SEC News

What's new arround internet

Last one

Src	Date (GMT)	Titre	Description	Tags	Stories	Notes
	2024-07-22 10:33:31	Faits saillants hebdomadaires, 22 juillet 2024 Weekly OSINT Highlights, 22 July 2024 (lien direct)	## Instantané La semaine dernière, le rapport OSINT de \\ présente des groupes APT alignés par l'État et des cybercriminels motivés par l'État, tels que les ransomwares APT41 et Akira, exploitant des vulnérabilités zéro-jour et tirant parti des campagnes de phishing pour accéder au premier accès.Les attaques ciblaient principalement des secteurs comme le gouvernement, le monde universitaire et les institutions financières, ainsi que des régions géographiques spécifiques, notamment le Moyen-Orient, l'Amérique du Nord et l'Asie du Sud-Est.De plus, les réseaux sociaux et les menaces basés sur le téléphone étaient proéminents, avec des attaquants utilisant des plates-formes comme WhatsApp et des services cloud, et en tirant parti du contenu généré par l'IA.Les tactiques utilisées par ces acteurs de menace comprenaient l'utilisation d'homoglyphes, de tissage IL, de vulnérabilités de jour zéro et de techniques d'évasion sophistiquées, mettant en évidence la nature en constante évolution des cyber-menaces et la nécessité de mesures de cybersécurité robustes. ## Description 1. [APT41 cible les organisations mondiales] (https://sip.security.microsoft.com/intel-explorer/articles/3ecd0e46): mandiant et google \'s tag ont rapporté des organisations ciblant APT41 en Italie, en Espagne, Taiwan, Thaïlande, Turquie et Royaume-Uni.Le groupe a utilisé des compromis de la chaîne d'approvisionnement, des certificats numériques volés et des outils sophistiqués comme Dustpan et Dusttrap pour exécuter des charges utiles et des données d'exfiltrat. 2. [Play Ransomware cible les environnements VMware ESXi] (https://sip.security.microsoft.com/intel-explorer/articles/2435682e): Trend Micro a découvert une variante lineux de Play Ransomware ciblant les environnements VMware ESXi, marquant la première instance de Playd'une telle attaque.Le ransomware utilise des commandes ESXi spécifiques pour arrêter les machines virtuelles avant le chiffrement, montrant un élargissement potentiel des cibles à traversPlates-formes Linux. 3. [Campagne de Nuget malveillante] (https://sip.security.microsoft.com/intel-explorer/articles/186ac750): REVERSINGLABSLes chercheurs ont trouvé une campagne de Nuget malveillante où les acteurs de la menace ont utilisé des homoglyphes et un tissage pour tromper les développeurs.Ils ont inséré les téléchargeurs obscurcis dans des fichiers binaires PE légitimes et exploité les intégrations MSBuild de NuGet \\ pour exécuter du code malveillant lors des builds de projet. 4. [Attaques DDOS par des groupes hacktivistes russes] (https://sip.security.microsoft.com/intel-explorer/articles/e9fbb909): Des chercheurs de Cyble ont été signalés sur les attaques DDOHacknet, ciblant les sites Web français avant les Jeux olympiques de Paris.Ces groupes d'opération d'influence se concentrent souvent surCibles des membres ukrainiens et de l'OTAN. 5. [AndroxGh0st Maleware cible les applications Laravel] (https://sip.security.microsoft.com/intel-explorer/articles/753Beb5a): les chercheurs de Centre d'orage Internet ont identifié AndroxGh0st, un malware python-scriptCiblage des fichiers .env dans les applications Web Laravel, exploitant les vulnérabilités RCE.Le malware effectue une numérisation de vulnérabilité, déploie des shells Web et exfiltre des données sensibles. 6. [TAG-100 Activités de cyber-espionage] (https://sip.security.microsoft.com/intel-explorer/articles/7df80747): le groupe insikt de Future \\ a enregistré Future \\ découvert TAG-100 \\ s \\ 's Cyber Future.Activités ciblant les organisations gouvernementales, intergouvernementales et du secteur privé dans le monde, probablement pour l'espionnage.Le groupe utilise des outils open source et exploite les vulnérabilités nouvellement publiées dans les appareils orientés Internet. 7. [Dragonbridge Influence Operations] (https://sip.security.microsoft.com/intel-explorer/articles/3e4f73d5): le groupe d'analyse des menaces de Google \\ a été rapporté sur Dragonbridge	Ransomware Malware Tool Vulnerability Threat Mobile Prediction Cloud	APT 41
	2024-07-15 11:27:07	Weekly OSINT Highlights, 15 July 2024 (lien direct)	## Snapshot Last week\'s OSINT reporting highlights a diverse array of cyber threats, showcasing the prominence of sophisticated malware, information stealers, and ransomware attacks. Attack vectors frequently include compromised websites, phishing emails, malicious advertisements, and exploitation of known vulnerabilities, particularly in widely-used software like Oracle WebLogic and Microsoft Exchange. Threat actors range from organized state-sponsored groups, such as China\'s APT41 (tracked by Microsoft as [Brass Typhoon](https://security.microsoft.com/intel-profiles/f0aaa62bfbaf3739bb92106688e6a00fc05eafc0d4158b0e389b4078112d37c6)) and APT40 (tracked by Microsoft as [Gingham Typhoon](https://security.microsoft.com/intel-profiles/a2fc1302354083f4e693158effdbc17987818a2433c04ba1f56f4f603268aab6)), to individual developers using platforms like GitHub to distribute malware. The targets are varied, encompassing financial institutions, cryptocurrency exchanges, government agencies, and sectors like healthcare, education, and manufacturing, with a notable focus on high-value data and critical infrastructure across multiple countries. ## Description 1. [Clickfix Infection Chain](https://security.microsoft.com/intel-explorer/articles/85fea057): McAfee Labs discovered the "Clickfix" malware delivery method that uses compromised websites and phishing emails to trick users into executing PowerShell scripts. This method is being used to deliver [Lumma](https://security.microsoft.com/intel-profiles/33933578825488511c30b0728dd3c4f8b5ca20e41c285a56f796eb39f57531ad)[Stealer](https://security.microsoft.com/intel-profiles/33933578825488511c30b0728dd3c4f8b5ca20e41c285a56f796eb39f57531ad) and [DarkGate](https://security.microsoft.com/intel-profiles/52fa311203e55e65b161aa012eba65621f91be7c43bacaaad126192697e6b648) malware across multiple countries, including the US, Canada, and China. 2. [CRYSTALRAY Expands Targeting](https://security.microsoft.com/intel-explorer/articles/ecea26df): Sysdig researchers identified the threat actor CRYSTALRAY, who has scaled operations to over 1,500 victims using SSH-Snake and various vulnerabilities for lateral movement and data exfiltration. Targets include systems vulnerable to CVE-2022-44877, CVE-2021-3129, and CVE-2019-18394. 3. [DodgeBox Loader by APT41](https://security.microsoft.com/intel-explorer/articles/3524d2ae): Zscaler ThreatLabz reported on DodgeBox, a reflective DLL loader used by the Chinese APT41 group, also known as Brass Typhoon. The loader delivers the MoonWalk backdoor and employs sophisticated techniques like call stack spoofing to avoid detection. 4. [ViperSoftX Information Stealer](https://security.microsoft.com/intel-explorer/articles/8084ff7b): Trellix researchers highlighted ViperSoftX, an information stealer spread through cracked software and malicious eBooks. The malware uses PowerShell and AutoIt for data exfiltration and evasion, targeting cryptocurrency wallets and other sensitive information. 5. [Coyote Banking Trojan](https://security.microsoft.com/intel-explorer/articles/201d7c4d): BlackBerry detailed Coyote, a .NET banking trojan targeting Brazilian financial institutions. Delivered likely via phishing, it performs various malicious functions like screen capture and keylogging, communicating with C2 servers upon detecting target domains. 6. [Kematian-Stealer on GitHub](https://security.microsoft.com/intel-explorer/articles/4e00b1b4): CYFIRMA identified Kematian-Stealer, an open-source information stealer hosted on GitHub. It targets applications like messaging apps and cryptocurrency wallets, employing in-memory execution and anti-debugging measures to evade detection. 7. [Eldorado Ransomware-as-a-Service](https://security.microsoft.com/intel-explorer/articles/3603cd85): Group-IB reported on Eldorado, a RaaS targeting various industries and countries, primarily the US. Written in Golang, it uses Chacha20 and RSA-OAEP encryption and has customizable features for targeted attacks. 8. [DoNex Ransomware Flaw](https://security.microsoft.com	Ransomware Malware Tool Vulnerability Threat Legislation Prediction Medical	APT 41 APT 40
	2024-04-08 15:09:15	Faits saillants hebdomadaires, 8 avril 2024 Weekly OSINT Highlights, 8 April 2024 (lien direct)	Last week\'s OSINT reporting reveals several key trends emerge in the realm of cybersecurity threats. Firstly, there is a notable diversification and sophistication in attack techniques employed by threat actors, ranging from traditional malware distribution through phishing emails to advanced methods like DLL hijacking and API unhooking for evading detection. Secondly, the threat landscape is characterized by the presence of various actors, including state-sponsored groups like Earth Freybug (a subset of APT41) engaging in cyberespionage and financially motivated attacks, as well as cybercrime actors orchestrating malware campaigns such as Agent Tesla and Rhadamanthys. Thirdly, the targets of these attacks span across different sectors and regions, with organizations in America, Australia, and European countries facing significant threats. Additionally, the emergence of cross-platform malware like DinodasRAT highlights the adaptability of threat actors to target diverse systems, emphasizing the need for robust cybersecurity measures across all platforms. Overall, these trends underscore the dynamic and evolving nature of cyber threats, necessitating continuous vigilance and proactive defense strategies from organizations and cybersecurity professionals. 1. [Latrodectus Loader Malware Overview](https://sip.security.microsoft.com/intel-explorer/articles/b4fe59bf) Latrodectus is a new downloader malware, distinct from IcedID, designed to download payloads and execute arbitrary commands. It shares characteristics with IcedID, indicating possible common developers. 2. [Earth Freybug Cyberespionage Campaign](https://sip.security.microsoft.com/intel-explorer/articles/327771c8) Earth Freybug, a subset of APT41, engages in cyberespionage and financially motivated attacks since at least 2012. The attack involved sophisticated techniques like DLL hijacking and API unhooking to deploy UNAPIMON, evading detection and enabling malicious commands execution. 3. [Agent Tesla Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/cbdfe243) Agent Tesla malware targets American and Australian organizations through phishing campaigns aimed at stealing email credentials. Check Point Research identified two connected cybercrime actors behind the operation. 4. [DinodasRAT Linux Version Analysis](https://sip.security.microsoft.com/intel-explorer/articles/57ab8662) DinodasRAT, associated with the Chinese threat actor LuoYu, is a cross-platform backdoor primarily targeting Linux servers. The latest version introduces advanced evasion capabilities and is installed to gain additional footholds in networks. 5. [Rhadamanthys Information Stealer Malware](https://sip.security.microsoft.com/intel-explorer/articles/bf8b5bc1) Rhadamanthys utilizes Google Ads tracking to distribute itself, disguising as popular software installers. After installation, it injects into legitimate Windows files for data theft, exploiting users through deceptive ad redirects. 6. [Sophisticated Phishing Email Malware](https://sip.security.microsoft.com/intel-explorer/articles/abfabfa1) A phishing email campaign employs ZIP file attachments leading to a series of malicious file downloads, culminating in the deployment of PowerShell scripts to gather system information and download further malware. 7. [AceCryptor Cryptors-as-a-Service (CaaS)](https://sip.security.microsoft.com/intel-explorer/articles/e3595388) AceCryptor is a prevalent cryptor-as-a-service utilized in Rescoms campaigns, particularly in European countries. Threat actors behind these campaigns abuse compromised accounts to send spam emails, aiming to obtain credentials for further attacks. ## Learn More For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: [https://aka.ms/threatintelblog](https://aka.ms/threatintelblog). Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to ge	Ransomware Spam Malware Tool Threat Cloud	APT 41	★★★

Last update at: 2024-07-24 03:07:25
See our sources.

To see everything: Our RSS (filtrered)