今日威胁情报2020/9/28-30(第308期）

祝大家国庆/中秋节日快乐

高级威胁

1、【重点】EquationGroup与Stuxnet 结合，追踪老美的不多线索之一……

https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/

完整报告：

https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf

YARA:

rule EquationGroup_TbInitStruct{    meta:        author =      "Facundo Muñoz [email protected] / @fmmrsrch"        description = "Detects the function TbInitStruct from tibe.dll/tibe-1.dll used by exploits and implants from EquationGroup, including Stuxnet exploits."        reference =   "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/"
strings:    $tbblock1 = { 68 00 20 00 00 89 AE 64 01 00 00 89 AE 24 04 00 00 89 AE B4 04 00 00 89 AE                  B8 04 00 00 89 AE BC 04 00 00 66 89 86 C0 04 00 00 66 89 86 C2 04 00 00 66                  89 86 C4 04 00 00 89 9E DC 04 00 00 89 9E D0 04 00 00 C7 86 D4 04 00 00 00                  20 00 00 E8 ?? ?? ?? ?? 83 C4 04 3B C3 89 86 D8 04 00 00 0F 84 AC 01 00 00                  89 AE 34 08 00 00 66 C7 86 2C 08 00 00 B0 03 89 9E 68 07 00 00 89 9E 38 08                  00 00 89 AE 40 08 00 00 C7 86 DC 08 00 00 FA 00 00 00 89 AE 70 08 00 00 66                  C7 86 A6 08 00 00 07 00 FF D7 8B D8 81 E3 FF 00 00 00 FF D7 C1 E0 08 0B D8                  C1 E3 08 FF D7 25 FF 00 00 00 0B D8 C1 E3 08 FF D7 25 FF 00 00 00 0B D8 89                  9E 74 08 00 00 FF D7 24 0F 0C 40 33 DB 8A F8 FF D7 8A D8 66 89 9E 78 08 00                  00 FF D7 66 0F B6 D8 FF D7 33 D2 66 8B 96 78 08 00 00 8A F8 81 E2 FF 3F 00                  00 81 CA 00 80 00 00 }
condition:        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $tbblock1}

2、赛门铁克发布的关于BlackTech。emm……看吧

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt

3、【重点报告，一定要看】微软发布的“数字防御报告”

该报告清楚地表明，过去一年中，威胁行为者的复杂性迅速提高，他们使用的技术使他们更加难以发现，甚至威胁到最精明的目标。例如，民族国家行为者正在采用新的侦察技术，以增加其破坏高价值目标的机会，针对企业的犯罪集团已将其基础设施移至云中以隐藏在合法服务中，攻击者已开发出新的方法来搜寻Internet易受勒索软件攻击的系统。

另外，微软跟踪的组织实体根据微软的内部命名标签规范：

https://www.microsoft.com/en-us/download/confirmation.aspx?id=101738

4、Hunter  lazarus,该组织的TTP，关注这个组织的老哥们可以看下。

https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic

5、另一个朝鲜组织Kimsuky钓鱼攻击整理梳理，附带IOC。

https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/

https://3hyr133hoba8cg1mqt4pktdd-wpengine.netdna-ssl.com/wp-content/uploads/ThreatConnect-Kimsuky-Phishing-Operations-Putting-In-Work-Figure11-Adventure-Graph.pdf?_ga=2.252501577.1936123424.1601457666-907990324.1601457666

6、针对隔离网的Ramsay…… mark

https://vblocalhost.com/presentations/ramsay-a-cyber-espionage-toolkit-tailored-for-air-gapped-networks/

7、FIN7 的攻击技战术。这个文章技术手法和报告编写挺不错的。

https://threatintel.blog/OPBlueRaven-Part2/

技术分享

1、【TOOLS】内网渗透扫描小工具

https://github.com/airbus-cyber/CyberSecRessources/tree/master/RpcGetWinVersion

2、恶意Shell脚本的演变

https://www.trendmicro.com/en_us/research/20/i/the-evolution-of-malicious-shell-scripts.html

3、利用Microsoft Exchange进行网络钓鱼（CVE-2020-0688），重温一下，很不错的研究报告

https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/

4、Fireeye:In Pursuit of a Gestalt Visualization: Merging MITRE ATT&CK® for Enterprise and ICS to Communicate Adversary Behaviors

https://www.fireeye.com/blog/executive-perspective/2020/09/merging-mitre-attack-for-enterprise-and-ics-to-communicate-adversary-behaviors.html

漏洞相关

1、CVE-2020-17382 POC

https://github.com/uf0o/CVE-2020-17382

https://www.matteomalvica.com/blog/2020/09/24/weaponizing-cve-2020-17382/

2、CVE-2020-1510 POC

https://cpr-zero.checkpoint.com/vulns/cprid-2157/

网络战与网络情报

1、川普和拜登今天电视辩论，这个时间点发俄罗斯当年的事儿，是不是也是打算干扰大选？川普加油，狙击你的太多了。

https://www.politico.com/news/2020/09/29/john-ratcliffe-hillary-clinton-russia-423022

2、普京想在网络空间休战—同时否认俄罗斯的干涉

https://www.nytimes.com/2020/09/25/world/europe/russia-cyber-security-meddling.html

广告时间

360威胁情报中心TI新版上线

https://ti.360.cn