SEC News

What's new arround internet

Last one

Src	Date (GMT)	Titre	Description	Tags	Stories	Notes
	2024-05-22 14:00:00	Extinction de l'IOC?Les acteurs de cyber-espionnage de Chine-Nexus utilisent des réseaux orbes pour augmenter les coûts des défenseurs IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders (lien direct)	Written by: Michael Raggi Mandiant Intelligence is tracking a growing trend among China-nexus cyber espionage operations where advanced persistent threat (APT) actors utilize proxy networks known as “ORB networks” (operational relay box networks) to gain an advantage when conducting espionage operations. ORB networks are akin to botnets and are made up of virtual private servers (VPS), as well as compromised Internet of Things (IoT) devices, smart devices, and routers that are often end of life or unsupported by their manufacturers. Building networks of compromised devices allows ORB network administrators to easily grow the size of their ORB network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations. By using these mesh networks to conduct espionage operations, actors can disguise external traffic between command and control (C2) infrastructure and victim environments including vulnerable edge devices that are being exploited via zero-day vulnerabilities. These networks often use both rented VPS nodes in combination with malware designed to target routers so they can grow the number of devices capable of relaying traffic within compromised networks. Mandiant assesses with moderate confidence that this is an effort to raise the cost of defending an enterprise\'s network and shift the advantage toward espionage operators by evading detection and complicating attribution. Mandiant believes that if network defenders can shift the current enterprise defense paradigm away from treating adversary infrastructure like indicators of compromise (IOCs) and instead toward tracking ORB networks like evolving entities akin to APT groups, enterprises can contend with the rising challenge of ORB networks in the threat landscape. IOC Extinction and the Rise of ORB Networks The cybersecurity industry has reported on the APT practice of ORB network usage in the past as well as on the functional implementation of these networks. Less discussed are the implications of broad ORB network usage by a multitude of China-nexus espionage actors, which has become more common over recent years. The following are three key points and paradigm shifting implications about ORB networks that require enterprise network defenders to adapt the way they think about China-nexus espionage actors: ORB networks undermine the idea of “Actor-Controlled Infrastructure”: ORB networks are infrastructure networks administered by independent entities, contractors, or administrators within the People\'s Republic of China (PRC). They are not controlled by a single APT actor. ORB networks create a network interface, administer a network of compromised nodes, and contract access to those networks to multiple APT actors that will use the ORB networks to carry out their own distinct espionage and reconnaissance. These networks are not controlled by APT actors using them, but rather are temporarily used by these APT actors often to deploy custom tooling more conventionally attributable to known China-nexus adversaries. ORB network infrastructure has a short lifesp	Malware Tool Vulnerability Threat Prediction Cloud Commercial	APT 15 APT 5 APT 31	★★★
	2024-04-25 10:00:00	Pole Voûte: cyber-menaces aux élections mondiales Poll Vaulting: Cyber Threats to Global Elections (lien direct)	Written by: Kelli Vanderlee, Jamie Collier Executive Summary The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts. When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure. Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google\'s Advanced Protection Program to protect high-risk accounts. Introduction The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture. The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence.	Ransomware Malware Hack Tool Vulnerability Threat Legislation Cloud Technical	APT 40 APT 29 APT 28 APT 43 APT 31 APT 42	★★★
	2018-02-20 13:30:00	APT37 (Reaper): l'acteur nord-coréen négligé APT37 (Reaper): The Overlooked North Korean Actor (lien direct)	Le 2 février 2018, nous avons publié un Blog détaillant l'utilisation d'une vulnérabilité Adobe Flash Zero-Day (CVE-2018-4878) par un groupe de cyber-espionnage nord-coréen présumé que nous suivons maintenant comme APT37 (Reaper). Notre analyse de l'activité récente d'APT37 \\ révèle que les opérations du groupe \\ se développent en portée et en sophistication, avec un ensemble d'outils qui comprend l'accès aux vulnérabilités zéro-jour et aux logiciels malveillants d'essuie-glace.Nous évaluons avec une grande confiance que cette activité est réalisée au nom du gouvernement nord-coréen compte tenu des artefacts de développement de logiciels malveillants et ciblant qui s'aligne sur l'État nord-coréen On Feb. 2, 2018, we published a blog detailing the use of an Adobe Flash zero-day vulnerability (CVE-2018-4878) by a suspected North Korean cyber espionage group that we now track as APT37 (Reaper). Our analysis of APT37\'s recent activity reveals that the group\'s operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware. We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state	Malware Vulnerability	APT 37 APT 37	★★★★
	2017-12-07 17:00:00	Nouvelle attaque ciblée au Moyen-Orient par APT34, un groupe de menaces iranien présumé, en utilisant le CVE-2017-11882 Exploiter New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit (lien direct)	Moins d'une semaine après que Microsoft a publié un correctif pour CVE-2017-11882 Le 14 novembre 2017, Fireeye a observé un attaquant utilisant un exploit pour la vulnérabilité de Microsoft Office pour cibler une organisation gouvernementale au Moyen-Orient.Nous évaluons que cette activité a été réalisée par un groupe de menaces de cyber-espionnage iranien présumé, que nous appelons APT34, en utilisant une porte dérobée PowerShell personnalisée pour atteindre ses objectifs. Nous pensons que l'APT34 est impliqué dans une opération de cyber-espionnage à long terme largement axé sur les efforts de reconnaissance au profit des intérêts iraniens de l'État-nation et est opérationnel depuis Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber espionage threat group, whom we refer to as APT34, using a custom PowerShell backdoor to achieve its objectives. We believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at	Vulnerability Threat	APT 34 APT 34	★★★★
	2015-07-13 08:31:00	Démontrant Hustle, les groupes de l'APT chinois utilisent rapidement une vulnérabilité zéro-jour (CVE-2015-5119) après une fuite d'équipe de piratage Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak (lien direct)	Le Fireeye en tant qu'équipe de service a détecté des campagnes de phishing indépendantes menées par deux groupes de menace persistante avancés chinois (APT) que nous suivons, APT3 et APT18.Chaque groupe de menaces a rapidement profité d'une vulnérabilité zéro-jour (CVE-2015-5119), qui a été divulguée dans la divulgation des données internes de l'équipe de piratage.Adobe a publié un patch pour la vulnérabilité le 8 juillet 2015. Avant ce patcha été publié, les groupes ont lancé des campagnes de phishing contre plusieurs sociétés de l'aérospatiale et de la défense, de la construction et de l'ingénierie, de l'éducation, de l'énergie The FireEye as a Service team detected independent phishing campaigns conducted by two Chinese advanced persistent threat (APT) groups that we track, APT3 and APT18. Each threat group quickly took advantage of a zero-day vulnerability (CVE-2015-5119), which was leaked in the disclosure of Hacking Team\'s internal data. Adobe released a patch for the vulnerability on July 8, 2015. Before that patch was released, the groups launched phishing campaigns against multiple companies in the aerospace and defense, construction and engineering, education, energy	Vulnerability Threat	APT 18 APT 3	★★★★
	2015-06-23 11:21:00	Opération Clandestine Wolf & # 8211;Adobe Flash Zero-Day dans APT3 PHISHISHing Campagne Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign (lien direct)	En juin, Fireeye \'s Fireeye en tant que service Campagne de phishing exploitant une vulnérabilité Adobe Flash Player Zero-Day (CVE-2015-3113).Les e-mails des attaquants comprenaient des liens vers des serveurs Web compromis qui ont servi de contenu bénin ou d'un fichier de lecteur flash malveillant malveillant qui exploite CVE-2015-3113. Adobe a déjà publié un correctif pour CVE-2015-3113 avec un bulletin de sécurité hors bande ( https://helpx.adobe.com/security/products/flash-player/apsb15-14.html ).FireEye recommande aux utilisateurs d'Adobe Flash Player à mettre à jour la dernière version dès que possible. Fire In June, FireEye\'s FireEye as a Service team in Singapore uncovered a phishing campaign exploiting an Adobe Flash Player zero-day vulnerability (CVE-2015-3113). The attackers\' emails included links to compromised web servers that served either benign content or a malicious Adobe Flash Player file that exploits CVE-2015-3113. Adobe has already released a patch for CVE-2015-3113 with an out-of-band security bulletin (https://helpx.adobe.com/security/products/flash-player/apsb15-14.html). FireEye recommends that Adobe Flash Player users update to the latest version as soon as possible. Fire	Vulnerability	APT 3 APT 3	★★★★
	2014-11-21 19:36:00	Opération Double Tap Operation Double Tap (lien direct)	apt3 (également connu sous le nom d'UPS), les acteurs responsables de Operation Clandestine Fox a tranquillement continué à envoyer des vagues de messages de spearphish au cours des derniersmois.Cet acteur a lancé sa dernière campagne le 19 novembre 2014 ciblant plusieurs organisations.L'attaquant a exploité plusieurs exploits, ciblant les deux CVE-2014-6332 et CVE-2014-4113 .Le CVE-2014-6332 a été divulgué publiquement le 2014-2011-11 et est une vulnérabilité d'exécution de code à distance de tableau d'automatisation Windows Ole.CVE-2014-4113 est une vulnérabilité d'escalade privilégiée qui était divulgué publiquement le 2014-10-14 . l'utilisation de cve APT3 (also known as UPS), the actors responsible for Operation Clandestine Fox has quietly continued to send waves of spearphishing messages over the past few months. This actor initiated their most recent campaign on November 19, 2014 targeting multiple organizations. The attacker leveraged multiple exploits, targeting both CVE-2014-6332 and CVE-2014-4113. CVE-2014-6332 was disclosed publicly on 2014-11-11 and is a Windows OLE Automation Array Remote Code Execution vulnerability. CVE-2014-4113 is a privilege escalation vulnerability that was disclosed publicly on 2014-10-14. The use of CVE	Vulnerability Technical	APT 3 APT 3	★★★★

Last update at: 2024-07-01 10:08:03
See our sources.

To see everything: Our RSS (filtrered)