What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-03-26 14:39:15 | Alerte de menace: les conséquences de la violation Anydesk Threat Alert: The Anydesk Breach Aftermath (lien direct) |
Cybearason Problèmes de menace Alertes pour informer les clients de l'émergence des menaces impactantes, y compris les vulnérabilités critiques.Les alertes de menaces de cyberéasie résument ces menaces et fournissent des recommandations pratiques pour se protéger contre elles.
Cybereason issues Threat Alerts to inform customers of emerging impacting threats, including critical vulnerabilities. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them. |
Vulnerability Threat | ★★★ | |
 |
2024-03-26 13:00:38 | La nouvelle vulnérabilité GoFetch dans les puces M d'Apple \\ permet une fuite de clés secrètes sur des ordinateurs compromis New GoFetch Vulnerability in Apple\\'s M Chips Allows Secret Keys Leak on Compromised Computers (lien direct) |
La vulnérabilité GoFetch, qui affecte la série de puces M d'Apple \\, permet à un attaquant de voler des clés secrètes du Mac dans certaines conditions.Lisez des conseils sur l'atténuation de la menace de sécurité de GoFetch.
The GoFetch vulnerability, which affects Apple\'s M series of chips, allows an attacker to steal secret keys from the Mac under certain conditions. Read tips on mitigating the GoFetch security threat. |
Vulnerability Threat | ★★ | |
 |
2024-03-26 11:08:16 | Sur les systèmes de vote sécurisés On Secure Voting Systems (lien direct) |
Andrew Appel Shepherd a Commentaire public & # 8212; Signé par vingt experts en cybersécurité électorale, y compris moi-même & # 8212; sur les meilleures pratiques pour les appareils de marquage des bulletins de vote et la tabulation de vote.Il a été écrit pour la législature de Pennsylvanie, mais il est de nature générale. .
du résumé de l'exécutif:
Nous pensons qu'aucun système n'est parfait, chacun ayant des compromis.Les bulletins de vote à la main et à la main enlèvent l'incertitude introduite par l'utilisation de machines électroniques et la capacité des mauvais acteurs à exploiter les vulnérabilités électroniques pour modifier à distance les résultats.Cependant, une partie des électeurs marquent à tort les bulletins de vote en papier d'une manière qui ne sera pas comptée dans la façon dont l'électeur voulait, ou qui annule même le bulletin de vote.Les comptages à main retardent la déclaration en temps opportun des résultats et introduisent la possibilité d'erreur humaine, de biais ou d'interprétation erronée ...
Andrew Appel shepherded a public comment—signed by twenty election cybersecurity experts, including myself—on best practices for ballot marking devices and vote tabulation. It was written for the Pennsylvania legislature, but it’s general in nature. From the executive summary: We believe that no system is perfect, with each having trade-offs. Hand-marked and hand-counted ballots remove the uncertainty introduced by use of electronic machinery and the ability of bad actors to exploit electronic vulnerabilities to remotely alter the results. However, some portion of voters mistakenly mark paper ballots in a manner that will not be counted in the way the voter intended, or which even voids the ballot. Hand-counts delay timely reporting of results, and introduce the possibility for human error, bias, or misinterpretation... |
Vulnerability Threat | ★★★ | |
 |
2024-03-26 10:00:00 | L'importance croissante du CAASM dans la stratégie de cybersécurité de l'entreprise The Growing Importance of CAASM in Company Cybersecurity Strategy (lien direct) |
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. The recent years\' events, including the proliferation of ransomware, the pandemic, and political tensions, have fast-tracked the development of both offensive and defensive tools in the cyber domain. Cybersecurity concepts that were nascent a few years ago are now being refined, demonstrating the practical benefits of modern digital risk management strategies. Gartner analysts have highlighted the expansion of the attack surface as a significant risk for corporate cyber environments in the upcoming years. The most vulnerable entities include IoT devices, cloud apps, open-source systems, and complex software supply chains. There is an increasing demand for concepts like Cyber Asset Attack Surface Management (CAASM), External Attack Surface Management (EASM), and Cloud Security Posture Management (CSPM) in corporate security frameworks. This trend is also documented in Gartner\'s "hype" chart. Let\'s discuss the concept of CAASM, which is centered on identifying and managing all digital assets within an organization, whether they are internal or external. This approach aims to provide a comprehensive view and control over the organization\'s cyber environment, enhancing security measures and management practices. What Is CAASM CAASM assists IT departments in achieving end-to-end visibility of a company\'s cyber assets. This strategy creates a fuller understanding of the actual state of the infrastructure, enabling the security team to respond promptly to existing threats and potential future ones. CAASM-based products and solutions integrate with a broad array of data sources and security tools. CAASM gathers and aggregates data and analyzes perimeter traffic, providing a continuous, multi-dimensional view of the entire attack surface. Having access to current asset data enables information security officers to visualize the infrastructure and address security gaps promptly. They can prioritize the protection of assets and develop a unified perspective on the organization\'s actual security posture. This sets the stage for proactive risk management strategies. Exploring CAASM\'s Core Functions The CAASM approach equips security professionals with a variety of tools necessary for effectively managing an organization\'s attack surface and addressing risks. Asset Discovery A lack of visibility into all of an organization\'s assets heightens the risk of cyberattacks. Cyber Asset Attack Surface Management products automatically detect and catalog every component of a company\'s digital infrastructure, encompassing local, cloud, and various remote systems, including shadow IT. A company employing CAASM gains a clear overview of all its deployed web applications, servers, network devices, and cloud services. CAASM facilitates a comprehensive inventory of the devices, applications, networks, and users constituting the company\'s attack surface. Vulnerability Detection It is important to understand the risks each asset poses, such as missing the latest security updates or opportunities to access sensitive data. CAASM systems integrate asset data, helping security teams identify misconfigurations, vulnerabilities, and oth | Ransomware Tool Vulnerability Threat Prediction Cloud | ★★★ | |
 |
2024-03-26 07:00:00 | L'Afrique aborde les campagnes de désinformation en ligne au cours de l'année électorale majeure Africa Tackles Online Disinformation Campaigns During Major Election Year (lien direct) |
Les campagnes de cyber-disinformation ciblant l'Afrique ont décollé en 2024, alors que 18 nations se préparent à organiser des élections, et les efforts de cybersécurité sont essentiels pour apprivoiser la menace.
Cyber-disinformation campaigns targeting Africa have taken off in 2024, as 18 nations prepare to hold elections, and cybersecurity efforts are key to taming the threat. |
Threat | ★★ | |
 |
2024-03-26 06:00:09 | Proofpoint Discloses Technique Pivot by Attacker Group TA577: Targeting Windows NTLM (lien direct) | Proofpoint was the first to uncover a concerning new development in the world of cyberthreats that involves a group known as TA577. These cybercriminals, which typically act as initial access brokers (IAB), have pivoted to attacking an old, but widely deployed Windows service to steal sensitive information. Specifically, they aim to steal at scale the hash of the NT LAN Manager (NTLM) authentication session details. Then it is expected that they either sell the data, or they exploit it for various downstream activities like stealing sensitive data and ransoming systems. The planned end result is the same, a significant business-impacting breach of the targeted organizations. How did the new attack happen? Proofpoint detected two distinct email-based campaigns that TA577 carried out on February 26 and 27, 2024. The campaigns targeted hundreds of businesses globally via tens of thousands of emails. The attackers cleverly disguised the emails as replies to previous emails. This is an effective social engineering tactic known as thread hijacking. The emails contained HTML attachments compressed into zip files. Each malicious attachment had its own unique identifier. And the HTML files contained within the attachment were customized for each recipient. Because all the hashes were unique, a simple signature-based detection system could not consistently detect and block these emails. When the email recipient opened the files, it triggered a connection to a Server Message Block (SMB) server that the threat actor controlled. No malware was directly delivered through these connections. However, the attackers\' objective was clear-to capture the details of the challenge/response transaction and the NTLM hashes of the user\'s Windows machine, which include the user\'s password authentication data. The attackers can use this data in the next stage of the attack either in hash form or by cracking the hash first to retrieve the password. Note: In this case, the use of multifactor authentication (MFA) would not stop the attack, as TA577 targeted previously authenticated users on active Windows machines. If targeted businesses used MFA, that authentication step would have already occurred; thus, it would not significantly hinder this attack. What was the attackers\' intent? As noted earlier, TA577 usually acts as an IAB. So, the group likely aimed to exploit the data that they collected by cracking password hashes or facilitating “pass-the-hash” attacks. They could sell access to other threat actors who seek to penetrate targeted companies\' networks more deeply. As part of our investigation, Proofpoint identified the use of a well-known toolkit, Impacket, on the SMB servers involved in the attack. This discovery further confirmed that the malicious intent behind TA577\'s activities is to go well beyond the initial account or system compromise. What is especially concerning about this attack approach is that any connection to the SMB servers would compromise sensitive information that includes: Usernames Passwords Session hashes Domain names Computer names More troubling is the fact that the attackers delivered the malicious HTML files within zip archives. That means they bypassed measures in Outlook mail clients last patched before July 2023. If your email security provider did not block the inbound email and a user engaged with the message, your last hope to avoid the compromise is the timeliness of your software patching program. The impacts on businesses This attack is based on an old protocol (NTLM) from the 1990s. But this new twist by TA577 is noteworthy because it represents a departure from the group\'s usual tactics of delivering malware and bots directly. It suggests that the group is adapting and evolving. They are seeking new ways to bypass security measures and monetize their campaigns. This cyberthreat poses a significant risk to businesses that run Microsoft Windows. Through the theft of NTLM authenti | Malware Threat Patching | ★★★ | |
|
2024-03-26 06:00:09 | ProofPoint révèle la technique PIVOT par un groupe d'attaquant TA577: Cibler Windows NTLM Proofpoint Discloses Technique Pivot by Attacker Group TA577: Targeting Windows NTLM (lien direct) |
Proofpoint was the first to uncover a concerning new development in the world of cyberthreats that involves a group known as TA577. These cybercriminals, which typically act as initial access brokers (IAB), have pivoted to attacking an old, but widely deployed Windows service to steal sensitive information. Specifically, they aim to steal at scale the hash of the NT LAN Manager (NTLM) authentication session details. Then it is expected that they either sell the data, or they exploit it for various downstream activities like stealing sensitive data and ransoming systems. The planned end result is the same, a significant business-impacting breach of the targeted organizations. How did the new attack happen? Proofpoint detected two distinct email-based campaigns that TA577 carried out on February 26 and 27, 2024. The campaigns targeted hundreds of businesses globally via tens of thousands of emails. The attackers cleverly disguised the emails as replies to previous emails. This is an effective social engineering tactic known as thread hijacking. The emails contained HTML attachments compressed into zip files. Each malicious attachment had its own unique identifier. And the HTML files contained within the attachment were customized for each recipient. Because all the hashes were unique, a simple signature-based detection system could not consistently detect and block these emails. When the email recipient opened the files, it triggered a connection to a Server Message Block (SMB) server that the threat actor controlled. No malware was directly delivered through these connections. However, the attackers\' objective was clear-to capture the details of the challenge/response transaction and the NTLM hashes of the user\'s Windows machine, which include the user\'s password authentication data. The attackers can use this data in the next stage of the attack either in hash form or by cracking the hash first to retrieve the password. Note: In this case, the use of multifactor authentication (MFA) would not stop the attack, as TA577 targeted previously authenticated users on active Windows machines. If targeted businesses used MFA, that authentication step would have already occurred; thus, it would not significantly hinder this attack. What was the attackers\' intent? As noted earlier, TA577 usually acts as an IAB. So, the group likely aimed to exploit the data that they collected by cracking password hashes or facilitating “pass-the-hash” attacks. They could sell access to other threat actors who seek to penetrate targeted companies\' networks more deeply. As part of our investigation, Proofpoint identified the use of a well-known toolkit, Impacket, on the SMB servers involved in the attack. This discovery further confirmed that the malicious intent behind TA577\'s activities is to go well beyond the initial account or system compromise. What is especially concerning about this attack approach is that any connection to the SMB servers would compromise sensitive information that includes: Usernames Passwords Session hashes Domain names Computer names More troubling is the fact that the attackers delivered the malicious HTML files within zip archives. That means they bypassed measures in Outlook mail clients last patched before July 2023. If your email security provider did not block the inbound email and a user engaged with the message, your last hope to avoid the compromise is the timeliness of your software patching program. The impacts on businesses This attack is based on an old protocol (NTLM) from the 1990s. But this new twist by TA577 is noteworthy because it represents a departure from the group\'s usual tactics of delivering malware and bots directly. It suggests that the group is adapting and evolving. They are seeking new ways to bypass security measures and monetize their campaigns. This cyberthreat poses a significant risk to businesses that run Microsoft Windows. Through the theft of NTLM authenti | Malware Threat Patching | ★★★ | |
 |
2024-03-25 23:00:00 | Éric Leblond, Stamus Networks : Le NDR est un outil incourtanble (lien direct) | Lors du Forum InCyber, Stamus Networks présentera Stamus Security Platform(SSP) une solution NDR qui utilise une inspection approfondie des paquets pour découvrir les menaces graves et les activités non autorisées qui se cachent dans les réseaux de nos entreprises clientes. Éric Leblond, Chief Technology Officer (CTO) de Stamus Networks estime que le NDR est un outil incourtanble. Global Security Mag : Quelle sera votre actualité lors du Forum InCyber 2024 ? Éric Leblond : Bien que (...) - Interviews / evenement_milieu, INCYBER 2024 | Threat | ★★ | |
|
2024-03-25 21:20:40 | Des pirates chinois parrainés par l'État chargés, des sanctions perçues par nous Chinese State-Sponsored Hackers Charged, Sanctions Levied by US (lien direct) |
Les États-Unis et le Royaume-Uni facturent à sept ressortissants chinois pour avoir fonctionné dans le cadre du groupe de menaces APT31.
The US and the UK charge seven Chinese nationals for operating as part of threat group APT31. |
Threat | APT 31 | ★★★ |
 |
2024-03-25 17:28:00 | Hackers Hijack Github Comptes dans l'attaque de la chaîne d'approvisionnement affectant Top -g et autres Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others (lien direct) |
Les adversaires non identifiés ont orchestré une campagne d'attaque sophistiquée qui a eu un impact sur plusieurs développeurs individuels ainsi que le compte de l'organisation GitHub associé à TOP.GG, un site de découverte de bot Discord.
"Les acteurs de la menace ont utilisé plusieurs TTPs dans cette attaque, y compris le rachat de compte via des cookies de navigateur volés, contribuant du code malveillant avec des commits vérifiés, en configurant une coutume
Unidentified adversaries orchestrated a sophisticated attack campaign that has impacted several individual developers as well as the GitHub organization account associated with Top.gg, a Discord bot discovery site. "The threat actors used multiple TTPs in this attack, including account takeover via stolen browser cookies, contributing malicious code with verified commits, setting up a custom |
Threat | ★★★ | |
|
2024-03-25 17:07:00 | Leçon clé du piratage de pulvérisation de mot de passe de Microsoft \\: sécuriser chaque compte Key Lesson from Microsoft\\'s Password Spray Hack: Secure Every Account (lien direct) |
En janvier 2024, Microsoft a découvert qu'ils étaient les & nbsp; victime d'un hack & nbsp; orchestré par des pirates de blizzard de Midnight à l'état russe (parfois connu sous le nom de Nobelium).Le détail préoccupant de cette affaire est la facilité avec laquelle il était facile de violer le géant du logiciel.Ce n'était pas un hack hautement technique qui a exploité une vulnérabilité zéro-jour & # 8211;Les pirates ont utilisé une simple attaque par pulvérisation de mot de passe pour prendre le contrôle de
In January 2024, Microsoft discovered they\'d been the victim of a hack orchestrated by Russian-state hackers Midnight Blizzard (sometimes known as Nobelium). The concerning detail about this case is how easy it was to breach the software giant. It wasn\'t a highly technical hack that exploited a zero-day vulnerability – the hackers used a simple password spray attack to take control of |
Hack Vulnerability Threat Technical | ★★ | |
 |
2024-03-25 17:00:00 | Statistiques de Netkope Threat Labs pour février 2024 Netskope Threat Labs Stats for February 2024 (lien direct) |
> Netskope Threat Labs publie un article de blog de résumé mensuel des principales menaces que nous suivons sur la plate-forme NetSkope.Cet article vise à fournir une intelligence stratégique et exploitable sur les menaces actives contre les utilisateurs d'entreprise du monde entier.Résumé OneDrive et Github étaient en haut de la liste des applications cloud top utilisées pour les téléchargements de logiciels malveillants, montrant un [& # 8230;]
>Netskope Threat Labs publishes a monthly summary blog post of the top threats we track on the Netskope platform. This post aims to provide strategic, actionable intelligence on active threats against enterprise users worldwide. Summary OneDrive and GitHub were on the top of the list of top cloud apps used for malware downloads, showing a […] |
Malware Threat Cloud | ★★ | |
 |
2024-03-25 15:49:15 | Venant dans une ville près de chez vous, il est rouge que Red Canary en direct! Coming to a city near you, it\\'s Red Canary Live! (lien direct) |
Rejoignez-nous en personne pour apprendre à comprendre, détecter et répondre aux menaces identifiées dans notre sixième rapport annuel de détection des menaces.
Join us in person to learn how to understand, detect, and respond to threats identified in our sixth annual Threat Detection Report. |
Threat | ★★ | |
 |
2024-03-25 14:56:27 | 25 mars & # 8211;Rapport de renseignement sur les menaces 25th March – Threat Intelligence Report (lien direct) |
> Pour les dernières découvertes de cyber-recherche pour la semaine du 25 mars, veuillez télécharger notre bulletin de menace_ingence.Les principales attaques et violations la société de technologie japonaise Fujitsu ont découvert des logiciels malveillants sur ses ordinateurs de travail, risquant l'exposition des données des clients.La société, une société informatique de premier plan, a détecté un accès non autorisé qui a potentiellement permis aux informations personnelles et clients d'être [& # 8230;]
>For the latest discoveries in cyber research for the week of 25th March, please download our Threat_Intelligence Bulletin. TOP ATTACKS AND BREACHES Japanese tech company Fujitsu discovered malware on its work computers, risking exposure of customer data. The company, a leading IT firm, detected unauthorized access that potentially allowed personal and customer information to be […] |
Malware Threat | ★★ | |
 |
2024-03-25 13:28:48 | Faits saillants hebdomadaires, 25 mars 2024 Weekly OSINT Highlights, 25 March 2024 (lien direct) |
La semaine dernière, les rapports OSINT de \\ présentent une gamme de cyber-menaces, des campagnes d'espionnage parrainées par l'État russe par Secret Blizzard à l'infosteller malware comme Formbook et le lecteur Adobe Infosaler, démontrant l'adaptabilité et la persistance entre les acteurs de la menace.Des tactiques trompeuses telles que la typosquat et la distribution de faux logiciels sont utilisées pour le camouflage des activités et ciblent des groupes d'utilisateurs spécifiques, comme on le voit dans le cas du ciblage chinois des moteurs de recherche.De plus, le malvertising basé sur la recherche, notamment avec le malware FakeBat, met en évidence l'abus de sites Web légitimes et de certificats numériques pour échapper aux mesures de sécurité.Dans l'ensemble, ces tendances soulignent la nécessité de mesures de cybersécurité robustes et de l'intelligence continue des menaces pour atténuer efficacement les menaces en évolution. 1. ** [Campagne d'espionnage de Turla] (https://security.microsoft.com/intel-explorer/articles/bf6723e9?): ** Le groupe d'espionnage russe Turla, également connu sous le nom de Blizzard secret par Microsoft, orchestraciblant une ONG européenne, employant des tactiques comme le vol d'information et l'infiltration du réseau.Les activités post-compromises de Turla \\ impliquent le déploiement d'implants comme Tinyturla-ng et la reconnaissance de la reconnaissance, la démonstration de persistance et de furtivité dans leurs opérations. 2. ** [Linux Server RCE Attack] (https://security.microsoft.com/intel-explorer/articles/9b8f807f?): ** Cybereason Security Services rapporte un incident impliquant un serveur Linux exploité via une exécution de code distante (RCE) Vulnérabilité dans Apache ActiveMQ, facilitant le déploiement de VADes charges utiles malveillantes comme Mirai Botnet, Hellokitty Ransomware et Coinminers.Attaquer les méthodologiesClude l'automatisation et les séances interactives via les coquilles inversées de Netcat, mettant en évidence le divers arsenal des acteurs de la menace et leurs tactiques adaptables. 3. ** [Formbook InfoSteller Malware] (https://security.microsoft.com/intel-explorer/articles/7b321c6c?): ** Formbook, un logiciel malveillant infoséaler, présente des capacités avancées comme le suivi de la touche et la capture de l'écran, pendant l'évasion de l'évasion, comme le suivi des touches de touche et la capture d'écran, pendant l'évadisation, toutDétection par des techniques d'obscurcissement et de chiffrement.Les cybercriminels distribuent Formbook par courrier électronique, avec des cas d'utilisation notés lors des conflits géopolitiques, soulignant sa flexibilité et sa menace persistante. 4. ** [Ciblage de moteurs de recherche chinois] (https://security.microsoft.com/intel-explorer/articles/5a806c77?): ** Kaspersky découvre une menace ciblant les utilisateurs chinois via des versions modifiées de rédacteurs de texte populaires distribués via le type typosquattinget d'autres techniques trompeuses, soulignant les acteurs de la menace \\ 'efforts pour imiter les ressources légitimes à des fins malveillantes. 5. ** [Phantomblu Malware Campaign] (https://security.microsoft.com/intel-explorer/articles/356f4d44?): ** Perception Point révèle la campagne Phantomblu ciblant les organisations américaines avec le rat Netsupport, l'utilisation de la campagne avancée AdvanceLes tactiques d'évasion comme la manipulation des modèles OLE et l'ingénierie sociale pour compromettre efficacement les systèmes, présentant une évolution des stratégies de livraison de logiciels malveillants mélangeant l'évasion et l'ingénierie sociale. 6. ** [Surge malvertising basé sur la recherche] (https://security.microsoft.com/intel-explorer/articles/7cc81ecb?): ** MalwareBytes rapporte une augmentation des incidents malvertisons basés sur la recherche, impliquant notamment le malware FakeBat malveillant FakeBat.Distribué par le biais des installateurs de MSIX avec le code PowerShell obsc | Ransomware Spam Malware Tool Vulnerability Threat | ★★★ | |
|
2024-03-25 13:07:00 | Muddywater lié à l'Iran déploie Atera pour la surveillance dans les attaques de phishing Iran-Linked MuddyWater Deploys Atera for Surveillance in Phishing Attacks (lien direct) |
L'acteur de menace affilié à l'Iran a suivi comme & nbsp; muddywater & nbsp; (aka mango sandstorm ou TA450) a été lié à une nouvelle campagne de phishing en mars 2024 qui vise à fournir une solution de surveillance et de gestion à distance légitime (RMM) appelée Atera.
L'activité, qui a eu lieu du 7 mars à la semaine du 11 mars, a ciblé des entités israéliennes couvrant la fabrication mondiale, la technologie et
The Iran-affiliated threat actor tracked as MuddyWater (aka Mango Sandstorm or TA450) has been linked to a new phishing campaign in March 2024 that aims to deliver a legitimate Remote Monitoring and Management (RMM) solution called Atera. The activity, which took place from March 7 through the week of March 11, targeted Israeli entities spanning global manufacturing, technology, and |
Threat | ★★ | |
 |
2024-03-25 12:00:00 | Les cyberattaques conscientes du nuage augmentent 110% alors que les groupes de menaces aiguisent leurs compétences d'attaque Cloud-Conscious Cyber Attacks Spike 110% as Threat Groups Sharpen their Attack Skills (lien direct) |
Les nouvelles données montrent une expertise accrue dans la mise en œuvre et l'exploitation des environnements cloud.
New data shows increased expertise in leveraging and exploiting cloud environments. |
Threat Cloud | ★★★ | |
|
2024-03-25 10:00:00 | Décodage des implications de cybersécurité de l'avancement rapide de l'AI \\ Decoding the Cybersecurity Implications of AI\\'s Rapid Advancement (lien direct) |
The genius at the heart of AI—its ability to sift through mountains of data, actually spot a needle in a haystack, and act on threats before they blossom into full-scale emergencies—it’s undeniable. However, here’s the rub—every part of that impressive arsenal? It’s also up for grabs by the other side, and can (and will) arm them to launch attacks of unprecedented sophistication and elusiveness, the likes of which we’ve thankfully never seen up to now. How do we wield this impressive technology to fortify our defenses, while preventing it from falling into the wrong hands? Can such a thing even be accomplished? Join me below as we take a closer look at how AI’s rapid rise is changing the landscape of cybersecurity. AI as a Defense Tool AI is a reliable navigator for charting the digital deluge—it has the ability to handle vast quantities of information rapidly on a level that no human could ever hope to match. It doesn’t take a huge leap to come to the conclusion that those capabilities can very easily be leveraged for defense. Automated Threat Detection Think of AI as the ever-watchful eye, tirelessly scanning the horizon for signs of trouble in the vast sea of data. Its capability to detect threats with speed and precision beyond human ken is our first line of defense against the shadows that lurk in the network traffic, camouflaged in ordinary user behavior, or embedded within the seemingly benign activities of countless applications. AI isn’t just about spotting trouble; it’s about understanding it. Through machine learning, it constructs models that learn from the DNA of malware, enabling it to recognize new variants that bear the hallmarks of known threats. This is akin to recognizing an enemy’s tactics, even if their strategy evolves. All of what I’ve said also here applies to incident response—with AI’s ability to automatically meet threats head-on making a holistic cybersecurity posture both easier to achieve and less resource-intensive for organizations of all sizes. Predictive Analytics By understanding the patterns and techniques used in previous breaches, AI models can predict where and how cybercriminals might strike next. This foresight enables organizations to reinforce their defenses before an attack occurs, transforming cybersecurity from a reactive discipline into a proactive strategy that helps prevent breaches rather than merely responding to them. The sophistication of predictive analytics lies in its use of diverse data sources, including threat intelligence feeds, anomaly detection reports, and global cybersecurity trends. This comprehensive view allows AI systems to identify correlations and causations that might elude human analysts. Phishing Detection and Email Filtering AI has stepped up as a pivotal ally in the ongoing skirmish against phishing and other forms of social engineering attacks, which too often lay the groundwork for more invasive security breaches. Through meticulous analysis of email content, context, and even the | Spam Tool Vulnerability Threat Prediction Technical | Deloitte | ★★ |
 |
2024-03-25 06:58:00 | La démocratie de la Grande-Bretagne sous la menace des cyberattaquants chinois, avertit le gouvernement Britain\\'s democracy under threat from Chinese cyber attackers, government warns (lien direct) |
Pas de details / No more details | Threat | ★★★ | |
|
2024-03-25 06:00:56 | DNS pendante: nettoyage de printemps pour protéger contre le risque d'identification Dangling DNS: Spring Cleaning to Protect Against Impersonation Risk (lien direct) |
It is well-established that email is the number one threat vector for cyberattacks. It\'s a go-to for many bad actors because they don\'t need to be highly skilled to initiate an email-based attack. Nor do they need to do elaborate work upfront. Their success hinges on their ability to be convincing. Targets must believe that they are interacting with a trusted source if they\'re going to voluntarily hand over sensitive data, provide their authentication credentials, make a wire transfer or install malware. That\'s why a critical part of any company\'s security posture is using protocols and policies that reduce impersonation risk. And a major step in this direction is to enable and enforce email authentication methods across all your domains. These include: Sender Policy Framework (SPF). This is a published authoritative list of approved sending IP addresses. It can help recipient email systems confirm that an email is coming from a legitimate source and is not impersonating a person or entity through spoofing. DomainKeys Identified Mail (DKIM). This email authentication method stamps a digital signature to outgoing emails. It helps recipient email systems verify, with proper alignment, that the email was sent by the domain it claims to be from and that it hasn\'t been altered in transit. Domain-based Message Authentication, Reporting, and Conformance (DMARC). This email authentication protocol builds on SPF and DKIM by allowing senders to set policies for handling emails that fail these authentication checks. If you don\'t maintain your systems, bad actors can exploit out-of-date information and nullify your email authentication efforts. In this blog, we will highlight a key bad actor impersonation tactic to inspire you to regularly spring clean your records moving forward. The tactic in focus: “dangling DNS” Dangling DNS refers to a misconfiguration in your email-related domain name system (DNS) records. A reference domain or subdomain is left pointing to a domain that no longer exists or is not under the control of the original domain owner. The term “dangling" implies that the DNS entry is pointing to something that is hanging without proper support. In this case, it is a domain that has expired. Bad actors have gotten wise to the fact that these expired domains create a crack in your defense that they can exploit. The risk of subdomain takeover If a subdomain is left pointing to an external service that the domain owner no longer controls, an attacker can register that domain to gain control of any DNS records that are pointed toward it. So, when they initiate their impersonation-based attack, they have the added benefit of passing email authentication! Using SPF records with all your sending infrastructure listed, rather than hidden behind an SPF macro, also discloses sensitive data about your company\'s infrastructure. Attackers can use this data to plan and execute targeted attacks. Actions you can take to reduce risk To mitigate the risks associated with dangling DNS records, domain owners must review their email-related DNS configurations regularly. It is especially important when you decommission or change services. Here are some actions that can help you to reduce your risk exposure. Regularly review and remove unused DNS records You should promptly remove DNS records that point to deprecated or unused services: SPF records. Review and minimize the entries that are posted within your SPF record. Review every “Include” and “Reference”, especially for third parties and expired domains, or if domains change owners. Access to SPF telemetry data can help simplify your investigations. DKIM selector records. Review CNAMEd DKIM selector records that point to third parties for expired domains, or if domains change owners. DMARC policy records. Review CNAMEd DMARC records that point to third parties for expired domains, or if domains change owners. MX records. Review MX records for your domains to see if any old entries are still inc | Malware Threat Cloud | ★★★ | |
 |
2024-03-25 03:55:55 | Les services de cybersécurité gérés sécurissent des environnements modernes Managed Cybersecurity Services Secure Modern Environments (lien direct) |
À une époque caractérisée par une transformation et une interconnexion numériques implacables, la cybersécurité est devenue un champ de bataille complexe et dynamique.Les entreprises, les gouvernements et les individus se retrouvent enfermés dans une lutte perpétuelle contre un flot incessant de menaces en évolution.Des syndicats de cybercrimins sophistiqués aux pirates parrainés par l'État et aux acteurs de menaces opportunistes, nos adversaires sont aussi divers qu'ils sont déterminés.Alors que la technologie progresse et que la société repose de plus en plus sur les infrastructures numériques, la surface d'attaque se développe, offrant aux mauvais acteurs de nombreux points d'entrée ...
In an era characterized by relentless digital transformation and interconnectedness, cybersecurity has evolved into a complex and dynamic battleground. Businesses, governments, and individuals find themselves locked in a perpetual struggle against a relentless flood of evolving threats. From sophisticated cybercriminal syndicates to state-sponsored hackers and opportunistic threat actors, our adversaries are as diverse as they are determined. As technology advances and society increasingly relies on digital infrastructure, the attack surface expands, providing bad actors with many entry points... |
Threat | ★★ | |
|
2024-03-25 03:28:07 | L'évolution de la cyberisoire pour perturber au-delà du marché Siem et XDR Cybereason\\'s evolution to disrupt beyond SIEM and XDR market (lien direct) |
Aujourd'hui, les entreprises accélèrent pour investir dans la numérisation pour rester en avance sur la concurrence.Ils rencontrent de plus en plus un paysage en évolution des menaces et des défis de sécurité complexes - avec plus de charges de travail dans des nuages multiples, plus de main-d'œuvre dans des environnements hybrides et des appareils plus intelligents liés dans les opérations critiques de la mission.Ce parcours de transformation est exacerbé par une augmentation exponentielle des ressources de calcul, des volumes de données et des outils de sécurité, ce qui fait augmenter le coût du stockage, de la gestion et de l'analyse des données à des fins de sécurité.
Today enterprises are accelerating to invest into digitalization to stay ahead of competition. They are increasingly encountering an evolving threat landscape and complex security challenges - with more workloads in multi clouds, more workforces in hybrid environments, and more intelligent devices connected in mission critical operations. This transformation journey is exacerbated by exponential increase in compute resources, data volumes and security tooling, driving up the cost of storing, managing and analyzing the data for security purposes. |
Threat | ★★ | |
|
2024-03-25 02:32:03 | La cyber-menace imminente dans l'immobilier The Looming Cyber Threat in Real Estate (lien direct) |
Dans notre monde interconnecté, l'industrie immobilière a adopté la technologie pour révolutionner ses opérations, améliorer les expériences des clients et rationaliser les processus métier.Pourtant, bien que cette évolution technologique ait apporté d'immenses avantages au secteur immobilier, il a également attiré l'attention des acteurs néfastes désireux d'exploiter les vulnérabilités.Les transactions de grande valeur survenant quotidiennement, le secteur immobilier est devenu une cible convaincante pour les attaquants qui espèrent profiter de ces opportunités.De plus, la pandémie a alimenté une transition presque du jour au lendemain vers un travail à distance et ...
In our interconnected world, the real estate industry has embraced technology to revolutionize its operations, enhance customer experiences, and streamline business processes. Yet, while this technological evolution has brought immense benefits to the property sector, it has also attracted the attention of nefarious actors keen on exploiting vulnerabilities. With high-value transactions occurring daily, the real estate sector has become a compelling target for attackers hoping to cash in on these opportunities. In addition, the pandemic fueled an almost overnight transition to remote work and... |
Vulnerability Threat | ★★ | |
 |
2024-03-24 18:37:11 | Quelque 300 000 IPS vulnérables à cette boucle DOS Attaque Some 300,000 IPs vulnerable to this Loop DoS attack (lien direct) |
facile à exploiter, pas encore exploité, pas largement corrigé & # 8211;Choisissez trois jusqu'à 300 000 serveurs ou appareils sur Internet public sont considérés comme vulnérables en ce moment à la technique de déni de service en boucle récemment divulguée qui fonctionne contre certains services au niveau de l'application basés sur UDP.… | Threat | ★★ | |
|
2024-03-24 11:08:00 | Kimsuky de Kimsuky, en coréen, les déplacements pour les fichiers HTML compilés dans les cyberattaques en cours N. Korea-linked Kimsuky Shifts to Compiled HTML Help Files in Ongoing Cyberattacks (lien direct) |
L'acteur de menace lié à la Corée du Nord connue sous le nom de & NBSP; Kimsuky & nbsp; (aka Black Banshee, Emerald Sleet ou Springtail) a été observé en déplacement de ses tactiques, en levant des fichiers HTML compilés compilés (CHM) en tant que vecteurs pour offrir des logiciels malinés pour la récolte des données sensibles.
Kimsuky, actif depuis au moins 2012, est connu pour cibler des entités situées en Corée du Sud ainsi qu'en Amérique du Nord, en Asie et en Europe.
Selon
The North Korea-linked threat actor known as Kimsuky (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging Compiled HTML Help (CHM) files as vectors to deliver malware for harvesting sensitive data. Kimsuky, active since at least 2012, is known to target entities located in South Korea as well as North America, Asia, and Europe. According |
Malware Threat | APT 43 | ★★★ |
 |
2024-03-22 17:44:37 | Parti politique allemand ciblé par le groupe lié à la SVR dans la campagne de espionnage, dit Mandiant German political party targeted by SVR-linked group in spearphishing campaign, Mandiant says (lien direct) |
> Le groupe a peut-être cherché des informations sur le changement de sentiments européens sur l'Ukraine, suggèrent les analystes de menaces.
>The group may have been seeking insights on shifting European sentiments on Ukraine, threat analysts suggest. |
Threat | ★★★★ | |
|
2024-03-22 16:58:00 | Le groupe lié à la Chine viole les réseaux via ConnectWise, F5 Flaws du logiciel F5 China-Linked Group Breaches Networks via Connectwise, F5 Software Flaws (lien direct) |
Un cluster de menace lié à la Chine a mis à profit les défauts de sécurité dans ConnectWise Screenconnect et F5 Big-IP pour offrir des logiciels malveillants personnalisés capables de fournir des délais supplémentaires sur les hôtes Linux compromis dans le cadre d'une campagne "agressive".
Maniant appartenant à Google est & nbsp; suivi & nbsp; l'activité sous son surnom non catégorisé & nbsp; unc5174 & nbsp; (aka uteus ou uetus), le décrivant comme un "ancien
A China-linked threat cluster leveraged security flaws in Connectwise ScreenConnect and F5 BIG-IP software to deliver custom malware capable of delivering additional backdoors on compromised Linux hosts as part of an "aggressive" campaign. Google-owned Mandiant is tracking the activity under its uncategorized moniker UNC5174 (aka Uteus or Uetus), describing it as a "former |
Malware Threat | ★★ | |
 |
2024-03-22 11:00:00 | APT29 utilise Wineloader pour cibler les partis politiques allemands APT29 Uses WINELOADER to Target German Political Parties (lien direct) |
Résumé exécutif fin février, l'APT29 a utilisé une nouvelle variante de porte dérobée suivie publiquement comme wineloader pour cibler les fêtes politiques allemandes avecun leurre sur le thème de la CDU. & nbsp; & nbsp; C'est la première fois que nous voyons ce cluster APT29 cible des partis politiques, indiquant une zone émergente émergenteFocus opérationnel au-delà du ciblage typique des missions diplomatiques. basée sur la responsabilité du SVR \\ de collecter l'intelligence politique et cette cluster APT29 \\ 'sModèles de ciblage historiques, nous jugeons cette activité pour présenter une large menace pour les partis politiques européens et autres occidentaux de tous les politiques
Executive SummaryIn late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions.Based on the SVR\'s responsibility to collect political intelligence and this APT29 cluster\'s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political |
Threat | APT 29 | ★★ |
|
2024-03-22 08:36:00 | Les pirates russes ciblent les télécommunications ukrainiennes avec des logiciels malveillants améliorés \\ 'acide \\' Russian Hackers Target Ukrainian Telecoms with Upgraded \\'AcidPour\\' Malware (lien direct) |
Les data essuyant les logiciels malveillants appelés & nbsp; acidpour & nbsp; peuvent avoir été déployés dans des attaques ciblant quatre fournisseurs de télécommunications en Ukraine, les nouvelles découvertes de Sentinélone montrent.
La société de cybersécurité a également confirmé les liens entre les logiciels malveillants et Acidrain, en le liant à des grappes d'activités de menace associées aux renseignements militaires russes.
"Les capacités élargies de l'acide lui permettraient de mieux
The data wiping malware called AcidPour may have been deployed in attacks targeting four telecom providers in Ukraine, new findings from SentinelOne show. The cybersecurity firm also confirmed connections between the malware and AcidRain, tying it to threat activity clusters associated with Russian military intelligence. "AcidPour\'s expanded capabilities would enable it to better |
Malware Threat | ★★ | |
|
2024-03-22 06:00:42 | La solution centrée sur l'homme à un problème centré sur l'homme défiant vos données critiques The Human-Centric Solution to a Human-Centric Problem-Defending Your Critical Data (lien direct) |
This cybersecurity lore is well on its way to becoming cliché. But like most clichés, it\'s true: Data doesn\'t leave your organization on its own. People let your data out. They either take it with them, or they leave the door open for someone else to help themselves. In this environment, where cybercriminals are less inclined to target software vulnerabilities and far more focused on our identities, the perimeter as we once knew it has disappeared. Today, our people are the perimeter-wherever they are, on-premises or in the cloud, and whatever systems, devices and credentials they use to access our data. Needless to say, if cyberattacks are targeted at our people (or rather, their identities), then our cyber defenses must be targeted, too. But with large and often remote workforces accessing our networks across various endpoints, this is increasingly challenging. To protect our people-and, in turn, our businesses-we need a deep understanding of who is accessing our data as well as how, when, where and why. It\'s only when we have all this information that we can begin to place protections where they are needed most, educate users on the risks they face and fight threat actors on the new frontier of our identities. Tackling insider threats As if defending a new, more fluid perimeter wasn\'t difficult enough, the increased focus on our identities presents another problem. Our people are already within our traditional defenses. So, to protect against malicious, compromised or careless users who are enabling data loss, we need to defend from the inside out. Email remains the number one entry point for common and advanced threats, so any effective defense starts in the inbox. Our people must understand the importance of strong credentials, the risk of password reuse and sharing, and the dangers posed by phishing emails, malicious links and bogus attachments. In our research for the 2024 State of the Phish report, Proofpoint found that security professionals in Europe and the Middle East rated password reuse as the riskiest behavior-and the second-most common behavior among end users. Email protection tools can assist here, too, by filtering malicious messages before they reach the inbox. That helps to mitigate the compromised employee use case. However, security teams must always assume that threats will get through these lines of defense, even with detection rates above 99% being the norm. And when they do, additional layers of security are needed to stop them in their tracks. Advanced enterprise data loss prevention (DLP) and insider threat management (ITM) tools provide this additional layer. By analyzing content, behavior and threat telemetry, these tools highlight anomalous or suspicious behavior that can lead to data loss. Careless users were the most cited cause of data loss in our inaugural 2024 Data Loss Landscape report. To handle this use case you might want to interrupt their careless behavior with a security prompt. For example, suppose an employee attempts to send confidential files in a plain text email. A simple pop-up advising them to reconsider their action could prevent this data from being exposed. A complete log of the incident is also captured, which can add real-world context to security awareness training. Another action that a careless user may perform is to send an email to the wrong recipient. According to our research, 1 in 3 users misdirected one or two emails to the wrong recipient. In the event of a malicious insider, intelligent DLP and ITM tools will spot and alert security teams to any high-risk behaviors. This could be a user who downloads an unauthorized app to a corporate machine or renames files to hide their intentions and cover their tracks. As for leavers-who remain one of the primary reasons for insider-driven data loss-security teams can take a more proactive approach. By focusing on these high-risk employees, you can build an evidential picture of intent. With the right tools in place, you can capture activity l | Tool Vulnerability Threat Cloud | ★★ | |
|
2024-03-22 00:00:00 | APT29 Uses WINELOADER to Target German Political Parties (lien direct) | Written by: Luke Jenkins, Dan Black
Executive Summary In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. Based on the SVR\'s responsibility to collect political intelligence and this APT29 cluster\'s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum. Please see the Technical Annex for technical details and MITRE ATT&CK techniques, (T1543.003, T1012, T1082, T1134, T1057, T1007, T1027, T1070.004, T1055.003 and T1083) Threat Detail In late February 2024, Mandiant identified APT29 - a Russian Federation backed threat group linked by multiple governments to Russia\'s Foreign Intelligence Service (SVR) - conducting a phishing campaign targeting German political parties. Consistent with APT29 operations extending back to 2021, this operation leveraged APT29\'s mainstay first-stage payload ROOTSAW (aka EnvyScout) to deliver a new backdoor variant publicly tracked as WINELOADER. Notably, this activity represents a departure from this APT29 initial access cluster\'s typical remit of targeting governments, foreign embassies, and other diplomatic missions, and is the first time Mandiant has seen an operational interest in political parties from this APT29 subcluster. Additionally, while APT29 has previously used lure documents bearing the logo of German government organizations, this is the first instance where we have seen the group use German-language lure content - a possible artifact of the targeting differences (i.e. domestic vs. foreign) between the two operations. Phishing emails were sent to victims purporting to be an invite to a dinner reception on 01 March bearing a logo from the Christian Democratic Union (CDU), a major political party in Germany (see Figure 1). The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website “https://waterforvoiceless[.]org/invite.php”. ROOTSAW delivered a second-stage CDU-themed lure document and a next stage WINELOADER payload retrieved from “waterforvoiceless[.]org/util.php”. WINELOADER was first observed in operational use in late January 2024 in an operation targeting likely diplomatic entities in Czechia, Germany, India, Italy, Latvia, and Peru. The backdoor contains several features and functions that overlap with several known APT29 malware families including BURNTBATTER, MUSKYBEAT and BEATDROP, indicating they are likely created by a common developer (see Technical Annex for additional details). |
Malware Threat Cloud Technical | APT 29 | ★★★ |
|
2024-03-21 22:32:49 | L'équipe Tesla Hack gagne 200 000 $ et une nouvelle voiture Tesla Hack Team Wins $200K and a New Car (lien direct) |
Zero Day Initiative a accordé un total de 732 000 $ aux chercheurs qui ont trouvé 19 vulnérabilités uniques de cybersécurité au cours du premier jour de PWN2OWN.
Zero Day Initiative awarded a total of $732,000 to researchers who found 19 unique cybersecurity vulnerabilities during the first day of Pwn2Own. |
Hack Vulnerability Threat | ★★ | |
|
2024-03-21 21:33:00 | Les pirates de Russie utilisant TinyTurla-NG pour violer les systèmes européens de l'ONG \\ Russia Hackers Using TinyTurla-NG to Breach European NGO\\'s Systems (lien direct) |
L'acteur de menace lié à la Russie connue sous le nom de Turla a infecté plusieurs systèmes appartenant à une organisation européenne non gouvernementale (ONG) sans nom afin de déployer une porte dérobée appelée & nbsp; tinyturla-ng.
"Les attaquants ont compromis le premier système, établi de la persistance et ajouté des exclusions aux produits antivirus fonctionnant sur ces paramètres dans le cadre de leurs actions préliminaires post-compromis", Cisco
The Russia-linked threat actor known as Turla infected several systems belonging to an unnamed European non-governmental organization (NGO) in order to deploy a backdoor called TinyTurla-NG. "The attackers compromised the first system, established persistence and added exclusions to antivirus products running on these endpoints as part of their preliminary post-compromise actions," Cisco |
Threat | ★★ | |
 |
2024-03-21 20:38:56 | Hacker du gouvernement chinois exploitant ScreenConnect, F5 Bugs pour attaquer les entités de défense et gouvernementales Chinese government hacker exploiting ScreenConnect, F5 bugs to attack defense and government entities (lien direct) |
Un pirate serait lié à la République de Chine du peuple a exploité deux vulnérabilités populaires pour attaquer les entrepreneurs de la défense américaine, les entités et les institutions gouvernementales du Royaume-Uni en Asie. & NBSP;Un nouveau rapport de la société de sécurité appartenant à Google Mandiant a mis en lumière le travail d'un acteur de menace qu'ils appellent UNC5174.Les chercheurs pensent que l'UNC5174 est un ancien membre
A hacker allegedly connected to the People\'s Republic of China has been exploiting two popular vulnerabilities to attack U.S. defense contractors, U.K. government entities and institutions in Asia. A new report from Google-owned security firm Mandiant spotlighted the work of a threat actor they call UNC5174. The researchers believe UNC5174 is a former member |
Vulnerability Threat | ★★★ | |
|
2024-03-21 20:17:15 | Beware of the Messengers, Exploiting ActiveMQ Vulnerability (lien direct) | #### Description
Cybereason Security Services a publié un rapport d'analyse des menaces sur un incident impliquant un serveur Linux qui a vu des exécutions de shell malveillant à partir d'un processus Java exécutant Apache ActiveMQ.Le service ActiveMQ est un courtier de messages open source utilisé pour rejeter les communications à partir de serveurs séparés exécutant différents composants et / ou écrits dans différentes langues.L'activité est fortement évaluée pour avoir mis à profit une vulnérabilité à distance d'exécution de code (RCE) CVE-2023-46604.
Les exécutions de shell observées incluent les tentatives de téléchargement des charges utiles supplémentaires telles que les exécutables de MiraiBotnet, Hellokitty Ransomware, Sparkrat Executables et Coinminers, y compris XMRIG.Les méthodologies de déploiementemployez principalement l'automatisation;Cependant, une étape initiale dépend d'une session interactive via des coquilles inversées NetCAT.
> [Consultez la rédaction de Microsoft \\ sur CVE-2023-46604 - Apache ActiveMQ ici.] (Https://sip.security.microsoft.com/intel-profiles/cve-2023-46604)
#### URL de référence (s)
1. https://www.cybereason.com/blog/beware-of-the-messengers-expoiting-activemq-vulnerabilité
#### Date de publication
13 mars 2024
#### Auteurs)
Équipe de services de sécurité de la cyberéasie
#### Description Cybereason Security Services has issued a Threat Analysis Report on an incident involving a Linux server that saw malicious shell executions from a Java process running Apache ActiveMQ. The ActiveMQ service is an open-source message broker used to bridge communications from separate servers running different components and/or written in different languages. The activity is strongly assessed to have leveraged a Remote Code Execution (RCE) vulnerability CVE-2023-46604. The observed shell executions include attempts to download additional payloads such as executables of Mirai Botnet, HelloKitty Ransomware, SparkRAT executables, and coinminers including XMRig. The deployment methodologies mainly employ automation; however, one initial foothold is dependent on an interactive session via Netcat reverse shells. > [Check out Microsoft\'s write-up on CVE-2023-46604 - Apache ActiveMQ here.](https://sip.security.microsoft.com/intel-profiles/CVE-2023-46604) #### Reference URL(s) 1. https://www.cybereason.com/blog/beware-of-the-messengers-exploiting-activemq-vulnerability #### Publication Date March 13, 2024 #### Author(s) Cybereason Security Services Team |
Ransomware Vulnerability Threat | ★★ | |
|
2024-03-21 19:56:00 | Plus de 800 packages NPM trouvés avec des écarts, 18 exploitables à \\ 'manifester la confusion \\' Over 800 npm Packages Found with Discrepancies, 18 Exploitable to \\'Manifest Confusion\\' (lien direct) |
De nouvelles recherches ont découvert plus de 800 packages dans le registre NPM qui ont des écarts de leurs entrées de registre, dont 18 ont été trouvés pour exploiter une technique appelée & nbsp; manifeste confusion.
Les résultats proviennent de la société de cybersécurité JFROG, qui a déclaré que la question pourrait être exploitée par les acteurs de la menace pour inciter les développeurs à exécuter un code malveillant.
"C'est une menace réelle depuis
New research has discovered over 800 packages in the npm registry which have discrepancies from their registry entries, out of which 18 have been found to exploit a technique called manifest confusion. The findings come from cybersecurity firm JFrog, which said the issue could be exploited by threat actors to trick developers into running malicious code. "It\'s an actual threat since |
Threat | ★★★ | |
|
2024-03-21 18:18:00 | AndroxGH0st malware cible les applications Laravel pour voler des informations d'identification cloud AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials (lien direct) |
Les chercheurs en cybersécurité ont fait la lumière sur un outil appelé & nbsp; androxgh0st & nbsp; qui a utilisé pour cibler les applications Laravel et voler des données sensibles.
"Il fonctionne en numérisant et en supprimant des informations importantes à partir des fichiers .env, en révélant les détails de connexion liés à AWS et Twilio", a déclaré le chercheur de Juniper Threat Labs Kashinath T Pattan & NBSP;
"Classé comme un cracker SMTP, il exploite SMTP
Cybersecurity researchers have shed light on a tool referred to as AndroxGh0st that\'s used to target Laravel applications and steal sensitive data. "It works by scanning and taking out important information from .env files, revealing login details linked to AWS and Twilio," Juniper Threat Labs researcher Kashinath T Pattan said. "Classified as an SMTP cracker, it exploits SMTP |
Malware Tool Threat Cloud | ★★ | |
 |
2024-03-21 16:54:15 | CrowdStrike améliore les capacités de détection et de réponse des nuages (CDR) pour protéger le pipeline CI / CD CrowdStrike Enhances Cloud Detection and Response (CDR) Capabilities to Protect CI/CD Pipeline (lien direct) |
L'augmentation de l'adoption du cloud a été rencontrée par une augmentation correspondante des menaces de cybersécurité.Les intrusions de nuages ont augmenté par un échec de 75% en 2023, les cas soucieux du cloud augmentant de 110%.Au milieu de cette surtension, les adversaires ECRIME sont devenus les principaux acteurs de la menace ciblant le cloud, représentant 84% des intrusions soucieuses du nuage attribuées aux adversaires.Pour les grandes entreprises qui [& # 8230;]
The increase in cloud adoption has been met with a corresponding rise in cybersecurity threats. Cloud intrusions escalated by a staggering 75% in 2023, with cloud-conscious cases increasing by 110%. Amid this surge, eCrime adversaries have become the top threat actors targeting the cloud, accounting for 84% of adversary-attributed cloud-conscious intrusions. For large enterprises that […] |
Threat Cloud | ★★★ | |
 |
2024-03-21 13:52:48 | MIWIC2024: Rebecca Taylor, Manager des connaissances sur le renseignement des menaces chez SecureWorks MIWIC2024: Rebecca Taylor, Threat Intelligence Knowledge Manager at Secureworks (lien direct) |
Organisé par Eskenzi PR en partenariat médiatique avec le gourou de la sécurité informatique, les femmes les plus inspirantes des Cyber Awards visent à faire la lumière sur les femmes remarquables de notre industrie.Ce qui suit est une caractéristique sur l'une des 20 meilleures femmes de 2024 sélectionnées par un groupe de juges estimé.Présenté dans un format Q & # 38;
Le post miwic2024: Rebecca Taylor, Manager des connaissances sur le renseignement des menaces chez SecureWorks est apparu pour la première fois sur gourou de la sécurité informatique .
Organised by Eskenzi PR in media partnership with the IT Security Guru, the Most Inspiring Women in Cyber Awards aim to shed light on the remarkable women in our industry. The following is a feature on one of 2024\'s Top 20 women selected by an esteemed panel of judges. Presented in a Q&A format, the nominee\'s answers are […] The post MIWIC2024: Rebecca Taylor, Threat Intelligence Knowledge Manager at Secureworks first appeared on IT Security Guru. |
Threat | ★★ | |
 |
2024-03-21 13:30:00 | Les dirigeants de la sécurité reconnaissent les lacunes de sécurité de l'API malgré une menace imminente Security Leaders Acknowledge API Security Gaps Despite Looming Threat (lien direct) |
La plupart des décideurs ont connu des problèmes de sécurité des API au cours de la dernière année, mais beaucoup n'ont pas investi dans une stratégie de sécurité API robuste, révèle rapidement
Most decision-makers have experienced API security problems over the past year, yet many haven\'t invested in a robust API security strategy, Fastly reveals |
Threat | ★★ | |
|
2024-03-21 13:00:07 | Faire du sport de sport: la cyber-menace croissante pour les événements sportifs mondiaux en 2024 Making Sport of Sports: The Growing Cyber Threat to Global Sports Events in 2024 (lien direct) |
> Alors que le calendrier sportif mondial transforme ses pages aux Jeux olympiques attendus à Paris et à la Coupe Euro 2024 en Allemagne, une ombre inquiétante menace de ternir ces lunettes.La tendance des cyberattaques contre les événements sportives a considérablement augmenté, avec une augmentation de 20 fois les attaques contre les Jeux olympiques de 2012 à 2021, aboutissant à des attaques stupéfiantes de 4,4 milliards pendant les Jeux de Tokyo.De même, la Coupe du monde 2022 a connu un afflux de courriels de phishing, soulignant une marée croissante de cyber-menaces auxquelles le monde du sport doit affronter.Une enquête menée par le Centre national de cybersécurité du Royaume-Uni [& # 8230;]
>As the global sports calendar turns its pages to the eagerly awaited Olympic Games in Paris and the EURO 2024 Cup in Germany, an ominous shadow threatens to tarnish these spectacles. The trend of cyber attacks on sports events has escalated dramatically, with a 20-fold increase in attacks on the Olympics from 2012 to 2021, culminating in a staggering 4.4 billion attacks during the Tokyo games. Similarly, the 2022 World Cup witnessed an influx of phishing emails, underscoring a rising tide of cyber threats that the sports world must confront. A survey conducted by the UK’s National Cyber Security Centre […] |
Threat Prediction | ★★★ | |
 |
2024-03-21 13:00:00 | Comment j'ai commencé: négociateur de ransomware How I got started: Ransomware negotiator (lien direct) |
> Les rôles spécialisés dans la cybersécurité prolifèrent, ce qui n'est pas surprenant étant donné le paysage des menaces évolutives et l'impact dévastateur des ransomwares sur de nombreuses entreprises.Parmi ces rôles, les négociateurs de ransomwares deviennent de plus en plus cruciaux.Ces négociateurs opèrent sur les lignes de front de la cyber-défense, s'engageant directement avec les cybercriminels pour atténuer l'impact des ransomwares [& # 8230;]
>Specialized roles in cybersecurity are proliferating, which isn’t surprising given the evolving threat landscape and the devastating impact of ransomware on many businesses. Among these roles, ransomware negotiators are becoming more and more crucial. These negotiators operate on the front lines of cyber defense, engaging directly with cyber criminals to mitigate the impact of ransomware […] |
Ransomware Threat | ★★★ | |
|
2024-03-21 09:30:00 | Les chercheurs en sécurité gagnent deuxième Tesla à PWN2OWN Security Researchers Win Second Tesla At Pwn2Own (lien direct) |
L'équipe Synacktiv a remporté sa deuxième voiture Tesla pour avoir trouvé l'un des 19 bugs zéro jour le premier jour de PWN2OWN VANCOUVER
The Synacktiv team won its second Tesla car for finding one of 19 zero-day bugs on the first day of Pwn2Own Vancouver |
Vulnerability Threat | ★★ | |
|
2024-03-21 09:25:00 | Ivanti libère une solution urgente pour la vulnérabilité critique de la sentinelle critique Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability (lien direct) |
Ivanti a divulgué les détails d'un défaut à l'exécution de code à distance critique ayant un impact sur la sentinelle autonome, exhortant les clients à appliquer immédiatement les correctifs pour rester protégé contre les cyber-menaces potentielles.
Suivi comme & nbsp; CVE-2023-41724, la vulnérabilité comporte un score CVSS de 9,6.
"Un acteur de menace non authentifié peut exécuter des commandes arbitraires sur le système d'exploitation sous-jacent de l'appareil
Ivanti has disclosed details of a critical remote code execution flaw impacting Standalone Sentry, urging customers to apply the fixes immediately to stay protected against potential cyber threats. Tracked as CVE-2023-41724, the vulnerability carries a CVSS score of 9.6. "An unauthenticated threat actor can execute arbitrary commands on the underlying operating system of the appliance |
Vulnerability Threat | ★★★ | |
|
2024-03-21 09:00:00 | Rendre l'accès - Les courtiers d'accès initiaux exploitent F5 Big-IP (CVE-2023-46747) et ScreenConnect Bringing Access Back - Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect (lien direct) |
Au cours d'une enquête d'intrusion fin octobre 2023, Mandiant a observé une nouvelle exploitation n-day de & nbsp; CVE-2023-46747 Interface utilisateur de gestion du trafic Big-IP F5.De plus, en février 2024, nous avons observé l'exploitation de ConnectWise Screenconnect CVE-2024-1709 par le même acteur.Ce mélange d'outillage personnalisé et du cadre SuperShell exploité dans ces incidents est évalué avec une confiance modérée pour être unique pour une menace de la République de Chine (PRC), unc5174. Mandiant évalue UNC5174 (censé utiliser le personnage "Uteus") est un ancien membre de la Chine
During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor. This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People\'s Republic of China (PRC) threat actor, UNC5174.Mandiant assesses UNC5174 (believed to use the persona "Uteus") is a former member of Chinese |
Threat | ★★ | |
|
2024-03-21 07:53:21 | Mémoire de sécurité: TA450 utilise des liens intégrés dans les pièces jointes PDF dans la dernière campagne Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign (lien direct) |
Ce qui s'est passé Les chercheurs de ProofPoint ont récemment observé une nouvelle activité par l'acteur de menace aligné par l'Iran TA450 (également connu sous le nom de Muddywater, Mango Sandstorm et Static Kitten), dans lequel le groupe a utilisé un leurre d'ingénierie social lié aux salaires pour cibler les employés israéliens dans de grandes organisations multinationales.TA450 est connu pour cibler les entités israéliennes, en particulier depuis au moins octobre 2023 avec le début de la guerre des Israël-Hamas et cela se poursuit qui se concentre sur les sociétés mondiales de fabrication, de technologie et de sécurité de l'information. Dans la campagne de phishing, qui a commencé le 7 mars et s'est poursuivie tout au long de la semaine du 11 mars 2024, TA450 a envoyé des e-mails avec des pièces jointes PDF qui contenaient des liens malveillants.Bien que cette méthode ne soit pas étrangère à TA450, l'acteur de menace s'est récemment appuyé sur des liens malveillants directement dans les corps de messagerie électronique au lieu d'ajouter cette étape supplémentaire.Les chercheurs de ProofPoint ont observé que les mêmes cibles reçoivent plusieurs e-mails de phishing avec des pièces jointes PDF qui avaient des liens intégrés légèrement différents.Les liens étaient vers une variété de sites de partage de fichiers, notamment EGnyte, OneHub, Sync et Terabox.Les e-mails ont également utilisé un compte .il d'expéditeur probable compromis, ce qui est conforme à l'activité récente de cette menace. Comme le montre les figures 1 et 2, si une cible ouvrait la pièce jointe et cliquait sur le lien inclus, il conduirait au téléchargement d'une archive zip contenant un MSI compressé qui installerait finalement AteraAgent, logiciel d'administration à distance connue pour être abusépar TA450. Figure 1. Attachement PDF ouvert avec un lien malveillant (Traduction machine: Titre du document: Signon de paie; Body of PDF: Bonjour, à partir de maintenant, recevez votre bordereau de paie via le logiciel suivant). Figure 2. Zip Archive via OneHub qui mène au téléchargement du logiciel d'administration à distance. Attribution Les chercheurs de ProofPoint attribuent cette campagne à TA450 sur la base de tactiques, techniques et procédures connues de TA450, ciblage de la campagne et analyse de logiciels malveillants.En janvier 2022, les États-Unis ont cyber-commandant ce groupe au ministère de l'Iran \\ du renseignement et de la sécurité. Pourquoi est-ce important Cette activité est remarquable pour plusieurs raisons, notamment qu'elle marque un tour des tactiques de Ta450 \\.Bien que cette campagne ne soit pas la première instance observée de TA450 en utilisant des pièces jointes avec des liens malveillants dans le cadre de la chaîne d'attaque de l'acteur de menace, il est la première fois que les chercheurs ont observé que TA450 tentative de livrer une URL malveillante dans une attachement PDF plutôt plutôtque lier directement le fichier dans un e-mail.De plus, cette campagne est la première fois que Proofpoint a observé TA450 à l'aide d'un compte de messagerie d'expéditeur qui correspond au contenu de leurre.Par exemple, cette campagne a utilisé un compte de messagerie de salaire [@] co [.] Il, qui est aligné sur les différentes lignes d'objet sur le thème de la rémunération. Enfin, cette activité continue la tendance de Ta450 \\ de tirer parti des leurres de langue hébraïque et de compromis compromis. Signatures de menace émergente (ET) Sid Nom de règle 2051743 ET ouvre la requête DNS au domaine de partage de fichiers (EGNYTE .com) 2051745 ET Open 2051745 - DNS Query to File Share Domain (Sync .Com) 2051749 ET ouvre la requête DNS au domaine de partage de fichiers (Terabox .com) 2051750 ET Open Domaine de partage de fichiers observé (Terabox .com dans TLS SNI) 2051746 ET Open Domaine de partage de fichiers observé (EGNYTE .com dans TLS SNI) 2051748 ET Open Domaine de partage de fichiers observé (Sync .com d | Malware Threat Prediction | ★★★ | |
 |
2024-03-21 00:00:00 | Épisode 22: L'effectif mon Amygdala!La psychologie derrière la cybersécurité EPISODE 22: Hands Off My Amygdala! The Psychology Behind Cybersecurity (lien direct) |
Welcome to Compromising Positions! The tech podcast that asks non-cybersecurity professionals what we in the industry can do to make their lives easier and help make our organisations more prepared to face ever-changing human-centric cyber threats! This week we are joined by Bec McKeown, a chartered psychologist with extensive experience in carrying out applied research for organisations including the UK Ministry of Defence and the founder and director of Mind Science, an independent organisation that works with cybersecurity professionalsIn this episode, Hands Off My Amygdala! The Psychology Behind Cybersecurity, we are going to hear about Bec\'s varied and interesting career in advising people in highly stressful situations to be reflective and not reactive, and how they cannot only learn from their actions but become masters of them. This episode is a smorgasbord of psychological concepts that will make you think twice about how you normally run your security awareness programme and but also your tabletop exercise too. And crucially, learn why people act the way they do during an actual cybersecurity incident. Key Takeaways:The curse of knowledge: Understanding what it\'s like to not understand cybersecurity from a technical perspective can be an advantage in helping you communicate better. By putting yourself in the shoes of the listener, you can convey complex ideas in a way that is easy to understand and relatableZero trust: While zero trust may make sense from a technical standpoint, it can lead to frustration and workarounds when it hinders employees. Theory Y suggests that people given more agency and autonomy are likely to work well, if not harder, than when constantly surveilled.Just culture: Accepting that mistakes will be made and analysing the steps that lead to that mistake happening with a view of learning how to avoid it without blame can improve the learning culture. Most people don\'t come to work to be malicious, if a mistake happens it is due to other factors like stress or bad processes.Microlearning: Nobody wants to sit in training for three hours! Microlearning helps by breaking up information into bite-sized chunks that are easy to digest. It\'s also important to account for different learning styles and provide information in various formats.Amygdala hijacking: Cybercriminals leverage amygdala hijacking, which occurs when the amygdala activates the fight-or-flight response when there is no serious threat to a person\'s safety. It\'s essential to recognize the contextual cue that led you to act that way and develop strategies to deal with it before it happens.Links to everything we discussed in this episode can be found in the show notes and if you liked the show, please do leave us a review. Follow us on all good podcasting platforms and via our YouTube channel, and don\'t forget to share on LinkedIn and in your teams.It really helps us spread the word and get high-quality | Threat Technical | ★★ | |
|
2024-03-21 00:00:00 | Bringing Access Back - Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect (lien direct) | Written by: Michael Raggi, Adam Aprahamian, Dan Kelly, Mathew Potaczek, Marcin Siedlarz, Austin Larsen
During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor. This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People\'s Republic of China (PRC) threat actor, UNC5174. Mandiant assesses UNC5174 (believed to use the persona "Uteus") is a former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China\'s Ministry of State Security (MSS) focused on executing access operations. UNC5174 has been observed attempting to sell access to U.S. defense contractor appliances, UK government entities, and institutions in Asia in late 2023 following CVE-2023-46747 exploitation. In February 2024, UNC5174 was observed exploiting ConnectWise ScreenConnect vulnerability (CVE-2024-1709) to compromise hundreds of institutions primarily in the U.S. and Canada. Targeting and Timeline UNC5174 has been linked to widespread aggressive targeting and intrusions of Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and U.S. and UK government organizations during October and November 2023, as well as in February 2024. The actor appears primarily focused on executing access operations. Mandiant observed UNC5174 exploiting various vulnerabilities during this time. ConnectWise ScreenConnect Vulnerability CVE-2024-1709 F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability CVE-2023-46747 Atlassian Confluence CVE-2023-22518 Linux Kernel Exploit CVE-2022-0185 Zyxel Firewall OS Command Injection Vulnerability CVE-2022-30525 Investigations revealed several instances of UNC5174 infrastructure, exposing the attackers\' bash command history. This history detailed artifacts of extensive reconnaissance, web application fuzzing, and aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong regions. Additionally, key strategic targets like think tanks in the U.S. and Taiwan were identified; however, Mandiant does not have significant evidence to determine successful exploitation of these targets. 
Figure 1: UNC5174 global targeting map
Initial Disclosure of CVE-2023-46747
On Oct. 25, 2023, Praetorian published an advisory and proof-of-concept (PoC) for a zero-day (0-day) vulnerabil |
Malware Tool Vulnerability Threat Cloud | ★★★ | |
|
2024-03-20 20:05:33 | Les éditeurs de texte infecté chargent la porte dérobée dans macOS Infected Text Editors Load Backdoor into MacOS (lien direct) |
#### Description
Les chercheurs de Kaspersky ont découvert une nouvelle menace qui cible les utilisateurs chinois de l'un des moteurs de recherche les plus populaires en Chine.La menace implique des versions modifiées des éditeurs de texte populaires qui ont été distribués dans le système.Dans le premier cas, la ressource malveillante est apparue dans la section publicitaire, tandis que dans le deuxième cas, il est apparu en haut des résultats de la recherche.Les attaquants ont utilisé la typosquat et d'autres techniques pour rendre leurs ressources aussi similaires que possible aux sites Web officiels des programmes populaires.
#### URL de référence (s)
1. https://securelist.com/trojanisé-Text-Editor-apps/112167/
#### Date de publication
13 mars 2024
#### Auteurs)
Sergey Puzan
#### Description Kaspersky researchers have discovered a new threat that targets Chinese users of one of the most popular search engines in China. The threat involves modified versions of popular text editors that were distributed in the system. In the first case, the malicious resource appeared in the advertisement section, while in the second case, it appeared at the top of the search results. The attackers used typosquatting and other techniques to make their resources look as similar as possible to the official websites of popular programs. #### Reference URL(s) 1. https://securelist.com/trojanized-text-editor-apps/112167/ #### Publication Date March 13, 2024 #### Author(s) Sergey Puzan |
Threat | ★★★ | |
|
2024-03-20 17:00:00 | CISA avertit les chefs d'infrastructure critiques de Volt Typhoon CISA Warns Critical Infrastructure Leaders of Volt Typhoon (lien direct) |
L'agence a publié une fiche d'information sur l'acteur de menace, soulignant l'importance du cyber-risque en tant que préoccupation commerciale principale
The agency has issued a fact sheet about the threat actor, emphasizing the importance of cyber-risk as a core business concern |
Threat | Guam | ★★★ |
To see everything:
Our RSS (filtrered)
