What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-01-23 09:44:13 | Microsoft plans to kill malware delivery via Excel XLL add-ins (lien direct) | Microsoft is working on adding XLL add-in protection for Microsoft 365 customers by including automated blocking of all such files downloaded from the Internet. [...] | Malware | ★★ | |
 |
2023-01-23 09:20:59 | Attackers Exploit Fortinet Zero-Day CVE-2022-42475 with BoldMove Malware (lien direct) | >Researchers have discovered a sophisticated new BoldMove malware created specifically to operate on Fortinet’s FortiGate firewalls after collecting data... | Malware | ★★★ | |
 |
2023-01-23 07:15:10 | CVE-2023-24068 (lien direct) | Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to modify conversation attachments within the attachments.noindex directory. Client mechanisms fail to validate modifications of existing cached files, resulting in an attacker's ability to insert malicious code into pre-existing attachments or replace them completely. A threat actor can forward the existing attachment in the corresponding conversation to external groups, and the name and size of the file will not change, allowing the malware to masquerade as another file. | Malware Threat | ||
 |
2023-01-22 00:56:23 | Excelling at Excel, Part 3 (lien direct) | One of the most common use cases we come across during our malware analysis exercises is a ROI-driven comparison of features between many samples of the same malware family. Yes, […] | Malware | ★★★★★ | |
|
2023-01-21 11:15:30 | (Déjà vu) Hackers now use Microsoft OneNote attachments to spread malware (lien direct) | Threat actors now use OneNote attachments in phishing emails that infect victims with remote access malware which can be used to install further malware, steal passwords, or even cryptocurrency wallets. [...] | Malware Threat | ★★★★★ | |
|
2023-01-21 11:15:30 | Beware: Hackers now use OneNote attachments to spread malware (lien direct) | Threat actors now use OneNote attachments in phishing emails that infect victims with remote access malware which can be used to install further malware, steal passwords, or even cryptocurrency wallets. [...] | Malware Threat | ★ | |
 |
2023-01-21 01:58:26 | DDE Command Execution malware samples (lien direct) |  Here are a few samples related to the recent DDE Command executionReading:10/18/2017 InQuest/yara-rules 10/18/2017 https://twitter.com/i/moments/918126999738175489 10/18/2017 Inquest: Microsoft Office DDE Macro-less Command Execution Vulnerability10/18/2017 Inquest: Microsoft Office DDE Vortex Ransomware Targeting Poland10/16/2017 https://twitter.com/noottrak/status/91997508182826188810/14/2017 Inquest: Microsoft Office DDE Freddie Mac Targeted Lure 10/14/2017 Inquest: Microsoft Office DDE SEC OMB Approval Lure10/12/2017 NViso labs: YARA DDE rules: DDE Command Execution observed in-the-wild 10/11/2017 Talos:Spoofed SEC Emails Distribute Evolved DNSMessenger 10/10/2017 NViso labs: MS Office DDE YARA rules |
Ransomware Malware | ★★ | |
 |
2023-01-20 22:03:00 | Roaming Mantis Spreading Mobile Malware That Hijacks Wi-Fi Routers\' DNS Settings (lien direct) | Threat actors associated with the Roaming Mantis attack campaign have been observed delivering an updated variant of their patent mobile malware known as Wroba to infiltrate Wi-Fi routers and undertake Domain Name System (DNS) hijacking. Kaspersky, which carried out an analysis of the malicious artifact, said the feature is designed to target specific Wi-Fi routers located in South Korea. | Malware Threat | ★★ | |
|
2023-01-20 12:29:00 | New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability (lien direct) | A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa. Telemetry evidence gathered by Google-owned Mandiant indicates that the exploitation occurred as early as October 2022, at least nearly two months before fixes were | Malware Vulnerability Threat | ★★ | |
|
2023-01-20 11:02:16 | New Boldmove Linux malware used to backdoor Fortinet devices (lien direct) | Suspected Chinese hackers exploited a recently disclosed FortiOS SSL-VPN vulnerability as a zero-day in December, targeting a European government and an African MSP with a new custom 'BOLDMOVE' Linux and Windows malware. [...] | Malware Vulnerability | ★★★ | |
 |
2023-01-20 05:04:47 | (Déjà vu) ASEC Weekly Malware Statistics (January 9th, 2023 – January 15th, 2023) (lien direct) | The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 9th, 2023 (Monday) to January 15th, 2023 (Sunday). For the main category, downloader ranked top with 38.4%, followed by Infostealer with 37.0%, backdoor with 18.2%, ransomware with 4.0%, CoinMiner with 1.5%. Top 1 – SmokeLoader SmokeLoader is an Infostealer/downloader malware that is distributed via exploit kits. This week, it ranked first place with... | Ransomware Malware | ★★ | |
 |
2023-01-19 21:30:00 | Attackers Crafted Custom Malware for Fortinet Zero-Day (lien direct) | The "BoldMove" backdoor demonstrates a high level of knowledge of FortiOS, according to Mandiant researchers, who said the attacker appears to be based out of China. | Malware | ★★ | |
 |
2023-01-19 19:57:37 | Cloud Threats Memo: Threat Actors Continue to Abuse Cloud Services to Deliver Malware in 2023 (lien direct) | >Our most recent Cloud and Threat Report highlighted how threat actors abuse cloud services (with a special focus on cloud storage apps) to deliver malicious content (and yes, OneDrive leads the chart of the most exploited apps). To confirm that this trend will likely continue in 2023, researchers at Trend Micro have discovered an active […] | Malware Threat Guideline Prediction | ★★★ | |
 |
2023-01-19 19:17:18 | Canada\'s largest alcohol retailer infected with card skimming malware twice since December (lien direct) |  On January 12, Canadian alcohol retail giant LCBO announced that an “unauthorized party embedded malicious code” onto its website in order to steal information from customers in the process of checking out. Over five days in January, they wrote, customers “may have had their information compromised.” In fact, the infection was one of several to […] |
Malware | ★★★ | |
|
2023-01-19 18:57:00 | Android Users Beware: New Hook Malware with RAT Capabilities Emerges (lien direct) | The threat actor behind the BlackRock and ERMAC Android banking trojans has unleashed yet another malware for rent called Hook that introduces new capabilities to access files stored in the devices and create a remote interactive session. ThreatFabric, in a report shared with The Hacker News, characterized Hook as a novel ERMAC fork that's advertised for sale for $7,000 per month while featuring | Malware Threat | ★★★ | |
|
2023-01-19 18:30:22 | New \'Hook\' Android malware lets hackers remotely control your phone (lien direct) | A new Android malware named 'Hook' is being sold by cybercriminals, boasting it can remotely take over mobile devices in real-time using VNC (virtual network computing). [...] | Malware | ★★★ | |
 |
2023-01-19 15:00:00 | Des acteurs de menace chinois présumés exploitant la vulnérabilité de Fortios (CVE-2022-42475) Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475) (lien direct) |
mandiant suit une campagne suspectée de China-Nexus qui aurait exploité une vulnérabilité récemment annoncée dans Fortios SSL-VPN de Fortinet \\, CVE-2022-42475, commeun jour zéro. Les preuves suggèrent que l'exploitation se produisait dès octobre 2022 et que les objectifs identifiés incluent une entité gouvernementale européenne et un fournisseur de services gérés situé en Afrique.
mandiant a identifié un nouveau malware que nous suivons comme "Boldmove" dans le cadre de notre enquête.Nous avons découvert une variante Windows de Boldmove et une variante Linux, qui est spécialement conçue pour fonctionner sur des pare-feu FortiGate.Nous
Mandiant is tracking a suspected China-nexus campaign believed to have exploited a recently announced vulnerability in Fortinet\'s FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Evidence suggests the exploitation was occurring as early as October 2022 and identified targets include a European government entity and a managed service provider located in Africa. Mandiant identified a new malware we are tracking as “BOLDMOVE” as part of our investigation. We have uncovered a Windows variant of BOLDMOVE and a Linux variant, which is specifically designed to run on FortiGate Firewalls. We |
Malware Vulnerability Threat | ★★★★ | |
|
2023-01-19 12:55:02 | Roaming Mantis\' Android malware adds DNS changer to hack WiFi routers (lien direct) | Starting in September 2022, the 'Roaming Mantis' credential theft and malware distribution campaign was observed using a new version of the Wroba.o/XLoader Android malware that incorporates a function for detecting specific WiFi routers and changing their DNS. [...] | Malware Hack | ★★ | |
 |
2023-01-19 10:49:02 | New Linux malware hits record highs in 2022, rising by 50% (lien direct) | New Linux malware hits record highs in 2022, rising by 50% - Malware Update | Malware | ★★★ | |
 |
2023-01-19 10:00:06 | Roaming Mantis implements new DNS changer in its malicious mobile app in 2022 (lien direct) | Roaming Mantis (a.k.a Shaoye) is a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal data. In 2022, we observed a DNS changer function implemented in its Android malware Wroba.o. | Malware | ★★★ | |
 |
2023-01-19 04:27:00 | Chinese hackers targeted Iranian government entities for months: Report (lien direct) | Chinese advanced persistent threat actor, Playful Taurus, targeted several Iranian government entities between July and December 2022, according to a Palo Alto Networks report. The Chinese threat actor also known as APT15, KeChang, NICKEL, BackdoorDiplomacy, and Vixen Panda, was observed attempting to connect government domains to malware infrastructure previously associated with the APT group, according to the report.“Playful Taurus continues to evolve their tactics and their tooling. Recent upgrades to the Turian backdoor and new C2 infrastructure suggest that these actors continue to see success during their cyber espionage campaigns,” Palo Alto Networks said in a blog. To read this article in full, please click here | Malware Threat | APT 15 APT 25 | ★★★ |
 |
2023-01-18 19:46:05 | Rise of cloud-delivered malware poses key security challenges (lien direct) | >The volume of cloud-based malware tripled in 2022 over the prior year, says Netskope, with 30% of the malicious downloads coming from Microsoft OneDrive. | Malware | ★ | |
|
2023-01-18 19:21:00 | ChatGPT Could Create Polymorphic Malware Wave, Researchers Warn (lien direct) | The powerful AI bot can produce malware without malicious code, making it tough to mitigate. | Malware | ChatGPT | ★★★ |
|
2023-01-18 17:10:00 | ICS Confronted by Attackers Armed With New Motives, Tactics, and Malware (lien direct) | Threat actors are diversifying across all aspects to attack critical infrastructure, muddying the threat landscape, and forcing industrial organizations to rethink their security. | Malware Threat Industrial | ★★ | |
 |
2023-01-18 16:35:00 | Anomali Cyber Watch: FortiOS Zero-Day Has Been Exploited by an APT, Two RATs Spread by Four Types of JAR Polyglot Files, Promethium APT Continued Android Targeting (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, DDoS, Polyglot, RATs, Russia, Skimmers, Trojanized apps, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Malicious ‘Lolip0p’ PyPi Packages Install Info-Stealing Malware
(published: January 16, 2023)
On January 10, 2023, Fortinet researchers detected actor Lolip0p offering malicious packages on the Python Package Index (PyPI) repository. The packages came with detailed, convincing descriptions pretending to be legitimate HTTP clients or, in one case, a legitimate improvement for a terminal user interface. Installation of the libraries led to infostealing malware targeting browser data and authentication (Discord) tokens.
Analyst Comment: Free repositories such as PyPI become increasingly abused by threat actors. Before adding a package, software developers should review its author and reviews, and check the source code for any suspicious or malicious intent.
MITRE ATT&CK: [MITRE ATT&CK] T1204 - User Execution | [MITRE ATT&CK] T1555 - Credentials From Password Stores
Tags: actor:Lolip0p, Malicious package, malware-type:Infostealer, Discord, PyPi, Social engineering, Windows
Analysis of FG-IR-22-398 – FortiOS - Heap-Based Buffer Overflow in SSLVPNd
(published: January 11, 2023)
In December 2022, the Fortinet network security company fixed a critical, heap-based buffer overflow vulnerability (FG-IR-22-398, CVE-2022-42475) in FortiOS SSL-VPN. The vulnerability was exploited as a zero-day by an advanced persistent threat (APT) actor who was customizing a Linux implant specifically for FortiOS of relevant FortiGate hardware versions. The targeting was likely aimed at governmental or government-related targets. The attribution is not clear, but the compilation timezone UTC+8 may point to China, Russia, and some other countries.
Analyst Comment: Users of the affected products should make sure that the December 2022 FortiOS security updates are implemented. Zero-day based attacks can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning based detection systems. Network defenders are advised to monitor for suspicious traffic, such as suspicious TCP sessions with Get request for payloads.
MITRE ATT&CK: [MITRE ATT&CK] T1622 - Debugger Evasion | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1105 - Ingress Tool Transfer | [MITRE ATT&CK] T1090 - Proxy | [MITRE ATT&CK] T1070 - Indicator Removal On Host
Tags: FG-IR-22-398, CVE-2022-42 |
Malware Tool Vulnerability Threat Guideline | LastPass | ★★ |
|
2023-01-18 16:35:00 | Iranian Government Entities Under Attack by New Wave of BackdoorDiplomacy Attacks (lien direct) | The threat actor known as BackdoorDiplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022. Palo Alto Networks Unit 42, which is tracking the activity under its constellation-themed moniker Playful Taurus, said it observed the government domains attempting to connect to malware infrastructure previously identified as associated | Malware Threat | ★★★ | |
 |
2023-01-18 16:00:00 | ChatGPT Creates Polymorphic Malware (lien direct) | The first step to creating the malware was to bypass ChatGPT content filters | Malware | ChatGPT | ★★ |
|
2023-01-18 14:57:51 | Ukraine links data-wiping attack on news agency to Russian hackers (lien direct) | The Computer Emergency Response Team of Ukraine (CERT-UA) has linked a destructive malware attack targeting the country's National News Agency of Ukraine (Ukrinform) to Sandworm Russian military hackers. [...] | Malware | ★★★ | |
|
2023-01-18 11:45:00 | Almost Half of Critical Manufacturing at Risk of Breach (lien direct) | Critical manufacturing experienced an increase in severe vulnerabilities and malware infections in 2022 | Malware | ★★ | |
|
2023-01-18 10:32:15 | Classement Top Malware Check Point décembre 2022 : Emotet, Qbot et Kryptik sont sur le podium en France (lien direct) | Classement Top Malware Check Point décembre 2022 : Emotet, Qbot et Kryptik sont sur le podium en France - Malwares | Malware | ★★★ | |
|
2023-01-17 18:15:00 | Hackers Can Abuse Legitimate GitHub Codespaces Feature to Deliver Malware (lien direct) | New research has found that it is possible for threat actors to abuse a legitimate feature in GitHub Codespaces to deliver malware to victim systems. GitHub Codespaces is a cloud-based configurable development environment that allows users to debug, maintain, and commit changes to a given codebase from a web browser or via an integration in Visual Studio Code. It also comes with a port | Malware Threat | ★★★ | |
|
2023-01-17 18:09:38 | (Déjà vu) Hackers push malware via Google search ads for VLC, 7-Zip, CCleaner (lien direct) | Hackers are setting up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results. [...] | Malware | CCleaner CCleaner | ★ |
|
2023-01-17 18:09:38 | Hackers turn to Google search ads to push info-stealing malware (lien direct) | Hackers are setting up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results. [...] | Malware | ★★★ | |
|
2023-01-17 17:15:00 | Phishing parti: la chasse aux e-mails malveillants sur le thème industriel pour prévenir les compromis technologiques opérationnels Gone Phishing: Hunting for Malicious Industrial-Themed Emails to Prevent Operational Technology Compromises (lien direct) |
Le phishing est l'une des techniques les plus courantes utilisées pour fournir des logiciels malveillants et accéder aux réseaux cibles.Ce n'est pas seulement en raison de sa simplicité et de son évolutivité, mais aussi en raison de son efficacité dans l'exploitation des vulnérabilités du comportement humain.Malgré l'existence d'outils de détection sophistiqués et la sensibilisation à la sécurité des techniques de phishing, les défenseurs de tous les secteurs verticaux de l'industrie continuent de lutter pour éviter les compromis de phishing.
mandiant observe régulièrement les acteurs qui propagent des e-mails de phishing contenant une terminologie et des concepts spécifiques aux secteurs industriels, tels que l'énergie
Phishing is one of the most common techniques used to deliver malware and gain access to target networks. This is not only because of its simplicity and scalability, but also because of its efficiency in exploiting vulnerabilities in human behavior. Despite the existence of sophisticated detection tooling and security awareness of phishing techniques, defenders across all industry verticals continue to struggle to avoid phishing compromises. Mandiant regularly observes actors spreading phishing emails that contain terminology and concepts specific to industrial sectors, such as energy |
Malware Vulnerability Industrial | ★★★★ | |
|
2023-01-17 14:53:40 | Hackers can use GitHub Codespaces to host and deliver malware (lien direct) | GitHub Codespaces, a cloud-hosted integrated development environment (IDE), has a port forwarding feature that malicious actors can abuse to host and distribute malware to unaware developers. [...] | Malware | ★ | |
|
2023-01-17 13:53:00 | How attackers might use GitHub Codespaces to hide malware delivery (lien direct) | Attackers could start abusing GitHub Codespaces, a new service that allows developers to create and test applications inside development containers running on GitHub's servers. Developers can make their applications accessible via public GitHub URLs for preview by others, a functionality that can be abused to distribute malware payloads in a stealthy way."If the application port is shared privately, browser cookies are used and required for authentication," researchers from security firm Trend Micro said in a new report. "However, if ports are shared with the public (that is, without authentication or authentication context), attackers can abuse this feature to host malicious content such as scripts and malware samples."To read this article in full, please click here | Malware Prediction | ★ | |
 |
2023-01-17 13:09:56 | Attackers Can Abuse GitHub Codespaces for Malware Delivery (lien direct) | A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery, Trend Micro reports. | Malware Prediction | ★ | |
|
2023-01-17 12:06:00 | Researchers Uncover 3 PyPI Packages Spreading Malware to Developer Systems (lien direct) | A threat actor by the name Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems. The packages – named colorslib (versions 4.6.11 and 4.6.12), httpslib (versions 4.6.9 and 4.6.11), and libhttps (version 4.6.12) – by the author between January 7, 2023, and January 12, 2023. They have since been | Malware Threat | ★★★ | |
|
2023-01-17 00:31:00 | Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers) (lien direct) | On January 8th, the ASEC analysis team identified the distribution of a document-type malware targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro. Such a technique is called the template Injection method. and a similar attack case was covered in a previous blog post. When the Word document is opened, it downloads and executes an additional malicious Word macro document from the threat actor’s C&C server.... | Malware Threat | ★★ | |
 |
2023-01-17 00:00:00 | Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks (lien direct) | We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (This is the intrusion set we track behind the creation of Batloader). | Malware | ★★ | |
|
2023-01-16 18:17:00 | Raccoon and Vidar Stealers Spreading via Massive Network of Fake Cracked Software (lien direct) | A "large and resilient infrastructure" comprising over 250 domains is being used to distribute information-stealing malware such as Raccoon and Vidar since early 2020. The infection chain "uses about a hundred of fake cracked software catalogue websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub," cybersecurity firm SEKOIA said in | Malware | ★★★ | |
|
2023-01-16 17:00:00 | CircleCI Confirms Data Breach Was Caused By Infostealer on Employee Laptop (lien direct) | According to CTO Rob Zuber, the malware was not detected by the CircleCI antivirus program | Data Breach Malware | Uber | ★★★★ |
|
2023-01-16 16:00:00 | Qbot Overtakes Emotet in December 2022\'s Most Wanted Malware List (lien direct) | The findings come from Check Point Software's latest Global Threat Index report | Malware Threat | ★★★ | |
|
2023-01-16 15:39:00 | New Backdoor Created Using Leaked CIA\'s Hive Malware Discovered in the Wild (lien direct) | Unidentified threat actors have deployed a new backdoor that borrows its features from the U.S. Central Intelligence Agency (CIA)'s Hive multi-platform malware suite, the source code of which was released by WikiLeaks in November 2017. "This is the first time we caught a variant of the CIA Hive attack kit in the wild, and we named it xdr33 based on its embedded Bot-side certificate CN=xdr33," | Malware Threat | ★★★★ | |
|
2023-01-16 13:54:36 | IcedID malware ATTACK comment (lien direct) | Stories on the IcedID malware ATTACK which gained access to organisations' networks through Active Directory (AD), please see comment below from Sean Deuby at Semperis. Semperis is a pioneer in identity security, specifically AD. Comment from Sean Deuby, Director of Services, Semperis on the reported IcedID malware ATTACK: - Opinion | Malware | ★★ | |
|
2023-01-16 11:53:44 | CircleCI Hacked via Malware on Employee Laptop (lien direct) | Software development service CircleCI has revealed that a recently disclosed data breach was the result of information stealer malware being deployed on an engineer's laptop. The incident was initially disclosed on January 4, when CircleCI urged customers to rotate their secret keys. | Data Breach Malware | ★★★ | |
|
2023-01-16 11:41:30 | Malicious \'Lolip0p\' PyPi packages install info-stealing malware (lien direct) | A threat actor has uploaded to the PyPI (Python Package Index) repository three malicious packages that carry code to drop info-stealing malware on developers' systems. [...] | Malware Threat | ★★★ | |
|
2023-01-16 10:36:01 | Attackers Infected a CircleCI Employee with Malware to Steal Customer Session Tokens (lien direct) | Software provider CircleCI confirmed that a data breach in December resulted in the theft of some of... | Data Breach Malware | ★★ | |
|
2023-01-16 07:15:34 | Avast releases free BianLian ransomware decryptor (lien direct) | Security software company Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers. [...] | Ransomware Malware | ★★ | |
|
2023-01-16 05:00:03 | Ransomware Diaries: Undercover with the Leader of Lockbit (lien direct) |  An unusual announcement appeared in Russian Dark Web forums in June of 2020. Amid the hundreds of ads offering stolen credit card numbers and batches of personally identifiable information there was a Call for Papers. “We're kicking off the summer PAPER CONTEST,” it read. “Accepted article topics include any methods for popuring shells, malware and [… |
Ransomware Malware Guideline | ★★★ |
To see everything:
Our RSS (filtrered)
