What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-05-14 20:40:25 | Cent pranskraut: Blazk Basta StopRansomware: Black Basta (lien direct) |
## Instantané
The joint Cybersecurity Advisory (CSA) released by the FBI, CISA, HHS, and MS-ISAC provides detailed information on the Black Basta ransomware variant, a ransomware-as-a-service (RaaS) that has targeted critical infrastructure sectors, including healthcare.
## Description
Les affiliés Black Basta ont un accès initial par le biais de techniques telles que le phishing, l'exploitation des vulnérabilités et abuser des références valides.Une fois à l'intérieur du réseau de la victime, ils utilisent un modèle à double expression, cryptant les systèmes et exfiltrant des données.
Les acteurs de la menace utilisent divers outils pour la numérisation du réseau, la reconnaissance, le mouvement latéral, l'escalade des privilèges, l'exfiltration et le chiffrement, y compris le scanner de réseau SoftPerfect, BitsAdmin, Psexec, Rclone et Mimikatz.
La variante des ransomwares Black Basta, fonctionnant en tant que RAAS, a eu un impact sur 500 organisations dans le monde en mai 2024, en gagnant principalement un accès initial par la spectre, en exploitant des vulnérabilités connues et en abusant des références valides.Les notes de rançon n'incluent généralement pas une première demande de rançon ou des instructions de paiement, mais fournissent plutôt que les victimes un code unique et leur demander de contacter le groupe de ransomware via une URL .onion accessible via le navigateur TOR.
Le conseil exhorte les organisations d'infrastructures critiques, en particulier celles du secteur de la santé et de la santé publique (HPH), à appliquer des atténuations recommandées pour réduire la probabilité de compromis de Black Basta et d'autres attaques de rançongiciels, et les victimes de ransomwares sont encouragées à signaler l'incident à leurBureau de terrain du FBI local ou CISA.
## Les références
["#Stopransomware: Black Basta"] (https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a) cisa.(Consulté en 2024-05-13)
## Snapshot The joint Cybersecurity Advisory (CSA) released by the FBI, CISA, HHS, and MS-ISAC provides detailed information on the Black Basta ransomware variant, a ransomware-as-a-service (RaaS) that has targeted critical infrastructure sectors, including healthcare. ## Description Black Basta affiliates gain initial access through techniques such as phishing, exploiting vulnerabilities, and abusing valid credentials. Once inside the victim\'s network, they employ a double-extortion model, encrypting systems and exfiltrating data. The threat actors use various tools for network scanning, reconnaissance, lateral movement, privilege escalation, exfiltration, and encryption, including SoftPerfect network scanner, BITSAdmin, PsExec, RClone, and Mimikatz. The Black Basta ransomware variant, operating as a RaaS, has impacted over 500 organizations globally as of May 2024, primarily gaining initial access through spearphishing, exploiting known vulnerabilities, and abusing valid credentials. The ransom notes do not generally include an initial ransom demand or payment instructions, but instead provide victims with a unique code and instruct them to contact the ransomware group via a .onion URL reachable through the Tor browser. The advisory urges critical infrastructure organizations, especially those in the Healthcare and Public Health (HPH) Sector, to apply recommended mitigations to reduce the likelihood of compromise from Black Basta and other ransomware attacks, and victims of ransomware are encouraged to report the incident to their local FBI field office or CISA. ## References ["#StopRansomware: Black Basta"](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a) CISA. (Accessed 2024-05-13) |
Ransomware Tool Vulnerability Threat Medical | ★★★ | |
|
2024-05-01 19:01:06 | Muddywater Campaign abuse d'agents Atera MuddyWater Campaign Abusing Atera Agents (lien direct) |
#### Targeted Geolocations - Israel - India - Algeria - Italy - Egypt - Türkiye #### Targeted Industries - Transportation Systems - Aviation - Information Technology - Healthcare & Public Health - Government Agencies & Services - General Public Services - Federal ## Snapshot Researchers at HarfangLab have been monitoring a campaign by Iran-based threat group MuddyWater, tracked by Microsoft as [Mango Sandstorm](https://sip.security.microsoft.com/intel-profiles/36949e052b63fa06ee586aef3d1fec8dd2e1b567e231d88c28c16299f9b25340), characterized by the use of Remote Monitoring and Management (RMM) tools. Microsoft tracks this actor as Mango Sandstorm, [read more about them here](https://sip.security.microsoft.com/intel-profiles/36949e052b63fa06ee586aef3d1fec8dd2e1b567e231d88c28c16299f9b25340). ## Description According to HarfangLab, MuddyWater has been utilizing legitimate RMM software in its attacks since at least 2021, but has been monitoring this campaign using Atera Agent since October 2023. Leveraging Atera\'s free trial offers, the agents seen in this campaign have been registered using both compromised enterprise and personal email accounts. The infection chain in this campaign begins with the deployment of spearphishing emails. These emails are highly tailored to the victim organization and contain malicious attachments or links. Upon interaction, MuddyWater leverages free file sharing sites to host the RMM software, in this case Atera Agent, giving the group remote access and control over compromised systems. The group likely does not rely on the Subsequently, the group is able to execute commands, conduct reconnaissance, and move laterally across the network facilitating the deployment of additional malware payloads enabling the group to maintain persistence and exfiltrate sensitive data. ## Microsoft Analysis Microsoft Threat Intelligence has identified that this campaign is likely attributed to the actor Microsoft tracks as Mango Sandstorm, an Iranian nation-state actor with ties to Iran\'s Ministry of Intelligence and Security (MOIS). In past operations, Mango Sandstorm has primarily, but not exclusively, sought to collect information assessed to have strategic value, typically from organizations in the aviation, education, defense, energy, government, and telecommunications sectors in the Middle East and North Africa. Mango Sandstorm tends to favor spearphishing attacks. In this and prior campaigns, the group has been observed using commercial RMM tools to achieve persistence in a target environment. Mango Sandstorm has been identified attempting to deliver Atera, SimpleHelp, RPort, N-able Advanced Monitoring Agent, Splashtop, Syncro, and AnyConnect. ## Detections As tools used in these types of campaigns might have legitimate uses, they are not typically detected as malicious, and proactive hunting is recommended. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of activity associated with Mango Sandstorm\'s operations. - Use the Attack Simulator in Microsoft Defender for Office 365 to organize realistic, yet safe, simulated phishing and password attack campaigns in your organization by training end users against clicking URLs in unsolicited messages and disclosing their credentials. Training should include checking for poor spelling and grammar in phishing emails or the application\'s consent screen as well as spoofed app names, logos and domain URLs appearing to originate from legitimate applications or companies. Note: Attack Simulator testing currently only supports phishing emails containing links. - Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. - Harden internet-facing assets and identify and se | Malware Tool Threat Medical Commercial | ★★★ | |
|
2024-03-06 01:05:06 | Faits saillants hebdomadaires d'osint, 4 mars 2024 Weekly OSINT Highlights, 4 March 2024 (lien direct) |
## Weekly OSINT Highlights, 4 March 2024 Ransomware loomed large in cyber security research news this week, with our curated OSINT featuring research on Abyss Locker, BlackCat, and Phobos. Phishing attacks, information stealers, and spyware are also in the mix, highlighting the notable diversity in the cyber threat landscape. The OSINT reporting this week showcases the evolving tactics of threat actors, with operators increasingly employing multifaceted strategies across different operating systems. Further, the targets of these attacks span a wide range, from civil society figures targeted by spyware in the Middle East and North Africa to state and local governments victimized by ransomware. The prevalence of attacks on sectors like healthcare underscores the significant impact on critical infrastructure and the potential for substantial financial gain through ransom payments. 1. [**Abyss Locker Ransomware Evolution and Tactics**](https://ti.defender.microsoft.com/articles/fc80abff): Abyss Locker ransomware, derived from HelloKitty, exfiltrates victim data before encryption and targets Windows systems, with a subsequent Linux variant observed. Its capabilities include deleting backups and employing different tactics for virtual machines, indicating a growing sophistication in ransomware attacks. 2. [**ALPHV Blackcat Ransomware-as-a-Service (RaaS)**:](https://ti.defender.microsoft.com/articles/b85e83eb) The FBI and CISA warn of ALPHV Blackcat RaaS, which targets multiple sectors, particularly healthcare. Recent updates to ALPHV Blackcat include improved defense evasion, encryption capabilities for Windows and Linux, reflecting the increasing sophistication in ransomware operations. 3. [**Phobos RaaS Model**](https://ti.defender.microsoft.com/articles/ad1bfcb4): Phobos ransomware, operating as a RaaS model, frequently targets state and local governments. Its use of accessible open-source tools enhances its popularity among threat actors, emphasizing the ease of deployment and customization for various environments. 4. [**TimbreStealer Phishing Campaign**](https://ti.defender.microsoft.com/articles/b61544ba): Talos identifies a phishing campaign distributing TimbreStealer, an information stealer disguised as Mexican tax-related themes. The threat actor was previously associated with banking trojans, underscoring the adaptability and persistence of malicious actors. 5. [**Nood RAT Malware Features and Stealth**](https://ti.defender.microsoft.com/articles/cc509147): ASEC uncovers Nood RAT, a Linux-based variant of Gh0st RAT, equipped with encryption and disguised as legitimate software. The malware\'s flexibility in binary creation and process naming underscores the threat actor\'s intent to evade detection and carry out malicious activities with sophistication. 6. [**Predator Spyware Infrastructure and Targeting**](https://ti.defender.microsoft.com/articles/7287eb1b): The Insikt Group\'s discovery highlights the widespread use of Predator spyware, primarily targeting journalists, politicians, and activists in various countries. Despite its purported use for counterterrorism and law enforcement, Predator is employed by threat actors outside these contexts, posing significant privacy and safety risks. ## Learn More For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: [https://aka.ms/threatintelblog](https://aka.ms/threatintelblog) and the following blog posts: - [Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself](https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/?ocid=magicti_ta_blog#defending-against-ransomware) Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this summary. The following | Ransomware Spam Malware Tool Threat Legislation Medical | ★★★★ | |
|
2024-03-05 19:03:47 | Rester en avance sur les acteurs de la menace à l'ère de l'IA Staying ahead of threat actors in the age of AI (lien direct) |
## Snapshot Over the last year, the speed, scale, and sophistication of attacks has increased alongside the rapid development and adoption of AI. Defenders are only beginning to recognize and apply the power of generative AI to shift the cybersecurity balance in their favor and keep ahead of adversaries. At the same time, it is also important for us to understand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today we are publishing research on emerging threats in the age of AI, focusing on identified activity associated with known threat actors, including prompt-injections, attempted misuse of large language models (LLM), and fraud. Our analysis of the current use of LLM technology by threat actors revealed behaviors consistent with attackers using AI as another productivity tool on the offensive landscape. You can read OpenAI\'s blog on the research [here](https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors). Microsoft and OpenAI have not yet observed particularly novel or unique AI-enabled attack or abuse techniques resulting from threat actors\' usage of AI. However, Microsoft and our partners continue to study this landscape closely. The objective of Microsoft\'s partnership with OpenAI, including the release of this research, is to ensure the safe and responsible use of AI technologies like ChatGPT, upholding the highest standards of ethical application to protect the community from potential misuse. As part of this commitment, we have taken measures to disrupt assets and accounts associated with threat actors, improve the protection of OpenAI LLM technology and users from attack or abuse, and shape the guardrails and safety mechanisms around our models. In addition, we are also deeply committed to using generative AI to disrupt threat actors and leverage the power of new tools, including [Microsoft Copilot for Security](https://www.microsoft.com/security/business/ai-machine-learning/microsoft-security-copilot), to elevate defenders everywhere. ## Activity Overview ### **A principled approach to detecting and blocking threat actors** The progress of technology creates a demand for strong cybersecurity and safety measures. For example, the White House\'s Executive Order on AI requires rigorous safety testing and government supervision for AI systems that have major impacts on national and economic security or public health and safety. Our actions enhancing the safeguards of our AI models and partnering with our ecosystem on the safe creation, implementation, and use of these models align with the Executive Order\'s request for comprehensive AI safety and security standards. In line with Microsoft\'s leadership across AI and cybersecurity, today we are announcing principles shaping Microsoft\'s policy and actions mitigating the risks associated with the use of our AI tools and APIs by nation-state advanced persistent threats (APTs), advanced persistent manipulators (APMs), and cybercriminal syndicates we track. These principles include: - **Identification and action against malicious threat actors\' use:** Upon detection of the use of any Microsoft AI application programming interfaces (APIs), services, or systems by an identified malicious threat actor, including nation-state APT or APM, or the cybercrime syndicates we track, Microsoft will take appropriate action to disrupt their activities, such as disabling the accounts used, terminating services, or limiting access to resources. - **Notification to other AI service providers:** When we detect a threat actor\'s use of another service provider\'s AI, AI APIs, services, and/or systems, Microsoft will promptly notify the service provider and share relevant data. This enables the service provider to independently verify our findings and take action in accordance with their own policies. - **Collaboration with other stakeholders:** Microsoft will collaborate with other stakeholders to regularly exchange information a | Ransomware Malware Tool Vulnerability Threat Studies Medical Technical | APT 28 ChatGPT APT 4 | ★★ |
1
We have: 4 articles.
We have: 4 articles.
To see everything:
Our RSS (filtrered)
