What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
SecurityAffairs.webp 2020-03-08 10:23:46 Security Affairs newsletter Round 254 (direct link) A new round of the weekly newsletter arrived! The best news of the week with Security Affairs · 49 million unique email addresses of Straffic Marketing firm exposed online · Russian spies are attempting to tap transatlantic undersea cables · $1B to help telecom carriers to rip and replace Huawei and ZTE equipment · Karkoff 2020: a new APT34 […] APT 34
SecurityAffairs.webp 2020-03-03 18:48:42 The North Korean Kimsuky APT threatens South Korea evolving its TTPs (direct link) Cybaze-Yoroi ZLab analyzed a new implant employed by a North Korea-linked APT group, tracked as Kimsuky, in attacks on South Korea. Introduction Recently we have observed a significant increase in state-sponsored operations carried out by threat actors worldwide. APT34, Gamaredon, and Transparent Tribe are a few examples of the recently uncovered campaigns; the latter was spotted after four […] Threat APT 34 APT 36
SecurityAffairs.webp 2020-03-02 19:19:39 Karkoff 2020: a new APT34 espionage operation involves Lebanon Government (direct link) Experts from Cybaze/Yoroi ZLab spotted a new sample of the Karkoff implant that was employed in past campaigns associated with the Iran-linked APT34 group. Introduction In November 2018, researchers from Cisco Talos […] APT 34
SecurityAffairs.webp 2020-01-31 07:53:00 Iran-linked APT34 group is targeting US federal workers (direct link) Iran-linked APT34 group has targeted a U.S.-based research company that provides services to businesses and government organizations. Security experts from Intezer observed targeted attacks on a US-based research company that provides services to businesses and government organizations. “Our researchers Paul Litvak and Michael Kajilolti have discovered a new campaign conducted by APT34 employing an updated toolset. Based […] APT 34
The_State_of_Security.webp 2019-12-17 14:40:28 Poison Frog Malware Samples Reveal OilRig's Sloppiness (direct link) An analysis of a new backdoor called “Poison Frog” revealed that the OilRig threat group was sloppy in its development of the malware. Kaspersky Lab came across Poison Frog while scanning its archives using its YARA rule to hunt for new and old malware samples employed by OilRig. It launched this investigatory effort shortly after […] Malware Threat APT 34
The_Hackers_News.webp 2019-12-05 01:07:48 ZeroCleare: New Iranian Data Wiper Malware Targeting Energy Sector (direct link) Cybersecurity researchers have uncovered a new, previously undiscovered destructive data-wiping malware that is being used by state-sponsored hackers in the wild to target energy and industrial organizations in the Middle East. Dubbed ZeroCleare, the data wiper malware has been linked to not one but two Iranian state-sponsored hacking groups: APT34, also known as ITG13 and OilRig, and Hive0081 […] Malware APT 34
no_ico.webp 2019-10-22 13:25:29 Iranian Spying Operation Russian Hijack (direct link) A group of Russian cyber attackers dubbed 'Turla' have hacked another Iran-based group of cyber actors, known as 'OilRig', to spy on multiple countries, according to advisories published today by the UK's NCSC and the US' NSA. According to reports, attacks were discovered against more than 35 countries, many of which were located in the […] APT 34
bleepingcomputer.webp 2019-10-21 15:29:10 Russian Hackers Use Iranian Threat Group's Tools, Servers as Cover (direct link) The Russian-backed Turla cyber-espionage group used stolen malware and hijacked infrastructure from the Iranian-sponsored OilRig to attack targets from dozens of countries, according to a joint United Kingdom National Cyber Security Centre (NCSC) and U.S. National Security Agency (NSA) advisory published today. [...] Malware Threat APT 34
SecurityAffairs.webp 2019-08-07 13:47:02 OilRig APT group: the evolution of attack techniques over time (direct link) Security researcher Marco Ramilli presents a comparative analysis of attack techniques adopted by the Iran-linked OilRig APT group. Today I'd like to share a comparative analysis of how OilRig techniques mutated over time. In particular I will refer to great analyses made by Palo Alto Unit 42 plus my own ones (HERE, HERE, HERE, etc.) and more personal thoughts. I would define this group […] APT 34
no_ico.webp 2019-07-23 14:40:03 Iranian Hackers Send Out Fake LinkedIn Invitations Laced With Malware (direct link) U.S. cybersecurity firm FireEye has warned of a malicious phishing campaign that it has attributed to the Iranian-linked APT34, whose activity has been reported elsewhere as OilRig and Greenbug. The campaign has been targeting LinkedIn users with plausible but bogus invitations to join a professional network and emailed attachments laced with malware that seeks to infect systems with a hidden backdoor […] Malware APT 34
Pirate.webp 2019-07-22 12:56:04 FireEye identifies a new cyber-espionage campaign by the Iranian group APT34 (direct link) Given the growing geopolitical tensions in the Middle East, FireEye expects Iran to significantly increase the volume and scope of its cyber-espionage campaigns. APT 34
SecurityAffairs.webp 2019-07-22 08:04:00 New APT34 campaign uses LinkedIn to deliver fresh malware (direct link) The APT34 group continues its cyber espionage activity; its members were posing as a researcher from Cambridge to infect victims with three new malware families. Experts at FireEye have uncovered a new espionage campaign carried out by the APT34 APT group (OilRig, HelixKitten, Greenbug) through LinkedIn. Members of the cyberespionage group were posing as a researcher from Cambridge […] Malware APT 24 APT 34
SecurityWeek.webp 2019-07-19 17:46:01 Iranian Hackers Use New Malware in Recent Attacks (direct link) The Iran-linked cyber-espionage group OilRig has started using three new malware families in campaigns observed over the past month, FireEye reports. Malware APT 34 ★★★
Mandiant.webp 2019-07-18 10:00:00 Hard Pass: Declining APT34's Invite to Join Their Professional Network (direct link) Background With increasing geopolitical tensions in the Middle East, we expect Iran to significantly increase the volume and scope of its cyber espionage campaigns. Iran has a critical need for strategic intelligence and is likely to fill this gap by conducting espionage against decision makers and key organizations that may have information that furthers Iran's economic and national security goals. The identification of new malware and the creation of additional infrastructure to enable such campaigns highlights the increased tempo of these operations in support of Iranian interests. Fi […] Malware APT 34 ★★★★
SecurityAffairs.webp 2019-06-27 05:32:05 Similarities and differences between MuddyWater and APT34 (direct link) Security expert Marco Ramilli analyzed similarities and differences between the MuddyWater and APT34 cyberespionage groups. Many state-sponsored groups have been identified over time; many of them have different names (since they were discovered by different organizations) and there is no agreed standardization on the topic, but many victims and some interests look very tightly linked. […] APT 34
SecurityAffairs.webp 2019-06-21 13:01:04 Russia-Linked Turla APT group Hijacked C2 of the Iranian OilRig (direct link) Russia-linked cyberespionage group Turla uses a new toolset and hijacked command and control infrastructure operated by the Iran-linked OilRig APT. Russia-linked Turla cyberspies used a new set of tools in new attacks and hijacked command and control infrastructure operated by the Iran-linked OilRig APT. Recent campaigns demonstrate that Turla continues to evolve its arsenal and adopt new […] APT 34
SecurityWeek.webp 2019-06-20 18:11:01 Russia-Linked Hackers Hijack Infrastructure of Iranian Threat Group (direct link) Russia-linked hackers use a new toolset and likely took over servers operated by the Iran-linked "OilRig" threat group. Threat APT 34
bleepingcomputer.webp 2019-06-20 12:34:02 Turla Espionage Group Hacks OilRig APT Infrastructure (direct link) Security researchers tracking activities of various nation-state cyber-espionage groups found evidence suggesting that the Turla group hijacked the infrastructure of OilRig hackers to compromise a target both actors were interested in. [...] APT 34 ★★★★★
ZDNet.webp 2019-06-20 10:00:00 Russian APT hacked Iranian APT's infrastructure back in 2017 (direct link) Turla APT hacked Iran's APT34 group and used its C&C servers to re-infect APT34 victims with its own malware. APT 34
SecurityAffairs.webp 2019-06-06 11:00:05 Analyzing APT34's Jason project (direct link) Security expert Marco Ramilli has analyzed the recently leaked APT34 hacking tool tracked as Jason – Exchange Mail BF. Today I want to share a quick analysis of a newly leaked APT34 tool in order to track similarities between the publicly available APT34 toolsets. This time it is the APT34 Jason – Exchange Mail BF project that was leaked […] Tool APT 34
SecurityAffairs.webp 2019-06-04 13:55:05 OilRig's Jason email hacking tool leaked online (direct link) A few hours ago, a new email hacking tool dubbed Jason and associated with the OilRig APT group was leaked through the same Telegram channel used to leak other tools. A new email hacking tool associated with the Iran-linked OilRig APT group was leaked through the same Telegram channel that in April leaked the source […] Tool APT 34
bleepingcomputer.webp 2019-06-03 12:56:01 New Email Hacking Tool from OilRig APT Group Leaked Online (direct link) A tool for hijacking Microsoft Exchange email accounts, allegedly used by the OilRig hacker group, has been leaked online. The utility is called Jason and it is not detected by antivirus engines on VirusTotal. [...] Tool APT 34
no_ico.webp 2019-04-19 15:45:02 Explained – APT34 Code Leak (direct link) Hackers, going by the online name of Lab Dookhtegan, have revealed details about the inner workings of a cyber-espionage group mostly known in the security community as OilRig, APT34, and HelixKitten, linked to the Iranian government. Alexander Heid, White Hat Hacker and Chief Research Officer at SecurityScorecard: “Now that these scripts are public, they will likely be leveraged by cybercriminal groups […] APT 34
SecurityAffairs.webp 2019-04-19 12:07:04 Source code of tools used by OilRig APT leaked on Telegram (direct link) Lab Dookhtegan hackers leaked details about operations carried out by the Iran-linked OilRig group, including the source code of 6 tools. A hacker group that goes online by the name Lab Dookhtegan has disclosed details about operations conducted by the Iran-linked cyber-espionage group tracked as OilRig, APT34, and HelixKitten. OilRig is an Iran-linked APT group that has been […] APT 34
SecurityAffairs.webp 2019-04-18 20:47:05 Analyzing OilRig's malware that uses DNS Tunneling (direct link) Iran-linked APT group OilRig is heavily leveraging DNS tunneling for its cyber espionage campaigns, Palo Alto Networks reveals. Security researchers at Palo Alto Networks reported that the Iran-linked APT group OilRig is heavily leveraging DNS tunneling for its cyber espionage campaigns. OilRig is an Iran-linked APT group that has been […] Malware APT 34
bleepingcomputer.webp 2019-04-18 10:10:01 Hacker Group Exposes Iranian APT Operations and Members (direct link) Hackers have revealed details about the inner workings of a cyber-espionage group mostly known in the security community as OilRig, APT34, and HelixKitten, linked to the Iranian government. [...] APT 34
ZDNet.webp 2019-04-17 23:24:00 Source code of Iranian cyber-espionage tools leaked on Telegram (direct link) APT34 hacking tools and victim data have been leaked on a secretive Telegram channel since last month. APT 34
SecurityAffairs.webp 2018-11-20 09:31:03 Experts analyzed how Iranian OilRig hackers tested their weaponized documents (direct link) Security experts at Palo Alto Networks analyzed the method used by the Iran-linked OilRig APT group to test weaponized docs before use in attacks. Security researchers at Palo Alto Networks have analyzed the techniques adopted by the Iran-linked APT group OilRig (aka APT34) to test weaponized documents before use in attacks. The OilRig hacker group is an Iran-linked APT that has been around since at least 2015; since then it has targeted mainly […] APT 34
SecurityWeek.webp 2018-11-19 14:26:03 Iran-Linked Hackers Use Just-in-Time Creation of Weaponized Attack Docs (direct link) Researchers analyzed how the Iran-linked "OilRig" hacking group tests malicious documents before use in attacks. APT 34
SecurityAffairs.webp 2018-09-14 13:15:04 Iran-Linked OilRig APT group targets high-ranking office in a Middle Eastern nation (direct link) Researchers from Unit 42 at Palo Alto Networks observed the Iran-linked OilRig APT group targeting a high-ranking office in a Middle Eastern nation. The Iran-linked APT group OilRig continues to be very active and continues to improve the weapons in its arsenal. The OilRig hacker group has been around since at least 2015; since then it has targeted mainly organizations in the financial and government […] APT 34
Kaspersky.webp 2018-09-13 21:19:00 OilRig APT Continues Its Ongoing Malware Evolution (direct link) The Iran-linked APT appears to be in a state of continuous tool development, analogous to the DevOps efforts seen in the legitimate software world. Malware Tool APT 34
The_State_of_Security.webp 2018-09-13 11:16:00 OilRig Launching Attack Campaigns With Updated BONDUPDATER Trojan (direct link) The OilRig group conducted at least one attack campaign containing an updated variant of the BONDUPDATER trojan as its final payload. In August 2018, Palo Alto Networks’ Unit 42 threat research team detected an OilRig campaign targeting a high-ranking government organization in the Middle East. The email campaign leveraged spear-phishing, one of the most common […] Threat APT 34
AlienVault.webp 2018-09-06 13:00:00 Malware Analysis using Osquery Part 2 (direct link) In the first part of this series, we saw how you can use Osquery to analyze and extract valuable information about malware’s behavior. In that post, we followed the activity of the known Emotet loader, popular for distributing banking trojans. Using Osquery, we were able to discover how it infects a system using a malicious Microsoft Office document and how it extracts and executes the payload. In this post, we are going to see another common technique that malware uses: persistence. To do so, we will continue using Osquery to explore the registry and startup_items tables. Registry Persistence In this case, we will analyze a piece of malware built using the .NET framework, in particular a sample of Shrug ransomware. This malware encrypts users' personal documents and requests an amount of Bitcoin to get all files restored. https://otx.alienvault.com/indicator/file/a554b92036fbbc1c5d1a7d8a4049b01c5b6b7b30f06843fcdccf1f2420dfd707 Opening the sample with a .NET debugger, we can see that it first creates a new file in the user temp directory and writes a new value in the “CurrentVersion\Run” registry key for the user space pointing to that file. The malware will be executed every time the user logs on. This is a common persistence mechanism that malware droppers use in order to stay in the system. If we run the sample in our Osquery environment, we can easily detect this activity using a couple of queries. For example, if you remember the query we used to log files written on disk in Part 1 of this blog series, we can also use it here to detect the file planted in the user temp directory. We are just searching for files written in Users directories in the last 100 seconds. Additionally, we can search for the new entry created in the registry hive. For that, we can use the ‘registry’ Osquery table, which allows us to query all the registry entries in the system. We can also use the ‘startup_items’ table. This second table contains a set of predefined paths that the system uses to run programs automatically at startup. Running the following query, we can see how the malware has written a new entry pointing to the ‘shrug.exe’ file discovered with the first query. The file shrug.exe is also written in the .NET framework, so we can open it again with the debugger and see some interesting parts. This file first checks if the system is already infected. If not, it creates a new registry key with the same name to write the installation parameters. Malware Threat APT 34 ★★★
SecurityAffairs.webp 2018-09-06 07:44:04 New OilRig APT campaign leverages a new variant of the OopsIE Trojan (direct link) The Iran-linked APT group OilRig was recently observed using a new variant of the OopsIE Trojan that implements new evasion capabilities. Experts at Palo Alto observed a new campaign carried out by the Iran-linked APT group OilRig that was leveraging a new variant of the OopsIE Trojan. The OilRig hacker group is an Iran-linked APT that has been around […] APT 34
Kaspersky.webp 2018-09-05 21:04:04 OilRig Sends an OopsIE to Mideast Government Targets (direct link) The Iran-linked group is using a variant of the data-exfiltration OopsIE trojan to attack a Mideast government entity. APT 34
SecurityWeek.webp 2018-09-05 14:16:03 Iranian Hackers Improve Recently Used Cyber Weapon (direct link) The Iran-linked cyberespionage group OilRig was recently observed using a variant of the OopsIE Trojan that was updated with new evasion capabilities, Palo Alto Networks reports. APT 34
SecurityWeek.webp 2018-04-04 14:00:03 Breaches Increasingly Discovered Internally: Mandiant (direct link) Organizations are getting increasingly better at discovering data breaches on their own, with more than 60% of intrusions in 2017 detected internally, according to FireEye-owned Mandiant. The company's M-Trends report for 2018 shows that the global median time for internal detection dropped to 57.5 days in 2017, compared to 80 days in the previous year. Of the total number of breaches investigated by Mandiant last year, 62% were discovered internally, up from 53% in 2016. On the other hand, it still took roughly the same amount of time for organizations to learn that their systems had been compromised. The global median dwell time in 2017 – the median time from the first evidence of a hack to detection – was 101 days, compared to 99 days in 2016. Companies in the Americas had the shortest median dwell time (75.5 days), while organizations in the APAC region had the longest dwell time (nearly 500 days). (Chart: dwell time data from Mandiant.) Data collected by Mandiant in 2013 showed that more than one-third of organizations had been attacked again after the initial incident had been remediated. More recent data, specifically from the past 19 months, showed that 56% of Mandiant customers were targeted again by either the same group or one with similar motivation. In cases where investigators discovered at least one type of significant activity (e.g. compromised accounts, data theft, lateral movement), the targeted organization was successfully attacked again within one year. Organizations that experienced more than one type of significant activity were attacked by more than one threat actor. Again, the highest percentage of companies attacked multiple times and by multiple threat groups was in the APAC region – more than double compared to the Americas and the EMEA region. When it comes to the most targeted industries, companies in the financial and high-tech sectors recorded the highest number of significant attacks, while the high-tech, telecommunications and education sectors were hit by the highest number of different hacker groups. Last year, FireEye assigned names to four state-sponsored threat groups, including the Vietnam-linked APT32 (OceanLotus), and the Iran-linked APT33, APT34 (OilRig), and APT35 (NewsBeef, Newscaster and Charming Kitten). Conference APT33 APT 35 APT 33 APT 32 APT 34
SecurityWeek.webp 2018-03-22 15:30:01 (Déjà vu) Iran-linked Hackers Adopt New Data Exfiltration Methods (direct link) An Iran-linked cyber-espionage group has been using new malware and data exfiltration techniques in recent attacks, security firm Nyotron has discovered. The threat actor, known as OilRig, has been active since 2015, mainly targeting United States and Middle Eastern organizations in the financial and government industries. The group has already been observed using multiple tools and adopting new exploits fast, as well as switching to new Trojans in […] Guideline APT 34
SecurityAffairs.webp 2018-02-24 09:18:03 Iran-linked group OilRig used a new Trojan called OopsIE in recent attacks (direct link) According to malware researchers at Palo Alto Networks, the Iran-linked OilRig APT group is now using a new Trojan called OopsIE. The Iran-linked OilRig APT group is now using a new Trojan called OopsIE; experts at Palo Alto Networks observed the new malware being used in recent attacks against an insurance agency and a financial institution in the Middle East. […] APT 34
SecurityWeek.webp 2018-02-23 18:38:01 Iranian Hackers Use New Trojan in Recent Attacks (direct link) The cyberespionage group known as OilRig and previously linked to Iran has been observed using a new Trojan in recent attacks, Palo Alto Networks reports. APT 34
SecurityAffairs.webp 2018-02-04 11:38:46 Security Affairs newsletter Round 148 – News of the week (direct link) A new round of the weekly SecurityAffairs newsletter arrived! The best news of the week with Security Affairs. Once again thank you! · Attackers behind Cloudflare_solutions Keylogger are back, 2000 WordPress sites already infected · Download URLs for two packages of the phpBB forum software were compromised · Iran-linked APT OilRig target IIS Web Servers […] APT 34
AlienVault.webp 2018-01-30 13:40:00 OTX Trends Part 3 - Threat Actors (direct link) By Javvad Malik and Chris Doman This is the third of a three part series on trends identified by AlienVault in 2017. Part 1 focused on exploits and part 2 addressed malware. This part will discuss threat actors and patterns we have detected with OTX. Which threat actors should I be most concerned about? Which threat actors your organization should be most concerned about will vary greatly. A flower shop will have a very different threat profile from a defense contractor. Therefore we’ve limited ourselves below to some very high level trends of particular threat actors, many of which may not be relevant to your organisation. Which threat actors are most active? The following graph describes the number of vendor reports for each threat actor over the past two years by quarter: For clarity, we have limited the graph to the five threat actors reported on most in OTX. This is useful as a very rough indication of which actors are particularly busy. Caveats There are a number of caveats to consider here. One news-worthy event against a single target may be reported in multiple vendor reports, whereas a campaign against thousands of targets may be represented by only one report. Vendors are also more inclined to report on something that is “commercially interesting”. For example, activity targeting banks in the United States is more likely to be reported than attacks targeting the Uyghur population in China. It’s also likely we missed some reports, particularly in the earlier days of OTX, which may explain some of the increase in reports between 2016 and 2017. The global targeted threat landscape There are a number of suggested methods to classify the capability of different threat actors. Each has its problems, however. For example, if a threat actor never deploys 0-day exploits, do they lack the resources to develop them, or are they mature enough to avoid wasting resources unnecessarily? Below we have plotted a graph of the threat actors most reported on in the last two years. We have excluded threat actors whose motivation is thought to be criminal, as that wouldn’t be an apples to apples comparison. Both the measure of their activity (the number of vendor reports) and the measure of their capability (a rough rule of thumb) are not scientific, but can provide some rough insights: (Chart: a rough chart of the activity and capability of notable threat actors in the last year.) Perhaps most notable here is which threat actors are not listed. Some, such as APT1 and Equation Group, seem to have disappeared under their existing formation following very public reporting. It seems unlikely that groups which likely employ thousands of people have disappeared completely. The lack of such reporting is more likely a result of significantly changed tactics and identification following their outing. Others remain visibly active, but not enough to make our chart of “worst offenders”. A review of the most reported on threat actors The threat actor referenced i […] APT 38 APT 28 APT 10 APT 3 APT 1 APT 34
SecurityAffairs.webp 2018-01-28 10:51:00 Iran-linked APT OilRig target IIS Web Servers with new RGDoor Backdoor (direct link) The Iran-linked cyber-espionage group tracked as OilRig started using a backdoor dubbed RGDoor to target Internet Information Services (IIS) Web servers. The OilRig hacker group is an Iran-linked APT that has been around since at least 2015, when it targeted mainly organizations in the financial and […] APT 34
SecurityWeek.webp 2018-01-26 12:35:16 Iranian Hackers Target IIS Web Servers With New Backdoor (direct link) Iranian Cyber […] APT 34
AlienVault.webp 2018-01-16 14:00:00 OTX Trends Part 1 - Exploits (direct link) By Javvad Malik and Christopher Doman Introduction Every year, AlienVault records billions of anonymised security events from our customers. This telemetry can be aggregated to establish macro trends. And for many years, we have also been comprehensively recording other vendors' threat reports in our Open Threat Exchange (OTX) platform. We have combined these two data-sets to help provide a blueprint for how to prioritise the response to varied threats. You can find the scripts we used to get this data from our free APIs on GitHub. Executive Summary Some of the standout findings from our data covering 2017 are: The most effective exploits quickly proliferate between a number of criminal and nation state groups. Some remain popular for a number of years after their initial discovery. njRat malware variants were the most prevalent malware we saw persisting on networks. Of the ten most popular domains associated with malware, four were sinkholed by MalwareTech. Confirmation of others’ findings of the changing targeted threat landscape. There has been a significant increase in reports on attackers reportedly located in Russia and North Korea. There has also been a significant drop in reports of activity emanating from groups operating from China. OTX Trends: Exploits This is the first of a three part series on the trends we identified in 2017: Part 1 focuses on exploits; Part 2 will talk about the malware of concern and trends; Part 3 will discuss threat actors and patterns. Which exploits should I be most concerned about? There are many thousands of exploits that are assigned a CVE number every year, and many more that don’t get reported. If you’re responsible for an organisation’s security, it’s important to know: Which ones are the most important to patch quickly? Which ones are being actively exploited in the wild? What exploits are being reported in vendor reports? The following table shows exploits in order of the number of times they have been referenced in vendor reports on OTX: (Figure: a CVE-2017-0199 sample used by criminals.) This table is from a fairly small data-set of approximately 80 vendor reports from 2017, but it still provides a number of insights: Effective exploits proliferate quickly The #1 ranked exploit CVE-2017-0199 is extremely popular. It has been used by targeted attackers in locations as diverse as North Korea (FreeMilk), China (Winnti) and Iran (OilRig). It has also been heavily abused by criminal gangs such as some of those deploying Dridex. APT 34
Mandiant.webp 2017-12-07 17:00:00 New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit (direct link) Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber espionage threat group, whom we refer to as APT34, using a custom PowerShell backdoor to achieve its objectives. We believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at […] Vulnerability Threat APT 34 ★★★★
SecurityAffairs.webp 2017-10-10 13:38:53 Iran-linked OilRig hacker group uses a new Trojan in Middle East attacks (direct link) The Iran-linked cyberespionage group OilRig has been using a new Trojan in attacks aimed at targets in the Middle East. Experts from Palo Alto Networks spotted a new campaign launched by the notorious APT group OilRig against an organization within the government of the United Arab Emirates (UAE). The OilRig hacker group is an Iran-linked APT that has been around since at least […] APT 34
SecurityWeek.webp 2017-07-27 14:57:39 Iranian Cyberspy Groups Share Malware Code (direct link) Two cyberspy groups believed to be operating out of Iran, tracked by security firms as OilRig and Greenbug, have apparently shared malware code, according to researchers at Palo Alto Networks. APT 34
Kaspersky.webp 2017-07-27 14:00:36 APT Group Uses Catfish Technique To Ensnare Victims (direct link) The APT group Cobalt Gypsy, or OilRig, used a fake persona called "Mia Ash" to ensnare tech-savvy workers in the oil and gas industry into downloading PupyRAT malware. APT 34
PaloAlto.webp 2017-07-27 12:00:20 OilRig uses ISMDoor variant; Possibly Linked to Greenbug Threat Group (direct link) New research from Unit 42: OilRig uses an ISMDoor variant; possibly linked to the Greenbug threat group. APT 34
Last update at: 2024-05-18 17:08:18