What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-04-01 08:18:43 | 1er avril & # 8211;Rapport de renseignement sur les menaces 1st April – Threat Intelligence Report (lien direct) |
> Pour les dernières découvertes de cyber-recherche pour la semaine du 1er avril, veuillez télécharger notre bulletin Threat_Intelligence.Les meilleures attaques et violations que les gouvernements américains et britanniques ont annoncé un acte d'accusation criminel et des sanctions contre l'APT31, un groupe de pirates chinois, pour leur rôle dans les attaques prétendument contre des entreprises aux États-Unis, ainsi que [& # 8230;]
>For the latest discoveries in cyber research for the week of 1st April, please download our Threat_Intelligence Bulletin. TOP ATTACKS AND BREACHES The US and UK governments have announced a criminal indictment and sanctions against APT31, a group of Chinese hackers, for their role in allegedly conducting attacks against companies in the US, as well […] |
Threat | APT 31 | ★★ |
 |
2024-03-28 22:20:00 | La Finlande blâme le groupe de piratage chinois Apt31 pour la cyberattaque du Parlement Finland Blames Chinese Hacking Group APT31 for Parliament Cyber Attack (lien direct) |
La police de Finlande (alias Poliisi) a officiellement accusé un acteur chinois de l'État-nation suivi comme APT31 pour avoir orchestré une cyberattaque ciblant le Parlement du pays en 2020.
L'intrusion, selon les autorités, se serait produite entre l'automne 2020 et le début de 2021. L'agence a décrit la sonde criminelle en cours comme à la fois exigeante et longue, impliquant une analyse approfondie de A "
The Police of Finland (aka Poliisi) has formally accused a Chinese nation-state actor tracked as APT31 for orchestrating a cyber attack targeting the country\'s Parliament in 2020. The intrusion, per the authorities, is said to have occurred between fall 2020 and early 2021. The agency described the ongoing criminal probe as both demanding and time-consuming, involving extensive analysis of a " |
Legislation | APT 31 | ★★★ |
 |
2024-03-26 17:23:54 | La Finlande confirme les pirates pirates de l'APT31 derrière la violation du Parlement en 2021 Finland confirms APT31 hackers behind 2021 parliament breach (lien direct) |
La police finlandaise a confirmé mardi que le groupe de piratage de l'APT31 lié au ministère chinois de la sécurité de l'État (MSS) était à l'origine d'une violation du Parlement du pays divulgué en mars 2021. [...]
The Finnish Police confirmed on Tuesday that the APT31 hacking group linked to the Chinese Ministry of State Security (MSS) was behind a breach of the country\'s parliament disclosed in March 2021. [...] |
Legislation | APT 31 | ★★★ |
|
2024-03-26 14:57:51 | Les gouvernements américains et britanniques s'opposent à l'APT31, groupe de piratage affilié à l'État US and UK Governments Take Stand Against APT31, State-Affiliated Hacking Group (lien direct) |
> lundi, l'administration Biden a annoncé un acte d'accusation criminel et des sanctions contre un groupe de pirates chinois pour leur rôle dans la conduite prétendument des hacks contre les entreprises aux États-Unis, ainsi que des représentants du gouvernement.Le gouvernement américain a inculpé sept pirates, du groupe connu sous le nom d'APT31;Dans une décision connexe, le gouvernement britannique a annoncé des sanctions contre une entreprise de front, ainsi que deux personnes en lien avec une violation à la Commission électorale du Royaume-Uni.Le gouvernement américain a noté que le groupe avait passé environ 14 ans à cibler les entreprises américaines et étrangères et les responsables politiques.«Aujourd'hui, les gouvernements du Royaume-Uni et des États-Unis [& # 8230;]
>On Monday, the Biden administration announced a criminal indictment and sanctions against a group of Chinese hackers for their role in allegedly conducting hacks against companies in the US, as well as government officials. The US government charged seven hackers, from the group known as APT31; in a related move, the British government announced sanctions on a front company, as well as two individuals in connection with a breach at the UK\'s Electoral Commission. The US government noted that the group spent about 14 years targeting US and foreign businesses and political officials. “Today both the UK and US governments […] |
APT 31 | ★★★ | |
 |
2024-03-25 21:20:40 | Des pirates chinois parrainés par l'État chargés, des sanctions perçues par nous Chinese State-Sponsored Hackers Charged, Sanctions Levied by US (lien direct) |
Les États-Unis et le Royaume-Uni facturent à sept ressortissants chinois pour avoir fonctionné dans le cadre du groupe de menaces APT31.
The US and the UK charge seven Chinese nationals for operating as part of threat group APT31. |
Threat | APT 31 | ★★★ |
 |
2024-03-25 18:50:17 | Le Trésor américain gifle les sanctions contre les pirates APT31 liés à la Chine US Treasury Slaps Sanctions on China-Linked APT31 Hackers (lien direct) |
> Le Département du Trésor américain sanctionne une paire de pirates chinois liés à des «cyber-opérations malveillantes ciblant les secteurs des infrastructures critiques».
>The US Treasury Department sanctions a pair of Chinese hackers linked to “malicious cyber operations targeting US critical infrastructure sectors.” |
APT 31 | ★★ | |
 |
2024-03-25 17:50:21 | Les sanctions américaines ont allégué des pirates d'État chinois pour des attaques contre les infrastructures critiques US sanctions alleged Chinese state hackers for attacks on critical infrastructure (lien direct) |
Les États-Unis ont sanctionné une société basée à Wuhan qui serait un front pour le ministère d'État de la Sécurité de la Chine lundi à la suite de dizaines d'attaques contre des infrastructures critiques. & NBSP;Les départements de la justice et du trésor ont accusé Wuhan Xiaoruizhi Science and Technology Company d'être une couverture pour APT31 - un groupe de piratage basé en Chine connu pour son ciblage précédemment
The U.S. sanctioned a Wuhan-based company believed to be a front for China\'s Ministry of State Security on Monday following dozens of attacks on critical infrastructure. The Justice and Treasury Departments accused Wuhan Xiaoruizhi Science and Technology Company of being a cover for APT31 - a notorious China-based hacking group known for previously targeting |
APT 31 | ★★ | |
 |
2024-03-25 15:50:00 | Le Royaume-Uni blâme la Chine pour 2021 Hack ciblant des millions d'électeurs \\ 'Data UK Blames China for 2021 Hack Targeting Millions of Voters\\' Data (lien direct) |
Le NCSC du Royaume-Uni évalue que l'APT31 soutenu par la Chine était «presque» responsable du piratage des comptes de messagerie des parlementaires britanniques
The UK\'s NCSC assesses that China-backed APT31 was “almost certainly” responsible for hacking the email accounts of UK parliamentarians |
Hack | APT 31 | ★★ |
 |
2023-10-23 02:22:16 | 2023 août & # 8211;Rapport de tendance des menaces sur les groupes APT 2023 Aug – Threat Trend Report on APT Groups (lien direct) |
août 2023 Problèmes majeurs sur les groupes de l'APT 1) Andariel 2) APT29 3) APT31 4) amer 5)Bronze Starlight 6) Callisto 7) Cardinbee 8) Typhoon de charbon de bois (Redhotel) 9) Terre estrie 10) Typhon de lin 11) Groundpeony 12) Chisel infâme 13) Kimsuky 14) Lazarus 15)Moustachedbouncher 16) Éléphant mystérieux (APT-K-47) 17) Nobelium (Blizzard de minuit) 18) Red Eyes (APT37) Aug_Thereat Trend Rapport sur les groupes APT
August 2023 Major Issues on APT Groups 1) Andariel 2) APT29 3) APT31 4) Bitter 5) Bronze Starlight 6) Callisto 7) Carderbee 8) Charcoal Typhoon (RedHotel) 9) Earth Estries 10) Flax Typhoon 11) GroundPeony 12) Infamous Chisel 13) Kimsuky 14) Lazarus 15) MoustachedBouncher 16) Mysterious Elephant (APT-K-47) 17) Nobelium (Midnight Blizzard) 18) Red Eyes (APT37) Aug_Threat Trend Report on APT Groups |
Threat Prediction | APT 38 APT 38 APT 37 APT 29 APT 31 | ★★★ |
|
2023-09-11 05:02:48 | Rapport de tendance des menaces sur les groupes APT & # 8211;Juillet 2023 Threat Trend Report on APT Groups – July 2023 (lien direct) |
juillet 2023 Problèmes majeurs sur les groupes APT 1) APT28 2) APT29 3) APT31 4) Camouflaged Hunter 5) Chicheur charmant 6) Gamaredon 7) Kimsuky 8) Konni 9) Lazarus 10) Mustang Panda 11) Patchwork 12) Eyes rouges 13) Pirates d'espace 14) Turla 15) ATIP_2023_JUL_JULAT RAPPORT D'APTER LE Rapport sur les APT
July 2023 Major Issues on APT Groups 1) APT28 2) APT29 3) APT31 4) Camouflaged Hunter 5) Charming Kitten 6) Gamaredon 7) Kimsuky 8) Konni 9) Lazarus 10) Mustang Panda 11) Patchwork 12) Red Eyes 13) Space Pirates 14) Turla 15) Unclassified ATIP_2023_Jul_Threat Trend Report on APT Groups |
Threat Prediction | APT 38 APT 37 APT 37 APT 35 APT 35 APT 29 APT 29 APT 28 APT 28 APT 31 | ★★ |
|
2023-08-11 15:42:00 | Les chercheurs mettent en lumière les déposées avancées et les tactiques d'exfiltration des données d'APT31 \\ Researchers Shed Light on APT31\\'s Advanced Backdoors and Data Exfiltration Tactics (lien direct) |
L'acteur de menace chinois connue sous le nom d'APT31 (alias Bronze Vinewood, Judgment Panda ou Violet Typhoon) a été lié à un ensemble de déambulations avancées qui sont capables d'exfiltration d'informations sensibles récoltées à Dropbox.
Le malware fait partie d'une collection plus large de plus de 15 implants qui ont été utilisés par l'adversaire dans les attaques ciblant les organisations industrielles en Europe de l'Est
The Chinese threat actor known as APT31 (aka Bronze Vinewood, Judgement Panda, or Violet Typhoon) has been linked to a set of advanced backdoors that are capable of exfiltrating harvested sensitive information to Dropbox. The malware is part of a broader collection of more than 15 implants that have been put to use by the adversary in attacks targeting industrial organizations in Eastern Europe |
Malware Threat Industrial | APT 31 APT 31 | ★★ |
|
2023-08-10 16:00:00 | APT31 lié aux récentes attaques industrielles en Europe de l'Est APT31 Linked to Recent Industrial Attacks in Eastern Europe (lien direct) |
Kaspersky a publié le troisième épisode de leur enquête sur cette campagne plus tôt dans la journée
Kaspersky published the third installment of their investigation on this campaign earlier today |
Industrial | APT 31 APT 31 | ★★★ |
|
2023-08-01 14:31:00 | L'APT31 de la Chine soupçonnée dans les attaques contre des systèmes à air en Europe de l'Est China\\'s APT31 Suspected in Attacks on Air-Gapped Systems in Eastern Europe (lien direct) |
Un acteur de l'État-nation avec des liens avec la Chine est soupçonné d'être derrière une série d'attaques contre des organisations industrielles en Europe de l'Est qui ont eu lieu l'année dernière pour siphon les données stockées sur des systèmes à air.
La société de cybersécurité Kaspersky a attribué les intrusions avec une confiance moyenne à élevée à une équipe de piratage appelée APT31, qui est également suivie sous les surnoms en bronze,
A nation-state actor with links to China is suspected of being behind a series of attacks against industrial organizations in Eastern Europe that took place last year to siphon data stored on air-gapped systems. Cybersecurity company Kaspersky attributed the intrusions with medium to high confidence to a hacking crew called APT31, which is also tracked under the monikers Bronze Vinewood, |
Industrial | APT 31 | ★★ |
|
2023-07-31 17:30:00 | Les implants APT31 ciblent les organisations industrielles APT31 Implants Target Industrial Organizations (lien direct) |
Les attaquants ont établi un canal d'exfiltration de données, y compris à partir de systèmes à air
The attackers established a channel for data exfiltration, including from air-gapped systems |
Industrial | APT 31 | ★★ |
|
2023-07-10 23:30:00 | Analyse de la porte dérobée Rekoobe utilisée dans les attaques contre les systèmes Linux en Corée Analysis of the Rekoobe Backdoor Being Used In Attacks Against Linux Systems in Korea (lien direct) |
Rekoobe est une porte dérobée connue pour être utilisée par APT31, un groupe de menaces basé en Chine.Ahnlab Security Emergency Response Center (ASEC) reçoit des rapports sur les logiciels malveillants Rekoobe des locataires en Corée depuis plusieurs années et partagera par la présente sa brève analyse.De plus, les variantes de Rekoobe seront classées avec un résumé de celles utilisées pour cibler les entreprises coréennes.1. La vue d'ensemble Rekoobe est une porte dérobée qui cible les environnements Linux.Il a été découvert pour la première fois en 2015, [1] ...
Rekoobe is a backdoor known to be used by APT31, a threat group based in China. AhnLab Security Emergency Response Center (ASEC) has been receiving reports of the Rekoobe malware from tenants in Korea for several years, and will hereby share its brief analysis. Additionally, the Rekoobe variants will be categorized along with a summary of the ones used to target Korean companies. 1. Overview Rekoobe is a backdoor that targets Linux environments. It was first discovered in 2015, [1]... |
Malware Threat | APT 31 | ★★ |
|
2023-02-17 17:00:00 | EU Cybersecurity Agency Warns Against Chinese APTs (lien direct) | The document directly mentions APT27, APT30, APT31, Ke3chang, Gallium and Mustang Panda | APT 30 APT 27 APT 15 APT 25 APT 31 | ★★ | |
|
2022-07-20 08:37:31 | Belgium Says Chinese APTs Targeted Interior, Defense Ministries (lien direct) | Belgium on Monday accused Chinese state-sponsored hackers of launching cyberattacks against its interior and defense ministries. Belgium noted in a statement that it has detected cyber intrusions from hacking groups tracked as APT27, APT30, APT31, and Gallium. | APT 30 APT 27 APT 31 | ||
 |
2022-03-09 21:09:28 | (Déjà vu) Google blocked China-linked APT31\'s attacks targeting U.S. Government (lien direct) | Google has blocked a phishing campaign conducted by China-linked group APT31 aimed at Gmail users associated with the U.S. government. Google announced to have blocked a phishing campaign originating conducted by China-linked cybereaspionage group APT31 (aka Zirconium, Judgment Panda, and Red Keres) and aimed at Gmail users associated with the U.S. government. The campaign took […] | APT 31 | ||
 |
2021-12-21 16:57:00 | Anomali Cyber Watch: \'PseudoManuscrypt\' Mass Spyware Campaign Targets 35K Systems, APT31 Intrusion Set Campaign: Description, Countermeasures and Code, State-sponsored hackers abuse Slack API to steal (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT31, Magecart, Hancitor, Pakdoor, Lazarus, and Vulnerabilities CVE-2021-21551.. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
NSW Government Casual Recruiter Suffers Ransomware Hit
(published: December 17, 2021)
Finite Recruitment suffered a ransomware attack during the month of October 2021, resulting in the exfiltration of some data. Their incident responders (IR) identified the ransomware as Conti, a fast encrypting ransomware commonly attributed to the cybercriminal group Wizard Spider. The exfiltrated data was published on the dark web, however the firm remains fully operational, and affected customers are being informed.
Analyst Comment: Always check to see if there is a decryptor available for the ransomware before considering payment. Enforce a strong backup policy to ensure that data is recoverable in the event of encryption or loss.
MITRE ATT&CK: [MITRE ATT&CK] Scheduled Transfer - T1029
Tags: Conti, Wizard Spider, Ransomware, Banking and Finance
Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions
(published: December 16, 2021)
Check Point Research has uncovered a new variant of the Phorpiex botnet named Twizt. Historically, Phorpiex utilized sextortion, ransomware delivery, and cryptocurrency clipping. Twizt however, appears to be primarily focused on stealing cryptocurrency and have stolen half a million dollars since November 2020 in the form of Bitcoin, Ether and ERC20 tokens.The botnet features departure from it’s traditional command and control (C2) infrastructure, opting for peer-to-peer (P2P) communications between infected hosts, eliminating the need for C2 communication as each host can fulfill that role.
Analyst Comment: Bots within a P2P network need to communicate regularly with other bots to receive and share commands. If the infected bots are on a private network, private IP addresses will be used. Therefore, careful monitoring of network traffic will reveal suspicious activity, and a spike in network resource usage as opposed to the detection of C2 IP addresses.
MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Clipboard Data - T1115
Tags: Phorpiex, Twizt, Russia, Banking and Finance, Cryptocurrency, Bitcoin
‘PseudoManuscrypt’ Mass Spyware Campaign Targets 35K Systems
(published: December 16, 2021)
Kaspersky researchers have documented a spyware that has targeted 195 countries as of December 2021. The spyware, named PseudoManuscrypt, was developed and deployed by Lazarus Group |
Ransomware Malware Vulnerability Threat Guideline Medical | APT 41 APT 38 APT 28 APT 31 | |
|
2021-08-04 15:25:01 | China-linked APT31 targets Russia for the first time (lien direct) | China-linked APT31 group employed a new strain of malware in attacks aimed at entities in Mongolia, Belarus, Canada, the US, and Russia. Researchers from Positive Technologies reported that China-linked APT31 group has been using a new piece of malware in a recent wave of attacks targeting Mongolia, Belarus, Canada, the United States, and Russia. Experts […] | Malware | APT 31 | |
|
2021-08-04 12:03:07 | Chinese Cyberspy Group APT31 Starts Targeting Russia (lien direct) | China-linked hacking group APT31 has been using new malware in recent attacks targeting Mongolia, Belarus, Canada, the United States, and - for the first time - Russia, according to enterprise cybersecurity firm Positive Technologies. | Malware | APT 31 | |
|
2021-08-04 03:28:13 | New Chinese Spyware Being Used in Widespread Cyber Espionage Attacks (lien direct) | A threat actor presumed to be of Chinese origin has been linked to a series of 10 attacks targeting Mongolia, Russia, Belarus, Canada, and the U.S. from January to July 2021 that involve the deployment of a remote access trojan (RAT) on infected systems, according to new research.
The intrusions have been attributed to an advanced persistent threat named APT31 (FireEye), which is tracked by the |
Threat | APT 31 | |
 |
2021-08-03 14:13:41 | Cybereason pointe les acteurs de la menace chinois qui compromettent des opérateurs télécoms en Asie du Sud-Est (et ailleurs ?) (lien direct) | Alors que l'ANSSI vient de rapporter qu'une campagne de cyberattaques menée par APT31, un groupe de hackers affilié à l'État chinois, est en cours sur des entités françaises, de son côté Cybereason vient de découvrir plusieurs campagnes de cyberattaques à des fins de cyberespionnage menées par des acteurs de la menace chinois et infiltrant d'importants opérateurs télécoms en Asie du Sud-Est. The post Cybereason pointe les acteurs de la menace chinois qui compromettent des opérateurs télécoms en Asie du Sud-Est (et ailleurs ?) first appeared on UnderNews. | APT 31 | ||
|
2021-07-31 10:10:28 | Attaques APT31 – réaction de Kaspersky (lien direct) | L'ANSSI (Agence nationale de la sécurité des systèmes d'information) a récemment alerté sur une campagne de cyberattaques menée par le groupe APT31 à l'encontre de routeurs en France. Les routeurs seraient utilisés en tant que relais d'anonymisation afin de réaliser des actions de reconnaissance et malveillantes. The post Attaques APT31 – réaction de Kaspersky first appeared on UnderNews. | APT 31 | ||
 |
2021-07-29 10:00:46 | APT trends report Q2 2021 (lien direct) | This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc. | Threat | APT 29 APT 31 | |
|
2021-07-27 15:00:00 | Anomali Cyber Watch: APT31 Targeting French Home Routers, Multiple Microsoft Vulnerabilities, StrongPity Deploys Android Malware, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptojacking, Downloaders, Malspam, RATs, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Windows “PetitPotam” Network Attack – How to Protect Against It
(published: July 21, 2021)
Microsoft has released mitigations for a new Windows vulnerability called PetitPotam. Security researcher, Gillesl Lionel, created a proof-of-concept script that abuses Microsoft’s NT Lan Manager (NTLM) protocol called MS-EFSRPC (encrypting file system remote protocol). PetitPotam can only work if certain system functions that are enabled if the following conditions are met: NTLM authentication is enabled on domain, active directory certificate services (AD CS) is being used, certificate authority web enrollment or certificate enrollment we service are enabled. Exploitation can result in a NTLM relay attack, which is a type of man-in-the-middle attack.
Analyst Comment: Microsoft has provided mitigation steps to this attack which includes disabling NTLM on a potentially affected domain, in addition to others.
Tags: Vulnerability, Microsoft, PetitPotam, Man-in-the-middle
APT31 Modus Operandi Attack Campaign Targeting France
(published: July 21, 2021)
The French cybersecurity watchdog, ANSSII issued an alert via France computer emergency response team (CERT) discussing attacks targeting multiple French entities. The China-sponsored, advanced persistent threat (APT) group APT31 (Judgment Panda, Zirconium) has been attributed to this ongoing activity. The group was observed using “a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Resource Hijacking - T1496
Tags: APT, APT31, Judgment Panda, Zirconium, Home routers
StrongPity APT Group Deploys Android Malware for the First Time
(published: July 21, 2021)
Trend Micro researchers conducted analysis on a malicious APK sample shared on Twitter by MalwareHunterTeam. The shared sample was discussed as being a trojanized version of an Android app offered on the authentic Syrian E-Gov website, potentially via a watering-hole attack. Researchers took this information and pivoted further to analyze the backdoor functionality of the trojanized app (which is no longer being distributed on the official Syrian E-Gov website). Additional samples were identified to be contacting URLs that are identical to or following previous r |
Malware Tool Vulnerability Threat | Uber APT 31 | |
|
2021-07-22 12:54:44 | China-Linked APT31 Abuses Hacked Routers in Attacks, France Warns (lien direct) | The French National Agency for the Security of Information Systems (ANSSI) on Wednesday issued an alert to warn organizations that a threat group tracked as APT31 has been abusing compromised routers in its recent attacks. | Threat | APT 31 | |
|
2021-07-21 18:15:54 | France ANSSI agency warns of APT31 campaign against French organizations (lien direct) | French cyber-security agency ANSSI warned of an ongoing cyberespionage campaign aimed at French organizations carried out by China-linked APT31 group. The French national cyber-security agency ANSSI warned of ongoing attacks against a large number of French organizations conducted by the Chine-linked APT31 cyberespionage group. The state-sponsored hackers are hijacking home routers to set up a […] | APT 31 | ||
|
2021-07-21 10:13:53 | France warns of APT31 cyberspies targeting French organizations (lien direct) | The French national cyber-security agency today warned of an ongoing series of attacks against a large number of French organizations coordinated by the Chinese-backed APT31 cyberespionage group. [...] | APT 31 | ||
|
2021-07-20 15:00:00 | Anomali Cyber Watch: China Blamed for Microsoft Exchange Attacks, Israeli Cyber Surveillance Companies Help Oppressive Governments, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, APT, Espionage, Ransomware, Targeted Campaigns, DLL Side-Loading, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
UK and Allies Accuse China for a Pervasive Pattern of Hacking, Breaching Microsoft Exchange Servers
(published: July 19, 2021)
On July 19th, 2021, the US, the UK, and other global allies jointly accused China in a pattern of aggressive malicious cyber activity. First, they confirmed that Chinese state-backed actors (previously identified under the group name Hafnium) were responsible for gaining access to computer networks around the world via Microsoft Exchange servers. The attacks took place in early 2021, affecting over a quarter of a million servers worldwide. Additionally, APT31 (Judgement Panda) and APT40 (Kryptonite Panda) were attributed to Chinese Ministry of State Security (MSS), The US Department of Justice (DoJ) has indicted four APT40 members, and the Cybersecurity and Infrastructure Security Agency (CISA) shared indicators of compromise of the historic APT40 activity.
Analyst Comment: Network defense-in-depth and adherence to information security best practices can assist organizations in reducing the risk. Pay special attention to the patch and vulnerability management, protecting credentials, and continuing network hygiene and monitoring. When possible, enforce the principle of least privilege, use segmentation and strict access control measures for critical data. Organisations can use Anomali Match to perform real time forensic analysis for tracking such attacks.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Exploitation of Remote Services - T1210
Tags: Hafnium, Judgement Panda, APT31, TEMP.Jumper, APT40, Kryptonite Panda, Zirconium, Leviathan, TEMP.Periscope, Microsoft Exchange, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, Government, EU, UK, North America, China
NSO’s Spyware Sold to Authoritarian Regimes Used to Target Activists, Politicians and Journalists
(published: July 18, 2021)
Israeli surveillance company NSO Group supposedly sells spyware to vetted governments bodies to fight crime and terrorism. New research discovered NSO’s tools being used against non-criminal actors, pro-democracy activists and journalists investigating corruption, political opponents and government critics, diplomats, etc. In some cases, the timeline of this surveillance coincided with journalists' arrests and even murders. The main penetration tool used by NSO is malware Pegasus that targets both iPho |
Ransomware Malware Tool Vulnerability Threat Studies Guideline Industrial | APT 41 APT 40 APT 28 APT 31 | |
|
2021-06-27 11:25:36 | Security Affairs newsletter Round 320 (lien direct) | A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box. If you want to also receive for free the international press subscribe here. Norway blames China-linked APT31 for 2018 government hack Poland: The leader of the PiS party blames Russia for […] | Hack Guideline | APT 31 | |
|
2021-06-20 16:36:59 | Norway blames China-linked APT31 for 2018 government hack (lien direct) | Norway police secret service states said that China-linked APT31 group was behind the 2018 cyberattack on the government's IT network. Norway's Police Security Service (PST) said that the China-linked APT31 cyberespionage group was behind the attack that breached the government's IT network in 2018. The attribution of the attack to the APT31 grouo is based […] | Hack | APT 31 | |
|
2021-03-19 15:37:00 | APT31 Fingered for Cyber-Attack on Finnish Parliament (lien direct) | Finland says its government was spied on by threat group with links to Chinese government | Threat | APT 31 | |
|
2021-03-18 18:30:27 | Finland IDs Hackers Linked to Parliament Spying Attack (lien direct) | Finland's domestic security agency said Thursday that the cybergroup APT31, which is generally linked to the Chinese government, was likely behind a cyberspying attack on the information systems of the Nordic country's parliament. | APT 31 | ||
|
2021-03-18 16:21:29 | China-linked APT31 group was behind the attack on Finnish Parliament (lien direct) | China-linked cyber espionage group APT31 is believed to be behind an attack on the Parliament of Finland that took place in 2020. China-linked cyber espionage group APT31 is believed to be behind an attack on the Parliament of Finland that took place in 2020. According to the government experts, the hackers breached some parliament email […] | APT 31 | ||
|
2021-03-02 15:00:00 | Anomali Cyber Watch: APT Groups, Cobalt Strike, Russia, Malware, and More (lien direct) |
We are excited to announce Anomali Cyber Watch, your weekly intelligence digest. Replacing the Anomali Weekly Threat Briefing, Anomali Cyber Watch provides summaries of significant cybersecurity and threat intelligence events, analyst comments, and recommendations from Anomali Threat Research to increase situational awareness, and the associated tactics, techniques, and procedures (TTPs) to empower automated response actions proactively.
We hope you find this version informative and useful. If you haven’t already subscribed get signed up today so you can receive curated and summarized cybersecurity intelligence events weekly.
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Emotet, Go, Masslogger, Mustang Panda, OilRig, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
(published: February 26, 2021)
Recent reporting indicates that two prolific cybercrime threat groups, CARBON SPIDER and SPRITE SPIDER, have begun targeting ESXi, a hypervisor developed by VMWare to run and manage virtual machines. SPRITE SPIDER uses PyXie's LaZagne module to recover vCenter credentials stored in web browsers and runs Mimikatz to steal credentials from host memory. After authenticating to vCenter, SPRITE SPIDER enables ssh to permit persistent access to ESXi devices. In some cases, they also change the root account password or the host’s ssh keys. Before deploying Defray 777, SPRITE SPIDER’s ransomware of choice, they terminate running VMs to allow the ransomware to encrypt files associated with those VMs. CARBON SPIDER has traditionally targeted companies operating POS devices, with initial access being gained using low-volume phishing campaigns against this sector. But throughout 2020 they were observed shifting focus to “Big Game Hunting” with the introduction of the Darkside Ransomware. CARBON SPIDER gains access to ESXi servers using valid credentials and reportedly also logs in over ssh using the Plink utility to drop the Darkside
Recommendation: Both CARBON SPIDER and SPRITE SPIDER likely intend to use ransomware targeting ESXi to inflict greater harm – and hopefully realize larger profits – than traditional ransomware operations against Windows systems. Should these campaigns continue and prove to be profitable, we would expect more threat actors to imitate these activities.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Scheduled Transfer - T1029 | |
Ransomware Malware Threat | Wannacry Wannacry APT 29 APT 28 APT 31 APT 34 | |
 |
2021-02-22 21:07:03 | Chinese Hackers Hijacked NSA-Linked Hacking Tool: Report (lien direct) | APT31, a Chinese-affiliated threat group, copied a Microsoft Windows exploit previously used by the Equation Group, said researchers. | Threat | APT 31 | |
|
2021-02-22 15:06:35 | Chinese Hackers Cloned Equation Group Exploit Years Before Shadow Brokers Leak (lien direct) | A Chinese threat actor known as APT31 likely acquired and cloned one of the Equation Group's exploits three years before the targeted vulnerability was publicly exposed as part of Shadow Brokers' “Lost in Translation” leak, cybersecurity firm Check Point says in a new report. | Vulnerability Threat | APT 31 | |
|
2020-09-15 15:00:00 | Weekly Threat Briefing: APT Group, Malware, Ransomware, and Vulnerabilities (lien direct) |
The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Conti Ransomware, Cryptominers, Emotet, Linux, US Election, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
China’s ‘Hybrid War’: Beijing’s Mass Surveillance of Australia and the World for Secrets and Scandal
(published: September 14, 2020)
A database containing 2.4 million people has been leaked from a Shenzhen company, Zhenhua Data, believed to have ties to the Chinese intelligence service. The database contains personal information on over 35,000 Australians and prominent figures, and 52,000 Americans. This includes addresses, bank information, birth dates, criminal records, job applications, psychological profiles, and social media. Politicians, lawyers, journalists, military officers, media figures, and Natalie Imbruglia are among the records of Australians contained in the database. While a lot of the information is public, there is also non-public information contributing to claims that China is developing a mass surveillance system.
Recommendation: Users should always remain vigilant about the information they are putting out into the public, and avoid posting personal or sensitive information online.
Tags: China, spying
US Criminal Court Hit by Conti Ransomware; Critical Data at Risk
(published: September 11, 2020)
The Fourth District Court of Louisiana, part of the US criminal court system, appears to have become the latest victim of the Conti ransomware. The court's website was attacked and used to steal numerous court documents related to defendants, jurors, and witnesses, and then install the Conti ransomware. Evidence of the data theft was posted to the dark web. Analysis of the malware by Emsisoft’s threat analyst, Brett Callow, indicates that the ransomware deployed in the attack was Conti, which has code similarity to another ransomware strain, Ryuk. The Conti group, believed to be behind this ransomware as a service, is sophisticated and due to the fact that they receive a large portion of the ransoms paid, they are motivated to avoid detections and continue to develop advanced attacking tools. This attack also used the Trickbot malware in its exploit chain, similar to that used by Ryuk campaigns.
Recommendation: Defense in Depth, including vulnerability remediation and scanning, monitoring, endpoint protection, backups, etc. is key to thwarting increasingly sophisticated attacks. Ransomware attacks are particularly attractive to attackers due to the fact that each successful ransomware attack allows for multiple streams of income. The attackers can not only extort a ransom to decrypt the victim's files (especially in cases where the victim finds they do not have appropriate disaster recovery plans), but they can also monetize the exfiltrated data directly and/or use the data to aid in future attacks. This technique is increasingly used in supply chain compromises to build difficult to detect spearphishing attacks.
Tags: conti, ryuk, ransomware
|
Ransomware Malware Tool Vulnerability Threat Conference | APT 35 APT 28 APT 31 | ★★★ |
|
2017-03-28 21:12:08 | Microsoft Offers Analysis of Zero-Day Exploited By Zirconium Group (lien direct) | Microsoft patched a zero-day vulnerability actively used in a campaign by a hacking group known as Zirconium. | APT 31 | ||
|
2017-03-27 16:55:51 | Microsoft Quietly Patched Windows Zero-Day Used in Attacks by Zirconium Group (lien direct) | Without making too much fuss about it, Microsoft patched a zero-day vulnerability used in live attacks by a cyber-espionage group named Zirconium. The zero-day, tracked as CVE-2017-0005, affects the Windows Win32k component in the Windows GDI (Graphics Device Interface), included in all Windows OS versions. [...] | APT 31 |
1
We have: 41 articles.
We have: 41 articles.
To see everything:
Our RSS (filtrered)
