What's new around the internet

Src Date (GMT) Title Description Tags Stories Notes
SecurityWeek.webp 2018-02-20 15:14:04 North Korean Hacking Group APT37 Expands Targets (direct link) A lesser known hacker group believed to be working on behalf of the North Korean government has been expanding the scope and sophistication of its campaigns, according to a report published on Tuesday by FireEye. APT 37
Mandiant.webp 2018-02-20 13:30:00 APT37 (Reaper): The Overlooked North Korean Actor (direct link) On Feb. 2, 2018, we published a blog detailing the use of an Adobe Flash zero-day vulnerability (CVE-2018-4878) by a suspected North Korean cyber espionage group that we now track as APT37 (Reaper). Our analysis of APT37's recent activity reveals that the group's operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware. We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state Malware Vulnerability APT 37 APT 37 ★★★★
AlienVault.webp 2018-02-15 14:00:00 North Korean Cyber-Attacks and Collateral Damage (direct link) WannaCry was incredibly destructive. The attackers made about $150,000 - but the total damage caused by WannaCry has been estimated in the billions of dollars. There is strong evidence linking WannaCry to a group of hackers known as ‘Lazarus’, reportedly operating out of the DPRK (North Korea). Whilst WannaCry is perhaps the most famous attack by Lazarus, it isn’t the only ‘collateral damage’ caused by the DPRK’s cyber actions. Below we disclose new details on three attacks that have spread out of control: two likely originating from the DPRK, and one targeting the DPRK. The Voice of Korea and the Rivts Virus This section describes a piece of malware that may have been created within the DPRK as part of a test project and accidentally leaked out onto the wider internet. A simple file-infector We triage many millions of malicious files automatically every day in an effort to ensure our customers are covered from new threats. One malware family we regularly see, called Rivts by antivirus vendors, was originally created in 2009 but still continues to spread. Rivts is a file-infecting worm: it spreads across USB drives and hard drives, attaching itself to files to spread further. The new files we see every day are the result of new files being infected with the original worm from 2009, not new developments by the attacker. Overall, it’s a fairly boring file infector (or “virus”). But there was one very strange thing that caught our eye. North Korean Software As part of its initial infection process, Rivts checks for the presence of system files normally found on Windows XP to infect first. But it seems to expect two pieces of uncommon software in the Windows System folder. Below are the details of these two files, nnr60.exe and hana80.exe: Whilst the DPRK is well known for developing its own Linux based operating system, and there is evidence of some DPRK hackers using NotPetya Wannacry Yahoo APT 38
zataz.webp 2018-02-13 18:45:01 Hidden Cobra, malware made in North Korea (direct link) The FBI and the DHS have just published a document on Hidden Cobra, spyware said to be the creation of hackers working for North Korea. The Data Security Breach site revisits an alert issued by the Department of Homeland Security (DHS) and the Fédé... This article Hidden Cobra, malware made in North Korea appeared first on ZATAZ. Medical APT 38
DataSecurityBreach.webp 2018-02-13 18:27:03 North Korean operation dubbed HIDDEN COBRA (direct link) HIDDEN COBRA, a cyber attack signed by North Korean hackers according to the... This article North Korean operation dubbed HIDDEN COBRA is published by Data Security Breach. Medical APT 38
SecurityAffairs.webp 2018-02-04 11:38:46 Security Affairs newsletter Round 148 – News of the week (direct link) A new round of the weekly SecurityAffairs newsletter arrived! The best news of the week with Security Affairs. Once again thank you! · Attackers behind Cloudflare_solutions Keylogger are back, 2000 WordPress sites already infected · Download URLs for two packages of the phpBB forum software were compromised · Iran-linked APT OilRig target IIS Web Servers […] APT 34
AlienVault.webp 2018-01-30 13:40:00 OTX Trends Part 3 - Threat Actors (direct link) By Javvad Malik and Chris Doman This is the third of a three part series on trends identified by AlienVault in 2017. Part 1 focused on exploits and part 2 addressed malware. This part will discuss threat actors and patterns we have detected with OTX. Which threat actors should I be most concerned about? Which threat actors your organization should be most concerned about will vary greatly. A flower shop will have a very different threat profile from a defense contractor. Therefore we’ve limited ourselves below to some very high level trends of particular threat actors, many of which may not be relevant to your organisation. Which threat actors are most active? The following graph describes the number of vendor reports for each threat actor over the past two years by quarter: For clarity, we have limited the graph to the five threat actors reported on most in OTX. This is useful as a very rough indication of which actors are particularly busy. Caveats There are a number of caveats to consider here. One news-worthy event against a single target may be reported in multiple vendor reports, whereas a campaign against thousands of targets may be represented by only one report. Vendors are also more inclined to report on something that is “commercially interesting”. For example, activity targeting banks in the United States is more likely to be reported than attacks targeting the Uyghur population in China. It’s also likely we missed some reports, particularly in the earlier days of OTX, which may explain some of the increase in reports between 2016 and 2017. The global targeted threat landscape There are a number of suggested methods to classify the capability of different threat actors. Each has its problems, however. For example, if a threat actor never deploys 0-day exploits, do they lack the resources to develop them, or are they mature enough to avoid wasting resources unnecessarily? Below we have plotted a graph of the threat actors most reported on in the last two years. We have excluded threat actors whose motivation is thought to be criminal, as that wouldn’t be an apples to apples comparison. Both the measure of their activity (the number of vendor reports) and the measure of their capability (a rough rule of thumb) are not scientific, but can provide some rough insights: A rough chart of the activity and capability of notable threat actors in the last year Perhaps most notable here is which threat actors are not listed. Some, such as APT1 and Equation Group, seem to have disappeared under their existing formation following very public reporting. It seems unlikely that groups which likely employ thousands of people, such as those, have disappeared completely. The lack of such reporting is more likely a result of significantly changed tactics and identification following their outing. Others remain visibly active, but not enough to make our chart of “worst offenders”. A review of the most reported on threat actors The threat actor referenced i APT 38 APT 28 APT 10 APT 3 APT 1 APT 34
SecurityAffairs.webp 2018-01-28 10:51:00 Iran-linked APT OilRig target IIS Web Servers with new RGDoor Backdoor (direct link) The Iran-linked cyber-espionage group tracked as OilRig started using a backdoor dubbed RGDoor to target Internet Information Services (IIS) Web servers. The OilRig hacker group is an Iran-linked APT that has been around since at least 2015, when it targeted mainly organizations in the financial and […] APT 34
SecurityWeek.webp 2018-01-26 12:35:16 Iranian Hackers Target IIS Web Servers With New Backdoor (direct link) Iranian Cyber APT 34
SecurityAffairs.webp 2018-01-25 19:26:13 A look into the cyber arsenal used by Lazarus APT hackers in recent attacks against financial institutions (direct link) Security experts at Trend Micro have analyzed malware and a tool used by the Lazarus APT group in the recent attacks against financial institutions. Security experts at Trend Micro have analyzed the attacks conducted by the notorious Lazarus APT group against financial institutions. The activity of the Lazarus Group surged in 2014 and 2015, its […] Medical APT 38
SecurityWeek.webp 2018-01-25 15:01:52 North Korea-linked Lazarus Hackers Update Arsenal of Hacking Tools (direct link) Recent cyberattacks associated with the North Korea-linked Lazarus group have used an evolved backdoor, along with a Remote Controller tool, Trend Micro reports. Medical APT 38
Trend.webp 2018-01-24 13:56:18 Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More (direct link) We analyzed a new RATANKBA variant (BKDR_RATANKBA.ZAEL.A) that uses a PowerShell script instead of its more traditional PE executable form. In this entry, we provide in-depth analysis of the malware, as well as a detailed examination of its remote controller. Post from: Trendlabs Security Intelligence Blog - by Trend Micro Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More APT 38
AlienVault.webp 2018-01-23 14:00:00 OTX Trends Part 2: Malware (direct link) By Javvad Malik and Christopher Doman This is the second of a three part series on trends identified by AlienVault. Part 1 focused on the exploits tracked by OTX. This blog will talk about the malware, and Part 3 will discuss trends we’re seeing in threat actors. Which malware should I be most concerned about? Most security incidents that a security team will respond to involve malware. We took a look at three sources of malware telemetry to help prioritise popular malware families: malware families AlienVault customers detect the most; which malware domains are observed the most frequently by Cisco’s Umbrella DNS; and malware families with the highest number of individual samples. Which malware families do our customers detect the most? The following table describes the malware that we detected most frequently on our customers’ networks: This table represents malware detected by AlienVault as it communicates across a network, in 2017. This data is biased towards families that we have named network detections for. That means this table is a good representation of malware that is actively running on networks, though it’s important to also review other statistics on malware that has been blocked from running. The #1 ranked malware, njRat, is particularly popular in the Middle East. It’s a fairly simple .NET backdoor and YouTube is full of videos of how amateur users can deploy it. We often see it packed with a seemingly endless supply of custom packers to evade anti-virus. Whilst the vast bulk of njRat users are low-level criminals, it is also frequently used in targeted political attacks in the Middle East. A YouTube guide for using njRat The #2 ranked malware, NetWire, is primarily used by low-end criminals to steal banking details. Again, it is a freely available tool and has also been abused by targeted attackers. The top malware we saw for Linux was China ELF DDoS. We saw little malware for Mac, though the adware MacKeeper was popular. Which malware domains are observed the most frequently? We matched known malicious domains from AlienVault OTX against Umbrella DNS’s record of the most visited domains by their customers. From that we produced this table of the “most popular malicious domains”: The column APT33 Wannacry APT 33
AlienVault.webp 2018-01-16 14:00:00 OTX Trends Part 1 - Exploits (direct link) By Javvad Malik and Christopher Doman Introduction Every year, AlienVault records billions of anonymised security events from our customers. This telemetry can be aggregated to establish macro trends. And for many years, we have also been comprehensively recording other vendors' threat reports in our Open Threat Exchange (OTX) platform. We have combined these two data-sets to help provide a blueprint for how to prioritise the response to varied threats. You can find the scripts we used to get this data from our free APIs on GitHub. Executive Summary Some of the standout findings from our data covering 2017 are: The most effective exploits quickly proliferate between a number of criminal and nation state groups. Some remain popular for a number of years after their initial discovery. njRat malware variants were the most prevalent malware we saw persisting on networks. Of the ten most popular domains associated with malware, four were sinkholed by MalwareTech. Confirmation of others’ findings of the changing targeted threat landscape: there has been a significant increase in reports on attackers reportedly located in Russia and North Korea. There has also been a significant drop in reports of activity emanating from groups operating from China. OTX Trends: Exploits This is the first of a three part series on the trends we identified in 2017: Part 1 focuses on exploits; Part 2 will talk about the malware of concern and trends; Part 3 will discuss threat actors and patterns. Which exploits should I be most concerned about? There are many thousands of exploits that are assigned a CVE number every year, and many more that don’t get reported. If you’re responsible for an organisation’s security, it’s important to know: Which ones are the most important to patch quickly? Which ones are being actively exploited in the wild? What exploits are being reported in vendor reports? The following table shows exploits in order of the number of times they have been referenced in vendor reports on OTX: A CVE 2017-0199 sample used by criminals This table is from a fairly small data-set of approximately 80 vendor reports from 2017 – but it still provides a number of insights: Effective exploits proliferate quickly The #1 ranked exploit CVE-2017-0199 is extremely popular. It has been used by targeted attackers in locations as diverse as North Korea (FreeMilk), China (Winnti) and Iran (Oilrig). It has also been heavily abused by criminal gangs such as some of those deploying Dridex. APT 34
NextINpact.webp 2018-01-11 08:12:23 Leroy Merlin's Enki box: Bluetooth, EnOcean, LoRa, Wi-Fi, Zigbee and 433 MHz (direct link) The DIY retail chain has for several months already offered a mobile application of the same name (on Android and iOS) for controlling connected objects from several brands. The compa...Read more APT 32
AlienVault.webp 2018-01-08 14:00:00 A North Korean Monero Cryptocurrency Miner (direct link) AlienVault labs recently analysed an application compiled on Christmas Eve 2017. It is an installer for software to mine the Monero crypto-currency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea. The installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with crypto-currency mining malware. Based on the arguments it’s executed with, it’s likely a piece of software called xmrig. It’s not unusual to see xmrig in malware campaigns. It was recently used in some wide campaigns exploiting unpatched IIS servers to mine Monero. The installer executes xmrig with the following command: "-o barjuok.ryongnamsan.edu.kp:5615 -u 4JUdGzvrMFDWrUUwY... -p KJU" + processorCount + " -k -t " + (processorCount - 1) The installer passes xmrig the following arguments: 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS is the address of the Monero wallet; barjuok.ryongnamsan.edu.kp is the mining server that would receive any mined currency (the ryongnamsan.edu.kp domain indicates this server is located at Kim Il Sung University); the password, KJU, is a possible reference to Kim Jong-un. Why was this application created? The hostname barjuok.ryongnamsan.edu.kp doesn’t currently resolve. That means the software can’t send mined currency to the authors - on most networks. It may be that: the application is designed to be run within another network, such as that of the university itself; the address used to resolve but no longer does; or the usage of a North Korean server is a prank to trick security researchers. It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of Wannacry Bithumb APT 38
SecureMac.webp 2018-01-02 16:00:31 (Déjà vu) OceanLotus (direct link) Type: Trojan Horse Platform: Mac OS X Last updated: 12/02/17 12:04 am Threat Level: High Description OceanLotus is a trojan horse. OceanLotus Threat Removal MacScan can detect and remove OceanLotus Trojan Horse from your system, as well as provide protection against other security and privacy threats. A 30-day trial is available to scan your system for this threat. Download MacScan APT 32
SecurityAffairs.webp 2017-12-24 15:36:28 Financially motivated attacks reveal the interests of the Lazarus APT Group (direct link) Researchers at security firm Proofpoint collected evidence of the significant interest of the Lazarus APT group in cryptocurrencies; the group's arsenal of tools, implants, and exploits is extensive and under constant development. Researchers at security firm Proofpoint collected evidence of the significant interest of the Lazarus APT group in cryptocurrencies. The North Korea-linked hackers launched several multistage attacks that […] APT 38
Pirate.webp 2017-12-22 09:12:21 Lazarus – Is North Korea after bitcoins? (direct link) Since it was established that the Lazarus cybercriminal group is closely tied to the Pyongyang regime, researchers have been trying to work out the objectives of its attacks. Bitcoin seems to be one of them, and the hackers' arsenal is reportedly up to the task. APT 38
01net.webp 2017-12-22 07:41:43 North Korean hackers want to steal your bitcoins and your banking data (direct link) The Lazarus hacking group, said to be an offshoot of the Pyongyang regime, has acquired an arsenal for stealing bitcoin wallets from individuals' PCs and siphoning off bank card data from payment terminals. APT 38
SecurityWeek.webp 2017-12-21 22:39:44 North Korean Hackers Targeting Individuals: Report (direct link) North Korean state-sponsored hacking group Lazarus has started targeting individuals and organizations directly, instead of focusing exclusively on spying on financial institutions, Proofpoint reports. APT 38
Pirate.webp 2017-12-20 12:18:46 WannaCry and North Korea: Who is Lazarus and what are its motivations? (direct link) While North Korea is accused of being directly responsible for the cyber attack that infected more than 300,000 computers worldwide last May, Proofpoint has just published the findings of its latest research shedding light on the activities of the Lazarus group, the North Korean organization blamed for several major cyber attacks, including WannaCry. Wannacry APT 38
The_Hackers_News.webp 2017-12-20 05:18:48 Greedy North Korean Hackers Targeting Cryptocurrencies and Point-of-Sale Terminals (direct link) The North Korean hacking group has turned greedy. Security researchers have uncovered a new widespread malware campaign targeting cryptocurrency users, believed to originate from Lazarus Group, a state-sponsored hacking group linked to the North Korean government. Active since 2009, Lazarus Group has been attributed to many high profile attacks, including the Sony Pictures hack, $81 million Medical APT 38
SecurityAffairs.webp 2017-12-15 21:04:37 Lazarus APT Group targets a London cryptocurrency company (direct link) Security experts from Secureworks revealed the Lazarus APT group launched a spearphishing campaign against a London cryptocurrency company. The dreaded Lazarus APT group is back and launched a spearphishing campaign against a London cryptocurrency company to steal employee credentials. The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks […] Medical APT 38
AlienVault.webp 2017-12-15 14:00:00 Things I Hearted This Week 15th December 2017 (direct link) Continuing the trend from last week, I’ll continue trying to put a positive spin on the week’s security news. Why? I hear you ask. Well, I’ve been mulling over the whole optimist thing, and glass half full analogy and it does work wonders. Side note, a tweet about half full / empty glasses and infosec took on a life of its own a few days ago. But I’m reminded of the ending monologue by Morgan Freeman in “The Shawshank Redemption”, in which he starts off by saying, “Get busy living or get busy dying.” So the thought of the week is, “Get busy securing, or get busy insecuring.” Hmm, doesn’t quite have the same ring to it. Will have to think of a better word – but you catch my drift. Let’s jump into this week’s interesting security bits. Mirai Mirai on the wall I picture Brian Krebs as being a Liam Neeson type – he sees that his website is under attack by a never-before seen DDoS attack. He mutters to himself, “I don’t know who you are, but I will hunt you, I will find you, and I will blog about it until you get arrested, prosecuted, and thrown in jail.” It so happens that this week the hackers behind the Mirai botnet and a series of DDoS attacks pled guilty. The Hackers Behind Some of the Biggest DDoS Attacks in History Plead Guilty | Motherboard Mirai IoT Botnet Co-Authors Plead Guilty | KrebsonSecurity Botnet Creators Who Took Down the Internet Plead Guilty | Gizmodo Bug Laundering Bounties Apparently, HBO negotiated with hackers, paying them $250,000 under the guise of a bug bounty as opposed to a ransom. Maybe in time, it will be found that HBO acted above board, maybe it was a sting operation, maybe it was a misconstrued email. The worrying fact is that any payment exchange system can be used to launder money. However, bug bounty providers don’t (as far as I can tell) have financial services obligations. Does the bug bounty industry need more regulation (shudder)? Leaked email shows HBO negotiating with hackers | Calgary Herald Remember the 'Game of Thrones' leak? An Iranian hacker was charged with stealing HBO scripts to raise bitcoin | USA Today Uber used bug bounty program to launder blackmail payment to hacker | Ars Technica Inside a low budget consumer hardware espionage implant I’m not much of a hardware expert – actually, I’m not much of a hardware novice either. But this writeup by Mich is awesome. I didn’t even know there were so many ways to sniff, intercept and basically mess around with stuff at such small scale. It’s extremely detailed and I’ve permanently bookmarked it for future reference. Guideline Medical Cloud Uber APT 38 APT 37
SecurityWeek.webp 2017-12-13 17:37:49 Threat Modeling the Internet of Things: Modeling Reaper (direct link) What a timely way to end this series on Threat Modeling the Internet of Things (IoT). An advanced thingbot, nicknamed Reaper (or IoTroop), was recently discovered infecting hordes of IoT devices. Reaper ups the ante for IoT security. Cloud APT 37
SecurityAffairs.webp 2017-12-12 07:55:49 The OceanLotus MacOS Backdoor Transforms into HiddenLotus with a Slick UNICODE Trick (direct link) Experts at Malwarebytes warn that a new variant of the macOS OceanLotus backdoor is using an innovative technique to avoid detection. A few years ago the bad actors realized they could use UNICODE characters that looked like English characters to lead unsuspecting victims to malicious websites. Now, they have figured out how to use a […] Guideline APT 32
no_ico.webp 2017-12-07 17:30:56 Iranian Hacker Charged For HBO Breach Part Of Charming Kitten Group (direct link) The ISBuzz Post: This Post Iranian Hacker Charged For HBO Breach Part Of Charming Kitten Group Conference APT 35
Mandiant.webp 2017-12-07 17:00:00 New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit (direct link) Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber espionage threat group, whom we refer to as APT34, using a custom PowerShell backdoor to achieve its objectives. We believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at Vulnerability Threat APT 34 APT 34 ★★★★
SecurityAffairs.webp 2017-12-07 09:13:17 HBO hacker linked to the Iranian Charming Kitten APT group (direct link) A new report published by ClearSky linked a man accused by U.S. authorities of hacking into the systems of HBO to the Iranian cyber espionage group Charming Kitten. Experts from the security firm ClearSky have published a new detailed report on the activities of the Charming Kitten APT group, also known as Newscaster and NewsBeef. The Newscaster group made the headlines […] Conference APT 35
SecurityWeek.webp 2017-12-06 13:49:19 HBO Hacker Linked to Iranian Spy Group (direct link) A man accused by U.S. authorities of hacking into the systems of HBO and attempting to extort millions of dollars from the company has been linked by security researchers to an Iranian cyber espionage group tracked as Charming Kitten. Conference APT 35
bleepingcomputer.webp 2017-12-06 04:45:40 HBO Hacker Was Part of Iran's "Charming Kitten" Elite Cyber-Espionage Unit (direct link) Behzad Mesri, the Iranian national the US has accused of hacking HBO this year, is part of an elite Iranian cyber-espionage unit known in infosec circles as Charming Kitten, according to a report released yesterday by Israeli firm ClearSky Cybersecurity. [...] Conference APT 35
SecurityAffairs.webp 2017-11-28 06:22:11 (Déjà vu) US indicts Chinese hackers belonging to APT3 for espionage on Siemens and Moody's (direct link) US authorities have filed official charges against three Chinese hackers who are part of the elite cyber-espionage unit APT3. US authorities charged three China-based hackers for stealing sensitive information from US based companies, including Siemens AG, and accessing a high-profile email account at Moody's. The three Chinese citizens, Wu Yingzhuo, Dong Hao and Xia Lei, work for the Chinese cybersecurity company […] APT 3
SecurityAffairs.webp 2017-11-22 07:45:40 Lazarus APT uses an Android app to target Samsung users in South Korea (direct link) The North Korea linked group Lazarus APT has been using a new strain of Android malware to target smartphone users in South Korea. The hacking campaign was spotted by McAfee and Palo Alto Networks; both security firms attributed the attacks to the Hidden Cobra APT. The activity of the Lazarus APT Group surged in 2014 and 2015, its […] Medical APT 38
SecurityWeek.webp 2017-11-21 09:59:48 North Korean Hackers Target Android Users in South (direct link) At least two cybersecurity firms have noticed that the notorious Lazarus threat group, which many experts have linked to North Korea, has been using a new piece of Android malware to target smartphone users in South Korea. APT 38
DarkReading.webp 2017-11-20 13:40:00 North Korea's Lazarus Group Evolves Tactics, Goes Mobile (direct link) The group believed to be behind the Sony breach and attacks on the SWIFT network pivots from targeted to mass attacks. APT 38
mcafee.webp 2017-11-20 12:00:03 Android Malware Appears Linked to Lazarus Cybercrime Group (direct link) The McAfee Mobile Research team recently examined a new threat, Android malware that contains a backdoor file in the executable and linkable format (ELF). The ELF file is similar to several executables that have been reported to belong to the Lazarus cybercrime group. (For more on Lazarus, read this post from our Advanced Threat Research … APT 38 ★★★★★
Blog.webp 2017-11-19 20:44:20 North Korea's widening Net, pricing the Equifax Hack & Dark Markets in Turmoil (direct link) In this week’s podcast, after a string of reports about North Korea’s growing forays onto sensitive corporate networks, we speak with Adam Meyers of CrowdStrike about the widening net of North Korean offensive hacking and how the Hermit Kingdom is playing the part both of cyber criminal and nation-state actor. Also: we unpack the...Read the whole entry... Cloud Equifax APT 37
Fortinet.webp 2017-11-16 17:40:59 Reaper: The Next Evolution of IoT Botnets (direct link) By now, everyone should be aware of two things related to IoT devices. The first is that these devices are being deployed everywhere, with no sign of slowing down. The second is that many of these devices are notoriously insecure. APT 37
itsecurityguru.webp 2017-11-16 10:10:59 Should you fear the Reaper? (direct link) Move over Mirai, there's a new monstrous botnet in town. The newly-discovered botnet, dubbed “Reaper” or “IoTroop,” appears to be a more powerful strain of Internet of Things (IoT) attack malware than Mirai, the previous holder of the IoT botnet crown. And while Reaper has yet to launch an attack, security researchers warn ... Cloud APT 37 ★★
Blog.webp 2017-11-15 17:21:07 US Government Warns of Hidden Cobra North Korea Cyber Threat (direct link) A Department of Homeland Security (DHS) Alert released on Tuesday warns the public about a campaign of hacking by the government of North Korea it has code-named “Hidden Cobra.” DHS joined the FBI for a joint Technical Alert about the campaign and its use of a piece of malicious software dubbed FallChill, a remote access trojan (RAT)...Read the whole entry... Medical APT 38
grahamcluley.webp 2017-11-15 11:14:56 US Government issues alert about North Korean "Hidden Cobra" cyber attacks (direct link) The FBI and US Department of Homeland Security have issued an alert that hackers have targeted the aerospace industry, financial services and critical infrastructure with a remote access trojan (RAT) to further exploit vulnerable networks. Medical APT 38
SecurityAffairs.webp 2017-11-15 08:52:11 US DHS and FBI share reports on FALLCHILL and Volgmer malware used by North Korean Hidden Cobra APT (direct link) US DHS published the details of the malware FALLCHILL and Volgmer used by the APT group Hidden Cobra that is linked to the North Korean government. The US Department of Homeland Security (DHS) published the details of the hacking tool FALLCHILL used by one of the APT groups linked to the North Korean government, tracked as Hidden Cobra (aka Lazarus Group). […] Medical APT 38
itsecurityguru.webp 2017-11-09 10:36:35 Backdoored IP scanner tricks hackers (direct link) It was found that hackers who were looking to create their own version of the Reaper botnet downloaded an IP scanner, a PHP file that was made available as a free download after news about the Reaper botnet broke. View Full Story ORIGINAL SOURCE: BleepingComputer Cloud APT 37
DarkReading.webp 2017-11-09 09:07:00 OceanLotus APT Group Unfolds New Tactic in Cyber Espionage Campaign (direct link) The group has begun using compromised websites to profile and target entities of interest to the Vietnamese government, Volexity says. APT 32
bleepingcomputer.webp 2017-11-08 16:16:00 Hacker Wannabes Fooled by Backdoored IP Scanner (direct link) Wannabe hackers looking to create their very own Reaper botnet might have gotten more than they asked for when they downloaded an IP scanner over the past few weeks. [...] Cloud APT 37
SecurityAffairs.webp 2017-11-07 13:36:51 Vietnamese APT32 group is one of the most advanced APTs in the threat landscape (direct link) According to the incident response firm Volexity, the Vietnamese APT32 group is today one of the most advanced APTs in the threat landscape. According to the incident response firm Volexity, the cyber espionage campaigns associated with a group operating out of Vietnam and tracked as OceanLotus and APT32 have become increasingly sophisticated. Researchers at Volexity have been tracking the threat actor since […] APT 32
F-Secure.webp 2017-11-03 12:39:20 RickRolled by none other than IoTReaper (direct link) IoT_Reaper overview IoT_Reaper, or the Reaper for short, is a Linux bot targeting embedded devices like webcams and home router boxes. Reaper is somewhat loosely based on the Mirai source code, but instead of using a set of admin credentials, the Reaper tries to exploit device HTTP control interfaces. It uses a range of vulnerabilities […] Cloud APT 37
SecurityWeek.webp 2017-10-30 12:55:31 Researchers Downplay Size of Reaper IoT Botnet (direct link) The Mirai-like "Reaper" botnet that began infecting Internet of Things (IoT) devices in late September has only ensnared up to 20,000 bots so far, according to estimates from Arbor Networks. Cloud APT 37
ZDNet.webp 2017-10-30 12:33:00 Fear the Reaper? Experts reassess the botnet's size and firepower (direct link) Security researchers now say the botnet could be only as big as 28,000 infected devices, but warn that the figure could balloon in size at any given time. APT 37
Last update at: 2024-06-01 22:09:00