What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-04-11 10:00:00 | Sécurité proactive pour la technologie opérationnelle et les infrastructures critiques Proactive Security for Operational Technology and Critical Infrastructure (lien direct) |
technologie opérationnelle (OT) et systèmes de contrôle industriel (ICS) ont longtemps été utilisés dans les environnements industriels pour surveilleret automatiser les processus physiques et les opérations critiques de mission.Ces systèmes constituent les éléments fondamentaux de certaines de nos infrastructures les plus critiques et soutiennent les fonctions sociétales essentielles, telles que la production d'électricité, le traitement des eaux usées, les transports publics, la fabrication industrielle, l'extraction des ressources, le pétrole et le gaz et les télécommunications.
La dernière décennie a connu une augmentation progressive de la motivation mondiale de l'acteur de cyber-menace pour cibler l'OT à usage spécial
Operational Technology (OT) and Industrial Control Systems (ICS) have long been used in industrial environments to monitor and automate physical processes and mission-critical operations. These systems form the foundational building blocks for some of our most critical infrastructure and support essential societal functions, such as power generation, wastewater treatment, public transportation, industrial manufacturing, resource mining, oil and gas, and telecommunications. The last decade has seen a gradual uptick in global cyber threat actor motivation for targeting special-purpose OT |
Threat Industrial | ★★★ | |
|
2022-01-31 15:00:00 | 1 sur 7 OT Ransomware Extorsion Attaque de fuite Critique Informations sur la technologie opérationnelle 1 in 7 OT Ransomware Extortion Attacks Leak Critical Operational Technology Information (lien direct) |
Les fuites de données ont toujours été une préoccupation pour les organisations.L'exposition d'informations sensibles peut entraîner des dommages à la réputation, des sanctions légales, une perte de propriété intellectuelle et même un impact sur la confidentialité des employés et des clients.Cependant, il y a peu de recherches sur les défis posés aux organisations industrielles lorsque les acteurs de la menace divulguent des détails sensibles sur leur sécurité, la production, les opérations ou la technologie.
En 2021, Mandiant Threat Intelligence a continué à observer les opérateurs de ransomwares tentant d'extorquer des milliers de victimes en divulguant des téraoctets de volés
Data leaks have always been a concern for organizations. The exposure of sensitive information can result in damage to reputation, legal penalties, loss of intellectual property, and even impact the privacy of employees and customers. However, there is little research about the challenges posed to industrial organizations when threat actors disclose sensitive details about their OT security, production, operations, or technology. In 2021, Mandiant Threat Intelligence continued observing ransomware operators attempting to extort thousands of victims by disclosing terabytes of stolen |
Ransomware Threat Industrial | ★★★ | |
|
2021-11-18 12:00:00 | Présentation du cadre de criminalistique numérique et de réponse aux incidents de Mandiant \\ pour les systèmes OT intégrés Introducing Mandiant\\'s Digital Forensics and Incident Response Framework for Embedded OT Systems (lien direct) |
La collecte et l'analyse des données médico-légales sont un composant central du processus de réponse de l'incident.Ce processus est central pour déterminer l'existence et la portée subséquente d'un compromis, les outils utilisés par les adversaires et leurs capacités.Cependant, l'obtention des données de criminalistique numérique et de réponse aux incidents (DFIR) n'est pas toujours une tâche simple, en particulier lorsque des systèmes de technologie opérationnelle (OT) sont impliqués.
Les réseaux OT comprennent souvent une variété de produits peu communs et parfois obscurs qui exploitent régulièrement des composants logiciels et de micrologiciels embarqués.Un bon exemple de ceci est en temps réel
Collecting and analyzing forensic data is a core component of the incident response process. This process is central to determining the existence, and subsequent scope of a compromise, the tools used by adversaries, and their capabilities. However, obtaining digital forensics and incident response (DFIR) data is not always a simple task, especially when operational technology (OT) systems are involved. OT networks often include a variety of uncommon and sometimes obscure products that regularly leverage embedded software and firmware components. A good example of this is real-time |
Tool Industrial | ★★★ | |
|
2021-10-27 08:01:01 | Fichier exécutable portable infectant les logiciels malveillants se trouve de plus en plus dans les réseaux OT Portable Executable File Infecting Malware Is Increasingly Found in OT Networks (lien direct) |
Lors de la recherche de fichiers associés à une gamme de fabricants d'équipements d'origine (OT) (OEM), Mandiant Threat Intelligence a découvert un grand nombre de binaires exécutables portables (PE) légitimes affectés par divers types de PEinfecter les logiciels malveillants.Les fichiers infectés incluent les binaires associés aux contrôleurs logiques programmables (PLC), les communications OLE pour le contrôle de processus (OPC), les applications d'interface humaine-machine (HMI) et d'autres fonctions OT prise en charge par des appareils basés sur Windows aux niveaux 2 et 3 du PurdueModèle.
Un PE est un format de fichier développé par Microsoft
While researching files associated with a range of operational technology (OT) original equipment manufacturers (OEM), Mandiant Threat Intelligence uncovered a large number of legitimate portable executable (PE) binaries affected by various types of PE infecting malware. The infected files include binaries associated with programmable logical controllers (PLC), OLE for process control (OPC) communications, human-machine interface (HMI) applications, and other OT functions supported by Windows-based devices at levels 2 and 3 of the Purdue Model. A PE is a file format developed by Microsoft |
Malware Threat Industrial | ★★★ | |
|
2021-08-17 08:01:01 | Mandiant révèle la vulnérabilité critique affectant des millions de dispositifs IoT Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices (lien direct) |
Aujourd'hui, Mandiant a révélé une vulnérabilité critique des risques en coordination avec le Agence de sécurité de la cybersécurité et des infrastructures («CISA») qui affecte des millions de dispositifs IoT qui utilisent les lytek «kalay» réseau.Cette vulnérabilité, découverte par des chercheurs de l'équipe rouge de Mandiant \\, à la fin de 2020, permettrait aux adversaires de compromettre à distance les appareils IoT victime, ce qui a donné la possibilité d'écouter l'audio en direct, de regarder des données vidéo en temps réel et de compromettre les informations d'identification de l'appareil pour plus de nouvellesAttaques basées sur la fonctionnalité du dispositif exposé.Ces autres attaques pourraient inclure des actions qui permettraient
Today, Mandiant disclosed a critical risk vulnerability in coordination with the Cybersecurity and Infrastructure Security Agency (“CISA”) that affects millions of IoT devices that use the ThroughTek “Kalay” network. This vulnerability, discovered by researchers on Mandiant\'s Red Team in late 2020, would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow |
Vulnerability Industrial | ★★★ | |
 |
2021-07-23 22:03:21 | Episode 221: Biden Unmasked APT 40. But Does It Matter? (lien direct) | Andrew Sellers, the Chief Technology Officer at QOMPLX joins us to unpack the revelations this week about APT 40, the Chinese group that the US has accused of a string of attacks aimed at stealing sensitive trade secrets. Also: is Salesforce the next SolarWinds | Industrial | APT 40 | |
 |
2021-07-21 17:31:16 | Indictments, Attribution Unlikely to Deter Chinese Hacking, Researchers Say (lien direct) | Researchers are skeptical that much will come from calling out China for the Microsoft Exchange attacks and APT40 activity, but the move marks an important foreign-policy change. | Industrial | APT 40 | |
 |
2021-07-20 15:00:00 | Anomali Cyber Watch: China Blamed for Microsoft Exchange Attacks, Israeli Cyber Surveillance Companies Help Oppressive Governments, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, APT, Espionage, Ransomware, Targeted Campaigns, DLL Side-Loading, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
UK and Allies Accuse China for a Pervasive Pattern of Hacking, Breaching Microsoft Exchange Servers
(published: July 19, 2021)
On July 19th, 2021, the US, the UK, and other global allies jointly accused China in a pattern of aggressive malicious cyber activity. First, they confirmed that Chinese state-backed actors (previously identified under the group name Hafnium) were responsible for gaining access to computer networks around the world via Microsoft Exchange servers. The attacks took place in early 2021, affecting over a quarter of a million servers worldwide. Additionally, APT31 (Judgement Panda) and APT40 (Kryptonite Panda) were attributed to Chinese Ministry of State Security (MSS), The US Department of Justice (DoJ) has indicted four APT40 members, and the Cybersecurity and Infrastructure Security Agency (CISA) shared indicators of compromise of the historic APT40 activity.
Analyst Comment: Network defense-in-depth and adherence to information security best practices can assist organizations in reducing the risk. Pay special attention to the patch and vulnerability management, protecting credentials, and continuing network hygiene and monitoring. When possible, enforce the principle of least privilege, use segmentation and strict access control measures for critical data. Organisations can use Anomali Match to perform real time forensic analysis for tracking such attacks.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Exploitation of Remote Services - T1210
Tags: Hafnium, Judgement Panda, APT31, TEMP.Jumper, APT40, Kryptonite Panda, Zirconium, Leviathan, TEMP.Periscope, Microsoft Exchange, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, Government, EU, UK, North America, China
NSO’s Spyware Sold to Authoritarian Regimes Used to Target Activists, Politicians and Journalists
(published: July 18, 2021)
Israeli surveillance company NSO Group supposedly sells spyware to vetted governments bodies to fight crime and terrorism. New research discovered NSO’s tools being used against non-criminal actors, pro-democracy activists and journalists investigating corruption, political opponents and government critics, diplomats, etc. In some cases, the timeline of this surveillance coincided with journalists' arrests and even murders. The main penetration tool used by NSO is malware Pegasus that targets both iPho |
Ransomware Malware Tool Vulnerability Threat Studies Guideline Industrial | APT 41 APT 40 APT 28 APT 31 | |
 |
2021-07-19 20:36:16 | US DoJ indicts four members of China-linked APT40 cyberespionage group (lien direct) | US DoJ indicted four members of the China-linked cyberespionage group known as APT40 for hacking various entities between 2011 and 2018. The U.S. Justice Department (DoJ) indicted four members of the China-linked cyber espionage group APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan) for hacking tens of government organizations, private businesses and universities around the world between 2011 and 2018. […] | Industrial | APT 40 | |
 |
2021-07-19 13:44:03 | U.S., Allies Officially Accuse China of Microsoft Exchange Attacks (lien direct) | U.S. Charges Four Alleged Members of Chinese Hacking Group APT40 The United States and its allies have officially attributed the Microsoft Exchange server attacks disclosed in early March to hackers affiliated with the Chinese government. | Industrial | APT 40 | |
 |
2021-07-19 10:44:21 | US indicts members of Chinese-backed hacking group APT40 (lien direct) | Today, the US Department of Justice (DOJ) indicted four members of the Chinese state-sponsored hacking group known as APT40 for hacking various companies, universities, and government entities in the US and worldwide between 2011 and 2018. [...] | Industrial | APT 40 | |
|
2021-05-25 09:00:00 | Crimes d'opportunité: augmentation de la fréquence des compromis sur la technologie opérationnelle à faible sophistication Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises (lien direct) |
Les attaques contre les processus de contrôle soutenues par la technologie opérationnelle (OT) sont souvent perçues comme nécessairement complexes.En effet, perturber ou modifier un processus de contrôle pour provoquer un effet prévisible est souvent assez difficile et peut nécessiter beaucoup de temps et de ressources.Cependant, Maniant Threat Intelligence a observé des attaques plus simples, où les acteurs ayant différents niveaux de compétences et de ressources utilisent des outils et des techniques informatiques communs pour accéder et interagir avec les systèmes OT exposés.
L'activité n'est généralement pas sophistiquée et n'est normalement pas ciblée contre des organisations spécifiques
Attacks on control processes supported by operational technology (OT) are often perceived as necessarily complex. This is because disrupting or modifying a control process to cause a predictable effect is often quite difficult and can require a lot of time and resources. However, Mandiant Threat Intelligence has observed simpler attacks, where actors with varying levels of skill and resources use common IT tools and techniques to gain access to and interact with exposed OT systems. The activity is typically not sophisticated and is normally not targeted against specific organizations |
Tool Threat Industrial | ★★★ | |
|
2021-04-13 10:00:00 | Piratage de la technologie opérationnelle pour la défense: leçons apprises de l'infrastructure de contrôle des compteurs intelligents en équipe d'OT Red Hacking Operational Technology for Defense: Lessons Learned From OT Red Teaming Smart Meter Control Infrastructure (lien direct) |
Les incidents de sécurité très médiatisés au cours de la dernière décennie ont apporté un examen minutieux à la cybersécurité pour la technologie opérationnelle (OT).Cependant, il existe une perception continue entre les organisations d'infrastructures critiques que les réseaux OT sont isolés de réseaux publics tels que Internet.Dans l'expérience de mandiant, le concept d'un \\ 'Air Gap \' séparant les actifs des réseaux externes est rarement vrai dans la pratique.
En 2018, nous avons publié un article de blog présentant les outils et techniques qui Temp.veles utilisé pendant l'incident de Triton pour traverser un compromis externe des informations
High-profile security incidents in the past decade have brought increased scrutiny to cyber security for operational technology (OT). However, there is a continued perception across critical infrastructure organizations that OT networks are isolated from public networks-such as the Internet. In Mandiant\'s experience, the concept of an \'air gap\' separating OT assets from external networks rarely holds true in practice. In 2018, we released a blog post presenting the tools and techniques that TEMP.Veles used during the TRITON incident to traverse from an external compromise of the information |
Tool Industrial | ★★★★ | |
|
2021-02-17 13:00:00 | Briller une lumière sur la solarcité: exploitation pratique du dispositif X2E IoT (deuxième partie) Shining a Light on SolarCity: Practical Exploitation of the X2e IoT Device (Part Two) (lien direct) |
Dans cet article, nous continuons notre analyse du Solarcity ConnectPort X2E Appareil ZigBee (appelé tous les appareils X2E).Dans partie un , nous avons discuté du x2e à un niveau élevé, effectué des attaques initiales basées sur le réseau, puis a discuté des techniques matérielles utilisées pour obtenir un shell distant sur le périphérique X2E en tant qu'utilisateur système non priviaire.Dans ce segment, nous couvrons comment nous avons obtenu une coquille privilégiée sur l'appareil localement en utilisant des attaques de glitch, et explorer CVE-2020-12878 , une vulnérabilité que nous avons découverte qui a permis une escalade de privilège à distance à l'utilisateur root .Combiné avec cve-2020-9306
In this post, we continue our analysis of the SolarCity ConnectPort X2e Zigbee device (referred to throughout as X2e device). In Part One, we discussed the X2e at a high level, performed initial network-based attacks, then discussed the hardware techniques used to gain a remote shell on the X2e device as a non-privileged system user. In this segment, we\'ll cover how we obtained a privileged shell on the device locally using power glitching attacks, and explore CVE-2020-12878, a vulnerability we discovered that permitted remote privilege escalation to the root user. Combined with CVE-2020-9306 |
Vulnerability Industrial | ★★★★ | |
 |
2020-10-07 18:31:39 | Amazon Wants to \'Win at Games.\' So Why Hasn\'t It? (lien direct) | After brute-forcing its way to dominance in so many industries, the tech leviathan may finally have met its match. | Industrial | APT 40 | |
|
2020-10-04 09:35:41 | Security Affairs newsletter Round 284 (lien direct) | A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box. Apple addresses four vulnerabilities in macOS Google removes 17 Joker -infected apps from the Play Store Microsoft took down 18 Azure AD apps used by Chinese Gadolinium APT Mount Locker […] | Industrial | APT 40 | |
|
2020-09-29 08:01:01 | Dans la poursuite d'une visualisation Gestalt: fusion de l'agent à mitre ATT & CK & Reg;Pour l'entreprise et les CI, communiquer les comportements adversaires In Pursuit of a Gestalt Visualization: Merging MITRE ATT&CK® for Enterprise and ICS to Communicate Adversary Behaviors (lien direct) |
mise à jour (10 décembre): Ce message a été mis à jour pour refléter les modifications de la matrice de mitre ATT & amp; CK pour l'entreprise, qui comprend désormais des tactiques supplémentaires.
Comprendre les menaces de plus en plus complexes auxquelles sont confrontés les organisations d'infrastructures industrielles et critiques n'est pas une tâche simple.Alors que les acteurs de menaces très qualifiés continuent de se renseigner sur les nuances uniques de la technologie opérationnelle (OT) et les systèmes de contrôle industriel (CI), nous observons de plus en plus les attaquants explorant une diversité de méthodes pour atteindre leurs objectifs.Les défenseurs sont confrontés au défi de l'analyse systématique des informations de ces incidents
Update (Dec. 10): This post has been updated to reflect changes in MITRE ATT&CK Matrix for Enterprise, which now includes additional tactics. Understanding the increasingly complex threats faced by industrial and critical infrastructure organizations is not a simple task. As high-skilled threat actors continue to learn about the unique nuances of operational technology (OT) and industrial control systems (ICS), we increasingly observe attackers exploring a diversity of methods to reach their goals. Defenders face the challenge of systematically analyzing information from these incidents |
Threat Industrial | ★★★ | |
|
2020-09-27 09:28:15 | Microsoft took down 18 Azure AD apps used by Chinese Gadolinium APT (lien direct) | Microsoft removed 18 Azure Active Directory applications from its Azure portal that were created by a Chinese-linked APT group Gadolinium. Microsoft announced this week to have removed 18 Azure Active Directory applications from its Azure portal that were created by a China-linked cyber espionage group tracked as APT group Gadolinium (aka APT40, or Leviathan). The 18 […] | Industrial | APT 40 | |
 |
2020-09-24 21:09:50 | Microsoft removed 18 Azure AD apps used by Chinese state-sponsored hacker group (lien direct) | Azure AD apps were abused by the Gadolinium (APT40) group to attack Microsoft Azure customers. | Industrial | APT 40 | |
|
2020-08-25 04:00:00 | Une introduction pratique à l'approche de Mandiant \\ S à l'équipe d'OT Red A Hands-On Introduction to Mandiant\\'s Approach to OT Red Teaming (lien direct) |
Les propriétaires d'actifs de technologie opérationnelle (OT) ont historiquement considéré que les réseaux rouges de l'OT et du système de contrôle industriel (ICS) sont trop risqués en raison du potentiel de perturbations ou d'impact négatif sur les systèmes de production.Bien que cet état d'esprit soit resté largement inchangé depuis des années, l'expérience de Mandiant dans le domaine suggère que ces perspectives changent;Nous fournissons de plus en plus de valeur aux clients en faisant équipe en toute sécurité en associant leurs réseaux de production OT.
Cette volonté croissante de l'équipe rouge de l'OT est probablement motivée par quelques facteurs, notamment le nombre croissant et
Operational technology (OT) asset owners have historically considered red teaming of OT and industrial control system (ICS) networks to be too risky due to the potential for disruptions or adverse impact to production systems. While this mindset has remained largely unchanged for years, Mandiant\'s experience in the field suggests that these perspectives are changing; we are increasingly delivering value to customers by safely red teaming their OT production networks. This increasing willingness to red team OT is likely driven by a couple of factors, including the growing number and |
Industrial | ★★★★ | |
|
2020-07-15 10:00:00 | Les acteurs à motivation financière étendent l'accès à l'OT: analyse des listes de mise à mort qui incluent des processus OT utilisés avec sept familles de logiciels malveillants Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families (lien direct) |
Mandiant Threat Intelligence a recherché et rédigé de nombreuses recherches sur l'activité de menace financière croissante impactant directement les réseaux de technologie opérationnelle (OT).Certaines de ces recherches sont disponibles dans nos précédents articles de blog sur post-compromise industrielleRansomware Et approche de Fireeye \\ pour la sécurité OT .Bien que la plupart des acteurs derrière cette activité ne se différencient probablement pas entre celui-ci et l'OT ou ont un intérêt particulier pour les actifs OT, ils sont motivés par le but de gagner de l'argent et ont démontré les compétences nécessaires pour fonctionner dans ces réseaux.Par exemple, le changement vers
Mandiant Threat Intelligence has researched and written extensively on the increasing financially motivated threat activity directly impacting operational technology (OT) networks. Some of this research is available in our previous blog posts on industrial post-compromise ransomware and FireEye\'s approach to OT security. While most of the actors behind this activity likely do not differentiate between IT and OT or have a particular interest in OT assets, they are driven by the goal of making money and have demonstrated the skills needed to operate in these networks. For example, the shift to |
Malware Threat Industrial | ★★★★ | |
|
2020-03-23 07:00:00 | Surveillance des outils de cyber-opération ICS et des modules d'exploitation de logiciels pour anticiper les menaces futures Monitoring ICS Cyber Operation Tools and Software Exploit Modules To Anticipate Future Threats (lien direct) |
Il n'y a eu qu'un petit nombre de cyberattaques largement documentées ciblant les technologies opérationnelles (OT) / systèmes de contrôle industriel (ICS) au cours de la dernière décennie.Bien que moins d'attaques soit clairement une bonne chose, l'absence d'une taille d'échantillon adéquate pour déterminer les seuils de risque peut rendre difficile pour les défenseurs de comprendre l'environnement de menace, de hiérarchiser les efforts de sécurité et de justifier l'allocation des ressources.
Pour résoudre ce problème, Fireeye Mandiant Threat Intelligence produit une gamme de rapports pour abonnement Les clients qui se concentrent sur différents indicateurs pour prédire les menaces futures
There has only been a small number of broadly documented cyber attacks targeting operational technologies (OT) / industrial control systems (ICS) over the last decade. While fewer attacks is clearly a good thing, the lack of an adequate sample size to determine risk thresholds can make it difficult for defenders to understand the threat environment, prioritize security efforts, and justify resource allocation. To address this problem, FireEye Mandiant Threat Intelligence produces a range of reports for subscription customers that focus on different indicators to predict future threats |
Tool Threat Industrial Prediction | ★★★★ | |
 |
2020-03-22 00:00:00 | Comment l'IoT industriel pourrait déclencher le prochain cyber-catastrophieffect d'urgence / 11 sur l'industrie manufacturière américaine révèle 7 milliards de dollars pour les eaux autres How Industrial IoT could Trigger the Next Cyber CatastropheEffect of URGENT/11 on the US Manufacturing Industry Reveals $7 Billion ExposureRead More (lien direct) |
IntroductionOn 29th July 2019, the cyber security firm Armis announced that it had found eleven different vulnerabilities in the operating system âVXworksâ which they believe exposed around 200 million critical devices. The team at Armis dubbed this group of vulnerabilities: URGENT/11. This report explores how the discovery of URGENT/11 demonstrates the susceptibility of global manufacturing businesses to large losses from a cyber-attack event and the potential impact on commercial P&C (re)insurers.âThe Operating System at the Heart of the IssueVxWorks is a widely used, but lesser known, lightweight IoT real-time operating system (RTOS). This operating system is embedded in over 2 billion devices in the US and worldwide. These range from large-scale industrial machinery controlling installations such as nuclear power stations and oil production platforms, to smaller systems throughout the worldâs automotive, aviation, agri-business, textile, logistics and pharmaceutical facilities. A malicious attack could affect what is known as the SupervisoryControl and Data Acquisition (SCADA), the system that allows industrial organizations to gather and monitor real-time data in their manufacturing and distribution systems. Critically, VxWorks is also part of what are known as Industrial Control Systems (ICS) â software that manages the industrial processes themselves.âNot a Quick FixAs with any type of software vulnerability, affected organizations need to patch vulnerabilities quickly. However, in the case of URGENT/11, the necessary patches can be very expensive to apply immediately, because the affected devices are critical to day-to-day operations. Patching a vulnerability requires stopping or interrupting the device, which could lead to significant business disruption. Furthermore, while very large organizations have the financial and technical resources to implement system patches quickly, smaller manufacturers â who may nevertheless be critical to the supply chain â often do not. They may buy equipment that happens to contain VxWorks, but do not expect to have to maintain the software or even be aware of its existence.âQuantifying URGENT/11âs Potential Loss Scenarios for the US Manufacturing IndustryTo understand the extent of companies that were vulnerable to URGENT/11, their susceptibility to being attacked, and the effect an attack might have industry wide, Kovrr deployed its proprietary technologies. The first step was to gather real-time information about the distribution of VxWorks in the US manufacturing sector. To achieve this, Kovrr leveraged its ability to continuously collect relevant business intelligence, cyber threat intelligence, external and internal security data. As a result, we were able to identify companies with devices that were utilizing the VxWorks operating system. For internal mapping, access to multiple security vendors\' data is essential because each vendor has its own expertise and distribution, in terms of geolocation, served industries, defense level focus, mapped devices, etc. In the case below involving an industrial sector, unique data focused on IoT devices is needed. Kovrr partners with a diverse range of data providers to detect and map beyond the firewall devices and security control mechanisms. By having access to Armis\' proprietary IoT fingerprinting technology, we were able to produce a highly granular map of any IoT device being used by one organization.We can then accurately assess any IoT related emerging vulnerability on clients\' portfolios. In order to understand the nature of these businesses, including their sector, size and place in the supply chain; we use publicly available information linked to a variety of proprietary data-sources including our own. This technique is similar in principle to the exposure-data cleansing and augmentation used by catastrophe modelers. Having developed a sophisticated view of the affected businesses, we have selected a series of events fro | Ransomware Vulnerability Threat Industrial Prediction | ★★★★ | |
|
2020-03-16 10:30:00 | Ils viennent dans la nuit: tendances de déploiement des ransomwares They Come in the Night: Ransomware Deployment Trends (lien direct) |
Ransomware est un shakedown numérique éloigné.Il est perturbateur et coûteux, et il affecte toutes sortes d'organisations, à partir de Cutting Edge Technologie spatiale Firms, aux Woolindustrie , à | Ransomware Threat Industrial | ★★★ | |
|
2020-02-24 23:30:00 | Ransomware contre la machine: comment les adversaires apprennent à perturber la production industrielle en le ciblant et en OT Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT (lien direct) |
Depuis au moins 2017, il y a eu une augmentation significative des divulgations publiques des incidents de ransomwares ayant un impact sur la production industrielle et les organisations d'infrastructures critiques.Des familles de ransomwares bien connues comme Wannacry,Lockergoga, Megacortex, Ryuk, Maze, et maintenant Snakehose (alias Snake / Ekans), ont des victimes de coûts dans une variété de verticales de l'industrie plusieurs millions de dollarsen rançon et en coûts de garantie.Ces incidents ont également entraîné des perturbations et des retards importants sur les processus physiques qui permettent aux organisations de produire et de fournir des biens et services.
tandis que beaucoup
Since at least 2017, there has been a significant increase in public disclosures of ransomware incidents impacting industrial production and critical infrastructure organizations. Well-known ransomware families like WannaCry, LockerGoga, MegaCortex, Ryuk, Maze, and now SNAKEHOSE (a.k.a. Snake / Ekans), have cost victims across a variety of industry verticals many millions of dollars in ransom and collateral costs. These incidents have also resulted in significant disruptions and delays to the physical processes that enable organizations to produce and deliver goods and services. While lots |
Ransomware Industrial | Wannacry | ★★★ |
|
2020-02-10 08:28:13 | Malaysia\'s MyCERT warns cyber espionage campaign carried out by APT40 (lien direct) | Malaysia’s MyCERT issued a security alert to warn of a hacking campaign targeting government officials that was carried out by the China-linked APT40 group. Malaysia’s Computer Emergency Response Team (MyCERT) warns of a cyber espionage campaign carried out by the China-linked APT40 group aimed at Malaysian government officials. The attackers aimed at stealing confidential documents […] | Industrial | APT 40 | |
|
2020-02-07 01:25:41 | Malaysia warns of Chinese hacking campaign targeting government projects (lien direct) | MyCERT security alert points the finger at APT40, a Chinese state-sponsored hacking crew. | Industrial | APT 40 | |
 |
2020-01-20 16:32:45 | A week in security (January 13 – 19) (lien direct) |
Our weekly security roundup for January 13-19, with a look at elastic servers, data enrichment, rootkits, regulation for deepfakes, and more.
Categories:
A week in security
Tags: apt40Ciscocitrixdata enrichmentdeepfakeselastic serversemotetrootkittravelexweleakinfo
(Read more...)
|
Industrial | APT 40 | |
|
2019-12-11 13:00:00 | L'approche mandiante de la sécurité des technologies opérationnelles (OT) The Mandiant Approach to Operational Technology (OT) Security (lien direct) |
Ce post explique la philosophie mandiante et l'approche plus large de la sécurité des technologies opérationnelles (OT).En résumé, nous constatons que la visibilité combinée dans les environnements IT et OT est essentielle pour détecter l'activité malveillante à tout stade d'une intrusion OT.L'approche mandiante de la sécurité OT est de:
détecter les menaces tôt en utilisant la conscience de la situation complète de It et OT Networks.
La surface de la plupart des intrusions transcende les couches architecturales car à presque tous les niveaux en cours de route, il y a des ordinateurs (serveurs et postes de travail) et des réseaux utilisant le même ou similaire
This post explains the Mandiant philosophy and broader approach to operational technology (OT) security. In summary, we find that combined visibility into both the IT and OT environments is critical for detecting malicious activity at any stage of an OT intrusion. The Mandiant approach to OT security is to: Detect threats early using full situational awareness of IT and OT networks. The surface area for most intrusions transcends architectural layers because at almost every level along the way, there are computers (servers and workstations) and networks using the same or similar |
Industrial | ★★★ | |
|
2019-09-30 12:00:00 | Le Fireeye OT-CSIO: une ontologie pour comprendre, ré-comparer et évaluer les incidents de cybersécurité en technologie opérationnelle The FireEye OT-CSIO: An Ontology to Understand, Cross-Compare, and Assess Operational Technology Cyber Security Incidents (lien direct) |
The FireEye Technology Technology Cyber Security Incident Ontology (OT-CSIO)
Alors que le nombre de Menaces to Operational Technology (OT) ont considérablement augmenté depuis la découverte de Stuxnet & # 8211;Poussé par des facteurs tels que la convergence croissante avec les réseaux de technologies de l'information (TI) et la disponibilité croissante des informations sur les informations, la technologie, les logiciels et les documents de référence & # 8211;Nous n'avons observé qu'un petit nombre d'attaques axées sur le monde réel.La taille limitée de l'échantillon des attaques OT bien documentées et le manque d'analyse du point de vue du niveau macro représente un défi pour
The FireEye Operational Technology Cyber Security Incident Ontology (OT-CSIO) While the number of threats to operational technology (OT) have significantly increased since the discovery of Stuxnet – driven by factors such as the growing convergence with information technology (IT) networks and the increasing availability of OT information, technology, software, and reference materials – we have observed only a small number of real-world OT-focused attacks. The limited sample size of well-documented OT attacks and lack of analysis from a macro level perspective represents a challenge for |
Industrial | ★★★★ | |
|
2019-04-09 23:00:00 | Profil TTP de l'acteur de Triton, outils d'attaque personnalisés, détections et mappage ATT & CK TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping (lien direct) |
Présentation
Fireeye peut désormais confirmer que nous avons découvert et répond à une intrusion supplémentaire par l'attaquant derrière Triton dans une installation d'infrastructure critique différente .
En décembre 2017, Fireeye a publié publiquement notre première analyse sur l'attaque de Triton où les acteurs malveillants ont utilisé le cadre d'attaque personnalisé de Triton pour manipuler les systèmes de sécurité industrielle dans une installation d'infrastructure critique et ont provoqué par inadvertance un arrêt de processus.Dans la suivante recherche Nous avons examiné comment les attaquants peuvent avoir eu accès à des composants critiques nécessairesPour construire le cadre d'attaque de Triton
Overview FireEye can now confirm that we have uncovered and are responding to an additional intrusion by the attacker behind TRITON at a different critical infrastructure facility. In December 2017, FireEye publicly released our first analysis on the TRITON attack where malicious actors used the TRITON custom attack framework to manipulate industrial safety systems at a critical infrastructure facility and inadvertently caused a process shutdown. In subsequent research we examined how the attackers may have gained access to critical components needed to build the TRITON attack framework |
Industrial | ★★★ | |
|
2019-03-06 07:59:00 | APT40 cyberespionage group supporting growth of China\'s naval sector (lien direct) | A cyber-espionage group, tracked as APT40, apparently linked to the Chinese government is focused on targeting countries important to the country's Belt and Road Initiative. The cyber-espionage group tracked as APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan), apparently linked to the Chinese government, is focused on targeting countries important to the country's Belt and Road Initiative […] | Industrial | APT 40 | |
|
2019-03-05 13:19:03 | State-Sponsored Hackers Supporting China\'s Naval Modernization Efforts: Report (lien direct) | APT40 Hackers Appear to be Supporting China's Belt and Road Initiative | Industrial | APT 40 | |
|
2018-11-15 11:04:02 | Chinese TEMP.Periscope cyberespionage group was using TTPs associated with Russian APTs (lien direct) | Chinese TEMP.Periscope cyberespionage group targeted a UK-based engineering company using TTPs associated with Russia-linked APT groups. Attribution of cyber attacks is always a hard task, in many cases attackers use false flags to masquerade their identities. Chinese hackers have targeted a UK-based engineering company using techniques and artifacts attributed to the Russia-linked APT groups Dragonfly and […] | Industrial | APT 40 | |
|
2018-10-23 10:00:00 | Attribution de Triton: le laboratoire appartenant à un gouvernement russe a probablement construit des outils d'intrusion personnalisés pour les attaquants de Triton TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers (lien direct) |
Présentation
Dans un article de blog précédent, nous avons détaillé l'intrusion de Triton qui a eu un impact sur les systèmes de contrôle industriel (ICS) dans une installation d'infrastructure critique.Nous suivons maintenant cet ensemble d'activités comme Temp.veles.Dans ce billet de blog, nous fournissons des informations supplémentaires reliant Temp.veles et leur activité entourant l'intrusion de Triton à un institut de recherche appartenant au gouvernement russe.
Triton Intrusion démontre des liens russes;Probablement soutenu par l'Institut de recherche russe
Le renseignement Fireeye évalue avec une grande confiance que l'activité d'intrusion qui a conduit au déploiement de Triton a été soutenue par le
Overview In a previous blog post we detailed the TRITON intrusion that impacted industrial control systems (ICS) at a critical infrastructure facility. We now track this activity set as TEMP.Veles. In this blog post we provide additional information linking TEMP.Veles and their activity surrounding the TRITON intrusion to a Russian government-owned research institute. TRITON Intrusion Demonstrates Russian Links; Likely Backed by Russian Research Institute FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the |
Tool Industrial | ★★★★ | |
|
2018-10-11 09:30:00 | Tendances de sécurité tactique ICS: analyse des risques de sécurité les plus fréquents observés sur le terrain ICS Tactical Security Trends: Analysis of the Most Frequent Security Risks Observed in the Field (lien direct) |
Introduction
Fireeye Isight Intelligence a compilé des données approfondies à partir de dizaines d'Iscolys Assessment Engagements (ICS HealthCheck) effectué par l'équipe de conseil Mandiant, Fireeye \\, pour identifier les risques de sécurité prioritaires les plus omniprésents et les plus élevés dans les installations industrielles.Les informations ont été acquises à partir d'évaluations pratiques réalisées au cours des dernières années dans un large éventail d'industries, notamment la fabrication, l'exploitation minière, l'automobile, l'énergie, le produit chimique, le gaz naturel et les services publics.Dans cet article, nous fournissons des détails sur ces risques et indiquons les meilleures pratiques et
Introduction FireEye iSIGHT Intelligence compiled extensive data from dozens of ICS security health assessment engagements (ICS Healthcheck) performed by Mandiant, FireEye\'s consulting team, to identify the most pervasive and highest priority security risks in industrial facilities. The information was acquired from hands-on assessments carried out over the last few years across a broad range of industries, including manufacturing, mining, automotive, energy, chemical, natural gas, and utilities. In this post, we provide details of these risks, and indicate best practices and |
Industrial | ★★★★ | |
 |
2018-07-20 09:33:00 | TEMP.Periscope : Des pirates Chinois, amateurs d\'éléctions présidentielles ? (lien direct) | Il n’y aurait pas que les pirates Russes amateurs d’éléctions ? Le groupe d'espionnage chinois TEMP.Periscope cible... L'article TEMP.Periscope : Des pirates Chinois, amateurs d’éléctions présidentielles ? est apparu en premier sur Data Security Breach. | Industrial | APT 40 | |
|
2018-07-12 08:22:03 | China-based TEMP.Periscope APT targets Cambodia\'s elections (lien direct) | FireEye uncovered a large-scale Chinese phishing and hacking campaign powered by Temp.periscope APT aimed at Cambodia’s elections. Security researchers at FireEye have uncovered a large-scale Chinese phishing and hacking campaign aimed at Cambodia’s elections. The hackers distributed a remote access trojan (RAT) and data exfiltration operation targeting the poll. The experts from FireEye attributed the attacks to an APT group tracked […] | Industrial | APT 40 | |
|
2018-07-10 07:00:00 | Le groupe d'espionnage chinois Temp.Periscope cible le Cambodge avant les élections de juillet 2018 et révèle de larges opérations à l'échelle mondiale Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally (lien direct) |
Introduction
Fireeye a examiné une gamme d'activités de périccope révélant un intérêt étendu pour la politique du Cambodge \\, avec des compromis actifs de plusieurs entités cambodgiennes liées au système électoral du pays.Cela comprend les compromis des entités gouvernementales cambodgienes chargées de superviser les élections, ainsi que le ciblage des chiffres de l'opposition.Cette campagne se déroule dans la mise en ligne vers les élections générales du 29 juillet 2018 du pays.Temp.Periscope a utilisé la même infrastructure pour une gamme d'activités contre d'autres cibles plus traditionnelles, y compris la base industrielle de la défense
Introduction FireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia\'s politics, with active compromises of multiple Cambodian entities related to the country\'s electoral system. This includes compromises of Cambodian government entities charged with overseeing the elections, as well as the targeting of opposition figures. This campaign occurs in the run up to the country\'s July 29, 2018, general elections. TEMP.Periscope used the same infrastructure for a range of activity against other more traditional targets, including the defense industrial base |
Industrial | APT 40 | ★★★★ |
 |
2018-07-05 17:10:01 | Threat Model Thursdays: Crispin Cowan (lien direct) | Over at the Leviathan blog, Crispin Cowan writes about “The Calculus Of Threat Modeling.” Crispin and I have collaborated and worked together over the years, and our approaches are explicitly aligned around the four question frame. What are we working on? One of the places where Crispin goes deeper is definitional. He’s very precise about … Continue reading "Threat Model Thursdays: Crispin Cowan" | Threat Industrial | APT 40 | |
|
2018-06-07 09:00:00 | Un traité totalement tubulaire sur Triton et Tristation A Totally Tubular Treatise on TRITON and TriStation (lien direct) |
Introduction
En décembre 2017, Fireeye \'s mandiant a discuté d'une réponse incidente impliquant le framework .L'attaque de Triton et bon nombre des intrusions de CI sur les ICS impliquaient des techniques de routine où les acteurs de la menace n'utilisaient que ce qui est nécessaire pour réussir dans leur mission.Pour Industryer et Triton, les attaquants sont passés du réseau informatique vers le réseau OT (technologie opérationnelle) à travers des systèmes accessibles aux deux environnements.Bargades de logiciels malveillants traditionnels, distillats Mimikatz, sessions de bureau à distance et autres attaques bien documentées et facilement détectées
Introduction In December 2017, FireEye\'s Mandiant discussed an incident response involving the TRITON framework. The TRITON attack and many of the publicly discussed ICS intrusions involved routine techniques where the threat actors used only what is necessary to succeed in their mission. For both INDUSTROYER and TRITON, the attackers moved from the IT network to the OT (operational technology) network through systems that were accessible to both environments. Traditional malware backdoors, Mimikatz distillates, remote desktop sessions, and other well-documented, easily-detected attack |
Malware Threat Industrial | ★★★★ | |
 |
2018-03-20 09:52:03 | Un groupe de cyber-espionnage chinois s\'attaque à des entreprises américaines (lien direct) |  Un groupe de cyber-espionnage chinois (TEMP.Periscope) s'attaque à des entreprises américaines dans les secteurs de l'ingénierie et du maritime. |
Industrial | APT 40 | |
|
2018-03-17 16:49:02 | Chinese APT Group TEMP.Periscope targets US Engineering and Maritime Industries (lien direct) | The China-linked APT group Leviathan. aka TEMP.Periscope, has increased the attacks on engineering and maritime entities over the past months. Past attacks conducted by the group aimed at targets connected to South China Sea issues, most of them were research institutes, academic organizations, and private firms in the United States. The group has also targeted professional/consulting services, high-tech industry, […] | Industrial | APT 40 | |
|
2018-03-16 20:36:03 | (Déjà vu) China-linked Hackers Target Engineering and Maritime Industries (lien direct) | A China-related cyberespionage group that has been active for half a decade has increased its attacks on engineering and maritime entities over the past months, FireEye reports. Referred to as Leviathan or TEMP.Periscope, the group has been historically interested in targets connected to South China Sea issues, which hasn't changed in the recently observed attacks. Targets include research institutes, academic organizations, and private firms in the United States. “The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit,” FireEye says. | Industrial | APT 40 | |
|
2017-12-14 15:00:00 | Les attaquants déploient un nouveau cadre d'attaque ICS «Triton» et provoquent une perturbation opérationnelle des infrastructures critiques Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure (lien direct) |
Introduction
mandiant a récemment répondu à un incident dans une organisation d'infrastructure critique où un attaquant a déployé des logiciels malveillants conçus pour manipuler les systèmes de sécurité industrielle.Les systèmes ciblés ont fourni une capacité d'arrêt d'urgence pour les processus industriels.Nous évaluons avec une confiance modérée que l'attaquant développait la capacité de causer des dommages physiques et des opérations d'arrêt par inadvertance.Ce logiciel malveillant, que nous appelons Triton, est un cadre d'attaque conçu pour interagir avec les contrôleurs de système instrumentés de sécurité Triconex (SIS).Nous n'avons pas attribué l'incident à un
Introduction Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes. We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a |
Malware Industrial Technical | ★★★★ | |
 |
2017-10-19 09:50:25 | Group launches Cyber Attacks against Maritime and Defense sectors (lien direct) | >Leviathan, an espionage group active since 2014, is launching cyber attacks against the maritime and defense sectors- focusing specifically on contractors and associated University Research institutions. View Full Story ORIGINAL SOURCE: ZDNet | Industrial | APT 40 | |
|
2016-06-02 09:00:00 | Irongate ics malware: rien à voir ici ... masquer l'activité malveillante sur les systèmes SCADA IRONGATE ICS Malware: Nothing to See Here...Masking Malicious Activity on SCADA Systems (lien direct) |
Dans la seconde moitié de 2015, l'équipe Flare a identifié plusieurs versions d'un logiciel malveillant axé sur les CI ICS fabriqué pour manipuler un processus industriel spécifique exécutant dans un environnement de système de contrôle Siemens simulé.Nous avons nommé cette famille de logiciels malveillants irongate.
Flare a trouvé les échantillons sur Virustotal lors de la recherche de gouttes compilés avec Pyinstaller - une approche utilisée par de nombreux acteurs malveillants.Les échantillons irongés se sont démarqués en fonction de leurs références à SCADA et aux fonctionnalités associées.Deux échantillons de la charge utile de logiciels malveillants ont été téléchargés par différentes sources en 2014, mais aucun des antivirus
In the latter half of 2015, the FLARE team identified several versions of an ICS-focused malware crafted to manipulate a specific industrial process running within a simulated Siemens control system environment. We named this family of malware IRONGATE. FLARE found the samples on VirusTotal while researching droppers compiled with PyInstaller - an approach used by numerous malicious actors. The IRONGATE samples stood out based on their references to SCADA and associated functionality. Two samples of the malware payload were uploaded by different sources in 2014, but none of the antivirus |
Malware Industrial | ★★★★ |
To see everything:
Our RSS (filtrered)
