What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-10-31 16:30:08 | Ordinary web access request or command to malware? (lien direct) | Cranefly group unleashes nasty little technique using Microsoft Internet Information Services (IIS) logs A threat group that targets corporate emails is delivering dropper malware through a novel technique that uses Microsoft Internet Information Services (IIS) logs to send commands disguised as web access requests.… | Malware Threat | ||
 |
2022-10-31 14:37:01 | Wannacry, the hybrid malware that brought the world to its knees (lien direct) | >Reflecting on the Wannacry ransomware attack, which is the lesson learnt e why most organizations are still ignoring it. In the early afternoon of Friday 12 May 2017, the media broke the news of a global computer security attack carried out through a malicious code capable of encrypting data residing in information systems and demanding […] | Ransomware Malware | Wannacry Wannacry | ★★ |
 |
2022-10-31 11:34:52 | Hacking group abuses antivirus software to launch LODEINFO malware (lien direct) | The Chinese Cicada hacking group, tracked as APT10, was observed abusing security software to install a new version of the LODEINFO malware against Japanese organizations. [...] | Malware | APT 10 | |
 |
2022-10-31 01:57:31 | A Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the BYOVD Technique (lien direct) | In the ASEC blog post uploaded on April 2022 (New Malware of Lazarus Threat Actor Group Exploiting INITECH Process, https://asec.ahnlab.com/en/33801/), the team discussed the fact that the Lazarus attack group had been exploiting the INITECH process to infect systems with malware. This article aims to cover the details of the Lazarus group using the watering hole technique to hack into systems before exploiting the vulnerability of the MagicLine4NX product from Dream Security in order to additionally hack into systems in... | Malware Hack Vulnerability Threat Medical | APT 38 | |
 |
2022-10-28 16:31:00 | Researchers Uncover Stealthy Techniques Used by Cranefly Espionage Hackers (lien direct) | A recently discovered hacking group known for targeting employees dealing with corporate transactions has been linked to a new backdoor called Danfuan. This hitherto undocumented malware is delivered via another dropper called Geppei, researchers from Symantec, by Broadcom Software, said in a report shared with The Hacker News. The dropper "is being used to install a new backdoor and other tools | Malware | ||
|
2022-10-28 16:08:28 | The Week in Ransomware - October 28th 2022 - Healthcare leaks (lien direct) | This week, we learned of healthcare data leaks out of Australia, information about existing attacks, and reports on how ransomware gangs operate and partner with malware developers for initial access. [...] | Ransomware Malware | ||
 |
2022-10-28 16:00:00 | Cranefly Hackers Use Stealthy Techniques to Deliver and Control Malware (lien direct) | These attackers reportedly spent at least 18 months on victim networks | Malware | ||
|
2022-10-28 15:48:00 | Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints (lien direct) | The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware. It is "part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread," the Microsoft Security Threat Intelligence Center (MSTIC | Malware Threat | ||
 |
2022-10-28 10:01:00 | Phishing attacks increase by over 31% in third quarter: Report (lien direct) | Email security and threat detection company Vade has found that phishing emails in the third quarter this year increased by more than 31% quarter on quarter, with the number of emails containing malware in the first three quarters surpassing the 2021 level by 55.8 million.Malware emails in the third quarter of 2022 alone increased by 217% compared to same period in 2021. Malware email volume peaked in July, reaching 19.2 million, before month-over-month declines in August and September, with numbers dropping to 16.8 million and 16.5 million respectively.To read this article in full, please click here | Malware Threat | ★★★★ | |
|
2022-10-28 06:00:00 | Hackers use Microsoft IIS web server logs to control malware (lien direct) | The Cranefly hacking group, aka UNC3524, uses a previously unseen technique of controlling malware on infected devices via Microsoft Internet Information Services (IIS) web server logs. [...] | Malware | ||
|
2022-10-28 06:00:00 | Android malware droppers with 130K installs found on Google Play (lien direct) | A set of Android malware droppers were found infiltrating the Google Play store to install malicious programs by pretending to be app updates. [...] | Malware | ||
|
2022-10-27 19:49:00 | Researchers Expose Over 80 ShadowPad Malware C2 Servers (lien direct) | As many as 85 command-and-control (C2) servers have been discovered supported by the ShadowPad malware since September 2021, with infrastructure detected as recently as October 16, 2022. That's according to VMware's Threat Analysis Unit (TAU), which studied three ShadowPad variants using TCP, UDP, and HTTP(S) protocols for C2 communications. ShadowPad, seen as a successor to PlugX, is a modular | Malware Threat | ||
|
2022-10-27 13:10:18 | Drinik Android malware now targets users of 18 Indian banks (lien direct) | A new version of the Drinik Android banking trojan targets 18 Indian banks, masquerading as the country's official tax management app to steal victims' personal information and banking credentials. [...] | Malware | ||
 |
2022-10-27 13:00:00 | Analyzing PIPEDREAM: Results from Runtime Testing (lien direct) | >PIPEDREAM is the seventh known malware affecting industrial control systems (ICS). It’s a flexible ICS attack framework and the first... The post Analyzing PIPEDREAM: Results from Runtime Testing first appeared on Dragos. | Malware | ||
 |
2022-10-27 10:00:00 | 11 Cybersecurity investments you can make right now (lien direct) | This blog was written by an independent guest blogger. The average cost of a data breach will continue to rise, which means companies need to start planning accordingly. To protect your business, you need to invest in cybersecurity. Here are 11 areas you should focus on. Cyber insurance Cyber insurance is designed to protect businesses from the financial repercussions of a cyber-attack. It can cover costs such as business interruption, data recovery, legal expenses, and reputational damage. It is increasingly common across industries and at companies of all sizes, even small businesses, which have become a growing target of cybercriminals. Cyber insurance has also become a new compliance requirement in many industries, including healthcare, finance, and retail. In the event of a data breach, companies are often required to notify their customers and partners, which can be costly. Cyber insurance can help cover these expenses. Employee training Employees are often the weakest link in a company's cybersecurity defenses. They may not be aware of the latest cyber threats or how to protect themselves from them. That's why it's important to provide employees with regular training on cybersecurity risks and best practices. There are many different types of employee training programs available, ranging from in-person seminars to online courses. Some companies even offer financial incentives for employees who complete training programs. In the remote work era, employee education also increasingly means arming remote workers with knowledge that will keep company data safe while they are working on networks that might not be well secured. This is especially the case if you know people are connecting via public networks at cafes, co-working spaces, and airports. Endpoint security Endpoints are the devices that connect to a network, such as laptops, smartphones, and tablets. They are also a common entry point for cyber-attacks. That's why it's important to invest in endpoint security, which includes solutions such as antivirus software, firewalls, and encryption. You can invest in endpoint security by purchasing it from a vendor or by implementing it yourself. There are also many free and open-source solutions available. Make sure you test any endpoint security solution before deploying it in your environment. Identity and access management Identity and access management (IAM) is a process for managing user identities and permissions. It can be used to control who has access to what data and resources, and how they can use them. IAM solutions often include features such as Single Sign-On (SSO), which allows users to access multiple applications with one set of credentials, and two-factor authentication (2FA), which adds an extra layer of security. IAM solutions can be deployed on-premises or in the cloud. They can also be integrated with other security solutions, such as firewalls and intrusion detection systems. Intrusion detection and prevention Intrusion detection and prevention systems (IDPS) are designed to detect and prevent cyber-attacks. They work by monitoring network traffic for suspicious activity and blocking or flagging it as needed. IDPS solutions can be deployed on-premises or in the cloud. There are many different types of IDPS solutions available, ranging from simple network-based solutions to more sophisticated host-based ones. Make sure you choose a solution that is right for your environment and needs. Security information and event management Security information and event management (SIEM) solutions are designed to collect and analyze data from a variety of security | Data Breach Spam Malware Vulnerability Patching | ||
|
2022-10-27 00:16:33 | (Déjà vu) ASEC Weekly Malware Statistics (October 17th, 2022 – October 23rd, 2022) (lien direct) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 17th, 2022 (Monday) to October 23rd (Sunday). For the main category, info-stealer ranked top with 52.7%, followed by downloader with 37.0%, backdoor with 8.8%, ransomware with 1.0%, and banking malware with 0.5%. Top 1 – Agent Tesla AgentTesla is an infostealer that ranked first place with 23.4%. It is an info-stealer that leaks... | Ransomware Malware | ||
|
2022-10-27 00:05:57 | Qakbot Malware Being Distributed in Korea (lien direct) | The ASEC analysis team has identified the Qakbot malware that was introduced in the past is being distributed to Korean users. The overall operation process, including the fact that it uses ISO files, is similar to the previous version, but a process to bypass behavior detection was added. The email distributed to Korean users is as shown below. It has hijacked a normal existing email and replied to it with a malicious file in the attachment, and this distribution process... | Malware | ||
|
2022-10-26 23:52:48 | FormBook Malware Being Distributed as .NET (lien direct) | The FormBook malware that was recently detected by a V3 software had been downloaded to the system and executed while the user was using a web browser. FormBook is an info-stealer that aims to steal the user’s web browser login information, keyboard input, clipboard, and screenshots. It targets random individuals, and is usually distributed through spam mails or uploaded to infiltrated websites. FormBook operates by injecting into a running process memory, and the targets of injection are explorer.exe and arbitrary... | Spam Malware | ||
|
2022-10-26 23:06:26 | Feds accuse Ukrainian of renting out PC-raiding Raccoon malware to fiends (lien direct) | Separately, charges slapped on alleged operator of dark market, The Real Deal Mark Sokolovsky, 26, a Ukrainian national, is being held in the Netherlands while he awaits extradition to America on cybercrime charges, the US Justice Department said on Tuesday.… | Malware | ||
 |
2022-10-26 22:30:00 | Point-of-sale malware used to steal 167,000 credit cards (lien direct) | >Categories: NewsTags: POS Tags: malware Tags: credit card Tags: credit identity theft Tags: C2 Tags: MajikPOS Tags: Treasure Hunter Researchers have discovered the theft of 167,000 sets of credit card detials by MajikPOS and Treasure Hunter POS malware (Read more...) | Malware | ★★ | |
|
2022-10-26 21:39:00 | U.S. Charges Ukrainian Hacker Over Role in Raccoon Stealer Malware Service (lien direct) | A 26-year-old Ukrainian national has been charged in the U.S. for his alleged role in the Raccoon Stealer malware-as-a-service (MaaS) operation. Mark Sokolovsky, who was arrested by Dutch law enforcement after leaving Ukraine on March 4, 2022, in what's said to be a Porsche Cayenne, is currently being held in the Netherlands and awaits extradition to the U.S. "Individuals who deployed Raccoon | Malware | ||
|
2022-10-26 21:20:00 | Kimsuky Hackers Spotted Using 3 New Android Malware to Target South Koreans (lien direct) | The North Korean espionage-focused actor known as Kimsuky has been observed using three different Android malware strains to target users located in its southern counterpart. That's according to findings from South Korean cybersecurity company S2W, which named the malware families FastFire, FastViewer, and FastSpy. "The FastFire malware is disguised as a Google security plugin, and the | Malware | ||
 |
2022-10-26 18:38:03 | Feds say Ukrainian man running malware service amassed 50M unique credentials (lien direct) | Wondering if your data got swept up by Raccoon? Here's how to find out. | Malware | ||
|
2022-10-26 14:00:00 | Malformed signature trick can bypass Mark of the Web (lien direct) | >Categories: NewsTags: MOTW Tags: mark of the web Tags: signature Tags: malformed Tags: malware Tags: ransomware Tags: bypass Tags: SmartScreen We take a look at reports that malware authors are using what appears to be a years-old bug to bypass Mark of the Web alerts. (Read more...) | Malware | ||
 |
2022-10-25 21:05:19 | US Charges Ukrainian \'Raccoon Infostealer\' With Cybercrimes (lien direct) | A Ukrainian man has been charged with computer fraud for allegedly infecting millions of computers with malware in a cybercrime operation known as "Raccoon Infostealer," the US Justice Department said Tuesday. | Malware | ||
|
2022-10-25 17:03:00 | Cybercriminals Used Two PoS Malware to Steal Details of Over 167,000 Credit Cards (lien direct) | Two point-of-sale (PoS) malware variants have been put to use by a threat actor to steal information related to more than 167,000 credit cards from payment terminals. According to Singapore-headquartered cybersecurity company Group-IB, the stolen data dumps could net the operators as much as $3.34 million by selling them on underground forums. While a significant proportion of attacks aimed at | Malware Threat | ||
 |
2022-10-25 16:53:00 | Anomali Cyber Watch: Daixin Team Ransoms Healthcare Sector, Earth Berberoka Breaches Casinos for Data, Windows Affected by Bring-Your-Own-Vulnerable-Driver Attacks, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, DDoS, Infostealers, Iran, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Alert (AA22-294A) #StopRansomware: Daixin Team
(published: October 21, 2022)
Daixin Team is a double-extortion ransomware group that has been targeting US businesses, predominantly in the healthcare sector. Since June 2022, Daixin Team has been encrypting electronic health record services, diagnostics services, imaging services, and intranet services. The group has exfiltrated personal identifiable information and patient health information. Typical intrusion starts with initial access through virtual private network (VPN) servers gained by exploitation or valid credentials derived from prior phishing. They use SSH and RDP for lateral movement and target VMware ESXi systems with ransomware based on leaked Babuk Locker source code.
Analyst Comment: Network defenders should keep organization’s VPN servers up-to-date on security updates. Enable multifactor authentication (MFA) on your VPN server and other critical accounts (administrative, backup-related, and webmail). Restrict the use of RDP, SSH, Telnet, virtual desktop and similar services in your environment.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Remote Service Session Hijacking - T1563 | [MITRE ATT&CK] Use Alternate Authentication Material - T1550 | [MITRE ATT&CK] Exfiltration Over Web Service - T1567 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: actor:Daixin Team, malware-type:Ransomware, PHI, SSH, RDP, Rclone, Ngrok, target-sector:Health Care NAICS 62, ESXi, VMware, Windows
Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool
(published: October 21, 2022)
Symantec detected a new custom data exfiltration tool used in a number of BlackByte ransomware attacks. This infostealer, dubbed Exbyte, performs anti-sandbox checks and proceeds to exfiltrate selected file types to a hardcoded Mega account. BlackByte ransomware-as-a-service operations were first uncovered in February 2022. The group’s recent attacks start with exploiting public-facing vulnerabilities of ProxyShell and ProxyLogon families. BlackByte removes Kernel Notify Routines to bypass Endpoint Detection and Response (EDR) products. The group uses AdFind, AnyDesk, Exbyte, NetScan, and PowerView tools and deploys BlackByte 2.0 ransomware payload.
Analyst Comment: It is crucial that your company ensures that servers are |
Ransomware Malware Tool Vulnerability Threat Medical | APT 38 | |
|
2022-10-25 15:02:37 | Ukrainian charged for operating Raccoon Stealer malware service (lien direct) | 26-year-old Ukrainian national Mark Sokolovsky has been charged for his involvement in the Raccoon Stealer malware-as-a-service (MaaS) cybercrime operation. [...] | Malware | ||
|
2022-10-25 15:00:00 | POS Malware Used to Steal Details of Over 167,000 Credit Cards (lien direct) | The operators could make over $3m if they decide to sell the card dumps on underground forums | Malware | ||
|
2022-10-25 14:59:22 | Two PoS Malware used to steal data from more than 167,000 credit cards (lien direct) | >Researchers reported that threat actors used 2 PoS malware variants to steal information about more than 167,000 credit cards. Cybersecurity firm Group-IB discovered two PoS malware to steal data associated with more than 167,000 credit cards from point-of-sale payment terminals. On April 19, 2022, Group-IB researchers identified the C2 server of the POS malware called MajikPOS. […] | Malware Threat | ||
 |
2022-10-25 14:12:28 | (Déjà vu) Thousands Of Fake PoC Exploits In GitHub Repositories Deliver Malware – Expert Comments (lien direct) | A technical paper from the researchers at Leiden Institute of Advanced Computer Science details how researchers discovered thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware. In an inspection of 47,313 downloaded and checked repositories, fully 10.3% (4893), were found to “have symptoms of malicious intent.” This number […] | Malware | ||
|
2022-10-25 13:40:13 | Payment Card Attack Could Be Worth $3.3M (lien direct) | It has been reported that a PoS payment card attack involving a pair of malware variants was used to steal more than 167,000 payment records from 212 infected devices mostly in the U.S. Full story: Researchers uncover more than 167,000 stolen credit card numbers, primarily from the U.S. – CyberScoop | Malware | ||
|
2022-10-25 13:28:52 | Typosquat Campaign Mimics 27 Brands To Push Windows, Android Malware (lien direct) | It has been reported that the Typosquat campaign mimics 27 brands to push Windows, Android malware. Full story: Typosquat campaign mimics 27 brands to push Windows, Android malware (bleepingcomputer.com) | Malware | ||
 |
2022-10-25 13:27:54 | Massive Typosquatting Racket Pushes Malware at Windows, Android Users (lien direct) | Pas de details / No more details | Malware | ||
|
2022-10-25 01:04:42 | Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed (lien direct) | On October 17th, 2022, the Korean Internet & Security Agency (KISA) published a security notice titled “Advising Caution on Cyber Attacks Exploiting the Kakao Service Malfunction Issue’, and according to the notice, malware disguised as a KakaoTalk installation file (KakaoTalkUpdate.zip etc.) is being distributed via email. The ASEC analysis team was able to secure a file that seems to be of the type while monitoring relevant samples. This malware has the same filename and icon as the actual messenger program,... | Malware | ||
|
2022-10-25 00:52:47 | (Déjà vu) ASEC Weekly Malware Statistics (October 10th, 2022 – October 16th, 2022) (lien direct) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 10th, 2022 (Monday) to October 16th, 2022 (Sunday). For the main category, downloader ranked top with 44.4%, followed by info-stealer with 41.7%, backdoor with 12.5%, ransomware with 0.9%, and CoinMiner with 0.5%. Top1. SmokeLoader Smokeloader is infostealer / downloader malware that is distributed via exploit kits. This week, it ranked first place... | Ransomware Malware | ||
|
2022-10-24 22:11:11 | Payment terminal malware steals $3.3m worth of credit card numbers – so far (lien direct) | With shops leaving VNC and RDP open, quelle surprise Cybercriminals have used two strains of point-of-sale (POS) malware to steal the details of more than 167,000 credit cards from payment terminals. If sold on underground forums, the haul could net the thieves upwards of $3.3 million.… | Malware | ||
|
2022-10-24 16:00:00 | Multiple RCE Vulnerabilities Discovered in Veeam Backup & Replication App (lien direct) | The Veeamp malware was used by the Monti and Yanluowang ransomware groups in these attacks | Ransomware Malware | ★★ | |
 |
2022-10-24 14:45:43 | Android-Clicker Malware Garners Reaches 20 Million Downloads (lien direct) | Earlier today, a so-called “clicker” malware designed to facilitate ad fraud has been found on 16 mobile apps in the Google Play store, according to McAfee. Once notified by the security vendor, Google has removed the offending apps, which are estimated to have garnered as many as 20 million downloads. Having been detected as Android/Clicker, […] | Malware | ||
|
2022-10-24 11:55:00 | SideWinder APT Using New WarHawk Backdoor to Target Entities in Pakistan (lien direct) | SideWinder, a prolific nation-state actor mainly known for targeting Pakistan military entities, compromised the official website of the National Electric Power Regulatory Authority (NEPRA) to deliver a tailored malware called WarHawk. "The newly discovered WarHawk backdoor contains various malicious modules that deliver Cobalt Strike, incorporating new TTPs such as KernelCallBackTable injection | Malware | APT-C-17 | |
 |
2022-10-24 11:00:00 | Researchers uncover more than 167,000 stolen credit card numbers, primarily from the U.S. (lien direct) | >Using two malware variants, unknown operators managed to compile stolen card data potentially worth more than $3 million, researchers said. | Malware | ★★ | |
|
2022-10-24 09:30:00 | Clicker Malware Garners Estimated 20 Million Downloads (lien direct) | Google forced to remove over a dozen malicious apps | Malware | ||
 |
2022-10-24 07:12:13 | C2 Communications Through outlook.com, (Mon, Oct 24th) (lien direct) | Most malware implements communication with their C2 server over HTTP(S). Why? Just because it works! But they are multiple ways to implement C2 communications: DNS, P2P, Layer 7 (Twitter), ... Another one that has become less popular with time is SMTP (email communications). I spotted a malicious Python script that exchanges information with its C2 server through emails. | Malware | ||
|
2022-10-23 11:15:19 | Thousands of GitHub repositories deliver fake PoC exploits with malware (lien direct) | Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware. [...] | Malware | ||
|
2022-10-23 10:17:34 | Typosquat campaign mimics 27 brands to push Windows, Android malware (lien direct) | A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware. [...] | Malware | ||
 |
2022-10-21 22:31:58 | VMware bug with 9.8 severity rating exploited to install witch\'s brew of malware (lien direct) | If you haven't patched CVE-2022-22954 yet, now would be an excellent time to do so. | Malware | ||
|
2022-10-21 22:17:00 | Emotet Botnet Distributing Self-Unlocking Password-Protected RAR Files to Drop Malware (lien direct) | The notorious Emotet botnet has been linked to a new wave of malspam campaigns that take advantage of password-protected archive files to drop CoinMiner and Quasar RAT on compromised systems. In an attack chain detected by Trustwave SpiderLabs researchers, an invoice-themed ZIP file lure was found to contain a nested self-extracting (SFX) archive, the first archive acting as a conduit to launch | Malware | ||
 |
2022-10-21 13:15:23 | APT‑C‑50 updates FurBall Android malware – Week in security with Tony Anscombe (lien direct) | ESET Research spots a new version of Android malware known as FurBall that APT-C-50 is using in its wider Domestic Kitten campaign | Malware | ||
|
2022-10-21 11:00:36 | OldGremlin Ransomware Fierce Comeback Against Russian Targets (lien direct) | Earlier today. a ransomware group which unusually targets Russian organizations has upped its efforts this year, demanding larger ransoms from its victims and developing new malware for Linux, according to Group-IB. Yesterday, the security vendor released what it claimed was the first comprehensive report on the group known as “OldGremlin,” which was first spotted in 2020. […] | Ransomware Malware | ||
|
2022-10-21 10:28:32 | CISA Tells Organizations to Patch Linux Kernel Vulnerability Exploited by Malware (lien direct) | The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a Linux kernel flaw to its Known Exploited Vulnerabilities Catalog and instructed federal agencies to address it within three weeks. | Malware Vulnerability |
To see everything:
Our RSS (filtrered)
