What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
InfoSecurityMag 2023-02-27 10:00:00 Governments Targeted by Discord-Based Threat Campaign (direct link) Threat actor delivers multiple malware types via PureCrypter Malware Threat ★★
Chercheur 2023-02-27 04:15:15 When Low-Tech Hacks Cause High-Impact Breaches (direct link) Web hosting giant GoDaddy made headlines this month when it disclosed that a multi-year breach allowed intruders to steal company source code, siphon customer and employee login credentials, and foist malware on customer websites. Media coverage understandably focused on GoDaddy's admission that it suffered three different cyberattacks over as many years at the hands of the same hacking group. But it's worth revisiting how this group typically got into targeted companies: by calling employees and tricking them into navigating to a phishing website. Malware ★★
NetworkWorld 2023-02-27 02:30:00 War tests Ukrainian telecom, internet resilience (direct link) One year after Russia's invasion of Ukraine, the country's overall resilience and defiance have been inspiring, but telecommunications and internet connectivity have grown much more difficult. Initially the country's internet network mostly withstood the war with some outages and slowdowns, but that has changed over time as the aggressors devote more effort to destroying physical locations and deploying malware and other cybersecurity weapons. For example, researchers at Top10VPN recently reported some distressing analysis including: Malware ★★
bleepingcomputer 2023-02-25 10:16:22 PureCrypter malware hits govt orgs with ransomware, info-stealers (direct link) A threat actor has been targeting government entities with the PureCrypter malware downloader, which has been seen delivering multiple information stealers and ransomware strains. [...] Ransomware Malware Threat ★★
TEAM_CYMRU_Blog 2023-02-24 20:24:50 Desde Chile con Malware (From Chile with Malware) (direct link) Spoiler Alert: They weren't actually from Chile. Introduction This blog post provides a short update on our ongoing tracking of... Malware ★★★★
no_ico 2023-02-24 16:07:11 New S1deload Malware Hijacking Youtube And Facebook Accounts (direct link) A new malware campaign called S1deload Stealer has been discovered by Bitdefender's Advanced Threat Control (ATC) team, targeting YouTube and Facebook users. The malware infects computers, hijacks social media accounts, and uses devices to mine cryptocurrency. Security researchers discovered that the malware uses DLL sideloading to evade detection. Bitdefender products detected over 600 unique users […] Malware Threat ★★★
01net 2023-02-24 12:35:31 macOS: this malware mines crypto on your Mac, at the expense of its performance (direct link) A malware designed to mine cryptocurrencies is currently targeting Macs, and especially computers with an Apple-designed M-series chip. To protect against the virus, experts recommend installing the Ventura update without delay. Malware
ESET 2023-02-24 10:30:09 A year of wiper attacks in Ukraine (direct link) ESET Research has compiled a timeline of cyberattacks that used wiper malware and have occurred since Russia's invasion of Ukraine in 2022 Malware ★★
News 2023-02-23 23:30:05 Suspected Russian NLBrute malware boss extradited to US (direct link) Dariy Pankov accused of infiltrating systems, selling tool and passwords to other miscreants. A Russian national accused of developing the NLBrute brute-force hacking tool has made his first court appearance this week in Florida over accusations that he used the tool to spawn a criminal empire.… Malware Tool ★★★
The_Hackers_News 2023-02-23 22:19:00 Hackers Using Trojanized macOS Apps to Deploy Evasive Cryptocurrency Mining Malware (direct link) Trojanized versions of legitimate applications are being used to deploy evasive cryptocurrency mining malware on macOS systems. Jamf Threat Labs, which made the discovery, said the XMRig coin miner was executed as Final Cut Pro, a video editing software from Apple, which contained an unauthorized modification. "This malware makes use of the Invisible Internet Project (i2p) [...] to download Malware Threat
RecordedFuture 2023-02-23 21:57:12 Russian accused of developing password-cracking tool extradited to US (direct link) A 28-year-old Russian malware developer was extradited to the U.S., where he could face up to 47 years in federal prison for allegedly creating and selling a malicious password-cracking tool. Dariy Pankov, also known as "dpxaker," developed what the Department of Justice called a "powerful" password-cracking program that he marketed and sold to other cybercriminals for a [… Malware Tool ★★
DarkReading 2023-02-23 21:54:44 Pirated Final Cut Pro for macOS Offers Stealth Malware Delivery (direct link) The number of people who have made the weaponized software available for sharing via torrent suggests that many unsuspecting victims may have downloaded the XMRig coin miner. Malware ★★
DarkReading 2023-02-23 19:54:00 Hydrochasma Threat Group Bombards Targets with Slew of Commodity Malware, Tools (direct link) A previously unidentified threat group uses open source malware and phishing to conduct cyber-espionage on shipping and medical labs associated with COVID-19 treatments and vaccines. Malware Threat Medical ★★★
RecordedFuture 2023-02-23 19:02:13 Hackers use ChatGPT phishing websites to infect users with malware (direct link) Cyble says cybercriminals are setting up phishing websites that mimic the branding of ChatGPT, an AI tool that has exploded in popularity Malware Tool ChatGPT ★★★
DarkReading 2023-02-23 18:50:35 Wiper Malware Surges Ahead, Spiking 53% in 3 Months (direct link) Cybercriminals and hacktivists have joined state-backed actors in using sabotage-bent malware in destructive attacks, new report shows. Malware ★★
CS 2023-02-23 18:20:55 Russian national accused of developing, selling malware appears in U.S. court (direct link) Dariy Pankov faces up to 47 years in prison on charges linked to credential sales and offering access to the NLBrute malware. Malware ★★★
The_Hackers_News 2023-02-23 17:17:00 Lazarus Group Using New WinorDLL64 Backdoor to Exfiltrate Sensitive Data (direct link) A new backdoor associated with a malware downloader named Wslink has been discovered, with the tool likely used by the notorious North Korea-aligned Lazarus Group, new findings reveal. The payload, dubbed WinorDLL64 by ESET, is a fully-featured implant that can exfiltrate, overwrite, and delete files; execute PowerShell commands; and obtain comprehensive information about the underlying machine. Malware Tool Medical APT 38
knowbe4 2023-02-23 16:28:45 Malware Report: The Number of Unique Phishing Emails in Q4 Rose by 36% (direct link) Malware Report: The Number of Unique Phishing Emails in Q4 Rose by 36% Malware ★★★
The_Hackers_News 2023-02-23 16:15:00 New S1deload Malware Hijacking Users' Social Media Accounts and Mining Cryptocurrency (direct link) An active malware campaign has set its sights on Facebook and YouTube users by leveraging a new information stealer to hijack the accounts and abuse the systems' resources to mine cryptocurrency. Bitdefender is calling the malware S1deload Stealer for its use of DLL side-loading techniques to get past security defenses and execute its malicious components. "Once infected, S1deload Stealer steals Malware
SecurityWeek 2023-02-23 14:47:00 Stealthy Mac Malware Delivered via Pirated Apps (direct link) Cybercriminals are delivering stealthy cryptojacking malware to Macs using pirated apps, and they could use the same method for other malware. Malware ★★
ArsTechnica 2023-02-23 14:29:50 (Déjà vu) Ukraine suffered more data-wiping malware than anywhere, ever (direct link) Russia has greatly accelerated cyberattacks on its neighbor in the wake of its invasion. Malware ★★
bleepingcomputer 2023-02-23 13:34:26 Pirated Final Cut Pro infects your Mac with cryptomining malware (direct link) Security researchers discovered a cryptomining operation targeting macOS with a malicious version of Final Cut Pro that remains largely undetected by antivirus engines. [...] Malware ★★★
globalsecuritymag 2023-02-23 13:17:09 Bitdefender - New Malware - S1deload Stealer - targeting Facebook and YouTube accounts (direct link) Bitdefender - New Malware - S1deload Stealer - targeting Facebook and YouTube accounts - Malwares Malware ★★
SecurityWeek 2023-02-23 12:59:09 Russian Accused of Developing NLBrute Malware Extradited to US (direct link) A Russian malware developer behind the NLBrute brute-forcing tool has been extradited to the United States from Georgia. Malware Tool ★★
bleepingcomputer 2023-02-23 12:36:04 Russian malware dev behind NLBrute hacking tool extradited to US (direct link) A Russian malware developer accused of creating and selling the NLBrute password-cracking tool was extradited to the United States after being arrested in the Republic of Georgia last year on October 4. [...] Malware Tool ★★★
AlienVault 2023-02-23 11:00:00 Stories from the SOC - The case for human response actions (direct link) Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers. Executive summary As we move towards more automation, we should remember the risk of over-automating, or at least make a conscious decision to accept the risks. This is especially important in automating response actions, which left unchecked could wreak havoc with day-to-day business operations. Investigation The alarm One evening after normal business hours, an alarm came in indicating that a software package attempting to execute on a server was auto-mitigated by SentinelOne. The software package was behaving in a way that was taken as attempting to evade detection by the SentinelOne agent and was therefore rated as "Malicious" by the SentinelOne Artificial Intelligence logic. Since the server on which the software package was attempting to execute had a "Protect" policy applied, the auto-mitigation steps for a dynamically detected "Malicious" rating included killing and quarantining the process. A "policy" setting in SentinelOne is the defined level of automated response activity the endpoint detection and response (EDR) tool has permission to perform for each grouping of assets. Whereas a "Detect" policy will create an alert that can be managed for post-investigation response actions, a policy setting of "Protect" will take automated response actions. The intrusion level of those automated response actions can be customized, but they all perform an automated action without a person looking at the situation first. The below image is for an alarm for malware which ended up being process automation software but nonetheless was auto-mitigated (process killed) by SentinelOne, as shown in the log excerpt below. The business impact The next morning, with business hours back in full swing, the customer reached out to us concerned about the result of the automated response action. The customer stated that the software package is a critical part of their business infrastructure and should never be stopped from executing. The software had been running on that same server for the prior several months, since entering SOC monitoring. The customer questioned why, after several months with the SentinelOne agent running on the server, the agent suddenly believed the software package was malicious. We were not able to answer the question specifically, since the decision-making behind identifying and rating a process as "Malicious" versus "Suspicious" or benign is proprietary logic. What we could state is that any EDR solution worth its price will continually update indicator of compromise (IOC) signatures. Any worthwhile EDR solution will also include not only static detection but also behavior-based dynamic detection. In the case of SentinelOne, there is pre-execution behavior analysis that allows for process termination pre-execution as well. And of course, any software package run on a server is subject to updates for security, efficiency, or product feature upgrades. Taken as a whole, it means any endpoint being protected is a very dynamic battleground, with the potential for an updated software package that did not trigger IOC rules yesterday triggering them today. Or a non-updated software package may suddenly be identified as potentially malicious due to updated machine learning IOC behavior analysis. Remember when Malware Tool ★★★
Logo_logpoint 2023-02-23 09:57:34 Russia V Ukraine: Round two – Gamma Edition (direct link) By Nilaa Maharjan; Logpoint Global Services & Security Research. Contents: What has happened? Anticipating the anniversary. Gamaredon: Who are they? The impact of these malware strains? Download Report: Russia V Ukraine: Round two - Gamma Edition. A year on since the first attack on Ukrainian territory and the unofficial beginning of the cyber war, the Secretary of Ukraine's National Security and Defense [...] Malware ★★
InfoSecurityMag 2023-02-23 09:50:00 Russian Invasion Sparks Global Wiper Malware Surge (direct link) Fortinet detected a 50% increase in destructive attacks in H2 2022 Malware ★★
01net 2023-02-23 09:25:51 A fake ChatGPT app for Windows threatens to hijack your Facebook, TikTok and Google accounts (direct link) A fake ChatGPT application for Windows PCs is spreading on social networks. It hides malware capable of stealing Facebook, TikTok and Google account credentials. Malware ChatGPT ★★
InfoSecurityMag 2023-02-23 09:20:00 Phishing Sites and Apps Use ChatGPT as Lure (direct link) Campaigns designed to steal card information and install malware Malware ChatGPT ★★
The_State_of_Security 2023-02-23 09:07:44 Fake ChatGPT apps spread Windows and Android malware (direct link) OpenAI's ChatGPT chatbot has been a phenomenon, taking the internet by storm. Whether it is composing poetry, writing essays for college students, or finding bugs in computer code, it has impressed millions of people and proven itself to be the most accessible form of artificial intelligence ever seen. Yes, there are plenty of fears about how the technology could be used and abused, questions to be answered about its ethical use and how regulators might police its use, and worries that some may not realise that ChatGPT is not as smart as it initially appears. But no-one can deny that it has... Malware ChatGPT ★★
bleepingcomputer 2023-02-23 06:00:00 Clasiopa hackers use new Atharvan malware in targeted attacks (direct link) Security researchers have observed a hacking group targeting companies in the materials research sector with a unique toolset that includes a custom remote access trojan (RAT) called Atharvan. [...] Malware ★★
Blog 2023-02-23 02:00:00 Anti-Forensic Techniques Used By Lazarus Group (direct link) Since approximately a year ago, the Lazarus group's malware has been discovered in various Korean companies related to national defense, satellites, software, and media press. The AhnLab ASEC analysis team has been continuously tracking the Lazarus threat group's activities and other related TTPs. Among the recent cases, this post aims to share the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group. Overview Definition of Anti-Forensics Anti-forensics refers to the tampering of evidence in... Malware Threat Medical APT 38 ★★
Blog 2023-02-23 01:03:51 ChromeLoader Disguised as Illegal Game Programs Being Distributed (direct link) Since the previous year, there has been a steady increase in cases where disk image files, such as ISO and VHD, have been used in malware distribution. These have been covered several times in previous ASEC blog posts. This post will cover a recent discovery of ChromeLoader being distributed using VHD files. These VHD files are being distributed with filenames that make them appear like either hacks or cracks for Nintendo and Steam games. Some of the filenames used in... Malware ★★
Blog 2023-02-23 00:00:00 Distribution of Malware Exploiting Vulnerable Innorix: Andariel (direct link) The ASEC (AhnLab Security Emergency response Center) analysis team has discovered the distribution of malware targeting users with vulnerable versions of Innorix Agent. The collected malware is a backdoor that attempts to connect to a C&C server. The exploited Innorix Agent is a file transfer solution client. Details about the vulnerability were posted by the Korea Internet & Security Agency (KISA)[1], where the INNORIX Agent versions that required the security updates were identified as version 9.2.18.450 and an earlier version,... Malware Vulnerability ★★
RecordedFuture 2023-02-22 21:25:30 House Democrats want briefing on domestic terrorism at energy facilities, including malware (direct link) Democrats in the House asked CISA and DHS for a briefing about domestic terrorists, including cyberattacks against energy infrastructure Malware ★★
Anomali 2023-02-22 19:12:00 Anomali Cyber Watch: Earth Kitsune Uses Chrome Native Messaging for Persistence, WIP26 Targets Middle East Telco from Abused Clouds, Azerbaijan-Sponsored Group Geofenced Its Payloads to Armenian IPs (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Abused cloud instances, APT, Armenia, Azerbaijan, Cyberespionage, Phishing, Social engineering, and Watering hole attacks. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Coinbase Cyberattack Targeted Employees with Fake SMS Alert (published: February 20, 2023) On February 5th, 2023, several employees at the Coinbase cryptocurrency exchange platform received a fake SMS alert on their mobile phones. The message indicated that they needed to urgently log in via the link provided to receive an important message. One employee got phished by the attackers, but they failed to log in due to the MFA restrictions. The attackers, likely associated with the previously-documented 0ktapus phishing campaign, proceeded to call the employee and phish him for more information by pretending to be from the corporate IT. Coinbase was able to detect the unusual activity and stop the breach, although the attackers obtained some contact information belonging to multiple Coinbase employees in addition to the login credentials of the phished user. Analyst Comment: Network defenders are advised to monitor for access attempts from a third-party VPN provider, such as Mullvad VPN. Monitor for download of remote desktop viewers such as AnyDesk or ISL Online. Set up monitoring for incoming phone calls / text messages from Bandwidth dot com, Google Voice, Skype, and Vonage/Nexmo. Anomali Premium Domain Monitoring service notifies customers regarding registration of potential phishing domains. And as always with these types of social engineering attacks, employee awareness is key - not just of the threat but of how to independently verify the legitimacy of any contact and what to do with anything suspicious. MITRE ATT&CK: [MITRE ATT&CK] T1566.002 - Phishing: Spearphishing Link | [MITRE ATT&CK] T1204 - User Execution | [MITRE ATT&CK] T1219 - Remote Access Software Tags: campaign:0ktapus, Coinbase, Social engineering, SMS, Typosquatting, AnyDesk, ISL Online, Mullvad VPN, Google Voice, Skype, Vonage/Nexmo, Bandwidth, Browser extension, EditThisCookie Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack (published: February 17, 2023) Since the end of 2022, a new campaign by the state-sponsored Earth Kitsune group targets visitors of pro-North Korea websites. A malicious JavaScript embedded into their video pages prompts a viewer to download a codec installer. Only visitors from particular subnets located in Nagoya, Japan and Shenyang, China, and users of a VPN provider in Brazil are receiving the malicious payload. The legitimate codec installer was patched to increase the PE image size and add an additional section. The attackers employ elliptic cryptography to protect encryption keys and use rare hashing algorithms: 32-bit Fowler-Noll-Vo hash (FNV-1) to compute machine IDs and a 32-bit Murmur3 hash of the 16-byte AES key to compute the Malware Tool Threat Guideline ★★
CS 2023-02-22 17:58:07 The Energy Department's Puesh Kumar on grid hacking, Ukraine and Pipedream malware (direct link) Puesh Kumar, director of the Office of Cybersecurity, Energy Security, and Emergency Response, discusses how the DOE fends off hackers. Malware ★★
bleepingcomputer 2023-02-22 16:58:19 Hackers use fake ChatGPT apps to push Windows, Android malware (direct link) Threat actors are actively exploiting the popularity of OpenAI's ChatGPT AI tool to distribute Windows malware, infect Android devices with spyware, or direct unsuspecting victims to phishing pages. [...] Malware Tool Threat ChatGPT ★★★
globalsecuritymag 2023-02-22 16:25:56 A new malware steals social media credentials by posing as a ChatGPT application (direct link) A new malware steals social media credentials by posing as a ChatGPT application - Malwares Malware ChatGPT ★★★
bleepingcomputer 2023-02-22 12:27:52 New S1deload Stealer malware hijacks Youtube, Facebook accounts (direct link) An ongoing malware campaign targets YouTube and Facebook users, infecting their computers with a new information stealer that will hijack their social media accounts and use their devices to mine for cryptocurrency. [...] Malware ★★
WiredThreatLevel 2023-02-22 12:00:00 Ukraine Suffered More Wiper Malware in 2022 Than Anywhere, Ever (direct link) As Russia has accelerated its cyberattacks on its neighbor, it's barraged the country with an unprecedented volume of different data-destroying programs. Malware ★★★
Blog 2023-02-22 07:19:07 (Déjà vu) ASEC Weekly Malware Statistics (February 13th, 2023 – February 19th, 2023) (direct link) The AhnLab Security response Center (ASEC) analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 13th, 2023 (Monday) to February 19th, 2023 (Sunday). For the main category, backdoor ranked top with 50.8%, followed by downloader with 41.0%, Infostealer with 7.3%, ransomware with 0.8%, and CoinMiner with 0.2%. Top 1 – RedLine RedLine ranked first place with 49.4%. The malware steals various information such as... Ransomware Malware ★★
The_Hackers_News 2023-02-21 16:05:00 Researchers Discover Dozens of Samples of Information Stealer 'Stealc' in the Wild (direct link) A new information stealer called Stealc that's being advertised on the dark web could emerge as a worthy competitor to other malware of its ilk. "The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars, and RedLine stealers," SEKOIA said in a Monday report. The French cybersecurity company said it discovered more than 40 Malware Threat ★★★
Blog 2023-02-21 07:31:13 GUEST ESSAY: Too many SMBs continue to pay ransomware crooks - exacerbating the problem (direct link) Well-placed malware can cause crippling losses – especially for small and mid-sized businesses. Related: Threat detection for SMBs improves. Not only do cyberattacks cost SMBs money, but the damage to a brand's reputation can also hurt growth and trigger the … (more…) Ransomware Malware ★★
Blog 2023-02-21 01:00:00 HWP Malware Using the Steganography Technique: RedEyes (ScarCruft) (direct link) In January, the ASEC (AhnLab Security Emergency response Center) analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report will share the RedEyes group's latest activity in Korea. 1. Overview The RedEyes group is known for targeting specific individuals and not corporations, stealing not only personal PC information but also the mobile phone data of their targets. A distinct characteristic of the... Malware Vulnerability Threat Cloud APT 37 ★★★
Fortinet 2023-02-20 23:26:00 More Supply Chain Attacks via New Malicious Python Packages in PyPi (direct link) Read how the FortiGuard Labs team discovered another 0-day attack in the PyPI packages (Python Package Index) by the malware authors 'Portgual' and 'Brazil'. Malware ★★★
InfoSecurityMag 2023-02-20 17:00:00 GoDaddy Announces Source Code Stolen and Malware Installed in Breach (direct link) An unauthorized party caused the intermittent redirection of customer websites Malware
The_Hackers_News 2023-02-20 16:32:00 How to Detect New Threats via Suspicious Activities (direct link) Unknown malware presents a significant cybersecurity threat and can cause serious damage to organizations and individuals alike. When left undetected, malicious code can gain access to confidential information, corrupt data, and allow attackers to gain control of systems. Find out how to avoid these circumstances and detect unknown malicious behavior efficiently. Challenges of new threats' Malware Threat ★★★
bleepingcomputer 2023-02-20 16:27:42 New Stealc malware emerges with a wide set of stealing capabilities (direct link) A new information stealer called Stealc has emerged on the dark web, gaining traction due to aggressive promotion of its stealing capabilities and similarities with malware of the same kind like Vidar, Raccoon, Mars, and Redline. [...] Malware ★★
Last update at: 2024-07-17 18:08:42