<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><em><img src="http://info.threatstop.com/hubfs/MW-AY155_cyber__20130111111154_MG.jpg" alt="MW-AY155_cyber__20130111111154_MG.jpg" width="454" height="318"></em></p>
<p><em>Malicious Content Identified and Inserted:</em></p>
<ul> <li>IPs – 1363</li> <li>Domains – 868</li> </ul>
<p><em>Target List Content Updated:</em></p>
<ul> <li>TSCritical</li> <li>TSRansomware</li> <li>TSPhishing</li> <li>TSBanking</li> </ul>
<p><em>Indicators of compromise have been updated for the following:</em></p>
<p><em>(For a deeper dive into the research behind a threat or campaign, click on the links in each description)</em></p>
<ul>
<li>IOCs involved in <strong>suspicious scanning activity</strong> against domains and hosts.</li>
<li>IOCs involved in <strong>malspam</strong>.</li>
<li>IOCs involved in <strong>phishing</strong>.</li>
<li><strong>Mirai</strong> is Linux malware that targets IoT devices and is used primarily for DDoS attacks. It spreads by scanning for devices that accept a Telnet login from its built-in table of common factory-default usernames and passwords, then logging in and infecting them. The botnet was used in the recent DDoS attacks against security journalist Brian Krebs' web site and in the October 2016 attack on Dyn. You can read more in our blog <a href="https://blog.threatstop.com/2016/11/08/mirai-dont-be-one-of-the-millions" data-hs-link-id="0" target="_blank">here</a>.</li>
<li><strong>Nebula EK</strong> is a new variant of the previously known <strong>Sundown</strong> exploit kit with only minor deviations. According to researcher <a href="http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html" data-hs-link-id="0" target="_blank">Kafeine</a>, the one real difference between the two is Nebula’s internal TDS (traffic distribution system: the gate that decides which content a visitor is redirected to).</li>
<li>A site offering a free AV coupon led to a tech support scam, as <a href="https://blog.malwarebytes.com/threat-analysis/2017/03/free-antivirus-coupon-leads-tech-support-scam/" data-hs-link-id="0" target="_blank">reported</a> by Malwarebytes.</li>
<li><strong>Snake/Turla</strong> is a cyber-espionage group active in long-running APT campaigns. In 2016 it was <a href="https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/" data-hs-link-id="0" target="_blank">found</a> to have infected <a href="http://blog.passivetotal.org/snakes-in-the-satellites-on-going-turla-infrastructure/" data-hs-link-id="0" target="_blank">targets</a> in over 45 countries. The group delivers its malware through both targeted spear-phishing and watering-hole attacks, and has a distinctive modus operandi: it consistently hides its command-and-control traffic behind satellite-based Internet links.</li>
<li><strong>Fareit</strong>, aka <strong>Pony</strong>, is a data-stealing Trojan that harvests sensitive user information, including usernames and passwords saved in several browsers, stored e-mail client credentials, Bitcoin wallet details and more. You can read more about it in our blog post <a href="https://blog.threatstop.com/2016/11/30/dont-pony-up-your-data-to-fareit" data-hs-link-id="0" target="_blank">here</a>.</li>
<li>Landing pages planted on <a href="https://blogs.forcepoint.com/security-labs/curious-case-reconnaissance-campaign-targeting-ministry-and-embassy-sites" data-hs-link-id="0" target="_blank">compromised embassy websites</a>. The affected embassies represent multiple countries, but all of them are physically located within the US.</li>
<li><strong>Luabot</strong> is an unusual piece of malware written in the Lua scripting language, first documented by <a href="http://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html" data-hs-link-id="0" target="_blank">MalwareMustDie</a>. It spreads by brute-forcing SSH logins and by exploiting command-injection flaws in Linksys routers. Luabot targets ARM platforms, which are common in embedded (IoT) devices.</li>
</ul>
<p><em>Security Blog Roundup:</em></p>
<ul> <li><a href="https://blog.threatstop.com/nebula-ek-the-rising-exploit-kit-variant" data-hs-link-id="0" target="_blank">Nebula EK: The Rising Exploit Kit Variant</a></li> </ul>
<p><em>New/Updated Targets:</em></p>
<ul>
<li>End of Life: <ul> <li>VOIP Honey</li> </ul> </li>
<li>New: <ul>
<li><strong>Botnets 2</strong> – A compound target to be used in addition to the “<strong>Botnets</strong>” target on devices that can support the larger MAX_POLICY size.</li>
<li><strong>UNIX 2</strong> – A compound target to be used in addition to the “<strong>UNIX</strong>” target on devices that can support the larger MAX_POLICY size.</li>
</ul> </li>
</ul></span>
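<p>The Mirai and Luabot entries above both describe the same propagation pattern: a scanner that works through a list of factory-default or guessed credentials against exposed login services. The following is an added example, not code from the original post and not from either malware family: a small detector that parses constructed OpenSSH auth-log lines (sshd standing in for the Telnet logins Mirai actually uses) and flags any source that cycles through many distinct default usernames within a short window, reporting whether one of those logins succeeded. The default-login list, the thresholds and the log lines are all assumptions made for the example.</p>

```python
import re
from collections import defaultdict
from datetime import datetime

# A small subset of the factory-default logins that Mirai-style scanners cycle
# through. Constructed for this example; real lists are much longer.
DEFAULT_LOGINS = {"root", "admin", "user", "guest", "support", "supervisor",
                  "service", "tech", "ubnt", "pi"}

# OpenSSH password events in syslog format. Telnet or honeypot logs would be
# handled identically once parsed into the same ts/result/user/ip fields.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log: one source tries a default username every two seconds
# and finally gets in as root; a second source is a normal user who mistypes a
# password once. The last line is a non-auth line the parser must skip.
SAMPLE_LOG = """\
Mar 20 10:01:00 gw sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Mar 20 10:01:02 gw sshd[2203]: Failed password for root from 198.51.100.23 port 40124 ssh2
Mar 20 10:01:04 gw sshd[2205]: Failed password for invalid user guest from 198.51.100.23 port 40126 ssh2
Mar 20 10:01:06 gw sshd[2207]: Failed password for invalid user support from 198.51.100.23 port 40128 ssh2
Mar 20 10:01:08 gw sshd[2209]: Failed password for invalid user user from 198.51.100.23 port 40130 ssh2
Mar 20 10:01:10 gw sshd[2211]: Failed password for invalid user supervisor from 198.51.100.23 port 40132 ssh2
Mar 20 10:01:12 gw sshd[2213]: Failed password for invalid user service from 198.51.100.23 port 40134 ssh2
Mar 20 10:01:14 gw sshd[2215]: Failed password for invalid user tech from 198.51.100.23 port 40136 ssh2
Mar 20 10:01:16 gw sshd[2217]: Failed password for invalid user ubnt from 198.51.100.23 port 40138 ssh2
Mar 20 10:01:18 gw sshd[2219]: Failed password for root from 198.51.100.23 port 40140 ssh2
Mar 20 10:01:20 gw sshd[2221]: Accepted password for root from 198.51.100.23 port 40142 ssh2
Mar 20 10:02:11 gw sshd[2240]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Mar 20 10:02:15 gw sshd[2242]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
Mar 20 10:02:15 gw sshd[2242]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""


def parse_line(line, year=2017):
    """Return {ts, result, user, ip} for an sshd password event, else None.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_default_credential_sweeps(lines, window_s=60, min_attempts=10,
                                     min_users=5, default_ratio=0.8):
    """Flag sources that try many distinct default usernames within window_s.

    A source is flagged when some window_s-second window holds at least
    min_attempts events spanning at least min_users distinct usernames, of
    which at least default_ratio are on the default-login list. Returns
    {ip: {"attempts", "distinct_users", "default_ratio", "accepted_as"}}.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the left edge until the window spans at most window_s seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            burst = recs[start:end + 1]
            if len(burst) < min_attempts:
                continue
            users = {r["user"] for r in burst}
            ratio = sum(u in DEFAULT_LOGINS for u in users) / len(users)
            if len(users) >= min_users and ratio >= default_ratio:
                # Report over everything seen from this source, so a login that
                # succeeded after the qualifying burst is not missed.
                all_users = {r["user"] for r in recs}
                findings[ip] = {
                    "attempts": len(recs),
                    "distinct_users": len(all_users),
                    "default_ratio": round(
                        sum(u in DEFAULT_LOGINS for u in all_users) / len(all_users), 2),
                    "accepted_as": sorted(
                        {r["user"] for r in recs if r["result"] == "Accepted"}),
                }
                break
    return findings


def run_example():
    return detect_default_credential_sweeps(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, finding in run_example().items():
        print(f"{ip}: {finding}")
```

<p>On the constructed log, 198.51.100.23 is flagged (11 attempts, 9 distinct usernames, all on the default list, and a successful login as root), while the single mistyped password from 192.0.2.10 stays below every threshold. The username-diversity and default-list checks are what separate this pattern from an ordinary password-guessing run against one account; a source that succeeds after such a sweep is the device that now needs to be assumed compromised.</p>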