What's new around the internet

Latest

Src Date (GMT) Title Description Tags Stories Notes
SANS.webp 2017-05-31 07:33:02 Analysis of Competing Hypotheses, WCry and Lazarus (ACH part 2), (Wed, May 31st) (direct link) Introduction In my previous diary, I did a very brief introduction on what the ACH method is [1], so that now all readers, also those who had never seen it before, can have a common basic understanding of it. One more thing I have not mentioned yet is how the scores are calculated. There are three different algorithms: an Inconsistency Counting algorithm, a Weighted Inconsistency Counting algorithm, and a Normalized algorithm [2]. The Weighted Inconsistency Counting algorithm, the one used in today's examples, builds on the Inconsistency algorithm, but also factors in weights of credibility and relevance values. For each item of evidence, a consistency entry of I [...] Today, I will apply ACH to a recent, quite well-known case: WCry attribution. There have been lots of analyses and speculations around it; lately several sources in the InfoSec community tied WCry strongly to Lazarus Group [3][4][5][6], while some others provided motivation for being skeptical about such attribution [7]. Therefore, it is a perfect case to show the use of ACH: several different hypotheses, facts, evidence and assumptions. Digital Shadows WCry ACH analysis About two weeks ago, Digital Shadows published a very well done post on ACH applied to WCry attribution [8]. Regarding possible attribution to Lazarus though, as stated in their post, "At the time of writing, however, we assessed there to be insufficient evidence to corroborate this claim of attribution to this group, and alternative hypotheses should be considered." Therefore, among the hypotheses considered, one specifically for Lazarus is missing, in place of a more generic nation state or state-affiliated actor.
The following are the four different hypotheses considered by Digital Shadows: A sophisticated financially-motivated cybercriminal actor - H1; An unsophisticated financially-motivated cybercriminal actor - H2; A nation state or state-affiliated actor conducting a disruptive operation - H3; A nation state or state-affiliated actor aiming to discredit the National Security Agency (NSA) [...] Given the final scores computed, they have assessed that "though by no means definitive, a WannaCry campaign launched by an unsophisticated cybercriminal actor was the most plausible scenario based on the information that is currently available." Just one note on my side: from my calculation it seems they have made a mistake, and the H2 score should be -2.121 rather than -1.414. This does not change the final result, but brings H2 and H3 way closer. My WCry ACH Analysis Although the Digital Shadows analysis was a very good one, I felt something was missing, both on the hypotheses as well as on the evidence side. Particularly, in my opinion, I would add three more hypotheses. When thinking about the NSA being the final target of this, other than "A nation state or state-affiliated actor aiming to discredit the NSA", I think that it should also be considered a (generic/unattributed) TA aiming at unveiling/exposing the extent of the possible NSA network of compromised machines (H5). This is something one would expect from a hacktivist maybe, although it seems to be way more sophisticated than what hacktivists have got us used to. One difference with H4 could be the lack of a supporting media narrative. While someone who wants to discredit the NSA would be ready with a supporting media narrative, if the goal was simply to unveil and show to everyone the potential extent of NSA-infected machines, the infection as it was would have been sufficient, given also the abundant media coverage it got.
Although this may still be seen as too close to H4 to be a different hypothesis, I still do see a case for it. Medical Wannacry APT 38
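The diary above describes the ACH scoring algorithms only in outline (Inconsistency Counting penalises every I/II cell; Weighted Inconsistency Counting scales each penalty by the credibility and relevance of the evidence) and notes that a single missed entry moves H2 from -1.414 to -2.121. The following Python is an added example written for this page; it is not the SANS diary's or Digital Shadows' code or matrix. The credibility/relevance level values and the geometric-mean weighting are assumptions chosen so that the weights come out as 0.707, 1.414 and 2, matching the figures quoted in the diary, and the matrix cells are constructed for the demonstration. The Normalized algorithm is not implemented because the diary does not define it.

```python
import math

# Credibility / relevance levels for each piece of evidence. The numeric values
# are an ASSUMPTION of this example (not taken from the ACH tool): they were
# chosen so that the geometric-mean weight reproduces the 0.707 / 1.414 style
# of figures quoted in the diary (-1.414 vs -2.121 for H2).
LEVEL = {"low": 0.5, "medium": 1.0, "high": 2.0}

# Matrix cell codes: CC/C consistent, N neutral or not applicable, I/II inconsistent.
# Only inconsistency is penalised; consistent cells never add to a score.
PENALTY = {"CC": 0, "C": 0, "N": 0, "I": 1, "II": 2}

HYPOTHESES = ["H1", "H2", "H3"]

# Constructed toy matrix, labelled as such: three evidence items against the
# first three Digital Shadows hypotheses. The cell values are invented for the
# demonstration and are NOT the diary's or Digital Shadows' assessments.
SAMPLE_MATRIX = [
    {"evidence": "E1", "credibility": "high", "relevance": "medium",
     "cells": {"H1": "C", "H2": "I", "H3": "C"}},
    {"evidence": "E2", "credibility": "medium", "relevance": "low",
     "cells": {"H1": "C", "H2": "I", "H3": "N"}},
    {"evidence": "E3", "credibility": "high", "relevance": "high",
     "cells": {"H1": "II", "H2": "C", "H3": "I"}},
]


def evidence_weight(credibility, relevance):
    """Assumed weighting: geometric mean of the credibility and relevance levels."""
    return math.sqrt(LEVEL[credibility] * LEVEL[relevance])


def inconsistency_scores(matrix, hypotheses=HYPOTHESES):
    """Inconsistency Counting: -1 per I and -2 per II, weights ignored."""
    scores = {h: 0.0 for h in hypotheses}
    for item in matrix:
        for h in hypotheses:
            scores[h] -= PENALTY[item["cells"][h]]
    return scores


def weighted_inconsistency_scores(matrix, hypotheses=HYPOTHESES):
    """Weighted Inconsistency Counting: each I/II penalty scaled by the evidence weight."""
    scores = {h: 0.0 for h in hypotheses}
    for item in matrix:
        w = evidence_weight(item["credibility"], item["relevance"])
        for h in hypotheses:
            scores[h] -= PENALTY[item["cells"][h]] * w
    return {h: round(s, 3) for h, s in scores.items()}


def rank(scores):
    """Least negative first: the hypothesis the evidence contradicts least survives."""
    return sorted(scores, key=scores.__getitem__, reverse=True)


if __name__ == "__main__":
    for name, fn in (("plain", inconsistency_scores), ("weighted", weighted_inconsistency_scores)):
        s = fn(SAMPLE_MATRIX)
        print(name, s, "->", rank(s))
```

On the constructed matrix the plain count leaves H1 and H2 tied at -2, while the weighted count separates them (-4.0 against -2.121): the two I cells against H2 carry weights 1.414 and 0.707, and dropping the second one gives exactly the -1.414 the diary says Digital Shadows reported. The point for a reader of the diary is that ACH scores measure how much evidence contradicts a hypothesis, never how much supports it, so an H2 that is merely "least contradicted" is not thereby confirmed.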
SecurityWeek.webp 2017-05-30 15:55:19 Latest WannaCry Theory: Currency Manipulation (direct link) The recent WannaCry outbreak is still a mystery. We know what (ransomware), and how (a Windows vulnerability on unsupported or unpatched systems); but we don't know who or why. We're not short of theories: Lazarus, North Korea, some other nation-state actor, Chinese or Russian actors -- but none of these has gained general acceptance. Wannacry APT 38
bleepingcomputer.webp 2017-05-30 14:00:19 New Evidence Cements Theory That North Korea is Behind Lazarus Group (direct link) A 53-page report released today by Group-IB, a Russian cyber-security vendor, contains new evidence that cements the theory that the North Korean government is behind the Lazarus Group, a cyber-espionage outfit. [...] Medical APT 38
The_Hackers_News.webp 2017-05-29 11:10:00 Linguistic Analysis Suggests WannaCry Hackers Could be From Southern China (direct link) It's been almost four weeks since the outcry of WannaCry ransomware, but the hackers behind the self-spreading ransomware threat have not been identified yet. However, two weeks ago researchers at Google, Kaspersky Lab, Intezer and Symantec linked WannaCry to 'Lazarus Group,' a state-sponsored hacking group believed to work for the North Korean government. Now, new research from dark web Medical Wannacry APT 38
SecurityWeek.webp 2017-05-24 11:37:10 How APT32 Hacked a Global Asian Firm With Persistence (direct link) In a cyber intrusion dubbed Operation Cobalt Kitty, the OceanLotus hacking group -- otherwise known as APT32 -- played cat-and-mouse with a security firm that was tracking its every move. APT 32
SecurityWeek.webp 2017-05-23 11:11:31 WannaCry 'Highly Likely' Work of North Korean-linked Hackers, Symantec Says (direct link) North Korea-linked Lazarus Hacking Group is "Highly Likely" to be Responsible for the Global "WannaCry" Ransomware Attack, Symantec Says Wannacry APT 38
itsecurityguru.webp 2017-05-23 10:35:15 WannaCry connection to North Korea hacking group 'compelling' (direct link) WannaCry, the ransomware that spread through the UK's National Health Service and companies around the world, shows "compelling evidence" of a link to North Korean hacking group Lazarus, according to a new report by Symantec. The cyber security company believes there is a "close connection" to Lazarus, the group behind the cyber attacks on Sony ... Wannacry APT 38 ★★
01net.webp 2017-05-23 08:30:40 WannaCry: new clues point to North Korea (direct link) An IT security company investigated the WannaCry attack. It detected several clues implicating the Lazarus hacker group, which is linked to North Korea. Wannacry APT 38
Symantec.webp 2017-05-22 22:19:59 WannaCry: Ransomware attacks show strong links to Lazarus group (direct link) Similarities in code and infrastructure indicate close connection to group that was linked to Sony Pictures and Bangladesh Bank attacks Wannacry APT 38
AlienVault.webp 2017-05-19 19:00:00 Diversity in Recent Mac Malware (direct link) In recent weeks, there have been some high-profile reports about Mac malware, most notably OSX/Dok and OSX.Proton.B. Dok malware made headlines due to its unique ability to intercept all web traffic, while Proton.B gained fame when attackers replaced legitimate versions of HandBrake with an infected version on the vendor's download site. Another lower profile piece of Mac malware making the rounds is Mac.Backdoor.Systemd.1. Figure 1: Systemd pretending to be corrupted and un-runnable. There have been no public reports as to who is behind these attacks and only little information about their targets. OSX/Dok is reported to have targeted European victims, while users of HandBrake were the victims of Proton.B. One corporate victim of Proton.B was Panic, Inc. which had its source code stolen and received a ransom demand from the attackers. Each of these malware variants is designed to take advantage of Macs, but analysis shows that they are actually drastically different from each other, showing just how diverse the Mac malware space has grown. Let's dive into some of the technical details (but not too technical ;) of each piece of malware to learn more about what they do and how they work.
OSX/Dok OSX.Proton.B Mac.BackDoor.System.1 Functionality HTTP(S) proxy Credential theft (potentially other RAT functionality) Backdoor/RAT Language Objective-C (with heavy use of shell commands) Objective-C (with heavy use of shell commands) C++ (with a handful of shell commands) Persistence Launch Agent Launch Agent Launch Agent Launch Daemon Startup Item Uses chflags to make files read-only Distribution Phishing emails Compromised software download (presumably) Phishing Anti-Analysis None Anti-debugger (PT_DENY_ATTACH) Closes Terminal and Wireshark Windows None Binary Obfuscation Newer variants are packed with UPX Password protected zip archive Encrypted configuration file Encrypted configuration file XOR encrypted strings in binary Detection Avoidance Signed App bundle Installs trusted root certificate Modifies sudo settings to prevent prompting Checks for security software Infected legitimate software Use of “hidden” dot files Uses chflags to hide files from UI Use of “hidden” dot files C2 MiTM proxy (no separate C2) HTTPS Custom 3DES Functionality Dok is very basic in its functionality – it reconfigures a system to proxy web traffic through a malicious h Wannacry APT 32
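The comparison above shows that all three families persist through launchd (Launch Agents, Launch Daemons, Startup Items) and hide on disk with dot-files or the BSD chflags hidden flag. As an added example that is not part of the AlienVault post, here is a small Python triage of launchd property lists that flags the traits the table lists: a program living in a hidden dot-path or a world-writable directory, an Apple-looking label installed outside /System, RunAtLoad combined with KeepAlive, and a plist carrying the hidden flag. The two embedded plists are constructed for the demonstration and are not samples from any of the three families; the directory list and the heuristics are this example's own choices.

```python
import os
import plistlib
import re
import stat

# Directories launchd reads; "~" expands to the user running the scan.
LAUNCH_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]
WORLD_WRITABLE = re.compile(r"^/(tmp|private/tmp|var/tmp|private/var/tmp|Users/Shared)/")

# Constructed sample: Apple-style label, program in a hidden dot-directory,
# started at login and relaunched if killed. Not a real sample from the post.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.Safari.proxy</string>
    <key>ProgramArguments</key>
    <array><string>/Users/alice/.local/.runner</string><string>-d</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign sample: vendor label, program inside its own app bundle.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def triage_launch_plist(data, plist_path="(unknown)"):
    """Return a list of findings for one LaunchAgent/LaunchDaemon plist (bytes)."""
    p = plistlib.loads(data)
    findings = []
    program = p.get("Program") or (p.get("ProgramArguments") or [None])[0]
    label = str(p.get("Label", ""))
    if not program:
        return ["no Program/ProgramArguments: nothing to run?"]
    # Apple's own jobs live under /System; a com.apple.* label elsewhere is mimicry.
    if label.startswith("com.apple.") and not plist_path.startswith("/System/"):
        findings.append("Apple-style label %r outside /System" % label)
    # Dot-directories/dot-files are the 'hidden' trick all three families use.
    if any(part.startswith(".") for part in program.split("/") if part):
        findings.append("program in hidden dot path: %s" % program)
    if WORLD_WRITABLE.match(program):
        findings.append("program in world-writable location: %s" % program)
    if p.get("RunAtLoad") and p.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: relaunched if killed")
    return findings


def is_chflags_hidden(path):
    """True if the file carries the BSD 'hidden' flag (chflags hidden); False off macOS/BSD."""
    try:
        flags = os.stat(path).st_flags  # st_flags only exists on BSD-derived systems
    except (AttributeError, OSError):
        return False
    return bool(flags & stat.UF_HIDDEN)


def scan_launch_dirs(dirs=LAUNCH_DIRS):
    """Walk the launchd directories and report every plist with at least one finding."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            path = os.path.join(d, name)
            if not name.endswith(".plist"):
                continue
            try:
                with open(path, "rb") as fh:
                    findings = triage_launch_plist(fh.read(), path)
            except Exception as exc:  # a plist launchd cannot parse is itself worth a look
                findings = ["unparseable plist: %s" % exc]
            if is_chflags_hidden(path):
                findings.append("plist has chflags hidden set")
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in scan_launch_dirs().items():
        print(path, "->", "; ".join(findings))
```

The heuristics are deliberately coarse: a signed bundle with a valid Apple label under /System will pass, and a legitimate tool that installs into ~/.config will trip the dot-path rule, so the output is a review queue rather than a verdict. `scan_launch_dirs` only does anything useful on macOS; the parsing and scoring in `triage_launch_plist` run anywhere, which is what makes them testable offline.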
Kaspersky.webp 2017-05-19 13:00:19 Threatpost News Wrap, May 19, 2017 (direct link) Mike Mimoso and Chris Brook discuss WannaCry, Microsoft's response, the killswitches, a potential link with Lazarus Group, and what the future holds for the ShadowBrokers. Medical Wannacry APT 38
Blog.webp 2017-05-18 02:12:30 APT Inc.: Research Finds Ties Between Chinese Security Firm and Advanced Threat Group (direct link) In-brief: The hacking group known as APT 3 appears to be a commercial outfit working on behalf of the Chinese Ministry of State Security (MSS), the firm Recorded Future reported on Wednesday. Wannacry APT 28 APT 3
Kaspersky.webp 2017-05-17 18:52:54 APT3 Linked to Chinese Ministry of State Security (direct link) Researchers claim that APT3, widely believed to be a China-based threat actor, is directly connected to the Chinese Ministry of State Security (MSS). APT 3
SecurityWeek.webp 2017-05-17 13:03:55 APT3 Hackers Linked to Chinese Ministry of State Security (direct link) Independent researchers and experts from threat intelligence firm Recorded Future are confident that the cyber espionage group tracked as APT3 is directly linked to the Chinese Ministry of State Security (MSS). APT 3
Pirate.webp 2017-05-17 08:33:49 Cyber espionage keeps proliferating: the APT32 threat to multinationals (direct link) Cyber espionage actors, designated by FireEye as APT32 (OceanLotus Group), are actively conducting intrusions into private companies across multiple industries, and have also targeted governments, dissidents and journalists. APT 32
bleepingcomputer.webp 2017-05-17 06:50:12 3 Security Firms Say WannaCry Ransomware Shares Code with North Korean Malware (direct link) While initially we thought this would be a silly and unsubstantiated discovery, the number of security firms claiming they've identified and confirmed connections between the WannaCry ransomware and malware used by the Lazarus Group has now gone up to three. [...] Medical Wannacry APT 38
BAE.webp 2017-05-17 03:33:55 WanaCrypt0r Ransomworm (direct link) Written by Sergei Shevchenko and Adrian Nish. BACKGROUND Since the release of the ETERNALBLUE exploit by 'The Shadow Brokers' last month, security researchers have been watching for a mass attack on global networks. This came on Friday 12th May when it was bundled with ransomware called WanaCrypt0r and let loose. Initial reports of attacks were highlighted by Telefonica in Spain, but the malware quickly spread to networks in the UK where the National Health Service (NHS) was impacted, followed by many other networks across the world. The infographic below illustrates the key components of the WanaCrypt0r ransomware. This is described in further detail in subsequent sections of this report along with initial clues on attribution. ANALYSIS: Initial Vector The initial infection vector is still unknown. Reports by some of phishing emails have been dismissed by other researchers as relevant only to a different (unrelated) ransomware campaign, called Jaff. There is also a working theory that initial compromise may have come from SMB shares exposed to the public internet. Results from Shodan show over 1.5 million devices with port 445 open; the attacker could have infected those shares directly. The Dropper/Worm The infection starts from a 3.6 MB executable file named mssecsvc.exe or lhdfrgui.exe. Depending on how it's executed, it can function as a dropper or as a worm. When run, the executable first checks if it can connect to the following URL: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com The connection is checked with the WinINet functions, shown below (decompiled excerpt, truncated in the original):
qmemcpy(&szUrl, "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com", 57u);
h1 = InternetOpenA(0, [...]
Guideline Medical Wannacry APT 38
Kaspersky.webp 2017-05-16 15:45:50 WannaCry Shares Code with Lazarus APT Samples (direct link) Experts have confirmed there are similarities between code used by the ransomware WannaCry and the Lazarus APT. Wannacry APT 38
itsecurityguru.webp 2017-05-16 10:39:48 WannaCry ransomware cyber-attack 'may have N Korea link' (direct link) You may not have heard of the Lazarus Group, but you may be aware of its work. The devastating hack on Sony Pictures in 2014, and another on a Bangladeshi bank in 2016, have both been attributed to the highly sophisticated group. It is widely believed that the Lazarus Group worked out of China, but on behalf ... Medical Wannacry APT 38
01net.webp 2017-05-16 08:01:19 North Korea may be behind the WannaCry attack (direct link) Technical clues point to the Lazarus hacker group, known for the cyber-sabotage of Sony Pictures and said to be linked to the Pyongyang regime. Wannacry APT 38 ★★★★★
Mandiant.webp 2017-05-14 17:00:00 Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations (direct link) Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests. APT32 and FireEye's Community Response In the course of investigations into intrusions at several corporations with business interests in Vietnam Threat APT 32 ★★★★
PaloAlto.webp 2017-04-27 20:00:32 OilRig Actors Provide a Glimpse into Development and Testing Efforts (direct link) Unit 42 researches the techniques used by attackers to avoid antivirus detection and successfully deliver OilRig campaign attacks. APT 34
DarkReading.webp 2017-04-27 14:10:00 Iranian Hackers Believed Behind Massive Attacks on Israeli Targets (direct link) OilRig aka Helix Kitten nation-state group leveraged Microsoft zero-day bug in targeted attacks. APT 34
DarkReading.webp 2017-04-05 14:15:00 Matching Wits with a North Korea-Linked Hacking Group (direct link) Skilled 'Bluenoroff' arm of infamous Lazarus hacking team behind Bangladesh Bank heist and Sony attacks actively resists investigators on its trail, Kaspersky Lab says. APT 38
DataSecurityBreach.webp 2017-04-04 22:20:41 In pursuit of "Lazarus" (direct link) In pursuit of "Lazarus": on the trail of the group that hunts large international banks. Kaspersky Lab... This article, In pursuit of "Lazarus", is published by Data Security Breach. APT 38
NetworkWorld.webp 2017-04-04 08:22:00 Kaspersky Lab reveals 'direct link' between banking heist hackers and North Korea (direct link) Kaspersky Lab found a "direct link" between the Lazarus group banking heist hackers and North Korea. While Lazarus is a notorious cyber-espionage and sabotage group, a subgroup of Lazarus, called Bluenoroff by Kaspersky researchers, focuses only on financial attacks with the goal of "invisible theft without leaving a trace." The group has four main types of targets: financial institutions, casinos, companies involved in the development of financial trade software and crypto-currency businesses. Medical APT 38
Kaspersky.webp 2017-04-03 22:53:52 Security Analyst Summit 2017 Day One Recap (direct link) Mike Mimoso and Chris Brook recap the first day of this year's Security Analyst Summit, including Mark Dowd's memory corruption bug keynote, the digital archeology around Moonlight Maze, ATM hacking, and the Lazarus APT. APT 38
Kaspersky.webp 2017-04-03 20:38:44 Lazarus APT Spinoff Linked to Banking Hacks (direct link) The Lazarus Group has splintered off a group whose mission is to attack banks and steal money in order to fund its operations. Medical APT 38
ZDNet.webp 2017-04-03 18:33:00 Hackers responsible for $80M bank heist show 'no signs of stopping' (direct link) Lazarus, linked to the famous Bangladeshi bank heist, is probing Southeast Asia and Europe in the hunt for fresh targets. APT 38
NetworkWorld.webp 2017-04-03 16:33:01 Banking hackers left a clue that may link them to North Korea (direct link) The notorious hackers behind a string of banking heists have left behind a clue that supports a long-suspected link to North Korea, according to security researchers. The so-called Lazarus Group has been eyed as a possible culprit behind the heists, which included last February's $81 million theft from Bangladesh's central bank through the SWIFT transaction software. However, hackers working for the group recently made a mistake: they failed to wipe the logs from a server the group had hacked in Europe, security firm Kaspersky Lab said on Monday. Medical APT 38
The_State_of_Security.webp 2017-03-31 03:00:53 Disttrack Malware Distribution Suggests Link between Shamoon 2 and Magic Hound (direct link) In November 2016, the security community first learned of a series of attacks known as "Shamoon 2." The campaign has launched three waves as of this writing. In the first wave, bad actors infected an organization in Saudi Arabia with Disttrack. This trojan used a wiper component to overwrite protected parts of a system, including [...] APT 35
Kaspersky.webp 2017-03-28 21:12:08 Microsoft Offers Analysis of Zero-Day Exploited By Zirconium Group (direct link) Microsoft patched a zero-day vulnerability actively used in a campaign by a hacking group known as Zirconium. APT 31
Kaspersky.webp 2017-03-27 20:51:22 New Clues Surface on Shamoon 2's Destructive Behavior (direct link) Researchers report new connections between Magic Hound and Shamoon 2, along with descriptions of how the Disttrack malware component of campaigns moves laterally within infected networks. Conference APT 35
bleepingcomputer.webp 2017-03-27 16:55:51 Microsoft Quietly Patched Windows Zero-Day Used in Attacks by Zirconium Group (direct link) Without making too much fuss about it, Microsoft patched a zero-day vulnerability used in live attacks by a cyber-espionage group named Zirconium. The zero-day, tracked as CVE-2017-0005, affects the Windows Win32k component in the Windows GDI (Graphics Device Interface), included in all Windows OS versions. [...] APT 31
Blog.webp 2017-03-24 13:21:06 I thought everyone knew this by now (direct link) But apparently not. I just saw some "Security Awareness Training" that gave the bad old advice of "look for the padlock" in your web browser. Here's my answer to that: [image] In a world where most of us face a constant threat from phishing we need to better educate folks, and we need to make it easier to be secure. And since the latter isn't that easy, we need to teach better. Also, "don't click stuff" really defeats the point of the web, so while I understand the sentiment, it is not practical advice. The padlock can mean a variety of things, but what it really signifies is that your web traffic is encrypted. It does not mean that all of the traffic on the page is encrypted, or that it is encrypted well. It also doesn't assure you that the traffic isn't being decrypted, inspected, and re-encrypted. Or maybe it isn't encrypted at all and someone just used a padlock as a favicon on the website (this varies somewhat by web browser). The padlock doesn't prove the identity of the site owner unless it is an EV (extended validation) certificate, and even then the validation is imperfect. When we just say "look for the padlock" we are giving people bad information and a false sense of security. It makes us less secure, so we need to kill this message. Even though it isn't entirely true, if we are going to oversimplify this I think we're better off telling folks that the padlock doesn't mean a damn thing anymore, if it ever did. While we're on the subject of browsers, you know the average computer user is just trying to do something, so the warnings they see are mentally translated to "just keep clicking until we let you go where you want". I did find a few things which made me think of typical browser warnings: [photo of a warning sign] This means it's OK to trespass up to this point, but no further? Is that like "this website is unsafe"?
No, because if you look around this sign you can see the end of the pier is missing; if you click past the browser warning you will not fall into the ocean. And this, you know what it means, but what does it say? [photo of a sign] That's right, it says don't P on the grass. Just because you know what something means does not mean you can assume others do; we need to do a better job of explaining things. Reminding folks of the invention of indoor plumbing when what you want is to keep cars off the grass sounds like a browser warning to me. APT 32
DarkReading.webp 2017-03-21 10:00:00 Report: 'OilRig' Attacks Expanding Across Industries, Geographies (direct link) The highly-effective malware targets Middle Eastern airlines, government, financial industries and critical infrastructures with a simple but powerful backdoor created by infected Excel files attached to phishing emails. APT 34
DarkReading.webp 2017-03-17 14:10:00 North Korea's 'Lazarus' Likely Behind New Wave of Cyberattacks (direct link) Symantec says it has digital evidence that hack group Lazarus is behind the recent sophisticated cyberattacks on 31 countries. APT 38
Kaspersky.webp 2017-03-06 19:27:49 Destructive StoneDrill Wiper Malware On The Loose (direct link) Kaspersky Lab released details about new wiper malware called StoneDrill that bears similarities to Shamoon2 and an APT outfit known as NewsBeef. Conference APT 35
BAE.webp 2017-03-06 12:13:22 Lazarus & Watering-hole attacks (direct link) On 3rd February 2017, researchers at badcyber.com released an article that detailed a series of attacks directed at Polish financial institutions. The article is brief, but states that "This is – by far – the most serious information security incident we have seen in Poland", followed by a claim that over 20 commercial banks had been confirmed as victims. This report provides an outline of the attacks based on what was shared in the article, and our own additional findings. ANALYSIS As stated in the blog, the attacks are suspected of originating from the website of the Polish Financial Supervision Authority (knf.gov[.]pl), shown below: From at least 2016-10-07 to late January the website code had been modified to cause visitors to download malicious JavaScript files from the following locations: hxxp://sap.misapor[.]ch/vishop/view.jsp?pagenum=1 and hxxps://www.eye-watch[.]in/design/fancybox/Pnf.action Both of these appear to be compromised domains, given they are also hosting legitimate content and have done so for some time. The malicious JavaScript leads to the download of malware to the victim's device. Some hashes of the backdoor have been provided in BadCyber's technical analysis: 85d316590edfb4212049c4490db08c4bc1364bbf63b3617b25b58209e4529d8c (SHA-256) and 1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae (MD5). The C&Cs given in the BadCyber analysis were the following IP addresses: 125.214.195.17 and 196.29.166.218 LAZARUS MALWARE Only one of the samples referenced by BadCyber is available in public malware repositories. At the moment we cannot verify that it originated from the watering-hole on the KNF website – but we have no reason to doubt this either. MD5 hash Filename File Info First seen Guideline Medical APT 38
BAE.webp 2017-03-06 12:13:03 Lazarus' False Flag Malware (direct link) Written by Sergei Shevchenko and Adrian Nish. BACKGROUND We continue to investigate the recent wave of attacks on banks using watering-holes on at least two financial regulator websites as well as others. Our initial analysis of malware disclosed in the BadCyber blog hinted at the involvement of the 'Lazarus' threat actor. Since the release of our report, more samples have come to light, most notably those described in the Polish-language niebezpiecznik.pl blog on 7 February 2017. MD5 hash / Filename / Compile Time / File Info / Submitted: 9216b29114fb6713ef228370cbfe4045 srservice.chm N/A N/A N/A; 8e32fccd70cec634d13795bcb1da85ff srservice.hlp N/A N/A N/A; e29fe3c181ac9ddb Guideline Medical APT 38
grahamcluley.webp 2017-02-23 14:30:47 Smashing Security #009: False flags and hacker clues (direct link) The Lazarus malware attempts to trick you into believing it was written by Russians, second-hand connected cars may be easier to steal, and is your child a malicious hacker? All this and more is discussed in the latest podcast by computer security veterans Graham Cluley, Vanja Svajcer and Carole Theriault. Oh, and Carole gets Graham and Vanja to apologise for mistakes of their past... APT 38
SecurityWeek.webp 2017-02-20 18:31:49 Russian Words Used as Decoy in Lazarus-Linked Bank Attacks (direct link) A group of hackers that has been targeting financial organizations around the world has unsuccessfully attempted to trick researchers into attributing their operation to Russian-speaking attackers. APT 38
InfosecIsland.webp 2017-02-17 11:01:37 DigitalOcean Launches Public Bug Bounty Program (direct link) Cloud computing platform DigitalOcean announced the public availability of its bug bounty program, after successfully running it in private mode. APT 32
SecurityWeek.webp 2017-02-16 12:27:22 Iranian Spies Target Saudi Arabia in "Magic Hound" Attacks (direct link) A cyber espionage operation linked to Iran and the recent Shamoon 2 attacks has targeted several organizations in the Middle East, particularly in Saudi Arabia. APT 35
PaloAlto.webp 2017-02-16 05:16:26 Magic Hound Campaign Attacks Saudi Targets (direct link) Unit 42 discovers a persistent attack campaign operating primarily in the Middle East dating back to at least mid-2016 which they have named Magic Hound. Conference APT 35
grahamcluley.webp 2017-02-13 20:39:54 Lazarus mob possibly behind malware attacks against Polish banks (direct link) A hacking gang known as the Lazarus Group might be responsible for malware attacks that have targeted Polish banks and other financial organizations. David Bisson reports. Medical APT 38
SecurityWeek.webp 2017-02-13 11:07:38 Malware Attacks on Polish Banks Linked to Lazarus Group (direct link) Poland Bank Attacks Part of Bigger Campaign Targeting Over 100 Organizations. The recently discovered attacks aimed at banks in Poland appear to be part of a bigger campaign targeting financial organizations around the world, and researchers have found some links to the threat actor known as Lazarus. APT 38
NetworkWorld.webp 2017-02-13 09:11:13 Recent malware attacks on Polish banks tied to wider hacking campaign (direct link) Malware attacks that recently put the Polish banking sector on alert were part of a larger campaign that targeted financial organizations from more than 30 countries. Researchers from Symantec and BAE Systems linked the malware used in the recently discovered Polish attack to similar attacks that have taken place since October in other countries. There are also similarities to tools previously used by a group of attackers known in the security industry as Lazarus. The hackers compromised websites that were of interest to their ultimate targets, a technique known as watering hole attacks. They then injected code into them that redirected visitors to a custom exploit kit. APT 38
SANS.webp 2017-02-08 19:32:39 Cloud Metadata Urls, (Wed, Feb 8th) (direct link) This is a guest diary contributed by Remco Verhoef. Interested in publishing a guest diary? Send us your idea via our contact form. Most cloud providers offer metadata using private URLs. Those URLs are used to retrieve metadata for the current configuration of the instance and for passing userdata. The configuration contains data like security groups, public IP addresses, private addresses, configured public keys and even rotating secret keys. The userdata can contain anything: initialization scripts, variables, passwords, etc. The metadata URLs vary per cloud provider; I've written a few down together with their metadata URL and a link to the documentation. Google http://169.254.169.254/computeMetadata/v1/ https://cloud.google.com/compute/docs/storing-retrieving-metadata Amazon http://169.254.169.254/latest/meta-data/hostname http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html OpenStack http://169.254.169.254/2009-04-04/meta-data/instance-id https://blogs.vmware.com/openstack/introducing-the-metadata-service/ DigitalOcean http://169.254.169.254/metadata/v1/hostname https://developers.digitalocean.com/documentation/metadata/ Azure http://169.254.169.254/metadata/v1/maintenance The configuration and userdata are used by scripts, automation tasks and applications, but the danger is that they can be abused to leak information about the current instance: information an attacker needs to elevate privileges or move laterally. This information can contain usernames, passwords, configuration, keys or scripts. When your application accepts remote URLs as data, like a proxy server, VPN server or a web application (think about WordPress plugins for embedding remote content, web screenshotting applications and many more), you need to be sure the metadata URL is not accessible.
If you install a default Squid proxy, for example, just executing this command: $ http_proxy=proxy:3128 curl http://169.254.169.254/latest/dynamic/instance-identity/document returns the metadata (here the instance identity document) of the server running the proxy: { "devpayProductCodes" : null, "privateIp" : "172.31.9.215", "availabilityZone" : "eu-west-1c", "version" : "2010-08-31", "region" : "eu-west-1", "instanceId" : "i-*****", "billingProducts" : null, "pendingTime" : "2017-02-03T20:21:11Z", "instanceType" : "m3.medium", "accountId" : "*****", "architecture" : "x86_64", "kernelId" : null, "ramdiskId" : null, "imageId" : "ami-e31bab90" } Either way, the metadata contains information you don't want to disclose. You'll be safe when the private IP has been blocked, but this is not always possible (in the case of the rotating secret keys, for example). Blocking the requests can be done using good old iptables: $ iptables -A OUTPUT -m owner ! APT 32
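The diary's fix is host-level (iptables on the instance); the application-level counterpart, for the proxies, screenshotters and embed plugins it mentions, is to refuse any user-supplied URL whose destination is not a public address. The Python below is an added example written for this page, not code from the diary or from any of the cloud providers it lists. It rejects the link-local metadata address in every spelling an attacker would try (plain, IPv4-mapped IPv6, a hostname or decimal form that resolves to it, a hostname with one public and one link-local record) and re-applies the check on every redirect hop, since a 302 from a public site to http://169.254.169.254/ is the usual bypass. The resolver and the HTTP client are injectable so the whole thing runs offline; `FAKE_REDIRECTING_FETCH` is a constructed stand-in for a real client, and the hostnames and addresses in it are made up for the demonstration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Every metadata service listed in the diary lives on 169.254.169.254, a
# link-local address. Rejecting all non-global destinations covers it, plus
# loopback, RFC 1918 and the IPv4-mapped IPv6 form of each.


class SsrfBlocked(Exception):
    """Raised when a fetch would reach a non-public address."""


def resolve_host(host):
    """Resolve a hostname to all of its A/AAAA addresses (real DNS lookup)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def is_blocked_ip(ip_text):
    """True if the address is not globally routable (metadata, loopback, RFC 1918, ...)."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:169.254.169.254 must be judged as the IPv4 address it wraps.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def is_safe_url(url, resolver=resolve_host):
    """True only for http(s) URLs whose every resolved address is public.

    A name that resolves to both a public and a link-local address is rejected:
    the attacker, not the application, decides which record gets used.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname  # urlsplit lowercases and strips IPv6 brackets
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP: no DNS needed
    except ValueError:
        try:
            # Decimal (2852039166) and short (169.254.1) forms are not literals to
            # ipaddress, but getaddrinfo accepts them, so they are judged here too.
            addresses = resolver(host)
        except (socket.gaierror, OSError):
            return False
    return bool(addresses) and not any(is_blocked_ip(a) for a in addresses)


def guarded_fetch(url, fetch, resolver=resolve_host, max_redirects=3):
    """Fetch with `fetch(url) -> (status, headers, body)`, re-checking each redirect.

    Checking only the first URL is the classic mistake: a public site answering
    302 Location: http://169.254.169.254/... would otherwise pull the metadata
    for the attacker. Header names in `headers` are assumed to be lowercase.
    """
    for _ in range(max_redirects + 1):
        if not is_safe_url(url, resolver):
            raise SsrfBlocked(url)
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            url = urljoin(url, headers["location"])
            continue
        return status, body
    raise SsrfBlocked("too many redirects from %s" % url)


# Constructed stand-in for an HTTP client: example.com redirects to the
# metadata endpoint, anything else answers 200. Made up for the demonstration.
def FAKE_REDIRECTING_FETCH(url):
    if url == "http://example.com/":
        return 302, {"location": "http://169.254.169.254/latest/meta-data/"}, b""
    return 200, {}, b"ok"


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/", "http://example.com/"):
        print(u, "safe" if is_safe_url(u, lambda h: ["93.184.216.34"]) else "blocked")
```

Two caveats a practitioner should keep in mind. First, resolving a name here and letting the HTTP library resolve it again when it connects is a time-of-check/time-of-use gap (DNS rebinding); the complete fix is to connect to the address that was checked and send the hostname only in the Host header or SNI, which is client-specific and not shown. Second, this guard is defence in depth next to the diary's iptables rule, not a replacement: the kernel rule still catches whatever reaches the metadata address through a path the application never validated.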
SecurityWeek.webp 2017-01-06 14:49:11 Iranian Group Delivers Malware via Fake Oxford University Sites (direct link) An Iran-linked advanced persistent threat (APT) group dubbed OilRig has used a fake Juniper Networks VPN portal and fake University of Oxford websites to deliver malware to victims. APT 34
Last update at: 2024-06-25 07:07:57