What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-06-25 21:14:40 | Resurgence de Strelastealer: suivi d'un voleur d'identification axé sur JavaScript ciblant l'Europe StrelaStealer Resurgence: Tracking a JavaScript-Driven Credential Stealer Targeting Europe (lien direct) |
#### Targeted Geolocations - Poland - Spain - Italy - Germany ## Snapshot The SonicWall Capture Labs threat research team has been monitoring an increase in the spread of StrelaStealer, an information stealer (infostealer) malware that first emerged in 2022. Read Microsoft\'s write-up on information stealers [here](https://security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6). ## Description In mid-June, there was a notable surge in JavaScript spreading StrelaStealer, which targets Outlook and Thunderbird email credentials. StrelaStealer\'s infection chain remains similar to previous versions but now includes checks to avoid infecting Russian systems. Its targets are primarily in Poland, Spain, Italy, and Germany. The initial infection vector is an obfuscated JavaScript file sent via email in archive files. This file drops a copy in the user\'s directory with a random name and then executes a batch file to check the system language, excluding Russian users by detecting the OSLanguage code "1049". If non-Russian, a base64-encoded PE file is dropped, decoded, and a DLL is created and executed using regsvr32.exe. The DLL\'s obfuscated code decrypts the actual PE file and injects it into the current process. The stealer dynamically loads necessary APIs and checks the keyboard layout to determine the system\'s geographic location. It targets languages such as Spanish, Basque, Polish, Catalan, Italian, and German. The malware starts its stealing functionality with Mozilla Thunderbird, looking for specific files and sending data to a designated IP address. It also targets Outlook by retrieving information from specific registry keys and sending this data to the same IP. ## Additional Analysis OSINT reporting about StrelaStealer indicates that its operators tend to initiate large-scale campaigns targeting organizations in specific geographic regions or countries. Initially, the malware primarily targeted Spanish-speaking users, but has since evolved to target users speaking English and other European languages. According to Palo Alto Network\'s 2024 [report](https://unit42.paloaltonetworks.com/strelastealer-campaign/) on StrelaStealer, the malware\'s main goal, to steal email login data from email clients, has not changed. However, the malware\'s infection chain and packer have been modified to evade detection and make analysis more difficult. ## Detections/Hunting Queries Microsoft Defender Antivirus detects threat components as the following malware: - *[Trojan:JS/StrelaStealer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:JS/StrelaStealer!MSR&threatId=-2147061639)* - *[Trojan:Win64/StrelaStealer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/StrelaStealer.GPAX!MTB&threatId=-2147056969)* - *[Trojan:Win32/StrelaStealer](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/StrelaStealer.ASS!MTB&threatId=-2147054947)* ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations. - Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly a | Ransomware Spam Malware Tool Threat | ||
 |
2024-06-25 14:15:59 | Utilisation d\'outils d\'IA personnels dans un cadre professionnel : attention aux risques pour la sécurité des données (lien direct) | L'un des plus grands dangers est que les utilisateurs cherchent constamment à optimiser leur productivité, souvent en recourant à des outils non validés par l'entreprise, ce qui augmente les risques de vol ou de mauvaise utilisation des données. | Tool | ||
 |
2024-06-25 12:50:11 | CISA met en garde contre un éventuel vol de données des installations chimiques en raison d'une violation de son outil CSAT CISA warns of possible data theft from Chemical facilities due to a breach in its CSAT tool (lien direct) |
CISA met en garde contre le vol de données possible à partir des installations chimiques en raison d'une violation de son outil CSAT
-
mise à jour malveillant
CISA warns of possible data theft from Chemical facilities due to a breach in its CSAT tool - Malware Update |
Tool | ||
 |
2024-06-25 10:00:00 | Le rôle de la cybersécurité dans la construction et la fabrication modernes The Role of Cybersecurity in Modern Construction and Manufacturing (lien direct) |
The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article. Cybersecurity and threat preparedness may be at the forefront of your mind, and you may have protections in place against more common threats. Yet, as these threats continue to evolve, vigilance and adaptation are crucial for construction and manufacturing organizations. Cybercriminals have gotten both more prolific and more creative. 2023 saw a record-breaking spike in cyberattacks, with well over 300 million victims falling prey to data breaches, and the average corporate data breach cost 4.45 million dollars. In an industry where reputation is everything, a single breach could sink your ship in more ways than one. As we proceed, we’ll unpack the many ways that a cyberattack could impact your ability to turn a profit, making you aware of vulnerabilities that exist within your organization’s structure. Then we’ll provide you with practical suggestions to patch these vulnerabilities, insulating you from outside threats and keeping you on track to remain profitable. Computer Vision and Vulnerabilities As you use new technologies to support your existing processes, you must be aware of vulnerabilities that new systems can create. If you’ve looked into leveraging recent tech advancements in your field, you’re probably familiar with computer vision technology. Computer vision technology uses data gathered from physical images, importing them into the digital realm and unlocking a variety of potential benefits. Takeoff software and AI-powered planning systems streamline the project liftoff process by, simplifying cost estimation, identifying and correcting blueprint errors, and even advancing sustainability goals. While these systems can be leveraged to optimize a wide variety of processes, they also shift the balance of project planning from human input to automated computing processes. This in turn puts you more at risk for being a victim of a cyberattack. Malefactors can access automated systems through a wide variety of channels. Whether they break into your network via access to an IoT-connected device that someone misplaced in the workspace, or secret malicious code into the data sources your devices consume to function, increasing your use of technology also increases their windows of opportunity. As these systems increase in scope and importance, leaving windows like these open increases the risk of potentially profitable projects turning belly up. Process Disruption However, cybercriminals don’t need you to use newfangled technology solutions to cause havoc throughout your processes. Cybercriminals already have a tried-and-true playbook that they’ve been using on your competitors for years, and to great effect. Some of the ways cyberthreats can fracture manufacturers’ processes include: ● Ransomware: If a cybercriminal gains access to mission-critical data, they can then lock that data behind a ransomware program. Ransomware holds company d | Ransomware Malware Tool Vulnerability Threat Patching | ||
 |
2024-06-25 06:00:45 | Email mal réalisé: un problème commun et coûteux qui est facile à résoudre Misdirected Email: A Common and Costly Issue That\\'s Easy to Fix (lien direct) |
Sensitive data loss has long been an issue for organizations of all sizes, leaving them exposed to compliance and reputation risks. From phishing and ransomware to advanced threats, there is a long and growing list of ways that sensitive information can find itself outside your defenses. That said, it never really “finds itself” there. It ends up there incidentally, or intentionally-and usually, by employees. So much so that two-thirds of chief information security officers (CISOs) surveyed for our 2024 State of the Phish report said their business has experienced data loss due to an insider. Once again, there are many ways this can happen. Even today\'s most security-oblivious users likely understand that weak passwords and errant clicks or downloads pose a risk. However, another prevalent factor behind data loss does not garner the same level of focus. It may surprise many to learn that misdirected emails-legitimate messages sent to incorrect recipients-are the number one General Data Protection Regulation (GDPR)-related cyber incident reported to the U.K.\'s Information Commissioner\'s Office (ICO). Misdirected email happens all the time-and it\'s difficult to stop with traditional tools. These errors are not usually flagged by standard rule-based data loss prevention (DLP) products. That leaves users solely responsible for ensuring that their emails are always sent to the intended recipients. Unfortunately, this human line of defense is not fully equipped for the task. Why doesn\'t traditional DLP solve misdelivery? Traditional rule based DLP tools do what they do very well. Such tools remain a critical part of any effective cyber defense when it comes to protecting sensitive data. However, they have a major shortcoming in that they only check messaging against predefined risks. Traditional DLP can identify whether: Recipients are on deny lists The content contains Social Security numbers or patient identifiers (RegEx patterns) Attached documents have classification tags; for example, if an admin has tagged a document as “sensitive” Assuming your email passes these checks, it is deemed safe to send. A misdirected email to a legitimate (albeit incorrect) recipient would not raise any red flags. A rule-based system would determine that this type of email is good to go. But based on Verizon\'s Data Breach Investigations Report (DBIR) data, which shows that email misdelivery is prevalent across all industries, we know that it\'s not. An adaptive, artificial intelligence (AI)-powered DLP solution goes much further. It doesn\'t just look for common predefined risks. Rather, it analyzes all aspects of an email for anything that looks anomalous. So, on top of checking for common red flags, it can detect abnormal groupings of recipients and flag sensitive words, phrases or content that are not ordinarily shared with the intended recipients-whether in the body of the message or in any attachments. The solution will then determine whether an email is safe to send. Overview showing how Tessian automatically detects what rule-based DLP misses. Should it detect a potential mistake or sensitive data loss incident, Proofpoint Adaptive Email DLP will intervene to question the accuracy of the recipient, offer a brief explanation of the potential issue and ask whether the sender wishes to proceed or cancel. Error message: Is this the correct recipient message? Put simply, traditional DLP cannot stop incidents like these because they can\'t be predefined. But Adaptive Email DLP can avert potential disasters in real time with simple, on-screen prompts for users so that they can correct any mistakes. With a complete timeline of each incident-what was being sent, who it was being sent to and why it was stopped-security teams get actionable insight into common mistakes and intentional attempts to misdirect company data to personal or | Ransomware Data Breach Tool | ||
 |
2024-06-25 00:00:00 | WatchGuard lance la solution ThreatSync+ NDR assistée par l\'IA, pour renforcer la détection et la réponse globales aux cybermenaces (lien direct) | Paris, le 25 juin 2024. WatchGuard® Technologies, l\'un des leaders mondiaux de la cybersécurité unifiée, annonce le lancement de ThreatSync+ NDR et de WatchGuard Compliance Reporting. ThreatSync+ NDR est une solution adaptée aux entreprises de toute taille, qui disposent d\'équipes informatiques réduites ou de ressources limitées en matière de cybersécurité. Premier produit de la nouvelle gamme ThreatSync+, ThreatSync+ NDR automatise et simplifie le monitoring continu, ainsi que la détection des menaces et la prise de mesures correctives à l\'aide d\'un moteur de détection avancé basé sur l\'IA. La solution se fraye un chemin à travers les milliards de flux du réseau pour mettre en évidence les risques et les menaces exploitables, avec rapidité et efficacité. Cette solution XDR ouverte offre une visibilité sur le trafic réseau est-ouest et nord-sud qui n\'était auparavant accessible qu\'aux grandes entreprises disposant des ressources nécessaires pour gérer leur propre SOC (centre d\'opérations de sécurité). L\'IA moderne pour une détection et une réponse améliorées aux menaces ThreatSync+ NDR utilise un moteur d\'IA avancé reposant sur une approche de réseau neuronal à double couche, une technologie clé issue de l\'acquisition de CyGlass par WatchGuard en 2023. Le moteur d\'IA de ThreatSync+ corrèle et présente les anomalies sous forme d\'incidents classés par risque et par ordre de priorité. Les fournisseurs de services managés (MSP) et les professionnels de la sécurité informatique disposent ainsi d\'un tableau de bord intuitif indiquant l\'emplacement de l\'incident, les appareils, les utilisateurs et la chronologie, ce qui leur permet de se concentrer sur les menaces les plus critiques, de passer en revue les directives de mitigation et, en fin de compte, de mieux protéger leurs organisations. Gilles Macchioni, Directeur Technique Régional d\'OCI Informatique et Digital. explique : " WatchGuard ThreatSync+ NDR fournit une couche de protection avancée supplémentaire qui était auparavant hors de portée. Auparavant, la mise en œuvre du NDR était difficile en raison de sa complexité et des coûts d\'exploitation élevés qu\'il entraînait. Étant donné que l\'architecture de WatchGuard basée dans le Cloud ne nous oblige pas à installer ou à gérer du matériel complémentaire, nous pouvons déployer ThreatSync+ NDR pour nos clients rapidement, aisément et de manière rentable. Grâce à la protection avancée et abordable basée sur l\'IA proposée par WatchGuard ThreatSync+NDR, nous pouvons désormais offrir à nos clients une protection accrue tout en créant des opportunités de croissance significatives pour notre entreprise ". ThreatSync+ NDR en action ThreatSync+ NDR surveille les attaques à mesure qu\'elles surviennent sur le réseau et excelle dans la détection des attaques qui ont échappé aux défenses périmétriques, notamment les ransomwares, les vulnérabilités et les attaques touchant la supply chain. Les attaquants ne peuvent pas déceler ThreatSync+ NDR car la solution utilise l\'IA pour rechercher les actions des attaquants dissimulées dans le trafic du réseau. Par ailleurs, les attaquants ne peuvent pas se cacher de ThreatSync+, car ils doivent utiliser le réseau pour étendre leur attaque. Cela signifie que le NDR est le seul à pouvoir détecter les différentes étapes d\'une attaque, notamment les appels de commande et de contrôle, les mo | Tool Threat Cloud | ||
|
2024-06-24 21:29:22 | RedJuliett parrainé par l'État chinois s'intensifie le cyber-espionnage taïwanais via l'exploitation du périmètre du réseau Chinese State-Sponsored RedJuliett Intensifies Taiwanese Cyber Espionage via Network Perimeter Exploitation (lien direct) |
#### Targeted Geolocations - Taiwan #### Targeted Industries - Government Agencies & Services - Diplomacy/International Relations - Information Technology - Education - Higher Education ## Snapshot Recorded Future\'s Insikt Group identified cyber-espionage activities conducted by RedJuliett, tracked by Microsoft as [Flax Typhoon](https://security.microsoft.com/intel-profiles/1d86849881abbb395d908d2739d9ad57e901d557fa8c25e0b3fd281e13764ff0), targeting government, academic, technology, and diplomatic organizations in Taiwan. ## Description Researchers have identified that RedJuliett has compromised 24 organizations, including government entities in Taiwan, Laos, Kenya, and Rwanda. They have also conducted network reconnaissance and exploitation attempts against over 70 academic, government, think tank, and technology organizations in Taiwan, as well as a number of de facto embassies on the island. RedJuliett\'s exploitation techniques involve creating SoftEther VPN bridges or clients within victim networks. They use Acunetix Web Application Security Scanners for reconnaissance and exploit attempts, focusing on SQL injection and directory traversal attacks against web and SQL applications. After gaining access, they employ open-source web shells and exploit privilege escalation vulnerabilities in the Linux operating system. Their infrastructure management involves SoftEther VPN, utilizing both threat actor-controlled leased servers and compromised infrastructure from Taiwanese universities. These activities align with Beijing\'s strategic goals to gather intelligence on Taiwan\'s economic policies, trade, and diplomatic relations. Additionally, the group has targeted critical technology companies, underscoring the sector\'s significance to Chinese state-sponsored threat actors. ## Microsoft Analysis Active since 2021, Flax Typhoon is a nation-state activity group based in China. The group is known to primarily target government, education, critical manufacturing, and information technology organizations in Taiwan. Flax Typhoon typically conducts espionage, data theft, and credential access. Microsoft has [previously reported](https://security.microsoft.com/intel-explorer/articles/3a50641d) on Flax Typhoon leveraging SoftEther VPN and living-off-the-land (LOTL) techniques to gain initial access and maintain persistince within Taiwanese victim networks. LOTL techniques leverage trusted tools and processes to bypass security detections. ## Recommendations ### Defending against Flax Typhoon attacks - Keep public-facing servers up to date to defend against malicious activity. As prime targets for threat actors, public-facing servers need additional monitoring and security. User input validation, file integrity monitoring, behavioral monitoring, and web application firewalls can all help to better secure these servers. - Monitor the Windows registry for unauthorized changes. The [Audit Registry](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-registry) feature allows administrators to generate events when specific registry keys are modified. Such policies can detect registry changes that undermine the security of a system, like those made by Flax Typhoon. - Use network monitoring and intrusion detection systems to identify unusual or unauthorized network traffic. If an organization does not use RDP for a specific business purpose, any RDP traffic should be considered unauthorized and generate alerts. - Ensure that Windows systems are kept updated with the latest security patches. - Mitigate the risk of compromised valid accounts by enforcing strong multifactor authentication (MFA) policies using hardware security keys or Microsoft Authenticator. [Passwordless sign-in methods](https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless) (for example, Windows Hello, FID | Tool Vulnerability Threat | ||
 |
2024-06-24 19:22:00 | Vulnérabilité critique RCE découverte dans l'outil d'infrastructure de l'ICLAMA Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool (lien direct) |
Les chercheurs en cybersécurité ont détaillé une faille de sécurité désormais paires affectant la plate-forme d'infrastructure de l'intelligence artificielle open-source (IA) d'Ollla qui pourrait être exploitée pour réaliser l'exécution du code distant.
Suivi sous le nom de CVE-2024-37032, la vulnérabilité a été nommée Problama par la société de sécurité cloud Wiz.Après la divulgation responsable le 5 mai 2024, le problème a été résolu en version
Cybersecurity researchers have detailed a now-patch security flaw affecting the Ollama open-source artificial intelligence (AI) infrastructure platform that could be exploited to achieve remote code execution. Tracked as CVE-2024-37032, the vulnerability has been codenamed Probllama by cloud security firm Wiz. Following responsible disclosure on May 5, 2024, the issue was addressed in version |
Tool Vulnerability Cloud | ||
 |
2024-06-24 16:53:18 | Installations chimiques averties d'un éventuel vol de données dans la violation de la CISA CSAT Chemical facilities warned of possible data theft in CISA CSAT breach (lien direct) |
La CISA avertit que son environnement d'outil d'évaluation de la sécurité chimique (CSAT) a été violé en janvier après que les pirates ont déployé un webshell sur son appareil Ivanti, exposant potentiellement des évaluations et des plans de sécurité sensibles.[...]
CISA is warning that its Chemical Security Assessment Tool (CSAT) environment was breached in January after hackers deployed a webshell on its Ivanti device, potentially exposing sensitive security assessments and plans. [...] |
Tool | ||
 |
2024-06-24 14:59:36 | Symantec avertit la campagne d'espionnage par le renseignement chinois ciblant les opérateurs de télécommunications asiatiques Symantec warns of espionage campaign by Chinese Intelligence targeting Asian telecom operators (lien direct) |
Les chercheurs de l'équipe Hunter de Symantec \\ ont émis une alerte sur une vaste campagne d'espionnage en utilisant des outils liés à ...
Researchers from Symantec\'s Threat Hunter Team issued an alert over an extensive espionage campaign using tools related to... |
Tool Threat | ||
|
2024-06-24 14:46:29 | La nouvelle plate-forme PHAAS permet aux attaquants de contourner l'authentification à deux facteurs New PhaaS Platform Lets Attackers Bypass Two-Factor Authentication (lien direct) |
#### Targeted Geolocations - Eastern Europe - Northern Europe - Southern Europe - Western Europe - Middle East - Central America and the Caribbean - North America - South America #### Targeted Industries - Financial Services ## Snapshot EclecticIQ analysts discovered phishing campaigns targeting financial institutions using QR codes embedded in PDF attachments to direct victims to phishing URLs. ## Description The attacks were facilitated by a Phishing-as-a-Service (PhaaS) platform called ONNX Store, which operates through Telegram bots. ONNX Store includes a two-factor authentication (2FA) bypass mechanism that intercepts 2FA requests, increasing the success rate of Business Email Compromise (BEC) attacks. The phishing pages mimic Microsoft 365 login interfaces, tricking targets into entering their authentication details. Analysts believe with high confidence that ONNX Store is likely a rebranded version of the Caffeine phishing kit, discovered by Mandiant in 2022, based on overlapping infrastructure and Telegram advertisements. The Arabic-speaking threat actor MRxC0DER is thought to be the developer and maintainer of Caffeine, and likely provides client support for ONNX Store. ONNX Store offers various services via Telegram bots, including phishing templates, webmail services, and bulletproof hosting. It leverages Cloudflare to delay takedown processes and evade detection, using features like CAPTCHA and IP proxying to protect malicious sites. ONNX Store distributes PDF documents with embedded QR codes that direct victims to phishing pages, often impersonating reputable services like Adobe or Microsoft 365. These QR codes are difficult for organizations to detect, especially on mobile devices. Most phishing campaigns target financial institutions in the EMEA and AMER regions, including banks and credit unions. The phishing kit uses encrypted JavaScript to evade detection and captures 2FA tokens in real-time, relaying them to attackers. ONNX Store also provides bulletproof hosting, allowing cybercriminals to operate without shutdown risks. The broader implications of these phishing toolkits include aiding credential theft and ransomware attacks. ## Microsoft Analysis ## Detections/Hunting Queries EclecticIQ identified two YARA Rules that can be used to identifiy potentially malicious domains or PDF Files from the ONNX Store. HUNT\_CRIME\_ONNX\_PHISHING\_URL is designed to identify specific patterns associated with malicious domains that utilize ONNX Store API such as default error messages and Telegram support links. | rule HUNT\_CRIME\_ONNX\_PHISHING\_URL { meta: description = "Searches for default ONNX Store API error" author = "Arda Buyukkaya" date = "2024-05-23" hash = "77e03c77a2bdbc09d5279fa316a35db0" strings: $contact\_link = "https://t.me/ONNXIT" $support\_message = "Please contact ONNX SUPPORT" $expired\_api = "Your API has been expired" condition: all of them } | | --- | MAL\_CRIME\_ONNX\_Store\_Phishing\_PDF\_QR is designed to detect potenetioally malcioius QR codes with PDF files. | rule MAL\_CRIME\_ONNX\_Store\_Phishing\_PDF\_QR { meta: description = "Detects potentially malicious PDFs based on structural patterns" author = "Arda Buyukkaya" date = "2024-05-17" hash = "0250a5ba26791e7ffddb4b294d486479" strings: $pdf = "%PDF-" $magic\_classic = "%!FontType1-1." $magic\_font = /obj\s\*]\*\/Subtype\s\*\/Type1/ $magic\_font2 = /obj\s\* | Ransomware Tool Threat Mobile | ||
 |
2024-06-24 14:24:06 | Ce qu\'il faut savoir sur les totems d\'affichage dynamique d\'intérieur (lien direct) | Dans un monde où la communication visuelle prend de plus en plus d'importance, les totems d'affichage dynamique d'intérieur se révèlent être des outils indispensables pour capter l'attention et transmettre efficacement des messages. | Tool | ||
|
2024-06-24 14:16:35 | Sécurité centrée sur l'homme dans l'écosystème de cybersécurité et la stratégie Better Together de Pointpoint \\ Human Centric Security in the Cybersecurity Ecosystem and Proofpoint\\'s Better Together Strategy (lien direct) |
In my previous blog, I detailed how Proofpoint has redefined email security, a central pillar of what Gartner has termed Human-Centric Security, one of their three strategic priorities for CISOs in 2024 and 2025. Now I\'d like to give you an idea of how we think human-centric security fits with the rest of the modern security stack and how the current trend toward more comprehensive security solution architectures is influencing our strategic direction. The Third Era It\'s worthwhile to start with a bit of history. In our view, we\'ve entered the third major evolution of cybersecurity. In the earliest period, the perimeter was established, and basic controls were put in place. The technologies were fewer and less capable, but the consequences of security failures were nowhere near as severe as they are now. In the second era, the perimeter largely dissolved and the rapid adoption of new technologies during the heyday of digital transformation led to a massive proliferation of point security solutions, cropping up nearly as fast as the tools they were meant to secure. Unfortunately, the cost of the security engineering, operational integration, and alert response required for these tools to be effective often outweighed the risk mitigation they provided. Now we\'ve arrived a phase where the security architectures of the future are finally taking shape. They share several key characteristics: they\'re highly integrated, cloud-deployed, and align to what security teams really need to protect: their infrastructure, the apps that run on it, the data that powers those applications, and of course the humans that simultaneously constitute their organization\'s greatest asset and biggest risk. The Pillars of a Modern Security Architecture To protect the spectrum between infrastructure and people, five key control planes have emerged. The first of those components is the network, where controls have moved past the classic confines of the firewall, proxy, VPN, and other network devices to the cloud-based consolidated services that make up the modern Secure Access Services Edge (SASE). Secondly, endpoint and server protection evolved into first Endpoint Detection and Response (EDR) and then XDR as servers were increasingly replaced by cloud workloads. That of course leaves the human element, to which I\'ll return shortly, and the two cross-architecture layers: the operational processes, increasingly automated, that drive the controls and respond to the alerts they generate, and the identity fabric, both human and machine, that ties everything together. These architectures are powerful on their own, and their effectiveness compounds when they\'re well integrated. Attackers have often exploited the gaps between poorly implemented and monitored security controls to pass from a compromise of a person\'s credentials through the network to the administrative privileges that make ransomware so disruptive. Frustrating adversaries becomes much more achievable when well-integrated security controls reinforce each other, providing not just defense in depth but also defense in breadth. For example, an attacker\'s job is much harder when the malicious attachment they use to try and target a person is blocked and analyzed, with the resulting intelligence shared across SASE and XDR. Human-Centric Security and the Ecosystem With the rise of these modern security architectures, our controls for protecting networks, endpoints, and infrastructure have evolved, becoming more comprehensive, adaptive, and effective. With over 90% of breaches involving the human element, Proofpoint\'s human-centric security platform uniquely does the same for people and integrates with the key leaders across the other five components of the modern security stack. In pioneering human-centric security, we\'ve brought together previously disconnected functionality to accomplish two critical goals. The first is helping organizations protect their people from targeted attacks, impersonation, and supplier risk, along with making their people more resilien | Ransomware Tool Threat Prediction Cloud | ||
|
2024-06-24 12:48:47 | Faits saillants hebdomadaires OSINT, 24 juin 2024 Weekly OSINT Highlights, 24 June 2024 (lien direct) |
## Snapshot Last week\'s OSINT reporting reveals a persistent focus on sophisticated cyber espionage and ransomware campaigns by state-sponsored threat actors and advanced cybercriminal groups. Key trends include the exploitation of known vulnerabilities in network devices and hypervisors by Chinese groups like Velvet Ant and UNC3886, leveraging custom malware for long-term access and data theft. Meanwhile, actors active in the Middle Eastern and South Asian such as Arid Viper and UTA0137 continue to target adversaries with trojanized apps and Linux malware, respectively. Additionally, innovative social engineering techniques, like those used by TA571 and ClearFake, highlight the evolving methods threat actors employ to deliver diverse payloads, including ransomware and information stealers. The consistent targeting of critical infrastructure, government entities, and high-value enterprises underscores the need for robust, multi-layered cybersecurity defenses to mitigate these sophisticated and persistent threats. ## Description 1. **[Arid Viper Espionage Campaigns](https://sip.security.microsoft.com/intel-explorer/articles/19d9cd7d)**: ESET researchers uncovered Arid Viper\'s espionage campaigns targeting Android users in Egypt and Palestine. The campaigns distribute trojanized apps through dedicated websites, focusing on user data espionage with their AridSpy malware, a sophisticated multistage Android spyware. 2. **[Velvet Ant Exploits F5 BIG-IP](https://sip.security.microsoft.com/intel-explorer/articles/e232b93d)**: Sygnia analysts revealed that the Chinese cyberespionage group Velvet Ant exploited vulnerabilities in F5 BIG-IP appliances to deploy malware like PlugX, enabling long-term access and data theft. These incidents emphasize the threat posed by persistent threat groups exploiting network device vulnerabilities. 3. **[UNC3886 Targets Hypervisors](https://sip.security.microsoft.com/intel-explorer/articles/faed9cc0)**: Google Cloud reported that Mandiant investigated UNC3886, a suspected Chinese cyberespionage group, targeting hypervisors with sophisticated malware and exploiting vulnerabilities in FortiOS and VMware technologies. The group utilized rootkits and custom malware for persistence and command and control. 4. **[UTA0137 Cyber-Espionage Campaign](https://sip.security.microsoft.com/intel-explorer/articles/bc2b5c55)**: Volexity identified Pakistan-based UTA0137 targeting Indian government entities with DISGOMOJI malware, which uses Discord for command and control. The campaign targets Linux systems, employing various persistence mechanisms and exploiting vulnerabilities like DirtyPipe for privilege escalation. 5. **[Proofpoint Highlights Copy-Paste Attacks](https://sip.security.microsoft.com/intel-explorer/articles/c75089e9)**: Proofpoint researchers reported that threat actors, including TA571 and ClearFake, are using techniques that prompt users to copy and paste malicious PowerShell scripts. These campaigns deliver various malware, including DarkGate and NetSupport, through clever social engineering tactics that trick users into compromising their systems. 6. **[Shinra and Limpopo Ransomware](https://sip.security.microsoft.com/intel-explorer/articles/b7a96cbd)**: FortiGuard Labs identified the emergence of Shinra and Limpopo ransomware strains in early 2024. Shinra ransomware exfiltrates data before encryption, while Limpopo targets ESXi environments, affecting multiple countries and causing significant disruptions. 7. **[CVE-2024-4577 Vulnerability Exploits](https://sip.security.microsoft.com/intel-explorer/articles/8635c515)**: Cyble Global Sensor Intelligence detected multiple scanning attempts exploiting CVE-2024-4577, a vulnerability in Windows affecting PHP installations. Threat actors are using this flaw to deploy ransomware and malware, emphasizing the urgent need for organizations to upgrade PHP versions to mitigate risks. 8. **[SmallTiger Malware Targets South Korea](https://sip.security.microsoft.com/intel-explorer/articles/3f29a6c8)**: The AhnLab Securi | Ransomware Malware Tool Vulnerability Threat Mobile Cloud | APT-C-23 | |
|
2024-06-24 10:34:00 | Multiples acteurs de menace déploient un rat Rafel open source pour cibler les appareils Android Multiple Threat Actors Deploying Open-Source Rafel RAT to Target Android Devices (lien direct) |
Les acteurs de menaces multiples, y compris les groupes de cyber-espionnage, utilisent un outil d'administration à distance Android open source appelé Rafel Rat pour atteindre leurs objectifs opérationnels en le faisant passer pour Instagram, WhatsApp et diverses applications de commerce électronique et antivirus.
"Il offre aux acteurs malveillants une boîte à outils puissante pour l'administration et le contrôle à distance, permettant une gamme d'activités malveillantes
Multiple threat actors, including cyber espionage groups, are employing an open-source Android remote administration tool called Rafel RAT to meet their operational objectives by masquerading it as Instagram, WhatsApp, and various e-commerce and antivirus apps. "It provides malicious actors with a powerful toolkit for remote administration and control, enabling a range of malicious activities |
Tool Threat Mobile | ||
|
2024-06-24 10:00:00 | COMMERCIAL BUSINESS COMPROMISSE (BEC): Suivi des affaires d'un acteur de menace \\ Business Email Compromise (BEC): Tracking a Threat Actor\\'s Funny Business (lien direct) |
Executive Summary
In a recent LevelBlue incident response engagement, an analyst in our managed detection and response (MDR) security operations center (SOC) responded to an alarm that was triggered by a suspicious email/inbox rule. The rule aimed to conceal responses to an internal phishing attempt from the account user, so the attacker could solicit funds from the company\'s users. According to a report by the Cybersecurity and Infrastructure Security Agency (CISA), “Email systems are the preferred attack vector for malicious phishing campaigns. Recent reporting shows 32 percent of breaches involve phishing attacks.”
What are inbox/email rules? These are automated instructions set up within an email client to manage incoming emails based on specified criteria. They can perform various actions such as moving emails to specific folders, marking them as read, forwarding them to other addresses, or even deleting them. While email rules are designed to streamline email management and improve user productivity, they can also be exploited by malicious actors. Why are they a powerful tool for attackers? They allow for the automation of malicious activities with minimal manual intervention. The MITRE ATT&CK framework classifies these techniques under ID: T1564.008 (Hide Artifacts: Email Rules) and ID: T1114 (Email Collection). By setting up rules to hide, forward, or delete specific emails, attackers can effectively manage their intrusion and avoid detection.
During the triage of the alarm, the analyst analyzed various artifacts and event logs to understand the extent of the compromise. They examined email logs and account activity to identify the initial point of entry and the methods used by the attacker. Their rapid detection of the suspicious rule and subsequent analysis of the user activity logs was crucial in uncovering the attacker’s strategy and preventing further damage.
Introduction
In this incident, the attacker used an email rule to hide responses to an internal phishing email, ensuring that the compromised user would remain unaware of the ongoing malicious activity. This approach aligns with tactics seen in the MITRE ATT&CK framework, where attackers use email rules to hide evidence of their activities and maintain persistence (T1564.008). This allows them to maintain control over compromised accounts for longer periods, increasing the potential for data exfiltration and other malicious actions.
Investigation
The Alarm
The SOC analyst received an alarm from a Microsoft Exchange data source indicating that a suspicious inbox rule had been created. They examined the event that activated the alarm and quickly discerned from the rule parameters that this was case of business email compromise (BEC).
Figure 1: Alarm for suspicious inbox rule
Below, you can see the email parameters included within the newly created inbox rule, which was later identified to be created by the malicious actor who compromised the user’s account.
Figure 2: Snippet of the raw log showing the created rule parameters
Each parameter’s function is as follows:
AlwaysDeleteOutlookRulesBlob: False – Indicates that the rule blob (a data structure used to store rules) is not set to be deleted automatically, allowing the rule to remain active and persistent
Force: False – Suggests that the rule was not forcibly applied, which might imply that the attacker wanted to avoid drawing attention by making the c |
Tool Threat | ||
|
2024-06-24 09:56:44 | L'outil d'évaluation de la sécurité chimique de CISA \\ frappé par la cyberattaque, documents sensibles potentiellement exposés CISA\\'s Chemical Security Assessment Tool hit by cyberattack, sensitive documents potentially exposed (lien direct) |
L'Agence américaine de sécurité de la cybersécurité et de l'infrastructure & # 8217; s (CISA) outil d'évaluation de la sécurité chimique (CSAT) a connu une violation de cybersécurité par ...
The U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Chemical Security Assessment Tool (CSAT) experienced a cybersecurity breach by... |
Tool | ||
 |
2024-06-24 03:00:36 | Règlement sur la sécurité IoT: une liste de contrôle de conformité & # 8211;Partie 1 IoT Security Regulations: A Compliance Checklist – Part 1 (lien direct) |
L'Internet des objets (IoT) fait référence au réseau mondial d'appareils physiques connectés à Internet, capable de collecter et de partager des données.Les appareils IoT vont des articles ménagers quotidiens aux outils industriels sophistiqués.En intégrant les capteurs et le matériel de communication, l'IoT comble l'écart entre les mondes physiques et numériques, permettant des environnements où les appareils intelligents fonctionnent de manière interconnectée et autonome.La croissance de l'IoT \\ est tirée par la disponibilité croissante de la puissance et de la connectivité de calcul abordables, des progrès de l'analyse des données et de l'intelligence artificielle, et le coût ...
The Internet of Things (IoT) refers to the global network of physical devices connected to the internet, capable of collecting and sharing data. IoT devices range from everyday household items to sophisticated industrial tools. By integrating sensors and communication hardware, IoT bridges the gap between the physical and digital worlds, enabling environments where smart devices operate interconnectedly and autonomously. IoT\'s growth is driven by the increasing availability of affordable computing power and connectivity, advances in data analytics and artificial intelligence, and the cost... |
Tool Industrial | ||
 |
2024-06-24 02:14:10 | Snowflake Breach Balles de neige alors que de plus en plus de victimes, Perps, se manifestent Snowflake breach snowballs as more victims, perps, come forward (lien direct) |
Aussi: les outils internes d'Apple divulgués qui n'étaient pas \\ 't;Les pirates de pirates de télévision condamnés;et certaines vulnes critiques aussi infosec en bref La boule de difficulté descendante à Snowflake continue de croître, avec plus de victimes & # 8211;et même l'un des intrus présumés & # 8211;se manifester la semaine dernière.…
Also: The leaked Apple internal tools that weren\'t; TV pirate pirates convicted; and some critical vulns, too Infosec in brief The descending ball of trouble over at Snowflake keeps growing larger, with more victims – and even one of the alleged intruders – coming forward last week.… |
Tool | ||
|
2024-06-22 18:38:53 | Nouvelle campagne NetSupport livrée via des packages MSIX New NetSupport Campaign Delivered Through MSIX Packages (lien direct) |
## Instantané Xavier Mertens a identifié une nouvelle campagne NetSupport qui offre un client NetSupport malveillant via des packages MSIX.Les attaquants tirent parti de cette technique pour communiquer avec des ordinateurs infectés sans avoir besoin de développer leur propre infrastructure de commandement et de contrôle (C2). ## Description Le fichier MALICIET MSIX contient tous les composants pour télécharger et installer le client NetSupport, y compris une version portable 7ZIP utilisée pour déballer le client.Le script dans le fichier ouvre d'abord un navigateur pour afficher la page de téléchargement Chrome, vérifie alors si l'ordinateur fait partie d'un domaine Microsoft avant d'installer le client.Le client NetSupport est double compressé et le fichier de configuration révèle l'adresse IP du serveur C2, qui est en baisse pour le moment.Cette campagne représente une méthode à faible coût pour que les attaquants compromettent davantage de victimes. ## Détections / requêtes de chasse Microsoft Defender Antivirus détecte les composants de la menace comme le malware suivant: - Trojan: Win32 / Seheq ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace. - Encouragez les utilisateurs à utiliser Microsoft Edge et d'autres navigateurs Web qui prennent en charge [Microsoft Defender SmartScreen] (https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-smartscreen?ocid=magicti_ta_learndoc), qui identifie)et bloque des sites Web malveillants, y compris des sites de phishing, des sites d'arnaque et des sites contenant des exploits et des logiciels malveillants hôte. - Allumez [Protection du réseau] (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide& ;ocid=Magicti_TA_LearnDdoc) pour bloquerConnexions avec des domaines malveillants et des adresses IP. - Éduquer les utilisateurs à utiliser le navigateur URL du navigateur pour valider cela en cliquant sur un lien dans les résultats de recherche, ils sont arrivés dans un domaine légitime attendu. - Éduquer les utilisateurs à vérifier que le logiciel installé devrait être publié par un éditeur légitime. - Allumez [Protection en cas de nuage] (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-lock-at-first-sight-microsoft-defender-antvirus?View = O365 Worldwide & ocid = magicti_ta_learndoc) dans Microsoft Defender Antivirus ou l'équivalent pour que votre produit antivirus couvre rapidement les outils et techniques d'attaquant en évolution.Les protections d'apprentissage automatique basées sur le cloud bloquent la plupart des variantes nouvelles et inconnues. - Exécutez [Détection et réponse de point de terminaison (EDR) en mode bloc] (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=O365-Worldwide & ocid = magicti_ta_learndoc) afin que Microsoft Defender pour le point final puisse bloquer les artefacts malveillants, même lorsque votre antivirus non microsoft ne détecte pas la menace ou lorsque Microsoft Defender Antivirus fonctionne en mode passif.EDR en mode bloc fonctionne dans les coulisses pour corriger les artefacts malveillants qui sont détectés post-abri. - Activer [Investigation and Remediation] (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide& ;ocid=magicti_ta_learndoc) en mode automatisé complet en mode automatisé;Pour permettre à Microsoft Defender for Endpoint de prendre des mesures immédiates sur les alertes pour résoudre les violations, réduisant considérablement le volume d'alerte. - Allumez [Tamper Protection] (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=O365 worldwide & ocid = magicti_ta_learndoc) pour empêcher les attaquants d'empêcher les ser | Malware Tool Threat | ||
 |
2024-06-21 13:30:00 | Installations chimiques avertis d'une éventuelle exfiltration des données après une violation de la CISA Chemical Facilities Warned of Possible Data Exfiltration Following CISA Breach (lien direct) |
La CISA a informé les installations chimiques que son outil d'évaluation de la sécurité chimique (CSAT) était infiltré par un acteur malveillant et les données sensibles potentiellement exfiltrées
CISA has informed chemical facilities that its Chemical Security Assessment Tool (CSAT) was infiltrated by a malicious actor, and potentially exfiltrated sensitive data |
Tool | ||
 |
2024-06-21 13:00:00 | Comment l'IA génératrice élargit la surface d'attaque des menaces d'initié How generative AI Is expanding the insider threat attack surface (lien direct) |
> À mesure que l'adoption de l'IA générative (Genai) monte, il en va de même pour le risque de menaces d'initiés.Cela exerce encore plus de pression sur les entreprises pour repenser les politiques de sécurité et de confidentialité.En quelques années seulement, l'intelligence artificielle (IA) a radicalement changé le monde du travail.61% des travailleurs du savoir utilisent désormais Genai Tools & # 8212;particulièrement openai & # 8217; s [& # 8230;]
>As the adoption of generative AI (GenAI) soars, so too does the risk of insider threats. This puts even more pressure on businesses to rethink security and confidentiality policies. In just a few years, artificial intelligence (AI) has radically changed the world of work. 61% of knowledge workers now use GenAI tools — particularly OpenAI’s […] |
Tool Threat | ||
 |
2024-06-21 09:13:00 | Les détecteurs de l'IA peuvent-ils nous sauver de Chatgpt?J'ai essayé 6 outils en ligne pour découvrir Can AI detectors save us from ChatGPT? I tried 6 online tools to find out (lien direct) |
Avec l'arrivée soudaine de Chatgpt, les éducateurs et les éditeurs sont confrontés à une poussée inquiétante de soumissions de contenu automatisées.Nous regardons le problème et ce qui peut être fait à ce sujet.
With the sudden arrival of ChatGPT, educators and editors face a worrying surge of automated content submissions. We look at the problem and what can be done about it. |
Tool | ChatGPT | ★★ |
|
2024-06-20 16:19:00 | Surcharge d'outils: pourquoi les MSP se noient toujours avec d'innombrables outils de cybersécurité en 2024 Tool Overload: Why MSPs Are Still Drowning with Countless Cybersecurity Tools in 2024 (lien direct) |
Points forts
Paysage des outils complexes: explorez le large éventail d'outils de cybersécurité utilisés par les MSP, mettant en évidence le défi commun de la gestion de plusieurs systèmes qui peuvent chevaucher les fonctionnalités mais manquer d'intégration.systèmes, ainsi que le coût élevé et la complexité du maintien
Highlights Complex Tool Landscape: Explore the wide array of cybersecurity tools used by MSPs, highlighting the common challenge of managing multiple systems that may overlap in functionality but lack integration.Top Cybersecurity Challenges: Discuss the main challenges MSPs face, including integration issues, limited visibility across systems, and the high cost and complexity of maintaining |
Tool | ★★★ | |
 |
2024-06-20 15:15:55 | Cyber Assaut de décennie sur les télécommunications asiatiques a été retracée aux pirates d'État chinois Decade-Long Cyber Assault on Asian Telecoms Traced to Chinese State Hackers (lien direct) |
> Une campagne d'espionnage de plusieurs années a ciblé les entreprises de télécommunications en Asie avec des outils associés aux groupes chinois.
>A years-long espionage campaign has targeted telecoms companies in Asia with tools associated with Chinese groups. |
Tool | ★★★ | |
 |
2024-06-20 14:04:21 | Disponible maintenant: Veracode Scan pour les ides de jetbrains Available Now: Veracode Scan for JetBrains IDEs (lien direct) |
Veracode SCAN pour le code VS a été l'un des grands succès de l'Expo Floor lors de la conférence de sécurité RSA en mai de cette année.Les gens ont aimé l'intégration de Veracode Static, Veracode SCA et Veracode Fix en une seule extension, donnant aux développeurs les outils pour scanner leur code et résoudre les problèmes avec l'assistance en IA pendant qu'ils développent activement du code.
Ce qu'ils ont demandé, c'était plus d'assistance IDE, et nous sommes donc ravis d'annoncer la disponibilité de Veracode Sast, Veracode SCA et Veracode Fix en trois ides de JetBrains:
Intellij
Pycharme
Ryder
L'installation est simple, recherchez simplement le Veracode Scan à partir de la boîte de dialogue des plugins et l'installation.Si vous n'avez pas les informations d'identification de l'API Veracode, vous devrez les générer et configurer un fichier d'identification ou définir des variables d'environnement.
Une fois que vous avez fait cela, vous serez prêt à commencer à scanner votre code pour des défauts, à analyser votre logiciel tiers pour des vulnérabilités, puis à résoudre les problèmes avec le correctif Veracode.
Laissez \\ jeter un coup d'œil rapidement…
Veracode Scan for VS Code was one of the big hits on the expo floor at the RSA Security conference in May this year. People liked the integration of Veracode Static, Veracode SCA, and Veracode Fix into a single extension, giving developers the tools to scan their code and resolve problems with AI assistance while they are actively developing code. What they asked for was more IDE support, and so we\'re pleased to announce the availability of Veracode SAST, Veracode SCA, and Veracode Fix in three IDEs from JetBrains: IntelliJ Pycharm Ryder Installation is simple, simply search for Veracode Scan from the Plugins dialog and install. If you don\'t have Veracode API credentials, you will need to generate them and configure a credentials file or set environment variables. Once you\'ve done that, you will be ready to start scanning your code for flaws, analyzing your third-party software for vulnerabilities, and then remediating problems with Veracode Fix. Let\'s take a quick look at… |
Tool Vulnerability Conference | ||
 |
2024-06-20 12:00:06 | Augmentez votre qualité de vie avec un centre MSP sécurisé et un centre MSP sécurisé Up your Quality of Life with Secure MSP Hub and Secure MSP Center (lien direct) |
Toute la technologie MSP qui nous entoure est destinée à augmenter notre productivité grâce aux outils et à l'automatisation afin que notre qualité de vie puisse être améliorée.La réalité peut être différente 
All the MSP technology around us is meant to increase our productivity through tools and automation so that our quality of life can be improved. The reality can be different |
Tool | ★★★ | |
 |
2024-06-20 10:17:52 | Opérations de SoC axées sur l'efficacité Efficiency driven SOC operations (lien direct) |
> Dans mon article précédent, j'ai donné un aperçu de la transformation actuelle du marché de la cybersécurité, marquée par des acquisitions et des fusions majeures parmi les acteurs clés, et comment les joueurs de la nouvelle génération affectent profondément les modèles SOC et MSSP.Nous continuons cette série d'articles avec une plongée profonde dans ce que ces nouveaux outils signifient pour les SOC et [& # 8230;]
la Publication Suivante opérations de SoC axées sur l'efficacité est un article de ssekoia.io blog .
>In my previous article, I gave an overview of the current transformation of the cybersecurity market, marked by major acquisitions and mergers among key players, and how new generation players profoundly affect SOC and MSSP models. We continue this series of articles with a deep dive into what these new tools mean for SOCs and, […] La publication suivante Efficiency driven SOC operations est un article de Sekoia.io Blog. |
Tool | ★★★ | |
 |
2024-06-20 10:00:14 | Projet Nap-temps: évaluation des capacités de sécurité offensive des modèles de gros langues Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models (lien direct) |
Posted by Sergei Glazunov and Mark Brand, Google Project Zero IntroductionAt Project Zero, we constantly seek to expand the scope and effectiveness of our vulnerability research. Though much of our work still relies on traditional methods like manual source code audits and reverse engineering, we\'re always looking for new approaches. As the code comprehension and general reasoning ability of Large Language Models (LLMs) has improved, we have been exploring how these models can reproduce the systematic approach of a human security researcher when identifying and demonstrating security vulnerabilities. We hope that in the future, this can close some of the blind spots of current automated vulnerability discovery approaches, and enable automated detection of "unfuzzable" vulnerabilities. Earlier this year, Meta released CyberSecEval 2 (Bhatt et al., 2024), which includes new LLM benchmarks for discovering and exploiting memory safety issues. The authors presented the following conclusion: Another theme is that none of the LLMs do very well on these challenges. For each challenge, scoring a 1.0 means the challenge has been passed, with any lower score meaning the LLM only partially succeeded. The average scores of all LLMs over all tests suggests that LLMs have a ways to go before performing well on this benchmark, and aren’t likely to disrupt cyber exploitation attack and defense in their present states. We find that, by refining the testing methodology to take advantage of modern LLM capabilities, significantly better performance in vulnerability discovery can be achieved. To facilitate effective evaluation of LLMs for vulnerability discovery, we propose below a set of guiding principles. We\'ve implemented these principles in our LLM-powered vulnerability research framework, which increased CyberSecEval2 benchmark performance by up to 20x from the original paper. This approach achieves new top scores of 1.00 on the “Buffer Overflow" tests (from 0.05) and 0.76 on the "Advanced Memory Corruption" tests (from 0.24). We have included a full example trajectory/log in Appendix A. While we have shown that principled agent design can greatly improve the performance of general-purpose LLMs on challenges in the security domain, it\'s the opinion of the Project Zero team that substantial progress is still needed before these tools can have a meaningful impact on the daily work of security researchers. | Tool Vulnerability Threat | ★★ | |
|
2024-06-20 10:00:00 | Les meilleurs serveurs proxy pour la multi-contrat The Best Proxy Servers for Multi-Accounting (lien direct) |
The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article. Business owners are increasingly recognizing its positive impact on business growth. Many marketing and sales strategies use different accounts on a single platform. However, despite its effectiveness in business, not all platforms allow multi-accounting. That’s where residential proxy comes in as an effective solution for multi-accounting. What Proxy Server is the Best for Multi-Accounting? There are several types of proxy servers. You can divide them into datacenter servers, residential servers, or a mix of both. Below, we look at these types and see which is better for this marketing tactic. 1. Datacenter An online datacenter generates and stores the IP addresses of datacenter proxies. As such, they are cloud-generated IPs and often more detectable than residential ones. These proxies aren’t affiliated with any ISP (Internet Server Provider). However, they still provide complete IP authenticity and anonymity. Remember that datacenter IPs are generally part of a large IP pool. Unless they\'re dedicated servers, several users can access them. 2. Residential Residential proxies differ from datacenter ones on a fundamental level, as they source their IPs from ISPs. The IP address a residential server uses belongs to an actual device. As such, it’s more authentic-looking than datacenter-generated ones. This increases its security, geo-targeting abilities, and anonymity. It’s often the better choice for multi-accounting because it better mimics a real user’s behavior. 3. Rotating Rotating proxies are a sub-type of proxy that generates a new IP address for every new connection. You can also set it to generate new IPs within a specific timeframe. Residential rotating proxies are the best option for creating several accounts, as they help avoid IP bans. Its IP rotation lets you manage different accounts from a single device by changing the IP address. As such, it’s our first choice for when you need to manage various logins on platforms. Benefits of Creating Multiple Accounts You might wonder why you need to create multiple logins for one platform. Before we discuss why proxies will benefit you, let’s discuss the advantages of multi-accounting. ● Increased Brand Exposure Managing multiple social media accounts can increase your brand exposure. By liking, sharing, and reposting your content, you spread it further than a single account can. These operations mean you can better engage with clients and create logins dedicated to specific aspects of your brand. ● Improved Customer Stickiness Clients are more loyal to brands that treat them better. By interacting more with clients and facilitating quick sales, you can build trust in the brand. Multiple e-commerce and social media logins ensure you can always complete a sale. ● Branch Out Your Market Share With different logins, you can create accounts geared towards several markets. This helps you grow your market share by releasing various products and services to specific customers. It also enhances your geo-targeted marketing campaigns to become more effective and far-reaching. ● Boosts Marketing Efforts Boosting your marketing efforts will optimize the | Tool | ★★★ | |
 |
2024-06-19 10:50:09 | Intelbroker Hacker revendique la violation d'Apple, vole le code source pour les outils internes IntelBroker Hacker Claims Apple Breach, Steals Source Code for Internal Tools (lien direct) |
Notorious Hacker Intelbroker prétend avoir violé Apple, volant le code source pour les outils internes.Découvrez la violation présumée et l'histoire d'Intelbroker de cibler les grandes entreprises et les entités gouvernementales.
Notorious hacker IntelBroker claims to have breached Apple, stealing source code for internal tools. Learn about the alleged breach and IntelBroker\'s history of targeting major companies and government entities. |
Tool | ★★ | |
|
2024-06-19 03:28:35 | Où la sécurité commence dans vos projets de sécurité Where Security Starts in Your Security Projects (lien direct) |
La mise en œuvre réussie de nouveaux outils et processus dépend non seulement de la technologie elle-même, mais de la gestion méticuleuse de projet.De garantir un accès sécurisé à l'infrastructure sous-jacente, un nouvel outil sera mis en œuvre lors de la définition d'objectifs clairs et de la compréhension de l'empreinte de sécurité du service.Même les premières étapes de votre déploiement peuvent être importantes à long terme.Obtenir toutes les pièces dès le début permet de vous assurer que vous pouvez profiter des avantages d'un déploiement réussi beaucoup plus rapide et plus facile que ceux qui pourraient trébucher aux premières étapes.Définir des objectifs clairs ...
The successful implementation of new tools and processes hinges not just on the technology itself but on meticulous project management. From ensuring secure access to the underlying infrastructure, a new tool will be implemented upon defining clear goals and understanding the security footprint of the service. Even the earliest steps of your rollout can be important in the long run. Getting all the parts right from the onset helps to ensure that you can reap the benefits of a successful deployment far faster and easier than those who might stumble at the initial stages. Defining Clear Goals... |
Tool | ★★★ | |
|
2024-06-18 20:33:27 | From Clipboard to Compromise: A PowerShell Self-Pwn (lien direct) | ## Instantané Les chercheurs de ProofPoint ont identifié une technique qui ordonne aux utilisateurs de copier et de coller des scripts PowerShell malveillants pour infecter leurs ordinateurs par des logiciels malveillants.Des acteurs de menace, dont TA571 et les acteurs derrière le cluster d'activités Clearfake, utilisent cette méthode pour fournir des logiciels malveillants, notamment Darkgate, Matanbuchus, Netsupport et divers voleurs d'informations. ## Description Proofpoint a observé cette technique dans plusieurs campagnes récentes impliquant plusieurs acteurs de menace, y compris ceux qui sont derrière Clearfake et l'acteur de menace TA571, connu pour la distribution des spams menant à des logiciels malveillants et à des infections au ransomware.La chaîne d'attaque nécessite une interaction importante des utilisateurs pour réussir, mais l'ingénierie sociale est suffisamment intelligente pour présenter à quelqu'un ce qui ressemble à un vrai problème et une solution simultanément, ce qui peut inciter un utilisateur à prendre des mesures sans considérer le risque. La campagne Clearfake est un faux cluster d'activités de mise à jour du navigateur qui compromet les sites Web légitimes avec un HTML et un JavaScript malveillants.Le script initial a ensuite chargé un deuxième script à partir d'un domaine qui a utilisé Keitaro TDS pour le filtrage.Si ce deuxième script se chargeait et passait divers chèques, et si la victime continuait de parcourir le site Web, il a été présenté avec une fausse superposition d'avertissement sur le site Web compromis.Cet avertissement leur a demandé d'installer un "certificat racine" pour afficher correctement le site Web. La campagne TA571 comprenait plus de 100 000 messages et ciblé des milliers d'organisations dans le monde.Les e-mails contenaient une pièce jointe HTML qui affichait une page ressemblant à Microsoft Word.La page a également affiché un message d'erreur qui disait l'extension «\\» word en ligne \\ 'n'est pas installée »et a présenté deux options pour continuer:« comment réparer »et« automatique ». Les charges utiles observées comprennent Darkgate, Matanbuchus, Netsupport, Amadey Loader, XMRIG et Lummma Stealer.Les acteurs de la menace expérimentent activement différentes méthodes pour améliorer l'efficacité et trouver plus de voies d'infection pour compromettre un plus grand nombre de systèmes. ## Analyse Microsoft Ces dernières années, Microsoft a suivi le risque croissant que les infostateurs présentent à la sécurité des entreprises.Les infostateurs sont des logiciels malveillants de marchandises utilisés pour voler des informations à un appareil cible et l'envoyer à l'acteur de menace.La popularité de cette classe de logiciels malveillants a conduit à l'émergence d'un écosystème d'infosteller et à une nouvelle classe d'acteurs de menace qui a exploité ces capacités pour mener leurs attaques.Les infostelleurs sont annoncés comme un logiciel malveillant en tant que service (MAAS) offrant & # 8211;Un modèle d'entreprise où les développeurs louent la charge utile de l'infostealer aux distributeurs moyennant des frais. Les voleurs d'informations sont polyvalents et peuvent être distribués sous diverses formes, notamment par le biais de campagnes par e-mail de phishing, de malvertising et de logiciels, de jeux et d'outils maladucs.En règle générale, une fois que l'utilisateur télécharge et lance la charge utile malveillante, il établit des connexions de commande et de contrôle (C2) avec des domaines suspects.Une fois infecté, l'infostaler tente de collecter et finalement exfilter les informations du système, y compris les fichiers, les navigateurs, les appareils et les applications orientés sur Internet aux serveurs C2.En savoir plus [ici sur l'analyse des infostelleurs de Microsoft \\] (https://security.microsoft.com/intel-profileS / 2296D491EA381B532B24F2575F9418D4B6723C17B8A1F507D20C2140A75D16D6). - [darkgate] (https://securit | Ransomware Spam Malware Tool Threat | ★★★★ | |
|
2024-06-18 18:22:59 | Ransomware Roundup _ Shinra et Limpopo Ransomware Ransomware Roundup _ Shinra and Limpopo Ransomware (lien direct) |
#### Géolocations ciblées - Israël - Pologne - Russie - Royaume-Uni - États-Unis ## Instantané Fortiguard Labs Researcha identifié le ransomware Shinra et Limpopo dans leur rapport Ransomware Roundup.Les souches de ransomware de Shinra et Limpopo, émergeant au début de 2024, présentent des techniques avancées et ont ciblé plusieurs pays, provoquant des perturbations importantes en cryptant des fichiers et en exigeant des rançons. ## Description Le ransomware de Shinra, vu pour la première fois en avril 2024, exfiltre les données de la victime avant de chiffrer les fichiers et de supprimer des copies fantômes de volume.Il affecte les victimes en Israël, en Pologne, en Russie, au Royaume-Uni et aux États-Unis, met fin aux processus et aux services, modifie le papier peint de bureau et évite de crypter des fichiers et des répertoires spécifiques. Les ransomwares limpopo, liés aux ransomwares Socotra, ciblent les environnements ESXi et ont été soumis pour scanning en février 2024. Le vecteur d'infection pour les ransomwares limpopo est inconnu, mais il affecte plusieurs pays et crypte des fichiers avec des extensions spécifiques, ajoutant une prolongation ".limpopo" ".aux fichiers de liste blanche.Il laisse tomber une note de rançon exigeant la coopération et fournit un lien pour d'autres instructions. ## Détections / requêtes de chasse Microsoft Defender Antivirus détecte les composants de la menaceComme les logiciels malveillants suivants: - Ransom: Linux / Babuk - Ransom: win64 / akira - rançon: win32 / conti - Trojan: Linux / Filecoder ## ReCommensions Microsoft recommande les atténuations suivantes pour réduire l'impact des menaces de ransomware. - Allumez [Protection en livraison du cloud] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-lock-at-first-sight-microsoft-defender-asvirus?ocid=magicti_ta_learndoc)Dans Microsoft Defender Antivirus ou l'équivalent pour que votre produit antivirus couvre des outils et techniques d'attaquant en évolution rapide.Les protections d'apprentissage automatique basées sur le cloud bloquent une énorme majorité de variantes nouvelles et inconnues. - Allumez [Protection Tamper] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?ocid=Magicti_TA_LearnDoc).Empêcher les attaquants d'empêcher les services de sécurité. - Exécutez [Détection et réponse de point de terminaison (EDR) en mode bloc] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-lock-mode?ocid=Magicti_TA_Learndoc), de sorte que celaLe défenseur du point final peut bloquer les artefacts malveillants, même lorsque votre antivirus non microsoft ne détecte pas la menace ou lorsque l'antivirus Microsoft Defender fonctionne en mode passif.EDR en mode bloc fonctionne dans les coulisses pour corriger les artefacts malveillants détectés après la lutte. - Activer [Investigation and Remediation] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?ocid=Magicti_TA_Learndoc) en mode automatisé complet pour permettre au défenseur de terminer l'action immédiatement sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate sur l'action immédiate surAlertes pour résoudre les violations, réduisant considérablement le volume d'alerte. - Les clients de Microsoft Defender peuvent activer [Règles de réduction de la surface d'attaque] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?ocid=Magicti_TA_LearnDoc) pour prévenir les techniques d'attaque communes utilisées utilisées utiliséDans les attaques de ransomwares.Les règles de réduction de la surface d'attaque sont des pa | Ransomware Malware Tool Threat | ★★★ | |
|
2024-06-18 15:11:00 | De nouveaux cibles malwares cibles exposées Docker API pour l'exploitation de crypto-monnaie New Malware Targets Exposed Docker APIs for Cryptocurrency Mining (lien direct) |
Les chercheurs en cybersécurité ont découvert une nouvelle campagne de logiciels malveillants qui cible les points de terminaison publiquement exposés de l'API dans le but de livrer des mineurs de crypto-monnaie et d'autres charges utiles.
Parmi les outils déployés est un outil d'accès à distance qui est capable de télécharger et d'exécuter plus de programmes malveillants ainsi qu'un utilitaire pour propager les logiciels malveillants via SSH, Cloud Analytics Platform Datadog
Cybersecurity researchers have uncovered a new malware campaign that targets publicly exposed Docket API endpoints with the aim of delivering cryptocurrency miners and other payloads. Included among the tools deployed is a remote access tool that\'s capable of downloading and executing more malicious programs as well as a utility to propagate the malware via SSH, cloud analytics platform Datadog |
Malware Tool Cloud | ★★★ | |
 |
2024-06-18 14:00:00 | Couchée et secrète: Découvrir les opérations d'espionnage UNC3886 Cloaked and Covert: Uncovering UNC3886 Espionage Operations (lien direct) |
Written by: Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, Alex Marvi
Following the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began investigating numerous intrusions conducted by UNC3886, a suspected China-nexus cyber espionage actor that has targeted prominent strategic organizations on a global scale. In January 2023, Mandiant provided detailed analysis of the exploitation of a now-patched vulnerability in FortiOS employed by a threat actor suspected to be UNC3886. In March 2023, we provided details surrounding a custom malware ecosystem utilized on affected Fortinet devices. Furthermore, the investigation uncovered the compromise of VMware technologies, which facilitated access to guest virtual machines. Investigations into more recent operations in 2023 following fixes from the vendors involved in the investigation have corroborated Mandiant\'s initial observations that the actor operates in a sophisticated, cautious, and evasive nature. Mandiant has observed that UNC3886 employed several layers of organized persistence for redundancy to maintain access to compromised environments over time. Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is detected and eliminated. This blog post discusses UNC3886\'s intrusion path and subsequent actions that were performed in the environments after compromising the guest virtual machines to achieve access to the critical systems, including: The use of publicly available rootkits for long-term persistence Deployment of malware that leveraged trusted third-party services for command and control (C2 or C&C) Subverting access and collecting credentials with Secure Shell (SSH) backdoors Extracting credentials from TACACS+ authentication using custom malware Mandiant has published detection and hardening guidelines for ESXi hypervisors and attack techniques employed by UNC3886. For Google SecOps Enterprise+ customer |
Malware Tool Vulnerability Threat Cloud Technical | APT 41 | ★★★ |
|
2024-06-18 11:03:00 | LevelBlue Labs découvre un nouveau chargeur très évasif ciblant les organisations chinoises LevelBlue Labs Discovers Highly Evasive, New Loader Targeting Chinese Organizations (lien direct) |
Executive Summary LevelBlue Labs recently discovered a new highly evasive loader that is being delivered to specific targets through phishing attachments. A loader is a type of malware used to load second-stage payload malware onto a victim’s system. Due to the lack of previous samples observed in the wild, LevelBlue Labs has named this malware “SquidLoader,” given its clear efforts at decoy and evasion. After analysis of the sample LevelBlue Labs retrieved, we uncovered several techniques SquidLoader is using to avoid being statically or dynamically analyzed. LevelBlue Labs first observed SquidLoader in campaigns in late April 2024, and we predict it had been active for at least a month prior. The second-stage payload malware that SquidLoader delivered in our sample is a Cobalt Strike sample, which had been modified to harden it against static analysis. Based on SquidLoader’s configuration, LevelBlue Labs has assessed that this same unknown actor has been observed delivering sporadic campaigns during the last two years, mainly targeting Chinese-speaking victims. Despite studying a threat actor who seems to focus on a specific country, their techniques and tactics may be replicated, possibly against non-Chinese speaking organizations in the near future by other actors or malware creators who try to avoid detections. Loader Analysis In late April 2024, LevelBlue Labs observed a few executables potentially attached to phishing emails. One of the samples observed was ‘914b1b3180e7ec1980d0bafe6fa36daade752bb26aec572399d2f59436eaa635’ with a Chinese filename translating to “Huawei industrial-grade router related product introduction and excellent customer cases.” All the samples LevelBlue Labs observed were named for Chinese companies, such as: China Mobile Group Shaanxi Co Ltd, Jiaqi Intelligent Technology, or Yellow River Conservancy Technical Institute (YRCTI). All the samples had descriptive filenames aimed at luring employees to open them, and they carried an icon corresponding to a Word Document, while in fact being executable binaries. These samples are loaders that download and execute a shellcode payload via a GET HTTPS request to the /flag.jpg URI. These loaders feature heavy evasion and decoy mechanisms which help them remain undetected while also hindering analysis. The shellcode that is delivered is also loaded in the same loader process, likely to avoid writing the payload to disk and thus risk being detected. Due to all the decoy and evasion techniques observed in this loader, and the absence of previous similar samples, LevelBlue Labs has named this malware “SquidLoader”. Most of the samples LevelBlue Labs observed use a legitimate expired certificate to make the file look less suspicious. The invalid certificate (which expired on July 15, 2021) was issued to Hangzhou Infogo Tech Co., Ltd. It has the thumbprint “3F984B8706702DB13F26AE73BD4C591C5936344F” and serial number “02 0E B5 27 BA C0 10 99 59 3E 2E A9 02 E3 97 CB.” However, it is not the only invalid certificate used to sign the malicious samples. The command and control (C&C) servers SquidLoader uses employ a self-signed certificate. In the course of this investigation all the discovered C&C servers use a certificate with the following fields for both the issuer and the subject: Common Name: localhost Organizational Unit: group Organization: Company Locality: Nanjing State/Province: Jiangsu Country: CN When first executed, the SquidLoader duplicates to a predefined location (unless the loader is already present) and then restarts from the new location. In this case the target location was C:\BakFiles\install.exe. This action appears to be an intentional decoy, executing the loader with a non-suspicio | Malware Tool Threat Mobile Prediction Technical | ★★ | |
 |
2024-06-17 17:00:00 | Certaines compétences ne doivent pas être cédées à l'IA Some Skills Should Not Be Ceded to AI (lien direct) |
Les outils d'IA continuent d'essayer de retirer tous les emplois amusants.Voici quelques-unes des raisons pour lesquelles les gens de la cybersécurité (et autres) sautent les tricheurs d'écriture.
AI tools keep trying to take away all the fun jobs. Here are just a few of the reasons for cybersecurity folks (and others) to skip the writing cheats. |
Tool | ★★ | |
 |
2024-06-17 16:50:32 | Défendre votre surface d'attaque en constante évolution Defending your ever-changing attack surface (lien direct) |
Les éléments mêmes cruciaux pour une entreprise et la prospérité de l'entreprise sont également ses plus grandes vulnérabilités du point de vue de la cybersécurité.Les e-mails, les fichiers, les configurations de travail à distance / hybride et divers appareils et outils rationalisent les opérations commerciales, mais présentent également des risques de cybersécurité importants.Ces domaines, où les facteurs externes entrent en jeu, sont les moins sûrs, représentant les vulnérabilités de votre organisation & # 8217; s [& # 8230;]
Le post défendre votre surface d'attaque en constante évolution est apparu pour la première fois sur gourou de la sécurité informatique .
The very elements crucial for a business’s functionality and prosperity are also its greatest vulnerabilities from a cybersecurity standpoint. Emails, files, remote/hybrid work setups, and various devices and tools streamline business operations but also pose significant cybersecurity risks. These areas, where external factors come into play, are the least secure, representing vulnerabilities in your organisation’s […] The post Defending your ever-changing attack surface first appeared on IT Security Guru. |
Tool Vulnerability | ★★★ | |
|
2024-06-17 14:10:41 | Smalltiger Maleware utilisés dans les attaques contre les entreprises sud-coréennes (Kimsuky et Andariel) SmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel) (lien direct) |
#### Targeted Geolocations - Korea ## Snapshot The AhnLab Security Intelligence Center (ASEC) has reported on a series of cyberattacks targeting South Korean businesses utilizing the SmallTiger malware. ## Description While the initial access method remains unidentified, SmallTiger is introduced during the lateral movement phase within the affected companies\' systems. Notably, the targets include South Korean defense contractors, automobile part manufacturers, and semiconductor manufacturers. Initially discovered in November 2023, the attacks showed characteristics of the "Kimsuky" group\'s tactics, but deviated by leveraging software updater programs for internal propagation. Moreover, the presence of DurianBeacon, previously associated with Andariel group attacks, was detected in the compromised systems. Subsequent attacks in February 2024 continued to employ SmallTiger, with variations observed in the malware\'s distribution methods and payloads. ASEC mentions additonal cases which include DurianBeacon attack utalizing MultiRDP Malware and Meterpreter in Novemner 2023, and another SmallTiger attack where the threat actor installed Mimikatz and ProcDump to hijack system credentials. ## Detections/Hunting Queries Microsoft Defender for Endpoint Alerts with the following titles in the security center can indicate threat activity on your network: - Mimikatz credential theft tool The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report. - Malicious credential theft tool execution detected - Suspicious access to LSASS service ## Recommendations Microsoft recommends the following mitigations to reduce the impact of Information Stealer threats. - Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email. - Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware. - Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants. - Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times. - Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordle | Ransomware Spam Malware Tool Threat | ★★★ | |
|
2024-06-17 12:00:17 | Restez conforme: Cisco Secure Workload présente les rapports de pointe et basés sur la personne Stay Compliant: Cisco Secure Workload Introduces State-of-the-art, Persona-based Reporting (lien direct) |
Les outils de sécurité de travail traditionnels ne parviennent souvent pas à fournir des mesures adaptées aux besoins distincts des SECOPS, des administrateurs de réseau ou des cxos. | Tool | ★★ | |
|
2024-06-17 11:42:19 | Faits saillants hebdomadaires, 17 juin 2024 Weekly OSINT Highlights, 17 June 2024 (lien direct) |
## Snapshot Last week\'s OSINT reporting reveals a landscape of cyber threats involving diverse and sophisticated attack strategies by state-sponsored actors and cybercrime organizations. The reports showcase various attack vectors, including phishing campaigns, exploitation of cloud services, and use of malware such as RATs, ransomware, and infostealers. Key threat actors like UNC5537, Kimsuky, and Cosmic Leopard are targeting sectors ranging from cloud computing and aviation to military and government entities, often leveraging stolen credentials and exploiting software vulnerabilities. These incidents underscore the critical need for robust security practices, such as multi-factor authentication and regular credential updates, to defend against increasingly complex and targeted cyber threats. ## Description 1. **[Warmcookie Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/d5d815ce)**: Elastic Security Labs identified Warmcookie, a Windows malware distributed via fake job offer phishing campaigns. The malware establishes C2 communication to gather victim information, execute commands, and drop files, with the campaign ongoing and targeting users globally. 2. **[Snowflake Data Theft](https://sip.security.microsoft.com/intel-explorer/articles/3cb4b4ee)**: Mandiant uncovered UNC5537 targeting Snowflake customers to steal data and extort victims using stolen credentials from infostealer malware. The campaign highlights poor credential management and the absence of MFA, prompting Snowflake to issue security guidance. 3. **[IcedID, Cobalt Strike, and ALPHV Ransomware](https://sip.security.microsoft.com/intel-explorer/articles/b74a41ff)**: DFIR Report analyzed a cyber intrusion deploying IcedID via malicious emails, followed by Cobalt Strike for remote control and ALPHV ransomware for encryption. Attackers used various tools for persistence, reconnaissance, and data exfiltration, showcasing a complex multi-stage attack. 4. **[ValleyRAT Multi-Stage Campaign](https://sip.security.microsoft.com/intel-explorer/articles/c599ee92)**: Zscaler ThreatLabz identified a campaign deploying an updated ValleyRAT by China-based threat actors, using phishing emails and HTTP File Server for malware delivery. The RAT includes advanced evasion techniques and enhanced data collection capabilities. 5. **[APT Attacks Using Cloud Services](https://sip.security.microsoft.com/intel-explorer/articles/bebf8696)**: AhnLab Security Intelligence Center reported APT attacks leveraging Google Drive, OneDrive, and Dropbox to distribute malware. Attackers use malicious scripts and RAT strains to collect user information and perform various malicious activities. 6. **[CoinMiner vs. Ransomware Conflict](https://sip.security.microsoft.com/intel-explorer/articles/58dd52ff)**: ASEC described an incident where a CoinMiner attacker\'s proxy server was compromised by a ransomware actor\'s RDP scan attack. The CoinMiner botnet infection through MS-SQL server vulnerabilities was disrupted by the ransomware attack, illustrating inter-threat actor conflicts. 7. **[Sticky Werewolf Campaign](https://sip.security.microsoft.com/intel-explorer/articles/e3b51ad8)**: Morphisec Labs discovered Sticky Werewolf targeting the aviation industry with phishing campaigns using LNK files. The group, with suspected geopolitical ties, employs CypherIT Loader/Crypter for payload delivery and anti-analysis measures. 8. **[Kimsuky\'s Espionage Campaign](https://sip.security.microsoft.com/intel-explorer/articles/ab73cf6f)**: BlackBerry identified North Korea\'s Kimsuky group targeting a Western European weapons manufacturer with spear-phishing emails containing malicious JavaScript. The campaign underscores the growing threat of cyber espionage in the military sector. 9. **[Operation Celestial Force](https://sip.security.microsoft.com/intel-explorer/articles/0dccc722)**: Cisco Talos reported Cosmic Leopard\'s espionage campaign using GravityRAT and HeavyLift, targeting Indian defense and government sectors. The campaign em | Ransomware Malware Tool Vulnerability Threat Mobile Cloud | ★★ | |
|
2024-06-17 10:41:00 | Neuterat Malware cible les utilisateurs sud-coréens via un logiciel fissuré NiceRAT Malware Targets South Korean Users via Cracked Software (lien direct) |
Des acteurs de menace ont été observés en déploiement d'un malware appelé benerat pour coopt les appareils infectés dans un botnet.
Les attaques, qui ciblent les utilisateurs sud-coréens, sont conçues pour propager les logiciels malveillants sous le couvert de logiciels fissurés, tels que Microsoft Windows, ou des outils qui prétendent offrir une vérification de licence pour Microsoft Office.
"En raison de la nature des programmes de crack, le partage d'informations entre
Threat actors have been observed deploying a malware called NiceRAT to co-opt infected devices into a botnet. The attacks, which target South Korean users, are designed to propagate the malware under the guise of cracked software, such as Microsoft Windows, or tools that purport to offer license verification for Microsoft Office. "Due to the nature of crack programs, information sharing amongst |
Malware Tool Threat | ★★★ | |
|
2024-06-17 10:00:00 | Battre la chaleur et les cyber-menaces cet été Beat the Heat and Cyber Threats This Summer (lien direct) |
The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article. Summer is a time for relaxation, travel, and spending quality moments with family and friends. However, it is also peak season for cybercriminals who exploit the vulnerabilities that arise during this period. Cyberattacks surge during the summer holiday season as businesses and individuals let their guard down. Many companies operate with reduced staff as employees take time off, leaving fewer eyes on critical systems and security measures. Cybersecurity teams, often stretched thin, may not be able to respond as swiftly to threats. Additionally, individuals on vacation might be more inclined to use unsecured networks, fall for enticing travel deals, or overlook phishing attempts amidst their holiday activities. The importance of staying vigilant and informed about common summer scams cannot be overstated. By understanding these threats and taking proactive steps to protect ourselves, we can enjoy our summer holidays without falling victim to these opportunistic attacks. The Surge in Summer Cyberattacks Summer sees a marked increase in cyberattacks, with statistics indicating a significant rise in incidents during this period. For instance, in June alone, cyberattacks globally surged by an alarming 60%. This increase can be attributed to several factors that make the summer season particularly attractive to cybercriminals. One primary reason is the reduction in staff across businesses as employees take their vacations. This often results in Security Operations Centers (SOCs) operating with minimal personnel, reducing the ability to monitor and respond to threats effectively. Additionally, with key cybersecurity professionals out of the office, the remaining team may struggle to maintain the same level of protection. Increased travel also plays an important role. Individuals on vacation are more likely to use unsecured networks, such as public Wi-Fi in airports, hotels, and cafes, which can expose them to cyber threats. Moreover, the general relaxation mindset that accompanies holiday activities often leads to a decrease in caution, making individuals more susceptible to scams and phishing attacks. The impact of this surge in cyberattacks is significant for both individuals and businesses. For individuals, it can mean the loss of personal information and financial assets. For businesses, these attacks can lead to data breaches, financial losses, and reputational damage. Therefore, it is crucial to remain vigilant and take preventive measures during the summer season to mitigate these risks. How to Recognize and Avoid Seasonal Cyber Threats As summer rolls around, cybercriminals ramp up their efforts to expose the relaxed and often less vigilant attitudes of individuals and businesses. Here are some of the most prevalent scams to watch out for during the summer season. Fake Travel Deals One of the most common summer scams involves fake travel deals. Cybercriminals create enticing offers for vacation packages, flights, and accommodations that seem too good to be true. These offers are often promoted through fake websites, social media ads, and phishing emails. Once victims enter their personal and financial information to book these deals, they quickly realize that the offers were fraudulent, and their information is compromised, leading to issues such as identity theft. | Malware Tool Vulnerability Threat Legislation | ★★ | |
|
2024-06-15 20:58:43 | Opération Celestial Force utilise des logiciels malveillants mobiles et de bureau pour cibler les entités indiennes Operation Celestial Force Employs Mobile and Desktop Malware to Target Indian Entities (lien direct) |
#### Géolocations ciblées
- Inde
#### Industries ciblées
- Base industrielle de la défense
- Informatique
- agences et services gouvernementaux
## Instantané
Les analystes de Cisco Talos ont découvert une campagne de logiciels malveillants en cours nommée "Opération Celestial Force", active depuis 2018.
## Description
Cette campagne utilise le [Gravityrat malware] (https://security.microsoft.com/intel-profiles/dca3dd26090d054493961c69bf11b73d52df30d713169853165fbb66a2eb7ba4) pour et un chargeur Windows.Ces infections sont gérées via un outil baptisé "GravityAdmin", qui peut gérer plusieurs campagnes simultanément.Talos attribue cette campagne à un groupe de menaces pakistanais qu'ils appellent «Cosmic Leopard», qui se concentre sur l'espionnage contre les entités indiennes, en particulier dans les secteurs de la défense et du gouvernement.
La campagne utilise deux vecteurs d'infection, l'ingénierie sociale et le phishing de lance pour accéder à ses cibles.Les messages de phishing de lance Spear Phishing se compose de messages envoyés à des cibles avec un langage pertinent et des maldocs qui contiennent des logiciels malveillants tels que GravityRat.
L'autre vecteur d'infection, gagnant en popularité dans cette opération, et maintenant une tactique de base des opérations de Cosmic Leopard \\ consiste à contacter des cibles sur les réseaux sociaux, à établir la confiance avec eux et à leur envoyer un lien malveillant pour télécharger les fenêtres des fenêtres- ou GravityRat basé sur Android ou le chargeur basé sur Windows, Heavylift.
Initialement identifié en 2018, GravityRat a été utilisé pour cibler les systèmes Windows.D'ici 2019, il s'est étendu pour inclure des appareils Android.Heavylift, introduit à peu près au même moment, est un chargeur utilisé pour déployer d'autres logiciels malveillants via l'ingénierie sociale.Talos rapporte une augmentation de l'utilisation des logiciels malveillants mobiles pour l'espionnage ces dernières années.
"GravityAdmin" supervise les appareils infectés à travers divers panneaux spécifiques à la campagne.Ces campagnes, comme «Sierra», «Québec» et «Foxtrot», se caractérisent par l'utilisation de malwares Windows et Android.Cosmic Leopard utilise des tactiques telles que le phishing de lance et l'ingénierie sociale, en contactant souvent des cibles via les médias sociaux pour distribuer des logiciels malveillants.
## Détections / requêtes de chasse
** antivirus **
Microsoft Defender Antivirus détecte les composants de menace comme le FOLlowing malware:
- Trojan: Win32 / Gravityrat
- Trojanspy: Androidos / Grvity.a! Mtb
- Trojanspy: macOS / grvityrat.a! Mtb
- Trojan: MSIL / Gravityrat
## Les références
[Opération Celestial Force utilise un mobileD Desktop malware pour cibler les entités indiennes.] (https://blog.talosintelligence.com/cosmic-leopard/) Cisco Talos (consulté le 2024-06-14)
#### Targeted Geolocations - India #### Targeted Industries - Defense Industrial Base - Information Technology - Government Agencies & Services ## Snapshot Analysts at Cisco Talos have uncovered an ongoing malware campaign named "Operation Celestial Force," active since 2018. ## Description This campaign employs the [GravityRAT malware](https://security.microsoft.com/intel-profiles/dca3dd26090d054493961c69bf11b73d52df30d713169853165fbb66a2eb7ba4) for Android and a Windows-based loader called "HeavyLift." These infections are managed through a tool dubbed "GravityAdmin," which can handle multiple campaigns simultaneously. Talos attributes this campaign to a Pakistani threat group they call "Cosmic Leopard," which focuses on espionage against Indian entities, especially in defense and government sectors. The campaign uses two infection vectors, social engineering and spear phishing to gain access to its targets. Spe |
Malware Tool Threat Mobile Industrial | ★★ | |
|
2024-06-15 20:49:27 | Les attaquants de ransomwares peuvent avoir utilisé la vulnérabilité d'escalade des privilèges comme zéro jour Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day (lien direct) |
## Instantané L'équipe Hunter de Symantec \\ a identifié des preuves suggérant que le groupe de cybercriminalité cardinal (suivi parMicrosoft as [Storm-1811] (https://security.microsoft.com/intel-profiles/0a78394b205d9b9d6cbcbd5f34053d7fc1912c3fa7418ffd0eabf1d00f677a2b)) peut avoira exploité la vulnérabilité du service de rapports d'erreur Windows récemment corrigé ([CVE-2024-26169] (https://security.microsoft.com/intel-explorer/cves/cve-2024-26169/)) en tant que zéro jour. ## Description L'outil d'exploit, déployé dans une récente tentative d'attaque de ransomware étudiée par Symantec, profite d'une vulnérabilité d'escalade de privilèges (CVE-2024-26169) pour créer une clé de registre permettant à l'exploit de démarrer un shell avec des privilèges administratifs.La variante de l'outil utilisé dans cette attaque avait un horodatage de compilation du 27 février 2024, plusieurs semaines avant le correctif de la vulnérabilité.Cela suggère qu'au moins un groupe a peut-être exploité la vulnérabilité comme un jour zéro. Les attaquants \\ 'tactiques, techniques et procédures (TTPS) ressemblaient étroitement à celles décrites dans un récent rapport Microsoft sur l'activité Black Basta] (https://www.microsoft.com/en-us/security/blog/2024/05/15 / ACCORTS D'ACCUPTEURS-MISSUSING-QUICK-ASSIST-IN-Social-Ingenering-Attacks-leading-to-ransomware /), indiquant un potentiel échoué [Black Basta] (https: //security.microsoft.com/intel-profiles/0146164ed5ffa131074fa7e985f779597d2522865baa088f25cd80c3d8d726) Attaque. ## Détections / requêtes de chasse Microsoft Defender Antivirus détecte ThrMangez les composants comme logiciels malveillants suivants: - Trojan: Win32 / Cerber - Trojan: win64 / cryptinject - [comportement: win32 / basta] (https://www.microsoft.com/wdsi/therets/malware-encyclopedia-description?name=behavior:win32/basta.b&Thereatid=-2147132479) - [ransom: win32 / basta] (https://www.microsoft.com/wdsi/therets/malware-encycopedia-dercription?name=ransom:win32/basta.aa& ;thereatid = -2147149077) - [Trojan: Win32 / Basta] (https://www.microsoft.com/wdsi/thereats/malware-encycopedia-dercription?name=trojan:win32/basta!bv& ;thereatid = -2147142676) ## Recommandations Appliquez ces atténuations pour réduire l'impact de cette menace.Vérifiez la carte de recommandations pour l'état de déploiement des atténuations surveillées. - Allumez [Protection en cloud-élivé] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-lock-at-first-sight-microsoft-defender-asvirus?ocid=Magicti%3CEM% 3ETA% 3C / EM% 3ELEARNDOC) dans Microsoft Defender Antivirus ou l'équivalent pour que votre produit antivirus couvre rapidement les outils et techniques d'attaquant en évolution.Les protections d'apprentissage automatique basées sur le cloud bloquent une énorme majorité de variantes nouvelles et inconnues. - Allumez [Protection Tamper] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?ocid=Magicti%3CEM%3ETA% 3C / EM% 3ELEARNDOC) Caractéristiques pour empêcher les attaquants d'empêcher les services de sécurité. - Exécuter [EDR en mode bloc] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/EDR-in-bloc-mode? OCID = magicti% 3cem% 3eta% 3c / em% 3elearndoc) pour que Microsoft Defender Fou un point final peut bloquer les artefacts malveillants, même lorsque votre antivirus non microsoft ne détecte pas la menace ou lorsque Microsoft Defender Antivirus fonctionne en mode passif.EDR en mode bloc fonctionne dans les coulisses pour corriger les artefacts malveillants qui sont détectés post-abri. - Activer [Protection réseau] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?ocid=Magicti%3CEM%3ETA%3C/EM%3ElearnDoc) pour prévenir les applications pour prévenir les applications pour prévenir les applications pour prévenir les applications pour | Ransomware Malware Tool Vulnerability Threat | ★★★ | |
|
2024-06-14 19:48:20 | Kimsuky nord-coréen fabricant d'armes d'attaque en Europe North Korean Kimsuky Attacking Arms Manufacturer In Europe (lien direct) |
#### Géolocations ciblées
- Europe de l'Ouest
#### Industries ciblées
- Fabrication critique
## Instantané
Un chercheur à la menace de Blackberry, Dmitry Melikov, a publié un article sur LinkedIn identifiant que le groupe nord-coréen parrainé par l'État Kimsuky a lancé une campagne de cyber-espionnage ciblant un fabricant d'armes d'Europe occidentale.
## Description
L'attaque a commencé par un e-mail de phisseur de lance contenant un fichier JavaScript malveillant, déguisé en document de description de travail légitime de General Dynamics.Lors de l'ouverture du fichier, le code JavaScript a décodé deux blocs de données Base64, exécutant une charge utile malveillante en arrière-plan.L'outil d'espionnage a fourni à l'attaquant des capacités telles que l'exfiltration d'informations, la capture de captures d'écran et l'établissement de connexions de socket.L'infrastructure C2 a révélé un chevauchement important avec les opérations connues de Kimsuky, conduisant à une évaluation de confiance élevée que Kimsuky est derrière cette campagne.
Cette attaque souligne les risques croissants et les implications géopolitiques potentielles de la cyber-guerre ciblant les industries militaires essentielles, soulignant la nécessité de mesures de cybersécurité accrue dans le secteur de la défense.Le groupe Kimsuky devrait continuer à cibler les entités militaires et aérospatiales dans le monde entier, nécessitant une vigilance et une surveillance continues.
## Les références
[Kimsuky cible un fabricant d'armes en Europe.] (Https://www.linkedin.com/pulse/kimsuky-targeting-arms-manufacturer-europe-dmitry-melikov-dquge/?trackingId=%2fgtbajkvumcz%2bfuihobxja%3d%3d) LinkedIn (consulté 2024-06-10)
[Kimsuky nord-coréen Attacking Arms fabricant en Europe.] (Https://gbhackers.com/north-korean-kimsuky-attacking/) gbhackers (consulté en 2024-06-10)
#### Targeted Geolocations - Western Europe #### Targeted Industries - Critical Manufacturing ## Snapshot A threat researcher at BlackBerry, Dmitry Melikov, posted an article on LinkedIn identifying that the North Korean state-sponsored group Kimsuky launched a cyber-espionage campaign targeting a Western European weapons manufacturer. ## Description The attack began with a spear-phishing email containing a malicious JavaScript file, disguised as a legitimate job description document from General Dynamics. Upon opening the file, the JavaScript code decoded two base64 data blocks, executing a malicious payload in the background. The espionage tool provided the attacker with capabilities such as exfiltrating information, capturing screenshots, and establishing socket connections. The C2 infrastructure revealed significant overlap with known Kimsuky operations, leading to a high-confidence assessment that Kimsuky is behind this campaign. This attack underscores the escalating risks and potential geopolitical implications of cyber warfare targeting essential military industries, highlighting the need for heightened cybersecurity measures in the defense sector. The Kimsuky group is expected to continue targeting military and aerospace-related entities worldwide, necessitating ongoing vigilance and monitoring. ## References [Kimsuky is targetting an arms manufacturer in Europe.](https://www.linkedin.com/pulse/kimsuky-targeting-arms-manufacturer-europe-dmitry-melikov-dquge/?trackingId=%2FGtBajKvuMCZ%2BFUIHObXjA%3D%3D) LinkedIn (accessed 2024-06-10) [North Korean Kimsuky Attacking Arms Manufacturer In Europe.](https://gbhackers.com/north-korean-kimsuky-attacking/) GBHackers (accessed 2024-06-10) |
Tool Threat | ★★★ | |
 |
2024-06-14 14:08:27 | Il est temps de vous mettre au défi dans le CTF Google 2024 Time to challenge yourself in the 2024 Google CTF (lien direct) |
Hlynur Gudmundsson, Software EngineerIt\'s Google CTF time! Install your tools, commit your scripts, and clear your schedule. The competition kicks off on June 21 2024 6:00 PM UTC and runs through June 23 2024 6:00 PM UTC. Registration is now open at goo.gle/ctf. Join the Google CTF (at goo.gle/ctf), a thrilling arena to showcase your technical prowess. The Google CTF consists of a set of computer security puzzles (or challenges) involving reverse-engineering, memory corruption, cryptography, web technologies, and more. Participants can use obscure security knowledge to find exploits through bugs and creative misuse, and with each completed challenge your team will earn points and move up through the ranks. The top 8 teams of the Google CTF will qualify for our Hackceler8 competition taking place in Málaga, Spain later this year as a part of our larger Escal8 event. Hackceler8 is our experimental esport-style hacking game competition, custom-made to mix CTF and speedrunning. |
Tool Technical | ★★ | |
|
2024-06-14 12:26:14 | Tile de l'entreprise de tracker de localisation frappé par la violation de données, les pirates accèdent aux outils internes Location Tracker Firm Tile Hit by Data Breach, Hackers Access Internal Tools (lien direct) |
Des millions d'utilisateurs de carreaux \\ 'Données potentiellement exposées dans une violation de données.Les pirates ont accédé aux outils internes, mais aucune information financière ou données de localisation ne compromise.Soyez prudent des tentatives de phishing.
Millions of Tile users\' data potentially exposed in a data breach. Hackers accessed internal tools, but no financial info or location data compromised. Be cautious of phishing attempts. |
Data Breach Tool | ★★★ | |
|
2024-06-14 00:51:03 | New Warmcookie Windows Backdoor poussée via de fausses offres d'emploi New Warmcookie Windows backdoor pushed via fake job offers (lien direct) |
## Instantané Elastic Security Labs a identifié un nouveau logiciel malveillant Windows appelé "Warmcookie" distribué via de fausses campagnes de phishing pour compromettre les réseaux d'entreprise. ## Description Les e-mails de phishing contiennent des liens vers des pages de destination trompeuses, ce qui a incité les victimes à télécharger un fichier JavaScript obscurci qui exécute finalement la charge utile de chaleur.Une fois exécuté, Warmcookie établit une communication avec son serveur de commande et de contrôle (C2) et commence à collecter des informations sur les victimes, à capturer des captures d'écran, à exécuter des commandes arbitraires et à supprimer des fichiers sur des répertoires spécifiés.Warmcookie utilise diverses techniques telles que les calculs de somme de contrôle CRC32, le cryptage RC4 et la communication HTTP pour la commande et le contrôle. En juin 2024, la campagne est en cours et les acteurs de la menace créent de nouveaux domaines chaque semaine pour soutenir leurs opérations malveillantes, en utilisant une infrastructure compromise pour envoyer des e-mails de phishing.Selon Elastic Security Labs, Warmcookie gagne en popularité et est utilisé dans des campagnes ciblant les utilisateurs du monde entier. ## Détections / requêtes de chasse Microsoft Defender Antivirus détecte les composants de la menace comme le malware suivant: - [Trojan: Win64 / Midie] (HTTPS: //www.microsoft.com/en-us/wdsi/therets/malware-encyclopedia-decription? name = trojan: win64 / midie.gxz! mtb & menaced = -2147058392) ## Concernantfélicitations Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace. - Pilot et déploiement [méthodes d'authentification résistantes au phishing] (https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods) pour les utilisateurs. - appliquer le MFA sur tous les comptes, supprimer les utilisateurs exclus de la MFA et strictement [exiger MFA] (https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-politique) de tous les appareils à tous les endroits à tout moment. - Configurez Microsoft Defender pour Office 365 à [Rechercher les liens sur Click] (https://learn.microsoft.com/en-us/defender-office-365/safe-links-about).Safe Links fournit une analyse et une réécriture des URL des e-mails entrants dans le flux de messagerie et une vérification du temps de clic des URL et des liens dans les e-mails, d'autres applications Microsoft 365 telles que des équipes et d'autres emplacements tels que SharePoint Online.La numérisation des liens sûrs se produit en plus de la [anti-spam] régulière (https://learn.microsoft.com/en-us/defender-office-365/anti-spam-protection-about) et [anti-malware] (https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-about) Protection dans les e-mails entrants dans Microsoft Exchange Online Protection (EOP).La numérisation des liens sûrs peut aider à protéger votre organisation contre les liens malveillants utilisés dans le phishing et d'autres attaques. - Encouragez les utilisateurs à utiliser Microsoft Edge et d'autres navigateurs Web qui prennent en charge [Microsoft Defender SmartScreen] (https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-smartscreen), qui identifie et bloque les sites Web malveillants malveillants, y compris les sites de phishing, les sites d'arnaque et les sites qui hébergent des logiciels malveillants. - Allumez [Protection de livraison du cloud] (https://learn.microsoft.com/en-us/defender-endpoint/cloud-potection-microsoft-defender-asvirus) dans Microsoft Defender Antivirus ou l'équivalent de votre produit antivirus àCouvrir les outils et techniques d'attaque en évolution rapide.Les protections d'apprentissage automatique basées sur le cloud bloquent une majorité de variantes nouvelles et inconnues. - Activer [Protection réseau] (https://learn.microsoft.com/en-us/defe | Malware Tool Threat | ★★★ |
To see everything:
