What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
ArsTechnica.webp 2021-05-04 16:45:45 Researchers raise bats in helium-rich air to check how they sense sound Bats seem to have an innate sense of the speed of sound, and can't adjust it. APT 17
The_Hackers_News.webp 2021-04-19 04:20:51 Passwordless: More Mirage Than Reality The concept of "passwordless" authentication has been gaining significant industry and media attention. And for a good reason. Our digital lives are demanding an ever-increasing number of online accounts and services, with security best practices dictating that each requires a strong, unique password in order to ensure data stays safe. Who wouldn't want an easier way? That's the premise behind APT 15 APT 15
Anomali.webp 2021-04-06 16:57:00 Anomali Cyber Watch: APT Groups, Data Breach, Malspam, and More The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT10, Charming Kitten, China, Cycldek, Hancitor, Malspam, North Korea, Phishing, TA453, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence The Leap of a Cycldek-Related Threat Actor (published: April 5, 2021) A new sophisticated Chinese campaign was observed between June 2020 and January 2021, targeting government, military and other critical industries in Vietnam, and, to a lesser extent, in Central Asia and Thailand. This threat actor uses a "DLL side-loading triad" previously mastered by another Chinese group, LuckyMouse: a legitimate executable, a malicious DLL to be sideloaded by it, and an encoded payload, generally dropped from a self-extracting archive. But the code origins of the new malware used in different stages of this campaign point to a different Chinese-speaking group, Cycldek. Analyst Comment: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). MITRE ATT&CK: [MITRE ATT&CK] DLL Side-Loading - T1073 | [MITRE ATT&CK] File Deletion - T1107 Tags: Chinese-speaking, Cycldek-related Hancitor's Use of Cobalt Strike and a Noisy Network Ping Tool (published: April 1, 2021) Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe or TA511.
Initial infection involves the target clicking on malspam, then clicking on a link in an opened Google Docs page, and finally clicking to enable macros in the downloaded Word document. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. It generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic. Analyst Comment: Organizations should use email security solutions to block malicious/spam emails. All email attachments should be scanned for malware before they reach the user's inbox. IPS rules need to be configured properly to identify any reconnaissance attempts (e.g. port scans) to get an early indication of a potential breach. MITRE ATT&CK: [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Rundll32 - T1085 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] System Information Discovery - T1082 Tags: Hancitor, Malspam, Cobalt Strike Malware Tool Vulnerability Threat Conference APT 35 APT 10
The_Hackers_News.webp 2021-03-31 01:42:43 Hackers are implanting multiple backdoors at industrial targets in Japan Cybersecurity researchers on Tuesday disclosed details of a sophisticated campaign that deploys malicious backdoors for the purpose of exfiltrating information from a number of industry sectors located in Japan. Dubbed "A41APT" by Kaspersky researchers, the findings delve into a new slew of attacks undertaken by APT10 (aka Stone Panda or Cicada) using previously undocumented malware to deliver Malware APT 10 APT 10
SecureList.webp 2021-03-30 10:00:07 APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign A41APT is a long-running campaign with activities detected from March 2019 to the end of December 2020. Most of the discovered malware families are fileless malware and they have not been seen before. Malware APT 10
The_Hackers_News.webp 2021-03-10 08:31:56 Researchers Unveil New Linux Malware Linked to Chinese Hackers Cybersecurity researchers on Wednesday shed light on a new sophisticated backdoor targeting Linux endpoints and servers that's believed to be the work of Chinese nation-state actors. Dubbed "RedXOR" by Intezer, the backdoor masquerades as a polkit daemon, with similarities found between the malware and those previously associated with the Winnti Umbrella (or Axiom) threat group such as PWNLNX, Malware Threat APT 17
Pirate.webp 2021-03-05 11:15:25 Cybersecurity: the French fear for their online identity The pandemic comes at a time when concerns about security are growing. Last November, the Cigref had already sent a letter to the Prime Minister to convey the concern of large French companies and public administrations about the increase, in number and intensity, of cyberattacks. The post "Cybersecurity: the French fear for their online identity" first appeared on UnderNews. APT 15
TroyHunt.webp 2021-01-27 20:11:25 Unstable helium adds a limit on the ongoing saga of the proton's size Putting a muon in orbit around a helium nucleus gives us measurements that make sense. APT 17
TroyHunt.webp 2021-01-20 17:00:09 Paramount+ will replace CBS All Access on March 4 The service combines CBS, MTV, BET, Paramount, Nickelodeon, and more. APT 15
01net.webp 2020-12-15 11:01:00 18,000 companies and organisations downloaded the backdoor of Putin's hackers The scale of the infection orchestrated by APT19, alias Cozy Bear, is certainly enormous, but that does not mean that all of the victims were actually compromised. APT 29 APT 19
Cybereason.webp 2020-12-07 20:46:46 Ever Evolving: Katie Nickels on Incident Response in a Remote World We spent some time with Katie Nickels - current Director of Intelligence at Red Canary and formerly MITRE ATT&CK Threat Intelligence Lead - to discuss applied threat intelligence, prioritizing threats for impact, and working incident response in remote environments - check it out... Threat Guideline APT 15
SecurityAffairs.webp 2020-11-18 20:27:53 China-linked APT10 leverages ZeroLogon exploits in recent attacks Researchers uncovered a large-scale campaign conducted by China-linked APT10 targeting businesses using the recently-disclosed ZeroLogon vulnerability. Symantec's Threat Hunter Team, a Broadcom division, uncovered a global campaign conducted by a China-linked APT10 cyber-espionage group targeting businesses using the recently-disclosed ZeroLogon vulnerability. The group, also known as Cicada, Stone Panda, and Cloud Hopper, has been active at […] Threat APT 10
Anomali.webp 2020-09-29 14:00:00 Weekly Threat Briefing: Federal Agency Breach, Exploits, Malware, and Spyware The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Cyber Espionage, FinSpy, Magento, Taurus Project and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence German-made FinSpy Spyware Found in Egypt, and Mac and Linux Versions Revealed (published: September 25, 2020) Security researchers from Amnesty International have identified new variants of FinSpy, spyware that can access private data and record audio/video. While marketed as a law enforcement tool, authoritarian governments have been using FinSpy to spy on activists and dissidents. Spreading through fake Flash Player updates, the malware is installed as root with the use of exploits, and persistence is gained by creating a logind.pslist file. Once a system is infected with the malware, it has the ability to run shell scripts, record audio, log keystrokes, view network information, and list files. Samples of FinSpy have been found for macOS, Windows, Android, and Linux. Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from threat actors, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Logon Scripts - T1037 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 Tags: Amnesty, Android, Backdoor, Linux, macOS, FinSpy, Spyware Magento Credit Card Stealing Malware: gstaticapi (published: September 25, 2020) Security researchers at Sucuri have identified a malicious script, dubbed "gstaticapi," that is designed to steal payment information from Magento-based websites. The script first attempts to find the "checkout" string in the web browser URL and, if found, will create an element in the web page's header. This allows the JavaScript to handle external code-loading capabilities that are used to process the theft of billing and payment card information. Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Data Encoding - T1132 T Data Breach Malware Vulnerability Threat APT 19
WiredThreatLevel.webp 2020-09-09 14:00:00 How to Calculate How Many Helium Balloons David Blaine Needed I'm not saying you should float yourself up into the air, but if you wanted to, you need to take pressure, density, and a few other things into account. APT 17
no_ico.webp 2020-07-13 09:07:16 Security Expert Re: New WordPress RCE Exploit (CVSS Score 10.0) Webmasters who use the WordPress plugin Adning Advertising are urged to patch against a critical vulnerability that is reportedly being exploited in the wild. Exploitation of the flaw enables an unauthenticated attacker to upload arbitrary files, leading to remote code execution (RCE) and potentially a full site takeover. Such is the flaw's seriousness, MITRE has assigned … Vulnerability Guideline APT 19
Pirate.webp 2020-07-06 19:09:32 Axiom – Pen-Testing Server For Collecting Bug Bounties Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty, basically a pen-testing server out of the box in one line. With Axiom, you just need to run a single command to get set up, and then you can use the Axiom toolkit scripts to spin up and down your new hacking VPS. Setting up your own 'hacking VPS', to catch shells, run enumeration tools, scan, and let things run in the background in a tmux window, used to be an afternoon project – running into a whole day sometimes if you hit some package issues or 'dependency hell'. APT 17
bleepingcomputer.webp 2020-07-02 12:11:14 Researchers link APT15 hackers to Chinese military company Researchers have linked the APT15 hacking group known for Android spyware apps to a Chinese military company, Xi'an Tian He Defense Technology Co. Ltd. [...] APT 15
ZDNet.webp 2020-07-02 01:25:33 Connection discovered between Chinese hacker group APT15 and defense contractor Lookout said it linked APT15 malware to Xi'an Tianhe Defense Technology, a Chinese defense contractor. Malware APT 15
RedTeam.pl.webp 2020-06-18 22:10:28 Spear-phishing campaign tricks users to transfer money (TTPs & IOC) We are publishing the following information in order to help organisations identify this threat before attackers perform successful phishing on their employees. Attackers are targeting companies which have foreign trading partners, including in Asia, to perform a wire transfer to a wrong bank account number. We found that domains registered using the muhammad.appleseed1@mail.ru e-mail address are actively used in a spear-phishing campaign that aims to trick targets into transferring money into bank accounts controlled by the attacker using social engineering. The most likely attack scenario looks like the following: There is an ongoing e-mail communication between company X and Y. An attacker has gained access to an e-mail account of one of the parties Threat Guideline APT 15
SecurityAffairs.webp 2020-05-28 07:51:22 Ke3chang hacking group adds new Ketrum malware to its arsenal The Ke3chang hacking group added a new malware dubbed Ketrum to its arsenal; it borrows portions of code and features from older backdoors. The Ke3chang hacking group (aka APT15, Vixen Panda, Playful Dragon, and Royal APT) has developed new malware dubbed Ketrum by borrowing parts of the source code and features from their older Ketrican and […] Malware APT 15 APT 25
bleepingcomputer.webp 2020-05-26 11:22:03 Hacking group builds new Ketrum malware from recycled backdoors The Ke3chang hacking group, historically believed to be operating out of China, has developed new malware dubbed Ketrum by merging features and source code from their older Ketrican and Okrum backdoors. [...] Malware APT 15 APT 25
no_ico.webp 2020-03-19 11:35:31 Experts Insight On NutriBullet.com Magecart Attack Researchers have uncovered a Magecart Group 8 attack against blender vendor NutriBullet that installed credit card stealing malware on the company's website. Security experts provide insight into this attack. Malware APT 17
NoticeBored.webp 2020-01-22 09:00:00 NBlog Jan 22 - further lessons from Travelex At the bottom of a Travelex update on their incident, I spotted this yesterday: Customer Precautions. Based on the public attention this incident has received, individuals may try to take advantage of it and attempt some common e-mail or telephone scams. Increased awareness and vigilance are key to detecting and preventing this type of activity. As a precaution, if you receive a call from someone claiming to be from Travelex that you are not expecting or you are unsure about the identity of a caller, you should end the call and call back on 0345 872 7627. If you have any questions or believe you have received a suspicious e-mail or telephone call, please do not hesitate to contact us. Although I am not personally aware of any such 'e-mail or telephone scams', Travelex would know better than me - and anyway even if there have been no scams as yet, the warning makes sense: there is indeed a known risk of scammers exploiting major, well-publicised incidents such as this. We've seen it before, such as fake charity scams taking advantage of the public reaction to natural disasters such as the New Orleans floods, and - who knows - maybe the Australian bushfires. At the same time, this infosec geek is idly wondering whether the Travelex warning message and web page are legitimate. It is conceivable that the cyber-criminals and hackers behind the ransomware incident may still have control of the Travelex domains, webservers and/or websites, perhaps all their corporate comms including the Travelex Twitter feeds and maybe even the switchboard behind that 0345 number. I'm waffling on about corporate identity theft, flowing on from the original incident. I appreciate the scenario I'm postulating seems unlikely but bear with me and my professional paranoia for a moment. Let's explore the hypot Ransomware Malware Patching Guideline APT 15
ZDNet.webp 2020-01-17 13:10:22 WordPress plugin vulnerability can be exploited for total website takeover The "easily exploitable" bug in WP Database Reset has serious consequences for webmasters. Vulnerability APT 19
AlienVault.webp 2020-01-07 14:00:00 Healthcare cybersecurity for 2020 and beyond An independent guest blogger wrote this blog. These days, effective cybersecurity in healthcare is as critical as ever. Last year, more than 32 million patients had their personal and medical information stolen in data breaches across the United States. While moves are being made, the fact remains that healthcare providers still have many holes to plug when it comes to the illegal or accidental outpouring of patient data. The issue is that current problems need to be solved now before hackers move on to new, more advanced attack strategies. The good news is that there are many methods currently available to mitigate the chances of data leakage if medical professionals are proactive enough to enforce them. HIPAA on the front lines When patients visit the doctor, they expect to go to a safe place where their best interests are always the top priority. To foster that confidence, the Health Insurance Portability and Accountability Act was created to protect patient data while also giving the patients control over who can see their information. Along with HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act encourages medical practices to ensure that all technology they use is protected to eliminate wrongful data leakage. Medical records contain an abundance of private information that can be used for any number of malicious means. Full medical records can often go for $1000 on the black market, where the addresses, social security numbers, and financial information within can be used to create fake identification or take out large loans that can leave the patient in debt. If a hacker catches wind of a patient's surgery date, they can even attempt to shut down hospital functions until a ransom is paid, like the $14K one paid by Columbia Surgical Specialists.
For these security reasons and to retain the trust of the patients, proper data security is essential, and it starts on the front lines. Nurse leaders should train their staff on how to retain patient confidentiality properly. When discussing the patients near the front desk, only use first names, and conversations should be had behind a closed door or as quietly as possible. Hard copies of patient data should never be left lying around, and your printer should be set to print pages facing down. The last thing you need is to have security precautions in place but still allow a criminal to simply walk up and take private information out of the office. Proper record keeping Because hackers have so much to gain from stealing patient data, proper record-keeping is essential. Per HIPAA, medical records are required to be kept between five to 10 years, based on the state and the patient's last treatment or discharge. If paperwork is to be discarded, it must be properly shredded. If you keep paper records, they must be stored in locked cabinet Threat Guideline APT 10
NoticeBored.webp 2019-12-22 13:14:31 NBlog Dec 22 - zero-based risk assessment In a thread on the ISO27k Forum, Ed Hodgson said: "There are many security controls we have already implemented that already manage risk to an acceptable level e.g. my building has a roof which helps ensure my papers don't get wet, soggy and illegible. But I don't tend to include the risk of papers getting damaged by rain in my risk assessment". Should we consider or ignore our existing information security controls when assessing information risks for an ISO27k ISMS? That question took me back to the origins of ISO27k, pre-BS7799 even. As I recall, Donn Parker originally suggested a standard laying out typical or commonplace controls providing a security baseline, a generally-applicable foundation or bedrock of basic or fundamental controls. The idea was to bypass the trivial justification for baseline controls: simply get on with implementing them, saving thinking-time and brain-power to consider the need for additional controls where the baseline controls are insufficient to mitigate the risks. [I'm hazy on the details now: that was ~30 years ago after all.] I have previously used and still have a soft-spot for the baseline concept … and yet it's no easier to define a generic baseline today than it was way back then. In deciding how to go about information risk analysis, should we: Go right back to basics and assume there are no controls at APT 17
AlienVault.webp 2019-11-18 14:00:00 How website security and SEO are intimately connected Learning how to optimize your website can be a challenge. At one time, it was only about figuring out what Google wanted, which was largely keywords. Now, it's much more complex. Google is focused on not only delivering high-quality, relevant search results, but also on protecting people from malware and unscrupulous websites. Not only that, a hack of your website by others can give Google false information that directly impacts your rankings. That's why it's vital for your website to have strong web security if you want to do well in SEO. How security can directly impact SEO Hacks, or attempts at hacks, can keep Google's bots from accessing your site and assessing your content and keywords. Your server may report missing pages to Google because of a web scraper or hacker impacting your website. Why would someone hack your site? Usually it's to do back-door SEO. For instance, a hacker wants to put a link on your site, or add a web page. Sometimes they even target your domain and redirect it to another site altogether. Sucuri has an excellent example of a common hack they see on WordPress sites. These hacks make your website look like an untrustworthy page, or may even draw penalties from Google that cause your site to be blacklisted. Sometimes, no matter how much effort you put into SEO, failures in cybersecurity can drastically impact how Google sees your site, therefore also impacting your place in the SERPs. The First Step in Security to Boost SEO One of the first things you need to do to protect your website and boost your Google ranking is to install HTTPS. Google named this security protocol a ranking signal several years ago, so it's obvious that your SEO results will be tied to it. You'll need to make sure you have a proper certificate and allow indexing so that Google can still read your website. However, this is only the beginning.
An HTTPS setup does not secure a website; it only secures the connection and encrypts data in transit. That means that communication between your server and the web browser a visitor is using is protected and data sent over it, like a credit card number used for a purchase, cannot be read by a third party on the network. Other Important Security Steps Information security, or keeping your stored data secure, is another important part of keeping your website secure and helping it rank well, and the good news is that this security requires the same vigilance that SEO does. As a result, you can monitor both simultaneously. Platform Security Be sure you've chosen a good web host that has strong security on their end. Use security software or plugins as appropriate. For smaller websites using WordPress, you can use Wordfence, iThemes Security, or Bulletproof Security, for example. Overall, you want plugins that address the known security issues in the platform you use. All websites can also benefit from using SiteLock, which not only closes security loopholes but also monitors your website daily for malware, viruses, and more. Secure Passwords Believe it or not, the Malware Hack APT 19
TechRepublic.webp 2019-11-07 17:00:15 Helium activates wireless network for IoT devices in more than 425 US cities Designed to connect Internet of Things devices over a long distance, Helium's network of hotspots uses peer-to-peer sharing and rewards adopters with cryptocurrency. APT 17
no_ico.webp 2019-09-24 14:54:31 US Utility Firms Targeted By Spear-phishing Campaign – Comments It has been reported by Proofpoint that 17 US utility firms have been hit by phishing attacks to install LookBack malware. While no formal attribution has been made, it is suspected that the state-sponsored group APT10 may be behind the attacks. APT 10
RedTeam.pl.webp 2019-08-14 21:45:48 Threat hunting using DNS firewalls and data enrichment After seeing a few advertisements about DNS firewalls and how expensive they are, I want to share my experience with blue teamers about how DNS firewalls work and how that knowledge can be used for in-house threat hunting solutions and/or building your own DNS firewall (aka do it yourself). These are examples of an approach to detect malicious behaviour, not tailor-made solutions. At the beginning I would like to highlight that it's a good practice to monitor not only logs but also DNS traffic in real time. Such traffic isn't encrypted, and if you only check DNS server logs then you can miss direct requests to other DNS servers. Additionally you can also use the recently published version of Sysmon [https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon] which supports DNS queries in event ID 22 (DNSEvent). The DNS queries used below that end with Spam Malware Threat Guideline APT 18
AlienVault.webp 2019-07-25 13:00:00 Can you trust threat intelligence from threat sharing communities? | AT&T ThreatTraq Every week the AT&T Chief Security Office produces a series called ThreatTraq with helpful information and news commentary for InfoSec practitioners and researchers. I really enjoy them; you can subscribe to the YouTube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Jaime Blasco, VP and Chief Scientist, AlienVault, Stan Nurilov, Lead Member of Technical Staff, AT&T, and Joe Harten, Director Technical Security. Stan: Jaime. I think you have a very interesting topic today about threat intelligence. Jaime: Yes, we want to talk about how threat intelligence is critical for threat detection and incident response, but then when this threat intelligence and the threat actors try to match those indicators and that information that is being shared, it can actually be bad for companies. So we are going to share some of the experiences we have had with managing the Open Threat Exchange (OTX) - one of the biggest threat sharing communities out there. Stan: Jaime mentioned that they have so many threat indicators and so much threat intelligence as part of OTX, the platform. Jaime: We know attackers monitor these platforms and are adjusting tactics and techniques and probably the infrastructure based on public reaction to cyber security companies sharing their activities in blog posts and other reporting. An example is in September 2017, we saw APT28, and it became harder to track because we were using some of the infrastructure and some of the techniques that were publicly known. And another cyber security company published content about that and then APT28 became much more difficult to track. The other example is APT1. If you remember the APT1 report in 2013 that Mandiant published, that made the group basically disappear from the face of the earth, right?
We didn't see them for a while and then they changed the infrastructure and they changed a lot of the tools that they were using, and then they came back in 2014. So we can see that that threat actor disappeared for a while, changed and rebuilt, and then they came back. We also know that attackers can try to publish false information in this platform, so that's why it's important that not only those platforms are automated, but also there are human analysts that can verify that information. Joe: It seems like you have to have a process of validating the intelligence, right? I think part of it is you don't want to take this intelligence at face value without having some expertise of your own that asks, is this valid? Is this a false positive? Is this planted by the adversary in order to throw off the scent? I think it's one of those things where you can't automatically trust threat intelligence. You have to do some of your own diligence to validate the intelligence, make sure it makes sense, make sure it's still fresh, it's still good. This is something we're working on internally - creating those other layers to validate and create better value of our threat intelligence. Jaime: The other issue I wanted to bring to the table is what we call false flag operations - that's when an adversary or a threat actor studies another threat actor and tries to emulate their behavior. So when companies try to do at Malware Threat Studies Guideline APT 38 APT 28 APT 1
ZDNet.webp 2019-07-24 18:24:00 APT-doxing group exposes APT17 as Jinan bureau of China's Security Ministry Intrusion Truth's previous two exposés -- for APT3 and APT10 -- resulted in DOJ charges. Will this one as well? APT 17 APT 10 APT 3
SecurityAffairs.webp 2019-07-24 03:07:00 (Déjà vu) China-Linked APT15 group is using a previously undocumented backdoor ESET researchers reported that China-linked cyberespionage group APT15 has been using a previously undocumented backdoor for more than two years. Security researchers at ESET reported that China-linked threat actor APT15 (aka Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) has been using a previously undocumented backdoor for more than two years. APT15 has been active […] Threat APT 15 APT 25
SecurityWeek.webp 2019-07-23 14:31:00 China-Linked Threat Actor Using New Backdoor The China-linked threat actor known as APT15 has been using a previously undocumented backdoor for more than two years, ESET's security researchers have discovered. Threat APT 15
MalwarebytesLabs.webp 2019-07-22 15:50:03 A week in security (July 15 – 21) A roundup of cybersecurity news from July 15–21, including the Zoom camera vulnerability, Extenbro, Sodinokibi, Magecart, and cybersecurity challenges facing the education sector. Categories: A week in security APT 15 APT 25
itsecurityguru.webp 2019-07-19 14:35:01 Malware that waits for three mouse clicks before running. An elusive hacking operation is using a previously unreported backdoor in a malware campaign targeting diplomats and government departments around the world. The Ke3chang advanced persistent threat group is thought to operate out of China and has conducted cyber-espionage campaigns using remote access trojans and other malware since at least 2010. Now cybersecurity researchers at ESET have identified […] Malware Threat APT 15 APT 25
ESET.webp 2019-07-18 09:30:01 Okrum: Ke3chang group targets diplomatic missions (direct link) Tracking the malicious activities of the elusive Ke3chang APT group, ESET researchers have discovered new versions of malware families linked to the group, and a previously unreported backdoor. Malware APT 15 APT 25
bleepingcomputer.webp 2019-07-18 07:03:00 New Okrum Malware Used by Ke3chang Group to Target Diplomats (direct link) Updated malware implants and a new backdoor named Okrum connected with the Ke3chang threat group operating from China have been found by ESET researchers while monitoring their operations between 2015 and 2019. [...] Malware Threat APT 15 APT 25
Blog.webp 2019-07-01 08:00:07 Reference: TaoSecurity News (direct link) I started speaking publicly about digital security in 2000. I used to provide this information on my Web site, but since I don't keep that page up-to-date anymore, I decided to publish it here. 2017 Mr. Bejtlich led a podcast titled Threat Hunting: Past, Present, and Future, in early July 2017. He interviewed four of the original six GE-CIRT incident handlers. The audio is posted on YouTube. Thank you to Sqrrl for making the reunion possible. Mr. Bejtlich's latest book was inducted into the Cybersecurity Canon. Mr. Bejtlich is doing limited security consulting. See this blog post for details. 2016 Mr. Bejtlich organized and hosted the Management track (now "Executive track") at the 7th annual Mandiant MIRCon (now "FireEye Cyber Defense Summit") on 29-30 November 2016. Mr. Bejtlich delivered the keynote to the 2016 Air Force Senior Leaders Orientation Conference at Joint Base Andrews on 29 July 2016. Mr. Bejtlich delivered the keynote to the FireEye Cyber Defense Live Tokyo event in Tokyo on 12 July 2016. Mr. Bejtlich delivered the keynote to the New Zealand Cyber Security Summit in Auckland on 6 May 2016. Mr. Bejtlich delivered the keynote to the Lexpo Summit in Amsterdam on 21 April 2016. Video posted here. Mr. Bejtlich discussed cyber security campaigns at the 2016 War Studies Cumberland Lodge Conference near London on 30 March 2016. Mr. Bejtlich offered a guest lecture to the Wilson Center Congressional Cybersecurity Lab on 5 February 2016. Mr. Bejtlich delivered the keynote to the SANS Cyber Threat Intelligence Summit on 4 February 2016. Slides and video available. 2015 Mr. Bejtlich spoke on a panel at the DefenseOne Summit on 2 November 2015. Mr. Bejtlich spoke on a panel at the AEI Internet Strategy event on 27 October 2015. Mr. Bejtlich organized and hosted the Management track at the 6th annual Mandiant MIRCon on 13-14 October 2015. Mr. Bejtlich testified to the House Foreign Affairs Committee on 7 October 2015. Mr. Bejtlich testified to the House Armed Services Committee on 30 September 2015. Mr. Bejtlich delivered a keynote at the 2015 Army Cyber Institute Cyber Talks on 22 September 2015 in Washington, DC. Mr. Bejtlich delivered a keynote at the 2015 Security Onion Conference on 11 September 2015 in Augusta, GA. Mr. Bejtlich delivered a keynote at the 2015 World Services Group Conference on 10 S Guideline APT 1
SecurityWeek.webp 2019-06-28 13:19:00 Industry Reactions to Nation-State Hacking of Global Telcos (direct link) On June 25, 2019, Cybereason reported that hackers, most likely China's state-affiliated APT10 group, had comprehensively hacked numerous telecommunications companies around the world. APT 10
Blog.webp 2019-06-26 08:43:01 MY TAKE: Let's not lose sight of why Iran is pushing back with military, cyber strikes (direct link) It is not often that I hear details about the cyber ops capabilities of the USA or UK discussed at the cybersecurity conferences I attend. Related: We're in the golden age of cyber spying Despite the hush-hush nature of Western cyber ops, it is axiomatic in technology and intelligence circles that the USA and UK […] APT 17
SecurityWeek.webp 2019-05-28 16:27:04 New APT10 Activity Detected in Southeast Asia (direct link) Researchers have detected what they believe to be new activity from the Chinese cyber espionage group APT10. The activity surfaced in the Philippines and shares similar tactics, techniques, and procedures (TTPs) and code associated with APT10. APT 10
SecurityAffairs.webp 2019-05-28 05:48:02 APT10 is back with two new loaders and new versions of known payloads (direct link) The APT10 group has added two new malware loaders to its arsenal and used them in attacks aimed at government and private organizations in Southeast Asia. In April 2019, the China-linked cyber-espionage group tracked as APT10 added two new loaders to its arsenal and used them against government and private organizations in Southeast Asia. The group […] Malware APT 10
DataSecurityBreach.webp 2019-05-12 16:08:00 Equifax: the hack at more than 1.4 billion in losses (direct link) Computer hacking has a real cost that is hard to quantify, since the ramifications that attach to it are not discovered overnight. One example is the 2017 hack of the bank Equifax. Two years after the intrusion, the bill keeps growing. Computer hacking is already psychologically hard to […] Equifax APT 15
AlienVault.webp 2019-04-18 13:00:00 Ethical hacking as a post-graduation opportunity (direct link) The world of cybersecurity is an ever-changing one of constant preemptive preparation, where companies are forced to hunt for any kinks in their defenses to ensure that they're as protected as possible. Working as an ethical hacker allows information technology graduates to come into the job market and aid companies in finding those kinks so that they can remain safe in a world of increasing cybercrime. As the world of cybersecurity grows more linked with everyday life, it's important to know what awaits those entering this job market. Great pay: Ethical hacking is a skilled trade, reserved for those who know their way around design and programming. The average salary for ethical hacking spans a wide range, between $24,760 and $132,322. There are also many freelancing opportunities for one-time or part-time positions, which can offer multiple opportunities and flexible pay. For graduates looking to deal with school loans or simply wishing to jumpstart their finances, the high ceiling of earning averages provides an excellent opportunity. Rapid growth: Ethical hacking is one of the fastest-growing areas for information technology graduates, if for no other reason than demand. The increasingly connected Internet of Things is forcing companies to have a powerful online presence, which then needs to be defended. As more and more companies become connected to the internet, the need for ethical hackers to test their defenses increases as well. In fact, the United States Bureau of Labor Statistics expects information security analysts, a category which includes ethical hackers, to see job growth of as much as 28% from 2016 to 2026. This is four times the job growth that other sectors expect to see, which sits around 7%. The job growth for ethical hacking is due to the increased need for online security, and means that graduates entering the field can expect a surplus of available positions. Additionally, the constant growth of jobs equates to more job options, as graduates are likely to always be able to find another position if the need arises. Increasing skill sets: Graduates are likely to have focused on one or two subjects during their collegiate career. Ethical hacking provides an excellent way to diversify the skills one has learned, as well as providing opportunities to grow in acclaim. Many ethical hacking positions may require brief training courses that end with the ethical hacker being rewarded with certification and verification of skills. While often optional, this is highly recommended, as certified ethical hacking professionals earn significantly more than their non-certified peers. Ultimately, many experts believe ethical hacking will be one of the most prominent fields of information security analysis in the future. Ethical hac APT 15
WiredThreatLevel.webp 2019-03-15 11:00:00 This Guy Predicted Society's Thirst for Internet Fame-in 1999 (direct link) Early dot-com millionaire Josh Harris spent his fortune on a series of lurid social experiments to prove his point that people didn't want just 15 minutes of fame in their lives. They wanted it every day. APT 15
zataz.webp 2019-03-10 00:12:05 Good search rankings to counter hackers? (direct link) While browsing your favourite sites, what a surprise to discover, in place of your preferred portal, counterfeit goods for sale. Pirate sites which, if webmasters are not careful, turn into disruptors of sites' official search rankings ... The article "Good search rankings to counter hackers?" first appeared on ZATAZ. APT 19
no_ico.webp 2019-02-11 21:30:02 APT10 Targeted Norwegian MSP And US Companies In Sustained Cyber Attack (direct link) It has been reported that a Chinese nation-state hacking group known as APT10 has hacked and stolen data from Visma, a Norwegian company that provides cloud-based business software solutions for European companies. The intrusion into Visma's network took place on August 17, 2018, according to a joint report published today by US cyber-security firms Rapid7 … APT 10
ZDNet.webp 2019-02-06 15:01:00 China hacked Norway's Visma cloud software provider (direct link) APT10 hacker group breaches Visma cloud provider, a US law firm, and an international apparel company, a report published today says. APT 10
AlienVault.webp 2019-01-31 17:24:00 APT10 Group Targets Multiple Sectors, But Seems to Really Love MSSPs (direct link) Threat Actors That Don't Discriminate When it comes to threat actors and the malware variants they use, let's talk dating — or rather, the way people date — because one could argue there are marked similarities between the two. You see, there are criminal groups who have a "type," i.e. using malware that targets specific industries or even organizations — say, financial services (ever-popular and oh-so debonair) or perhaps critical infrastructure (spicy and daring!), or even healthcare for those who prefer staid and demure. Yet other groups are the free lovin' types who go after multiple sectors using many different malware variants and approaches to accomplish their goal — no discriminating with this bunch. Let's look at one such example, APT10 / Cloud Hopper, which is likely the group behind a long-running, sophisticated campaign that uses multiple malware variants to target many different sectors in many different countries. You can check out some of the pulses relating to APT10 / Cloud Hopper on the Open Threat Exchange (OTX). The U.S. National Cybersecurity and Communications Integration Center (NCCIC) reports the campaign started in May 2016, and NCCIC last updated its alert in December 2018 — so it's not going away yet. The group known as APT10 / Cloud Hopper has hit quite a few victims over the last few years in many different sectors, such as: information technology, energy, healthcare and public health, communications, and critical manufacturing. However, their "date of choice" seems to be MSSPs, due to the fact that credential compromises within those networks could potentially be leveraged to access customer environments. From OTX pulse "Operation Cloud Hopper": The espionage campaign has targeted managed IT service providers (MSSPs), allowing the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSSPs and their clients globally. This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage – so it's more important than ever to have a comprehensive view of all the threats your organization might be exposed to, either directly or through your supply chain. As any clever serial dater would do, APT10 / Cloud Hopper doesn't use just one approach. The NCCIC reports they have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures — for example, PLUGX / SOGU and REDLEAVES. And although the observed malware is based on existing malware code, APT10 / Cloud Hopper modifies it to improve effectiveness and avoid detection by existing signatures. How Can APT10 Group Impact You? If these free lovin' bad guys decide to come after you, they're likely looking for your data (perhaps to steal intellectual property). At a high level, they're accomplishing this by leveraging stolen administrative credentials (local and domain) and certificates to place sophisticated malware implants on critical systems (such as PlugX and Redleaves). Depending on the defensive mitigations in place, they then gain full access to networks and data in a way that appears legitimate to your existing monitoring tools. Voila! They've gone from first date to a home run! Wired Maga Malware Vulnerability Threat APT 10
Last update at: 2024-05-12 20:08:35