What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-09-30 17:16:47 | Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server (lien direct) |  Cisco Talos has released new coverage to detect and prevent the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers. While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for security patches for these vulnerabilities. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.Vulnerability details and ongoing exploitationExploit requests for these vulnerabilities look similar to previously discovered ProxyShell exploitation attempts:autodiscover/autodiscover.json?@evil.com/&Email=autodiscover/autodiscover.json%3f@evil.comSuccessful exploitation of the vulnerabilities observed in the wild leads to preliminary information-gathering operations and the persistence of WebShells for continued access to compromised servers. Open-source reporting indicates that webShells such as Antsword, a popular Chinese language-based open-source webshell, SharPyShell an ASP.NET-based webshell and China Chopper have been deployed on compromised systems consisting of the following artifacts:C:\inetpub\wwwroot\aspnet_client\Xml.ashxC:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspxC:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashxC:\Program Files\Microsoft\Exchange Server\V15 |
Malware Threat Guideline | ||
 |
2022-09-30 17:02:00 | Hackers Hide Malware in Windows Logo, Target Middle East Governments (lien direct) | The group continued to use the LookBack backdoor, but also several new types of malware | Malware | ||
 |
2022-09-30 15:50:00 | New Malware Campaign Targeting Job Seekers with Cobalt Strike Beacons (lien direct) | A social engineering campaign leveraging job-themed lures is weaponizing a years-old remote code execution flaw in Microsoft Office to deploy Cobalt Strike beacons on compromised hosts. "The payload discovered is a leaked version of a Cobalt Strike beacon," Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said in a new analysis published Wednesday. "The beacon configuration contains | Malware | ||
 |
2022-09-30 13:15:12 | New Botnet \'Chaos\' Targeting Linux, Windows Systems (lien direct) | Lumen's Black Lotus Labs blogs about discovering a new rapidly growing, multipurpose malware written in the Go programming language. Dubbed “Chaos” by the author, the malware was developed for Windows, Linux, and a wide array of consumer devices, small office/home office (SOHO) routers and enterprise servers. “We are seeing a complex malware that has quadrupled […] | Malware | ||
 |
2022-09-30 13:12:00 | Cyberespionage group developed backdoors tailored for VMware ESXi hypervisors (lien direct) | Researchers have identified a new malware family that was designed to backdoor and create persistence on VMware ESXi servers by leveraging legitimate functionality the hypervisor software supports. According to researchers from Mandiant who found and analyzed the backdoors, they were packaged and deployed on infected servers as vSphere Installation Bundles (VIBs). VIBs are software packages used to distribute components that extend VMware ESXi functionality. The malicious VIBs provided hackers with remote command execution and persistence capabilities on the servers and the ability to execute commands on the guest virtual machines running on the servers.To read this article in full, please click here | Malware | ||
 |
2022-09-30 12:37:27 | Prilex, un groupe malveillant reconnu, vend de nouveaux malwares sophistiqués pour infecter des terminaux de paiement partout dans le monde (lien direct) | Prilex, un groupe malveillant reconnu, vend de nouveaux malwares sophistiqués pour infecter des terminaux de paiement partout dans le monde. Prilex est aujourd'hui devenu un malware sophistiqué aux méthodes complexes, prenant pour cible les terminaux de points de vente (PoS). De plus, les agents malveillants opérant derrière cette campagne vendent activement leurs logiciels sur le darknet en tant que Malware-as-a-Service (MaaS), ce qui signifie qu'ils sont désormais entre les mains d'autres cybercriminels, et que le risque pour les entreprises de devenir la cible de ransomwares n'a jamais été aussi grand. - Malwares | Malware | ★★★★ | |
 |
2022-09-30 05:17:30 | Experts uncovered novel Malware persistence within VMware ESXi Hypervisors (lien direct) | >Researchers from Mandiant have discovered a novel malware persistence technique within VMware ESXi Hypervisors. Mandiant detailed a novel technique used by malware authors to achieve administrative access within VMware ESXi Hypervisors and take over vCenter servers and virtual machines for Windows and Linux to perform the following actions: Send commands to the hypervisor that will […] | Malware | ||
 |
2022-09-29 21:37:02 | New Chaos malware spreads over multiple architectures (lien direct) | >A new malware named Chaos raises concerns as it spreads on multiple architectures and operating systems. | Malware | ||
|
2022-09-29 19:45:00 | Brazilian Prilex Hackers Resurfaced With Sophisticated Point-of-Sale Malware (lien direct) | A Brazilian threat actor known as Prilex has resurfaced after a year-long operational hiatus with an advanced and complex malware to steal money by means of fraudulent transactions. "The Prilex group has shown a high level of knowledge about credit and debit card transactions, and how software used for payment processing works," Kaspersky researchers said. "This enables the attackers to keep | Malware Threat | ||
 |
2022-09-29 17:14:07 | Hacking group hides backdoor malware inside Windows logo image (lien direct) | Security researchers have discovered a malicious campaign by the 'Witchetty' hacking group, which uses steganography to hide a backdoor malware in a Windows logo. [...] | Malware | ||
 |
2022-09-29 17:05:59 | North Korean Gov Hackers Caught Rigging Legit Software (lien direct) | Threat hunters at Microsoft have intercepted a notorious North Korean government hacking group lacing legitimate open source software with custom malware capable of data theft, espionage, financial gain and network destruction. | Malware | ||
 |
2022-09-29 15:50:23 | New Kaiji Modular Malware Variant "Chaos" Targets Europe (lien direct) | FortiGuard Labs is aware of a new variant of modular malware "Kaiji" targeting Windows and Linux machines and devices belonging to both consumers and enterprises in Europe. Dubbed "Chaos", the malware connects to command and control (C2) servers and performs various activities including launching Distributed Denial of Service (DDoS) attacks and mining crypto currencies.Why is this Significant?This is significant because the Chaos malware targets both consumers and enterprises in Europe by exploiting various vulnerabilities. Infected machines will join a botnet which are then used for malicious activities such as DDoS attacks and cryptocurrency mining.What is Chaos Malware?Chaos is a Go-based modular malware for Windows and Linux and is allegedly an updated version of Kaiji malware. Chaos malware connects to C2 servers and receives remote commands as well as modules for additional functionality. According to security vendor Black Lotus Labs, Chaos is primarily used for DDoS attacks and cryptocurrency mining. It is also designed to spread to other systems through SSH and exploitation of various vulnerabilities.It is important to note that ransomware with a similar name exists (Chaos ransomware), but they are completely unrelated.What Vulnerabilities Does Chaos Exploit for Propagation?The following vulnerabilities were exploited by Chaos malware according to Black Lotus Labs:Command Execution vulnerability in Huawei HG532 Router (CVE-2017-17215)Command Injection Vulnerability in Zyxel firewalls (CVE-2022-30525)Note - that since Chaos is a modular malware and receives remote commands, it may exploit other vulnerabilities including Authentication Bypass Vulnerability in F5 BIG-IP (CVE-2022-1388).Have Vendors Released Patches for CVE-2017-17215, CVE-2022-30525 and CVE-2022-1388?Patches are available for CVE-2022-30525 and CVE-2022-1388. We are currently unaware of any vendor supplied patches for CVE-2017-17215.What is the Status of Protection?FortiGuard Labs will detect Chaos DDoS malware with the following AV signatures:Linux/Kaiji.C!trW32/Ransom_Foreign.R002C0WG222W32/PossibleThreatFortiGuard Labs provides the following IPS signatures for the vulnerabilities exploited by Chaos malware:Huawei.HG532.Remote.Code.Execution (CVE-2017-17215)ZyXEL.Firewall.ZTP.Command.Injection (CVE-2022-30525)F5.BIG-IP.iControl.REST.Authentication.Bypass (CVE-2022-1388) | Ransomware Malware Vulnerability | ||
 |
2022-09-29 13:00:09 | Covert malware targets VMware for hypervisor-level espionage (lien direct) | VMware, Mandiant track back operators, finding ties to China Emerging covert malware families that target VMware environments could allow criminals to gain persistent administrative access to the hypervisor, transfer files, and execute arbitrary commands between virtual machines, according to VMware and Mandiant, which discovered the software nasty earlier this year.… | Malware | ||
 |
2022-09-29 11:00:25 | Check Point MIND Announces new partnership with training vendor Monnappa K.A. (lien direct) | >Customers can now learn Malware Analysis and Threat Hunting using Memory Forensics from the author of the best selling book and the Black Hat Trainer Monnappa K.A MIND – Check Point Software's learning & Training organization announced a new partnership with training vendor Monnappa K.A, providing customer and partners the ability to advance their skills… | Malware Threat | ||
|
2022-09-29 09:00:18 | New malware backdoors VMware ESXi servers to hijack virtual machines (lien direct) | Hackers have found a new method to establish persistence on VMware ESXi hypervisors to control vCenter servers and virtual machines for Windows and Linux while avoiding detection. [...] | Malware | ||
 |
2022-09-29 08:01:00 | Mauvaise vib (e) S deuxième partie: détection et durcissement dans les hyperviseurs ESXi Bad VIB(E)s Part Two: Detection and Hardening within ESXi Hypervisors (lien direct) |
dans partie la première , nous avons couvert les attaquants \\«Utilisation de malveillants paquets d'installation vsphere (« vibs ») à installerPlusieurs déroges sur les hyperviseurs ESXi, en se concentrant sur les logiciels malveillants présents dans les charges utiles VIB.Dans cet épisode, nous continuerons à élaborer davantage sur d'autres actions de l'attaquant telles que les horodomages, à décrire les méthodologies de détection ESXi pour vider la mémoire du processus et effectuer des scans YARA, et discuter de la façon de durcir davantage les hyperviseurs pour minimiser la surface d'attaque des hôtes ESXi.Pour plus de détails, VMware a publié Informations supplémentaires sur la protection de vsphere .
Loggation ESXi
les deux
In part one, we covered attackers\' usage of malicious vSphere Installation Bundles (“VIBs”) to install multiple backdoors across ESXi hypervisors, focusing on the malware present within the VIB payloads. In this installment, we will continue to elaborate further on other attacker actions such as timestomping, describe ESXi detection methodologies to dump process memory and perform YARA scans, and discuss how to further harden hypervisors to minimize the attack surface of ESXi hosts. For more details, VMware has released additional information on protecting vSphere. ESXI Logging Both |
Malware | ★★★ | |
|
2022-09-29 08:00:00 | Bad VIB (E) S première partie: enquêter sur une nouvelle persistance de logiciels malveillants dans les hyperviseurs ESXi Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors (lien direct) |
Comme les solutions de détection et de réponse (EDR) (EDR) améliorent l'efficacité de détection des logiciels malveillants sur les systèmes Windows, certains acteurs de menace parrainés par l'État se sont déplacés vers le développement et le déploiement de logiciels malveillants sur des systèmes qui ne prends généralement pas en charge EDR tels que les appareils réseau, les tableaux SAN et les serveurs ESXi VMware.
Plus tôt cette année, Mandiant a identifié un nouvel écosystème de logiciels malveillants ayant un impact sur VMware ESXi, les serveurs Linux VCenter et les machines virtuelles Windows qui permet à un acteur de menace de prendre les actions suivantes:
Maintenir un accès administratif persistant à l'hyperviseur
Envoyez des commandes au
As endpoint detection and response (EDR) solutions improve malware detection efficacy on Windows systems, certain state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR such as network appliances, SAN arrays, and VMware ESXi servers. Earlier this year, Mandiant identified a novel malware ecosystem impacting VMware ESXi, Linux vCenter servers, and Windows virtual machines that enables a threat actor to take the following actions: Maintain persistent administrative access to the hypervisor Send commands to the |
Malware Threat | ★★★ | |
|
2022-09-29 07:28:01 | Go-based Chaos malware is rapidly growing targeting Windows, Linux and more (lien direct) | >A new multifunctional Go-based malware dubbed Chaos is targeting both Windows and Linux systems, experts warn. Researchers from Black Lotus Labs at Lumen Technologies, recently uncovered a multifunctional Go-based malware that was developed to target devices based on multiple architectures, including Windows and Linux. The malicious code was developed to target a broad range of devices, […] | Malware | ||
|
2022-09-29 03:05:27 | Upgraded Prilex Point-of-Sale malware bypasses credit card security (lien direct) | Security analysts have observed three new versions of Prilex this year, indicating that the authors and operators of the PoS-targeting malware are back to action. [...] | Malware | ||
 |
2022-09-28 23:48:03 | Never-before-seen malware has infected hundreds of Linux and Windows devices (lien direct) | Small office routers? FreeBSD machines? Enterprise servers? Chaos infects them all. | Malware | ||
 |
2022-09-28 21:15:00 | APT28 attack uses old PowerPoint trick to download malware (lien direct) | >Categories: NewsTags: APT28 Tags: Fancy Bear Tags: PowerPoint Tags: PowerShell Tags: One Drive Tags: SyncAppvPublishingServer The Russian APT known as Fancy Bear was caught using an old mouseover technique that doesn't need macros (Read more...) | Malware | APT 28 | |
 |
2022-09-28 20:59:09 | Sophisticated Covert Cyberattack Campaign Targets Military Contractors (lien direct) | Malware used in the STEEP#MAVERICK campaign features rarely seen obfuscation, anti-analysis, and evasion capabilities. | Malware | ||
|
2022-09-28 19:30:00 | Researchers Warn of New Go-based Malware Targeting Windows and Linux Systems (lien direct) | A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet. "Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through | Malware | ||
|
2022-09-28 18:06:00 | Cyber Criminals Using Quantum Builder Sold on Dark Web to Deliver Agent Tesla Malware (lien direct) | A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT). "This campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to similar attacks in the past," Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a Tuesday write-up. Sold on the dark web for € | Malware | ||
|
2022-09-28 17:00:07 | Want to sneak a RAT into Windows? Buy Quantum Builder on the dark web (lien direct) | Beware what could be hiding in those LNK shortcuts A tool sold on the dark web that allows cybercriminals to build malicious shortcuts for delivering malware is being used in a campaign pushing a longtime .NET keylogger and remote access trojan (RAT) named Agent Tesla.… | Malware Tool | ||
|
2022-09-28 17:00:00 | WatchGuard Report: Malware Decreases but Encrypted Malware Up in Q2 2022 (lien direct) | This could reflect threat actors shifting their tactics to rely on more elusive malware | Malware Threat | ||
|
2022-09-28 16:12:09 | Chaos Malware Resurfaces With All-New DDoS & Cryptomining Modules (lien direct) | The previously identified ransomware builder has veered in an entirely new direction, targeting consumers and business of all sizes by exploiting known CVEs through brute-forced and/or stolen SSH keys. | Ransomware Malware | ||
|
2022-09-28 15:43:32 | Threat actors use Quantum Builder to deliver Agent Tesla malware (lien direct) | >The recently discovered malware builder Quantum Builder is being used by threat actors to deliver the Agent Tesla RAT. A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT), Zscaler ThreatLabz researchers warn. “Quantum Builder (aka “Quantum Lnk Builder”) is used to create malicious shortcut […] | Malware Threat | ||
|
2022-09-28 15:39:00 | Hackers Using PowerPoint Mouseover Trick to Infect System with Malware (lien direct) | The Russian state-sponsored threat actor known as APT28 has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware. The technique "is designed to be triggered when the user starts the presentation mode and moves the mouse," cybersecurity firm Cluster25 said in a technical report. "The code execution runs a | Malware Threat | APT 28 | ★★★ |
|
2022-09-28 13:47:10 | APT28 relies on PowerPoint Mouseover to deliver Graphite malware (lien direct) | >The Russia-linked APT28 group is using mouse movement in decoy Microsoft PowerPoint documents to distribute malware. The Russia-linked APT28 employed a technique relying on mouse movement in decoy Microsoft PowerPoint documents to deploy malware, researchers from Cluster25 reported. Cluster25 researchers were analyzing a lure PowerPoint document used to deliver a variant of Graphite malware, which is known to be used […] | Malware | APT 28 | |
|
2022-09-28 11:22:22 | New Chaos malware infects Windows, Linux devices for DDoS attacks (lien direct) | A quickly expanding botnet called Chaos is targeting and infecting Windows and Linux devices to use them for cryptomining and launching DDoS attacks. [...] | Malware | ||
|
2022-09-28 10:30:00 | Erbium stealer on the hunt for data (lien direct) | >Categories: NewsTags: erbium Tags: malware Tags: data theft Tags: stealer Tags: wallets Tags: cryptocurrency Tags: browsers Tags: browser Tags: infection Tags: malware as a service We take a look at reports of new data theft malware relying on sold old tricks (Read more...) | Malware | ||
 |
2022-09-28 10:00:00 | Stories from the SOC - C2 over port 22 (lien direct) | Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.
Executive summary
The Mirai botnet is infamous for the impact and the everlasting effect it has had on the world. Since the inception and discovery of this malware in 2016, to present day and all the permutations that have spawned as a result, cybersecurity professionals have been keeping a keen eye on this form of Command and Control (C2 or CnC) malware and associated addresses. The botnet malware utilizes malicious IP addresses that serve as intermediaries between compromised hosts and the central command server, which can use a wide range of Technique’s, Tactics, and Procedures (TTP’s) to deliver a payload in line with the malicious actor's goals.
Recently, one of these malicious IP addresses reached out to an asset in an organization over port 22 and created an unmitigated Secure Shell (SSH) session to the company's file server, a breach that was mitigated by the security best practices of this company preventing any follow up or lateral movement in the environment. This breach ultimately resulted in the IP getting blocklisted and stopped due to a healthy security posture that prevented malicious pivoting or exploitation.
Investigation
Initial alarm review
Indicators of Compromise (IOC)
The alarm initially came in due to an inbound connection from a known malicious IP as reported by the Open Threat Exchange (OTX) pulse related to Mirai botnet activity. OTX is open source threat sharing platform that contains a wide variety of Indicators of Compromise (IOC’s) that leverage user submitted data and the collective cybersecurity world to form an ever-evolving threat landscape.
The evidenced corresponding action ‘InboundConnectionAccepted’ is self-explanatory in that the connection was not mitigated and there was communication taking place over port 22. The associated event further detailed this inbound connection with the initiating processes, logged on user, and process parents. This revealed that the affected asset is a fileserver managed by SolarWinds software and it was likely this inbound connection was accepted in part due to typical network behavior and stateful firewall rules.
Expanded investigation
Events search
C2 activity typically utilizes positive feedback to gain persistence, relying on some sort of beacon placed in the victim’s environment that lets the attacker know there is a device or network ready for command execution. After seeing a successful connection occur with the malicious IP, the next step was to determine if the malicious IP address had further infiltrated the environment or attempted any lateral movement. A thorough search in the instance showed only the single referenced event as it pertains to the malicious IP however, the contextual events surrounding this successful connection corroborate attempted C2 activity.
Event deep dive
A further look into the event associated with the alarm shows that this is a fileserver utilizing Serv-U.exe, a File Transfer Protocol (FTP) software created by SolarWinds. The destination port 22 successfully hosted communication with the malicious IP and appears to have been automatically proxied by the software, which could also contribute to the reason this connection was accepte |
Malware Tool Threat | ||
|
2022-09-28 08:18:45 | New campaign uses government, union-themed lures to deliver Cobalt Strike beacons (lien direct) |  By Chetan Raghuprasad and Vanja Svajcer. Cisco Talos discovered a malicious campaign in August 2022 delivering Cobalt Strike beacons that could be used in later, follow-on attacks.Lure themes in the phishing documents in this campaign are related to the job details of a government organization in the United States and a trade union in New Zealand. The attack involves a multistage and modular infection chain with fileless, malicious scripts. Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints. The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit that attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository. Talos discovered two attack methodologies employed by the attacker in this campaign: One in which the downloaded DOTM template executes an embedded malicious Visual Basic script, which leads to the generation and execution of other obfuscated VB and PowerShell scripts and another that involves the malicious VB downloading and running a Windows executable that executes malicious PowerShell commands to download and implant the payload. The payload discovered is a leaked version of a Cobalt Strike beacon. The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic. Although the payload discovered in this campaign is a Cobalt Strike beacon, Talos also observed usage of the Redline information-stealer and Amadey botnet executables as payloads. This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory. Defenders should implement behavioral protection capabilities in the organization's defense to effectively protect them against fileless threats. Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts in the earlier stage of the attack's infection chain. Initial vectorThe initial infection email is themed to entice the recipient to review the attached Word document and provide some of their personal information.  Initial malicious email message.The maldocs have lures containing text related to the collection of personally identifiable information (PII) which is used to determ |
Malware Vulnerability Threat Guideline | ||
|
2022-09-28 08:03:00 | UK organizations, Ukraine\'s allies warned of potential "massive" cyberattacks by Russia (lien direct) | The head of the UK National Cyber Security Centre (NCSC) Lindy Cameron has given an update on Russia's cyber activity amid its war with Ukraine. Her speech at Chatham House today comes just a few days after Ukraine's military intelligence agency issued a warning that Russia was “preparing massive cyberattacks on the critical infrastructure of Ukraine and its allies.” This coincides with a new Forrester report that reveals the extent to which the cyber impact of the Russia-Ukraine conflict has expanded beyond the conflict zone with malware attacks propagating into European entities.UK NCSC CEO urges UK businesses to prepare for elevated alert Addressing Russian cyber activity this year, Cameron stated that, while we have not seen the “cyber-Armageddon” some predicted, there has been a “very significant conflict in cyberspace – probably the most sustained and intensive cyber campaign on record – with the Russian State launching a series of major cyberattacks in support of their illegal invasion in February.”To read this article in full, please click here | Malware | ||
 |
2022-09-28 04:06:47 | (Déjà vu) ASEC Weekly Malware Statistics (September 19th, 2022 – September 25th, 2022) (lien direct) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 19th, 2022 (Monday) to September 25th, 2022 (Sunday). For the main category, info-stealer ranked top with 51.3%, followed by backdoor with 21.1%, downloader with 17.2%, and ransomware with 10.3%. Top 1 – Agent Tesla AgentTesla is an infostealer that ranked first place with 20.7%. It is an info-stealer that leaks user credentials saved... | Ransomware Malware | ||
|
2022-09-28 03:39:14 | (Déjà vu) ASEC Weekly Malware Statistics (September 12th, 2022 – September 18th, 2022) (lien direct) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 12th, 2022 (Monday) to September 18th, 2022 (Sunday). For the main category, info-stealer ranked top with 41.5%, followed by downloader with 27.5%, backdoor with 19.9%, ransomware with 8.2%, and banking malware with 2.9%. Top 1 – AgentTesla AgentTesla is an infostealer that ranked first place with 18.1%. It is an info-stealer that... | Ransomware Malware | ||
 |
2022-09-28 00:00:00 | Rapport WatchGuard : Le volume général d\'attaques de malware est en baisse ; à l\'inverse, les malwares chiffrés et l\'exploitation active de failles Office sont en hausse (lien direct) | Paris, le 28 septembre 2022 - WatchGuard® Technologies, leader mondial en matière de cybersécurité unifiée, présente aujourd'hui les résultats de son tout dernier rapport sur la sécurité Internet. Ce rapport décrit les principales tendances en matière de logiciels malveillants et les menaces pour la sécurité du réseau, analysées par les chercheurs du WatchGuard Threat Lab au deuxième trimestre 2022. Les données analysées par les chercheurs de WatchGuard permettent notamment de conclure à une réduction du nombre total de détections de logiciels malveillants par rapport aux pics observés au premier semestre 2021, à une augmentation des menaces visant Chrome et Microsoft Office, à la résurgence toujours en cours du botnet Emotet, et bien plus encore. Corey Nachreiner, Chief Security Officer chez WatchGuard explique : " Bien que les attaques globales de logiciels malveillants au deuxième trimestre ont diminué par rapport aux sommets historiques atteints les trimestres précédents, plus de 81 % des détections ont concerné des connexions chiffrées TLS, poursuivant une inquiétante tendance à la hausse. Cela pourrait indiquer que les auteurs de menaces changent de tactiques, pour s'appuyer sur des malwares plus insaisissables ". Le rapport WatchGuard sur la sécurité Internet du 2nd trimestre contient d'autres conclusions clés, parmi lesquelles : Les exploits Office continuent de se propager plus que toute autre catégorie de logiciels malveillants. En fait, le principal incident du trimestre est l'exploit Follina Office (CVE-2022-30190), signalé pour la première fois en avril, et qui n'a pas été corrigé avant la fin mai. Transmis par un document malveillant, Follina est parvenu à contourner Windows Protected View et Windows Defender, avant d'être exploité activement par des cybercriminels, y compris par des États. Trois autres exploits Office (CVE-2018-0802, RTF-ObfsObjDat.Gen et CVE-2017-11882) ont été largement détectés en Allemagne et en Grèce. Un recul global, mais inégal, des détections de malware ciblant les endpoints : Malgré une baisse de 20 % du nombre total de détections au niveau des endpoints, on note une augmentation de 23 % des logiciels malveillants exploitant les navigateurs, Chrome enregistrant une hausse de 50 %. L'une des raisons possibles de l'augmentation des détections concernant Chrome est la persistance de divers exploits de type " Zero-Day ". Les scripts ont continué de progresser dans la détection des endpoints (87 %) au deuxième trimestre. Les 10 premières signatures ont représenté plus de 75 % des détections d'attaques réseau. Au cours de ce trimestre, les systèmes ICS et SCADA qui contrôlent les équipements et les processus industriels ont été davantage visés, notamment par de nouvelles signatures (WEB Directory Traversal -7 et WEB Directory Traversal -8). Les deux signatures sont très similaires : la première exploite une vulnérabilité découverte pour la première fois en 2012 dans un logiciel d'interface SCADA spécifique, tandis que la seconde est plus largement détectée en Allemagne. Emotet est bien de retour : Malgré un recul en volume depuis le dernier trimestre, Emotet reste l'une des plus grandes menaces pour la sécurité des réseaux. XLM.Trojan.abracadabra, un injecteur de Win Code qui propage le botnet Emotet, figure parmi les 10 premières détections de logiciels malveillants et parmi les 5 premières détections de logiciels malveillants chiffré | Malware Threat | ★★ | |
|
2022-09-27 20:39:33 | North Korea-linked Lazarus continues to target job seekers with macOS malware (lien direct) | >North Korea-linked Lazarus APT group is targeting macOS Users searching for jobs in the cryptocurrency industry. North Korea-linked Lazarus APT group continues to target macOS with a malware campaign using job opportunities as a lure. The attackers aimed at stealing credentials for the victims’ wallets. Last week, SentinelOne researchers discovered a decoy documents advertising positions […] | Malware | APT 38 | |
|
2022-09-27 18:49:00 | New NullMixer Malware Campaign Stealing Users\' Payment Data and Credentials (lien direct) | Cybercriminals are continuing to prey on users searching for cracked software by directing them to fraudulent websites hosting weaponized installers that deploy malware called NullMixer on compromised systems. "When a user extracts and executes NullMixer, it drops a number of malware files to the compromised machine," cybersecurity firm Kaspersky said in a Monday report. "It drops a wide variety | Malware | ||
|
2022-09-27 18:44:39 | Researchers Crowdsourcing Effort to Identify Mysterious Metador APT (lien direct) | Cybersecurity sleuths at SentinelLabs are calling on the wider threat hunting community to help decipher a new mysterious malware campaign hitting telcos, ISPs and universities in the Middle East and Africa. | Malware Threat | ||
|
2022-09-27 17:08:49 | New NullMixer dropper infects your PC with a dozen malware families (lien direct) | A new malware dropper named 'NullMixer' is infecting Windows devices with a dozen different malware families simultaneously through fake software cracks promoted on malicious sites in Google Search results. [...] | Malware | ||
 |
2022-09-27 16:51:00 | Anomali Cyber Watch: Sandworm Uses HTML Smuggling and Commodity RATs, BlackCat Ransomware Adds New Features, Domain Shadowing Is Rarely Detected, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Fraud, Inbound connectors, Phishing, Ransomware, Russia, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
A Multimillion Dollar Global Online Credit Card Scam Uncovered
(published: September 23, 2022)
ReasonLabs researchers discovered a large network of fake dating and customer support websites involved in credit card fraud operations. The threat actor builds a basic website, registers it with a payment processor (RocketGate), buys credit card data from other threat actors, and subscribes victims to monthly charging plans. The US was the most targeted, and a lower number of sites were targeting France. To pass the processor checks and lower the number of charge-backs the actor avoided test charges, used a generic billing name, charged only a small, typical for the industry payment, and hired a legitimate support center provider, providing effortless canceling and returning of the payment.
Analyst Comment: Users are advised to regularly check their bank statements and dispute fraudulent charges. Researchers can identify a fraudulent website by overwhelming dominance of direct-traffic visitors from a single country, small network of fake profiles, and physical address typed on a picture to avoid indexing.
Tags: Credit card, Fraud, Scam, Chargeback, Payment processor, Fake dating site, USA, target-country:US, France, target-country:FR, target-sector:Finance NAICS 52
Malicious OAuth Applications Used to Compromise Email Servers and Spread Spam
(published: September 22, 2022)
Microsoft researchers described a relatively stealthy abuse of a compromised Exchange server used to send fraud spam emails. After using valid credentials to get access, the actor deployed a malicious OAuth application, gave it admin privileges and used it to change Exchange settings. The first modification created a new inbound connector allowing mails from certain actor IPs to flow through the victim’s Exchange server and look like they originated from the compromised Exchange domain. Second, 12 new transport rules were set to delete certain anti-spam email headers.
Analyst Comment: If you manage an Exchange server, strengthen account credentials and enable multifactor authentication. Investigate if receiving alerts regarding suspicious email sending and removal of antispam header.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Indicator Removal on Host - T1070
Tags: Exchange, Microsoft, PowerShell, Inbound connector, Transport rule, Fraud, Spam
NFT Malware Gets New Evasion Abilities
(published: September 22, 2022)
Morphisec researchers describe a campaign targeting non-fungible token (NFT) communities since November 2020. A malicious link is being sent via Discord or other forum private phishing message related to an NFT or financial opportunity. If the user |
Ransomware Spam Malware Tool Threat | ||
|
2022-09-27 15:00:00 | Microsoft Sway Pages Weaponized to Perform Phishing and Malware Delivery (lien direct) | Most phishing attack vectors observed involved clicking a direct link to a phishing page | Malware | ||
|
2022-09-27 14:55:43 | Lazarus hackers drop macOS malware via Crypto.com job offers (lien direct) | The North Korean Lazarus hacking group is now using fake 'Crypto.com' job offers to hack developers and artists in the crypto space, likely with a long-term goal of stealing digital assets and cryptocurrency. [...] | Malware Hack | APT 38 | |
|
2022-09-27 13:24:21 | New Infostealer Malware \'Erbium\' Offered as MaaS for Thousands of Dollars (lien direct) | Security researchers are warning of a new information stealer named Erbium being distributed under the Malware-as-a-Service (MaaS) model. The threat made its initial appearance in late July, when a Russian speaking threat actor started advertising it on a dark web forum. | Malware Threat | ||
|
2022-09-27 09:40:39 | (Déjà vu) Erbium info-stealing malware, a new option in the threat landscape (lien direct) | >The recently discovered Erbium information-stealer is being distributed as fake cracks and cheats for popular video games. Threat actors behind the new ‘Erbium’ information-stealing malware are distributing it as fake cracks and cheats for popular video games to steal victims’ credentials and cryptocurrency wallets. The Erbium info-stealing malware was first spotted by researchers at threat […] | Malware Threat | ||
|
2022-09-26 16:03:00 | BlackCat Ransomware Attackers Spotted Fine-Tuning Their Malware Arsenal (lien direct) | The BlackCat ransomware crew has been spotted fine-tuning their malware arsenal to fly under the radar and expand their reach. "Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software," researchers from Symantec | Ransomware Malware | ||
|
2022-09-26 15:54:17 | New Erbium password-stealing malware spreads as game cracks, cheats (lien direct) | The new 'Erbium' information-stealing malware is being distributed as fake cracks and cheats for popular video games to steal victims' credentials and cryptocurrency wallets. [...] | Malware | ||
|
2022-09-26 15:00:00 | Hackers Use NullMixer and SEO to Spread Malware More Efficiently (lien direct) | The websites are often related to crack, keygen and activators for illegal software | Malware |
To see everything:
Our RSS (filtrered)
