What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-05-02 21:58:00 | Sous-groupes APT41 laboure à travers l'Asie-Pacifique, en utilisant des tactiques furtives en couches APT41 Subgroup Plows Through Asia-Pacific, Utilizing Layered Stealth Tactics (lien direct) |
L'APT chinois notoire propage la cyber-malveillance autour de l'Asie du Sud-Est, et ses prochaines cibles sont déjà en vue.
The notorious Chinese APT is spreading cyber maliciousness around Southeast Asia, and its next targets are already in sight. |
APT 41 APT 41 | ★★ | |
 |
2023-05-02 00:00:00 | Attaque contre les titans de sécurité: la Terre Longzhi revient avec de nouvelles astuces Attack on Security Titans: Earth Longzhi Returns With New Tricks (lien direct) |
Après des mois de dormance, la Terre Longzhi, un sous-groupe de groupe avancé de menace persistante (APT), APT41, a réapparu avec de nouvelles techniques dans sa routine d'infection.Cette entrée de blog préfère les lecteurs de la résilience de la Terre Longzhi \\ comme une menace remarquable.
After months of dormancy, Earth Longzhi, a subgroup of advanced persistent threat (APT) group APT41, has reemerged using new techniques in its infection routine. This blog entry forewarns readers of Earth Longzhi\'s resilience as a noteworthy threat. |
Threat | APT 41 | ★★ |
 |
2023-05-01 11:32:18 | Réaction en chaîne: le lien manquant de Rokrat \\ Chain Reaction: ROKRAT\\'s Missing Link (lien direct) |
> Introduction des principales conclusions des nombreux rapports sur APT37 Au cours des derniers mois, à l'annonce de Mandiant \\ sur & # 160; APT43, beaucoup d'attention est actuellement axée sur les acteurs des menaces nord-coréennes & # 8211;Et pour raison.La Corée du Nord a une longue histoire d'attaque de son voisin du sud, en particulier par la cyber-guerre qui se poursuit aujourd'hui.Dans ce [& # 8230;]
>Key findings Introduction From the many reports on APT37 in recent months, to Mandiant\'s announcement on APT43, a lot of attention is currently focused on North Korean threat actors – and with good reason. North Korea has a long history of attacking its southern neighbor, especially by means of cyber warfare which continues today. In this […] |
Threat | APT 37 APT 43 | ★★ |
 |
2023-04-30 16:51:00 | Iran apt utilisant \\ 'Bellaciao \\' malware contre les cibles aux États-Unis, en Europe et en Asie Iran APT using \\'BellaCiao\\' malware against targets in US, Europe and Asia (lien direct) |
Un groupe de piratage parrainé par l'État iranien a été accusé d'avoir déployé une nouvelle souche de logiciels malveillants nommé Bellaciao contre plusieurs victimes aux États-Unis, en Europe, en Inde, en Turquie et dans d'autres pays.Des chercheurs de la société de cybersécurité Bitdefender [attribuée] (https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciaooo-a-closer-look-at-irans-latest-malware/) le maline à APT35 / APT42 & #8211;également connu sous le nom de Mint Sandstorm ou Charming Kitten & # 8211;un groupe de menaces persistantes avancé qui
An Iranian state-sponsored hacking group has been accused of deploying a new strain of malware named BellaCiao against several victims in the U.S., Europe, India, Turkey and other countries. Researchers from cybersecurity firm Bitdefender [attributed](https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/) the malware to APT35/APT42 – also known as Mint Sandstorm or Charming Kitten – an advanced persistent threat group that |
Malware Threat | APT 35 APT 42 | ★★★ |
 |
2023-04-25 18:22:00 | Anomali Cyber Watch: Deux attaques de la chaîne d'approvisionnement enchaînées, leurre de communication DNS furtive de chien, Evilextractor exfiltrates sur le serveur FTP Anomali Cyber Watch: Two Supply-Chain Attacks Chained Together, Decoy Dog Stealthy DNS Communication, EvilExtractor Exfiltrates to FTP Server (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptomining, Infostealers, Malvertising, North Korea, Phishing, Ransomware, and Supply-chain attacks. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters
(published: April 21, 2023)
A new Monero cryptocurrency-mining campaign is the first recorded case of gaining persistence via Kubernetes (K8s) Role-Based Access Control (RBAC), according to Aquasec researchers. The recorded honeypot attack started with exploiting a misconfigured API server. The attackers preceded by gathering information about the cluster, checking if their cluster was already deployed, and deleting some existing deployments. They used RBAC to gain persistence by creating a new ClusterRole and a new ClusterRole binding. The attackers then created a DaemonSet to use a single API request to target all nodes for deployment. The deployed malicious image from the public registry Docker Hub was named to impersonate a legitimate account and a popular legitimate image. It has been pulled 14,399 times and 60 exposed K8s clusters have been found with signs of exploitation by this campaign.
Analyst Comment: Your company should have protocols in place to ensure that all cluster management and cloud storage systems are properly configured and patched. K8s buckets are too often misconfigured and threat actors realize there is potential for malicious activity. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from highly-active threat groups.
MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1496 - Resource Hijacking | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1489 - Service Stop
Tags: Monero, malware-type:Cryptominer, detection:PUA.Linux.XMRMiner, file-type:ELF, abused:Docker Hub, technique:RBAC Buster, technique:Create ClusterRoleBinding, technique:Deploy DaemonSet, target-system:Linux, target:K8s, target:Kubernetes RBAC
3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible
(published: April 20, 2023)
Investigation of the previously-reported 3CX supply chain compromise (March 2023) allowed Mandiant researchers to detect it was a result of prior software supply chain attack using a trojanized installer for X_TRADER, a software package provided by Trading Technologies. The attack involved the publicly-available tool SigFlip decrypting RC4 stream-cipher and starting publicly-available DaveShell shellcode for reflective loading. It led to installation of the custom, modular VeiledSignal backdoor. VeiledSignal additional modules inject the C2 module in a browser process instance, create a Windows named pipe and |
Ransomware Spam Malware Tool Threat Cloud | Uber APT 38 ChatGPT APT 43 | ★★ |
|
2023-04-18 17:58:00 | APT41 Taps Google Red Teaming Tool dans les attaques de vol d'informations ciblées APT41 Taps Google Red Teaming Tool in Targeted Info-Stealing Attacks (lien direct) |
Le groupe APT41 lié à la Chine a ciblé une organisation médiatique taïwanaise et une agence d'emploi italienne avec des outils de test de pénétration standard et open source, dans un changement de stratégie.
China-linked APT41 group targeted a Taiwanese media organization and an Italian job agency with standard, open source penetration test tools, in a change in strategy. |
Tool | APT 41 APT 41 | ★★★ |
 |
2023-04-17 17:16:00 | Google découvre l'utilisation par APT41 \\ de l'outil GC2 open source pour cibler les médias et les sites d'emploi Google Uncovers APT41\\'s Use of Open Source GC2 Tool to Target Media and Job Sites (lien direct) |
Un groupe chinois de l'État-nation a ciblé une organisation médiatique taïwanaise anonyme pour fournir un outil d'association rouge open source connu sous le nom de Google Command and Control (GC2) au milieu d'une abus plus large de l'infrastructure de Google \\ pour les fins malveillantes.
Le groupe d'analyse des menaces du géant de la technologie (TAG) a attribué la campagne à un acteur de menace qu'il suit en vertu du hoodoo de surnom géologique et géographique, qui est
A Chinese nation-state group targeted an unnamed Taiwanese media organization to deliver an open source red teaming tool known as Google Command and Control (GC2) amid broader abuse of Google\'s infrastructure for malicious ends. The tech giant\'s Threat Analysis Group (TAG) attributed the campaign to a threat actor it tracks under the geological and geographical-themed moniker HOODOO, which is |
Tool Threat | APT 41 APT 41 | ★★★ |
|
2023-04-05 17:49:00 | Google Tag met en garde contre les cyberattaques archipelles liées à la coréenne nord-coréenne Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks (lien direct) |
Un acteur de menace soutenu par le gouvernement nord-coréen a été lié à des attaques ciblant le gouvernement et le personnel militaire, les groupes de réflexion, les décideurs politiques, les universitaires et les chercheurs en Corée du Sud et aux États-Unis.
Le groupe d'analyse des menaces de Google (TAG) suit le cluster sous le nom Archipelago, qui, selon lui, est un sous-ensemble d'un autre groupe de menaces suivi par Mandiant sous le nom d'APT43.
Le géant de la technologie
A North Korean government-backed threat actor has been linked to attacks targeting government and military personnel, think tanks, policy makers, academics, and researchers in South Korea and the U.S. Google\'s Threat Analysis Group (TAG) is tracking the cluster under the name ARCHIPELAGO, which it said is a subset of another threat group tracked by Mandiant under the name APT43. The tech giant |
Threat | APT 43 | ★★ |
|
2023-04-05 12:00:00 | Les pirates se sont présentés comme des journalistes dans des attaques contre des experts en Corée du Nord, dit Google Hackers posed as reporters in attacks on North Korea experts, Google says (lien direct) |
Les pirates soutenus par le gouvernement seraient liés à l'armée nord-coréenne ciblée des personnes ayant une expertise en matière de questions politiques de Corée du Nord en se faisant passer pour des journalistes, selon un nouveau rapport.Des chercheurs du groupe d'analyse des menaces de Google (TAG) ont publié mercredi le rapport comme un suivi de One [publié la semaine dernière] (https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage) par la société de cybersécurité Mandiant - qui appartient à
Government-backed hackers allegedly connected to the North Korean military targeted people with expertise in North Korea policy issues by posing as journalists, according to a new report. Researchers from Google\'s Threat Analysis Group (TAG) released the report Wednesday as a follow-up to one [published last week](https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage) by cybersecurity firm Mandiant - which is owned by |
Threat | APT 43 | ★★★★ |
 |
2023-04-04 13:00:00 | CyberheistNews Vol 13 # 14 [Eyes sur le prix] Comment les inconvénients croissants ont tenté un courteur par e-mail de 36 millions de vendeurs CyberheistNews Vol 13 #14 [Eyes on the Prize] How Crafty Cons Attempted a 36 Million Vendor Email Heist (lien direct) |
CyberheistNews Vol 13 #14 | April 4th, 2023
[Eyes on the Prize] How Crafty Cons Attempted a 36 Million Vendor Email Heist
The details in this thwarted VEC attack demonstrate how the use of just a few key details can both establish credibility and indicate the entire thing is a scam.
It\'s not every day you hear about a purely social engineering-based scam taking place that is looking to run away with tens of millions of dollars. But, according to security researchers at Abnormal Security, cybercriminals are becoming brazen and are taking their shots at very large prizes.
This attack begins with a case of VEC – where a domain is impersonated. In the case of this attack, the impersonated vendor\'s domain (which had a .com top level domain) was replaced with a matching .cam domain (.cam domains are supposedly used for photography enthusiasts, but there\'s the now-obvious problem with it looking very much like .com to the cursory glance).
The email attaches a legitimate-looking payoff letter complete with loan details. According to Abnormal Security, nearly every aspect of the request looked legitimate. The telltale signs primarily revolved around the use of the lookalike domain, but there were other grammatical mistakes (that can easily be addressed by using an online grammar service or ChatGPT).
This attack was identified well before it caused any damage, but the social engineering tactics leveraged were nearly enough to make this attack successful. Security solutions will help stop most attacks, but for those that make it past scanners, your users need to play a role in spotting and stopping BEC, VEC and phishing attacks themselves – something taught through security awareness training combined with frequent simulated phishing and other social engineering tests.
Blog post with screenshots and links:https://blog.knowbe4.com/36-mil-vendor-email-compromise-attack
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, April 5, @ 2:00 PM (ET), for a live demo of how KnowBe4 i |
Ransomware Malware Hack Threat | ChatGPT ChatGPT APT 43 | ★★ |
 |
2023-03-30 04:40:47 | Une autre année, un autre gang nord-coréen dépassant les logiciels malveillants et crypto-vole nommé [Another year, another North Korean malware-spreading, crypto-stealing gang named] (lien direct) | mandiant identifie \\ 'modérément sophistiqué \' mais \\ 'prolifique \' apt43 comme la menace mondiale la tenue de sécurité récemment acquise de Google Cloud \\ a nommé un nouveau méchant de NorthCorée: un gang de cybercriminalité, il appelle APT43 et accuse un déchaînement de cinq ans.…
Mandiant identifies \'moderately sophisticated\' but \'prolific\' APT43 as global menace Google Cloud\'s recently acquired security outfit Mandiant has named a new nasty from North Korea: a cyber crime gang it calls APT43 and accuses of a five-year rampage.… |
Studies Prediction | APT 43 | ★★ |
|
2023-03-29 11:02:00 | Le groupe nord-coréen APT43 utilise la cybercriminalité pour financer les opérations d'espionnage [North Korean APT43 Group Uses Cybercrime to Fund Espionage Operations] (lien direct) | Un nouveau cyber-opérateur nord-coréen national a été attribué à une série de campagnes orchestrées pour rassembler des renseignements stratégiques qui s'alignent sur les intérêts géopolitiques de Pyongyang \\ depuis 2018.
Mandiant appartenant à Google, qui suit le cluster d'activités sous le surnom APT43, a déclaré que les motifs du groupe sont à la fois des techniques d'espionnage et financièrement motivées comme des informations d'identification
A new North Korean nation-state cyber operator has been attributed to a series of campaigns orchestrated to gather strategic intelligence that aligns with Pyongyang\'s geopolitical interests since 2018. Google-owned Mandiant, which is tracking the activity cluster under the moniker APT43, said the group\'s motives are both espionage- and financially-motivated, leveraging techniques like credential |
APT 43 | ★★ | |
 |
2023-03-29 08:30:00 | Les experts mettent en garde contre le groupe nord-coréen auto-financé APT43 [Experts Warn of Self-Funding North Korean Group APT43] (lien direct) | Mandiant dit que l'unité est axée sur l'espionnage et le vol cryptographique
Mandiant says unit is focused on espionage and crypto theft |
APT 43 | ★★ | |
 |
2023-03-28 21:57:06 | Mandiant attrape un autre groupe de pirates gouvernementaux nord-coréens [Mandiant Catches Another North Korean Gov Hacker Group] (lien direct) | > Mandiant Flags APT43 comme un «cyber opérateur modérément sophistiqué qui soutient les intérêts du régime nord-coréen». "
>Mandiant flags APT43 as a “moderately-sophisticated cyber operator that supports the interests of the North Korean regime." |
APT 43 | ★★ | |
|
2023-03-28 21:28:00 | Anomali Cyber Watch: Takeover comptable, APT, Banking Trojans, Chine, Cyberespionage, Inde, Malspam, Corée du Nord, Phishing, Skimmers, Ukraine et Vulnérabilités [Anomali Cyber Watch: Account takeover, APT, Banking trojans, China, Cyberespionage, India, Malspam, North Korea, Phishing, Skimmers, Ukraine, and Vulnerabilities] (lien direct) | Aucun Sélectionné Sauter vers le contenu à l'aide d'Anomali Inc Mail avec les lecteurs d'écran Yury 1 sur 52 ACW CONSEIL POLOZOV ACCORDS MAR 27 MAR, 2023, 10: 11 & # 8239; AM (1 jour) pour moi, marketing, recherche Cher Jarom etMarketing, ACW est prêt https://ui.thereatstream.com/tip/6397663 - Yury Polozov |Analyste de renseignement sur la menace de Sr. |ATR |www.anomali.com Téléphone: + 1-347-276-5554 3 pièces jointes et taureau;Scanné par gmail
& nbsp;
Anomali Cyber Watch: Spies amer sur l'énergie nucléaire chinoise, Kimsuky prend le contrôle de Google pour infecter les appareils Android connectés, les mauvaises cibles magiques occupées des parties de l'Ukraine, et plus encore.
Les diverses histoires de l'intelligence des menaces dans cette itération de l'anomali cyber watch discutent des sujets suivants: Takeover, APT, Banking Trojans, China, Cyberspionage, Inde, Malspam, North Corée, Phishing, Skimmers, Ukraine, et vulnérabilités .Les CIO liés à ces histoires sont attachés à Anomali Cyber Watch et peuvent être utilisés pour vérifier vos journaux pour une activité malveillante potentielle.
Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées.
Cyber News et Intelligence des menaces
campagne de phishingCible l'industrie chinoise de l'énergie nucléaire
(Publié: 24 mars 2023)
Actif Depuis 2013, le groupe amer (T-APT-17) est soupçonné d'être parrainé par le gouvernement indien.Des chercheurs Intezer ont découvert une nouvelle campagne amère ciblant les universitaires, le gouvernement et d'autres organisations de l'industrie de l'énergie nucléaire en Chine.Les techniques sont cohérentes avec les campagnes amères observées précédemment.L'intrusion commence par un e-mail de phishing censé provenir d'un véritable employé de l'ambassade du Kirghizistan.Les pièces jointes malveillantes observées étaient soit des fichiers HTML (CHM) compilés à Microsoft, soit des fichiers Microsoft Excel avec des exploits d'éditeur d'équation.L'objectif des charges utiles est de créer de la persistance via des tâches planifiées et de télécharger d'autres charges utiles de logiciels malveillants (les campagnes amères précédentes ont utilisé le voleur d'identification du navigateur, le voleur de fichiers, le keylogger et les plugins d'outils d'accès à distance).Les attaquants se sont appuyés sur la compression LZX et la concaténation des cordes pour l'évasion de détection.
Commentaire de l'analyste: De nombreuses attaques avancées commencent par des techniques de base telles que des e-mails injustifiés avec une pièce jointe qui oblige l'utilisateur à l'ouvrir.Il est important d'enseigner l'hygiène de base en ligne à vos utilisateurs et la sensibilisation au phishing.Il est sûr de recommander de ne jamais ouvrir de fichiers CHM joints et de garder votre bureau MS Office entièrement mis à jour.Tous les indicateurs connus associés à cette campagne amère sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure.
mitre att & amp; ck: [mitre att & amp; ck] t1589.002 - rassembler l'identité des victimesInformations: Adresses e-mail | [mitre att & amp; ck] t1566.001 -Phishing: attachement de espionnage | [mitre at |
Malware Tool Threat Cloud | APT 37 APT 43 | ★★ |
|
2023-03-28 17:05:00 | Kimsuky de la Corée du Nord évolue en APT à part entière et prolifique [North Korea\\'s Kimsuky Evolves into Full-Fledged, Prolific APT] (lien direct) | Dans les cyberattaques contre les États-Unis, la Corée du Sud et le Japon, le groupe (alias APT43 ou Thallium) utilise des tactiques avancées d'ingénierie sociale et de cryptomiminage qui le distinguent des autres acteurs de la menace.
In cyberattacks against the US, South Korea, and Japan, the group (aka APT43 or Thallium) is using advanced social engineering and cryptomining tactics that set it apart from other threat actors. |
Threat Cloud | APT 37 APT 43 | ★★★★ |
 |
2023-03-28 15:08:13 | Les pirates nord-coréens se tournent vers \\ 'Cloud Mining \\' pour la crypto pour éviter l'examen de l'application des lois [North Korean hackers turn to \\'cloud mining\\' for crypto to avoid law enforcement scrutiny] (lien direct) | Les chercheurs de Mandiant ont identifié un nouveau groupe de piratage connu sous le nom d'APT 43 qui utilise le bitcoin volé pour financer les opérations de cyberespionnage.
Researchers at Mandiant identified a new hacking group knowns as APT 43 that uses stolen bitcoin to fund cyberespionage operations. |
Threat | APT 43 | ★★ |
 |
2023-03-28 15:03:38 | APT43 : Un groupe nord-coréen utilise la cybercriminalité pour financer des opérations d\'espionnage (lien direct) | L'APT43 est un cyber-opérateur très actif qui soutient les intérêts du régime nord-coréen. Le groupe combine des compétences techniques modérément sophistiquées avec des tactiques agressives d'ingénierie sociale, en particulier contre des organisations gouvernementales, des universitaires et des groupes de réflexion basés en Corée du Sud et aux États-Unis qui s'intéressent aux questions géopolitiques de la péninsule coréenne. - Malwares | General Information | APT 43 | ★★★ |
 |
2023-03-28 10:00:00 | APT43: le groupe nord-coréen utilise la cybercriminalité pour financer les opérations d'espionnage APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations (lien direct) |
 Aujourd'hui, nous publions un rapport sur |
Threat | APT 43 APT 43 | ★★★★ |
|
2023-03-14 17:32:00 | Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam (lien direct) |
Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam, and More.
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, DLL side-loading, Iran, Linux, Malvertising, Mobile, Pakistan, Ransomware, and Windows. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Xenomorph V3: a New Variant with ATS Targeting More Than 400 Institutions
(published: March 10, 2023)
Newer versions of the Xenomorph Android banking trojan are able to target 400 applications: cryptocurrency wallets and mobile banking from around the World with the top targeted countries being Spain, Turkey, Poland, USA, and Australia (in that order). Since February 2022, several small, testing Xenomorph campaigns have been detected. Its current version Xenomorph v3 (Xenomorph.C) is available on the Malware-as-a-Service model. This trojan version was delivered using the Zombinder binding service to bind it to a legitimate currency converter. Xenomorph v3 automatically collects and exfiltrates credentials using the ATS (Automated Transfer Systems) framework. The command-and-control traffic is blended in by abusing Discord Content Delivery Network.
Analyst Comment: Fraud chain automation makes Xenomorph v3 a dangerous malware that might significantly increase its prevalence on the threat landscape. Users should keep their mobile devices updated and avail of mobile antivirus and VPN protection services. Install only applications that you actually need, use the official store and check the app description and reviews. Organizations that publish applications for their customers are invited to use Anomali's Premium Digital Risk Protection service to discover rogue, malicious apps impersonating your brand that security teams typically do not search or monitor.
MITRE ATT&CK: [MITRE ATT&CK] T1417.001 - Input Capture: Keylogging | [MITRE ATT&CK] T1417.002 - Input Capture: Gui Input Capture
Tags: malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility services, Overlay attack, Discord CDN, Cryptocurrency wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android
Cobalt Illusion Masquerades as Atlantic Council Employee
(published: March 9, 2023)
A new campaign by Iran-sponsored Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorous) was detected targeting Mahsa Amini protests and researchers who document the suppression of women and minority groups i |
Ransomware Malware Tool Vulnerability Threat Guideline Conference | APT 35 ChatGPT ChatGPT APT 36 APT 42 | ★★ |
|
2023-02-28 16:10:00 | China\'s BlackFly Targets Materials Sector in \'Relentless\' Quest for IP (lien direct) | Separate attacks on two subsidiaries of an Asian conglomerate reflect a surge of cyber-espionage activity in the region in the last 12 months. | APT 41 | ★★★ | |
|
2023-01-26 00:01:00 | British cyber agency issues warning over Russian and Iranian espionage campaigns (lien direct) |  Two separate but similar espionage campaigns from Russian and Iranian-linked groups have prompted a warning from Britain's National Cyber Security Centre. In a document published on Thursday local time the NCSC warned how instead of sending surprise phishing emails, the hacking groups – identified as “Russia-based” SEABORGIUM and “Iran-based” APT42, or Charming Kitten – are [… |
Conference | APT 35 APT 42 | ★★ |
|
2022-12-14 10:20:58 | Iranian-state-aligned threat actor targets new victims in cyberespionage and kinetic campaigns – Proofpoint research (lien direct) | Iranian-state-aligned threat actor targets new victims in cyberespionage and kinetic campaigns – Proofpoint research Cybersecurity researchers at Proofpoint have released new threat intelligence into Iranian state-aligned threat actor TA453 (AKA Charming Kitten, PHOSPHORUS, APT42), showing how the group has deviated from its traditional phishing techniques and is targeting new victims. - Malware Update | Threat Conference | APT 35 APT 42 | ★★ |
 |
2022-11-15 08:46:34 | Previously undetected Earth Longzhi APT group is a subgroup of APT41 (lien direct) | >Trend Micro reported that the Earth Longzhi group, a previously undocumented subgroup of APT41, targets Ukraine and Asian Countries. Early this year, Trend Micro investigated a security breach suffered by a company in Taiwan. Threat actors employed a custom Cobalt Strike loader in the attack. Further analysis, revealed that the same threat actor targeted multiple regions […] | Threat Guideline | APT 41 | ★★★★ |
|
2022-11-14 18:33:00 | New "Earth Longzhi" APT Targets Ukraine and Asian Countries with Custom Cobalt Strike Loaders (lien direct) | Entities located in East and Southeast Asia as well as Ukraine have been targeted at least since 2020 by a previously undocumented subgroup of APT41, a prolific Chinese advanced persistent threat (APT). Cybersecurity firm Trend Micro, which christened the espionage crew Earth Longzhi, said the actor's long-running campaign can be split into two based on the toolset deployed to attack its victims | Threat Guideline | APT 41 | ★★ |
 |
2022-11-09 00:00:00 | Hack the Real Box: APT41\'s New Subgroup Earth Longzhi (lien direct) | We looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41, Earth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON PEACE 2022 in August. | Threat Guideline | APT 41 | |
|
2022-11-01 15:00:00 | Anomali Cyber Watch: Active Probing Revealed ShadowPad C2s, Fodcha Hides Behind Obscure TLDs, Awaiting OpenSSL 3.0 Patch, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, DDoS, OpenSSL, Ransomware, Russia, Spyware, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Threat Analysis: Active C2 Discovery Using Protocol Emulation Part3 (ShadowPad)
(published: October 27, 2022)
ShadowPad is a custom, modular malware in use by multiple China-sponsored groups since 2015. VMware researchers analyzed the command-and-control (C2) protocol in recent ShadowPad samples. They uncovered decoding routines and protocol/port combinations such as HTTP/80, HTTP/443, TCP/443, UDP/53, and UDP/443. Active probing revealed 83 likely ShadowPad C2 servers (during September 2021 to September 2022). Additional samples communicating with this infrastructure included Spyder (used by APT41) and ReverseWindow (used by the LuoYu group).
Analyst Comment: Researchers can use reverse engineering and active probing to map malicious C2 infrastructure. At the same time, the ShadowPad malware changes the immediate values used in the packet encoding per variant, so finding new samples is crucial for this monitoring.
MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Ingress Tool Transfer - T1105
Tags: detection:ShadowPad, C2, APT, China, source-country:CN, actor:APT41, actor:LuoYu, detection:Spyder, detection:ReverseWindow, TCP, HTTP, HTTPS, UDP
Raspberry Robin Worm Part of Larger Ecosystem Facilitating Pre-Ransomware Activity
(published: October 27, 2022)
The Raspberry Robin USB-drive-targeting worm is an increasingly popular infection and delivery method. Raspberry Robin works as a three-file infection: Raspberry Robin LNK file on an USB drive, Raspberry Robin DLL (aka Roshtyak) backdoor, and a heavily-obfuscated .NET DLL that writes LNKs to USB drives. Microsoft researchers analyzed several infection chains likely centered around threat group EvilCorp (aka DEV-0206/DEV-0243). Besides being the initial infection vector, Raspberry Robin was seen delivered by the Fauppod malware, which shares certain code similarities both with Raspberry Robin and with EvilCorp’s Dridex malware. Fauppod/Raspberry Robin infections were followed by additional malware (Bumblebee, Cobalt Strike, IcedID, TrueBot), and eventually led to a ransomware infection (LockBit, Clop).
Analyst Comment: Organizations are advised against enabling Autorun of removable media on Windows by default, as it allows automated activation of an inserted, Raspberry Robin-infected USB drive. Apply best practices related to credential hygiene, network segmentation, and attack surface reduction.
MITRE ATT&CK: [MITRE ATT&CK] Replicat |
Ransomware Malware Hack Tool Vulnerability Threat Guideline | APT 41 | |
|
2022-10-26 09:00:00 | Pro-PRC Dragonbridge Influencer la campagne La campagne exploite de nouveaux TTP pour cibler agressivement les intérêts américains, y compris les élections à mi-parcours Pro-PRC DRAGONBRIDGE Influence Campaign Leverages New TTPs to Aggressively Target U.S. Interests, Including Midterm Elections (lien direct) |
Mandiant a récemment observé Dragonbridge, un InfluencerCampagne Nous évaluons avec une grande confiance pour fonctionner à l'appui des intérêts politiques de la République de Chine du peuple, ciblant agressivement les États-Unis parCherchant à semer la division entre les États-Unis et ses alliés et au sein du système politique américain lui-même.Les récits récents incluent:
affirme que le China-Nexus Threat Group apt41 est plutôt un acteur soutenu par le gouvernement américain.
Tentatives agressives de discréditer le processus démocratique américain, y compris les tentatives de décourager les Américains de voter aux États-Unis
Mandiant has recently observed DRAGONBRIDGE, an influence campaign we assess with high confidence to be operating in support of the political interests of the People\'s Republic of China (PRC), aggressively targeting the United States by seeking to sow division both between the U.S. and its allies and within the U.S. political system itself. Recent narratives include: Claims that the China-nexus threat group APT41 is instead a U.S. government-backed actor. Aggressive attempts to discredit the U.S. democratic process, including attempts to discourage Americans from voting in the 2022 U.S |
Threat | APT 41 | ★★★ |
|
2022-10-18 15:41:00 | Chinese \'Spyder Loader\' Malware Spotted Targeting Organizations in Hong Kong (lien direct) | The China-aligned espionage-focused actor dubbed Winnti has set its sights on government organizations in Hong Kong as part of an ongoing campaign dubbed Operation CuckooBees. Active since at least 2007, Winnti (aka APT41, Barium, Bronze Atlas, and Wicked Panda) is the name designated to a prolific cyber threat group that carries out Chinese state-sponsored espionage activity, predominantly | Malware Threat Guideline | APT 41 | |
|
2022-10-18 14:15:09 | China-linked APT41 group targets Hong Kong with Spyder Loader (lien direct) | >China-linked threat actors APT41 (a.k.a. Winnti) targeted organizations in Hong Kong, in some cases remaining undetected for a year. Symantec researchers reported that cyberespionage group APT41 targeted organizations in Hong Kong in a campaign that is a likely continuation of the Operation CuckooBees activity detailed by Cybereason in May. Winnti (aka APT41, Axiom, Barium, Blackfly) is a cyberespionage […] | Threat Guideline | APT 41 APT 17 | |
 |
2022-10-18 06:00:00 | Hackers compromised Hong Kong govt agency network for a year (lien direct) | Researchers at Symantec have uncovered cyberattacks attributed to the China-linked espionage actor APT41 (a.k.a. Winnti) that breached government agencies in Hong Kong and remained undetected for a year in some cases. [...] | Guideline | APT 41 | |
 |
2022-10-11 19:22:42 | Google Pixel 7 and Pixel 7 Pro: The next evolution in mobile security (lien direct) | Dave Kleidermacher, Jesse Seed, Brandon Barbello, Sherif Hanna, Eugene Liderman, Android, Pixel, and Silicon Security Teams Every day, billions of people around the world trust Google products to enrich their lives and provide helpful features – across mobile devices, smart home devices, health and fitness devices, and more. We keep more people safe online than anyone else in the world, with products that are secure by default, private by design and that put you in control. As our advancements in knowledge and computing grow to deliver more help across contexts, locations and languages, our unwavering commitment to protecting your information remains. That's why Pixel phones are designed from the ground up to help protect you and your sensitive data while keeping you in control. We're taking our industry-leading approach to security and privacy to the next level with Google Pixel 7 and Pixel 7 Pro, our most secure and private phones yet, which were recently recognized as the highest rated for security when tested among other smartphones by a third-party global research firm.1 Pixel phones also get better every few months with Feature Drops that provide the latest product updates, tips and tricks from Google. And Pixel 7 and Pixel 7 Pro users will receive at least five years of security updates2, so your Pixel gets even more secure over time. Your protection, built into PixelYour digital life and most sensitive information lives on your phone: financial information, passwords, personal data, photos – you name it. With Google Tensor G2 and our custom Titan M2 security chip, Pixel 7 and Pixel 7 Pro have multiple layers of hardware security to help keep you and your personal information safe. We take a comprehensive, end-to-end approach to security with verifiable protections at each layer - the network, application, operating system and multiple layers on the silicon itself. If you use Pixel for your business, this approach helps protect your company data, too.  Google Tensor G2 is Pixel's newest powerful processor custom built with Google AI, and makes Pixel 7 faster, more efficient and secure3. Every aspect of Tensor G2 was designed to improve Pixel's performance and efficiency for great battery life, amazing photos and videos. Tensor's built-in security core works with our Titan M2 security chip to keep your personal information, PINs and passwords safe. Titan family chips are also used to protect Google Cloud data centers and Chromebooks, so the same hardware that protects Google servers also secures your sensitive information stored on Pixel. And, in a first for Google, Titan M2 hardware has now been certified under Common Criteria PP0084: the international gold standard for hardware security components also used for identity, SIM cards, and bankcard security chips. |
Spam Malware Vulnerability Guideline Industrial | APT 40 | |
|
2022-09-20 15:00:00 | Anomali Cyber Watch: Uber and GTA 6 Were Breached, RedLine Bundle File Advertises Itself on YouTube, Supply-Chain Attack via eCommerce Fishpig Extensions, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Iran, Ransomware, Stealers, and Supply chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Hacker Pwns Uber Via Compromised VPN Account
(published: September 16, 2022)
On September 15, 2022, ride-sharing giant Uber started an incident response after discovering a data breach. According to Group-IB researchers, download file name artifacts point to the attacker getting access to fresh keylogger logs affecting two Uber employees from Indonesia and Brazil that have been infected with Racoon and Vidar stealers. The attacker allegedly used a compromised VPN account credentials and performed multifactor authentication fatigue attack by requesting the MFA push notification many times and then making a social-engineering call to the affected employee. Once inside, the attacker allegedly found valid credentials for privilege escalation: a PowerShell script containing hardcoded credentials for a Thycotic privileged access management admin account. On September 18, 2022, Rockstar Games’ Grand Theft Auto 6 suffered a confirmed data leak, likely caused by the same attacker.
Analyst Comment: Network defenders can consider setting up alerts for signs of an MFA fatigue attack such as a large number of MFA requests in a relatively short period of time. Review your source code for embedded credentials, especially those with administrative privileges.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Credentials from Password Stores - T1555
Tags: MFA fatigue, Social engineering, Data breach, Uber, GTA 6, GTA VI, detection:Racoon, detection:Vidar, malware-type:Keylogger, malware-type:Stealer
Self-Spreading Stealer Attacks Gamers via YouTube
(published: September 15, 2022)
Kaspersky researchers discovered a new campaign spreading the RedLine commodity stealer. This campaign utilizes a malicious bundle: a single self-extracting archive. The bundle delivers RedLine and additional malware, which enables spreading the malicious archive by publishing promotional videos on victim’s Youtube channel. These videos target gamers with promises of “cheats” and “cracks.”
Analyst Comment: Kids and other online gamers should be reminded to avoid illegal software. It might be better to use different machines for your gaming and banking activities.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Resource Hijacking - T1496
Tags: detection:RedLine, malware-type:Stealer, Bundle, Self-spreading, Telegraph, Youtub |
Ransomware Malware Tool Vulnerability Threat Guideline | Uber Uber APT 41 APT 15 | |
 |
2022-09-14 05:09:00 | Iranian cyberspies use multi-persona impersonation in phishing threads (lien direct) | One of the most prolific state-sponsored Iranian cyber espionage groups is targeting researchers from different fields by setting up sophisticated spear-phishing lures in which they use multiple fake personas inside the same email thread for increased credibility.Security firm Proofpoint tracks the group as TA453, but it overlaps with activity that other companies have attributed to Charming Kitten, PHOSPHORUS and APT42. Incident response company Mandiant recently reported with medium confidence that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC)'s Intelligence Organization (IRGC-IO) and specializes in highly targeted social engineering.To read this article in full, please click here | Conference | APT 35 APT 42 | |
|
2022-09-11 13:31:49 | Iran-linked APT42 is behind over 30 espionage attacks (lien direct) | >Iran-linked APT42 (formerly UNC788) is suspected to be the actor behind over 30 cyber espionage attacks against activists and dissidents. Experts attribute over 30 cyber espionage attacks against activists and dissidents to the Iran-linked APT42 (formerly UNC788). The campaigns have been conducted since 2015 and are aimed at conducting information collection and surveillance operations against […] | APT 42 | ||
|
2022-09-11 09:51:00 | Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents (lien direct) | A state-sponsored advanced persistent threat (APT) actor newly christened APT42 (formerly UNC788) has been attributed to over 30 confirmed espionage attacks against individuals and organizations of strategic interest to the Iranian government at least since 2015. Cybersecurity firm Mandiant said the group operates as the intelligence gathering arm of Iran's Islamic Revolutionary Guard Corps ( | Threat | APT 42 | |
|
2022-09-08 13:20:00 | Researchers Reveal New Iranian Threat Group APT42 (lien direct) | Group has been active since at least 2015 | Threat | APT 42 | |
|
2022-09-07 16:32:32 | Sprawling, multi-year Iranian cyberespionage and surveillance group exposed in new report (lien direct) | >The Iranian cyberespionage group known as APT 42 is characterized by targeted spear phishing campaigns and extensive surveillance operations. | APT 42 | ||
|
2022-09-07 15:07:57 | Nouveau groupe de cyberespionnage découvert : APT42 - Charmes tortueux, inconvénients et compromis (lien direct) | Nouveau groupe de cyberespionnage découvert : APT42 - Charmes tortueux, inconvénients et compromis. Mandiant publie un rapport détaillé sur le groupe APT42, un groupe de cyberespionnage parrainé par l'État iranien et chargé de mener des opérations de collecte d'informations et de surveillance contre des individus et des organisations présentant un intérêt stratégique pour le gouvernement iranien. - Malwares | APT 42 | ||
|
2022-09-07 14:37:13 | Iran-Linked APT Cozies Up to \'Enemies\' in Trust-Based Spy Game (lien direct) | APT42 is posing as a friend to people considered threats to the government, using a raft of different tools to steal relevant info and perform surveillance. | APT 42 | ||
|
2022-09-07 10:18:39 | New Iranian hacking group APT42 deploys custom Android spyware (lien direct) | A new Iranian state-sponsored hacking group known as APT42 has been discovered using a custom Android malware to spy on targets of interest. [...] | Malware | APT 42 | |
|
2022-09-07 09:00:00 | APT42: Charmes, inconvénients et compromis tordus APT42: Crooked Charms, Cons, and Compromises (lien direct) |
Aujourd'hui, Mandiant publie un rapport complet détaillant APT42, un groupe de cyber-espionnage parrainé par l'État iranien chargé de mener des opérations de collecte et de surveillance d'informations contre des individus et des organisations d'intérêt stratégique pour le gouvernement iranien.Nous estimons avec une confiance modérée que l'APT42 opère au nom de l'organisation de renseignement de la Garde de la révolution islamique (IRGC) (IRGC-IO) sur la base de modèles de ciblage qui s'alignent avec les mandats et priorités opérationnels de l'organisation \\.
Le rapport complet publié couvre le récent et historique de l'APT42
Today, Mandiant is releasing a comprehensive report detailing APT42, an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government. We estimate with moderate confidence that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC)\'s Intelligence Organization (IRGC-IO) based on targeting patterns that align with the organization\'s operational mandates and priorities. The full published report covers APT42\'s recent and historical |
APT 42 APT 42 | ★★★★ | |
|
2022-08-31 13:03:30 | China-linked APT40 used ScanBox Framework in a long-running espionage campaign (lien direct) | >Experts uncovered a cyber espionage campaign conducted by a China-linked APT group and aimed at several entities in the South China Sea. Proofpoint's Threat Research Team uncovered a cyber espionage campaign targeting entities across the world that was orchestrated by a China-linked threat actor. The campaign aimed at entities in Australia, Malaysia, and Europe, as […] | Threat | APT 40 | |
|
2022-08-31 05:02:05 | China-linked APT40 gang targets wind farms, Australian government (lien direct) | ScanBox installed after victims lured to fake Murdoch news sites with phishing emails Researchers at security company Proofpoint and PricewaterhouseCoopers (PWC) said on Tuesday they had identified a cyber espionage campaign that delivers the ScanBox exploitation framework through a malicious fake Australian news site.… | APT 40 | ||
 |
2022-08-30 16:00:43 | Watering Hole Attacks Push ScanBox Keylogger (lien direct) | Researchers uncover a watering hole attack likely carried out by APT TA423, which attempts to plant the ScanBox JavaScript-based reconnaissance tool. | Industrial | APT 40 | |
|
2022-08-19 16:30:00 | China-backed APT41 Group Hacked at Least 13 Victims in 2021 (lien direct) | The majority of the attacks spotted relied primarily on SQL injections on targeted domains | APT 41 | ||
|
2022-08-18 18:34:08 | China\'s APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload (lien direct) | The state-sponsored threat actor has switched up its tactics, also adding an automated SQL-injection tool to its bag of tricks for initial access. | Tool Threat | APT 41 | |
|
2022-08-18 06:33:50 | China-backed APT41 Hackers Targeted 13 Organisations Worldwide Last Year (lien direct) | The Chinese advanced persistent threat (APT) actor tracked as Winnti (aka APT41) has targeted at least 13 organizations geographically spanning across the U.S, Taiwan, India, Vietnam, and China against the backdrop of four different campaigns in 2021. "The targeted industries included the public sector, manufacturing, healthcare, logistics, hospitality, education, as well as the media and | Threat Guideline | APT 41 | ★★ |
 |
2022-06-30 13:49:56 | China lured graduate jobseekers into digital espionage (lien direct) | Student translators were targeted by front company for Beijing-backed hacking group APT40. | Industrial | APT 40 | |
|
2022-06-02 11:00:00 | Tendance Evil: Spotlight on Mandiant MDR Prevention of Destructive Campaies Againt Ukrainian Entities Trending Evil: Spotlight on Mandiant MDR Prevention of Destructive Campaigns Against Ukrainian Entities (lien direct) |
disponible aujourd'hui est la dernière édition de mal de tendance, Notre rapport trimestriel qui décompose leMenaces les plus récentes observées par Manialiant Managed Defense .
Dans cette édition, nous fournissons un aperçu de notre défense des entités ukrainiennes après avoir initié des mesures de protection supplémentaires pour les clients, observationsd'APT41, et une ventilation des attaques Web:
perturber les attaques russes : en prévision de la poursuiteLes cyberattaques russes à l'appui de son invasion de l'Ukraine ont géré la défense améliorée des services de surveillance et de menace pour les clients à partir de février 2022 . Cela a conduit au
Available today is the latest edition of Trending Evil, our quarterly report that breaks down the most recent threats observed by Mandiant Managed Defense. In this edition we provide an inside look at our defense of Ukrainian entities after initiating additional protective measures for customers, observations of APT41, and a breakdown of web attacks: Disrupting Russian Attacks: In anticipation of continued Russian cyber attacks in support of its invasion of Ukraine, Managed Defense enhanced monitoring and threat hunting services for customers beginning in February 2022. This led to the |
Threat | APT 41 | ★★★ |
To see everything:
Our RSS (filtrered)
