What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-07-24 23:34:10 | Onyx Sleet utilise une gamme de logiciels malveillants pour recueillir l'intelligence pour la Corée du Nord Onyx Sleet uses array of malware to gather intelligence for North Korea (lien direct) |
#### Targeted Geolocations - India - Korea - United States - Southeast Asia - North America #### Targeted Industries - Information Technology - Defense Industrial Base - Government Agencies & Services ## Snapshot On July 25, 2024, the United States Department of Justice (DOJ) indicted an individual linked to the North Korean threat actor that Microsoft tracks as Onyx Sleet. Microsoft Threat Intelligence collaborated with the Federal Bureau of Investigation (FBI) in tracking activity associated with Onyx Sleet. We will continue to closely monitor Onyx Sleet\'s activity to assess changes following the indictment. First observed by Microsoft in 2014, Onyx Sleet has conducted cyber espionage through numerous campaigns aimed at global targets with the goal of intelligence gathering. More recently, it has expanded its goals to include financial gain. This threat actor operates with an extensive set of custom tools and malware, and regularly evolves its toolset to add new functionality and to evade detection, while keeping a fairly uniform attack pattern. Onyx Sleet\'s ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, like organizations in the defense, engineering, and energy sectors. Microsoft tracks campaigns related to Onyx Sleet and directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. ## Activity Overview ### Who is Onyx Sleet? Onyx Sleet conducts cyber espionage primarily targeting military, defense, and technology industries, predominately in India, South Korea, and the United States. This threat actor has historically leveraged spear-phishing as a means of compromising target environments; however, in recent campaigns, they have mostly exploited N-day vulnerabilities, leveraging publicly available and custom exploits to gain initial access. In October 2023, Onyx Sleet [exploited the TeamCity CVE-2023-42793 vulnerability](https://security.microsoft.com/intel-explorer/articles/b4f39b04) [as a part of a targeted attack](https://security.microsoft.com/vulnerabilities/vulnerability/CVE-2023-42793/overview). Exploiting this vulnerability enabled the threat actor to perform a remote code execution attack and gain administrative control of the server. Onyx Sleet develops and uses a spectrum of tools that range from custom to open source. They have built an extensive set of custom remote access trojans (RATs) that they use in campaigns, and routinely developed new variants of these RATs to add new functionality and implement new ways of evading detection. Onyx Sleet often uses leased virtual private servers (VPS) and compromised cloud infrastructure for command-and-control (C2). Onyx Sleet is tracked by other security companies as SILENT CHOLLIMA, Andariel, DarkSeoul, Stonefly, and TDrop2. **Affiliations with other threat actors originating from North Korea** Onyx Sleet has demonstrated affiliations with other North Korean actors, indicating its integration with a broader network of North Korean cyber operations. Microsoft has observed [an overlap](https://www.microsoft.com/en-us/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/) between Onyx Sleet and [Storm-0530](https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/). Both groups were observed operating within the same infrastructure and were involved in the development and use of ransomware in attacks in late 2021 and 2022. **Onyx Sleet targets** In pursuit of its primary goal of intelligence collection, Onyx Sleet has focused on targeting entities in the defense and energy industries, predominately in India, South Korea, and the United States. Recent att | Ransomware Malware Tool Vulnerability Threat Industrial Cloud Technical Commercial | APT 38 | ★★★ |
 |
2024-06-27 14:00:00 | Le renouveau mondial du hacktivisme nécessite une vigilance accrue des défenseurs Global Revival of Hacktivism Requires Increased Vigilance from Defenders (lien direct) |
Written by: Daniel Kapellmann Zafra, Alden Wahlstrom, James Sadowski, Josh Palatucci, Davyn Baumann, Jose Nazario
Since early 2022, Mandiant has observed the revival and intensification of threat activity from actors leveraging hacktivist tactics and techniques. This comes decades after hacktivism first emerged as a form of online activism and several years since many defenders last considered hacktivism to be a serious threat. However, this new generation of hacktivism has grown to encompass a more complex and often impactful fusion of tactics different actors leverage for their specific objectives. Today\'s hacktivists exhibit increased capabilities in both intrusion and information operations demonstrated by a range of activities such as executing massive disruptive attacks, compromising networks to leak information, conducting information operations, and even tampering with physical world processes. They have leveraged their skills to gain notoriety and reputation, promote political ideologies, and actively support the strategic interests of nation-states. The anonymity provided by hacktivist personas coupled with the range of objectives supported by hacktivist tactics have made them a top choice for both state and non-state actors seeking to exert influence through the cyber domain. This blog post presents Mandiant\'s analysis of the hacktivism threat landscape, and provides analytical tools to understand and assess the level of risk posed by these groups. Based on years of experience tracking hacktivist actors, their claims, and attacks, our insight is meant to help organizations understand and prioritize meaningful threat activity against their own networks and equities. 
Figure 1: Sample of imagery used by hacktivists to promote their threat activity
Proactive Monitoring of Hacktivist Threats Necessary for Defenders to Anticipate Cyberattacks
Mandiant considers activity to be hacktivism when actors claim to or conduct attacks with the publicly stated intent of engaging in political or social activism. The large scale of hacktivism\'s resurgence presents a critical challenge to defenders who need to proactively sift through the noise and assess the risk posed by a multitude of actors with ranging degrees of sophistication. While in many cases hacktivist activity represents a marginal threat, in the most significant hacktivist operations Mandiant has tracked, threat actors have deliberately layered multiple tactics in hybrid operations in such a way that the effect of each component magnified the others. In some cases, hacktivist tactics have been deliberately employed by nation-state actors to support hybrid operations that can seriously harm victims. As the volume and complexity of activity grows and new actors leverage hacktivist tactics, defenders must determine how to filter, assess, and neutralize a range of novel and evolving threats. The proactive moni |
Malware Tool Threat Legislation Industrial Cloud Commercial | APT 38 | ★★★ |
|
2024-05-22 14:00:00 | Extinction de l'IOC?Les acteurs de cyber-espionnage de Chine-Nexus utilisent des réseaux orbes pour augmenter les coûts des défenseurs IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders (lien direct) |
Written by: Michael Raggi
Mandiant Intelligence is tracking a growing trend among China-nexus cyber espionage operations where advanced persistent threat (APT) actors utilize proxy networks known as “ORB networks” (operational relay box networks) to gain an advantage when conducting espionage operations. ORB networks are akin to botnets and are made up of virtual private servers (VPS), as well as compromised Internet of Things (IoT) devices, smart devices, and routers that are often end of life or unsupported by their manufacturers. Building networks of compromised devices allows ORB network administrators to easily grow the size of their ORB network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations. By using these mesh networks to conduct espionage operations, actors can disguise external traffic between command and control (C2) infrastructure and victim environments including vulnerable edge devices that are being exploited via zero-day vulnerabilities. These networks often use both rented VPS nodes in combination with malware designed to target routers so they can grow the number of devices capable of relaying traffic within compromised networks. Mandiant assesses with moderate confidence that this is an effort to raise the cost of defending an enterprise\'s network and shift the advantage toward espionage operators by evading detection and complicating attribution. Mandiant believes that if network defenders can shift the current enterprise defense paradigm away from treating adversary infrastructure like indicators of compromise (IOCs) and instead toward tracking ORB networks like evolving entities akin to APT groups, enterprises can contend with the rising challenge of ORB networks in the threat landscape. IOC Extinction and the Rise of ORB Networks The cybersecurity industry has reported on the APT practice of ORB network usage in the past as well as on the functional implementation of these networks. Less discussed are the implications of broad ORB network usage by a multitude of China-nexus espionage actors, which has become more common over recent years. The following are three key points and paradigm shifting implications about ORB networks that require enterprise network defenders to adapt the way they think about China-nexus espionage actors: ORB networks undermine the idea of “Actor-Controlled Infrastructure”: ORB networks are infrastructure networks administered by independent entities, contractors, or administrators within the People\'s Republic of China (PRC). They are not controlled by a single APT actor. ORB networks create a network interface, administer a network of compromised nodes, and contract access to those networks to multiple APT actors that will use the ORB networks to carry out their own distinct espionage and reconnaissance. These networks are not controlled by APT actors using them, but rather are temporarily used by these APT actors often to deploy custom tooling more conventionally attributable to known China-nexus adversaries. ORB network infrastructure has a short lifesp |
Malware Tool Vulnerability Threat Prediction Cloud Commercial | APT 15 APT 5 APT 31 | ★★★ |
1
We have: 3 articles.
We have: 3 articles.
To see everything:
Our RSS (filtrered)
