CTT Report Hub
3.41K subscribers
9.74K photos
6 videos
67 files
13.4K links
Threat Intelligence Report Hub
Download Telegram
#ParsedReport
04-10-2022

Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server

http://blog.talosintelligence.com/2022/09/threat-advisory-exchange-server-vulns.html

Actors/Campaigns:
Hafnium

Threats:
Proxynotshell_vuln
Proxyshell_vuln
Sharpyshell
Chinachopper

Geo:
China, Chinese

CVEs:
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)

CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)


IOCs:
Path: 4
IP: 19
Url: 1

Softs:
microsoft exchange

Links:
https://github.com/antonioCoco/SharPyShell
#ParsedReport
04-10-2022

OnionPoison: infected Tor Browser installer distributed through popular YouTube channel

https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627

Actors/Campaigns:
Onionpoison

Threats:
Onionduke

Geo:
China, Chinese

IOCs:
File: 7
Registry: 1
Domain: 1
Hash: 3

Softs:
visual studio, chrome, wechat

Algorithms:
xor, aes-128, base64, aes, hmac-sha1, hmac

Win API:
RtlDecompressBuffer
#ParsedReport
05-10-2022

APT Group Lazarus Exploits High Severity Flaw in Dell Driver

https://socradar.io/apt-group-lazarus-exploits-high-severity-flaw-in-dell-driver

Actors/Campaigns:
Lazarus (motivation: cyber_espionage)

Threats:
Byovd_technique
Airdry
Sslsniffer_tool
Fudmodule_rootkit
Timestomp_technique
Dll_sideloading_technique

Industry:
Aerospace

Geo:
Netherlands, Belgium

CVEs:
CVE-2021-21551 [Vulners]
Vulners: Score: 4.6, CVSS: 4.3,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- dell dbutil 2 3.sys (-)


TTPs:
Tactics: 7
Technics: 19

IOCs:
File: 3
Hash: 13
Url: 3

Links:
https://github.com/eset/malware-ioc/tree/master/nukesped\_lazarus
#ParsedReport
05-10-2022

Analysis of LilithBot Malware and Eternity Threat Group. Introduction

https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group

Actors/Campaigns:
Eternity
Jester
Shathak

Threats:
Lilithbot
Eternity_project
Lilith_rat

Industry:
Financial

Geo:
Russian

TTPs:
Tactics: 6
Technics: 15

IOCs:
Email: 1
Coin: 2
IP: 4
Hash: 6
File: 4
Path: 1

Softs:
telegram

Algorithms:
zip, aes
#ParsedReport
05-10-2022

Malware Analysis Report (AR22-277C)

https://us-cert.cisa.gov/ncas/analysis-reports/ar22-277c

Actors/Campaigns:
Hafnium

Threats:
Chinachopper
Impacket_tool

Geo:
China

CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)

CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)


TTPs:

IOCs:
Hash: 17

Softs:
microsoft exchange, active directory

Functions:
Page_Load

Languages:
javascript, jscript
#ParsedReport
05-10-2022

Alert (AA22-277A)

https://www.cisa.gov/uscert/ncas/alerts/aa22-277a

Threats:
Impacket_tool
Covalent_stealer
Chinachopper
Hyperbro
Netstat_tool
Screenconnect_tool

Industry:
Government, Iot

Geo:
China

CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)

CVE-2021-26858 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)

CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)

CVE-2021-26857 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2010, 2013, 2019, 2016, 2019, 2016)


TTPs:
Tactics: 10
Technics: 31

IOCs:
File: 13
Path: 2

Softs:
microsoft exchange server, microsoft onedrive, active directory

Algorithms:
aes, zip

Languages:
python

YARA: Found
#ParsedReport
05-10-2022

How Water Labbu Exploits Electron-Based Applications. Initial investigation

https://www.trendmicro.com/en_us/research/22/j/how-water-labbu-exploits-electron-based-applications.html

Actors/Campaigns:
Water_labbu

Threats:
Cobalt_strike
Metasploit_tool
Typosquatting_technique
Filecoder
Trojan.win64.shelload.i
Trojan.win32.shelload.bk
Swrort
Matsnu

Industry:
Financial

Geo:
Chinese

CVEs:
CVE-2021-21220 [Vulners]
Vulners: Score: 6.8, CVSS: 3.1,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- google chrome (<89.0.4389.128)
- fedoraproject fedora (32, 33, 34)


IOCs:
Hash: 80
Domain: 3
File: 9
Registry: 1

Softs:
chromium, chrome, internet explorer

Algorithms:
zip, xor, aes, base64

Languages:
javascript, golang, php

Platforms:
x64

Links:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/chrome\_cve\_2021\_21220\_v8\_insufficient\_validation.rb
https://github.com/electron/asar
#technique

Это, конечно, лолкек...
#ParsedReport
07-10-2022

LofyGang Software Supply Chain Attackers; Organized, Persistent, and Operating for over a Year. Connecting The Dots

https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year

Actors/Campaigns:
Lofygang (motivation: cyber_criminal)
Nitro

Threats:
Glitch
Typosquatting_technique
Starjacking_technique

Industry:
Entertainment, Financial

Geo:
Portuguese, Brazilian, Brazil

IOCs:
File: 1
Url: 80

Softs:
discord, zoom, nitro generator

Links:
https://github.com/PolarLofy
https://github.com/relative/synchrony
https://gist.github.com/jossef/aaa9e45c062d973f18bd87c43b9c4fc7
#ParsedReport
07-10-2022

Modified FiveM Spoofer Targeting Gamers

https://blog.cyble.com/2022/10/07/modified-fivem-spoofer-targeting-gamers

Threats:
Asyncrat_rat
Beacon

Industry:
Entertainment

Geo:
Singapore, Australia, Dubai, India, Georgia

TTPs:
Tactics: 6
Technics: 6

IOCs:
Url: 4
File: 2
Hash: 4

Softs:
fivem, discord, tiktok