今日威胁情报2020/9/3-5(第298期）

高级威胁分析

1、APT32混淆工具：混淆几种APT32混淆工具包。又得让一大波人高潮一把。

https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/

https://github.com/levanvn/APT32_Deobfuscate

2、vBulletinRCE漏洞CVE-2020-17496的在野利用

https://unit42.paloaltonetworks.com/cve-2020-17496/

3、Targeting of Tibet Following COVID-19 Themed Economic Espionage Campaign Delivering Sepulcher Malware Targeting Europe

https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic

https://threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/

4、Evilnum组织，我差点不知道这个组织……

https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat

技术分享

1、capa检测可执行文件，识别恶意软件，工具库+1

https://github.com/fireeye/capa/

https://www.fireeye.com/blog/threat-research/2020/07/capa-automatically-identify-malware-capabilities.html

2、Cerberus银行木马研究报告。

https://github.com/ics-iot-bootcamp/cerberus_research

https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf

3、使用Sysmon搜寻本地帐户和组

https://blog.menasec.net/2020/09/hunting-local-accounts-and-groups.html

4、TOOLS，谁看谁知道，不看不知道。

https://www.pcapanalysis.com/download-malware-samples/

5、使用YARA规则处理Windows事件记录

https://blog.dylan.codes/pwning-windows-event-logging/

6、子域名库

https://gist.github.com/cihanmehmet/5d7f6d6514b4c1c54c00ebf36d5f9e81

7、微软首次推出Deepfake检测工具，检测社交媒体传播的东西是否被篡改

https://www.welivesecurity.com/2020/09/03/microsoft-debuts-deepfake-detection-tool/

8、在野外QNAP NAS攻击

https://blog.netlab.360.com/in-the-wild-qnap-nas-attacks-en/

9、loader或者downloader技术，利用google DNS把恶意载荷下载到植入到目标中，这种单纯的TIP检测不出来

https://dns.google.com/resolve?name=dmarc.jqueryupdatejs.com&type=txt

https://www.bleepingcomputer.com/news/security/attackers-abuse-google-dns-over-https-to-download-malware/

漏洞相关

1、WordPress“文件管理器”插件 RCE 0day

https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/

2、CVE-2020-3495，Cisco Jabber的Windows版本中存在严重的远程代码执行（RCE）

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-UyTKCPGg

3、MoFi路由器中未修补的后门

https://www.criticalstart.com/critical-vulnerabilities-discovered-in-mofi-routers/

数据泄露相关

1、机翻：Telmate是美国监狱中被关押的囚犯用来与他们的朋友和亲人通信的一项服务，它已经公开了一个数据库，该数据库包含数以百万计的通话记录，私人消息以及有关囚犯及其联系方式的个人信息。该数据库无需密码或访问它的任何其他身份验证即可在Web上公开。

https://www.comparitech.com/blog/information-security/prison-phone-service-exposes-millions-inmate-records/

2、在线营销公司披露3800万美国公民记录.

https://cybernews.com/security/online-marketing-company-exposes-data-of-millions-americans/

网络战与网络情报

1、白宫发布了一项新指令，其中详细列出了保护太空系统免受网络威胁和网络攻击的建议和最佳实践。

https://www.whitehouse.gov/presidential-actions/memorandum-space-policy-directive-5-cybersecurity-principles-space-systems/

2、虚伪的声明

https://ge.usembassy.gov/u-s-embassy-statement-on-september-1-2020-cyberattack-against-georgian-ministry-of-health/#

3、Chinese Professors Among Six Defendants Charged with Economic Espionage and Theft of Trade Secrets for Benefit of People’s Republic of China

https://www.hackread.com/chinese-professor-jailed-for-economic-espionage/

https://www.justice.gov/opa/pr/chinese-professors-among-six-defendants-charged-economic-espionage-and-theft-trade-secrets

4、2020年零信任进度报告

https://www.cybersecurity-insiders.com/portfolio/2020-zero-trust-progress-report-pulse-secure/

5、联邦法官发现FBI和NSA违反了监视法或隐私权规则

https://www.washingtonpost.com/national-security/fbi-and-nsa-violated-surveillance-law-or-privacy-rules-a-federal-judge-found/2020/09/04/b215cf88-eec3-11ea-b4bc-3a2098fc73d4_story.html

6、CISA命令机构建立漏洞披露程序

https://www.cyberscoop.com/cisa-vulnerability-disclosure-directive-omb/

广告时间

360威胁情报中心TI新版上线

https://ti.360.cn