What's new around the internet

Last one

Source  Date (GMT)  Title  Description  Tags  Stories  Rating
globalsecuritymag  2024-01-08 16:33:27
Yubico released its important cybersecurity tips for 2024
Yubico released its important cybersecurity tips for 2024 - Opinion
Threat ★★★★
Fortinet  2024-01-08 16:00:00
Deceptive Cracked Software Spreads Lumma Variant on YouTube
FortiGuard Labs uncovered a threat group using YouTube channels to spread a private .NET loader for Lumma Stealer 4.0. Learn more.
Threat ★★★
SocRadar  2024-01-08 15:08:06
Cyber Siege: The Growing Threat to the US Healthcare
Last week, the US healthcare sector faced a surge in cyber attacks, marking a troubling...
Threat ★★★
The_Hackers_News  2024-01-08 14:31:00
Webinar – Leverage Zero Trust Security to Minimize Your Attack Surface
Digital expansion inevitably increases the external attack surface, making you susceptible to cyberthreats. Threat actors increasingly exploit the vulnerabilities stemming from software and infrastructure exposed to the internet; this ironically includes security tools, particularly firewalls and VPNs, which give attackers direct network access to execute their attacks. In fact, Gartner
Threat Tool Vulnerability ★★
Checkpoint  2024-01-08 13:17:15
8th January – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 1st January, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES: After ransomware gang INC claimed an attack on Xerox, the company's subsidiary, Xerox Business Solution (XBS), confirmed having suffered a cyber-attack. A Xerox spokesperson said that although personal data from XBS may have been [...]
Threat Ransomware ★★
SocRadar  2024-01-08 11:11:45
Mastercard Data Leak, New Fully Undetectable Ransomware, Elusive Stealer Source Code Leak, and More
In recent discoveries across the cyber threat landscape, the SOCRadar Dark Web Team has identified...
Threat Ransomware ★★
AlienVault  2024-01-08 11:00:00
The Botnet siege: How your toaster could topple a corporation
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

In addition to the overt signs of cyber threats we've become conditioned to recognize, like ransomware emails and strange login requests, malicious actors are now utilizing another way to achieve their nefarious purposes — by using your everyday devices. These hidden dangers are known as botnets. Unbeknownst to most, our everyday devices, from toasters to smart fridges, can unwittingly be enlisted as footsoldiers in a digital army with the potential to bring down even corporate giants. This insidious force operates in silence, escaping the notice of even the most vigilant users. A recent report by Nokia shows that criminals are now using these devices more to orchestrate their attacks. In fact, cyber attacks targeting IoT devices are expected to double by 2025, further muddying the already murky waters. Let us go to the battlements of this siege, and we'll tackle the topic in more depth.

What is a botnet?
Derived from the words "robot" and "network", a botnet refers to a group of devices that have been infected with malicious software. Once infected, these devices are controlled remotely by a central server and are often used to carry out malicious activities such as cyber attacks, espionage, financial fraud, spam email campaigns, stealing sensitive information, or simply the further propagation of malware.

How does a botnet attack work?
A botnet attack begins with the infection of individual devices. Cybercriminals use various tactics to compromise these devices, such as sending malicious emails, exploiting software vulnerabilities, or tricking users into downloading malware. Everyday tech is notoriously prone to intrusion. The initial stages of building a botnet are often achieved with deceptively simple yet elegant tactics.

Recently, a major US energy company fell prey to one such attack, owing to hundreds of phishing emails. By using QR code generators, the attacks combined two seemingly benign elements into a campaign that hit manufacturing, insurance, technology, and financial services companies, apart from the aforementioned energy companies. This new attack vector is now being referred to as Quishing — and unfortunately, it's only going to become more prevalent.

Once a device has been compromised, it becomes part of the botnet. The cybercriminal gains control over these infected devices, which are then ready to follow the attacker's commands. The attacker is then able to operate the botnet from a central command-and-control server to launch various types of attacks. Common ones include:
Distributed denial-of-service (DDoS). The botnet floods a target website or server with overwhelming traffic, causing it to become inaccessible to legitimate users.
Spam emails. Bots can be used to send out massive volumes of spam emails, often containing phishing scams or malware.
Data theft. Botnets can steal sensitive information, such as login credentials or personal data, from the infected devices.
Propagation. S
Threat Ransomware Spam Malware Vulnerability ★★
The_Hackers_News  2024-01-08 10:29:00
North Korea's Cyber Heist: DPRK Hackers Stole $600 Million in Cryptocurrency in 2023
Threat actors affiliated with the Democratic People's Republic of Korea (also known as North Korea) have plundered at least $600 million in cryptocurrency in 2023. The DPRK "was responsible for almost a third of all funds stolen in crypto attacks last year, despite a 30% reduction from the USD 850 million haul in 2022," blockchain analytics firm TRM Labs said last week. "Hacks
Threat Studies ★★
ProofPoint  2024-01-08 06:00:19
Proofpoint Recognized in 2023 Gartner® Market Guide for Insider Risk Management Solutions
It's easy to understand why insider threats are one of the top cybersecurity challenges for security leaders. The shift to remote and hybrid work combined with data growth and cloud adoption has meant it's easier than ever for insiders to lose or steal data. Legacy systems simply don't provide the visibility into user behavior that's needed to detect and prevent insider threats. With so much potential for brand and financial damage, insider threats are now an issue for the C-suite. As a result, businesses are on the lookout for tools that can help them to better manage these threats.

To help businesses understand what to look for, Gartner has recently released its Market Guide for Insider Risk Management Solutions. In this report, Gartner explores what security and risk leaders should look for in an insider risk management (IRM) solution. It also provides guidance on how to implement a formal IRM program. Let's dive into some of its highlights.

Must-have capabilities for IRM tools
Gartner states that IRM "refers to the use of technical solutions to solve a fundamentally human problem." And it defines IRM as "a methodology that includes the tools and capabilities to measure, detect and contain undesirable behavior of trusted accounts in the organization." Gartner identifies three distinct types of users: careless, malicious and compromised. That, we feel, is in line with our view at Proofpoint. And the 2022 Cost of Insider Threats Global Report from Ponemon Institute notes that most insider risks can be attributed to errors and carelessness, followed by malicious and compromised users.

In its Market Guide, Gartner identifies the mandatory capabilities of enterprise IRM platforms:
Orchestration with other cybersecurity tooling
Monitoring of employee activity and assimilating it into a behavior-based risk model
Dashboarding and alerting of high-risk activity
Orchestration and initiation of intervention workflows

This is the third consecutive year that Proofpoint is a Representative Vendor in the Market Guide. Proofpoint was an early and established leader in the market for IRM solutions. Our platform:

Integrates with a broad ecosystem of cybersecurity tools. Our API-driven architecture means it's easy for you to feed alerts into your security tools. That includes security information and event management (SIEM) as well as SOAR and service management platforms, such as Splunk and ServiceNow. That, in turn, helps you gain a complete picture of potential threats.

Provides a single lightweight agent with a dual purpose. With Proofpoint, you get the benefit of data loss prevention (DLP) and ITM in a single solution. This helps you protect against data loss and get deep visibility into user activities. With one agent, you can monitor everyday users. That includes low-risk and regular business users, as well as risky users such as departing employees, privileged users and targeted users.

Offers one centralized dashboard. This saves you time and effort by allowing you to monitor users, correlate alerts and triage investigations from one place. You no longer need to waste your time switching between tools. You can quickly see your riskiest users, top alerts and file exfiltration activity in customizable dashboards.

Includes tools to organize and streamline tasks. Proofpoint ITM lets you change the status of events with ease, streamline workflows and better collaborate with team members. Plus, you can add tags to help group and organize your alerts and work with more efficiency.

DLP and IRM are converging
In its latest Market Guide, Gartner says: "Data loss prevention (DLP) and insider risk strategies are increasingly converging into a unified solution. The convergence is driven by the recognition that preventing data loss and managing insider risks are interconnected goals." A legacy approach relies on tracking data activity. But that approach is no longer sufficient because the modern way of working is more complex. Employees and third parties have access to more data than ever before. And ex
Threat Cloud Tool Technical ★★★
The_State_of_Security  2024-01-08 02:14:07
How to Reduce Your Attack Surface
What is an Attack Surface? An attack surface is the total number of channels, pathways, or areas that threat actors can utilize to gain unauthorized access to networks. The result is that they can obtain private information or carry out a cyber-attack. An attack surface comprises the organizational assets a threat actor can exploit to gain unauthorized access. Attack surfaces include systems that are directly involved in mission-critical operations, as well as those that provide peripheral services or access to important data. Reducing your organization's attack surface is essential to protect...
Threat ★★★
Trend  2024-01-08 00:00:00
Trend Micro's Bug Bounty Program ZDI 2023 Performance
Trend Micro's bug bounty program Zero Day Initiative 2023 performance gives a glimpse inside the world of threat hunting and cyber risk prevention
Threat Prediction ★★★
IndustrialCyber  2024-01-07 07:33:58
Rising significance of OT asset visibility in cybersecurity resilience across critical infrastructure
Critical infrastructure organizations face an increasing cybersecurity threat and attack landscape. To address this, they need to establish...
Threat Industrial ★★
The_Hackers_News  2024-01-06 13:49:00
Sea Turtle Cyber Espionage Campaign Targets Dutch IT and Telecom Companies
Telecommunication, media, internet service providers (ISPs), information technology (IT) service providers, and Kurdish websites in the Netherlands have been targeted as part of a new cyber espionage campaign undertaken by a Türkiye-nexus threat actor known as Sea Turtle. "The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group
Threat
News  2024-01-05 21:54:33
After crippling cancer hospital with ransomware, crims threaten to swat patients
Remember the good old days when ransomware crooks vowed not to infect medical centers? Extortionists are now threatening to swat hospital patients - calling in bomb threats or other bogus reports to the police so heavily armed cops show up at victims' homes - if the medical centers don't pay the crooks' ransom demands.…
Threat Ransomware Medical ★★★★
RiskIQ  2024-01-05 21:14:02
Bandook - A Persistent Threat That Keeps Evolving
#### Description
Bandook is a remote access trojan that has been continuously developed since 2007 and has been used in various campaigns by different threat actors over the years. FortiGuard Labs identified a new Bandook variant being distributed via a PDF file this past October. This PDF file contains a shortened URL that downloads a password-protected .7z file. After the victim extracts the malware with the password in the PDF file, the malware injects its payload into msinfo32.exe. The injector component decrypts the payload in the resource table and injects it into msinfo32.exe. Before the injection, a registry key is created to control the behavior of the payload. The key name is the PID of msinfo32.exe, and the value contains the control code for the payload. Once executed with any argument, Bandook creates a registry key containing another control code that enables its payload to establish persistence, and it then injects the payload into a new process of msinfo32.exe. The payload initializes strings for the key names of registries, flags, APIs, etc. After this, it uses the PID of the injected msinfo32.exe to find the registry key and then decodes and parses the key value to perform the task specified by the control code. The variant we found in October 2023 has two additional control codes, but its injector doesn't create registries for them. One asks the payload to load fcd.dll, which is downloaded by another injected process, and calls fcd.dll's Init function. The other mechanism establishes persistence and executes Bandook's copy. These unused control codes have been removed from even newer variants.
#### Reference URL(s)
1. https://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving
#### Publication Date
January 5, 2024
#### Author(s)
Pei Han Liao
Threat Malware ★★★
The_Hackers_News  2024-01-05 21:05:00
SpectralBlur: New macOS Backdoor Threat from North Korean Hackers
Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur that overlaps with a known malware family that has been attributed to North Korean threat actors. "SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [
Threat Malware ★★★
News  2024-01-05 19:28:09
Uncle Sam will pay for your big ideas to end AI voice-cloning fraud
The advent of generative AI has made the attack far more pervasive. The Federal Trade Commission (FTC) is promising a $25,000 reward for the best solution to combat the growing threat of AI voice cloning.…
Threat ★★★
DarkReading  2024-01-05 19:19:00
Syrian Threat Group Peddles Destructive SilverRAT
The Middle Eastern developers claim to be building a new version of the antivirus-bypassing remote access Trojan (RAT) attack tool.
Threat Tool ★★
The_Hackers_News  2024-01-05 15:31:00
Orange Spain Faces BGP Traffic Hijack After RIPE Account Hacked by Malware
Mobile network operator Orange Spain suffered an internet outage for several hours on January 3 after a threat actor used administrator credentials captured by means of stealer malware to hijack Border Gateway Protocol (BGP) traffic. "The Orange account in the IP network coordination center (RIPE) has suffered improper access that has affected the browsing of some of our customers," the
Threat Malware Mobile ★★★
The_Hackers_News  2024-01-05 12:57:00
Russian Hackers Had Covert Access to Ukraine's Telecom Giant for Months
Ukrainian cybersecurity authorities have disclosed that the Russian state-sponsored threat actor known as Sandworm was inside telecom operator Kyivstar's systems at least since May 2023. The development was first reported by Reuters. The incident, described as a "powerful hacker attack," first came to light last month, knocking out access to mobile and internet services
Threat Mobile ★★★
AlienVault  2024-01-05 11:00:00
AsyncRAT loader: Obfuscation, DGAs, decoys and Govno
Executive summary
AT&T Alien Labs has identified a campaign to deliver AsyncRAT onto unsuspecting victim systems. For at least 11 months, this threat actor has been working on delivering the RAT through an initial JavaScript file embedded in a phishing page. More than 300 samples and over 100 domains later, the threat actor is persistent in their intentions.

Key takeaways:
The victims and their companies are carefully selected to broaden the impact of the campaign. Some of the identified targets manage key infrastructure in the US.
The loader uses a fair amount of obfuscation and anti-sandboxing techniques to elude automatic detections.
As part of the obfuscation, the attacker also uses a lot of variable names and values, which are randomly generated to harden pivoting/detection by strings.
DGA domains are recycled every week, and decoy redirections are used when a VM is identified, to avoid analysis by researchers.
The ongoing registration of new and active domains indicates this campaign is still active.
There is an OTX pulse with more information.

Analysis
AsyncRAT is an open-source remote access tool released in 2019 and is still available on GitHub. As with any remote access tool, it can be leveraged as a Remote Access Trojan (RAT), especially in this case where it is free to access and use. For that reason, it is one of the most commonly used RATs; its characteristic elements include keylogging, exfiltration techniques, and/or initial access staging for final payload delivery. Since it was initially released, this RAT has shown up in several campaigns with numerous alterations due to its open-source nature, and was even used by the APT Earth Berberoka as reported by TrendMicro.

In early September, AT&T Alien Labs observed a spike in phishing emails targeting specific individuals in certain companies. The gif attachment led to an svg file, which in turn led to the download of a highly obfuscated JavaScript file, followed by other obfuscated PowerShell scripts and a final execution of an AsyncRAT client. This peculiarity was also reported by some users on X (formerly Twitter), like reecDeep and Igal Lytzki. Certain patterns in the code allowed us to pivot and look for more samples in this campaign, resulting in samples going back to February 2023. The registration of domains and subsequent AsyncRAT samples is still being observed at the time of writing this blog.

Figure 1: Number of samples observed by Alien Labs in this campaign.

The modus operandi of the loader involves several stages, which are further obfuscated by a Command and Control (C&C) server checking whether the victim could be a sandbox prior to deploying the main AsyncRAT payload. In particular, when the C&C server doesn't rely on the parameters sent, usually after stage 2, or when it is not expecting requests on a particular domain at that time, the C&C redirects to a benign page.

Figure 2: Execution flow.

During the whole campaign, JavaScript files have been delivered to targete
Threat Malware Tool Technical ★★
ProofPoint  2024-01-05 06:00:31
2023 Year in Review: Threat-Driven Content Releases for Security Awareness
As a new year approaches, it is natural to reflect on recent accomplishments. At Proofpoint, we are reflecting on our work to deliver security awareness content and updated features in line with our ongoing goal to drive behavior change.

Proofpoint Security Awareness integrates our rich threat intelligence, which means it taps into current and emerging attacks. Our threat analysts surface threat trends, such as artificial intelligence (AI)-enhanced vishing, malicious QR codes and remote IT support scams. We then work quickly to release new training features and awareness material to inform security administrators and educate employees about ever-evolving attacks.

In 2023, our content releases focused on three areas:
Delivering a threat-driven program
Improving how security awareness administrators work
Enhancing how people learn

Let's review the past year and explore how Proofpoint used content releases to respond to the changing threat landscape.

Image from AI Chatbot Threats training (video).

Quick turnaround for threat trends
Proofpoint Security Awareness alerts customers to threats in two powerful ways: Threat Alerts and Attack Spotlights. It also continuously trains employees with threat-driven training modules.

Threat Alerts
These weekly releases focus on a specific and current ongoing attack. They explain what the threat is and who it might target. And they describe a specific lure, if applicable. Each alert is linked to activity that our threat analysts see happening in the wild. We recommend applicable training like simulated phishing and awareness material and include suggested email messaging.

In 2023, we released Threat Alerts on:
IRS-themed phishing lures for tax season (February, March, April)
AI-enhanced vishing calls that impersonate loved ones (March)
Malicious QR codes for credential phishing (May, August)
Telephone-oriented attack delivery (TOAD) using a Geek Squad PDF lure (July, October)
Charity donation scams around the Israel-Palestine crisis (October)
Christmas party lures for credential phishing (November)

Attack Spotlights
These monthly releases cast a wider lens on attack types. They focus on a time-based or recurring threat that is expected to trend, typically related to holidays, travel seasons or shopping events. Each spotlight is released a month in advance with a campaign plan, awareness material and training modules, and is available in 12 core languages.

In 2023, Proofpoint published these Attack Spotlight campaigns:
Smishing with package delivery lures (February)
Business email compromise (BEC) phishing with requests for quotations (RFQs) (April)
LinkedIn phishing lures (May)
Amazon phishing lures (June)
Remote IT support scams (September)
Gift card scams (December)

Image from Attack Spotlight video.

Threat modules
These training videos are relevant to the changing threat landscape. They are inspired by our threat intelligence and our team's threat landscape research. These micro-learning modules are grounded in learning science principles that are designed to drive behavior change. Each module has a concise and specific learning objective. The delivery of content is tailored to individual factors such as a person's role, learning style, vulnerability level and preferred language.

In 2023, we covered these topics in our new threat training modules:
Data loss protection
AI chatbot threats
Amazon phishing scams
Cryptocurrency investment scams
QR code dangers
Multifactor authentication (MFA)

Image from Threat Module video.

Staying ahead of generative AI attacks
AI-powered systems are promoted as tools to help us work faster, and they are transforming businesses and industries. This wide-reaching access can create security risks, from potential data breaches to concerns over user privacy. Your employees need to be aware of the limitations and risks of using AI-powered tools, especiall
Threat Ransomware Cloud Studies Tool Prediction Vulnerability ★★★★
DarkReading.webp 2024-01-05 01:27:00 Threat Group Using Rare Data Transfer Tactic in New RemcosRAT Campaign
(direct link)
UNC-0050 is targeting government agencies in Ukraine in what appears to be a politically motivated intelligence-gathering operation.
Threat ★★
RiskIQ.webp 2024-01-04 22:13:12 UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT (direct link) #### Description The UAC-0050 threat group has been found to be using an advanced strategy that allows for a more clandestine data transfer channel, effectively circumventing detection mechanisms employed by Endpoint Detection and Response (EDR) and antivirus systems. The group's weapon of choice is RemcosRAT, a notorious malware for remote surveillance and control, which has been at the forefront of its espionage arsenal. However, in their latest operational twist, the UAC-0050 group has integrated a pipe method for interprocess communication, showcasing their advanced adaptability. The initial attack vector is yet to be pinpointed, though indications lean towards phishing or spam emails. The LNK file is responsible for initiating the download of an HTA file. Within this HTA file lies a VBS script that, upon execution, triggers a PowerShell script. This PowerShell script endeavors to download a malicious payload (word_update.exe) from a server. Upon launching, word_update.exe executes cmd.exe and shares malicious data through a pipe. Consequently, it leads to the launch of explorer.exe with the malicious RemcosRAT residing in the memory of explorer.exe. The Remcos version identified is 4.9.2 Pro, and it has successfully gathered information about the victim, including the computer name and username. RemcosRAT removes cookies and login data from the following browsers: Internet Explorer, Firefox, and Chrome. #### Reference URL(s) 1. https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method #### Publication Date January 4, 2024 #### Author(s) Uptycs Threat Research
Threat Spam Malware ★★
TechWorm.webp 2024-01-04 20:13:46 Over 11 Million SSH Servers Vulnerable To Terrapin Attack
(direct link)
Security researchers at Germany's Ruhr University Bochum two weeks ago discovered a vulnerability in the Secure Shell (SSH) cryptographic network protocol that allows an attacker to downgrade the security of the connection established by the protocol. Called Terrapin (CVE-2023-48795, CVSS score 5.9), this exploit is a prefix truncation attack, where some encrypted packets at the beginning of the SSH channel can be deleted without the client or server noticing. This is accomplished during the handshake process, in which sequence numbers are manipulated while an SSH connection is being established, and messages exchanged between the client and server are then selectively deleted. To carry out a Terrapin attack, attackers must be in an adversary-in-the-middle position (also abbreviated AitM and known as man-in-the-middle or MitM) at the network layer to intercept and modify the handshake exchange, and the connection must be secured by ChaCha20-Poly1305 or CBC with Encrypt-then-MAC. "The attack can be performed in practice, allowing an attacker to downgrade the connection's security by truncating the extension negotiation message (RFC8308) from the transcript," the researchers explained in their paper. "The truncation can lead to using less secure client authentication algorithms and deactivating specific countermeasures against keystroke timing attacks in OpenSSH 9.5." Now, a recent scan by the security threat monitoring platform Shadowserver warns that there are nearly 11 million IP addresses exposing an SSH server vulnerable to Terrapin attacks.
Nearly a third of these addresses, 3.3 million, were identified in the United States, followed by China (1.3 million), Germany (1 million), Russia (700,000), Singapore (390,000) and Japan (380,000). This represents roughly 52% of all IPv4 and IPv6 addresses scanned by the Shadowserver Foundation's monitoring system. Although not all 11 million SSH servers (by unique IP) are at immediate risk of being attacked given the conditions of the Terrapin attack, that still leaves plenty of opportunities for cybercriminals to exploit. The Ruhr University Bochum researchers have provided a vulnerability scanner in a GitHub repository for Linux, Windows and macOS users who want to check whether their SSH client or server is vulnerable to Terrapin.
Threat Vulnerability ★★★
InfoSecurityMag.webp 2024-01-04 15:00:00 Using Stronger Passwords Among Top 2024 Digital Resolutions
(direct link)
Security measures top Kaspersky's annual digital resolutions survey
Threat ★★★
DarkReading.webp 2024-01-04 14:32:00 'Cyber Toufan' Hacktivists Leaked 100-Plus Israeli Orgs in One Month
(direct link)
A new threat actor just concluded a month and a half of two major leaks per day. Now comes phase two: follow-on attacks.
Threat ★★
The_Hackers_News.webp 2024-01-04 14:25:00 UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT
(direct link)
The threat actor known as UAC-0050 is leveraging phishing attacks to distribute Remcos RAT using new strategies to evade detection from security software. "The group's weapon of choice is Remcos RAT, a notorious malware for remote surveillance and control, which has been at the forefront of its espionage arsenal," Uptycs security researchers Karthick Kumar and Shilpesh Trivedi said in
Threat Malware ★★★
Chercheur.webp 2024-01-04 12:11:49 New iPhone Exploit Uses Four Zero-Days
(direct link)
Kaspersky researchers are detailing “an attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky.” It’s a zero-click exploit that makes use of four iPhone zero-days. The most intriguing new detail is the targeting of the heretofore-unknown hardware feature, which proved to be pivotal to the Operation Triangulation campaign. A zero-day in the feature allowed the attackers to bypass advanced hardware-based memory protections designed to safeguard device system integrity even after an attacker gained the ability to tamper with memory of the underlying kernel. On most other platforms, once attackers successfully exploit a kernel vulnerability they have full control of the compromised system...
Threat Mobile Vulnerability ★★★★
AlienVault.webp 2024-01-04 11:00:00 VR and AR: Potential security risks to be prepared for
(direct link)
The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.  Virtual reality (VR) and augmented reality (AR) technologies capture everyone’s imagination with use cases and an unlimited potential for future implementations. While these concepts have been around for decades, they continue to be buzzwords with a fascinating flavor of science fiction. The truth is that the VR and AR combination is close to mainstream adoption these days, with plenty of examples of successful projects creating ripples in ecommerce, entertainment, and many other industries. According to Statista, the global virtual reality and augmented reality market is worth $32.1 billion in 2023, and analysts predict it will exceed $58 billion by 2028. These appear to be conservative estimates, with another study forecasting growth up to a whopping $252 billion in the next four years. Whereas these technologies aren’t susceptible to major malicious exploitation at this point, their skyrocketing popularity might encourage threat actors to come up with viable attack vectors in the near future. This article highlights some of the current security and privacy concerns that stem from the rising adoption of VR and AR technologies. 1. Eye tracking Many people consider eye tracking in VR to be truly revolutionary. The logic of such a perspective is clear: this tech enhances the accuracy of virtual interaction and takes the user experience to a new level by helping interpret people’s emotions. It is also believed to give the security of VR systems a boost because eye scanning can refine biometric verification in the login workflows. As useful as it is, glance tracking could also expose users to hidden monitoring and other privacy risks. For example, VR game makers may be tempted to embed advertisements in their products, similar to how sponsored information is shown in mobile games. 
If this is the case, eye tracking would be a perfect instrument for advertisers to figure out which ads draw your attention and which ones you ignore. As per analysts’ findings, 95% of decisions to buy a product occur in the subconscious mind. By snooping on a user’s visual response, marketers may be able to derive conclusions regarding their preferences and dislikes. The flip side is that such a technology could potentially play into unscrupulous parties’ hands as a powerful surveillance instrument. 2. Blackmail and harassment Adult entertainment is one of the most popular areas of the virtual reality industry. According to a relevant study, the VR adult content market will see a staggering rise from $716 million in 2021 to $19 billion in 2026. Cybercriminals may try to cash in on this hype by engaging in what’s known as “sextortion”. The idea is to deceive users into thinking that the malefactors have some embarrassing evidence of their private pastimes and instruct them to send money in exchange for not disclosing this information. In some cases, the scammers may even include a valid password for one of the user’s web accounts so that the blackmail message appears true. Bear in mind that they obtained these authentication details from a large-scale data breach that occurred in the past. While these emails contain Threat Data Breach Hack Tool Prediction Mobile ★★★
The_State_of_Security.webp 2024-01-04 09:25:22 Cryptocurrency wallet CEO loses $125,000 in wallet-draining scam
(direct link)
Anyone can get scammed. If you think you're somehow immune to being scammed, then, in my opinion, you're a prime target for being scammed. No one is too big, too clever, too security-savvy to avoid being duped because it's only human to make a mistake and screw up. And that certainly seems to be the case with Bill Lou. Bill Lou is the CEO and co-founder of Nest Wallet, a cryptocurrency wallet that makes bold claims to "revolutionise wallet security." Lou has learnt that anyone can be scammed, and in his case, it's been a costly learning experience - to the tune of 52 stETH (approximately US...
Threat ★★★
ProofPoint.webp 2024-01-04 06:00:10 Cybersecurity Stop of the Month: MFA Manipulation (direct link) This blog post is part of a monthly series exploring the ever-evolving tactics of today's cybercriminals. Cybersecurity Stop of the Month focuses on the critical first three steps in the attack chain in the context of email threats. The series is designed to help you understand how to fortify your defenses to protect people and defend data against emerging threats in today's dynamic threat landscape. The critical first three steps of the attack chain: reconnaissance, initial compromise and persistence. So far in this series, we have covered the following types of attacks: supplier compromise; EvilProxy; SocGholish; eSignature phishing; QR code phishing; telephone-oriented attack delivery (TOAD); payroll diversion. In this post, we examine an attack technique called multifactor authentication (MFA) manipulation. This malicious post-compromise attack poses a significant threat to cloud platforms. We cover the typical attack sequence to help you understand how it works. And we dive deeper into how Proofpoint account takeover capabilities detected and prevented one of these threats for our customer. Background: MFA manipulation is an advanced technique where bad actors introduce their own MFA method into a compromised cloud account. These attacks are used after a cloud account takeover attack, or ATO. ATOs are an insidious threat that are alarmingly common. Recent research by Proofpoint threat analysts found that in 2023 almost all businesses (96%) were targeted by cloud-based attacks. What's more, a whopping 60% were successfully compromised and had at least one account taken over. MFA manipulation attacks can work several ways, with bad actors having multiple options for getting around MFA. One way is to use an adversary-in-the-middle (AiTM) attack.
This is where the bad actor inserts a proxy server between the victim and the website that they're trying to log into. Doing so enables them to steal that user's password as well as the session cookie. There's no indication to the user that they've been attacked; it just seems like they've logged into their account as usual. However, the attackers have what they need to establish persistence, which means they can maintain access even if the stolen MFA credentials are revoked or deemed invalid. The scenario: Recently, Proofpoint intercepted a series of MFA manipulation attacks on a large real estate company. In one case, the bad actors used an AiTM attack to steal the credentials of the firm's financial controller as well as the session cookie. Once they did that, they logged into that user's business account and generated 27 unauthorized access activities. The threat: How did the attack happen? Here is a closer look at how this MFA manipulation attack played out: 1. Bad actors used the native “My Sign-Ins” app to add their own MFA methods to compromised Microsoft 365 accounts. We observed that the attackers registered their own authenticator app with notification and code. They made this move right after they gained access to the hijacked account as part of an automated attack flow execution. This, in turn, allowed them to secure their foothold within the targeted cloud environment. The typical MFA manipulation flow using Microsoft's “My Sign-Ins” app. 2. After the compromise, the attackers demonstrated a sophisticated approach. They combined MFA manipulation with OAuth application abuse. With OAuth abuse, an attacker authorizes and/or uses a third-party app to steal data, spread malware or execute other malicious activities. Attackers also use the abused app to maintain persistent access to specific resources even after their initial access to a compromised account has been cut off. 3.
The attackers authorized the seemingly benign application, “PERFECTDATA SOFTWARE,” to gain persistent access to the user's account and the systems, as well as the resources and applications that the user could access. The permissions the attackers requested for this app included:  Threat Malware Cloud Tool Vulnerability ★★★
RecordedFuture.webp 2024-01-03 23:00:00 Google security firm Mandiant working to resolve X account takeover
(direct link)
The Google-owned cybersecurity firm Mandiant said it is looking into an incident where its X account was taken over by someone sharing links to a cryptocurrency platform. On Wednesday afternoon around 3:30 pm EST, Mandiant's account on the social media platform tweeted out links to a company called Phantom, which offers customers a wallet for
Threat ★★★
DarkReading.webp 2024-01-03 21:00:00 Apache ERP Zero-Day Underscores Dangers of Incomplete Patches
(direct link)
Apache fixed a vulnerability in its OfBiz enterprise resource planning (ERP) framework last month, but attackers and researchers found a way around the patch.
Threat Vulnerability ★★★
RiskIQ.webp 2024-01-03 19:16:54 APT28: From Initial Attack to Creating Threats to a Domain Controller in an Hour
(direct link)
#### Description Between December 15-25, 2023, a series of cyberattacks were identified involving the distribution of emails containing links to purported "documents" among government organizations. Clicking on these links resulted in malware infecting computers. Investigation revealed that the links redirected victims to a website where a JavaScript-based download initiated a shortcut file. Opening this file triggered a PowerShell command to download and execute a decoy document, a Python interpreter, and a classified MASEPIE file named Client.py. Subsequently, various tools including OPENSSH, STEELHOOK PowerShell scripts, and the OCEANMAP backdoor were downloaded, with additional tools like IMPACKET and SMBEXEC created for network reconnaissance and lateral movement. The overall tactics, techniques, and tools used pointed to the APT28 group. Notably, the attack strategy indicated a broader plan to compromise the entire organization's information and communication system, emphasizing the potential threat to the entire network. Similar attacks were also reported against Polish organizations. #### Reference URL(s) 1. https://cert.gov.ua/article/6276894 #### Publication Date January 3, 2024 #### Author(s) CERT-UA
Threat Malware Tool APT 28 ★★★★
The_Hackers_News.webp 2024-01-03 18:46:00 Malware Using Google MultiLogin Exploit to Maintain Access Despite Password Reset
(direct link)
Information-stealing malware is actively taking advantage of an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions and allow continuous access to Google services even after a password reset. According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, enabling threat actors to maintain access to a valid session in an
Threat Malware ★★
The_Hackers_News.webp 2024-01-03 16:12:00 SMTP Smuggling: New Flaw Lets Attackers Bypass Security and Spoof Emails
(direct link)
A new exploitation technique called Simple Mail Transfer Protocol (SMTP) smuggling can be weaponized by threat actors to send spoofed emails with fake sender addresses while bypassing security measures. "Threat actors could abuse vulnerable SMTP servers worldwide to send malicious emails from arbitrary email addresses, allowing targeted phishing attacks," Timo Longin, a senior security
Threat ★★★
InfoSecurityMag.webp 2024-01-03 14:00:00 Fake and Stolen X Gold Accounts Flood Dark Web
(direct link)
CloudSEK explored some of the techniques threat actors have been using to forge or steal X Gold accounts since Elon Musk's firm introduced its new verified accounts program
Threat ★★★
Blog.webp 2024-01-03 13:23:43 New Xamalicious Backdoor Infects 25 Android Apps, Affects 327K Devices
(direct link)
By Waqas. Despite Google's proactive removal of these apps, the threat persists through third-party markets, compromising over 327,000 devices globally. This is a post from HackRead.com. Read the original post: New Xamalicious Backdoor Infects 25 Android Apps, Affects 327K Devices
Threat Mobile ★★★
SocRadar.webp 2024-01-03 13:13:43 Sharpen Penetration Testing with Cyber Threat Intelligence
(direct link)
We hope our readers are proficient with figures. Let’s dive into some statistics. In 2022,...
Threat ★★
AlienVault.webp 2024-01-03 11:00:00 Decoding ethical hacking: A comprehensive exploration of white hat practices
(direct link)
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. In the era of digital devices, where the specter of data breaches and cyber threats looms large, the role of ethical hackers, colloquially known as white hat hackers, has become paramount. This article embarks on an in-depth journey into the realm of ethical hacking, illuminating its profound significance in identifying vulnerabilities and fortifying the intricate tapestry of overall cybersecurity. Ethical hacking, at its core, entails authorized and legal endeavors to infiltrate computer systems, networks, or applications. The primary objective is to unveil vulnerabilities. Diverging from their malevolent counterparts, ethical hackers leverage their skills to fortify security rather than exploit weaknesses. The strategic importance of ethical hacking: Proactive defense: Ethical hacking adopts a proactive stance, aiming to unearth and neutralize potential threats before malicious actors can exploit them. Vulnerability assessment: Systematic assessments conducted by ethical hackers pinpoint weaknesses in systems, networks, and applications, enabling organizations to address vulnerabilities in a timely manner. Compliance and risk management: Ethical hacking aligns seamlessly with regulatory compliance requirements, facilitating effective risk management. This ensures organizations adhere to industry standards and safeguard sensitive information. The crucial role of ethical hackers: 1. Identifying vulnerabilities: Ethical hackers employ an array of techniques, including penetration testing, code review, and network analysis, to uncover vulnerabilities. By replicating the tactics of malicious hackers, they unveil potential entry points and weaknesses susceptible to exploitation. 2.
Penetration testing: A cornerstone of ethical hacking, penetration testing involves simulating real-world cyber-attacks to evaluate the security posture of a system. This practice assesses how well an organization's defenses can withstand various threats. 3. Code review: Analyzing source code for security flaws is fundamental. Ethical hackers scrutinize the codebase to identify vulnerabilities such as injection flaws, buffer overflows, and insecure dependencies. Navigating the ethical hacking process: 1. Planning: Ethical hacking commences with meticulous planning. The ethical hacker collaborates with the organization to define the scope, goals, and methodologies of the assessment. 2. Reconnaissance: Gathering information about the target system is a critical phase. Ethical hackers employ both passive and active reconnaissance techniques to understand the environment they are assessing. 3. Scanning: The scanning phase involves identifying live hosts, open ports, and services on a network. Tools like Nmap and Nessus are commonly employed to assess the target's attack surface comprehensively. 4. Gaining access: Ethical hackers attempt to exploit identified vulnerabilities, gaining access to systems or sensitive data. This phase provides organizations insights into the potential impact of a suc Threat Tool Vulnerability ★★★
The_State_of_Security.webp 2024-01-03 02:50:11 Is Cybercrime Only Going to Get Worse?
At the turn of the millennium, few people were worried about cybercrime. The Good Friday Agreement had just come into effect, the US expelled a Russian diplomat for spying, and the threat of the Y2K bug loomed. ILOVEYOU, the computer worm that catapulted cybercrime into the public consciousness, was still five months away. Today, things couldn't be more different. In 2001, six people fell victim to cybercrime an hour. By 2022, that number had risen to 97, an increase of 1517%. At that time, the SolarWinds, Colonial Pipeline, and WannaCry attacks established cybercrime as a potentially...
Threat Wannacry ★★★
Blog.webp 2024-01-02 23:46:43 Detection of Internal Reconnaissance in Domain Environments Using EDR
While threat actors can turn a profit by installing CoinMiners or ransomware strains after initial access, they often first install a backdoor or RAT malware to seize control over the infected system. Infostealers are used for the purpose of stealing user information in the system, but sometimes they are used to obtain data that can be utilized in gaining control over the target system, to ultimately install CoinMiners or ransomware. This may not be of significance if the attack target...
Threat Ransomware Malware ★★★
RecordedFuture.webp 2024-01-02 21:20:00 Ukraine says Russia hacked web cameras to spy on targets in Kyiv
Ukraine's security officers said they took down two online surveillance cameras that were allegedly hacked by Russia to spy on air defense forces and critical infrastructure in Ukraine's capital, Kyiv. The cameras were installed on residential buildings in Kyiv and were initially used by residents to monitor the surrounding area and parking lot. After hacking
Threat Tool ★★★
Blog.webp 2024-01-02 18:23:54 GUEST ESSAY: Leveraging DevSecOps to quell cyber risks in a teeming threat landscape
In today's digital landscape, organizations face numerous challenges when it comes to mitigating cyber risks. Related: How AI is transforming DevOps. The constant evolution of technology, increased connectivity, and sophisticated cyber threats pose significant challenges to organizations of all sizes …
Threat ★★
Veracode.webp 2024-01-02 18:16:59 Using Veracode Fix to Remediate an SQL Injection Flaw
Introduction
In this first in a series of articles looking at how to remediate common flaws using Veracode Fix, Veracode's AI security remediation assistant, we will look at finding and fixing one of the most common and persistent flaw types: an SQL injection attack. An SQL injection attack is a malicious exploit where an attacker injects unauthorized SQL code into input fields of a web application, aiming to manipulate the application's database. By manipulating input parameters, attackers can trick the application into executing unintended SQL commands. This can lead to unauthorized access, data retrieval, modification, or even deletion. Successful SQL injection attacks compromise data integrity and confidentiality, posing serious security risks.
Example Code and Analysis
Let's look at a weakness in the source code of the deliberately vulnerable (and freely available) Verademo application, specifically the UserController.java source file found in the application repository in…
Threat ★★
Chercheur.webp 2024-01-02 12:04:42 TikTok Editorial Analysis
TikTok seems to be skewing things in the interests of the Chinese Communist Party. (This is a serious analysis, and the methodology looks sound.)
Conclusion: Substantial Differences in Hashtag Ratios Raise Concerns about TikTok's Impartiality
Given the research above, we assess a strong possibility that content on TikTok is either amplified or suppressed based on its alignment with the interests of the Chinese Government. Future research should aim towards a more comprehensive analysis to determine the potential influence of TikTok on popular public narratives. This research should determine if and how TikTok might be utilized for furthering national/regional or international objectives of the Chinese Government...
Threat ★★★
Blog.webp 2024-01-02 11:16:26 Hackers Attack UK's Nuclear Waste Services Through LinkedIn
By Deeba Ahmed. LinkedIn users, especially employees managing pages for large corporations, must remain vigilant as the platform has become a lucrative target for cybercriminals and state-backed hackers. This is a post from HackRead.com.
Threat ★★★★
globalsecuritymag.webp 2024-01-02 11:08:18 Zscaler study: 86% of cyberattacks travel over encrypted channels, and manufacturing is the most targeted industry
Key findings: Threats over HTTPS are up 24% year over year in the Zscaler cloud, amounting to nearly 30 billion blocked threats. Encrypted malware and malicious content are a major threat, responsible for 78% of observed attacks. Manufacturing was the most targeted sector, suffering 32% of encrypted attacks, while more than 2.1 billion AI/ML-related transactions were processed. Browser exploits and spyware sites are up 297% and 290% year over year. - Investigations Threat Cloud Studies ★★★★
ProofPoint.webp 2024-01-02 08:41:00 6 Cybersecurity Insurance Requirements Your Business Should Be Ready To Meet
Every year, more companies are finding out firsthand how damaging a cyberattack can be. Research for the 2023 State of the Phish report from Proofpoint found that 30% of companies that were successfully attacked experienced a direct monetary loss. That's an increase of 76% year over year. And costs for these attacks are rising. IBM reports that the global average cost of a data breach went up by 15% over the last three years, hitting $4.45 million in 2023.
Concerns about costs and risks mean that more companies than ever are buying cyber insurance. A World Economic Forum survey found that 71% of organizations have cyber insurance. And Allied Market Research projects that the global cyber insurance market, which is currently valued at $12.5 billion, will reach $116.7 billion by 2032.
Investing in cyber insurance for your business can be a wise strategy. For one, it helps you to transfer some of the financial risks of a cybersecurity event to your insurance provider. But the cyber insurance landscape is changing. You should know that getting the coverage you want might be a challenge, and you will need to meet an array of cybersecurity insurance requirements. In this blog post, we'll cover six of the most common requirements you'll likely need to fulfill.
What is cyber insurance, and what does it cover?
But first, let's take a closer look at what cyber insurance is and why it is important. Also known as cyber liability insurance, this relatively new type of insurance helps to protect businesses and individuals from the negative impacts of cybersecurity events. It generally covers:
Loss of data and the associated recovery
Loss of revenue due to business interruption
Loss of transferred funds from cyberattacks, like business email compromise (BEC) and phishing
Loss of funds from ransomware and extortion
Many policies also cover the aftermath and follow-up events associated with a data breach. This includes the costs associated with identifying and notifying victims, credit monitoring for victims and forensics expertise, to name a few.
Why is cyber insurance important?
For many companies, cyber insurance is an essential part of their risk management strategy. It covers many costs related to cyber events, such as legal expenses and fees for compliance violations. Depending on the policy, it might also cover:
Ransomware attacks. If your business is hit with a ransomware attack, you may face demands for payment to unlock your systems. Or you may need to pay a ransom to prevent the release of sensitive data. In certain cases, cyber insurance can help cover ransom payments.
Incident response and recovery. Cybersecurity insurance can help with the cost of investments you may need to make after an attack. For example, you may need to hire experts, conduct forensic investigations, and implement tools and measures to prevent future attacks.
Business disruption. This may include lost revenue during downtime. This coverage can help your business stay afloat financially and continue operating in the wake of a cyber event.
Want more details on the benefits of cyber insurance? Download the Proofpoint presentation, "Cyber Insurance: Facts, Figures and Policy Fundamentals."
Examples of common cyber insurance requirements
As noted earlier, getting coverage is more complicated than it used to be. Because security breaches are so costly and cybercrime is so common, many insurers have become more stringent in their underwriting processes. Some have lowered caps for payouts and narrowed their coverage offerings as well. This means that the requirements your business may be expected to meet will be fairly complex.
Every provider will likely conduct a risk assessment to determine if you qualify for cyber insurance. The process will help them to determine how much coverage they can offer you, and what you'll need to pay for it. The risk assessment might be as quick and simple as a questionnaire or as complex and time-consuming as a third-party audit. Here are six examples Threat Ransomware Data Breach Tool ★★★
Last update at: 2024-05-23 15:08:17