This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2024-05-30T09:16:07+00:00 www.secnews.physaphae.fr Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces événement de sécurité mondiale anomali Intel - Progress Software Vulnerabilities & ndash;Moveit & amp;DataDirect Connect (Publié: 16 juin 2023) Après la découverte de CVE-2023-34362 et son exploitation antérieure par un affilié des ransomwares CLOP, plusieurs vulnérabilités supplémentaires ont été découvertes dans Moveit Transfer (CVE-2023-35036 et CVE-2023-35708) et d'autres produits de logiciels de progrès (CVE et CVE-2023-34363 et CVE-2023-34364).Alors que le site de fuite de Darkweb du groupe (> _clop ^ _- les fuites) a commencé à s'adresser aux entités compromises, l'événement d'exploitation original a été évalué comme un événement de sécurité mondial.Ceci est basé sur la liste croissante des organisations violées connues et l'utilisation de Moveit parmi des milliers d'organisations à travers le monde, y compris les secteurs public, privé et gouvernemental. Commentaire des analystes: Les défenseurs du réseau doivent suivre les étapes d'assainissement des logiciels de progrès qui incluent le durcissement, la détection, le nettoyage et l'installation des récentes correctifs de sécurité de transfert Moveit.Les règles YARA et les indicateurs basés sur l'hôte associés à l'exploitation de déplacement observé sont disponibles dans la plate-forme Anomali pour la détection et la référence historique. mitre att & amp; ck: [mitre att & amp; ck] t1190 - exploiter le publicApplication | [mitre att & amp; ck] t1036 - masquée | [mitre att & amp; ck] t1560.001 - Données collectées par les archives: archive via l'utilité Signatures (Sigma Rules): Exploitation potentielle de transfert de déplacement | exploitation movet . (Règles Yara) lemurloot webshell dll charges utiles - yara by mandiant | scénarisation de la webshell lemurloot ASP.net - yara par mandiant | exploitation movet - yara par Florian Roth | moveit_transfer_exploit_webshell_aspx | moveit_transfer_exploit_webshell_dll Tags: Target-Software: Moveit Transfer, Vulnérabilité: CVE-2023-34362, Vulnérabilité: CVE-2023-35036, Vulnérabilité: CVE-2023-35708, Vulnérabilité: CVE-2023-34363, Vulnérabilité:CVE-2023-34364, Target-Country: ÉtatsType: ransomware, malware: Lemurloot, Type de logiciels malveillants: webs]]> 2023-06-21T20:11:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-cadet-blizzard-new-gru-apt-chameldoh-hard-to-detect-linux-rat-stealthy-doublefinger-targets-cryptocurrency www.secnews.physaphae.fr/article.php?IdArticle=8347828 False Threat,Ransomware,Cloud,Tool APT 28 2.0000000000000000 Anomali - Firm Blog Anomali MOVEit Vulnerability Dashboard The Anomali Threat Research team has additionally researched and documented additional details on this vulnerability via Threat Bulletin. The team has also identified over 430 relevant  indicators and signatures and several sector specific articles to provide more industry-specific details. The dashboard below highlights some of the insights available to Anomali customers via ThreatStream. What can you do about it? There are several steps important to reduce the impact of this vulnerability, some of which are also documented in Progress’ knowledge base article [6] 1. Discover your attack surface. there are several tools that offer this capability, including Anomali Attack Surface Management [7] 2. Patch the vulnerable systems at the earliest. The Progress knowledge base [6] article captures this in the following steps           a.Disable HTTP/S traffic to your MOVEit Transfer environment           b.Patch the vulnerable systems           c.Enable HTTP/S access to the MOVEit Transfer environment 3. Monitor your environment for any known indicators to identify malicious activities. The Anomali Threat Bulletin captures over 2200 observables that can be used to monitor for malicious activities via a SIEM, firewall, or other technologies. Proactively distribute these indicators to your security controls (firewalls, proxies, etc.) to monitor for any malicious activity. Anomali MOVEit Vulnerability Threat Bulletin 4. Hunt for any attacker footprints. While monitoring looks forward, hunting a]]> 2023-06-17T01:48:00+00:00 https://www.anomali.com/blog/are-you-ready-for-moveit www.secnews.physaphae.fr/article.php?IdArticle=8346382 False Threat,Ransomware,Tool,Vulnerability None 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces Il est temps de patcher pour patcherVotre solution de transfert Moveit à nouveau! (Publié: 12 juin 2023) Le 9 juin 2023, le logiciel de progression a découvert des vulnérabilités supplémentaires d'injection SQL qui pourraient potentiellement être utilisées par les attaquants non authentifiés pour saisir les données de la base de données Moveit Transfer.La société a publié des correctifs / versions fixes et déployé un nouveau correctif à tous les clusters de cloud Moveit pour aborder les nouvelles vulnérabilités.Le gang CL0P Cyber Extorsion a activement exploité une autre vulnérabilité de transfert Moveit récemment divulguée (CVE-2023-34362) et a ciblé une variété d'organisations, des petites entreprises aux grandes entreprises dans une variété de secteurs du monde.Aer Lingus, la BBC, Boots, British Airways, le gouvernement de la province de la Nouvelle-Écosse (Canada) et Zellis font partie des organisations victimes.Les chercheurs de Kroll ont trouvé des preuves d'une activité similaire survenant en avril 2022 et juillet 2021, indiquant que les attaquants testaient l'accès aux organisations et saisissent les informations des serveurs de transfert Moveit pour identifier l'organisation à laquelle ils accédaient. Commentaire de l'analyste: Moveit Transfer 2020.0.x (12.0) ou plus doit être mis à niveau vers une version prise en charge, pour les versions plus récentes appliquez les correctifs de sécurité disponibles à partir du logiciel Progress depuis le 10 juin 2023 (lien) .Les organisations doivent demander des confirmations de leurs fournisseurs, en particulier de ceux qui gèrent les données en leur nom, qu'ils utilisent Moveit dans leurs services, et confirment tout compromis et sont à jour avec l'atténuation et les correctifs recommandés. mitre att & amp; ck: [mitre att & amp; ck] t1190 - exploiter l'application de formation publique | [mitre att & amp; ck] t1036 - masquée | [mitre att & amp; ck] t1560.001 - Données collectées par les archives: archive via l'utilité Tags: Target-Software: Moveit Transfert, Vulnérabilité: CVE-2023-34362, Target-Country: Canada, Target-Country: États-Unis, acteur: CL0P, technique: injection SQL, type de menace: donnéesFuite, type de menace: Extorsion, Cible-Country: Royaume-Uni, Cible-Country: Canada, Système cible: Windows Les mods Minecraft infectés conduisent à des logiciels malveillants infostèleurs multiplateformes]]> 2023-06-13T18:05:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-fractureiser-attempted-clipboard-poisoning-vm-escape-asylum-ambuscade-spies-as-a-side-job-stealth-soldier-connected-with-the-eye-on-the-nile-campaign-and-more www.secnews.physaphae.fr/article.php?IdArticle=8344917 False Threat,Malware,Cloud,Prediction,Vulnerability None 3.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces vulnérabilité de la journée zéro dansTransfert Moveit exploité pour le vol de données (Publié: 2 juin 2023) Une vulnérabilité du zéro-day dans le logiciel de transfert de fichiers géré de transfert Moveit (CVE-2023-34362) a été annoncée par Progress Software Corporation le 31 mai 2023. Les chercheurs mandiants ont observé une large exploitation qui avait déjà commencé le 27 mai le 27 mai, 2023. Cette campagne opportuniste a affecté le Canada, l'Allemagne, l'Inde, l'Italie, le Pakistan, les États-Unis et d'autres pays.Les attaquants ont utilisé le shell Web LemurLoot personnalisé se faisant passer pour un composant légitime du transfert Moveit.Il est utilisé pour exfiltrater les données précédemment téléchargées par les utilisateurs de systèmes de transfert Moveit individuels.Cette activité d'acteur est surnommée UNC4857 et elle a une faible similitude de confiance avec l'extorsion de vol de données attribuée à FIN11 via le site de fuite de données de ransomware CL0P. Commentaire des analystes: L'agence américaine de sécurité de cybersécurité et d'infrastructure a ajouté le CVE-2023-34362 du CVE-2023-34362 à sa liste de vulnérabilités exploitées connues, ordonnant aux agences fédérales américaines de corriger leurs systèmes d'ici le 23 juin 2023.Progress Software Corporation STAPES RESTATIONS, notamment le durcissement, la détection, le nettoyage et l'installation des récentes correctifs de sécurité de transfert Moveit.Les règles YARA et les indicateurs basés sur l'hôte associés à la coque en ligne Lemurloot sont disponibles dans la plate-forme Anomali pour la détection et la référence historique. mitre att & amp; ck: [mitre att & amp; ck] t1587.003 - développer des capacités:Certificats numériques | [mitre att & amp; ck] t1190 - exploiter la demande publique | [mitre att & amp; ck] t1036 - masquée | [mitre att & amp; ck] t1136 - créer un compte | [mitre att & amp; ck] t1083 - Discovery de dossier et d'annuaire | [mitre att & amp; ck] t1560.001 -Données collectées des archives: Archive via l'utilitaire Signatures: LEMURLOOT WEBSHELL DLL TARDS - YARA BY BYMandiant | scénarisation de la webshell lemurloot ASP.net - yara par mandiant | Moveit Exploitation - Yara par Florian Roth . Tags: Malware: LemurLoot,]]> 2023-06-06T19:11:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-lemurloot-on-exploited-moveit-transfers-zero-click-ios-exploit-targeted-kaspersky-qakbot-turns-bots-into-proxies www.secnews.physaphae.fr/article.php?IdArticle=8342695 False Threat,Ransomware,Malware,Tool,Vulnerability None 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces shadowVictiticoor et Coinmin de Force Group \\ (Publié: 27 mai 2023) Force Shadow est une menace qui cible les organisations sud-coréennes depuis 2013. Il cible principalement les serveurs Windows.Les chercheurs d'AHNLAB ont analysé l'activité du groupe en 2020-2022.Les activités de force fantôme sont relativement faciles à détecter car les acteurs ont tendance à réutiliser les mêmes noms de fichiers pour leurs logiciels malveillants.Dans le même temps, le groupe a évolué: après mars, ses fichiers dépassent souvent 10 Mo en raison de l'emballage binaire.Les acteurs ont également commencé à introduire divers mineurs de crypto-monnaie et une nouvelle porte dérobée surnommée Viticdoor. Commentaire de l'analyste: Les organisations doivent garder leurs serveurs à jour et correctement configurés avec la sécurité à l'esprit.Une utilisation et une surchauffe du processeur inhabituellement élevées peuvent être un signe du détournement de ressources malveillantes pour l'exploitation de la crypto-monnaie.Les indicateurs basés sur le réseau et l'hôte associés à la force fantôme sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1588.003 - obtenir des capacités:Certificats de signature de code | [mitre att & amp; ck] t1105 - transfert d'outils d'entrée | [mitre att & amp; ck] t1027.002 - fichiers ou informations obscurcies: emballage logiciel | [mitre att & amp; ck] t1569.002: exécution du service | [mitre att & amp; ck] T1059.003 - Commande et script Interpréteur: Windows Command Shell | [mitre att & amp; ck] T1547.001 - Exécution de botter ou de connexion automatique: Registre Run Keys / Startup Folder | [mitre att & amp; ck] t1546.008 - Événement Exécution déclenchée: caractéristiques de l'accessibilité | [mitre att & amp; ck] t1543.003 - créer ou modifier le processus système: service Windows | [mitre att & amp; ck] t1554 - compromis le logiciel client binaire | [mitreAtt & amp; ck] t1078.001 - Comptes valides: comptes par défaut | [mitre att & amp; ck] t1140 - désobfuscate / décode ou infor]]> 2023-05-31T17:19:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-shadow-force-targets-korean-servers-volt-typhoon-abuses-built-in-tools-cosmicenergy-tests-electric-distribution-disruption www.secnews.physaphae.fr/article.php?IdArticle=8340962 False Threat,Ransomware,Malware,Tool,Vulnerability APT 38,CosmicEnergy ,Guam 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces CloudWizard APT: La mauvaise histoire magique continue (Publié: 19 mai 2023) Un cadre de logiciel malveillant modulaire nouvellement découvert surnommé CloudWizard est actif depuis 2016. Les chercheurs de Kaspersky ont pu le connecter à des activités de menace persistante avancées précédemment enregistrées: Operation Groundbait et le Prikormka Malware (2008-2016), Operation Bugdrop (2017), PowerMagic (2020-2022) et Common Magic (2022).Semblable à ces campagnes précédentes, CloudWizard cible des individus, des organisations diplomatiques et des organisations de recherche dans les régions de Donetsk, de Lugansk, de Crimée, du centre et de l'ouest de l'Ukraine.Les deux modules principaux de CloudWizard effectuent le chiffrement et le décryptage de toutes les communications et relayez les données cryptées au cloud ou au C2 basé sur le Web.Les modules supplémentaires permettent de prendre des captures d'écran, un enregistrement de microphone, un keylogging et plus encore. Commentaire des analystes: Auparavant, les chercheurs de l'ESET ont conclu que les acteurs derrière l'opération Groundbait opérent très probablement à partir de l'Ukraine, mais que les chercheurs de Kaspersky ne partaient pas s'ils sont d'accord avec cette attribution.Les guerres et les conflits militaires attirent une cyber-activité supplémentaire.Tous les indicateurs CloudWizard connus sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquerleur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] T1027 - Obfuscated Files ou informations | [mitre att & amp; ck] t1140 - désobfuscate / décode ou informations | [mitre att & amp; ck] T1555 - Contaliens de compétenceDes magasins de mot de passe | [mitreAtt & amp; ck] t1056.001 - Capture d'entrée: keylogging | [mitre att & amp; ck] t1573 - canal chiffré Tags: Actor: CloudWizard, Apt, Target-Country: Ukraine, Target-Region: Donetsk, Target-Region: Lugansk, Target-Region: Crimea, Target-Region: Central Ukraine, Target-Région: Western Ukraine, Campagne: Operation Bugdrop, Campagne: Opération Boulot, logiciels malveillants: Prikormka, Malware: CloudWizard, Malware: PowerMagic, Malware: CommonMagic, Target-Industry: Diplomatic,Industrie cible: recherche, abusé: OneDrive, type de fichier: DLL, type de fichier: VFS, type de fichier: LRC, système cible: Windows utilisateurs de capcut sous le feu (Publié: 19 mai 2023) Plusieurs campagnes ciblent les utilisateurs du logiciel d'édition vidéo Capcut avec des sites Web typosqua]]> 2023-05-23T17:42:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-cloudwizard-targets-both-sides-in-ukraine-camaro-dragon-trojanized-tp-link-firmware-ra-group-ransomware-copied-babuk www.secnews.physaphae.fr/article.php?IdArticle=8338812 False Threat,Ransomware,Malware,Cloud None 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces lancefly: Le groupe utilise la porte dérobée personnalisée pour cibler les orgs au gouvernement, l'aviation, d'autres secteurs (Publié: 15 mai 2023) Les chercheurs de Symantec ont détecté une nouvelle campagne de cyberespionnage par le groupe parrainé par Lancefly Chine ciblant les organisations en Asie du Sud et du Sud-Est.De la mi-2022 à 2023, le groupe a ciblé les secteurs de l'aviation, du gouvernement, de l'éducation et des télécommunications.Les indications des vecteurs d'intrusion montrent que Lancefly est peut-être passé des attaques de phishing à la force brute SSH et en exploitant des dispositifs accessibles au public tels que les équilibreurs de charge.Un petit nombre de machines ont été infectées de manière très ciblée pour déployer la porte dérobée Merdoor personnalisée et une modification de la ZXShell Rootkit open source.Lancefly abuse d'un certain nombre de binaires légitimes pour le chargement latéral DLL, le vol d'identification et d'autres activités de vie (lolbin). Commentaire des analystes: Les organisations sont conseillées de surveiller l'activité suspecte des PME et les activités LOLBIN indiquant une éventuelle injection de processus ou un dumping de la mémoire LSASS.Les hachages de fichiers associés à la dernière campagne Lancefly sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1190 - exploiter l'application de formation publique | [mitreAtt & amp; ck] t1078 - comptes valides | [mitre att & amp; ck] t1056.001 - Capture d'entrée: keylogging | [mitre att & amp; ck] t1569 - services système | [mitre att & amp; ck] t1071.001 - couche d'applicationProtocole: protocoles Web | [mitre att & amp; ck] t1071.004 - protocole de couche d'application: DNS | [mitre att & amp; ck] t1095 - couche non applicationProtocole | [mitre att & amp; ck] t1574.002 - flux d'exécution de hijack: chargement secondaire dll | [mitre att & amp; ck] T1003.001 - Dumping des informations d'identification du système d'exploitation: mémoire lsass | [mitre att & amp; ck] T1003.002 - Dumping des informations d'identification du système d'exploitation: gestionnaire de compte de s]]> 2023-05-16T18:03:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-lancefly-apt-adopts-alternatives-to-phishing-bpfdoor-removed-hardcoded-indicators-fbi-ordered-russian-malware-to-self-destruct www.secnews.physaphae.fr/article.php?IdArticle=8337033 False Threat,Ransomware,Malware,Cloud,Tool,Vulnerability None 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution (published: May 5, 2023) McAfee researchers have detected a multi-stage attack that starts with a trojanized wextract.exe, Windows executable used to extract files from a cabinet (CAB) file. It was used to deliver the AgentTesla, Amadey botnet, LockBit ransomware, Redline Stealer, and other malicious binaries. To avoid detection, the attackers use obfuscation and disable Windows Defender through the registry thus stopping users from turning it back on through the Defender settings. Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioral analysis defenses and social engineering training. Users should report suspicious files with double extensions such as .EXE.MUI. Indicators associated with this campaign are available in the Anomali platform and users are advised to block these on their infrastructure. MITRE ATT&CK: [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] T1555 - Credentials From Password Stores | [MITRE ATT&CK] T1486: Data Encrypted for Impact | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information Tags: malware:Amadey, malware-type:Botnet, malware:RedLine, malware:AgentTesla, malware-type:Infostealer, malware:LockBit, malware-type:Ransomware, abused:Wextract.exe, file-type:CAB, file-type:EXE, file-type:MUI, target-program:Windows Defender, target-system:Windows Eastern Asian Android Assault – FluHorse (published: May 4, 2023) Active since May 2022, a newly-detected Android stealer dubbed FluHorse spreads mimicking popular apps or as a fake dating application. According to Check Point researchers, FluHorse was targeting East Asia (Taiwan and Vietnam) while remaining undetected for months. This stealthiness is achieved by sticking to minimal functions while also relying on a custom virtual machine that comes with the Flutter user interface software development kit. FluHorse is being distributed via emails that prompt the recipient to install the app and once installed, it asks for the user’s credit card or banking data. If a second factor authentication is needed to commit banking fraud, FluHorse tells the user to wait for 10-15 minutes while intercepting codes by installing a listener for all incoming SMS messages. Analyst Comment: FluHorse\'s ability to remain undetected for months makes it a dangerous threat. Users should avoid installing applications following download links received via email or other messaging. Verify the app authenticity on the official com]]> 2023-05-09T20:02:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-custom-virtual-environment-hides-fluhorse-babyshark-evolved-into-reconshark-fleckpe-infected-apps-add-expensive-subscriptions www.secnews.physaphae.fr/article.php?IdArticle=8334939 False Threat,Malware,Tool APT 43,APT 37 3.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces Réaction en chaîne: Rokrat & rsquo; s.Lien manquant (Publié: 1er mai 2023) Depuis 2022, le groupe parrainé par le Nord-Korea APT37 (Group123, Ricochet Chollima) a principalement changé ses méthodes de livraison de Maldocs pour cacher des charges utiles à l'intérieur des fichiers LNK surdimensionnés.Vérifier les chercheurs a identifié plusieurs chaînes d'infection utilisées par le groupe de juillet 2022 à avril 2023. Celles-ci ont été utilisées pour livrer l'un des outils personnalisés de l'APT37 (Goldbackdoor et Rokrat), ou le malware de marchandises Amadey.Tous les leurres étudiés semblent cibler des personnes coréennes avec des sujets liés à la Corée du Sud. Commentaire de l'analyste: Le passage aux chaînes d'infection basées sur LNK permet à APT37 de l'interaction utilisateur moins requise car la chaîne peut être déclenchée par un simple double clic.Le groupe continue l'utilisation de Rokrat bien triés qui reste un outil furtif avec ses couches supplémentaires de cryptage, le cloud C2 et l'exécution en mémoire.Les indicateurs associés à cette campagne sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquerleur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1059.001: Powershell | [mitre att & amp; ck] t1055 - injection de processus | [mitre att & amp; ck] t1027 - fichiers ou informations obscurcis | [mitre att & amp; ck] t1105 - transfert d'outils d'entrée | [mitre att & amp; ck] t1204.002 - Exécution des utilisateurs: fichier malveillant | [mitre att & amp; ck] t1059.005 - commande et script interprète: visuel basique | [mitre att & amp; ck] t1140 - désobfuscate / décode ou informations | [mitre att & amp; ck] T1218.011 - Exécution par proxy binaire signée: Rundll32 Tags: malware: Rokrat, mitre-software-id: s0240, malware-Type: Rat, acteur: Groupe123, mitre-groupe: APT37, acteur: Ricochet Chollima, Country source: Corée du Nord, Country source: KP, Cible-Country: Corée du Sud, Cible-Country: KR, Type de fichier: Zip, déposer-Type: Doc, Fichier-Type: ISO, Fichier-Type: LNK, File-Type: Bat, File-Type: EXE, Fichier-Type: VBS, malware: Amadey,MALWARE: Goldbackdoor, Type de logiciels malveillants: porte dérobée, abusée: Pcloud, abusé: Cloud Yandex, abusé: OneDrive, abusé: & # 8203; & # 8203; Processeur de mots Hangul, abusé: themida, système cible: Windows ]]> 2023-05-01T23:16:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt37-adopts-lnk-files-charming-kitten-uses-bellaciao-implant-dropper-vipersoftx-infostealer-unique-byte-remapping-encryption www.secnews.physaphae.fr/article.php?IdArticle=8332656 False Threat,Ransomware,Malware,Cloud,Tool,Prediction,Vulnerability APT 35,APT 37,APT 37 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters (published: April 21, 2023) A new Monero cryptocurrency-mining campaign is the first recorded case of gaining persistence via Kubernetes (K8s) Role-Based Access Control (RBAC), according to Aquasec researchers. The recorded honeypot attack started with exploiting a misconfigured API server. The attackers preceded by gathering information about the cluster, checking if their cluster was already deployed, and deleting some existing deployments. They used RBAC to gain persistence by creating a new ClusterRole and a new ClusterRole binding. The attackers then created a DaemonSet to use a single API request to target all nodes for deployment. The deployed malicious image from the public registry Docker Hub was named to impersonate a legitimate account and a popular legitimate image. It has been pulled 14,399 times and 60 exposed K8s clusters have been found with signs of exploitation by this campaign. Analyst Comment: Your company should have protocols in place to ensure that all cluster management and cloud storage systems are properly configured and patched. K8s buckets are too often misconfigured and threat actors realize there is potential for malicious activity. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from highly-active threat groups. MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1496 - Resource Hijacking | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1489 - Service Stop Tags: Monero, malware-type:Cryptominer, detection:PUA.Linux.XMRMiner, file-type:ELF, abused:Docker Hub, technique:RBAC Buster, technique:Create ClusterRoleBinding, technique:Deploy DaemonSet, target-system:Linux, target:K8s, target:​​Kubernetes RBAC 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible (published: April 20, 2023) Investigation of the previously-reported 3CX supply chain compromise (March 2023) allowed Mandiant researchers to detect it was a result of prior software supply chain attack using a trojanized installer for X_TRADER, a software package provided by Trading Technologies. The attack involved the publicly-available tool SigFlip decrypting RC4 stream-cipher and starting publicly-available DaveShell shellcode for reflective loading. It led to installation of the custom, modular VeiledSignal backdoor. VeiledSignal additional modules inject the C2 module in a browser process instance, create a Windows named pipe and]]> 2023-04-25T18:22:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-two-supply-chain-attacks-chained-together-decoy-dog-stealthy-dns-communication-evilextractor-exfiltrates-to-ftp-server www.secnews.physaphae.fr/article.php?IdArticle=8331005 False Threat,Ransomware,Spam,Malware,Cloud,Tool APT 38,ChatGPT,APT 43,Uber 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces banquier QBOT livré par correspondance commerciale (Publié: 17 avril 2023) Début avril 2023, un volume accru de Malspam en utilisant le détournement de fil commercial-imail a été détecté pour fournir le troin bancaire QBOT (QAKBOT, Quackbot, Pinkslipbot).Les leurres observés en anglais, en allemand, en italien et en français visaient divers pays, les trois premiers étant l'Allemagne, l'Argentine et l'Italie, dans cet ordre.Les attaquants usurpaient un nom dans la conversation détournée pour inciter la cible à ouvrir un fichier PDF ci-joint.La cible est ensuite confrontée à un bouton, à un mot de passe et à une instruction pour télécharger, déballer et exécuter un fichier de script Windows malveillant (WSF) dans une archive protégée par mot de passe.L'exécution des utilisateurs est suivie d'une désobfuscation automatisée d'un JScript contenu produisant un script PowerShell codé visant à télécharger une DLL QBOT à partir d'un site Web compromis et à l'exécuter à l'aide de RunDLL32.QBOT vole les informations d'identification, profil les systèmes pour identifier les perspectives de ciblage supplémentaire de grande valeur et vole des e-mails stockés localement pour une prolifération supplémentaire via le détournement de fil calspam. Commentaire de l'analyste: L'usurpation du nom de l'expéditeur des lettres précédentes du & lsquo; from & rsquo;Le champ peut être identifié dans cette campagne car il utilise une adresse e-mail frauduleuse de l'expéditeur différent de celle du véritable correspondant.Les utilisateurs doivent être prudents avec des archives protégées par mot de passe et des types de fichiers suspects tels que WSF.Les indicateurs de réseau et d'hôtes associés à cette campagne QBOT sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure. mitreAtt & amp; ck: [mitre att & amp; ck] t1566 - phishing | [mitre att & amp; ck] t1204 - exécution des utilisateurs | [mitre att & amp; ck] t1207 - contrôleur de domaine voyou | [mitre att & amp; ck] t1140 - déobfuscate /Décoder des fichiers ou des informations | [mitre att & amp; ck] t1059.001: powershell | [mitre att & amp; ck] t1218.011 - Exécution par proxy binaire signée: rundll32 | [mitre att & amp; ck] t1090 - proxy | [mitre att & amp; ck] t1114.001 - collection de courriels: collection de message]]> 2023-04-18T17:14:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-cozy-bear-employs-new-downloaders-rtm-locker-ransomware-seeks-privacy-vice-society-automated-selective-exfiltration www.secnews.physaphae.fr/article.php?IdArticle=8328981 False Threat,Ransomware,Malware,Tool APT 29,APT 29 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces cryptoclippie parle portugais (Publié: 5 avril 2023) Depuis au moins au début de 2022, une campagne de clipper de crypto-monnaie opportuniste cible des conférenciers portugais en invitant un téléchargement à partir d'un site Web contrôlé par l'acteur promu via un empoisonnement SEO et malvertiser abusant Google Ads.Le fichier imite WhatsApp Web et fournit des cryptoclippages doublés de logiciels malveillants dans le but de remplacer les adresses de crypto-monnaie dans le presse-papiers Target & Acirc; & euro; & Trade.Les deux premiers fichiers de la chaîne d'infection sont EXE et BAT ou ZIP et LNK.Les acteurs utilisent des techniques d'obscurcissement et de cryptage étendues (RC4 et XOR), la compensation des journaux et des fichiers, et un profilage approfondi des utilisateurs pour un ciblage étroit et une évasion de défense.L'utilisation du type d'obscuscation invoqué-obfuscation peut indiquer un attaquant brésilien. Commentaire de l'analyste: Les portefeuilles contrôlés par l'acteur observés ont gagné un peu plus de 1 000 dollars américains, mais leurs logiciels malveillants complexes à plusieurs étages peuvent les aider à étendre ces dégâts.Il est conseillé aux utilisateurs de vérifier les informations du destinataire avant d'envoyer une transaction financière.Des indicateurs liés à la cryptoclippie sont disponibles dans la plate-forme Anomali.Les organisations qui publient des applications pour leurs clients sont invitées à utiliser une protection contre les risques numériques anomalie premium pour découvrir des applications malveillantes et malveillantes imitant votre marque que les équipes de sécurité ne recherchent généralement ni ne surveillent. mitre att & amp; ck: [mitre att & amp; ck] t1204 - exécution de l'utilisateur | [mitre att & amp; ck] t1027 - fichiers obscurcissantsOu des informations | [mitre att & amp; ck] t1059.001: powershell | [mitre att & amp; ck] t1105 - transfert d'outils d'entrée | [mitre att & amp; ck] t1140 - déobfuscate / décode les fichiers ou informations | [mitre att & amp; ck] t1620 - chargement de code réfléchissant | [mitreAtt & amp; ck] T1547.001 - Exécution de démarrage ou de connexion Autostart: Registry Run Keys / Startup Folder | [mitre att & amp; ck] t1112: modifier le registre | [mitre att & amp; ck] t1136.001 - Crée]]> 2023-04-11T19:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-aggressively-mutating-mantis-backdoors-target-palestine-fake-cracked-packages-flood-npm-rorschach-ransomware-is-significantly-faster-than-lockbit-v3 www.secnews.physaphae.fr/article.php?IdArticle=8326770 False Threat,Ransomware,Malware,Tool APT-C-23 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces Vulnérabilité à haute gravité dans WordPress Elementor Pro patchée (Publié: 31 mars 2023) La campagne Balada Injecteur cible les plugins et les thèmes de site Web vulnérables depuis au moins 2017. Sa nouvelle cible sont les sites Web WordPress WooCommerce avec une vulnérabilité de contrôle d'accès brisé dans le populaire site Web Plugin Elementor Pro.Cette vulnérabilité à haute gravité (CVSS V3.1: 8.8, élevée) a reçu un patch de sécurité le 22 mars 2023, par conséquent, l'injecteur de Balada cible des sites Web qui n'ont pas encore été corrigés.Les attaquants créent un nouvel utilisateur administrateur et insérent un script envoyant des visiteurs à une redirection multi-HOP aux fins de spam, d'escroquerie ou d'installation de logiciels publicitaires. Commentaire de l'analyste: Les administrateurs de sites Web doivent mettre à jour immédiatement s'ils ont Elementor Pro version 3.11.6 ou moins installé.Utilisez la numérisation côté serveur pour détecter le contenu malveillant non autorisé.Tous les indicateurs connus associés à la campagne Balada Injector sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1587.004 - développer des capacités:Exploits | [mitre att & amp; ck] t1190 - exploiter l'application de formation publique Tags: Campagne: Balada Injecteur, site Web compromis, redirection, spam, arnaque, type malware: Adware, Contrôle d'accès cassé, vulnérabilité, élémentor Pro, WordPress 3cx: SupplyL'attaque en chaîne affecte des milliers d'utilisateurs dans le monde (Publié: 30 mars 2023) Un groupe de menaces non identifié lié à la Corée du Nord a trojanisé le bureau de 3cx \\, un client de bureau vocal et vidéo utilisé par 12 millions d'utilisateurs dans 190 pays.Les installateurs de Windows récents (18.12.407 et 18.12.416) et Mac (18.11.1213, 18.12.402, 18.12.407 et 18.12.416) ont été compromis.Les installateurs de Windows contenaient des versions propres de l'application ainsi que des DLL malveillantes prêtes pour l'attaque de chargement latéral DLL.Les versions MacOS affectées ont été compromises de la même manière et contenaient une version trojanisée de la bibliothèque dynamique nommée libffmpeg.dylib.La charge utile finale observée était un logiciel malveillant de volée d'informations téléchargé comme un fichier ICO à partir d'un référentiel GitHub spécifique. Commentaire de l'analyste: Les attaques de la chaîne d]]> 2023-04-03T22:13:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-clipboard-injectors-infostealers-malvertising-pay-per-install-supply-chain-and-vulnerabilities www.secnews.physaphae.fr/article.php?IdArticle=8324500 False Threat,Malware,Tool,Vulnerability None 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces campagne de phishingCible l'industrie chinoise de l'énergie nucléaire (Publié: 24 mars 2023) Actif Depuis 2013, le groupe amer (T-APT-17) est soupçonné d'être parrainé par le gouvernement indien.Des chercheurs Intezer ont découvert une nouvelle campagne amère ciblant les universitaires, le gouvernement et d'autres organisations de l'industrie de l'énergie nucléaire en Chine.Les techniques sont cohérentes avec les campagnes amères observées précédemment.L'intrusion commence par un e-mail de phishing censé provenir d'un véritable employé de l'ambassade du Kirghizistan.Les pièces jointes malveillantes observées étaient soit des fichiers HTML (CHM) compilés à Microsoft, soit des fichiers Microsoft Excel avec des exploits d'éditeur d'équation.L'objectif des charges utiles est de créer de la persistance via des tâches planifiées et de télécharger d'autres charges utiles de logiciels malveillants (les campagnes amères précédentes ont utilisé le voleur d'identification du navigateur, le voleur de fichiers, le keylogger et les plugins d'outils d'accès à distance).Les attaquants se sont appuyés sur la compression LZX et la concaténation des cordes pour l'évasion de détection. Commentaire de l'analyste: De nombreuses attaques avancées commencent par des techniques de base telles que des e-mails injustifiés avec une pièce jointe qui oblige l'utilisateur à l'ouvrir.Il est important d'enseigner l'hygiène de base en ligne à vos utilisateurs et la sensibilisation au phishing.Il est sûr de recommander de ne jamais ouvrir de fichiers CHM joints et de garder votre bureau MS Office entièrement mis à jour.Tous les indicateurs connus associés à cette campagne amère sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1589.002 - rassembler l'identité des victimesInformations: Adresses e-mail | [mitre att & amp; ck] t1566.001 -Phishing: attachement de espionnage | [mitre at]]> 2023-03-28T21:28:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-account-takeover-apt-banking-trojans-china-cyberespionage-india-malspam-north-korea-phishing-skimmers-ukraine-and-vulnerabilities www.secnews.physaphae.fr/article.php?IdArticle=8322667 False Threat,Malware,Cloud,Tool APT 43,APT 37 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces Visern d'hiver |Découvrir une vague d'espionnage mondial (Publié: 16 mars 2023) Depuis décembre 2020, Winter Vivern se livrait à des campagnes de cyberespionnage alignées sur les objectifs du Bélarus et du gouvernement russe.Depuis janvier 2021, il a ciblé les organisations gouvernementales en Lituanie, en Inde, au Vatican et en Slovaquie.De la mi-2022 à décembre 2022, il a ciblé l'Inde et l'Ukraine: a usurpé l'identité du site Web du service de courrier électronique du gouvernement indien et a envoyé un excel macro-compétitif pour cibler un projet facilitant la reddition du personnel militaire russe.Au début de 2023, Winter Vivern a créé de fausses pages pour le bureau central de la Pologne pour la lutte contre la cybercriminalité, le ministère ukrainien des Affaires étrangères et le service de sécurité de l'Ukraine.Le groupe s'appuie souvent sur le simple phishing pour les références.Un autre type d'activité d'hiver VIVERN comprend des documents de bureau malveillants avec des macros, un script de chargeur imitant un scanner de virus et l'installation de la porte dérobée de l'ouverture.L'infrastructure malveillante du groupe comprend des domaines typosquattés et des sites Web WordPress compromis. Commentaire de l'analyste: Faites attention si un domaine demande vos mots de passe, essayez d'établir son authenticité et sa propriété.Les clients anomalis préoccupés par les risques pour leurs actifs numériques (y compris les domaines similaires / typosquattés) peuvent essayer Service de protection numérique premium d'Anomali \\ 's .De nombreuses attaques avancées commencent par des techniques de base telles que des e-mails injustifiés avec des pièces jointes malveillantes qui obligent l'utilisateur à l'ouvrir et à activer les macroses.Il est important d'enseigner à vos utilisateurs une hygiène de base en ligne et une conscience de phishing. mitre att & amp; ck: [mitre att & amp; ck] t1583.001 -Acquérir des infrastructures: domaines | [mitre att & amp; ck] t1566.001 - phishing: spearphishing attachement | [mitre att & amp; ck] t1059.001: powershell | [mitre att & amp; ck] t1059.003 - commande et scriptInterprète: Shell de commande Windows | [mitre att & amp; ck] t1105 - transfert d'outils d'en]]> 2023-03-20T23:29:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt-china-data-leak-injectors-packers-phishing-ransomware-russia-and-ukraine www.secnews.physaphae.fr/article.php?IdArticle=8320062 False Threat,Ransomware,Malware,Cloud,Tool,Vulnerability None 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Xenomorph V3: a New Variant with ATS Targeting More Than 400 Institutions (published: March 10, 2023) Newer versions of the Xenomorph Android banking trojan are able to target 400 applications: cryptocurrency wallets and mobile banking from around the World with the top targeted countries being Spain, Turkey, Poland, USA, and Australia (in that order). Since February 2022, several small, testing Xenomorph campaigns have been detected. Its current version Xenomorph v3 (Xenomorph.C) is available on the Malware-as-a-Service model. This trojan version was delivered using the Zombinder binding service to bind it to a legitimate currency converter. Xenomorph v3 automatically collects and exfiltrates credentials using the ATS (Automated Transfer Systems) framework. The command-and-control traffic is blended in by abusing Discord Content Delivery Network. Analyst Comment: Fraud chain automation makes Xenomorph v3 a dangerous malware that might significantly increase its prevalence on the threat landscape. Users should keep their mobile devices updated and avail of mobile antivirus and VPN protection services. Install only applications that you actually need, use the official store and check the app description and reviews. Organizations that publish applications for their customers are invited to use Anomali's Premium Digital Risk Protection service to discover rogue, malicious apps impersonating your brand that security teams typically do not search or monitor. MITRE ATT&CK: [MITRE ATT&CK] T1417.001 - Input Capture: Keylogging | [MITRE ATT&CK] T1417.002 - Input Capture: Gui Input Capture Tags: malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility services, Overlay attack, Discord CDN, Cryptocurrency wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android Cobalt Illusion Masquerades as Atlantic Council Employee (published: March 9, 2023) A new campaign by Iran-sponsored Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorous) was detected targeting Mahsa Amini protests and researchers who document the suppression of women and minority groups i]]> 2023-03-14T17:32:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-xenomorph-automates-the-whole-fraud-chain-on-android-icefire-ransomware-started-targeting-linux-mythic-leopard-delivers-spyware-using-romance-scam www.secnews.physaphae.fr/article.php?IdArticle=8318511 False Threat,Ransomware,Malware,Guideline,Tool,Conference,Vulnerability ChatGPT,ChatGPT,APT 35,APT 42,APT 36 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence MQsTTang: Mustang Panda’s Latest Backdoor Treads New Ground with Qt and MQTT (published: March 2, 2023) In early 2023, China-sponsored group Mustang Panda began experimenting with a new custom backdoor dubbed MQsTTang. The backdoor received its name based on the attribution and the unique use of the MQTT command and control (C2) communication protocol that is typically used for communication between IoT devices and controllers. To establish this protocol, MQsTTang uses the open source QMQTT library based on the Qt framework. MQsTTang is delivered through spearphishing malicious link pointing at a RAR archive with a single malicious executable. MQsTTang was delivered to targets in Australia, Bulgaria, Taiwan, and likely some other countries in Asia and Europe. Analyst Comment: Mustang Panda is likely exploring this communication protocol in an attempt to hide its C2 traffic. Defense-in-depth approach should be used to stop sophisticated threats that evolve and utilize various techniques of defense evasion. Sensitive government sector workers should be educated on spearphishing threats and be wary of executable files delivered in archives. MITRE ATT&CK: [MITRE ATT&CK] T1583.003 - Acquire Infrastructure: Virtual Private Server | [MITRE ATT&CK] T1583.004 - Acquire Infrastructure: Server | [MITRE ATT&CK] T1587.001 - Develop Capabilities: Malware | [MITRE ATT&CK] T1588.002 - Obtain Capabilities: Tool | [MITRE ATT&CK] T1608.001 - Stage Capabilities: Upload Malware | [MITRE ATT&CK] T1608.002 - Stage Capabilities: Upload Tool | [MITRE ATT&CK] T1566.002 - Phishing: Spearphishing Link | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1204.002 - User Execution: Malicious File | [MITRE ATT&CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] T1036.004 - Masquerading: Masquerade Task Or Service | [MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location | [MITRE ATT&CK] T1480 - Execution Guardrails | [MITRE ATT&CK] T1622 - Debugger Evasion | ]]> 2023-03-07T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-mustang-panda-adopted-mqtt-protocol-redis-miner-optimization-risks-data-corruption-blacklotus-bootkit-reintroduces-vulnerable-uefi-binaries www.secnews.physaphae.fr/article.php?IdArticle=8316353 False Threat,Ransomware,Malware,Tool,Vulnerability,Medical None 1.00000000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence WinorDLL64: A Backdoor From The Vast Lazarus Arsenal? (published: February 23, 2023) When the Wslink downloader (WinorLoaderDLL64.dll) was first discovered in 2021, it had no known payload and no known attribution. Now ESET researchers have discovered a Wslink payload dubbed WinorDLL64. This backdoor uses some of Wslink functions and the Wslink-established TCP connection encrypted with 256-bit AES-CBC cipher. WinorDLL64 has some code similarities with the GhostSecret malware used by North Korea-sponsored Lazarus Group. Analyst Comment: Wslink and WinorDLL64 use a well-developed cryptographic protocol to protect the exchanged data. Innovating advanced persistent groups like Lazarus often come out with new versions of their custom malware. It makes it important for network defenders to leverage the knowledge of a wider security community by adding relevant premium feeds and leveraging the controls automation via Anomali Platform integrations. MITRE ATT&CK: [MITRE ATT&CK] T1587.001 - Develop Capabilities: Malware | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1134.002 - Access Token Manipulation: Create Process With Token | [MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1087.001 - Account Discovery: Local Account | [MITRE ATT&CK] T1087.002 - Account Discovery: Domain Account | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1135 - Network Share Discovery | [MITRE ATT&CK] T1057 - Process Discovery | [MITRE ATT&CK] T1012: Query Registry | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] T1614 - System Location Discovery | [MITRE ATT&CK] T1614.001 - System Location Discovery: System Language Discovery | [MITRE ATT&CK] T1016 - System Network Configuration Discovery | [MITRE ATT&CK] T1049 - System Network Connections Discovery |]]> 2023-02-28T16:15:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-newly-discovered-winordll64-backdoor-has-code-similarities-with-lazarus-ghostsecret-atharvan-backdoor-can-be-restricted-to-communicate-on-certain-days www.secnews.physaphae.fr/article.php?IdArticle=8314193 False Threat,Ransomware,Malware,Cloud,Tool,Medical,Medical APT 38 1.00000000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Coinbase Cyberattack Targeted Employees with Fake SMS Alert (published: February 20, 2023) On February 5th, 2023, several employees at the Coinbase cryptocurrency exchange platform received a fake SMS alert on their mobile phones. The message indicated that they need to urgently log in via the link provided to receive an important message. One employee got phished by the attackers, but they failed to login due to the MFA restrictions. The attackers, likely associated with the previously-documented 0ktapus phishing campaign, proceeded to call the employee and phish him for more information by pretending to be from the corporate IT. Coinbase was able to detect the unusual activity and stop the breach, although the attackers have obtained some contact information belonging to multiple Coinbase employees in addition to the login credentials of the phished user. Analyst Comment: Network defenders are advised to monitor for access attempts from a third-party VPN provider, such as Mullvad VPN. Monitor for download of remote desktop viewers such as AnyDesk or ISL Online. Set up monitoring for Incoming phone calls / text messages from Bandwidth dot com, Google Voice, Skype, and Vonage/Nexmo. Anomali Premium Domain Monitoring service notifies customers regarding registration of potential phishing domains. And as always with these types of social engineering attacks employee awareness is key - not just of the threat but how to independently verify the legitimacy of any contact and what to do with anything suspicious. MITRE ATT&CK: [MITRE ATT&CK] T1566.002 - Phishing: Spearphishing Link | [MITRE ATT&CK] T1204 - User Execution | [MITRE ATT&CK] T1219 - Remote Access Software Tags: campaign:0ktapus, Coinbase, Social engineering, SMS, Typosquatting, AnyDesk, ISL Online, Mullvad VPN, Google Voice, Skype, Vonage/Nexmo, Bandwidth, Browser extension, EditThisCookie Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack (published: February 17, 2023) Since the end of 2022, a new campaign by the state-sponsored Earth Kitsune group targets visitors of pro-North Korea websites. A malicious JavaScript embedded into their video pages prompts a viewer to download a codec installer. Only visitors from particular subnets located in Nagoya, Japan and Shenyang, China, and users of a VPN provider in Brazil are receiving the malicious payload. The legitimate codec installer was patched to increase the PE image size and add an additional section. The attackers employ elliptic cryptography to protect encryption keys and use rare hashing algorithms: 32-bit Fowler-Noll-Vo hash (FNV-1) to compute machine IDs and a 32-bit Murmur3 hash of the 16-byte AES key to compute the]]> 2023-02-22T19:12:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-earth-kitsune-uses-chrome-native-messaging-for-persistence-wip26-targets-middle-east-telco-from-abused-clouds-azerbaijan-sponsored-group-geofenced-its-payloads-to-armenian-ips www.secnews.physaphae.fr/article.php?IdArticle=8312556 False Threat,Malware,Guideline,Tool None 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities (published: February 9, 2023) The US and South Korea issued a joint advisory on ongoing, North Korea-sponsored ransomware activity against healthcare and other critical infrastructure. The proceedings are used to fund North Korea’s objectives including further cyber attacks against the US and South Korean defense and defense industrial base sectors. For initial access, the attackers use a trojanized messenger (X-Popup) or various exploits including those targeting Apache log4j2 and SonicWall appliances. Despite having two custom ransomware crypters, Maui and H0lyGh0st, the attackers can portray themselves as a different ransomware group (REvil) and/or use publicly-available crypters, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom. Analyst Comment: Organizations in the healthcare sector should consider following the Cross-Sector Cybersecurity Performance Goals developed by the U.S. Cybersecurity and Infrastructure Security Agency and the U.S. National Institute of Standards and Technology. Follow the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts. Turn off weak or unnecessary network device management interfaces. MITRE ATT&CK: [MITRE ATT&CK] T1583 - Acquire Infrastructure | [MITRE ATT&CK] T1583.003 - Acquire Infrastructure: Virtual Private Server | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1133 - External Remote Services | [MITRE ATT&CK] T1195 - Supply Chain Compromise | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1021 - Remote Services | [MITRE ATT&CK] T1486: Data Encrypted for Impact Tags: malware-type:Ransomware, source-country:North Korea, source-country:DPRK, source-country:KP, target-industry:Healthcare, target-sector:Critical infrastructure, target-industry:Defense, target-industry:Defense Industrial Base, Log4Shell, SonicWall, CVE-2021-44228, CVE-2021-20038, CVE-2022-24990, X-Popup, malware:Maui, malware:H0lyGh0st, malware:BitLocker, malware:Deadbolt, malware:ech0raix, malware:GonnaCry, malware:Hidden Tear, malware:Jigsaw, malware:LockBit 2.0, malware:My Little Ransomware, malware:NxRansomware, malware:Ryuk, malware:YourRansom ]]> 2023-02-14T17:48:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-hospital-ransoms-pay-for-attacks-on-defense-nodaria-got-upgraded-go-based-infostealer-ta866-moved-screenshot-functionality-to-standalone-tool www.secnews.physaphae.fr/article.php?IdArticle=8310132 False Threat,Ransomware,Malware,Tool,Industrial None 2.0000000000000000 Anomali - Firm Blog 2023-02-09T09:45:00+00:00 https://www.anomali.com/blog/transforming-threat-datainto-actionable-intelligence www.secnews.physaphae.fr/article.php?IdArticle=8308493 False Threat,Malware,Guideline,Patching None 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence No Pineapple! –DPRK Targeting of Medical Research and Technology Sector (published: February 2, 2023) In August-November 2022, North Korea-sponsored group Lazarus has been engaging in cyberespionage operations targeting defense, engineering, healthcare, manufacturing, and research organizations. The group has shifted their infrastructure from using domains to be solely IP-based. For initial compromise the group exploited known vulnerabilities in unpatched Zimbra mail servers (CVE-2022-27925 and CVE-2022-37042). Lazarus used off the shelf malware (Cobalt Strike, JspFileBrowser, JspSpy webshell, and WSO webshell), abused legitimate Windows and Unix tools (such as Putty SCP), and tools for proxying (3Proxy, Plink, and Stunnel). Two custom malware unique to North Korea-based advanced persistent threat actors were a new Grease version that enables RDP access on the host, and the Dtrack infostealer. Analyst Comment: Organizations should keep their mail server and other publicly-facing systems always up-to-date with the latest security features. Lazarus Group cyberespionage attacks are often accompanied by stages of multi-gigabyte exfiltration traffic. Suspicious connections and events should be monitored, detected and acted upon. Use the available YARA signatures and known indicators. MITRE ATT&CK: [MITRE ATT&CK] T1587.002 - Develop Capabilities: Code Signing Certificates | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] picus-security: The Most Used ATT&CK Technique—T1059 Command and Scripting Interpreter | [MITRE ATT&CK] T1569.002: Service Execution | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1505.003 - Server Software Component: Web Shell | [MITRE ATT&CK] T1037.005 - Boot or Logon Initialization Scripts: Startup Items | [MITRE ATT&CK] T1053.005 - Scheduled Task/Job: Scheduled Task | [MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location | [MITRE ATT&CK] T1553 - Subvert Trust Controls | [MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1070.007 - Indicator Removal: Clear Network Connection History And Configurations | ]]> 2023-02-07T17:23:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-malvirt-obfuscates-with-koivm-virtualization-icebreaker-overlay-hides-v8-bytecode-runtime-interpretation-sandworm-deploys-multiple-wipers-in-ukraine www.secnews.physaphae.fr/article.php?IdArticle=8307984 False Threat,Malware,Tool,Medical,Medical APT 38 3.0000000000000000 Anomali - Firm Blog here to fill out the Sign-Up Form, tell us a bit about yourself and we'll get in touch when we have a study we think you’d be a good fit for.]]> 2023-02-02T09:13:00+00:00 https://www.anomali.com/blog/introducing-the-anomali-user-research-group www.secnews.physaphae.fr/article.php?IdArticle=8306503 False Threat,Studies None 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Chinese PlugX Malware Hidden in Your USB Devices? (published: January 26, 2023) Palo Alto researchers analyzed a PlugX malware variant (KilllSomeOne) that spreads via USB devices such as floppy, thumb, or flash drives. The variant is used by a technically-skilled group, possibly by the Black Basta ransomware. The actors use special shortcuts, folder icons and settings to make folders impersonating disks and a recycle bin directory. They also name certain folders with the 00A0 (no-break space) Unicode character thus hindering Windows Explorer and the command shell from displaying the folder and all the files inside it. Analyst Comment: Several behavior detections could be used to spot similar PlugX malware variants: DLL side loading, adding registry persistence, and payload execution with rundll32.exe. Incidents responders can check USB devices for the presence of no-break space as a folder name. MITRE ATT&CK: [MITRE ATT&CK] T1091 - Replication Through Removable Media | [MITRE ATT&CK] T1559.001 - Inter-Process Communication: Component Object Model | [MITRE ATT&CK] T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification | [MITRE ATT&CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] T1564.001: Hidden Files and Directories | [MITRE ATT&CK] T1105 - Ingress Tool Transfer Tags: detection:PlugX, detection:KilllSomeOne, USB, No-break space, file-type:DAT, file-type:EXE, file-type:DLL, actor:Black Basta, Windows Abraham's Ax Likely Linked to Moses Staff (published: January 26, 2023) Cobalt Sapling is an Iran-based threat actor active in hacking, leaking, and sabotage since at least November 2020. Since October 2021, Cobalt Sapling has been operating under a persona called Moses Staff to leak data from Israeli businesses and government entities. In November 2022, an additional fake identity was created, Abraham's Ax, to target government ministries in Saudi Arabia. Cobalt Sapling uses their custom PyDCrypt loader, the StrifeWater remote access trojan, and the DCSrv wiper styled as ransomware. Analyst Comment: A defense-in-depth approach can assist in creating a proactive stance against threat actors attempting to destroy data. Critical systems should be segregated from each other to minimize potential damage, with an]]> 2023-01-31T17:27:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-killlsomeone-folders-invisible-in-windows-everything-apis-abuse-speeds-up-ransomware-apt38-experiments-with-delivery-vectors-and-backdoors www.secnews.physaphae.fr/article.php?IdArticle=8305945 False Threat,Ransomware,Malware,Tool,Medical APT 38 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Roaming Mantis Implements New DNS Changer in Its Malicious Mobile App in 2022 (published: January 19, 2023) In December 2022, a financially-motivated group dubbed Roaming Mantis (Shaoye) continued targeting mobile users with malicious landing pages. iOS users were redirected to phishing pages, while Android users were provided with malicious APK files detected as XLoader (Wroba, Moqhao). Japan, Austria, France, and Germany were the most targeted for XLoader downloads (in that order). All but one targeted country had smishing as an initial vector. In South Korea, Roaming Mantis implemented a new DNS changer function. XLoader-infected Android devices were targeting specific Wi-Fi routers used mostly in South Korea. The malware would compromise routers with default credentials and change the DNS settings to serve malicious landing pages from legitimate domains. Analyst Comment: The XLoader DNS changer function is especially dangerous in the context of free/public Wi-Fi that serve many devices. Install anti-virus software for your mobile device. Users should be cautious when receiving messages with a link or unwarranted prompts to install software. MITRE ATT&CK: [MITRE ATT&CK] T1078.001 - Valid Accounts: Default Accounts | [MITRE ATT&CK] T1584 - Compromise Infrastructure Tags: actor:Roaming Mantis, actor:Shaoye, file-type:APK, detection:Wroba, detection:Moqhao, detection:XLoader, malware-type:Trojan-Dropper, DNS changer, Wi-Fi routers, ipTIME, EFM Networks, Title router, DNS hijacking, Malicious app, Smishing, South Korea, target-country:KR, Japan, target-country:JP, Austria, target-country:AT, France, target-country:FR, Germany, target-country:DE, VK, Mobile, Android Hook: a New Ermac Fork with RAT Capabilities (published: January 19, 2023) ThreatFabric researchers analyzed a new Android banking trojan named Hook. It is a rebranded development of the Ermac malware that was based on the Android banker Cerberus. Hook added new capabilities in targeting banking and cryptocurrency-related applications. The malware also added capabilities of a remote access trojan and a spyware. Its device take-over capabilities include being able to remotely view and interact with the screen of the infected device, manipulate files on the devices file system, simulate clicks, fill text boxes, and perform gestures. Hook can start the social messaging application WhatsApp, extract all the messages present, and send new ones. Analyst Comment: Users should take their mobile device security seriously whether they use it for social messaging or actually provide access to their banking accounts and/or cryptocurrency holdings. Similar to its predecessors, Hook will likely be used by many threat actors (malware-as-as-service model). It means the need to protect from a wide range of attacks: smishing, prompts to install malicious apps, excessive]]> 2023-01-24T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-roaming-mantis-changes-dns-on-wi-fi-routers-hook-android-banking-trojan-has-device-take-over-capabilities-ke3chang-targeted-iran-with-updated-turian-backdoor www.secnews.physaphae.fr/article.php?IdArticle=8303740 False Threat,Malware,Guideline,Tool APT 25,APT 15 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Malicious ‘Lolip0p’ PyPi Packages Install Info-Stealing Malware (published: January 16, 2023) On January 10, 2023, Fortinet researchers detected actor Lolip0p offering malicious packages on the Python Package Index (PyPI) repository. The packages came with detailed, convincing descriptions pretending to be legitimate HTTP clients or, in one case, a legitimate improvement for a terminal user interface. Installation of the libraries led to infostealing malware targeting browser data and authentication (Discord) tokens. Analyst Comment: Free repositories such as PyPI become increasingly abused by threat actors. Before adding a package, software developers should review its author and reviews, and check the source code for any suspicious or malicious intent. MITRE ATT&CK: [MITRE ATT&CK] T1204 - User Execution | [MITRE ATT&CK] T1555 - Credentials From Password Stores Tags: actor:Lolip0p, Malicious package, malware-type:Infostealer, Discord, PyPi, Social engineering, Windows Analysis of FG-IR-22-398 – FortiOS - Heap-Based Buffer Overflow in SSLVPNd (published: January 11, 2023) In December 2022, the Fortinet network security company fixed a critical, heap-based buffer overflow vulnerability (FG-IR-22-398, CVE-2022-42475) in FortiOS SSL-VPN. The vulnerability was exploited as a zero-day by an advanced persistent threat (APT) actor who was customizing a Linux implant specifically for FortiOS of relevant FortiGate hardware versions. The targeting was likely aimed at governmental or government-related targets. The attribution is not clear, but the compilation timezone UTC+8 may point to China, Russia, and some other countries. Analyst Comment: Users of the affected products should make sure that the December 2022 FortiOS security updates are implemented. Zero-day based attacks can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning based detection systems. Network defenders are advised to monitor for suspicious traffic, such as suspicious TCP sessions with Get request for payloads. MITRE ATT&CK: [MITRE ATT&CK] T1622 - Debugger Evasion | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1105 - Ingress Tool Transfer | [MITRE ATT&CK] T1090 - Proxy | [MITRE ATT&CK] T1070 - Indicator Removal On Host Tags: FG-IR-22-398, CVE-2022-42]]> 2023-01-18T16:35:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-fortios-zero-day-has-been-exploited-by-an-apt-two-rats-spread-by-four-types-of-jar-polyglot-files-promethium-apt-continued-android-targeting www.secnews.physaphae.fr/article.php?IdArticle=8302291 False Threat,Malware,Guideline,Tool,Vulnerability LastPass 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence OPWNAI : Cybercriminals Starting to Use ChatGPT (published: January 6, 2023) Check Point researchers have detected multiple underground forum threads outlining experimenting with and abusing ChatGPT (Generative Pre-trained Transformer), the revolutionary artificial intelligence (AI) chatbot tool capable of generating creative responses in a conversational manner. Several actors have built schemes to produce AI outputs (graphic art, books) and sell them as their own. Other actors experiment with instructions to write an AI-generated malicious code while avoiding ChatGPT guardrails that should prevent such abuse. Two actors shared samples allegedly created using ChatGPT: a basic Python-based stealer, a Java downloader that stealthily runs payloads using PowerShell, and a cryptographic tool. Analyst Comment: ChatGPT and similar tools can be of great help to humans creating art, writing texts, and programming. At the same time, it can be a dangerous tool enabling even low-skill threat actors to create convincing social-engineering lures and even new malware. MITRE ATT&CK: [MITRE ATT&CK] T1566 - Phishing | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | [MITRE ATT&CK] T1560 - Archive Collected Data | [MITRE ATT&CK] T1005: Data from Local System Tags: ChatGPT, Artificial intelligence, OpenAI, Phishing, Programming, Fraud, Chatbot, Python, Java, Cryptography, FTP Turla: A Galaxy of Opportunity (published: January 5, 2023) Russia-sponsored group Turla re-registered expired domains for old Andromeda malware to select a Ukrainian target from the existing victims. Andromeda sample, known from 2013, infected the Ukrainian organization in December 2021 via user-activated LNK file on an infected USB drive. Turla re-registered the Andromeda C2 domain in January 2022, profiled and selected a single victim, and pushed its payloads in September 2022. First, the Kopiluwak profiling tool was downloaded for system reconnaissance, two days later, the Quietcanary backdoor was deployed to find and exfiltrate files created in 2021-2022. Analyst Comment: Advanced groups are often utilizing commodity malware to blend their traffic with less sophisticated threats. Turla’s tactic of re-registering old but active C2 domains gives the group a way-in to the pool of existing targets. Organizations should be vigilant to all kinds of existing infections and clean them up, even if assessed as “less dangerous.” All known network and host-based indicators and hunting rules associated]]> 2023-01-10T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-turla-re-registered-andromeda-domains-spynote-is-more-popular-after-the-source-code-publication-typosquatted-site-used-to-leak-companys-data www.secnews.physaphae.fr/article.php?IdArticle=8299602 False Threat,Ransomware,Malware,Tool ChatGPT,APT-C-36 2.0000000000000000 Anomali - Firm Blog 2023-01-05T05:50:00+00:00 https://www.anomali.com/blog/focusing-on-your-adversary www.secnews.physaphae.fr/article.php?IdArticle=8298031 False Threat,Ransomware,Malware,Tool,Prediction,Industrial,Vulnerability None 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence PyTorch Discloses Malicious Dependency Chain Compromise Over Holidays (published: January 1, 2023) Between December 25th and December 30th, 2022, users who installed PyTorch-nightly were targeted by a malicious library. The malicious torchtriton dependency on PyPI uses the dependency confusion attack by having the same name as the legitimate one on the PyTorch repository (PyPI takes precedence unless excluded). The actor behind the malicious library claims that it was part of ethical research and that he alerted some affected companies via HackerOne programs (Facebook was allegedly alerted). At the same time the library’s features are more aligned with being a malware than a research project. The code is obfuscated, it employs anti-VM techniques and doesn’t stop at fingerprinting. It exfiltrates passwords, certain files, and the history of Terminal commands. Stolen data is sent to the C2 domain via encrypted DNS queries using the wheezy[.]io DNS server. Analyst Comment: The presence of the malicious torchtriton binary can be detected, and it should be uninstalled. PyTorch team has renamed the 'torchtriton' library to 'pytorch-triton' and reserved the name on PyPI to prevent similar attacks. Opensource repositories and apps are a valuable asset for many organizations but adoption of these must be security risk assessed, appropriately mitigated and then monitored to ensure ongoing integrity. MITRE ATT&CK: [MITRE ATT&CK] T1195.001 - Supply Chain Compromise: Compromise Software Dependencies And Development Tools | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] T1003.008 - OS Credential Dumping: /Etc/Passwd And /Etc/Shadow | [MITRE ATT&CK] T1041 - Exfiltration Over C2 Channel Tags: Dependency confusion, Dependency chain compromise, PyPI, PyTorch, torchtriton, Facebook, Meta AI, Exfiltration over DNS, Linux Linux Backdoor Malware Infects WordPress-Based Websites (published: December 30, 2022) Doctor Web researchers have discovered a new Linux backdoor that attacks websites based on the WordPress content management system. The latest version of the backdoor exploits 30 vulnerabilities in outdated versions of WordPress add-ons (plugins and themes). The exploited website pages are injected with a malicious JavaScript that intercepts all users clicks on the infected page to cause a malicious redirect. Analyst Comment: Owners of WordPress-based websites should keep all the components of the platform up-to-date, including third-party add-ons and themes. Use ]]> 2023-01-04T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-machine-learning-toolkit-targeted-by-dependency-confusion-multiple-campaigns-hide-in-google-ads-lazarus-group-experiments-with-bypassing-mark-of-the-web www.secnews.physaphae.fr/article.php?IdArticle=8297872 False Threat,Malware,Patching,Tool,Vulnerability,Medical APT 38,LastPass 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New RisePro Stealer Distributed by the Prominent PrivateLoader (published: December 22, 2022) RisePro is a new commodity infostealer that is being sold and supported by Telegram channels. Log credentials derived from RisePro are for sale on illicit markets since December 13, 2022. RisePro targets password stores and particular file patterns to extract cookies, credit card information, cryptocurrency wallets, installed software credentials, and passwords. RisePro was delivered by PrivateLoader and these two malware families have significant code similarity. It also shares similarity with the Vidar stealer in a way that both use dropped DLL dependencies. Analyst Comment: Infostealers are a continually rising threat for organizations especially with hybrid workers utilizing their own and other non-corporate devices to access cloud based resources and applications. Information from these sessions, useful to attackers, can be harvested unknown to the worker or end organization. In addition, the rise of threat actor reliance on potent commodity malware is one of the trends that Anomali analysts observe going into 2023 (see Predictions below). Network defenders are advised to block known PrivateLoader and RisePro indicators (available on the Anomali platform). MITRE ATT&CK: [MITRE ATT&CK] T1213 - Data From Information Repositories | [MITRE ATT&CK] T1113 - Screen Capture | [MITRE ATT&CK] T1555.004 - Credentials from Password Stores: Windows Credential Manager | [MITRE ATT&CK] T1140 - Deobfuscate/Decode Files Or Information | [MITRE ATT&CK] T1222: File and Directory Permissions Modification | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] T1027.005 - Obfuscated Files or Information: Indicator Removal From Tools | [MITRE ATT&CK] T1087 - Account Discovery | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1057 - Process Discovery | [MITRE ATT&CK] T1012: Query Registry | [MITRE ATT&CK] T1518 - Software Discovery | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | ]]> 2022-12-29T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-zerobot-added-new-exploits-and-ddos-methods-gamaredon-group-bypasses-dns-proxynotshell-exploited-prior-to-dll-side-loading-attacks-and-more www.secnews.physaphae.fr/article.php?IdArticle=8295813 False Threat,Malware,Tool None 2.0000000000000000 Anomali - Firm Blog 2022-12-21T05:11:00+00:00 https://www.anomali.com/blog/2023-anomali-predictions-new-risks-to-put-added-pressure-on-enterprise-defenders www.secnews.physaphae.fr/article.php?IdArticle=8293292 False Threat,Malware,Prediction None 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence APT5: Citrix ADC Threat Hunting Guidance (published: December 13, 2022) On December 13, 2022, the US National Security Agency published a report on the ongoing exploitation of Citrix products. Citrix confirmed that this critical remote code execution vulnerability (CVE-2022-27518, CTX474995) affects Citrix Application Delivery Controller™ (Citrix ADC) and Citrix Gateway versions: 12.1 and 13.0 before 13.0-58.32. Active exploitation of the CVE-2022-27518 zero-day was attributed to China-sponsored APT5 (Keyhole Panda, Manganese, UNC2630) and its custom Tricklancer malware. Analyst Comment: All customers using the affected builds are urged to install the current build or upgrade to the newest version (13.1 or newer) immediately. Anomali Platform has YARA signatures for the Tricklancer malware, network defenders are encouraged to follow additional NSA hunting suggestions (LINK). Check md5 hashes for key executables of the Citrix ADC appliance. Analyze your off-device logs: look for gaps and mismatches in logs, unauthorized modification of user permissions, unauthorized modifications to the crontab, and other known signs of APT5’s activities. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 Tags: actor:APT5, actor:UNC2630, actor:Manganese, actor:Keyhole Panda, CVE-2022-27518, CTX474995, Citrix ADC, Citrix Gateway, Zero-day, China, source-country:CN Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT (published: December 12, 2022) In November 2022, a new cryptojacking campaign was detected by Trend Micro researchers. Unlike previously-recorded campaigns that aim at installing a cryptomining software, this one is utilizing a remote access trojan (RAT): a Linux-targeting version of the open-source Chaos RAT. This Go-based RAT is multi-functional and has the ability to download additional files, run a reverse shell, and take screenshots. Analyst Comment: Implement timely patching and updating to your systems. Monitor for a sudden increase in resource utilization, track open ports, and check the usage of and changes made to DNS routing. MITRE ATT&CK: [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Remote Access Tools - T12]]> 2022-12-20T20:46:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt5-exploited-citrix-zero-days-azov-data-wiper-features-advanced-anti-analysis-techniques-inception-apt-targets-russia-controlled-territories-and-more www.secnews.physaphae.fr/article.php?IdArticle=8295338 False Threat,Malware,Patching,Tool,Prediction,Vulnerability APT 5 3.0000000000000000 Anomali - Firm Blog download our ebook, The Need to Focus on the Adversary, to learn why understanding the attacker is important. Intelligence Channels:  Security teams are under pressure to do more with less. Unfortunately, most organizations need help effectively implementing threat intelligence, not benefiting from the value their threat intelligence team, processes, and tools provide. We’ve made it easier for Security teams to implement out-of-the-box tailored intelligence with Intelligence Channels. Intelligence Channels are for organizations that need help implementing threat intelligence. Curated by The Anomali]]> 2022-12-15T05:12:00+00:00 https://www.anomali.com/blog/anomali-november-quarterly-product-update www.secnews.physaphae.fr/article.php?IdArticle=8291449 False Threat,Malware None 1.00000000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New MuddyWater Threat: Old Kitten; New Tricks (published: December 8, 2022) In 2020-2022, Iran-sponsored MuddyWater (Static Kitten, Mercury) group went through abusing several legitimate remote administration tools: RemoteUtilities, followed by ScreenConnect and then Atera Agent. Since September 2022, a new campaign attributed to MuddyWater uses spearphishing to deliver links to archived MSI files with yet another remote administration tool: Syncro. Deep Instinct researchers observed the targeting of Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and United Arab Emirates. Analyst Comment: Network defenders are advised to establish a baseline for typical running processes and monitor for remote desktop solutions that are not common in the organization. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Remote Access Tools - T1219 Tags: mitre-group:MuddyWater, actor:Static Kitten, actor:Mercury, Iran, source-country:IR, APT, Cyberespionage, Ministry of Intelligence and Security, detection:Syncro, malware-type:RAT, file-type:MSI, file-type:ZIP, OneHub, Windows Babuk Ransomware Variant in Major New Attack (published: December 7, 2022) In November 2022, Morphisec researchers identified a new ransomware variant based on the Babuk source code that was leaked in 2021. One modification is lowering detection by abusing the legitimate Microsoft signed process: DLL side-loading into NTSD.exe — a Symbolic Debugger tool for Windows. The mechanism to remove the available Shadow Copies was changed to using Component Object Model objects that execute Windows Management Instrumentation queries. This sample was detected in a large, unnamed manufacturing company where attackers had network access and were gathering information for two weeks. They have compromised the company’s domain controller and used it to distribute ransomware to all devices within the organization through Group Policy Object. The delivered BAT script bypasses User Account Control and executes a malicious MSI file that contains files for DLL side-loading and an open-source-based reflective loader (OCS files). Analyst Comment: The attackers strive to improve their evasion techniques, their malware on certain steps hides behind Microsoft-signed processes and exists primarily in device memory. It increases the need for the defense-in-depth approach and robust monitoring of your organization domain. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Abuse Elevation Control Mechanism - T1548 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | ]]> 2022-12-13T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-muddywater-hides-behind-legitimate-remote-administration-tools-vice-society-tops-ransomware-threats-to-education-abandoned-javascript-library-domain-pushes-web-skimmers www.secnews.physaphae.fr/article.php?IdArticle=8290724 False Threat,Ransomware,Malware,Tool,Medical APT 38 3.0000000000000000 Anomali - Firm Blog 2022-12-08T19:03:00+00:00 https://www.anomali.com/blog/why-understanding-your-attack-surface-is-imperative www.secnews.physaphae.fr/article.php?IdArticle=8289565 False Threat,Vulnerability None 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Chinese Gambling Spam Targets World Cup Keywords (published: December 2, 2022) Since 2018, a large-scale website infection campaign was affecting up to over 100,000 sites at a given moment. Infected websites, mostly oriented at audiences in China, were modified with additional scripts. Compromised websites were made to redirect users to Chinese gambling sites. Title and Meta tags on the compromised websites were changed to display keywords that the attackers had chosen to abuse search engine optimization (SEO). At the same time, additional scripts were switching the page titles back to the original if the visitor fingerprinting did not show a Chinese search engine from a preset list (such as Baidu). Analyst Comment: Website owners should keep their systems updated, use unique strong passwords and introduce MFA for all privileged or internet facing resources, and employ server-side scanning to detect unauthorized malicious content. Implement secure storage for website backups. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 Tags: SEO hack, HTML entities, Black hat SEO, Fraudulent redirects, Visitor fingerprinting, Gambling, Sports betting, World Cup, China, target-country:CN, JavaScript, Baidu, baiduspider, Sogou, 360spider, Yisou Leaked Android Platform Certificates Create Risks for Users (published: December 2, 2022) On November 30, 2022, Google reported 10 different Android platform certificates that were seen actively abused in the wild to sign malware. Rapid7 researchers found that the reported signed samples are adware, so it is possible that these platform certificates may have been widely available. It is not shared how these platform certificates could have been leaked. Analyst Comment: Malware signed with a platform certificate can enjoy privileged execution with system permissions, including permissions to access user data. Developers should minimize the number of applications requiring a platform certificate signature. Tags: Android, Google, Platform certificates, Signed malware, malware-type:Adware Blowing Cobalt Strike Out of the Water With Memory Analysis (published: December 2, 2022) The Cobalt Strike attack framework remains difficult to detect as it works mostly in memory and doesn’t touch the disk much after the initial loader stage. Palo Alto researchers analyzed three types of Cobalt Strike loaders: KoboldLoader which loads an SMB beacon, MagnetLoader loading an HTTPS beacon, and LithiumLoader loading a stager beacon. These beacon samples do not execute in normal sandbox environments and utilize in-me]]> 2022-12-06T17:09:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-infected-websites-show-different-headers-depending-on-search-engine-fingerprinting-10-android-platform-certificates-abused-in-the-wild-phishing-group-impersonated-major-uae-oil www.secnews.physaphae.fr/article.php?IdArticle=8288335 False Threat,Spam,Malware,Tool,Medical APT 38 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Voice-Scamming Site “iSpoof” Seized, 100s Arrested in Massive Crackdown (published: November 25, 2022) iSpoof was a threat group offering spoofing for caller phone numbers (also known as Caller ID, Calling Line Identification). iSpoof core group operated out of the UK with presence in other countries. In the 12 months until August 2022 around 10 million fraudulent calls were made globally via iSpoof. On November 24, 2022, Europol announced a joint operation involving Australia, Canada, France, Germany, Ireland, Lithuania, Netherlands, Ukraine, the UK, and the USA, that led to the arrest of 142 suspects and seizure of iSpoof websites. Analyst Comment: Threat actors can spoof Caller ID (Calling Line Identification) similar to spoofing the “From:” header in an email. If contacted by an organization you should not confirm any details about yourself, take the caller’s details, disconnect and initiate a call back to the organization yourself using a trusted number. Legitimate organizations understand scams and fraud and do not engage in unsolicited calling. Tags: iSpoof, Teejai Fletcher, United Kingdom, source-country:UK, Caller ID, Calling Line Identification, Voice-scamming, Social engineering New Ransomware Attacks in Ukraine Linked to Russian Sandworm Hackers (published: November 25, 2022) On November 21, 2022, multiple organizations in Ukraine were targeted with new ransomware written in .NET. It was dubbed RansomBoggs by ESET researchers who attributed it to the Russia-sponsored Sandworm Team (aka Iridium, BlackEnergy). Sandworm distributed RansomBoggs from the domain controller using the same PowerShell script (PowerGap) that was seen in its previous attacks. RansomBoggs encrypts files using AES-256 in CBC mode using a randomly generated key. The key is RSA encrypted prior to storage and the encrypted files are appended with a .chsch extension. Analyst Comment: Ransomware remains one of the most dangerous types of malware threats and even some government-sponsored groups are using it. Sandworm is a very competent actor group specializing in these forms of attack. Organizations with exposure to the military conflict in Ukraine, or considered by the Russian state to be providing support relating to the conflict, should prepare offline backups to minimize the effects of a potential data-availability-denial attack. MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 Tags: detection:RansomBoggs, detection:Filecoder.Sullivan, malware-type:Ransomware, AES-256, PowerShell, detection:PowerGap, mitre-group:Sandworm Team, actor:Iridium, Russia]]> 2022-11-29T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-caller-id-spoofing-actors-arrested-fast-moving-qakbot-infection-deploys-black-basta-ransomware-new-yara-rules-to-detect-cobalt-strike-and-more www.secnews.physaphae.fr/article.php?IdArticle=8282165 False Threat,Ransomware,Malware,Guideline,Tool None 4.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence DEV-0569 Finds New Ways to Deliver Royal Ransomware, Various Payloads (published: November 17, 2022) From August to October, 2022, Microsoft researchers detected new campaigns by a threat group dubbed DEV-0569. For delivery, the group alternated between delivering malicious links by abusing Google Ads for malvertising and by using contact forms on targeted organizations’ public websites. Fake installer files were hosted on typosquatted domains or legitimate repositories (GitHub, OneDrive). First stage was user-downloaded, signed MSI or VHD file (BatLoader malware), leading to second stage payloads such as BumbleBee, Gozi, Royal Ransomware, or Vidar Stealer. Analyst Comment: DEV-0569 is a dangerous group for its abuse of legitimate services and legitimate certificates. Organizations should consider educating and limiting their users regarding software installation options. Links from alternative incoming messaging such as from contact forms should be treated as thorough as links from incoming email traffic. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: actor:DEV-0569, detection:Cobalt Strike, detection:Royal, malware-type:Ransomware, file-type:VHD, detection:NSudo, malware-type:Hacktool, detection:IcedID, Google Ads, Keitaro, Traffic distribution system, detection:Gozi, detection:BumbleBee, NirCmd, detection:BatLoader, malware-type:Loader, detection:Vidar, malware-type:Stealer, AnyDesk, GitHub, OneDrive, PowerShell, Phishing, SEO poisoning, TeamViewer, Adobe Flash Player, Zoom, Windows Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment (published: November 16, 2022) From mid-September 2022, a new phishing campaign targets users in North America with holiday special pretenses. It impersonated a number of major brands including Costco, Delta Airlines, Dick's, and Sam's Club. Akamai researchers analyzed techniques that the underlying sophisticated phishing kit was using. For defense evasion and tracking, the attackers used URI fragmentation. They were placing target-specific tokens after the URL fragment identifier (a hash mark, aka HTML anchor). The value was used by a JavaScript code running on the victim’s browser to reconstruct the redirecting URL. Analyst Comment: Evasion through URI fragmentation hides the token value from traff]]> 2022-11-22T23:47:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-uri-fragmentation-used-to-stealthily-defraud-holiday-shoppers-lazarus-and-billbug-stick-to-their-custom-backdoors-z-team-turned-ransomware-into-wiper-and-more www.secnews.physaphae.fr/article.php?IdArticle=8169179 False Threat,Ransomware,Malware,Guideline,Tool,Medical APT 38 4.0000000000000000 Anomali - Firm Blog research recommends that organizations take a holistic view of the problem and ensure proper alignment of security to top emerging threats by: • Gaining a clear picture of the current state of play: What are the biggest threats facing companies today? Where do they lie within the context of the overall threat landscape? And can you identify the threats? • Understanding where the most significant risk lies: Which areas pose the greatest threat to businesses today? And why? • Implementing effective strategies for mitigating threats: What are effective ways to address the most significant threats? For example, what types of technologies can help protect against data breaches? And how do you protect against insider threats? Or secure cloud environments? Post-Covid Era Cybersecurity Even though we’re now past the COVID-19 crisis, there were many disruptions in the cybersecurity industry. Many large companies continue to focus on remote work, causing cloud-based operations to increase and expanding 5G networks connected devices at faster speeds and greater bandwidths. Cryptocurrencies exploded in popularity and are now bought, sold, and traded by individuals on a grander scale than ever before. Many organizations need more visibility into the full extent of the risks across their growing attack surface, making it challenging to identify and address vulnerabilities effectively. In addition, the rapid pace of innovation and sophistication in attacks makes it increasingly challenging for organizations to keep up with new threats. Organizations must ensure they have the right solutions, like a threat intelligence management or extended detection and response (XDR) platform, to defend against cyberattacks proactively. Cyber Attacks and Attackers are Evolving The stereotypical hacker working alone is no longer the main threat. Today’s attackers are more methodological and work within larger teams of individuals, often organized into hacking collectives known as advanced persistent threats (APTs). These groups are typically comprised of highly skilled professionals who spend months plannin]]> 2022-11-17T14:35:00+00:00 https://www.anomali.com/blog/gartner-insights-how-to-respond-to-the-cyberthreat-landscape www.secnews.physaphae.fr/article.php?IdArticle=8068622 False Threat,Malware,Guideline None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence KmsdBot: The Attack and Mine Malware (published: November 10, 2022) KmsdBot is a cryptominer written in GO with distributed denial-of-service (DDoS) functionality. This malware was performing DDoS attacks via either Layer 4 TCP/UDP packets or Layer 7 HTTP consisting of GET and POST. KmsdBot was seen performing targeted DDoS attacks against the gaming industry, luxury car manufacturers, and technology industry. The malware spreads by scanning for open SSH ports and trying a list of weak username and password combinations. Analyst Comment: Network administrators should not use weak or default credentials for servers or deployed applications. Keep your systems up-to-date and use public key authentication for your SSH connections. MITRE ATT&CK: [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Resource Hijacking - T1496 Tags: detection:KmsdBot, SSH, Winx86, Arm64, mips64, x86_64, malware-type:DDoS, malware-type:Cryptominer, xmrig, Monero, Golang, target-industry:Gaming, target-industry:Car manufacturing, target-industry:Technology, Layer 4, Layer 7 Massive ois[.]is Black Hat Redirect Malware Campaign (published: November 9, 2022) Since September 2022, a new WordPress malware redirects website visitors via ois[.]is. To conceal itself from administrators, the redirect will not occur if the wordpress_logged_in cookie is present, or if the current page is wp-login.php. The malware infects .php files it finds – on average over 100 files infected per website. A .png image file is initiating a redirect using the window.location.href function to redirect to a Google search result URL of a spam domain of actors’ choice. Sucuri researchers estimate 15,000 affected websites that were redirecting visitors to fake Q&A sites. Analyst Comment: WordPress site administrators should keep their systems updated and secure the wp-admin administrator panel with 2FA or other access restrictions. If your site was infected, perform a core file integrity check, query for any files containing the same injection, and check any recently modified or added files. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 Tags: file-type:PHP, SEO poisoning, WordPress, Google Search, Google Ads LockBit 3.0 Being Distributed via Amadey Bot (published: November 8, 2022) Discovered in 2018, Amadey Bot is a commodity malware that functions as infostealer and loader. Ahnlab researchers detected a new campaign where it is used to deliver the LockBit 3.0 ransomware. It is likely a part of a larger 2022 campaign delivering LockBit to South Korean users. The actors used phishing attachments with two variants of Amadey B]]> 2022-11-16T03:26:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-amadey-bot-started-delivering-lockbit-30-ransomware-strelastealer-delivered-by-a-html-dll-polyglot-spymax-rat-variant-targeted-indian-defense-and-more www.secnews.physaphae.fr/article.php?IdArticle=8039573 False Threat,Ransomware,Spam,Malware,Tool None None Anomali - Firm Blog ESG research found that survey respondents want to use more data for security operations, driving the need for scalable, high-performance, cloud-based back-end data repositories. The research found that 80% of organizations use more than 10 data sources as part of security operations to detect malicious activities, believing the most important to be: endpoint security data, threat intelligence feeds, security device logs, cloud security data, and network flow logs. While these are all valuable in their own right, they can also be difficult to collect, store, analyze, and correlate across multiple systems. Big data analytics has made it possible for organizations to combine multiple sources of information into one unified view of an event or incident. Though there have been advanced, many security tools still lack the ability to integrate, especially if they are from multiple vendors. This makes sharing information harder and highlights the need for better integration between telemetry sources and analysis tools. Challenges with Big Data There is no shortage of hype surrounding big data. Many companies are already reaping the benefits of big data and applying it to improve their operations. Big data is often described as “dense,” meaning that it contains a lot of information and is hard to analyze. While this makes it easier to collect, it also challenges organizations to figure out what information is relevant and how to apply it. The same goes for cybersecurity threats. There is a lot of buzz about the potential of big data to help identify attackers, but the reality is that it doesn’t just work like that. Instead, big data also provides a way for attackers to hide within vast amounts of information. They can further exploit this to avoid detection and even change their identity multiple times before unleashing a cyber attack. Using Data for Cybersecurity Even though data is the most appetizing and easily accessible target for attackers, that doesn’t mean you shouldn’t collect and analyze it. Data analysis can provide insights into how attackers target your organization for a cyber attack and what they might do next. According to the ESG Research, SOC teams collect, process, and analyze a variety of security telemetry to help them determine detection weaknesses where custom rules are needed. Security teams customize vendor rule sets to meet their needs and develop custom rules to detect threats targeting their industry or organization. Data Visualization & Analytics Big data analytics allows an organization to visualize attacks, detect anomalies, and discover relationships between different data sets. Machine Learning & Predictive Modeling Machine learning helps identify potential threats and behavior patterns by analyzing the data collected during the attack and comparing it with patterns we know about. We can even build predictive models based on our experience to detect similar attacks in the future. Security Controls Automation Artificial intelligence can help quickly automate threat intelligence to security controls to protect against security breaches. For example, machine learning could help identify activities related to a particular type of event and block access to those actions or events. The Need to Understand the Attacker Threat actors use three main attack vectors: social engineering, malware, and brute force. Social engineering occurs when someone attempts to trick another person into disclosing confidential information or giving up control]]> 2022-11-10T11:49:00+00:00 https://www.anomali.com/blog/the-need-for-more-data-in-security-operations www.secnews.physaphae.fr/article.php?IdArticle=7924478 False Threat,Malware,Vulnerability None None Anomali - Firm Blog 2022-11-08T22:09:00+00:00 https://www.anomali.com/blog/modernize-your-security-operations-reduce-cost www.secnews.physaphae.fr/article.php?IdArticle=7895482 False Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild (published: November 3, 2022) Cobalt Strike remains a popular post-exploitation tool for threat actors trying to evade threat detection. Cobalt Strike’s Beacons use advanced, flexible command-and-control (C2) communication profiles for stealth communication with an attacker-controlled Linux application called Team Server. Beacon implants can covertly utilize the DNS protocol or communicate via HTTP/HTTPs using the the default Malleable C2 profile or Malleable C2 Gmail profile. Palo Alto researchers probed the Internet for these three types of communication to find previously-unknown active Team Server instances. Researchers were preselecting suspicious IP addresses with Shodan, actively probing them with stager requests and initializing a connection with the netcat tool to test, verify and extract communication profile settings (such as the served stager bytes). Analyst Comment: Network fingerprinting and active scanning technologies allow for proactive identification of threats such as Cobalt Strike’s C2 IP addresses. Network defenders and intelligence feed providers can get better coverage by improving their collaboration and coverage via threat intelligence platforms such as ThreatStream provided by Anomali. MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol - T1071 Tags: detection:Cobalt Strike Beacon, detection:Cobalt Strike, detection:Cobalt Strike Team Server, Cobalt Strike stager, Active scanning, Shodan, netcat, Post-exploitation tool, Gmail, DNS, TCP, HTTP, Windows Abusing Microsoft Customer Voice to Send Phishing Links (published: November 3, 2022) Avanan researchers detected a phishing campaign that abuses Microsoft Dynamics 365 Customer Voice since at least September 2022. These phishing emails come from legitimate email address surveys@email.formspro.microsoft.com, and clicking the link opens the Microsoft’s Customer Voice domain on a page with URL starting with: customervoice.microsoft.com/Pages/ResponsePage.aspx?id=... At the same time, a user clicking on the embedded “Play Voicemail” link redirects to an attacker-controlled phishing page asking for Microsoft account login credentials. Analyst Comment: Organizations can use services like Anomali Digital Risk Protection, which defends your brand against brand abuse and continuously monitors domains for cybersquatters and domain hijacking to prevent phishing and malware attacks. Users are advised to always check the current domain by hovering over the URL, especially before entering credentials. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 Tags: Customer Voice, Phishing, Microsoft, Forms Pro Black Basta Ransomware]]> 2022-11-08T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-active-probing-revealed-cobalt-strike-c2s-black-basta-ransomware-connected-to-fin7-robin-banks-phishing-as-a-service-became-stealthier-and-more www.secnews.physaphae.fr/article.php?IdArticle=7890921 False Threat,Ransomware,Malware,Tool None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Threat Analysis: Active C2 Discovery Using Protocol Emulation Part3 (ShadowPad) (published: October 27, 2022) ShadowPad is a custom, modular malware in use by multiple China-sponsored groups since 2015. VMware researchers analyzed the command-and-control (C2) protocol in recent ShadowPad samples. They uncovered decoding routines and protocol/port combinations such as HTTP/80, HTTP/443, TCP/443, UDP/53, and UDP/443. Active probing revealed 83 likely ShadowPad C2 servers (during September 2021 to September 2022). Additional samples communicating with this infrastructure included Spyder (used by APT41) and ReverseWindow (used by the LuoYu group). Analyst Comment: Researchers can use reverse engineering and active probing to map malicious C2 infrastructure. At the same time, the ShadowPad malware changes the immediate values used in the packet encoding per variant, so finding new samples is crucial for this monitoring. MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 Tags: detection:ShadowPad, C2, APT, China, source-country:CN, actor:APT41, actor:LuoYu, detection:Spyder, detection:ReverseWindow, TCP, HTTP, HTTPS, UDP Raspberry Robin Worm Part of Larger Ecosystem Facilitating Pre-Ransomware Activity (published: October 27, 2022) The Raspberry Robin USB-drive-targeting worm is an increasingly popular infection and delivery method. Raspberry Robin works as a three-file infection: Raspberry Robin LNK file on an USB drive, Raspberry Robin DLL (aka Roshtyak) backdoor, and a heavily-obfuscated .NET DLL that writes LNKs to USB drives. Microsoft researchers analyzed several infection chains likely centered around threat group EvilCorp (aka DEV-0206/DEV-0243). Besides being the initial infection vector, Raspberry Robin was seen delivered by the Fauppod malware, which shares certain code similarities both with Raspberry Robin and with EvilCorp’s Dridex malware. Fauppod/Raspberry Robin infections were followed by additional malware (Bumblebee, Cobalt Strike, IcedID, TrueBot), and eventually led to a ransomware infection (LockBit, Clop). Analyst Comment: Organizations are advised against enabling Autorun of removable media on Windows by default, as it allows automated activation of an inserted, Raspberry Robin-infected USB drive. Apply best practices related to credential hygiene, network segmentation, and attack surface reduction. MITRE ATT&CK: [MITRE ATT&CK] Replicat]]> 2022-11-01T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-active-probing-revealed-shadowpad-c2s-fodcha-hides-behind-obscure-tlds-awaiting-openssl-30-patch-and-more www.secnews.physaphae.fr/article.php?IdArticle=7765391 False Threat,Ransomware,Malware,Hack,Guideline,Tool,Vulnerability APT 41 None Anomali - Firm Blog 2022-10-26T21:00:00+00:00 https://www.anomali.com/blog/anomali-earns-frost-and-sullivan-market-leadership-award-for-threat-intelligence-Management-Platforms www.secnews.physaphae.fr/article.php?IdArticle=7702553 False Threat,Guideline None None Anomali - Firm Blog [1] times faster than before due to the onset of the pandemic. The changes included customer interactions, employee engagement, back-office processes, supply chain, and more. It’s a cliché to state that cyber becomes a core business risk as businesses get more digitally connected. Scan the SEC filings of any publicly listed company, and it’s amply clear that digital transformation unlocks massive growth but also expands the risk profile for most organizations. Cyber resilience is business resilience. The corollary holds equally true – cyber fragility impedes business growth. Figure 1: Digital transformation & cyber risk The traditional approach to cybersecurity has focused on a tech-centric approach to security, evolving a technology acronym soup, continuously trying to find the smarter tool to speed up and scale security operations. This approach, somewhat successful at the lower levels of digital transformation, has become unmanageable and incredibly expensive for businesses. In spending time with board directors, management teams, CIOs, and CISOs, we’ve realized that there is a dire need to pause and reset the foundational thinking with an eye on more effective delivery that can scale at a manageable cost. When an attacker targets an organization, they start by first conducting reconnaissance and understanding a company’s business model, profile, and strategy. Security needs to focus on the WHY - the business context. Why are they an interesting target, and what can they do to deter the attackers? This fusion of business context with security is critical to transforming security for the modern enterprise and helping executives answer key questions on business risk and resilience. As Einstein aptly said, “we cannot solve our problems with the same thinking we used to create them.” Sprucing up Security Operations A recent ESG survey highlighted that 52% of security professionals consider security today more complex today than two years ago[2]. There are several drivers for this, including changing threat landscape, growing attack surface, higher volume and complexity of security alerts, growing adoption of public cloud services, keeping up with operational needs of SecOps technologies, and collecting and growing more data. Elevating security necessitates a step back first to understand the goal. “The core purpose of security operations in a business is to drive operational resilience and]]> 2022-10-26T18:31:00+00:00 https://www.anomali.com/blog/accelerating-security-resilience-at-a-fraction-of-the-cost www.secnews.physaphae.fr/article.php?IdArticle=7692043 False Threat,Guideline,Tool None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Alert (AA22-294A) #StopRansomware: Daixin Team (published: October 21, 2022) Daixin Team is a double-extortion ransomware group that has been targeting US businesses, predominantly in the healthcare sector. Since June 2022, Daixin Team has been encrypting electronic health record services, diagnostics services, imaging services, and intranet services. The group has exfiltrated personal identifiable information and patient health information. Typical intrusion starts with initial access through virtual private network (VPN) servers gained by exploitation or valid credentials derived from prior phishing. They use SSH and RDP for lateral movement and target VMware ESXi systems with ransomware based on leaked Babuk Locker source code. Analyst Comment: Network defenders should keep organization’s VPN servers up-to-date on security updates. Enable multifactor authentication (MFA) on your VPN server and other critical accounts (administrative, backup-related, and webmail). Restrict the use of RDP, SSH, Telnet, virtual desktop and similar services in your environment. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Remote Service Session Hijacking - T1563 | [MITRE ATT&CK] Use Alternate Authentication Material - T1550 | [MITRE ATT&CK] Exfiltration Over Web Service - T1567 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: actor:Daixin Team, malware-type:Ransomware, PHI, SSH, RDP, Rclone, Ngrok, target-sector:Health Care NAICS 62, ESXi, VMware, Windows Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool (published: October 21, 2022) Symantec detected a new custom data exfiltration tool used in a number of BlackByte ransomware attacks. This infostealer, dubbed Exbyte, performs anti-sandbox checks and proceeds to exfiltrate selected file types to a hardcoded Mega account. BlackByte ransomware-as-a-service operations were first uncovered in February 2022. The group’s recent attacks start with exploiting public-facing vulnerabilities of ProxyShell and ProxyLogon families. BlackByte removes Kernel Notify Routines to bypass Endpoint Detection and Response (EDR) products. The group uses AdFind, AnyDesk, Exbyte, NetScan, and PowerView tools and deploys BlackByte 2.0 ransomware payload. Analyst Comment: It is crucial that your company ensures that servers are]]> 2022-10-25T16:53:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-daixin-team-ransoms-healthcare-sector-earth-berberoka-breaches-casinos-for-data-windows-affected-by-bring-your-own-vulnerable-driver-attacks-and-more www.secnews.physaphae.fr/article.php?IdArticle=7673563 False Threat,Ransomware,Malware,Tool,Vulnerability,Medical APT 38 None Anomali - Firm Blog A new threat report is published from an intel provider describing a new variant of malware that has been catastrophic at similar organizations. This report would ideally contain information around the process tree, registry key, etc., to help the cyber threat hunters not just hunt for detection of the associated IOCs but dig deeper to identify patterns that match the behavior of the malware across the network, like abnormal PowerShell executio]]> 2022-10-20T13:36:00+00:00 https://www.anomali.com/blog/threat-hunting-eight-tactics-to-a-accelerating-threat-hunting www.secnews.physaphae.fr/article.php?IdArticle=7666507 False Threat,Spam,Malware,Tool,Vulnerability None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Ransom Cartel Ransomware: A Possible Connection With REvil (published: October 14, 2022) Palo Alto Networks researchers analyzed Ransom Cartel, a double extortion ransomware-as-a-service group. Ransom Cartel came to existence in mid-December 2021 after the REvil group shut down. The Ransom Cartel group uses the Ransom Cartel ransomware, which shares significant code similarities with REvil, indicating close connections, but lacks REvil obfuscation engine capabilities. Ransom Cartel has almost no obfuscation outside of the configuration: unlike REvil it does not use string encryption and API hashing. Among multiple tools utilized by Ransom Cartel, the DonPAPI credential dumper is unique for this group. It performs Windows Data Protection API (DPAPI) dumping by targeting DPAPI-protected credentials such as credentials saved in web browsers, RDP passwords, and Wi-Fi keys. Analyst Comment: Network defenders should consider monitoring or blocking high-risk connections such as TOR traffic that is often abused by Ransom Cartel and its affiliates. It is crucial that your company ensure that servers are always running the most current software version. Your company should have policies in place in regards to the proper configurations needed for your servers in order to conduct your business needs safely. MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Software Deployment Tools - T1072 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] File and Directory Permissions Modification - T1222 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host -]]> 2022-10-18T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-ransom-cartel-uses-dpapi-dumping-unknown-china-sponsored-group-targeted-telecommunications-alchimist-c2-framework-targets-multiple-operating-systems-and-more www.secnews.physaphae.fr/article.php?IdArticle=7541845 False Threat,Ransomware,Malware,Tool APT 27 None Anomali - Firm Blog blog post, I dove deeper into why security is more challenging than ever. And it all comes back to people. People are the heart of any security organization. Security tools are a requirement, but they don’t replace people. According to (ISC) ²’s 2021 Cyber Workforce Report, there is still a cybersecurity workforce gap of more than 2.72 million. Which for some organizations can mean they’re already behind before even starting. Improving Your Security Posture There are many ways an organization can improve its security posture. They can share threat intelligence. They can invest in threat intelligence platforms or XDR solutions that improve their existing investments. For this blog, I’ve narrowed it down to five: 1) Understanding Your Relevant Threat Landscape Understanding the attack surface is key to knowing what assets need protection and how best to protect them. Unfortunately, most organizations struggle because their attack surface keeps changing. Start with an attack surface assessment. Find out how an attacker sees you. Map your assets against their potential vulnerabilities and readiness to prevent or respond to threats. This will help understand how well current tools and investments protect critical assets and what additional measures need to be taken to improve protection. A comprehensive assessment should include the following: • Visibility into all external facing assets to uncover exposed assets • Identify and evaluate the current security programs • Evaluate the effectiveness of information security policies, procedures, and processes • Determine the effect of cybersecurity incidents on KPIs, including availability, integrity, and privacy • Assess the maturity level of current tools and investments ]]> 2022-10-13T10:00:00+00:00 https://www.anomali.com/blog/see-yourself-in-cyber-top-five-ways-to-help-improve-your-organizations-security-posture www.secnews.physaphae.fr/article.php?IdArticle=7431361 False Threat,Ransomware,Malware,Hack,Guideline None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence VMware Report Exposes Emotet Malware’s Supply Chain (published: October 10, 2022) VMware researchers analyzed the Emotet malware-as-a-service evolution and its command-and-control (C2) infrastructure. In June 2022, Emotet added two new modules: one stealing credit card information from Google Chrome browsers, and another one that leverages the SMB protocol to spread laterally. Emotet’s main component is a DLL file that stores a highly obfuscated list of C2 IP:port pairs. More than half of the ports counted were port 8080 used as a proxy port on compromised legitimate servers abused to proxy traffic to the real C2 servers. Analyst Comment: For network defenders it is important to strengthen email security and implement network segmentation whenever possible. Despite its continuous evolution, Emotet botnets can reuse previously identified infrastructure. Block known network-based indicators available via Anomali platform. MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Signed Script Proxy Execution - T1216 | [MITRE ATT&CK] Encrypted Channel - T1573 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Email Collection - T1114 Tags: mitre-software:Emotet, mitre-group:Wizard Spider, SMB, Proxy, Botnet, Malware-as-a-service, Windows LofyGang Hackers Built a Credential-Stealing Enterprise on Discord, NPM (published: October 7, 2022) Checkmarx Security researchers described a financially-motivated threat actor group dubbed LofyGang (Lofy). This group aims at stealing credentials and credit card data by distributing approximately 200 malicious packages and fake hacking tools on code-hosting platforms, such as NPM and GitHub. LofyGang uses package name typosquatting and the starjacking technique of displaying fake popularity statistics. The first LofyGang package typically does not have a malicious behavior besides getting the second-stage malicious package. For its command-and-control communication the group often abuses legitimate services such as Discord, GitHub, glitch, Heroku, and Repl.it. Analyst Comment: Developers should be extra cautious and sensitized to the growing exploitation of the open source eco]]> 2022-10-12T18:06:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-emotet-added-two-new-modules-lofygang-distributed-200-malicious-packages-bumblebee-loader-expanded-its-reach-and-more www.secnews.physaphae.fr/article.php?IdArticle=7417719 False Threat,Ransomware,Malware,Tool None None Anomali - Firm Blog ESG Research found that the MITRE ATT&CK framework has grown in popularity to the point that nearly nine in ten organizations use it today. As SOC managers look into the future, they see even greater MITRE utilization. 97% of security professionals believe that MITRE ATT&CK (and derivative projects) will be critically important to their organization’s security operations strategy. If you missed our recent webinar, here’s an excerpt on how to explain Mitre ATT&CK to executives:    Or check out our “What is the Mitre ATT&CK Framework” resource for an in-depth overview. Seeing the Big Picture with the Mitre ATT&CK Framework Breaches are inevitable. Anyone who tells you otherwise probably has a bridge for sale as well. The reality is that breaches happen—and often multiple times. Our Cybersecurity Insights report showed that no industry is safe as even with increased investment, most businesses (87%) have fallen victim to successful cyberattacks in the past three years that resulted in damage, disruption, or a breach to their businesses. As an organization’s attack surface grows, it provides more opportunities and vulnerabilities for attackers to exploit. Adversaries continuously improve their stealth and TTPs to bypass existing security controls, a reality that is forcing organizations to change how they approach threat detection and response. MITRE ATT&CK helps organizations understand the bigger picture by shifting their focus away from just looking at IP addresses and domains to one that illuminates the threat within the context of an organization’s overall cybersecurity posture. With MITRE ATTACK, organizations are creating more secure futures by detecting incoming attacks and identifying and mitigating them before they cause damage. The ATT&CK framework helps security professionals with their daily technical analyses, making them better at what they do. When used to its full potential, MITRE ATT&CK can help security executives gain better value from existing technologies, including threat intelligence platforms (TIPs), SIEMs, and other security analytics tools. Using ATT&CK to Understand Gaps ATT&CK helps organizations establish strategic visibility into gaps in controls, making it easier to prioritize security investments in people, processes, services, and solutions.  By using the MITRE ATT&CK framework to apply contextualization to security postures and controls, organiza]]> 2022-10-06T10:28:00+00:00 https://www.anomali.com/blog/getting-value-with-the-mitre-attck-framework www.secnews.physaphae.fr/article.php?IdArticle=7318116 False Threat,Malware,Guideline,Vulnerability None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New Royal Ransomware Emerges in Multi-Million Dollar Attacks (published: September 29, 2022) AdvIntel and BleepingComputer researchers describe the Royal ransomware group. Several experienced ransomware actors formed this group in January 2022. It started with third-party encryptors such as BlackCat, switched to using its own custom Zeon ransomware, and, since the middle of September 2022, the Royal ransomware. Royal group utilizes targeted callback phishing attacks. Its phishing emails impersonating food delivery and software providers contained phone numbers to cancel the alleged subscription (after the alleged end of a free trial). If an employee calls the number, Royal uses social engineering to convince the victim to install a remote access tool, which is used to gain initial access to the corporate network. Analyst Comment: Use services such as Anomali's Premium Digital Risk Protection to detect the abuse of your brands in typosquatting and phishing attacks. Organizations should include callback phishing attacks awareness into their anti-phishing training. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Phishing - T1566 Tags: actor:Royal, detection:Zeon, detection:Royal, malware-type:Ransomware, detection:BlackCat, detection:Cobalt Strike, Callback phishing attacks, Spearphishing, Social Engineering ZINC Weaponizing Open-Source Software (published: September 29, 2022) Microsoft researchers described recent developments in Lazarus Group (ZINC) campaigns that start from social engineering conversations on LinkedIn. Since June 2022, Lazarus was able to trojanize several open-source tools (KiTTY, muPDF/Subliminal Recording software installer, PuTTY, TightVNC, and Sumatra PDF Reader). When a target extracts the trojanized tool from the ISO file and installs it, Lazarus is able to deliver their custom malware such as EventHorizon and ZetaNile. In many cases, the final payload was not delivered unless the target manually established an SSH connection to an attacker-controlled IP address provided in the attached ReadMe.txt file. Analyst Comment: All known indicators connected to this recent Lazarus Group campaign are available in the Anomali platform and customers are advised to block these on their infrastructure. Researchers should monitor for the additional User Execution step required for payload delivery. Defense contractors should be aware of advanced social engineering efforts abusing LinkedIn and other means of establishing trusted communication. MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Scheduled Task - T1053 | ]]> 2022-10-04T18:08:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-canceling-subscription-installs-royal-ransomware-lazarus-covinces-to-ssh-to-its-servers-polyglot-file-executed-itself-as-a-different-file-type-and-more www.secnews.physaphae.fr/article.php?IdArticle=7298043 False Threat,Ransomware,Malware,Tool,Medical APT 38 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence A Multimillion Dollar Global Online Credit Card Scam Uncovered (published: September 23, 2022) ReasonLabs researchers discovered a large network of fake dating and customer support websites involved in credit card fraud operations. The threat actor builds a basic website, registers it with a payment processor (RocketGate), buys credit card data from other threat actors, and subscribes victims to monthly charging plans. The US was the most targeted, and a lower number of sites were targeting France. To pass the processor checks and lower the number of charge-backs the actor avoided test charges, used a generic billing name, charged only a small, typical for the industry payment, and hired a legitimate support center provider, providing effortless canceling and returning of the payment. Analyst Comment: Users are advised to regularly check their bank statements and dispute fraudulent charges. Researchers can identify a fraudulent website by overwhelming dominance of direct-traffic visitors from a single country, small network of fake profiles, and physical address typed on a picture to avoid indexing. Tags: Credit card, Fraud, Scam, Chargeback, Payment processor, Fake dating site, USA, target-country:US, France, target-country:FR, target-sector:Finance NAICS 52 Malicious OAuth Applications Used to Compromise Email Servers and Spread Spam (published: September 22, 2022) Microsoft researchers described a relatively stealthy abuse of a compromised Exchange server used to send fraud spam emails. After using valid credentials to get access, the actor deployed a malicious OAuth application, gave it admin privileges and used it to change Exchange settings. The first modification created a new inbound connector allowing mails from certain actor IPs to flow through the victim’s Exchange server and look like they originated from the compromised Exchange domain. Second, 12 new transport rules were set to delete certain anti-spam email headers. Analyst Comment: If you manage an Exchange server, strengthen account credentials and enable multifactor authentication. Investigate if receiving alerts regarding suspicious email sending and removal of antispam header. MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Indicator Removal on Host - T1070 Tags: Exchange, Microsoft, PowerShell, Inbound connector, Transport rule, Fraud, Spam NFT Malware Gets New Evasion Abilities (published: September 22, 2022) Morphisec researchers describe a campaign targeting non-fungible token (NFT) communities since November 2020. A malicious link is being sent via Discord or other forum private phishing message related to an NFT or financial opportunity. If the user ]]> 2022-09-27T16:51:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-sandworm-uses-html-smuggling-and-commodity-rats-blackcat-ransomware-adds-new-features-domain-shadowing-is-rarely-detected-and-more www.secnews.physaphae.fr/article.php?IdArticle=7161515 False Threat,Ransomware,Spam,Malware,Tool None None Anomali - Firm Blog ESG research found that organizations are interested in extended detection and response (XDR) technology because current tools struggle to detect and investigate advanced threats. Today’s threats are more advanced than ever, with attackers more sophisticated, better funded, and well equipt to inflict damage.  Despite investments, SOC teams are still struggling, chasing false positives and performing manual tasks to detect and investigate alerts accurately. XDR solutions, like The Anomali Platform, can help address these challenges by aggregating alerts, surfacing relevant threats, and integrating intelligence to present a timeline of events related to cyber-kill chains that improve threat detection while streamlining investigations. The report found that security professionals are interested in using XDR to help them address several threat detection and response challenges. The common XDR use cases analyses have in mind are:  Help prioritize alerts based on risk Improved detection of advanced threats More efficient threat/ forensic investigations A layered addition to existing threat detection tools Improve threat detection to reinforce security controls and prevent future similar attacks Users want XDR to fill gaps within their security stack while improving the efficacy and efficiency of threat detection and response. So, how does XDR do that? Let’s look at the common XDR use cases security teams are looking for. Help prioritize alerts based on risk A Security Operations Center’s primary responsibility is monitoring security events and investigating and responding promptly. SOC Analysts need to act quickly when threats arise. They must ensure that threats with elevated risk scores get elevated for further research, investigation, and analysis. Unfortunately, most analysts suffer from alert fatigue and cannot process the overload of alerts to determine what’s real and false. This can also result in some alerts being ignored and missed. Research by Invicti's found that SOCs waste an average of 10,000 hours and some $500,000 annually on validating unreliable and incorrect alerts. An effective XDR solution integrates automation and machine learning to minimize false positives and enable security analysts to focus on the highest priority events to respond quickly. This helps increase efficiencies and enables organizations to quickly experience the key benefits of an XDR solution. With XDR solutions that integrate threat intelligence, like Anomali’s, you can uplevel your analysts with a critical understanding of the threat and what’s needed to remove it from the environment. Improved detection of advanced threats Threat actors continue to evolve, and cyber-attacks increase in complexity. Keeping up with an ever-changing threat landscape to identify complex attacks is challenging. Threat intelligence needs to be at the foundation of any security program. Threat intelligence enhances detection capabilities and informs security professionals of potential cyber risks with real-time information to help them better understand their adversaries and attack vectors that affect the security of my business.  Extended detection and response solutions collect telemetry from security tools in real-time to eliminate security gaps and provide an integrated platform for effective threat detection. Through one platform, they provide increased visibility across multiple security tools (Big Data Lake, UEBA, SOAR, TIP, NDR, or EDR). But not all XDR solutions integrate threat intelligence. Anomali takes the data collection p]]> 2022-09-21T14:55:00+00:00 www.secnews.physaphae.fr/article.php?IdArticle=7040339 False Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Hacker Pwns Uber Via Compromised VPN Account (published: September 16, 2022) On September 15, 2022, ride-sharing giant Uber started an incident response after discovering a data breach. According to Group-IB researchers, download file name artifacts point to the attacker getting access to fresh keylogger logs affecting two Uber employees from Indonesia and Brazil that have been infected with Racoon and Vidar stealers. The attacker allegedly used a compromised VPN account credentials and performed multifactor authentication fatigue attack by requesting the MFA push notification many times and then making a social-engineering call to the affected employee. Once inside, the attacker allegedly found valid credentials for privilege escalation: a PowerShell script containing hardcoded credentials for a Thycotic privileged access management admin account. On September 18, 2022, Rockstar Games’ Grand Theft Auto 6 suffered a confirmed data leak, likely caused by the same attacker. Analyst Comment: Network defenders can consider setting up alerts for signs of an MFA fatigue attack such as a large number of MFA requests in a relatively short period of time. Review your source code for embedded credentials, especially those with administrative privileges. MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Credentials from Password Stores - T1555 Tags: MFA fatigue, Social engineering, Data breach, Uber, GTA 6, GTA VI, detection:Racoon, detection:Vidar, malware-type:Keylogger, malware-type:Stealer Self-Spreading Stealer Attacks Gamers via YouTube (published: September 15, 2022) Kaspersky researchers discovered a new campaign spreading the RedLine commodity stealer. This campaign utilizes a malicious bundle: a single self-extracting archive. The bundle delivers RedLine and additional malware, which enables spreading the malicious archive by publishing promotional videos on victim’s Youtube channel. These videos target gamers with promises of “cheats” and “cracks.” Analyst Comment: Kids and other online gamers should be reminded to avoid illegal software. It might be better to use different machines for your gaming and banking activities. MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Resource Hijacking - T1496 Tags: detection:RedLine, malware-type:Stealer, Bundle, Self-spreading, Telegraph, Youtub]]> 2022-09-20T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-uber-and-gta-6-were-breached-redline-bundle-file-advertises-itself-on-youtube-supply-chain-attack-via-ecommerce-fishpig-extensions-and-more www.secnews.physaphae.fr/article.php?IdArticle=7016803 False Threat,Ransomware,Malware,Guideline,Tool,Vulnerability Uber,Uber,APT 15,APT 41 None Anomali - Firm Blog   Routine Workflow Automation:  Customers are always looking for solutions that make their life easier. This release introduces the first phase of our Routine Task Automation Framework within ThreatStream Cloud that adds support for the automation of routine analyst tasks.  This first phase allows users to define an enrichment routine that can be triggered against a given indicator in an investigation. Users can create multiple automated routines to build up a library of regular workflows to create one-click actions instead of an involved sequence of enrichment pivots or transforms.  Users can also share created routines cross-functionally to foster team collaboration and increase efficiencies. Automating routine tasks in ThreatStream will help reduce noise by filtering out unwanted enrichment data, allowing analysts to focus and prioritize analysis efforts.  Screenshot: Configuring a Routine Task Automation - running multiple (up to 20) enrichments with one button click Scheduled Retrospective Search One of the critical features of our cloud XDR solution is the ability to search for matches in an environment retrospectively. Customers can schedule automated retrospective searches to correlate against new intelligence findings automatically.   This automated process will enable security teams to detect real-time threats in their environment and provides insights into new threat actors, bulletins, and other threat models. Screenshot: Showing a list of already configured Retrospective Searches, scheduled to run at specific cadences Automated Response for The Anomali Platform Alerts within The Anomali Platform identify malicious IoCs within a customer’s environment that trigger a series of actions that enable an effective response. The key is distributing IOCs to clients’ security tools within appropriate ]]> 2022-09-14T18:38:00+00:00 https://www.anomali.com/blog/august-2022-quarterly-product-release www.secnews.physaphae.fr/article.php?IdArticle=6893239 False Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Microsoft Investigates Iranian Attacks Against the Albanian Government (published: September 8, 2022) Microsoft researchers discovered that groups working under Iran’s Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow’s anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania. Analyst Comment: MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in a form of direct and proportional retaliation as it sees it. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users advised to block known OilRig network indicators. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070 Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona BRONZE PRESIDENT Targets Government Officials (published: September 8, 2022) Secureworks researchers detected a new campaign by China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters. Analyst Comment: Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | ]]> 2022-09-13T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-iran-albanian-cyber-conflict-ransomware-adopts-intermittent-encryption-dll-side-loading-provides-variety-to-plugx-infections-and-more www.secnews.physaphae.fr/article.php?IdArticle=6869959 False Threat,Ransomware,Malware,Guideline,Tool,Vulnerability APT 27,APT 34 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web (published: September 5, 2022) Resecurity researchers analyzed EvilProxy, a phishing kit that uses reverse proxy and cookie injection methods to bypass two-factor authentication (2FA). EvilProxy uses extensive virtual machine checks and browser fingerprinting. If the victim passes the checks, Evilproxy acts as a proxy between the victim and the legitimate site that asks for credentials. EvilProxy is being sold as a service on the dark web. Since early May 2022, Evilproxy enables phishing attacks against customer accounts of major brands such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex, and others. Analyst Comment: EvilProxy is a dangerous automation tool that enables more phishing attacks. Additionally, EvilProxy targeting GitHub and npmjs accounts increases risks of follow-up supply-chain attacks. Anomali platform has historic EvilProxy network indicators that can help when investigating incidents affecting 2FA. With 2FA bypass, users need to be aware of phishing risks and pay even more attention to domains that ask for their credentials and 2FA codes. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Supply Chain Compromise - T1195 Tags: EvilProxy, Phishing, Phishing-as-s-service, Reverse proxy, Cookie injection, 2FA, MFA, Supply chain Ragnar Locker Ransomware Targeting the Energy Sector (published: September 1, 2022) Cybereason researchers investigated the Ragnar Locker ransomware that was involved in cyberattack on DESFA, a Greek pipeline company. On August 19, 2022, the Ragnar Locker group listed DESFA on its data leak site. The group has been active since 2019 and it is not the first time it targets critical infrastructure companies with the double-extortion scheme. Their Ragnar Locker ransomware shows the typical abilities of modern ransomware including system information and location collection, deleting shadow copies, identifying processes (antiviruses, backup solutions, IT remote management solutions, and virtual-based software), and encrypting the system with the exception list in mind. Analyst Comment: Ragnar Locker appears to be an aggressive ransomware group that is not shy attacking critical infrastructure as far as they are not in the Commonwealth of Independent States (Russia and associated countries). Always be on high alert while reading emails, in particular those with attachments, URL redirection, false sense of urgency or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and teste]]> 2022-09-07T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-evilproxy-defeats-second-factor-ragnar-locker-ransomware-hits-critical-infrastructure-montenegro-blames-russia-for-massive-cyberattack-and-more www.secnews.physaphae.fr/article.php?IdArticle=6768417 False Threat,Ransomware,Malware,Guideline,Patching,Tool Yahoo None Anomali - Firm Blog recent research by ESG, 52% of respondents believe security operations are more difficult today than they were two years ago. Responses stated this was due to multiple factors, such as the increasingly dangerous threat landscape, a growing attack surface, the volume and complexity of security alerts, and public cloud proliferation.  Today’s threats are more sophisticated than ever, making them more challenging to defend against. Security teams must constantly do more with less, protecting more data, endpoints, and applications. And, as the threat landscape evolves, so will they, but chances are they must do so with fewer resources. The growing list of challenges is never-ending. So what tops the list? An Ever-Growing Attack Surface Organizations are collecting and storing more data than ever, driven by more cloud-based applications and services. This new on-prem/off-prem environment has created more potential entry points for attackers. Additionally, many organizations lose track of their assets, failing to update policies and their security infrastructure, leaving them vulnerable to attacks that exploit known vulnerabilities. Another reason security teams face more challenges today is the increasing number of mobile devices and cloud apps used by employees. These devices and apps can provide a convenient way for employees to access company data, but they can also be a security risk if they are not adequately secured. The Evolving Threat Landscape  As the attack surface grows, so does the number of potential threats. Security teams must now contend with a broader range of threats, including sophisticated malware, zero-day exploits, and ransomware. Additionally, attackers are becoming more brazen and are targeting high-profile organizations with well-funded security operations. In addition, the rise of social media has created new opportunities for hackers to launch cyber attacks. Social media platforms can spread malware or gather information about people’s online habits, used to launch targeted attacks and infiltrate enterprise organizations. Increasing Compliance Requirements Organizations must comply with an ever-growing number of regulations, such as the EU’s General Data Protection Regulation (GDPR), that require security teams to put in place additional controls and processes, which can be costly and time-consuming. Additionally, compliance failures can result in heavy fines and strain an already tight budget. Limited Resources According to (ISC)²'s 2021 Cyber Workforce Report, the global cybersecurity workforce needs to grow 65 percent to defend organizations’ critical assets effectively. While the number of professionals required to fill the gap has decreased, the number of qualified cyber professionals will fall even further due to the growing demand for highly skilled individuals. Complex Tech Stack Enterprises frequently deploy new security tools and services to address changing needs and increased threats. As previously mentioned, a typical enterprise SOC may use a combination of twenty or more technologies, making it difficult to customize each solution for its environment. The interoperability issues caused by the possibility of using multiple vendors make it very challenging to get a complete picture of your overall security environment. The Need to Adapt Despite these challenges, security teams must find ways to adapt to protect their organizations effectively against ever-evolving threats.  So what c]]> 2022-09-01T16:50:00+00:00 https://www.anomali.com/blog/security-operations-are-more-difficult-now-more-than-ever-buy-why www.secnews.physaphae.fr/article.php?IdArticle=6667648 False Threat,Malware,Guideline,Tool None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence LastPass Hackers Stole Source Code (published: August 26, 2022) In August 2022, an unidentified threat actor gained access to portions of the password management giant LastPass development environment. LastPass informed that it happened through a single compromised developer account and the attacker took portions of source code and some proprietary LastPass technical information. The company claims that this incident did not affect customer data or encrypted password vaults. Analyst Comment: This incident doesn’t seem to have an immediate impact on LastPass users. Still, organizations relying on LastPass should raise the concern in their risk assessment since “white-box hacking” (when source code of the attacking system is known) is easier for threat actors. Organizations providing public-facing software should take maximum measures to block threat actors from their development environment and establish robust and transparent security protocols and practices with all third parties involved in their code development. Tags: LastPass, Password manager, Data breach, Source code Mercury Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli (published: August 25, 2022) Starting in July 2022, a new campaign by Iran-sponsored group Static Kitten (Mercury, MuddyWater) was detected targeting Israeli organizations. Microsoft researchers detected that this campaign was leveraging exploitation of Log4j 2 vulnerabilities (CVE-2021-45046 and CVE-2021-44228) in SysAid applications (IT management tools). For persistence Static Kitten was dropping webshells, creating local administrator accounts, stealing credentials, and adding their tools in the startup folders and autostart extensibility point (ASEP) registry keys. Overall the group was heavily using various open-source and built-in operating system tools: eHorus remote management software, Ligolo reverse tunneling tool, Mimikatz credential theft tool, PowerShell programs, RemCom remote service, Venom proxy tool, and Windows Management Instrumentation (WMI). Analyst Comment: Network defenders should monitor for alerts related to web shell threats, suspicious RDP sessions, ASEP registry anomaly, and suspicious account creation. Similarly, SysAid users can monitor for webshells and abnormal processes related to SysAisServer instance. Even though Static Kitten was observed leveraging the Log4Shell vulnerabilities in the past (targeting VMware apps), most of their attacks still start with spearphishing, often from a compromised email account. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Phishing - T1566 | ]]> 2022-08-30T15:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-first-real-life-video-spoofing-attack-magicweb-backdoors-via-non-standard-key-identifier-lockbit-ransomware-blames-victim-for-ddosing-back-and-more www.secnews.physaphae.fr/article.php?IdArticle=6626943 False Threat,Ransomware,Hack,Guideline,Cloud,Tool,Vulnerability APT 29,APT 37,LastPass None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Reservations Requested: TA558 Targets Hospitality and Travel (published: August 18, 2022) Since 2018, financially-motivated threat group TA558 has targeted hospitality and travel with reservation-themed, business-relevant phishing emails. The group concentrates on targeting Latin America using lures written in Portuguese and Spanish, and sometimes uses English and wider targeting (North America, Western Europe). TA558 was seen leveraging at least 15 different malware payloads, most often AsyncRAT, Loda RAT, Revenge RAT, and Vjw0rm. In 2022, Proofpoint researchers detected that TA558 increased its activity and moved from using malicious macros to URLs and container files (ISO, RAR). Analyst Comment: Microsoft’s preparations to disable macros by default in Office products caused multiple threat groups including TA558 to adopt new filetypes to deliver payloads. It is crucial for personnel working with invoices and other external attachments to use updated, secured systems and be trained on phishing threats. Anomali Match can be used to quickly search your infrastructure for known TA558 IOCs. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 Tags: TA558, AsyncRAT, Loda, RAT, Vjw0rm, BluStealer, Revenge RAT, XtremeRAT, Hospitality, Travel, Phishing, ISO, RAR, PowerShell, CVE-2017-11882, CVE-2017-8570 Estonia Subjected to 'Extensive' Cyberattacks after Moving Soviet Monuments (published: August 18, 2022) On August 17, 2022, Russian hacktivist group KillNet launched distributed denial-of-service (DDoS) attacks targeting Estonia. The Estonian government confirmed receiving the “most extensive” DDoS attacks in 15 years, but stressed that all services are back online after just some minor interruptions. Small and medium-sized DDoS attacks targeted 16 state and private organizations in the country, with seven of them experiencing downtime as a result. Specifically, the Estonian Tax and Customs Board website was unavailable for about 70 minutes. Analyst Comment: Russian cyber activity follows political tensions, this time coinciding with the removal of a Red Army memorial. Estonia seemingly easily fended off this Russian DDoS attack, but the country is one of the top in cyber preparedness, and Russia limited it’s strike to using hacktivist groups that give plausible deniability when attributing the cyber attack on a NATO country. Organizations that rely on stable work of their I]]> 2022-08-23T17:35:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-emissary-panda-adds-new-operation-systems-to-its-supply-chain-attacks-russia-sponsored-seaborgium-spies-on-nato-countries-ta558-switches-from-macros-to-container-files-and-more www.secnews.physaphae.fr/article.php?IdArticle=6487319 False Threat,Ransomware,Malware,Tool APT 27 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence APT-C-35: New Windows Framework Revealed (published: August 11, 2022) The DoNot Team (APT-C-35) are India-sponsored actors active since at least 2016. Morphisec Labs researchers discovered a new Windows framework used by the group in its campaign targeting Pakistani government and defense departments. The attack starts with a spearphishing RTF attachment. If opened in a Microsoft Office application, it downloads a malicious remote template. After the victim enables editing (macroses) a multi-stage framework deployment starts. It includes two shellcode stages followed by main DLL that, based on victim fingerprinting, downloads a custom set of additional information-stealing modules. Analyst Comment: The described DoNot Team framework is pretty unique in its customisation, fingerprinting, and module implementation. At the same time, the general theme of spearphishing attachment that asks the targeted user to enable editing is not new and can be mitigated by anti-phishing training and Microsoft Office settings hardening. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Template Injection - T1221 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Data from Removable Media - T1025 | [MITRE ATT&CK] Data from Network Shared Drive - T1039 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 Tags: APT-C-35, DoNot Team, APT, India, source-country:IN, Government, Military, Pakistan, target-country:PK, Windows]]> 2022-08-16T15:06:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-ransomware-module-added-to-sova-android-trojan-bitter-apt-targets-mobile-phones-with-dracarys-china-sponsored-ta428-deploys-six-backdoors-at-once-and-more www.secnews.physaphae.fr/article.php?IdArticle=6354068 False Threat,Ransomware,Malware,Guideline,Tool,Vulnerability,Medical APT 38 None Anomali - Firm Blog ESG Research, XDR momentum continues to build despite there being confusion about what XDR is. Extended Detection & Response (XDR) is one of those solutions that everyone knows about, but few understand. Extended Detection and Response (XDR) solutions provide increased visibility into security threats by collecting data across all security telemetry, including networks, clouds, endpoints, and applications to detect, analyze, hunt, and mitigate threats, in real-time. Watch this quick video from Gartner® on all you need to know about XDR. There are two types of XDR solutions: Open XDR and Native XDR. But what are the differences between these two options, and which is right for your organization? This blog post will take a closer look at both Open XDR and Native XDR solutions and compare their pros and cons. By the end of this post, you'll be able to make an informed decision about which option is best for your business. Comparing Open XDR vs. Native XDR Solutions What is open XDR? Open XDR is a vendor-agnostic approach to XDR that easily integrates into a customer's existing tech stack to incorporate all of their investments and security tools as part of the platform.  How does open XDR work? Open XDR is designed to ingest security data from all available telemetry sources in a security environment, using machine learning and artificial intelligence to collect and correlate data and drive detection and response.  An Open XDR solution utilizes an organization's existing security infrastructure, aggregating data across on-prem, cloud, and hybrid sources. Instead of ripping and replacing current security tools, Open XDR solutions connect with existing infrastructure to provide a unified extended detection and response platform.  OpenXDR security solutions are designed to collect, streamline, and consolidate data for organizations so they can save money and improve their security insights by using them. Key Benefits of Open XDR: Unification of the Security Stack,: AI powered detection and response translates a faster, better approach to security operations by consolidating complex security stacks. Playing the Field: Open XDR solutions allow you to work with multiple vendors as they offer third-party integrations with tools into which organizations have already invested capital and effort. This enables security teams to continue to leverage those technologies going forward without needing to replace them. Increased Efficiencies,: Open XDR can leverage multiple security tools, vendors and telemetry types, all integrated into a single detection and response platform that centralizes behavior analysis. What is Native XDR? A Native XDR solution integrates security tools from one vendor to collect data and perform threat detection and response activities. Since some organizations have already made significant investments in their tech stack, with products from a single vendor, it might make sense to use that vendor's XDR platform. Key Benefits of Native XDR Familiarity: Security teams might be more comfortable using a particular vendor for certain things, including event management and response capabilities.  Time to Value: Because of the familiarity mentioned above, it might take less time to deploy and experience the benefits of a security platform with a standard UI Economies of Scale: Bundling might be an option, with tight integration and potential discounts or perks from using ]]> 2022-08-10T16:42:00+00:00 https://www.anomali.com/blog/open-xdr-vs-native-xdr-solutions-which-solution-is-right-for-you www.secnews.physaphae.fr/article.php?IdArticle=6250699 False Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence So RapperBot, What Ya Bruting For? (published: August 3, 2022) RapperBot, a new Internet of things (IoT) botnet, is rapidly evolving despite appearing in the wild just two months ago (June 2022). Fortinet researchers discovered that RapperBot heavily reuses parts of the Mirai source code, but changed the attack vector (brute-forcing SSH instead of Telnet), command and control (C2) protocol, and added persistence capabilities. RapperBot maintains remote access by adding the attacker's public key to ~/.ssh/authorized_keys. The latest RapperBot samples also started adding the root user "suhelper” to /etc/passwd and /etc/shadow/, and continue to add the root user account every hour. Top targeted IPs were from Taiwan, USA, and South Korea, in that order. RapperBot has basic DDoS capabilities such as UDP and TCP STOMP flood copied from Mirai source code. Analyst Comment: Despite sharing a significant amount of source code with Mirai variants, RapperBot appears to be developed by a persistent actor and not a novice motivated by notoriety. It is possible that the actors will add new impact functionality after the RapperBot botnet grows substantially. SSH server administrators should adhere to secure password practices. It is also important to note that simply restarting the device, changing SSH credentials or even disabling SSH password authentication does not remove the RapperBot infection. MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Scheduled Task - T1053 Tags: RapperBot, Taiwan, target-country:TW, USA, target-country:US, South Korea, target-country:KR, SSH brute force, DDoS, IoT, ARM, MIPS, SPARC, x86, Linux, UDP flood, TCP STOMP, port:4343, port:4344, port:4345, port:48109, Mirai Woody RAT: A New Feature-Rich Malware Spotted in the Wild (published: August 3, 2022) Malwarebytes researchers have identified a new Remote Access Trojan (RAT) dubbed Woody Rat. It has been used by unidentified attackers for at least one year targeting Russian organizations in the aerospace industry. Two kinds of spearphishing attachment were used. Initially, Woody Rat was delivered via archived executable with double extension .DOC.EXE. More recently, the attackers switched to Microsoft Office documents leveraging the Follina (CVE-2022-30190) vulnerability. Woody Ra]]> 2022-08-09T15:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-rapperbot-persists-on-ssh-servers-manjusaka-attack-framework-tested-in-china-blackcat-darkside-ransom-energy-again-and-more www.secnews.physaphae.fr/article.php?IdArticle=6212381 False Threat,Ransomware,Malware,Tool,Vulnerability None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT” (published: July 28, 2022) Volexity researchers discovered SharpExt, a new malicious browser app used by the North-Korea sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the app, the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter almost exclusively used in South Korea. Following the initial compromise, Velvet Chollima deploy SharpExt and to avoid warning the victim they manually exfiltrate settings files to change the settings and generate a valid "super_mac" security check value. They also hide the newly opened DevTools window and any other warning windows such as a warning regarding extensions running in developer mode. Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it was concentrating on stealing credentials instead of emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match). MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Hide Artifacts - T1564 Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits (published: July 27, 2022) Microsoft researchers detail activity of DSIRF, Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF was exploiting another Adobe Reader vulnerability, CVE-2022-22047, which was patched in July 2022. DSIRF attacks rely on their malware toolset called Subzero. The initial downloader shellcode is executed from either the exploit chains or malicious Excel documents. It downloads a JPG image file with extra encrypted data, extracts, decrypts and loads to the memory the Corelump memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se]]> 2022-08-02T15:17:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-velvet-chollima-steals-emails-from-browsers-austrian-mercenary-leverages-zero-days-china-sponsored-group-uses-cosmicstrand-uefi-firmware-rootkit-and-more www.secnews.physaphae.fr/article.php?IdArticle=6091651 False Threat,Malware,Guideline,Cloud,Patching,Tool,Vulnerability APT 37,APT 28 None Anomali - Firm Blog Cybersecurity Insights Report. If you’ve followed along and kept up with me, thank you. If you’ve downloaded the report, thank you again.  Coming in at number one on our list (drum roll, please): Maintaining a pulse on new and emerging global cybersecurity threats. I think the fact that this came in at number one should come as no surprise to security professionals, especially considering that the threat landscape is constantly changing and evolving at an alarming rate. Today’s attackers are more innovative, adapting and deploying sophisticated attacks daily.  According to our research, 62% of organizations use tools and technology to monitor global threats and accelerate their threat intelligence performance. Threat intelligence should be foundational to any security program, as should threat intelligence platforms or threat intelligence management solutions. These tools inform security teams, helping to turn raw data into relevant intelligence. They also help automate processes for intelligence professionals to manage stakeholder requirements, maximize data analysis by understanding adversaries’ intent and objectives, and improve decision making. Cybersecurity Risks are Global The world is changing rapidly, with technology becoming increasingly central to how we live and work. This digital transformation presents challenges and opportunities and requires organizations to think differently about cybersecurity. The threat landscape has never been as complex as today. There are no longer just “traditional” cyber threats. Everything is interconnected, and attacks can come from anywhere. Organizations must look beyond their perimeter to take a holistic view of cyber risks and consider the full range of potential attack vectors, including physical infrastructure, communications networks; software applications; human behavior; and data center operations.  The threat environment is evolving quickly, and security professionals must ensure they keep pace. Threat Actors Are Growing More Sophisticated In today’s world, hacking is a multi-billion-dollar business. Gone is the traditional stereotype of the lone hacker in a hoodie, working solo. Cybercrime as a service, modeled after the Software as a Service (SaaS) business model, is stronger than ever. For example, ransomware attacks can be purchased via an affiliate program. Affiliates can use already-developed tools to execute ransomware attacks. And earn a percentage for each successful ransom payment. Even customer care centers field ransomware victims’ inquiries, instructing them on how to procure the bitcoins attackers demand in exchange for a decryption key for unlocking a forcibly encrypted PC or server. Keeping Pace with Attackers As attackers develop new ways to exploit critical vulnerabilities, the number of threats continues to rise. Cybersecurity professionals face various threats from multiple groups, including nation-states, organized crime, hacktivism, and human error.  In addition to the traditional security concerns of data breaches, financial loss, identity theft, and fraud, security teams now face challenges related to the speed and sophistication of modern attacks. These include: Attacks that target critical infrastructure Sophisticated forms of social engineering Zero-day exploits Targeted phishing campaigns Automated lateral movement  The Past Informs the Future Technology is constantly evolving, mak]]> 2022-07-28T12:24:00+00:00 https://www.anomali.com/blog/the-need-for-maintaining-a-pulse-on-emerging-global-cybersecurity-threats www.secnews.physaphae.fr/article.php?IdArticle=5990161 False Threat,Ransomware None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware (published: July 21, 2022) Intezer researchers discovered a new Linux malware called Lightning Framework (Lightning). It is a modular framework able to install multiple types of rootkits and to run various plugins. Lightning has passive and active capabilities for communication with the threat actor, including opening up SSH service via an OpenSSH daemon, and a polymorphic command and control (C2) configuration. Lightning is a newly discovered threat, and there is no information about its use in the wild and the actors behind it. Analyst Comment: Defenders should block known Lightning indicators. Monitor for file creation based on the Lightning naming convention. MITRE ATT&CK: [MITRE ATT&CK] Logon Scripts - T1037 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] Network Sniffing - T1040 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 Tags: Lightning Framework, Linux, Lightning.Downloader, Lightning.Core, Typosquatting, Masquerading, Timestomping, Port:33229 Google Ads Lead to Major Malvertising Campaign (published: July 20, 2022) Malwarebytes researchers discovered a malvertising campaign abusing Google Search advertisements for popular keywords such as “amazon,” “fac]]> 2022-07-26T17:10:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-cozy-bear-abuses-google-drive-api-complex-lightning-framework-targets-linux-google-ads-hide-fraudulent-redirects-and-more www.secnews.physaphae.fr/article.php?IdArticle=5953922 False Threat,Malware,Guideline,Tool APT 29 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Digium Phones Under Attack: Insight Into the Web Shell Implant (published: July 15, 2022) Palo Alto Unit42 researchers have uncovered a large-scale campaign targeting Elastix VoIP telephony servers used in Digium phones. The attackers were exploiting CVE-2021-45461, a remote code execution (RCE) vulnerability in the Rest Phone Apps (restapps) module. The attackers used a two-stage malware: initial dropper shell script was installing the PHP web shell backdoor. The malware achieves polymorphism through binary padding by implanting a random junk string into each malware download. This polymorphism allowed Unit42 to detect more than 500,000 unique malware samples from late December 2021 till the end of March 2022. The attackers use multilayer obfuscation, schedules tasks, and new user creation for persistence. Analyst Comment: Potentially affected FreePBX users should update their restapps (the fixed versions are 15.0.20 and 16.0.19, or newer). New polymorphic threats require a defense-in-depth strategy including malware sandbox detection and orchestrating multiple security appliances and applications. MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 Tags: CVE-2021-45461, Digium Asterisk, PHP Web Shell, Binary padding, Rest Phone Apps, restapps, FreePBX, Elastix North Korean Threat Actor Targets Small and Midsize Businesses with H0lyGh0st Ransomware (published: July 14, 2022) Microsoft researchers have linked an emerging ransomware group, H0lyGh0st Ransomware (DEV-0530) to financially-motivated North Korean state-sponsored actors. In June-October 2021, H0lyGh0st used SiennaPurple ransomware family payloads written in C++, then switched to variants of the SiennaBlue ransomware family written in Go. Microsoft detected several successfully compromised small-to-mid-sized businesses, including banks, event and meeting planning companies, manufacturing organizations, and schools. Analyst Comment: Small-to-mid-sized businesses should consider enforcing multi-factor authentication (MFA) on all accounts, cloud hardening, and regular deployment of updates with Active Directory being the top priority. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Scheduled Task - T1053 | ]]> 2022-07-19T15:10:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-h0lygh0st-ransomware-earns-for-north-korea-ot-unlocking-tools-drop-sality-switch-case-oriented-programming-for-chromeloader-and-more www.secnews.physaphae.fr/article.php?IdArticle=5826660 False Threat,Ransomware,Malware,Guideline,Tool,Vulnerability None None Anomali - Firm Blog 2022-07-14T10:04:00+00:00 https://www.anomali.com/blog/key-research-findings-of-the-esg-report-soc-modernization-and-the-role-of-xdr www.secnews.physaphae.fr/article.php?IdArticle=5716433 False Threat None None Anomali - Firm Blog 2022-07-13T15:56:00+00:00 https://www.anomali.com/blog/tag-cyber-interviews-anomali-about-our-intelligence-driven-approach-to-xdr www.secnews.physaphae.fr/article.php?IdArticle=5700454 False Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs (published: July 7, 2022) SentinelLabs researchers detected yet another China-sponsored threat group targeting Russia with a cyberespionage campaign. The attacks start with a spearphishing email containing Microsoft Office maldocs built with the Royal Road malicious document builder. These maldocs were dropping the Bisonal backdoor remote access trojan (RAT). Besides targeted Russian organizations, the same attackers continue targeting other countries such as Pakistan. This China-sponsored activity is attributed with medium confidence to Tonto Team (CactusPete, Earth Akhlut). Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 Tags: China, source-country:CN, Russia, target-country:RU, Ukraine, Pakistan, target-country:PK, Bisonal RAT, Tonto Team, APT, CactusPete, Earth Akhlut, Royal Road, 8.t builder, CVE-2018-0798 OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow (published: July 6, 2022) Intezer researchers describe a new Linux malware dubbed OrBit, that was fully undetected at the time of the discovery. This malware hooks functions and adds itself to all running processes, but it doesn’t use LD_PRELOAD as previously described Linux threats. Instead it achieves persistence by adding the path to the malware into the /etc/ld.so.preload and by patching the binary of the loader itself so it will load the malicious shared object. OrBit establishes an SSH connection, then stages and infiltrates stolen credentials. It avoids detection by multiple functions that show running processes or network connections, as it hooks these functions and filters their output. Analyst Comment: Defenders are advised to use network telemetry to detect anomalous SSH traffic associated with OrBit exfiltration attempts. Consider network segmentation, storing sensitive data offline, and deploying security solutions as statically linked executables. MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 | ]]> 2022-07-11T22:59:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-brute-ratel-c4-framework-abused-to-avoid-detection-orbit-kernel-malware-patches-linux-loader-hive-ransomware-gets-rewritten-and-more www.secnews.physaphae.fr/article.php?IdArticle=5664956 False Threat,Ransomware,Malware,Patching,Tool,Vulnerability APT 29 None Anomali - Firm Blog Listen to the interview and read Hugh’s blog to learn more.]]> 2022-07-11T19:19:00+00:00 https://www.anomali.com/blog/the-evolution-of-anomali-how-anomalis-threatstream-has-evolved-into-delivering-a-differentiated-approach-to-xdr www.secnews.physaphae.fr/article.php?IdArticle=5663936 False Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Toll Fraud Malware: How an Android Application Can Drain Your Wallet (published: June 30, 2022) Toll fraud malware (subcategory of billing fraud) subscribes users to premium services without their knowledge or consent. It is one of the most prevalent types of Android malware, accounting for 35% of installed harmful applications from the Google Play Store in the first quarter of 2022. Microsoft researchers describe evolution of the toll fraud malware techniques used to abuse the Wireless Application Protocol (WAP) billing. Toll malware can intercept one-time passwords (OTPs) over multiple protocols (HTTP, SMS, or USSD). It suppresses notifications and uses dynamic code loading to hide its malicious activities. Analyst Comment: Mobile applications should only be downloaded from official trusted locations such as the Google Play Store. Users should be mindful when granting unusual, powerful permissions such as SMS permissions, notification listener access, or accessibility access. Replace older Android phones if they no longer receive updates. MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 Tags: Toll fraud, Android, Billing fraud, Wireless Application Protocol, WAP billing ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks (published: June 28, 2022) Black Lotus Labs discovered a China-sponsored, years-long campaign that exploits small office/home office (SOHO) routers for initial access. When exploiting Ruckus JCG-Q20 routers in Hong Kong, the attackers leveraged CVE-2020-26878 and CVE-2020-26879 vulnerabilities. Other exploits are yet to be uncovered with the most targeted devices being from ASUS, Cisco, DrayTek and NETGEAR mostly in Canada, the UK, and the US. The attackers were installing a heavily modified version of Mirai botnet dubbed ZuoRAT. ZuoRAT collects information on target networks, collects traffic (credentials passed in the clear, browsing activity) and hijacks network communication. Then the attackers move laterally targeting Windows and other machines on the same network and installing one of the three agents: Cobalt Strike, CBeacon, or GoBeacon. Analyst Comment: SOHO router users should regularly reboot routers and install security updates. Businesses should ensure robust detection on network-based communications. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Component Object Model Hijacking - T1122]]> 2022-07-06T15:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-russian-killnet-ddosed-lithuania-building-automation-systems-targeted-to-install-shadowpad-china-sponsored-group-jumps-from-home-routers-to-connected-machines-and-more www.secnews.physaphae.fr/article.php?IdArticle=5579532 False Threat,Malware,Tool,Vulnerability None None Anomali - Firm Blog Anomali ThreatStream offered integrations with Microsoft Sentinel in the past using the ThreatStream integrator and leveraging the power of the Graph Security API and TIP data connector of Microsoft Sentinel. Today we are announcing our integration with Anomali ThreatStream, which allows you to get threat intelligence data from Anomali ThreatStream into Microsoft Sentinel using the Threat Intelligence – TAXII Data Connector. Microsoft Sentinel benefits with Anomali ThreatStream Anomali ThreatStream is a threat intelligence management solution that allows you to automate data collection from hundreds of threat sources, including commercial vendors, OSINT, ISACs, and more, to operationalize threat intelligence at scale. Utilizing Anomali Macula, our built-in proprietary machine learning engine, intelligence is aggregated, scored, and categorized for real-time intelligence distribution to security controls across your entire security ecosystem. Users can choose between configuring integrations to send only high confidence, high severity observables, or observables associated with known threat actors, active malware campaigns, or a number of other Threat Models. Pushing these filtered, prioritized observables to Sentinel via TAXII enables you to proactively correlate events within your network against high fidelity intelligence to identify threats against your organization. Connecting Microsoft Sentinel to Anomali ThreatStream TAXII Server To connect Microsoft Sentinel to Anomali ThreatStream’s TAXII Server, obtain the API Root, Collection ID, Username and Password from Anomali. ThreatStream allows you to configure Saved Searches against your observables set, and these are automatically provided as TAXII collections for consumption by TAXII clients. Once you’ve configured a saved search, navigate to the Manage Observable Searches page, and identify the ID of the desired search. You can then use the following details to configure the TAXII data connector: API Root: https://api.threatstream.com/api/v1/taxii21/search_filters/ Collection ID: Username & Password: The ThreatStream Username & Password of the user who configured the saved search. For more details on how to configure the TAXII data connector in Microsoft Sentinel, please refer to the following documentation. Put Anomali ThreatStream to use with Microsoft Sentinel Once the threat intelligence from Anomali ThreatStream is imported into Microsoft Sentinel, you can use it for matching against log sources. This can be done using the out-of-the-box analytic rules in Microsoft Sentinel. These c]]> 2022-07-05T15:38:00+00:00 https://www.anomali.com/blog/increased-microsoft-sentinel-benefits-using-anomali-threatstream www.secnews.physaphae.fr/article.php?IdArticle=5564426 False Threat,Malware None None Anomali - Firm Blog Cybersecurity Insights Report 2022: The State of Cyber Resilience. Coming in at number two on our list: Dealing with the speed and complexity of digital transformation. During the COVID-19 crisis, digital transformation became even more critical. To describe digital transformation in economic terms means integrating digital technologies into every aspect of a business, resulting in fundamental changes to how companies operate and provide value to their customers. Technology has changed from supporting business processes to becoming integral to a company’s customer value proposition. A study by McKinsey found that companies accelerated their digital transformation efforts by three to seven years within just months, fearing that they would lose their competitive advantage and be left behind by competitors already ahead. Organizations need to rethink what they mean when saying “digital transformation.” It’s not just about making your website responsive, adding digital capabilities, or creating a mobile app for your business. It’s about changing your mindset when thinking about your customers, empowering your staff, and powering business. And ensuring your security program can adapt to that mindset to ensure the security of your enterprise. Digital Transformation Increases Cyber Risk   Security teams continue to face unique challenges daily. Their organization’s digital transformation initiatives continue to increase the complexity, expanding their attack surface with a distributed infrastructure. Because of this, cybersecurity postures should be updated and adjusted to support transformation goals to defend against this new level of complexity. In addition to the ever-changing threat landscape, security teams face more concerns due to a more distributed workforce. They also need to evaluate the risks associated with a growing number of connected devices and the disappearing perimeter. The increased adoption of cloud infrastructures also poses unique challenges to organizations, forcing them to transform their security posture to protect against cloud infrastructure vulnerabilities. Securing a Remote Work Force Remote work is here to stay and will only increase. Global Workplace Analytics calculates that 22% of the workforce (i.e., 36.2 million Americans) will work remotely by 2025. The significant uptick in remote work setups and digital business is pushing organizations to apply for secure access no matter where their users, applications, or devices are located. To provide the level of security necessary to protect the variety of new systems implemented, many enterprises are shifting to more cloud-friendly and behavior-based security approaches.  New Challenges and Security Vulnerabilities As mentioned above, studies show that a large portion of those working from home will likely stay that way for the long term. Corporate leaders attempting to coax employees back to the office have broadly accepted the inevitability of the hybrid work model. To ensure their defensive measures remain in place and to maintain business as usual safely, it’s critical for IT teams to develop strategic plans to safeguard employees, facilities, data,]]> 2022-06-30T10:00:00+00:00 https://www.anomali.com/blog/dealing-with-the-cybersecurity-challenges-of-digital-transformation www.secnews.physaphae.fr/article.php?IdArticle=5468174 False Threat,Guideline,Studies,Tool None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Lockbit Ransomware Disguised as Copyright Claim E-mail Being Distributed (published: June 24, 2022) ASEC researchers have released their analysis of a recent phishing campaign, active since February 2022. The campaign aims to infect users with Lockbit ransomware, using the pretense of a copyright claim as the phishing lure. The phishing email directs the recipient to open the attached zip file which contains a pdf of the infringed material. In reality, the pdf is a disguised NSIS executable which downloads and installs Lockbit. The ransomware is installed onto the desktop for persistence through desktop change or reboot. Prior to data encryption, Lockbit will delete the volume shadow copy to prevent data recovery, in addition to terminating a variety of services and processes to avoid detection. Analyst Comment: Never click on suspicious attachments or run any executables from suspicious emails. Copyright infringement emails are a common phishing lure. Such emails will be straight forward to rectify if legitimate. If a copyright email is attempting to coerce you into opening attachments, such emails should be treated with extreme caution. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 Tags: malware:Phishing, malware:Lockbit, Lockbit, Copyright, Ransomware There is More Than One Way To Sleep: Deep Dive into the Implementations of API Hammering by Various Malware Families (published: June 24, 2022) Researchers at Palo Alto Networks have released their analysis of new BazarLoader and Zloader samples that utilize API Hammering as a technique to evade sandbox detection. API Hammering makes use of a large volume of Windows API calls to delay the execution of malicious activity to trick sandboxes into thinking the malware is benign. Whilst BazarLoader has utilized the technique in the past, this new variant creates large loops of benign API using a new process. Encoded registry keys within the malware are used for the calls and the large loop count is created from the offset of the first null byte of the first file in System32 directory. Zloader uses a different form of API Hammering to evade sandbox detection. Hardcoded within Zloader are four large functions with many smaller functions within. Each function makes an input/output (I/O) call to mimic the behavior of many legitimate processes. Analyst Comment: Defense in depth is the best defense against sophisticated malware. The Anomali Platform can assist in detection of malware and Match anomalous activity from all telemetry sources to provide the complete picture of adversary activity within your network. MITRE ATT&CK: [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 Tags: malware:BazarLoad]]> 2022-06-28T19:11:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-api-hammering-confuses-sandboxes-pirate-panda-wrote-in-nim-magecart-obfuscates-variable-names-and-more www.secnews.physaphae.fr/article.php?IdArticle=5436667 False Threat,Ransomware,Spam,Malware,Tool,Vulnerability APT 23,APT 28 None Anomali - Firm Blog AWS Partner Network blog. By Ranjith Raman, Sr. Partner Solutions Architect – AWS By Oded Rosenmann, Global Practice Lead, SaaS Partners – AWS Organizations are increasingly looking for new ways to defend themselves against cyber threats, fraud, and ransomware attacks. Many enterprises and government agencies turn to cyber security solutions that provide efficient and effective detection and response capabilities to proactively prevent attackers from breaching their networks and applications. To help organizations overcome these challenges, Anomali, a leader in intelligence-driven cybersecurity solutions, has recently launched its Cloud-Native extended detection and response (XDR) solution, The Anomali Platform. Building upon its leadership position in the cyber threat intelligence space,  The Anomali Platform provides customers with a new dimension of security visibility across all log telemetry from endpoints to the cloud. The Anomali Platform provides precision detection and optimized response capabilities that extends across their entire security infrastructure.   With the support of AWS SaaS Factory, Anomali has built the Anomali Cloud-Native XDR offering as a software-as-a-services (SaaS) solution that helps improve organizational efficiencies, providing security teams with the tools and insights needed to detect relevant threats, make informed decisions, and respond effectively.      “The AWS SaaS Factory team was instrumental in helping us identify appropriate service options aligned with our enterprise customer requirements. Working with the team, we saved months of engineering efforts to build a powerful platform that meets our current needs and allows us to scale.” Mark Alba, Chief Product Officer, Anomali Mark Alba, Chief Product Officer, Anomali The cloud-native XDR solution is fueled by big data management, machine learning, and the world’s largest repository of global intelligence. With the new SaaS model, The Anomali Platform can be easily integrated with existing security infrastructures, enabling CIOs, CISOs, and other business leaders to optimize their overall security investments and create more efficient and effective detection and response programs that proactively address advanced cyber threats. The SaaS Factory team spoke with Mark Alba, Chief Product Officer at Anomali, to learn more about Anomali Cloud-Native XDR SaaS, the value its new solution brings to customers, and the key lessons learned from the journey to SaaS on AWS. Check out the new Anomali Cloud-Native XDR SaaS solution >>   Q&A with Anomali AWS SaaS Factory: Mark, thank you for taking the time to speak with us today. Could you share a bit about your background and role at Anomali? Mark Alba:       My name is Mark Alba, and I’m the Chief Product Officer at Anomali. I’ve been with Anomali since April 2020 and am responsible for product management, user experience, threat research, and technology incubator functions.  My background includes over 20 years of experience building, managing, and marketing disruptive products and services. I brought to market the security industry’s first fully-integrated applian]]> 2022-06-23T12:00:00+00:00 https://www.anomali.com/blog/anomali-launches-differentiated-cloud-native-xdr-saas-solution-with-support-from-aws-saas-factory www.secnews.physaphae.fr/article.php?IdArticle=5341120 False Threat,Ransomware,Guideline,Tool None None Anomali - Firm Blog our previous post on cyber threats, organizations must find new and novel defenses against adversaries who increasingly shift tactics. As adversaries become more nuanced, we must understand their moves and motivations to try to get one step ahead of them.  Let’s Recap:  Several high-profile security incidents in the recent past altogether grimly encapsulate the myriad challenges companies now face. NotPetya, the most expensive cyber incident in history, demonstrated how attackers are masquerading their efforts. NotPetya targeted a tax software company in Ukraine in 2017. At first, the effort appeared to be ransomware. However, its intent was purely destructive as it was designed to inflict damage as quickly and effectively as possible.    The C Cleaner attack, a few months later, demonstrated how complex and patient actors who were focused on IP level threats had become. The targets were system administrative tools that, if compromised, already had an increased level of access. C Cleaner showed that all software supply chain attacks aren’t created equal. It’s dependent on the level of access of the systems and the users that you’re compromising. Some 3 million versions of the compromised C Cleaner software were downloaded. However, only 50 of the downloaded software received additional payloads. This was an adversary that was willing to compromise more than 3 million systems to just get a foothold into 50. This gives you a clear idea of the challenges that we face as enterprises from these types of sophisticated actors. Attackers are also being more flagrant and doing a better job of covering their tracks. In the past, nation states focused on covert activities. Olympic Destroyer, which targeted the 2018 Olympics in South Korea, showed how attacks are now being brought to the public eye. False flags, tactics applied to deceive or misguide attribution attempts, were also put into Olympic Destroyer. Six months after the attack, it was attributed to multiple different nations, because such care had been put into throwing off attribution. More recently, VPN Filter/Cyber Blink demonstrated how adversaries are targeting different types of equipment. While attacks have historically focused on office equipment, these incidents shifted to home routers, in tandem with the increase in remote work. At home, people often use combination modem routers. These devices challenge detection capabilities. A foothold into home routers also allows actors to analyze all traffic moving in and out of the network. It’s incredibly difficult to detect an attack. You have to treat a home Wi-Fi like a public Wi-Fi at a coffee shop. Threat actors are targeting the foundational infrastructure of the internet as well. Sea T]]> 2022-06-22T13:00:00+00:00 https://www.anomali.com/blog/rsa-2022-cyber-attacks-continue-to-come-in-ever-shifting-waves www.secnews.physaphae.fr/article.php?IdArticle=5325562 False Threat,Malware,Tool NotPetya,NotPetya None Anomali - Firm Blog XDR is a significant evolution, and we believe that adversary detection and response (ADR) is not far behind, particularly with more collaboration between the public and private sectors.  Perhaps most importantly, we are getting closer and closer to realizing the full promise of Big Data in a cybersecurity context. At Anomali, much of our energy is put towards closing that gap. We believe it is the key to unlocking adversary defense as a truly viable and scalable approach to securing companies and people. At the RSA Conference 2022, cyber threat experts gave attendees a virtual trip around the world during a panel presentation examining threat actor activity from both nation-states and criminal groups. The panelists revealed the latest global threat activity, as well as the best strategies to thwart increasingly sophisticated attacks. They detailed adversary behavior that should both concern and energize us, and we share it here in the hopes of generating energy amongst our community, our partners, our customers, and all those who see an understanding of adversary behavior as a critical mission. Attacks Go Beyond Traditional Platforms China, while not as flashy and flamboyant as Russia, is reshaping the cyber threat landscape as well. Its attacks are moving beyond traditional platforms such as Microsoft and Linux malware to esoteric systems, like Huawei routers and Solaris implants. As panelists noted, the attack surface is shifting, widening, and morphing in many different ways. For example, China exploited a vulnerability in software that tracks diseases in cattle to gain a foothold into 18 state and local governments in the U.S. that use the software. Often, threat actors can exploit vulnerabilities within hours. The implication, according to the panel? Defenders must look beyond traditional assets and accelerate the patching of critical systems. It’s no longer a matter of simply matching every so often. Instead, it’s imperative to have hard conversations with the business about downtime and schedule patching regularly. Ransomware as Harassment Iran has become an innovator in government-backed ransomware. Iranian attackers are becoming more patient, sometimes having 10 interactions with a victim before doing anything malicious. The panelists referred to them as “big-game hunters at scale,” and I couldn’t agree more. We’re not talking about just targeting one system within the network to lock it up. This is a network-wide ransomware endeavor to get as much ransom as possible. Add to this the practice of leaking data to harass organizations. Cyber Criminals are Posing as Job Seekers North Korea, whose cyber activities have been mostly on hold during the pandemic, is returning in a vengeful – and creative way. Among the newest developments: A focus on cryptocurrency schemes. Panelists recounted examples of stolen crypto wallets. If one doesn’t store cryptocurrency offline, they will likely lose al]]> 2022-06-21T18:28:00+00:00 https://www.anomali.com/blog/cyber-threats-are-as-bad-as-you-imagine-but-different-than-you-may-think www.secnews.physaphae.fr/article.php?IdArticle=5312430 False Threat,Ransomware,Malware,Patching,Vulnerability None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Update: The Phish Goes On - 5 Million Stolen Credentials and Counting (published: June 16, 2022) PIXM researchers describe an ongoing, large-scale Facebook phishing campaign. Its primary targets are Facebook Messenger mobile users and an estimated five million users lost their login credentials. The campaign evades Facebook anti-phishing protection by redirecting to a new page at a legitimate service such as amaze.co, famous.co, funnel-preview.com, or glitch.me. In June 2022, the campaign also employed the tactic of displaying legitimate shopping cart content at the final page for about two seconds before displaying the phishing content. The campaign is attributed to Colombian actor BenderCrack (Hackerasueldo) who monetizes displaying affiliate ads. Analyst Comment: Users should check what domain is asking for login credentials before providing those. Organizations can consider monitoring their employees using Facebook as a Single Sign-On (SSO) Provider. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 Tags: Facebook, Phishing, Facebook Messenger, Social networks, Mobile, Android, iOS, Redirect, Colombia, source-country:CO, BenderCrack, Hackerasueldo F5 Labs Investigates MaliBot (published: June 15, 2022) F5 Labs researchers describe a novel Android trojan, dubbed MaliBot. Based on re-written SOVA malware code, MaliBot is maintaining its Background Service by setting itself as a launcher. Its code has some unused evasion portions for emulation environment detection and setting the malware as a hidden app. MaliBot spreads via smishing, takes control of the device and monetizes using overlays for certain Italian and Spanish banks, stealing cryptocurrency, and sometimes sending Premium SMS to paid services. Analyst Comment: Users should be wary of following links in unexpected SMS messages. Try to avoid downloading apps from third-party websites. Be cautious with enabling accessibility options. MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] User Execution - T1204 Tags: MaliBot, Android, MFA bypass, SMS theft, Premium SMS, Smishing, Binance, Trust wallet, VNC, SOVA, Sality, Cryptocurrency, Financial, Italy, target-country:IT, Spain, target-country:ES Extortion Gang Ransoms Shoprite, Largest Supermarket Chain in Africa (published: June 15, 2022) On June 10, 2022, the African largest supermarket chain operating in twelve countries, Shoprite Holdings, announced a possible cybersecurity incident. The company notified customers in E]]> 2022-06-21T15:03:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-gallium-expands-targeting-across-telecommunications-government-and-finance-sectors-with-new-pingpull-tool-dragonforce-malaysia-opspatuk-opsindia-and-more www.secnews.physaphae.fr/article.php?IdArticle=5309464 False Threat,Ransomware,Malware,Guideline,Tool,Conference,Vulnerability APT 35,Yahoo None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat (published: June 9, 2022) Intezer and BlackBerry researchers described a new, previously unknown malware family dubbed Symbiote. It is a very stealthy Linux backdoor and credential stealer that has been targeting financial and other sectors in Brazil since November 2021. Symbiote is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD before any other SOs. It uses hardcoded lists to hide associated processes and files, and affects the way ldd displays lists of SOs to remove itself from it. Additionally, Symbiote uses three methods to hide its network traffic. For TCP, Symbiote hides traffic related to some high-numbered ports and/or certain IP addresses using two techniques: (1) hooking fopen and fopen64 and passing a scribbed file content for /proc/net/tcp that lists current TCP sockets, and (2) hooking extended Berkeley Packet Filter (eBPF) code to hide certain network traffic from packet capture tools. For UDP, Symbiote hooks two libpcap functions filtering out packets containing certain domains and fixing the packet count. All these evasion measures can lead to Symbiote being hidden during a live forensic investigation. Analyst Comment: Defenders are advised to use network telemetry to detect anomalous DNS requests associated with Symbiote exfiltration attempts. Security solutions could be deployed as statically linked executables so they don’t expose themselves to this kind of compromise by calling for additional libraries. MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] Data Staged - T1074 Tags: Symbiote, target-region:Latin America, Brazil, target-country:BR, Financial, Linux, Berkeley Packet Filter, eBPF, LD_PRELOAD, Exfiltration over DNS, dnscat2 Alert (AA22-158A). People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices (published: June 8, 2022) Several US federal agencies issued a special Cybersecurity Advisory regarding China-sponsored activities concentrating on two aspects: compromise of unpatched network devices and threats to IT and telecom. Attackers compromise unpatched network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, to serve as “hop points” to obfuscate their China-based IP addresses in preparation and during the next intrusion. Similarly, routers in IT and Telecom companies are targeted for initial access by China-sponsored groups, this time using open-source router specific software frameworks, RouterSploit and RouterScan. Analyst Comment: When planning your company]]> 2022-06-14T15:15:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-symbiote-linux-backdoor-is-hard-to-detect-aoqin-dragon-comes-through-fake-removable-devices-china-sponsored-groups-proxy-through-compromised-routers-and-more www.secnews.physaphae.fr/article.php?IdArticle=5145972 False Threat,Ransomware,Malware,Guideline,Tool,Vulnerability CCleaner None Anomali - Firm Blog Malware Intelligence - Remote Access Tools and Trojans Pulls OSINT and primary intelligence feeds related to remote access tool and trojan samples, actors who use these tools and trojans, and TTPs associated with known remote access tool and trojan families, among others, and displays the data in 10 widgets. ]]> 2022-06-13T16:46:00+00:00 https://www.anomali.com/blog/malware-intelligence-dashboards www.secnews.physaphae.fr/article.php?IdArticle=5133965 False Threat,Ransomware,Malware,Tool None None Anomali - Firm Blog Joint Cyber Defense Collaborative last year. This collaboration between federal agencies and the private sector, led by the Cybersecurity and Infrastructure Security Agency (CISA), marks an important advance in making the nation’s cyber defenses more robust through closer planning, preparation, and information sharing. Information sharing is part of Anomali’s DNA, particularly in our industry-centric communities where security professionals from around the world can engage safely, without fear of compromise. While this concept is still being developed and vetted with internal and external stakeholders, we are committed to a “rising tide” view of safety and security. During the panel discussion, an NSA panelist lauded the combination of experts and “in the trenches” knowledge to generate context around the data. The pairing of insight and human intel surely is all to the good. For example, the CISA panelist marked the JCDC’s response to Log4j as a significant milestone in private-public collaboration. In addition to creating a public-facing website so organizations could see if any of the software/hardware they run was susceptible to Log4j, the panelist noted that behind the scenes, they were also tracking adversaries who were looking to exploit Log4j, and examining what sectors were targeted. At Anomali, we see adversaries working in concert on a daily basis to further their ends, and we believe it’s impossible to truly secure companies and the people that rely on them without doing the same. Moving from Reactive to Proactive When we consider adversary detection and response, which we believe will fulfill the ultimate promise of XDR, it becomes clear that relevant intelligence is key to the security of every company and every individual. Why? Because critical threat intelligence should do more than inform and remediate. To secure the future, the promise of big data in cybersecurity cannot stop at understanding. It must extend all the way to the identification of adversaries and the prevention of attacks. And it must be relevant to those using it, when they need it. How do we get there? Intelligence is only as good as the data that informs it. Add to this siloed systems and the traditional separation between public and private sectors in sharing information. Yet the results of collaborations like that of the JCDC, as discussed during the RSA panel session, show that more detailed preparation and prevention is possible. We’ve said many times in this blog that we at Anomali believe in shifting the cybersecurity emphasis from the attack to the attacker. Savvy security professionals understand this. And so, as they make investments in intelligence, they are looking to become more strategic in their detection approach&m]]> 2022-06-10T16:59:00+00:00 https://www.anomali.com/blog/rsa-2022-the-strategy-behind-using-critical-threat-intelligence-strategically www.secnews.physaphae.fr/article.php?IdArticle=5078934 False Threat None 5.0000000000000000 Anomali - Firm Blog first three months on the job, sharing the particular challenges they faced while building out their organizations’ strategies, policies and procedures. Any new CISO will need access to the best and most actionable intelligence possible about the shifting threats to their organizations. They’re walking into new situations where they’ll immediately be under the gun to translate all the data that they’re keeping tabs on into real business impact. All the while, they’ll be expected to report to their bosses in the C-suite both on the organization’s risks and security exposure as well as what they’re doing to stay ahead of the bad guys. Clearly, enterprises are going to need an updated approach to put them in a stronger position when it comes to threat detection and response. That doesn’t happen nearly enough, according to panelist Olivia Rose, the CISO of Amplitude. She noted that many new CISOs don’t listen carefully enough when they take over and risk ostracizing the people actually doing the work. Instead, she said the CISO’s first 30 days should be akin to a listening tour. The immediate goal is to build allies for any rethink of the organization's security posture. The longer-term goal is to implement the necessary tools and processes that will make it easier for the enterprise to stay on top of security threats. For example, one of the first things that another panelist, Caleb Sima, the CISO of Robinhood, did when he took over was to conduct an internal survey to measure the relationship between security and the rest of the organization. That was the jumping-off point for follow-up conversations with other departments about what they needed and how to improve the security relationship. After consulting with the engineering leadership and other stakeholders, he then built out planning decks with progress goals for his first year in preparation for a presentation of his findings to the executive team. It’s worth noting that this degree of sharing doesn’t need to be limited to the walls of an organization. Building on the advice outlined by Sima, new methods and tools are emerging to enable sharing within intelligence communities and among organizations that historically would have avoided sharing information for fear of spilling trade secrets. The Anomali platform, for example, makes threat intelligence sharing possible between ISACs, ISAOs, industry groups and other communities looking to share intelligence in a secure and trusted way. Winning Over the Board Perhaps no relationship – particularly during those first 90 days – is as critical as the one between the new CISO and the company’s board of directors. In the past, truth be told, the relationship left much to be desired. But in more recent years, more boards have recognized the strategic value of security and the monetary and reputational risks of data breaches. For new CISOs, it’s more important to articulate the nature of the gathering threats, real and potential, and the company’s defense capabilities – in plain English. That means keeping insights and implications very clear, with an emphasis on impact. Going even further, the CISO at some point early in their tenure will need to report progress t]]> 2022-06-09T02:40:00+00:00 https://www.anomali.com/blog/rsa-2022-youre-the-new-ciso-want-to-fix-the-problem-start-by-simply-listening www.secnews.physaphae.fr/article.php?IdArticle=5058766 False Threat,Guideline,Tool None None Anomali - Firm Blog major ransomware attack that took down the Colonial Pipeline, disrupting energy supplies up and down the East Coast, and an attack on Costa Rica resulting in its president declaring a state of emergency. Elsewhere, critical infrastructure in Asia was targeted in a “low and slow” attack that lasted over a year – with attackers using “live off the land” techniques to steal credentials and move laterally from less protected IT systems to highly critical operational infrastructure. These were all attacks that had a real-life impact on people's lives, underscoring the urgency of moving beyond reactive threat detection to proactive attacker response. This much is understood: We need to extend our attack visibility across the entirety of the digital ecosystem. That means not just detecting attacks that have occurred but also preventing those that are likely to occur in the future. In my conversations with security professionals, it’s clear they want to be more proactive. They make investments in intelligence in an attempt to become more strategic in their detection approach. But static intelligence puts analysts on a hamster wheel cycle of investigation without conclusion and provides CEOs and boards with a dangerous false sense of security]]> 2022-06-07T22:18:00+00:00 https://www.anomali.com/blog/why-its-time-to-rethink-adversary-detection-and-response-now www.secnews.physaphae.fr/article.php?IdArticle=5029199 False Threat,Ransomware None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence WinDealer Dealing on the Side (published: June 2, 2022) Kaspersky researchers detected a man-on-the-side attack used by China-sponsored threat group LuoYu. Man-on-the-side is similar to man-in-the-middle (MitM) attack; the attacker has regular access to the communication channel. In these attacks LuoYu were using a potent modular malware dubbed WinDealer that can serve as a backdoor, downloader, and infostealer. The URL that distributes WinDealer is benign, but on rare conditions serves the malware. One WinDealer sample was able to use a random IP from 48,000 IP addresses of two Chinese IP ranges. Another WinDealer sample was programmed to interact with a non-existent domain name, www[.]microsoftcom. Analyst Comment: Man-on-the-side attacks are hard to detect. Defense would require a constant use of a VPN to avoid networks that the attacker has access to. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from advanced threat groups. MITRE ATT&CK: [MITRE ATT&CK] Man-in-the-Middle - T1557 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Process Discovery - T1057 Tags: Man-on-the-side attack, WinDealer, LuoYu, SpyDealer, Demsty, Man-in-the-middle, APT, EU, target-region:EU, North America, Russia, China, source-country:CN, target-country:CN, Germany, target-country:DE, Austria, target-country:AT, USA, target-country:US, Czech Republic, target-country:CZ, Russia, target-country:RU, India, target-country:IN. Analysis of the Massive NDSW/NDSX Malware Campaign (published: June 2, 2022) Sucuri researchers describe the NDSW/NDSX (Parrot TDS) malware campaign that compromises websites to distribute other malware via fake update notifications. Currently one of the top threats involving compromised websites, NDSW/NDSX began operation in or before February 2019. This campaign utilizes various exploits including those based on newly-disclosed and zero-day vulnerabilities. After the compromise, the NDSW JavaScript is injected often followed by the PHP proxy script that loads the payload on the server side to hide the malware staging server. Next step involves the NDSX script downloading ]]> 2022-06-07T17:41:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-man-on-the-side-attack-affects-48000-ip-addresses-iran-outsources-cyberespionage-to-lebanon-xloader-complex-randomization-to-contact-mostly-fake-c2-domains-and-more www.secnews.physaphae.fr/article.php?IdArticle=5024723 False Threat,Malware,Tool,Vulnerability None None Anomali - Firm Blog 2022-06-06T21:34:00+00:00 https://www.anomali.com/blog/welcome-to-rsa www.secnews.physaphae.fr/article.php?IdArticle=5016356 False Threat,Ransomware,Patching,Vulnerability None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Credit Card Stealer Targets PsiGate Payment Gateway Software (published: May 25, 2022) Sucuri Researchers have detailed their findings on a MageCart skimmer that had been discovered within the Magento payment portal. Embedded within the core_config_data table of Magento’s database, the skimmer was obfuscated and encoded with CharCode. Once deobfuscated, a JavaScript credit card stealer was revealed. The stealer is able to acquire text and fields that are submitted to the payment page, including credit card numbers and expiry dates. Once stolen, a synchronous AJAX is used to exfiltrate the data. Analyst Comment: Harden endpoint security and utilize firewalls to block suspicious activity to help mitigate against skimmer injection. Monitor network traffic to identify anomalous behavior that may indicate C2 activity. MITRE ATT&CK: [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Input Capture - T1056 Tags: MageCart, skimmer, JavaScript Magento, PsiGate, AJAX How the Saitama Backdoor uses DNS Tunneling (published: May 25, 2022) MalwareBytes Researchers have released their report detailing the process behind which the Saitama backdoor utilizes DNS tunneling to stealthy communicate with command and control (C2) infrastructure. DNS tunneling is an effective way to hide C2 communication as DNS traffic serves a vital function in modern day internet communications thus blocking DNS traffic is almost never done. Saitama formats its DNS lookups with the structure of a domain consisting of message, counter . root domain. Data is encoded utilizing a hardcoded base36 alphabet. There are four types of messages that Saitama can send using this method: Make Contact to establish communication with a C2 domain, Ask For Command to get the expected size of the payload to be delivered, Get A Command in which Saitama will make Receive requests to retrieve payloads and instructions and finally Run The Command in which Saitama runs the instructions or executes the payload and sends the results to the established C2. Analyst Comment: Implement an effective DNS filtering system to block malicious queries. Furthermore, maintaining a whitelist of allowed applications for installation will assist in preventing malware like Saitama from being installed. MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 Tags: C2, DNS, Saitama, backdoor, base36, DNS tunneling ]]> 2022-06-01T17:47:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-turlas-new-phishing-based-reconnaissance-campaign-in-eastern-europe-unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion-and-more www.secnews.physaphae.fr/article.php?IdArticle=4921519 False Threat,Ransomware,Malware,Tool APT 19 None Anomali - Firm Blog Screenshot - How a user would map their log source data to the Cloud XDR schema to optimize correlation efficiency   Enhanced Dashboards  This release also introduces key dashboards that provide multi-dimensional views using our advanced search to provide an instant snapshot of your environment. New dashboards include: Multi-Dimensional View: presents a number of visualizations showing the occurrence of IOC matches over time, whether by Source Host, Indicator, iType, Severity, Confidence, and more.  Match Analysis View: provides analytics about the threat intelligence feeds, indicator types, indicators, and DGA domains that match events in your network, such as Matches Over Time, Matches by iType, Matches by Indicator, Matches by DGA You can also schedule and distribute reports based on these dashboards to decision-makers who do not regularly access the Platform, providing key insights and snapshots to executives and key stakeholders. Screenshot: Enhance Dashboard Example   Extended TAXII 2.1 client support for sharing indicators Trusted Automated Exchange of Intelligence Information (TAXII™) is an application protocol for exchanging intelligence over HTTPS. ThreatStream hosts a TAXII server instance that enables the sharing of observables with external applications, enabling out-of-the-box integration with security controls and other threat intelligence-consuming products. We’ve updated our ThreatStream TAXII client to ensure that any applications or products attempting to gather indicators using a TAXII 2.1 client will be able to receive intelligence without any issues. Easy configuration of new TAXII 2.x sites allows for out-of-the-box integration with intelligence providers running TAXII 2.x servers.  Customers are also able to choose between TAXII 1.1, 2.0, and 2.1 when configuring a new site for IoC collection.   Full Granular Dashboard Management in ThreatStream  Dashboards provide quick snapshots into relevant data for users to keep tabs on what's going on in their environment. Now, ThreatStream customers can granularly manage their dashboards to further customize the]]> 2022-05-31T13:18:00+00:00 https://www.anomali.com/blog/may-2022-quarterly-product-release www.secnews.physaphae.fr/article.php?IdArticle=4904832 False Threat None None Anomali - Firm Blog Cybersecurity Insights Report 2022: The State of Cyber Resilience. Coming in at number three on our list: Identifying and Utilizing the Latest Cybersecurity Solutions This is not surprising, as just under half of security decision-makers strongly agree that their cybersecurity teams can quickly prioritize threats based on trends, severity, and potential impact. Cybersecurity Analysts use various tools in their jobs, which can be organized into a few categories: network security monitoring, encryption, web vulnerability, penetration testing, antivirus software, network intrusion detection, and packet sniffers. Types of Tools Network security monitoring tools These tools are used to analyze network data and detect network-based threats.  Encryption tools Encryption protects data by scrambling text so that it is unreadable to unauthorized users.  Web vulnerability scanning tools These software programs scan web applications to identify security vulnerabilities, including cross-site scripting, SQL injection, and path traversal.  Penetration testing Penetration testing, also known as “pen test”, simulates an attack on a computer system to evaluate the security of that system.  Antivirus software This software is designed to find viruses and harmful malware, including ransomware, worms, spyware, adware, and Trojans. Network intrusion detection An Intrusion Detection System (IDS) monitors network and system traffic for unusual or suspicious activity and notifies the administrator if a potential threat is detected.  Packet sniffers A packet sniffer, also called a packet analyzer, protocol analyzer or network analyzer, is used to intercept, log, and analyze network traffic and data.  Firewall tools Monitor incoming and outgoing network traffic and permit or block data packets based on security rules. Detection and Response Platforms Detection and response services analyze and proactively detect and eventually eliminate cyber threats. Alerts are investigated to determine if any action is required. As I pointed out in a previous blog, enterprise organizations have deployed over 130 security tools. Here's a look at the current technology security teams use or plan to invest in. What's even crazier is this stat: CyberDB claims to have more than 3,500 cybersecurity vendors listed in the United States alone. So, how are security professionals supposed to keep up with the latest trends or innovations in technology? Thankfully, we live in the digital age where information is just a click away. I typically start my day by reading news websites and blogs from security experts and check the twitter. You can also attend webinars and conferences or communicate directly with someone well-versed in the field. Get Social Social media networks are excellent sources for finding new content. (Shameless plug, make sure you're following us on LinkedIn and Twitter) Twitter is particularly useful if you know what hashtags to search for or who to follow. You can see discussions in real-time to get yourself into the conversation; create feed lists to weed out the noise by specifying what security vendors, influencers, and developers you]]> 2022-05-26T10:42:00+00:00 https://www.anomali.com/blog/understanding-the-latest-cybersecurity-solutions-to-keep-up-with-todays-threats www.secnews.physaphae.fr/article.php?IdArticle=4819998 False Threat,Tool,Vulnerability None 5.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others) (published: May 20, 2022) In April 2022, VMware publicly revealed several vulnerabilities affecting its products, and by May 2022 Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to mitigate two of the VMware vulnerabilities (CVE-2022-22954 and CVE-2022-22960). CVE-2022-22954 is a remote code execution (RCE) vulnerability using server-side template injection to target VMware Workspace ONE Access and Identity Manager. It can be easily exploited with a single HTTP request to a vulnerable device and was seen delivering various payloads including coinminers, Perl Shellbots, Scanning/Callbacks, and Webshells. CVE-2022-22954 is also being exploited to drop variants of the Mirai/Gafgyt, and in the case of the observed Enemybot variant, final payloads themselves embed CVE-2022-22954 exploits for further exploitation and propagation. Analyst Comment: Update impacted VMware products to the latest version or remove impacted versions from organizational networks. If a compromise is detected, immediately isolate affected systems, collect relevant logs and artifacts, and consider incident response services. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498 Tags: VMware, Perl Shellbot, Stealth Shellbot, Godzilla Webshell, Gafgyt, Mirai, XMRig, Coinminer, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2017-17215, CVE-2022-22961, CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22973, CVE-2022-22972, Linux, Server-side template injection, RCE DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape (published: May 20, 2022) Advanced Intel researchers report that Conti ransomware group (Wizard Spider) is in the long-planned process of discontinuing its brand and has turned off its infrastructure including their negotiations service site and the admin panel of the Conti official website. The attack on Costa Rica was intentionally causing publicity ]]> 2022-05-24T17:29:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-contis-talent-goes-to-other-ransom-groups-china-based-espionage-targets-russia-xorddos-stealthy-linux-trojan-is-on-the-rise-and-more www.secnews.physaphae.fr/article.php?IdArticle=4788392 False Threat,Ransomware,Malware,Tool,Vulnerability None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence COBALT MIRAGE Conducts Ransomware Operations in U.S. (published: May 12, 2022) Secureworks researchers describe campaigns by Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity systems, and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and using commodity tools for encryption, internal scanning, and lateral movement. Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your system updated, and employ mitigation strategies when updates for critical vulnerabilities are not available. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, Powershell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591 SYK Crypter Distributing Malware Families Via Discord (published: May 12, 2022) Morphisec researchers discovered a new campaign abusing popular messaging platform Discord content distribution network (CDN). If a targeted user activates the phishing attachment, it starts the DNetLoader malware that reaches out to the hardcoded Discord CDN link and downloads a next stage crypter such as newly-discovered SYK crypter. SYK crypter is being loaded into memory where it decrypts its configuration and the next stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions and checks for d]]> 2022-05-17T15:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-costa-rica-in-ransomware-emergency-charming-kitten-spy-and-ransom-saitama-backdoor-hides-by-sleeping-and-more www.secnews.physaphae.fr/article.php?IdArticle=4668209 False Threat,Ransomware,Malware,Tool,Conference,Vulnerability APT 35,APT 15,APT 34 None Anomali - Firm Blog Cybersecurity Insights Report 2022: The State of Cyber Resilience. Coming in at number four on the list is “Lack of skilled cybersecurity professionals.”   I’m a little surprised this wasn’t number one on our list, but organizations have adapted to alleviate this constraint. Understanding the Cybersecurity Skills Shortage The cybersecurity skills shortage is nothing new, but it was exacerbated by the pandemic, which accelerated digital transformation, expanded attack surfaces, and increased security. According to the latest statistics from (ISC)², there will be approximately 1.8 million unfilled cybersecurity jobs by 2022. Even though that is a significant drop compared to the 3.5 million cybersecurity workforce shortage in 2021, it still leaves a substantial gap in the market. Why the cybersecurity skills gap exists – and persists I’m always in awe when I watch SOC Analysts, Threat Hunters, and Reverse Engineers work. There’s a lot of discipline involved in what they do, taking a specific mindset. According to Gartner, there is a persistent cybersecurity skills shortage because the cybersecurity industry covers several different disciplines, ranging from secure code practices and full-stack knowledge of IT infrastructure to regulatory and legal compliance. Others say it reflects skills shortages across the broader IT market. However, the growing size and intensity of cyber-attacks mean that demand for cybersecurity professionals has grown much faster than in other sectors of the IT job market. It’s challenging to find and recruit multi­disciplinary IT staff in the first place, so finding someone who has the additional focus on security is even more challenging.  Working in cybersecurity requires an extensive range of soft and technical skills and a suitable personality for the job. Despite the massive demand for cyber security jobs, IT candidates are less inclined to pursue careers because of the stress involved. What’s Required? The shortage of cybersecurity skills lies within this tangled web of requirements: to become the person who can protect organizations from cyber attacks, you need many years’ worth of applied experience far beyond any formal education. In speaking with colleagues, successful cybersecurity candidates today must first be a general security expert who has a good grasp of physical and technical cybersecurity issues. You also need at minimum one or two specific domains in deep IT expertise with a grasp on the evolution of technology and an understanding of how organizations and their people use technology to achieve their goals.  Taking a quick look at job reqs, most companies hiring an entry-level SOC analyst are looking for someone with: 3 to 5 years or more of information security-related experience. Technical expertise in IT technology: Cybersecurity, cloud computing, networking, and software development Experience-based familiarity with the auditing discipline of information security. Knowledge of security and regulatory compliance frameworks: PCI DSS, SOC, NIST, HIPAA, GDPR, etc.  Holds the CISA or other information security certifications I came across an old stat on cybersecurityventures.com that said only 3 Percent Of US Bachelor’s Degree Grads Have Cybersecurity Related Skills. If more students don’t enroll to get the necessary skills, who knows if we’ll ever catch up. Dealin]]> 2022-05-12T11:00:00+00:00 https://www.anomali.com/blog/dealing-with-the-cybersecurity-skills-gap www.secnews.physaphae.fr/article.php?IdArticle=4582676 False Threat,Guideline None 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Attackers Are Attempting to Exploit Critical F5 BIG-IP RCE (published: May 9, 2022) CVE-2022-1388, a critical remote code execution vulnerability affecting F5 BIG-IP multi-purpose networking devices/modules, was made public on May 4, 2022. It is of high severity (CVSSv3 score is 9.8). By May 6, 2022, multiple researchers have developed proof-of concept (PoC) exploits for CVE-2022-1388. The first in-the-wild exploitation attempts were reported on May 8, 2022. Analyst Comment: Update your vulnerable F5 BIG-IP versions 13.x and higher. BIG-IP 11.x and 12.x will not be fixed, but temporary mitigations available: block iControl REST access through the self IP address and through the management interface, modify the BIG-IP httpd configuration. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 Tags: CVE-2022-1388, F5, Vulnerability, Remote code execution, Missing authentication Mobile Subscription Trojans and Their Little Tricks (published: May 6, 2022) Kaspersky researchers analyzed five Android trojans that are secretly subscribing users to paid services. Jocker trojan operators add malicious code to legitimate apps and re-upload them to Google Store under different names. To avoid detection, malicious functionality won’t start until the trojan checks that it is available in the store. The malicious payload is split in up to four files. It can block or substitute anti-fraud scripts, and modify X-Requested-With header in an HTTP request. Another Android malware involved in subscription fraud, MobOk trojan, has additional functionality to bypass captcha. MobOk was seen in a malicious app in Google Store, but the most common infection vector is being spread by other Trojans such as Triada. Analyst Comment: Limit your apps to downloads from the official stores (Google Store for Android), avoid new apps with low number of downloads and bad reviews. Pay attention to the terms of use and payment. Avoid granting it too many permissions if those are not crucial to the app alleged function. Monitor your balance and subscription list. MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Data Manipulation - T1565 Tags: Android, Jocker, MobOk, Triada, Vesub, GriftHorse, Trojan, Subscription fraud, Subscription Trojan, Russia, target-country:RU, Middle East, Saudi Arabia, target-country:SA, Egypt, target-country:EG, Thailand, target-country:TH Raspberry Robin Gets the Worm Early (published: May 5, 2022) Since September 2021, Red Canary researchers monitor Raspberry Robin, a new worm]]> 2022-05-10T17:08:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-moshen-dragon-abused-anti-virus-software-raspberry-robin-worm-jumps-from-usb-unc3524-uses-internet-of-things-to-steal-emails-and-more www.secnews.physaphae.fr/article.php?IdArticle=4573852 False Threat,Ransomware,Malware,Tool,Vulnerability APT 29,APT 28 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity (published: April 28, 2022) ESET researchers found three different teams under China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019. Infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog’s infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs). Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Inter-Process Communication - T1559 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Process Injection - T1055 | ]]> 2022-05-03T16:31:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-time-to-ransom-under-four-hours-mustang-panda-spies-on-russia-ricochet-chollima-sends-goldbackdoor-to-journalists-and-more www.secnews.physaphae.fr/article.php?IdArticle=4538825 False Threat,Ransomware,Malware,Guideline,Cloud,Tool,Vulnerability APT 10,APT 10,APT 37 None Anomali - Firm Blog Cybersecurity Insights Report 2022: The State of Cyber Resilience. In the last blog, I wrote about the challenges that organizations have with disparate tools, highlighted by the fact that mature enterprise organizations deployed over 130 security tools on average. That blog is a perfect introduction to number five on our list of challenges enterprise organizations face: ‘Solutions not customized to the types of risks we face.’ More Tools, More Problems Most security teams use several security management tools to help them manage their security infrastructure. While each tool was acquired for a specific reason and purpose, introducing each tool into an existing security tech stack poses a different challenge. Unfortunately, there’s no one size fits all approach. Every new security tool introduced requires integration to use the tool effectively. It takes a lot of time and effort to implement a tool properly into your environment and processes. There would most likely need training involved for those analysts who would be using the new tools. While necessary, these tasks take time and attention away from everyday activities and can significantly decrease a security team’s effectiveness before they’re fully integrated into their workflow. Increasing in Multiple Tools Increases Security Complexity The increasing adoption of cybersecurity solutions has created more consequences and challenges for organizations and their IT teams. With each addition of a new solution, another problem emerges Tool sprawl. Tool sprawl is when an organization invests in various tools that make it harder for IT teams to manage and orchestrate the solution. Time is a precious commodity, especially in cybersecurity. It takes time to collect information from multiple tools and disparate data sources, then correlate it manually with the necessary intelligence. Instead of responding quickly to an attack, analysts will waste time collecting the data and relevant intelligence needed to understand what kind of attacks they are dealing with and which actions they should take. Instead of fixing a problem, security teams may suddenly find that they’ve added more.  How Cybersecurity Tools Grew Out of Control Traditional cybersecurity operations were designed to manage anti-viruses, install and monitor firewalls, protect data, and help users manage passwords. It was evident by the mid-1990s that investing in cybersecurity would be necessary. Organizations now had a budget for security and had to figure out which parts of their infrastructure were most vulnerable. As their strategy evolved, organizations began investing in hiring cybersecurity experts but realized people are expensive. They then began buying various tools to complement their security professionals. They soon realized that there was a security tool you could buy that could help resolve the situation for any potential problem. The desire to throw tools at a situation continues today. Cybersecurity budgets have increased since the pandemic sped up digital transformation efforts and increased an organization’s attack surface. Board members and Executives realize the need to invest more in cybersecurity. New security products continue to spring up, promising to solve problems and secure all the various parts of businesses’ technology stacks.  Unfortunately, when adding tools, too many organizations make the mistake of looking for a quick fix, working in silos to solve one problem rather than t]]> 2022-04-28T11:00:00+00:00 https://www.anomali.com/blog/more-tools-more-problems-why-its-important-to-ensure-security-tools-work-together www.secnews.physaphae.fr/article.php?IdArticle=4516458 False Threat,Guideline,Tool None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems (published: April 25, 2022) Cybereason researchers have compared trending attacks involving SocGholish and Zloader malware. Both infection chains begin with social engineering and malicious downloads masquerading as legitimate software, and both lead to data theft and possible ransomware installation. SocGholish attacks rely on drive-by downloads followed by user execution of purported browser installer or browser update. The SocGholish JavaScript payload is obfuscated using random variable names and string manipulation. The attacker domain names are written in reverse order with the individual string characters being put at the odd index positions. Zloader infection starts by masquerading as a popular application such as TeamViewer. Zloader acts as information stealer, backdoor, and downloader. Active since 2016, Zloader actively evolves and has acquired detection evasion capabilities, such as excluding its processes from Windows Defender and using living-off-the-land (LotL) executables. Analyst Comment: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors. MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets - T1558 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | ]]> 2022-04-26T16:24:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-gamaredon-delivers-four-pterodos-at-once-known-plaintext-attack-on-yanlouwang-encryption-north-korea-targets-blockchain-industry-and-more www.secnews.physaphae.fr/article.php?IdArticle=4508976 False Threat,Ransomware,Malware,Guideline,Tool,Vulnerability,Medical APT 38,Uber,APT 28 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Lazarus Targets Chemical Sector (published: April 14, 2022) In January 2022, Symantec researchers discovered a new wave of Operation Dream Job. This operation, attributed to the North Korea-sponsored group Lazarus, utilizes fake job offers via professional social media and email communications. With the new wave of attacks, Operation Dream Job switched from targeting the defense, government, and engineering sectors to targeting South Korean organizations operating within the chemical sector. A targeted user executes an HTM file sent via a link. The HTM file is copied to a DLL file to be injected into the legitimate system management software. It downloads and executes the final backdoor: a trojanized version of the Tukaani project LZMA Utils library (XZ Utils) with a malicious export added (AppMgmt). After the initial access, the attackers gain persistence via scheduled tasks, move laterally, and collect credentials and sensitive information. Analyst Comment: Organizations should train their users to recognize social engineering attacks including those posing as “dream job” proposals. Organizations facing cyberespionage threats should implement a defense-in-depth approach: layering of security mechanisms, redundancy, fail-safe defense processes. MITRE ATT&CK: [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555 Tags: Lazarus, Operation Dream Job, North Korea, source-country:KP, South Korea, target-country:KR, APT, HTM, CPL, Chemical sector, Espionage, Supply chain, IT sector Old Gremlins, New Methods (published: April 14, 2022) Group-IB researchers have released their analysis of threat actor OldGremlin’s new March 2022 campaign. OldGremlin favored phishing as an initial infection vector, crafting intricate phishing emails that target Russian industries. The threat actors utilized the current war between Russia and Ukraine to add a sense of legitimacy to their emails, with claims that users needed to click a link to register for a new credit card, as current ones would be rendered useless by incoming sanctions. The link leads users to a malicious Microsoft Office document stored within Dropbox. When macros are enabled, the threat actor’s new, custom backdoor, TinyFluff, a new version of their old TinyNode]]> 2022-04-19T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-raidforums-seized-sandworm-attacks-ukrainian-power-stations-north-korea-steals-chemical-secrets-and-more www.secnews.physaphae.fr/article.php?IdArticle=4477972 False Threat,Ransomware,Spam,Malware,Guideline,Vulnerability,Medical APT 38,APT 28 None Anomali - Firm Blog Cybersecurity Insights Report 2022: The State of Cyber Resilience: Lack of integrated cyber-security solutions. To deal with the cyberthreats they face every day, Enterprise Security Decision Makers seek new and well-supported solutions. They look for solutions that are easy to use and integrate with other cybersecurity systems and different parts of their organizations. 44% of those surveyed said that easily integrating with other cybersecurity tools is essential when evaluating cybersecurity solutions. What do you look for?   initIframe('62573c84d0742a0929d79352');   So why do almost half of enterprise decision-makers want easily integrated tools? Enterprises frequently deploy new security tools and services to address changing needs and an increase in threats. In fact, according to recent findings, mature security organizations have deployed on average: Small business: 15 and 20 security tools Medium-sized companies: 50 to 60 security tools Enterprises: over 130 tools security tools If you like math, check out these stats: A typical six-layer enterprise tech stack, composed of networking, storage, physical servers, virtualization, management, and application layers, causes enterprise organizations to struggle with 1.6 billion versions of tech installations for 336 products by 57 vendors. Increasing Investments Our research showed that 74% of organizations had increased their cybersecurity budgets to help defend against increasing cyber-attacks. Despite these increasing investments in cybersecurity, only 46% are very confident that their cyber-protection technologies can detect today’s sophisticated attacks. While investment is on the uptake, effectiveness is not. Response efforts have been hindered by the complexity caused by fragmented toolsets, highlighting that investing in too many tools can reduce the effectiveness of security defenses. More Tools, More Problems The wide variety of tools enterprises invest their time and money into to combat security threats can create numerous issues. Security analysts are understandably frustrated. They’re spending most of their time chasing false positives and performing manual processes born from these disparate toolsets. They’re working longer hours and are under more pressure to protect the business. CSO Online provides a good article listing the top challenges of security tool integration: 7 top challenges of security tool integration | CSO Online Too many security tools Lack of interoperability among security tools Broken functionality Limited network visibility Increase in false alarms Failure to set expectations properly Lack of skills You can find the full article here. Source: csoonline.com For this blog, I’ll focus on what I think is the biggest challenge the article did not mention: Disparate tools create siloed organizations.  Creating Gaps and Silos In the last ]]> 2022-04-14T11:00:00+00:00 https://www.anomali.com/blog/more-is-less-the-challenge-of-utilizing-multiple-security-tools www.secnews.physaphae.fr/article.php?IdArticle=4446501 False Threat,Guideline,Tool None None