What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
Anomali.webp 2021-03-16 15:07:00 An Intelligence-Driven Approach to Extended Detection and Response (XDR) (direct link) Threat detection isn’t getting any easier. Today’s threat actors are escalating the number of attacks they launch, going after more targets, using increasingly sophisticated techniques, and achieving their goals through surreptitiousness – not notoriety. With more than 2,000 security vendors catalogued and organizations reporting an average of 45 security solutions deployed, why aren’t we any closer to solving the threat detection gap? To answer this question, we first need to ask, what are we trying to achieve? For years now, we have known that the “whack-a-mole” approach of detecting discrete threats is at best a stopgap for the next inevitable attack. At a high level, most would likely agree that the always-shifting nature of adversaries, emergence of new vulnerabilities and exploits, and the all-menacing “zero day” leads to the continued proliferation of incidents ranging across data breaches, ransomware, and cyberespionage, etc. As soon as we close one door to attackers, they find and open another. This has always been the case. There’s more to this though. We think some of the answer can be found in the failure to fully optimize and connect existing tools, processes, and people to give them broader visibility over traffic and threats moving in and out of their networks while seamlessly layering in detection and response capabilities. As we were told in a recent discussion with an industry analyst, “We’ve reached an inflection point. Enterprises know that the resources needed to greatly improve their security operations exist, they are now hungry to start using them to their maximum potential.” In other words, “We know the goods are available, how do we start using them to better find and neutralize the bad actors?” Enter Extended Detection and Response (XDR) You may have noticed lately that XDR is white hot in the security world.
Scores of vendors are entering the fray — ranging across small startups to established 800-pound gorillas. Dozens of industry analysts are quickly validating XDR as more than just a buzzword, with Gartner adding XDR to the “innovation trigger” on the newly created Security Operations Hype Cycle. As a long-time member of the security technology community, I can add that while we have certainly seen enthusiasm for trends at different periods, the level that XDR is generating reminds me of three other significant movements that changed the course of computing and security. The first was for Security Event and Information Management (SIEM), which I experienced during my time as a founder at ArcSight. The second was during the “big data” era. The third was for “cloud,” which in many ways has been reinvigorated due to COVID. XDR: What is it? Multiple definitions exist. We think of XDR as an architecture and in terms of how enterprises can leverage it to maximize the performance of their overall security investment (people, technologies, services) to take action against threats at the fastest possible speed. As leaders in the threat intelligence market and with deference to the essential role that global threat intelligence plays in accelerating detection and response, we offer up the following working definition: Organizations that run on top of XDR architectures are able to move closer to managing their security infrastructure as an integrated, unified platform. With XDR, Security Operations Centers (SOCs) can break silos to converge all security data and telemetry collected and generated by security technologies they’ve deployed (tech that includes firewalls, EDR, CASB, SIEM, SOAR, TIP etc.). With this information, they can generate strategic threat intelligence that empowers Vulnerability Threat Patching Guideline
Anomali.webp 2021-03-02 15:00:00 Anomali Cyber Watch: APT Groups, Cobalt Strike, Russia, Malware, and More (direct link) We are excited to announce Anomali Cyber Watch, your weekly intelligence digest. Replacing the Anomali Weekly Threat Briefing, Anomali Cyber Watch provides summaries of significant cybersecurity and threat intelligence events, analyst comments, and recommendations from Anomali Threat Research to increase situational awareness, and the associated tactics, techniques, and procedures (TTPs) to empower automated response actions proactively. We hope you find this version informative and useful. If you haven’t already subscribed get signed up today so you can receive curated and summarized cybersecurity intelligence events weekly. The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Emotet, Go, Masslogger, Mustang Panda, OilRig, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact (published: February 26, 2021) Recent reporting indicates that two prolific cybercrime threat groups, CARBON SPIDER and SPRITE SPIDER, have begun targeting ESXi, a hypervisor developed by VMware to run and manage virtual machines. SPRITE SPIDER uses PyXie's LaZagne module to recover vCenter credentials stored in web browsers and runs Mimikatz to steal credentials from host memory. After authenticating to vCenter, SPRITE SPIDER enables ssh to permit persistent access to ESXi devices. In some cases, they also change the root account password or the host’s ssh keys.
Before deploying Defray 777, SPRITE SPIDER’s ransomware of choice, they terminate running VMs to allow the ransomware to encrypt files associated with those VMs. CARBON SPIDER has traditionally targeted companies operating POS devices, with initial access being gained using low-volume phishing campaigns against this sector. But throughout 2020 they were observed shifting focus to “Big Game Hunting” with the introduction of the Darkside Ransomware. CARBON SPIDER gains access to ESXi servers using valid credentials and reportedly also logs in over ssh using the Plink utility to drop the Darkside Recommendation: Both CARBON SPIDER and SPRITE SPIDER likely intend to use ransomware targeting ESXi to inflict greater harm – and hopefully realize larger profits – than traditional ransomware operations against Windows systems. Should these campaigns continue and prove to be profitable, we would expect more threat actors to imitate these activities. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Scheduled Transfer - T1029 | Ransomware Malware Threat Wannacry Wannacry APT 29 APT 28 APT 31 APT 34
Anomali.webp 2021-03-02 14:59:00 Anomali February Product Release: Moving Beyond Tactical Intelligence (direct link) We are happy to announce the Anomali Product Release for February 2021. For our product and engineering teams to deliver this latest set of features and enhancements, they worked closely with our customers with a particular eye to supporting security teams in their further move beyond a reliance on tactical, technical intelligence to a holistic, threat-model-driven approach by allowing them to work with threat models like the MITRE ATT&CK framework inside Anomali ThreatStream easily and productively. A further highlight directed at augmenting collaboration across teams and with external peers, leveraging our popular Trusted Circles capabilities, is the advent of full-featured chat within the Anomali ThreatStream threat intelligence platform, while maintaining privacy controls. Enhancements in this latest release include: MITRE ATT&CK Framework Integration As a follow-up to the recent release of support for MITRE ATT&CK framework techniques, we’ve added the ability to import content from the MITRE ATT&CK Navigator tool and store your framework capabilities inside ThreatStream. Users can use the MITRE capability in ThreatStream's Investigations feature to help prioritize investigative activity and decision-making, making security teams more efficient and responsive. Direct Import of MITRE ATT&CK Security Settings Advanced Search Functionality for Threat Models This month we’ve extended advanced search to Threat Model content in ThreatStream - providing the same flexibility and features for finding and refining content in our platform as for observable content. Users can now create advanced search queries with conditions and operators, and some additional capabilities specific to our Threat Model content, to find relevant intelligence quickly, as well as save their complex searches for future use at a click.
Advanced Search Functionality for Threat Models Collaboration via Full-Featured ThreatStream Chat Customers now have the benefit of real-time, protected communication within ThreatStream for their internal teams and with Trusted Circle collaborators via the use of a full-featured chat client. With this built-in chat functionality, analysts can communicate and share tactical information as well as more strategic aspects of analysis and response quickly and easily with colleagues and peers at organizations that are members of common Trusted Circles--from inside the ThreatStream platform, where it can be easily shared and investigated. Most importantly, the collaboration remains anonymized and privacy is ensured. Collaboration via Full-Featured ThreatStream Chat Clone Custom Themed Dashboards Extending the custom themed dashboards developed by the Anomali Threat Research (ATR) team and released in December, we are now offering the ability to not only access a custom themed dashboard (for COVID, Sunburst or other specific themes), but also to clone (or create a copy) of that dashboard, which you can now further customize or tailor to your specific needs and preferences. Once a dashboard is cloned a user can change, for a given widget, the saved query upon which the widget is based, as well as add their own custom widgets. Clone Custom Themed Dashboards Intelligence Enrichment Inside of Investigations We continue to refine the display of critical information to the user at the appropriate point of their research in order to ensure analysts have the right intelligence Tool Threat Solardwinds Solardwinds
Anomali.webp 2021-02-22 21:21:00 An Intelligent, New Approach to Old Cybersecurity Challenges (direct link) How to Optimize SIEM Performance With Threat Intelligence and IOC Matching The nature of information technology is such that it is always expanding and being innovated at a pace that can be daunting to keep up with. The cybersecurity market in particular is constantly updating itself with the development of new technologies, methodologies, and best practices to deal with equally evolving cyberthreats. The security challenges faced by enterprise clients, however, have changed very little over the past couple of decades. They still want better visibility into the threats targeting them, they still struggle with data overload, and they still suffer from a shortage of human resources. The question is, why do these challenges still exist despite the progress we’ve made in establishing security standards and building better technologies? Challenge 1: Integration By taking a closer look at the cybersecurity deployments amongst large corporations, I have spotted some trends that lead to these challenges. Most of the enterprise clients I assist have many different security products in their environment. They address different use cases but are rarely cross-integrated. You could call these clients’ infrastructures ‘heterogenous’, given how the technologies and staff using them are effectively siloed. These silos slow down cross-communication, hinder response attack times, and leave legacy systems overlooked and often under-utilized. Challenge 2: Data Overload, Staffing Shortfall The advent of SIEM technology in the early 2000s has been a positive game changer for the cybersecurity industry. It also put a glaring spotlight on security challenges. When properly configured and manned, SIEMs keep users aware of all kinds of malicious activity occurring within their networks.
However, ever-expanding IT environments mean ever-expanding log volumes, which require more storage space, more processing power, and more analysts to triage the high number of alerts that SIEMs generate every day. Why more analysts? Because a classic SOC model has Tier 1 analysts who triage alerts, Tier 2 analysts who perform incident response and remediation, and Tier 3 analysts running forensics and pentesting… And a fair share of these tasks are performed manually! Challenge 3: Technology Advances Faster than We Can Hire In the last decade, the democratization of cyber threat intelligence has added an extra strain on SIEMs as clients want to use them to compare external threat data to internal logs. In terms of order of magnitude, we’re talking about comparing tens, if not hundreds of millions of indicators of compromise (IOCs) to billions, if not trillions of events in a SIEM in real-time. Though it’s possible in theory, it’s nowhere near efficient in practice—try querying your SIEM if a small list of just 1,000 Command & Control IP addresses were contacted by your assets in the past year and then tell me how many hours that search will take. The flood of data combined with staff restraints leaves organizations at a disadvantage, despite the advancements SIEMs continue to make. Meeting the Challenges, Supercharging the SIEM SIEMs aren’t going anywhere, and they shouldn’t — they’ve proven their value. When it comes to optimizing their capabilities, threat intelligence can make a major difference. For example, filtering a subset (fraction) of the total number of IOCs that are linked to threats most likely to target a company, and then comparing that data to the most recent SIEM event logs (e.g., last 90 days), enables more effective detection. However, a limited query such as this does not cover threat actors’ typical dwell time, and by omitting the majority of the IOCs from the query, its effectiveness is lessened.
So now that we have a better understanding of why enterprise clients are still struggling with the challenges of threat visibility, data overload Threat Guideline
Anomali.webp 2021-02-10 16:34:00 Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies (direct link) ScreenConnect Remote Access Tool Utilizing Ministry of Foreign Affairs-Themed EXEs and URLs Authored by: Gage Mele, Winston Marydasan, and Yury Polozov Key Findings Anomali Threat Research identified a campaign targeting government agencies in the United Arab Emirates (UAE) and likely the broader Middle East. We assess that Iran-nexus cyberespionage group Static Kitten, due to Israeli geopolitical-themed lures, Ministry of Foreign Affairs (MOFA) references, and the use of file-storage service Onehub that was attributed to their previous campaign known as Operation Quicksand.[1] The objective of this activity is to install a remote management tool called ScreenConnect (acquired by ConnectWise 2015) with unique launch parameters that have custom properties. Malicious executables and URLs used in this campaign are masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait (mofa.gov[.]kw). Another sample, including only MOFA (mfa.gov), could be used for broader government targeting. Overview Anomali Threat Research has uncovered malicious activity very likely attributed to the Iran-nexus cyberespionage group, Static Kitten (Seedworm, MERCURY, Temp.Zagros, POWERSTATS, NTSTATS, MuddyWater), which is known to target numerous sectors primarily located in the Middle East.[2] This new campaign, which uses tactics, techniques, and procedures (TTPs) consistent with previous Static Kitten activity, uses ScreenConnect launch parameters designed to target any MOFA with mfa[.]gov as part of the custom field. We found samples specifically masquerading as the Kuwaiti government and the UAE National Council respectively, based on references in the malicious samples. In mid-2020, the UAE and Israel began the process of normalizing relations.
Since then, tensions have further escalated in the region, as reported by numerous sources. The targeting of Kuwait could be tied to multiple factors, including Kuwait’s MOFA making a public statement that they were willing to lead mediation between Iran and Saudi Arabia.[3] Furthermore, in October 2020, trade numbers for a peace deal between Israel and UAE included an estimate for the creation of 15,000 jobs and $2 billion in revenue on each side.[4] In that same month, Static Kitten reportedly conducted Operation Quicksand, which targeted prominent Israeli organizations and included the use of file-storage service OneHub.[5] Details We identified two lure ZIP files being used by Static Kitten designed to trick users into downloading a purported report on relations between Arab countries and Israel, or a file relating to scholarships. The URLs distributed through these phishing emails direct recipients to the intended file storage location on Onehub, a legitimate service known to be used by Static Kitten for nefarious purposes.[6] Anomali Threat Research has identified that Static Kitten is continuing to use Onehub to host a file containing ScreenConnect. The delivery URLs found to be part of this campaign are: ws.onehub[.]com/files/7w1372el ws.onehub[.]com/files/94otjyvd File names in this campaign include: تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod[.]gov.kw.ZIP تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod[.]gov.kw.exe الدرا Ransomware Malware Tool Threat Studies Guideline
Anomali.webp 2021-02-02 23:04:00 Threat Actors Capitalize on COVID-19 Vaccine News to Run Campaigns, AWS Abused to Host Malicious PDFs (direct link) Key Findings Malicious actors have targeted the vaccine supply chain and leaked materials stolen from the European Medicines Agency (EMA). Phishing campaigns have evolved alongside the pandemic, with the latest observed themes being vaccine-related topics. Users should remain cautious of possible phishing attacks via email, text messages (SMS), or just click through search results. Overview Threat actors change and adapt their campaigns to mirror themes prevalent in the public eye. When they leverage high-urgency trends, their success levels rise. Since the beginning of the pandemic, Anomali has focused resources to detect malicious cyber campaigns using COVID-19 themes. In this blog, Anomali Threat Research presents several malicious samples that represent simple tactics, techniques, and procedures (TTPs) used by actors in COVID-themed malspam campaigns. Less-sophisticated threat actors can be easier to monitor and block if the TTPs utilized by the actors are well known. New Discoveries The majority of this research centers on analysis of known threat actors and indicators of compromise (IOCs). There are several samples that we believe are newly discovered by our researchers (we haven’t seen them discussed elsewhere). Among these are several malicious PDFs hosted on Amazon Web Services (AWS) and other hosting websites. We discuss this campaign below in the chapter named “2.c. Alternative channel: Online PDF Search Engine Optimization (SEO)”, detailing samples with titles “Adenovirus vector pdf” and “Illinois coronavirus october 15”. Details 1.
Targeted Supply Chain Attacks On December 28, 2020, the US Treasury Department's Financial Crimes Enforcement Network (FinCEN) published a notice entitled, “COVID-19 Vaccine-Related Scams and Cyberattacks.”  That report provided evidence of actors conducting scams asking for a fee to provide potential victims with the vaccine sooner than permitted. Furthermore, FinCEN assessed that cybercriminals will likely continue to exploit the COVID-19 pandemic to target financial institutions, vaccine delivery operations, and vaccine manufacture supply chains. FinCEN is aware of ransomware directly targeting vaccine research and has pushed for awareness of these phishing schemes luring victims with fraudulent information about COVID-19 vaccines.[1] Other threats to vaccine research have been reported by US and European intelligence agencies. In December 2020, threat actors breached the European Medicines Agency (EMA) whilst it was in the COVID-19 vaccine evaluation process. On January 12, 2021, threat actors leaked a portion of the stolen materials with regards to Pfizer/BioNTech vaccine (Figure 1).[2] On the same day in an unrelated event, the Director of the National Counterintelligence and Security Center (NCSC), William Evanina, confirmed the existence of threats from China and Russia to disrupt the US coronavirus vaccine supply chain.[3] Screenshot of the Files in the EMA Vaccine Breach Figure 1 – Screenshot of the Files in the EMA Vaccine Breach The publication of the EMA vaccine breach on RaidForums was taken down by forum administrators only to resurface on other platforms. Later, the EMA claimed that at least some of the leaked correspondence had “been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines.”[4] 2. Non-targeted Adoption by Phishing Campaigns Below are three examples of COVID-19 vaccine-related phishing campaigns utilizing different delivery methods: email, SMS, and search engine traffic.  
As COVID-19 vaccination is a newsworthy topic, it would be consistent with observed activity for so Ransomware Spam Malware Threat Guideline
Anomali.webp 2020-12-29 21:22:00 Actionable Threat Intelligence Available for Sunburst Cyber Attacks on SolarWinds (direct link) On Dec. 13, FireEye published a detailed analysis about the attack carried out against SolarWinds, which appears to have compromised its Orion IT monitoring and management platform to spread the Sunburst Backdoor malware. As part of the attack, which started in March, the Orion platform started sending out the digitally-signed trojanized malware via regular updates. According to SolarWinds, the compromised update may have been installed by fewer than 18,000 of its customers, including many U.S. federal agencies and Fortune 500 firms that use Orion to monitor the health of their IT networks. In a related blog post, FireEye also announced that a highly sophisticated state-sponsored adversary penetrated its network and stole FireEye Red Team tools used to test customers’ security. In response to the attacks, Anomali has collected, curated, and distributed clear and concise open-source intelligence (OSINT) to help organizations determine if they have been impacted. Two key resources released include a SolarWinds Breach Threat Bulletin and a FireEye Red Team Tools Breach Threat Bulletin. These continually updated resources, for use inside Anomali ThreatStream, include threat analysis, signature threat models, and over 2,000 operationalized indicators of compromise (IOCs) for automated distribution to security controls. Both are available now to Anomali’s 1,500 customers. What Can I Do with This Threat Intelligence?...and How to Do It Our intent in aggregating and curating this threat intelligence is to provide organizations with high-fidelity IOCs that can immediately be pushed into their security stacks for rapid, proactive blocking and alerting.
Security products that can take advantage of this actionable threat intelligence include security information and event management (SIEM), endpoint detection and response platforms, firewalls, domain name system (DNS) servers, security orchestration, automation, and response (SOAR) platforms, and other operational security products. These Anomali threat bulletins are designed to be used in conjunction with Anomali ThreatStream, a threat intelligence platform that allows organizations to aggregate, curate, analyze, and distribute multiple sources of threat intelligence to their operational security systems. Inside of the SolarWinds Breach Threat Bulletin, all of these IOCs have been tagged with “solarwinds”, “sunburst backdoor”, “unc2452”, or “avsvmcloud.com.” This enables ThreatStream users to create a simple rule to automatically push IOCs to their security systems, enabling real-time defense against both attacks. For example, if a compromised server inside the organization attempts to connect to a command and control (C2) server outside of the organization, Anomali customers that have activated this research will automatically block the C2 URL, avoiding risk of further compromise and data exfiltration. How Can I Get This Intelligence? The Anomali SolarWinds and FireEye Threat Bulletins are automatically available to Anomali’s ThreatStream customers, and all organizations participating in Anomali-powered threat intelligence sharing communities (ISACs). Anomali Threat Research also created a Malware Threat Mobile Solardwinds Solardwinds
Anomali.webp 2020-12-29 20:12:00 Anomali ThreatStream Sunburst Backdoor Custom Dashboard Provides Machine Readable IOCs Related To SolarWinds Supply Chain Attack (direct link) SolarWinds, a provider of IT management and monitoring software deployed by thousands of global customers, was breached between March and June of 2020 by an Advanced Persistent Threat (APT) that cybersecurity company FireEye is tracking as UNC2452. As part of the supply chain attack, the APT compromised the company’s Orion business software with trojanized malware known as Sunburst, which opens a backdoor into the networks of customers who executed Orion updates. Immediately following news of the attack, Anomali Threat Research launched a custom threat intelligence dashboard called Sunburst Backdoor. Now available to Anomali ThreatStream customers, the dashboard is accessible via the user console. It is preconfigured to provide immediate access and visibility into all known Sunburst Backdoor indicators of compromise (IOCs) that are made available through commercial and open-source threat feeds that users manage on ThreatStream. Customers using ThreatStream, Anomali Match, and Anomali Lens can immediately detect any IOCs present in their environments, quickly consume threat bulletins containing machine readable IOCs to operationalize threat intelligence across their security infrastructures, and communicate to all stakeholders how they have been impacted. As part of ongoing product enhancements that further automate and speed essential tasks performed by threat intelligence and security operations analysts, Anomali recently added thematic dashboards that respond to significant global events. In addition to Sunburst Backdoor, ThreatStream customers currently have access to additional dashboards announced as part of our December quarterly product release.
Customers can integrate Sunburst Backdoor and other dashboards via the “+ Add Dashboard” tab in the ThreatStream console: Add Sunburst dashboard After integration, users will have immediate access to the Sunburst Backdoor dashboard, which continually updates IOCs as they become available: Sunburst dashboard Organizations interested in learning more about Anomali ThreatStream and our custom dashboard capabilities can request a demo here. For organizations interested in gaining wider visibility and detection capabilities for the Sunburst cyberattack, Anomali Threat Research has compiled and curated an initial threat bulletin and downloadable set of OSINT IOCs available here. Malware Threat Mobile Solardwinds Solardwinds
Anomali.webp 2020-12-21 20:00:00 Anomali Threat Research Warns Consumers: Don't Use Bitcoin to Buy “Hatched” German Shepherds This Holiday Season (direct link) Key Findings In early December 2020, Anomali Threat Research identified a website engaging in fraudulent dog sales, specifically for German Shepherds. The analysis revealed 17 additional websites also engaging in pet fraud activities for birds and cats, as well as one phone number match for a Facebook page car fraud scheme, and one number for an essential oils scam. The actor(s) behind this campaign are not sophisticated, and aim to receive non-refundable deposits for fraudulent pet sales and services; payment methods include Bitcoin, PayPal, Zelle, etc. The actor(s) have been active since at least November 2018. Overview Threat actor(s) engaging in fraudulent pet-selling activities appear to have increased their recent efforts as the Holiday Season continues. The actors are scamming victims into believing that birds, cats, and dogs are available for purchase. The COVID-19 pandemic has increased pet purchases as stay-at-home policies and remote work makes people seek companionship from their animal friends, a condition that may amplify the bad actors’ ability to run a more successful scam. Furthermore, these scams focus on purebred dogs, which again are increasingly difficult to find. The fraud scheme works as shown in Figure 1 below. Figure 1 - Fraud Chain Details In early December 2020, Anomali Threat Research discovered a suspicious website (darlinggermanshepherds[.]com) purporting to be selling German Shepherd puppies, shown in Figure 2 below. The website is designed with a modicum of skill where actors took images and text from open sources (Facebook, legitimate websites, Wikipedia) to make their site appear more authentic. Figure 2 - darlinggermanshepherds[.]com Homepage Anomali Threat Research analyzed the website and was able to find 17 additional websites engaging in pet fraud.
The websites all share similar and sometimes identical text in their reviews/testimonials pages. There are also numerous typos in the testimonials with one post discussing how a German Shepherd had “hatched” and was available, which is a clear copy-and-paste error from the actors’ bird fraud websites. The analysis revealed a pet fraud campaign spanning multiple websites and shared hosting providers. Text Analysis Anomali Threat Research found commonalities amongst the text throughout the websites. Obvious words were incorrect, such as testimonials with extra spaces where the actor changed the type of animal or forgot to change to the appropriate pet as advertised on the site. Table 1 below shows a small sample of how the actors are using identical and modified versions of the same testimonials located on multiple websites. Table 1 - Re-use of Testimonials / Reviews darlinggermanshepherds.com saparrotsbreeders.com gorgeousgentlepuppies.com Threat
Anomali.webp 2020-12-17 18:00:00 FireEye, SolarWinds Hacks Show that Detection is Key to Solid Defense (direct link) Several years back, industry analyst firm Gartner began circulating the idea that almost every major enterprise and government agency was either compromised or would be compromised at some point in time. This week, when we woke up to the news that FireEye and SolarWinds had joined the ranks of the hacked, we learned once again that Gartner was right. Even companies with advanced security expertise and expansive resources can’t escape this inevitable fact of digital life. Forensic experts and news outlets are now following the trail of digital clues, trying to make sense of how both companies ended up on the hacked side of the equation. At a high level, we know that FireEye was compromised by a state-sponsored adversary. In the case of SolarWinds, it is looking like an adversary was able to dwell in victims’ networks for as long as nine months and that the prime suspect is the Kremlin. There are undoubtedly many organizations wondering if they are caught up in the attacks, either by design or indirectly. Fortunately, those that have effective threat detection capabilities in place can utilize the information FireEye, SolarWinds, Anomali and other threat research organizations are providing to determine if they’ve been hit. Anomali customers are already ahead of the game. As soon as the world becomes aware of an attack, Anomali Threat Research immediately front-loads Anomali ThreatStream with a threat bulletin that provides a detailed and concise narrative of the situation along with a comprehensive list of the known indicators of compromise (IOCs). Once added, information relevant to the incident (IOCs, reports from the security community, signatures, etc.) are automatically delivered to customers. This gives them the ability to automate threat detection and blocking across their security controls, including EDR, firewalls, and SIEM.
In addition, customers using Anomali Match, our threat detection and response product, are able to use the threat intelligence to do a retrospective search back to when the threat was active, getting real-time results showing whether the threat was seen in their network at that time. To provide threat intelligence and security operations analysts with a look at what an Anomali threat bulletin looks like, we’ve added the first version of the FireEye threat bulletin to this blog. We are happy to discuss more deeply how Anomali customers are using this information and continual updates to detect the presence of related IOCs in their environments. Reach us at general@anomali.com. To listen to a more in-depth conversation on the incident and how threat intelligence aids in detection, listen to this week’s Anomali Detect Podcast. Key Findings Unknown, sophisticated actors stole more than 300 FireEye Red Team tools and countermeasures (signatures) on an unspecified date. An unnamed source for The Washington Post claimed Cozy Bear (APT29), is responsible, but provided no evidence. Actor(s) were also interested in FireEye customers, specifically, government entities. The Red Team countermeasures consisted of custom-versions of known tools, a prioritized Common Vulnerabilities and Exposures (CVE) list, and malware signatures in ClamAV, HXIOC, Snort, and Yara languages. The stolen tools could be customized by actors, just as the FireEye Red Team did to existing tools. Malware Threat Guideline APT 29
Anomali.webp 2020-12-17 15:00:00 Anomali December Release: The Need for Speed (lien direct) We are happy to announce the Anomali Quarterly Release for December 2020. For our product and engineering teams to deliver this latest set of features and enhancements, they worked closely with our customers with a particular eye to further improving the speed of threat intelligence operations. As organizations mature in their threat intelligence programs and seek to leverage ever-larger quantities of threat intelligence inputs and security telemetry data, the need for capabilities that enhance the efficiency of threat intelligence and SOC analysts becomes paramount. So we worked (and will continue to work) to reduce friction in the moment-to-moment workday of our users and add velocity to overall workflows in a way that improves their organizations’ overall security posture. Examples of enhancements in this latest release include: Pre-Built Themed Dashboards The addition of pre-customized, themed dashboards allows analysts to quickly focus on new and relevant intelligence investigations about specific events impacting their organizations. Anomali Threat Research analysts applied their expertise to aid in the design and development of these dashboards for real-world investigation scenarios. Now available via the Anomali ThreatStream threat intelligence platform (TIP), new dashboard themes include COVID-19 indicators of compromise (IOCs), relevant global cyberthreat activities, and a view to vulnerabilities and exploits that adversaries are using to compromise your systems and data. Figure 1 - Example Covid-19 IOCs focused dashboard Figure 2 - Example Global Threat Activity dashboard Flexible MITRE ATT&CK Framework Coverage — With this new capability, threat intelligence analysts can configure their security coverage levels for each technique in the framework. 
This allows them to align their work more precisely with targeted organizational security response strategies, which removes friction and increases the speed of overall workflows. Figure 3 - Analysts can tune security coverage for each Mitre Attack technique     Faster Investigations To continue making threat analysts’ lives easier and more productive, we’ve added a Threat Card feature that allows users to gain deeper insights into threats without having to navigate to additional pages, and have also improved collaboration in active investigations by introducing visibility and access controls. Analysts will be able to mark their Investigations until completed as “Private,” and optionally increase the visibility to their workgroups or their organization. While users are editing their Investigation, it can be locked so that other team members do not duplicate efforts. Threat analysts also now have greater control over the UI via added mouse functionality, the type of utility that helps them move more quickly through an investigation.   Figure 4 - Active investigations benefit from Threat Cards and privacy controls   Faster Finished Intelligence Anomali ThreatStream now offers multiple default templates for the creation of finished intelligence products, giving analysts the ability to apply their organizations’ branding to reports and then distribute them directly from ThreatStream to all relevant stakeholders. This added feature gives analysts a more simplified, intuitive and faster way to format and distribute insights and findings they’ve developed. Tool Threat Guideline
Anomali.webp 2020-12-07 21:32:00 California Launches COVID-19 CA Notify App, Anomali Reminds Consumers to Remain Vigilant When Participating in Digital Contact Tracing (lien direct) When it comes to COVID-19, everyone wants to do their part to help the world win the battle against the virus. At Anomali, we are doing everything in our power to contribute to the cause. Our global workforce is personally committed to stopping the spread of the virus and we’ve shifted to a remote-work model that allows all of our employees to remain safe in their homes, as much as possible. We’ve also committed to standing on the frontlines of the second battle raging, the COVID-19 cyberwar. Within the first few days of the start of the pandemic, Anomali Threat Research identified a dozen nefarious groups that had launched malicious email phishing campaigns that used lures themed around COVID-19. By the end of March, our research crew had detected more than 6,000 indicators of compromise (IOCs) about cyberattacks taking place. In the threat intelligence field, an IOC is evidence that an attack is taking place. Download: Anomali infographic detailing COVID-19 pandemic cyberattacks and threat actors To help speed progress in the fight to stop the spread of the virus, many government organizations have partnered with Apple, Google, and other smartphone providers to enable digital contact tracing and exposure alerting. Anyone who opts-in can utilize their devices’ Bluetooth capability to receive an alert when they come into contact with someone who has either tested positive or been exposed to COVID-19. Designed to be anonymous and fully confidential, most agencies using these technologies promise that no personal information or location data will be captured or stored by them. All data is supposed to be kept on users’ devices. Anyone who receives an alert can then take the proper steps to quarantine and get tested. 
Today, the State of California became the latest to announce a contact tracing and alerting app, CA Notify. Read: Governor Newsom Announces Statewide Expansion of CA Notify, a Smart Phone Tool Designed to Slow the Spread of COVID-19 Anomali applauds government agencies and consumers who turn to every means available to help end the pandemic. We are optimistic that mobile contact tracing apps may help. We acknowledge that the struggle against COVID-19 is an urgent one. We also want to make sure the world understands that when it comes to online activities, security demands vigilance, and consideration. In June, we detected the existence of fake contact tracing apps designed to infect smartphones that used the Android operating system. Although the attack did not happen in the United States, it is worth knowing that anyone who downloaded one of these apps made themselves vulnerable to having banking credentials or other personal information stolen and subjected their device to remote surveillance. Read: Anomali Threat Research Detects Fake COVID-19 Contact Tracing Apps Spreading Malware If you decide to participate in digital contact tracing and alerting, remember that cybercriminals are lurking. Make sure that any apps you download are genuine, and only engage with apps that are present on official platforms such as the Apple App Store and Google Play Store. Don’t, under any circumstances, click on links in emails or text messages urging you to download apps from random sources. With the news that vaccines are on the way, the world is headed into 2021 hopeful that COVID-19 can be brought under control and eventually eradicated. We encourage everyone to do their part to bring this devastating period to an end while remaining vigilant in the face of cybe Tool Threat
Anomali.webp 2020-11-18 19:58:00 Detect LIVE Virtual Event Series Kicks Off Tomorrow, Showcasing the Latest in Threat Intelligence, Detection, and Response (lien direct) The world may be on pause due to the COVID-19 pandemic, but threat actors haven’t slowed down. Don’t worry, neither has Anomali … Four years ago, we recognized that public and private sector organizations had developed a healthy appetite for solutions and strategies that could help them to improve their threat detection and response capabilities. Most had become aware of how threat intelligence could help, but many were still searching for ways to maximize its potential. To provide enterprises and government agencies with a place to come together and share insights and expertise on the subject, we started Detect. Through the years, the event grew to become an important destination for security professionals and analysts from all over the world. It eventually emerged as a place where they gathered to share insights and expertise on how to use threat intelligence solutions to defend against the most serious threats they faced. The tradition continues … Now known as Detect LIVE, the virtual format will provide the same level of direct knowledge to everyone who has a stake in defending their organizations’ data, systems, and people. Detect LIVE kicks off on Thursday, November 19. The first event will feature an executive interview with Valentina Soria, Head of Global Intelligence, Morgan Stanley. “Understanding Business Risk with Threat Intelligence” will explore risks enterprises face today, challenges in understanding them, and provide insights on how to capture and present cyber and other operational risks in a way that can be understood across business environments. Security is by no means an island, and neither is Detect LIVE. As anyone in the industry can tell you, effective programs rely on a mix of solutions, partners, talent, and expertise. 
This is why we recognize that our customers and supporters are key to the continued success of our annual event. We look forward to hosting you and to helping you to advance your knowledge on how to leverage threat intelligence solutions to build strong, effective, and efficient cybersecurity programs within your organization. Although we are hosting the first presentation tomorrow, there is still plenty of time to register and to get on our event mailing list. To attend the virtual series at no cost, register at Detect LIVE. Threat
Anomali.webp 2020-11-12 15:00:00 Fortify Your Cyber Defense with the MITRE ATT&CK Framework (lien direct) Overview In a recent Anomali webinar, experts AJ Nash, Senior Director of Cyber Intelligence Strategy at Anomali, and Roberto Sanchez, Senior Director, Threat and Sharing Analysis at Anomali, presented the importance of the MITRE ATT&CK framework and showed how to use it to better understand threat actors, campaigns, and associated tactics, techniques, and procedures (TTPs). Major Analytical Frameworks The Cyber Kill Chain, developed by Lockheed Martin in 2011, is one of the best known of the cyber threat intelligence frameworks. Based on the military concept of the kill chain, it breaks down an attack into seven stages, so defenders can pinpoint which stage an attack is in and deploy appropriate countermeasures.  In 2013, looking for a way to better understand adversary concerns, The Center for Cyber Intelligence Analysis and Threat Research (CCIATR) developed The Diamond Model. This model helps defenders track four aspects of an attack: the attacker, the victims, the attacker’s capabilities, and the infrastructure the attacker uses. Each of the points on the diamond is a pivot point that defenders can use during an investigation to connect one aspect of an attack with the others. Also in 2013, MITRE - a unique United States corporation responsible for managing federal funding for research projects across multiple federal agencies - released the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework as a means of tracking adversarial behavior over time. ATT&CK builds on the Cyber Kill Chain, but rather than describe a single attack, it focuses on the indicators and tactics associated with specific adversaries. MITRE ATT&CK MITRE ATT&CK can provide a better understanding of adversaries by quantifying and categorizing them. 
Universal nomenclature and taxonomy of specific tactics, techniques, and procedures enable a shared understanding of threat actors. Recognizing these advantages, Anomali has integrated this framework into their platform. There are four main issues that MITRE ATT&CK is designed to address: Adversary Behaviors – Tactics, techniques, and procedures (TTPs) are tracked, which are more durable than indicators of compromise (IOCs). Improved Lifecycle Model - MITRE ATT&CK has the ability to map specific behaviors back to an organization’s defenses to understand how it relates to that specific environment. Real-World Applicability - TTPs are based on observed incidents.  Common Taxonomy – TTPs need to be comparable across adversary groups using the same terminology. It enables the comparison of adversaries from different nation-states, etc. MITRE ATT&CK’s approach uses behavioral methodology guided by five principles: Include Post-compromise Detection – This is necessary for when threats bypass established defenses or use new means to enter a network. Focus on Behavior - Signatures become unreliable, as they change frequently. Behaviors tend to remain more stable, enabling better profiling of adversaries. Use of Threat-based Model - An accurate and well-scoped threat model that captures adversaries’ tools and how they overlap with each other enables preventative actions. Iterate by Design - Constant Malware Tool Threat
Anomali.webp 2020-10-15 14:00:00 COVID-19 Attacks – Defending Your Organization (lien direct) Overview The Coronavirus 2019 (COVID-19) global pandemic has caused widespread fear of the unknown and deadly aspects of this novel virus, generated growth in certain industries to combat it, and created a shift toward remote work environments to slow the spread of the disease.  Defending Your Organization Against COVID-19 Cyber Attacks. In this webinar, AJ, and I describe COVID-19 attacks in January through March, the groups behind them, and key MITRE ATT&CK techniques being employed. We then discuss ways an organization can keep themselves safe from these types of attacks. Pandemic Background COVID-19 is a pandemic viral respiratory disease, originally identified in Wuhan, China in December 2019. At the time of the webinar, it had infected around 1.5 million people worldwide. Within the first month, cyber actors capitalized on the opportunity.  COVID Attack Timeline December 2019 - January 2020 At the end of December 2019, China alerted the World Health Organization (WHO) that there was an outbreak in Wuhan, China. Within a month, the first cyber events were being recorded. Around January 31, 2020, malicious emails (T1566.001) using the Emotet malware (S0367) and a phishing campaign (T1566.001) using LokiBot (S0447) were tied to TA542 alias Mummy Spider. Emotet, in particular, was prolific. It originally started as a banking Trojan, then evolved into a delivery mechanism for an initial payload that infected systems to download additional malware families such as TrickBot (S0266). Around this same time, there was a marked increase in the registration of domain names with COVID-19 naming conventions, a key indicator of an uptick in phishing campaigns. February 2020 In early February, the progression of adversaries using uncertainty about and thirst for information regarding the COVID-19 pandemic became apparent. 
New malware variants and malware families were reported employing coronavirus related content, including NanoCore RAT (S0336) and Parallax RAT, a newer remote-access Trojan, to infect unsuspecting users. Throughout February, cybercrime actors launched several phishing campaigns (T1566.001) to deliver information stealer AZORult (S0344). With worldwide government health agencies giving advice on cyber and physical health, threat actors aligned with nation-states such as Russia (Hades APT), China (Mustang Panda), and North Korea (Kimsuky - G0094) used this messaging to lure individuals to download and/or execute malicious files disguised as legitimate documents. These state-sponsored groups used convincing lures to impersonate organizations such as the United Nations (UN), the World Health Organization (WHO), and various public health government agencies to achieve short- and long-term national objectives. March 2020 In March, we observed a flurry of nation-state and cybercrime attributed malicious activity seeking to exploit the COVID-19 pandemic. Cybercrime actors distributed a range of malware families, including NanoCore (S0336), Ransomware Spam Malware Threat APT 36 ★★★
Anomali.webp 2020-10-06 14:00:00 Weekly Threat Briefing: Ransomware, IPStorm, APT Group, and More (lien direct) The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, BlackTech, BLINDINGCAN, Linux Malware, Palmerworm, Vulnerabilities, and XDSpy. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Grindr Fixed a Bug Allowing Full Takeover of Any User Account (published: October 3, 2020) Grindr, an LGBT networking platform, has fixed a vulnerability that could allow any account to be hijacked. The vulnerability was identified by security researcher Wassime Bouimadaghene, who found that the reset token was leaked in the page’s response content. This would enable anyone who knows a user’s email address to generate the reset link that is sent via email. Gaining account access would enable an attacker to obtain sensitive information such as pictures stored on the app (including NSFW), HIV status, location, and messages. Grindr has announced a bug bounty program. Recommendation: If your account has been breached, you can reset the password using the reset link sent to the associated email address. Tags: Browser, Exposed tokens, Grindr, Sensitive Info XDSpy: Stealing Government Secrets Since 2011 (published: October 2, 2020) Security researchers from ESET have identified a new Advanced Persistent Threat (APT) group that has been targeting Eastern European governments and businesses for up to nine years. The group has been dubbed “XDSpy”; ESET was unable to identify any code similarity or shared infrastructure with other known groups and believes the group operates in a UTC+2 or UTC+3 time zone, Monday to Friday. 
XDSpy mainly uses spearphishing emails, with some variance: some contain attachments or links to malicious files, usually a ZIP or RAR archive. Once the malicious file has infected a victim, it installs “XDDown,” a downloader that then installs additional plugins that exfiltrate files, passwords, and nearby SSIDs. XDSpy has also been observed using “CVE-2020-0968” (Internet Explorer legacy JavaScript vulnerability), bearing some resemblance to DarkHotel campaigns and Operation Domino. ESET does not believe these campaigns are related, but they may be using the same exploit broker. Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts. MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] File and Directory Discovery Ransomware Malware Vulnerability Threat Medical APT 38 ★★★★★
Anomali.webp 2020-10-01 22:15:00 Cybersecurity Awareness Month Starts Today, #BECYBERSMART (lien direct) Welcome to National Cybersecurity Awareness Month (NCSAM)! The meaning of the month has been obscured from its original purpose, somewhat, due to it having been hijacked by marketing and PR teams. It is worth pointing out that it remains a worthy cause. NCSAM is a collaboration between the United States Cybersecurity and Infrastructure Agency (CISA) and National Cyber Security Alliance (NCSA). It is designed to influence government, business, and consumers to consider the cybersecurity implications that are inherent in their connected activities and lives. This year’s theme is “Do Your Part. #BECYBERSMART.” “This theme encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity,” according to CISA and the NCSA. At Anomali, the purpose of NCSAM is, of course, our daily focus. We constantly deliver on customer-centric product improvements. We provide the security community with gratis threat research and analysis used broadly to reduce risk. We strive to ensure that public and private sector organizations can leverage intelligence that helps them to know and detect their adversaries. Over the past several months, we have accomplished many achievements we believe are worth noting in light of the month. By naming these, are we guilty of doing a bit of hijacking ourselves? Yes. However, some of what’s listed are also critical security resources available to any organization that is interested in reducing its risk to cyberattacks and learning more about how it can operationalize intelligence. Here’s a look at our record since March: October 1 – The State of Oklahoma’s Office of Management and Enterprise Services (OMES) activated its new Information Sharing and Analysis Center (ISAC). 
Powered by Anomali ThreatStream Community Edition, it’s providing the state’s government and corporate-partner entities with immediate access to intelligence about the most serious threats targeting their operations. All agencies are under constant assault from massive waves of cyberattacks that impact citizens, police departments, municipalities, election precincts, and remote workers. With the ability to share information about adversaries, essential state services can reduce their risk of falling victim to disruptive and costly attackers. September 24 – With threat intelligence now recognized as critical to security and risk, global analyst firm Frost & Sullivan produced the Frost Radar: Global Threat Intelligence Platform Market, 2020, a report highlighting eight key players in the market as well as its overall size. Anomali was recognized as the leader, with 40 percent market share and as such, named the Frost Radar: 2020 Innovation Excellence Award winner in the space. September 21 – Anomali was recognized as part of the Gartner Market Guide for Security Orchestration, Automation and Response Solutions (SOAR). SOAR is described as a market made up of solutions that combine incident response, orchestration, and automation, and threat intelligence (TI) management capabilities in a single platform. Anomali ThreatStream, our leading Threat Intelligence Platform (TIP) solution, was recognized for its recently added SOAR capabilities. August 25 – With an ear wide open to customers, our product team delivered on the next phase of what’s needed in the market. With our Malware Threat Guideline ★★★★★
Anomali.webp 2020-09-29 14:00:00 Weekly Threat Briefing: Federal Agency Breach, Exploits, Malware, and Spyware (lien direct) The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Cyber Espionage, FinSpy, Magento, Taurus Project and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence German-made FinSpy Spyware Found in Egypt, and Mac and Linux Versions Revealed (published: September 25, 2020) Security Researchers from Amnesty International have identified new variants of FinSpy, spyware that can access private data and record audio/video. While used as a law enforcement tool, authoritarian governments have been using FinSpy to spy on activists and dissidents. Spreading through fake Flash Player updates, the malware is installed as root with use of exploits, and persistence is gained by creating a logind.pslist file. Once a system is infected with the malware, it has the ability to run shell scripts, record audio, keylogging, view network information, and list files. Samples have been found of FinSpy for macOS, Windows, Android, and Linux. Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from threat actors, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts. 
MITRE ATT&CK: [MITRE ATT&CK] Logon Scripts - T1037 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 Tags: Amnesty, Android, Backdoor, Linux, macOS, FinSpy, Spyware Magento Credit Card Stealing Malware: gstaticapi (published: September 25, 2020) Security researchers at Sucuri have identified a malicious script, dubbed “gstaticapi,” that is designed to steal payment information from Magento-based websites. The script first attempts to find the “checkout” string in a web browser URL and, if found, will add an element to the web page’s header. This allows the JavaScript to handle external code-loading capabilities that are used to process the theft of billing and payment card information. Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Data Encoding - T1132 T Data Breach Malware Vulnerability Threat APT 19 ★★★★★
Anomali.webp 2020-09-22 15:00:00 Weekly Threat Briefing: Android Malware, APT Groups, Election Apps, Ransomware and More (lien direct) The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Cerberus Source Code Leak, Chinese APT, Mrbminer Malware, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence US 2020 Presidential Apps Riddled with Tracking and Security Flaws (published: September 17, 2020) The Vote Joe 2020 application has been found to be potentially leaking personal data about voters. The app is used by the Joe Biden campaign to engage with voters and get supporters to send out promotional text messages. The app receives predictions from TargetSmart, an intelligence service, via an API endpoint that has been found to return additional data. Voter preference and voter prediction could be seen; while voter preference is publicly accessible, the information for TargetSmart was not meant to be publicly available. The app could also be downloaded by users outside of the United States, giving non-US citizens access to the data, as there was no email verification. Vote Joe isn’t the only campaign app with security issues, as the Donald Trump application exposed hardcoded secret keys in the APK. Recommendation: The exposure of Personally Identifiable Information (PII) requires affected individuals to take precautionary measures to protect their identity and their finances. Identity theft services can assist in preventing actors using stolen data from making illicit purchases or applying for financial services. 
Tags: APK, Android, Campaign, Election, Joe Biden, PII German Hospital Attacked, Patient Taken to Another City Dies (published: September 17, 2020) A failure in IT systems at Duesseldorf University Hospital in Germany has led to the death of a woman. In an apparent ransomware attack, the hospital’s systems crashed with staff unable to access data. While there was no apparent ransom note, 30 servers at the hospital had been encrypted last week, with a ransom note left on one server addressed to Heinrich Heine University. Duesseldorf police contacted the perpetrators to inform them they had attacked the hospital instead of the university, and the perpetrators provided decryption keys; however, patients had to be rerouted to other hospitals and therefore waited a long time before being treated by doctors. Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Germany, Healthcare, Hospital, Ransomware Ransomware Malware Vulnerability Threat Patching Guideline APT 41 ★★★★★
Anomali.webp 2020-09-15 15:00:00 Weekly Threat Briefing: APT Group, Malware, Ransomware, and Vulnerabilities (lien direct) The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Conti Ransomware, Cryptominers, Emotet, Linux, US Election, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence China’s ‘Hybrid War’: Beijing’s Mass Surveillance of Australia and the World for Secrets and Scandal (published: September 14, 2020) A database containing 2.4 million people has been leaked from a Shenzhen company, Zhenhua Data, believed to have ties to the Chinese intelligence service. The database contains personal information on over 35,000 Australians and prominent figures, and 52,000 Americans. This includes addresses, bank information, birth dates, criminal records, job applications, psychological profiles, and social media. Politicians, lawyers, journalists, military officers, media figures, and Natalie Imbruglia are among the records of Australians contained in the database. While a lot of the information is public, there is also non-public information contributing to claims that China is developing a mass surveillance system. Recommendation: Users should always remain vigilant about the information they are putting out into the public, and avoid posting personal or sensitive information online. Tags: China, spying US Criminal Court Hit by Conti Ransomware; Critical Data at Risk (published: September 11, 2020) The Fourth District Court of Louisiana, part of the US criminal court system, appears to have become the latest victim of the Conti ransomware. 
The court's website was attacked and used to steal numerous court documents related to defendants, jurors, and witnesses, and then install the Conti ransomware. Evidence of the data theft was posted to the dark web. Analysis of the malware by Emsisoft’s threat analyst, Brett Callow, indicates that the ransomware deployed in the attack was Conti, which has code similarity to another ransomware strain, Ryuk. The Conti group, believed to be behind this ransomware as a service, is sophisticated and, because they receive a large portion of the ransoms paid, they are motivated to avoid detection and continue to develop advanced attack tools. This attack also used the Trickbot malware in its exploit chain, similar to that used by Ryuk campaigns. Recommendation: Defense in Depth, including vulnerability remediation and scanning, monitoring, endpoint protection, backups, etc. is key to thwarting increasingly sophisticated attacks. Ransomware attacks are particularly attractive to attackers because each successful ransomware attack allows for multiple streams of income. The attackers can not only extort a ransom to decrypt the victim's files (especially in cases where the victim finds they do not have appropriate disaster recovery plans), but they can also monetize the exfiltrated data directly and/or use the data to aid in future attacks. This technique is increasingly used in supply chain compromises to build difficult-to-detect spearphishing attacks. Tags: conti, ryuk, ransomware Ransomware Malware Tool Vulnerability Threat Conference APT 35 APT 28 APT 31 ★★★
Anomali.webp 2020-09-09 16:24:00 Weekly Threat Briefing: Skimmer, Ransomware, APT Group, and More (direct link) The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Baka, DDoS, Netwalker, PyVil, Windows Defender, TA413, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence ‘Baka’ Javascript Skimmer Identified (published: September 6, 2020) Visa have issued a security alert based on identification of a new skimmer, named “Baka”. Based on analysis by Visa Payment Fraud Disruption, the skimmer appears to be more advanced, loading dynamically and using an XOR cipher for obfuscation. The attackers behind Baka are injecting it into checkout pages using a script tag, with the skimming code downloading from the Command and Control (C2) server and executing in memory to steal customer data. Recommendation: eCommerce site owners must take every step necessary to secure their data and safeguard their payment card information. Visa has also released best practices in the security advisory. Tags: Baka, Javascript, Skimmer Netwalker Ransomware Hits Argentinian Government, Demands $4 Million (published: September 6, 2020) The Argentinian immigration agency, Dirección Nacional de Migraciones, suffered a ransomware attack that shut down border crossings. After receiving many tech support calls, the computer networks were shut down to prevent further spread of the ransomware, which led to a cessation in border crossings until systems were up again. 
The ransomware used in this attack is Netwalker ransomware, which left a ransom note initially demanding $2 million; however, when this wasn’t paid in the first week, the ransom increased to $4 million. Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions (HIDS). Always keep your important files backed up following the 3-2-1 rule: have at least 3 different copies, on 2 different mediums, with 1 off-site. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Argentina, Government, Netwalker, Ransomware No Rest for the Wicked: Evilnum Unleashes PyVil RAT (published: September 3, 2020) Researchers on the Cybereason Nocturnus team have published their research tracking the threat actor group known as Evilnum, and an ongoing change in their tooling and attack procedures. This includes a new Remote Access Trojan (RAT), written in Python, that they have begun to use. The actor group attacks targets in the financial services sector using highly targeted spearphishing. The phishing lures leverage "Know Your Customer" (KY Ransomware Malware Tool Vulnerability Threat Medical APT 38 APT 28 ★★★★
Last update at: 2024-05-19 22:08:15