What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-08-19 10:07:14 | Les pirates utilisent le certificat de code VPN Provider \\ pour signer des logiciels malveillants Hackers use VPN provider\\'s code certificate to sign malware (lien direct) |
Le groupe APT (Advanced Advanced Persistance Menace) aligné en Chine connu sous le nom de \\ 'Bronze Starlight \' a été vu ciblant l'industrie du jeu d'Asie du Sud-Est avec des logiciels malveillants signés en utilisant un certificat valide utilisé par le fournisseur IVACY VPN.[...]
The China-aligned APT (advanced persistent threat) group known as \'Bronze Starlight\' was seen targeting the Southeast Asian gambling industry with malware signed using a valid certificate used by the Ivacy VPN provider. [...] |
Malware | APT 10 | ★★★ |
 |
2023-05-30 22:00:00 | Rat Seroxen à vendre SeroXen RAT for sale (lien direct) |
This blog was jointly written with Alejandro Prada and Ofer Caspi.
Executive summary
SeroXen is a new Remote Access Trojan (RAT) that showed up in late 2022 and is becoming more popular in 2023. Advertised as a legitimate tool that gives access to your computers undetected, it is being sold for only $30 for a monthly license or $60 for a lifetime bundle, making it accessible.
Key takeaways:
SeroXen is a fileless RAT, performing well at evading detections on static and dynamic analysis.
The malware combines several open-source projects to improve its capabilities. It is a combination of Quasar RAT, r77-rootkit and the command line NirCmd.
Hundreds of samples have shown up since its creation, being most popular in the gaming community. It is only a matter of time before it is used to target companies instead of individual users.
Analysis
Quasar RAT is a legitimate open-source remote administration tool. It is offered on github page to provide user support or employee monitoring. It has been historically associated with malicious activity performed by threat actors, APT groups (like in this Mandiant report from 2017), or government attacks (in this report by Unit42 in 2017).
It was first released in July 2014 as “xRAT” and renamed to “Quasar” in August 2015. Since then, there have been released updates to the code until v1.4.1 in March 2023, which is the most current version. As an open-source RAT tool with updates 9 years after its creation, it is no surprise that it continues to be a common tool used by itself or combined with other payloads by threat actors up to this day.
In a review of the most recent samples, a new Quasar variant was observed by Alien Labs in the wild: SeroXen. This new RAT is a modified branch of the open-source version, adding some modifications features to the original RAT. They’re selling it for monthly or lifetime fee. Figure 1 contains some of the features advertised on their website.
Figure 1. SeroXen features announced on its website.
This new RAT first showed up on a Twitter account, established in September 2022. The person advertising the RAT appeared to be an English-speaking teenager. The same Twitter handle published a review of the RAT on YouTube. The video approached the review from an attacking/Red Team point of view, encouraging people to buy the tool because it is worth the money. They were claiming to be a reseller of the tool.
In December 2022, a specific domain was registered to market/sell the tool, seroxen[.]com. The RAT was distributed via a monthly license for $30 USD or a lifetime license of $60 USD. It was around that time that the malware was first observed in the wild, appearing with 0 detections on VirusTotal.
After a few months, on the 1st of February, the YouTuber CyberSec Zaado published a video alerting the community about the capabilities of the RAT from a defensive perspective. In late February, the RAT was advertised on social media platforms such as TikTok, Twitter, YouTube, and several cracking forums, including hackforums. There were some conversations on gaming forums complaining about being infected by malware after downloading some video games. The artifacts described by the users matched with SeroXen RAT.
The threat actor updated the domain name to seroxen[.]net by the end of March. This domain name was registered on March 27th |
Malware Tool Threat | Uber APT 10 | ★★ |
 |
2023-05-05 12:00:43 | Faire l'authentification plus rapidement que jamais: Passkeys vs mots de passe Making authentication faster than ever: passkeys vs. passwords (lien direct) |
Silvia Convento, Senior UX Researcher and Court Jacinic, Senior UX Content DesignerIn recognition of World Password Day 2023, Google announced its next step toward a passwordless future: passkeys. Passkeys are a new, passwordless authentication method that offer a convenient authentication experience for sites and apps, using just a fingerprint, face scan or other screen lock. They are designed to enhance online security for users. Because they are based on the public key cryptographic protocols that underpin security keys, they are resistant to phishing and other online attacks, making them more secure than SMS, app based one-time passwords and other forms of multi-factor authentication (MFA). And since passkeys are standardized, a single implementation enables a passwordless experience across browsers and operating systems. Passkeys can be used in two different ways: on the same device or from a different device. For example, if you need to sign in to a website on an Android device and you have a passkey stored on that same device, then using it only involves unlocking the phone. On the other hand, if you need to sign in to that website on the Chrome browser on your computer, you simply scan a QR code to connect the phone and computer to use the passkey.The technology behind the former (“same device passkey”) is not new: it was originally developed within the FIDO Alliance and first implemented by Google in August 2019 in select flows. Google and other FIDO members have been working together on enhancing the underlying technology of passkeys over the last few years to improve their usability and convenience. This technology behind passkeys allows users to log in to their account using any form of device-based user verification, such as biometrics or a PIN code. A credential is only registered once on a user\'s personal device, and then the device proves possession of the registered credential to the remote server by asking the user to use their device\'s screen lock. The user\'s biometric, or other screen lock data, is never sent to Google\'s servers - it stays securely stored on the device, and only cryptographic proof that the user has correctly provided it is sent to Google. Passkeys are also created and stored on your devices and are not sent to websites or apps. If you create a passkey on one device the Google Password Manager can make it available on your other devices that are signed into the same system account.Learn more on how passkey works under the hoo | APT 38 APT 15 APT 10 Guam | ★★ | |
 |
2022-11-01 20:45:00 | Chinese Hackers Using New Stealthy Infection Chain to Deploy LODEINFO Malware (lien direct) | The Chinese state-sponsored threat actor known as Stone Panda has been observed employing a new stealthy infection chain in its attacks aimed at Japanese entities. Targets include media, diplomatic, governmental and public sector organizations and think-tanks in Japan, according to twin reports published by Kaspersky. Stone Panda, also called APT10, Bronze Riverside, Cicada, and Potassium, is a | Malware Threat | APT 10 | |
|
2022-10-31 11:34:52 | Hacking group abuses antivirus software to launch LODEINFO malware (lien direct) | The Chinese Cicada hacking group, tracked as APT10, was observed abusing security software to install a new version of the LODEINFO malware against Japanese organizations. [...] | Malware | APT 10 | |
 |
2022-10-31 08:00:54 | APT10: Tracking down LODEINFO 2022, part II (lien direct) | In the second part of this report, we discuss improvements made to the LODEINFO backdoor shellcode in 2022. | APT 10 | ||
|
2022-10-31 08:00:52 | APT10: Tracking down LODEINFO 2022, part I (lien direct) | The first part of this report will provide technical analysis of the new infection methods such as SFX files and DOWNIISSA, a new downloader shellcode used to deploy the LODEINFO backdoor. | APT 10 | ||
 |
2022-10-18 08:41:18 | The benefits of taking an intent-based approach to detecting Business Email Compromise (lien direct) |  By Abhishek Singh.BEC is a multi-stage attack. Adversaries first identify targets, then they establish rapport with the victim before exploiting them for whatever their end goal is. In the case of BEC, a threat actor can impersonate any employee in the organization to trick targets. A policy that checks for authorized email addresses of the sender can prevent BEC attacks. However, scaling the approach for every employee in a large organization is a challenge. Building an executive profile based on email analysis using a machine learning model and scanning emails against that profile will detect BEC. Data collection for building and training machine learning algorithms can take time, though, opening a window of opportunity for threat actors to exploit. Detection of exploitation techniques such as lookalike domains and any differences in the email addresses in the "From" and "Reply-to" fields can also detect BEC messages. However, the final verdict cannot account for the threat actor's intent. The intent-based approach detects BEC and then classifies it into the type of scam. It catches BEC messages, irrespective of whether a threat actor is impersonating a C-level executive or any employee in an organization. Classification based on the type of scam can help identify which segment of an organization was targeted and which employees were being impersonated by the threat actor. The additional information will further assist in better designing preventive features to stop BEC. Business email compromise (BEC) is one of the most financially damaging online crimes. As per the internet crime 221 report, the total loss in 2021 due to BEC is around 2.4 billion dollars. Since 2013, BEC has resulted in a 43 billion dollars loss. The report defines BEC as a scam targeting businesses (not individuals) working with foreign suppliers and companies regularly performing wire transfer payments. Fraudsters carry out these sophisticated scams to conduct the unauthorized transfer of funds. This introduces the challenge of how to detect and block these campaigns as they continue to compromise organizations successfully. There are a variety of approaches to identifying BEC email messages, such as using policy to allow emails from authorized email addresses, detecting exploitation techniques used by threat actors, building profiles by analysis of emails, and validating against the profile to detect BEC. These approaches have a variety of limitations or shortcomings. Cisco Talos is taking a different approach and using an intent-based model to identify and block BEC messages. Before we get too deep into the intent-based model, take a deeper look at the commonly used approaches to block BEC from the simplistic through machine learning (ML) approaches. Policy-based detection The first place to start is with policy-based detection as it is one of the most common and simplistic approaches to blocking BEC campaigns. Let's start by looking at an example of a BEC email. |
Threat Medical Cloud | Yahoo Uber APT 38 APT 37 APT 29 APT 19 APT 15 APT 10 | |
 |
2022-10-04 07:05:05 | Linux Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group (lien direct) | >Researchers link recently discovered Linux ransomware Cheerscrypt to the China-linked cyberespionage group DEV-0401. Researchers at cybersecurity firm Sygnia attributed the recently discovered Linux ransomware Cheerscrypt to the China-linked cyber espionage group Bronze Starlight (aka DEV-0401, APT10) Bronze Starlight, has been active since mid-2021, in June researchers from Secureworks reported that the APT group is deploying […] | Ransomware | APT 10 | |
|
2022-08-18 08:00:00 | Ukraine and the fragility of agriculture security (lien direct) |  By Joe Marshall.The war in Ukraine has had far-reaching global implications and one of the most immediate effects felt will be on the global supply chain for food. This war-induced fragility has exposed the weaknesses of how we feed ourselves globally. Ransomware cartels and other adversaries are well aware of this and are actively exploiting that fragility. For the past six years, Cisco Talos has been actively involved in assisting public and private institutions in Ukraine to defend themselves against state-sponsored actors. Our involvement stretches the gamut from commercial to critical infrastructure, to election security. Our presence has afforded us unique opportunities and observations about cybersecurity in a macro and micro way. Ukraine has been a frequent victim of state-sponsored cyber attacks aimed at critical infrastructures like power and transportation. Talos is proud to stand with our partners in Ukraine and help defend their critical networks and help users there maintain access to necessary services. Now that Russia has invaded Ukraine, those threats have escalated to kinetic attacks that are wreaking havoc on a critical element of our world: agriculture and our global food supply chain. Even worse is the implications this war will have for future cyber attacks, as fragility is considered a lucrative element in deciding victimology by threat actors like ransomware cartels. To truly grasp the implications of the war in Ukraine, we have to examine how vital Ukrainian agriculture feeds the world, the current state of affairs, and what this means for the global cybersecurity posture to protect agricultural assets. Where there is weakness, there is opportunityRansomware cartels and their affiliates are actively targeting the agricultural industry. Moreover, these actors have done their homework and are targeting agricultural companies during the two times of the year where they cannot suffer disruptions: planting and harvesting. Per the published FBI PIN Alert: “Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production.” This is far from unusual for these adversaries - they are shrewd and calculating, and understand their victims' weaknesses and industries. H |
Ransomware Threat Guideline Cloud | NotPetya Uber APT 37 APT 32 APT 28 APT 10 APT 21 Guam | |
 |
2022-08-06 10:46:21 | CISO workshop slides (lien direct) | A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142): | Malware Vulnerability Threat Patching Guideline Medical Cloud | Uber APT 38 APT 37 APT 28 APT 19 APT 15 APT 10 APT 34 Guam | |
|
2022-07-10 13:41:08 | Complexity, simplified (lien direct) | Following its exit from the EU, the UK is having to pick up on various important matters that were previously covered by EU laws and regulations. One such issue is to be addressed through a new law on online safety."Online safety: what's that?" I hear you ask. "Thank you for asking, lady in the blue top over there! Kindly allow me to elaborate ... errrr ..."'Online safety' sounds vaguely on-topic for us and our clients, so having tripped over a mention of this, I went Googling for more information. First stop: the latest amended version of the Online Safety Bill. It is written in extreme legalese, peppered with strange terms defined in excruciating detail, and littered with internal and external cross-references, hardly any of which are hyperlinked e.g. | Guideline | APT 10 | |
|
2022-06-26 13:40:00 | China-linked APT Bronze Starlight deploys ransomware as a smokescreen (lien direct) | >China-linked APT Bronze Starlight is deploying post-intrusion ransomware families as a diversionary action to its cyber espionage operations. Researchers from Secureworks reported that a China-linked APT group, tracked as Bronze Starlight (APT10), is deploying post-intrusion ransomware families to cover up the cyber espionage operations. The experts observed an activity cluster involving post-intrusion ransomware such as […] | Ransomware | APT 10 | |
|
2022-06-24 13:40:08 | The sadly neglected Risk Treatment Plan (lien direct) |  For some curious reason, the Statement of Applicability steals the limelight in the ISO27k world, despite being little more than a formality. Having recently blogged about the dreaded SoA, 'nuff said on that.Today I'm picking up on the SoA's shy little brother, the Risk Treatment Plan. There's a lot to say and think about here, so coffee-up, settle-down, sit forward and zone-in.ISO/IEC 27001 barely even acknowledges the RTP. Here are the first two mentions, tucked discreetly under clause 6.1.3: |
Threat Guideline | APT 19 APT 10 | ★★★★ |
 |
2022-05-03 16:31:00 | Anomali Cyber Watch: Time-to-Ransom Under Four Hours, Mustang Panda Spies on Russia, Ricochet Chollima Sends Goldbackdoor to Journalists, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, LNK files, Malspam, North Korea, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity
(published: April 28, 2022)
ESET researchers found three different teams under China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019. Infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog’s infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs).
Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Inter-Process Communication - T1559 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Process Injection - T1055 | |
Ransomware Malware Tool Vulnerability Threat Guideline Cloud | APT 37 APT 10 APT 10 | |
|
2022-04-05 03:11:07 | Researchers Trace Widespread Espionage Attacks Back to Chinese \'Cicada\' Hackers (lien direct) | A Chinese state-backed advanced persistent threat (APT) group known for singling out Japanese entities has been attributed to a new long-running espionage campaign targeting new geographies, suggesting a "widening" of the threat actor's targeting. The widespread intrusions, which are believed to have commenced at the earliest in mid-2021 and continued as recently as February 2022, have been tied | Threat | APT 10 | |
|
2022-02-22 13:20:44 | China-linked APT10 Target Taiwan\'s financial trading industry (lien direct) | China-linked APT group APT10 (aka Stone Panda, Bronze Riverside) targets Taiwan’s financial trading sector with a supply chain attack. The campaign was launched by the APT10 group started in November 2021, but it hit a peak between 10 and 13 2022, Taiwanese cybersecurity firm CyCraft reported. The group (also known as Cicada, Stone Panda, MenuPass group, […] | APT 10 APT 10 | ||
|
2022-02-22 00:11:01 | Chinese Hackers Target Taiwan\'s Financial Trading Sector with Supply Chain Attack (lien direct) | An advanced persistent threat (APT) group operating with objectives aligned with the Chinese government has been linked to an organized supply chain attack on Taiwan's financial sector. The attacks are said to have first commenced at the end of November 2021, with the intrusions attributed to a threat actor tracked as APT10, also known as Stone Panda, the MenuPass group, and Bronze Riverside, | Threat | APT 10 APT 10 | |
 |
2022-01-18 14:18:17 | Malicious Life Podcast: The Mystery of Cicada 3301 (lien direct) |
"Hello. We are looking for highly intelligent individuals. To find them, we have devised a test…" These words, found in a message posted on 4Chan in January 2012, started a global treasure hunt, with thousands of crypto-puzzle-loving and curious individuals desperately competing with one another to be the first to crack the devilish puzzles created by the mysterious Cicada 3301. Who is Cicada3301, and what are their goals? Check it out… |
APT 10 | ||
|
2021-07-06 15:05:00 | Anomali Cyber Watch: Thousands attacked as REvil ransomware hijacks Kaseya VSA, Leaked Babuk Locker Ransomware Builder Used In New Attacks and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Babuk, IndigoZebra, Ransomware, REvil, Skimmer, Zero-day and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Shutdown Kaseya VSA Servers Now Amidst Cascading REvil Attack Against MSPs, Clients
(published: July 4, 2021)
A severe ransomware attack reportedly took place against the popular remote monitoring and management (RMM) software tool Kaseya VSA. On July 2, 2021, Kaseya urged users to shut down their VSA servers to prevent them from being compromised. The company estimated that fewer than 40 of their customers worldwide were affected, but as some of them were managed service providers (MSPs), over 1,000 businesses were infected. The majority of known victims are in the US with some in Europe (Sweden) and New Zealand. The attackers exploited a zero-day vulnerability in Kaseya’s systems that the company was in the process of fixing. It was part of the administrative interface vulnerabilities in tools for system administration previously identified by Wietse Boonstra, a DIVD researcher. The REvil payload was delivered via Kaseya software using a custom dropper that dropped two files. A dropper opens an old but legitimate copy of Windows Defender (MsMpEng.exe) that then side loads and executes the custom malicious loader's export. The attack coincided with the start of the US Independence Day weekend, and has several politically-charged strings, such as “BlackLivesMatter” Windows registry key and “DTrump4ever” as a password.
Analyst Comment: Kaseya VSA clients should safely follow the company’s recommendations as it advised shutting Kaseya VSA servers down, and is making new security updates available. Every organization should have a ransomware disaster recovery plan even if it is serviced by a managed service provider (MSP).
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] DLL Side-Loading - T1073
Tags: REvil, Sodinokibi, Gandcrab, Leafroller, Kaseya VSA, ransomware, Ransomware-as-a- Service, zero-day, CVE-2021-30116, supply-chain, North America, USA, Sweden, New Zealand, MSP, RMM, schools
IndigoZebra APT Continues To Attack Central Asia With Evolving Tools
(published: July 1, 2021)
Researchers from Check Point have identified the Afghan Government as the latest victim in a cyber espionage campaign by the suspected Chinese group ‘IndigoZebra’. This attack began in April when Afghan National Security Council (NSC) officials began to receive lure emails claiming to be from the President’s secretariat. These emails included a decoy file that would install the backdoor ‘BoxCaon’ on the system before reaching out to the Dropbox API to act as a C&C server. The attacker would then be able to fingerprint the machine and begin accessing files. I |
Ransomware Spam Malware Tool Vulnerability Threat Guideline | APT 19 APT 10 | |
 |
2021-05-30 11:00:00 | I\'m a Cicada. You\'re a Horny Human. We Are Not the Same (lien direct) | People preparing for a post-vax summer are likening themselves to the emerging insects. WIRED commissioned one cicada for its take. | APT 10 | ||
|
2021-05-21 11:00:00 | We Hiked Along With Cicada Biologists So You Don\'t Have To (lien direct) | Researchers only get a chance to study Brood X every 17 years. WIRED came for the ride-and got up close to thousands of hatching cicadas. | APT 10 | ||
|
2021-05-11 11:00:00 | The Cicadas Are Coming. Let\'s Eat Them! (lien direct) | Why not embrace Brood X as the free-range, sustainable source of protein that it truly is? | APT 10 | ★★★ | |
|
2021-04-06 16:57:00 | Anomali Cyber Watch: APT Groups, Data Breach, Malspam, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT10, Charming Kitten, China, Cycldek, Hancitor, Malspam, North Korea, Phishing, TA453, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
The Leap of a Cycldek-Related Threat Actor
(published: April 5, 2021)
A new sophisticated Chinese campaign was observed between June 2020 and January 2021, targeting government, military and other critical industries in Vietnam, and, to lesser extent, in Central Asia and Thailand. This threat actor uses a "DLL side-loading triad" previously mastered by another Chinese group, LuckyMouse: a legitimate executable, a malicious DLL to be sideloaded by it, and an encoded payload, generally dropped from a self-extracting archive. But the code origins of the new malware used on different stages of this campaign point to a different Chinese-speaking group, Cycldek.
Analyst Comment: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: [MITRE ATT&CK] DLL Side-Loading - T1073 | [MITRE ATT&CK] File Deletion - T1107
Tags: Chinese-speaking, Cycldek-related
Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool
(published: April 1, 2021)
Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe or TA511. Initial infection includes target clicking malspam, then clicking on a link in an opened Google Docs page, and finally clicking to enable macros in the downloaded Word document. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. It generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic.
Analyst Comment: Organizations should use email security solutions to block malicious/spam emails. All email attachments should be scanned for malware before they reach the user's inbox. IPS rules need to be configured properly to identify any reconnaissance attempts e.g. port scan to get early indication of potential breach.
MITRE ATT&CK: [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Rundll32 - T1085 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] System Information Discovery - T1082
Tags: Hancitor, Malspam, Cobalt Strike
|
Malware Tool Vulnerability Threat Conference | APT 35 APT 10 | |
|
2021-03-31 01:42:43 | Hackers are implanting multiple backdoors at industrial targets in Japan (lien direct) | Cybersecurity researchers on Tuesday disclosed details of a sophisticated campaign that deploys malicious backdoors for the purpose of exfiltrating information from a number of industry sectors located in Japan.
Dubbed "A41APT" by Kaspersky researchers, the findings delve into a new slew of attacks undertaken by APT10 (aka Stone Panda or Cicada) using previously undocumented malware to deliver |
Malware | APT 10 APT 10 | |
|
2021-03-30 10:00:07 | APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign (lien direct) | A41APT is a long-running campaign with activities detected from March 2019 to the end of December 2020. Most of the discovered malware families are fileless malware and they have not been seen before. | Malware | APT 10 | ★★★★★ |
|
2020-11-18 20:27:53 | China-linked APT10 leverages ZeroLogon exploits in recent attacks (lien direct) | Researchers uncovered a large-scale campaign conducted by China-linked APT10 targeting businesses using the recently-disclosed ZeroLogon vulnerability. Symantec’s Threat Hunter Team, a Broadcom division, uncovered a global campaign conducted by a China-linked APT10 cyber-espionage group targeting businesses using the recently-disclosed ZeroLogon vulnerability. The group, also known as Cicada, Stone Panda, and Cloud Hopper, has been active at […] | Threat | APT 10 | |
|
2020-01-07 14:00:00 | Healthcare cybersecurity for 2020 and beyond (lien direct) |
An independent guest blogger wrote this blog.
These days, effective cybersecurity in healthcare is as critical as ever. Last year, more than 32 million patients had their personal and medical information stolen in data breaches across the United States. While moves are being made, the fact remains that healthcare providers still have many holes to plug when it comes to the illegal or accidental outpouring of patient data.
The issue is that current problems need to be solved now before hackers move on to new, more advanced attack strategies. The good news is that there are many methods currently available to mitigate the chances of data leakage if medical professionals are proactive enough to enforce them.
HIPAA on the front lines
When patients visit the doctor, they expect to go to a safe place where their best interests are always the top priority. To foster that confidence, the Health Insurance Portability and Accountability Act was created to protect patient data while also giving the patients control over who can see their information. Along with HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, encourages medical practices also to ensure that all technology they use is protected to eliminate wrongful data leakage.
Medical records contain an abundance of private information that can be used for any number of malicious means. Full medical records can often go for $1000 on the black market where the addresses, social security numbers, and financial information within can be used to create fake identification or take out large loans that can leave the patient in debt. If a hacker catches wind of a patient’s surgery date, they can even attempt to shut down hospital functions until a ransom is paid, like the $14K one paid by Columbia Surgical Specialists.
For these security reasons and to retain the trust of the patients, proper data security is essential, and it starts on the front lines. Nurse leaders should train their staff on how to retain patient confidentiality properly. When discussing the patients near the front desk, only use first names, and conversations should be had behind a closed door or as quietly as possible. Hard copies of patent data should never be left lying around, and your printer should be set to print pages facing down. The last thing you need is to have security precautions in place but still allow a criminal to simply walk up and take private information out of the office.
Proper record keeping
Because hackers have so much to gain from stealing patient data, proper record-keeping is essential. Per HIPAA, medical records are required to be kept between five to 10 years, based on the state and the patient’s last treatment or discharge. If paperwork is to be discarded, it must be properly shredded. If you keep paper records, they must be stored in locked cabinet |
Threat Guideline | APT 10 | |
 |
2019-09-24 14:54:31 | US Utility Firms Targeted By Spear-phishing Campaign – Comments (lien direct) | It has been reported by Proofpoint that 17 US utility firms have been hit by phishing attacks to install LookBack malware. While no formal attribution has been made, it is suspected that the state-sponsored group APT10 may be behind the attacks. The ISBuzz Post: This Post US Utility Firms Targeted By Spear-phishing Campaign – Comments | APT 10 | ||
 |
2019-07-24 18:24:00 | APT-doxing group exposes APT17 as Jinan bureau of China\'s Security Ministry (lien direct) | Intrusion Truth's previous two exposes -- for APT3 and APT10 -- resulted in DOJ charges. Will this one as well? | APT 17 APT 10 APT 3 | ||
 |
2019-06-28 13:19:00 | Industry Reactions to Nation-State Hacking of Global Telcos (lien direct) | On June 25, 2019, Cybereason reported that hackers, most likely China's state affiliated APT10 group, had comprehensively hacked numerous telecommunications companies around the world. | APT 10 | ||
|
2019-05-28 16:27:04 | New APT10 Activity Detected in Southeast Asia (lien direct) | Researchers have detected what they believe to be new activity from Chinese cyber espionage group, APT10. The activity surfaced in the Philippines and shares similar tactics, techniques, and procedures (TTPs) and code associated with APT10. | APT 10 | ||
|
2019-05-28 05:48:02 | APT10 is back with two new loaders and new versions of known payloads (lien direct) | The APT10 group has added two new malware loaders to its arsenal and used in attacks aimed at government and private organizations in Southeast Asia. In April 2019, China-linked cyber-espionage group tracked as APT10 has added two new loaders to its arsenal and used it against government and private organizations in Southeast Asia. The group […] | Malware | APT 10 | |
|
2019-02-11 21:30:02 | APT10 Targeted Norwegian MSP And US Companies In Sustained Cyber Attack (lien direct) | It has been reported that a Chinese nation-state hacking group known as APT10 has hacked and stolen data from Visma, a Norwegian company that provides cloud-based business software solutions for European companies. The intrusion into Visma’s network took place on August 17, 2018, according to a joint report published today by US cyber-security firms Rapid7 … The ISBuzz Post: This Post APT10 Targeted Norwegian MSP And US Companies In Sustained Cyber Attack | APT 10 | ||
|
2019-02-06 15:01:00 | China hacked Norway\'s Visma cloud software provider (lien direct) | APT10 hacker group breaches Visma cloud provider, a US law firm, and an international apparel company, a report published today says. | APT 10 | ||
|
2019-01-31 17:24:00 | APT10 Group Targets Multiple Sectors, But Seems to Really Love MSSPs (lien direct) |
Threat Actors That Don’t Discriminate
When it comes to threat actors and the malware variants they use, let’s talk dating — or rather, the way people date — because one could argue there are marked similarities between the two. You see, there are criminal groups who have a “type,” i.e. using malware that targets specific industries or even organizations — say, financial services (ever-popular and oh-so debonair) or perhaps critical infrastructure (spicy and daring!), or even healthcare for those who prefer staid and demure. Yet other groups are the free lovin’ types who go after multiple sectors using many different malware variants and approaches to accomplish their goal — no discriminating with this bunch.
Let’s look at one such example, APT10 / Cloud Hopper, which is likely the group behind a long running, sophisticated campaign that uses multiple malware variants to target many different sectors in many different countries. You can check out some of the pulses relating to APT10 / Cloud Hopper on the Open Threat Exchange (OTX).
The U.S. National Cybersecurity and Communications Integration Center (NCCIC) reports the campaign started in May 2016, and NCCIC last updated its alert in December 2018 — so it’s not going away yet.
The group known as APT10 / Cloud Hopper has hit quite a few victims over the last few years in many different sectors, such as: information technology, energy, healthcare and public health, communications, and critical manufacturing. However, their “date of choice” seems to be MSSPs due to the fact a that credential compromises within those networks could potentially be leveraged to access customer environments. From OTX pulse “Operation Cloud Hopper”:
The espionage campaign has targeted managed IT service providers (MSSPs), allowing the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSSPs and their clients globally. This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage – so it’s more important than ever to have a comprehensive view of all the threats your organization might be exposed to, either directly or through your supply chain.
As any clever serial dater would do, APT10 / Cloud Hopper doesn’t use just one approach. The NCCIC reports they have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures — for example, PLUGX / SOGU and REDLEAVES. And although the observed malware is based on existing malware code, APT10 / Cloud Hopper modifies it to improve effectiveness and avoid detection by existing signatures.
How Can APT10 Group Impact You?
If these free lovin’ bad guys decide to come after you, they’re likely looking for your data (perhaps to steal intellectual property). At a high level, they’re accomplishing this by leveraging stolen administrative credentials (local and domain) and certificates to place sophisticated malware implants on critical systems (such as PlugX and Redleaves). Depending on the defensive mitigations in place, they then gain full access to networks and data in a way that appears legitimate to existing your monitoring tools. Voila! They’ve gone from first date to a home run!
Wired Maga |
Malware Vulnerability Threat | APT 10 | |
 |
2019-01-21 16:48:03 | A week in security (January 14 – 20) (lien direct) |
A roundup of last week's security news from January 14 to 20, including APT10, Fallout EK, Colllection 1 data, Youtube challenges, hosting malicious sites and a Fortnite security flaw.
Categories:
Security world
Week in security
Tags: APT10ArsTechnicaBleepingComputerCoinDeskcollection 1cryptopiacve-2019-0543DASFallout EKfortnitegarminGarmin watchhostingHTTPSoregonpowershellPowerShell Team BlogSC Mediashutdowntelegramthreadxyoutube
(Read more...)
|
APT 10 | ||
|
2019-01-16 17:00:00 | The Advanced Persistent Threat files: APT10 (lien direct) |
While security companies are getting good at analyzing the tactics of nation-state threat actors, they still struggle with placing these actions in context and making solid risk assessments. So in this series, we're going to take a look at a few APT groups, and see how they fit into the larger threat landscape-starting with APT10.
Categories:
Cybercrime
Hacking
Tags: advanced persistent threatadvanced persistent threatsaerospaceAPTAPT10APTschinaChinese Ministry of State SecurityconstructionengineeringFireEyeMSSPlugXPoison Ivyscanboxsogutelecomsthreat actors
(Read more...)
|
Threat | APT 10 | |
|
2018-12-21 15:51:02 | Industry Reactions to U.S. Charging APT10 Hackers: Feedback Friday (lien direct) | The United States, United Kingdom, Canada, Australia, New Zealand and Japan have pointed the finger at China for sophisticated cyberattacks launched by a threat group known as APT10 against organizations around the world. The U.S. | Threat | APT 10 | |
|
2018-12-21 15:44:05 | Five other countries formally accuse China of APT10 hacking spree (lien direct) | Australia, Canada, Japan, New Zealand, and the UK also point the finger at the Beijing government. Germany expected as well. | APT 10 | ||
|
2018-12-21 09:55:03 | Historic APT10 Cyber Espionage Group Breached Systems in Over 12 Countries (lien direct) | A well-known hacking group linked with China's intelligence and security agency has been pilfering secrets for over a decade from organizations in at least 12 countries, from a diverse range of industries. [...] | APT 10 | ||
|
2018-12-21 07:24:01 | \'Five Eyes\' Nations Blame China for APT10 Attacks (lien direct) | The United States, United Kingdom, Canada, Australia and New Zealand officially blamed China on Thursday for the cyberattacks launched by a threat group known as APT10 against organizations around the world. | Threat | APT 10 | |
|
2018-12-20 23:45:03 | US Indicts Two Chinese Government Hackers Over Global Hacking Campaign (lien direct) | The US Department of Justice on Thursday charged two Chinese hackers associated with the Chinese government for hacking numerous companies and government agencies in a dozen countries.
The Chinese nationals, Zhu Hua (known online as Afwar, CVNX, Alayos and Godkiller) and Zhang Shilong (known online as Baobeilong, Zhang Jianguo and Atreexp), are believed to be members of a state-sponsored
|
APT 10 | ||
 |
2018-12-20 19:38:02 | U.S. Indicts China-Backed Duo for Massive, Years-Long Spy Campaign (lien direct) | The homeland security implications are significant: the two, working with Beijing-backed APT10, allegedly stole sensitive data from orgs like the Navy and NASA. | APT 10 | ||
|
2018-12-20 16:38:00 | US charges two Chinese nationals for hacking cloud providers, NASA, the US Navy (lien direct) | The two Chinese nationals were members of the infamous APT10 cyber-espionage group, DOJ said. | APT 10 | ||
|
2018-10-03 17:00:00 | DHS aware of ongoing APT attacks on cloud service providers (lien direct) | Attacks most likely linked to APT10, a Chinese cyber-espionage group, also known as Red Apollo, Stone Panda, POTASSIUM, or MenuPass. | APT 10 | ||
|
2018-09-15 08:34:01 | China-linked APT10 group behind new attacks on the Japanese media sector (lien direct) | Recently researchers from FireEye uncovered and blocked a campaign powered by the Chinese APT10 cyber espionage group aimed at Japanese media sector In July, security researchers from FireEye uncovered and blocked a campaign carried out by Chinese APT10 group (aka Menupass, and Stone Panda) aimed at Japanese media sector. Experts noticed the group since around […] | APT 10 | ||
|
2018-09-14 17:23:01 | China-linked APT10 Hackers Update Attack Techniques (lien direct) | Recently attacks launched by the China-linked threat actor APT10 against the Japanese media sector revealed the use of updated tactics, techniques and procedures (TTPs), FireEye says. | Threat | APT 10 | |
 |
2018-09-13 11:00:00 | APT10 ciblant les sociétés japonaises à l'aide de TTPS mis à jour APT10 Targeting Japanese Corporations Using Updated TTPs (lien direct) |
Introduction
En juillet 2018, les appareils FireEye ont détecté et bloqué ce qui semble être une activité APT10 (Menupass) ciblant le secteur des médias japonais.APT10 est un groupe de cyber-espionnage chinois que Fireeye a suivi depuis 2009, et ils ont une histoire de ciblant les entités japonaises .
Dans cette campagne, le groupe a envoyé des e-mails de phishing de lance contenant des documents malveillants qui ont conduit à l'installation de la porte dérobée Uppercut.Cette porte dérobée est bien connue dans la communauté de la sécurité comme Anel , et il venait en bêta ou en RC (candidat à la libération) jusqu'à récemment.Une partie de cet article de blog discutera du
Introduction In July 2018, FireEye devices detected and blocked what appears to be APT10 (Menupass) activity targeting the Japanese media sector. APT10 is a Chinese cyber espionage group that FireEye has tracked since 2009, and they have a history of targeting Japanese entities. In this campaign, the group sent spear phishing emails containing malicious documents that led to the installation of the UPPERCUT backdoor. This backdoor is well-known in the security community as ANEL, and it used to come in beta or RC (release candidate) until recently. Part of this blog post will discuss the |
Technical | APT 10 APT 10 | ★★★★ |
|
2018-09-03 12:49:03 | APT10 Under Close Scrutiny as Potentially Linked to Chinese Ministry of State Security (lien direct) | An advanced threat actor has been associated with China's Ministry of State Security via two individuals and a Chinese firm. | Threat | APT 10 |
To see everything:
Our RSS (filtrered)
