<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=439793516377641&amp;ev=PageView&amp;noscript=1">

Bi-Weekly Security Update 3/29/17

MW-AY155_cyber__20130111111154_MG.jpg

 

Malicious Content Identified and Inserted:

  • IPs – 1363
  • Domains – 868

Target List Content Updated:

  • TSCritical
  • TSRansomware
  • TSPhishing
  • TSBanking

Indicators of compromise have been updated for the following:

(For a deeper dive into the research behind a threat or campaign, click on the links in each description)

  • IOCs involved in suspicious scanning activities on domains and hosts.
  • IOCs involved in malspam.
  • IOCs involved in phishing.
  • Mirai, a Linux malware targeting IoT systems, is primarily used for DDoS attacks. This malware is distributed by identifying vulnerable devices (using a table of common factory default usernames and passwords) and subsequently logging in and infecting them. This botnet was used in the recent DDoS attacks against computer security journalist Brian Krebs' web site, as well as in the October 2016 Dyn cyber attack. You can read more in our blog here.
  • Nebula EK is a new variant of a previously known Exploit Kit, Sundown, with minor deviations. The only difference between the two, as mentioned by cyber researcher Kafeine, is Nebula’s internal TDS. (TDS is a gate that is used to redirect visitors to various content)
  • A site offering a free AV coupon led to a tech support scam, as reported by Malwarebytes.
  • Snake\Turla is a cyber espionage group found to be active in APT campaigns. In 2016, they were found to infect targets in over 45 countries. Their distribution of malware includes both direct spear phishing and watering hole attacks. Additionally, this group has a distinct modus operandi through consistent use of satellite-based Internet links.
  • Fareit aka Pony is a data stealer Trojan capable of collecting sensitive user information, including usernames and passwords in certain browsers, stored email credentials, bitcoin-related details and more. You can read more about it in our blog post here.
  • Landing pages on compromised embassy websites, targeting multiple countries, are all embassies physically located within the US.
  • Luabot is a unique malware written in LUA scripting language, first published by MalwareMustDie. This malware is distributed by attempting to brute force SSH servers and exploit Linksys router command injections. Luabot targets ARM platforms, usually found in embedded (IoT) devices.

Security Blog Roundup:

 New/Updated Targets:

  • End of Life:
    • VOIP Honey
  • New:
    • Botnets 2 – A compound target to be used in addition to the “Botnets” target on devices that can support the larger MAX_POLICY size.
    • UNIX 2 – A compound target to be used in addition to the “UNIX” target on devices that can support the larger MAX_POLICY size.

Share this:

Home Page

OTHER THREATSTOP OUTLETS

  1. ThreatSTOP on YouTube
  2. ThreatSTOP on Twitter