What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
The_Hackers_News.webp 2024-05-29 16:05:00 Microsoft Uncovers 'Moonstone Sleet' - New North Korean Hacker Group
(direct link)
A never-before-seen North Korean threat actor codenamed Moonstone Sleet has been attributed as behind cyber attacks targeting individuals and organizations in the software and information technology, education, and defense industrial base sectors with ransomware and bespoke malware previously associated with the infamous Lazarus Group. "Moonstone Sleet is observed to set up fake companies and
Threat Ransomware Malware Industrial APT 38
InfoSecurityMag.webp 2024-05-29 10:15:00 New North Korean Hacking Group Identified by Microsoft
(direct link)
Moonstone Sleet is a newly observed threat group targeting companies for financial and cyber espionage objectives
Threat
InfoSecurityMag.webp 2024-05-29 09:30:00 #Infosec2024: Decoding SentinelOne's AI Threat Hunting Assistant
(direct link)
SentinelOne will present a threat-hunting demonstration during which a security analyst will compete against a non-technical person using its AI assistant
Threat
Sekoia.webp 2024-05-29 07:35:44 Introducing Sekoia TDR
(direct link)
>This time, we’re not revealing a new cyber threat investigation or analysis, but I want to share some insights about the team behind all Sekoia Threat Intelligence and Detection Engineering reports. Let me introduce you to the Sekoia TDR team. TL;DR Sekoia Threat Detection & Research (TDR) is a multidisciplinary team dedicated to Cyber Threat […] The post Introducing Sekoia TDR is an article from Sekoia.io Blog.
Threat
ProofPoint.webp 2024-05-29 05:00:00 Security Brief: Sing Us a Song You're the Piano Scam
(direct link)
What happened  Proofpoint recently identified a cluster of activity conducting malicious email campaigns using piano-themed messages to lure people into advance fee fraud (AFF) scams. The campaigns have occurred since at least January 2024, and are ongoing. Most of the messages target students and faculty at colleges and universities in North America, however other targeting of industries including healthcare and food and beverage services was also observed. Proofpoint observed at least 125,000 messages so far this year associated with the piano scam campaigns cluster.  In the campaigns, the threat actor purports to offer up a free piano, often due to alleged circumstances like a death in the family. When a target replies, the actor instructs them to contact a shipping company to arrange delivery. That contact address will also be a fake email managed by the same threat actor. The “shipping company” then claims they will send the piano if the recipient sends them the money for shipping first.   Lure email purporting to be giving away a “free” piano.  Shipping options provided by the fake shipping company.   The actor requests payment via multiple options including Zelle, Cash App, PayPal, Apple Pay, or cryptocurrency. The actor also attempts to collect personally identifiable information (PII) from the user including names, physical addresses, and phone numbers.   Proofpoint identified at least one Bitcoin wallet address the piano scam fraudsters directed payment to. At the time of this writing, it contained over $900,000 in transactions. It is likely that multiple threat actors are conducting numerous different types of scams concurrently using the same wallet address given the volume of transactions, the variations in transaction prices, and overall amount of money associated with the account.   While the email body content of the messages is similar, the sender addresses vary. 
Typically, the actors use freemail email accounts, usually with some combination of names and numbers. Most of the campaigns include multiple variations on the email content and contact addresses.   Attribution  To obtain more information about the fraudsters, researchers started a discussion with the actors and convinced them to interact with a researcher-managed redirect service. Proofpoint was able to identify at least one perpetrator's IP address and device information. Based on the information obtained, researchers assess with high confidence that at least one part of the operation is based in Nigeria.  Screenshot of a part of a conversation between a researcher and threat actor.   Advance Fee Fraud (AFF), which in the past has been referred to as “419,” “Nigerian 419,” or “Nigerian Prince” email fraud, occurs when a threat actor asks the potential victim for a small amount of money in advance of a larger, promised payout to be given to the victim at a later date. There are endless variations of this type of fraud. Typical schemes contain elaborate stories that explain why there is a large sum of money, job opportunity, or other goods or services available to the victim and why the sender needs a small upfront or advanced fee before the victim gets the promised money or goods. The fraudsters often bait victims with subjects such as inheritance, awards, government payouts, and international business.    Once the victim provides the small amount of money to the fraudster, however, they cut all contact and disappear.   Why it matters  Proofpoint has previously published research on AFF campaigns using a variety of different themes to entice recipients to engage with them, including employment opportunities targeting university students and cryptocurrency fraud. In all cases, AFF relies on elaborate social engineering and the use of multiple different payment platforms. 
People should be aware of the common techniques used by threat actors and remember that if an unsolicited email so
Threat Medical
DarkReading.webp 2024-05-28 21:01:11 CatDDOS Threat Groups Sharply Ramp Up DDoS Attacks
(direct link)
In attacks over the past three months, threat actors have exploited more than 80 vulnerabilities to accelerate distribution of the Mirai variant.
Threat Vulnerability
RiskIQ.webp 2024-05-28 20:51:27 Arc Browsers Windows Launch Targeted by Google Ads Malvertising
(direct link)
## Snapshot
The Arc browser, a recently released web browser, has been the target of a malvertising campaign.

## Description
Cybercriminals created a fake ad campaign that impersonates the Arc browser, using official logos and websites to trick users into downloading malware. The malware is packaged in a unique way: the main installer contains two other executables. One of these executables retrieves a Windows installer for the legitimate Arc software, while the other contacts the MEGA cloud platform via its developer's API. Because the Arc browser is installed as expected on the victim's machine and the malicious files run stealthily in the background, the victim is unlikely to realize that they are now infected with malware.

Threat actors capitalizing on the hype surrounding new software or game launches is not new, but it continues to be an effective method of distributing malware. Users looking to download software should skip all promoted results on Google Search, use ad blockers that hide these results, and bookmark official project websites for future use.

## Recommendations
# Recommendations to protect against malvertising
Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. [Turn on network protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?ocid=magicti_ta_learndoc) to block connections to malicious domains and IP addresses.
- Build organizational resilience against email threats by educating users about identifying social engineering attacks and preventing malware infection. Use [Attack simulation training](https://learn.microsoft.com/microsoft-365/security/office-365-security/attack-simulation-training-get-started?ocid=magicti_ta_learndoc) in Microsoft Defender for Office 365 to run attack scenarios, increase user awareness, and empower employees to recognize and report these attacks.
- Practice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit the installation of RATs and other unwanted applications.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
- Turn on tamper protection features to prevent attackers from stopping security services.

Microsoft Defender customers can turn on [attack surface reduction rules](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?ocid=Magicti%3CEM%3ETA%3C/EM%
Threat Ransomware Malware Cloud
RiskIQ.webp 2024-05-28 19:40:48 ShrinkLocker: Turning BitLocker into Ransomware
(direct link)
#### Targeted Geolocations
- Mexico
- Indonesia
- Jordan

## Snapshot
Researchers at Kaspersky identified an incident where attackers deployed an advanced Visual Basic Script (VBScript) that took advantage of BitLocker for unauthorized file encryption.

## Description
BitLocker was originally designed to protect data from being stolen or exposed when devices are lost, stolen, or improperly disposed of. However, attackers have discovered how to exploit this feature for malicious purposes. Kaspersky researchers have detected this script and its modified versions in Mexico, Indonesia, and Jordan.

Initially, the script uses Windows Management Instrumentation (WMI) to gather operating system (OS) information. It checks the current domain and OS version, terminating itself if it encounters certain conditions, such as older Windows versions like XP or Vista. The script performs disk resizing operations only on fixed drives to avoid detection tools on network drives. For Windows Server 2008 and 2012, it shrinks non-boot partitions, creates new partitions, formats them, and reinstalls boot files using diskpart and bcdboot. For other Windows versions, similar operations are executed with code adapted for compatibility.

Registry entries are added by the script, which checks whether BitLocker Drive Encryption Tools are active and starts the BitLocker Drive Encryption Service if it is not already running. The script then disables and deletes the default BitLocker protectors, replacing them with a numerical password to prevent key recovery.

A unique 64-character encryption key is generated using random elements and system-specific data, converted into a secure string, and used to enable BitLocker on the drives. The attackers use the domain trycloudflare.com to send encrypted POST requests with system information and the encryption key to their server. To cover its tracks, the script deletes itself, clears logs, and modifies system settings before forcing a shutdown. Upon reboot, the victim is faced with a BitLocker screen with no recovery options, effectively locking them out of their data.

## References
[ShrinkLocker: Turning BitLocker into Ransomware](https://securelist.com/ransomware-abuses-bitlocker/112643/). Kaspersky (accessed 2024-05-28)
Threat Ransomware Tool
RiskIQ.webp 2024-05-28 17:37:40 Weekly OSINT Highlights, 28 May 2024
(direct link)
## Snapshot
Last week's OSINT reporting reveals a diverse array of sophisticated cyber threats targeting various sectors, including financial institutions, government entities, and academic organizations. The reports highlight a variety of attack types such as banking trojans, stealers, crypto mining malware, ransomware, and remote access trojans (RATs). Attack vectors include malspam campaigns, spear-phishing emails, search engine advertisements, and trojanized software packages. Threat actors range from financially motivated groups like UAC-0006 and Ikaruz Red Team to state-sponsored entities such as the Chinese-linked "Unfading Sea Haze" and the Iranian Void Manticore. These actors employ advanced techniques like fileless malware, DLL sideloading, and custom keyloggers to achieve persistence and data exfiltration. The targets of these attacks are geographically widespread, encompassing North and South America, the South China Sea region, the Philippines, and South Korea, underscoring the global reach and impact of these threats.

## Description
1. **[Metamorfo Banking Trojan Targets North and South America](https://security.microsoft.com/intel-explorer/articles/72f52370)**: Forcepoint reports that the Metamorfo (Casbaneiro) banking trojan spreads through malspam campaigns, using HTML attachments to initiate system metadata collection and steal user data. This malware targets banking users in North and South America by employing PowerShell commands and various persistence mechanisms.
2. **[Unfading Sea Haze Targets South China Sea Military and Government Entities](https://security.microsoft.com/intel-explorer/articles/c95e7fd5)**: Bitdefender Labs identified a Chinese-linked threat actor, "Unfading Sea Haze," using spear-phishing emails and fileless malware to target military and government entities in the South China Sea region. The campaign employs tools like SerialPktdoor and Gh0stRAT to exfiltrate data and maintain persistence.
3. **[Acrid, ScarletStealer, and Sys01 Stealers](https://security.microsoft.com/intel-explorer/articles/8ca39741)**: Kaspersky describes three stealers (Acrid, ScarletStealer, and Sys01) targeting various global regions. These stealers focus on stealing browser data, cryptocurrency wallets, and credentials, posing significant financial risks by exfiltrating sensitive user information.
4. **[REF4578 Crypto Mining Campaign](https://security.microsoft.com/intel-explorer/articles/c2420a77)**: Elastic Security Labs reports on REF4578, an intrusion set leveraging vulnerable drivers to disable EDRs for deploying Monero crypto miners. The campaign's GHOSTENGINE module ensures persistence and termination of security agents, targeting systems for crypto mining.
5. **[SmokeLoader Malware Campaign in Ukraine](https://security.microsoft.com/intel-explorer/articles/7bef5f52)**: CERT-UA observed the UAC-0006 threat actor distributing SmokeLoader malware via phishing emails in Ukraine. The campaign downloads additional malware like Taleshot and RMS, targeting remote banking systems and increasing fraud schemes.
6. **[Ikaruz Red Team Targets Philippines with Modified Ransomware](https://security.microsoft.com/intel-explorer/articles/624f5ce1)**: The hacktivist group Ikaruz Red Team uses leaked LockBit 3 ransomware builders to attack Philippine organizations, aligning with other hacktivist groups like Turk Hack Team. The group engages in politically motivated data leaks and destructive actions.
7. **[Grandoreiro Banking Trojan Campaign](https://security.microsoft.com/intel-explorer/articles/bc072613)**: IBM X-Force tracks the Grandoreiro banking trojan, which operates as Malware-as-a-Service (MaaS) and targets over 1500 global banks. The malware uses advanced evasion techniques and spreads through phishing emails, aiming to commit banking fraud worldwide.
8. **[Void Manticore's Destructive Wiping Attacks](https://security.microsoft.com/intel-explorer/articles/d5d5c07f)**: Check Point Research analyzes the Iranian threat actor Void Manticore, conducting destructive wip
Threat Ransomware Malware Hack Tool APT 34
InfoSecurityMag.webp 2024-05-28 16:15:00 Check Point Urges VPN Configuration Review Amid Attack Spike
(direct link)
These attacks did not exploit a vulnerability but instead leveraged weaker authentication methods
Threat Vulnerability
The_Hackers_News.webp 2024-05-28 15:45:00 Researchers Warn of CatDDoS Botnet and DNSBomb DDoS Attack Technique
(direct link)
The threat actors behind the CatDDoS malware botnet have exploited over 80 known security flaws in various software over the past three months to infiltrate vulnerable devices and co-opt them into a botnet for conducting distributed denial-of-service (DDoS) attacks. "CatDDoS-related gangs' samples have used a large number of known vulnerabilities to deliver samples," the QiAnXin XLab team
Threat Malware Vulnerability
SecurityWeek.webp 2024-05-28 13:32:24 Social Distortion: The Threat of Fear, Uncertainty and Deception in Creating Security Risk
(direct link)
>A look into the traditional pillars of security community culture and how they are being weakened and compromised, and even peek at where this all could go in a world of deepfakes and AI-fueled bias and hallucination.
Threat
globalsecuritymag.webp 2024-05-28 12:16:01 Cyjax: Telltale signs that the Medusa Ransomware group are Russian affiliated
(direct link)
Cyjax: Telltale signs that the Medusa Ransomware group are Russian affiliated by Ian Thornton-Trump, CISO, Cyjax & Roman Faithful, Cyber Threat Intelligence Team Lead, Cyjax - Opinion
Threat Ransomware
PaloAlto.webp 2024-05-28 12:00:22 AI Powers Sabre's Enhanced Threat Detection & Response
(direct link)
Precision AI by Palo Alto Networks helps security teams trust AI outcomes using security-specific models to automate detection, prevention and remediation.
Threat
The_Hackers_News.webp 2024-05-28 12:00:00 WordPress Plugin Exploited to Steal Credit Card Data from E-commerce Sites
(direct link)
Unknown threat actors are abusing lesser-known code snippet plugins for WordPress to insert malicious PHP code in victim sites that are capable of harvesting credit card data. The campaign, observed by Sucuri on May 11, 2024, entails the abuse of a WordPress plugin called Dessky Snippets, which allows users to add custom PHP code. It has over 200 active installations.
Threat
AlienVault.webp 2024-05-28 10:00:00 The Evolution of Cyber Threats in the Age of AI: Challenges and Responses
(direct link)
"In war, the importance of speed cannot be overstated. Swift and decisive actions often determine the outcome of battles, as delays can provide the enemy with opportunities to exploit weaknesses and gain advantages." - General Patton, "Leadership and Strategy in Warfare," Military Journal, 1945. Cybersecurity has become a battlefield where defenders and attackers engage in a constant struggle, mirroring the dynamics of traditional warfare. In this modern cyber conflict, the emergence of artificial intelligence (AI) has revolutionized the capabilities of traditionally asymmetric cyber attackers and threats, enabling them to pose challenges akin to those posed by near-peer adversaries.[1] This evolution in cyber threats demands a strategic response from organizations leveraging AI to ensure speed and intelligence in countering increasingly sophisticated attacks. AI provides force multiplication factors to both attackers and defenders. To wit, whichever side neglects the use of this new technology does so at its own peril. AI-Driven Evolution of Cyber Threats AI is playing a pivotal role in empowering cyber attackers and bridging the gap towards near-peer status with organizations in terms of cyber threats, which historically have been asymmetric in nature. The advancements in AI technologies have provided attackers with sophisticated tools and techniques that rival the defenses of many organizations. Several key areas highlight how AI is enabling the evolution of cyber threats: Sophisticated Attack Automation: AI-powered tools allow attackers to automate various stages of the attack lifecycle, from reconnaissance to exploitation.[2] This level of automation enables attackers to launch coordinated and sophisticated attacks at scale, putting organizations at risk of facing near-peer level threats in terms of attack complexity and coordination. 
Adaptive and Evolving Tactics: AI algorithms can analyze data and adapt attack tactics in real-time based on the defender's responses.[3] This adaptability makes it challenging for defenders to predict and defend against evolving attack strategies, mirroring the dynamic nature of near-peer adversaries who constantly adjust their tactics to overcome defenses. AI-Driven Social Engineering: AI algorithms can analyze vast amounts of data to craft highly convincing social engineering attacks, such as phishing emails or messages.[4] These AI-driven social engineering techniques exploit human vulnerabilities effectively, making it difficult for organizations to defend against such personalized and convincing attacks. AI-Powered Malware: Malware developers leverage AI to create sophisticated and polymorphic malware that can evade detection by traditional security solutions.[5] This level of sophistication in malware design and evasion techniques puts organizations at risk of facing near-peer level threats in terms of malware sophistication and stealthiness. AI-Enhanced Targeting: AI algorithms can analyze large datasets to identify specific targets within organizations, such as high-value assets or individuals with sensitive information.[6] This targeted approach allows attackers to focus their efforts on critical areas, increasing the effectiveness of their attacks and approaching the level of precision seen in near-peer threat actor operations. The combination of these AI-driven capabilities empowers cyber attackers to launch sophisticated, automated, and adaptive attacks that challenge organizations in ways previously seen only with near-peer adversaries in nation state attacks and warfare. Today, a single person harnessing the power of AI can create a veritable army, providing force multiplication to the attackers. This puts organizations at an even greater defensive disadvantage than in years prior to the introduction of AI. 
AI's Role in Defenders' Responses "Defense is not just about fortifying positions but also about reac
Threat Malware Tool Conference Prediction Vulnerability
SecurityWeek.webp 2024-05-28 08:57:31 Check Point VPNs Targeted to Hack Enterprise Networks
(direct link)
>Check Point is warning customers that threat actors are targeting insecure VPN instances for initial access to enterprise networks. 
Threat Hack
IndustrialCyber.webp 2024-05-27 17:59:53 BlackBerry exposes cyber espionage by Transparent Tribe targeting Indian government, defense sectors
(direct link)
>BlackBerry disclosed that the Pakistani-based advanced persistent threat group Transparent Tribe (APT36) targeted the Indian government, defense, and...
Threat APT 36
bleepingcomputer.webp 2024-05-27 14:19:21 Hackers target Check Point VPNs to breach enterprise networks
(direct link)
Threat actors are targeting Check Point Remote Access VPN devices in an ongoing campaign to breach enterprise networks, the company warned in a Monday advisory. [...]
Threat
Checkpoint.webp 2024-05-27 12:23:17 27th May – Threat Intelligence Report
(direct link)
>For the latest discoveries in cyber research for the week of 20th May, please download our Threat_Intelligence Bulletin. TOP ATTACKS AND BREACHES A data breach has exposed 500GB of Indian biometric data, affecting Indian police, military personnel, and other public workers during elections in India. The leak stemmed from unsecured databases managed by ThoughtGreen Technologies […]
Threat Data Breach Legislation
SecureList.webp 2024-05-27 10:00:04 Threat landscape for industrial automation systems, Q1 2024
(direct link)
In this report Kaspersky ICS CERT shares statistics on threats blocked on ICS computers globally and in separate regions in Q1 2024: share of attacked computers, most affected industries, most common types of threats.
Threat Industrial
The_Hackers_News.webp 2024-05-25 14:41:00 Experts Find Flaw in Replicate AI Service Exposing Customers' Models and Data
(direct link)
Cybersecurity researchers have discovered a critical security flaw in an artificial intelligence (AI)-as-a-service provider Replicate that could have allowed threat actors to gain access to proprietary AI models and sensitive information. "Exploitation of this vulnerability would have allowed unauthorized access to the AI prompts and results of all Replicate's platform customers,"
Threat Vulnerability
The_Hackers_News.webp 2024-05-24 22:00:00 Hackers Created Rogue VMs to Evade Detection in Recent MITRE Cyber Attack
(direct link)
The MITRE Corporation has revealed that the cyber attack targeting the not-for-profit company towards late December 2023 by exploiting zero-day flaws in Ivanti Connect Secure (ICS) involved the actor creating rogue virtual machines (VMs) within its VMware environment. "The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access," MITRE
Threat Vulnerability
RiskIQ.webp 2024-05-24 19:09:46 Exploring the Metamorfo Banking Trojan
(direct link)
#### Targeted Geolocations
- North America
- South America
## Snapshot
Forcepoint reports on Metamorfo Banking Trojan, also known as Casbaneiro, that is a banking trojan that targets North and South America.
## Description
The malware spreads through malspam campaigns, enticing users to click on HTML attachments. Once clicked, a series of activities are initiated, all focused on gathering system metadata. The malware is distributed via email and the attachment contains malicious codes that lead to data compromise. The PowerShell commands are utilized to drop the files at various suspicious locations, shutdown the system, and cause persistence to steal user data such as computer names, modifying system settings, user settings, keylogging, and sending it to compromised systems. Forcepoint customers are protected against this threat at various stages of attack.
## References
["Exploring the Metamorfo Banking Trojan"](https://www.forcepoint.com/blog/x-labs/exploring-metamorfo-banking-malware) Forcepoint (Accessed 2024-05-24)
Threat Malware
RiskIQ.webp 2024-05-24 18:42:00 (Déjà vu) Chinese hackers hide on military and govt networks for 6 years
(direct link)
#### Targeted Industries
- Government Agencies & Services
## Snapshot
A previously unknown threat actor, which Bitdefender Labs designated as "Unfading Sea Haze", has been targeting military and government entities in the South China Sea region since 2018, undetected until recently. Bitdefender researchers link its operations to Chinese geopolitical interests.
## Description
"Unfading Sea Haze" attacks start with spear-phishing emails containing malicious ZIP archives and LNK files, deploying fileless malware via MSBuild. This fileless malware, named 'SerialPktdoor,' serves as a backdoor program that provides the attackers with remote control over the compromised system. Additionally, the attackers employ scheduled tasks, local administrator account manipulation, and commercial Remote Monitoring and Management (RMM) tools like the Itarian RMM to gain a foothold on the compromised network. Once access is established, Unfading Sea Haze utilizes various tools such as a custom keylogger, info-stealer targeting data stored in web browsers, and Gh0stRAT malware variants to capture keystrokes, steal information, and maintain persistence. The threat actor also utilizes tools like Ps2dllLoader, 'SharpJSHandler,' and a custom tool for monitoring and exfiltrating data from breached systems. More recent attacks have shown a shift to using the curl utility and the FTP protocol for data exfiltration, along with dynamically generated credentials that are changed frequently.
## Recommendations
Recommendations to protect against Information stealers
Microsoft recommends the following mitigations to reduce the impact of Information stealer threats.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authenticati
Threat Ransomware Spam Malware Tool Commercial
The_Hackers_News.webp 2024-05-24 18:20:00 Fake Antivirus Websites Deliver Malware to Android and Windows Devices
(direct link)
Threat actors have been observed making use of fake websites masquerading as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to propagate malware capable of stealing sensitive information from Android and Windows devices. "Hosting malicious software through sites which look legitimate is predatory to general consumers, especially those who look to protect their devices
Threat Malware Mobile ★★
The_Hackers_News.webp 2024-05-24 17:19:00 How Do Hackers Blend In So Well? Learn Their Tricks in This Expert Webinar
(direct link)
Don't be fooled into thinking that cyber threats are only a problem for large organizations. The truth is that cybercriminals are increasingly targeting smaller businesses, and they're getting smarter every day. Join our FREE webinar "Navigating the SMB Threat Landscape: Key Insights from Huntress' Threat Report," in which Jamie Levy - Director of Adversary Tactics at Huntress, a renowned
Threat
RiskIQ.webp 2024-05-24 17:17:36 Moonstone Sleet using malicious tank game to infect devices
(direct link)
## Snapshot
Since February 2024, Microsoft has observed Moonstone Sleet infecting devices using a malicious tank game called DeTankWar. In some cases, after gaining initial access via the tank game, Moonstone Sleet conducted lateral movement and extensive exfiltration of data from impacted organizations. The actor has shared the DeTankWar malware extensively via social media and through directly contacting organizations in the gaming, education, and software development sectors, suggesting the actor is putting intense effort behind this campaign. Customers can use Microsoft Defender XDR to detect activity related to this threat actor in their environments. Microsoft Defender for Endpoint detects many components of this activity, such as *Moonstone Sleet actor activity detected*, and Microsoft Defender Antivirus detects the malware execution with behavioral signatures.
## Activity Overview
Since February 2024, Microsoft observed Moonstone Sleet infecting devices using a malicious tank game it developed. Moonstone Sleet sent the game to targets through messaging platforms such as LinkedIn and Telegram, phishing emails, and also spoofed the website of a well-known game maker to act as a download site. Once the ZIP file is downloaded, multiple malicious DLLs included in it are run upon launch of the game leading to connection to command-and-control (C2) infrastructure using Moonstone Sleet's YouieLoad, which is decrypted from one of the DLLs and in some cases subsequent hands-on-keyboard activity. Observed targets include employees of blockchain, trading, game development, and technology companies, as well as academics. These targets are globally located.
#### Attack chain
**Initial access**
Moonstone Sleet often approaches its targets either through messaging platforms or by email. We have observed the threat actor presenting itself as a game developer seeking either investment or developer support. In these emails, Moonstone Sleet masquerades as a legitimate blockchain company or uses fake companies. Moonstone Sleet presents DeTankWar as a nonfungible token (NFT)-enabled, play-to-earn game available on Windows, Mac, and Linux.
![Screenshot of a Moonstone Sleet DeTankWar spear phishing email](https://cdn-riq-ti.azureedge.net/4ade8bb0-b6f6-402a-85a4-817e051dbd7f)
*Figure 1. Example of a Moonstone Sleet DeTankWar spear phishing email*
To bolster its superficial legitimacy, Moonstone Sleet has created a robust public campaign that includes the websites *detankwar\[.\]com* and *defitankzone\[.\]com*, Twitter accounts for the personas it uses to approach targets, and the game itself, which is alternately referred to as DeTankWar, DeFiTankWar, TankWarsZone, and DeTankLand.
![Fake Twitter account for "Detankwar" game](https://cdn-riq-ti.azureedge.net/8fed6dd5-25f0-4872-86f1-02aba17af7fb)
![Fake Twitter account for persona used to contact targets](https://cdn-riq-ti.azureedge.net/f3e3cef7-acff-428a-b5df-7aa6535dade0)
*Figures 2 and 3. DeTankWar Twitter accounts*
![Screenshot of DeTankWar website](https://cdn-riq-ti.azureedge.net/b68b8aba-20b4-4961-be8b-fcbc9961bcf9)
![Screenshot of DeTankWar website with download links](https://cdn-riq-ti.azureedge.net/05af37b5-6703-4bdf-806d-bd9cdbedbdce)
*Figures 4 and 5. Pages from the DeTankWar website*
In mid-March, Microsoft observed a homoglyph domain created by Moonstone Sleet to spoof a well-known game developer. This website offered a page on DeTankWar with both a download link and a link to the @detankwar1 X (Twitter) account.
![Screenshot of game assets/elements from DeTankWar website](https://cdn-riq-ti.azureedge.net/2362b125-8958-45a6-9629-f9aafa21c0a3)
*Figure 6. Elements on the page for DeTankWar on spoofed website*
**Launch**
Visitors to the DeTankWar website are prompted to download a compressed ZIP archive. When the user launches the game, the malicious payload *delfi-tank-unity.exe* or *DeTankWar.exe* also launches. The payload is cu
Threat Malware Tool
The_Hackers_News.webp 2024-05-24 15:40:00 Google Detects 4th Chrome Zero-Day in May Actively Under Attack - Update ASAP
(direct link)
Google on Thursday rolled out fixes to address a high-severity security flaw in its Chrome browser that it said has been exploited in the wild. Assigned the CVE identifier CVE-2024-5274, the vulnerability relates to a type confusion bug in the V8 JavaScript and WebAssembly engine. It was reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of
Threat Vulnerability
DarkReading.webp 2024-05-24 15:31:07 Google Discovers Fourth Zero-Day in Less Than a Month
(direct link)
The tech company has rolled out fixes for a type confusion vulnerability that has already been exploited by malicious actors.
Threat Vulnerability
Netskope.webp 2024-05-24 15:05:50 Understanding Netskope for Good
(direct link)
An important part of the Netskope vision centers around the responsibility we have for supporting our wider communities. This is apparent in the way that our technology helps the global security community protect against the ever evolving threat landscape. But we believe it’s also incredibly important that we go beyond technology, and harness the power […]
Threat
DarkReading.webp 2024-05-24 12:31:01 Future-Proof Your Cybersecurity AI Strategy
(direct link)
An effective, long-term XDR strategy will address the ongoing need for rapid analysis and continual vetting of the latest threat intelligence.
Threat ★★
SecurityWeek.webp 2024-05-24 11:30:00 In Other News: China's Undersea Spying, Hotel Spyware, Iran's Disruptive Attacks
(direct link)
Noteworthy stories that might have slipped under the radar: Chinese repair ships might be spying on undersea communications, spyware found at hotel check-ins, UK not ready for China threat.
Threat
Chercheur.webp 2024-05-24 11:07:53 On the Zero-Day Market
(direct link)
New paper: “Zero Progress on Zero Days: How the Last Ten Years Created the Modern Spyware Market”: Abstract: Spyware makes surveillance simple. The last ten years have seen a global market emerge for ready-made software that lets governments surveil their citizens and foreign adversaries alike and to do so more easily than when such work required tradecraft. The last ten years have also been marked by stark failures to control spyware and its precursors and components. This Article accounts for and critiques these failures, providing a socio-technical history since 2014, particularly focusing on the conversation about trade in zero-day vulnerabilities and exploits. Second, this Article applies lessons from these failures to guide regulatory efforts going forward. While recognizing that controlling this trade is difficult, I argue countries should focus on building and strengthening multilateral coalitions of the willing, rather than on strong-arming existing multilateral institutions into working on the problem. Individually, countries should focus on export controls and other sanctions that target specific bad actors, rather than focusing on restricting particular technologies. Last, I continue to call for transparency as a key part of oversight of domestic governments’ use of spyware and related components...
Threat Vulnerability
RiskIQ.webp 2024-05-24 01:09:17 Crimeware Report: Acrid, ScarletStealer, and Sys01 Stealers
(direct link)
## Snapshot
Kaspersky security researchers provide details on three distinct stealers: Acrid, ScarletStealer, and Sys01. These stealers exhibit varying levels of sophistication and global targeting, with specific geographic concentrations for each.
## Description
Acrid is a new stealer that was found in December 2023. It is written in C++ for the 32-bit system and uses the "Heaven's Gate" technique to bypass certain security controls. ScarletStealer is a rather unique stealer as most of its stealing functionality is contained in other binaries that it downloads. ScarletStealer victims are mostly located in Brazil, Turkey, Indonesia, Algeria, Egypt, India, Vietnam, the USA, South Africa and Portugal. Sys01 (also known as “Album Stealer” or “S1deload Stealer”) is a relatively unknown stealer that has been around since at least 2022. Victims of this campaign were found all over the world, but most of them were located in Algeria. The stealer is distributed through a long chain of downloaders, where the last one is the Penguish downloader, and signed with a digital certificate. Unlike previous publicly disclosed versions of Sys01, the latest version of the stealer has split functionality. It now specifically steals Facebook-related data and sends stolen browser data to the C2. All three stealers have the typical functionality one might expect from a stealer, such as stealing browser data, stealing local cryptocurrency wallets, stealing files with specific names, and stealing credentials from installed applications. The danger posed by stealers lies in the consequences. This malware steals passwords and other sensitive information, which later can be used for further malicious activities causing great financial losses among other things.
## Microsoft Analysis
In recent years, Microsoft has tracked the growing risk that infostealers pose to enterprise security. Infostealers are commodity malware used to steal information from a target device and send it to the threat actor. The popularity of this class of malware led to the emergence of an infostealer ecosystem and a new class of threat actors who leveraged these capabilities to conduct their attacks. Infostealers are advertised as a malware as a service (MaaS) offering – a business model where the developers lease the infostealer payload to distributers for a fee. Information stealers are versatile and can be distributed in various forms including through phishing email campaigns, malvertising, and trojanized software, games and tools. Typically, once the user downloads and launches the malicious payload, it establishes command and control (C2) connections with suspicious domains. Once infected, the infostealer attempts to collect and ultimately exfiltrate information from the system including files, browsers, internet-facing devices and applications to the C2 servers.
## Detections
### Microsoft Defender for Endpoint
Alerts with the following titles in the security center can indicate threat activity on your network. These alerts, however, can be triggered by unrelated threat activity.
- Information stealing malware activity
- An executable loaded an unexpected dll
- DLL search order hijack
- Possible S1deload stealer activity
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learn
Threat Ransomware Spam Malware Tool ★★
The_Hackers_News.webp 2024-05-23 22:33:00 Ransomware Attacks Exploit VMware ESXi Vulnerabilities in Alarming Pattern
(direct link)
Ransomware attacks targeting VMware ESXi infrastructure follow an established pattern regardless of the file-encrypting malware deployed. "Virtualization platforms are a core component of organizational IT infrastructure, yet they often suffer from inherent misconfigurations and vulnerabilities, making them a lucrative and highly effective target for threat actors to abuse,"
Threat Ransomware Malware Vulnerability ★★
RiskIQ.webp 2024-05-23 21:02:25 GhostEngine mining attacks kill EDR security using vulnerable drivers
(direct link)
## Snapshot
Elastic Security Labs has identified an intrusion set, REF4578, that incorporates several malicious modules and leverages vulnerable drivers to disable known security solutions (EDRs) for crypto mining.
## Description
The primary payload of this intrusion set is GHOSTENGINE, which is responsible for retrieving and executing modules on the machine. GHOSTENGINE primarily uses HTTP to download files from a configured domain, with a backup IP in case domains are unavailable. Additionally, it employs FTP as a secondary protocol with embedded credentials. The ultimate goal of the REF4578 intrusion set was to gain access to an environment and deploy a persistent Monero crypto miner, XMRig. The malware authors incorporated many contingency and duplication mechanisms, and GHOSTENGINE leverages vulnerable drivers to terminate and delete known EDR agents that would likely interfere with the deployed and well-known coin miner. This campaign involved an uncommon amount of complexity to ensure both the installation and persistence of the XMRIG miner. The malware scans and compares all the running processes with a hardcoded list of known EDR agents. If there are any matches, it first terminates the security agent and then deletes the security agent binary with another vulnerable driver.
## Recommendations
Apply these mitigations to reduce the impact of this threat.
- [Turn on PUA protection](https://docs.microsoft.com/windows/security/thereat-potection/microsoft-defender-antivirus/detect-block-potential-unwanted-apps-microsoft-defender-asvirus). Potentially unwanted applications (PUA) can negatively impact machine performance and employee productivity. In enterprise environments, PUA protection can stop adware, torrent downloaders, and coin miners.
- Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop coin miners.
## References
[GhostEngine mining attacks kill EDR security using vulnerable drivers](https://www.ellastic.co/security-labs/invisible-miners-unveiling-ghostengine). Elastic Security Labs (accessed 22-22-2024)
Threat Malware ★★
The_Hackers_News.webp 2024-05-23 19:20:00 New Frontiers, Old Tactics: Chinese Espionage Group Targets Africa & Caribbean Govts
(direct link)
The China-linked threat actor known as Sharp Panda has expanded their targeting to include governmental organizations in Africa and the Caribbean as part of an ongoing cyber espionage campaign. "The campaign adopts Cobalt Strike Beacon as the payload, enabling backdoor functionalities like C2 communication and command execution while minimizing the exposure of their custom tools," Check Point
Threat Tool ★★★
TechRepublic.webp 2024-05-23 18:34:07 IBM X-Force Report: Grandoreiro Malware Targets More Than 1,500 Banks in 60 Countries
(direct link)
Find out how Grandoreiro banking trojan campaigns work and the countries targeted, as well as how to mitigate this malware threat.
Threat Malware ★★
The_Hackers_News.webp 2024-05-23 16:44:00 Inside Operation Diplomatic Specter: Chinese APT Group's Stealthy Tactics Exposed
(direct link)
Governmental entities in the Middle East, Africa, and Asia are the target of a Chinese advanced persistent threat (APT) group as part of an ongoing cyber espionage campaign dubbed Operation Diplomatic Specter since at least late 2022. "An analysis of this threat actor's activity reveals long-term espionage operations against at least seven governmental entities," Palo Alto Networks
Threat ★★★
InfoSecurityMag.webp 2024-05-23 16:15:00 Cybercriminals Exploit Cloud Storage For SMS Phishing Scams
(direct link)
According to Enea, these campaigns use cloud storage platforms to host malicious websites, sending links via SMS to bypass firewalls
Threat Cloud ★★
Checkpoint.webp 2024-05-23 13:07:07 Sharp Dragon Expands Towards Africa and The Caribbean
(direct link)
Key Findings Introduction Since 2021, Check Point Research has been closely monitoring the activities of Sharp Dragon (Formerly referred to as Sharp Panda*), a Chinese threat actor. Historical activities mostly consist of highly-targeted phishing emails, previously leading to the deployment of VictoryDLL or Soul framework. While the final payloads Sharp Dragon operators have deployed over time changed, their modus operandi […]
Threat ★★
Checkpoint.webp 2024-05-23 13:00:02 Chinese Espionage Campaign Expands to Target Africa and The Caribbean
(direct link)
Check Point Research (CPR) sees an ongoing cyber espionage campaign that focuses on targeting governmental organizations in Africa and the Caribbean. Attributed to a Chinese threat actor Sharp Dragon (formerly Sharp Panda), the campaign adopts Cobalt Strike Beacon as the payload, enabling backdoor functionalities like C2 communication and command execution while minimizing the exposure of their custom tools. This refined approach suggests a deeper understanding of their targets. Key Findings Sharp Dragon's (formerly referred to as Sharp Panda) operations continue, expanding their focus now to new regions – Africa and the Caribbean. Sharp Dragon utilizes trusted government entities to infect new […]
Threat Tool ★★
Netskope.webp 2024-05-23 13:00:00 Phishing with Cloudflare Workers: Transparent Phishing and HTML Smuggling
(direct link)
Summary Netskope Threat Labs is tracking multiple phishing campaigns that abuse Cloudflare Workers. The campaigns are likely the work of different attackers since they use two very different techniques. One campaign (similar to the previously disclosed Azorult campaign) uses HTML smuggling, a detection evasion technique often used for downloading malware, to hide the phishing content […]
Threat Malware ★★★
Darktrace.webp 2024-05-23 11:36:00 How to Protect your Organization Against Microsoft Teams Phishing Attacks
(direct link)
In recent months, we've seen a dramatic rise in the number of attacks using Microsoft Teams as a threat vector. This blog will explore why Teams is becoming such a popular entry point, how built-in and market security offerings fail to address sophisticated Teams threats, and why behavioral AI is the solution to early detection of Teams-based social engineering and account compromise.
Threat ★★★
SecurityWeek.webp 2024-05-23 11:00:00 Zero-Day Attacks and Supply Chain Compromises Surge, MFA Remains Underutilized: Rapid7 Report
(direct link)
Attackers are getting more sophisticated, better armed, and faster. Nothing in Rapid7's 2024 Attack Intelligence Report suggests that this will change.
Threat Vulnerability ★★
News.webp 2024-05-23 08:30:13 UK data watchdog wants six figures from N Ireland cops after 2023 data leak
(direct link)
Massive discount applied to save cop shop's helicopter budget Following a data leak that brought "tangible fear of threat to life", the UK's data protection watchdog says it intends to fine the Police Service of Northern Ireland (PSNI) £750,000 ($955,798).…
Threat Legislation ★★★
ProofPoint.webp 2024-05-23 08:02:17 Proofpoint vs. Abnormal Security: A Fortune 500 Company Explains Why One Is Better
(direct link)
Businesses that choose Proofpoint tend to stay with us. In fact, while many start by using our email threat detection tools, over time they often consolidate their other cybersecurity tools with us. They end up using Proofpoint for their other attack surfaces, like identity threats and information protection.

But what happens if they're forced to adopt Abnormal Security by senior management? That's what happened to the Fortune 500 financial services corporation discussed in this blog post. They wanted to share their story but requested anonymity. As a customer of both Proofpoint and Abnormal, they have some key insights about what makes Proofpoint stand out from the competition.

A defense-in-depth approach

An existing Microsoft 365 E5 customer, the company deployed a defense-in-depth security approach because the native and Microsoft Defender email security capabilities were not good enough to detect and block phishing, malware and ransomware. They also used CrowdStrike and complemented these tools with Proofpoint Threat Protection. Proofpoint ensured that they could detect and block more sophisticated email threats like:
- Socially engineered attacks
- Business email compromise (BEC)
- Advanced credential phishing

By combining Microsoft, Proofpoint and CrowdStrike, the customer had powerful email security. It could detect and block email threats and automate remediation across its offices worldwide. And it had a strong continuous detection model (predelivery, post-delivery and click-time) throughout its entire email delivery flow. End-to-end protection is why 87% of Fortune 100 companies trust Proofpoint to protect their people and business.

Because the customer's senior executive management team truly believed in the defense-in-depth approach, it decided to add Abnormal Security as an additional layer of defense. Abnormal is an API-based, post-delivery, remediation-only tool that's positioned as easy to use. Featuring behavioral AI, it's sold as a “set it and forget it” tool that can detect and remediate email threats faster while improving operational efficiency.

The company soon integrated Abnormal with its existing Microsoft 365 APIs so that Abnormal could receive emails from Microsoft. At the same time, the customer deactivated automated remediation in Proofpoint Threat Response Auto-Pull. The Abnormal tool was now in charge of analyzing emails post-delivery.

“We were told it would be 'set it and forget it' with Abnormal but found it couldn't be further from the truth.” - IT director, data security, Fortune 500 financial services company

A head-to-head comparison: Proofpoint vs. Abnormal

Once they started using Abnormal, the cybersecurity team watched what it could do and assessed how the company's new defense-in-depth approach was going. Here's what they observed.

Predelivery efficacy: Proofpoint wins

Unlike Proofpoint, Abnormal does not provide any predelivery detection or analysis capabilities; it has a 0% predelivery efficacy rate. Compare that to Proofpoint predelivery detection, which stops known and emerging threats before they are delivered to users' inboxes. This prevents users from engaging with threats and reduces the downstream burden on security teams.

Proofpoint uses a multilayered detection stack to accurately identify and catch the widest array of threats. Our broad set of detection technology means that we can apply the right technique for the right threat. This includes QR code scams, URL-based threats and BEC attacks.

By combining our existing attachment defense with our new predelivery hold and sandboxing of suspicious messages with URLs, Proofpoint ensures that fewer malicious URLs and dangerous payloads are delivered to users' inboxes. This includes QR codes or any malicious files that are attached to emails. And thanks to our new predelivery large language model (L
Threat Ransomware Malware Tool ★★★
CS.webp 2024-05-23 01:07:40 Current, former government cyber officials tout industry collaboration advancements
(direct link)
Easterly, Krebs and others discuss Ivanti breach, expiring legal protections for companies that share threat data with feds, and JCDC progress.
Threat ★★
RiskIQ.webp 2024-05-22 20:16:56 UAC-0006 Increased Cyberattacks
(direct link)
## Snapshot
The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) has observed increased activity from a financially motivated threat actor they track as UAC-0006. Since May 20, 2024, the group has conducted at least two distinct malware distribution campaigns.

## Description
CERT-UA reports that these campaigns are distributing SmokeLoader malware via phishing emails. These emails contain ZIP archives with malicious files, including .IMG files with executable (.exe) files and Microsoft Access (.ACCDB) documents with embedded macros. These macros execute PowerShell commands to download and run the executable files. After initial system compromise, additional malware such as Taleshot and RMS are downloaded and installed. Currently, the botnet comprises several hundred infected computers. As a result of this increased activity, CERT-UA expects an increase in fraud schemes targeting remote banking systems in the near future.

## Detections
**Microsoft Defender Antivirus**
Microsoft Defender Antivirus detects threat components as the following malware:
- [*Trojan:Win32/SmokeLoader*](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/SmokeLoader&threatId=-2147238753)
- *[Trojan:Win64/Smokeloader](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/Smokeloader&threatId=-2147113809)*

## References
[UAC-0006 Increased Cyberattacks](https://cert.gov.ua/article/6279366). Computer Emergency Response Team of Ukraine (accessed 2024-05-22)
Threat Malware ★★★
Last update at: 2024-05-29 11:09:26