#ParsedReport
30-09-2022
Brazilian Banking Trojan Resurfaces
https://labs.k7computing.com/index.php/brazilian-banking-trojan-resurfaces
Threats:
Klbanker
Janeleiro
Amavaldo
Html_smuggling_technique
Dll_sideloading_technique
Industry:
Financial
Geo:
America, Brazilian, Brasil
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 8
Url: 3
IP: 1
Hash: 2
Softs:
chrome
Algorithms:
base64, aes, rc4, zip
Languages:
javascript, jscript
30-09-2022
Brazilian Banking Trojan Resurfaces
https://labs.k7computing.com/index.php/brazilian-banking-trojan-resurfaces
Threats:
Klbanker
Janeleiro
Amavaldo
Html_smuggling_technique
Dll_sideloading_technique
Industry:
Financial
Geo:
America, Brazilian, Brasil
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 8
Url: 3
IP: 1
Hash: 2
Softs:
chrome
Algorithms:
base64, aes, rc4, zip
Languages:
javascript, jscript
K7 Labs
Brazilian Banking Trojan Resurfaces
Recently we came across a tweet shared by StopMalvertisin, which was part of an ongoing cyberattack on the banking customers […]
#ParsedReport
30-09-2022
Threat Actors Exploit Unpatched Microsoft Exchange Zero-Days
https://socradar.io/threat-actors-exploit-unpatched-microsoft-exchange-zero-days
Actors/Campaigns:
Hafnium
Threats:
Chinachopper
Proxyshell_vuln
Geo:
Chinese, China
TTPs:
Tactics: 1
Technics: 14
IOCs:
File: 6
Hash: 10
IP: 18
Url: 1
Softs:
microsoft exchange
30-09-2022
Threat Actors Exploit Unpatched Microsoft Exchange Zero-Days
https://socradar.io/threat-actors-exploit-unpatched-microsoft-exchange-zero-days
Actors/Campaigns:
Hafnium
Threats:
Chinachopper
Proxyshell_vuln
Geo:
Chinese, China
TTPs:
Tactics: 1
Technics: 14
IOCs:
File: 6
Hash: 10
IP: 18
Url: 1
Softs:
microsoft exchange
SOCRadar® Cyber Intelligence Inc.
Threat Actors Exploit Unpatched Microsoft Exchange Zero-Days (ProxyNotShell) - SOCRadar® Cyber Intelligence Inc.
Security experts caution about actively exploited zero-day vulnerabilities in Microsoft Exchange servers. The flaws could allow remote code execution in fully
#ParsedReport
30-09-2022
Excel Macro Qakbot, ISO. Distributed to QAKBOT, ISO files distributed in Excel Macro
https://asec.ahnlab.com/ko/39329
Threats:
Qakbot
Asyncrat_rat
Icedid
Bumblebee
Malware/win.generic.c5240833
Industry:
Financial
IOCs:
File: 4
Path: 1
IP: 17
Hash: 5
Softs:
windows defender
30-09-2022
Excel Macro Qakbot, ISO. Distributed to QAKBOT, ISO files distributed in Excel Macro
https://asec.ahnlab.com/ko/39329
Threats:
Qakbot
Asyncrat_rat
Icedid
Bumblebee
Malware/win.generic.c5240833
Industry:
Financial
IOCs:
File: 4
Path: 1
IP: 17
Hash: 5
Softs:
windows defender
ASEC
Excel Macro 로 유포되던 Qakbot, ISO 파일로 유포 중 - ASEC
Excel Macro 로 유포되던 Qakbot, ISO 파일로 유포 중 ASEC
#ParsedReport
30-09-2022
A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion. Summary
https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion
Threats:
Shadowpad
Timestomp_technique
Credential_harvesting_technique
Powerview
Sessiongopher_tool
Process_injection_technique
Process_hollowing_technique
Powersploit
Winrm_tool
Poison_ivy
Adfind_tool
Nbtscan_tool
Mimikatz
Geo:
Chinese, China
CVEs:
CVE-2022-29464 [Vulners]
Vulners: Score: 10.0, CVSS: 5.2,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- wso2 identity server analytics (5.5.0, 5.4.1, 5.6.0, 5.4.0)
- wso2 api manager (le4.0.0)
- wso2 identity server (le5.11.0)
- wso2 enterprise integrator (le6.6.0)
- wso2 identity server as key manager (le5.10.0)
have more...
TTPs:
Tactics: 12
Technics: 40
IOCs:
Hash: 13
IP: 1
File: 9
Path: 34
Softs:
windows service, local security authority, active directory, component object model
Algorithms:
aes-cbc, aes, 7zip , xor
Languages:
python
30-09-2022
A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion. Summary
https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion
Threats:
Shadowpad
Timestomp_technique
Credential_harvesting_technique
Powerview
Sessiongopher_tool
Process_injection_technique
Process_hollowing_technique
Powersploit
Winrm_tool
Poison_ivy
Adfind_tool
Nbtscan_tool
Mimikatz
Geo:
Chinese, China
CVEs:
CVE-2022-29464 [Vulners]
Vulners: Score: 10.0, CVSS: 5.2,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- wso2 identity server analytics (5.5.0, 5.4.1, 5.6.0, 5.4.0)
- wso2 api manager (le4.0.0)
- wso2 identity server (le5.11.0)
- wso2 enterprise integrator (le6.6.0)
- wso2 identity server as key manager (le5.10.0)
have more...
TTPs:
Tactics: 12
Technics: 40
IOCs:
Hash: 13
IP: 1
File: 9
Path: 34
Softs:
windows service, local security authority, active directory, component object model
Algorithms:
aes-cbc, aes, 7zip , xor
Languages:
python
Nccgroup
Cyber Security Research
Cutting-edge cyber security research from NCC Group. Find public reports, technical advisories, analyses, & other novel insights from our global experts.
#ParsedReport
30-09-2022
Ransomware Roundup: Bisamware and Chile Locker
https://www.fortinet.com/blog/threat-research/ransomware-roundup-bisamware-and-chile-locker
Threats:
Bisamware
Follina_vuln
W32/agent.bnq!tr.ransom
W64/agent.bnq!tr.ransom
Industry:
Government, Financial
Geo:
Uruguay, Netherland, Italy, Malaysia, Chile, Spain, Romania, Canada, China, Poland, Russia, Mexico
CVEs:
CVE-2022-30190 [Vulners]
Vulners: Score: 9.3, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 1809, 20h2, 21h1, 21h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
- microsoft windows server 2008 (-, r2)
have more...
IOCs:
File: 1
Hash: 11
Softs:
microsoft word
30-09-2022
Ransomware Roundup: Bisamware and Chile Locker
https://www.fortinet.com/blog/threat-research/ransomware-roundup-bisamware-and-chile-locker
Threats:
Bisamware
Follina_vuln
W32/agent.bnq!tr.ransom
W64/agent.bnq!tr.ransom
Industry:
Government, Financial
Geo:
Uruguay, Netherland, Italy, Malaysia, Chile, Spain, Romania, Canada, China, Poland, Russia, Mexico
CVEs:
CVE-2022-30190 [Vulners]
Vulners: Score: 9.3, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 1809, 20h2, 21h1, 21h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
- microsoft windows server 2008 (-, r2)
have more...
IOCs:
File: 1
Hash: 11
Softs:
microsoft word
Fortinet Blog
Ransomware Roundup - Bisamware and Chile Locker
The latest FortiGuard Labs Threat Signal Ransomware Roundup covers Bisamware and Chile Locker ransomware, along with protection recommendations. Read more. …
#ParsedReport
30-09-2022
Dismantling a Prolific Cybercriminal Empire: REvil Arrests and Reemergence
https://www.trellix.com/en-us/about/newsroom/stories/research/dismantling-a-prolific-cybercriminal-empire.html
Threats:
Empire_loader
Revil
Gandcrab
Conti
Cobalt_strike
Adfind_tool
Mimikatz
Agent_tesla
Industry:
Government, Entertainment, Foodtech, Financial
Geo:
Ukrainian, Russia, Russian
30-09-2022
Dismantling a Prolific Cybercriminal Empire: REvil Arrests and Reemergence
https://www.trellix.com/en-us/about/newsroom/stories/research/dismantling-a-prolific-cybercriminal-empire.html
Threats:
Empire_loader
Revil
Gandcrab
Conti
Cobalt_strike
Adfind_tool
Mimikatz
Agent_tesla
Industry:
Government, Entertainment, Foodtech, Financial
Geo:
Ukrainian, Russia, Russian
Trellix
Dismantling a Prolific Cybercriminal Empire: REvil Arrests and Reemergence
In this blog, we will take you all the way from the steps REvil took to build their cybercriminal enterprise through the missteps that eventually led to their downfall.
#tool
IcedID Decryptor
A script to statically decrypt license.dat files associated with IcedID infections.
The script will also decrypt the .data section from unpacked IcedID samples.
https://github.com/matthewB-huntress/IcedID
IcedID Decryptor
A script to statically decrypt license.dat files associated with IcedID infections.
The script will also decrypt the .data section from unpacked IcedID samples.
https://github.com/matthewB-huntress/IcedID
GitHub
GitHub - embee-research/Icedid-file-decryptor: Static Decryptor for IcedID Malware
Static Decryptor for IcedID Malware. Contribute to embee-research/Icedid-file-decryptor development by creating an account on GitHub.
#ParsedReport
30-09-2022
Deep dive into the TTD ecosystem. Background
https://www.elastic.co/security-labs/deep-dive-into-the-ttd-ecosystem
Threats:
Windbg_tool
Dll_injection_technique
Process_injection_technique
Lolbas_technique
IOCs:
File: 11
IP: 1
Hash: 2
Registry: 1
Softs:
windows service, local security authority
Algorithms:
base64
Functions:
SbValidateAndParseDebugAuthToken
Win API:
SeDebugPrivilege, NtOpenProcess, NtQuerySystemEnvironmentValueEx, SeSystemEnvironmentPrivilege, IsDebuggerPresent
Platforms:
x86, arm, x64, amd64
Links:
30-09-2022
Deep dive into the TTD ecosystem. Background
https://www.elastic.co/security-labs/deep-dive-into-the-ttd-ecosystem
Threats:
Windbg_tool
Dll_injection_technique
Process_injection_technique
Lolbas_technique
IOCs:
File: 11
IP: 1
Hash: 2
Registry: 1
Softs:
windows service, local security authority
Algorithms:
base64
Functions:
SbValidateAndParseDebugAuthToken
Win API:
SeDebugPrivilege, NtOpenProcess, NtQuerySystemEnvironmentValueEx, SeSystemEnvironmentPrivilege, IsDebuggerPresent
Platforms:
x86, arm, x64, amd64
Links:
https://gist.github.com/calladoum-elastic/4666dafc789a273c35a4aedf2ed9cd9ehttps://gist.github.com/calladoum-elastic/328068f19e60a76b00f20cdb936cd078www.elastic.co
Deep dive into the TTD ecosystem — Elastic Security Labs
This is the first in a series focused on the Time Travel Debugging (TTD) technology developed by Microsoft that was explored in detail during a recent independent research period.
#ParsedReport
01-10-2022
Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Platform
https://blog.qualys.com/misc/2022/09/30/qualys-response-to-proxynotshell-microsoft-exchange-server-zero-day-threat-using-qualys-platform
Threats:
Proxynotshell_vuln
Chinachopper
Geo:
China, Vietnamese, Chinese
CVEs:
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
TTPs:
IOCs:
File: 4
Path: 1
Hash: 10
Softs:
microsoft exchange server, microsoft exchange
Languages:
python
Links:
01-10-2022
Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Platform
https://blog.qualys.com/misc/2022/09/30/qualys-response-to-proxynotshell-microsoft-exchange-server-zero-day-threat-using-qualys-platform
Threats:
Proxynotshell_vuln
Chinachopper
Geo:
China, Vietnamese, Chinese
CVEs:
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
TTPs:
IOCs:
File: 4
Path: 1
Hash: 10
Softs:
microsoft exchange server, microsoft exchange
Languages:
python
Links:
https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Zero%20Day/CVE-2022-41040%2C41082(ProxyNotShell%20Microsoft%20Exchange%20Server)Qualys
Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform | Qualys
On September 29, 2022, active attacks against Microsoft Exchange were reported by Vietnamese cybersecurity company GTSC. The researcher at GTSC reported two critical vulnerabilities (now named…
#ParsedReport
01-10-2022
Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082
Threats:
Chinachopper
Backdoor:win32/rewritehttp.a
Win32/iisexchgdropwebshell.a!dha
Trojan:win32/iisexchgspawncmd.a
Trojan:win32/webshellterminal.a
Trojan:win32/webshellterminal.b
Proxyshell_vuln
CVEs:
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
Vulners: Exploitation: Unknown
X-Force: Risk: 6.5
X-Force: Patch: Official fix
CVE-2022-21082 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 1
Softs:
microsoft defender for endpoint, microsoft defender, microsoft 365 defender, microsoft exchange server, active directory, microsoft exchange, windows hello
Links:
01-10-2022
Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082
Threats:
Chinachopper
Backdoor:win32/rewritehttp.a
Win32/iisexchgdropwebshell.a!dha
Trojan:win32/iisexchgspawncmd.a
Trojan:win32/webshellterminal.a
Trojan:win32/webshellterminal.b
Proxyshell_vuln
CVEs:
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
Vulners: Exploitation: Unknown
X-Force: Risk: 6.5
X-Force: Patch: Official fix
CVE-2022-21082 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 1
Softs:
microsoft defender for endpoint, microsoft defender, microsoft 365 defender, microsoft exchange server, active directory, microsoft exchange, windows hello
Links:
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yamlhttps://github.com/Azure/Azure-Sentinel/blob/08a8d2b9c5c9083e341be447773a34b56b205dee/Detections/W3CIISLog/ProxyShellPwn2Own.yamlhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/PotentialWebshell.yamlhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/MaliciousAlertLinkedWebRequests.yamlhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yamlhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/http\_proxy\_oab\_CL/ExchagngeSuspiciousFileDownloads.yamlhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/WebShellActivity.yamlhttps://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/exchange-iis-worker-dropping-webshell.yamlMicrosoft News
Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
MSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks.
#ParsedReport
03-10-2022
DeftTorero: tactics, techniques and procedures of intrusions revealed
https://securelist.com/defttorero-tactics-techniques-and-procedures/107610
Actors/Campaigns:
Volatile_cedar
Threats:
Lolbin
Caterpillar_shell
Aspxspy_shell
Nmap_tool
Mimikatz
Empire_loader
Mimikittenz_tool
Meterpreter_tool
Powersploit
Regeorg
Industry:
Government, Telco, Education
Geo:
Emirates, Lebanon, Kuwait, Turkey, Jordan, Egypt
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 24
Path: 1
Url: 1
IP: 1
Hash: 20
Softs:
vssadmin
Algorithms:
base64
Functions:
GetAllData, GetIEHistory, OpenClipFn, SetWinHoK
Languages:
php
YARA: Found
Links:
03-10-2022
DeftTorero: tactics, techniques and procedures of intrusions revealed
https://securelist.com/defttorero-tactics-techniques-and-procedures/107610
Actors/Campaigns:
Volatile_cedar
Threats:
Lolbin
Caterpillar_shell
Aspxspy_shell
Nmap_tool
Mimikatz
Empire_loader
Mimikittenz_tool
Meterpreter_tool
Powersploit
Regeorg
Industry:
Government, Telco, Education
Geo:
Emirates, Lebanon, Kuwait, Turkey, Jordan, Egypt
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 24
Path: 1
Url: 1
IP: 1
Hash: 20
Softs:
vssadmin
Algorithms:
base64
Functions:
GetAllData, GetIEHistory, OpenClipFn, SetWinHoK
Languages:
php
YARA: Found
Links:
https://github.com/Neo23x0/signature-base/blob/master/yara/apt\_volatile\_cedar.yarhttps://github.com/tennc/webshellSecurelist
DeftTorero TTPs in 2019–2021
In this report we focus on tactics, techniques, and procedures (TTPs) of the DeftTorero (aka Lebanese Cedar or Volatile Cedar) threat actor, which targets Middle East countries.
#ParsedReport
03-10-2022
Bumblebee: increasing its capacity and evolving its TTPs. Background & Key Findings
https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps
Threats:
Bumblebee
Cobalt_strike
Vidar_stealer
Sliver_tool
Meterpreter_tool
Beacon
Trickbot
Industry:
Financial
IOCs:
Hash: 21
Coin: 2
IP: 30
Softs:
active directory
Algorithms:
base64, exhibit, rc4
YARA: Found
Links:
03-10-2022
Bumblebee: increasing its capacity and evolving its TTPs. Background & Key Findings
https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps
Threats:
Bumblebee
Cobalt_strike
Vidar_stealer
Sliver_tool
Meterpreter_tool
Beacon
Trickbot
Industry:
Financial
IOCs:
Hash: 21
Coin: 2
IP: 30
Softs:
active directory
Algorithms:
base64, exhibit, rc4
YARA: Found
Links:
https://github.com/LordNoteworthy/al-khaserCheck Point Research
Bumblebee: increasing its capacity and evolving its TTPs - Check Point Research
Research by: Marc Salinas Fernandez Background & Key Findings The spring of 2022 saw a spike in activity of Bumblebee loader, a recent threat that has garnered a lot of attention due to its many links to several well-known malware families. In this piece…
#ParsedReport
03-10-2022
Ransomware Gangs Targeting US Critical Infrastructure
https://socradar.io/ransomware-gangs-targeting-us-critical-infrastructure
Actors/Campaigns:
Vice_society
Blackcat
Threats:
Blackcat
Industry:
Education, Petroleum, Financial, Aerospace, Government, Energy
Geo:
German
03-10-2022
Ransomware Gangs Targeting US Critical Infrastructure
https://socradar.io/ransomware-gangs-targeting-us-critical-infrastructure
Actors/Campaigns:
Vice_society
Blackcat
Threats:
Blackcat
Industry:
Education, Petroleum, Financial, Aerospace, Government, Energy
Geo:
German
SOCRadar® Cyber Intelligence Inc.
Ransomware Gangs Targeting US Critical Infrastructure - SOCRadar® Cyber Intelligence Inc.
Last week, notorious ransomware gangs made a splash again by targeting US critical infrastructures. One of the threat actors that victimized the defense and
#ParsedReport
03-10-2022
ProxyNotShell-Microsoft Exchange Vulnerabilities
https://cyberint.com/blog/research/proxynotshell-microsoft-exchange-vulnerabilities
Threats:
Proxynotshell_vuln
Nmap_tool
Geo:
Chinese
CVEs:
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
IOCs:
Hash: 10
IP: 18
Url: 1
Softs:
microsoft exchange server
Links:
03-10-2022
ProxyNotShell-Microsoft Exchange Vulnerabilities
https://cyberint.com/blog/research/proxynotshell-microsoft-exchange-vulnerabilities
Threats:
Proxynotshell_vuln
Nmap_tool
Geo:
Chinese
CVEs:
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
IOCs:
Hash: 10
IP: 18
Url: 1
Softs:
microsoft exchange server
Links:
https://github.com/AntSwordProject/antSwordCyberint
ProxyNotShell-Microsoft Exchange Vulnerabilities
On September 29, Microsoft Security Threat Intelligence reported two significant zero-day vulnerabilities being exploited in the wild.
#ParsedReport
03-10-2022
RedLine Stealer Campaign Abusing Discord via PDF Links
https://www.netskope.com/blog/redline-stealer-campaign-abusing-discord-via-pdf-links
Threats:
Redline_stealer
Purecrypter
Njrat_rat
Agent_tesla
Asyncrat_rat
Lockbit
Lampion
Industry:
Financial, Entertainment
Geo:
Belarus, Armenia, Azerbaijan, Ukraine, Russia, Moldova, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan
IOCs:
File: 11
Softs:
discord, chrome, atomicwallet, binancechain, bitappwallet, boltx, bravewallet, coin98wallet, coinbase, equalwallet, have more...
Algorithms:
zip, aes, xor, base64, gzip
Languages:
visual_basic
YARA: Found
Links:
03-10-2022
RedLine Stealer Campaign Abusing Discord via PDF Links
https://www.netskope.com/blog/redline-stealer-campaign-abusing-discord-via-pdf-links
Threats:
Redline_stealer
Purecrypter
Njrat_rat
Agent_tesla
Asyncrat_rat
Lockbit
Lampion
Industry:
Financial, Entertainment
Geo:
Belarus, Armenia, Azerbaijan, Ukraine, Russia, Moldova, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan
IOCs:
File: 11
Softs:
discord, chrome, atomicwallet, binancechain, bitappwallet, boltx, bravewallet, coin98wallet, coinbase, equalwallet, have more...
Algorithms:
zip, aes, xor, base64, gzip
Languages:
visual_basic
YARA: Found
Links:
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/RedLine%20Stealerhttps://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/RedLine%20Stealer/2022-09-30Netskope
RedLine Stealer Campaign Abusing Discord via PDF Links
Summary RedLine is an infostealer malware discovered in 2020. Often sold in underground forums, it is capable of stealing data such as credit card
#ParsedReport
03-10-2022
Amazonthemed campaigns of Lazarus in the Netherlands and Belgium
https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium
Actors/Campaigns:
Lazarus (motivation: cyber_espionage, financially_motivated, cyber_criminal)
Dream_job (motivation: cyber_espionage)
Threats:
Airdry
Fudmodule_rootkit
Cobra
Wannacryptor
Wannacry
Byovd_technique
Threatneedle
Watering_hole_technique
Nukesped_rat
Timestomp_technique
Dll_sideloading_technique
Themida_tool
Vmprotect_tool
Putty_tool
Industry:
Entertainment, Aerospace, Financial, Healthcare
Geo:
Ukraine, Korean, Netherlands, Belgium, Polish, Mexican, Korea, Dprk, Aruba, Berlin
CVEs:
CVE-2021-21551 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- dell dbutil 2 3.sys (-)
TTPs:
Tactics: 7
Technics: 19
IOCs:
File: 16
Url: 4
Hash: 16
Path: 18
IP: 4
Softs:
windows kernel
Algorithms:
base64, zip, crc, spritz, aes-128, xor, rc4, hc-128, exhibit
Functions:
SetOfficeCertInit, SetOfficeCert
Links:
03-10-2022
Amazonthemed campaigns of Lazarus in the Netherlands and Belgium
https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium
Actors/Campaigns:
Lazarus (motivation: cyber_espionage, financially_motivated, cyber_criminal)
Dream_job (motivation: cyber_espionage)
Threats:
Airdry
Fudmodule_rootkit
Cobra
Wannacryptor
Wannacry
Byovd_technique
Threatneedle
Watering_hole_technique
Nukesped_rat
Timestomp_technique
Dll_sideloading_technique
Themida_tool
Vmprotect_tool
Putty_tool
Industry:
Entertainment, Aerospace, Financial, Healthcare
Geo:
Ukraine, Korean, Netherlands, Belgium, Polish, Mexican, Korea, Dprk, Aruba, Berlin
CVEs:
CVE-2021-21551 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- dell dbutil 2 3.sys (-)
TTPs:
Tactics: 7
Technics: 19
IOCs:
File: 16
Url: 4
Hash: 16
Path: 18
IP: 4
Softs:
windows kernel
Algorithms:
base64, zip, crc, spritz, aes-128, xor, rc4, hc-128, exhibit
Functions:
SetOfficeCertInit, SetOfficeCert
Links:
https://github.com/wolfSSL/wolfsslhttps://github.com/tike/GOnpphttps://github.com/alecmus/lecuihttps://github.com/erinata/FingerTexthttps://github.com/eset/malware-ioc/tree/master/nukesped\_lazarus#amazon-themed-campaigns-of-lazarus-in-the-netherlands-and-belgiumWeLiveSecurity
Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
ESET researchers have discovered Lazarus attacks against targets in the Netherlands and Belgium that use spearphishing emails connected to fake job offers.
#ParsedReport
03-10-2022
Private Drainer for MetaMask Crypto Wallets
https://cloudsek.com/threatintelligence/private-drainer-for-metamask-crypto-wallets/?utm_source=rss&utm_medium=rss&utm_campaign=private-drainer-for-metamask-crypto-wallets
Actors/Campaigns:
Seaflower
Industry:
Financial
TTPs:
Tactics: 1
Technics: 0
Softs:
telegram
03-10-2022
Private Drainer for MetaMask Crypto Wallets
https://cloudsek.com/threatintelligence/private-drainer-for-metamask-crypto-wallets/?utm_source=rss&utm_medium=rss&utm_campaign=private-drainer-for-metamask-crypto-wallets
Actors/Campaigns:
Seaflower
Industry:
Financial
TTPs:
Tactics: 1
Technics: 0
Softs:
telegram
Cloudsek
Private Drainer for MetaMask Crypto Wallets | Threat Intelligence | CloudSEK
We Discovered a Private drainer for Metamask which is capable of transferring cryptocurrency from the victim’s wallet to the attacker's wallet.
#ParsedReport
03-10-2022
Phishing Campaigns Targeting KFC and McDonalds
https://cloudsek.com/threatintelligence/phishing-campaigns-targeting-kfc-and-mcdonalds/?utm_source=rss&utm_medium=rss&utm_campaign=phishing-campaigns-targeting-kfc-and-mcdonalds
Industry:
Financial
Geo:
Indian, Singapore
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 23
Softs:
android, chrome
03-10-2022
Phishing Campaigns Targeting KFC and McDonalds
https://cloudsek.com/threatintelligence/phishing-campaigns-targeting-kfc-and-mcdonalds/?utm_source=rss&utm_medium=rss&utm_campaign=phishing-campaigns-targeting-kfc-and-mcdonalds
Industry:
Financial
Geo:
Indian, Singapore
TTPs:
Tactics: 1
Technics: 0
IOCs:
Domain: 23
Softs:
android, chrome
Cloudsek
Phishing Campaigns Targeting KFC and McDonald’s | Threat Intelligence | CloudSEK
KFC and McDonald’s were targeted via phishing campaigns. Campaigns aimed at the Saudi Arabia, UAE, and Singapore regions. Payment details has also been compromised.
#ParsedReport
03-10-2022
Phishing Campaign Abusing Reverse Tunnel Service Provider, Portmap.io
https://cloudsek.com/threatintelligence/phishing-campaign-abusing-reverse-tunnel-service-provider-portmap-io/?utm_source=rss&utm_medium=rss&utm_campaign=phishing-campaign-abusing-reverse-tunnel-service-provider-portmap-io
Industry:
Financial
Geo:
Indian
03-10-2022
Phishing Campaign Abusing Reverse Tunnel Service Provider, Portmap.io
https://cloudsek.com/threatintelligence/phishing-campaign-abusing-reverse-tunnel-service-provider-portmap-io/?utm_source=rss&utm_medium=rss&utm_campaign=phishing-campaign-abusing-reverse-tunnel-service-provider-portmap-io
Industry:
Financial
Geo:
Indian
Cloudsek
Phishing Campaign Abusing Reverse Tunnel Service Provider, Portmap.io | Threat Intelligence | CloudSEK
Portmap.io was misused in a phishing campaign targeting Indian banking customers. Phishing URLs are distributed via smishing techniques.
#ParsedReport
03-10-2022
Dissecting BlueSky Ransomware Payload
https://yoroi.company/research/dissecting-bluesky-ransomware-payload
Actors/Campaigns:
Bluesky
Threats:
Conti
Industry:
Ics
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 2
Registry: 1
File: 8
Algorithms:
chacha20, rc4, curve25519
Win API:
NtSetInformationThread, RtlAdjustPrivilege, SeDebugPrivilege, CryptAcquireContextA, CreateFileW, NtQueryInformatonFile, NtQueryInformatonProcess, SetThreadExecutionState
Platforms:
x86
YARA: Found
03-10-2022
Dissecting BlueSky Ransomware Payload
https://yoroi.company/research/dissecting-bluesky-ransomware-payload
Actors/Campaigns:
Bluesky
Threats:
Conti
Industry:
Ics
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 2
Registry: 1
File: 8
Algorithms:
chacha20, rc4, curve25519
Win API:
NtSetInformationThread, RtlAdjustPrivilege, SeDebugPrivilege, CryptAcquireContextA, CreateFileW, NtQueryInformatonFile, NtQueryInformatonProcess, SetThreadExecutionState
Platforms:
x86
YARA: Found
Tinexta Cyber
Il polo italiano della Cyber Security
Innovazione digitale sicura Protezione per un futuro digitale resiliente Tinexta Cyber è il polo italiano della cyber security. Parte del gruppo Tinexta, nasce dalla sintesi di tre eccellenze – Corvallis, Swascan e Yoroi – con l’obiettivo di supportare le…
#ParsedReport
01-10-2022
Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform
https://blog.qualys.com/vulnerabilities-threat-research/2022/09/30/qualys-response-to-proxynotshell-microsoft-exchange-server-zero-day-threat-using-qualys-platform
Threats:
Proxynotshell_vuln
Chinachopper
Geo:
Vietnamese, China, Chinese
CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
TTPs:
IOCs:
File: 4
Path: 1
Hash: 10
Softs:
microsoft exchange server, microsoft exchange
Languages:
python
Links:
01-10-2022
Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform
https://blog.qualys.com/vulnerabilities-threat-research/2022/09/30/qualys-response-to-proxynotshell-microsoft-exchange-server-zero-day-threat-using-qualys-platform
Threats:
Proxynotshell_vuln
Chinachopper
Geo:
Vietnamese, China, Chinese
CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
TTPs:
IOCs:
File: 4
Path: 1
Hash: 10
Softs:
microsoft exchange server, microsoft exchange
Languages:
python
Links:
https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Zero%20Day/CVE-2022-41040%2C41082(ProxyNotShell%20Microsoft%20Exchange%20Server)Qualys
Qualys Response to ProxyNotShell Microsoft Exchange Server Zero-Day Threat Using Qualys Cloud Platform | Qualys
On September 29, 2022, active attacks against Microsoft Exchange were reported by Vietnamese cybersecurity company GTSC. The researcher at GTSC reported two critical vulnerabilities (now named…