#ParsedReport
27-09-2022
Metador is behind the series of intrusions on telcos, ISPs & Unis
https://www.secureblink.com/cyber-security-news/metador-is-behind-the-series-of-intrusions-on-telcos-is-ps-and-unis
Actors/Campaigns:
Metador (motivation: cyber_espionage)
Threats:
Bespoke
Lolbin
Metamain
Mafalda
Cryshell
Industry:
Telco, Government, Education
Geo:
Chinese, Africa, Spanish, Iranian
Softs:
windows security
27-09-2022
Metador is behind the series of intrusions on telcos, ISPs & Unis
https://www.secureblink.com/cyber-security-news/metador-is-behind-the-series-of-intrusions-on-telcos-is-ps-and-unis
Actors/Campaigns:
Metador (motivation: cyber_espionage)
Threats:
Bespoke
Lolbin
Metamain
Mafalda
Cryshell
Industry:
Telco, Government, Education
Geo:
Chinese, Africa, Spanish, Iranian
Softs:
windows security
Secureblink
Metador is behind the series of intrusions on telcos, ISPs & Unis
researchers just recently discovered its operations while examining a series of intrusions at one organization
#ParsedReport
27-09-2022
Watch Out for the New NFT-001
https://blog.morphisec.com/nft-malware-new-evasion-abilities
Actors/Campaigns:
Nft_001 (motivation: cyber_criminal, cyber_espionage)
Threats:
Babadeda
Remcos_rat
Sbit_rat
Dll_sideloading_technique
Asyncrat_rat
Uac_bypass_technique
Eternity_stealer
Arkei_stealer
Industry:
Financial
IOCs:
IP: 13
File: 3
Path: 1
Url: 2
Hash: 16
Domain: 13
Softs:
discord, windows defender
Links:
27-09-2022
Watch Out for the New NFT-001
https://blog.morphisec.com/nft-malware-new-evasion-abilities
Actors/Campaigns:
Nft_001 (motivation: cyber_criminal, cyber_espionage)
Threats:
Babadeda
Remcos_rat
Sbit_rat
Dll_sideloading_technique
Asyncrat_rat
Uac_bypass_technique
Eternity_stealer
Arkei_stealer
Industry:
Financial
IOCs:
IP: 13
File: 3
Path: 1
Url: 2
Hash: 16
Domain: 13
Softs:
discord, windows defender
Links:
https://github.com/AzAgarampur/byeintegrity-liteMorphisec
NFT Malware Gets New Evasion Abilities
The NFT malware NFT-001 has upgraded to a new staged downloader, making it more evasive and dangerous.
#ParsedReport
27-09-2022
LockBit 3.0. Lockbit 3.0 ransomware distributed through word documents
https://asec.ahnlab.com/ko/39196
Threats:
Lockbit
Malware/mdp.download.m1197
Ransom/mdp.decoy.m1171
IOCs:
File: 11
Path: 2
Hash: 6
Url: 2
Softs:
curl
27-09-2022
LockBit 3.0. Lockbit 3.0 ransomware distributed through word documents
https://asec.ahnlab.com/ko/39196
Threats:
Lockbit
Malware/mdp.download.m1197
Ransom/mdp.decoy.m1171
IOCs:
File: 11
Path: 2
Hash: 6
Url: 2
Softs:
curl
ASEC
워드 문서를 통해 유포되는 LockBit 3.0 랜섬웨어 - ASEC
ASEC 분석팀은 9/23 공유한 <입사지원 위장 메일로 유포 중인 NSIS형태의 LockBit 3.0 랜섬웨어>가 워드 문서 형태로도 유포되는 것을 확인하였다. 정확한 유포 경로는 확인되지 않았으나, 유포 파일명으로 ‘임규민.docx’, ‘전채린.docx’ 등 사람 이름을 사용하는 것으로 보아 전과 유사하게 입사지원서를 위장하여 유포되었을 것으로 추정된다. 확인된 워드 문서 내부 word_relssettings.xml.rels 파일에 External…
#ParsedReport
27-09-2022
Exmatter Tool Provides a New Strategy for Extortion
https://socradar.io/exmatter-tool-provides-a-new-strategy-for-extortion
Actors/Campaigns:
Blackmatter
Threats:
Exmatter_tool
27-09-2022
Exmatter Tool Provides a New Strategy for Extortion
https://socradar.io/exmatter-tool-provides-a-new-strategy-for-extortion
Actors/Campaigns:
Blackmatter
Threats:
Exmatter_tool
SOCRadar® Cyber Intelligence Inc.
Exmatter Tool Provides a New Strategy for Extortion - SOCRadar® Cyber Intelligence Inc.
Data exfiltration malware Exmatter, previously associated with the BlackMatter ransomware gang, now has data corruption capabilities. This could signify a new
#ParsedReport
27-09-2022
More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID
https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload
Actors/Campaigns:
Axiom
Oilrig
Europium
Threats:
Icedid
Terra_stealer
Agent_tesla
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
Hash: 4
Domain: 1
Algorithms:
zip, 7zip , exhibit
Functions:
Mshta
Languages:
javascript
27-09-2022
More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID
https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload
Actors/Campaigns:
Axiom
Oilrig
Europium
Threats:
Icedid
Terra_stealer
Agent_tesla
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
Hash: 4
Domain: 1
Algorithms:
zip, 7zip , exhibit
Functions:
Mshta
Languages:
javascript
Unit 42
More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID
Polyglot files, such as the malicious CHM file analyzed here, can be abused to hide from anti-malware systems that rely on file format identification.
#ParsedReport
28-09-2022
LockBit 3.0 Ransomware Distributed via Word Documents
https://asec.ahnlab.com/en/39242
Threats:
Lockbit
Malware/mdp.download.m1197
Ransom/mdp.decoy.m1171
IOCs:
File: 9
Url: 2
Path: 4
Hash: 6
Softs:
curl
28-09-2022
LockBit 3.0 Ransomware Distributed via Word Documents
https://asec.ahnlab.com/en/39242
Threats:
Lockbit
Malware/mdp.download.m1197
Ransom/mdp.decoy.m1171
IOCs:
File: 9
Url: 2
Path: 4
Hash: 6
Softs:
curl
ASEC
LockBit 3.0 Ransomware Distributed via Word Documents - ASEC
LockBit 3.0 Ransomware Distributed via Word Documents ASEC
#ParsedReport
28-09-2022
ASEC Weekly Malware Statistics (September 12th, 2022 September 18th, 2022)
https://asec.ahnlab.com/en/39332
Threats:
Agent_tesla
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique
Industry:
Financial
Geo:
Korea
IOCs:
Domain: 7
IP: 2
Email: 4
File: 17
Url: 8
Softs:
discord, nsis installer
Languages:
visual_basic, php
28-09-2022
ASEC Weekly Malware Statistics (September 12th, 2022 September 18th, 2022)
https://asec.ahnlab.com/en/39332
Threats:
Agent_tesla
Cloudeye
Formbook
Remcos_rat
Nanocore_rat
Lokibot_stealer
Smokeloader
Clipboard_grabbing_technique
Industry:
Financial
Geo:
Korea
IOCs:
Domain: 7
IP: 2
Email: 4
File: 17
Url: 8
Softs:
discord, nsis installer
Languages:
visual_basic, php
ASEC
ASEC Weekly Malware Statistics (September 12th, 2022 – September 18th, 2022) - ASEC
ASEC Weekly Malware Statistics (September 12th, 2022 – September 18th, 2022) ASEC
#ParsedReport
28-09-2022
ASEC Weekly Malware Statistics (September 19th, 2022 September 25th, 2022)
https://asec.ahnlab.com/en/39370
Threats:
Agent_tesla
Vidar_stealer
Snake_keylogger
Smokeloader
Lockbit
Dharma
Industry:
Financial
Geo:
Korea, Korean
IOCs:
Domain: 10
IP: 4
Email: 8
File: 17
Url: 9
Softs:
discord
28-09-2022
ASEC Weekly Malware Statistics (September 19th, 2022 September 25th, 2022)
https://asec.ahnlab.com/en/39370
Threats:
Agent_tesla
Vidar_stealer
Snake_keylogger
Smokeloader
Lockbit
Dharma
Industry:
Financial
Geo:
Korea, Korean
IOCs:
Domain: 10
IP: 4
Email: 8
File: 17
Url: 9
Softs:
discord
ASEC BLOG
ASEC Weekly Malware Statistics (September 19th, 2022 - September 25th, 2022) - ASEC BLOG
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 19th, 2022 (Monday) to September 25th, 2022 (Sunday). For the main category…
#ParsedReport
28-09-2022
Prilex: the pricey prickle credit card complex
https://securelist.com/prilex-atm-pos-malware-evolution/107551
Threats:
Prilex
Spsniffer
Anydesk_tool
Golden_ticket_technique
Code_cave_technique
Industry:
Financial
Geo:
Brazil, German, Brazilian, Russian
Softs:
telegram
Algorithms:
des
Functions:
GetZip, SetStartup, GetStartup, GetModules, GetConfig, GetKey, SetConfig
Win API:
CloseHandle
Languages:
java, visual_basic, php
28-09-2022
Prilex: the pricey prickle credit card complex
https://securelist.com/prilex-atm-pos-malware-evolution/107551
Threats:
Prilex
Spsniffer
Anydesk_tool
Golden_ticket_technique
Code_cave_technique
Industry:
Financial
Geo:
Brazil, German, Brazilian, Russian
Softs:
telegram
Algorithms:
des
Functions:
GetZip, SetStartup, GetStartup, GetModules, GetConfig, GetKey, SetConfig
Win API:
CloseHandle
Languages:
java, visual_basic, php
#ParsedReport
28-09-2022
Threat Actors Impersonate GitHub, Zoom, and Cloudflare to Steal User Information
https://socradar.io/threat-actors-impersonate-github-zoom-and-cloudflare-to-steal-user-information
Actors/Campaigns:
Fin11 (motivation: financially_motivated)
Threats:
Asyncrat_rat
Vidar_stealer
Clop
Raccoon_stealer
Amadey
Geo:
Russia, Russian
IOCs:
File: 5
Path: 1
Url: 13
IP: 17
Domain: 14
Hash: 4
Softs:
zoom, chrome
Algorithms:
base64, zip
Languages:
javascript
28-09-2022
Threat Actors Impersonate GitHub, Zoom, and Cloudflare to Steal User Information
https://socradar.io/threat-actors-impersonate-github-zoom-and-cloudflare-to-steal-user-information
Actors/Campaigns:
Fin11 (motivation: financially_motivated)
Threats:
Asyncrat_rat
Vidar_stealer
Clop
Raccoon_stealer
Amadey
Geo:
Russia, Russian
IOCs:
File: 5
Path: 1
Url: 13
IP: 17
Domain: 14
Hash: 4
Softs:
zoom, chrome
Algorithms:
base64, zip
Languages:
javascript
SOCRadar® Cyber Intelligence Inc.
Threat Actors Impersonate GitHub, Zoom, and Cloudflare to Steal User Information
During the last two months, threat actors impersonating well-known names such as CloudFlare, GitHub, and Zoom.
#ParsedReport
28-09-2022
Chaos is a Go-based Swiss army knife of malware
https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/?utm_source=rss&utm_medium=rss&utm_campaign=chaos-is-a-go-based-swiss-army-knife-of-malware
Threats:
Chaos
Kaiji
Emotet
Beacon
Xmrig_miner
Ddostf
Industry:
Entertainment, Financial
Geo:
Emea, China, Australia, America, Asia, Chinese, Apac, Pacific
CVEs:
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)
CVE-2022-30525 [Vulners]
Vulners: Score: 10.0, CVSS: 2.9,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zyxel usg flex 100w firmware (<5.30)
- zyxel usg flex 200 firmware (<5.30)
- zyxel usg flex 500 firmware (le5.30)
- zyxel usg flex 700 firmware (<5.30)
- zyxel vpn100 firmware (<5.30)
have more...
IOCs:
Registry: 1
File: 5
Coin: 1
Hash: 7
Domain: 17
Algorithms:
exhibit, aes
Platforms:
arm, x86, intel, mips, amd64
Languages:
golang
Links:
28-09-2022
Chaos is a Go-based Swiss army knife of malware
https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/?utm_source=rss&utm_medium=rss&utm_campaign=chaos-is-a-go-based-swiss-army-knife-of-malware
Threats:
Chaos
Kaiji
Emotet
Beacon
Xmrig_miner
Ddostf
Industry:
Entertainment, Financial
Geo:
Emea, China, Australia, America, Asia, Chinese, Apac, Pacific
CVEs:
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.1,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)
CVE-2022-30525 [Vulners]
Vulners: Score: 10.0, CVSS: 2.9,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- zyxel usg flex 100w firmware (<5.30)
- zyxel usg flex 200 firmware (<5.30)
- zyxel usg flex 500 firmware (le5.30)
- zyxel usg flex 700 firmware (<5.30)
- zyxel vpn100 firmware (<5.30)
have more...
IOCs:
Registry: 1
File: 5
Coin: 1
Hash: 7
Domain: 17
Algorithms:
exhibit, aes
Platforms:
arm, x86, intel, mips, amd64
Languages:
golang
Links:
https://gist.github.com/paul91/60371b437658093e826e
https://github.com/blacklotuslabs/IOCs/blob/main/Chaos\_IoCs.txt
https://github.com/xmrig/xmrigLumen
Blog & News Updates | Lumen Technologies
The Lumen blog and newsroom is your source for business technology news and insights, customer stories, press and media, and trending articles.
#ParsedReport
29-09-2022
SmokeLoader Delivers the New Erbium Stealer
https://cyberint.com/blog/research/smokeloader-delivers-the-new-erbium-stealer
Threats:
Erbium_stealer
Smokeloader
Redline_stealer
Gimmick
Arkei_stealer
Dcrat_rat
Raccoon_stealer
Formbook
Industry:
Financial, Entertainment
Geo:
Russian
IOCs:
File: 3
Hash: 10
Softs:
telegram, discord
Languages:
php
29-09-2022
SmokeLoader Delivers the New Erbium Stealer
https://cyberint.com/blog/research/smokeloader-delivers-the-new-erbium-stealer
Threats:
Erbium_stealer
Smokeloader
Redline_stealer
Gimmick
Arkei_stealer
Dcrat_rat
Raccoon_stealer
Formbook
Industry:
Financial, Entertainment
Geo:
Russian
IOCs:
File: 3
Hash: 10
Softs:
telegram, discord
Languages:
php
Cyberint
SmokeLoader Delivers the New Erbium Stealer
Over the past few months, a new info stealer has emerged developed by an underground Russian-based group that has been operating since July
#ParsedReport
29-09-2022
Erbium stealer on the hunt for data
https://www.malwarebytes.com/blog/news/2022/09/increasingly-popular-erbium-stealer-on-the-hunt-for-data
Threats:
Erbium_stealer
Chaos
Industry:
E-commerce
Softs:
chrome, clover wallet, keychain, zilpay
29-09-2022
Erbium stealer on the hunt for data
https://www.malwarebytes.com/blog/news/2022/09/increasingly-popular-erbium-stealer-on-the-hunt-for-data
Threats:
Erbium_stealer
Chaos
Industry:
E-commerce
Softs:
chrome, clover wallet, keychain, zilpay
Malwarebytes
Erbium stealer on the hunt for data
We take a look at reports of new data theft malware relying on sold old tricks
#ParsedReport
29-09-2022
ZINC weaponizing open-source software
https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software
Actors/Campaigns:
Lazarus (motivation: cyber_espionage, information_theft, financially_motivated, politically_motivated)
Ice_fog
Threats:
Zetanile
Putty_tool
Tightvnc_tool
Foggybrass
Phantomstar
Artemis
Airdry
Themida_tool
Vmprotect_tool
Eventhorizon
Industry:
Entertainment, Aerospace
Geo:
India, Korea, Russia
IOCs:
File: 13
IP: 3
Path: 10
Domain: 2
Hash: 9
Softs:
sumatra pdf, microsoft defender, microsoft defender for endpoint, microsoft 365 defender, task scheduler
Algorithms:
zip, aes
Languages:
php
Platforms:
x64
Links:
29-09-2022
ZINC weaponizing open-source software
https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software
Actors/Campaigns:
Lazarus (motivation: cyber_espionage, information_theft, financially_motivated, politically_motivated)
Ice_fog
Threats:
Zetanile
Putty_tool
Tightvnc_tool
Foggybrass
Phantomstar
Artemis
Airdry
Themida_tool
Vmprotect_tool
Eventhorizon
Industry:
Entertainment, Aerospace
Geo:
India, Korea, Russia
IOCs:
File: 13
IP: 3
Path: 10
Domain: 2
Hash: 9
Softs:
sumatra pdf, microsoft defender, microsoft defender for endpoint, microsoft 365 defender, task scheduler
Algorithms:
zip, aes
Languages:
php
Platforms:
x64
Links:
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOctober2022\_IP\_Domain\_Hash\_IOC.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOctober2022\_AVHits\_IOC.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ZincOctober2022\_Filename\_Commandline\_IOC.yamlMicrosoft News
ZINC weaponizing open-source software
In recent months, Microsoft detected weaponization of legitimate open-source software by an actor the Microsoft Threat Intelligence Center (MSTIC) tracks as ZINC, targeting employees at media, defense and aerospace, and IT service provider organizations in…
#ParsedReport
29-09-2022
New campaign uses government, union-themed lures to deliver Cobalt Strike beacons
http://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html
Threats:
Cobalt_strike
Beacon
Process_injection_technique
Redline_stealer
Amadey
Industry:
Government
Geo:
Netherlands
CVEs:
CVE-2017-0199 [Vulners]
Vulners: Score: 9.3, CVSS: 7.8,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...
TTPs:
Tactics: 1
Technics: 0
IOCs:
Url: 6
File: 3
IP: 3
Hash: 12
Softs:
microsoft word, microsoft office, visual basic for applications, ubuntu
Algorithms:
aes
Languages:
visual_basic
Platforms:
x86, x64
29-09-2022
New campaign uses government, union-themed lures to deliver Cobalt Strike beacons
http://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html
Threats:
Cobalt_strike
Beacon
Process_injection_technique
Redline_stealer
Amadey
Industry:
Government
Geo:
Netherlands
CVEs:
CVE-2017-0199 [Vulners]
Vulners: Score: 9.3, CVSS: 7.8,
Vulners: Exploitation: True
X-Force: Risk: 9.3
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...
TTPs:
Tactics: 1
Technics: 0
IOCs:
Url: 6
File: 3
IP: 3
Hash: 12
Softs:
microsoft word, microsoft office, visual basic for applications, ubuntu
Algorithms:
aes
Languages:
visual_basic
Platforms:
x86, x64
Talosintelligence
New campaign uses government, union-themed lures to deliver Cobalt Strike beacons
A blog from the world class Intelligence Group, Talos, Cisco's Intelligence Group
#ParsedReport
29-09-2022
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage
Actors/Campaigns:
Ta410 (motivation: cyber_espionage)
Stone_panda (motivation: cyber_espionage)
Threats:
Proxyshell_vuln
Proxylogon_exploit
Lookback
Minidump_tool
Mimikatz
Winrm_tool
Chinachopper
Plugx_rat
Plink
Secretsdump_tool
Fscan_tool
Industry:
Government
Geo:
China, Africa, African
CVEs:
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
File: 15
Path: 4
Registry: 1
IP: 4
Hash: 49
Domain: 1
Softs:
local security authority
Algorithms:
xor, zip
Win API:
MiniDumpWriteDump
Platforms:
x86
29-09-2022
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage
Actors/Campaigns:
Ta410 (motivation: cyber_espionage)
Stone_panda (motivation: cyber_espionage)
Threats:
Proxyshell_vuln
Proxylogon_exploit
Lookback
Minidump_tool
Mimikatz
Winrm_tool
Chinachopper
Plugx_rat
Plink
Secretsdump_tool
Fscan_tool
Industry:
Government
Geo:
China, Africa, African
CVEs:
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
File: 15
Path: 4
Registry: 1
IP: 4
Hash: 49
Domain: 1
Softs:
local security authority
Algorithms:
xor, zip
Win API:
MiniDumpWriteDump
Platforms:
x86
Security
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
Espionage group begins using new backdoor that leverages rarely seen steganography technique.
#ParsedReport
29-09-2022
APT28 attack uses old PowerPoint trick to download malware
https://www.malwarebytes.com/blog/news/2022/09/powerpoint-mouseover-triggers-powershell-script-for-malware-delivery
Actors/Campaigns:
Fancy_bear
Threats:
Mouseover_technique
Graphite
Industry:
Government
Geo:
Russian
IOCs:
File: 5
Path: 1
Softs:
microsoft onedrive
29-09-2022
APT28 attack uses old PowerPoint trick to download malware
https://www.malwarebytes.com/blog/news/2022/09/powerpoint-mouseover-triggers-powershell-script-for-malware-delivery
Actors/Campaigns:
Fancy_bear
Threats:
Mouseover_technique
Graphite
Industry:
Government
Geo:
Russian
IOCs:
File: 5
Path: 1
Softs:
microsoft onedrive
Malwarebytes
APT28 attack uses old PowerPoint trick to download malware
The Russian APT known as Fancy Bear was caught using an old mouseover technique that doesn't need macros
#ParsedReport
29-09-2022
(Magniber) (*.js -> *.wsf) 09/28. Magniber Ransomware Change ( *.js-> *.wsf) -09/28
https://asec.ahnlab.com/ko/39376
Threats:
Magniber
Typosquatting_technique
IOCs:
File: 4
Hash: 2
Softs:
chrome
29-09-2022
(Magniber) (*.js -> *.wsf) 09/28. Magniber Ransomware Change ( *.js-> *.wsf) -09/28
https://asec.ahnlab.com/ko/39376
Threats:
Magniber
Typosquatting_technique
IOCs:
File: 4
Hash: 2
Softs:
chrome
ASEC BLOG
매그니베르(Magniber) 랜섬웨어 변경 (*.js -> *.wsf) - 09/28 - ASEC BLOG
ASEC 분석팀은 지난 9월 8일 매그니베르 랜섬웨어가 CPL 확장자 에서 JSE 확장자로 변경됨을 블로그를 통해 소개한 바 있다. 공격자는 9월 8일 이후에도 지난 9월 16일에는 JSE 확장자에서 JS 확장자로 변경하였다. 그리고 금일 공격자는 JS 확장자에서 WSF 확장자로 유포 방식을 변경하였다. 공격자는 V3와 같은 백신 제품의 다양한 탐지 방식을 회피하기 위해 지속적으로 변형을 유포하고 있는 것으로 보인다. 금일 변경된 WSF 유포 방식은 [그림…
#ParsedReport
29-09-2022
Fabricated Bank website distributes Android Spyware
https://blog.cyble.com/2022/09/29/fabricated-bank-website-distributes-android-spyware
Threats:
Spymax
Industry:
Financial
Geo:
Singapore, India, Georgia, Dubai, Australia
TTPs:
Tactics: 4
Technics: 9
IOCs:
File: 1
Domain: 1
Url: 4
Hash: 1
Softs:
android, tronlink
29-09-2022
Fabricated Bank website distributes Android Spyware
https://blog.cyble.com/2022/09/29/fabricated-bank-website-distributes-android-spyware
Threats:
Spymax
Industry:
Financial
Geo:
Singapore, India, Georgia, Dubai, Australia
TTPs:
Tactics: 4
Technics: 9
IOCs:
File: 1
Domain: 1
Url: 4
Hash: 1
Softs:
android, tronlink
Cyble
Fabricated Bank website distributes Android Spyware
Cyble Research and Intelligence Labs analyzes Spymax Android spyware being distributed via a Fabricated bank Site.
Apollo OTP Bot Exploiting Google Voice for MFA Bypass
https://cloudsek.com/threatintelligence/apollo-otp-bot-exploiting-google-voice-for-mfa-bypass/?utm_source=rss&utm_medium=rss&utm_campaign=apollo-otp-bot-exploiting-google-voice-for-mfa-bypass
https://cloudsek.com/threatintelligence/apollo-otp-bot-exploiting-google-voice-for-mfa-bypass/?utm_source=rss&utm_medium=rss&utm_campaign=apollo-otp-bot-exploiting-google-voice-for-mfa-bypass
Cloudsek
Apollo OTP Bot Exploiting Google Voice for MFA Bypass | Threat Intelligence | CloudSEK
Category: Malware Intelligence Type/Family: Botnet Industry: Finance & Banking Region: Global Source*: C3 Executive Summary THREAT IMPACT MITIGATION Apollo OTP bot advertised on the cybercrime forum. Discord-based bot capable of making spoofed calls using…
#technique
fastjson1.2.80 payload collection
https://mp-weixin-qq-com.translate.goog/s/SwkJVTW3SddgA6uy_e59qg?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
fastjson1.2.80 payload collection
https://mp-weixin-qq-com.translate.goog/s/SwkJVTW3SddgA6uy_e59qg?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp