What's new arround internet
Last one

Src Date (GMT) Titre Description Tags Stories Notes
The_Hackers_News.webp 2023-11-21 12:28:00 Les pirates de Mustang Panda ciblent le gouvernement philippines au milieu des tensions de la mer de Chine méridionale
Mustang Panda Hackers Targets Philippines Government Amid South China Sea Tensions (lien direct)		 L'acteur de Mustang Panda lié à la Chine a été lié à une cyberattaque ciblant une entité gouvernementale philippine au milieu des tensions croissantes entre les deux pays au-dessus de la mer de Chine méridionale contestée. L'unité de Palo Alto Networks 42 a attribué le collectif adversaire à trois campagnes en août 2023, distinguant principalement des organisations du Pacifique Sud. "Les campagnes ont exploité un logiciel légitime
The China-linked Mustang Panda actor has been linked to a cyber attack targeting a Philippines government entity amid rising tensions between the two countries over the disputed South China Sea. Palo Alto Networks Unit 42 attributed the adversarial collective to three campaigns in August 2023, primarily singling out organizations in the South Pacific. "The campaigns leveraged legitimate software		 APT 27 ★★★
DarkReading.webp 2023-11-20 21:06:00 Au milieu de l'accumulation militaire, la Chine déploie Mustang Panda aux Philippines
Amid Military Buildup, China Deploys Mustang Panda in the Philippines (lien direct)		 La Chine associe des attaques cyber et cinétiques dans le Pacifique Sud alors qu'elle continue de terminer le contrôle de la mer de Chine méridionale.
China pairs cyber and kinetic attacks in the South Pacific as it continues to wrangle control of the South China Sea.		 APT 27 ★★★
RecordedFuture.webp 2023-10-06 15:00:00 Les espions basés en Chine piratent les sociétés de semi-conducteurs en Asie de l'Est, indique le rapport
China-based spies are hacking East Asian semiconductor companies, report says (lien direct)		 Les pirates chinois soutenus par l'État ont ciblé l'industrie des semi-conducteurs en Asie de l'Est avec une nouvelle campagne d'espionnage, selon de nouvelles recherches.La société néerlandaise de cybersécurité Eclecticiq a attribué la campagne pour la Chine parce que les pirates ont utilisé le chargeur Hyperbro, qui est associé à un groupe soutenu par l'État étiqueté Budworm ou APT27 par des chercheurs.Budworm a été associé à
Chinese state-backed hackers have targeted the semiconductor industry in East Asia with a new espionage campaign, according to new research. The Dutch cybersecurity firm EclecticIQ attributed the campaign to China because the hackers used the HyperBro loader, which is associated with a state-backed group labeled Budworm or APT27 by researchers. Budworm has been associated with		 APT 27 ★★
InfoSecurityMag.webp 2023-09-28 16:30:00 Budworm Apt évolue le jeu d'outils, cible les télécommunications et le gouvernement
Budworm APT Evolves Toolset, Targets Telecoms and Government (lien direct)		 Symantec a expliqué que l'attaque a exploité une nouvelle variante de la porte dérobée Sysupdate de Budworm \\
Symantec explained that the attack leveraged a new variant of Budworm\'s SysUpdate backdoor		 APT 27 ★★
The_Hackers_News.webp 2023-09-28 15:43:00 Vormage de bourgeon lié à la Chine ciblant les télécommunications du Moyen-Orient et les agences gouvernementales asiatiques
China-Linked Budworm Targeting Middle Eastern Telco and Asian Government Agencies (lien direct)		 Les entités gouvernementales et de télécommunications ont été soumises à une nouvelle vague d'attaques par un acteur de menace lié à la Chine suivi comme bourgeon à l'aide d'un ensemble d'outils de logiciels malveillants mis à jour. Les intrusions, ciblant une organisation de télécommunications du Moyen-Orient et un gouvernement asiatique, ont eu lieu en août 2023, avec l'adversaire déploiement d'une version améliorée de sa boîte à outils Sysupdate, l'équipe de Hunter de Symantec Threat,
Government and telecom entities have been subjected to a new wave of attacks by a China-linked threat actor tracked as Budworm using an updated malware toolset. The intrusions, targeting a Middle Eastern telecommunications organization and an Asian government, took place in August 2023, with the adversary deploying an improved version of its SysUpdate toolkit, the Symantec Threat Hunter Team,		 Malware Threat APT 27 ★★
RecordedFuture.webp 2023-09-28 14:30:00 Les pirates suspects de la Chine ciblent les télécommunications du Moyen-Orient, le gouvernement asiatique
Suspected China-based hackers target Middle Eastern telecom, Asian government (lien direct)		 Les pirates ont ciblé une organisation de télécommunications du Moyen-Orient et un gouvernement asiatique dans une récente opération d'espionnage, selon un rapport publié jeudi.Le groupe de piratage Budworm, également connu sous le nom d'émissaire Panda et APT27, est croyait que était basé en Chine.L'année dernière, il a attaqué la législature de l'État américain à l'aide d'un Vulnérabilité log4j .Dans son plus
Hackers targeted a Middle Eastern telecom organization and an Asian government in a recent spying operation, according to a report published Thursday. The hacking group Budworm, also known as Emissary Panda and APT27, is believed to be based in China. Last year, it attacked the U.S. state legislature using a Log4j vulnerability. In its most		 APT 27 ★★
bleepingcomputer.webp 2023-09-28 09:52:38 Budworm Hackers Target Telcos et Govt Orgs avec des logiciels malveillants personnalisés
Budworm hackers target telcos and govt orgs with custom malware (lien direct)		 Un groupe de piratage de cyber-espionnage chinois suivi en tant que bourgeon a été observé ciblant une entreprise de télécommunications au Moyen-Orient et une entité gouvernementale en Asie en utilisant une nouvelle variante de sa porte dérobée personnalisée \\ 'sysupdate \'.[...]
A Chinese cyber-espionage hacking group tracked as Budworm has been observed targeting a telecommunication firm in the Middle East and a government entity in Asia using a new variant of its custom \'SysUpdate\' backdoor. [...]		 Malware APT 27 ★★
The_Hackers_News.webp 2023-03-02 13:33:00 SysUpdate Malware Strikes Again with Linux Version and New Evasion Tactics (lien direct) The threat actor known as Lucky Mouse has developed a Linux version of a malware toolkit called SysUpdate, expanding on its ability to target devices running the operating system. The oldest version of the updated artifact dates back to July 2022, with the malware incorporating new features designed to evade security software and resist reverse engineering. Cybersecurity company Trend Micro said Malware Threat Prediction APT 27 ★★
bleepingcomputer.webp 2023-03-01 13:44:37 Iron Tiger hackers create Linux version of their custom malware (lien direct) The APT27 hacking group, aka "Iron Tiger," has prepared a new Linux version of its SysUpdate custom remote access malware, allowing the Chinese cyberespionage group to target more services used in the enterprise. [...] Malware APT 27 ★★★
TrendMicro.webp 2023-03-01 00:00:00 Iron Tiger\'s SysUpdate Reappears, Adds Linux Targeting (lien direct) We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems. Malware Threat APT 27
InfoSecurityMag.webp 2023-02-17 17:00:00 EU Cybersecurity Agency Warns Against Chinese APTs (lien direct) The document directly mentions APT27, APT30, APT31, Ke3chang, Gallium and Mustang Panda APT 30 APT 27 APT 15 APT 25 APT 31 ★★
Anomali.webp 2022-10-18 15:00:00 Anomali Cyber Watch: Ransom Cartel Uses DPAPI Dumping, Unknown China-Sponsored Group Targeted Telecommunications, Alchimist C2 Framework Targets Multiple Operating Systems, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, Hacktivism, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Ransom Cartel Ransomware: A Possible Connection With REvil (published: October 14, 2022) Palo Alto Networks researchers analyzed Ransom Cartel, a double extortion ransomware-as-a-service group. Ransom Cartel came to existence in mid-December 2021 after the REvil group shut down. The Ransom Cartel group uses the Ransom Cartel ransomware, which shares significant code similarities with REvil, indicating close connections, but lacks REvil obfuscation engine capabilities. Ransom Cartel has almost no obfuscation outside of the configuration: unlike REvil it does not use string encryption and API hashing. Among multiple tools utilized by Ransom Cartel, the DonPAPI credential dumper is unique for this group. It performs Windows Data Protection API (DPAPI) dumping by targeting DPAPI-protected credentials such as credentials saved in web browsers, RDP passwords, and Wi-Fi keys. Analyst Comment: Network defenders should consider monitoring or blocking high-risk connections such as TOR traffic that is often abused by Ransom Cartel and its affiliates. It is crucial that your company ensure that servers are always running the most current software version. Your company should have policies in place in regards to the proper configurations needed for your servers in order to conduct your business needs safely. MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Software Deployment Tools - T1072 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] File and Directory Permissions Modification - T1222 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - Ransomware Malware Tool Threat APT 27
SecurityAffairs.webp 2022-10-13 23:10:45 China-linked Budworm APT returns to target a US entity (lien direct) >The Budworm espionage group resurfaced targeting a U.S.-based organization for the first time, Symantec Threat Hunter team reported. The Budworm cyber espionage group (aka APT27, Bronze Union, Emissary Panda, Lucky Mouse, TG-3390, and Red Phoenix) is behind a series attacks conducted over the past six months against a number of high-profile targets, including the government of […] Threat APT 27
The_Hackers_News.webp 2022-10-13 15:38:00 Budworm Hackers Resurface with New Espionage Attacks Aimed at U.S. Organization (lien direct) An advanced persistent threat (APT) actor known as Budworm targeted a U.S.-based entity for the first time in more than six years, according to latest research. The attack was aimed at an unnamed U.S. state legislature, the Symantec Threat Hunter team, part of Broadcom Software, said in a report shared with The Hacker News. Other intrusions mounted over the past six months were directed against Threat APT 27
InfoSecurityMag.webp 2022-10-13 15:00:00 Budworm Espionage Group Returns, Targets US State Legislature (lien direct) Budworm leveraged the Log4j vulnerabilities to compromise the Apache Tomcat service on servers APT 27
Anomali.webp 2022-09-13 15:00:00 Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Defense evasion, DDoS, Iran, Ransomware, PlugX, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Microsoft Investigates Iranian Attacks Against the Albanian Government (published: September 8, 2022) Microsoft researchers discovered that groups working under Iran’s Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow’s anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania. Analyst Comment: MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in a form of direct and proportional retaliation as it sees it. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users advised to block known OilRig network indicators. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070 Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona BRONZE PRESIDENT Targets Government Officials (published: September 8, 2022) Secureworks researchers detected a new campaign by China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters. Analyst Comment: Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | Ransomware Malware Tool Vulnerability Threat Guideline APT 27 APT 34
Anomali.webp 2022-08-23 17:35:00 Anomali Cyber Watch: Emissary Panda Adds New Operation Systems to Its Supply-Chain Attacks, Russia-Sponsored Seaborgium Spies on NATO Countries, TA558 Switches from Macros to Container Files, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, DDoS, Russia, Spearphishing, Supply chain, Taiwan, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Reservations Requested: TA558 Targets Hospitality and Travel (published: August 18, 2022) Since 2018, financially-motivated threat group TA558 has targeted hospitality and travel with reservation-themed, business-relevant phishing emails. The group concentrates on targeting Latin America using lures written in Portuguese and Spanish, and sometimes uses English and wider targeting (North America, Western Europe). TA558 was seen leveraging at least 15 different malware payloads, most often AsyncRAT, Loda RAT, Revenge RAT, and Vjw0rm. In 2022, Proofpoint researchers detected that TA558 increased its activity and moved from using malicious macros to URLs and container files (ISO, RAR). Analyst Comment: Microsoft’s preparations to disable macros by default in Office products caused multiple threat groups including TA558 to adopt new filetypes to deliver payloads. It is crucial for personnel working with invoices and other external attachments to use updated, secured systems and be trained on phishing threats. Anomali Match can be used to quickly search your infrastructure for known TA558 IOCs. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 Tags: TA558, AsyncRAT, Loda, RAT, Vjw0rm, BluStealer, Revenge RAT, XtremeRAT, Hospitality, Travel, Phishing, ISO, RAR, PowerShell, CVE-2017-11882, CVE-2017-8570 Estonia Subjected to 'Extensive' Cyberattacks after Moving Soviet Monuments (published: August 18, 2022) On August 17, 2022, Russian hacktivist group KillNet launched distributed denial-of-service (DDoS) attacks targeting Estonia. The Estonian government confirmed receiving the “most extensive” DDoS attacks in 15 years, but stressed that all services are back online after just some minor interruptions. Small and medium-sized DDoS attacks targeted 16 state and private organizations in the country, with seven of them experiencing downtime as a result. Specifically, the Estonian Tax and Customs Board website was unavailable for about 70 minutes. Analyst Comment: Russian cyber activity follows political tensions, this time coinciding with the removal of a Red Army memorial. Estonia seemingly easily fended off this Russian DDoS attack, but the country is one of the top in cyber preparedness, and Russia limited it’s strike to using hacktivist groups that give plausible deniability when attributing the cyber attack on a NATO country. Organizations that rely on stable work of their I Ransomware Malware Tool Threat APT 27
SecurityWeek.webp 2022-08-15 09:59:25 Chinese Cyberspies Use Supply Chain Attack to Deliver Windows, macOS Malware (lien direct) China-linked cyberespionage group Iron Tiger was observed using the compromised servers of a chat application for the delivery of malware to Windows and macOS systems, Trend Micro reports. Malware APT 27
SecurityAffairs.webp 2022-08-15 07:02:20 Iron Tiger APT is behind a supply chain attack that employed messaging app MiMi (lien direct) >China-linked threat actors Iron Tiger backdoored a version of the cross-platform messaging app MiMi to infect systems. Trend Micro researchers uncovered a new campaign conducted by a China-linked threat actor Iron Tiger that employed a  backdoored version of the cross-platform messaging app MiMi Chat App to infect Windows, Mac, and Linux systems. The Iron Tiger APT (aka Panda Emissary, […] Threat APT 27 ★★★★★
The_Hackers_News.webp 2022-08-13 05:41:16 Chinese Hackers Backdoored MiMi Chat App to Target Windows, Linux, macOS Users (lien direct) A pair of reports from cybersecurity firms SEKOIA and Trend Micro sheds light on a new campaign undertaken by a Chinese threat actor named Lucky Mouse that involves leveraging a trojanized version of a cross-platform messaging app to backdoor systems. Infection chains leverage a chat application called MiMi, with its installer files compromised to download and install HyperBro samples for the Threat APT 27 ★★
TrendMicro.webp 2022-08-12 00:00:00 Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users (lien direct) We found APT group Iron Tiger's malware compromising chat application Mimi's servers in a supply chain attack. Malware APT 27
SecurityWeek.webp 2022-07-20 08:37:31 Belgium Says Chinese APTs Targeted Interior, Defense Ministries (lien direct) Belgium on Monday accused Chinese state-sponsored hackers of launching cyberattacks against its interior and defense ministries. Belgium noted in a statement that it has detected cyber intrusions from hacking groups tracked as APT27, APT30, APT31, and Gallium. APT 30 APT 27 APT 31
knowbe4.webp 2022-02-01 14:37:29 CyberheistNews Vol 12 #05 [Heads Up] DHS Sounds Alarm on New Russian Destructive Disk Wiper Attack Potential (lien direct) CyberheistNews Vol 12 #05 [Heads Up] DHS Sounds Alarm on New Russian Destructive Disk Wiper Attack Potential   Ransomware Malware Hack Tool Threat Guideline NotPetya NotPetya Wannacry Wannacry APT 27 APT 27
SecurityAffairs.webp 2022-01-26 20:44:27 German intelligence agency warns of China-linked APT27 targeting commercial organizations (lien direct) The BfV German domestic intelligence services warn of ongoing attacks carried out by the China-linked APT27 cyberespionage group. The Bun­des­amt für Ver­fas­sungs­schutz (BfV) federal domestic intelligence agency warns of ongoing attacks coordinated by the China-linked APT27 group. “The Federal Office for the Protection of the Constitution ( BfV ) has information about an ongoing cyber espionage campaign […] APT 27 APT 27 ★★★★
bleepingcomputer.webp 2022-01-26 08:00:00 German govt warns of APT27 hackers backdooring business networks (lien direct) The BfV German domestic intelligence services (short for Bun­des­amt für Ver­fas­sungs­schutz) warn of ongoing attacks coordinated by the APT27 Chinese-backed hacking group. [...] APT 27 APT 27
Anomali.webp 2021-11-16 17:34:00 Anomali Cyber Watch: REvil Affiliates Arrested, Electronics Retail Giant Hit By Ransomware, Robinhood Breach, Zero Day In Palo Alto Security Appliance and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer (published: November 8, 2021) US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert about advanced persistent threat (APT) actors exploiting vulnerability in self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. PaloAlto, Microsoft & Lumen Technologies did a joint effort to track, analyse and mitigate this threat. The attack deployed a webshell and created a registry key for persistence. The actor leveraged leased infrastructure in the US to scan hundreds of organizations and compromised at least nine global organizations across technology, defense, healthcare and education industries. Analyst Comment: This actor has used some unique techniques in these attacks including: a blockchain based legitimate remote control application, and credential stealing tool which hooks specific functions from the LSASS process. It’s important to make sure your EDR solution is configured to and supports detecting such advanced techniques in order to detect such attacks. MITRE ATT&CK: [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Credentials in Files - T1081 | [MITRE ATT&CK] Brute Force - T1110 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hooking - T1179 | [MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060 | [MITRE ATT&CK] Pass the Hash - T1075 Tags: Threat Group 3390, APT27, TG-3390, Emissary Panda, WildFire, NGLite backdoor, Cobalt Strike, Godzilla, PwDump, beacon, ChinaChopper, CVE-2021-40539, Healthcare, Military, North America, China REvil Affiliates Arrested; DOJ Seizes $6.1M in Ransom (published: November 9, 2021) A 22 year old Ukranian national named Yaroslav Vasinskyi, has been charged with conducting ransomware attacks by the U.S Department of Justice (DOJ). These attacks include t Ransomware Data Breach Malware Tool Vulnerability Threat Medical APT 38 APT 27 APT 1
Anomali.webp 2021-10-05 18:28:00 Anomali Cyber Watch: New APT ChamelGang, FoggyWeb, VMWare Vulnerability Exploited and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, FoggyWeb, Google Chrome Bugs, Hydra Malware, NOBELIUM and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Google Just Patched These Two Chrome Zero-day Bugs That Are Under Attack Right Now (published: October 1, 2021) Google has warned users of Google Chrome to update to version 94.0.4606.71, due to two new zero-days that are currently being exploited in the wild. This marks the second update in a month due to actively exploited zero-day flaws. The first of these common vulnerabilities and exposures (CVEs), CVE-2021-37975, is a high severity flaw in the V8 JavaScript engine, which has been notoriously difficult to protect and could allow attackers to create malware that is resistant to hardware mitigations. Analyst Comment: Users and organizations are recommended to regularly check for and apply updates to the software applications they use, especially web browsers that are increasingly used for a variety of tasks. Organizations can leverage the capabilities of Anomali Threatstream to rapidly get information about new CVEs that need to be mitigated through their vulnerability management program. Tags: CVE-2021-37975, CVE-2021-37976, chrome, zero-day Hydra Malware Targets Customers of Germany's Second Largest Bank (published: October 1, 2021) A new campaign leveraging the Hydra banking trojan has been discovered by researchers. The malware containing an Android application impersonates the legitimate application for Germany's largest bank, Commerzbank. While Hydra has been seen for a number of years, this new campaign incorporates many new features, including abuse of the android accessibility features and permissions which give the application the ability to stay running and hidden with basically full administrator privileges over a victim's phone. It appears to be initially spread via a website that imitates the official Commerzbank website. Once installed it can spread via bulk SMS messages to a user's contacts. Analyst Comment: Applications, particularly banking applications, should only be installed from trusted and verified sources and reviewed for suspicious permissions they request. Similarly, emails and websites should be verified before using. Tags: Banking and Finance, EU, Hydra, trojan New APT ChamelGang Targets Russian Energy, Aviation Orgs (published: October 1, 2021) A new Advanced Persistent Threat (APT) group dubbed “ChamelGang” has been identified to be targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server’s ProxyShell and leveraging both new and existing malware to compromise networks. Researchers at Positive Technologies have been tracking the group since March 2017, and have observed that they have attacked targets in 10 countries so far. The group has been able to hi Ransomware Malware Tool Vulnerability Threat Guideline Solardwinds Solardwinds APT 27
Anomali.webp 2021-08-17 17:56:00 Anomali Cyber Watch: Anomali Cyber Watch: Aggah Using Compromised Websites to Target Businesses Across Asia, eCh0raix Targets Both QNAP and NAS, LockBit 2.0 Targeted Accenture, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Critical Infrastructure, Data Storage, LockBit, Morse Code, Ransomware, and Vulnerabilities. . The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Colonial Pipeline Reports Data Breach After May Ransomware Attack (published: August 16, 2021) Colonial Pipeline, the largest fuel pipeline in the United States, is sending notification letters to 5,810 individuals affected by the data breach resulting from the DarkSide ransomware attack. During the incident, which occurred during May this year, DarkSide also stole roughly 100GB of files in about two hours. Right after the attack Colonial Pipeline took certain systems offline, temporarily halted all pipeline operations, and paid $4.4 million worth of cryptocurrency for a decryptor, most of it later recovered by the FBI. The DarkSide ransomware gang abruptly shut down their operation due to increased level of attention from governments, but later resurfaced under new name BlackMatter. Emsisoft CTO Fabian Wosar confirmed that both BlackMatter RSA and Salsa20 implementation including their usage of a custom matrix comes from DarkSide. Analyst Comment: BlackMatter (ex DarkSide) group added "Oil and Gas industry (pipelines, oil refineries)" to their non-target list, but ransomware remains a significant threat given profitability and the growing number of ransomware threat actors with various levels of recklessness. Double-extortion schemes are adding data exposure to a company's risks. Stopping ransomware affiliates requires defense in depth including: patch management, enhancing your Endpoint Detection and Response (EDR) tools with ThreatStream, the threat intelligence platform (TIP), and utilizing data loss prevention systems (DLP). MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Darkside, BlackMatter, Colonial Pipeline, Oil and Gas, Ransomware, Salsa20, Data Breach, USA Indra — Hackers Behind Recent Attacks on Iran (published: August 14, 2021) Check Point Research discovered that a July 2021 cyber attack against Iranian railway system was committed by Indra, a non-government group. The attackers had access to the targeted networks for a month and then deployed a previously unseen file wiper called Meteor effectively disrupting train service throughout the country. Previous versions of the Indra wiper named Stardust and Comet were seen in Syria, where Indra was attacking oil, airline, and financial sectors at least since 2019. Analyst Comment: It is concerning that even non-government threat actors can damage a critical infrastructure in a large country. Similar to ransomware protection, with regards to wiper attacks organizations should improve their intrusion detection methods and have a resilient backup system. MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] File Deletion - T1107 | Ransomware Data Breach Malware Hack Tool Vulnerability Threat Guideline APT 27 APT 27
Anomali.webp 2021-08-10 17:39:00 Anomali Cyber Watch: GIGABYTE Hit By RansomEXX Ransomware, Seniors\' Data Exposed, FatalRat Analysis, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Chinese state hackers, Data leak, Ransomware, RAT, Botnets, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Actively Exploited Bug Bypasses Authentication On Millions Of Routers (published: August 7, 2021) The ongoing attacks were discovered by Juniper Threat Labs researchers exploiting recently discovered vulnerability CVE-2021-20090. This is a critical path traversal vulnerability in the web interfaces of routers with Arcadyan firmware that could allow unauthenticated remote attackers to bypass authentication. The total number of devices exposed to attacks likely reaches millions of routers. Researchers identified attacks originating from China and are deploying a variant of Mirai botnet on vulnerable routers. Analyst Comment: Attackers have continuous and automated routines to look out for publicly accessible vulnerable routers and exploit them as soon as the exploit is made public. To reduce the attack surface, routers management console should only be accessible from specific public IP addresses. Also default password and other security policies should be changed to make it more secure. Tags: CVE-2021-20090, Mirai, China Computer Hardware Giant GIGABYTE Hit By RansomEXX Ransomware (published: August 7, 2021) The attack occurred late Tuesday night into Wednesday and forced the company to shut down its systems in Taiwan. The incident also affected multiple websites of the company, including its support site and portions of the Taiwanese website. Attackers have threatened to publish 112GB of stolen data which they claim to include documents under NDA (Non Disclosure Agreement) from companies including Intel, AMD, American Megatrends unless a ransom is paid. Analyst Comment: At this point no official confirmation from GIGABYTE about the attack. Also no clarity yet on potential vulnerabilities or attack vectors used to carry out this attack. Tags: RansomEXX, Defray, Ransomware, Taiwan Millions of Senior Citizens' Personal Data Exposed By Misconfiguration (published: August 6, 2021) The researchers have discovered a misconfigured Amazon S3 bucket owned by the Senior Advisor website which hosts ratings and reviews for senior care services across the US and Canada. The bucket contained more than one million files and 182 GB of data containing names, emails, phone numbers of senior citizens from North America. This exposed data was not encrypted and did not require a password or login credentials to access. Analyst Comment: Senior citizens are at high risk of online frauds. Their personal information and context regarding appointments getting leaked can lead to targeted phishing scams. Tags: Data Leak, Phishing, North America, AWS Malware Vulnerability Threat Guideline APT 41 APT 41 APT 30 APT 27 APT 23
SecurityWeek.webp 2021-08-03 04:00:51 DeadRinger: A Three-Pronged Attack by Chinese Military Actors against Major Telcos (lien direct) Researchers have discovered three separate Chinese military affiliated advanced threat groups simultaneously targeting and compromising the same Southeast Asian telcos. The attack groups concerned are Soft Cell, Naikon, and a third group, possibly Emissary Panda (also known as APT27). Threat APT 30 APT 27
SecurityAffairs.webp 2021-04-06 13:15:40 Chinese Cycldek APT targets Vietnamese Military and Government in sophisticated attacks (lien direct) China-linked APT group Cycldek is behind an advanced cyberespionage campaign targeting entities in the government and military sector in Vietnam. China-linked APT group LuckyMouse (aka Cycldek, Goblin Panda, Hellsing, APT 27, and Conimes) is targeting government and military organizations in Vietnam with spear-phishing. The threat actors are sending out spear-phishing messages to compromise diplomatic targets in Southeast […] Threat APT 27
Kaspersky.webp 2021-01-05 15:26:12 Major Gaming Companies Hit with Ransomware Linked to APT27 (lien direct) Researchers say a recent attack targeting videogaming developers has 'strong links' to the infamous APT27 threat group. Ransomware Threat APT 27 APT 27
InfoSecurityMag.webp 2021-01-05 11:15:00 Chinese APT Group Linked to Ransomware Attacks (lien direct) APT27 pegged for financially motivated raids Ransomware APT 27 APT 27
SecurityWeek.webp 2021-01-05 04:59:54 Ransomware Attacks Linked to Chinese Cyberspies (lien direct) China-linked cyber-espionage group APT27 is believed to have orchestrated recent ransomware attacks, including one where a legitimate Windows tool was used to encrypt the victim's files. Ransomware Tool APT 27 APT 27
01net.webp 2021-01-05 03:34:00 Les hackers chinois se renflouent à coups de ransomware (lien direct) Connu pour ses activités de cyberespionnage, le groupe APT27 a profité du confinement en Chine pour s'orienter vers le ransomware. Ransomware APT 27 APT 27
SecurityAffairs.webp 2021-01-05 00:29:29 Experts linked ransomware attacks to China-linked APT27 (lien direct) Researchers from security firms Profero and Security Joes linked a series of ransomware attacks to the China-linked APT27 group. Security researchers from security firms Profero and Security Joes investigated a series of ransomware attacks against multiple organizations and linked them to China-linked APT groups. The experts attribute the attacks to the Chinese cyberespionage group APT27 […] Ransomware APT 27 APT 27
TEAM_CYMRU_Blog.webp 2020-03-25 10:10:49 How the Iranian Cyber Security Agency Detects Emissary Panda Malware (lien direct) Other threat intelligence groups have previously publicised that the Chinese-attributed threat group, Emissary Panda (aka APT27, TG-3390, BRONZE UNION, Iron Tiger and LuckyMouse), have been targeting various sectors in the Middle East, including government organisations. On 15 December 2019, Iran’s Minister of Communications and Information Technology, Mohammad Javad Azari-Jahromi, announced that Iranian authorities had detected foreign spying malware on their government servers which they attributed... Continue Reading → Malware Threat APT 27
SecurityAffairs.webp 2020-03-19 08:36:55 Is APT27 Abusing COVID-19 To Attack People ?! (lien direct) Security researcher Marco Ramilli analyzed a new Coronavirus (COVID-19)-themed attack gathering evidence of the alleged involvement of an APT group. Scenario We are living hard time, many countries all around the world are hit by COVID-19 which happened to be a very dangerous disease. Unfortunately many deaths, thousands of infected people, few breathing equipment, stock […] APT 27
TechWorm.webp 2019-12-16 19:23:18 Iran claims it foiled highly organised state-sponsored cyberattack (lien direct) Iran recently foiled a massive “organized” cyberattack launched by a foreign government against the country's unspecified “electronic infrastructure”, official IRNA news agency reported last Wednesday. The cyberattack was “very big”, which was identified and foiled by Iran's “security shield”. The attack which had used the “well-known APT27” was repelled by the security shield known as […] APT 27
SecurityAffairs.webp 2019-05-30 08:48:03 (Déjà vu) Emissary Panda APT group hit Government Organizations in the Middle East (lien direct) Chinese Cyber-Spies Target Government Organizations in Middle East Chinese APT group Emissary Panda has been targeting government organizations in two different countries in the Middle East. Experts at Palo Alto Networks reported that the Chinese APT group Emissary Panda (aka APT27, TG-3390, Bronze Union, and Lucky Mouse) has been targeting government organizations in two different […] APT 27
SecurityWeek.webp 2019-05-29 15:23:01 Chinese Cyber-Spies Target Government Organizations in Middle East (lien direct) Chinese cyber-espionage group Emissary Panda has been targeting government organizations in two different countries in the Middle East, Palo Alto Networks security researchers say. APT 27
SecurityAffairs.webp 2019-03-01 19:17:03 Emissary Panda updated its weapons for attacks in the past 2 years (lien direct) Experts analyzed tools and intrusion methods used by theChina-linked cyber-espionage group Emissary Panda in attacks over the past 2 years. This morning I wrote about a large-scale cyber attack that hit the International Civil Aviation Organization (ICAO) in November 2016, Emissary Panda was suspected to be the culprit. Experts at Secureworks reports who investigated the […] APT 27
SecurityWeek.webp 2019-03-01 12:10:00 China\'s APT27 Hackers Use Array of Tools in Recent Attacks (lien direct) Over the past two years, China-linked cyber-espionage group Emissary Panda has used an array of tools and intrusion methods in attacks on political, technology, manufacturing, and humanitarian organizations, Secureworks reports.  APT 27
DarkReading.webp 2019-02-27 16:45:00 Persistent Attackers Rarely Use Bespoke Malware (lien direct) Study of the Bronze Union group-also known as APT27 or Emissary Panda-underscores how most advanced persistent threat (APT) groups now use administrative tools or slight variants of well-known tools. Malware Threat APT 27
Kaspersky.webp 2019-02-27 12:30:04 Bronze Union APT Updates Remote Access Trojans in Fresh Wave of Attacks (lien direct) The China-linked threat group has returned in 2018 using updated RATs to launch its attacks, including ZxShell, Gh0st RAT, and SysUpdate malware. Threat APT 27
SecurityAffairs.webp 2018-09-10 18:59:03 Chinese LuckyMouse APT has been using a digitally signed network filtering driver in recent attacks (lien direct) Security experts observed the LuckyMouse APT group using a digitally signed 32- and 64-bit network filtering driver NDISProxy in recent attacks. Security experts from Kaspersky have observed the LuckyMouse APT group (aka Emissary Panda, APT27 and Threat Group 3390) using a digitally signed 32- and 64-bit network filtering driver NDISProxy in recent attacks. The APT group […] Threat APT 27 APT 1 ★★★
SecurityAffairs.webp 2018-07-23 09:08:04 CSE Malware ZLab – Chinese APT27 \'s long-term espionage campaign in Syria is still ongoing (lien direct) Researchers at CSE Cybsec ZLab analyzed a malicious code involved in a long-term espionage campaign in Syria attributed to Chinese APT27 group. A few days ago, the security researcher Lukas Stefanko from ESET discovered an open repository containing some Android applications.   The folder was found on a compromised website at the following URL: hxxp://chatsecurelite.uk[.]to […] Malware APT 27
SecurityAffairs.webp 2018-06-14 06:23:04 China-linked Emissary Panda APT group targets National Data Center in Asia (lien direct) A China-linked APT group, LuckyMouse, Emissary Panda, APT27 and Threat Group 3390, has targeted a national data center in Central Asia. The APT group has been active since at least 2010, the crew targeted U.S. defense contractors and financial services firms worldwide. In March 2018, security experts at Kaspersky Lab have observed an attack powered by the […] APT 27 APT 1
SecurityAffairs.webp 2018-02-02 22:16:10 Chinese Iron Tiger APT is back, a close look at the Operation PZChao (lien direct) >Chinese Iron Tiger APT is back, the new campaign, dubbed by Operation PZChao is targeting government, technology, education, and telecommunications organizations in Asia and the US. Malware researchers from Bitdefender have discovered and monitored for several months the activity of a custom-built backdoor capable of password-stealing, bitcoin-mining, and of course to gain full control of the […] APT 27
Last update at: 2024-05-10 09:08:22
See our sources.
My email:

To see everything: Our RSS (filtrered) Twitter