Today's Threat Intelligence 2020/9/28-30 (Issue 308)

Category: Security News



Happy National Day / Mid-Autumn Festival to everyone


Advanced Threats


1. [Key] EquationGroup and Stuxnet tied together, one of the few leads for tracking the Americans...


https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/


Full report:

https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf

YARA:

rule EquationGroup_TbInitStruct
{
    meta:
        author      = "Facundo Muñoz [email protected] / @fmmrsrch"
        description = "Detects the function TbInitStruct from tibe.dll/tibe-1.dll used by exploits and implants from EquationGroup, including Stuxnet exploits."
        reference   = "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/"

    strings:
        $tbblock1 = { 68 00 20 00 00 89 AE 64 01 00 00 89 AE 24 04 00 00 89 AE B4 04 00 00 89 AE B8 04 00 00 89 AE BC 04 00 00 66 89 86 C0 04 00 00 66 89 86 C2 04 00 00 66 89 86 C4 04 00 00 89 9E DC 04 00 00 89 9E D0 04 00 00 C7 86 D4 04 00 00 00 20 00 00 E8 ?? ?? ?? ?? 83 C4 04 3B C3 89 86 D8 04 00 00 0F 84 AC 01 00 00 89 AE 34 08 00 00 66 C7 86 2C 08 00 00 B0 03 89 9E 68 07 00 00 89 9E 38 08 00 00 89 AE 40 08 00 00 C7 86 DC 08 00 00 FA 00 00 00 89 AE 70 08 00 00 66 C7 86 A6 08 00 00 07 00 FF D7 8B D8 81 E3 FF 00 00 00 FF D7 C1 E0 08 0B D8 C1 E3 08 FF D7 25 FF 00 00 00 0B D8 C1 E3 08 FF D7 25 FF 00 00 00 0B D8 89 9E 74 08 00 00 FF D7 24 0F 0C 40 33 DB 8A F8 FF D7 8A D8 66 89 9E 78 08 00 00 FF D7 66 0F B6 D8 FF D7 33 D2 66 8B 96 78 08 00 00 8A F8 81 E2 FF 3F 00 00 81 CA 00 80 00 00 }

    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $tbblock1
}
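An added example (editor's code, not from the report or the rule's author) that re-implements what the rule's condition actually evaluates, so the logic can be exercised without a YARA install: the MZ / `PE\0\0` gate via the little-endian `uint16(0)` and `uint32(uint32(0x3C))` reads, and the `$tbblock1` hex string with its four `??` wildcards (the rel32 of the `E8` call) compiled to a byte regex. The `build_sample()` buffer is a constructed MZ/PE header skeleton with the block appended, not a real binary; everything else is copied from the rule above.

```python
import re
import struct

# Hex string copied verbatim from the EquationGroup_TbInitStruct rule above.
TBBLOCK1 = """
68 00 20 00 00 89 AE 64 01 00 00 89 AE 24 04 00 00 89 AE B4 04 00 00 89 AE B8 04 00 00
89 AE BC 04 00 00 66 89 86 C0 04 00 00 66 89 86 C2 04 00 00 66 89 86 C4 04 00 00 89 9E
DC 04 00 00 89 9E D0 04 00 00 C7 86 D4 04 00 00 00 20 00 00 E8 ?? ?? ?? ?? 83 C4 04 3B
C3 89 86 D8 04 00 00 0F 84 AC 01 00 00 89 AE 34 08 00 00 66 C7 86 2C 08 00 00 B0 03 89
9E 68 07 00 00 89 9E 38 08 00 00 89 AE 40 08 00 00 C7 86 DC 08 00 00 FA 00 00 00 89 AE
70 08 00 00 66 C7 86 A6 08 00 00 07 00 FF D7 8B D8 81 E3 FF 00 00 00 FF D7 C1 E0 08 0B
D8 C1 E3 08 FF D7 25 FF 00 00 00 0B D8 C1 E3 08 FF D7 25 FF 00 00 00 0B D8 89 9E 74 08
00 00 FF D7 24 0F 0C 40 33 DB 8A F8 FF D7 8A D8 66 89 9E 78 08 00 00 FF D7 66 0F B6 D8
FF D7 33 D2 66 8B 96 78 08 00 00 8A F8 81 E2 FF 3F 00 00 81 CA 00 80 00 00
"""


def hex_string_to_regex(hex_string):
    """Compile a YARA-style hex string (byte tokens plus '??' wildcards) to a bytes regex."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")  # wildcard: any single byte value
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so '.' also matches 0x0A, as a YARA wildcard does.
    return re.compile(b"".join(parts), re.DOTALL)


PATTERN = hex_string_to_regex(TBBLOCK1)


def is_pe(data):
    """The header part of the rule's condition:
    uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550.
    YARA's uintN() reads are little-endian, hence the '<' struct formats."""
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:  # "MZ"
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550  # "PE\0\0"


def rule_matches(data):
    """True when the full condition of EquationGroup_TbInitStruct would fire on `data`."""
    return is_pe(data) and PATTERN.search(data) is not None


def block_bytes(fill=0x00):
    """Concrete bytes for $tbblock1 with every '??' replaced by `fill`
    (i.e. one possible call target for the E8 instruction)."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in TBBLOCK1.split())


def build_sample(include_block=True, fill=0x00):
    """Constructed test buffer, not a real binary: a minimal MZ stub whose
    e_lfanew points at a 'PE\\0\\0' signature, followed by filler and,
    optionally, the $tbblock1 bytes."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    hdr += struct.pack("<I", e_lfanew)
    hdr += b"\x00" * (e_lfanew - len(hdr))
    hdr += b"PE\x00\x00"
    body = b"\x90" * 64 + (block_bytes(fill) if include_block else b"") + b"\xCC" * 16
    return bytes(hdr) + body


if __name__ == "__main__":
    cases = [
        ("PE + block", build_sample()),
        ("PE + block, other call target", build_sample(fill=0x7F)),
        ("PE, no block", build_sample(include_block=False)),
        ("block, not a PE", block_bytes()),
    ]
    for label, buf in cases:
        print(f"{label:32s} -> {rule_matches(buf)}")
```

Only the first two cases fire: the wildcards absorb the differing call displacement, and a buffer that carries the block but no MZ/PE header is rejected by the condition exactly as the real rule would reject it. To check against the actual engine, `yara.compile(source=...)` followed by `rules.match(data=buf)` from yara-python gives the same answers for these buffers.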


2. Symantec's write-up on BlackTech. Hmm... just have a look.


https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt


3. [Key report, a must-read] Microsoft's "Digital Defense Report"

The report makes clear that over the past year threat actors have rapidly grown in sophistication, using techniques that make them harder to detect and that threaten even the most savvy targets. For example, nation-state actors are adopting new reconnaissance techniques to raise their odds of compromising high-value targets; criminal groups targeting enterprises have moved their infrastructure into the cloud to hide among legitimate services; and attackers have developed new ways of scouring the Internet for systems vulnerable to ransomware.

Also, the report covers the threat actor groups Microsoft tracks, labelled according to Microsoft's internal naming convention.


https://www.microsoft.com/en-us/download/confirmation.aspx?id=101738


4. Hunting Lazarus: the group's TTPs. Those of you following this group may want to take a look.

https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic


5. A roundup of phishing operations by Kimsuky, another North Korean group, with IOCs attached.



https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/

https://3hyr133hoba8cg1mqt4pktdd-wpengine.netdna-ssl.com/wp-content/uploads/ThreatConnect-Kimsuky-Phishing-Operations-Putting-In-Work-Figure11-Adventure-Graph.pdf?_ga=2.252501577.1936123424.1601457666-907990324.1601457666


6. Ramsay, a toolkit aimed at air-gapped networks... bookmarking this.

https://vblocalhost.com/presentations/ramsay-a-cyber-espionage-toolkit-tailored-for-air-gapped-networks/


7. FIN7's attack tactics and techniques. Both the technical work and the report writing in this piece are quite good.


https://threatintel.blog/OPBlueRaven-Part2/


Technical Sharing


1. [TOOLS] A small scanning utility for internal-network penetration testing


https://github.com/airbus-cyber/CyberSecRessources/tree/master/RpcGetWinVersion


2. The evolution of malicious shell scripts

https://www.trendmicro.com/en_us/research/20/i/the-evolution-of-malicious-shell-scripts.html


3. Phishing for SYSTEM on Microsoft Exchange (CVE-2020-0688); worth revisiting, a very good piece of research


https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/


4. FireEye: In Pursuit of a Gestalt Visualization: Merging MITRE ATT&CK® for Enterprise and ICS to Communicate Adversary Behaviors

https://www.fireeye.com/blog/executive-perspective/2020/09/merging-mitre-attack-for-enterprise-and-ics-to-communicate-adversary-behaviors.html


Vulnerabilities


1. CVE-2020-17382 PoC

https://github.com/uf0o/CVE-2020-17382

https://www.matteomalvica.com/blog/2020/09/24/weaponizing-cve-2020-17382/


2. CVE-2020-1510 PoC

https://cpr-zero.checkpoint.com/vulns/cprid-2157/


Cyber Warfare and Cyber Intelligence


1. Trump and Biden hold their televised debate today; releasing the Russia story from back then at this particular moment, is that also meant to interfere with the election? Go Trump, there are too many people gunning for you.


https://www.politico.com/news/2020/09/29/john-ratcliffe-hillary-clinton-russia-423022


2. Putin wants a truce in cyberspace, while denying Russian interference

https://www.nytimes.com/2020/09/25/world/europe/russia-cyber-security-meddling.html



Advertisement

The new version of the 360 Threat Intelligence Center (TI) is live

https://ti.360.cn

