#ParsedReport
05-12-2022
KoiVM Loader Resurfaces With a Bang
https://labs.k7computing.com/index.php/koivm-loader-resurfaces-with-a-bang
Threats:
Koivm
Remcos_rat
Agent_tesla
M4use_loader
Confuserex_tool
Process_injection_technique
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
Email: 1
Hash: 5
Url: 2
IP: 1
Algorithms:
base64, zip, rc4, xor
Languages:
python
Links:
https://github.com/dnSpyEx
https://github.com/Loksie/KoiVM-Virtualization#koivm
https://github.com/yck1509/ConfuserEx
https://github.com/SychicBoy/NETReactorSlayer
https://github.com/horsicq/Detect-It-Easy
https://github.com/Loksie/KoiVM-Virtualization#:~:text=first%20one%20is%20certainly%20ridiculous%20as%20it%20will%20%22merge%22%20with%20cex%20and%20virtualize%20every%20single%20method%2C%20including%20protections%20from%20ConfuserEX%2C%20however%20note%20that%20this%20might%20KILL%20your%20performan
K7 Labs
KoiVM Loader Resurfaces With a Bang
We at K7 Labs recently found an interesting new .NET loader which downloads and executes KoiVM virtualized binary, which in […]
#ParsedReport
05-12-2022
ASEC Weekly Phishing Email Threat Trend (20221120 ~ 20221126)
https://asec.ahnlab.com/ko/43163
Threats:
Agent_tesla
Formbook
Purecrypter
Industry:
Transport, Financial
Geo:
Mongolian, Korean
TTPs:
IOCs:
File: 46
Url: 9
Algorithms:
zip
ASEC BLOG
ASEC Weekly Phishing Email Threat Trend (20221120 ~ 20221126) - ASEC BLOG
The ASEC analysis team monitors phishing email threats using its automated sample analysis system (RAPIT) and honeypots. This post presents the distribution cases of phishing email attacks identified during the week of November 20 to November 26, 2022, together with statistics that classify them by type. In general, phishing refers to an attack in which the attacker uses social engineering, mainly over email, to disguise themselves as or impersonate an institution, company, or individual in order to steal the user's login account (credential) information.…
#ParsedReport
05-12-2022
Exposed Remote Desktop Protocol actively targeted by Threat Actors to deploy Ransomware
https://blog.cyble.com/2022/12/02/exposed-remote-desktop-protocol-actively-targeted-by-threat-actors-to-deploy-ransomware
Threats:
Redeemer
Vohuk
Amelia
Blackhunt
Daixin
Medusalocker
Conti
Bluekeep_vuln
Industry:
Financial, Government, Telco
Geo:
Korea, India, Vietnam, Russian, Netherlands, Russia
CVEs:
CVE-2019-0708 [Vulners]
Vulners: Score: 10.0, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows vista (-)
- microsoft windows server 2008 (r2, r2, -)
- microsoft windows xp (-, -)
- microsoft windows server 2003 (-, -, r2)
- microsoft windows 7 (-)
have more...
IOCs:
File: 1
Hash: 3
Softs:
remote desktop services
Cyble
Exposed RDP Actively Targeted By Threat Actors To Deploy Ransomware
Exposed RDP (Remote Desktop Protocol) is being actively targeted by cybercriminals to deploy ransomware. Learn how to secure your RDP access and protect your systems from these attacks.
#ParsedReport
05-12-2022
Distribution of phishing mail impersonating quasi-governmental organizations
https://asec.ahnlab.com/ko/43341
Industry:
Government
Geo:
Korea
IOCs:
Url: 2
ASEC BLOG
Distribution of phishing mail impersonating quasi-governmental organizations - ASEC BLOG
The ASEC analysis team recently confirmed that phishing emails impersonating a non-profit government agency are being distributed. Because they use a web page disguised as the login screen of GobizKOREA, a service operated by the Korea SMEs and Startups Agency (KOSME), to lure users into logging in, users working in the trade sector need to be especially careful. The subject and body of the phishing email are as follows. The body states that a new inquiry from a buyer has been registered, and all five hyperlinks included in the body…
#ParsedReport
05-12-2022
Hitching a ride with Mustang Panda
https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups
Actors/Campaigns:
Red_delta
Luminousmoth
Nightscout
Threats:
Plugx_rat
Hodur_rat
Uac_bypass_technique
Nbtscan_tool
Industry:
Petroleum, Financial, Ngo, Government
Geo:
Pacific, Czech, Chinese, Myanmar, American, Vietnam, Burmese, Mongolia, Russia, Malaysia, Canada, Myanmars, Australia, Usa, China, France, Asian, Netherlands, Serbia, Israel, Tatarstan
TTPs:
Tactics: 2
Technics: 0
IOCs:
File: 109
Domain: 6
IP: 38
Hash: 129
Softs:
microsoft office, chrome, opera, telegram, vivaldi
Algorithms:
xor, exhibit
Functions:
GDU1_NEW, GDU_OLD
Languages:
delphi, javascript
Gendigital
Hitching a ride with Mustang Panda
APT Campaign Targets Myanmar Government
#ParsedReport
05-12-2022
Analysis of the network attack activity of the OceanLotus group's Torii remote-control trojan
https://www.antiy.cn/research/notice&report/research_report/20221202.html
Actors/Campaigns:
Oceanlotus (motivation: information_theft)
Threats:
Torii_botnet
Kerrdown
Phantomlance
Cobalt_strike
Industry:
Government, Iot
Geo:
China
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 6
Softs:
android, macos, crontab
Algorithms:
aes, aes-128, rc4, gzip
Platforms:
x86, mips, arm, x64
www.antiy.cn
Analysis of the network attack activity of the OceanLotus group's Torii remote-control trojan
Antiy CERT captured a batch of active IoT remote-control trojans and found that they belong to an upgraded version of the Torii botnet family. They share a certain degree of common origin with, and also differ from, the OceanLotus group's remote-control trojans of the same kind, and the network assets they rely on also overlap with the earlier attack activity of the OceanLotus group.
#ParsedReport
05-12-2022
Schoolyard Bully Trojan Facebook Credential Stealer
https://www.zimperium.com/blog/schoolyard-bully-trojan-facebook-credential-stealer
Threats:
Schoolyardbully
Flytrap
Industry:
Financial, Chemical
Geo:
Vietnamese, Nederlands
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 175
Softs:
android, google chrome, mozilla firefox, opera, microsoft edge
Algorithms:
zip
Languages:
java, javascript
Platforms:
apple
Zimperium
Schoolyard Bully Trojan Facebook Credential Stealer - Zimperium
Zimperium zLabs has discovered a new Android threat campaign, the Schoolyard Bully Trojan, which has been active since 2018 and has spread to over 300,000 victims and is specifically targeting Facebook credentials. To learn more about this new threat, read…
#ParsedReport
05-12-2022
Alert (AA22-335A)
https://us-cert.cisa.gov/ncas/alerts/aa22-335a
Actors/Campaigns:
Lapsus
Threats:
Cuba
Romcom_rat
Ransomware.gov
Hancitor
Kerberoasting_technique
Kerbercache_tool
Zerologon_vuln
Qakbot
Impacket_tool
Meterpreter_tool
Iobit_tool
Powerview
Industry:
Foodtech, Government, E-commerce, Healthcare, Financial
Geo:
Ukrainian, Ukraine
CVEs:
CVE-2022-24521 [Vulners]
Vulners: Score: 4.6, CVSS: 4.2,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 21h2, 1607, 1809, 1909)
- microsoft windows 11 (-, -)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
have more...
CVE-2020-1472 [Vulners]
Vulners: Score: 9.3, CVSS: 3.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2)
- microsoft windows server 2012 (-, r2)
- microsoft windows server 2016 (-, 1903, 1909, 2004)
- microsoft windows server 2019 (-)
- fedoraproject fedora (31, 32, 33)
have more...
TTPs:
Tactics: 8
Technics: 13
IOCs:
File: 71
Path: 1
Hash: 48
IP: 53
Email: 4
Softs:
active directory, local security authority, keepass
www.cisa.gov
#StopRansomware: Cuba Ransomware | CISA
Actions to take today to mitigate cyber threats from ransomware: • Prioritize remediating known exploited vulnerabilities. • Train users to recognize and report phishing attempts. • Enable and enforce phishing-resistant multifactor authentication.
#ParsedReport
06-12-2022
Technical Analysis of the Winbox Payload in WindiGo
https://www.nozominetworks.com/blog/technical-analysis-of-the-winbox-payload-in-windigo
Threats:
Windigo
Plaguebot
Meris_botnet
Revil
Glupteba
Mirai
Industry:
Telco, Iot
Geo:
Brazil, China, Vietnam
CVEs:
CVE-2018-14847 [Vulners]
Vulners: Score: 6.4, CVSS: 5.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- mikrotik routeros (le6.42)
TTPs:
Tactics: 1
Technics: 0
IOCs:
Hash: 4
File: 1
Domain: 17
Registry: 3
Nozominetworks
Technical Analysis of the Winbox Payload in WindiGo
This blog provides a technical analysis of WindiGo as well as Indicators of Compromise (IoCs) you can use to detect WindiGo in your network.
#ParsedReport
06-12-2022
Danger Lurking in GitHub Repositories
https://socradar.io/danger-lurking-in-github-repositories
Threats:
Repojacking_technique
Bluekeep_vuln
Houdini_rat
CVEs:
CVE-2019-0708 [Vulners]
Vulners: Score: 10.0, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows vista (-)
- microsoft windows server 2008 (r2, r2, -)
- microsoft windows xp (-, -)
- microsoft windows server 2003 (-, -, r2)
- microsoft windows 7 (-)
have more...
IOCs:
IP: 1
Hash: 27
File: 2
Algorithms:
base64
Languages:
python
Links:
https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
SOCRadar® Cyber Intelligence Inc.
Danger Lurking in GitHub Repositories - SOCRadar® Cyber Intelligence Inc.
As a threat actor claims, up to 14 million GitHub users and repository credentials have been stolen recently and offered for sale.
#ParsedReport
06-12-2022
TgRat spyware detected
https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/vyyavlen-virus-shpion-tgrat
Threats:
Tgrat
Impacket_tool
Mimikatz_tool
IOCs:
File: 5
Softs:
telegram
Algorithms:
aes
Links:
https://github.com/wrwrabbit/telegram-bot-api-go
ptsecurity.com
PT ESC Threat Intelligence Blog
In this blog you can find information about current attacks by hacker groups around the world, analysis of their tools, information about incidents, the groups' TTPs, indicators of compromise, and the names of the detections in our products
#ParsedReport
06-12-2022
The Story of a Ransomware Turning into an Accidental Wiper
https://www.fortinet.com/blog/threat-research/The-story-of-a-ransomware-turning-into-an-accidental-wiper
Threats:
Cryptonite
Cyberdevilz_actor
Amsi_bypass_technique
W32/filecoder.ky!tr
W32/filecoder.ky!tr.ransom
Industry:
Financial
IOCs:
Hash: 1
File: 2
Url: 1
Domain: 1
Softs:
pyinstaller
Functions:
findFiles, warningScreen
Languages:
python
Fortinet Blog
The Story of a Ransomware Turning into an Accidental Wiper | FortiGuard Labs
FortiGuard Labs provides a deeper analysis of an open-source Cryptonite ransomware sample that never offers a decryption window, but instead acts as wiper malware. Read to find out more.…
#ParsedReport
06-12-2022
Calisto show interests into entities involved in Ukraine war support
https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support
Actors/Campaigns:
Calisto
Coldriver
Gamaredon
Apt31
Threats:
Typosquatting_technique
Evilginx_tool
Velar
Industry:
Logistic, Ngo
Geo:
Ukraine, Russian, Indian, African, Syrian, Polish, Ukrainian
IOCs:
Domain: 5
SIGMA: Found
Sekoia.io Blog
Calisto show interests into entities involved in Ukraine war support
Calisto (aka Callisto, COLDRIVER) is suspected to be a Russian-nexus intrusion set active since at least April 2017. Although it was not publicly attributed to any Russian intelligence service, past Calisto operations showed objectives and victimology that…
#ParsedReport
06-12-2022
Vice Society: Profiling a Persistent Threat to the Education Sector
https://unit42.paloaltonetworks.com/vice-society-targets-education-sector
Actors/Campaigns:
Vice_society (motivation: cyber_criminal)
Unc2447
Threats:
Hellokitty
Printnightmare_vuln
Lockbit
Fivehands
Zeppelin
Lotl_technique
Blackcat
Bloodhound_tool
Systembc
Avoslocker
Sombrat_rat
Industry:
Education, Financial, Healthcare, Government, E-commerce, Ngo
Geo:
Emea, Germany, America, Japan, California, Spain, France, Italy, Apac, Brazil
CVEs:
CVE-2021-34527 [Vulners]
Vulners: Score: 9.0, CVSS: 3.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 21h1, 1809, 1909, 2004)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-, 20h2, 2004)
have more...
CVE-2021-1675 [Vulners]
Vulners: Score: 9.3, CVSS: 3.5,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2, -)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 21h1, 1809, 1909, 2004)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
have more...
TTPs:
Tactics: 11
Technics: 0
IOCs:
Domain: 5
File: 4
Email: 14
Registry: 1
Hash: 15
Path: 1
Softs:
esxi, psexec, windows defender, microsoft defender, local security authority, active directory data, windows print spooler
Algorithms:
aes
Unit 42
Vice Society: Profiling a Persistent Threat to the Education Sector
Vice Society, a ransomware gang, has been involved in high-profile activity against schools this year.
#ParsedReport
06-12-2022
Iran: State-Backed Hacking of Activists, Journalists, Politicians
https://www.hrw.org/news/2022/12/05/iran-state-backed-hacking-activists-journalists-politicians
Actors/Campaigns:
Cleaver
Phosphorus
Irgc
Threats:
Credential_harvesting_technique
Hostile
Hyperscrape_tool
Industry:
Government, Financial
Geo:
Usa, Qatar, Iranian, Morocco, Iran, Africa, Tehran, Indian, Beirut, American, Israeli, Libya, Lebanon, Irans
IOCs:
Domain: 7
Url: 7
Softs:
telegram, google takeout
Languages:
javascript, php
Human Rights Watch
Iran: State-Backed Hacking of Activists, Journalists, Politicians
Hackers backed by the Iranian government have targeted Human Rights Watch and at least 18 other high-profile journalists, researchers, and politicians working on Middle East issues in an ongoing social engineering and credential phishing campaign.
#ParsedReport
06-12-2022
Blue Callisto orbits around US Laboratories in 2022
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html
Actors/Campaigns:
Coldriver (motivation: cyber_espionage)
Tick
Threats:
Seaborgium
Evilginx_tool
Industry:
Financial, Aerospace, Education, Government, Healthcare, Telco, Transport, Logistic, Energy
Geo:
Ukraine, Australia, Russia, Ukrainian
TTPs:
IOCs:
Domain: 5
File: 3
Url: 6
IP: 7
Functions:
OpenSSL
Languages:
javascript
PwC
Blue Callisto orbits around US Laboratories in 2022
In this blog post we detail 2022 phishing activity the PwC threat intelligence team attributes to Blue Callisto and list indicators for defenders to query.
#ParsedReport
06-12-2022
Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies
https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies
Threats:
Credential_harvesting_technique
Anydesk_tool
Dwservice_tool
Logmein_tool
Screenconnect_tool
Teamviewer_tool
Sorillus_rat
Rustscan_tool
Impacket_tool
Dcsync_technique
Industry:
Bp_outsourcing, Telco
CVEs:
CVE-2021-35464 [Vulners]
Vulners: Score: 10.0, CVSS: 5.4,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- forgerock am (<6.5.3)
- forgerock openam (<14.6.3)
IOCs:
Domain: 3
IP: 86
Hash: 8
File: 1
Softs:
telegram, curl, beanywhere, domotz, pulseway, rport, rsocx, trendmicro basecamp, zerotier, esxi, have more...
Languages:
python
Links:
https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
https://github.com/NetSPI/aws_consoler
https://github.com/RustScan/RustScan
https://github.com/b23r0/rsocx
CrowdStrike.com
Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies
CrowdStrike Services analyzes a recent intrusion campaign targeting telecom and business process outsourcing companies and shares how to defend against this attack.
#ParsedReport
06-12-2022
How closely does a Microsoft account-stealing phishing page resemble the real one?
https://asec.ahnlab.com/ko/43416
Geo:
Korean
IOCs:
File: 2
Hash: 2
Algorithms:
base64, aes
ASEC BLOG
How closely does a Microsoft account-stealing phishing page resemble the real one? - ASEC BLOG
Many companies and individual users, in Korea and abroad, use a Microsoft account to access Microsoft's major services, including Outlook, Office, OneDrive and Windows. With single sign-on, a user can conveniently reach every Microsoft service linked to that account. What does this look like from the attacker's side? Because so much information can be obtained from a single account, it is an ideal attack target. In particular, users who handle sensitive information inside a company…
#ParsedReport
06-12-2022
Exposing TAG-53's Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations
https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations
Actors/Campaigns:
Tag-53 (motivation: cyber_espionage, information_theft)
Coldriver (motivation: cyber_espionage, information_theft)
Seaborgium (motivation: cyber_espionage, information_theft)
Threats:
Credential_harvesting_technique
Typosquatting_technique
Industry:
Ngo, Logistic, Government, Telco, Aerospace
Geo:
Russian, Ukraine, Poland, Russia
TTPs:
IOCs:
Domain: 38
IP: 38
Softs:
microsoft onedrive
Recordedfuture
Exposing TAG-53’s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations
A recent spear phishing attempt uncovers a Russia-aligned cyber espionage campaign targeting government, intelligence, and military industries.
#ParsedReport
06-12-2022
ASEC Weekly Malware Statistics (20221128 ~ 20221204)
https://asec.ahnlab.com/ko/43356
Threats:
Smokeloader
Smokerloader
Agent_tesla
Azorult
Vidar_stealer
Antefrigus
Revil
Ransomware.later
Postealer
Clipbanker
Redline_stealer
Beamwinhttp_loader
Industry:
Transport, Financial
Geo:
Korea
IOCs:
File: 17
Email: 5
Url: 9
IP: 6
Softs:
telegram
Languages:
php
ASEC BLOG
ASEC Weekly Malware Statistics (20221128 ~ 20221204) - ASEC BLOG
The ASEC analysis team uses the ASEC automated analysis system RAPIT to classify and respond to known malware. This post summarizes the statistics for malware collected during the week from Monday, November 28 to Sunday, December 4, 2022. By major category, infostealers ranked first at 34.8%, followed by downloaders at 28.2%, backdoors at 21.1%, ransomware at 14.6%, and coinminers at 0.3%. Top 1 – SmokeLoader…
#ParsedReport
06-12-2022
DEV-0139 launches targeted attacks against the cryptocurrency industry
https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry
Threats:
Dll_sideloading_technique
Industry:
Financial
TTPs:
Tactics: 6
Technics: 13
IOCs:
File: 27
Path: 7
Url: 1
Hash: 10
Domain: 1
IP: 1
Softs:
microsoft defender, microsoft defender for endpoint, telegram, microsoft excel, windows media player, "powerpnt", microsoft 365 defender
Algorithms:
base64, xor
Functions:
CreateDate, CreateFile, OpenDrive, Win32
Win API:
CreateProcess
Languages:
visual_basic
Platforms:
x64
Links:
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/Least_Common_Parent_Child_Process.yaml
https://github.com/Azure/Azure-Sentinel/blob/46906229919827bffa14211341f52dd68e27ad81/Hunting%20Queries/Microsoft%20365%20Defender/Execution/detect-anomalous-process-trees.yaml
Microsoft News
DEV-0139 launches targeted attacks against the cryptocurrency industry
Microsoft security researchers investigate an attack where the threat actor, tracked DEV-0139, used chat groups to target specific cryptocurrency investment companies and run a backdoor within their network.
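The two Sentinel hunting queries linked in the DEV-0139 entry look for parent/child process pairs that are rare in a tenant's telemetry. The Python below is an added example, not Microsoft's code and not derived from the report's indicators: it runs the same idea over a constructed set of process-creation events, normalising image paths to file names, counting each parent -> child pair and the hosts it appears on, and surfacing the rarest pairs, plus the higher-signal subset of Office applications spawning script hosts or LOLBins. The event list, host names and the two watchlists are assumptions made for the example.

```python
from collections import defaultdict
from ntpath import basename

# Constructed process-creation events: (host, parent_image, child_image).
# Made up for this example; they are not telemetry from the Microsoft report.
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ("ws02", r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ("ws03", r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ("ws01", r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ("ws02", r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ("ws01", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe"),
    ("ws02", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe"),
    ("ws03", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe"),
    ("ws01", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\taskhostw.exe"),
    ("ws02", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\taskhostw.exe"),
    ("ws03", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\taskhostw.exe"),
    ("ws02", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", r"C:\Windows\System32\splwow64.exe"),
    ("ws03", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", r"C:\Windows\System32\splwow64.exe"),
    # The planted outlier: a single host where Excel spawned rundll32.exe,
    # a pair an analyst would want to pull the command line and loaded DLLs for.
    ("ws03", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", r"C:\Windows\System32\rundll32.exe"),
]

# Assumed watchlists for the higher-signal filter (a general hunting heuristic,
# not a list taken from the report).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_AND_LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                              "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path, so counts ignore install directories."""
    return basename(path).lower()


def parent_child_stats(events):
    """Map (parent, child) -> (event count, number of distinct hosts the pair was seen on)."""
    counts = defaultdict(int)
    hosts = defaultdict(set)
    for host, parent, child in events:
        key = (image_name(parent), image_name(child))
        counts[key] += 1
        hosts[key].add(host)
    return {key: (counts[key], len(hosts[key])) for key in counts}


def least_common_pairs(events, max_count=1):
    """Pairs seen at most `max_count` times, rarest first: the hunt's candidate list."""
    stats = parent_child_stats(events)
    rare = [(parent, child, n, h) for (parent, child), (n, h) in stats.items() if n <= max_count]
    return sorted(rare, key=lambda r: (r[2], r[3], r[0], r[1]))


def office_spawning_lolbins(events):
    """Office parents spawning script hosts or LOLBins, regardless of how often the pair occurs."""
    stats = parent_child_stats(events)
    return sorted((p, c, n) for (p, c), (n, _) in stats.items()
                  if p in OFFICE_PARENTS and c in SCRIPT_AND_LOLBIN_CHILDREN)


if __name__ == "__main__":
    for parent, child, n, h in least_common_pairs(SAMPLE_EVENTS):
        print(f"rare pair: {parent} -> {child} (seen {n}x on {h} host(s))")
    for parent, child, n in office_spawning_lolbins(SAMPLE_EVENTS):
        print(f"office -> lolbin: {parent} -> {child} (seen {n}x)")
```

The frequency-only view is noisy on a real estate (every freshly installed tool produces a rare pair on its first day), which is why the second function keeps the Office-to-LOLBin pairs even when they are not rare; in practice the two lists are joined with command-line and image-load data before anyone pivots to the host.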