What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-11-17 02:00:00 | Android security: Which smartphones can enterprises trust? (lien direct) | Google's Android operating system dominates smartphone usage throughout the world - in every region except North America and Oceania, in fact. Thus, businesses in many regions are likely to support and issue Android devices to employees as their mainstay mobile devices. Even in areas where Apple's iPhone dominates or is comparable in market share, businesses are likely to support or issue Android devices at least as a secondary option.But Android security has long been an IT concern, despite significant security improvements made to the platform a decade ago in response to security standards put in place for iPhones, which quickly gained the security seal approval as a result. That makes the buying and support decision around Android phones more complex for CISOs - whether as corporate-liable devices (that is, the devices that enterprises buy for their employees) or as employee-liable devices or bring-your-own devices (BYOD) that IT allows access at least to work email and calendars, and often to web-based services.To read this article in full, please click here | APT 32 | ||
 |
2022-11-17 00:00:00 | Mustang Panda, APT29, APT36, Phobos, Cobalt Strike : Les acteurs émergents de la cybermenace se structurent et les rançongiciels évoluent (lien direct) | Mustang Panda, APT29, APT36, Phobos, Cobalt Strike : Les acteurs émergents de la cybermenace se structurent et les rançongiciels évoluent Le Trellix Advanced Research Center dévoile son premier rapport faisant le point sur l'activité des menaces cyber - Malwares | APT 29 APT 36 | ||
 |
2022-11-16 18:50:05 | Lazarus APT uses DTrack backdoor in attacks against LATAM and European orgs (lien direct) | >North Korea-linked Lazarus APT is using a new version of the DTrack backdoor in attacks aimed at organizations in Europe and Latin America. North Korea-linked APT Lazarus is using a new version of the DTrack backdoor to attack organizations in Europe and Latin America, Kaspersky researchers warn. DTrack is a modular backdoor used by the […] | APT 38 | ||
 |
2022-11-15 16:00:00 | Lazarus Backdoor DTrack Evolves to Target Europe and Latin America (lien direct) | DTrack has not changed substantially, but Lazarus made some “interesting” modifications | APT 38 | ★★★★★ | |
 |
2022-11-09 13:58:50 | Crude OilRig: Drilling into MITRE\'s Managed Service Evaluations (lien direct) | Here's how Red Canary detected and thwarted simulated OilRig activity in MITRE's inaugural Managed Services ATT&CK® Evaluation. | APT 34 | ||
 |
2022-11-04 19:13:00 | Researchers Detail New Malware Campaign Targeting Indian Government Employees (lien direct) | The Transparent Tribe threat actor has been linked to a new campaign aimed at Indian government organizations with trojanized versions of a two-factor authentication solution called Kavach. "This group abuses Google advertisements for the purpose of malvertising to distribute backdoored versions of Kavach multi-authentication (MFA) applications," Zscaler ThreatLabz researcher Sudeep Singh said | Malware Threat | APT 36 | |
 |
2022-10-31 16:15:11 | CVE-2022-3374 (lien direct) | The Ocean Extra WordPress plugin before 2.0.5 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog. | Guideline | APT 32 | |
 |
2022-10-31 01:57:31 | A Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the BYOVD Technique (lien direct) | In the ASEC blog post uploaded on April 2022 (New Malware of Lazarus Threat Actor Group Exploiting INITECH Process, https://asec.ahnlab.com/en/33801/), the team discussed the fact that the Lazarus attack group had been exploiting the INITECH process to infect systems with malware. This article aims to cover the details of the Lazarus group using the watering hole technique to hack into systems before exploiting the vulnerability of the MagicLine4NX product from Dream Security in order to additionally hack into systems in... | Malware Hack Vulnerability Threat Medical | APT 38 | |
 |
2022-10-28 20:57:47 | Friday Squid Blogging: Chinese Squid Fishing (lien direct) | China claims that it is “engaging in responsible squid fishing”: Chen Xinjun, dean of the College of Marine Sciences at Shanghai Ocean University, made the remarks in response to recent accusations by foreign reporters and actor Leonardo DiCaprio that China is depleting its own fish stock and that Chinese boats have sailed to other waters to continue deep-sea fishing, particularly near Ecuador, affecting local fish stocks in the South American nation. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered... | APT 32 | ||
|
2022-10-27 09:15:45 | N-able continue d\'innover et d\'investir dans des domaines clés pour la réussite des partenaires avec la nomination de Mike Cullen à la tête de l\'activité RMM (lien direct) | Mike Cullen souhaite accorder une plus grande place à l'innovation menée par les partenaires et orienter les MSP vers une stratégie " Blue Ocean " N-able, éditeur mondial de solutions de supervision et gestion à distance, de protection des données en tant que service et de sécurité pour les fournisseurs de services informatiques, vient d'annoncer la nomination de l'un des cadres fondateurs de l'industrie MSP, Mike Cullen, au poste de directeur général de l'activité RMM. Avec ce nouveau rôle, Mike (...) - Business | APT 32 | ||
 |
2022-10-25 16:53:00 | Anomali Cyber Watch: Daixin Team Ransoms Healthcare Sector, Earth Berberoka Breaches Casinos for Data, Windows Affected by Bring-Your-Own-Vulnerable-Driver Attacks, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, DDoS, Infostealers, Iran, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Alert (AA22-294A) #StopRansomware: Daixin Team
(published: October 21, 2022)
Daixin Team is a double-extortion ransomware group that has been targeting US businesses, predominantly in the healthcare sector. Since June 2022, Daixin Team has been encrypting electronic health record services, diagnostics services, imaging services, and intranet services. The group has exfiltrated personal identifiable information and patient health information. Typical intrusion starts with initial access through virtual private network (VPN) servers gained by exploitation or valid credentials derived from prior phishing. They use SSH and RDP for lateral movement and target VMware ESXi systems with ransomware based on leaked Babuk Locker source code.
Analyst Comment: Network defenders should keep organization’s VPN servers up-to-date on security updates. Enable multifactor authentication (MFA) on your VPN server and other critical accounts (administrative, backup-related, and webmail). Restrict the use of RDP, SSH, Telnet, virtual desktop and similar services in your environment.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Remote Service Session Hijacking - T1563 | [MITRE ATT&CK] Use Alternate Authentication Material - T1550 | [MITRE ATT&CK] Exfiltration Over Web Service - T1567 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: actor:Daixin Team, malware-type:Ransomware, PHI, SSH, RDP, Rclone, Ngrok, target-sector:Health Care NAICS 62, ESXi, VMware, Windows
Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool
(published: October 21, 2022)
Symantec detected a new custom data exfiltration tool used in a number of BlackByte ransomware attacks. This infostealer, dubbed Exbyte, performs anti-sandbox checks and proceeds to exfiltrate selected file types to a hardcoded Mega account. BlackByte ransomware-as-a-service operations were first uncovered in February 2022. The group’s recent attacks start with exploiting public-facing vulnerabilities of ProxyShell and ProxyLogon families. BlackByte removes Kernel Notify Routines to bypass Endpoint Detection and Response (EDR) products. The group uses AdFind, AnyDesk, Exbyte, NetScan, and PowerView tools and deploys BlackByte 2.0 ransomware payload.
Analyst Comment: It is crucial that your company ensures that servers are |
Ransomware Malware Tool Vulnerability Threat Medical | APT 38 | |
 |
2022-10-18 09:53:56 | The not-so-Charming Kitten working for Iran (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, DDoS, Infostealers, Iran, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Alert (AA22-294A) #StopRansomware: Daixin Team
(published: October 21, 2022)
Daixin Team is a double-extortion ransomware group that has been targeting US businesses, predominantly in the healthcare sector. Since June 2022, Daixin Team has been encrypting electronic health record services, diagnostics services, imaging services, and intranet services. The group has exfiltrated personal identifiable information and patient health information. Typical intrusion starts with initial access through virtual private network (VPN) servers gained by exploitation or valid credentials derived from prior phishing. They use SSH and RDP for lateral movement and target VMware ESXi systems with ransomware based on leaked Babuk Locker source code.
Analyst Comment: Network defenders should keep organization’s VPN servers up-to-date on security updates. Enable multifactor authentication (MFA) on your VPN server and other critical accounts (administrative, backup-related, and webmail). Restrict the use of RDP, SSH, Telnet, virtual desktop and similar services in your environment.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Remote Service Session Hijacking - T1563 | [MITRE ATT&CK] Use Alternate Authentication Material - T1550 | [MITRE ATT&CK] Exfiltration Over Web Service - T1567 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: actor:Daixin Team, malware-type:Ransomware, PHI, SSH, RDP, Rclone, Ngrok, target-sector:Health Care NAICS 62, ESXi, VMware, Windows
Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool
(published: October 21, 2022)
Symantec detected a new custom data exfiltration tool used in a number of BlackByte ransomware attacks. This infostealer, dubbed Exbyte, performs anti-sandbox checks and proceeds to exfiltrate selected file types to a hardcoded Mega account. BlackByte ransomware-as-a-service operations were first uncovered in February 2022. The group’s recent attacks start with exploiting public-facing vulnerabilities of ProxyShell and ProxyLogon families. BlackByte removes Kernel Notify Routines to bypass Endpoint Detection and Response (EDR) products. The group uses AdFind, AnyDesk, Exbyte, NetScan, and PowerView tools and deploys BlackByte 2.0 ransomware payload.
Analyst Comment: It is crucial that your company ensures that servers are |
APT 35 | ||
 |
2022-10-18 08:41:18 | The benefits of taking an intent-based approach to detecting Business Email Compromise (lien direct) |  By Abhishek Singh.BEC is a multi-stage attack. Adversaries first identify targets, then they establish rapport with the victim before exploiting them for whatever their end goal is. In the case of BEC, a threat actor can impersonate any employee in the organization to trick targets. A policy that checks for authorized email addresses of the sender can prevent BEC attacks. However, scaling the approach for every employee in a large organization is a challenge. Building an executive profile based on email analysis using a machine learning model and scanning emails against that profile will detect BEC. Data collection for building and training machine learning algorithms can take time, though, opening a window of opportunity for threat actors to exploit. Detection of exploitation techniques such as lookalike domains and any differences in the email addresses in the "From" and "Reply-to" fields can also detect BEC messages. However, the final verdict cannot account for the threat actor's intent. The intent-based approach detects BEC and then classifies it into the type of scam. It catches BEC messages, irrespective of whether a threat actor is impersonating a C-level executive or any employee in an organization. Classification based on the type of scam can help identify which segment of an organization was targeted and which employees were being impersonated by the threat actor. The additional information will further assist in better designing preventive features to stop BEC. Business email compromise (BEC) is one of the most financially damaging online crimes. As per the internet crime 221 report, the total loss in 2021 due to BEC is around 2.4 billion dollars. Since 2013, BEC has resulted in a 43 billion dollars loss. The report defines BEC as a scam targeting businesses (not individuals) working with foreign suppliers and companies regularly performing wire transfer payments. Fraudsters carry out these sophisticated scams to conduct the unauthorized transfer of funds. This introduces the challenge of how to detect and block these campaigns as they continue to compromise organizations successfully. There are a variety of approaches to identifying BEC email messages, such as using policy to allow emails from authorized email addresses, detecting exploitation techniques used by threat actors, building profiles by analysis of emails, and validating against the profile to detect BEC. These approaches have a variety of limitations or shortcomings. Cisco Talos is taking a different approach and using an intent-based model to identify and block BEC messages. Before we get too deep into the intent-based model, take a deeper look at the commonly used approaches to block BEC from the simplistic through machine learning (ML) approaches. Policy-based detection The first place to start is with policy-based detection as it is one of the most common and simplistic approaches to blocking BEC campaigns. Let's start by looking at an example of a BEC email. |
Threat Medical Cloud | Yahoo Uber APT 38 APT 37 APT 29 APT 19 APT 15 APT 10 | |
|
2022-10-12 04:48:14 | Lazarus Group Uses the DLL Side-Loading Technique (mi.dll) (lien direct) | While tracking the Lazarus attack group, the ASEC analysis team discovered that the attackers were using the DLL Side-Loading attack technique (T1574.002) by abusing legitimate applications in the initial compromise stage to achieve the next stage of their attack process. https://attack.mitre.org/techniques/T1574/002/ The DLL Side-Loading attack technique saves a legitimate application and a malicious DLL in the same folder path to enable the malicious DLL to also be executed when the application is run. In other words, it is a malware... | APT 38 | ||
|
2022-10-06 18:16:03 | CVE-2022-32172 (lien direct) | In Zinc, versions v0.1.9 through v0.3.1 are vulnerable to Stored Cross-Site Scripting when using the delete template functionality. When an authenticated user deletes a template with a XSS payload in the name field, the Javascript payload will be executed and allow an attacker to access the user’s credentials. | Medical | APT 38 | |
|
2022-10-06 18:16:02 | CVE-2022-32171 (lien direct) | In Zinc, versions v0.1.9 through v0.3.1 are vulnerable to Stored Cross-Site Scripting when using the delete user functionality. When an authenticated user deletes a user having a XSS payload in the user id field, the javascript payload will be executed and allow an attacker to access the user’s credentials. | Medical | APT 38 | |
 |
2022-10-05 15:45:00 | Bogus job offers hide trojanised open-source software (lien direct) | >Categories: NewsTags: malware Tags: ZINC Tags: microsoft Tags: infection Tags: C&C Tags: open source Tags: job offer Tags: fake Tags: LinkedIn A North Korean ZINC group is accused of creating compromised versions of KiTTY, PuTTY, TightVNC, and other popular open-source software apps (Read more...) | Guideline Medical | APT 38 | |
|
2022-10-05 12:15:00 | North Korea\'s Lazarus group uses vulnerable Dell driver to blind security solutions (lien direct) | The notorious North Korean state-sponsored hacker group Lazarus has begun exploiting a known vulnerability in an OEM driver developed by Dell to evade detection by security solutions. This is a prime example of why it's important to always keep third-party PC manufacturer software, which is often neglected, up to date, as well as to add vulnerable versions to blocklists.“The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver,” security researchers from antivirus firm ESET said in a recent report. “This is the first ever recorded abuse of this vulnerability in the wild. The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way.”To read this article in full, please click here | Tool Vulnerability | APT 38 | |
|
2022-10-04 18:08:00 | Anomali Cyber Watch: Canceling Subscription Installs Royal Ransomware, Lazarus Covinces to SSH to Its Servers, Polyglot File Executed Itself as a Different File Type, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: DLL side-loading, Influence operations, Infostealers, North Korea, Ransomware, Russia, and Social engineering. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New Royal Ransomware Emerges in Multi-Million Dollar Attacks
(published: September 29, 2022)
AdvIntel and BleepingComputer researchers describe the Royal ransomware group. Several experienced ransomware actors formed this group in January 2022. It started with third-party encryptors such as BlackCat, switched to using its own custom Zeon ransomware, and, since the middle of September 2022, the Royal ransomware. Royal group utilizes targeted callback phishing attacks. Its phishing emails impersonating food delivery and software providers contained phone numbers to cancel the alleged subscription (after the alleged end of a free trial). If an employee calls the number, Royal uses social engineering to convince the victim to install a remote access tool, which is used to gain initial access to the corporate network.
Analyst Comment: Use services such as Anomali's Premium Digital Risk Protection to detect the abuse of your brands in typosquatting and phishing attacks. Organizations should include callback phishing attacks awareness into their anti-phishing training.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Phishing - T1566
Tags: actor:Royal, detection:Zeon, detection:Royal, malware-type:Ransomware, detection:BlackCat, detection:Cobalt Strike, Callback phishing attacks, Spearphishing, Social Engineering
ZINC Weaponizing Open-Source Software
(published: September 29, 2022)
Microsoft researchers described recent developments in Lazarus Group (ZINC) campaigns that start from social engineering conversations on LinkedIn. Since June 2022, Lazarus was able to trojanize several open-source tools (KiTTY, muPDF/Subliminal Recording software installer, PuTTY, TightVNC, and Sumatra PDF Reader). When a target extracts the trojanized tool from the ISO file and installs it, Lazarus is able to deliver their custom malware such as EventHorizon and ZetaNile. In many cases, the final payload was not delivered unless the target manually established an SSH connection to an attacker-controlled IP address provided in the attached ReadMe.txt file.
Analyst Comment: All known indicators connected to this recent Lazarus Group campaign are available in the Anomali platform and customers are advised to block these on their infrastructure. Researchers should monitor for the additional User Execution step required for payload delivery. Defense contractors should be aware of advanced social engineering efforts abusing LinkedIn and other means of establishing trusted communication.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Scheduled Task - T1053 | |
Ransomware Malware Tool Threat Medical | APT 38 | |
|
2022-10-04 15:02:16 | Lazarus APT employed an exploit in a Dell firmware driver in recent attacks (lien direct) | >North Korea-linked Lazarus APT has been spotted deploying a Windows rootkit by taking advantage of an exploit in a Dell firmware driver. The North Korea-backed Lazarus Group has been observed deploying a Windows rootkit by relying on exploit in a Dell firmware driver dbutil_2_3.sys, ESET researchers warn. The discovery was made by ESET researchers while […] | Medical | APT 38 | |
|
2022-10-03 16:26:00 | Hackers Exploiting Dell Driver Vulnerability to Deploy Rootkit on Targeted Computers (lien direct) | The North Korea-backed Lazarus Group has been observed deploying a Windows rootkit by taking advantage of an exploit in a Dell firmware driver, highlighting new tactics adopted by the state-sponsored adversary. The Bring Your Own Vulnerable Driver (BYOVD) attack, which took place in the autumn of 2021, is another variant of the threat actor's espionage-oriented activity called Operation In(ter) | Vulnerability Threat Medical | APT 38 | |
|
2022-10-03 15:00:00 | Lazarus Group Exploits Dell Driver Vulnerability to Bypass Windows Security (lien direct) | ESET said the vulnerability was exploited at least twice via a specific user-mode module | Vulnerability | APT 38 | |
|
2022-09-30 15:32:00 | North Korean Hackers Weaponizing Open-Source Software in Latest Cyber Attacks (lien direct) | A "highly operational, destructive, and sophisticated nation-state activity group" with ties to North Korea has been weaponizing open source software in their social engineering campaigns aimed at companies around the world since June 2022. Microsoft's threat intelligence teams, alongside LinkedIn Threat Prevention and Defense, attributed the intrusions with high confidence to Zinc, which is | Threat Medical | APT 38 | |
|
2022-09-30 15:00:00 | Lazarus-Associated Hackers Weaponize Open-Source Tools Against Several Countries (lien direct) | The advisory suggests Zinc has targeted media, defense and aerospace, and IT services | Medical | APT 38 | |
 |
2022-09-30 14:10:38 | ESET Research into new attacks by Lazarus – Week in security with Tony Anscombe (lien direct) | The attack involved the first recorded abuse of a security vulnerability in a Dell driver that was patched in May 2021 | Vulnerability | APT 38 | |
|
2022-09-30 10:00:12 | Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium (lien direct) | ESET researchers have discovered Lazarus attacks against targets in the Netherlands and Belgium that use spearphishing emails connected to fake job offers | APT 38 | ||
 |
2022-09-27 21:40:00 | Lazarus Lures Aspiring Crypto Pros With Fake Exchange Job Postings (lien direct) | Previously observed using fake Coinbase jobs, the North Korea-sponsored APT has expanded into using Crypo.com gigs as cover to distribute malware. | APT 38 | ||
|
2022-09-27 20:39:33 | North Korea-linked Lazarus continues to target job seekers with macOS malware (lien direct) | >North Korea-linked Lazarus APT group is targeting macOS Users searching for jobs in the cryptocurrency industry. North Korea-linked Lazarus APT group continues to target macOS with a malware campaign using job opportunities as a lure. The attackers aimed at stealing credentials for the victims’ wallets. Last week, SentinelOne researchers discovered a decoy documents advertising positions […] | Malware | APT 38 | |
|
2022-09-27 16:00:00 | Lazarus Group Targets MacOS Users Seeking Crypto Jobs (lien direct) | The new attacks would be a new instance of a campaign spotted by ESET and Malwarebytes in August | APT 38 | ||
 |
2022-09-27 14:55:43 | Lazarus hackers drop macOS malware via Crypto.com job offers (lien direct) | The North Korean Lazarus hacking group is now using fake 'Crypto.com' job offers to hack developers and artists in the crypto space, likely with a long-term goal of stealing digital assets and cryptocurrency. [...] | Malware Hack | APT 38 | |
|
2022-09-22 05:47:21 | Analysis Report on Lazarus Group\'s Rootkit Attack Using BYOVD (lien direct) | Since 2009, Lazarus Group, known to be a group of hackers in North Korea, has been attacking not only Korea but various countries of America, Asia, and Europe. According to AhnLab’s ASD (AhnLab Smart Defense) infrastructure, in early 2022, the Lazarus Group performed APT (Advanced Persistent Threat) attacks on Korea’s defense, finance, media, and pharmaceutical industries. AhnLab closely tracked these APT attacks and discovered that these attacks incapacitate security products in the attack process. An analysis of the attack process... | Medical | APT 38 | ★★★★ |
|
2022-09-21 18:36:17 | Sophisticated Hermit Mobile Spyware Heralds Wave of Government Surveillance (lien direct) | At the SecTor 2022 conference in Toronto next month, researchers from Lookout will take a deep dive into Hermit and the shadowy world of mobile surveillance tools used by repressive regimes. | Cloud | APT 37 | |
 |
2022-09-19 13:47:00 | Meeting the “Ministrer” (lien direct) | FortiGuard Labs discovered an unassuming phishing email that attempts to deploy malware. The actions used to execute this strategy are consistent with Konni, a RAT that has been tied to the group APT 37. Read to learn more about this social engineering lure. | Cloud | APT 37 | |
 |
2022-09-14 17:22:49 | North Korean cyberespionage actor Lazarus targets energy providers with new malware (lien direct) | >Lazarus, a North Korean cyberespionage group, keeps hitting energy providers in the U.S., Canada and Japan with a new malware arsenal. | Malware | APT 38 | |
|
2022-09-14 05:09:00 | Iranian cyberspies use multi-persona impersonation in phishing threads (lien direct) | One of the most prolific state-sponsored Iranian cyber espionage groups is targeting researchers from different fields by setting up sophisticated spear-phishing lures in which they use multiple fake personas inside the same email thread for increased credibility.Security firm Proofpoint tracks the group as TA453, but it overlaps with activity that other companies have attributed to Charming Kitten, PHOSPHORUS and APT42. Incident response company Mandiant recently reported with medium confidence that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC)'s Intelligence Organization (IRGC-IO) and specializes in highly targeted social engineering.To read this article in full, please click here | Conference | APT 35 APT 42 | |
|
2022-09-13 15:00:00 | Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Defense evasion, DDoS, Iran, Ransomware, PlugX, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Microsoft Investigates Iranian Attacks Against the Albanian Government
(published: September 8, 2022)
Microsoft researchers discovered that groups working under Iran’s Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow’s anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania.
Analyst Comment: MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in a form of direct and proportional retaliation as it sees it. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users advised to block known OilRig network indicators.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070
Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona
BRONZE PRESIDENT Targets Government Officials
(published: September 8, 2022)
Secureworks researchers detected a new campaign by China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters.
Analyst Comment: Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | |
Ransomware Malware Tool Vulnerability Threat Guideline | APT 27 APT 34 | |
|
2022-09-13 11:51:39 | FBI Seizes Stolen Cryptocurrencies (lien direct) | The Wall Street Journal is reporting that the FBI has recovered over $30 million in cryptocurrency stolen by North Korean hackers earlier this year. It’s only a fraction of the $540 million stolen, but it’s something. The Axie Infinity recovery represents a shift in law enforcement’s ability to trace funds through a web of so-called crypto addresses, the virtual accounts where cryptocurrencies are stored. These addresses can be created quickly without them being linked to a cryptocurrency company that could freeze the funds. In its effort to mask the stolen crypto, Lazarus Group used more than 12,000 different addresses, according to Chainalysis. Unlike bank transactions that happen through private networks, movement between crypto accounts is visible to the world on the blockchain... | Medical | APT 38 | |
 |
2022-09-12 14:24:45 | Lazarus APT Uses Log4j Flaw To Hack US, Canadian Energy Co\'s – Cyber Experts Comment (lien direct) | Researchers have uncovered a new campaign targeting U.S., Canadian and Japanese energy providers to the North Korean Lazarus APT hacking group. The initial vector was the exploitation of the Log4j vulnerability on exposed VMware Horizon servers which was used to gain an initial foothold into targeted organizations https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html | Hack | APT 38 | |
|
2022-09-12 08:30:00 | North Korean Lazarus Group Hacked Energy Providers Worldwide (lien direct) | The campaign was disclosed by Symantec and AhnLab but Cisco Talos is now providing more details | APT 38 | ||
|
2022-09-09 17:06:00 | U.S. Seizes Cryptocurrency Worth $30 Million Stolen by North Korean Hackers (lien direct) | More than $30 million worth of cryptocurrency plundered by the North Korea-linked Lazarus Group from online video game Axie Infinity has been recovered, marking the first time digital assets stolen by the threat actor have been seized. "The seizures represent approximately 10% of the total funds stolen from Axie Infinity (accounting for price differences between time stolen and seized), and | Threat Medical | APT 38 | |
|
2022-09-09 16:48:02 | US Sanctions Iran Over APT Cyberattack Activity (lien direct) | The Treasury Department links the MuddyWater APT and APT39 to Iran's intelligence apparatus, which is now blocked from doing business with US entities. | Prediction | APT 39 | |
|
2022-09-09 16:09:44 | $30 Million worth of cryptocurrency stolen by Lazarus from Axie Infinity was recovered (lien direct) | >US authorities recovered more than $30 million worth of cryptocurrency stolen by the North Korea-linked Lazarus APT from Axie Infinity. A joint operation conducted by enforcement and leading organizations in the cryptocurrency industry allowed to recover more than $30 million worth of cryptocurrency stolen by North Korean-linked APT group Lazarus from online video game Axie […] | Guideline | APT 38 | |
|
2022-09-08 17:50:00 | North Korean Lazarus Hackers Targeting Energy Providers Around the World (lien direct) | A malicious campaign mounted by the North Korea-linked Lazarus Group is targeting energy providers around the world, including those based in the United States, Canada, and Japan. “The campaign is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary's nation-state,” Cisco Talos said in a report shared | Medical | APT 38 | |
|
2022-09-08 15:12:53 | North Korea-linked Lazarus APT targets energy providers around the world (lien direct) | >North Korea-linked Lazarus APT group is targeting energy providers around the world, including organizations in the US, Canada, and Japan. Talos researchers tracked a campaign, orchestrated by North Korea-linked Lazarus APT group, aimed at energy providers around the world, including organizations in the US, Canada, and Japan. The campaign was observed between February and July 2022. The attacks […] | APT 38 | ||
|
2022-09-08 14:14:00 | North Korean state-sponsored hacker group Lazarus adds new RAT to its malware toolset (lien direct) | Security researchers have discovered a new remote access Trojan (RAT) being used in attack campaigns this year by Lazarus, a threat actor tied to the North Korean government. The new RAT has been used alongside other malware implants attributed to Lazarus and it's mainly used in the first stages of an attack.Dubbed MagicRAT, the new Lazarus malware program was developed using Qt, a framework commonly used to develop graphical user interfaces for cross-platform applications. Since the Trojan doesn't have a GUI, researchers from Cisco Talos believe the reason for using Qt was to make detection harder.To read this article in full, please click here | Malware Threat | APT 38 | |
 |
2022-09-08 12:00:09 | Lazarus Group unleashed a MagicRAT to spy on energy providers (lien direct) | Cisco finds custom malware in North Korea's latest cyberespionage effort The North Korean state-sponsored crime ring Lazarus Group is behind a new cyberespionage campaign with the goal to steal data and trade secrets from energy providers across the US, Canada and Japan, according to Cisco Talos.… | Malware Medical | APT 38 | |
|
2022-09-08 11:08:00 | Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group (lien direct) | Microsoft's threat intelligence division on Wednesday assessed that a subgroup of the Iranian threat actor tracked as Phosphorus is conducting ransomware attacks as a "form of moonlighting" for personal gain. The tech giant, which is monitoring the activity cluster under the moniker DEV-0270 (aka Nemesis Kitten), said it's operated by a company that functions under the public aliases Secnerd and | Ransomware Threat Conference | APT 35 | |
|
2022-09-08 08:39:42 | Lazarus and the tale of three RATs (lien direct) |  By Jung soo An, Asheer Malhotra and Vitor Ventura.Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations.Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan. The campaign is meant to infiltrate organizations around the world for establishing long term access and subsequently exfiltrating data of interest to the adversary's nation-state.Talos has discovered the use of two known families of malware in these intrusions - VSingle and YamaBot.Talos has also discovered the use of a recently disclosed implant we're calling "MagicRAT" in this campaign. IntroductionCisco Talos observed North Korean state-sponsored APT Lazarus Group conducting malicious activity between February and July 2022. Lazarus has been previously attributed to the North Korean government by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The entry vectors involve the successful exploitation of vulnerabilities in VMWare products to establish initial footholds into enterprise networks, followed by the deployment of the group's custom malware implants, VSingle and YamaBot. In addition to these known malware families, we have also discovered the use of a previously unknown malware implant we're calling "MagicRAT."This campaign was previously partially disclosed by other security firms, but our findings reveal more details about the adversary's modus operandi. We have also observed an overlap of command and control (C2) and payload-hosting infrastructure between our findings and the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) June advisory that detailed continued attempts from threat actors to compromise vulnerable VMWare Horizon servers.In this research, we illustrate Lazarus Group's post-exploitation tactics, techniques and procedures (TTPs) to establish a foothold, perform initial reconnaissance, deploy bespoke malware and move laterally across infected enterprises. We also provide details about the activities performed by the attackers when the VSingle backdoor is instrumented on the infected endpoints.In this campaign, Lazarus was primarily targeting energy companies in Canada, the U.S. and Japan. The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean govern |
Malware Tool Vulnerability Threat Medical | APT 38 | |
|
2022-09-07 17:40:00 | North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns (lien direct) | The prolific North Korean nation-state actor known as the Lazarus Group has been linked to a new remote access trojan called MagicRAT. The previously unknown piece of malware is said to have been deployed in victim networks that had been initially breached via successful exploitation of internet-facing VMware Horizon servers, Cisco Talos said in a report shared with The Hacker News. "While being | Malware Medical | APT 38 | |
|
2022-09-07 08:01:43 | MagicRAT: Lazarus\' latest gateway into victim networks (lien direct) |  By Jung soo An, Asheer Malhotra and Vitor Ventura.Cisco Talos has discovered a new remote access trojan (RAT) we're calling "MagicRAT," developed and operated by the Lazarus APT group, which the U.S. government believes is a North Korean state-sponsored actor.Lazarus deployed MagicRAT after the successful exploitation of vulnerabilities in VMWare Horizon platforms.We've also found links between MagicRAT and another RAT known as "TigerRAT," disclosed and attributed to Lazarus by the Korean Internet & Security Agency (KISA) recently.TigerRAT has evolved over the past year to include new functionalities that we illustrate in this blog. Executive SummaryCisco Talos has discovered a new remote access trojan (RAT), which we are calling "MagicRAT," that we are attributing with moderate to high confidence to the Lazarus threat actor, a state-sponsored APT attributed to North Korea by the U.S. Cyber Security & Infrastructure Agency (CISA). This new RAT was found on victims that had been initially compromised through the exploitation of publicly exposed VMware Horizon platforms. While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely.We have also found evidence to suggest that once MagicRAT is deployed on infected systems, it launches additional payloads such as custom-built port scanners. Additionally, we've found that MagicRAT's C2 infrastructure was also used to host newer variants of known Lazarus implants such as TigerRAT. The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide.Actor profile |
Malware Threat Medical | APT 38 | ★★★ |
To see everything:
Our RSS (filtrered)
