SEC News

What's new arround internet

Last one

Src	Date (GMT)	Titre	Description	Tags	Stories	Notes
	2024-05-01 20:56:45	La campagne de logiciels malveillants tente la maltraitance des binaires de sophos Malware Campaign Attempts Abuse of Sophos Binaries (lien direct)	## Instantané Sophos discute d'une campagne de ransomwares qui exploite des exécutables et des DLL légitimes de Sophos en modifiant leur contenu d'origine, en écrasant le code de point d'entrée et en insérant la charge utile déchiffrée comme ressource. ## Description Cette usurpation d'identité des fichiers légitimes vise à infiltrer les systèmes.L'enquête a révélé plusieurs charges utiles, telles que Cobalt Strike, Brute Ratel, Qakbot et Latrodectus, indiquant l'implication de plus d'un groupe criminel. L'accès initial aux systèmes des victimes \\ 'impliquait l'utilisation de chargeurs JavaScript envoyés par e-mail.Le comportement malveillant vise à confondre les analystes en se déguisant en fichiers légitimes, en évitant potentiellement la détection.Les attaquants ont ciblé plusieurs exécutables Sophos And dlls, y compris sophosleanup.exe, sophosfstelemetry.exe, sophosfx.exe, sophosintelixpackager.exe, sophosntpuninstall.eXE, Healthapi.dll et Sophosuninstall.exe.Ces fichiers se sont révélés malveillants et ont été associés à diverses charges utiles et connexions C2. ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact des menaces de ransomware. - Allumez [Protection en livraison du cloud] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-lock-at-first-sight-microsoft-defender-asvirus?ocid=magicti_ta_learndoc)Dans Microsoft Defender Antivirus ou l'équivalent pour que votre produit antivirus couvre des outils et techniques d'attaquant en évolution rapide.Les protections d'apprentissage automatique basées sur le cloud bloquent une énorme majorité de variantes nouvelles et inconnues. - Allumez [Protection Tamper] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?ocid=Magicti_TA_LearnDoc).Empêcher les attaquants d'empêcher les services de sécurité. - Exécutez [Détection et réponse de point de terminaison (EDR) en mode bloc] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-lock-mode?ocid=Magicti_TA_Learndoc), de sorte que celaLe défenseur du point final peut bloquer les artefacts malveillants, même lorsque votre antivirus non microsoft ne détecte pas la menace ou lorsque Microsoft Defender Antivirus fonctionne en mode passif.EDR en mode bloc fonctionne dans les coulisses pour corriger les artefacts malveillants détectés après la durée. - Activer [Investigation and Remediation] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?ocid=Magicti_TA_Learndoc) en mode automatisé complet pour permettre au défenseur de prendre une action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate surAlertes pour résoudre les violations, réduisant considérablement le volume d'alerte. - Les clients de Microsoft Defender peuvent activer [Règles de réduction de la surface d'attaque] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?ocid=Magicti_TA_LearnDoc) pour prévenir les techniques d'attaque communes utilisées utilisées	Ransomware Malware Tool Threat		★★
	2024-05-01 19:46:49	Attaque "Stream Dirty": découvrir et atténuer un modèle de vulnérabilité commun dans les applications Android “Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps (lien direct)	## Snapshot Microsoft discovered a path traversal-affiliated vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application\'s home directory. The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application\'s implementation. Arbitrary code execution can provide a threat actor with full control over an application\'s behavior. Meanwhile, token theft can provide a threat actor with access to the user\'s accounts and sensitive data. We identified several vulnerable applications in the Google Play Store that represented over four billion installations. We anticipate that the vulnerability pattern could be found in other applications. We\'re sharing this research so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent introducing such vulnerabilities into new apps or releases. As threats across all platforms continue to evolve, industry collaboration among security researchers, security vendors, and the broader security community is essential in improving security for all. Microsoft remains committed to working with the security community to share vulnerability discoveries and threat intelligence to protect users across platforms. After discovering this issue, we identified several vulnerable applications. As part of our responsible disclosure policy, we notified application developers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) and worked with them to address the issue. We would like to thank the Xiaomi, Inc. and WPS Office security teams for investigating and fixing the issue. As of February 2024, fixes have been deployed for the aforementioned apps, and users are advised to keep their device and installed applications up to date. Recognizing that more applications could be affected, we acted to increase developer awareness of the issue by collaborating with Google to publish an article on the Android Developers website, providing guidance in a high-visibility location to help developers avoid introducing this vulnerability pattern into their applications. We also wish to thank Google\'s Android Application Security Research team for their partnership in resolving this issue. In this post, we continue to raise developer and user awareness by giving a general overview of the vulnerability pattern, and then focusing on Android share targets, as they are the most prone to these types of attacks. We go through an actual code execution case study where we demonstrate impact that extends beyond the mobile device\'s scope and could even affect a local network. Finally, we provide guidance to users and application developers and illustrate the importance of collaboration to improve security for all. ## Activity Overview ### Data and file sharing on Android The Android operating system enforces isolation by assigning each application its own dedicated data and memory space. To facilitate data and file sharing, Android provides a component called a content provider, which acts as an interface for managing and exposing data to the rest of the installed applications in a secure manner. When used correctly, a content provider provides a reliable solution. However, improper implementation can introduce vulnerabilities that could enable bypassing of read/write restrictions within an application\'s home directory. The Android software development kit (SDK) includes the [FileProvider](https://developer.android.com/reference/androidx/core/content/FileProvider) class, a subclass of ContentProvider that enables file sharing between installed applications. An application that needs to share its files with other applications can declare a FileProvider in its app manifest and declare the specific paths to share. Every file provider has a property called authority, which identifies it system-wide, and can b	Tool Vulnerability Threat Studies Mobile Technical		★★★
	2024-05-01 19:01:06	Muddywater Campaign abuse d'agents Atera MuddyWater Campaign Abusing Atera Agents (lien direct)	#### Targeted Geolocations - Israel - India - Algeria - Italy - Egypt - Türkiye #### Targeted Industries - Transportation Systems - Aviation - Information Technology - Healthcare & Public Health - Government Agencies & Services - General Public Services - Federal ## Snapshot Researchers at HarfangLab have been monitoring a campaign by Iran-based threat group MuddyWater, tracked by Microsoft as [Mango Sandstorm](https://sip.security.microsoft.com/intel-profiles/36949e052b63fa06ee586aef3d1fec8dd2e1b567e231d88c28c16299f9b25340), characterized by the use of Remote Monitoring and Management (RMM) tools. Microsoft tracks this actor as Mango Sandstorm, [read more about them here](https://sip.security.microsoft.com/intel-profiles/36949e052b63fa06ee586aef3d1fec8dd2e1b567e231d88c28c16299f9b25340). ## Description According to HarfangLab, MuddyWater has been utilizing legitimate RMM software in its attacks since at least 2021, but has been monitoring this campaign using Atera Agent since October 2023. Leveraging Atera\'s free trial offers, the agents seen in this campaign have been registered using both compromised enterprise and personal email accounts. The infection chain in this campaign begins with the deployment of spearphishing emails. These emails are highly tailored to the victim organization and contain malicious attachments or links. Upon interaction, MuddyWater leverages free file sharing sites to host the RMM software, in this case Atera Agent, giving the group remote access and control over compromised systems. The group likely does not rely on the Subsequently, the group is able to execute commands, conduct reconnaissance, and move laterally across the network facilitating the deployment of additional malware payloads enabling the group to maintain persistence and exfiltrate sensitive data. ## Microsoft Analysis Microsoft Threat Intelligence has identified that this campaign is likely attributed to the actor Microsoft tracks as Mango Sandstorm, an Iranian nation-state actor with ties to Iran\'s Ministry of Intelligence and Security (MOIS). In past operations, Mango Sandstorm has primarily, but not exclusively, sought to collect information assessed to have strategic value, typically from organizations in the aviation, education, defense, energy, government, and telecommunications sectors in the Middle East and North Africa. Mango Sandstorm tends to favor spearphishing attacks. In this and prior campaigns, the group has been observed using commercial RMM tools to achieve persistence in a target environment. Mango Sandstorm has been identified attempting to deliver Atera, SimpleHelp, RPort, N-able Advanced Monitoring Agent, Splashtop, Syncro, and AnyConnect. ## Detections As tools used in these types of campaigns might have legitimate uses, they are not typically detected as malicious, and proactive hunting is recommended. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of activity associated with Mango Sandstorm\'s operations. - Use the Attack Simulator in Microsoft Defender for Office 365 to organize realistic, yet safe, simulated phishing and password attack campaigns in your organization by training end users against clicking URLs in unsolicited messages and disclosing their credentials. Training should include checking for poor spelling and grammar in phishing emails or the application\'s consent screen as well as spoofed app names, logos and domain URLs appearing to originate from legitimate applications or companies. Note: Attack Simulator testing currently only supports phishing emails containing links. - Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. - Harden internet-facing assets and identify and se	Malware Tool Threat Medical Commercial		★★★
	2024-05-01 17:11:23	Nord Security présente Nordstellar Nord Security introduces NordStellar (lien direct)	Les créateurs de NordVPN lance Nordstellar, une nouvelle plateforme de gestion de l'exposition aux menaces pour les entreprises ● Nordstellar permet aux entreprises de réduire les temps de détection des fuites de données et de minimiser les risques pour une organisation ● Pendant plusieurs années, la plate-forme a été utilisée et testée comme un outil interne, désormais mis à la disposition du public ● C'est la troisième solution B2B par Nord Security, y compris un gestionnaire de mots de passe pour les entreprises - Nordpass, et une solution de sécurité d'accès au réseau - Nordlayer ● Cette année, la société a également lancé Saily - un service ESIM - revues de produits The creators of NordVPN launches NordStellar, a new threat exposure management platform for businesses ● NordStellar allows companies to cut down on data leak detection times and minimize risk to an organization ● For several years, the platform was used and tested as an internal tool, now made available to the public ● It\'s the third B2B solution by Nord Security, including a password manager for businesses - NordPass, and a network access security solution - NordLayer ● This year, the company also launched Saily - an eSIM service - Product Reviews	Tool Threat		★★
	2024-05-01 16:33:00	Tout le monde est un expert: comment autonomiser vos employés pour le succès de la cybersécurité Everyone\\'s an Expert: How to Empower Your Employees for Cybersecurity Success (lien direct)	Il y a un désir humain naturel d'éviter les scénarios menaçants. & Nbsp; L'ironie, bien sûr, est si vous espérez atteindre un semblant de sécurité, & nbsp; vous êtes arrivé à & nbsp; rester prêt à affronter ces & nbsp; très nbsp;mêmes menaces. En tant que décideur pour votre organisation, vous le savez bien.Mais peu importe le nombre d'experts ou d'outils de cybersécurité de confiance, votre organisation a une garde debout, There\'s a natural human desire to avoid threatening scenarios. The irony, of course, is if you hope to attain any semblance of security, you\'ve got to remain prepared to confront those very same threats. As a decision-maker for your organization, you know this well. But no matter how many experts or trusted cybersecurity tools your organization has a standing guard,	Tool		★★
	2024-05-01 14:00:00	Uncharmed: Untangling Iran\'s APT42 Operations (lien direct)	Written by: Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, Jonathan Leathery APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists. Mandiant assesses APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). APT42 was observed posing as journalists and event organizers to build trust with their victims through ongoing correspondence, and to deliver invitations to conferences or legitimate documents. These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments. Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, while relying on built-in features and open-source tools to avoid detection. In addition to cloud operations, we also outline recent malware-based APT42 operations using two custom backdoors: NICECURL and TAMECAT. These backdoors are delivered via spear phishing, providing the attackers with initial access that might be used as a command execution interface or as a jumping point to deploy additional malware. APT42 targeting and missions are consistent with its assessed affiliation with the IRGC-IO, which is a part of the Iranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic Republic and domestic unrest. APT42 activities overlap with the publicly reported actors CALANQUE (Google Threat Analysis Group), Charming Kitten (ClearSky and CERTFA), Mint Sandstorm/Phosphorus (Microsoft), TA453 (Proofpoint), Yellow Garuda (PwC), and ITG18 (	Malware Tool Threat Cloud	Yahoo APT 35 APT 42	★★
	2024-05-01 11:26:49	Kapeka : De nouveaux outils dans l\'Arsenal de SandStorm (lien direct)	EN BREF :Kapeka, également connu sous le nom de KnuckleTouch, est apparu initialement mi-2022 mais a été officiellement repéré en 2024 en raison d'attaques de portée limitée, notamment en Europe de l'Est.La backdoor Kapeka est liée au groupe Sandstorm, dirigé par le groupe militaire russe 74455 et connu pour perturber les cyberactivités.Les opérations de Sandstorm, notamment [...]	Tool		★★
	2024-05-01 10:00:00	Histoires du SOC & # 8211;Combattre les escroqueries «alertes de sécurité» Stories from the SOC – Combating “Security Alert” Scams (lien direct)	Executive Summary The “Security Alert” scam is a prevalent tech-support fraud that threatens both Windows and Apple users. It exploits the trust of users by masquerading as an official support site, using fake pop-up warnings to lure users into dialing scam phone numbers by conveying a sense of urgency. The ultimate goal is gaining remote access to the user’s system and pilfering personal data to extort money. Combating a “Security Alert” scam is difficult on many fronts because most of the time attackers leverage newly registered domains, which means there is a lack of malicious OSINT (open-source intelligence), and they are able to bypass traditional detection methods. To gain remote access, attackers need the end user to call into a fraudulent support team to install a Remote Desktop Protocol (RDP) tool. An endpoint detection and response (EDR) tool might not catch the initial intrusion as such tools are also used for legitimate business reasons. The most successful way to combat phishing/scams is by end-user education and communication with the IT department. In a recent incident, a fake “Microsoft Security Alert” domain targeted one of our Managed Endpoint Security with SentinelOne customers, causing alarm for the end users and IT staff, but fortunately, the end user did not fall into the trap of calling the fraudulent number. The customer immediately contacted their assigned Threat Hunter for support and guidance, and the Threat Hunter was able to quickly utilize the security measures in place, locate multiple domains, and report them to the Alien Labs threat intelligence team. AT&T Cybersecurity was one of the first cybersecurity companies to alert on the domains and share the information via the Open Threat Exchange (OTX) threat intelligence sharing community, helping other organizations protect against it. Investigation Initial Alarm Review Indicators of Compromise (IOCs) The initial security layers failed to raise alarms for several reasons. First, the firewalls did not block the domain because it was newly registered and therefore not yet on any known block lists. Second, the platform did not create any alarms because the domain’s SSL certificates were properly configured. Finally, the EDR tool did not alert because no downloads were initiated from the website. The first indication of an issue came from an end user who feared a hack and reported it to the internal IT team. Utilizing the information provided by the end user, the Threat Hunter was able to locate the user\'s asset. Sniffing the URL data revealed a deceptive “Microsoft Security Alert” domain and a counterfeit McAfee website. These were detected largely because of improvements recommended during the customer\'s monthly meetings with the Threat Hunter, including a recommendation to activate the SentinelOne Deep Visibility browser extension, which is the tool that was instrumental in capturing URL information with greater accuracy after all the redirects. Figure I – Fake Microsoft Support page Figure 2 – Fake McAfee page Artifact (Indicator of Compromise) IOC Fake McAfee Page bavareafastrak[.]org Website Hosting Scam Pages Galaxytracke[.]com Zip file hash Tizer.zip - 43fb8fb69d5cbb8d8651af075059a8d96735a0d5 Figure 3 – Indicators of compromise Expanded Investigation Events Search With the understanding that the e	Hack Tool Threat		★★
	2024-05-01 05:12:14	Quelle est la meilleure façon d'arrêter la perte de données Genai?Adopter une approche centrée sur l'homme What\\'s the Best Way to Stop GenAI Data Loss? Take a Human-Centric Approach (lien direct)	Chief information security officers (CISOs) face a daunting challenge as they work to integrate generative AI (GenAI) tools into business workflows. Robust data protection measures are important to protect sensitive data from being leaked through GenAI tools. But CISOs can\'t just block access to GenAI tools entirely. They must find ways to give users access because these tools increase productivity and drive innovation. Unfortunately, legacy data loss prevention (DLP) tools can\'t help with achieving the delicate balance between security and usability. Today\'s release of Proofpoint DLP Transform changes all that. It provides a modern alternative to legacy DLP tools in a single, economically attractive package. Its innovative features help CISOs strike the right balance between protecting data and usability. It\'s the latest addition to our award-winning DLP solution, which was recognized as a 2024 Gartner® Peer Insights™ Customers\' Choice for Data Loss Prevention. Proofpoint was the only vendor that placed in the upper right “Customers\' Choice” Quadrant. In this blog, we\'ll dig into some of our latest research about GenAI and data loss risks. And we\'ll explain how Proofpoint DLP Transform provides you with a human-centric approach to reduce those risks. GenAI increases data loss risks Users can make great leaps in productivity with ChatGPT and other GenAI tools. However, GenAI also introduces a new channel for data loss. Employees often enter confidential data into these tools as they use them to expedite their tasks. Security pros are worried, too. Recent Proofpoint research shows that: Generative AI is the fastest-growing area of concern for CISOs 59% of board members believe that GenAI is a security risk for their business “Browsing GenAI sites” is one of the top five alert scenarios configured by companies that use Proofpoint Information Protection Valuable business data like mergers and acquisitions (M&A) documents, supplier contracts, and price lists are listed as the top data to protect A big problem faced by CISOs is that legacy DLP tools can\'t capture user behavior and respond to natural language processing-based user interfaces. This leaves security gaps. That\'s why they often use blunt tools like web filtering to block employees from using GenAI apps altogether. You can\'t enforce acceptable use policies for GenAI if you don\'t understand your content and how employees are interacting with it. If you want your employees to use these tools without putting your data security at risk, you need to take a human-centric approach to data loss. A human-centric approach stops data loss With a human-centric approach, you can detect data loss risk across endpoints and cloud apps like Microsoft 365, Google Workspace and Salesforce with speed. Insights into user intent allow you to move fast and take the right steps to respond to data risk. Proofpoint DLP Transform takes a human-centric approach to solving the security gaps with GenAI. It understands employee behavior as well as the data that they are handling. It surgically allows and disallows employees to use GenAI tools such as OpenAI ChatGPT and Google Gemini based on employee behavior and content inputs, even if the data has been manipulated or has gone through multiple channels (email, web, endpoint or cloud) before reaching it. Proofpoint DLP Transform accurately identifies sensitive content using classical content and LLM-powered data classifiers and provides deep visibility into user behavior. This added context enables analysts to reach high-fidelity verdicts about data risk across all key channels including email, cloud, and managed and unmanaged endpoints. With a unified console and powerful analytics, Proofpoint DLP Transform can accelerate incident resolution natively or as part of the security operations (SOC) ecosystem. It is built on a cloud-native architecture and features modern privacy controls. Its lightweight and highly stable user-mode agent is unique in	Tool Medical Cloud	ChatGPT	★★★
	2024-04-30 19:13:26	Résoudre le dilemme du service d'assistance avec p-dem Solving the Help Desk Dilemma with P-DEM (lien direct)	> Une dure réalité pour les entreprises et les agents de l'entreprise d'Enterprise d'aujourd'hui qui dirigent les bureaux d'aide d'entreprise aujourd'hui sont dans une situation très difficile.Ils sont chargés de résoudre un volume considérablement accru de billets, mais n'ont pas la visibilité et les outils nécessaires pour le faire. & # 160;Dépassé et souvent incapable de faire leur travail efficacement, les professionnels de l'assistance [& # 8230;] >A harsh reality for today\'s enterprise help desks Leaders and agents running enterprise help desks today are in a very tough spot. They are tasked with resolving a dramatically increased volume of tickets, yet lack the visibility and tools needed to do so. Overwhelmed and often unable to do their jobs effectively, help desk professionals […]	Tool		★★
	2024-04-30 14:00:00	Protection des ransomwares et stratégies de confinement: conseils pratiques pour le durcissement et la protection des infrastructures, des identités et des points de terminaison Ransomware Protection and Containment Strategies: Practical Guidance for Hardening and Protecting Infrastructure, Identities and Endpoints (lien direct)	Written by: Matthew McWhirt, Omar ElAhdan, Glenn Staniforth, Brian Meyer Multi-faceted extortion via ransomware and/or data theft is a popular end goal for attackers, representing a global threat targeting organizations in all industries. The impact of a successful ransomware event can be material to an organization, including the loss of access to data, systems, and prolonged operational outages. The potential downtime, coupled with unforeseen expenses for restoration, recovery, and implementation of new security processes and controls can be overwhelming.Since the initial launch of our report in 2019, data theft and ransomware deployment tactics have continued to evolve and escalate. This evolution marks a shift from manual or script-based ransomware deployment to sophisticated, large-scale operations, including: Weaponizing Trusted Service Infrastructure (TSI): Adversaries are increasingly abusing legitimate infrastructure and security tools (TSI) to rapidly propagate malware or ransomware across entire networks. Targeting Virtualization Platforms: Attackers are actively focusing on the virtualization layer, aiming to mass-encrypt virtual machines (VMs) and other critical systems at scale. Targeting Backup Data / Platforms: Threat actors are exploiting misconfigurations or security gaps in backup systems to either erase or corrupt data backups, severely hindering recovery efforts. Based upon these newer techniques, it is critical that organizations identify the span of the attack surface, and align proper security controls and visibility that includes coverage for protecting: Identities Endpoints Network Architectures Remote Access Platforms Trusted Service Infrastructure (TSI) Cascading weaknesses across these layers create opportunities for attackers to breach an organization\'s perimeter, gain initial access, and maintain a persistent foothold within the compromised network. In our updated report,	Ransomware Malware Tool Threat		★★★
	2024-04-30 12:14:48	Détection du vol de données du navigateur à l'aide des journaux d'événements Windows Detecting browser data theft using Windows Event Logs (lien direct)	Publié par Will Harris, Chrome Security Team Le modèle de processus sandboxé de Chrome \\ de se défend bien contre le contenu Web malveillant, mais il existe des limites à la façon dont l'application peut se protéger des logiciels malveillants déjà sur l'ordinateur.Les cookies et autres informations d'identification restent un objectif de grande valeur pour les attaquants, et nous essayons de lutter contre cette menace continue de plusieurs manières, notamment en travaillant sur des normes Web comme dbsc Cela aidera à perturber l'industrie du vol de cookies car l'exfiltration de ces cookies n'aura plus de valeur. Lorsqu'il n'est pas possible d'éviter le vol d'identification et de cookies par malware, la prochaine meilleure chose est de rendre l'attaque plus observable par antivirus, d'agents de détection de terminaux ou d'administrateurs d'entreprise avec des outils d'analyse de journaux de base. Ce blog décrit un ensemble de signaux à utiliser par les administrateurs système ou les agents de détection de point de terminaison qui devraient signaler de manière fiable tout accès aux données protégées du navigateur d'une autre application sur le système.En augmentant la probabilité d'une attaque détectée, cela modifie le calcul pour les attaquants qui pourraient avoir un fort désir de rester furtif et pourraient les amener à repenser ces types d'attaques contre nos utilisateurs. arrière-plan Les navigateurs basés sur le chrome sur Windows utilisent le DPAPI (API de protection des données) pour sécuriser les secrets locaux tels que les cookies, le mot de passe, etc.La protection DPAPI est basée sur une clé dérivée des informations d'identification de connexion de l'utilisateur et est conçue pour se protéger contre l'accès non autorisé aux secrets des autres utilisateurs du système ou lorsque le système est éteint.Étant donné que le secret DPAPI est lié à l'utilisateur connecté, il ne peut pas protéger contre les attaques de logiciels malveillants locaux - l'exécution de logiciels malveillants en tant qu'utilisateur ou à un niveau de privilège plus élevé peut simplement appeler les mêmes API que le navigateur pour obtenir le secret DPAPI. Depuis 2013, Chromium applique l'indicateur CryptProtect_Audit aux appels DPAPI pour demander qu'un journal d'audit soit généré lorsque le décryptage se produit, ainsi que le marquage des données en tant que détenue par le navigateur.Parce que tout le stockage de données crypté de Chromium \\ est soutenu par une clé sécurisée DPAPI, toute application qui souhaite décrypter ces données, y compris les logiciels malveillants, devrait toujours générer de manière fiable un journal d'événements clairement observable, qui peut être utilisé pour détecter ces typesd'attaques. Il y a trois étapes principales impliquées dans le profit de ce journal: Activer la connexion sur l'ordinateur exécutant Google Chrome, ou tout autre navigateur basé sur le chrome. Exporter les journaux des événements vers votre système backend. Créer une logique de détection pour détecter le vol. Ce blog montrera également comment la journalisation fonctionne dans la pratique en la testant contre un voleur de mot de passe Python. Étape 1: Activer la connexion sur le système Les événements DPAPI sont connectés à deux endroits du système.Premièrement, il y a le 4693 Événement qui peut être connecté au journal de sécurité.Cet événement peut être activé en activant "Audit l'activité DPAPI" et les étapes pour ce faire sont d	Malware Tool Threat		★★
	2024-04-30 10:00:00	Acquisition de données volatiles à partir de systèmes linux en direct: partie I Volatile Data Acquisition from Live Linux Systems: Part I (lien direct)	The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. In the domain of digital forensics, volatile data assumes a paramount role, characterized by its ephemeral nature. Analogous to fleeting whispers in a bustling city, volatile data in Linux systems resides transiently within the Random Access Memory (RAM), encapsulating critical system configurations, active network connections, running processes, and traces of user activities. Once a Linux machine powers down, this ephemeral reservoir of information dissipates swiftly, rendering it irretrievable. Recognizing the significance of timely incident response and the imperative of constructing a detailed timeline of events, this blog embarks on an exhaustive journey, delineating a systematic approach fortified with best practices and indispensable tools tailored for the acquisition of volatile data within the Linux ecosystem. Conceptually, volatile data serves as a mirror reflecting the real-time operational landscape of a system. It embodies a dynamic tapestry of insights, ranging from system settings and network connectivity to program execution and user interactions. However, the transient nature of this data necessitates proactive measures to capture and analyse it before it evaporates into the digital void. In pursuit of elucidating this intricate process, we delve into a meticulous exploration, elucidating each facet with precision and clarity. Through a curated synthesis of established methodologies and cutting-edge tools, we equip forensic practitioners with the requisite knowledge and skills to navigate the complexities of volatile data acquisition in live Linux environments. Join us as we unravel the intricacies of digital forensics, embark on a journey of discovery, and empower ourselves with the tools and techniques necessary to unlock the secrets concealed within live Linux systems. Before proceeding, it\'s vital to grasp what volatile data encompasses and why it\'s so important in investigations: System Essentials: Hostname: Identifies the system · Date and Time: Contextualizes events · Timezone: Helps correlate activities across regions Uptime: Reveals system state duration Network Footprint: Network Interfaces: Active connections and configurations Open Ports: Potential entry points and services exposed Active Connections: Shows live communication channels Process Ecosystem: Running Processes: Active programs and their dependencies Process Memory: May uncover hidden execution or sensitive data Open Files: Accessed Files: Sheds light on user actions Deleted Files: Potential evidence recovery point Kernel Insights Loaded Modules: Core extensions and potential rootkits Kernel Ring Buffers (dmesg): Reveals driver or hardware events User Traces Login History: User activity tracking Command History: Executed commands provide insights Before diving into the acquisition process, it\'s essential to equip yourself with the necessary tools and commands for gathering volatile data effectively, for purpose of demonstration I will be using Linux Mint: Hostname, Date, and Time: hostname: Retrieves the system\'s hostname. date: Displays the current date and time.	Tool Technical		★★★
	2024-04-30 09:00:40	Détection et réponse gérées en 2023 Managed Detection and Response in 2023 (lien direct)	Le rapport couvre les tactiques, les techniques et les outils le plus souvent déployés par les acteurs de la menace, la nature des incidents détectés et leur distribution entre les clients MDR. The report covers the tactics, techniques and tools most commonly deployed by threat actors, the nature of incidents detected and their distribution among MDR customers.	Tool Threat		★★
	2024-04-30 08:16:53	Conjuguer innovation, cybersécurité, IA et lancement de produit (lien direct)	La cybersécurité est incontestablement un sujet stratégique pour l'ensemble des entreprises et des structures publiques. Dans ce contexte, les concepteurs de technologies de cybersécurité se doivent d'innover en continu pour proposer des outils efficaces et évolutifs qui permettent à leurs clients d'évoluer dans une sphère de confiance. Custocy, éditeur toulousain spécialisé en IA appliquée à la cybersécurité, livre un retour d'expérience sur les actions qu'une start-up du secteur est amenée à mettre en (...) - Points de Vue	Tool		★★
	2024-04-30 03:02:40	DMARC - La prochaine étape de l'hygiène et de la sécurité des e-mails DMARC - The Next Step in Email Hygiene and Security (lien direct)	En 1971, Ray Tomlison a développé le premier service de courrier électronique tout en travaillant à la Defense Advanced Research Projects Agency (DARPA).Cette évolution a changé la façon dont nous avons communiqué.Cependant, même s'il s'agissait d'un outil exceptionnel, il n'était pas très convivial, obligeant les utilisateurs à avoir des logiciels spécifiques installés sur leurs ordinateurs.En 1996, Sabeer Bhatia a fondé Hotmail, ce qui en fait le premier service de messagerie électronique en ligne.Un an exactement après que Microsoft a acquis Hotmail, j'ai ouvert mon premier compte de messagerie.Je me souviens encore du sentiment d'euphorie qui venait de recevoir une réponse virtuelle au ... In 1971, Ray Tomlison developed the first email service while working at The Defense Advanced Research Projects Agency (DARPA) . This development changed how we communicated. However, even though this was an exceptional tool, it was not very user-friendly, requiring users to have specific software installed on their computers. In 1996, Sabeer Bhatia founded Hotmail, making it the first web-based email messaging service. Exactly one year after Microsoft acquired Hotmail, I opened my first email account. I still remember the feeling of euphoria that came from receiving a virtual response to the...	Tool		★★★
	2024-04-29 22:01:20	Android malware hacks bancs comptes bancs avec de fausses invites à la mise à jour chromée Android Malware Hacks Bank Accounts With Fake Chrome Update Prompts (lien direct)	Security researchers have discovered a new Android banking trojan that can steal users’ sensitive information and allow attackers to remotely control infected devices. “Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware,” Dutch security firm ThreatFabric said in an analysis published on Thursday. According to ThreatFabric, Brokewell poses a significant threat to the banking industry, providing attackers with remote access to all assets available through mobile banking. The malware was discovered by the researchers while investigating a fake Google Chrome web browser “update” page, commonly used by cybercriminals to lure victims into downloading and installing malware. Looking at prior campaigns, the researchers found that Brokewell was used to target a popular “buy now, pay later” financial service and an Austrian digital authentication application. The malware is said to be in active development, with new commands added almost daily to capture every event on the device, from keystrokes and information displayed on screen to text entries and apps launched by the victim. Once downloaded, Brokewell creates an overlay screen on a targeted application to capture user credentials. It can also steal browser cookies by launching its own WebView, overriding the onPageFinished method, and dumping the session cookies after the user completes the login process. “Brokewell is equipped with “accessibility logging,” capturing every event happening on the device: touches, swipes, information displayed, text input, and applications opened. All actions are logged and sent to the command-and-control server, effectively stealing any confidential data displayed or entered on the compromised device,” the ThreatFabric researchers point out. “It\'s important to highlight that, in this case, any application is at risk of data compromise: Brokewell logs every event, posing a threat to all applications installed on the device. This piece of malware also supports a variety of “spyware” functionalities: it can collect information about the device, call history, geolocation, and record audio.” After stealing the credentials, the attackers can initiate a Device Takeover attack using remote control capabilities to perform screen streaming. It also provides the threat actor with a range of various commands that can be executed on the controlled device, such as touches, swipes, and clicks on specified elements. ThreatFabric discovered that one of the servers used as a command and control (C2) point for Brokewell was also used to host a repository called “Brokewell Cyber Labs,” created by a threat actor called “Baron Samedit.” This repository comprised the source code for the “Brokewell Android Loader,” another tool from the same developer designed to bypass restrictions Google introduced in Android 13 and later to prevent exploitation of Accessibility Service for side-loaded apps (APKs). According to ThreatFabric, Baron Samedit has been active for at least two years, providing tools to other cybercriminals to check stolen accounts from multiple services, which could still be improved to support a malware-as-a-service operation. “We anticipate further evolution of this malware family, as we’ve already observed almost daily updates to the malware. Brokewell will likely be promoted on underground channels as a rental service, attracting the interest of other cybercriminals and sparking new campaigns targeting different regions,” the researchers conclude. Hence, the only way to effectively identify and prevent potential fraud from malware families like the newly discovered Brokewell is to use a comprehensive	Malware Tool Threat Mobile		★★
	2024-04-29 20:07:15	De ransomware icedid à Dagon Locker en 29 jours From IcedID to Dagon Locker Ransomware in 29 Days (lien direct)	## Instantané Le rapport DFIR fournit un compte rendu détaillé d'une intrusion sophistiquée qui a commencé avec une campagne de phishing utilisant PromEthEustDS pour distribuer des logiciels malveillants icedid en août 2023. ## Description Le malware icedid a établi la persistance, communiqué avec les serveurs C2 et a abandonné une balise de frappe de cobalt, qui a été utilisée pour le mouvement latéral, l'exfiltration des données et le déploiement des ransomwares.L'acteur de menace a également utilisé une suite d'outils tels que Rclone, NetScan, NBTScan, Anydesk, Seatt Libt, Sharefinder et Adfinind.L'intrusion a abouti au déploiement de ransomwares Dagon Locker après 29 jours. Les acteurs de la menace ont utilisé diverses techniques pour obscurcir le fichier JavaScript et le coquille de cobalt grève, échapper à la détection, maintenir la persistance et effectuer des activités d'énumération du réseau.Les activités de l'acteur de menace comprenaient l'abus de fonctionnalités de mouvement latérale telles que le psexec et le protocole de bureau à distance (RDP), l'exfiltration des fichiers, le dumping et l'exfiltration des journaux d'événements de sécurité Windows et l'utilisation des commandes PowerShell exécutées à partir de la grève de Cobaltbalise. De plus, l'acteur de menace a utilisé plusieurs techniques d'exfiltration, y compris l'utilisation de RClone et AWS CLI pour exfiltrer les données de l'infrastructure compromise.Le déploiement du ransomware Dagon Locker a été facilité par l'utilisation d'un script PowerShell personnalisé, AWScollector et un module Locker, avec une commande PowerShell spécifique exécutée à partir d'un contrôleur de domaine pour déployer le ransomware à différents systèmes.L'impact de cet incident a permis à tous les systèmes d'être affectés par les ransomwares Dagon Locker. ## Les références [https://thedfirreport.com/2024/04/29/from-iced-to-dagon-locker-ransomware-in-29 days/-IDIDID-to-dagon-locker-ransomware en 29 jours /) ## Snapshot The DFIR report provides a detailed account of a sophisticated intrusion that began with a phishing campaign using PrometheusTDS to distribute IcedID malware in August 2023. ## Description The IcedID malware established persistence, communicated with C2 servers, and dropped a Cobalt Strike beacon, which was used for lateral movement, data exfiltration, and ransomware deployment. The threat actor also utilized a suite of tools such as Rclone, Netscan, Nbtscan, AnyDesk, Seatbelt, Sharefinder, and AdFind. The intrusion culminated in the deployment of Dagon Locker ransomware after 29 days. The threat actors employed various techniques to obfuscate the JavaScript file and the Cobalt Strike shellcode, evade detection, maintain persistence, and perform network enumeration activities. The threat actor\'s activities included the abuse of lateral movement functionalities such as PsExec and Remote Desktop Protocol (RDP), exfiltration of files, dumping and exfiltration of Windows Security event logs, and the use of PowerShell commands executed from the Cobalt Strike beacon. Additionally, the threat actor employed multiple exfiltration techniques, including the use of Rclone and AWS CLI to exfiltrate data from the compromised infrastructure. The deployment of the Dagon Locker ransomware was facilitated through the use of a custom PowerShell script, AWScollector, and a locker module, with a specific PowerShell command run from a domain controller to deploy the ransomware to different systems. The impact of this incident resulted in all systems being affected by the Dagon Locker ransomware. ## References [https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/](https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/)	Ransomware Malware Tool Threat Technical		★★★
	2024-04-29 16:05:58	Faits saillants hebdomadaires, 29 avril 2024 Weekly OSINT Highlights, 29 April 2024 (lien direct)	## Snapshot Last week\'s OSINT reporting reveals a diverse range of cyber threats targeting organizations globally. The articles highlight various attack vectors, including phishing emails with malware payloads (SSLoad, [Cobalt Strike](https://security.microsoft.com/intel-profiles/fd8511c1d61e93d39411acf36a31130a6795efe186497098fe0c6f2ccfb920fc)), ransomware variants (KageNoHitobito, DoNex), and mobile banking malware (Brokewell) distributed through fake domain schemes and overlay attacks. Threat actors behind these campaigns range from financially motivated ransomware groups to sophisticated state-sponsored actors like Sandworm ([Seashell Blizzard](https://sip.security.microsoft.com/intel-profiles/cf1e406a16835d56cf614430aea3962d7ed99f01ee3d9ee3048078288e5201bb)) and UAT4356 ([Storm-1849](https://sip.security.microsoft.com/intel-profiles/f3676211c9f06910f7f1f233d81347c1b837bddd93292c2e8f2eb860a27ad8d5)). Targetted organizations span Europe, Asia, and the Americas and targetted industries include critical infrastructure and IT. ## Description 1. [Ongoing FROZEN#SHADOW Phishing Campaign](https://security.microsoft.com/intel-explorer/articles/e39d9bb3): The FROZEN#SHADOW campaign utilizes phishing emails to distribute SSLoad malware, alongside [Cobalt Strike](https://security.microsoft.com/intel-profiles/fd8511c1d61e93d39411acf36a31130a6795efe186497098fe0c6f2ccfb920fc) and ConnectWise ScreenConnect for extensive persistence and remote access. The victim organizations, predominantly in Europe, Asia, and the Americas, are targeted via JavaScript file downloads and MSI installers connecting to attacker-controlled domains. 2. [Insights on KageNoHitobito and DoNex Ransomware](https://security.microsoft.com/intel-explorer/articles/ff848e92): KageNoHitobito and DoNex are ransomware variants with distinct encryption methods and ransom note presentations. While KageNoHitobito prompts victims to negotiate through a TOR site, DoNex terminates specific services and processes, deletes shadow copies, and may be linked to DarkRace ransomware. 3. [Brokewell Mobile Banking Malware](https://security.microsoft.com/intel-explorer/articles/99a5deee): Brokewell poses a significant threat to the banking industry, utilizing overlay attacks, spyware functionalities, and remote control capabilities to steal credentials and device information. The malware\'s active development and promotion on underground channels indicate a growing interest among cybercriminals targeting different regions. 4. [Malvertising Campaign Targeting IT Teams with MadMxShell](https://security.microsoft.com/intel-explorer/articles/ffa6ca10): A sophisticated threat actor distributes the MadMxShell backdoor through fake domains, using Google Ads to push them to the top of search results. MadMxShell employs complex evasion techniques, including multi-stage injection and DNS tunneling for C2 communication, indicating an interest in targeting IT professionals for unauthorized access. 5. [ArcaneDoor Campaign by UAT4356 (Storm-1849)](https://security.microsoft.com/intel-explorer/articles/a0cf0328): UAT4356 (tracked by Microsoft as [Storm-1949](https://sip.security.microsoft.com/intel-profiles/f3676211c9f06910f7f1f233d81347c1b837bddd93292c2e8f2eb860a27ad8d5)) targets perimeter network devices like Cisco Adaptive Security Appliances (ASA) with backdoors "Line Runner" and "Line Dancer" for reconnaissance and malicious actions. The campaign showcases a state-sponsored actor\'s advanced tradecraft, with deliberate efforts to evade forensics and exploit 0-day vulnerabilities. The initial access vector used in this campaign remains unidentified, but two vulnerabilities ([CVE-2024-20353](https://security.microsoft.com/intel-explorer/cves/CVE-2024-20353/description) and[CVE-2024-20359](https://security.microsoft.com/intel-explorer/cves/CVE-2024-20359/description)) were exploited. 6. [Kapeka Backdoor Linked to Sandworm (Seashell Blizzard)](https://security.microsoft.com/intel-explorer/articles/364efa92): Kapeka (tracked by Microsoft as K	Ransomware Malware Tool Vulnerability Threat Mobile Industrial		★★★
	2024-04-29 14:00:00	De l'assistant à l'analyste: la puissance de Gemini 1.5 Pro pour l'analyse des logiciels malveillants From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis (lien direct)	Executive Summary A growing amount of malware has naturally increased workloads for defenders and particularly malware analysts, creating a need for improved automation and approaches to dealing with this classic threat. With the recent rise in generative AI tools, we decided to put our own Gemini 1.5 Pro to the test to see how it performed at analyzing malware. By providing code and using a simple prompt, we asked Gemini 1.5 Pro to determine if the file was malicious, and also to provide a list of activities and indicators of compromise. We did this for multiple malware files, testing with both decompiled and disassembled code, and Gemini 1.5 Pro was notably accurate each time, generating summary reports in human-readable language. Gemini 1.5 Pro was even able to make an accurate determination of code that - at the time - was receiving zero detections on VirusTotal. In our testing with other similar gen AI tools, we were required to divide the code into chunks, which led to vague and non-specific outcomes, and affected the overall analysis. Gemini 1.5 Pro, however, processed the entire code in a single pass, and often in about 30 to 40 seconds. Introduction The explosive growth of malware continues to challenge traditional, manual analysis methods, underscoring the urgent need for improved automation and innovative approaches. Generative AI models have become invaluable in some aspects of malware analysis, yet their effectiveness in handling large and complex malware samples has been limited. The introduction of Gemini 1.5 Pro, capable of processing up to 1 million tokens, marks a significant breakthrough. This advancement not only empowers AI to function as a powerful assistant in automating the malware analysis workflow but also significantly scales up the automation of code analysis. By substantially increasing the processing capacity, Gemini 1.5 Pro paves the way for a more adaptive and robust approach to cybersecurity, helping analysts manage the asymmetric volume of threats more effectively and efficiently. Traditional Techniques for Automated Malware Analysis The foundation of automated malware analysis is built on a combination of static and dynamic analysis techniques, both of which play crucial roles in dissecting and understanding malware behavior. Static analysis involves examining the malware without executing it, providing insights into its code structure and unobfuscated logic. Dynamic analysis, on the other hand, involves observing the execution of the malware in a controlled environment to monitor its behavior, regardless of obfuscation. Together, these techniques are leveraged to gain a comprehensive understanding of malware. Parallel to these techniques, AI and machine learning (ML) have increasingly been employed to classify and cluster malware based on behavioral patterns, signatures, and anomalies. These methodologies have ranged from supervised learning, where models are trained on labeled datasets, to unsupervised learning for clustering, which identifies patterns without predefined labels to group similar malware.	Malware Hack Tool Vulnerability Threat Studies Prediction Cloud Conference	Wannacry	★★★
	2024-04-29 11:59:47	Comment nous avons combattu de mauvaises applications et de mauvais acteurs en 2023 How we fought bad apps and bad actors in 2023 (lien direct)	Posted by Steve Kafka and Khawaja Shams (Android Security and Privacy Team), and Mohet Saxena (Play Trust and Safety) A safe and trusted Google Play experience is our top priority. We leverage our SAFE (see below) principles to provide the framework to create that experience for both users and developers. Here\'s what these principles mean in practice: (S)afeguard our Users. Help them discover quality apps that they can trust. (A)dvocate for Developer Protection. Build platform safeguards to enable developers to focus on growth. (F)oster Responsible Innovation. Thoughtfully unlock value for all without compromising on user safety. (E)volve Platform Defenses. Stay ahead of emerging threats by evolving our policies, tools and technology. With those principles in mind, we\'ve made recent improvements and introduced new measures to continue to keep Google Play\'s users safe, even as the threat landscape continues to evolve. In 2023, we prevented 2.28 million policy-violating apps from being published on Google Play1 in part thanks to our investment in new and improved security features, policy updates, and advanced machine learning and app review processes. We have also strengthened our developer onboarding and review processes, requiring more identity information when developers first establish their Play accounts. Together with investments in our review tooling and processes, we identified bad actors and fraud rings more effectively and banned 333K bad accounts from Play for violations like confirmed malware and repeated severe policy violations. Additionally, almost 200K app submissions were rejected or remediated to ensure proper use of sensitive permissions such as background location or SMS access. To help safeguard user privacy at scale, we partnered with SDK providers to limit sensitive data access and sharing, enhancing the privacy posture for over 31 SDKs impacting 790K+ apps. We also significantly expanded the Google Play SDK Index, which now covers the SDKs used in almost 6 million apps across the Android ecosystem. This valuable resource helps developers make better SDK choices, boosts app quality and minimizes integration risks. Protecting the Android Ecosystem Building on our success with the App Defense Alliance (ADA), we partnered with Microsoft and Meta as steering committee members in the newly restructured ADA under the Joint Development Foundation, part of the Linux Foundation family. The Alliance will support industry-wide adoption of app security best practices and guidelines, as well as countermeasures against emerging security risks. Additionally, we announced new Play Store transparency labeling to highlight VPN apps that have completed an independent security review through App Defense Alliance\'s Mobile App Security Assessment (MASA). When a user searches for VPN apps, they will now see a banner at the top of Google Play that educates them about the “Independent security review” badge in the Data safety section. This helps users see at-a-glance that a developer has prioritized security and privacy best practices and is committed to user safety.	Malware Tool Threat Mobile		★★★
	2024-04-28 19:22:00	Okta met en garde contre une augmentation sans précédent des attaques de rembourrage des diplômes axés sur la procuration Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks (lien direct)	Le fournisseur de services de gestion de l'identité et de l'accès (IAM), Okta, a mis en garde contre un pic dans la "fréquence et l'échelle" des attaques de bourrage d'identification destinées aux services en ligne. Ces attaques sans précédent, observées au cours du dernier mois, seraient facilitées par "la grande disponibilité des services de proxy résidentiel, des listes d'identification précédemment volées (\\ 'Listtes combo \') et des outils de script," les outils de script " Identity and access management (IAM) services provider Okta has warned of a spike in the "frequency and scale" of credential stuffing attacks aimed at online services. These unprecedented attacks, observed over the last month, are said to be facilitated by "the broad availability of residential proxy services, lists of previously stolen credentials (\'combo lists\'), and scripting tools," the	Tool		★★★
	2024-04-26 22:25:37	Plate-forme de cybersécurité Cybersecurity Platformization (lien direct)	> La plate-forme présente l'occasion de moderniser et de simplifier la sécurité en effectuant un examen de tous les outils de cybersécurité et en recherchant des moyens de consolider. >Platformization presents an opportunity to modernize and simplify security by doing a review of all cybersecurity tools and looking for ways to consolidate.	Tool		★★
	2024-04-26 19:12:08	Todckat APT Group Honne les tactiques d'expiltration des données, exploite les outils légitimes ToddyCat APT Group Hones Data Exfiltration Tactics, Exploits Legitimate Tools (lien direct)	#### Targeted Geolocations - Oceania - Southeast Asia - South Asia - East Asia - Central Asia #### Targeted Industries - Government Agencies & Services - Defense ## Snapshot Kaspersky reports the APT group ToddyCat has been observed targeting governmental organizations, particularly defense-related ones in the Asia-Pacific region, with the goal of stealing sensitive information on an industrial scale. ## Description They employ various tools and techniques, including traffic tunneling and the creation of reverse SSH tunnels, to maintain constant access to compromised infrastructure. The attackers utilize disguised OpenSSH private key files, execute scripts to modify folder permissions, create SSH tunnels to redirect network traffic, and employ the SoftEther VPN package to potentially facilitate unauthorized access and data exfiltration. Additionally, they use various files and techniques, such as concealing file purposes, copying files through shared resources, and tunneling to legitimate cloud providers, to gain access to victim hosts and evade detection. The threat actors initially gain access to systems by installing servers, modifying server settings, and utilizing tools like Ngrok and Krong to redirect C2 traffic and create tunnels for unauthorized access. They also employ the FRP client, a data collection tool named "cuthead", and a tool called "WAExp" to search for and collect browser local storage files containing data from the web version of WhatsApp. The attackers demonstrate a sophisticated and evolving approach to data collection and exfiltration, utilizing multiple tools and techniques to achieve their objectives. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of Information stealer threats. - Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email. - Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware. - Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants. - Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times. - Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentic	Ransomware Spam Malware Tool Threat Industrial Cloud		★★
	2024-04-26 18:33:10	Accélération de la réponse aux incidents en utilisant une AI générative Accelerating incident response using generative AI (lien direct)	Lambert Rosique and Jan Keller, Security Workflow Automation, and Diana Kramer, Alexandra Bowen and Andrew Cho, Privacy and Security Incident ResponseIntroductionAs security professionals, we\'re constantly looking for ways to reduce risk and improve our workflow\'s efficiency. We\'ve made great strides in using AI to identify malicious content, block threats, and discover and fix vulnerabilities. We also published the Secure AI Framework (SAIF), a conceptual framework for secure AI systems to ensure we are deploying AI in a responsible manner. Today we are highlighting another way we use generative AI to help the defenders gain the advantage: Leveraging LLMs (Large Language Model) to speed-up our security and privacy incidents workflows.	Tool Threat Industrial Cloud		★★★
	2024-04-26 17:23:14	Ransomware Roundup - KageNoHitobito and DoNex (lien direct)	#### Géolocations ciblées - Chili - Chine - Cuba - Allemagne - L'Iran - Lituanie - Pérou - Roumanie - Royaume-Uni - États-Unis - Taïwan - Suède - Belgique - Tchéchie - Italie - Pays-Bas ## Instantané La recherche sur les menaces Fortiguard Labs fournit un aperçu des variantes de ransomware Kagenohitobito et Donex.Kagenohitobito a émergé fin mars 2024 et chiffre les fichiers victimes de victimes, tandis que Donex est un groupe de ransomware à motivation financière qui crypte les fichiers sur les lecteurs locaux et les parts de réseau.Les méthodes d'infiltration initiales utilisées par les acteurs de la menace ne sont pas spécifiées. ## Description Kagenohitobito affiche une note de rançon sur le bureau de la victime et demande aux victimes de visiter un site Tor pour les négociations de rançon, tandis que Donex ajoute un identifiant de victime comme extension de fichier aux fichiers affectés, modifie leurs icônes et met fin aux processus et services spécifiques en tant que services en tant que services spécifiques en tant que servicesSelon le fichier de configuration défini par l'acteur de menace.L'article suggère également une connexion possible entre les ransomwares Donex et DarkRace, car ils partagent des similitudes dans les notes de rançon et les fichiers de configuration.DOTYX est configuré pour supprimer des copies d'ombre, ce qui rend la récupération du fichier difficile. ## Recommandations Étant donné que la majorité des ransomwares sont livrés via le phishing, Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace.Vérifiez la carte de recommandations pour l'état de déploiement des atténuations surveillées. - Pilot et déploiement [méthodes d'authentification résistantes au phishing] (https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods?ocid=Magicti_TA_Learndoc) pour les utilisateurs. - Configurez Microsoft Defender pour Office 365 à [Rechercher les liens sur Click] (ReCHECK% 20LINKS% 20ON% 20CLICK).Safe Links fournit une analyse et une réécriture des URL des e-mails entrants dans le flux de messagerie et une vérification du temps de clic des URL et des liens dans les e-mails, d'autres applications Microsoft 365 telles que des équipes et d'autres emplacements tels que SharePoint Online.La numérisation des liens sûrs se produit en plus de la [anti-spam] régulière (https://learn.microsoft.com/en-us/defenderofice-365/anti-spam-protection-about?ocid=Magicti_ta_learndoc) et [anti-Malware] (https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-about?ocid=magicti_ta_learndoc) Protection dans les messages e-mail entrants dans Microsoft Exchange en ligne Protection en ligne (EOP).La numérisation des liens sûrs peut aider à protéger votre organisation contre les liens malveillants utilisés dans le phishing et d'autres attaques. - Encouragez les utilisateurs à utiliser Microsoft Edge et d'autres navigateurs Web qui prennent en charge [Microsoft Defender SmartScreen] (https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-smartscreen?ocid=magicti_ta_learndoc), qui s'identifie, qui identifie)et bloque des sites Web malveillants, y compris des sites de phishing, des sites d'arnaque et des sites qui hébergent des logiciels malveillants. - Allumez [protection en livraison du cloud] (https://learn.miqueCouvrir les outils et techniques d'attaque en évolution rapide.Les protections d'apprentissage automatique basées sur le cloud bloquent une majorité de variantes nouvelles et inconnues. - Exécuter [Détection et réponse Endpoint (EDR)] (https://learn.microsoft.com/en-us/defender-endpoint/edr-in-lock-mode?ocid=Magicti_TA_LearnDoc) en mode bloc, de sorte que le défenseur MicrosoftPour le point final, peut bloquer les artefacts malveillants, même lorsque votre antivirus non microsoft ne détecte pas la menace ou lorsque Microsoft Defender Antivirus fonctio	Ransomware Malware Tool Threat		★★
	2024-04-26 16:20:45	Les outils de suivi du site Web de Kaiser \\ ont peut-être compromis des données sur 13 millions de clients Kaiser\\'s website tracking tools may have compromised data on 13 million customers (lien direct)	#### Géolocations ciblées - Chili - Chine - Cuba - Allemagne - L'Iran - Lituanie - Pérou - Roumanie - Royaume-Uni - États-Unis - Taïwan - Suède - Belgique - Tchéchie - Italie - Pays-Bas ## Instantané La recherche sur les menaces Fortiguard Labs fournit un aperçu des variantes de ransomware Kagenohitobito et Donex.Kagenohitobito a émergé fin mars 2024 et chiffre les fichiers victimes de victimes, tandis que Donex est un groupe de ransomware à motivation financière qui crypte les fichiers sur les lecteurs locaux et les parts de réseau.Les méthodes d'infiltration initiales utilisées par les acteurs de la menace ne sont pas spécifiées. ## Description Kagenohitobito affiche une note de rançon sur le bureau de la victime et demande aux victimes de visiter un site Tor pour les négociations de rançon, tandis que Donex ajoute un identifiant de victime comme extension de fichier aux fichiers affectés, modifie leurs icônes et met fin aux processus et services spécifiques en tant que services en tant que services spécifiques en tant que servicesSelon le fichier de configuration défini par l'acteur de menace.L'article suggère également une connexion possible entre les ransomwares Donex et DarkRace, car ils partagent des similitudes dans les notes de rançon et les fichiers de configuration.DOTYX est configuré pour supprimer des copies d'ombre, ce qui rend la récupération du fichier difficile. ## Recommandations Étant donné que la majorité des ransomwares sont livrés via le phishing, Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace.Vérifiez la carte de recommandations pour l'état de déploiement des atténuations surveillées. - Pilot et déploiement [méthodes d'authentification résistantes au phishing] (https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods?ocid=Magicti_TA_Learndoc) pour les utilisateurs. - Configurez Microsoft Defender pour Office 365 à [Rechercher les liens sur Click] (ReCHECK% 20LINKS% 20ON% 20CLICK).Safe Links fournit une analyse et une réécriture des URL des e-mails entrants dans le flux de messagerie et une vérification du temps de clic des URL et des liens dans les e-mails, d'autres applications Microsoft 365 telles que des équipes et d'autres emplacements tels que SharePoint Online.La numérisation des liens sûrs se produit en plus de la [anti-spam] régulière (https://learn.microsoft.com/en-us/defenderofice-365/anti-spam-protection-about?ocid=Magicti_ta_learndoc) et [anti-Malware] (https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-about?ocid=magicti_ta_learndoc) Protection dans les messages e-mail entrants dans Microsoft Exchange en ligne Protection en ligne (EOP).La numérisation des liens sûrs peut aider à protéger votre organisation contre les liens malveillants utilisés dans le phishing et d'autres attaques. - Encouragez les utilisateurs à utiliser Microsoft Edge et d'autres navigateurs Web qui prennent en charge [Microsoft Defender SmartScreen] (https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-smartscreen?ocid=magicti_ta_learndoc), qui s'identifie, qui identifie)et bloque des sites Web malveillants, y compris des sites de phishing, des sites d'arnaque et des sites qui hébergent des logiciels malveillants. - Allumez [protection en livraison du cloud] (https://learn.miqueCouvrir les outils et techniques d'attaque en évolution rapide.Les protections d'apprentissage automatique basées sur le cloud bloquent une majorité de variantes nouvelles et inconnues. - Exécuter [Détection et réponse Endpoint (EDR)] (https://learn.microsoft.com/en-us/defender-endpoint/edr-in-lock-mode?ocid=Magicti_TA_LearnDoc) en mode bloc, de sorte que le défenseur MicrosoftPour le point final, peut bloquer les artefacts malveillants, même lorsque votre antivirus non microsoft ne détecte pas la menace ou lorsque Microsoft Defender Antivirus fonctio	Tool		★★★
	2024-04-26 13:00:25	7 Essentials Chaque gestion de la posture de sécurité des données (DSPM) doit avoir 7 Essentials Every Data Security Posture Management (DSPM) Must Have (lien direct)	> Un effet secondaire intéressant de la prolifération du développement de logiciels natifs du cloud est les lignes floues entre les rôles des équipes Infosec et DevOps pour protéger les données de l'application et des utilisateurs.Jusqu'à récemment, DevSecops consistait principalement à sécuriser et à protéger le code, les outils utilisés dans le SDLC et l'infrastructure des applications \\ 'contre les vulnérabilités, les fuites et les erreurs de configuration potentiels.Aujourd'hui, les données sensibles ne vit plus dans des bases de données sécurisées et centralisées.Au lieu de cela, il est dispersé dans des instances fluides et amorphes sur diverses plates-formes cloud et hybrides, ce qui rend le problème de la protection des données.Si vous regardez les chiffres, l'état de la sécurité des données aujourd'hui est carrément terrifiant.[& # 8230;] >An interesting side-effect of the proliferation of cloud-native software development is the blurred lines between the roles of InfoSec and DevOps teams in protecting application and user data. Until recently, DevSecOps was mostly about securing and protecting the code, the tools used in the SDLC, and the applications\' infrastructure from potential vulnerabilities, leaks, and misconfigurations. Today, sensitive data no longer lives in secure and centralized databases. Instead, it\'s scattered in fluid and amorphic instances on various cloud and hybrid platforms, making data protection everyone\'s problem. If you look at the numbers, the state of data security today is downright terrifying. […]	Tool Vulnerability Cloud		★★★
	2024-04-25 16:43:00	Menaces de réseau: une démonstration d'attaque étape par étape Network Threats: A Step-by-Step Attack Demonstration (lien direct)	Suivez cette simulation d'attaque de réseau réelle, couvrant & nbsp; 6 & nbsp; étapes de l'accès initial à l'exfiltration des données.Voyez comment les attaquants restent non détectés avec les outils & nbsp; simples & nbsp; et pourquoi vous avez besoin de plusieurs points d'étranglement dans votre stratégie de défense. Étonnamment, la plupart des attaques de réseaux ne sont pas exceptionnellement sophistiquées, technologiquement avancées ou dépendent d'outils zéro jour qui exploitent Follow this real-life network attack simulation, covering 6 steps from Initial Access to Data Exfiltration. See how attackers remain undetected with the simplest tools and why you need multiple choke points in your defense strategy. Surprisingly, most network attacks are not exceptionally sophisticated, technologically advanced, or reliant on zero-day tools that exploit	Tool Vulnerability Threat		★★
	2024-04-25 14:54:20	Nouveau dans le correctif Veracode: support linguistique supplémentaire et correctif de lots New in Veracode Fix: Additional Language Support and Batch Fix (lien direct)	Nous sommes ravis de vous apporter deux mises à jour significatives à Veracode Fix: notre outil de remédiation de faille de sécurité alimentée par l'IA.Depuis que nous avons lancé Fix il y a près d'un an, deux demandes ont dominé les commentaires de nos clients: Pouvons-nous l'avoir? Pouvez-vous le faire fonctionner? Nous avons récemment lancé une nouvelle version de Veracode Scan pour le code VS qui comprenait FIX (avec plus d'ides à suivre), qui a répondu à certaines de ces demandes, et maintenant nous mettons à jour le correctif pour couvrir plus de langues et un nouveauMode qui appliquera automatiquement le correctif le mieux classé. Correction par lots Veracode En utilisant Fix dans l'outil Veracode CLI avec le nouveau drapeau & # 8211; -apply, vous pourrez appliquer la suggestion de correction supérieure au code source dans l'un des deux modes: Appliquer une seule recherche à un seul fichier En fournissant une correction de Veracode avec le fichier JSON des résultats, le fichier de code source à mettre à jour et l'ID de problème pertinent (contenu dans le fichier de résultats), vous pouvez appliquer le correctif recommandé le plus recommandé au fichier de code source. ./… We\'re excited to bring you two significant updates to Veracode Fix: our AI-powered security flaw remediation tool. Since we launched Fix nearly a year ago, two requests have dominated our customer feedback: Can we have it for ? Can you make it work for ? We recently launched a new version of Veracode Scan for VS Code that included Fix (with more IDE\'s to follow), which answered some of those requests, and now we\'re updating Fix to cover more languages and a new mode that will automatically apply the top-ranked fix. Veracode Batch Fix Using Fix in the Veracode CLI tool with the new –-apply flag, you will be able to apply the top fix suggestion to the source code in one of two modes: Apply Single Finding to a Single File By supplying Veracode Fix with the results JSON file, the source code file to update, and the relevant issue ID (contained in the results file) you can apply the top-recommended fix to the source code file. ./…	Tool		★★★
	2024-04-25 14:31:25	J & J spin-off CISO sur la maximisation de la cybersécurité J&J Spin-Off CISO on Maximizing Cybersecurity (lien direct)	Comment le CISO de Kenvue, une entreprise de soins de santé grand public, a été transféré de Johnson &Johnson, outils combinés et nouvelles idées pour construire le programme de sécurité. How the CISO of Kenvue, a consumer healthcare company spun out from Johnson & Johnson, combined tools and new ideas to build out the security program.	Tool Medical		★★
	2024-04-25 13:59:36	NDR dans le paysage moderne de la cybersécurité NDR in the Modern Cybersecurity Landscape (lien direct)	> Par uzair amir Le rôle de la détection et de la réponse du réseau (NDR) dans la cybersécurité.Apprenez comment les outils NDR permettent aux organisations de lutter contre les menaces évolutives efficacement. Ceci est un article de HackRead.com Lire le post original: NDR dans le paysage moderne de la cybersécurité >By Uzair Amir The role of Network Detection and Response (NDR) in cybersecurity. Learn how NDR tools empower organizations to tackle evolving threats effectively. This is a post from HackRead.com Read the original post: NDR in the Modern Cybersecurity Landscape	Tool		★★
	2024-04-25 11:58:40	AI-driven cyber attacks to be the norm within a year, say security leaders (lien direct)	Netacea, le spécialiste de la détection et de la réponse des bots, a annoncé aujourd'hui de nouvelles recherches sur la menace des cyberattaques axées sur l'IA.Il constate que la plupart des entreprises voient rapidement «l'IA offensive» devenir rapidement un outil standard pour les cybercriminels, avec 93% des chefs de sécurité s'attendant à faire face à des attaques quotidiennes basées sur l'IA.La recherche, la cybersécurité à l'ère de l'IA offensive, interrogé la sécurité [& # 8230;] Le message Cyber Attacks dirigés par AI sont la norme dans un an, disons les leaders de la sécurité a>. Netacea, the bot detection and response specialist, today announced new research into the threat of AI-driven cyberattacks. It finds that most businesses see “offensive AI” fast becoming a standard tool for cybercriminals, with 93% of security leaders expecting to face daily AI-driven attacks. The research, Cyber security in the age of offensive AI, surveyed security […] The post AI-driven cyber attacks to be the norm within a year, say security leaders first appeared on IT Security Guru.	Tool Threat		★★
	2024-04-25 10:00:00	Pole Voûte: cyber-menaces aux élections mondiales Poll Vaulting: Cyber Threats to Global Elections (lien direct)	Written by: Kelli Vanderlee, Jamie Collier Executive Summary The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts. When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure. Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google\'s Advanced Protection Program to protect high-risk accounts. Introduction The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture. The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence.	Ransomware Malware Hack Tool Vulnerability Threat Legislation Cloud Technical	APT 40 APT 29 APT 28 APT 43 APT 31 APT 42	★★★
	2024-04-24 19:34:05	Arcaneroor - Nouvelle campagne axée sur l'espionnage a trouvé des dispositifs de réseau de périmètre ciblant ArcaneDoor - New Espionage-Focused Campaign Found Targeting Perimeter Network Devices (lien direct)	## Instantané Cisco Talos rend compte de la campagne ArcaneDoor, attribuée à l'acteur parrainé par l'État UAT4356 (suivi par Microsoft en tant que Storm-1849), cible les appareils de réseau périmètre de plusieurs fournisseurs, en particulier les appareils de sécurité adaptatifs Cisco (ASA). Microsoft suit cet acteur en tant que Storm-1849, [en savoir plus ici.] (Https://sip.security.microsoft.com/intel-profiles/f3676211c9f06910f7f1f233d81347c1b837bddd93292c2e8f2eb860a27ad8d5) ## Description Ces appareils sont cruciaux pour le flux de données dans et hors des réseaux, ce qui les rend idéaux pour les campagnes axées sur l'espionnage.L'UAT4356 a déployé deux baignoires, "Line Runner" et "Line Dancer", pour mener des actions malveillantes telles que la modification de la configuration, la reconnaissance, la capture / exfiltration du trafic réseau et les mouvements potentiellement latéraux.Le vecteur d'accès initial utilisé dans cette campagne reste non identifié, mais deux vulnérabilités (CVE-2024-20353 et CVE-2024-20359) ont été exploitées. L'acteur a démontré un accent clair sur l'espionnage et une connaissance approfondie des dispositifs ciblés, indiquant une activité sophistiquée parrainée par l'État.Le calendrier de la campagne suggère que l'infrastructure contrôlée par l'acteur était active au début de novembre 2023, la plupart des activités se déroulant entre décembre 2023 et début janvier 2024. L'implant "Line Dancer", un interprète ShellCode résident à la mémoire, permet aux adversaires de télécharger et d'exécuter des charges utiles de shellcode arbitraires sur les périphériques ASA compromis.Il permet aux acteurs de menace de désactiver les commandes syslog, exécuter et exfiltrater, créer et exfiltrater les captures de paquets et exécuter les commandes CLI, entre autres actions. La porte dérobée "Line Runner", en revanche, maintient la persistance sur les appareils ASA compromis en tirant parti d'une capacité héritée qui permet la précharge de clients VPN et de plugins. L'UAT4356 a pris des mesures délibérées pour prévenir la capture médico-légale des artefacts malveillants, y compris les capacités anti-forensiques et anti-analyse.Le niveau élevé de la campagne, le développement des capacités et l'exploitation des vulnérabilités de 0 jour indiquent un acteur parrainé par l'État. ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact de l'activité associée au Storm-1849. - durcir les actifs orientés Internet et identifier et sécuriser les systèmes de périmètre que les attaquants pourraient utiliser pour accéder à votre réseau. - Encouragez les utilisateurs à utiliser Microsoft Edge et d'autres navigateurs Web qui prennent en charge SmartScreen, qui identifie et bloque des sites Web malveillants, y compris des sites de phishing, des sites d'arnaque et des sites contenant des exploits et hébergent des logiciels malveillants. - Allumez la protection livrée par le cloud dans Microsoft Defender Antivirus ou l'équivalent pour que votre produit antivirus couvre des outils et techniques d'attaquant en évolution rapide.Les protections d'apprentissage automatique basées sur le cloud bloquent une majorité de variantes nouvelles et inconnues. ## Les références [https://blog.talosintelligence.com/arcaneroor-new-espionage-foccused-campaign-found-targeting-perimeter-network-devices/-Campaign-Found-Targeting-Périmètre-Network-Devices /) ## Snapshot Cisco Talos reports on the ArcaneDoor campaign, attributed to the state-sponsored actor UAT4356 (Tracked by Microsoft as Storm-1849), targets perimeter network devices from multiple vendors, particularly Cisco Adaptive Security Appliances (ASA). Microsoft tracks this actor as Storm-1849, [read more about them here.](https://sip.security.microsoft.com/intel-profiles/f3676211c9f06910f7f1f233d81347c1b837bddd93292c2e8f2eb860a27ad8d5) #	Malware Tool Vulnerability Threat		★★★
	2024-04-24 14:51:27	Falcon Fund in Focus: Nagomi aide les clients à maximiser leurs investissements en cybersécurité Falcon Fund in Focus: Nagomi Helps Customers Maximize Their Cybersecurity Investments (lien direct)	Les violations évitables sont un problème courant.Selon des recherches de Nagomi, un leader dans le domaine naissant de l'évaluation automatisée du contrôle de la sécurité, 80% des organisations violées avaient déjà un outil en place qui aurait pu l'empêcher.Une solution consiste à maximiser l'utilisation des outils de sécurité qu'ils ont déjà.De nombreuses entreprises se débattent avec inefficaces [& # 8230;] Preventable breaches are a common problem. According to research by Nagomi, a leader in the nascent field of automated security control assessment, 80% of breached organizations already had a tool in place that could have prevented it. One solution is to maximize the use of security tools they already have. Many enterprises grapple with ineffective […]	Tool		★★
	2024-04-24 12:35:50	La sécurité des amplificateurs émerge de la furtivité furtive à la division entre les effectifs et la sécurité avec une copilote IA et l'automatisation humaine dans la boucle Amplifier Security emerges from stealth to bridge divide between the workforce and security with AI copilot and human-in-the-loop automation (lien direct)	avec un tour de financement de 3,3 millions de dollars, l'amplificateur relève le défi de sécurité du dernier kilomètre avec une approche d'auto-guérison qui transforme la façon dont les employés interagissent avec les outils de sécurité d'entreprise, améliorant la sécurité sans entraver la productivité Les équipes de sécurité comptent sur des comptesUne pile en constante augmentation d'outils de sécurité pour assurer la sécurité de leur organisation.Pourtant, les écarts de couverture et les alertes à travers ces outils n'obtiennent pas une attention appropriée et opportune en raison de la difficulté à engager les employés de l'entreprise occupées avec leur travail quotidien pour (...) - revues de produits With $3.3m funding round, Amplifier tackles the last mile security challenge with a self-healing approach that transforms how employees interact with corporate security tools, enhancing security without hindering productivity Security teams rely on an ever-growing stack of security tools to keep their organization safe. Yet, coverage gaps and alerts across these tools do not get proper and timely attention because of the difficulty engaging company employees busy with their daily work to (...) - Product Reviews	Tool		★★
	2024-04-24 12:29:33	Fraudes DeepFake en augmentation: un tiers des entreprises déjà affectées par une fraude assistée par l'IA, plus de 80% le voient comme une menace Deepfake Frauds on the Rise: One-Third of Businesses Already Affected by Some AI-Assisted Fraud, more than 80% See it as a Threat (lien direct)	La Renaissance de l'IA, qui a transformé l'intelligence artificielle en l'un des sujets les plus chauds des secteurs des consommateurs et des affaires, est livré avec son côté sombre, car de plus en plus de fraudeurs utilisent des outils d'IA pour les cyberattaques et les violations de données.Les fraudes assistées par l'IA et DeepFake ont explosé au cours des deux dernières années, confrontées aux entreprises et aux consommateurs avec un nouveau type d'arnaque qui est beaucoup plus difficile à prévenir et à reconnaître. Selon les données présentées par Altindex.com, un tiers des entreprises ont déjà été (...) - rapports spéciaux The AI renaissance, which turned artificial intelligence into one of the hottest topics in both the consumer and business sectors, comes with its dark side, as more and more scammers use AI tools for cyber attacks and data breaches. AI-assisted and deepfake frauds have exploded over the past two years, facing companies and consumers with a new type of scam that is much harder to prevent and recognize. According to data presented by AltIndex.com, one-third of businesses have already been (...) - Special Reports	Tool Threat		★★★
	2024-04-24 11:54:21	Russian APT28 Exploitation de Windows Vulnérabilité avec outil d'Oeeegg Russian APT28 Exploiting Windows Vulnerability with GooseEgg Tool (lien direct)	> Par waqas Mettez à jour les fenêtres maintenant ou soyez piraté: Microsoft met en garde contre la vulnérabilité activement exploitée! Ceci est un article de HackRead.com Lire le post original: Russian APT28 Exploitation de Windows Vulnérabilité avec l'outil Gooseegg >By Waqas Update Windows Now or Get Hacked: Microsoft Warns of Actively Exploited Vulnerability! This is a post from HackRead.com Read the original post: Russian APT28 Exploiting Windows Vulnerability with GooseEgg Tool	Tool Vulnerability	APT 28	★★★
	2024-04-24 10:53:13	Dernière version de Logpoint : prenez le contrôle de vos opérations de sécurité (lien direct)	>Les entreprises dépendent de leurs analystes en sécurité pour détecter, investiguer et répondre à tout incident de sécurité, mais elles ne leur fournissent pas toujours les outils adaptés pour mener à bien leur mission. Elles se concentrent trop sur la mise à disposition d'outils mais pas assez sur les moyens de relever leurs défis opérationnels. En [...]	Tool		★★
	2024-04-24 10:00:00	Comprendre comment la rationalité, la théorie de la dissuasion et l'indéterminisme influencent la cybercriminalité. Understanding how Rationality, Deterrence Theory, and Indeterminism Influence Cybercrime. (lien direct)	Understanding the factors influencing cybercriminal behavior is essential for developing effective cybercrime prevention strategies. Rationality plays a significant role in shaping criminal decisions, particularly through the lens of the rational actor model and deterrence theory. This blog explores how rationality influences cybercriminal behavior, focusing on the rational actor model, the concepts of deterrence theory, their implications for understanding and preventing cybercrime activities, and how Bayesian theory can help overcome indeterministic human criminal behavior to provide risk management. Brief History of Deterrence Theory: Deterrence theory has its roots in classical criminology and the works of philosophers such as Cesare Beccaria and Jeremy Bentham, who introduced the concept of deterrence as a means of preventing crime through the application of punishment. This idea became further developed during the mid-20th century when the theory of nuclear deterrence emerged as a prominent concept in international relations. The understanding of deterrence broadened to be applied not only in preventing nuclear conflict but also in the context of criminal justice. It was John Nash through his work in game theory that contributed significantly to the understanding of strategic decision-making and the potential for deterrence in various competitive situations. His insights were crucial in shaping the modern understanding of deterrence theory, particularly when applied to criminal decision-making and cybersecurity.[1] Explanation of Deterministic, Non-Deterministic, and Indeterministic: Deterministic: In the context of decision-making, determinism refers to the philosophical concept that all events, including human actions, are the inevitable result of preceding causes. This perspective suggests that given the same initial conditions and knowledge, an individual\'s choices can be predicted with certainty. In other words, under deterministic assumptions, human behavior can be seen as fully predictable.[2] Non-Deterministic: Non-deterministic views reject the idea that every event, including human actions, can be precisely determined or predicted based on preceding causes. Instead, non-deterministic perspectives acknowledge the role of uncertainty, chance, and randomness in decision-making. From this standpoint, human behavior is seen as influenced by a combination of factors, including personal choice, external circumstances, and unpredictable elements.[3] Indeterministic: Indeterminism represents a specific form of non-determinism. In the context of decision-making, indeterministic views emphasize the idea that certain events or actions, particularly human choices, are not entirely determined by preceding causes or predictable factors. Instead, they are seen as influenced by random or unpredictable elements, such as personal spontaneity, free will, or external factors that defy precise prediction.[4] The Indeterministic Nature of Cybercriminal Behavior: The indeterministic nature of cybercriminal behavior suggests that not all cybercrimes are the result of rational choices. Some individuals may engage in cybercriminal behavior due to impulsive actions, vulnerabilities in systems, or external pressures that override rational decision-making processes. These factors highlight the limitations of solely relying on rationality as an explanatory framework for cybercriminal behavior. Rationality and the Rational Actor Model in Cybercrime: The rational actor model suggests that cybercriminals are rational decision-makers who engage in a cost-benefit analysis before committing a cybercrime.[5] According to this model, cybercriminals weigh the potential benefits and costs of engaging in cybercriminal behavior and make a rational choice based on their assessment. The rational actor model assumes that cybercriminals have the capability to accurately assess the potential outcomes of their cyber actions and aim to maximize th	Tool Vulnerability Studies Legislation Prediction		★★★
	2024-04-24 08:43:16	Cybersécurité : des boîtes à outils aux services managés (lien direct)	Le contexte géopolitique et les grands événements sportifs comme les JO ne font qu'accentuer le risque de cyberattaques visant aussi bien les entreprises que les services publics. À titre d'exemple, en moyenne 10 incidents cyber ont visé chaque mois[1] les collectivités territoriales de début 2022 à mi 2023 en France : compromissions de comptes de messagerie, intrusions, rançongiciels... Ces offensives déstabilisent les organisations, mettent les services en panne et les équipes sur les dents. Leur (...) - Points de Vue	Tool		★★★
	2024-04-24 08:05:50	Nuageux avec une chance de ransomware: des outils cloud tiers vous mettent en danger, dit omniindex Cloudy with a chance of ransomware: Third-party cloud tools are putting you at risk, says OmniIndex (lien direct)	Il est temps de passer de notre dépendance à l'égard des outils tiers construits sur une infrastructure facilement exploitée Actuellement, une proportion écrasante d'entreprises placent leurs données sensibles entre les mains dans les mainsd'outils cloud tiers qui sont en proie à une multitude de vulnérabilités.Ceci est selon le PDG d'OmniIndex et l'expert en sécurité des données Simon Bain, qui soutient que les entreprises doivent adopter des technologies modernes ou des attaques à risque, car les attaquants de ransomware exploitent continuellement le cloud tiers (...) - opinion It\'s time to move on from our reliance on third-party tools built on easily exploited infrastructure At present, an overwhelming proportion of businesses are placing their sensitive data in the hands of third-party cloud tools that are plagued by a multitude of vulnerabilities. This is according to OmniIndex CEO and data security expert Simon Bain, who argues that businesses must embrace modern technologies or risk attacks, as ransomware attackers continually exploit third-party cloud (...) - Opinion	Ransomware Tool Vulnerability Threat Cloud		★★★
	2024-04-23 22:47:49	Les pirates de la Russie ont exploité Windows Flaw pour déployer & # 8216; GooseEgg & # 8217;Malware Russia’s APT28 Hackers Exploited Windows Flaw To Deploy ‘GooseEgg’ Malware (lien direct)	Microsoft a récemment révélé que le groupe de menaces russes & # 8220; APT28 & # 8243;utilisé un outil de piratage précédemment inconnu, «GooseEgg & # 8221;Pour exploiter la vulnérabilité Windows Print Spooler pour obtenir un accès élevé aux systèmes cibles et voler des informations d'identification et des informations. Selon l'équipe de renseignement des menaces de Redmond, APT28, également appelée Fancy Bear and Forest Blizzard (anciennement Strontium), utilise l'outil post-compromis depuis au moins juin 2020 et peut-être dès avril 2019Pour exploiter le CVE-2022-38028 (score CVSS: 7.8) Vulnérabilité dans Windows Print Spooler Service. Cet outil modifie un fichier de contraintes JavaScript et l'exécute avec des autorisations au niveau du système. Bien que la société ait abordé la vulnérabilité, CVE-2022-38028, rapportée par la U.S.Mate Security Agency (NSA) dans le cadre de Microsoft & # 8217; s octobre 2022 Patch Mardi Security Mises à jour, elle n'a fait aucune mention du défaut dans son avis . Microsoft a observé APT28 en utilisant GooseEgg dans le cadre des activités post-compromis contre diverses cibles, y compris les organisations gouvernementales, non gouvernementales, de l'éducation et des transports en Ukraine, en Europe occidentale et en Amérique du Nord. Bien que Gooseegg soit une application de lanceur simple, il peut engendrer d'autres applications sur la ligne de commande avec des autorisations élevées. Cela permet aux acteurs de menace de prendre en charge les activités malveillantes telles que l'exécution du code distant, l'installation d'une porte dérobée et le déplacement latéralement à travers des réseaux compromis. Les gouvernements américains et britanniques ont lié Forest Blizzard à l'unité 26165 de la Fédération de Russie \'s Military Intelligence Agency, la principale Direction du renseignement de l'état-major général des Forces armées de la Fédération de Russie (GRU). «Microsoft a observé qu'après avoir obtenu l'accès à un appareil cible, Forest Blizzard utilise GooseEgg pour élever les privilèges dans l'environnement.GooseEgg est généralement déployé avec un script de lot, que nous avons observé en utilisant le nom execute.bat et doit.bat .Ce script de lot écrit le fichier servtask.bat, qui contient des commandes pour enregistrer / compresser les ruches de registre.Le script de lot invoque l'exécutable de GooseEgg apparié et configure la persistance en tant que tâche planifiée conçue pour exécuter servtask.bat », lit le Advisory publié par Microsoft lundi. Les chercheurs de Microsoft ont noté qu'un fichier DLL malveillant intégré généralement, qui comprend l'expression « wayzgoose»; par exemple, wayzgoose23.dll , est une application de lanceur utilisée par la menaceLes acteurs doivent lancer d'autres charges utiles avec des autorisations au niveau du système et installer une porte dérobée, se déplacer latéralement dans le réseau de la victime et exécuter à distance le code sur les systèmes violés. Comme mentionné précédemment, la société a corrigé le défaut de sécurité des spouleurs imprimés en 2022. Il a également corrigé les vulnérabilités imprimées précédemment exploitées en 2021. «Les clients qui n'ont pas encore mis en œuvre ces correctifs sont invités à le faire dès que possible pour la sécurité de leur organisation», a déclaré Microsoft dans son avis. De plus, la société recommande également de dé	Malware Tool Vulnerability Threat	APT 28	★★★
	2024-04-23 13:21:39	Russie \\'s Fancy Bear Pummels Windows Print Spooler Bogue Russia\\'s Fancy Bear Pummels Windows Print Spooler Bug (lien direct)	Le tristement célèbre acteur de menace russe a créé un outil personnalisé appelé GooseEgg pour exploiter CVE-2022-38028 dans des attaques de cyber-espionnage contre les cibles en Ukraine, en Europe occidentale et en Amérique du Nord. The infamous Russian threat actor has created a custom tool called GooseEgg to exploit CVE-2022-38028 in cyber-espionage attacks against targets in Ukraine, Western Europe, and North America.	Tool Threat	APT 28	★★★
	2024-04-23 13:15:47	Découvrir des menaces potentielles à votre application Web en tirant parti des rapports de sécurité Uncovering potential threats to your web application by leveraging security reports (lien direct)	Posted by Yoshi Yamaguchi, Santiago Díaz, Maud Nalpas, Eiji Kitamura, DevRel team The Reporting API is an emerging web standard that provides a generic reporting mechanism for issues occurring on the browsers visiting your production website. The reports you receive detail issues such as security violations or soon-to-be-deprecated APIs, from users\' browsers from all over the world. Collecting reports is often as simple as specifying an endpoint URL in the HTTP header; the browser will automatically start forwarding reports covering the issues you are interested in to those endpoints. However, processing and analyzing these reports is not that simple. For example, you may receive a massive number of reports on your endpoint, and it is possible that not all of them will be helpful in identifying the underlying problem. In such circumstances, distilling and fixing issues can be quite a challenge. In this blog post, we\'ll share how the Google security team uses the Reporting API to detect potential issues and identify the actual problems causing them. We\'ll also introduce an open source solution, so you can easily replicate Google\'s approach to processing reports and acting on them. How does the Reporting API work? Some errors only occur in production, on users\' browsers to which you have no access. You won\'t see these errors locally or during development because there could be unexpected conditions real users, real networks, and real devices are in. With the Reporting API, you directly leverage the browser to monitor these errors: the browser catches these errors for you, generates an error report, and sends this report to an endpoint you\'ve specified. How reports are generated and sent. Errors you can monitor with the Reporting API include: Security violations: Content-Security-Policy (CSP), Cross-Origin-Opener-Policy (COOP), Cross-Origin-Embedder-Policy (COEP) Deprecated and soon-to-be-deprecated API calls Browser interventions Permissions policy And more For a full list of error types you can monitor, see use cases and report types. The Reporting API is activated and configured using HTTP response headers: you need to declare the endpoint(s) you want the browser to send reports to, and which error types you want to monitor. The browser then sends reports to your endpoint in POST requests whose payload is a list of reports. Example setup:#	Malware Tool Vulnerability Mobile Cloud		★★★
	2024-04-23 13:00:16	Protéger contre les attaques de tsunami DDOS Protecting Against DDoS Tsunami Attacks (lien direct)	> Le protecteur DDOS quantique aide à se défendre contre les attaques sophistiquées du tsunami DDOS sans temps d'arrêt ni perturbation de service.Check Point a une histoire de longue date de protection de nombreux clients dans le monde entier contre les attaques DDOS Web à grande échelle (déni de service distribué), gérant efficacement de grandes quantités de trafic dépassant 1 million de demandes par seconde (RPS).Les attaques émergentes du DDOS, notamment les attaques au tsunami, ont augmenté en fréquence et en sophistication depuis le début de la guerre de Russie-Ukraine, tirée à la fois par des acteurs parrainés par l'État et des «hacktivistes» à l'aide de botnets et d'outils de pointe.Ces cybercriminels évoluent continuellement, tirant parti des techniques avancées pour exploiter les vulnérabilités, en magnifiant la surface d'attaque des organisations du monde entier.À Check [& # 8230;] >Quantum DDoS Protector helps defend against sophisticated Tsunami DDoS Attacks without downtime or service disruption. Check Point has a long-standing history of protecting numerous customers worldwide from large-scale web DDoS (Distributed Denial of Service) attacks, effectively handling large amounts of traffic exceeding 1 million requests per second (RPS). Emerging DDoS attacks, notably Tsunami attacks, have surged in frequency and sophistication since the start of the Russia-Ukraine War, driven by both state-sponsored actors and “hacktivists” using botnets and cutting-edge tools. These cyber criminals are continuously evolving, leveraging advanced techniques to exploit vulnerabilities, magnifying the attack surface for organizations worldwide. At Check […]	Tool Vulnerability Threat		★★★
	2024-04-23 12:50:57	Les cyberespaces russes livrent \\ 'gooseegg \\' malware aux organisations gouvernementales Russian Cyberspies Deliver \\'GooseEgg\\' Malware to Government Organizations (lien direct)	APT28, lié à la Russie, déploie l'outil post-exploitation d'OeEEGG contre de nombreuses organisations américaines et européennes. Russia-linked APT28 deploys the GooseEgg post-exploitation tool against numerous US and European organizations.	Malware Tool	APT 28	★★★
	2024-04-23 12:00:00	M-Trends 2024: Notre vue depuis les fronts M-Trends 2024: Our View from the Frontlines (lien direct)	Attackers are taking greater strides to evade detection. This is one of the running themes in our latest release: M-Trends 2024. This edition of our annual report continues our tradition of providing relevant attacker and defender metrics, and insights into the latest attacker tactics, techniques and procedures, along with guidance and best practices on how organizations and defenders should be responding to threats. This year\'s M-Trends report covers Mandiant Consulting investigations of targeted attack activity conducted between January 1, 2023 and December 31, 2023. During that time, many of our observations demonstrate a more concerted effort by attackers to evade detection, and remain undetected on systems for longer periods of time: Increased targeting of edge devices, and platforms that traditionally lack endpoint detection and response solutions. A more than 50% growth in zero-day usage over the same reporting period in 2022, both by espionage groups as well as financially-motivated attackers. More “living off the land,” or use of legitimate, pre-installed tools and software within an environment. Despite the increased focus on evasion by attackers, we are pleased to report that defenders are generally continuing to improve at detecting threats. Dwell time represents the period an attacker is on a system from compromise to detection, and in 2023 the global median dwell time is now 10 days, down from 16 days in 2022. While various factors (such as ransomware) help drive down dwell time, it\'s still a big win for defenders. We can\'t let up, however. Mandiant red teams need only five to seven days on average to achieve their objectives, so organizations must remain vigilant. Other M-Trends 2024 metrics include: 54% of organizations first learned of a compromise from an external source (down from 63% in 2022), while 46% first identified evidence of a compromise internally. Our engagements most frequently occurred at financial services organizations (17.3%), business and professional services (13.3%), high tech (12.4%), retail and hospitality (8.6%), healthcare (8.1%), and government (8.1%). The most common initial infection vectors were exploits (38%), phishing (17%), prior compromise (15%), and stolen credentials (10%). Additional topics covered in detail in M-Trends 2024 include Chinese espionage operations targeting the visibility gap, the evolution of phishing amid shifting security controls, the use of adversary-in-the-middle to overcome multi-factor authentication, cloud intrusion trends, an	Tool Vulnerability Threat Medical Cloud		★★★★
	2024-04-23 10:54:54	Amélioration de l'efficacité des développeurs avec une correction alimentée par l'IA Enhancing Developer Efficiency With AI-Powered Remediation (lien direct)	Les méthodes traditionnelles d'assainissement des défauts ne sont pas équipées de la technologie pour suivre le rythme de l'évolution rapide des pratiques de génération de code, laissant les développeurs incapables de gérer des dettes de sécurité lourdes et écrasantes.La sécurité du code est toujours une préoccupation critique dans le développement de logiciels.Par exemple, lorsque GitHub Copilot a généré 435 extraits de code, près de 36% d'entre eux avaient des faiblesses de sécurité, quel que soit le langage de programmation.En l'état, de nombreux développeurs ne sont toujours pas équipés d'une méthode automatisée qui peut résoudre les problèmes en toute sécurité dans le code. Ce blog se plonge dans le changement de paradigme provoqué par Veracode Fix, une solution d'IA innovante conçue pour révolutionner l'assainissement automatisé des défauts. Les principaux risques de sécurité dans le code automatisé L'émergence d'outils automatisés de génération de code a provoqué une nouvelle ère d'efficacité et d'innovation.Cependant, ces progrès s'accompagnent d'une variété de risques de sécurité qui menacent l'intégrité et la sécurité des applications.… Traditional methods of flaw remediation are not equipped with the technology to keep pace with the rapid evolution of code generation practices, leaving developers incapable of managing burdensome and overwhelming security debt. Code security is still a critical concern in software development. For instance, when GitHub Copilot generated 435 code snippets, almost 36% of them had security weaknesses, regardless of the programming language. As it is, many developers are still unequipped with an automated method that can securely remediate issues in code. This blog delves into the paradigm shift brought about by Veracode Fix, an innovative AI solution designed to revolutionize automated flaw remediation. The Main Security Risks in Automated Code The emergence of automated code-generation tools has brought in a new era of efficiency and innovation. However, this progress comes with a variety of security risks that threaten the integrity and safety of applications.…	Tool		★★★

Last update at: 2024-06-04 05:07:58
See our sources.

To see everything: Our RSS (filtrered)