What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-04-20 09:29:58 | Joint Cybersecurity Advisory Warns Of Blockchain Hackers Targeting Developers And DevOps teams (lien direct) | It has been reported that the FBI, CISA and U.S. Treasury Department have issued a joint cybersecurity advisory warning all businesses in cryptocurrency to watch out for attacks from North Korean state-sponsored hackers. The full advisory can be viewed here. Within the advisory there's also warning of how Lazarus attacks start by targeting employees of these firms, […] | APT 38 APT 28 | ★★★ | |
 |
2022-04-19 15:00:00 | Anomali Cyber Watch: RaidForums Seized, Sandworm Attacks Ukrainian Power Stations, North Korea Steals Chemical Secrets, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, North Korea, Spearphishing, Russia, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Lazarus Targets Chemical Sector
(published: April 14, 2022)
In January 2022, Symantec researchers discovered a new wave of Operation Dream Job. This operation, attributed to the North Korea-sponsored group Lazarus, utilizes fake job offers via professional social media and email communications. With the new wave of attacks, Operation Dream Job switched from targeting the defense, government, and engineering sectors to targeting South Korean organizations operating within the chemical sector. A targeted user executes an HTM file sent via a link. The HTM file is copied to a DLL file to be injected into the legitimate system management software. It downloads and executes the final backdoor: a trojanized version of the Tukaani project LZMA Utils library (XZ Utils) with a malicious export added (AppMgmt). After the initial access, the attackers gain persistence via scheduled tasks, move laterally, and collect credentials and sensitive information.
Analyst Comment: Organizations should train their users to recognize social engineering attacks including those posing as “dream job” proposals. Organizations facing cyberespionage threats should implement a defense-in-depth approach: layering of security mechanisms, redundancy, fail-safe defense processes.
MITRE ATT&CK: [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555
Tags: Lazarus, Operation Dream Job, North Korea, source-country:KP, South Korea, target-country:KR, APT, HTM, CPL, Chemical sector, Espionage, Supply chain, IT sector
Old Gremlins, New Methods
(published: April 14, 2022)
Group-IB researchers have released their analysis of threat actor OldGremlin’s new March 2022 campaign. OldGremlin favored phishing as an initial infection vector, crafting intricate phishing emails that target Russian industries. The threat actors utilized the current war between Russia and Ukraine to add a sense of legitimacy to their emails, with claims that users needed to click a link to register for a new credit card, as current ones would be rendered useless by incoming sanctions. The link leads users to a malicious Microsoft Office document stored within Dropbox. When macros are enabled, the threat actor’s new, custom backdoor, TinyFluff, a new version of their old TinyNode |
Ransomware Spam Malware Vulnerability Threat Guideline Medical | APT 38 APT 28 | |
 |
2022-04-19 10:41:45 | (Déjà vu) Blockchain companies warned of North Korean hackers (lien direct) | The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation and the Treasury Department have all warned of new, ongoing attacks targeting blockchain companies, carried out by the Lazarus Group. The activity cluster has been dubbed TraderTraitor, involving the North Korean state-sponsored advanced persistent threat (APT) actor striking entities operating in the […] | Threat Medical | APT 38 APT 28 | |
 |
2022-04-19 10:12:54 | US: Hackers Continue Aiding North Korea Generate Funds via Cryptocurrency Attacks (lien direct) | North Korean state-sponsored hacking group Lazarus continues to target blockchain and cryptocurrency organizations in recent campaigns, the United States government warns. | APT 38 APT 28 | ||
 |
2022-04-19 09:00:00 | Ronin Crypto Heist of $618m Traced to North Korea (lien direct) | Lazarus Group blamed by US Treasury | Medical | APT 38 APT 28 | |
 |
2022-04-19 00:02:44 | FBI, U.S. Treasury and CISA Warn of North Korean Hackers Targeting Blockchain Companies (lien direct) | The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and the Treasury Department, warned of a new set of ongoing cyber attacks carried out by the Lazarus Group targeting blockchain companies. Calling the activity cluster TraderTraitor, the infiltrations involve the North Korean state-sponsored advanced persistent threat (APT) | Threat Medical | APT 38 APT 28 | |
 |
2022-04-17 09:53:35 | Security Affairs newsletter Round 361 by Pierluigi Paganini (lien direct) | A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box. If you want to also receive for free the newsletter with the international press subscribe here. U.S. Gov believes North Korea-linked Lazarus APT is behind Ronin Validator cyber heist The […] | APT 38 APT 28 | ||
|
2022-04-16 20:30:51 | U.S. Gov believes North Korea-linked Lazarus APT is behind Ronin Validator cyber heist (lien direct) | The U.S. government blames North Korea-linked APT Lazarus for the recent $600 million Ronin Validator cyber heist. The U.S. government attributes the recent $600 million Ronin Validator cryptocurrencty heist to the North Korea-linked APT Lazarus. The U.S. Treasury announced in a notice the sanctions against the Ethereum address used by the APT to receive the […] | APT 38 APT 28 | ||
|
2022-04-16 01:31:45 | Lazarus Group Behind $540 Million Axie Infinity Crypto Hack and Attacks on Chemical Sector (lien direct) | The U.S. Treasury Department has implicated the North Korea-backed Lazarus Group (aka Hidden Cobra) in the theft of $540 million from video game Axie Infinity's Ronin Network last month. On Thursday, the Treasury tied the Ethereum wallet address that received the stolen funds to the threat actor and sanctioned the funds by adding the address to the Office of Foreign Assets Control's (OFAC) | Hack Threat Medical | APT 38 APT 28 | |
|
2022-04-15 14:24:33 | North Korea APT Lazarus Targeting Chemical Sector (lien direct) | Threat hunters at Symantec have spotted signs that North Korea's Lazarus APT group is targeting companies in the chemical sector in an ongoing cyberespionage campaign that includes fake job lures and clever social engineering. | APT 38 APT 28 | ||
|
2022-04-14 20:07:22 | U.S. Gov Blames North Korea Hackers for $600M Cryptocurrency Heist (lien direct) | The U.S. government says the recent $600 million Ronin Validator cryptocurrency heist was conducted by Lazarus Group, the notorious hacking outfit linked to the North Korean government. | Medical | APT 38 APT 28 | |
 |
2022-04-11 15:15:09 | CVE-2022-27115 (lien direct) | In Studio-42 elFinder 2.1.60, there is a vulnerability that causes remote code execution through file name bypass for file upload. | Vulnerability | APT 33 | |
|
2022-04-07 17:15:08 | CVE-2021-43421 (lien direct) | A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code. | Vulnerability | APT 33 | ★★ |
|
2022-04-04 16:15:09 | CVE-2022-0403 (lien direct) | The Library File Manager WordPress plugin before 5.2.3 is using an outdated version of the elFinder library, which is know to be affected by security issues (CVE-2021-32682), and does not have any authorisation as well as CSRF checks in its connector AJAX action, allowing any authenticated users, such as subscriber to call it. Furthermore, as the options passed to the elFinder library does not restrict any file type, users with a role as low as subscriber can Create/Upload/Delete Arbitrary files and folders. | APT 33 | ||
|
2022-04-01 03:37:45 | North Korean Hackers Distributing Trojanized DeFi Wallet Apps to Steal Victims\' Crypto (lien direct) | The North Korean state-backed hacking crew, otherwise known as the Lazarus Group, has been attributed to yet another financially motivated campaign that leverages a trojanized decentralized finance (DeFi) wallet app to distribute a fully-featured backdoor onto compromised Windows systems. The app, which is equipped with functionalities to save and manage a cryptocurrency wallet, is also designed | Medical | APT 38 | |
 |
2022-03-31 12:00:23 | Lazarus Trojanized DeFi app for delivering malware (lien direct) | We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor. | Malware | APT 38 | |
 |
2022-03-29 12:00:00 | Transparent Tribe APT returns to strike India\'s government and military (lien direct) | The development of custom malware indicates the group is trying to "compromise even more victims." | Malware | APT 36 | |
|
2022-03-29 05:42:02 | New Hacking Campaign by Transparent Tribe Hackers Targeting Indian Officials (lien direct) | A threat actor of likely Pakistani origin has been attributed to yet another campaign designed to backdoor targets of interest with a Windows-based remote access trojan named CrimsonRAT since at least June 2021. "Transparent Tribe has been a highly active APT group in the Indian subcontinent," Cisco Talos researchers said in an analysis shared with The Hacker News. "Their primary targets have | Threat | APT 36 | |
 |
2022-03-29 05:02:08 | Transparent Tribe campaign uses new bespoke malware to target Indian government officials (lien direct) | By Asheer Malhotra and Justin Thattil with contributions from Kendall McKay. Cisco Talos has observed a new Transparent Tribe campaign targeting Indian government and military entities. While the actors are infecting victims with CrimsonRAT, their well-known malware of choice, they are also using... [[ This is only the beginning! Please visit the blog for the complete entry ]] | Malware | APT 36 | |
 |
2022-03-23 09:00:00 | Pas si Lazarus: cartographie des groupes de cyber-menaces de la RPDC pour les organisations gouvernementales Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations (lien direct) |
Mandiant estime que la cyber-capacité de la Corée du Nord soutient les priorités de la sécurité politique et nationale de longue date et immédiate, ainsi que des objectifs financiers.Nous évaluons la plupart des cyber-opérations de la Corée du Nord, y compris l'espionnage, les opérations destructrices et les délits financiers, sont principalement menés par des éléments du Bureau général de reconnaissance.Pendant ce temps, les missions du ministère de la Sécurité des États et du Front United semblent jouer un rôle limité dans le programme de cyber \\ de la Corée du Nord. Les rapports open-source utilisent souvent le titre Lezarus Group comme terme parapluie se référant à
Mandiant believes that North Korea\'s cyber capability supports both long-standing and immediate political and national security priorities, as well as financial goals. We assess most of North Korea\'s cyber operations, including espionage, destructive operations, and financial crimes, are primarily conducted by elements within the Reconnaissance General Bureau. Meanwhile, the Ministry of State Security and United Front Department\'s missions appear to play limited roles in North Korea\'s cyber program. Open-source reporting often uses the Lazarus Group title as an umbrella term referring to |
Threat | APT 38 | ★★★★ |
|
2022-03-21 17:15:07 | CVE-2022-26960 (lien direct) | connector.minimal.php in std42 elFinder through 2.1.60 is affected by path traversal. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths. | APT 33 | ||
|
2022-03-09 21:09:28 | (Déjà vu) Google blocked China-linked APT31\'s attacks targeting U.S. Government (lien direct) | Google has blocked a phishing campaign conducted by China-linked group APT31 aimed at Gmail users associated with the U.S. government. Google announced to have blocked a phishing campaign originating conducted by China-linked cybereaspionage group APT31 (aka Zirconium, Judgment Panda, and Red Keres) and aimed at Gmail users associated with the U.S. government. The campaign took […] | APT 31 | ||
|
2022-02-24 19:15:09 | CVE-2021-44663 (lien direct) | A Remote Code Execution (RCE) vulnerability exists in the Xerte Project Xerte through 3.8.4 via a crafted php file through elfinder in connetor.php. | Vulnerability | APT 33 | |
|
2022-02-22 15:18:36 | Enterprise IoT Security Firm Phosphorus Raises $38 Million (lien direct) | Nashville, TN-based IoT security firm Phosphorus Cybersecurity has raised $38 million in a Series A funding round led by SYN Ventures and MassMutual Ventures. Phosphorus discovers, delivers timely and automated patching and credential rotation for IoT devices in what it calls the 'Security of Things'. | Patching Conference | APT 35 APT 35 | |
 |
2022-02-21 19:50:06 | Phishing Campaign Targets NFT Speculators (lien direct) |
Scams follow fashion because money follows fashion. So it's no surprise that non-fungible tokens (NFTs), which have become a hot speculative property, have drawn scam artists for phishing campaigns. They're not so much interested in the NFTs themselves as they are in the speculators' cash. OceanSea, a leading NFT marketplace, has responded to panicky tweets from users to reassure them that it's on top of rumors of “an exploit” connected to the smart contracts traders use. |
Guideline | APT 32 | |
|
2022-02-18 15:21:14 | Iran-linked TunnelVision APT is actively exploiting the Log4j vulnerability (lien direct) | Iran-linked TunnelVision APT group is actively exploiting the Log4j vulnerability to deploy ransomware on unpatched VMware Horizon servers. Researchers from SentinelOne have observed the potentially destructive Iran-linked APT group TunnelVision is actively exploiting the Log4j vulnerability to deploy ransomware on unpatched VMware Horizon servers. TunnelVision’s TTPs overlap with the ones associated with Iran-linked nation-state actors Phosphorus, Charming Kitten […] | Ransomware Vulnerability Conference | APT 35 | |
|
2022-02-17 23:40:44 | Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware (lien direct) | A "potentially destructive actor" aligned with the government of Iran is actively exploiting the well-known Log4j vulnerability to infect unpatched VMware Horizon servers with ransomware. Cybersecurity firm SentinelOne dubbed the group "TunnelVision" owing to their heavy reliance on tunneling tools, with overlaps in tactics observed to that of a broader group tracked under the moniker Phosphorus | Ransomware Conference | APT 35 | |
|
2022-02-15 20:01:00 | Anomali Cyber Watch: Mobile Malware Is On The Rise, APT Groups Are Working Together, Ransomware For The Individual, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Mobile Malware, APTs, Ransomware, Infostealers, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
What’s With The Shared VBA Code Between Transparent Tribe And Other Threat Actors?
(published: February 9, 2022)
A recent discovery has been made that links malicious VBA macro code between multiple groups, namely: Transparent Tribe, Donot Team, SideCopy, Operation Hangover, and SideWinder. These groups operate (or operated) out of South Asia and use a variety of techniques with phishing emails and maldocs to target government and military entities within India and Pakistan. The code is similar enough that it suggests cooperation between APT groups, despite having completely different goals/targets.
Analyst Comment: This research shows that APT groups are sharing TTPs to assist each other, regardless of motive or target. Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Phishing - T1566
Tags: Transparent Tribe, Donot, SideWinder, Asia, Military, Government
Fake Windows 11 Upgrade Installers Infect You With RedLine Malware
(published: February 9, 2022)
Due to the recent announcement of Windows 11 upgrade availability, an unknown threat actor has registered a domain to trick users into downloading an installer that contains RedLine malware. The site, "windows-upgraded[.]com", is a direct copy of a legitimate Microsoft upgrade portal. Clicking the 'Upgrade Now' button downloads a 734MB ZIP file which contains an excess of dead code; more than likely this is to increase the filesize for bypassing any antivirus scan. RedLine is a well-known infostealer, capable of taking screenshots, using C2 communications, keylogging and more.
Analyst Comment: Any official Windows update or installation files will be downloaded through the operating system directly. If offline updates are necessary, only go through Microsoft sites and subdomains. Never update Windows from a third-party site due to this type of attack.
MITRE ATT&CK: [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: RedLine, Windows 11, Infostealer
|
Ransomware Malware Tool Vulnerability Threat Guideline | Uber APT 43 APT 36 APT-C-17 | |
|
2022-02-09 10:57:38 | Cryptocurrency organisations hit with fake job offers (lien direct) | North Korean threat actors, known as the Lazarus group have been posting fake job listings to target the cryptocurrency vertical in the US, UK, Germany, Singapore and more. Lazarus hackers, also known as HIDDEN COBRA by the United States Intelligence Community and Zinc by Microsoft, have targeted cryptocurrency organisations in the past. The North Koreans are […] | Threat Medical | APT 38 APT 28 | ★★ |
|
2022-02-09 09:31:42 | Lazarus hackers target defense industry with fake Lockheed Martin job offers (lien direct) | The APT has previously masqueraded as Northrop Grumman and BAE Systems. | APT 38 | ||
|
2022-02-09 05:06:14 | What\'s with the shared VBA code between Transparent Tribe and other threat actors? (lien direct) | By Vanja Svajcer and Vitor Ventura. Recently, we've been researching several threat actors operating in South Asia: Transparent Tribe, SideCopy, etc., that deploy a range of remote access trojans (RATs). After a hunting session in our malware sample repositories and VirusTotal while looking into... [[ This is only the beginning! Please visit the blog for the complete entry ]] | Malware Threat | APT 36 | |
|
2022-02-09 03:25:23 | Iranian Hackers Using New Marlin Backdoor in \'Out to Sea\' Espionage Campaign (lien direct) | An advanced persistent threat (APT) group with ties to Iran has refreshed its malware toolset to include a new backdoor dubbed Marlin as part of a long-running espionage campaign that started in April 2018. Slovak cybersecurity company ESET attributed the attacks - code named Out to Sea - to a threat actor called OilRig (aka APT34), while also conclusively connecting its activities to a second | Malware Threat | APT 34 | |
|
2022-02-08 23:15:07 | CVE-2021-45919 (lien direct) | Studio 42 elFinder through 2.1.31 allows XSS via an SVG document. | APT 33 | ||
|
2022-02-08 16:00:00 | Anomali Cyber Watch: Conti Ransomware Attack, Iran-Sponsored APTs, New Android RAT, Russia-Sponsored Gamaredon, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Data breach, RATs, SEO poisoning, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New CapraRAT Android Malware Targets Indian Government and Military Personnel
(published: February 7, 2022)
Trend Micro researchers have discovered a new remote access trojan (RAT) dubbed, CapraRAT, that targets Android systems. CapraRAT is attributed to the advanced persistent threat (APT) group, APT36 (Earth Karkaddan, Mythic Leopard, Transparent Tribe), which is believed to be Pakistan-based group that has been active since at least 2016. The Android-targeting CapraRAT shares similarities (capabilities, commands, and function names) to the Windows targeting Crimson RAT, and researchers note that it may be a modified version of the open source AndroRAT. The delivery method of CapraRAT is unknown, however, APT36 is known to use spearphishing emails with attachments or links. Once CapraRAT is installed and executed it will attempt to reach out to a command and control server and subsequently begin stealing various data from an infected device.
Analyst Comment: It is important to only use the Google Play Store to obtain your software (for Android users), and avoid installing software from unverified sources because it is easier for malicious applications to get into third-party stores. Applications that ask for additional permissions outside of their normal functionality should be treated with suspicion, and normal functionality for the applications should be reviewed carefully prior to installation. Antivirus applications, if available, should be installed devices.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Software Deployment Tools - T1072
Tags: APT36, Earth Karkaddan, Mythic Leopard, Transparent Tribe, Android, CapraRAT
Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine
(published: February 3, 2022)
The Russia-sponsored, cyberespionage group Primitive Bear (Gamaredon) has continued updating its toolset, according to Unit 42 researchers. The group continues to use their primary tactic in spearphishing emails with attachments that leverage remote templates and template injection with a focus on Ukraine. These email attachments are usually Microsoft Word documents that use the remote template to fetch VBScript, execute it to establish persistence, and wait for the group’s instruction via a command and control server. Unit 42 researchers have analyzed the group’s activity and infrastructure dating back to 2018 up to the current border tensions between Russia and Ukraine. The infrastructure behind the campaigns is robust, with clusters of domains that are rotated and parked on different IPs, often on a daily basis.
Analyst Comment: Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromis |
Ransomware Malware Threat Conference | APT 35 APT 35 APT 29 APT 29 APT 36 | ★★ |
|
2022-02-08 14:23:51 | CyberheistNews Vol 12 #06 [Heads Up] Beware of New Quickbooks Payment Scams (lien direct) |
![CyberheistNews Vol 12 #06 [Heads Up] Beware of New Quickbooks Payment Scams](https://blog.knowbe4.com/hubfs/Stu_Headshot_2021_resize.png)
[Heads Up] Beware of New QuickBooks Payment Scams
Email not displaying? |
CyberheistNews Vol 12 #06 | Feb. 8th., 2022
[Heads Up] Beware of New QuickBooks Payment Scams
Many small and mid-sized companies use Intuit's popular QuickBooks program. They usually start out using its easy-to-use base accounting program and then the QuickBooks program aggressively pushes other complimentary features. One of those add-on features is the ability to send customers' invoices via email.
The payee can click on a “Review and pay” button in the email to pay the invoice. It used to be a free, but less mature, feature years ago, but these days, it costs extra. Still, if you are using QuickBooks for your accounting, the ability to generate, send, receive and electronically track invoices all in one place is a pretty easy sell.
Unfortunately, phishing criminals are using QuickBooks' popularity to send business email compromise (BEC) scams. The emails appear as if they are coming from a legitimate vendor using QuickBooks, but if the potential victim takes the bait, the invoice they pay will be to the scammer.
Worse, the payment request can require that the payee use ACH (automated clearing house) method, which requires the payee to input their bank account details. So, if the victim falls for the scam, the criminal now has their bank account information. Not good.
Note: Some other QuickBooks scam warnings will tell you that QuickBooks will never ask for your ACH or banking details. This is not completely true. QuickBooks, the company and its support staff, never will, but QuickBooks email payment requests often do. Warn your users in Accounting.
CONTINUED at the KnowBe4 blog with both legit and malicious example screenshots:
https://blog.knowbe4.com/beware-of-quickbooks-payment-scams
|
Malware Hack Threat Conference | APT 35 | |
 |
2022-02-02 14:00:05 | Finding elFinder: Who is looking for your files?, (Wed, Feb 2nd) (lien direct) | elFinder is an interesting open-source project implementing a file manager in JavaScript and PHP. The file manager promises a user experience similar to the "Finder" in macOS. Once you have elFinder installed, uploading/downloading files to your web server will be a lot easier. | APT 33 | ||
 |
2022-02-02 13:58:34 | Charming Kitten Sharpens Its Claws with PowerShell Backdoor (lien direct) | The notorious Iranian APT is fortifying its arsenal with new malicious tools and evasion tactics and may even be behind the Memento ransomware. | APT 35 | ||
|
2022-02-02 11:55:18 | Experts warn of a spike in APT35 activity and a possible link to Memento ransomware op (lien direct) | The Cybereason Nocturnus Team reported a spike in the activity of the Iran-linked APT group APT35 (aka Phosphorus or Charming Kitten). The Cybereason Nocturnus Team observed a spike in the activity of the Iran-linked APT group APT35 (aka 'Charming Kitten', 'Phosphorus', Newscaster, and Ajax Security Team) The Phosphorus group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized […] | Ransomware Conference | APT 35 APT 35 | |
|
2022-02-01 16:24:06 | Iranian Hackers Using New PowerShell Backdoor Linked to Memento Ransomware (lien direct) | Attacks from the Iranian Phosphorus APT (aka Charming Kitten, APT35) are well documented. Now a new set of tools incorporated into the group's arsenal, and a connection with the Memento ransomware, have been discovered. | Ransomware Conference | APT 35 APT 35 | |
 |
2022-02-01 14:00:00 | Cyberspies linked to Memento ransomware use new PowerShell malware (lien direct) | An Iranian state-backed hacking group tracked as APT35 (aka Phosphorus or Charming Kitten) is now deploying a new backdoor called PowerLess and developed using PowerShell. [...] | Ransomware Malware Conference | APT 35 APT 35 | |
 |
2022-02-01 05:01:00 | PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage (lien direct) |
Over the past months, the Cybereason Nocturnus Team observed an uptick in the activity of the Iranian attributed group dubbed Phosphorus (AKA Charming Kitten, APT35), known for previously attacking medical research organizations in the US and Israel in late 2020, and for targeting academic researchers from the US, France, and the Middle East region back in 2019. |
Conference | APT 35 APT 35 | |
|
2022-02-01 02:28:30 | Iranian Hackers Using New PowerShell Backdoor in Cyber Espionage Attacks (lien direct) | An advanced persistent threat group with links to Iran has updated its malware toolset to include a novel PowerShell-based implant called PowerLess Backdoor, according to new research published by Cybereason. The Boston-headquartered cybersecurity company attributed the malware to a hacking group known as Charming Kitten (aka Phosphorous, APT35, or TA453), while also calling out the backdoor's | Malware Threat Conference | APT 35 APT 35 | |
|
2022-01-31 15:41:44 | North Korean Hackers Abuse Windows Update Client in Attacks on Defense Industry (lien direct) | The North Korean threat group Lazarus was observed abusing the Windows Update client for the execution of malicious code during a campaign this month, Malwarebytes reports. | Threat | APT 38 APT 28 | |
|
2022-01-28 21:47:21 | Lazarus APT Uses Windows Update to Spew Malware (lien direct) | The group once again dangled fake job opportunities at engineers in a spear-phishing campaign that used Windows Update as a living-off-the-land technique and GitHub as a C2. | Malware | APT 38 | |
|
2022-01-28 01:24:28 | North Korean Hackers Using Windows Update Service to Infect PCs with Malware (lien direct) | The notorious Lazarus Group actor has been observed mounting a new campaign that makes use of the Windows Update service to execute its malicious payload, expanding the arsenal of living-off-the-land (LotL) techniques leveraged by the APT group to further its objectives. The Lazarus Group, also known as APT38, Hidden Cobra, Whois Hacking Team, and Zinc, is the moniker assigned to the North | Malware Medical | APT 38 APT 28 | |
|
2022-01-27 20:30:53 | North Korea-linked Lazarus APT used Windows Update client and GitHub in recent attacks (lien direct) | North Korea-linked Lazarus APT group uses Windows Update client to deliver malware on Windows systems. North Korea-linked Lazarus APT started using Windows Update to execute the malicious payload and GitHub as a command and control server in recent attacks, Malwarebytes researchers reported. The activity of the Lazarus APT group surged in 2014 and 2015, its members used […] | Malware | APT 38 APT 28 | |
|
2022-01-27 13:31:40 | Lazarus hackers use Windows Update to deploy malware (lien direct) | North Korean-backed hacking group Lazarus has added the Windows Update client to its list of living-off-the-land binaries (LoLBins) and is now actively using it to execute malicious code on Windows systems. [...] | Malware | APT 38 | |
 |
2022-01-24 00:00:00 | Investigating APT36 or Earth Karkaddan\'s Attack Chain and Malware Arsenal (lien direct) | We investigated the most recent activities of APT36, also known as Earth Karkaddan, a politically motivated advanced persistent threat (APT) group, and discuss its use of CapraRAT, an Android RAT with clear similarities in design to the group's favored Windows malware, Crimson RAT.
|
Malware Threat | APT 36 | |
|
2022-01-19 22:45:00 | Anomali Cyber Watch: Russia-Sponsored Cyber Threats, China-Based Earth Lusca Active in Cyberespionage and Cybertheft, BlueNoroff Hunts Cryptocurrency-Related Businesses, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, HTTP Stack, Malspam, North Korea, Phishing, Russia and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques
(published: January 17, 2022)
The Earth Lusca threat group is part of the Winnti cluster. It is one of different Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs) including the use of Winnti malware. Earth Lusca were active throughout 2021 committing both cyberespionage operations against government-connected organizations and financially-motivated intrusions targeting gambling and cryptocurrency-related sectors. For intrusion, the group tries different ways in including: spearphishing, watering hole attacks, and exploiting publicly facing servers. Cobalt Strike is one of the group’s preferred post-exploitation tools. It is followed by the use of the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group employs two separate infrastructure clusters, first one is rented Vultr VPS servers used for command-and-control (C2), second one is compromised web servers used to scan for vulnerabilities, tunnel traffic, and Cobalt Strike C2.
Analyst Comment: Earth Lusca often relies on tried-and-true techniques that can be stopped by security best practices, such as avoiding clicking on suspicious email/website links and or reacting on random banners urging to update important public-facing applications. Don’t be tricked to download Adobe Flash update, it was discontinued at the end of December 2020. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) updated.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hijack Execution Flow |
Ransomware Malware Tool Vulnerability Threat Patching Guideline | APT 41 APT 38 APT 29 APT 28 APT 28 | |
|
2022-01-18 16:59:26 | North Korean Cryptocurrency Theft Relies on Social Engineering (lien direct) |
A North Korean threat actor being called “BlueNoroff,” a subunit of Pyongyang's Lazarus Group, has been targeting cryptocurrency startups with financially motivated attacks, researchers at Kaspersky have found. The campaign, “SnatchCrypto,” is using malicious documents to gain access to internal communications, then using social engineering to manipulate employees. |
Threat Medical | APT 38 APT 28 |
To see everything:
Our RSS (filtrered)
