What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-01-23 12:09:42 | Les canaux latéraux sont communs Side Channels Are Common (lien direct) |
Recherche vraiment intéressante: & # 8220; prêtez-moi votre oreille: canaux latéraux physiques à distance passifs sur PC . & # 8221;
Résumé:
Nous montrons que les capteurs intégrés dans les PC de produits de base, tels que les microphones, capturent par inadvertance la fuite électromagnétique du canal latéral à partir du calcul continu.De plus, ces informations sont souvent véhiculées par des canaux supposés-benons tels que les enregistrements audio et les applications de voix sur IP courantes, même après compression avec perte.
Ainsi, nous montrons, il est possible de mener des attaques de canaux latéraux physiques sur le calcul par analyse à distance et purement passive des canaux couramment partagés.Ces attaques ne nécessitent ni proximité physique (qui pourrait être atténuée par la distance et le blindage), ni la possibilité d'exécuter du code sur la cible ou de configurer son matériel.Par conséquent, nous soutenons que les canaux latéraux physiques sur les PC ne peuvent plus être exclus des modèles de menaces à distance à distance ...
Really interesting research: “Lend Me Your Ear: Passive Remote Physical Side Channels on PCs.” Abstract: We show that built-in sensors in commodity PCs, such as microphones, inadvertently capture electromagnetic side-channel leakage from ongoing computation. Moreover, this information is often conveyed by supposedly-benign channels such as audio recordings and common Voice-over-IP applications, even after lossy compression. Thus, we show, it is possible to conduct physical side-channel attacks on computation by remote and purely passive analysis of commonly-shared channels. These attacks require neither physical proximity (which could be mitigated by distance and shielding), nor the ability to run code on the target or configure its hardware. Consequently, we argue, physical side channels on PCs can no longer be excluded from remote-attack threat models... |
Threat Conference | ★★★★ | |
 |
2024-01-23 11:00:00 | La montée des ransomwares: stratégies de prévention The rise of ransomware: Strategies for prevention (lien direct) |
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. The exponential rise of ransomware attacks in recent times has become a critical concern for organizations across various industries. Ransomware, a malicious software that encrypts data and demands a ransom for its release, can wreak havoc on an organization\'s operations, finances, and reputation. This comprehensive guide delves into the intricate landscape of ransomware, exploring sophisticated attack vectors, common vulnerabilities, and providing detailed strategies for prevention. Ransomware is a type of malicious software designed to deny access to a computer system or data until a sum of money is paid. It often gains unauthorized access through exploiting vulnerabilities or employing social engineering tactics like phishing emails and malicious attachments. Over the years, ransomware attacks have evolved from indiscriminate campaigns to highly targeted and sophisticated operations. Notorious strains such as WannaCry, Ryuk, and Maze have demonstrated the devastating impact of these attacks on organizations worldwide. Common vulnerabilities exploited Outdated software and patch management: Ransomware often exploits vulnerabilities in outdated software. Robust patch management is crucial for closing these security gaps. Social engineering and phishing: Human error remains a significant factor in ransomware attacks. Employees need comprehensive training to recognize and avoid phishing attempts. Weak authentication practices: Inadequate password policies and the absence of multi-factor authentication create entry points for threat actors. Poorly configured remote desktop protocol (RDP): RDP misconfigurations can provide a direct path for ransomware to infiltrate a network. Comprehensive prevention strategies Regular software updates and patch management: Implement a proactive approach to software updates and patch vulnerabilities promptly. Employee training and awareness: Conduct regular cybersecurity training sessions to educate employees about the dangers of phishing and best practices for online security. Multi-factor authentication (MFA): Enforce MFA to add an additional layer of security, mitigating the risk of unauthorized access. Network segmentation: Divide networks into segments to contain the spread of ransomware in case of a breach. Data backup and recovery: Establish regular backups of critical data and ensure that recovery processes are tested and reliable. Post-infection recovery plans: The aftermath of a ransomware attack can be chaotic and detrimental to an organization\'s operations. Developing a robust post-infection recovery plan is essential to minimize damage, restore functionality, and ensure a swift return to normalcy. This detailed guide outlines the key components of an effective recovery plan tailored for organizations recovering from a ransomware incident. Key components of post-infection recovery plans: Incident response team activation: Swift action: Activate the incident response team immediately upo | Ransomware Data Breach Vulnerability Threat | ★★ | |
 |
2024-01-23 10:22:49 | New Apple Zero-Day dans WebKit a reçu un correctif (CVE-2024-23222) New Apple Zero-Day in WebKit Received a Fix (CVE-2024-23222) (lien direct) |
> Apple a publié des mises à jour de sécurité pour aborder la première vulnérabilité des 2024 jours affectant ses produits ....
>Apple has issued security updates to address the first 2024 zero-day vulnerability affecting its products.... |
Vulnerability Threat | ★★ | |
 |
2024-01-23 10:21:41 | Cybersécurité : 5 risques à suivre en 2024, selon Hiscox (lien direct) | Cybersécurité : 5 risques à suivre en 2024, selon Hiscox. le Rapport Hiscox 2023 sur la gestion des cyber-risques, tandis qu'avec la croissance de modèles tels que ChatGPT, facilitant la rédaction d'emails de phishing convaincants, les employés se sont plus que jamais retrouvés en première ligne - Points de Vue | Threat Prediction | ChatGPT | ★★★★ |
 |
2024-01-23 07:00:00 | Apple émet un patch pour un jour zéro critique dans les iPhones, Mac - Mettez à jour maintenant Apple Issues Patch for Critical Zero-Day in iPhones, Macs - Update Now (lien direct) |
Apple a publié lundi des mises à jour de sécurité pour iOS, iPados, macOS, TVOS et SAFARI Web Browser pour aborder une faille zéro-jour qui a subi une exploitation active dans la nature.
Le problème, suivi comme CVE-2024-23222, est un bug de confusion de type qui pourrait être exploité par un acteur de menace pour obtenir une exécution de code arbitraire lors du traitement du contenu Web fabriqué avec malveillance.Le géant de la technologie a dit le problème
Apple on Monday released security updates for iOS, iPadOS, macOS, tvOS, and Safari web browser to address a zero-day flaw that has come under active exploitation in the wild. The issue, tracked as CVE-2024-23222, is a type confusion bug that could be exploited by a threat actor to achieve arbitrary code execution when processing maliciously crafted web content. The tech giant said the problem |
Vulnerability Threat | ★★ | |
|
2024-01-22 22:17:00 | Les pirates nord-coréens ont armé de fausses recherches pour livrer la porte dérobée Rokrat North Korean Hackers Weaponize Fake Research to Deliver RokRAT Backdoor (lien direct) |
Les organisations médiatiques et les experts de haut niveau des affaires nord-coréennes ont été à la fin d'une nouvelle campagne orchestrée par un acteur de menace connu sous le nom de & nbsp; Scarcruft & nbsp; en décembre 2023.
"Scarcruft a expérimenté de nouvelles chaînes d'infection, notamment l'utilisation d'un rapport de recherche sur les menaces techniques comme leurre, ciblant probablement les consommateurs d'intelligence des menaces comme la cybersécurité
Media organizations and high-profile experts in North Korean affairs have been at the receiving end of a new campaign orchestrated by a threat actor known as ScarCruft in December 2023. "ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity |
Threat Technical | ★★★ | |
 |
2024-01-22 22:08:00 | Les espions chinois ont exploité le bug de VMware critique pendant près de 2 ans Chinese Spies Exploited Critical VMware Bug for Nearly 2 Years (lien direct) |
Même les clients VMware les plus prudents peuvent avoir besoin de revenir en arrière et de vérifier qu'ils n'étaient pas compromis par un exploit zero-jour pour CVE-2023-34048.
Even the most careful VMware customers may need to go back and double check that they weren\'t compromised by a zero-day exploit for CVE-2023-34048. |
Vulnerability Threat | ★★★ | |
|
2024-01-22 21:58:00 | Microsoft est victime de la blizzard \\ 'Midnight Blizzard \\' à minuit \\ ' Microsoft Falls Victim to Russia-Backed \\'Midnight Blizzard\\' Cyberattack (lien direct) |
L'acteur de menace parrainé par l'État russe Nobelium a utilisé une attaque de base de mot de passe pour briser les comptes de messagerie d'entreprise Microsoft, y compris pour les dirigeants.
Russian state-sponsored threat actor Nobelium used a basic password-spray attack to breach Microsoft corporate email accounts, including for execs. |
Threat | ★★★ | |
 |
2024-01-22 21:03:51 | Nouvel An, nouvelles embauches, nouveaux appareils: coup de pied de l'année avec la sécurité des points finaux New Year, New Hires, New Devices: Kick Start the Year with Endpoint Security (lien direct) |
> Alors que nous accueillons la nouvelle année, les entreprises du monde entier se préparent à la croissance et à l'expansion.Plongez \\ dans certains des menaces que les appareils mobiles peuvent faire face et explorer comment la défense des menaces mobiles de Zimperium (MTD) peut aider les entreprises à protéger votre entreprise.
>As we welcome the new year, businesses around the world are gearing up for growth and expansion. Let\'s dive into some of the threats mobile devices can face and explore how Zimperium Mobile Threat Defense (MTD) can help enterprises protect your enterprise. |
Threat Mobile | ★★ | |
 |
2024-01-22 20:39:42 | Livraison de logiciels malveillants de l'installateur MSIX à la hausse MSIX Installer Malware Delivery on the Rise (lien direct) |
#### Description
À partir de juillet 2023, Red Canary a commencé à enquêter sur une série d'attaques par des adversaires tirant parti des fichiers MSIX pour fournir des logiciels malveillants.MSIX est un format d'installation de packages d'applications Windows que les équipes et les développeurs informatiques utilisent de plus en plus pour fournir des applications Windows au sein des entreprises.
Les adversaires de chaque intrusion semblaient utiliser une publicité malveillante ou un empoisonnement SEO pour attirer les victimes, qui pensaient qu'ils téléchargeaient des logiciels légitimes tels que Grammarly, Microsoft Teams, Notion et Zoom.Les victimes s'étendent sur plusieurs industries, ce qui suggère que les attaques de l'adversaire sont opportunistes plutôt que ciblées.
#### URL de référence (s)
1. https://redcanary.com/blog/msix-installers/
#### Date de publication
16 janvier 2024
#### Auteurs)
Tony Lambert
#### Description Starting in July 2023, Red Canary began investigating a series of attacks by adversaries leveraging MSIX files to deliver malware. MSIX is a Windows application package installation format that IT teams and developers increasingly use to deliver Windows applications within enterprises. The adversaries in each intrusion appeared to be using malicious advertising or SEO poisoning to draw in victims, who believed that they were downloading legitimate software such as Grammarly, Microsoft Teams, Notion, and Zoom. Victims span multiple industries, suggesting that the adversary\'s attacks are opportunistic rather than targeted. #### Reference URL(s) 1. https://redcanary.com/blog/msix-installers/ #### Publication Date January 16, 2024 #### Author(s) Tony Lambert |
Malware Threat | ★★ | |
|
2024-01-22 20:30:00 | Les attaquants de Scarcruft de la Corée du Nord se préparent à cibler les pros de la cybersécurité North Korea\\'s ScarCruft Attackers Gear Up to Target Cybersecurity Pros (lien direct) |
Sur la base de nouvelles routines d'infection par l'APT, elle cherche à récolter des renseignements sur les menaces afin d'améliorer la sécurité opérationnelle et la furtivité.
Based on fresh infection routines the APT is testing, it\'s looking to harvest threat intelligence in order to improve operational security and stealth. |
Threat | APT 37 | ★★★ |
 |
2024-01-22 19:36:23 | Statistiques de laboratoire de menace de netskope pour décembre 2023 Netskope Threat Labs Stats for December 2023 (lien direct) |
>Netskope Threat Labs publishes a monthly summary blog post of the top threats we are tracking on the Netskope platform. The purpose of this post is to provide strategic, actionable intelligence on active threats against enterprise users worldwide. Summary A high number of Sliver framework payloads were found in the month of December. Sliver is […]
>Netskope Threat Labs publishes a monthly summary blog post of the top threats we are tracking on the Netskope platform. The purpose of this post is to provide strategic, actionable intelligence on active threats against enterprise users worldwide. Summary A high number of Sliver framework payloads were found in the month of December. Sliver is […] |
Threat | ★★ | |
|
2024-01-22 17:31:00 | Israël, République tchèque renforce le cyber-partenariat au milieu de la guerre du Hamas Israel, Czech Republic Reinforce Cyber Partnership Amid Hamas War (lien direct) |
L'accord pour permettre le partage futur de l'information et de l'expérience fait partie d'une série d'accords de renseignement sur les menaces inter-pays qu'Israël signe, alors que les attaques liées à la guerre augmentent.
The agreement to enable future sharing of information and experience is part of a spate of inter-country threat intelligence agreements that Israel is signing, as war-related attacks ramp up. |
Threat | ★★★ | |
 |
2024-01-22 14:27:31 | Kaspersky anticipe les principales menaces cyber ciblant les enfants en 2024 (lien direct) | >Avec la généralisation de l’accès des enfants aux smartphones et aux tablettes, ces derniers interagissent de plus en plus tôt avec le monde numérique et la technologie. Il devient donc impératif que les parents restent au fait des dernières menaces de cybersécurité visant les enfants, afin de mieux les protéger contre d’éventuels dangers. Les experts […] The post Kaspersky anticipe les principales menaces cyber ciblant les enfants en 2024 first appeared on UnderNews. | Threat | ★★★ | |
 |
2024-01-22 14:09:19 | 22 janvier & # 8211;Rapport de renseignement sur les menaces 22nd January – Threat Intelligence Report (lien direct) |
> Pour les dernières découvertes en cyberLes meilleures attaques et violation de Microsoft ont révélé qu'ils ont détecté une attaque contre leurs systèmes par l'acteur parrainé par l'État russe connu sous le nom de Midnight Blizzard (alias Nobelium).L'acteur de menace a utilisé une attaque en pulvérisation de mot de passe pour compromettre un test de non-production hérité [& # 8230;]
>For the latest discoveries in cyber research for the week of 22nd January, please download our Threat_Intelligence Bulletin. TOP ATTACKS AND BREACHES Microsoft disclosed that they detected an attack against their systems by Russian state-sponsored actor known as Midnight Blizzard (aka Nobelium). The threat actor used a password spray attack to compromise a legacy non-production test […] |
Threat | ★★ | |
|
2024-01-22 11:56:00 | Ventes de la base de données Trello, Exploits Ivanti Zero-Day, Phantom Loader, US et Australia Credit Cards Sales of Trello Database, Ivanti Zero-Day Exploits, Phantom Loader, US and Australia Credit Cards (lien direct) |
Dans Socradar Dark Web Team & # 8217; s les dernières découvertes, de leur surveillance d'une semaine du Dark Web, ...
In SOCRadar Dark Web Team’s latest findings, from their week-long monitoring of the dark web,... |
Vulnerability Threat | ★★★ | |
 |
2024-01-22 10:15:00 | La directive d'urgence de la CISA exige une action sur Ivanti Zero-Days CISA Emergency Directive Demands Action on Ivanti Zero-Days (lien direct) |
L'agence de sécurité américaine CISA ordonne à toutes les agences fédérales civiles de prendre des mesures immédiates pour atténuer deux défauts de zéro-jour Ivanti
US security agency CISA orders all civilian federal agencies to take immediate steps to mitigate two Ivanti zero-day flaws |
Vulnerability Threat | ★★★ | |
|
2024-01-22 09:10:00 | Apache ActiveMQ Flaw exploité dans les nouvelles attaques de coquille Web Godzilla Apache ActiveMQ Flaw Exploited in New Godzilla Web Shell Attacks (lien direct) |
Les chercheurs en cybersécurité mettent en garde contre une "augmentation notable" de l'activité des acteurs de menace exploitant activement un défaut désormais par paire dans Apache ActiveMQ pour délivrer le shell Web Godzilla sur des hôtes compromis.
"Les shells Web sont cachés dans un format binaire inconnu et sont conçus pour échapper à la sécurité et aux scanners basés sur la signature", a déclaré Trustwave & NBSP;"Notamment, malgré le fichier inconnu du binaire
Cybersecurity researchers are warning of a "notable increase" in threat actor activity actively exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts. "The web shells are concealed within an unknown binary format and are designed to evade security and signature-based scanners," Trustwave said. "Notably, despite the binary\'s unknown file |
Threat | ★★★ | |
 |
2024-01-22 06:00:26 | Types de menaces et d'attaques d'identité que vous devez être consciente Types of Identity Threats and Attacks You Should Be Aware Of (lien direct) |
It\'s easy to understand why today\'s cybercriminals are so focused on exploiting identities as a key step in their attacks. Once they have access to a user\'s valid credentials, they don\'t have to worry about finding creative ways to break into an environment. They are already in. Exploiting identities requires legwork and persistence to be successful. But in many ways this tactic is simpler than exploiting technical vulnerabilities. In the long run, a focus on turning valid identities into action can save bad actors a lot of time, energy and resources. Clearly, it\'s become a favored approach for many attackers. In the past year, 84% of companies experienced an identity-related security breach. To defend against identity-based attacks, we must understand how bad actors target the authentication and authorization mechanisms that companies use to manage and control access to their resources. In this blog post, we will describe several forms of identity-based attacks and methods and offer an overview of some security controls that can help keep identity attacks at bay. Types of identity-based attacks and methods Below are eight examples of identity attacks and related strategies. This is not an exhaustive list and, of course, cybercriminals are always evolving their techniques. But this list does provide a solid overview of the most common types of identity threats. 1. Credential stuffing Credential stuffing is a type of brute-force attack. Attackers add pairs of compromised usernames and passwords to botnets that automate the process of trying to use the credentials on many different websites at the same time. The goal is to identify account combinations that work and can be reused across multiple sites. Credential stuffing is a common identity attack technique, in particular for widely used web applications. When bad actors find a winning pair, they can steal from and disrupt many places at once. Unfortunately, this strategy is highly effective because users often use the same passwords across multiple websites. 2. Password spraying Another brute-force identity attack method is password spraying. A bad actor will use this approach to attempt to gain unauthorized access to user accounts by systematically trying commonly used passwords against many usernames. Password spraying isn\'t a traditional brute-force attack where an attacker attempts to use many passwords against a single account. It is a more subtle and stealthy approach that aims to avoid account lockouts. Here\'s how this identity attack usually unfolds: The attacker gathers a list of usernames through public information sources, leaked databases, reconnaissance activities, the dark web and other means. They then select a small set of commonly used or easily guessable passwords. Next, the attacker tries each of the selected passwords against a large number of user accounts until they find success. Password spraying is designed to fly under the radar of traditional security detection systems. These systems may not flag these identity-based attacks due to the low number of failed login attempts per user. Services that do not implement account lockout policies or have weak password policies are at risk for password spraying attacks. 3. Phishing Here\'s a classic and very effective tactic that\'s been around since the mid-1990s. Attackers use social engineering and phishing to target users through email, text messages, phone calls and other forms of communication. The aim of a phishing attack is to trick users into falling for the attacker\'s desired action. That can include providing system login credentials, revealing financial data, installing malware or sharing other sensitive data. Phishing attack methods have become more sophisticated over the years, but they still rely on social engineering to be effective. 4. Social engineering Social engineering is more of an ingredient in an identity attack. It\'s all about the deception and manipulation of users, and it\'s a feature in | Malware Vulnerability Threat Patching Technical | ★★ | |
|
2024-01-20 15:53:00 | Les pirates chinois ont silencieusement armé le vmware zéro jour pendant 2 ans Chinese Hackers Silently Weaponized VMware Zero-Day Flaw for 2 Years (lien direct) |
Un groupe avancé de cyber-espionnage China-Nexus précédemment lié à l'exploitation des défauts de sécurité dans les appareils VMware et Fortinet a été lié à l'abus d'une vulnérabilité critique dans VMware vCenter Server en tant que zéro-jour depuis la fin de 2021.
"UNC3886 a des antécédents d'utilisation des vulnérabilités zéro jour pour terminer leur mission sans être détectée, et ce dernier exemple plus loin
An advanced China-nexus cyber espionage group previously linked to the exploitation of security flaws in VMware and Fortinet appliances has been linked to the abuse of a critical vulnerability in VMware vCenter Server as a zero-day since late 2021. "UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further |
Vulnerability Threat | ★★★★ | |
|
2024-01-20 10:01:00 | La CISA émet une directive d'urgence aux agences fédérales sur les exploits Ivanti Zero-Day CISA Issues Emergency Directive to Federal Agencies on Ivanti Zero-Day Exploits (lien direct) |
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an emergency directive urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) Produits.
Le développement est intervenu après la & nbsp; vulnérabilités & nbsp; & # 8211;une contournement d'authentification
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an emergency directive urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products. The development came after the vulnerabilities – an authentication bypass |
Vulnerability Threat | ★★★ | |
|
2024-01-20 08:41:00 | Les meilleurs e-mails de Microsoft \\ sont des e-mails violés dans une attaque apt sophistiquée liée à la Russie Microsoft\\'s Top Execs\\' Emails Breached in Sophisticated Russia-Linked APT Attack (lien direct) |
Vendredi, Microsoft a révélé que c'était l'objectif d'une attaque d'État-nation contre ses systèmes d'entreprise qui a entraîné le vol de courriels et de pièces jointes de cadres supérieurs et d'autres personnes des services de cybersécurité et juridiques de la société.
Le fabricant de Windows a attribué l'attaque à un groupe de menace persistante avancée russe (APT) qu'il suit comme & nbsp; Midnight Blizzard & nbsp; (anciennement
Microsoft on Friday revealed that it was the target of a nation-state attack on its corporate systems that resulted in the theft of emails and attachments from senior executives and other individuals in the company\'s cybersecurity and legal departments. The Windows maker attributed the attack to a Russian advanced persistent threat (APT) group it tracks as Midnight Blizzard (formerly |
Threat | ★★ | |
|
2024-01-20 07:46:00 | Alerte de phishing de la facture: TA866 déploie un logiciel malveillant Wasabiseed & Capethotter Invoice Phishing Alert: TA866 Deploys WasabiSeed & Screenshotter Malware (lien direct) |
L'acteur de menace a suivi comme & nbsp; TA866 & nbsp; a refait surface après une interruption de neuf mois avec une nouvelle campagne de phishing en grand volume pour livrer des familles de logiciels malveillants connues telles que Wasabseed et Capshotter.
La campagne, observée plus tôt ce mois-ci et bloquée par Proofpoint le 11 janvier 2024, a consisté à envoyer des milliers d'e-mails sur le thème des factures ciblant l'Amérique du Nord portant des fichiers PDF leurres.
"Les PDF
The threat actor tracked as TA866 has resurfaced after a nine-month hiatus with a new large-volume phishing campaign to deliver known malware families such as WasabiSeed and Screenshotter. The campaign, observed earlier this month and blocked by Proofpoint on January 11, 2024, involved sending thousands of invoice-themed emails targeting North America bearing decoy PDF files. "The PDFs |
Malware Threat | ★★ | |
|
2024-01-19 21:05:18 | Le groupe de menaces russes Coldriver étend son ciblage des responsables occidentaux pour inclure l'utilisation de logiciels malveillants Russian Threat Group COLDRIVER Expands its Targeting of Western Officials to Include the Use of Malware (lien direct) |
#### Description
Le groupe de menaces russes Coldriver, également connu sous le nom de UNC4057, Star Blizzard et Callisto, a élargi son ciblage des responsables occidentaux pour inclure l'utilisation de logiciels malveillants.Le groupe s'est concentré sur les activités de phishing des conférences contre des personnes de haut niveau dans les ONG, les anciens officiers de renseignement et militaire et les gouvernements de l'OTAN.Coldriver a utilisé des comptes d'identité pour établir un rapport avec la cible, augmentant la probabilité du succès de la campagne de phishing \\, et finit par envoyer un lien ou un document de phishing contenant un lien.
Coldriver a été observé en envoyant des cibles des documents PDF bénins à partir de comptes d'identité, présentant ces documents comme un nouveau éditorial ou un autre type d'article que le compte d'identité cherche à publier, demandant des commentaires de la cible.Lorsque l'utilisateur ouvre le PDF bénin, le texte apparaît crypté.Si l'objectif répond qu'ils ne peuvent pas lire le document chiffré, le compte d'identité Coldriver répond par un lien, généralement hébergé sur un site de stockage cloud, à un utilitaire de «décryptage» à l'utilisation de la cible.Cet utilitaire de décryptage, tout en affichant un document de leurre, est en fait une porte dérobée, suivie en tant que SPICA, donnant à Coldriver l'accès à la machine de la victime.
#### URL de référence (s)
1. https://blog.google/thereat-analysis-group/google-tag-coldriver-russian-phishing-malware/
#### Date de publication
18 janvier 2024
#### Auteurs)
Wesley Shields
#### Description Russian threat group COLDRIVER, also known as UNC4057, Star Blizzard, and Callisto, has expanded its targeting of Western officials to include the use of malware. The group has been focused on credential phishing activities against high-profile individuals in NGOs, former intelligence and military officers, and NATO governments. COLDRIVER has been using impersonation accounts to establish a rapport with the target, increasing the likelihood of the phishing campaign\'s success, and eventually sends a phishing link or document containing a link. COLDRIVER has been observed sending targets benign PDF documents from impersonation accounts, presenting these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted. If the target responds that they cannot read the encrypted document, the COLDRIVER impersonation account responds with a link, usually hosted on a cloud storage site, to a “decryption” utility for the target to use. This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving COLDRIVER access to the victim\'s machine. #### Reference URL(s) 1. https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/ #### Publication Date January 18, 2024 #### Author(s) Wesley Shields |
Malware Threat Cloud | ★★ | |
|
2024-01-19 19:00:00 | Troisième vulnérabilité ivanti exploitée dans la nature, rapporte CISA Third Ivanti Vulnerability Exploited in the Wild, CISA Reports (lien direct) |
Bien que les rapports indiquent que ce dernier bogue d'Ivanti est exploité, il n'est pas clair exactement comment les acteurs de la menace l'utilisent.
Though reports say this latest Ivanti bug is being exploited, it\'s unclear exactly how threat actors are using it. |
Vulnerability Threat | ★★★ | |
|
2024-01-19 18:18:00 | Les experts mettent en garde contre la porte dérobée macOS cachée dans les versions piratées de logiciels populaires Experts Warn of macOS Backdoor Hidden in Pirated Versions of Popular Software (lien direct) |
Des applications piratées ciblant les utilisateurs d'Apple MacOS ont été observées contenant une porte dérobée capable d'accorder des attaquants à distance aux machines infectées.
"Ces applications sont hébergées sur des sites de piratage chinois afin de gagner des victimes", a déclaré les chercheurs de Lamf Threat Labs Ferdous Saljooki et Jaron Bradley & NBSP.
"Une fois explosé, le malware téléchargea et exécutera plusieurs charges utiles
Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control to infected machines. "These applications are being hosted on Chinese pirating websites in order to gain victims," Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said. "Once detonated, the malware will download and execute multiple payloads |
Malware Threat | ★★★ | |
 |
2024-01-19 17:30:00 | Le groupe d'espionnage chinois UNC3886 a trouvé l'exploitation du CVE-2023-34048 depuis la fin 2021 Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021 (lien direct) |
Bien que signalé et corrigé publiquement en octobre 2023, la sécurité des produits Mandiant et VMware a trouvé unc3886 , un groupe d'espionnage China-Nexus très avancé, a exploité CVE-2023-34048 jusqu'à la fin 2021. Ces résultats proviennent de la recherche continue de Maniant \\ de Les nouveaux chemins d'attaque utilisés par unc3886 , qui se concentre historiquement sur les technologies qui ne sont pas en mesure de les déployer par EDR.UNC3886 a une expérience en utilisant des vulnérabilités zéro-jours pour terminer leur mission sans être détectée, et ce dernier exemple démontre en outre leurs capacités. Lorsque vous couvrez
While publicly reported and patched in October 2023, Mandiant and VMware Product Security have found UNC3886, a highly advanced China-nexus espionage group, has been exploiting CVE-2023-34048 as far back as late 2021.These findings stem from Mandiant\'s continued research of the novel attack paths used by UNC3886, which historically focuses on technologies that are unable to have EDR deployed to them. UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities. When covering |
Vulnerability Threat | ★★★★ | |
|
2024-01-19 12:22:43 | Cyber Assurance à l'ère du ransomware: protection ou provocation? Cyber Insurance in the Age of Ransomware: Protection or Provocation? (lien direct) |
> Les entreprises sont de plus en plus confrontées à la menace de la cybercriminalité, en particulier des ransomwares.Ce logiciel malveillant verrouille les utilisateurs ...
>Businesses are increasingly facing the threat of cybercrime, particularly ransomware. This malicious software locks users... |
Ransomware Threat | ★★ | |
 |
2024-01-19 00:00:00 | Microsoft Actions après attaque par l'acteur de l'État national Midnight Blizzard Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard (lien direct) |
L'équipe de sécurité de Microsoft a détecté une attaque de l'État-nation contre nos systèmes d'entreprise le 12 janvier 2024 et a immédiatement activé notre processus de réponse pour enquêter, perturber l'activité malveillante, atténuer l'attaque et refuser à l'acteur de menace accès.Microsoft a identifié l'acteur de menace comme étant Midnight Blizzard, l'acteur russe parrainé par l'État également connu sous le nom de Nobelium.
The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium. |
Threat | ★★ | |
|
2024-01-18 23:00:00 | L'IA donne aux défenseurs l'avantage de la défense des entreprises AI Gives Defenders the Advantage in Enterprise Defense (lien direct) |
Un panel de CISO a reconnu que l'intelligence artificielle a renforcé les capacités des acteurs de la menace, mais les défenseurs des entreprises bénéficient en fait davantage de la technologie.
A panel of CISOs acknowledged that artificial intelligence has boosted the capabilities of threat actors, but enterprise defenders are actually benefiting more from the technology. |
Threat | ★★★ | |
|
2024-01-18 22:46:00 | Les acteurs de la menace s'associent pour une augmentation des e-mails de phishing après les vacances Threat Actors Team Up for Post-Holiday Phishing Email Surge (lien direct) |
Tout comme vous et moi, les cyberattaques sont revenus des vacances d'hiver et ont immédiatement commencé à envoyer des milliers d'e-mails.
Just like you and me, cyberattackers returned from winter break and immediately started sending thousands of emails. |
Threat | ★★★ | |
|
2024-01-18 22:01:00 | Nouveau docker malware vole le processeur pour la crypto et le trafic de faux site Web New Docker Malware Steals CPU for Crypto & Drives Fake Website Traffic (lien direct) |
Les services vulnérables Docker sont ciblés par une nouvelle campagne dans laquelle les acteurs de la menace déploient un mineur de crypto-monnaie XMRIG ainsi que le logiciel du téléspectateur 9HITS dans le cadre d'une stratégie de monétisation à plusieurs volets.
"Il s'agit du premier cas documenté de logiciels malveillants déploiement de l'application 9HITS en tant que charge utile", a déclaré Cado, la société de sécurité cloud, ajoutant que le développement est un signe que les adversaires sont
Vulnerable Docker services are being targeted by a novel campaign in which the threat actors are deploying XMRig cryptocurrency miner as well as the 9Hits Viewer software as part of a multi-pronged monetization strategy. "This is the first documented case of malware deploying the 9Hits application as a payload," cloud security firm Cado said, adding the development is a sign that adversaries are |
Malware Threat Cloud | ★★ | |
|
2024-01-18 20:19:00 | Les pirates russes Coldriver se développent au-delà du phishing avec des logiciels malveillants personnalisés Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware (lien direct) |
L'acteur de menace lié à la Russie connue sous le nom de Coldriver a été observé, a fait évoluer son métier pour aller au-delà de la récolte d'identification pour livrer ses tout premiers logiciels malveillants personnalisés écrits dans le langage de programmation de la rouille.
Le groupe d'analyse des menaces de Google (TAG), qui a partagé les détails de la dernière activité, a déclaré que les chaînes d'attaque exploitent les PDF en tant que documents de leurre pour déclencher la séquence d'infection.Les leurres sont
The Russia-linked threat actor known as COLDRIVER has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language. Google\'s Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence. The lures are |
Malware Threat | ★★★ | |
 |
2024-01-18 18:55:27 | Ivanti Connect Secure VPN Exploitation: Nouvelles observations Ivanti Connect Secure VPN Exploitation: New Observations (lien direct) |
> Le 15 janvier 2024, la volexité a détaillé l'exploitation généralisée des vulnérabilités VPN sécurisées Ivanti Connect CVE-2024-21887 et CVE-2023-46805.Dans ce billet de blog, la volexité a détaillé un numérisation et une exploitation plus larges par des acteurs de menace utilisant des exploits toujours non publiques pour compromettre de nombreux appareils.Le lendemain, le 16 janvier 2023, le code de preuve de concept pour l'exploit a été rendu public par Rapid7.Par la suite, la volexité a observé une augmentation des attaques de divers acteurs de menace contre les appareils VPN sécurisés Ivanti Connect à partir du même jour.De plus, la volexité a poursuivi son enquête sur l'activité menée par UTA0178 et fait quelques découvertes notables.Le premier se rapporte à la volet de Web GiftedVisitor pour laquelle la volexité a scanné, ce qui a conduit à la découverte initiale de plus de 1 700 dispositifs VPN Secure Ivanti compromis.Le 16 janvier 2024, Volexity a effectué un nouveau scan pour cette porte dérobée et a trouvé 368 appropriés supplémentaires sur les appareils VPN Secure Ivanti compromis, apportant le nombre total de systèmes infectés par [& # 8230;]
>On January 15, 2024, Volexity detailed widespread exploitation of Ivanti Connect Secure VPN vulnerabilities CVE-2024-21887 and CVE-2023-46805. In that blog post, Volexity detailed broader scanning and exploitation by threat actors using still non-public exploits to compromise numerous devices. The following day, January 16, 2023, proof-of-concept code for the exploit was made public by Rapid7. Subsequently, Volexity has observed an increase in attacks from various threat actors against Ivanti Connect Secure VPN appliances beginning the same day. Additionally, Volexity has continued its investigation into activity conducted by UTA0178 and made a few notable discoveries. The first relates to the GIFTEDVISITOR webshell that Volexity scanned for, which led to the initial discovery of over 1,700 compromised Ivanti Connect Secure VPN devices. On January 16, 2024, Volexity conducted a new scan for this backdoor and found an additional 368 compromised Ivanti Connect Secure VPN appliances, bringing the total count of systems infected by […] |
Vulnerability Threat | ★★★ | |
 |
2024-01-18 18:44:20 | AndroxGH0st malware botnet vole AWS, les informations d'identification Microsoft et plus Androxgh0st Malware Botnet Steals AWS, Microsoft Credentials and More (lien direct) |
Le botnet malware AndroxGH0st est utilisé pour l'identification et l'exploitation des victimes dans les réseaux ciblés, ainsi que pour la collecte des informations d'identification.Lisez les conseils du FBI / CISA \\ pour protéger contre cette menace malveillante.
The Androxgh0st malware botnet is used for victim identification and exploitation in targeted networks, as well as credentials collection. Read the FBI/CISA\'s tips for protecting against this malware threat. |
Malware Threat | ★★ | |
|
2024-01-18 15:15:00 | \\ 'chaes \\' Le code d'infostealer contient des notes d'amour de chasse à la menace cachée \\'Chaes\\' Infostealer Code Contains Hidden Threat Hunter Love Notes (lien direct) |
L'analyse de l'infostaler malware version 4.1 comprend un art ASCII caché et un cri remerciant des chercheurs en cybersécurité.
Analysis of the infostealer malware version 4.1 includes hidden ASCII art and a shout-out thanking cybersecurity researchers. |
Malware Threat | ★★ | |
 |
2024-01-18 15:00:00 | Google: des pirates d'État russes déploient des logiciels malveillants dans des attaques d'espionnage à travers l'Europe Google: Russian state hackers deploying malware in espionage attacks around Europe (lien direct) |
Les pirates d'État russes tentent de plus en plus de déployer des délais sur les appareils des cibles dans les pays de l'OTAN et l'Ukraine, selon Nouvelles recherches du groupe d'analyse des menaces de Google \\.Les chercheurs ont constaté que les tactiques des pirates du Centre 18, une unité au sein du Federal Security Service (FSB) de Russie, ont évolué ces derniers mois à des derniers mois
Russian state hackers are increasingly attempting to deploy backdoors on the devices of targets in NATO countries and Ukraine, according to new research from Google\'s Threat Analysis Group. The researchers found that the tactics of hackers from Center 18, a unit within Russia\'s Federal Security Service (FSB), have evolved in recent months to more sophisticated |
Malware Threat | ★★ | |
|
2024-01-18 14:21:27 | Fortra: 81% des professionnels de la sécurité identifient le phishing comme la principale menace en 2024 Fortra: 81% of Security Professionals Identify Phishing as the Top Threat in 2024 (lien direct) |
81% des professionnels de la sécurité identifient le phishing comme la principale menace en 2024
L'enquête de l'État de cybersécurité de Fortra 2024 découvre les principaux défis et opportunités de sécurité pour les organisations cette année
-
rapports spéciaux
81% of Security Professionals Identify Phishing as the Top Threat in 2024 The 2024 Fortra State of Cybersecurity Survey uncovers the key security challenges and opportunities for organizations this year - Special Reports |
Threat | ★★★ | |
 |
2024-01-18 14:06:53 | L'APT russe connu pour les attaques de phishing développe également des logiciels malveillants, prévient Google Russian APT Known for Phishing Attacks Is Also Developing Malware, Google Warns (lien direct) |
> Le groupe de menaces russes Colriver a développé SPICA, un malware qui lui permet de compromettre les systèmes et de voler des informations.
>Russian threat group ColdRiver has developed Spica, a malware that enables it to compromise systems and steal information. |
Malware Threat | ★★★ | |
 |
2024-01-18 14:00:11 | Google Tag: Kremlin Cyber Spies se déplace dans les logiciels malveillants avec une porte dérobée personnalisée Google TAG: Kremlin cyber spies move into malware with a custom backdoor (lien direct) |
Les menaces que les chasseurs croient que Coldriver utilise SPICA depuis au moins novembre 2022 Les cyberespaces russes liées au Federal Security Service (FSB) du Kremlin \\ passent au-delà de leurs bouffonneries de phishing et ont développé et développées habituelles et ont développé et développéUne porte dérobée personnalisée qu'ils ont commencé à livrer par e-mail dès le novembre 2022, selon le groupe d'analyse des menaces de Google.…
The threat hunters believe COLDRIVER has used SPICA since at least November 2022 Russian cyberspies linked to the Kremlin\'s Federal Security Service (FSB) are moving beyond their usual credential phishing antics and have developed a custom backdoor that they started delivering via email as far back as November 2022, according to Google\'s Threat Analysis Group.… |
Malware Threat | ★★ | |
|
2024-01-18 11:00:00 | Quatre tendances de cybersécurité que vous devriez connaître pour 2024 Four cybersecurity trends you should know for 2024 (lien direct) |
This is part three of a three-part series written by AT&T Cybersecurity evangelist Theresa Lanowitz. It’s intended to be future-looking, provocative, and encourage discussion. The author wants to assure you that no generative AI was used in any part of this blog. Part one: Unusual, thought-provoking predictions for cybersecurity in 2024 Part two: Cybersecurity operations in 2024: The SOC of the future While there are many big things to prepare for in 2024 (see first two posts), some important smaller things don’t get the same attention. Yet, these things are good to know and probably won’t come as a huge surprise. Because they, too, are evolving, it’s important not to take your eye off the ball. Compliance creates a new code of conduct and a new need for compliance logic. Compliance and governance are often overlooked when developing software because a different part of the business typically owns those responsibilities. That is all about to change. Cybersecurity policies (internal and external, including new regulations) need to move upstream in the software development lifecycle and need compliance logic built in to simplify the process. Software is designed to work globally; however, the world is becoming more segmented and parsed. Regulations are being created at country, regional, and municipal levels. To be realistic, the only way to handle compliance is via automation. To avoid the constant forking of software, compliance logic will need to be a part of modern applications. Compliance logic will allow software to function globally but adjust based on code sets that address geographic locations and corresponding regulations. In 2024, expect compliance logic to become a part of the larger conversation regarding compliance, governance, regulation, and policy. This will require cross-functional collaboration across IT, security, legal, line of business, finance, and other organizational stakeholders. MFA gets physical. Multi-factor authentication (MFA) is a way of life. The benefits far outweigh the slight inconvenience imposed. Think about why MFA is so critical. MFA helps with authorization and authentication for mission-critical and safety-critical work. It prevents unauthorized access to critical information. MFA is an easy-to-implement step for good cyber hygiene. Our current way of thinking about MFA is generally based on three things: something you know, a passcode; something you have, a device; and something you are, a fingerprint, your face, etc. Now, let’s take this a step further and look at how the something you are part of MFA can improve safety. Today, MFA routinely accepts fingerprints, facial recognition, or retina scans. That’s just the beginning. MFA can go a step further in helping with business outcomes; here’s how. Biometric and behavioral MFA can help with identifying the veracity of an individual as well as the fitness to perform a function. For example, a surgeon can access the hospital, restricted areas, and the operating room through MFA verifications. But, once in the operating room, how is it determined that the surgeon is fit to perform the surgical task? Behavioral MFA will soon be in play to ensure the surgeon is fit by adding another layer of something you are. Behavioral MFA will determine fitness for a task by identifying things such as entering a series of numbers on a keypad, handwriting on a tablet, or voice analysis. The goal is to compare current behavior with past behavior to ensur | Tool Threat Prediction | ★★★ | |
|
2024-01-18 09:46:00 | Les pirates iraniens se masquent en tant que journalistes pour espionner les experts de la guerre Israel-Hamas Iranian Hackers Masquerade as Journalists to Spy on Israel-Hamas War Experts (lien direct) |
Des individus de haut niveau travaillant sur les affaires du Moyen-Orient dans les universités et les organisations de recherche en Belgique, en France, Gaza, Israël, au Royaume-Uni et aux États-Unis ont été ciblées par un groupe de cyber-espionnage iranien appelé & nbsp; Mind Sandstorm & nbsp; depuis novembre 2023.
L'acteur de menace "a utilisé des leurres de phishing sur mesure pour tenter d'ingénierie socialement des cibles dans le téléchargement de fichiers malveillants", le
High-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the U.K., and the U.S. have been targeted by an Iranian cyber espionage group called Mind Sandstorm since November 2023. The threat actor "used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files," the |
Threat | ★★ | |
|
2024-01-18 09:30:00 | NCSC construit une nouvelle communauté de suivi des menaces «Cyber League» NCSC Builds New “Cyber League” Threat Tracking Community (lien direct) |
Le National Cyber Security Center du Royaume-Uni a lancé une cyber ligue pour surveiller les cyber-menaces émergentes
The UK\'s National Cyber Security Centre has launched a Cyber League to monitor emerging cyber-threats |
Threat | ★★ | |
 |
2024-01-18 08:00:31 | Le FBI et la CISA émettent des conseils sur AndroxGH0st malware et botnet menace pour les réseaux FBI and CISA issue advisory on Androxgh0st malware and botnet threat to networks (lien direct) |
> Le Federal Bureau of Investigation (FBI) et la Cybersecurity and Infrastructure Security Agency (CISA) ont publié mardi un ...
>The U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published Tuesday a... |
Malware Threat | ★★ | |
 |
2024-01-18 07:10:53 | MIMO COINMINER ET MIMUS RANSOMWALIES installées via des attaques de vulnérabilité Mimo CoinMiner and Mimus Ransomware Installed via Vulnerability Attacks (lien direct) |
Ahnlab Security Intelligence Center (ASEC) a récemment observé les circonstances d'un acteur de menace de Coinmin appelé MIMO exploitant diverses vulnérabilités àinstaller des logiciels malveillants.MIMO, également surnommé HEZB, a été retrouvé pour la première fois lorsqu'ils ont installé des co -miners grâce à une exploitation de vulnérabilité Log4Shell en mars 2022. Jusqu'à présent, tous les cas d'attaque impliquaient l'installation de XMRIG Coinmin, appelé MIMO Miner Bot dans l'étape finale.Cependant, il y avait d'autres cas pertinents où le même acteur de menace a installé Mimus Ransomware, Proxyware et Reverse Shell ...
AhnLab SEcurity intelligence Center (ASEC) recently observed circumstances of a CoinMiner threat actor called Mimo exploiting various vulnerabilities to install malware. Mimo, also dubbed Hezb, was first found when they installed CoinMiners through a Log4Shell vulnerability exploitation in March 2022. Up until now, all of the attack cases involved the installation of XMRig CoinMiner called Mimo Miner Bot in the final stage. However, there were other pertinent cases where the same threat actor installed Mimus ransomware, proxyware, and reverse shell... |
Ransomware Malware Vulnerability Threat | ★★★ | |
|
2024-01-18 05:00:52 | Mémoire de sécurité: TA866 revient avec une grande campagne de messagerie Security Brief: TA866 Returns with a Large Email Campaign (lien direct) |
What happened Proofpoint researchers identified the return of TA866 to email threat campaign data, after a nine-month absence. On January 11, 2024, Proofpoint blocked a large volume campaign consisting of several thousand emails targeting North America. Invoice-themed emails had attached PDFs with names such as “Document_[10 digits].pdf” and various subjects such as “Project achievements”. The PDFs contained OneDrive URLs that, if clicked, initiated a multi-step infection chain eventually leading to the malware payload, a variant of the WasabiSeed and Screenshotter custom toolset. Screenshot of an email with an attached PDF. If the user clicked on the OneDrive URL inside the PDF, they were: Served a JavaScript file hosted on OneDrive. The JavaScript, if run by the user, downloaded and ran an MSI file. The MSI file executed an embedded WasabiSeed VBS script. The WasabiSeed VBS script then downloaded and executed a second MSI file as well as continued polling for additional payloads in a loop. The additional payloads are currently unknown. Finally, the second MSI file contained components of the Screenshotter screenshot utility which took a screenshot of the desktop and sent it the C2. Attack chain summary: Email > PDF > OneDrive URL > JavaScript > MSI / VBS (WasabiSeed) > MSI (Screenshotter). The attack chain was similar to the last documented email campaign using this custom toolset observed by Proofpoint on March 20, 2023. The similarities helped with attribution. Specifically, TA571 spam service was similarly used, the WasabiSeed downloader remained almost the same, and the Screenshotter scripts and components remained almost the same. (Analyst Note: While Proofpoint did not initially associate the delivery TTPs with TA571 in our first publication on TA866, subsequent analysis attributed the malspam delivery of the 2023 campaigns to TA571, and subsequent post-exploitation activity to TA866.) One of the biggest changes in this campaign from the last observed activity was the use of a PDF attachment containing a OneDrive link, which was completely new. Previous campaigns used macro-enabled Publisher attachments or 404 TDS URLs directly in the email body. Screenshot of “TermServ.vbs” WasabiSeed script whose purpose is to execute an infinite loop, reaching out to C2 server and attempting to download and run an MSI file (empty lines were removed from this script for readability). Screenshot of “app.js”, one of the components of Screenshotter. This file runs “snap.exe”, a copy of legitimate IrfanView executable, (also included inside the MSI) to save a desktop screenshot as “gs.jpg”. Screenshot of “index.js”, another Screenshotter component. This code is responsible for uploading the desktop screenshot ”gs.jpg” to the C2 server. Attribution There are two threat actors involved in the observed campaign. Proofpoint tracks the distribution service used to deliver the malicious PDF as belonging to a threat actor known as TA571. TA571 is a spam distributor, and this actor sends high volume spam email campaigns to deliver and install a variety malware for their cybercriminal customers. Proofpoint tracks the post-exploitation tools, specifically the JavaScript, MSI with WasabiSeed components, and MSI with Screenshotter components as belonging to TA866. TA866 is a threat actor previously documented by Proofpoint and colleagues in [1][2] and [3]. TA866 is known to engage in both crimeware and cyberespionage activity. This specific campaign appears financially motivated. Proofpoint assesses that TA866 is an organized actor able to perform well thought-out attacks at scale based on their availability of custom tools, and ability and connections to purchase tools and services from other actors. Why it matters The following are notable characteristics of TA866\'s return to email threat data: TA866 email campaigns have been missing from the landscape for over nine months (although there are indications that the actor was meanwhile | Spam Malware Tool Threat | ★★ | |
 |
2024-01-18 00:00:00 | Protéger la sécurité de votre réseau contre la menace Ivanti Zero-Day Protecting Your Network Security from Ivanti Zero-Day Threat (lien direct) |
La vulnérabilité négligée avec des impacts réels
The overlooked vulnerability with real impacts |
Vulnerability Threat | ★★ | |
|
2024-01-17 21:58:17 | Avant de pointe: cibles suspectées APT Ivanti Connect Secure VPN dans une nouvelle exploitation zéro-jour |Mandiant Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation | Mandiant (lien direct) |
#### Description
Le 10 janvier 2024, Ivanti a révélé deux vulnérabilités, CVE-2023-46805 et CVE-2024-21887, impactant Ivanti Connect Secure VPN («CS», anciennement Secure Secure) et Ivanti Policy Secure («PS»).Une exploitation réussie pourrait entraîner un contournement d'authentification et une injection de commandement, entraînant un autre compromis en aval d'un réseau de victimes.Mandiant a identifié l'exploitation zéro-jour de ces vulnérabilités à l'état sauvage dès décembre 2023 par un acteur présumé de menace d'espionnage, actuellement suivi de l'UNC5221.
Mandiant partage les détails de cinq familles de logiciels malveillants associés à l'exploitation des appareils CS et PS.Ces familles permettent aux acteurs de la menace de contourner l'authentification et de fournir un accès de porte dérobée à ces appareils.
#### URL de référence (s)
1. https://www.mandiant.com/resourceS / Blog / suspecté-APT-Targets-Ivanti-Zero-Day
#### Date de publication
17 janvier 2024
#### Auteurs)
Tyler McLellan
John Wolfram
Gabby Rconcone
Matt Lin
Robert Wallace
Dimiter Andonov
#### Description On January 10, 2024, Ivanti disclosed two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, impacting Ivanti Connect Secure VPN (“CS”, formerly Pulse Secure) and Ivanti Policy Secure (“PS”) appliances. Successful exploitation could result in authentication bypass and command injection, leading to further downstream compromise of a victim network. Mandiant has identified zero-day exploitation of these vulnerabilities in the wild beginning as early as December 2023 by a suspected espionage threat actor, currently being tracked as UNC5221. Mandiant is sharing details of five malware families associated with the exploitation of CS and PS devices. These families allow the threat actors to circumvent authentication and provide backdoor access to these devices. #### Reference URL(s) 1. https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day #### Publication Date January 17, 2024 #### Author(s) Tyler Mclellan John Wolfram Gabby Roncone Matt Lin Robert Wallace Dimiter Andonov |
Malware Vulnerability Threat | ★★★★ | |
|
2024-01-17 21:15:00 | Google Chrome Zero-Day Bug attaqué, permet l'injection de code Google Chrome Zero-Day Bug Under Attack, Allows Code Injection (lien direct) |
Le premier bogue chromé zéro de 2024 ajoute à une liste croissante de vulnérabilités activement exploitées trouvées dans le chrome et d'autres technologies de navigateur.
The first Chrome zero-day bug of 2024 adds to a growing list of actively exploited vulnerabilities found in Chromium and other browser technologies. |
Vulnerability Threat | ★★★ | |
|
2024-01-17 21:00:08 | Anneaux de voleur atomique dans la nouvelle année avec une version mise à jour Atomic Stealer Rings in the New Year with Updated Version (lien direct) |
#### Description
Les utilisateurs de Mac doivent être conscients d'une campagne de distribution active via des publicités malveillantes fournissant un voleur atomique.La dernière itération du malware a ajouté le chiffrement et l'obscurcissement de son code.Le malware a été distribué via des campagnes de malvertisation et des sites compromis.En janvier 2024, une campagne de malvertising a été identifiée à l'aide de publicités Google Search pour attirer les victimes via un site Web de leurre imitant Slack.Les acteurs de la menace tirent parti des modèles de suivi pour filtrer le trafic et l'ouvrir à travers quelques redirectes avant de charger la page de destination.Le fichier DMG malveillant contient des instructions pour les utilisateurs pour ouvrir le fichier ainsi qu'une fenêtre de boîte de dialogue leur demandant de saisir le mot de passe de leur système.Cela permettra au voleur atomique de collecter des mots de passe et d'autres fichiers sensibles qui sont généralement liés à l'accès.Les voleurs continuent d'être une menace supérieure pour les utilisateurs de Mac, et il est important de télécharger des logiciels à partir de sites de confiance.
#### URL de référence (s)
1. https://www.malwarebytes.com/blog/thereat-intelligence/2024/01/atomic-staleer-rings-in-the-new-year-with-updated-version
#### Date de publication
10 janvier 2024
#### Auteurs)
MalwareBytes Mende Intelligence Team
J & eacute; r & ocirc; moi segura
#### Description Mac users should be aware of an active distribution campaign via malicious ads delivering Atomic Stealer. The latest iteration of the malware added encryption and obfuscation of its code. he malware was distributed via malvertising campaigns and compromised sites. In January 2024, a malvertising campaign was identified using Google search ads to lure victims via a decoy website impersonating Slack. The threat actors are leveraging tracking templates to filter traffic and route it through a few redirects before loading the landing page. The malicious DMG file contains instructions for users to open the file as well as a dialog window asking them to enter their system password. This will allow Atomic Stealer to collect passwords and other sensitive files that are typically access-restricted. Stealers continue to be a top threat for Mac users, and it is important to download software from trusted locations. #### Reference URL(s) 1. https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-stealer-rings-in-the-new-year-with-updated-version #### Publication Date January 10, 2024 #### Author(s) Malwarebytes Threat Intelligence Team Jérôme Segura |
Malware Threat | ★★★ |
To see everything:
