Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2018-06-04 06:35:01 |
North Korea-Linked Covellite APT group stopped targeting organizations in the U.S. (direct link) |
A North Korea-linked APT group, tracked by experts at industrial cybersecurity firm Dragos as Covellite, has stopped targeting US organizations. However, the group, which is believed to be linked to the notorious Lazarus APT group, continues to target organizations in Europe and East Asia. The group has been around at least since 2017 and is still active, […]
|
|
Covellite
APT 38
|
|
 |
2018-06-01 06:33:04 |
North Korea-linked Andariel APT Group exploited an ActiveX Zero-Day in recent attacks (direct link) |
A North Korea-linked APT group, tracked as Andariel Group, leveraged an ActiveX zero-day vulnerability in targeted attacks against South Korean entities. According to a report published by South Korean cyber-security firm AhnLab, the Andariel Group is a division of the dreaded Lazarus APT Group; it had already exploited ActiveX vulnerabilities in past attacks. The attackers exploited at […]
|
|
APT 38
|
|
 |
2018-05-31 10:11:03 |
North Korea-Linked Group Stops Targeting U.S. (direct link) |
A threat actor linked to North Korea's Lazarus Group has stopped targeting organizations in the United States, but remains active in Europe and East Asia.
|
Medical
|
APT 38
|
|
 |
2018-05-30 18:30:05 |
US-CERT issued an alert on two malware strains associated with North Korea-linked APT Hidden Cobra (direct link) |
The Department of Homeland Security (DHS) and the FBI issued a joint technical alert on two strains of malware, the Joanap backdoor Trojan and the Brambul Server Message Block worm, associated with the HIDDEN COBRA North Korea-linked APT group. The US-CERT alert reads: “Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators […]
|
Medical
|
APT 38
|
|
 |
2018-05-30 14:59:01 |
Hidden Cobra Strikes Again with Custom RAT, SMB Malware (direct link) |
The North Korean-sponsored actors are targeting sensitive and proprietary information, and the malware could disrupt regular operations and disable systems and files. |
|
APT 38
|
|
 |
2018-05-30 10:44:00 |
U.S. Attributes Two More Malware Families to North Korea (direct link) |
The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued another joint technical alert on the North Korea-linked threat group known as Hidden Cobra.
|
Medical
|
APT 38
|
|
 |
2018-05-30 07:42:05 |
FBI issues alert over two new malware families linked to Hidden Cobra hackers (direct link) |
The US-CERT has released a joint technical alert from the DHS and the FBI, warning about two newly identified malware families being used by the prolific North Korean APT hacking group known as Hidden Cobra.
Hidden Cobra, often known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and known to launch attacks against media organizations, aerospace,
 |
Medical
|
APT 38
|
|
 |
2018-05-03 13:48:02 |
Thailand seizes a server used by the North Korean Lazarus hackers (direct link) |
Hackers from the Lazarus group, reported to be North Korean, have reportedly lost one of their servers, seized by...
The article Thailand seizes a server used by the North Korean Lazarus hackers appeared first on Data Security Breach.
|
|
APT 38
|
|
 |
2018-04-30 12:25:04 |
Thailand seizes server linked to North Korean attack gang (direct link) |
A server hidden in a Thai university and allegedly used as part of a North Korean hacking operation has been seized by ThaiCERT. Thailand’s infosec organisation announced last Wednesday that the box was operated by the Norks-linked Hidden Cobra APT group, and was part of the command-and-control rig for a campaign called GhostSecret.
|
Medical
|
APT 38
|
★★
|
 |
2018-04-30 08:06:04 |
Op GhostSecret – ThaiCERT seized a server used by North Korea Hidden Cobra APT group in the Sony Pictures hack (direct link) |
The Thai authorities, with the support of the ThaiCERT and security firm McAfee, have seized a server used by the North Korean Hidden Cobra APT as part of the Op GhostSecret campaign. The Thai authorities with the support of the ThaiCERT have seized a server used by North Korean hackers in the attack against Sony Pictures. […]
|
Medical
|
APT 38
|
|
 |
2018-04-27 15:58:03 |
ThaiCERT Seizes Hidden Cobra Server Linked to GhostSecret, Sony Attacks (direct link) |
It's analyzing the server, operated by the North Korea-sponsored APT, which was used to control the global GhostSecret espionage campaign affecting 17 countries. |
|
APT 38
|
|
 |
2018-04-25 04:01:02 |
(Déjà vu) Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide (direct link) |
McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. In this post, …
|
Medical
|
APT 38
|
|
 |
2018-04-25 04:01:02 |
(Déjà vu) Global Malware Campaign Pilfers Data from Critical Infrastructure, Entertainment, Finance, Health Care, and Other Industries (direct link) |
McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. (For an extensive …
|
Medical
|
APT 38
|
|
 |
2018-04-05 09:22:01 |
North Korea-Linked Lazarus APT suspected of online casino assault (direct link) |
The North Korea-linked APT group known as Lazarus made the headlines again for attacking an online casino in Central America and other targets. The activity of the Lazarus Group (aka Hidden Cobra) surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated. […]
|
Medical
|
APT 38
|
|
 |
2018-04-04 17:40:00 |
North Korean Hackers Behind Online Casino Attack: Report (direct link) |
The infamous North Korean hacking group known as Lazarus is responsible for attacking an online casino in Central America, along with various other targets, ESET says.
The Lazarus Group has been active since at least 2009 and is said to be associated with a large number of major cyber-attacks, including the $81 million cyber heist from Bangladesh's account at the New York Federal Reserve Bank.
Said to be the most serious threat against banks, the group has shown increased interest in |
Medical
|
APT 38
|
|
 |
2018-04-03 13:00:03 |
Lazarus KillDisks Central American casino (direct link) |
The Lazarus Group gained notoriety especially after cyber-sabotage against Sony Pictures Entertainment in 2014. Fast forward to late 2017 and the group continues to deploy its malicious tools, including disk-wiping malware known as KillDisk, to attack a number of targets.
|
Medical
|
APT 38
|
|
 |
2018-03-29 22:25:24 |
WannaCry after one year (direct link) |
In the news, Boeing (an aircraft maker) has been "targeted by a WannaCry virus attack". Phrased this way, it's implausible. There are no new attacks targeting people with WannaCry. There is either no WannaCry, or it's simply a continuation of the attack from a year ago.
It's possible what happened is that an anti-virus product called a new virus "WannaCry". Virus families are often related, and sometimes a distant relative gets called the same thing. I know this watching the way various anti-virus products label my own software, which isn't a virus, but which virus writers often include with their own stuff. The Lazarus group, which is believed to be responsible for WannaCry, have whole virus families like this. Thus, just because an AV product claims you are infected with WannaCry doesn't mean it's the same thing that everyone else is calling WannaCry.
Famously, WannaCry was the first virus/ransomware/worm that used the NSA ETERNALBLUE exploit. Other viruses have since added the exploit, and of course, hackers use it when attacking systems. It may be that a network intrusion detection system detected ETERNALBLUE, which people then assumed was due to WannaCry. It may actually have been an nPetya infection instead (nPetya was the second major virus/worm/ransomware to use the exploit).
Or it could be the real WannaCry, but it's probably not a new "attack" that "targets" Boeing. Instead, it's likely a continuation from WannaCry's first appearance. WannaCry is a worm, which means it spreads automatically after it was launched, for years, without anybody in control. Infected machines still exist, unnoticed by their owners, attacking random machines on the Internet. If you plug an unpatched computer into the raw Internet, without the benefit of a firewall, it'll get infected within an hour.
However, the Boeing manufacturing systems that were infected were not on the Internet, so what happened?
The narrative from the news stories implies some nefarious hacker activity that "targeted" Boeing, but that's unlikely. We now have over 15 years of experience with network worms getting into strange places disconnected and even "air gapped" from the Internet. The most common reason is laptops. Somebody takes their laptop to some place like an airport WiFi network, and gets infected. They put their laptop to sleep, then wake it again when they reach their destination, and plug it into the manufacturing network. At this point, the virus spreads and infects everything. This is especially the case with maintenance/support engineers, who often have specialized software they use to control manufacturing machines, for which they have a reason to connect to the local network even if it doesn't have useful access to the Internet. A single engineer may act as a sort of Typhoid Mary, going from customer to customer, infecting each in turn whenever they open their laptop.
Another cause for infection is virtual machines. A common practice is to take "snapshots" of live machines and save them to backups. Should the virtual machine crash, instead of rebooting it, it's simply restored from the backed up running image. If that backup image is infected, then bringing it out of sleep will allow the worm to start spreading.
Jake Williams claims he's seen three other manufacturing networks infected with WannaCry. Why does manufacturing seem more susceptible? The reason appears to be the "killswitch" that stops WannaCry from running elsewhere. The killswitch uses a DNS lookup, stopping itself if it can resolve a certain domain. Manufacturing networks are largely disconnected from the Internet enough that such DNS lookups don't work, so the domain can't be found, so the killswitch doesn't work. Thus, manufacturing systems are no more likely to get infected, but the lack of killswitch means the virus will conti |
Medical
|
Wannacry
APT 38
|
|
 |
2018-03-16 13:00:00 |
Things I hearted this week 16th March 2018 (direct link) |
Last weekend, my daughter and I finally got around to watching Wonder Woman. We quite enjoyed it. There was a part in which Chris Pine’s character said, “My father told me once, he said, "If you see something wrong happening in the world, you can either do nothing, or you can do something". And I already tried nothing."
So, I turned to my daughter and asked, "When you're older will you say awesome quotes and attribute them to your dad so I'll appear all knowing and wise?"
She replied, "Yeah, I'll say 'my father told me if you see something wrong you can either do nothing, or send memes'".
Not sure if that means I’ve succeeded as a Dad or failed miserably. Hopefully she’ll come across one of these posts in the future and realise there was more to me than just memes.
Operation Bayonet
This article gives a fascinating insight into how law enforcement infiltrated and took down a drug market.
As reports of these kinds of operations become available, Hollywood should really be looking to these for inspiration. Far better plots than most fiction!
Operation Bayonet: Inside the sting that hijacked an entire dark web drug market | Wired
How many devices are misconfigured… or not configured?
I saw this blog that Anton Chuvakin posted over at Gartner stating that there’s a lot of security technology which is deployed yet misconfigured, not configured optimally, set to default, or deployed broken in other ways.
Broadly speaking, I agree, in the race to get things done, assurance often takes a back seat. But there’s no obvious answer. Testing takes time and expertise. Unless it’s automated. But even then someone needs to look at the results and get things fixed. DevSecOps maybe?
How Much of Your Security Gear Is Misconfigured or Not Configured? | Gartner
Hacking encrypted phones
Encrypted phone company Ciphr claims it was hacked by a rival company. A preview into how vicious digital rivals can get. And regardless of who is to blame, the fact remains that the real victims here are the users.
Customer Data From Encrypted Phone Company Ciphr Has Been Dumped Online | Motherboard
Hidden Cobra on Turkish Banks
Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity. The malicious domain falcancoin.io was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. This implant also contains functionality to wipe files and content from the targeted system to erase evidence or perform other destructive actions. Bankshot was first reported by the Department of Homeland Security on December 13, 2017, and has only recently resurfaced in newly compiled variants. The sample we analyzed is 99% similar to the documented Bankshot variants from 2017.
|
Medical
|
Equifax
APT 38
|
|
 |
2018-03-10 06:53:00 |
North Korean Hidden Cobra APT targets Turkish financial industry with new Bankshot malware (direct link) |
McAfee Advanced Threat Research team discovered that the Hidden Cobra APT group is targeting financial organizations in Turkey. North Korea-linked APT group Hidden Cobra (aka Lazarus Group) is targeting the Turkish financial system. Experts from McAfee observed the hackers using the Bankshot implant in targeted attacks against the financial organizations in Turkey. The attack resembles previous attacks conducted […]
|
Medical
|
APT 38
|
|
 |
2018-03-09 17:22:01 |
New North Korea-linked Cyberattacks Target Financial Institutions (direct link) |
New North Korean Hidden Cobra / Lazarus Campaign Targets Financial Institutions in Turkey
Hidden Cobra, also known as the Lazarus Group from North Korea, is now targeting the Turkish financial system with a new and 'aggressive' operation that resembles earlier attacks against the global SWIFT financial network.
|
Medical
|
APT 38
|
|
 |
2018-03-08 14:00:03 |
Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant (direct link) |
This post was prepared with contributions from Asheer Malhotra, Charles Crawford, and Jessica Saavedra-Morales. On February 28, the McAfee Advanced Threat Research team discovered that the cybercrime group Hidden Cobra continues to target cryptocurrency and financial organizations. In this analysis, we observed the return of Hidden Cobra's Bankshot malware implant surfacing in the Turkish financial …
|
Medical
|
APT 38
|
★★★
|
 |
2018-02-28 10:09:00 |
Cryptocurrency-Mining Malware: 2018's New Menace? (direct link) |
Will cryptocurrency-mining malware be the new ransomware? The popularity and increasing real-world significance of cryptocurrencies are also drawing cybercriminal attention - so much so that it appears to keep pace with ransomware's infamy in the threat landscape. In fact, cryptocurrency mining was the most detected network event in devices connected to home routers in 2017.
What started out in mid-2011 as an afterthought to main payloads such as worms and backdoors has evolved into such an effective way to profit that even cyberespionage and ransomware operators and organized hacking groups are joining the bandwagon.
Post from: Trendlabs Security Intelligence Blog - by Trend Micro
|
|
APT 38
|
|
 |
2018-02-15 14:00:00 |
North Korean Cyber-Attacks and Collateral Damage (direct link) |
WannaCry was incredibly destructive. The attackers made about $150,000 - but the total damage caused by WannaCry has been estimated in the billions of dollars.
There is strong evidence linking WannaCry to a group of hackers known as ‘Lazarus’, reportedly operating out of the DPRK (North Korea). Whilst WannaCry is perhaps the most famous attack by Lazarus, it isn’t the only ‘collateral damage’ caused by the DPRK’s cyber actions.
Below we disclose new details on three attacks that have spread out of control. Two likely originating from the DPRK - and one targeting the DPRK.
The Voice of Korea and the Rivts Virus
This section describes a piece of malware that may have been created within the DPRK as part of a test project - and accidentally leaked out onto the wider internet.
A simple file-infector
We triage many millions of malicious files automatically every day in an effort to ensure our customers are covered from new threats. One malware family we regularly see, called Rivts by antivirus vendors, was originally created in 2009 but still continues to spread.
Rivts is a file-infecting worm - it spreads across USB drives and hard drives attaching itself to files to spread further. The new files we see everyday are the result of new files being infected with the original worm from 2009 - not new developments by the attacker.
Overall, it’s a fairly boring file infector (or “virus”). But there was one very strange thing that caught our eye.
North Korean Software
As part of its initial infection process, Rivts checks for the presence of system files normally found on Windows XP to infect first. But it seems to expect two pieces of uncommon software in the Windows System folder:
Below are the details of these two files, nnr60.exe and hana80.exe:
Whilst the DPRK is well known for developing its own Linux based operating system, and there is evidence of some DPRK hackers using |
|
NotPetya
Wannacry
Yahoo
APT 38
|
|
 |
2018-02-13 18:45:01 |
Hidden Cobra, malware made in North Korea (direct link) |
The FBI and DHS have just published a document about Hidden Cobra, spyware that is reportedly the creation of hackers working for North Korea. The site Data Security Breach looks back at an alert issued by the Department of Homeland Security (DHS) and the Fede...
This article Hidden Cobra, malware made in North Korea appeared first on ZATAZ.
|
Medical
|
APT 38
|
|
 |
2018-02-13 18:27:03 |
North Korean operation dubbed HIDDEN COBRA (direct link) |
HIDDEN COBRA, a cyber attack signed by North Korean hackers according to the...
This article North Korean operation dubbed HIDDEN COBRA is published by Data Security Breach.
|
Medical
|
APT 38
|
|
 |
2018-01-30 13:40:00 |
OTX Trends Part 3 - Threat Actors (direct link) |
By Javvad Malik and Chris Doman
This is the third of a three part series on trends identified by AlienVault in 2017.
Part 1 focused on exploits and part 2 addressed malware. This part will discuss threat actors and patterns we have detected with OTX.
Which threat actors should I be most concerned about?
Which threat actors your organization should be most concerned about will vary greatly. A flower shop will have a very different threat profile from a defense contractor. Therefore, below we’ve limited ourselves to some very high level trends of particular threat actors, many of which may not be relevant to your organisation.
Which threat actors are most active?
The following graph describes the number of vendor reports for each threat actor over the past two years by quarter:
For clarity, we have limited the graph to the five threat actors reported on most in OTX. This is useful as a very rough indication of which actors are particularly busy.
Caveats
There are a number of caveats to consider here. One news-worthy event against a single target may be reported in multiple vendor reports. Whereas a campaign against thousands of targets may be only represented by one report.
Vendors are also more inclined to report on something that is “commercially interesting”. For example activity targeting banks in the United States is more likely to be reported than attacks targeting the Uyghur population in China. It’s also likely we missed some reports, particularly in the earlier days of OTX which may explain some of the increase in reports between 2016 and 2017.
The global targeted threat landscape
There are a number of suggested methods to classify the capability of different threat actors. Each have their problems however. For example – if a threat actor never deploys 0-day exploits do they lack the resources to develop them, or are they mature enough to avoid wasting resources unnecessarily?
Below we have plotted out a graph of the threat actors most reported on in the last two years. We have excluded threat actors whose motivation is thought to be criminal, as that wouldn’t be an apples to apples comparison.
Both the measure of their activity (the number of vendor reports) and the measure of their capability (a rough rule of thumb) are not scientific, but can provide some rough insights:
A rough chart of the activity and capability of notable threat actors in the last year
Perhaps most notable here is which threat actors are not listed. Some, such as APT1 and Equation Group, seem to have disappeared under their existing formation following very public reporting. It seems unlikely that groups which likely employ thousands of people have disappeared completely. The lack of such reporting is more likely a result of significantly changed tactics and identification following their outing. Others remain visibly active, but not enough to make our chart of “worst offenders”.
A review of the most reported on threat actors
The threat actor referenced i |
|
APT 38
APT 28
APT 10
APT 3
APT 1
APT 34
|
|
 |
2018-01-25 19:26:13 |
A look into the cyber arsenal used by Lazarus APT hackers in recent attacks against financial institutions (direct link) |
Security experts at Trend Micro have analyzed malware and a tool used by the Lazarus APT group in the recent attacks against financial institutions. Security experts at Trend Micro have analyzed the attacks conducted by the notorious Lazarus APT group against financial institutions. The activity of the Lazarus Group surged in 2014 and 2015, its […]
|
Medical
|
APT 38
|
|
 |
2018-01-25 15:01:52 |
North Korea-linked Lazarus Hackers Update Arsenal of Hacking Tools (direct link) |
Recent cyberattacks associated with the North Korea-linked Lazarus group have used an evolved backdoor, along with a Remote Controller tool, Trend Micro reports.
|
Medical
|
APT 38
|
|
 |
2018-01-24 13:56:18 |
Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More (direct link) |
We analyzed a new RATANKBA variant (BKDR_RATANKBA.ZAEL.A) that uses a PowerShell script instead of its more traditional PE executable form. In this entry, we provide in-depth analysis of the malware, as well as a detailed examination of its remote controller.
Post from: Trendlabs Security Intelligence Blog - by Trend Micro
|
|
APT 38
|
|
 |
2018-01-08 14:00:00 |
A North Korean Monero Cryptocurrency Miner (direct link) |
AlienVault labs recently analysed an application compiled on Christmas Eve 2017. It is an Installer for software to mine the Monero crypto-currency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea.
The Installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with crypto-currency mining malware. Based on the arguments it’s executed with, it’s likely a piece of software called xmrig.
It’s not unusual to see xmrig in malware campaigns. It was recently used in some wide campaigns exploiting unpatched IIS servers to mine Monero.
The Installer executes Xmrig with the following command:
"-o barjuok.ryongnamsan.edu.kp:5615 -u 4JUdGzvrMFDWrUUwY... -p KJU" + processorCount + " -k -t " + (processorCount - 1)
The installer passes xmrig the following arguments:
4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS is the address of the Monero wallet
barjuok.ryongnamsan.edu.kp is the mining server that would receive any mined currency. The ryongnamsan.edu.kp domain indicates this server is located at Kim Il Sung University.
The password, KJU, is a possible reference to Kim Jong-un
Why was this application created?
The hostname barjuok.ryongnamsan.edu.kp doesn’t currently resolve. That means the software can’t send mined currency to the authors - on most networks.
It may be that:
The application is designed to be run within another network, such as that of the university itself;
The address used to resolve but no longer does; or
The usage of a North Korean server is a prank to trick security researchers.
It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of |
|
Wannacry
Bithumb
APT 38
|
|
 |
2017-12-24 15:36:28 |
Financially motivated attacks reveal the interests of the Lazarus APT Group (direct link) |
Researchers at security firm Proofpoint collected evidence of the significant interest of the Lazarus APT group in cryptocurrencies; the group's arsenal of tools, implants, and exploits is extensive and under constant development. Researchers at security firm Proofpoint collected evidence of the significant interest of the Lazarus APT group in cryptocurrencies. The North Korea-Linked hackers launched several multistage attacks that […]
|
|
APT 38
|
|
 |
2017-12-22 09:12:21 |
Lazarus – Is North Korea after bitcoins? (direct link) |
Since it was established that the Lazarus cybercriminal group is closely linked to the Pyongyang regime, researchers have been trying to work out the goals of its attacks. Bitcoin seems to be among them, and the hackers' arsenal is reportedly up to the task. |
|
APT 38
|
|
 |
2017-12-22 07:41:43 |
North Korean hackers want to steal your bitcoins and your banking data (direct link) |
The Lazarus hacker group, reportedly an offshoot of the Pyongyang regime, has equipped itself with an arsenal for stealing bitcoin wallets from consumers' PCs and siphoning bank card data from payment terminals. |
|
APT 38
|
|
 |
2017-12-21 22:39:44 |
North Korean Hackers Targeting Individuals: Report (direct link) |
North Korean state-sponsored hacking group Lazarus has started targeting individuals and organizations directly, instead of focusing exclusively on spying on financial institutions, Proofpoint reports.
|
|
APT 38
|
|
 |
2017-12-20 12:18:46 |
WannaCry and North Korea: Who is Lazarus and what are its motivations? (direct link) |
While North Korea is accused of being directly responsible for the cyber attack that infected more than 300,000 computers worldwide last May, Proofpoint has just published the findings of its latest research, shedding light on the activities of the Lazarus group, the North Korean organization blamed for several major cyber attacks, including WannaCry. |
|
Wannacry
APT 38
|
|
 |
2017-12-20 05:18:48 |
Greedy North Korean Hackers Targeting Cryptocurrencies and Point-of-Sale Terminals (direct link) |
The North Korean hacking group has turned greedy.
Security researchers have uncovered a new widespread malware campaign targeting cryptocurrency users, believed to be originated from Lazarus Group, a state-sponsored hacking group linked to the North Korean government.
Active since 2009, Lazarus Group has been attributed to many high profile attacks, including Sony Pictures Hack, $81 million
 |
Medical
|
APT 38
|
|
 |
2017-12-15 21:04:37 |
Lazarus APT Group targets a London cryptocurrency company (direct link) |
Security experts from Secureworks revealed the Lazarus APT group launched a spearphishing campaign against a London cryptocurrency company. The dreaded Lazarus APT group is back and launched a spearphishing campaign against a London cryptocurrency company to steal employee credentials. The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks […]
|
Medical
|
APT 38
|
|
 |
2017-12-15 14:00:00 |
Things I Hearted This Week 15th December 2017 (direct link) |
Continuing the trend from last week, I’ll continue trying to put a positive spin on the week’s security news.
Why? I hear you ask. Well, I’ve been mulling over the whole optimist thing, and glass half full analogy and it does work wonders. Side note, a tweet about half full / empty glasses and infosec took on a life of its own a few days ago.
But I’m reminded of the ending monologue by Morgan Freeman in “The Shawshank Redemption”, in which he starts off by saying, “Get busy living or get busy dying.”
So the thought of the week is, “Get busy securing, or get busy insecuring.” Hmm, doesn’t quite have the same ring to it. Will have to think of a better word – but you catch my drift. Let’s jump into this week’s interesting security bits.
Mirai Mirai on the wall
I picture Brian Krebs as being a Liam Neeson type – he sees that his website is under attack by a never-before seen DDoS attack. He mutters to himself, “I don’t know who you are, but I will hunt you, I will find you, and I will blog about it until you get arrested, prosecuted, and thrown in jail.”
It so happens that this week the hackers behind the Mirai botnet and a series of DDoS attacks pled guilty.
The Hackers Behind Some of the Biggest DDoS Attacks in History Plead Guilty | Motherboard
Mirai IoT Botnet Co-Authors Plead Guilty | KrebsonSecurity
Botnet Creators Who Took Down the Internet Plead Guilty | Gizmodo
Bug Laundering Bounties
Apparently, HBO negotiated with hackers. Paying them $250,000 under the guise of a bug bounty as opposed to a ransom.
Maybe in time, it will be found that HBO acted above board, maybe it was a sting operation, maybe it was a misconstrued email.
The worrying fact is that any payment exchange system can be used to launder money. However, bug bounty providers don’t (as far as I can tell) have financial services obligations. Does the bug bounty industry need more regulation (shudder)?
Leaked email shows HBO negotiating with hackers | Calgary Herald
Remember the 'Game of Thrones' leak? An Iranian hacker was charged with stealing HBO scripts to raise bitcoin | USA Today
Uber used bug bounty program to launder blackmail payment to hacker | Ars Technica
Inside a low budget consumer hardware espionage implant
I’m not much of a hardware expert – actually, I’m not much of a hardware novice either. But this writeup by Mich is awesome. I didn’t even know there were so many ways to sniff, intercept and basically mess around with stuff at such small scale. It’s extremely detailed and I’ve permanently bookmarked it for future reference.
|
Guideline
Medical
Cloud
|
Uber
APT 38
APT 37
|
|
 |
2017-11-22 07:45:40 |
Lazarus APT uses an Android app to target Samsung users in South Korea (lien direct) |
The North Korea-linked group Lazarus APT has been using a new strain of Android malware to target smartphone users in South Korea. The hacking campaign was spotted by McAfee and Palo Alto Networks; both security firms attributed the attacks to the Hidden Cobra APT. The activity of the Lazarus APT Group surged in 2014 and 2015, its […]
|
Medical
|
APT 38
|
|
 |
2017-11-21 09:59:48 |
North Korean Hackers Target Android Users in South (lien direct) |
At least two cybersecurity firms have noticed that the notorious Lazarus threat group, which many experts have linked to North Korea, has been using a new piece of Android malware to target smartphone users in South Korea.
|
|
APT 38
|
|
 |
2017-11-20 13:40:00 |
North Korea's Lazarus Group Evolves Tactics, Goes Mobile (lien direct) |
The group believed to be behind the Sony breach and attacks on the SWIFT network pivots from targeted to mass attacks.
|
|
APT 38
|
|
 |
2017-11-20 12:00:03 |
Android Malware Appears Linked to Lazarus Cybercrime Group (lien direct) |
The McAfee Mobile Research team recently examined a new threat, Android malware that contains a backdoor file in the executable and linkable format (ELF). The ELF file is similar to several executables that have been reported to belong to the Lazarus cybercrime group. (For more on Lazarus, read this post from our Advanced Threat Research …
|
|
APT 38
|
★★★★★
|
 |
2017-11-15 17:21:07 |
US Government Warns of Hidden Cobra North Korea Cyber Threat (lien direct) |
A Department of Homeland Security (DHS) Alert released on Tuesday warns the public about a campaign of hacking by the government of North Korea it has code-named “Hidden Cobra.” DHS joined the FBI for a joint Technical Alert about the campaign and its use of a piece of malicious software dubbed FallChill, a remote access trojan (RAT).
|
Medical
|
APT 38
|
|
 |
2017-11-15 11:14:56 |
US Government issues alert about North Korean "Hidden Cobra" cyber attacks (lien direct) |
The FBI and US Department of Homeland Security have issued an alert that hackers have targeted the aerospace industry, financial services and critical infrastructure with a remote access trojan (RAT) to further exploit vulnerable networks.
|
Medical
|
APT 38
|
|
 |
2017-11-15 08:52:11 |
US DHS and FBI share reports on FALLCHILL and Volgmer malware used by North Korean Hidden Cobra APT (lien direct) |
US DHS published the details of the malware FALLCHILL and Volgmer used by the APT group Hidden Cobra that is linked to the North Korean government. The US Department of Homeland Security (DHS) published the details of the hacking tool FALLCHILL used by one of the APT groups linked to the North Korean government, tracked as Hidden Cobra (aka Lazarus Group). […]
|
Medical
|
APT 38
|
|
 |
2017-10-18 07:04:09 |
BAE Systems report links Taiwan heist to North Korean LAZARUS APT (lien direct) |
Researchers at BAE Systems investigated the recent cyber-heist that targeted a bank in Taiwan and linked the action to the notorious Lazarus APT group. The activity of the Lazarus APT Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated. […]
|
|
APT 38
|
|
 |
2017-10-17 07:50:25 |
North Korean Hackers Used Hermes Ransomware to Hide Recent Bank Heist (lien direct) |
Evidence suggests the infamous Lazarus Group, a hacking crew believed to be operating out of North Korea, is behind the recent hack on the Far Eastern International Bank (FEIB) in Taiwan. [...]
|
Medical
|
APT 38
|
|
 |
2017-10-16 22:32:36 |
Taiwan Heist: Lazarus Tools and Ransomware (lien direct) |
Written by Sergei Shevchenko, Hirman Muhammad bin Abu Bakar, and James Wong. BACKGROUND: Reports emerged just over a week ago of a new cyber-enabled bank heist in Asia. Attackers targeting Far Eastern International Bank (FEIB), a commercial firm in Taiwan, moved funds from its accounts to multiple overseas beneficiaries. In a story which reminds us of the Bangladesh Bank case – the culprits had compromised the bank's system connected to the SWIFT network and used this to perform the transfers. In recent days, various malware samples have been uploaded to malware repositories which appear to originate from the intrusion. These include both known Lazarus group tools, as well as a rare ransomware variant called 'Hermes' which may have been used as a distraction or cover-up for the security team whilst the heist was occurring. The timeline below provides an overview of the key events:
01 October 2017: Malware compiled containing admin credentials for the FEIB network.
03 October 2017: Transfers using MT103 messages were sent from FEIB to Cambodia, the US and Sri Lanka. Messages to cover the funds for the payments were incorrectly created and sent.
03 October 2017: Breach discovered and ransomware uploaded to online malware repository site.
04 October 2017: Individual in Sri Lanka cashes out a reported Rs30m (~$195,000).
06 October 2017 |
Medical
|
Wannacry
APT 38
|
|
 |
2017-08-16 16:55:51 |
North Korean Cyberspies Target US Defense Contractors Following Nuclear Threats (lien direct) |
The North Korean cyber-espionage group known as the Lazarus Group has been busy hacking US defense contractors, according to a report published on Monday by security research firm Palo Alto Networks. [...]
|
Medical
|
APT 38
|
|
 |
2017-08-14 14:51:02 |
North Korea-Linked Hackers Target U.S. Defense Contractors (lien direct) |
The North Korea-linked cyber espionage group known as Lazarus is believed to be behind attacks targeting individuals involved with United States defense contractors, Palo Alto Networks reported on Monday.
|
|
APT 38
|
|