensure that threats with elevated risk scores get elevated for further research, investigation, and analysis.
Unfortunately, most analysts suffer from alert fatigue and cannot process the overload of alerts to determine what’s real and false. This can also result in some alerts being ignored and missed. Research by Invicti found that SOCs waste an average of 10,000 hours and some $500,000 annually on validating unreliable and incorrect alerts. An effective XDR solution integrates automation and machine learning to minimize false positives and enable security analysts to focus on the highest priority events to respond quickly. This helps increase efficiencies and enables organizations to quickly experience the key benefits of an XDR solution. With XDR solutions that integrate threat intelligence, like Anomali’s, you can uplevel your analysts with a critical understanding of the threat and what’s needed to remove it from the environment.
Improved detection of advanced threats
Threat actors continue to evolve, and cyber-attacks increase in complexity. Keeping up with an ever-changing threat landscape to identify complex attacks is challenging. Threat intelligence needs to be at the foundation of any security program. Threat intelligence enhances detection capabilities and informs security professionals of potential cyber risks with real-time information to help them better understand their adversaries and the attack vectors that affect the security of their business. Extended detection and response solutions collect telemetry from security tools in real-time to eliminate security gaps and provide an integrated platform for effective threat detection. Through one platform, they provide increased visibility across multiple security tools (Big Data Lake, UEBA, SOAR, TIP, NDR, or EDR). But not all XDR solutions integrate threat intelligence. Anomali takes the data collection p
Tags: Threat
Src: Anomali
Date (GMT): 2022-09-20 15:00:00
Title: Anomali Cyber Watch: Uber and GTA 6 Were Breached, RedLine Bundle File Advertises Itself on YouTube, Supply-Chain Attack via eCommerce Fishpig Extensions, and More
Description:
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Iran, Ransomware, Stealers, and Supply chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Hacker Pwns Uber Via Compromised VPN Account (published: September 16, 2022)
On September 15, 2022, ride-sharing giant Uber started an incident response after discovering a data breach. According to Group-IB researchers, download file name artifacts point to the attacker getting access to fresh keylogger logs affecting two Uber employees from Indonesia and Brazil that had been infected with Raccoon and Vidar stealers. The attacker allegedly used compromised VPN account credentials and performed a multifactor authentication fatigue attack by requesting the MFA push notification many times and then making a social-engineering call to the affected employee. Once inside, the attacker allegedly found valid credentials for privilege escalation: a PowerShell script containing hardcoded credentials for a Thycotic privileged access management admin account. On September 18, 2022, Rockstar Games’ Grand Theft Auto 6 suffered a confirmed data leak, likely caused by the same attacker.
Analyst Comment: Network defenders can consider setting up alerts for signs of an MFA fatigue attack such as a large number of MFA requests in a relatively short period of time. Review your source code for embedded credentials, especially those with administrative privileges.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Credentials from Password Stores - T1555
Tags: MFA fatigue, Social engineering, Data breach, Uber, GTA 6, GTA VI, detection:Racoon, detection:Vidar, malware-type:Keylogger, malware-type:Stealer
Self-Spreading Stealer Attacks Gamers via YouTube (published: September 15, 2022)
Kaspersky researchers discovered a new campaign spreading the RedLine commodity stealer. This campaign utilizes a malicious bundle: a single self-extracting archive. The bundle delivers RedLine and additional malware, which enables spreading the malicious archive by publishing promotional videos on the victim’s YouTube channel. These videos target gamers with promises of “cheats” and “cracks.”
Analyst Comment: Kids and other online gamers should be reminded to avoid illegal software. It might be better to use different machines for your gaming and banking activities.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Resource Hijacking - T1496
Tags: detection:RedLine, malware-type:Stealer, Bundle, Self-spreading, Telegraph, Youtub
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Guideline, Uber
Stories: Uber, APT 41, APT 15
Src: Anomali
Date (GMT): 2022-09-14 18:38:00
Title: August 2022 Quarterly Product Release
Description:
The Anomali team continues to work with our customers to add their needed capabilities. With our August release, we’ve introduced new capabilities that continue our focus on enabling enterprise organizations to stay a step ahead of adversaries.
Key Highlights for this Quarter Include:
- Creating Extended Visibility with Anomali and MITRE ENGENUITY
- Routine task automation accelerating analyst mean-time-to-respond
- Scheduled Retrospective Search
- Automated Response for The Anomali Platform
- Lens + Support for MITRE ATT&CK Enterprise v10 and v11
- Simplified installation of Integrator 8.1
Anomali Attack Pattern Detection and MITRE ATT&CK®:
In 2021, Anomali joined MITRE Engenuity’s Center for Threat-Informed Defense to collaborate on the Attack Flow Project to better understand adversary behavior and improve defensive capabilities. This partnership culminated with the public release of the project in March 2022. The Attack Flow project will provide context around adversary behavior and help security teams expertly profile the adversary. It will also enable them to protect the organization better before an attack, detect it in real-time, and respond post-attack. I’m excited about this project and the things to come. Listen below to an excerpt from our recent webinar explaining the project.
Routine Workflow Automation:
Customers are always looking for solutions that make their life easier. This release introduces the first phase of our Routine Task Automation Framework within ThreatStream Cloud that adds support for the automation of routine analyst tasks. This first phase allows users to define an enrichment routine that can be triggered against a given indicator in an investigation. Users can create multiple automated routines to build up a library of regular workflows to create one-click actions instead of an involved sequence of enrichment pivots or transforms.
Users can also share created routines cross-functionally to foster team collaboration and increase efficiencies. Automating routine tasks in ThreatStream will help reduce noise by filtering out unwanted enrichment data, allowing analysts to focus and prioritize analysis efforts.
Screenshot: Configuring a Routine Task Automation - running multiple (up to 20) enrichments with one button click
Scheduled Retrospective Search
One of the critical features of our cloud XDR solution is the ability to search for matches in an environment retrospectively. Customers can schedule automated retrospective searches to correlate against new intelligence findings automatically. This automated process will enable security teams to detect real-time threats in their environment and provides insights into new threat actors, bulletins, and other threat models.
Screenshot: Showing a list of already configured Retrospective Searches, scheduled to run at specific cadences
Automated Response for The Anomali Platform
Alerts within The Anomali Platform identify malicious IoCs within a customer’s environment that trigger a series of actions that enable an effective response. The key is distributing IOCs to clients’ security tools within appropriate
Tags: Threat
Src: Anomali
Date (GMT): 2022-09-13 15:00:00
Title: Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More
Description:
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Defense evasion, DDoS, Iran, Ransomware, PlugX, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Microsoft Investigates Iranian Attacks Against the Albanian Government (published: September 8, 2022)
Microsoft researchers discovered that groups working under Iran’s Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with an initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania.
Analyst Comment: The MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in a form of direct and proportional retaliation as it sees it. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users are advised to block known OilRig network indicators.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070
Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona
BRONZE PRESIDENT Targets Government Officials (published: September 8, 2022)
Secureworks researchers detected a new campaign by the China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters.
Analyst Comment: Many advanced attacks start with basic techniques such as an unwarranted email with a malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 |
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Guideline
Stories: APT 27, APT 34
Src: Anomali
Date (GMT): 2022-09-07 15:00:00
Title: Anomali Cyber Watch: EvilProxy Defeats Second Factor, Ragnar Locker Ransomware Hits Critical Infrastructure, Montenegro Blames Russia for Massive Cyberattack, and More
Description:
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Critical infrastructure, Crypto mining, Delayed execution, Phishing, Ransomware, Reverse proxy, Russia, and Steganography. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web (published: September 5, 2022)
Resecurity researchers analyzed EvilProxy, a phishing kit that uses reverse proxy and cookie injection methods to bypass two-factor authentication (2FA). EvilProxy uses extensive virtual machine checks and browser fingerprinting. If the victim passes the checks, EvilProxy acts as a proxy between the victim and the legitimate site that asks for credentials. EvilProxy is being sold as a service on the dark web. Since early May 2022, EvilProxy enables phishing attacks against customer accounts of major brands such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex, and others.
Analyst Comment: EvilProxy is a dangerous automation tool that enables more phishing attacks. Additionally, EvilProxy targeting GitHub and npmjs accounts increases the risk of follow-up supply-chain attacks. The Anomali platform has historic EvilProxy network indicators that can help when investigating incidents affecting 2FA. With 2FA bypass, users need to be aware of phishing risks and pay even more attention to domains that ask for their credentials and 2FA codes.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Supply Chain Compromise - T1195
Tags: EvilProxy, Phishing, Phishing-as-a-service, Reverse proxy, Cookie injection, 2FA, MFA, Supply chain
Ragnar Locker Ransomware Targeting the Energy Sector (published: September 1, 2022)
Cybereason researchers investigated the Ragnar Locker ransomware that was involved in a cyberattack on DESFA, a Greek pipeline company. On August 19, 2022, the Ragnar Locker group listed DESFA on its data leak site. The group has been active since 2019 and it is not the first time it targets critical infrastructure companies with the double-extortion scheme. Their Ragnar Locker ransomware shows the typical abilities of modern ransomware including system information and location collection, deleting shadow copies, identifying processes (antiviruses, backup solutions, IT remote management solutions, and virtual-based software), and encrypting the system with the exception list in mind.
Analyst Comment: Ragnar Locker appears to be an aggressive ransomware group that is not shy about attacking critical infrastructure as long as the targets are not in the Commonwealth of Independent States (Russia and associated countries). Always be on high alert while reading emails, in particular those with attachments, URL redirection, a false sense of urgency or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and teste
Tags: Ransomware, Malware, Tool, Threat, Patching, Guideline
Stories: Yahoo
Src: Anomali
Date (GMT): 2022-09-01 16:50:00
Title: Security Operations are More Difficult Now More Than Ever. But Why?
Description:
According to recent research by ESG, 52% of respondents believe security operations are more difficult today than they were two years ago. Responses stated this was due to multiple factors, such as the increasingly dangerous threat landscape, a growing attack surface, the volume and complexity of security alerts, and public cloud proliferation. Today’s threats are more sophisticated than ever, making them more challenging to defend against. Security teams must constantly do more with less, protecting more data, endpoints, and applications. And, as the threat landscape evolves, so will they, but chances are they must do so with fewer resources. The growing list of challenges is never-ending. So what tops the list?
An Ever-Growing Attack Surface
Organizations are collecting and storing more data than ever, driven by more cloud-based applications and services. This new on-prem/off-prem environment has created more potential entry points for attackers. Additionally, many organizations lose track of their assets, failing to update policies and their security infrastructure, leaving them vulnerable to attacks that exploit known vulnerabilities. Another reason security teams face more challenges today is the increasing number of mobile devices and cloud apps used by employees. These devices and apps can provide a convenient way for employees to access company data, but they can also be a security risk if they are not adequately secured.
The Evolving Threat Landscape
As the attack surface grows, so does the number of potential threats. Security teams must now contend with a broader range of threats, including sophisticated malware, zero-day exploits, and ransomware. Additionally, attackers are becoming more brazen and are targeting high-profile organizations with well-funded security operations.
In addition, the rise of social media has created new opportunities for hackers to launch cyber attacks. Social media platforms can spread malware or gather information about people’s online habits, used to launch targeted attacks and infiltrate enterprise organizations.
Increasing Compliance Requirements
Organizations must comply with an ever-growing number of regulations, such as the EU’s General Data Protection Regulation (GDPR), that require security teams to put in place additional controls and processes, which can be costly and time-consuming. Additionally, compliance failures can result in heavy fines and strain an already tight budget.
Limited Resources
According to (ISC)²'s 2021 Cyber Workforce Report, the global cybersecurity workforce needs to grow 65 percent to defend organizations’ critical assets effectively. While the number of professionals required to fill the gap has decreased, the number of qualified cyber professionals will fall even further due to the growing demand for highly skilled individuals.
Complex Tech Stack
Enterprises frequently deploy new security tools and services to address changing needs and increased threats. As previously mentioned, a typical enterprise SOC may use a combination of twenty or more technologies, making it difficult to customize each solution for its environment. The interoperability issues caused by the possibility of using multiple vendors make it very challenging to get a complete picture of your overall security environment.
The Need to Adapt
Despite these challenges, security teams must find ways to adapt to protect their organizations effectively against ever-evolving threats. So what c
Tags: Malware, Tool, Threat, Guideline
Anomali.webp 2022-08-30 15:01:00 Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Authentication, DDoS, Fingerprinting, Iran, North Korea, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence LastPass Hackers Stole Source Code (published: August 26, 2022) In August 2022, an unidentified threat actor gained access to portions of the password management giant LastPass development environment. LastPass stated that it happened through a single compromised developer account and that the attacker took portions of source code and some proprietary LastPass technical information. The company claims that this incident did not affect customer data or encrypted password vaults. Analyst Comment: This incident doesn’t seem to have an immediate impact on LastPass users. Still, organizations relying on LastPass should raise the concern in their risk assessment since “white-box hacking” (when the source code of the attacked system is known) is easier for threat actors. Organizations providing public-facing software should take maximum measures to block threat actors from their development environment and establish robust and transparent security protocols and practices with all third parties involved in their code development.
Tags: LastPass, Password manager, Data breach, Source code Mercury Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli (published: August 25, 2022) Starting in July 2022, a new campaign by the Iran-sponsored group Static Kitten (Mercury, MuddyWater) was detected targeting Israeli organizations. Microsoft researchers detected that this campaign was leveraging exploitation of Log4j 2 vulnerabilities (CVE-2021-45046 and CVE-2021-44228) in SysAid applications (IT management tools). For persistence, Static Kitten was dropping webshells, creating local administrator accounts, stealing credentials, and adding their tools to the startup folders and autostart extensibility point (ASEP) registry keys. Overall, the group was heavily using various open-source and built-in operating system tools: eHorus remote management software, Ligolo reverse tunneling tool, Mimikatz credential theft tool, PowerShell programs, RemCom remote service, Venom proxy tool, and Windows Management Instrumentation (WMI). Analyst Comment: Network defenders should monitor for alerts related to web shell threats, suspicious RDP sessions, ASEP registry anomalies, and suspicious account creation. Similarly, SysAid users can monitor for webshells and abnormal processes related to the SysAidServer instance. Even though Static Kitten was observed leveraging the Log4Shell vulnerabilities in the past (targeting VMware apps), most of their attacks still start with spearphishing, often from a compromised email account. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Phishing - T1566 | Ransomware Hack Tool Vulnerability Threat Guideline Cloud APT 37 APT 29 LastPass
Anomali.webp 2022-08-23 17:35:00 Anomali Cyber Watch: Emissary Panda Adds New Operation Systems to Its Supply-Chain Attacks, Russia-Sponsored Seaborgium Spies on NATO Countries, TA558 Switches from Macros to Container Files, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, DDoS, Russia, Spearphishing, Supply chain, Taiwan, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Reservations Requested: TA558 Targets Hospitality and Travel (published: August 18, 2022) Since 2018, the financially-motivated threat group TA558 has targeted hospitality and travel with reservation-themed, business-relevant phishing emails. The group concentrates on targeting Latin America using lures written in Portuguese and Spanish, and sometimes uses English and wider targeting (North America, Western Europe). TA558 was seen leveraging at least 15 different malware payloads, most often AsyncRAT, Loda RAT, Revenge RAT, and Vjw0rm. In 2022, Proofpoint researchers detected that TA558 increased its activity and moved from using malicious macros to URLs and container files (ISO, RAR). Analyst Comment: Microsoft’s preparations to disable macros by default in Office products caused multiple threat groups, including TA558, to adopt new filetypes to deliver payloads. It is crucial for personnel working with invoices and other external attachments to use updated, secured systems and be trained on phishing threats. Anomali Match can be used to quickly search your infrastructure for known TA558 IOCs.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 Tags: TA558, AsyncRAT, Loda, RAT, Vjw0rm, BluStealer, Revenge RAT, XtremeRAT, Hospitality, Travel, Phishing, ISO, RAR, PowerShell, CVE-2017-11882, CVE-2017-8570 Estonia Subjected to 'Extensive' Cyberattacks after Moving Soviet Monuments (published: August 18, 2022) On August 17, 2022, the Russian hacktivist group KillNet launched distributed denial-of-service (DDoS) attacks targeting Estonia. The Estonian government confirmed receiving the “most extensive” DDoS attacks in 15 years, but stressed that all services are back online after just some minor interruptions. Small and medium-sized DDoS attacks targeted 16 state and private organizations in the country, with seven of them experiencing downtime as a result. Specifically, the Estonian Tax and Customs Board website was unavailable for about 70 minutes. Analyst Comment: Russian cyber activity follows political tensions, this time coinciding with the removal of a Red Army memorial. Estonia seemingly easily fended off this Russian DDoS attack, but the country is one of the top countries in cyber preparedness, and Russia limited its strike to using hacktivist groups that give plausible deniability when attributing the cyber attack on a NATO country. Organizations that rely on stable work of their I Ransomware Malware Tool Threat APT 27
Anomali.webp 2022-08-16 15:06:00 Anomali Cyber Watch: Ransomware Module Added to SOVA Android Trojan, Bitter APT Targets Mobile Phones with Dracarys, China-Sponsored TA428 Deploys Six Backdoors at Once, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, China, Cyberespionage, India, Malspam, Ransomware, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence APT-C-35: New Windows Framework Revealed (published: August 11, 2022) The DoNot Team (APT-C-35) are India-sponsored actors active since at least 2016. Morphisec Labs researchers discovered a new Windows framework used by the group in its campaign targeting Pakistani government and defense departments. The attack starts with a spearphishing RTF attachment. If opened in a Microsoft Office application, it downloads a malicious remote template. After the victim enables editing (macros), a multi-stage framework deployment starts. It includes two shellcode stages followed by the main DLL that, based on victim fingerprinting, downloads a custom set of additional information-stealing modules. Analyst Comment: The described DoNot Team framework is pretty unique in its customisation, fingerprinting, and module implementation. At the same time, the general theme of a spearphishing attachment that asks the targeted user to enable editing is not new and can be mitigated by anti-phishing training and Microsoft Office settings hardening.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Template Injection - T1221 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Data from Removable Media - T1025 | [MITRE ATT&CK] Data from Network Shared Drive - T1039 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 Tags: APT-C-35, DoNot Team, APT, India, source-country:IN, Government, Military, Pakistan, target-country:PK, Windows Ransomware Malware Tool Vulnerability Threat Guideline Medical APT 38
Anomali.webp 2022-08-10 16:42:00 Open XDR vs. Native XDR Solutions: Which solution is right for you? (direct link) According to ESG Research, XDR momentum continues to build despite there being confusion about what XDR is. Extended Detection & Response (XDR) is one of those solutions that everyone knows about, but few understand. Extended Detection and Response (XDR) solutions provide increased visibility into security threats by collecting data across all security telemetry, including networks, clouds, endpoints, and applications to detect, analyze, hunt, and mitigate threats in real-time. Watch this quick video from Gartner® on all you need to know about XDR. There are two types of XDR solutions: Open XDR and Native XDR. But what are the differences between these two options, and which is right for your organization? This blog post will take a closer look at both Open XDR and Native XDR solutions and compare their pros and cons. By the end of this post, you'll be able to make an informed decision about which option is best for your business. Comparing Open XDR vs. Native XDR Solutions What is open XDR? Open XDR is a vendor-agnostic approach to XDR that easily integrates into a customer's existing tech stack to incorporate all of their investments and security tools as part of the platform. How does open XDR work? Open XDR is designed to ingest security data from all available telemetry sources in a security environment, using machine learning and artificial intelligence to collect and correlate data and drive detection and response. An Open XDR solution utilizes an organization's existing security infrastructure, aggregating data across on-prem, cloud, and hybrid sources. Instead of ripping and replacing current security tools, Open XDR solutions connect with existing infrastructure to provide a unified extended detection and response platform.
Open XDR security solutions are designed to collect, streamline, and consolidate data for organizations so they can save money and improve their security insights by using them. Key Benefits of Open XDR: Unification of the Security Stack: AI-powered detection and response translates to a faster, better approach to security operations by consolidating complex security stacks. Playing the Field: Open XDR solutions allow you to work with multiple vendors as they offer third-party integrations with tools into which organizations have already invested capital and effort. This enables security teams to continue to leverage those technologies going forward without needing to replace them. Increased Efficiencies: Open XDR can leverage multiple security tools, vendors and telemetry types, all integrated into a single detection and response platform that centralizes behavior analysis. What is Native XDR? A Native XDR solution integrates security tools from one vendor to collect data and perform threat detection and response activities. Since some organizations have already made significant investments in their tech stack, with products from a single vendor, it might make sense to use that vendor's XDR platform. Key Benefits of Native XDR Familiarity: Security teams might be more comfortable using a particular vendor for certain things, including event management and response capabilities. Time to Value: Because of the familiarity mentioned above, it might take less time to deploy and experience the benefits of a security platform with a standard UI. Economies of Scale: Bundling might be an option, with tight integration and potential discounts or perks from using Threat
Anomali.webp 2022-08-09 15:01:00 Anomali Cyber Watch: RapperBot Persists on SSH Servers, Manjusaka Attack Framework Tested in China, BlackCat/DarkSide Ransom Energy Again, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Botnet, China, Data breach, DDoS, Phishing, Ransomware, and Taiwan. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence So RapperBot, What Ya Bruting For? (published: August 3, 2022) RapperBot, a new Internet of Things (IoT) botnet, is rapidly evolving despite appearing in the wild just two months ago (June 2022). Fortinet researchers discovered that RapperBot heavily reuses parts of the Mirai source code, but changed the attack vector (brute-forcing SSH instead of Telnet) and the command and control (C2) protocol, and added persistence capabilities. RapperBot maintains remote access by adding the attacker's public key to ~/.ssh/authorized_keys. The latest RapperBot samples also started adding the root user "suhelper” to /etc/passwd and /etc/shadow/, and continue to add the root user account every hour. Top targeted IPs were from Taiwan, USA, and South Korea, in that order. RapperBot has basic DDoS capabilities such as UDP and TCP STOMP flood copied from the Mirai source code. Analyst Comment: Despite sharing a significant amount of source code with Mirai variants, RapperBot appears to be developed by a persistent actor and not a novice motivated by notoriety. It is possible that the actors will add new impact functionality after the RapperBot botnet grows substantially. SSH server administrators should adhere to secure password practices.
It is also important to note that simply restarting the device, changing SSH credentials or even disabling SSH password authentication does not remove the RapperBot infection. MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Scheduled Task - T1053 Tags: RapperBot, Taiwan, target-country:TW, USA, target-country:US, South Korea, target-country:KR, SSH brute force, DDoS, IoT, ARM, MIPS, SPARC, x86, Linux, UDP flood, TCP STOMP, port:4343, port:4344, port:4345, port:48109, Mirai Woody RAT: A New Feature-Rich Malware Spotted in the Wild (published: August 3, 2022) Malwarebytes researchers have identified a new Remote Access Trojan (RAT) dubbed Woody Rat. It has been used by unidentified attackers for at least one year targeting Russian organizations in the aerospace industry. Two kinds of spearphishing attachment were used. Initially, Woody Rat was delivered via archived executable with double extension .DOC.EXE. More recently, the attackers switched to Microsoft Office documents leveraging the Follina (CVE-2022-30190) vulnerability. Woody Ra Ransomware Malware Tool Vulnerability Threat
Anomali.webp 2022-08-02 15:17:00 Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyber mercenaries, Phishing, Rootkits, Spyware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT” (published: July 28, 2022) Volexity researchers discovered SharpExt, a new malicious browser app used by the North Korea-sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the app; the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter almost exclusively used in South Korea. Following the initial compromise, Velvet Chollima deploys SharpExt and, to avoid warning the victim, manually exfiltrates settings files to change the settings and generate a valid "super_mac" security check value. They also hide the newly opened DevTools window and any other warning windows, such as a warning regarding extensions running in developer mode. Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it was concentrating on stealing credentials instead of emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US.
Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match). MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Hide Artifacts - T1564 Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits (published: July 27, 2022) Microsoft researchers detail the activity of DSIRF, an Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF was exploiting another Adobe Reader vulnerability, CVE-2022-22047, which was patched in July 2022. DSIRF attacks rely on their malware toolset called Subzero. The initial downloader shellcode is executed from either the exploit chains or malicious Excel documents. It downloads a JPG image file with extra encrypted data, then extracts, decrypts and loads into memory the Corelump memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se Malware Tool Vulnerability Threat Patching Guideline Cloud APT 37 APT 28
Anomali.webp 2022-07-28 12:24:00 The Need for Maintaining a Pulse on Emerging Global Cybersecurity Threats (direct link) Welcome to the final blog in the series where I’ve been diving deeper into the Top 10 Cybersecurity Challenges Organizations Face as found in our Cybersecurity Insights Report. If you’ve followed along and kept up with me, thank you. If you’ve downloaded the report, thank you again. Coming in at number one on our list (drum roll, please): Maintaining a pulse on new and emerging global cybersecurity threats. I think the fact that this came in at number one should come as no surprise to security professionals, especially considering that the threat landscape is constantly changing and evolving at an alarming rate. Today’s attackers are more innovative, adapting and deploying sophisticated attacks daily. According to our research, 62% of organizations use tools and technology to monitor global threats and accelerate their threat intelligence performance. Threat intelligence should be foundational to any security program, as should threat intelligence platforms or threat intelligence management solutions. These tools inform security teams, helping to turn raw data into relevant intelligence. They also help automate processes for intelligence professionals to manage stakeholder requirements, maximize data analysis by understanding adversaries’ intent and objectives, and improve decision making. Cybersecurity Risks are Global The world is changing rapidly, with technology becoming increasingly central to how we live and work. This digital transformation presents challenges and opportunities and requires organizations to think differently about cybersecurity. The threat landscape has never been as complex as today. There are no longer just “traditional” cyber threats. Everything is interconnected, and attacks can come from anywhere.
Organizations must look beyond their perimeter to take a holistic view of cyber risks and consider the full range of potential attack vectors, including physical infrastructure, communications networks, software applications, human behavior, and data center operations. The threat environment is evolving quickly, and security professionals must ensure they keep pace. Threat Actors Are Growing More Sophisticated In today’s world, hacking is a multi-billion-dollar business. Gone is the traditional stereotype of the lone hacker in a hoodie, working solo. Cybercrime as a service, modeled after the Software as a Service (SaaS) business model, is stronger than ever. For example, ransomware attacks can be purchased via an affiliate program. Affiliates can use already-developed tools to execute ransomware attacks and earn a percentage for each successful ransom payment. Even customer care centers field ransomware victims’ inquiries, instructing them on how to procure the bitcoins attackers demand in exchange for a decryption key for unlocking a forcibly encrypted PC or server. Keeping Pace with Attackers As attackers develop new ways to exploit critical vulnerabilities, the number of threats continues to rise. Cybersecurity professionals face various threats from multiple groups, including nation-states, organized crime, hacktivism, and human error. In addition to the traditional security concerns of data breaches, financial loss, identity theft, and fraud, security teams now face challenges related to the speed and sophistication of modern attacks. These include: Attacks that target critical infrastructure Sophisticated forms of social engineering Zero-day exploits Targeted phishing campaigns Automated lateral movement The Past Informs the Future Technology is constantly evolving, mak Ransomware Threat
Anomali.webp 2022-07-26 17:10:00 Anomali Cyber Watch: Cozy Bear Abuses Google Drive API, Complex Lightning Framework Targets Linux, Google Ads Hide Fraudulent Redirects, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Bots, China, Linux, Malspam, Mobile, Russia, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware (published: July 21, 2022) Intezer researchers discovered a new Linux malware called Lightning Framework (Lightning). It is a modular framework able to install multiple types of rootkits and to run various plugins. Lightning has passive and active capabilities for communication with the threat actor, including opening up an SSH service via an OpenSSH daemon, and a polymorphic command and control (C2) configuration. Lightning is a newly discovered threat, and there is no information about its use in the wild or the actors behind it. Analyst Comment: Defenders should block known Lightning indicators. Monitor for file creation based on the Lightning naming convention.
MITRE ATT&CK: [MITRE ATT&CK] Logon Scripts - T1037 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] Network Sniffing - T1040 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 Tags: Lightning Framework, Linux, Lightning.Downloader, Lightning.Core, Typosquatting, Masquerading, Timestomping, Port:33229 Google Ads Lead to Major Malvertising Campaign (published: July 20, 2022) Malwarebytes researchers discovered a malvertising campaign abusing Google Search advertisements for popular keywords such as “amazon,” “fac Malware Tool Threat Guideline APT 29
Anomali.webp 2022-07-19 15:10:00 Anomali Cyber Watch: H0lyGh0st Ransomware Earns for North Korea, OT Unlocking Tools Drop Sality, Switch-Case-Oriented Programming for ChromeLoader, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, DDoS, North Korea, Obfuscation, Phishing, Ransomware, Russia, Trojans, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Digium Phones Under Attack: Insight Into the Web Shell Implant (published: July 15, 2022) Palo Alto Unit42 researchers have uncovered a large-scale campaign targeting Elastix VoIP telephony servers used in Digium phones. The attackers were exploiting CVE-2021-45461, a remote code execution (RCE) vulnerability in the Rest Phone Apps (restapps) module. The attackers used a two-stage malware: an initial dropper shell script installed the PHP web shell backdoor. The malware achieves polymorphism through binary padding by implanting a random junk string into each malware download. This polymorphism allowed Unit42 to detect more than 500,000 unique malware samples from late December 2021 till the end of March 2022. The attackers use multilayer obfuscation, scheduled tasks, and new user creation for persistence. Analyst Comment: Potentially affected FreePBX users should update their restapps (the fixed versions are 15.0.20 and 16.0.19, or newer). New polymorphic threats require a defense-in-depth strategy including malware sandbox detection and orchestrating multiple security appliances and applications.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 Tags: CVE-2021-45461, Digium Asterisk, PHP Web Shell, Binary padding, Rest Phone Apps, restapps, FreePBX, Elastix North Korean Threat Actor Targets Small and Midsize Businesses with H0lyGh0st Ransomware (published: July 14, 2022) Microsoft researchers have linked an emerging ransomware group, H0lyGh0st Ransomware (DEV-0530) to financially-motivated North Korean state-sponsored actors. In June-October 2021, H0lyGh0st used SiennaPurple ransomware family payloads written in C++, then switched to variants of the SiennaBlue ransomware family written in Go. Microsoft detected several successfully compromised small-to-mid-sized businesses, including banks, event and meeting planning companies, manufacturing organizations, and schools. Analyst Comment: Small-to-mid-sized businesses should consider enforcing multi-factor authentication (MFA) on all accounts, cloud hardening, and regular deployment of updates with Active Directory being the top priority. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Scheduled Task - T1053 | Ransomware Malware Tool Vulnerability Threat Guideline
Anomali.webp 2022-07-14 10:04:00 Key Research Findings of the ESG Report: SOC Modernization and the Role of XDR (direct link) If you attended the RSA conference, you were sure to notice that the conversation around Extended Detection and Response (XDR) continues to gain momentum. Security teams are still struggling with multiple challenges and overcoming obstacles threatening their security posture. As IT environments become increasingly dispersed, Security Operations Centers (SOC) are dealing with an ever-increasing barrage of advanced threats and malicious activity. This creates multiple challenges that security analysts deal with daily, including: Securing a Remote Workforce An expanding attack surface due to digital transformation Cybersecurity skills shortage New Security Vulnerabilities Securing Cloud Applications Multiple Tools Increasing Security Complexity Anomali sponsored new research from ESG to understand the role XDR solutions play in the modern SOC. The study found that enterprise organizations increasingly turn to extended detection and response (XDR) solutions to help defend their growing attack surface against today’s modern threats. What is Extended Detection and Response? Extended detection and response (XDR) helps provide increased visibility and actionable insights across networks, clouds, endpoints, and applications to help Security Operations Center (SOC) teams detect, investigate, and remediate threats. XDR solutions offer advanced threat detection capabilities by ingesting security telemetry from all security products installed in an environment to create a unified detection and response platform. This enables security operations teams to automate routine tasks, prioritize their investigations and response capabilities, and focus on what’s most critical. What Were the Key Findings? The ESG report dove into multiple areas around XDR to uncover its role and how it can help SOC operations. Here are some of the key findings: 1.
Security Operations Remains Challenging: Security operations have become increasingly difficult due to the growing attack surface, a dangerous threat landscape, and the increasing use of cloud computing. 2. Security Professionals Want More Data and Better Detection Rules: Security teams struggle to surface relevant threats from the massive amount of security data they collect, and they need better detection rules to do so. 3. SecOps Process Automation Investments Are Proving Valuable to Organizations: Investments in automation are paying off, helping to increase efficiency and productivity. 4. The MITRE ATT&CK Framework is Proving Valuable for Most Organizations: The MITRE ATT&CK Framework is used by most security operations teams for multiple use cases, including understanding the tactics, techniques, and procedures of threat actors. 5. XDR Momentum Continues to Build: While everyone is still trying to understand what XDR is, the investment in support of advanced threat detection is significant. 6. Managed Detection and Response (MDR) is Mainstream and Expanding: Organizations are increasingly turning to managed service providers to deal with the lack of skilled security resources they face today. There’s no denying the momentum and traction XDR solutions are gaining, as organizations look for a big data solution that helps them better detect and respond to threats. Anomali provides an intelligence-driven extended detection and response solution fueled by big data management, machine learning, and the world’s largest intelligence repository to stop breaches and attackers. Download the ESG research to learn how XDR is modernizing security operations. Or contact us to see how an intelligence-driven XDR solution can help your organization. Threat
Anomali.webp 2022-07-13 15:56:00 Tag Cyber interviews Anomali about Our Intelligence Driven Approach to XDR (lien direct) AN INTERVIEW WITH MARK ALBA, CHIEF PRODUCT OFFICER, ANOMALI and TAG CYBER The purpose of any extended detection and response platform is to support the translation of data collection into actionable prevention, detection and response. This objective benefits from an intelligence-driven emphasis where all-sourced threat intelligence is analyzed and correlated into proactive defensive actions that optimize returns on investment.  Anomali offers a commercial solution that consists of an intelligence-driven, cloud-native XDR solution for global enterprises. We wanted to learn more about how Anomali supports customer engagement by utilizing all-sourced telemetry to stop breaches and repel cyber threats.   TAG Cyber: What is meant exactly by XDR and how does it relate to threat intelligence? ANOMALI: An effective XDR solution is vendor agnostic and brings a proactive approach to threat detection and response. It easily integrates into existing environments to deliver visibility across all security telemetry—including endpoint, network, and cloud data—while applying analytics and automation to address today’s increasingly sophisticated threats. Our cloud-native open XDR platform provides increased visibility across an organization and its threat landscape to help quickly identify threats in real-time by automatically correlating all security telemetry against active threat intelligence to expose known and unknown threats. By correlating the world’s largest repository of global actor, technique, and indicator intelligence with our nearly infinite detection capabilities, we can deliver a one-of-a-kind extended detection and response solution that continuously detects threats and prevents attacks before they happen.   TAG Cyber: How does The Anomali Platform work? 
ANOMALI: Anchored by big data management and refined by artificial intelligence, our platform is made up of three key components that work together to gather security data from any telemetry source. We then correlate it with our global repository of threat intelligence to deliver high-performance threat detection. First, there is our ThreatStream Intelligence Management system that automates the collection and processing of raw data, transforming it into actionable threat intelligence for security teams. Next is Anomali Lens, a powerful natural language processing engine that helps operationalize threat intelligence and empower analysts with real-time context to inform their organization and accelerate decision making. Finally, there is Anomali Match, which provides precision threat detection to help a SOC identify and respond to threats in real-time by automatically correlating all security telemetry against active threat intelligence, thereby quickly and effectively stopping breaches and attackers. Our platform’s suite of components empowers security operations teams by detecting threats with precision, optimizing response and achieving resiliency. Our SaaS-based solutions easily integrate into existing security tech stacks through native-cloud, multi-cloud, on-premises and hybrid deployments to solve security use cases that aren’t addressed by any other solutions on the market. TAG Cyber: How does your solution support incident response? ANOMALI: Our platform helps reduce false positives, enabling analysts to cut through the noise by only analyzing, validating and responding to relevant threats. We deliver an increased understanding of the attacker, as well as its techniques and tools, to enable an optimized response. In addition, analysts and incident responders can investigate via an integrated workbench to increase security-analyst productivity Threat
Anomali.webp 2022-07-11 22:59:00 Anomali Cyber Watch: Brute Ratel C4 Framework Abused to Avoid Detection, OrBit Kernel Malware Patches Linux Loader, Hive Ransomware Gets Rewritten, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, India, Malspam, Ransomware, Russia, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs (published: July 7, 2022) SentinelLabs researchers detected yet another China-sponsored threat group targeting Russia with a cyberespionage campaign. The attacks start with a spearphishing email containing Microsoft Office maldocs built with the Royal Road malicious document builder. These maldocs dropped the Bisonal backdoor, a remote access trojan (RAT). Besides targeting Russian organizations, the same attackers continue to target other countries such as Pakistan. This China-sponsored activity is attributed with medium confidence to Tonto Team (CactusPete, Earth Akhlut). Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts. 
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 Tags: China, source-country:CN, Russia, target-country:RU, Ukraine, Pakistan, target-country:PK, Bisonal RAT, Tonto Team, APT, CactusPete, Earth Akhlut, Royal Road, 8.t builder, CVE-2018-0798 OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow (published: July 6, 2022) Intezer researchers described a new Linux malware dubbed OrBit that was fully undetected at the time of discovery. The malware hooks library functions and injects itself into all running processes, but unlike previously described Linux threats it does not rely on the LD_PRELOAD environment variable. Instead it achieves persistence by adding its own path to /etc/ld.so.preload and by patching the binary of the dynamic loader itself so that the loader loads the malicious shared object. OrBit establishes SSH connections, then stages and exfiltrates stolen credentials. It evades detection by hooking the functions that list running processes or network connections and filtering their output, so tools that depend on those functions never see the implant. Analyst Comment: Defenders are advised to use network telemetry to detect anomalous SSH traffic associated with OrBit exfiltration attempts. Consider network segmentation, storing sensitive data offline, and deploying security solutions as statically linked executables: a static binary never runs the dynamic loader, so neither /etc/ld.so.preload nor a patched loader can inject the hooks into it. MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 | Ransomware Malware Tool Vulnerability Threat Patching APT 29
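The last recommendation in that analyst comment is also the basis of a practical host check, shown here as an added example (not Intezer's tooling and not code from the page). Go's os.ReadDir on Linux issues the getdents64 system call itself instead of calling libc's readdir, and building with CGO_ENABLED=0 makes the binary fully static, so the loader, /etc/ld.so.preload and any patched ld.so never touch it. The program lists every entry in /etc/ld.so.preload and then diffs the PIDs it sees in /proc against the PIDs reported by ps, which is dynamically linked and therefore subject to a readdir hook. The library path and PID values used in the test input are constructed placeholders, not OrBit indicators.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"sort"
	"strconv"
	"strings"
)

// ParsePreload returns the library paths listed in an /etc/ld.so.preload
// file. The loader accepts entries separated by whitespace or colons and
// skips blank lines and comments. A clean host normally has no such file,
// so any entry at all deserves a look.
func ParsePreload(content string) []string {
	var entries []string
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		sep := func(r rune) bool { return r == ' ' || r == '\t' || r == ':' }
		entries = append(entries, strings.FieldsFunc(line, sep)...)
	}
	return entries
}

// ParsePIDs keeps the purely numeric names from a list of strings, which
// covers both /proc directory entries and the lines of `ps -eo pid=`.
func ParsePIDs(names []string) []int {
	var pids []int
	for _, n := range names {
		if p, err := strconv.Atoi(strings.TrimSpace(n)); err == nil && p > 0 {
			pids = append(pids, p)
		}
	}
	sort.Ints(pids)
	return pids
}

// HiddenPIDs returns the PIDs present in /proc but absent from what a
// libc-based tool reported. With a readdir hook in place the difference is
// exactly the set of processes the implant is hiding.
func HiddenPIDs(procPIDs, reportedPIDs []int) []int {
	seen := make(map[int]bool, len(reportedPIDs))
	for _, p := range reportedPIDs {
		seen[p] = true
	}
	hidden := []int{}
	for _, p := range procPIDs {
		if !seen[p] {
			hidden = append(hidden, p)
		}
	}
	return hidden
}

func main() {
	// Build with: CGO_ENABLED=0 go build. The binary is static and
	// os.ReadDir issues getdents64 itself rather than calling libc's
	// readdir, so a userland hook has nothing to intercept.
	if data, err := os.ReadFile("/etc/ld.so.preload"); err == nil {
		for _, e := range ParsePreload(string(data)) {
			fmt.Println("ld.so.preload entry:", e)
		}
	}
	ents, err := os.ReadDir("/proc")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	names := make([]string, 0, len(ents))
	for _, e := range ents {
		names = append(names, e.Name())
	}
	// ps is dynamically linked and therefore sees only what the hook allows.
	out, err := exec.Command("ps", "-eo", "pid=").Output()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	hidden := HiddenPIDs(ParsePIDs(names), ParsePIDs(strings.Split(string(out), "\n")))
	// Processes that exit between the two snapshots show up here as noise;
	// a PID that is still hidden on a second run is the real signal.
	for _, p := range hidden {
		fmt.Println("PID in /proc but missing from ps output:", p)
	}
}
```

Two caveats when running it: short-lived processes that exit between the /proc read and the ps call will appear as false positives, so only a PID that stays hidden across consecutive runs is meaningful; and because OrBit also patches the loader binary, an empty /etc/ld.so.preload is not a clean bill of health, so the loader should additionally be verified against the package manager's recorded checksums (for example rpm -V or debsums).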
Anomali.webp 2022-07-11 19:19:00 The Evolution of Anomali: How Anomali\'s ThreatStream has evolved into delivering a differentiated approach to XDR (lien direct) As a cybersecurity innovator, Anomali’s founder, Hugh Njemanze, looks at an unsolved problem through the combined lens of technical, business and end user requirements. When he founded Anomali, then called ThreatStream, he saw a critical need to make threat intelligence relevant and ultimately actionable. Hugh has continued to apply his entrepreneurial approach, now delivering a big data solution that helps security teams quickly understand threats, determine the impact, and respond quickly to solve for the extended detection and response needs of the business. Hugh recently joined Mitch Ashley at RSA 2022 to discuss Anomali’s intelligence-driven extended detection and response (XDR) cybersecurity solutions. Listen as Hugh discusses how the early days of SIEMs and Anomali’s ThreatStream have culminated in an offering that is now focused on delivering a differentiated approach to XDR. You’ll hear more about: Why threat intelligence is a key component of an in-depth security program Why organizations need to gain a better understanding of what adversaries are doing and their intent Hugh’s thoughts on what XDR is and should be How XDR breaks down silos and ties information about attacks and attackers together Before XDR was XDR, we were extending the ability to collect and manage unlimited levels of threat data, making it available for investigations, enabling internal threat detection by matching it against all telemetry, and ultimately helping to power faster response by operationalizing intelligence across security infrastructures. 
Hugh Njemanze. Today, anchored by big data management and refined by artificial intelligence, The Anomali Platform, a differentiated XDR solution, delivers unique proprietary capabilities that correlate the largest repository of global intelligence with telemetry from customer-deployed security solutions. This combination empowers security operations teams to detect threats with precision, optimize response, achieve resiliency and ultimately stop attackers and breaches. Listen to the interview and read Hugh’s blog to learn more. Threat
Anomali.webp 2022-07-06 15:01:00 Anomali Cyber Watch: Russian KillNet DDoSed Lithuania, Building Automation Systems Targeted to Install ShadowPad, China-Sponsored Group Jumps from Home Routers to Connected Machines, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, DDoS, Industrial Control Systems, Phishing, Russia, Toll fraud, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Toll Fraud Malware: How an Android Application Can Drain Your Wallet (published: June 30, 2022) Toll fraud malware (a subcategory of billing fraud) subscribes users to premium services without their knowledge or consent. It is one of the most prevalent types of Android malware, accounting for 35% of installed harmful applications from the Google Play Store in the first quarter of 2022. Microsoft researchers describe the evolution of the techniques toll fraud malware uses to abuse Wireless Application Protocol (WAP) billing. Toll fraud malware can intercept one-time passwords (OTPs) over multiple protocols (HTTP, SMS, or USSD). It suppresses notifications and uses dynamic code loading to hide its malicious activities. Analyst Comment: Mobile applications should only be downloaded from official trusted locations such as the Google Play Store. Users should be mindful when granting unusual, powerful permissions such as SMS permissions, notification listener access, or accessibility access. Replace older Android phones if they no longer receive updates. 
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 Tags: Toll fraud, Android, Billing fraud, Wireless Application Protocol, WAP billing ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks (published: June 28, 2022) Black Lotus Labs discovered a China-sponsored, years-long campaign that exploits small office/home office (SOHO) routers for initial access. When exploiting Ruckus JCG-Q20 routers in Hong Kong, the attackers used CVE-2020-26878 and CVE-2020-26879. Other exploits are yet to be uncovered; the most targeted devices are from ASUS, Cisco, DrayTek and NETGEAR, mostly in Canada, the UK, and the US. The attackers installed a heavily modified version of the Mirai botnet malware dubbed ZuoRAT. ZuoRAT collects information on target networks, captures traffic (credentials passed in the clear, browsing activity) and hijacks network communication. The attackers then move laterally, targeting Windows and other machines on the same network and installing one of three agents: Cobalt Strike, CBeacon, or GoBeacon. Analyst Comment: SOHO router users should regularly reboot routers and install security updates: a reboot clears an implant that lives only in memory, while the update closes the vulnerability it came in through. Businesses should ensure robust detection on network-based communications. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Component Object Model Hijacking - T1122 Malware Tool Vulnerability Threat
Anomali.webp 2022-07-05 15:38:00 Increased Microsoft Sentinel benefits Using Anomali ThreatStream (lien direct) This blog was co-written by Richard Phillips, Product Manager at Anomali and Rijuta Kapoor, Microsoft. Microsoft Sentinel is a cloud-native SIEM that offers various options to import threat intelligence data and use them for hunting, investigation, analytics etc. Some of the ways to import rich threat intelligence data into Microsoft Sentinel include the Threat Intelligence - TAXII data connector and the Threat Intelligence Platforms (TIP) connector. Microsoft Sentinel was one of the early adopters of STIX/TAXII as the preferred way to import threat intelligence data. The Microsoft Sentinel “Threat Intelligence - TAXII” connector uses the TAXII protocol for sharing data in STIX format. This data connector supports pulling data from TAXII 2.0 and 2.1 servers. The Threat Intelligence – TAXII data connector is essentially a built-in TAXII client in Microsoft Sentinel to import threat intelligence from TAXII 2.x servers. Anomali ThreatStream offered integrations with Microsoft Sentinel in the past using the ThreatStream integrator and leveraging the power of the Graph Security API and TIP data connector of Microsoft Sentinel. Today we are announcing our integration with Anomali ThreatStream, which allows you to get threat intelligence data from Anomali ThreatStream into Microsoft Sentinel using the Threat Intelligence – TAXII Data Connector. Microsoft Sentinel benefits with Anomali ThreatStream Anomali ThreatStream is a threat intelligence management solution that allows you to automate data collection from hundreds of threat sources, including commercial vendors, OSINT, ISACs, and more, to operationalize threat intelligence at scale. Utilizing Anomali Macula, our built-in proprietary machine learning engine, intelligence is aggregated, scored, and categorized for real-time intelligence distribution to security controls across your entire security ecosystem. 
Users can choose between configuring integrations to send only high-confidence, high-severity observables, or observables associated with known threat actors, active malware campaigns, or a number of other Threat Models. Pushing these filtered, prioritized observables to Sentinel via TAXII enables you to proactively correlate events within your network against high-fidelity intelligence to identify threats against your organization. Connecting Microsoft Sentinel to the Anomali ThreatStream TAXII Server To connect Microsoft Sentinel to Anomali ThreatStream’s TAXII server, obtain the API Root, Collection ID, Username and Password from Anomali. ThreatStream allows you to configure Saved Searches against your observable set, and these are automatically exposed as TAXII collections for consumption by TAXII clients. Once you’ve configured a saved search, navigate to the Manage Observable Searches page and note the ID of the desired search. You can then use the following details to configure the TAXII data connector: API Root: https://api.threatstream.com/api/v1/taxii21/search_filters/ Collection ID: the ID of the saved search noted above Username & Password: the ThreatStream username and password of the user who configured the saved search (a dedicated account rather than an analyst’s personal login is preferable, since these credentials are stored in the connector configuration). For more details on how to configure the TAXII data connector in Microsoft Sentinel, please refer to the following documentation. Put Anomali ThreatStream to use with Microsoft Sentinel Once the threat intelligence from Anomali ThreatStream is imported into Microsoft Sentinel, you can use it for matching against log sources. This can be done using the out-of-the-box analytic rules in Microsoft Sentinel. These c Malware Threat
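What the Sentinel TAXII data connector does with those three values can be reproduced in a few dozen lines, which is useful for checking the API Root, Collection ID and credentials before configuring the connector. The Go program below is an added example (not code from Anomali, Microsoft or the page): it builds the TAXII 2.1 collection objects endpoint from the API Root and Collection ID, presents the username and password as HTTP basic authentication (assumed here; the page does not say how the connector sends them), sends the TAXII 2.1 Accept header, and follows the envelope's more/next paging cursor until the collection is exhausted, keeping only STIX indicator objects. The embedded sample envelope, its object IDs and indicator values are constructed placeholders; the TAXII_USER and TAXII_PASS environment variables and the collection ID 12345 are names chosen for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// Envelope is the body a TAXII 2.1 server returns for GET {api_root}/collections/{id}/objects/.
type Envelope struct {
	More    bool              `json:"more"`
	Next    string            `json:"next"`
	Objects []json.RawMessage `json:"objects"`
}

type Indicator struct {
	Type    string `json:"type"`
	ID      string `json:"id"`
	Pattern string `json:"pattern"`
}

// SampleEnvelope is a constructed response used when no server is given; IDs and values are placeholders, not ThreatStream data.
const SampleEnvelope = `{"more": true, "next": "2", "objects": [
 {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
 {"type": "malware", "id": "malware--22222222-2222-4222-8222-222222222222", "name": "placeholder"}, {"type": "indicator", "id": "indicator--33333333-3333-4333-8333-333333333333", "pattern": "[domain-name:value = 'c2.example']"}]}`

// ObjectsURL builds the objects endpoint from the API Root and Collection ID the connector asks for; next is the paging cursor.
func ObjectsURL(apiRoot, collectionID, next string) string {
	u := strings.TrimRight(apiRoot, "/") + "/collections/" + url.PathEscape(collectionID) + "/objects/"
	if next != "" {
		u += "?next=" + url.QueryEscape(next)
	}
	return u
}

// ExtractIndicators decodes one envelope and keeps only indicator objects that carry a pattern.
func ExtractIndicators(r io.Reader) ([]Indicator, Envelope, error) {
	var env Envelope
	if err := json.NewDecoder(r).Decode(&env); err != nil {
		return nil, env, err
	}
	var out []Indicator
	for _, raw := range env.Objects {
		var ind Indicator
		if json.Unmarshal(raw, &ind) == nil && ind.Type == "indicator" && ind.Pattern != "" {
			out = append(out, ind)
		}
	}
	return out, env, nil
}

// PullCollection pages through a collection with HTTP basic auth (the connector's username/password) until more is false.
func PullCollection(client *http.Client, apiRoot, collectionID, user, pass string) ([]Indicator, error) {
	var all []Indicator
	for next := ""; ; {
		req, err := http.NewRequest("GET", ObjectsURL(apiRoot, collectionID, next), nil)
		if err != nil {
			return nil, err
		}
		req.SetBasicAuth(user, pass)
		req.Header.Set("Accept", "application/taxii+json;version=2.1")
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		if resp.StatusCode != http.StatusOK {
			resp.Body.Close()
			return nil, fmt.Errorf("TAXII server returned %s", resp.Status)
		}
		inds, env, err := ExtractIndicators(resp.Body)
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		all = append(all, inds...)
		if !env.More || env.Next == "" {
			return all, nil
		}
		next = env.Next
	}
}

func main() {
	inds, _, err := ExtractIndicators(strings.NewReader(SampleEnvelope))
	if len(os.Args) == 3 { // taxiipull <api_root> <collection_id>, credentials in TAXII_USER / TAXII_PASS
		inds, err = PullCollection(http.DefaultClient, os.Args[1], os.Args[2], os.Getenv("TAXII_USER"), os.Getenv("TAXII_PASS"))
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, ind := range inds {
		fmt.Println(ind.ID, ind.Pattern)
	}
}
```

A 401 from this program means the connector will fail for the same reason; an empty result with no error usually means the saved search matches nothing yet, which is worth confirming in ThreatStream before assuming the connector is broken.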
Anomali.webp 2022-06-30 10:00:00 Dealing with the Cybersecurity Challenges of Digital Transformation (lien direct) We’re back after a little hiatus with this week’s blog in the series in which I explore the “Top 10 List of the Challenges Cybersecurity Professionals Face,” as found in our Cybersecurity Insights Report 2022: The State of Cyber Resilience. Coming in at number two on our list: Dealing with the speed and complexity of digital transformation. During the COVID-19 crisis, digital transformation became even more critical. In economic terms, digital transformation means integrating digital technologies into every aspect of a business, resulting in fundamental changes to how companies operate and provide value to their customers. Technology has changed from supporting business processes to becoming integral to a company’s customer value proposition. A study by McKinsey found that companies accelerated their digital transformation efforts by three to seven years within just months, fearing that they would lose their competitive advantage and be left behind by competitors already ahead. Organizations need to rethink what they mean when saying “digital transformation.” It’s not just about making your website responsive, adding digital capabilities, or creating a mobile app for your business. It’s about changing your mindset when thinking about your customers, empowering your staff, and powering business. And ensuring your security program can adapt to that mindset to ensure the security of your enterprise. Digital Transformation Increases Cyber Risk Security teams continue to face unique challenges daily. Their organization’s digital transformation initiatives continue to increase complexity, expanding the attack surface with a distributed infrastructure. Because of this, cybersecurity postures should be updated and adjusted to support transformation goals and defend against this new level of complexity. 
In addition to the ever-changing threat landscape, security teams face more concerns due to a more distributed workforce. They also need to evaluate the risks associated with a growing number of connected devices and the disappearing perimeter. The increased adoption of cloud infrastructure also poses unique challenges to organizations, forcing them to transform their security posture to protect against cloud infrastructure vulnerabilities. Securing a Remote Work Force Remote work is here to stay and will only increase. Global Workplace Analytics calculates that 22% of the workforce (i.e., 36.2 million Americans) will work remotely by 2025. The significant uptick in remote work setups and digital business is pushing organizations to provide secure access no matter where their users, applications, or devices are located. To provide the level of security necessary to protect the variety of new systems implemented, many enterprises are shifting to more cloud-friendly and behavior-based security approaches. New Challenges and Security Vulnerabilities As mentioned above, studies show that a large portion of those working from home will likely stay that way for the long term. Corporate leaders attempting to coax employees back to the office have broadly accepted the inevitability of the hybrid work model. To ensure their defensive measures remain in place and to maintain business as usual safely, it’s critical for IT teams to develop strategic plans to safeguard employees, facilities, data, Tool Threat Studies Guideline
Anomali.webp 2022-06-28 19:11:00 Anomali Cyber Watch: API Hammering Confuses Sandboxes, Pirate Panda Wrote in Nim, Magecart Obfuscates Variable Names, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: API hammering, APT, China, Phishing, Ransomware, Russia, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Lockbit Ransomware Disguised as Copyright Claim E-mail Being Distributed (published: June 24, 2022) ASEC researchers have released their analysis of a recent phishing campaign, active since February 2022. The campaign aims to infect users with Lockbit ransomware, using the pretense of a copyright claim as the phishing lure. The phishing email directs the recipient to open the attached zip file, which supposedly contains a PDF of the infringed material. In reality, the “PDF” is a disguised NSIS executable which downloads and installs Lockbit; its file header (an MZ executable rather than %PDF) gives it away to anyone who inspects the attachment rather than opening it. The ransomware is installed onto the desktop for persistence across a desktop change or reboot. Prior to data encryption, Lockbit deletes the volume shadow copies to prevent data recovery, in addition to terminating a variety of services and processes to avoid detection. Analyst Comment: Never click on suspicious attachments or run any executables from suspicious emails. Copyright infringement emails are a common phishing lure. Such emails will be straightforward to rectify if legitimate; if a copyright email is attempting to coerce you into opening attachments, treat it with extreme caution. 
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 Tags: malware:Phishing, malware:Lockbit, Lockbit, Copyright, Ransomware There is More Than One Way To Sleep: Deep Dive into the Implementations of API Hammering by Various Malware Families (published: June 24, 2022) Researchers at Palo Alto Networks have released their analysis of new BazarLoader and Zloader samples that use API hammering to evade sandbox detection. API hammering makes a large volume of benign Windows API calls to delay execution of the malicious code, so that a sandbox with a bounded analysis window concludes the sample is benign before anything malicious runs. Whilst BazarLoader has used the technique in the past, this new variant builds its large loops of benign API calls through a new implementation: encoded registry keys embedded in the malware are used for the calls, and the loop count is derived from the offset of the first null byte in the first file of the System32 directory, so the count is not a fixed constant. Zloader uses a different form of API hammering to evade sandbox detection. Hardcoded within Zloader are four large functions, each made up of many smaller functions, and each makes an input/output (I/O) call to mimic the behavior of many legitimate processes. Analyst Comment: Defense in depth is the best defense against sophisticated malware. The Anomali Platform can assist in detecting malware, and Anomali Match can correlate anomalous activity from all telemetry sources to provide the complete picture of adversary activity within your network. MITRE ATT&CK: [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 Tags: malware:BazarLoad Ransomware Spam Malware Tool Vulnerability Threat APT 28 APT 23
Anomali.webp 2022-06-23 12:00:00 Anomali Launches Differentiated Cloud-Native XDR SaaS Solution with Support from AWS SaaS Factory (lien direct) Click here for more information on AWS Partner Network blog. By Ranjith Raman, Sr. Partner Solutions Architect – AWS By Oded Rosenmann, Global Practice Lead, SaaS Partners – AWS Organizations are increasingly looking for new ways to defend themselves against cyber threats, fraud, and ransomware attacks. Many enterprises and government agencies turn to cyber security solutions that provide efficient and effective detection and response capabilities to proactively prevent attackers from breaching their networks and applications. To help organizations overcome these challenges, Anomali, a leader in intelligence-driven cybersecurity solutions, has recently launched its Cloud-Native extended detection and response (XDR) solution, The Anomali Platform. Building upon its leadership position in the cyber threat intelligence space, The Anomali Platform provides customers with a new dimension of security visibility across all log telemetry from endpoints to the cloud. The Anomali Platform provides precision detection and optimized response capabilities that extend across their entire security infrastructure. With the support of AWS SaaS Factory, Anomali has built the Anomali Cloud-Native XDR offering as a software-as-a-service (SaaS) solution that helps improve organizational efficiencies, providing security teams with the tools and insights needed to detect relevant threats, make informed decisions, and respond effectively. “The AWS SaaS Factory team was instrumental in helping us identify appropriate service options aligned with our enterprise customer requirements. 
Working with the team, we saved months of engineering efforts to build a powerful platform that meets our current needs and allows us to scale.” Mark Alba, Chief Product Officer, Anomali The cloud-native XDR solution is fueled by big data management, machine learning, and the world’s largest repository of global intelligence. With the new SaaS model, The Anomali Platform can be easily integrated with existing security infrastructures, enabling CIOs, CISOs, and other business leaders to optimize their overall security investments and create more efficient and effective detection and response programs that proactively address advanced cyber threats. The SaaS Factory team spoke with Mark Alba, Chief Product Officer at Anomali, to learn more about Anomali Cloud-Native XDR SaaS, the value its new solution brings to customers, and the key lessons learned from the journey to SaaS on AWS. Check out the new Anomali Cloud-Native XDR SaaS solution >> Q&A with Anomali AWS SaaS Factory: Mark, thank you for taking the time to speak with us today. Could you share a bit about your background and role at Anomali? Mark Alba: My name is Mark Alba, and I’m the Chief Product Officer at Anomali. I’ve been with Anomali since April 2020 and am responsible for product management, user experience, threat research, and technology incubator functions. My background includes over 20 years of experience building, managing, and marketing disruptive products and services. I brought to market the security industry’s first fully-integrated applian Ransomware Tool Threat Guideline
Anomali.webp 2022-06-22 13:00:00 RSA 2022: Cyber Attacks Continue to Come in Ever-Shifting Waves (lien direct) Supply chains, trust, and the Internet itself remain prime targets. When Russia launched wide-ranging cyber-attacks while its army invaded Ukraine, it also deployed waves of wiper malware to destroy data. The first wave targeted the data on the disks. As Ukraine fortified its defenses in that area, the second wave left the data on the disks alone and went after the metadata. The third wave bypassed the two previous targets and attacked the file systems. As depicted in global news and during sessions of the RSA conference, this was a very methodical and effective approach designed to inflict the maximum amount of damage, and it reflects the methodical, often relentless, attack approaches shaping the threat landscape. In particular, as organizations fortify their defenses, adversaries will continue to focus on trust to gain access, using your partners, your vendors, and your employees against you. What does this mean for enterprise users? As we discussed in our previous post on cyber threats, organizations must find new and novel defenses against adversaries who increasingly shift tactics. As adversaries become more nuanced, we must understand their moves and motivations to try to get one step ahead of them. Let’s Recap: Several high-profile security incidents in the recent past together grimly encapsulate the myriad challenges companies now face. NotPetya, the most expensive cyber incident in history, demonstrated how attackers masquerade their efforts. NotPetya targeted a tax software company in Ukraine in 2017. At first, the effort appeared to be ransomware. However, its intent was purely destructive, as it was designed to inflict damage as quickly and effectively as possible. The CCleaner attack, a few months later, demonstrated how complex and patient actors focused on IP-level threats had become. 
The targets were system administration tools that, if compromised, already had an elevated level of access. CCleaner showed that not all software supply chain attacks are created equal: the impact depends on the level of access of the systems and users that are compromised. Some 3 million copies of the compromised CCleaner software were downloaded, yet only 50 of the infected systems received additional payloads. This was an adversary willing to compromise more than 3 million systems just to get a foothold into 50, which gives a clear idea of the challenge enterprises face from these sophisticated actors. Attackers are also being more flagrant while doing a better job of covering their tracks. In the past, nation states focused on covert activities. Olympic Destroyer, which targeted the 2018 Olympics in South Korea, showed how attacks are now being brought into the public eye. False flags, tactics applied to deceive or misguide attribution attempts, were also built into Olympic Destroyer: six months after the attack, it had been attributed to multiple different nations, because such care had been taken to throw off attribution. More recently, VPNFilter and Cyclops Blink demonstrated how adversaries are targeting different types of equipment. While attacks historically focused on office equipment, these incidents shifted to home routers, in tandem with the increase in remote work. At home, people often use combination modem routers, and these devices challenge detection capabilities. A foothold in a home router also allows actors to analyze all traffic moving in and out of the network, and such an attack is incredibly difficult to detect. You have to treat a home Wi-Fi like the public Wi-Fi at a coffee shop. Threat actors are targeting the foundational infrastructure of the internet as well. Sea T Malware Tool Threat NotPetya
Anomali.webp 2022-06-21 18:28:00 Cyber Threats Are as Bad as You Imagine, But Different Than You May Think (lien direct) The Global Threat Landscape is Novel and Requires a Novel Response From Russia to China to South Korea, the global threat landscape continues to mature, often confounding the assumptions of those who must defend against the attacks. Novel techniques are the norm, such as criminals posing as job seekers to infiltrate networks or attacking non-obvious networks. This results in attacks that are harder to predict, adversaries that are harder to detect, and breaches that are harder to address. Harder, but not impossible. While we are certainly living in a more dangerous cyber age, we also find ourselves at a point of inflection. XDR is a significant evolution, and we believe that adversary detection and response (ADR) is not far behind, particularly with more collaboration between the public and private sectors.  Perhaps most importantly, we are getting closer and closer to realizing the full promise of Big Data in a cybersecurity context. At Anomali, much of our energy is put towards closing that gap. We believe it is the key to unlocking adversary defense as a truly viable and scalable approach to securing companies and people. At the RSA Conference 2022, cyber threat experts gave attendees a virtual trip around the world during a panel presentation examining threat actor activity from both nation-states and criminal groups. The panelists revealed the latest global threat activity, as well as the best strategies to thwart increasingly sophisticated attacks. They detailed adversary behavior that should both concern and energize us, and we share it here in the hopes of generating energy amongst our community, our partners, our customers, and all those who see an understanding of adversary behavior as a critical mission. 
Attacks Go Beyond Traditional Platforms China, while not as flashy and flamboyant as Russia, is reshaping the cyber threat landscape as well. Its attacks are moving beyond traditional platforms such as Microsoft and Linux malware to esoteric systems, like Huawei routers and Solaris implants. As panelists noted, the attack surface is shifting, widening, and morphing in many different ways. For example, China exploited a vulnerability in software that tracks diseases in cattle to gain a foothold into 18 state and local governments in the U.S. that use the software. Often, threat actors can exploit vulnerabilities within hours. The implication, according to the panel? Defenders must look beyond traditional assets and accelerate the patching of critical systems. It’s no longer a matter of simply patching every so often. Instead, it’s imperative to have hard conversations with the business about downtime and schedule patching regularly. Ransomware as Harassment Iran has become an innovator in government-backed ransomware. Iranian attackers are becoming more patient, sometimes having 10 interactions with a victim before doing anything malicious. The panelists referred to them as “big-game hunters at scale,” and I couldn’t agree more. We’re not talking about just targeting one system within the network to lock it up. This is a network-wide ransomware endeavor to get as much ransom as possible. Add to this the practice of leaking data to harass organizations. Cyber Criminals are Posing as Job Seekers North Korea, whose cyber activities have been mostly on hold during the pandemic, is returning in a vengeful – and creative – way. Among the newest developments: a focus on cryptocurrency schemes. Panelists recounted examples of stolen crypto wallets. If one doesn’t store cryptocurrency offline, they will likely lose al Ransomware Malware Vulnerability Threat Patching
Anomali.webp 2022-06-21 15:03:00 Anomali Cyber Watch: GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool, DragonForce Malaysia OpsPatuk / OpsIndia and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT35, CrescentImp, Follina, Gallium, Phosphorous, and Sandworm. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Update: The Phish Goes On - 5 Million Stolen Credentials and Counting (published: June 16, 2022) PIXM researchers describe an ongoing, large-scale Facebook phishing campaign. Its primary targets are Facebook Messenger mobile users, and an estimated five million users have lost their login credentials. The campaign evades Facebook anti-phishing protection by redirecting to a new page at a legitimate service such as amaze.co, famous.co, funnel-preview.com, or glitch.me. In June 2022, the campaign also employed the tactic of displaying legitimate shopping cart content on the final page for about two seconds before displaying the phishing content. The campaign is attributed to Colombian actor BenderCrack (Hackerasueldo), who monetizes it by displaying affiliate ads. Analyst Comment: Users should check which domain is asking for login credentials before providing them. Organizations can consider monitoring their employees' use of Facebook as a Single Sign-On (SSO) provider.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 Tags: Facebook, Phishing, Facebook Messenger, Social networks, Mobile, Android, iOS, Redirect, Colombia, source-country:CO, BenderCrack, Hackerasueldo F5 Labs Investigates MaliBot (published: June 15, 2022) F5 Labs researchers describe a novel Android trojan, dubbed MaliBot. Based on rewritten SOVA malware code, MaliBot maintains its background service by setting itself as the launcher. Its code contains unused evasion routines for detecting emulation environments and for setting the malware as a hidden app. MaliBot spreads via smishing, takes control of the device, and monetizes using overlays for certain Italian and Spanish banks, stealing cryptocurrency, and sometimes sending premium SMS to paid services. Analyst Comment: Users should be wary of following links in unexpected SMS messages. Avoid downloading apps from third-party websites. Be cautious when enabling accessibility options. MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] User Execution - T1204 Tags: MaliBot, Android, MFA bypass, SMS theft, Premium SMS, Smishing, Binance, Trust wallet, VNC, SOVA, Sality, Cryptocurrency, Financial, Italy, target-country:IT, Spain, target-country:ES Extortion Gang Ransoms Shoprite, Largest Supermarket Chain in Africa (published: June 15, 2022) On June 10, 2022, Africa's largest supermarket chain, Shoprite Holdings, which operates in twelve countries, announced a possible cybersecurity incident. The company notified customers in E Ransomware Malware Tool Vulnerability Threat Guideline Conference Yahoo APT 35
Anomali.webp 2022-06-14 15:15:00 Anomali Cyber Watch: Symbiote Linux Backdoor is Hard to Detect, Aoqin Dragon Comes through Fake Removable Devices, China-Sponsored Groups Proxy through Compromised Routers, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Hooking, Ransomware, Stealthiness, Vulnerabilities, and Web skimming. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat (published: June 9, 2022) Intezer and BlackBerry researchers described a new, previously unknown malware family dubbed Symbiote. It is a very stealthy Linux backdoor and credential stealer that has been targeting financial and other sectors in Brazil since November 2021. Symbiote is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD before any other SOs. It uses hardcoded lists to hide associated processes and files, and alters the way ldd displays the list of loaded SOs so that it removes itself from that list. Additionally, Symbiote uses three methods to hide its network traffic. For TCP, Symbiote hides traffic related to certain high-numbered ports and/or certain IP addresses using two techniques: (1) hooking fopen and fopen64 and returning scrubbed file content for /proc/net/tcp, which lists current TCP sockets, and (2) hooking extended Berkeley Packet Filter (eBPF) code to hide certain network traffic from packet capture tools. For UDP, Symbiote hooks two libpcap functions, filtering out packets containing certain domains and correcting the packet count.
All these evasion measures can lead to Symbiote remaining hidden during a live forensic investigation. Analyst Comment: Defenders are advised to use network telemetry to detect anomalous DNS requests associated with Symbiote exfiltration attempts. Security solutions could be deployed as statically linked executables so they don’t expose themselves to this kind of compromise by loading additional libraries. MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] Data Staged - T1074 Tags: Symbiote, target-region:Latin America, Brazil, target-country:BR, Financial, Linux, Berkeley Packet Filter, eBPF, LD_PRELOAD, Exfiltration over DNS, dnscat2 Alert (AA22-158A). People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices (published: June 8, 2022) Several US federal agencies issued a special Cybersecurity Advisory regarding China-sponsored activities concentrating on two aspects: compromise of unpatched network devices and threats to IT and telecom. Attackers compromise unpatched network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, to serve as “hop points” that obfuscate their China-based IP addresses in preparation for and during the next intrusion. Similarly, routers in IT and telecom companies are targeted for initial access by China-sponsored groups, this time using open-source router-specific software frameworks, RouterSploit and RouterScan. Analyst Comment: When planning your company Ransomware Malware Tool Vulnerability Threat Guideline CCleaner
Anomali.webp 2022-06-13 16:46:00 Malware Intelligence Dashboards (lien direct) Anomali Threat Research has released two Malware Intelligence-focused dashboards to assist cybersecurity and cyber threat intelligence professionals in organizing IOCs and strategic intelligence on relevant threats. These two dashboards are titled: Malware Intelligence - Ransomware Malware Intelligence - Remote Access Tools and Trojans Ransomware and remote access tools and trojans are malware types used by threat actors spanning all levels of sophistication, from cybercriminal to advanced persistent threat to nation-state. Ransomware threat actors continue to be highly active and generate significant amounts of illicit funds, and learning more about how these threat actors operate can assist in taking proactive measures against such attacks. Remote access tools are persistently abused by threat actors for malicious purposes. Knowing which tools the actors use and how they are used is one of numerous variables that matter when making cybersecurity decisions to protect against this malware type. These Malware Intelligence dashboards help amalgamate relevant information into a centralized location, providing crucial contextual information in addition to the most recent IOCs made available through the commercial and open-source threat feeds that users manage on ThreatStream. Dashboards in ThreatStream provide a quick, digestible and timely source of key metrics on threat intelligence indicators. In ThreatStream you can access a number of different dashboard types: standard dashboards available out of the box; themed dashboards developed by the Anomali Threat Research Team; custom dashboards defined by you; and specialized dashboards to support our Intelligence Initiatives or Lens+ specific data. From this month we greatly improve how an individual user can organize their dashboard views, enabling them to easily hide or show any dashboards available to them.
Users can show or hide any of the standard dashboards, as well as up to 10 other dashboards at any time. Management and ordering is now simplified so users can drag and drop visible dashboards to reorder them according to priority and preference. Key Capabilities Users can now granularly manage their dashboards from across their organization and supplementary sources Dashboards can be drawn from a library created by / visible to the user Users can show / hide any standard ThreatStream dashboards Users can develop up to 10 custom dashboards for display. Users will be able to drag and drop to edit the dashboard order and specify the user’s default dashboard (from April). Customers can still avail themselves of the Custom and ATR themed dashboards as previously Benefits Easy management of the rich set of dashboards available in ThreatStream Quickly and easily access the right insights at the right time, in the right display order Note: This screen now uses our new user interface design style - we hope you like it! Malware Intelligence - Ransomware Pulls OSINT and primary intelligence feeds related to ransomware samples, actors who use ransomware, and TTPs associated with known ransomware families, among others, and displays the data in 10 widgets. Observables, IOCs, and threat models related to ransomware. Malware Intelligence - Ransomware Dashboard Malware Intelligence - Remote Access Tools and Trojans Pulls OSINT and primary intelligence feeds related to remote access tool and trojan samples, actors who use these tools and trojans, and TTPs associated with known remote access tool and trojan families, among others, and displays the data in 10 widgets. Ransomware Malware Tool Threat
Anomali.webp 2022-06-10 16:59:00 RSA 2022: The Strategy Behind Using Critical Threat Intelligence Strategically (lien direct) Getting intel into the right hands – early and fast – is part of a new approach in adversary detection When one walks the floor of a major security trade show such as RSA 2022, it’s hardly a shock to find the concept of “intelligence” – or intel – as a consistent theme getting so much attention. But the topic is even more pressing at this year’s confab given the pickup in the intensity and sophistication of attacks. It’s also why some of the heavy hitters in the security world gathered at RSA to participate in a panel discussion centered around “Using Critical Threat Intelligence Strategically.” The discussion focused on the growing collaboration between the private and public sectors and how different applications of intelligence information are helping enterprises mitigate potential issues before they become incidents. The panelists extended kudos – rightfully – to the public and private bodies who helped bring about the formation of the Joint Cyber Defense Collaborative last year. This collaboration between federal agencies and the private sector, led by the Cybersecurity and Infrastructure Security Agency (CISA), marks an important advance in making the nation’s cyber defenses more robust through closer planning, preparation, and information sharing. Information sharing is part of Anomali’s DNA, particularly in our industry-centric communities where security professionals from around the world can engage safely, without fear of compromise. While this concept is still being developed and vetted with internal and external stakeholders, we are committed to a “rising tide” view of safety and security. During the panel discussion, an NSA panelist lauded the combination of experts and “in the trenches” knowledge to generate context around the data. The pairing of insight and human intel surely is all to the good.
For example, the CISA panelist marked the JCDC’s response to Log4j as a significant milestone in private-public collaboration. In addition to creating a public-facing website so organizations could see if any of the software/hardware they run was susceptible to Log4j, the panelist noted that behind the scenes, they were also tracking adversaries who were looking to exploit Log4j, and examining what sectors were targeted. At Anomali, we see adversaries working in concert on a daily basis to further their ends, and we believe it’s impossible to truly secure companies and the people that rely on them without doing the same. Moving from Reactive to Proactive When we consider adversary detection and response, which we believe will fulfill the ultimate promise of XDR, it becomes clear that relevant intelligence is key to the security of every company and every individual. Why? Because critical threat intelligence should do more than inform and remediate. To secure the future, the promise of big data in cybersecurity cannot stop at understanding. It must extend all the way to the identification of adversaries and the prevention of attacks. And it must be relevant to those using it, when they need it. How do we get there? Intelligence is only as good as the data that informs it. Add to this siloed systems and the traditional separation between public and private sectors in sharing information. Yet the results of collaborations like that of the JCDC, as discussed during the RSA panel session, show that more detailed preparation and prevention is possible. We’ve said many times in this blog that we at Anomali believe in shifting the cybersecurity emphasis from the attack to the attacker. Savvy security professionals understand this. And so, as they make investments in intelligence, they are looking to become more strategic in their detection approach&m Threat ★★★★★
Anomali.webp 2022-06-09 02:40:00 RSA 2022: You're the New CISO. Want to Fix the Problem? Start by Simply Listening! (lien direct) The new security boss needs to listen if they hope to win over a myriad of new constituencies in their first 90 days You just took over as the CISO, ready to dig in and make the most of this fantastic opportunity. With so much needing to be fixed, where do you start first? This topic received attention during the RSA 2022 security conference this week at a session that featured CISOs from Reddit, Amplitude and Robinhood. The CISOs recounted their first three months on the job, sharing the particular challenges they faced while building out their organizations’ strategies, policies and procedures. Any new CISO will need access to the best and most actionable intelligence possible about the shifting threats to their organizations. They’re walking into new situations where they’ll immediately be under the gun to translate all the data that they’re keeping tabs on into real business impact. All the while, they’ll be expected to report to their bosses in the C-suite both on the organization’s risks and security exposure as well as what they’re doing to stay ahead of the bad guys. Clearly, enterprises are going to need an updated approach to put them in a stronger position when it comes to threat detection and response. That doesn’t happen nearly enough, according to panelist Olivia Rose, the CISO of Amplitude. She noted that many new CISOs don’t listen carefully enough when they take over and risk ostracizing the people actually doing the work. Instead, she said the CISO’s first 30 days should be akin to a listening tour. The immediate goal is to build allies for any rethink of the organization's security posture. The longer-term goal is to implement the necessary tools and processes that will make it easier for the enterprise to stay on top of security threats.
For example, one of the first things that another panelist, Caleb Sima, the CISO of Robinhood, did when he took over was to conduct an internal survey to measure the relationship between security and the rest of the organization. That was the jumping-off point for follow-up conversations with other departments about what they needed and how to improve the security relationship. After consulting with the engineering leadership and other stakeholders, he then built out planning decks with progress goals for his first year in preparation for a presentation of his findings to the executive team. It’s worth noting that this degree of sharing doesn’t need to be limited to the walls of an organization. Building on the advice outlined by Sima, new methods and tools are emerging to enable sharing within intelligence communities and among organizations that historically would have avoided sharing information for fear of spilling trade secrets. The Anomali platform, for example, makes threat intelligence sharing possible between ISACs, ISAOs, industry groups and other communities looking to share intelligence in a secure and trusted way. Winning Over the Board Perhaps no relationship – particularly during those first 90 days – is as critical as the one between the new CISO and the company’s board of directors. In the past, truth be told, the relationship left much to be desired. But in more recent years, more boards have recognized the strategic value of security and the monetary and reputational risks of data breaches. For new CISOs, it’s more important to articulate the nature of the gathering threats, real and potential, and the company’s defense capabilities – in plain English. That means keeping insights and implications very clear, with an emphasis on impact. Going even further, the CISO at some point early in their tenure will need to report progress t Tool Threat Guideline
Anomali.webp 2022-06-07 22:18:00 Why it's Time to Rethink Adversary Detection and Response - Now (lien direct) In the First World War, British soldiers faced a real threat – a 750-pound shell shot from behind enemy lines by an unseen attacker. British intelligence analysts devised an innovative system of detection and response that included microphones recording sound blast waves and advanced math for triangulation. Calculations were performed by soldiers sitting in muddy trenches, using pencils, paper, and protractors. The result? While under attack, they spent more time investigating the threat than stopping the attacker. Contemporary artillery detection systems, based on the same principles, offer far better visibility thanks to advances in automation. These modern systems automate correlation of acoustic data with global intelligence, including attacker patterns and global attacker activity, giving soldiers a simple point on the map of an impending attack. Cybersecurity has similarly had to evolve to address more sophisticated threats over the years. For instance, we started with signature-based detection technologies to stop payloads before execution and rules-based security like firewalls that blocked bad traffic. Attacks then evolved in sophistication with the ability to evade signature-based protection. Detection and response picked up where protection failed: using EDR, an analyst could manually determine if an endpoint, application or user activity looked suspicious. But analysts had to laboriously pore through suspicious activity data to pinpoint true threats. Like those WWI soldiers in the trenches, they toiled under attack to detect a threat – delaying any response. In retrospect, it marked a good first step – but it also led to badly overworked security teams. That led to the emergence of SIEM, allowing analysts to better manage this data.
But while protection, detection and monitoring solutions have proved effective, all these approaches are reactive, focused on the victim – either the device, the application or the user. Time to Shift to Proactive Attacker Detection I don’t think any security practitioner would object to taking a new approach if it would make their job easier and strengthen their defenses. In the last year alone, we witnessed a major ransomware attack that took down the Colonial Pipeline, disrupting energy supplies up and down the East Coast, and an attack on Costa Rica resulting in its president declaring a state of emergency. Elsewhere, critical infrastructure in Asia was targeted in a “low and slow” attack that lasted over a year – with attackers using “live off the land” techniques to steal credentials and move laterally from less protected IT systems to highly critical operational infrastructure. These were all attacks that had a real-life impact on people's lives, underscoring the urgency of moving beyond reactive threat detection to proactive attacker response. This much is understood: We need to extend our attack visibility across the entirety of the digital ecosystem. That means not just detecting attacks that have occurred but also preventing those that are likely to occur in the future. In my conversations with security professionals, it’s clear they want to be more proactive. They make investments in intelligence in an attempt to become more strategic in their detection approach. But static intelligence puts analysts on a hamster wheel cycle of investigation without conclusion and provides CEOs and boards with a dangerous false sense of security Ransomware Threat
Anomali.webp 2022-06-07 17:41:00 Anomali Cyber Watch: Man-on-the-Side Attack Affects 48,000 IP Addresses, Iran Outsources Cyberespionage to Lebanon, XLoader Complex Randomization to Contact Mostly Fake C2 Domains, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Confluence, Iran, Lebanon, Sandbox evasion, Signed files, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence WinDealer Dealing on the Side (published: June 2, 2022) Kaspersky researchers detected a man-on-the-side attack used by China-sponsored threat group LuoYu. A man-on-the-side attack is similar to a man-in-the-middle (MitM) attack; the attacker has regular access to the communication channel. In these attacks LuoYu was using a potent modular malware dubbed WinDealer that can serve as a backdoor, downloader, and infostealer. The URL that distributes WinDealer is benign, but under rare conditions serves the malware. One WinDealer sample was able to use a random IP address out of 48,000 addresses in two Chinese IP ranges. Another WinDealer sample was programmed to interact with a non-existent domain name, www[.]microsoftcom. Analyst Comment: Man-on-the-side attacks are hard to detect. Defense would require constant use of a VPN to avoid networks that the attacker has access to. A defense-in-depth approach (layering of security mechanisms, redundancy, fail-safe defense processes) is a good mitigation step to help prevent actors from advanced threat groups.
MITRE ATT&CK: [MITRE ATT&CK] Man-in-the-Middle - T1557 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Process Discovery - T1057 Tags: Man-on-the-side attack, WinDealer, LuoYu, SpyDealer, Demsty, Man-in-the-middle, APT, EU, target-region:EU, North America, Russia, China, source-country:CN, target-country:CN, Germany, target-country:DE, Austria, target-country:AT, USA, target-country:US, Czech Republic, target-country:CZ, Russia, target-country:RU, India, target-country:IN. Analysis of the Massive NDSW/NDSX Malware Campaign (published: June 2, 2022) Sucuri researchers describe the NDSW/NDSX (Parrot TDS) malware campaign that compromises websites to distribute other malware via fake update notifications. Currently one of the top threats involving compromised websites, NDSW/NDSX began operation in or before February 2019. This campaign utilizes various exploits, including those based on newly disclosed and zero-day vulnerabilities. After the compromise, the NDSW JavaScript is injected, often followed by a PHP proxy script that loads the payload on the server side to hide the malware staging server. The next step involves the NDSX script downloading Malware Tool Vulnerability Threat
Anomali.webp 2022-06-06 21:34:00 Welcome to RSA – How boards and management teams are stopping attackers amidst macro headwinds, the year of great resignation, digital expansion, and escalated cybersecurity activities (lien direct) RSA has finally arrived in person. We look forward to seeing our customers, partners, and many others in the broader security ecosystem. At Anomali, we exist to stop attackers and given the current environment, we want to share relevant insight from the ecosystem and the excitement around our unique delivery of open XDR. In fact, we feel compelled to make it available to test for free. Let’s start at the top of the lighthouse, and then distill the best way to navigate the infinite chess game with adversaries, including ransomware and exploits. While doing so, we will also focus on automation, reducing response time and ultimately making security spend more efficient. Boards and management teams are navigating a complex new terrain of macro headwinds (including inflation), geopolitical uncertainty, and escalated cybersecurity activities at a time when digital transformation is paramount and talent scarcity is at an all-time high. What is unequivocal is that management teams must continue their laser focus on the efficacy of their security posture and in tandem, they must optimize cost and efficiency. More than ever, management teams need relevant business insight to swiftly protect themselves and their stakeholders from cyber-attacks. That is our obsession at Anomali – our open XDR solution is helping management teams amplify visibility, enrich with relevant context and in turn, stop the attackers and predict their next move. We deliver unique use cases, starting with a proprietary attack surface management report after ingesting all relevant telemetries including cloud platforms and correlating literally hundreds of trillions of telemetry events times cyber threats per second. 
In tandem, we are automating processes, reducing response time and optimizing security spend across the environment. The advent of the Cloud, digital transformation at large, and the dynamics of a remote workforce have collectively expanded the attack surface of organizations to exponentially new levels. Today’s attack surface comprises all the entry points through which unauthorized access to digital assets is possible. These assets can be externally facing, such as a web application server or an API server, or inadvertently exposed due to a misconfigured firewall, such as a network storage device. According to Gartner, External Attack Surface Management (EASM) is an emerging cybersecurity discipline that identifies and manages the risks presented by internet-facing assets and systems. EASM refers to the processes and technology necessary to discover external-facing assets and effectively manage the vulnerabilities of those assets. Anomali XDR is a unique solution to identify your attack surface and highly targeted assets. With proprietary big data technology, you will be able to ingest all security telemetries (SIEM, EDR, NDR and public clouds), distill what’s relevant by correlating with the largest repository of global intelligence, and deliver actionable insight across your entire security environment. Our XDR solution provides continuous detection of exposed assets and identifies threat actors that are attempting to breach them. Additionally, our XDR solution identifies assets that need urgent patches or other remediation for known vulnerabilities, allowing additional insight into the criticality of the exposed asset. Following is a summary of recent attack scenarios and how the Anomali Platform has been used to quickly and efficiently detect and block adversaries. Before we start, let us summarize the initial reconnaissance questions that we have developed with CIOs, CISOs and their teams. Do you know your organization’s Attack Surface?
Even more importantly, what assets in your organization are highly targeted and who are the actors behind these targeted attacks? Can you continuously monitor the ever-changing landscape of actors and proactively block them? Are you constantly trying to reduce your attack surface? Are you able to quickly take prioritized act Ransomware Vulnerability Threat Patching
Anomali.webp 2022-06-01 17:47:00 Anomali Cyber Watch: TURLA's New Phishing-Based Reconnaissance Campaign in Eastern Europe, Unknown APT Group Has Targeted Russia Repeatedly Since Ukraine Invasion and More The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Chromeloader, Goodwill, MageCart, Saitama, Turla and Yashma. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Credit Card Stealer Targets PsiGate Payment Gateway Software (published: May 25, 2022) Sucuri researchers have detailed their findings on a MageCart skimmer that had been discovered within the Magento payment portal. Embedded within the core_config_data table of Magento’s database, the skimmer was obfuscated and encoded with CharCode. Once deobfuscated, a JavaScript credit card stealer was revealed. The stealer is able to acquire text and fields that are submitted to the payment page, including credit card numbers and expiry dates. Once stolen, a synchronous AJAX request is used to exfiltrate the data. Analyst Comment: Harden endpoint security and utilize firewalls to block suspicious activity to help mitigate against skimmer injection. Monitor network traffic to identify anomalous behavior that may indicate C2 activity.
MITRE ATT&CK: [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Input Capture - T1056 Tags: MageCart, skimmer, JavaScript, Magento, PsiGate, AJAX How the Saitama Backdoor uses DNS Tunneling (published: May 25, 2022) Malwarebytes researchers have released their report detailing the process by which the Saitama backdoor utilizes DNS tunneling to stealthily communicate with command and control (C2) infrastructure. DNS tunneling is an effective way to hide C2 communication: DNS traffic serves a vital function in modern internet communications, so blocking DNS traffic outright is almost never done. Saitama formats its DNS lookups as a domain name consisting of the message, a counter, and the root domain. Data is encoded utilizing a hardcoded base36 alphabet. There are four types of messages that Saitama can send using this method: Make Contact to establish communication with a C2 domain, Ask For Command to get the expected size of the payload to be delivered, Get A Command in which Saitama makes Receive requests to retrieve payloads and instructions, and finally Run The Command in which Saitama runs the instructions or executes the payload and sends the results to the established C2. Analyst Comment: Implement an effective DNS filtering system to block malicious queries. Furthermore, maintaining a whitelist of allowed applications for installation will assist in preventing malware like Saitama from being installed. MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 Tags: C2, DNS, Saitama, backdoor, base36, DNS tunneling Ransomware Malware Tool Threat APT 19
Anomali.webp 2022-05-31 13:18:00 May 2022 Quarterly Product Release Anomali continues to innovate with our intelligence-driven solutions. We’re pleased to announce our May Quarterly release, adding direct integrations and enhancements for The Anomali Platform, our cloud XDR solution, and its solutions to ensure our customers can maximize capabilities to receive the full benefits of our detection capabilities. Key Highlights for this Quarter Include: Expanding Cloud XDR support with New Direct Telemetry Sources; Enhanced Dashboards for The Anomali Platform; Extended TAXII 2.1 client support for sharing indicators; Granular Dashboard Management in ThreatStream; Health Status Notifications for Threat Intelligence Feeds; Unified Filtering Language across ThreatStream and Integrator. Direct Integrations with Key Endpoint Partners With this quarterly release, we continue to leverage the power of cloud-to-cloud modern telemetry. We have expanded support for direct integrations with key endpoint vendors, including Microsoft Defender, CrowdStrike, Carbon Black, and Amazon Web Services Virtual Private Network. Users can set up these and many other log sources quickly using the settings interface in The Anomali Platform. The Platform will provide a default data mapping from the log source to our XDR schema, which can be easily updated to optimize threat detection. Screenshot - How a user would map their log source data to the Cloud XDR schema to optimize correlation efficiency Enhanced Dashboards This release also introduces key dashboards that provide multi-dimensional views using our advanced search to provide an instant snapshot of your environment. New dashboards include: Multi-Dimensional View: presents a number of visualizations showing the occurrence of IOC matches over time, whether by Source Host, Indicator, iType, Severity, Confidence, and more.
Match Analysis View: provides analytics about the threat intelligence feeds, indicator types, indicators, and DGA domains that match events in your network, such as Matches Over Time, Matches by iType, Matches by Indicator, and Matches by DGA. You can also schedule and distribute reports based on these dashboards to decision-makers who do not regularly access the Platform, providing key insights and snapshots to executives and key stakeholders. Screenshot: Enhanced Dashboard Example Extended TAXII 2.1 client support for sharing indicators Trusted Automated Exchange of Intelligence Information (TAXII™) is an application protocol for exchanging intelligence over HTTPS. ThreatStream hosts a TAXII server instance that enables the sharing of observables with external applications, enabling out-of-the-box integration with security controls and other threat intelligence-consuming products. We’ve updated our ThreatStream TAXII client to ensure that any applications or products attempting to gather indicators using a TAXII 2.1 client will be able to receive intelligence without any issues. Easy configuration of new TAXII 2.x sites allows for out-of-the-box integration with intelligence providers running TAXII 2.x servers. Customers are also able to choose between TAXII 1.1, 2.0, and 2.1 when configuring a new site for IoC collection. Full Granular Dashboard Management in ThreatStream Dashboards provide quick snapshots into relevant data for users to keep tabs on what's going on in their environment. Now, ThreatStream customers can granularly manage their dashboards to further customize the Threat
Anomali.webp 2022-05-26 10:42:00 Understanding the Latest Cybersecurity Solutions To Keep Up With Today's Threats Welcome to this week’s blog. We’re getting close to the end of the series in which I explore the “Top 10 List of the Challenges Cybersecurity Professionals Face,” as found in our Cybersecurity Insights Report 2022: The State of Cyber Resilience. Coming in at number three on our list: Identifying and Utilizing the Latest Cybersecurity Solutions. This is not surprising, as just under half of security decision-makers strongly agree that their cybersecurity teams can quickly prioritize threats based on trends, severity, and potential impact. Cybersecurity analysts use various tools in their jobs, which can be organized into a few categories: network security monitoring, encryption, web vulnerability scanning, penetration testing, antivirus software, network intrusion detection, and packet sniffers. Types of Tools Network security monitoring tools: These tools are used to analyze network data and detect network-based threats. Encryption tools: Encryption protects data by scrambling text so that it is unreadable to unauthorized users. Web vulnerability scanning tools: These software programs scan web applications to identify security vulnerabilities, including cross-site scripting, SQL injection, and path traversal. Penetration testing: Penetration testing, also known as a “pen test”, simulates an attack on a computer system to evaluate the security of that system. Antivirus software: This software is designed to find viruses and harmful malware, including ransomware, worms, spyware, adware, and Trojans. Network intrusion detection: An Intrusion Detection System (IDS) monitors network and system traffic for unusual or suspicious activity and notifies the administrator if a potential threat is detected.
Packet sniffers: A packet sniffer, also called a packet analyzer, protocol analyzer or network analyzer, is used to intercept, log, and analyze network traffic and data. Firewall tools: Monitor incoming and outgoing network traffic and permit or block data packets based on security rules. Detection and Response Platforms: Detection and response services analyze and proactively detect and eventually eliminate cyber threats. Alerts are investigated to determine if any action is required. As I pointed out in a previous blog, enterprise organizations have deployed over 130 security tools. Here's a look at the current technology security teams use or plan to invest in. What's even crazier is this stat: CyberDB claims to have more than 3,500 cybersecurity vendors listed in the United States alone. So, how are security professionals supposed to keep up with the latest trends or innovations in technology? Thankfully, we live in the digital age where information is just a click away. I typically start my day by reading news websites and blogs from security experts and checking Twitter. You can also attend webinars and conferences or communicate directly with someone well-versed in the field. Get Social Social media networks are excellent sources for finding new content. (Shameless plug: make sure you're following us on LinkedIn and Twitter.) Twitter is particularly useful if you know what hashtags to search for or who to follow. You can see discussions in real-time to get yourself into the conversation; create feed lists to weed out the noise by specifying what security vendors, influencers, and developers you Tool Vulnerability Threat ★★★★★
Anomali.webp 2022-05-24 17:29:00 Anomali Cyber Watch: Conti's Talent Goes to Other Ransom Groups, China-Based Espionage Targets Russia, XorDdos Stealthy Linux Trojan is on the Rise, and More The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Botnets, Conti Ransomware, Disinformation, Internet of things, Phishing, VMware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others) (published: May 20, 2022) In April 2022, VMware publicly revealed several vulnerabilities affecting its products, and by May 2022 the Cybersecurity and Infrastructure Security Agency (CISA) had issued an emergency directive to mitigate two of the VMware vulnerabilities (CVE-2022-22954 and CVE-2022-22960). CVE-2022-22954 is a remote code execution (RCE) vulnerability using server-side template injection to target VMware Workspace ONE Access and Identity Manager. It can be easily exploited with a single HTTP request to a vulnerable device and was seen delivering various payloads including coinminers, Perl Shellbots, scanning/callback tools, and webshells. CVE-2022-22954 is also being exploited to drop variants of Mirai/Gafgyt, and in the case of the observed Enemybot variant, the final payloads themselves embed CVE-2022-22954 exploits for further exploitation and propagation. Analyst Comment: Update impacted VMware products to the latest version or remove impacted versions from organizational networks. If a compromise is detected, immediately isolate affected systems, collect relevant logs and artifacts, and consider incident response services.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498 Tags: VMware, Perl Shellbot, Stealth Shellbot, Godzilla Webshell, Gafgyt, Mirai, XMRig, Coinminer, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2017-17215, CVE-2022-22961, CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22973, CVE-2022-22972, Linux, Server-side template injection, RCE DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape (published: May 20, 2022) Advanced Intel researchers report that Conti ransomware group (Wizard Spider) is in the long-planned process of discontinuing its brand and has turned off its infrastructure including their negotiations service site and the admin panel of the Conti official website. The attack on Costa Rica was intentionally causing publicity Ransomware Malware Tool Vulnerability Threat
Anomali.webp 2022-05-17 15:01:00 Anomali Cyber Watch: Costa Rica in Ransomware Emergency, Charming Kitten Spy and Ransom, Saitama Backdoor Hides by Sleeping, and More The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Conti ransomware, India, Iran, Russia, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence COBALT MIRAGE Conducts Ransomware Operations in U.S. (published: May 12, 2022) Secureworks researchers describe campaigns by the Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity's systems, and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries, including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and used commodity tools for encryption, internal scanning, and lateral movement. Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your systems updated, and employ mitigation strategies when updates for critical vulnerabilities are not available.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, Powershell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591 SYK Crypter Distributing Malware Families Via Discord (published: May 12, 2022) Morphisec researchers discovered a new campaign abusing popular messaging platform Discord content distribution network (CDN). If a targeted user activates the phishing attachment, it starts the DNetLoader malware that reaches out to the hardcoded Discord CDN link and downloads a next stage crypter such as newly-discovered SYK crypter. SYK crypter is being loaded into memory where it decrypts its configuration and the next stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions and checks for d Ransomware Malware Tool Vulnerability Threat Conference APT 35 APT 15 APT 34
Anomali.webp 2022-05-12 11:00:00 Dealing with the Cybersecurity Skills Gap Welcome to this week’s blog. We’re getting close to the end of the series in which I explore the “Top 10 List of the Challenges Cybersecurity Professionals Face,” as found in our Cybersecurity Insights Report 2022: The State of Cyber Resilience. Coming in at number four on the list is “Lack of skilled cybersecurity professionals.” I’m a little surprised this wasn’t number one on our list, but organizations have adapted to alleviate this constraint. Understanding the Cybersecurity Skills Shortage The cybersecurity skills shortage is nothing new, but it was exacerbated by the pandemic, which accelerated digital transformation, expanded attack surfaces, and increased security. According to the latest statistics from (ISC)², there will be approximately 1.8 million unfilled cybersecurity jobs by 2022. Even though that is a significant drop compared to the 3.5 million cybersecurity workforce shortage in 2021, it still leaves a substantial gap in the market. Why the cybersecurity skills gap exists – and persists I’m always in awe when I watch SOC Analysts, Threat Hunters, and Reverse Engineers work. There’s a lot of discipline involved in what they do, and it takes a specific mindset. According to Gartner, there is a persistent cybersecurity skills shortage because the cybersecurity industry covers several different disciplines, ranging from secure code practices and full-stack knowledge of IT infrastructure to regulatory and legal compliance. Others say it reflects skills shortages across the broader IT market. However, the growing size and intensity of cyber-attacks mean that demand for cybersecurity professionals has grown much faster than in other sectors of the IT job market. It’s challenging to find and recruit multidisciplinary IT staff in the first place, so finding someone who has the additional focus on security is even more challenging.
Working in cybersecurity requires an extensive range of soft and technical skills and a suitable personality for the job. Despite the massive demand for cybersecurity jobs, IT candidates are less inclined to pursue these careers because of the stress involved. What’s Required? The shortage of cybersecurity skills lies within this tangled web of requirements: to become the person who can protect organizations from cyber attacks, you need many years’ worth of applied experience far beyond any formal education. In speaking with colleagues, successful cybersecurity candidates today must first be a general security expert who has a good grasp of physical and technical cybersecurity issues. You also need deep IT expertise in at least one or two specific domains, with a grasp of the evolution of technology and an understanding of how organizations and their people use technology to achieve their goals. Taking a quick look at job reqs, most companies hiring an entry-level SOC analyst are looking for someone with: 3 to 5 years or more of information security-related experience; technical expertise in IT technology (cybersecurity, cloud computing, networking, and software development); experience-based familiarity with the auditing discipline of information security; knowledge of security and regulatory compliance frameworks (PCI DSS, SOC, NIST, HIPAA, GDPR, etc.); and the CISA or other information security certifications. I came across an old stat on cybersecurityventures.com that said only 3 percent of US bachelor’s degree grads have cybersecurity-related skills. If more students don’t enroll to get the necessary skills, who knows if we’ll ever catch up. Dealin Threat Guideline ★★★
Anomali.webp 2022-05-10 17:08:00 Anomali Cyber Watch: Moshen Dragon Abused Anti-Virus Software, Raspberry Robin Worm Jumps from USB, UNC3524 Uses Internet-of-Things to Steal Emails, and More The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Phishing, Ransomware, Sideloading, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Attackers Are Attempting to Exploit Critical F5 BIG-IP RCE (published: May 9, 2022) CVE-2022-1388, a critical remote code execution vulnerability affecting F5 BIG-IP multi-purpose networking devices/modules, was made public on May 4, 2022. It is of high severity (CVSSv3 score 9.8). By May 6, 2022, multiple researchers had developed proof-of-concept (PoC) exploits for CVE-2022-1388. The first in-the-wild exploitation attempts were reported on May 8, 2022. Analyst Comment: Update your vulnerable F5 BIG-IP versions 13.x and higher. BIG-IP 11.x and 12.x will not be fixed, but temporary mitigations are available: block iControl REST access through the self IP address and through the management interface, and modify the BIG-IP httpd configuration. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 Tags: CVE-2022-1388, F5, Vulnerability, Remote code execution, Missing authentication Mobile Subscription Trojans and Their Little Tricks (published: May 6, 2022) Kaspersky researchers analyzed five Android trojans that are secretly subscribing users to paid services. Jocker trojan operators add malicious code to legitimate apps and re-upload them to Google Store under different names.
To avoid detection, the malicious functionality won’t start until the trojan checks that it is available in the store. The malicious payload is split into up to four files. It can block or substitute anti-fraud scripts, and modify the X-Requested-With header in an HTTP request. Another Android malware involved in subscription fraud, the MobOk trojan, has additional functionality to bypass captchas. MobOk was seen in a malicious app in Google Store, but the most common infection vector is being spread by other trojans such as Triada. Analyst Comment: Limit your apps to downloads from the official stores (Google Store for Android), and avoid new apps with a low number of downloads and bad reviews. Pay attention to the terms of use and payment. Avoid granting an app too many permissions if those are not crucial to the app's alleged function. Monitor your balance and subscription list. MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Data Manipulation - T1565 Tags: Android, Jocker, MobOk, Triada, Vesub, GriftHorse, Trojan, Subscription fraud, Subscription Trojan, Russia, target-country:RU, Middle East, Saudi Arabia, target-country:SA, Egypt, target-country:EG, Thailand, target-country:TH Raspberry Robin Gets the Worm Early (published: May 5, 2022) Since September 2021, Red Canary researchers have been monitoring Raspberry Robin, a new worm Ransomware Malware Tool Vulnerability Threat APT 29 APT 28 ★★★
Anomali.webp 2022-05-03 16:31:00 Anomali Cyber Watch: Time-to-Ransom Under Four Hours, Mustang Panda Spies on Russia, Ricochet Chollima Sends Goldbackdoor to Journalists, and More The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, LNK files, Malspam, North Korea, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity (published: April 28, 2022) ESET researchers found three different teams under the China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019. Infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog’s infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs). Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security.
Prevention and detection capabilities should also be in place. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Inter-Process Communication - T1559 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Process Injection - T1055 | Ransomware Malware Tool Vulnerability Threat Guideline Cloud APT 37 APT 10
Anomali.webp 2022-04-28 11:00:00 More Tools, More Problems: Why It's Important to Ensure Security Tools Work Together Welcome to blog #six as I explore the “Top 10 List of the Challenges Cybersecurity Professionals Face,” as found in our Cybersecurity Insights Report 2022: The State of Cyber Resilience. In the last blog, I wrote about the challenges that organizations have with disparate tools, highlighted by the fact that mature enterprise organizations deployed over 130 security tools on average. That blog is a perfect introduction to number five on our list of challenges enterprise organizations face: ‘Solutions not customized to the types of risks we face.’ More Tools, More Problems Most security teams use several security management tools to help them manage their security infrastructure. While each tool was acquired for a specific reason and purpose, introducing each tool into an existing security tech stack poses a different challenge. Unfortunately, there’s no one-size-fits-all approach. Every new security tool introduced requires integration to use the tool effectively. It takes a lot of time and effort to implement a tool properly into your environment and processes. Training would most likely be needed for the analysts who would be using the new tools. While necessary, these tasks take time and attention away from everyday activities and can significantly decrease a security team’s effectiveness before the tools are fully integrated into their workflow. An Increase in Tools Increases Security Complexity The increasing adoption of cybersecurity solutions has created more consequences and challenges for organizations and their IT teams. With each addition of a new solution, another problem emerges: tool sprawl. Tool sprawl is when an organization invests in various tools that make it harder for IT teams to manage and orchestrate the solution. Time is a precious commodity, especially in cybersecurity.
It takes time to collect information from multiple tools and disparate data sources, then correlate it manually with the necessary intelligence. Instead of responding quickly to an attack, analysts will waste time collecting the data and relevant intelligence needed to understand what kind of attacks they are dealing with and which actions they should take. Instead of fixing a problem, security teams may suddenly find that they’ve added more. How Cybersecurity Tools Grew Out of Control Traditional cybersecurity operations were designed to manage antivirus software, install and monitor firewalls, protect data, and help users manage passwords. It was evident by the mid-1990s that investing in cybersecurity would be necessary. Organizations now had a budget for security and had to figure out which parts of their infrastructure were most vulnerable. As their strategy evolved, organizations began investing in hiring cybersecurity experts but realized people are expensive. They then began buying various tools to complement their security professionals. They soon realized that for any potential problem there was a security tool you could buy to help resolve the situation. The desire to throw tools at a situation continues today. Cybersecurity budgets have increased since the pandemic sped up digital transformation efforts and increased organizations’ attack surfaces. Board members and executives realize the need to invest more in cybersecurity. New security products continue to spring up, promising to solve problems and secure all the various parts of businesses’ technology stacks. Unfortunately, when adding tools, too many organizations make the mistake of looking for a quick fix, working in silos to solve one problem rather than t Tool Threat Guideline
Anomali.webp 2022-04-26 16:24:00 Anomali Cyber Watch: Gamaredon Delivers Four Pterodos At Once, Known-Plaintext Attack on Yanlouwang Encryption, North-Korea Targets Blockchain Industry, and More The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, CatalanGate, Cloud, Cryptocurrency, Information stealers, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems (published: April 25, 2022) Cybereason researchers have compared trending attacks involving SocGholish and Zloader malware. Both infection chains begin with social engineering and malicious downloads masquerading as legitimate software, and both lead to data theft and possible ransomware installation. SocGholish attacks rely on drive-by downloads followed by user execution of a purported browser installer or browser update. The SocGholish JavaScript payload is obfuscated using random variable names and string manipulation. The attacker domain names are written in reverse order with the individual string characters placed at the odd index positions. Zloader infection starts by masquerading as a popular application such as TeamViewer. Zloader acts as an information stealer, backdoor, and downloader. Active since 2016, Zloader actively evolves and has acquired detection evasion capabilities, such as excluding its processes from Windows Defender and using living-off-the-land (LotL) executables. Analyst Comment: All applications should be carefully researched prior to installing them on a personal or work machine.
Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors. MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets - T1558 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | Ransomware Malware Tool Vulnerability Threat Guideline Medical Uber APT 38 APT 28
Anomali.webp 2022-04-19 15:00:00 Anomali Cyber Watch: RaidForums Seized, Sandworm Attacks Ukrainian Power Stations, North Korea Steals Chemical Secrets, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, North Korea, Spearphishing, Russia, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Lazarus Targets Chemical Sector (published: April 14, 2022) In January 2022, Symantec researchers discovered a new wave of Operation Dream Job. This operation, attributed to the North Korea-sponsored group Lazarus, utilizes fake job offers via professional social media and email communications. With the new wave of attacks, Operation Dream Job switched from targeting the defense, government, and engineering sectors to targeting South Korean organizations operating within the chemical sector. A targeted user executes an HTM file sent via a link. The HTM file is copied to a DLL file to be injected into the legitimate system management software. It downloads and executes the final backdoor: a trojanized version of the Tukaani project LZMA Utils library (XZ Utils) with a malicious export added (AppMgmt). After the initial access, the attackers gain persistence via scheduled tasks, move laterally, and collect credentials and sensitive information. Analyst Comment: Organizations should train their users to recognize social engineering attacks, including those posing as “dream job” proposals. Organizations facing cyberespionage threats should implement a defense-in-depth approach: layering of security mechanisms, redundancy, and fail-safe defense processes. 
MITRE ATT&CK: [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555 Tags: Lazarus, Operation Dream Job, North Korea, source-country:KP, South Korea, target-country:KR, APT, HTM, CPL, Chemical sector, Espionage, Supply chain, IT sector Old Gremlins, New Methods (published: April 14, 2022) Group-IB researchers have released their analysis of threat actor OldGremlin’s new March 2022 campaign. OldGremlin favored phishing as an initial infection vector, crafting intricate phishing emails that target Russian industries. The threat actors utilized the current war between Russia and Ukraine to add a sense of legitimacy to their emails, with claims that users needed to click a link to register for a new credit card, as current ones would be rendered useless by incoming sanctions. The link leads users to a malicious Microsoft Office document stored within Dropbox. When macros are enabled, the threat actor’s new, custom backdoor, TinyFluff, a new version of their old TinyNode Ransomware Spam Malware Vulnerability Threat Guideline Medical APT 38 APT 28
Anomali.webp 2022-04-14 11:00:00 More is Less: The Challenge of Utilizing Multiple Security Tools (lien direct) Greetings everyone, and welcome to this week’s blog. This week, I’m diving into number six in our “Top 10 List of the Challenges Cybersecurity Professionals Face,” as found in our Cybersecurity Insights Report 2022: The State of Cyber Resilience: Lack of integrated cyber-security solutions. To deal with the cyberthreats they face every day, Enterprise Security Decision Makers seek new and well-supported solutions. They look for solutions that are easy to use and integrate with other cybersecurity systems and different parts of their organizations. 44% of those surveyed said that easily integrating with other cybersecurity tools is essential when evaluating cybersecurity solutions. What do you look for? So why do almost half of enterprise decision-makers want easily integrated tools? Enterprises frequently deploy new security tools and services to address changing needs and an increase in threats. In fact, according to recent findings, mature security organizations have deployed on average: Small businesses: 15 to 20 security tools; Medium-sized companies: 50 to 60 security tools; Enterprises: over 130 security tools. If you like math, check out these stats: A typical six-layer enterprise tech stack, composed of networking, storage, physical servers, virtualization, management, and application layers, causes enterprise organizations to struggle with 1.6 billion versions of tech installations for 336 products by 57 vendors. Increasing Investments Our research showed that 74% of organizations had increased their cybersecurity budgets to help defend against increasing cyber-attacks. Despite these increasing investments in cybersecurity, only 46% are very confident that their cyber-protection technologies can detect today’s sophisticated attacks. While investment is on the rise, effectiveness is not. 
Response efforts have been hindered by the complexity caused by fragmented toolsets, highlighting that investing in too many tools can reduce the effectiveness of security defenses. More Tools, More Problems The wide variety of tools enterprises invest their time and money into to combat security threats can create numerous issues. Security analysts are understandably frustrated. They’re spending most of their time chasing false positives and performing manual processes born from these disparate toolsets. They’re working longer hours and are under more pressure to protect the business. CSO Online provides a good article listing the top challenges of security tool integration: 7 top challenges of security tool integration | CSO Online: too many security tools; lack of interoperability among security tools; broken functionality; limited network visibility; increase in false alarms; failure to set expectations properly; lack of skills. You can find the full article here. Source: csoonline.com For this blog, I’ll focus on what I think is the biggest challenge the article did not mention: Disparate tools create siloed organizations.  Creating Gaps and Silos In the last Tool Threat Guideline
Last update at: 2024-05-20 02:08:10