#ParsedReport
31-03-2022
Tracking cyber activity in Eastern Europe
https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe
Actors/Campaigns:
Curious_gorge
Comment_crew
Ghostwriter
Industry:
Government, Financial
Geo:
Russia, Korea, Belarusian, Iran, China, Ukraine, Mongolia
IOCs:
IP: 5
Domain: 9
Google
Tracking cyber activity in Eastern Europe
An update on cyber activity in Eastern Europe.
#ParsedReport
31-03-2022
New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits
Actors/Campaigns:
Shell_crew (tags: dropper, rat, backdoor, malware, rootkit)
Axiom
Threats:
Fire_chili_rootkit (tags: dropper, rat, backdoor, malware, rootkit)
Log4shell_vuln (tags: dropper, rat, backdoor, malware, rootkit)
Gh0st_rat
Netbot
Themida_packer_tool
Industry:
Financial
Geo:
Chinese, Korean
TTPs:
IOCs:
File: 10
Path: 1
Domain: 4
Hash: 50
IP: 3
Url: 4
Links:
https://github.com/bowlofstew/rootkit.com/blob/master/cardmagic/PortHidDemo_Vista.c
https://github.com/geemion/Record/blob/master/HideReg.c
https://github.com/sin5678/gh0st
Fortinet Blog
New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
FortiGuard Labs discovered a campaign by Deep Panda exploiting Log4Shell, along with a novel kernel rootkit signed with a stolen digital certificate also used by Winnti. Read to learn about these a…
#ParsedReport
31-03-2022
Cloud Atlas Maldoc
https://inquest.net/blog/2022/03/30/cloud-atlas-maldoc
Threats:
Cloudatlas (tags: rat, malware, phishing)
Industry:
Aerospace, Media, Financial, Government
Geo:
Russian, Ukraine
IOCs:
Hash: 3
Url: 1
Domain: 2
IP: 1
#ParsedReport
31-03-2022
Analysis of BlackGuard - a new info stealer malware being sold in a Russian hacking forum
https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking
Threats:
Blackguard_stealer (tags: cryptomining, vpn, ransomware, malware, phishing, stealer)
Exodus
Terra_stealer
Industry:
Financial, E-commerce
Geo:
Russian
TTPs:
Tactics: 1
Technics: 0
IOCs:
File: 2
Hash: 10
Zscaler
Analysis of BlackGuard - Info Stealer Malware | Zscaler Blog
In this blog, ThreatLabz analyzes BlackGuard, an emerging info stealer malware being sold as a service on a Russian hacking forum.
#ParsedReport
31-03-2022
Phishing pages used for Malware Delivery
https://blog.cyble.com/2022/03/31/phishing-pages-used-for-malware-delivery
Threats:
Sms_stealer (tags: malware, phishing)
Industry:
Media, Financial, Healthcare
Geo:
India
TTPs:
Tactics: 3
Technics: 0
IOCs:
Url: 4
Hash: 1
Cyble
Phishing pages used for Malware Delivery
Cyble Research Labs analyzes a threat actor leveraging Phishing techniques and malware to steal sensitive banking credentials from Patanjali customers.
#ParsedReport
31-03-2022
State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage. Introduction
https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage
Actors/Campaigns:
Siamesekitten (tags: malware)
Sidewinder (tags: malware, stealer)
Threats:
Machete
Industry:
Financial, Government, Energy
Geo:
Nicaragua, Iranian, America, India, Indian, Venezuela, Americans, Africa, Pakistani, Israel, Pakistan, Israeli, Asia, Arabia, Russia, Iran, Ukraine, China, Saudi, Russian
CVEs:
CVE-2017-11882 [Vulners]
Vulners score: 8.3
Exploitation: True
Patch: Official fix
Soft:
- microsoft office (2013, 2010, 2016, 2007)
IOCs:
Email: 1
Domain: 7
File: 15
Hash: 53
IP: 3
Url: 7
Path: 2
YARA: Found
Links:
https://github.com/TheGeekHT/Loki.Rat/
https://github.com/ghuntley/Heijden.Dns
Check Point Research
State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage - Check Point Research
Introduction Geopolitical tensions often make headlines and present a golden opportunity for threat actors to exploit the situation, especially those targeting high-profile victims. In the past month while the Russian invasion of Ukraine was unfolding, Check…
#ParsedReport
31-03-2022
Lazarus Trojanized DeFi app for delivering malware
https://securelist.com/lazarus-trojanized-defi-app/106195
Actors/Campaigns:
Lazarus (tags: malware, backdoor, trojan)
Threats:
Cookietime
Volgmer
Threatneedle
Industry:
Financial
Geo:
Korea
TTPs:
Tactics: 6
Technics: 11
IOCs:
Hash: 12
File: 11
Path: 2
Url: 8
Securelist
Lazarus Trojanized DeFi app for delivering malware
We recently discovered a Trojanized DeFi application that contains a legitimate cryptocurrency wallet called DeFi Wallet, but also implants a full-featured backdoor.
#ParsedReport
31-03-2022
Ransomware Enforcement Operations in 2020 and 2021
https://www.recordedfuture.com/ransomware-enforcement-operations-in-2020-and-2021
Threats:
Revil (tags: ransomware)
Netwalker (tags: ransomware)
Log4shell_vuln
Industry:
Media, Financial, Healthcare, Government
Geo:
Romania, Russian, Uk, Japan, Poland, Ukraine
Recordedfuture
Ransomware Enforcement Operations in 2020 and 2021
This report looks at international law enforcement operations focused on ransomware and is based on data collected over the last 2 years.
#ParsedReport
31-03-2022
Deep Dive Analysis Borat RAT
https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat
Threats:
Borat_rat (tags: trojan, rat, keylogger, malware, ransomware)
TTPs:
Tactics: 6
Technics: 16
IOCs:
File: 2
Hash: 27
Cyble
Deep Dive Analysis – Borat RAT | Cyble
Cyble Research Labs analyzes Borat, a sophisticated RAT variant that boasts a combination of Remote Access Trojan, Spyware, Ransomware and DDoS capabilities.
#ParsedReport
31-03-2022
Conti-nuation: methods and techniques observed in operations post the leaks
https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks
Threats:
Conti
Bazarbackdoor
Trickbot
Cobalt_strike
Qakbot
Proxyshell_vuln
Proxylogon_exploit
Bloodhound_tool
Mimikatz
Zerologon_vuln
CVEs:
CVE-2018-13379 [Vulners]
Vulners score: 4.0
Exploitation: True
Patch: Official fix
Soft:
- fortinet fortios (le6.0.4, le5.6.7)
CVE-2018-13374 [Vulners]
Vulners score: 4.4
Exploitation: Unknown
Patch: Official fix
Soft:
- fortinet fortios (le5.6.7, le6.0.2)
CVE-2021-44228 [Vulners]
Vulners score: 4.0
Exploitation: True
Patch: Official fix
Soft:
- apache log4j (2.0, 2.0, 2.0, 2.0, <2.3.1, <2.12.2, <2.15.0)
- siemens sppa-t3000 ses3000 firmware (*)
- siemens captial (<2019.1, 2019.1, 2019.1)
- siemens comos (*)
- siemens desigo cc advanced reports (4.0, 4.1, 4.2, 5.0, 5.1)
have more...
TTPs:
Tactics: 4
Technics: 0
IOCs:
File: 14
Url: 1
Path: 8
IP: 4
Domain: 1
Hash: 1
NCC Group Research Blog
Conti-nuation: methods and techniques observed in operations post the leaks
This post describes the methods and techniques we observed during recent incidents that took place after the Conti data leaks.
#ParsedReport
31-03-2022
Security Advisory: Spring Cloud Framework Vulnerabilities
https://www.zscaler.com/blogs/security-research/security-advisory-spring-cloud-framework-vulnerabilities
Threats:
Spring4shell
CVEs:
CVE-2022-22963 [Vulners]
Score: CVSS Unknown, Vulners PENDING,
Exploitation: Unknown
Patch: Official fix
CVE-2022-22965 [Vulners]
Score: CVSS Unknown, Vulners PENDING,
Exploitation: Unknown
Patch: Official fix
Links:
https://github.com/spring-projects/spring-framework/commit/7f7fb58dd0dae86d22268a4b59ac7c72a6c22529
Zscaler
Spring Cloud Framework Vulnerabilities
This article provides the analysis of the latest vulnerabilities found in Spring.
#ParsedReport
01-04-2022
APT Attack Disguised as Resume Template for North Korean Defectors (VBS Script)
https://asec.ahnlab.com/en/33322
Threats:
Trojan/vbs.agent
Geo:
Korean
IOCs:
File: 4
Url: 3
Hash: 2
ASEC BLOG
APT Attack Disguised as Resume Template for North Korean Defectors (VBS Script) - ASEC BLOG
The ASEC analysis team has recently discovered that a malicious info-leaking VBS is being distributed via phishing email disguised as North Korea-related material. The email is about casting calls for a North Korea-related broadcast, and a compressed file…
#ParsedReport
01-04-2022
APT Attacks Using Word File Disguised as Donation Receipts for Uljin Wildfire (Kimsuky)
https://asec.ahnlab.com/en/33427
Actors/Campaigns:
Kimsuky (tags: trojan, malware)
Threats:
Akdoor
Trojan/vbs.runner
Geo:
Korea
IOCs:
File: 8
Path: 1
Url: 2
Hash: 7
ASEC BLOG
APT Attacks Using Word File Disguised as Donation Receipts for Uljin Wildfire (Kimsuky) - ASEC BLOG
At the beginning of March this year, a wildfire broke out in the Samcheok and Wuljin area, and numerous people from all over Korea donated to help the victims and restore the damages. Amidst such a situation, the ASEC analysis team discovered the attacker’s…
#ParsedReport
01-04-2022
Dissecting Blackguard Info Stealer. Sophisticated Variant Spotted in the wild
https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer
Actors/Campaigns:
Lapsus
Threats:
Blackguard_stealer (tags: vpn, malware, phishing, stealer)
Industry:
Financial
TTPs:
Tactics: 7
Technics: 16
IOCs:
File: 12
Path: 2
Url: 2
Registry: 1
Hash: 4
Cyble
Dissecting Blackguard Info Stealer
Cyble Research Labs analyzes the Blackguard Info Stealer, which currently has an extremely sophisticated variant out in the wild.
#ParsedReport
01-04-2022
Complete dissection of an APK with a suspicious C2 Server
https://lab52.io/blog/complete-dissection-of-an-apk-with-a-suspicious-c2-server
Threats:
Turla
IOCs:
IP: 1
Hash: 2
Url: 4
Email: 1
#ParsedReport
01-04-2022
AcidRain. A Modem Wiper Rains Down on Europe
https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe
Actors/Campaigns:
Fancy_bear
Sandworm
Threats:
Acidrain (tags: rat, vpn, ddos, malware)
Vpnfilter (tags: botnet)
Whispergate
Hermeticwiper
Isaacwiper
Killdisk
Doublezero
Cyclops_blink
Industry:
Ics, Government, Iot
Geo:
Germany, Ukraine, Italy, German, Italian, Russia
IOCs:
Hash: 2
Links:
https://github.com/trendmicro/tlsh
SentinelOne
AcidRain | A Modem Wiper Rains Down on Europe
As the most impactful cyber attack of the Ukrainian invasion gets downplayed, SentinelLabs uncovers a more plausible explanation.
#ParsedReport
01-04-2022
What Our Honeypot Sees Just One Day After The Spring4Shell Advisory
https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en
Actors/Campaigns:
Lapsus
Threats:
Spring4shell (tags: scan, botnet)
Mirai (tags: botnet)
CVEs:
CVE-2010-1622 [Vulners]
Vulners: Score: 6.0, CVSS: 7.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.5
X-Force: Patch: Official fix
Soft:
- oracle fusion middleware (11.1.1.8.0, 7.6.2, 11.1.1.6.1)
- springsource spring framework (2.5.6, 2.5.7, 2.5.2, 2.5.3, 3.0.0, 2.5.0, 2.5.1, 3.0.2, 3.0.1, 2.5.4, 2.5.5)
CVE-2022-22965 [Vulners]
Vulners: Score: Unknown, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
IOCs:
File: 4
IP: 311
Url: 12
Hash: 18
360 Netlab Blog - Network Security Research Lab at 360
What Our Honeypot Sees Just One Day After The Spring4Shell Advisory
Background
On March 31, 2022, Spring issued a security advisory[1] for the Spring4Shell vulnerability (CVE-2022-22965); this vulnerability has caused widespread concern in the security community.
When we looked back at our data, our threat hunting honeypot…
#ParsedReport
01-04-2022
New UAC-0056 activity: There's a Go Elephant in the room
https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room
Actors/Campaigns:
Unc2589 (tags: stealer, backdoor, malware, phishing)
Threats:
Grimplant
Graphsteel
Cobalt_strike
Elephant_loader (tags: dropper)
Whispergate
Industry:
Media, Government
Geo:
Georgia, Ukrainian, Ukraine
IOCs:
Path: 4
Hash: 10
IP: 1
Links:
https://github.com/denisbrodbeck/machineid
Malwarebytes Labs
New UAC-0056 activity: There's a Go Elephant in the room
In late March, the cyber espionage group UNC2589 also known as SaintBear launched a spear phishing campaign targeting several entities in Ukraine. In this blog we review this attack and the intended payloads.
#ParsedReport
02-04-2022
Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign
https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign
Threats:
Beastmode_botnet (tags: ddos, rat, malware, botnet)
Mirai (tags: ddos, rat, malware, botnet)
Dark_mirai_botnet
Industry:
Iot
CVEs:
CVE-2016-5674 [Vulners]
Vulners: Score: 10.0, CVSS: 8.5,
Vulners: Exploitation: Unknown
X-Force: Risk: 6.3
X-Force: Patch: Unavailable
Soft:
- netgear readynas surveillance (1.4.2, 1.4.1, 1.1.1, 1.1.2, 1.3.2.14, 1.2.0.4, 1.3.2.4, 1.4.0)
- nuuo nvrmini 2 (3.0.0, 2.2.1, 2.0.0, 1.7.6, 1.7.5)
- nuuo nvrsolo (2.3.9.6, 2.3.7.10, 2.0.0, 1.75, 3.0.0, 2.1.5, 2.0.1, 2.3.7.9, 2.3.1.20, 2.3, 2.2.2)
CVE-2021-4045 [Vulners]
Vulners: Score: 10.0, CVSS: 3.7,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- tp-link tapo c200 firmware (le1.1.15)
CVE-2022-25075 [Vulners]
Vulners: Score: 7.5, CVSS: 6.9,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Official fix
Soft:
- totolink a3000ru firmware (v5.9c.2280_b20180512)
CVE-2021-45382 [Vulners]
Vulners: Score: 10.0, CVSS: 5.3,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- dlink dir-820l firmware (-)
- dlink dir-820lw firmware (-)
- dlink dir-826l firmware (-)
- dlink dir-830l firmware (-)
- dlink dir-836l firmware (-)
have more...
CVE-2022-26210 [Vulners]
Vulners: Score: 7.5, CVSS: 7.1,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Unavailable
Soft:
- totolink a830r firmware (5.9c.4729_b20191112)
- totolink a3100r firmware (4.1.2cu.5050_b20200504)
- totolink a950rg firmware (4.1.2cu.5161_b20200903)
- totolink a800r firmware (4.1.2cu.5137_b20200730)
- totolink a3000ru firmware (5.9c.5185_b20201128)
have more...
CVE-2022-26186 [Vulners]
Vulners: Score: 7.5, CVSS: PENDING,
Vulners: Exploitation: Unknown
X-Force: Risk: 7.3
X-Force: Patch: Unavailable
Soft:
- totolink n600r firmware (4.3.0cu.7570_b20200620)
CVE-2017-17215 [Vulners]
Vulners: Score: 6.5, CVSS: 6.9,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Unavailable
Soft:
- huawei hg532 firmware (-)
IOCs:
File: 7
Url: 11
IP: 2
Hash: 22
Fortinet Blog
Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign
FortiGuard Labs analyzed fresh TOTOLINK vulnerabilities which the Beastmode Mirai-based DDoS campaign added to its arsenal. Read about how this threat leverages these vulnerabilities to control aff…
#ParsedReport
03-04-2022
PlugX: A Talisman to Behold
https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html
Actors/Campaigns:
Redfoxtrot
Threats:
Plugx_rat (tags: rat, dns, malware, backdoor, scan)
Thor
Pcshare
Industry:
Telco
Geo:
Asia, China, Africa
TTPs:
Tactics: 3
Technics: 14
IOCs:
File: 13
Path: 2
Domain: 10
Hash: 19
IP: 18
Trellix
PlugX: A Talisman to Behold
This blog covers a PlugX variant that we have named Talisman and its rather long life since it first emerged in 2008.