What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
DarkReading.webp 2017-11-09 09:07:00 OceanLotus APT Group Unfolds New Tactic in Cyber Espionage Campaign (lien direct) The group has begun using compromised websites to profile and target entities of interest to the Vietnamese government, Volexity says. APT 32
bleepingcomputer.webp 2017-11-08 16:16:00 Hacker Wannabes Fooled by Backdoored IP Scanner (lien direct) Wannabe hackers looking to create their very own Reaper botnet might have gotten more than they asked for when they downloaded an IP scanner over the past few weeks. [...] Cloud APT 37
SecurityAffairs.webp 2017-11-07 13:36:51 Vietnamese APT32 group is one of the most advanced APTs in the threat landscape (lien direct) According to the incident response firm Volexity, the Vietnamese APT32 group is today one of the most advanced APTs in the threat landscape. According to the incident response firm Volexity, the cyber espionage campaigns associated with a group operating out of Vietnam and tracked as OceanLotus and APT32 have become increasingly sophisticated. Researchers at Volexity have been tracking the threat actor since […] APT 32
F-Secure.webp 2017-11-03 12:39:20 RickRolled by none other than IoTReaper (lien direct) IoT_Reaper overview IoT_Reaper, or the Reaper in short, is a Linux bot targeting embedded devices like webcams and home router boxes. Reaper is somewhat loosely based on the Mirai source code, but instead of using a set of admin credentials, the Reaper tries to exploit device HTTP control interfaces. It uses a range of vulnerabilities […] Cloud APT 37
SecurityWeek.webp 2017-10-30 12:55:31 Researchers Downplay Size of Reaper IoT Botnet (lien direct) The Mirai-like "Reaper" botnet that began infecting Internet of Things (IoT) devices in late September has only ensnared up to 20,000 bots so far, according to estimates from Arbor Networks. Cloud APT 37
ZDNet.webp 2017-10-30 12:33:00 Fear the Reaper? Experts reassess the botnet's size and firepower (lien direct) Security researchers now say the botnet could be only as big as 28,000 infected devices, but warn that the figure could balloon in size at any given time. APT 37
Chercheur.webp 2017-10-27 20:39:21 Fear the Reaper, or Reaper Madness? (lien direct) Last week we looked at reports from China and Israel about a new "Internet of Things" malware strain called "Reaper" that researchers said infected more than a million organizations by targeting newfound security weaknesses in countless Internet routers, security cameras and digital video recorders (DVRs). Now some botnet experts are calling on people to stop the "Reaper Madness," saying the actual number of IoT devices infected with Reaper right now is much smaller. Arbor Networks said it believes the current actual size of the Reaper botnet fluctuates between 10,000 and 20,000 bots total. Arbor notes that this can change any time. Cloud APT 37
no_ico.webp 2017-10-26 14:15:38 eSentire Security Advisory: Reaper IoT Botnet (lien direct) The ISBuzz Post: This Post eSentire Security Advisory: Reaper IoT Botnet Cloud APT 37
DataSecurityBreach.webp 2017-10-25 23:00:16 Future attack? Mirai's little brother, Reaper, gathers its connected objects (lien direct) Reaper, a new botnet targeting connected objects, is reportedly stockpiling information for a future attack. Reaper, a... This article, Future attack? Mirai's little brother, Reaper, gathers its connected objects, is published by Data Security Breach. Cloud APT 37
Kaspersky.webp 2017-10-25 18:33:18 Hackers Prepping IOTroop Botnet with Exploits (lien direct) Researchers warn that hackers have weaponized a vulnerability that could be used in an IOTroop (or Reaper) attack, bringing the likelihood of an attack one step closer. Cloud APT 37
grahamcluley.webp 2017-10-24 16:14:49 Reaper IoT botnet could be more devastating than Mirai (lien direct) Think the Mirai botnet which launched a DDoS attack that knocked major websites offline last year was bad? It's possible that you ain't seen nothing yet. Cloud APT 37
ZDNet.webp 2017-10-24 12:46:37 After quietly infecting a million devices, Reaper botnet set to be worse than Mirai (lien direct) Reaper is on track to become one of the largest botnets recorded in recent years - and yet nobody seems to know what it will do or when. But researchers say the damage could be bigger than last year's cyberattack. Cloud APT 37
Chercheur.webp 2017-10-23 19:42:42 Reaper: Calm Before the IoT Security Storm? (lien direct) It's been just over a year since the world witnessed some of the world's top online Web sites being taken down for much of the day by "Mirai," a zombie malware strain that enslaved "Internet of Things" (IoT) devices such as wireless routers, security cameras and digital video recorders for use in large-scale online attacks. Now, experts are sounding the alarm about the emergence of what appears to be a far more powerful strain of IoT attack malware -- variously named "Reaper" and "IoTroop" -- that spreads via security holes in IoT software and hardware. And there are indications that over a million organizations may be affected already. Reaper isn't attacking anyone yet. For the moment it is apparently content to gather gloom to itself from the darkest reaches of the Internet. But if history is any teacher, we are likely enjoying a period of false calm before another humbling IoT attack wave breaks. Cloud APT 37
The_Hackers_News.webp 2017-10-21 00:49:26 New Rapidly-Growing IoT Botnet Threatens to Take Down the Internet (lien direct) Just a year after Mirai, the biggest IoT-based malware that caused vast Internet outages by launching massive DDoS attacks, completed its first anniversary, security researchers are now warning of a brand new rapidly growing IoT botnet. Dubbed 'IoT_reaper,' first spotted in September by researchers at the firm Qihoo 360, the new malware no longer depends on cracking weak passwords; instead, it exploits Cloud APT 37
AlienVault.webp 2017-10-20 13:00:00 Things I Hearted this Week 20th October 2017 (lien direct) Another week has passed, and more things continue to catch our attention. So let’s just jump right in. Child safety smartwatches When you’re marketing a ‘smart’ device as a safety device, you better be sure you can secure it. But it appears that manufacturers of child safety smartwatches didn’t get the memo. The fact that attackers can track, eavesdrop, or communicate with the wearers should be of concern to all parents. The data is also transmitted and stored without encryption – similar to how other toys have stored data in the past, only to be breached. It’s irresponsible and puts children’s safety directly at risk. Child safety smartwatches ‘easy’ to hack, watchdog says | BBC Third of business directors have never heard of GDPR With GDPR around the corner, and the feeling that you cannot escape the acronym wherever you go, it is quite concerning to learn that a third of business directors haven’t heard of it. While one can understand if the general public is not aware of the upcoming regulation, it is incumbent upon company directors to be aware of their increased responsibilities under GDPR. GDPR is not just another technical or security requirement, but is based in the fundamental privacy rights of citizens and comes with potentially harsh fines. Despite many months to prepare, it would appear as if GDPR may still catch many companies by surprise. Third of IoD Members Have Never Heard of GDPR | Infosecurity Magazine Ghosts of vulnerabilities past It looks like Microsoft’s bug tracking database was infiltrated back in 2013. The company kept the news quiet and moved on. It’s pretty worrying what someone with all that information could have / would have done. How many exploits were made possible because some bad guy somewhere found some vulnerabilities they could exploit? A good reminder that companies should take a hard look at their assets and their value. Not just value in terms of direct business, but the potential impact on customers. Microsoft responded quietly after detecting secret database hack in 2013 | Reuters Microsoft never disclosed 2013 hack of secret vulnerability database | ars technica Microsoft’s bug tracker was hacked in 2013 but it didn’t tell anyone about it | Silicon Angle Unmasking the ransomware kingpins This is a great read by Elie Bursztein on exposing the cybercriminal groups that dominate the ransomware underworld. It’s the third part in a trilogy of blogs – I probably can’t do it justice so it’s best you go check it out: Unmasking the ransomware kingpins A Stick Figure Guide to the Advanced Encryption Standard (AES) This is an old post – like really old, from 2009. But I only came across it recently and found it to be real APT33 APT 33
bleepingcomputer.webp 2017-10-20 09:30:39 A Gigantic IoT Botnet Has Grown in the Shadows in the Past Month (lien direct) Since mid-September, a new IoT botnet has grown to massive proportions. Codenamed IoT_reaper (Reaper for this article), researchers estimate its current size at nearly two million infected devices. [...] Cloud APT 37
SecurityAffairs.webp 2017-10-18 07:04:09 BAE Systems report links Taiwan heist to North Korean LAZARUS APT (lien direct) Researchers at BAE Systems investigated the recent cyber-heist that targeted a bank in Taiwan and linked the action to the notorious Lazarus APT group. The activity of the Lazarus APT Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated. […] APT 38
AlienVault.webp 2017-10-17 13:00:00 Newly Discovered Iranian APT Group Brings State-sponsored Cyber Espionage into Focus (lien direct) State-sponsored cyber espionage has been rising steadily in recent years. Whether it’s high-profile attacks such as North Korea’s hack of Sony in 2014, China’s alleged hack of the US’s Office of Personnel Management in 2015, or Russia’s alleged hack of the Democratic National Committee in 2016, the stories are mounting. Iran has also been in the cyber espionage news, with major suspected attacks ranging from the Las Vegas Sands attack in 2014 to the DDOS attack on numerous US banks in 2016. Beyond these high-profile attacks, there are also countless examples of low-profile attacks. While these attacks don’t make the major headlines, they may actually be more relevant to your organization. In this blog, we zero in on this lesser-publicized activity, focusing on a recently discovered Iranian hacker group, dubbed APT33, the tools they have developed, and how AlienVault can help you detect this activity in your environment. What is state-sponsored cyber espionage and what are the typical goals? First, a quick primer on state-sponsored cyber espionage. State-sponsored cyber espionage is the act of obtaining secrets and information from individuals, competitors, rivals, groups, governments, and enemies, without the permission and knowledge of the holder of the information, usually for economic, political, or military advantage. The goals of these state-sponsored groups or individuals range from basic theft or sabotage to collecting military and diplomatic information to enabling domestic organizations to compete on a global economic level. Why should you care? Should you be concerned about state-sponsored cyber hacks? In a word, yes. And, it’s really the low-profile attacks from state-sponsored hackers that should be most concerning. This is because the tools and methods that these hackers develop and utilize can be leveraged by other nefarious hackers against your organization. You need to be alerted to and protected against these tools. Who is APT33? This leads us to Iranian group Advanced Persistent Threat 33 (APT33), a group recently chronicled by security firm FireEye. FireEye assessed that APT33 works at the behest of the Iranian government, and they attribute to APT33 many breaches of Saudi Arabian, South Korean, and US organizations ranging from the aviation sector to the energy sector. The primary goals of APT33 appear to be to enhance Iran’s domestic aviation capabilities or to support Iran’s military decision making against Saudi Arabia. Notably, FireEye has found signs of APT33 activity in some of its own clients' networks, but suspects the APT33 intrusions have been on a wider scale. APT33 has unveiled new tools, including a new backdoor. APT33 has developed numerous tools, including a new backdoor called TURNEDUP. TURNEDUP is capable of uploading and downloading files, creating a reverse shell, taking screenshots, and gathering system information. FireEye found that APT33 has also leveraged Dropshot, a drop Guideline APT33 APT 33
bleepingcomputer.webp 2017-10-17 07:50:25 North Korean Hackers Used Hermes Ransomware to Hide Recent Bank Heist (lien direct) Evidence suggests the infamous Lazarus Group, a hacking crew believed to be operating out of North Korea, is behind the recent hack on the Far Eastern International Bank (FEIB) in Taiwan. [...] Medical APT 38
BAE.webp 2017-10-16 22:32:36 Taiwan Heist: Lazarus Tools and Ransomware (lien direct) Written by Sergei Shevchenko, Hirman Muhammad bin Abu Bakar, and James Wong. BACKGROUND: Reports emerged just over a week ago of a new cyber-enabled bank heist in Asia. Attackers targeting Far Eastern International Bank (FEIB), a commercial firm in Taiwan, moved funds from its accounts to multiple overseas beneficiaries. In a story which reminds us of the Bangladesh Bank case – the culprits had compromised the bank's system connected to the SWIFT network and used this to perform the transfers. In recent days, various malware samples have been uploaded to malware repositories which appear to originate from the intrusion. These include both known Lazarus group tools, as well as a rare ransomware variant called 'Hermes' which may have been used as a distraction or cover-up for the security team whilst the heist was occurring. The timeline below provides an overview of the key events: 01 October 2017 Malware compiled containing admin credentials for the FEIB network. 03 October 2017 Transfers using MT103 messages were sent from FEIB to Cambodia, the US and Sri Lanka. Messages to cover the funds for the payments were incorrectly created and sent. 03 October 2017 Breach discovered and ransomware uploaded to online malware repository site. 04 October 2017 Individual in Sri Lanka cashes out a reported Rs30m (~$195,000). 06 October 2017 Medical Wannacry APT 38
MalwarebytesLabs.webp 2017-10-12 16:00:27 Labs report: summer ushers in unprecedented season of breaches (lien direct) In this edition of the Malwarebytes Cybercrime Tactics and Techniques report, we saw a number of high profile breaches targeting the personal information of hundreds of millions of people. We also observed shifts in malware distribution, the revival of some old families, and found cases of international tech support scams. Equifax APT 32
SecurityAffairs.webp 2017-10-10 13:38:53 Iran-linked OilRig hacker group uses a new Trojan in Middle East attacks (lien direct) The Iran-linked cyberespionage group OilRig has been using a new Trojan in attacks aimed at targets in the Middle East. Experts from Palo Alto Networks spotted a new campaign launched by the notorious APT group OilRig against an organization within the government of the United Arab Emirates (UAE). The OilRig hacker group is an Iran-linked APT that has been around since at least […] APT 34
zataz.webp 2017-09-24 17:34:21 Revelations about the Iranian Hacker Group APT33 (lien direct) The APT33 group has targeted the energy and aerospace sectors. A look at their activities and techniques. FireEye has just published a study on the APT33 hackers. Hackers who are believed to operate out of Iran. "Black hackers" who conduct ... APT33 APT 33
Blog.webp 2017-09-22 17:56:58 PODCAST: Cyphort helps companies translate an ocean of network logs into actionable intelligence (lien direct) By Byron V. Acohido More companies are deploying cyber defenses to alert employees when possible threats to data and networks are detected. That's a good thing. What's not so good is that these tools and components can raise alarms so often, a company's tech team is in a constant state of high alert. I had […] APT 32
AlienVault.webp 2017-09-22 13:00:00 Things I hearted this week - September 22 (lien direct) It’s been another hectic week in the world of Infosec / IT security / Cyber Security (choose as appropriate). So let’s jump straight into it. APT 33 Iran is building up its cyber capabilities and the emergence of a group of hackers, dubbed APT33, has given rise to concerns the nation's cyberwarfare units are looking to launch destructive attacks on critical infrastructure, energy and military bodies. Meet APT33: A Gnarly Iranian Hacker Crew Threatening Destruction | Forbes Threat data, IOCs and information on APT33, aka greenbug | OTX Data breaches and Class action lawsuits Should individuals whose data has been breached have the right to sue companies? It’s a tricky question, and one that the courts are seemingly having trouble deciding on. Recently, a judge dismissed two consolidated class actions by more than 21m federal employees who had information breached by the Office of Personnel Management (OPM). The Judge concluded that the federal employees could not establish their threshold right to sue in federal court because they had not shown they faced imminent risk of identity theft, even though nearly two dozen of those named in the class actions claimed their confidential information has already been misused. Hopefully things will change going forward. The problem with identity theft is that it’s not time-dependent. An attacker could hoard details for a long period before committing a crime. And even when an identity is stolen, it is difficult to tie back to where the breach occurred. OPM Data Breach Lawsuit Tossed, Fed Plaintiffs will Appeal | Dark Reading OPM Says Gov't Workers' Data Breach Suit Fails | Law360 In the long run, class actions may not be the best way to redress data breaches | Reuters Somewhat related, My three years in identity theft hell | Bloomberg The Ghost of Windows XP As the lyrics go, “They stab it with their steely knives, but they just can’t kill the beast.” In this case, the beast seems to be Win XP, which, despite being woefully outdated, continues to make its presence felt. The latest announcement being that a fifth of the Manchester police department are running Win XP. Manchester police still relies on Windows XP | BBC Manchester Police are using Windows XP on one in five computers | V3 When insurance goes too far Melina Efthimiadis along with her husband wanted to add personal umbrella liability insurance to their Nationwide homeowner's policy. She says they have been low risk clients so she didn't think it would be a problem. In the application process for Nationwide, Melina says they had to write down the number of dogs they owned and their breeds, wh Guideline CCleaner APT33 APT 33
Kaspersky.webp 2017-09-21 17:54:36 Iranian APT33 Targets US Firms with Destructive Malware (lien direct) APT33 targets petrochemical, aerospace and energy sector firms based in U.S., Saudi Arabia and South Korea with destructive malware linked to StoneDrill. APT33 APT 33
itsecurityguru.webp 2017-09-21 09:31:03 Iranian hacking group APT33 creators of destructive malware (lien direct) Advanced Persistent Threat 33, an Iranian hacking group, has been linked to a series of breaches of companies in the aerospace, defense, and petrochemical industries in countries as wide-ranging as Saudi Arabia, South Korea, and the US. View Full Story ORIGINAL SOURCE: Wired APT33 APT 33 ★★★★★
Pirate.webp 2017-09-21 06:57:39 FireEye reveals the activities of the Iranian group APT33 (lien direct) FireEye, the intelligence-based network security specialist, announces details of an Iranian "hacker" group with potentially destructive capabilities, which it has named APT33. This group has already targeted the energy and aerospace sectors. APT33 APT 33
SecurityAffairs.webp 2017-09-21 06:25:15 (Déjà vu) Iranian cyber spies APT33 target aerospace and energy organizations (lien direct) The Iran-linked APT33 group has been targeting aerospace and energy organizations in the United States, Saudi Arabia, and South Korea. According to security firm FireEye, a cyber espionage group linked to the Iranian Government, dubbed APT33, has been targeting aerospace and energy organizations in the United States, Saudi Arabia, and South Korea. The APT33 group has […] APT33 APT 33
The_Hackers_News.webp 2017-09-20 11:53:19 APT33: Researchers Expose Iranian Hacking Group Linked to Destructive Malware (lien direct) Security researchers have recently uncovered a cyber espionage group targeting aerospace, defence and energy organisations in the United States, Saudi Arabia and South Korea. According to the latest research published Wednesday by US security firm FireEye, an Iranian hacking group that it calls Advanced Persistent Threat 33 (or APT33) has been targeting critical infrastructure, energy and APT33 APT 33
Mandiant.webp 2017-09-20 09:00:00 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware (lien direct) When discussing suspected Middle Eastern hacker groups with destructive capabilities, many automatically think of the suspected Iranian group that previously used SHAMOON – aka Disttrack – to target organizations in the Persian Gulf. However, over the past few years, we have been tracking a separate, less widely known suspected Iranian group with potential destructive capabilities, whom we call APT33. Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government. Recent Malware APT33 APT 33 APT 33 ★★★★
SecurityWeek.webp 2017-09-19 10:47:28 DigitalOcean Warns of Vulnerability Affecting Cloud Users (lien direct) DigitalOcean is warning customers that some 1-Click applications running MySQL have an account with the same default password across all instances, and the company says the issue affects other cloud providers as well. APT 32
NoticeBored.webp 2017-08-23 13:14:19 NBlog August 23 - Information Security outreach (lien direct) Further to yesterday's ISO27k Forum thread and blog piece, I've been contemplating the idea of extending the security awareness program into an "outreach" initiative for Information Security, or at least viewing it in that way. I have in mind a planned, systematic, proactive approach not just to spread the information risk and security gospel, but to forge stronger, more productive working relationships throughout the organization, perhaps even beyond. Virtually every interaction between anyone from Information Security and The Business is a relationship-enhancing opportunity, a chance to inform, communicate/exchange information in both directions, assist, guide, and generally build credibility and Information Security's brand. Doing so has the potential to: Drive or enhance the corporate security culture through Information Security becoming increasingly respected, trusted, approachable, consulted, informed and most of all used, rather than being ignored, feared and shunned (the "No Department"); Improve understanding on all sides, such as identifying business initiatives, issues, concerns and demands for Information Security involvement, at an early enough stage to be able to specify, plan, resource and deliver the work at a sensible pace rather than at the last possible moment with next to no available resources; also knowing when to back off, leaving the business to its own devices if there are other more pressing demands, including situations where accepting information risks is necessary or appropriate for various business reasons; Encourage and facilitate collaboration, cooperation and alignment around common goals; Improve the productivity and effectiveness of Information Security by being more customer-oriented - always a concern with ivory-tower expert functions staffed by professionals who think they (OK, we!) know best; Improve the management and treatment of information risks as a whole through better information security, supporting key business objectives such as being able to exploit business opportunities that would otherwise be too risky, while complying with applicable laws and regulations. Cloud APT 37
The_State_of_Security.webp 2017-08-23 11:04:28 California City Stops Online Utility Bill Payment System amid Breach Fears (lien direct) A California city has temporarily shut down its online utility bill payment system amid fears that the portal suffered a breach. On 22 August 2017, the City Manager’s Office of Oceanside, CA announced a possible security incident affecting its online bill payment system that residents can use to pay their utility (water, sewer, and trash) […] APT 32
AlienVault.webp 2017-08-17 13:00:00 The Upgraded AlienVault OTX API & Ways to Score Swag! (lien direct) We've made a number of improvements to the depth of data in OTX recently, which are now available via the free API tool. Some of the API functions now include: Malware anti-virus and sandbox reports (example) A Whois API, including reverse whois and reverse SSL (example) View IP addresses that our telemetry indicates a specific network signature has fired on (example) The HTTP contents of a domain or URL (example), as well as finding all pages that link to it (example) Passive DNS history (example) Find malware samples that talk to a domain or IP (example) Retrieve malware samples by anti-virus detection (example) Lists of malicious URLs on domains (example) Download all indicators from users that you subscribe to (example) Find pulses based on the adversary, industry or keywords that interest you (example) What could you build? This depth of data could be used for countless things, but here are a couple of examples the API could be used for: Actor Tracking Let’s say you want to get daily updates on an attacker that has targeted your sector before. With the new API, you will get a daily email on name servers they use, domain registration emails they use, and servers that have fired network alerts for their malware. Malicious File Alerting Another common task is when you want to know if files that pass your network or mail gateway (either at the MX or Inbox) are malicious. You can easily extract these files, then check them against OTX to see if they are malicious. Examples Our Python SDK page includes some simple examples of using the API, such as: Storing a feed of malicious indicators on OTX Telling if a Domain, IP, File hash or URL is malicious Cloud APT 37
bleepingcomputer.webp 2017-08-16 16:55:51 North Korean Cyberspies Target US Defense Contractors Following Nuclear Threats (lien direct) The North Korean cyber-espionage group known as the Lazarus Group has been busy hacking US defense contractors, according to a report published on Monday by security research firm Palo Alto Networks. [...] Medical APT 38
AlienVault.webp 2017-08-16 13:00:00 GlobeImposter Ransomware on the Rise (lien direct) Ah, the summer anthem. That quintessential song that defines summertime as much as hot nights, barbeques, and beach vacations. Whether it’s the Beach Boys’ “I Get Around” (1964), Springsteen’s “Dancing in the Dark” (1984), or Pearl Jam’s “Last Kiss” (1999), the summer anthem is transcendent, yet perfectly emblematic of its time. If InfoSec had a 2017 summer anthem, we might be hearing Taylor Swift or Drake singing about ransomware. Wouldn’t that be catchy? That’s because global ransomware campaigns like WannaCry and NotPetya have largely defined the summer season this year, and now, there’s a new ransomware remix topping the charts—GlobeImposter 2.0. Originally detected in March 2017, GlobeImposter 2.0 targets Windows systems and is being distributed through malicious email attachments (MalSpam). In recent weeks, we’ve seen a surge in activity in the Open Threat Exchange (OTX) around GlobeImposter and its many variants. Thus, it’s important to understand how the ransomware initiates, spreads, and evades detection. GlobeImposter Ransomware at a Glance Distribution Method: Malicious email attachment (MalSpam) Type: Trojan Target: Windows systems Variants: many (see below) How GlobeImposter Works The recent GlobeImposter attacks have largely been traced to MalSpam campaigns—emails carrying malicious attachments. In this case, the email messages appear to contain a .zip attachment of a payment receipt, which, in reality, contains a .vbs or .js malware downloader file. Sample email subject lines include: Receipt#83396 Receipt 21426 Payment-421 Payment Receipt 222 Payment Receipt#97481 Payment Receipt_8812 Receipt-351 Payment Receipt_03950 Once the attachment is downloaded and opened, the downloader gets and runs the GlobeImposter ransomware. You can get a list of known malicious domains from the GlobeImposter OTX pulse here. Note that some of the known malicious domains are legitimate websites that have been compromised. Like other pieces of ransomware, GlobeImposter works to evade detection while encrypting your files. After encryption is complete, an HTML ransom note is dropped on the desktop and in the encrypted folders for the victim to find, including instructions for purchasing a decryptor. There are no known free decryptor tools available at this time. You can read a detailed analysis of a sample of GlobeImposter at the Fortinet blog, here, and at Malware Traffic Analysis, here. GlobeImposter Variants on the Rise What’s striking about the recent uptick in GlobeImposter ransomware activity is the near-daily release of new variants of the ransomware. Lawrence Abrams at BleepingComputer has a nice rundown of new GlobeImposter variants and file e NotPetya Wannacry APT 32
SecurityWeek.webp 2017-08-14 14:51:02 North Korea-Linked Hackers Target U.S. Defense Contractors (lien direct) The North Korea-linked cyber espionage group known as Lazarus is believed to be behind attacks targeting individuals involved with United States defense contractors, Palo Alto Networks reported on Monday. APT 38
SecurityWeek.webp 2017-07-27 14:57:39 Iranian Cyberspy Groups Share Malware Code (lien direct) Two cyberspy groups believed to be operating out of Iran, tracked by security firms as OilRig and Greenbug, have apparently shared malware code, according to researchers at Palo Alto Networks. APT 34
Kaspersky.webp 2017-07-27 14:00:36 APT Group Uses Catfish Technique To Ensnare Victims (lien direct) APT Cobalt Gypsy or OilRig, used a fake persona called "Mia Ash" to ensnare tech-savvy workers in the oil and gas industry into downloading PupyRAT malware. APT 34
PaloAlto.webp 2017-07-27 12:00:20 OilRig uses ISMDoor variant; Possibly Linked to Greenbug Threat Group (lien direct) New research from Unit 42: OilRig uses ISMDoor variant; possibly linked to Greenbug threat group. APT 34
AlienVault.webp 2017-06-29 13:00:00 Data Carving in Incident Response - Steps Toward Learning More Advanced DFIR Topics (lien direct) Introduction I have been in information security since March 2010, when I got out of the Navy after navigating nuclear submarines for almost 7 years. Little did I know that with this change of career, I was about to be in for the ride of my life. I have been steadily progressing as a "blue teamer" or enterprise defender this whole time and have undertaken learning one of (what I believe to be) the most difficult blue team trades: reverse engineering malware. The purpose of this blog is to allow readers to follow along if they want to get into the trade as well as to force me to take actual notes periodically. Background: The Beginning To understand my background, here is a graphic showing my career progression: I started my career with only basic fundamental knowledge of information security. However, applying the work ethic and desire to excel I learned in the Submarine Force, I set out to become the best information security professional that I could. My first job out of the Navy was not very technical. I realized this and enrolled for both online and in-person training. I took a UNIX and Linux class in person and that itself has taken me far. I use Linux or a UNIX variation often in my current role and have used it in my past two roles as well. I learned auditing as part of being a government employee, so that I could assess the security of systems to support them, attaining Certification & Accreditation (C&A; now known simply as Authorization in the federal space). I continued to push myself to learn technical concepts and refine my knowledge. After I left the federal government and came back to the same agency as a contractor, my former supervisor commented that I "was too technical to be a 'govvie'." As a UNIX administrator, I was able to unleash my theoretical knowledge and be at ground-zero for technology. 
I was involved with patching and remediation, system migrations from PA-RISC to Itanium, and modernization of the web experience. Over the course of a few years, I had already worked as an auditor, a systems engineer, and a Senior UNIX Administrator focused on security, and had completed my undergraduate and graduate degrees in Information Security as well. At this point, I wanted a change and wanted to be closer to family, so I accepted a job as Director of IT Security/ISSO in Atlanta. Background: 2013 to Mid-2017 When I started this job, I was afforded something I had never had before: freedom and latitude. I found that I could be as technical as I wanted to, as long as it didn't cost much. Over time, I learned how to administer Active Directory, Group Policy, McAfee ePO, Tenable Security Center, Gigamon, and Sourcefire. Prior to this role, I had only managed HP-UX and Red Hat servers. It felt like a knowledge explosion to have a chance to learn so many new things. As Director of IT Security and ISSO, I had to revisit my roots in Governance and Regulatory Compliance (GRC) in writing Policies and Procedures to meet federal and contractual requirements. Beyond this, I was able to build on my technical foundation and deploy, analyze, and maintain various technologies as well as participate in "Hack the Pentagon." This was a confidence booster and a challenge. I had no other security people to consult internally. I had to learn to make things work in an efficient and secure manner. As time went on, things changed with the contract, the management, and the team. Within three years, I had outgrown my position. There was no more opportunity for development or upward mobility and things were beginning to feel toxic. I felt like I was losing my passion for Infosec. Luckily, Sword & Shield came to my rescue. I began my Wannacry APT 32
PaloAlto.webp 2017-06-24 11:00:10 (Déjà vu) Palo Alto Networks News of the Week – June 24, 2017 (lien direct) Did you miss any of this week's Palo Alto Networks action? Don't worry – we've rounded up our top news and views right here: This week Unit 42 shared two new pieces of research Decline in Rig Exploit Kit The New and Improved macOS Backdoor from OceanLotus We helped you get to the bottom of cloud security in this week's Cyberpedia post. Learn more about the new cloud-based Palo Alto Networks Logging Service. The Cybersecurity Canon has a new book review: Artificial Intelligence: A Modern Approach We shared this infographic … APT 32
PaloAlto.webp 2017-06-22 17:00:15 The New and Improved macOS Backdoor from OceanLotus (lien direct) Unit 42 discovers a new version of the OceanLotus backdoor in our WildFire cloud analysis platform which may be one of the more advanced backdoors we have seen on macOS to date. APT 32
ESET.webp 2017-06-21 11:47:47 WannaCryptor attack 'may have come from Lazarus group' (lien direct) Experts in the UK and the US have reportedly claimed that the recent global WannaCryptor ransomware attack was initiated by the North Korean Lazarus Group. Medical Wannacry APT 38
no_ico.webp 2017-06-19 08:15:46 Hidden Cobra And DeltaCharlie: An Explainer (lien direct) The ISBuzz Post: This Post Hidden Cobra And DeltaCharlie: An Explainer Medical APT 38
Kaspersky.webp 2017-06-16 16:00:31 Threatpost News Wrap, June 16, 2017 (lien direct) Mike Mimoso and Chris Brook discuss the news of the week, including Microsoft's XP patches, Hidden Cobra, a Nigerian BEC campaign, MacRansom, and more. Medical APT 38
no_ico.webp 2017-06-14 17:55:58 US Blames North Korean 'Hidden Cobra' Group For Cyber Attacks Since 2009 (lien direct) The ISBuzz Post: This Post US Blames North Korean ‘Hidden Cobra’ Group For Cyber Attacks Since 2009 Medical APT 38
Kaspersky.webp 2017-06-14 17:17:21 DHS, FBI Warn of North Korea 'Hidden Cobra' Strikes Against US Assets (lien direct) DHS and the FBI warned that North Korean attackers are targeting U.S. businesses with malware- and botnet-related attacks that are part of a concerted effort dubbed "Hidden Cobra." Medical APT 38
TechRepublic.webp 2017-06-14 14:22:31 US indicts North Korea for host of cyberattacks, expects more to come (lien direct) A North Korean entity called Hidden Cobra was behind a series of cyberattacks in the US using sophisticated tools and targeting a diverse group of entities. Medical APT 38
Last update at: 2024-07-03 00:15:36
See our sources.
To see everything: Our RSS (filtered) Twitter