What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-05-31 17:19:00 | Anomali Cyber Watch: Shadow Force cible les serveurs coréens, Volt Typhoon abuse des outils intégrés, Cosmicenergy Tests Electric Distribution Perturbation Anomali Cyber Watch: Shadow Force Targets Korean Servers, Volt Typhoon Abuses Built-in Tools, CosmicEnergy Tests Electric Distribution Disruption (lien direct) |
Les différentes histoires de l'intelligence des menaces dans cette itération de la cyber-montre anomali discutent des sujets suivants: Chine, chargement de DLL, vivant de la terre, technologie opérationnelle, ransomware, et Russie .Les CIO liés à ces histoires sont attachés à Anomali Cyber Watch et peuvent être utilisés pour vérifier vos journaux pour une activité malveillante potentielle.
Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées.
Cyber News et Intelligence des menaces
shadowVictiticoor et Coinmin de Force Group \\
(Publié: 27 mai 2023)
Force Shadow est une menace qui cible les organisations sud-coréennes depuis 2013. Il cible principalement les serveurs Windows.Les chercheurs d'AHNLAB ont analysé l'activité du groupe en 2020-2022.Les activités de force fantôme sont relativement faciles à détecter car les acteurs ont tendance à réutiliser les mêmes noms de fichiers pour leurs logiciels malveillants.Dans le même temps, le groupe a évolué: après mars, ses fichiers dépassent souvent 10 Mo en raison de l'emballage binaire.Les acteurs ont également commencé à introduire divers mineurs de crypto-monnaie et une nouvelle porte dérobée surnommée Viticdoor.
Commentaire de l'analyste: Les organisations doivent garder leurs serveurs à jour et correctement configurés avec la sécurité à l'esprit.Une utilisation et une surchauffe du processeur inhabituellement élevées peuvent être un signe du détournement de ressources malveillantes pour l'exploitation de la crypto-monnaie.Les indicateurs basés sur le réseau et l'hôte associés à la force fantôme sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure.
mitre att & amp; ck: [mitre att & amp; ck] t1588.003 - obtenir des capacités:Certificats de signature de code | [mitre att & amp; ck] t1105 - transfert d'outils d'entrée | [mitre att & amp; ck] t1027.002 - fichiers ou informations obscurcies: emballage logiciel | [mitre att & amp; ck] t1569.002: exécution du service | [mitre att & amp; ck] T1059.003 - Commande et script Interpréteur: Windows Command Shell | [mitre att & amp; ck] T1547.001 - Exécution de botter ou de connexion automatique: Registre Run Keys / Startup Folder | [mitre att & amp; ck] t1546.008 - Événement Exécution déclenchée: caractéristiques de l'accessibilité | [mitre att & amp; ck] t1543.003 - créer ou modifier le processus système: service Windows | [mitre att & amp; ck] t1554 - compromis le logiciel client binaire | [mitreAtt & amp; ck] t1078.001 - Comptes valides: comptes par défaut | [mitre att & amp; ck] t1140 - désobfuscate / décode ou infor |
Ransomware Malware Tool Vulnerability Threat | APT 38 Guam CosmicEnergy | ★★ |
 |
2023-05-25 21:18:00 | Groupe Lazarus frappant des serveurs Web vulnérables IIS IIS Lazarus Group Striking Vulnerable Windows IIS Web Servers (lien direct) |
Le tristement célèbre groupe nord-coréen APT utilise Log4Shell, l'attaque de la chaîne d'approvisionnement 3CX et d'autres vecteurs connus pour briser les serveurs Web Microsoft.
The infamous North Korean APT group is using Log4Shell, the 3CX supply chain attack, and other known vectors to breach Microsoft Web servers. |
APT 38 | ★★ | |
 |
2023-05-24 15:00:00 | Groupe Lazare ciblant les serveurs Web Microsoft pour lancer des logiciels malveillants d'espionnage Lazarus Group Targeting Microsoft Web Servers to Launch Espionage Malware (lien direct) |
Les chercheurs détaillent la technique de chargement latéral DLL utilisé pour déployer des logiciels malveillants qui facilitent le vol d'identification et le mouvement latéral
Researchers detail the DLL side-loading technique used to deploy malware that facilitates credential theft and lateral movement |
Malware | APT 38 | ★★ |
 |
2023-05-24 13:00:00 | Le groupe coréen Lazarus cible les serveurs Microsoft IIS pour déployer des logiciels malveillants d'espionnage N. Korean Lazarus Group Targets Microsoft IIS Servers to Deploy Espionage Malware (lien direct) |
Le tristement célèbre acteur du groupe Lazarus a ciblé les versions vulnérables des serveurs Microsoft Internet Information Services (IIS) comme voie de violation initiale pour déployer des logiciels malveillants sur des systèmes ciblés.
Les résultats proviennent du Ahnlab Security Emergency Response Center (ASEC), qui a détaillé la poursuite de la menace persistante avancée (APT) Abus continu des techniques de chargement secondaire DLL pour déployer des logiciels malveillants.
"Le
The infamous Lazarus Group actor has been targeting vulnerable versions of Microsoft Internet Information Services (IIS) servers as an initial breach route to deploy malware on targeted systems. The findings come from the AhnLab Security Emergency response Center (ASEC), which detailed the advanced persistent threat\'s (APT) continued abuse of DLL side-loading techniques to deploy malware. "The |
Malware | APT 38 | ★★ |
 |
2023-05-23 01:00:00 | Groupe Lazare ciblant les serveurs Web Windows IIS Lazarus Group Targeting Windows IIS Web Servers (lien direct) |
Ahnlab Security Emergency Response Center (ASEC) a récemment confirmé le groupe Lazarus, un groupe connu pour recevoir un soutienÀ l'échelle nationale, effectuant des attaques contre les serveurs Web Windows IIS.Habituellement, lorsque les acteurs de la menace effectuent une analyse et trouvent un serveur Web avec une version vulnérable, ils utilisent la vulnérabilité adaptée à la version pour installer un shell Web ou exécuter des commandes malveillantes.Le journal AHNLAB Smart Defense (ASD) affiché ci-dessous dans la figure 1 montre que les systèmes Windows Server sont ...
AhnLab Security Emergency response Center (ASEC) has recently confirmed the Lazarus group, a group known to receive support on a national scale, carrying out attacks against Windows IIS web servers. Ordinarily, when threat actors perform a scan and find a web server with a vulnerable version, they use the vulnerability suitable for the version to install a web shell or execute malicious commands. The AhnLab Smart Defense (ASD) log displayed below in Figure 1 shows that Windows server systems are... |
Vulnerability Threat | APT 38 | ★★ |
 |
2023-05-05 12:00:43 | Faire l'authentification plus rapidement que jamais: Passkeys vs mots de passe Making authentication faster than ever: passkeys vs. passwords (lien direct) |
Silvia Convento, Senior UX Researcher and Court Jacinic, Senior UX Content DesignerIn recognition of World Password Day 2023, Google announced its next step toward a passwordless future: passkeys. Passkeys are a new, passwordless authentication method that offer a convenient authentication experience for sites and apps, using just a fingerprint, face scan or other screen lock. They are designed to enhance online security for users. Because they are based on the public key cryptographic protocols that underpin security keys, they are resistant to phishing and other online attacks, making them more secure than SMS, app based one-time passwords and other forms of multi-factor authentication (MFA). And since passkeys are standardized, a single implementation enables a passwordless experience across browsers and operating systems. Passkeys can be used in two different ways: on the same device or from a different device. For example, if you need to sign in to a website on an Android device and you have a passkey stored on that same device, then using it only involves unlocking the phone. On the other hand, if you need to sign in to that website on the Chrome browser on your computer, you simply scan a QR code to connect the phone and computer to use the passkey.The technology behind the former (“same device passkey”) is not new: it was originally developed within the FIDO Alliance and first implemented by Google in August 2019 in select flows. Google and other FIDO members have been working together on enhancing the underlying technology of passkeys over the last few years to improve their usability and convenience. This technology behind passkeys allows users to log in to their account using any form of device-based user verification, such as biometrics or a PIN code. A credential is only registered once on a user\'s personal device, and then the device proves possession of the registered credential to the remote server by asking the user to use their device\'s screen lock. The user\'s biometric, or other screen lock data, is never sent to Google\'s servers - it stays securely stored on the device, and only cryptographic proof that the user has correctly provided it is sent to Google. Passkeys are also created and stored on your devices and are not sent to websites or apps. If you create a passkey on one device the Google Password Manager can make it available on your other devices that are signed into the same system account.Learn more on how passkey works under the hoo | APT 38 APT 15 APT 10 Guam | ★★ | |
|
2023-04-27 19:50:44 | Lazare, Scarcruft nord-coréen Apts Shift Tactics, prospère Lazarus, Scarcruft North Korean APTs Shift Tactics, Thrive (lien direct) |
Alors que les acteurs de la menace du monde entier grandissent et évoluent, les aptes de la RPDC se distinguent par leur propagation et leur variété de cibles.
As threat actors around the world grow and evolve, APTs from the DPRK stand out for their spread and variety of targets. |
Threat | APT 38 APT 37 | ★★ |
|
2023-04-25 18:22:00 | Anomali Cyber Watch: Deux attaques de la chaîne d'approvisionnement enchaînées, leurre de communication DNS furtive de chien, Evilextractor exfiltrates sur le serveur FTP Anomali Cyber Watch: Two Supply-Chain Attacks Chained Together, Decoy Dog Stealthy DNS Communication, EvilExtractor Exfiltrates to FTP Server (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptomining, Infostealers, Malvertising, North Korea, Phishing, Ransomware, and Supply-chain attacks. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters
(published: April 21, 2023)
A new Monero cryptocurrency-mining campaign is the first recorded case of gaining persistence via Kubernetes (K8s) Role-Based Access Control (RBAC), according to Aquasec researchers. The recorded honeypot attack started with exploiting a misconfigured API server. The attackers preceded by gathering information about the cluster, checking if their cluster was already deployed, and deleting some existing deployments. They used RBAC to gain persistence by creating a new ClusterRole and a new ClusterRole binding. The attackers then created a DaemonSet to use a single API request to target all nodes for deployment. The deployed malicious image from the public registry Docker Hub was named to impersonate a legitimate account and a popular legitimate image. It has been pulled 14,399 times and 60 exposed K8s clusters have been found with signs of exploitation by this campaign.
Analyst Comment: Your company should have protocols in place to ensure that all cluster management and cloud storage systems are properly configured and patched. K8s buckets are too often misconfigured and threat actors realize there is potential for malicious activity. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from highly-active threat groups.
MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1496 - Resource Hijacking | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1489 - Service Stop
Tags: Monero, malware-type:Cryptominer, detection:PUA.Linux.XMRMiner, file-type:ELF, abused:Docker Hub, technique:RBAC Buster, technique:Create ClusterRoleBinding, technique:Deploy DaemonSet, target-system:Linux, target:K8s, target:Kubernetes RBAC
3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible
(published: April 20, 2023)
Investigation of the previously-reported 3CX supply chain compromise (March 2023) allowed Mandiant researchers to detect it was a result of prior software supply chain attack using a trojanized installer for X_TRADER, a software package provided by Trading Technologies. The attack involved the publicly-available tool SigFlip decrypting RC4 stream-cipher and starting publicly-available DaveShell shellcode for reflective loading. It led to installation of the custom, modular VeiledSignal backdoor. VeiledSignal additional modules inject the C2 module in a browser process instance, create a Windows named pipe and |
Ransomware Spam Malware Tool Threat Cloud | Uber APT 38 ChatGPT APT 43 | ★★ |
|
2023-04-25 16:57:00 | Sous-groupe Lazarus ciblant les appareils Apple avec un nouveau malware macOS de RustBucket Lazarus Subgroup Targeting Apple Devices with New RustBucket macOS Malware (lien direct) |
Un acteur de menace nord-coréen motivé financièrement est soupçonné d'être derrière une nouvelle souche malveillante de pomme de macos appelée Rustbucket.
"[RustBucket] communique avec les serveurs de commande et de contrôle (C2) pour télécharger et exécuter divers PAyloads, "les chercheurs de Jamf Threat Labs Ferdous Saljooki et Jaron Bradley ont déclaré enUn rapport technique publié la semaine dernière.
La société de gestion d'appareils Apple l'a attribuée
A financially-motivated North Korean threat actor is suspected to be behind a new Apple macOS malware strain called RustBucket. "[RustBucket] communicates with command and control (C2) servers to download and execute various payloads," Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said in a technical report published last week. The Apple device management company attributed it |
Malware Threat | APT 38 | ★★★ |
 |
2023-04-24 15:38:54 | ESET Research découvre une campagne menée par le groupe APT Lazarus ciblant des utilisateurs de Linux (lien direct) | Les chercheurs d'ESET ont découvert une nouvelle campagne " Operation DreamJob " menée par le groupe Lazarus ciblant des utilisateurs de Linux. " Operation DreamJob " est le nom d'une série de campagnes qui utilisent des techniques d'ingénierie sociale pour compromettre leurs cibles, avec de fausses offres d'emploi comme appât. ESET a reconstitué la chaîne complète, depuis le fichier ZIP qui fournit une fausse offre d'emploi chez HSBC en guise de leurre jusqu'au malware final contenant la porte dérobée. Les similitudes observées dans cette porte dérobée Linux la relient avec grande certitude à l'attaque contre la chaîne d'approvisionnement de 3CX. L'entreprise a été piratée et son logiciel a été utilisé dans une attaque distribuant des malwares à des clients spécifiques via la chaîne d'approvisionnement de 3CX. L'attaque a été planifiée longtemps à l'avance, depuis le mois de décembre 2022. - Malwares | Malware | APT 38 | ★★ |
 |
2023-04-24 13:11:29 | Les pirates nord-coréens ciblent les utilisateurs de Mac avec de nouveaux logiciels malveillants \\ 'Rustbucket \\' North Korean Hackers Target Mac Users With New \\'RustBucket\\' Malware (lien direct) |
Le groupe de piratage lié à la Corée du Nord, Bluenoroff / Lazarus, a été vu en utilisant le malware de Rustbucket MacOS lors des attaques récentes.
North Korea-linked hacking group BlueNoroff/Lazarus was seen using the RustBucket macOS malware in recent attacks. |
Malware | APT 38 | ★★ |
|
2023-04-22 12:16:00 | Lazarus X_Trader Hack a un impact sur les infrastructures critiques au-delà Lazarus X_TRADER Hack Impacts Critical Infrastructure Beyond 3CX Breach (lien direct) |
Lazare, le prolifique groupe de piratage nord-coréen derrière l'attaque de la chaîne d'approvisionnement en cascade ciblant 3CX, a également violé deux organisations d'infrastructures critiques dans le secteur de l'énergie et de l'énergie et deux autres entreprises impliquées dans le négociation financière en utilisant l'application X_Trader Trojanisée.
Les nouvelles conclusions, qui viennent gracieuseté de l'équipe Hunter Hunter de Symantec \\, confirment les soupçons antérieurs que le
Lazarus, the prolific North Korean hacking group behind the cascading supply chain attack targeting 3CX, also breached two critical infrastructure organizations in the power and energy sector and two other businesses involved in financial trading using the trojanized X_TRADER application. The new findings, which come courtesy of Symantec\'s Threat Hunter Team, confirm earlier suspicions that the |
Hack Threat | APT 38 | ★★ |
|
2023-04-20 17:26:00 | Le groupe Lazarus ajoute des logiciels malveillants Linux à Arsenal dans l'opération Dream Job Lazarus Group Adds Linux Malware to Arsenal in Operation Dream Job (lien direct) |
Le célèbre acteur parrainé par l'État aligné par la Corée du Nord connue sous le nom de groupe Lazare a été attribué à une nouvelle campagne destinée aux utilisateurs de Linux.
Les attaques font partie d'une activité persistante et de longue date suivie sous le nom de l'opération Dream Job, a déclaré Eset dans un nouveau rapport publié aujourd'hui.
Les résultats sont cruciaux, notamment parce qu'il marque le premier exemple publié publiquement de la
The notorious North Korea-aligned state-sponsored actor known as the Lazarus Group has been attributed to a new campaign aimed at Linux users. The attacks are part of a persistent and long-running activity tracked under the name Operation Dream Job, ESET said in a new report published today. The findings are crucial, not least because it marks the first publicly documented example of the |
Malware | APT 38 | ★★★ |
 |
2023-04-20 15:30:34 | Intelligence Insights: avril 2023 Intelligence Insights: April 2023 (lien direct) |
La chaîne d'approvisionnement 3CX a compromis Labyrinth Chollima à la première place de ce mois-ci de l'édition de Intelligence Insights de ce mois-ci
The 3CX supply chain compromise vaulted Labyrinth Chollima to the top spot in this month\'s edition of Intelligence Insights |
APT 38 | ★★★ | |
 |
2023-04-20 11:43:51 | Les pirates de Lazarus poussent désormais les logiciels malveillants Linux via de fausses offres d'emploi Lazarus hackers now push Linux malware via fake job offers (lien direct) |
Une nouvelle campagne Lazare considérée comme faisant partie de "Operation DreamJob" a été découverte pour cibler les utilisateurs de Linux avec des logiciels malveillants pour la première fois.[...]
A new Lazarus campaign considered part of "Operation DreamJob" has been discovered targeting Linux users with malware for the first time. [...] |
Malware | APT 38 | ★★ |
 |
2023-04-20 09:30:34 | Linux Malware renforce les liens entre Lazarus et l'attaque de la chaîne d'approvisionnement 3CX Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack (lien direct) |
Les similitudes avec les logiciels malveillants Linux nouvellement découverts utilisés dans l'opération Dreamjob corroborent la théorie selon laquelle le tristement célèbre groupe aligné par la Corée du Nord est derrière l'attaque de la chaîne d'approvisionnement 3CX
Similarities with newly discovered Linux malware used in Operation DreamJob corroborate the theory that the infamous North Korea-aligned group is behind the 3CX supply-chain attack |
Malware | APT 38 | ★★ |
|
2023-04-13 14:37:00 | Le groupe de pirates de Lazarus évolue des tactiques, des outils et des cibles dans la campagne DeathNote Lazarus Hacker Group Evolves Tactics, Tools, and Targets in DeathNote Campaign (lien direct) |
L'acteur de menace nord-coréen connue sous le nom de groupe Lazare a été observé pour déplacer son objectif et évoluer rapidement ses outils et tactiques dans le cadre d'une activité de longue durée appelée DeathNote.
Alors que l'adversaire de l'État-nation est connu pour ses attaques persistantes contre le secteur des crypto-monnaies, il a également ciblé les secteurs automobile, académique et de défense en Europe de l'Est et dans d'autres parties du monde
The North Korean threat actor known as the Lazarus Group has been observed shifting its focus and rapidly evolving its tools and tactics as part of a long-running activity called DeathNote. While the nation-state adversary is known for its persistent attacks on the cryptocurrency sector, it has also targeted automotive, academic, and defense sectors in Eastern Europe and other parts of the world |
Threat | APT 38 | ★★ |
|
2023-04-12 21:41:00 | Lazarus Group \\ 'S \\' Deathnote \\ 'Cluster Pivots to Defense secteur Lazarus Group\\'s \\'DeathNote\\' Cluster Pivots to Defense Sector (lien direct) |
Habituellement axé sur les organisations de crypto-monnaie, l'acteur de menace a commencé à cibler les entreprises de défense dans le monde.
Usually focused on going after cryptocurrency organizations, the threat actor has begun targeting defense companies around the world. |
Threat | APT 38 | ★★ |
|
2023-04-12 16:00:00 | La campagne Deathnote de Lazarus Group \\ révèle un changement dans les cibles Lazarus Group\\'s DeathNote Campaign Reveals Shift in Targets (lien direct) |
Kaspersky a découvert un changement dans les cibles de l'attaque et les vecteurs d'infection mis à jour en 2020
Kaspersky uncovered a shift in the attack\'s targets and updated infection vectors in 2020 |
APT 38 | ★★ | |
|
2023-04-12 09:36:00 | Le labyrinthe sous-groupe de Lazarus Chollima découvert comme cerveau dans l'attaque de la chaîne d'approvisionnement 3CX Lazarus Sub-Group Labyrinth Chollima Uncovered as Mastermind in 3CX Supply Chain Attack (lien direct) |
Le fournisseur de services de communication d'entreprise 3CX a confirmé que l'attaque de la chaîne d'approvisionnement ciblant son application de bureau pour Windows et MacOS était le travail d'un acteur de menace au nord-coréen Nexus.
Les résultats sont le résultat d'une évaluation provisoire réalisée par Mandiant appartenant à Google, dont les services ont été enrôlés après que l'intrusion a été lancée à la fin du mois dernier.L'intelligence de la menace
Enterprise communications service provider 3CX confirmed that the supply chain attack targeting its desktop application for Windows and macOS was the handiwork of a threat actor with North Korean nexus. The findings are the result of an interim assessment conducted by Google-owned Mandiant, whose services were enlisted after the intrusion came to light late last month. The threat intelligence |
Threat | APT 38 | ★★ |
 |
2023-04-12 08:00:00 | Suivant le groupe Lazare en suivant la campagne DeathNote Following the Lazarus group by tracking DeathNote campaign (lien direct) |
Le groupe Lazare est un acteur de menace coréen de haut niveau avec plusieurs sous-campagnols.Dans ce blog, nous nous concentrons sur un cluster actif que nous avons surnommé DeathNote.
The Lazarus group is a high-profile Korean-speaking threat actor with multiple sub-campaigns. In this blog, we\'ll focus on an active cluster that we dubbed DeathNote. |
Threat | APT 38 | ★★★ |
|
2023-04-03 21:12:07 | La violation de 3CX s'élargit à mesure que les cyberattaquiers baissent la porte dérobée de deuxième étape 3CX Breach Widens as Cyberattackers Drop Second-Stage Backdoor (lien direct) |
"Gopuram" est une porte dérobée que le groupe de Lazarus de la Corée du Nord a utilisée dans certaines campagnes datant de 2020, selon certains chercheurs.
"Gopuram" is a backdoor that North Korea\'s Lazarus Group has used in some campaigns dating back to 2020, some researchers say. |
General Information | APT 38 | ★★ |
 |
2023-03-31 15:44:16 | Utilisation de Thor Lite pour rechercher des indicateurs de l'activité de Lazarus liés au compromis 3CX [Using THOR Lite to scan for indicators of Lazarus activity related to the 3CX compromise] (lien direct) | "Gopuram" est une porte dérobée que le groupe de Lazarus de la Corée du Nord a utilisée dans certaines campagnes datant de 2020, selon certains chercheurs.
"Gopuram" is a backdoor that North Korea\'s Lazarus Group has used in some campaigns dating back to 2020, some researchers say. |
APT 38 | ★★★ | |
 |
2023-03-31 12:16:00 | Plus de preuves relie l'attaque de la chaîne d'approvisionnement 3CX au groupe de piratage nord-coréen [More evidence links 3CX supply-chain attack to North Korean hacking group] (lien direct) |
L'attaque de la chaîne d'approvisionnement contre la société de téléphone d'entreprise 3CX a utilisé le code de piratage qui «correspond exactement» au malware maltraité précédemment dans les attaques par un groupe nord-coréen notoire, selon une nouvelle analyse.L'établissement de l'étendue des dommages causés par le pirat
The supply-chain attack on the enterprise phone company 3CX used hacking code that “exactly matches” malware previously seen in attacks by a notorious North Korean group, according to new analysis. Establishing the extent of the damage caused by the hack has been a priority for researchers after a number of cybersecurity businesses went public with |
Malware Hack | APT 38 | ★★ |
 |
2023-03-30 15:37:54 | Le compromis de la chaîne d'approvisionnement 3CX mène à des incidents emblématiques 3CX Supply Chain Compromise Leads to ICONIC Incident (lien direct) |
> [MISE À JOUR: Après une analyse supplémentaire de Shellcode utilisée dans l'emblématique, en conjonction avec d'autres observations de la communauté de sécurité plus large, la volexité attribue désormais l'activité décrite dans ce post à l'acteur de la menace de Lazarus.Plus précisément, en plus d'autres revendications de similitude, la séquence ShellCode {E8 00 00 00 00 59 49 89 C8 48 81 C1 58 06 00 00} semble avoir été utilisée uniqueêtre lié à Lazarus.Le poste d'origine a été laissé comme écrit.] Le mercredi 29 mars 2023, la volexité a pris conscience d'un compromis de la chaîne d'approvisionnement par un acteur de menace nord-coréen présumé, qui suit la volexité comme UTA0040 *.Les points de terminaison avec l'application de bureau 3CX installée ont reçu une mise à jour malveillante de ce logiciel signé par 3CX et téléchargé à partir de leurs serveurs.Cela faisait partie du processus de mise à jour automatique par défaut et [& # 8230;]
>[Update: Following additional analysis of shellcode used in ICONIC, in conjunction with other observations from the wider security community, Volexity now attributes the activity described in this post to the Lazarus threat actor. Specifically, in addition to other claims of similarity, the shellcode sequence {E8 00 00 00 00 59 49 89 C8 48 81 C1 58 06 00 00} appears to have been only used in the ICONIC loader and the APPLEJEUS malware, which is known to be linked to Lazarus. The original post has been left as written.] On Wednesday, March 29, 2023, Volexity became aware of a supply chain compromise by a suspected North Korean threat actor, which Volexity tracks as UTA0040*. Endpoints with the 3CX Desktop application installed received a malicious update of this software that was signed by 3CX and downloaded from their servers. This was part of the default automatic update process and would […] |
Threat | APT 38 | ★★★ |
 |
2023-03-29 23:42:34 | La cyberattaque de la chaîne d'approvisionnement avec des liens possibles avec la Corée du Nord pourrait avoir des milliers de victimes à l'échelle mondiale [Supply chain cyberattack with possible links to North Korea could have thousands of victims globally] (lien direct) | > Une attaque qui pourrait être le travail du célèbre groupe de Lazare a tenté d'installer des logiciels malveillants infoséaler à l'intérieur des réseaux d'entreprise.
>An attack that could be the work of the notorious Lazarus Group attempted to install infostealer malware inside corporate networks. |
Malware | APT 38 | ★★ |
|
2023-03-22 12:30:00 | Le Royaume-Uni émet une stratégie pour protéger les services de santé nationaux contre les cyberattaques [UK issues strategy to protect National Health Service from cyberattacks] (lien direct) |
Le gouvernement britannique a publié mercredi sa nouvelle stratégie de cybersécurité pour le National Health Service, visant à rendre le secteur de la santé du pays \\ «durcie considérablement à la cyberattaque, au plus tard en 2030».La stratégie vient dans le sillage de la [Wannacry] (https://www.theguardian.com/technology/2017/jun/16/wannacry-ransomware-attack-linked-north-korea-lazarus-group) Ransomware Attack en 2017, parallèlement à une attaque criminelle contre le fournisseur de logiciels [Advanced] (https://www.bbc.co.uk/news/technology-62725363) l'année dernière,
The British government published on Wednesday its new cybersecurity strategy for the National Health Service, aiming to make the country\'s healthcare sector “significantly hardened to cyber attack, no later than 2030.” The strategy comes in the wake of the [WannaCry](https://www.theguardian.com/technology/2017/jun/16/wannacry-ransomware-attack-linked-north-korea-lazarus-group) ransomware attack in 2017, alongside a criminal attack on the software supplier [Advanced](https://www.bbc.co.uk/news/technology-62725363) last year, |
Ransomware General Information | Wannacry APT 38 | ★★ |
 |
2023-03-20 18:30:00 | When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule (lien direct) | > En février 2023, X-Force a publié un blog intitulé & # 8220; Direct Kernel Object Manipulation (DKOM) Attacks contre les fournisseurs ETW & # 8221;Cela détaille les capacités d'un échantillon attribué au groupe Lazare se sont exploités pour altérer la visibilité des opérations de logiciels malveillants.Ce blog ne remaniera pas l'analyse de l'échantillon de logiciel malveillant Lazarus ou du traçage d'événements pour Windows (ETW) comme [& # 8230;]
>In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as […] |
Malware Medical | APT 38 | ★★★ |
|
2023-03-08 17:00:00 | Lazarus Group Targets South Korean Finance Firm Via Zero-Day Flaw (lien direct) | Asec recorded attacks in May and October 2022 | APT 38 | ★★ | |
|
2023-03-08 16:04:00 | Lazarus Group Exploits Zero-Day Vulnerability to Hack South Korean Financial Entity (lien direct) | The North Korea-linked Lazarus Group has been observed weaponizing flaws in an undisclosed software to breach a financial business entity in South Korea twice within a span of a year. While the first attack in May 2022 entailed the use of a vulnerable version of a certificate software that's widely used by public institutions and universities, the re-infiltration in October 2022 involved the | Hack Vulnerability Medical | APT 38 | ★★★ |
|
2023-03-06 23:30:00 | Lazarus Group Attack Case Using Vulnerability of Certificate Software Commonly Used by Public Institutions and Universities (lien direct) | Since two years ago (March 2021), the Lazarus group’s malware strains have been found in various Korean companies related to national defense, satellites, software, media press, etc. As such, ASEC (AhnLab Security Emergency Response Center) has been pursuing and analyzing the Lazarus threat group’s activities and related malware. The affected company in this case had been infiltrated by the Lazarus group in May 2022 and was re-infiltrated recently through the same software’s 0-Day vulnerability. During the infiltration in May 2022,... | Malware Vulnerability Threat Medical | APT 38 | ★★★ |
|
2023-02-28 16:15:00 | Anomali Cyber Watch: Newly-Discovered WinorDLL64 Backdoor Has Code Similarities with Lazarus GhostSecret, Atharvan Backdoor Can Be Restricted to Communicate on Certain Days (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, DLL sideloading, Infostealers, Phishing, Social engineering, and Tunneling. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
WinorDLL64: A Backdoor From The Vast Lazarus Arsenal?
(published: February 23, 2023)
When the Wslink downloader (WinorLoaderDLL64.dll) was first discovered in 2021, it had no known payload and no known attribution. Now ESET researchers have discovered a Wslink payload dubbed WinorDLL64. This backdoor uses some of Wslink functions and the Wslink-established TCP connection encrypted with 256-bit AES-CBC cipher. WinorDLL64 has some code similarities with the GhostSecret malware used by North Korea-sponsored Lazarus Group.
Analyst Comment: Wslink and WinorDLL64 use a well-developed cryptographic protocol to protect the exchanged data. Innovating advanced persistent groups like Lazarus often come out with new versions of their custom malware. It makes it important for network defenders to leverage the knowledge of a wider security community by adding relevant premium feeds and leveraging the controls automation via Anomali Platform integrations.
MITRE ATT&CK: [MITRE ATT&CK] T1587.001 - Develop Capabilities: Malware | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1134.002 - Access Token Manipulation: Create Process With Token | [MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1087.001 - Account Discovery: Local Account | [MITRE ATT&CK] T1087.002 - Account Discovery: Domain Account | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1135 - Network Share Discovery | [MITRE ATT&CK] T1057 - Process Discovery | [MITRE ATT&CK] T1012: Query Registry | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] T1614 - System Location Discovery | [MITRE ATT&CK] T1614.001 - System Location Discovery: System Language Discovery | [MITRE ATT&CK] T1016 - System Network Configuration Discovery | [MITRE ATT&CK] T1049 - System Network Connections Discovery | |
Ransomware Malware Tool Threat Medical Medical Cloud | APT 38 | ★ |
 |
2023-02-28 14:00:00 | CyberheistNews Vol 13 #09 [Eye Opener] Should You Click on Unsubscribe? (lien direct) |
CyberheistNews Vol 13 #09 | February 28th, 2023
[Eye Opener] Should You Click on Unsubscribe?
By Roger A. Grimes.
Some common questions we get are "Should I click on an unwanted email's 'Unsubscribe' link? Will that lead to more or less unwanted email?"
The short answer is that, in general, it is OK to click on a legitimate vendor's unsubscribe link. But if you think the email is sketchy or coming from a source you would not want to validate your email address as valid and active, or are unsure, do not take the chance, skip the unsubscribe action.
In many countries, legitimate vendors are bound by law to offer (free) unsubscribe functionality and abide by a user's preferences. For example, in the U.S., the 2003 CAN-SPAM Act states that businesses must offer clear instructions on how the recipient can remove themselves from the involved mailing list and that request must be honored within 10 days.
Note: Many countries have laws similar to the CAN-SPAM Act, although with privacy protection ranging the privacy spectrum from very little to a lot more protection. The unsubscribe feature does not have to be a URL link, but it does have to be an "internet-based way." The most popular alternative method besides a URL link is an email address to use.
In some cases, there are specific instructions you have to follow, such as put "Unsubscribe" in the subject of the email. Other times you are expected to craft your own message. Luckily, most of the time simply sending any email to the listed unsubscribe email address is enough to remove your email address from the mailing list.
[CONTINUED] at the KnowBe4 blog:https://blog.knowbe4.com/should-you-click-on-unsubscribe
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, March 1, @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approac |
Malware Hack Tool Vulnerability Threat Guideline Prediction | APT 38 ChatGPT | ★★★ |
|
2023-02-23 18:00:00 | WinorDLL64 Backdoor Linked to Lazarus Group (lien direct) | The Wslink loader can reportedly serve other connecting clients and load additional payloads | APT 38 | ★★★ | |
|
2023-02-23 17:17:00 | Lazarus Group Using New WinorDLL64 Backdoor to Exfiltrate Sensitive Data (lien direct) | A new backdoor associated with a malware downloader named Wslink has been discovered, with the tool likely used by the notorious North Korea-aligned Lazarus Group, new findings reveal. The payload, dubbed WinorDLL64 by ESET, is a fully-featured implant that can exfiltrate, overwrite, and delete files; execute PowerShell commands; and obtain comprehensive information about the underlying machine. | Malware Tool Medical | APT 38 | ★ |
|
2023-02-23 10:30:19 | WinorDLL64: A backdoor from the vast Lazarus arsenal? (lien direct) | >The targeted region, and overlap in behavior and code, suggest the tool is used by the infamous North Korea-aligned APT group | Tool | APT 38 | ★★ |
|
2023-02-23 02:00:00 | Anti-Forensic Techniques Used By Lazarus Group (lien direct) | Since approximately a year ago, the Lazarus group’s malware has been discovered in various Korean companies related to national defense, satellites, software, and media press. The AhnLab ASEC analysis team has been continuously tracking the Lazarus threat group’s activities and other related TTPs. Among the recent cases, this post aims to share the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group. Overview Definition of Anti-Forensics Anti-forensics refers to the tampering of evidence in... | Malware Threat Medical | APT 38 | ★★ |
 |
2023-02-21 15:23:27 | (Déjà vu) Norway Seizes Stolen Crypto Funds Linked to the Lazarus Group (lien direct) | >In March 2022, the Lazarus Group, a North Korea-backed hacking group, stole around $5.84 million worth of cryptocurrency through the Axie Infinity Ronin Bridge hack. However, over ten months later, the Norwegian police agency Økokrim announced they had seized the stolen funds. The crime-fighting unit was able to track the money on the blockchain, even … | Medical | APT 38 | ★★ |
|
2023-02-21 15:23:27 | Norwegian Seize Stolen Crypto Funds Linked to the Lazarus Group (lien direct) | >In March 2022, the Lazarus Group, a North Korea-backed hacking group, stole around $5.84 million worth of cryptocurrency through the Axie Infinity Ronin Bridge hack. However, over ten months later, the Norwegian police agency Økokrim announced they had seized part of the stolen funds. The crime-fighting unit was able to track the money on the … | Medical | APT 38 | ★★ |
|
2023-02-20 16:53:00 | Norway Seizes $5.84 Million in Cryptocurrency Stolen by Lazarus Hackers (lien direct) | Norwegian police agency Økokrim has announced the seizure of 60 million NOK (about $5.84 million) worth of cryptocurrency stolen by the Lazarus Group in March 2022 following the Axie Infinity Ronin Bridge hack. "This case shows that we also have a great capacity to follow the money on the blockchain, even if the criminals use advanced methods," the agency said in a statement. The development | Medical | APT 38 | ★★ |
|
2023-02-17 12:19:21 | Norwegian police recover $5.8M crypto from massive Axie Infinity hack (lien direct) | Norwegian police (Økokrim) have seized 60 million kroner ($5,800,000) worth of cryptocurrency stolen by the North Korean Lazarus hacking group last year from Axie Infinity's Ronin Bridge. [...] | Hack | APT 38 | ★★ |
 |
2023-02-17 05:15:06 | Norway finds a way to recover crypto North Korea pinched in Axie heist (lien direct) | Meanwhile South Korea's Do Kwon is sought for fraud by US authorities Norwegian authorities announced on Thursday that they had recovered $5.9 million of cryptocurrency stolen in the Axie Infinity hack – an incident widely held to have been perpetrated by the Lazarus Group, which has links to North Korea.… | Hack Medical | APT 38 | ★★★ |
|
2023-02-15 20:29:00 | North Korea\'s APT37 Targeting Southern Counterpart with New M2RAT Malware (lien direct) | The North Korea-linked threat actor tracked as APT37 has been linked to a piece of new malware dubbed M2RAT in attacks targeting its southern counterpart, suggesting continued evolution of the group's features and tactics. APT37, also tracked under the monikers Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is linked to North Korea's Ministry of State Security (MSS) unlike the Lazarus and | Malware Threat Cloud | APT 38 APT 37 | ★★ |
|
2023-02-07 21:05:00 | DPRK Using Unpatched Zimbra Devices to Spy on Researchers (lien direct) | Lazarus Group used a known Zimbra bug to steal data from medical and energy researchers. | Medical Medical | APT 38 | ★★★ |
|
2023-02-07 17:23:00 | Anomali Cyber Watch: MalVirt Obfuscates with KoiVM Virtualization, IceBreaker Overlay Hides V8 Bytecode Runtime Interpretation, Sandworm Deploys Multiple Wipers in Ukraine (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data leak, Malvertising, North Korea, Proxying, Russia, Typosquatting, Ukraine, and Wipers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
No Pineapple! –DPRK Targeting of Medical Research and Technology Sector
(published: February 2, 2023)
In August-November 2022, North Korea-sponsored group Lazarus has been engaging in cyberespionage operations targeting defense, engineering, healthcare, manufacturing, and research organizations. The group has shifted their infrastructure from using domains to be solely IP-based. For initial compromise the group exploited known vulnerabilities in unpatched Zimbra mail servers (CVE-2022-27925 and CVE-2022-37042). Lazarus used off the shelf malware (Cobalt Strike, JspFileBrowser, JspSpy webshell, and WSO webshell), abused legitimate Windows and Unix tools (such as Putty SCP), and tools for proxying (3Proxy, Plink, and Stunnel). Two custom malware unique to North Korea-based advanced persistent threat actors were a new Grease version that enables RDP access on the host, and the Dtrack infostealer.
Analyst Comment: Organizations should keep their mail server and other publicly-facing systems always up-to-date with the latest security features. Lazarus Group cyberespionage attacks are often accompanied by stages of multi-gigabyte exfiltration traffic. Suspicious connections and events should be monitored, detected and acted upon. Use the available YARA signatures and known indicators.
MITRE ATT&CK: [MITRE ATT&CK] T1587.002 - Develop Capabilities: Code Signing Certificates | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] picus-security: The Most Used ATT&CK Technique—T1059 Command and Scripting Interpreter | [MITRE ATT&CK] T1569.002: Service Execution | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1505.003 - Server Software Component: Web Shell | [MITRE ATT&CK] T1037.005 - Boot or Logon Initialization Scripts: Startup Items | [MITRE ATT&CK] T1053.005 - Scheduled Task/Job: Scheduled Task | [MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location | [MITRE ATT&CK] T1553 - Subvert Trust Controls | [MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1070.007 - Indicator Removal: Clear Network Connection History And Configurations | |
Malware Tool Threat Medical Medical | APT 38 | ★★★ |
|
2023-02-02 21:04:29 | Hackers linked to North Korea targeted Indian medical org, energy sector (lien direct) |  The North Korean military's notorious hacking arm – known as the Lazarus Group – has been accused of targeting public and private sector research organizations, an Indian medical research company and other businesses in the energy sector. Security analysts at WithSecure said they were called on to respond to a cyberattack that they initially tied to the [… |
Medical Medical | APT 38 | ★★★ |
|
2023-02-02 16:00:00 | Lazarus Group Attack Identified After Operational Security Fail (lien direct) | The new campaign highlighted several "noteworthy developments" in TTPs | APT 38 | ★★★★ | |
|
2023-02-02 15:15:00 | North Korean Hackers Exploit Unpatched Zimbra Devices in \'No Pineapple\' Campaign (lien direct) | A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems. That's according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident No Pineapple. Targets of the malicious operation included a healthcare research organization | Medical | APT 38 | ★★ |
|
2023-02-02 12:56:58 | North Korean hackers stole research data in two-month-long breach (lien direct) | A new cyber espionage campaign dubbed 'No Pineapple!' has been attributed to the North Korean Lazarus hacking group, allowing the threat actors to stealthily steal 100GB of data from the victim without causing any destruction. [...] | Threat | APT 38 | ★★ |
|
2023-02-02 09:12:35 | WithSecure™ researchers link intelligence-gathering campaign targeting medical research and energy organizations back to North Korea\'s Lazarus Group (lien direct) | North Korean attackers out themselves with operational security fail WithSecure™ researchers link intelligence-gathering campaign targeting medical research and energy organizations back to North Korea's Lazarus Group. - Malware Update | Medical Medical | APT 38 | ★ |
To see everything:
Our RSS (filtrered)
