TI.360.CN
高级威胁分析
1、Google TAG发布朝鲜网络攻击组织对定向攻击网络安全人员,思路社工手段:聊天聊天啊聊天,建立感情后,帮忙分析个样本、分析个工具、共享个数据呗……然后把带后门的文件发给你,你就中招了……就这个事儿,多家安全厂商发布了看法:
https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
先看国内的看法:
2、360的看法:破壳行动 - Lazarus(APT-C-26)组织针对安全研究人员的定向攻击活动揭秘
https://mp.weixin.qq.com/s/W-C_tKVnXco8C3ctgAjoNQ
3、安恒的看法:防不胜防,黑客利用Visual Studio编译器特性定向攻击二进制漏洞安全研究员
https://mp.weixin.qq.com/s/UBD0hyXUooYuDrpsz8-MtQ
国外看法:
4、comae看法:PANDORABOX-朝鲜黑客针对安全研究人员
https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/
5、norfolkinfosec看法:朝鲜针对安全研究人员的恶意软件
https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/
6、如何检测自己是否中招?
# Checks the registry for IOCs# If not vulnerable should return "ERROR: The system was unable to find the specified registry key or value."reg query "HKLMSOFTWAREMicrosoftWindowsCurrentVersionKernelConfig"reg query "HKLMSOFTWAREMicrosoftWindowsCurrentVersionDriverConfig"reg query "HKCUSOFTWAREMicrosoftWindowsCurrentVersionRunSSL Update"# Checks the paths of IOCs from https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/# If not vulnerable each will return falseTest-Path C:WindowsSystem32Nwsapagent.sys -PathType LeafTest-Path C:WindowsSystem32helpsvc.sys -PathType LeafTest-Path C:ProgramDataUSOShareduso.bin -PathType LeafTest-Path C:ProgramDataVMwarevmnat-update.bin -PathType LeafTest-Path C:ProgramDataVirtualBoxupdate.bin -PathType Leaf
https://gist.github.com/ZephrFish/0deb1458aeb63ae832987cc53addc404
7、检测Visual Studio手段之一,“同源、同技术”分析
rule exploit_tlb_sct{meta:description = "Detects malicious TLB files which may be delivered via Visual Studio projects"author = "Rich Warren"reference = "https://github.com/outflanknl/Presentations/blob/master/Nullcon2020_COM-promise_-_Attacking_Windows_development_environments.pdf"date = "2021-01-26"strings:$a = ".sct" ascii nocase$b = "script:" ascii nocase$c = "scriptlet:" ascii nocase$d = "soap:" ascii nocase$e = "winmgmts:" ascii nocasecondition:uint32be(0) == 0x4D534654 and any of them}
https://github.com/outflanknl/Presentations/blob/master/Nullcon2020_COM-promise_-_Attacking_Windows_development_environments.pdf
https://gist.github.com/rxwx/2138a3f41c1c657d769e6cf8c9d32ed1
8、APT16使用的ELMER后门的详细分析,兔兔兔兔……
https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/
9、Lazarus攻击新活动
https://blogs.jpcert.or.jp/ja/2021/01/Lazarus_malware2.html
技术分享
1、利用PDNS分析SUNBURST续集。OSINT溯源技术之一
https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc
2、Necro僵尸网络分析
https://blog.netlab.360.com/necro/
漏洞相关
1、HackBack - A DIY guide to rob banks
https://www.exploit-db.com/papers/47682
2、CVE-2021-3115 golang RCE,利用windows 环境变量触发,666!
https://www.bleepingcomputer.com/news/security/google-fixes-severe-golang-windows-rce-vulnerability/
网络战与网络情报
1、被动收集卫星流量以获取威胁情报
https://xorl.wordpress.com/2021/01/26/passive-collection-of-satellite-traffic-for-threat-intelligence/
https://www.blackhat.com/us-20/briefings/schedule/#whispers-among-the-stars-a-practical-look-at-perpetrating-and-preventing-satellite-eavesdropping-attacks-19391
2、【警惕】美军GPS测试,干扰、欺骗GPS信号,战时武器!
https://spectrum.ieee.org/aerospace/aviation/faa-files-reveal-a-surprising-threat-to-airline-safety-the-us-militarys-gps-tests
3、nshc又整理2020年11月的攻击活动,又是我看不懂系列
https://redalert.nshc.net/2021/01/26/monthly-threat-actor-group-intelligence-report-november-2020/
本文始发于微信公众号(ThreatPage全球威胁情报):今日威胁情报2021/1/25-26(第342期)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论