What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
The_Hackers_News 2023-04-07 11:45:00 Microsoft Takes Legal Action to Disrupt Cybercriminals' Illegal Use of Cobalt Strike Tool
Microsoft said it teamed up with Fortra and Health Information Sharing and Analysis Center (Health-ISAC) to tackle the abuse of Cobalt Strike by cybercriminals to distribute malware, including ransomware. To that end, the tech giant's Digital Crimes Unit (DCU) revealed that it secured a court order in the U.S. to "remove illegal, legacy copies of Cobalt Strike so they can no longer be used by
Tool ★★
CS 2023-04-06 16:00:00 Microsoft leads effort to disrupt illicit use of Cobalt Strike, a dangerous hacking tool in the wrong hands
The action against illicit versions of legitimate Cobalt Strike applications represents the culmination of a year-long investigation.
Tool ★★
RecordedFuture 2023-04-06 08:35:00 Microsoft, Fortra get legal permission to counter Cobalt Strike abuse
Microsoft and two partner organizations have been granted a court order to go after cybercriminal infrastructure associated with the rampant abuse of Cobalt Strike - a legitimate testing tool that attackers have used to wreak havoc on the healthcare industry. In an initiative [announced Thursday](https://blogs.microsoft.com/on-the-issues/2023/04/06/stopping-cybercriminals-from-abusing-security-tools/), the company's Digital Crimes Unit (DCU) - alongside the nonprofit
Tool ★★★
InfoSecurityMag 2023-04-04 16:00:00 New "Rorschach" Ransomware Spread Via Commercial Product
The ransomware strain uses a signed component of the Palo Alto Cortex XDR Dump Service Tool.
Ransomware Tool ★★
CVE 2023-04-04 13:15:09 CVE-2023-29000
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.7.0, by trusting that the server will return a certificate that belongs to the keypair of the user, a malicious server could get the desktop client to encrypt files with a key known to the attacker. This issue is fixed in Nextcloud Desktop 3.7.0. No known workarounds are available.
Tool
CVE 2023-04-04 13:15:08 CVE-2023-28998
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.
Tool
CVE 2023-04-04 13:15:08 CVE-2023-28997
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can recover and modify the contents of end-to-end encrypted files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.
Tool
Checkpoint 2023-04-04 07:09:13 Safe Travels? Check Point Research puts a spotlight on a growing underground market selling flight points, hotel rewards and stolen credentials of airline accounts
Highlights: Check Point Research (CPR) reveals a growing industry selling credentials to stolen hotel and airline accounts. The end goal is to get access to accounts with reward points and sell them. CPR provides examples including a dedicated brute forcing tool used to steal accounts, stolen credentials on sale and “travel agents” selling discounted flights obtained using stolen airline / hotel accounts. Background: With airline prices skyrocketing these days, amidst the global inflation, people are always seeking last minute sales, special offers and will usually be tempted to follow any lucrative offer that will decrease the heavy prices we all need to […]
Tool ★★
Anomali 2023-04-03 22:13:00 Anomali Cyber Watch: Clipboard-injectors, Infostealers, Malvertising, Pay-per-install, Supply chain, and Vulnerabilities
Anomali Cyber Watch: Balada Injector exploits WordPress Elementor Pro, ICON 3CX Stealer detected by YARA, Koi Loader-Stealer compresses-then-encrypts streams, and more. The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: clipboard injectors. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC summary charts. These charts summarize the IOCs attached to this magazine and give an overview of the threats discussed.

Cyber News and Threat Intelligence

High-severity vulnerability in WordPress Elementor Pro patched (Published: March 31, 2023)
The Balada Injector campaign has been targeting vulnerable website plugins and themes since at least 2017. Its new target is WordPress WooCommerce websites with a broken access control vulnerability in the popular Elementor Pro website plugin. This high-severity vulnerability (CVSS v3.1: 8.8, High) received a security patch on March 22, 2023; consequently, Balada Injector targets websites that have not yet been patched. The attackers create a new administrator user and insert a script that sends visitors through a multi-hop redirect for the purposes of spam, scams or adware installation.
Analyst comment: Website administrators should update immediately if they have Elementor Pro version 3.11.6 or lower installed. Use server-side scanning to detect unauthorized malicious content. All known indicators associated with the Balada Injector campaign are available in the Anomali platform and customers are advised to block them on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1587.004 - Develop Capabilities: Exploits | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application
Tags: Campaign: Balada Injector, compromised website, redirect, spam, scam, malware type: Adware, Broken Access Control, vulnerability, Elementor Pro, WordPress

3CX: Supply chain attack affects thousands of users worldwide (Published: March 30, 2023)
An unidentified threat group linked to North Korea trojanized 3CX's desktop app, a voice and video desktop client used by 12 million users in 190 countries. Recent Windows (18.12.407 and 18.12.416) and Mac (18.11.1213, 18.12.402, 18.12.407 and 18.12.416) installers were compromised. The Windows installers contained clean versions of the application along with malicious DLLs ready for a DLL side-loading attack. The affected macOS versions were compromised in the same way and contained a trojanized version of the dynamic library named libffmpeg.dylib. The final payload observed was information-stealing malware downloaded as an ICO file from a specific GitHub repository.
Analyst comment: Supply chain attacks
Malware Tool Vulnerability Threat ★★
SecureList 2023-04-03 12:10:52 Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack
A DLL named guard64.dll, which was loaded into the infected 3CXDesktopApp.exe process, was used in recent deployments of a backdoor that we dubbed “Gopuram” and had been tracking internally since 2020.
Tool Threat General Information ★★
AlienVault 2023-04-03 10:00:00 10 Reasons why businesses need mobile device management (MDM)
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

Mobile device management (MDM) refers to a type of software that allows businesses to manage, configure and secure mobile devices used by their employees. Companies use MDM solutions to maintain a secure environment across all the mobile devices they own or have access to, as well as provide features such as remote wipe, password policies, application management and data protection. This helps them ensure security while providing their employees with access to the applications and data they need. An increasing number of businesses are either accepting that they need MDM or realising that what they have in place is not sufficient. With that in mind, below are ten reasons why MDM is an integral part of doing business in the 21st century.

1. Enhanced security
MDM technology provides an extra layer of security for businesses, protecting them from breaches and data loss. MDM solutions enable secure authentication, access control and encryption for devices, applications and data, which in turn helps to keep sensitive corporate information safe. eSIMs, or embedded SIM cards, can enhance the security of mobile devices even further by allowing businesses to remotely manage and secure their devices. Improved security is one of the most important reasons why businesses need MDM solutions. With an ever-increasing number of cyber threats, it is essential for companies to take steps to keep their data and systems secure. MDM can help with this.

2. Increased productivity
MDM makes it easier for employees to access the applications and data they need, increasing their productivity and efficiency. By providing them with secure access to the resources they need, MDM solutions help remove the frustration of not being able to do their job due to technical issues or security policies. The ability to securely access corporate resources from anywhere, at any time, helps boost employee productivity and gives them the freedom they need to work more flexibly.

3. Reduced costs
MDM solutions can help reduce costs in several ways. They enable companies to better manage their mobile devices and applications, which ensures that they are up-to-date with the latest security patches and features. This helps reduce maintenance costs associated with managing outdated equipment. MDM solutions also make it easier for businesses to deploy new applications, as they don’t have to worry about manually configuring each device. This reduces expensive install times and makes it easier for employees to get started quickly.

4. Improved compliance
MDM solutions help businesses comply with industry standards and regulations. They enable companies to configure devices to meet specific security requirements, as well as monitor and manage mobile devices so that they adhere to corporate policies. By ensuring that all company devices are configured securely, MDM solutions reduce the risk of data breaches and fines associated with non-compliance. What's more, they can help identify areas where businesses need to improve their compliance processes.

5. Easier troubleshooting
MDM solutio
Tool ★★
CVE 2023-03-31 20:15:07 CVE-2022-4899
A vulnerability was found in zstd v1.4.10, where an attacker can supply an empty string as an argument to the command line tool to cause a buffer overrun.
Tool Vulnerability
RecordedFuture 2023-03-31 18:50:00 ChatGPT privacy and safety concerns lead to temporary ban in Italy
Italy's data protection agency has temporarily banned ChatGPT, alleging the powerful artificial intelligence tool has been illegally collecting users' data and failing to protect minors. In a provision released Thursday, the agency wrote that OpenAI, the company that owns the chatbot, does not alert users that it is collecting their data. They also contend that
Tool ChatGPT ★★★
CVE 2023-03-30 16:15:07 CVE-2022-30350
Avanquest Software RAD PDF (PDFEscape Online) 3.19.2.2 is vulnerable to Information Leak / Disclosure. The PDFEscape Online tool provides users with a "white out" functionality for redacting images, text, and other graphics from a PDF document. However, this mechanism does not remove the underlying text or PDF object specification information from the PDF. As a result, for example, redacted text may be copy-pasted by a PDF reader.
Tool
CVE 2023-03-29 19:15:22 CVE-2023-25809
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in the following conditions: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain write access to the user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host. Other users' cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private`; this is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts) or add `/sys/fs/cgroup` to `maskedPaths`.
Tool
CVE 2023-03-29 19:15:22 CVE-2023-28642
runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting a symlinked `/proc`. See PR #3785 for details. Users are advised to upgrade. Users unable to upgrade should avoid using untrusted container images.
Tool
DarkReading 2023-03-29 00:00:00 Microsoft Security Copilot Uses GPT-4 to Beef Up Security Incident Response
Microsoft's new AI assistant tool helps cybersecurity teams investigate security incidents and hunt for threats.
Tool ★★
The_Hackers_News 2023-03-28 23:38:00 Microsoft Introduces GPT-4 AI-Powered Security Copilot Tool to Empower Defenders
Microsoft on Tuesday unveiled Security Copilot in preview, marking its continued push to embed AI-oriented features in an attempt to offer "end-to-end defense at machine speed and scale." Powered by OpenAI's GPT-4 generative AI and its own security-specific model, it's billed as a security analysis tool that enables cybersecurity analysts to quickly respond to threats, process signals, and
Tool ★★
Anomali 2023-03-28 21:28:00 Anomali Cyber Watch: Account takeover, APT, Banking trojans, China, Cyberespionage, India, Malspam, North Korea, Phishing, Skimmers, Ukraine, and Vulnerabilities
Anomali Cyber Watch: Bitter spies on Chinese nuclear energy, Kimsuky takes over Google to infect connected Android devices, Bad Magic targets occupied parts of Ukraine, and more. The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Account takeover, APT, Banking trojans, China, Cyberespionage, India, Malspam, North Korea, Phishing, Skimmers, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC summary charts. These charts summarize the IOCs attached to this magazine and give an overview of the threats discussed.

Cyber News and Threat Intelligence

Phishing campaign targets the Chinese nuclear energy industry (Published: March 24, 2023)
Active since 2013, the Bitter group (T-APT-17) is suspected of being sponsored by the Indian government. Intezer researchers discovered a new Bitter campaign targeting academics, government and other organizations in the nuclear energy industry in China. The techniques are consistent with previously observed Bitter campaigns. The intrusion begins with a phishing email purporting to come from a real employee of the Kyrgyzstan embassy. The malicious attachments observed were either Microsoft Compiled HTML (CHM) files or Microsoft Excel files with Equation Editor exploits. The goal of the payloads is to establish persistence via scheduled tasks and download further malware payloads (previous Bitter campaigns used browser credential stealer, file stealer, keylogger and remote access tool plugins). The attackers relied on LZX compression and string concatenation for detection evasion.
Analyst comment: Many advanced attacks start with basic techniques such as unwarranted emails with an attachment that requires the user to open it. It is important to teach your users basic online hygiene and phishing awareness. It is safe to recommend never opening attached CHM files and keeping your MS Office desktop fully updated. All known indicators associated with this Bitter campaign are available in the Anomali platform and customers are advised to block them on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1589.002 - Gather Victim Identity Information: Email Addresses | [MITRE ATT&CK] T1566.001 - Phishing: Spearphishing Attachment | [MITRE AT
Malware Tool Threat Cloud APT 37 APT 43 ★★
knowbe4 2023-03-28 13:00:00 CyberheistNews Vol 13 #13 [Eye Opener] How to Outsmart Sneaky AI-Based Phishing Attacks
CyberheistNews Vol 13 #13 | March 28th, 2023
[Eye Opener] How to Outsmart Sneaky AI-Based Phishing Attacks
Users need to adapt to an evolving threat landscape in which attackers can use AI tools like ChatGPT to craft extremely convincing phishing emails, according to Matthew Tyson at CSO. "A leader tasked with cybersecurity can get ahead of the game by understanding where we are in the story of machine learning (ML) as a hacking tool," Tyson writes. "At present, the most important area of relevance around AI for cybersecurity is content generation. "This is where machine learning is making its greatest strides and it dovetails nicely for hackers with vectors such as phishing and malicious chatbots. The capacity to craft compelling, well-formed text is in the hands of anyone with access to ChatGPT, and that's basically anyone with an internet connection." Tyson quotes Conal Gallagher, CIO and CISO at Flexera, as saying that since attackers can now write grammatically correct phishing emails, users will need to pay attention to the circumstances of the emails. "Looking for bad grammar and incorrect spelling is a thing of the past - even pre-ChatGPT phishing emails have been getting more sophisticated," Gallagher said. "We must ask: 'Is the email expected? Is the from address legit? Is the email enticing you to click on a link?' Security awareness training still has a place to play here." Tyson explains that technical defenses have become very effective, so attackers focus on targeting humans to bypass these measures.
"Email and other elements of software infrastructure offer built-in fundamental security that largely guarantees we are not in danger until we ourselves take action," Tyson writes. "This is where we can install a tripwire in our mindsets: we should be hyper aware of what it is we are acting upon when we act upon it. "Not until an employee sends a reply, runs an attachment, or fills in a form is sensitive information at risk. The first ring of defense in our mentality should be: 'Is the content I'm looking at legit, not just based on its internal aspects, but given the entire context?' The second ring of defense in our mentality then has to be, 'Wait! I'm being asked to do something here.'" New-school security awareness training with simulated phishing tests enables your employees to recognize increasingly sophisticated phishing attacks and builds a strong security culture. Remember: Culture eats strategy for breakfast and is always top-down. Blog post with links: https://blog.knowbe4.com/identifying-ai-enabled-phishing
Ransomware Malware Hack Tool Threat Guideline ChatGPT ★★★
globalsecuritymag 2023-03-28 10:14:08 VIVOTEK Launches First Edge-Computing Facial Recognition Camera FD9387-FR-v2
VIVOTEK strives to provide comprehensive security solutions and launches the first-ever facial recognition camera that integrates edge computing to help enterprises quickly identify the gender and age of people in the video at the edge, as well as those who are wearing masks. - Product Reviews
Tool Threat ★★★
DarkReading 2023-03-28 00:00:00 CISA Releases Hunt Tool for Microsoft's Cloud Services
CISA released the hunt and response tool to help defenders extract cloud artifacts without performing additional analytics.
Tool Cloud ★★★★
The_Hackers_News 2023-03-27 15:18:00 Microsoft Issues Patch for aCropalypse Privacy Flaw in Windows Screenshot Tools
Microsoft has released an out-of-band update to address a privacy-defeating flaw in its screenshot editing tool for Windows 10 and Windows 11. The issue, dubbed aCropalypse, could enable malicious actors to recover edited portions of screenshots, potentially revealing sensitive information that may have been cropped out. Tracked as CVE-2023-28303, the vulnerability is rated 3.3 on the CVSS
Tool Vulnerability ★★
Chercheur.webp 2023-03-23 11:05:07 Mass Ransomware Attack (direct link) A vulnerability in a popular data transfer tool has resulted in a mass ransomware attack: TechCrunch has learned of dozens of organizations that used the affected GoAnywhere file transfer software at the time of the ransomware attack, suggesting more victims are likely to come forward. However, while the number of victims of the mass-hack is widening, the known impact is murky at best. Since the attack in late January or early February—the exact date is not known—Clop has disclosed less than half of the 130 organizations it claimed to have compromised via GoAnywhere, a system that can be hosted in the cloud or on an organization’s network that allows companies to securely transfer huge sets of data and other large files...
Ransomware Tool Vulnerability Studies Cloud ★★★
AlienVault.webp 2023-03-23 10:00:00 BlackGuard stealer extends its capabilities in new variant (direct link) AT&T Alien Labs researchers have discovered a new variant of BlackGuard stealer in the wild, infecting victims through spear phishing attacks. The malware has evolved since its previous variant and now arrives with new capabilities. Key takeaways: BlackGuard steals user sensitive information from a wide range of applications and browsers. The malware can hijack crypto wallets copied to the clipboard. The new variant is trying to propagate through removable media and shared devices. Background: BlackGuard stealer is malware as a service sold in underground forums and Telegram since 2021, when a Russian user posted information about a new malware called BlackGuard. It was offered for $700 lifetime or $200 monthly, claiming it can collect information from a wide range of applications and browsers. In November 2022, an update for BlackGuard was announced in Telegram by its developer. Along with the new features, the malware author offers free help with installing the command & control panel (Figure 1). Figure 1. Announcement of new malware version in its Telegram channel. Analysis: When executed, BlackGuard first checks if another instance is running by creating a Mutex. Then, to ensure it will survive a system reboot, the malware adds itself to the “Run” registry key. The malware also checks if it's running under a debugger by checking TickCount, and checks if the current user belongs to a specific list to determine whether it is running in a malware sandbox environment (Figure 2). Figure 2. Malware will avoid execution if running under specific user names. Now all is ready for stealing the user’s sensitive data. It collects all stolen information in a folder where each piece of data is stored in a specific subfolder, such as Browsers, Files, Telegram, etc. (Figure 3). Figure 3. BlackGuard main folder with stolen data divided into folders. When it finishes collecting sensitive data, the malware will zip the main folder using the password “xNET3301LIVE” and send it to its command & control (Figure 4). Figure 4. Zipping exfiltrated data with password and uploading to command & control. Browser stealth: Along with collecting cookies, history and downloads of different browsers, BlackGuard also looks for the existence of special files and folders of different browsers (this includes “Login Data”, AutoFill, History and Downloads; Figure 5). Figure 5. Collecting browser information. Below is the list of browsers BlackGuard is looking for: Chromium Malware Tool Threat General Information ★★★
Darktrace.webp 2023-03-21 00:00:00 Multi-Factor Authentication: Not the Silver Bullet (direct link) Multi-Factor Authentication (MFA) has been widely adopted as a security measure against common account takeover methods. However, the industry is seeing more and more examples of MFA compromise wherein threat actors exploit the security tool itself to gain account access.
Tool Threat ★★
Anomali.webp 2023-03-20 23:29:00 Anomali Cyber Watch: APT, China, Data leak, Injectors, Packers, Phishing, Ransomware, Russia, and Ukraine (direct link) Anomali Cyber Watch: Winter Vivern Impersonates Poland's Cybercrime Webpage, Trojanized Telegram Steals Cryptocurrency Keys from Screenshots, SilkLoader Evades East Asian Sandboxes, and More. The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Data leak, Injectors, Packers, Phishing, Ransomware, Russia, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Cyber News and Threat Intelligence Winter Vivern | Uncovering a Wave of Global Espionage (published: March 16, 2023) Since December 2020, Winter Vivern has been engaged in cyberespionage campaigns aligned with the objectives of the Belarusian and Russian governments. Since January 2021, it has targeted government organizations in Lithuania, India, the Vatican, and Slovakia. From mid-2022 to December 2022, it targeted India and Ukraine: it impersonated the website of the Indian government's email service and sent a macro-enabled Excel file targeting a project that facilitates the surrender of Russian military personnel. In early 2023, Winter Vivern created fake pages for Poland's Central Bureau for Combating Cybercrime, the Ukrainian Ministry of Foreign Affairs, and the Security Service of Ukraine. The group often relies on simple phishing for credentials. Another type of Winter Vivern activity includes malicious Office documents with macros, a loader script imitating a virus scanner, and the installation of its backdoor. The group's malicious infrastructure includes typosquatted domains and compromised WordPress websites. Analyst Comment: Be careful if a domain asks for your passwords; try to establish its authenticity and ownership. Anomali customers concerned about risks to their digital assets (including look-alike/typosquatted domains) can try Anomali's Premium Digital Risk Protection service. Many advanced attacks start with basic techniques such as unsolicited emails with malicious attachments that require the user to open them and enable macros. It is important to teach your users basic online hygiene and phishing awareness. MITRE ATT&CK: [MITRE ATT&CK] T1583.001 - Acquire Infrastructure: Domains | [MITRE ATT&CK] T1566.001 - Phishing: Spearphishing Attachment | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1059.003 - Command and Scripting Interpreter: Windows Command Shell | [MITRE ATT&CK] T1105 - Ingress Tool Transfer Ransomware Malware Tool Vulnerability Threat Cloud ★★
Pirate.webp 2023-03-20 16:19:22 DataSurgeon – Extract Sensitive Information (PII) From Logs (direct link) DataSurgeon (ds) is a versatile tool designed to extract sensitive information (PII) from logs; it is intended to be used for incident response, penetration testing, and CTF challenges. Tool ★★
codewhitesec.webp 2023-03-20 12:30:04 JMX Exploitation Revisited (direct link) The Java Management Extensions (JMX) are used by many if not all enterprise level applications in Java for managing and monitoring of application settings and metrics. While exploiting an accessible JMX endpoint is well known and there are several free tools available, this blog post will present new insights and a novel exploitation technique that allows for instant Remote Code Execution with no further requirements, such as outgoing connections or the existence of application specific MBeans. Introduction How to exploit remote JMX services is well known. For instance, Attacking RMI based JMX services by Hans-Martin Münch gives a pretty good introduction to JMX as well as a historical overview of attacks against exposed JMX services. You may want to read it before proceeding so that we're on the same page. And then there are also JMX exploitation tools such as mjet (formerly also known as sjet, also by Hans-Martin Münch) and beanshooter by my colleague Tobias Neitzel, which both can be used to exploit known vulnerabilities in JMX services and MBeans. However, some aspects are either no longer possible in current Java versions (e. g., pre-authenticated arbitrary Java deserialization via RMIServer.newClient(Object)) or they require certain MBeans being present or conditions such as the server being able to connect back to the attacker (e. g., MLet with HTTP URL). In this blog post we will look into two other default MBean classes that can be leveraged for pretty unexpected behavior: remote invocation of arbitrary instance methods on arbitrary serializable objects; remote invocation of arbitrary static methods on arbitrary classes. Tobias has implemented some of the gained insights into his tool beanshooter. Thanks!
Read The Fine Manual By default, MBean classes are required to fulfill one of the following: follow certain design patterns, or implement certain interfaces. For example, the javax.management.loading.MLet class implements the javax.management.loading.MLetMBean interface, which fulfills the first requirement: it implements an interface of the same name but ending with MBean. The two specific MBean classes we will be looking at fulfill the second requirement: javax.management.StandardMBean and javax.management.modelmbean.RequiredModelMBean. Both classes provide features that don't seem to have gotten much attention yet, but are pretty powerful and allow interaction with the MBean server and MBeans that may even violate the JMX specification. The Standard MBean Class StandardMBean The StandardMBean was added to JMX 1.2 with the following description: […] the javax.management.StandardMBean class can be used to define standard MBeans with an interface whose name is not necessarily related to the class name of the MBean. – Java™ Management Extensions (JMX™) (Maintenance Release 2) Also: An MBean whose management interface is determined by reflection on a Java interface. –  Tool ★★
The_State_of_Security.webp 2023-03-17 09:58:00 Free decryptor released for Conti-based ransomware following data leak (direct link) Security researchers have released a new decryption tool that should come to the rescue of some victims of a modified version of the Conti ransomware, helping them to recover their encrypted data for free. Conti was one of the most notorious ransomware groups, responsible for hundreds of attacks against organisations, which netted criminals over $150 million. Its victims included the government of Costa Rica which declared a national emergency after systems in multiple departments were severely impacted. However, things began to unravel for the Conti ransomware gang in February 2022, when the... Ransomware Tool General Information ★★★
RecordedFuture.webp 2023-03-16 20:56:00 Kaspersky releases decryptor for ransomware based on Conti source code (direct link) Cybersecurity firm Kaspersky on Thursday released a decryptor that could help victims who had their data locked down by a version of the Conti ransomware. Kaspersky said the tool can be used on a malware strain that infected dozens of “companies and state institutions” throughout December 2022. Kaspersky did not name the strain, but experts Ransomware Malware Tool ★★
News.webp 2023-03-16 16:31:10 ReMarkable emits Type Folio keyboard cover for e-paper tablet (direct link) Distraction-free long-life e-ink handheld writing tool becomes a typing tool too... but leaves us conflicted Norwegian e-ink tablet maker reMarkable has launched the Type Folio, a keyboard cover, causing one Reg hack to feel strangely conflicted.… Hack Tool ★★
InfoSecurityMag.webp 2023-03-16 10:30:00 NCSC Calms Fears Over ChatGPT Threat (direct link) Tool won't democratize cybercrime, agency argues Tool Threat ChatGPT ChatGPT ★★
globalsecuritymag.webp 2023-03-15 17:49:06 WithSecure™: Chinese cyber crime tool acquired by Russian ransomware gangs (direct link) WithSecure™: Chinese cyber crime tool acquired by Russian ransomware gangs - Malware Update Ransomware Tool
CS.webp 2023-03-15 17:25:05 Police shut down cryptocurrency mixer linked to laundering more than $3 billion in criminal funds (direct link) North Korean hackers alone used the tool to launder bitcoin worth more than $700 million. Tool ★★
Checkpoint.webp 2023-03-15 11:00:34 Can your SASE solution block these top malware? (direct link) >Malware is a go-to tactic and essential tool for attackers. According to Check Point Research’s 2023 Cyber Security Report, 32% of cyber attacks globally are based on multipurpose malware with email as the attack vector in 86% of those attacks. The most vicious malware are wipers, whose only purpose is to cause irreversible damage and… Malware Tool ★★
ComputerWeekly.webp 2023-03-15 11:00:00 Chinese Silkloader cyber attack tool falls into Russian hands (direct link) Tool ★★★
Netskope.webp 2023-03-14 18:17:21 Cloud Threats Memo: Cyber Espionage Campaign Using Remote Access Tools (direct link) >Another day, another cyber espionage campaign exploiting two legitimate and well-known cloud services to deliver the malicious payload. Once again, this campaign was unearthed by researchers at Sentinel One, and it is aimed to distribute the Remcos Remote Access Tool (yet another example of a remote control tool used for malicious purposes) through the DBatLoader […] Tool Cloud ★★★
Anomali.webp 2023-03-14 17:32:00 Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam (direct link) Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam, and More. The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, DLL side-loading, Iran, Linux, Malvertising, Mobile, Pakistan, Ransomware, and Windows. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Xenomorph V3: a New Variant with ATS Targeting More Than 400 Institutions (published: March 10, 2023) Newer versions of the Xenomorph Android banking trojan are able to target 400 applications: cryptocurrency wallets and mobile banking from around the World with the top targeted countries being Spain, Turkey, Poland, USA, and Australia (in that order). Since February 2022, several small, testing Xenomorph campaigns have been detected. Its current version Xenomorph v3 (Xenomorph.C) is available on the Malware-as-a-Service model. This trojan version was delivered using the Zombinder binding service to bind it to a legitimate currency converter. Xenomorph v3 automatically collects and exfiltrates credentials using the ATS (Automated Transfer Systems) framework. The command-and-control traffic is blended in by abusing Discord Content Delivery Network. Analyst Comment: Fraud chain automation makes Xenomorph v3 a dangerous malware that might significantly increase its prevalence on the threat landscape.
Users should keep their mobile devices updated and avail of mobile antivirus and VPN protection services. Install only applications that you actually need, use the official store and check the app description and reviews. Organizations that publish applications for their customers are invited to use Anomali's Premium Digital Risk Protection service to discover rogue, malicious apps impersonating your brand that security teams typically do not search or monitor. MITRE ATT&CK: [MITRE ATT&CK] T1417.001 - Input Capture: Keylogging | [MITRE ATT&CK] T1417.002 - Input Capture: Gui Input Capture Tags: malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility services, Overlay attack, Discord CDN, Cryptocurrency wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android Cobalt Illusion Masquerades as Atlantic Council Employee (published: March 9, 2023) A new campaign by Iran-sponsored Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorous) was detected targeting Mahsa Amini protests and researchers who document the suppression of women and minority groups i Ransomware Malware Tool Vulnerability Threat Guideline Conference APT 35 ChatGPT ChatGPT APT 36 APT 42 ★★
ESET.webp 2023-03-14 10:30:49 The slow Tick‑ing time bomb: Tick APT group compromise of a DLP software developer in East Asia (direct link) ESET Research uncovered a campaign by APT group Tick against a data-loss prevention company in East Asia and found a previously unreported tool used by the group Tool ★★★
CVE.webp 2023-03-10 21:15:14 CVE-2023-0193 (direct link) NVIDIA CUDA Toolkit SDK contains a vulnerability in cuobjdump, where a local user running the tool against a malicious binary may cause an out-of-bounds read, which may result in a limited denial of service and limited information disclosure. Tool Vulnerability
globalsecuritymag.webp 2023-03-09 17:20:02 ChatGPT: A tool for offensive cyber operations?! Not so fast! (direct link) ChatGPT: A tool for offensive cyber operations?! Not so fast! By John Borrero Rodriguez, Trellix - Opinion Tool ChatGPT ★★
SecurityThroughEducation.webp 2023-03-08 13:00:14 Influence Techniques in Everyday Life: Sales (direct link) People in many different professions use social engineering as a tool in everyday life. In the case of sales, social […] Tool ★★★
GoogleSec.webp 2023-03-08 12:04:53 OSV and the Vulnerability Life Cycle (direct link) Posted by Oliver Chang and Andrew Pollock, Google Open Source Security Team It is an interesting time for everyone concerned with open source vulnerabilities. The U.S. Executive Order on Improving the Nation's Cybersecurity requirements for vulnerability disclosure programs and assurances for software used by the US government will go into effect later this year. Finding and fixing security vulnerabilities has never been more important, yet with increasing interest in the area, the vulnerability management space has become fragmented: there are a lot of new tools and competing standards. In 2021, we announced the launch of OSV, a database of open source vulnerabilities built partially from vulnerabilities found through Google's OSS-Fuzz program. OSV has grown since then and now includes a widely adopted OpenSSF schema and a vulnerability scanner. In this blog post, we'll cover how these tools help maintainers track vulnerabilities from discovery to remediation, and how to use OSV together with other SBOM and VEX standards. Vulnerability Databases The lifecycle of a known vulnerability begins when it is discovered. To reach developers, the vulnerability needs to be added to a database. CVEs are the industry standard for describing vulnerabilities across all software, but there was a lack of an open source centric database. As a result, several independent vulnerability databases exist across different ecosystems. To address this, we announced the OSV Schema to unify open source vulnerability databases. The schema is machine readable, and is designed so dependencies can be easily matched to vulnerabilities using automation. The OSV Schema remains the only widely adopted schema that treats open source as a first class citizen.
Since becoming a part of OpenSSF, the OSV Schema has seen adoption from services like GitHub, ecosystems such as Rust and Python, and Linux distributions such as Rocky Linux. Thanks to such wide community adoption of the OSV Schema, OSV.dev is able to provide a distributed vulnerability database and service that pulls from language specific authoritative sources. In total, the OSV.dev database now includes 43,302 vulnerabilities from 16 ecosystems as of March 2023. Users can check OSV for a comprehensive view of all known vulnerabilities in open source. Every vulnerability in OSV.dev contains package manager versions and git commit hashes, so open source users can easily determine if their packages are impacted because of the familiar style of versioning. Maintainers are also familiar with OSV's community driven and distributed collaboration on the development of OSV's database, tools, and schema. Matching The next step in managing vulnerabilities is to determine project dependencies and their associated vulnerabilities. Last December we released OSV-Scanner, a free, open source tool which scans software projects' lockfiles, SBOMs, or git repositories to identify vulnerabilities found in the Tool Vulnerability ★★★★
GoogleSec.webp 2023-03-08 11:59:13 Thank you and goodbye to the Chrome Cleanup Tool (direct link) Posted by Jasika Bawa, Chrome Security Team Starting in Chrome 111 we will begin to turn down the Chrome Cleanup Tool, an application distributed to Chrome users on Windows to help find and remove unwanted software (UwS). Origin story The Chrome Cleanup Tool was introduced in 2015 to help users recover from unexpected settings changes, and to detect and remove unwanted software. To date, it has performed more than 80 million cleanups, helping to pave the way for a cleaner, safer web. A changing landscape In recent years, several factors have led us to reevaluate the need for this application to keep Chrome users on Windows safe. First, the user perspective – Chrome user complaints about UwS have continued to fall over the years, averaging out to around 3% of total complaints in the past year. Commensurate with this, we have observed a steady decline in UwS findings on users' machines. For example, last month just 0.06% of Chrome Cleanup Tool scans run by users detected known UwS. Next, several positive changes in the platform ecosystem have contributed to a more proactive safety stance than a reactive one. For example, Google Safe Browsing as well as antivirus software both block file-based UwS more effectively now, which was originally the goal of the Chrome Cleanup Tool. Where file-based UwS migrated over to extensions, our substantial investments in the Chrome Web Store review process have helped catch malicious extensions that violate the Chrome Web Store's policies. Finally, we've observed changing trends in the malware space with techniques such as Cookie Theft on the rise – as such, we've doubled down on defenses against such malware via a variety of improvements including hardened authentication workflows and advanced heuristics for blocking phishing and social engineering emails, malware landing pages, and downloads.
What to expect Starting in Chrome 111, users will no longer be able to request a Chrome Cleanup Tool scan through Safety Check or leverage the "Reset settings and cleanup" option offered in chrome://settings on Windows. Chrome will also remove the component that periodically scans Windows machines and prompts users for cleanup should it find anything suspicious. Even without the Chrome Cleanup Tool, users are automatically protected by Safe Browsing in Chrome. Users also have the option to turn on Enhanced protection by navigating to chrome://settings/security – this mode substantially increases protection from dangerous websites and downloads by sharing real-time data with Safe Browsing. While we'll miss the Chrome Cleanup Tool, we wanted to take this opportunity to acknowledge its role in combating UwS for the past 8 years. We'll continue to monitor user feedback and trends in the malware ecosystem, and when adversaries adapt their techniques again – which they will – we'll be at the ready. As always, please feel free to send us feedback or find us on Twitter @googlechrome. Malware Tool ★★★
DarkReading.webp 2023-03-07 19:50:00 Hacker Cracks Toyota Customer Search Tool (direct link) Flaw in Toyota's C360 customer relationship management tool exposed personal data of unknown number of customers in Mexico, a disclosure says. Tool ★★★★
Anomali.webp 2023-03-07 16:30:00 Anomali Cyber Watch: Mustang Panda Adopted MQTT Protocol, Redis Miner Optimization Risks Data Corruption, BlackLotus Bootkit Reintroduces Vulnerable UEFI Binaries (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Cryptojacking, Phishing, Ransomware, Secure boot bypass, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence MQsTTang: Mustang Panda’s Latest Backdoor Treads New Ground with Qt and MQTT (published: March 2, 2023) In early 2023, China-sponsored group Mustang Panda began experimenting with a new custom backdoor dubbed MQsTTang. The backdoor received its name based on the attribution and the unique use of the MQTT command and control (C2) communication protocol that is typically used for communication between IoT devices and controllers. To establish this protocol, MQsTTang uses the open source QMQTT library based on the Qt framework. MQsTTang is delivered through spearphishing malicious link pointing at a RAR archive with a single malicious executable. MQsTTang was delivered to targets in Australia, Bulgaria, Taiwan, and likely some other countries in Asia and Europe. Analyst Comment: Mustang Panda is likely exploring this communication protocol in an attempt to hide its C2 traffic. Defense-in-depth approach should be used to stop sophisticated threats that evolve and utilize various techniques of defense evasion. Sensitive government sector workers should be educated on spearphishing threats and be wary of executable files delivered in archives.
MITRE ATT&CK: [MITRE ATT&CK] T1583.003 - Acquire Infrastructure: Virtual Private Server | [MITRE ATT&CK] T1583.004 - Acquire Infrastructure: Server | [MITRE ATT&CK] T1587.001 - Develop Capabilities: Malware | [MITRE ATT&CK] T1588.002 - Obtain Capabilities: Tool | [MITRE ATT&CK] T1608.001 - Stage Capabilities: Upload Malware | [MITRE ATT&CK] T1608.002 - Stage Capabilities: Upload Tool | [MITRE ATT&CK] T1566.002 - Phishing: Spearphishing Link | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1204.002 - User Execution: Malicious File | [MITRE ATT&CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] T1036.004 - Masquerading: Masquerade Task Or Service | [MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location | [MITRE ATT&CK] T1480 - Execution Guardrails | [MITRE ATT&CK] T1622 - Debugger Evasion | Ransomware Malware Tool Vulnerability Threat Medical
Volexity.webp 2023-03-07 16:01:57 Using Memory Analysis to Detect EDR-Nullifying Malware (direct link) >In the ever-changing cybersecurity landscape, threat actors are forced to evolve and continually modify the tactics, techniques, and procedures (TTPs) they employ to launch and sustain attacks successfully. They are continually modifying their malware and command-execution methods to evade detection. The attackers in these cases are attempting to get a step ahead of security software at the most basic level. However, some techniques take a different approach, aiming further up the stack and directly taking on security software. The most brazen methods involve leveraging various tools that directly terminate or shut down security software. If successful, this method is effective at giving an attacker free rein on a system. However, it comes at the potential cost of alerting users or administrators that the software unexpectedly stopped reporting or was shut off. What about a technique that potentially flies a bit more under the radar? In November 2022, Trend Micro published a […]
Malware Tool Threat Prediction ★★★
InfoSecurityMag.webp 2023-03-07 13:15:00 Just 10% of Firms Can Resolve Cloud Threats in an Hour (direct link) Tool bloat is making it harder to detect and contain attacks Tool Cloud ★★
DarkReading.webp 2023-03-07 00:46:00 Machine Learning Improves Prediction of Exploited Vulnerabilities (direct link) The third iteration of the Exploit Prediction Scoring System (EPSS) performs 82% better than previous versions, giving companies a better tool for evaluating vulnerabilities and prioritizing patching. Tool ★★★★
Last update at: 2024-05-19 21:08:09