July 30, 2019 - Anomali Threat Research

Weekly Threat Briefing: Notorious MyDoom Worm Still on AutoPilot After 15 Years

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discusses the following threats: <strong>APT, Data exposure, Malspam, Phishing, Ransomware, Targeted attacks, Threat groups, </strong>and<strong> Vulnerabilities</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://www.helpnetsecurity.com/2019/07/29/vxworks-rtos-vulnerabilities/" target="_blank"><b>200 Million Enterprise, Industrial, and Medical Devices Affected by RCE Flaws in VxWorks RTOS</b></a> (July 29, 2019)<br/> Armis researchers have discovered 11 vulnerabilities in the real-time operating system “VxWorks,” which is used by over 200 million devices. VxWorks is used by organizations in the industrial and medical sectors and runs on numerous types of devices and equipment such as elevators, firewalls, industrial controllers, patient monitors, printers, MRI machines, and VoIP phones. Six of the vulnerabilities can result in Remote Code Execution (RCE) and are registered as CVE-2019-12256, CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263, and CVE-2019-12257. The other five vulnerabilities can result in denial-of-service, information exposure, and logical errors, and are registered as CVE-2019-12258, CVE-2019-12262, CVE-2019-12264, CVE-2019-12259, and CVE-2019-12265.
At the time of this writing, no exploitation of these vulnerabilities has been observed in the wild.<br/> <a href="https://forum.anomali.com/t/200-million-enterprise-industrial-and-medical-devices-affected-by-rce-flaws-in-vxworks-rtos/4013" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://latesthackingnews.com/2019/07/28/brazilian-financial-service-exposed-250gb-of-local-banks-customers-data-via-unsecured-server/" target="_blank"><b>Brazilian Financial Service Exposed 250GB of Local Banks’ Customer Data via Unsecured Server</b></a> (July 28, 2019)<br/> An unsecured server owned by an unnamed Brazilian financial service provider and containing approximately 250GB of data has been identified, according to Data Group researchers. The data consisted of Personally Identifiable Information (PII) including scanned ID cards, social security numbers, and documents related to proof of address and service request forms. Researchers found that a majority of the data belonged to customers of Banco Pan; in response, the bank has stated that the server and the information on it are managed by a commercial partner.<br/> <a href="https://forum.anomali.com/t/brazilian-financial-service-exposed-250gb-of-local-banks-customer-data-via-unsecured-server/4014" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/notorious-mydoom-worm-still-on-autopilot-after-15-years/" target="_blank"><b>Notorious MyDoom Worm Still on AutoPilot After 15 Years</b></a> (July 26, 2019)<br/> A prolific malware strain dating back to 2004 called “MyDoom” has been found to still be automatically conducting its malicious activity. MyDoom is distributed via email with malicious attachments or links, or directly through peer-to-peer connections. Once a machine has been infected, the malware opens TCP ports 3127 and 3198 to grant threat actors remote access for additional malicious purposes.
After infection, the malware automatically collects email addresses from the infected user’s machine and sends itself to those addresses as an attached copy.<br/> <a href="https://forum.anomali.com/t/notorious-mydoom-worm-still-on-autopilot-after-15-years/4015" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a> | <a href="https://ui.threatstream.com/ttp/947117">[MITRE ATT&amp;CK] Automated Collection - T1119</a></p><p><a href="https://blog.ensilo.com/txhollower-process-doppelganging" target="_blank"><b>GandCrab Doppelgänging His Shell</b></a> (July 25, 2019)<br/> EnSilo researchers have identified a new downloader, dubbed “TxHollower,” that uses a variation of the Process Doppelgänging technique. Process Doppelgänging “involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection,” according to MITRE. Analysis of the now-defunct GandCrab ransomware led to the discovery of seven versions of TxHollower.
The downloader is a shellcode that, “in contrast to the original technique [Process Doppelgänging], instead of using an existing executable on disk a new file [is] created inside the transaction in %TEMP% folder.” TxHollower is used by over 20 different malware families and is likely distributed in a variety of ways, such as malspam and malvertising, among others.<br/> <a href="https://forum.anomali.com/t/gandcrab-doppelganging-his-shell/4016" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947109">[MITRE ATT&amp;CK] Security Software Discovery - T1063</a></p><p><a href="https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology" target="_blank"><b>Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia</b></a> (July 24, 2019)<br/> An Advanced Persistent Threat (APT) email campaign has been targeting government agencies in Eastern Asia since early 2019, according to Proofpoint researchers. The campaign, dubbed “Operation LagTime IT,” consists of threat actors distributing malicious Rich Text Format (RTF) documents to government entities associated with various sectors, including domestic affairs, economic development, foreign affairs, information technology, and political process. The RTF documents are distributed in attempts to exploit a Microsoft Equation Editor vulnerability registered as CVE-2018-0798.
Analysts attribute this activity to a Chinese APT group dubbed “TA428.”<br/> <a href="https://forum.anomali.com/t/chinese-apt-operation-lagtime-it-targets-government-information-technology-agencies-in-eastern-asia/4017" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947166">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a></p><p><a href="https://www.zdnet.com/article/this-android-malware-can-take-photos-and-videos-and-spy-on-your-app-history/" target="_blank"><b>This Android Malware Can Take Photos and Videos and Spy on Your App History</b></a> (July 24, 2019)<br/> A new custom malware, dubbed “Monokle,” is being utilized by unknown threat actors to conduct surveillance on chosen individuals, according to Lookout researchers. Monokle functions as a Remote Access Trojan (RAT) with multiple malicious capabilities such as keylogging, taking photos and video, tracking user location, and stealing application and web browser history, among others. The malware installs trusted certificates to gain root access to the device, which allows Monokle to further conduct its theft and monitoring functionalities. Researchers believe that Monokle has been active since at least 2016, with its activity consisting of small bursts targeting individuals in the Caucasus region.
The infrastructure identified by Lookout has been connected to the Russian company Special Technology Centre, based in St. Petersburg. While this activity is targeting Android users, researchers have also identified iOS components in the malware, likely indicating that targeting of iOS is under development or may already be underway.<br/> <a href="https://forum.anomali.com/t/this-android-malware-can-take-photos-and-videos-and-spy-on-you-app-history/4018" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1260047">[MITRE MOBILE-ATT&amp;CK] Abuse Accessibility Features - T1453</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947265">[MITRE ATT&amp;CK] Install Root Certificate - T1130</a> | <a href="https://ui.threatstream.com/ttp/947093">[MITRE ATT&amp;CK] Audio Capture - T1123</a> | <a href="https://ui.threatstream.com/ttp/1260108">[MITRE MOBILE-ATT&amp;CK] Premium SMS Toll Fraud - T1448</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a></p><p><a href="https://www.cyberscoop.com/robinhood-passwords-internal-system/" target="_blank"><b>Stock Trading App Robinhood Says User Passwords were Readable on Internal Systems</b></a> (July 24, 2019)<br/> The stock-trading application “Robinhood” has confirmed that on July 22, 2019 its security team detected that the application was storing usernames and associated passwords in plain text inside the company’s systems.
A spokesperson for Robinhood stated that customers who may be affected by this incorrect data storage were notified by email and that, as of this writing, it appears the data was not accessed by anyone unauthorized.<br/> <a href="https://forum.anomali.com/t/stock-trading-app-robinhood-says-user-passwords-were-readable-on-internal-systems/4019" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.infosecurity-magazine.com/news/iranian-threat-group-targets-1/" target="_blank"><b>Iranian Threat Group Targets LinkedIn Users</b></a> (July 23, 2019)<br/> The Iranian Advanced Persistent Threat (APT) group “APT34” (also known as OilRig) has once again been found to be conducting malicious activity on the social networking site LinkedIn, according to FireEye researchers. The threat actors created LinkedIn profiles pretending to be a member of Cambridge University in order to distribute malicious documents. These malicious documents were found to be infecting users with APT34’s custom credential-stealing malware “PICKPOCKET.” Researchers also identified three new malware families the group has added to its arsenal, dubbed “LONGWATCH” (keylogger), “ToneDeaf” (backdoor), and “VALUEVAULT” (credential stealer).<br/> <a href="https://forum.anomali.com/t/iranian-threat-group-targets-linkedin-users/4020" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a 
href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&amp;CK] Valid Accounts - T1078</a></p><p><a href="https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/" target="_blank"><b>Discovering BADHATCH and a Detailed Look at FIN8’s Tooling</b></a> (July 23, 2019)<br/> The financially-motivated threat group “FIN8,” which was first identified by FireEye researchers in 2016, has added a new tool to its malicious arsenal, according to Gigamon researchers. The new tool, dubbed “BADHATCH,” is likely distributed through malspam emails and is capable of reverse shell functionality and transferring files. The emails contain Microsoft Word document attachments with malicious macros that, once enabled, execute a PowerShell command to begin the BADHATCH infection process.
Researchers believe that malspam email is likely the initial infection method; however, as of this writing they had been unable to retrieve a document sample.<br/> <a href="https://forum.anomali.com/t/discovering-badhatch-and-a-detailed-look-at-fin8-s-tooling/4021" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947199">[MITRE ATT&amp;CK] Data Staged - T1074</a> | <a href="https://ui.threatstream.com/ttp/947135">[MITRE ATT&amp;CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a> | <a href="https://ui.threatstream.com/ttp/947289">[MITRE ATT&amp;CK] Custom Command and Control Protocol - T1094</a> | <a href="https://ui.threatstream.com/ttp/947133">[MITRE ATT&amp;CK] Custom Cryptographic Protocol - T1024</a> | <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a> | <a href="https://ui.threatstream.com/ttp/947213">[MITRE ATT&amp;CK] Multiband Communication - T1026</a> | <a href="https://ui.threatstream.com/ttp/947278">[MITRE ATT&amp;CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947150">[MITRE ATT&amp;CK] Standard Cryptographic Protocol - T1032</a> | <a href="https://ui.threatstream.com/ttp/947256">[MITRE ATT&amp;CK] Uncommonly Used Port - T1065</a> | <a href="https://ui.threatstream.com/ttp/947269">[MITRE ATT&amp;CK] Access Token Manipulation - T1134</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/2402542">[MITRE ATT&amp;CK] Execution Guardrails - T1480</a> | <a 
href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&amp;CK] File Deletion - T1107</a> | <a href="https://ui.threatstream.com/ttp/2336968">[MITRE ATT&amp;CK] File Permissions Modification - T1222</a> | <a href="https://ui.threatstream.com/ttp/947268">[MITRE ATT&amp;CK] Hidden Files and Directories - T1158</a> | <a href="https://ui.threatstream.com/ttp/947166">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/2402543">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="https://ui.threatstream.com/ttp/947123">[MITRE ATT&amp;CK] Network Share Discovery - T1135</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/multistage-attack-delivers-billgates-setag-backdoor-can-turn-elasticsearch-databases-into-ddos-botnet-zombies/" target="_blank"><b>Multistage Attack Delivers BillGates/Setag Backdoor, Can Turn Elasticsearch Databases into DDoS Botnet “Zombies”</b></a> (July 23, 2019)<br/> Threat actors are targeting Elasticsearch servers with the objective of installing backdoors that enlist the infected hosts into a larger botnet used to conduct Distributed Denial-of-Service (DDoS) attacks. The actors behind this campaign are scanning the internet for publicly accessible Elasticsearch servers in order to exploit a previously-patched vulnerability in the Groovy scripting engine, registered as “CVE-2015-1427,” which affects Elasticsearch. Post-exploitation, the “Setag” backdoor is installed, which is capable of stealing system information and launching DDoS attacks.
Setag is also capable of exploiting a vulnerability in Apache Struts 2 registered as CVE-2017-5638, and appears to be similar to the “BillGates” malware, which is also capable of hijacking systems and conducting DDoS attacks.<br/> <a href="https://forum.anomali.com/t/multistage-attack-delivers-billgates-setag-backdoor-can-turn-elasticsearch-databases-into-ddos-botnet-zombies/4022" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947194">[MITRE ATT&amp;CK] Indicator Removal on Host - T1070</a> | <a href="https://ui.threatstream.com/ttp/947207">[MITRE ATT&amp;CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&amp;CK] Data Encoding - T1132</a></p><p><a href="https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later" target="_blank"><b>BrushaLoader Still Sweeping Up Victims One Year Later</b></a> (July 22, 2019)<br/> Proofpoint researchers have published their research on the downloader called “BrushaLoader” and found that malware actors are utilizing this tool in attempts to be more stealthy in their malicious operations. BrushaLoader, which first appeared in June 2018, is distributed via malspam emails containing malicious attachments, typically compressed VBS files.
The malware is used by threat actors to download other payloads onto an infected machine, taking advantage of the fact that BrushaLoader has been relatively effective in previous campaigns.<br/> <a href="https://forum.anomali.com/t/brushaloader-still-sweeping-up-victims-one-year-later/4023" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a></p><p><a href="https://latesthackingnews.com/2019/07/22/gandcrab-out-sodinokibi-in-meet-the-new-sodinokibi-ransomware/" target="_blank"><b>GandCrab Out – Sodinokibi In! Meet The New Sodinokibi Ransomware</b></a> (July 22, 2019)<br/> The Ransomware-as-a-Service (RaaS) called “Sodinokibi” was discovered approximately three months ago, and since then it appears to be filling the void left by the now-defunct GandCrab RaaS. Researchers believe that Sodinokibi is more advanced than GandCrab and is distributed via exploitation of an Oracle WebLogic vulnerability (CVE-2019-2725), malspam and phishing emails with links and/or attachments, malvertisements leading to the RIG exploit kit, and compromised managed service providers.
An infected machine has its desktop wallpaper changed to a notice of file encryption and is shown a ransom note demanding approximately $1,300 USD (0.13490081 bitcoins) for the decryptor.<br/> <a href="https://forum.anomali.com/t/gandcrab-out-sodinokibi-in-meet-the-new-sodinokibi-ransomware/4024" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947209">[MITRE ATT&amp;CK] Third-party Software - T1072</a> | <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&amp;CK] File Deletion - T1107</a> | <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/proftpd-remote-code-execution-bug-exposes-over-1-million-servers/" target="_blank"><b>ProFTPD Remote Code Execution Bug Exposes Over 1 Million Servers</b></a> (July 22, 2019)<br/> The publicly-available, cross-platform FTP server “ProFTPD” is affected by a Remote Code Execution (RCE) vulnerability, registered as “CVE-2019-12815,” that puts over one million servers at risk. The vulnerability was identified by security researcher Tobias Mädel and reported to ProFTPD in September 2018.
A temporary fix was issued on July 17; however, no official patch has been issued.<br/> <a href="https://forum.anomali.com/t/proftpd-remote-code-execution-bug-exposes-over-1-million-servers/4025" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://threatpost.com/critical-rce-flaw-palo-alto-gateways-uber/146606/" target="_blank"><b>Critical RCE Flaw in Palo Alto Gateways Hits Uber</b></a> (July 22, 2019)<br/> Researchers identified an interesting Remote Code Execution (RCE) vulnerability located in Palo Alto Networks’ GlobalProtect portal and GlobalProtect Gateway security software products. The critical-rated vulnerability, registered as “CVE-2019-1579,” could be exploited by a threat actor sending a custom-crafted request to a vulnerable system, allowing remote execution of arbitrary code. Interestingly, while CVE-2019-1579 was still unknown, it was unintentionally fixed in later versions of GlobalProtect. The vulnerability affects the following PAN-OS versions: PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier, and PAN-OS 8.1.2.<br/> <a href="https://forum.anomali.com/t/critical-rce-flaw-in-palo-alto-gateways-hits-uber/4026" target="_blank">Click here for Anomali recommendation</a></p></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2></div><div id="threat_model"><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products" target="_blank">Click here to request a trial.</a></p><div id="threat_model_actors"><div><a href="https://ui.threatstream.com/actor/4411" target="_blank">OilRig</a><br/> The Advanced Persistent Threat (APT) group “OilRig” is believed to be an Iranian-based group that has been active since at least 2014.
OilRig conducts cyber espionage operations focused on reconnaissance that benefits Iranian nation-state interests. OilRig uses a mix of public and custom tools to primarily target entities located in the Middle East.</div></div></div></div>
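As an added defender-side example that is not part of the original briefing: the MyDoom item above gives two host-observable behaviours, the backdoor listeners on TCP 3127 and 3198 and the worm mailing copies of itself to harvested addresses. The Python below turns those into two checks run over a constructed listening-socket inventory and a constructed outbound-SMTP log. The log line formats, hostnames, recipient addresses, the `KNOWN_MAIL_RELAYS` allowlist and the "five distinct recipients within five minutes" threshold are assumptions made for this example, not values from the briefing; the only page-sourced values are the two port numbers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Backdoor ports named in the briefing: MyDoom listens on these after infection.
MYDOOM_BACKDOOR_PORTS = {3127, 3198}

# Assumed allowlist: hosts expected to originate bulk SMTP (real mail relays).
KNOWN_MAIL_RELAYS = {"srv-mail"}

# Constructed sample of a per-host listening-socket inventory
# (hostname, protocol, local address, state); not a real capture.
SOCKET_INVENTORY = """\
wks-017 tcp 0.0.0.0:445 LISTEN
wks-017 tcp 0.0.0.0:3127 LISTEN
wks-017 tcp 0.0.0.0:3198 LISTEN
wks-042 tcp 0.0.0.0:445 LISTEN
wks-042 tcp 127.0.0.1:631 LISTEN
srv-mail tcp 0.0.0.0:25 LISTEN
"""

# Constructed sample of outbound SMTP events as a perimeter device might log them.
SMTP_LOG = """\
2019-07-26T09:00:01 src=wks-017 rcpt=alice@example.net
2019-07-26T09:00:02 src=wks-017 rcpt=bob@example.org
2019-07-26T09:00:02 src=wks-017 rcpt=carol@example.com
2019-07-26T09:00:03 src=wks-017 rcpt=dave@example.net
2019-07-26T09:00:04 src=wks-017 rcpt=erin@example.org
2019-07-26T09:00:05 src=wks-017 rcpt=frank@example.com
2019-07-26T09:01:00 src=wks-042 rcpt=helpdesk@example.net
2019-07-26T09:30:00 src=wks-042 rcpt=helpdesk@example.net
2019-07-26T09:00:00 src=srv-mail rcpt=u1@example.net
2019-07-26T09:00:00 src=srv-mail rcpt=u2@example.net
2019-07-26T09:00:00 src=srv-mail rcpt=u3@example.net
2019-07-26T09:00:00 src=srv-mail rcpt=u4@example.net
2019-07-26T09:00:00 src=srv-mail rcpt=u5@example.net
2019-07-26T09:00:00 src=srv-mail rcpt=u6@example.net
"""

SOCKET_RE = re.compile(r"^(?P<host>\S+)\s+tcp\s+\S+:(?P<port>\d+)\s+LISTEN$")
SMTP_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<host>\S+)\s+rcpt=(?P<rcpt>\S+)$")


def find_backdoor_listeners(inventory: str) -> dict:
    """Return {host: sorted MyDoom backdoor ports found in LISTEN state}."""
    hits = defaultdict(set)
    for line in inventory.splitlines():
        m = SOCKET_RE.match(line.strip())
        if not m:
            continue  # skip non-TCP lines and anything that does not parse
        port = int(m.group("port"))
        if port in MYDOOM_BACKDOOR_PORTS:
            hits[m.group("host")].add(port)
    return {host: sorted(ports) for host, ports in hits.items()}


def find_mass_mailers(log: str, window: timedelta = timedelta(minutes=5),
                      threshold: int = 5) -> dict:
    """Return {host: peak number of distinct recipients contacted within
    `window`} for hosts reaching `threshold`; known relays are not scored."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = SMTP_RE.match(line.strip())
        if not m or m.group("host") in KNOWN_MAIL_RELAYS:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        events[m.group("host")].append((ts, m.group("rcpt").lower()))

    flagged = {}
    for host, evs in events.items():
        evs.sort()
        peak = 0
        for i, (start, _) in enumerate(evs):
            # Distinct recipients in the window opening at this event.
            seen = {rcpt for ts, rcpt in evs[i:] if ts - start <= window}
            peak = max(peak, len(seen))
        if peak >= threshold:
            flagged[host] = peak
    return flagged


def triage(inventory: str, log: str) -> dict:
    """Merge both signals into one per-host report for analyst review."""
    listeners = find_backdoor_listeners(inventory)
    mailers = find_mass_mailers(log)
    return {
        host: {"backdoor_ports": listeners.get(host, []),
               "peak_recipients": mailers.get(host, 0)}
        for host in set(listeners) | set(mailers)
    }


if __name__ == "__main__":
    for host, info in sorted(triage(SOCKET_INVENTORY, SMTP_LOG).items()):
        print(f"{host}: backdoor ports {info['backdoor_ports']}, "
              f"peak distinct recipients {info['peak_recipients']}")
```

On the constructed data only wks-017 is reported, on both signals: it listens on 3127 and 3198 and contacts six distinct recipients within a few seconds, while wks-042 sends to a single address and srv-mail is excluded as a known relay. Either signal on its own is worth a look; a listener on an unexpected port plus a burst of outbound mail from a workstation is the combination the briefing describes, and the threshold and window should be tuned to what normal workstation mail volume looks like in your own environment.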
