Anomali Blog
Phishing Campaign Spoofs United Nations and Multiple Other Organizations
Anomali Labs researchers recently discovered a phishing site masquerading as a login page for the United Nations (UN) Unite Unity, a single sign-on (SSO) application used by UN staff. When visitors attempt to login into the fraudulent page, their browser is redirected to an invitation for a film viewing at...
Read More
Phishers Target Texas Department of Transportation Contractors with Online Bidding Scheme
On February 15th, 2019, Anomali Labs researchers found an active phishing page masquerading as a legitimate Texas Department of Transportation (TxDOT) online bidding website. The illegitimate portal <hxxps://www[.]txdot[.]gov[.]us.e-bid.sync.auth.moovindancestudio[.]com/secure/user-login/login[.]php> is being hosted on a suspected compromised server...
Read More
Transform Your CTI Program With the Anomali Threat Platform: Exploring 5 Common Use Cases
In this blog, we will be looking at a few popular use cases of Anomali Enterprise™, one of the core components of the Anomali Threat Platform. Anomali Enterprise is a powerful tool that addresses an industry-wide dilemma on how to leverage threat intelligence effectively. A key issue with most...
Read More
Weekly Threat Briefing: Google Spots Attacks Exploiting iOS Zero-Day Flaws
The intelligence in this weekís iteration discuss the following threats: Cryptominers, Data breach, ExileRAT, Malware, NanoCore, RATs, Remote code execution, Spear phishing, and Vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs...
Read More
Weekly Threat Briefing: New SpeakUp Backdoor Infects Linux and macOS with Miners
The intelligence in this weekís iteration discuss the following threats: APT32, APT39, Backdoors, CookieMiner, Cryptominers, Data breach, Malspam, Malware, Phishing, SectorA05, and Vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for...
Read More
Analyzing Digital Quartermasters in Asia – Do Chinese and Indian APTs Have a Shared Supply Chain?
Anomali Labs recently analyzed a large number of weaponized RTF phishing files related to APT groups aligned with Chinese and Indian state interests. This analysis has identified a shared object dimension and shared obfuscation methods across weaponized RTF files utilized by the APT groups known as Sidewinder (Indian State Interests),...
Read More
How I Learned to Stop Worrying about CVEs and Love Threat Intelligence (es)
In my previous job, one of my main responsibilities was related to consulting services. Most of my customers’ needs were in the field of compliance and security assessment, and one of the most frequent requests was a vulnerability assessment of their IT infrastructure. I frequently had to explain to...
Read More
Weekly Threat Briefing: Hackers Are Going After Cisco RV320/RV325 Routers Using A New Exploit
The intelligence in this week’s iteration discuss the following threats: Alert, Data leak, DNS tampering, Misconfigured database, Phishing, Ransomware, Trojan, Vulnerabilities, Website compromise and Zero-day. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your...
Read More
Abusing the Mali ccTLD (.ml) To Target Dutch Organisations
IntroductionAt the start of 2019, Anomali Labs observed an upward trend in threat actors abusing the Mali country code top-level domain (ccTLD), “.ml”, to host suspicious and malicious sites closely resembling Dutch-based organisations. Our research identified the .ml ccTLD is amongst one of the top ten most...
Read More
Cyber Threat Intelligence Threat Intelligence Platform
Partner Spotlight: Silobreaker
One of the key differentiators between good security and great security is the interconnectedness between security solutions. Organizations need numerous specialized tools to aggregate, analyze, monitor, block, share - the list goes on. The more seamless the transfer of information and actions between these tools, the more effectively security teams...
Read More
Weekly Threat Briefing: Ex-Employee Hacks WPML WordPress Plugin Site and Spams Users
The intelligence in this weekís iteration discuss the following threats: Adware, APT, DarkHydrus, Data breach, Emotet, Lazarus group, MageCart, Malvertising, Ransomware, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs...
Read More
Phishing Scam Spoofs Canadian eTA and U.S. ESTA Websites To Target Visa-Exempt Foreign Travelers
On January 16, 2019, Anomali Labs detected two suspicious domains gov-canada-eta[.]com and canada-etavisa[.]info targeting foreign nationals interested in applying for a Canadian electronic travel authorization (eTA). Hosted on this domain is a replica website that spoofs the Government of Canada Electronic Travel Authorization (eTA) application site used by tourists, business...
Read More
Weekly Threat Briefing: NASA Jira Server Leaked Internal Project And Employee Data
The intelligence in this week's iteration discuss the following threats: Adware, Backdoor, CryptoMix, Data breaches, DNS hijacking, FlawedGrace, ICEPick-3PC, MageCart, Malware, Phishing, Ransomware, ServHelper, Side-channel attack, TA505, TEMP.MixMaster, and Vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing...
Read More
Phishing Scam Lures Australian Government Contractors Into Disclosing Account Credentials
On January 9, 2019, Anomali Labs observed a new tender-themed phishing scam targeting companies allegedly selected by the Australian Government to submit tenders for commercial projects. The document purports to be from the Secretary of Infrastructure and Regional Development, Dr. Steven Kennedy. The premise behind the scam is to lure users into...
Read More
2019 Attack Predictions for the Payment Sector
Anomali Labs published this week a report, “Cyber Crime in the Payments Industry,” that examines threat trends affecting this sector. The report, available for download, details attacks and techniques, and provides recommendations for organizations that process credit card transactions.The payments industry, including retail, hospitality, restaurants and payment...
Read More
Weekly Threat Briefing: Another Windows 10 Zero-Day Bug Could Allow Overwriting Files With Random Data
The intelligence in this weekís iteration discuss the following threats: APT28, Danabot, Data breaches, Miori, Phishing, RATs, Ransomware, Roma225, The Dark Overlord, Vulnerabilities, and Zebrocy. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your...
Read More
Destructive Shamoon Malware Continues its Return with a New Anti-American Message
Anomali Labs in its continued hunt for the destructive Shamoon malware, has identified a new Shamoon malware sample that uses an image of a burning US Dollar as part of its destructive attack. Historic versions of the Shamoon destructive wiper have utilized images of a burning American flag and the...
Read More
Cyber Threat Intelligence Malware
Holiday Shopping Increases Threat Actor Activity in 2018—Be Vigilant and Jolly
OverviewAs the weather grows colder and holiday shopping seasons encroaches, so too, increases the opportunities for data and monetary theft for a threat actor. Every year it seems as if companies are moving their “deals” earlier and earlier than the well-known Black Friday and Cyber Monday shopping...
Read More
Weekly Threat Briefing: Save the Children Hit by $1m BEC Scam
The intelligence in this weekís iteration discuss the following threats: Android trojan, BEC, Charming Kitten, Coblat Group, Exploit kit, Malware, Novidade, Phishing, Seedworm, SplitSpectre, and Vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check...
Read More
Cyber Threat Intelligence Malware Research
New Shamoon V3 Malware Targets Oil and Gas Sector in the Middle East and Europe
A new version of destructive wiper malware Shamoon was first identified by security researchers on December 5, 2018. This malware dubbed Shamoon V3, appears to be a new version of the destructive malware, which has historically been associated with advanced persistent threat actors aligned with the interests of the Iranian state. It...
Read More
