add speculoos bakdoor

This commit is contained in:
Deborah Servili 2020-04-27 09:36:23 +02:00
parent 6b49d81b13
commit f6fd07fbc9
No known key found for this signature in database
GPG key ID: 7E3A832850D4D7D1
2 changed files with 43 additions and 3 deletions

View file

@ -99,7 +99,26 @@
}, },
"uuid": "aefe3603-8f96-425c-9f71-9fe21334f224", "uuid": "aefe3603-8f96-425c-9f71-9fe21334f224",
"value": "FlowerPippi" "value": "FlowerPippi"
},
{
"description": "FreeBSD-based payload, Speculoos was delivered by exploiting CVE-2019-19781, a vulnerability affecting the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances that allowed an adversary to remotely execute arbitrary commands. This vulnerability was first disclosed on December 17, 2019 via security bulletin CTX267679 which contained several mitigation recommendations. By January 24, 2020, permanent patches for the affected appliances were issued. Based on the spread of industries and regions, in addition to the timing of the vulnerability disclosure, we believe this campaign may have been more opportunistic in nature compared to the highly targeted attack campaigns that are often associated with these types of adversaries. However, considering the exploitation of the vulnerability in conjunction with delivery of a backdoor specifically designed to execute on the associated FreeBSD operating system indicates the adversary was absolutely targeting the affected devices.",
"meta": {
"refs": [
"https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/"
]
},
"related": [
{
"dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "used-by"
} }
], ],
"version": 7 "uuid": "201e8794-a93b-476f-9436-1dd859c6e5d9",
"value": "Speculoos"
}
],
"version": 8
} }

View file

@ -7749,9 +7749,19 @@
], ],
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html" "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html",
"https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/"
] ]
}, },
"related": [
{
"dest-uuid": "201e8794-a93b-476f-9436-1dd859c6e5d9",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "uses"
}
],
"uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", "uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
"value": "APT41" "value": "APT41"
}, },
@ -8109,7 +8119,18 @@
}, },
"uuid": "f628b544-48b6-44e2-b794-950713353cf1", "uuid": "f628b544-48b6-44e2-b794-950713353cf1",
"value": "Operation Shadow Force" "value": "Operation Shadow Force"
},
{
"description": "Researchers at FireEye report finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation code for NetScaler servers with its exploits. In effect, the hackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, then block off the vulnerable code from future exploit attempts by mitigation.",
"meta": {
"refs": [
"https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/",
"https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html"
]
},
"uuid": "21d08f2c-97b2-444e-be49-8457093b841a",
"value": "NOTROBIN"
} }
], ],
"version": 157 "version": 158
} }