What's new arround internet
Last one

Src Date (GMT) Titre Description Tags Stories Notes
RiskIQ.webp 2024-07-29 10:58:35 Weekly OSINT Highlights, 29 July 2024 (lien direct) ## Snapshot Key trends from last week\'s OSINT reporting include novel malware, such as Flame Stealer and FrostyGoop, the compromise of legitimate platforms like Discord and GitHub, and state-sponsored threat actors conducting espionage and destructive attacks. Notable threat actors, including Russian groups, Transparent Tribe, FIN7, and DPRK\'s Andariel, are targeting a wide range of sectors from defense and industrial control systems to financial institutions and research entities. These attacks exploit various vulnerabilities and employ advanced evasion techniques, leveraging both traditional methods and emerging technologies like AI-generated scripts and RDGAs, underscoring the evolving and persistent nature of the cyber threat landscape. ## Description 1. [Widespread Adoption of Flame Stealer](https://sip.security.microsoft.com/intel-explorer/articles/f610f18e): Cyfirma reports Flame Stealer\'s use in stealing Discord tokens and browser credentials. Distributed via Discord and Telegram, this malware targets various platforms, utilizing evasion techniques like DLL side-loading and data exfiltration through Discord webhooks. 2. [ExelaStealer Delivered via PowerShell](https://sip.security.microsoft.com/intel-explorer/articles/5b4a34b0): The SANS Technology Institute Internet Storm Center reported a threat involving ExelaStealer, downloaded from a Russian IP address using a PowerShell script. The script downloads two PE files: a self-extracting RAR archive communicating with "solararbx\[.\]online" and "service.exe," the ExelaStealer malware. The ExelaStealer, developed in Python, uses Discord for C2, conducting reconnaissance activities and gathering system and user details. Comments in Russian in the script and the origin of the IP address suggest a Russian origin. 3. [FrostyGoop Disrupts Heating in Ukraine](https://sip.security.microsoft.com/intel-explorer/articles/cf8f8199): Dragos identified FrostyGoop malware in a cyberattack disrupting heating in Lviv, Ukraine. Linked to Russian groups, the ICS-specific malware exploits vulnerabilities in industrial control systems and communicates using the Modbus TCP protocol. 4. [Rhysida Ransomware Attack on Private School](https://sip.security.microsoft.com/intel-explorer/articles/4cf89ad3): ThreatDown by Malwarebytes identified a Rhysida ransomware attack using a new variant of the Oyster backdoor. The attackers used SEO-poisoned search results to distribute malicious installers masquerading as legitimate software, deploying the Oyster backdoor. 5. [LLMs Used to Generate Malicious Code](https://sip.security.microsoft.com/intel-explorer/articles/96b66de0): Symantec highlights cyberattacks using Large Language Models (LLMs) to generate malware code. Phishing campaigns utilize LLM-generated PowerShell scripts to download payloads like Rhadamanthys and LokiBot, stressing the need for advanced detection against AI-facilitated attacks. 6. [Stargazers Ghost Network Distributes Malware](https://sip.security.microsoft.com/intel-explorer/articles/62a3aa28): Check Point Research uncovers a network of GitHub accounts distributing malware via phishing repositories. The Stargazer Goblin group\'s DaaS operation leverages over 3,000 accounts to spread malware such as Atlantida Stealer and RedLine, targeting both general users and other threat actors. 7. [Crimson RAT Targets Indian Election Results](https://sip.security.microsoft.com/intel-explorer/articles/dfae4887): K7 Labs identified Crimson RAT malware delivered through documents disguised as "Indian Election Results." Transparent Tribe APT, believed to be from Pakistan, targets Indian diplomatic and defense entities using macro-embedded documents to steal credentials. 8. [AsyncRAT Distributed via Weaponized eBooks](https://sip.security.microsoft.com/intel-explorer/articles/e84ee11d): ASEC discovered AsyncRAT malware distributed through weaponized eBooks. Hidden PowerShell scripts within these eBooks trigger the AsyncRAT payload, which uses obfuscation and anti-detection techniques to exfiltrate data. Ransomware Data Breach Spam Malware Tool Vulnerability Threat Legislation Mobile Industrial Medical APT 28 APT 36
The_Hackers_News.webp 2023-11-10 17:52:00 Des pirates russes Sandworm provoquent une panne de courant en Ukraine au milieu des frappes de missiles
Russian Hackers Sandworm Cause Power Outage in Ukraine Amidst Missile Strikes (lien direct)		 Les pirates russes notoires connus sous le nom de Sandworm ont ciblé une sous-station électrique en Ukraine l'année dernière, provoquant une brève panne de courant en octobre 2022. Les résultats proviennent du mandiant de Google \\, qui a décrit le hack comme une "cyberattaque multi-événements" en tirant parti d'une nouvelle technique pour avoir un impact sur les systèmes de contrôle industriel (CI). "L'acteur a d'abord utilisé
The notorious Russian hackers known as Sandworm targeted an electrical substation in Ukraine last year, causing a brief power outage in October 2022. The findings come from Google\'s Mandiant, which described the hack as a "multi-event cyber attack" leveraging a novel technique for impacting industrial control systems (ICS). "The actor first used OT-level living-off-the-land (LotL) techniques to		 Hack Industrial APT 28 ★★★
Mandiant.webp 2023-11-09 15:00:00 Le ver de sable perturbe le pouvoir en Ukraine en utilisant une nouvelle attaque contre la technologie opérationnelle
Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology (lien direct)		 fin 2022, Mandiant a répondu à un incident de cyber-physique perturbateur dans lequel l'acteur de menace lié à la Russie a ciblé une organisation d'infrastructure critique ukrainienne.Cet incident était une cyberattaque multi-événements qui a exploité une nouvelle technique pour avoir un impact sur les systèmes de contrôle industriel (CI) / technologie opérationnelle (OT).L'acteur a d'abord utilisé le niveau OT vivant des techniques terrestres (LOTL) pour déclencher probablement les disjoncteurs de sous-station de la victime, provoquant une panne de courant imprévue qui coïncidait avec les frappes de missiles de masse sur les infrastructures critiques à travers l'Ukraine.Sandworm plus tard
In late 2022, Mandiant responded to a disruptive cyber physical incident in which the Russia-linked threat actor Sandworm targeted a Ukrainian critical infrastructure organization. This incident was a multi-event cyber attack that leveraged a novel technique for impacting industrial control systems (ICS) / operational technology (OT). The actor first used OT-level living off the land (LotL) techniques to likely trip the victim\'s substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine. Sandworm later		 Threat Industrial APT 28 ★★
Anomali.webp 2021-07-20 15:00:00 Anomali Cyber Watch: China Blamed for Microsoft Exchange Attacks, Israeli Cyber Surveillance Companies Help Oppressive Governments, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, APT, Espionage, Ransomware, Targeted Campaigns, DLL Side-Loading, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence UK and Allies Accuse China for a Pervasive Pattern of Hacking, Breaching Microsoft Exchange Servers (published: July 19, 2021) On July 19th, 2021, the US, the UK, and other global allies jointly accused China in a pattern of aggressive malicious cyber activity. First, they confirmed that Chinese state-backed actors (previously identified under the group name Hafnium) were responsible for gaining access to computer networks around the world via Microsoft Exchange servers. The attacks took place in early 2021, affecting over a quarter of a million servers worldwide. Additionally, APT31 (Judgement Panda) and APT40 (Kryptonite Panda) were attributed to Chinese Ministry of State Security (MSS), The US Department of Justice (DoJ) has indicted four APT40 members, and the Cybersecurity and Infrastructure Security Agency (CISA) shared indicators of compromise of the historic APT40 activity. Analyst Comment: Network defense-in-depth and adherence to information security best practices can assist organizations in reducing the risk. Pay special attention to the patch and vulnerability management, protecting credentials, and continuing network hygiene and monitoring. When possible, enforce the principle of least privilege, use segmentation and strict access control measures for critical data. Organisations can use Anomali Match to perform real time forensic analysis for tracking such attacks. MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 Tags: Hafnium, Judgement Panda, APT31, TEMP.Jumper, APT40, Kryptonite Panda, Zirconium, Leviathan, TEMP.Periscope, Microsoft Exchange, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, Government, EU, UK, North America, China NSO’s Spyware Sold to Authoritarian Regimes Used to Target Activists, Politicians and Journalists (published: July 18, 2021) Israeli surveillance company NSO Group supposedly sells spyware to vetted governments bodies to fight crime and terrorism. New research discovered NSO’s tools being used against non-criminal actors, pro-democracy activists and journalists investigating corruption, political opponents and government critics, diplomats, etc. In some cases, the timeline of this surveillance coincided with journalists' arrests and even murders. The main penetration tool used by NSO is malware Pegasus that targets both iPho Ransomware Malware Tool Vulnerability Threat Studies Guideline Industrial APT 41 APT 40 APT 28 APT 31
Last update at: 2024-07-29 19:19:05
See our sources.
My email:

To see everything: Our RSS (filtrered) Twitter