Examining targeted Threat Intelligence
RiskIQ Threat Intelligence Roundup: Trickbot, Magecart, and More Fake Sites Targeting Ukraine
APRIL 07, 2022, BY TEAM RISKIQ
Threat intelligence is more crucial than ever to attack surface management and cyber resilience in today's volatile threat landscape. RiskIQ continues to leverage our global telemetry to develop relevant, actionable intelligence that gives security teams line-of-sight to attackers and to the systems and infrastructure they operate.
This week's roundup again builds on powerful research published by the cybersecurity community about cyberattacks against Ukrainian citizens, refugees, and armed forces, including fraudulent sites attempting to fool people who want to donate money. It also breaks down new research, produced in collaboration with the Microsoft Defender for IoT Section 52 research team, about Trickbot malware targeting MikroTik routers, gives updates on Magecart, and offers additional insight into nation-state activity targeting Chinese casinos.
What's New in C2
Trickbot Abuse of Compromised MikroTik Routers for Command and Control: In collaboration with Section 52, RiskIQ researchers investigated MikroTik routers acting as reverse proxies for Trickbot command and control (C2). Section 52's article details how threat actors compromise MikroTik devices and configure them to work as C2 reverse proxies for Trickbot malware. We analyzed examples of compromised MikroTik routers in RiskIQ data and documented indicators that can help identify devices under threat actor control.
Based on new findings, indicators surfaced by Section 52, and previous third-party research, RiskIQ created detection logic that enables our systems to flag compromised MikroTik routers working as communication channels for Trickbot C2. Be sure to read more about our findings and access the more than 70 new indicators in our Threat Intelligence Portal (TIP).
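For defenders who manage MikroTik devices themselves, the practical check is whether the router's own NAT table contains a rule that bounces inbound traffic to a host outside the LAN, which is what a reverse proxy for someone else's C2 looks like in RouterOS. The script below is an added example, not RiskIQ's or Section 52's detection logic: it parses the text produced by a RouterOS `/export` and flags `dst-nat` rules whose `to-addresses` target is not a private or link-local address. The sample export, including the port numbers and the 203.0.113.10 target, is constructed for the demonstration; the choice of "forwarding to a non-LAN address" as the hallmark is this example's assumption, and a legitimate forward to a public host would also be reported and should be reviewed rather than auto-blocked.

```python
"""Flag MikroTik RouterOS NAT rules that turn the router into a reverse proxy.

Added example (not RiskIQ's or Section 52's detection logic). Assumption: a
C2 reverse-proxy configuration shows up as a dst-nat rule whose target lies
outside the router's own LAN. The export text below is constructed.
"""
import ipaddress
import re

# Ranges a port-forward would normally point into (the LAN side).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

# Constructed RouterOS export: a masquerade rule, one ordinary port-forward
# into the LAN, and one rule bouncing inbound traffic to an outside host.
# 203.0.113.10 (a documentation range) stands in for a public address.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=192.168.88.10 to-ports=443
add action=dst-nat chain=dstnat dst-port=449 protocol=tcp to-addresses=203.0.113.10 to-ports=80
/ip firewall filter
add action=accept chain=input connection-state=established,related
"""

# key=value tokens; values may be quoted (e.g. comment="...").
_KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_nat_rules(export_text):
    """Return a dict of key=value pairs for every 'add' line under /ip firewall nat."""
    rules, in_nat = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):          # section header switches context
            in_nat = line == "/ip firewall nat"
            continue
        if in_nat and line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in _KV.findall(line[4:])})
    return rules


def is_internal(addr):
    """True if addr falls in a private, loopback, link-local or CGNAT range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_reverse_proxy_rules(export_text):
    """dst-nat rules whose target is outside the LAN, i.e. the router relays
    inbound connections to a remote host. Returns (dst-port, target, to-ports)."""
    hits = []
    for rule in parse_nat_rules(export_text):
        if rule.get("action") != "dst-nat" or rule.get("chain") != "dstnat":
            continue
        target = rule.get("to-addresses", "")
        # to-addresses may be a range "a-b"; the first address is enough to classify.
        if target and not is_internal(target.split("-")[0]):
            hits.append((rule.get("dst-port"), target, rule.get("to-ports")))
    return hits


if __name__ == "__main__":
    for dst_port, target, to_port in find_reverse_proxy_rules(SAMPLE_EXPORT):
        print(f"suspicious dst-nat: tcp/{dst_port} -> {target}:{to_port}")
```

Feed it the output of `/export` from the router (or a backup of it) in place of `SAMPLE_EXPORT`; a hit means the device is forwarding traffic it receives on that port to a host you do not own, which warrants checking the rule's origin, the router's admin accounts, and the firmware version before removing it.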
Recent Magecart-Injected URLs and C2 Domains: Today, digital credit-card skimming malware like Magecart affects hundreds of e-commerce sites and shouldn't be overlooked. February saw a wave of attacks, which showed that "low-hanging fruit" is still available to these actors, who take advantage of new vulnerabilities and of issues with plugins and other third-party code. Between March 15th and 21st, RiskIQ detected 149 Magecart and skimmer-injected URLs and 186 unique C2 domains used by known Magecart operatives.
A Closer Look at Campaigns Targeting Ukraine (See remainder of article at link)