What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-02-23 10:13:36 | AT&T dit que la panne de son réseau de téléphones portables américains n'a pas été causée par une cyberattaque AT&T Says the Outage to Its US Cellphone Network Was Not Caused by a Cyberattack (lien direct) |
AT & # 038; t a déclaré que la panne de temps de son réseau de téléphones portables américains semblait être le résultat d'une erreur technique, pas d'une attaque malveillante.
AT&T said the hourslong outage to its U.S. cellphone network Thursday appeared to be the result of a technical error, not a malicious attack. |
Technical | ★★ | |
 |
2024-02-22 19:41:25 | Playbooks sur site Playbooks on-prem (lien direct) |
> L'automatisation joue un rôle central dans la rationalisation des opérations, l'amélioration de la posture de sécurité et la minimisation des risques.Cependant, l'exécution des tâches d'automatisation peut toujours être difficile pour les organisations ayant une infrastructure sur site en raison de la complexité et des contraintes techniques.Pour relever ce défi, Sekoia.io a récemment publié PlayBooks sur prém.Cette nouvelle fonctionnalité aide à exécuter en toute sécurité des actions dans un environnement sur prémal, [& # 8230;]
la publication Suivante playbooks on-prem est un article de sekoia.io blog .
>Automation plays a pivotal role in streamlining operations, enhancing security posture, and minimizing risks. However, executing automation tasks can still be challenging for organizations with on-premises infrastructure due to technical complexities and constraints. To address this challenge, Sekoia.io has recently released Playbooks on-prem. This new feature helps to safely execute actions across an on-prem environment, […] La publication suivante Playbooks on-prem est un article de Sekoia.io Blog. |
Technical | ★★★ | |
 |
2024-02-21 12:18:14 | Screenconnect Critical Bug maintenant attaqué à mesure que le code d'exploit émerge ScreenConnect critical bug now under attack as exploit code emerges (lien direct) |
Les détails techniques et les exploits de preuve de concept sont disponibles pour les deux vulnérabilités que Connectwise a divulguées plus tôt cette semaine pour Screenconnect, son bureau à distance et son logiciel d'accès.[...]
Both technical details and proof-of-concept exploits are available for the two vulnerabilities ConnectWise disclosed earlier this week for ScreenConnect, its remote desktop and access software. [...] |
Vulnerability Threat Technical | ★★★ | |
 |
2024-02-20 20:50:00 | Nouveaux logiciels malveillants Migo ciblant les serveurs Redis pour l'exploitation des crypto-monnaies New Migo Malware Targeting Redis Servers for Cryptocurrency Mining (lien direct) |
Une nouvelle campagne de logiciels malveillants a été observée ciblant les serveurs Redis pour l'accès initial avec l'objectif ultime de l'exploitation de la crypto-monnaie sur des hôtes Linux compromis.
"Cette campagne particulière implique l'utilisation d'un certain nombre de nouvelles techniques d'affaiblissement du système par rapport au magasin de données lui-même", a déclaré le chercheur en sécurité CADO Matt Muir & Nbsp; a déclaré & NBSP; dans un rapport technique.
L'attaque de cryptojacking est facilitée
A novel malware campaign has been observed targeting Redis servers for initial access with the ultimate goal of mining cryptocurrency on compromised Linux hosts. "This particular campaign involves the use of a number of novel system weakening techniques against the data store itself," Cado security researcher Matt Muir said in a technical report. The cryptojacking attack is facilitated |
Malware Technical | ★★ | |
 |
2024-02-16 22:24:14 | À quoi pourrait ressembler à la sécurité pour réguler les puces d'IA What Using Security to Regulate AI Chips Could Look Like (lien direct) |
Une proposition de recherche exploratoire recommande la réglementation des puces d'IA et des mesures de gouvernance plus fortes pour suivre les innovations techniques rapides de l'intelligence artificielle.
An exploratory research proposal is recommending regulation of AI chips and stronger governance measures to keep up with the rapid technical innovations in artificial intelligence. |
Technical | ★★ | |
 |
2024-02-15 17:07:14 | Sécuriser les chaînes d'approvisionnement en XDR ouvert Securing Supply Chains with Open XDR (lien direct) |
> Comment l'Open XDR fournit un moyen efficace et complet de lutter contre les menaces & # 8211;Aimei Wei, directeur technique, stellaire Cyber San Jose, Californie & # 8211;15 février 2024 Les cyberattaques sont en hausse dans chaque industrie, mais les sociétés de logiciels et leurs clients restent particulièrement vulnérables parce que
>How Open XDR provides an effective and comprehensive means of combating threats – Aimei Wei, Chief Technical Officer, Stellar Cyber San Jose, Calif. – Feb. 15, 2024 Cyberattacks are on the rise in every industry, but software companies and their clients remain especially vulnerable because |
Technical | ★★ | |
 |
2024-02-15 11:00:00 | 2024: Plan de cyber-action pratique - survivre et prospérer 2024: Practical cyber action plan- Survive and thrive (lien direct) |
\'Cyber insecurity\' is among the most pressing issues facing organizations globally in 2024, according to new research from the World Economic Forum (WEF). In its Global Cybersecurity Outlook 2024 report, the WEF found that more than eight in ten organizations surveyed feel more or as exposed to cyber crime than last year. How can businesses implement proficient cyber capabilities in an era where cyber threats from criminals and hacktivists are escalating in complexity and magnitude? This is crucial for adapting swiftly to the constantly evolving security challenges and confidently pursuing growth through digital innovation in products, services, and organizational transformation. In today\'s rapidly changing cyber threat environment, Chief Information Security Officers (CISOs) and security operations teams must adopt forward-thinking strategies. These strategies should focus on quickly identifying and addressing the most pressing vulnerabilities in their digital environments. Cyber attackers\' increasing sophistication and speed have prompted organizations of various sizes to re-evaluate their legacy systems, governance policies, and overall security stances, aiming to align with the latest industry standards The shift towards digital platforms and the widespread adoption of cloud technologies have expanded the avenues for cyber-attacks, consequently enlarging the attack surface. This growing attack surface includes vulnerable systems, compromised data, and unauthorized assets, highlighting the necessity for a consistent and ongoing security strategy. This strategy should be centered on managing and mitigating threats efficiently and accurately. Security leaders are becoming increasingly aware of the importance of such an approach. Its effectiveness and streamlined methodology significantly enhance cyber resilience by prioritizing the most urgent risks for immediate response and remediation. What is top of mind for the CISO in 2024? How do we build a cyber security ecosystem that can manage the threats and opportunities of the future? How do we ensure future technologies are secure by design, not as an afterthought? How do we anticipate the threat picture will change as new technologies, like AI and quantum computing, develop? Must haves for CISOs in 2024 Protecting privacy Protecting critical assets Mitigating risk Minimizing disruption Maintaining compliance Establishing and maintaining "CRUST" (credibility and trust) Ensuring secure productivity & efficiency At the top of the list of issues driving cybersecurity concerns include: Growing number of hackers/cybercriminals. Evolving threats & advanced skillset of criminals. Privacy concerns handling other\'s data. Generative AI Practical action plan: Proactively understanding your expanding attack surface, prioritizing risk management efforts, and building resilience helps achieve the following: 1) Prevents breaches & minimizes the impact of a potential breach Enhance the effectiveness of the Security Operations Center (SOC) by reducing the volume of security incidents, events, and breaches impacting the SOC over time. Adopt a proactive, preventative approach that bolsters cyber resilience quickly and improves security maturity year-over-year. 2) Reduces cybersecurity risks Real-time risk reduction is often impractical due to business constraints and a backlog of pending security issues. Focus on prioritizing risk reduction actions and optimizing resource allo | Vulnerability Threat Cloud Technical | ★★ | |
 |
2024-02-15 09:18:45 | Rhysida ransomware a fissuré!Outil de décryptage gratuit publié Rhysida ransomware cracked! Free decryption tool released (lien direct) |
Bonne nouvelle pour les organisations qui ont été victimes du célèbre ransomware de Rhysida.Un groupe de chercheurs sud-coréens en matière de sécurité a découvert une vulnérabilité dans le tristement célèbre ransomware.Cette vulnérabilité offre un moyen pour que les fichiers cryptés soient non recueillis.Des chercheurs de l'Université de Kookmin décrivent comment ils ont exploité un défaut de mise en œuvre dans le code de Rhysida \\ pour régénérer sa clé de cryptage dans un document technique sur leurs résultats."Rhysida Ransomware a utilisé un générateur de nombres aléatoires sécurisé pour générer la clé de chiffrement et crypter ensuite les données. Cependant, un ...
Good news for organisations who have fallen victim to the notorious Rhysida ransomware . A group of South Korean security researchers have uncovered a vulnerability in the infamous ransomware. This vulnerability provides a way for encrypted files to be unscrambled. Researchers from Kookmin University describe how they exploited an implementation flaw in Rhysida\'s code to regenerate its encryption key in a technical paper about their findings. "Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data. However, an... |
Ransomware Tool Vulnerability Technical | ★★★ | |
|
2024-02-15 08:27:50 | La nouvelle variante de logiciels malveillants QBOT utilise une fausse popup d'installation d'Adobe pour l'évasion New Qbot malware variant uses fake Adobe installer popup for evasion (lien direct) |
Le développeur de Qakbot Malware, ou une personne ayant accès au code source, semble expérimenter de nouvelles versions car des échantillons nouveaux ont été observés dans les campagnes de courrier électronique depuis la mi-décembre.[...]
The developer of Qakbot malware, or someone with access to the source code, seems to be experimenting with new builds as fresh samples have been observed in email campaigns since mid-December. [...] |
Malware Technical | ★★★ | |
|
2024-02-14 23:00:00 | 10 catégories de métriques de sécurité Les Cisos devraient présenter au conseil d'administration 10 Security Metrics Categories CISOs Should Present to the Board (lien direct) |
Les conseils d'administration ne se soucient pas des moindres détails techniques du programme de sécurité.Ils veulent voir comment les indicateurs de performance clés sont suivis et utilisés.
Boards of directors don\'t care about the minute technical details of the security program. They want to see how key performance indicators are tracked and utilized. |
Technical | ★★ | |
 |
2024-02-12 17:27:08 | Les astuces de l'usurpation du DMARC de la Corée du Nord North Korea\\'s DMARC spoofing tricks (lien direct) |
Pas de details / No more details | Technical | ★★★★ | |
 |
2024-02-12 11:00:25 | La cyber-vengeance de la Chine |Pourquoi la RPC ne soutient pas ses affirmations d'espionnage occidental China\\'s Cyber Revenge | Why the PRC Fails to Back Its Claims of Western Espionage (lien direct) |
Les affirmations de piratage et d'espionnage de la Chine n'ont pas les détails techniques rigoureux observés dans la menace occidentale Intel.Pourquoi l'asymétrie et comment profite-t-elle à la RPC?
China\'s claims of hacks and espionage lack the rigorous technical detail seen in western threat intel. Why the asymmetry, and how does it benefit the PRC? |
Threat Technical | ★★★ | |
|
2024-02-08 12:23:00 | Le nouveau voleur de Golang de Kimsuky \\ a \\ 'troll \\' et \\ 'gobear \\' cible de porte dérobée de la Corée du Sud Kimsuky\\'s New Golang Stealer \\'Troll\\' and \\'GoBear\\' Backdoor Target South Korea (lien direct) |
L'acteur de l'État-nation lié à la Corée du Nord connue sous le nom de Kimsuky est soupçonné d'utiliser un voleur d'informations basé à Golang auparavant sans papiers appelé & nbsp; troll Stealer.
Le malware vole "SSH, Filezilla, C Fichiers / répertoires de lecteur, navigateurs, informations système, [et] captures d'écran" des systèmes infectés, la société sud-coréenne de cybersécurité S2W & NBSP; Said & Nbsp; dans un nouveau rapport technique.
Troll
The North Korea-linked nation-state actor known as Kimsuky is suspected of using a previously undocumented Golang-based information stealer called Troll Stealer. The malware steals "SSH, FileZilla, C drive files/directories, browsers, system information, [and] screen captures" from infected systems, South Korean cybersecurity company S2W said in a new technical report. Troll |
Malware Technical | ★★★ | |
|
2024-02-07 21:45:09 | CISA: les pirates de typhon volt de la Chine planifiant une perturbation des infrastructures critiques CISA: China\\'s Volt Typhoon Hackers Planning Critical Infrastructure Disruption (lien direct) |
La nouvelle alerte de la CISA comprend des atténuations techniques pour durcir les surfaces d'attaque et les instructions pour chasser les pirates chinois soutenus par le gouvernement.
New CISA alert includes technical mitigations to harden attack surfaces and instructions to hunt for the Chinese government-backed hackers. |
Technical | Guam | ★★ |
 |
2024-02-05 11:12:23 | Hunting Down The Top 5 Most Common Price Manipulation Vulnerabilities in E-Commerce Websites (lien direct) | > Les magasins de commerce électronique peuvent perdre beaucoup de revenus si les vulnérabilités de manipulation des prix sont activement exploitées par les mauvais acteurs. & # 160;Ce sont souvent des vulnérabilités de sécurité causées par une mauvaise manipulation de la logique par les développeurs, ce qui peut entraîner une erreur de calcul des prix (injection de formule) à la caisse, permettant souvent aux acheteurs malveillants de commander des articles à un [& # 8230;] très réduit [& # 8230;]
>E-commerce stores can lose out on a lot of revenue if price manipulation vulnerabilities get actively exploited by bad actors. These are often security vulnerabilities caused by improper logic handling by developers which can cause the server to miscalculate prices (formula injection) at checkout, often allowing malicious shoppers to order items at a highly reduced […] |
Vulnerability Technical | ★★ | |
 |
2024-02-05 10:46:32 | Sauvegarde de la mise en œuvre de l'IEC 61850 dans les systèmes de contrôle industriel: une odyssée technique Safeguarding IEC 61850 Implementation in Industrial Control Systems: A Technical Odyssey (lien direct) |
> Introduction: naviguer dans l'odyssée de cybersécurité IEC 61850 dans la tapisserie complexe des systèmes de contrôle industriel (ICS) et du ...
>Introduction: Navigating the IEC 61850 Cybersecurity Odyssey In the intricate tapestry of Industrial Control Systems (ICS) and the... |
Industrial Technical | ★★★ | |
|
2024-02-02 05:00:36 | Développement d'une nouvelle norme Internet: le cadre de la politique relationnelle du domaine Developing a New Internet Standard: the Domain Relationship Policy Framework (lien direct) |
Engineering Insights is an ongoing blog series that gives a behind-the-scenes look into the technical challenges, lessons and advances that help our customers protect people and defend data every day. Each post is a firsthand account by one of our engineers about the process that led up to a Proofpoint innovation. In this blog post, we discuss the Domain Relationship Policy Framework (DRPF)-an effort that has been years in the making at Proofpoint. The DRPF is a simple method that is used to identify verifiably authorized relationships between arbitrary domains. We create a flexible way to publish policies. These policies can also describe complex domain relationships. The details for this new model require in-depth community discussions. These conversations will help us collectively steer the DRPF toward becoming a fully interoperable standard. We are now in the early proposal stage for the DRPF, and we are starting to engage more with the broader community. This post provides a glimpse down the road leading to standardization for the DRPF. Why Proofpoint developed DRPF To shine a light on why Proofpoint was inspired to develop the DRPF in the first place, let\'s consider the thinking of the initial designers of the Domain Name System (DNS). They assumed that subdomains would inherit the administrative control of their parent domains. And by extension, this should apply to all subsequent subdomains down the line. At the time, this was reasonable to assume. Most early domains and their subdomains operated in much the same way. For example, “university.edu” directly operated and controlled the administrative policies for subdomains such as “lab.university.edu” which flowed down to “project.lab.university.edu.” Since the mid-1980s, when DNS was widely deployed, there has been a growing trend of delegating subdomains to third parties. This reflects a breakdown of the hierarchical model of cascading policies. To see how this works, imagine that a business uses “company.com” as a domain. That business might delegate “marketing.company.com” to a third-party marketing agency. The subdomain must inherit some policies, while the subdomain administrator may apply other policies that don\'t apply to the parent domain. Notably, there is no mechanism yet for a domain to declare a relationship with another seemingly independent domain. Consider a parent company that operates multiple distinct brands. The company with a single set of policies may want them applied not only to “company.com” (and all of its subdomains). It may also want them applied to its brand domains “brand.com” and “anotherbrand.com.” It gets even more complex when any of the brand domains delegate various subdomains to other third parties. So, say some of them are delegated to marketing or API support. Each will potentially be governed by a mix of administrative policies. In this context, “policies” refers to published guidance that is used when these subdomains interact with the domain. Policies might be for information only. Or they might provide details that are required to use services that the domain operates. Most policies will be static (or appear so to the retrieving parties). But it is possible to imagine that they could contain directives akin to smart contracts in distributed ledgers. 3 Design characteristics that define DRPF The goal of the DRPF is to make deployment and adoption easier while making it flexible for future use cases. In many prior proposals, complex requirements bogged down efforts to get rid of administrative boundaries between and across disparate domains. Our work should be immediately useful with minimal effort and be able to support a wide array of ever-expanding use cases. In its simplest form, three design characteristics define the DRPF: A domain administrator publishes a policy assertion record for the domain so that a relying party can discover and retrieve it. The discovered policy assertion directs the relying party to where they can find | Tool Prediction Cloud Technical | ★★★ | |
 |
2024-01-31 21:23:24 | ESET participe à une opération mondiale pour perturber le Trojan bancaire Grandoreiro ESET Takes Part in Global Operation to Disrupt the Grandoreiro Banking Trojan (lien direct) |
#### Description
ESET a travaillé avec la police fédérale du Brésil dans le but de perturber le botnet Grandoreiro, fournissant une analyse technique, des informations statistiques et des serveurs C&C connus aux autorités.
Grandoreiro est un cheval de Troie bancaire latino-américain qui est actif depuis au moins 2017 et cible le Brésil, le Mexique et l'Espagne.Les opérateurs de Grandoreiro \\ ont abusé des fournisseurs de cloud tels que Azure et AWS pour héberger leur infrastructure réseau.
#### URL de référence (s)
1. https://www.welivesecurity.com/en/eset-research/eset-takes-partit-hobal-opération-srupt-grandoreiro-banking-trojan/
#### Date de publication
30 janvier 2024
#### Auteurs)
Recherche ESET
#### Description ESET has worked with the Federal Police of Brazil on an effort to disrupt the Grandoreiro botnet, providing technical analysis, statistical information and known C&C servers to the authorities. Grandoreiro is a Latin American banking trojan that has been active since at least 2017 and targets Brazil, Mexico, and Spain. Grandoreiro\'s operators have abused cloud providers such as Azure and AWS to host their network infrastructure. #### Reference URL(s) 1. https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-grandoreiro-banking-trojan/ #### Publication Date January 30, 2024 #### Author(s) ESET Research |
Cloud Technical | ★★★ | |
 |
2024-01-31 13:30:18 | Le domaine Internet de haut niveau russe souffre d'une panne massive Russian top-level internet domain suffers massive outage (lien direct) |
Les citoyens russes ne pouvaient pas accéder à la majorité des sites Web du domaine du pays \\..La panne était
Russian citizens couldn\'t access the majority of websites on the country\'s .ru domain for several hours on Tuesday, including the Yandex search engine, the VKontakte social media platform, the major state-owned bank Sberbank and news outlets. The outage was reportedly caused by a technical problem with the .ru domain\'s global Domain Name System Security Extensions, |
Technical | ★★ | |
 |
2024-01-30 11:30:00 | ESET participe à une opération mondiale pour perturber le Trojan bancaire Grandoreiro ESET takes part in global operation to disrupt the Grandoreiro banking trojan (lien direct) |
ESET a fourni une analyse technique, des informations statistiques, des serveurs C& C;
ESET provided technical analysis, statistical information, known C&C servers and was able to get a glimpse of the victimology |
Technical | ★★★ | |
|
2024-01-30 11:00:00 | Darkgate Malware livré via Microsoft Teams - Détection et réponse DarkGate malware delivered via Microsoft Teams - detection and response (lien direct) |
Executive summary
While most end users are well-acquainted with the dangers of traditional phishing attacks, such as those delivered via email or other media, a large proportion are likely unaware that Microsoft Teams chats could be a phishing vector. Most Teams activity is intra-organizational, but Microsoft enables External Access by default, which allows members of one organization to add users outside the organization to their Teams chats. Perhaps predictably, this feature has provided malicious actors a new avenue by which to exploit untrained or unaware users.
In a recent example, an AT&T Cybersecurity Managed Detection and Response (MDR) customer proactively reached out with concerns about a user who was external to their domain sending an unsolicited Teams chat to several internal members. The chat was suspected to be a phishing lure. The customer provided the username of the external user as well as the IDs of multiple users who were confirmed to have accepted the message.
With this information, the AT&T Cybersecurity MDR SOC team was able to identify the targeted users, as well as suspicious file downloads initiated by some of them. A review of the tactics and indicators of compromise (IOCs) utilized by the attacker showed them to be associated with DarkGate malware, and the MDR SOC team was able to head off the attack before any significant damage was done.
Investigation
Initial event review
Indicators of compromise
The customer provided the below screenshot (Image 1) of the message that was received by one of their users and which was suspected to be a phishing lure. An important detail to note here is the “.onmicrosoft.com” domain name. This domain, by all appearances, is authentic and most users would probably assume that it is legitimate. OSINT research on the domain also shows no reports for suspicious activity, leading the MDR SOC team to believe the username (and possibly the entire domain) was likely compromised by the attackers prior to being used to launch the phishing attack.
Image 1: Screenshot from customer of received message
Expanded investigation
Events search
Performing a search of the external username in the customer’s environment led the MDR team to over 1,000 “MessageSent” Teams events that were generated by the user. Although these events did not include the IDs of the recipients, they did include the external user’s tenant ID, as displayed in Image 2 below.
Image 2: Event log showing external user tenant ID
A Microsoft 365 tenant ID is a globally unique identifier assigned to an organization. It is what allows members of different companies to communicate with one another via Teams. As long as both members of a chat have valid tenant IDs, and External Access is enabled, they can exchange messages. With this in mind, the MDR SOC team was able to query events that contained the external user’s tenant ID and found multiple “MemberAdded” events, which are generated when a user joins a chat in Teams.
Image 3: “MemberAdded” event
These events include the victim’s user ID, but not the external user ID. In addition to the external tenant ID, the MDR SOC team was able to positively link these “MemberAdded” events back to the attacker via the “ChatThreadId” field, which was also present in the original “MessageSent&rdq |
Malware Threat Technical | ★★★★ | |
|
2024-01-29 16:00:00 | Le district scolaire du New Jersey fermé par cyberattaque New Jersey School District Shut Down by Cyberattack (lien direct) |
Dimanche soir, les responsables du district du canton de Freehold ont informé son personnel et ses parents que l'école ne serait pas en session lundi en raison de difficultés techniques causées par un cyber-incident.
Sunday night, Freehold Township district officials notified its staff and parents that school would not be in session Monday due to technical difficulties caused by a cyber incident. |
Technical | ★★ | |
|
2024-01-29 01:51:11 | Pourquoi le Top 10 de la sécurité de l'API OWASP est essentiel pour chaque entreprise Why the OWASP API Security Top 10 is Essential for Every Business (lien direct) |
À une époque où la transformation numérique dicte le rythme de la croissance des entreprises, les API sont devenues la pierre angulaire de l'architecture d'entreprise moderne.Les API ne sont pas seulement des outils techniques;Ce sont des actifs vitaux qui stimulent les processus métier, améliorent les expériences des clients et ouvrent de nouvelles voies pour l'innovation.Cependant, avec une grande puissance s'accompagne d'une grande responsabilité, en particulier en termes de sécurité.OWASP API Security Top 10 offre une feuille de route pour protéger ces outils essentiels contre l'évolution des cyber-menaces.Pour les dirigeants d'entreprise et les professionnels de la sécurité, la compréhension et la mise en œuvre des principes ...
In an era where digital transformation dictates the pace of business growth, APIs have become the cornerstone of modern enterprise architecture. APIs are not just technical tools; they are vital assets that drive business processes, enhance customer experiences, and open new avenues for innovation. However, with great power comes great responsibility, especially in terms of security. OWASP API Security Top 10 offers a roadmap to safeguard these essential tools against evolving cyber threats. For business executives and security professionals alike, understanding and implementing the principles... |
Tool Technical | ★★ | |
|
2024-01-26 16:34:00 | Perfectionner la stratégie de défense en profondeur avec l'automatisation Perfecting the Defense-in-Depth Strategy with Automation (lien direct) |
Les châteaux médiévaux étaient comme des forteresses imprenables pendant des siècles, grâce à leur design méticuleux.Avance rapide à l'ère numérique, et cette sagesse médiévale fait toujours écho à la cybersécurité.Comme les châteaux avec des dispositions stratégiques pour résister aux attaques, la stratégie de défense en profondeur est le homologue moderne - une approche multicouche avec une redondance stratégique et un mélange de sécurité passive et active
Medieval castles stood as impregnable fortresses for centuries, thanks to their meticulous design. Fast forward to the digital age, and this medieval wisdom still echoes in cybersecurity. Like castles with strategic layouts to withstand attacks, the Defense-in-Depth strategy is the modern counterpart - a multi-layered approach with strategic redundancy and a blend of passive and active security |
Technical | ★★★ | |
 |
2024-01-26 09:00:54 | Securonix Threat Research Security Advisory: Analyse technique et détection de deux vulnérabilités zéro-jours dans Ivanti Connect Secure VPN Securonix Threat Research Security Advisory: Technical Analysis and Detection of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN (lien direct) |
Securonix Threat Research Security Advisory: Analyse technique et détection de deux vulnérabilités zéro-jours dans Ivanti Connect Secure VPN
Securonix Threat Research Security Advisory: Technical Analysis and Detection of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN |
Vulnerability Threat Technical | ★★ | |
|
2024-01-24 21:45:00 | La société de technologie financière équilibre dit que la reprise après la cyberattaque \\ 'peut prendre plusieurs jours \\' Financial tech firm EquiLend says recovery after cyberattack \\'may take several days\\' (lien direct) |
La société de technologie financière Equlend a été frappée par une cyberattaque cette semaine qui a forcé plusieurs de ses systèmes hors ligne et peut nécessiter plusieurs jours pour se remettre.La société, fondée en 2000 par plusieurs des plus grandes sociétés financières du monde \\, a réalisé des nouvelles futures vers une déclaration disant qu'elle a identifié un problème technique sur
Financial technology firm EquiLend was hit with a cyberattack this week which forced several of its systems offline and may require several days to recover from. The company, which was founded in 2000 by several of the world\'s largest financial firms, directed Recorded Future News to a statement saying it identified a technical issue on |
Technical | ★★★ | |
|
2024-01-23 15:29:37 | Plus d'un quart des 2000 mondiaux ne sont pas prêts pour les règles d'authentification des e-mails rigoureuses à venir More than One-Quarter of the Global 2000 Are Not Ready for Upcoming Stringent Email Authentication Rules (lien direct) |
Le courrier électronique reste le principal canal de communication pour les organisations et les moyens de communication préférés pour les consommateurs.Et partout où les gens vont, les acteurs de la menace suivent.Les cybercriminels continuent d'exploiter les e-mails pour livrer le phishing, la fraude par e-mail, le spam et d'autres escroqueries.Mais Google, Yahoo!, Et Apple se battent avec de nouvelles exigences d'authentification par e-mail conçues pour empêcher les acteurs de la menace d'abuser des e-mails.Bien que ce changement majeur soit une excellente nouvelle pour les consommateurs, les organisations n'ont pas beaucoup de temps pour préparer le google, Yahoo!Et Apple commencera à appliquer ses nouvelles exigences au premier trimestre de 2024. Avec seulement des semaines jusqu'à ce que ces règles commencent à prendre effet, plus d'un quart (27%) des Forbes Global 2000 ne sont pas prêts pour ces nouvelles exigences;Cela peut avoir un impact significatif sur leur capacité à fournir des communications par e-mail à leurs clients en temps opportun et met leurs clients en danger de fraude par e-mail et d'escroqueries.En fait, notre rapport State of the Phish 2023 a révélé que 44% des consommateurs mondiaux pensent qu'un e-mail est sûr s'il inclut simplement l'image de marque familière. L'analyse de Proofpoint \\ de la Forbes Global 2000 et leur adoption du protocole ouvert DMARC (reporting et conformité d'authentification des messages basés sur le domaine), un protocole d'authentification largement utilisé qui aide à garantir l'identité des communications par e-mail et protège les noms de domaine du site Web contre le fait d'êtreusurpé et mal utilisé, montre: Plus d'un quart (27%) du Global 2000 n'a aucun enregistrement DMARC en place, indiquant qu'ils ne sont pas préparés aux prochaines exigences d'authentification par e-mail. 69% stupéfiants ne bloquent pas activement les e-mails frauduleux en atteignant leurs clients;Moins d'un tiers (31%) ont mis en œuvre le plus haut niveau de protection pour rejeter les e-mails suspects en atteignant leurs clients de réception. 27% ont mis en œuvre une politique de moniteur, ce qui signifie que des e-mails non qualifiés peuvent toujours arriver dans la boîte de réception du destinataire;et seulement 15% ont mis en œuvre une politique de quarantaine pour diriger des e-mails non qualifiés aux dossiers spam / indésirables. L'authentification par e-mail est une meilleure pratique depuis des années.DMARC est l'étalon-or pour se protéger contre l'identité des e-mails, une technique clé utilisée dans la fraude par e-mail et les attaques de phishing.Mais, comme le révèle notre analyse du Global 2000, de nombreuses entreprises doivent encore la mettre en œuvre, et celles qui sont à la traîne de l'adoption du DMARC devront désormais rattraper leur retard rapidement s'ils souhaitent continuer à envoyer des e-mails à leurs clients.Les organisations qui ne se contentent pas ne pourraient pas voir leurs e-mails acheminés directement vers les dossiers de spam des clients ou rejeté. La mise en œuvre peut cependant être difficile, car elle nécessite une variété d'étapes techniques et une maintenance continue.Toutes les organisations n'ont pas les ressources ou les connaissances en interne pour répondre aux exigences en temps opportun.Vous pouvez profiter de ressources telles que le kit technique et d'authentification de l'e-mail technique de Proofpoint \\ pour vous aider à démarrer.ProofPoint propose également un outil pour vérifier les enregistrements DMARC et SPF de votre domaine, ainsi que pour créer un enregistrement DMARC pour votre domaine.Cet outil fait partie d'une solution complète de défense de fraude par e-mail, qui fournit un SPF hébergé, un DKIM hébergé et des fonctionnalités DMARC hébergées pour simplifier le déploiement et la maintenance tout en augmentant la sécurité.La solution comprend également l'accès à des consultants hautement expérimentés pour vous guider à travers les workflows d'im | Spam Tool Threat Cloud Technical | ★★★ | |
|
2024-01-22 22:17:00 | Les pirates nord-coréens ont armé de fausses recherches pour livrer la porte dérobée Rokrat North Korean Hackers Weaponize Fake Research to Deliver RokRAT Backdoor (lien direct) |
Les organisations médiatiques et les experts de haut niveau des affaires nord-coréennes ont été à la fin d'une nouvelle campagne orchestrée par un acteur de menace connu sous le nom de & nbsp; Scarcruft & nbsp; en décembre 2023.
"Scarcruft a expérimenté de nouvelles chaînes d'infection, notamment l'utilisation d'un rapport de recherche sur les menaces techniques comme leurre, ciblant probablement les consommateurs d'intelligence des menaces comme la cybersécurité
Media organizations and high-profile experts in North Korean affairs have been at the receiving end of a new campaign orchestrated by a threat actor known as ScarCruft in December 2023. "ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity |
Threat Technical | ★★★ | |
|
2024-01-22 06:00:26 | Types de menaces et d'attaques d'identité que vous devez être consciente Types of Identity Threats and Attacks You Should Be Aware Of (lien direct) |
It\'s easy to understand why today\'s cybercriminals are so focused on exploiting identities as a key step in their attacks. Once they have access to a user\'s valid credentials, they don\'t have to worry about finding creative ways to break into an environment. They are already in. Exploiting identities requires legwork and persistence to be successful. But in many ways this tactic is simpler than exploiting technical vulnerabilities. In the long run, a focus on turning valid identities into action can save bad actors a lot of time, energy and resources. Clearly, it\'s become a favored approach for many attackers. In the past year, 84% of companies experienced an identity-related security breach. To defend against identity-based attacks, we must understand how bad actors target the authentication and authorization mechanisms that companies use to manage and control access to their resources. In this blog post, we will describe several forms of identity-based attacks and methods and offer an overview of some security controls that can help keep identity attacks at bay. Types of identity-based attacks and methods Below are eight examples of identity attacks and related strategies. This is not an exhaustive list and, of course, cybercriminals are always evolving their techniques. But this list does provide a solid overview of the most common types of identity threats. 1. Credential stuffing Credential stuffing is a type of brute-force attack. Attackers add pairs of compromised usernames and passwords to botnets that automate the process of trying to use the credentials on many different websites at the same time. The goal is to identify account combinations that work and can be reused across multiple sites. Credential stuffing is a common identity attack technique, in particular for widely used web applications. When bad actors find a winning pair, they can steal from and disrupt many places at once. Unfortunately, this strategy is highly effective because users often use the same passwords across multiple websites. 2. Password spraying Another brute-force identity attack method is password spraying. A bad actor will use this approach to attempt to gain unauthorized access to user accounts by systematically trying commonly used passwords against many usernames. Password spraying isn\'t a traditional brute-force attack where an attacker attempts to use many passwords against a single account. It is a more subtle and stealthy approach that aims to avoid account lockouts. Here\'s how this identity attack usually unfolds: The attacker gathers a list of usernames through public information sources, leaked databases, reconnaissance activities, the dark web and other means. They then select a small set of commonly used or easily guessable passwords. Next, the attacker tries each of the selected passwords against a large number of user accounts until they find success. Password spraying is designed to fly under the radar of traditional security detection systems. These systems may not flag these identity-based attacks due to the low number of failed login attempts per user. Services that do not implement account lockout policies or have weak password policies are at risk for password spraying attacks. 3. Phishing Here\'s a classic and very effective tactic that\'s been around since the mid-1990s. Attackers use social engineering and phishing to target users through email, text messages, phone calls and other forms of communication. The aim of a phishing attack is to trick users into falling for the attacker\'s desired action. That can include providing system login credentials, revealing financial data, installing malware or sharing other sensitive data. Phishing attack methods have become more sophisticated over the years, but they still rely on social engineering to be effective. 4. Social engineering Social engineering is more of an ingredient in an identity attack. It\'s all about the deception and manipulation of users, and it\'s a feature in | Malware Vulnerability Threat Patching Technical | ★★ | |
 |
2024-01-18 06:15:00 | Cyber sans but lucratif enrôles ex-NCSC chef en tant que chaise technique Cyber non-profit enlists ex-NCSC head as technical chair (lien direct) |
Pas de details / No more details | Technical | ★★ | |
|
2024-01-17 15:52:00 | La nouvelle méthode Ishutdown expose des logiciels espions cachés comme Pegasus sur votre iPhone New iShutdown Method Exposes Hidden Spyware Like Pegasus on Your iPhone (lien direct) |
Les chercheurs en cybersécurité ont identifié une "méthode légère" appelée & nbsp; Ishutdown & nbsp; pour identifier de manière fiable des signes de logiciels espions sur les appareils Apple iOS, y compris des menaces notoires comme NSO Group \\ 'S & nbsp; Pegasus, Quadream \' s & nbsp; Reign, and Intellexa \\ 's & nbsp; Predator. & nbsp;
Kaspersky, qui a analysé un ensemble d'iphones compromis avec Pegasus, a déclaré que les infections laissaient les traces dans un fichier
Cybersecurity researchers have identified a "lightweight method" called iShutdown for reliably identifying signs of spyware on Apple iOS devices, including notorious threats like NSO Group\'s Pegasus, QuaDream\'s Reign, and Intellexa\'s Predator. Kaspersky, which analyzed a set of iPhones that were compromised with Pegasus, said the infections left traces in a file |
Mobile Technical | ★★★ | |
|
2024-01-17 06:00:02 | Comment mettre en place un programme de gestion des menaces d'initié et de prévention des pertes de données How to Set Up an Insider Threat Management and Data Loss Prevention Program (lien direct) |
This blog post is adapted from our e-book, Getting Started with DLP and ITM. The last few years have brought unprecedented change. An increasingly distributed workforce, access to more data through more channels and a shift to the cloud have transformed the nature of work. These trends have made protecting sensitive data more complicated and demanding. What\'s clear is that organizations are struggling to rise to the challenge. Between 2020 and 2022, insider threats increased by a staggering 44%. And the costs of addressing them increased 34%-from $11.45 million to $15.38 million. This upswing mainly comes down to two factors. For starters, most security teams have little visibility into people-caused data loss and insider-led security incidents. And few have the tools or resources to handle it. That\'s why Gartner sees platforms for data loss prevention and insider threat management (DLP and ITM) increasingly converging. Businesses need tools and processes that give them holistic, contextualized insights that take user behavior into account. It\'s no longer enough to focus on data-and where it\'s moving. To prevent data loss, industry leaders need to take a people-centric approach that expands beyond traditional drivers like compliance. In this blog post, we\'ll explore some basics for designing an ITM and DLP program. This can help you approach information protection in a way that\'s built for how modern organizations work. Why information protection is so challenging Risks are everywhere in today\'s complex landscape. Here are a few changes making it difficult for companies to protect their data. More data is open to exposure and theft. As businesses go digital, more data is being generated than ever before. According to IDC\'s Worldwide Global DataSphere Forecast, the total amount of data generated data will double from 2022 to 2026. That means malicious insiders will have more access to more sensitive data through more channels. It will also be easier for careless users to expose data inadvertently. Plus, any security gap between channels, any misconfiguration or any accidental sharing of files can give external attackers more opportunities to steal data. New data types are hard to detect. Data isn\'t just growing in volume. It\'s also becoming more diverse, which makes it harder to detect and control. With traditional DLP program tools, data typically fits within very tightly defined data patterns (such as payment card number). But even then, it generates too many false positives. Now, key business data is more diverse and can be graphical, tabular or even source code. The network security perimeter no longer exists. With more employees and contractors working remotely, the security perimeter has shifted from brick and mortar to one based on people. Add to the mix bring-your-own-device (BYOD) practices, where the personal and professional tend to get blurred, and security teams have even more risks to contend with. In a survey for the 2023 State of the Phish report from Proofpoint, 72% of respondents said they use one or more of their personal devices for work. Employee churn is high. Tech industry layoffs in 2022 and 2023 have seen many employees leaving and joining businesses at a rapid rate. The result is greater risk of data exfiltration, infiltration and sabotage. Security leaders know it, too-39% of chief information security officers rated improving information protection as the top priority over the next two years. Security talent is in short supply. A lack of talent has left many security teams under-resourced. And the situation is likely to get worse. In 2023, the cybersecurity workforce gap hit an all-time high-there are 4 million more jobs than there are skilled workers. DLP vs. ITM What\'s the difference between DLP and ITM? Both DLP and ITM work to prevent data loss. But they achieve it in different ways. DLP tracks data movement and exfiltration DLP monitors file activity and scans content to see whether users are handling sen | Tool Threat Cloud Technical | ★★ | |
 |
2024-01-16 14:41:59 | Binaires mal comportementaux: comment détecter les abus de lolbin dans la nature Misbehaving binaries: How to detect LOLBin abuse in the wild (lien direct) |
Faites passer vos compétences survivalistes au niveau supérieur avec cette rupture des binaires de vie d'un ingénieur de détection de canaries rouges
Take your survivalist skills to the next level with this break down of living-off-the-land binaries from a Red Canary detection engineer |
Technical | ★★★★ | |
|
2024-01-16 11:00:00 | Prédictions inhabituelles et stimulantes pour la cybersécurité en 2024 Unusual, thought-provoking predictions for cybersecurity in 2024 (lien direct) |
This is part one of a three-part series written by AT&T Cybersecurity evangelist Theresa Lanowitz. It’s intended to be future-looking and provocative and to encourage discussion. The author wants to assure you that no generative AI was used in any part of this blog. Entering 2024 brings us well into the third decade of the new millennium. Do you recall how tentatively and maybe naively we approached the year 2000, otherwise known as Y2K? We stressed over two bytes in COBOL programs and regression tested every line of code to ensure our systems were ready to go at midnight on January 1, 2000. The clock struck 12, and the world breathed a collective sigh of relief – we survived the predicted digital disaster. And just like that, off we went - to create web, mobile, and cloud apps, to turn embedded software into the Internet of Things (IoT), and to democratize computing in a way that was only a dream just 23 years ago. With massive shifts and changes in computing in the wake, it’s time to ask: where are we going in 2024, and what cybersecurity opportunities and challenges lie ahead? Maturing the industry: It’s the business that matters. Cybersecurity is not about fear, uncertainty, and doubt (FUD). It is about delivering business outcomes such as boarding a plane quicker to mitigate flight delay penalties, heating or cooling my house efficiently to manage energy consumption in various climates, or reducing waste in manufacturing to minimize product recalls. Notice there was no mention of security, data, network, coding, or anything remotely IT-centric or technical in the stated business outcomes above. We must aspire to this when thinking about our businesses and cybersecurity. It must be about the business first, advancing the customer experience, and removing friction. Cybersecurity is now a business requirement. For cybersecurity to be part of business planning, cybersecurity teams need to become members of the business teams. Over the past three years, the cybersecurity market has rapidly matured. We are in the midst of market consolidation, with individual point products being acquired and integrated into platform offerings. These platform offerings will continue to evolve by acquiring smaller vendors, partnering, and innovating. The platform vendors clearly see the need for cybersecurity to be a part of the business conversation and want to act as a business partner and trusted advisor, not merely a product provider. Cybersecurity budgets are changing, creating an approach to get funding differently. This year, our research revealed an unexpected change: money is being redistributed as computing moves closer to the data source. Our respondents reported they are investing in new computing development – in this case, edge computing - in a way that’s different from what we’ve seen in the past. They are proactively investing in strategy and planning, the network, application development, and security to create a balanced, collaborative ecosystem. The big surprise isn’t a new secret weapon or killer application. The surprise is what’s needed: a new way of thinking about resource allocation. You’ll still need your usual hardware, software, storage, and security buckets. How you balance those expenses is what’s different. As computing moves closer to the data source, every deployment should contribute to the b | Tool Mobile Prediction Cloud Technical | ★★★ | |
 |
2024-01-15 11:23:03 | Le rapport ForeScout découvre de nouveaux détails dans le piratage d'énergie danoise Forescout Report Uncovers New Details in Danish Energy Hack (lien direct) |
> Par deeba ahmed
Les attaques, potentiellement liées au ver de sable russe, ont exploité les vulnérabilités dans les pare-feu zyxel.
Ceci est un article de HackRead.com Lire le post original: Le rapport de ForeScout découvre les nouveaux détails dans le piratage de l'énergie danoise
>By Deeba Ahmed The attacks, potentially linked to Russian APT Sandworm, exploited vulnerabilities in Zyxel firewalls. This is a post from HackRead.com Read the original post: Forescout Report Uncovers New Details in Danish Energy Hack |
Hack Vulnerability Industrial Technical | ★★★★ | |
 |
2024-01-15 11:18:00 | Catalogue de la bibliothèque britannique en ligne après une attaque de ransomware British Library Catalogue Back Online After Ransomware Attack (lien direct) |
Le principal catalogue de la bibliothèque britannique sera de retour en ligne le lundi 15 janvier, alors que l'institution poursuit sa reconstruction technique après l'attaque des ransomwares l'année dernière
The main British Library catalogue will be back online on Monday, January 15, as the institution continues its technical rebuild following the ransomware attack last year |
Ransomware Technical | ★★ | |
|
2024-01-14 14:37:00 | Les nouveaux résultats défient l'attribution dans les cyberattaques du secteur de l'énergie du Danemark New Findings Challenge Attribution in Denmark\\'s Energy Sector Cyberattacks (lien direct) |
Les cyberattaques ciblant le secteur de l'énergie au Danemark l'année dernière n'ont peut-être pas eu l'implication du groupe de piratage de ver de sable lié à la Russie, & NBSP; Nouvelles conclusions et NBSP; de ForeScout Show.
Les intrusions, qui & nbsp; ciblaient environ 22 organisations de l'énergie danoise et NBSP; en mai 2023, se sont produites dans deux vagues distinctes, une qui a exploité une faille de sécurité dans le pare-feu zyxel (CVE-2023-28771) et un
The cyber attacks targeting the energy sector in Denmark last year may not have had the involvement of the Russia-linked Sandworm hacking group, new findings from Forescout show. The intrusions, which targeted around 22 Danish energy organizations in May 2023, occurred in two distinct waves, one which exploited a security flaw in Zyxel firewall (CVE-2023-28771) and a |
Industrial Technical | ★★★★ | |
 |
2024-01-13 23:09:46 | 2 petits secrets de scriptrunner.exe 2 little secrets of ScriptRunner.exe (lien direct) |
Scriptrunner.exe est un lolbin connu, mais le projet lolbas ne couvre pas toutes ces fonctionnalités de programme.Timeout Il peut exécuter les processus enfants et les tuer après un certain délai d'attente f.ex.: Scriptrunner.exe -appvscript cmd.exe -appvscriptrunnerParameters -imeout = 5 invocations multiples Il peut exécuter & # 8230; | Technical | ★★★ | |
|
2024-01-12 23:39:35 | Ajout de caractères (s) au traitement de la ligne de commande Adding character(s) to Command Line processing (lien direct) |
Dans mon ancien article sur CerUtil, j'ai mentionné qu'il accepte un certain nombre de caractères Unicode moins connus transmis à sa ligne de commande.PowerShell acceptant un certain nombre de caractères Unicode représentant & # 8220; - & # 8221;Et ses variations sont également un fait très connu.& # 8230; Continuer la lecture &# 8594;
In my old post about certutil I mentioned that it accepts a number of less-known Unicode characters passed to its command line. Powershell accepting a number of Unicode characters representing “-” and its variations is a very well-known fact too. … Continue reading → |
Technical | ★★★★ | |
|
2024-01-11 14:19:03 | Moyen facile de générer une coque inversée Easy way to Generate Reverse Shell (lien direct) |
Dans cet article, nous apprendrons à obtenir un revers en quelques étapes faciles.Habituellement, le problème lorsque les commandes de shell inversé sont de
In this article, we will learn how to get a reverse in a few easy steps. Usually, the problem when reverse shell commands is to |
Technical | ★★★ | |
 |
2024-01-10 23:15:50 | La Chine prétend avoir fissuré la fonction aérienne d'Apple \\ China Claims To Have Cracked Apple\\'s AirDrop Feature (lien direct) |
Une institution chinoise soutenue par l'État aurait élaboré un moyen d'identifier le numéro de téléphone, l'adresse e-mail et le nom des expéditeurs qui partagent du contenu via la fonction de lagramme aérien d'Apple. . Cette décision fait partie des efforts plus larges du gouvernement de Pékin \\ pour éliminer & # 8220; contenu indésirable & # 8221;. Pour ceux qui ne le savent pas, AirDrop est un outil crypté de bout en bout qui permet aux utilisateurs d'envoyer sans fil des photos, des vidéos, des documents, et plus encore aux autres appareils iOS et ordinateurs Mac, ce qui signifie que même Apple ne peut pas décrypter le contenu de laMatériaux que vous transférez. Pendant les transferts, la fonctionnalité ne partage que le nom de l'appareil (qui peut être défini sur n'importe quoi) et ne divulgue pas le numéro de téléphone et l'adresse e-mail associés au téléphone. selon un nouveau bloomberg report , Le Pékin Wangshendongjian, le Pékin de Chine, l'institut d'évaluation judiciaire de Wangshendongjian a développé une méthode pour faire un journal des appareils cryptés d'un iPhone \\ pour identifier les chiffres et les e-mails des expéditeurs qui partagent le contenu Airdrop. «Le cas des informations incorrectes diffusées via« Airdrop »sur les téléphones mobiles a permis les difficultés techniques de la traçabilité anonyme par Airdrop, a amélioré l'efficacité et la précision de la détection de cas, et a empêché la propagation des remarques inappropriées et une mauvaise influence potentielle,"Le Bureau municipal de la justice de Pékin a déclaré dans un | Tool Mobile Technical | ★★★★ | |
|
2024-01-10 17:59:58 | Txone reconnu par TSMC pour la collaboration OT de cybersécurité dans l'industrie des semi-conducteurs TXOne recognized by TSMC for OT cybersecurity collaboration in semiconductor industry (lien direct) |
> Txone Networks, un fournisseur de sécurité des systèmes cyber-physiques (CPS), a été reconnu par TSMC pour sa technique exceptionnelle ...
>TXOne Networks, a provider of cyber-physical systems (CPS) security, has been acknowledged by TSMC for its exceptional technical... |
Industrial Technical | ★★ | |
|
2024-01-10 17:59:41 | Industrial Defender nomme Patrick Miller comme conseiller technique stratégique Industrial Defender appoints Patrick Miller as strategic technical advisor (lien direct) |
> Industrial Defender, un fournisseur de solutions de données et de cybersécurité OT pour les organisations industrielles, annonce la nomination de ...
>Industrial Defender, a provider of OT asset data and cybersecurity solutions for industrial organizations, announces the appointment of... |
Industrial Technical | ★★ | |
|
2024-01-09 10:02:04 | IP criminel et partenaire tenable pour la détection de vulnérabilité rapide Criminal IP and Tenable Partner for Swift Vulnerability Detection (lien direct) |
Le moteur de recherche Cyber Threat Intelligence (CTI) Criminal IP a établi un partenariat technique avec Tenable.En savoir plus sur Criminal IP sur la façon dont ce partenariat peut aider à la vulnérabilité en temps réel et aux analyses de malveillance.[...]
Cyber Threat Intelligence (CTI) search engine Criminal IP has established a technical partnership with Tenable. Learn more from Criminal IP about how this partnership can assist in real-time vulnerability and maliciousness scans. [...] |
Vulnerability Threat Technical | ★★ | |
 |
2024-01-09 00:00:00 | Campagne de spam Pikabot de Water Water Black Basta. Black Basta-Affiliated Water Curupira\\'s Pikabot Spam Campaign (lien direct) |
Pikabot est un chargeur avec des similitudes avec Qakbot qui a été utilisé dans les campagnes de spam pendant la majeure partie de 2023. Notre entrée de blog fournit une analyse technique de ce malware.
Pikabot is a loader with similarities to Qakbot that was used in spam campaigns during most of 2023. Our blog entry provides a technical analysis of this malware. |
Spam Malware Technical | ★★ | |
|
2024-01-08 06:00:19 | ProofPoint reconnu en 2023 Gartner & Reg;Guide du marché pour les solutions de gestion des risques d'initiés Proofpoint Recognized in 2023 Gartner® Market Guide for Insider Risk Management Solutions (lien direct) |
It\'s easy to understand why insider threats are one of the top cybersecurity challenges for security leaders. The shift to remote and hybrid work combined with data growth and cloud adoption has meant it\'s easier than ever for insiders to lose or steal data. Legacy systems simply don\'t provide the visibility into user behavior that\'s needed to detect and prevent insider threats. With so much potential for brand and financial damage, insider threats are now an issue for the C-suite. As a result, businesses are on the lookout for tools that can help them to better manage these threats. To help businesses understand what to look for, Gartner has recently released Market Guide for Insider Risk Management Solutions. In this report, Gartner explores what security and risk leaders should look for in an insider risk management (IRM) solution. It also provides guidance on how to implement a formal IRM program. Let\'s dive into some of its highlights. Must-have capabilities for IRM tools Gartner states that IRM “refers to the use of technical solutions to solve a fundamentally human problem.” And it defines IRM as “a methodology that includes the tools and capabilities to measure, detect and contain undesirable behavior of trusted accounts in the organization.” Gartner identifies three distinct types of users-careless, malicious and compromised. That, we feel, is in line with our view at Proofpoint. And the 2022 Cost of Insider Threats Global Report from Ponemon Institute notes that most insider risks can be attributed to errors and carelessness, followed by malicious and compromised users. In its Market Guide, Gartner identifies the mandatory capabilities of enterprise IRM platforms: Orchestration with other cybersecurity tooling Monitoring of employee activity and assimilating into a behavior-based risk model Dashboarding and alerting of high-risk activity Orchestration and initiation of intervention workflows This is the third consecutive year that Proofpoint is a Representative Vendor in the Market Guide. Proofpoint was an early and established leader in the market for IRM solutions. Our platform: Integrates with a broad ecosystem of cybersecurity tools. Our API-driven architecture means it\'s easy for you to feed alerts into your security tools. That includes security information and event management (SIEM) as well as SOAR and service management platforms, such as Splunk and ServiceNow. That, in turn, helps you gain a complete picture of potential threats. Provides a single lightweight agent with a dual purpose. With Proofpoint, you get the benefit of data loss prevention (DLP) and ITM in a single solution. This helps you protect against data loss and get deep visibility into user activities. With one agent, you can monitor everyday users. That includes low-risk and regular business users, risky users, such as departing employees, privileged users and targeted users. Offers one centralized dashboard. This saves you time and effort by allowing you to monitor users, correlate alerts and triage investigations from one place. You no longer need to waste your time switching between tools. You can quickly see your riskiest users, top alerts and file exfiltration activity in customizable dashboards. Includes tools to organize and streamline tasks. Proofpoint ITM lets you change the status of events with ease, streamline workflows and better collaborate with team members. Plus, you can add tags to help group and organize your alerts and work with more efficiency. DLP and IRM are converging In its latest Market Guide, Gartner says: “Data loss prevention (DLP) and insider risk strategies are increasingly converging into a unified solution. The convergence is driven by the recognition that preventing data loss and managing insider risks are interconnected goals.” A legacy approach relies on tracking data activity. But that approach is no longer sufficient because the modern way of working is more complex. Employees and third parties have access to more data than ever before. And ex | Tool Threat Cloud Technical | ★★★ | |
|
2024-01-05 11:00:00 | Chardeur asyncrat: obscurcissement, DGA, leurres et Govno AsyncRAT loader: Obfuscation, DGAs, decoys and Govno (lien direct) |
Executive summary
AT&T Alien Labs has identified a campaign to deliver AsyncRAT onto unsuspecting victim systems. During at least 11 months, this threat actor has been working on delivering the RAT through an initial JavaScript file, embedded in a phishing page. After more than 300 samples and over 100 domains later, the threat actor is persistent in their intentions.
Key takeaways:
The victims and their companies are carefully selected to broaden the impact of the campaign. Some of the identified targets manage key infrastructure in the US.
The loader uses a fair amount of obfuscation and anti-sandboxing techniques to elude automatic detections.
As part of the obfuscation, the attacker also uses a lot of variable’s names and values, which are randomly generated to harden pivot/detection by strings.
DGA domains are recycled every week and decoy redirections when a VM is identified to avoid analysis by researchers.
The ongoing registration of new and active domains indicates this campaign is still active.
There is an OTX pulse with more information.
Analysis
AsyncRAT is an open-source remote access tool released in 2019 and is still available in Github. As with any remote access tool, it can be leveraged as a Remote Access Trojan (RAT), especially in this case where it is free to access and use. For that reason, it is one of the most commonly used RATs; its characteristic elements include: Keylogging, exfiltration techniques, and/or initial access staging for final payload delivery.
Since it was initially released, this RAT has shown up in several campaigns with numerous alterations due to its open-sourced nature, even used by the APT Earth Berberoka as reported by TrendMicro.
In early September, AT&T Alien Labs observed a spike in phishing emails, targeting specific individuals in certain companies. The gif attachment led to a svg file, which also led to a download of a highly obfuscated JavaScript file, followed by other obfuscated PowerShell scripts and a final execution of an AsyncRAT client. This peculiarity was also reported by some users in X (formerly Twitter), like reecDeep and Igal Lytzki. Certain patterns in the code allowed us to pivot and look for more samples in this campaign, resulting in samples going back to February 2023. The registration of domains and subsequent AsyncRAT samples is still being observed at the time of writing this blog.
Figure1: Number of samples observed by Alien Labs in this campaign.
The modus operandi of the loader involves several stages which are further obfuscated by a Command and Control (C&C) server checking if the victim could be a sandbox prior to deploying the main AsyncRAT payload. In particular, when the C&C server doesn’t rely on the parameters sent, usually after stage 2, or when it is not expecting requests on a particular domain at that time, the C&C redirects to a benign page.
Figure 2. Execution flow.
During the whole campaign, JavaScript files have been delivered to targete |
Malware Tool Threat Technical | ★★ | |
|
2024-01-01 19:30:00 | Nouvelle variante de la commande de recherche DLL Rijacking contourne les protections Windows 10 et 11 New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections (lien direct) |
Les chercheurs en sécurité ont détaillé une nouvelle variante d'une technique de détournement d'ordre de recherche de liens dynamiques (DLL) qui pourrait être utilisée par les acteurs de la menace pour contourner les mécanismes de sécurité et réaliser l'exécution d'un code malveillant sur les systèmes exécutant Microsoft Windows 10 et Windows 11.
L'approche "exploite les exécutables couramment trouvés dans le dossier de fiducie WINSXS et les exploite via la DLL classique
Security researchers have detailed a new variant of a dynamic link library (DLL) search order hijacking technique that could be used by threat actors to bypass security mechanisms and achieve execution of malicious code on systems running Microsoft Windows 10 and Windows 11. The approach "leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL |
Threat Technical | ★★★ | |
|
2024-01-01 17:23:21 | Bitmap Hunting in SPL (lien direct) | L'un des exercices de chasse les plus ennuyeux est de détecter une séquence d'échecs suivis d'un succès.Les attaques de force brute, les attaques de dictionnaires et enfin les attaques par pulvérisation de mot de passe ont tout cela en commun: beaucoup d'échecs, parfois suivis d'un succès.Le & # 8230; Continuer la lecture & # 8594;
One of the most annoying hunting exercises is detecting a sequence of failures followed by a success. Brute-force attacks, dictionary attacks, and finally password spray attacks have all this in common: lots of failures, sometimes followed by a success. The … Continue reading → |
Technical | ★★★★ | |
|
2024-01-01 13:21:53 | 1 Secret peu connu de hdwwiz.exe 1 little known secret of hdwwiz.exe (lien direct) |
Il existe un certain nombre de fichiers .cpl qui peuvent être chargés à l'aide de leurs équivalents exécutables natifs OS F.ex hdwwiz.exe charge hdwwiz.cpl.En tant que tel, nous pouvons copier hdwwiz.exe dans un autre dossier F.Ex.C: \ Tester et charger malveillant hdwwiz.cpl du même & # 8230; Continuer la lecture & # 8594;
There is a number of .cpl files that can be loaded using their OS-native executable equivalents f.ex hdwwiz.exe loads hdwwiz.cpl. As such, we can copy hdwwiz.exe to a different folder f.ex. c:\test and load malicious hdwwiz.cpl from the very same … Continue reading → |
Technical | ★★★ |
To see everything:
