Forwarded from vx-underground
mcbazza was exploring Shodan. He found an exposed camera monitoring a large crop of tomatoes.
Good find!
#ParsedReport
15-12-2022
MCCrash: Cross-platform DDoS botnet targets private Minecraft servers
https://www.microsoft.com/en-us/security/blog/2022/12/15/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers
Threats:
Log4shell_vuln
Trojan:win32/mccrash.ma
Industry:
Healthcare, Iot
Geo:
Russia
IOCs:
File: 7
Domain: 2
Hash: 7
Softs:
microsoft defender for iot, debian, ubuntu, pyinstaller, azure active directory, microsoft 365 defender, windows security, windows defender application control, microsoft defender, microsoft defender for endpoint, have more...
Languages:
java, python
Microsoft News
MCCrash: Cross-platform DDoS botnet targets private Minecraft servers
The Microsoft Defender for IoT research team analyzed a cross-platform botnet that infects both Windows and Linux systems from PCs to IoT devices, to launch distributed denial of service (DDoS) attacks against private Minecraft servers.
#ParsedReport
15-12-2022
Tracking Malicious Glupteba Activity Through the Blockchain
https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain
Threats:
Glupteba
Cerber
Industry:
Financial, Iot
IOCs:
Hash: 1
Domain: 41
Coin: 25
File: 1
Algorithms:
aes-gcm, exhibit, xor
Nozominetworks
Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain
This blog presents how Glupteba hides its C&C domains in the bitcoin blockchain, presenting various campaigns over the years.
#ParsedReport
16-12-2022
Dark Web Profile: Black Basta Ransomware
https://socradar.io/dark-web-profile-black-basta-ransomware
Actors/Campaigns:
Carbanak
Threats:
Blackbasta
Lockbit
Conti
Cobalt_strike
Qakbot
Industry:
Retail, Healthcare, Foodtech
Geo:
Deutsche, American
Algorithms:
chacha20
YARA: Found
SIGMA: Found
SOCRadar® Cyber Intelligence Inc.
Dark Web Profile: Black Basta Ransomware - SOCRadar® Cyber Intelligence Inc.
According to some researchers, Black Basta is a ransomware group that works with the RaaS (ransomware as a service) model.
#ParsedReport
16-12-2022
Sophisticated DarkTortilla Malware Spreading Via Phishing Sites
https://blog.cyble.com/2022/12/16/sophisticated-darktortilla-malware-spreading-via-phishing-sites
Actors/Campaigns:
Tortilla
Threats:
Darktortilla
Agent_tesla
Asyncrat_rat
Nanocore_rat
Process_injection_technique
TTPs:
Tactics: 5
Technics: 6
IOCs:
Hash: 10
Url: 2
Registry: 1
File: 4
Path: 1
Domain: 2
Softs:
task scheduler, net framework, chrome
Algorithms:
rc4, exhibit, zip
Functions:
CreateDecryptor, FindNextFileExW, WriteFileA
Win API:
FindFirstFileExW, CreateFileA, GetObjectA
Cyble
DarkTortilla Malware Spread Through Phishing Sites
Cyble Research and Intelligence Labs analyzes DarkTortilla, a sophisticated malware spreading via Phishing sites.
#ParsedReport
16-12-2022
Types of the latest .NET packers and domestic distribution trends
https://asec.ahnlab.com/ko/44066
Threats:
Agent_tesla
Formbook
Postealer
Avemaria_rat
Asyncrat_rat
Darktortilla
Purecrypter
Confuserex_tool
Lokibot_stealer
Remcos_rat
Trojan/win.msilkrypt.r478738
Trojan/win.msilkrypt.r479010
Trojan/win.malwarex-gen.c4922823
Trojan/win.msilkrypt.c5020026
Trojan/win.msil.r503383
Trojan/win.msil.r510208
Trojan/win.msil.r492640
Trojan/win.msilkrypt.r478746
Trojan/win.msil.r491654
Trojan/win.msil.r479032
Trojan/win.msil.r536135
Trojan/win.loader.c5020045
Trojan/win.msilkrypt.r479033
Trojan/win.generic.c5197697
Trojan/win.msilkrypt.r479202
Trojan/win.msil.r5288800
Trojan/win.msil.c5134406
Trojan/win.msil.r498082
Trojan/win.msil.c5198300
Trojan/win.msil.r510204
Industry:
Transport
Geo:
Korea
IOCs:
File: 101
Hash: 33
Url: 27
Softs:
discord
Algorithms:
base64, xor
Functions:
Gameloader, Type
Languages:
csharp
ASEC BLOG
Types and domestic distribution trends of the latest .NET packers - ASEC BLOG
[TOC] 0. Overview This content is an abridged version of the TI report 'Trends and Classification of the Latest .NET Packers', and the full details can be found via the link at the very bottom. Recently, packers built with .NET have been observed in many places both in Korea and abroad. Accordingly, the ASEC analysis team will introduce five types of .NET packers that are mainly distributed in Korea and describe their domestic distribution trends. It will therefore briefly introduce the types of malware distributed via .NET packers, and this document's own packer…
#ParsedReport
16-12-2022
I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware
https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware
Actors/Campaigns:
Mofang
Contileaks
Threats:
Poortry
Stonestop
Plugx_rat
Trickbot
Fivesys
Vmprotect_tool
Industry:
Entertainment, Education
Geo:
Chinese, Iranian, Russian
IOCs:
Hash: 288
IP: 7
File: 13
Path: 3
Languages:
python
YARA: Found
Google Cloud Blog
I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware | Mandiant | Google Cloud Blog
#ParsedReport
16-12-2022
ASEC Weekly phishing email threat trend (20221204 ~ 20221210)
https://asec.ahnlab.com/ko/44397
Threats:
Agent_tesla
Formbook
Smokeloader
Industry:
Financial, Transport
Geo:
Korea, Korean
TTPs:
IOCs:
File: 20
Url: 5
Algorithms:
zip
ASEC BLOG
ASEC Weekly Phishing Email Threat Trends (20221204 ~ 20221210) - ASEC BLOG
The ASEC analysis team monitors phishing email threats using its automated sample analysis system (RAPIT) and honeypots. This post presents distribution cases of phishing email attacks identified during the week of December 4 to December 10, 2022, together with statistics classifying them by type. In general, phishing refers to an attack in which an attacker uses social engineering techniques, mainly via email, to disguise as or impersonate institutions, companies, or individuals in order to steal the user's login account (credential) information.…
#ParsedReport
16-12-2022
Agenda Ransomware Uses Rust to Target More Vital Industries
https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html
Actors/Campaigns:
Earth_preta
Threats:
Blackcat
Ransomexx
Ransom.win32.agenda.thiafbb
Ransom.win32.agenda.thiahbb
Industry:
Education, Healthcare, Government
Geo:
Thailand, Indonesia
IOCs:
Hash: 3
Languages:
rust, golang
Trend Micro
Agenda Ransomware Uses Rust to Target More Vital Industries
This year, various ransomware-as-a-service groups have developed versions of their ransomware in Rust, including Agenda. Agenda's Rust variant has targeted vital industries like its Go counterpart. In this blog, we will discuss how the Rust variant works.
#ParsedReport
16-12-2022
Backdoor Targets FreePBX Asterisk Management Portal
https://blog.sucuri.net/2022/12/backdoor-targets-freepbx-asterisk-management-portal.html
Geo:
Deutschland
IOCs:
IP: 1
Hash: 1
File: 1
Softs:
freepbx, wordpress, mysql, cpanel
Algorithms:
base64
Languages:
php, javascript
Sucuri Blog
Backdoor Targets FreePBX Asterisk Management Portal
Learn about a simple piece of malware targeting FreePBX Asterisk Management portal which allows attackers to backdoor a site and modify the website’s .htaccess file
#ParsedReport
16-12-2022
Dark Web Profile: Killnet Russian Hacktivist Group
https://socradar.io/dark-web-profile-killnet-russian-hacktivist-group
Actors/Campaigns:
Killnet (motivation: financially_motivated, hacktivism)
Xaknet (motivation: hacktivism)
Zarya (motivation: hacktivism)
Anonymous_russia (motivation: hacktivism)
Dpr_joker (motivation: hacktivism)
Beregini (motivation: hacktivism)
Rahdit (motivation: hacktivism)
Noname057 (motivation: hacktivism)
Zsecnet (motivation: hacktivism)
Threats:
Killmilk_actor
Joker
Orbit_technique
Cannon
Karma
Industry:
Transport, Government, Aerospace, Telco, Financial, Healthcare
Geo:
Poland, Italy, Japan, Romania, London, Ukrainian, Germany, Ukraines, Indiana, Russia, Norwegian, Estonia, Ukraine, Italian, Romanian, Russian, Lithuania, Czech, American
TTPs:
Tactics: 3
Technics: 5
Softs:
telegram, teamspeak
SOCRadar® Cyber Intelligence Inc.
Dark Web Profile: Killnet - Russian Hacktivist Group - SOCRadar® Cyber Intelligence Inc.
Killnet is a pro-Russian hacktivist group known for its DDoS campaigns against countries supporting Ukraine, especially NATO countries since the...
#ParsedReport
19-12-2022
Veeam Fixes Critical Vulnerabilities in Backup & Replication Software (CVE-2022-26500 & CVE-2022-26501)
https://socradar.io/veeam-fixes-critical-vulnerabilities-in-backup-replication-software-cve-2022-26500-cve-2022-26501
Threats:
Monti
Yanluowang
Empire_loader
CVEs:
CVE-2022-26500 [Vulners]
Vulners: Score: 6.5, CVSS: 7.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- veeam backup & replication (9.5.0.1536, 9.5.4.2615, <10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, <11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261)
CVE-2022-26501 [Vulners]
Vulners: Score: 10.0, CVSS: 2.0,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- veeam backup & replication (<10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, <11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261)
CVE-2022-265001 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown,
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
IOCs:
File: 4
Hash: 3
IP: 1
Languages:
python
SOCRadar® Cyber Intelligence Inc.
Veeam Fixes Critical Vulnerabilities in Backup & Replication Software (CVE-2022-26500 & CVE-2022-26501)
Veeam has recently fixed two security vulnerabilities (CVE-2022-26500 and CVE-2022-26501) in the Veeam Backup & Replication software.
#ParsedReport
19-12-2022
Ducklogs: A Malware-as-a-Service Comes With Multifold Functionalities
https://www.secureblink.com/threat-research/ducklogs-a-malware-as-a-service-comes-with-multifold-functionalities
Threats:
Ducklogs
Process_hollowing_technique
Softs:
telegram
Secureblink
Ducklogs: A Malware-as-a-Service Comes With Multifold Functionalities | Secure Blink
Ducklogs Malware-as-a-Service offers functionality to steal & exfiltrate user data from compromised systems…
#ParsedReport
19-12-2022
Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government
https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
Actors/Campaigns:
Unc4166 (motivation: information_theft)
Fancy_bear
Threats:
Stowaway_tool
Beacon
Sparepart
Eternal_petya
Cobalt_strike
Process_injection_technique
Industry:
Government
Geo:
Ukrainian, Russian
TTPs:
Tactics: 7
Technics: 22
IOCs:
File: 13
Hash: 14
Url: 6
Path: 11
Command: 4
Domain: 5
IP: 2
Softs:
curl, windows service, windows image
Algorithms:
zip
Win API:
GetSystemFirmwareTable, DriveType
Languages:
visual_basic
Platforms:
x64
Links:
https://github.com/ethanpil/sheret
https://github.com/microsoft/Windows-universal-samples/blob/main/Samples/CustomCapability/Service/Client/smbios.cpp
https://gist.github.com/poudyalanil/ed1a7ed5603805833ca41cbaccefe0d5
https://github.com/DeltoidDelta/Remove-MS-Telemetry-and-Annoyances/blob/master/remove_MS_telemetry.cmd
https://github.com/ph4ntonn/Stowaway
Google Cloud Blog
Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government | Mandiant | Google Cloud Blog
#ParsedReport
19-12-2022
Flying Phish
https://www.domaintools.com/resources/blog/flying-phish
Threats:
Cyberchef_tool
Credential_harvesting_technique
Procmon_tool
Industry:
Telco, E-commerce
Geo:
Chinese
IOCs:
Domain: 8
Email: 8
IP: 1
File: 8
Hash: 5
Url: 2
Softs:
discord, instagram
Algorithms:
base64, zip
Languages:
php
Platforms:
intel
YARA: Found
Links:
https://github.com/DomainTools/SecuritySnacks/tree/main/2022/Flying%20Phish
DomainTools | Start Here. Know Now.
Flying Phish - DomainTools | Start Here. Know Now.
In our latest blog, we’ll explore and analyze a recurring phishing campaign most recently used against a popular social media platform
#ParsedReport
19-12-2022
Iran-linked Charming Kitten espionage gang bares claws to pollies, power orgs
https://www.proofpoint.com/us/newsroom/news/iran-linked-charming-kitten-espionage-gang-bares-claws-pollies-power-orgs
Actors/Campaigns:
Cleaver (motivation: hacktivism, information_theft, cyber_espionage)
Phosphorus
Irgc (motivation: cyber_espionage)
Bec
Threats:
Beacon
Credential_harvesting_technique
Ghostecho
Quantum_locker
Revil
Wannacry
Industry:
Government, Energy, Education, Healthcare, Aerospace
Geo:
Iranian, Tehran, American, Iran, Iranians, Emea, Israel
IOCs:
Domain: 2
Platforms:
intel, arm
The Register
Iran-linked Charming Kitten espionage gang bares claws to pollies, power orgs
If you get email from 'Samantha Wolf', congrats: you're important enough to make a decent target
#ParsedReport
19-12-2022
CVE-2022-41040 and CVE-2022-41082 zero-days in MS Exchange
https://securelist.com/cve-2022-41040-and-cve-2022-41082-zero-days-in-ms-exchange/108364
Threats:
Proxynotshell_vuln
Proxyshell_vuln
Dllhijacker
Trojan.win64.agent.qwibok
Dll_hijacking_technique
CVEs:
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: Unknown
X-Force: Patch: Unknown
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: 3.2,
Vulners: Exploitation: True
X-Force: Risk: 6.5
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: 2.8,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2019, 2019, 2016)
IOCs:
File: 4
IP: 1
Hash: 5
Softs:
microsoft exchange server, microsoft exchange
Languages:
python
Securelist
CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange
At the end of September, GTSC reported the finding of two 0-day vulnerabilities in Microsoft Exchange Server, CVE-2022-41040 and CVE-2022-41082. The cybersecurity community dubbed the pair of vulnerabilities ProxyNotShell.
#ParsedReport
19-12-2022
SentinelSneak: Malicious PyPI module poses as security software development kit
https://blog.reversinglabs.com/blog/sentinelsneak-malicious-pypi-module-poses-as-security-sdk
Actors/Campaigns:
Iconburst
Threats:
Sentinelsneak
Typosquatting_technique
W4sp
Geo:
German
IOCs:
IP: 1
Hash: 48
Languages:
ruby, javascript, python
Links:
https://github.com/javascript-obfuscator/javascript-obfuscator
ReversingLabs
SentinelSneak: Malicious PyPI module poses as security software development kit
A malicious Python file found on the PyPI repo adds backdoor and data exfiltration features to what appears to be a legitimate SDK client from SentinelOne.
#ParsedReport
20-12-2022
Lazarus APTs Operation Interception Uses Signed Binary
https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary
Actors/Campaigns:
Lazarus
IOCs:
File: 2
Hash: 1
Softs:
macos, coinbase, microsoft word, curl
Functions:
startDaemon, DownloadFile, curl_easy_init, curl_easy_setopt
Platforms:
apple, intel, arm
K7 Labs
Lazarus APT’s Operation Interception Uses Signed Binary
Malware authors have regularly used signed binaries to bypass the Apple security mechanism and infect macOS users. We came across […]
#ParsedReport
20-12-2022
Nokoyawa Ransomware: Rust or Bust
https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust
Actors/Campaigns:
Blackcat
Threats:
Nokoyawa
Karma
Nemty
Hive
Blackcat
Industry:
Financial
IOCs:
Hash: 3
Algorithms:
curve25519, salsa20, base64, ecc, sect233r1
Languages:
rust, golang
Links:
https://github.com/threatlabz/tools/tree/main/nokoyawa
https://github.com/kokke/tiny-ECDH-c
Zscaler
Nokoyawa Ransomware: Rust or Bust | Zscaler
Nokoyawa ransomware code ported from C to Rust with new configuration provided at runtime.