#ParsedReport
09-12-2022
Beware the blue foxes: analysis of the new BlueFox MaaS stealer
https://habr.com/ru/company/pt/blog/704174
Threats:
Bluefox_stealer
Redline_stealer
Raccoon_stealer
Vidar_stealer
IOCs:
File: 8
Command: 1
Hash: 5
IP: 9
Softs:
telegram
Algorithms:
aes
Links:
https://github.com/glmcdona/Process-Dump/blob/main/README.md
https://github.com/SychicBoy/NETReactorSlayer
Habr
Beware the blue foxes: analysis of the new BlueFox MaaS stealer
We, the specialists of PT Expert Security Center, regularly monitor information security threats, including both previously known and newly discovered malware. During one such monitoring session, our...
#technique
Precious Gemstones: The New Generation of Kerberos Attacks
https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks/
Unit 42
Precious Gemstones: The New Generation of Kerberos Attacks
Unit 42 researchers show new methods to improve detection of a next-gen line of Kerberos attacks, which allow attackers to modify Kerberos tickets to maintain privileged access.
#technique
Vulpes: Obfuscating Memory Regions with Timers
https://mez0.cc/posts/vulpes-obfuscating-memory-regions/
#technique
StealthHook - A method for hooking a function without modifying memory protection
https://www.x86matthew.com/view_post?id=stealth_hook
#technique
{JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF
https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
Claroty
{JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF
Team82 developed a generic web application firewall bypass exploiting a lack of JSON syntax support in leading vendors' SQL injection like AWS and Imperva WAF.
#technique
A BOF to determine Windows Defender exclusions.
https://github.com/EspressoCake/Defender_Exclusions-BOF
GitHub
GitHub - EspressoCake/Defender_Exclusions-BOF: A BOF to determine Windows Defender exclusions.
A BOF to determine Windows Defender exclusions. Contribute to EspressoCake/Defender_Exclusions-BOF development by creating an account on GitHub.
#ParsedReport
12-12-2022
Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper
https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper
Threats:
Azov
Smokeloader
Junk_code_technique
Geo:
Ukraine
IOCs:
File: 4
Hash: 2
Algorithms:
xor
Functions:
FindGetProcAddress, start_0, AllocAndDecryptShellcode, TryToBackdoorExeFile, BackdoorExeFile
Languages:
python
YARA: Found
Check Point Research
Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper - Check Point Research
Highlights: Introduction During the past few weeks, we have shared the preliminary results of our investigation of the Azov ransomware on social media, as well as with Bleeping Computer. The below report goes into more detail regarding the internal workings…
#ParsedReport
12-12-2022
Dark Web Profile: APT42 Iranian Cyber Espionage Group
https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group
Actors/Campaigns:
Cleaver (motivation: cyber_espionage, cyber_criminal)
Phosphorus (motivation: cyber_espionage)
Tag-56 (motivation: cyber_espionage)
Remix_kitten (motivation: cyber_espionage)
Irgc (motivation: cyber_espionage)
Threats:
Nemesis
Brokeyolk
Pineflower
Stuxnet
Credential_harvesting_technique
Powerpost_tool
Chairsmack
Magicdrop
Silentuploader
Dostealer
Tabbycat
Vinethorn
Vbrevshell
Tamecat
Industry:
Education, Healthcare, Government, Telco
Geo:
Irans, Germany, Iranian, Israeli, Albanian, Australia, Iran
CVEs:
CVE-2018-13379 [Vulners]
Vulners: Score: 5.0, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- fortinet fortios (le6.0.4, le5.6.7)
IOCs:
Domain: 5
File: 10
Hash: 9
Url: 28
Softs:
android, telegram
SOCRadar® Cyber Intelligence Inc.
Dark Web Profile: APT42 - Iranian Cyber Espionage Group - SOCRadar® Cyber Intelligence Inc.
APT42 -also known as Crooked Charms and TA453– is a cyber espionage group linked to Iran. The group is allegedly affiliated with the IRGC-IO.
#ParsedReport
12-12-2022
Iranian hacking group uses compromised email accounts to distribute MSP remote access tool
https://www.malwarebytes.com/blog/news/2022/12/iranian-hacking-group-uses-compromised-email-accounts-to-distribute-msp-remote-access-tool
Actors/Campaigns:
Muddywater
Threats:
Msp_remote_tool
Log4shell_vuln
Syncro_tool
Atera_tool
Screenconnect_tool
Remoteutilities_tool
Industry:
Government, Petroleum, Telco
Geo:
Tajikistan, Iraq, Azerbaijan, Egypt, Oman, Qatar, Emirates, Jordan, Iran, Israel, Armenia, Iranian
IOCs:
File: 1
Malwarebytes
Iranian hacking group uses compromised email accounts to distribute MSP remote access tool
A new campaign by hacking group MuddyWater has been uncovered in which a legitimate remote access tool is sent to targets from a compromised email account.
#ParsedReport
12-12-2022
Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT
https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html
Actors/Campaigns:
Teamtnt
Threats:
Chaos
Kinsing_miner
Xmrig_miner
Malxmr_miner
Geo:
Russia
TTPs:
Tactics: 7
Technics: 0
IOCs:
File: 5
Hash: 6
Softs:
unix task scheduler
Languages:
golang
Links:
https://github.com/tiagorlampert/CHAOS
Trend Micro
Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT
We intercepted a cryptocurrency mining attack that incorporated an advanced remote access trojan (RAT) named the CHAOS Remote Administrative Tool.
#ParsedReport
12-12-2022
Nitol DDoS malware that installs Amadey Bot
https://asec.ahnlab.com/ko/43766
Threats:
Amadey
Nitol
Lockbit
Njrat_rat
Smokeloader
Trojan/win.generic.r539958
Malware/mdp.behavior.m3108
IOCs:
File: 13
Path: 1
Hash: 6
Url: 9
IP: 3
Domain: 1
Softs:
microsoft office, internet explorer
Languages:
csharp
ASEC BLOG
Nitol DDoS malware that installs Amadey Bot - ASEC BLOG
The ASEC analysis team recently confirmed that attackers are using the Nitol DDoS Bot malware to install Amadey. Amadey is malware that has been distributed since around 2018; besides stealing user information, it is a downloader that can be used to install additional malware. Amadey has been actively distributed again this year, spread from the beginning of the year until recently through distribution sites disguised as cracks for legitimate software and serial key generators…
#ParsedReport
12-12-2022
Drokbk Malware Uses GitHub as Dead Drop Resolver
https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver
Actors/Campaigns:
Cobalt_mirage (motivation: government_sponsored)
Comment_crew
Threats:
Dead_drop_technique
Mirage
Frpc_tool
Tunnelfish_tool
Log4shell_vuln
Beacon
Industry:
Government
Geo:
Iranian
CVEs:
CVE-2021-44228 [Vulners]
Vulners: Score: 9.3, CVSS: 4.5,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.15.0, <2.3.1, <2.12.2)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens logo\! soft comfort (*)
- siemens spectrum power 4 (4.70, 4.70, <4.70, 4.70)
- siemens siveillance control pro (*)
have more...
CVE-2021-45046 [Vulners]
Vulners: Score: 5.1, CVSS: 1.8,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.12.2, <2.16.0)
- intel oneapi (-)
- intel audio development kit (-)
- intel datacenter manager (-)
- intel system debugger (-)
have more...
IOCs:
File: 1
Path: 8
Hash: 17
IP: 3
Softs:
vmware horizon
Algorithms:
exhibit
Links:
https://github.com/fatedier/frp
https://github.com/dnSpyEx/dnSpy
Secureworks
Drokbk Malware Uses GitHub as Dead Drop Resolver
A subgroup of the Iranian COBALT MIRAGE threat group leverages Drokbk for persistence.
#ParsedReport
12-12-2022
Magniber Ransomware distribution resumed on 12/9: beware of distribution using COVID-related file names!
https://asec.ahnlab.com/ko/42439
Threats:
Magniber
Lockbit
Gandcrab
Revil
Motw_bypass_technique
Uac_bypass_technique
TTPs:
Tactics: 1
Technics: 0
IOCs:
Path: 1
File: 5
Softs:
internet explorer, chrome
ASEC BLOG
Magniber Ransomware distribution resumed on 12/9: beware of distribution using COVID-related file names! - ASEC BLOG
The AhnLab ASEC analysis team confirmed that Magniber Ransomware was being redistributed on 2022.12.09. It previously used file names related to security updates; now, while COVID is surging, Magniber Ransomware has been confirmed to be distributed with COVID-related file names as well. C:\Users\$USERS\Downloads\COVID.Warning.Readme.2f4a204180a70de60e674426ee79673f.msi C:\Users\$USERS\Down…
#ParsedReport
12-12-2022
Phylum Detects Ongoing Typosquat/Ransomware Campaign in PyPI and NPM
https://blog.phylum.io/phylum-detects-active-typosquatting-campaign-in-pypi
Threats:
Typosquatting_technique
Industry:
Aerospace
IOCs:
File: 1
Languages:
javascript, golang, python
Platforms:
apple
Phylum Research | Software Supply Chain Security
Phylum Detects Ongoing Typosquat/Ransomware Campaign in PyPI and NPM
Malicious packages that download ransomware binaries written in Golang published today, with more expected in the coming hours.
#ParsedReport
12-12-2022
Breaking the silence - Recent Truebot activity
https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity
Actors/Campaigns:
Ta505
Whisper_spider
Evil_corp
Threats:
Truebot
Flawedgrace_rat
Raspberry_robin
Clop
Teleport_tool
Winrm_tool
Cobalt_strike
Socgholish_loader
Icedid
Bumblebee
Flawedammyy
Industry:
Telco, Education, Financial
Geo:
Mexico, Brazil, Deutsche, Pakistan
CVEs:
CVE-2022-31199 [Vulners]
Vulners: Score: Unknown, CVSS: 4.8,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- netwrix auditor (<10.5)
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 3
Softs:
active directory
Algorithms:
crc-32, aes, cbc
Cisco Talos Blog
Breaking the silence - Recent Truebot activity
Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible for several high-impact attacks…
#ParsedReport
12-12-2022
A Custom Python Backdoor for VMWare ESXi Servers
https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers
Threats:
Netcat_tool
Asbit_rat
Tsunami_botnet
CVEs:
CVE-2020-3992 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware esxi (6.5, 6.7, 7.0.0)
- vmware cloud foundation (<4.1, <3.10.1.1)
CVE-2022-30190 [Vulners]
Vulners: Score: 9.3, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft windows server 2012 (r2, -)
- microsoft windows 10 (1607, -, 1809, 20h2, 21h1, 21h2)
- microsoft windows 8.1 (-)
- microsoft windows server 2016 (-)
- microsoft windows server 2008 (-, r2)
have more...
CVE-2019-5544 [Vulners]
Vulners: Score: 7.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- vmware horizon daas (<9.0.0.0)
- vmware esxi (6.0, 6.5, 6.7)
- redhat enterprise linux desktop (7.0)
- redhat enterprise linux server (7.0)
- redhat enterprise linux server aus (7.7)
have more...
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 6
IP: 1
Softs:
esxi, redis
Algorithms:
base64
Languages:
python
Juniper Networks
A Custom Python Backdoor for VMWare ESXi Servers
Juniper Threat Labs analyzes a backdoor installed on a compromised VMware ESXi server that can execute arbitrary commands and launch reverse shells.
We have launched a new API over the data generated by our TI-report parsing engine (we parse roughly 200-250 reports a month from 98 sources).
A lot of data still sits on disk and is not included in any of our APIs (email, registry, coin wallets, commands, yara|sigma code, winapi). I think we will add it in the new API version, where the data will already be in STIX format.
The current API version is more about bulletins per TI report. Through the API you can get all bulletins for all reports for a chosen day at once.
It looks like this.
#ParsedReport
12-12-2022
How Similar Is the Microsoft Account-stealing Phishing Page to the Actual Page?
https://asec.ahnlab.com/en/43821
Geo:
Korea, Korean
IOCs:
File: 2
Hash: 2
Softs:
office365
Algorithms:
aes, base64
ASEC
How Similar Is the Microsoft Account-stealing Phishing Page to the Actual Page? - ASEC
Many corporations and users both in and outside Korea use Microsoft accounts to use major services offered by Microsoft, including Outlook, Office, OneDrive, and Windows. Users use integrated login to easily access all Microsoft services linked to their account.…
#ParsedReport
12-12-2022
ASEC Weekly Phishing Email Threat Trends (November 27th, 2022 – December 3rd, 2022)
https://asec.ahnlab.com/en/43832
Actors/Campaigns:
Calypso
Threats:
Agent_tesla
Formbook
Neutrino_pos
Industry:
Transport, Financial
Geo:
Asia, India, Spain, Korean, Qatar
TTPs:
IOCs:
File: 33
Url: 7
Algorithms:
zip
Languages:
php
ASEC BLOG
ASEC Weekly Phishing Email Threat Trends (November 27th, 2022 – December 3rd, 2022) - ASEC BLOG
The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from November 27th, 2022 to December 3rd, 2022 and…
#ParsedReport
13-12-2022
Fortinet Released Patch for FortiOS SSL-VPN RCE Vulnerability CVE-2022-42475
https://socradar.io/fortinet-released-patch-for-fortios-ssl-vpn-rce-vulnerability-cve-2022-42475
CVEs:
CVE-2022-42475 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
IOCs:
IP: 4
Languages:
javascript
SOCRadar® Cyber Intelligence Inc.
Fortinet Released Patch for FortiOS SSL-VPN RCE Vulnerability CVE-2022-42475
The critical flaw, identified as CVE-2022-42475 (CVSS score: 9.3), relates to a heap-based buffer overflow (CWE-122) vulnerability that...
#ParsedReport
13-12-2022
How 140k NuGet, NPM, and PyPi Packages Were Used to Spread Phishing Links
https://checkmarx.com/blog/how-140k-nuget-npm-and-pypi-packages-were-used-to-spread-phishing-links
Industry:
Retail, E-commerce
IOCs:
Email: 1
Domain: 87
File: 3
Softs:
nuget package manager, tiktok, instagram
Links:
https://gist.github.com/jossef/77c4fd00fccf68b56d76a36c79799ca1
https://gist.github.com/jossef/1c1152368ff6210340644f44afec7e8e
Checkmarx.com
How 140k NuGet, NPM, and PyPi Packages Were Used to Spread Phishing Links
Joint research of Checkmarx and Illustria reveals new attack vector in NuGet ecosystem: attackers spam open-source ecosystem with packages containing links to phishing campaigns. Our teams have disclosed this info to NuGet security and the packages were unlisted.…