What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
bleepingcomputer.webp 2023-03-17 11:36:19 RAT developer arrested for infecting 10,000 PCs with malware (lien direct) Ukraine's cyberpolice has arrested the developer of a remote access trojan (RAT) malware that infected over 10,000 computers while posing as game applications. [...] Malware Legislation ★★★
Blog.webp 2023-03-17 01:38:00 ShellBot Malware Being Distributed to Linux SSH Servers (lien direct) AhnLab Security Emergency response Center (ASEC) has recently discovered the ShellBot malware being installed on poorly managed Linux SSH servers. ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server. ShellBot is an old malware that has been in steady use and is still being used today to launch attacks against Linux systems. 1. Attack Campaigns Against Linux SSH Servers Unlike desktop, which is the main... Malware ★★
News.webp 2023-03-17 01:00:06 Here's how Chinese cyber spies exploited a critical Fortinet bug (lien direct) Looks to be the same baddies attacking VMware hypervisors last year Suspected Chinese spies have exploited a critical Fortinet bug, and used custom networking malware to steal credentials and maintain network access, according to Mandiant security researchers.… Malware ★★
Blog.webp 2023-03-17 00:00:00 Malware Distributed Disguised as a Password File (lien direct) AhnLab Security Emergency response Center (ASEC) discovered a malware strain disguised as a password file and being distributed alongside a normal file within a compressed file last month. It is difficult for users to notice that this file is malicious because this type of malware is distributed together with a normal file. The recently discovered malware was in CHM and LNK file formats. In the case of the CHM file, it shares the same type as the malware covered in... Malware ★★
TEAM_CYMRU_Blog.webp 2023-03-16 21:19:07 MoqHao Part 3: Recent Global Targeting Trends (lien direct) Introduction This blog post is part of an ongoing series of analysis on MoqHao (also referred to as Wroba and XLoader), a malware family... Malware ★★★
The_Hackers_News.webp 2023-03-16 21:00:00 Chinese and Russian Hackers Using SILKLOADER Malware to Evade Detection (lien direct) Threat activity clusters affiliated with the Chinese and Russian cybercriminal ecosystems have been observed using a new piece of malware that's designed to load Cobalt Strike onto infected machines. Dubbed SILKLOADER by Finnish cybersecurity company WithSecure, the malware leverages DLL side-loading techniques to deliver commercial adversary simulation software. The development comes as Malware Threat ★★
RecordedFuture.webp 2023-03-16 20:56:00 Kaspersky releases decryptor for ransomware based on Conti source code (lien direct) Cybersecurity firm Kaspersky on Thursday released a decryptor that could help victims who had their data locked down by a version of the Conti ransomware. Kaspersky said the tool can be used on a malware strain that infected dozens of “companies and state institutions” throughout December 2022. Kaspersky did not name the strain, but experts Ransomware Malware Tool ★★
The_Hackers_News.webp 2023-03-16 19:09:00 Cryptojacking Group TeamTNT Suspected of Using Decoy Miner to Conceal Data Exfiltration (lien direct) The cryptojacking group known as TeamTNT is suspected to be behind a previously undiscovered strain of malware used to mine Monero cryptocurrency on compromised systems. That's according to Cado Security, which found the sample after Sysdig detailed a sophisticated attack known as SCARLETEEL aimed at containerized environments to ultimately steal proprietary data and software. Specifically, the Malware ★★
bleepingcomputer.webp 2023-03-16 15:36:49 FakeCalls Android malware returns with new ways to hide on phones (lien direct) Android malware 'FakeCalls' is circulating again in South Korea, imitating phone calls for over 20 financial organizations and attempting to fool targets into giving away their credit card details. [...] Malware ★★
bleepingcomputer.webp 2023-03-16 14:45:11 Adobe Acrobat Sign abused to push Redline info-stealing malware (lien direct) Cybercriminals are abusing Adobe Acrobat Sign, an online document signing service, to distribute info-stealing malware to unsuspecting users. [...] Malware ★★★
Fortinet.webp 2023-03-16 13:03:00 Microsoft OneNote File Being Leveraged by Phishing Campaigns to Spread Malware (lien direct) An in-depth analysis of a phishing campaign utilizing a Microsoft OneNote file. Learn about the contents of this malicious attack from how it executes, to evading detection, and fully controlling the victim's device. Malware ★★
01net.webp 2023-03-16 12:45:58 One of the Internet's biggest threats is back (lien direct) "One of the most prevalent threats currently." That is the phrase the cybersecurity branch of the United States Department of Homeland Security used in 2020 to designate the malware known as Emotet. After a long absence, it is unfortunately back. Malware General Information ★★
Mandiant.webp 2023-03-16 11:00:00 Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation (lien direct) Cyber espionage threat actors continue to target technologies that do not support endpoint detection and response (EDR) solutions such as firewalls, IoT devices, hypervisors and VPN technologies (e.g. Fortinet, SonicWall, Pulse Secure, and others). Mandiant has investigated dozens of intrusions at defense industrial base (DIB), government, technology, and telecommunications organizations over the years where suspected China-nexus groups have exploited zero-day vulnerabilities and deployed custom malware to steal user credentials and maintain long-term access to the victim environments. We Malware Vulnerability Threat Industrial ★★★
InfoSecurityMag.webp 2023-03-16 09:30:00 Chinese SilkLoader Malware Sold to Russian Cyber-Criminals (lien direct) Cobalt Strike beacon loader migrates across criminal ecosystems Malware ★★
bleepingcomputer.webp 2023-03-16 06:00:00 Winter Vivern APT hackers use fake antivirus scans to install malware (lien direct) An advanced hacking group named 'Winter Vivern' targets European government organizations and telecommunication service providers to conduct espionage. [...] Malware ★★
Checkpoint.webp 2023-03-16 00:49:59 Check Point Research conducts Initial Security Analysis of ChatGPT4, Highlighting Potential Scenarios For Accelerated Cybercrime (lien direct) >Highlights: Check Point Research (CPR) releases an initial analysis of ChatGPT4, surfacing five scenarios that can allow threat actors to streamline malicious efforts and preparations faster and with more precision. In some instances, even non-technical actors can create harmful tools. The five scenarios provided span impersonations of banks, reverse shells, C++ malware and more. Despite… Malware Threat ChatGPT ★★
Blog.webp 2023-03-15 23:55:25 ASEC Weekly Malware Statistics (March 6th, 2023 – March 12th, 2023) (lien direct) AhnLab Security response Center (ASEC) uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from March 6th, 2023 (Monday) to March 12th, 2023 (Sunday). For the main category, Infostealer ranked top with 52.6%, followed by backdoor with 27.6%, downloader with 15.7%, ransomware with 3.0%, CoinMiner with 0.7%, and banking malware with 0.4%. Top 1 – AgentTesla AgentTesla is an infostealer that ranked first place with 25.4%. It leaks... Ransomware Malware ★★
globalsecuritymag.webp 2023-03-15 17:45:33 Sophos Endpoint Security Advancements Improve Cyberthreat Defenses and Streamline Management (lien direct) Sophos Endpoint Security Advancements Improve Cyberthreat Defenses and Streamline Management Introduces Adaptive Active Adversary Protection, Linux Malware Protection Enhancements, Account Health Check Capabilities, Integrated ZTNA Agent, and More - Product Reviews Malware ★★
InfoSecurityMag.webp 2023-03-15 17:30:00 Tick APT Group Hacked East Asian DLP Software Firm (lien direct) The hacker breached the DLP company's internal update servers to deliver malware within its network Malware ★★
InfoSecurityMag.webp 2023-03-15 17:00:00 "FakeCalls" Android Malware Targets Financial Firms in South Korea (lien direct) CPR discovered 2500 samples of the malware, impersonating 20 financial institutions in the region Malware ★★
DarkReading.webp 2023-03-15 16:30:00 GoatRAT Android Banking Trojan Targets Mobile Automated Payment System (lien direct) The new malware was discovered targeting three banks in Brazil. Malware ★★★
The_Hackers_News.webp 2023-03-15 14:53:00 Tick APT Targeted High-Value Customers of East Asian Data-Loss Prevention Company (lien direct) A cyberespionage actor known as Tick has been attributed with high confidence to a compromise of an East Asian data-loss prevention (DLP) company that caters to government and military entities. "The attackers compromised the DLP company's internal update servers to deliver malware inside the software developer's network, and trojanized installers of legitimate tools used by the company, which Malware Threat ★★★
itsecurityguru.webp 2023-03-15 12:00:05 Fans of Last Of Us warned of rising phishing and malware scams (lien direct) Security experts are warning consumers of two new scams that are circulating in the wild which are taking advantage of the buzz and hype surrounding HBO’s new adaption of the popular video game franchise The Last Of US. Technology expert Prateek Jha from VPNOverview.com initiated the warning which has also been supported by Kaspersky. Kaspersky researchers […] Malware General Information ★★★
Checkpoint.webp 2023-03-15 11:00:34 Can your SASE solution block these top malware? (lien direct) >Malware is a go-to tactic and essential tool for attackers. According to Check Point Research’s 2023 Cyber Security Report, 32% of cyber attacks globally are based on multipurpose malware with email as the attack vector in 86% of those attacks. The most vicious malware are wipers, whose only purpose is to cause irreversible damage and… Malware Tool ★★
AlienVault.webp 2023-03-15 10:00:00 10 Ways B2B companies can improve mobile security (lien direct) The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.  Mobile security refers to the technologies and processes that are used to protect mobile devices from malicious attacks, data breaches, and other forms of cybercrime. It also includes measures taken to safeguard personal information stored on these devices, as well as protecting them from physical damage or theft. Mobile security is becoming increasingly important due to the rapid proliferation of smartphones and tablets being used for business purposes around the world. Businesses need to take steps to ensure their data remains secure when accessing company networks via mobile devices, including implementing a few key measures. Below are ten ways B2B companies can do better mobile security. 1. Use a secure email provider A secure domain email address is one of the most important ways to ensure that company emails and other sensitive data remain safe. Email providers such as Google, Microsoft, Zoho, and Postale offer secure domain email addresses which encrypt all emails sent and received in transit. This makes it more difficult for hackers to gain access to confidential information or launch attacks on vulnerable systems. Using a secure email provider is essential for any organization looking to maximize its data protection efforts. By taking advantage of these services, businesses can rest assured knowing their emails are secure and protected from malicious actors. 2. Implement strong authentication Strong authentication refers to the use of two or more forms of authentication to authenticate a user's identity. This could include using a one-time password for each login, biometric factors such as fingerprints, or utilizing an encrypted token. 
Strong authentication ensures that only authorized users can access company networks and confidential data. Having strong authentication measures in place is an essential step in protecting data, as it helps to prevent unauthorized access and keeps sensitive information secure. 3. Install mobile security software Mobile security software (also known as mobile device management or MDM) can help protect devices from malicious attacks. Mobile security software can be installed on all company-owned devices, providing a layer of protection by scanning for and blocking malicious applications. It can also offer additional layers of protection such as remote wiping capability, encryption, and the ability to remotely lock lost or stolen devices. 4. Enforce use policies By having clear use policies in place, businesses can ensure their employees understand the importance of mobile security and that they are adhering to the established rules. These policies should include restrictions on downloading or installing unapproved apps, accessing unknown or suspicious websites, or sharing confidential information with unauthorized personnel. Enforcing use policies is essential for keeping company networks and data secure. By ensuring that all employees abide by the same set of rules, businesses can greatly reduce their risk of a data breach or other malicious attack. 5. Utilize cloud storage Cloud storage provides an effective way to store business data securely off-site. Data stored in the cloud is encrypted and kept safe from physical damage or theft. It also eliminates the need for large servers and other physical infrastructure, reducing both costs and the potential risk of data breaches. Additionally, cloud storage allows employees to access their data from any device, anytime and anywhere Data Breach Malware Guideline Cloud ★★★
DataSecurityBreach.webp 2023-03-15 09:44:16 Worrying evolution of hacking tools (lien direct) In February 2022, information security experts detected the arrival of the Xenomorph banking trojan. Armed to spoof the applications of 56 banks through overlays, the malware spread rapidly thanks to droppers published on Google Play. Malware Threat ★★★
zataz.webp 2023-03-15 08:40:31 A new piece of malicious code for bank ATMs! (lien direct) The discovery of a new malware named FiXS undermines the security of bank automated teller machines. This malware has been targeting ATMs in Latin America, notably Mexican banks, since the beginning of February 2023.... Malware Threat ★★
The_State_of_Security.webp 2023-03-15 03:43:54 What are Rootkits? How to prevent them (lien direct) A Rootkit is a malicious program composed of malware that is created to provide prolonged root-level or privileged-level access to a computer. It remains hidden in the computer system while maintaining control of the system remotely. Rootkits have the ability to steal data, eavesdrop, change system configurations, create permanent backdoors, deactivate other security defensive programs, and conceal other types of malware. They spread through phishing emails, infected shared folders, executable documents, and pirated software or software on infected websites. Different types of Rootkits. 1... Malware General Information ★★
globalsecuritymag.webp 2023-03-14 18:17:20 New Android Vishing Malware Impersonates Leading Financial Institutions to Target Victims in South Korea (lien direct) New Android Vishing Malware Impersonates Leading Financial Institutions to Target Victims in South Korea - Malware Update / Malware Guideline ★★
Checkpoint.webp 2023-03-14 17:39:15 Beware of Fake Calls! It's not really your bank calling. Check Point Research draws attention to a new Android Malware (lien direct) >Highlights: CPR alerts on an Android Trojan named “FakeCalls”, a voice phishing malware. The malware can masquerade incoming calls as coming from known legitimate financial organizations, aiming to gain the victim's trust and extract personal and financial data. “FakeCalls” malware targets the South Korean market, faking calls from over 20 leading financial organizations. Background: When malware… Malware Guideline ★★★
Anomali.webp 2023-03-14 17:32:00 Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam (lien direct)   Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam, and More. The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, DLL side-loading, Iran, Linux, Malvertising, Mobile, Pakistan, Ransomware, and Windows. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Xenomorph V3: a New Variant with ATS Targeting More Than 400 Institutions (published: March 10, 2023) Newer versions of the Xenomorph Android banking trojan are able to target 400 applications: cryptocurrency wallets and mobile banking from around the World with the top targeted countries being Spain, Turkey, Poland, USA, and Australia (in that order). Since February 2022, several small, testing Xenomorph campaigns have been detected. Its current version Xenomorph v3 (Xenomorph.C) is available on the Malware-as-a-Service model. This trojan version was delivered using the Zombinder binding service to bind it to a legitimate currency converter. Xenomorph v3 automatically collects and exfiltrates credentials using the ATS (Automated Transfer Systems) framework. The command-and-control traffic is blended in by abusing Discord Content Delivery Network. Analyst Comment: Fraud chain automation makes Xenomorph v3 a dangerous malware that might significantly increase its prevalence on the threat landscape. 
Users should keep their mobile devices updated and avail of mobile antivirus and VPN protection services. Install only applications that you actually need, use the official store and check the app description and reviews. Organizations that publish applications for their customers are invited to use Anomali's Premium Digital Risk Protection service to discover rogue, malicious apps impersonating your brand that security teams typically do not search or monitor. MITRE ATT&CK: [MITRE ATT&CK] T1417.001 - Input Capture: Keylogging | [MITRE ATT&CK] T1417.002 - Input Capture: Gui Input Capture Tags: malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility services, Overlay attack, Discord CDN, Cryptocurrency wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android Cobalt Illusion Masquerades as Atlantic Council Employee (published: March 9, 2023) A new campaign by Iran-sponsored Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorous) was detected targeting Mahsa Amini protests and researchers who document the suppression of women and minority groups i Ransomware Malware Tool Vulnerability Threat Guideline Conference APT 35 ChatGPT ChatGPT APT 36 APT 42 ★★
The_Hackers_News.webp 2023-03-14 17:32:00 GoBruteforcer: New Golang-Based Malware Breaches Web Servers Via Brute-Force Attacks (lien direct) A new Golang-based malware dubbed GoBruteforcer has been found targeting web servers running phpMyAdmin, MySQL, FTP, and Postgres to corral the devices into a botnet. "GoBruteforcer chose a Classless Inter-Domain Routing (CIDR) block for scanning the network during the attack, and it targeted all IP addresses within that CIDR range," Palo Alto Networks Unit 42 researchers said. "The threat actor Malware Threat ★★★
DarkReading.webp 2023-03-14 15:54:30 Emotet, QSnatch Malware Dominate Malicious DNS Traffic (lien direct) An analysis of trillions of DNS requests shows a shocking amount of malicious traffic inside enterprise networks, with threats using DNS as a sort of malicious Autobahn. Malware ★★★★
Checkpoint.webp 2023-03-14 15:29:20 South Korean Android Banking Menace – FakeCalls (lien direct) >Research by: Bohdan Melnykov, Raman Ladutska When malware actors want to enter the business, they can choose markets where their profit is almost guaranteed to be worth the effort – according to past results. The malware does not need to be high profile, just careful selection of the audience and the right market can be […] Malware ★★
NetworkWorld.webp 2023-03-14 14:50:00 DNS data shows one in 10 organizations have malware traffic on their networks (lien direct) Akamai report highlights how widespread malware threats remain, noting the dangers of threats specific to DNS infrastructure. Malware ★★★
RecordedFuture.webp 2023-03-14 14:11:00 Hackers target South Asian government entities with KamiKakaBot malware (lien direct) Suspected government-backed hackers are attacking military and government organizations in South Asia with malware called KamiKakaBot that is designed to steal sensitive information. Researchers from Amsterdam-based cybersecurity firm EclecticIQ [attributed](https://blog.eclecticiq.com/dark-pink-apt-group-strikes-government-entities-in-south-asian-countries#A1) the attacks to the advanced persistent threat (APT) group Dark Pink. The group's previous victims include military, government, religious and non-profit organizations in Cambodia, Indonesia, Malware Threat ★★
knowbe4.webp 2023-03-14 13:00:00 CyberheistNews Vol 13 #11 [Heads Up] Employees Are Feeding Sensitive Biz Data to ChatGPT, Raising Security Fears (lien direct) CyberheistNews Vol 13 #11 CyberheistNews Vol 13 #11  |   March 14th, 2023 [Heads Up] Employees Are Feeding Sensitive Biz Data to ChatGPT, Raising Security Fears Robert Lemos at DARKReading just reported on a worrying trend. The title said it all, and the news is that more than 4% of employees have put sensitive corporate data into the large language model, raising concerns that its popularity may result in massive leaks of proprietary information. Yikes. I'm giving you a short extract of the story and the link to the whole article is below. "Employees are submitting sensitive business data and privacy-protected information to large language models (LLMs) such as ChatGPT, raising concerns that artificial intelligence (AI) services could be incorporating the data into their models, and that information could be retrieved at a later date if proper data security isn't in place for the service. "In a recent report, data security service Cyberhaven detected and blocked requests to input data into ChatGPT from 4.2% of the 1.6 million workers at its client companies because of the risk of leaking confidential info, client data, source code, or regulated information to the LLM. "In one case, an executive cut and pasted the firm's 2023 strategy document into ChatGPT and asked it to create a PowerPoint deck. In another case, a doctor input his patient's name and their medical condition and asked ChatGPT to craft a letter to the patient's insurance company. "And as more employees use ChatGPT and other AI-based services as productivity tools, the risk will grow, says Howard Ting, CEO of Cyberhaven. "'There was this big migration of data from on-prem to cloud, and the next big shift is going to be the migration of data into these generative apps," he says. 
"And how that plays out [remains to be seen] - I think, we're in pregame; we're not even in the first inning.'" Your employees need to be stepped through new-school security awareness training so that they understand the risks of doing things like this. Blog post with links:https://blog.knowbe4.com/employees-are-feeding-sensitive-biz-data-to-chatgpt-raising-security-fears [New PhishER Feature] Immediately Add User-Reported Email Threats to Your M365 Blockl Ransomware Data Breach Spam Malware Threat Guideline Medical ChatGPT ChatGPT ★★
DataSecurityBreach.webp 2023-03-14 11:49:15 NetWire developer arrested (lien direct) In Croatia, the developer of the NetWire RAT, Mario Žanko, has been arrested and the malware's infrastructure has been seized by the authorities. Mario Žanko, 40, is an IT specialist who has been wanted by the FBI for years. It must also be said that his unusual software made it possible to orchestrate tens of thousands of … Malware ★★★
Blog.webp 2023-03-13 23:31:00 Mallox Ransomware Being Distributed in Korea (lien direct) AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the Mallox ransomware during the team’s monitoring. As covered before, Mallox, which targets vulnerable MS-SQL servers, has historically been distributed at a consistently high rate based on AhnLab’s statistics. The malware disguised as a program related to DirectPlay is a file built in .NET which, as shown in Figure 3, connects to a certain address, downloads additional malware, and runs it in the memory. If this address cannot... Ransomware Malware ★★★
DarkReading.webp 2023-03-13 21:52:00 200-300% Increase in AI-Generated YouTube Videos to Spread Stealer Malware (lien direct) No more details Malware ★★★
TechRepublic.webp 2023-03-13 20:44:03 New Hiatus malware campaign targets routers (lien direct) >A new malware dubbed HiatusRAT infects routers to spy on its targets, mostly in Europe and in the U.S. Learn which router models are primarily targeted and how to protect from this security threat. Malware ★★
DarkReading.webp 2023-03-13 18:38:00 Hike in AI-Created YouTube Videos Loaded With Malware (lien direct) AI-generated videos pose as tutorials on how to get cracked versions of Photoshop, Premiere Pro, and more. Malware ★★
globalsecuritymag.webp 2023-03-13 17:46:14 Long-term persistence of Chinese malware on SonicWall devices, the importance of continuous monitoring (lien direct) Mandiant, in partnership with the SonicWall Product Security and Incident Response Team (PSIRT), has identified a suspected Chinese campaign that maintains a long-term presence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. - Malware Malware ★★
The_Hackers_News.webp 2023-03-13 17:17:00 Warning: AI-generated YouTube Video Tutorials Spreading Infostealer Malware (lien direct) Threat actors have been increasingly observed using AI-generated YouTube Videos to spread a variety of stealer malware such as Raccoon, RedLine, and Vidar. "The videos lure users by pretending to be tutorials on how to download cracked versions of software such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and other products that are licensed products available only to paid users," Malware Threat ★★
The_Hackers_News.webp 2023-03-13 11:45:00 KamiKakaBot Malware Used in Latest Dark Pink APT Attacks on Southeast Asian Targets (lien direct) The Dark Pink advanced persistent threat (APT) actor has been linked to a fresh set of attacks targeting government and military entities in Southeast Asian countries with a malware called KamiKakaBot. Dark Pink, also called Saaiwc, was first profiled by Group-IB earlier this year, describing its use of custom tools such as TelePowerBot and KamiKakaBot to run arbitrary commands and exfiltrate Malware Threat ★★★
AlienVault.webp 2023-03-13 10:00:00 Insights from an external incident response team: Strategies to reduce the impact of cybersecurity attacks (lien direct) The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.  "Why are you here if you cannot decrypt our data?" This is how people sometimes react to the arrival of the external incident response team. In this article, I will try to answer this question, but at the same time, I am going to describe the stages of incident response, list the main mistakes that play into the hands of hackers, and give basic advice on how to respond. Let's start by defining what a security incident is. Although the concept is straightforward, various companies may interpret it differently. For instance, some companies may consider incidents to include situations such as a power supply failure or a hard drive malfunction, while others may only classify malicious actions as incidents. In theory, an incident is a moment when some kind of undesirable event occurs. In practice, the definition of an "undesirable event" is determined by each company's own interpretation and perspective. For one organization, the discovery of a phishing email is what requires investigation. Other companies may not see the point in worrying about such incidents. For instance, they may not be concerned about a phishing email being opened on an employee device in a remote location not connected to the main infrastructure since it poses no immediate threat. There are also interesting cases here. For example, online traders consider a drop in the speed of interaction with the online exchange by 1% to be a serious incident. In many industries, proper incident response steps and cybersecurity in general, cannot be overestimated. 
But if we are talking about serious incidents, then most often, these are events related to the penetration of an attacker into the corporate network. This annoys the vast majority of business leaders. Incident response stages While the interpretation of certain events as security incidents may vary depending on various factors such as context and threat model, the response steps are often the same. These response steps are primarily based on the old SANS standard, which is widely used by many security professionals. SANS identifies six stages of incident response: Preparation Identification Containment Eradication Recovery Lessons learned It is important to note that the external response team is not immediately involved in this process. Preparation Preparation involves properly aligning organizational and technical processes. These are universal measures that should be implemented effectively across all areas: Inventory networks Build subnets correctly Use correct security controls and tools Hire the right people All this is not directly related to the external response team and, at the same time, affects its work significantly. The response is based on preparatory steps. For example, it relies heavily on the log retention policy. Each attack has its own dwell time - the time from an attacker entering the network until their activity is detected. If the attack has an extended dwell time (three-four months) and the logs are kept for seven days, it will be much more difficult for the investigation team to fin Spam Malware Vulnerability Threat Guideline ★★★
Blog.webp 2023-03-13 00:49:37 CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky) (lien direct) AhnLab Security Emergency response Center (ASEC) has recently discovered a CHM malware which is assumed to have been created by the Kimsuky group. This malware type is the same as the one covered in the following ASEC blog posts and the analysis report on the malware distributed by the Kimsuky group, its goal being the exfiltration of user information. Analysis Report on Malware Distributed by the Kimsuky Group – Oct 20, 2022 APT Attack Being Distributed as Windows Help File (*.chm) –... Malware ★★★
HexaCorn.webp 2023-03-12 00:03:36 List of clean mutexes and mutants (lien direct) A few years ago I released a list of ‘bad’ mutexes/mutants. That list was generated from my malware sandbox reports. I thought that it may be good to revisit the […] Malware ★★★★
The_Hackers_News.webp 2023-03-11 19:02:00 BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads (lien direct) The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. According to cybersecurity company eSentire, malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAPI's ChatGPT, Spotify, Tableau, and Zoom. BATLOADER, as the name suggests, is a loader that's responsible for Malware ChatGPT ★★
DarkReading.webp 2023-03-10 21:01:30 BlackLotus Secure Boot Bypass Malware Set to Ramp Up (lien direct) BlackLotus is the first in-the-wild malware to exploit a vulnerability in the Secure Boot process on Windows, and experts expect copycats and imminent increased activity. Malware Vulnerability ★★★
Last update at: 2024-07-02 18:07:36