Happy National Day / Mid-Autumn Festival, everyone!
Advanced Threats
1. [Key] EquationGroup combined with Stuxnet: one of the few leads for tracking the Americans...
https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/
Full report:
https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf
YARA:
rule EquationGroup_TbInitStruct
{
    meta:
        author = "Facundo Muñoz [email protected] / @fmmrsrch"
        description = "Detects the function TbInitStruct from tibe.dll/tibe-1.dll used by exploits and implants from EquationGroup, including Stuxnet exploits."
        reference = "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/"
    strings:
        $tbblock1 = { 68 00 20 00 00 89 AE 64 01 00 00 89 AE 24 04 00 00 89 AE B4 04 00 00 89 AE
                      B8 04 00 00 89 AE BC 04 00 00 66 89 86 C0 04 00 00 66 89 86 C2 04 00 00 66
                      89 86 C4 04 00 00 89 9E DC 04 00 00 89 9E D0 04 00 00 C7 86 D4 04 00 00 00
                      20 00 00 E8 ?? ?? ?? ?? 83 C4 04 3B C3 89 86 D8 04 00 00 0F 84 AC 01 00 00
                      89 AE 34 08 00 00 66 C7 86 2C 08 00 00 B0 03 89 9E 68 07 00 00 89 9E 38 08
                      00 00 89 AE 40 08 00 00 C7 86 DC 08 00 00 FA 00 00 00 89 AE 70 08 00 00 66
                      C7 86 A6 08 00 00 07 00 FF D7 8B D8 81 E3 FF 00 00 00 FF D7 C1 E0 08 0B D8
                      C1 E3 08 FF D7 25 FF 00 00 00 0B D8 C1 E3 08 FF D7 25 FF 00 00 00 0B D8 89
                      9E 74 08 00 00 FF D7 24 0F 0C 40 33 DB 8A F8 FF D7 8A D8 66 89 9E 78 08 00
                      00 FF D7 66 0F B6 D8 FF D7 33 D2 66 8B 96 78 08 00 00 8A F8 81 E2 FF 3F 00
                      00 81 CA 00 80 00 00 }
    condition:
        // MZ header at offset 0, PE signature at e_lfanew, and the TbInitStruct code block present
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $tbblock1
}
2. Symantec's report on BlackTech. Hmm... just read it.
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt
3. [Key report, must read] Microsoft's "Digital Defense Report"
The report makes clear that over the past year the sophistication of threat actors has risen rapidly; the techniques they use make them harder to detect and put even the most savvy targets at risk. For example, nation-state actors are adopting new reconnaissance techniques to increase their chances of compromising high-value targets, criminal groups targeting enterprises have moved their infrastructure into the cloud to hide among legitimate services, and attackers have developed new methods for scanning the Internet for systems vulnerable to ransomware.
Also, the threat actors Microsoft tracks, per Microsoft's internal naming convention:
https://www.microsoft.com/en-us/download/confirmation.aspx?id=101738
4. Hunting Lazarus: the group's TTPs. Those who follow this group should take a look.
https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic
5. A write-up of the other North Korean group Kimsuky's phishing operations, with IOCs.
https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/
https://3hyr133hoba8cg1mqt4pktdd-wpengine.netdna-ssl.com/wp-content/uploads/ThreatConnect-Kimsuky-Phishing-Operations-Putting-In-Work-Figure11-Adventure-Graph.pdf?_ga=2.252501577.1936123424.1601457666-907990324.1601457666
6. Ramsay, a toolkit targeting air-gapped networks... bookmarking this
https://vblocalhost.com/presentations/ramsay-a-cyber-espionage-toolkit-tailored-for-air-gapped-networks/
7. FIN7's attack tactics and techniques. Both the technical methods and the report writing in this article are quite good.
https://threatintel.blog/OPBlueRaven-Part2/
Technical Sharing
1. [TOOLS] A small scanning tool for internal network penetration
https://github.com/airbus-cyber/CyberSecRessources/tree/master/RpcGetWinVersion
2. The evolution of malicious shell scripts
https://www.trendmicro.com/en_us/research/20/i/the-evolution-of-malicious-shell-scripts.html
3. Phishing via Microsoft Exchange (CVE-2020-0688); revisiting this one, a very good research report
https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/
4. FireEye: In Pursuit of a Gestalt Visualization: Merging MITRE ATT&CK® for Enterprise and ICS to Communicate Adversary Behaviors
https://www.fireeye.com/blog/executive-perspective/2020/09/merging-mitre-attack-for-enterprise-and-ics-to-communicate-adversary-behaviors.html
Vulnerabilities
1. CVE-2020-17382 PoC
https://github.com/uf0o/CVE-2020-17382
https://www.matteomalvica.com/blog/2020/09/24/weaponizing-cve-2020-17382/
2. CVE-2020-1510 PoC
https://cpr-zero.checkpoint.com/vulns/cprid-2157/
Cyber Warfare and Cyber Intelligence
1. Trump and Biden hold their TV debate today; releasing the Russia story from back then at this exact moment, is that also an attempt to interfere with the election? Go Trump, there are too many people gunning for you.
https://www.politico.com/news/2020/09/29/john-ratcliffe-hillary-clinton-russia-423022
2. Putin wants a truce in cyberspace, while denying Russian interference
https://www.nytimes.com/2020/09/25/world/europe/russia-cyber-security-meddling.html
Advertisement
The new version of the 360 Threat Intelligence Center (TI) is now live
https://ti.360.cn