What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-05-17 00:24:27 | Les logiciels malveillants transforment les routeurs domestiques en procurations pour les pirates chinois parrainés par l'État Malware turns home routers into proxies for Chinese state-sponsored hackers (lien direct) |
Suivant les traces de VPNFilter, un nouveau firmware obscurcit les pirates \\ 'Point de terminaison.
Following in the footsteps of VPNFilter, new firmware obscures hackers\' endpoints. |
Malware | VPNFilter | ★★ |
 |
2022-04-05 18:17:00 | Anomali Cyber Watch: AcidRain Wiped Viasat Modems, BlackMatter Rewritten into BlackCat Ransomware, SaintBear Goes with Go, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Information stealers, Phishing, Russia, Ukraine, Vulnerabilities, and Wipers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
AcidRain | A Modem Wiper Rains Down on Europe
(published: March 31, 2022)
On February 24, 2022, Viasat KA-SAT modems became inoperable in Ukraine after threat actors exploited a misconfigured VPN appliance, compromised KA-SAT network, and were able to execute management commands on a large number of residential modems simultaneously. SentinelOne researchers discovered that a specific Linux wiper, dubbed AcidRain, likely used in that attack as it shows the same targeting and the same overwriting method that was seen in a Viasat’s Surfbeam2 modem targeted in the attack. AcidRain shows code similarities with VPNFilter stage 3 wiping plugin called dstr, but AcidRain’s code appears to be sloppier, so the connection between the two is still under investigation.
Analyst Comment: Internet service providers are heavily targeted due to their trust relationships with their customers and they should harden their configurations and access policies. Devices targeted by AcidRain can be brought back to service through flash memory/factory reset. Organizations exposed to Russia-Ukrainian military conflict should plan for backup options in case of a wiper attack.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] System Shutdown/Reboot - T1529 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Supply Chain Compromise - T1195
Tags: AcidRain, Viasat KA-SAT, Russia, Ukraine, Germany, target-country:UA, target-country:DE, Wiper, Modem, Supply-chain compromise, VPN appliance, VPNFilter
BlackCat Ransomware
(published: March 31, 2022)
BlackCat (ALPHV) ransomware-as-a-service surfaced on Russian-speaking underground forums in late 2021. The BlackCat ransomware is perhaps the first ransomware written entirely in Rust, and is capable of targeting both Windows and Linux machines. It targeted multiple industries in the US, Europe, the Philippines, and other regions, and Polyswarm researchers expect it to expand its operations. It is attributed to the BlackMatter/DarkSide ransomware threat group. BlackCat used some known BlackMatter infrastructure and shared the same techniques: reverse SSH tunnels and scheduled tasks for persistence, LSASS for credential access, lmpacket, RDP, and psexec for command and control.
Analyst Comment: It is crucial for your company to ensure that servers are always running the most current software version. Your company should have policies in place in regards to the proper configurations needed for your servers in order to conduct your business needs safely. Additionally, always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). Furthermore, a business continuity plan should be in place in the case of a |
Ransomware Malware Tool Vulnerability Threat Guideline | VPNFilter VPNFilter | |
 |
2022-04-01 14:09:48 | AcidRain Wiper Suspected in Satellite Broadband Outage in Europe (lien direct) | FortiGuard Labs is aware a report that a new wiper malware was deployed and destroyed data on modems and routers for KA-SAT satellite broadband services, resulting in service outages across Europe on February 24th, 2022. The service interruption also caused the disconnection of remote access to 5,800 wind turbines in Europe. According to security vendor SentinelOne, AcidRain wiper shares similarities with a VPNFilter stage 3 destructive plugin. The Federal Bureau of Investigation (FBI) and Department of Justice disrupted the VPNFilter botnet by seizing a domain that was part of the Command-and-Control (C2) infrastructure. The Russian-connected the Sofacy threat actor (also known as APT28, Sednit, Pawn Storm, Fancy Bear, and Tsar) is believed to have operated the VPNFilter botnet. Why is this Significant?This is significant not only because a new wiper malware was used in the attack but also because the attack caused service interruption for satellite broadband services in Europe, including Ukraine, and 5,800 wind turbines in Europe were knocked offline.Also, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint advisory on March 17th, 2022, warning of cyberattacks on U.S. and international satellite communication (SATCOM) networks. What Happened?According to the statement released by Viasat, a provider of KA-SAT satellite broadband services, the attack occurred in two phases.1. On February 24th, 2022, "malicious traffic were detected emanating from several SurfBeam2 and SurfBeam 2+ modems and/or associated customer premise equipment (CPE) physically located within Ukraine and serviced by one of the KA-SAT consumer-oriented network partitions. This targeted denial of service attack made it difficult for many modems to remain online." 2. Then, the company started to observe a gradual decline of the connected modems. Subsequently, a large number of additional modems across much of Europe exited the network and they did not re-enter to the network. The statement continues as saying that the attacker gained remote access to the trusted management segment of the KA-SAT network through a misconfigured VPN appliance. The threat actor moved laterally through the network and ultimately sent "legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable."The belief is that "these destructive commands" refer to AcidRain wiper malware.What is VPNFilter malware?VPNFilter is a IoT malware that was first reported in mid-2018 and targeted home and Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices. The malware is not only capable of performing data exfiltration but also rendering devices completely inoperable.FortiGuard Labs published a research blog series on VPNFilter malware in 2018. See the Appendix for a link to "VPNFilter Malware - Critical Update" and "VPNFilter Update - New Attack Modules Documented".What is the threat actor Sofacy?Sofacy is a threat actor who is believed to operate for Russian interests. The threat actor has been in operation since at least 2007 and targets a wide range of sectors including government, military and security organizations.One of the most infamous activities carried out by the Sofacy group is their alleged involvement in hacking "networks and endpoints associated with the U.S. election" in 2016, in which the FBI the US Department of Homeland Security (DHS) released a join advisory on December 29th, 2016.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against AcidRain wiper malware believed to have been used in the attack:ELF/AcidRain.A!tr | Malware Threat | VPNFilter VPNFilter APT 28 | |
 |
2022-03-18 12:43:23 | Russia-linked Cyclops Blink botnet targeting ASUS routers (lien direct) | The recently discovered Cyclops Blink botnet, which is believed to be a replacement for the VPNFilter botnet, is now targeting the ASUS routers. The recently discovered Cyclops Blink botnet is now targeting the ASUS routers, reports Trend Micro researchers. The Cyclops Blink malware has been active since at least June 2019, it targets WatchGuard Firebox and other […] | Malware | VPNFilter | |
 |
2022-02-24 15:03:29 | Threat Advisory: Cyclops Blink (lien direct) | Cisco Talos is aware of the recent reporting around a new modular malware family, Cyclops Blink, that targets small and home office (SOHO) devices, similar to previously observed threats like VPNFilter. This malware is designed to run on Linux systems and is compiled specifically for 32-bit PowerPC... [[ This is only the beginning! Please visit the blog for the complete entry ]] | Malware | VPNFilter | |
 |
2022-02-24 11:34:25 | New \'Cyclops Blink\' Malware Linked to Russian State Hackers Targets Firewalls (lien direct) | Russia-Linked Sandworm Group Replaces VPNFilter With New Malware | Malware | VPNFilter VPNFilter | |
 |
2022-02-24 10:42:00 | US and UK Warn of VPNFilter Successor “Cyclops Blink” (lien direct) | Russian malware is designed to compromise SOHO devices | Malware | VPNFilter VPNFilter | |
 |
2022-02-24 03:57:49 | US, UK Agencies Warn of New Russian Botnet Built from Hacked Firewall Devices (lien direct) | Intelligence agencies in the U.K. and the U.S. disclosed details of a new botnet malware called Cyclops Blink that's been attributed to the Russian-backed Sandworm hacking group and deployed in attacks dating back to 2019. "Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) | Malware | VPNFilter VPNFilter | |
|
2021-01-19 18:25:55 | Hundreds of Networks Still Host Devices Infected With VPNFilter Malware (lien direct) | The VPNFilter malware is still present in hundreds of networks and malicious actors could take control of the infected devices, according to researchers at cybersecurity firm Trend Micro. | Malware | VPNFilter VPNFilter | |
|
2018-09-27 03:30:00 | VPNFilter Router Malware Adds 7 New Network Exploitation Modules (lien direct) | Security researchers have discovered even more dangerous capabilities in VPNFilter-the highly sophisticated multi-stage malware that infected 500,000 routers worldwide in May this year, making it much more widespread and sophisticated than earlier.
Attributed to Russia's APT 28, also known as 'Fancy Bear,' VPNFilter is a malware platform designed to infect routers and network-attached storage
|
Malware | VPNFilter APT 28 | ★★★★★ |
 |
2018-09-26 18:09:01 | VPNFilter\'s Arsenal Expands With Newly Discovered Modules (lien direct) | Seven new modules discovered in VPNFilter further fill in the blanks about how the malware operates and reveals a wider breath of capabilities. | Malware | VPNFilter | |
 |
2018-09-26 16:35:00 | VPNFilter Evolving to Be a More Dangerous Threat (lien direct) | VPNFilter malware is adding capabilities to become a more fully-featured tool for threat actors. | Malware Tool Threat | VPNFilter | |
 |
2018-09-04 07:00:00 | BrandPost: Unidentified Devices Leave Networks Vulnerable (lien direct) | As organizations embrace digital transformation to improve operational efficiency, IoT devices-including industrial and medical IoT-are being deployed at an unprecedented rate. This rapid adoption of IoT is one of the primary reasons why networks are in constant flux. New devices, whether physical or virtual, are continually connecting and disconnecting from the network, and often then reconnecting somewhere else. And to do their job, they need immediate access to applications and networked resources.Internet of Things endpoints are growing at an unprecedented rate, reaching an installed base of several dozen billion units in just a few years. While most people imagine digital cameras, printers, and smart appliances when they think of IoT, it also includes medical IoT (MIoT) devices, such as infusion pumps and heart monitors, and industrial IoT (IIoT), including valve controllers, temperature and pressure monitors, and manufacturing devices. This trend hasn't gone unnoticed by the cybercriminal community. While there continue to be high-profile attacks targeting traditional IoT devices, MIoT and IIoT devices are also increasingly being targeted, such as the recent Triton and VPNFilter malware attacks. | Malware | VPNFilter | |
|
2018-07-19 11:16:00 | IDG Contributor Network: The router of all evil (lien direct) | We spend a lot of time researching and highlighting the dangers of IoT devices. Cameras, DVRs, thermostats, light bulbs, and even refrigerators, connected to the internet may be vulnerable to attacks and exploits.Still, there's one IoT device that everyone owns and, I'll wager, the vast majority of people forget about: the router.“The box,” as my parents call it, typically is happily blinking away in a forgotten corner of the house and left alone for years. These home routers recently became the target of a Russian malware campaign using what is known as “VPNfilter” malware. | Malware | VPNFilter | |
|
2018-07-13 08:09:02 | Ukraine \'s SBU Security Service reportedly stopped VPNFilter attack at chlorine station (lien direct) | Ukraine ‘s SBU Security Service reportedly stopped VPNFilter attack at chlorine station, the malware infected the network equipment in the facility that supplies water treatment and sewage plants. According to the Interfax-Ukraine media outlet, the VPNFilter hit the LLC Aulska station in Auly (Dnipropetrovsk region), according to the experts the malware aimed at disrupting operations at the chlorine station. […] | Malware | VPNFilter | |
|
2018-07-13 05:33:02 | VPNFilter Malware Hits Critical Infrastructure in Ukraine (lien direct) | The Security Service of Ukraine (SBU) revealed this week that the VPNFilter malware, which it attributed to Russian intelligence agencies, had targeted a critical infrastructure organization. | Malware | VPNFilter | |
 |
2018-07-12 19:12:03 | Ukraine Says It Stopped a VPNFilter Attack on a Chlorine Distillation Station (lien direct) | The Ukrainian Secret Service (SBU) said today it stopped a cyber-attack with the VPNFilter malware on a chlorine distillation plant in the village of Aulska, in the Dnipropetrovsk region. [...] | Malware | VPNFilter |
1
We have: 17 articles.
We have: 17 articles.
To see everything:
Our RSS (filtrered)
