What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-06-27 17:10:00 | Les secrets de la formation d'IA cachée sur vos données The Secrets of Hidden AI Training on Your Data (lien direct) |
Bien que certaines menaces SaaS soient claires et visibles, d'autres sont cachées à la vue, tous deux constituant des risques importants pour votre organisation.Les recherches de Wing \\ indiquent qu'un étonnant 99,7% des organisations utilisent des applications intégrées aux fonctionnalités d'IA.Ces outils axés sur l'IA sont indispensables, offrant des expériences transparentes de la collaboration et de la communication à la gestion du travail et
While some SaaS threats are clear and visible, others are hidden in plain sight, both posing significant risks to your organization. Wing\'s research indicates that an astounding 99.7% of organizations utilize applications embedded with AI functionalities. These AI-driven tools are indispensable, providing seamless experiences from collaboration and communication to work management and |
Tool Cloud | ||
 |
2024-06-27 14:00:00 | Le renouveau mondial du hacktivisme nécessite une vigilance accrue des défenseurs Global Revival of Hacktivism Requires Increased Vigilance from Defenders (lien direct) |
Written by: Daniel Kapellmann Zafra, Alden Wahlstrom, James Sadowski, Josh Palatucci, Davyn Baumann, Jose Nazario
Since early 2022, Mandiant has observed the revival and intensification of threat activity from actors leveraging hacktivist tactics and techniques. This comes decades after hacktivism first emerged as a form of online activism and several years since many defenders last considered hacktivism to be a serious threat. However, this new generation of hacktivism has grown to encompass a more complex and often impactful fusion of tactics different actors leverage for their specific objectives. Today\'s hacktivists exhibit increased capabilities in both intrusion and information operations demonstrated by a range of activities such as executing massive disruptive attacks, compromising networks to leak information, conducting information operations, and even tampering with physical world processes. They have leveraged their skills to gain notoriety and reputation, promote political ideologies, and actively support the strategic interests of nation-states. The anonymity provided by hacktivist personas coupled with the range of objectives supported by hacktivist tactics have made them a top choice for both state and non-state actors seeking to exert influence through the cyber domain. This blog post presents Mandiant\'s analysis of the hacktivism threat landscape, and provides analytical tools to understand and assess the level of risk posed by these groups. Based on years of experience tracking hacktivist actors, their claims, and attacks, our insight is meant to help organizations understand and prioritize meaningful threat activity against their own networks and equities. 
Figure 1: Sample of imagery used by hacktivists to promote their threat activity
Proactive Monitoring of Hacktivist Threats Necessary for Defenders to Anticipate Cyberattacks
Mandiant considers activity to be hacktivism when actors claim to or conduct attacks with the publicly stated intent of engaging in political or social activism. The large scale of hacktivism\'s resurgence presents a critical challenge to defenders who need to proactively sift through the noise and assess the risk posed by a multitude of actors with ranging degrees of sophistication. While in many cases hacktivist activity represents a marginal threat, in the most significant hacktivist operations Mandiant has tracked, threat actors have deliberately layered multiple tactics in hybrid operations in such a way that the effect of each component magnified the others. In some cases, hacktivist tactics have been deliberately employed by nation-state actors to support hybrid operations that can seriously harm victims. As the volume and complexity of activity grows and new actors leverage hacktivist tactics, defenders must determine how to filter, assess, and neutralize a range of novel and evolving threats. The proactive moni |
Malware Tool Threat Legislation Industrial Cloud Commercial | APT 38 | |
 |
2024-06-27 12:12:56 | DMARC: Pourquoi il passe d'une meilleure pratique à un incontournable DMARC: Why It\\'s Moving from a Best Practice to a Must-Have (lien direct) |
It is widely understood that email is the number one threat vector for cyberattacks. This stems from the fact that email was not designed with security in mind, and cybercriminals do not need highly technical skills to exploit it. In this blog, we\'ll look at how threat actors exploit human vulnerabilities by impersonating people and brands, why DMARC is becoming mandatory, and how Proofpoint can help. Are you for real? Looking legitimate to gain trust Most cyberattacks today are initiated via email. As a result, many users have started to block or delete emails from unknown sources as a precautionary measure. Cybercriminals realize this and have learned that their best chance is to fool the receiver into believing that they are dealing with a known source-ideally, a trusted source. And this is where sender impersonation comes into play. Spoofing is a common form of sender impersonation. There are two main types: Domain spoofing. This is when a bad actor forges a sender\'s domain in an email to make it appear as if the email is from a trusted source. Header spoofing. In this case, an attacker manipulates the email\'s header information-including various fields such as “From,” “To,” “Reply-To” and others-so that it looks like the email is from a different source than its true source (the attacker). Both tactics are designed to make recipients believe that they are interacting with a trusted source and can appear very legitimate. If someone believes they are communicating with a trusted person, they are more likely to divulge sensitive information or perform actions that compromise their security, such as handing over their credentials. If an attacker is spoofing your company to target your partners or customers, it can cause significant damage to your brand\'s reputation. To prevent this type of brand abuse, some companies have implemented email authentication technology as a “best practice.” But this trend is not as widespread as you might expect. An overview of email authentication technology To combat domain spoofing, Sender Policy Framework (SPF) was introduced, followed by Domain Key Identified Mail (DKIM), with the goal of validating that email is coming from an approved sending IP address and the message hasn\'t been tampered with en route. A company can create an SPF record that contains a list of all the “approved” IP addresses that can send email on the organization\'s behalf. This allows a system receiving an email to do a quick check to determine if the email is coming from an authorized server. If the sending IP address isn\'t on the SPF list, it fails authentication. DKIM goes a step further by using public and private keys, allowing a receiving system to compare the keys in the email to confirm that it came from who it says it did and that nothing in the email was changed after it was sent. Someone sending a domain-spoofed email would fail both SPF and DKIM authentication. Email authentication is becoming mandatory Email authentication tools have been available for years, so you would think that all companies would have implemented them by now. However, some businesses have been slow to act for various reasons, including: Resource limitations Budget limitations Concerns about legitimate email being blocked Whatever the cause for the lag in implementing these tools, the delay has allowed cybercriminals to continue to exploit the lack of security to initiate their attacks. Major email providers are making moves to force companies to catch up and use email authentication. Some highly publicized examples include the October 2023 announcements from Google, Yahoo and Apple around mandatory email authentication requirements (including DMARC) for bulk senders sending email to Gmail, Yahoo and iCloud accounts. This should significantly reduce spam and fraudulent emails hitting their customers\' inboxes. | Spam Tool Vulnerability Threat Prediction Technical | Yahoo | |
 |
2024-06-27 10:00:00 | Analyse du vidage de mémoire: Utilisation de la chaux pour l'acquisition et la volatilité pour la configuration initiale Memory Dump Analysis: Using LiME for Acquisition and Volatility for Initial Setup (lien direct) |
Le contenu de ce post est uniquement la responsabilité de l'auteur. & nbsp;LevelBlue n'adopte ni n'approuve aucune des vues, positions ou informations fournies par l'auteur dans cet article. & Nbsp;
L'analyse du vidage de mémoire est un aspect crucial de la criminalistique numérique, offrant un instantané de la mémoire volatile d'un système à un moment spécifique.Cela peut révéler des preuves critiques telles que les processus en cours d'exécution, les connexions de réseau ouvertes et l'exécution de logiciels malveillants en mémoire que l'analyse du disque pourrait manquer.Dans un précédent blog , nous avons appris à utiliser le FMEM pour l'acquisition de la mémoire volatile.Dans ce blog, nous explorerons comment créer des vidages de mémoire à l'aide de chaux (extracteur de mémoire Linux) et comment commencer par notre processus d'analyse en utilisant le cadre de volatilité dans nos prochains blogs.
Qu'est-ce que la chaux?
Un module de noyau chargé (LKM) qui permet une acquisition de mémoire volatile à partir de périphériques basés sur Linux et Linux, tels que Android.Cela rend la chaux unique car c'est le premier outil qui permet des captures de mémoire complète sur les appareils Android.Il minimise également son interaction entre les processus d'espace utilisateur et du noyau pendant l'acquisition, ce qui lui permet de produire des captures de mémoire qui sont plus judiciques que celles d'autres outils conçus pour l'acquisition de mémoire Linux.
Pourquoi l'analyse du vidage de mémoire est-elle importante?
L'analyse du vidage de mémoire est vitale en médecine légale numérique pour plusieurs raisons:
Découvrir les données cachées: RAM contient des données transitoires non stockées sur le disque, telles que les clés de chiffrement et les logiciels malveillants en mémoire.
Comprendre l'état du système: Les vidages de mémoire fournissent un snapot des processus actifs, des fichiers ouverts et des connexions réseau.
détection d'activité malveillante: L'analyse peut révéler la présence et le comportement des logiciels malveillants qui fonctionnent principalement en mémoire.
Installation et configuration de chaux
Pour utiliser la chaux, vous devez le construire à partir de la source.Suivez ces étapes pour installer et configurer la chaux:
Clone Le référentiel de chaux: Pour clone dans le référentiel de chaux, vous pouvez utiliser Git Clone:
Git Clone https://github.com/504ensicslabs/lime.git
Assurez-vous que les en-têtes de noyau Linux et les outils de construction sont installés.
Pour installer des éléments essentiels de construction, vous pouvez utiliser: sudo apt installer build-essentiel
maintenant, accédez au sous-répertoire SRC sous Lime Directory:
cd chaux / src
compiler le module de chaux:
Maintenant, utilisez Make pour compiler le module de chaux:
faire
Chargez le module:
Utilisez INSMOD pour charger le module dans le noyau.
|
Malware Tool Mobile | ||
 |
2024-06-27 09:51:33 | The Windows Registry Adventure # 3: Ressources d'apprentissage The Windows Registry Adventure #3: Learning resources (lien direct) |
Posted by Mateusz Jurczyk, Google Project Zero When tackling a new vulnerability research target, especially a closed-source one, I prioritize gathering as much information about it as possible. This gets especially interesting when it\'s a subsystem as old and fundamental as the Windows registry. In that case, tidbits of valuable data can lurk in forgotten documentation, out-of-print books, and dusty open-source code – each potentially offering a critical piece of the puzzle. Uncovering them takes some effort, but the payoff is often immense. Scraps of information can contain hints as to how certain parts of the software are implemented, as well as why – what were the design decisions that lead to certain outcomes etc. When seeing the big picture, it becomes much easier to reason about the software, understand the intentions of the original developers, and think of the possible corner cases. At other times, it simply speeds up the process of reverse engineering and saves the time spent on deducing certain parts of the logic, if someone else had already put in the time and effort. One great explanation for how to go beyond the binary and utilize all available sources of information was presented by Alex Ionescu in the keynote of OffensiveCon 2019 titled "Reversing Without Reversing". My registry security audit did involve a lot of hands-on reverse engineering too, but it was heavily supplemented with information not coming directly from ntoskrnl.exe. And while Alex\'s talk discussed researching Windows as a whole, this blog post provides a concrete case study of how to apply these ideas in practice. The second goal of the post is to consolidate all collected materials into a single, comprehensive summary that can be easily accessed by future researchers on this topic. The full list may seem overwhelming as it includes some references to overlapping information, so the ones I find key have been marked with the 🔑 symbol. I highly recommend reviewing these resources, as they provide context that will be helpful for understanding future posts. Microsoft Learn Official documentation is probably the first and most intuitive thing to study when dealing with a new API. For Microsoft, this means the Microsoft Learn (formerly MSDN Library), a vast body of technical information maintained for the benefit of Windows software developers. It is wholly available online, and includes the following sections and articles devoted to the registry: 🔑 | Tool Vulnerability Studies Technical | ||
 |
2024-06-27 07:00:00 | Les outils de crise indispensables pour Linux (lien direct) | Découvrez les outils Linux essentiels à installer pour gérer efficacement les crises de performance. Soyez paré à toute éventualité ! | Tool | ||
 |
2024-06-27 01:46:12 | Les télécommunications coréens auraient infecté ses utilisateurs P2P par malware Korean telco allegedly infected its P2P users with malware (lien direct) |
kt a peut-être eu une équipe entière dédiée à l'infecticule de ses propres clients Un média sud-coréen a allégué que les télécommunications locales KT ont délibérément infecté certains clients malveillants en raison de leur utilisation excessive de pair-to-Peer (P2P) Téléchargement des outils.… | Malware Tool | ||
 |
2024-06-27 00:25:52 | Nouveau logiciel malveillant innosetup créé à chaque tentative de téléchargement New InnoSetup Malware Created Upon Each Download Attempt (lien direct) |
Ahnlab Security Intelligence Center (ASEC) a découvert la distribution d'un nouveau type de logiciel malveillant déguisé carfissures et outils commerciaux.Contrairement aux logiciels malveillants antérieurs qui ont effectué des comportements malveillants immédiatement après avoir été exécutés, ce malware affiche une interface utilisateur d'installation et des comportements malveillants sont exécutés lors de la cliquetis sur les boutons pendant le processus d'installation.Il est considéré que lorsque l'utilisateur fait une demande de téléchargement, un logiciel malveillant est instantanément créé pour donner une réponse au lieu de distribuer des logiciels malveillants préfabriqués.Cela signifie que ...
AhnLab SEcurity intelligence Center (ASEC) has discovered the distribution of a new type of malware that is disguised as cracks and commercial tools. Unlike past malware which performed malicious behaviors immediately upon being executed, this malware displays an installer UI and malicious behaviors are executed upon clicking buttons during the installation process. It is deemed that when the user makes a download request, a malware is instantly created to give a reply instead of distributing pre-made malware. This means that... |
Malware Tool Commercial | ||
 |
2024-06-26 19:07:50 | (Déjà vu) Fickle Stealer Distributed via Multiple Attack Chain (lien direct) | ## Instantané Fortiguard Labs Menace Research a identifié un voleur basé sur la rouille appelée Sceneer Fickle, observé en mai 2024. ## Description Ce voleur est distribué à l'aide de diverses méthodes telles que le dropper VBA, le téléchargeur VBA, le téléchargeur de liens et le téléchargeur exécutable.La chaîne d'attaque est divisée en trois étapes: livraison, travail préparatoire et charge utile des emballeurs et du voleur. Le travail préparatoire consiste à contourner le contrôle des comptes d'utilisateurs (UAC) et à exécuter le voleur capricieux, à créer une nouvelle tâche pour exécuter le moteur.PS1 après 15 minutes, et à envoyer des messages au bot télégramme de l'attaquant \\.De plus, Fickle Stealer est protégé par un packer déguisé en exécutable légal, ce qui rend difficile la détection en utilisant certaines règles de détection.Le malware laisse tomber une copie de lui-même dans le dossier temporaire avec un nom aléatoire, exécute la copie et termine le voleur en cours d'exécution.Il communique ensuite avec le serveur pour envoyer des données volées, y compris les informations de victime, les applications cibles et les mots clés et le contenu de fichiers spécifique au format JSON.Le serveur répond par une liste cible cryptée à l'aide d'un algorithme RC4, et le malware traite diverses cibles telles que les portefeuilles crypto, les plugins, les extensions de fichiers, les chemins partiels, les applications, les navigateurs de moteur Gecko et les navigateurs à base de chrome.Enfin, le malware envoie une capture d'écran au serveur et se supprime.Fickle Stealer est conçu pour recevoir une liste cible du serveur, le rendant plus flexible, et est observé comme ayant mis à jour des variantes, indiquant un développement continu. ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact des menaces d'information sur les voleurs. - Vérifiez les paramètres de filtrage des e-mails Office 365 pour vous assurer de bloquer les e-mails, le spam et les e-mails avec des logiciels malveillants.Utilisez [Microsoft Defender pour Office 365] (https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-forzice-365?ocid=Magicti_TA_Learnddoc) pour une protection et une couverture de phishing améliorées contrenouvelles menaces et variantes polymorphes.Configurez Microsoft Defender pour Office 365 à [Rechercher les liens sur Click] (https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) et [delete SenteMail] (https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=Magicti_TA_Learndoc) en réponse à l'intelligence des menaces nouvellement acquise.Allumez [les politiques de pièces jointes de sécurité] (https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-polies-configure?ocid=Magicti_TA_LearnDoc) pour vérifier les pièces jointes à l'e-mail entrant. - Encourager les utilisateurs à utiliser Microsoft Edge et d'autres navigateurs Web qui prennent en charge [SmartScreen] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-overview?ocid=Magicti_TA_LearnDDoc), qui identifieet bloque des sites Web malveillants, y compris des sites de phishing, des sites d'arnaque et des sites qui hébergent des logiciels malveillants. - Allumez [Protection en livraison du cloud] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-lock-at-first-sight-microsoft-defender-asvirus?ocid=magicti_ta_learndoc)Dans Microsoft Defender Antivirus, ou l'équivalent de votre produit antivirus, pour couvrir les outils et techniques d'attaquant en évolution rapide.Les protections d'apprentissage automatique basées sur le cloud bloquent une majorité de variantes nouvelles et inconnues. - appliquer le MFA sur tous les comptes, supprimer les utilisateurs exclus de la MFA et strictement [exiger MFA] (https://learn.microsoft.com/azur | Ransomware Spam Malware Tool Threat | ||
 |
2024-06-26 10:00:41 | Levier Plateforme & # 8211;Renforcer, unifier et simplifier les outils de cybersécurité Leverage Platformization – Strengthen, Unify and Simplify Cybersecurity Tools (lien direct) |
> Cette série de plate-forme élargit les complexités de différents outils de cybersécurité et comment l'unification en une seule simplifie les opérations.
>This platformization series expands on the complexities of different cybersecurity tools and how unifying into one simplifies operations. |
Tool | ||
|
2024-06-26 10:00:00 | Les tenants et aboutissants de l'évaluation de la posture de cybersécurité en 2024 The Ins and Outs of Cybersecurity Posture Assessment in 2024 (lien direct) |
The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article. Whether you\'re working with on-premises infrastructure, fully embracing the cloud, or running a hybrid solution, one thing is certain: a robust security posture is essential to safeguarding the environment. This article will explore today’s fundamentals of security posture assessment in both on-premises and cloud environments while briefly touching on the added complexities a hybrid setup will entail. What Is Security Posture Assessment? Before going any further, it is good to understand what security posture assessment really is and why knowing your security posture is essential to every organization. In short, a security posture assessment is a comprehensive evaluation of the currently utilized security measures safeguarding essential organizational data, processes to prevent breaches, and decisions to maintain business continuity. Any company should have a comprehensive assessment of its environment conducted at least annually. These assessments are used to identify vulnerabilities in processes and systems, point out areas for improvement, and comprehensively assess the overall resiliency of the organization’s entire IT ecosystem. The main goal is to fully understand the current security level and be able to take the necessary steps to remediate possible issues. Assessing On-Premises Security With on-premises system management, all the responsibility falls on the local IT team, so they need to have a comprehensive view of the currently deployed hardware and software to be able to successfully secure both. Let’s go over the components of such an exercise: ● Asset inventory: It is imperative to know the total scope of the organization\'s assets, including workstations, mobile devices, servers, network equipment, and all the software applications in use. This helps pinpoint outdated assets that either need to be removed from the environment or brought up-to-date with hardware or software upgrades. ● Patch management: New software vulnerabilities are being constantly unearthed, so prompt software updating and comprehensive patch management are instrumental in every environment. While it is a good idea to verify the stability of new updates first, automated patch management tools can help streamline this process. ● Network segmentation: Adversaries are always looking for opportunities for lateral movement in a network, so the isolation of systems and processes through network segmentation is an important step in limiting the potential damage a breach can cause. All in all, the evaluation of on-premises security requires an all-around review of the physical and digital protections within the organization’s data centers. This additionally includes vetting firewalls, intrusion detection systems, and access controls to thwart unauthorized access. Regular security audits and penetration tests are crucial to identify and address vulnerabilities before they can be weaponized. Assessing Cloud Security Working with cloud-based solutions keeps growing in popularity, since it effectively outsources the underlying hardware management to the cloud service provider, lessening the burden on the local IT team. This isn\'t to say that there is n | Tool Vulnerability Threat Patching Mobile Cloud | ||
 |
2024-06-26 00:00:00 | Attaquants dans le profil: Menupass et Alphv / Blackcat Attackers in Profile: menuPass and ALPHV/BlackCat (lien direct) |
Pour tester l'efficacité des services gérés comme notre offre de détection et de réponse à la micro-géré, Mitre Encenuity ™ a combiné les outils, les techniques et les pratiques de deux méchants acteurs mondiaux: Menupass et alphv / blackcat.Ce blog raconte pourquoi ils ont été choisis et ce qui en fait des menaces à compter.
To test the effectiveness of managed services like our Trend Micro managed detection and response offering, MITRE Engenuity™ combined the tools, techniques, and practices of two globally notorious bad actors: menuPass and ALPHV/BlackCat. This blog tells the story of why they were chosen and what makes them threats to be reckoned with. |
Tool Prediction | APT 10 | |
|
2024-06-25 21:14:40 | Resurgence de Strelastealer: suivi d'un voleur d'identification axé sur JavaScript ciblant l'Europe StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe (lien direct) |
#### Targeted Geolocations - Poland - Spain - Italy - Germany ## Snapshot The SonicWall Capture Labs threat research team has been monitoring an increase in the spread of StrelaStealer, an information stealer (infostealer) malware that first emerged in 2022. Read Microsoft\'s write-up on information stealers [here](https://security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6). ## Description In mid-June, there was a notable surge in JavaScript spreading StrelaStealer, which targets Outlook and Thunderbird email credentials. StrelaStealer\'s infection chain remains similar to previous versions but now includes checks to avoid infecting Russian systems. Its targets are primarily in Poland, Spain, Italy, and Germany. The initial infection vector is an obfuscated JavaScript file sent via email in archive files. This file drops a copy in the user\'s directory with a random name and then executes a batch file to check the system language, excluding Russian users by detecting the OSLanguage code "1049". If non-Russian, a base64-encoded PE file is dropped, decoded, and a DLL is created and executed using regsvr32.exe. The DLL\'s obfuscated code decrypts the actual PE file and injects it into the current process. The stealer dynamically loads necessary APIs and checks the keyboard layout to determine the system\'s geographic location. It targets languages such as Spanish, Basque, Polish, Catalan, Italian, and German. The malware starts its stealing functionality with Mozilla Thunderbird, looking for specific files and sending data to a designated IP address. It also targets Outlook by retrieving information from specific registry keys and sending this data to the same IP. ## Additional Analysis OSINT reporting about StrelaStealer indicates that its operators tend to initiate large-scale campaigns targeting organizations in specific geographic regions or countries. Initially, the malware primarily targeted Spanish-speaking users, but has since evolved to target users speaking English and other European languages. According to Palo Alto Network\'s 2024 [report](https://unit42.paloaltonetworks.com/strelastealer-campaign/) on StrelaStealer, the malware\'s main goal, to steal email login data from email clients, has not changed. However, the malware\'s infection chain and packer have been modified to evade detection and make analysis more difficult. ## Detections/Hunting Queries Microsoft Defender Antivirus detects threat components as the following malware: - *[Trojan:JS/StrelaStealer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:JS/StrelaStealer!MSR&threatId=-2147061639)* - *[Trojan:Win64/StrelaStealer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/StrelaStealer.GPAX!MTB&threatId=-2147056969)* - *[Trojan:Win32/StrelaStealer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/StrelaStealer.ASS!MTB&threatId=-2147054947)* ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations. - Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly a | Ransomware Spam Malware Tool Threat | ||
 |
2024-06-25 14:15:59 | Utilisation d\'outils d\'IA personnels dans un cadre professionnel : attention aux risques pour la sécurité des données (lien direct) | L'un des plus grands dangers est que les utilisateurs cherchent constamment à optimiser leur productivité, souvent en recourant à des outils non validés par l'entreprise, ce qui augmente les risques de vol ou de mauvaise utilisation des données. | Tool | ||
 |
2024-06-25 12:50:11 | CISA met en garde contre un éventuel vol de données des installations chimiques en raison d'une violation de son outil CSAT CISA warns of possible data theft from Chemical facilities due to a breach in its CSAT tool (lien direct) |
CISA met en garde contre le vol de données possible à partir des installations chimiques en raison d'une violation de son outil CSAT
-
mise à jour malveillant
CISA warns of possible data theft from Chemical facilities due to a breach in its CSAT tool - Malware Update |
Tool | ||
|
2024-06-25 10:00:00 | Le rôle de la cybersécurité dans la construction et la fabrication modernes The Role of Cybersecurity in Modern Construction and Manufacturing (lien direct) |
The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article. Cybersecurity and threat preparedness may be at the forefront of your mind, and you may have protections in place against more common threats. Yet, as these threats continue to evolve, vigilance and adaptation are crucial for construction and manufacturing organizations. Cybercriminals have gotten both more prolific and more creative. 2023 saw a record-breaking spike in cyberattacks, with well over 300 million victims falling prey to data breaches, and the average corporate data breach cost 4.45 million dollars. In an industry where reputation is everything, a single breach could sink your ship in more ways than one. As we proceed, we’ll unpack the many ways that a cyberattack could impact your ability to turn a profit, making you aware of vulnerabilities that exist within your organization’s structure. Then we’ll provide you with practical suggestions to patch these vulnerabilities, insulating you from outside threats and keeping you on track to remain profitable. Computer Vision and Vulnerabilities As you use new technologies to support your existing processes, you must be aware of vulnerabilities that new systems can create. If you’ve looked into leveraging recent tech advancements in your field, you’re probably familiar with computer vision technology. Computer vision technology uses data gathered from physical images, importing them into the digital realm and unlocking a variety of potential benefits. Takeoff software and AI-powered planning systems streamline the project liftoff process by, simplifying cost estimation, identifying and correcting blueprint errors, and even advancing sustainability goals. While these systems can be leveraged to optimize a wide variety of processes, they also shift the balance of project planning from human input to automated computing processes. This in turn puts you more at risk for being a victim of a cyberattack. Malefactors can access automated systems through a wide variety of channels. Whether they break into your network via access to an IoT-connected device that someone misplaced in the workspace, or secret malicious code into the data sources your devices consume to function, increasing your use of technology also increases their windows of opportunity. As these systems increase in scope and importance, leaving windows like these open increases the risk of potentially profitable projects turning belly up. Process Disruption However, cybercriminals don’t need you to use newfangled technology solutions to cause havoc throughout your processes. Cybercriminals already have a tried-and-true playbook that they’ve been using on your competitors for years, and to great effect. Some of the ways cyberthreats can fracture manufacturers’ processes include: ● Ransomware: If a cybercriminal gains access to mission-critical data, they can then lock that data behind a ransomware program. Ransomware holds company d | Ransomware Malware Tool Vulnerability Threat Patching | ||
|
2024-06-25 06:00:45 | Email mal réalisé: un problème commun et coûteux qui est facile à résoudre Misdirected Email: A Common and Costly Issue That\\'s Easy to Fix (lien direct) |
Sensitive data loss has long been an issue for organizations of all sizes, leaving them exposed to compliance and reputation risks. From phishing and ransomware to advanced threats, there is a long and growing list of ways that sensitive information can find itself outside your defenses. That said, it never really “finds itself” there. It ends up there incidentally, or intentionally-and usually, by employees. So much so that two-thirds of chief information security officers (CISOs) surveyed for our 2024 State of the Phish report said their business has experienced data loss due to an insider. Once again, there are many ways this can happen. Even today\'s most security-oblivious users likely understand that weak passwords and errant clicks or downloads pose a risk. However, another prevalent factor behind data loss does not garner the same level of focus. It may surprise many to learn that misdirected emails-legitimate messages sent to incorrect recipients-are the number one General Data Protection Regulation (GDPR)-related cyber incident reported to the U.K.\'s Information Commissioner\'s Office (ICO). Misdirected email happens all the time-and it\'s difficult to stop with traditional tools. These errors are not usually flagged by standard rule-based data loss prevention (DLP) products. That leaves users solely responsible for ensuring that their emails are always sent to the intended recipients. Unfortunately, this human line of defense is not fully equipped for the task. Why doesn\'t traditional DLP solve misdelivery? Traditional rule based DLP tools do what they do very well. Such tools remain a critical part of any effective cyber defense when it comes to protecting sensitive data. However, they have a major shortcoming in that they only check messaging against predefined risks. Traditional DLP can identify whether: Recipients are on deny lists The content contains Social Security numbers or patient identifiers (RegEx patterns) Attached documents have classification tags; for example, if an admin has tagged a document as “sensitive” Assuming your email passes these checks, it is deemed safe to send. A misdirected email to a legitimate (albeit incorrect) recipient would not raise any red flags. A rule-based system would determine that this type of email is good to go. But based on Verizon\'s Data Breach Investigations Report (DBIR) data, which shows that email misdelivery is prevalent across all industries, we know that it\'s not. An adaptive, artificial intelligence (AI)-powered DLP solution goes much further. It doesn\'t just look for common predefined risks. Rather, it analyzes all aspects of an email for anything that looks anomalous. So, on top of checking for common red flags, it can detect abnormal groupings of recipients and flag sensitive words, phrases or content that are not ordinarily shared with the intended recipients-whether in the body of the message or in any attachments. The solution will then determine whether an email is safe to send. Overview showing how Tessian automatically detects what rule-based DLP misses. Should it detect a potential mistake or sensitive data loss incident, Proofpoint Adaptive Email DLP will intervene to question the accuracy of the recipient, offer a brief explanation of the potential issue and ask whether the sender wishes to proceed or cancel. Error message: Is this the correct recipient message? Put simply, traditional DLP cannot stop incidents like these because they can\'t be predefined. But Adaptive Email DLP can avert potential disasters in real time with simple, on-screen prompts for users so that they can correct any mistakes. With a complete timeline of each incident-what was being sent, who it was being sent to and why it was stopped-security teams get actionable insight into common mistakes and intentional attempts to misdirect company data to personal or | Ransomware Data Breach Tool | ||
 |
2024-06-25 00:00:00 | WatchGuard lance la solution ThreatSync+ NDR assistée par l\'IA, pour renforcer la détection et la réponse globales aux cybermenaces (lien direct) | Paris, le 25 juin 2024. WatchGuard® Technologies, l\'un des leaders mondiaux de la cybersécurité unifiée, annonce le lancement de ThreatSync+ NDR et de WatchGuard Compliance Reporting. ThreatSync+ NDR est une solution adaptée aux entreprises de toute taille, qui disposent d\'équipes informatiques réduites ou de ressources limitées en matière de cybersécurité. Premier produit de la nouvelle gamme ThreatSync+, ThreatSync+ NDR automatise et simplifie le monitoring continu, ainsi que la détection des menaces et la prise de mesures correctives à l\'aide d\'un moteur de détection avancé basé sur l\'IA. La solution se fraye un chemin à travers les milliards de flux du réseau pour mettre en évidence les risques et les menaces exploitables, avec rapidité et efficacité. Cette solution XDR ouverte offre une visibilité sur le trafic réseau est-ouest et nord-sud qui n\'était auparavant accessible qu\'aux grandes entreprises disposant des ressources nécessaires pour gérer leur propre SOC (centre d\'opérations de sécurité). L\'IA moderne pour une détection et une réponse améliorées aux menaces ThreatSync+ NDR utilise un moteur d\'IA avancé reposant sur une approche de réseau neuronal à double couche, une technologie clé issue de l\'acquisition de CyGlass par WatchGuard en 2023. Le moteur d\'IA de ThreatSync+ corrèle et présente les anomalies sous forme d\'incidents classés par risque et par ordre de priorité. Les fournisseurs de services managés (MSP) et les professionnels de la sécurité informatique disposent ainsi d\'un tableau de bord intuitif indiquant l\'emplacement de l\'incident, les appareils, les utilisateurs et la chronologie, ce qui leur permet de se concentrer sur les menaces les plus critiques, de passer en revue les directives de mitigation et, en fin de compte, de mieux protéger leurs organisations. Gilles Macchioni, Directeur Technique Régional d\'OCI Informatique et Digital. explique : " WatchGuard ThreatSync+ NDR fournit une couche de protection avancée supplémentaire qui était auparavant hors de portée. Auparavant, la mise en œuvre du NDR était difficile en raison de sa complexité et des coûts d\'exploitation élevés qu\'il entraînait. Étant donné que l\'architecture de WatchGuard basée dans le Cloud ne nous oblige pas à installer ou à gérer du matériel complémentaire, nous pouvons déployer ThreatSync+ NDR pour nos clients rapidement, aisément et de manière rentable. Grâce à la protection avancée et abordable basée sur l\'IA proposée par WatchGuard ThreatSync+NDR, nous pouvons désormais offrir à nos clients une protection accrue tout en créant des opportunités de croissance significatives pour notre entreprise ". ThreatSync+ NDR en action ThreatSync+ NDR surveille les attaques à mesure qu\'elles surviennent sur le réseau et excelle dans la détection des attaques qui ont échappé aux défenses périmétriques, notamment les ransomwares, les vulnérabilités et les attaques touchant la supply chain. Les attaquants ne peuvent pas déceler ThreatSync+ NDR car la solution utilise l\'IA pour rechercher les actions des attaquants dissimulées dans le trafic du réseau. Par ailleurs, les attaquants ne peuvent pas se cacher de ThreatSync+, car ils doivent utiliser le réseau pour étendre leur attaque. Cela signifie que le NDR est le seul à pouvoir détecter les différentes étapes d\'une attaque, notamment les appels de commande et de contrôle, les mo | Tool Threat Cloud | ||
|
2024-06-24 21:29:22 | RedJuliett parrainé par l'État chinois s'intensifie le cyber-espionnage taïwanais via l'exploitation du périmètre du réseau Chinese State-Sponsored RedJuliett Intensifies Taiwanese Cyber Espionage via Network Perimeter Exploitation (lien direct) |
#### Targeted Geolocations - Taiwan #### Targeted Industries - Government Agencies & Services - Diplomacy/International Relations - Information Technology - Education - Higher Education ## Snapshot Recorded Future\'s Insikt Group identified cyber-espionage activities conducted by RedJuliett, tracked by Microsoft as [Flax Typhoon](https://security.microsoft.com/intel-profiles/1d86849881abbb395d908d2739d9ad57e901d557fa8c25e0b3fd281e13764ff0), targeting government, academic, technology, and diplomatic organizations in Taiwan. ## Description Researchers have identified that RedJuliett has compromised 24 organizations, including government entities in Taiwan, Laos, Kenya, and Rwanda. They have also conducted network reconnaissance and exploitation attempts against over 70 academic, government, think tank, and technology organizations in Taiwan, as well as a number of de facto embassies on the island. RedJuliett\'s exploitation techniques involve creating SoftEther VPN bridges or clients within victim networks. They use Acunetix Web Application Security Scanners for reconnaissance and exploit attempts, focusing on SQL injection and directory traversal attacks against web and SQL applications. After gaining access, they employ open-source web shells and exploit privilege escalation vulnerabilities in the Linux operating system. Their infrastructure management involves SoftEther VPN, utilizing both threat actor-controlled leased servers and compromised infrastructure from Taiwanese universities. These activities align with Beijing\'s strategic goals to gather intelligence on Taiwan\'s economic policies, trade, and diplomatic relations. Additionally, the group has targeted critical technology companies, underscoring the sector\'s significance to Chinese state-sponsored threat actors. ## Microsoft Analysis Active since 2021, Flax Typhoon is a nation-state activity group based in China. The group is known to primarily target government, education, critical manufacturing, and information technology organizations in Taiwan. Flax Typhoon typically conducts espionage, data theft, and credential access. Microsoft has [previously reported](https://security.microsoft.com/intel-explorer/articles/3a50641d) on Flax Typhoon leveraging SoftEther VPN and living-off-the-land (LOTL) techniques to gain initial access and maintain persistince within Taiwanese victim networks. LOTL techniques leverage trusted tools and processes to bypass security detections. ## Recommendations ### Defending against Flax Typhoon attacks - Keep public-facing servers up to date to defend against malicious activity. As prime targets for threat actors, public-facing servers need additional monitoring and security. User input validation, file integrity monitoring, behavioral monitoring, and web application firewalls can all help to better secure these servers. - Monitor the Windows registry for unauthorized changes. The [Audit Registry](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-registry) feature allows administrators to generate events when specific registry keys are modified. Such policies can detect registry changes that undermine the security of a system, like those made by Flax Typhoon. - Use network monitoring and intrusion detection systems to identify unusual or unauthorized network traffic. If an organization does not use RDP for a specific business purpose, any RDP traffic should be considered unauthorized and generate alerts. - Ensure that Windows systems are kept updated with the latest security patches. - Mitigate the risk of compromised valid accounts by enforcing strong multifactor authentication (MFA) policies using hardware security keys or Microsoft Authenticator. [Passwordless sign-in methods](https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless) (for example, Windows Hello, FID | Tool Vulnerability Threat | ||
|
2024-06-24 19:22:00 | Vulnérabilité critique RCE découverte dans l'outil d'infrastructure de l'ICLAMA Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool (lien direct) |
Les chercheurs en cybersécurité ont détaillé une faille de sécurité désormais paires affectant la plate-forme d'infrastructure de l'intelligence artificielle open-source (IA) d'Ollla qui pourrait être exploitée pour réaliser l'exécution du code distant.
Suivi sous le nom de CVE-2024-37032, la vulnérabilité a été nommée Problama par la société de sécurité cloud Wiz.Après la divulgation responsable le 5 mai 2024, le problème a été résolu en version
Cybersecurity researchers have detailed a now-patch security flaw affecting the Ollama open-source artificial intelligence (AI) infrastructure platform that could be exploited to achieve remote code execution. Tracked as CVE-2024-37032, the vulnerability has been codenamed Probllama by cloud security firm Wiz. Following responsible disclosure on May 5, 2024, the issue was addressed in version |
Tool Vulnerability Cloud | ||
 |
2024-06-24 16:53:18 | Installations chimiques averties d'un éventuel vol de données dans la violation de la CISA CSAT Chemical facilities warned of possible data theft in CISA CSAT breach (lien direct) |
La CISA avertit que son environnement d'outil d'évaluation de la sécurité chimique (CSAT) a été violé en janvier après que les pirates ont déployé un webshell sur son appareil Ivanti, exposant potentiellement des évaluations et des plans de sécurité sensibles.[...]
CISA is warning that its Chemical Security Assessment Tool (CSAT) environment was breached in January after hackers deployed a webshell on its Ivanti device, potentially exposing sensitive security assessments and plans. [...] |
Tool | ||
 |
2024-06-24 14:59:36 | Symantec avertit la campagne d'espionnage par le renseignement chinois ciblant les opérateurs de télécommunications asiatiques Symantec warns of espionage campaign by Chinese Intelligence targeting Asian telecom operators (lien direct) |
Les chercheurs de l'équipe Hunter de Symantec \\ ont émis une alerte sur une vaste campagne d'espionnage en utilisant des outils liés à ...
Researchers from Symantec\'s Threat Hunter Team issued an alert over an extensive espionage campaign using tools related to... |
Tool Threat | ||
|
2024-06-24 14:46:29 | La nouvelle plate-forme PHAAS permet aux attaquants de contourner l'authentification à deux facteurs New PhaaS Platform Lets Attackers Bypass Two-Factor Authentication (lien direct) |
#### Targeted Geolocations - Eastern Europe - Northern Europe - Southern Europe - Western Europe - Middle East - Central America and the Caribbean - North America - South America #### Targeted Industries - Financial Services ## Snapshot EclecticIQ analysts discovered phishing campaigns targeting financial institutions using QR codes embedded in PDF attachments to direct victims to phishing URLs. ## Description The attacks were facilitated by a Phishing-as-a-Service (PhaaS) platform called ONNX Store, which operates through Telegram bots. ONNX Store includes a two-factor authentication (2FA) bypass mechanism that intercepts 2FA requests, increasing the success rate of Business Email Compromise (BEC) attacks. The phishing pages mimic Microsoft 365 login interfaces, tricking targets into entering their authentication details. Analysts believe with high confidence that ONNX Store is likely a rebranded version of the Caffeine phishing kit, discovered by Mandiant in 2022, based on overlapping infrastructure and Telegram advertisements. The Arabic-speaking threat actor MRxC0DER is thought to be the developer and maintainer of Caffeine, and likely provides client support for ONNX Store. ONNX Store offers various services via Telegram bots, including phishing templates, webmail services, and bulletproof hosting. It leverages Cloudflare to delay takedown processes and evade detection, using features like CAPTCHA and IP proxying to protect malicious sites. ONNX Store distributes PDF documents with embedded QR codes that direct victims to phishing pages, often impersonating reputable services like Adobe or Microsoft 365. These QR codes are difficult for organizations to detect, especially on mobile devices. Most phishing campaigns target financial institutions in the EMEA and AMER regions, including banks and credit unions. The phishing kit uses encrypted JavaScript to evade detection and captures 2FA tokens in real-time, relaying them to attackers. ONNX Store also provides bulletproof hosting, allowing cybercriminals to operate without shutdown risks. The broader implications of these phishing toolkits include aiding credential theft and ransomware attacks. ## Microsoft Analysis ## Detections/Hunting Queries EclecticIQ identified two YARA Rules that can be used to identifiy potentially malicious domains or PDF Files from the ONNX Store. HUNT\_CRIME\_ONNX\_PHISHING\_URL is designed to identify specific patterns associated with malicious domains that utilize ONNX Store API such as default error messages and Telegram support links. | rule HUNT\_CRIME\_ONNX\_PHISHING\_URL { meta: description = "Searches for default ONNX Store API error" author = "Arda Buyukkaya" date = "2024-05-23" hash = "77e03c77a2bdbc09d5279fa316a35db0" strings: $contact\_link = "https://t.me/ONNXIT" $support\_message = "Please contact ONNX SUPPORT" $expired\_api = "Your API has been expired" condition: all of them } | | --- | MAL\_CRIME\_ONNX\_Store\_Phishing\_PDF\_QR is designed to detect potenetioally malcioius QR codes with PDF files. | rule MAL\_CRIME\_ONNX\_Store\_Phishing\_PDF\_QR { meta: description = "Detects potentially malicious PDFs based on structural patterns" author = "Arda Buyukkaya" date = "2024-05-17" hash = "0250a5ba26791e7ffddb4b294d486479" strings: $pdf = "%PDF-" $magic\_classic = "%!FontType1-1." $magic\_font = /obj\s\*]\*\/Subtype\s\*\/Type1/ $magic\_font2 = /obj\s\* | Ransomware Tool Threat Mobile | ||
 |
2024-06-24 14:24:06 | Ce qu\'il faut savoir sur les totems d\'affichage dynamique d\'intérieur (lien direct) | Dans un monde où la communication visuelle prend de plus en plus d'importance, les totems d'affichage dynamique d'intérieur se révèlent être des outils indispensables pour capter l'attention et transmettre efficacement des messages. | Tool | ||
|
2024-06-24 14:16:35 | Sécurité centrée sur l'homme dans l'écosystème de cybersécurité et la stratégie Better Together de Pointpoint \\ Human Centric Security in the Cybersecurity Ecosystem and Proofpoint\\'s Better Together Strategy (lien direct) |
In my previous blog, I detailed how Proofpoint has redefined email security, a central pillar of what Gartner has termed Human-Centric Security, one of their three strategic priorities for CISOs in 2024 and 2025. Now I\'d like to give you an idea of how we think human-centric security fits with the rest of the modern security stack and how the current trend toward more comprehensive security solution architectures is influencing our strategic direction. The Third Era It\'s worthwhile to start with a bit of history. In our view, we\'ve entered the third major evolution of cybersecurity. In the earliest period, the perimeter was established, and basic controls were put in place. The technologies were fewer and less capable, but the consequences of security failures were nowhere near as severe as they are now. In the second era, the perimeter largely dissolved and the rapid adoption of new technologies during the heyday of digital transformation led to a massive proliferation of point security solutions, cropping up nearly as fast as the tools they were meant to secure. Unfortunately, the cost of the security engineering, operational integration, and alert response required for these tools to be effective often outweighed the risk mitigation they provided. Now we\'ve arrived a phase where the security architectures of the future are finally taking shape. They share several key characteristics: they\'re highly integrated, cloud-deployed, and align to what security teams really need to protect: their infrastructure, the apps that run on it, the data that powers those applications, and of course the humans that simultaneously constitute their organization\'s greatest asset and biggest risk. The Pillars of a Modern Security Architecture To protect the spectrum between infrastructure and people, five key control planes have emerged. The first of those components is the network, where controls have moved past the classic confines of the firewall, proxy, VPN, and other network devices to the cloud-based consolidated services that make up the modern Secure Access Services Edge (SASE). Secondly, endpoint and server protection evolved into first Endpoint Detection and Response (EDR) and then XDR as servers were increasingly replaced by cloud workloads. That of course leaves the human element, to which I\'ll return shortly, and the two cross-architecture layers: the operational processes, increasingly automated, that drive the controls and respond to the alerts they generate, and the identity fabric, both human and machine, that ties everything together. These architectures are powerful on their own, and their effectiveness compounds when they\'re well integrated. Attackers have often exploited the gaps between poorly implemented and monitored security controls to pass from a compromise of a person\'s credentials through the network to the administrative privileges that make ransomware so disruptive. Frustrating adversaries becomes much more achievable when well-integrated security controls reinforce each other, providing not just defense in depth but also defense in breadth. For example, an attacker\'s job is much harder when the malicious attachment they use to try and target a person is blocked and analyzed, with the resulting intelligence shared across SASE and XDR. Human-Centric Security and the Ecosystem With the rise of these modern security architectures, our controls for protecting networks, endpoints, and infrastructure have evolved, becoming more comprehensive, adaptive, and effective. With over 90% of breaches involving the human element, Proofpoint\'s human-centric security platform uniquely does the same for people and integrates with the key leaders across the other five components of the modern security stack. In pioneering human-centric security, we\'ve brought together previously disconnected functionality to accomplish two critical goals. The first is helping organizations protect their people from targeted attacks, impersonation, and supplier risk, along with making their people more resilien | Ransomware Tool Threat Prediction Cloud | ||
|
2024-06-24 12:48:47 | Faits saillants hebdomadaires OSINT, 24 juin 2024 Weekly OSINT Highlights, 24 June 2024 (lien direct) |
## Snapshot Last week\'s OSINT reporting reveals a persistent focus on sophisticated cyber espionage and ransomware campaigns by state-sponsored threat actors and advanced cybercriminal groups. Key trends include the exploitation of known vulnerabilities in network devices and hypervisors by Chinese groups like Velvet Ant and UNC3886, leveraging custom malware for long-term access and data theft. Meanwhile, actors active in the Middle Eastern and South Asian such as Arid Viper and UTA0137 continue to target adversaries with trojanized apps and Linux malware, respectively. Additionally, innovative social engineering techniques, like those used by TA571 and ClearFake, highlight the evolving methods threat actors employ to deliver diverse payloads, including ransomware and information stealers. The consistent targeting of critical infrastructure, government entities, and high-value enterprises underscores the need for robust, multi-layered cybersecurity defenses to mitigate these sophisticated and persistent threats. ## Description 1. **[Arid Viper Espionage Campaigns](https://sip.security.microsoft.com/intel-explorer/articles/19d9cd7d)**: ESET researchers uncovered Arid Viper\'s espionage campaigns targeting Android users in Egypt and Palestine. The campaigns distribute trojanized apps through dedicated websites, focusing on user data espionage with their AridSpy malware, a sophisticated multistage Android spyware. 2. **[Velvet Ant Exploits F5 BIG-IP](https://sip.security.microsoft.com/intel-explorer/articles/e232b93d)**: Sygnia analysts revealed that the Chinese cyberespionage group Velvet Ant exploited vulnerabilities in F5 BIG-IP appliances to deploy malware like PlugX, enabling long-term access and data theft. These incidents emphasize the threat posed by persistent threat groups exploiting network device vulnerabilities. 3. **[UNC3886 Targets Hypervisors](https://sip.security.microsoft.com/intel-explorer/articles/faed9cc0)**: Google Cloud reported that Mandiant investigated UNC3886, a suspected Chinese cyberespionage group, targeting hypervisors with sophisticated malware and exploiting vulnerabilities in FortiOS and VMware technologies. The group utilized rootkits and custom malware for persistence and command and control. 4. **[UTA0137 Cyber-Espionage Campaign](https://sip.security.microsoft.com/intel-explorer/articles/bc2b5c55)**: Volexity identified Pakistan-based UTA0137 targeting Indian government entities with DISGOMOJI malware, which uses Discord for command and control. The campaign targets Linux systems, employing various persistence mechanisms and exploiting vulnerabilities like DirtyPipe for privilege escalation. 5. **[Proofpoint Highlights Copy-Paste Attacks](https://sip.security.microsoft.com/intel-explorer/articles/c75089e9)**: Proofpoint researchers reported that threat actors, including TA571 and ClearFake, are using techniques that prompt users to copy and paste malicious PowerShell scripts. These campaigns deliver various malware, including DarkGate and NetSupport, through clever social engineering tactics that trick users into compromising their systems. 6. **[Shinra and Limpopo Ransomware](https://sip.security.microsoft.com/intel-explorer/articles/b7a96cbd)**: FortiGuard Labs identified the emergence of Shinra and Limpopo ransomware strains in early 2024. Shinra ransomware exfiltrates data before encryption, while Limpopo targets ESXi environments, affecting multiple countries and causing significant disruptions. 7. **[CVE-2024-4577 Vulnerability Exploits](https://sip.security.microsoft.com/intel-explorer/articles/8635c515)**: Cyble Global Sensor Intelligence detected multiple scanning attempts exploiting CVE-2024-4577, a vulnerability in Windows affecting PHP installations. Threat actors are using this flaw to deploy ransomware and malware, emphasizing the urgent need for organizations to upgrade PHP versions to mitigate risks. 8. **[SmallTiger Malware Targets South Korea](https://sip.security.microsoft.com/intel-explorer/articles/3f29a6c8)**: The AhnLab Securi | Ransomware Malware Tool Vulnerability Threat Mobile Cloud | APT-C-23 | |
|
2024-06-24 10:34:00 | Multiples acteurs de menace déploient un rat Rafel open source pour cibler les appareils Android Multiple Threat Actors Deploying Open-Source Rafel RAT to Target Android Devices (lien direct) |
Les acteurs de menaces multiples, y compris les groupes de cyber-espionnage, utilisent un outil d'administration à distance Android open source appelé Rafel Rat pour atteindre leurs objectifs opérationnels en le faisant passer pour Instagram, WhatsApp et diverses applications de commerce électronique et antivirus.
"Il offre aux acteurs malveillants une boîte à outils puissante pour l'administration et le contrôle à distance, permettant une gamme d'activités malveillantes
Multiple threat actors, including cyber espionage groups, are employing an open-source Android remote administration tool called Rafel RAT to meet their operational objectives by masquerading it as Instagram, WhatsApp, and various e-commerce and antivirus apps. "It provides malicious actors with a powerful toolkit for remote administration and control, enabling a range of malicious activities |
Tool Threat Mobile | ||
|
2024-06-24 10:00:00 | COMMERCIAL BUSINESS COMPROMISSE (BEC): Suivi des affaires d'un acteur de menace \\ Business Email Compromise (BEC): Tracking a Threat Actor\\'s Funny Business (lien direct) |
Executive Summary
In a recent LevelBlue incident response engagement, an analyst in our managed detection and response (MDR) security operations center (SOC) responded to an alarm that was triggered by a suspicious email/inbox rule. The rule aimed to conceal responses to an internal phishing attempt from the account user, so the attacker could solicit funds from the company\'s users. According to a report by the Cybersecurity and Infrastructure Security Agency (CISA), “Email systems are the preferred attack vector for malicious phishing campaigns. Recent reporting shows 32 percent of breaches involve phishing attacks.”
What are inbox/email rules? These are automated instructions set up within an email client to manage incoming emails based on specified criteria. They can perform various actions such as moving emails to specific folders, marking them as read, forwarding them to other addresses, or even deleting them. While email rules are designed to streamline email management and improve user productivity, they can also be exploited by malicious actors. Why are they a powerful tool for attackers? They allow for the automation of malicious activities with minimal manual intervention. The MITRE ATT&CK framework classifies these techniques under ID: T1564.008 (Hide Artifacts: Email Rules) and ID: T1114 (Email Collection). By setting up rules to hide, forward, or delete specific emails, attackers can effectively manage their intrusion and avoid detection.
During the triage of the alarm, the analyst analyzed various artifacts and event logs to understand the extent of the compromise. They examined email logs and account activity to identify the initial point of entry and the methods used by the attacker. Their rapid detection of the suspicious rule and subsequent analysis of the user activity logs was crucial in uncovering the attacker’s strategy and preventing further damage.
Introduction
In this incident, the attacker used an email rule to hide responses to an internal phishing email, ensuring that the compromised user would remain unaware of the ongoing malicious activity. This approach aligns with tactics seen in the MITRE ATT&CK framework, where attackers use email rules to hide evidence of their activities and maintain persistence (T1564.008). This allows them to maintain control over compromised accounts for longer periods, increasing the potential for data exfiltration and other malicious actions.
Investigation
The Alarm
The SOC analyst received an alarm from a Microsoft Exchange data source indicating that a suspicious inbox rule had been created. They examined the event that activated the alarm and quickly discerned from the rule parameters that this was case of business email compromise (BEC).
Figure 1: Alarm for suspicious inbox rule
Below, you can see the email parameters included within the newly created inbox rule, which was later identified to be created by the malicious actor who compromised the user’s account.
Figure 2: Snippet of the raw log showing the created rule parameters
Each parameter’s function is as follows:
AlwaysDeleteOutlookRulesBlob: False – Indicates that the rule blob (a data structure used to store rules) is not set to be deleted automatically, allowing the rule to remain active and persistent
Force: False – Suggests that the rule was not forcibly applied, which might imply that the attacker wanted to avoid drawing attention by making the c |
Tool Threat | ||
|
2024-06-24 09:56:44 | L'outil d'évaluation de la sécurité chimique de CISA \\ frappé par la cyberattaque, documents sensibles potentiellement exposés CISA\\'s Chemical Security Assessment Tool hit by cyberattack, sensitive documents potentially exposed (lien direct) |
L'Agence américaine de sécurité de la cybersécurité et de l'infrastructure & # 8217; s (CISA) outil d'évaluation de la sécurité chimique (CSAT) a connu une violation de cybersécurité par ...
The U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Chemical Security Assessment Tool (CSAT) experienced a cybersecurity breach by... |
Tool | ||
 |
2024-06-24 03:00:36 | Règlement sur la sécurité IoT: une liste de contrôle de conformité & # 8211;Partie 1 IoT Security Regulations: A Compliance Checklist – Part 1 (lien direct) |
L'Internet des objets (IoT) fait référence au réseau mondial d'appareils physiques connectés à Internet, capable de collecter et de partager des données.Les appareils IoT vont des articles ménagers quotidiens aux outils industriels sophistiqués.En intégrant les capteurs et le matériel de communication, l'IoT comble l'écart entre les mondes physiques et numériques, permettant des environnements où les appareils intelligents fonctionnent de manière interconnectée et autonome.La croissance de l'IoT \\ est tirée par la disponibilité croissante de la puissance et de la connectivité de calcul abordables, des progrès de l'analyse des données et de l'intelligence artificielle, et le coût ...
The Internet of Things (IoT) refers to the global network of physical devices connected to the internet, capable of collecting and sharing data. IoT devices range from everyday household items to sophisticated industrial tools. By integrating sensors and communication hardware, IoT bridges the gap between the physical and digital worlds, enabling environments where smart devices operate interconnectedly and autonomously. IoT\'s growth is driven by the increasing availability of affordable computing power and connectivity, advances in data analytics and artificial intelligence, and the cost... |
Tool Industrial | ||
|
2024-06-24 02:14:10 | Snowflake Breach Balles de neige alors que de plus en plus de victimes, Perps, se manifestent Snowflake breach snowballs as more victims, perps, come forward (lien direct) |
Aussi: les outils internes d'Apple divulgués qui n'étaient pas \\ 't;Les pirates de pirates de télévision condamnés;et certaines vulnes critiques aussi infosec en bref La boule de difficulté descendante à Snowflake continue de croître, avec plus de victimes & # 8211;et même l'un des intrus présumés & # 8211;se manifester la semaine dernière.…
Also: The leaked Apple internal tools that weren\'t; TV pirate pirates convicted; and some critical vulns, too Infosec in brief The descending ball of trouble over at Snowflake keeps growing larger, with more victims – and even one of the alleged intruders – coming forward last week.… |
Tool | ||
|
2024-06-22 18:38:53 | Nouvelle campagne NetSupport livrée via des packages MSIX New NetSupport Campaign Delivered Through MSIX Packages (lien direct) |
## Instantané Xavier Mertens a identifié une nouvelle campagne NetSupport qui offre un client NetSupport malveillant via des packages MSIX.Les attaquants tirent parti de cette technique pour communiquer avec des ordinateurs infectés sans avoir besoin de développer leur propre infrastructure de commandement et de contrôle (C2). ## Description Le fichier MALICIET MSIX contient tous les composants pour télécharger et installer le client NetSupport, y compris une version portable 7ZIP utilisée pour déballer le client.Le script dans le fichier ouvre d'abord un navigateur pour afficher la page de téléchargement Chrome, vérifie alors si l'ordinateur fait partie d'un domaine Microsoft avant d'installer le client.Le client NetSupport est double compressé et le fichier de configuration révèle l'adresse IP du serveur C2, qui est en baisse pour le moment.Cette campagne représente une méthode à faible coût pour que les attaquants compromettent davantage de victimes. ## Détections / requêtes de chasse Microsoft Defender Antivirus détecte les composants de la menace comme le malware suivant: - Trojan: Win32 / Seheq ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace. - Encouragez les utilisateurs à utiliser Microsoft Edge et d'autres navigateurs Web qui prennent en charge [Microsoft Defender SmartScreen] (https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-smartscreen?ocid=magicti_ta_learndoc), qui identifie)et bloque des sites Web malveillants, y compris des sites de phishing, des sites d'arnaque et des sites contenant des exploits et des logiciels malveillants hôte. - Allumez [Protection du réseau] (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide& ;ocid=Magicti_TA_LearnDdoc) pour bloquerConnexions avec des domaines malveillants et des adresses IP. - Éduquer les utilisateurs à utiliser le navigateur URL du navigateur pour valider cela en cliquant sur un lien dans les résultats de recherche, ils sont arrivés dans un domaine légitime attendu. - Éduquer les utilisateurs à vérifier que le logiciel installé devrait être publié par un éditeur légitime. - Allumez [Protection en cas de nuage] (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-lock-at-first-sight-microsoft-defender-antvirus?View = O365 Worldwide & ocid = magicti_ta_learndoc) dans Microsoft Defender Antivirus ou l'équivalent pour que votre produit antivirus couvre rapidement les outils et techniques d'attaquant en évolution.Les protections d'apprentissage automatique basées sur le cloud bloquent la plupart des variantes nouvelles et inconnues. - Exécutez [Détection et réponse de point de terminaison (EDR) en mode bloc] (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=O365-Worldwide & ocid = magicti_ta_learndoc) afin que Microsoft Defender pour le point final puisse bloquer les artefacts malveillants, même lorsque votre antivirus non microsoft ne détecte pas la menace ou lorsque Microsoft Defender Antivirus fonctionne en mode passif.EDR en mode bloc fonctionne dans les coulisses pour corriger les artefacts malveillants qui sont détectés post-abri. - Activer [Investigation and Remediation] (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide& ;ocid=magicti_ta_learndoc) en mode automatisé complet en mode automatisé;Pour permettre à Microsoft Defender for Endpoint de prendre des mesures immédiates sur les alertes pour résoudre les violations, réduisant considérablement le volume d'alerte. - Allumez [Tamper Protection] (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=O365 worldwide & ocid = magicti_ta_learndoc) pour empêcher les attaquants d'empêcher les ser | Malware Tool Threat | ||
 |
2024-06-21 13:30:00 | Installations chimiques avertis d'une éventuelle exfiltration des données après une violation de la CISA Chemical Facilities Warned of Possible Data Exfiltration Following CISA Breach (lien direct) |
La CISA a informé les installations chimiques que son outil d'évaluation de la sécurité chimique (CSAT) était infiltré par un acteur malveillant et les données sensibles potentiellement exfiltrées
CISA has informed chemical facilities that its Chemical Security Assessment Tool (CSAT) was infiltrated by a malicious actor, and potentially exfiltrated sensitive data |
Tool | ||
 |
2024-06-21 13:00:00 | Comment l'IA génératrice élargit la surface d'attaque des menaces d'initié How generative AI Is expanding the insider threat attack surface (lien direct) |
> À mesure que l'adoption de l'IA générative (Genai) monte, il en va de même pour le risque de menaces d'initiés.Cela exerce encore plus de pression sur les entreprises pour repenser les politiques de sécurité et de confidentialité.En quelques années seulement, l'intelligence artificielle (IA) a radicalement changé le monde du travail.61% des travailleurs du savoir utilisent désormais Genai Tools & # 8212;particulièrement openai & # 8217; s [& # 8230;]
>As the adoption of generative AI (GenAI) soars, so too does the risk of insider threats. This puts even more pressure on businesses to rethink security and confidentiality policies. In just a few years, artificial intelligence (AI) has radically changed the world of work. 61% of knowledge workers now use GenAI tools — particularly OpenAI’s […] |
Tool Threat | ||
 |
2024-06-21 09:13:00 | Les détecteurs de l'IA peuvent-ils nous sauver de Chatgpt?J'ai essayé 6 outils en ligne pour découvrir Can AI detectors save us from ChatGPT? I tried 6 online tools to find out (lien direct) |
Avec l'arrivée soudaine de Chatgpt, les éducateurs et les éditeurs sont confrontés à une poussée inquiétante de soumissions de contenu automatisées.Nous regardons le problème et ce qui peut être fait à ce sujet.
With the sudden arrival of ChatGPT, educators and editors face a worrying surge of automated content submissions. We look at the problem and what can be done about it. |
Tool | ChatGPT | ★★ |
|
2024-06-20 16:19:00 | Surcharge d'outils: pourquoi les MSP se noient toujours avec d'innombrables outils de cybersécurité en 2024 Tool Overload: Why MSPs Are Still Drowning with Countless Cybersecurity Tools in 2024 (lien direct) |
Points forts
Paysage des outils complexes: explorez le large éventail d'outils de cybersécurité utilisés par les MSP, mettant en évidence le défi commun de la gestion de plusieurs systèmes qui peuvent chevaucher les fonctionnalités mais manquer d'intégration.systèmes, ainsi que le coût élevé et la complexité du maintien
Highlights Complex Tool Landscape: Explore the wide array of cybersecurity tools used by MSPs, highlighting the common challenge of managing multiple systems that may overlap in functionality but lack integration.Top Cybersecurity Challenges: Discuss the main challenges MSPs face, including integration issues, limited visibility across systems, and the high cost and complexity of maintaining |
Tool | ★★★ | |
 |
2024-06-20 15:15:55 | Cyber Assaut de décennie sur les télécommunications asiatiques a été retracée aux pirates d'État chinois Decade-Long Cyber Assault on Asian Telecoms Traced to Chinese State Hackers (lien direct) |
> Une campagne d'espionnage de plusieurs années a ciblé les entreprises de télécommunications en Asie avec des outils associés aux groupes chinois.
>A years-long espionage campaign has targeted telecoms companies in Asia with tools associated with Chinese groups. |
Tool | ★★★ | |
 |
2024-06-20 14:04:21 | Disponible maintenant: Veracode Scan pour les ides de jetbrains Available Now: Veracode Scan for JetBrains IDEs (lien direct) |
Veracode SCAN pour le code VS a été l'un des grands succès de l'Expo Floor lors de la conférence de sécurité RSA en mai de cette année.Les gens ont aimé l'intégration de Veracode Static, Veracode SCA et Veracode Fix en une seule extension, donnant aux développeurs les outils pour scanner leur code et résoudre les problèmes avec l'assistance en IA pendant qu'ils développent activement du code.
Ce qu'ils ont demandé, c'était plus d'assistance IDE, et nous sommes donc ravis d'annoncer la disponibilité de Veracode Sast, Veracode SCA et Veracode Fix en trois ides de JetBrains:
Intellij
Pycharme
Ryder
L'installation est simple, recherchez simplement le Veracode Scan à partir de la boîte de dialogue des plugins et l'installation.Si vous n'avez pas les informations d'identification de l'API Veracode, vous devrez les générer et configurer un fichier d'identification ou définir des variables d'environnement.
Une fois que vous avez fait cela, vous serez prêt à commencer à scanner votre code pour des défauts, à analyser votre logiciel tiers pour des vulnérabilités, puis à résoudre les problèmes avec le correctif Veracode.
Laissez \\ jeter un coup d'œil rapidement…
Veracode Scan for VS Code was one of the big hits on the expo floor at the RSA Security conference in May this year. People liked the integration of Veracode Static, Veracode SCA, and Veracode Fix into a single extension, giving developers the tools to scan their code and resolve problems with AI assistance while they are actively developing code. What they asked for was more IDE support, and so we\'re pleased to announce the availability of Veracode SAST, Veracode SCA, and Veracode Fix in three IDEs from JetBrains: IntelliJ Pycharm Ryder Installation is simple, simply search for Veracode Scan from the Plugins dialog and install. If you don\'t have Veracode API credentials, you will need to generate them and configure a credentials file or set environment variables. Once you\'ve done that, you will be ready to start scanning your code for flaws, analyzing your third-party software for vulnerabilities, and then remediating problems with Veracode Fix. Let\'s take a quick look at… |
Tool Vulnerability Conference | ||
 |
2024-06-20 12:00:06 | Augmentez votre qualité de vie avec un centre MSP sécurisé et un centre MSP sécurisé Up your Quality of Life with Secure MSP Hub and Secure MSP Center (lien direct) |
Toute la technologie MSP qui nous entoure est destinée à augmenter notre productivité grâce aux outils et à l'automatisation afin que notre qualité de vie puisse être améliorée.La réalité peut être différente 
All the MSP technology around us is meant to increase our productivity through tools and automation so that our quality of life can be improved. The reality can be different |
Tool | ★★★ | |
 |
2024-06-20 10:17:52 | Opérations de SoC axées sur l'efficacité Efficiency driven SOC operations (lien direct) |
> Dans mon article précédent, j'ai donné un aperçu de la transformation actuelle du marché de la cybersécurité, marquée par des acquisitions et des fusions majeures parmi les acteurs clés, et comment les joueurs de la nouvelle génération affectent profondément les modèles SOC et MSSP.Nous continuons cette série d'articles avec une plongée profonde dans ce que ces nouveaux outils signifient pour les SOC et [& # 8230;]
la Publication Suivante opérations de SoC axées sur l'efficacité est un article de ssekoia.io blog .
>In my previous article, I gave an overview of the current transformation of the cybersecurity market, marked by major acquisitions and mergers among key players, and how new generation players profoundly affect SOC and MSSP models. We continue this series of articles with a deep dive into what these new tools mean for SOCs and, […] La publication suivante Efficiency driven SOC operations est un article de Sekoia.io Blog. |
Tool | ★★★ | |
|
2024-06-20 10:00:14 | Projet Nap-temps: évaluation des capacités de sécurité offensive des modèles de gros langues Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models (lien direct) |
Posted by Sergei Glazunov and Mark Brand, Google Project Zero IntroductionAt Project Zero, we constantly seek to expand the scope and effectiveness of our vulnerability research. Though much of our work still relies on traditional methods like manual source code audits and reverse engineering, we\'re always looking for new approaches. As the code comprehension and general reasoning ability of Large Language Models (LLMs) has improved, we have been exploring how these models can reproduce the systematic approach of a human security researcher when identifying and demonstrating security vulnerabilities. We hope that in the future, this can close some of the blind spots of current automated vulnerability discovery approaches, and enable automated detection of "unfuzzable" vulnerabilities. Earlier this year, Meta released CyberSecEval 2 (Bhatt et al., 2024), which includes new LLM benchmarks for discovering and exploiting memory safety issues. The authors presented the following conclusion: Another theme is that none of the LLMs do very well on these challenges. For each challenge, scoring a 1.0 means the challenge has been passed, with any lower score meaning the LLM only partially succeeded. The average scores of all LLMs over all tests suggests that LLMs have a ways to go before performing well on this benchmark, and aren’t likely to disrupt cyber exploitation attack and defense in their present states. We find that, by refining the testing methodology to take advantage of modern LLM capabilities, significantly better performance in vulnerability discovery can be achieved. To facilitate effective evaluation of LLMs for vulnerability discovery, we propose below a set of guiding principles. We\'ve implemented these principles in our LLM-powered vulnerability research framework, which increased CyberSecEval2 benchmark performance by up to 20x from the original paper. This approach achieves new top scores of 1.00 on the “Buffer Overflow" tests (from 0.05) and 0.76 on the "Advanced Memory Corruption" tests (from 0.24). We have included a full example trajectory/log in Appendix A. While we have shown that principled agent design can greatly improve the performance of general-purpose LLMs on challenges in the security domain, it\'s the opinion of the Project Zero team that substantial progress is still needed before these tools can have a meaningful impact on the daily work of security researchers. | Tool Vulnerability Threat | ★★ | |
|
2024-06-20 10:00:00 | Les meilleurs serveurs proxy pour la multi-contrat The Best Proxy Servers for Multi-Accounting (lien direct) |
The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article. Business owners are increasingly recognizing its positive impact on business growth. Many marketing and sales strategies use different accounts on a single platform. However, despite its effectiveness in business, not all platforms allow multi-accounting. That’s where residential proxy comes in as an effective solution for multi-accounting. What Proxy Server is the Best for Multi-Accounting? There are several types of proxy servers. You can divide them into datacenter servers, residential servers, or a mix of both. Below, we look at these types and see which is better for this marketing tactic. 1. Datacenter An online datacenter generates and stores the IP addresses of datacenter proxies. As such, they are cloud-generated IPs and often more detectable than residential ones. These proxies aren’t affiliated with any ISP (Internet Server Provider). However, they still provide complete IP authenticity and anonymity. Remember that datacenter IPs are generally part of a large IP pool. Unless they\'re dedicated servers, several users can access them. 2. Residential Residential proxies differ from datacenter ones on a fundamental level, as they source their IPs from ISPs. The IP address a residential server uses belongs to an actual device. As such, it’s more authentic-looking than datacenter-generated ones. This increases its security, geo-targeting abilities, and anonymity. It’s often the better choice for multi-accounting because it better mimics a real user’s behavior. 3. Rotating Rotating proxies are a sub-type of proxy that generates a new IP address for every new connection. You can also set it to generate new IPs within a specific timeframe. Residential rotating proxies are the best option for creating several accounts, as they help avoid IP bans. Its IP rotation lets you manage different accounts from a single device by changing the IP address. As such, it’s our first choice for when you need to manage various logins on platforms. Benefits of Creating Multiple Accounts You might wonder why you need to create multiple logins for one platform. Before we discuss why proxies will benefit you, let’s discuss the advantages of multi-accounting. ● Increased Brand Exposure Managing multiple social media accounts can increase your brand exposure. By liking, sharing, and reposting your content, you spread it further than a single account can. These operations mean you can better engage with clients and create logins dedicated to specific aspects of your brand. ● Improved Customer Stickiness Clients are more loyal to brands that treat them better. By interacting more with clients and facilitating quick sales, you can build trust in the brand. Multiple e-commerce and social media logins ensure you can always complete a sale. ● Branch Out Your Market Share With different logins, you can create accounts geared towards several markets. This helps you grow your market share by releasing various products and services to specific customers. It also enhances your geo-targeted marketing campaigns to become more effective and far-reaching. ● Boosts Marketing Efforts Boosting your marketing efforts will optimize the | Tool | ★★★ | |
|
2024-06-19 10:50:09 | Intelbroker Hacker revendique la violation d'Apple, vole le code source pour les outils internes IntelBroker Hacker Claims Apple Breach, Steals Source Code for Internal Tools (lien direct) |
Notorious Hacker Intelbroker prétend avoir violé Apple, volant le code source pour les outils internes.Découvrez la violation présumée et l'histoire d'Intelbroker de cibler les grandes entreprises et les entités gouvernementales.
Notorious hacker IntelBroker claims to have breached Apple, stealing source code for internal tools. Learn about the alleged breach and IntelBroker\'s history of targeting major companies and government entities. |
Tool | ★★ | |
|
2024-06-19 03:28:35 | Où la sécurité commence dans vos projets de sécurité Where Security Starts in Your Security Projects (lien direct) |
La mise en œuvre réussie de nouveaux outils et processus dépend non seulement de la technologie elle-même, mais de la gestion méticuleuse de projet.De garantir un accès sécurisé à l'infrastructure sous-jacente, un nouvel outil sera mis en œuvre lors de la définition d'objectifs clairs et de la compréhension de l'empreinte de sécurité du service.Même les premières étapes de votre déploiement peuvent être importantes à long terme.Obtenir toutes les pièces dès le début permet de vous assurer que vous pouvez profiter des avantages d'un déploiement réussi beaucoup plus rapide et plus facile que ceux qui pourraient trébucher aux premières étapes.Définir des objectifs clairs ...
The successful implementation of new tools and processes hinges not just on the technology itself but on meticulous project management. From ensuring secure access to the underlying infrastructure, a new tool will be implemented upon defining clear goals and understanding the security footprint of the service. Even the earliest steps of your rollout can be important in the long run. Getting all the parts right from the onset helps to ensure that you can reap the benefits of a successful deployment far faster and easier than those who might stumble at the initial stages. Defining Clear Goals... |
Tool | ★★★ | |
|
2024-06-18 20:33:27 | From Clipboard to Compromise: A PowerShell Self-Pwn (lien direct) | ## Instantané Les chercheurs de ProofPoint ont identifié une technique qui ordonne aux utilisateurs de copier et de coller des scripts PowerShell malveillants pour infecter leurs ordinateurs par des logiciels malveillants.Des acteurs de menace, dont TA571 et les acteurs derrière le cluster d'activités Clearfake, utilisent cette méthode pour fournir des logiciels malveillants, notamment Darkgate, Matanbuchus, Netsupport et divers voleurs d'informations. ## Description Proofpoint a observé cette technique dans plusieurs campagnes récentes impliquant plusieurs acteurs de menace, y compris ceux qui sont derrière Clearfake et l'acteur de menace TA571, connu pour la distribution des spams menant à des logiciels malveillants et à des infections au ransomware.La chaîne d'attaque nécessite une interaction importante des utilisateurs pour réussir, mais l'ingénierie sociale est suffisamment intelligente pour présenter à quelqu'un ce qui ressemble à un vrai problème et une solution simultanément, ce qui peut inciter un utilisateur à prendre des mesures sans considérer le risque. La campagne Clearfake est un faux cluster d'activités de mise à jour du navigateur qui compromet les sites Web légitimes avec un HTML et un JavaScript malveillants.Le script initial a ensuite chargé un deuxième script à partir d'un domaine qui a utilisé Keitaro TDS pour le filtrage.Si ce deuxième script se chargeait et passait divers chèques, et si la victime continuait de parcourir le site Web, il a été présenté avec une fausse superposition d'avertissement sur le site Web compromis.Cet avertissement leur a demandé d'installer un "certificat racine" pour afficher correctement le site Web. La campagne TA571 comprenait plus de 100 000 messages et ciblé des milliers d'organisations dans le monde.Les e-mails contenaient une pièce jointe HTML qui affichait une page ressemblant à Microsoft Word.La page a également affiché un message d'erreur qui disait l'extension «\\» word en ligne \\ 'n'est pas installée »et a présenté deux options pour continuer:« comment réparer »et« automatique ». Les charges utiles observées comprennent Darkgate, Matanbuchus, Netsupport, Amadey Loader, XMRIG et Lummma Stealer.Les acteurs de la menace expérimentent activement différentes méthodes pour améliorer l'efficacité et trouver plus de voies d'infection pour compromettre un plus grand nombre de systèmes. ## Analyse Microsoft Ces dernières années, Microsoft a suivi le risque croissant que les infostateurs présentent à la sécurité des entreprises.Les infostateurs sont des logiciels malveillants de marchandises utilisés pour voler des informations à un appareil cible et l'envoyer à l'acteur de menace.La popularité de cette classe de logiciels malveillants a conduit à l'émergence d'un écosystème d'infosteller et à une nouvelle classe d'acteurs de menace qui a exploité ces capacités pour mener leurs attaques.Les infostelleurs sont annoncés comme un logiciel malveillant en tant que service (MAAS) offrant & # 8211;Un modèle d'entreprise où les développeurs louent la charge utile de l'infostealer aux distributeurs moyennant des frais. Les voleurs d'informations sont polyvalents et peuvent être distribués sous diverses formes, notamment par le biais de campagnes par e-mail de phishing, de malvertising et de logiciels, de jeux et d'outils maladucs.En règle générale, une fois que l'utilisateur télécharge et lance la charge utile malveillante, il établit des connexions de commande et de contrôle (C2) avec des domaines suspects.Une fois infecté, l'infostaler tente de collecter et finalement exfilter les informations du système, y compris les fichiers, les navigateurs, les appareils et les applications orientés sur Internet aux serveurs C2.En savoir plus [ici sur l'analyse des infostelleurs de Microsoft \\] (https://security.microsoft.com/intel-profileS / 2296D491EA381B532B24F2575F9418D4B6723C17B8A1F507D20C2140A75D16D6). - [darkgate] (https://securit | Ransomware Spam Malware Tool Threat | ★★★★ | |
|
2024-06-18 18:22:59 | Ransomware Roundup _ Shinra et Limpopo Ransomware Ransomware Roundup _ Shinra and Limpopo Ransomware (lien direct) |
#### Géolocations ciblées - Israël - Pologne - Russie - Royaume-Uni - États-Unis ## Instantané Fortiguard Labs Researcha identifié le ransomware Shinra et Limpopo dans leur rapport Ransomware Roundup.Les souches de ransomware de Shinra et Limpopo, émergeant au début de 2024, présentent des techniques avancées et ont ciblé plusieurs pays, provoquant des perturbations importantes en cryptant des fichiers et en exigeant des rançons. ## Description Le ransomware de Shinra, vu pour la première fois en avril 2024, exfiltre les données de la victime avant de chiffrer les fichiers et de supprimer des copies fantômes de volume.Il affecte les victimes en Israël, en Pologne, en Russie, au Royaume-Uni et aux États-Unis, met fin aux processus et aux services, modifie le papier peint de bureau et évite de crypter des fichiers et des répertoires spécifiques. Les ransomwares limpopo, liés aux ransomwares Socotra, ciblent les environnements ESXi et ont été soumis pour scanning en février 2024. Le vecteur d'infection pour les ransomwares limpopo est inconnu, mais il affecte plusieurs pays et crypte des fichiers avec des extensions spécifiques, ajoutant une prolongation ".limpopo" ".aux fichiers de liste blanche.Il laisse tomber une note de rançon exigeant la coopération et fournit un lien pour d'autres instructions. ## Détections / requêtes de chasse Microsoft Defender Antivirus détecte les composants de la menaceComme les logiciels malveillants suivants: - Ransom: Linux / Babuk - Ransom: win64 / akira - rançon: win32 / conti - Trojan: Linux / Filecoder ## ReCommensions Microsoft recommande les atténuations suivantes pour réduire l'impact des menaces de ransomware. - Allumez [Protection en livraison du cloud] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-lock-at-first-sight-microsoft-defender-asvirus?ocid=magicti_ta_learndoc)Dans Microsoft Defender Antivirus ou l'équivalent pour que votre produit antivirus couvre des outils et techniques d'attaquant en évolution rapide.Les protections d'apprentissage automatique basées sur le cloud bloquent une énorme majorité de variantes nouvelles et inconnues. - Allumez [Protection Tamper] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?ocid=Magicti_TA_LearnDoc).Empêcher les attaquants d'empêcher les services de sécurité. - Exécutez [Détection et réponse de point de terminaison (EDR) en mode bloc] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-lock-mode?ocid=Magicti_TA_Learndoc), de sorte que celaLe défenseur du point final peut bloquer les artefacts malveillants, même lorsque votre antivirus non microsoft ne détecte pas la menace ou lorsque l'antivirus Microsoft Defender fonctionne en mode passif.EDR en mode bloc fonctionne dans les coulisses pour corriger les artefacts malveillants détectés après la lutte. - Activer [Investigation and Remediation] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?ocid=Magicti_TA_Learndoc) en mode automatisé complet pour permettre au défenseur de terminer l'action immédiatement sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate surAlertes pour résoudre les violations, réduisant considérablement le volume d'alerte. - Les clients de Microsoft Defender peuvent activer [Règles de réduction de la surface d'attaque] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?ocid=Magicti_TA_LearnDoc) pour prévenir les techniques d'attaque communes utilisées utilisées utiliséDans les attaques de ransomwares.Les règles de réduction de la surface d'attaque sont des pa | Ransomware Malware Tool Threat | ★★★ | |
|
2024-06-18 15:11:00 | De nouveaux cibles malwares cibles exposées Docker API pour l'exploitation de crypto-monnaie New Malware Targets Exposed Docker APIs for Cryptocurrency Mining (lien direct) |
Les chercheurs en cybersécurité ont découvert une nouvelle campagne de logiciels malveillants qui cible les points de terminaison publiquement exposés de l'API dans le but de livrer des mineurs de crypto-monnaie et d'autres charges utiles.
Parmi les outils déployés est un outil d'accès à distance qui est capable de télécharger et d'exécuter plus de programmes malveillants ainsi qu'un utilitaire pour propager les logiciels malveillants via SSH, Cloud Analytics Platform Datadog
Cybersecurity researchers have uncovered a new malware campaign that targets publicly exposed Docket API endpoints with the aim of delivering cryptocurrency miners and other payloads. Included among the tools deployed is a remote access tool that\'s capable of downloading and executing more malicious programs as well as a utility to propagate the malware via SSH, cloud analytics platform Datadog |
Malware Tool Cloud | ★★★ | |
|
2024-06-18 14:00:00 | Couchée et secrète: Découvrir les opérations d'espionnage UNC3886 Cloaked and Covert: Uncovering UNC3886 Espionage Operations (lien direct) |
Written by: Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, Alex Marvi
Following the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began investigating numerous intrusions conducted by UNC3886, a suspected China-nexus cyber espionage actor that has targeted prominent strategic organizations on a global scale. In January 2023, Mandiant provided detailed analysis of the exploitation of a now-patched vulnerability in FortiOS employed by a threat actor suspected to be UNC3886. In March 2023, we provided details surrounding a custom malware ecosystem utilized on affected Fortinet devices. Furthermore, the investigation uncovered the compromise of VMware technologies, which facilitated access to guest virtual machines. Investigations into more recent operations in 2023 following fixes from the vendors involved in the investigation have corroborated Mandiant\'s initial observations that the actor operates in a sophisticated, cautious, and evasive nature. Mandiant has observed that UNC3886 employed several layers of organized persistence for redundancy to maintain access to compromised environments over time. Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is detected and eliminated. This blog post discusses UNC3886\'s intrusion path and subsequent actions that were performed in the environments after compromising the guest virtual machines to achieve access to the critical systems, including: The use of publicly available rootkits for long-term persistence Deployment of malware that leveraged trusted third-party services for command and control (C2 or C&C) Subverting access and collecting credentials with Secure Shell (SSH) backdoors Extracting credentials from TACACS+ authentication using custom malware Mandiant has published detection and hardening guidelines for ESXi hypervisors and attack techniques employed by UNC3886. For Google SecOps Enterprise+ customer |
Malware Tool Vulnerability Threat Cloud Technical | APT 41 | ★★★ |
|
2024-06-18 11:03:00 | LevelBlue Labs découvre un nouveau chargeur très évasif ciblant les organisations chinoises LevelBlue Labs Discovers Highly Evasive, New Loader Targeting Chinese Organizations (lien direct) |
Executive Summary LevelBlue Labs recently discovered a new highly evasive loader that is being delivered to specific targets through phishing attachments. A loader is a type of malware used to load second-stage payload malware onto a victim’s system. Due to the lack of previous samples observed in the wild, LevelBlue Labs has named this malware “SquidLoader,” given its clear efforts at decoy and evasion. After analysis of the sample LevelBlue Labs retrieved, we uncovered several techniques SquidLoader is using to avoid being statically or dynamically analyzed. LevelBlue Labs first observed SquidLoader in campaigns in late April 2024, and we predict it had been active for at least a month prior. The second-stage payload malware that SquidLoader delivered in our sample is a Cobalt Strike sample, which had been modified to harden it against static analysis. Based on SquidLoader’s configuration, LevelBlue Labs has assessed that this same unknown actor has been observed delivering sporadic campaigns during the last two years, mainly targeting Chinese-speaking victims. Despite studying a threat actor who seems to focus on a specific country, their techniques and tactics may be replicated, possibly against non-Chinese speaking organizations in the near future by other actors or malware creators who try to avoid detections. Loader Analysis In late April 2024, LevelBlue Labs observed a few executables potentially attached to phishing emails. One of the samples observed was ‘914b1b3180e7ec1980d0bafe6fa36daade752bb26aec572399d2f59436eaa635’ with a Chinese filename translating to “Huawei industrial-grade router related product introduction and excellent customer cases.” All the samples LevelBlue Labs observed were named for Chinese companies, such as: China Mobile Group Shaanxi Co Ltd, Jiaqi Intelligent Technology, or Yellow River Conservancy Technical Institute (YRCTI). All the samples had descriptive filenames aimed at luring employees to open them, and they carried an icon corresponding to a Word Document, while in fact being executable binaries. These samples are loaders that download and execute a shellcode payload via a GET HTTPS request to the /flag.jpg URI. These loaders feature heavy evasion and decoy mechanisms which help them remain undetected while also hindering analysis. The shellcode that is delivered is also loaded in the same loader process, likely to avoid writing the payload to disk and thus risk being detected. Due to all the decoy and evasion techniques observed in this loader, and the absence of previous similar samples, LevelBlue Labs has named this malware “SquidLoader”. Most of the samples LevelBlue Labs observed use a legitimate expired certificate to make the file look less suspicious. The invalid certificate (which expired on July 15, 2021) was issued to Hangzhou Infogo Tech Co., Ltd. It has the thumbprint “3F984B8706702DB13F26AE73BD4C591C5936344F” and serial number “02 0E B5 27 BA C0 10 99 59 3E 2E A9 02 E3 97 CB.” However, it is not the only invalid certificate used to sign the malicious samples. The command and control (C&C) servers SquidLoader uses employ a self-signed certificate. In the course of this investigation all the discovered C&C servers use a certificate with the following fields for both the issuer and the subject: Common Name: localhost Organizational Unit: group Organization: Company Locality: Nanjing State/Province: Jiangsu Country: CN When first executed, the SquidLoader duplicates to a predefined location (unless the loader is already present) and then restarts from the new location. In this case the target location was C:\BakFiles\install.exe. This action appears to be an intentional decoy, executing the loader with a non-suspicio | Malware Tool Threat Mobile Prediction Technical | ★★ | |
 |
2024-06-17 17:00:00 | Certaines compétences ne doivent pas être cédées à l'IA Some Skills Should Not Be Ceded to AI (lien direct) |
Les outils d'IA continuent d'essayer de retirer tous les emplois amusants.Voici quelques-unes des raisons pour lesquelles les gens de la cybersécurité (et autres) sautent les tricheurs d'écriture.
AI tools keep trying to take away all the fun jobs. Here are just a few of the reasons for cybersecurity folks (and others) to skip the writing cheats. |
Tool | ★★ |
To see everything:
Our RSS (filtrered)
