What we're seeing today, 16 Feb 2021
Today's activity has been moderate. We have observed a large phishing campaign as well as activity from several malware families, including APT28, Sandworm and APT33. Our daily report has been added to our threat intelligence platform, and there will be many updates throughout the day as new events are processed.
Phishing activity using JP Morgan Chase, PayPal, Bank of the West, Western Union, Salesforce, DocuSign (large targeted campaign), American Express, Capital One, USPS, and Adobe themes
Daily report is being worked on currently with more updates
Pyvil and Evilnum activity
List of defacements has been published
Aggregate feeds are also up to date
Web server attack patterns
VPN scans targeting Fortinet VPN and unpatched VPN vulnerabilities
Russian phishing activity uptick
Noted uptick in CVE-2012-3152 activity; we are not sure why this older vulnerability is being targeted
Strange activity from 169[.]50[.]13[.]61, 191[.]101[.]5[.]183, 68[.]65[.]122[.]109 and 198[.]202[.]242[.]72 which includes malware payloads and other malicious scanning
Malicious ads (tracking) for Home Depot ads through Google Ads
Chinese malware campaigns targeting Alibaba users
Chopper Web Shell utilization in targeted attacks
Trickbot masrv activity
Charming Kitten new techniques (Targeting Iran)
Fake WhatsApp application distribution noted
Fake Google Chrome installers
Most active CVE attacks and scans: CVE-2021-25276, CVE-2021-25274 and CVE-2021-25275 are all being actively exploited
ICS attacks on CVE-2020-10145 vulnerabilities in several sectors
We recommend blocking habr[.]ru, as we are finding code there that is being used to hack into PHP deployments, as well as code used to build a webshell from source that can be built remotely once an exploit has executed successfully
South Korea notes North Korean hacking activity targeting the Pfizer vaccine
Some security experts are saying that the SolarWinds activity may have been going on for over 3 years. This matches the data we have observed with updates and CDN, so we concur with this assessment
In addition, we added the following documents for reference:
AA21-042A: Compromise of U.S. Water Treatment Facility
AA21-008A: Detecting Post Compromise Threat Activity in Microsoft Cloud Environments
Some of our ISAC partners have also provided additional context on some of the above listed events that has been included in our threat intelligence data.
We have been telling customers to monitor DNS and CDN network activity since 2017. We believe the SolarWinds Orion incident, and others similar to this story, show that we can expect continued supply chain targeting of companies that would be presumed to have network-level access at these companies. We have previously warned that DNS RPZ could be used to backdoor companies' computing systems, and about the strange and sometimes unbelievable backdoors in common software observed on the CDN networks. Stay vigilant, as we are seeing more and more of this activity. We will be publishing an in-depth report on this in the coming days, outlining specific examples, samples and other data that will allow you to draw your own conclusions.
These are some of the most recent observations. In addition, we are still seeing CDN and DNS manipulation that points to malware infection locations. It is not known who is responsible for these, as they are distributed far and wide.
Last Updated: 4:06 PM EST