What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
TroyHunt 2021-06-19 13:00:57 Two Viking burials, separated by an ocean, contain close kin (direct link) Two Viking Age warriors from the same family died hundreds of kilometers apart. APT 32
WiredThreatLevel 2021-06-16 18:00:00 This Robot Spies on Creatures in the Ocean's 'Twilight Zone' (direct link) Mesobot looks like a giant AirPods case, but it's in fact a sophisticated machine that tracks animals making the most epic migration on Earth. APT 32
TroyHunt 2021-06-16 10:15:07 Mercury is accumulating in deep ocean trenches (direct link) Following mercury around the environment isn't easy. APT 32
The_Hackers_News 2021-06-16 05:25:25 Malware Attack on South Korean Entities Was Work of Andariel Group (direct link) A malware campaign targeting South Korean entities that came to light earlier this year has been attributed to a North Korean nation-state hacking group called Andariel, once again indicating that Lazarus attackers are following the trends and their arsenal is in constant development. "The way Windows commands and their options were used in this campaign is almost identical to previous Andariel Malware APT 38
CVE 2021-06-14 17:15:07 CVE-2021-32682 (direct link) elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication. APT 33 ★★★
CVE 2021-06-13 11:15:14 CVE-2021-23394 (direct link) The package studio-42/elfinder before 2.1.58 is vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP. APT 33
ProofPoint 2021-06-11 11:34:28 Fake Lazarus DDoS Gang Launches New 'Attacks' (direct link) The package studio-42/elfinder before 2.1.58 is vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP. APT 38 APT 28
Kaspersky 2021-06-10 21:54:21 'Fancy Lazarus' Cyberattackers Ramp up Ransom DDoS Efforts (direct link) The group, known for masquerading as various APT groups, is back with a spate of attacks on U.S. companies. APT 38
Pirate 2021-06-10 12:33:45 The DDoS extortion specialist Fancy Lazarus makes its big comeback (direct link) Proofpoint researchers are closely tracking new malicious activity: the ransom-demanding distributed denial-of-service (DDoS) extortion threat known as "Fancy Lazarus". The post The DDoS extortion specialist Fancy Lazarus makes its big comeback first appeared on UnderNews. APT 38 APT 28
ProofPoint 2021-06-10 11:18:22 'Fancy Lazarus' Criminal Group Launches DDoS Extortion Campaign (direct link) Proofpoint researchers are closely tracking new malicious activity: the ransom-demanding distributed denial-of-service (DDoS) extortion threat known as "Fancy Lazarus". The post The DDoS extortion specialist Fancy Lazarus makes its big comeback first appeared on UnderNews. APT 38
Anomali 2021-06-02 15:00:00 Anomali Cyber Watch: Attacks Against Israeli Targets, MacOS Zero-Days, Conti Ransomware Targeting US Healthcare and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Agrius, Conti, North Korea, JSWorm, Nobelium, Phishing, Strrat and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New Sophisticated Email-based Attack From NOBELIUM (published: May 28, 2021) NOBELIUM, the threat actor behind SolarWinds attacks, has been conducting a widespread email campaign against more than 150 organizations. Using attached HTML files containing JavaScript, the email will write an ISO file to disk; this contains a Cobalt Strike beacon that will activate on completion. Once detonated, the attackers have persistent access to a victim's system for additional objectives such as data harvesting/exfiltration, monitoring, and lateral movement. Analyst Comment: Be sure to update and monitor email filter rules constantly. As noted in the report, many organizations managed to block these malicious emails; however, some payloads successfully bypassed cloud security due to incorrect/poorly implemented filter rules. MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Spearphishing Attachment - T1193 Tags: Nobelium, SolarWinds, TearDrop, CVE-2021-1879, Government, Military Evolution of JSWorm Ransomware (published: May 25, 2021) JSWorm ransomware was discovered in 2019, and since then different variants have gained notoriety under different names such as Nemty, Nefilim, and Offwhite, among others. It has been used to target multiple industries with the largest concentration in engineering, and others including finance, healthcare, and energy. While the underlying code has been rewritten from C++ to Golang (and back again), along with revolving distribution methods, JSWorm remains a consistent threat. Analyst Comment: Ransomware threats often affect organisations in two ways. First, by encrypting operationally critical documents and data. In these cases EDR solutions will help to block potential ransomware and data backup solutions will help to restore files in case an attack is successful. Secondly, sensitive customer and business files are exfiltrated and leaked online by ransomware gangs. DLP solutions will help to identify and block potential data exfiltration attempts, while network segregation and encryption of critical data will play an important role in reducing the risk. MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Private Keys - T1145 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] BITS Jobs - T1197 Ransomware Malware Threat Medical Solardwinds APT 38 APT 28
2021-05-28 07:30:24 Talos Takes Ep. #55: How Transparent Tribe could evolve in the future (direct link) By Jon Munshaw. The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page. We recently covered how the Transparent Tribe APT added another RAT to its arsenal. Where might they go from here? In... [[ This is only the beginning! Please visit the blog for the complete entry ]] APT 36
The_Hackers_News 2021-05-24 10:23:01 Researchers Link CryptoCore Attacks On Cryptocurrency Exchanges to North Korea (direct link) State-sponsored hackers affiliated with North Korea have been behind a slew of attacks on cryptocurrency exchanges over the past three years, new evidence has revealed. Attributing the attack with "medium-high" likelihood to the Lazarus Group (aka APT38 or Hidden Cobra), researchers from Israeli cybersecurity firm ClearSky said the campaign, dubbed "CryptoCore," targeted crypto exchanges in Medical APT 38 APT 28
bleepingcomputer 2021-05-24 10:02:03 North Korean hackers behind CryptoCore multi-million dollar heists (direct link) Security researchers piecing together evidence from multiple attacks on cryptocurrency exchanges, attributed to a threat actor they named CryptoCore, have established a strong connection to the North Korean state-sponsored group Lazarus. [...] Threat APT 38
SecurityAffairs 2021-05-23 12:33:32 Security Affairs newsletter Round 315 (direct link) A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box. Avaddon Ransomware gang hacked France-based Acer Finance and AXA Asia MSBuild tool used to deliver RATs filelessly Pakistan-linked Transparent Tribe APT expands its arsenal Two flaws could allow bypassing AMD […] Ransomware Tool APT 36
Anomali 2021-05-18 19:05:00 Anomali Cyber Watch: Microsoft Azure Vulnerability Discovered, MSBuild Used to Deliver Malware, Escalation of Avaddon Ransomware and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Android, Malware, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Cross-Browser Tracking Vulnerability Tracks You Via Installed Apps (published: May 14, 2021) A new method of fingerprinting users has been developed that works in any browser. Using URL schemes, certain applications can be launched from the browser. With this knowledge, an attacker can flood a client with multiple URL schemes to determine installed applications and create a fingerprint. Google Chrome has certain protections against this attack, but a workaround exists when using the built-in PDF viewer; this resets a flag used for flood protection. The only known protection against scheme flooding is to use browsers across multiple devices. Analyst Comment: It is critical that the latest security patches be applied as soon as possible to the web browser used by your company. Vulnerabilities are discovered relatively frequently, and it is paramount to install the security patches because the vulnerabilities are often posted to open sources where any malicious actor could attempt to mimic the techniques that are described. Tags: Scheme Flooding, Vulnerability, Chrome, Firefox, Edge Threat Actors Use MSBuild to Deliver RATs Filelessly (published: May 13, 2021) Anomali Threat Research have identified a campaign in which threat actors are using MSBuild project files to deliver malware. The project files contain a payload, either Remcos RAT, RedLine, or QuasarRAT, with shellcode used to inject that payload into memory. Using this technique the malware is delivered filelessly, allowing the malware to evade detection. Analyst Comment: Threat actors are always looking for new ways to evade detection. Users should make use of a runtime protection solution that can detect memory-based attacks. MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Trusted Developer Utilities - T1127 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] File and Directory Discovery - T1083 | Ransomware Malware Vulnerability Threat Guideline APT 36
CVE 2021-05-17 11:15:07 CVE-2021-29053 (direct link) Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C. APT 33
SecurityAffairs 2021-05-16 08:39:52 Pakistan-linked Transparent Tribe APT expands its arsenal (direct link) Alleged Pakistan-linked cyber espionage group, tracked as Transparent Tribe, targets Indian entities with a new Windows malware. Researchers from Cisco Talos warn that the Pakistan-linked APT group Transparent Tribe expanded its Windows malware arsenal. The group used the new malware dubbed ObliqueRAT in cyberespionage attacks against Indian targets. The Operation Transparent Tribe (Operation C-Major, APT36, and Mythic […] Malware APT 36
WiredThreatLevel 2021-05-15 11:00:00 The Wondrous, Tedious Ocean of Subnautica: Below Zero (direct link) The game is, for the most part, a sublime seafaring sequel. Too bad it often feels like a grind. APT 32
TechRepublic 2021-05-14 12:49:59 AI under the sea: Autonomous robot to collect data from new depths (direct link) Terradepth CEO talks about a project to map out and collect data from all the oceans of the world. The company uses artificial intelligence and machine learning to gather and make sense of the data. APT 32
The_Hackers_News 2021-05-14 05:04:00 Pakistan-Linked Hackers Added New Windows Malware to Its Arsenal (direct link) Cybercriminals with suspected ties to Pakistan continue to rely on social engineering as a crucial component of their operations as part of an evolving espionage campaign against Indian targets, according to new research. The attacks have been linked to a group called Transparent Tribe, also known as Operation C-Major, APT36, and Mythic Leopard, which has created fraudulent domains mimicking Malware APT 36
WiredThreatLevel 2021-05-13 19:00:20 Watch Us Roam Virtual Deep Seas With Real Oceanographers (direct link) WIRED will be playing Subnautica: Below Zero and talking about ocean and space exploration with scientists from NOAA and Woods Hole Oceanographic Institute. APT 32
2021-05-13 05:09:57 Transparent Tribe APT expands its Windows malware arsenal (direct link) By Asheer Malhotra, Justin Thattil and Kendall McKay. Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. Cisco Talos' previous research has mainly linked this... [[ This is only the beginning! Please visit the blog for the complete entry ]] Malware APT 36
SecurityThroughEducation 2021-05-10 06:00:29 Ep. 145 – Baking a Human Behavior Cake with Jack Schafer (direct link) In this episode, Chris Hadnagy and Maxie Reynolds are joined by industry professional Jack Schafer, PhD. Dr. Schafer is a psychologist, professor, intelligence consultant, and former FBI Special Agent. Dr. Schafer spent fifteen years conducting counter-intelligence and counterterrorism investigations, and seven years as a behavioral analyst for the FBI's National Security Division's Behavioral Analysis Program. May 10, 2021 Download Ep. 145 […] Prediction APT 39
WiredThreatLevel 2021-05-06 15:00:00 Sharks Use the Earth's Magnetic Field Like a Compass (direct link) Biologists have long believed that these animals rely on magnetic sensing to migrate across oceans. Someone finally figured out how to prove it. APT 32
TroyHunt 2021-05-02 09:43:33 Four astronauts make first nighttime landing in the ocean since 1968 (direct link) "I would just like to say, quite frankly, y'all are changing the world." APT 32
grahamcluley 2021-04-30 07:30:29 DigitalOcean admits data breach exposed customers' billing details (direct link) DigitalOcean, the popular cloud-hosting provider, has told some of its customers that their billing details were exposed due to what it described as a "flaw." Read more in my article on the Hot for Security blog. Data Breach APT 32
SecurityWeek 2021-04-29 14:35:46 DigitalOcean Discloses Breach Involving Billing Information (direct link) Cloud solutions provider DigitalOcean has started informing some customers that their billing information may have been compromised after someone exploited a vulnerability in the company's systems. Vulnerability APT 32
The_Hackers_News 2021-04-29 03:19:09 Chinese Hackers Attacking Military Organizations With New Backdoor (direct link) Cybersecurity researchers on Wednesday exposed a new cyberespionage campaign targeting military organizations in Southeast Asia. Attributing the attacks to a threat actor dubbed "Naikon APT," cybersecurity firm Bitdefender laid out the ever-changing tactics, techniques, and procedures adopted by the group, including weaving new backdoors named "Nebulae" and "RainyDay" into their data-stealing Threat APT 30
SecurityAffairs 2021-04-28 19:40:55 Naikon APT group uses new Nebulae backdoor in attacks aimed at military orgs (direct link) China-linked APT Naikon employed a new backdoor in multiple cyber-espionage operations targeting military organizations from Southeast Asia in the last 2 years. The Naikon APT group is a China-linked cyber espionage group that has been active at least since 2010 and that remained under the radar since 2015 while targeting entities in the Asia-Pacific (APAC) region. Organizations targeted by the […] APT 30
bleepingcomputer 2021-04-28 16:09:13 DigitalOcean data breach exposes customer billing information (direct link) Cloud hosting provider DigitalOcean has disclosed a data breach after a flaw exposed customers' billing information. [...] Data Breach APT 32
Anomali 2021-04-27 17:24:00 Anomali Cyber Watch: HabitsRAT Targeting Linux and Windows Servers, Lazarus Group Targeting South Korean Orgs, Multiple Zero-Days and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Android Malware, RATs, Phishing, QLocker Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Zero-day Vulnerabilities in SonicWall Email Security Actively Exploited (published: April 21, 2021) US cybersecurity company SonicWall said fixes have been published to resolve three critical issues in its email security solution that are being actively exploited in the wild. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above. Analyst Comment: The patches for these vulnerabilities have been issued and should be applied as soon as possible to avoid potential malicious behaviour. SonicWall's security notice can be found here https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/. It is important that your company has patch-maintenance policies in place. Once a vulnerability has been publicly reported, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity. MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083 Tags: CVE-2021-20021, CVE-2021-20023, CVE-2021-20022 Massive Qlocker Ransomware Attack Uses 7zip to Encrypt QNAP Devices (published: April 21, 2021) The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021. All victims are told to pay 0.01 Bitcoins, which is approximately $557.74, to get a password for their archived files. While the files are being locked, the Resource Monitor will display numerous '7z' processes, which are the 7zip command-line executable. Analyst Comment: Attackers are using legitimate tools like 7zip to evade detection by traditional antiviruses. EDR solutions can help track suspicious command-line arguments and process creations to potentially detect such attacks. Customers should use backup solutions to be able to recover encrypted files. MITRE ATT&CK: [MITRE ATT&CK] Credentials in Files - T1081 Tags: Tor, Qlocker, CVE-2020-2509, CVE-2020-36195 Novel Email-Based Campaign Targets Bloomberg Clients with RATs (published: April 21, 2021) A new e-mail-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg's industry-based services. Attacks start in the form of targeted emails to c Ransomware Malware Tool Vulnerability Threat Medical Wannacry Wannacry APT 38 APT 28
mcafee 2021-04-26 15:00:44 You Don't Have to Give Up Your Crown Jewels in Hopes of Better Cloud Security (direct link) If you're like me, you love a good heist film. Movies like The Italian Job, Inception, and Ocean's 11 are riveting, but outside of cinema these types of heists don't really happen anymore, right? Think again. In 2019, the Green Vault Museum in Dresden, Germany reported a jewel burglary worthy of its own film. On […] APT 32 ★★★★★
Darktrace 2021-04-23 09:00:00 APT35 'Charming Kitten' discovered in a pre-infected environment (direct link) This blog discusses how Darktrace discovered a stealthy pre-existing APT35 infection in a customer environment. Conference APT 35
grahamcluley 2021-04-22 08:30:22 Smashing Security podcast #224: The Lazarus Heist, Facebook faux pas, and no-cost security (direct link) Facebook has managed to do the seemingly impossible - and had a data breach about its handling of a data breach. Meanwhile, we chat to the host of the brand new podcast about North Korea's hackers targeting the rest of the world, and discuss if an intern can be trusted to monitor your security. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Geoff White and featuring an interview with Duo's Helen Patton. Data Breach APT 38 APT 28
SecurityAffairs 2021-04-20 16:06:24 North Korea-linked Lazarus APT hides malicious code within BMP image to avoid detection (direct link) North Korea-linked Lazarus APT group is abusing bitmap (.BMP) image files in a recent spear-phishing campaign targeting entities in South Korea. Experts from Malwarebytes have uncovered a spear-phishing attack conducted by the North Korea-linked Lazarus APT group that obfuscated malicious code within a bitmap (.BMP) image file. The malicious code within the bitmap image […] APT 38 APT 28
ZDNet 2021-04-20 10:35:48 Lazarus hacking group now hides payloads in BMP image files (direct link) South Korea continues to be a favored target. APT 38
The_Hackers_News 2021-04-19 22:33:45 Lazarus APT Hackers are now using BMP images to hide RAT malware (direct link) A spear-phishing attack operated by a North Korean threat actor targeting its southern counterpart has been found to conceal its malicious code within a bitmap (.BMP) image file to drop a remote access trojan (RAT) capable of stealing sensitive information. Attributing the attack to the Lazarus Group based on similarities to prior tactics adopted by the adversary, researchers from Malwarebytes Malware Threat Medical APT 38
TEAM_CYMRU_Blog 2021-04-16 15:00:29 Transparent Tribe APT Infrastructure Mapping (direct link) Introduction Transparent Tribe (APT36, Mythic Leopard, ProjectM, Operation C-Major) is the name given to a threat actor group largely targeting Indian entities and assets. Transparent Tribe has also been known to target entities in Afghanistan and social activists in Pakistan, the latter of which leans towards the assumed attribution to Pakistani intelligence. Tools used [...] Threat APT 36
SecurityAffairs 2021-04-16 06:22:51 Lazarus BTC Changer. Back in action with JS sniffers redesigned to steal crypto (direct link) Group-IB observed the North Korea-linked Lazarus APT group stealing cryptocurrency using a never-before-seen tool. In the last five years, JavaScript sniffers have grown into one of the most dangerous threats for e-commerce businesses. The simple nature of such attacks combined with the use of malicious JavaScript code for intercepting payment data attracts more and more […] APT 38 APT 28
WiredThreatLevel 2021-04-14 12:00:00 Will Future Electric Vehicles Be Powered by Deep-Sea Metals? (direct link) Mining companies and marine scientists want to know whether harvesting blobs of useful materials from the seafloor harms ocean life. APT 32
Anomali 2021-04-13 15:49:00 Anomali Cyber Watch: Android Malware, Government, Middle East and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Group, FIN6, NetWalker, OilRig, Rocke Group, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Iran's APT34 Returns with an Updated Arsenal (published: April 8, 2021) Check Point Research discovered evidence of a new campaign by the Iranian threat group APT34. The threat group has been actively retooling and updating its payload arsenal to try and avoid detection. They have created several different malware variants whose ultimate purpose remained the same: to gain the initial foothold on the targeted device. Analyst Comment: Threat actors are always innovating new methods and updating the tools used to carry out attacks. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Custom Cryptographic Protocol - T1024 | [MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Scripting - T1064 Tags: OilRig, APT34, DNSpionage, Lab Dookhtegan, TONEDEAF, Dookhtegan, Karkoff, DNSpionage, Government, Middle East New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp (published: April 7, 2021) Check Point Research recently discovered Android malware on Google Play hidden in a fake application that is capable of spreading itself via users' WhatsApp messages. The malware is capable of automatically replying to the victim's incoming WhatsApp messages with a payload received from a command-and-control (C2) server. This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users' WhatsApp accounts, and more. Analyst Comment: Users' personal mobiles have many enterprise applications installed, like a multifactor authenticator, email client, etc., which increases the risk for the enterprise even further. Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups. The latest security patches should be installed for both applications and the operating system. Tags: Android, FlixOnline, WhatsApp Ransomware Malware Vulnerability Threat Guideline APT 34
ZDNet 2021-04-08 09:36:31 Vyveva: Lazarus hacking group's latest weapon strikes South African freight (direct link) The backdoor is being used to spy on the activities of freight companies. APT 38 APT 28
ESET 2021-04-08 09:30:57 (Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor (direct link) ESET researchers discover a new Lazarus backdoor deployed against a freight logistics firm in South Africa APT 38 APT 28
bleepingcomputer 2021-04-08 09:01:17 North Korean hackers use new Vyveva malware to attack freighters (direct link) The North Korean-backed Lazarus hacking group used new malware with backdoor capabilities, dubbed Vyveva by ESET researchers, in targeted attacks against a South African freight logistics company. [...] Malware APT 38 APT 28
The_Hackers_News 2021-04-08 06:37:05 Researchers uncover a new Iranian malware used in recent cyberattacks (direct link) An Iranian threat actor has unleashed a new cyberespionage campaign against a possible Lebanese target with a backdoor capable of exfiltrating sensitive information from compromised systems. Cybersecurity firm Check Point attributed the operation to APT34, citing similarities with previous techniques used by the threat actor as well as based on its pattern of victimology. APT34 (aka OilRig) is Malware Threat APT 34
Anomali 2021-04-06 16:57:00 Anomali Cyber Watch: APT Groups, Data Breach, Malspam, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT10, Charming Kitten, China, Cycldek, Hancitor, Malspam, North Korea, Phishing, TA453, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence The Leap of a Cycldek-Related Threat Actor (published: April 5, 2021) A new sophisticated Chinese campaign was observed between June 2020 and January 2021, targeting government, military and other critical industries in Vietnam, and, to a lesser extent, in Central Asia and Thailand. This threat actor uses a "DLL side-loading triad" previously mastered by another Chinese group, LuckyMouse: a legitimate executable, a malicious DLL to be sideloaded by it, and an encoded payload, generally dropped from a self-extracting archive. But the code origins of the new malware used on different stages of this campaign point to a different Chinese-speaking group, Cycldek. Analyst Comment: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). MITRE ATT&CK: [MITRE ATT&CK] DLL Side-Loading - T1073 | [MITRE ATT&CK] File Deletion - T1107 Tags: Chinese-speaking, Cycldek-related Hancitor's Use of Cobalt Strike and a Noisy Network Ping Tool (published: April 1, 2021) Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe or TA511. Initial infection includes the target clicking malspam, then clicking on a link in an opened Google Docs page, and finally clicking to enable macros in the downloaded Word document. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. It generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic. Analyst Comment: Organizations should use email security solutions to block malicious/spam emails. All email attachments should be scanned for malware before they reach the user's inbox. IPS rules need to be configured properly to identify any reconnaissance attempts, e.g. port scans, to get early indication of a potential breach. MITRE ATT&CK: [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Rundll32 - T1085 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] System Information Discovery - T1082 Tags: Hancitor, Malspam, Cobalt Strike Malware Tool Vulnerability Threat Conference APT 35 APT 10
Kaspersky 2021-03-31 12:48:58 APT Charming Kitten Pounces on Medical Researchers (direct link) Researchers uncover a credential-stealing campaign targeting genetic, neurology and oncology professionals. APT 35
TroyHunt 2021-03-30 23:09:47 Rick and Morty fans won't have long to wait for S5 as Adult Swim drops trailer (direct link) "Police? A strange, horny ocean man is on my lawn." APT 32
TroyHunt 2021-03-24 18:51:31 How to optimize protecting the ocean (direct link) Researchers scan the world's oceans to find ideal locations for protection. APT 32
Last update at: 2024-05-18 05:07:51