#ParsedReport
08-12-2022
Internet Explorer 0-day exploited by North Korean actor APT37
https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37
Actors/Campaigns:
Apt37 (motivation: government_sponsored)
Threats:
Rtf_template_inject_technique
Rokrat_rat
Bluelight
Dolphin
Geo:
Korea, Korean
CVEs:
CVE-2017-0199 [Vulners]
Vulners: Score: 9.3, CVSS: 7.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2, *)
- microsoft windows server 2012 (-)
- microsoft windows vista (*)
- microsoft office (2010, 2013, 2016, 2007)
- microsoft windows 7 (*)
have more...
CVE-2021-34480 [Vulners]
Vulners: Score: 6.8, CVSS: 2.4,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows 10 (-, 20h2, 21h1, 1607, 1809, 1909, 2004)
- microsoft windows 7 (-)
- microsoft windows 8.1 (-)
- microsoft windows rt 8.1 (-)
- microsoft windows server 2008 (r2)
have more...
CVE-2022-41128 [Vulners]
Vulners: Score: Unknown, CVSS: 2.5,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft windows server 2008 (r2)
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 20h2, 21h1, 21h2, 22h2, 1809)
- microsoft windows 8.1 (-, -)
- microsoft windows server 2016 (-)
have more...
IOCs:
File: 1
Hash: 6
Domain: 5
Softs:
internet explorer, microsoft office
Languages:
javascript, jscript
Google
Internet Explorer 0-day exploited by North Korean actor APT37
Google’s Threat Analysis Group describes a new 0-day vulnerability attributed to North Korean government-backed actors known as APT37.
#ParsedReport
08-12-2022
Fantasy – a new Agrius wiper deployed through a supply-chain attack
https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack
Actor/Campaign:
Agrius
Threats:
Fantasywiper
Apostle
Credential_harvesting_technique
Minidump_tool
Mimikatz_tool
Secretsdump_tool
Killdisk
Lsass_dumper_tool
Impacket_tool
Timestomp_technique
Stop_ransomware
Industry:
Petroleum, Financial
Geo:
Iran, Emirates, Ukraine, African, Israel, Israeli, Africa
TTPs:
Tactics: 9
Technics: 15
IOCs:
Path: 5
File: 4
Registry: 3
Hash: 7
Softs:
psexec
Algorithms:
base64, zip, des
Functions:
SetLastAccessTimeUtc, GetSubDirectoryFileListRecursive
Win API:
SeShutdownPrivilege
Languages:
php, java, lua, python
Links:
https://github.com/cube0x0/MiniDump
https://github.com/bb00/zer0dump/blob/master/secretsdump.py
WeLiveSecurity
Fantasy – a new Agrius wiper deployed through a supply‑chain attack
ESET researchers analyzed a supply-chain attack abusing an Israeli software developer to deploy Fantasy, Agrius’s new wiper.
#ParsedReport
08-12-2022
CISA and the FBI issue alert about Cuba ransomware
https://www.malwarebytes.com/blog/news/2022/12/cisa-and-fbi-issue-alert-about-cuba-ransomware
Threats:
Cuba
Stop_ransomware
Romcom_rat
Hancitor
Industry:
Financial, Government, Healthcare
Geo:
Ukraine, California, Russian
Softs:
psexec
Malwarebytes
CISA and the FBI issue alert about Cuba ransomware
Cuba ransomware is spotlighted in a recent cybersecurity advisory (CSA) in the ongoing #StopRansomware campaign spearheaded by CISA and the FBI.
#ParsedReport
08-12-2022
SMS scams trick Indian banking customers into installing malicious apps. Indicators of Compromise (IOC)
https://www.zscaler.com/blogs/security-research/sms-scams-trick-indian-banking-customers-installing-malicious-apps
Industry:
Financial
Geo:
Indian
IOCs:
Url: 20
Hash: 10
Zscaler
Indian Banking Customers Fall for SMS Scams | Zscaler Blog
Indian banking customers are being targeted with fake complaint forms from phishing sites spreading info stealers with phony banking apps via SMS scams.
#ParsedReport
09-12-2022
New MuddyWater Threat: Old Kitten; New Tricks
https://www.deepinstinct.com/blog/new-muddywater-threat-old-kitten-new-tricks
Actors/Campaigns:
Muddywater (motivation: cyber_espionage)
Luna_moth
Threats:
Remoteutilities_tool
Screenconnect_tool
Atera_tool
Syncro_tool
Batloader
Luna
Industry:
Telco, Healthcare, Government, Aerospace, Petroleum
Geo:
America, Jordan, Emirates, Israeli, Asia, Israel, Africa, Syrian, Armenia, Oman, Azerbaijan, Tajikistan, Iran, Egypt, Qatar, Iraq
TTPs:
Tactics: 3
Technics: 5
IOCs:
File: 2
Hash: 36
Algorithms:
zip, exhibit
Deep Instinct
New MuddyWater Threat: Old Kitten; New Tricks | Deep Instinct
MuddyWater, also known as Static Kitten and Mercury, is a cyber espionage group that’s most likely a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).
#ParsedReport
09-12-2022
Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine. Introduction
https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine
Actors/Campaigns:
Cloudatlas (motivation: cyber_espionage)
Threats:
Powershower
Rtcpproxy_tool
Lockbit
Ntdsutil_tool
Anydesk_tool
Putty_tool
Industry:
Education, Energy, Financial, Transport, Government
Geo:
Russia, Russian, Belarus, Belarusian, Moldova, Asia, Ukraine
CVEs:
CVE-2018-0802 [Vulners]
Vulners: Score: 9.3, CVSS: 3.5,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft office (2007, 2013, 2016, 2010, 2016)
- microsoft word (2013, 2007, 2010, 2013, 2016)
- microsoft office compatibility pack (-)
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
IP: 1
Registry: 1
File: 2
Softs:
microsoft office, squid, telegram
Algorithms:
aes-256, base64, xor, zip
Functions:
WriteAllBytes, ReadAllText, ReadBytes, OpenDrive
Win API:
Decompress
Languages:
python
Check Point Research
Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine - Check Point Research
Introduction Cloud Atlas (or Inception) is a cyber-espionage group. Since its discovery in 2014, they have launched multiple, highly targeted attacks on critical infrastructure across geographical zones and political conflicts. The group’s tactics, techniques…
#ParsedReport
09-12-2022
APT Cloud Atlas: Unbroken Threat
https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/apt-cloud-atlas-unbroken-threat
Actors/Campaigns:
Cloudatlas (motivation: cyber_espionage)
Gamaredon
Bitter
Threats:
Powershower
Trojan.win32.generic.a
Trojan.win32.reglolbins.a
Industry:
Government, Financial
Geo:
Belarus, Slovenia, Russia, Azerbaijan, Russian, Turkey, Iranian, Tajikistan
CVEs:
CVE-2017-11882 [Vulners]
Vulners: Score: 9.3, CVSS: 4.8,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft office (2013, 2010, 2016, 2007)
TTPs:
Tactics: 7
Technics: 20
IOCs:
File: 12
Hash: 16
Softs:
microsoft office, component object model
Algorithms:
aes-cbc, aes, base64, lzma, xor, cbc
Win API:
GetLocalTime, GetUserDefaultLCID, GetSystemDefaultLCID
Languages:
visual_basic
YARA: Found
ptsecurity.com
PT ESC Threat Intelligence Blog
In this blog you can find information about current attacks by hacker groups around the world, analysis of their tools, information about incidents, group TTPs, indicators of compromise, and the names of detections in our products
#ParsedReport
09-12-2022
Supply Chain Attack via New Malicious Python Package, shaderz (Part 1)
https://www.fortinet.com/blog/threat-research/supply-chain-attack-new-malicious-python-package-shaderz
IOCs:
Url: 1
Hash: 2
File: 2
Languages:
python
Fortinet Blog
Supply Chain Attack via New Malicious Python Package, “shaderz” (Part 1)
FortiGuard Labs recently discovered a 0-day attack in a PyPI package called “shaderz.” Read our blog to learn about the executable file and how to protect against the attack.…
#ParsedReport
09-12-2022
Threat Actors Targeting Fans Amid FIFA World Cup Fever
https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever
Threats:
Redline_stealer
Beacon
Process_injection_technique
Process_hollowing_technique
Geo:
Australia, Qatar, Georgia, India, Dubai, Singapore
TTPs:
Tactics: 7
Technics: 20
IOCs:
Domain: 2
Url: 4
File: 2
Hash: 2
Softs:
android
Cyble
Threat Actors Targeting Fans Amid FIFA World Cup Fever
Cyble Research and Intelligence Labs analyzes various cybercrime activities exploiting the popularity of 22nd FIFA World Cup.
#ParsedReport
09-12-2022
Ransomware Roundup New Vohuk, ScareCrow, and AERST Variants
https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-vohuk-scarecrow-and-aerst-variants
Threats:
Vohuk
Scarecrow
Aerst
Conti
W32/ransom.fywdocb!tr
W32/filecoder.oke!tr.ransom
W32/filecoder.rth!tr.ransom
W32/filecoder.ace!tr.ransom
Industry:
Financial
Geo:
Philippines, Germany, India, Italy, Russia
IOCs:
File: 1
Hash: 8
Softs:
telegram
Algorithms:
chacha20
Fortinet Blog
Ransomware Roundup – New Vohuk, ScareCrow, and AERST Variants
In this week's ransomware roundup, FortiGuard Labs covers the Vohuk, ScareCrow, and AERST ransomware along with protection recommendations. Read more. …
The integration with IBM Exchange for fetching CVE info has broken for now. I'll fix it :(
#ParsedReport
09-12-2022
Beware of blue foxes: analysis of the new BlueFox MaaS stealer
https://habr.com/ru/company/pt/blog/704174
Threats:
Bluefox_stealer
Redline_stealer
Raccoon_stealer
Vidar_stealer
IOCs:
File: 8
Command: 1
Hash: 5
IP: 9
Softs:
telegram
Algorithms:
aes
Links:
09-12-2022
: MaaS- BlueFox. Fear the blue foxes: analysis of the new Bluefox Maas Styler
https://habr.com/ru/company/pt/blog/704174
Threats:
Bluefox_stealer
Redline_stealer
Raccoon_stealer
Vidar_stealer
IOCs:
File: 8
Command: 1
Hash: 5
IP: 9
Softs:
telegram
Algorithms:
aes
Links:
https://github.com/glmcdona/Process-Dump/blob/main/README.md
https://github.com/SychicBoy/NETReactorSlayer
Habr
Beware of blue foxes: analysis of the new BlueFox MaaS stealer
We, the specialists of PT Expert Security Center, regularly track information security threats, including both previously known and newly discovered malware. During such monitoring, into our...
#technique
Precious Gemstones: The New Generation of Kerberos Attacks
https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks/
Unit 42
Precious Gemstones: The New Generation of Kerberos Attacks
Unit 42 researchers show new methods to improve detection of a next-gen line of Kerberos attacks, which allow attackers to modify Kerberos tickets to maintain privileged access.
#technique
Vulpes: Obfuscating Memory Regions with Timers
https://mez0.cc/posts/vulpes-obfuscating-memory-regions/
#technique
StealthHook - A method for hooking a function without modifying memory protection
https://www.x86matthew.com/view_post?id=stealth_hook
#technique
{JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF
https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
Claroty
{JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF
Team82 developed a generic web application firewall bypass exploiting a lack of JSON syntax support in leading vendors' SQL injection like AWS and Imperva WAF.
#technique
A BOF to determine Windows Defender exclusions.
https://github.com/EspressoCake/Defender_Exclusions-BOF
GitHub
GitHub - EspressoCake/Defender_Exclusions-BOF: A BOF to determine Windows Defender exclusions.
A BOF to determine Windows Defender exclusions. Contribute to EspressoCake/Defender_Exclusions-BOF development by creating an account on GitHub.
#ParsedReport
12-12-2022
Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper. Highlights:
https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper
Threats:
Azov
Smokeloader
Junk_code_technique
Geo:
Ukraine
IOCs:
File: 4
Hash: 2
Algorithms:
xor
Functions:
FindGetProcAddress, start_0, AllocAndDecryptShellcode, TryToBackdoorExeFile, BackdoorExeFile
Languages:
python
YARA: Found
Check Point Research
Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper - Check Point Research
Highlights: Introduction During the past few weeks, we have shared the preliminary results of our investigation of the Azov ransomware on social media, as well as with Bleeping Computer. The below report goes into more detail regarding the internal workings…
#ParsedReport
12-12-2022
Dark Web Profile: APT42 Iranian Cyber Espionage Group
https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group
Actors/Campaigns:
Cleaver (motivation: cyber_espionage, cyber_criminal)
Phosphorus (motivation: cyber_espionage)
Tag-56 (motivation: cyber_espionage)
Remix_kitten (motivation: cyber_espionage)
Irgc (motivation: cyber_espionage)
Threats:
Nemesis
Brokeyolk
Pineflower
Stuxnet
Credential_harvesting_technique
Powerpost_tool
Chairsmack
Magicdrop
Silentuploader
Dostealer
Tabbycat
Vinethorn
Vbrevshell
Tamecat
Industry:
Education, Healthcare, Government, Telco
Geo:
Irans, Germany, Iranian, Israeli, Albanian, Australia, Iran
CVEs:
CVE-2018-13379 [Vulners]
Vulners: Score: 5.0, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- fortinet fortios (le6.0.4, le5.6.7)
IOCs:
Domain: 5
File: 10
Hash: 9
Url: 28
Softs:
android, telegram
SOCRadar® Cyber Intelligence Inc.
Dark Web Profile: APT42 - Iranian Cyber Espionage Group - SOCRadar® Cyber Intelligence Inc.
APT42 -also known as Crooked Charms and TA453– is a cyber espionage group linked to Iran. The group is allegedly affiliated with the IRGC-IO.
#ParsedReport
12-12-2022
Iranian hacking group uses compromised email accounts to distribute MSP remote access tool
https://www.malwarebytes.com/blog/news/2022/12/iranian-hacking-group-uses-compromised-email-accounts-to-distribute-msp-remote-access-tool
Actors/Campaigns:
Muddywater
Threats:
Msp_remote_tool
Log4shell_vuln
Syncro_tool
Atera_tool
Screenconnect_tool
Remoteutilities_tool
Industry:
Government, Petroleum, Telco
Geo:
Tajikistan, Iraq, Azerbaijan, Egypt, Oman, Qatar, Emirates, Jordan, Iran, Israel, Armenia, Iranian
IOCs:
File: 1
Malwarebytes
Iranian hacking group uses compromised email accounts to distribute MSP remote access tool
A new campaign by hacking group MuddyWater has been uncovered in which a legitimate remote access tool is sent to targets from a compromised email account.
#ParsedReport
12-12-2022
Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT. Conclusion
https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html
Actors/Campaigns:
Teamtnt
Threats:
Chaos
Kinsing_miner
Xmrig_miner
Malxmr_miner
Geo:
Russia
TTPs:
Tactics: 7
Technics: 0
IOCs:
File: 5
Hash: 6
Softs:
unix task scheduler
Languages:
golang
Links:
https://github.com/tiagorlampert/CHAOS
Trend Micro
Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT
We intercepted a cryptocurrency mining attack that incorporated an advanced remote access trojan (RAT) named the CHAOS Remote Administrative Tool.