Anomali Cyber Watch: Lancefly APT Adopts Alternatives to Phishing, BPFdoor Removed Hardcoded Indicators, FBI Ordered Russian Malware to Self-Destruct


The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Credential theft, China, Exploits, Phishing, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.




Trending Cyber News and Threat Intelligence



Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors



(published: May 15, 2023)



Symantec researchers detected a new cyberespionage campaign by the Lancefly China-sponsored group targeting organizations in South and Southeast Asia. From mid-2022 into 2023 the group has targeted the aviation, government, education, and telecom sectors. The observed intrusion vectors suggest that Lancefly has possibly moved from phishing attacks to SSH brute force and exploiting publicly accessible devices such as load balancers. A small number of machines were infected in a highly targeted fashion to deploy the custom Merdoor backdoor and a modification of the open-source ZXShell rootkit. Lancefly abuses a number of legitimate binaries for DLL side-loading, credential stealing, and other living-off-the-land (LOLBin) activities.

Analyst Comment: Organizations are advised to monitor for suspicious SMB activity and LOLBin activities indicating possible process injection or LSASS memory dumping. File hashes associated with the latest Lancefly campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.

MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application
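An added example of the LSASS-access monitoring the analyst comment recommends; it is not code from the Symantec report or the Anomali platform. It filters constructed Sysmon Event ID 10 (ProcessAccess) records for processes that open lsass.exe with memory-read rights, and the allowlist of expected source processes is an assumption to be tuned per site.

```python
# Sysmon Event ID 10 (ProcessAccess) mask bits that grant memory access to the
# target; any LSASS dump needs at least PROCESS_VM_READ (0x10).
PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0008, 0x0010, 0x0020
MEMORY_ACCESS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
# Processes expected to open LSASS with these rights. Assumption: a site-specific
# allowlist built from a baseline, not a fixed list.
KNOWN_SOURCES = {"msmpeng.exe", "csrss.exe", "wininit.exe"}

def parse_event(line: str) -> dict:
    """Parse a flattened 'Key: Value|Key: Value' record (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")  # first colon only; keeps 'C:\...'
        fields[key.strip()] = value.strip()
    return fields

def is_lsass_memory_access(event: dict) -> bool:
    """True for a ProcessAccess event opening lsass.exe with memory rights."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    try:
        granted = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False  # unparsable mask: skip here, log separately in production
    return bool(granted & MEMORY_ACCESS)

def detect(lines) -> list:
    """Return (source_image, granted_access) for LSASS memory access from
    sources outside the allowlist; allowlisted sources are dropped."""
    alerts = []
    for ev in map(parse_event, lines):
        if not is_lsass_memory_access(ev):
            continue
        src = ev.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
        if src not in KNOWN_SOURCES:
            alerts.append((ev["SourceImage"], int(ev["GrantedAccess"], 16)))
    return alerts

# Constructed sample records, not real telemetry. The second one mimics an
# unsigned binary in a user-writable path taking full access to LSASS.
SAMPLE_EVENTS = [
    "EventID: 10|SourceImage: C:\\Windows\\System32\\MsMpEng.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1410",
    "EventID: 10|SourceImage: C:\\Users\\Public\\updater.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1FFFFF",
    "EventID: 10|SourceImage: C:\\Windows\\System32\\svchost.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1000",
    "EventID: 1|Image: C:\\Windows\\System32\\notepad.exe|CommandLine: notepad.exe",
]
```

Running `detect(SAMPLE_EVENTS)` flags only the updater.exe record: the antivirus engine is allowlisted, the svchost.exe open carries only PROCESS_QUERY_LIMITED_INFORMATION (0x1000), and the process-creation event is not a ProcessAccess event at all.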