What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
TechWorm.webp 2024-05-01 23:25:26 Malware Targets Routers To Steal Passwords From Web Requests
Researchers have recently tracked a new malware, "Cuttlefish", that targets networking equipment, in particular small office/home office (SOHO) routers, to steal authentication material found in web requests that transit the router from the adjacent local area network (LAN). Lumen Technologies' Black Lotus Labs, which examined the malware, said Cuttlefish creates a proxy or VPN tunnel through a compromised router to exfiltrate data while evading analysis based on anomalous connections, then uses the stolen credentials to access the targeted resources. The malware can also perform HTTP and DNS hijacking for connections to private IP addresses, which are normally associated with communications inside an internal network. The researchers state that the Cuttlefish malware platform offers a zero-click approach to capturing data from users and devices behind the targeted network's edge. "All data sent over network equipment infiltrated by this malware is potentially exposed. What makes this malware family so insidious ..." the researchers warn in a blog post. "Cuttlefish lies in wait, passively sniffing packets, acting only when triggered by a predefined rule set. The packet sniffer used by Cuttlefish was designed to acquire authentication material, with an emphasis on public cloud-based services."
Malware Threat Cloud Technical APT 32 ★★★★
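The collection technique described above, as an added example that is not Black Lotus Labs' code and not the malware's own rule set: a small audit that walks a capture of LAN traffic and flags the kinds of authentication material a passive sniffer on a compromised router could lift from cleartext HTTP (bearer and basic Authorization headers, AWS access key IDs, tokens and passwords in query strings or form bodies, session cookies). The detection patterns, the Host-header attribution and the packet dictionary layout are assumptions; the capture is constructed, with reassembled request text standing in for raw frames. Run against your own egress traffic it shows which services would be exposed to exactly this kind of sniffer.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Authentication material a passive sniffer on the LAN side of a router can
# harvest from cleartext HTTP. These patterns are assumptions chosen to mirror
# the reported emphasis on public cloud services, not the malware's rule set.
HTTP_METHODS = ("GET ", "POST ", "PUT ", "DELETE ", "PATCH ", "HEAD ")
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "authorization-header": re.compile(
        r"^authorization:\s*(?:bearer|basic)\s+(\S+)", re.I | re.M),
    "aws-access-key-id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "token-in-query-or-body": re.compile(
        r"(?:^|[?&])(?:api[_-]?key|access_token|token|password)=([^&\s]+)", re.I | re.M),
    "session-cookie": re.compile(
        r"^cookie:.*?\b(?:session|sid|auth)[^=;]*=([^;\s]+)", re.I | re.M),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    host: str       # Host header: which (cloud) service the secret belongs to
    dst: str
    redacted: str   # never keep the full secret in audit output


def _is_cleartext_http(pkt: Dict) -> bool:
    # TLS payloads are opaque to a passive sniffer; only cleartext requests matter.
    return pkt["dport"] in (80, 8080) and pkt["payload"].startswith(HTTP_METHODS)


def _host_of(payload: str) -> str:
    m = re.search(r"^host:\s*(\S+)", payload, re.I | re.M)
    return m.group(1) if m else "?"


def _redact(secret: str) -> str:
    return secret[:4] + "*" * max(len(secret) - 4, 0)


def audit_capture(packets: Iterable[Dict]) -> List[Finding]:
    """Flag every piece of authentication material visible in cleartext requests."""
    findings: List[Finding] = []
    for pkt in packets:
        if not _is_cleartext_http(pkt):
            continue
        host = _host_of(pkt["payload"])
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(pkt["payload"]):
                findings.append(Finding(kind, host, pkt["dst"], _redact(m.group(1))))
    return findings


def exposed_hosts(findings: Iterable[Finding]) -> Set[str]:
    """Services whose credentials a router-level sniffer would have captured."""
    return {f.host for f in findings}


# Constructed sample capture: three LAN hosts talking out through the router.
SAMPLE_CAPTURE = [
    {"src": "192.168.1.20", "dst": "203.0.113.10", "dport": 80,
     "payload": "GET /v1/buckets?api_key=abcd1234efgh5678 HTTP/1.1\r\n"
                "Host: storage.example-cloud.test\r\n\r\n"},
    {"src": "192.168.1.21", "dst": "203.0.113.11", "dport": 80,
     "payload": "POST /login HTTP/1.1\r\nHost: portal.example.test\r\n"
                "Cookie: theme=dark; session_id=s3ss10n\r\n"
                "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig\r\n\r\n"
                "username=bob&password=hunter2"},
    {"src": "192.168.1.22", "dst": "203.0.113.12", "dport": 443,
     "payload": "\x16\x03\x01..."},   # TLS ClientHello: opaque, skipped
    {"src": "192.168.1.20", "dst": "203.0.113.13", "dport": 80,
     "payload": "PUT /sts HTTP/1.1\r\nHost: api.example-cloud.test\r\n"
                "X-Amz-Access-Key: AKIAIOSFODNN7EXAMPLE\r\n\r\n"},
]

if __name__ == "__main__":
    for f in audit_capture(SAMPLE_CAPTURE):
        print(f"{f.kind:24} {f.host:28} -> {f.dst}  {f.redacted}")
    print("exposed services:", sorted(exposed_hosts(audit_capture(SAMPLE_CAPTURE))))
```

The TLS packet is skipped on purpose: a sniffer of this kind only sees what crosses the router in the clear, so everything the audit flags is what you would move behind TLS or remove, and the port check is a convenience rather than a guarantee (cleartext HTTP on an unusual port is still cleartext).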
CyberWarzone.webp 2023-11-05 17:35:51 Are Maritime Drones the Future of Naval Warfare?
Ever found yourself musing over the future of combat at sea? I mean, it's not your everyday chatter, but imagine the ocean teeming with these [more...]
APT 32 ★★
Korben.webp 2023-10-05 07:00:00 TIO – Free online code interpreters for developers and teachers Try It Online (TIO) is a free, ad-free, open-source online platform for trying out a variety of programming languages without installing them. Ideal for beginners, teachers and developers, TIO encourages collaboration and code sharing. Backed by DigitalOcean, it offers a wide range of popular and exotic languages. APT 32 ★★
Detection_Engineering.webp 2023-09-20 12:01:22 Detection Engineering Weekly #41 - Ocean's 11, but with a cat
And the cat complains a lot when things go wrong
APT 32 ★★
Chercheur.webp 2023-08-25 21:06:48 Friday Squid Blogging: China's Squid Fishing Ban Ineffective
China imposed a “pilot program banning fishing in parts of the south-west Atlantic Ocean from July to October, and parts of the eastern Pacific Ocean from September to December.” However, the conservation group Oceana analyzed the data and figured out that the Chinese weren’t fishing in those areas in those months, anyway. In the south-west Atlantic moratorium area, Oceana found there had been no fishing conducted by Chinese fleets in the same time period in 2019. Between 1,800 and 8,500 fishing hours were detected in the zone in each of the five years to 2019. In the eastern Pacific zone, China’s fishing fleet appeared to fish only 38 hours in the year before the ban’s introduction...
APT 32
RecordedFuture.webp 2023-08-22 18:02:00 Major Mississippi hospital system takes services offline after cyberattack
One of the largest hospital systems in Mississippi was forced to take several internal services offline after experiencing a cyberattack that began last week. Singing River Health System – which runs Pascagoula Hospital, Ocean Springs Hospital, and Gulfport Hospital as well as dozens of clinics and centers along the Gulf Coast – is about an
APT 32 ★★★
CVE.webp 2023-08-16 15:15:11 CVE-2023-40341 A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job. Vulnerability APT 32
Blog.webp 2023-08-16 06:46:45 Threat Trend Report on APT Groups – June 2023
APT Group Trends – June 2023: 1) Andariel 2) APT28 3) Cadet Blizzard (DEV-0586) 4) Camaro Dragon 5) Charming Kitten (Mint Sandstorm) 6) Gamaredon (Shuckworm) 7) Ke3chang (APT15, Nickel) 8) Kimsuky 9) Lazarus 10) Muddy Water 11) Mustang Panda 12) OceanLotus 13) Patchwork (White Elephant) 14) Red Eyes (APT37) 15) Sharp Panda 16) SideCopy 17) Stealth Soldier ATIP_2023_Jun_Threat Trend Report on APT Groups
Threat Prediction APT 38 APT 37 APT 35 APT 32 APT 28 APT 15 APT 25 ★★
AlienVault.webp 2023-08-10 10:00:00 Mac systems turned into proxy exit nodes by AdLoad
This blog was jointly written by Fernando Martinez Sidera and Ofer Caspi, AT&T Alien Labs threat intelligence researchers. Executive summary  AdLoad malware is still infecting Mac systems years after its first appearance in 2017. AdLoad, a package bundler, has been observed delivering a wide range of payloads throughout its existence. During AT&T Alien Labs’ investigation of its most recent payload, it was discovered that the most common component dropped by AdLoad during the past year has been a proxy application turning MacOS AdLoad victims into a giant, residential proxy botnet. Key takeaways:  AdLoad malware is still present and infecting systems, with a previously unreported payload. At least 150 samples have been observed in the wild during the last year. AT&T Alien Labs has observed thousands of IPs behaving as proxy exit nodes in a manner similar to AdLoad infected systems. This behavior could indicate that thousands of Mac systems have been hijacked to act as proxy exit nodes. The samples analyzed in this blog are unique to MacOS, but Windows samples have also been observed in the wild. Analysis  AdLoad is one of several widespread adware and bundleware loaders currently impacting macOS. The OSX malware has been present since 2017, with big campaigns in the last two years as reported by SentinelOne in 2021 and Microsoft in 2022. As stated in Microsoft’s report on UpdateAgent, a malware delivering AdLoad through drive-by compromise, AdLoad redirected users’ traffic through the adware operators’ servers, injecting advertisements and promotions into webpages and search results with a Person-in-The-Middle (PiTM) attack. These two previous campaigns, together with the campaign described in this blog, support the theory that AdLoad could be running a pay-per-Install campaign in the infected systems. The main purpose of the malware has always been to act as a downloader for subsequent payloads. 
It has been identified delivering a wide range of payloads (adware, bundleware, PiTM, backdoors, proxy applications, etc.) every few months to a year, sometimes conveying different payloads depending on the system settings such as geolocation, device make and model, operating system version, or language settings, as reported by SentinelOne. In all observed samples, regardless of payload, they report to an AdLoad server during execution on the victim’s system. This beacon (analyzed later in Figures 3 & 4) includes system information in the user agent and the body, without any relevant response aside from a 200 HTTP response code. This activity probably represents AdLoad's method of keeping count of the number of infected systems, supporting the pay-per-install scheme. AT&T Alien Labs™ has observed similar activity in our threat analysis systems throughout the last year, with the AdLoad malware being installed in the infected systems. However, Alien Labs is now observing a previously unreported payload being delivered to the victims. The payload corresponds to a proxy application, converting its targets into proxy exit nodes after infection. As seen in Figure 1, the threat actors behind this campaign have been very active since the beginning of 2022. Figure 1. Histogram of AdLoad samples identified by Alien Labs. The vast numb Spam Malware Threat Cloud APT 32 ★★
CVE.webp 2023-07-12 08:15:09 CVE-2020-36760 The Ocean Extra plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.5. This is due to missing or incorrect nonce validation on the add_core_extensions_bundle_validation() function. This makes it possible for unauthenticated attackers to validate extension bundles via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. APT 32
CS.webp 2023-07-03 18:35:12 Hacking crew targeting states over transition bans claims cyberattack hitting global satellite systems
A group that previously hacked Fort Worth, Texas, claimed a cyberattack that affected Halliburton, Shell, Helix Energy and Oceaneering.
APT 32 ★★
News.webp 2023-05-10 11:00:50 Capita looking at a bill of £20M over breach clean-up costs
Analyst says expense 'no small drop in ocean' but reputational damage could be 'far greater'. Britain's leaky outsourcing behemoth Capita is warning investors that the clean-up bill for its recent digital break-in will cost up to £20 million ($25.24 million).…
APT 32 ★★
Chercheur.webp 2023-04-14 21:14:26 Friday Squid Blogging: Colossal Squid
Interesting article on the colossal squid, which is larger than the giant squid. The article answers a vexing question: So why do we always hear about the giant squid and not the colossal squid? Well, part of it has to do with the fact that the giant squid was discovered and studied long before the colossal squid. Scientists have been studying giant squid since the 1800s, while the colossal squid wasn’t even discovered until 1925. And its first discovery was just the head and arms found in a sperm whale’s stomach. It wasn’t until 1981 that the first whole animal was found by a trawler near the coast of Antarctica...
APT 32 ★★
CVE.webp 2023-04-06 14:15:07 CVE-2023-23891 Auth. (Contributor+) Cross-Site Scripting (XSS) vulnerability in the OceanWP Ocean Extra plugin Vulnerability APT 32
Netskope.webp 2023-04-06 13:59:23 Tech Support Scam Pivots from DigitalOcean to StackPath CDN
Summary: Attackers who were previously abusing DigitalOcean to host a tech support scam have expanded the operation, now abusing StackPath CDN to distribute the scam, and are likely to start abusing additional cloud services to deliver the scam in the near future. From February 1 to March 16, Netskope Threat Labs has seen a 10x increase […]
Threat Cloud APT 32 ★★★
CVE.webp 2023-03-30 12:15:07 CVE-2023-24399 Auth. (Contributor+) Cross-Site Scripting (XSS) vulnerability in the OceanWP Ocean Extra plugin Vulnerability APT 32
CVE.webp 2023-03-13 17:15:12 CVE-2023-0749 The Ocean Extra WordPress plugin before 2.1.3 does not ensure that the template to be loaded via a shortcode is actually a template, allowing any authenticated user such as a subscriber to retrieve the content of arbitrary posts, such as draft, private or even password-protected ones. APT 32
Netskope.webp 2023-03-09 21:46:24 Attackers Increasingly Abusing DigitalOcean to Host Scams and Phishing Summary: Netskope Threat Labs is tracking a 17x increase in traffic to malicious web pages hosted on DigitalOcean in the last six months. This increase is attributed to new campaigns of a known tech support scam that mimics Windows Defender and tries to deceive users into believing that their computer is infected. The end goal […] Threat APT 32 ★★
securityintelligence.webp 2023-02-13 14:00:00 Avoid Being a Downstream Victim of Service Provider Attacks Attacks on service providers are mounting — and so are downstream victims. Earlier this year, some customers of the cloud service provider DigitalOcean received emails instructing them to reset their passwords. These users hadn’t actually forgotten their passwords — their email addresses had been compromised in a data breach. But the cybersecurity incident didn’t start […] APT 32 ★★
CVE.webp 2022-12-04 23:15:09 CVE-2022-35730 Cross-Site Request Forgery (CSRF) vulnerability in the OceanWP Sticky Header plugin Vulnerability APT 32
CSO.webp 2022-11-17 02:00:00 Android security: Which smartphones can enterprises trust? Google's Android operating system dominates smartphone usage throughout the world - in every region except North America and Oceania, in fact. Thus, businesses in many regions are likely to support and issue Android devices to employees as their mainstay mobile devices. Even in areas where Apple's iPhone dominates or is comparable in market share, businesses are likely to support or issue Android devices at least as a secondary option. But Android security has long been an IT concern, despite significant security improvements made to the platform a decade ago in response to security standards put in place for iPhones, which quickly gained the security seal of approval as a result. That makes the buying and support decision around Android phones more complex for CISOs - whether as corporate-liable devices (that is, the devices that enterprises buy for their employees) or as employee-liable devices or bring-your-own devices (BYOD) that IT allows access at least to work email and calendars, and often to web-based services. APT 32
CVE.webp 2022-10-31 16:15:11 CVE-2022-3374 The Ocean Extra WordPress plugin before 2.0.5 unserialises the content of an imported file, which could lead to PHP object injection issues when a high-privilege user imports (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog. Guideline APT 32
Chercheur.webp 2022-10-28 20:57:47 Friday Squid Blogging: Chinese Squid Fishing China claims that it is “engaging in responsible squid fishing”: Chen Xinjun, dean of the College of Marine Sciences at Shanghai Ocean University, made the remarks in response to recent accusations by foreign reporters and actor Leonardo DiCaprio that China is depleting its own fish stock and that Chinese boats have sailed to other waters to continue deep-sea fishing, particularly near Ecuador, affecting local fish stocks in the South American nation. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered... APT 32
globalsecuritymag.webp 2022-10-27 09:15:45 N-able continues to innovate and invest in key areas for partner success with the appointment of Mike Cullen as head of the RMM business Mike Cullen wants to give partner-led innovation a bigger role and steer MSPs towards a "Blue Ocean" strategy. N-able, a global provider of remote monitoring and management, data-protection-as-a-service and security solutions for IT service providers, has announced the appointment of one of the MSP industry's founding executives, Mike Cullen, as general manager of the RMM business. In this new role, Mike (...) - Business APT 32
DarkReading.webp 2022-08-25 18:55:21 Twilio Hackers Scarf 10K Okta Credentials in Sprawling Supply Chain Attack The "0ktapus" cyberattackers set up a well-planned spear-phishing effort that affected at least 130 orgs beyond Twilio and Cloudflare, including Digital Ocean and Mailchimp. APT 32
2022-08-18 08:00:00 Ukraine and the fragility of agriculture security By Joe Marshall. The war in Ukraine has had far-reaching global implications and one of the most immediate effects felt will be on the global supply chain for food. This war-induced fragility has exposed the weaknesses of how we feed ourselves globally. Ransomware cartels and other adversaries are well aware of this and are actively exploiting that fragility. For the past six years, Cisco Talos has been actively involved in assisting public and private institutions in Ukraine to defend themselves against state-sponsored actors. Our involvement stretches the gamut from commercial to critical infrastructure, to election security. Our presence has afforded us unique opportunities and observations about cybersecurity in a macro and micro way. Ukraine has been a frequent victim of state-sponsored cyber attacks aimed at critical infrastructures like power and transportation. Talos is proud to stand with our partners in Ukraine and help defend their critical networks and help users there maintain access to necessary services. Now that Russia has invaded Ukraine, those threats have escalated to kinetic attacks that are wreaking havoc on a critical element of our world: agriculture and our global food supply chain. Even worse are the implications this war will have for future cyber attacks, as fragility is considered a lucrative element in deciding victimology by threat actors like ransomware cartels. To truly grasp the implications of the war in Ukraine, we have to examine how vital Ukrainian agriculture is to feeding the world, the current state of affairs, and what this means for the global cybersecurity posture to protect agricultural assets. Where there is weakness, there is opportunity. Ransomware cartels and their affiliates are actively targeting the agricultural industry.
Moreover, these actors have done their homework and are targeting agricultural companies during the two times of the year where they cannot suffer disruptions: planting and harvesting. Per the published FBI PIN Alert: “Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production.” This is far from unusual for these adversaries - they are shrewd and calculating, and understand their victims' weaknesses and industries. H Ransomware Threat Guideline Cloud NotPetya Uber APT 37 APT 32 APT 28 APT 10 APT 21 Guam
bleepingcomputer.webp 2022-08-16 12:46:53 New MailChimp breach exposed DigitalOcean customer email addresses DigitalOcean is warning customers that a recent MailChimp security breach exposed the email addresses of some customers, with a small number receiving unauthorized password resets. [...] APT 32
News.webp 2022-08-16 05:31:12 Digital Ocean dumps Mailchimp after attack leaked customer email addresses Somebody went after crypto-centric companies' outsourced email but the damage was felt in the cloud. Junior cloud Digital Ocean has revealed that some of its clients' email addresses were exposed to attackers, thanks to an attack on email marketing service Mailchimp.… APT 32
CVE.webp 2022-06-20 11:15:08 CVE-2021-25104 The Ocean Extra WordPress plugin before 1.9.5 does not escape generated links which are then used when OceanWP is active, leading to a Reflected Cross-Site Scripting issue Guideline APT 32
Checkpoint.webp 2022-06-08 11:00:49 Privilege Escalation in Azure: Keep your enemies close, and your permissions closer By Omer Shmuelly, Security Researcher, Cloud Security, published June 8, 2022. As more and more organizations are migrating their infrastructure to the cloud, a unified cloud security tool, such as Check Point's CloudGuard, becomes essential. In an ocean of standards and regulations, managing your cloud security posture (CSPM) can be a challenging task. While some… APT 32
CVE.webp 2022-05-17 15:15:09 CVE-2022-30952 Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins. APT 32 ★★
CVE.webp 2022-05-17 15:15:09 CVE-2022-30954 Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server. APT 32 ★★★★★
CVE.webp 2022-05-17 15:15:09 CVE-2022-30953 A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server. Vulnerability APT 32 ★★★★
SecurityWeek.webp 2022-05-13 13:26:53 devOcean Emerges From Stealth With Cloud-Native Security Operations Platform devOcean has emerged from stealth mode with a cloud-native security operations platform and $6 million in funding. The company's seed round was led by Glilot Capital Partners, with participation from angel investors. APT 32
knowbe4.webp 2022-02-21 19:50:06 Phishing Campaign Targets NFT Speculators Scams follow fashion because money follows fashion. So it's no surprise that non-fungible tokens (NFTs), which have become a hot speculative property, have drawn scam artists for phishing campaigns. They're not so much interested in the NFTs themselves as they are in the speculators' cash. OceanSea, a leading NFT marketplace, has responded to panicky tweets from users to reassure them that it's on top of rumors of “an exploit” connected to the smart contracts traders use. Guideline APT 32
bleepingcomputer.webp 2022-01-12 10:20:43 OceanLotus hackers turn to web archive files to deploy backdoors Vietnamese hackers of the APT32 group (Ocean Lotus) are now using Web Archive files (.mht and .mhtml) to deploy backdoors on their targets. [...] APT 32
InfoSecurityMag.webp 2022-01-06 18:27:00 Investigation Launched into RIPTA Data Breach Rhode Island attorney general to probe data breach of the Ocean State's public transit authority Data Breach APT 32
TechRepublic.webp 2022-01-04 15:37:00 Ocean battery, SPIDER-GO drone and digital radar system stand out in high-tech CES 2022 awards These 10 products from the 26 categories highlight the themes shaping this year's show: electric vehicles, sustainability and remote work. APT 32
ArsTechnica.webp 2021-12-14 18:19:08 There's a lot we don't know about ocean CO₂ removal There are some intriguing ideas, but big questions remain about all of them. APT 32 ★★★★★
TroyHunt.webp 2021-11-26 13:33:37 (Déjà vu) Humans have broken a fundamental law of the ocean Industrial fishing messes with a strange but stable pattern of undersea creatures. APT 32
CVE.webp 2021-11-24 16:15:14 CVE-2021-41192 Redash is a package for data visualization and sharing. If an admin sets up Redash versions 10.0.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value. This issue only affects installations where the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables have not been explicitly set. This issue does not affect users of the official Redash cloud images, Redash's Digital Ocean marketplace droplets, or the scripts in the `getredash/setup` repository. These instances automatically generate unique secret keys during installation. One can verify whether one's instance is affected by checking the value of the `REDASH_COOKIE_SECRET` environment variable. If it is `c292a0a3aa32397cdb050e233733900f`, one should follow the steps to secure the instance outlined in the GitHub Security Advisory. APT 32
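The forgery risk this advisory describes, as an added example that is not Redash's or Flask's own code: a simplified HMAC-signed session cookie (Flask's real itsdangerous format uses a derived key and a timestamp, so this stands in for it rather than reproducing it), the shared default value quoted above, and a check that reads the two environment variables the advisory names. The environment dictionaries and the session payload are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Shared default quoted in the advisory text above.
KNOWN_DEFAULT_SECRET = "c292a0a3aa32397cdb050e233733900f"
SECRET_VARS = ("REDASH_COOKIE_SECRET", "REDASH_SECRET_KEY")


def instance_is_affected(env: Dict[str, str]) -> bool:
    """True if either secret is unset (so the default is used) or equals the default."""
    return any(env.get(var) in (None, KNOWN_DEFAULT_SECRET) for var in SECRET_VARS)


def remediated_env(env: Dict[str, str]) -> Dict[str, str]:
    """Copy of env with a fresh random value for both secret variables.
    Rotating the secret invalidates every session signed under the old one,
    which is what you want after running on a publicly known default."""
    fixed = dict(env)
    for var in SECRET_VARS:
        fixed[var] = secrets.token_hex(32)
    return fixed


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(payload: dict, secret: str) -> str:
    """Simplified signed cookie: base64(json) '.' base64(HMAC-SHA256). Assumed format."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_session(cookie: str, secret: str) -> Optional[dict]:
    """Return the payload if the MAC verifies under `secret`, otherwise None."""
    body, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = _b64(hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(_unb64(body))


def forge_admin_session() -> str:
    """What anyone can mint for an instance still running on the default secret:
    the server's own verification accepts it because it shares the key."""
    return sign_session({"user_id": 1, "role": "admin"}, KNOWN_DEFAULT_SECRET)


if __name__ == "__main__":
    # Constructed environments: one left on the default, one remediated.
    vulnerable_env = {"REDASH_COOKIE_SECRET": KNOWN_DEFAULT_SECRET}
    safe_env = remediated_env(vulnerable_env)
    forged = forge_admin_session()
    print("affected:", instance_is_affected(vulnerable_env))
    print("forged cookie accepted on default secret:",
          verify_session(forged, vulnerable_env["REDASH_COOKIE_SECRET"]) is not None)
    print("forged cookie accepted after rotation:",
          verify_session(forged, safe_env["REDASH_COOKIE_SECRET"]) is not None)
```

The point the block makes is that the HMAC itself is sound; the weakness is entirely in key management, so the check is a string comparison against the published default and the fix is a secret nobody else has, accepting that existing logins drop when it is rotated.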
WiredThreatLevel.webp 2021-11-23 12:00:00 Humans Have Broken a Fundamental Law of the Ocean The size of undersea creatures seemed to follow a strange but stable pattern - until industrial fishing came along. APT 32
WiredThreatLevel.webp 2021-10-26 11:00:00 This Groundbreaking Simulator Generates a Huge Indoor Ocean It's a 32,000-gallon concrete tank with a wind tunnel grafted on top. With it, researchers can study the seas - and climate change - like never before. APT 32
Anomali.webp 2021-10-06 19:06:00 Inside TeamTNT's Impressive Arsenal: A Look Into A TeamTNT Server Authored By: Tara Gould Key Findings Anomali Threat Research has discovered an open server with a directory listing that we attribute with high confidence to the German-speaking threat group, TeamTNT. The server contains source code, scripts, binaries, and cryptominers targeting cloud environments. Other server contents include Amazon Web Services (AWS) credentials stolen by TeamTNT stealers, which are also hosted on the server. This inside view of TeamTNT infrastructure and tools in use can help security operations teams to improve detection capabilities for related attacks, whether coming directly from TeamTNT or other cybercrime groups leveraging their tools. Overview Anomali Threat Research has identified a TeamTNT server open to directory listing. The server was used to serve scripts and binaries that TeamTNT use in their attacks, and also for the IRC communications for their bot. The directory appears to have been in use since at least August 2021 and was in use as of October 5, 2021. The contents of the directory contain metadata, scripts, source code, and stolen credentials. TeamTNT is a German-speaking, cryptojacking threat group that targets cloud environments. The group typically uses cryptojacking malware and has been active since at least April 2020.[1] TeamTNT activity throughout 2021 has targeted AWS, Docker, GCP, Linux, Kubernetes, and Windows, which corresponds to usual TeamTNT activity.[2] Technical Analysis Scripts (/cmd/) Figure 1 - Overview of /cmd/ Contained on the server are approximately 50 scripts, most of which are already documented, located in the /cmd/ directory.
The objective of the scripts vary and include the following: AWS Credential Stealer Diamorphine Rootkit IP Scanners Mountsploit Scripts to set up utils Scripts to setup miners Scripts to remove previous miners Snippet of AWS Credential Stealer Script Figure 2 - Snippet of AWS Credential Stealer Script Some notable scripts, for example, is the script that steals AWS EC2 credentials, shown above in Figure 2. The AWS access key, secret key, and token are piped into a text file that is uploaded to the Command and Control (C2) server. Chimaera_Kubernetes_root_PayLoad_2.sh Figure 3 - Chimaera_Kubernetes_root_PayLoad_2.sh Another interesting script is shown in Figure 3 above, which checks the architecture of the system, and retrieves the XMRig miner version for that architecture from another open TeamTNT server, 85.214.149[.]236. Binaries (/bin/) Overview of /bin Figure 4 - Overview of /bin Within the /bin/ folder, shown in Figure 4 above, there is a collection of malicious binaries and utilities that TeamTNT use in their operations. Among the files are well-known samples that are attributed to TeamTNT, including the Tsunami backdoor and a XMRig cryptominer. Some of the tools have the source code located on the server, such as TeamTNT Bot. The folder /a.t.b contains the source code for the TeamTNT bot, shown in Figures 5 and 6 below. In addition, the same binaries have been found on a TeamTNT Docker, noted in Appendix A. Malware Tool Threat Uber APT 32
WiredThreatLevel.webp 2021-10-06 12:00:00 Astronomers Get Ready to Probe Europa's Hidden Ocean for Life Jupiter's most enigmatic moon, one of a few ocean worlds in the solar system, will be the target of upcoming missions by NASA and the European Space Agency. APT 32
TroyHunt.webp 2021-07-17 14:25:03 Gus Grissom taught NASA a hard lesson: “You can hurt yourself in the ocean” From the archives: Grissom's infamous (and impactful) ocean landing turns 60 this week. APT 32
WiredThreatLevel.webp 2021-07-13 10:00:00 A Son Is Rescued at Sea. But What Happened to His Mother? Nathan Carman went fishing with his mom. A week later, he was found on a life raft - alone. Tragic accident or murder? Ocean sensors may point to the truth. APT 32
SANS.webp 2021-07-10 21:56:51 Scanning for Microsoft Secure Socket Tunneling Protocol, (Sat, Jul 10th) Over the past month I noticed a resurgence of probes from DigitalOcean looking for the Microsoft (MS) Secure Socket Tunneling Protocol (SSTP). This MS proprietary VPN protocol is used to establish a secure connection via Transport Layer Security (TLS) between a client and a VPN gateway. Additional information on this protocol is available here. APT 32
cyberark.webp 2021-06-25 13:00:04 Cryptomining Cloud Attack: Compromise Sensitive Console Access Remember how the Ocean's Eleven crew couldn't just attack one casino… they had to go for three? Well, the same goes for some cyber criminals who think, “Why stop at data theft when I can... APT 32
TroyHunt.webp 2021-06-19 13:00:57 Two Viking burials, separated by an ocean, contain close kin Two Viking Age warriors from the same family died hundreds of kilometers apart. APT 32
Last update at: 2024-05-08 02:07:47