What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-03-14 15:00:00 | La violation de données de l'agence d'emploi française pourrait affecter 43 millions de personnes French Employment Agency Data Breach Could Affect 43 Million People (lien direct) |
L'agence d'emploi de la France a subi une violation massive, exposant les données des utilisateurs qui se sont inscrits au cours des 20 dernières années
France\'s employment agency suffered a massive breach, exposing the data of users who registered over the past 20 years |
Data Breach | APT 19 | ★★★ |
 |
2023-02-08 14:15:09 | CVE-2022-41620 (lien direct) | Cross-Site Request Forgery (CSRF) vulnerability in SeoSamba for WordPress Webmasters plugin | Vulnerability | APT 19 | |
 |
2023-01-01 08:00:00 | Comment enlever un watermark d\'une photo ? (lien direct) | Quand on a un site web, il faut l’illustrer. La plupart des webmasters se contentent de pomper des photos depuis Google Images. Pour ma part, j’utilisais jusqu’à présent une banque d’images, mais également des photos libres de droits sur différents sites comme Unsplash. Mais depuis quelques mois, je reçois des … Suite | APT 19 | ★★★ | |
 |
2022-10-18 08:41:18 | The benefits of taking an intent-based approach to detecting Business Email Compromise (lien direct) |  By Abhishek Singh.BEC is a multi-stage attack. Adversaries first identify targets, then they establish rapport with the victim before exploiting them for whatever their end goal is. In the case of BEC, a threat actor can impersonate any employee in the organization to trick targets. A policy that checks for authorized email addresses of the sender can prevent BEC attacks. However, scaling the approach for every employee in a large organization is a challenge. Building an executive profile based on email analysis using a machine learning model and scanning emails against that profile will detect BEC. Data collection for building and training machine learning algorithms can take time, though, opening a window of opportunity for threat actors to exploit. Detection of exploitation techniques such as lookalike domains and any differences in the email addresses in the "From" and "Reply-to" fields can also detect BEC messages. However, the final verdict cannot account for the threat actor's intent. The intent-based approach detects BEC and then classifies it into the type of scam. It catches BEC messages, irrespective of whether a threat actor is impersonating a C-level executive or any employee in an organization. Classification based on the type of scam can help identify which segment of an organization was targeted and which employees were being impersonated by the threat actor. The additional information will further assist in better designing preventive features to stop BEC. Business email compromise (BEC) is one of the most financially damaging online crimes. As per the internet crime 221 report, the total loss in 2021 due to BEC is around 2.4 billion dollars. Since 2013, BEC has resulted in a 43 billion dollars loss. The report defines BEC as a scam targeting businesses (not individuals) working with foreign suppliers and companies regularly performing wire transfer payments. Fraudsters carry out these sophisticated scams to conduct the unauthorized transfer of funds. This introduces the challenge of how to detect and block these campaigns as they continue to compromise organizations successfully. There are a variety of approaches to identifying BEC email messages, such as using policy to allow emails from authorized email addresses, detecting exploitation techniques used by threat actors, building profiles by analysis of emails, and validating against the profile to detect BEC. These approaches have a variety of limitations or shortcomings. Cisco Talos is taking a different approach and using an intent-based model to identify and block BEC messages. Before we get too deep into the intent-based model, take a deeper look at the commonly used approaches to block BEC from the simplistic through machine learning (ML) approaches. Policy-based detection The first place to start is with policy-based detection as it is one of the most common and simplistic approaches to blocking BEC campaigns. Let's start by looking at an example of a BEC email. |
Threat Medical Cloud | Yahoo Uber APT 38 APT 37 APT 29 APT 19 APT 15 APT 10 | |
 |
2022-08-06 10:46:21 | CISO workshop slides (lien direct) | A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142): | Malware Vulnerability Threat Patching Guideline Medical Cloud | Uber APT 38 APT 37 APT 28 APT 19 APT 15 APT 10 APT 34 Guam | |
|
2022-08-04 08:00:13 | Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns (lien direct) |  By Edmund Brumaghin, Azim Khodjibaev and Matt Thaxton, with contributions from Arnaud Zobec.Executive SummaryDark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries.It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems.Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention.Since its initial release, we've observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining.What is "Dark Utilities?"In early 2022, a new C2 platform called "Dark Utilities" was established, offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The operators of the service also established Discord and Telegram communities where they provide technical support and assistance for customers on the platform.  Dark Utilities provides payloads consisting of code that is executed on victim systems, allowing them to be registered with the service and establish a command and control (C2) communications channel. The platform currently supports Windows, Linux and Python-based payloads, allowing adversaries to target multiple architectures without requiring significant development resources. During our analysis, we observed efforts underway to expand OS and system architecture support as the platform continues to see ongoing develo |
Spam Malware Hack Tool Threat Guideline | APT 19 | |
|
2022-08-02 08:00:14 | Manjusaka: A Chinese sibling of Sliver and Cobalt Strike (lien direct) |  By Asheer Malhotra and Vitor Ventura.Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework.The implants for the new malware family are written in the Rust language for Windows and Linux.A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints.We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.IntroductionCisco Talos has discovered a relatively new attack framework called "Manjusaka" (which can be translated to "cow flower" from the Simplified Chinese writing) by their authors, being used in the wild.As defenders, it is important to keep track of offensive frameworks such as Cobalt Strike and Sliver so that enterprises can effectively defend against attacks employing these tools. Although we haven't observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world. This disclosure from Talos intends to provide early notification of the usage of Manjusaka. We also detail the framework's capabilities and the campaign that led to the discovery of this attack framework in the wild.The research started with a malicious Microsoft Word document (maldoc) that contained a Cobalt Strike (CS) beacon. The lure on this document mentioned a COVID-19 outbreak in Golmud City, one of the largest cities in the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. During the investigation, Cisco Talos found no direct link between the campaign and the framework developers, aside from the usage of the framework (which is freely available on GitHub). However, we could not find any data that could support victimology definition. This is justifiable considering there's a low number of victims, indicating the early stages of the campaign, further supported by the maldoc metadata that indicates it was created in the second half of June 2022.While investigating the maldoc infection chain, we found an implant used to instrument Manjusaka infections, contacting the same IP address as the CS beacon. This implant is written in the Rust programming language and we found samples for Windows and Linux operating systems. The Windows implant included test samples, which had non-internet-routable IP addresses as command and control (C2). Talos also discovered the Manjusaka C2 executable - a fully functional C2 ELF binary written in GoLang with a User Interface in Simplified Chinese - on GitHub. While analyzing the C2, we generated implants by specifying our configurations. The developer advertises it has an advers |
Malware Threat Guideline | APT 19 | |
|
2022-07-27 12:22:17 | Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products (lien direct) |  By Francesco Benvenuto. Recently, I was performing some research on a wireless router and noticed the following piece of code: |
Vulnerability Guideline Medical | APT 38 APT 19 | |
 |
2022-07-13 11:27:07 | Using Referers to Detect Phishing Attacks, (Wed, Jul 13th) (lien direct) | “Referers†are useful information for webmasters and system administrators that would like to have a better overview of the visitors browsing their websites. The referer is an HTTP header that identifies the address of the web page from which the resource has been requested. | APT 19 | ||
|
2022-06-24 13:40:08 | The sadly neglected Risk Treatment Plan (lien direct) |  For some curious reason, the Statement of Applicability steals the limelight in the ISO27k world, despite being little more than a formality. Having recently blogged about the dreaded SoA, 'nuff said on that.Today I'm picking up on the SoA's shy little brother, the Risk Treatment Plan. There's a lot to say and think about here, so coffee-up, settle-down, sit forward and zone-in.ISO/IEC 27001 barely even acknowledges the RTP. Here are the first two mentions, tucked discreetly under clause 6.1.3: |
Threat Guideline | APT 19 APT 10 | ★★★★ |
 |
2022-06-01 17:47:00 | Anomali Cyber Watch: TURLA\'s New Phishing-Based Reconnaissance Campaign in Eastern Europe, Unknown APT Group Has Targeted Russia Repeatedly Since Ukraine Invasion and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Chromeloader, Goodwill, MageCart, Saitama, Turla and Yashma. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Credit Card Stealer Targets PsiGate Payment Gateway Software
(published: May 25, 2022)
Sucuri Researchers have detailed their findings on a MageCart skimmer that had been discovered within the Magento payment portal. Embedded within the core_config_data table of Magento’s database, the skimmer was obfuscated and encoded with CharCode. Once deobfuscated, a JavaScript credit card stealer was revealed. The stealer is able to acquire text and fields that are submitted to the payment page, including credit card numbers and expiry dates. Once stolen, a synchronous AJAX is used to exfiltrate the data.
Analyst Comment: Harden endpoint security and utilize firewalls to block suspicious activity to help mitigate against skimmer injection. Monitor network traffic to identify anomalous behavior that may indicate C2 activity.
MITRE ATT&CK: [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Input Capture - T1056
Tags: MageCart, skimmer, JavaScript Magento, PsiGate, AJAX
How the Saitama Backdoor uses DNS Tunneling
(published: May 25, 2022)
MalwareBytes Researchers have released their report detailing the process behind which the Saitama backdoor utilizes DNS tunneling to stealthy communicate with command and control (C2) infrastructure. DNS tunneling is an effective way to hide C2 communication as DNS traffic serves a vital function in modern day internet communications thus blocking DNS traffic is almost never done. Saitama formats its DNS lookups with the structure of a domain consisting of message, counter . root domain. Data is encoded utilizing a hardcoded base36 alphabet. There are four types of messages that Saitama can send using this method: Make Contact to establish communication with a C2 domain, Ask For Command to get the expected size of the payload to be delivered, Get A Command in which Saitama will make Receive requests to retrieve payloads and instructions and finally Run The Command in which Saitama runs the instructions or executes the payload and sends the results to the established C2.
Analyst Comment: Implement an effective DNS filtering system to block malicious queries. Furthermore, maintaining a whitelist of allowed applications for installation will assist in preventing malware like Saitama from being installed.
MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: C2, DNS, Saitama, backdoor, base36, DNS tunneling
|
Ransomware Malware Tool Threat | APT 19 | |
 |
2022-04-03 15:44:11 | China-linked APT Deep Panda employs new Fire Chili Windows rootkit (lien direct) | The China-linked hacking group Deep Panda is targeting VMware Horizon servers with the Log4Shell exploit to install a new Fire Chili rootkit. Researchers from Fortinet have observed the Chinese APT group Deep Panda exploiting a Log4Shell exploit to compromise VMware Horizon servers and deploy previously undetected Fire Chili rootkit. The experts observed opportunistic attacks against organizations […] | APT 19 | ||
 |
2022-04-01 11:54:00 | Chinese hackers Deep Panda return with Log4Shell exploits, new Fire Chili rootkit (lien direct) | Log4Shell is being exploited to deploy the kernel rootkit. | APT 19 | ★★★★ | |
 |
2022-04-01 03:41:53 | Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit (lien direct) | A Chinese advanced persistent threat tracked as Deep Panda has been observed exploiting the Log4Shell vulnerability in VMware Horizon servers to deploy a backdoor and a novel rootkit on infected machines with the goal of stealing sensitive data. "The nature of targeting was opportunistic insofar that multiple infections in several countries and various sectors occurred on the same dates," said | Threat | APT 19 | |
 |
2022-03-30 00:00:00 | New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits (lien direct) | FortiGuard Labs discovered a campaign by Deep Panda exploiting Log4Shell, along with a novel kernel rootkit signed with a stolen digital certificate also used by Winnti. Read to learn about these attacks, tools, and attribution to these APT groups.
|
APT 19 | ★★★★ | |
 |
2021-11-28 10:31:12 | Comparatif – Top 10 des meilleurs hébergeurs Web francophones (lien direct) | Ce top est basé sur une multitudes d'avis consommateurs et de tests réalisés par des webmasters professionnels. Vous trouverez ci-dessous les meilleurs solutions d'hébergement Web français d'après les principaux critères. Tous les hébergeurs notés ici proposent au moins un pack mutualisé à moins de 10 euros par mois comprenant un nom de domaine gratuit. The post Comparatif – Top 10 des meilleurs hébergeurs Web francophones first appeared on UnderNews. | APT 19 | ||
 |
2021-11-22 21:09:00 | In a first, scientists captured growth of butterfly wings inside chrysalis on video (lien direct) | MIT team replaced part of a pupa's cuticle with a glass window for experiments. | APT 19 | ||
|
2021-07-06 15:05:00 | Anomali Cyber Watch: Thousands attacked as REvil ransomware hijacks Kaseya VSA, Leaked Babuk Locker Ransomware Builder Used In New Attacks and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Babuk, IndigoZebra, Ransomware, REvil, Skimmer, Zero-day and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Shutdown Kaseya VSA Servers Now Amidst Cascading REvil Attack Against MSPs, Clients
(published: July 4, 2021)
A severe ransomware attack reportedly took place against the popular remote monitoring and management (RMM) software tool Kaseya VSA. On July 2, 2021, Kaseya urged users to shut down their VSA servers to prevent them from being compromised. The company estimated that fewer than 40 of their customers worldwide were affected, but as some of them were managed service providers (MSPs), over 1,000 businesses were infected. The majority of known victims are in the US with some in Europe (Sweden) and New Zealand. The attackers exploited a zero-day vulnerability in Kaseya’s systems that the company was in the process of fixing. It was part of the administrative interface vulnerabilities in tools for system administration previously identified by Wietse Boonstra, a DIVD researcher. The REvil payload was delivered via Kaseya software using a custom dropper that dropped two files. A dropper opens an old but legitimate copy of Windows Defender (MsMpEng.exe) that then side loads and executes the custom malicious loader's export. The attack coincided with the start of the US Independence Day weekend, and has several politically-charged strings, such as “BlackLivesMatter” Windows registry key and “DTrump4ever” as a password.
Analyst Comment: Kaseya VSA clients should safely follow the company’s recommendations as it advised shutting Kaseya VSA servers down, and is making new security updates available. Every organization should have a ransomware disaster recovery plan even if it is serviced by a managed service provider (MSP).
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] DLL Side-Loading - T1073
Tags: REvil, Sodinokibi, Gandcrab, Leafroller, Kaseya VSA, ransomware, Ransomware-as-a- Service, zero-day, CVE-2021-30116, supply-chain, North America, USA, Sweden, New Zealand, MSP, RMM, schools
IndigoZebra APT Continues To Attack Central Asia With Evolving Tools
(published: July 1, 2021)
Researchers from Check Point have identified the Afghan Government as the latest victim in a cyber espionage campaign by the suspected Chinese group ‘IndigoZebra’. This attack began in April when Afghan National Security Council (NSC) officials began to receive lure emails claiming to be from the President’s secretariat. These emails included a decoy file that would install the backdoor ‘BoxCaon’ on the system before reaching out to the Dropbox API to act as a C&C server. The attacker would then be able to fingerprint the machine and begin accessing files. I |
Ransomware Spam Malware Tool Vulnerability Threat Guideline | APT 19 APT 10 | |
 |
2020-12-15 11:01:00 | 18 000 entreprises et organisations ont téléchargé la backdoor des hackers de Poutine (lien direct) | L'ampleur de l'infection orchestrée par APT19, alias Cozy Bear, est certes énorme, mais cela ne veut pas dire que toutes les victimes ont réellement été piratées.  |
APT 29 APT 19 | ||
|
2020-09-29 14:00:00 | Weekly Threat Briefing: Federal Agency Breach, Exploits, Malware, and Spyware (lien direct) |
The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Cyber Espionage, FinSpy, Magento, Taurus Project and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
German-made FinSpy Spyware Found in Egypt, and Mac and Linux Versions Revealed
(published: September 25, 2020)
Security Researchers from Amnesty International have identified new variants of FinSpy, spyware that can access private data and record audio/video. While used as a law enforcement tool, authoritarian governments have been using FinSpy to spy on activists and dissidents. Spreading through fake Flash Player updates, the malware is installed as root with use of exploits, and persistence is gained by creating a logind.pslist file. Once a system is infected with the malware, it has the ability to run shell scripts, record audio, keylogging, view network information, and list files. Samples have been found of FinSpy for macOS, Windows, Android, and Linux.
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from threat actors, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Logon Scripts - T1037 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071
Tags: Amnesty, Android, Backdoor, Linux, macOS, FinSpy, Spyware
Magento Credit Card Stealing Malware: gstaticapi
(published: September 25, 2020)
Security researchers, at Sucuri, have identified a malicious script, dubbed “gstaticapi,” that is designed to steal payment information from Magento-based websites. The script first attempts to find the “checkout” string in a web browser URL and, if found, will create an element to the web pages header. This allows the JavaScript to handle external code-loading capabilities that are used to process the theft of billing and payment card information.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Data Encoding - T1132
T |
Data Breach Malware Vulnerability Threat | APT 19 | ★★★★★ |
 |
2020-07-13 09:07:16 | Security Expert Re: New WordPress RCE Exploit (CVSS Score 10.0 ) (lien direct) | Webmasters who use WordPress plugin Adning Advertising are urged to patch against a critical vulnerability that is reportedly being exploited in the wild. Exploitation of the flaw enables an unauthenticated attacker to upload arbitrary files, leading to remote code execution (RCE) and potentially a full site takeover. Such is the flaw's seriousness, MITRE has assigned … The ISBuzz Post: This Post Security Expert Re: New WordPress RCE Exploit (CVSS Score 10.0 ) | Vulnerability Guideline | APT 19 | |
|
2020-01-17 13:10:22 | WordPress plugin vulnerability can be exploited for total website takeover (lien direct) | The “easily exploitable” bug in WP Database Reset has serious consequences for webmasters. | Vulnerability | APT 19 | |
 |
2019-11-18 14:00:00 | How website security and SEO are intimately connected (lien direct) | Learning how to optimize your website can be a challenge. At one time, it was only about figuring out what Google wanted, which was largely keywords. Now, it’s much more complex. Google is focused on not only delivering high-quality, relevant search results, but also on protecting people from malware and unscrupulous websites. Not only that, a hack of your website by others can give Google false information that directly impacts your rankings. That’s why it’s vital for your website to have strong web security if you want to do well in SEO. How security can directly impact SEO Hacks, or attempts at hacks, can keep Google’s bots from accessing your site and assessing your content and keywords. Your server may report missing pages to Google because of a web scraper or hacker impacting your website. Why would someone hack your site? Usually it’s to do back-door SEO. For instance, a hacker wants to put a link on your site, or add a web page. Sometimes they even target your domain and redirect it to another site altogether. Sucuri has an excellent example of a common hack they see on WordPress sites. These hacks make your website look like an untrustworthy page, or may even draw penalties from Google that cause your site to be blacklisted. Sometimes, no matter how much effort you put into SEO, failures in cybersecurity can drastically impact how Google sees your site, therefore also impacting your place in the SERPs. The First Step in Security to Boost SEO One of the first things you need to do to protect your website and boost your Google ranking is to install HTTPS. Google named this security protocol a ranking signal several years ago, so it’s obvious that your SEO results will be tied to it. You’ll need to make sure you have a proper certificate and allow indexing so that Google can still read your website. However, this is only the beginning. An HTTPS setup does not secure a website, it only secures the connection and encrypts data that is sent. That means that communication between your server and the web browser a visitor is using is secure and data — like a credit card number used for purchase — cannot be stolen. Other Important Security Steps Information security, or keeping your stored data secure, is another important part of keeping your website secure and helping it rank well, and the good news is that this security requires the same vigilance that SEO does. As a result, you can monitor both simultaneously. Platform Security Be sure you’ve chosen a good web host that has strong security on their end. Use security software or plugins as appropriate. For smaller websites using WordPress, you can use Wordfence, iThemes Security, or Bulletproof Security, for example. Overall, you want plugins that address the known security issues in the platform you use. All websites can also benefit from using SiteLock, which not only closes security loopholes but also monitors your website daily for malware, viruses, and more. Secure Passwords Believe it or not, the | Malware Hack | APT 19 | |
 |
2019-03-10 00:12:05 | Un bon référencement pour contrer les pirates ? (lien direct) | Alors que vous surfiez sur vos sites favoris, quelle ne fût pas votre surprise de découvrir en lieu et place de votre portail préféré la vente de contrefaçons. Des sites pirates qui, si les webmasters n’y prennent pas garde, se transforment en perturbateurs du référencement officiel des sites ... Cet article Un bon référencement pour contrer les pirates ? est apparu en premier sur ZATAZ. | APT 19 | ||
|
2018-12-20 14:00:00 | Let\'s Chat: Healthcare Threats and Who\'s Attacking (lien direct) |
Healthcare is under fire and there’s no sign of the burn slowing.
Look, it’s no secret that hackers have been targeting hospitals and other healthcare providers for several years — and probably no surprise that healthcare is one of the top target industries for cybercrime in 2018. In the US alone, in fact, more than 270 data breaches affecting nearly 12 million individuals were submitted to the U.S. HHS Office for Civil Rights breach portal (as of November 30, 2018). This includes the likes of unauthorized access or disclosures of patient data, hacking, theft of data, data loss and more.
Bottom line, if you’re tasked with protecting any entity operating in the healthcare sector, you’re likely experiencing some very sleepless nights — and may just need a doctor yourself.
So . . . who’s wreaking all this havoc and how? According to AlienVault Labs, opportunistic ransomware is still a preferred method of attack. However, researchers are reporting a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from healthcare providers and other similar entities who must protect and keep assets, systems, and networks continuously operating.
One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million dollars by manually compromising critical healthcare networks (see below for more info). The group behind SamSam has invested heavily in their operations (likely an organized crime syndicate) and has won the distinction of being the subjects of two FBI Alerts in 2018.
.png)
And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware. SamSam attacks also seem to go in waves. One of the most notable was a spring 2018 hit on a large New York hospital which publicly declined to pay the attacker’s $44,000 ransomware demand. It took a month for the hospital’s IT system to be fully restored.
SamSam attackers are known to:
Gain remote access through traditional attacks, such as JBoss exploits
Deploy web-shells
Connect to RDP over HTTP tunnels such as ReGeorg
Run batch scripts to deploy the ransomware over machines
SamSam isn’t going away either. AlienVault Labs has seen recent variants. You might want to read more about the threat actors behind SamSam, their methods of attacks, and recommendations for heading |
Threat | Wannacry APT 19 APT 18 APT 22 APT 23 | |
|
2018-10-30 00:08:00 | Google launches reCAPTCHA v3 that detects bad traffic without user interaction (lien direct) | reCAPTCHA v3 assigns incoming site visitors a risk score and lets webmasters takes custom actions based on this score. | APT 19 | ||
|
2018-10-29 17:00:00 | MadoMiner Part 2 - Mask (lien direct) |
This is a guest post by independent security researcher James Quinn.
If you have not yet read the first part of the MadoMiner analysis, please do so now. This analysis will pick up where Part 1 left off, while also including a brief correction. The x64 version of the Install module was listed as identical to the x86 Install module. However, this is not correct. The x64 Install module is identical in run-through to the 360Safe.exe module, which will be discussed later in this analysis.
In addition, take care with this portion of the malware. The batch script for Mask.exe, DemC.bat, appears to run if it detects any copies of itself during runtime, or if you run the x64 version of install on a 32 bit machine.
Where Install.exe was in charge of infecting new victims with MadoMiner, it seems Mask.exe is where the real payoff lies. Mask.exe utilizes XMRig miners in order to mine for XMR which it then sells for profit. While madominer was earning $6,000 a month as of the last analysis,
Around 10/14, MineXMR closed the old address due to botnet reports. A new address has been identified at 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433, mining through minexmr.com again. Currently, the hashrate is at 109Kh/s, and steadily rising.
Also, around the time that the address changed, MadoMiner also became drastically different.
Malware Analysis
Where Install.exe only downloaded 1 file from a remote host, Mask.exe downloads two files. In addition, the servers used to download the files are also different than Install.exe, increasing the proposed size of the botnet.
 Domains
In addition to the 2 domains identified in part 1, a new domain has also been identified for a distribution server:
http://d.honker[dot]info
However, the domain is currently dead. In addition, the mining server currently used is pool.minexmr[dot]com
A C2 server(newly updated version):
http://qq.honker[dot]info
Previously identified distribution domains:
http://da[dot]alibuf.com:3/
http://bmw[dot]hobuff.info:3/
Previously Identified IPs:
61.130.31.174
Previously identified mining servers:
http://gle[dot]freebuf.info
http://etc[dot]freebuf.info
http://xmr[dot]freebuf.info
http://xt[dot]freebuf.info
http://boy[dot]freebuf.info
http://liang[dot]alibuf.com
http://dns[dot]alibuf.com
http://x[dot]alibuf.com
In addition, http://da[dot]alibuf.com:3, the main distribution server, seems to have been registered by bodfeo[at]hotmail.com in early October 2017. According to an analysis by Steve Butt of DomainTools, this email was linked to APT19/c0d0s0, however it was most likely due to domain reselling.
Exploits
During the execution |
APT 19 | ||
 |
2018-05-05 12:13:02 | New Service Blocks EU Users So Companies Can Save Thousands on GDPR Compliance (lien direct) | A new service called GDPR Shield is making the rounds this week and for all the wrong reasons. The service, advertised as a piece of JavaScript that webmasters embed on their sites, blocks EU-based users from accessing a website, just so the parent company won't have to deal with GDPR compliance. [...] | APT 19 | ||
|
2018-05-03 14:35:04 | Facebook\'s Phishing Detection Tool Now Recognizes Homograph Attacks (lien direct) | Facebook has updated a phishing detection toolkit it developed two years ago. The update now allows webmasters who sign up for the tool to detect homograph (Unicode-based lookalike) domains created for their websites. [...] | APT 19 | ||
|
2018-03-02 05:51:02 | New Tools Make Checking for Leaked Passwords a Lot Easier (lien direct) | The work that Australian security researcher Troy Hunt has done with the Have I Been Pwned project is yielding useful tools that developers and webmasters can now use to make sure users stop using silly and easy to guess passwords. [...] | APT 19 | ||
|
2018-02-06 14:00:00 | Debunking these 3 Domain Name Registration Myths Once and For All (lien direct) |
Let’s be honest:
Domain names suck.
It’s a pain to come up with possible variations. It’s time-consuming to sift through which are available (none are). And going through the process of buying an unavailable one is about as much fun as a root canal.
But there’s a reason they’re such a hassle. There’s a lot riding on them. There’s a massive difference between a good one and a great one.
Many times, that difference is millions or billions. That sounds like an exaggeration, but it’s not. Here’s why.
Myth #1. Domain Registrations Increase SEO
Exact match domains (EMDs) used to be a thing (or still are, depending on who you talk to). You stuffed a few keywords into the domain before checkout to give yourself that extra edge to rank for cut-throat queries like “bestvitaminshop.com.”
Domain age has also been rumored to influence rankings. Somehow, the older the domain and the longer you register it for tells Google… to like you more?
Admittedly, the logic is flimsy.
But Google originally debunked these myths in 2009, according to some digging by Matt McGee at Search Engine Land.
First, they had a Google Webmaster Help forum thread where Googler, John Mueller, addressed this question head-on:
“A bunch of TLDs do not publish expiration dates — how could we compare domains with expiration dates to domains without that information? It seems that would be pretty hard, and likely not worth the trouble. Even when we do have that data, what would it tell us when comparing sites that are otherwise equivalent? A year (the minimum duration, as far as I know) is pretty long in internet-time :-).”
Next up, they had former Google PR chief, Matt Cutts, on the record several times addressing this issue:
“To the best of my knowledge, no search engine has ever confirmed that they use length-of-registration as a factor in scoring. If a company is asserting that as a fact, that would be troubling.”
So there you have it. “Officially,” domain registrations don’t affect SEO. At least, not directly.
Recently, there’s some evidence that search engine result page (SERP) click-through rate (CTR) affects rankings. One experiment had a sizable group of people click on a random listing in the seventh position to see what (if any) changes occurred.
And within just a few hours? Straight to the top.
(image source)
The finding shows an odd correlation between SERP performance and its influence on ranks. The point of this being that it is possible that a better domain name, one that’s more credible and interesting for people to click, could indirectly influence rankings.
The industry standard .com domain is still seen as the most credible, even though new top-level domains (TLDs) continue to pop up and gain acceptance. Studies have backed this up, showing that .com domains generally dr |
APT 19 | ||
|
2017-12-13 10:05:21 | Google Releases an Updated SEO Starter Guide (lien direct) | After many years, Google has finally released an updated version of their SEO Starter Guide. This guide is a resource for webmasters that contains Google's recommendations on how to make sure web sites are search-engine-friendly. [...] | APT 19 | ||
|
2017-11-02 09:19:30 | WordPress patches SQL injection bug in security release (lien direct) | Webmasters should update immediately to prevent website takeovers. | APT 19 | ||
|
2017-09-15 11:10:39 | Security.txt Standard Proposed, Similar to Robots.txt (lien direct) | Ed Foudil, a web developer and security researcher, has submitted a draft to the IETF — Internet Engineering Task Force — seeking the standardization of security.txt, a file that webmasters can host on their domain root and describe the site's security policies. [...] | APT 19 | ||
|
2017-07-07 10:26:58 | ZIP Bombs Can Protect Websites From Getting Hacked (lien direct) | Webmasters can use so-called ZIP bombs to crash a hacker's vulnerability and port scanner and prevent him from gaining access to their website. [...] | APT 19 | ||
|
2017-07-06 15:30:00 | Let\'s Encrypt brings free wildcard certificates to the web (lien direct) | The CA's new certificate option will give webmasters another tool to encrypt the internet. | APT 19 | ||
 |
2017-06-06 17:30:00 | Privilèges et références: phisés à la demande de conseil Privileges and Credentials: Phished at the Request of Counsel (lien direct) |
Résumé
En mai et juin 2017, Fireeye a observé une campagne de phishing ciblant au moins sept sociétés mondiales de droit et d'investissement.Nous avons associé cette campagne à APT19, un groupe que nous évaluons est composé de pigistes, avec un certain degré de parrainage par le gouvernement chinois.
APT19 a utilisé trois techniques différentes pour tenter de compromettre les cibles.Début mai, les leurres de phishing ont exploité les pièces jointes RTF qui ont exploité la vulnérabilité Microsoft Windows décrite dans CVE 2017-0199.Vers la fin de mai, APT19 est passé à l'utilisation de documents Microsoft Excel (XLSM) compatibles avec macro.Dans le
Summary In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government. APT19 used three different techniques to attempt to compromise targets. In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE 2017-0199. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the |
Vulnerability | APT 19 | ★★★★ |
|
2017-03-22 08:29:52 | Piratages – L\'avertissement de Google pour 2017 (lien direct) |  D'après Google, il est aujourd'hui facile pour les pirates informatiques de pirater les sites Web. La raison ? Leur obsolescence surtout. Le géant américain met en garde les webmasters pour 2017 face aux dangers. |
APT 19 | ||
 |
2017-03-21 10:05:00 | Hacked Sites Up By 32% in 2016 Over 2015, Says Google (lien direct) | Webmasters should register on Search Console for hack notifications, advises the company. | APT 19 | ||
|
2017-03-20 13:00:00 | Interview with Daniel Cid, founder of OSSEC (lien direct) |
Daniel Cid
Daniel Cid is the founder and CTO for Sucuri. He’s also on the AlienVault Technology Advisory Board and is the founder of OSSEC HIDS. I interviewed him to get his thoughts on website security, and the security of content management systems (CMS).
Q: What are the most serious challenges and trends you are seeing with website security?
At a high level, the most popular CMS platforms (eg. WordPress, Magento, Drupal, etc) and frameworks are getting a lot better in terms of security, whether it’s a secure by default configurations or employing more appropriate security coding and best practices. We rarely see major issues in the core of these applications, and even when they do have issues there is a system in place that helps streamline the process of patching environments at scale. The platform that is leading the charge on this is WordPress, and a perfect example of this system is best illustrated with the vulnerability we disclosed in the new REST API. Via their auto-update feature they were able to patch very quickly and effectively millions of sites in a one-week time period.
As impactful as these change are however, they aren't& stopping the attacks and the compromises. Simply put, it’s not because platform security is the problem, but rather website security is much more complex than code or tools, and needs the people and processes behind it to remain secure.
Consider WordPress, for example. They have their famous 5-minute install. What a great message, and it has been huge in achieving their broad user adoption. Note, it actually takes a lot more than 5 minutes to secure and harden the environment, let it alone configure it to be fully functional to your liking. That isn’t the message a webmaster wants to receive, and this becomes especially challenging when you take into consideration the technical aptitude of most of today’s webmasters - which is very low.
So I think the main challenge I see right now is that there needs to be a level of education to the people deploying websites. There are additional steps that go beyond the basic installation and configuration requirements, and it includes investing some energy into security. These steps need to be more visible, actionable and easier to adopt.
Q: Can just buying products really fix website security?
No. Technology alone will never be the solution; just buying a product won’t work at any level of security.
Note that we do sell a cloud-based security software (a WAF for websites), but we work very hard to have a dialog with our customers where we try to educate and communicate the importance of people, process and technology in their security posture.
Q: What do you think about OWASP and other organizations that are focused on web application security?
I think they are great. They are a powerful resource for developers and security professionals to be more aware of web application security issues.
Q: We hear a lot of fear, uncertainty and doubt (FUD) around WordPress security. What helpful advice could you give our readers who are using Wordpress currently?
The problem in the WordPress security space is that the majority of users are not very technical, and there is also a lot of misinformation and disinformation being spre |
Guideline | APT 19 | |
 |
2017-03-07 12:03:12 | WordPress webmasters urged to upgrade to version 4.73 to patch six security holes (lien direct) | Another day, another important security update for WordPress. If your running a self-hosted version of WordPress, you must update the software on your website now. | APT 19 | ||
|
2017-02-09 17:06:50 | Google Makes WordPress Site Owners Nervous Due to Confusing Security Alerts (lien direct) | For the past few days, Google has been making a lot of webmasters very nervous, as its Google Search Console service, formerly known as Google Webmaster, has been sending out security alerts to people it shouldn't. [...] | APT 19 | ★★★ | |
|
2017-02-08 11:41:55 | Thousands of WordPress websites defaced through patch failures (lien direct) | A patched zero-day vulnerability is at fault, but webmasters are not paying attention to updates. | APT 19 | ||
|
2016-11-21 16:35:08 | Russian Spammer Uses Fake Google Domain to Tell Webmasters to Vote Trump (lien direct) | Some clever Russian crook has found a way to register a lookalike Google domain by taking advantage of Unicode characters to create an alternative way of spelling Google. [...] | APT 19 | ||
 |
2016-11-15 00:49:31 | Le spam analytics (lien direct) | Tags: SpamBotsBlack SEOSurveiller ses logs, c'est bien mais regarder ce qui se passe du côté de ses statistiques de fréquentation, c'est mieux. En faisant un tour sur mon Google Analytics, j'ai eu l'immense surprise de voir ceci dans la catégorie langue :
En faisant une recherche rapide, j'ai découvert qu'il s'agissait d'une variété de spam : le spam analytics.
Le spam analytics : pourquoi ?
Cette technique, que je classe dans la section Black SEO, peut aussi – comme le spam traditionnel – être vectrice de malware. Dans le cas illustré ici, il s'agissait surtout d'une campagne électorale. L'idée générale est de pourrir les rapports analytics des webmasters, community managers, développeurs, etc. pour les inciter à visiter des sites et voir dans quel contexte on parle de leur application Web. Il peut aussi s'agir de générer du trafic vers ses sites. En effet, certains portails laissent publics leurs backlinks et leurs référents, améliorant du même coup les backlinks-spammeurs et donc leur notoriété et donc leur rang dans les résultats de recherche. C'est ce qu'on appelle du spamindexing.
En résumé, le spam analytics sert à :
Générer un faux trafic ;
Propager des malwares ;
Faire grimper sa propre notoriété.
On a vu le pourquoi, passons au comment.
Comment fonctionne le spam analytics ?
En matière de spam analytics, il y a deux techniques :
Le bot Referral Spam ;
Le Ghost Referral Spam.
Comme son nom l'indique, le premier est un robot qui va effectivement visiter votre site, donc générer du trafic. Cette technique est simple et tout le monde sait le faire. Le second est un peu plus vicieux car il ne concerne que les sites fonctionnant avec Google Analytics, il ne visite pas votre site mais il laisse quand même une empreinte dans vos statistiques, soit par faux référents, par faux langages ou par faux mots-clefs.
Mais alors, comment peut-on polluer des statistiques en ne visitant pas un site Web ? En utilisant une petite " faille " de Google Analytics, qui en réalité une fonctionnalité, faisant ainsi une démonstration remarquable de la phrase " it's not a bug, it's a feature ". On commence par générer des codes Google Analytics. On envoie ensuite de fausses données grâce au protocole de mesure de Google Analytics et ces fausses données sont ensuite enregistrées dans les statistiques des comptes ciblés. |
APT 19 | ||
 |
2016-11-10 11:03:00 | Google punishes web backsliders in Chrome (lien direct) | Google said it will deal with website recidivists that have dodged the company's punishments for spreading malware and spawning email scams.When Google flags sites for hosting malicious code or unwanted software, or running some kind of scam, users see warnings in Chrome and other browsers. The alerts appear as long as Google believes the site poses a threat.But after making changes to align their sites with Google's "Safe Browsing" terms, webmasters may ask Google to lift the virtual embargo.Not surprisingly, some took advantage of the mechanism for lifting the warnings. Sites would cease their illicit practices, but only long enough to get back into Google's good graces. Once Google gave the all-clear, the once-dirty-then-clean site would have a serious relapse and again distribute malware or spew phishing emails.To read this article in full or to leave a comment, please click here | APT 19 | ||
|
2016-11-02 03:21:37 | Multiple Critical Remotely Exploitable Flaws Discovered in Memcached Caching System (lien direct) | Hey Webmasters, are you using Memcached to boost the performance of your website?
Beware! It might be vulnerable to remote hackers.
Three critical Remote Code Execution vulnerabilities have been reported in Memcached by security researcher Aleksandar Nikolich at Cisco Talos Group that expose major websites, including Facebook, Twitter, YouTube, Reddit, to hackers.
Memcached is a fabulous
|
APT 19 | ||
|
2016-09-28 08:16:27 | WordPress remporte la palme du CMS le plus visé par les cyberattaques (lien direct) |  La firme de sécurité Sucuri vient de publier le Website Hacked Trend Report pour le deuxième trimestre de 2016, en mettant en évidence l'impressionnant palmarès du CMS WordPress. Bien entendu, c'est la faute à la négligence des webmasters et non du système en lui-même... |
APT 19 | ||
|
2016-09-11 10:43:41 | Google Chrome : Vers une signalisation des pages HTTP “non sécurisées†(lien direct) |  Google Chrome affiche actuellement une icône informative grise sur les sites HTTP. Mais le géant explique sur son blog qu'à partir du début 2017, son navigateur avertira les utilisateurs qui se trouvent sur une page non protégée par HTTPS. Lorsqu'une alerte s'affichera pour tous les visiteurs d'un site, cela pourra être considéré comme un important moyen de pression pour forcer les webmasters à passer leur site en HTTPS. |
APT 19 | ||
|
2016-08-26 08:14:40 | Mozilla launches free website security scanning service (lien direct) | In order to help webmasters better protect their websites and users, Mozilla has built an online scanner that can check if web servers have the best security settings in place.Dubbed Observatory, the tool was initially built for in-house use by Mozilla security engineer April King, who was then encouraged to expand it and make it available to the whole world.She took inspiration from the SSL Server Test from Qualys' SSL Labs, a widely appreciated scanner that rates a website's SSL/TLS configuration and highlights potential weaknesses. Like Qualys' scanner, Observatory uses a scoring system from 0 to 100 -- with the possibility of extra bonus points -- which translates into grades from F to A+.To read this article in full or to leave a comment, please click here | APT 19 |
To see everything:
Our RSS (filtrered)
