What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-05-01 14:00:00 | Uncharmed: Untangling Iran\'s APT42 Operations (lien direct) | Written by: Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, Jonathan Leathery
APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists. Mandiant assesses APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). APT42 was observed posing as journalists and event organizers to build trust with their victims through ongoing correspondence, and to deliver invitations to conferences or legitimate documents. These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments. Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, while relying on built-in features and open-source tools to avoid detection. In addition to cloud operations, we also outline recent malware-based APT42 operations using two custom backdoors: NICECURL and TAMECAT. These backdoors are delivered via spear phishing, providing the attackers with initial access that might be used as a command execution interface or as a jumping point to deploy additional malware. APT42 targeting and missions are consistent with its assessed affiliation with the IRGC-IO, which is a part of the Iranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic Republic and domestic unrest. APT42 activities overlap with the publicly reported actors CALANQUE (Google Threat Analysis Group), Charming Kitten (ClearSky and CERTFA), Mint Sandstorm/Phosphorus (Microsoft), TA453 (Proofpoint), Yellow Garuda (PwC), and ITG18 ( |
Malware Tool Threat Cloud | Yahoo APT 35 APT 42 | ★★ |
|
2024-04-25 10:00:00 | Pole Voûte: cyber-menaces aux élections mondiales Poll Vaulting: Cyber Threats to Global Elections (lien direct) |
Written by: Kelli Vanderlee, Jamie Collier
Executive Summary The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts. When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure. Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google\'s Advanced Protection Program to protect high-risk accounts. Introduction The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture. The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence. |
Ransomware Malware Hack Tool Vulnerability Threat Legislation Cloud Technical | APT 40 APT 29 APT 28 APT 43 APT 31 APT 42 | ★★★ |
 |
2024-04-16 06:00:54 | De l'ingénierie sociale aux abus DMARC: Ta427 \\'s Art of Information Gathering From Social Engineering to DMARC Abuse: TA427\\'s Art of Information Gathering (lien direct) |
Key takeaways TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime. In addition to using specially crafted lure content, TA427 heavily leverages think tank and non-governmental organization-related personas to legitimize its emails and increase the chances that targets will engage with the threat actor. To craftily pose as its chosen personas, TA427 uses a few tactics including DMARC abuse in concert with free email addresses, typosquatting, and private email account spoofing. TA427 has also incorporated web beacons for initial reconnaissance of its targets, establishing basic information like that the email account is active. Overview Proofpoint researchers track numerous state-sponsored and state-aligned threat actors. TA427 (also known as Emerald Sleet, APT43, THALLIUM or Kimsuky), a Democratic People\'s Republic of Korea (DPRK or North Korea) aligned group working in support of the Reconnaissance General Bureau, is particularly prolific in email phishing campaigns targeting experts for insight into US and the Republic of Korea (ROK or South Korea) foreign policy. Since 2023, TA427 has directly solicited foreign policy experts for their opinions on nuclear disarmament, US-ROK policies, and sanction topics via benign conversation starting emails. In recent months, Proofpoint researchers have observed (Figure 1) a steady, and at times increasing, stream of this activity. While our researchers have consistently observed TA427 rely on social engineering tactics and regularly rotating its email infrastructure, in December 2023 the threat actor began to abuse lax Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to spoof various personas and, in February 2024, began incorporating web beacons for target profiling. It is this initial engagement, and the tactics successfully leveraged by TA427, which this blog is focused on. Figure 1. Volume of TA427 phishing campaigns observed between January 2023 and March 2024. Social engineering TA427 is a savvy social engineering expert whose campaigns are likely in support of North Korea\'s strategic intelligence collection efforts on US and ROK foreign policy initiatives. Based on the targets identified and the information sought, it is believed that TA427\'s goal is to augment North Korean intelligence and inform its foreign policy negotiation tactics (example Figure 2). TA427 is known to engage its targets for extended periods of time through a series of benign conversations to build a rapport with targets that can occur over weeks to months. They do so by constantly rotating which aliases are used to engage with the targets on similar subject matter. Figure 2. Example of TA427 campaign focused on US policy during an election year. Using timely, relevant lure content (as seen in Figure 3) customized for each victim, and often spoofing individuals in the DPRK research space with whom the victim is familiar to encourage engagement, targets are often requested to share their thoughts on these topics via email or a formal research paper or article. Malware or credential harvesting are never directly sent to the targets without an exchange of multiple messages, and based on Proofpoint visibility, rarely utilized by the threat actor. It is possible that TA427 can fulfill its intelligence requirements by directly asking targets for their opinions or analysis rather than from an infection. Additionally, insight gained from the correspondence is likely used to improve targeting of the victim organization and establish rapport for later questions and engagement. Figure 3. Timeline of real-world events based on international press reporting, side-by-side with Proofpoint observed subject lures. Lure content often includes invitations to attend events about North Korean policies regarding international affairs, questions regarding topics such as how deterr | Malware Tool Threat Conference | APT 37 APT 43 | ★★ |
 |
2023-10-31 19:45:32 | From Albania to the Middle East: The Scarred Manticore is Listening (lien direct) | #### Description
Check Point Research (RCR) surveille une campagne d'espionnage iranienne en cours par Scarred Manticore, un acteur affilié au ministère du renseignement et de la sécurité (MOIS).Les attaques reposent sur Liontail, un cadre de logiciel malveillant passif avancé installé sur les serveurs Windows.À des fins de furtivité, les implants liionnal utilisent les appels directs vers Windows HTTP Stack Driver Http.SYS pour charger les charges utiles des résidents de mémoire.
La campagne actuelle a culminé à la mi-2023, passant sous le radar pendant au moins un an.La campagne cible les organisations de haut niveau au Moyen-Orient en mettant l'accent sur les secteurs du gouvernement, des militaires et des télécommunications, en plus des fournisseurs de services informatiques, des organisations financières et des ONG.Scarred Manticore poursuit des objectifs de grande valeur depuis des années, utilisant une variété de déambulations basées sur l'IIS pour attaquer les serveurs Windows.Ceux-ci incluent une variété de shells Web personnalisés, de bornes de dos de DLL personnalisées et d'implants basés sur le pilote.Bien que la principale motivation derrière l'opération de Manticore \\ ne soit que l'espionnage, certains des outils décrits dans ce rapport ont été associés à l'attaque destructrice parrainée par MOIS contre l'infrastructure du gouvernement albanais (appelé Dev-0861).
#### URL de référence (s)
1. https://research.checkpoint.com/2023/from-albania-to-the-middle-East-the-scarred-Manticore-is-Listening/
#### Date de publication
31 octobre 2023
#### Auteurs)
Recherche de point de contrôle
#### Description Check Point Research (CPR) is monitoring an ongoing Iranian espionage campaign by Scarred Manticore, an actor affiliated with the Ministry of Intelligence and Security (MOIS). The attacks rely on LIONTAIL, an advanced passive malware framework installed on Windows servers. For stealth purposes, LIONTIAL implants utilize direct calls to Windows HTTP stack driver HTTP.sys to load memory-residents payloads. The current campaign peaked in mid-2023, going under the radar for at least a year. The campaign targets high-profile organizations in the Middle East with a focus on government, military, and telecommunications sectors, in addition to IT service providers, financial organizations and NGOs. Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers. These include a variety of custom web shells, custom DLL backdoors, and driver-based implants. While the main motivation behind Scarred Manticore\'s operation is espionage, some of the tools described in this report have been associated with the MOIS-sponsored destructive attack against Albanian government infrastructure (referred to as DEV-0861). #### Reference URL(s) 1. https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/ #### Publication Date October 31, 2023 #### Author(s) Check Point Research |
Malware Tool | APT 34 APT 34 | ★★ |
 |
2023-10-31 10:56:45 | Déstaurer la saga Manticore marquée: une épopée fascinante d'espionnage à enjeux élevés qui se déroule au cœur du Moyen-Orient Unraveling the Scarred Manticore Saga: A Riveting Epic of High-Stakes Espionage Unfolding in the Heart of the Middle East (lien direct) |
> Faits saillants: 1. Intrudeurs silencieux: Manticore marqué, un groupe de cyber-menaces iranien lié à Mois (Ministère des renseignements & # 38; Security), gère tranquillement une opération d'espionnage sophistiquée furtive au Moyen-Orient.En utilisant leur dernier cadre d'outils de logiciels malveillants, Liontail, ils volent sous le radar depuis plus d'un an.2. Secteurs ciblés: La campagne se concentre sur les grands joueurs-gouvernement, militaire, télécommunications, informatique, finance et ONG au Moyen-Orient.Manticore marqué est une question de données systématiquement en train de saisir des données, montrant leur engagement envers les cibles de grande valeur.3. Évolution des tactiques: le livre de jeu de Manticore Scarre est passé des attaques de base de shell sur les serveurs Windows à [& # 8230;]
>Highlights: 1. Silent Intruders: Scarred Manticore, an Iranian cyber threat group linked to MOIS (Ministry of Intelligence & Security), is quietly running a stealthy sophisticated spying operation in the Middle East. Using their latest malware tools framework, LIONTAIL, they have been flying under the radar for over a year. 2. Targeted Sectors: The campaign focuses on big players-government, military, telecom, IT, finance, and NGOs in the Middle East. Scarred Manticore is all about systematically nabbing data, showing their commitment to high-value targets. 3. Evolution of Tactics: Scarred Manticore’s playbook has evolved from basic web shell attacks on Windows Servers to […] |
Malware Tool Threat | APT 34 | ★★ |
 |
2023-10-27 20:27:00 | Le groupe coréen Lazarus cible le fournisseur de logiciels utilisant des défauts connus N. Korean Lazarus Group Targets Software Vendor Using Known Flaws (lien direct) |
Le groupe de Lazare aligné nord-en Corée a été attribué comme derrière une nouvelle campagne dans laquelle un fournisseur de logiciel sans nom a été compromis par l'exploitation de défauts de sécurité connus dans un autre logiciel de haut niveau.
Selon Kaspersky, les séquences d'attaque ont abouti au déploiement de familles de logiciels malveillants tels que Signbt et Lpeclient, un outil de piratage connu utilisé par l'acteur de menace pour
The North Korea-aligned Lazarus Group has been attributed as behind a new campaign in which an unnamed software vendor was compromised through the exploitation of known security flaws in another high-profile software. The attack sequences, according to Kaspersky, culminated in the deployment of malware families such as SIGNBT and LPEClient, a known hacking tool used by the threat actor for |
Malware Tool Threat | APT 38 APT 38 | ★★★ |
 |
2023-10-04 07:30:06 | Le groupe de Lazarus de la Corée du Nord améliore ses principaux logiciels malveillants North Korea\\'s Lazarus Group upgrades its main malware (lien direct) |
Lightningcan échappe aux outils Infosec de manière nouvelle et intéressante Le groupe Lazare, le gang de cybercrimes lié au gouvernement nord-coréen, a été nommé auteur d'une attaque contre une entreprise aérospatiale espagnole, en utilisant unNouveau dangereux nouveau logiciel malveillant.…
LightningCan evades infosec tools in new and interesting ways The Lazarus Group, the cybercrime gang linked to the North Korean government, has been named as the perpetrator of an attack against a Spanish aerospace firm, using a dangerous new piece of malware.… |
Malware Tool | APT 38 | ★★ |
 |
2023-09-22 10:26:15 | ESET découvre que le groupe OilRig a déployé un nouveau malware sur des victimes israéliennes (lien direct) | ESET découvre que le groupe OilRig a déployé un nouveau malware sur des victimes israéliennes Vue d'ensemble de la chaîne de compromission spatiale d'OilRig • ESET Research a analysé deux campagnes menées par le groupe OilRig en 2021 (Outer Space) et 2022 (Juicy Mix). Ce groupe APT est aligné avec les intérêts de l'Iran. • Les opérateurs ont ciblé exclusivement des organisations israéliennes et compromettaient des sites Web israéliens légitimes afin de les utiliser comme centre de communications et de contrôle (C & C / C2). • Ils ont utilisé une nouvelle porte dérobée inédite dans chaque campagne : Solar in Outer Space, puis son successeur Mango in Juicy Mix. • Une grande variété d'outils a été déployée à la suite des compromissions. Ces outils ont été utilisés pour collecter des informations sensibles à partir des principaux navigateurs et du Gestionnaire de mots de passe de Windows. - Malwares | Malware Tool | APT 34 | ★★★ |
 |
2023-09-19 17:06:25 | Hackers utilisant de fausses applications YouTube pour infecter les appareils Android Hackers Using Fake YouTube Apps To Infect Android Devices (lien direct) |
Le groupe de piratage APT36, également connu sous le nom de \\ 'Tribe Transparent, a été découvert à l'aide d'applications Android malveillantes qui imitent YouTube pour infecter leurs cibles \' avec le Troie (rat) d'accès à distance mobile appelé \\ appelé \'Caprarat \'. Pour les personnes inconscientes, l'APT36 (ou la tribu transparente) est un groupe de piratage présumé lié au Pakistan principalement connu pour avoir utilisé des applications Android malveillantes pour attaquer la défense indienne et les agences gouvernementales, les organisations impliquées dans la région du Cachemire, ainsi que les militants des droits de l'homme travaillant travailsur des questions liées au Pakistan. Sentinelabs, une entreprise de cybersécurité, a pu identifier trois packages d'applications Android (APK) liés à la Caprarat de la tribu transparente, qui a imité l'apparence de YouTube. & # 8220; Caprarat est un outil très invasif qui donne à l'attaquant un contrôle sur une grande partie des données sur les appareils Android qu'il infecte, & # 8221;Le chercheur de sécurité Sentinellabs Alex Delamotte a écrit dans une analyse lundi. Selon les chercheurs, les APK malveillants ne sont pas distribués via Google Play Store d'Android, ce qui signifie que les victimes sont probablement socialement conçues pour télécharger et installer l'application à partir d'une source tierce. L'analyse des trois APK a révélé qu'elles contenaient le Caprarat Trojan et ont été téléchargées sur Virustotal en avril, juillet et août 2023. Deux des Caprarat APK ont été nommés \\ 'YouTube \', et l'un a été nommé \'Piya Sharma \', associée à un canal potentiellement utilisé pour les techniques d'ingénierie sociale basées sur la romance pour convaincre les cibles d'installer les applications. La liste des applications est la suivante: base.media.service moves.media.tubes videos.watchs.share Pendant l'installation, les applications demandent un certain nombre d'autorisations à risque, dont certaines pourraient initialement sembler inoffensives pour la victime pour une application de streaming médiatique comme YouTube et la traiter sans soupçon. L'interface des applications malveillantes tente d'imiter l'application YouTube réelle de Google, mais ressemble plus à un navigateur Web qu'à une application en raison de l'utilisation de WebView à partir de l'application Trojanisée pour charger le service.Ils manquaient également de certaines fonctionnalités et fonctions disponibles dans l'application Android YouTube native légitime. Une fois que Caprarat est installé sur le dispositif de victime, il peut effectuer diverses actions telles que l'enregistrement avec le microphone, les caméras avant et arrière, la collecte de SMS et les contenus de messages multimédias et les journaux d'appels, d'envoi de messages SMS, de blocage des SMS entrants, initier les appels téléphoniques, prendre des captures d'écran, des paramètres système primordiaux tels que GPS & AMP;Réseau et modification des fichiers sur le système de fichiers du téléphone \\ Selon Sentinelabs, les variantes de caprarat récentes trouvées au cours de la campagne actuelle indiquent un développement continu des logiciels malveillants par la tribu transparente. En ce qui concerne l'attribution, les adresses IP des serveurs de commande et de contrôle (C2) avec lesquels Caprarat communique sont codées en dur dans le fichier de configuration de l'application et ont été liés aux activités passées du groupe de piratage. Cependant, certaines adresses IP étaient liées à d'autres campagnes de rats, bien que la relation exacte entre ces acteurs de menace et la tribu transparente reste claire. | Malware Tool Threat | APT 36 | ★★ |
|
2023-09-19 12:26:00 | Transparent Tribe utilise de fausses applications Android YouTube pour répandre Caprarat malware Transparent Tribe Uses Fake YouTube Android Apps to Spread CapraRAT Malware (lien direct) |
L'acteur de menace présumé lié au Pakistan, connu sous le nom de Tribe Transparent, utilise des applications Android malveillantes imitant YouTube pour distribuer le Troie à distance à distance caprarat (rat), démontrant l'évolution continue de l'activité.
"Caprarat est un outil très invasif qui donne à l'attaquant un contrôle sur une grande partie des données sur les appareils Android qu'il infecte", Sentinelone Security
The suspected Pakistan-linked threat actor known as Transparent Tribe is using malicious Android apps mimicking YouTube to distribute the CapraRAT mobile remote access trojan (RAT), demonstrating the continued evolution of the activity. "CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects," SentinelOne security |
Malware Tool Threat | APT 36 | ★ |
 |
2023-09-12 19:53:00 | Nouvel outil de porte dérobée repéré par des cibles au Brésil, en Israël, aux Émirats arabes unis New backdoor tool spotted in use against targets in Brazil, Israel, UAE (lien direct) |
Des pirates présumés de l'État national iranien ont attaqué des organisations au Brésil, en Israël et aux Émirats arabes unis à l'aide de logiciels de porte dérobée non identifiés auparavant, ont découvert des chercheurs.Le groupe de pirates a étiqueté bobcat balistique, également connu sous le nom de Charming Kitten, a déployé la porte dérobée entre mars 2021 et juin 2022 contre au moins 34 victimes, principalement en Israël, selon la société de cybersécurité ESET.
Suspected Iranian nation-state hackers attacked organizations in Brazil, Israel and the United Arab Emirates using previously unidentified backdoor malware, researchers have discovered. The hacker group labeled Ballistic Bobcat, also known as Charming Kitten, deployed the backdoor between March 2021 and June 2022 against at least 34 victims, mostly in Israel, according to cybersecurity company ESET. |
Tool | APT 35 | ★★★ |
|
2023-09-05 15:45:00 | Les chercheurs mettent en garde contre les cyber-armes utilisées par le groupe Andariel du groupe Lazarus \\ Researchers Warn of Cyber Weapons Used by Lazarus Group\\'s Andariel Cluster (lien direct) |
L'acteur de menace nord-coréen connue sous le nom d'Andariel a été observé en utilisant un arsenal d'outils malveillants dans ses cyber-assaut contre les sociétés et les organisations de l'homologue du Sud.
"Une caractéristique des attaques identifiées en 2023 est qu'il existe de nombreuses souches de logiciels malveillants développées dans la langue go", a déclaré le Ahnlab Security Emergency Response Center (ASEC) dans une plongée profonde
The North Korean threat actor known as Andariel has been observed employing an arsenal of malicious tools in its cyber assaults against corporations and organizations in the southern counterpart. “One characteristic of the attacks identified in 2023 is that there are numerous malware strains developed in the Go language,” the AhnLab Security Emergency Response Center (ASEC) said in a deep dive |
Malware Tool Threat | APT 38 | ★★ |
|
2023-07-20 12:50:00 | Des pirates nord-coréens liés à une tentative d'attaque de chaîne d'approvisionnement sur les clients de JumpCloud North Korean hackers linked to attempted supply-chain attack on JumpCloud customers (lien direct) |
Les pirates nord-coréens étaient à l'origine d'une violation de l'entreprise logicielle JumpCloud qui faisait partie d'une tentative d'attaque de chaîne d'approvisionnement ciblant les sociétés de crypto-monnaie, a-t-il été rapporté jeudi.JumpCloud - qui fournit des outils de gestion de l'identité et de l'accès aux appareils d'entreprise - a annoncé plus tôt ce mois-ci qu'une «nation sophistiquée-Acteur de menace parrainé par l'État »avait réussi
North Korean hackers were behind a breach of the software business JumpCloud that formed part of an attempted supply-chain attack targeting cryptocurrency companies, it was reported on Thursday. JumpCloud - which provides identity and access management tools for enterprise devices - announced earlier this month that a “sophisticated nation-state sponsored threat actor” had managed in |
Tool Threat | APT 38 | ★★ |
 |
2023-05-31 17:19:00 | Anomali Cyber Watch: Shadow Force cible les serveurs coréens, Volt Typhoon abuse des outils intégrés, Cosmicenergy Tests Electric Distribution Perturbation Anomali Cyber Watch: Shadow Force Targets Korean Servers, Volt Typhoon Abuses Built-in Tools, CosmicEnergy Tests Electric Distribution Disruption (lien direct) |
Les différentes histoires de l'intelligence des menaces dans cette itération de la cyber-montre anomali discutent des sujets suivants: Chine, chargement de DLL, vivant de la terre, technologie opérationnelle, ransomware, et Russie .Les CIO liés à ces histoires sont attachés à Anomali Cyber Watch et peuvent être utilisés pour vérifier vos journaux pour une activité malveillante potentielle.
Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées.
Cyber News et Intelligence des menaces
shadowVictiticoor et Coinmin de Force Group \\
(Publié: 27 mai 2023)
Force Shadow est une menace qui cible les organisations sud-coréennes depuis 2013. Il cible principalement les serveurs Windows.Les chercheurs d'AHNLAB ont analysé l'activité du groupe en 2020-2022.Les activités de force fantôme sont relativement faciles à détecter car les acteurs ont tendance à réutiliser les mêmes noms de fichiers pour leurs logiciels malveillants.Dans le même temps, le groupe a évolué: après mars, ses fichiers dépassent souvent 10 Mo en raison de l'emballage binaire.Les acteurs ont également commencé à introduire divers mineurs de crypto-monnaie et une nouvelle porte dérobée surnommée Viticdoor.
Commentaire de l'analyste: Les organisations doivent garder leurs serveurs à jour et correctement configurés avec la sécurité à l'esprit.Une utilisation et une surchauffe du processeur inhabituellement élevées peuvent être un signe du détournement de ressources malveillantes pour l'exploitation de la crypto-monnaie.Les indicateurs basés sur le réseau et l'hôte associés à la force fantôme sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure.
mitre att & amp; ck: [mitre att & amp; ck] t1588.003 - obtenir des capacités:Certificats de signature de code | [mitre att & amp; ck] t1105 - transfert d'outils d'entrée | [mitre att & amp; ck] t1027.002 - fichiers ou informations obscurcies: emballage logiciel | [mitre att & amp; ck] t1569.002: exécution du service | [mitre att & amp; ck] T1059.003 - Commande et script Interpréteur: Windows Command Shell | [mitre att & amp; ck] T1547.001 - Exécution de botter ou de connexion automatique: Registre Run Keys / Startup Folder | [mitre att & amp; ck] t1546.008 - Événement Exécution déclenchée: caractéristiques de l'accessibilité | [mitre att & amp; ck] t1543.003 - créer ou modifier le processus système: service Windows | [mitre att & amp; ck] t1554 - compromis le logiciel client binaire | [mitreAtt & amp; ck] t1078.001 - Comptes valides: comptes par défaut | [mitre att & amp; ck] t1140 - désobfuscate / décode ou infor |
Ransomware Malware Tool Vulnerability Threat | APT 38 Guam CosmicEnergy | ★★ |
|
2023-05-09 20:02:00 | Anomali Cyber Watch: l'environnement virtuel personnalisé cache Fluorshe Anomali Cyber Watch: Custom Virtual Environment Hides FluHorse, BabyShark Evolved into ReconShark, Fleckpe-Infected Apps Add Expensive Subscriptions (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Defense evasion, Infostealers, North Korea, Spearphishing, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution
(published: May 5, 2023)
McAfee researchers have detected a multi-stage attack that starts with a trojanized wextract.exe, Windows executable used to extract files from a cabinet (CAB) file. It was used to deliver the AgentTesla, Amadey botnet, LockBit ransomware, Redline Stealer, and other malicious binaries. To avoid detection, the attackers use obfuscation and disable Windows Defender through the registry thus stopping users from turning it back on through the Defender settings.
Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioral analysis defenses and social engineering training. Users should report suspicious files with double extensions such as .EXE.MUI. Indicators associated with this campaign are available in the Anomali platform and users are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] T1555 - Credentials From Password Stores | [MITRE ATT&CK] T1486: Data Encrypted for Impact | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information
Tags: malware:Amadey, malware-type:Botnet, malware:RedLine, malware:AgentTesla, malware-type:Infostealer, malware:LockBit, malware-type:Ransomware, abused:Wextract.exe, file-type:CAB, file-type:EXE, file-type:MUI, target-program:Windows Defender, target-system:Windows
Eastern Asian Android Assault – FluHorse
(published: May 4, 2023)
Active since May 2022, a newly-detected Android stealer dubbed FluHorse spreads mimicking popular apps or as a fake dating application. According to Check Point researchers, FluHorse was targeting East Asia (Taiwan and Vietnam) while remaining undetected for months. This stealthiness is achieved by sticking to minimal functions while also relying on a custom virtual machine that comes with the Flutter user interface software development kit. FluHorse is being distributed via emails that prompt the recipient to install the app and once installed, it asks for the user’s credit card or banking data. If a second factor authentication is needed to commit banking fraud, FluHorse tells the user to wait for 10-15 minutes while intercepting codes by installing a listener for all incoming SMS messages.
Analyst Comment: FluHorse\'s ability to remain undetected for months makes it a dangerous threat. Users should avoid installing applications following download links received via email or other messaging. Verify the app authenticity on the official com |
Malware Tool Threat | APT 37 APT 43 | ★★★ |
|
2023-05-01 23:16:00 | Anomali Cyber Watch: APT37 adopte les fichiers LNK, Charming Kitten utilise le bordereau d'implant Bellaciao, le cryptage de remappage d'octet unique Vipersoftx InfostEaler Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption (lien direct) |
Les diverses histoires de l'intelligence des menaces dans cette itération de l'anomali cyber watch discutent les sujets suivants: apt, Remapping, Cloud C2s, Infostalers, Iran, Corée du Nord, Rats, et vulnérabilités .Les CIO liés à ces histoires sont attachés à Anomali Cyber Watch et peuvent être utilisés pour vérifier vos journaux pour une activité malveillante potentielle.
Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées.
Cyber News et Intelligence des menaces
Réaction en chaîne: Rokrat & rsquo; s.Lien manquant
(Publié: 1er mai 2023)
Depuis 2022, le groupe parrainé par le Nord-Korea APT37 (Group123, Ricochet Chollima) a principalement changé ses méthodes de livraison de Maldocs pour cacher des charges utiles à l'intérieur des fichiers LNK surdimensionnés.Vérifier les chercheurs a identifié plusieurs chaînes d'infection utilisées par le groupe de juillet 2022 à avril 2023. Celles-ci ont été utilisées pour livrer l'un des outils personnalisés de l'APT37 (Goldbackdoor et Rokrat), ou le malware de marchandises Amadey.Tous les leurres étudiés semblent cibler des personnes coréennes avec des sujets liés à la Corée du Sud.
Commentaire de l'analyste: Le passage aux chaînes d'infection basées sur LNK permet à APT37 de l'interaction utilisateur moins requise car la chaîne peut être déclenchée par un simple double clic.Le groupe continue l'utilisation de Rokrat bien triés qui reste un outil furtif avec ses couches supplémentaires de cryptage, le cloud C2 et l'exécution en mémoire.Les indicateurs associés à cette campagne sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquerleur infrastructure.
mitre att & amp; ck: [mitre att & amp; ck] t1059.001: Powershell | [mitre att & amp; ck] t1055 - injection de processus | [mitre att & amp; ck] t1027 - fichiers ou informations obscurcis | [mitre att & amp; ck] t1105 - transfert d'outils d'entrée | [mitre att & amp; ck] t1204.002 - Exécution des utilisateurs: fichier malveillant | [mitre att & amp; ck] t1059.005 - commande et script interprète: visuel basique | [mitre att & amp; ck] t1140 - désobfuscate / décode ou informations | [mitre att & amp; ck] T1218.011 - Exécution par proxy binaire signée: Rundll32
Tags: malware: Rokrat, mitre-software-id: s0240, malware-Type: Rat, acteur: Groupe123, mitre-groupe: APT37, acteur: Ricochet Chollima, Country source: Corée du Nord, Country source: KP, Cible-Country: Corée du Sud, Cible-Country: KR, Type de fichier: Zip, déposer-Type: Doc, Fichier-Type: ISO, Fichier-Type: LNK, File-Type: Bat, File-Type: EXE, Fichier-Type: VBS, malware: Amadey,MALWARE: Goldbackdoor, Type de logiciels malveillants: porte dérobée, abusée: Pcloud, abusé: Cloud Yandex, abusé: OneDrive, abusé: & # 8203; & # 8203; Processeur de mots Hangul, abusé: themida, système cible: Windows
|
Ransomware Malware Tool Vulnerability Threat Prediction Cloud | APT 37 APT 37 APT 35 | ★★ |
 |
2023-04-28 01:30:56 | (Déjà vu) Chaton charmant utilisant de nouveaux logiciels malveillants dans des attaques multi-pays Charming Kitten Using New Malware in Multi-Country Attacks (lien direct) |
Charming Kitten, le tristement célèbre groupe iranien de l'État-nation, vise activement les victimes à travers l'Europe, les États-Unis, l'Inde et le Moyen-Orient avec un nouveau logiciel malveillant surnommé Bellaciao.Le malware est le dernier de leur vaste trousse à outils personnalisée.Bellaciao a été découverte par Bitdefender, qui décrivent le malware comme a & # 8220; compte-gouttes personnalisé & # 8221;C'est capable de fournir des charges utiles de logiciels malveillants sur [& # 8230;]
Charming Kitten, the infamous Iranian nation-state group, is actively targeting victims across Europe, U.S., India and Middle East with a new malware dubbed BellaCiao. The malware is the latest in their expansive custom tool kit. BellaCiao was discovered by Bitdefender, who describe the malware as a “personalised dropper” that’s capable of delivering malware payloads onto […] |
Malware Tool | APT 35 APT 35 | ★★ |
|
2023-04-25 18:22:00 | Anomali Cyber Watch: Deux attaques de la chaîne d'approvisionnement enchaînées, leurre de communication DNS furtive de chien, Evilextractor exfiltrates sur le serveur FTP Anomali Cyber Watch: Two Supply-Chain Attacks Chained Together, Decoy Dog Stealthy DNS Communication, EvilExtractor Exfiltrates to FTP Server (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptomining, Infostealers, Malvertising, North Korea, Phishing, Ransomware, and Supply-chain attacks. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters
(published: April 21, 2023)
A new Monero cryptocurrency-mining campaign is the first recorded case of gaining persistence via Kubernetes (K8s) Role-Based Access Control (RBAC), according to Aquasec researchers. The recorded honeypot attack started with exploiting a misconfigured API server. The attackers preceded by gathering information about the cluster, checking if their cluster was already deployed, and deleting some existing deployments. They used RBAC to gain persistence by creating a new ClusterRole and a new ClusterRole binding. The attackers then created a DaemonSet to use a single API request to target all nodes for deployment. The deployed malicious image from the public registry Docker Hub was named to impersonate a legitimate account and a popular legitimate image. It has been pulled 14,399 times and 60 exposed K8s clusters have been found with signs of exploitation by this campaign.
Analyst Comment: Your company should have protocols in place to ensure that all cluster management and cloud storage systems are properly configured and patched. K8s buckets are too often misconfigured and threat actors realize there is potential for malicious activity. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from highly-active threat groups.
MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1496 - Resource Hijacking | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1489 - Service Stop
Tags: Monero, malware-type:Cryptominer, detection:PUA.Linux.XMRMiner, file-type:ELF, abused:Docker Hub, technique:RBAC Buster, technique:Create ClusterRoleBinding, technique:Deploy DaemonSet, target-system:Linux, target:K8s, target:Kubernetes RBAC
3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible
(published: April 20, 2023)
Investigation of the previously-reported 3CX supply chain compromise (March 2023) allowed Mandiant researchers to detect it was a result of prior software supply chain attack using a trojanized installer for X_TRADER, a software package provided by Trading Technologies. The attack involved the publicly-available tool SigFlip decrypting RC4 stream-cipher and starting publicly-available DaveShell shellcode for reflective loading. It led to installation of the custom, modular VeiledSignal backdoor. VeiledSignal additional modules inject the C2 module in a browser process instance, create a Windows named pipe and |
Ransomware Spam Malware Tool Threat Cloud | Uber APT 38 ChatGPT APT 43 | ★★ |
|
2023-04-19 16:58:00 | Les pirates pakistanais utilisent le poseidon de logiciels malveillants Linux pour cibler les agences gouvernementales indiennes Pakistani Hackers Use Linux Malware Poseidon to Target Indian Government Agencies (lien direct) |
L'acteur avancé de menace persistante (APT) basée au Pakistan connu sous le nom de Tribe Transparent a utilisé un outil d'authentification à deux facteurs (2FA) utilisé par les agences gouvernementales indiennes comme ruse pour livrer une nouvelle porte dérobée Linux appelée Poséidon.
"Poséidon est un logiciel malveillant en charge utile de deuxième étape associé à la tribu transparente", a déclaré le chercheur en sécurité UptyCS Tejaswini Sandapolla dans un rapport technique publié cette semaine.
The Pakistan-based advanced persistent threat (APT) actor known as Transparent Tribe used a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon. "Poseidon is a second-stage payload malware associated with Transparent Tribe," Uptycs security researcher Tejaswini Sandapolla said in a technical report published this week. |
Malware Tool Threat | APT 36 | ★★ |
|
2023-03-28 21:28:00 | Anomali Cyber Watch: Takeover comptable, APT, Banking Trojans, Chine, Cyberespionage, Inde, Malspam, Corée du Nord, Phishing, Skimmers, Ukraine et Vulnérabilités [Anomali Cyber Watch: Account takeover, APT, Banking trojans, China, Cyberespionage, India, Malspam, North Korea, Phishing, Skimmers, Ukraine, and Vulnerabilities] (lien direct) | Aucun Sélectionné Sauter vers le contenu à l'aide d'Anomali Inc Mail avec les lecteurs d'écran Yury 1 sur 52 ACW CONSEIL POLOZOV ACCORDS MAR 27 MAR, 2023, 10: 11 & # 8239; AM (1 jour) pour moi, marketing, recherche Cher Jarom etMarketing, ACW est prêt https://ui.thereatstream.com/tip/6397663 - Yury Polozov |Analyste de renseignement sur la menace de Sr. |ATR |www.anomali.com Téléphone: + 1-347-276-5554 3 pièces jointes et taureau;Scanné par gmail
& nbsp;
Anomali Cyber Watch: Spies amer sur l'énergie nucléaire chinoise, Kimsuky prend le contrôle de Google pour infecter les appareils Android connectés, les mauvaises cibles magiques occupées des parties de l'Ukraine, et plus encore.
Les diverses histoires de l'intelligence des menaces dans cette itération de l'anomali cyber watch discutent des sujets suivants: Takeover, APT, Banking Trojans, China, Cyberspionage, Inde, Malspam, North Corée, Phishing, Skimmers, Ukraine, et vulnérabilités .Les CIO liés à ces histoires sont attachés à Anomali Cyber Watch et peuvent être utilisés pour vérifier vos journaux pour une activité malveillante potentielle.
Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées.
Cyber News et Intelligence des menaces
campagne de phishingCible l'industrie chinoise de l'énergie nucléaire
(Publié: 24 mars 2023)
Actif Depuis 2013, le groupe amer (T-APT-17) est soupçonné d'être parrainé par le gouvernement indien.Des chercheurs Intezer ont découvert une nouvelle campagne amère ciblant les universitaires, le gouvernement et d'autres organisations de l'industrie de l'énergie nucléaire en Chine.Les techniques sont cohérentes avec les campagnes amères observées précédemment.L'intrusion commence par un e-mail de phishing censé provenir d'un véritable employé de l'ambassade du Kirghizistan.Les pièces jointes malveillantes observées étaient soit des fichiers HTML (CHM) compilés à Microsoft, soit des fichiers Microsoft Excel avec des exploits d'éditeur d'équation.L'objectif des charges utiles est de créer de la persistance via des tâches planifiées et de télécharger d'autres charges utiles de logiciels malveillants (les campagnes amères précédentes ont utilisé le voleur d'identification du navigateur, le voleur de fichiers, le keylogger et les plugins d'outils d'accès à distance).Les attaquants se sont appuyés sur la compression LZX et la concaténation des cordes pour l'évasion de détection.
Commentaire de l'analyste: De nombreuses attaques avancées commencent par des techniques de base telles que des e-mails injustifiés avec une pièce jointe qui oblige l'utilisateur à l'ouvrir.Il est important d'enseigner l'hygiène de base en ligne à vos utilisateurs et la sensibilisation au phishing.Il est sûr de recommander de ne jamais ouvrir de fichiers CHM joints et de garder votre bureau MS Office entièrement mis à jour.Tous les indicateurs connus associés à cette campagne amère sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure.
mitre att & amp; ck: [mitre att & amp; ck] t1589.002 - rassembler l'identité des victimesInformations: Adresses e-mail | [mitre att & amp; ck] t1566.001 -Phishing: attachement de espionnage | [mitre at |
Malware Tool Threat Cloud | APT 37 APT 43 | ★★ |
|
2023-03-14 17:32:00 | Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam (lien direct) |
Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam, and More.
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, DLL side-loading, Iran, Linux, Malvertising, Mobile, Pakistan, Ransomware, and Windows. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Xenomorph V3: a New Variant with ATS Targeting More Than 400 Institutions
(published: March 10, 2023)
Newer versions of the Xenomorph Android banking trojan are able to target 400 applications: cryptocurrency wallets and mobile banking from around the World with the top targeted countries being Spain, Turkey, Poland, USA, and Australia (in that order). Since February 2022, several small, testing Xenomorph campaigns have been detected. Its current version Xenomorph v3 (Xenomorph.C) is available on the Malware-as-a-Service model. This trojan version was delivered using the Zombinder binding service to bind it to a legitimate currency converter. Xenomorph v3 automatically collects and exfiltrates credentials using the ATS (Automated Transfer Systems) framework. The command-and-control traffic is blended in by abusing Discord Content Delivery Network.
Analyst Comment: Fraud chain automation makes Xenomorph v3 a dangerous malware that might significantly increase its prevalence on the threat landscape. Users should keep their mobile devices updated and avail of mobile antivirus and VPN protection services. Install only applications that you actually need, use the official store and check the app description and reviews. Organizations that publish applications for their customers are invited to use Anomali's Premium Digital Risk Protection service to discover rogue, malicious apps impersonating your brand that security teams typically do not search or monitor.
MITRE ATT&CK: [MITRE ATT&CK] T1417.001 - Input Capture: Keylogging | [MITRE ATT&CK] T1417.002 - Input Capture: Gui Input Capture
Tags: malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility services, Overlay attack, Discord CDN, Cryptocurrency wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android
Cobalt Illusion Masquerades as Atlantic Council Employee
(published: March 9, 2023)
A new campaign by Iran-sponsored Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorous) was detected targeting Mahsa Amini protests and researchers who document the suppression of women and minority groups i |
Ransomware Malware Tool Vulnerability Threat Guideline Conference | APT 35 ChatGPT ChatGPT APT 36 APT 42 | ★★ |
|
2023-02-28 16:15:00 | Anomali Cyber Watch: Newly-Discovered WinorDLL64 Backdoor Has Code Similarities with Lazarus GhostSecret, Atharvan Backdoor Can Be Restricted to Communicate on Certain Days (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, DLL sideloading, Infostealers, Phishing, Social engineering, and Tunneling. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
WinorDLL64: A Backdoor From The Vast Lazarus Arsenal?
(published: February 23, 2023)
When the Wslink downloader (WinorLoaderDLL64.dll) was first discovered in 2021, it had no known payload and no known attribution. Now ESET researchers have discovered a Wslink payload dubbed WinorDLL64. This backdoor uses some of Wslink functions and the Wslink-established TCP connection encrypted with 256-bit AES-CBC cipher. WinorDLL64 has some code similarities with the GhostSecret malware used by North Korea-sponsored Lazarus Group.
Analyst Comment: Wslink and WinorDLL64 use a well-developed cryptographic protocol to protect the exchanged data. Innovating advanced persistent groups like Lazarus often come out with new versions of their custom malware. It makes it important for network defenders to leverage the knowledge of a wider security community by adding relevant premium feeds and leveraging the controls automation via Anomali Platform integrations.
MITRE ATT&CK: [MITRE ATT&CK] T1587.001 - Develop Capabilities: Malware | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1134.002 - Access Token Manipulation: Create Process With Token | [MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1087.001 - Account Discovery: Local Account | [MITRE ATT&CK] T1087.002 - Account Discovery: Domain Account | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1135 - Network Share Discovery | [MITRE ATT&CK] T1057 - Process Discovery | [MITRE ATT&CK] T1012: Query Registry | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] T1614 - System Location Discovery | [MITRE ATT&CK] T1614.001 - System Location Discovery: System Language Discovery | [MITRE ATT&CK] T1016 - System Network Configuration Discovery | [MITRE ATT&CK] T1049 - System Network Connections Discovery | |
Ransomware Malware Tool Threat Medical Medical Cloud | APT 38 | ★ |
 |
2023-02-28 14:00:00 | CyberheistNews Vol 13 #09 [Eye Opener] Should You Click on Unsubscribe? (lien direct) |
CyberheistNews Vol 13 #09 | February 28th, 2023
[Eye Opener] Should You Click on Unsubscribe?
By Roger A. Grimes.
Some common questions we get are "Should I click on an unwanted email's 'Unsubscribe' link? Will that lead to more or less unwanted email?"
The short answer is that, in general, it is OK to click on a legitimate vendor's unsubscribe link. But if you think the email is sketchy or coming from a source you would not want to validate your email address as valid and active, or are unsure, do not take the chance, skip the unsubscribe action.
In many countries, legitimate vendors are bound by law to offer (free) unsubscribe functionality and abide by a user's preferences. For example, in the U.S., the 2003 CAN-SPAM Act states that businesses must offer clear instructions on how the recipient can remove themselves from the involved mailing list and that request must be honored within 10 days.
Note: Many countries have laws similar to the CAN-SPAM Act, although with privacy protection ranging the privacy spectrum from very little to a lot more protection. The unsubscribe feature does not have to be a URL link, but it does have to be an "internet-based way." The most popular alternative method besides a URL link is an email address to use.
In some cases, there are specific instructions you have to follow, such as put "Unsubscribe" in the subject of the email. Other times you are expected to craft your own message. Luckily, most of the time simply sending any email to the listed unsubscribe email address is enough to remove your email address from the mailing list.
[CONTINUED] at the KnowBe4 blog:https://blog.knowbe4.com/should-you-click-on-unsubscribe
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, March 1, @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approac |
Malware Hack Tool Vulnerability Threat Guideline Prediction | APT 38 ChatGPT | ★★★ |
|
2023-02-23 17:17:00 | Lazarus Group Using New WinorDLL64 Backdoor to Exfiltrate Sensitive Data (lien direct) | A new backdoor associated with a malware downloader named Wslink has been discovered, with the tool likely used by the notorious North Korea-aligned Lazarus Group, new findings reveal. The payload, dubbed WinorDLL64 by ESET, is a fully-featured implant that can exfiltrate, overwrite, and delete files; execute PowerShell commands; and obtain comprehensive information about the underlying machine. | Malware Tool Medical | APT 38 | ★ |
 |
2023-02-23 10:30:19 | WinorDLL64: A backdoor from the vast Lazarus arsenal? (lien direct) | >The targeted region, and overlap in behavior and code, suggest the tool is used by the infamous North Korea-aligned APT group | Tool | APT 38 | ★★ |
|
2023-02-07 17:23:00 | Anomali Cyber Watch: MalVirt Obfuscates with KoiVM Virtualization, IceBreaker Overlay Hides V8 Bytecode Runtime Interpretation, Sandworm Deploys Multiple Wipers in Ukraine (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data leak, Malvertising, North Korea, Proxying, Russia, Typosquatting, Ukraine, and Wipers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
No Pineapple! –DPRK Targeting of Medical Research and Technology Sector
(published: February 2, 2023)
In August-November 2022, North Korea-sponsored group Lazarus has been engaging in cyberespionage operations targeting defense, engineering, healthcare, manufacturing, and research organizations. The group has shifted their infrastructure from using domains to be solely IP-based. For initial compromise the group exploited known vulnerabilities in unpatched Zimbra mail servers (CVE-2022-27925 and CVE-2022-37042). Lazarus used off the shelf malware (Cobalt Strike, JspFileBrowser, JspSpy webshell, and WSO webshell), abused legitimate Windows and Unix tools (such as Putty SCP), and tools for proxying (3Proxy, Plink, and Stunnel). Two custom malware unique to North Korea-based advanced persistent threat actors were a new Grease version that enables RDP access on the host, and the Dtrack infostealer.
Analyst Comment: Organizations should keep their mail server and other publicly-facing systems always up-to-date with the latest security features. Lazarus Group cyberespionage attacks are often accompanied by stages of multi-gigabyte exfiltration traffic. Suspicious connections and events should be monitored, detected and acted upon. Use the available YARA signatures and known indicators.
MITRE ATT&CK: [MITRE ATT&CK] T1587.002 - Develop Capabilities: Code Signing Certificates | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] picus-security: The Most Used ATT&CK Technique—T1059 Command and Scripting Interpreter | [MITRE ATT&CK] T1569.002: Service Execution | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1505.003 - Server Software Component: Web Shell | [MITRE ATT&CK] T1037.005 - Boot or Logon Initialization Scripts: Startup Items | [MITRE ATT&CK] T1053.005 - Scheduled Task/Job: Scheduled Task | [MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location | [MITRE ATT&CK] T1553 - Subvert Trust Controls | [MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1070.007 - Indicator Removal: Clear Network Connection History And Configurations | |
Malware Tool Threat Medical Medical | APT 38 | ★★★ |
|
2023-01-31 17:27:00 | Anomali Cyber Watch: KilllSomeOne Folders Invisible in Windows, Everything APIs Abuse Speeds Up Ransomware, APT38 Experiments with Delivery Vectors and Backdoors (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cryptocurrency, Data leak, Iran, North Korea, Phishing, Ransomware, and USB malware. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Chinese PlugX Malware Hidden in Your USB Devices?
(published: January 26, 2023)
Palo Alto researchers analyzed a PlugX malware variant (KilllSomeOne) that spreads via USB devices such as floppy, thumb, or flash drives. The variant is used by a technically-skilled group, possibly by the Black Basta ransomware. The actors use special shortcuts, folder icons and settings to make folders impersonating disks and a recycle bin directory. They also name certain folders with the 00A0 (no-break space) Unicode character thus hindering Windows Explorer and the command shell from displaying the folder and all the files inside it.
Analyst Comment: Several behavior detections could be used to spot similar PlugX malware variants: DLL side loading, adding registry persistence, and payload execution with rundll32.exe. Incidents responders can check USB devices for the presence of no-break space as a folder name.
MITRE ATT&CK: [MITRE ATT&CK] T1091 - Replication Through Removable Media | [MITRE ATT&CK] T1559.001 - Inter-Process Communication: Component Object Model | [MITRE ATT&CK] T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification | [MITRE ATT&CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] T1564.001: Hidden Files and Directories | [MITRE ATT&CK] T1105 - Ingress Tool Transfer
Tags: detection:PlugX, detection:KilllSomeOne, USB, No-break space, file-type:DAT, file-type:EXE, file-type:DLL, actor:Black Basta, Windows
Abraham's Ax Likely Linked to Moses Staff
(published: January 26, 2023)
Cobalt Sapling is an Iran-based threat actor active in hacking, leaking, and sabotage since at least November 2020. Since October 2021, Cobalt Sapling has been operating under a persona called Moses Staff to leak data from Israeli businesses and government entities. In November 2022, an additional fake identity was created, Abraham's Ax, to target government ministries in Saudi Arabia. Cobalt Sapling uses their custom PyDCrypt loader, the StrifeWater remote access trojan, and the DCSrv wiper styled as ransomware.
Analyst Comment: A defense-in-depth approach can assist in creating a proactive stance against threat actors attempting to destroy data. Critical systems should be segregated from each other to minimize potential damage, with an |
Ransomware Malware Tool Threat Medical | APT 38 | ★★★ |
|
2023-01-04 16:30:00 | Anomali Cyber Watch: Machine Learning Toolkit Targeted by Dependency Confusion, Multiple Campaigns Hide in Google Ads, Lazarus Group Experiments with Bypassing Mark-of-the-Web (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Data breaches, North Korea, Phishing, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
PyTorch Discloses Malicious Dependency Chain Compromise Over Holidays
(published: January 1, 2023)
Between December 25th and December 30th, 2022, users who installed PyTorch-nightly were targeted by a malicious library. The malicious torchtriton dependency on PyPI uses the dependency confusion attack by having the same name as the legitimate one on the PyTorch repository (PyPI takes precedence unless excluded). The actor behind the malicious library claims that it was part of ethical research and that he alerted some affected companies via HackerOne programs (Facebook was allegedly alerted). At the same time the library’s features are more aligned with being a malware than a research project. The code is obfuscated, it employs anti-VM techniques and doesn’t stop at fingerprinting. It exfiltrates passwords, certain files, and the history of Terminal commands. Stolen data is sent to the C2 domain via encrypted DNS queries using the wheezy[.]io DNS server.
Analyst Comment: The presence of the malicious torchtriton binary can be detected, and it should be uninstalled. PyTorch team has renamed the 'torchtriton' library to 'pytorch-triton' and reserved the name on PyPI to prevent similar attacks. Opensource repositories and apps are a valuable asset for many organizations but adoption of these must be security risk assessed, appropriately mitigated and then monitored to ensure ongoing integrity.
MITRE ATT&CK: [MITRE ATT&CK] T1195.001 - Supply Chain Compromise: Compromise Software Dependencies And Development Tools | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] T1003.008 - OS Credential Dumping: /Etc/Passwd And /Etc/Shadow | [MITRE ATT&CK] T1041 - Exfiltration Over C2 Channel
Tags: Dependency confusion, Dependency chain compromise, PyPI, PyTorch, torchtriton, Facebook, Meta AI, Exfiltration over DNS, Linux
Linux Backdoor Malware Infects WordPress-Based Websites
(published: December 30, 2022)
Doctor Web researchers have discovered a new Linux backdoor that attacks websites based on the WordPress content management system. The latest version of the backdoor exploits 30 vulnerabilities in outdated versions of WordPress add-ons (plugins and themes). The exploited website pages are injected with a malicious JavaScript that intercepts all users clicks on the infected page to cause a malicious redirect.
Analyst Comment: Owners of WordPress-based websites should keep all the components of the platform up-to-date, including third-party add-ons and themes. Use |
Malware Tool Vulnerability Threat Patching Medical | APT 38 LastPass | ★★ |
 |
2022-12-22 00:00:00 | Le rapport Threat Lab de WatchGuard révèle que la principale menace emprunte exclusivement des connexions chiffrées (lien direct) | Paris, le 4 janvier 2023 – WatchGuard® Technologies, leader mondial de la cybersécurité unifiée, publie son dernier Rapport trimestriel sur la sécurité Internet, qui présente les grandes tendances en matière de malwares et de menaces pour la sécurité des réseaux et des endpoints analysées par les chercheurs du Threat Lab de WatchGuard au 3ème trimestre 2022. Ses conclusions clés révèlent notamment que la principale menace du trimestre en matière de logiciels malveillants a été détectée exclusivement via des connexions chiffrées, que les attaques ICS conservent leur popularité, que le logiciel malveillant LemonDuck évolue au-delà du cryptominage, et qu'un moteur de triche Minecraft diffuse une charge utile malveillante. " Nous ne saurions trop insister sur l'importance d'activer l'inspection HTTPS, même si elle nécessite quelques réglages et exceptions pour fonctionner correctement. La majorité des logiciels malveillants utilisent le protocole chiffré HTTPS, et ces menaces ne sont pas détectées en l'absence d'inspection ", a déclaré Corey Nachreiner, Chief Security Officer chez WatchGuard Technologies. " À juste titre, les plus grands objets de convoitise des cybercriminels, comme les serveurs Exchange ou les systèmes de gestion SCADA, méritent également un maximum d'attention. Lorsqu'un correctif est disponible, il est important de procéder immédiatement à la mise à jour, car les cybercriminels finiront par tirer profit de toute organisation qui n'a pas encore mis en œuvre le dernier correctif. " Le rapport sur la sécurité Internet du 3ème trimestre contient d'autres résultats clés, notamment : La grande majorité des logiciels malveillants empruntent des connexions chiffrées – Bien qu'il soit arrivé 3ème dans la liste classique des 10 principaux malwares du 3ème trimestre, Agent.IIQ a pris la tête de la liste des logiciels malveillants chiffrés pour cette même période. De fait, en regardant les détections de ce malware sur ces deux listes, il apparaît que toutes les détections d'Agent.IIQ proviennent de connexions chiffrées. Au 3ème trimestre, si une appliance Firebox inspectait le trafic chiffré, 82 % des logiciels malveillants détectés passaient par une connexion chiffrée, ce qui correspond à seulement 18 % de détections sans chiffrement. Si le trafic chiffré n'est pas inspecté sur Firebox, il est très probable que ce ratio moyen s'applique et que l'entreprise passe à côté d'une énorme partie des logiciels malveillants. Les systèmes ICS et SCADA restent les cibles d'attaques les plus courantes – Ce trimestre, une attaque de type injection SQL ayant touché plusieurs fournisseurs a fait son apparition dans la liste des dix principales attaques réseau. Advantech fait partie des entreprises concernées. Son portail WebAccess est utilisé pour les systèmes SCADA dans une variété d'infrastructures critiques. Un autre exploit sérieux au 3ème trimestre, également classé parmi les cinq principales attaques réseau en termes de volume, a visé les versions 1.2.1 et antérieures du logiciel U.motion Builder de Schneider Electric. Un rappel brutal du fait que les cybercriminels ne se contentent pas d'attendre tranquillement la prochaine opportunité, mais qu'ils cherchent activement à compromettre les systèmes chaque fois que cela est possible. Les vulnérabilités des serveurs Exchange continuent de poser des risques – La C | Ransomware Malware Tool Threat | APT 3 | ★★★ |
|
2022-12-13 16:00:00 | Anomali Cyber Watch: MuddyWater Hides Behind Legitimate Remote Administration Tools, Vice Society Tops Ransomware Threats to Education, Abandoned JavaScript Library Domain Pushes Web-Skimmers (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Compromised websites, Education, Healthcare, Iran, Phishing, Ransomware, and Supply chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New MuddyWater Threat: Old Kitten; New Tricks
(published: December 8, 2022)
In 2020-2022, Iran-sponsored MuddyWater (Static Kitten, Mercury) group went through abusing several legitimate remote administration tools: RemoteUtilities, followed by ScreenConnect and then Atera Agent. Since September 2022, a new campaign attributed to MuddyWater uses spearphishing to deliver links to archived MSI files with yet another remote administration tool: Syncro. Deep Instinct researchers observed the targeting of Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and United Arab Emirates.
Analyst Comment: Network defenders are advised to establish a baseline for typical running processes and monitor for remote desktop solutions that are not common in the organization.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Remote Access Tools - T1219
Tags: mitre-group:MuddyWater, actor:Static Kitten, actor:Mercury, Iran, source-country:IR, APT, Cyberespionage, Ministry of Intelligence and Security, detection:Syncro, malware-type:RAT, file-type:MSI, file-type:ZIP, OneHub, Windows
Babuk Ransomware Variant in Major New Attack
(published: December 7, 2022)
In November 2022, Morphisec researchers identified a new ransomware variant based on the Babuk source code that was leaked in 2021. One modification is lowering detection by abusing the legitimate Microsoft signed process: DLL side-loading into NTSD.exe — a Symbolic Debugger tool for Windows. The mechanism to remove the available Shadow Copies was changed to using Component Object Model objects that execute Windows Management Instrumentation queries. This sample was detected in a large, unnamed manufacturing company where attackers had network access and were gathering information for two weeks. They have compromised the company’s domain controller and used it to distribute ransomware to all devices within the organization through Group Policy Object. The delivered BAT script bypasses User Account Control and executes a malicious MSI file that contains files for DLL side-loading and an open-source-based reflective loader (OCS files).
Analyst Comment: The attackers strive to improve their evasion techniques, their malware on certain steps hides behind Microsoft-signed processes and exists primarily in device memory. It increases the need for the defense-in-depth approach and robust monitoring of your organization domain.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Abuse Elevation Control Mechanism - T1548 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | |
Ransomware Malware Tool Threat Medical | APT 38 | ★★★ |
|
2022-12-06 17:09:00 | Anomali Cyber Watch: Infected Websites Show Different Headers Depending on Search Engine Fingerprinting, 10 Android Platform Certificates Abused in the Wild, Phishing Group Impersonated Major UAE Oil (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, In-memory evasion, Infostealers, North Korea, Phishing, Ransomware, Search engine optimization, and Signed malware. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Chinese Gambling Spam Targets World Cup Keywords
(published: December 2, 2022)
Since 2018, a large-scale website infection campaign was affecting up to over 100,000 sites at a given moment. Infected websites, mostly oriented at audiences in China, were modified with additional scripts. Compromised websites were made to redirect users to Chinese gambling sites. Title and Meta tags on the compromised websites were changed to display keywords that the attackers had chosen to abuse search engine optimization (SEO). At the same time, additional scripts were switching the page titles back to the original if the visitor fingerprinting did not show a Chinese search engine from a preset list (such as Baidu).
Analyst Comment: Website owners should keep their systems updated, use unique strong passwords and introduce MFA for all privileged or internet facing resources, and employ server-side scanning to detect unauthorized malicious content. Implement secure storage for website backups.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Obfuscated Files or Information - T1027
Tags: SEO hack, HTML entities, Black hat SEO, Fraudulent redirects, Visitor fingerprinting, Gambling, Sports betting, World Cup, China, target-country:CN, JavaScript, Baidu, baiduspider, Sogou, 360spider, Yisou
Leaked Android Platform Certificates Create Risks for Users
(published: December 2, 2022)
On November 30, 2022, Google reported 10 different Android platform certificates that were seen actively abused in the wild to sign malware. Rapid7 researchers found that the reported signed samples are adware, so it is possible that these platform certificates may have been widely available. It is not shared how these platform certificates could have been leaked.
Analyst Comment: Malware signed with a platform certificate can enjoy privileged execution with system permissions, including permissions to access user data. Developers should minimize the number of applications requiring a platform certificate signature.
Tags: Android, Google, Platform certificates, Signed malware, malware-type:Adware
Blowing Cobalt Strike Out of the Water With Memory Analysis
(published: December 2, 2022)
The Cobalt Strike attack framework remains difficult to detect as it works mostly in memory and doesn’t touch the disk much after the initial loader stage. Palo Alto researchers analyzed three types of Cobalt Strike loaders: KoboldLoader which loads an SMB beacon, MagnetLoader loading an HTTPS beacon, and LithiumLoader loading a stager beacon. These beacon samples do not execute in normal sandbox environments and utilize in-me |
Spam Malware Tool Threat Medical | APT 38 | ★★★ |
|
2022-11-22 23:47:00 | Anomali Cyber Watch: URI Fragmentation Used to Stealthily Defraud Holiday Shoppers, Lazarus and BillBug Stick to Their Custom Backdoors, Z-Team Turned Ransomware into Wiper, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Phishing, Ransomware, Signed malware, and Wipers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
DEV-0569 Finds New Ways to Deliver Royal Ransomware, Various Payloads
(published: November 17, 2022)
From August to October, 2022, Microsoft researchers detected new campaigns by a threat group dubbed DEV-0569. For delivery, the group alternated between delivering malicious links by abusing Google Ads for malvertising and by using contact forms on targeted organizations’ public websites. Fake installer files were hosted on typosquatted domains or legitimate repositories (GitHub, OneDrive). First stage was user-downloaded, signed MSI or VHD file (BatLoader malware), leading to second stage payloads such as BumbleBee, Gozi, Royal Ransomware, or Vidar Stealer.
Analyst Comment: DEV-0569 is a dangerous group for its abuse of legitimate services and legitimate certificates. Organizations should consider educating and limiting their users regarding software installation options. Links from alternative incoming messaging such as from contact forms should be treated as thorough as links from incoming email traffic.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: actor:DEV-0569, detection:Cobalt Strike, detection:Royal, malware-type:Ransomware, file-type:VHD, detection:NSudo, malware-type:Hacktool, detection:IcedID, Google Ads, Keitaro, Traffic distribution system, detection:Gozi, detection:BumbleBee, NirCmd, detection:BatLoader, malware-type:Loader, detection:Vidar, malware-type:Stealer, AnyDesk, GitHub, OneDrive, PowerShell, Phishing, SEO poisoning, TeamViewer, Adobe Flash Player, Zoom, Windows
Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment
(published: November 16, 2022)
From mid-September 2022, a new phishing campaign targets users in North America with holiday special pretenses. It impersonated a number of major brands including Costco, Delta Airlines, Dick's, and Sam's Club. Akamai researchers analyzed techniques that the underlying sophisticated phishing kit was using. For defense evasion and tracking, the attackers used URI fragmentation. They were placing target-specific tokens after the URL fragment identifier (a hash mark, aka HTML anchor). The value was used by a JavaScript code running on the victim’s browser to reconstruct the redirecting URL.
Analyst Comment: Evasion through URI fragmentation hides the token value from traff |
Ransomware Malware Tool Threat Guideline Medical | APT 38 | ★★★★ |
|
2022-10-25 16:53:00 | Anomali Cyber Watch: Daixin Team Ransoms Healthcare Sector, Earth Berberoka Breaches Casinos for Data, Windows Affected by Bring-Your-Own-Vulnerable-Driver Attacks, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, DDoS, Infostealers, Iran, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Alert (AA22-294A) #StopRansomware: Daixin Team
(published: October 21, 2022)
Daixin Team is a double-extortion ransomware group that has been targeting US businesses, predominantly in the healthcare sector. Since June 2022, Daixin Team has been encrypting electronic health record services, diagnostics services, imaging services, and intranet services. The group has exfiltrated personal identifiable information and patient health information. Typical intrusion starts with initial access through virtual private network (VPN) servers gained by exploitation or valid credentials derived from prior phishing. They use SSH and RDP for lateral movement and target VMware ESXi systems with ransomware based on leaked Babuk Locker source code.
Analyst Comment: Network defenders should keep organization’s VPN servers up-to-date on security updates. Enable multifactor authentication (MFA) on your VPN server and other critical accounts (administrative, backup-related, and webmail). Restrict the use of RDP, SSH, Telnet, virtual desktop and similar services in your environment.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Remote Service Session Hijacking - T1563 | [MITRE ATT&CK] Use Alternate Authentication Material - T1550 | [MITRE ATT&CK] Exfiltration Over Web Service - T1567 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: actor:Daixin Team, malware-type:Ransomware, PHI, SSH, RDP, Rclone, Ngrok, target-sector:Health Care NAICS 62, ESXi, VMware, Windows
Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool
(published: October 21, 2022)
Symantec detected a new custom data exfiltration tool used in a number of BlackByte ransomware attacks. This infostealer, dubbed Exbyte, performs anti-sandbox checks and proceeds to exfiltrate selected file types to a hardcoded Mega account. BlackByte ransomware-as-a-service operations were first uncovered in February 2022. The group’s recent attacks start with exploiting public-facing vulnerabilities of ProxyShell and ProxyLogon families. BlackByte removes Kernel Notify Routines to bypass Endpoint Detection and Response (EDR) products. The group uses AdFind, AnyDesk, Exbyte, NetScan, and PowerView tools and deploys BlackByte 2.0 ransomware payload.
Analyst Comment: It is crucial that your company ensures that servers are |
Ransomware Malware Tool Vulnerability Threat Medical | APT 38 | |
 |
2022-10-05 12:15:00 | North Korea\'s Lazarus group uses vulnerable Dell driver to blind security solutions (lien direct) | The notorious North Korean state-sponsored hacker group Lazarus has begun exploiting a known vulnerability in an OEM driver developed by Dell to evade detection by security solutions. This is a prime example of why it's important to always keep third-party PC manufacturer software, which is often neglected, up to date, as well as to add vulnerable versions to blocklists.“The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver,” security researchers from antivirus firm ESET said in a recent report. “This is the first ever recorded abuse of this vulnerability in the wild. The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way.”To read this article in full, please click here | Tool Vulnerability | APT 38 | |
|
2022-10-04 18:08:00 | Anomali Cyber Watch: Canceling Subscription Installs Royal Ransomware, Lazarus Covinces to SSH to Its Servers, Polyglot File Executed Itself as a Different File Type, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: DLL side-loading, Influence operations, Infostealers, North Korea, Ransomware, Russia, and Social engineering. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New Royal Ransomware Emerges in Multi-Million Dollar Attacks
(published: September 29, 2022)
AdvIntel and BleepingComputer researchers describe the Royal ransomware group. Several experienced ransomware actors formed this group in January 2022. It started with third-party encryptors such as BlackCat, switched to using its own custom Zeon ransomware, and, since the middle of September 2022, the Royal ransomware. Royal group utilizes targeted callback phishing attacks. Its phishing emails impersonating food delivery and software providers contained phone numbers to cancel the alleged subscription (after the alleged end of a free trial). If an employee calls the number, Royal uses social engineering to convince the victim to install a remote access tool, which is used to gain initial access to the corporate network.
Analyst Comment: Use services such as Anomali's Premium Digital Risk Protection to detect the abuse of your brands in typosquatting and phishing attacks. Organizations should include callback phishing attacks awareness into their anti-phishing training.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Phishing - T1566
Tags: actor:Royal, detection:Zeon, detection:Royal, malware-type:Ransomware, detection:BlackCat, detection:Cobalt Strike, Callback phishing attacks, Spearphishing, Social Engineering
ZINC Weaponizing Open-Source Software
(published: September 29, 2022)
Microsoft researchers described recent developments in Lazarus Group (ZINC) campaigns that start from social engineering conversations on LinkedIn. Since June 2022, Lazarus was able to trojanize several open-source tools (KiTTY, muPDF/Subliminal Recording software installer, PuTTY, TightVNC, and Sumatra PDF Reader). When a target extracts the trojanized tool from the ISO file and installs it, Lazarus is able to deliver their custom malware such as EventHorizon and ZetaNile. In many cases, the final payload was not delivered unless the target manually established an SSH connection to an attacker-controlled IP address provided in the attached ReadMe.txt file.
Analyst Comment: All known indicators connected to this recent Lazarus Group campaign are available in the Anomali platform and customers are advised to block these on their infrastructure. Researchers should monitor for the additional User Execution step required for payload delivery. Defense contractors should be aware of advanced social engineering efforts abusing LinkedIn and other means of establishing trusted communication.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Scheduled Task - T1053 | |
Ransomware Malware Tool Threat Medical | APT 38 | |
|
2022-09-13 15:00:00 | Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Defense evasion, DDoS, Iran, Ransomware, PlugX, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Microsoft Investigates Iranian Attacks Against the Albanian Government
(published: September 8, 2022)
Microsoft researchers discovered that groups working under Iran’s Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow’s anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania.
Analyst Comment: MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in a form of direct and proportional retaliation as it sees it. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users advised to block known OilRig network indicators.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070
Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona
BRONZE PRESIDENT Targets Government Officials
(published: September 8, 2022)
Secureworks researchers detected a new campaign by China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters.
Analyst Comment: Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | |
Ransomware Malware Tool Vulnerability Threat Guideline | APT 27 APT 34 | |
 |
2022-09-08 08:39:42 | Lazarus and the tale of three RATs (lien direct) |  By Jung soo An, Asheer Malhotra and Vitor Ventura.Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations.Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan. The campaign is meant to infiltrate organizations around the world for establishing long term access and subsequently exfiltrating data of interest to the adversary's nation-state.Talos has discovered the use of two known families of malware in these intrusions - VSingle and YamaBot.Talos has also discovered the use of a recently disclosed implant we're calling "MagicRAT" in this campaign. IntroductionCisco Talos observed North Korean state-sponsored APT Lazarus Group conducting malicious activity between February and July 2022. Lazarus has been previously attributed to the North Korean government by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The entry vectors involve the successful exploitation of vulnerabilities in VMWare products to establish initial footholds into enterprise networks, followed by the deployment of the group's custom malware implants, VSingle and YamaBot. In addition to these known malware families, we have also discovered the use of a previously unknown malware implant we're calling "MagicRAT."This campaign was previously partially disclosed by other security firms, but our findings reveal more details about the adversary's modus operandi. We have also observed an overlap of command and control (C2) and payload-hosting infrastructure between our findings and the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) June advisory that detailed continued attempts from threat actors to compromise vulnerable VMWare Horizon servers.In this research, we illustrate Lazarus Group's post-exploitation tactics, techniques and procedures (TTPs) to establish a foothold, perform initial reconnaissance, deploy bespoke malware and move laterally across infected enterprises. We also provide details about the activities performed by the attackers when the VSingle backdoor is instrumented on the infected endpoints.In this campaign, Lazarus was primarily targeting energy companies in Canada, the U.S. and Japan. The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean govern |
Malware Tool Vulnerability Threat Medical | APT 38 | |
|
2022-08-30 15:01:00 | Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Authentication, DDoS, Fingerprinting, Iran, North Korea, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
LastPass Hackers Stole Source Code
(published: August 26, 2022)
In August 2022, an unidentified threat actor gained access to portions of the password management giant LastPass development environment. LastPass informed that it happened through a single compromised developer account and the attacker took portions of source code and some proprietary LastPass technical information. The company claims that this incident did not affect customer data or encrypted password vaults.
Analyst Comment: This incident doesn’t seem to have an immediate impact on LastPass users. Still, organizations relying on LastPass should raise the concern in their risk assessment since “white-box hacking” (when source code of the attacking system is known) is easier for threat actors. Organizations providing public-facing software should take maximum measures to block threat actors from their development environment and establish robust and transparent security protocols and practices with all third parties involved in their code development.
Tags: LastPass, Password manager, Data breach, Source code
Mercury Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli
(published: August 25, 2022)
Starting in July 2022, a new campaign by Iran-sponsored group Static Kitten (Mercury, MuddyWater) was detected targeting Israeli organizations. Microsoft researchers detected that this campaign was leveraging exploitation of Log4j 2 vulnerabilities (CVE-2021-45046 and CVE-2021-44228) in SysAid applications (IT management tools). For persistence Static Kitten was dropping webshells, creating local administrator accounts, stealing credentials, and adding their tools in the startup folders and autostart extensibility point (ASEP) registry keys. Overall the group was heavily using various open-source and built-in operating system tools: eHorus remote management software, Ligolo reverse tunneling tool, Mimikatz credential theft tool, PowerShell programs, RemCom remote service, Venom proxy tool, and Windows Management Instrumentation (WMI).
Analyst Comment: Network defenders should monitor for alerts related to web shell threats, suspicious RDP sessions, ASEP registry anomaly, and suspicious account creation. Similarly, SysAid users can monitor for webshells and abnormal processes related to SysAisServer instance. Even though Static Kitten was observed leveraging the Log4Shell vulnerabilities in the past (targeting VMware apps), most of their attacks still start with spearphishing, often from a compromised email account.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Phishing - T1566 | |
Ransomware Hack Tool Vulnerability Threat Guideline Cloud | APT 37 APT 29 LastPass | |
 |
2022-08-23 11:57:26 | Charming Kitten APT Wields New Scraper to Steal Email Inboxes (lien direct) | Google researchers say the nation-state hacking team is now employing a data-theft tool that targets Gmail, Yahoo!, and Microsoft Outlook accounts using previously acquired credentials. | Tool | Yahoo APT 35 | |
|
2022-08-23 07:50:00 | Google Uncovers Tool Used by Iranian Hackers to Steal Data from Email Accounts (lien direct) | The Iranian government-backed actor known as Charming Kitten has added a new tool to its malware arsenal that allows it to retrieve user data from Gmail, Yahoo!, and Microsoft Outlook accounts. Dubbed HYPERSCRAPE by Google Threat Analysis Group (TAG), the actively in-development malicious software is said to have been used against less than two dozen accounts in Iran, with the oldest known | Malware Tool Threat Conference | Yahoo APT 35 | |
|
2022-08-16 15:06:00 | Anomali Cyber Watch: Ransomware Module Added to SOVA Android Trojan, Bitter APT Targets Mobile Phones with Dracarys, China-Sponsored TA428 Deploys Six Backdoors at Once, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, China, Cyberespionage, India, Malspam, Ransomware, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
APT-C-35: New Windows Framework Revealed
(published: August 11, 2022)
The DoNot Team (APT-C-35) are India-sponsored actors active since at least 2016. Morphisec Labs researchers discovered a new Windows framework used by the group in its campaign targeting Pakistani government and defense departments. The attack starts with a spearphishing RTF attachment. If opened in a Microsoft Office application, it downloads a malicious remote template. After the victim enables editing (macroses) a multi-stage framework deployment starts. It includes two shellcode stages followed by main DLL that, based on victim fingerprinting, downloads a custom set of additional information-stealing modules.
Analyst Comment: The described DoNot Team framework is pretty unique in its customisation, fingerprinting, and module implementation. At the same time, the general theme of spearphishing attachment that asks the targeted user to enable editing is not new and can be mitigated by anti-phishing training and Microsoft Office settings hardening.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Template Injection - T1221 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Data from Removable Media - T1025 | [MITRE ATT&CK] Data from Network Shared Drive - T1039 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059
Tags: APT-C-35, DoNot Team, APT, India, source-country:IN, Government, Military, Pakistan, target-country:PK, Windows |
Ransomware Malware Tool Vulnerability Threat Guideline Medical | APT 38 | |
|
2022-08-02 15:17:00 | Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyber mercenaries, Phishing, Rootkits, Spyware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”
(published: July 28, 2022)
Volexity researchers discovered SharpExt, a new malicious browser app used by the North-Korea sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the app, the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter almost exclusively used in South Korea. Following the initial compromise, Velvet Chollima deploy SharpExt and to avoid warning the victim they manually exfiltrate settings files to change the settings and generate a valid "super_mac" security check value. They also hide the newly opened DevTools window and any other warning windows such as a warning regarding extensions running in developer mode.
Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it was concentrating on stealing credentials instead of emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match).
MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Hide Artifacts - T1564
Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension
Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits
(published: July 27, 2022)
Microsoft researchers detail activity of DSIRF, Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF was exploiting another Adobe Reader vulnerability, CVE-2022-22047, which was patched in July 2022. DSIRF attacks rely on their malware toolset called Subzero. The initial downloader shellcode is executed from either the exploit chains or malicious Excel documents. It downloads a JPG image file with extra encrypted data, extracts, decrypts and loads to the memory the Corelump memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se |
Malware Tool Vulnerability Threat Patching Guideline Cloud | APT 37 APT 28 | |
 |
2022-06-24 15:00:00 | What is iOS Hermit spyware? (lien direct) | >iOS Hermit spyware is a commercial-grade surveillance tool derived from a known Android surveillance tool. Learn more + how to stay safe. | Tool Cloud | APT 37 | |
|
2022-06-21 15:03:00 | Anomali Cyber Watch: GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool, DragonForce Malaysia OpsPatuk / OpsIndia and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT35, CrescentImp, Follina, Gallium, Phosphorous, and Sandworm. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Update: The Phish Goes On - 5 Million Stolen Credentials and Counting
(published: June 16, 2022)
PIXM researchers describe an ongoing, large-scale Facebook phishing campaign. Its primary targets are Facebook Messenger mobile users and an estimated five million users lost their login credentials. The campaign evades Facebook anti-phishing protection by redirecting to a new page at a legitimate service such as amaze.co, famous.co, funnel-preview.com, or glitch.me. In June 2022, the campaign also employed the tactic of displaying legitimate shopping cart content at the final page for about two seconds before displaying the phishing content. The campaign is attributed to Colombian actor BenderCrack (Hackerasueldo) who monetizes displaying affiliate ads.
Analyst Comment: Users should check what domain is asking for login credentials before providing those. Organizations can consider monitoring their employees using Facebook as a Single Sign-On (SSO) Provider.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204
Tags: Facebook, Phishing, Facebook Messenger, Social networks, Mobile, Android, iOS, Redirect, Colombia, source-country:CO, BenderCrack, Hackerasueldo
F5 Labs Investigates MaliBot
(published: June 15, 2022)
F5 Labs researchers describe a novel Android trojan, dubbed MaliBot. Based on re-written SOVA malware code, MaliBot is maintaining its Background Service by setting itself as a launcher. Its code has some unused evasion portions for emulation environment detection and setting the malware as a hidden app. MaliBot spreads via smishing, takes control of the device and monetizes using overlays for certain Italian and Spanish banks, stealing cryptocurrency, and sometimes sending Premium SMS to paid services.
Analyst Comment: Users should be wary of following links in unexpected SMS messages. Try to avoid downloading apps from third-party websites. Be cautious with enabling accessibility options.
MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] User Execution - T1204
Tags: MaliBot, Android, MFA bypass, SMS theft, Premium SMS, Smishing, Binance, Trust wallet, VNC, SOVA, Sality, Cryptocurrency, Financial, Italy, target-country:IT, Spain, target-country:ES
Extortion Gang Ransoms Shoprite, Largest Supermarket Chain in Africa
(published: June 15, 2022)
On June 10, 2022, the African largest supermarket chain operating in twelve countries, Shoprite Holdings, announced a possible cybersecurity incident. The company notified customers in E |
Ransomware Malware Tool Vulnerability Threat Guideline Conference | Yahoo APT 35 | |
|
2022-05-17 15:01:00 | Anomali Cyber Watch: Costa Rica in Ransomware Emergency, Charming Kitten Spy and Ransom, Saitama Backdoor Hides by Sleeping, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Conti ransomware, India, Iran, Russia, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
COBALT MIRAGE Conducts Ransomware Operations in U.S.
(published: May 12, 2022)
Secureworks researchers describe campaigns by Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity systems, and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and using commodity tools for encryption, internal scanning, and lateral movement.
Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your system updated, and employ mitigation strategies when updates for critical vulnerabilities are not available.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, Powershell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591
SYK Crypter Distributing Malware Families Via Discord
(published: May 12, 2022)
Morphisec researchers discovered a new campaign abusing popular messaging platform Discord content distribution network (CDN). If a targeted user activates the phishing attachment, it starts the DNetLoader malware that reaches out to the hardcoded Discord CDN link and downloads a next stage crypter such as newly-discovered SYK crypter. SYK crypter is being loaded into memory where it decrypts its configuration and the next stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions and checks for d |
Ransomware Malware Tool Vulnerability Threat Conference | APT 35 APT 15 APT 34 | |
|
2022-05-03 16:31:00 | Anomali Cyber Watch: Time-to-Ransom Under Four Hours, Mustang Panda Spies on Russia, Ricochet Chollima Sends Goldbackdoor to Journalists, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, LNK files, Malspam, North Korea, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity
(published: April 28, 2022)
ESET researchers found three different teams under China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019. Infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog’s infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs).
Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Inter-Process Communication - T1559 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Process Injection - T1055 | |
Ransomware Malware Tool Vulnerability Threat Guideline Cloud | APT 37 APT 10 APT 10 | |
|
2022-04-26 16:24:00 | Anomali Cyber Watch: Gamaredon Delivers Four Pterodos At Once, Known-Plaintext Attack on Yanlouwang Encryption, North-Korea Targets Blockchain Industry, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, CatalanGate, Cloud, Cryptocurrency, Information stealers, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems
(published: April 25, 2022)
Cybereason researchers have compared trending attacks involving SocGholish and Zloader malware. Both infection chains begin with social engineering and malicious downloads masquerading as legitimate software, and both lead to data theft and possible ransomware installation. SocGholish attacks rely on drive-by downloads followed by user execution of purported browser installer or browser update. The SocGholish JavaScript payload is obfuscated using random variable names and string manipulation. The attacker domain names are written in reverse order with the individual string characters being put at the odd index positions. Zloader infection starts by masquerading as a popular application such as TeamViewer. Zloader acts as information stealer, backdoor, and downloader. Active since 2016, Zloader actively evolves and has acquired detection evasion capabilities, such as excluding its processes from Windows Defender and using living-off-the-land (LotL) executables.
Analyst Comment: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets - T1558 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | |
Ransomware Malware Tool Vulnerability Threat Guideline Medical | Uber APT 38 APT 28 | |
|
2022-02-15 20:01:00 | Anomali Cyber Watch: Mobile Malware Is On The Rise, APT Groups Are Working Together, Ransomware For The Individual, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Mobile Malware, APTs, Ransomware, Infostealers, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
What’s With The Shared VBA Code Between Transparent Tribe And Other Threat Actors?
(published: February 9, 2022)
A recent discovery has been made that links malicious VBA macro code between multiple groups, namely: Transparent Tribe, Donot Team, SideCopy, Operation Hangover, and SideWinder. These groups operate (or operated) out of South Asia and use a variety of techniques with phishing emails and maldocs to target government and military entities within India and Pakistan. The code is similar enough that it suggests cooperation between APT groups, despite having completely different goals/targets.
Analyst Comment: This research shows that APT groups are sharing TTPs to assist each other, regardless of motive or target. Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Phishing - T1566
Tags: Transparent Tribe, Donot, SideWinder, Asia, Military, Government
Fake Windows 11 Upgrade Installers Infect You With RedLine Malware
(published: February 9, 2022)
Due to the recent announcement of Windows 11 upgrade availability, an unknown threat actor has registered a domain to trick users into downloading an installer that contains RedLine malware. The site, "windows-upgraded[.]com", is a direct copy of a legitimate Microsoft upgrade portal. Clicking the 'Upgrade Now' button downloads a 734MB ZIP file which contains an excess of dead code; more than likely this is to increase the filesize for bypassing any antivirus scan. RedLine is a well-known infostealer, capable of taking screenshots, using C2 communications, keylogging and more.
Analyst Comment: Any official Windows update or installation files will be downloaded through the operating system directly. If offline updates are necessary, only go through Microsoft sites and subdomains. Never update Windows from a third-party site due to this type of attack.
MITRE ATT&CK: [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: RedLine, Windows 11, Infostealer
|
Ransomware Malware Tool Vulnerability Threat Guideline | Uber APT 43 APT 36 APT-C-17 | |
|
2022-01-19 22:45:00 | Anomali Cyber Watch: Russia-Sponsored Cyber Threats, China-Based Earth Lusca Active in Cyberespionage and Cybertheft, BlueNoroff Hunts Cryptocurrency-Related Businesses, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, HTTP Stack, Malspam, North Korea, Phishing, Russia and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques
(published: January 17, 2022)
The Earth Lusca threat group is part of the Winnti cluster. It is one of different Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs) including the use of Winnti malware. Earth Lusca were active throughout 2021 committing both cyberespionage operations against government-connected organizations and financially-motivated intrusions targeting gambling and cryptocurrency-related sectors. For intrusion, the group tries different ways in including: spearphishing, watering hole attacks, and exploiting publicly facing servers. Cobalt Strike is one of the group’s preferred post-exploitation tools. It is followed by the use of the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group employs two separate infrastructure clusters, first one is rented Vultr VPS servers used for command-and-control (C2), second one is compromised web servers used to scan for vulnerabilities, tunnel traffic, and Cobalt Strike C2.
Analyst Comment: Earth Lusca often relies on tried-and-true techniques that can be stopped by security best practices, such as avoiding clicking on suspicious email/website links and or reacting on random banners urging to update important public-facing applications. Don’t be tricked to download Adobe Flash update, it was discontinued at the end of December 2020. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) updated.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hijack Execution Flow |
Ransomware Malware Tool Vulnerability Threat Patching Guideline | APT 41 APT 38 APT 29 APT 28 APT 28 | |
|
2021-12-29 16:00:00 | Anomali Cyber Watch: Equation Group\'s Post-Exploitation Framework, Decentralized Finance (DeFi) Protocol Exploited, Third Log4j Vulnerability, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache Log4j 2, APT, Malspam, Ngrok relay, Phishing, Sandbox evasion, Scam, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard
(published: December 27, 2021)
Check Point researchers have published their findings on the Equation Group’s post-exploitation framework DanderSpritz — a major part of the “Lost in Translation” leak — with a focus on its DoubleFeature logging tool. DoubleFeature (similar to other Equation Group tools) employs several techniques to make forensic analysis difficult: function names are not passed explicitly, but instead a checksum of it; strings used in DoubleFeature are decrypted on-demand per function and they are re-encrypted once function execution completes. DoubleFeature also supports additional obfuscation methods, such as a simple substitution cipher and a stream cipher. In its information gathering DoubleFeature can monitor multiple additional plugins including: KillSuit (also known as KiSu and GrayFish) plugin that is running other plugins, providing a framework for persistence and evasion, MistyVeal (MV) implant verifying that the targeted system is indeed an authentic victim, StraitBizarre (SBZ) cross-platform implant, and UnitedRake remote access tool (UR, EquationDrug).
Analyst Comment: It is important to study Equation Group’s frameworks because some of the leaked exploits were seen exploited by other threat actors. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140
Tags: Equation Group, DanderSpritz, DoubleFeature, Shadow Brokers, EquationDrug, UnitedRake, DiveBar, KillSuit, GrayFish, StraitBizarre, MistyVeal, PeddleCheap, DiceDealer, FlewAvenue, DuneMessiah, CritterFrenzy, Elby loader, BroughtHotShot, USA, Russia, APT
Dridex Affiliate Dresses Up as Scrooge
(published: December 23, 2021)
Days before Christmas, an unidentified Dridex affiliate is using malspam emails with extremely emotion-provoking lures. One malicious email purports that 80% of the company’s employees have tested positive for Omicron, a variant of COVID-19, another email claims that the recipient was just terminated from his or her job. The attached malicious Microsoft Excel documents have two anti-sandbox features: they are password protected, and the macro doesn’t run until a user interacts with a pop-up dialog. If the user makes the macro run, it will drop an .rtf f |
Ransomware Malware Tool Vulnerability Threat Conference | APT 35 |
To see everything:
Our RSS (filtrered)
