What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
The_Hackers_News 2023-12-21 09:11:00 Urgent: New Chrome Zero-Day Vulnerability Exploited in the Wild - Update ASAP (direct link)
Google has rolled out security updates for the Chrome web browser to address a high-severity zero-day flaw that it said has been exploited in the wild. The vulnerability, assigned the CVE identifier CVE-2023-7024, has been described as a heap-based buffer overflow bug in the WebRTC framework that could be exploited to result in program crashes or arbitrary code execution. Clément
Vulnerability Threat ★★
Sekoia 2023-12-21 08:00:00 IAM & Detection Engineering (direct link)
Introduction In the ever-changing cybersecurity landscape, Identity and Access Management (IAM) stands as the cornerstone of an organisation's digital asset protection. IAM solutions play an essential role in managing user identities, controlling access to resources and ensuring compliance. As the digital threat landscape is constantly increasing in complexity, the need for visibility of IAM events [...] The post IAM & Detection Engineering is an article from the Sekoia.io Blog.
Threat Guideline ★★★
ProofPoint 2023-12-21 05:00:25 BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates (direct link)
Overview
Throughout the summer and fall of 2023, DarkGate entered the ring competing for the top spot in the remote access trojan (RAT) and loader category. It was observed in use by multiple cybercrime actors and was spread via many methods such as email, Microsoft Teams, Skype, malvertising and fake updates.
Proofpoint researchers are tracking a particularly interesting operator of the DarkGate malware. At the time of publication, researchers are not attributing this cluster of activity to a known threat actor and are temporarily calling it BattleRoyal. Between September and November 2023, at least 20 email campaigns used DarkGate malware with GroupIDs “PLEX”, “ADS5”, “user_871236672” and “usr_871663321”. The GroupID is a configuration setting that is also referred to as username, botnet, campaign, or flag 23. The campaigns are notable for:
- Delivery: via email and RogueRaticate fake browser updates
- Volumes and geography: email campaigns include tens of thousands of emails targeting dozens of industries, primarily in the USA and Canada
- Attack chain: includes a variety of notable tools such as 404 TDS, Keitaro TDS, and .URL files exploiting CVE-2023-36025
[Figure: Volume of DarkGate campaigns based on four GroupIDs discussed in this report.]
TDS all the things! (an email campaign example)
On October 2, 2023, Proofpoint identified one of the first campaigns in this cluster. It was notable due to the use of more than one traffic delivery system (TDS), specifically 404 TDS and Keitaro TDS. Additionally, the .URL files involved exploited CVE-2023-36025, a vulnerability in Windows SmartScreen. While other parts of the attack chain from this actor changed or varied, .URL files were involved in every campaign.
The emails in this campaign contained:
- 404 TDS URLs that, if clicked by the user, redirected to Keitaro TDS
- Keitaro TDS was observed serving an internet shortcut (.URL) file
- The internet shortcut, if double clicked, downloaded a zipped VBS script
- The VBS in turn downloaded and executed several shell commands (cmd.exe)
- The shell commands (a) created a directory on the C: drive, (b) copied curl.exe from the system folder to this new directory, (c) used curl to download Autoit3.exe, (d) used curl to download and save an AutoIT script, and (e) ran the downloaded AutoIT script with the downloaded AutoIT interpreter
- The AutoIT script ran an embedded DarkGate
[Figure: Attack chain summary that follows the flow of: Email > 404 TDS > Keitaro TDS > .URL > .VBS > Shell commands > AutoIT / AutoIT script > DarkGate.]
[Figure: Screenshot of an example email from the October 2 campaign.]
[Figure: Screenshot of the .URL file involved in the October 2 campaign.]
Proofpoint has identified multiple cybercriminal campaigns exploiting CVE-2023-36025; however, the BattleRoyal cluster exploited this vulnerability more than any other actor observed in Proofpoint threat data. Notably, this activity cluster exploited CVE-2023-36025 before it was published by Microsoft. SmartScreen is a security feature that is designed to prevent people from visiting malicious websites. The vulnerability could allow an actor to bypass the SmartScreen defenses if a user clicked on a specially crafted .URL file or a hyperlink pointing to a .URL file. More specifically, a SmartScreen alert would not be triggered when a .URL points to an SMB or WebDAV share as file:// and the malicious payload is inside a ZIP file which is specified in the URL target.
RogueRaticate (fake browser update campaign example)
On October 19, 2023, an external researcher identified and publicly shared details of the RogueRaticate fake update activity cluster using an interesting obfuscation technique first identified in 2020. Proofpoint subsequently identified the activity in Proofpoint data. This campaign delivered fake browser update requests to end users on their web browsers that dropped a DarkGate payload with the “ADS5” GroupID. The threat actor injected a request to a domain they controlled that used .css steganography to conceal the malicious c
Malware Tool Vulnerability Threat Prediction ★★
Resecurity 2023-12-21 00:00:00 2024 Cyber Threat Landscape Forecast (direct link)
Threat Prediction ★★★
RiskIQ 2023-12-20 21:21:37 Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally (direct link)
Description: Russian Foreign Intelligence Service (SVR) cyber actors, also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, are exploiting CVE-2023-42793 at a large scale, targeting servers hosting JetBrains TeamCity software since September 2023. Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer's source code, signing certificates, and the ability to subvert software compilation and deployment processes, access a malicious actor could further use to conduct supply chain operations. Although the SVR used such access to compromise SolarWinds and its customers in 2020, the limited number and seemingly opportunistic types of victims currently identified indicate that the SVR has not used the access afforded by the TeamCity CVE in a similar manner. The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.
Reference URL(s): 1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
Publication Date: December 12, 2023
Author(s): CISA
Threat APT 29 ★★★
Checkpoint 2023-12-20 18:21:05 Check Point Software: The Pioneer in Cybersecurity Earns Security Platform Recognition from Top Analyst Firms in 2023 (direct link)
For more than three decades, Check Point Software has led the cybersecurity industry in ensuring that organizations of all sizes can conduct business over the internet with the highest levels of security through research and innovation. We deliver on a global platform vision through four key principles: prioritizing AI-powered threat prevention, adopting top-notch management practices, employing a unified architecture, and maintaining an extensive partner network, all of which defend organizations and their applications and users from sophisticated, Gen V cyberattacks. Check Point recommends the 3Cs of Optimum Security: Consolidated, Collaborative, and Comprehensive, to effectively combat the growing threat [...]
Threat ★★
bleepingcomputer 2023-12-20 16:52:42 Fake F5 BIG-IP zero-day warning emails push data wipers (direct link)
The Israel National Cyber Directorate warns of phishing emails pretending to be F5 BIG-IP zero-day security updates that deploy Windows and Linux data wipers. [...]
Vulnerability Threat ★★★
The_Hackers_News 2023-12-20 16:35:00 Product Explained: Memcyco's Real-Time Defense Against Website Spoofing (direct link)
Hands-On Review: Memcyco's Threat Intelligence Solution. Website impersonation, also known as brandjacking or website spoofing, has emerged as a significant threat to online businesses. Malicious actors clone legitimate websites to trick customers, leading to financial scams and data theft that cause reputation damage and financial losses for both organizations and customers. The Growing Threat of
Threat ★★
DarkReading 2023-12-20 16:00:00 Attackers Exploit 6-Year-Old Microsoft Office Bug to Spread Spyware (direct link)
Malicious attachments that exploit an RCE flaw from 2017 are propagating Agent Tesla via socially engineered emails and an evasive infection method.
Threat ★★
The_Hackers_News 2023-12-20 15:50:00 Alert: Chinese-Speaking Hackers Pose as UAE Authority in Latest Smishing Wave (direct link)
The Chinese-speaking threat actors behind Smishing Triad have been observed masquerading as the United Arab Emirates Federal Authority for Identity and Citizenship to send malicious SMS messages with the ultimate goal of gathering sensitive information from residents and foreigners in the country. "These criminals send malicious links to their victims' mobile devices through SMS or
Threat Mobile ★★
DarkReading 2023-12-20 15:00:00 3 Ways to Use Real-Time Intelligence to Defeat Bots (direct link)
Threat intelligence feedback loops are an increasingly vital tool in the escalating battle against bots.
Tool Threat ★★★
Netskope 2023-12-20 15:00:00 A Look at the Nim-based Campaign Using Microsoft Word Docs to Impersonate the Nepali Government (direct link)
Summary: Threat actors often employ stealthy attack techniques to elude detection and stay under the defender's radar. One way they do so is by using uncommon programming languages to develop malware. Using an uncommon programming language to develop malware provides several benefits, including: evading some signature-based detections; impeding analysis by malware analysts that are [...]
Malware Threat ★★
globalsecuritymag 2023-12-20 14:13:27 The stakes of state-sponsored cyber-espionage (direct link) The stakes of state-sponsored cyber-espionage, by TIXEO - Points of View Threat ★★★
DarkReading 2023-12-20 13:55:00 5 Essential Insights From the 'Microsoft Digital Defense Report 2023' (direct link)
By reviewing the latest risks, organizations can better protect themselves against a dynamic threat landscape, and deploy technologies and policies that keep them better defended.
Threat ★★★
globalsecuritymag 2023-12-20 13:42:17 ANSSI report: State of the threat targeting the telecommunications sector (direct link) ANSSI report: State of the threat targeting the telecommunications sector. Benoit Grunemwald, Cybersecurity Expert at ESET France, responds - Points of View Threat Studies ★★★
The_Hackers_News 2023-12-20 13:40:00 New Go-Based JaskaGO Malware Targeting Windows and macOS Systems (direct link)
A new Go-based information stealer malware called JaskaGO has emerged as the latest cross-platform threat to infiltrate both Windows and Apple macOS systems. AT&T Alien Labs, which made the discovery, said the malware is "equipped with an extensive array of commands from its command-and-control (C&C) server." Artifacts designed for macOS were first observed in July
Malware Threat ★★
Checkpoint 2023-12-20 13:01:25 The Evolving Cyber Landscape: AI Fighting AI (direct link)
The rise of Generative AI (GenAI) is causing a shift in the cyber-attack landscape. On one side, threat actors are starting to use GenAI to generate attacks, making their hacking more sophisticated while also lowering the bar for the expertise needed to breach organizations. At the same time, well-meaning employees have accidentally exposed company IP to public large language models (LLMs), creating more than a headache for IT teams. On the other side, companies are racing to use AI to prevent and detect breaches in real time, while also reducing the alert fatigue plaguing IT teams. In fact, at Check Point [...]
Threat ★★
SocRadar 2023-12-20 09:36:56 Enhancing IoT Security with Cyber Threat Intelligence (CTI) (direct link)
The Internet of Things (IoT) represents a significant technological advancement that is widely utilized in...
Threat ★★
RiskIQ 2023-12-19 20:47:10 #StopRansomware: Play Ransomware (direct link)
Description: Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors. In Australia, the first Play ransomware incident was observed in April 2023, and most recently in November 2023. The Play ransomware group is presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group's data leak website. Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions; rather, victims are instructed to contact the threat actors via email.
Reference URL(s): 1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a
Publication Date: December 11, 2023
Author(s): CISA
Ransomware Threat ★★
The_Hackers_News 2023-12-19 19:00:00 Hackers Abusing GitHub to Evade Detection and Control Compromised Hosts (direct link)
Threat actors are increasingly making use of GitHub for malicious purposes through novel methods, including abusing secret Gists and issuing malicious commands via git commit messages. "Malware authors occasionally place their samples in services like Dropbox, Google Drive, OneDrive, and Discord to host second stage malware and sidestep detection tools," ReversingLabs researcher Karlo Zanki
Malware Tool Threat ★★★
The_Hackers_News 2023-12-19 17:11:00 Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa (direct link)
The Iranian nation-state actor known as MuddyWater has leveraged a newly discovered command-and-control (C2) framework called MuddyC2Go in its attacks on the telecommunications sector in Egypt, Sudan, and Tanzania. The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under the name Seedworm, which is also tracked under the monikers Boggy Serpens, Cobalt
Threat ★★★
The_Hackers_News 2023-12-19 16:32:00 New Malvertising Campaign Distributing PikaBot Disguised as Popular Software (direct link)
The malware loader known as PikaBot is being distributed as part of a malvertising campaign targeting users searching for legitimate software like AnyDesk. "PikaBot was previously only distributed via malspam campaigns similarly to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577," Malwarebytes' Jérôme Segura said. The malware family,
Malware Threat ★★
InfoSecurityMag 2023-12-19 16:30:00 Smishing Triad Targets UAE Residents in Identity Theft Campaign (direct link)
The Resecurity team discovered the threat and promptly notified UAE law enforcement agencies
Threat ★★★
Netskope 2023-12-19 16:00:00 Netskope Threat Labs Stats for November 2023 (direct link)
Netskope Threat Labs publishes a monthly summary blog post of the top threats we are tracking on the Netskope platform. The purpose of this post is to provide strategic, actionable intelligence on active threats against enterprise users worldwide. Summary: After some time out of first place, PDF file types returned as the most common [...]
Threat ★★
RecordedFuture.webp 2023-12-19 15:55:00 Telecom organizations in Africa targeted by Iran-linked hackers
(direct link)
A cyber-espionage group linked to Iran's intelligence service has been targeting telecommunications companies in Egypt, Sudan and Tanzania, researchers have found. This is likely the first time the group, tracked as MuddyWater, has operated against organizations in Africa, according to Marc Elias, a threat intelligence analyst at Symantec, who analyzed the incident. In previously reported
Threat ★★★
Dragos.webp 2023-12-19 15:52:08 Developing and Executing a Fully Informed OT Threat Hunt
(direct link)
Written in partnership with Michael Gardner, who previously worked as an Intelligence Technical Account Manager at Dragos, Inc. Threat hunting... The post Developing and Executing a Fully Informed OT Threat Hunt first appeared on Dragos.
Threat Industrial Technical ★★★
InfoSecurityMag.webp 2023-12-19 15:00:00 2023 Cyber Threats: 26,000+ Vulnerabilities, 97 Beyond CISA List
(direct link)
The Qualys report also showed over 7,000 vulnerabilities had proof-of-concept exploit code
Vulnerability Threat ★★★
securityintelligence.webp 2023-12-19 14:00:00 Web injections are back on the rise: 40+ banks affected by new malware campaign
(direct link)
Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript […]
Malware Threat ★★
InfoSecurityMag.webp 2023-12-19 14:00:00 US and Australia Warn of Play Ransomware Threat
(direct link)
A joint advisory by US and Australian government agencies urges organizations to protect themselves against Play group's tactics
Ransomware Threat ★★★
The_Hackers_News.webp 2023-12-19 12:28:00 8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware
(direct link)
The threat actors associated with the 8220 Gang have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware. The security shortcoming is CVE-2020-14883 (CVSS score: 7.2), a remote code execution bug that could be exploited by authenticated attackers to take over susceptible servers. "This vulnerability allows remote authenticated
Malware Vulnerability Threat ★★
The_Hackers_News.webp 2023-12-19 11:12:00 Double-Extortion Play Ransomware Strikes 300 Organizations Worldwide
(direct link)
The threat actors behind the Play ransomware are estimated to have impacted approximately 300 entities as of October 2023, according to a new joint cybersecurity advisory from Australia and the U.S. "Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North
Ransomware Threat ★★★
ESET.webp 2023-12-19 10:27:56 ESET Threat Report H2 2023
(direct link)
A view of the H2 2023 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts
Threat ★★
silicon.fr.webp 2023-12-19 09:08:04 Language model manipulation, VR headset hacking, vishing attacks: what does the "cyber" year 2024 hold in store? (direct link) Every new technology trend opens up new attack vectors for cybercriminals. In 2024, emerging threats targeting businesses and individuals will be even more intense, complex and difficult to manage. Threat Prediction ★★★
IndustrialCyber.webp 2023-12-19 08:38:10 FBI, CISA, ASD issue advisory warning of Play ransomware global threat using double extortion tactics
(direct link)
The U.S. Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate's...
Ransomware Threat ★★★
Blog.webp 2023-12-19 01:22:36 Apache ActiveMQ Vulnerability (CVE-2023-46604) Continuously Being Exploited in Attacks
(direct link)
In November 2023, AhnLab Security Emergency Response Center (ASEC) published a blog post titled “Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604)” [1] which covered cases of the Andariel threat group exploiting the CVE-2023-46604 vulnerability to install malware. This post not only covered attack cases of the Andariel group but also those of HelloKitty Ransomware, Cobalt Strike, and Metasploit Meterpreter. Since then, the Apache ActiveMQ vulnerability (CVE-2023-46604) has continued to be exploited by various threat actors. This...
Ransomware Malware Vulnerability Threat ★★★
AlienVault.webp 2023-12-18 22:51:00 Behind the Scenes: JaskaGO's Coordinated Strike on macOS and Windows
(direct link)
Executive summary: In recent developments, a sophisticated malware stealer strain crafted in the Go programming language has been discovered by AT&T Alien Labs, posing a severe threat to both Windows and macOS operating systems. As of the time of publishing of this article, traditional antivirus solutions have low or even non-existent detection rates, making it a stealthy and formidable adversary.
Key takeaways: The malware is equipped with an extensive array of commands from its Command and Control (C&C) server. JaskaGO can persist via different methods on an infected system. Users face a heightened risk of data compromise as the malware excels at exfiltrating valuable information, ranging from browser credentials to cryptocurrency wallet details and other sensitive user files.
Background: JaskaGO contributes to a growing trend in malware development leveraging the Go programming language. Go, also known as Golang, is recognized for its simplicity, efficiency, and cross-platform capabilities. Its ease of use has made it an attractive choice for malware authors seeking to create versatile and sophisticated threats. While macOS is often perceived as a secure operating system, there exists a prevalent misconception among users that it is impervious to malware. Historically, this misbelief has stemmed from the relative scarcity of macOS-targeted threats compared to other platforms. However, JaskaGO serves as a stark reminder that both Windows and macOS users are constantly at risk of malware attacks. The malware's use of file names resembling well-known applications (such as “Capcut_Installer_Intel_M1.dmg”, “Anyconnect.exe”) suggests a common strategy of malware deployment under the guise of legitimate software on pirated application web pages. The first JaskaGO sample was observed in July 2023, initially targeting Mac users. Following this opening assault, dozens of new samples have been identified as the threat evolved its capabilities and developed into both macOS and Windows versions; its low detection rate is evident from anti-virus engines' results on a recent sample. (Figure 1. As captured by Alien Labs: Anti-virus detection for recent JaskaGO samples within VirusTotal.)
Analysis: Upon initial execution, the malware cunningly presents a deceptive message box, displaying a fake error message claiming a missing file. This is strategically designed to mislead the user into believing that the malicious code failed to run. (Figure 2. As captured by Alien Labs: Fake error message.)
Anti-VM: The malware conducts thorough checks to determine if it is operating within a virtual machine (VM). This process begins with the examination of general machine information, where specific criteria such as the number of processors, system up-time, available system memory, and MAC addresses are checked. The presence of MAC addresses associated with well-known VM software, such as VMware or VirtualBox, is a key indicator. (Figure 3. As captured by Alien Labs: Looking for VM related MAC addresses.) Additionally, the malware's Windows version searches for VM-related traces in both the registry and the file system. (Figure 4) JaskaGO traces Malware Vulnerability Threat Prediction Technical ★★★
The_Hackers_News.webp 2023-12-18 21:13:00 Beware: Experts Reveal New Details on Zero-Click Outlook RCE Exploits
(direct link)
Technical details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution on the Outlook email service sans any user interaction. "An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients," Akamai security
Vulnerability Threat Technical ★★★
The_Hackers_News.webp 2023-12-18 20:01:00 Rhadamanthys Malware: Swiss Army Knife of Information Stealers Emerges
(direct link)
The developers of the information stealer malware known as Rhadamanthys are actively iterating on its features, broadening its information-gathering capabilities and also incorporating a plugin system to make it more customizable. This approach not only transforms it into a threat capable of delivering "specific distributor needs," but also makes it more potent, Check Point said
Malware Threat ★★
Cybereason.webp 2023-12-18 16:09:11 THREAT ALERT: CITRIXBLEED (CVE-2023-4966)
(direct link)
THREAT ALERT: CITRIXBLEED (CVE-2023-4966)
Threat ★★
Checkpoint.webp 2023-12-18 13:32:23 18th December – Threat Intelligence Report
(direct link)
For the latest discoveries in cyber research for the week of 18th December, please download our Threat_Intelligence Bulletin. TOP ATTACKS AND BREACHES: Ukraine's largest mobile operator, Kyivstar, was hit by the “largest cyber-attack on telecom infrastructure in the world”, rendering millions without mobile and internet services for at least 48 hours. Reportedly, the attack also affected […]
Threat Mobile ★★
The_Hackers_News.webp 2023-12-18 11:11:00 CISA Urges Manufacturers to Eliminate Default Passwords to Thwart Cyber Threats
(direct link)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging manufacturers to get rid of default passwords on internet-exposed systems altogether, citing severe risks that could be exploited by malicious actors to gain initial access to, and move laterally within, organizations. In an alert published last week, the agency called out Iranian threat actors affiliated with
Threat ★★
AlienVault.webp 2023-12-18 11:00:00 Unveiling the dark web: A professional's guide to ethical exploration
(direct link)
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. The dark web, often shrouded in mystery and intrigue, is a realm of the internet that exists beyond the reach of traditional search engines. While the dark web does harbor a certain notoriety for hosting illegal activities, it also contains valuable information and resources that can be beneficial for professionals involved in cybersecurity, threat intelligence, and investigations. This article will provide a comprehensive guide on how to search the dark web for information gathering in a professional and ethical manner.
Understanding the dark web: Before delving into the intricacies of searching on the dark web, it's crucial to comprehend its structure. The internet comprises three layers: the surface web, the deep web, and the dark web. Surface web: This is the portion of the internet indexed by search engines like Google and accessible to the general public. Deep web: The deep web includes websites and databases not indexed by search engines. These are often password-protected or behind paywalls, such as online banking or email accounts. Dark web: The dark web is a hidden network of websites that can only be accessed using specialized software, such as Tor. It's intentionally designed to conceal the identity of users and hosts. While it has a reputation for illegal markets, it also includes legitimate websites and forums.
Ethical considerations: Searching the dark web requires a strong commitment to ethical conduct. It's essential to respect both legal and moral boundaries. Here are some critical ethical considerations: Legal compliance: Ensure that your activities are within the bounds of the law. Engaging in any illegal activities, such as purchasing illicit goods, is strictly prohibited. Use encryption: When accessing the dark web, always use encryption tools like the Tor browser to protect your identity and maintain anonymity. Verification: Verify the legitimacy of the information you find. Misinformation and scams are prevalent on the dark web.
Searching the dark web: Get the right tools: Start by downloading the Tor browser, a free and open-source software that allows you to access the dark web while concealing your IP address. Consider using a virtual private network (VPN) in combination with the Tor browser for an additional layer of security. Deep web vs. dark web: Distinguish between the deep web and the dark web. Remember that the deep web consists of web pages not indexed by search engines but is not inherently hidden. The dark web, on the other hand, is intentionally concealed. Search engines: Dark web search engines like DuckDuckGo, Torch and notEvil can be used to find specific websites and content. These search engines access .onion domains, which are unique to the dark web. Directories: Dark web directories are like Yellow Pages for hidden services. They list websites and their categories, making it easier to find what you're looking for. Notable directories include The Hidden Wiki and TorLinks. Forums and communities: The dark web hosts numerous forums, discussion boards, and communities that cover a wide range of topics. Some of these can be valuable sources of information. However, exercise caution as many forums are associated with illegal activities. File sharing: File-sharing services on the dark web may contain a wealth of data, including documents, reports, and archives. Some of these files may be of intere Tool Vulnerability Threat ★★
globalsecuritymag.webp 2023-12-18 10:11:41 Kaspersky discovers three new multi-platform threats (direct link) Kaspersky has discovered three new multi-platform threats and discloses three new strategies employed by cybercriminals as part of the FakeSG campaign, the Akira ransomware and the AMOS stealer for macOS. - Malwares Ransomware Threat ★★
ProofPoint.webp 2023-12-18 06:00:21 An Integrated Risk Approach to Breaking the Legal and Compliance Attack Chain: Insights from Proofpoint Protect 2023
(direct link)
Last September, Proofpoint held our first in-person event since the pandemic in New York City, Protect 2023. In this blog post, our Chief Compliance Officer in Residence John Pepe shares some key insights from the leaders who participated in the Compliance Leader's Roundtable at that conference. A big part of that discussion was exploring how combining data points from multiple tools can help stop known risk patterns before problems escalate. “Break the Attack Chain” is a Proofpoint initiative that outlines our approach to prevent and disrupt cyberattacks that target people and their data. The attack chain can basically be broken down into eight steps and three main stages: initial compromise, privilege escalation, and data exfiltration. (Figure: Steps in the attack chain.) We believe that breaking the attack chain is so important that we made it the theme of Protect 2023. When you break the attack chain, you reduce the risks and the impact of cyberattacks. And you avoid a lot of the financial, reputational and operational damage. Proofpoint argues that this starts by taking a people-centric approach to security that focuses on the human factors that enable and motivate attackers. But this theme isn't just relevant to cybersecurity. It's also an important concept that's relevant to compliance professionals and their current challenges. Recently at the Protect 2023 conference, we explored how the industry is using this idea to rethink the ways it approaches and mitigates risk.
What's top of mind for compliance professionals right now? Part of my job at Proofpoint is to provide our customers, some of whom are highly regulated, with executive briefings on compliance and regulatory best practices. I also have a lot of critical discussions with the legal and regulatory communities. So I understand why the concept of breaking the attack chain transcends cybersecurity and really resonates with these groups. That's why I chose to explore it at Protect 2023 at the Compliance Leader's Roundtable. This panel was comprised of a chief compliance officer from a leading financial services provider, the head of surveillance for an asset manager, and a chief information security officer. And our topic was “What's Top of Mind for Compliance Professionals Post COVID-19.” The discussion was informal and focused on work-from-home (WFH) initiatives during and after the pandemic. Two interconnected areas were of particular interest: risks and programs related to WFH, with a special focus on collaboration platforms; and how behavioral indicators may help to predict potential legal or compliance issues. When talking about insider risks and threats, the panelists explored: best practices for controlling messaging apps and mitigating risks in mobile texts and chat; how behavioral modeling and analytics can be used to enhance risk monitoring for user conduct; and how combining multiple compliance approaches can help form a holistic risk management program, which can mean integrating threat detection, people analytics, and conduct compliance applications. As part of the conversation, I brought up the topic of employee behaviors and patterns that can lead to legal or compliance issues. The example scenario I offered was of a disgruntled employee who had received an underwhelming bonus or was passed up for a promotion. To get back at the company, this person stole sensitive company data and intellectual property (IP) before they left their job. The panel discussed behaviors or telemetry that might be present in such a scenario. And they talked about whether any data about user conduct might help detect and prevent potential losses.
An integrated approach to breaking the attack chain: What follows are some of the ways that our panelists use tools to mitigate risks. And how Proofpoint can help.
Combining internal and external data: One of the most crucial aspects of a surveillance analyst's job, especially in financial services, is monitoring employee risk. The roundtable emp Tool Threat Mobile Prediction Conference ★★★
The_Hackers_News.webp 2023-12-16 10:30:00 Microsoft Warns of Storm-0539: The Rising Threat Behind Holiday Gift Card Frauds
(direct link)
Microsoft is warning of an uptick in malicious activity from an emerging threat cluster it's tracking as Storm-0539 for orchestrating gift card fraud and theft via highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season. The goal of the attacks is to propagate booby-trapped links that direct victims to adversary-in-the-middle (AiTM
Threat ★★★
RiskIQ.webp 2023-12-15 21:35:08 Ace in the Hole: Exposing GambleForce
(direct link)
#### Description
In September 2023, cybersecurity firm Group-IB uncovered GambleForce, a previously unknown threat actor specializing in SQL injection attacks across the Asia-Pacific region. GambleForce has targeted more than 20 websites (government, gambling, retail, and travel) in Australia, China, Indonesia, the Philippines, India, South Korea, Thailand, and Brazil. The group employed a toolset with basic but effective attack methods, leading to concerns of further activity even after Group-IB took down their command and control server. The entire toolset was based on publicly available open-source instruments used for pentesting purposes. After examining the toolset in more detail, it became clear that the tools were most likely associated with a threat actor executing one of the oldest attack methods: SQL injections. The attackers gained initial access using SQLmap, then proceeded to upload Cobalt Strike on compromised servers. Notably, the version of Cobalt Strike discovered on the gang's server used commands in Chinese, but this fact alone is not enough to attribute the group's origin.
#### Reference URL(s)
1. https://www.group-ib.com/blog/gambleforce-gang/
#### Publication Date
December 15, 2023
#### Author(s)
Nikita Rostovcev
Tool Threat ★★★
DarkReading.webp 2023-12-15 20:55:00 Patch Now: Exploit Activity Mounts for Dangerous Apache Struts 2 Bug
(direct link)
CVE-2023-50164 is harder to exploit than the 2017 Struts bug behind the massive breach at Equifax, but don't underestimate the potential for attackers to use it in targeted attacks.
Threat Equifax ★★★
The_Hackers_News.webp 2023-12-15 19:47:00 New KV-Botnet Targeting Cisco, DrayTek, and Fortinet Devices for Stealthy Attacks
(direct link)
A new botnet consisting of firewalls and routers from Cisco, DrayTek, Fortinet, and NETGEAR is being used as a covert data transfer network for advanced persistent threat actors, including the China-linked threat actor called Volt Typhoon. Dubbed KV-botnet by the Black Lotus Labs team at Lumen Technologies, the malicious network is an amalgamation of two complementary activity
Threat Guam ★★
The_Hackers_News.webp 2023-12-15 18:31:00 Crypto Hardware Wallet Ledger's Supply Chain Breach Results in $600,000 Theft
(direct link)
Crypto hardware wallet maker Ledger published a new version of its "@ledgerhq/connect-kit" npm module after unidentified threat actors pushed malicious code that led to the theft of more than $600,000 in virtual assets. The compromise was the result of a former employee falling victim to a phishing attack, the company said in a statement. This allowed the attackers to gain
Threat ★★★
Checkpoint.webp 2023-12-15 13:00:05 Getting to Know: Royce Ho
(direct link)
Royce Ho is a Regional Threat Prevention Security Consultant for the Southeast Asia & Korea (SEAK) region at Check Point Software Technologies. Prior to Check Point, he worked at CSIntelligence, Deloitte, F5 Networks and StarHub. Royce received a Bachelor's of Science in Information Systems and Information Security and Assurance from Singapore Management University. Royce, how did you get into cybersecurity? I graduated from Singapore Management University (SMU) with a double major in Information Systems and Information Security and Assurance. That was when my curiosity in cybersecurity was piqued, and the knowledge that I gained throughout my academic days enabled me […]
Threat Deloitte ★★★
Last update at: 2024-05-19 23:08:19