SEC News

What's new arround internet

Last one

Src	Date (GMT)	Titre	Description	Tags	Stories	Notes
	2024-07-18 14:00:00	Apt41 est né de la poussière APT41 Has Arisen From the DUST (lien direct)	Written by: Mike Stokkel, Pierre Gerlings, Renato Fontana, Luis Rocha, Jared Wilson, Stephen Eckels, Jonathan Lepore Executive Summary In collaboration with Google\'s Threat Analysis Group (TAG), Mandiant has observed a sustained campaign by the advanced persistent threat group APT41 targeting and successfully compromising multiple organizations operating within the global shipping and logistics, media and entertainment, technology, and automotive sectors. The majority of organizations were operating in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom. APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims\' networks since 2023, enabling them to extract sensitive data over an extended period. APT41 used a combination of ANTSWORD and BLUEBEAM web shells for the execution of DUSTPAN to execute BEACON backdoor for command-and-control communication. Later in the intrusion, APT41 leveraged DUSTTRAP, which would lead to hands-on keyboard activity. APT41 used publicly available tools SQLULDR2 for copying data from databases and PINEGROVE to exfiltrate data to Microsoft OneDrive. Overview Recently, Mandiant became aware of an APT41 intrusion where the malicious actor deployed a combination of ANTSWORD and BLUEBEAM web shells for persistence. These web shells were identified on a Tomcat Apache Manager server and active since at least 2023. APT41 utilized these web shells to execute certutil.exe to download the DUSTPAN dropper to stealthily load BEACON. As the APT41 intrusion progressed, the group escalated its tactics by deploying the DUSTTRAP dropper. Upon execution, DUSTTRAP would decrypt a malicious payload and execute it in memory, leaving minimal forensic traces. The decrypted payload was designed to establish communication channels with either APT41-controlled infrastructure for command and control or, in some instances, with a compromised Google Workspace account, further blending its malicious activities with legitimate traffic. The affected Google Workspace accounts have been successfully remediated to prevent further unauthorized access. Furthermore, APT41 leveraged SQLULDR2 to export data from Oracle Databases, and used PINEGROVE to systematically and efficiently exfiltrate large volumes of sensitive data from the compromised networks, transferring to OneDrive to enable exfiltration and subsequent analysis.	Ransomware Malware Tool Threat Patching Medical Cloud	APT 41
	2024-07-17 13:42:31	Le sénateur Warner fait pression pour une action immédiate sur les normes de cybersécurité obligatoires pour le secteur des soins de santé Senator Warner pushes for immediate action on mandatory cybersecurity standards for healthcare sector (lien direct)	U.S.Le sénateur Mark R. Warner appelle l'administration à développer et à mettre en œuvre rapidement des normes de cyber minimum obligatoires ... U.S. Senator Mark R. Warner calls upon the administration to swiftly develop and implement mandatory minimum cyber standards...	Industrial Medical	APT 42	★★★
	2024-07-15 11:27:07	Weekly OSINT Highlights, 15 July 2024 (lien direct)	## Snapshot Last week\'s OSINT reporting highlights a diverse array of cyber threats, showcasing the prominence of sophisticated malware, information stealers, and ransomware attacks. Attack vectors frequently include compromised websites, phishing emails, malicious advertisements, and exploitation of known vulnerabilities, particularly in widely-used software like Oracle WebLogic and Microsoft Exchange. Threat actors range from organized state-sponsored groups, such as China\'s APT41 (tracked by Microsoft as [Brass Typhoon](https://security.microsoft.com/intel-profiles/f0aaa62bfbaf3739bb92106688e6a00fc05eafc0d4158b0e389b4078112d37c6)) and APT40 (tracked by Microsoft as [Gingham Typhoon](https://security.microsoft.com/intel-profiles/a2fc1302354083f4e693158effdbc17987818a2433c04ba1f56f4f603268aab6)), to individual developers using platforms like GitHub to distribute malware. The targets are varied, encompassing financial institutions, cryptocurrency exchanges, government agencies, and sectors like healthcare, education, and manufacturing, with a notable focus on high-value data and critical infrastructure across multiple countries. ## Description 1. [Clickfix Infection Chain](https://security.microsoft.com/intel-explorer/articles/85fea057): McAfee Labs discovered the "Clickfix" malware delivery method that uses compromised websites and phishing emails to trick users into executing PowerShell scripts. This method is being used to deliver [Lumma](https://security.microsoft.com/intel-profiles/33933578825488511c30b0728dd3c4f8b5ca20e41c285a56f796eb39f57531ad)[Stealer](https://security.microsoft.com/intel-profiles/33933578825488511c30b0728dd3c4f8b5ca20e41c285a56f796eb39f57531ad) and [DarkGate](https://security.microsoft.com/intel-profiles/52fa311203e55e65b161aa012eba65621f91be7c43bacaaad126192697e6b648) malware across multiple countries, including the US, Canada, and China. 2. [CRYSTALRAY Expands Targeting](https://security.microsoft.com/intel-explorer/articles/ecea26df): Sysdig researchers identified the threat actor CRYSTALRAY, who has scaled operations to over 1,500 victims using SSH-Snake and various vulnerabilities for lateral movement and data exfiltration. Targets include systems vulnerable to CVE-2022-44877, CVE-2021-3129, and CVE-2019-18394. 3. [DodgeBox Loader by APT41](https://security.microsoft.com/intel-explorer/articles/3524d2ae): Zscaler ThreatLabz reported on DodgeBox, a reflective DLL loader used by the Chinese APT41 group, also known as Brass Typhoon. The loader delivers the MoonWalk backdoor and employs sophisticated techniques like call stack spoofing to avoid detection. 4. [ViperSoftX Information Stealer](https://security.microsoft.com/intel-explorer/articles/8084ff7b): Trellix researchers highlighted ViperSoftX, an information stealer spread through cracked software and malicious eBooks. The malware uses PowerShell and AutoIt for data exfiltration and evasion, targeting cryptocurrency wallets and other sensitive information. 5. [Coyote Banking Trojan](https://security.microsoft.com/intel-explorer/articles/201d7c4d): BlackBerry detailed Coyote, a .NET banking trojan targeting Brazilian financial institutions. Delivered likely via phishing, it performs various malicious functions like screen capture and keylogging, communicating with C2 servers upon detecting target domains. 6. [Kematian-Stealer on GitHub](https://security.microsoft.com/intel-explorer/articles/4e00b1b4): CYFIRMA identified Kematian-Stealer, an open-source information stealer hosted on GitHub. It targets applications like messaging apps and cryptocurrency wallets, employing in-memory execution and anti-debugging measures to evade detection. 7. [Eldorado Ransomware-as-a-Service](https://security.microsoft.com/intel-explorer/articles/3603cd85): Group-IB reported on Eldorado, a RaaS targeting various industries and countries, primarily the US. Written in Golang, it uses Chacha20 and RSA-OAEP encryption and has customizable features for targeted attacks. 8. [DoNex Ransomware Flaw](https://security.microsoft.com	Ransomware Malware Tool Vulnerability Threat Legislation Prediction Medical	APT 41 APT 40
	2024-03-05 19:03:47	Rester en avance sur les acteurs de la menace à l'ère de l'IA Staying ahead of threat actors in the age of AI (lien direct)	## Snapshot Over the last year, the speed, scale, and sophistication of attacks has increased alongside the rapid development and adoption of AI. Defenders are only beginning to recognize and apply the power of generative AI to shift the cybersecurity balance in their favor and keep ahead of adversaries. At the same time, it is also important for us to understand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today we are publishing research on emerging threats in the age of AI, focusing on identified activity associated with known threat actors, including prompt-injections, attempted misuse of large language models (LLM), and fraud. Our analysis of the current use of LLM technology by threat actors revealed behaviors consistent with attackers using AI as another productivity tool on the offensive landscape. You can read OpenAI\'s blog on the research [here](https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors). Microsoft and OpenAI have not yet observed particularly novel or unique AI-enabled attack or abuse techniques resulting from threat actors\' usage of AI. However, Microsoft and our partners continue to study this landscape closely. The objective of Microsoft\'s partnership with OpenAI, including the release of this research, is to ensure the safe and responsible use of AI technologies like ChatGPT, upholding the highest standards of ethical application to protect the community from potential misuse. As part of this commitment, we have taken measures to disrupt assets and accounts associated with threat actors, improve the protection of OpenAI LLM technology and users from attack or abuse, and shape the guardrails and safety mechanisms around our models. In addition, we are also deeply committed to using generative AI to disrupt threat actors and leverage the power of new tools, including [Microsoft Copilot for Security](https://www.microsoft.com/security/business/ai-machine-learning/microsoft-security-copilot), to elevate defenders everywhere. ## Activity Overview ### A principled approach to detecting and blocking threat actors The progress of technology creates a demand for strong cybersecurity and safety measures. For example, the White House\'s Executive Order on AI requires rigorous safety testing and government supervision for AI systems that have major impacts on national and economic security or public health and safety. Our actions enhancing the safeguards of our AI models and partnering with our ecosystem on the safe creation, implementation, and use of these models align with the Executive Order\'s request for comprehensive AI safety and security standards. In line with Microsoft\'s leadership across AI and cybersecurity, today we are announcing principles shaping Microsoft\'s policy and actions mitigating the risks associated with the use of our AI tools and APIs by nation-state advanced persistent threats (APTs), advanced persistent manipulators (APMs), and cybercriminal syndicates we track. These principles include: - Identification and action against malicious threat actors\' use: Upon detection of the use of any Microsoft AI application programming interfaces (APIs), services, or systems by an identified malicious threat actor, including nation-state APT or APM, or the cybercrime syndicates we track, Microsoft will take appropriate action to disrupt their activities, such as disabling the accounts used, terminating services, or limiting access to resources. - Notification to other AI service providers: When we detect a threat actor\'s use of another service provider\'s AI, AI APIs, services, and/or systems, Microsoft will promptly notify the service provider and share relevant data. This enables the service provider to independently verify our findings and take action in accordance with their own policies. - Collaboration with other stakeholders: Microsoft will collaborate with other stakeholders to regularly exchange information a	Ransomware Malware Tool Vulnerability Threat Studies Medical Technical	APT 28 ChatGPT APT 4	★★
	2021-12-21 16:57:00	Anomali Cyber Watch: \'PseudoManuscrypt\' Mass Spyware Campaign Targets 35K Systems, APT31 Intrusion Set Campaign: Description, Countermeasures and Code, State-sponsored hackers abuse Slack API to steal (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT31, Magecart, Hancitor, Pakdoor, Lazarus, and Vulnerabilities CVE-2021-21551.. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence NSW Government Casual Recruiter Suffers Ransomware Hit (published: December 17, 2021) Finite Recruitment suffered a ransomware attack during the month of October 2021, resulting in the exfiltration of some data. Their incident responders (IR) identified the ransomware as Conti, a fast encrypting ransomware commonly attributed to the cybercriminal group Wizard Spider. The exfiltrated data was published on the dark web, however the firm remains fully operational, and affected customers are being informed. Analyst Comment: Always check to see if there is a decryptor available for the ransomware before considering payment. Enforce a strong backup policy to ensure that data is recoverable in the event of encryption or loss. MITRE ATT&CK: [MITRE ATT&CK] Scheduled Transfer - T1029 Tags: Conti, Wizard Spider, Ransomware, Banking and Finance Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions (published: December 16, 2021) Check Point Research has uncovered a new variant of the Phorpiex botnet named Twizt. Historically, Phorpiex utilized sextortion, ransomware delivery, and cryptocurrency clipping. Twizt however, appears to be primarily focused on stealing cryptocurrency and have stolen half a million dollars since November 2020 in the form of Bitcoin, Ether and ERC20 tokens.The botnet features departure from it’s traditional command and control (C2) infrastructure, opting for peer-to-peer (P2P) communications between infected hosts, eliminating the need for C2 communication as each host can fulfill that role. Analyst Comment: Bots within a P2P network need to communicate regularly with other bots to receive and share commands. If the infected bots are on a private network, private IP addresses will be used. Therefore, careful monitoring of network traffic will reveal suspicious activity, and a spike in network resource usage as opposed to the detection of C2 IP addresses. MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132 \| [MITRE ATT&CK] File and Directory Discovery - T1083 \| [MITRE ATT&CK] Clipboard Data - T1115 Tags: Phorpiex, Twizt, Russia, Banking and Finance, Cryptocurrency, Bitcoin ‘PseudoManuscrypt’ Mass Spyware Campaign Targets 35K Systems (published: December 16, 2021) Kaspersky researchers have documented a spyware that has targeted 195 countries as of December 2021. The spyware, named PseudoManuscrypt, was developed and deployed by Lazarus Group	Ransomware Malware Vulnerability Threat Guideline Medical	APT 41 APT 38 APT 28 APT 31
	2020-11-17 11:19:05	COVID-19 vaccine research firms targeted by Russian and North Korean hackers (lien direct)	Microsoft has recently alerted governments across the globe that the North Korean hacker groups Cerium and Zinc, as well as the Russian hacker group Strontium, have been targeting organisations involved in COVID-19 vaccine research using brute-force, credential stuffing and spear-phishing attacks. Tom Burt, Microsoft’s Corporate Vice President for Customer Security & Trust, said in a […]	Medical	APT 38 APT 28 APT 43
	2020-11-13 17:18:12	Three APT groups have targeted at least seven COVID-19 vaccine makers (lien direct)	At least the three nation-state actors have targeted seven COVID-19 vaccine makers, they are Strontium, Lazarus Group, and Cerium, Microsoft warns. Microsoft revealed that at least three APT groups have targeted seven companies involved in COVID-19 vaccines research and treatments. “In recent months, we've detected cyberattacks from three nation-state actors targeting seven prominent companies directly […]	Medical	APT 38 APT 28 APT 43
	2020-11-13 14:00:00	Microsoft says three APTs have targeted seven COVID-19 vaccine makers (lien direct)	The three state-sponsored hacker groups (APTs) are Russia's Strontium (Fancy Bear) and North Korea's Zinc (Lazarus Group) and Cerium.	Medical	APT 38 APT 28 APT 43

Last update at: 2024-07-18 19:08:15
See our sources.

To see everything: Our RSS (filtrered)