What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
bleepingcomputer.webp 2023-01-27 11:00:12 PlugX malware hides on USB devices to infect new Windows hosts (direct link) Security researchers have analyzed a variant of the PlugX malware that can hide malicious files on removable USB devices and then infect the Windows hosts they connect to. [...] Malware ★★★
Mandiant.webp 2023-01-26 15:00:00 Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations (direct link) Since January 2021, Mandiant Managed Defense has consistently responded to GOOTLOADER infections. Threat actors cast a widespread net when spreading GOOTLOADER and impact a wide range of industry verticals and geographic regions. We currently only attribute GOOTLOADER malware and infrastructure to a group we track as UNC2565, and we believe it to be exclusive to this group. Beginning in 2022, UNC2565 began incorporating notable changes to the tactics, techniques, and procedures (TTPs) used in its operations. These changes include the use of multiple variations of the FONELAUNCH launcher Malware Threat ★★★
The_Hackers_News.webp 2023-01-26 11:31:00 PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration (direct link) Cybersecurity researchers have unearthed a new Python-based attack campaign that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems since at least August 2022. "This malware is unique in its utilization of WebSockets to avoid detection and for both command-and-control (C2) communication and exfiltration," Securonix said in a report shared with The Hacker Malware ★★
securityintelligence.webp 2023-01-25 17:30:00 Kronos Malware Reemerges with Increased Functionality (direct link) The Evolution of Kronos Malware: The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve, and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos […] Malware ★★
RecordedFuture.webp 2023-01-25 17:12:26 North Korean hackers use fake job offers, salary bumps as lure for crypto theft (direct link) Hackers connected to the North Korean military used a variety of new phishing methods in 2022 to steal cryptocurrency, according to a new report from Proofpoint. The hackers bombarded people with emails about fake job opportunities at prestigious firms or fictitious salary increases as a way to get people to open emails carrying malware that [… Malware ★★
knowbe4.webp 2023-01-25 15:50:54 [Security Masterminds] Breaking It Down to Bits & Bytes: Analyzing Malware To Understand the Cybercriminal (direct link) In our latest episode of Security Masterminds, we have the pleasure of interviewing Roger Grimes, Data-Driven Defense Evangelist for KnowBe4, who has held various roles throughout his career. In the episode, Roger discusses his early days of malware disassembly, the trials and tribulations of public speaking, and his magnum opus, his book about data-driven defense. Malware ★★
bleepingcomputer.webp 2023-01-25 13:00:10 Malware exploited critical Realtek SDK bug in millions of attacks (direct link) Hackers have leveraged a critical remote code execution vulnerability in Realtek Jungle SDK in 134 million attacks trying to infect smart devices in the second half of 2022. [...] Malware Vulnerability ★★
CSO.webp 2023-01-25 11:06:00 Attackers move away from Office macros to LNK files for malware delivery (direct link) For years attackers have used Office documents with malicious macros as one of the primary methods of infecting computers with malware. Microsoft finally took steps to disable such scripts by default in documents downloaded from the internet, forcing many groups to change tactics and increasingly choose LNK (shortcut) files as a delivery mechanism. This trend has led to the creation of paid tools and services dedicated to building malicious LNK files. Some of these builders include MLNK Builder, Quantum Builder, Macropack, LNKUp, Lnk2pwn, SharPersist, and RustLnkBuilder, but their use can provide opportunities for easier detection by security products. Malware Prediction
AlienVault.webp 2023-01-25 11:00:00 (Déjà vu) 12 ways to improve your website security (direct link) The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. In today's digital age, a business website is essential for success. Not only does it provide potential customers with information about your products or services, but it also allows you to connect and engage with them directly. However, simply having a website is not enough. To ensure that your site is effective and safe, you need to make sure that it has all the necessary security features. In this article, we will discuss twelve security features that every business website must have. 1. Enable auto-update for plugins and software One of the simplest but most effective security measures you can take, especially if you're looking to protect your WordPress site, is to ensure that all your plugins and software are up to date. Outdated software is one of the most common ways that attackers gain access to websites. By keeping everything up to date, you can help to prevent vulnerabilities from being exploited. You can usually enable auto-updates for most plugins and software from within their settings menu. For WordPress sites, there is also a plugin called Easy Updates Manager that can help you to keep everything up to date with ease. 2. Have a strong password policy A strong password policy is the first step to protecting your website from malicious actors. By requiring strong and unique passwords, you can make it significantly more difficult for attackers to gain access to your site. You need to ensure that your website's backend is well protected and that only authorized users have access. To do this, you should consider using a password manager to generate and store strong passwords for your site. You should not be using the same password for multiple sites. 3. Use two-factor authentication Two-factor authentication (2FA) is an important security measure that you should consider implementing for your website. 2FA adds an extra layer of security by requiring users to provide two pieces of information before they can access your site. This could include a password and a one-time code that is generated by an app on your phone. 2FA can help to prevent attackers from gaining access to your site, even if they have your password. 4. Use a secure socket layer (SSL) certificate An SSL certificate is a must-have for any website that wants to protect its users' information. SSL encrypts the communications between your website and your users' web browsers. This means that even if an attacker was able to intercept the communication, they would not be able to read it. SSL also provides authentication, which means you can be sure that your users are communicating with the intended website and not a fake site set up by an attacker. Increasingly, having things like HTTPS and an SSL certificate are part of Google's ranking metrics and will help your website's SEO. If you aren't trying to protect your visitors and users (the people who give you their sensitive credit card information), they may take their business elsewhere. 5. Use a web application firewall (WAF) A web application firewall (WAF) is a piece of software that sits between your website and the internet. It filters traffic to your site and blocks any requests that it considers to be malicious. WAFs can be very effective at stopping attacks such as SQL injection (SQLi) and cross-site scripting (XSS). 6. Use intrusion detection and prevention systems (IDPS) Intrusion detection and prevention systems (IDPS) are designed to detect and prevent attacks on your website. IDPS systems can be either host-based or network-based. Host-based IDPSs are installed on the servers that host your website. They monitor traffic to and from the server and can Malware Threat ★★★★
bleepingcomputer.webp 2023-01-25 09:53:14 New stealthy Python RAT malware targets Windows in attacks (direct link) A new Python-based malware has been spotted in the wild featuring remote access trojan (RAT) capabilities to give its operators control over the breached systems. [...] Malware ★★
The_Hackers_News.webp 2023-01-24 20:07:00 Chinese Hackers Utilize Golang Malware in DragonSpark Attacks to Evade Detection (direct link) Organizations in East Asia are being targeted by a likely Chinese-speaking actor dubbed DragonSpark while employing uncommon tactics to go past security layers. "The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation," SentinelOne said in an analysis published today. A striking Malware ★★
Chercheur.webp 2023-01-24 19:00:32 Administrator of RSOCKS Proxy Botnet Pleads Guilty (direct link) Denis Emelyantsev, a 36-year-old Russian man accused of running a massive botnet called RSOCKS that stitched malware into millions of devices worldwide, pleaded guilty to two counts of computer crime violations in a California courtroom this week. The plea comes just months after Emelyantsev was extradited from Bulgaria, where he told investigators, "America is looking for me because I have enormous information and they need it." Malware Guideline ★★
The_Hackers_News.webp 2023-01-24 16:33:00 Emotet Malware Makes a Comeback with New Evasion Techniques (direct link) The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. Emotet, which officially reemerged in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that's distributed via Malware Threat ★★★★
Anomali.webp 2023-01-24 16:30:00 Anomali Cyber Watch: Roaming Mantis Changes DNS on Wi-Fi Routers, Hook Android Banking Trojan Has Device Take-Over Capabilities, Ke3chang Targeted Iran with Updated Turian Backdoor (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Banking trojans, DNS hijacking, China, Infostealers, Malvertising, Phishing, and Smishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Roaming Mantis Implements New DNS Changer in Its Malicious Mobile App in 2022 (published: January 19, 2023) In December 2022, a financially-motivated group dubbed Roaming Mantis (Shaoye) continued targeting mobile users with malicious landing pages. iOS users were redirected to phishing pages, while Android users were provided with malicious APK files detected as XLoader (Wroba, Moqhao). Japan, Austria, France, and Germany were the most targeted for XLoader downloads (in that order). All but one targeted country had smishing as an initial vector. In South Korea, Roaming Mantis implemented a new DNS changer function. XLoader-infected Android devices were targeting specific Wi-Fi routers used mostly in South Korea. The malware would compromise routers with default credentials and change the DNS settings to serve malicious landing pages from legitimate domains. Analyst Comment: The XLoader DNS changer function is especially dangerous in the context of free/public Wi-Fi that serves many devices. Install anti-virus software for your mobile device. Users should be cautious when receiving messages with a link or unwarranted prompts to install software. MITRE ATT&CK: [MITRE ATT&CK] T1078.001 - Valid Accounts: Default Accounts | [MITRE ATT&CK] T1584 - Compromise Infrastructure Tags: actor:Roaming Mantis, actor:Shaoye, file-type:APK, detection:Wroba, detection:Moqhao, detection:XLoader, malware-type:Trojan-Dropper, DNS changer, Wi-Fi routers, ipTIME, EFM Networks, Title router, DNS hijacking, Malicious app, Smishing, South Korea, target-country:KR, Japan, target-country:JP, Austria, target-country:AT, France, target-country:FR, Germany, target-country:DE, VK, Mobile, Android. Hook: a New Ermac Fork with RAT Capabilities (published: January 19, 2023) ThreatFabric researchers analyzed a new Android banking trojan named Hook. It is a rebranded development of the Ermac malware that was based on the Android banker Cerberus. Hook added new capabilities in targeting banking and cryptocurrency-related applications. The malware also added the capabilities of a remote access trojan and spyware. Its device take-over capabilities include being able to remotely view and interact with the screen of the infected device, manipulate files on the device's file system, simulate clicks, fill text boxes, and perform gestures. Hook can start the social messaging application WhatsApp, extract all the messages present, and send new ones. Analyst Comment: Users should take their mobile device security seriously whether they use it for social messaging or actually provide access to their banking accounts and/or cryptocurrency holdings. Similar to its predecessors, Hook will likely be used by many threat actors (malware-as-a-service model). This means the need to protect from a wide range of attacks: smishing, prompts to install malicious apps, excessive Malware Tool Threat Guideline APT 15 APT 25 ★★★
InfoSecurityMag.webp 2023-01-24 16:00:00 Microsoft to Block Excel XLL Add-Ins to Stop Malware Delivery (direct link) The tech giant confirmed it intends to implement these plans by March 2023 Malware
globalsecuritymag.webp 2023-01-24 15:49:01 Microsoft OneNote phishing technique, from Matt Aldridge, OpenText (direct link) Earlier today, news broke that some hackers are now using OneNote attachments to spread malware. Please find the full story here: Microsoft OneNote attachments are being used to spread malware. The story focuses on phishing emails which include OneNote files carrying malicious VBS files. When released, these communicate with the target's C2 server and download malware on to the computer. Commentary from Matt Aldridge, Principal Solutions Consultant at OpenText Security Solutions, on what this means for the industry and how business leaders can mitigate cyber risks in the ever-changing cyber landscape. - Opinion Malware Guideline ★★
globalsecuritymag.webp 2023-01-24 13:17:08 DragonSpark: Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation (direct link) SentinelLabs has been monitoring recent attacks against East Asian organisations from a group tracked as 'DragonSpark'. The attacks are characterised by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation. - Malware Update Malware
Fortinet.webp 2023-01-24 13:13:00 The Year of the Wiper (direct link) FortiGuard Labs has been tracking wiper malware since the start of the 2022 Russia-Ukraine conflict. Read our latest blog to find out recent updates about the trends in wiper malware and how attack scenarios have changed. Malware ★★
01net.webp 2023-01-23 14:37:48 This malware threatens to take remote control of your smartphone (direct link) A dangerous malware targeting Android smartphones has been spotted. It is capable of taking complete remote control of a phone in order to commit fraud. Malware ★★
bleepingcomputer.webp 2023-01-23 09:44:13 Microsoft plans to kill malware delivery via Excel XLL add-ins (direct link) Microsoft is working on adding XLL add-in protection for Microsoft 365 customers by including automated blocking of all such files downloaded from the Internet. [...] Malware ★★
SocRadar.webp 2023-01-23 09:20:59 Attackers Exploit Fortinet Zero-Day CVE-2022-42475 with BoldMove Malware (direct link) Researchers have discovered a sophisticated new BoldMove malware created specifically to operate on Fortinet's FortiGate firewalls after collecting data... Malware ★★★
CVE.webp 2023-01-23 07:15:10 CVE-2023-24068 (direct link) Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to modify conversation attachments within the attachments.noindex directory. Client mechanisms fail to validate modifications of existing cached files, resulting in an attacker's ability to insert malicious code into pre-existing attachments or replace them completely. A threat actor can forward the existing attachment in the corresponding conversation to external groups, and the name and size of the file will not change, allowing the malware to masquerade as another file. Malware Threat
HexaCorn.webp 2023-01-22 00:56:23 Excelling at Excel, Part 3 (direct link) One of the most common use cases we come across during our malware analysis exercises is a ROI-driven comparison of features between many samples of the same malware family. Yes, […] Malware ★★★★★
bleepingcomputer.webp 2023-01-21 11:15:30 (Déjà vu) Hackers now use Microsoft OneNote attachments to spread malware (direct link) Threat actors now use OneNote attachments in phishing emails that infect victims with remote access malware which can be used to install further malware, steal passwords, or even cryptocurrency wallets. [...] Malware Threat ★★★★★
bleepingcomputer.webp 2023-01-21 11:15:30 Beware: Hackers now use OneNote attachments to spread malware (direct link) Threat actors now use OneNote attachments in phishing emails that infect victims with remote access malware which can be used to install further malware, steal passwords, or even cryptocurrency wallets. [...] Malware Threat
News.webp 2023-01-21 01:58:26 DDE Command Execution malware samples (direct link) Here are a few samples related to the recent DDE Command execution. Reading: 10/18/2017 InQuest/yara-rules; 10/18/2017 https://twitter.com/i/moments/918126999738175489; 10/18/2017 Inquest: Microsoft Office DDE Macro-less Command Execution Vulnerability; 10/18/2017 Inquest: Microsoft Office DDE Vortex Ransomware Targeting Poland; 10/16/2017 https://twitter.com/noottrak/status/919975081828261888; 10/14/2017 Inquest: Microsoft Office DDE Freddie Mac Targeted Lure; 10/14/2017 Inquest: Microsoft Office DDE SEC OMB Approval Lure; 10/12/2017 NViso labs: YARA DDE rules: DDE Command Execution observed in-the-wild; 10/11/2017 Talos: Spoofed SEC Emails Distribute Evolved DNSMessenger; 10/10/2017 NViso labs: MS Office DDE YARA rules Ransomware Malware ★★
The_Hackers_News.webp 2023-01-20 22:03:00 Roaming Mantis Spreading Mobile Malware That Hijacks Wi-Fi Routers' DNS Settings (direct link) Threat actors associated with the Roaming Mantis attack campaign have been observed delivering an updated variant of their patent mobile malware known as Wroba to infiltrate Wi-Fi routers and undertake Domain Name System (DNS) hijacking. Kaspersky, which carried out an analysis of the malicious artifact, said the feature is designed to target specific Wi-Fi routers located in South Korea. Malware Threat ★★
The_Hackers_News.webp 2023-01-20 12:29:00 New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability (direct link) A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa. Telemetry evidence gathered by Google-owned Mandiant indicates that the exploitation occurred as early as October 2022, at least nearly two months before fixes were Malware Vulnerability Threat ★★
bleepingcomputer.webp 2023-01-20 11:02:16 New Boldmove Linux malware used to backdoor Fortinet devices (direct link) Suspected Chinese hackers exploited a recently disclosed FortiOS SSL-VPN vulnerability as a zero-day in December, targeting a European government and an African MSP with a new custom 'BOLDMOVE' Linux and Windows malware. [...] Malware Vulnerability ★★★
Blog.webp 2023-01-20 05:04:47 (Déjà vu) ASEC Weekly Malware Statistics (January 9th, 2023 – January 15th, 2023) (direct link) The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 9th, 2023 (Monday) to January 15th, 2023 (Sunday). For the main category, downloader ranked top with 38.4%, followed by Infostealer with 37.0%, backdoor with 18.2%, ransomware with 4.0%, and CoinMiner with 1.5%. Top 1 – SmokeLoader SmokeLoader is an Infostealer/downloader malware that is distributed via exploit kits. This week, it ranked first place with... Ransomware Malware ★★
DarkReading.webp 2023-01-19 21:30:00 Attackers Crafted Custom Malware for Fortinet Zero-Day (direct link) The "BoldMove" backdoor demonstrates a high level of knowledge of FortiOS, according to Mandiant researchers, who said the attacker appears to be based out of China. Malware ★★
Netskope.webp 2023-01-19 19:57:37 Cloud Threats Memo: Threat Actors Continue to Abuse Cloud Services to Deliver Malware in 2023 (direct link) Our most recent Cloud and Threat Report highlighted how threat actors abuse cloud services (with a special focus on cloud storage apps) to deliver malicious content (and yes, OneDrive leads the chart of the most exploited apps). To confirm that this trend will likely continue in 2023, researchers at Trend Micro have discovered an active […] Malware Threat Guideline Prediction ★★★
RecordedFuture.webp 2023-01-19 19:17:18 Canada's largest alcohol retailer infected with card skimming malware twice since December (direct link) On January 12, Canadian alcohol retail giant LCBO announced that an "unauthorized party embedded malicious code" onto its website in order to steal information from customers in the process of checking out. Over five days in January, they wrote, customers "may have had their information compromised." In fact, the infection was one of several to […] Malware ★★★
The_Hackers_News.webp 2023-01-19 18:57:00 Android Users Beware: New Hook Malware with RAT Capabilities Emerges (direct link) The threat actor behind the BlackRock and ERMAC Android banking trojans has unleashed yet another malware for rent called Hook that introduces new capabilities to access files stored in the devices and create a remote interactive session. ThreatFabric, in a report shared with The Hacker News, characterized Hook as a novel ERMAC fork that's advertised for sale for $7,000 per month while featuring Malware Threat ★★★
bleepingcomputer.webp 2023-01-19 18:30:22 New 'Hook' Android malware lets hackers remotely control your phone (direct link) A new Android malware named 'Hook' is being sold by cybercriminals, boasting it can remotely take over mobile devices in real-time using VNC (virtual network computing). [...] Malware ★★★
Mandiant.webp 2023-01-19 15:00:00 Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475) (direct link) Mandiant is tracking a suspected China-nexus campaign believed to have exploited a recently announced vulnerability in Fortinet's FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Evidence suggests the exploitation was occurring as early as October 2022 and identified targets include a European government entity and a managed service provider located in Africa. Mandiant identified a new malware we are tracking as "BOLDMOVE" as part of our investigation. We have uncovered a Windows variant of BOLDMOVE and a Linux variant, which is specifically designed to run on FortiGate Firewalls. We Malware Vulnerability Threat ★★★★
bleepingcomputer.webp 2023-01-19 12:55:02 Roaming Mantis' Android malware adds DNS changer to hack WiFi routers (direct link) Starting in September 2022, the 'Roaming Mantis' credential theft and malware distribution campaign was observed using a new version of the Wroba.o/XLoader Android malware that incorporates a function for detecting specific WiFi routers and changing their DNS. [...] Malware Hack ★★
globalsecuritymag.webp 2023-01-19 10:49:02 New Linux malware hits record highs in 2022, rising by 50% (direct link) New Linux malware hits record highs in 2022, rising by 50% - Malware Update Malware ★★★
SecureList.webp 2023-01-19 10:00:06 Roaming Mantis implements new DNS changer in its malicious mobile app in 2022 (direct link) Roaming Mantis (a.k.a. Shaoye) is a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal data. In 2022, we observed a DNS changer function implemented in its Android malware Wroba.o. Malware ★★★
CSO.webp 2023-01-19 04:27:00 Chinese hackers targeted Iranian government entities for months: Report (direct link) The Chinese advanced persistent threat actor Playful Taurus targeted several Iranian government entities between July and December 2022, according to a Palo Alto Networks report. The Chinese threat actor, also known as APT15, KeChang, NICKEL, BackdoorDiplomacy, and Vixen Panda, was observed attempting to connect government domains to malware infrastructure previously associated with the APT group, according to the report. "Playful Taurus continues to evolve their tactics and their tooling. Recent upgrades to the Turian backdoor and new C2 infrastructure suggest that these actors continue to see success during their cyber espionage campaigns," Palo Alto Networks said in a blog. Malware Threat APT 15 APT 25 ★★★
TechRepublic.webp 2023-01-18 19:46:05 Rise of cloud-delivered malware poses key security challenges (direct link) The volume of cloud-based malware tripled in 2022 over the prior year, says Netskope, with 30% of the malicious downloads coming from Microsoft OneDrive. Malware
DarkReading.webp 2023-01-18 19:21:00 ChatGPT Could Create Polymorphic Malware Wave, Researchers Warn (direct link) The powerful AI bot can produce malware without malicious code, making it tough to mitigate. Malware ChatGPT ★★★
DarkReading.webp 2023-01-18 17:10:00 ICS Confronted by Attackers Armed With New Motives, Tactics, and Malware (direct link) Threat actors are diversifying across all aspects to attack critical infrastructure, muddying the threat landscape and forcing industrial organizations to rethink their security. Malware Threat Industrial ★★
Anomali.webp 2023-01-18 16:35:00 Anomali Cyber Watch: FortiOS Zero-Day Has Been Exploited by an APT, Two RATs Spread by Four Types of JAR Polyglot Files, Promethium APT Continued Android Targeting (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, DDoS, Polyglot, RATs, Russia, Skimmers, Trojanized apps, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Malicious 'Lolip0p' PyPi Packages Install Info-Stealing Malware (published: January 16, 2023) On January 10, 2023, Fortinet researchers detected actor Lolip0p offering malicious packages on the Python Package Index (PyPI) repository. The packages came with detailed, convincing descriptions pretending to be legitimate HTTP clients or, in one case, a legitimate improvement for a terminal user interface. Installation of the libraries led to infostealing malware targeting browser data and authentication (Discord) tokens. Analyst Comment: Free repositories such as PyPI are increasingly abused by threat actors. Before adding a package, software developers should review its author and reviews, and check the source code for any suspicious or malicious intent. MITRE ATT&CK: [MITRE ATT&CK] T1204 - User Execution | [MITRE ATT&CK] T1555 - Credentials From Password Stores Tags: actor:Lolip0p, Malicious package, malware-type:Infostealer, Discord, PyPi, Social engineering, Windows. Analysis of FG-IR-22-398 – FortiOS - Heap-Based Buffer Overflow in SSLVPNd (published: January 11, 2023) In December 2022, the Fortinet network security company fixed a critical, heap-based buffer overflow vulnerability (FG-IR-22-398, CVE-2022-42475) in FortiOS SSL-VPN. The vulnerability was exploited as a zero-day by an advanced persistent threat (APT) actor who was customizing a Linux implant specifically for FortiOS of relevant FortiGate hardware versions. The targeting was likely aimed at governmental or government-related targets. The attribution is not clear, but the compilation timezone UTC+8 may point to China, Russia, and some other countries. Analyst Comment: Users of the affected products should make sure that the December 2022 FortiOS security updates are implemented. Zero-day based attacks can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning based detection systems. Network defenders are advised to monitor for suspicious traffic, such as suspicious TCP sessions with GET requests for payloads. MITRE ATT&CK: [MITRE ATT&CK] T1622 - Debugger Evasion | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1105 - Ingress Tool Transfer | [MITRE ATT&CK] T1090 - Proxy | [MITRE ATT&CK] T1070 - Indicator Removal On Host Tags: FG-IR-22-398, CVE-2022-42 Malware Tool Vulnerability Threat Guideline LastPass ★★
The_Hackers_News.webp 2023-01-18 16:35:00 Iranian Government Entities Under Attack by New Wave of BackdoorDiplomacy Attacks (direct link) The threat actor known as BackdoorDiplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022. Palo Alto Networks Unit 42, which is tracking the activity under its constellation-themed moniker Playful Taurus, said it observed the government domains attempting to connect to malware infrastructure previously identified as associated Malware Threat ★★★
InfoSecurityMag.webp 2023-01-18 16:00:00 ChatGPT Creates Polymorphic Malware (direct link) The first step to creating the malware was to bypass ChatGPT content filters Malware ChatGPT ★★
bleepingcomputer.webp 2023-01-18 14:57:51 Ukraine links data-wiping attack on news agency to Russian hackers (direct link) The Computer Emergency Response Team of Ukraine (CERT-UA) has linked a destructive malware attack targeting the country's National News Agency of Ukraine (Ukrinform) to Sandworm Russian military hackers. [...] Malware ★★★
InfoSecurityMag.webp 2023-01-18 11:45:00 Almost Half of Critical Manufacturing at Risk of Breach (direct link) Critical manufacturing experienced an increase in severe vulnerabilities and malware infections in 2022 Malware ★★
globalsecuritymag.webp 2023-01-18 10:32:15 Check Point Top Malware ranking, December 2022: Emotet, Qbot and Kryptik are on the podium in France (direct link) Check Point Top Malware ranking, December 2022: Emotet, Qbot and Kryptik are on the podium in France - Malware Malware ★★★
The_Hackers_News.webp 2023-01-17 18:15:00 Hackers Can Abuse Legitimate GitHub Codespaces Feature to Deliver Malware (direct link) New research has found that it is possible for threat actors to abuse a legitimate feature in GitHub Codespaces to deliver malware to victim systems. GitHub Codespaces is a cloud-based configurable development environment that allows users to debug, maintain, and commit changes to a given codebase from a web browser or via an integration in Visual Studio Code. It also comes with a port Malware Threat ★★★
Last update at: 2024-07-07 17:08:21