What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
News.webp 2024-02-17 02:10:11 Google open sources file-identifying Magika AI for malware hunters and others
(direct link)
Cool, but it's 2024 – needs more hype, hand wringing, and flashy staged demos to be proper ML. Google has open sourced Magika, an in-house machine-learning-powered file identifier, as part of its AI Cyber Defense Initiative, which aims to give IT network defenders and others better automated tools.…
Malware Tool ★★
DarkReading.webp 2024-02-17 00:05:10 CISO Corner: CIO Convergence, 10 Critical Security Metrics, & Ivanti Fallout
(direct link)
Also in this issue: Mideast investment, new FCC breach notification rules, and how Dark Reading readers use GenAI tools in their cybersecurity apparatus.
Tool ★★
RiskIQ.webp 2024-02-16 20:41:12 SNS Sender | Active Campaigns Unleash Messaging Spam Through the Cloud (direct link)
#### Description
SentinelOne researchers have discovered a new Python script called SNS Sender that uses AWS Simple Notification Service (SNS) to send bulk SMS messages for the purpose of spamming phishing links, also known as smishing. This is the first script observed using AWS SNS, and it is believed that the actor behind this tool is using cloud services to send bulk SMS phishing messages. The script author is known by the alias ARDUINO_DAS and is prolific in the phish kit scene. The script requires a list of phishing links named links.txt in its working directory. SNS Sender also takes several arguments that are entered as input: a text file containing a list of AWS access keys, secrets, and region delimited by a colon; a text file containing a list of phone numbers to target; a sender ID, similar to a display name for a message; and the message content. The script replaces any occurrences of the string in the message content variable with a URL from the links.txt file, which weaponizes the message as a phishing SMS. The actor behind this tool has been linked to many phishing kits used to target victims' personally identifiable information (PII) and payment card details under the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery.
#### Reference URL(s)
1. https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
#### Publication Date
February 15, 2024
#### Author(s)
Alex Delamotte
Spam Tool Cloud ★★★
knowbe4.webp 2024-02-16 20:34:13 Messaging Platform Telegram Sprouts Cyber Crime “Marketplaces” of Tools, Insights and Data
(direct link)
Messaging Platform Telegram Sprouts Cybercrime “Marketplaces” of Tools, Insights, and Data. Cybercriminals are taking advantage of the messaging platform Telegram by creating channels and groups where learning and commerce can all take place freely.
Tool ★★
globalsecuritymag.webp 2024-02-16 13:16:07 Google announces the AI Cyber Defense Initiative to strengthen cybersecurity (direct link) Google announces the AI Cyber Defense Initiative to strengthen cybersecurity ● The AI Cyber Defense Initiative aims to help digital defenders gain the upper hand over attackers, thereby strengthening global security. ● The initiative includes investments, support for startups, small businesses, academic institutions and researchers; and enabling new open source AI security tools. - Business Tool ★★
globalsecuritymag.webp 2024-02-16 09:45:39 Goldilock signs “Made in America” deal with Patriot Tools for US manufacture of OT cyber kill-switch
(direct link)
Goldilock signs “Made in America” deal with Patriot Tools for US manufacture of OT cyber kill-switch. The British multi-patented cyber kill-switch, developed and used by the UK Ministry of Defence and deployed by Ukrainian CyberCommand, will now be made in America, using US components - Business News
Tool Industrial ★★
ProofPoint.webp 2024-02-16 06:00:45 The Ins and Outs of Data Privacy, Part 1: The Importance and Growing Complexity of Ensuring Data Privacy
(direct link)
This blog is the first in a series where we explore data privacy. In these two blogs, we'll cover why data privacy is increasingly important as well as some tips for keeping data safe. We'll also discuss how data loss protection (DLP) and insider threat management tools (ITM) are critical to ensuring data privacy.

Data Privacy Week in January 2024 highlighted the increasing importance and challenges of data privacy. Trends like digital transformation, remote work and the proliferation of cloud applications have made the task of protecting sensitive data harder than ever. As the volume and perceived value of data grows, so does the risk of data loss and theft, including by insiders.

Despite these challenges, businesses can't afford missteps when it comes to keeping sensitive data safe. Companies everywhere are under pressure to meet strict data privacy laws that promote data security and data privacy. Noncompliance can be costly. Hefty fines and market loss are common.

Research from our 2023 Voice of the CISO report underscores the risk. One-third of the CISOs who told us that their company suffered a material loss of sensitive data within the past 12 months also reported their business was hit with regulatory sanctions as a result.

In this blog post, we take a closer look at data privacy and how it relates to data security. We also discuss how laws around data privacy are evolving. And we cover how data loss prevention (DLP) and insider threat management (ITM) tools can help you stay on top of your data compliance challenges.

What is data privacy?

Data privacy is about protecting sensitive data that belongs to individuals or entities. This includes personally identifiable information (PII), which can be used to identify an individual or a corporate customer. Examples of PII include names, addresses, Social Security or tax ID numbers, credit card data and dates of birth.

A business that stores or manages this type of information must follow data privacy laws. These laws ensure that data is kept confidential and secure and that it is only used for authorized purposes. They are intended to help a business:
- Protect personal information
- Safeguard critical business data
- Preserve users' autonomy
- Maintain trust with customers and employees

Data privacy is also about trust. The misuse or theft of sensitive data can lead to email fraud, insurance fraud, identity theft and more. So, customers need to trust that the companies they share their private data with will guard it carefully.

An evolving regulatory landscape

Data privacy laws are designed to compel businesses to keep sensitive data safe. Data compliance mandates often require businesses to tell users exactly how their data is used and collected. They may also require companies to notify users when a data breach happens. As noted earlier, not following these laws can result in stiff penalties.

Multiple data privacy laws around the globe govern regulations based on their type, the user's location and other criteria. Some examples include the:
- GDPR in the European Union
- CCPA in the U.S.
- HIPAA in the U.S.
- LGPD in Brazil

Several state governments in the United States are stepping up efforts to enact data privacy laws. California, Colorado, Connecticut, Utah and Virginia enacted comprehensive consumer privacy laws before 2023. Those laws became enforceable last year. In 2023, these states enacted privacy laws:
- Delaware
- Florida
- Indiana
- Iowa
- Montana
- Oregon
- Tennessee
- Texas

As data privacy laws emerge or evolve, the definition of sensitive data may change. For example, GDPR expanded the definition of PII to include data elements like email and IP addresses. That is why it is so important for companies to stay attuned to this ever-changing landscape.

The rise of generative AI sites has also sparked new concerns about data privacy. New laws are likely to be developed soon. The Biden Administration's new executive order will also have an impact on data use in the year ahead.

Why Data Breach Malware Tool Threat Cloud ★★
TechWorm.webp 2024-02-15 20:28:57 Microsoft and OpenAI say hackers are using ChatGPT for cyberattacks
(direct link)
Microsoft and OpenAI have warned that nation-state hackers are weaponizing artificial intelligence (AI) and large language models (LLMs) to enhance their ongoing cyberattacks. According to a study conducted by Microsoft Threat Intelligence in collaboration with OpenAI, the two companies identified and disrupted five state-affiliated actors that sought to use AI services in support of malicious cyber activities. These state-affiliated actors are associated with countries such as Russia, North Korea, Iran and China. The five state-affiliated malicious actors comprised two China-affiliated threat actors known as Charcoal Typhoon (CHROMIUM) and Salmon Typhoon (SODIUM); the Iran-affiliated threat actor known as Crimson Sandstorm (CURIUM); the North Korea-affiliated actor known as Emerald Sleet (THALLIUM); and the Russia-affiliated actor known as Forest Blizzard (STRONTIUM). For example, OpenAI reported that China's Charcoal Typhoon used its services to research various companies and cybersecurity tools, debug code and generate scripts, and create content likely for use in phishing campaigns. Another example is Iran's Crimson Sandstorm, which used LLMs to generate code snippets related to app and web development, generate content likely for spear-phishing campaigns, and get help developing code to evade detection. In addition, Forest Blizzard, the Russian nation-state group, reportedly used OpenAI services mainly for open-source research into satellite communication protocols and radar imaging technology, as well as for support with scripting tasks.
OpenAI said on Wednesday that it had terminated the identified OpenAI accounts associated with state-sponsored hacking actors. These actors generally sought to use OpenAI services to query open-source information, translate, find coding errors and run basic coding tasks, the AI company said. "Language support is a natural feature of LLMs and is attractive for threat actors who continuously focus on social engineering and other techniques relying on false, deceptive communications tailored to their targets' jobs, professional networks and other relationships. Importantly, our research with OpenAI has not identified significant attacks employing the LLMs we monitor closely," reads the new AI security report published by Microsoft on Wednesday in partnership with OpenAI. Fortunately, no significant or novel attacks using LLM technology have yet been detected, according to the company. "Our analysis of the current use of LLM technology by threat actors revealed behaviors consistent with attackers using AI as another productivity tool. Microsoft and OpenAI have not yet observed particularly novel or unique AI-enabled attack or abuse techniques resulting from threat actors' usage of AI," Microsoft noted in its report. To address the threat, Microsoft announced a set of principles shaping its policy and actions to combat the abuse of its AI services by advanced persistent threats (APTs), man Tool Threat Studies ChatGPT ★★
InfoSecurityMag.webp 2024-02-15 11:43:00 Microsoft, OpenAI Confirm Nation-States are Weaponizing Generative AI in Cyber-Attacks
(direct link)
Microsoft and OpenAI found that nation-state groups are using generative AI tools to support cyber campaigns rather than developing novel attack techniques.
Tool ★★
silicon.fr.webp 2024-02-15 10:06:11 Cybersecurity: how "state hackers" use OpenAI's tools (direct link) Hackers affiliated with China, Russia, North Korea and Iran have been identified by OpenAI and Microsoft using AI tools to carry out cyberattacks. Tool ★★
The_State_of_Security.webp 2024-02-15 09:18:45 Rhysida ransomware cracked! Free decryption tool released
(direct link)
Good news for organisations who have fallen victim to the notorious Rhysida ransomware. A group of South Korean security researchers have uncovered a vulnerability in the infamous ransomware. This vulnerability provides a way for encrypted files to be unscrambled. Researchers from Kookmin University describe how they exploited an implementation flaw in Rhysida's code to regenerate its encryption key in a technical paper about their findings. "Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data. However, an...
Ransomware Tool Vulnerability Technical ★★★
Korben.webp 2024-02-15 09:17:59 Surfshark One, the VPN's security toolbox (direct link) — Article in partnership with Surfshark — Hi friends, this morning we're going to look at the complete protection solution from the Surfshark VPN, namely the Surfshark One suite. Because if you don't know it yet, the shark company now offers much more than what … More Tool ★★
RecordedFuture.webp 2024-02-14 21:46:11 House Republicans punt Section 702 renewal... again
(direct link)
The Republican-led House on Wednesday ditched its latest effort to advance legislation to reauthorize a major foreign surveillance tool, the latest reflection of deep divisions among GOP lawmakers. The abrupt decision was made as the House Rules Committee was holding a hearing on a bill to renew Section 702 of the Foreign Intelligence Surveillance Act,
Tool Legislation ★★★
The_Hackers_News.webp 2024-02-14 18:56:00 Ubuntu 'command-not-found' Tool Could Trick Users into Installing Rogue Packages
(direct link)
Cybersecurity researchers have found that it's possible for threat actors to exploit a well-known utility called command-not-found to recommend their own rogue packages and compromise systems running the Ubuntu operating system. "While 'command-not-found' serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the
Tool Threat ★★★
Mandiant.webp 2024-02-14 18:15:00 Riding Dragons: capa Harnesses Ghidra
(direct link)
capa is the FLARE team's open source tool that detects capabilities in executable files. Ghidra is an open source software reverse engineering framework created and maintained by the National Security Agency Research Directorate. With the release of capa v7, we have integrated capa with Ghidra, bringing capa's detection capabilities directly to Ghidra's user interface. With this integration, we hope to positively impact the workflows of Ghidra's large user base by helping Ghidra users quickly identify code that suggests an interesting behavior. We are excited to share this work with the
Tool ★★
CrowdStrike.webp 2024-02-14 15:29:42 CrowdStrike Named the Only Customers' Choice: 2024 Gartner® “Voice of the Customer” for Vulnerability Assessment
(direct link)
It is a common refrain in security circles that “nobody loves their vulnerability management tool.” CrowdStrike may have just proved to be the exception. We are proud to announce that CrowdStrike is the only vendor named a Customers' Choice in the 2024 Gartner “Voice of the Customer” Report for Vulnerability Assessment. In this report, CrowdStrike […]
Tool Vulnerability ★★
bleepingcomputer.webp 2024-02-14 11:00:14 Ubuntu 'command-not-found' tool can be abused to spread malware
(direct link)
A logic flaw between Ubuntu's 'command-not-found' package suggestion system and the snap package repository could enable attackers to promote malicious Linux packages to unsuspecting users. [...]
Malware Tool Vulnerability ★★★
Sekoia.webp 2024-02-14 08:18:09 How Sekoia Endpoint Agent works
(direct link)
According to the Global Cybersecurity Outlook 2024 by the WEF, 29% of organizations reported having been materially affected by a cyber incident in the past 12 months. Because of growing risks and an expanded attack surface, companies are seeking to establish reliable cyber resilience strategies and to identify attack vectors quickly. The right tools to collect and analyze […] The post How Sekoia Endpoint Agent works is an article from Tool ★★
DarkReading.webp 2024-02-13 15:21:51 Islamic Nonprofit Infiltrated for 3 Years With Silent Backdoor
(direct link)
A Saudi Arabian charity was under surveillance with the modified reverse proxy tool, researchers discovered.
Tool ★★★
AlienVault.webp 2024-02-13 11:00:00 APIs and automation: The good, the bad, and the better
(direct link)
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

APIs are often adopted by businesses as a way to automate certain operational tasks. This not only helps to introduce efficiencies, but it also reduces the chance of human error in repetitive, manual actions. But the relationship between APIs and automation doesn’t end there. To streamline the API management process, developers have started automating a variety of tasks in the API lifecycle, from development to production. In this article, we explore where these automations live, how they impact the development process, and what teams need to look out for.

What is API automation?

API automation is the process of automating a variety of tasks associated with designing, building, deploying, testing, and managing APIs. This automated approach lets developers navigate the API lifecycle by using controlled, streamlined processes for repetitive, manual tasks. This enables greater consistency throughout the lifecycle, and can improve the success and reliability of functions like testing (both in development and production) and security. In addition, introducing automation also enables more efficiency in the process, allowing developers to focus more of their efforts on more strategic tasks.

While not all tasks related to APIs can be automated, there are a variety that lend themselves to it quite nicely. These include:
- API documentation: Some tools can automatically generate API documentation based on the code base.
- Code generation: Other tools can automatically create code snippets, using API documentation and specifications as inputs.
- Versioning: Automated processes can facilitate the management of multiple API versions, ensuring that new changes don’t break anything.
- Deployment: Introducing automation into the API deployment process can introduce more consistency and reduce the scope of potential errors.

Tool Vulnerability ★★★
Blog.webp 2024-02-13 03:52:20 Fileless Revenge RAT Malware
(direct link)
AhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of Revenge RAT malware that had been developed based on legitimate tools. It appears that the attackers have used tools such as ‘smtp-validator’ and ‘Email To Sms’. At the time of execution, the malware creates and runs both a legitimate tool and a malicious file, making it difficult for users to realize that a malicious activity has occurred. As shown in the code below, the threat actor creates and runs Setup.exe...
Malware Tool Threat ★★
The_Hackers_News.webp 2024-02-12 18:42:00 Rhysida Ransomware Cracked, Free Decryption Tool Released
(direct link)
Cybersecurity researchers have uncovered an "implementation vulnerability" that has made it possible to reconstruct encryption keys and decrypt data locked by Rhysida ransomware. The findings were published last week by a group of researchers from Kookmin University and the Korea Internet and Security Agency (KISA). "Through a comprehensive analysis of Rhysida Ransomware, we identified an
Ransomware Tool ★★★
The_Hackers_News.webp 2024-02-12 15:30:00 Why Are Compromised Identities the Nightmare to IR Speed and Efficiency?
(direct link)
Incident response (IR) is a race against time. You engage your internal or external team because there's enough evidence that something bad is happening, but you're still blind to the scope, the impact, and the root cause. The common set of IR tools and practices provides IR teams with the ability to discover malicious files and outbound network connections. However, the identity aspect - namely
Tool ★★★
ProofPoint.webp 2024-02-12 08:02:39 4 Steps to Prevent Vendor Email Compromise in Your Supply Chain
(direct link)
Supply chains have become a focal point for cyberattacks in a world where business ecosystems are increasingly connected. Email threats are a significant risk factor, as threat actors are keen to use compromised email accounts to their advantage. Every month, a staggering 80% of Proofpoint customers face attacks that originate from compromised vendor, third-party or supplier email accounts. Known as supplier account compromise, or vendor email compromise, these attacks involve threat actors infiltrating business communications between trusted partners so that they can launch internal and external attacks. Their ultimate goal might be to steal money, steal data, distribute malware or simply cause havoc. In this blog post, we'll explain how vendor emails are compromised and how you can stop these attacks. Finally, we'll tell you how Proofpoint can help.
What's at stake
Supply chain compromise attacks can be costly for businesses. IBM, in its latest Cost of a Data Breach Report, says that the average total cost of a cyberattack that involves supply chain compromise is $4.76 million. That is almost 12% higher than the cost of an incident that doesn't involve the supply chain. In addition to the financial implications, compromised accounts can lead to: phishing scams that result in even more compromised accounts; reputational and brand damage; and complex legal liabilities between business partners.
How does vendor email compromise occur?
Supply chain compromise attacks are highly targeted. They can stretch out over several months. And typically, they are structured as a multistep process. The bad actor initiates the assault by gaining access to the email account of a vendor or supplier through various means. Phishing attacks are one example. Once the attacker gains access, they will lay low for an extended period to observe the vendor's email communications. During this time, the adversary will study the language and context of messages so that they can blend in well and avoid detection. Attackers might also use this observation period to establish persistence. They will create mail rules and infrastructure so that they can continue to receive and send messages even after the vendor has regained control of the account. Once they establish access and persistence, the attackers will begin to insert themselves into conversations within the supplier's company as well as with external partners and customers. By posing as the sender, the attacker takes advantage of established trust between parties to increase their chances of success.
Figure: Overview of a vendor email compromise attack.
Proofpoint has observed a growing trend of attackers targeting accounts within smaller businesses and using them to gain entry into larger companies. Threat actors often assume that small businesses have less protection than large companies. They see them as targets that can help them achieve a bigger payday.
How to stop vendor email compromise
If you want to defend against these attacks, it's critical to understand the methods behind them. Such a formidable problem requires a strategic and multilayered solution. The four broad steps below can help.
Step 1: Know your suppliers
Your first line of defense against these email attacks sounds simple, but it's challenging. It is the ability to intimately “know your supplier” and understand their security strategy. This requires more than a one-time vendor assessment. Your security teams will need to prioritize continuous monitoring of your company's business partnerships. On top of that knowledge, you need a thorough understanding of the access and privileges that your business grants to each vendor. Compromised accounts that have uncontrolled access may be able to exfiltrate sensitive data or upload malware like ransomware. So, when you know what your suppliers can (and can't) access, you can identify a data breach faster. Other steps, like requiring multifactor authentication (MFA) for vendor accounts, can
Ransomware Data Breach Malware Tool Threat Studies Prediction Cloud ★★★
ProofPoint.webp 2024-02-12 07:37:05 Community Alert: Ongoing Malicious Campaign Impacting Azure Cloud Environments
(direct link)
Over the past weeks, Proofpoint researchers have been monitoring an ongoing cloud account takeover campaign impacting dozens of Microsoft Azure environments and compromising hundreds of user accounts, including senior executives. This post serves as a community warning regarding the attack and offers suggestions that affected organizations can implement to protect themselves from it.
What are we seeing?
In late November 2023, Proofpoint researchers detected a new malicious campaign, integrating credential phishing and cloud account takeover (ATO) techniques. As part of this campaign, which is still active, threat actors target users with individualized phishing lures within shared documents. For example, some weaponized documents include embedded links to “View document” which, in turn, redirect users to a malicious phishing webpage upon clicking the URL. Threat actors seemingly direct their focus toward a wide range of individuals holding diverse titles across different organizations, impacting hundreds of users globally. The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers. Individuals holding executive positions such as “Vice President, Operations”, "Chief Financial Officer & Treasurer" and "President & CEO" were also among those targeted. The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions. Following the attack's behavioral patterns and techniques, our threat analysts identified specific indicators of compromise (IOCs) associated with this campaign. Namely, the use of a specific Linux user-agent utilized by attackers during the access phase of the attack chain:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Attackers predominantly utilize this user-agent to access the 'OfficeHome' sign-in application along with unauthorized access to additional native Microsoft365 apps, such as: 'Office365 Shell WCSS-Client' (indicative of browser access to Office365 applications); 'Office 365 Exchange Online' (indicative of post-compromise mailbox abuse, data exfiltration and email threats proliferation); 'My Signins' (used by attackers for MFA manipulation; for more info about this technique, see our recent Cybersecurity Stop of the Month blog); 'My Apps'; and 'My Profile'.
Post compromise risks
Successful initial access often leads to a sequence of unauthorized post-compromise activities, including:
MFA manipulation. Attackers register their own MFA methods to maintain persistent access. We have observed attackers choosing different authentication methods, including the registration of alternative phone numbers for authentication via SMS or phone call. However, in most MFA manipulation instances, attackers preferred to add an authenticator app with notification and code.
Figure: Examples of MFA manipulation events, executed by attackers in a compromised cloud tenant.
Data exfiltration. Attackers access and download sensitive files, including financial assets, internal security protocols, and user credentials.
Internal and external phishing. Mailbox access is leveraged to conduct lateral movement within impacted organizations and to target specific user accounts with personalized phishing threats.
Financial fraud. In an effort to perpetrate financial fraud, internal email messages are dispatched to target Human Resources and Financial departments within affected organizations.
Mailbox rules. Attackers create dedicated obfuscation rules, intended to cover their tracks and erase all evidence of malicious activity from victims' mailboxes.
Figure: Examples of obfuscation mailbox rules created by attackers following successful account takeover.
Operational infrastructure
Our forensic analysis of the attack has surfaced several proxies,
Malware Tool Threat Cloud ★★★
Blog.webp 2024-02-09 17:09:20 A Detailed Guide on Ligolo-Ng
(direct link)
This comprehensive guide delves into the intricacies of Lateral Movement utilizing Ligolo-Ng, a tool developed by Nicolas Chatelain. The Ligolo-Ng tool facilitates the establishment of
Tool ★★
ProofPoint.webp 2024-02-09 06:00:24 Offensive and Defensive: Build Security Awareness with Two Powerful Learning Approaches
(direct link)
“Offensive” security awareness and “defensive” security awareness are two learning approaches that you can use to build a robust security culture in your company. They involve applying different strategies to educate your employees about threats and how they can respond to them safely. You may have heard the terms “offensive cybersecurity” and “defensive cybersecurity.” You use defensive tools and techniques to address security vulnerabilities. And with offensive tools and techniques, you focus on identifying those vulnerabilities before attackers find them first. How do defensive and offensive approaches apply to security awareness? Here's a quick overview: with a defensive approach, users learn the fundamentals of security; with an offensive approach, users learn how to protect themselves and the business against future threats. Let's use a sports analogy here. You can actively learn to be a defensive goalie and block threats. Then, you can take your skills up a level and learn to score points with protective techniques. With Proofpoint Security Awareness, our industry-leading threat intelligence informs both approaches. We help people learn how to defend against current threats. And we give them the tools for taking offensive action against future threats.
Video: Live-action series about Insider Threats.
Defensive security awareness: set the foundation
We all have to start with the basics, right? With defensive security awareness, you teach people the fundamentals of security and set the stage for safe behavior. This training is often reactive. It enables people to respond to immediate threats and incidents as they arise. At Proofpoint, we believe in using behavioral science methodologies, like adaptive learning and contextual nudges. We combine this with a threat-driven approach, weaving trend analysis and insights about recent security breaches into our training.
A personalized adaptive framework
The adaptive learning framework is a personalized defensive approach to training. It recognizes that everyone learns differently; it is the opposite of a one-size-fits-all approach. You can teach security fundamentals in a way that is meaningful for each person based on what they know, what they might do and what they believe. This framework lets you drive behavior change with education that is tailored to each person's needs. That can include their professional role, industry, content style and native language. The learner can engage with a wide variety of styles and materials. And each training is tied to a specific learning objective. Adaptive learning recognizes that people learn best in short bursts that are spread over time. Our microlearning video modules are under three minutes, and our nano-learning videos are under one minute. These formats give people the flexibility to learn at their own pace. For instance, our “You're Now a Little Wiser” nano series offers bite-size training on topics such as data protection to help users learn about specific threats.
Figure: Screenshots from a one-minute nano-learning video.
Contextual nudges and positive reinforcement
Training is essential if you want to build a robust security culture. But it is not enough to change behavior fully. Here is where contextual nudges play a vital role in helping to reinforce positive behavior habits once they are formed. These deliberate interventions are designed to shape how people behave. Nudges are rooted in a deep understanding of human behavior. They can move people toward making better decisions, often without them realizing it. They are gentle reminders that can guide people toward creating optimal outcomes. That, in turn, helps to foster a defensive security-conscious culture in your company. It is important to find the respectful balance of nudging people toward secure behaviors without being too intrusive or complex. For example, when a user fails a phishing simulation exercise, Proofpoint Security Awareness offers “Tea
Ransomware Malware Tool Vulnerability Threat Prediction ★★★
DarkReading.webp 2024-02-08 21:14:16 'Coyote' Malware Begins Its Hunt, Preying on 61 Banking Apps
(direct link)
Brazil, the world's center for banking Trojan malware, has produced one of its most advanced tools yet. And as history shows, Coyote may soon expand its territory.
Malware Tool ★★★
RiskIQ.webp 2024-02-08 20:42:07 The Nine Lives of Commando Cat: Analysing a Novel Malware Campaign Targeting Docker
(direct link)
#### Description Cado researchers have discovered a new malware campaign called "Commando Cat" that targets exposed Docker API endpoints. The campaign is a cryptojacking campaign that leverages Docker as an initial access vector and mounts the host's filesystem before running a series of interdependent payloads directly on the host. The payloads are delivered to exposed Docker API instances over the internet. The attacker instructs Docker to pull down a Docker image called cmd.cat/chattr. The cmd.cat project "generates Docker images on-demand with all the commands you need and simply point them by name in the docker run command." It is likely used by the attacker to seem like a benign tool and not arouse suspicion. The attacker then creates the container with a custom command to execute. The primary purpose of the user.sh payload is to create a backdoor in the system by adding an SSH key to the root account, as well as adding a user with an attacker-known password. The tshd.sh script is responsible for deploying TinyShell (tsh), an open-source Unix backdoor written in C. The gsc.sh script is responsible for deploying a backdoor called gs-netcat, a souped-up version of netcat that can punch through NAT and firewalls. The aws.sh script is a credential grabber that pulls credentials from a number of files on disk, as well as IMDS, and environment variables. The final payload is delivered as a base64 encoded script rather than in the traditional curl-into-bash method used previously by the malware. This base64 is echoed into base64 -d, and then piped into bash.
#### Reference URL(s) 1. https://www.cadosecurity.com/the-nine-lives-of-commando-cat-analysing-a-novel-malware-campaign-targeting-docker/
#### Publication Date February 1, 2024
#### Author(s) Nate Bill, Matt Muir
Malware Tool ★★★
The_State_of_Security.webp 2024-02-08 08:06:33 Surge in deepfake "Face Swap" attacks puts remote identity verification at risk
(direct link)
New research shows a 704% increase in deepfake "face swap" attacks from the first to the second half of 2023. A report from biometric firm iProov warns that "face-swapping" fraudsters are increasingly using off-the-shelf tools to create manipulated images and videos. iProov's analysts are tracking over 100 face swap apps and repositories, meaning that there is a wide selection of low-cost, easily accessible generative AI tools that can create highly convincing deepfakes to trick humans and some remote identity verification solutions that do a "liveness" test. A "liveness" test will typically...
Tool ★★
TechWorm.webp 2024-02-08 00:00:33 iPhone Owners Targeted By Government Hackers, Says Google
(direct link)
Google's Threat Analysis Group (TAG) revealed on Tuesday that government hackers were targeting iPhone users with zero-day vulnerabilities, in particular those considered “high-risk” users, such as journalists, human rights defenders, dissidents and opposition party politicians. On Tuesday, Google published “Buying Spying”, an in-depth report detailing commercial surveillance vendors (CSVs). In the report, the search giant called on the United States and other governments to take stricter measures against spyware sales and the misuse of surveillance tools. “These capabilities have grown the demand for spyware technology, making way for a lucrative industry used to sell governments and nefarious actors the ability to exploit vulnerabilities in consumer devices,” the TAG report states. “While the use of spyware typically affects a small number of human targets at a time, its wider impact ripples across society by contributing to growing threats to free speech, the free press and the integrity of elections worldwide.” Google's TAG, the company's team that examines nation-state-backed hacking, detailed in its report how it actively tracks around 40 CSVs of varying levels of sophistication and public exposure, which develop, sell and deploy spyware. It also sheds light on several government-led cyber campaigns that used hacking tools developed by spyware and exploit vendors, notably Barcelona-based Variston, a surveillance and hacking technology start-up.
In one of the campaigns, according to Google, government agents took advantage of three unidentified iPhone “zero-day” vulnerabilities that were not known to Apple at the time to exploit the Cupertino giant's iPhone operating system. The spyware in question, developed by Variston, was analyzed twice by Google, in 2022 and 2023, indicating the company's growing prominence in the surveillance technology sector. Google said it discovered the unknown Variston customer using these zero-days to target iPhones in Indonesia in March 2023. The hackers delivered an SMS containing a malicious link that infected the target's phone with spyware, then redirected the victim to a news article from the Indonesian newspaper Pikiran Rakyat. In this case, Google did not reveal the identity of Variston's government customer. The company specifically called out certain CSVs, including the Israeli company NSO, which developed the notorious Pegasus spyware that has become a global threat to human rights defenders. Other companies named in the report that develop spyware include the Italian firms Cy4Gate and RCS Labs, the Greek company Intellexa, the relatively new Italian company Negg Group and Spain's Variston. “We hope this report will serve as a call to action. As long as there is demand from governments to purchase commercial surveillance technology, CSVs will continue to develop and sell spyware,” the TAG report states. “We believe it is time for government, industry and civil society to come together to change the incentive structure that has allowed these technologies to spread so widely,” the group added.
Tool Vulnerability Threat Mobile Commercial ★★★
The_Hackers_News.webp 2024-02-07 15:15:00 Global Coalition and Tech Giants Unite Against Commercial Spyware Abuse
(direct link)
A coalition of dozens of countries, including France, the U.K., and the U.S., along with tech companies such as Google, MDSec, Meta, and Microsoft, have signed a joint agreement to curb the abuse of commercial spyware to commit human rights abuses. The initiative, dubbed the Pall Mall Process, aims to tackle the proliferation and irresponsible use of commercial cyber intrusion tools by
Tool Commercial ★★
AlienVault.webp 2024-02-07 11:00:00 The Covert Art of Steganography
(direct link)
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. In cybersecurity, where information is both an asset and a potential target, various techniques are used to secure data and communications. One such covert art is steganography, which hides information within seemingly innocuous files to avoid detection. This article dives into the fascinating world of steganography, its history, techniques, and applications in the digital age.
Understanding steganography
Steganography, derived from the Greek words "steganos" (meaning covered) and "graphy" (meaning writing), is the art of concealing information within other data in a way that is not easily noticeable. Unlike cryptography, which seeks to make information unreadable, steganography aims to hide the existence of the information itself.
Historical roots
Steganography can be traced back to ancient times when people sought secure means of communication. Tattooing messages on shaved heads was one of the earliest recorded uses, allowing messengers to transmit information undetected. Another historical example is using invisible ink to write hidden messages during wartime.
Digital steganography
Steganography has evolved into a sophisticated practice in the digital age, utilizing the vast amounts of data exchanged on the internet. Digital steganography is the process of hiding information within digital media, such as images, audio files, and even executable files. The goal is to render the hidden data invisible to both human observers and automated tools.
Digital steganography techniques
Image steganography:
Tool Threat ★★
globalsecuritymag.webp 2024-02-07 10:23:12 Mindgard launched Mindgard's AI Security Lab
(direct link)
Mindgard's free tool lifts the lid on unknown and undetected AI cyber risks
• Mindgard's AI Security Labs automates AI security testing and threat assessments that currently go undetected by organisations due to lack of skills, time and money
• At zero cost, AI Security Labs enables cyber security assessments of a range of attacks against AI, LLMs, and GenAI.
• Demonstrates the potential AI security risks that AI presents to an organisation
• Assists engineers to learn more about AI security
- Special Reports
Tool Threat ★★
ProofPoint.webp 2024-02-07 05:00:39 Cybersecurity Stop of the Month: Preventing Supply Chain Compromise
(direct link)
This blog post is part of a monthly series, Cybersecurity Stop of the Month, which explores the ever-evolving tactics of today's cybercriminals. It focuses on the critical first three steps in the attack chain in the context of email threats. Its goal is to help you understand how to fortify your defenses to protect people and defend data against emerging threats in today's dynamic threat landscape.
Figure: The critical first three steps of the attack chain: reconnaissance, initial compromise and persistence.
So far in this series, we have examined these types of attacks: business email compromise (BEC) and supply chain attacks; EvilProxy; SocGholish; eSignature phishing; QR code phishing; telephone-oriented attack delivery (TOAD); payroll diversion; and MFA manipulation. In this post, we look at supply chain compromise, which is a form of BEC. Supply chain compromise is not a new form of BEC, but we are seeing a rise in these attacks. The example in this blog post is one that Proofpoint recently detected. A law firm with 2,000 users was the intended target. In our discussion, we cover the typical attack sequence of a supply chain compromise to help you understand how it unfolds. And we explain how Proofpoint uses multiple signals to detect and prevent these threats for our customers.
Background
Supply chain attacks are growing in popularity and sophistication at a rapid pace. TechCrunch reports that the largest supply chain compromise in 2023 cost the impacted businesses more than $9.9 billion. That incident had a direct impact on more than 1,000 businesses and over 60 million people. In these attacks, a bad actor targets a company by compromising the security of its suppliers, vendors and other third parties within its supply chain. Instead of launching a direct attack on the target company's systems, networks or employees, an attacker infiltrates a trusted entity within the supply chain, thereby exploiting the entity's trust and access vis-à-vis the target. Attackers know that enterprises with mature supply chains tend to have stronger cybersecurity defenses, which makes them challenging targets. So, rather than trying to break into “Fort Knox” through the front door, they will target the ventilation system. Bad actors often use thread hijacking, also known as conversation hijacking, in these attacks. They target specific email accounts and compromise them so that they can spy on users' conversations. When the time is right, they will insert themselves into a business email conversation based on the information they have gathered from the compromised email accounts or other sources. Sometimes, the attacker will be bold enough to initiate new conversations. Thread hijacking attacks, like other BEC campaigns, don't often carry malicious payloads like attachments or URLs. Thread hijacking is also a targeted attack, so bad actors will often use a lookalike domain. (A lookalike domain is a website URL that closely resembles the address of a legitimate and well-known domain, often with slight variations in spelling, characters or domain extensions.) This potent combination (the lack of an active payload and the use of a lookalike domain) makes it difficult for simple, API-based email security solutions to detect and remediate these types of attacks.
The scenario
Proofpoint recently detected a threat actor account that was impersonating an accounts receivable employee at a small financial services company in Florida. Through this impersonation, the adversary launched a supply chain attack on their intended target, a large law firm in Boston. They sent an impersonating message to the law firm's controller asking them to halt a requested payment and change the payment information to another account. Unlike API-based email security solutions that only support post-delivery remediation, Proofpoint detected and blocked the impersonating messages before they reached the controller's inbox. As a result, the law fir
Tool Threat ★★
ProofPoint.webp 2024-02-07 05:00:33 Protecting Your Paths, Part 2: Understanding Your Identity Blast Radius
(direct link)
Welcome to the second part of our blog series on using attack path management (APM) to secure your network. In our first post, we examined the importance of using APM to identify and remediate identity-centric attack paths before attackers exploit them. We also emphasized that the compromise of tier-zero assets (aka the “IT crown jewels”) is a top objective for attackers. Attack path management (APM) is a process by which you discover all the existing paths that an attacker can exploit to reach tier-zero assets within your environment. APM plays a pivotal role in helping security teams pinpoint vulnerable identities. It provides a holistic view of the available attack paths that an attacker could use to move laterally in the quest to reach your IT crown jewels. In this blog, we introduce a crucial APM concept known as the identity blast radius. We explore the use cases for this view. And we highlight how it is similar to but distinct from the attack path view.
What you can learn from identity blast radius analysis
An identity blast radius represents the potential impact of an attacker who is moving laterally using a compromised identity. It presents how the compromise of one particular identity can help an attacker reach other identities or assets in the network. Discovering the identity blast radius before attackers do is essential to prevent a minor compromise from turning into a major security incident. To see how this works, it's helpful to visualize it. Below is an illustration of the vulnerabilities related to a user named Brian Rivera. It's just one example of how attackers can abuse Active Directory ACLs.
Figure: Example view of an identity blast radius.
In the blast radius view above, the subject identity for Brian Rivera serves as the “tree root” of the view. Branching off the tree root are all the assets and privileges that that specific user can invoke. These include:
Stored credentials. If an attacker compromises hosts where Brian's Remote Desktop Protocol (RDP) credentials are stored, they can use those credentials to move laterally to the indicated hosts.
Active Directory ACL assignments. An attacker that compromises Brian's identity can use his GenericWrite permission in Active Directory to gain code execution with elevated privileges on a remote computer, delete files and data, and introduce malicious files or code on the flagged targets.
Identity blast radius use cases
The identity blast radius view supports powerful use cases that support attack path analysis, including:
Post-compromise analysis. After an attacker gets control of an identity, the blast radius view can help you identify other identities and assets that are vulnerable to lateral movement or other malicious actions.
What-if analysis. Your security teams can use the identity blast radius view to assess the potential impact of an attack on high-value targets like your chief financial officer or a senior IT administrator. With that insight, they can apply other compensating controls.
Changes in access privileges. It can also help you identify the potential impact of changes in access privileges. These often occur when employees move between roles. You can use this insight to ensure that an employee's access is properly managed. This can prevent an excessive accumulation of privileges.
Assets vs. identities: Differences between tier-zero asset views and identity blast radius views
The figure below shows how the tier-zero asset view illustrates paths that ascend from different entities to the tier-zero asset root. In contrast, the identity blast radius view positions the subject identity as the tree root. Paths extend downward to various entities that are reachable through diverse relations like Active Directory ACL assignments or stored credentials.
Figure: Comparison of the tier-zero assets view versus the identity blast radius view.
These two views offer different perspectives. But both are powerful tools to help you visualize identity-related vulnerabilities. These i
Tool Vulnerability Threat ★★★
DarkReading.webp 2024-02-06 20:08:17 World Govs, Tech Giants Sign Spyware Responsibility Pledge
(direct link)
France, the UK, the US, and others will work on a framework for the responsible use of tools like NSO Group's Pegasus, and the Shadowserver Foundation gains a £1 million investment.
Tool ★★★
RecordedFuture.webp 2024-02-06 19:39:29 AnyDesk says software 'safe to use' after cyberattack
(direct link)
Popular remote monitoring and management software company AnyDesk said all versions of its tool obtained from “official sources” are safe to use following a cyberattack that caused days of outages and concern among users. The cyberattack affected servers in Spain and Portugal but nowhere else, AnyDesk said. The company confirmed last Friday that a four-day
Tool ★★★
TechRepublic.webp 2024-02-06 17:51:33 Top 7 Cyber Threat Hunting Tools for 2024
(direct link)
Here are the top cyber threat hunting tools that can enhance your organization's cybersecurity defenses. Learn how their features compare.
Tool Threat ★★★
Pirate.webp 2024-02-06 15:42:30 LockSelf unveils a new dashboard dedicated to CISOs!
(direct link)
Rolled out progressively and presented at FIC last April, the LockSelf Dashboard is now an integral part of the cyber management tooling of organizations that use the LockSelf suite. A look back at its specifics and key features! Tool ★★
RecordedFuture.webp 2024-02-06 14:30:47 Google: Half of all zero-days used against our products are developed by spyware vendors
(direct link)
Google said Tuesday that it is tracking at least 40 companies involved in the creation of spyware and other hacking tools that are sold to governments and deployed against “high risk” users, including journalists, human rights defenders and dissidents. The vendors, which have developed dozens of tools and tricks to break into phones, laptops,
Tool ★★★★
DarkReading.webp 2024-02-06 14:00:00 Microsoft Azure HDInsight Bugs Expose Big Data to Breaches
(direct link)
Security holes in a big data tool could lead to big data compromise.
Tool ★★★
Securonix.webp 2024-02-06 11:00:33 70% of Organizations Feel Unprepared and How Advanced Technologies Can Help
(direct link)
Over 70% of respondents from organizations feel that they lack the right tools to protect their sensitive information and systems from insider threats. These statistics are not just alarming; they are a call for a deeper understanding of, and a strategic response to, an often overlooked aspect of cybersecurity.
Tool ★★
AlienVault.webp 2024-02-06 11:00:00 AI in Cybersecurity: 8 use cases that you need to know
(direct link)
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

Cybercriminals live on the cutting edge of technology, and nothing fits the label more than artificial intelligence. It helps them design sophisticated, evolving malware, pose as higher-ups, and even successfully imitate biometrics like one's voice. The use of AI in cyber security has developed as a natural response to these new and unpredictable challenges. How are cyber security experts using artificial intelligence to thwart the bad guys? The following eight use cases will tell you all you need to know.

1. Threat prevention and preemption

It's not uncommon for businesses and organizations to be under persistent attack. Cyber threats can burrow deep into their networks and spread chaos for months before detection. Since AI models have large datasets of past behaviors to draw on, they can spot anomalous behavior far more quickly. Preventing attacks before deployment is among cyber security's most desirable goals. If you have the right information, it can become a reality. For example, a cybersecurity team can use a proxy network to regularly scrape the contents of forums and other sites dedicated to hacking. They may then act on the gathered info and meet future attacks head-on.

2. Timely incident response

Not even an AI-enhanced cybersecurity framework can stop all incoming attacks. Someone might connect an unsanctioned device, or an update might contain malicious code. Either way, a robust cyber security AI can respond to such incidents promptly, blocking or deleting the offending actors.

3. Data protection

Data is the basis on which modern economies operate. Whether you obtain it through a web scraping API, surveys, as part of your day-to-day operations, etc., the data you collect needs powerful safeguards. AI can help by classifying and automatically encrypting it. Access control is another process you can automate, as is compliance with data protection laws like the GDPR.
Spam Malware Tool Threat ★★
ProofPoint.webp 2024-02-06 05:00:20 How Do Cybercriminals Escalate Privilege and Move Laterally?
(direct link)
If you want to understand how cybercriminals cause business-impacting security breaches, the attack chain is a great place to start. The eight steps of this chain generalize how a breach progresses from start to finish. The most impactful breaches typically follow this pattern:

Steps in the attack chain.

In this blog post, we will simplify the eight steps of an attack into three stages: the beginning, middle and end. Our focus here will primarily be on the middle stage (info gathering, privilege escalation and lateral movement), which is often the most challenging part of the attack chain to see and understand.

The middle steps are often unfamiliar territory, except for the most highly specialized security practitioners. This lack of familiarity has contributed to significant underinvestment in the security controls required to address attacks at this stage.

But before we delve into our discussion of the middle, let's address the easiest stages to understand: the beginning and the end.

The beginning of the attack chain

A cyberattack has to start somewhere. At this stage, a cybercriminal gains an initial foothold into a target's IT environment. How do they do this? Mainly through phishing. A variety of tactics are used here, including:

Stealing a valid user's login credentials
Luring a user into installing malicious software, such as Remote Access Trojans (RATs)
Calling the company's help desk to socially engineer it into granting the attacker control over a user's account

Much ink has been spilled about these initial compromise techniques. This is why, in part, the level of awareness and understanding of this first stage among security and non-security people is so high. It is fair to say that most people (IT, security and everyday users) have personally experienced attempts at initial compromise. Who hasn't received a phishing email?

A great deal of investment goes into security tools and user training to stop the initial compromise. Think of all the security technologies that exist for that purpose. The list is very long.

The end of the attack chain

Similarly, the level of awareness and understanding is also very high around what happens at the end of the attack chain. As a result, many security controls and best practices have also been focused here.

Everyone (IT, security and even everyday users) understands the negative impacts of data exfiltration or business systems getting encrypted by ransomware attackers. Stories of stolen data and ransomed systems are in the news almost daily.

Now, what about the middle?

The middle is where an attacker attempts to move from the initially compromised account(s) or system(s) to more critical business systems where the data that's worth exfiltrating or ransoming is stored.

To most people, other than red teamers, pen testers and cybercriminals, the middle of the attack chain is abstract and unfamiliar. After all, regular users don't attempt to escalate their privileges and move laterally on their enterprise network!

These three stages make up the middle of the attack chain:

Information gathering. This includes network scanning and enumeration.
Privilege escalation. During this step, attackers go after identities that have successively higher IT system privileges. Or they escalate the privilege of the account that they currently control.
Lateral movement. Here, they hop from one host to another on the way to the “crown jewel” IT systems.

Steps in the middle of the attack chain.

Relatively few IT or security folks have experience with or a deep understanding of the middle of the attack chain. There are several good reasons for this:

Most security professionals are neither red teamers, pen testers, nor cybercriminals.
The middle stages are “quiet,” unlike initial compromise-focused phishing attacks or successful ransomware attacks, which are very “loud” by comparison.
Unlike the front and back end of the attack chain, there has been little coverage about how these steps
Ransomware Malware Tool Vulnerability Threat ★★★
The_State_of_Security.webp 2024-02-06 01:52:22 Security Risks of Kubernetes Helm Charts and What to Do About Them
(direct link)
Kubernetes has emerged as the leading platform for orchestrating containerized applications. However, developers and administrators rely on an ecosystem of tools and platforms that have emerged around Kubernetes. One of these tools is Helm, a package manager that simplifies Kubernetes deployments. However, with the convenience and efficiency Helm offers, it also introduces significant security risks. This article explores the risks associated with Kubernetes Helm charts and provides actionable strategies to mitigate potential vulnerabilities. Understanding and addressing these security...
Tool Vulnerability ★★
RecordedFuture.webp 2024-02-05 23:00:35 Britain and France assemble diplomats for international agreement on spyware
(direct link)
The United Kingdom and France are to jointly host a diplomatic conference at Lancaster House in London this week to launch a new international agreement addressing “the proliferation of commercial cyber intrusion tools.” According to the Foreign Office, 35 nations will be represented at the conference, alongside “big tech leaders, legal experts, and human rights
Tool Conference Commercial ★★
RiskIQ.webp 2024-02-05 21:31:30 VajraSpy: A Patchwork of Espionage Apps
(direct link)
#### Description
ESET researchers have discovered a new cyber espionage campaign that uses twelve Android apps carrying VajraSpy, a remote access trojan (RAT) used by the Patchwork APT group. Six of the apps were available on Google Play, and six were found on VirusTotal. The apps were advertised as messaging tools, and one posed as a news app. VajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled with its code. It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls, and take pictures with the camera. The campaign targeted users mostly in Pakistan, and the threat actors likely used targeted honey-trap romance scams to lure their victims into installing the malware.
#### Reference URL(s)
1. https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/
#### Publication Date
February 1, 2024
#### Author(s)
Lukas Stefanko
Malware Tool Threat Mobile ★★★
The_Hackers_News.webp 2024-02-05 16:42:00 Hands-On Review: SASE-based XDR from Cato Networks
(direct link)
Companies are engaged in a seemingly endless cat-and-mouse game when it comes to cybersecurity and cyber threats. As organizations put up one defensive block after another, malicious actors kick their game up a notch to get around those blocks. Part of the challenge is to coordinate the defensive abilities of disparate security tools, even as organizations have limited resources and a dearth of
Tool ★★★
globalsecuritymag.webp 2024-02-05 15:08:59 Metomic Launches ChatGPT Integration
(direct link)
Metomic Launches ChatGPT Integration To Help Businesses Take Full Advantage Of The Generative AI Tool Without Putting Sensitive Data At Risk. Metomic for ChatGPT enables security leaders to boost productivity while monitoring data being uploaded to OpenAI's ChatGPT platform in real time. - Product Reviews
Tool ChatGPT ★★
Last update at: 2024-06-25 06:08:12