What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
DarkReading.webp 2023-01-18 17:10:00 ICS Confronted by Attackers Armed With New Motives, Tactics, and Malware (lien direct) Threat actors are diversifying across all aspects to attack critical infrastructure, muddying the threat landscape, and forcing industrial organizations to rethink their security. Malware Threat Industrial ★★
Anomali.webp 2023-01-18 16:35:00 Anomali Cyber Watch: FortiOS Zero-Day Has Been Exploited by an APT, Two RATs Spread by Four Types of JAR Polyglot Files, Promethium APT Continued Android Targeting (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, DDoS, Polyglot, RATs, Russia, Skimmers, Trojanized apps, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence. Malicious ‘Lolip0p’ PyPi Packages Install Info-Stealing Malware (published: January 16, 2023) On January 10, 2023, Fortinet researchers detected the actor Lolip0p offering malicious packages on the Python Package Index (PyPI) repository. The packages came with detailed, convincing descriptions pretending to be legitimate HTTP clients or, in one case, a legitimate improvement for a terminal user interface. Installing the libraries led to infostealing malware targeting browser data and authentication (Discord) tokens. Analyst Comment: Free repositories such as PyPI are increasingly abused by threat actors. Before adding a package, software developers should review its author and reviews, and check the source code for any suspicious or malicious intent. MITRE ATT&CK: [MITRE ATT&CK] T1204 - User Execution | [MITRE ATT&CK] T1555 - Credentials From Password Stores Tags: actor:Lolip0p, Malicious package, malware-type:Infostealer, Discord, PyPi, Social engineering, Windows. Analysis of FG-IR-22-398 – FortiOS - Heap-Based Buffer Overflow in SSLVPNd (published: January 11, 2023) In December 2022, the network security company Fortinet fixed a critical heap-based buffer overflow vulnerability (FG-IR-22-398, CVE-2022-42475) in FortiOS SSL-VPN. The vulnerability was exploited as a zero-day by an advanced persistent threat (APT) actor who customized a Linux implant specifically for the FortiOS builds of the relevant FortiGate hardware versions. The targeting was likely aimed at governmental or government-related entities. Attribution is not clear, but the UTC+8 compilation timezone may point to China, Russia, or several other countries. Analyst Comment: Users of the affected products should make sure that the December 2022 FortiOS security updates are applied. Zero-day attacks can sometimes be detected by less conventional methods, such as behavior analysis and heuristic or machine-learning based detection. Network defenders are advised to monitor for suspicious traffic, such as unusual TCP sessions carrying GET requests for payloads. MITRE ATT&CK: [MITRE ATT&CK] T1622 - Debugger Evasion | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1105 - Ingress Tool Transfer | [MITRE ATT&CK] T1090 - Proxy | [MITRE ATT&CK] T1070 - Indicator Removal On Host Tags: FG-IR-22-398, CVE-2022-42 Malware Tool Vulnerability Threat Guideline LastPass ★★
The_Hackers_News.webp 2023-01-18 16:35:00 Iranian Government Entities Under Attack by New Wave of BackdoorDiplomacy Attacks (lien direct) The threat actor known as BackdoorDiplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022. Palo Alto Networks Unit 42, which is tracking the activity under its constellation-themed moniker Playful Taurus, said it observed the government domains attempting to connect to malware infrastructure previously identified as associated Malware Threat ★★★
InfoSecurityMag.webp 2023-01-18 16:00:00 ChatGPT Creates Polymorphic Malware (lien direct) The first step to creating the malware was to bypass ChatGPT content filters Malware ChatGPT ★★
bleepingcomputer.webp 2023-01-18 14:57:51 Ukraine links data-wiping attack on news agency to Russian hackers (lien direct) The Computer Emergency Response Team of Ukraine (CERT-UA) has linked a destructive malware attack targeting the country's National News Agency of Ukraine (Ukrinform) to Sandworm Russian military hackers. [...] Malware ★★★
InfoSecurityMag.webp 2023-01-18 11:45:00 Almost Half of Critical Manufacturing at Risk of Breach (lien direct) Critical manufacturing experienced an increase in severe vulnerabilities and malware infections in 2022 Malware ★★
globalsecuritymag.webp 2023-01-18 10:32:15 Check Point Top Malware ranking, December 2022: Emotet, Qbot and Kryptik on the podium in France (lien direct) Check Point Top Malware ranking, December 2022: Emotet, Qbot and Kryptik on the podium in France - Malware Malware ★★★
The_Hackers_News.webp 2023-01-17 18:15:00 Hackers Can Abuse Legitimate GitHub Codespaces Feature to Deliver Malware (lien direct) New research has found that it is possible for threat actors to abuse a legitimate feature in GitHub Codespaces to deliver malware to victim systems. GitHub Codespaces is a cloud-based configurable development environment that allows users to debug, maintain, and commit changes to a given codebase from a web browser or via an integration in Visual Studio Code. It also comes with a port Malware Threat ★★★
bleepingcomputer.webp 2023-01-17 18:09:38 (Déjà vu) Hackers push malware via Google search ads for VLC, 7-Zip, CCleaner (lien direct) Hackers are setting up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results. [...] Malware CCleaner
bleepingcomputer.webp 2023-01-17 18:09:38 Hackers turn to Google search ads to push info-stealing malware (lien direct) Hackers are setting up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results. [...] Malware ★★★
Mandiant.webp 2023-01-17 17:15:00 Gone Phishing: Hunting for Malicious Industrial-Themed Emails to Prevent Operational Technology Compromises (lien direct) Phishing is one of the most common techniques used to deliver malware and gain access to target networks. This is not only because of its simplicity and scalability, but also because of its efficiency in exploiting vulnerabilities in human behavior. Despite the existence of sophisticated detection tooling and security awareness of phishing techniques, defenders across all industry verticals continue to struggle to avoid phishing compromises. Mandiant regularly observes actors spreading phishing emails that contain terminology and concepts specific to industrial sectors, such as energy Malware Vulnerability Industrial ★★★★
bleepingcomputer.webp 2023-01-17 14:53:40 Hackers can use GitHub Codespaces to host and deliver malware (lien direct) GitHub Codespaces, a cloud-hosted integrated development environment (IDE), has a port forwarding feature that malicious actors can abuse to host and distribute malware to unaware developers. [...] Malware
CSO.webp 2023-01-17 13:53:00 How attackers might use GitHub Codespaces to hide malware delivery (lien direct) Attackers could start abusing GitHub Codespaces, a new service that allows developers to create and test applications inside development containers running on GitHub's servers. Developers can make their applications accessible via public GitHub URLs for preview by others, a functionality that can be abused to distribute malware payloads in a stealthy way. "If the application port is shared privately, browser cookies are used and required for authentication," researchers from security firm Trend Micro said in a new report. "However, if ports are shared with the public (that is, without authentication or authentication context), attackers can abuse this feature to host malicious content such as scripts and malware samples." Malware Prediction
SecurityWeek.webp 2023-01-17 13:09:56 Attackers Can Abuse GitHub Codespaces for Malware Delivery (lien direct) A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery, Trend Micro reports. Malware Prediction
The_Hackers_News.webp 2023-01-17 12:06:00 Researchers Uncover 3 PyPI Packages Spreading Malware to Developer Systems (lien direct) A threat actor by the name Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems. The packages – named colorslib (versions 4.6.11 and 4.6.12), httpslib (versions 4.6.9 and 4.6.11), and libhttps (version 4.6.12) – were uploaded by the author between January 7, 2023, and January 12, 2023. They have since been Malware Threat ★★★
Blog.webp 2023-01-17 00:31:00 Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers) (lien direct) On January 8th, the ASEC analysis team identified the distribution of a document-type malware targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro. This technique is called template injection, and a similar attack case was covered in a previous blog post. When the Word document is opened, it downloads and executes an additional malicious Word macro document from the threat actor's C&C server.... Malware Threat ★★
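The template injection described in the ASEC entry above leaves a concrete artefact in the document package: a relationship part whose TargetMode is "External" and whose target is a remote template. The following is an added example, not code from ASEC or from the page, that scans a .docx for such relationships; the sample document it builds is constructed here, and the C2 URL in it is a hypothetical address in the TEST-NET-2 documentation range.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the relationship types that can pull a
# remote template or a linked OLE object into the document at open time.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
SUSPICIOUS_TYPES = {REL_PREFIX + "attachedTemplate", REL_PREFIX + "oleObject"}


def find_external_relationships(docx_bytes):
    """Walk every .rels part in the package and return (part, rel id, target)
    for relationships marked TargetMode="External" whose type is a template
    or OLE object. A benign document normally has none of these pointing at
    a URL; template injection plants exactly such a link."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                if rel.get("Type") in SUSPICIOUS_TYPES:
                    hits.append((name, rel.get("Id"), rel.get("Target")))
    return hits


def build_sample_docx(template_url=None):
    """Constructed minimal .docx (not a real sample from the ASEC report).
    When template_url is given, settings.xml.rels links an external attached
    template, which Word fetches when the document is opened."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="%s">' % REL_NS]
    if template_url:
        rels.append('<Relationship Id="rId1" Type="%sattachedTemplate" '
                    'Target="%s" TargetMode="External"/>' % (REL_PREFIX, template_url))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")   # placeholder body, never parsed here
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical C2 URL in the TEST-NET-2 documentation range.
    for url in (None, "http://198.51.100.10/template.dotm"):
        print(url, find_external_relationships(build_sample_docx(url)))
```

Legitimate documents can carry an attached template pointing at an internal file share, so treat the check as triage input rather than a verdict: an external template target that is an HTTP(S) URL outside the organisation, in a document that arrived by mail, is the case worth blocking.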
TrendMicro.webp 2023-01-17 00:00:00 Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks (lien direct) We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader). Malware ★★
The_Hackers_News.webp 2023-01-16 18:17:00 Raccoon and Vidar Stealers Spreading via Massive Network of Fake Cracked Software (lien direct) A "large and resilient infrastructure" comprising over 250 domains is being used to distribute information-stealing malware such as Raccoon and Vidar since early 2020. The infection chain "uses about a hundred of fake cracked software catalogue websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub," cybersecurity firm SEKOIA said in Malware ★★★
InfoSecurityMag.webp 2023-01-16 17:00:00 CircleCI Confirms Data Breach Was Caused By Infostealer on Employee Laptop (lien direct) According to CTO Rob Zuber, the malware was not detected by the CircleCI antivirus program Data Breach Malware Uber ★★★★
InfoSecurityMag.webp 2023-01-16 16:00:00 Qbot Overtakes Emotet in December 2022\'s Most Wanted Malware List (lien direct) The findings come from Check Point Software's latest Global Threat Index report Malware Threat ★★★
The_Hackers_News.webp 2023-01-16 15:39:00 New Backdoor Created Using Leaked CIA\'s Hive Malware Discovered in the Wild (lien direct) Unidentified threat actors have deployed a new backdoor that borrows its features from the U.S. Central Intelligence Agency (CIA)'s Hive multi-platform malware suite, the source code of which was released by WikiLeaks in November 2017. "This is the first time we caught a variant of the CIA Hive attack kit in the wild, and we named it xdr33 based on its embedded Bot-side certificate CN=xdr33," Malware Threat ★★★★
globalsecuritymag.webp 2023-01-16 13:54:36 IcedID malware attack: comment (lien direct) For stories on the IcedID malware attack, which gained access to organisations' networks through Active Directory (AD), please see the comment below from Sean Deuby at Semperis. Semperis is a pioneer in identity security, specifically AD. Comment from Sean Deuby, Director of Services, Semperis, on the reported IcedID malware attack: - Opinion Malware ★★
SecurityWeek.webp 2023-01-16 11:53:44 CircleCI Hacked via Malware on Employee Laptop (lien direct) Software development service CircleCI has revealed that a recently disclosed data breach was the result of information stealer malware being deployed on an engineer's laptop. The incident was initially disclosed on January 4, when CircleCI urged customers to rotate their secret keys. Data Breach Malware ★★★
bleepingcomputer.webp 2023-01-16 11:41:30 Malicious \'Lolip0p\' PyPi packages install info-stealing malware (lien direct) A threat actor has uploaded to the PyPI (Python Package Index) repository three malicious packages that carry code to drop info-stealing malware on developers' systems. [...] Malware Threat ★★★
SocRadar.webp 2023-01-16 10:36:01 Attackers Infected a CircleCI Employee with Malware to Steal Customer Session Tokens (lien direct) Software provider CircleCI confirmed that a data breach in December resulted in the theft of some of... Data Breach Malware ★★
bleepingcomputer.webp 2023-01-16 07:15:34 Avast releases free BianLian ransomware decryptor (lien direct) Security software company Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers. [...] Ransomware Malware ★★
RecordedFuture.webp 2023-01-16 05:00:03 Ransomware Diaries: Undercover with the Leader of Lockbit (lien direct) An unusual announcement appeared in Russian Dark Web forums in June of 2020. Amid the hundreds of ads offering stolen credit card numbers and batches of personally identifiable information there was a Call for Papers. “We're kicking off the summer PAPER CONTEST,” it read. “Accepted article topics include any methods for popping shells, malware and [… Ransomware Malware Guideline ★★★
Trend.webp 2023-01-16 00:00:00 Abusing a GitHub Codespaces Feature For Malware Delivery (lien direct) Proof of Concept (POC): We investigate one of the GitHub Codespaces' real-time code development and collaboration features that attackers can abuse for cloud-based trusted malware delivery. Once exploited, malicious actors can abuse legitimate GitHub accounts to create a malware file server. Malware ★★★
Checkpoint.webp 2023-01-15 22:05:17 AI Can Write Malware Now. Are We Doomed? (lien direct) >Today’s AI can beat humans at Jeopardy, chess, recognizing faces and diagnosing medical conditions. As of last Fall it can write malware, too. In fact, it can write an entire attack chain: phishing emails, macros, reverse shells, you name it. What do we do now? Malware Medical ★★
bleepingcomputer.webp 2023-01-14 17:28:34 CircleCI\'s hack caused by malware stealing engineer\'s 2FA-backed session (lien direct) Hackers breached CircleCi in December after an engineer became infected with information-stealing malware that stole the employee's 2FA-backed SSO session, allowing access to the company's internal systems. [...] Malware Hack ★★★★
The_Hackers_News.webp 2023-01-14 14:11:00 Malware Attack on CircleCI Engineer\'s Laptop Leads to Recent Security Incident (lien direct) DevOps platform CircleCI on Friday disclosed that unidentified threat actors compromised an employee's laptop and leveraged malware to steal their two-factor authentication-backed credentials to breach the company's systems and data last month. The CI/CD service CircleCI said the "sophisticated attack" took place on December 16, 2022, and that the malware went undetected by its antivirus Malware Threat ★★★
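The CircleCI entries above turn on one detail: the infostealer did not need the engineer's password or second factor, it took an already authenticated session and replayed it. An existing session is not re-challenged for MFA, so the replay is visible mainly as the same session token arriving from a different network and browser. The block below is an added example, not CircleCI's code or telemetry, that runs that check over a few constructed SSO audit events (the addresses are documentation-range IPs and the user agents are made up).

```python
import json
from collections import defaultdict

# Constructed SSO audit events (not CircleCI's real logs). Session S1 is
# established from one origin and later replayed from another, which is what
# a stolen session cookie looks like to the identity provider.
SAMPLE_LOG = """
{"ts": "2022-12-16T09:01:10Z", "user": "alice", "session_id": "S1", "src_ip": "203.0.113.5", "user_agent": "Mozilla/5.0 (Macintosh) Chrome/108"}
{"ts": "2022-12-16T09:20:42Z", "user": "alice", "session_id": "S1", "src_ip": "203.0.113.5", "user_agent": "Mozilla/5.0 (Macintosh) Chrome/108"}
{"ts": "2022-12-16T11:47:03Z", "user": "alice", "session_id": "S1", "src_ip": "198.51.100.77", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/108"}
{"ts": "2022-12-16T09:05:00Z", "user": "bob", "session_id": "S2", "src_ip": "203.0.113.9", "user_agent": "Mozilla/5.0 (X11; Linux) Chrome/108"}
{"ts": "2022-12-16T10:05:00Z", "user": "bob", "session_id": "S2", "src_ip": "203.0.113.9", "user_agent": "Mozilla/5.0 (X11; Linux) Chrome/108"}
"""


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_session_reuse(events):
    """Flag a session token presented from a (source IP, user agent) pair
    other than the one that established it. Each new origin for a session
    is reported once, so a replay that continues for hours yields one alert."""
    first_origin = {}
    seen_origins = defaultdict(set)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session_id"]
        origin = (ev["src_ip"], ev["user_agent"])
        if sid not in first_origin:
            first_origin[sid] = origin
        elif origin not in seen_origins[sid]:
            alerts.append({
                "ts": ev["ts"],
                "user": ev["user"],
                "session_id": sid,
                "established_from": first_origin[sid],
                "replayed_from": origin,
            })
        seen_origins[sid].add(origin)
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

A thief who also copies the victim's user-agent string defeats the second half of the comparison, and a laptop moving between office and mobile networks changes the first half legitimately, so production rules usually key on ASN or geolocation change plus a device binding rather than raw IP. The detection is a backstop; the controls that limit the damage are short session lifetimes, re-authentication before reaching production secrets, and keeping an engineer's session from holding read access to every customer's variables in the first place.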
The_Hackers_News.webp 2023-01-13 22:09:00 Beware: Tainted VPNs Being Used to Spread EyeSpy Surveillanceware (lien direct) Tainted VPN installers are being used to deliver a piece of surveillanceware dubbed EyeSpy as part of a malware campaign that started in May 2022. It uses "components of SecondEye – a legitimate monitoring application – to spy on users of 20Speed VPN, an Iranian-based VPN service, via trojanized installers," Bitdefender said in an analysis. A majority of the infections are said to originate in Malware ★★★
DarkReading.webp 2023-01-13 20:00:00 Malware Comes Standard With This Android TV Box on Amazon (lien direct) The bargain T95 Android TV device was delivered with preinstalled malware, adding to a trend of Droid devices coming out-of-the-box tainted. Malware Prediction ★★★★
The_Hackers_News.webp 2023-01-13 16:56:00 Cybercriminals Using Polyglot Files in Malware Distribution to Fly Under the Radar (lien direct) Remote access trojans such as StrRAT and Ratty are being distributed as a combination of polyglot and malicious Java archive (JAR) files, once again highlighting how threat actors are continuously finding new ways to fly under the radar. "Attackers now use the polyglot technique to confuse security solutions that don't properly validate the JAR file format," Deep Instinct security researcher Malware Threat ★★★
Fortinet.webp 2023-01-13 14:43:00 2022 IoT Threat Review (lien direct) FortiGuard Labs continuously monitors the IoT botnet threat landscape for new and emerging campaigns. Read our blog with insights into malware campaigns that have been actively targeting IoT devices for infection. Malware Threat ★★★★
CSO.webp 2023-01-13 12:01:00 Attackers deploy sophisticated Linux implant on Fortinet network security devices (lien direct) In December, network security vendor Fortinet disclosed that a critical vulnerability in its FortiOS operating system was being exploited by attackers in the wild. This week, after additional analysis, the company released more details about a sophisticated malware implant that those attackers deployed through the flaw. Based on currently available information, the original zero-day attack was highly targeted at government-related entities. However, since the vulnerability has been known for over a month, all customers should patch it as soon as possible as more attackers could start using it. Remote code execution in FortiOS SSL-VPN: the vulnerability, tracked as CVE-2022-42475, is in the SSL-VPN functionality of FortiOS and can be exploited by remote attackers without authentication. Successful exploitation can result in the execution of arbitrary code and commands. Malware Vulnerability ★★★
Checkpoint.webp 2023-01-13 11:00:40 December 2022\'s Most Wanted Malware: Glupteba Entering Top Ten and Qbot in First Place (lien direct) >Check Point Research reports that Glupteba has returned to the top ten list for the first time since July 2022. Qbot overtook Emotet as the most prevalent malware in December, while android malware Hiddad made a comeback Our latest Global Threat Index for December 2022 saw Glupteba Malware, an ambitious blockchain-enabled Trojan botnet, return to… Malware Threat ★★
Blog.webp 2023-01-13 04:32:36 (Déjà vu) ASEC Weekly Malware Statistics (January 2nd, 2023 – January 8th, 2023) (lien direct) The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 2nd, 2023 (Monday) to January 8th, 2023 (Sunday). For the main category, downloader ranked top with 55.9%, followed by Infostealer with 21.3%, backdoor with 14.2%, ransomware with 7.9%, and CoinMiner with 0.8%. Top 1 – BeamWinHTTP BeamWinHTTP is a downloader malware that ranked top with 32.3%. The malware is distributed via malware disguised... Ransomware Malware ★★
Blog.webp 2023-01-13 00:52:34 Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack (lien direct) The ASEC analysis team recently identified Orcus RAT being distributed on file-sharing sites disguised as a cracked version of Hangul Word Processor. The threat actor that distributed this malware is the same person that distributed BitRAT and XMRig CoinMiner disguised as a Windows license verification tool on file-sharing sites.[1] The malware distributed by the threat actor has a similar form as those of the past, except for the fact that Orcus RAT was used instead of BitRAT. Furthermore, the new malware... Malware Tool Threat ★★
DarkReading.webp 2023-01-12 22:20:00 Researchers Find \'Digital Crime Haven\' While Investigating Magecart Activity (lien direct) A security vendor's investigation of infrastructure associated with a new, crypto-focused Magecart skimmer leads to discovery of cryptoscam sites, malware distribution marketplace, Bitcoin mixers, and more. Malware Guideline ★★★
The_Hackers_News.webp 2023-01-12 20:16:00 IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours (lien direct) A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access. "Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host," Cybereason researchers said in Malware Threat ★★
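The Cybereason description above gives the shape of the post-IcedID hands-on phase: a routine of recon commands, then credential theft and lateral movement. Any one of those commands is noise on a workstation; three or four distinct discovery commands from the same user on the same host inside a few minutes is the operator. The block below is an added example, not Cybereason's detection logic, that applies that sliding-window rule to a constructed process-creation log (Sysmon EventID 1 or 4688 style, with made-up host and user names).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Discovery commands that typically precede credential theft and lateral
# movement once a loader hands the host to a human operator.
RECON_PATTERNS = {
    "whoami":     re.compile(r"^whoami(\.exe)?(\s|$)", re.I),
    "net_domain": re.compile(r"^net1?(\.exe)?\s+(group|user|view)\b.*\s/domain\b", re.I),
    "nltest":     re.compile(r"^nltest(\.exe)?\s", re.I),
    "systeminfo": re.compile(r"^systeminfo(\.exe)?(\s|$)", re.I),
    "ipconfig":   re.compile(r"^ipconfig(\.exe)?\s+/all", re.I),
    "nslookup":   re.compile(r"^nslookup(\.exe)?\s", re.I),
}
WINDOW = timedelta(minutes=5)
THRESHOLD = 3   # distinct recon categories inside WINDOW

# Constructed process-creation log (not real telemetry).
# Format per line: timestamp host user command-line
SAMPLE_LOG = """
2023-01-05T10:02:11Z WS01 CORP\\jdoe whoami
2023-01-05T10:02:40Z WS01 CORP\\jdoe net group "Domain Admins" /domain
2023-01-05T10:03:05Z WS01 CORP\\jdoe nltest /dclist:corp
2023-01-05T10:03:20Z WS01 CORP\\jdoe ipconfig /all
2023-01-05T09:00:00Z WS02 CORP\\helpdesk ipconfig /all
2023-01-05T14:00:00Z WS02 CORP\\helpdesk whoami
2023-01-05T10:10:00Z WS03 CORP\\mlee notepad.exe C:\\notes.txt
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_log(text):
    """Return (datetime, host, user, command line) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, user, cmd = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, cmd))
    return events


def classify_recon(cmd):
    """Name of the recon category a command line falls into, or None."""
    for name, pat in RECON_PATTERNS.items():
        if pat.search(cmd):
            return name
    return None


def find_recon_bursts(events):
    """Sliding window per (host, user): alert once when THRESHOLD distinct
    recon categories appear within WINDOW. Isolated commands are dropped
    from the window as it slides, so an admin's ipconfig in the morning and
    whoami in the afternoon never accumulate."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, host, user, cmd in sorted(events):
        cat = classify_recon(cmd)
        if cat is None:
            continue
        key = (host, user)
        window = recent[key]
        window.append((ts, cat))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        cats = {c for _, c in window}
        if len(cats) >= THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({"host": host, "user": user, "first": window[0][0],
                           "last": ts, "recon": sorted(cats)})
    return alerts


if __name__ == "__main__":
    for alert in find_recon_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

The command-line patterns are the brittle part: an operator running the same discovery through a Cobalt Strike beacon's built-in commands or through PowerShell cmdlets never spawns net.exe or nltest.exe, so the rule should sit next to LDAP-query and SMB-session telemetry rather than replace it.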
DarkReading.webp 2023-01-12 19:11:00 Critical Cisco SMB Router Flaw Allows Authentication Bypass, PoC Available (lien direct) Unpatched Cisco bugs, tracked as CVE-2023-20025 and CVE-2023-20026, allow lateral movement, data theft, and malware infestations. Malware ★★
bleepingcomputer.webp 2023-01-12 17:24:02 RAT malware campaign tries to evade detection using polyglot files (lien direct) Operators of the StrRAT and Ratty remote access trojans (RAT) are running a new campaign using polyglot MSI/JAR and CAB/JAR files to evade detection from security tools. [...] Malware ★★★
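Both polyglot entries above (the Deep Instinct write-up and this one) rest on one property of the ZIP format that JAR inherits: a reader locates the archive by scanning back from the end of the file for the end-of-central-directory record and then corrects every entry offset for whatever precedes the archive, so a file can open with an MSI or CAB header and still load as a JAR. A scanner that decides the file type from the leading magic alone therefore never inspects the archive. The block below is an added example, not Deep Instinct's or the campaign's code; the JAR it builds is a constructed placeholder and the "polyglots" carry only the foreign magic bytes, not a complete MSI or CAB structure, which is enough to show the detection heuristic.

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
CAB_MAGIC = b"MSCF"                                  # Microsoft Cabinet
MSI_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # OLE compound file (MSI)


def build_jar():
    """Constructed minimal JAR: a manifest and a placeholder class entry
    (not a real StrRAT or Ratty sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
    return buf.getvalue()


def make_polyglot(foreign_header, jar_bytes):
    """Prepend a foreign file header. ZIP readers find the central directory
    from the end of the file and adjust entry offsets for the leading bytes,
    so the archive stays loadable although the file no longer starts with
    the PK signature. (A real MSI/JAR polyglot carries a full MSI in front;
    the magic bytes alone are enough to exercise the classifier.)"""
    return foreign_header + jar_bytes


def classify(data):
    """'jar' for a normal archive, 'polyglot-jar' for a readable ZIP that does
    not begin with the ZIP local-header signature, 'not-jar' otherwise."""
    readable_zip = zipfile.is_zipfile(io.BytesIO(data))
    if not readable_zip:
        return "not-jar"
    return "jar" if data.startswith(ZIP_LOCAL_HEADER) else "polyglot-jar"


def jar_entries(data):
    """Entry names an archive-aware loader would see; works on the polyglot too."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())


if __name__ == "__main__":
    jar = build_jar()
    for label, sample in (("plain", jar),
                          ("cab/jar", make_polyglot(CAB_MAGIC, jar)),
                          ("msi/jar", make_polyglot(MSI_MAGIC, jar))):
        print(label, sample[:4], classify(sample), jar_entries(sample))
```

The practical rule that falls out of this: classify by what parsers will accept, not by what the first four bytes say. Any file that yields a readable central directory with a META-INF/MANIFEST.MF entry is a JAR for detection purposes, whatever header it wears; a mail gateway or EDR that only keys on leading magic should be extended to run the trailing-ZIP check on every attachment type.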
bleepingcomputer.webp 2023-01-12 15:41:56 Android TV box on Amazon came pre-installed with malware (lien direct) A Canadian system administrator discovered that an Android TV box purchased from Amazon was pre-loaded with persistent, sophisticated malware baked into its firmware. [...] Malware ★★★
CSO.webp 2023-01-12 09:58:00 BrandPost: The Unrelenting Rise of Botnet Threats (lien direct) As the world has moved to scalable online services for everything from video streaming to gaming to messaging, it's really no surprise that malware has followed close behind. Specifically, threats such as botnets are evolving and scaling at such speeds that it's more important than ever to proactively manage potential security threats. Botnets, a portmanteau or blend of the phrase robot networks, are collections of malware-infected computing resources that can be used to attack any connected target system. They're a growing risk for every organization, enabling cyber criminals to steal passwords and gain access to corporate systems, deploy disruptive attacks that shut down entire networks, or even hijack corporate data with ransomware. Malware ★★★
The_Hackers_News.webp 2023-01-11 23:05:00 New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors (lien direct) A new analysis of Raspberry Robin's attack infrastructure has revealed that it's possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat. Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is malware that has increasingly come under the radar for being used in attacks aimed at finance, Malware Threat ★★
The_Hackers_News.webp 2023-01-11 19:54:00 Australian Healthcare Sector Targeted in Latest Gootkit Malware Attacks (lien direct) A wave of Gootkit malware loader attacks has targeted the Australian healthcare sector by leveraging legitimate tools like VLC Media Player. Gootkit, also called Gootloader, is known to employ search engine optimization (SEO) poisoning tactics (aka spamdexing) for initial access. It typically works by compromising and abusing legitimate infrastructure and seeding those sites with common keywords Malware ★★
SecurityWeek.webp 2023-01-11 16:12:31 Red Hat Announces General Availability of Malware Detection Service (lien direct) Red Hat announced on Tuesday the general availability of a malware detection service for Red Hat Enterprise Linux (RHEL) systems. Malware ★★
no_ico.webp 2023-01-11 14:13:11 Kinsing Malware Hits Kubernetes Clusters By Flawed PostgreSQL (lien direct) As of late, Kubernetes clusters have been actively breached by the Kinsing malware, which exploits vulnerabilities in container images and misconfigured, exposed PostgreSQL containers. While not new, the Defender for Cloud team at Microsoft has noticed a spike in recent months, suggesting that the threat actors are increasingly focusing on narrow access points. Kinsing is […] Malware Threat Uber ★★
globalsecuritymag.webp 2023-01-11 14:11:14 Analysis of the Royal ransomware exploits (lien direct) Royal ransomware was first observed in January 2022 and has been deployed by threat actors including DEV-0569. The group uses Google Ads to redirect users to forums, posts and blog comments, or sends phishing emails containing links to download the malware. In another campaign, initial access is obtained through "callback" phishing attacks. In this type of attack, the attackers send an email asking the recipient to renew a subscription and prompting the victim to call the number given. When victims make the call mentioned in the email, - Special reports Ransomware Malware ★★
Last update at: 2024-07-15 06:07:52