Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2024-12-18 21:04:15 |
CISA urges senior government officials to lock down mobile devices amid ongoing Salt Typhoon breach (direct link) |
A 5-page advisory provided troves of guidance for both Apple and Android users, urging all “highly targeted individuals” to rely on the “consistent use of end-to-end encryption.” |
Mobile
|
|
★★
|
 |
2024-12-18 20:06:19 |
Mobile Spear Phishing Targets Executive Teams (direct link) |
Over the past few months, enterprises have observed a pattern of sophisticated spearphishing attempts targeting their executives, with some specifically targeting their mobile devices. Our blog shares the details. |
Mobile
|
|
★★★
|
 |
2024-12-18 19:13:34 |
CISA pushes guide for high-value targets to secure mobile devices (direct link) |
The guide comes as the government continues to deal with the fallout of the Salt Typhoon hack. |
Hack
Mobile
|
|
★★
|
 |
2024-12-18 18:56:30 |
(Déjà vu) Hidden in Plain Sight: TA397's New Attack Chain Delivers Espionage RATs (direct link) |
#### Targeted Geolocations
- Türkiye
#### Targeted Industries
- Defense Industrial Base
## Snapshot
Proofpoint recently observed TA397, an advanced persistent threat (APT) group also known as Bitter, targeting a Turkish defense organization using spearphishing emails. The campaign leveraged lures related to public infrastructure projects in Madagascar, containing RAR archives with NTFS alternate data streams (ADS). These ADS streams delivered a malicious shortcut (LNK) file, which executed PowerShell commands to create a scheduled task for downloading additional payloads.
## Description
In this attack, TA397 deployed two remote access trojans (RATs): WmRAT and MiyaRAT, both designed for intelligence gathering and data exfiltration. WmRAT is a C++-based backdoor capable of executing commands, capturing screenshots, determining geolocation data, and stealing system information. MiyaRAT, also written in C++, offers similar functionality.
According to Proofpoint, this attack aligns with TA397's established tactics, which include using RAR archives and scheduled tasks for persistence, targeting defense sector organizations in the EMEA and APAC regions, and leveraging RATs historically attributed to the group. Notably, MiyaRAT appears to be reserved for high-value targets, as evidenced by its limited use.
Proofpoint assesses that TA397's activities are likely intelligence-gathering efforts in support of a South Asian government. The group's consistent focus on the defense, energy, and engineering sectors in EMEA and APAC regions underscores its ability to adapt tools and techniques to target high-value entities effectively.
## Microsoft Analysis and Additional OSINT Context
TA397, also known as [Bitter and T-APT-17](https://attack.mitre.org/groups/G1002/), is a likely South Asian cyber espionage threat group, active since at least 2013. The [group's targets](https://blog.talosintelligence.com/bitter-apt-adds-bangladesh-to-their/) have included organizations within the energy, engineering, government, and military sectors of China, Bangladesh, Pakistan, and Saudi Arabia, among others. The group is primarily motivated by espionage and has been observed targeting both mobile and desktop platforms. TA397 has used a number of RATs including Bitter RAT, SlideRAT, AndroRAT, and Almond RAT in addition to WmRAT and MiyaRAT, mentioned above.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [ne |
Ransomware
Malware
Tool
Threat
Mobile
Industrial
|
|
★★★
|
 |
2024-12-18 13:17:59 |
How to Lose a Fortune with Just One Bad Click (direct link) |
Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click "yes" to a Google prompt on his mobile device. |
Mobile
|
|
★★★
|
 |
2024-12-18 13:00:03 |
How SASE Addresses Enterprise Network Challenges (direct link) |
Unified Security and Network Performance. The proliferation of remote work, cloud services, and mobile devices has expanded the traditional network perimeter, introducing complexities in ensuring secure and efficient access to resources and the need to defend against web-based threats. All of this presents challenges to balancing flexibility, security, and performance. Enter Secure Access Service Edge (SASE), a transformative framework that converges networking and security into a unified, cloud-native service. SASE integrates wide-area networking (WAN) capabilities with comprehensive security services, such as Secure Web Gateway (SWG), Firewall as a Service (FWaaS), Zero Trust Network Access (ZTNA), and more, into a single, cloud-delivered […] |
Mobile
Cloud
|
|
★★
|
 |
2024-12-17 15:20:40 |
Appdome announced that the Appdome Mobile Defense Platform now protects applications running on mobile-enabled platforms (direct link) |
Appdome Announces Broader Device and System Coverage to Protect the Mobile Economy's Future
New Defenses Empower Mobile Businesses to Securely Extend their Offerings to New Mobile-Enabled VR, AR, TV, Automotive and PC Platforms
-
Product Reviews |
Mobile
|
|
★★
|
 |
2024-12-16 12:50:03 |
Weekly OSINT Highlights, 16 December 2024 (direct link) |
## Snapshot
Last week's OSINT reporting highlighted a diverse range of cyber threats, emphasizing sophisticated malware, targeted attacks, and global threat actor activities. Credential theft and data exfiltration emerged as prominent attack types, as seen in campaigns like Bizfum Stealer and Meeten malware targeting cryptocurrency users. Phishing remained a key attack vector, deployed in operations like UAC-0185's MeshAgent campaign against Ukraine and APT-C-60's SpyGlace backdoor targeting Japan. Nation-state actors dominated the landscape, including North Korea's UNC4736 exploiting DeFi systems and China's espionage on critical industries, while hacktivists like Holy League targeted France amid geopolitical unrest. The attacks primarily focused on sensitive targets such as critical infrastructure, financial systems, and government entities, underscoring the rising risks to global cybersecurity.
## Description
1. [Bizfum Stealer:](https://sip.security.microsoft.com/intel-explorer/articles/b522b6ae) CYFIRMA researchers discovered "Bizfum Stealer," an advanced information-stealing malware designed to exfiltrate credentials, cookies, and sensitive files from infected systems. Targeting popular browsers and leveraging platforms like GoFile and Telegram, it employs sophisticated techniques for stealth, encryption, and evasion.
2. [IOCONTROL Malware:](https://sip.security.microsoft.com/intel-explorer/articles/5fa3e494) Team82 identified IOCONTROL, a modular malware linked to Iran's IRGC-CEC, targeting IoT and OT devices to disrupt fuel systems in the U.S. and Israel. The malware uses advanced techniques, including DNS-over-HTTPS and AES-256-CBC encryption, to evade detection while compromising critical infrastructure.
3. [Kimsuky's Million OK Campaign:](https://sip.security.microsoft.com/intel-explorer/articles/d1e1ee65) Hunt researchers uncovered infrastructure tied to North Korea's APT group Kimsuky, which employed domains mimicking South Korea's Naver platform to steal credentials. The campaign's infrastructure used distinctive HTTP responses, shared server configurations, and phishing techniques to target South Korean users.
4. [UNC4736 Cryptocurrency Heist](https://sip.security.microsoft.com/intel-explorer/articles/3a647a38): Mandiant attributed the $50 million cryptocurrency theft from Radiant Capital to North Korea's UNC4736. The attackers used malware to compromise trusted developers, executing unauthorized transactions that exploited DeFi multi-signature processes while bypassing robust security measures.
5. [PUMAKIT Malware Report](https://sip.security.microsoft.com/intel-explorer/articles/a16902ac): Elastic Security Labs detailed PUMAKIT, a modular Linux malware employing fileless execution, kernel rootkits, and syscall hooking for stealth and persistence. Its sophisticated architecture allows it to manipulate system behaviors, evade detection, and target older kernel versions with privilege escalation capabilities.
6. [Android Banking Trojan in India](https://sip.security.microsoft.com/intel-explorer/articles/5ff566b7): McAfee researchers uncovered a trojan targeting Indian Android users, masquerading as utility apps and stealing financial data via malicious APKs distributed on platforms like WhatsApp. The malware exfiltrates data using Supabase and employs stealth tactics, compromising over 400 devices and intercepting thousands of SMS messages.
7. [DarkGate Malware via Teams Call](https://sip.security.microsoft.com/intel-explorer/articles/5cac0381): Trend Micro identified an attack leveraging Microsoft Teams to distribute DarkGate malware through social engineering and remote desktop applications. The attacker used vishing to gain trust and access, deploying malware with persistence and evasion techniques before being intercepted.
8. [Socks5Systemz Botnet Resurgence](https://sip.security.microsoft.com/intel-explorer/articles/15cfbc2f): Bitsight TRACE uncovered the long-standing Socks5Systemz botnet, which peaked at 250,000 compr |
Ransomware
Malware
Tool
Vulnerability
Threat
Legislation
Mobile
Industrial
Prediction
Cloud
|
APT C 60
|
★★
|
 |
2024-12-16 12:15:00 |
Amnesty Accuses Serbia of Tracking Journalists and Activists with Spyware (direct link) |
The Serbian authorities have been using advanced mobile forensics products made by Israeli firm Cellebrite to extract data from mobile devices illegally. |
Mobile
|
|
★★
|
 |
2024-12-16 10:06:16 |
New Android NoviSpy spyware linked to Qualcomm zero-day bugs (direct link) |
The Serbian government exploited Qualcomm zero-days to unlock and infect Android devices with a new spyware named 'NoviSpy,' used to spy on activists, journalists, and protestors. [...] |
Vulnerability
Threat
Mobile
|
|
★★
|
 |
2024-12-16 06:00:00 |
Tech Guide: Detecting NoviSpy spyware with AndroidQF and the Mobile Verification Toolkit (MVT) (direct link) |
This is a companion blogpost to our report “A Digital Prison” – Surveillance and the Suppression of Civil Society in Serbia. Amnesty Security Lab has published Indicators of Compromise (IOCs) for the NoviSpy spyware application. This tutorial explains how to use Android Quick Forensics (androidqf) and Mobile Verification Toolkit (MVT) to examine an Android […] |
Mobile
|
|
★★★
|
 |
2024-12-16 06:00:00 |
Serbia: Authorities using spyware and Cellebrite forensic extraction tools to hack journalists and activists (direct link) |
This press release is also available in Serbian “Srbija: Vlasti koriste špijunske softvere i forenzičke alate kompanije Cellebrite za hakovanje novinara i aktivista“. Serbian police and intelligence authorities are using advanced phone spyware alongside mobile phone forensic products to unlawfully target journalists, environmental activists and other individuals in a covert surveillance campaign, a new Amnesty […] |
Hack
Tool
Legislation
Mobile
|
|
★★★★
|
 |
2024-12-15 22:11:23 |
The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit (direct link) |
Posted by Seth Jenkins, Google Project Zero
This blog post provides a technical analysis of exploit artifacts provided to us by Google's Threat Analysis Group (TAG) from Amnesty International. Amnesty’s report on these exploits is available here. Thanks to both Amnesty International and Google's Threat Analysis Group for providing the artifacts and collaborating on the subsequent technical analysis!
Introduction
Earlier this year, Google's TAG received some kernel panic logs generated by an In-the-Wild (ITW) exploit. Those logs kicked off a bug hunt that led to the discovery of 6 vulnerabilities in one Qualcomm driver over the course of 2.5 months, including one issue that TAG reported as ITW. This blog post covers the details of the original artifacts, each of the bugs discovered, and the hypothesized ITW exploit strategy gleaned from the logs.
Artifacts
Usually when successfully reverse-engineering an ITW exploit, Project Zero/TAG have had access to the exploit sample itself, making determining what vulnerability was exploited primarily a matter of time and effort. However, in this particular case, we received several kernel panic logs but unfortunately not the exploit sample. This meant we could not directly reproduce crashes or reverse engineer what bug was being exploited.
Accurately determining what vulnerability an exploit uses working only off of crash logs and without the exploit itself can range in difficulty from highly plausible to impossible. I decided to give it a try and see what I could learn. Out of the 6 panics we received, 4 panics in particular contained potentially useful information:
Log 1:
[ 47.223480] adsprpc: fastrpc_init_process: untrusted app trying to attach to privileged DSP PD
[ 47.254494] adsprpc: mapping not found to unmap fd 0xffffffff, va |
Vulnerability
Threat
Mobile
Technical
|
|
★★★
|
 |
2024-12-13 18:15:29 |
Google's Android XR May Usher in New Generation of Smart Glasses (direct link) |
Developers can try out the Android XR SDK now. Samsung has announced one upcoming set of glasses using the new OS. |
Mobile
|
|
★★
|
 |
2024-12-13 15:35:43 |
Germany cuts hacker access to 30,000 devices infected with BadBox malware (direct link) |
Germany's Federal Office for Information Security (BSI) blocked communication between the infected devices - which are typically Android products such as smartphones, tablets and streaming boxes sold through online retailers or resale sites - and the criminals' control servers. |
Malware
Mobile
|
|
★★
|
 |
2024-12-13 15:03:07 |
Android beefs up Bluetooth tag stalker protections (direct link) |
Wider ecosystem still has work to do, though. Google is rolling out two new features to help Android users evade stalkers who abuse Bluetooth tags to surreptitiously track them.… |
Mobile
|
|
★★
|
 |
2024-12-13 12:43:23 |
Russian cyberspies target Android users with new spyware (direct link) |
Russian cyberspy group Gamaredon has been discovered using two Android spyware families named 'BoneSpy' and 'PlainGnome' to spy on and steal data from mobile devices. [...] |
Mobile
|
|
★★
|
 |
2024-12-13 12:29:31 |
Russian APT Gamaredon Deploys New Mobile Spyware Targeting Former Soviet States (direct link) |
#### Targeted Geolocations
- Uzbekistan
- Kazakhstan
- Tajikistan
- Kyrgyzstan
## Snapshot
Researchers at Lookout Threat Lab have uncovered two Android surveillance tools, BoneSpy and PlainGnome, linked to the Russian APT group Gamaredon (tracked by Microsoft as Aqua Blizzard). These tools have been targeting Russian-speaking individuals in former Soviet states, with BoneSpy active since at least 2021 and PlainGnome emerging in 2024.
## Description
BoneSpy and PlainGnome both collect sensitive mobile data such as SMS, call logs, photos, device location, and contact lists from Android devices. BoneSpy is derived from the Russian open-source DroidWatcher, while PlainGnome, not developed from the same code base, acts as a dropper for a surveillance payload. Of note, BoneSpy can be controlled via SMS messages.
The attribution to Gamaredon is based on shared IP addresses, domain naming conventions, and the use of dynamic DNS providers, which are consistent with the group's operations. These are the first mobile malware families to be publicly attributed to Gamaredon, according to Lookout Threat Lab.
The malware likely spreads through targeted social engineering, with BoneSpy evolving to use trojanized Telegram apps as lures, indicating possible enterprise targeting. PlainGnome's deployment involves a minimal first stage that drops a malicious APK, followed by a second stage that carries out surveillance activities.
The command and control infrastructure for both uses No-IP Dynamic DNS service and is linked to Russian ISP Global Internet Solutions LLC, owned by Yevgeniy Valentinovich Marinko, who has a history of involvement in hacker forums and stolen-credential trading.
## Microsoft Analysis and Additional OSINT Context
The actor that Microsoft tracks as [Aqua Blizzard](https://sip.security.microsoft.com/intel-profiles/9b01de37bf66d1760954a16dc2b52fed2a7bd4e093dfc8a4905e108e4843da80) (aka Gamaredon) is a nation-state activity group based out of Russia. The [Ukrainian government has publicly attributed](https://ssu.gov.ua/en/novyny/sbu-vstanovyla-khakeriv-fsb-yaki-zdiisnyly-ponad-5-tys-kiberatak-na-derzhavni-orhany-ukrainy) this group to the Russian Federal Security Service (FSB). Aqua Blizzard is known to primarily target organizations in Ukraine including government entities, military, non-governmental organizations, judiciary, law enforcement, and non-profit, as well as entities related to Ukrainian affairs. Aqua Blizzard focuses on espionage and exfiltration of sensitive information.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Only install apps from trusted sources and official stores, like the Google Play Store and Apple App Store.
- Never click on unknown links received through ads, SMS messages, emails, or similar untrusted sources.
- Use mobile solutions such as [Microsoft Defender for Endpoint](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide) on Android to detect malicious applications.
- Always keep Install unknown apps disabled on the Android device to prevent apps from being installed from unknown sources.
- Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it. These are powerful permissions that are not commonly needed.
- If a device is no longer receiving updates, strongly consider replacing it with a new device.
## Detections/Hunting Queries
### Microsoft Defender Antivirus
*Microsoft Defender Antivirus detects the threat components as the following malware.*
- *[Trojan:AndroidOS/Multiverze](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:AndroidOS/Multiverze)*
## References
[Russian APT Gamaredon Deploys New Mobile Spyware Targeting Former Soviet States](https:// |
Malware
Tool
Threat
Legislation
Mobile
|
|
★★★
|
 |
2024-12-13 10:22:05 |
Germany blocks BadBox malware loaded on 30,000 Android devices (direct link) |
Germany's Federal Office for Information Security (BSI) has disrupted the BadBox malware operation pre-loaded in over 30,000 Android IoT devices sold in the country. [...] |
Malware
Mobile
|
|
★★
|
 |
2024-12-13 07:00:00 |
'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks (direct link) |
A sophisticated social engineering cybercrime campaign bent on financial gain was observed being run from Tencent servers in Singapore. |
Legislation
Mobile
|
|
★★★
|
 |
2024-12-12 23:07:26 |
A New Android Banking Trojan Masquerades as Utility and Banking Apps in India (direct link) |
Authored by Dexter Shin
Over the years, cyber threats targeting Android devices have become more sophisticated and persistent. Recently, McAfee... |
Mobile
|
|
★★★
|
 |
2024-12-12 21:21:31 |
Chinese Cops Caught Using Android Spyware to Track Mobile Devices (direct link) |
Law enforcement across mainland China have been using the EagleMsgSpy surveillance tool to collect mobile device data since at least 2017, new research shows. |
Tool
Legislation
Mobile
|
|
★★★
|
 |
2024-12-12 20:36:12 |
Lookout Discovers New Chinese Surveillance Tool Used by Public Security Bureaus (direct link) |
## Snapshot
Researchers at Lookout Threat Lab have identified a new surveillance tool called EagleMsgSpy developed by a Chinese software company.
## Description
Operational since at least 2017, this spyware has been used by Chinese law enforcement to extract extensive data from mobile devices. It can access third-party chat messages, call logs, device contacts, SMS messages, location data, and network activity. The tool also features screenshot and screen recording capabilities.
According to Lookout's analysis, EagleMsgSpy includes two key components: an installer APK and a surveillance payload that operates in the background, concealing its activities from the victim. The source code reveals functions that differentiate between device platforms, suggesting the existence of both Android and iOS versions. However, researchers note that physical access to the target device is required to initiate surveillance and EagleMsgSpy has not been found on Google Play or other app stores.
Lookout further reports that domain infrastructure linked to EagleMsgSpy overlaps with those associated with public security bureaus in mainland China. This connection indicates widespread use of the tool within the region. Additionally, EagleMsgSpy shares ties with other Chinese surveillance apps, such as PluginPhantom and CarbonSteal, suggesting its role in a broader ecosystem of state-sponsored surveillance targeting various groups in China.
## Microsoft Analysis and Additional OSINT Context
Chinese cyber threat actors have been [widely reported](https://www.bloomberg.com/news/articles/2022-11-10/lookout-researchers-say-spyware-tied-to-china-is-targeting-apps-used-by-uyghurs?srnd=technology-vp&sref=E9Urfma4) to employ advanced surveillance tools to conduct targeted espionage against minority groups -- particularly the Uyghurs -- and against activists, journalists, and dissidents both within China and abroad. These tools are designed to quietly infiltrate devices, monitor communications, collect sensitive data, and allow for real-time tracking of individuals.
In 2021, [Meta reported](https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/) that it disrupted a campaign by Earth Empusa which aimed to distribute [PluginPhantom](https://unit42.paloaltonetworks.com/unit42-pluginphantom-new-android-trojan-abuses-droidplugin-framework/) and [ActionSpy](https://www.trendmicro.com/en_us/research/20/f/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa.html) to target Uyghurs living in China and abroad in Turkey, Kazakhstan, the United States, Syria, Australia, and Canada, among other countries.
Earlier this year, Lookout Threat Lab detailed [BadBazaar](https://www.lookout.com/threat-intelligence/article/badbazaar-surveillanceware-apt15), a surveillance tool attributed to APT15, tracked by Microsoft as [Nylon Typhoon](https://security.microsoft.com/intel-profiles/6c01b907db21988312af12a7569e4b53eaaeffe1c82c5acd622972735b5c95dc), used to target Tibetan and Uyghur minorities in China. At least one variant of the tool, masquerading as an app called "TibetOne", was distributed via Telegram in a channel named "tibetanphone."
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Only install apps from trusted sources and official stores, like the Google Play Store and Apple App Store.
- Never click on unknown links received through ads, SMS messages, emails, or similar untrusted sources.
- Use mobile solutions such as [Microsoft Defender for Endpoint](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide) on Android to detect malicious applications.
- Always keep Install unknown apps disabled on the Android device to prevent apps from being installed from unknown sources.
- Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong unde |
Malware
Tool
Threat
Legislation
Mobile
|
APT 15
|
★★★
|
 |
2024-12-12 19:05:00 |
Gamaredon Deploys Android Spyware "BoneSpy" and "PlainGnome" in Former Soviet States (direct link) |
The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools called BoneSpy and PlainGnome, marking the first time the adversary has been discovered using mobile-only malware families in its attack campaigns.
"BoneSpy and PlainGnome target former Soviet states and focus on Russian-speaking victims," Lookout said in an analysis. "Both |
Malware
Tool
Threat
Mobile
|
|
★★★
|
 |
2024-12-12 18:18:32 |
Google steps into “extended reality” once again with Android XR (direct link) |
No pricing or availability, but there's new competition in headsets and glasses. |
Mobile
|
|
★★★
|
 |
2024-12-12 16:39:42 |
Mobile Phishing Campaign Targets Job Seekers (direct link) |
|
Mobile
|
|
★★
|
 |
2024-12-12 16:00:00 |
Hands On With Google's Gemini-Powered Smart Glasses, Android XR, and Project Moohan Headset (direct link) |
Google has new smart glasses, as well as a mixed-reality headset developed with Samsung. Both are powered by Gemini, both run a new version of Android, and both are due in 2025. I got to try them on. |
Mobile
|
|
★★★
|
 |
2024-12-12 12:00:00 |
Securing Mobile Devices and Apps: Critical Operational Resilience in Airlines (lien direct) |
Our blog is sharing the five biggest mobile security threats your business needs to be aware of. |
Mobile
|
|
★★★
|
 |
2024-12-11 16:32:00 |
Chinese EagleMsgSpy Spyware Found Exploiting Mobile Devices Since 2017 (lien direct) |
Cybersecurity researchers have discovered a novel surveillance program that's suspected to be used by Chinese police departments as a lawful intercept tool to gather a wide range of information from mobile devices.
The Android tool, codenamed EagleMsgSpy by Lookout, has been operational since at least 2017, with artifacts uploaded to the VirusTotal malware scanning platform as recently as |
Malware
Tool
Legislation
Mobile
|
|
★★★
|
 |
2024-12-11 16:03:24 |
New EagleMsgSpy Android spyware used by Chinese police, researchers say (lien direct) |
A previously undocumented Android spyware called 'EagleMsgSpy' has been discovered and is believed to be used by law enforcement agencies in China to monitor mobile devices. [...] |
Legislation
Mobile
|
|
★★★
|
 |
2024-12-11 09:22:28 |
Opera improves its built-in ad blocker on Android (lien direct) |
Opera boosts its ad blocker on Android with new privacy modes, more efficiency and more customization
-
Products |
Mobile
|
|
★★★
|
 |
2024-12-10 19:43:00 |
Fake Recruiters Distribute Banking Trojan via Malicious Apps in Phishing Scam (lien direct) |
Cybersecurity researchers have shed light on a sophisticated mobile phishing (aka mishing) campaign that's designed to distribute an updated version of the Antidot banking trojan.
"The attackers presented themselves as recruiters, luring unsuspecting victims with job offers," Zimperium zLabs researcher Vishnu Pratapagiri said in a new report.
"As part of their fraudulent hiring process, the |
Mobile
|
|
★★★
|
 |
2024-12-10 14:57:28 |
Hackers Target Job Seekers with AppLite Trojan Using Fake Job Emails (lien direct) |
SUMMARY AppLite banking trojan is a newly discovered stealthy mobile malware threat targeting mobile devices. Learn about its… |
Malware
Threat
Mobile
|
|
★★★
|
 |
2024-12-10 14:44:41 |
AppLite, a new mishing campaign targeting job seekers' mobile devices (lien direct) |
>Zimperium's zLabs research team has just identified AppLite, a mishing attack that installs banking trojans on the Android mobile devices of job seekers. The global leader in mobile security is warning about this extremely sophisticated cyber scam, which exploits victims' trust and vulnerability and enables a wide range of malicious actions, […]
The post AppLite, a new mishing campaign targeting job seekers' mobile devices first appeared on UnderNews. |
Mobile
|
|
★★
|
 |
2024-12-10 14:00:00 |
New AppLite Malware Targets Banking Apps in Phishing Campaign (lien direct) |
New AppLite Banker malware targets Android devices, employing advanced phishing techniques to steal credentials and data. |
Malware
Mobile
|
|
★★
|
 |
2024-12-10 14:00:00 |
AppLite: A New AntiDot Variant Targeting Mobile Employee Devices (lien direct) |
>Our zLabs team has identified an extremely sophisticated mishing (mobile-targeted phishing) campaign that delivers malware to the user's Android mobile device, enabling a broad set of malicious actions including credential theft of banking, cryptocurrency and other critical applications. |
Malware
Mobile
|
|
★★
|
 |
2024-12-09 12:22:03 |
Weekly OSINT Highlights, 9 December 2024 (lien direct) |
## Snapshot
Last week\'s OSINT reporting highlights a diverse range of cyber threats spanning ransomware, espionage, supply chain attacks, and disinformation campaigns. Espionage activity remains prominent, with Chinese and Russian actors targeting organizations for geopolitical and industrial intelligence. Key trends include the exploitation of vulnerabilities in widely used software, such as Apache ActiveMQ (CVE-2023-46604) and Docker APIs, and advanced malware like SmokeLoader and MOONSHINE to target industries ranging from manufacturing to financial services. Ransomware groups, including Howling Scorpius and Venom Spider, leverage sophisticated techniques like double extortion and hybrid encryption, focusing on SMBs and enterprises. Targets span global industries, including sensitive infrastructure, while attack vectors predominantly involve phishing, misconfigured systems, and supply chain manipulation, underscoring the adaptability and persistence of modern threat actors.
## Description
1. [Manufacturing Sector Cyberattack](https://sip.security.microsoft.com/intel-explorer/articles/d976ecc3): Cyble Research and Intelligence Labs uncovered a campaign targeting the manufacturing sector with malicious LNK files masquerading as PDFs. The attack employs LOLBins, DLL sideloading, and advanced obfuscation techniques, using tools like Lumma stealer and Amadey bot to exfiltrate data and establish persistence.
1. [Phishing Malware Impersonating the National Tax Service (NTS)](https://sip.security.microsoft.com/intel-explorer/articles/6542e5a4): AhnLab has observed a significant increase in phishing emails impersonating the National Tax Service (NTS), particularly during tax filing periods. These phishing attempts involve emails with manipulated sender addresses to appear as if they are from the NTS, and they contain malicious attachments in various formats or hyperlinks leading to malware-hosting websites and the ultimate deployment of XWorm malware.
1. [Solana Web3.js library backdoored to steal secret, private keys](https://sip.security.microsoft.com/intel-explorer/articles/04dd6cf6): Socket security firm reported that versions 1.95.6 and 1.95.7 of the Solana Web3.js library contained code designed to exfiltrate private and secret keys, which could allow attackers to drain funds from wallets. The attack is believed to be the result of a social engineering/phishing attack targeting maintainers of the official Web3.js open-source library maintained by Solana.
1. [Exploitation of CVE-2023-46604 in Korea](https://sip.security.microsoft.com/intel-explorer/articles/ccb7bd15): AhnLab identified active exploitation of Apache ActiveMQ vulnerability CVE-2023-46604, enabling remote code execution on unpatched Korean systems. Threat actors, including Andariel and Mauri ransomware groups, used tools like Quasar RAT and AnyDesk to exfiltrate data and control compromised environments.
1. [China-Linked Espionage on U.S.-China Organization](https://sip.security.microsoft.com/intel-explorer/articles/9c09d15e): Symantec reported a four-month-long intrusion by suspected Chinese threat actors targeting a U.S. organization with a Chinese presence. The attackers used DLL sideloading, Impacket, and credential-dumping tactics to exfiltrate data, leveraging tools like FileZilla and PSCP for intelligence gathering.
1. [Earth Minotaur\'s MOONSHINE Campaign](https://sip.security.microsoft.com/intel-explorer/articles/699406a4): Trend Micro detailed Earth Minotaur\'s use of the MOONSHINE exploit kit to target vulnerabilities in Android apps like WeChat, delivering the DarkNimbus backdoor. The campaign, likely linked to Chinese actors, focuses on Uyghur and Tibetan communities, employing phishing and Chromium browser exploits to monitor devices.
1. [Vulnerabilities in RAG Systems](https://sip.security.microsoft.com/intel-explorer/articles/53083f3e): Trend Micro exposed critical vulnerabilities in Retrieval-Augmented Generation (RAG) systems, including vector stores and LLM hosting platforms like l |
Ransomware
Malware
Tool
Vulnerability
Threat
Mobile
Industrial
Prediction
|
APT 45
|
★★★
|
 |
2024-12-07 13:45:36 |
New DroidBot Android Spyware Targeting Banking and Crypto Users (lien direct) |
DroidBot, a sophisticated Android RAT, is targeting individuals and financial institutions across Europe. |
Mobile
|
|
★★
|
 |
2024-12-06 21:45:00 |
FSB Uses Trojan App to Monitor Russian Programmer Accused of Supporting Ukraine (lien direct) |
A Russian programmer accused of donating money to Ukraine had his Android device secretly implanted with spyware by the Federal Security Service (FSB) after he was detained earlier this year.
The findings come as part of a collaborative investigation by First Department and the University of Toronto's Citizen Lab.
"The spyware placed on his device allows the operator to track a target device's |
Mobile
|
|
★★★
|
 |
2024-12-06 14:54:06 |
How to delete emails at once on an Android phone (lien direct) |
[…] |
Mobile
|
|
★★
|
 |
2024-12-06 12:09:12 |
Detecting Pegasus Infections (lien direct) |
This tool seems to do a pretty good job.
The company's Mobile Threat Hunting feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool regularly checks devices for potential compromise. But the company also offers a free version of the feature for anyone who downloads the iVerify Basics app for $1. These users can walk through steps to generate and send a special diagnostic utility file to iVerify and receive analysis within hours. Free users can use the tool once a month. iVerify's infrastructure is built to be privacy-preserving, but to run the Mobile Threat Hunting feature, users must enter an email address so the company has a way to contact them if a scan turns up spyware, as it did in the seven recent Pegasus discoveries... |
Malware
Tool
Threat
Mobile
|
|
★★★
|
 |
2024-12-06 11:02:31 |
Vigilance.fr - Google Android | Pixel: multiple vulnerabilities of June 2023, analyzed on 06/06/2023 (lien direct) |
An attacker can use several vulnerabilities of Google Android | Pixel.
-
Security Vulnerability |
Vulnerability
Mobile
|
|
★★
|
 |
2024-12-06 11:02:31 |
Vigilance.fr - Google Android | Pixel: multiple vulnerabilities of June 2023, analyzed on 06/06/2023 (lien direct) |
An attacker can use several vulnerabilities of Google Android | Pixel.
-
Vulnerabilities |
Mobile
|
|
★
|
 |
2024-12-05 23:21:01 |
MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur's Multi-Platform Attacks (lien direct) |
## Snapshot
Researchers at Trend Micro have released a report detailing the activities of Earth Minotaur, an unattributed intrusion set with connections to prior Chinese operations.
## Description
Earth Minotaur employs the MOONSHINE exploit kit, a sophisticated framework targeting vulnerabilities in Android instant messaging apps, including WeChat. MOONSHINE, active since 2019 and now operating on over 55 identified servers, has been upgraded to include new exploits and features, such as enhanced evasion techniques.
Earth Minotaur uses MOONSHINE to deliver a cross-platform backdoor called DarkNimbus, which enables extensive surveillance on Android and Windows devices. According to Trend Micro, the attacks primarily target Tibetan and Uyghur communities, exploiting Chromium-based browser vulnerabilities (e.g., [CVE-2020-6418](https://security.microsoft.com/intel-explorer/cves/CVE-2020-6418/), [CVE-2018-17480](https://security.microsoft.com/intel-explorer/cves/CVE-2018-17480/), and [CVE-2018-17463](https://security.microsoft.com/intel-explorer/cves/CVE-2018-17463/), among others) within instant messaging apps to implant malicious code. Social engineering tactics are a key part of Earth Minotaur's campaigns: phishing links are disguised as Chinese travel information, government announcements, news related to religions, news related to Tibetans or Uyghurs, and news related to COVID-19.
Once installed, DarkNimbus grants attackers access to device data, communications, and multimedia. Its Android variant leverages accessibility services for monitoring, while its Windows counterpart uses advanced command-and-control protocols. Trend Micro also highlights the likelihood of MOONSHINE being shared among multiple Chinese-linked threat actors, underscoring the evolving threat posed by such exploit frameworks.
## Microsoft Analysis and Additional OSINT Context
Chinese-linked cyber actors have historically targeted Tibetan and Uyghur communities with sophisticated cyber-espionage campaigns. Groups like [Poison Carp](https://www.cfr.org/cyber-operations/poison-carp) and [Evasive Panda](https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/) have used malware-laden apps, phishing campaigns, and infected websites to infiltrate devices used by these groups. These campaigns can be longstanding. In September 2022, [Check Point Research reported](https://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs/) on a seven-year campaign by Scarlet Mimic to conduct espionage using Android malware against the Uyghur community.
## Recommendations
- Only install applications from trusted sources and official stores.
- If a device is no longer receiving updates, strongly consider replacing it with a new device.
- Use mobile solutions such as [Microsoft Defender for Endpoint on Android](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide) to detect malicious applications.
- Always keep the "Install unknown apps" setting disabled on the Android device to prevent apps from being installed from unknown sources.
## Detections/Hunting Queries
### Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
- [PUA:Win32/Kuping](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=PUA:Win32/Kuping)
- [Trojan:Win32/Wacatac](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Wacatac.B!ml)
- [TrojanSpy:Win32/Hanove](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Hanove!pz)
- [Trojan:Win32/Vindor](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Vindor!pz)
- [Trojan:Win32/ShadowPad](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description |
Malware
Vulnerability
Threat
Mobile
Prediction
|
|
★★
|
 |
2024-12-05 21:28:00 |
This $3,000 Android Trojan Targeting Banks and Cryptocurrency Exchanges (lien direct) |
As many as 77 banking institutions, cryptocurrency exchanges, and national organizations have become the target of a newly discovered Android remote access trojan (RAT) called DroidBot.
"DroidBot is a modern RAT that combines hidden VNC and overlay attack techniques with spyware-like capabilities, such as keylogging and user interface monitoring," Cleafy researchers Simone Mattia, Alessandro |
Mobile
|
|
★★★
|
 |
2024-12-05 20:49:12 |
Trojan-as-a-Service Hits Euro Banks, Crypto Exchanges (lien direct) |
At least 17 affiliate groups have used the "DroidBot" Android banking Trojan against 77 financial services companies across Europe, with more to come, researchers warn. |
Mobile
|
|
★★
|
 |
2024-12-05 19:15:08 |
Top 5 Mobile Security Risks for Enterprises (lien direct) |
>Our blog is sharing the five biggest mobile security threats your business needs to be aware of. |
Mobile
|
|
★★
|
 |
2024-12-05 18:13:00 |
Hackers Target Uyghurs and Tibetans with MOONSHINE Exploit and DarkNimbus Backdoor (lien direct) |
A previously undocumented threat activity cluster dubbed Earth Minotaur is leveraging the MOONSHINE exploit kit and an unreported Android-cum-Windows backdoor called DarkNimbus to facilitate long-term surveillance operations targeting Tibetans and Uyghurs.
"Earth Minotaur uses MOONSHINE to deliver the DarkNimbus backdoor to Android and Windows devices, targeting WeChat, and possibly making it a |
Threat
Mobile
|
|
★★★
|
 |
2024-12-05 17:00:00 |
Android Is Now Using AI to Upgrade Your Phone's Closed Captions (lien direct) |
Google is rolling out new features for Android and Pixel devices, including a new memory capability for Gemini and the ability to generate expressive captions for nonspoken audio elements in videos. |
Mobile
|
|
★★
|
 |
2024-12-05 14:00:00 |
Bridging the Gap: Elevating Red Team Assessments with Application Security Testing (lien direct) |
Written by: Ilyass El Hadi, Louis Dion-Marcil, Charles Prevost
Executive Summary
Whether through a comprehensive Red Team engagement or a targeted external assessment, incorporating application security (AppSec) expertise enables organizations to better simulate the tactics and techniques of modern adversaries. This includes:
Leveraging minimal access for maximum impact: There is no need for high privilege escalation. Red Team objectives can often be achieved with limited access, highlighting the importance of securing all internet-facing assets.
Recognizing the potential of low-impact vulnerabilities through vulnerability chaining: Low- and medium-impact vulnerabilities can be exploited in combination to achieve significant impact.
Developing your own exploits: Skilled adversaries or consultants will invest the time and resources to reverse-engineer and/or find zero-day vulnerabilities in the absence of public proof-of-concept exploits.
Employing diverse skill sets: Red Team members should include individuals with a wide range of expertise, including AppSec.
Fostering collaboration: Combining diverse skill sets can spark creativity and lead to more effective attack simulations.
Integrating AppSec throughout the engagement: Offensive application security contributions can benefit Red Teams at every stage of the project.
By embracing this approach, organizations can proactively defend against a constantly evolving threat landscape, ensuring a more robust and resilient security posture.
Introduction
In today's rapidly evolving threat landscape, organizations find themselves engaged in an ongoing arms race against increasingly sophisticated cyber criminals and nation-state actors. To stay ahead of these adversaries, many organizations turn to Red Team assessments, simulating real-world attacks to expose vulnerabilities before they are exploited. However, many traditional Red Team assessments typically prioritize attacking network and infrastructure components, often overlooking a critical aspect of modern attack surfaces: web applications.
This gap hasn't gone unnoticed by cyber criminals. In recent years, industry reports consistently highlight the evolving trend of attackers exploiting public-facing application vulnerabilities as a primary entry point into organizations. This aligns with Mandiant's observations of common tactics used by threat actors, as observed in our 2024 M-Trends Report |
Tool
Vulnerability
Threat
Studies
Mobile
Prediction
Cloud
Commercial
|
|
★★★
|