Company Information

    Anomali was founded in January 2013. The company is based in Redwood City, CA, USA. Anomali has fewer than 500 employees. Anomali delivers earlier detection and identification of adversaries in your organization's network.

    Here is how Anomali describes itself: "Anomali delivers intelligence-driven cybersecurity solutions that enable businesses to gain unlimited threat visibility, speed time to detection, and improve the productivity of security teams."


          Funding & investors

          Anomali has received 6 rounds of venture funding. The total funding amount is around $96.3M.


    News

    Anomali - Blog

• Anomali Cyber Watch: Costa Rica in Ransomware Emergency, Charming Kitten Spy and Ransom, Saitama Backdoor Hides by Sleeping, and More

• The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Conti ransomware, India, Iran, Russia, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

  Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

  Trending Cyber News and Threat Intelligence

  COBALT MIRAGE Conducts Ransomware Operations in U.S. (published: May 12, 2022)
  Secureworks researchers describe campaigns by the Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity's systems and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries, including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and on commodity tools for encryption, internal scanning, and lateral movement.
  Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your systems updated, and employ mitigation strategies when updates for critical vulnerabilities are not available.
  MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
  Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, PowerShell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591

  SYK Crypter Distributing Malware Families Via Discord (published: May 12, 2022)
  Morphisec researchers discovered a new campaign abusing the content distribution network (CDN) of the popular messaging platform Discord. If a targeted user activates the phishing attachment, it starts the DNetLoader malware, which reaches out to the hardcoded Discord CDN link and downloads a next-stage crypter such as the newly discovered SYK crypter. SYK crypter is loaded into memory, where it decrypts its configuration and the next-stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions, checks for a debugging environment, achieves persistence through the startup folder, and runs the payload using the process hollowing technique. For final payloads the actors used the RedLine stealer and various remote access trojans: AsyncRAT, NanoCore RAT, njRAT, QuasarRAT, and WarzoneRAT.
  Analyst Comment: As threat actors increasingly abuse popular cloud services, it is not always feasible to block all their staging domains. Organizations need to implement layered defenses, starting from phishing awareness and finishing with network segmentation.
  MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Impair Defenses - T1562
  Tags: SYK Crypter, DNetLoader, Discord CDN, Quasar RAT, AsyncRAT, NanoCore RAT, QuasarRAT, WarZone RAT, RedLine, njRAT, Agent Tesla, Crypter, WarzoneRAT, RedLine Stealer, Async RAT, Phishing, Windows, Debugger evasion, Process hollowing

  Bitter APT Adds Bangladesh to Their Targets (published: May 11, 2022)
  Bitter (T-APT-17) is a group suspected of being sponsored by the Indian government. Since 2013, Bitter has targeted China, Pakistan, and Saudi Arabia. From August 2021 to at least February 2022, their new cyberespionage campaign targeted the government of Bangladesh with spearphishing emails impersonating Pakistani officials. When a user opens the attached maldoc, the Equation Editor application is launched to run the embedded objects with shellcode that exploits known Microsoft Office vulnerabilities. This allows the attackers to download and execute their custom Trojan-downloader, which Cisco Talos researchers named ZxxZ after a string common in its command-and-control (C2) communication.
  Analyst Comment: The impersonation of government agencies continues to be an effective spearphishing tactic. All users should be informed of the threat phishing poses and of how to safely make use of email. Email attachments should be treated as untrusted regardless of the sender's credibility. Detection and prevention measures should be taken to ensure that users do not fall victim to phishing.
  MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140
  Tags: Bitter, ZxxZ, T-APT-17, APT, JavaMail, Zimbra, cURL, CVE-2018-0798, CVE-2018-0802, CVE-2017-11882, Equation Editor, Spearphishing, Government, Police, Pakistan, Bangladesh, target-country:BD, India, source-country:IN, Cyberespionage

  Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques (published: May 11, 2022)
  Proofpoint researchers describe Nerbian RAT, a new malware written in the Go programming language. It was spreading via malicious email campaigns using COVID-19 lures impersonating the World Health Organization (WHO). Nerbian reuses multiple open-source libraries; it reaches out to the GitHub code of Chacal, a Golang anti-virtual-machine framework designed to make debugging and reverse engineering more difficult. It stops if the size of the hard disk is too small or certain functions take too long to execute, or if it detects certain MAC addresses, processes, and strings in the disk name. Nerbian RAT has additional checks not provided by Chacal that query network interface names and whether the executable is being debugged.
  Analyst Comment: Defenders should monitor for strings referring to offensive GitHub repositories such as Chacal. Many advanced attacks start with basic techniques such as an unwarranted email with a malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness.
  MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
  Tags: Nerbian RAT, Chacal, COVID-19 lures, WHO, Phishing, NerbianRAT, Go, EU, target-region:Europe, Italy, target-country:IT, Spain, target-country:ES, United Kingdom, target-country:UK

  Info-Stealer Campaign Targets German Car Dealerships and Manufacturers (published: May 10, 2022)
  Check Point researchers discovered a years-long phishing campaign that targeted German companies in the automotive industry. In February 2021, the actor behind this campaign started registering typosquatted domains. From July 2021 to mid-March 2022, phishing emails were sent enticing users to open attached ISO files and then the dropped .HTA (HTML Application) file. The final payload was one of various MaaS (Malware as a Service) info-stealers: AZORult, BitRAT, or Raccoon.
  Analyst Comment: Employees should be trained to report suspicious emails to IT. Network defenders are advised to configure a system to detonate suspicious emails in a sandbox environment, for example, as provided by Anomali XDR (ThreatStream). The Anomali Targeted Threat Monitoring service reports newly registered typosquatted domains, which can then be blocked through an Email Security Solution using Anomali Integrator to help protect you from such targeted phishing attacks.
  MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Credentials from Password Stores - T1555
  Tags: AZORult, Raccoon Stealer, BitRAT, EU, Germany, target-country:DE, Iran, source-country:IR, Automotive, Car dealership, Infostealer, ISO, HTA, PowerShell, Phishing, Windows

  APT34 Targets Jordan Government Using New Saitama Backdoor (published: May 10, 2022)
  On April 26, 2022, the Iran-sponsored actor Helix Kitten (OilRig, APT34) targeted Jordan's foreign ministry with a phishing attachment dropping a new backdoor named Saitama. The backdoor is written in .NET and communicates via the DNS protocol. Saitama's command-and-control (C2) includes hardcoded domains with subdomains generated using the Mersenne Twister pseudorandom number generator (PRNG). The backdoor also has a hardcoded list of possible command-line commands that include internal IP and domain addresses, showing the highly targeted nature of the attack and some prior knowledge of the victim's internal infrastructure. Saitama is implemented as a finite-state machine, meaning it changes its state depending on the command received in each state. For example, unsuccessful DNS requests put the backdoor into sleep mode for between 6 and 8 hours, and Saitama has a different sleep time for every situation.
  Analyst Comment: Defense-in-depth is an effective way to help mitigate potential advanced persistent threat (APT) activity. Defense-in-depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.
  MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Dynamic Resolution - T1568 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497
  Tags: Saitama, Helix Kitten, OilRig, APT34, UAC-0056, Saitama.Agent, Backdoor, Macro, APT, Cyberespionage, Iran, source-country:IR, Jordan, target-country:JO, Middle East, Government, Windows, Mersenne Twister, PRNG, DGA, .Net, Base36

  Costa Rica Declares National Emergency after Conti Ransomware Attacks (published: May 9, 2022)
  The Costa Rican President has declared a national emergency following cyber attacks by the Conti ransomware group (threat actor Wizard Spider) on multiple government bodies. The country has been crippled since the April 2022 attack; having refused the ransom demand, its Treasury IT systems have been down for three weeks. Additionally, Conti started publishing the 672 GB dump of the data stolen from Costa Rican government agencies. As Conti threatens many US organizations as well, the US Department of State has offered a multimillion-dollar reward for information to bring Conti co-conspirators to justice.
  Analyst Comment: Cleaning up after ransomware attacks involves restoration of backup data and IT systems, and often purchasing at least some new equipment. A thorough investigation is needed regarding the potential abuse of leaked data in future impersonation/phishing attacks.
  MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Data from Local System - T1005
  Tags: Conti, BazarLoader, Wizard Spider, Conti ransomware group, TrickBot, Conti ransomware, Ryuk, Government, Financial, Costa Rica, target-country:CR, Russia, Social Security

  Dirty Deeds Done Dirt Cheap: Russian RAT Offers Backdoor Bargains (published: May 9, 2022)
  BlackBerry researchers analyzed a commodity malware called DCRat (DarkCrystal RAT). DCRat is a modular malware that receives regular updates even though its lowest price point is just $5 (USD) for two months. DCRat is maintained by a developer in Russia. DCRat's administration tool is programmed in the rarely seen JPHP programming language, whose integrated development environment (IDE) is available only in a Russian-language version. Subscribers have access to over two dozen developer and third-party plugins with various functions, including persistence, cryptomining, and stealing from various information stores.
  Analyst Comment: Defenders are advised to block known DCRat C2 domains. Potentially infected machines can be checked for the presence of DCRat by identifying specific scheduled tasks and Windows registry entries.
  MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] Clipboard Data - T1115 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Steal Application Access Token - T1528 | [MITRE ATT&CK] Endpoint Denial of Service - T1499 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Data Manipulation - T1565 | [MITRE ATT&CK] Inhibit System Recovery - T1490
  Tags: DCRat, DCRat Stealer, Windows, JPHP, DevelNext, PHP, JVM, .NET, Dark Crystal RAT, DCRat Studio, DarkCrystal RAT, boldenis44, crystalcoder, DarkCrystalRAT, DCRatSeller_bot, Russia, source-country:RU

  Observed Threats
  Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:

  Wizard Spider
  Wizard Spider is a financially motivated APT group operating out of Russia that has been active since 2016. Their primary activities involve the development and administration of the Trickbot, Conti, Diavol, and Ryuk malware families. Wizard Spider targets large organizations for a high ransom return, a technique known as big game hunting (or BGH). Their main tool, Trickbot, is a banking trojan that harvests financial credentials and Personally Identifiable Information (PII). While phishing is the main method of malware propagation, other methods such as exposed RDP services are seeing an increase in use. Known associated groups are: Grim Spider, a group that has been operating Ryuk ransomware since August 2018 and is reported to be a cell of Wizard Spider; and Lunar Spider, the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), whose main activities involve data theft and wire fraud.

  OilRig
  The Advanced Persistent Threat (APT) group "OilRig" is believed to be an Iranian-based group that has been active since at least 2014. OilRig conducts cyber espionage operations focused on reconnaissance that benefits Iranian nation-state interests. OilRig uses a mix of public and custom tools to primarily target entities located in the Middle East.

  Charming Kitten
  The cyber espionage group "Charming Kitten" is believed to be an Iranian-based group that has been active since at least 2014. Charming Kitten conducts cyber espionage operations on many entities, particularly diplomatic, media, and military organizations. The group is known for creating fake social media profiles to use in attempts to social engineer their targets. Charming Kitten also creates multiple fake news outlets that copy news articles from other legitimate sources in order to use them as a platform for attacks. The group has been observed using gathered information to blackmail certain targets.

  Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users
  A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently released to the public on December 9, 2021.

  CVE-2021-34473
  Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.
• Dealing with the Cybersecurity Skills Gap

• Welcome to this week's blog. We're getting close to the end of the series in which I explore the "Top 10 List of the Challenges Cybersecurity Professionals Face," as found in our Cybersecurity Insights Report 2022: The State of Cyber Resilience. Coming in at number four on the list is "Lack of skilled cybersecurity professionals." I'm a little surprised this wasn't number one on our list, but organizations have adapted to alleviate this constraint.

  Understanding the Cybersecurity Skills Shortage
  The cybersecurity skills shortage is nothing new, but it was exacerbated by the pandemic, which accelerated digital transformation, expanded attack surfaces, and increased security. According to the latest statistics from (ISC)², there will be approximately 1.8 million unfilled cybersecurity jobs by 2022. Even though that is a significant drop compared to the 3.5 million cybersecurity workforce shortage in 2021, it still leaves a substantial gap in the market.

  Why the cybersecurity skills gap exists – and persists
  I'm always in awe when I watch SOC Analysts, Threat Hunters, and Reverse Engineers work. There's a lot of discipline involved in what they do, and it takes a specific mindset. According to Gartner, there is a persistent cybersecurity skills shortage because the cybersecurity industry covers several different disciplines, ranging from secure coding practices and full-stack knowledge of IT infrastructure to regulatory and legal compliance. Others say it reflects skills shortages across the broader IT market. However, the growing size and intensity of cyber-attacks mean that demand for cybersecurity professionals has grown much faster than in other sectors of the IT job market. It's challenging to find and recruit multidisciplinary IT staff in the first place, so finding someone who has the additional focus on security is even more challenging. Working in cybersecurity requires an extensive range of soft and technical skills and a suitable personality for the job. Despite the massive demand for cybersecurity jobs, IT candidates are less inclined to pursue these careers because of the stress involved.

  What's Required?
  The shortage of cybersecurity skills lies within this tangled web of requirements: to become the person who can protect organizations from cyber attacks, you need many years' worth of applied experience far beyond any formal education. In speaking with colleagues, successful cybersecurity candidates today must first be general security experts with a good grasp of physical and technical cybersecurity issues. You also need deep IT expertise in at least one or two specific domains, with a grasp of the evolution of technology and an understanding of how organizations and their people use technology to achieve their goals. Taking a quick look at job reqs, most companies hiring an entry-level SOC analyst are looking for someone with:
    • 3 to 5 years or more of information security-related experience
    • Technical expertise in IT technology: cybersecurity, cloud computing, networking, and software development
    • Experience-based familiarity with the auditing discipline of information security
    • Knowledge of security and regulatory compliance frameworks: PCI DSS, SOC, NIST, HIPAA, GDPR, etc.
    • The CISA or other information security certifications
  I came across an old stat on cybersecurityventures.com that said only 3 percent of US bachelor's degree grads have cybersecurity-related skills. If more students don't enroll to get the necessary skills, who knows if we'll ever catch up.

  Dealing with the Problem

  Forget About It
  Some organizations still view cybersecurity as a nice, bolt-on process that isn't critical to their business. Cybersecurity is often included in cost-cutting exercises during tough economic times despite the growing intensity and frequency of cyberattacks. Thus, the first (and popular) approach to dealing with unfillable cybersecurity positions is to ignore the problem. Sadly, research has shown that inadequate cybersecurity resources are often a significant cause of cybersecurity incidents. With the increasing intensity and impact of data breaches and other cyberattacks, it's not a strategy anyone in their right mind should follow.

  Nurturing Talent
  Hiring the perfect security professional might make the skills gap feel more significant for many organizations. An ideal approach might be to find and nurture the right talent. Don't underestimate culture fit as well. Someone who checks all of the experience boxes with hands-on experience might look great on paper but might not fit in with the rest of the team. You can always teach people new subjects, but interpersonal skills are a trait that should not be overlooked. Organizations should figure out their ideal profile, work on their must-haves and desirables, and find people who blend in well with the team. Then, nurture this talent over the long term with training and mentorship and enable them to gain experience and grow.

  Share the Responsibility
  Many organizations believe that the security department is solely responsible for security, and that's true - to an extent. As a business leader, your problem isn't a lack of awareness of threats but a lack of resources to help get secure. Organizations with security personnel shortages need to make the best possible use of their existing resources to help relieve security teams' burdens. A sustainable security culture demands that everyone be all in, which means that everyone must be aware of security risks and take steps to mitigate those risks. Everyone plays a part in the company's security strategy and security culture, from executives down to interns. Everyone has a role to play and contributes to its success. Adopting a security-first mindset and ingraining cybersecurity methodologies into your business strategy can help achieve this "all in" mentality. Ensuring that your security objectives are clear and concise will help people understand what they should focus their attention on. Talk about the importance of security at the highest levels, not just from titles like CISO, CSO, etc., but also from other executives at every company level.

  Maximize Effectiveness
  According to SecurityWeek, the so-called 'great resignation' currently upending the US labor market is starting to affect cybersecurity programs, with a growing number of senior leaders opting for early retirement and mid-level managers leaving in droves for less stressful, fully remote work opportunities. To retain cybersecurity talent while attracting new talent, organizations must focus on providing the right technology, efficient workflows, effective management, and strong executive sponsorship for cybersecurity. This improves cybersecurity and reduces unnecessary workloads, frustrations, stresses, and ultimately burnout for cybersecurity teams. It's definitely in an organization's best interest to invest some time and effort into caring for its cybersecurity team's working conditions, organizational structure, and general welfare.

  Utilize Automation
  With the right security tools, such as a threat intelligence management or XDR solution, organizations can automate elements of their cybersecurity roles and responsibilities until they can hire human talent to fill those roles. While there's no replacement for human expertise, automation and machine learning can provide many benefits, including:
    • Improving efficiencies by automating manual security processes and protocols that might seem daunting
    • Improving detection and response capabilities
    • Helping to retain and recruit IT and cybersecurity workers by preventing burnout

  The Bottom Line
  There isn't any single solution to the cybersecurity skills shortage. There will always be too few qualified professionals to fill every job opening at any given time. However, organizations can begin by identifying their current skillset and then adjusting their requirements to determine which skills they need to expand or enhance to fill those gaps appropriately. As always, thanks for reading. Join me next time as I look at number three on our list. In the meantime, download our Cybersecurity Insights 2022 report or scroll through below for direct links to the other blogs in this series.
                          • Anomali Cyber Watch: Moshen Dragon Abused Anti-Virus Software, Raspberry Robin Worm Jumps from USB, UNC3524 Uses Internet-of-Things to Steal Emails, and More

                          • The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Phishing, Ransomware, Sideloading, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.Trending Cyber News and Threat IntelligenceAttackers Are Attempting to Exploit Critical F5 BIG-IP RCE(published: May 9, 2022)CVE-2022-1388, a critical remote code execution vulnerability affecting F5 BIG-IP multi-purpose networking devices/modules, was made public on May 4, 2022. It is of high severity (CVSSv3 score is 9.8). By May 6, 2022, multiple researchers have developed proof-of concept (PoC) exploits for CVE-2022-1388. The first in-the-wild exploitation attempts were reported on May 8, 2022.Analyst Comment: Update your vulnerable F5 BIG-IP versions 13.x and higher. BIG-IP 11.x and 12.x will not be fixed, but temporary mitigations available: block iControl REST access through the self IP address and through the management interface, modify the BIG-IP httpd configuration.MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190Tags: CVE-2022-1388, F5, Vulnerability, Remote code execution, Missing authenticationMobile Subscription Trojans and Their Little Tricks(published: May 6, 2022)Kaspersky researchers analyzed five Android trojans that are secretly subscribing users to paid services. Jocker trojan operators add malicious code to legitimate apps and re-upload them to Google Store under different names. To avoid detection, malicious functionality won’t start until the trojan checks that it is available in the store. The malicious payload is split in up to four files. It can block or substitute anti-fraud scripts, and modify X-Requested-With header in an HTTP request. 
Another Android malware involved in subscription fraud, MobOk trojan, has additional functionality to bypass captcha. MobOk was seen in a malicious app in Google Store, but the most common infection vector is being spread by other Trojans such as Triada.Analyst Comment: Limit your apps to downloads from the official stores (Google Store for Android), avoid new apps with low number of downloads and bad reviews. Pay attention to the terms of use and payment. Avoid granting it too many permissions if those are not crucial to the app alleged function. Monitor your balance and subscription list.MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Data Manipulation - T1565Tags: Android, Jocker, MobOk, Triada, Vesub, GriftHorse, Trojan, Subscription fraud, Subscription Trojan, Russia, target-country:RU, Middle East, Saudi Arabia, target-country:SA, Egypt, target-country:EG, Thailand, target-country:THRaspberry Robin Gets the Worm Early(published: May 5, 2022)Since September 2021, Red Canary researchers monitor Raspberry Robin, a new worm typically installed via a USB drive targeting organizations with ties to technology and manufacturing. The malicious USB has an LNK file masquerading as a folder that is being activated through modification in the UserAssist registry. The actor uses compromised QNAP devices to stage malicious DLL and TOR traffic for further command-and-control (C2) communication. Raspberry Robin extensively uses mixed-case letters in its commands in an attempt to evade detection.Analyst Comment: It is crucial that your company has policies in place that forbid employees from using unknown USB drives. Identify the use of Windows Installer Tool msiexec.exe to download and execute packages in the command-line interface (CLI). Detect the Windows Open Database Connectivity utility (odbcconf.exe) loading a configuration file or DLL. 
Detect regsvr32.exe, rundll32.exe, and dllhost.exe making external network connections with no parameters.MITRE ATT&CK: [MITRE ATT&CK] Replication Through Removable Media - T1091 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218Tags: Raspberry Robin, USB, LNK, DLL, Mixed-case command, UserAssist registry, ROT-13, msiexec, Windows, QNAP NAS, TOR, Worm, ManufacturingUpdate on Cyber Activity in Eastern Europe(published: May 3, 2022)Google researchers describe five advanced groups especially active in Eastern Europe in regard to the military conflict between Russia and Ukraine. Three Russian groups: Fancy Bear (APT28) targets Ukraine with phishing attachments delivering a new information stealer written in .Net. Another group, Turla, attributed to Russia’s Federal Security Services (FSB), targets defense and cybersecurity organizations in Baltic states with phishing links dropping a malicious DOCX that would download a malicious PNG file. GoldRiver (Callisto) group abuses Google and Microsoft services in their credential-stealing phishing attempts with targets including government and defense officials, journalists, NGOs and think tanks, and politicians. Belarus-sponsored group Ghostwriter spoofed Google to target Ukraine and Facebook to target Lithuania. 
Curious George, a group attributed to China’s People's Liberation Army Strategic Support Force (PLASSF), is targeting government, logistics, manufacturing, and military organizations in Central Asia, Russia and Ukraine, including Russia’s Ministry of Foreign Affairs.
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Many advanced attacks start with basic techniques such as an unsolicited email with a malicious attachment that requires user interaction. It is important to teach your users basic online hygiene and phishing awareness.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Ingress Tool Transfer - T1105
Tags: Ukraine, target-country:UA, Russia, source-country:RU, Belarus, source-country:BY, China, source-country:CN, Lithuania, target-country:LT, APT28, Fancy Bear, Turla, FSB, GoldRiver, Callisto, Ghostwriter, Curious George, PLA SSF, Phishing, Windows, Ukraine-Russia Conflict 2022

Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad (published: May 2, 2022)
SentinelOne researchers describe Moshen Dragon, a China-based threat group targeting Central Asia. Moshen Dragon abused binaries from BitDefender, Kaspersky, McAfee, Symantec, and TrendMicro. They performed a specific DLL search order hijacking attack called the sideloading triad, in which the hijacked security software DLLs were used to decrypt and load the final payloads from a third file in the same folder. Moshen Dragon used ShadowPad and PlugX payloads, the Gunters loader, and a Local Security Authority (LSA) Notification Package (SecureFilter).
Analyst Comment: The observed abuse of different anti-virus products does not directly point to their insecurity; it shows an advanced actor utilizing known Windows design limitations. Organizations can use behavioral monitoring capabilities to better detect anomalous behavior, such as files and data being accessed outside the normal working hours or job specification of the account holder. Defense-in-depth can include network and endpoint security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.
MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] OS Credential Dumping - T1003
Tags: Moshen Dragon, Gunters, PlugX, Shadowpad, China, source-country:CN, Central Asia, Windows, DLL search order hijacking, Sideloading triad, Impacket, wmiexec, SecureFilter

UNC3524: Eye Spy on Your Email (published: May 2, 2022)
Mandiant researchers detected an advanced threat group, designated UNC3524, that targets organization networks to steal emails from IT departments, executives, and those responsible for mergers and acquisitions. In the victim networks, they target trusted systems such as load balancers, Storage Area Network (SAN) arrays, and wireless access point controllers that might be running older versions of BSD or CentOS. These systems are often unsupported by agent-based security tools, allowing the attackers to stealthily deploy their QuietExit backdoor, which acts as an SSH client-server.
Command-and-control (C2) communication comes from an Internet-of-Things (IoT) botnet consisting mostly of LifeSize conference room camera systems. UNC3524 actors use a heavily obfuscated version of the ReGeorg web shell as a backup backdoor for re-infection, move laterally using WMIEXEC, and target selected mailboxes in either the on-premises Microsoft Exchange or the Microsoft 365 Exchange Online environment.
Analyst Comment: Defenders should hunt for outbound SSH traffic from unknown IPs and on ports other than 22. Investigate large volumes of outbound traffic from NAS arrays and load balancers. Identify devices on your network that do not support monitoring tools, harden them, and limit or block egress traffic from such devices.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Query Registry - T1012 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] System Network Connections Discovery - T1049 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Software Discovery - T1518 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Two-Factor Authentication Interception - T1111 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Logon Scripts - T1037 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Protocol Tunneling - T1572 | [MITRE ATT&CK] Encrypted Channel - T1573 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Masquerading - T1036
Tags: QuietExit, UNC3524, ReGeorg, Cyberespionage, Microsoft Exchange, Email collection, IoT, Botnet, Persistence, Dropbear SSH, WMIEXEC, SOCKS, BSD, CentOS, LifeSize, Dynamic DNS, APT

REvil Ransomware Returns: New Malware Sample Confirms Gang is Back (published: May 1, 2022)
The REvil (Sodinokibi, Pinchy Spider) ransomware group resumed its operations. In October 2021, the group shut down after a law enforcement operation hijacked its Tor servers, and Russian police arrested some of its members. At the end of April 2022, the group became active on its ransom websites, listing new and old victims, and on April 29, 2022, researchers detected a new sample of its encryptor, compiled from its source code and including new changes. The new REvil sample is highly targeted: it includes a new configuration field, 'accs,' with credentials for the specific victim (specified accounts and Windows domains), preventing encryption on devices outside of the intended target.
Analyst Comment: It is crucial that your company ensures that servers are always running the most current software version. Your company should have policies in place regarding the proper configurations needed for your servers in order to conduct your business safely. Additionally, always practice defense-in-depth (do not rely on single security mechanisms; security measures should be layered, redundant, and failsafe). Furthermore, a business continuity plan should be in place in case of a ransomware infection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] System Owner/User Discovery - T1033
Tags: Pinchy Spider, Sodinokibi, REvil, Ransomware, Windows, Russia, source-country:RU

Russian Hackers Compromise Embassy Emails to Target Governments (published: May 1, 2022)
In January-March 2022, APT29 (Cozy Bear, Nobelium; attributed to Russia’s Foreign Intelligence Service (SVR)) targeted diplomats and government entities with phishing attacks sent from previously compromised diplomatic email addresses. To mask their command-and-control (C2) traffic, the attackers used compromised websites and abused legitimate services such as Atlassian Trello, Firebase, and DropBox.
They used a customized Cobalt Strike Beacon backdoor and a number of custom malware families: the BeatDrop downloader, the BoomMic (VaporRage) shellcode downloader, and the RootSaw (EnvyScout) dropper.
Analyst Comment: Anti-phishing training should include ways to verify the authenticity of a received email, such as a phone call. Network defenders are advised to configure a system to detonate suspicious emails in a sandbox environment, for example as provided by Anomali XDR (ThreatStream).
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Access Token Manipulation - T1134 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Indirect Command Execution - T1202 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Trusted Relationship - T1199 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] Query Registry - T1012 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] System Network Connections Discovery - T1049 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Permission Groups Discovery - T1069 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Domain Trust Discovery - T1482 | [MITRE ATT&CK] Software Discovery - T1518 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Data from Network Shared Drive - T1039 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] Data from Information Repositories - T1213 | [MITRE ATT&CK] Archive Collected Data - T1560 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets - T1558 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Non-Standard Port - T1571 | [MITRE ATT&CK] Encrypted Channel - T1573 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] Service Stop - T1489 | [MITRE ATT&CK] System Shutdown/Reboot - T1529 | [MITRE ATT&CK] Data Transfer Size Limits - T1030
Tags: APT29, Cozy Bear, Nobelium, SVR, BeatDrop, BoomMic, VaporRage, Cobalt Strike Beacon, RootSaw, EnvyScout, ISO, LNK, Trello, Firebase, DropBox, Russia, source-country:RU, Government, Embassy, Poland, Turkey, France

Observed Threats
Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:

APT28
The Advanced Persistent Threat (APT) group “APT28” is believed to be a Russian-sponsored group that has been active since at least 2007. The group displays high levels of sophistication in the multiple campaigns that have been attributed to it, and the various malware and tools used to conduct the operations align with the strategic interests of the Russian government. The group is believed to operate under the Main Intelligence Directorate (GRU), the foreign intelligence agency of the Russian armed forces.

APT29
The Advanced Persistent Threat (APT) group “APT29” is a Russian-based group that was first reported on in July 2013 by Kaspersky and CrySyS Lab researchers. Prior to this report, malicious activity had been observed but not yet attributed to one sophisticated group. The group boasts an arsenal of custom and complex malware at its disposal and is believed to be sponsored by the Russian Federation government. APT29 conducts cyber espionage campaigns and has been active since at least 2008. The group primarily targets government entities and organizations that work in geopolitical affairs around the world; however, a plethora of other targets have also been identified.

Pinchy Spider
Pinchy Spider is a Russian-speaking threat group that runs a Ransomware-as-a-Service (RaaS). The threat group has been active since January 2018, when it announced the GandCrab RaaS on the “exploit[.]in” forum. The GandCrab RaaS was discontinued in June 2019 in favour of the newer RaaS Sodinokibi/REvil.

CVE-2022-1388
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
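The Raspberry Robin and UNC3524 analyst comments in the issue above give four concrete hunting rules (msiexec.exe pulling a package from a URL, odbcconf.exe loading a configuration file or DLL, regsvr32/rundll32/dllhost connecting externally with no parameters, and outbound SSH from unexpected hosts or on ports other than 22). The following is an added example of those rules as detection logic, not Anomali, Red Canary or Mandiant code. It assumes telemetry already normalized into dicts with Sysmon-style process-create and network-connect fields and Zeek-style flow records (the field names are an assumption), and every sample event is constructed.

```python
"""Detection logic for the Raspberry Robin and UNC3524 hunting guidance.
Added example; the event schema is assumed (Sysmon-style process/netconn
records, Zeek-style flow records, normalized to dicts) and the telemetry
below is constructed, not real."""
import ipaddress
import re
import shlex
from typing import Dict, FrozenSet, List

URL_RE = re.compile(r"https?://", re.IGNORECASE)       # msiexec fetching a remote package
FILE_RE = re.compile(r"\.(dll|rsp)\b", re.IGNORECASE)   # odbcconf loading a DLL or response file
PROXY_BINARIES = {"regsvr32.exe", "rundll32.exe", "dllhost.exe"}
# RFC 1918 and loopback count as internal here; extend with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample telemetry (not real data). Comments mark expected hits.
EVENTS: List[Dict] = [
    {"type": "process", "pid": 1001, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /q /i http://example.invalid/pkg.msi"},                  # hit
    {"type": "process", "pid": 1002, "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r"odbcconf /a {REGSVR C:\Users\Public\x.dll}"},                    # hit
    {"type": "process", "pid": 1003, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe"},
    {"type": "netconn", "pid": 1003, "dst_ip": "203.0.113.10", "dst_port": 443},  # hit
    {"type": "process", "pid": 1004, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "netconn", "pid": 1004, "dst_ip": "10.0.0.5", "dst_port": 445},      # benign: args, internal
    {"type": "process", "pid": 1005, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\installers\app.msi /qn"},                          # benign: local package
    {"type": "flow", "src_ip": "10.0.0.77", "dst_ip": "198.51.100.5",
     "dst_port": 8443, "service": "ssh"},                                          # hit: SSH on 8443
    {"type": "flow", "src_ip": "10.0.0.12", "dst_ip": "198.51.100.9",
     "dst_port": 22, "service": "ssh"},                                            # benign if allowlisted
]


def image_name(image: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return image.rsplit("\\", 1)[-1].lower()


def has_no_parameters(cmdline: str) -> bool:
    """True when the command line is just the image (posix=False keeps a
    quoted path with spaces as a single token)."""
    return len(shlex.split(cmdline, posix=False)) <= 1


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(events: List[Dict], ssh_allowlist: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Apply the four rules; network-connect events are joined to the
    process-create event with the same pid to inspect the command line."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings: List[Dict] = []
    for e in events:
        if e["type"] == "process":
            name = image_name(e["image"])
            if name == "msiexec.exe" and URL_RE.search(e["cmdline"]):
                findings.append({"rule": "msiexec-url-install", "pid": e["pid"]})
            elif name == "odbcconf.exe" and FILE_RE.search(e["cmdline"]):
                findings.append({"rule": "odbcconf-file-load", "pid": e["pid"]})
        elif e["type"] == "netconn":
            p = procs.get(e["pid"])
            if (p and image_name(p["image"]) in PROXY_BINARIES
                    and has_no_parameters(p["cmdline"]) and is_external(e["dst_ip"])):
                findings.append({"rule": "proxy-binary-external-no-args", "pid": e["pid"]})
        elif e["type"] == "flow" and e.get("service") == "ssh":
            # SSH identified by protocol, not port, so non-22 egress is caught.
            if e["dst_port"] != 22 or e["src_ip"] not in ssh_allowlist:
                findings.append({"rule": "ssh-egress-anomaly",
                                 "src_ip": e["src_ip"], "dst_port": e["dst_port"]})
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS, frozenset({"10.0.0.12"})):
        print(finding)
```

The join on pid is what makes the third rule usable: the network event alone says nothing about parameters, so the process-create record must be kept around long enough to be looked up. The SSH rule keys on the identified service rather than the destination port, which is the point of the UNC3524 guidance; the allowlist is the set of hosts expected to originate SSH at all.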
                          • Anomali Cyber Watch: Time-to-Ransom Under Four Hours, Mustang Panda Spies on Russia, Ricochet Chollima Sends Goldbackdoor to Journalists, and More

                          • The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, LNK files, Malspam, North Korea, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity (published: April 28, 2022)
ESET researchers found three different teams under the China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019. Its infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog’s infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs).
Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Inter-Process Communication - T1559 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Access Token Manipulation - T1134 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Application Window Discovery - T1010 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Software Discovery - T1518 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Peripheral Device Discovery - T1120 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] Query Registry - T1012 | [MITRE ATT&CK] Clipboard Data - T1115 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Audio Capture - T1123 | [MITRE ATT&CK] Automated Collection - T1119 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Data from Removable Media - T1025 | [MITRE ATT&CK] Archive Collected Data - T1560 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Encrypted Channel - T1573 | [MITRE ATT&CK] Data Transfer Size Limits - T1030 | [MITRE ATT&CK] System Shutdown/Reboot - T1529
Tags: TA410, FlowingFrog, LookingFrog, JollyFrog, FlowCloud, China, source-country:CN, Mustang Panda, APT10, Tendyron, X4 backdoor, Lookback, Korplug, PlugX, QuasarRAT, Royal Road, Asia, Middle East, EU, Government, Military, Education

BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX (published: April 27, 2022)
Secureworks researchers detected a new campaign by the China-sponsored group Mustang Panda (Bronze President) targeting Russia. They found overlapping infrastructure previously used by the same advanced persistent threat (APT) group. In the last two years, Mustang Panda switched its targeting from Southeast Asia to Europe, and now to Russia. The latest attack starts with the threat actors delivering, by an undetermined method, a Windows executable file with a Russian-language name that masquerades as a PDF file. It is heavily obfuscated, and upon user execution it downloads four files from a staging server: a decoy, a legitimate but vulnerable signed executable, a malicious DLL, and the PlugX payload.
Analyst Comment: Suspicious attachments and unsolicited files from the Internet should be reported to the system administrator and investigated. Report abnormal file behaviors, such as when the content of an opened attachment does not match its filename and/or email context.
Administrators should focus on detecting and blocking masquerading executable attachments.
MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059
Tags: Bronze President, Mustang Panda, PlugX, DLL search order hijacking, APT, Government, Military, Russia, China, source-country:CN, Russia, target-country:RU, EU, target-region:EU

Stonefly: North Korea-linked Spying Operation Continues to Hit High-Value Targets (published: April 27, 2022)
Symantec researchers describe 2022 cyberespionage efforts by DarkSeoul (Stonefly, Silent Chollima), a North Korea-sponsored group first detected in 2009. The attackers breached an engineering organization working in the energy and military sectors by exploiting the Log4j2 (CVE-2021-44228) vulnerability on a public-facing VMware View server. During the attack, they relied on their updated custom backdoor Preft, a custom infostealer, and a number of open-source tools: the 3proxy tiny proxy server, Invoke-TheHash, Mimikatz, PuTTy, and WinSCP. Preft works in four stages: the main Python script (Stage 1) unpacks two shellcode scripts and the payload; the first shellcode script (Stage 2) starts Internet Explorer and injects the second shellcode (Stage 3) into it; the final payload (Stage 4) acts as an HTTP remote access tool (RAT).
Analyst Comment: Organizations should consider blocking certain open-source tools, scanners, and remote administration tools in their environments. Keep your systems updated, segregate your networks, and limit the accessibility of your servers from the Internet.
MITRE ATT&CK: [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] Use Alternate Authentication Material - T1550 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Archive Collected Data - T1560 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] Data from Local System - T1005
Tags: Stonefly, DarkSeoul, BlackMine, Operation Troy, Silent Chollima, APT, North Korea, source-country:KP, Energy, Military, Engineering, VMware View, Backdoor.Preft, 3proxy tiny proxy server, WinSCP, Invoke-TheHash, PuTTy, Mimikatz, Log4j, CVE-2021-44228

New Black Basta Ransomware Springs into Action with a Dozen Breaches (published: April 27, 2022)
The Black Basta ransomware group first appeared in the second week of April 2022 and has since breached at least twelve companies. One notable example is the attack on the US-based American Dental Association (ADA): Black Basta started leaking ADA’s data but then withdrew it, likely due to ransom negotiations. Black Basta shows signs of being an experienced ransomware group that went through a rebranding. MalwareHunterTeam and other researchers assess with medium confidence that Black Basta is a rebrand of the Conti ransomware operated by the threat group Wizard Spider.
Analyst Comment: As with other forms of cyber-attacks, it is crucial that organizations ensure that their systems are secure and protected.
This includes patch management, enhanced security systems and practices, regular backups, and effective solutions to security problems. Policies should be updated to include how to address these double-ransom attacks.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Black Basta, Conti ransomware, Conti, Wizard Spider, American Dental Association, USA, target-country:US

VMWare Identity Manager Attack: New Backdoor Discovered (published: April 25, 2022)
On April 6, 2022, VMware addressed a number of vulnerabilities, including a VMware Workspace ONE Access (formerly VMware Identity Manager) remote code execution (RCE) vulnerability (CVE-2022-22957). On April 11, a proof-of-concept for this RCE was published, and on April 13 it started to be exploited in the wild. Morphisec researchers detected exploitation to launch reverse HTTPS backdoors, mainly Cobalt Strike, Core Impact, or Metasploit payloads. Core Impact is a penetration testing tool developed by Core Security and abused by the attackers. The attack flow includes exploitation to deploy a PowerShell stager, which downloads a large, highly obfuscated PowerShell script identified as the PowerTrash Loader; this decompresses the deflated payload, a Core Security agent, and reflectively loads it in memory.
Analyst Comment: Administrators of VMware identity access management should immediately apply the VMware patches or consider virtual patching. Make sure your affected identity access management components are not accidentally published on the internet.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Ingress Tool Transfer - T1105
Tags: Core Impact, Cobalt Strike, PowerTrash Loader, Powershell, Metasploit, CVE-2022-22958, CVE-2022-22954, CVE-2022-22957, VMware, Workspace ONE Access, VMware Identity Manager

Emotet Malware Infects Users Again after Fixing Broken Installer (published: April 25, 2022)
The threat group Mummy Spider adopted a new way to deliver Emotet, its modular stealer-downloader. The first wave of malspam could not infect due to a file-referencing error in the LNK dropper code, but Mummy Spider fixed it by April 25, 2022. This new malspam campaign includes password-protected ZIP archive attachments containing Windows shortcut (LNK) droppers masquerading as Microsoft Word documents. After the user executes the LNK dropper, it finds a string in itself, copies the remainder into a Visual Basic Script (VBS) file, and executes it.
Analyst Comment: Defenders are advised against allowing .LNK files in incoming email attachments or password-protected archives. Block .VBS executions out of temporary folders.
Encourage your users to report to the sysadmin instead of clicking through unsolicited suspicious emails, especially those with password-protected archives.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140
Tags: Mummy Spider, Emotet, Epoch4, LNK, VBS, Cobalt Strike, Phishing, Malspam, USA, target-country:US

North Korean Hackers Targeting Journalists with Novel Malware (published: April 25, 2022)
Stairwell researchers describe a multi-stage spearphishing attack on NK News, a US-based news outlet covering North Korea. The attack is attributed to the North Korea-sponsored group APT37 (Ricochet Chollima, ScarCruft). Prior to the attack, APT37 compromised the computer of a former South Korean intelligence official, stole his past email correspondence with the NK News founder, and registered a similar-looking email address. They also typosquatted the NK News domain by registering the .US instead of the .COM top-level domain (TLD). The infection chain involved the user extracting and executing an attached LNK file, leading to PowerShell and shellcode scripts executing sequentially and downloading additional malware, abusing Microsoft OneDrive and Google Drive file storage. The final payload, Goldbackdoor, shares code similarities with the Bluelight malware attributed to APT37 by Volexity in August 2021.
Analyst Comment: Have offline antivirus capabilities available, as APT37 pads its malicious attachments to make them too large for online analysis. Some foreign spearphishing attempts can be identified by minor inconsistencies in grammar or even cultural settings. In the described case, the target became suspicious of the request for help getting a book published in the US, something not so complicated.
MITRE ATT&CK: [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Input Capture - T1056
Tags: Goldbackdoor, Gold-backdoor, Bluelight, LNK, PowerShell, Fantasy, APT37, Ricochet Chollima, ScarCruft, Chinotto, Windows, Government, USA, target-country:US, North Korea, source-country:KP, Journalists, Mass media

Quantum Ransomware (published: April 25, 2022)
Researchers with The DFIR Report detail a March 2022 domain-wide ransomware attack with an extremely short Time-to-Ransom (TTR) of 3 hours and 44 minutes. The first stage of the attack saw a user in the organization clicking a phishing ISO attachment and executing the embedded LNK file, resulting in an IcedID infection. The actors gathered system and network information and created a scheduled task for IcedID persistence. During the second hour of the attack, they created a cmd.exe process and injected Cobalt Strike into it, then proceeded with domain and network discovery and stealing credentials from LSASS memory. During the third hour, the attackers used stolen credentials to remotely (RDP) access one of the organization’s servers, deployed Cobalt Strike on it on the second attempt, and moved laterally to other Domain Controllers and file servers in the environment. Finally, during the fourth hour, the attackers staged the Quantum ransomware executable on the Domain Controller, used Admin Shares to deliver it to individual machines, and executed it via WMIC and PsExec from the Domain Controller.
Analyst Comment: Attackers can encrypt your organization’s machines just a couple of hours after an employee activated a phishing email. Defenders should implement constant network monitoring and consider 24/7 security operations center (SOC) operations to respond to detected warnings in a timely manner.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Domain Trust Discovery - T1482 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Software Discovery - T1518 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Application Layer Protocol - T1071
Tags: Quantum, Ransomware, IcedID, Cobalt Strike, ISO, LNK, RDP, WMI, PsExec, Scheduled task, AdFind, Active Directory, LSASS, Powershell

Observed Threats
Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:

Mummy Spider
Mummy Spider is a cybercrime actor that was first identified by the security community in June 2014. Mummy Spider is associated with the Emotet malware, which they used initially as a banking trojan but which has been updated over time to function as a modular downloader.
Mummy Spider operates Emotet as a service, and it has been used to deliver multiple malware families such as Cobalt Strike, IcedID, Gootkit, and Trickbot, among others. Mummy Spider targets all industries on a global scale by distributing the Emotet trojan via wide-scale malspam campaigns with malicious attachments or hyperlinks embedded in email messages.

Mustang Panda
Malicious activity conducted by the China-based cyberespionage group Mustang Panda was first identified by CrowdStrike in April 2017 and later published under the name Mustang Panda in June 2018. The group is motivated by gaining access to information that appears to align with the strategic goals laid out by the government of the People’s Republic of China.

Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users
A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, an open source Java package used to enable logging. The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently released to the public on December 9, 2021.

CVE-2022-22954
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

CVE-2022-22957
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through a malicious JDBC URI, which may result in remote code execution.

CVE-2022-22958
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through a malicious JDBC URI, which may result in remote code execution.
                          • More Tools, More Problems: Why It’s Important to Ensure Security Tools Work Together

                          • Welcome to blog #six as I explore the “Top 10 List of the Challenges Cybersecurity Professionals Face,” as found in our Cybersecurity Insights Report 2022: The State of Cyber Resilience.

In the last blog, I wrote about the challenges that organizations have with disparate tools, highlighted by the fact that mature enterprise organizations deployed over 130 security tools on average. That blog is a perfect introduction to number five on our list of challenges enterprise organizations face: ‘Solutions not customized to the types of risks we face.’

More Tools, More Problems
Most security teams use several security management tools to help them manage their security infrastructure. While each tool was acquired for a specific reason and purpose, introducing each tool into an existing security tech stack poses a different challenge. Unfortunately, there’s no one-size-fits-all approach.

Every new security tool introduced requires integration to use the tool effectively. It takes a lot of time and effort to implement a tool properly into your environment and processes. There would most likely need to be training involved for those analysts who would be using the new tools. While necessary, these tasks take time and attention away from everyday activities and can significantly decrease a security team’s effectiveness before the tools are fully integrated into their workflow.

An Increase in Multiple Tools Increases Security Complexity
The increasing adoption of cybersecurity solutions has created more consequences and challenges for organizations and their IT teams. With each addition of a new solution, another problem emerges: tool sprawl. Tool sprawl is when an organization invests in various tools that make it harder for IT teams to manage and orchestrate the solution.

Time is a precious commodity, especially in cybersecurity. It takes time to collect information from multiple tools and disparate data sources, then correlate it manually with the necessary intelligence. Instead of responding quickly to an attack, analysts will waste time collecting the data and relevant intelligence needed to understand what kind of attacks they are dealing with and which actions they should take. Instead of fixing a problem, security teams may suddenly find that they’ve added more.

How Cybersecurity Tools Grew Out of Control
Traditional cybersecurity operations were designed to manage anti-viruses, install and monitor firewalls, protect data, and help users manage passwords. It was evident by the mid-1990s that investing in cybersecurity would be necessary. Organizations now had a budget for security and had to figure out which parts of their infrastructure were most vulnerable.

As their strategy evolved, organizations began investing in hiring cybersecurity experts but realized people are expensive. They then began buying various tools to complement their security professionals. They soon realized that there was a security tool you could buy that could help resolve the situation for any potential problem.

The desire to throw tools at a situation continues today. Cybersecurity budgets have increased since the pandemic sped up digital transformation efforts and increased an organization’s attack surface. Board members and executives realize the need to invest more in cybersecurity. New security products continue to spring up, promising to solve problems and secure all the various parts of businesses’ technology stacks. Unfortunately, when adding tools, too many organizations make the mistake of looking for a quick fix, working in silos to solve one problem rather than taking a holistic approach to evolving their cybersecurity strategy.

Consolidation of Vendors on the Rise
Gartner conducted a survey on Security Vendor Consolidation Trends that revealed that 80% of the security leaders surveyed were pursuing vendor consolidation initiatives. An ESG survey also showed that 62% of companies are now rethinking how they purchase and deploy security technology. This aligns with what we found in our Cybersecurity Insights Report: Enterprise Security Decision Makers seek new solutions that are well-supported, easy to use, and integrated with other cybersecurity systems and different parts of their organizations.

Security teams gain greater operational efficiencies when products are designed to work together. More importantly, it helps ensure an effective security posture to protect against today’s sophisticated threats.

Best Practices for Evaluating Cybersecurity Tools
New security toolsets continue to emerge from new vendors or existing players expanding their offerings. Trying to keep up with the latest security trends can be overwhelming for security teams that are already overworked with day-to-day operations and trying to keep up with an ever-evolving threat landscape. This makes it harder for organizations to ensure they get the right tools to fit into their environment seamlessly. What steps can you take when searching for or evaluating new tools?

Identify Your Problem
What problem are you trying to solve? Are there specific use cases you need to be addressed? It’s essential to understand your current attack surface to address any holes. Where are the gaps in your existing tech stack? What tools will help your organization enhance your defenses and reduce overall risk for your company? Leverage your analysts to see what challenges they’re having. Reach out to stakeholders to see what their priorities are to ensure your goals are aligned. Once you understand the problem, you can then solve it.

Define Requirements
Map out your high-level requirements to meet your identified problem or any specific needs or use cases. Identify the critical users so you can get their input. Determine how it aligns with your existing tech stack to determine integration needs. Ensure you involve other stakeholders, like IT, network infrastructure, etc. As you define these requirements and work cross-functionally, you’ll be able to narrow down the number of solutions you’ll need to evaluate.

Minimize Disruptions
As you evaluate solutions, you need to ensure that any new tools you bring on board do not impact your current security posture or infrastructure. There may be processes in place or infrastructure needs that cannot be altered. There are also existing security tools in place to protect your organization that should not be paused or shut down to enable any open access for attackers. Ensure you’ve fully assessed your current cybersecurity posture, including policies, incidents, and historical data, to gain a complete picture of the environment and ensure you don’t run into any issues.

Try Before You Buy
Ask the vendor if they offer a pilot program or POC, or if they have a demo environment that you can explore. See if there are existing integrations you can test. Establish evaluation criteria for what’s important to you to evaluate the solution and quickly compare it to others you’ll be reviewing. The more you know beforehand, the better you’ll be at deployment.

Ask Your Peers
You’re not the only one who’s experienced this problem. Check with peers to see which tools they use and see if any of their solutions meet your needs. Read up on what industry analysts are saying to see what they recommend.

One Tool to Rule Them All?
XDR (Extended Detection and Response) solutions are different from other security tools in that they centralize data collection from multiple sources, including EDR, network, messaging, cloud security, etc., to break down security silos and detect threats. Security analysts need a solution that intelligently brings together all relevant security data to help detect advanced adversaries and sophisticated attacks in real time. As adversaries use more complex attack tactics, techniques, and procedures (TTPs), analysts need more complete visibility and insights for faster detection.

XDR might be the solution to end tool sprawl. Only time will tell. Every environment is different. Choosing the right tools to protect your organization is essential. Ensuring that those tools work together to quickly detect and respond to cyberattacks is even more critical.

Thanks for reading. We're getting closer to the top of the list. Please join me next time as I look at number four on our list. In the meantime, download our Cybersecurity Insights 2022 report or scroll through below for direct links to the other blogs in this series. Or click here to learn more about XDR.
                          • Anomali Cyber Watch: Gamaredon Delivers Four Pterodos At Once, Known-Plaintext Attack on Yanluowang Encryption, North-Korea Targets Blockchain Industry, and More

                          • The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, CatalanGate, Cloud, Cryptocurrency, Information stealers, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems (published: April 25, 2022)
Cybereason researchers have compared trending attacks involving SocGholish and Zloader malware. Both infection chains begin with social engineering and malicious downloads masquerading as legitimate software, and both lead to data theft and possible ransomware installation. SocGholish attacks rely on drive-by downloads followed by user execution of a purported browser installer or browser update. The SocGholish JavaScript payload is obfuscated using random variable names and string manipulation. The attacker domain names are written in reverse order with the individual string characters placed at the odd index positions. Zloader infection starts by masquerading as a popular application such as TeamViewer. Zloader acts as an information stealer, backdoor, and downloader. Active since 2016, Zloader actively evolves and has acquired detection evasion capabilities, such as excluding its processes from Windows Defender and using living-off-the-land (LotL) executables.

Analyst Comment: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors.

MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets - T1558 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Domain Trust Discovery - T1482 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048

Tags: SocGholish, Zloader, Masquerading, LotL, Cobalt Strike, SharpView, Rubeus, Stracciatella, PowerShell, Seatbelt, PowerShellRunner, SharpChromium, TeamViewer, CVE-2013-3900, Drive-by

TeamTNT Targeting AWS, Alibaba (published: April 21, 2022)
The German-speaking cryptojacking group TeamTNT is actively modifying its scripts after they were made public by security researchers. These scripts primarily target Amazon Web Services (AWS) and modern development operations environments such as Docker and Kubernetes. TeamTNT scripts impair defenses by disabling cloud security tools and agents provided by Alibaba Cloud Security, BMC Helix Cloud Security, and Tencent Cloud Monitor. Other malicious functionality includes credential stealing, cryptocurrency mining, lateral movement, and persistence.

Analyst Comment: Organizations should monitor their outgoing cloud traffic for connections to the TeamTNT servers and cryptocurrency mining pools. Configure an Amazon CloudWatch alarm for ongoing steady utilization at exactly 70%. Investigate if your security or monitoring tools stop working. Limit the use of the root user, and implement multi-factor authentication and security logging.

MITRE ATT&CK: [MITRE ATT&CK] Execution Guardrails - T1480 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] Account Manipulation - T1098

Tags: TeamTNT, Alibaba, XMRig, Monero, Cryptomining, Cryptocurrency, Cryptojacking, Cloud, AWS, Docker, Kubernetes, bcm-agent, aegis agent

Criminals Provide Ginzo Stealer for Free, Now It is Gaining Traction (published: April 21, 2022)
The Ginzo stealer was first advertised on a Russian-speaking hacker forum at the beginning of March 2022. Initially offered for free, Ginzo gained significant interest from other threat actors, resulting in more than 400 Ginzo stealer binaries on VirusTotal between the 20th and 30th of March 2022. The Ginzo actors are starting to provide Ginzo as a paid service. They also have access to the stolen data, as exfiltration goes through their server. The Ginzo stealer is obfuscated with ConfuserEx, requiring on-the-fly decryption and data initialization for string decryption, so that automatic deobfuscation by researchers is not sufficient.

Analyst Comment: Information stealing is a common and prevalent threat facing individuals and organizations around the world. Education on frequently used delivery methods such as malspam and phishing emails can help prevent infection. In addition, maintain efficient log management policies to identify potentially abnormal network activity.

MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Archive Collected Data - T1560

Tags: Ginzo, Information stealer, ConfuserEx, Electrum, Exodus, Cryptocurrency, Coinbase

Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine (published: April 20, 2022)
The Russia-linked cyberespionage group Gamaredon (Primitive Bear, Shuckworm) continues to target Ukrainian organizations. After using phishing to get into a victim computer, the group deploys multiple variants of the same malware, Backdoor.Pterodo (Pteranodon), that have similar functionality and obfuscation techniques but use different command-and-control (C2) servers. Symantec researchers observed four variants used in recent attacks; these are Visual Basic Script (VBS) droppers that drop a VBScript file, use Scheduled Tasks for persistence, and download additional code from a C2 server. Additionally, Gamaredon utilizes UltraVNC, an open-source remote-administration tool, and Process Explorer, a Microsoft Sysinternals tool.

Analyst Comment: Gamaredon relies on a large number of phishing emails, so it is important to provide anti-phishing training and discourage users from enabling editing and interacting with unwarranted, suspicious attachments. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.

MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Remote Access Tools - T1219

Tags: Gamaredon, Primitive Bear, Shuckworm, APT, Russia, source-country:RU, Ukraine, target-country:UA, VBS, Backdoor.Pterodo, Pteranodon, Scheduled Tasks, UltraVNC, Process Explorer, Cyberespionage

BlackCat/ALPHV Ransomware Indicators of Compromise (published: April 20, 2022)
The Federal Bureau of Investigation (FBI) published new details on the operation and command-and-control (C2) infrastructure of the BlackCat/ALPHV ransomware. The BlackCat/ALPHV ransomware-as-a-service (RaaS) operation had compromised over 60 entities worldwide, initially requesting ransom payments of several million dollars in Bitcoin and Monero. BlackCat uses previously stolen credentials to gain initial access. The operators proceed to compromise Active Directory and abuse Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy the ransomware.

Analyst Comment: Organizations should audit user accounts with administrative privileges and configure access controls based on the least privilege principle. Implement network segmentation, air gap, and password protect backup copies offline. Use multifactor authentication (MFA) where possible.

MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Group Policy Modification - T1484 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Data Encrypted for Impact - T1486

Tags: BlackCat, Ransomware, BlackMatter, DarkSide, ALPHV, CVE-2021-31207, Rust, Bitcoin, Monero, Powershell, Active Directory, Group Policy Objects, Cobalt Strike

How to Recover Files Encrypted by Yanluowang (published: April 18, 2022)
Since October 2021, the Yanluowang ransomware group has engaged in human-operated, highly targeted attacks against enterprise entities located mostly in Brazil, Turkey, and the US. The initial infection vector is currently unknown. To encrypt the victim’s files, the attackers use the Sosemanuk stream cipher; its key is then encrypted using RSA-1024, whose public key is itself embedded in the program encrypted with RC4, using a string key that is also embedded in the ransomware. Files under 3 GB are encrypted from beginning to end; bigger files are encrypted in stripes: 5 MB after every 200 MB. The extortionists threaten with additional exposure, DDoS attacks, and repeated compromise with data wiping. Kaspersky researchers have found a known-plaintext attack vulnerability in the Yanluowang encryption scheme and offer the free Rannoh Decryptor to help victims if they can provide a couple of original files.

Analyst Comment: Keep your company’s VPN solutions updated. Do not expose Remote Desktop Protocol (RDP) and other remote desktop services to public networks unless absolutely necessary, and always protect them using strong passwords. Focus on detecting lateral movement and data exfiltration.

MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Inhibit System Recovery - T1490 | [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] Service Stop - T1489 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] System Network Connections Discovery - T1049

Tags: Yanluowang, Ransomware, USA, target-country:US, Brazil, target-country:BR, Turkey, target-country:TR, Free decryptor, Extortion, DDoS, Data exposure, Data destruction, Sosemanuk, RSA-1024, RC4

CatalanGate: Extensive Mercenary Spyware Operation Against Catalans Using Pegasus and Candiru (published: April 18, 2022)
Citizen Lab researchers describe CatalanGate, a prolific cyberespionage campaign that targeted Catalonia, Spain through 2017-2020. Victims included Catalan Presidents and some of their relatives, jurists, members of the European Parliament, legislators, and members of civil society organizations. The CatalanGate campaign, which aligns with objectives of the Spanish government, used two mercenary providers of cyberespionage services: NSO Group and Candiru. Some spearphishing attacks showed knowledge of the victim's name, business situation, and even taxpayer’s number. Other attacks utilized zero-click zero-day exploits affecting iOS (the zero-click HOMAGE exploit) and Windows (CVE-2021-31979, CVE-2021-33771).

Analyst Comment: It is important to study mercenary companies’ malicious infrastructure to detect ongoing infections on your organization's networks. Keep your devices updated to address the latest security patches. Isolate your networks and move sensitive conversations offline if your threat posture includes being targeted with zero-click zero-day exploits.

MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Audio Capture - T1123 | [MITRE ATT&CK] File and Directory Discovery - T1083

Tags: HOMAGE, NSO Group, Pegasus spyware, Candiru, Saito Tech Ltd., Smishing, Spearphishing, Zero-click, Zero-day, iMessage, Kismet, Spain, source-country:ES, Catalonia, target-region:Catalonia, CVE-2019-3568, CVE-2021-31979, CVE-2021-33771

Alert (AA22-108A) TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (published: April 18, 2022)
Three US agencies issued a joint advisory related to a new campaign by the North Korea-sponsored group Lazarus that targets the blockchain industry. This campaign starts with phishing delivering TraderTraitor: a number of malicious applications that were built based on open-source projects. These apps are written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework and pretend to provide cryptocurrency trading or price prediction. TraderTraitor downloads an encrypted payload and the decryption key via its “update” function. The malicious payload is the Manuscrypt RAT, which allows the Lazarus attackers to propagate across the victim’s network environment, steal private keys, and eventually steal their cryptocurrency.

Analyst Comment: Blockchain-related organizations should be aware of third-party cryptocurrency application downloads and implement email and domain mitigations. Apply least-access models and defense-in-depth to user and application privileges. Segment your networks into zones based on roles and requirements.

MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Application Layer Protocol - T1071

Tags: TraderTraitor, Lazarus Group, Lazarus, APT, Manuscrypt, North Korea, source-country:KP, APT38, BlueNoroff, Stardust Chollima, Blockchain, Cryptocurrency, DeFi, Banking and finance, Non-fungible tokens, NFTs, Social engineering, Windows, macOS

Observed Threats

Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:

TeamTNT
TeamTNT is a German- and English-speaking group targeting cloud environments since at least August 2020. This actor group primarily engages in cryptojacking (Monero mining) of vulnerable Docker and Kubernetes systems. The group uses open-source tools and has developed its own distributed denial-of-service (DDoS) malware (TNTbotinger) and wormable cryptojacking malware (Black-T, Hildegard, Cetus).

Gamaredon Group
The Advanced Persistent Threat (APT) group “Gamaredon” is believed to be a Russia-based group that has been active since at least 2013. The group is known for conducting cyber espionage campaigns targeting the Ukrainian government, law enforcement officials, media, and military. The Lookingglass Cyber Threat Intelligence Group first reported Gamaredon in their report on a cyberespionage campaign dubbed “Operation Armageddon” in April 2015, according to Palo Alto Networks Unit 42 researchers. This led Unit 42 researchers, in February 2017, to name the group “Gamaredon Group” because they believe the group conducted Operation Armageddon.

Lazarus Group
The Advanced Persistent Threat (APT) group “Lazarus Group” is believed to be based in the Democratic People's Republic of Korea (DPRK) and has been active since at least 2009. Lazarus Group is believed to be composed of operatives from “Bureau 121” (121국), the cyber warfare division of North Korea’s Reconnaissance General Bureau. The Reconnaissance General Bureau was formed due to a reorganization in 2009, but its exact structure is not known due to North Korea’s denial and deception tactics. Bureau 121 is North Korea’s most important cyber unit and is used for both offensive and defensive operations. Bureau 121 is referred to, in South Korean open-source media, as the “Electronic Reconnaissance Bureau’s Cyber Warfare Guidance Bureau” (전자정찰국 사이버전지도국). The term “guidance” in the context of North Korea often denotes that an organization is personally overseen by the head of state of North Korea as a strategically significant entity. Lazarus Group has targeted financial organizations since at least July 2009. The group is well known for its tendency to engage in data destruction/disk wiping attacks and network traffic Distributed Denial-of-Service (DDoS) attacks, typically against the Republic of Korea (South Korea). The group targets various industries and sectors including South Korean and US government organizations, Non-Governmental Organizations (NGO), media and entertainment organizations, as well as shipping and transportation organizations, Korean hydro and nuclear power, and jamming of South Korean GPS.

CVE-2013-3900
The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

CVE-2019-3568
A buffer overflow vulnerability in the WhatsApp VOIP stack allowed remote code execution via a specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

CVE-2021-31207
Microsoft Exchange Server Security Feature Bypass Vulnerability.

CVE-2021-33771
Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-31979, CVE-2021-34514.

CVE-2021-31979
Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-33771, CVE-2021-34514.
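The Yanluowang write-up above describes two things a recovery analyst cares about: which bytes of a file the ransomware actually touches (everything for files under 3 GB, 5 MB stripes after every 200 MB for larger files), and that a known-plaintext attack is possible because the stream-cipher keystream is reused. The following Python model is an added example written for this page; it is not Kaspersky's Rannoh Decryptor, not Anomali's code, and contains nothing from the ransomware. It replaces Sosemanuk with a SHA-256 counter-mode keystream, and the exact stripe layout ("5 MB after every 200 MB" read as a 205 MB period with the stripe at the end) and the assumption that the keystream restarts for every file are both labelled assumptions. The point it demonstrates is why one backed-up original plus its encrypted copy yields the keystream that unlocks every other file whose encrypted bytes fit within it.

```python
"""Model of the Yanluowang encryption layout and the known-plaintext recovery.

Added example, not code from Kaspersky, Anomali or the ransomware. Stream
cipher is a stand-in (SHA-256 in counter mode), not Sosemanuk.
"""
import hashlib
from typing import List, Optional, Tuple

MB = 1024 ** 2
GB = 1024 ** 3
FULL_ENCRYPT_LIMIT = 3 * GB   # files below this size are encrypted end to end
STRIPE_LEN = 5 * MB           # bytes encrypted per stripe in larger files
STRIPE_GAP = 200 * MB         # bytes left untouched before each stripe (assumed layout)


def encrypted_ranges(size: int) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) the ransomware touches for a file of `size` bytes.

    Assumption: "5 MB after every 200 MB" is read as a 205 MB period whose
    last 5 MB are encrypted; the write-up does not give the exact offsets.
    """
    if size <= 0:
        return []
    if size < FULL_ENCRYPT_LIMIT:
        return [(0, size)]
    ranges = []
    start = STRIPE_GAP
    while start < size:
        ranges.append((start, min(start + STRIPE_LEN, size)))
        start += STRIPE_GAP + STRIPE_LEN
    return ranges


def toy_keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream stand-in (SHA-256 in counter mode). Not Sosemanuk;
    it reproduces only the property the recovery relies on: the same key
    produces the same keystream bytes for every file."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_like_ransomware(data: bytes, key: bytes) -> bytes:
    """Encrypt only the reported ranges, consuming one keystream sequentially
    across them and restarting it for every file (assumed; this is the reuse
    that makes known-plaintext recovery work)."""
    ranges = encrypted_ranges(len(data))
    ks = toy_keystream(key, sum(e - s for s, e in ranges))
    out = bytearray(data)
    pos = 0
    for s, e in ranges:
        out[s:e] = xor_bytes(data[s:e], ks[pos:pos + (e - s)])
        pos += e - s
    return bytes(out)


def recover_keystream(plain: bytes, cipher: bytes) -> bytes:
    """Known-plaintext step: XOR of an original file and its encrypted copy over
    the encrypted ranges gives the keystream prefix the sample used."""
    if len(plain) != len(cipher):
        raise ValueError("original and encrypted file must have the same size")
    return b"".join(xor_bytes(plain[s:e], cipher[s:e])
                    for s, e in encrypted_ranges(len(plain)))


def recover_file(cipher: bytes, keystream: bytes) -> Optional[bytes]:
    """Decrypt another victim file with the recovered keystream. Returns None
    when the known file was too short to cover this file's encrypted bytes."""
    ranges = encrypted_ranges(len(cipher))
    if sum(e - s for s, e in ranges) > len(keystream):
        return None
    out = bytearray(cipher)
    pos = 0
    for s, e in ranges:
        out[s:e] = xor_bytes(cipher[s:e], keystream[pos:pos + (e - s)])
        pos += e - s
    return bytes(out)


def demo() -> bool:
    """Constructed scenario: one backed-up original plus its encrypted copy
    recovers a second, shorter file encrypted with the same key."""
    key = b"constructed-sample-key"            # never seen by the defender
    known_plain = b"Quarterly report: " + bytes(range(60))
    other_plain = b"Payroll export, do not share"
    known_cipher = encrypt_like_ransomware(known_plain, key)
    other_cipher = encrypt_like_ransomware(other_plain, key)
    ks = recover_keystream(known_plain, known_cipher)
    return recover_file(other_cipher, ks) == other_plain


if __name__ == "__main__":
    print("recovered second file:", demo())
```

The recovered keystream is only as long as the known file's encrypted bytes, which is why the write-up says victims need "a couple of original files": a small original cannot unlock a larger one, and `recover_file` returns `None` in that case rather than producing a half-decrypted file. The same limit applies to striped files, where the usable keystream grows by only 5 MB per 205 MB of original data.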
