今日威胁情报2021/1/25-26(第342期)

  • A+
所属分类:安全新闻

今日威胁情报2021/1/25-26(第342期)

TI.360.CN


高级威胁分析
今日威胁情报2021/1/25-26(第342期)


1、Google TAG发布朝鲜网络攻击组织对定向攻击网络安全人员,思路社工手段:聊天聊天啊聊天,建立感情后,帮忙分析个样本、分析个工具、共享个数据呗……然后把带后门的文件发给你,你就中招了……就这个事儿,多家安全厂商发布了看法:

https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/


先看国内的看法:

2、360的看法:破壳行动 - Lazarus(APT-C-26)组织针对安全研究人员的定向攻击活动揭秘

https://mp.weixin.qq.com/s/W-C_tKVnXco8C3ctgAjoNQ


3、安恒的看法:防不胜防,黑客利用Visual Studio编译器特性定向攻击二进制漏洞安全研究员

https://mp.weixin.qq.com/s/UBD0hyXUooYuDrpsz8-MtQ


国外看法:

4、comae看法:PANDORABOX-朝鲜黑客针对安全研究人员

https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/


5、norfolkinfosec看法:朝鲜针对安全研究人员的恶意软件

https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/


6、如何检测自己是否中招?

# Checks the registry for IOCs# If not vulnerable should return "ERROR: The system was unable to find the specified registry key or value."reg query "HKLMSOFTWAREMicrosoftWindowsCurrentVersionKernelConfig"reg query "HKLMSOFTWAREMicrosoftWindowsCurrentVersionDriverConfig"reg query "HKCUSOFTWAREMicrosoftWindowsCurrentVersionRunSSL Update"
# Checks the paths of IOCs from https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/# If not vulnerable each will return falseTest-Path C:WindowsSystem32Nwsapagent.sys -PathType LeafTest-Path C:WindowsSystem32helpsvc.sys -PathType LeafTest-Path C:ProgramDataUSOShareduso.bin -PathType LeafTest-Path C:ProgramDataVMwarevmnat-update.bin -PathType LeafTest-Path C:ProgramDataVirtualBoxupdate.bin -PathType Leaf

https://gist.github.com/ZephrFish/0deb1458aeb63ae832987cc53addc404


7、检测Visual Studio手段之一,“同源、同技术”分析

rule exploit_tlb_sct{   meta:      description = "Detects malicious TLB files which may be delivered via Visual Studio projects"      author = "Rich Warren"      reference = "https://github.com/outflanknl/Presentations/blob/master/Nullcon2020_COM-promise_-_Attacking_Windows_development_environments.pdf"      date = "2021-01-26"   strings:      $a = ".sct" ascii nocase      $b = "script:" ascii nocase      $c = "scriptlet:" ascii nocase      $d = "soap:" ascii nocase      $e = "winmgmts:" ascii nocase   condition:      uint32be(0) == 0x4D534654 and any of them}

https://github.com/outflanknl/Presentations/blob/master/Nullcon2020_COM-promise_-_Attacking_Windows_development_environments.pdf

https://gist.github.com/rxwx/2138a3f41c1c657d769e6cf8c9d32ed1


8、APT16使用的ELMER后门的详细分析,兔兔兔兔……

https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/


9、Lazarus攻击新活动

https://blogs.jpcert.or.jp/ja/2021/01/Lazarus_malware2.html


技术分享
今日威胁情报2021/1/25-26(第342期)


1、利用PDNS分析SUNBURST续集。OSINT溯源技术之一

https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc


2、Necro僵尸网络分析

https://blog.netlab.360.com/necro/


漏洞相关
今日威胁情报2021/1/25-26(第342期)


1、HackBack - A DIY guide to rob banks

https://www.exploit-db.com/papers/47682


2、CVE-2021-3115 golang RCE,利用windows 环境变量触发,666!

https://www.bleepingcomputer.com/news/security/google-fixes-severe-golang-windows-rce-vulnerability/


网络战与网络情报
今日威胁情报2021/1/25-26(第342期)


1、被动收集卫星流量以获取威胁情报

今日威胁情报2021/1/25-26(第342期)

https://xorl.wordpress.com/2021/01/26/passive-collection-of-satellite-traffic-for-threat-intelligence/

https://www.blackhat.com/us-20/briefings/schedule/#whispers-among-the-stars-a-practical-look-at-perpetrating-and-preventing-satellite-eavesdropping-attacks-19391


2、【警惕】美军GPS测试,干扰、欺骗GPS信号,战时武器!

https://spectrum.ieee.org/aerospace/aviation/faa-files-reveal-a-surprising-threat-to-airline-safety-the-us-militarys-gps-tests


3、nshc又整理2020年11月的攻击活动,又是我看不懂系列

https://redalert.nshc.net/2021/01/26/monthly-threat-actor-group-intelligence-report-november-2020/


今日威胁情报2021/1/25-26(第342期)

今日威胁情报2021/1/25-26(第342期)

本文始发于微信公众号(ThreatPage全球威胁情报):今日威胁情报2021/1/25-26(第342期)

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: