What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-12-07 22:33:02 | Warning: Yet Another Bitcoin Mining Malware Targeting QNAP NAS Devices (lien direct) | Network-attached storage (NAS) appliance maker QNAP on Tuesday released a new advisory warning of a cryptocurrency mining malware targeting its devices, urging customers to take preventive steps with immediate effect. "A bitcoin miner has been reported to target QNAP NAS. Once a NAS is infected, CPU usage becomes unusually high where a process named '[oom_reaper]' could occupy around 50% of the | Malware Cloud | APT 37 | |
 |
2021-12-07 16:04:00 | Anomali Cyber Watch: Nginx Trojans, BlackByte Ransomware, Android Malware Campaigns, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Ransomware, Maldocs, E-Commerce, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New Malware Hides as Legit Nginx Process on E-Commerce Servers
(published: December 2, 2021)
Researchers at Sansec discovered NginRAT, a new malware variant that has been found on servers in the US, Germany, and France. Put in place to intercept credit card payments, this malware impersonates legitimate nginx processes which makes it very difficult to detect. NginRAT has shown up on systems that were previously infected with CronRAT, a trojan that schedules processes to run on invalid calendar days. This is used as a persistence technique to ensure that even if a malicious process is killed, the malware has a way to re-infect the system.
Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Shared Modules - T1129
Tags: NginRAT, CronRAT, Nginx, North America, EU
How Phishing Kits Are Enabling A New Legion Of Pro Phishers
(published: December 2, 2021)
Phishing kits, such as XBALTI are seeing increased use against financial institutions. Mixing email with SMS messages, attackers are targeting companies such as Charles Schwab, J.P. Morgan Chase, RBC Royal Bank and Wells Fargo. Victims are targeted and asked to verify account details. The attack is made to appear legitimate by redirecting to the real sites after information has been harvested.
Analyst Comment: With financial transactions increasing around this time of year, it is likely financially themed malspam and phishing emails will be a commonly used tactic. Therefore, it is crucial that your employees are aware of their financial institution's policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel.
Tags: Phishing, XBATLI
Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors
(pub |
Ransomware Malware Tool Vulnerability Threat Cloud | APT 37 | ★★★★ |
 |
2021-12-07 15:28:27 | Bitcoin Miner [oom_reaper] targets QNAP NAS devices (lien direct) | Taiwanese vendor QNAP warns customers of ongoing attacks targeting their NAS devices with cryptocurrency miners. Taiwanese vendor QNAP warns customers of threat actors targeting their NAS devices with cryptocurrency miners. Upon compromising the devices, the miner will create a new process named [oom_reaper] that allows threat actors to mine Bitcoin The above process could occupy […] | Threat Cloud | APT 37 | |
 |
2021-11-30 12:24:19 | North Korean Hackers Use New \'Chinotto\' Malware to Target Windows, Android Devices (lien direct) | Kaspersky has analyzed a new espionage campaign conducted by the threat actor named ScarCruft, and the security firm's researchers have uncovered a previously unknown malware that has been used to target Windows and Android devices. | Malware Threat Cloud | APT 37 | |
 |
2021-11-30 11:24:48 | Recent APT37 Activity and Chinotto, a Multi Platform Infostealer (lien direct) | FortiGuard Labs is aware of reports of recent activity from APT37. APT37 is a nation-state threat actor attributed to North Korea. The latest discovery by researchers at Kaspersky Labs has revealed a sophisticated, targeted attack that utilizes the stolen credentials from Facebook and email accounts belonging to an associate of the targeted victim.The victim was socially engineered and compelled into opening rar zipped attachments purporting to be from the trusted sender that contained a malicious Word document. The Word document is multi stage in design, and uses a malicious macro to initiate the first stage. The first stage detects the presence of AV software, and if AV is not present will initiate the second stage which is a shellcode that will download the final third stage payload.Ultimately, after several months of dwelling undetected on the infected system, the backdoor will then download the multiplatform infostealer, "Chinotto." Windows variants were sent via spearphishing emails and Android variants were sent via SMShing texts.What Operating Systems are Affected?Chinoto targets Windows and Android based operating systems.Is This Limited to Targeted Attacks?Yes.How Serious of an Issue is This?Medium.What is APT37?APT37 (also known as GROUP123 and Scarcruft), attributed to North Korean threat actors, has been in operation for several years. During that time, APT37 has been attributed to the Adobe Flash zero-day attack (CVE-2018-4878) that targeted researchers based in South Korea who were performing research on North Korea. APT37 focuses on various organizations with an interest in North Korea.APT37 is famous for exploiting vulnerabilities in the Hangul Word Processor (HWP) which is commonly used in South Korea, especially by those in the government sector. Analysis suggests that this is a very detailed and sophisticated threat actor with an arsenal of malware and exploits at their disposal that targets various verticals and organizations with specially crafted campaigns. Other vectors besides the Adobe and Hangul vulnerabilities observed were the usage of Microsoft vulnerabilities as well, specifically CVE-2017-0199 (Microsoft Office UAC bypass) and CVE-2015-2545 (Microsoft Office Encapsulated PostScript (EPS). For further details on the exploitation of HWP documents and campaigns previously analyzed, please refer to our blog here.What is the Status of Coverage?FortiGuard Labs has AV coverage in place for publicly available samples as:VBA/Agent.AAK!trW32/PossibleThreatVBA/Agent.AF3C!trW32/Agent.ACDD!trPossibleThreat.MUPossibleThreat.PALLAS.HW32/FRS.VSNTGF20!trW32/Bsymem.MSJ!trAll network IOCs are blocked by the WebFiltering client.Any Other Suggested Mitigation?Due to the ease of disruption and the potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc. it is important to keep all AV and IPS signatures up to date.It is also important to ensure that all known vendor vulnerabilities are addressed and updated to protect from attackers having a foothold within a network. Attackers are well aware of the difficulty of patching and if it is determined that patching is not feasible at this time, an assessment should be conducted to determine risk.Also, as this campaign was sent via spearphishing and smsshing - organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing/smishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing/spearphishing/smishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Si | Malware Threat Patching Cloud | APT 37 | |
 |
2021-11-29 10:00:31 | ScarCruft surveilling North Korean defectors and human rights activists (lien direct) | The ScarCruft group (also known as APT37 or Temp.Reaper) is a nation-state sponsored APT actor. Recently, we had an opportunity to perform a deeper investigation on a host compromised by this group. | Cloud | APT 37 | |
 |
2021-11-29 08:43:29 | APT37 targets journalists with Chinotto multi-platform malware (lien direct) | North Korean state hacking group APT37 targets South Korean journalists, defectors, and human rights activists in watering hole, spear-phishing emails, and smishing attacks delivering malware dubbed Chinotto capable of infecting Windows and Android devices. [...] | Malware Cloud | APT 37 | |
|
2021-11-29 05:14:10 | New Chinotto Spyware Targets North Korean Defectors, Human Rights Activists (lien direct) | North Korean defectors, journalists who cover North Korea-related news, and entities in South Korea are being zeroed in on by a nation-state-sponsored advanced persistent threat (APT) as part of a new wave of highly-targeted surveillance attacks. Russian cybersecurity firm Kaspersky attributed the infiltrations to a North Korean hacker group tracked as ScarCruft, also known as APT37, Reaper | Threat Cloud | APT 37 APT 37 | |
|
2021-11-19 15:14:40 | North Korea-linked TA406 cyberespionage group activity in 2021 (lien direct) | North Korea-linked TA406 APT group has intensified its attacks in 2021, particularly credential harvesting campaigns. A report published by Proofpoint revealed that the North Korea-linked TA406 APT group (Kimsuky, Thallium, and Konni, Black Banshee, Velvet Chollima) has intensified its operations in 2021. The TA406 cyber espionage group was first spotted by Kaspersky researchers in 2013. At the end of October […] | Cloud | APT 37 | |
 |
2021-11-10 14:11:03 | North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets (lien direct) |
By Jung soo An and Asheer Malhotra, with contributions from Kendall McKay.
Cisco Talos has observed a new malware campaign operated by the Kimsuky APT group since June 2021.Kimsuky, also known as Thallium and Black Banshee, is a North Korean state-sponsored advanced...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
Malware Cloud | APT 37 | |
 |
2021-11-02 08:01:01 | Mandiant Data Science présente la dernière recherche sur l'apprentissage de la machine de sécurité à Camlis \\ '21 Mandiant Data Science Showcases Latest Security Machine Learning Research at CAMLIS \\'21 (lien direct) |
La mission de l'équipe de science des données mandialiants (MDS) est de développer des solutions d'apprentissage automatique innovantes qui appliquent l'expertise unique et l'intelligence des menaces de Maniant \\ à l'échelle pour nos clients.MDS est impliqué dans de nombreux projets divers dispensés dans le cadre de la Mandiant Advantage SaaS Platform, mais nous présentons égalementet publier des recherches de pointe à l'intersection de la sécurité et de l'apprentissage automatique lors des principales conférences de l'industrie et des universitaires.Nous sommes fiers d'annoncer que notre équipe a récemment eu quatre conférences acceptées au Conférence sur l'apprentissage appliqué en matière de sécurité de l'information (CAMLIS)
The Mandiant Data Science (MDS) team\'s mission is to develop innovative machine learning solutions that apply Mandiant\'s unique expertise and threat intelligence at scale for our customers. MDS is involved in many diverse projects delivered as part of the Mandiant Advantage SaaS platform, but we also present and publish cutting-edge research at the intersection of security and machine learning at leading industry and academic conferences. We are proud to announce that our team recently had four talks accepted at the Conference on Applied Machine Learning in Information Security (CAMLIS) |
Threat Cloud | ★★★ | |
 |
2021-11-01 00:00:00 | Cyber Skills - ce que vous devez savoir Cyber Skills - What You Need to Know (lien direct) |
Cyber Skills – Building Ireland Cyber Security Skills
Cyber Skills is national programme funded by the Higher Education Authority Pillar 3 Human Capital Initiative. In collaboration with Munster Technological University, University College Dublin, Technological University Dublin, and University of Limerick we are committed to addressing the skill shortage in Cyber Security.
We provide online, fully flexible university accredited micro-credentials and pathways. We empower the learner by offering a wide range of modules or specifically designed courses all of which have been aligned to the NIST NICE Cyber Security framework. As a Cyber Skills graduate you will be workplace ready with the skills and knowledge needed to advance in your career.
Micro-Credentials
A micro-credential is a short, accredited module of learning. Cyber Skills micro-credentials are 5-10 credits and can be used towards a major award. We offer the control and flexibility to choose the micro-credentials you need to build your own training programme.
To view our micro-credentials, click here
Pathways
Choose a pathway that has been specially designed in close collaboration with industry based on the needs of the workplace. Our pathways consist of micro-credentials which are tailored to a specific in-demand job roles needed by industry.
To view our pathways, click here
Why should I up-skill my team?
Cyber Security is now a priority for every business across all industries. A high percentage of cyber-attacks come through a lack of knowledge. Managers can no longer solely rely on cyber security software; but invest in staff education to identify a cyber threat and the upskilling needed to prevent it. By educating your staff through Cyber Skills you are ensuring that they can protect and recover computer systems, devices, programs and networks from any type of cyber-attack.
Why should I up-skill?
Cyber Security is the fastest growing, in-demand field of ICT and there is a significant shortage of skills in this sector globally. Therefore, with cybersecurity qualifications your skillset is among the most sought after in organisations. Become part of a highly dynamic industry and know that your role is playing an important part in society today.
Why Choose Cyber Skills
“We are committed to empowering the individual in order to eradicate cyber vulnerability.”
Cyber Skills is the only place where you can find a course that has been specifically designed and created by industry and academia experts. Working closely with our industry partners Dell and MasterCard we have designed courses informed by the needs of the workplace to enhance the skills of networking and software development professionals. Our lecturers come from multi-disciplinary backgrounds, with a passion for cybersecurity. Combining years of experience and with expert knowledge our lecturers enable students to achieve their goals.
Cyber Range
Cyber Skills benefits from the first of its kind world class cloud based Cyber Range. The Cyber Range provides a secure, sandboxed area which simulates real-world feel scenarios and environments where students can test their new skills. Labs and assignments will be used to reinforce the content from the lectures. A full range of scenarios will provide the opportunity to test the vast array of techniques required to keep ahead in this challenging ever-changing environment.
Recognition of Prior Learning
Candidates who have gained relevant knowledge and skills through informal study or experiential means can apply for Cyber Skills Pathways and Micro-Credentials. We will discuss with an applicant their experiences to ensure our courses will be of benefit to their career.
Cyber Skills – Building Ireland Cyber Security Skills Cyber Skills is national programme funded by the Higher Education Authority Pillar 3 Human Capital Initiative. In collaboration with Munster Technological University, University College Dublin, Technological University Dublin, and University of Limerick we are committed to addressing t |
Vulnerability Threat Studies Cloud | ★★ | |
|
2021-08-24 17:11:00 | Anomali Cyber Watch: ProxyShell Being Exploited to Install Webshells and Ransomware, Neurevt Trojan Targeting Mexican Users, Secret Terrorist Watchlist Exposed, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT37 (InkySquid), BlueLight, Ransomware, T-Mobile Data Breach, Critical Vulnerabilities, IoT, Kalay, Neurevt, and ProxyShell. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.
Trending Cyber News and Threat Intelligence
Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit
(published: August 23, 2021)
Despite patches a collection of vulnerabilities (ProxyShell) discovered in Microsoft Exchange being available in the July 2021 update, researchers discovered nearly 2,000 of these vulnerabilities have recently been compromised to host webshells. These webshells allow for attackers to retain backdoor access to compromised servers for further exploitation and lateral movement into the affected organizations. Researchers believe that these attacks may be related to the recent LockFile ransomware attacks.
Analyst Comment: Organizations running Microsoft Exchange are strongly encouraged to prioritize updates to prevent ongoing exploitation of these vulnerabilities. In addition, a thorough investigation to discover and remove planted webshells should be undertaken as the patches will not remove planted webshells in their environments. A threat intelligence platform (TIP) such as Anomali Threatstream can be a valuable tool to assist organizations ingesting current indicators of compromise (IOCs) and determine whether their Exchange instances have been compromised.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Source - T1153
Tags: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, Exchange, ProxyShell, backdoor
LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers
(published: August 20, 2021)
A new ransomware family, named Lockfile by Symantec researchers, has been observed on the network of a US financial organization. The first known instance of this ransomware was July 20, 2021, and activity is ongoing. This ransomware has been seen largely targeting organizations in a wide range of industries across the US and Asia. The initial access vector remains unknown at this time, but the ransomware leverages the incompletely patched PetitPotam vulnerability (CVE-2021-36942) in Microsoft's Exchange Server to pivot to Domain Controllers (DCs) which are then leveraged to deploy ransomware tools to devices that connect to the DC. The attackers appear to remain resident on the network for several |
Ransomware Malware Tool Vulnerability Threat Patching Cloud | APT 37 | |
|
2021-08-19 06:47:34 | NK-linked InkySquid APT leverages IE exploits in recent attacks (lien direct) | North Korea-linked InkySquid group leverages two Internet Explorer exploits to deliver a custom implant in attacks aimed at a South Korean online newspaper. Experts from cybersecurity firm Volexity reported that North Korea-linked InkySquid group (aka ScarCruft, APT37, Group123, and Reaper) leverages two Internet Explorer exploits to deliver a custom backdoor in watering hole attacks aimed at the […] | Cloud | APT 37 | |
|
2021-08-18 01:33:33 | NK Hackers Deploy Browser Exploits on South Korean Sites to Spread Malware (lien direct) | A North Korean threat actor has been discovered taking advantage of two exploits in Internet Explorer to infect victims with a custom implant as part of a strategic web compromise (SWC) targeting a South Korean online newspaper.
Cybersecurity firm Volexity attributed the attacks to a threat actor it tracks as InkySquid, and more widely known by the monikers ScarCruft and APT37. Daily NK, the |
Malware Threat Cloud | APT 37 | |
|
2021-08-10 03:38:14 | Une mise à jour intrigante de l'avantage mandiant An Intriguing Update to Mandiant Advantage (lien direct) |
Aujourd'hui, Mandiant a fait une annonce significative dans la promotion des capacités de la plate-forme SaaS de mandiant avantage avec l'acquisition d'unEmerging Attack Surface Management (ASM) Leader, intrigue.Avec cette acquisition, nous nous réjouissons également de Jonathan Cran et de l'équipe d'intrigue auprès de la famille Mandiant.Nous sommes très heureux que Jonathan, un visionnaire et entrepreneur connu de l'industrie, se joigne à Maniant alors que nous continuons à développer nos capacités d'avantage.
ASM émerge rapidement, conduisant la valeur grâce à la visibilité des actifs et de l'exposition dans la surface d'attaque destinée à Internet.Il comble une lacune entre l'actif
Today Mandiant made a significant announcement in furthering the capabilities of the Mandiant Advantage SaaS platform with the acquisition of an emerging Attack Surface Management (ASM) leader, Intrigue. With this acquisition we also welcome Jonathan Cran and the Intrigue team to the Mandiant family. We are very excited to have Jonathan, a known industry visionary and entrepreneur, join Mandiant as we continue to build out our Advantage capabilities. ASM is quickly emerging, driving value through asset and exposure visibility in internet-facing attack surface. It fills a gap between asset |
Cloud | ★★★★ | |
|
2021-06-02 10:00:00 | Un nouvel avenir pour Fireeye et Mandiant: Accélération des opportunités A New Future for FireEye and Mandiant: Accelerating Opportunities (lien direct) |
avec ANNONCE D'AUJOURD'HUI De la vente de l'entreprise FireEye Products To Symphony Technology Group (STG), nous avons fait un pas en avant important pour nous aider à mieux servir nos clients et accélérer les stratégies qui sontDéfinir l'avenir de la cybersécurité.
La transaction séparera les produits de sécurité de Fireeye \\, des e-mails, des points de terminaison et des produits de sécurité cloud, ainsi que la plate-forme de gestion et d'orchestration de la sécurité connexe à partir de logiciels et services d'agnostiques mandiant solutions \\ '.Le résultat: les deux organisations seront en mesure d'accélérer les investissements en croissance, de poursuivre de nouvelles voies de mise sur le marché et
With today\'s announcement of the sale of the FireEye Products business to Symphony Technology Group (STG), we have taken an important step forward to help us better serve our customers and accelerate strategies that are defining the future of cyber security. The transaction will separate FireEye\'s network, email, endpoint, and cloud security products, and related security management and orchestration platform from Mandiant Solutions\' controls-agnostic software and services. The result: both organizations will be able to accelerate growth investments, pursue new go-to-market pathways, and |
Cloud | ★★★ | |
 |
2021-02-11 11:00:00 | UN Links North Korea to $281m Crypto Exchange Heist (lien direct) | Most funds recovered but attack bears hallmarks of hermit kingdom | Cloud | APT 37 | |
|
2021-01-08 01:54:44 | ALERT: North Korean hackers targeting South Korea with RokRat Trojan (lien direct) | A North Korean hacking group has been found deploying the RokRat Trojan in a new spear-phishing campaign targeting the South Korean government.
Attributing the attack to APT37 (aka Starcruft, Ricochet Chollima, or Reaper), Malwarebytes said it identified a malicious document last December that, when opened, executes a macro in memory to install the aforementioned remote access tool (RAT).
"The |
Tool Cloud | APT 37 | |
 |
2021-01-06 15:14:45 | Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat (lien direct) |
A North Korean threat group has swapped the usual Hangul Office lures for a cleverly packed Office macro.
Categories: Social engineeringThreat analysis
Tags: APT37HangulkoreaOfficerokratVBA
(Read more...)
|
Threat Cloud | APT 37 | |
|
2021-01-05 11:55:57 | North Korean software supply chain attack targets stock investors (lien direct) | North Korean hacking group Thallium aka APT37 has been targeting a private stock investment messenger service in a supply chain attack, as reported this week. [...] | Cloud | APT 37 | |
 |
2020-11-17 00:00:00 | CRIMZONâ¢: The Data Behind the FrameworkA report that highlights a subset of the empirical validation for the CRIMZON⢠framework.Read More (lien direct) | âAbstract The CRIMZON⢠framework defines the minimal elements needed to provide a view of accumulated cyber risk. For natural catastrophe risk, individual policy exposures can be aggregated within geographic zones.Similarly, cyber exposures can be aggregated using CRIMZONâ¢. Location also holds importance when assessing cyber catastrophe risk, however, two additional elements must be taken into account to properly assess cyber risk accumulation: industry and company size. Insured companies with common characteristics related to location, industry, and entity size tend to be exposed to similar types of cyber events because these elements also correspond to technologies or service providers used. Based on an analysis of millions of cyber events in the last 20 years, Kovrr conducted extensive research, to serve as the core empirical validation for the CRIMZON framework. Below is a subset of the research, in which a study group of 120 CRIMZON was determined by selecting CRIMZON with the highest relevance to the cyber insurance market(he research group was compiled according to criteria detailed in (Appendix A) The total number of unique companies in the study group is 20,000, with an average number of 152 companies within a CRIMZON, and a median of 86 companies. The research criteria focused on companiesâ location industry, entity size, and the hosting and mail technology and service providers used by companies. The results showed a concentration of technologies and services when grouping by location, and further concentration when adding the additional elements of the CRIMZON, entity size and industry to the analysis. The research shows that companies within the same CRIMZON have the tendency to use the same service providers and technologies, and that different compositions of service providers and technologies can be found across CRIMZON. When trying to estimate accumulations of potential losses from cyber, insurance and reinsurance companies face two main challenges: identifying which policies are exposed to the same cyber events and determining how many policies will be affected at the same time. The former is related to the problem of enumerating all technologies and service providers each insured relies upon, the latter is equivalent to estimating the footprint of a cyber event. Analyzing accumulations by CRIMZON enables risk professionals to make sense of the size and extent of potential losses from cyber, without necessarily needing to collect detailed information about technologies and service providers for each insured. The framework is completely agnostic to the line of business, therefore unlocking a full range of possible applications across both silent and affirmative cyber coverages. Among these applications is the development of aggregate models. This research shows it is possible to estimate the two key ingredients needed for the development of industry loss curves, the hazard and the exposure, using the CRIMZON as the atomic unit of aggregation. By identifying the correlation across CRIMZON, an aggregate model can then be developed.âIntroduction - What are CRIMZONâ¢? The Cyber Risk Accumulation Zones (CRIMZONâ¢) framework defines the minimal elements needed to provide a view of aggregated cyber exposure. Kovrr launched CRIMZON during participation in the fourth cohort of the Lloydâs Lab, the insurance technology accelerator operated by Lloydâs of London. CRIMZON is an open framework created to facilitate better communication across players in the cyber insurance value chain. The framework allows users to overlay their data pertaining to loss, cyber attack frequency, as well as additional data onto the CRIMZON for additional insights of risk per zone and to detect correlations between different zones. The framework was created to support efforts for setting a standard for data collection for cyber risk management.The CRIMZON are composed of the following three elements:Location - country-level worldwide a | Vulnerability Studies Cloud | ★★★ | |
|
2020-11-03 03:49:37 | New Kimsuky Module Makes North Korean Spyware More Powerful (lien direct) | A week after the US government issued an advisory about a "global intelligence gathering mission" operated by North Korean state-sponsored hackers, new findings have emerged about the threat group's spyware capabilities.
The APT - dubbed "Kimsuky" (aka Black Banshee or Thallium) and believed to be active as early as 2012 - has been now linked to as many as three hitherto undocumented malware, |
Threat Cloud | APT 37 | |
|
2020-11-02 16:40:03 | North Korea-Linked APT Group Kimsuky spotted using new malware (lien direct) | North Korea-linked APT group Kimsuky was recently spotted using a new piece of malware in attacks on government agencies and human rights activists. North Korea-linked cyber espionage group Kimsuky (aka Black Banshee, Thallium, Velvet Chollima) was recently observed using a new malware in attacks aimed at government agencies and human rights activists. The Kimsuky APT […] | Malware Cloud | APT 37 | |
 |
2020-09-15 11:22:27 | De nouvelles vulnérabilités permettent de contourner l\'authentification multifacteur de Microsoft 365 (lien direct) | L'authentification multifacteur (MFA) est rapidement devenue une sécurité indispensable pour les applications cloud pendant la pandémie mondiale de Covid-19. Avec l'accélération du télétravail, la demande d'applications basées sur le cloud, telles que les plateformes de messagerie et de collaboration a explosé. The post De nouvelles vulnérabilités permettent de contourner l'authentification multifacteur de Microsoft 365 first appeared on UnderNews. | Cloud | ||
 |
2020-08-18 04:35:04 | US Army report says many North Korean hackers operate from abroad (lien direct) | US Army says many North Korean hackers are actually located outside the hermit kingdom, in countries like Belarus, China, India, Malaysia, and Russia. | Cloud | APT 37 | |
|
2020-07-30 14:00:00 | Obscurci par les nuages: aperçu des attaques du bureau 365 et comment la défense gérée mandiante enquête Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant Managed Defense Investigates (lien direct) |
Avec les compromis par e-mail commerciaux (BECS) ne montrant aucun signe de ralentissement Comprendre les violations du bureau 365 (O365) et comment les enquêter correctement.Ce billet de blog est destiné à ceux qui n'ont pas encore plongé les orteils dans les eaux d'un O365 BEC, fournissant un cours intensif sur la suite de productivité cloud de Microsoft et son assortiment de journaux et de sources de données utiles aux enquêteurs.Nous allons également passer en revue les tactiques d'attaquant courantes que nous avons observées en répondant aux BEC et fournissant un aperçu de la façon dont les analystes de défense gérés mandiants abordent ces
With Business Email Compromises (BECs) showing no signs of slowing down, it is becoming increasingly important for security analysts to understand Office 365 (O365) breaches and how to properly investigate them. This blog post is for those who have yet to dip their toes into the waters of an O365 BEC, providing a crash course on Microsoft\'s cloud productivity suite and its assortment of logs and data sources useful to investigators. We\'ll also go over common attacker tactics we\'ve observed while responding to BECs and provide insight into how Mandiant Managed Defense analysts approach these |
Cloud | ★★★★ | |
 |
2020-04-29 14:00:00 | 6 Best Board Games You Can Play With Friends Over Zoom (Video Chat) (lien direct) | Don't let the Covid-19 quarantine turn you into a hermit. Video chat with some friends and play a game together. | Cloud | APT 37 | |
 |
2020-01-03 10:40:14 | Microsoft helps shutter domains run by North Korean cybergang Thallium (lien direct) | A U.S. district court issued an order enabling Microsoft to take over 50 domains used by a North Korea-based cybercrime gang to conduct spear phishing campaigns. Microsoft's Digital Crimes Unit and the Microsoft Threat Intelligence Center took down the domains controlled by a group it named Thallium after researching the malicious actors activity and filing […] | Threat Cloud | APT 37 | |
 |
2019-12-31 02:39:43 | Microsoft élimine 50 noms de domaine exploités par de redoutables hackers nord-coréens (lien direct) | Le groupe Thallium s'en servait pour infiltrer des institutions américaines, japonaises et sud-coréennes. Pour y parvenir, Microsoft a reçu une ordonnance des autorités américaines.  |
Cloud | APT 37 | |
|
2019-12-30 21:57:04 | Microsoft sued North Korea-linked Thallium group (lien direct) | Microsoft sued Thallium North Korea-linked APT for hacking into its customers’ accounts and networks via spear-phishing attacks. Microsoft sued a North Korea-linked cyber espionage group tracked as Thallium for hacking into its customers’ accounts and networks via spear-phishing attacks. The hackers target Microsoft users impersonating the company, according to a lawsuit unsealed Dec. 27 in […] | Cloud | APT 37 | |
|
2019-12-30 21:53:41 | Microsoft takes down 50 domains operated by North Korean hackers (lien direct) | Microsoft takes control of 50 domains operated by Thallium (APT37), a North Korean cyber-espionage group. | Cloud | APT 37 | |
|
2019-12-30 13:01:33 | Microsoft Takes North Korean Hacking Group Thallium to Court (lien direct) | Microsoft sued a cyber-espionage group with North Korean links tracked as Thallium for breaking into its customers' accounts and networks via spear-phishing attacks with the end goal of stealing sensitive information, as shown by a complaint unsealed on December 27. [...] | Cloud | APT 37 | |
|
2019-05-14 12:48:00 | North Korea-linked ScarCruft APT adds Bluetooth Harvester to its arsenal (lien direct) | The North Korea-linked APT group ScarCruft (aka APT37 and Group123) continues to expand its arsenal by adding a Bluetooth Harvester. North Korea-linked APT group ScarCruft (aka APT37, Reaper, and Group123) continues to expand its arsenal by adding a Bluetooth Harvester. ScarCruft has been active since at least 2012, it made the headlines in early February […] | Cloud | APT 37 | |
|
2019-05-13 15:29:00 | North Korea-Linked \'ScarCruft\' Adds Bluetooth Harvester to Toolkit (lien direct) | A North Korea-linked threat group tracked as ScarCruft, APT37 and Group123 continues to evolve and expand its toolkit, Kaspersky Lab reported on Monday. | Threat Cloud | APT 37 | |
|
2018-10-01 11:00:00 | Report Ties North Korean Attacks to New Malware, Linked by Word Macros (lien direct) | Newly discovered malware from the world of cyberespionage connects the dots between the tools and operations of the little-known Reaper group believed to act on behalf of the North Korean government. [...] | Malware Cloud | APT 37 | |
 |
2018-08-15 12:30:04 | July\'s Most Wanted Malware: Attacks Targeting IoT and Networking doubled since May 2018 (lien direct) | Three IoT vulnerabilities entered July's top ten most exploited vulnerabilities list, as threat actors have doubled their attacks on these Mirai and Reaper-related vulnerabilities since May 2018. During July 2018, three IoT vulnerabilities entered the Top 10 most exploited list: MVPower DVR router Remote Code Execution at #5; D_Link DSL-2750B router Remote Command Execution… | Threat Cloud | APT 37 | |
|
2018-08-10 16:15:03 | The analysis of the code reuse revealed many links between North Korea malware (lien direct) | Security researchers at Intezer and McAfee have conducted a joint investigation that allowed them to collect evidence that links malware families attributed to North Korean APT groups such as the notorious Lazarus Group and Group 123. The experts focused their analysis on the code reuse, past investigations revealed that some APT groups share portions of code […] | Malware Medical Cloud | APT 38 APT 37 | |
 |
2018-08-09 13:00:01 | Examining Code Reuse Reveals Undiscovered Links Among North Korea\'s Malware Families (lien direct) | 
This research is a joint effort by Jay Rosenberg, senior security researcher at Intezer, and Christiaan Beek, lead scientist and senior principal engineer at McAfee. Intezer has also posted this story. Attacks from the online groups Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy, and 10 Days of Rain are believed to …
|
Malware Guideline Medical Cloud | APT 38 APT 37 | |
|
2018-07-21 12:00:00 | Space Photos of the Week: Sweeping the Clouds Away on Titan (lien direct) | With infrared eyes, astronomers are more than scratching the surface of Saturn's hazy moon. | Cloud | APT 37 | |
 |
2018-07-12 14:35:00 | Military documents about MQ-9 Reaper drone leaked on dark web (lien direct) | Hackers have put up for sale on the dark web sensitive military documents, some associated with the U.S. military’s MQ-9 Reaper drone aircraft, one of its most lethal and technologically advanced drones, security research firm Recorded Future recently discovered. The firms’ Insikt Group on June 1 observed a bad actor trying to sell...Read the whole entry... _!fbztxtlnk!_ https://feeds.feedblitz.com/~/557965066/0/thesecurityledger -->» | Cloud | APT 37 | |
|
2018-07-11 11:49:04 | Hacker offered for sale US Military Reaper Drone documents for $200 (lien direct) | Researchers at threat intelligence firm Recorded Future have reported that a hacker was trying to sell US Military Reaper drone documents for less than $200. The news is disconcerting, the hackers may have obtained the documents related to the Reaper drone by hacking into at least two computers belonging to U.S. military personnel. “Specifically, an English-speaking hacker claimed […] | Threat Cloud | APT 37 | |
 |
2018-06-04 16:54:00 | (Déjà vu) US-North Korea Summit News Used as Lure In New Malware Campaign (lien direct) | Previously known threat actor Group 123 likely behind NavRAT malware, security vendor says. | Cloud | APT 37 | |
|
2018-06-04 16:54:00 | US-North Korea Summit News Being Used as Lure In New Malware Campaign (lien direct) | Previously known threat actor Group 123 likely behind NavRAT malware, security vendor says. | Cloud | APT 37 | |
 |
2018-05-08 20:27:00 | Sierra Wireless Patches Critical Vulns in Range of Wireless Routers (lien direct) | The flaws would leave the enterprise devices helpless to a range of remote threats, including the charms of the Reaper IoT botnet. | Cloud | APT 37 | |
|
2018-04-06 19:24:04 | Mirai Variant Targets Financial Sector With IoT DDoS Attacks (lien direct) | Researchers said a Mirai botnet variant, possibly linked to the IoTroop or Reaper botnet, was leveraged in attacks against the financial sector. | Cloud | APT 37 | |
 |
2018-04-06 17:15:05 | Reaper Botnet (lien direct) | The ISBuzz Post: This Post Reaper Botnet | Cloud | APT 37 | |
|
2018-04-06 14:54:05 | Researchers Link New Android Backdoor to North Korean Hackers (lien direct) | The recently discovered KevDroid Android backdoor is tied to the North Korean hacking group APT37, Palo Alto Networks researchers say. | Cloud | APT 37 | |
|
2018-04-06 12:08:04 | New Strain of ATM Jackpotting Malware Discovered (lien direct) | >A new type of ATM jackpotting malware has been discovered. Dubbed ATMJackpot, the malware appears to be still under development, and to have originated in Hong Kong. There are no current details of any deployment or use. ATMJackpot was discovered and analyzed by Netskope Threat Research Labs. It has a smaller footprint than earlier strains of jackpotting malware, but serves the same purpose: to steal money from automated teller machines (ATMs). ATM jackpotting -- also known as a logical attack -- is the use of malware to control cash dispensing from individual ATMs. The malware can be delivered locally to each ATM via a USB port, or remotely by compromising the ATM operator network. Jackpotting has become an increasing problem in recent years, originally and primarily in Europe and Asia. In 2017, Europol warned that ATM attacks were increasing. "The malware being used has evolved significantly and the scope and scale of the attacks have grown proportionately," said Steven Wilson, head of Europol's EC3 cybercrime center. The first attacks against ATMs in the U.S. were discovered in January 2018 following an alert issued by the Secret Service. In March 2018, the alleged leader of the Carbanak group was arrested in Spain. Carbanak is believed to have stolen around $1.24 million over the preceding years. Its method was to compromise the servers controlling ATM networks by spear-phishing bank employers, and then use foot soldiers (mules) to collect money dispensed from specific ATMs at specific times. It is not clear whether the ATMJackpot malware discovered by Netskope is intended to be manually installed via USB on individual ATMs, or downloaded from a compromised network. Physical installation on an ATM is not always difficult. In July 2017, IOActive described how its researchers could gain access to the Diebold Opteva ATM. It was achieved by inserting a metal rod through a speaker hole and raising a metal locking bar. From there they were able to reverse engineer software to get access to the money vault. Jackpotting malware is designed to avoid the need to physically break into the vault. It can be transferred via a USB port to the computer part of the ATM that controls the vault. Most ATMs use a version of Windows that is well understood by criminals. ATMJackpot malware first registers the windows class name 'Win' with a procedure for the malware activity. The malware then populates the options on the window and initiates a connection with the XFS manager. The XFS subsystem provides a common API to access and manipulate the ATM devices from different vendors. The malware then opens a session with the service providers and registers to monitor events. It opens a session with the cash dispenser, the card reader and the PIN pad servic | Guideline Cloud | APT 37 | |
|
2018-04-05 16:59:01 | Financial Services DDoS Attacks Tied to Reaper Botnet (lien direct) | >Recorded Future's "Insikt" threat intelligence research group has linked the Mirai variant IoTroop (aka Reaper) botnet with attacks on the Netherlands financial sector in January 2018. The existence of IoTroop was first noted by Check Point in October 2017. At that point the botnet had not been used to deliver any known DDoS attacks, and its size was disputed. What was clear, however, was its potential for growth. In January 2018, the financial services sector in the Netherlands was hit by a number of DDoS attacks. Targets included ABN Amro, Rabobank and Ing; but at that time the source of the attack was unknown. Insikt researchers now report that at least one these financial services attacks -- and possibly more -- was the first known use of IoTroop to deliver a DDoS attack. "IoTroop is a powerful internet of things (IoT) botnet," reports Insikt, "primarily comprised of compromised home routers, TVs, DVRs, and IP cameras exploiting vulnerabilities in products from major vendors including MikroTik, Ubiquity and GoAhead." The attack itself was not excessively high by modern standards. "The initial attack was a DNS amplification attack with traffic volumes peaking at 30Gb/s," reports Insikt -- far short of the 1.7Tb/s attack that occurred in February. If the IoTroop assumption is correct, it is clear the botnet has evolved extensively since its discovery last year. Fortinet's SVP products and solutions reported last month, "the Reaper [IoTroop] exploit was built using a flexible Lua engine and scripts, which means that instead of being limited to the static, pre-programmed attacks of previous exploits, its code can be easily updated on the fly, allowing massive, in-place botnets to run new and more malicious attacks as soon as they become available." Insikt reports that the malware can use at least a dozen vulnerabilities and can be updated by the attackers as new vulnerabilities are exposed. "Our analysis," it says, "shows the botnet involved in the first company attack was 80% comprised of compromised MikroTik routers with the remaining 20% composed of various IoT devices ranging from vulnerable Apache and IIS web servers to routers from Ubiquity, Cisco and ZyXEL. We also discovered Webcams, TVs and DVRs among the 20% of IoT devices, which included products from major vendors such as MikroTik, GoAhead, Ubiquity, Linksys, TP-Link and Dahua." This list adds new devices now vulnerable to IoTroop in addition to those noted in the original October 2017 research -- which suggests, says Insikt, "a widespread and rapidly evolving botnet that appears to be leveraging publicly disclosed vulnerabilities in many IoT devices." | Cloud | APT 37 |
To see everything:
Our RSS (filtrered)
