Last one
Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2024-12-17 14:12:35 |
Hackers Use Fake PoCs on GitHub to Steal WordPress Credentials, AWS Keys |
SUMMARY Datadog Security Labs' cybersecurity researchers have discovered a new, malicious year-long campaign from a threat actor identified… |
Threat
|
|
★★
|
 |
2024-12-17 13:00:15 |
What We Saw in Web Security in 2024 and What We Can Do About It |
>2024 was a defining year for web security, marked by some of the most sophisticated cyber threats we've seen. As businesses continued shifting to web-based work environments, relying on SaaS platforms, cloud-based applications, remote work and BYOD policies, attackers increased their focus on browsers, exploiting vulnerabilities faster than ever before. The rise of AI-powered attacks, Ransomware-as-a-Service (RaaS) and zero-day vulnerabilities focused on the web has made it clear that a new approach to browser security is needed. Traditional endpoint, SaaS or email security solutions alone are no longer enough. In response, advanced browser security solutions and […]
|
Vulnerability
Threat
Cloud
|
|
★★★
|
 |
2024-12-17 13:00:00 |
Dragos Industrial Ransomware Analysis: Q3 2024 |
>Information provided here is sourced from Dragos OT Cyber Threat Intelligence adversary hunters and analysts who conduct research on adversary...
The post Dragos Industrial Ransomware Analysis: Q3 2024 first appeared on Dragos. |
Ransomware
Threat
Industrial
|
|
★★
|
 |
2024-12-17 12:25:00 |
The Mask APT Resurfaces with Sophisticated Multi-Platform Malware Arsenal |
A little-known cyber espionage actor known as The Mask has been linked to a new set of attacks targeting an unnamed organization in Latin America twice in 2019 and 2022.
"The Mask APT is a legendary threat actor that has been performing highly sophisticated attacks since at least 2007," Kaspersky researchers Georgy Kucherin and Marc Rivero said in an analysis published last week. "Their targets |
Malware
Threat
|
|
★★
|
 |
2024-12-17 08:31:31 |
Hidden in Plain Sight: TA397's New Attack Chain Delivers Espionage RATs |
Key findings
Proofpoint observed advanced persistent threat (APT) TA397 targeting a Turkish defense sector organization with a lure about public infrastructure projects in Madagascar.
The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads.
TA397 was observed manually delivering WmRAT and MiyaRAT malware families in the final stages of this attack chain. Both malware families are designed to enable intelligence gathering and exfiltration.
Proofpoint assesses TA397 campaigns are almost certainly intelligence collection efforts in support of a South Asian government's interests.
Overview
On November 18, 2024, TA397 (also known by third-party researchers as Bitter) targeted a defense sector organization in Turkey with a spearphishing lure. The email included a compressed archive (RAR) file attachment containing a decoy PDF (~tmp.pdf) file detailing a World Bank public initiative in Madagascar for infrastructure development, a shortcut (LNK) file masquerading as a PDF (PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk), and an Alternate Data Stream (ADS) file that contained PowerShell code.
The lure contained the subject “PUBLIC INVESTMENTS PROJECTS 2025 _ MADAGASCAR” which closely matched the LNK file name masquerading as a PDF within the RAR archive: “PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk”. This subject line theme is very common for TA397, as the majority of the organizations they target are either in the public sector or receive public investments and is indicative of the targeted nature of their campaigns.
The usage of RAR archives is a staple tactic of TA397 payload delivery. Throughout the first half of 2024, Proofpoint has observed TA397 utilizing Microsoft Compiled Help Files (CHM) files within RAR archives as a means of creating scheduled tasks on target machines.
This blog post details TA397's usage of NTFS alternate data streams (ADS) in combination with PDF and LNK files to gain persistence, which facilitates the deployment of further malware. This research also looks at the continued usage of wmRAT by TA397, the recently discovered MiyaRAT, a contemporary addition to the threat actor's arsenal, and the associated infrastructure of TA397.
Infection chain
The spearphishing email originated from a compromised email account belonging to a government organization and contained a RAR archive with a variety of artifacts inside. Alongside the LNK file was a “~tmp.pdf” file and two NTFS alternate data streams (ADS), one titled “Participation” and the other a “Zone.Identifier”.
Illustration of the TA397 infection chain.
When opening the RAR file, the target would only see the LNK file, as the ADS streams are hidden from the user when using Windows' built-in RAR extraction utility or WinRAR. Further, the PDF had the attributes Hidden, System and Files ready for archiving (HSA) enabled, so the user is lured into believing that a PDF file is being opened because of the extension pdf.lnk; by default, Windows hides the real extension of a file. However, if the RAR is opened in 7-Zip, the user can view and extract the NTFS ADS streams on Windows systems (NTFS-formatted file system):
7-Zip view on 53a653aae9678075276bdb8ccf5eaff947f9121f73b8dcf24858c0447922d0b1.
ADS streams are a feature of the NTFS file system in Windows that allows users to attach data streams to a file. There are certain archive formats and software that allow ADS streams to be included into the archive container along with the file. The archive format used in this attack chain is RAR v5 which allows the storage of NTFS ADS streams.
The Zone.Identifier stream is an ADS introduced in older Windows versions as a security feature. It stores information about the origin of a file, such as the URL Security Zone (e.g., Zone 3 for the internet |
Malware
Tool
Threat
|
|
★★
|
 |
2024-12-17 08:30:20 |
Rubrik launches the Turbo Threat Hunting feature |
Rubrik launches the Turbo Threat Hunting feature
Turbo Threat Hunting can scan close to 75,000 backups in 60 seconds
to allow organizations to identify clean recovery points and reduce downtime after cyberattacks.
-
Products |
Threat
|
|
★★
|
 |
2024-12-17 03:59:36 |
London's CNI is Under Threat |
London is one of the smartest and most interconnected cities in the world. Digital infrastructure plays a role in almost every facet of society, streamlining public transport, improving healthcare provision, boosting sustainability, and more. However, this reliance on technology has left London's critical national infrastructure (CNI) perilously vulnerable to digital attacks. As geopolitical relationships deteriorate and nation-state threats to critical infrastructure increase, the UK can no longer ignore this problem. The Impact of Critical National Infrastructure Failures As a sprawling... |
Threat
Medical
|
|
★★
|
 |
2024-12-16 19:00:00 |
The Education Industry: Why Its Data Must Be Protected |
The sector must prioritize comprehensive data protection strategies to safeguard PII in an aggressive threat environment. |
Threat
|
|
★★
|
 |
2024-12-16 18:46:53 |
"Notice of Violation" by UAC-0099 |
#### Targeted Geolocations
- Ukraine
## Snapshot
The Government Computer Emergency Response Team of Ukraine (CERT-UA) has identified a series of cyberattacks by UAC-0099 targeting Ukrainian government organizations, including forestry, forensic institutions, and factories, during November-December 2024. CERT-UA attributes these attacks to espionage efforts, noting the attackers' evolving tactics and techniques.
## Description
UAC-0099 employs phishing emails containing double-archived LNK or HTA files to deliver malicious tools, sometimes exploiting the WinRAR vulnerability [CVE-2023-38831](https://sip.security.microsoft.com/intel-explorer/cves/CVE-2023-38831/). Once systems are compromised, the LONEPAGE program executes commands, with recent attacks showcasing a shift from a single VBS file to a dual-file method involving an encrypted 3DES file and a .NET program that decrypts and executes PowerShell code in memory.
To obscure and ensure the fault tolerance of their operations, the attackers rely on Cloudflare for infrastructure. CERT-UA emphasizes that insufficient organizational and technical cyber defenses in affected entities have facilitated these compromises, jeopardizing the confidentiality of state information resources.
## Microsoft Analysis and Additional OSINT Context
The cyber espionage group "UAC-0099" has been targeting Ukrainian organizations and individuals since at least mid-2022. [CERT-UA has previously observed](https://cert.gov.ua/article/4818341) the group targeting state organizations and media representatives in Ukraine with phishing campaigns leveraging malicious file types, including HTA, EXE, RAR, and LNK, to deploy malware such as LONEPAGE, THUMBCHOP, and CLOGFLAG. These tools facilitate credential theft, unauthorized remote access, and lateral movement within networks. [Deep Instinct reports](https://www.deepinstinct.com/blog/threat-actor-uac-0099-continues-to-target-ukraine) that UAC-0099's campaigns often involve phishing emails impersonating Ukrainian legal authorities, such as the Lviv city court, and distributing fabricated court summons to trick victims into executing malicious payloads. In recent attacks targeting Ukrainian employees working for companies outside Ukraine, [UAC-0099 exploited CVE-2023-38831](https://therecord.media/ukraine-remote-workers-targeted-espionage-winrar-vulnerability), a critical vulnerability in the Windows file archiver tool WinRAR, to deploy malware. The group's tactics, though seemingly simple, are effective due to sophisticated social engineering and exploitation methods. CERT-UA and Deep Instinct both emphasize the need for strict controls on running legitimate tools such as PowerShell, mshta.exe, and wscript.exe, which the group frequently abuses for malicious purposes.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Pilot and deploy [phishing-resistant authentication methods](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for users.
- Implement [Conditional Access authentication strength](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-strengths?ocid=magicti_ta_learndoc) to require phishing-resistant authentication for employees and external users for critical apps.
- [Specify trusted Microsoft 365 organizations](https://learn.microsoft.com/microsoftteams/trusted-organizations-external-meetings-chat?tabs=organization-settings&ocid=magicti_ta_learndoc#specify-trusted-microsoft-365-organizations) to define which external domains are allowed or blocked to chat and meet.
- Keep [Microsoft 365 auditing](https://learn.microsoft.com/purview/audit-solutions-overview?ocid=magicti_ta_learndoc) enabled so that audit records can be investigated if required.
- Understand and select the [best access settings for external collaboration](https://learn.microsoft.com/microsoftteams/communicate-with-user |
Malware
Tool
Vulnerability
Threat
Cloud
Technical
|
|
★★★
|
 |
2024-12-16 16:57:45 |
ESET Threat Report H2 2024: Key findings |
ESET Chief Security Evangelist Tony Anscombe looks at some of the report's standout findings and their implications for staying secure in 2025 |
Threat
|
|
★★
|
 |
2024-12-16 15:07:03 |
Create a Strong Security Culture: How to Turn Good Security Habits into Second Nature for Your Employees |
Last year, 74% of breaches involved human factors, like users behaving in risky ways or maliciously. No doubt, it's a challenge to address any type of insider threat, whether it stems from human error and oversight or from more sinister intentions. However, when you foster a strong security culture you can significantly reduce these incidents.
But creating a strong security culture isn't easy. For starters, the concept of security culture itself can often feel vague. And this is partly because there aren't any standardized metrics to measure it. Some organizations assess culture through phishing simulation click rates or reporting rates; others rely on training completion rates or the speed at which assignments are finished.
In this blog post, we'll explore what security culture truly means, why it's critical to your organization, and the key steps that you can take toward building a strong, sustainable culture at your own organization.
What is security culture?
Proofpoint defines security culture as the beliefs, values and attitudes that shape how employees behave when it comes to protecting their organizations from cyberattacks.
This concept was first outlined by MIT researchers Keman Huang and Keri Pearlson in 2019. Notably, an organization's security culture will be weak if its employees don't see the value in security best practices, or if they view cybersecurity negatively, for example as an obstacle to their productivity.
What's a good way to measure security culture?
Our goal is to make the concept of security culture more concrete. So, we've broken it down into three critical aspects:
Responsibility. In other words, employees feel like they should take a proactive role in preventing security incidents.
Importance. Employees believe that cyber threats are a material risk to the success of the organization. What's more, these threats could impact them personally.
Empowerment. Employees feel empowered to act because they have a working knowledge of cybersecurity and policy. If they make a wrong security decision, they trust that their organization will resolve any issue quickly.
The Proofpoint model of cybersecurity culture sits at the nexus of three key factors.
If an organization wants to gauge where their security culture stands, it can conduct a security culture survey. This can help with estimating the likelihood that employees will make security-aware decisions and take the appropriate actions.
At the end of the day, the goal is to drive positive behavior change. Employees should feel encouraged to help keep their organization safe by adopting security best practices.
Why is security culture important?
As highlighted in the Proofpoint 2024 State of the Phish report, 96% of working adults who took risky actions were aware that what they were doing was risky. This result challenges the traditional belief that people engage in risky behavior due to a lack of security knowledge. It also explains why training alone is not enough, and why building a strong security culture is so essential.
Security culture is about how people perceive, engage with and follow security practices and policies. It shapes their decisions, like how they handle sensitive data or respond to potential phishing emails. Ultimately, it's their decisions that impact an organization's overall security posture.
A strong security culture helps mitigate human risks by giving people the right tools as well as the right knowledge so that they know what's risky and can avoid those behaviors. It also motivates them to follow best security practices because they understand the value of security, the risks involved, and the consequences of non-compliance.
A robust security culture also fosters employee accountability. In our 2024 State of the Phish report, 60% of people either weren't sure or didn't believe that they were responsible for h |
Tool
Threat
|
|
★★
|
 |
2024-12-16 12:50:03 |
Weekly OSINT Highlights, 16 December 2024 |
## Snapshot
Last week's OSINT reporting highlighted a diverse range of cyber threats, emphasizing sophisticated malware, targeted attacks, and global threat actor activities. Credential theft and data exfiltration emerged as prominent attack types, as seen in campaigns like Bizfum Stealer and Meeten malware targeting cryptocurrency users. Phishing remained a key attack vector, deployed in operations like UAC-0185's MeshAgent campaign against Ukraine and APT-C-60's SpyGlace backdoor targeting Japan. Nation-state actors dominated the landscape, including North Korea's UNC4736 exploiting DeFi systems and China's espionage on critical industries, while hacktivists like Holy League targeted France amid geopolitical unrest. The attacks primarily focused on sensitive targets such as critical infrastructure, financial systems, and government entities, underscoring the rising risks to global cybersecurity.
## Description
1. [Bizfum Stealer:](https://sip.security.microsoft.com/intel-explorer/articles/b522b6ae) CYFIRMA researchers discovered "Bizfum Stealer," an advanced information-stealing malware designed to exfiltrate credentials, cookies, and sensitive files from infected systems. Targeting popular browsers and leveraging platforms like GoFile and Telegram, it employs sophisticated techniques for stealth, encryption, and evasion.
2. [IOCONTROL Malware:](https://sip.security.microsoft.com/intel-explorer/articles/5fa3e494) Team82 identified IOCONTROL, a modular malware linked to Iran's IRGC-CEC, targeting IoT and OT devices to disrupt fuel systems in the U.S. and Israel. The malware uses advanced techniques, including DNS-over-HTTPS and AES-256-CBC encryption, to evade detection while compromising critical infrastructure.
3. [Kimsuky's Million OK Campaign:](https://sip.security.microsoft.com/intel-explorer/articles/d1e1ee65) Hunt researchers uncovered infrastructure tied to North Korea's APT group Kimsuky, which employed domains mimicking South Korea's Naver platform to steal credentials. The campaign's infrastructure used distinctive HTTP responses, shared server configurations, and phishing techniques to target South Korean users.
4. [UNC4736 Cryptocurrency Heist](https://sip.security.microsoft.com/intel-explorer/articles/3a647a38): Mandiant attributed the $50 million cryptocurrency theft from Radiant Capital to North Korea's UNC4736. The attackers used malware to compromise trusted developers, executing unauthorized transactions that exploited DeFi multi-signature processes while bypassing robust security measures.
5. [PUMAKIT Malware Report](https://sip.security.microsoft.com/intel-explorer/articles/a16902ac): Elastic Security Labs detailed PUMAKIT, a modular Linux malware employing fileless execution, kernel rootkits, and syscall hooking for stealth and persistence. Its sophisticated architecture allows it to manipulate system behaviors, evade detection, and target older kernel versions with privilege escalation capabilities.
6. [Android Banking Trojan in India](https://sip.security.microsoft.com/intel-explorer/articles/5ff566b7): McAfee researchers uncovered a trojan targeting Indian Android users, masquerading as utility apps and stealing financial data via malicious APKs distributed on platforms like WhatsApp. The malware exfiltrates data using Supabase and employs stealth tactics, compromising over 400 devices and intercepting thousands of SMS messages.
7. [DarkGate Malware via Teams Call](https://sip.security.microsoft.com/intel-explorer/articles/5cac0381): Trend Micro identified an attack leveraging Microsoft Teams to distribute DarkGate malware through social engineering and remote desktop applications. The attacker used vishing to gain trust and access, deploying malware with persistence and evasion techniques before being intercepted.
8. [Socks5Systemz Botnet Resurgence](https://sip.security.microsoft.com/intel-explorer/articles/15cfbc2f): Bitsight TRACE uncovered the long-standing Socks5Systemz botnet, which peaked at 250,000 compr |
Ransomware
Malware
Tool
Vulnerability
Threat
Legislation
Mobile
Industrial
Prediction
Cloud
|
APT C 60
|
★★
|
 |
2024-12-16 11:51:29 |
Cyfirma report: UK faces intensifying cyber threats from state-backed Russian hackers amid geopolitical tensions |
New research from Cyfirma identified that the U.K. faces an escalating cyber threat landscape dominated by sophisticated Russian... |
Threat
|
|
★★★
|
 |
2024-12-16 10:22:25 |
Microsoft Teams Vishing Spreads DarkGate RAT |
A thwarted attack demonstrates that threat actors are using yet another delivery method for the malware, which has already been spread using phishing emails, malvertising, hijacking of instant messages, and SEO poisoning. |
Malware
Threat
|
|
★★
|
 |
2024-12-16 10:06:16 |
New Android NoviSpy spyware linked to Qualcomm zero-day bugs |
The Serbian government exploited Qualcomm zero-days to unlock and infect Android devices with a new spyware named 'NoviSpy,' used to spy on activists, journalists, and protestors. [...] |
Vulnerability
Threat
Mobile
|
|
★★
|
 |
2024-12-16 10:00:00 |
ESET Threat Report H2 2024 |
A view of the H2 2024 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts |
Threat
|
|
★★
|
 |
2024-12-16 07:36:47 |
16th December – Threat Intelligence Report |
>For the latest discoveries in cyber research for the week of 16th December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The Romanian National Cybersecurity Directorate (DNSC) has disclosed a ransomware attack conducted by Lynx ransomware gang on the country’s energy provider Electrica Group, which provides services to more than 3.8M people across […] |
Ransomware
Threat
|
|
★★
|
 |
2024-12-15 22:11:23 |
The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit |
Posted by Seth Jenkins, Google Project Zero
This blog post provides a technical analysis of exploit artifacts provided to us by Google's Threat Analysis Group (TAG) from Amnesty International. Amnesty's report on these exploits is available here. Thanks to both Amnesty International and Google's Threat Analysis Group for providing the artifacts and collaborating on the subsequent technical analysis!
Introduction
Earlier this year, Google's TAG received some kernel panic logs generated by an In-the-Wild (ITW) exploit. Those logs kicked off a bug hunt that led to the discovery of 6 vulnerabilities in one Qualcomm driver over the course of 2.5 months, including one issue that TAG reported as ITW. This blog post covers the details of the original artifacts, each of the bugs discovered, and the hypothesized ITW exploit strategy gleaned from the logs.
Artifacts
Usually when successfully reverse-engineering an ITW exploit, Project Zero/TAG have had access to the exploit sample itself, making determining what vulnerability was exploited primarily a matter of time and effort. However, in this particular case, we received several kernel panic logs but unfortunately not the exploit sample. This meant we could not directly reproduce crashes or reverse engineer what bug was being exploited.
Accurately determining what vulnerability an exploit uses working only off of crash logs and without the exploit itself can range in difficulty from highly plausible to impossible. I decided to give it a try and see what I could learn. Out of the 6 panics we received, 4 panics in particular contained potentially useful information:
Log 1:
[ 47.223480] adsprpc: fastrpc_init_process: untrusted app trying to attach to privileged DSP PD
[ 47.254494] adsprpc: mapping not found to unmap fd 0xffffffff, va |
Vulnerability
Threat
Mobile
Technical
|
|
★★★
|
 |
2024-12-15 15:15:00 |
Clop ransomware claims responsibility for Cleo data theft attacks |
The Clop ransomware gang has confirmed to BleepingComputer that they are behind the recent Cleo data-theft attacks, utilizing zero-day exploits to breach corporate networks and steal data. [...] |
Ransomware
Vulnerability
Threat
|
|
★★★
|
 |
2024-12-14 15:46:00 |
Thai Officials Targeted in Yokai Backdoor Campaign Using DLL Side-Loading Techniques |
Thai government officials have emerged as the target of a new campaign that leverages a technique called DLL side-loading to deliver a previously undocumented backdoor dubbed Yokai.
"The target of the threat actors were Thailand officials based on the nature of the lures," Nikhil Hegde, senior engineer for Netskope's Security Efficacy team, told The Hacker News. "The Yokai backdoor itself is not |
Threat
|
|
★★
|
 |
2024-12-14 10:17:27 |
390,000 WordPress accounts stolen from hackers in supply chain attack |
A threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials in a large-scale, year-long campaign targeting other threat actors using a trojanized WordPress credentials checker. [...] |
Threat
|
|
★★
|
 |
2024-12-14 01:30:00 |
390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits |
A now-removed GitHub repository that advertised a WordPress tool to publish posts to the online content management system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials.
The malicious activity is part of a broader attack campaign undertaken by a threat actor, dubbed MUT-1244 (where MUT refers to "mysterious unattributed threat") by Datadog Security Labs, that |
Tool
Threat
|
|
★★
|
 |
2024-12-13 23:31:38 |
(Déjà vu) “Million OK !!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure |
## Snapshot
Researchers observed new infrastructure tied to the North Korean threat group Kimsuky, featuring a distinctive "Million OK !!!!" HTTP response and malicious domains impersonating South Korea's Naver platform.
## Description
A security researcher on Twitter first observed a series of IP addresses delivering an unusual "Million OK !!!!" HTTP response in March 2024. Hunt researchers later identified additional infrastructure using the same response and linked it to the North Korean APT group Kimsuky (tracked by Microsoft as [Emerald Sleet](https://security.microsoft.com/intel-profiles/f1e214422dcaf4fb337dc703ee4ed596d8ae16f942f442b895752ad9f41dd58e)). The threat actors use domains that mimic Naver's login pages, employing Naver branding, including favicons.
In addition to these observations, the newly observed activity involves registration under top-level domains such as p-e[.]kr, o-r[.]kr, and n-e[.]kr, previously associated with Kimsuky's malicious operations. Hunt also found a webpage that shared the same ASN, Sectigo-issued TLS certificate, and a similar Apache server configuration. The server for this page responded with a simple 'Hello' message. Further analysis revealed connections to a registrant's email tied to domains used by the malware families KLogEXE and FPSpy, previously [reported by Unit42](https://security.microsoft.com/intel-explorer/articles/47182999). Hunt researchers note that Kimsuky has historically targeted South Korean platforms like Naver with phishing campaigns designed to steal user credentials.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times. For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled still succeeded due to users clicking “Yes” on the prompt on their phones even when they were not at their [devices](https://learn.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match?ocid=magicti_ta_learndoc). Refer to [this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for an example.
- Remind employees that enterprise or workplace credentials should not be stored in browsers or password vaults secured with personal credentials. Organizations can turn off password syncing in browser on managed devices using [Group Policy](https://learn.microsoft.com/deployedge/microsoft-edge-enterprise-sync#sync-group-policies?ocid=magicti_ta_learndoc).
- Educate end users about [preventing malware infections](https://learn.microsoft.com/en-us/defender-endpoint/malware/prevent-malware-infection).
- Activate conditional access policies. [Conditional access](https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview?ocid=magicti_ta_learndoc) policies are evaluated and enforced every time an attacker attempts to use a stolen session cookie. Organizations can p |
Ransomware
Malware
Tool
Threat
|
|
★★
|
 |
2024-12-13 21:56:35 |
Cleo MFT Zero-Day Exploits Are About to Escalate, Analysts Warn (lien direct) |
Defenders running the Cleo managed file transfer are urged to be on the lookout for the Cleopatra backdoor and other indicators of an ongoing ransomware campaign, as patching details remain foggy, and no CVE has been issued. |
Ransomware
Vulnerability
Threat
Patching
|
|
★★
|
 |
2024-12-13 20:57:31 |
Bizfum Stealer (lien direct) |
## Snapshot
Researchers at CYFIRMA discovered a new information stealer malware, dubbed "Bizfum Stealer," on GitHub.
## Description
This advanced malware is designed to collect browser credentials, cookies, saved passwords, Discord tokens, clipboard content, and sensitive files from infected systems. It operates stealthily by compressing and encrypting stolen data using RSA encryption before exfiltrating it to a remote GoFile server. The download link for the stolen data is then sent to an attacker-controlled Telegram bot.
Written primarily in C, the malware interacts directly with Windows system components to perform file manipulation, credential harvesting, and detection evasion. Bizfum specifically targets popular browsers such as Chrome, Edge, Firefox, and Brave to extract sensitive information, while also capturing desktop screenshots and clipboard text. It stores collected files in temporary directories for later encryption and transmission. The malware abuses anonymous file-sharing platforms like GoFile to blend its exfiltration into ordinary traffic and conceal its communication with the attackers.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/office-365-security/defender-for-office-365?ocid=magicti_ta_learndoc) for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?ocid=magicti_ta_learndoc) and [delete sent mail](https://learn.microsoft.com/microsoft-365/security/office-365-security/zero-hour-auto-purge?ocid=magicti_ta_learndoc) in response to newly acquired threat intelligence. Turn on [safe attachments policies](https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-attachments-policies-configure?ocid=magicti_ta_learndoc) to check attachments to inbound email.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview?ocid=magicti_ta_learndoc), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy?ocid=magicti_ta_learndoc) from all devices, in all locations, at all times.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. [Refer to this article](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc) for the different authentication methods and features.
- For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled still succeeded due to users clicking “Yes” on the prompt on their phones even when they were not at their [devices](https://learn.microsoft.com/azure/active-directory/authentication |
Ransomware
Spam
Malware
Tool
Threat
|
|
★★★
|
 |
2024-12-13 18:00:57 |
Declawing PUMAKIT (lien direct) |
## Snapshot
Researchers at Elastic Security Labs released a report detailing PUMAKIT, an advanced malware featuring a multi-stage architecture to evade detection and maintain control over infected systems.
## Description
It begins with a dropper (cron) that initiates the malware execution chain, creating two executables that operate entirely in memory and leave no trace on disk. These executables work together to deploy a kernel-level rootkit (LKM) and a userland rootkit (SO), enabling the malware to manipulate system behaviors stealthily.
The rootkit component, known as "PUMA," employs ftrace to hook 18 system calls and kernel functions, allowing it to hide files, processes, and itself while facilitating privilege escalation and communication with command-and-control (C2) servers. Notably, it leverages unconventional methods, such as using the rmdir() syscall, for privileged operations and system interaction. Its functionality also includes anti-debugging measures and precise checks on system conditions, like secure boot status and kernel symbol availability, before activation.
PUMAKIT's fileless execution is achieved using the memfd_create syscall, allowing binaries to exist only in memory. It uses advanced techniques, such as the execveat() syscall, to execute payloads directly from memory, further complicating detection and forensic analysis. The loader mimics legitimate processes, such as sshd, to blend into the system and executes shell scripts only when predefined criteria are met.
The LKM rootkit uses the syscall table and the kallsyms_lookup_name() function (no longer exported since Linux 5.7) for symbol resolution, which restricts it to older Linux kernel versions. Its capabilities include privilege escalation, file and process hiding, and syscall manipulation to achieve stealth and persistence.
According to Elastic Security Labs, PUMAKIT demonstrates a sophisticated approach to malware design, employing a highly modular and conditional activation strategy to avoid detection.
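Two of the behaviours above leave footprints a host-level hunt can look for: a memfd_create()-backed executable shows up in /proc/<pid>/exe as "/memfd:<name> (deleted)", and a loader calling itself sshd will not be running from the sshd binary path. The following is an added example, not code from Elastic or from the original page. It evaluates a constructed /proc snapshot and a constructed tracefs enabled_functions listing (the tracefs file lists functions with an ftrace callback attached; the hooked symbol names on the watchlist are an assumption, as is the expected-path table). The `snapshot_live()` helper reads a real /proc on Linux; everything else runs offline.

```python
from __future__ import annotations
import os

# Daemons the loader is said to mimic, with where the real binary lives on a
# typical distribution (path list is an assumption for this example).
EXPECTED_EXE = {
    "sshd": ("/usr/sbin/sshd", "/usr/bin/sshd"),
    "cron": ("/usr/sbin/cron", "/usr/sbin/crond", "/usr/bin/crond"),
}

# Kernel symbols worth watching for ftrace hooks given the report (rmdir for
# privileged operations, directory listing for file hiding). Exact names are
# an assumption and depend on the kernel build and architecture.
HOOK_WATCHLIST = {"__x64_sys_rmdir", "__x64_sys_getdents64", "__x64_sys_kill"}


def memfd_backed(exe_target: str) -> bool:
    """memfd_create() executables resolve to '/memfd:<name> (deleted)'."""
    return exe_target.startswith("/memfd:")


def masquerading(comm: str, exe_target: str) -> bool:
    """Process name claims a known daemon but the image is not its binary."""
    expected = EXPECTED_EXE.get(comm)
    return expected is not None and exe_target not in expected


def find_suspicious(snapshot: list[tuple[int, str, str]]) -> dict[int, list[str]]:
    """snapshot: (pid, comm, readlink('/proc/<pid>/exe')) triples."""
    findings: dict[int, list[str]] = {}
    for pid, comm, exe in snapshot:
        reasons = []
        if memfd_backed(exe):
            reasons.append("memfd-backed executable")
        if masquerading(comm, exe):
            reasons.append(f"{comm} not running from expected path")
        if reasons:
            findings[pid] = reasons
    return findings


def hooked_functions(enabled_functions_text: str) -> set[str]:
    """First token of each tracefs enabled_functions line is the symbol name."""
    names = set()
    for line in enabled_functions_text.splitlines():
        line = line.strip()
        if line:
            names.add(line.split()[0])
    return names


def suspicious_hooks(enabled_functions_text: str) -> set[str]:
    return hooked_functions(enabled_functions_text) & HOOK_WATCHLIST


def snapshot_live() -> list[tuple[int, str, str]]:
    """Read a real /proc (Linux only, root recommended); unreadable pids are skipped."""
    out = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue
        out.append((int(entry), comm, exe))
    return out


# Constructed sample data standing in for a live system.
SAMPLE_SNAPSHOT = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (812, "sshd", "/usr/sbin/sshd"),
    (2291, "sshd", "/memfd:sshd (deleted)"),   # memory-only loader posing as sshd
    (2292, "cron", "/usr/sbin/cron"),
    (2410, "bash", "/usr/bin/bash"),
]
# Constructed tracefs listing; the trampoline addresses are placeholders.
SAMPLE_ENABLED_FUNCTIONS = """\
__x64_sys_rmdir (1) R I\ttramp: 0xffffffffc09a3000
__x64_sys_getdents64 (1) R I\ttramp: 0xffffffffc09a3100
schedule (1) R\ttramp: 0xffffffffc0100000
"""

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_SNAPSHOT))
    print(suspicious_hooks(SAMPLE_ENABLED_FUNCTIONS))
```

On a live box, feed `snapshot_live()` to `find_suspicious()` and the contents of /sys/kernel/tracing/enabled_functions (or the debugfs path on older kernels) to `suspicious_hooks()`. Both are leads rather than verdicts: some runtimes and sandboxes legitimately execute from memfd, and a rootkit that hides its own process or filters the tracefs read will not appear here, which is exactly why these checks are best run from a trusted image or over a memory capture as well.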
## Microsoft Analysis and Additional OSINT Context
Fileless malware, also called memory-based malware, presents a significant challenge for security teams due to its ability to evade traditional detection methods. Unlike conventional malware, fileless malware doesn't rely on files stored on a hard drive, making it difficult for signature-based antivirus, sandboxing, and machine learning-based analysis to detect.
This type of malware often operates within trusted, legitimate programs like PowerShell or Windows scripting tools, leveraging them to carry out malicious activities without leaving a trace on the disk. By exploiting the trust placed in these whitelisted applications, fileless malware can move laterally across networks, avoid suspicion, and remain undetected for extended periods. This stealthy behavior makes it particularly insidious and effective, allowing attackers to maintain persistence and execute their objectives while bypassing most security defenses.
Read [Now you see me: Exposing fileless malware](https://www.microsoft.com/en-us/security/blog/2018/01/24/now-you-see-me-exposing-fileless-malware/) and [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://www.microsoft.com/en-us/security/blog/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) on Microsoft\'s Security Blog to learn more about how Microsoft\'s security solutions can be used to combat threats from fileless malware.
## Recommendations
[Windows Defender AV](https://www.microsoft.com/en-us/windows/windows-defender?ocid=cx-blog-mmpc) blocks the vast majority of malware using generic, heuristic, and behavior-based detections, as well as local and cloud-based machine learning models. Windows Defender AV protects against fileless malware through these capabilities:
- Detecting script-based techniques by leveraging [AMSI](https://blogs.technet.microsoft.com/mmpc/2015 |
Malware
Tool
Threat
|
|
★★
|
 |
2024-12-13 17:14:00 |
Iran-Linked IOCONTROL Malware Targets SCADA and Linux-Based IoT Platforms (lien direct) |
Iran-affiliated threat actors have been linked to a new custom malware that's geared toward IoT and operational technology (OT) environments in Israel and the United States.
The malware has been codenamed IOCONTROL by OT cybersecurity company Claroty, highlighting its ability to attack IoT and supervisory control and data acquisition (SCADA) devices such as IP cameras, routers, programmable |
Malware
Threat
Industrial
|
|
★★★★
|
 |
2024-12-13 16:08:38 |
Radiant links $50 million crypto heist to North Korean hackers (lien direct) |
## Snapshot
Mandiant attributes the $50 million USD cryptocurrency heist from Radiant Capital, which occurred [in October 2024](https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081), to North Korean state-affiliated threat actor UNC4736.
## Description
Threat actors used sophisticated malware to target three trusted developers at Radiant, a decentralized finance (DeFi) platform. They compromised the developers\' devices to execute unauthorized transactions, exploiting the multi-signature process and stealing funds from Arbitrum and Binance Smart Chain markets. The initial infiltration began on September 11, 2024, when a Radiant developer was tricked into downloading a malicious ZIP file via a Telegram message that appeared to be from a former contractor. The contractor said they were pursuing a new career opportunity and asked for feedback on an alleged endeavor. The message included a ZIP file that contained a decoy PDF and a macOS malware payload named \'InletDrift,\' which established a backdoor on the infected device. Radiant Capital stated that requests to review PDFs are routine in professional settings, and that, post compromise, the devices showed only minor glitches and error messages during signing, typical for hardware wallets and Safe. Additionally, the domain sent with the ZIP file had spoofed the former contractor\'s actual website.
Despite Radiant's security measures, including transaction simulations and verification layers, the attack went undetected because it was designed to display benign transaction data on the interfaces while signing malicious transactions in the background. Mandiant, assisting in the ongoing investigation, assesses with high confidence that UNC4736 (tracked by Microsoft as [Citrine Sleet](https://security.microsoft.com/intel-profiles/740afa51582ebef367a7120efe99a535ba803f2169356580369a0fd680137145)) is behind the attack. Radiant is working with United States law enforcement and ZeroShadow to recover the stolen funds and is emphasizing the need for more robust device-level security solutions to prevent such sophisticated attacks in the future. [ZeroShadow](https://x.com/zeroshadow_io/status/1865839771798429699) also attributes this incident to the DPRK with high confidence.
## Microsoft Analysis and Additional OSINT Context
In a related observation, Microsoft first identified atokyonews[.]com in November 2023 and attributed the domain to Citrine Sleet. This threat actor primarily targets financial institutions and, using social engineering, conducts thorough reconnaissance of the cryptocurrency industry and associated individuals. Additionally, Citrine Sleet has previously used registered domain names for social engineering, malware hosting, and command-and-control (C2).
## Recommendations
[Radiant Capital provided the following preventative recommendations](https://medium.com/@RadiantCapital/radiant-post-mortem-fecd6cd38081):
- Implement a governance layer where, if one or more signers encounter issues or anomalies, the process is halted for further verification before proceeding.
- Utilize an uncompromised, independent device to verify transaction data before signing.
- Avoid using blind signing for critical transactions.
- Integrate a mechanism where recurring transaction errors or glitches automatically trigger a full audit of the transaction before additional signing attempts can be made.
- Manually review transaction payloads.
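The last two recommendations come down to one check: decode the bytes actually being signed on a device the attacker does not control, and compare them with what the front end claims. The following is an added example, not code from Radiant, Mandiant or the original page. It decodes EVM calldata for three standard selectors (ERC-20 `transfer` and `approve`, OpenZeppelin `transferOwnership`) and diffs the result against the operation shown in the UI; it handles only static arguments, so for a multisig flow you would run it over the `data` field of the proposed transaction. The addresses and amounts are constructed placeholders.

```python
from __future__ import annotations

# 4-byte selectors (first four bytes of keccak256 of the signature). These three
# are the standard ERC-20 / OpenZeppelin Ownable ones; extend per contract ABI.
KNOWN_SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "f2fde38b": ("transferOwnership", ("address",)),
}


def decode_calldata(calldata: str) -> tuple[str, list]:
    """Return (function name, decoded static args) for hex calldata."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    selector = data[:4].hex()
    if selector not in KNOWN_SELECTORS:
        # Unknown selector: refuse to guess, surface it for manual review.
        return f"unknown:0x{selector}", []
    name, types = KNOWN_SELECTORS[selector]
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError(f"{name}: expected {32 * len(types)} argument bytes, got {len(body)}")
    args = []
    for i, typ in enumerate(types):
        word = body[32 * i: 32 * (i + 1)]
        if typ == "address":
            if any(word[:12]):
                raise ValueError("address word has non-zero padding")
            args.append("0x" + word[12:].hex())
        else:  # uint256
            args.append(int.from_bytes(word, "big"))
    return name, args


def check_against_intent(calldata: str, intent: dict) -> list[str]:
    """Compare what will really be signed with what the signer was shown.

    intent: {"function": "transfer", "args": [recipient, amount]} as displayed
    by the (possibly compromised) front end; addresses compare case-insensitively.
    """
    name, args = decode_calldata(calldata)
    problems = []
    if name != intent["function"]:
        problems.append(f"function mismatch: payload calls {name}, UI showed {intent['function']}")
        return problems
    if len(args) != len(intent["args"]):
        problems.append(f"argument count mismatch: payload {len(args)}, UI showed {len(intent['args'])}")
        return problems
    for i, (got, want) in enumerate(zip(args, intent["args"])):
        if isinstance(got, str) and isinstance(want, str):
            same = got.lower() == want.lower()
        else:
            same = got == want
        if not same:
            problems.append(f"arg {i} mismatch: payload {got}, UI showed {want}")
    return problems


# Constructed samples; the addresses are placeholders, not real accounts.
RECIPIENT = "0x2222222222222222222222222222222222222222"
ATTACKER = "0x1111111111111111111111111111111111111111"
UI_INTENT = {"function": "transfer", "args": [RECIPIENT, 1_000_000_000]}

# What the UI claims: transfer(RECIPIENT, 1e9). This payload matches it.
HONEST_PAYLOAD = "0xa9059cbb" + "0" * 24 + RECIPIENT[2:] + f"{1_000_000_000:064x}"
# What a compromised signer host actually submits: transferOwnership(ATTACKER).
TAMPERED_PAYLOAD = "0xf2fde38b" + "0" * 24 + ATTACKER[2:]

if __name__ == "__main__":
    for label, payload in (("honest", HONEST_PAYLOAD), ("tampered", TAMPERED_PAYLOAD)):
        print(label, decode_calldata(payload), check_against_intent(payload, UI_INTENT))
```

The point of the check is where it runs: on the same host that renders the lying UI, the decoder can be lied to as well. Paste the raw hex onto a clean machine (or read it off a hardware wallet that shows full calldata), decode there, and halt the signing round on any mismatch, which is the governance step the post-mortem calls for.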
Microsoft recommends the following to reduce the risk of these threats.
- [Help prevent social engineering attacks](https://www.microsoft.com/en-us/security/security-insider/emerging-threats/feeding-from-the-trust-economy-social-engineering-fraud?ocid=magicti_ta_blog) by not blending personal accounts with work emails or work-related tasks. Avoid opening emails, attachments, and links, including links from social networks, from suspicious sources. Ask yourself if the sender is who they say they are before clicking anything. Lastly, don\'t overshare online. If t |
Malware
Tool
Threat
Legislation
|
|
★★★
|
 |
2024-12-13 15:00:00 |
New Yokai Side-loaded Backdoor Targets Thai Officials (lien direct) |
>Summary DLL side-loading is a popular technique used by threat actors to execute malicious payloads under the umbrella of a benign, usually legitimate, executable. This allows the threat actor to exploit whitelists in security products that exclude trusted executables from detection. Among others, this technique has been leveraged by APT41 to deploy DUSTTRAP and Daggerfly […]
|
Threat
|
APT 41
|
★★★
|
 |
2024-12-13 13:00:19 |
Unlocking the Power of In-Context Emulation in Malware Sandboxing (lien direct) |
>In the cyber security world, malware analysis is crucial for identifying and neutralizing threats. Attackers constantly evolve their methods, and defenders must stay ahead with advanced tools. One such tool is sandboxing, a controlled environment where suspicious files are executed and observed safely. At Check Point, our Threat Emulation blade\'s new feature “In-Context Emulation”, improves malware detection by replicating real-world environments, addressing some of the toughest detection challenges. What is In-Context Emulation? Traditional sandboxing runs files in isolation, which helps identify basic malicious behavior. However, modern malware often requires specific files, interactions, or system configurations to activate fully. This is […]
|
Malware
Tool
Threat
|
|
★★
|
 |
2024-12-13 12:29:31 |
Russian APT Gamaredon Deploys New Mobile Spyware Targeting Former Soviet States (lien direct) |
#### Targeted Geolocations
- Uzbekistan
- Kazakhstan
- Tajikistan
- Kyrgyzstan
## Snapshot
Researchers at Lookout Threat Lab have uncovered two Android surveillance tools, BoneSpy and PlainGnome, linked to the Russian APT group Gamaredon (tracked by Microsoft as Aqua Blizzard). These tools have been targeting Russian-speaking individuals in former Soviet states, with BoneSpy active since at least 2021 and PlainGnome emerging in 2024.
## Description
BoneSpy and PlainGnome both collect sensitive mobile data such as SMS, call logs, photos, device location, and contact lists from Android devices. BoneSpy is derived from the Russian open-source DroidWatcher, while PlainGnome, which does not share that code base, acts as a dropper for a surveillance payload. Of note, BoneSpy can be controlled via SMS messages.
The attribution to Gamaredon is based on shared IP addresses, domain naming conventions, and the use of dynamic DNS providers, which are consistent with the group\'s operations. These are the first mobile malware families to be publicly attributed to Gamaredon, according to Lookout Threat Lab.
The malware likely spreads through targeted social engineering, with BoneSpy evolving to use trojanized Telegram apps as lures, indicating possible enterprise targeting. PlainGnome\'s deployment involves a minimal first stage that drops a malicious APK, followed by a second stage that carries out surveillance activities.
The command and control infrastructure for both uses No-IP Dynamic DNS service and is linked to Russian ISP Global Internet Solutions LLC, owned by Yevgeniy Valentinovich Marinko, who has a history of involvement in hacker forums and stolen-credential trading.
## Microsoft Analysis and Additional OSINT Context
The actor that Microsoft tracks as [Aqua Blizzard](https://sip.security.microsoft.com/intel-profiles/9b01de37bf66d1760954a16dc2b52fed2a7bd4e093dfc8a4905e108e4843da80) (aka Gamaredon) is a nation-state activity group based out of Russia. The [Ukrainian government has publicly attributed](https://ssu.gov.ua/en/novyny/sbu-vstanovyla-khakeriv-fsb-yaki-zdiisnyly-ponad-5-tys-kiberatak-na-derzhavni-orhany-ukrainy) this group to the Russian Federal Security Service (FSB). Aqua Blizzard is known to primarily target organizations in Ukraine including government entities, military, non-governmental organizations, judiciary, law enforcement, and non-profit, as well as entities related to Ukrainian affairs. Aqua Blizzard focuses on espionage and exfiltration of sensitive information.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Only install apps from trusted sources and official stores, like the Google Play Store and Apple App Store.
- Never click on unknown links received through ads, SMS messages, emails, or similar untrusted sources.
- Use mobile solutions such as [Microsoft Defender for Endpoint](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide) on Android to detect malicious applications.
- Always keep the "Install unknown apps" setting disabled on the Android device to prevent apps from being installed from unknown sources.
- Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it. These are powerful permissions that are not commonly needed.
- If a device is no longer receiving updates, strongly consider replacing it with a new device.
## Detections/Hunting Queries
### Microsoft Defender Antivirus
*Microsoft Defender Antivirus detects the threat components as the following malware.*
- *[Trojan:AndroidOS/Multiverze](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:AndroidOS/Multiverze)*
## References
[Russian APT Gamaredon Deploys New Mobile Spyware Targeting Former Soviet States](https:// |
Malware
Tool
Threat
Legislation
Mobile
|
|
★★★
|
 |
2024-12-13 10:52:09 |
CSIS Threat Matrix Report highlights challenges and shifts in the cyber threat landscape (lien direct) |
CSIS Threat Matrix Report highlights challenges and shifts in the cyber threat landscape
A new report from CSIS Security Group reveals a significant rise in nation-state attacks, hacktivism and advanced cyber attacks, and offers actionable insights to help organisations strengthen their defences
CSIS reports over one billion compromised credentials circulating on the dark web every month
-
Special Reports |
Threat
|
|
★★★
|
 |
2024-12-13 06:01:37 |
Not Every Gift Comes from Santa Claus: Avoiding Cyber Scams This Holiday Season (lien direct) |
The holidays are a time for joy, connection, and giving, but amidst the festive cheer lies a growing cyber threat that's anything but jolly. As we fill our online shopping carts with gifts for loved ones, scammers are busy crafting their own presents: persuasive, GenAI-generated phishing emails and ads designed to steal your personal information, financial [...] |
Threat
|
|
★★★
|
 |
2024-12-12 22:03:04 |
Hacktivist Alliances Target France Amidst Political Crisis (lien direct) |
#### Targeted Geolocations
- France
## Snapshot
Cyble Research & Intelligence Labs (CRIL) observed that hacktivist groups have targeted France amidst political instability, using a coordinated cyber campaign. The "Holy League" alliance, comprised of ideologically diverse groups like pro-Russian NoName057(16), pro-Islamic Mr. Hamza, and pro-Palestinian Anonymous Guys, launched these attacks in response to France's support for Ukraine and Israel.
## Description
Between December 7 and December 10, 2024, the "Holy League" executed a series of cyberattacks, including DDoS operations, defacements, unauthorized access to ICS and CCTV systems, and data breaches targeting French governmental and industrial entities. NoName057(16) and the People\'s Cyber Army concentrated their efforts on the official websites of French cities and private organizations, including the major financial corporation AXA. Mr. Hamza targeted high-value governmental institutions like the Ministry of Foreign Affairs, while Anonymous Guys focused on several ministries. These attacks disrupted critical infrastructure and governmental operations, demonstrating the alliance\'s unified strategy.
The campaign leveraged France's political crisis, marked by a no-confidence vote against Prime Minister Michel Barnier and increasing pressure on President Macron. Pro-Russian and pro-Islamic actors worked together, breaching SCADA systems, defacing websites, and exfiltrating sensitive data. The Holy League has threatened to launch additional attacks against other countries, including Germany.
## Microsoft Analysis and Additional OSINT Context
Hacktivists and DDoS attacks have emerged as increasingly potent tools in geopolitical struggles, often used to disrupt services and amplify political messages. These attacks, frequently accompanied by influence operations, target governments and private entities alike to exert psychological pressure and provoke unrest. For instance, the Russian hacktivist group NoName057(16), alongside pro-Russian groups like the Cyber Army of Russia Reborn, [launched DDoS campaigns against South Korean government agencies](https://sip.security.microsoft.com/intel-explorer/articles/8eac574e) in November 2024. These operations retaliated against South Korea\'s political stance on weapon supplies to Ukraine. Similarly, Russian operators like [UNC5812](https://sip.security.microsoft.com/intel-explorer/articles/bfdf1409) and campaigns such as [Operation Undercut](https://sip.security.microsoft.com/intel-explorer/articles/ca4c0b91) extend these efforts into influence domains, using malware, AI-generated disinformation, and hybrid tactics to erode trust in institutions and exploit societal divisions.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of the threats of DDoS attacks.
- Avoid having a single virtual machine backend so that it is less likely to get overwhelmed. [Azure DDoS Protection](https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview?ocid=magicti_ta_learndoc "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview?ocid=magicti_ta_learndoc") covers scaled-out costs incurred for all resources during an attack, so configure autoscaling to absorb the initial burst of attack traffic while mitigation kicks in.
- Use [Azure Web Application Firewall](https://learn.microsoft.com/azure/web-application-firewall/overview?ocid=magicti_ta_learndoc "https://learn.microsoft.com/azure/web-application-firewall/overview?ocid=magicti_ta_learndoc") to protect web applications. When using Azure WAF: 1. Use the bot protection managed rule set for additional protections. See the article on [configuring bot protection](https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/bot-protection "https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/bot-protection"). 2. Create custom rules to block traffic from IP addresses and ranges that you identify as malicious; block, rate l |
Malware
Tool
Threat
Industrial
|
|
★★★
|
 |
2024-12-12 21:33:09 |
Lynx Ransomware Pouncing on Utilities (lien direct) |
#### Targeted Geolocations
- United States
#### Targeted Industries
- Energy
## Snapshot
A recent report from the Center for Internet Security (CIS) highlights the growing threat of ransomware attacks targeting utility organizations, with a particular focus on the activities of the Lynx ransomware group (tracked by Microsoft as [Storm-2113](https://security.microsoft.com/intel-profiles/7d8b27d096bfce159d3602d5221a20a8c2fddc95db7401efe10f486f57c1e5d2)).
## Description
Between 2022 and 2024, attacks on utilities surged due to their reliance on outdated hardware and software, making them attractive targets for groups like Lynx. The group claimed over 20 victims in the energy, oil, and gas sectors in the United States between July and November 2024.
Despite its claims to be an "ethical hacking group" that avoids impacting organizations in healthcare and government, Lynx employs double extortion tactics, encrypting victims' data and threatening to leak sensitive information unless additional ransoms are paid. The stolen data often includes trade secrets, financial records, and internal documents, causing severe reputational and operational damage.
The group's initial compromise methods include phishing attacks to harvest credentials, followed by disabling antivirus software, deleting shadow copies, and encrypting both local files and network shares. Victims are pressured through ransom notes directing them to a Lynx-operated .onion site and public blogs where the group leaks or threatens to leak stolen data.
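The "disable antivirus, delete shadow copies, then encrypt" sequence is the last window in which a detection is still cheap, and it is noisy on the command line. The following is an added example, not code from CIS, Microsoft or the original page: a small hunt over constructed process-creation records that tags the pre-encryption stages and reports hosts where more than one stage fired. The command-line patterns are an assumption drawn from common ransomware tradecraft rather than quoted from Lynx reporting, and the pipe-delimited log format is invented for the example.

```python
from __future__ import annotations
import re

# Patterns for the "disable antivirus, delete shadow copies" stage. The exact
# commands are an assumption drawn from common ransomware tradecraft, not
# quoted from the CIS or Microsoft reporting on Lynx; tune to your telemetry.
STAGE_PATTERNS = [
    ("av-disable", re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("vssadmin-delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic-shadowcopy-delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit-recovery-off", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b", re.I)),
]


def parse_line(line: str) -> dict:
    """Constructed pipe-delimited process-creation record (format is assumed)."""
    ts, host, user, parent, image, cmdline = line.rstrip("\n").split("|", 5)
    return {"ts": ts, "host": host, "user": user, "parent": parent,
            "image": image, "cmdline": cmdline}


def stage_tags(cmdline: str) -> list[str]:
    """Names of every stage pattern that matches the command line."""
    return [name for name, rx in STAGE_PATTERNS if rx.search(cmdline)]


def hunt(lines) -> list[dict]:
    """Return the records that match at least one stage, with their tags."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        tags = stage_tags(ev["cmdline"])
        if tags:
            alerts.append({**ev, "tags": tags})
    return alerts


def hosts_with_progression(alerts, min_stages: int = 2) -> dict[str, set[str]]:
    """Hosts on which two or more distinct stages fired: the pre-encryption pattern."""
    by_host: dict[str, set[str]] = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).update(a["tags"])
    return {h: s for h, s in by_host.items() if len(s) >= min_stages}


# Constructed sample log: ts|host|user|parent image|image|command line.
SAMPLE_LOG = [
    r"2024-11-02T03:13:55Z|FS01|CORP\svc_backup|cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Set-MpPreference -DisableRealtimeMonitoring $true",
    r"2024-11-02T03:14:07Z|FS01|CORP\svc_backup|cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"2024-11-02T03:14:09Z|FS01|CORP\svc_backup|cmd.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    r"2024-11-02T03:20:00Z|WS22|CORP\alice|explorer.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
    r"2024-11-02T03:21:00Z|WS23|CORP\bob|explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt",
]

if __name__ == "__main__":
    alerts = hunt(SAMPLE_LOG)
    for a in alerts:
        print(a["ts"], a["host"], a["user"], a["tags"])
    print(hosts_with_progression(alerts))
```

A single `vssadmin delete shadows` from a backup service account can be legitimate, which is why the per-host roll-up matters: AV tampering followed within minutes by shadow-copy deletion and recovery being switched off on the same file server is the combination worth paging on. In production, map `parse_line()` onto Sysmon event 1 or Windows 4688 fields instead of the constructed format.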
## Microsoft Analysis and Additional OSINT Context
The threat actor that Microsoft tracks as [Storm-2113](https://security.microsoft.com/intel-profiles/7d8b27d096bfce159d3602d5221a20a8c2fddc95db7401efe10f486f57c1e5d2) is a financially motivated group known for deploying Lynx ransomware. The actor has targeted entities in multiple sectors, including manufacturing, energy, and commercial facilities, among others. Microsoft has observed Storm-2113 obtaining initial access through exploitation of publicly disclosed vulnerabilities. Post-compromise activity by the group includes the use of several remote monitoring and management (RMM) tools in intrusions for lateral movement and persistence. Storm-2113 also leverages tools like [Mimikatz](https://security.microsoft.com/intel-profiles/2dffdfcf7478886ee7de79237e5aeb52b0ab0cd350f1003a12064c7da2a4f1cb) and [Impacket](https://security.microsoft.com/intel-profiles/19a4861eb55c4c074ab0a8c6f58738d8f50dda8badf96695758399e3d826dda6) to steal credentials.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Harden internet-facing assets and identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as [Microsoft Defender External Attack Surface Management](https://www.microsoft.com/security/business/cloud-security/microsoft-defender-external-attack-surface-management), can be used to augment data. The Attack Surface Summary dashboard surfaces assets such as Exchange servers which require security updates as well as provides recommended remediation steps.
- Organizations can use [Microsoft Defender Vulnerability Management](https://security.microsoft.com/vulnerabilities?ocid=magicti_ta_ta2) to assess the current status of disclosed vulnerabilities and deploy any updates that might have been missed.
- As more organizations move to the cloud, it is important to continue to protect Active Directory resources through credential hardening during this transition. Threat actors are motivated by easy access and continue to look for easy paths to acquire domain administrator privileges. Microsoft provides some steps organizations can take to build credential hygiene in our [on-premises credential theft threat overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport).
- Enforce multifactor authentication (MFA) on all accounts, remo |
Ransomware
Malware
Tool
Vulnerability
Threat
Medical
Cloud
Commercial
|
|
★★★
|
 |
2024-12-12 20:36:12 |
Lookout Discovers New Chinese Surveillance Tool Used by Public Security Bureaus (lien direct) |
## Snapshot
Researchers at Lookout Threat Lab have identified a new surveillance tool called EagleMsgSpy developed by a Chinese software company.
## Description
Operational since at least 2017, this spyware has been used by Chinese law enforcement to extract extensive data from mobile devices. It can access third-party chat messages, call logs, device contacts, SMS messages, location data, and network activity. The tool also features screenshot and screen recording capabilities.
According to Lookout's analysis, EagleMsgSpy includes two key components: an installer APK and a surveillance payload that operates in the background, concealing its activities from the victim. The source code reveals functions that differentiate between device platforms, suggesting the existence of both Android and iOS versions. However, researchers note that physical access to the target device is required to initiate surveillance and EagleMsgSpy has not been found on Google Play or other app stores.
Lookout further reports that domain infrastructure linked to EagleMsgSpy overlaps with those associated with public security bureaus in mainland China. This connection indicates widespread use of the tool within the region. Additionally, EagleMsgSpy shares ties with other Chinese surveillance apps, such as PluginPhantom and CarbonSteal, suggesting its role in a broader ecosystem of state-sponsored surveillance targeting various groups in China.
## Microsoft Analysis and Additional OSINT Context
Chinese cyber threat actors have been [widely reported](https://www.bloomberg.com/news/articles/2022-11-10/lookout-researchers-say-spyware-tied-to-china-is-targeting-apps-used-by-uyghurs?srnd=technology-vp&sref=E9Urfma4) to employ advanced surveillance tools to conduct targeted espionage against minority groups -- particularly the Uyghurs -- and against activists, journalists, and dissidents both within China and abroad. These tools are designed to quietly infiltrate devices, monitor communications, collect sensitive data, and allow for real-time tracking of individuals.
In 2021, [Meta reported](https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/) that it disrupted a campaign by Earth Empusa which aimed to distribute [PluginPhantom](https://unit42.paloaltonetworks.com/unit42-pluginphantom-new-android-trojan-abuses-droidplugin-framework/) and [ActionSpy](https://www.trendmicro.com/en_us/research/20/f/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa.html) to target Uyghurs living in China and abroad in Turkey, Kazakhstan, the United States, Syria, Australia, and Canada, among other countries.
Earlier this year, Lookout Threat Lab detailed [BadBazaar](https://www.lookout.com/threat-intelligence/article/badbazaar-surveillanceware-apt15), a surveillance tool attributed to APT15, tracked by Microsoft as [Nylon Typhoon](https://security.microsoft.com/intel-profiles/6c01b907db21988312af12a7569e4b53eaaeffe1c82c5acd622972735b5c95dc), used to target Tibetan and Uyghur minorities in China. At least one variant of the tool, masquerading as an app called "TibetOne", was distributed via Telegram in a channel named "tibetanphone."
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Only install apps from trusted sources and official stores, like the Google Play Store and Apple App Store.
- Never click on unknown links received through ads, SMS messages, emails, or similar untrusted sources.
- Use mobile solutions such as [Microsoft Defender for Endpoint](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide) on Android to detect malicious applications.
- Always keep Install unknown apps disabled on the Android device to prevent apps from being installed from unknown sources.
- Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong unde |
Malware
Tool
Threat
Legislation
Mobile
|
APT 15
|
★★★
|
 |
2024-12-12 20:10:48 |
Attack Exploiting Legitimate Service by APT-C-60 (lien direct) |
#### Targeted Geolocations
- Japan
## Snapshot
The JPCERT Coordination Center (JPCERT/CC) released a report detailing an attack by APT-C-60 against an organization in Japan during August 2024.
## Description
The attacker used a phishing email disguised as a job application to lure the victim into downloading malware via a Google Drive link. The malicious file, a VHDX virtual disk image, contained LNK files and decoy documents. Upon execution, the LNK file triggered a series of actions, including creating a downloader, SecureBootUEFI.dat, which was made persistent through COM hijacking.
SecureBootUEFI.dat communicated with legitimate services Bitbucket and StatCounter, using the latter to identify infected devices by encoding unique device information into StatCounter's referrer data. The downloader subsequently fetched additional payloads, Service.dat, which in turn retrieved and decoded further malware components, cn.dat and sp.dat, storing them in the system.
The backdoor used in the attack, dubbed SpyGlace by ESET, is a well-documented tool with advanced functionality, including encrypted communication and modular execution. The backdoor has been observed in attacks attributed to APT-C-60, notably in similar campaigns reported between August and September 2024 targeting East Asian countries.
## Microsoft Analysis and Additional OSINT Context
[APT-C-60](https://malpedia.caad.fkie.fraunhofer.de/actor/apt-c-60) is a South Korea-linked cyberespionage group that focuses its targeting on East Asian countries, active since at least December 2021. In August, [ESET researchers observed](https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-spy-group-exploits-wps-office-zero-day-analysis-uncovers-a-second-vulnerability/) the group exploiting a remote code execution (RCE) vulnerability in WPS Office for Windows ([CVE-2024-7262](https://security.microsoft.com/intel-explorer/cves/CVE-2024-7262/)) to deploy its custom backdoor, SpyGlace, to impact users in East Asia. Previously, [the group was observed](https://threatbook.io/blog/Military-Topics-in-Focus:-APT-C-60-Threat-Continues-to-be-Exposed) using military-themed lures in phishing campaigns to gain access to victim environments.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential h |
Malware
Tool
Vulnerability
Threat
|
APT C 60
|
★★★
|
 |
2024-12-12 19:33:38 |
US Sanctions Chinese Cybersecurity Firm for Firewall Exploit, Ransomware Attacks (lien direct) |
SUMMARY The United States has taken strong action against a Chinese cybersecurity company, Sichuan Silence Information Technology, for… |
Ransomware
Threat
|
|
★★★
|
 |
2024-12-12 19:05:00 |
Gamaredon Deploys Android Spyware "BoneSpy" and "PlainGnome" in Former Soviet States (lien direct) |
The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools called BoneSpy and PlainGnome, marking the first time the adversary has been discovered using mobile-only malware families in its attack campaigns.
"BoneSpy and PlainGnome target former Soviet states and focus on Russian-speaking victims," Lookout said in an analysis. "Both |
Malware
Tool
Threat
Mobile
|
|
★★★
|
 |
2024-12-12 18:05:00 |
Researchers Uncover Symlink Exploit Allowing TCC Bypass in iOS and macOS (lien direct) |
Details have emerged about a now-patched security vulnerability in Apple's iOS and macOS that, if successfully exploited, could sidestep the Transparency, Consent, and Control (TCC) framework and result in unauthorized access to sensitive information.
The flaw, tracked as CVE-2024-44131 (CVSS score: 5.3), resides in the FileProvider component, per Apple, and has been addressed with improved |
Vulnerability
Threat
|
|
★★★
|
 |
2024-12-12 15:46:32 |
New IOCONTROL malware used in critical infrastructure attacks (lien direct) |
Iranian threat actors are utilizing a new malware named IOCONTROL to compromise Internet of Things (IoT) devices and OT/SCADA systems used by critical infrastructure in Israel and the United States. [...] |
Malware
Threat
Industrial
|
|
★★★
|
 |
2024-12-12 14:13:45 |
Cequence Security Research Reveals £2M Per Hour at Risk to Cybercrime During Holiday Shopping Season (lien direct) |
Cequence's CQ Prime threat research highlights the alarming financial toll of malicious automated attacks, with e-commerce businesses worldwide facing potential losses of over a billion in December.
Special Reports |
Threat
|
|
★★★
|
 |
2024-12-12 13:10:09 |
Scammers Exploit Fake Domains in Dubai Police Phishing Scams (lien direct) |
BforeAI has discovered a surge in phishing attacks targeting the Dubai Police, a government-run entity. Learn how cybercriminals are exploiting the Dubai Police name to steal personal information and money. |
Threat
Legislation
|
|
★★★
|
 |
2024-12-12 08:15:43 |
The story behind Sekoia.io Custom Integrations (lien direct) |
>Since launching in 2017, Sekoia.io has made a name for itself with its groundbreaking vision in threat detection, leveraging advanced analytics and smart machine learning. But the journey does not end there! Sekoia.io is always growing and improving its services to stay ahead of new cyber threats. The story behind Sekoia.io Custom Integrations is a […]
The post The story behind Sekoia.io Custom Integrations is an article from Sekoia.io Blog. |
Threat
|
|
★★★
|
 |
2024-12-12 02:01:48 |
Socks5Systemz Botnet Creates Massive Proxy Network Through 250,000 Infected Systems Worldwide (lien direct) |
## Snapshot
Bitsight TRACE's security research team has uncovered extensive details about the Socks5Systemz botnet. Since 2013, the malware has been covertly sold or integrated into other malware, including Andromeda, Smokeloader, and [Trickbot](https://sip.security.microsoft.com/intel-profiles/5a0aed1313768d50c9e800748108f51d3dfea6a4b48aa71b630cff8979882f7c).
## Description
Socks5Systemz was initially believed to have around 10,000 compromised systems, but it was later discovered to have peaked at 250,000 bots, with a presence in nearly every country. The botnet, which has been used by the proxy service PROXY.AM since 2016, provides anonymous proxy exit nodes for criminal activities.
The integration of Socks5Systemz as a proxy module within other malware might explain the absence of references to it before September 2023, when it made headlines as part of broad distribution campaigns involving loaders like [Privateloader](https://sip.security.microsoft.com/intel-profiles/49921aa8f61714680f9645c77fad076c9439af357597272d874d7d0073910c99), Smokeloader, and Amadey. Prior to 2023, Socks5Systemz likely operated covertly, being detected as part of other malware, and thus escaped the notice of the threat intelligence community.
The botnet's size has since decreased to an estimated 120,000 bots due to the threat actor losing control and having to rebuild the botnet with a new command and control (C2) infrastructure, now referred to as Socks5Systemz V2. The malware is also linked to BoostyProxy, a service sold on Telegram by an actor named 'boost', who is believed to be a reseller in a larger operation. Alexey Pavlov from Novosibirsk, Russia, has been identified as a key registrant associated with the proxy service.
As of October 2024, Bitsight TRACE has observed recent updates to the malware, including new servers, geographic dispersion, host providers, fallback domains, an updated C2 protocol and obfuscation techniques. The core functionality of the malware, however, has remained unchanged.
## Microsoft Analysis and Additional OSINT Context
Botnet threats have made headlines in recent months, continuing to evolve and posing risks to both individual users and critical infrastructure. Recent examples include the FBI's disruption of the [Flax Typhoon botnet](https://www.cybersecuritydive.com/news/us-takedown-china-botnet/727501/), which compromised over 260,000 devices to target critical infrastructure. Additionally, emerging botnet families are targeting Linux and Internet of Things (IoT) devices, exemplified by the [Ngioweb botnet](https://sip.security.microsoft.com/intel-explorer/articles/44f917c6), which exploits vulnerabilities in various IoT devices to turn them into residential proxies sold on the black market.
The [emergence of new botnet families like Gorilla](https://sip.security.microsoft.com/intel-explorer/articles/0bcef023), which draws from the infamous Mirai botnet source code, indicates a trend towards more aggressive and widespread attacks. GorillaBot has issued over 300,000 attack commands in a single month, targeting a wide range of sectors across more than 100 countries. This botnet's high attack density and focus on distributed denial-of-service (DDoS) attacks illustrate the growing complexity and impact of botnet threats. [Research by NSFOCUS](https://nsfocusglobal.com/company-overview/resources/botnet-trends-2023-review-and-2024-predictions/) revealed that distributed denial-of-service (DDoS) was the most common botnet attack vector in 2023.
## Recommendations
**Microsoft recommends the following mitigations to reduce the impact of botnets.**
- [Restrict automatic prompts](https://support.microsoft.com/en-us/windows/automatic-file-download-notifications-in-windows-dc73c9c9-1b4c-a8b7-8d8b-b471736bb5a0) for non-user-initiated file downloads.
- [Enable Safe Links](https://learn.microsoft.com/en-us/powershell/module |
Spam
Malware
Vulnerability
Threat
Prediction
|
|
★★★
|
 |
2024-12-12 00:00:00 |
INTERPOL & Trend's Fight Against Cybercrime (lien direct) |
Trend threat intelligence and training were crucial to the success of two major policing operations in 2024 |
Threat
Prediction
|
|
★★★
|
 |
2024-12-11 23:32:00 |
Secret Blizzard Deploys Kazuar Backdoor in Ukraine Using Amadey Malware-as-a-Service (lien direct) |
The Russian nation-state actor tracked as Secret Blizzard has been observed leveraging malware associated with other threat actors to deploy a known backdoor called Kazuar on target devices located in Ukraine.
The new findings come from the Microsoft threat intelligence team, which said it observed the adversary leveraging the Amadey bot malware to download custom malware onto "specifically |
Malware
Threat
|
|
★★★
|
 |
2024-12-11 22:47:17 |
Chinese Hacker Pwns 81K Sophos Devices With Zero-Day Bug (lien direct) |
The US State Department has offered a $10 million reward for Guan Tianfeng, who has been accused of developing and testing a critical SQL injection flaw with a CVSS score of 9.8 used in Sophos attacks. |
Vulnerability
Threat
|
|
★★★
|
 |
2024-12-11 22:38:07 |
Likely China-based Attackers Target High-profile Organizations in Southeast Asia (lien direct) |
#### Targeted Geolocations
- Southeast Asia
#### Targeted Industries
- Government Agencies & Services
- Transportation Systems
- Aviation
- Communications Infrastructure
## Snapshot
Researchers at Symantec detailed an espionage campaign, active since at least October 2023, likely conducted by China-based threat actors. The campaign targeted organizations in a number of industries, including government, telecommunications, and aviation.
## Description
The attackers employed a mix of open-source (e.g., Dismap, [Impacket](https://security.microsoft.com/intel-profiles/19a4861eb55c4c074ab0a8c6f58738d8f50dda8badf96695758399e3d826dda6), and FastReverseProxy) and living-off-the-land (e.g., PowerShell, Reg.exe, and Windows Management Instrumentation) tools in their attacks. Many of these tools have been previously observed in attacks attributed to Chinese actors, including Rakshasa, a tool previously used by Earth Baku, and SharpNBTScan, a .NET application previously used by Mustang Panda (tracked by Microsoft as [Twill Typhoon](https://security.microsoft.com/intel-profiles/01aef6bb1a4cd12178aca7fceb848002164b83bf375fa33699ed4c5523b4fd3c)).
The operations focused on exfiltrating data of interest, including credentials, from targeted organizations. The threat actors maintained prolonged access to target environments, allowing them to map the network and identify systems of interest. According to Symantec, data was exfiltrated using WinRAR to gather and compress files of interest into password-protected archives. These archives were then uploaded to cloud storage platforms like File.io, allowing the attackers to discreetly transfer the data.
## Microsoft Analysis and Additional OSINT Context
Most Chinese threat activity is for intelligence collection purposes and, as represented in Microsoft Threat Intelligence nation-state notification (NSN) data, is especially prevalent in Association of Southeast Asian Nations countries around the South China Sea. To learn more about Chinese cyber threat activity in and around the South China Sea, read [Microsoft's most recent Digital Defense Report](https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Microsoft%20Digital%20Defense%20Report%202024%20%281%29.pdf).
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Turn on [tamper protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) features to prevent attackers from stopping security services.
- Run [endpoint detection and response (EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode) so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
- Enable [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations) in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
## Detections/Hunting Queries
### Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
- [Trojan:Win32/LotusBlossom](https://www.microsoft.com/en-us/wdsi/threats/mal |
Malware
Tool
Threat
Cloud
|
APT 41
|
★★★
|
 |
2024-12-11 22:13:51 |
Krispy Kreme Doughnut Delivery Gets Cooked in Cyberattack (lien direct) |
Threat actors punch holes in the company's online ordering systems, tripping up doughnut deliveries across the US after a late November breach. |
Threat
|
|
★★★
|
|