What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-05-07 18:55:00 | Les pirates APT42 se présentent en tant que journalistes pour récolter les informations d'identification et accéder aux données du cloud APT42 Hackers Pose as Journalists to Harvest Credentials and Access Cloud Data (lien direct) |
La tenue de piratage soutenue par l'État iranien & nbsp; appelé & nbsp; apt42 & nbsp; utilise & nbsp; schémas d'ingénierie sociale améliorés pour infiltrer les réseaux cibles et les environnements cloud.
Les cibles de l'attaque comprennent & NBSP; ONG occidentales et du Moyen-Orient, organisations médiatiques, université, services juridiques et NBSP; et les militants, a déclaré la filiale de Google Cloud Mandiant dans un rapport publié la semaine dernière.
"APT42 était
The Iranian state-backed hacking outfit called APT42 is making use of enhanced social engineering schemes to infiltrate target networks and cloud environments. Targets of the attack include Western and Middle Eastern NGOs, media organizations, academia, legal services and activists, Google Cloud subsidiary Mandiant said in a report published last week. "APT42 was |
Cloud | APT 42 | ★★★★ |
 |
2024-05-06 19:54:46 | Uncharmed: les opérations APT42 de l'Iran démêle Uncharmed: Untangling Iran\\'s APT42 Operations (lien direct) |
#### Géolocations ciblées - Moyen-Orient - Amérique du Nord - Europe de l'Ouest #### Industries ciblées - agences et services gouvernementaux - Organisation non gouvernementale ## Instantané Mandiant discute des activités de l'APT42, acteur iranien de cyber-espionnage parrainé par l'État, ciblant les ONG occidentales et moyen-orientales, les organisations médiatiques, les universités, les services juridiques et les militants. ** Les activités de l'APT42 se chevauchent avec le suivi de Microsoft \\ de Mint Sandstorm.[En savoir plus ABOut Mint Sandstorm ici.] (https://sip.security.microsoft.com/intel-profiles/05c5c1b864581c264d955df783455ecadf9b98471e408f32947544178e7bd0e3) ** ## descript APT42 utilise des programmes d'ingénierie sociale améliorés pour gagner en confiance et fournir des invitations aux conférences ou aux documents légitimes, leur permettant de récolter des informations d'identification et d'obtenir un accès initial aux environnements cloud.Les opérations récentes impliquent l'utilisation de délais personnalisés tels que NiceCurl et Tamecat, livrés via le phishing de lance. Les opérations cloud d'APT42 \\ impliquent une exfiltration d'exfiltration secrète des environnements Microsoft 365 victimes, en utilisant des schémas d'ingénierie sociale améliorés pour obtenir un accès initial et contourner l'authentification multi-facteurs.L'acteur de menace se précipita comme des ONG légitimes, se fait passer pour le personnel de haut rang et déploie du matériel de leurre pour gagner la confiance de la victime.APT42 déploie également diverses méthodes pour contourner l'authentification multi-facteurs, notamment en utilisant de fausses pages duo et en servant des sites de phishing pour capturer les jetons MFA. APT42 déploie des logiciels malveillants personnalisés tels que Tamecat et NiceCurl pour cibler les ONG, le gouvernement ou les organisations intergouvernementales gantant les problèmes liés à l'Iran et au Moyen-Orient.Ces délais offrent aux opérateurs APT42 un accès initial aux cibles et à une interface de code-Exécution flexible. ## Recommandations Les techniques utilisées par les sous-ensembles de la tempête de menthe peuvent être atténuées à travers les actions suivantes: ### durcissant les actifs orientés Internet et compréhension de votre périmètre Les organisations doivent identifier et sécuriser les systèmes de périmètre que les attaquants pourraient utiliser pour accéder au réseau.Les interfaces de balayage publique, telles que Microsoft Defender External Attack Surface Management, peuvent être utilisées pour améliorer les données. Les vulnérabilités observées dans les campagnes récentes attribuées aux sous-groupes de sable à la menthe que les défenseurs peuvent identifier et atténuer: inclure: - IBM ASPERA FASPEX affecté par CVE-2022-47986: Les organisations peuvent corriger CVE-2022-47986 en mettant à niveau vers FASPEX 4.4.2 Niveau 2 du patch 2 ou en utilisant FasPex 5.x qui ne contient pas cette vulnérabilité. - Zoho ManageEngine affecté par CVE-2022-47966: les organisations utilisant des produits Zoho Manage Engine vulnérables au CVE-2022-47966 devraient télécharger et appliquer des mises à niveau de l'avis officiel dès que possible.Le correctif de cette vulnérabilité est utile au-delà de cette campagne spécifique, car plusieurs adversaires exploitent le CVE-2022-47966 pour l'accès initial. - Apache Log4j2 (aka log4shell) (CVE-2021-44228 et CVE-2021-45046): [Microsoft \\ S GOIDANCE pour les organisations utilisant des applications vulnérables à l'exploitation de log4.com / en-us / security / blog / 2021/12/11 / guidance-for-préventing-détectant et chasseur-pour-CVE-2021-44228-LOG4J-2-Exploitation /) Cette direction est utile pour toutOrganisation avec des applications vulnérables et utile au-delà de cette campagne spécifique, car plusieurs adversaires exploitent Log4Shell pour obten | Malware Vulnerability Threat Patching Cloud | APT 42 | ★★★ |
 |
2024-05-04 10:17:34 | Les pirates iraniens se présentent en tant que journalistes pour pousser les logiciels malveillants de porte dérobée Iranian hackers pose as journalists to push backdoor malware (lien direct) |
L'acteur de menace soutenu par l'État iranien suivi comme APT42 utilise des attaques d'ingénierie sociale, notamment en se faisant passer pour des journalistes, pour violer les réseaux d'entreprise et les environnements cloud des cibles occidentales et du Moyen-Orient.[...]
The Iranian state-backed threat actor tracked as APT42 is employing social engineering attacks, including posing as journalists, to breach corporate networks and cloud environments of Western and Middle Eastern targets. [...] |
Malware Threat Cloud | APT 42 | ★★★ |
 |
2024-04-17 15:30:00 | Le groupe nord-coréen Kimsuk exploite DMARC et les balises Web North Korean Group Kimsuky Exploits DMARC and Web Beacons (lien direct) |
ProofPoint a confirmé que Kimsuky a directement contacté des experts en politique étrangère depuis 2023 par le biais de conversations par e-mail apparemment bénignes
Proofpoint confirmed Kimsuky has directly contacted foreign policy experts since 2023 through seemingly benign email conversations |
APT 43 | ★★★ | |
 |
2024-04-16 06:00:54 | De l'ingénierie sociale aux abus DMARC: Ta427 \\'s Art of Information Gathering From Social Engineering to DMARC Abuse: TA427\\'s Art of Information Gathering (lien direct) |
Key takeaways TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime. In addition to using specially crafted lure content, TA427 heavily leverages think tank and non-governmental organization-related personas to legitimize its emails and increase the chances that targets will engage with the threat actor. To craftily pose as its chosen personas, TA427 uses a few tactics including DMARC abuse in concert with free email addresses, typosquatting, and private email account spoofing. TA427 has also incorporated web beacons for initial reconnaissance of its targets, establishing basic information like that the email account is active. Overview Proofpoint researchers track numerous state-sponsored and state-aligned threat actors. TA427 (also known as Emerald Sleet, APT43, THALLIUM or Kimsuky), a Democratic People\'s Republic of Korea (DPRK or North Korea) aligned group working in support of the Reconnaissance General Bureau, is particularly prolific in email phishing campaigns targeting experts for insight into US and the Republic of Korea (ROK or South Korea) foreign policy. Since 2023, TA427 has directly solicited foreign policy experts for their opinions on nuclear disarmament, US-ROK policies, and sanction topics via benign conversation starting emails. In recent months, Proofpoint researchers have observed (Figure 1) a steady, and at times increasing, stream of this activity. While our researchers have consistently observed TA427 rely on social engineering tactics and regularly rotating its email infrastructure, in December 2023 the threat actor began to abuse lax Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to spoof various personas and, in February 2024, began incorporating web beacons for target profiling. It is this initial engagement, and the tactics successfully leveraged by TA427, which this blog is focused on. Figure 1. Volume of TA427 phishing campaigns observed between January 2023 and March 2024. Social engineering TA427 is a savvy social engineering expert whose campaigns are likely in support of North Korea\'s strategic intelligence collection efforts on US and ROK foreign policy initiatives. Based on the targets identified and the information sought, it is believed that TA427\'s goal is to augment North Korean intelligence and inform its foreign policy negotiation tactics (example Figure 2). TA427 is known to engage its targets for extended periods of time through a series of benign conversations to build a rapport with targets that can occur over weeks to months. They do so by constantly rotating which aliases are used to engage with the targets on similar subject matter. Figure 2. Example of TA427 campaign focused on US policy during an election year. Using timely, relevant lure content (as seen in Figure 3) customized for each victim, and often spoofing individuals in the DPRK research space with whom the victim is familiar to encourage engagement, targets are often requested to share their thoughts on these topics via email or a formal research paper or article. Malware or credential harvesting are never directly sent to the targets without an exchange of multiple messages, and based on Proofpoint visibility, rarely utilized by the threat actor. It is possible that TA427 can fulfill its intelligence requirements by directly asking targets for their opinions or analysis rather than from an infection. Additionally, insight gained from the correspondence is likely used to improve targeting of the victim organization and establish rapport for later questions and engagement. Figure 3. Timeline of real-world events based on international press reporting, side-by-side with Proofpoint observed subject lures. Lure content often includes invitations to attend events about North Korean policies regarding international affairs, questions regarding topics such as how deterr | Malware Tool Threat Conference | APT 37 APT 43 | ★★ |
|
2024-04-09 14:30:00 | Recherche Unarths Assaut multi-mineur de Rumbycarp \\ sur crypto Research Unearths RUBYCARP\\'s Multi-Miner Assault on Crypto (lien direct) |
Sysdig a déclaré qu'en déploiement de plusieurs mineurs, le groupe a diminué le temps d'attaque et le risque de détection
Sysdig stated that by deploying multiple miners, the group decreased attack time and detection risk |
APT 40 | ★★★ | |
|
2024-04-08 15:09:15 | Faits saillants hebdomadaires, 8 avril 2024 Weekly OSINT Highlights, 8 April 2024 (lien direct) |
Last week\'s OSINT reporting reveals several key trends emerge in the realm of cybersecurity threats. Firstly, there is a notable diversification and sophistication in attack techniques employed by threat actors, ranging from traditional malware distribution through phishing emails to advanced methods like DLL hijacking and API unhooking for evading detection. Secondly, the threat landscape is characterized by the presence of various actors, including state-sponsored groups like Earth Freybug (a subset of APT41) engaging in cyberespionage and financially motivated attacks, as well as cybercrime actors orchestrating malware campaigns such as Agent Tesla and Rhadamanthys. Thirdly, the targets of these attacks span across different sectors and regions, with organizations in America, Australia, and European countries facing significant threats. Additionally, the emergence of cross-platform malware like DinodasRAT highlights the adaptability of threat actors to target diverse systems, emphasizing the need for robust cybersecurity measures across all platforms. Overall, these trends underscore the dynamic and evolving nature of cyber threats, necessitating continuous vigilance and proactive defense strategies from organizations and cybersecurity professionals. **1. [Latrodectus Loader Malware Overview](https://sip.security.microsoft.com/intel-explorer/articles/b4fe59bf)** Latrodectus is a new downloader malware, distinct from IcedID, designed to download payloads and execute arbitrary commands. It shares characteristics with IcedID, indicating possible common developers. **2. [Earth Freybug Cyberespionage Campaign](https://sip.security.microsoft.com/intel-explorer/articles/327771c8)** Earth Freybug, a subset of APT41, engages in cyberespionage and financially motivated attacks since at least 2012. The attack involved sophisticated techniques like DLL hijacking and API unhooking to deploy UNAPIMON, evading detection and enabling malicious commands execution. **3. [Agent Tesla Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/cbdfe243)** Agent Tesla malware targets American and Australian organizations through phishing campaigns aimed at stealing email credentials. Check Point Research identified two connected cybercrime actors behind the operation. **4. [DinodasRAT Linux Version Analysis](https://sip.security.microsoft.com/intel-explorer/articles/57ab8662)** DinodasRAT, associated with the Chinese threat actor LuoYu, is a cross-platform backdoor primarily targeting Linux servers. The latest version introduces advanced evasion capabilities and is installed to gain additional footholds in networks. **5. [Rhadamanthys Information Stealer Malware](https://sip.security.microsoft.com/intel-explorer/articles/bf8b5bc1)** Rhadamanthys utilizes Google Ads tracking to distribute itself, disguising as popular software installers. After installation, it injects into legitimate Windows files for data theft, exploiting users through deceptive ad redirects. **6. [Sophisticated Phishing Email Malware](https://sip.security.microsoft.com/intel-explorer/articles/abfabfa1)** A phishing email campaign employs ZIP file attachments leading to a series of malicious file downloads, culminating in the deployment of PowerShell scripts to gather system information and download further malware. **7. [AceCryptor Cryptors-as-a-Service (CaaS)](https://sip.security.microsoft.com/intel-explorer/articles/e3595388)** AceCryptor is a prevalent cryptor-as-a-service utilized in Rescoms campaigns, particularly in European countries. Threat actors behind these campaigns abuse compromised accounts to send spam emails, aiming to obtain credentials for further attacks. ## Learn More For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: [https://aka.ms/threatintelblog](https://aka.ms/threatintelblog). Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to ge | Ransomware Spam Malware Tool Threat Cloud | APT 41 | ★★★ |
|
2024-04-03 20:46:53 | Earth Freybug Uses UNAPIMON for Unhooking Critical APIs (lien direct) | #### Description
Trend Micro a analysé une attaque de cyberespionnage que la société a attribuée à Earth Freybug, un sous-ensemble d'APT41 (suivi par Microsoft comme [typhon en laiton] (https: // sip.security.microsoft.com/intel-profiles/f0aaa62bfbaf3739bb92106688e6a00fc05afc0d4158b0e389b4078112d37c6?)).Selon Trend Micro, Earth Freybug est actif depuis àAu moins 2012 et le groupe lié au chinois a été actif dans l'espionnage et les attaques financièrement motivées.Earth Freybug utilise divers outils tels que Lolbins et les logiciels malveillants personnalisés, ciblant les organisations à l'échelle mondiale.L'attaque a utilisé des techniques telles que Dynamic Link Library (DLL) détournement et décrocheur API pour éviter la surveillance d'un nouveau malware appelé Unapimon.Unapimon élude la détection en empêchant les processus enfants d'être surveillés.
Le flux d'attaque a consisté à créer des tâches planifiées à distance et à exécuter des commandes de reconnaissance pour recueillir des informations système.Par la suite, une porte dérobée a été lancée à l'aide d'un chargement latéral DLL via un service appelé sessionnv, qui charge une DLL malveillante.Unapimon, la DLL injectée, utilise le crochet de l'API pour échapper à la surveillance et à l'exécution de commandes malveillantes non détectées, présentant les attaquants \\ 'sophistication.
[Consultez la rédaction de Microsoft \\ sur Dynamic-Link Library (DLL) Rijacking ici.] (Https://sip.security.microsoft.com/intel-explorer/articles/91be20e8?)
#### URL de référence (s)
1. https://www.trendmicro.com/en_us/research/24/d/arth-freybug.html
#### Date de publication
2 avril 2024
#### Auteurs)
Christopher So
#### Description Trend Micro analyzed a cyberespionage attack the company has attributed to Earth Freybug, a subset of APT41 (tracked by Microsoft as [Brass Typhoon](https://sip.security.microsoft.com/intel-profiles/f0aaa62bfbaf3739bb92106688e6a00fc05eafc0d4158b0e389b4078112d37c6?)). According to Trend Micro, Earth Freybug has been active since at least 2012 and the Chinese-linked group has been active in espionage and financially motivated attacks. Earth Freybug employs diverse tools like LOLBins and custom malware, targeting organizations globally. The attack used techniques like dynamic link library (DLL) hijacking and API unhooking to avoid monitoring for a new malware called UNAPIMON. UNAPIMON evades detection by preventing child processes from being monitored. The attack flow involved creating remote scheduled tasks and executing reconnaissance commands to gather system information. Subsequently, a backdoor was launched using DLL side-loading via a service called SessionEnv, which loads a malicious DLL. UNAPIMON, the injected DLL, uses API hooking to evade monitoring and execute malicious commands undetected, showcasing the attackers\' sophistication. [Check out Microsoft\'s write-up on dynamic-link library (DLL) hijacking here.](https://sip.security.microsoft.com/intel-explorer/articles/91be20e8?) #### Reference URL(s) 1. https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html #### Publication Date April 2, 2024 #### Author(s) Christopher So |
Malware Tool Prediction | APT 41 | ★★ |
|
2024-03-24 11:08:00 | Kimsuky de Kimsuky, en coréen, les déplacements pour les fichiers HTML compilés dans les cyberattaques en cours N. Korea-linked Kimsuky Shifts to Compiled HTML Help Files in Ongoing Cyberattacks (lien direct) |
L'acteur de menace lié à la Corée du Nord connue sous le nom de & NBSP; Kimsuky & nbsp; (aka Black Banshee, Emerald Sleet ou Springtail) a été observé en déplacement de ses tactiques, en levant des fichiers HTML compilés compilés (CHM) en tant que vecteurs pour offrir des logiciels malinés pour la récolte des données sensibles.
Kimsuky, actif depuis au moins 2012, est connu pour cibler des entités situées en Corée du Sud ainsi qu'en Amérique du Nord, en Asie et en Europe.
Selon
The North Korea-linked threat actor known as Kimsuky (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging Compiled HTML Help (CHM) files as vectors to deliver malware for harvesting sensitive data. Kimsuky, active since at least 2012, is known to target entities located in South Korea as well as North America, Asia, and Europe. According |
Malware Threat | APT 43 | ★★★ |
|
2024-03-05 19:03:47 | Rester en avance sur les acteurs de la menace à l'ère de l'IA Staying ahead of threat actors in the age of AI (lien direct) |
## Snapshot Over the last year, the speed, scale, and sophistication of attacks has increased alongside the rapid development and adoption of AI. Defenders are only beginning to recognize and apply the power of generative AI to shift the cybersecurity balance in their favor and keep ahead of adversaries. At the same time, it is also important for us to understand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today we are publishing research on emerging threats in the age of AI, focusing on identified activity associated with known threat actors, including prompt-injections, attempted misuse of large language models (LLM), and fraud. Our analysis of the current use of LLM technology by threat actors revealed behaviors consistent with attackers using AI as another productivity tool on the offensive landscape. You can read OpenAI\'s blog on the research [here](https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors). Microsoft and OpenAI have not yet observed particularly novel or unique AI-enabled attack or abuse techniques resulting from threat actors\' usage of AI. However, Microsoft and our partners continue to study this landscape closely. The objective of Microsoft\'s partnership with OpenAI, including the release of this research, is to ensure the safe and responsible use of AI technologies like ChatGPT, upholding the highest standards of ethical application to protect the community from potential misuse. As part of this commitment, we have taken measures to disrupt assets and accounts associated with threat actors, improve the protection of OpenAI LLM technology and users from attack or abuse, and shape the guardrails and safety mechanisms around our models. In addition, we are also deeply committed to using generative AI to disrupt threat actors and leverage the power of new tools, including [Microsoft Copilot for Security](https://www.microsoft.com/security/business/ai-machine-learning/microsoft-security-copilot), to elevate defenders everywhere. ## Activity Overview ### **A principled approach to detecting and blocking threat actors** The progress of technology creates a demand for strong cybersecurity and safety measures. For example, the White House\'s Executive Order on AI requires rigorous safety testing and government supervision for AI systems that have major impacts on national and economic security or public health and safety. Our actions enhancing the safeguards of our AI models and partnering with our ecosystem on the safe creation, implementation, and use of these models align with the Executive Order\'s request for comprehensive AI safety and security standards. In line with Microsoft\'s leadership across AI and cybersecurity, today we are announcing principles shaping Microsoft\'s policy and actions mitigating the risks associated with the use of our AI tools and APIs by nation-state advanced persistent threats (APTs), advanced persistent manipulators (APMs), and cybercriminal syndicates we track. These principles include: - **Identification and action against malicious threat actors\' use:** Upon detection of the use of any Microsoft AI application programming interfaces (APIs), services, or systems by an identified malicious threat actor, including nation-state APT or APM, or the cybercrime syndicates we track, Microsoft will take appropriate action to disrupt their activities, such as disabling the accounts used, terminating services, or limiting access to resources. - **Notification to other AI service providers:** When we detect a threat actor\'s use of another service provider\'s AI, AI APIs, services, and/or systems, Microsoft will promptly notify the service provider and share relevant data. This enables the service provider to independently verify our findings and take action in accordance with their own policies. - **Collaboration with other stakeholders:** Microsoft will collaborate with other stakeholders to regularly exchange information a | Ransomware Malware Tool Vulnerability Threat Studies Medical Technical | APT 28 ChatGPT APT 4 | ★★ |
 |
2024-02-14 22:14:54 | Microsoft, Openai: les États-nations armement l'IA dans les cyberattaques Microsoft, OpenAI: Nation-States Are Weaponizing AI in Cyberattacks (lien direct) |
Ce n'est plus théorique: les principaux pouvoirs du monde sont des modèles de grands langues pour améliorer leurs cyber-opérations offensives.
It\'s not theoretical anymore: the world\'s major powers are working with large language models to enhance their offensive cyber operations. |
APT 40 | ★★ | |
 |
2024-02-13 14:47:15 | CharmingCypress: innovation de persistance CharmingCypress: Innovating Persistence (lien direct) |
> Grâce à ses offres de services de sécurité gérées, la volexité identifie régulièrement des campagnes de phisseur de lance ciblant ses clients.Un acteur de menace persistant, dont la volexité des campagnes observe fréquemment, est l'acteur de menace d'origine iranienne CharmingCypress (alias Charming Kitten, Apt42, TA453).La volexité évalue que CharmingCypress est chargé de collecter des renseignements politiques contre les cibles étrangères, en particulier en se concentrant sur les groupes de réflexion, les ONG et les journalistes.Dans leurs campagnes de phishing, CharmingCypress utilise souvent des tactiques inhabituelles d'ingénierie sociale, comme engager des cibles dans des conversations prolongées par e-mail avant d'envoyer des liens vers un contenu malveillant.Dans une campagne de lance de lance particulièrement notable observée par volexité, CharmingCypress est allé jusqu'à créer une plate-forme de webinaire entièrement fausse à utiliser dans le cadre de l'attrait.CharmingCypress contrôlé un accès à cette plate-forme, nécessitant des cibles pour installer des applications VPN chargées de logiciels malveillants avant d'accorder l'accès.Remarque: Un contenu dans ce blog a récemment été discuté dans le rapport de Microsoft \\, de nouveaux TTP observés dans la campagne de Sandstorm de Mint ciblant des individus de haut niveau dans les universités et [& # 8230;]
>Through its managed security services offerings, Volexity routinely identifies spear-phishing campaigns targeting its customers. One persistent threat actor, whose campaigns Volexity frequently observes, is the Iranian-origin threat actor CharmingCypress (aka Charming Kitten, APT42, TA453). Volexity assesses that CharmingCypress is tasked with collecting political intelligence against foreign targets, particularly focusing on think tanks, NGOs, and journalists. In their phishing campaigns, CharmingCypress often employs unusual social-engineering tactics, such as engaging targets in prolonged conversations over email before sending links to malicious content. In a particularly notable spear-phishing campaign observed by Volexity, CharmingCypress went so far as to craft an entirely fake webinar platform to use as part of the lure. CharmingCypress controlled access to this platform, requiring targets to install malware-laden VPN applications prior to granting access. Note: Some content in this blog was recently discussed in Microsoft\'s report, New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and […] |
Threat | APT 35 APT 42 | ★★★ |
|
2023-12-29 14:39:00 | Des pirates Kimsuky déploient Appleseed, Meterpreter et Tinynuke dans les dernières attaques Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks (lien direct) |
Nation-state actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines.
South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as Kimsuky.
“A notable point about attacks that
Nation-state actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines. South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as Kimsuky. “A notable point about attacks that |
Tool Threat | APT 43 | ★★★ |
|
2023-12-28 19:18:50 | Trend Analysis on Kimsuky Group\'s Attacks Using AppleSeed (lien direct) | #### Description
Le groupe de menaces Kimsuky, connu pour être soutenu par la Corée du Nord, est actif depuis 2013. Le groupe lance généralement des attaques de phishing de lance contre la défense nationale, les industries de la défense, les médias, la diplomatie, les organisations nationales et les secteurs académiques.
Leurs attaques visent à voler des informations internes et des technologies auprès des organisations.Alors que le groupe Kimsuky utilise généralement des attaques de phishing de lance pour un accès initial, la plupart de leurs attaques récentes impliquent l'utilisation de logiciels malveillants de type raccourci au format de fichier LNK.Bien que les logiciels malveillants LNK constituent une grande partie des attaques récentes, des cas utilisant des javascripts ou des documents malveillants continuent d'être détectés.Ces cas d'attaque qui utilisent des logiciels malveillants de type JavaScript impliquent généralement la distribution d'applications.En plus de JavaScript, des logiciels malwares de macro Excel sont également utilisés pour installer Appleseed.Appleseed est une porte dérobée qui peut recevoir les commandes de la menace acteur \\ du serveur C&C et exécuter les commandes reçues.L'acteur de menace peut utiliser Appleseed pour contrôler le système infecté.Il propose également des fonctionnalités telles qu'un téléchargeur qui installe des logiciels malveillants supplémentaires, Keylogging et prenant des captures d'écran, et en volant des informations en collectant des fichiers dans le système utilisateur et en les envoyant.Alphaseed est un logiciel malveillant développé dans Golang et prend en charge des fonctionnalités similaires à Appleseed telles que l'exécution des commandes et l'infostoritration.
#### URL de référence (s)
1. https://asec.ahnlab.com/en/60054/
#### Date de publication
27 décembre 2023
#### Auteurs)
Sanseo
#### Description The Kimsuky threat group, known to be supported by North Korea, has been active since 2013. The group usually launches spear phishing attacks against national defense, defense industries, media, diplomacy, national organizations, and academic sectors. Their attacks aim to steal internal information and technology from organizations. While the Kimsuky group typically uses spear phishing attacks for initial access, most of their recent attacks involve the use of shortcut-type malware in LNK file format. Although LNK malware comprise a large part of recent attacks, cases using JavaScripts or malicious documents are continuing to be detected. Such attack cases that use JavaScript-type malware usually involve the distribution of AppleSeed. In addition to JavaScript, Excel macro malware are also used to install AppleSeed. AppleSeed is a backdoor that can receive the threat actor\'s commands from the C&C server and execute the received commands. The threat actor can use AppleSeed to control the infected system. It also offers features such as a downloader that installs additional malware, keylogging and taking screenshots, and stealing information by collecting files from the user system and sending them. AlphaSeed is a malware developed in Golang and supports similar features to AppleSeed such as command execution and infostealing. #### Reference URL(s) 1. https://asec.ahnlab.com/en/60054/ #### Publication Date December 27, 2023 #### Author(s) Sanseo |
Malware Threat Prediction | APT 43 | ★★★ |
|
2023-12-08 19:03:00 | N. Corée Kimsuky ciblant les instituts de recherche sud-coréens avec des attaques de porte dérobée N. Korean Kimsuky Targeting South Korean Research Institutes with Backdoor Attacks (lien direct) |
L'acteur de menace nord-coréenne connue sous le nom de & nbsp; Kimsuky & nbsp; a été observé ciblant les instituts de recherche en Corée du Sud dans le cadre d'une campagne de phisces de lance dans l'objectif ultime de distribuer des déambulations sur des systèmes compromis.
"L'acteur de menace utilise finalement une porte dérobée pour voler des informations et exécuter des commandes", le centre d'intervention d'urgence de sécurité AHNLAB (ASEC) & NBSP; dit & nbsp; dans un
The North Korean threat actor known as Kimsuky has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems. "The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC) said in an |
Threat | APT 43 | ★★★ |
|
2023-12-01 21:00:00 | La Corée du Nord APT a giflé des cyber-sanctions après le lancement par satellite North Korea APT Slapped With Cyber Sanctions After Satellite Launch (lien direct) |
Les sanctions contre Kimsuky / APT43 se concentrent sur le monde sur la perturbation des opérations de cybercriminalité du régime de la RPRC, dit Expert.
Sanctions on Kimsuky/APT43 focuses the world on disrupting DPRK regime\'s sprawling cybercrime operations, expert says. |
APT 43 APT 43 | ★★★ | |
 |
2023-12-01 18:15:00 | US Sanctions North Coréen \\ 'Kimsuky \\' Hackers après le lancement de satellite de surveillance US sanctions North Korean \\'Kimsuky\\' hackers after surveillance satellite launch (lien direct) |
Les États-Unis se sont associés à plusieurs nations du Pacifique pour transmettre des sanctions contre la Corée du Nord - en particulier le groupe de cyber-espionnage du pays \\ du pays - après le pays Lancé Un satellite de surveillance la semaine dernière.Jeudi soir, le Office du Contrôle des actifs étrangers (OFAC) du Département américain du Trésor du Trésor a sanctionné huit agents nord-coréens pour
The U.S. partnered with several nations in the Pacific to hand down sanctions on North Korea - particularly the country\'s Kimsuky cyber espionage group - after the country launched a surveillance satellite last week. On Thursday evening, the U.S. Department of the Treasury\'s Office of Foreign Assets Control (OFAC) sanctioned eight North Korean agents for |
APT 43 | ★★★ | |
|
2023-11-23 20:16:00 | Groupe Konni utilisant des documents de mots malveillants en langue russe dans les dernières attaques Konni Group Using Russian-Language Malicious Word Docs in Latest Attacks (lien direct) |
Une nouvelle attaque de phishing a été observée en tirant parti d'un document Microsoft Word en langue russe pour fournir des logiciels malveillants capables de récolter des informations sensibles auprès d'hôtes Windows compromis.
L'activité a été attribuée à un acteur de menace appelé Konni, qui est évalué pour partager les chevauchements avec un cluster nord-coréen suivi comme Kimsuky (aka apt43).
"Cette campagne repose sur un cheval de Troie à distance
A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts. The activity has been attributed to a threat actor called Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43). "This campaign relies on a remote access trojan |
APT 43 | ★★ | |
 |
2023-10-23 02:21:45 | 2023 août & # 8211;Rapport de tendance des menaces sur le groupe Kimsuky 2023 Aug – Threat Trend Report on Kimsuky Group (lien direct) |
Les activités de Kimsuky Group & # 8217;Les activités d'autres types étaient relativement faibles.De plus, des échantillons de phishing ont été trouvés dans l'infrastructure connue pour la distribution de logiciels malveillants antérieurs (fleurs, randomquery et appleseed), et des échantillons de babyshark ont été découverts dans l'infrastructure RandomQuery.Cela suggère la probabilité de plusieurs types de logiciels malveillants en utilisant une seule infrastructure.Rapport de tendance AUG_TRÉTÉE sur le groupe Kimsuk
The Kimsuky group’s activities in August 2023 showed a notable surge in the BabyShark type, while the activities of other types were relatively low. Also, phishing samples were found in the infrastructure known for distributing previous malware (FlowerPower, RandomQuery, and AppleSeed), and BabyShark samples were discovered in the RandomQuery infrastructure. This suggests the likelihood of multiple types of malware utilizing a single infrastructure. Aug_Threat Trend Report on Kimsuky Group |
Malware Threat Prediction | APT 43 | ★★★ |
|
2023-10-18 16:11:47 | Kimsuky de la Corée du Nord se double de la commande de bureau à distance North Korea\\'s Kimsuky Doubles Down on Remote Desktop Control (lien direct) |
L'APT sophistiqué utilise diverses tactiques pour abuser des fenêtres et d'autres protocoles intégrés avec des logiciels malveillants personnalisés et publics pour prendre le contrôle des systèmes de victimes.
The sophisticated APT employs various tactics to abuse Windows and other built-in protocols with both custom and public malware to take over victim systems. |
Malware | APT 43 | ★★ |
|
2023-10-17 09:08:51 | Kimsuky Threat Group utilise RDP pour contrôler les systèmes infectés Kimsuky Threat Group Uses RDP to Control Infected Systems (lien direct) |
Kimsuky, un groupe de menaces connu pour être soutenu par la Corée du Nord, est actif depuis 2013. Au début, ils ont attaqué les instituts de recherche liés à la Corée du Nord en Corée du Sud avant d'attaquer une agence d'énergie sud-coréenne en 2014. D'autres pays sont également devenus des cibles de leur attaque depuis 2017. [1] Le groupe lance généralement des attaques de phishing de lance contre la défense nationale, diplomatique diplomatique,, et les secteurs universitaires, les industries de la défense et des médias, ainsi que des organisations nationales.Leur objectif est d'exfiltrer les informations et la technologie internes ...
Kimsuky, a threat group known to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy agency in 2014. Other countries have also become targets of their attack since 2017. [1] The group usually launches spear phishing attacks on the national defense, diplomatic, and academic sectors, defense and media industries, as well as national organizations. Their goal is to exfiltrate internal information and technology... |
Threat | APT 43 | ★★★ |
|
2023-10-04 20:39:00 | Les chercheurs relient DragOnegg Android Spyware à LightSpy iOS Surveillanceware Researchers Link DragonEgg Android Spyware to LightSpy iOS Surveillanceware (lien direct) |
De nouvelles découvertes ont identifié des connexions entre un logiciel espion Android appelé DragOnegg etUn autre outil sophistiqué modulaire de surveillance iOS nommé LightSpy.
DragOnegg, aux côtés de Wyrmspy (aka AndroidControl),a été divulgué pour la première fois par Lookout en juillet 2023 comme une souche de logiciels malveillants capables de collecter des données sensibles à partir d'appareils Android.Il a été attribué au groupe national chinois Apt41.
Sur
New findings have identified connections between an Android spyware called DragonEgg and another sophisticated modular iOS surveillanceware tool named LightSpy. DragonEgg, alongside WyrmSpy (aka AndroidControl), was first disclosed by Lookout in July 2023 as a strain of malware capable of gathering sensitive data from Android devices. It was attributed to the Chinese nation-state group APT41. On |
Malware Tool | APT 41 APT 41 | ★★★ |
|
2023-10-04 15:30:00 | Lightspy iPhone Spyware lié au groupe chinois APT41 LightSpy iPhone Spyware Linked to Chinese APT41 Group (lien direct) |
ThreatFabric a trouvé des preuves que Lighspy est lié à Android Spyware DragOnegg, attribué au groupe parrainé par les Chinois
ThreatFabric found evidence that LighSpy is linked to Android spyware DragonEgg, attributed to the Chinese-sponsored group |
APT 41 APT 41 | ★★ | |
 |
2023-09-27 12:51:29 | Les lacunes de sécurité et de confidentialité SMS montrent clairement que les utilisateurs ont besoin d'une mise à niveau de messagerie SMS Security & Privacy Gaps Make It Clear Users Need a Messaging Upgrade (lien direct) |
Posted by Eugene Liderman and Roger Piqueras Jover
SMS texting is frozen in time.
People still use and rely on trillions of SMS texts each year to exchange messages with friends, share family photos, and copy two-factor authentication codes to access sensitive data in their bank accounts. It\'s hard to believe that at a time where technologies like AI are transforming our world, a forty-year old mobile messaging standard is still so prevalent.
Like any forty-year-old technology, SMS is antiquated compared to its modern counterparts. That\'s especially concerning when it comes to security.
The World Has Changed, But SMS Hasn\'t Changed With It
According to a recent whitepaper from Dekra, a safety certifications and testing lab, the security shortcomings of SMS can notably lead to:
SMS Interception: Attackers can intercept SMS messages by exploiting vulnerabilities in mobile carrier networks. This can allow them to read the contents of SMS messages, including sensitive information such as two-factor authentication codes, passwords, and credit card numbers due to the lack of encryption offered by SMS.
SMS Spoofing: Attackers can spoof SMS messages to launch phishing attacks to make it appear as if they are from a legitimate sender. This can be used to trick users into clicking on malicious links or revealing sensitive information. And because carrier networks have independently developed their approaches to deploying SMS texts over the years, the inability for carriers to exchange reputation signals to help identify fraudulent messages has made it tough to detect spoofed senders distributing potentially malicious messages.
These findings add to the well-established facts about SMS\' weaknesses, lack of encryption chief among them.
Dekra also compared SMS against a modern secure messaging protocol and found it lacked any built-in security functionality. According to Dekra, SMS users can\'t answer \'yes\' to any of the following basic security questions:
Confidentiality: Can I trust that no one else can read my SMSs?
Integrity: Can I trust that the content of the SMS that I receive is not modified?
Authentication: Can I trust the identity of the sender of the SMS that I receive?
But this isn\'t just theoretical: cybercriminals have also caught on to the lack of security protections SMS provides and have repeatedly exploited its weakness. Both novice hackers and advanced threat actor groups (such as UNC3944 / Scattered Spider and APT41 investigated by Mandiant, part of Google Cloud) leverage the security deficiencies in SMS to launch different |
Vulnerability Threat Studies | APT 41 | ★★★ |
 |
2023-07-20 09:34:15 | Lookout découvre un logiciel de surveillance Android avancée lié à l'APT41 de la Chine Lookout Uncovers Advanced Android Surveillanceware Linked To China\\'s APT41 (lien direct) |
Hier, Lookout, Inc., a annoncé la découverte de logiciels de surveillance Android sophistiqués connus sous le nom de Wyrmspy et Dragonegg, qui a été lié au groupe d'espionnage chinois Apt41 (aka Double Dragon, Barium et Winnti).Bien qu'il ait été inculpé de plusieurs accusations du gouvernement américain pour ses attaques contre plus de 100 entreprises privées et publiques aux États-Unis [& # 8230;]
Yesterday, Lookout, Inc., announced the discovery of sophisticated Android surveillanceware known as WyrmSpy and DragonEgg, which has been linked to the Chinese espionage group APT41 (AKA Double Dragon, BARIUM and Winnti). Despite being indicted on multiple charges by the U.S. government for its attacks on more than 100 private and public enterprises in the U.S. […] |
Mobile | APT 41 APT 41 | ★★★ |
|
2023-07-20 07:01:12 | APT41 Hackers ciblent les utilisateurs Android avec Wyrmspy, DragOnegg Spyware APT41 hackers target Android users with WyrmSpy, DragonEgg spyware (lien direct) |
Le groupe de piratage APT41 soutenu par l'État chinois cible les appareils Android avec deux souches de logiciels espions nouvellement découvertes surnommées Wyrmspy et DragOnegg par des chercheurs en sécurité.[...]
The Chinese state-backed APT41 hacking group is targeting Android devices with two newly discovered spyware strains dubbed WyrmSpy and DragonEgg by Lookout security researchers. [...] |
APT 41 APT 41 | ★★ | |
|
2023-07-19 20:40:00 | APT41 de Chine \\ lié à Wyrmspy, DragOnegg Mobile Spyware China\\'s APT41 Linked to WyrmSpy, DragonEgg Mobile Spyware (lien direct) |
Les États-nations voient l'opportunité de cibler directement les gens via leurs téléphones mobiles, dans ce cas avec des logiciels de surveillance Android sophistiqués.
Nation-states see the opportunity in targeting people directly through their mobile phones, in this case with sophisticated Android surveillanceware. |
APT 41 APT 41 | ★★ | |
|
2023-07-19 19:36:00 | Les pirates liés à la Chine ciblent les appareils mobiles avec Wyrmspy et DragOnegg Spyware China-linked hackers target mobile devices with WyrmSpy and DragonEgg spyware (lien direct) |
Le tristement célèbre groupe de piratage chinois suivi en tant qu'APT41 a utilisé deux souches de logiciels espions nouvellement identifiées pour infecter les appareils Android, ont déclaré des chercheurs en cybersécurité.APT41, également connu sous le nom de Winnti et Brass Typhoon (anciennement Barium), est un groupe d'espionnage parrainé par l'État qui a été actif pour Plus d'une décennie et est connu pour cibler les organisations gouvernementales pour le renseignement
The infamous Chinese hacking group tracked as APT41 has been using two newly-identified spyware strains to infect Android devices, cybersecurity researchers said. APT41, also known as Winnti and Brass Typhoon (formerly Barium), is a state-sponsored espionage group that has been active for more than a decade and is known for targeting government organizations for intelligence |
APT 41 APT 41 APT-C-17 | ★★ | |
|
2023-07-19 16:00:00 | APT41 chinois lié à Wyrmspy et à DragOnegg Surveillanceware Chinese APT41 Linked to WyrmSpy and DragonEgg Surveillanceware (lien direct) |
Lookout attribué Wyrmspy et DragOnegg vers APT41 en raison de certificats de signature Android qui se chevauchent
Lookout attributed WyrmSpy and DragonEgg to APT41 due to overlapping Android signing certificates |
APT 41 APT 41 | ★★ | |
|
2023-07-19 15:50:00 | Les pirates chinois APT41 ciblent les appareils mobiles avec de nouveaux logiciels espions Wyrmspy et DragOnegg Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware (lien direct) |
L'acteur prolifique lié à l'État-nation connu sous le nom d'APT41 a été lié à deux souches de logiciels spymétriques Android auparavant sans papiers appelés Wyrmspy et DragOnegg.
"Connu pour son exploitation d'applications orientées Web et son infiltration des appareils de point de terminaison traditionnels, un acteur de menace établi comme APT 41, y compris le mobile dans son arsenal de logiciels malveillants, montre comment les points de terminaison mobiles sont à grande valeur
The prolific China-linked nation-state actor known as APT41 has been linked to two previously undocumented strains of Android spyware called WyrmSpy and DragonEgg. "Known for its exploitation of web-facing applications and infiltration of traditional endpoint devices, an established threat actor like APT 41 including mobile in its arsenal of malware shows how mobile endpoints are high-value |
Malware Threat | APT 41 APT 41 | ★★ |
 |
2023-07-19 12:04:07 | Lookout découvre un logiciel de surveillance Android avancé attribué au groupe chinois APT41 (lien direct) | Lookout découvre un logiciel de surveillance Android avancé attribué au groupe chinois APT41 Un groupe de hackers établi comme l'APT41 et se concentrant sur les appareils mobiles montre comment les terminaux mobiles sont des cibles de grande valeur avec des données professionnelles et personnelles convoitées. - Malwares | APT 41 APT 41 | ★★★ | |
|
2023-07-07 02:33:29 | Rapport de tendance des menaces sur les groupes APT & # 8211;Mai 2023 Threat Trend Report on APT Groups – May 2023 (lien direct) |
Les cas de grands groupes APT pour le mai 2023 réunis à partir de documents rendus publics par des sociétés de sécurité et des institutions sont comme commesuit.& # 8211;Agrius & # 8211;Andariel & # 8211;APT28 & # 8211;APT29 & # 8211;APT-C-36 (Blind Eagle) & # 8211;Camaro Dragon & # 8211;CloudWizard & # 8211;Earth Longzhi (APT41) & # 8211;Goldenjackal & # 8211;Kimsuky & # 8211;Lazarus & # 8211;Lancefly & # 8211;Oilalpha & # 8211;Red Eyes (Apt37, Scarcruft) & # 8211;Sidecopy & # 8211;Sidewinder & # 8211;Tribu transparente (APT36) & # 8211;Volt Typhoon (Silhouette de bronze) ATIP_2023_MAY_TRADEAT Rapport sur les groupes APT_20230609
The cases of major APT groups for May 2023 gathered from materials made public by security companies and institutions are as follows. – Agrius – Andariel – APT28 – APT29 – APT-C-36 (Blind Eagle) – Camaro Dragon – CloudWizard – Earth Longzhi (APT41) – GoldenJackal – Kimsuky – Lazarus – Lancefly – OilAlpha – Red Eyes (APT37, ScarCruft) – SideCopy – SideWinder – Transparent Tribe (APT36) – Volt Typhoon (Bronze Silhouette) ATIP_2023_May_Threat Trend Report on APT Groups_20230609 |
Threat Prediction | APT 41 APT 38 APT 37 APT 37 APT 29 APT 29 APT 28 APT 28 APT 36 APT 36 Guam Guam APT-C-17 APT-C-17 GoldenJackal GoldenJackal APT-C-36 | ★★★ |
|
2023-07-06 17:42:00 | Des pirates basés en Iran ciblant les experts en sécurité nucléaire via Mac, Windows Malware Iran-based hackers targeting nuclear security experts through Mac, Windows malware (lien direct) |
Les pirates soutenant le gouvernement de l'Iran ciblent des experts des affaires du Moyen-Orient et de la sécurité nucléaire dans une nouvelle campagne qui, selon les chercheurs, impliquait des logiciels malveillants pour les produits Apple et Microsoft.Les experts en cybersécurité de Proofpoint ont attribué la campagne à un groupe qu'ils appellent TA453 mais est également connu sous le nom de Charming Kitten, Mint Sandstorm ou APT42,
Hackers supporting the government of Iran are targeting experts in Middle Eastern affairs and nuclear security in a new campaign that researchers said involved malware for both Apple and Microsoft products. Cybersecurity experts from Proofpoint attributed the campaign to a group they call TA453 but also is known as Charming Kitten, Mint Sandstorm or APT42, |
Malware | APT 35 APT 42 | ★★★ |
 |
2023-06-13 13:00:00 | CyberheistNews Vol 13 # 24 [Le biais de l'esprit \\] le prétexage dépasse désormais le phishing dans les attaques d'ingénierie sociale CyberheistNews Vol 13 #24 [The Mind\\'s Bias] Pretexting Now Tops Phishing in Social Engineering Attacks (lien direct) |
CyberheistNews Vol 13 #24 | June 13th, 2023
[The Mind\'s Bias] Pretexting Now Tops Phishing in Social Engineering Attacks
The New Verizon DBIR is a treasure trove of data. As we will cover a bit below, Verizon reported that 74% of data breaches Involve the "Human Element," so people are one of the most common factors contributing to successful data breaches. Let\'s drill down a bit more in the social engineering section.
They explained: "Now, who has received an email or a direct message on social media from a friend or family member who desperately needs money? Probably fewer of you. This is social engineering (pretexting specifically) and it takes more skill.
"The most convincing social engineers can get into your head and convince you that someone you love is in danger. They use information they have learned about you and your loved ones to trick you into believing the message is truly from someone you know, and they use this invented scenario to play on your emotions and create a sense of urgency. The DBIR Figure 35 shows that Pretexting is now more prevalent than Phishing in Social Engineering incidents. However, when we look at confirmed breaches, Phishing is still on top."
A social attack known as BEC, or business email compromise, can be quite intricate. In this type of attack, the perpetrator uses existing email communications and information to deceive the recipient into carrying out a seemingly ordinary task, like changing a vendor\'s bank account details. But what makes this attack dangerous is that the new bank account provided belongs to the attacker. As a result, any payments the recipient makes to that account will simply disappear.
BEC Attacks Have Nearly Doubled
It can be difficult to spot these attacks as the attackers do a lot of preparation beforehand. They may create a domain doppelganger that looks almost identical to the real one and modify the signature block to show their own number instead of the legitimate vendor.
Attackers can make many subtle changes to trick their targets, especially if they are receiving many similar legitimate requests. This could be one reason why BEC attacks have nearly doubled across the DBIR entire incident dataset, as shown in Figure 36, and now make up over 50% of incidents in this category.
Financially Motivated External Attackers Double Down on Social Engineering
Timely detection and response is crucial when dealing with social engineering attacks, as well as most other attacks. Figure 38 shows a steady increase in the median cost of BECs since 2018, now averaging around $50,000, emphasizing the significance of quick detection.
However, unlike the times we live in, this section isn\'t all doom and |
Spam Malware Vulnerability Threat Patching | Uber APT 37 ChatGPT ChatGPT APT 43 | ★★ |
|
2023-06-08 09:53:00 | Kimsuky cible les groupes de réflexion et les médias avec des attaques d'ingénierie sociale Kimsuky Targets Think Tanks and News Media with Social Engineering Attacks (lien direct) |
L'acteur de menace nord-coréenne de l'État-nation connu sous le nom de Kimsuky a été lié à une campagne d'ingénierie sociale ciblant les experts des affaires nord-coréennes dans le but de voler des informations d'identification Google et de livrer des logiciels malveillants de reconnaissance.
"De plus, l'objectif de Kimsuky \\ s'étend au vol de titres d'abonnement de NK News", a déclaré la société de cybersécurité Sentineone dans un rapport partagé avec le
The North Korean nation-state threat actor known as Kimsuky has been linked to a social engineering campaign targeting experts in North Korean affairs with the goal of stealing Google credentials and delivering reconnaissance malware. "Further, Kimsuky\'s objective extends to the theft of subscription credentials from NK News," cybersecurity firm SentinelOne said in a report shared with The |
Threat | APT 43 | ★★★ |
|
2023-06-07 16:00:00 | Le groupe nord-coréen APT Kimsuky étend les tactiques d'ingénierie sociale North Korean APT Group Kimsuky Expands Social Engineering Tactics (lien direct) |
Sentinélone a déclaré que la campagne cible spécifiquement des experts des affaires nord-coréennes
SentinelOne said the campaign specifically targets experts in North Korean affairs |
APT 43 | ★★★ | |
|
2023-06-06 19:33:00 | Groupe de piratage nord-coréen Kimsuky ciblant les experts régionaux, les médias North Korean hacking group Kimsuky targeting regional experts, news outlets (lien direct) |
Le groupe de piratage soutenu par le gouvernement nord-coréen Kimsuky vise des experts dans les affaires nord-coréennes et les médias dans le cadre d'une campagne pour recueillir des renseignements - même en recourant à voler des informations sur l'abonnement aux médias signalant des actualités sur les affaires du pays.Les résultats, publié mardi par Sentineone, coïncidant avec une alerte de la National Security Agency
The North Korean government-backed hacking group Kimsuky is targeting experts in North Korean affairs and media as part of a campaign to gather intelligence - even resorting to stealing subscription information for news outlets reporting on the country\'s affairs. The findings, published on Tuesday by SentinelOne, coincide with an alert from the National Security Agency |
APT 43 | ★★ | |
 |
2023-06-05 16:17:19 | Kimuky, le code malveillant made un Corée du Nord (lien direct) | Les États-Unis et la Corée du Sud avertissent sur les méthodes d'espionnage du groupe de piratage nord-coréen Kimsuky, alias Thallium. | APT 37 APT 43 | ★★ | |
|
2023-06-02 16:00:00 | Les agences américaines et coréennes émettent un avertissement sur les cyberattaques nord-coréennes US and Korean Agencies Issue Warning on North Korean Cyber-Attacks (lien direct) |
L'avis identifie plusieurs acteurs: Kimsuky, Thallium, APT43, Velvet Chollima et Black Banshee
The advisory identifies several actors: Kimsuky, Thallium, APT43, Velvet Chollima and Black Banshee |
APT 37 APT 43 APT 43 | ★★★ | |
|
2023-06-02 14:42:00 | Les cyber-espaces de Kimsuky de la Corée du Nord gagnent une alerte de Washington, Séoul North Korea\\'s Kimsuky cyber-spies earn an alert from Washington, Seoul (lien direct) |
Les agences de renseignement des États-Unis et de la Corée du Sud ont émis un avertissement qui décrit les méthodes d'espionnage de Kimsuky, un groupe de piratage nord-coréen nord-coréen qui cible les chars, le monde universitaire et les médias.Selon le consultatif publié jeudi, kimsuky piratesUtilisez des tactiques d'identification, se faisant passer pour des sources fiables pour gagner la confiance de
Intelligence agencies from the U.S. and South Korea have issued a warning that describes the spying methods of Kimsuky, a notorious North Korean nation-state hacking group that targets think tanks, academia and news media. According to the advisory published on Thursday, Kimsuky hackers use impersonation tactics, masquerading as reliable sources to gain the trust of |
APT 43 | ★★ | |
|
2023-06-02 11:15:00 | Le groupe Kimsuky de la Corée du Nord imite les chiffres clés des cyberattaques ciblées North Korea\\'s Kimsuky Group Mimics Key Figures in Targeted Cyber Attacks (lien direct) |
Les agences de renseignement américaines et sud-coréennes ont émis un nouvel avertissement d'alerte des cyber-acteurs nord-coréens \\ '' Utilisation de tactiques d'ingénierie sociale pour frapper les groupes de réflexion, les universités et les secteurs des médias.
Les "efforts soutenus de la collecte d'informations" ont été attribués à un cluster parrainé par l'État surnommé Kimsuky, qui est également connu sous les noms apt43, archipel, Black Banshee, Emerald Sheet (
U.S. and South Korean intelligence agencies have issued a new alert warning of North Korean cyber actors\' use of social engineering tactics to strike think tanks, academia, and news media sectors. The "sustained information gathering efforts" have been attributed to a state-sponsored cluster dubbed Kimsuky, which is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet ( |
APT 43 | ★★ | |
 |
2023-05-09 20:02:00 | Anomali Cyber Watch: l'environnement virtuel personnalisé cache Fluorshe Anomali Cyber Watch: Custom Virtual Environment Hides FluHorse, BabyShark Evolved into ReconShark, Fleckpe-Infected Apps Add Expensive Subscriptions (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Defense evasion, Infostealers, North Korea, Spearphishing, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution
(published: May 5, 2023)
McAfee researchers have detected a multi-stage attack that starts with a trojanized wextract.exe, Windows executable used to extract files from a cabinet (CAB) file. It was used to deliver the AgentTesla, Amadey botnet, LockBit ransomware, Redline Stealer, and other malicious binaries. To avoid detection, the attackers use obfuscation and disable Windows Defender through the registry thus stopping users from turning it back on through the Defender settings.
Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioral analysis defenses and social engineering training. Users should report suspicious files with double extensions such as .EXE.MUI. Indicators associated with this campaign are available in the Anomali platform and users are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] T1555 - Credentials From Password Stores | [MITRE ATT&CK] T1486: Data Encrypted for Impact | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information
Tags: malware:Amadey, malware-type:Botnet, malware:RedLine, malware:AgentTesla, malware-type:Infostealer, malware:LockBit, malware-type:Ransomware, abused:Wextract.exe, file-type:CAB, file-type:EXE, file-type:MUI, target-program:Windows Defender, target-system:Windows
Eastern Asian Android Assault – FluHorse
(published: May 4, 2023)
Active since May 2022, a newly-detected Android stealer dubbed FluHorse spreads mimicking popular apps or as a fake dating application. According to Check Point researchers, FluHorse was targeting East Asia (Taiwan and Vietnam) while remaining undetected for months. This stealthiness is achieved by sticking to minimal functions while also relying on a custom virtual machine that comes with the Flutter user interface software development kit. FluHorse is being distributed via emails that prompt the recipient to install the app and once installed, it asks for the user’s credit card or banking data. If a second factor authentication is needed to commit banking fraud, FluHorse tells the user to wait for 10-15 minutes while intercepting codes by installing a listener for all incoming SMS messages.
Analyst Comment: FluHorse\'s ability to remain undetected for months makes it a dangerous threat. Users should avoid installing applications following download links received via email or other messaging. Verify the app authenticity on the official com |
Malware Tool Threat | APT 37 APT 43 | ★★★ |
|
2023-05-05 16:00:00 | L'APT nord-coréen Kimsuky lance la campagne mondiale de phisces de lance North Korean APT Kimsuky Launches Global Spear-Phishing Campaign (lien direct) |
Renshark est envoyé par e-mail contenant des liens OneDrive menant à des documents avec des macros malveillants
ReconShark is sent via emails containing OneDrive links leading to documents with malicious macros |
APT 43 | ★★ | |
|
2023-05-05 15:49:00 | N. Corée des pirates de Kimsuky utilisant un nouvel outil Recon Reonshark dans les dernières cyberattaques N. Korean Kimsuky Hackers Using New Recon Tool ReconShark in Latest Cyberattacks (lien direct) |
L'acteur de menace nord-coréen parrainé par l'État connu sous le nom de Kimsuky a été découvert à l'aide d'un nouvel outil de reconnaissance appelé Reonshark dans le cadre d'une campagne mondiale en cours.
"[Reonshark] est activement livré à des individus spécifiquement ciblés par le biais de courriels de lance-phishing, des liens OneDrive menant à des téléchargements de documents et à l'exécution de macros malveillants", cherche aux chercheurs de Sentinélone Tom Hegel
The North Korean state-sponsored threat actor known as Kimsuky has been discovered using a new reconnaissance tool called ReconShark as part of an ongoing global campaign. "[ReconShark] is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros," SentinelOne researchers Tom Hegel |
Tool Threat | APT 43 | ★★★ |
|
2023-05-03 18:57:00 | Groupe de pirates chinois Earth Longzhi refait surface avec des tactiques de logiciels malveillants avancés Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics (lien direct) |
Une tenue de piratage chinoise parrainée par l'État a refait surface avec une nouvelle campagne ciblant le gouvernement, les soins de santé, la technologie et les entités manufacturières basées à Taïwan, en Thaïlande, aux Philippines et aux Fidji après plus de six mois sans activité.
Trend Micro a attribué l'ensemble d'intrusion à un groupe de cyber-espionnage qu'il suit sous le nom de Terre Longzhi, qui est un sous-groupe au sein de l'APT41 (alias Hoodoo
A Chinese state-sponsored hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after more than six months of no activity. Trend Micro attributed the intrusion set to a cyber espionage group it tracks under the name Earth Longzhi, which is a subgroup within APT41 (aka HOODOO |
Malware | APT 41 | ★★ |
 |
2023-05-03 10:46:02 | Chinois Apt utilise la nouvelle technique \\ 'Stack Rubling \\' pour désactiver les logiciels de sécurité Chinese APT Uses New \\'Stack Rumbling\\' Technique to Disable Security Software (lien direct) |
Un sous-groupe du groupe de pirates lié à la Chine APT41 utilise une nouvelle technique \\ 'stack grond \' DOS pour désactiver les logiciels de sécurité.
A subgroup of China-linked hacker group APT41 is using a new \'stack rumbling\' DoS technique to disable security software. |
APT 41 | ★★ | |
|
2023-05-02 21:58:00 | Sous-groupes APT41 laboure à travers l'Asie-Pacifique, en utilisant des tactiques furtives en couches APT41 Subgroup Plows Through Asia-Pacific, Utilizing Layered Stealth Tactics (lien direct) |
L'APT chinois notoire propage la cyber-malveillance autour de l'Asie du Sud-Est, et ses prochaines cibles sont déjà en vue.
The notorious Chinese APT is spreading cyber maliciousness around Southeast Asia, and its next targets are already in sight. |
APT 41 APT 41 | ★★ | |
 |
2023-05-02 00:00:00 | Attaque contre les titans de sécurité: la Terre Longzhi revient avec de nouvelles astuces Attack on Security Titans: Earth Longzhi Returns With New Tricks (lien direct) |
Après des mois de dormance, la Terre Longzhi, un sous-groupe de groupe avancé de menace persistante (APT), APT41, a réapparu avec de nouvelles techniques dans sa routine d'infection.Cette entrée de blog préfère les lecteurs de la résilience de la Terre Longzhi \\ comme une menace remarquable.
After months of dormancy, Earth Longzhi, a subgroup of advanced persistent threat (APT) group APT41, has reemerged using new techniques in its infection routine. This blog entry forewarns readers of Earth Longzhi\'s resilience as a noteworthy threat. |
Threat | APT 41 | ★★ |
 |
2023-05-01 11:32:18 | Réaction en chaîne: le lien manquant de Rokrat \\ Chain Reaction: ROKRAT\\'s Missing Link (lien direct) |
> Introduction des principales conclusions des nombreux rapports sur APT37 Au cours des derniers mois, à l'annonce de Mandiant \\ sur & # 160; APT43, beaucoup d'attention est actuellement axée sur les acteurs des menaces nord-coréennes & # 8211;Et pour raison.La Corée du Nord a une longue histoire d'attaque de son voisin du sud, en particulier par la cyber-guerre qui se poursuit aujourd'hui.Dans ce [& # 8230;]
>Key findings Introduction From the many reports on APT37 in recent months, to Mandiant\'s announcement on APT43, a lot of attention is currently focused on North Korean threat actors – and with good reason. North Korea has a long history of attacking its southern neighbor, especially by means of cyber warfare which continues today. In this […] |
Threat | APT 37 APT 43 | ★★ |
|
2023-04-30 16:51:00 | Iran apt utilisant \\ 'Bellaciao \\' malware contre les cibles aux États-Unis, en Europe et en Asie Iran APT using \\'BellaCiao\\' malware against targets in US, Europe and Asia (lien direct) |
Un groupe de piratage parrainé par l'État iranien a été accusé d'avoir déployé une nouvelle souche de logiciels malveillants nommé Bellaciao contre plusieurs victimes aux États-Unis, en Europe, en Inde, en Turquie et dans d'autres pays.Des chercheurs de la société de cybersécurité Bitdefender [attribuée] (https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciaooo-a-closer-look-at-irans-latest-malware/) le maline à APT35 / APT42 & #8211;également connu sous le nom de Mint Sandstorm ou Charming Kitten & # 8211;un groupe de menaces persistantes avancé qui
An Iranian state-sponsored hacking group has been accused of deploying a new strain of malware named BellaCiao against several victims in the U.S., Europe, India, Turkey and other countries. Researchers from cybersecurity firm Bitdefender [attributed](https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/) the malware to APT35/APT42 – also known as Mint Sandstorm or Charming Kitten – an advanced persistent threat group that |
Malware Threat | APT 35 APT 42 | ★★★ |
To see everything:
Our RSS (filtrered)
