CTT Report Hub
3.41K subscribers
9.74K photos
6 videos
67 files
13.4K links
Threat Intelligence Report Hub
Download Telegram
#ParsedReport
05-10-2022

Alert (AA22-277A)

https://www.cisa.gov/uscert/ncas/alerts/aa22-277a

Threats:
Impacket_tool
Covalent_stealer
Chinachopper
Hyperbro
Netstat_tool
Screenconnect_tool

Industry:
Government, Iot

Geo:
China

CVEs:
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)

CVE-2021-26858 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2019, 2019)

CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)

CVE-2021-26857 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2010, 2013, 2019, 2016, 2019, 2016)


TTPs:
Tactics: 10
Technics: 31

IOCs:
File: 13
Path: 2

Softs:
microsoft exchange server, microsoft onedrive, active directory

Algorithms:
aes, zip

Languages:
python

YARA: Found
#ParsedReport
05-10-2022

How Water Labbu Exploits Electron-Based Applications. Initial investigation

https://www.trendmicro.com/en_us/research/22/j/how-water-labbu-exploits-electron-based-applications.html

Actors/Campaigns:
Water_labbu

Threats:
Cobalt_strike
Metasploit_tool
Typosquatting_technique
Filecoder
Trojan.win64.shelload.i
Trojan.win32.shelload.bk
Swrort
Matsnu

Industry:
Financial

Geo:
Chinese

CVEs:
CVE-2021-21220 [Vulners]
Vulners: Score: 6.8, CVSS: 3.1,
Vulners: Exploitation: True
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- google chrome (<89.0.4389.128)
- fedoraproject fedora (32, 33, 34)


IOCs:
Hash: 80
Domain: 3
File: 9
Registry: 1

Softs:
chromium, chrome, internet explorer

Algorithms:
zip, xor, aes, base64

Languages:
javascript, golang, php

Platforms:
x64

Links:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/chrome\_cve\_2021\_21220\_v8\_insufficient\_validation.rb
https://github.com/electron/asar
#technique

Это, конечно, лолкек...
#ParsedReport
07-10-2022

LofyGang Software Supply Chain Attackers; Organized, Persistent, and Operating for over a Year. Connecting The Dots

https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year

Actors/Campaigns:
Lofygang (motivation: cyber_criminal)
Nitro

Threats:
Glitch
Typosquatting_technique
Starjacking_technique

Industry:
Entertainment, Financial

Geo:
Portuguese, Brazilian, Brazil

IOCs:
File: 1
Url: 80

Softs:
discord, zoom, nitro generator

Links:
https://github.com/PolarLofy
https://github.com/relative/synchrony
https://gist.github.com/jossef/aaa9e45c062d973f18bd87c43b9c4fc7
#ParsedReport
07-10-2022

Modified FiveM Spoofer Targeting Gamers

https://blog.cyble.com/2022/10/07/modified-fivem-spoofer-targeting-gamers

Threats:
Asyncrat_rat
Beacon

Industry:
Entertainment

Geo:
Singapore, Australia, Dubai, India, Georgia

TTPs:
Tactics: 6
Technics: 6

IOCs:
Url: 4
File: 2
Hash: 4

Softs:
fivem, discord, tiktok
#ParsedReport
07-10-2022

SpiderLabs Blog. HTML File Attachments: Still A Threat

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/html-file-attachments-still-a-threat

Actors/Campaigns:
Wizard_spider (motivation: cyber_criminal)

Threats:
Html_smuggling_technique
Mekotio
Ousaban
Trickbot
Qakbot

Industry:
Financial

Algorithms:
zip

Languages:
javascript

Links:
https://github.com/javascript-obfuscator/javascript-obfuscator
#ParsedReport
07-10-2022

Letting off steam

https://blog.group-ib.com/steam

Threats:
Blackcat

Industry:
Entertainment, Education, Financial

Geo:
Singapore, Russian

TTPs:
Tactics: 1
Technics: 0

IOCs:
File: 5

Softs:
telegram, discord

Languages:
rust, php
#ParsedReport
07-10-2022

We Smell A RatMilad Android Spyware

https://blog.zimperium.com/we-smell-a-ratmilad-mobile-spyware

Threats:
Ratmilad

Industry:
Financial, Government

IOCs:
Url: 2
File: 14
Domain: 1
Hash: 8

Softs:
android, telegram, burp suite, media features

Algorithms:
zip
#ParsedReport
07-10-2022

Excel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 Part II

https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two

Threats:
Redline_stealer
Formbook
Imminentmonitor_rat

CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)


IOCs:
Url: 2
IP: 1
File: 20
Domain: 2
Hash: 2

Softs:
task scheduler, chrome, opera, waterfox, k-meleon, icedragon, cyberfox, blackhaw, 7star, chromeplus, have more...

Algorithms:
gzip

Functions:
CreateProcessAsUser, CreateFlag, APIs, Wow64GetThreadContext, Wow64SetThreadContext, CreateBind, CreateChannel, GetArguments, GetUpdates, CheckConnect, have more...

Win API:
GetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread
#ParsedReport
07-10-2022

Conti Ransomware: The History Behind One of the Worlds Most Aggressive RaaS Groups

https://flashpoint.io/blog/history-of-conti-ransomware

Actors/Campaigns:
Wizard_spider

Threats:
Conti
Maze
Egregor
Ryuk
Cobalt_strike
Trickbot
Beacon
Adfind_tool
Diavol

Industry:
Government, Healthcare, E-commerce, Financial

Geo:
Japanese, Ukraine, Japan, Russian, Russia

Softs:
active directory
#ParsedReport
07-10-2022

Fake Ransomware Infection Under widespread

https://blog.cyble.com/2022/10/06/fake-ransomware-infection-under-widespread

Industry:
Financial

Geo:
Australia, Singapore, Georgia, Dubai, India

TTPs:
Tactics: 5
Technics: 9

IOCs:
File: 7
Path: 1
Url: 1
Hash: 15

Algorithms:
gzip, zip

Languages:
php
#ParsedReport
10-10-2022

Dark Web Profile: Play Ransomware

https://socradar.io/dark-web-profile-play-ransomware

Threats:
Playcrypt
Nokoyawa
Adfind_tool
Lolbin

Industry:
Government

Geo:
Brazil, American

CVEs:
CVE-2018-13379 [Vulners]
Vulners: Score: 5.0, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- fortinet fortios (le6.0.4, le5.6.7)

CVE-2020-12812 [Vulners]
Vulners: Score: 7.5, CVSS: 2.6,
Vulners: Exploitation: True
X-Force: Risk: 5.3
X-Force: Patch: Official fix
Soft:
- fortinet fortios (<6.2.4, 6.4.0, <6.0.10)


IOCs:
Hash: 20
Url: 4
IP: 2

Softs:
active directory, psexec
#ParsedReport
10-10-2022

Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims

https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims

Actors/Campaigns:
Red_delta (motivation: cyber_espionage)

Threats:
Plugx_rat
Cobalt_strike
Poison_ivy
Beacon
Dll_sideloading_technique

Industry:
Ngo, Government

Geo:
Chinese, Asian, Myanmar, Asia, China

IOCs:
Domain: 4
File: 1
Hash: 4
IP: 2

Algorithms:
xor

Win API:
RtlDecompressBuffer

YARA: Found