What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-10-24 08:07:41 | Cloud de confiance : la vision environnementale du Cigref (lien direct) | Le Cigref a retravaillé le volet " environnement " de son référentiel du cloud de confiance. Comment se présente-t-il désormais ? | Cloud | APT 15 | ★★ |
|
2023-10-20 10:19:43 | Métiers IT – Scrum Master : fonction, formation et salaire (lien direct) | Le Scrum Master anime une équipe pluridisciplinaire, composé de développeurs et de product owners, et met en oeuvre les pratiques Scrum pour développer un projet IT. | APT 15 | ★★ | |
 |
2023-10-10 20:05:50 | L'acteur de la triade de la triade saliss Smishing Triad Threat Actor Sets Its Sights on the UAE (lien direct) |
Resesecurity avertit que l'acteur de la triade de smirage a «largement élargi son empreinte d'attaque» aux Émirats arabes unis (EAU).
Resecurity warns that the Smishing Triad threat actor has “vastly expanded its attack footprint” in the United Arab Emirates (UAE). |
Threat | APT 15 | ★★★ |
 |
2023-09-01 13:43:32 | Un groupe d\'espionnage aligné avec les intérêts chinois usurpant Signal et Telegram (lien direct) | Des chercheurs identifient deux campagnes actives ciblant les utilisateurs d’Android. L'acteur opérant ces outils d'espionnage pour Telegram et Signal sont attribués au groupe APT GREF, aligné sur les intérêts de la Chine. Très probablement actives depuis juillet 2020 et depuis juillet 2022, respectivement pour chaque application malveillante, les campagnes ont distribué le code d’espionnage Android … Continue reading Un groupe d'espionnage aligné avec les intérêts chinois usurpant Signal et Telegram | Tool | APT 15 | ★★★ |
 |
2023-08-31 09:18:59 | ESET découvre un groupe d\'espionnage aligné avec les intérêts chinois usurpant les applications Signal et Telegram (lien direct) | ESET découvre un groupe d'espionnage aligné avec les intérêts chinois usurpant les applications Signal et Telegram Télémétrie ESET pour les applications trojanisées. ● ESET Research a découvert des applications Signal et Telegram trojanisées pour Android, nommées Signal Plus Messenger et FlyGram, sur Google Play et Samsung Galaxy Store ; les deux applications ont ensuite été supprimées de Google Play. ● Signal Plus Messenger représente le premier cas documenté d'espionnage des communications Signal en liant secrètement et automatiquement l'appareil compromis à l'appareil Signal de l'attaquant. ● Le code malveillant trouvé dans ces applications est attribué à la famille de logiciels malveillants BadBazaar, qui a été utilisée dans le passé par un groupe APT aligné sur les intérêts de la Chine, nommé GREF. ● Des milliers d'utilisateurs ont téléchargé les applications d'espionnage. La télémétrie d'ESET a signalé des détections sur des appareils Android dans plusieurs pays de l'UE, aux États-Unis, en Ukraine et dans d'autres endroits du monde. ● Le malware BadBazaar a déjà été utilisé pour cibler les Ouïghours et d'autres minorités ethniques turques. Le malware FlyGram a également été vu partagé dans un groupe Telegram ouïghour, ce qui correspond au ciblage précédent de la famille de logiciels malveillants BadBazaar. - Malwares | Malware | APT 15 | ★★ |
 |
2023-08-30 19:13:00 | Les logiciels espions Android BadBazaar liés à la Chine ciblant les utilisateurs de signaux et de télégrammes China-Linked BadBazaar Android Spyware Targeting Signal and Telegram Users (lien direct) |
Des chercheurs en cybersécurité ont découvert des applications Android malveillantes pour Signal et Telegram distribuées via le Google Play Store et le Samsung Galaxy Store, conçues pour diffuser le logiciel espion BadBazaar sur les appareils infectés.
La société slovaque ESET a attribué la campagne à un acteur lié à la Chine appelé GREF.
"Très probablement actives respectivement depuis juillet 2020 et depuis juillet 2022, les campagnes
Cybersecurity researchers have discovered malicious Android apps for Signal and Telegram distributed via the Google Play Store and Samsung Galaxy Store that are engineered to deliver the BadBazaar spyware on infected devices. Slovakian company ESET attributed the campaign to a China-linked actor called GREF. "Most likely active since July 2020 and since July 2022, respectively, the campaigns |
APT 15 APT 15 | ★★ | |
 |
2023-08-30 16:00:00 | Le groupe chinois APT GREF utilise BadBazaar pour l'espionnage Android Chinese APT Group GREF Use BadBazaar in Android Espionage (lien direct) |
ESET a déclaré que BadBazaar était disponible via le Google Play Store, le Samsung Galaxy Store et divers sites d'applications.
ESET said BadBazaar was available via the Google Play Store, Samsung Galaxy Store and various app sites |
APT 15 APT 15 | ★★★ | |
 |
2023-08-30 11:16:48 | Les applications Trojanized Signal et Telegram sur Google Play ont livré des logiciels espions Trojanized Signal and Telegram apps on Google Play delivered spyware (lien direct) |
Des applications de chevaux de Troie Signal et Telegram contenant le logiciel espion BadBazaar ont été téléchargées sur Google Play et Samsung Galaxy Store par un groupe de piratage APT chinois connu sous le nom de GREF.[...]
Trojanized Signal and Telegram apps containing the BadBazaar spyware were uploaded onto Google Play and Samsung Galaxy Store by a Chinese APT hacking group known as GREF. [...] |
APT 15 | ★★★ | |
 |
2023-08-30 09:30:18 | L'outil d'espionnage Badbazaar cible les utilisateurs d'Android via des applications de signaux et de télégrammes trojanisés BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps (lien direct) |
Les chercheurs de l'ESET ont découvert des campagnes actives liées au groupe APT aligné par la Chine connu sous le nom de GREF, distribuant un code d'espionnage qui a déjà ciblé les Ouïghours
ESET researchers have discovered active campaigns linked to the China-aligned APT group known as GREF, distributing espionage code that has previously targeted Uyghurs |
Tool | APT 15 | ★★ |
 |
2023-08-16 06:46:45 | Rapport de tendance des menaces sur les groupes APT & # 8211;Juin 2023 Threat Trend Report on APT Groups – June 2023 (lien direct) |
Tendances du groupe APT & # 8211;Juin 2023 1) Andariel 2) APT28 3) Cadet Blizzard (Dev-0586) 4) Camaro Dragon 5) Chicheau charmant (Mint Sandstorm) 6) Gamaredon (Shuckworm) 7) Ke3Chang (Apt15, Nickel) 8) Kimsuky 9) Lazarus 10) Eau boueuse 11) Mustang Panda 12) Oceanlotus 13) Patchwork (éléphant blanc) 14) REd Eyes (APT37) 15) Sharp Panda 16) Sidecopy 17) Soldat Stealth ATIP_2023_JUN_THREAT Rapport de tendance sur les groupes APT
APT Group Trends – June 2023 1) Andariel 2) APT28 3) Cadet Blizzard (DEV-0586) 4) Camaro Dragon 5) Charming Kitten (Mint Sandstorm) 6) Gamaredon (Shuckworm) 7) Ke3chang (APT15, Nickel) 8) Kimsuky 9) Lazarus 10) Muddy Water 11) Mustang Panda 12) OceanLotus 13) Patchwork (White Elephant) 14) Red Eyes (APT37) 15) Sharp Panda 16) SideCopy 17) Stealth Soldier ATIP_2023_Jun_Threat Trend Report on APT Groups |
Threat Prediction | APT 38 APT 37 APT 37 APT 35 APT 35 APT 32 APT 32 APT 28 APT 28 APT 15 APT 15 APT 25 | ★★ |
 |
2023-08-02 10:00:00 | Code Mirage: Comment les cybercriminels exploitent le code halluciné AI pour les machinations malveillantes Code Mirage: How cyber criminals harness AI-hallucinated code for malicious machinations (lien direct) |
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Introduction:
The landscape of cybercrime continues to evolve, and cybercriminals are constantly seeking new methods to compromise software projects and systems. In a disconcerting development, cybercriminals are now capitalizing on AI-generated unpublished package names also known as “AI-Hallucinated packages” to publish malicious packages under commonly hallucinated package names. It should be noted that artificial hallucination is not a new phenomenon as discussed in [3]. This article sheds light on this emerging threat, wherein unsuspecting developers inadvertently introduce malicious packages into their projects through the code generated by AI.
AI-hallucinations:
Artificial intelligence (AI) hallucinations, as described [2], refer to confident responses generated by AI systems that lack justification based on their training data. Similar to human psychological hallucinations, AI hallucinations involve the AI system providing information or responses that are not supported by the available data. However, in the context of AI, hallucinations are associated with unjustified responses or beliefs rather than false percepts. This phenomenon gained attention around 2022 with the introduction of large language models like ChatGPT, where users observed instances of seemingly random but plausible-sounding falsehoods being generated. By 2023, it was acknowledged that frequent hallucinations in AI systems posed a significant challenge for the field of language models.
The exploitative process:
Cybercriminals begin by deliberately publishing malicious packages under commonly hallucinated names produced by large language machines (LLMs) such as ChatGPT within trusted repositories. These package names closely resemble legitimate and widely used libraries or utilities, such as the legitimate package ‘arangojs’ vs the hallucinated package ‘arangodb’ as shown in the research done by Vulcan [1].
The trap unfolds:
When developers, unaware of the malicious intent, utilize AI-based tools or large language models (LLMs) to generate code snippets for their projects, they inadvertently can fall into a trap. The AI-generated code snippets can include imaginary unpublished libraries, enabling cybercriminals to publish commonly used AI-generated imaginary package names. As a result, developers unknowingly import malicious packages into their projects, introducing vulnerabilities, backdoors, or other malicious functionalities that compromise the security and integrity of the software and possibly other projects.
Implications for developers:
The exploitation of AI-generated hallucinated package names poses significant risks to developers and their projects. Here are some key implications:
Trusting familiar package names: Developers commonly rely on package names they recognize to introduce code snippets into their projects. The presence of malicious packages under commonly hallucinated names makes it increasingly difficult to distinguish between legitimate and malicious options when relying on the trust from AI generated code.
Blind trust in AI-generated code: Many develo |
Tool | APT 15 ChatGPT ChatGPT | ★★★ |
|
2023-07-19 16:09:41 | IA générative : les tuyaux du Cigref (lien direct) | Fournisseurs, développeurs, sous-traitants, utilisateurs finaux... Le Cigref a compilé quelques observations sur le sujet de l'IA générative. | APT 15 | ★★★ | |
|
2023-07-07 16:00:00 | L'utilisateur de Twitter expose la fuite de données nickelodeon Twitter User Exposes Nickelodeon Data Leak (lien direct) |
Les rapports sur les réseaux sociaux suggèrent qu'une personne prétendument vide environ 500 Go de fichiers d'animation
Social media reports suggest an individual allegedly dumped approximately 500GB of animation files |
APT 15 | ★★ | |
 |
2023-07-06 22:45:12 | Nickelodeon sonde les affirmations de fuite de données massives alors que les fans de Bob éponge se réjouissent Nickelodeon probes claims of massive data leak as SpongeBob fans rejoice (lien direct) |
TV Network \'s Attorneys \\ 'Sur un Rampage DMCA \' ... êtes-vous sûr que vous êtes prêt, les enfants? Nickelodeon dit qu'il a sondé les affirmations que "Des décennies "Matériel a été volée et a divulgué en ligne.Cela suit des rapports sur les réseaux sociaux selon lesquels quelqu'un avait jeté 500 Go de fichiers d'animation arrachés.L'hilarité, et de nombreux mèmes de squarepants d'éponge, ont suivi.…
TV network\'s attorneys \'on a DMCA rampage\' ... are you sure you\'re ready, kids? Nickelodeon says it is probing claims that "decades old" material was stolen from it and leaked online. This follows reports on social media that someone had dumped 500GB of snatched animation files. Hilarity, and many SpongeBob SquarePants memes, ensued.… |
APT 15 | ★★ | |
 |
2023-07-06 19:11:00 | Nickelodeon dit que certaines des données prétendument volées \\ 'semble avoir des décennies \\' Nickelodeon says some of allegedly stolen data \\'appears to be decades old\\' (lien direct) |
Le géant de la télévision des enfants, Nickelodeon, a déclaré qu'il enquêtait sur une violation présumée après que les pirates aient prétendu avoir volé 500 Go de données.Pendant des jours, les experts en cybersécurité ont averti que pirates partagent des documents volés du réseau qui comprenait des fuites du département d'animation Nickellodeon.Certaines des informations auraient remonté des décennies.[Captures d'écran du
Children\'s television giant Nickelodeon said it is investigating an alleged breach after hackers claimed to have stolen 500 GB of data. For days, cybersecurity experts have warned that hackers are sharing stolen documents from the network that included leaks from the Nickelodeon animation department. Some of the information allegedly dates back decades. [Screenshots of the |
APT 15 | ★★ | |
|
2023-07-06 11:03:36 | Nickelodeon enquête sur la violation après la fuite de \\ 'DÉCÉSION \\' DONNÉES Nickelodeon investigates breach after leak of \\'decades old\\' data (lien direct) |
Nickelodeon a confirmé que les données divulguées à partir d'une violation présumée de l'entreprise étaient légitimes, mais elle semble avoir des décennies.[...]
Nickelodeon has confirmed that the data leaked from an alleged breach of the company is legitimate but it appears to be decades old. [...] |
APT 15 | ★★ | |
|
2023-06-27 13:00:00 | Cyberheistnews Vol 13 # 26 [Eyes Open] La FTC révèle les cinq dernières escroqueries par SMS CyberheistNews Vol 13 #26 [Eyes Open] The FTC Reveals the Latest Top Five Text Message Scams (lien direct) |
CyberheistNews Vol 13 #26 | June 27th, 2023
[Eyes Open] The FTC Reveals the Latest Top Five Text Message Scams
The U.S. Federal Trade Commission (FTC) has published a data spotlight outlining the most common text message scams. Phony bank fraud prevention alerts were the most common type of text scam last year. "Reports about texts impersonating banks are up nearly tenfold since 2019 with median reported individual losses of $3,000 last year," the report says.
These are the top five text scams reported by the FTC:
Copycat bank fraud prevention alerts
Bogus "gifts" that can cost you
Fake package delivery problems
Phony job offers
Not-really-from-Amazon security alerts
"People get a text supposedly from a bank asking them to call a number ASAP about suspicious activity or to reply YES or NO to verify whether a transaction was authorized. If they reply, they\'ll get a call from a phony \'fraud department\' claiming they want to \'help get your money back.\' What they really want to do is make unauthorized transfers.
"What\'s more, they may ask for personal information like Social Security numbers, setting people up for possible identity theft."
Fake gift card offers took second place, followed by phony package delivery problems. "Scammers understand how our shopping habits have changed and have updated their sleazy tactics accordingly," the FTC says. "People may get a text pretending to be from the U.S. Postal Service, FedEx, or UPS claiming there\'s a problem with a delivery.
"The text links to a convincing-looking – but utterly bogus – website that asks for a credit card number to cover a small \'redelivery fee.\'"
Scammers also target job seekers with bogus job offers in an attempt to steal their money and personal information. "With workplaces in transition, some scammers are using texts to perpetrate old-school forms of fraud – for example, fake \'mystery shopper\' jobs or bogus money-making offers for driving around with cars wrapped in ads," the report says.
"Other texts target people who post their resumes on employment websites. They claim to offer jobs and even send job seekers checks, usually with instructions to send some of the money to a different address for materials, training, or the like. By the time the check bounces, the person\'s money – and the phony \'employer\' – are long gone."
Finally, scammers impersonate Amazon and send fake security alerts to trick victims into sending money. "People may get what looks like a message from \'Amazon,\' asking to verify a big-ticket order they didn\'t place," the FTC says. "Concerned |
Ransomware Spam Malware Hack Tool Threat | FedEx APT 28 APT 15 ChatGPT ChatGPT | ★★ |
 |
2023-06-23 21:30:46 | CISOS de plus en plus préoccupés par les menaces mobiles CISOs Increasingly Concerned About Mobile Threats (lien direct) |
> Un nouvel avertissement de Verizon de la montée en puissance des smirs, des messages texte et des escroqueries par texte et du FBI signalent 10,3 milliards de dollars de fraude sur Internet l'année dernière, les CISO sont de plus en plus préoccupés par les menaces mobiles ciblant les employés et l'impact sur leur organisation.La montée en puissance du smirage, des messages texte de spam et des escroqueries par texte.Dans une enquête récente [& # 8230;]
Le post CISOS de plus en plus préoccupé par les menaces mobiles : //slashnext.com "> slashnext .
>A new warning from Verizon about the rise of smishing, spam text messages and text scams and the FBI reporting $10.3 billion in internet fraud last year, CISOs are increasingly concerned about mobile threats targeting employees and the impact to their organization. The rise of smishing, spam text messages and text scams. In recent survey […] The post CISOs Increasingly Concerned About Mobile Threats first appeared on SlashNext. |
Spam | APT 15 | ★★ |
 |
2023-06-21 21:35:00 | L'APT15 chinois de 20 ans trouve une nouvelle vie dans les attaques du ministère des Affaires étrangères 20-Year-Old Chinese APT15 Finds New Life in Foreign Ministry Attacks (lien direct) |
Le célèbre APT15 a utilisé des outils de logiciels malveillants communs et une porte dérobée "graphique" personnalisée de troisième génération pour poursuivre ses exploits de collecte d'informations, cette fois contre les ministères étrangères.
The notorious APT15 used common malware tools and a third-generation custom "Graphican" backdoor to continue its information gathering exploits, this time against foreign ministries. |
Malware | APT 15 APT 15 | ★★ |
|
2023-06-21 17:13:00 | Le groupe de piratage expérimenté en Chine a un nouvel outil de porte dérobée, disent les chercheurs Experienced China-based hacking group has new backdoor tool, researchers say (lien direct) |
Le groupe de cyber-espionnage chinois connu sous le nom de nickel ou APT15 a utilisé une porte dérobée auparavant invisible pour attaquer mercredi des ministères des affaires étrangères en Amérique centrale et du Sud.Dans la campagne qui s'est déroulée de la fin de 2022 au début de 2023, les pirates ont ciblé un département des finances du gouvernement et une société anonyme ainsi que les affaires étrangères
The Chinese cyber-espionage group known as Nickel or APT15 used a previously unseen backdoor to attack ministries of foreign affairs in Central and South America, researchers reported Wednesday. In the campaign that ran from late 2022 into early 2023, hackers targeted a government finance department and an unnamed corporation as well as the foreign affairs |
APT 15 APT 15 | ★★ | |
|
2023-06-21 06:00:00 | Les pirates chinois APT15 refont surface avec de nouveaux logiciels malveillants graphiques Chinese APT15 hackers resurface with new Graphican malware (lien direct) |
Le groupe de piratage chinois parrainé par l'État suivi comme APT15 a été observé à l'aide d'une nouvelle porte dédominale nommée \\ 'graphican \' dans une nouvelle campagne entre la fin 2022 et le début de 2023. [...]
The Chinese state-sponsored hacking group tracked as APT15 has been observed using a novel backdoor named \'Graphican\' in a new campaign between late 2022 and early 2023. [...] |
Malware | APT 15 APT 15 | ★★★ |
|
2023-06-20 08:37:46 | Quelques clés d\'analyse de la performance des DSI (lien direct) | Avec quelques exemples à l'appui, dont celui de la SNCF, le Cigref fournit des pistes pour l'évaluation de la performance des DSI. | APT 15 | ★★★ | |
|
2023-05-29 09:42:08 | RSE et projets IT : le Cigref pousse un outil de scoring (lien direct) | À partir d'un modèle émanant d'Enedis, le Cigref propose un outil d'évaluation a priori des projets informatiques. | APT 15 | ★★★ | |
 |
2023-05-17 07:28:14 | Release: Harita Group (510 GB) (lien direct) | Courriels du conglomérat indonésien impliqué dans le nickel, le charbon et l'exploitation minière de bauxite, les fonderies de ferronickel, les raffineries d'alumine, l'exploitation forestière et les plantations d'huile de palme.
Emails from the Indonesian conglomerate involved in nickel, coal, and bauxite mining, ferronickel smelters, alumina refineries, logging, and palm oil plantations. |
APT 15 | ★★ | |
 |
2023-05-05 12:00:43 | Faire l'authentification plus rapidement que jamais: Passkeys vs mots de passe Making authentication faster than ever: passkeys vs. passwords (lien direct) |
Silvia Convento, Senior UX Researcher and Court Jacinic, Senior UX Content DesignerIn recognition of World Password Day 2023, Google announced its next step toward a passwordless future: passkeys. Passkeys are a new, passwordless authentication method that offer a convenient authentication experience for sites and apps, using just a fingerprint, face scan or other screen lock. They are designed to enhance online security for users. Because they are based on the public key cryptographic protocols that underpin security keys, they are resistant to phishing and other online attacks, making them more secure than SMS, app based one-time passwords and other forms of multi-factor authentication (MFA). And since passkeys are standardized, a single implementation enables a passwordless experience across browsers and operating systems. Passkeys can be used in two different ways: on the same device or from a different device. For example, if you need to sign in to a website on an Android device and you have a passkey stored on that same device, then using it only involves unlocking the phone. On the other hand, if you need to sign in to that website on the Chrome browser on your computer, you simply scan a QR code to connect the phone and computer to use the passkey.The technology behind the former (“same device passkey”) is not new: it was originally developed within the FIDO Alliance and first implemented by Google in August 2019 in select flows. Google and other FIDO members have been working together on enhancing the underlying technology of passkeys over the last few years to improve their usability and convenience. This technology behind passkeys allows users to log in to their account using any form of device-based user verification, such as biometrics or a PIN code. A credential is only registered once on a user\'s personal device, and then the device proves possession of the registered credential to the remote server by asking the user to use their device\'s screen lock. The user\'s biometric, or other screen lock data, is never sent to Google\'s servers - it stays securely stored on the device, and only cryptographic proof that the user has correctly provided it is sent to Google. Passkeys are also created and stored on your devices and are not sent to websites or apps. If you create a passkey on one device the Google Password Manager can make it available on your other devices that are signed into the same system account.Learn more on how passkey works under the hoo | APT 38 APT 15 APT 10 Guam | ★★ | |
 |
2023-04-26 16:11:23 | Microsoft reconnaît Katie Nickels pour son impact sur la communauté de la sécurité Microsoft recognizes Katie Nickels for her impact on the security community (lien direct) |
Microsoft a décerné au directeur des opérations de renseignement de Red Canary \\ son prix de la sécurité du Changemaker de Security lors de ses prix d'excellence en matière de sécurité 2023.
Microsoft has awarded Red Canary\'s Director of Intelligence Operations its Security Changemaker award at its 2023 Security Excellence Awards. |
APT 15 | ★★ | |
|
2023-04-12 23:37:00 | Une attaque de ransomwares qui a forcé un comté de New York à retour à la plume et au papier a commencé en 2021, dit officiel Ransomware attack that forced a New York county back to pen and paper began in 2021, official says (lien direct) |
Le comté de Suffolk de New York a conclu une enquête sur une attaque de ransomware déstabilisatrice qui a forcé les travailleurs du gouvernement à s'appuyer sur des télécopies et des archives papier, découvrant des déficiences marquantes dans les pratiques de cybersécurité du greffier du comté.Steven Bellone du comté de Suffolk [a tenu une conférence de presse] (https://www.facebook.com/stevebellone/videos/550329996987344/) mercredi pour dévoiler les résultats de l'enquête médico-légale sur le septembre
New York\'s Suffolk County has concluded an investigation into a destabilizing ransomware attack that forced government workers to rely on fax machines and paper records, discovering stark deficiencies in the county clerk\'s cybersecurity practices. Suffolk County Executive Steven Bellone [held a press conference](https://www.facebook.com/SteveBellone/videos/550329996987344/) Wednesday to unveil the findings of the forensic investigation into the September |
Ransomware | APT 15 | ★★ |
|
2023-02-22 16:34:23 | Gestion de crise cyber : l\'approche du Cigref en 7 chiffres (lien direct) | Communication, remédiation, gestion des équipes... Voici quelques-unes des recommandations que le Cigref fournit en matière de gestion de crise cyber. | APT 15 | ★★★ | |
|
2023-02-20 16:33:54 | Métiers IT : " la technologie a besoin de femmes " (lien direct) | Femmes@Numérique, Cigref et d'autres formulent 14 propositions issues des Assises nationales de la féminisation des métiers et filières numérique. | APT 15 | ★★ | |
|
2023-02-17 17:00:00 | EU Cybersecurity Agency Warns Against Chinese APTs (lien direct) | The document directly mentions APT27, APT30, APT31, Ke3chang, Gallium and Mustang Panda | APT 30 APT 27 APT 15 APT 25 APT 31 | ★★ | |
|
2023-02-17 08:29:11 | Fortinet enrichit son offre de services et de formations pour aider les équipes SOC à mieux anticiper et déjouer les cybermenaces (lien direct) | Fortinet enrichit son offre de services et de formations pour aider les équipes SOC à mieux anticiper et déjouer les cybermenaces L'approche pluridisciplinaire de Fortinet reflète l'engagement de l'éditeur à pallier le déficit de compétences en cybersécurité - Formations des Instituts privés et public | APT 15 | ★★ | |
 |
2023-01-24 16:30:00 | Anomali Cyber Watch: Roaming Mantis Changes DNS on Wi-Fi Routers, Hook Android Banking Trojan Has Device Take-Over Capabilities, Ke3chang Targeted Iran with Updated Turian Backdoor (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Banking trojans, DNS hijacking, China, Infostealers, Malvertising, Phishing, and Smishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Roaming Mantis Implements New DNS Changer in Its Malicious Mobile App in 2022
(published: January 19, 2023)
In December 2022, a financially-motivated group dubbed Roaming Mantis (Shaoye) continued targeting mobile users with malicious landing pages. iOS users were redirected to phishing pages, while Android users were provided with malicious APK files detected as XLoader (Wroba, Moqhao). Japan, Austria, France, and Germany were the most targeted for XLoader downloads (in that order). All but one targeted country had smishing as an initial vector. In South Korea, Roaming Mantis implemented a new DNS changer function. XLoader-infected Android devices were targeting specific Wi-Fi routers used mostly in South Korea. The malware would compromise routers with default credentials and change the DNS settings to serve malicious landing pages from legitimate domains.
Analyst Comment: The XLoader DNS changer function is especially dangerous in the context of free/public Wi-Fi that serve many devices. Install anti-virus software for your mobile device. Users should be cautious when receiving messages with a link or unwarranted prompts to install software.
MITRE ATT&CK: [MITRE ATT&CK] T1078.001 - Valid Accounts: Default Accounts | [MITRE ATT&CK] T1584 - Compromise Infrastructure
Tags: actor:Roaming Mantis, actor:Shaoye, file-type:APK, detection:Wroba, detection:Moqhao, detection:XLoader, malware-type:Trojan-Dropper, DNS changer, Wi-Fi routers, ipTIME, EFM Networks, Title router, DNS hijacking, Malicious app, Smishing, South Korea, target-country:KR, Japan, target-country:JP, Austria, target-country:AT, France, target-country:FR, Germany, target-country:DE, VK, Mobile, Android
Hook: a New Ermac Fork with RAT Capabilities
(published: January 19, 2023)
ThreatFabric researchers analyzed a new Android banking trojan named Hook. It is a rebranded development of the Ermac malware that was based on the Android banker Cerberus. Hook added new capabilities in targeting banking and cryptocurrency-related applications. The malware also added capabilities of a remote access trojan and a spyware. Its device take-over capabilities include being able to remotely view and interact with the screen of the infected device, manipulate files on the devices file system, simulate clicks, fill text boxes, and perform gestures. Hook can start the social messaging application WhatsApp, extract all the messages present, and send new ones.
Analyst Comment: Users should take their mobile device security seriously whether they use it for social messaging or actually provide access to their banking accounts and/or cryptocurrency holdings. Similar to its predecessors, Hook will likely be used by many threat actors (malware-as-as-service model). It means the need to protect from a wide range of attacks: smishing, prompts to install malicious apps, excessive |
Malware Tool Threat Guideline | APT 15 APT 25 | ★★★ |
 |
2023-01-19 04:27:00 | Chinese hackers targeted Iranian government entities for months: Report (lien direct) | Chinese advanced persistent threat actor, Playful Taurus, targeted several Iranian government entities between July and December 2022, according to a Palo Alto Networks report. The Chinese threat actor also known as APT15, KeChang, NICKEL, BackdoorDiplomacy, and Vixen Panda, was observed attempting to connect government domains to malware infrastructure previously associated with the APT group, according to the report.“Playful Taurus continues to evolve their tactics and their tooling. Recent upgrades to the Turian backdoor and new C2 infrastructure suggest that these actors continue to see success during their cyber espionage campaigns,” Palo Alto Networks said in a blog. To read this article in full, please click here | Malware Threat | APT 15 APT 25 | ★★★ |
|
2023-01-18 18:00:00 | Chinese APT Group Vixen Panda Targets Iranian Government Entities (lien direct) | The claims come from cybersecurity researchers at Palo Alto Networks' Unit 42 | APT 15 APT 25 | ★★★ | |
|
2023-01-09 10:58:20 | Low-code : Enedis, Pierre Fabre et la STIME témoignent (lien direct) | Pierre Fabre, STIME, Enedis : trois retex agrémentent le dernier rapport du Cigref sur le développement low code / no code. | APT 15 | ★★ | |
|
2023-01-09 09:34:59 | Low-code : le Cigref pose la question des coûts (lien direct) | La question des coûts émaille la réflexion du Cigref à propos des solutions de développement low code et no code. | APT 15 | ★★ | |
|
2022-12-09 16:00:00 | Cobalt Mirage Affiliate Uses GitHub to Relay Drokbk Malware Instructions (lien direct) | Secureworks said the malicious code is written in .NET and comprises a dropper and a payload | Malware | APT 15 | ★★★ |
|
2022-12-09 11:17:25 | Un groupe soutenu par l\'Iran utilise Github pour relayer les instructions de logiciels malveillants (lien direct) | Un groupe soutenu par l'Iran utilise Github pour relayer les instructions de logiciels malveillants Un sous-groupe du groupe iranien Cobalt Mirage, Cluster B, cible les organisations américaines avec un malware Drokbk personnalisé - Malwares | Malware | APT 15 | ★★ |
 |
2022-12-09 04:00:00 | Drokbk Malware Uses GitHub as Dead Drop Resolver (lien direct) | Type: BlogsDrokbk Malware Uses GitHub as Dead Drop ResolverA subgroup of the Iranian COBALT MIRAGE threat group leverages Drokbk for persistence.A subgroup of the Iranian COBALT MIRAGE threat group leverages Drokbk for persistence. | Malware Threat | APT 15 | ★★ |
|
2022-12-08 15:27:58 | Machine learning : un peu de TensorFlow dans Google Sheets (lien direct) | Google greffe à son tableur un module complémentaire expérimental qui repose sur une bibliothèque associée à TensorFlow. | APT 15 | ★★ | |
 |
2022-12-07 20:15:11 | CVE-2022-46770 (lien direct) | qubes-mirage-firewall (aka Mirage firewall for QubesOS) 0.8.x through 0.8.3 allows guest OS users to cause a denial of service (CPU consumption and loss of forwarding) via a crafted multicast UDP packet (IP address range of 224.0.0.0 through 239.255.255.255). | APT 15 | ||
|
2022-11-29 08:46:30 | RSE : quel positionnement pour les DSI ? (lien direct) | Crédit Agricole, Docaposte et Enedis sont quelques-unes des entreprises que le Cigref met en lumière dans un rapport " RSE et IT ". | General Information | APT 15 | ★★★ |
|
2022-11-07 08:46:21 | Crise énergétique : les pistes du Cigref pour les directions numériques (lien direct) | Le Cigref formule une dizaine de mesures déployables en cas de pic de demande sur le réseau électrique. | APT 15 | ||
|
2022-10-18 15:36:10 | Du low-code au métavers : les projections du Cigref (lien direct) | Défi climatique, contexte géopolitique, pénurie de compétences... Comment le Cigref intègre-t-il ces paramètres dans ses conseils aux directions numériques ? | APT 15 | ||
 |
2022-10-18 08:41:18 | The benefits of taking an intent-based approach to detecting Business Email Compromise (lien direct) |  By Abhishek Singh.BEC is a multi-stage attack. Adversaries first identify targets, then they establish rapport with the victim before exploiting them for whatever their end goal is. In the case of BEC, a threat actor can impersonate any employee in the organization to trick targets. A policy that checks for authorized email addresses of the sender can prevent BEC attacks. However, scaling the approach for every employee in a large organization is a challenge. Building an executive profile based on email analysis using a machine learning model and scanning emails against that profile will detect BEC. Data collection for building and training machine learning algorithms can take time, though, opening a window of opportunity for threat actors to exploit. Detection of exploitation techniques such as lookalike domains and any differences in the email addresses in the "From" and "Reply-to" fields can also detect BEC messages. However, the final verdict cannot account for the threat actor's intent. The intent-based approach detects BEC and then classifies it into the type of scam. It catches BEC messages, irrespective of whether a threat actor is impersonating a C-level executive or any employee in an organization. Classification based on the type of scam can help identify which segment of an organization was targeted and which employees were being impersonated by the threat actor. The additional information will further assist in better designing preventive features to stop BEC. Business email compromise (BEC) is one of the most financially damaging online crimes. As per the internet crime 221 report, the total loss in 2021 due to BEC is around 2.4 billion dollars. Since 2013, BEC has resulted in a 43 billion dollars loss. The report defines BEC as a scam targeting businesses (not individuals) working with foreign suppliers and companies regularly performing wire transfer payments. Fraudsters carry out these sophisticated scams to conduct the unauthorized transfer of funds. This introduces the challenge of how to detect and block these campaigns as they continue to compromise organizations successfully. There are a variety of approaches to identifying BEC email messages, such as using policy to allow emails from authorized email addresses, detecting exploitation techniques used by threat actors, building profiles by analysis of emails, and validating against the profile to detect BEC. These approaches have a variety of limitations or shortcomings. Cisco Talos is taking a different approach and using an intent-based model to identify and block BEC messages. Before we get too deep into the intent-based model, take a deeper look at the commonly used approaches to block BEC from the simplistic through machine learning (ML) approaches. Policy-based detection The first place to start is with policy-based detection as it is one of the most common and simplistic approaches to blocking BEC campaigns. Let's start by looking at an example of a BEC email. |
Threat Medical Cloud | Yahoo Uber APT 38 APT 37 APT 29 APT 19 APT 15 APT 10 | |
|
2022-09-20 15:00:00 | Anomali Cyber Watch: Uber and GTA 6 Were Breached, RedLine Bundle File Advertises Itself on YouTube, Supply-Chain Attack via eCommerce Fishpig Extensions, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Iran, Ransomware, Stealers, and Supply chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Hacker Pwns Uber Via Compromised VPN Account
(published: September 16, 2022)
On September 15, 2022, ride-sharing giant Uber started an incident response after discovering a data breach. According to Group-IB researchers, download file name artifacts point to the attacker getting access to fresh keylogger logs affecting two Uber employees from Indonesia and Brazil that have been infected with Racoon and Vidar stealers. The attacker allegedly used a compromised VPN account credentials and performed multifactor authentication fatigue attack by requesting the MFA push notification many times and then making a social-engineering call to the affected employee. Once inside, the attacker allegedly found valid credentials for privilege escalation: a PowerShell script containing hardcoded credentials for a Thycotic privileged access management admin account. On September 18, 2022, Rockstar Games’ Grand Theft Auto 6 suffered a confirmed data leak, likely caused by the same attacker.
Analyst Comment: Network defenders can consider setting up alerts for signs of an MFA fatigue attack such as a large number of MFA requests in a relatively short period of time. Review your source code for embedded credentials, especially those with administrative privileges.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Credentials from Password Stores - T1555
Tags: MFA fatigue, Social engineering, Data breach, Uber, GTA 6, GTA VI, detection:Racoon, detection:Vidar, malware-type:Keylogger, malware-type:Stealer
Self-Spreading Stealer Attacks Gamers via YouTube
(published: September 15, 2022)
Kaspersky researchers discovered a new campaign spreading the RedLine commodity stealer. This campaign utilizes a malicious bundle: a single self-extracting archive. The bundle delivers RedLine and additional malware, which enables spreading the malicious archive by publishing promotional videos on victim’s Youtube channel. These videos target gamers with promises of “cheats” and “cracks.”
Analyst Comment: Kids and other online gamers should be reminded to avoid illegal software. It might be better to use different machines for your gaming and banking activities.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Resource Hijacking - T1496
Tags: detection:RedLine, malware-type:Stealer, Bundle, Self-spreading, Telegraph, Youtub |
Ransomware Malware Tool Vulnerability Threat Guideline | Uber Uber APT 41 APT 15 | |
|
2022-09-13 09:53:05 | Sanction de 250 000 euros à l\'encontre d\'INFOGREFFE (lien direct) | La CNIL a prononcé une sanction de 250 000 euros à l'encontre du GIE INFOGREFFE pour avoir manqué à plusieurs obligations du RGPD en matière de durées de conservation et de sécurité des données personnelles. - RGPD / cybersecurite_home_gauche | APT 15 | ||
|
2022-09-06 13:39:03 | Comment le Cigref voit évoluer les métiers du SI (lien direct) | Actualisée, la nomenclature RH du Cigref met en lumière de nouvelles perspectives d'évolution pour certains métiers du SI. | APT 15 | ||
 |
2022-08-06 10:46:21 | CISO workshop slides (lien direct) | A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142): | Malware Vulnerability Threat Patching Guideline Medical Cloud | Uber APT 38 APT 37 APT 28 APT 19 APT 15 APT 10 APT 34 Guam | |
 |
2022-08-05 11:34:14 | Meta a chassé de Facebook et d\'Instagram des centaines de trolls russes payés pour manipuler l\'opinion (lien direct) | 
Des centaines de trolls basés à Saint-Pétersbourg généraient des commentaires pro-russes en série sur les réseaux sociaux. Mais au final, l'opération était d'un niveau médiocre et peu efficace.
L'article Meta a chassé de Facebook et d’Instagram des centaines de trolls russes payés pour manipuler l’opinion est à retrouver sur 01net.com. |
APT 15 |
To see everything:
Our RSS (filtrered)
