What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-06-28 19:11:00 | Anomali Cyber Watch: API Hammering Confuses Sandboxes, Pirate Panda Wrote in Nim, Magecart Obfuscates Variable Names, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: API hammering, APT, China, Phishing, Ransomware, Russia, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Lockbit Ransomware Disguised as Copyright Claim E-mail Being Distributed
(published: June 24, 2022)
ASEC researchers have released their analysis of a recent phishing campaign, active since February 2022. The campaign aims to infect users with Lockbit ransomware, using the pretense of a copyright claim as the phishing lure. The phishing email directs the recipient to open the attached zip file which contains a pdf of the infringed material. In reality, the pdf is a disguised NSIS executable which downloads and installs Lockbit. The ransomware is installed onto the desktop for persistence through desktop change or reboot. Prior to data encryption, Lockbit will delete the volume shadow copy to prevent data recovery, in addition to terminating a variety of services and processes to avoid detection.
Analyst Comment: Never click on suspicious attachments or run any executables from suspicious emails. Copyright infringement emails are a common phishing lure. Such emails will be straight forward to rectify if legitimate. If a copyright email is attempting to coerce you into opening attachments, such emails should be treated with extreme caution.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562
Tags: malware:Phishing, malware:Lockbit, Lockbit, Copyright, Ransomware
There is More Than One Way To Sleep: Deep Dive into the Implementations of API Hammering by Various Malware Families
(published: June 24, 2022)
Researchers at Palo Alto Networks have released their analysis of new BazarLoader and Zloader samples that utilize API Hammering as a technique to evade sandbox detection. API Hammering makes use of a large volume of Windows API calls to delay the execution of malicious activity to trick sandboxes into thinking the malware is benign. Whilst BazarLoader has utilized the technique in the past, this new variant creates large loops of benign API using a new process. Encoded registry keys within the malware are used for the calls and the large loop count is created from the offset of the first null byte of the first file in System32 directory. Zloader uses a different form of API Hammering to evade sandbox detection. Hardcoded within Zloader are four large functions with many smaller functions within. Each function makes an input/output (I/O) call to mimic the behavior of many legitimate processes.
Analyst Comment: Defense in depth is the best defense against sophisticated malware. The Anomali Platform can assist in detection of malware and Match anomalous activity from all telemetry sources to provide the complete picture of adversary activity within your network.
MITRE ATT&CK: [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497
Tags: malware:BazarLoad |
Ransomware Spam Malware Tool Vulnerability Threat | APT 28 APT 23 | |
 |
2022-06-23 18:40:55 | Chinese Tropic Trooper APT spreads a hacking tool laced with a backdoor (lien direct) | >China-linked APT group Tropic Trooper has been spotted previously undocumented malware written in Nim language. Check Point Research uncovered an activity cluster with ties to China-linked APT Tropic Trooper (aka Earth Centaur, KeyBoy, and Pirate Panda) which involved the use of a previously undescribed loader (dubbed “Nimbda”) written in Nim language. The Tropic Trooper APT has been active at least […] | Malware Tool | APT 23 | |
 |
2022-06-22 23:14:08 | Chinese Hackers Distributing SMS Bomber Tool with Malware Hidden Inside (lien direct) | A threat cluster with ties to a hacking group called Tropic Trooper has been spotted using a previously undocumented malware coded in Nim language to strike targets as part of a newly discovered campaign. The novel loader, dubbed Nimbda, is "bundled with a Chinese language greyware 'SMS Bomber' tool that is most likely illegally distributed in the Chinese-speaking web," Israeli cybersecurity | Malware Tool Threat | APT 23 | |
 |
2022-06-22 14:28:14 | Chinese hackers target script kiddies with info-stealer trojan (lien direct) | Cybersecurity researchers have discovered a new campaign attributed to the Chinese "Tropic Trooper" hacking group, which employs a novel loader called Nimbda and a new variant of the Yahoyah trojan. [...] | APT 23 | ||
|
2021-12-21 04:40:36 | Tropic Trooper Cyber Espionage Hackers Targeting Transportation Sector (lien direct) | Transportation industry and government agencies related to the sector are the victims of an ongoing campaign since July 2020 by a sophisticated and well-equipped cyberespionage group in what appears to be yet another uptick in malicious activities that are "just the tip of the iceberg." "The group tried to access some internal documents (such as flight schedules and documents for financial plans | APT 23 | ||
 |
2021-12-17 19:43:13 | Trend Micro Spots Chinese Hackers Targeting Transportation Sector (lien direct) | Since the middle of 2020, a Chinese state-sponsored threat actor called 'Tropic Trooper' has been targeting transportation organizations and government entities related to transportation sector, Trend Micro reports. | Threat | APT 23 | |
 |
2021-12-16 19:16:06 | \'Tropic Trooper\' Reemerges to Target Transportation Outfits (lien direct) | Analysts warn that the attack group, now known as 'Earth Centaur,' is honing its attacks to go after transportation and government agencies. | APT 23 | ||
|
2021-08-10 17:39:00 | Anomali Cyber Watch: GIGABYTE Hit By RansomEXX Ransomware, Seniors\' Data Exposed, FatalRat Analysis, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Chinese state hackers, Data leak, Ransomware, RAT, Botnets, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Actively Exploited Bug Bypasses Authentication On Millions Of Routers
(published: August 7, 2021)
The ongoing attacks were discovered by Juniper Threat Labs researchers exploiting recently discovered vulnerability CVE-2021-20090. This is a critical path traversal vulnerability in the web interfaces of routers with Arcadyan firmware that could allow unauthenticated remote attackers to bypass authentication. The total number of devices exposed to attacks likely reaches millions of routers. Researchers identified attacks originating from China and are deploying a variant of Mirai botnet on vulnerable routers.
Analyst Comment: Attackers have continuous and automated routines to look out for publicly accessible vulnerable routers and exploit them as soon as the exploit is made public. To reduce the attack surface, routers management console should only be accessible from specific public IP addresses. Also default password and other security policies should be changed to make it more secure.
Tags: CVE-2021-20090, Mirai, China
Computer Hardware Giant GIGABYTE Hit By RansomEXX Ransomware
(published: August 7, 2021)
The attack occurred late Tuesday night into Wednesday and forced the company to shut down its systems in Taiwan. The incident also affected multiple websites of the company, including its support site and portions of the Taiwanese website. Attackers have threatened to publish 112GB of stolen data which they claim to include documents under NDA (Non Disclosure Agreement) from companies including Intel, AMD, American Megatrends unless a ransom is paid.
Analyst Comment: At this point no official confirmation from GIGABYTE about the attack. Also no clarity yet on potential vulnerabilities or attack vectors used to carry out this attack.
Tags: RansomEXX, Defray, Ransomware, Taiwan
Millions of Senior Citizens' Personal Data Exposed By Misconfiguration
(published: August 6, 2021)
The researchers have discovered a misconfigured Amazon S3 bucket owned by the Senior Advisor website which hosts ratings and reviews for senior care services across the US and Canada. The bucket contained more than one million files and 182 GB of data containing names, emails, phone numbers of senior citizens from North America. This exposed data was not encrypted and did not require a password or login credentials to access.
Analyst Comment: Senior citizens are at high risk of online frauds. Their personal information and context regarding appointments getting leaked can lead to targeted phishing scams.
Tags: Data Leak, Phishing, North America, AWS
|
Malware Vulnerability Threat Guideline | APT 41 APT 41 APT 30 APT 27 APT 23 | |
|
2020-05-15 20:54:30 | Chinese APT Tropic Trooper target air-gapped military Networks in Asia (lien direct) | Chinese threat actors, tracked as Tropic Trooper and KeyBoy, has been targeting air-gapped military networks in Taiwan and the Philippines. Chinese APT group Tropic Trooper, aka KeyBoy, has been targeting air-gapped military networks in Taiwan and the Philippines, Trend Micro researchers reported. The Tropic Trooper APT that has been active at least since 2011, it was first spotted in 2015 […] | Threat | APT 23 | |
 |
2018-12-20 14:00:00 | Let\'s Chat: Healthcare Threats and Who\'s Attacking (lien direct) |
Healthcare is under fire and there’s no sign of the burn slowing.
Look, it’s no secret that hackers have been targeting hospitals and other healthcare providers for several years — and probably no surprise that healthcare is one of the top target industries for cybercrime in 2018. In the US alone, in fact, more than 270 data breaches affecting nearly 12 million individuals were submitted to the U.S. HHS Office for Civil Rights breach portal (as of November 30, 2018). This includes the likes of unauthorized access or disclosures of patient data, hacking, theft of data, data loss and more.
Bottom line, if you’re tasked with protecting any entity operating in the healthcare sector, you’re likely experiencing some very sleepless nights — and may just need a doctor yourself.
So . . . who’s wreaking all this havoc and how? According to AlienVault Labs, opportunistic ransomware is still a preferred method of attack. However, researchers are reporting a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from healthcare providers and other similar entities who must protect and keep assets, systems, and networks continuously operating.
One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million dollars by manually compromising critical healthcare networks (see below for more info). The group behind SamSam has invested heavily in their operations (likely an organized crime syndicate) and has won the distinction of being the subjects of two FBI Alerts in 2018.
.png)
And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware. SamSam attacks also seem to go in waves. One of the most notable was a spring 2018 hit on a large New York hospital which publicly declined to pay the attacker’s $44,000 ransomware demand. It took a month for the hospital’s IT system to be fully restored.
SamSam attackers are known to:
Gain remote access through traditional attacks, such as JBoss exploits
Deploy web-shells
Connect to RDP over HTTP tunnels such as ReGeorg
Run batch scripts to deploy the ransomware over machines
SamSam isn’t going away either. AlienVault Labs has seen recent variants. You might want to read more about the threat actors behind SamSam, their methods of attacks, and recommendations for heading |
Threat | Wannacry APT 19 APT 18 APT 22 APT 23 | |
|
2018-12-17 14:00:00 | AlienVault Monthly Product Roundup October / November 2018 (lien direct) |
At AWS re:Invent recently, I spoke to several booth visitors who asked, “What’s new with AlienVault?” It was exciting to talk through some of the improvements we’ve made over the last year and see their eyes widen as the list went on. As our customers know, we regularly introduce new features to USM Anywhere and USM Central to help teams detect and respond to the latest threats. You can keep up with our regular product releases by reading the release notes in the AlienVault Product Forum.
Let’s take a look at the highlights from our October and November releases:
Mac OS Support for the AlienVault Agent
In July, we announced the addition of endpoint detection and response (EDR) capabilities to USM Anywhere, enabled by the AlienVault Agent. The AlienVault Agent is an osquery-based endpoint agent that provides system-level security, including file integrity monitoring and host intrusion detection (HIDS). Over the last few months, we’ve listened carefully to customer input to guide our continued improvement of the AlienVault Agent, leading us to improve filtering rules for better control over data consumption and make a number of additional enhancements.
In November, we addressed a top customer request with the addition of Mac OS support for the AlienVault Agent. Now, USM Anywhere customers can use the AlienVault Agent for continuous threat detection and file integrity monitoring (FIM) on their Linux, Windows, and Mac hosts.
.png)
AlienVault Agent Queries as Response Actions
USM Anywhere accelerates incident response with the ability to orchestrate response actions directly from an alarm. With just a few clicks, you can take an immediate, one-time action or create a rule to make sure that action happens automatically going forward. (Check out examples of automated incident response in action in this blog post.)
To enhance your ability to respond swiftly and efficiently to potential threats, we’ve added a new response action to trigger AlienVault Agent queries. Like our other response actions, you can find this option directly from the detail view of an alarm or as part of an orchestration rule.
.png)
Launch AlienVault Agent Queries from Agents Page
In addition to the response action listed above, you can now trigger AlienVault Agent queries from the Agents page by clicking the “Run Agent Query” button. You can run queries against a single asset or all assets that have the AlienVault Agent installed.
|
Threat Guideline | APT 23 | |
|
2018-10-10 17:01:03 | KeyBoy Abuses Popular Office Exploits for Malware Delivery (lien direct) | A group of hackers believed to be operating out of China was observed using popular Microsoft Office exploits for the delivery of malware. | Malware | APT 23 | |
|
2018-10-08 17:09:00 | Delivery (Key)Boy (lien direct) |
Introduction
Below we’ve outlined the delivery phase of some recent attacks by KeyBoy, a group of attackers believe to operate out of China. They were first identified in 2013 targeting governments and NGOs in South East Asia. Their primary targeting continues to this day, though they have also been known to target more diverse victims such as the energy sector.
Malware Delivery through Open Source Exploit Kits
KeyBoy sent the following email to India's Ambassador to Ethiopia from an email address at nic[.]in, India's National Informatics Centre.
Boy_Open_Source_Exploit_Kits.png)
The file f43f60b62002d0700ccbcbd9334520b6
The attached malicious document downloads and executes a script that installs the final payload:
Boy_final_payload.png)
This script contains text (eg; “” ) which matches a pre-packed version of the popular CVE-2017-0199 exploit available on GitHub.
We’ve seen other malicious documents where KeyBoy have tested another exploit generator. In that case KeyBoy didn’t change the default settings so the document meta-data provides some obvious hints that the document is malicious:
Boy_Tested.png)
Delivered Malware
The next stage in these attacks is typically a malware family known as TSSL. This malware originally identified by PwC and more recently described by Trend Micro and CitizenLab.
Most samples are built on the attackers machine fr |
APT 23 | ||
 |
2018-03-14 14:01:00 | Tropic Trooper\'s New Strategy (lien direct) |  Tropic Trooper (also known as KeyBoy) levels its campaigns against Taiwanese, Philippine, and Hong Kong targets, focusing on their government, healthcare, transportation, and high-tech industries. Its operators are believed to be very organized and develop their own cyberespionage tools that they fine-tuned in their recent campaigns. Many of the tools they use now feature new behaviors, including a change in the way they maintain a foothold in the targeted network.
|
APT 23 | ||
|
2017-11-15 10:00:45 | November\'s Patch Tuesday Includes Defense in Depth Update for Attacks Abusing Dynamic Data Exchange (lien direct) | Microsoft rolled out fixes for over 50 security issues in this month's Patch Tuesday. The updates cover vulnerabilities and bugs in the Windows operating system, Internet Explorer (IE), Edge, ASP .NET Core, Chakra Core browsing engine, and Microsoft Office. Microsoft also released a security advisory providing defense-in-depth mitigations against attacks abusing the Dynamic Data Exchange (DDE) protocol in light of recent attacks misusing this feature. Abusing DDE isn't new, but the method has made a resurgence with reports of cyberespionage and cybercriminal groups such as Pawn Storm, Keyboy, and FIN7 leveraging it to deliver their payloads. Post from: Trendlabs Security Intelligence Blog - by Trend Micro November's Patch Tuesday Includes Defense in Depth Update for Attacks Abusing Dynamic Data Exchange | APT 28 APT 23 | ||
 |
2017-11-08 23:15:06 | Keyboy Targeting US Companies (lien direct) | The ISBuzz Post: This Post Keyboy Targeting US Companies | APT 23 | ||
 |
2016-11-26 12:00:30 | Palo Alto Networks News of the Week – November 26, 2016 (lien direct) | Did you miss any of this week's Palo Alto Networks action? Don't worry, we've rounded up the top news right here. Unit 42 investigated Tropic Trooper, a campaign targeting the Taiwanese government and a fossil fuel provider. New Customer Spotlight: Maine Township High School District 207 keeps their students safely connected. Brian Kelly reviewed Cybersecurity and Cyberwar: What everyone Needs to Know for the Cybersecurity Canon. This week's episode of People of Palo Alto Networks highlights Joy Osborne, Sr. Manager of University Relations and Recruitment. Check out her story below: … | APT 23 | ||
|
2016-11-23 09:52:05 | Cyberspies Target Taiwan Government, Energy Sector (lien direct) | The threat group behind the cyber espionage campaign dubbed “Tropic Trooper†continues to target Taiwan, including government organizations and the country's energy sector, Palo Alto Networks reported on Tuesday. | APT 23 | ||
|
2016-11-22 11:30:24 | Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy (lien direct) | Taiwan has been a regular target of cyber espionage threat actors for a number of years. Reasons for Taiwan being targeted range from being one of the sovereign states of the disputed South China Sea region to its emerging economy and growth with Taiwan being one of the most innovative countries in the High-Tech industry in Asia. In early August, Unit 42 identified two attacks using similar techniques. The more interesting one was a targeted attack towards the Secretary General of Taiwan’s Government office – Executive Yuan. The Executive Yuan … | APT 23 |
.png){kind=link}
1
We have: 19 articles.
We have: 19 articles.
To see everything:
Our RSS (filtrered)
