What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-12-15 00:00:00 | Développez votre cloud natif apps la manière durable Develop Your Cloud Native Apps the Sustainable Way (lien direct) |
Le développement d'applications utilisant Cloud Native Technologies change la donne pour les développeurs.Avec une base de code robuste et maintenable, ils sont positionnés pour faire de leur mieux.Découvrez comment Sonar a le plan de jeu Clean Code pour compléter parfaitement vos initiatives natives cloud.
Application development using cloud native technologies is a game changer for developers. With a robust, maintainable codebase, they are positioned to do their best work. Learn how Sonar has the clean code game plan to perfectly complement your cloud native initiatives. |
Cloud | ★★★ | |
 |
2022-12-12 00:00:00 | WatchGuard dévoile l\'appliance Firebox NV5 et le point d\'accès AP332CR pour le travail à distance et les environnements extérieurs (lien direct) | Paris, le 12 décembre 2022 – WatchGuard® Technologies, leader mondial de la cybersécurité unifiée, présente Firebox NV5, une appliance VPN en version tabletop, ainsi que l'AP332CR, un nouveau point d'accès Wi-Fi 6 pour les déploiements en extérieur ou en milieu difficile. Conçus pour subvenir aux besoins des MSP et des utilisateurs finaux dans des lieux de déploiement ciblés, ces deux ajouts à la robuste gamme de produits et de services de sécurité de WatchGuard viennent renforcer la protection pour les entreprises dont les opérations sont distribuées, et ce dans le cadre d'une expérience transparente partout, peu importe où se trouvent les utilisateurs. Associés à WatchGuard Cloud pour obtenir une plateforme simplifiée pour la gestion centralisée de la sécurité, l'appliance NV5 et le point d'accès AP332CR sont faciles à déployer et à configurer avec un reporting simplifié grâce au framework Unified Security Platform® de WatchGuard. " WatchGuard reste concentré sur sa vision d'être le fournisseur de sécurité de choix pour les MSP, en leur offrant des solutions de sécurité qui répondent à un large éventail d'exigences et de besoins côté clients, y compris dans les environnements distants et distribués ", a déclaré Ryan Poutre, Product Manager chez WatchGuard Technologies. " Nous tenons notre promesse d'établir une nouvelle norme en matière de sécurité, grâce à notre technologie, à notre équipe et à l'écosystème florissant des partenaires de WatchGuard. Ensemble, nous continuerons à repousser toujours plus haut l'excellence. " L'expansion continue du robuste portefeuille de sécurité de WatchGuard, tant en ampleur qu'en pertinence, constitue un élément clé de la mission de l'éditeur, qui vise à rendre une sécurité de pointe accessible à toutes les organisations, et cette expansion permet à l'éditeur de simplifier et de faire évoluer chaque aspect de de la mise à disposition et de la gestion de la sécurité. Firebox NV5 : connectivité en périphérie pour les succursales et les applications à distance Solution puissante pour le trafic VPN distribué et sécurisé, l'appliance Firebox NV5 s'accompagne d'une solution de sécurité et de journalisation centralisée pour les administrateurs. Conçue pour prendre en charge les connexions VPN à distance vers une appliance Firebox virtuelle ou physique d'entreprise, la solution NV5 peut rediriger le trafic vers l'appliance de sécurité de l'entreprise grâce aux capacités Branch Office VPN (BOVPN) de WatchGuard afin de fournir le même niveau de protection qu'un appareil installé dans les bureaux de l'entreprise. Avec ses capacités SD-WAN avancées, l'appliance NV5 convient parfaitement aux déploiements dans des applications à distance telles que les kiosques, les distributeurs automatiques et les équipements de bureau. Les principales caractéristiques de l'appliance Firebox NV5 sont les suivantes : Déploiement sans intervention – WatchGuard Cloud offre un outil de déploiement et de configuration " Zero Touch " fourni en standard avec l'appliance Firebox NV5. Le déploiement sans intervention élimine une grande partie du travail nécessaire à la mise en place d'une appliance Firebox sur le réseau, que les équipes informatiques peuvent effectuer sans quitter leur bureau. Le personnel local connecte simplement l'appareil &a | Cloud | ★★★ | |
 |
2022-12-08 13:29:00 | Google Warns of Internet Explorer Zero-Day Vulnerability Exploited by ScarCruft Hackers (lien direct) | An Internet Explorer zero-day vulnerability was actively exploited by a North Korean threat actor to target South Korean users by capitalizing on the recent Itaewon Halloween crowd crush to trick users into downloading malware. The discovery, reported by Google Threat Analysis Group researchers Benoît Sevens and Clément Lecigne, is the latest set of attacks perpetrated by ScarCruft, which is | Vulnerability Threat Cloud | APT 37 | ★★★ |
 |
2022-12-06 19:07:40 | Cloud Threats Memo: Cyber Espionage Exploiting Google Drive for C2 Infrastructure (lien direct) | >Another day, another legitimate cloud service exploited for a cyber espionage campaign… Researchers at ESET recently discovered Dolphin, a previously unreported backdoor used by the North-Korean threat actor APT37 (AKA ScarCruft and Reaper) against selected targets. The backdoor, deployed after the initial compromise using less sophisticated malware, was observed for the first time in early […] | Threat Cloud | APT 37 | ★★★ |
 |
2022-12-01 11:02:51 | North Korea ScarCruft APT used previously undetected Dolphin Backdoor against South Korea (lien direct) | >North Korea-linked ScarCruft group used a previously undocumented backdoor called Dolphin against targets in South Korea. ESET researchers discovered a previously undocumented backdoor called Dolphin that was employed by North Korea-linked ScarCruft group (aka APT37, Reaper, and Group123) in attacks aimed at targets in South Korea. ScarCruft has been active since at least 2012, it made the headlines in early February 2018 when researchers […] | Cloud | APT 37 | ★★ |
|
2022-12-01 00:00:00 | North Korea Hackers Using New "Dolphin" Backdoor to Spy on South Korean Targets (lien direct) | The North Korea-linked ScarCruft group has been attributed to a previously undocumented backdoor called Dolphin that the threat actor has used against targets located in its southern counterpart. "The backdoor [...] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing | Threat Cloud | APT 37 | ★★ |
 |
2022-11-30 14:15:11 | Un groupe de pirates lié à la Corée du Nord vole des fichiers de valeur en s\'appuyant sur Google Drive (lien direct) | Des chercheurs ont analysé une porte dérobée sophistiquée, jusqu'alors inconnue et utilisée par le groupe de pirates ScarCruft. Baptisée Dolphin la porte dérobée dispose d'un large éventail de fonctionnalités d'espionnage. | Cloud | APT 37 | ★★★ |
 |
2022-11-30 13:59:28 | ESET Research : un groupe de pirates lié à la Corée du Nord vole des fichiers de valeur en s\'appuyant sur Google Drive (lien direct) | ESET Research : un groupe de pirates lié à la Corée du Nord vole des fichiers de valeur en s'appuyant sur Google Drive ● Les chercheurs d'ESET ont analysé Dolphin, une porte dérobée jusqu'à présent inconnue, utilisée par le groupe de pirates ScarCruft. ● Dolphin possède de nombreuses fonctionnalités d'espionnage, notamment de surveillance des lecteurs et des appareils portables, d'exfiltration de fichiers d'intérêt, d'enregistrement des frappes de clavier, de capture d'écran et de vol d'identifiants dans les navigateurs. ● Elle est uniquement déployée sur des cibles sélectionnées. Elle parcourt les lecteurs des systèmes compromis à la recherche de fichiers intéressants et les exfiltre vers Google Drive. ● ScarCruft, également connu sous le nom d'APT37 ou Reaper, est un groupe d'espionnage qui opère depuis au moins 2012. Il se concentre principalement sur la Corée du Sud. Les cibles de ScarCruft semblent être liées aux intérêts de la Corée du Nord. ● La porte dérobée est le malware final d'une attaque menée en plusieurs étapes au début de l'année 2021, qui se compose d'une attaque dite de " point d'eau " sur un journal en ligne sud-coréen, l'exploitation d'une vulnérabilité d'Internet Explorer, et une autre porte dérobée de ScarCruft appelée BLUELIGHT. ● Depuis la découverte initiale de Dolphin en avril 2021, les chercheurs d'ESET ont observé de multiples versions et améliorations de cette porte dérobée, dont l'ajout de techniques pour échapper à sa détection. ● La possibilité de modifier les paramètres des comptes Google et Gmail connectés des victimes afin d'en réduire la sécurité est une caractéristique notable des versions antérieures de Dolphin. - Malwares | Malware Cloud | APT 37 | ★★★ |
 |
2022-11-30 10:30:33 | Who\'s swimming in South Korean waters? Meet ScarCruft\'s Dolphin (lien direct) | ESET researchers uncover Dolphin, a sophisticated backdoor extending the arsenal of the ScarCruft APT group | Cloud | APT 37 | ★★★ |
 |
2022-11-22 17:01:40 | Cloud " souverain " : Inria et Hive lancent un défi (lien direct) | Soutenir l'émergence d'un cloud distribué capable de contourner les fournisseurs historiques, Hive et des équipes-projets d'Inria le tentent. | Cloud | ★★★★ | |
|
2022-11-21 04:41:00 | Hermitage Solutions signe un accord de distribution avec JumpCloud (lien direct) | Hermitage Solutions signe un accord de distribution avec JumpCloud , fournisseur d'une plateforme d'annuaire d'entreprise dans le cloud (Open Directory) qui unifie la gestion des périphériques et des identités pour tous les types de ressources informatiques - sur site, dans le cloud et pour Windows, Mac, Linux, iOS. - Business | Cloud | APT 37 | |
|
2022-11-18 23:30:00 | 24 nov. 2022 12:00 - 13:00 Webinaire ACCEDIAN et Hermitage Solutions : Pourquoi utiliser une solution NDR pour couvrir les angles morts des EDR & pare-feux (Firewall) de vos clients ? (lien direct) | Face aux moyens de protection avancés, les attaquants sont devenus de plus en plus innovants avec des techniques d'attaques évoluées telles que le DNS tunnelling, le balisage (beaconing), des typologies d'attaque difficilement identifiables par les pare-feux et EDR de vos clients. Comment donc combler cette faille pour assurer une protection complète de vos clients ? Ce jeudi 24 novembre à 12h, nos experts Yvan Lanzada, responsable commercial pour Hermitage Solutions, et Romain Ollier, (...) - Événements | Cloud | APT 37 | |
|
2022-11-17 17:40:11 | Hermitage Solutions intègre la solution de détection et de réponse réseau (NDR) d\'Accedian à son catalogue (lien direct) | Hermitage Solutions intègre la solution de détection et de réponse réseau (NDR) d'Accedian à son catalogue - Business | Cloud | APT 37 | |
 |
2022-11-16 19:00:00 | Plus intelligent, pas plus difficile: comment hiérarchiser intelligemment le risque de surface d'attaque Smarter, Not Harder: How to Intelligently Prioritize Attack Surface Risk (lien direct) |
Il y a un dicton commun dans la cybersécurité: «Vous ne pouvez pas protéger ce que vous ne savez pas», et cela s'applique parfaitement à la surface d'attaque d'une organisation donnée.
De nombreuses organisations ont des risques cachés tout au long de leur infrastructure informatique et de sécurité étendue.Que le risque soit introduit par la croissance du nuage organique, l'adoption de dispositifs IoT ou par des fusions et acquisitions, le risque caché est dormant.En conséquence, les équipes informatiques et de sécurité n'ont pas toujours une image à jour de l'écosystème étendu qu'ils doivent défendre.Les outils hérités ont souvent des listes statiques de l'inventaire des actifs \\ 'connu
There\'s a common saying in cyber security, “you can\'t protect what you don\'t know,” and this applies perfectly to the attack surface of any given organization. Many organizations have hidden risks throughout their extended IT and security infrastructure. Whether the risk is introduced by organic cloud growth, adoption of IoT devices, or through mergers and acquisitions, the hidden risk lies dormant. As a result, IT and security teams do not always have an up-to-date picture of the extended ecosystem they need to defend. Legacy tools often have static lists of the \'known\' asset inventory |
Tool Cloud | ★★★★ | |
 |
2022-10-18 08:41:18 | The benefits of taking an intent-based approach to detecting Business Email Compromise (lien direct) |  By Abhishek Singh.BEC is a multi-stage attack. Adversaries first identify targets, then they establish rapport with the victim before exploiting them for whatever their end goal is. In the case of BEC, a threat actor can impersonate any employee in the organization to trick targets. A policy that checks for authorized email addresses of the sender can prevent BEC attacks. However, scaling the approach for every employee in a large organization is a challenge. Building an executive profile based on email analysis using a machine learning model and scanning emails against that profile will detect BEC. Data collection for building and training machine learning algorithms can take time, though, opening a window of opportunity for threat actors to exploit. Detection of exploitation techniques such as lookalike domains and any differences in the email addresses in the "From" and "Reply-to" fields can also detect BEC messages. However, the final verdict cannot account for the threat actor's intent. The intent-based approach detects BEC and then classifies it into the type of scam. It catches BEC messages, irrespective of whether a threat actor is impersonating a C-level executive or any employee in an organization. Classification based on the type of scam can help identify which segment of an organization was targeted and which employees were being impersonated by the threat actor. The additional information will further assist in better designing preventive features to stop BEC. Business email compromise (BEC) is one of the most financially damaging online crimes. As per the internet crime 221 report, the total loss in 2021 due to BEC is around 2.4 billion dollars. Since 2013, BEC has resulted in a 43 billion dollars loss. The report defines BEC as a scam targeting businesses (not individuals) working with foreign suppliers and companies regularly performing wire transfer payments. Fraudsters carry out these sophisticated scams to conduct the unauthorized transfer of funds. This introduces the challenge of how to detect and block these campaigns as they continue to compromise organizations successfully. There are a variety of approaches to identifying BEC email messages, such as using policy to allow emails from authorized email addresses, detecting exploitation techniques used by threat actors, building profiles by analysis of emails, and validating against the profile to detect BEC. These approaches have a variety of limitations or shortcomings. Cisco Talos is taking a different approach and using an intent-based model to identify and block BEC messages. Before we get too deep into the intent-based model, take a deeper look at the commonly used approaches to block BEC from the simplistic through machine learning (ML) approaches. Policy-based detection The first place to start is with policy-based detection as it is one of the most common and simplistic approaches to blocking BEC campaigns. Let's start by looking at an example of a BEC email. |
Threat Medical Cloud | Yahoo Uber APT 38 APT 37 APT 29 APT 19 APT 15 APT 10 | |
|
2022-10-11 08:00:00 | Protection des risques numériques mandialiants pour les clients Splunk Enterprise Mandiant Digital Risk Protection for Splunk Enterprise Customers (lien direct) |
Une surface d'attaque d'une organisation \\ est en constante évolution à mesure que les empreintes numériques et l'adoption du cloud se développent, de nouvelles relations commerciales sont conçues et que les employés travaillent de n'importe où.En conséquence, chaque appareil, application, service réseau, fournisseur ou employé peut désormais être une cible pour le compromis initial dans le grand schéma d'une campagne d'acteur de menace.
Pour atténuer les risques, les équipes de sécurité ont besoin d'une visibilité sur la surface d'attaque mondiale et le Web profond et sombre.La visibilité requise comprend l'établissement et la surveillance d'un inventaire complet d'actifs (connu et inconnu), comment leur marque est discutée sur
An organization\'s attack surface is ever-changing as digital footprints and cloud adoption grow, new business relationships are conceived, and employees work from anywhere. As a result, every device, application, network service, supplier, or employee can now be a target for initial compromise in the grand scheme of a threat actor campaign. To mitigate risk, security teams need visibility into the global attack surface and deep and dark web. The required visibility includes establishing and monitoring a complete inventory of assets (known and unknown), how their brand is being discussed on |
Threat Cloud | ★★★ | |
|
2022-10-05 00:00:00 | WatchGuard AuthPoint plus performant en termes de fonctionnalités MFA, de facilité d\\'utilisation et de rentabilité, selon le laboratoire Miercom (lien direct) | Paris, le 19 octobre 2022 - WatchGuard® Technologies, acteur mondial de la cybersécurité unifiée, annonce que sa solution d'authentification multifacteur (MFA) AuthPoint® a obtenu la certification " Performance Verified " du laboratoire de test et certification indépendant, Miercom. En évaluant AuthPoint par rapport à des solutions concurrentes dans une grande diversité de catégories, Miercom a constaté que la solution MFA de WatchGuard offrait une plus grande richesse fonctionnelle à un coût moindre, une configuration et une administration plus aisées, et une meilleure expérience pour l'utilisateur final. " Face à des acteurs de la menace accédant facilement à des milliards d'informations d'identification volées et divulguées en ligne, sans parler de la sophistication croissante des attaques de phishing, l'authentification par mot de passe seule n'est plus une protection adéquate dans l'environnement de sécurité actuel ", déclare Tracy Hillstrom, Vice President of Content Strategy & Experience chez WatchGuard Technologies. " Désormais, avec le passage au travail distant ou hybride notamment, les entreprises sont devenues dépendantes de la MFA pour vérifier l'identité des télétravailleurs où qu'ils se trouvent ". Le laboratoire Miercom a évalué les solutions MFA proposées par WatchGuard, Cisco Duo et Microsoft Azure en fonction de 24 critères différents. L'analyse a montré qu'AuthPoint procurait un ensemble complet de fonctionnalités à un prix abordable (y compris de nombreuses fonctions pour lesquelles ses concurrents facturent des frais supplémentaires), tout en surpassant les deux alternatives en termes de facilité d'utilisation et de fonctionnalités, pour les administrateurs comme pour les utilisateurs finaux. Tout cela représentant un retour sur investissement global incomparable. Miercom a ainsi noté qu'AuthPoint : Procure la plus grande simplicité de configuration et d'utilisation de l'authentification unique (SSO) pour les administrateurs et les utilisateurs. Offre une expérience utilisateur transparente et intuitive, ce qui la rend idéale pour les utilisateurs novices Intègre des fonctionnalités modernes comme l'authentification basée sur les risques, qui offre des capacités d'accès sécurisé encore améliorées par l'utilisation de politiques de risque personnalisables. Est la seule solution parmi celles testées offrant une migration fondée sur l'empreinte dans le Cloud sur toutes les plateformes lors de l'activation (l'approche qui offre le plus haut niveau de sécurité face aux pirates). Offre une valeur ajoutée et un retour sur investissement élevés grâce à la combinaison d'un riche éventail de fonctionnalités, d'un prix d'achat unique abordable et d'une extrême facilité d'utilisation. Dans l'ensemble, Miercom a estimé que WatchGuard AuthPoint " s'est montré compétitivement supérieur dans le provisioning de l'authentification, le déploiement et les tests de sécurité ", notant que " Cisco and Microsoft sont loin d'offrir autant de fonctionnalités, de facilité d'utilisation ou d'interfaces intuitives que WatchGuard ". Cliquer ici pour lire le rapport complet de Miercom (en anglais) et ici pour accéder au rapport de synthèse en français. Cliquer ici pour plus d'informations sur AuthPoint. | Cloud | ★★ | |
 |
2022-09-21 18:36:17 | Sophisticated Hermit Mobile Spyware Heralds Wave of Government Surveillance (lien direct) | At the SecTor 2022 conference in Toronto next month, researchers from Lookout will take a deep dive into Hermit and the shadowy world of mobile surveillance tools used by repressive regimes. | Cloud | APT 37 | |
 |
2022-09-19 13:47:00 | Meeting the “Ministrer” (lien direct) | FortiGuard Labs discovered an unassuming phishing email that attempts to deploy malware. The actions used to execute this strategy are consistent with Konni, a RAT that has been tied to the group APT 37. Read to learn more about this social engineering lure. | Cloud | APT 37 | |
|
2022-09-12 08:00:00 | Déplacer la mission vers l'avant: Mandiant rejoint Google Cloud Moving the Mission Forward: Mandiant Joins Google Cloud (lien direct) |
google \\ 's acquisition of Mandiant est désormais complet , marquant un grand moment pour notre équipe et pour la communauté de sécurité que nous servons.
Dans le cadre de Google Cloud, Mandiant a désormais une capacité beaucoup plus grande pour combler l'écart de sécurité créé parun nombre croissant d'adversaires.Au cours de mes 29 ans en première ligne de la sécurisation des réseaux, j'ai vu des criminels, des États-nations et de mauvais acteurs à faire nuire aux bonnes personnes.En combinant notre expertise et notre intelligence avec l'échelle et les ressources de Google Cloud, nous pouvons faire une grande différence dans la prévention et la lutte contre les cyberattaques, tout en pincement
Google\'s acquisition of Mandiant is now complete, marking a great moment for our team and for the security community we serve. As part of Google Cloud, Mandiant now has a far greater capability to close the security gap created by a growing number of adversaries. In my 29 years on the front lines of securing networks, I have seen criminals, nation states, and plain bad actors bring harm to good people. By combining our expertise and intelligence with the scale and resources of Google Cloud, we can make a far greater difference in preventing and countering cyber attacks, while pinpointing |
Cloud | ★★★ | |
 |
2022-08-30 15:01:00 | Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Authentication, DDoS, Fingerprinting, Iran, North Korea, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
LastPass Hackers Stole Source Code
(published: August 26, 2022)
In August 2022, an unidentified threat actor gained access to portions of the password management giant LastPass development environment. LastPass informed that it happened through a single compromised developer account and the attacker took portions of source code and some proprietary LastPass technical information. The company claims that this incident did not affect customer data or encrypted password vaults.
Analyst Comment: This incident doesn’t seem to have an immediate impact on LastPass users. Still, organizations relying on LastPass should raise the concern in their risk assessment since “white-box hacking” (when source code of the attacking system is known) is easier for threat actors. Organizations providing public-facing software should take maximum measures to block threat actors from their development environment and establish robust and transparent security protocols and practices with all third parties involved in their code development.
Tags: LastPass, Password manager, Data breach, Source code
Mercury Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli
(published: August 25, 2022)
Starting in July 2022, a new campaign by Iran-sponsored group Static Kitten (Mercury, MuddyWater) was detected targeting Israeli organizations. Microsoft researchers detected that this campaign was leveraging exploitation of Log4j 2 vulnerabilities (CVE-2021-45046 and CVE-2021-44228) in SysAid applications (IT management tools). For persistence Static Kitten was dropping webshells, creating local administrator accounts, stealing credentials, and adding their tools in the startup folders and autostart extensibility point (ASEP) registry keys. Overall the group was heavily using various open-source and built-in operating system tools: eHorus remote management software, Ligolo reverse tunneling tool, Mimikatz credential theft tool, PowerShell programs, RemCom remote service, Venom proxy tool, and Windows Management Instrumentation (WMI).
Analyst Comment: Network defenders should monitor for alerts related to web shell threats, suspicious RDP sessions, ASEP registry anomaly, and suspicious account creation. Similarly, SysAid users can monitor for webshells and abnormal processes related to SysAisServer instance. Even though Static Kitten was observed leveraging the Log4Shell vulnerabilities in the past (targeting VMware apps), most of their attacks still start with spearphishing, often from a compromised email account.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Phishing - T1566 | |
Ransomware Hack Tool Vulnerability Threat Guideline Cloud | APT 37 APT 29 LastPass | |
 |
2022-08-29 00:00:00 | Le nouveau certificat de cybersécurité offre aux PME une voie vers une plus grande résilience commerciale et un sauvetage en ligne New cyber security certificate offers SMEs a pathway to greater business resilience and online savviness (lien direct) |
Chair of Cybersecurity in Munster Technological University, Dr. Donna O\'Shea, and Head of School of Informatics & Cybersecurity at TU Dublin, Dr. Anthony Keane contributed to this article in the Independent.ie In recent years, cyber security has emerged as a key issue for businesses in Ireland and across the world. Small enterprises are exposed to the same digital threats as larger businesses, but may lack the resources to defend themselves. It has been estimated that almost half of SMEs that suffer a serious cyber attack can go out of business within months. Enhanced cyber security is a matter of great societal importance, because SMEs operating in myriad industries such as retail, health care and construction are the backbone of the Irish economy. They constitute 99pc of all businesses and account for more than half of EU Gross Domestic Product (GDP). SMEs play a vital role in adding value to all sector of the economy, but they may lack essential skills on how to protect their businesses, which are often heavily dependent on digital systems that are vulnerable to cyber-attacks. The urgency of addressing this skills gap was highlighted by the COVID-19 pandemic, which forced many businesses online, exposing them to a higher risk of cyber attacks with little support available. Irish businesses operating online often possess a low cyber security awareness, have inadequate knowledge of GDPR requirements in the protection of critical and sensitive information, and have a low level of Information and Communications Technology (ICT) skills to protect their business. They can also experience significant budgetary constraints that lead them to view cyber security as a relatively significant cost, rather than an important investment in their business resilience. In addition, many SMEs have direct and indirect business relationships with larger organisations. For this reason, cyber criminals often focus on SMEs as a gateway into the larger organisations, knowing that these smaller businesses\' cyber awareness and defensive structures are typically less robust than those of the criminals\' larger targets. Recently, the National Cyber Security Centre (NCSC) and the Garda National Crime Bureau have written to the Small Firms Association to warn business owners of the ongoing series of ransomware attacks. They have observed a growing trend of small and medium sized enterprises being targeted by cybercrime groups with ransomware malicious software that is designed to block access to a computer system. Another common cyber crime tactic is threatening to leak sensitive stolen data until a sum of money is paid. The NCSC said it has noticed a change in tactics whereby hackers are now turning their attention away from big business and Government departments, towards smaller businesses. Providing businesses with cyber skills Professor Donna O\'Shea is Chair of Cybersecurity in Munster Technological University and currently leads a Higher Education Authority (HEA) Human Capital Initiative (HCI) project called CYBER-SKILLS: a nationally funded project in collaboration with University of Limerick, Technological University (TU) Dublin, and Commonwealth Cyber Initiative, Virginia Tech U.S. This ground-breaking initiative aims to address the cybersecurity skills challenge in Irish SMEs. Prof. O\'Shea says, “Growing up, my family owned an electrical retail store, so I really understood the challenges that small businesses face, their limitations in terms of time and how cost can sometimes be a barrier. When designing the course Certificate in Cybersecurity for Business for CYBER-SKILLS, we really wanted a pathway to be open to everyone and we wanted to reduce the barriers to participating in the course, by reducing the cost, making it flexible in delivery, focusing on applied skills and providing the essential necessary knowledge and skills to protect small businesses everywhere against cyber attacks.” Irish professionals and businesses have expressed a growing interest in cybersecurity courses and careers, as borne out by the recen | Ransomware Data Breach Malware Patching Prediction Cloud | ★★ | |
 |
2022-08-25 01:00:31 | Kimsuky\'s GoldDragon cluster and its C2 operations (lien direct) | Kimsuky (also known as Thallium, Black Banshee and Velvet Chollima) is a prolific and active threat actor primarily targeting Korea-related entities. In early 2022, we observed this group was attacking the media and a think-tank in South Korea. | Threat Cloud | APT 37 | |
|
2022-08-18 08:00:00 | Ukraine and the fragility of agriculture security (lien direct) |  By Joe Marshall.The war in Ukraine has had far-reaching global implications and one of the most immediate effects felt will be on the global supply chain for food. This war-induced fragility has exposed the weaknesses of how we feed ourselves globally. Ransomware cartels and other adversaries are well aware of this and are actively exploiting that fragility. For the past six years, Cisco Talos has been actively involved in assisting public and private institutions in Ukraine to defend themselves against state-sponsored actors. Our involvement stretches the gamut from commercial to critical infrastructure, to election security. Our presence has afforded us unique opportunities and observations about cybersecurity in a macro and micro way. Ukraine has been a frequent victim of state-sponsored cyber attacks aimed at critical infrastructures like power and transportation. Talos is proud to stand with our partners in Ukraine and help defend their critical networks and help users there maintain access to necessary services. Now that Russia has invaded Ukraine, those threats have escalated to kinetic attacks that are wreaking havoc on a critical element of our world: agriculture and our global food supply chain. Even worse is the implications this war will have for future cyber attacks, as fragility is considered a lucrative element in deciding victimology by threat actors like ransomware cartels. To truly grasp the implications of the war in Ukraine, we have to examine how vital Ukrainian agriculture feeds the world, the current state of affairs, and what this means for the global cybersecurity posture to protect agricultural assets. Where there is weakness, there is opportunityRansomware cartels and their affiliates are actively targeting the agricultural industry. Moreover, these actors have done their homework and are targeting agricultural companies during the two times of the year where they cannot suffer disruptions: planting and harvesting. Per the published FBI PIN Alert: “Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production.” This is far from unusual for these adversaries - they are shrewd and calculating, and understand their victims' weaknesses and industries. H |
Ransomware Threat Guideline Cloud | NotPetya Uber APT 37 APT 32 APT 28 APT 10 APT 21 Guam | |
 |
2022-08-06 10:46:21 | CISO workshop slides (lien direct) | A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142): | Malware Vulnerability Threat Patching Guideline Medical Cloud | Uber APT 38 APT 37 APT 28 APT 19 APT 15 APT 10 APT 34 Guam | |
|
2022-08-02 15:17:00 | Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyber mercenaries, Phishing, Rootkits, Spyware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”
(published: July 28, 2022)
Volexity researchers discovered SharpExt, a new malicious browser app used by the North-Korea sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the app, the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter almost exclusively used in South Korea. Following the initial compromise, Velvet Chollima deploy SharpExt and to avoid warning the victim they manually exfiltrate settings files to change the settings and generate a valid "super_mac" security check value. They also hide the newly opened DevTools window and any other warning windows such as a warning regarding extensions running in developer mode.
Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it was concentrating on stealing credentials instead of emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match).
MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Hide Artifacts - T1564
Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension
Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits
(published: July 27, 2022)
Microsoft researchers detail activity of DSIRF, Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF was exploiting another Adobe Reader vulnerability, CVE-2022-22047, which was patched in July 2022. DSIRF attacks rely on their malware toolset called Subzero. The initial downloader shellcode is executed from either the exploit chains or malicious Excel documents. It downloads a JPG image file with extra encrypted data, extracts, decrypts and loads to the memory the Corelump memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se |
Malware Tool Vulnerability Threat Patching Guideline Cloud | APT 37 APT 28 | |
 |
2022-07-28 00:00:00 | 2022 semble être sur la cible de l'année la plus basse des violations signalées par les grandes sociétés américaines dans les six premiers mois de 2022, les grandes sociétés américaines [de revenus> 2 milliards] ont déclaré le moins de violations de données au cours des cinq dernières années. 2022 seems to be on target for the lowest year of reported breaches by large US corporationsIn the first six months of 2022, large [Revenue >2bn] US corporations reported the fewest data breaches in the past five years.Read More (lien direct) |
âThe number of data breaches reported in the first 6 months of 2022 has put this year on track to be the lowest year of reports in the last 5 years for large [Revenue >2bn] US corporations. By looking at the rate at which data breach events have been reported so far this year, we predict that the number of events reported is expected to be15-20% of the number of breaches reported in 2021âPossible causes:Increased reporting delays: But the time to report has shown a decreasing trend over the last 4 yearsGenuine improvement in cyber defenses preventing data exfiltration Reduction in reporting requirements, or public disclosure preventionIn this analysis we look at all the reported cyber events which involve data exfiltration (data breach), allocated to the year in which the event started. Comparing the number of events reported at each point during the year then gives us an indication for the rate which can be compared between years.The data and populationThe data collected represents public reports of data breaches from US companies with an annual revenue above $2bn (Excluding public services).The data used includes breach events reported up to end of Q2 2022It is this area where the cyber reporting requirements are highest, there is a high level of data available. It is important to note that this will not be all events which occur, only those disclosed, but by looking for changes in the behavior we can look at the potential causes.Overall Breach CountAs of the end of Q2 2022, we have seen 18 breach reports of events occurring in 2022 compared to the 160 cyber events reported from 2021, and 292 from 2020. While we are only 50% through 2022, the number of events reported so far from the first half is 25% of the 2021 total reported at the same point through 2021. To fully compare 2022 against prior years we need to take into account a number of factors:Events not yet reported: some events have occurred but have not yet been reported either because they have not yet been discovered, or because the have been discovered but not publicly disclosedEvents not yet occurred: events which have yet to occur, in the second half of 2022 (and have not yet been reported)âââHow the year unfoldsTo explore how 2022 is emerging, we can look at the rate at which events are being reported. That is to show not just the total report to date, but how the total number of events reported in a year has emerged from the start of the year. To do this we plot the cumulative number of events reported vs the number of days from the start of each incident year.What we see is an indication of how many incidents have been reported from each year have been reported after the same number of days. A steep curve indicates a greater number of incidents reported per month.** Note that the event counts are lower because we do not have exact disclosure dates for all events.ââFrom the chart we can see that the number of reported cyber incidents after 6 months (180 days) of experience is low for 2022 compared with all other years since 2015. This leads us to believe that 2022 is on track to have a very low number of overall incidents reported.There could be a few explanations for thisReporting Delay: The time taken to report incidents has increased in 2022, and there will be a correction in the later part of the yearCybersecurity Investment: The overall number of incidents reported will be lower due to improvements in security postureRegulatory Action: the overall number of incidents reported will be lower due to changes in how the events are reported (or required to be reported)âReporting DelayTo consider if the low reported number of events in 2022 is being driven by an increase in a delay between a cyber event starting and it being reported, we have looked at the trend over the last 10 yearsThe chart below shows the trend over the last 10 years.âââThere has been a steady reduction in median reporting delay from 204 days in 2017 to 63 days | Data Breach Prediction Cloud | ★★★ | |
|
2022-07-24 13:53:53 | Is APT28 behind the STIFF#BIZON attacks attributed to North Korea-linked APT37? (lien direct) | >North Korea-linked APT37 group targets high-value organizations in the Czech Republic, Poland, and other countries. Researchers from the Securonix Threat Research (STR) team have uncovered a new attack campaign, tracked as STIFF#BIZON, targeting high-value organizations in multiple countries, including Czech Republic, and Poland. The researchers attribute this campaign to the North Korea-linked APT37 group, aka […] | Threat Cloud | APT 37 APT 28 | |
 |
2022-07-23 12:08:04 | North Korean hackers attack EU targets with Konni RAT malware (lien direct) | Threat analysts have uncovered a new campaign attributed to APT37, a North Korean group of hackers, targeting high-value organizations in the Czech Republic, Poland, and other European countries. [...] | Malware Threat Cloud | APT 37 | |
|
2022-07-09 16:53:07 | Apple Lockdown Mode will protect users against highly targeted cyberattacks (lien direct) | >Apple plans to introduce a security feature, called Lockdown Mode, to protect its users against “highly targeted cyberattacks.” The recent wave of sophisticated attacks against Apple users (i.e. Pegasus, DevilsTongue, and Hermit) urged the tech giant to develop a new security feature, called Lockdown Mode, to protect its users against highly targeted cyberattacks. The new feature will be implemented in iOS 16, iPadOS […] | Cloud | APT 37 | |
 |
2022-06-29 10:03:54 | Hermit spyware is deployed with the help of a victim\'s ISP (lien direct) | A new commercial spyware for governments, called Hermit, has spotted in the wild. It affects iOS and all Android versions. | Cloud | APT 37 | |
 |
2022-06-24 15:00:00 | What is iOS Hermit spyware? (lien direct) | >iOS Hermit spyware is a commercial-grade surveillance tool derived from a known Android surveillance tool. Learn more + how to stay safe. | Tool Cloud | APT 37 | |
 |
2022-06-24 12:37:15 | Google details commercial spyware that targets both Android and iOS devices (lien direct) | Hermit highlights a wider issue concerning our privacy and freedom. | Cloud | APT 37 | |
|
2022-06-24 03:40:50 | Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware (lien direct) | A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices. Additionally, necessary changes have been implemented in Google Play Protect - Android's built-in malware defense service - to protect all users, Benoit Sevens and Clement Lecigne of Google Threat | Malware Cloud | APT 37 | |
 |
2022-06-21 08:58:07 | Lookout Discovers Android Spyware Deployed in Kazakhstan (lien direct) | Lookout has announced the discovery of an enterprise-grade Android surveillanceware currently used by the government of Kazakhstan within its borders. Lookout researchers also found evidence of deployment of the spyware – which Lookout researchers have named “Hermit” – in Italy and in northeastern Syria. Hermit is likely developed by Italian spyware vendor RCS Lab S.p.A. […] | Cloud | APT 37 | |
|
2022-06-17 20:00:33 | Experts link Hermit spyware to Italian surveillance firm RCS Lab and a front company (lien direct) | >Experts uncovered an enterprise-grade surveillance malware dubbed Hermit used to target individuals in Kazakhstan, Syria, and Italy since 2019. Lookout Threat Lab researchers uncovered enterprise-grade Android surveillance spyware, named Hermit, used by the government of Kazakhstan to track individuals within the country. The latest samples of this spyware were detected by the researchers in April 2022, four […] | Malware Threat Cloud | APT 37 | |
|
2022-06-17 06:12:54 | Researchers Uncover \'Hermit\' Android Spyware Used in Kazakhstan, Syria, and Italy (lien direct) | An enterprise-grade surveillanceware dubbed Hermit has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed. Lookout attributed the spy software, which is equipped to target both Android and iOS, to an Italian company named RCS Lab S.p.A and Tykelab Srl, a telecom services provider which it suspects to be a front | Cloud | APT 37 | |
|
2022-06-16 12:45:37 | Lookout découvre un logiciel espion Android déployé au Kazakhstan (lien direct) | Lookout annonce la découverte d'un logiciel de surveillance Android de niveau enterprise actuellement utilisé par le gouvernement du Kazakhstan à l'intérieur de ses frontières. Les chercheurs de Lookout ont également trouvé des preuves du déploiement du logiciel espion - que les chercheurs de Lookout ont nommé " Hermit " - en Italie et dans le nord-est de la Syrie. Hermit est probablement développé par le vendeur italien de logiciels espions RCS Lab S.p.A. et Tykelab Srl, une société de solutions de (...) - Malwares | Cloud | APT 37 | |
|
2022-05-04 09:00:00 | Anciennes services, nouvelles astuces: abus de métadonnées du cloud par UNC2903 Old Services, New Tricks: Cloud Metadata Abuse by UNC2903 (lien direct) |
Depuis juillet 2021, Mandiant a identifié l'exploitation des applications Web accessibles au public par UNC2903 pour récolter et abuser des informations d'identification à l'aide du service d'instance d'Amazon \\ (IMD).Mandiant Tracked Access Tumps by UNC2903 pour accéder à des seaux S3 et des ressources cloud supplémentaires à l'aide des informations d'identification volées.Cet article de blog couvre comment UNC2903 a effectué l'exploitation et les abus IMD, ainsi que les meilleures pratiques connexes sur les techniques de durcissement du cloud.
Bien que les environnements de services Web Amazon Web ciblés UNC2903 (AWS), de nombreuses autres plates-formes cloud proposent des services de métadonnées similaires qui pourraient être à risque de
Since July 2021, Mandiant identified exploitation of public-facing web applications by UNC2903 to harvest and abuse credentials using Amazon\'s Instance Metadata Service (IMDS). Mandiant tracked access attempts by UNC2903 to access S3 buckets and additional cloud resources using the stolen credentials. This blog post covers how UNC2903 performed exploitation and IMDS abuse, as well as related best practices on cloud hardening techniques. Although UNC2903 targeted Amazon Web Services (AWS) environments, many other cloud platforms offer similar metadata services that could be at risk of |
Cloud | ★★★ | |
|
2022-05-03 16:31:00 | Anomali Cyber Watch: Time-to-Ransom Under Four Hours, Mustang Panda Spies on Russia, Ricochet Chollima Sends Goldbackdoor to Journalists, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, LNK files, Malspam, North Korea, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity
(published: April 28, 2022)
ESET researchers found three different teams under China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019. Infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog’s infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs).
Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Inter-Process Communication - T1559 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Process Injection - T1055 | |
Ransomware Malware Tool Vulnerability Threat Guideline Cloud | APT 37 APT 10 APT 10 | |
 |
2022-04-28 17:15:39 | CVE-2022-29413 (lien direct) | Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in Mufeng's Hermit ????? plugin | Guideline Cloud | APT 37 | |
|
2022-04-28 17:15:39 | CVE-2022-29412 (lien direct) | Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Hermit ????? plugin | Cloud | APT 37 | |
|
2022-04-28 17:15:39 | CVE-2022-29411 (lien direct) | SQL Injection (SQLi) vulnerability in Mufeng's Hermit ????? plugin | Vulnerability Cloud | APT 37 | |
|
2022-04-28 17:15:38 | CVE-2022-29410 (lien direct) | Authenticated SQL Injection (SQLi) vulnerability in Mufeng's Hermit ????? plugin | Vulnerability Cloud | APT 37 | |
 |
2022-04-26 11:38:17 | Nation-state Hackers Target Journalists with Goldbackdoor Malware (lien direct) | A campaign by APT37 used a sophisticated malware to steal information about sources , which appears to be a successor to Bluelight. | Malware Cloud | APT 37 | |
|
2022-04-26 10:13:51 | North Korea targets journalists with novel malware (lien direct) | State sponsored hackers operating out of North Korea have been targeting journalists with a novel malware strain, it has been revealed. The group, known as APT37, distribute the malware through a phishing attack originally discovered by NK news, a US news site specialising in covering news and providing research and analysis about North Korea, using […] | Malware Cloud | APT 37 | |
|
2022-04-26 08:25:03 | North Korea-linked APT37 targets journalists with GOLDBACKDOOR (lien direct) | North Korea-linked APT37 group is targeting journalists that focus on DPRK with a new piece of malware. North Korea-linked APT37 group (aka Ricochet Chollima) has been spotted targeting journalists focusing on DPRK with a new piece of malware. The campaign was discovered by journalists at NK News, an American news site that focuses on North […] | Cloud | APT 37 | |
|
2022-04-26 02:53:07 | North Korean Hackers Target Journalists with GOLDBACKDOOR Malware (lien direct) | A state-backed threat actor with ties to the Democratic People's Republic of Korea (DRPK) has been attributed to a spear-phishing campaign targeting journalists covering the country with the ultimate goal of deploying a backdoor on infected Windows systems. The intrusions, said to be the work of Ricochet Chollima, resulted in the deployment of a novel malware strain called GOLDBACKDOOR, an | Malware Threat Cloud | APT 37 | |
 |
2022-03-22 16:12:11 | Storm Cloud à l'horizon: Gimmick malware frappe à MacOS Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS (lien direct) |
> Fin 2021, Volexity a découvert une intrusion dans un environnement surveillé dans le cadre de son service de surveillance de la sécurité du réseau.La volexité a détecté un système exécutant FRP, autrement connu sous le nom de proxy inverse rapide, et a ensuite détecté le balayage de port interne peu de temps après.Ce trafic a été déterminé comme non autorisé et le système, un MacBook Pro exécutant MacOS 11.6 (Big Sur), a été isolé pour une analyse médico-légale supplémentaire.Volexity a pu exécuter la surtension Collect pour acquérir la mémoire du système (RAM) et sélectionner les fichiers d'intérêt dans la machine pour l'analyse.Cela a conduit à la découverte d'une variante macOS d'un gadget d'appels de volexité d'implant de logiciels malveillants.La volexité a rencontré des versions Windows de la famille des logiciels malveillants à plusieurs reprises.Gimmick est utilisé dans les attaques ciblées de Storm Cloud, un acteur de menace d'espionnage chinois connue pour attaquer les organisations à travers l'Asie.Il s'agit d'une famille de logiciels malveillants multiplateforme riche en fonctionnalités qui utilise des services d'hébergement de cloud public (tels que Google [& # 8230;]
>In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis. Volexity was able to run Surge Collect to acquire system memory (RAM) and select files of interest from the machine for analysis. This led to the discovery of a macOS variant of a malware implant Volexity calls GIMMICK. Volexity has encountered Windows versions of the malware family on several previous occasions. GIMMICK is used in targeted attacks by Storm Cloud, a Chinese espionage threat actor known to attack organizations across Asia. It is a feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google […] |
Malware Threat Cloud | ★★★ | |
|
2022-03-16 00:00:00 | Cybersécurité - la valeur et le besoin de formation pratique Cyber Security -The Value and Need for Practical Training (lien direct) |
Whenever we are trying to master a new skill, we have all heard about the importance of practise. The associated attention, rehearsal and repetition leads to the acquisition of new knowledge or skills that can later be developed into more complex skillsets. This sentiment has been seen throughout history, where some of the world\'s most masterful people have shared a similar philosophy that is still true today: Bruce Lee - “Practice makes perfect. After a long time of practising, our work will become natural, skillfull, swift and steady” Abraham Lincoln - “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” Japanese Proverb – “Tomorrow\'s battle is won during todays practice” Vincent Van Gough – “As practise makes perfect, I cannot but make progress, each drawing one makes, each study one paints is a step forward” Marshawn Lynch - “When you get to practice against the best, it brings the best out of you.” Martha Graham – “Practice means to perform, over and over again in the face of all obstacles, some act of vision, of faith, of desire. Practice is a means of inviting the perfection desired” Unknown - “Don\'t practise until you get it right, practice until you can\'t get it wrong” Others might disagree slightly: Vince Lombardi – “Practise does not make perfect. Only perfect practise makes perfect” So, the message is clear, to master a skill, we need to practise but we need to practise against the best and in the best most realistic possible environment. In terms of cybersecurity, as the cyber threat environment grows more intense, cyber defence groups require more and more skilled professionals to help with the onslaught of cyberattacks. However, they are finding it increasingly difficult to recruit and hire trained security professionals as having a degree in cybersecurity is usually not enough to give an individual the skills required for mitigating sophisticated attacks. For Cyber Security professionals, the required practise involves realistic breach scenarios or cyberattacks. These breaches or cyberattacks are any attempt to gain unauthorized access to a computer, computing system or computer network with the intent to cause damage. The aim to disable, disrupt, destroy or control computer systems or to alter, block, delete, manipulate or steal the data held within these systems. Day-to-day work in cybersecurity offers few opportunities for such training on the job, resulting in the required practise being an extremely difficult thing to achieve. When you think about it, cyberattacks are seemingly in the news every day, which seems to contradict my previous statement. However, the results of a cyberattack can range from causing inconvenience to dire consequences. A cyberattack on critical infrastructure and/or healthcare sectors don\'t just affect data or computer systems, they can wreak havoc in the physical world. This was seen all too well in Ireland in the not so distant past. So, cyberattacks are prevalent but the consequences mean we aim to prevent as many breaches as possible and reduce the impact, contain and eradicate any attack that exploits a system. There lies the problem, cyber security professionals require realistic breach scenarios and cyberattacks to train and become sufficiently skilled but cyber professionals are consistently working hard to prevent such attacks in the real-world. So the question is, “how do we train cyber security professionals to deal with the challenging ever-changing cyber environment?”. The answer is a Cyber Range! A Cyber Range provides a secure, sandboxed virtual interactive training environment that can simulate real-world feel scenarios and environments, including complex IT environments and attacks on IT infrastructure, networks, software platforms and applications. As a result, a cyber range infrastructure provides the required training and practise elements of realistic breach scenarios and cyberattacks. A Cyber Range enables students to practice newly acquire | Tool Threat Studies Mobile Industrial Medical Cloud | ★★ |
To see everything:
Our RSS (filtrered)
