| Src | Date (GMT) | Title | Description | Tags | Stories | Rating |
|---|---|---|---|---|---|---|
| ![SecurityWeek.webp](./Ressources/img/SecurityWeek.webp) | 2019-07-23 14:31:00 | China-Linked Threat Actor Using New Backdoor (direct link) | The China-linked threat actor known as APT15 has been using a previously undocumented backdoor for more than two years, ESET's security researchers have discovered. | Threat | APT 15 | |
| ![itsecurityguru.webp](./Ressources/img/itsecurityguru.webp) | 2019-07-19 14:35:01 | Malware that waits for three mouse clicks before running. (direct link) | An elusive hacking operation is using a previously unreported backdoor in a malware campaign targeting diplomats and government departments around the world. The Ke3chang advanced persistent threat group is thought to operate out of China and has conducted cyber-espionage campaigns using remote access trojans and other malware since at least 2010. Now cybersecurity researchers at ESET have identified […] | Malware<br>Threat | APT 15<br>APT 25 | ★★ |
| ![bleepingcomputer.webp](./Ressources/img/bleepingcomputer.webp) | 2019-07-18 07:03:00 | New Okrum Malware Used by Ke3chang Group to Target Diplomats (direct link) | Updated malware implants and a new backdoor named Okrum connected with the Ke3chang threat group operating from China have been found by ESET researchers while monitoring their operations between 2015 and 2019. [...] | Malware<br>Threat | APT 15<br>APT 25 | |
| ![AlienVault.webp](./Ressources/img/AlienVault.webp) | 2019-01-31 17:24:00 | APT10 Group Targets Multiple Sectors, But Seems to Really Love MSSPs (direct link) | Threat Actors That Don’t Discriminate<br>When it comes to threat actors and the malware variants they use, let’s talk dating — or rather, the way people date — because one could argue there are marked similarities between the two. You see, there are criminal groups who have a “type,” i.e. using malware that targets specific industries or even organizations — say, financial services (ever-popular and oh-so debonair) or perhaps critical infrastructure (spicy and daring!), or even healthcare for those who prefer staid and demure. Yet other groups are the free lovin’ types who go after multiple sectors using many different malware variants and approaches to accomplish their goal — no discriminating with this bunch.<br>Let’s look at one such example, APT10 / Cloud Hopper, which is likely the group behind a long-running, sophisticated campaign that uses multiple malware variants to target many different sectors in many different countries. You can check out some of the pulses relating to APT10 / Cloud Hopper on the Open Threat Exchange (OTX).<br>The U.S. National Cybersecurity and Communications Integration Center (NCCIC) reports the campaign started in May 2016, and NCCIC last updated its alert in December 2018 — so it’s not going away yet.<br>The group known as APT10 / Cloud Hopper has hit quite a few victims over the last few years in many different sectors, such as information technology, energy, healthcare and public health, communications, and critical manufacturing. However, their “date of choice” seems to be MSSPs, due to the fact that credential compromises within those networks could potentially be leveraged to access customer environments. From OTX pulse “Operation Cloud Hopper”:<br>The espionage campaign has targeted managed IT service providers (MSSPs), allowing the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSSPs and their clients globally. This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage – so it’s more important than ever to have a comprehensive view of all the threats your organization might be exposed to, either directly or through your supply chain.<br>As any clever serial dater would do, APT10 / Cloud Hopper doesn’t use just one approach. The NCCIC reports they have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures — for example, PLUGX / SOGU and REDLEAVES. And although the observed malware is based on existing malware code, APT10 / Cloud Hopper modifies it to improve effectiveness and avoid detection by existing signatures.<br>How Can APT10 Group Impact You?<br>If these free lovin’ bad guys decide to come after you, they’re likely looking for your data (perhaps to steal intellectual property). At a high level, they’re accomplishing this by leveraging stolen administrative credentials (local and domain) and certificates to place sophisticated malware implants on critical systems (such as PlugX and Redleaves). Depending on the defensive mitigations in place, they then gain full access to networks and data in a way that appears legitimate to your existing monitoring tools. Voila! They’ve gone from first date to a home run!<br>Wired Maga | Malware<br>Vulnerability<br>Threat | APT 10 | |
| ![MalwarebytesLabs.webp](./Ressources/img/MalwarebytesLabs.webp) | 2019-01-16 17:00:00 | The Advanced Persistent Threat files: APT10 (direct link) | While security companies are getting good at analyzing the tactics of nation-state threat actors, they still struggle with placing these actions in context and making solid risk assessments. So in this series, we're going to take a look at a few APT groups, and see how they fit into the larger threat landscape, starting with APT10.<br>Categories: Cybercrime, Hacking<br>Tags: advanced persistent threat, advanced persistent threats, aerospace, APT, APT10, APTs, china, Chinese Ministry of State Security, construction, engineering, FireEye, MSSP, PlugX, Poison Ivy, scanbox, sogu, telecoms, threat actors | Threat | APT 10 | |
| ![SecurityWeek.webp](./Ressources/img/SecurityWeek.webp) | 2018-12-21 15:51:02 | Industry Reactions to U.S. Charging APT10 Hackers: Feedback Friday (direct link) | The United States, United Kingdom, Canada, Australia, New Zealand and Japan have pointed the finger at China for sophisticated cyberattacks launched by a threat group known as APT10 against organizations around the world. The U.S. | Threat | APT 10 | |
| ![SecurityWeek.webp](./Ressources/img/SecurityWeek.webp) | 2018-12-21 07:24:01 | 'Five Eyes' Nations Blame China for APT10 Attacks (direct link) | The United States, United Kingdom, Canada, Australia and New Zealand officially blamed China on Thursday for the cyberattacks launched by a threat group known as APT10 against organizations around the world. | Threat | APT 10 | |
| ![AlienVault.webp](./Ressources/img/AlienVault.webp) | 2018-12-20 14:00:00 | Let's Chat: Healthcare Threats and Who's Attacking (direct link) | Healthcare is under fire and there’s no sign of the burn slowing.<br>Look, it’s no secret that hackers have been targeting hospitals and other healthcare providers for several years — and probably no surprise that healthcare is one of the top target industries for cybercrime in 2018. In the US alone, in fact, more than 270 data breaches affecting nearly 12 million individuals were submitted to the U.S. HHS Office for Civil Rights breach portal (as of November 30, 2018). This includes the likes of unauthorized access or disclosures of patient data, hacking, theft of data, data loss and more.<br>Bottom line, if you’re tasked with protecting any entity operating in the healthcare sector, you’re likely experiencing some very sleepless nights — and may just need a doctor yourself.<br>So... who’s wreaking all this havoc and how? According to AlienVault Labs, opportunistic ransomware is still a preferred method of attack. However, researchers are reporting a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from healthcare providers and other similar entities who must protect and keep assets, systems, and networks continuously operating.<br>One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million by manually compromising critical healthcare networks (see below for more info). The group behind SamSam has invested heavily in their operations (likely an organized crime syndicate) and has won the distinction of being the subjects of two FBI Alerts in 2018.<br>And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware. SamSam attacks also seem to go in waves. One of the most notable was a spring 2018 hit on a large New York hospital which publicly declined to pay the attacker’s $44,000 ransomware demand. It took a month for the hospital’s IT system to be fully restored.<br>SamSam attackers are known to:<br>- Gain remote access through traditional attacks, such as JBoss exploits<br>- Deploy web-shells<br>- Connect to RDP over HTTP tunnels such as ReGeorg<br>- Run batch scripts to deploy the ransomware over machines<br>SamSam isn’t going away either. AlienVault Labs has seen recent variants. You might want to read more about the threat actors behind SamSam, their methods of attacks, and recommendations for heading | Threat | Wannacry<br>APT 19<br>APT 18<br>APT 22<br>APT 23 | |
| ![no_ico.webp](./Ressources/img/no_ico.webp) | 2018-10-19 15:30:05 | (Déjà vu) Oceansalt Cyberattack Wave Linked To Defunct Chinese APT Comment Crew (direct link) | News broke today that a newly discovered first-stage implant targeting Korean-speaking victims borrows code from another reconnaissance tool linked to Comment Crew, a Chinese nation-state threat actor that was exposed in 2013 following cyber espionage campaigns against the United States. Dubbed Oceansalt, the threat has been spotted on machines in South Korea, the United States, and Canada. … | Tool<br>Threat | APT 32<br>APT 1 | |
| ![SecurityAffairs.webp](./Ressources/img/SecurityAffairs.webp) | 2018-10-19 07:06:03 | Attackers behind Operation Oceansalt reuse code from Chinese Comment Crew (direct link) | Security researchers from McAfee have recently uncovered a cyber espionage campaign, tracked as Operation Oceansalt, targeting South Korea, the United States, and Canada. The threat actors behind Operation Oceansalt are reusing malware previously associated with the China-linked cyberespionage group APT1. “McAfee Advanced Threat Research and Anti-Malware Operations teams have discovered another unknown data reconnaissance implant targeting Korean-speaking users,” reads the report. “We […] | Malware<br>Threat | APT 32<br>APT 1 | |
| ![bleepingcomputer.webp](./Ressources/img/bleepingcomputer.webp) | 2018-10-18 00:01:00 | New Reconnaissance Tool Uses Code from Eight-Year-Old Comment Crew Implant (direct link) | A newly discovered first-stage implant targeting Korean-speaking victims borrows code from another reconnaissance tool linked to Comment Crew, a Chinese nation-state threat actor that was exposed in 2013 following cyber espionage campaigns against the United States. [...] | Tool<br>Threat | APT 1 | |
| ![SecurityWeek.webp](./Ressources/img/SecurityWeek.webp) | 2018-09-14 17:23:01 | China-linked APT10 Hackers Update Attack Techniques (direct link) | Recent attacks launched by the China-linked threat actor APT10 against the Japanese media sector revealed the use of updated tactics, techniques and procedures (TTPs), FireEye says. | Threat | APT 10 | |
| ![SecurityAffairs.webp](./Ressources/img/SecurityAffairs.webp) | 2018-09-10 18:59:03 | Chinese LuckyMouse APT has been using a digitally signed network filtering driver in recent attacks (direct link) | Security experts observed the LuckyMouse APT group using a digitally signed 32- and 64-bit network filtering driver, NDISProxy, in recent attacks. Security experts from Kaspersky have observed the LuckyMouse APT group (aka Emissary Panda, APT27 and Threat Group 3390) using a digitally signed 32- and 64-bit network filtering driver, NDISProxy, in recent attacks. The APT group […] | Threat | APT 27<br>APT 1 | ★★★ |
| ![Kaspersky.webp](./Ressources/img/Kaspersky.webp) | 2018-09-03 12:49:03 | APT10 Under Close Scrutiny as Potentially Linked to Chinese Ministry of State Security (direct link) | An advanced threat actor has been associated with China's Ministry of State Security via two individuals and a Chinese firm. | Threat | APT 10 | |
| ![Mandiant.webp](./Ressources/img/Mandiant.webp) | 2017-04-06 14:00:00 | APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat (direct link) | APT10 Background<br>APT10 (MenuPass Group) is a Chinese cyber espionage group that FireEye has tracked since 2009. They have historically targeted construction and engineering, aerospace, and telecom firms, and governments in the United States, Europe, and Japan. We believe that the targeting of these industries has been in support of Chinese national security goals, including acquiring valuable military and intelligence information as well as the theft of confidential business data to support Chinese corporations. PwC and BAE recently issued a joint blog detailing extensive APT10 activity. | Threat<br>Technical | APT 10 | ★★★★ |
| ![Mandiant.webp](./Ressources/img/Mandiant.webp) | 2015-07-13 08:31:00 | Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak (direct link) | The FireEye as a Service team detected independent phishing campaigns conducted by two Chinese advanced persistent threat (APT) groups that we track, APT3 and APT18. Each threat group quickly took advantage of a zero-day vulnerability (CVE-2015-5119), which was leaked in the disclosure of Hacking Team's internal data. Adobe released a patch for the vulnerability on July 8, 2015. Before that patch was released, the groups launched phishing campaigns against multiple companies in the aerospace and defense, construction and engineering, education, energy | Vulnerability<br>Threat | APT 18<br>APT 3 | ★★★★ |
| ![Mandiant.webp](./Ressources/img/Mandiant.webp) | 2014-10-27 03:00:42 | APT28 Malware: A Window into Russia's Cyber Espionage Operations? (direct link) | The role of nation-state actors in cyber attacks was perhaps most widely revealed in February 2013 when Mandiant released the APT1 report, which detailed a professional cyber espionage group based in China. Today we release a new report: APT28: A Window Into Russia's Cyber Espionage Operations?<br>This report focuses on a threat group that we have designated as APT28. While APT28's malware is fairly well known in the cybersecurity community, our report details additional information exposing ongoing, focused operations that we believe indicate a government sponsor based in Moscow.<br>In | Malware<br>Threat | APT 28<br>APT 1 | ★★★★ |
| ![Mandiant.webp](./Ressources/img/Mandiant.webp) | 2013-02-19 07:00:45 | Mandiant Exposes APT1 – One of China's Cyber Espionage Units & Releases 3,000 Indicators (direct link) | Today, the Mandiant® Intelligence Center™ released an unprecedented report exposing APT1's multi-year, enterprise-scale computer espionage campaign. APT1 is one of dozens of threat groups Mandiant tracks around the world and we consider it to be one of the most prolific in terms of the sheer quantity of information it has stolen.<br>Highlights of the report include:<br>- Evidence linking APT1 to China's 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department (Military Cover Designator 61398).<br>- A timeline of APT1 economic espionage conducted since 2006 | Threat | APT 1 | ★★★★ |