SEC News

What's new arround internet

Last one

Src	Date (GMT)	Titre	Description	Tags	Stories	Notes
	2024-04-25 10:00:00	Pole Voûte: cyber-menaces aux élections mondiales Poll Vaulting: Cyber Threats to Global Elections (lien direct)	Written by: Kelli Vanderlee, Jamie Collier Executive Summary The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts. When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure. Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google\'s Advanced Protection Program to protect high-risk accounts. Introduction The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture. The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence.	Ransomware Malware Hack Tool Vulnerability Threat Legislation Cloud Technical	APT 40 APT 29 APT 28 APT 43 APT 31 APT 42	★★★
	2024-03-22 11:00:00	APT29 utilise Wineloader pour cibler les partis politiques allemands APT29 Uses WINELOADER to Target German Political Parties (lien direct)	Résumé exécutif fin février, l'APT29 a utilisé une nouvelle variante de porte dérobée suivie publiquement comme wineloader pour cibler les fêtes politiques allemandes avecun leurre sur le thème de la CDU. & nbsp; & nbsp; C'est la première fois que nous voyons ce cluster APT29 cible des partis politiques, indiquant une zone émergente émergenteFocus opérationnel au-delà du ciblage typique des missions diplomatiques. basée sur la responsabilité du SVR \\ de collecter l'intelligence politique et cette cluster APT29 \\ 'sModèles de ciblage historiques, nous jugeons cette activité pour présenter une large menace pour les partis politiques européens et autres occidentaux de tous les politiques Executive SummaryIn late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions.Based on the SVR\'s responsibility to collect political intelligence and this APT29 cluster\'s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political	Threat	APT 29	★★
	2024-03-22 00:00:00	APT29 Uses WINELOADER to Target German Political Parties (lien direct)	Written by: Luke Jenkins, Dan Black Executive Summary In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. Based on the SVR\'s responsibility to collect political intelligence and this APT29 cluster\'s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum. Please see the Technical Annex for technical details and MITRE ATT&CK techniques, (T1543.003, T1012, T1082, T1134, T1057, T1007, T1027, T1070.004, T1055.003 and T1083) Threat Detail In late February 2024, Mandiant identified APT29 - a Russian Federation backed threat group linked by multiple governments to Russia\'s Foreign Intelligence Service (SVR) - conducting a phishing campaign targeting German political parties. Consistent with APT29 operations extending back to 2021, this operation leveraged APT29\'s mainstay first-stage payload ROOTSAW (aka EnvyScout) to deliver a new backdoor variant publicly tracked as WINELOADER. Notably, this activity represents a departure from this APT29 initial access cluster\'s typical remit of targeting governments, foreign embassies, and other diplomatic missions, and is the first time Mandiant has seen an operational interest in political parties from this APT29 subcluster. Additionally, while APT29 has previously used lure documents bearing the logo of German government organizations, this is the first instance where we have seen the group use German-language lure content - a possible artifact of the targeting differences (i.e. domestic vs. foreign) between the two operations. Phishing emails were sent to victims purporting to be an invite to a dinner reception on 01 March bearing a logo from the Christian Democratic Union (CDU), a major political party in Germany (see Figure 1). The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website “https://waterforvoiceless[.]org/invite.php”. ROOTSAW delivered a second-stage CDU-themed lure document and a next stage WINELOADER payload retrieved from “waterforvoiceless[.]org/util.php”. WINELOADER was first observed in operational use in late January 2024 in an operation targeting likely diplomatic entities in Czechia, Germany, India, Italy, Latvia, and Peru. The backdoor contains several features and functions that overlap with several known APT29 malware families including BURNTBATTER, MUSKYBEAT and BEATDROP, indicating they are likely created by a common developer (see Technical Annex for additional details).	Malware Threat Cloud Technical	APT 29	★★★
	2022-05-02 09:30:00	UNC3524: Eye Spy sur votre e-mail UNC3524: Eye Spy on Your Email (lien direct)	Mise à jour (novembre 2022): Nous avons fusionné UNC3524 avec APT29. L'activité UNC3524 décrite dans ce post est désormais attribuée à APT29. Depuis décembre 2019, Mandiant a observé que les acteurs avancés des menaces augmentent leur investissement dans des outils pour faciliter la collecte de courriels en vrac dans les environnements de victime, en particulier en ce qui concerne leur soutien aux objectifs d'espionnage présumés.Les e-mails et leurs pièces jointes offrent une riche source d'informations sur une organisation, stockée dans un emplacement centralisé pour les acteurs de menace à collecter.La plupart des systèmes de messagerie, qu'ils soient sur site ou dans le cloud, offrent UPDATE (November 2022): We have merged UNC3524 with APT29. The UNC3524 activity described in this post is now attributed to APT29. Since December 2019, Mandiant has observed advanced threat actors increase their investment in tools to facilitate bulk email collection from victim environments, especially as it relates to their support of suspected espionage objectives. Email messages and their attachments offer a rich source of information about an organization, stored in a centralized location for threat actors to collect. Most email systems, whether on-premises or in the cloud, offer	Tool Threat	APT 29	★★
	2021-12-06 10:00:00	Activité russe présumée ciblant le gouvernement et les entités commerciales du monde entier Suspected Russian Activity Targeting Government and Business Entities Around the Globe (lien direct)	Mise à jour (mai 2022): Nous avons fusionné unc2452 avec apt29 .L'activité UNC2452 décrite dans ce post est désormais attribuée à APT29. comme anniversaire d'un an de la découverte du Chaîne d'approvisionnement Solarwinds Passe de compromis, mandiant reste engagé à être engagé à être engagé à être engagé à engagerSuivre l'un des acteurs les plus difficiles que nous ayons rencontrés.Ces acteurs russes présumés pratiquent la sécurité opérationnelle de premier ordre et les métiers avancés.Cependant, ils sont faillibles et nous continuons à découvrir leur activité et à apprendre de leurs erreurs.En fin de compte, ils restent une menace adaptable et évolutive qui doit être étroitement étudiée par UPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post is now attributed to APT29. As the one-year anniversary of the discovery of the SolarWinds supply chain compromise passes, Mandiant remains committed to tracking one of the toughest actors we have encountered. These suspected Russian actors practice top-notch operational security and advanced tradecraft. However, they are fallible, and we continue to uncover their activity and learn from their mistakes. Ultimately, they remain an adaptable and evolving threat that must be closely studied by	Threat	Solardwinds APT 29	★★★
	2021-01-19 14:00:00	Les stratégies de remédiation et de durcissement pour Microsoft 365 pour se défendre contre UNC2452 \|Blog Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 \| Blog (lien direct)	Mise à jour (mai 2022): Nous avons fusionné unc2452 avec apt29 .L'activité UNC2452 décrite dans ce post et ce rapport est désormais attribuée à APT29. Mise à jour (28 octobre 2021): Mandiant a récemment observé des acteurs de menace ciblés utilisant l'identité EWS (via le rôle de l'impression d'application) pour maintenir un accès persistant aux boîtes aux lettres dans les environnements victimes.Une fois que l'acteur de menace a accès à ce rôle, ses abus sont difficiles à détecter et fournissent le contrôle de l'acteur de menace sur chaque boîte aux lettres d'un locataire victime.Mandiant a également observé des acteurs de menace ciblés abusant de la relation de confiance entre le cloud UPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post and report is now attributed to APT29. UPDATE (Oct. 28, 2021): Mandiant has recently observed targeted threat actors using EWS impersonation (via the ApplicationImpersonation role) to maintain persistent access to mailboxes in victim environments. Once the threat actor has access to this role, its abuse is hard to detect and provides the threat actor control over every mailbox in a victim tenant. Mandiant has also observed targeted threat actors abusing the trust relationship between Cloud	Threat	APT 29	★★★★

Last update at: 2024-06-30 20:07:34
See our sources.

To see everything: Our RSS (filtrered)