What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-10-05 18:28:00 | Anomali Cyber Watch: New APT ChamelGang, FoggyWeb, VMWare Vulnerability Exploited and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, FoggyWeb, Google Chrome Bugs, Hydra Malware, NOBELIUM and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Google Just Patched These Two Chrome Zero-day Bugs That Are Under Attack Right Now
(published: October 1, 2021)
Google has warned users of Google Chrome to update to version 94.0.4606.71, due to two new zero-days that are currently being exploited in the wild. This marks the second update in a month due to actively exploited zero-day flaws. The first of these common vulnerabilities and exposures (CVEs), CVE-2021-37975, is a high severity flaw in the V8 JavaScript engine, which has been notoriously difficult to protect and could allow attackers to create malware that is resistant to hardware mitigations.
Analyst Comment: Users and organizations are recommended to regularly check for and apply updates to the software applications they use, especially web browsers that are increasingly used for a variety of tasks. Organizations can leverage the capabilities of Anomali Threatstream to rapidly get information about new CVEs that need to be mitigated through their vulnerability management program.
Tags: CVE-2021-37975, CVE-2021-37976, chrome, zero-day
Hydra Malware Targets Customers of Germany's Second Largest Bank
(published: October 1, 2021)
A new campaign leveraging the Hydra banking trojan has been discovered by researchers. The malware containing an Android application impersonates the legitimate application for Germany's largest bank, Commerzbank. While Hydra has been seen for a number of years, this new campaign incorporates many new features, including abuse of the android accessibility features and permissions which give the application the ability to stay running and hidden with basically full administrator privileges over a victim's phone. It appears to be initially spread via a website that imitates the official Commerzbank website. Once installed it can spread via bulk SMS messages to a user's contacts.
Analyst Comment: Applications, particularly banking applications, should only be installed from trusted and verified sources and reviewed for suspicious permissions they request. Similarly, emails and websites should be verified before using.
Tags: Banking and Finance, EU, Hydra, trojan
New APT ChamelGang Targets Russian Energy, Aviation Orgs
(published: October 1, 2021)
A new Advanced Persistent Threat (APT) group dubbed “ChamelGang” has been identified to be targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server’s ProxyShell and leveraging both new and existing malware to compromise networks. Researchers at Positive Technologies have been tracking the group since March 2017, and have observed that they have attacked targets in 10 countries so far. The group has been able to hi |
Ransomware Malware Tool Vulnerability Threat Guideline | Solardwinds Solardwinds APT 27 | |
|
2021-06-02 15:00:00 | Anomali Cyber Watch: Attacks Against Israeli Targets, MacOS Zero-Days, Conti Ransomware Targeting US Healthcare and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Agrius, Conti, North Korea, JSWorm, Nobelium, Phishing, Strrat and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New Sophisticated Email-based Attack From NOBELIUM
(published: May 28, 2021)
NOBELIUM, the threat actor behind SolarWinds attacks, has been conducting a widespread email campaign against more than 150 organizations. Using attached HTML files containing JavaScript, the email will write an ISO file to disk; this contains a Cobalt Strike beacon that will activate on completion. Once detonated, the attackers have persistent access to a victims’ system for additional objectives such as data harvesting/exfiltration, monitoring, and lateral movement.
Analyst Comment: Be sure to update and monitor email filter rules constantly. As noted in the report, many organizations managed to block these malicious emails; however, some payloads successfully bypassed cloud security due to incorrect/poorly implemented filter rules.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Spearphishing Attachment - T1193
Tags: Nobelium, SolarWinds, TearDrop, CVE-2021-1879, Government, Military
Evolution of JSWorm Ransomware
(published: May 25, 2021)
JSWorm ransomware was discovered in 2019, and since then different variants have gained notoriety under different names such as Nemty, Nefilim, and Offwhite, among others. It has been used to target multiple industries with the largest concentration in engineering, and others including finance, healthcare, and energy. While the underlying code has been rewritten from C++ to Golang (and back again), along with revolving distribution methods, JSWorm remains a consistent threat.
Analyst Comment: Ransomware threats often affect organisations in two ways. First encrypting operational critical documents and data. In these cases EDR solutions will help to block potential Ransomwares and data backup solutions will help for restoring files in case an attack is successful. Secondly, sensitive customer and business files are exfiltrated and leaked online by ransomware gangs. DLP solutions will help to identify and block potential data exfiltration attempts. Whereas network segregation and encryption of critical data will play an important role in reducing the risk.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Private Keys - T1145 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] BITS Jobs - T1197 |
Ransomware Malware Threat Medical | Solardwinds APT 38 APT 28 | |
|
2021-05-26 17:20:00 | Threat Intelligence Platforms Help Organizations Overcome Key Security Hurdles (lien direct) | Dealing with Big Data, Providing Context, Integration, and Fast Understanding of New Threats are Among the Benefits Threat Intelligence Platforms or TIPs Provide When industry analysts survey most security professionals these days, the common consensus is that it’s now harder to manage security operations than ever before. For example, a recent Enterprise Strategy Group (ESG) research study showed that some 63 percent of security pros say that the job is tougher today than it was just two years ago. While there's no doubt that the variety and volume of threats keep on growing by the year, the question is whether or not it’s the complexity of the security problems that have risen precipitously, or whether something else is going on. I'd argue that it's mostly the latter, in that it’s not so much that the complexity has grown tremendously over this time so much as the “awareness” of already latent complexity has become more apparent. As the breadth of technologies and data available to modern cybersecurity organizations continues to proliferate, security strategists are finally getting enough visibility into their environments to start discovering gaps that have existed all along. But knowing where the deficiencies exist doesn’t always equate to being able to address them. These same security folks are also struggling to wrap their arms around what is possible to achieve by using the array of tools in their arsenals and the vast quantities of information available. Years ago in the security world, the common mantra was that security organizations “don't know what they don't know” and this was due to deficiencies in monitoring and threat intelligence capabilities. Nowadays the opposite is true. They're flooded with data and they're starting to get a better sense of what they don't fully know or understand about adversarial activities in their environments. But this dawning self-awareness can be quite nerve-wracking as they ask themselves, “Now that I know, what should I do?” It can be daunting to make that jump from understanding to taking action—this is the process that many organizations struggle with when we talk about “operationalizing” threat intelligence. For security operations, it’s not enough to just know about an adversary via various threat feeds and other sources. To take action, threat intelligence needs to be deployed in real-time so that security tools and personnel can actually leverage it to run investigations, detect the presence of threats in their networks, respond faster, and continuously improve their security architectures. But there are many significant hurdles in running security operations that stand in the way of achieving those goals. This is where a robust threat intelligence platform (TIP) can add significant value to the security ecosystem. TIPs help security operations teams tackle some of the greatest hurdles. Big Data Conundrum with Threat Intelligence Platforms The first challenge is that the sheer volume of threat intelligence made available to security teams has become a big data problem, one that can't be solved by just filtering out the feeds that are in use, which would defeat the purpose of acquiring varied and relevant feeds in the first place. Organizations don't want to ingest millions or billions of evolving threat indicators into their security information and event manager (SIEM), which would be cost-prohibitive but also lead to the creation of unmanageable levels of false positives. This is where Anomali comes in, with a TIP doing the work on the front end, interesting and pre-curated threat “matches” can be integrated directly into your SIEM. These matches prese | Tool Threat Guideline | Solardwinds Solardwinds | |
|
2021-03-02 14:59:00 | Anomali February Product Release: Moving Beyond Tactical Intelligence (lien direct) | We are happy to announce the Anomali Product Release for February 2021. For our product and engineering teams to deliver this latest set of features and enhancements, they worked closely with our customers with a particular eye to supporting security teams in their further move beyond a reliance on tactical, technical intelligence to a holistic, threat-model-driven approach by allowing them to work with threat models like the MITRE ATT&CK framework inside Anomali ThreatStream easily and productively. A further highlight directed at augmenting collaboration across teams and with external peers, leveraging our popular Trusted Circles capabilities, is the advent of full-featured chat within the Anomali ThreatStream threat intelligence platform, while maintaining privacy controls.
Enhancements in this latest release include:
MITRE ATT&CK Framework Integration
As a follow-up to the recent release of support for MITRE ATT&CK framework techniques, we’ve added the ability to import content from the MITRE ATT&CK Navigator tool and store your framework capabilities inside ThreatStream. Users can use the MITRE capability in ThreatStream's Investigations feature to help prioritize investigative activity and decision-making, making security teams more efficient and responsive.
Advanced Search Functionality for Threat Models
This month we’ve extended advanced search to Threat Model content in ThreatStream - providing the same flexibility and features for finding and refining content in our platform as for observable content. Users can now create advanced search queries with conditions and operators, and some additional capabilities specific to our Threat Model content, to find relevant intelligence quickly, as well as save their complex searches for future use at a click.
Collaboration via Full-Featured ThreatStream Chat
Customers now have the benefit of real-time, protected communication within ThreatStream for their internal teams and with Trusted Circle collaborators via the use of a full-featured chat client. With this built-in chat functionality, analysts can communicate and share tactical information as well as more strategic aspects of analysis and response quickly and easily with colleagues and peers at organizations that are members of common Trusted Circles--from inside the ThreatStream platform, where it can be easily shared and investigated. Most importantly, the collaboration remains anonymized and privacy is ensured.
Clone Custom Themed Dashboards
Extending the custom themed dashboards developed by the Anomali Threat Research (ATR) team and released in December, we are now offering the ability to not only access a custom themed dashboard (for COVID, Sunburst or other specific themes), but also to clone (or create a copy) of that dashboard, which you can now further customize or tailor to your specific needs and preferences. Once a dashboard is cloned a user can change, for a given widget, the saved query upon which the widget is based, as well as add their own custom widgets.
Intelligence Enrichment Inside of Investigations
We continue to refine the display of critical information to the user at the appropriate point of their research in order to ensure analysts have the right intelligence |
Tool Threat | Solardwinds Solardwinds | |
|
2020-12-29 21:22:00 | Actionable Threat Intelligence Available for Sunburst Cyber Attacks on SolarWinds (lien direct) | On Dec. 13, FireEye published a detailed analysis about the attack carried out against SolarWinds, which appears to have compromised its Orion IT monitoring and management platform to spread the Sunburst Backdoor malware. As part of the attack, which started in March, the Orion platform started sending out the digitally-signed trojanized malware via regular updates. According to SolarWinds, the compromised update may have been installed by fewer than 18,000 of its customers, including many U.S. federal agencies and Fortune 500 firms that use Orion to monitor the health of their IT networks. In a related blog post, FireEye also announced that a highly sophisticated state-sponsored adversary penetrated its network and stole FireEye Red Team tools used to test customers’ security. In response to the attacks, Anomali has collected, curated, and distributed clear and concise open-source intelligence (OSINT) to help organizations determine if they have been impacted. Two key resources released include a SolarWinds Breach Threat Bulletin and a FireEye Red Team Tools Breach Threat Bulletin. These continually updated resources, for use inside Anomali ThreatStream, include threat analysis, signature threat models, and over 2,000 operationalized indicators of compromise (IOCs) for automated distribution to security controls. Both are available now to Anomali’s 1,500 customers. What Can I Do with This Threat Intelligence?...and How to Do It Our intent in aggregating and curating this threat intelligence is to provide organizations with high-fidelity IOCs that can immediately be pushed into their security stacks for rapid, proactive blocking and alerting. Security products that can take advantage of this actionable threat intelligence include security information and event management (SIEM), endpoint detection and response platforms, firewalls, domain name system (DNS) servers, security orchestration, automation, and response (SOAR) platforms, and other operational security products. These Anomali threat bulletins are designed to be used in conjunction with Anomali ThreatStream, a threat intelligence platform that allows organizations to aggregate, curate, analyze, and distribute multiple sources of threat intelligence to their operational security systems. Inside of the SolarWinds Breach Threat Bulletin, all of these IOCs have been tagged with “solarwinds”, “sunburst backdoor”, “unc2452”, or “avsvmcloud.com.” This enables ThreatStream users to create a simple rule to automatically push IOCs to their security systems, enabling real-time defense against both attacks. For example, if a compromised server inside the organization attempts to connect to a command and control (C2) server outside of the organization, Anomali customers that have activated this research will automatically block the C2 URL, avoiding risk of further compromise and data exfiltration. How Can I Get This Intelligence? The Anomali SolarWinds and FireEye Threat Bulletins are automatically available to Anomali’s ThreatStream customers, and all organizations participating in Anomali-powered threat intelligence sharing communities (ISACs). Anomali Threat Research also created a | Malware Threat Mobile | Solardwinds Solardwinds | |
|
2020-12-29 20:12:00 | Anomali ThreatStream Sunburst Backdoor Custom Dashboard Provides Machine Readable IOCs Related To SolarWinds Supply Chain Attack (lien direct) | SolarWinds, a provider of IT management and monitoring software deployed by thousands of global customers, was breached between March and June of 2020 by an Advanced Persistent Threat (APT) that cybersecurity company FireEye is tracking as UNC2452. As part of the supply chain attack, the APT compromised the company’s Orion business software with trojanized malware known as Sunburst, which opens a backdoor into the networks of customers who executed Orion updates.
Immediately following news of the attack, Anomali Threat Research launched a custom threat intelligence dashboard called Sunburst Backdoor. Now available to Anomali ThreatStream customers, the dashboard is accessible via the user console. It is preconfigured to provide immediate access and visibility into all known Sunburst Backdoor indicators of compromise (IOCs) that are made available through commercial and open-source threat feeds that users manage on ThreatStream.
Customers using ThreatStream, Anomali Match, and Anomali Lens can immediately detect any IOCs present in their environments, quickly consume threat bulletins containing machine readable IOCs to operationalize threat intelligence across their security infrastructures, and communicate to all stakeholders how they have been impacted.
As part of ongoing product enhancements that further automate and speed essential tasks performed by threat intelligence and security operations analysts, Anomali recently added thematic dashboards that respond to significant global events. In addition to Sunburst Backdoor, ThreatStream customers currently have access to additional dashboards announced as part of our December quarterly product release.
Customers can integrate Sunburst Backdoor and other dashboards via the “+ Add Dashboard” tab in the ThreatStream console:
After integration, users will have immediate access to the Sunburst Backdoor dashboard, which continually updates IOCs as they become available:
Organizations interested in learning more about Anomali ThreatStream and our custom dashboard capabilities can request a demo here.
For organizations interested in gaining wider visibility and detection capabilities for the Sunburst cyberattack, Anomali Threat Research has compiled and curated an initial threat bulletin and downloadable set of OSINT IOCs available here. |
Malware Threat Mobile | Solardwinds Solardwinds |
1
We have: 6 articles.
We have: 6 articles.
To see everything:
Our RSS (filtrered)
