ANOMALI CYBER WATCH | NOVEMBER 23, 2021


ANOMALI CYBER WATCH: APT, EMOTET, IRAN, REDCURL AND MORE

by Anomali Threat Research


The various threat intelligence stories in this iteration of the Anomali Cyber
Watch discuss the following topics: APT, Data breach, Data leak, Malspam,
Phishing, and Vulnerabilities. The IOCs related to these stories are attached to
Anomali Cyber Watch and can be used to check your logs for potential malicious
activity.


Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this
magazine and provide a glimpse of the threats discussed.
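The introduction notes that the attached IOCs can be checked against your own logs. The script below is an added illustration of that workflow and is not code from Anomali or part of the original post: it refangs a small, constructed IOC set (placeholder domain, IP and hash, not real indicators from this report), extracts candidate indicators from constructed proxy, firewall and EDR log lines, and reports the matches by indicator type, much like the summary charts in Figure 1.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample IOCs in the defanged form threat feeds commonly use.
# None of these is a real indicator from the Anomali Cyber Watch report.
RAW_IOCS = {
    "domain": ["bad-example[.]invalid"],
    "ipv4": ["203[.]0[.]113[.]45"],
    "sha256": ["deadbeef" * 8],  # placeholder hash, not a real sample
}

# Constructed log lines (proxy, firewall, EDR) so the script runs offline.
LOG_LINES = [
    "2021-11-22T10:01:03Z proxy src=10.0.0.5 dst=bad-example.invalid method=GET",
    "2021-11-22T10:02:10Z fw allow src=10.0.0.7 dst=203.0.113.45 dport=443",
    "2021-11-22T10:03:44Z edr file=invoice.doc sha256=" + "deadbeef" * 8,
    "2021-11-22T10:04:00Z proxy src=10.0.0.5 dst=www.anomali.com method=GET",
    "2021-11-22T10:05:00Z fw allow src=10.0.0.9 dst=203.0.113.4 dport=80",
]

# One extractor per indicator type. The word boundaries stop 203.0.113.4
# from matching inside 203.0.113.45 (and vice versa).
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}


def refang(value: str) -> str:
    """Turn a defanged feed value (hxxp, [.]) back into its matchable form."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def load_iocs(raw):
    """Normalise every IOC so comparisons are exact, case-insensitive set lookups."""
    return {kind: {refang(v) for v in values} for kind, values in raw.items()}


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str
    value: str


def scan_logs(lines, iocs):
    """Return a Hit for every IOC found in the given log lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            wanted = iocs.get(kind, set())
            for token in pattern.findall(line):
                if token.lower() in wanted:
                    hits.append(Hit(n, kind, token.lower()))
    return hits


def summarize(hits):
    """Count hits per indicator type, the shape of an IOC summary chart."""
    return dict(Counter(h.kind for h in hits))


if __name__ == "__main__":
    found = scan_logs(LOG_LINES, load_iocs(RAW_IOCS))
    for h in found:
        print(f"line {h.line_no}: {h.kind} {h.value}")
    print(summarize(found))
```

Refanging at load time matters in practice: feeds publish indicators as `bad-example[.]invalid` so analysts do not click them, and a naive string compare against raw log text would silently miss every one of them.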


TRENDING CYBER NEWS AND THREAT INTELLIGENCE


EMOTET MALWARE IS BACK AND REBUILDING ITS BOTNET VIA TRICKBOT

(published: November 15, 2021)

After Europol enforcement took over the Emotet infrastructure in April 2021, and
German law enforcement used that infrastructure to push a module that uninstalled
existing Emotet installs, new Emotet installs have been detected via initial
infections with TrickBot. These campaigns and their infrastructure appear to be
proliferating rapidly. Once a device is infected with Emotet, in addition to being
used to send malspam, it can have additional malware downloaded and installed on
it for various purposes, including ransomware. Researchers have not yet seen any
spamming activity or any known malicious documents dropping Emotet; TrickBot is
so far the only observed delivery vector. It is possible that Emotet is using
TrickBot to rebuild its infrastructure and to steal email chains for use in
future spam attacks.
Analyst Comment: Phishing continues to be a preferred method of initial
infection for many actors and malware families. End users should be cautious with
email attachments and links, and organizations should have robust, regularly
updated endpoint protections.

***For Anomali ThreatStream Customers***
To assist the community, especially with the online shopping season upon us,
Anomali Threat Research has made two threat actor-focused dashboards, Mummy
Spider and Wizard Spider, available to Anomali ThreatStream customers. The
dashboards are preconfigured to provide immediate access and visibility into all
known Mummy Spider and Wizard Spider indicators of compromise (IOCs) made
available through the commercial and open-source threat feeds that users manage
on ThreatStream.

MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Shared Modules -
T1129 | [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Ingress Tool
Transfer - T1105 | [MITRE ATT&CK] Automated Collection - T1119
Tags: Emotet, Trickbot, phishing, ransomware


WIND TURBINE GIANT OFFLINE AFTER CYBER INCIDENT

(published: November 22, 2021)

The internal IT systems of Vestas Wind Systems, the world's largest manufacturer
of wind turbines, have been hit by an attack. The attack does not appear to have
affected manufacturing or the supply chain, and recovery of affected systems is
underway, although a number of systems remain offline as a precaution. The
company has announced that some data has been compromised. The investigation is
ongoing, but the incident may have been a ransomware attack. Ransomware incidents
across the globe increased by nearly 500% in 2020. The attack appears to have
started on Friday, November 18, 2021. Researchers warn that these attacks will
likely continue to increase, especially given the news that the Emotet botnet is
undergoing a resurgence.
Analyst Comment: A robust and tested backup and disaster recovery program can
help organizations avoid extended outages after a cyber attack. Data loss
prevention (DLP) and monitoring can also help stop an initial compromise from
spreading rapidly across an organization.
Tags: data breach, Europe, energy, manufacturing


PATCH NOW! FATPIPE VPN ZERO-DAY ACTIVELY EXPLOITED

(published: November 18, 2021)

A patch has been made available to fix a flaw in the FatPipe VPN products MPVPN,
WARP, and IPVPN. The flaw has been actively exploited by malicious actors for at
least six months. Users of the affected products are encouraged to upgrade
immediately to versions 10.1.2r60p93 and 10.2.2r44p1 or later. Users who cannot
upgrade immediately are encouraged to disable access to the web administration
UI from the WAN interfaces and/or to set access control lists (ACLs) that only
allow access from trusted sources.
Analyst Comment: The workarounds FatPipe describes for this vulnerability are
good practice for all devices on the network, especially those that have a web
administration tool. If internet access to these devices cannot be turned off,
then regularly updated ACLs limiting access to trusted devices should be
required. Regular audits and updates, especially for critical network devices,
should be part of everyone's defense in depth program.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE
ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Indicator
Removal on Host - T1070 | [MITRE ATT&CK] Bypass User Account Control - T1088 |
[MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] Ingress Tool Transfer - T1105
| [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Exploit
Public-Facing Application - T1190 | [MITRE ATT&CK] Exploitation of Remote
Services - T1210 | [MITRE ATT&CK] Modify Authentication Process - T1556
Tags: FatPipe VPN, web shell, zero-day


REDCURL CORPORATE ESPIONAGE HACKERS RESUME ATTACKS WITH UPDATED TOOLS

(published: November 18, 2021)

The advanced persistent threat (APT) group known as RedCurl, active since 2018,
has resurfaced in a new set of attacks using updated tools. The group, believed
to consist of sophisticated hackers, engages in corporate espionage and is known
for staying hidden in victim organizations for two to six months before
exfiltrating corporate information. The group appears to have paused its
activity for seven months before resuming with significantly updated tools and
attack techniques. The latest attacks include one of Russia's largest wholesale
companies and another organization the group had previously breached.
Analyst Comment: Telemetry and monitoring are critical pieces of an
organization's security posture, especially for detecting an APT after initial
compromise and before a data breach occurs. As many of these attacks begin with
spearphishing, users should be trained to recognize these emails and to always
use caution when opening attachments or links from emails.
MITRE ATT&CK: [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK]
Ingress Tool Transfer - T1105 | [MITRE ATT&CK] File and Directory Discovery -
T1083 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK]
Spearphishing Attachment - T1193 | [MITRE ATT&CK] Scheduled Transfer - T1029 |
[MITRE ATT&CK] Proxy - T1090
Tags: APT, RedCurl, spearphishing, FSABIN, CHABIN1, CHABIN2, LNK


IRANIAN GOVERNMENT-SPONSORED APT CYBER ACTORS EXPLOITING MICROSOFT EXCHANGE AND
FORTINET VULNERABILITIES

(published: November 17, 2021)

The Cybersecurity and Infrastructure Security Agency (CISA), along with other US
government agencies and the Australian and United Kingdom cyber security
agencies, has issued a joint alert highlighting ongoing malicious activity by
Iranian government-sponsored actors. These attacks leverage well-known
vulnerabilities in Microsoft Exchange and Fortinet devices to attack a wide
range of organizations across various sectors. The actors can use the initial
access gained via these flaws for data exfiltration, ransomware, lateral
movement, and other attacks.
Analyst Comment: Administrators should take special care to keep their devices
updated and to ensure they are minimally exposed to the external internet. This,
alongside good internal telemetry, can mitigate a large number of potential
threats.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: APT, CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591,
Fortinet, Iran, Microsoft Exchange, ProxyShell


NEW MICROSOFT EMERGENCY UPDATES FIX WINDOWS SERVER AUTH ISSUES

(published: November 15, 2021)

Microsoft has released a set of out-of-band patches to fix an issue that breaks
single sign-on (SSO), introduced by the November 9, 2021 security updates. When
those security updates are applied to a Windows Server domain controller, users
attempting to use Kerberos tickets obtained via Service for User to Self
(S4U2self) can experience failures. Administrators of affected Windows Server
versions are encouraged to download and install the new patches, which are not
automatically available via Windows Update.
Analyst Comment: In addition to applying regular updates, administrators should
check for any issues resulting from security updates. Good asset and
vulnerability management programs are a vital part of defense in depth and can
help identify devices that need updating.
Tags: Kerberos, Microsoft, Windows Server


UNCOVERING MOSESSTAFF TECHNIQUES: IDEOLOGY OVER MONEY

(published: November 15, 2021)

Researchers describe the techniques of the threat actor group MosesStaff, which
has been targeting Israeli organizations since September 2021. These attacks
appear to be ideologically motivated and involve data exfiltration and the
encryption of affected devices, with no ransom demands. The attackers gain
initial access to the network by exploiting known vulnerabilities in public-facing
applications and then move laterally using tools such as PsExec, WMIC, and
PowerShell. A bootloader is installed as one of the initial steps to ensure that,
even if the subsequent encryption with DiskCryptor does not complete, the user
cannot access the computers. The researchers provide a detailed walkthrough of
the infection chain used in these attacks, as well as analysis of the group's
two main tools, PyDCrypt and DCSrv.
Analyst Comment: Regular patching is a critical component of an organization's
defense in depth program, as actors continue to exploit vulnerabilities for which
patches are available. Good internal telemetry, protections, and a least-privilege
model can often prevent an initial compromise from turning into wide exploitation.
MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016 |
[MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Ingress Tool Transfer
- T1105 | [MITRE ATT&CK] Exploitation for Client Execution - T1203
Tags: DCSrv, Israel, MosesStaff, PyDCrypt


HIGH-SEVERITY INTEL PROCESSOR BUG EXPOSES ENCRYPTION KEYS

(published: November 15, 2021)

Researchers have discovered a security flaw in Intel processors that would allow
actors to acquire encryption keys and read encrypted files. The flaw has been
assigned the Common Vulnerabilities and Exposures (CVE) identifier
CVE-2021-0146 and results from debugging capabilities that are not adequately
protected and grant excessive permissions to unauthenticated users. The flaw is
found in a range of Intel processors used in laptops, desktops, and IoT devices.
Analyst Comment: Users with affected processors are encouraged to update the
UEFI BIOS with patches provided by the device manufacturer. Asset management and
updates are critical to maintaining an organization's security, especially for
sensitive devices, even where encryption has been implemented.
MITRE ATT&CK: [MITRE ATT&CK] Clipboard Data - T1115 | [MITRE ATT&CK]
Exploitation for Privilege Escalation - T1068
Tags: CVE-2021-0146, encryption, Intel, UEFI
