What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-07-31 22:40:07 | Rapport trimestriel de la cyber-menace: MITER ATT & CK Framework Trends in Osint (avril 2024 & # 8211; juin 2024) Quarterly cyber threat report: MITRE ATT&CK framework trends in OSINT (April 2024 – June 2024) (lien direct) |
## Snapshot This report presents an analysis of recent trends in cyber threats based on 111 articles published by threat researchers across the security community between April and June 2024. These articles are curated by Microsoft Threat Intelligence from across a number of trusted sources and included in Microsoft Defender Threat Intelligence as open source intelligence (OSINT) articles. The analysis focuses on the nearly 1,000 MITRE ATT&CK framework tags correlated to the content in each article. By distilling insights from these tags and the related intelligence, we can highlight prevalent tactics, techniques, and procedures (TTPs) observed in the cyber security landscape over the past quarter. This dataset is not exhaustive but represents a curated set of most high-profile cyber threat intelligence reporting from across the security community. When prioritizing cyber security efforts, it\'s essential to understand the trending TTPs observed in the wild. This knowledge helps defenders make informed decisions about the most effective strategies to implement, especially where to focus engineering efforts and finite resources. ## Activity Overview - **Initial access: Phishing**: Phishing remains a prevalent initial access method, mentioned in a third of reports, including spear-phishing attachments and links. The persistence of this technique underscores its effectiveness and the ongoing need for robust user education and email security measures. - **Defense evasion: Obfuscated files or information:** Over a third of reports highlighted the use of obfuscation techniques, such as dynamic API resolution and steganography, to evade detection. This trend is likely underpinned by factors such as the cybercrime market for obfuscating even basic credential theft malware as well as the growing sophistication in some malware to bypass traditional security measures. - **Command and control: Ingress tool transfer:** Ingress tool transfer was the most frequently referenced technique, involving the transfer of tools from an external system to a compromised one. Key threats driving the prevalence of this tactic included an increase in OSINT reporting on threat actors misusing the ms-appinstaller URI scheme (App Installer) to distribute malware. - **Execution: Command and scripting interpreter/PowerShell:** Execution through PowerShell was prominent, continuing its trend of broad adoption in attacks over the past decade. The widespread adoption of PowerShell to launch malicious code is in part due to numerous toolkits that have been developed to allow quick deployment of a wide range of attacks. - **Exfiltration: Exfiltration over C2 channel:** The most commonly referenced exfiltration method was over the command-and-control (C2) channel, highlighting the critical need for network monitoring and anomaly detection to identify and mitigate data breaches. The frequent reports on infostealers such as Lumma and DarkGate-commodity malware used to steal information from a target device and send it to the threat actor-are likely key drivers of this MITRE tag\'s prominence. - **Impact: Data encrypted for impact:** Ransomware involving data encryption was the most frequently observed impact technique, with LockBit and other groups exploiting vulnerabilities. The use of Bring Your Own Vulnerable Driver (BYOVD) tactics, such as Warp AV Killer, remained common. #### Initial access: Phishing Phishing remains a significant initial access method in open-source research, with a third of the reports mentioning its use. This includes both spear-phishing attachments and spear-phishing links. Phishing involves deceptive attempts to trick individuals into divulging sensitive information or installing malicious software, often through seemingly legitimate emails. The persistence of this technique underscores its effectiveness and the ongoing need for robust user education and email security measures. Phishing remains a dominant method for initial access in cyber threat landscapes due to its effective | Threat Ransomware Spam Malware Cloud Tool Prediction Vulnerability Legislation | ★★★ | |
|
2024-07-31 21:17:43 | (Déjà vu) «Echospoofing» - une campagne de phishing massive exploitant la protection par e-mail de Proofpoint \\ pour envoyer des millions de courriels parfaitement usurpés “EchoSpoofing” - A Massive Phishing Campaign Exploiting Proofpoint\\'s Email Protection to Dispatch Millions of Perfectly Spoofed Emails (lien direct) |
## Snapshot In a coordinated report, Guardio Labs and Proofpoint detailed spam campaigns, which exploited weak permissions in Proofpoint\'s email protection service to send millions of spoofed emails impersonating major entities like Disney, Nike, IBM, and Coca-Cola to Fortune 100 companies. ## Description The campaign, which began in January 2024, involved an average of 3 million spoofed emails per day, peaking at 14 million emails in early June. Threat actors utilized their own SMTP (Simple Mail Transfer Protocol) servers to create spoofed emails with manipulated headers and relayed them through compromised or rogue Microsoft Office 365 accounts via Proofpoint\'s relay servers. As of July 30th, Guardio Labs reported that a number of the Microsoft accounts have been removed. The attackers leveraged Virtual Private Servers (VPS) hosted by OVHCloud and Centrilogic, as well as various domains registered through Namecheap to conduct the campaign. Proofpoint assesses that this activity was likely conducted by one actor, who is currently unknown. The phishing emails were designed to steal sensitive personal information and incur unauthorized charges, and they passed SPF and DKIM checks, allowing them to bypass spam filters and reach recipients\' inboxes. Proofpoint, after being notified by Guardio Labs, tightened security measures and provided new settings and advice to mitigate these attacks. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. - Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. - Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. - Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. - [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access. - Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint. - Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint. - Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques like LSASS access. - [Enable](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-credential-stealing-from-the-windows-local-security-authority-subsystem) LSA protection. - Microsoft Defender XDR customers can turn on the following [attack surface reduction rule](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction) to prevent common attack techniques used for ransomware. - - [Block](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-executable-content-from-email-client-and-webmai | Threat Ransomware Spam Tool | ★★★ | |
 |
2024-07-31 20:17:42 | Les imitations des dirigeants dirigés par l'IA émergent comme une menace importante pour les processus de paiement commercial AI-Driven Executive Impersonations Emerge As Significant Threat to Business Payment Processes (lien direct) |
Pas de details / No more details | Threat | ★★★ | |
|
2024-07-31 20:02:49 | (Déjà vu) Socgholish malware attaquant les utilisateurs de Windows à l'aide d'une fausse mise à jour du navigateur SocGholish Malware Attacking Windows Users Using Fake Browser Update (lien direct) |
## Snapshot GData Software analysts found that the [SocGholish](https://security.microsoft.com/intel-profiles/7e30959d011aa33939afaa2477fd0cd097cee346fa3b646446a6b1e55f0c007f) malware, favored by threat groups like Evil Corp (tracked by Microsoft as [Manatee Tempest](https://security.microsoft.com/intel-profiles/1b66d1619b5365957ba8c785bfd7936bfa9cf8b58ad9f55b7987f7f3b390f4fc)) and TA569 (tracked by Microsft as [Mustard Tempest](https://security.microsoft.com/intel-profiles/79a9547522d81fe6c1f5e42d828009656892f3976c547360db52c33f0ba16db9)), is actively targeting Windows users with fake browser updates. ## Description This complex JavaScript downloader uses drive-by download techniques to silently install malware on user machines. It has evolved to exploit vulnerable WordPress plugins using the Keitaro traffic distribution system, with its infrastructure traced to Russian-hosted servers. The malware employs advanced techniques such as user profiling, browser fingerprinting, and fake browser update pages as lures. Potential payloads associated with SocGholish include backdoors, information stealers, remote access Trojans, and ransomware. Recent infections indicate the use of PowerShell scripts for persistence on compromised systems, enhancing its adaptability and evasion capabilities. ## Microsoft Analysis Microsoft researchers have investigated multiple incidents involving fake software updates served by the SocGholish malware distribution framework. [SocGholish](https://security.microsoft.com/intel-profiles/7e30959d011aa33939afaa2477fd0cd097cee346fa3b646446a6b1e55f0c007f) is an attack framework that malicious attackers have used since at least 2020. The attacker framework entices users to install fake software updates that eventually let attackers infiltrate target organizations. SocGholish can be tweaked to deliver any payload an attacker chooses. Threat actors [Mustard Tempest](https://security.microsoft.com/intel-profiles/79a9547522d81fe6c1f5e42d828009656892f3976c547360db52c33f0ba16db9?tab=tradeCraft) and [Manatee Tempest](https://security.microsoft.com/intel-profiles/1b66d1619b5365957ba8c785bfd7936bfa9cf8b58ad9f55b7987f7f3b390f4fc) use SocGholish/FakeUpdates as their primary technique to gain intial access. ## Detections/Hunting Queries Microsoft Defender Antivirus detects threat components as the following malware: - [TrojanDownloader:JS/FakeUpdates](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:JS/FakeUpdates.J&threatId=-2147133367?ocid=magicti_ta_ency) - [Behavior:Win32/FakeUpdates](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/FakeUpdates.A&threatId=-2147140656?ocid=magicti_ta_ency) - [Trojan:JS/FakeUpdate](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:JS/FakeUpdate.C) - [Behavior:Win32/Socgolsh](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Socgolsh.SB&threatId=-2147152249?ocid=magicti_ta_ency) - [TrojanDownloader:JS/SocGholish](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:JS/SocGholish!MSR&threatId=-2147135220?ocid=magicti_ta_ency) - [Trojan:JS/Socgolsh.A](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:JS/Socgolsh.A) - [Behavior:Win32/Socgolsh.SB](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Socgolsh.SB) - [Trojan:Win32/Blister](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Blister.A&threatId=-2147152044?ocid=magicti_ta_ency) - [Trojan:Win64/Blister](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/Blister.A&threatId=-2147153518?ocid=magicti_ta_ency) - [Behavior:Win32/SuspRclone](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Sus | Threat Ransomware Malware Tool | ★★★ | |
|
2024-07-31 19:17:20 | Siri Bug permet le vol de données sur les appareils Apple verrouillés Siri Bug Enables Data Theft on Locked Apple Devices (lien direct) |
Les acteurs malveillants pourraient potentiellement exploiter cette vulnérabilité si elles ont un accès physique à un appareil utilisateur.
Malicious actors could potentially exploit this vulnerability if they gain physical access to a user\'s device. |
Threat Vulnerability | ★★★ | |
 |
2024-07-31 18:38:00 | Les logiciels malveillants liés à la Corée du Nord ciblent les développeurs sur Windows, Linux et MacOS North Korea-Linked Malware Targets Developers on Windows, Linux, and macOS (lien direct) |
Les acteurs de la menace derrière une campagne de logiciels malveillants en cours ciblant les développeurs de logiciels ont démontré de nouveaux logiciels malveillants et tactiques, élargissant leur objectif pour inclure les systèmes Windows, Linux et MacOS.
Le groupe d'activités, surnommé Dev # Popper et lié à la Corée du Nord, s'est avéré avoir distingué les victimes en Corée du Sud, en Amérique du Nord, en Europe et au Moyen-Orient.
"Cette forme d'attaque est un
The threat actors behind an ongoing malware campaign targeting software developers have demonstrated new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems. The activity cluster, dubbed DEV#POPPER and linked to North Korea, has been found to have singled out victims across South Korea, North America, Europe, and the Middle East. "This form of attack is an |
Threat Malware | ★★★ | |
|
2024-07-31 18:17:54 | (Déjà vu) Donot APT GROUP ciblant le Pakistan Donot APT Group Targeting Pakistan (lien direct) |
#### Targeted Geolocations - United States - Eastern Europe - Northern Europe - Western Europe - Southern Europe - Central Asia - East Asia - South Asia - Southeast Asia #### Targeted Industries - Government Agencies & Services - Information Technology - Defense Industrial Base ## Snapshot Rewterz published a profile on APT-C-35, also known as the Donot APT group, a cyber espionage group active since at least 2013. ## Description The Donot APT group is known to target government and military organizations, as well as companies in the aerospace, defense, and high-tech industries. Their activities have been observed in several regions, including the United States, Europe, and Asia. The Donot group\'s motivations are information theft and espionage. The group is known for targeting Pakistani users with Android malware named StealJob, disguised under the name “Kashmiri Voice” to steal confidential information and intellectual property. In July 2022, they used Comodo\'s certificate to sign their spyware, demonstrating their high level of technical skill. The Donot APT group employs various tactics such as spear-phishing emails, malware, and custom-developed tools, often using third-party file-sharing websites for malware distribution. They are well-funded and use sophisticated techniques to evade detection, including encryption and file-less malware. ## Additional Analysis According to a number of additional sources, Donot group is likely [linked to the Indian government](https://socradar.io/apt-profile-apt-c-35-donot-team/). Initial access to victim environments is typically achieved through phishing campaigns and the group has been observed exploiting vulnerabilities in Microsoft Office, including [CVE-2018-0802](https://security.microsoft.com/intel-explorer/cves/CVE-2018-0802/), [CVE-2017-0199](https://security.microsoft.com/intel-explorer/cves/CVE-2017-0199/), and [CVE-2017-8570](https://security.microsoft.com/intel-explorer/cves/CVE-2017-8570/). Donot group is a persistent and consistent actor. [ESET researchers](https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/) note the group is known to repeatedly attacks the same target, even if they are removed fromt he victim environment. In some cases, the Donot group launched spearphishing campaigns against targets every two to four months. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. - Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. - Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. - Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. - [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access. - Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender f | Threat Ransomware Malware Tool Technical Mobile Industrial Vulnerability | ★★★ | |
|
2024-07-31 16:40:35 | (Déjà vu) Phishing targeting Polish SMBs continues via ModiLoader (lien direct) | #### Géolocations ciblées - Pologne - Roumanie - Italie ## Instantané Des chercheurs de l'ESET ont détecté des campagnes de phishing généralisées ciblant les petites et moyennes entreprises (PME) en Pologne, en Roumanie et en Italie en mai 2024. ## Description Les campagnes visant à distribuer diverses familles de logiciels malveillants, y compris les remcos à distance à distance (rat), [agent Tesla] (https://security.microsoft.com/intel-profiles/0116783AB9DA099992EC014985D7C56BFE2D8C360C6E7DD6CD39C8D6555555538) et FormBook) et Forme Modiloader (également connu sous le nom de dbatloader).Cela marque un changement de tactique comme dans les campagnes précédentes, les acteurs de la menace ont exclusivement utilisé l'accryptor pour offrir des charges utiles de suivi. Dans les campagnes les plus récentes, les attaquants ont utilisé précédemment les comptes de messagerie et les serveurs d'entreprise pour diffuser des e-mails malveillants, héberger des logiciels malveillants et collecter des données volées.Les e-mails de phishing contenaient des pièces jointes avec des noms comme RFQ8219000045320004.TAR ou ZAM & OACUTE; WIENIE \ _NR.2405073.IMG, qui ont été utilisés pour livrer Modiloader.Une fois lancé, Modiloader a téléchargé et exécuté la charge utile finale, qui variait entre les différentes campagnes.Les attaquants ont exfiltré des données utilisant différentes techniques, y compris SMTP et des serveurs Web compromis. ## Détections / requêtes de chasse ** Microsoft Defender Antivirus ** Microsoft Defender Antivirus détecte les composants de la menace comme le malware suivant: - [Trojan: Win32 / Modiloader] (https://www.microsoft.com/en-us/wdsi/therets/malware-encycopedia-dercription?name=trojan:win32/modiloader) - [Backdoor: JS / REMCOS] (https://www.microsoft.com/en-us/wdsi/thereats/malware-encycopedia-dercription?name=backDoor:js/remcos) - [Backdoor: MSIL / REMCOS] (https://www.microsoft.com/en-us/wdsi/terats/malware-encycopedia-description?name=backdoor: MSIL / REMCOS) - [Backdoor: Win32 / Remcos] (https://www.microsoft.com/en-us/wdsi/terats/malware-encycopedia-dEscription? Name = Backdoor: Win32 / Remcos) - [Trojan: Win32 / Remcos] (https://www.microsoft.com/en-us/wdsi/therets/malware-encycopedia-d-dEscription? Name = Trojan: Win32 / Remcos) - [Trojan: win32 / agenttesla] (https://www.microsoft.com/en-us/wdsi/therets/malware-encycopedia-description?name=trojan:win32/agenttesla) - [Trojanspy: MSIL / AgentTesla] (https://www.microsoft.com/en-us/wdsi/therets/malware-encycopedia-dercription?name=trojanspy:mil/agenttesla) - [Trojandownloader: MSIL / FormBook] (https://www.microsoft.com/en-us/wdsi/Threats/Malware-encyClopedia-Description?name=trojandownher:mil/formBook.kan!mtb&agne ;Threatid=-2147130651&ocid = magicti_ta_ency) ## Recommandations Microsoft recommande les atténuations suivantes to Réduire l'impact de cette menace. - Allumez [Protection en livraison du cloud] (https://learn.microsoft.com/en-us/defender-endpoint/linux-preférences) dans Microsoft Defender Antivirus ou l'équivalent de votre produit antivirus pour couvrir rapidement les outils d'attaquant en évolution et et et les outils d'attaquant en évolution rapide ettechniques.Les protections d'apprentissage automatique basées sur le cloud bloquent la majorité des menaces nouvelles et inconnues. - Exécuter [EDR en mode bloc] (https: //learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-lock-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) So que Microsoft Defender pour le point final peut bloquer les artefacts malveillants, même lorsque votre antivirus non microsoft ne détecte pas la menace ou lorsque Microsoft Defender Antivirus fonctionne en mode passif.EDR en mode bloc fonctionne dans les coulisses pour corriger les artefacts malveillants qui sont détectés post-abri. - Autoriser [Investigation and Remediation] (https://learn.microsoft.com/microsoft-365/security/defen | Threat Ransomware Malware Tool | ★★★ | |
|
2024-07-31 16:31:00 | Les pirates chinois ciblent les entreprises japonaises avec des logiciels malveillants Lodeinfo et Noopdoor Chinese Hackers Target Japanese Firms with LODEINFO and NOOPDOOR Malware (lien direct) |
Les organisations japonaises sont la cible d'un acteur de menace nationale chinoise qui exploite les familles de logiciels malveillants comme Lodeinfo et Noopdoor pour récolter des informations sensibles auprès d'hôtes compromis tout en restant furtivement sous le radar dans certains cas pendant une période allant de deux à trois ans.
La société israélienne de cybersécurité Cybearason suit la campagne sous le nom de Cuckoo Spear,
Japanese organizations are the target of a Chinese nation-state threat actor that leverages malware families like LODEINFO and NOOPDOOR to harvest sensitive information from compromised hosts while stealthily remaining under the radar in some cases for a time period ranging from two to three years. Israeli cybersecurity company Cybereason is tracking the campaign under the name Cuckoo Spear, |
Threat Malware | ★★★ | |
|
2024-07-31 15:07:00 | Cyber Espionage Group XDSPY cible les entreprises en Russie et en Moldavie Cyber Espionage Group XDSpy Targets Companies in Russia and Moldova (lien direct) |
Les entreprises de Russie et de Moldavie ont été la cible d'une campagne de phishing orchestrée par un groupe de cyber-espionnage peu connu connu sous le nom de XDSPY.
Les résultats proviennent de la société de cybersécurité F.A.C.T., qui a déclaré que les chaînes d'infection conduisaient au déploiement d'un logiciel malveillant appelé DSDownloader.L'activité a été observée ce mois-ci, a-t-il ajouté.
XDSPY est un acteur de menace d'origine indéterminée qui était le premier
Companies in Russia and Moldova have been the target of a phishing campaign orchestrated by a little-known cyber espionage group known as XDSpy. The findings come from cybersecurity firm F.A.C.C.T., which said the infection chains lead to the deployment of a malware called DSDownloader. The activity was observed this month, it added. XDSpy is a threat actor of indeterminate origin that was first |
Threat Malware | ★★★ | |
|
2024-07-31 15:03:11 | Les fausses mises à jour du navigateur déploient un logiciel Asyncrat et malveillant BOINC Fake Browser Updates Deploy AsyncRAT and Malicious BOINC Software (lien direct) |
## Snapshot Researches at Huntress identified new behaviors associated with SocGholish, or FakeUpdates, malware. Typically, infections start when a user visits a compromised website and downloads a fake browser update, which executes malicious code to download further malware. . ## Description Initial access involves a malicious JavaScript file that downloads subsequent stages of the attack. In this case, two separate chains were identified: one leading to a fileless AsyncRAT installation and the other to a malicious BOINC (Berkeley Open Infrastructure Network Computing Client) installation. The AsyncRAT chain involved several stages with obfuscated PowerShell scripts and anti-VM techniques, eventually leading to a connection to a command and control (C2) server. The BOINC chain involved dropping multiple files, creating directories and scheduled tasks, and renaming executables to disguise their malicious intent. The BOINC software, typically used for legitimate distributed computing projects, was configured to connect to malicious servers, enabling threat actors to collect data and execute tasks on infected hosts. Persistence was maintained through scheduled tasks, and the use of BOINC in this context is relatively unusual. Both chains showed similarities with previous SocGholish activities, such as using fake browser updates and PowerShell scripts. The new campaigns utilized recently registered domains and shared infrastructure noted by other security researchers. ## Microsoft Analysis Microsoft researchers have investigated multiple incidents involving fake software updates served by the SocGholish malware distribution framework. [SocGholish](https://security.microsoft.com/intel-profiles/7e30959d011aa33939afaa2477fd0cd097cee346fa3b646446a6b1e55f0c007f) is an attack framework that malicious attackers have used since at least 2020. The attacker framework entices users to install fake software updates that eventually let attackers infiltrate target organizations. SocGholish can be tweaked to deliver any payload an attacker chooses. Threat actor, [Mustard Tempest](https://security.microsoft.com/intel-profiles/79a9547522d81fe6c1f5e42d828009656892f3976c547360db52c33f0ba16db9?tab=tradeCraft), uses SocGholish/FakeUpdates as their primary technique to gain intial access. Find out more about Mustard Tempest including indicators [here](https://security.microsoft.com/intel-profiles/79a9547522d81fe6c1f5e42d828009656892f3976c547360db52c33f0ba16db9?tab=description). [AsyncRAT](https://sip.security.microsoft.com/intel-profiles/e9216610feb409dfb620b28e510f2ae2582439dfc7c7e265815ff1a776016776) is a remote access tool (RAT) that allows a user to control a remote computer. It is designed to evade detection and is often used by attackers to gain unauthorized access to a victim\'s system. AsyncRAT is written in .NET and is capable of running on Windows machines. It can perform various malicious activities such as keylogging, file stealing, and ransomware deployment. Its name comes from its use of asynchronous programming techniques, which allow it to carry out multiple tasks simultaneously without blocking the program\'s main thread. Mirosoft researchers track the AsyncRAT portion of this attack to threat actor, [Storm-0426](https://security.microsoft.com/intel-profiles/2ef8bd6a2aa00638707e7eba5e86040ba0d88c4c0da6ad7bb0c95a8999e2af83). ## Detections/Hunting Queries #### Microsoft Defender Antivirus Microsoft Defender Antivirus detects threat components as the following malware: - [Trojan:JS/Socgolsh.A](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:JS/Socgolsh.A) - Trojan:JS/FakeUpdate.C - Trojan:JS/FakeUpdate.B - Behavior:Win32/Socgolsh.SB #### Microsoft Defender for Endpoint Alerts with the following titles in the security center can indicate threat activity on your network: - SocGholish command-and-control - Suspicious \'Socgolsh\' behavior was blocked The following aler | Threat Ransomware Malware Tool | ★★★ | |
 |
2024-07-31 14:42:52 | Cohesity renforce la cyber-résilience des entreprises grâce à de nouvelles capacités d\'IA générative (lien direct) | Les mises à jour de la plateforme Cohesity Data Cloud simplifient l'identification et la remédiation des menaces, pour une reprise après incident plus rapide. Cohesity a annoncé l'extension de ses capacités en matière d'Intelligence Artificielle Générative (GenAI) pour la détection et la restauration avec le déploiement d'améliorations sur sa plateforme Cohesity Data Cloud. - Produits | Threat Cloud | ★★★ | |
 |
2024-07-31 13:47:13 | Google Ads Push Fake Google Authenticator Site Installation de logiciels malveillants Google ads push fake Google Authenticator site installing malware (lien direct) |
Google a été victime de sa propre plate-forme publicitaire, permettant aux acteurs de menace de créer de fausses publicités Google Authenticator qui poussent le malware de voleur d'informations DeerStealeer.[...]
Google has fallen victim to its own ad platform, allowing threat actors to create fake Google Authenticator ads that push the DeerStealer information-stealing malware. [...] |
Threat Malware | ★★★ | |
|
2024-07-31 12:04:11 | Le nouveau visage de la fraude: 40% des e-mails de compromis par e-mail (BEC) sont générés par AI-AI The New Face of Fraud: 40% of Business Email Compromise (BEC) Emails Are AI-Generated (lien direct) |
e-mails BEC Voir une augmentation de 20% en glissement annuel, les liens malveillants augmentent de 74% et les pièces jointes malveillantes doubles Vipre Security Group a dévoilé ses tendances de menace par e-mail du T2 2024Rapport.Le rapport met en évidence l'ingéniosité des cybercriminels dans l'utilisation de l'IA pour échapper à la détection et à l'escroquerie malicieusement des individus et des entreprises.VIPRE a traité 1,8 milliard de courriels à l'échelle mondiale, détectant 226,45 millions de courriels de spam et 16,91 millions d'URL malveillants pour identifier les tendances de la menace par e-mail qui ont le plus d'impact sur les entreprises.
-
rapports spéciaux
BEC emails see a 20% year-on-year increase, malicious links increase by 74%, and malicious attachments double VIPRE Security Group has unveiled its Q2 2024 Email Threat Trends Report. The report highlights the ingenuity of cyber criminals in using AI to evade detection and maliciously scam individuals and enterprises. VIPRE processed 1.8 billion emails globally, detecting 226.45 million spam emails and 16.91 million malicious URLs to identify the email threat trends that impact enterprises the most. - Special Reports |
Threat Spam Studies | ★★★★ | |
 |
2024-07-31 10:00:00 | Les attaques de ransomwares sont-elles toujours une menace croissante en 2024? Are Ransomware Attacks Still a Growing Threat in 2024? (lien direct) |
The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article. Ransomware attacks continue to pose a growing threat to organizations as it has emerged as the number one threat, affecting 66% of organizations in 2023 and pulling over $1 billion from the victims. These attacks have increased in frequency and sophistication, resulting in significant financial loss, operation disruption, theft of sensitive data, and reduced productivity rates. Also, it damages the organization\'s reputation and results in the loss of customer trust and compliance violations. An organization needs a comprehensive protection strategy to reduce the frequency of these attacks and the risks they pose. Ransomware Business Model: How These Attacks Are Evolving? In the past, ransomware attacks mainly relied on phishing emails, remote desktop protocol exploits, and vulnerable ports to increase their chances of success. Additionally, these attacks employ evasion techniques to bypass traditional security measures like firewalls or antivirus software. These methods have resulted in famous attacks like WannaCry, TeslaCrypt, and NotPetya. With time, ransomware attackers have evolved and have become more sophisticated, targeted, and profitable for cybercriminals. Below is an insight into the latest trends that hackers adopt to launch a successful ransomware attack: Exploiting Zero-Day Vulnerabilities The shift in ransomware gangs and their sophisticated tactics and procedures (TTPs) raise the number of ransomware attacks. . Previously, REvil, Conti, and LockBit were the famous ransomware gangs, but now Clop, Cuban, and Play are gaining immense popularity by employing advanced hacking techniques like zero-day vulnerabilities. Sophos\'s State of Ransomware 2024 revealed exploited vulnerabilities as the root cause of ransomware attacks. The Clop ransomware gang has used the zero-day vulnerability in the MOVEit Transfer platform to steal the sensitive data of different organizations. This group also targeted the GoAnywhere zero-day vulnerability in January 2023, affecting 130 organizations, and exploited the Accellion FTA servers in 2020. Similarly, Cuban and Play used the same attacking technique to compromise the unpatched Microsoft Exchange servers. Double and Triple Extortion Another reason for the rise in ransomware attacks is the introduction of the double or triple extortion technique. Cybersecurity firm Venafi reported that 83% of ransomware attacks included multiple ransom demands in 2022. Cybercriminals encrypt the data, exfiltrate sensitive information, and threaten to release it or sell it on the dark web if the ransom is not paid in a double extortion scheme. This tactic prove | Threat Ransomware Malware Studies Tool Technical Prediction Vulnerability Medical Legislation | NotPetya Wannacry Deloitte | ★★★ |
|
2024-07-30 21:34:07 | Rapport d'analyse technique des ransomwares Azzasec AzzaSec Ransomware Technical Analysis Report (lien direct) |
#### Géolocations ciblées - Israël - Ukraine ## Instantané Des chercheurs de ThreatMon ont publié un rapport sur Azzaseec Ransomware, A Ransomware As a Service (RAAS), développé par le groupe Azzasec Hacktivist. ## Description Utilisé par le groupe lui-même et vendu à d'autres acteurs de menace en tant que RAAS, les ransomwares azzasec ont été livrés via une attachement de phishing et via des serveurs Windows distants infectés.Une fois qu'Azzasec infecte un système cible, il peut chiffrer 120 formats de fichiers différents et supprime des points de restauration pour empêcher les victimes de pouvoir restaurer leur système à une date de pré-infection. ThreatMon évalue que le groupe Azzasec Hactivist a été fondé en février 2024 et a des motivations financières.Les analystes suggèrent que le groupe est basé en Italie, mais aligné avec la Russie, et collabore avec le groupe de menaces russes APT44.Le groupe et ses ransomwares sont une menace pour l'Ukraine, Israël et leurs alliés. ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace.Vérifiez la carte de recommandations pour l'état de déploiement des atténuations surveillées. - durcir les actifs orientés Internet et identifier et sécuriser les systèmes de périmètre que les attaquants pourraient utiliser pour accéder au réseau.Interfaces de numérisation publique, telles que [Microsoft Defender External Attack Surface Management] (https://www.microsoft.com/security/business/cloud-security/microsoft-defender-extern-attack-surface-management?ocid=Magicti_TA_ABBReviatedMkTgpage),,,,,,peut être utilisé pour augmenter les données.Le tableau de bord du résumé de la surface d'attaque fait face à des actifs, tels que les serveurs d'échange, qui nécessitent des mises à jour de sécurité et fournissent des étapes de remédiation recommandées. - Allumez [Protection en livraison du cloud] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-lock-at-first-sight-microsoft-defender-asvirus?ocid=magicti_ta_learndoc)Dans Microsoft Defender Antivirus ou l'équivalent pour que votre produit antivirus couvre des outils et techniques d'attaquant en évolution rapide.Les protections d'apprentissage automatique basées sur le cloud bloquent une majorité de variantes nouvelles et inconnues. - Exécuter [Détection et réponse de point de terminaison (EDR) en mode bloc] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-lock-mode?ocid=Magicti_ta_learndoc) pour ce défenseurPour le point final, peut bloquer les artefacts malveillants, même lorsque votre antivirus non microsoft ne détecte pas la menace ou lorsque Microsoft Defender Antivirus fonctionne en mode passif.EDR en mode bloc fonctionne dans les coulisses pour corriger les artefacts malveillants détectés après la lutte. - Allumez [Protection Tamper] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?ocid=Magicti_TA_LearnDoc).Empêcher les attaquants d'empêcher les services de sécurité. - Activer [Investigation and Remediation] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?ocid=Magicti_TA_Learndoc) en mode entièrement automatisé pour permettre au Defender pour le point de terminaison de prendre des mesures immédiates sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate surAlertes pour résoudre les violations, réduisant considérablement le volume d'alerte. - Lire Microsoft \'s [Présentation des menaces de ransomware] (https: // secUrity.microsoft.com/Thereatanalytics3/05658B6C-DC62-496D-AD3C-C6A795A33C27/analyStre | Threat Ransomware Tool Technical | ★★ | |
|
2024-07-30 20:42:59 | Les pirates criminels ajoutent des références Genai aux marchés souterrains Criminal Hackers Add GenAI Credentials to Underground Markets (lien direct) |
Selon l'étude, environ 400 titres d'identification Genai volés sont vendus par des acteurs de la menace par jour.
According to the study, around 400 stolen GenAI credentials are being sold by threat actors per day. |
Threat Studies | ★★★ | |
|
2024-07-30 20:07:08 | Les gangs de ransomware exploitent le bug Esxi pour le cryptage de masse instantané des machines virtuelles Ransomware Gangs Exploit ESXi Bug for Instant, Mass Encryption of VMs (lien direct) |
Avec des privilèges suffisants dans Active Directory, les attaquants n'ont qu'à créer un groupe "ESX Admins" dans le domaine ciblé et à y ajouter un utilisateur.
With sufficient privileges in Active Directory, attackers only have to create an "ESX Admins" group in the targeted domain and add a user to it. |
Threat Ransomware | ★★★ | |
 |
2024-07-30 19:04:29 | Exiger acquiert Adolus pour stimuler la visibilité de la chaîne d'approvisionnement des logiciels dans un environnement de cyber-menace accru Exiger acquires aDolus to boost software supply chain visibility in increased cyber threat environment (lien direct) |
Chaîne d'approvisionnement et risque tiers, AI Company Exiger a annoncé mardi l'acquisition du risque de chaîne d'approvisionnement en logiciels ...
Supply chain and third-party risk AI company Exiger announced on Tuesday the acquisition of software supply chain risk... |
Threat | ★★★ | |
|
2024-07-30 18:39:52 | Des pirates qui attaquent les utilisateurs à la recherche de formulaire W2 Hackers Attacking Users Searching For W2 Form (lien direct) |
## Instantané Une campagne malveillante a été découverte le 21 juin 2024, qui cible les utilisateurs à la recherche de formulaires W2.Ce fichier a exécuté un programme d'installation MSI, laissant tomber une DLL Brute Ratel Badger dans l'AppData de l'utilisateur \\.Le framework Brute Ratel a ensuite téléchargé et inséré la porte dérobée Latrodectus, offrant aux acteurs de la menace une télécommande, des capacités de vol de données et la possibilité de déployer des charges utiles supplémentaires. ## Description L'attaquant a exploité les résultats de recherche de Bing pour rediriger les utilisateurs de la dameropia de domaine lookalike \ [. \] Com vers un faux site Web IRS hébergé sur grupotefex \ [. \] Com, en lançant un défi CAPTCHA qui a entraîné le téléchargement d'un fichier javascript malveillant hébergé sur leUn seau de stockage Google Firebase.Ce fichier a utilisé des techniques d'obscurcissement du code et un certificat d'authentification valide pour cacher sa nature malveillante et initier l'installation de packages MSI à partir d'URL spécifiés, ciblant potentiellement des systèmes avec des charges utiles malveillantes identiques.Cet événement est Similair à un événement du 25 juin 2024 impliquant "neuro.msi", observé par [Rapid7] (https://www.rapid7.com/blog/post/2024/07/24/malware-campaign-lures-Usgers-with-Fake-w2-forme /).Le programme d'installation MSI installe un fichier DLL nommé capisp.dll dans le dossier appdata / roaming de l'utilisateur et l'exécute à l'aide de rundll32.exe avec une exportation nommée «REMI».Le fichier capisp.dll initie une infection de logiciels malveillants en plusieurs étapes.Il contient des données cryptées qui, lorsqu'elles sont déchiffrées, révèlent un chargeur pour le [Brute Ratel Badger(BRC4)] (https://security.microsoft.com/intel-profiles/a09b8112881d2dead66c1b277c92ac586d9791e60b3b284ef303439a18d91786).Cette charge utilese connecte à plusieurs domaines de commande et de contrôle (C2) pour télécharger et injecter le malware Latrodectus dans explorateur.exe, qui communique ensuite avec plusieurs URL C2 supplémentaires. ## Analyse Microsoft Chaque année, la saison fiscale est une opportunité pour les acteurs de la menace de voler des informations sur des cibles.Cet événement montre que les acteurs de la menace continuent de tirer parti des attaques fiscales en dehors de la saison fiscale traditionnelle.Les acteurs de la menace utilisent des techniques comme la malvertisation et plusieurs types de tactiques de phishing.Les campagnes de phishing peuvent inclure des sites Web d'usurpation, des domaines d'homoglyphes et la personnalisation des liens pour faire appel aux utilisateurs.Plus tôt cette année, Microsoft a rendu compte des campagnes liées à la saison fiscale qui ont mis à profit ces techniques d'ingénierie sociale, pour inclure des leurres liés aux paiements comme les fausses notifications fiscales W-2 et W-9 et des fonctionnalités comme les captchas.Captchas peut rendre les attaques plus légitimes pour ses victimes en plus d'être utilisées pour déclencher la prochaine étape d'une attaque.Ces attaques peuvent entraîner le vol des diplômes liés financiers, le vol d'identité et la perte monétaire.Dans certains cas, l'attaque pourrait être utilisée pour prendre pied dans un environnement compromis pour les futures opportunités de ransomware. En savoir plus à ce sujet et les moyens de défendre contre les menaces centrées sur l'impôt [ici] (https://security.microsoft.com/intel-explorer/articles/5cfe2fe9). ## Détections / requêtes de chasse Microsoft Defender Antivirus détecte les composants de la menace comme le malware suivant: [Backdoor: win64 / bruteratel] (https://www.microsoft.com/en-us/wdsi/Threats/Malware-encyClopedia-dercription?name=backDoor:win64/bruteratel.a) [Trojan: Win64 / Bruteratel] (https: //www.microsoft.com/en-us/wdsi/therets/malware-encyclopedia-decription?name=trojan:win64/bruteratel.a) [Trojan: win64 / la | Threat Ransomware Malware | ★★★ | |
|
2024-07-30 18:19:19 | AppDome a annoncé son nouveau centre de résolution des menaces Appdome announced its new Threat Resolution Center (lien direct) |
AppDome dévoile la résolution des menaces mobiles alimentées par Genai
Le nouveau centre de résolution des menaces révolutionne le support du cyber, réduisant considérablement le temps de résolution et remettant les utilisateurs à utiliser les applications mobiles qu'ils aiment.
-
revues de produits
Appdome Unveils GenAI-Powered Mobile Threat Resolution New Threat Resolution Center revolutionizes cyber support, dramatically lowering resolution time and getting users back to using the mobile apps they love. - Product Reviews |
Threat Mobile | ★★★ | |
|
2024-07-30 18:15:04 | Les entreprises financières sont invitées à adopter une approche proactive de la résilience de la cybersécurité alors que le paysage des menaces continue d'évoluer Financial firms are urged to adopt a proactive approach to cybersecurity resilience as the threat landscape continues to evolve (lien direct) |
Les sociétés financières sont invitées à adopter une approche proactive de la résilience de la cybersécurité alors que le paysage des menaces continue d'évoluer
-
opinion
Financial firms are urged to adopt a proactive approach to cybersecurity resilience as the threat landscape continues to evolve - Opinion |
Threat | ★★★ | |
 |
2024-07-30 17:47:32 | Les organisations se préparent à des cyberattaques plus évoluées basées sur l'IA à mesure que Deepfakes deviennent les principales préoccupations Organizations Prepare for More Evolved AI-Based Cyber Attacks as Deepfakes Become Top Concern (lien direct) |
Threat | ★★★ | ||
|
2024-07-30 17:42:47 | (Déjà vu) SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea (lien direct) | #### Targeted Geolocations - Pakistan - Egypt - Sri Lanka - Bangladesh - Myanmar - Nepal - Maldives #### Targeted Industries - Transportation Systems - Maritime Transportation ## Snapshot The BlackBerry Threat Research and Intelligence team has uncovered a new campaign by the nation-state threat actor SideWinder, also known as Razor Tiger and Rattlesnake, which has upgraded its infrastructure and techniques since mid-2023. ## Description The campaign targets ports and maritime facilities in the Indian Ocean and Mediterranean Sea, with specific focus on Pakistan, Egypt, and Sri Lanka initially, and expanding to Bangladesh, Myanmar, Nepal, and the Maldives. SideWinder employs spear-phishing emails using familiar logos and themes to lure victims into opening malicious documents, which exploit vulnerabilities in Microsoft Office to gain access to systems. The group\'s objective is believed to be espionage and intelligence gathering, consistent with its past campaigns targeting military, government, and business entities in South Asia. The malicious documents use visual bait, such as fake port authority letters, to provoke fear and urgency, leading victims to download malware. The documents exploit a known vulnerability ([CVE-2017-0199](https://security.microsoft.com/intel-explorer/cves/CVE-2017-0199/)) in Microsoft Office, relying on outdated or unpatched systems to deliver their payload. Once opened, the documents download additional malicious files that execute shellcode to ensure the system is not a virtual environment, before proceeding with further stages of the attack. The campaign\'s infrastructure includes the use of Tor nodes to mask network traffic and protective DNS data to evade detection. ## Detections/Hunting Queries ### Microsoft Defender Antivirus Microsoft Defender Antivirus detects threat components as the following malware: - [Exploit:O97M/CVE-2017-0199](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:O97M/CVE-2017-0199!MSR) - [Trojan:Win32/Casdet](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Casdet!rfn) ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. - Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. - Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. - Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. - [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access. - Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint. - Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint. - Follow the credential hardening recom | Threat Ransomware Malware Tool Vulnerability | APT-C-17 | ★★★ |
|
2024-07-30 17:03:19 | Un rapport de recherche sur le Web sombre de Transmit Security révèle comment les acteurs de la menace utilisent Genai pour alimenter les attaques d'identité et la fraude A Dark Web Research Report by Transmit Security Reveals How Threat Actors Are Using GenAI to Fuel Identity Attacks and Fraud (lien direct) |
Un rapport de recherche sur le Web sombre par Transmit Security révèle comment les acteurs de la menace utilisent Genai pour alimenter les attaques d'identité et la fraude
-
rapports spéciaux
A Dark Web Research Report by Transmit Security Reveals How Threat Actors Are Using GenAI to Fuel Identity Attacks and Fraud - Special Reports |
Threat | ★★★ | |
|
2024-07-30 16:56:00 | La puissance et le péril des outils RMM The Power and Peril of RMM Tools (lien direct) |
Alors que de plus en plus de personnes travaillent à distance, les services informatiques doivent gérer les appareils distribués sur différentes villes et pays qui s'appuient sur les VPN et les outils de surveillance et de gestion à distance (RMM) pour l'administration du système. & NBSP;
Cependant, comme toute nouvelle technologie, les outils RMM peuvent également être utilisés avec malveillance.Les acteurs de menace peuvent établir des connexions à un appareil de victime et exécuter des commandes, exfilter les données et rester
As more people work remotely, IT departments must manage devices distributed over different cities and countries relying on VPNs and remote monitoring and management (RMM) tools for system administration. However, like any new technology, RMM tools can also be used maliciously. Threat actors can establish connections to a victim\'s device and run commands, exfiltrate data, and stay |
Threat Tool | ★★★ | |
|
2024-07-30 16:20:00 | Intelligence cyber-menace: illuminant le sous-sol en cybercriminal profond et sombre Cyber Threat Intelligence: Illuminating the Deep, Dark Cybercriminal Underground (lien direct) |
Découvrez les menaces critiques qui peuvent avoir un impact sur votre organisation et les mauvais acteurs derrière eux des experts des menaces de Cybersixgill.Chaque histoire met en lumière les activités souterraines, les acteurs de la menace impliqués et pourquoi vous devriez vous soucier, ainsi que ce que vous pouvez faire pour atténuer les risques. & NBSP;
La toile profonde et sombre, autrement connue sous le nom de sous-sol cybercriminal, est l'endroit où les acteurs malveillants se réunissent
Learn about critical threats that can impact your organization and the bad actors behind them from Cybersixgill\'s threat experts. Each story shines a light on underground activities, the threat actors involved, and why you should care, along with what you can do to mitigate risk. The deep and dark web, otherwise known as the cybercriminal underground, is where malicious actors gather to |
Threat | ★★★ | |
|
2024-07-30 13:02:00 | Nouvelles cyberattaques Sidewinder ciblent les installations maritimes dans plusieurs pays New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries (lien direct) |
L'acteur de menace nationale connue sous le nom de Sidewinder a été attribué à une nouvelle campagne de cyber-espionnage ciblant les ports et les installations maritimes dans l'océan Indien et la mer Méditerranée.
L'équipe Blackberry Research and Intelligence, qui a découvert l'activité, a déclaré que les cibles de la campagne de phisces de lance comprennent des pays comme le Pakistan, l'Égypte, le Sri Lanka, le Bangladesh, le Myanmar, le Népal et le
The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea. The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the |
Threat | APT-C-17 | |
 |
2024-07-30 13:00:00 | Tirer parti de la détection de Zimperium \\ pour lutter contre les chevaux de Troie à distance d'Oilalpha \\ Leveraging Zimperium\\'s Zero-Day Detection to Combat OilAlpha\\'s Remote Access Trojans (lien direct) |
> Les incidents récents impliquant le groupe pro-houthis Oilalpha, qui ciblait les organisations humanitaires au Yémen, soulignent le besoin critique d'une protection efficace contre les rats.
> The recent incidents involving the pro-Houthi group OilAlpha, which targeted humanitarian organizations in Yemen, underscore the critical need for effective protection against RATs. |
Threat Vulnerability | ★★★ | |
 |
2024-07-30 07:10:09 | Le rôle critique du temps de réponse dans la cybersécurité The Critical Role of Response Time in Cybersecurity (lien direct) |
Dans le paysage numérique d'aujourd'hui, les cybercriminels constituent une menace perpétuelle pour les organisations.On nous rappelle à plusieurs reprises les conséquences de mesures de cybersécurité inadéquates.Dans une violation de cybersécurité, le temps de réponse est essentiel pour atténuer les dommages.La plupart des cyberattaques sont comme des incendies de forêt.Sans l'intervention des pompiers et le soutien aérien, l'incendie continue de se propager, causant plus de dégâts par [...]
In today’s digital landscape, cybercriminals pose a perpetual threat to organisations. We are repeatedly reminded of the consequences of inadequate cybersecurity measures. In a cybersecurity breach, response time is critical to mitigating damage. Most cyber-attacks are like wildfires. Without the intervention of firefighters and aerial support, the fire continues to spread, causing more damage by [...] |
Threat | ||
|
2024-07-30 01:18:05 | Cyberattaques UAC-0102 visant à voler les données d'authentification des comptes d'utilisateurs UKR.NET UAC-0102 cyberattacks aimed at stealing authentication data of UKR.NET user accounts (lien direct) |
#### Géolocations ciblées - Ukraine #### Industries ciblées - agences et services gouvernementaux ## Instantané Le groupe UAC-0102 a ciblé les utilisateurs de l'UKR.NET avec des e-mails de phishing contenant des pièces jointes malveillantes conçues pour voler des informations d'authentification, selon les rapports de l'équipe d'intervention d'urgence informatique d'Ukraine (CERT-UA). ## Description En juillet 2024, le groupe UAC-0102 a effectué des cyberattaques impliquant des e-mails de phishing avec des pièces jointes qui contiennent des fichiers HTML, comme indiqué par CERT-UA.Lorsqu'ils sont ouverts, ces fichiers redirigent les utilisateurs vers une fausse page de connexion UKR.NET, capturant les informations d'authentification Targets \\ '.Les attaquants exploitent le manque d'outils de protection par e-mail pour cibler les employés des agences gouvernementales ukrainiennes, des militaires et d'autres organisations, en utilisant ces informations d'identification pour un accès non autorisé.Les documents téléchargés servent d'appât pour compromettre davantage l'ordinateur de la victime. ## Recommandations Microsoft recommande la mise en œuvre d'authentification multifactrice (MFA) pour réduire l'impact de cette menace et atténuer le vol d'identification des attaques de phishing.Le MFA peut être complété par les solutions et les meilleures pratiques suivantes pour protéger les organisations: - Activer [Accès conditionnel] (https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview?ocid=Magicti_TA_LearnDoc).Les polices d'accès conditionnelles sont évaluées et appliquées chaque fois qu'un attaquant tente d'utiliser un cookie de session volé.Les organisations peuvent se protéger contre les attaques qui exploitent les informations d'identification volées en activant des politiques concernant les appareils conformes ou les exigences d'adresse IP de confiance. - Configurer [Évaluation d'accès continu] (https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation?ocid=Magicti_ta_learndoc) dans votre locataire. - Investissez dans des solutions anti-phishing avancées qui surveilleront les e-mails entrants et les sites Web visités.[Microsoft Defender pour Office365] (https://learn.microsoft.com/en-us/defender-xdr/microsoft-365-security-center-mdo?ocid=Magicti_TA_Learndoc) rassemble une gestion d'incident et d'alerte à travers le courrier électronique, les appareils, les appareilset identités, centraliser les enquêtes pour les menaces par courrier électronique.Les organisations peuvent également tirer parti des navigateurs Web qui identifient et bloquent automatiquement les sites Web malveillants, y compris ceux utilisés dans cette campagne de phishing.Pour renforcer la résilience contre les attaques de phishing en général, les organisations peuvent utiliser [les politiques anti-phishing] (https://learn.microsoft.com/en-us/defenderofice-365/anti-phishing-polices-about?view=o365-WorldWide) pour activer les paramètres d'intelligence de la boîte aux lettres, ainsi que la configuration des paramètres de protection d'identification pour des messages spécifiques et des domaines d'expéditeur.Activer [SafeLinks] (https://learn.microsoft.com/en-us/defenderofice-365/safe-links-about?view=o365-worldwide) garantit une protection en temps réel en scannant au moment de la livraison et à la livraisonheure du clic. - Surveillez les activités suspectes ou anormales et recherchez des tentatives de connexion avec des caractéristiques suspectes (par exemple l'emplacement, le fournisseur de services Internet \ [ISP \], l'agent utilisateur et l'utilisation des services d'anonymissage).L'activité peut être identifiée et étudiée avec [Microsoft Defender for Identity] (https://learn.microsoft.com/en-us/defender-xdr/microsoft-365-security-center-mdi?ocid=Magicti_ta_learndoc), qui contribue à l'identité-Les informations ont concentré les incidents et les al | Threat Tool | ||
 |
2024-07-30 00:24:10 | Hacker Stracches et publie la liste IOC de 100 000 lignes Hacker Scrapes and Publishes 100,000-Line CrowdStrike IoC List (lien direct) |
USDOD Hacker éraflue et fuit un indicateur de 100 000 lignes de la liste des compromis (CIO) de CrowdStrike, révélant une intelligence détaillée des menaces & # 8230;
USDoD hacker scrapes and leaks a 100,000-line Indicator of Compromise (IoC) list from CrowdStrike, revealing detailed threat intelligence… |
Threat | ||
|
2024-07-29 22:17:20 | Mandrake spyware sneaks onto Google Play again, flying under the radar for two years (lien direct) | ## Instantané
Les analystes de Kaspersky ont constaté que le logiciel spymétrique Android Mandrake, précédemment analysé par Bitdefender en mai 2020, a refait surface en avril 2024 sur Google Play avec de nouvelles techniques d'évasion et des couches d'obfuscation.
## Description
Le logiciel espion a été distribué via plusieurs applications, accumulant plus de 32 000 téléchargements et présentait une évasion avancée de bac à sable, des méthodes anti-analyse et un épinglage de certificat pour les communications C2.La fonctionnalité malveillante de base a été cachée dans les bibliothèques indigènes obscurcis, et les acteurs de la menace ont ajouté [détection Frida] (https://www.appdome.com/how-to/mobile-malware-prevention/binary-instrumentation-dection/detecting-frida-And-Frida-Methods-in-android-ios-apps /) pour empêcher l'analyse, vérifie les appareils enracinés et les outils d'analyste.Les communications C2 ont été maintenues via la partie native des applications, en utilisant des certificats cryptés, avec des domaines C2 enregistrés en Russie.Les applications malveillantes étaient disponibles dans divers pays, avec la plupart des téléchargements du Canada, de l'Allemagne, de l'Italie, du Mexique, de l'Espagne, du Pérou et du Royaume-Uni.
## Recommandations
Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace.
- Installez uniquement les applications à partir de sources de confiance et de magasins officiels, comme le Google Play Store et Apple App Store.
- Ne jamais cliquer sur les liens inconnus reçus via des annonces, des messages SMS, des e-mails ou des sources non fiables similaires.
- Utilisez des solutions mobiles telles que [Microsoft Defender pour Endpoint] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide) sur Androidtodétecter les applications malveillantes
- Gardez toujours les applications inconnues inconnues sur le périphérique Android pour empêcher les applications d'être installées à partir de sources inconnues.
- Évitez d'accorder des autorisations SMS, un accès à l'auditeur de notification ou un accès à l'accessibilité à toute application sans comprendre pourquoi la demande en a besoin.Ce sont des autorisations puissantes qui ne sont pas généralement nécessaires.
- Si un appareil ne reçoit plus de mises à jour, envisagez fortement de le remplacer par un nouvel appareil.
## Les références
[Mandrake Spyware se faufile à nouveau sur Google Play, volant sous le radar pendant deux ans] (https://securelist.com/mandrake-apps-return-to-google-play/113147/).Kapersky (consulté en 2024-07-29)
## Droits d'auteur
**&copie;Microsoft 2024 **.Tous droits réservés.La reproduction ou la distribution du contenu de ce site, ou de toute partie de celle-ci, sans l'autorisation écrite de Microsoft est interdite.
## Snapshot Kaspersky analysts found that the Mandrake Android spyware, previously analyzed by Bitdefender in May 2020, resurfaced in April 2024 on Google Play with new evasion techniques and obfuscation layers. ## Description The spyware was distributed through multiple applications, accumulating over 32,000 downloads, and exhibited advanced sandbox evasion, anti-analysis methods, and certificate pinning for C2 communications. The core malicious functionality was concealed within obfuscated native libraries, and the threat actors added [Frida detection](https://www.appdome.com/how-to/mobile-malware-prevention/binary-instrumentation-detection/detecting-frida-and-frida-methods-in-android-ios-apps/) to prevent analysis, checks for rooted devices, and analyst tools. C2 communications were maintained via the native part of the applications, using encrypted certificates, with C2 domains registered in Russia. The malicious applications were available in various countries, with most downloads from Canada, Germany, Italy, Mexico, Spain, Peru, and the Un |
Threat Tool Mobile | ||
|
2024-07-29 20:46:51 | PatchNow: ServiceNow Critical RCE Bugs sous Exploit actif PatchNow: ServiceNow Critical RCE Bugs Under Active Exploit (lien direct) |
Un acteur de menace prétend avoir déjà rassemblé des adresses e-mail et associé des hachages à partir de plus de 110 bases de données de gestion informatique à distance.
One threat actor claims to have already gathered email addresses and associated hashes from more than 110 remote IT management databases. |
Threat | ||
|
2024-07-29 20:27:03 | Fake CrowdStrike fixes target companies with malware, data wipers (lien direct) | ## Snapshot
CrowdStrike\'s recent update glitch has been exploited by threat actors who use phishing emails to deliver data wipers and remote access tools. A campaign targeting BBVA bank customers distributed the Remcos RAT under the guise of a CrowdStrike Hotfix, while the pro-Iranian hacktivist group Handala used similar tactics against Israeli companies. These attacks, stemming from a logic error in a channel file update, have significantly impacted millions of Windows systems across various sectors.
## Description
AnyRun has identified the exploitation of CrowdStrike\'s update issue by threat actors, including phishing emails and malware campaigns targeting organizations with data wipers and remote access tools. Phishing emails have been observed attempting to take advantage of the disruption, with a malware campaign targeting BBVA bank customers offering a fake CrowdStrike Hotfix update that installs the Remcos RAT. The pro-Iranian hacktivist group Handala has also leveraged the situation by sending phishing emails that impersonate CrowdStrike to Israeli companies to distribute the data wiper. Additionally, attackers are distributing a data wiper under the pretense of delivering an update from CrowdStrike, decimating systems by overwriting files with zero bytes and reporting it over Telegram.
The defect in CrowdStrike\'s software update had a massive impact on Windows systems at numerous organizations, making it too good an opportunity for cybercriminals to pass. The cause of the outage was identified as a channel file update to Windows hosts triggering a logic error, leading to a crash. The impact on Windows systems at numerous organizations was significant, with millions of devices affected and disruptions across various sectors.
## Detections/Hunting Queries
Microsoft Defender Antivirus detects threat components as the following malware:
- [Backdoor:JS/Remcos](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/Remcos)
- [Trojan:Win32/Remcos](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Remcos)
- [PWS:Win32/Remcos](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=PWS:Win32/Remcos)
- [Backdoor:MSIL/Remcos](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:MSIL/Remcos)
- [Backdoor:Win32/Remcos](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Remcos)
- [TrojanDownloader:AutoIt/Remcos](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:AutoIt/Remcos)
- [Trojan:Win32/HijackLoader](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/HijackLoader.AHJ!MTB&threatId=-2147058662)
## References
[Fake CrowdStrike fixes target companies with malware, data wipers.](https://www.bleepingcomputer.com/news/security/fake-crowdstrike-fixes-target-companies-with-malware-data-wipers/) Bleeping Computer (accessed 2024-07-22)
[Find Threats Exploiting CrowdStrike Outage with TI Lookup.](https://any.run/cybersecurity-blog/crowdstrike-outage-abuse/?utm_source=twitter&utm_medium=post&utm_campaign=outageabuse&utm_content=blog&utm_term=230724) Any Run (accessed 2024-07-24)
[HijackLoader Updates](https://security.microsoft.com/intel-explorer/articles/8c997d7c). Microsoft (accessed 2024-07-23)
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
## Snapshot CrowdStrike\'s recent update glitch has been exploited by threat actors who use phishing emails to deliver data wipers and remote access tools. A campaign targeting BBVA bank customers distributed the Remcos RAT under the guise of a CrowdStrike Hotfix, while the pro-Iranian hacktivist group Handala used |
Threat Malware Tool | ||
|
2024-07-29 20:15:06 | SeleniumGreed: Threat actors exploit exposed Selenium Grid services for Cryptomining (lien direct) | ## Snapshot
Wiz researchers identified a threat campaign, referred to as "SeleniumGreed," exploiting a misconfiguration in Selenium Grid, a widely used web app testing framework, to deploy a modified XMRig tool for mining Monero cryptocurrency.
## Description
The attackers leverage the lack of default authentication in Selenium Grid to access app-testing instances, download files, and execute commands. By manipulating the Selenium WebDriver API, threat actors establish a reverse shell, drop a custom XMRig miner, and use compromised Selenium node workloads as intermediate command and control servers (C2) for subsequent infections and mining pool proxies. The campaign targets older versions of Selenium but is also possible on more recent versions, potentially evading detection by targeting less maintained and monitored instances.
## Additional Analysis
[XMRig miner](https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/xmrig-malware/) is a popular open-source software designed for mining cryptocurrencies, particularly Monero (XMR). Developed in C++, XMRig is efficient and versatile, supporting various algorithms, mining pools, and running on multiple platforms like Windows, Linux, and macOS. However, it has been widely misused by cybercriminals who deploy it through malware to hijack the computing resources of unsuspecting victims, a practice known as cryptojacking. This unauthorized use of systems significantly degrades performance, increases energy consumption, and can cause hardware damage over time. Due to its frequent abuse in malicious campaigns, XMRig miner has become a focal point in discussions about cybersecurity threats related to resource hijacking and cryptomining.
## References
[SeleniumGreed: Threat actors exploit exposed Selenium Grid services for Cryptomining](https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps). Wiz (accessed 2024-07-29)
[XMRig Malware](https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/xmrig-malware/). Check Point (accessed 2024-07-29)
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
## Snapshot Wiz researchers identified a threat campaign, referred to as "SeleniumGreed," exploiting a misconfiguration in Selenium Grid, a widely used web app testing framework, to deploy a modified XMRig tool for mining Monero cryptocurrency. ## Description The attackers leverage the lack of default authentication in Selenium Grid to access app-testing instances, download files, and execute commands. By manipulating the Selenium WebDriver API, threat actors establish a reverse shell, drop a custom XMRig miner, and use compromised Selenium node workloads as intermediate command and control servers (C2) for subsequent infections and mining pool proxies. The campaign targets older versions of Selenium but is also possible on more recent versions, potentially evading detection by targeting less maintained and monitored instances. ## Additional Analysis [XMRig miner](https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/xmrig-malware/) is a popular open-source software designed for mining cryptocurrencies, particularly Monero (XMR). Developed in C++, XMRig is efficient and versatile, supporting various algorithms, mining pools, and running on multiple platforms like Windows, Linux, and macOS. However, it has been widely misused by cybercriminals who deploy it through malware to hijack the computing resources of unsuspecting victims, a practice known as cryptojacking. This unauthorized use of systems significantly degrades performance, increases energy consumption, and can cause hardware damage over time. Due to its frequent abuse in malicious campaigns, XMRig miner has become a focal point in discussions about cybersecurity threats related to resource hijacking and cryp |
Threat Malware Tool | ||
|
2024-07-29 20:07:18 | Lumma Stealer Packed with CypherIt Distributed Using Falcon Sensor Update Phishing Lure (lien direct) | ## Snapshot CrowdStrike Intelligence identified a phishing domain which impersonates CrowdStrike and delivers malicious ZIP and RAR files that ultimately executes Lumma Stealer packed with CypherIt. Read more about [Lumma Stealer here.](https://security.microsoft.com/intel-profiles/33933578825488511c30b0728dd3c4f8b5ca20e41c285a56f796eb39f57531ad) ## Description The campaign is likely linked to a June 2024 Lumma Stealer distribution campaign in which a threat actor leveraged advanced social-engineering techniques, such as using spam floods and voice phishing (vishing), to deliver malicious binaries. The MSI loader displays a decoy installation and upon execution, it extracts and executes a self-extracting RAR (SFX) file, plenrco.exe, with the command line plenrco.exe -pqwerty2023 -s1. This extracts another RAR SFX archive file stored in the PE overlay plenrco.exe. The RAR archive contains a Nullsoft Scriptable Install System (NSIS) installer with the filename SymposiumTaiwan.exe. The NSIS installer contains fragments of a legitimate AutoIt executable and a compiled AutoIt script. The NSIS also contains a batch script loader named Open.cmd, which includes useless code to hide the actual functionality. The final payload is RC4-encrypted and LZNT1-compressed, resulting in a Lumma Stealer sample. The decompiled AutoIt script is a CypherIt loader that is heavily obfuscated to hinder static analysis. The loader implements string obfuscation and terminates if certain checks are met, such as specific hostnames or antivirus processes running. The AutoIt loader contains two shellcodes for 32-bit and 64-bit systems that implement the RC4 algorithm to decrypt the final payload, which is also hardcoded within the AutoIt loader. The final payload is a Lumma Stealer executable that contacts the command-and-control (C2) server included in IOCs at the time of analysis. Additionally, the same C2 domain identified in this activity was observed in a recent widespread opportunistic spam flood and voice phishing (vishing) campaign in June 2024. Based on the shared infrastructure between the campaigns and apparent targeting of corporate networks, CrowdStrike Intelligence assesses with moderate confidence that the activity is likely attributable to the same unnamed threat actor. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations. - Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants. - Enable [network protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide?ocid=magicti_ta_learndoc). - Run endpoint detection and response [(EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. - Configure [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. - Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block- | Threat Spam Tool | ||
|
2024-07-29 18:49:00 | ProofPoint Email Routing Flaw exploité pour envoyer des millions d'e-mails de phishing usurpés Proofpoint Email Routing Flaw Exploited to Send Millions of Spoofed Phishing Emails (lien direct) |
Un acteur de menace inconnue a été lié à une campagne d'arnaque massive qui a exploité une mauvaise configuration de la routage des e-mails dans les défenses du fournisseur de sécurité par courrier électronique \\ pour envoyer des millions de messages usurpant diverses entreprises légitimes.
"Ces e-mails ont fait écho à partir des relais de messagerie de point de preuve officiel avec des signatures SPF et DKIM authentifiées, contournant ainsi les principales protections de sécurité - tout cela à tromper
An unknown threat actor has been linked to a massive scam campaign that exploited an email routing misconfiguration in email security vendor Proofpoint\'s defenses to send millions of messages spoofing various legitimate companies. "These emails echoed from official Proofpoint email relays with authenticated SPF and DKIM signatures, thus bypassing major security protections - all to deceive |
Threat | ||
|
2024-07-29 18:01:57 | Malicious Inauthentic Falcon Crash Reporter Installer Distributed to German Entity via Spearphishing Website (lien direct) | #### Géolocations ciblées - Allemagne ## Instantané Crowdsstrike Intelligence a identifié une tentative de sportinging offrant un faux installateur de reporter crash cowdsstrike via un site Web imitant une entité allemande. ## Description Le site a été enregistré le 20 juillet 2024, peu de temps après un problème de mise à jour du capteur Falcon CrowdStrike, et a utilisé JavaScript déguisé en jQuery pour télécharger et désobfusquer le programme d'installation.Ce programme d'installation, marqué de contenu Crowdsstrike et localisé en allemand, a nécessité un mot de passe pour l'installation.La page de phishing liée à un fichier zip contenant un installateur innosetup malveillant et affiché la marque de Crowdstrike \\ semble légitime. Le JavaScript a masqué son code malveillant dans un véritable code jQuery pour échapper à la détection.Lorsque l'utilisateur a cliqué sur le bouton de téléchargement, le site a exécuté une fonction pour télécharger un fichier exécutable portable déguisé.Le programme d'installation, qui est apparu le 20 juillet 2024, avait un horodatage aligné avec la mise à jour du capteur, suggérant l'utilisation de l'horodatage pour éviter la détection. Le programme d'installation a incité les utilisateurs à saisir un mot de passe spécifique "serveur backend", probablement connu uniquement des cibles, indiquant une attaque très ciblée.Crowdstrike Intelligence a évalué avec une grande confiance que les attaquants se sont concentrés sur les clients germanophones touchés par le problème du capteur Falcon et ont utilisé des techniques avancées antiformes, notamment l'enregistrement des sous-domaines sous un registraire légitime et le contenu des installateurs. ## Analyse supplémentaire Les acteurs du cybermenace exploitent les événements actuels pour perpétrer une activité malveillante car ces situations créent souvent de la confusion et de l'urgence, rendant les individus et les organisations plus vulnérables à la tromperie.Ils capitalisent sur l'intérêt accru et l'attention entourant de tels événements pour augmenter la probabilité que leurs tentatives de phishing et d'autres attaques réussissent.En alignant leurs campagnes malveillantes avec des incidents ou des mises à jour bien connues, les acteurs de la menace peuvent plus facilement masquer leurs intentions et attirer les victimes pour compromettre involontairement leur sécurité. Cette campagne de phishing ciblant les clients germanophones est le dernier exemple de cyberattaques exploitant le chaos de la mise à jour de Falcon de Crowdsstrike.Les rapports antérieurs d'activité malveillante lors des pannes incluent [les essuie-glaces de données réparties par le groupe hacktiviste pro-iranien handala] (https://www.bleepingcomputer.com/news/security/fake-crowdstrike-fixes-target-companies-with-malware-data-wipers/), [HijackLoader dropping Remcos Remote Access Trojan](https://x.com/anyrun_app/status/1814567576858427410) disguised as a CrowdStrike hotfix, and information stealer[Daolpu] (https://www.crowdstrike.com/blog/fake-recovery-manUAL-UND-TO-DIVER-UNDENDIFIED SECELER /) Se propager par des e-mails de phishing se faisant passer pour un outil de récupération. ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace. - Allumez [Protection en livraison du cloud] (https://learn.microsoft.com/en-us/defender-endpoint/linux-preférences) dans Microsoft Defender Antivirus ou l'équivalent de votre produit antivirus pour couvrir rapidement les outils d'attaquant en évolution et et et les outils d'attaquant en évolution rapide ettechniques.Les protections d'apprentissage automatique basées sur le cloud bloquent la majorité des menaces nouvelles et inconnues. - Exécuter [EDR en mode bloc] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc)Le défenseur du point f | Threat Ransomware Malware Tool | ||
 |
2024-07-29 14:58:44 | 29 juillet & # 8211;Rapport de renseignement sur les menaces 29th July – Threat Intelligence Report (lien direct) |
> Pour les dernières découvertes en cyberLes meilleures attaques et violation de la Cour supérieure de Los Angeles ont été contraints de fermer son réseau à la suite d'une attaque de ransomware.La Cour, la plus grande des États-Unis, a clôturé tous ses 36 palais de justice [& # 8230;]
>For the latest discoveries in cyber research for the week of 29th July, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The Superior Court of Los Angeles was forced to shut down its network following a ransomware attack. The court, the largest in the United States, has closed all of its 36 courthouse […] |
Threat Ransomware | ||
 |
2024-07-29 14:16:16 | Agir: comment lutter contre les répercussions financières d'un cyber-incident Taking action: how to combat the financial repercussions of a cyber incident (lien direct) |
Paying hackers not to release the data they have stolen from you is not the best way to manage the financial repercussions of a cyber-attack. Nor is trying hide the attack from the authorities…. Even the most vigilant companies can\'t escape the possibility of having to handle a cyber threat - and the cost of […]
The post Taking action: how to combat the financial repercussions of a cyber incident first appeared on IT Security Guru.
Paying hackers not to release the data they have stolen from you is not the best way to manage the financial repercussions of a cyber-attack. Nor is trying hide the attack from the authorities…. Even the most vigilant companies can\'t escape the possibility of having to handle a cyber threat - and the cost of […] The post Taking action: how to combat the financial repercussions of a cyber incident first appeared on IT Security Guru. |
Threat | ||
 |
2024-07-29 14:00:00 | Unc4393 entre doucement dans la nuit silencieuse UNC4393 Goes Gently into the SILENTNIGHT (lien direct) |
Written by: Josh Murchie, Ashley Pearson, Joseph Pisano, Jake Nicastro, Joshua Shilko, Raymond Leong
Overview In mid-2022, Mandiant\'s Managed Defense detected multiple intrusions involving QAKBOT, leading to the deployment of BEACON coupled with other pre-ransomware indicators. This marked Mandiant\'s initial identification of UNC4393, the primary user of BASTA ransomware. Mandiant has responded to over 40 separate UNC4393 intrusions across 20 different industry verticals. While healthcare organizations have not traditionally been a focus for UNC4393, several breaches in the industry this year indicate a possible expansion of their interests. However, this represents only a fraction of the cluster\'s victims, with the Black Basta data leak site purporting over 500 victims since inception. Over the course of this blog post, Mandiant will detail the evolution of UNC4393\'s operational tactics and malware usage throughout its active lifespan, with a focus on the period following the QAKBOT botnet takedown. We will highlight the cluster\'s transition from readily available tools to custom malware development as well as its evolving reliance on access brokers and diversification of initial access techniques. 
Figure 1: UNC4393 intrusion lifecycle
Attribution and Targeting
UNC4393 is a financially motivated threat cluster, and the primary user of BASTA ransomware, tracked since mid-2022 but likely active since early 2022 based on activity on the BASTA DLS. The group has overwhelmingly leveraged initial access gained via UNC2633 and UNC2500 QAKBOT botnet infections to deploy BASTA ransomware. QAKBOT is typically distributed via phishing emails containing malicious links or attachments. In some cases, HTML smuggling has also been used to distribute ZIP files containing IMG files that house LNK files and QAKBOT payloads.
Mandiant suspects BASTA operators maintain a private or small, closed-invitation affiliate model whereby only trusted third-party actors are provided with use of the BASTA encryptor. Unlike traditional ransomware-as-a-service (RaaS), BASTA is not publicly marketed and its operators do not appear to actively recruit affiliates to deploy the ransomware. Instead, they focus on acquiring initial access via partnerships or purchases in underground communities. This deviates from traditional RaaS models, which focus on the ransomware development and related services such as the data leak site (DLS) that are provided to affiliates in exchange for directly distributing the ransomware. While UNC4393 is the only currently active threat cluster deploying BASTA that Mandiant tracks, we cannot rule out the possibility that other, vetted threat actors may also be given access to the encrypter.
The hundreds of BASTA ransomware victims claimed on the DLS appear credible due to UNC4393\'s rapid operational tempo. With a median time to ransom of approximately 42 hours, UNC4393 has demonstrated p |
Threat Ransomware Malware Cloud Tool Prediction Medical | ||
|
2024-07-29 12:35:00 | \\ 'Stargazer Goblin \\' crée 3 000 faux comptes GitHub pour la diffusion de logiciels malveillants \\'Stargazer Goblin\\' Creates 3,000 Fake GitHub Accounts for Malware Spread (lien direct) |
Un acteur de menace connu sous le nom de Stargazer Goblin a mis en place un réseau de comptes GitHub inauthentiques pour alimenter une distribution en tant que service (DAAS) qui propage une variété de logiciels malveillants qui volent l'information et leur rapportent 100 000 $ en bénéfices illicites au cours de la dernière année.
Le réseau, qui comprend plus de 3 000 comptes sur la plate-forme d'hébergement de code basé sur le cloud, couvre des milliers de référentiels utilisés
A threat actor known as Stargazer Goblin has set up a network of inauthentic GitHub accounts to fuel a Distribution-as-a-Service (DaaS) that propagates a variety of information-stealing malware and netting them $100,000 in illicit profits over the past year. The network, which comprises over 3,000 accounts on the cloud-based code hosting platform, spans thousands of repositories that are used to |
Threat Malware | ||
|
2024-07-29 12:20:53 | Pour contrer les menaces graves à la sécurité de l\'information, Apacer fournit des solutions pour la récupération des systèmes d\'entreprise et la sécurité des données (lien direct) | Avec le développement rapide des applications de l'IA dans divers domaines, les entreprises s'appuient de plus en plus sur les données. Les questions de sécurité de l'information, telles que les mesures pour s'assurer que les données ne sont pas perdues ou utilisées de manière inappropriée, sont devenues cruciales. Apacer comprend parfaitement à quel point les données des entreprises peuvent être irremplaçables. Grâce à l'amélioration continue de sa technologie exclusive de sauvegarde et de restauration au fil des ans, Apacer (8271) s'efforce de répondre aux nombreux besoins générés par diverses applications industrielles. - Produits | Threat | ||
|
2024-07-29 11:20:29 | Ce que chaque entreprise doit savoir sur les ransomwares What Every Business Needs to Know About Ransomware (lien direct) |
Les entreprises d'aujourd'hui comptent fortement sur la technologie pour rationaliser les opérations, améliorer la productivité et se connecter avec les clients.Cependant, cette dépendance a également ouvert la porte à une menace croissante: les attaques du ransomware.D'ici 2031, le coût des attaques de ransomwares devrait atteindre 265 milliards de dollars (USD) par an.La croissance rapide des attaques de ransomwares a fait de cette cyber-menace [...]
Today\'s businesses rely heavily on technology to streamline operations, enhance productivity, and connect with customers. However, this dependency has also opened the door to a growing threat: ransomware attacks. By 2031, the cost of ransomware attacks is estimated to reach $265 billion (USD) annually. The rapid growth of ransomware attacks has made this cyber threat [...] |
Threat Ransomware | ||
|
2024-07-29 10:58:35 | Weekly OSINT Highlights, 29 July 2024 (lien direct) | ## Snapshot Key trends from last week\'s OSINT reporting include novel malware, such as Flame Stealer and FrostyGoop, the compromise of legitimate platforms like Discord and GitHub, and state-sponsored threat actors conducting espionage and destructive attacks. Notable threat actors, including Russian groups, Transparent Tribe, FIN7, and DPRK\'s Andariel, are targeting a wide range of sectors from defense and industrial control systems to financial institutions and research entities. These attacks exploit various vulnerabilities and employ advanced evasion techniques, leveraging both traditional methods and emerging technologies like AI-generated scripts and RDGAs, underscoring the evolving and persistent nature of the cyber threat landscape. ## Description 1. [Widespread Adoption of Flame Stealer](https://sip.security.microsoft.com/intel-explorer/articles/f610f18e): Cyfirma reports Flame Stealer\'s use in stealing Discord tokens and browser credentials. Distributed via Discord and Telegram, this malware targets various platforms, utilizing evasion techniques like DLL side-loading and data exfiltration through Discord webhooks. 2. [ExelaStealer Delivered via PowerShell](https://sip.security.microsoft.com/intel-explorer/articles/5b4a34b0): The SANS Technology Institute Internet Storm Center reported a threat involving ExelaStealer, downloaded from a Russian IP address using a PowerShell script. The script downloads two PE files: a self-extracting RAR archive communicating with "solararbx\[.\]online" and "service.exe," the ExelaStealer malware. The ExelaStealer, developed in Python, uses Discord for C2, conducting reconnaissance activities and gathering system and user details. Comments in Russian in the script and the origin of the IP address suggest a Russian origin. 3. [FrostyGoop Disrupts Heating in Ukraine](https://sip.security.microsoft.com/intel-explorer/articles/cf8f8199): Dragos identified FrostyGoop malware in a cyberattack disrupting heating in Lviv, Ukraine. Linked to Russian groups, the ICS-specific malware exploits vulnerabilities in industrial control systems and communicates using the Modbus TCP protocol. 4. [Rhysida Ransomware Attack on Private School](https://sip.security.microsoft.com/intel-explorer/articles/4cf89ad3): ThreatDown by Malwarebytes identified a Rhysida ransomware attack using a new variant of the Oyster backdoor. The attackers used SEO-poisoned search results to distribute malicious installers masquerading as legitimate software, deploying the Oyster backdoor. 5. [LLMs Used to Generate Malicious Code](https://sip.security.microsoft.com/intel-explorer/articles/96b66de0): Symantec highlights cyberattacks using Large Language Models (LLMs) to generate malware code. Phishing campaigns utilize LLM-generated PowerShell scripts to download payloads like Rhadamanthys and LokiBot, stressing the need for advanced detection against AI-facilitated attacks. 6. [Stargazers Ghost Network Distributes Malware](https://sip.security.microsoft.com/intel-explorer/articles/62a3aa28): Check Point Research uncovers a network of GitHub accounts distributing malware via phishing repositories. The Stargazer Goblin group\'s DaaS operation leverages over 3,000 accounts to spread malware such as Atlantida Stealer and RedLine, targeting both general users and other threat actors. 7. [Crimson RAT Targets Indian Election Results](https://sip.security.microsoft.com/intel-explorer/articles/dfae4887): K7 Labs identified Crimson RAT malware delivered through documents disguised as "Indian Election Results." Transparent Tribe APT, believed to be from Pakistan, targets Indian diplomatic and defense entities using macro-embedded documents to steal credentials. 8. [AsyncRAT Distributed via Weaponized eBooks](https://sip.security.microsoft.com/intel-explorer/articles/e84ee11d): ASEC discovered AsyncRAT malware distributed through weaponized eBooks. Hidden PowerShell scripts within these eBooks trigger the AsyncRAT payload, which uses obfuscation and anti-detection techniques to exfiltrate data. | Threat Ransomware Data Breach Spam Malware Tool Mobile Industrial Vulnerability Medical Legislation | APT 28 APT 36 | |
 |
2024-07-29 10:07:25 | Capgemini piratée par l\'un de ses employés (lien direct) | Insider threat : le pirate de l\'entreprise Capgemini n\'était autre qu\'un de ses employés....
Insider threat : le pirate de l\'entreprise Capgemini n\'était autre qu\'un de ses employés.... |
Threat | ||
 |
2024-07-29 10:00:05 | Mandrake Spyware se faufile à nouveau sur Google Play, volant sous le radar pendant deux ans Mandrake spyware sneaks onto Google Play again, flying under the radar for two years (lien direct) |
Les acteurs de menace spyware de Mandrake reprennent des attaques avec de nouvelles fonctionnalités ciblant les appareils Android tout en étant accessible au public sur Google Play.
Mandrake spyware threat actors resume attacks with new functionality targeting Android devices while being publicly available on Google Play. |
Threat Mobile | ||
|
2024-07-29 10:00:00 | Pourquoi vous avez besoin d'un pare-feu d'application Web en 2024 Why You Need a Web Application Firewall in 2024 (lien direct) |
The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article. Over the last decade, web applications have become integral to everyday life. This includes business and personal activities, facilitating everything from banking and transactions to marketing and social networking. This rise in popularity has made web applications a prime target for cybercriminals. According to Verizon’s 2024 Data Breach Investigation Report, nearly 40% of cybersecurity incidents result from web application vulnerabilities. Businesses relying on these applications for everyday operations must implement robust security measures to ensure their app stack is resilient to threats and capable of maintaining uninterrupted service. One of the most effective tools for safeguarding web applications is a web application firewall (WAF), which provides critical protection against a wide range of cyber threats. Most Common Threats to Web App Security Before we dive into how web application firewalls protect our web assets, let’s look at the most pressing security threats facing web applications in 2024. Stolen credentials are top of mind, as millions are available for sale on the dark web. One of the most significant cyberattacks of the year involved compromised credentials from a third-party application in an attack on UnitedHealth, which jeopardized the data of one-third of Americans. Attackers were nested inside the victim’s systems for months before striking, highlighting how important real-time monitoring capabilities are for detecting suspicious behavior. Zero-day exploits are also a common vector attackers have used in recent years to breach web applications. A zero-day vulnerability is unknown to the application vendor or the public at the time it is discovered and exploited by attackers. They can be quite dangerous if they’re not identified and patched quickly. In 2023, there were 97 reported zero-day vulnerabilities, a 50% increase from the year before. Additionally, as web applications increasingly rely on each other to provide maximum functionality to the end user, API-related attacks have also become prevalent. App integrations must be executed correctly with strong authentication and authorization mechanisms. Input validation is also required to prevent injection attacks. Modern WAF Solutions Are Essential to Improving Security A web application firewall is a hardware or software-based solution used to monitor and filter HTTP traffic between a web application and the internet. WAFs provide two essential security features: traffic filtering and real-time monitoring. WAFs use rule-based filters to inspect HTTP requests and responses. These filters detect and block a wide spectrum of attacks, including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). By analyzing traffic in real time, a WAF solution can identify and mitigate threats as they occur, foiling attacks before | Threat Data Breach Tool Vulnerability | ||
 |
2024-07-29 06:00:58 | De réactif à proactif: identifier les utilisateurs risqués en temps réel pour arrêter les menaces d'initié From Reactive to Proactive: Identify Risky Users in Real Time to Stop Insider Threats (lien direct) |
Insider threats can come from anywhere at any time. Although there are well-known insider threat indicators and trigger events, one of the most challenging aspects of containing insider threats is identifying a user who may cause harm to the business-intentionally or not. This uncertainty can be daunting. And it is one of the reasons that insider threats are a leading challenge for CISOs globally. Insider threat investigations are typically reactive. Cybersecurity administrators focus on risky users like leavers, employees on a performance improvement plan, or contractors once they learn about their potential risk to the company. This is a valid way to manage known risks. But how can a business manage unknown risks? Proofpoint Insider Threat Management (ITM) has capabilities to help security teams do exactly that with dynamic policies on the endpoint. Reactive monitoring poses challenges The riskiest users in a business tend to fall into several categories. They include users who: Exhibit risky behavior, like downloading a high volume of sensitive files Belong to a predetermined risky user group; some examples include departing employees, privileged users with access to sensitive data and systems, and Very Attacked People™ Have a high-risk score based on a number of indicators Security teams typically build manual policies to monitor these users for unusual or risky behavior. When a user\'s activity violates corporate policy, their activity is detected by and visible to security teams. Security teams can continue to monitor the user and apply prevention controls when needed. This is a sound approach. But it relies on identifying the risky user ahead of time, monitoring their behavior and making manual changes to policies. For teams who may not have an approach to identify risky users, they may decide to monitor all users as “risky.” However, collecting data on all users is inefficient. It burdens the security team with too many alerts and false positives. Another challenge for security teams is protecting users\' privacy to meet compliance requirements. Capturing visuals like screenshots in an insider threat investigation is crucial. It can provide irrefutable evidence that can be used to prove a user\'s intentions. However, the collection of such information all the time poses privacy concerns, especially in regions with strict privacy regulations. Balancing security with privacy controls requires that data collection occur on a need-to-know basis. Identify risky users with dynamic policies Proofpoint ITM alleviates the challenge of knowing who your riskiest users are at all times. With dynamic policies for the endpoint, security teams do not need to write policies based on specific users or groups. Instead, they can dynamically and flexibly change a user\'s monitoring policy in real time if a user triggers an alert. Dynamic policies allow security teams to do the following: Change the endpoint agent policy from metadata-only to screenshot mode for a specified time frame before and after an alert Capture screenshots only when behavior is risky and an alert is generated, thereby protecting the privacy of the user Define when visibility and control policies are scaled up or down on the endpoint User scenario: a departing employee Let\'s walk through an example of a departing employee. Evan is a researcher at a global life sciences company. She has access to sensitive vaccine data due to the nature of her role. Evan is being monitored as a low-risk user. That means metadata is being captured when she moves data, such as uploading a PPT file with sensitive data to a partner\'s website or uploading a strategy document to the company\'s cloud sync folder. However, Evan\'s behavior, such as tampering with the Windows registry or any security controls, or downloading an unapproved application, are not captured. Evan is goin | Threat Cloud |
To see everything:
Our RSS (filtrered)
