#ParsedReport
02-06-2022
Hacker group "Ocean Lotus" combat weapon "Buni" latest exposure, targeting Linux platform
https://mp-weixin-qq-com.translate.goog/s/zHLY81XeNL8afYaPtd0Myw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en
Actors/Campaigns:
Oceanlotus
Blacktech
Threats:
Doubleheaded_dragon
Wannacry
Industry:
Government, Iot, Transport, Financial, Energy, Healthcare
Geo:
China, Asia
TTPs:
Tactics: 1
Technics: 0
IOCs:
IP: 1
WeChat Official Accounts Platform
Hacker group "OceanLotus" combat weapon "Buni" newly exposed, targeting the Linux platform
OceanLotus's powerful AV-evading combat weapon exposed. Have you been hit?
#ParsedReport
02-06-2022
Alert (AA22-152A)
https://www.cisa.gov/uscert/ncas/alerts/aa22-152a
Actors/Campaigns:
Karakurt
Threats:
Log4shell_vuln
Cobalt_strike
Beacon
Mimikatz
Blister_loader
Industry:
Government, Healthcare, Financial
Geo:
America
CVEs:
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.0,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.15.0, <2.3.1, <2.12.2)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens logo\! soft comfort (*)
- siemens spectrum power 4 (4.70, 4.70, <4.70, 4.70)
- siemens siveillance control pro (*)
have more...
TTPs:
Tactics: 4
Technics: 12
IOCs:
Url: 1
File: 6
Email: 9
Hash: 11
#ParsedReport
02-06-2022
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
Actors/Campaigns:
Silverfish (tags: trojan, rat, dns, malware, ransomware, vpn, dropper)
Evil_corp (tags: trojan, rat, malware, ransomware, vpn)
Unc1543
Gold_winter
Unc2758
Threats:
Hades (tags: trojan, rat, dns, malware, ransomware, vpn, dropper)
Lockbit (tags: trojan, rat, dns, malware, ransomware, vpn, dropper)
Blister_loader
Dridex
Wastedlocker
Cridex
Friedex
Doppelpaymer
Beacon
Phoenix_locker
Macaw
Fakeudpate
Netsupportmanager_rat
Cobalt_strike
Donut
Mimikatz
Kerberoasting_technique
Keethief_tool
Secretserversecretstealer
Putty_tool
Megasync_tool
Psexec_tool
Timestomp_tool
Domain_fronting_technique
Industry:
Government, Financial
Geo:
Russia
TTPs:
Tactics: 13
Technics: 85
IOCs:
Domain: 17
File: 1
Path: 1
YARA: Found
Links:
https://github.com/TheWover/donut
Mandiant
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions | Mandiant
#ParsedReport
02-06-2022
Clipminer Botnet Makes Operators at Least $1.7 Million
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking
Threats:
Clipminer (tags: malware, scan, botnet, trojan, cryptomining, rat, dropper)
Kryptocibule (tags: malware)
Xmrig_miner
Industry:
Financial
IOCs:
File: 5
Hash: 4
Path: 3
Registry: 4
IP: 2
Functions Names: 1
Security
Clipminer Botnet Makes Operators at Least $1.7 Million
Malware used for cryptocurrency mining and clipboard hijacking.
#ParsedReport
02-06-2022
GoodWill Ransomware? Or Just Another Jasmin Variant?
https://www.netskope.com/blog/goodwill-ransomware-or-just-another-jasmin-variant
Actors/Campaigns:
Carbanak (tags: ransomware)
Threats:
Goodwill (tags: malware, rat, ransomware, stealer, fraud)
Jasmin (tags: malware, rat, ransomware, stealer, fraud)
Zeus
Hiddentear (tags: ransomware)
Follina_vuln
Redline_stealer
Industry:
Financial
CVEs:
CVE-2022-30190 [Vulners]
Vulners: Score: 9.3, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 1809, 21h1, 21h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
- microsoft windows server 2008 (-, r2)
have more...
IOCs:
File: 4
YARA: Found
Links:
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Jasmin%20Ransomware/IOCs
https://github.com/codesiddhant/Jasmin-Ransomware
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Jasmin%20Ransomware
Netskope
GoodWill Ransomware? Or Just Another Jasmin Variant?
Summary In March 2022, researchers spotted a new ransomware family named GoodWill, with a new method to collect the ransom. Instead of requesting payment
#ParsedReport
02-06-2022
CrowdStrike Uncovers New MacOS Browser Hijacking Campaign
https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign
Threats:
Applescript
Beacon
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 2
Domain: 1
Url: 1
Hash: 6
Functions Names: 1
crowdstrike.com
How CrowdStrike Uncovered a New MacOS Browser Hijacking Campaign
Learn how the CrowdStrike Content Research team uncovered a new MacOS-targeted browser hijacking campaign that injects ads into the user’s Chrome or Safari browser.
We have stopped publishing parsed reports on GitHub.
Publication of summaries in this channel will continue.
CTT Report Hub pinned «We have stopped publishing parsed reports on GitHub. Publication of summaries in this channel will continue.»
#ParsedReport
02-06-2022
Zero-Day Exploitation of Atlassian Confluence
https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
Threats:
Chinachopper (tags: rat, vpn)
Behinder (tags: malware)
Meterpreter_tool
Cobalt_strike
Geo:
China
CVEs:
CVE-2022-26134 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
IOCs:
File: 2
IP: 15
Hash: 2
Links:
https://github.com/tennc/webshell/blob/master/caidao-shell/%E8%8F%9C%E5%88%80jsp%E4%BF%AE%E6%94%B9.jsp
https://github.com/volexity/threat-intel/blob/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators/indicators.csv
https://github.com/Freakboy/Behinder
https://github.com/volexity/threat-intel/blob/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators/yara.yar
Volexity
Zero-Day Exploitation of Atlassian Confluence
UPDATE: On June 3, 2022, Atlassian updated its security advisory with new information regarding a fix for Confluence Server and Data Center to address CVE-2022-26134. Users are encouraged to update immediately to […]
#ParsedReport
03-06-2022
Outbreak of Follina in Australia. Key Observations
https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia
Threats:
Follina_vuln (tags: trojan, rat, proxy, malware)
Lolbas_technique
Asyncrat_rat (tags: trojan)
Industry:
Telco
Geo:
Australia, Pacific, Palau, Australian
CVEs:
CVE-2022-30190 [Vulners]
Vulners: Score: 9.3, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 1809, 21h1, 21h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
- microsoft windows server 2008 (-, r2)
have more...
IOCs:
File: 3
Domain: 1
Hash: 13
Avast Threat Labs
Outbreak of Follina in Australia - Avast Threat Labs
Our threat hunters have been busy searching for abuse of the recently-released zero-day remote code execution bug in Microsoft Office (CVE-2022-30190). As part of their investigations, they found evidence of a threat actor hosting malicious payloads on what…
#ParsedReport
03-06-2022
Threat Actors Prey on Eager Travelers
https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers
Actors/Campaigns:
Stone_panda
Threats:
Asyncrat_rat (tags: phishing, trojan, malware, rat)
Netwire_rat (tags: trojan, malware)
Quasar_rat (tags: trojan, malware, rat)
Kryptik_trojan
W32/vbkrypt.c!tr
Industry:
Aerospace, Government
Geo:
Colombia, Colombian
IOCs:
File: 14
Domain: 5
Hash: 13
Fortinet Blog
Threat Actors Prey on Eager Travelers | FortiGuard Labs
With travel becoming more frequent, it is essential for travelers to understand that malicious actors are also eager to leverage travel as an opportunity to deliver malware. Read our blog to learn …
#ParsedReport
03-06-2022
Gootkit Loader Returns to Deliver Cobalt Strike
https://www.esentire.com/blog/gootkit-loader-returns-to-deliver-cobalt-strike
Threats:
Cobalt_strike (tags: phishing, ransomware, malware)
Gootkit (tags: phishing, ransomware, malware)
More_eggs
Gootloader
Industry:
Aerospace
Geo:
America, Apac, China, Emea, Africa
IOCs:
File: 5
eSentire
Gootkit Loader Returns to Deliver Cobalt Strike
Learn about Gootkit Loader including what we found, how we found it and recommendations from our Threat Response Unit (TRU) to protect your business from this cyber threat.
#ParsedReport
06-06-2022
Analyzing the PowGoop variant "E400" of Iran's APT attack group Muddy Water, discovering dozens of C & C servers
https://insight-jp.nttsecurity.com/post/102hq2r/aptmuddywaterpowgoope400cc
Actors/Campaigns:
Muddywater (tags: malware, backdoor, rat)
Blacktech
Threats:
Powgoop (tags: malware, backdoor, rat)
Flagpro
Geo:
Japanese, Thailand, Japan, Iran, Iranian
IOCs:
File: 1
IP: 34
Passle
Analyzing the PowGoop variant "E400" of the Iranian APT group MuddyWater and discovering dozens of C&C servers (via Passle)
This article is a Japanese-language introduction to the research findings of the Swedish SOC, "Analysis of an Iranian APTs “E400” PowGoop Variant Reveals Dozens of Control Servers Dating Back to 2020". Overview: In 2022...
#ParsedReport
06-06-2022
From the Front Lines | Another Rebrand? Mindware and SFile Ransomware Technical Breakdown
https://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown
Actors/Campaigns:
Mindware (tags: malware, ransomware, rat)
Blackmatter
Threats:
Sfile (tags: malware, ransomware, rat)
Blister_loader (tags: ransomware)
Industry:
Financial, Healthcare, Retail
TTPs:
Tactics: 2
Technics: 8
IOCs:
File: 25
Hash: 18
Url: 1
Functions Names: 2
SentinelOne
From the Front Lines | Another Rebrand? Mindware and SFile Ransomware Technical Breakdown
Mindware ransomware has quietly been hitting organizations in the Engineering, Finance, Healthcare and Manufacturing industries. Here's how we stop it.
#ParsedReport
06-06-2022
Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration
https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration
Threats:
Plink
Industry:
Financial, Healthcare
CVEs:
CVE-2021-44077 [Vulners]
Vulners: Score: 7.5, CVSS: 4.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zohocorp manageengine servicedesk plus (11.1, 11.1, 11.1, 11.1, 11.1, 11.1, 11.1, 11.1, 11.2, 11.2, 11.2, 11.2, 11.2, 11.2, 11.2, 11.2, 11.2, 11.2, 11.2, 11.2, 11.3, 11.3, 11.3, 11.3, 11.3, 11.3)
- zohocorp manageengine servicedesk plus msp (10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, 10.5, le10.5)
- zohocorp manageengine supportcenter plus (11.0, 11.0, 11.0, 11.0, 11.0, 11.0, 11.0, 11.0, 11.0, 11.0, 11.0, 11.0, 11.0, 11.0, le11.0)
TTPs:
Tactics: 11
Technics: 12
IOCs:
IP: 13
Path: 8
File: 9
Registry: 2
Url: 1
Hash: 5
YARA: Found
SIGMA: Found
Links:
https://github.com/horizon3ai/CVE-2021-44077
The DFIR Report
Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration
In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files o…
#ParsedReport
06-06-2022
Atlassian Vulnerability CVE-2022-26134
https://cyberint.com/blog/research/cve-2022-26134
Threats:
Cobalt_strike
Behinder
Chinachopper
Meterpreter_tool
Geo:
China
CVEs:
CVE-2018-11776 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- apache struts (le2.5.16, le2.3.34)
CVE-2021-26084 [Vulners]
Vulners: Score: 7.5, CVSS: 7.3,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- atlassian confluence (<6.13.23, <7.4.11, <7.11.6)
- atlassian confluence server (<7.12.5)
- atlassian data center (<6.13.23, <7.4.11)
- atlassian jira data center (<7.11.6, <7.12.5)
CVE-2022-26134 [Vulners]
Vulners: Score: Unknown, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 2
IP: 15
YARA: Found
Links:
https://github.com/Freakboy/Behinder
Cyberint
Atlassian Vulnerability CVE-2022-26134
Atlassian released a security advisory on a zero-day vulnerability in all versions of the Confluence Server and Data Center that is already being exploited.
#ParsedReport
07-06-2022
Shining the Light on Black Basta. Summary
https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta
Threats:
Blackbasta (tags: ransomware)
Qakbot
Cobalt_strike
Beacon
Psexec_tool
TTPs:
Tactics: 5
Technics: 0
IOCs:
File: 11
Registry: 2
Path: 6
IP: 1
Hash: 2
Nccgroup
Cyber Security Research
Cutting-edge cyber security research from NCC Group. Find public reports, technical advisories, analyses, & other novel insights from our global experts.
#ParsedReport
07-06-2022
Android Malware Distributed Via Smishing. Banking Trojan Targets Spanish BBVA Bank Customers
https://blog.cyble.com/2022/06/06/android-malware-distributed-via-smishing
Industry:
Financial
Geo:
Spanish, Spain
TTPs:
Tactics: 4
Technics: 1
IOCs:
File: 3
Url: 5
Hash: 2
Cyble
Android Malware Distributed Via Smishing
Cyble analyzes a variant of Android malware targeting Spanish BBVA customers through a banking Trojan delivered via Smishing.
#ParsedReport
07-06-2022
AppleSeed Disguised as Wi-Fi Router Firmware Installer Being Distributed
https://asec.ahnlab.com/en/34978
Actors/Campaigns:
Kimsuky
Threats:
Appleseed (tags: malware, dropper, rat, backdoor)
Meterpreter_tool
Filecoder
Tightvnc_tool
Metasploit_tool
Blister_loader
IOCs:
File: 5
Path: 4
Hash: 5
Url: 3
Functions Names: 1
ASEC BLOG
AppleSeed Disguised as Wi-Fi Router Firmware Installer Being Distributed - ASEC BLOG
On May 26th, the ASEC analysis team discovered the distribution of AppleSeed disguised as a Wi-Fi router firmware installer. Previously discovered AppleSeed strains were mainly distributed by disguising themselves as normal document or image files. The dropper…
#ParsedReport
07-06-2022
Caution! Microsoft Office Zero-day Vulnerability Follina (CVE-2022-30190)
https://asec.ahnlab.com/en/34998
Threats:
Follina_vuln (tags: malware)
CVEs:
CVE-2022-30190 [Vulners]
Vulners: Score: 9.3, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 1809, 21h1, 21h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
- microsoft windows server 2008 (-, r2)
have more...
IOCs:
File: 3
Registry: 2
Url: 1
Hash: 2
Functions Names: 1
ASEC BLOG
Caution! Microsoft Office Zero-day Vulnerability Follina (CVE-2022-30190) - ASEC BLOG
A new vulnerability named Follina (CVE-2022-30190) has been revealed. According to Microsoft, it is a remote code execution vulnerability that occurs when the URL protocol is used to call MSDT in calling applications such as Microsoft Word. With the privileges…
#ParsedReport
07-06-2022
Bozon Ransomware
https://labs.k7computing.com/index.php/bozon-ransomware
Threats:
Simay_rat
IOCs:
File: 10
Registry: 1
Hash: 2
K7 Labs
Bozon Ransomware - K7 Labs
In one of the enterprise incidents, we came across an interesting ransomware issue. Unfortunately we could not recover the sample […]