What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-11-10 14:11:03 | North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets (lien direct) |
By Jung soo An and Asheer Malhotra, with contributions from Kendall McKay.
Cisco Talos has observed a new malware campaign operated by the Kimsuky APT group since June 2021.Kimsuky, also known as Thallium and Black Banshee, is a North Korean state-sponsored advanced...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
Malware Cloud | APT 37 | |
 |
2021-11-10 12:08:04 | Lazarus hackers target researchers with trojanized IDA Pro (lien direct) | A North Korean state-sponsored hacking group known as Lazarus is again trying to hack security researchers, this time with a trojanized pirated version of the popular IDA Pro reverse engineering application. [...] | Hack | APT 38 APT 28 | |
 |
2021-10-27 16:06:53 | North Korean Hackers Targeting IT Supply Chain: Kaspersky (lien direct) | The North Korea-linked state-sponsored hacking group Lazarus has started to target the IT supply chain in recent attacks, according to cybersecurity firm Kaspersky. | APT 38 APT 28 | ||
 |
2021-10-27 09:30:00 | North Korean Lazarus APT Targets Software Supply Chain (lien direct) | Prolific threat group take a leaf out of the SolarWinds campaign | Threat | APT 38 APT 28 | ★★★★ |
 |
2021-10-27 09:03:08 | North Korea-linked Lazarus APT targets the IT supply chain (lien direct) | North Korea-linked Lazarus APT group is extending its operations and started targeting the IT supply chain on new targets. North Korea-linked Lazarus APT group is now targeting also IT supply chain, researchers from Kaspersky Lab warns. The activity of the Lazarus APT group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. […] | Malware | APT 38 APT 28 | |
 |
2021-10-27 00:14:47 | Latest Report Uncovers Supply Chain Attacks by North Korean Hackers (lien direct) | Lazarus Group, the advanced persistent threat (APT) group attributed to the North Korean government, has been observed waging two separate supply chain attack campaigns as a means to gain a foothold into corporate networks and target a wide range of downstream entities.
The latest intelligence-gathering operation involved the use of MATA malware framework as well as backdoors dubbed BLINDINGCAN |
Malware Threat Medical | APT 38 APT 28 | |
 |
2021-10-26 19:30:37 | Lazarus Attackers Turn to the IT Supply Chain (lien direct) | Kaspersky researchers saw The North Korean state APT use a new variant of the BlindingCan RAT to breach a Latvian IT vendor and then a South Korean think tank. | APT 38 | ||
|
2021-10-26 13:23:54 | North Korean state hackers start targeting the IT supply chain (lien direct) | North Korean-sponsored Lazarus hacking group has switched focus on new targets and was observed by Kaspersky security researchers expanding its supply chain attack capabilities. [...] | APT 38 APT 28 | ||
 |
2021-10-26 11:00:00 | This Groundbreaking Simulator Generates a Huge Indoor Ocean (lien direct) | It's a 32,000-gallon concrete tank with a wind tunnel grafted on top. With it, researchers can study the seas-and climate change-like never before. | APT 32 | ||
|
2021-10-14 14:36:04 | A Telegram Bot Told Iranian Hackers When They Got a Hit (lien direct) | APT35 may not be the most dangerous group out there, but they've got a new phishing trick. | Conference | APT 35 | |
 |
2021-10-12 17:41:00 | Anomali Cyber Watch: Aerospace and Telecoms Targeted by Iranian MalKamak Group, Cozy Bear Refocuses on Cyberespionage, Wicked Panda is Traced by Malleable C2 Profiles, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data leak, Ransomware, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Russian Cyberattacks Pose Greater Risk to Governments and Other Insights from Our Annual Report
(published: October 7, 2021)
Approximately 58% of all nation-state attacks observed by Microsoft between July 2020 and June 2021 have been attributed to the Russian-sponsored threat groups, specifically to Cozy Bear (APT29, Nobelium) associated with the Russian Foreign Intelligence Service (SVR). The United States, Ukraine, and the UK were the top three targeted by them. Russian Advanced Persistent Threat (APT) actors increased their effectiveness from a 21% successful compromise rate to a 32% rate comparing year to year. They achieve it by starting an attack with supply-chain compromise, utilizing effective tools such as web shells, and increasing their skills with the cloud environment targeting. Russian APTs are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53% – largely agencies involved in foreign policy, national security, or defense. Following Russia by the number of APT cyberattacks were North Korea (23%), Iran (11%), and China (8%).
Analyst Comment: As the collection of intrusions for potential disruption operations via critical infrastructure attacks became too risky for Russia, it refocused back to gaining access to and harvesting intelligence. The scale and growing effectiveness of the cyberespionage requires a defence-in-depth approach and tools such as Anomali Match that provide real-time forensics capability to identify potential breaches and known actor attributions.
MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Brute Force - T1110
Tags: Fancy Bear, APT28, APT29, The Dukes, Strontium, Nobelium, Energetic Bear, Cozy Bear, Government, APT, Russia, SVR, China, North Korea, USA, UK, Ukraine, Iran
Ransomware in the CIS
(published: October 7, 2021)
Many prominent ransomware groups have members located in Russia and the Commonwealth of Independent States (CIS) - and they avoid targeting this region. Still, businesses in the CIS are under the risk of being targeted by dozens of lesser-known ransomware groups. Researchers from Kaspersky Labs have published a report detailing nine business-oriented ransomware trojans that were most active in the CIS in the first half of 2021. These ransomware families are BigBobRoss (TheDMR), Cryakl (CryLock), CryptConsole, Crysis (Dharma), Fonix (XINOF), Limbozar (VoidCrypt), Phobos (Eking), Thanos (Hakbit), and XMRLocker. The oldest, Cryakl, has been around since April 2014, and the newest, XMRLocker, was first detected in August 2020. Most of them were mainly distributed via the cracking of Remote Deskto |
Ransomware Malware Tool Threat Guideline Prediction | APT 41 APT 41 APT 39 APT 29 APT 29 APT 28 | |
 |
2021-10-07 11:15:07 | CVE-2021-32172 (lien direct) | Maian Cart v3.8 contains a preauthorization remote code execution (RCE) exploit via a broken access control issue in the Elfinder plugin. | APT 33 | ||
|
2021-10-06 19:06:00 | Inside TeamTNT\'s Impressive Arsenal: A Look Into A TeamTNT Server (lien direct) | Authored By: Tara Gould
Key Findings
Anomali Threat Research has discovered an open server to a directory listing that we attribute with high confidence to the German-speaking threat group, TeamTNT.
The server contains source code, scripts, binaries, and cryptominers targeting Cloud environments.
Other server contents include Amazon Web Services (AWS) Credentials stolen from TeamTNT stealers are also hosted on the server.
This inside view of TeamTNT infrastructure and tools in use can help security operations teams to improve detection capabilities for related attacks, whether coming directly from TeamTNT or other cybercrime groups leveraging their tools.
Overview
Anomali Threat Research has identified a TeamTNT server open to directory listing. The server was used to serve scripts and binaries that TeamTNT use in their attacks, and also for the IRC communications for their bot. The directory appears to have been in use since at least August 2021 and was in use as of October 5, 2021. The contents of the directory contain metadata, scripts, source code, and stolen credentials.
TeamTNT is a German-speaking, cryptojacking threat group that targets cloud environments. The group typically uses cryptojacking malware and have been active since at least April 2020.[1] TeamTNT activity throughout 2021 has targeted AWS, Docker, GCP, Linux, Kubernetes, and Windows, which corresponds to usual TeamTNT activity.[2]
Technical Analysis
Scripts (/cmd/)
Figure 1 - Overview of /cmd/
Contained on the server are approximately 50 scripts, most of which are already documented, located in the /cmd/ directory. The objective of the scripts vary and include the following:
AWS Credential Stealer
Diamorphine Rootkit
IP Scanners
Mountsploit
Scripts to set up utils
Scripts to setup miners
Scripts to remove previous miners
Figure 2 - Snippet of AWS Credential Stealer Script
Some notable scripts, for example, is the script that steals AWS EC2 credentials, shown above in Figure 2. The AWS access key, secret key, and token are piped into a text file that is uploaded to the Command and Control (C2) server.
Figure 3 - Chimaera_Kubernetes_root_PayLoad_2.sh
Another interesting script is shown in Figure 3 above, which checks the architecture of the system, and retrieves the XMRig miner version for that architecture from another open TeamTNT server, 85.214.149[.]236.
Binaries (/bin/)
Figure 4 - Overview of /bin
Within the /bin/ folder, shown in Figure 4 above, there is a collection of malicious binaries and utilities that TeamTNT use in their operations.
Among the files are well-known samples that are attributed to TeamTNT, including the Tsunami backdoor and a XMRig cryptominer. Some of the tools have the source code located on the server, such as TeamTNT Bot. The folder /a.t.b contains the source code for the TeamTNT bot, shown in Figures 5 and 6 below. In addition, the same binaries have been found on a TeamTNT Docker, noted in Appendix A.
|
Malware Tool Threat | Uber APT 32 | |
|
2021-10-06 12:00:00 | Astronomers Get Ready to Probe Europa\'s Hidden Ocean for Life (lien direct) | Jupiter's most enigmatic moon, one of a few ocean worlds in the solar system, will be the target of upcoming missions by NASA and the European Space Agency. | APT 32 | ||
|
2021-09-23 05:01:25 | Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs (lien direct) | By Asheer Malhotra, Vanja Svajcer and Justin Thattil.
Cisco Talos is tracking a campaign targeting government personnel in India using themes and tactics similar to APT36 (aka Mythic Leopard and Transparent Tribe).This campaign distributes malicious documents and archives to deliver the Netwire...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
APT 36 | ||
 |
2021-09-16 23:30:08 | Study confirms superior sound of a Stradivari is due to the varnish (lien direct) | Chemicals used to soak the wood include borax, zinc, copper, alum, and lime water. | Medical | APT 38 | |
|
2021-09-01 15:15:08 | CVE-2021-23427 (lien direct) | This affects all versions of package elFinder.NetCore. The ExtractAsync function within the FileSystem is vulnerable to arbitrary extraction due to insufficient validation. | APT 33 | ||
|
2021-09-01 15:15:08 | CVE-2021-23428 (lien direct) | This affects all versions of package elFinder.NetCore. The Path.Combine(...) method is used to create an absolute file path. Due to missing sanitation of the user input and a missing check of the generated path its possible to escape the Files directory via path traversal | APT 33 | ||
|
2021-08-24 17:11:00 | Anomali Cyber Watch: ProxyShell Being Exploited to Install Webshells and Ransomware, Neurevt Trojan Targeting Mexican Users, Secret Terrorist Watchlist Exposed, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT37 (InkySquid), BlueLight, Ransomware, T-Mobile Data Breach, Critical Vulnerabilities, IoT, Kalay, Neurevt, and ProxyShell. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.
Trending Cyber News and Threat Intelligence
Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit
(published: August 23, 2021)
Despite patches a collection of vulnerabilities (ProxyShell) discovered in Microsoft Exchange being available in the July 2021 update, researchers discovered nearly 2,000 of these vulnerabilities have recently been compromised to host webshells. These webshells allow for attackers to retain backdoor access to compromised servers for further exploitation and lateral movement into the affected organizations. Researchers believe that these attacks may be related to the recent LockFile ransomware attacks.
Analyst Comment: Organizations running Microsoft Exchange are strongly encouraged to prioritize updates to prevent ongoing exploitation of these vulnerabilities. In addition, a thorough investigation to discover and remove planted webshells should be undertaken as the patches will not remove planted webshells in their environments. A threat intelligence platform (TIP) such as Anomali Threatstream can be a valuable tool to assist organizations ingesting current indicators of compromise (IOCs) and determine whether their Exchange instances have been compromised.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Source - T1153
Tags: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, Exchange, ProxyShell, backdoor
LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers
(published: August 20, 2021)
A new ransomware family, named Lockfile by Symantec researchers, has been observed on the network of a US financial organization. The first known instance of this ransomware was July 20, 2021, and activity is ongoing. This ransomware has been seen largely targeting organizations in a wide range of industries across the US and Asia. The initial access vector remains unknown at this time, but the ransomware leverages the incompletely patched PetitPotam vulnerability (CVE-2021-36942) in Microsoft's Exchange Server to pivot to Domain Controllers (DCs) which are then leveraged to deploy ransomware tools to devices that connect to the DC. The attackers appear to remain resident on the network for several |
Ransomware Malware Tool Vulnerability Threat Patching Cloud | APT 37 | |
|
2021-08-19 20:19:04 | InkySquid State Actor Exploiting Known IE Bugs (lien direct) | The North Korea-linked APT group leverages known Internet Explorer vulns for watering-hole attacks. | APT 37 | ||
|
2021-08-19 06:47:34 | NK-linked InkySquid APT leverages IE exploits in recent attacks (lien direct) | North Korea-linked InkySquid group leverages two Internet Explorer exploits to deliver a custom implant in attacks aimed at a South Korean online newspaper. Experts from cybersecurity firm Volexity reported that North Korea-linked InkySquid group (aka ScarCruft, APT37, Group123, and Reaper) leverages two Internet Explorer exploits to deliver a custom backdoor in watering hole attacks aimed at the […] | Cloud | APT 37 | |
|
2021-08-18 01:33:33 | NK Hackers Deploy Browser Exploits on South Korean Sites to Spread Malware (lien direct) | A North Korean threat actor has been discovered taking advantage of two exploits in Internet Explorer to infect victims with a custom implant as part of a strategic web compromise (SWC) targeting a South Korean online newspaper.
Cybersecurity firm Volexity attributed the attacks to a threat actor it tracks as InkySquid, and more widely known by the monikers ScarCruft and APT37. Daily NK, the |
Malware Threat Cloud | APT 37 | |
|
2021-08-10 17:39:00 | Anomali Cyber Watch: GIGABYTE Hit By RansomEXX Ransomware, Seniors\' Data Exposed, FatalRat Analysis, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Chinese state hackers, Data leak, Ransomware, RAT, Botnets, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Actively Exploited Bug Bypasses Authentication On Millions Of Routers
(published: August 7, 2021)
The ongoing attacks were discovered by Juniper Threat Labs researchers exploiting recently discovered vulnerability CVE-2021-20090. This is a critical path traversal vulnerability in the web interfaces of routers with Arcadyan firmware that could allow unauthenticated remote attackers to bypass authentication. The total number of devices exposed to attacks likely reaches millions of routers. Researchers identified attacks originating from China and are deploying a variant of Mirai botnet on vulnerable routers.
Analyst Comment: Attackers have continuous and automated routines to look out for publicly accessible vulnerable routers and exploit them as soon as the exploit is made public. To reduce the attack surface, routers management console should only be accessible from specific public IP addresses. Also default password and other security policies should be changed to make it more secure.
Tags: CVE-2021-20090, Mirai, China
Computer Hardware Giant GIGABYTE Hit By RansomEXX Ransomware
(published: August 7, 2021)
The attack occurred late Tuesday night into Wednesday and forced the company to shut down its systems in Taiwan. The incident also affected multiple websites of the company, including its support site and portions of the Taiwanese website. Attackers have threatened to publish 112GB of stolen data which they claim to include documents under NDA (Non Disclosure Agreement) from companies including Intel, AMD, American Megatrends unless a ransom is paid.
Analyst Comment: At this point no official confirmation from GIGABYTE about the attack. Also no clarity yet on potential vulnerabilities or attack vectors used to carry out this attack.
Tags: RansomEXX, Defray, Ransomware, Taiwan
Millions of Senior Citizens' Personal Data Exposed By Misconfiguration
(published: August 6, 2021)
The researchers have discovered a misconfigured Amazon S3 bucket owned by the Senior Advisor website which hosts ratings and reviews for senior care services across the US and Canada. The bucket contained more than one million files and 182 GB of data containing names, emails, phone numbers of senior citizens from North America. This exposed data was not encrypted and did not require a password or login credentials to access.
Analyst Comment: Senior citizens are at high risk of online frauds. Their personal information and context regarding appointments getting leaked can lead to targeted phishing scams.
Tags: Data Leak, Phishing, North America, AWS
|
Malware Vulnerability Threat Guideline | APT 41 APT 41 APT 30 APT 27 APT 23 | |
|
2021-08-05 15:48:35 | Iran-Linked Hackers Expand Arsenal With New Android Backdoor (lien direct) | The Iran-linked hacking group named Charming Kitten has added a new Android backdoor to its arsenal and successfully compromised individuals associated with the Iranian reformist movement, according to security researchers with IBM's X-Force threat intelligence team. | Threat Conference | APT 35 APT 35 | |
|
2021-08-05 14:16:03 | Black Hat: Charming Kitten Leaves More Paw Prints (lien direct) | IBM X-Force detailed the custom-made "LittleLooter" data stealer and 4+ hours of ITG18 operator training videos revealed by an opsec goof. | APT 35 APT 35 | ||
|
2021-08-04 22:54:00 | #BHUSA: The 9 Lives of the Charming Kitten Nation-State Attacker (lien direct) | IBM X-Force researchers claim that Iranian nation-state attacker continues to be successful using the same tactics, year after year | APT 35 APT 35 | ★★★★★ | |
 |
2021-08-04 20:30:00 | ITG18: Operational Security Errors Continue to Plague Sizable Iranian Threat Group (lien direct) | This blog supplements a Black Hat USA 2021 talk given August 2021. IBM Security X-Force threat intelligence researchers continue to track the infrastructure and activity of a suspected Iranian threat group ITG18. This group’s tactics, techniques and procedures(TTPs) overlap with groups known as Charming Kitten, Phosphorus and TA453. Since our initial report on the group’s training […] | Threat Conference | APT 35 APT 35 | |
|
2021-08-04 15:25:01 | China-linked APT31 targets Russia for the first time (lien direct) | China-linked APT31 group employed a new strain of malware in attacks aimed at entities in Mongolia, Belarus, Canada, the US, and Russia. Researchers from Positive Technologies reported that China-linked APT31 group has been using a new piece of malware in a recent wave of attacks targeting Mongolia, Belarus, Canada, the United States, and Russia. Experts […] | Malware | APT 31 | |
|
2021-08-04 15:15:08 | CVE-2020-24826 (lien direct) | A vulnerability in the elf::section::as_strtab function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | Vulnerability | APT 33 | ★★★★★ |
|
2021-08-04 15:15:08 | CVE-2020-24827 (lien direct) | A vulnerability in the dwarf::cursor::skip_form function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | Vulnerability | APT 33 | ★★ |
|
2021-08-04 15:15:08 | CVE-2020-24825 (lien direct) | A vulnerability in the line_table::line_table function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | Vulnerability | APT 33 | ★★★★★ |
|
2021-08-04 15:15:08 | CVE-2020-24824 (lien direct) | A global buffer overflow issue in the dwarf::line_table::line_table function of Libelfin v0.3 allows attackers to cause a denial of service (DOS). | APT 33 | ★★★★★ | |
|
2021-08-04 15:15:08 | CVE-2020-24823 (lien direct) | A vulnerability in the dwarf::to_string function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | Vulnerability | APT 33 | ★★★★★ |
|
2021-08-04 15:15:08 | CVE-2020-24821 (lien direct) | A vulnerability in the dwarf::cursor::skip_form function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | Vulnerability | APT 33 | ★★★★ |
|
2021-08-04 12:03:07 | Chinese Cyberspy Group APT31 Starts Targeting Russia (lien direct) | China-linked hacking group APT31 has been using new malware in recent attacks targeting Mongolia, Belarus, Canada, the United States, and - for the first time - Russia, according to enterprise cybersecurity firm Positive Technologies. | Malware | APT 31 | |
|
2021-08-04 03:28:13 | New Chinese Spyware Being Used in Widespread Cyber Espionage Attacks (lien direct) | A threat actor presumed to be of Chinese origin has been linked to a series of 10 attacks targeting Mongolia, Russia, Belarus, Canada, and the U.S. from January to July 2021 that involve the deployment of a remote access trojan (RAT) on infected systems, according to new research.
The intrusions have been attributed to an advanced persistent threat named APT31 (FireEye), which is tracked by the |
Threat | APT 31 | |
 |
2021-08-03 14:13:41 | Cybereason pointe les acteurs de la menace chinois qui compromettent des opérateurs télécoms en Asie du Sud-Est (et ailleurs ?) (lien direct) | Alors que l'ANSSI vient de rapporter qu'une campagne de cyberattaques menée par APT31, un groupe de hackers affilié à l'État chinois, est en cours sur des entités françaises, de son côté Cybereason vient de découvrir plusieurs campagnes de cyberattaques à des fins de cyberespionnage menées par des acteurs de la menace chinois et infiltrant d'importants opérateurs télécoms en Asie du Sud-Est. The post Cybereason pointe les acteurs de la menace chinois qui compromettent des opérateurs télécoms en Asie du Sud-Est (et ailleurs ?) first appeared on UnderNews. | APT 31 | ||
|
2021-08-03 04:00:51 | DeadRinger: A Three-Pronged Attack by Chinese Military Actors against Major Telcos (lien direct) | Researchers have discovered three separate Chinese military affiliated advanced threat groups simultaneously targeting and compromising the same Southeast Asian telcos. The attack groups concerned are Soft Cell, Naikon, and a third group, possibly Emissary Panda (also known as APT27). | Threat | APT 30 APT 27 | |
|
2021-07-31 10:10:28 | Attaques APT31 – réaction de Kaspersky (lien direct) | L'ANSSI (Agence nationale de la sécurité des systèmes d'information) a récemment alerté sur une campagne de cyberattaques menée par le groupe APT31 à l'encontre de routeurs en France. Les routeurs seraient utilisés en tant que relais d'anonymisation afin de réaliser des actions de reconnaissance et malveillantes. The post Attaques APT31 – réaction de Kaspersky first appeared on UnderNews. | APT 31 | ||
|
2021-07-31 09:53:50 | TA453 usurpe secrètement l\'université de Londres pour dérober des données personnelles récupérées ensuite par le gouvernement iranien (lien direct) | Alors qu'ils ciblaient en mars dernier les éminents chercheurs en médecine via des campagnes de phishing principalement aux États-Unis et en Israël, l'acteur malveillant TA453 affilié au gouvernement iranien, également connu sous les noms de CHARMING KITTEN et PHOSPHORUS, est de retour avec une nouvelle campagne de leurres par mail, détectée par les chercheurs Proofpoint. The post TA453 usurpe secrètement l'université de Londres pour dérober des données personnelles récupérées ensuite par le gouvernement iranien first appeared on UnderNews. | Conference | APT 35 APT 35 | |
 |
2021-07-29 10:00:46 | APT trends report Q2 2021 (lien direct) | This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc. | Threat | APT 29 APT 31 | |
|
2021-07-28 16:15:07 | CVE-2021-23415 (lien direct) | This affects the package elFinder.AspNet before 1.1.1. The user-controlled file name is not properly sanitized before it is used to create a file system path. | APT 33 | ||
|
2021-07-27 15:00:00 | Anomali Cyber Watch: APT31 Targeting French Home Routers, Multiple Microsoft Vulnerabilities, StrongPity Deploys Android Malware, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptojacking, Downloaders, Malspam, RATs, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Windows “PetitPotam” Network Attack – How to Protect Against It
(published: July 21, 2021)
Microsoft has released mitigations for a new Windows vulnerability called PetitPotam. Security researcher, Gillesl Lionel, created a proof-of-concept script that abuses Microsoft’s NT Lan Manager (NTLM) protocol called MS-EFSRPC (encrypting file system remote protocol). PetitPotam can only work if certain system functions that are enabled if the following conditions are met: NTLM authentication is enabled on domain, active directory certificate services (AD CS) is being used, certificate authority web enrollment or certificate enrollment we service are enabled. Exploitation can result in a NTLM relay attack, which is a type of man-in-the-middle attack.
Analyst Comment: Microsoft has provided mitigation steps to this attack which includes disabling NTLM on a potentially affected domain, in addition to others.
Tags: Vulnerability, Microsoft, PetitPotam, Man-in-the-middle
APT31 Modus Operandi Attack Campaign Targeting France
(published: July 21, 2021)
The French cybersecurity watchdog, ANSSII issued an alert via France computer emergency response team (CERT) discussing attacks targeting multiple French entities. The China-sponsored, advanced persistent threat (APT) group APT31 (Judgment Panda, Zirconium) has been attributed to this ongoing activity. The group was observed using “a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Resource Hijacking - T1496
Tags: APT, APT31, Judgment Panda, Zirconium, Home routers
StrongPity APT Group Deploys Android Malware for the First Time
(published: July 21, 2021)
Trend Micro researchers conducted analysis on a malicious APK sample shared on Twitter by MalwareHunterTeam. The shared sample was discussed as being a trojanized version of an Android app offered on the authentic Syrian E-Gov website, potentially via a watering-hole attack. Researchers took this information and pivoted further to analyze the backdoor functionality of the trojanized app (which is no longer being distributed on the official Syrian E-Gov website). Additional samples were identified to be contacting URLs that are identical to or following previous r |
Malware Tool Vulnerability Threat | Uber APT 31 | |
|
2021-07-22 12:54:44 | China-Linked APT31 Abuses Hacked Routers in Attacks, France Warns (lien direct) | The French National Agency for the Security of Information Systems (ANSSI) on Wednesday issued an alert to warn organizations that a threat group tracked as APT31 has been abusing compromised routers in its recent attacks. | Threat | APT 31 | |
|
2021-07-21 18:15:54 | France ANSSI agency warns of APT31 campaign against French organizations (lien direct) | French cyber-security agency ANSSI warned of an ongoing cyberespionage campaign aimed at French organizations carried out by China-linked APT31 group. The French national cyber-security agency ANSSI warned of ongoing attacks against a large number of French organizations conducted by the Chine-linked APT31 cyberespionage group. The state-sponsored hackers are hijacking home routers to set up a […] | APT 31 | ||
|
2021-07-21 10:13:53 | France warns of APT31 cyberspies targeting French organizations (lien direct) | The French national cyber-security agency today warned of an ongoing series of attacks against a large number of French organizations coordinated by the Chinese-backed APT31 cyberespionage group. [...] | APT 31 | ||
|
2021-07-20 15:00:00 | Anomali Cyber Watch: China Blamed for Microsoft Exchange Attacks, Israeli Cyber Surveillance Companies Help Oppressive Governments, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, APT, Espionage, Ransomware, Targeted Campaigns, DLL Side-Loading, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
UK and Allies Accuse China for a Pervasive Pattern of Hacking, Breaching Microsoft Exchange Servers
(published: July 19, 2021)
On July 19th, 2021, the US, the UK, and other global allies jointly accused China in a pattern of aggressive malicious cyber activity. First, they confirmed that Chinese state-backed actors (previously identified under the group name Hafnium) were responsible for gaining access to computer networks around the world via Microsoft Exchange servers. The attacks took place in early 2021, affecting over a quarter of a million servers worldwide. Additionally, APT31 (Judgement Panda) and APT40 (Kryptonite Panda) were attributed to Chinese Ministry of State Security (MSS), The US Department of Justice (DoJ) has indicted four APT40 members, and the Cybersecurity and Infrastructure Security Agency (CISA) shared indicators of compromise of the historic APT40 activity.
Analyst Comment: Network defense-in-depth and adherence to information security best practices can assist organizations in reducing the risk. Pay special attention to the patch and vulnerability management, protecting credentials, and continuing network hygiene and monitoring. When possible, enforce the principle of least privilege, use segmentation and strict access control measures for critical data. Organisations can use Anomali Match to perform real time forensic analysis for tracking such attacks.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Exploitation of Remote Services - T1210
Tags: Hafnium, Judgement Panda, APT31, TEMP.Jumper, APT40, Kryptonite Panda, Zirconium, Leviathan, TEMP.Periscope, Microsoft Exchange, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, Government, EU, UK, North America, China
NSO’s Spyware Sold to Authoritarian Regimes Used to Target Activists, Politicians and Journalists
(published: July 18, 2021)
Israeli surveillance company NSO Group supposedly sells spyware to vetted governments bodies to fight crime and terrorism. New research discovered NSO’s tools being used against non-criminal actors, pro-democracy activists and journalists investigating corruption, political opponents and government critics, diplomats, etc. In some cases, the timeline of this surveillance coincided with journalists' arrests and even murders. The main penetration tool used by NSO is malware Pegasus that targets both iPho |
Ransomware Malware Tool Vulnerability Threat Studies Guideline Industrial | APT 41 APT 40 APT 28 APT 31 | |
|
2021-07-17 14:25:03 | Gus Grissom taught NASA a hard lesson: “You can hurt yourself in the ocean” (lien direct) | From the archives: Grissom's infamous (and impactful) ocean landing turns 60 this week. | APT 32 | ||
|
2021-07-16 07:14:51 | Talos Takes Ep: #61: SideCopy sounds so familiar, but I just can\'t put my finger on it... (lien direct) | By Jon Munshaw.
The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.
Asheer Malhotra of Talos Outreach has spent the past few months tracking APTs all along the same line. APT 36, aka...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
APT 36 | ★★ | |
 |
2021-07-14 22:29:21 | CHARMING KITTEN : des pirates venus d\'Iran (lien direct) | Baptisée " SpoofedScholars ", cette opération représente l'une des campagnes les plus sophistiquées de TA453. Les pirates se font passer pour d'importante institution universitaire. | APT 35 |
To see everything:
Our RSS (filtrered)
