What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-02-17 23:40:44 | Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware (lien direct) | A "potentially destructive actor" aligned with the government of Iran is actively exploiting the well-known Log4j vulnerability to infect unpatched VMware Horizon servers with ransomware. Cybersecurity firm SentinelOne dubbed the group "TunnelVision" owing to their heavy reliance on tunneling tools, with overlaps in tactics observed to that of a broader group tracked under the moniker Phosphorus | Ransomware Conference | APT 35 | |
 |
2022-02-08 16:00:00 | Anomali Cyber Watch: Conti Ransomware Attack, Iran-Sponsored APTs, New Android RAT, Russia-Sponsored Gamaredon, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Data breach, RATs, SEO poisoning, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New CapraRAT Android Malware Targets Indian Government and Military Personnel
(published: February 7, 2022)
Trend Micro researchers have discovered a new remote access trojan (RAT) dubbed, CapraRAT, that targets Android systems. CapraRAT is attributed to the advanced persistent threat (APT) group, APT36 (Earth Karkaddan, Mythic Leopard, Transparent Tribe), which is believed to be Pakistan-based group that has been active since at least 2016. The Android-targeting CapraRAT shares similarities (capabilities, commands, and function names) to the Windows targeting Crimson RAT, and researchers note that it may be a modified version of the open source AndroRAT. The delivery method of CapraRAT is unknown, however, APT36 is known to use spearphishing emails with attachments or links. Once CapraRAT is installed and executed it will attempt to reach out to a command and control server and subsequently begin stealing various data from an infected device.
Analyst Comment: It is important to only use the Google Play Store to obtain your software (for Android users), and avoid installing software from unverified sources because it is easier for malicious applications to get into third-party stores. Applications that ask for additional permissions outside of their normal functionality should be treated with suspicion, and normal functionality for the applications should be reviewed carefully prior to installation. Antivirus applications, if available, should be installed devices.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Software Deployment Tools - T1072
Tags: APT36, Earth Karkaddan, Mythic Leopard, Transparent Tribe, Android, CapraRAT
Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine
(published: February 3, 2022)
The Russia-sponsored, cyberespionage group Primitive Bear (Gamaredon) has continued updating its toolset, according to Unit 42 researchers. The group continues to use their primary tactic in spearphishing emails with attachments that leverage remote templates and template injection with a focus on Ukraine. These email attachments are usually Microsoft Word documents that use the remote template to fetch VBScript, execute it to establish persistence, and wait for the group’s instruction via a command and control server. Unit 42 researchers have analyzed the group’s activity and infrastructure dating back to 2018 up to the current border tensions between Russia and Ukraine. The infrastructure behind the campaigns is robust, with clusters of domains that are rotated and parked on different IPs, often on a daily basis.
Analyst Comment: Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromis |
Ransomware Malware Threat Conference | APT 35 APT 35 APT 29 APT 29 APT 36 | ★★ |
 |
2022-02-08 14:23:51 | CyberheistNews Vol 12 #06 [Heads Up] Beware of New Quickbooks Payment Scams (lien direct) |
![CyberheistNews Vol 12 #06 [Heads Up] Beware of New Quickbooks Payment Scams](https://blog.knowbe4.com/hubfs/Stu_Headshot_2021_resize.png)
[Heads Up] Beware of New QuickBooks Payment Scams
Email not displaying? |
CyberheistNews Vol 12 #06 | Feb. 8th., 2022
[Heads Up] Beware of New QuickBooks Payment Scams
Many small and mid-sized companies use Intuit's popular QuickBooks program. They usually start out using its easy-to-use base accounting program and then the QuickBooks program aggressively pushes other complimentary features. One of those add-on features is the ability to send customers' invoices via email.
The payee can click on a “Review and pay” button in the email to pay the invoice. It used to be a free, but less mature, feature years ago, but these days, it costs extra. Still, if you are using QuickBooks for your accounting, the ability to generate, send, receive and electronically track invoices all in one place is a pretty easy sell.
Unfortunately, phishing criminals are using QuickBooks' popularity to send business email compromise (BEC) scams. The emails appear as if they are coming from a legitimate vendor using QuickBooks, but if the potential victim takes the bait, the invoice they pay will be to the scammer.
Worse, the payment request can require that the payee use ACH (automated clearing house) method, which requires the payee to input their bank account details. So, if the victim falls for the scam, the criminal now has their bank account information. Not good.
Note: Some other QuickBooks scam warnings will tell you that QuickBooks will never ask for your ACH or banking details. This is not completely true. QuickBooks, the company and its support staff, never will, but QuickBooks email payment requests often do. Warn your users in Accounting.
CONTINUED at the KnowBe4 blog with both legit and malicious example screenshots:
https://blog.knowbe4.com/beware-of-quickbooks-payment-scams
|
Malware Hack Threat Conference | APT 35 | |
 |
2022-02-02 11:55:18 | Experts warn of a spike in APT35 activity and a possible link to Memento ransomware op (lien direct) | The Cybereason Nocturnus Team reported a spike in the activity of the Iran-linked APT group APT35 (aka Phosphorus or Charming Kitten). The Cybereason Nocturnus Team observed a spike in the activity of the Iran-linked APT group APT35 (aka 'Charming Kitten', 'Phosphorus', Newscaster, and Ajax Security Team) The Phosphorus group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized […] | Ransomware Conference | APT 35 APT 35 | |
 |
2022-02-01 16:24:06 | Iranian Hackers Using New PowerShell Backdoor Linked to Memento Ransomware (lien direct) | Attacks from the Iranian Phosphorus APT (aka Charming Kitten, APT35) are well documented. Now a new set of tools incorporated into the group's arsenal, and a connection with the Memento ransomware, have been discovered. | Ransomware Conference | APT 35 APT 35 | |
 |
2022-02-01 14:00:00 | Cyberspies linked to Memento ransomware use new PowerShell malware (lien direct) | An Iranian state-backed hacking group tracked as APT35 (aka Phosphorus or Charming Kitten) is now deploying a new backdoor called PowerLess and developed using PowerShell. [...] | Ransomware Malware Conference | APT 35 APT 35 | |
 |
2022-02-01 05:01:00 | PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage (lien direct) |
Over the past months, the Cybereason Nocturnus Team observed an uptick in the activity of the Iranian attributed group dubbed Phosphorus (AKA Charming Kitten, APT35), known for previously attacking medical research organizations in the US and Israel in late 2020, and for targeting academic researchers from the US, France, and the Middle East region back in 2019. |
Conference | APT 35 APT 35 | |
|
2022-02-01 02:28:30 | Iranian Hackers Using New PowerShell Backdoor in Cyber Espionage Attacks (lien direct) | An advanced persistent threat group with links to Iran has updated its malware toolset to include a novel PowerShell-based implant called PowerLess Backdoor, according to new research published by Cybereason. The Boston-headquartered cybersecurity company attributed the malware to a hacking group known as Charming Kitten (aka Phosphorous, APT35, or TA453), while also calling out the backdoor's | Malware Threat Conference | APT 35 APT 35 | |
|
2022-01-12 11:22:16 | Iran-linked APT35 group exploits Log4Shell flaw to deploy a new PowerShell backdoor (lien direct) | Iran-linked APT35 group has been observed leveraging the Log4Shell flaw to drop a new PowerShell backdoor. Iran-linked APT35 cyberespionege group (aka ‘Charming Kitten‘ or ‘Phosphorus‘) has been observed leveraging the Log4Shell flaw to drop a new PowerShell backdoor, Check Point researchers states. The experts also details the use of a modular PowerShell-based framework dubbed CharmPower, that allows […] | Conference | APT 35 | |
|
2022-01-11 18:17:45 | State hackers use new PowerShell backdoor in Log4j attacks (lien direct) | Hackers believed to be part of the Iranian APT35 state-backed group (aka 'Charming Kitten' or 'Phosphorus') has been observed leveraging Log4Shell attacks to drop a new PowerShell backdoor. [...] | Conference | APT 35 | |
|
2021-12-29 16:00:00 | Anomali Cyber Watch: Equation Group\'s Post-Exploitation Framework, Decentralized Finance (DeFi) Protocol Exploited, Third Log4j Vulnerability, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache Log4j 2, APT, Malspam, Ngrok relay, Phishing, Sandbox evasion, Scam, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard
(published: December 27, 2021)
Check Point researchers have published their findings on the Equation Group’s post-exploitation framework DanderSpritz — a major part of the “Lost in Translation” leak — with a focus on its DoubleFeature logging tool. DoubleFeature (similar to other Equation Group tools) employs several techniques to make forensic analysis difficult: function names are not passed explicitly, but instead a checksum of it; strings used in DoubleFeature are decrypted on-demand per function and they are re-encrypted once function execution completes. DoubleFeature also supports additional obfuscation methods, such as a simple substitution cipher and a stream cipher. In its information gathering DoubleFeature can monitor multiple additional plugins including: KillSuit (also known as KiSu and GrayFish) plugin that is running other plugins, providing a framework for persistence and evasion, MistyVeal (MV) implant verifying that the targeted system is indeed an authentic victim, StraitBizarre (SBZ) cross-platform implant, and UnitedRake remote access tool (UR, EquationDrug).
Analyst Comment: It is important to study Equation Group’s frameworks because some of the leaked exploits were seen exploited by other threat actors. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140
Tags: Equation Group, DanderSpritz, DoubleFeature, Shadow Brokers, EquationDrug, UnitedRake, DiveBar, KillSuit, GrayFish, StraitBizarre, MistyVeal, PeddleCheap, DiceDealer, FlewAvenue, DuneMessiah, CritterFrenzy, Elby loader, BroughtHotShot, USA, Russia, APT
Dridex Affiliate Dresses Up as Scrooge
(published: December 23, 2021)
Days before Christmas, an unidentified Dridex affiliate is using malspam emails with extremely emotion-provoking lures. One malicious email purports that 80% of the company’s employees have tested positive for Omicron, a variant of COVID-19, another email claims that the recipient was just terminated from his or her job. The attached malicious Microsoft Excel documents have two anti-sandbox features: they are password protected, and the macro doesn’t run until a user interacts with a pop-up dialog. If the user makes the macro run, it will drop an .rtf f |
Ransomware Malware Tool Vulnerability Threat Conference | APT 35 | |
 |
2021-10-14 14:36:04 | A Telegram Bot Told Iranian Hackers When They Got a Hit (lien direct) | APT35 may not be the most dangerous group out there, but they've got a new phishing trick. | Conference | APT 35 | |
|
2021-08-05 15:48:35 | Iran-Linked Hackers Expand Arsenal With New Android Backdoor (lien direct) | The Iran-linked hacking group named Charming Kitten has added a new Android backdoor to its arsenal and successfully compromised individuals associated with the Iranian reformist movement, according to security researchers with IBM's X-Force threat intelligence team. | Threat Conference | APT 35 APT 35 | |
 |
2021-08-04 20:30:00 | ITG18: Operational Security Errors Continue to Plague Sizable Iranian Threat Group (lien direct) | This blog supplements a Black Hat USA 2021 talk given August 2021. IBM Security X-Force threat intelligence researchers continue to track the infrastructure and activity of a suspected Iranian threat group ITG18. This group’s tactics, techniques and procedures(TTPs) overlap with groups known as Charming Kitten, Phosphorus and TA453. Since our initial report on the group’s training […] | Threat Conference | APT 35 APT 35 | |
 |
2021-07-31 09:53:50 | TA453 usurpe secrètement l\'université de Londres pour dérober des données personnelles récupérées ensuite par le gouvernement iranien (lien direct) | Alors qu'ils ciblaient en mars dernier les éminents chercheurs en médecine via des campagnes de phishing principalement aux États-Unis et en Israël, l'acteur malveillant TA453 affilié au gouvernement iranien, également connu sous les noms de CHARMING KITTEN et PHOSPHORUS, est de retour avec une nouvelle campagne de leurres par mail, détectée par les chercheurs Proofpoint. The post TA453 usurpe secrètement l'université de Londres pour dérober des données personnelles récupérées ensuite par le gouvernement iranien first appeared on UnderNews. | Conference | APT 35 APT 35 | |
 |
2021-04-23 09:00:00 | APT35 âCharming Kitten\' discovered in a pre-infected environment (lien direct) | This blog discusses how Darktrace discovered a stealthy pre-existing APT35 infection in a customer environment. | Conference | APT 35 | |
|
2021-04-06 16:57:00 | Anomali Cyber Watch: APT Groups, Data Breach, Malspam, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT10, Charming Kitten, China, Cycldek, Hancitor, Malspam, North Korea, Phishing, TA453, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
The Leap of a Cycldek-Related Threat Actor
(published: April 5, 2021)
A new sophisticated Chinese campaign was observed between June 2020 and January 2021, targeting government, military and other critical industries in Vietnam, and, to lesser extent, in Central Asia and Thailand. This threat actor uses a "DLL side-loading triad" previously mastered by another Chinese group, LuckyMouse: a legitimate executable, a malicious DLL to be sideloaded by it, and an encoded payload, generally dropped from a self-extracting archive. But the code origins of the new malware used on different stages of this campaign point to a different Chinese-speaking group, Cycldek.
Analyst Comment: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: [MITRE ATT&CK] DLL Side-Loading - T1073 | [MITRE ATT&CK] File Deletion - T1107
Tags: Chinese-speaking, Cycldek-related
Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
(published: April 1, 2021)
Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe or TA511. Initial infection includes target clicking malspam, then clicking on a link in an opened Google Docs page, and finally clicking to enable macros in the downloaded Word document. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. It generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic.
Analyst Comment: Organizations should use email security solutions to block malicious/spam emails. All email attachments should be scanned for malware before they reach the user's inbox. IPS rules need to be configured properly to identify any reconnaissance attempts e.g. port scan to get early indication of potential breach.
MITRE ATT&CK: [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Rundll32 - T1085 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] System Information Discovery - T1082
Tags: Hancitor, Malspam, Cobalt Strike
|
Malware Tool Vulnerability Threat Conference | APT 35 APT 10 | |
 |
2021-01-15 12:14:17 | Experts Insight On APT35 Recent Phishing Attacks (lien direct) | It has been reported that the Iranian group APT35 (also known as Charming Kitten or Phosphorus) executed sophisticated spear-phishing campaigns that involved not only email attacks but also SMS messages… The ISBuzz Post: This Post Experts Insight On APT35 Recent Phishing Attacks | Conference | APT 35 APT 35 | |
 |
2021-01-08 20:19:37 | APT Horoscope (lien direct) | This delightful essay matches APT hacker groups up with astrological signs. This is me: Capricorn is renowned for its discipline, skilled navigation, and steadfastness. Just like Capricorn, Helix Kitten (also known as APT 35 or OilRig) is a skilled navigator of vast online networks, maneuvering deftly across an array of organizations, including those in aerospace, energy, finance, government, hospitality, and telecommunications. Steadfast in its work and objectives, Helix Kitten has a consistent track record of developing meticulous spear-phishing attacks... | Conference | APT 35 APT 35 APT 34 | |
|
2020-10-29 15:21:08 | Expert Reacted On Microsoft Says Iranian Hackers “Phosphorus” Targeted Conference Attendees (lien direct) | Microsoft says it detected and worked to stop a series of cyberattacks from the threat actor Phosphorous masquerading as conference organizers to target more than 100 high-profile individuals. Phosphorus, an Iranian actor, has targeted with this scheme potential attendees of the upcoming Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia. The … The ISBuzz Post: This Post Expert Reacted On Microsoft Says Iranian Hackers “Phosphorus” Targeted Conference Attendees | Threat Conference | APT 35 | |
|
2020-10-29 11:16:42 | Iran-linked Threat Actor Targets T20 Summit Attendees (lien direct) | It has been reported that an Iranian threat actor has successfully compromised attendees of two global conferences – including ambassadors and senior policy experts – in an effort to steal their email credentials. Microsoft linked the attack, which targeted more than 100 conference attendees, to Phosphorus, which it said is operating from Iran. The group – also known … The ISBuzz Post: This Post Iran-linked Threat Actor Targets T20 Summit Attendees | Threat Conference | APT 35 | |
|
2020-10-29 08:28:32 | Iran-linked Phosphorous APT hacked emails of security conference attendees (lien direct) | Iran-linked APT group Phosphorus successfully hacked into the email accounts of multiple high-profile individuals and security conference attendees. Microsoft revealed that Iran-linked APT Phosphorus (aka APT35, Charming Kitten, Newscaster, and Ajax Security Team) successfully hacked into the email accounts of multiple high-profile individuals and attendees at this year’s Munich Security Conference and the Think 20 (T20) summit. “Today, we're sharing […] | Conference | APT 35 | |
|
2020-09-15 15:00:00 | Weekly Threat Briefing: APT Group, Malware, Ransomware, and Vulnerabilities (lien direct) |
The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Conti Ransomware, Cryptominers, Emotet, Linux, US Election, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
China’s ‘Hybrid War’: Beijing’s Mass Surveillance of Australia and the World for Secrets and Scandal
(published: September 14, 2020)
A database containing 2.4 million people has been leaked from a Shenzhen company, Zhenhua Data, believed to have ties to the Chinese intelligence service. The database contains personal information on over 35,000 Australians and prominent figures, and 52,000 Americans. This includes addresses, bank information, birth dates, criminal records, job applications, psychological profiles, and social media. Politicians, lawyers, journalists, military officers, media figures, and Natalie Imbruglia are among the records of Australians contained in the database. While a lot of the information is public, there is also non-public information contributing to claims that China is developing a mass surveillance system.
Recommendation: Users should always remain vigilant about the information they are putting out into the public, and avoid posting personal or sensitive information online.
Tags: China, spying
US Criminal Court Hit by Conti Ransomware; Critical Data at Risk
(published: September 11, 2020)
The Fourth District Court of Louisiana, part of the US criminal court system, appears to have become the latest victim of the Conti ransomware. The court's website was attacked and used to steal numerous court documents related to defendants, jurors, and witnesses, and then install the Conti ransomware. Evidence of the data theft was posted to the dark web. Analysis of the malware by Emsisoft’s threat analyst, Brett Callow, indicates that the ransomware deployed in the attack was Conti, which has code similarity to another ransomware strain, Ryuk. The Conti group, believed to be behind this ransomware as a service, is sophisticated and due to the fact that they receive a large portion of the ransoms paid, they are motivated to avoid detections and continue to develop advanced attacking tools. This attack also used the Trickbot malware in its exploit chain, similar to that used by Ryuk campaigns.
Recommendation: Defense in Depth, including vulnerability remediation and scanning, monitoring, endpoint protection, backups, etc. is key to thwarting increasingly sophisticated attacks. Ransomware attacks are particularly attractive to attackers due to the fact that each successful ransomware attack allows for multiple streams of income. The attackers can not only extort a ransom to decrypt the victim's files (especially in cases where the victim finds they do not have appropriate disaster recovery plans), but they can also monetize the exfiltrated data directly and/or use the data to aid in future attacks. This technique is increasingly used in supply chain compromises to build difficult to detect spearphishing attacks.
Tags: conti, ryuk, ransomware
|
Ransomware Malware Tool Vulnerability Threat Conference | APT 35 APT 28 APT 31 | ★★★ |
 |
2020-09-14 14:49:08 | Lock and Code S1Ep15: Safely using Google Chrome Extensions with Pieter Arntz (lien direct) |
This week on Lock and Code, we talk to Pieter Arntz, malware intelligence researcher for Malwarebytes, about Google Chrome extensions.
Categories:
Podcast
Tags: advanced persistent threatsAPTCenter for Public Health ResearchCharming Kittencovid-19data breachddosDDos attackdistributed denial of service attackelection interferenceelectionsLugar CentremalvertisingNetflix scampandemic
(Read more...)
|
Malware Conference | APT 35 | |
|
2020-08-28 15:33:29 | Iran-linked Charming Kitten APT contacts targets via WhatsApp, LinkedIn (lien direct) | The Iran-linked Charming Kitten APT group leveraged on WhatsApp and LinkedIn to carry out phishing attacks, researchers warn. Clearsky security researchers revealed that Iran-linked Charming Kitten APT group is using WhatsApp and LinkedIn to conduct spear-phishing attacks. Iran-linked Charming Kitten group, (aka APT35, Phosphorus, Newscaster, and Ajax Security Team) made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying […] | Conference | APT 35 | |
|
2020-08-28 03:36:28 | Iranian Hackers Pose as Journalists to Trick Victims Into Installing Malware (lien direct) | An Iranian cyberespionage group known for targeting government, defense technology, military, and diplomacy sectors is now impersonating journalists to approach targets via LinkedIn and WhatsApp and infect their devices with malware.
Detailing the new tactics of the "Charming Kitten" APT group, Israeli firm Clearsky said, "starting July 2020, we have identified a new TTP of the group, |
Malware Conference | APT 35 | |
|
2020-07-17 13:49:25 | Iran-linked APT35 accidentally exposed 40 GB associated with their operations (lien direct) | Iran-linked APT35 group accidentally exposed one of its servers, leaving online roughly 40 GB of videos and other files associated with its operations. Researchers at IBM X-Force Incident Response Intelligence Services (IRIS) discovered an unsecured server belonging to Iran-linked APT35 group (aka ITG18, Charming Kitten, Phosphorous, and NewsBeef) containing data for many domains managed by […] | Conference | APT 35 | |
|
2020-07-17 03:23:46 | Iranian Hackers Accidentally Exposed Their Training Videos (40 GB) Online (lien direct) | An OPSEC error by an Iranian threat actor has laid bare the inner workings of the hacking group by providing a rare insight into the "behind-the-scenes look into their methods."
IBM's X-Force Incident Response Intelligence Services (IRIS) got hold of nearly five hours worth of video recordings of the state-sponsored group it calls ITG18 (also called Charming Kitten, Phosphorous, or APT35) that |
Threat Conference | APT 35 | ★★★★★ |
|
2020-07-16 10:00:00 | Iranian Spies Accidentally Leaked a Video of Themselves Hacking (lien direct) | IBM's X-Force security team obtained five hours of APT35 hacking operations, showing exactly how the group breaks into email accounts-and who it's targeting. | Conference | APT 35 | |
|
2020-07-16 09:00:00 | New Research Exposes Iranian Threat Group\'s Operations (lien direct) | IBM X-Force Incident Response Intelligence Services (IRIS) has uncovered rare details on the operations of the suspected Iranian threat group ITG18, which overlaps with Charming Kitten and Phosphorous. In the past few weeks, ITG18 has been associated with targeting of pharmaceutical companies and the U.S. presidential campaigns. Now, due to operational errors-a basic misconfiguration-by suspected […] | Threat Conference | APT 35 | |
|
2020-02-07 10:59:52 | Iran-linked APT group Charming Kitten targets journalists, political and human rights activists (lien direct) | Iran-linked APT group Charming Kitten has been targeting journalists, political and human rights activists in a new campaign. Researchers from Certfa Lab reports have spotted a new cyber espionage campaign carried out by Iran-linked APT group Charming Kitten that has been targeting journalists, political and human rights activists. Iran-linked Charming Kitten group, (aka APT35, Phosphorus, Newscaster, and Ajax Security Team) made the […] | Conference | APT 35 | |
|
2019-10-13 23:06:24 | Charming Kitten Campaign involved new impersonation methods (lien direct) | Iran-linked APT group Charming Kitten employed new spear-phishing methods in attacks carried out between August and September. Security experts at ClearSky analyzed attacks recently uncovered by Microsoft that targeted a US presidential candidate, government officials, journalists, and prominent expatriate Iranians. Microsoft Threat Intelligence Center (MSTIC) observed the APT group making more than 2,700 attempts to […] | Threat Conference | APT 35 | |
|
2019-10-09 18:20:48 | Iranian Hackers Update Spear-Phishing Techniques in Recent Campaign (lien direct) | The Iranian state-sponsored threat actor known as Charming Kitten employed new spear-phishing methods in a campaign observed in August and September, ClearSky's security researchers report. | Threat Conference | APT 35 | |
|
2019-10-06 14:10:54 | Iran-linked Phosphorus group hit a 2020 presidential campaign (lien direct) | Microsoft says that the Iran-linked cyber-espionage group tracked as Phosphorus (aka APT35, Charming Kitten, Newscaster, and Ajax Security Team) a 2020 presidential campaign. Microsoft’s Threat Intelligence Center (MSTIC) revealed that an Iran-linked APT group tracked as Phosphorus (aka APT35, Charming Kitten, Newscaster, and Ajax Security Team) attempted to access to email accounts belonging to current and former US government officials, journalists, Iranians living abroad, and individuals […] | Threat Conference | APT 35 | |
|
2019-10-04 14:53:19 | Microsoft Discovers Iranian Hacking Campaign Targeting U.S. Politics (lien direct) | Microsoft says that a state-sponsored Iranian cyber-espionage group tracked as Phosphorus by the Microsoft Threat Intelligence Center (MSTIC) attempted to get account info on over 2,700 of its customers, attack 241 of them, and compromised four accounts between August and September. [...] | Threat Conference | APT 35 | |
|
2019-03-28 06:57:04 | Microsoft Takes Control of 99 Domains Used by Iranian Cyberspies (lien direct) | Microsoft on Wednesday announced that it had taken control of 99 domains used by an Iran-linked cyberespionage group it tracks as Phosphorus. | Conference | APT 35 | |
 |
2019-03-27 18:04:01 | Microsoft takes control of 99 domains operated by Iranian state hackers (lien direct) | Microsoft takes control of 99 domains operated by APT35/Phosphorus cyber-espionage group. | Conference | APT 35 | |
|
2019-01-21 16:15:03 | Has two-factor authentication been defeated? A spotlight on 2FA\'s latest challenge (lien direct) | Read more...) | Conference | APT 35 | |
 |
2018-12-15 12:07:04 | Charming Kitten, pirates Iraniens, infiltrent les Gmail et Yahoo de responsables US (lien direct) | Charming Kitten, des pirates informatiques iraniens tentent d’infiltrer les comptes mails de responsables américains en passant outre la double authentification proposée par les deux webmails. La société britannique Certfa annonce que des pirates informatiques iraniens auraient réussi à infilt... Cet article Charming Kitten, pirates Iraniens, infiltrent les Gmail et Yahoo de responsables US est apparu en premier sur ZATAZ. | Conference | Yahoo APT 35 | |
|
2018-07-03 12:26:00 | Iranian Charming Kitten ATP group poses as Israeli cybersecurity firm in phishing campaign (lien direct) | Iranian APT groups continue to very active, recently Charming Kitten cyber spies attempted to pose as an Israeli cyber-security firm that uncovered previous hacking campaigns. The Iranian Charming Kitten ATP group, aka Newscaster or Newsbeef, launched spear phishing attacks against people interested in reading reports about it. The Newscaster group made the headlines in 2014 when experts at iSight issued a report describing the […] | Conference | APT 35 | |
|
2018-04-04 14:00:03 | Breaches Increasingly Discovered Internally: Mandiant (lien direct) | >Organizations are getting increasingly better at discovering data breaches on their own, with more than 60% of intrusions in 2017 detected internally, according to FireEye-owned Mandiant.
The company's M-Trends report for 2018 shows that the global median time for internal detection dropped to 57.5 days in 2017, compared to 80 days in the previous year. Of the total number of breaches investigated by Mandiant last year, 62% were discovered internally, up from 53% in 2016.
On the other hand, it still took roughly the same amount of time for organizations to learn that their systems had been compromised. The global median dwell time in 2017 – the median time from the first evidence of a hack to detection – was 101 days, compared to 99 days in 2016.
Companies in the Americas had the shortest median dwell time (75.5 days), while organizations in the APAC region had the longest dwell time (nearly 500 days).
Data collected by Mandiant in 2013 showed that more than one-third of organizations had been attacked again after the initial incident had been remediated. More recent data, specifically from the past 19 months, showed that 56% of Mandiant customers were targeted again by either the same group or one with similar motivation.
In cases where investigators discovered at least one type of significant activity (e.g. compromised accounts, data theft, lateral movement), the targeted organization was successfully attacked again within one year. Organizations that experienced more than one type of significant activity were attacked by more than one threat actor.
Again, the highest percentage of companies attacked multiple times and by multiple threat groups was in the APAC region – more than double compared to the Americas and the EMEA region.
When it comes to the most targeted industries, companies in the financial and high-tech sectors recorded the highest number of significant attacks, while the high-tech, telecommunications and education sectors were hit by the highest number of different hacker groups.
Last year, FireEye assigned names to four state-sponsored threat groups, including the Vietnam-linked APT32 (OceanLotus), and the Iran-linked APT33, APT34 (OilRig), and APT35 (NewsBeef, Newscaster and Charming Kitten).
|
Conference | APT33 APT 35 APT 33 APT 32 APT 34 | |
|
2017-12-07 17:30:56 | Iranian Hacker Charged For HBO Breach Part Of Charming Kitten Group (lien direct) | The ISBuzz Post: This Post Iranian Hacker Charged For HBO Breach Part Of Charming Kitten Group | Conference | APT 35 | |
|
2017-12-07 09:13:17 | HBO hacker linked to the Iranian Charming Kitten APT group (lien direct) | >A new report published by ClearSky linked a man accused by U.S. authorities of hacking into the systems of HBO to the Iranian cyber espionage group Charming Kitten. Experts from the security firm ClearSky have published a new detailed report on the activities of Charming Kitten APT group, also known as Newscaster and NewsBeef. The Newscaster group made the headlines […] | Conference | APT 35 | |
|
2017-12-06 13:49:19 | HBO Hacker Linked to Iranian Spy Group (lien direct) | A man accused by U.S. authorities of hacking into the systems of HBO and attempting to extort millions of dollars from the company has been linked by security researchers to an Iranian cyber espionage group tracked as Charming Kitten. | Conference | APT 35 | |
|
2017-12-06 04:45:40 | HBO Hacker Was Part of Iran\'s "Charming Kitten" Elite Cyber-Espionage Unit (lien direct) | Behzad Mesri, the Iranian national the US has accused of hacking HBO this year, is part of an elite Iranian cyber-espionage unit known in infosec circles as Charming Kitten, according to a report released yesterday by Israeli firm ClearSky Cybersecurity. [...] | Conference | APT 35 | |
 |
2017-03-27 20:51:22 | New Clues Surface on Shamoon 2\'s Destructive Behavior (lien direct) | Researchers report new connections between Magic Hound and Shamoon 2, along with descriptions of how the Disttrack malware component of campaigns moves laterally within infected networks. | Conference | APT 35 | |
|
2017-03-06 19:27:49 | Destructive StoneDrill Wiper Malware On The Loose (lien direct) | Kaspersky Lab released details about new wiper malware called StoneDrill that bears similarities to Shamoon2 and an APT outfit known as NewsBeef. | Conference | APT 35 | |
 |
2017-02-16 05:16:26 | Magic Hound Campaign Attacks Saudi Targets (lien direct) | Unit 42 discovers a persistent attack campaign operating primarily in the Middle East dating back to at least mid-2016 which they have named Magic Hound. | Conference | APT 35 | |
 |
2014-04-03 09:48:00 | DLL à chargement latéral: un autre point mort pour antivirus DLL Side-Loading: Another Blind-Spot for Anti-Virus (lien direct) |
Le mois dernier, j'ai présenté une conférence à la conférence RSA USA sur un vecteur de menace de plus en plus populaire appelé «Dynamic-Link Library-Wadinging» (DLL Side-Wading).Comme pour de nombreuses vulnérabilités, cet exploit existe depuis assez longtemps et est le résultat de Microsoft qui cherche à faciliter les mises à jour binaires pour les développeurs Windows via la fonction d'assemblage Windows côte à côte (WINSXS).
Maintenant, cependant, les développeurs avancés de menace persistante (APT) utilisent la méthode inoffensive de chargement latéral DLL pour faufiler les scanners antivirus (AV) de malware (AV) alors que les fichiers infectés fonctionnent en mémoire.Ce faisant, le
Last month, I presented a talk at the RSA USA Conference on an increasingly popular threat vector called “Dynamic-Link Library Side-Loading” (DLL Side-Loading). As with many vulnerabilities, this exploit has existed for a rather long time and is the result of Microsoft looking to make binary updates easier for Windows developers through the Windows side-by-side (WinSxS) assembly feature. Now, though, advanced persistent threat (APT) developers are using the innocuous DLL Side-Loading method to sneak malware past anti-virus (AV) scanners as the infected files run in-memory. In doing-so, the |
Malware Threat Conference Technical | ★★★★ |
To see everything:
Our RSS (filtrered)
