What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2020-11-12 05:52:48 | CRAT wants to plunder your endpoints (lien direct) | By Asheer Malhotra.
Cisco Talos has observed a new version of a remote access trojan (RAT) family known as CRAT.Apart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious plugins on the infected endpoint.One of the plugins is a ransomware known as "Hansom."CRAT has been attributed to the Lazarus APT Group in the past.The RAT consists of multiple obfuscation techniques to hide strings, API names, command and control (C2) URLs and instrumental functions,...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
Ransomware Malware | APT 38 | |
 |
2020-10-06 14:00:00 | Weekly Threat Briefing: Ransomware, IPStorm, APT Group, and More (lien direct) |
The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, BlackTech, BLINDINGCAN, Linux Malware, Palmerworm, Vulnerabilities, and XDSpy. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Grindr Fixed a Bug Allowing Full Takeover of Any User Account
(published: October 3, 2020)
Grindr, an LGBT networking platform, has fixed a vulnerability that could allow any account to be hijacked. The vulnerability was identified by security researcher Wassime Bouimadaghene, finding that the reset token was leaked in the page’s response content. This would enable anyone who knows a users’ email address to generate the reset link that is sent via email. Gaining account access would enable an attacker to obtain sensitive information such as pictures stored on the app (including NSFW), HIV status, location, and messages. Grindr has announced a bug bounty program.
Recommendation: If your account has been breached, you can reset the password using the reset link sent to the associated email address.
Tags: Browser, Exposed tokens, Grindr, Sensitive Info
XDSpy: Stealing Government Secrets Since 2011
(published: October 2, 2020)
Security researchers from ESET have identified a new Advanced Persistent Threat (APT) group that has been targeting Eastern European governments and businesses for up to nine years. Dubbed “XDSpy,” ESET was unable to identify any code similarity or shared infrastructure with other known groups and believe the group operates in a UTC+2 or UTC+3 time zone, Monday to Friday. XDSpy mainly uses spearphishing emails with some variance, some will contain attachments or links to malicious files, usually a ZIP or RAR archive. When the malicious file has infected a victim, it will install “XDDown,” a downloader that will begin to install additional plugins that will begin to exfiltrate files, passwords, and nearby SSIDs. XDSpy has also been observed using “CVE-2020-0968” (Internet Explorer legacy JavaScript vulnerability) bearing some resemblance to DarkHotel campaigns and Operation Domino, ESET do not believe these campaigns are related but may be using the same exploit broker.
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] File and Directory Discovery |
Ransomware Malware Vulnerability Threat Medical | APT 38 | ★★★★★ |
|
2020-09-09 16:24:00 | Weekly Threat Briefing: Skimmer, Ransomware, APT Group, and More (lien direct) | The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Baka, DDoS, Netwalker, PyVil, Windows Defender, TA413, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
‘Baka’ Javascript Skimmer Identified
(published: September 6, 2020)
Visa have issued a security alert based on identification of a new skimmer, named “Baka”. Based on analysis by Visa Payment Fraud Disruption, the skimmer appears to be more advanced, loading dynamically and using an XOR cipher for obfuscation. The attacks behind Baka are injecting it into checkout pages using a script tag, with the skimming code downloading from the Command and Control (C2) server and executing in memory to steal customer data.
Recommendation: eCommerce site owners must take every step necessary to secure their data and safeguard their payment card information. Visa has also released best practices in the security advisory.
Tags: Baka, Javascript, Skimmer
Netwalker Ransomware Hits Argentinian Government, Demands $4 Million
(published: September 6, 2020)
The Argentinian immigration agency, Dirección Nacional de Migaciones suffered a ransomware attack that shut down border crossings. After receiving many tech support calls, the computer networks were shut down to prevent further spread of the ransomware, which led to a cecission in border crossings until systems were up again. The ransomware used in this attack is Netwalker ransomware, that left a ransom note demanding initalling $2 million, however when this wasn’t paid in the first week, the ransom increased to $4 million.
Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions (HIDS). Always keep your important files backed up following the 3-2-1 rule: have at least 3 different copies, on 2 different mediums, with 1 off-site. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Argentina, Government, Netwalker, Ransomware
No Rest for the Wicked: Evilnum Unleashes PyVil RAT
(published: September 3, 2020)
Researchers on the Cybereason Nocturnus team have published their research tracking the threat actor group known as Evilnum, and an ongoing change in their tooling and attack procedures. This includes a new Remote Access Trojan (RAT), written in python that they have begun to use. The actor group attacks targets in the financial services sector using highly targeted spearphishing. The phishing lures leverage "Know Your Customer" (KY |
Ransomware Malware Tool Vulnerability Threat Medical | APT 38 APT 28 | ★★★★ |
 |
2020-08-26 06:43:13 | Lazarus APT targets cryptocurrency organizations with using LinkedIn lures (lien direct) | North Korea-linked Lazarus APT group targets cryptocurrency organizations with fake job offers in an ongoing spear-phishing campaign. North Korea-linked Lazarus APT group (aka HIDDEN COBRA) has been observed while using LinkedIn lures in a spear-phishing campaign targeting the cryptocurrency organizations worldwide, including in the United States, the United Kingdom, Germany, Singapore, the Netherlands, Japan. The activity of […] | Medical | APT 38 | |
 |
2020-08-25 09:00:00 | Lazarus group strikes cryptocurrency firm through LinkedIn job adverts (lien direct) | A system administrator proved to be the weak link, opening the door for Lazarus to attack. | APT 38 | ||
|
2020-08-14 17:39:50 | (Déjà vu) North Korea\'s Lazarus compromised dozens of organizations in Israel (lien direct) | Since January 2020, the North Korea-linked Lazarus APT has successfully compromised dozens of organizations in Israel and other countries. The Israeli defence ministry announced on Wednesday that it had foiled a cyber attack carried out by a foreign threat actor targeting the country's defence manufacturers. According to the officials, the attack was launched by “an […] | Threat | APT 38 | |
|
2020-07-29 06:42:42 | North Korea-Linked Lazarus APT is behind the VHD ransomware (lien direct) | Security experts from Kaspersky Lab reported that North Korea-linked hackers are attempting to spread a new ransomware strain known as VHD. North Korean-linked Lazarus APT Group continues to be very active, the state-sponsored hackers are actively employing new ransomware, tracked as VHD, in attacks aimed at enterprises. The activity of the Lazarus Group surged in 2014 and […] | Ransomware | APT 38 | |
 |
2020-07-28 12:15:00 | North Korean hackers created VHD ransomware for enterprise attacks (lien direct) | North Korean-backed hackers tracked as the Lazarus Group have developed and are actively using VHD ransomware against enterprise targets according to a report published by Kaspersky researchers today. [...] | Ransomware Medical | APT 38 | |
 |
2020-07-28 10:00:27 | Lazarus on the hunt for big game (lien direct) | By investigating a number of targeted ransomware attacks and through discussions with some of our trusted industry partners, we feel that we now have a good grasp on how the ransomware ecosystem is structured. | Ransomware | APT 38 | |
|
2020-07-23 14:46:05 | New MATA Multi-platform malware framework linked to NK Lazarus APT (lien direct) | North Korea-linked Lazarus APT Group has used a new multi-platform malware framework, dubbed MATA, to target entities worldwide The notorious Lazarus Group is using a new multi-platform malware framework, dubbed MATA, in attacks aimed at organizations worldwide, to deploy Kaspersky researchers observed that MATA was used by the threat actors to distribute ransomware (i.e. VHD […] | Ransomware Malware Threat Medical | APT 38 | |
 |
2020-07-23 02:18:46 | North Korean Hackers Spotted Using New Multi-Platform Malware Framework (lien direct) | Lazarus Group, the notorious hacking group with ties to the North Korean regime, has unleashed a new multi-platform malware framework with an aim to infiltrate corporate entities around the world, steal customer databases, and distribute ransomware.
Capable of targeting Windows, Linux, and macOS operating systems, the MATA malware framework - so-called because of the authors' reference to the |
Malware Medical | APT 38 | |
 |
2020-07-22 15:55:00 | North Korea\'s Lazarus Group Developing Cross-Platform Malware Framework (lien direct) | The APT group, known for its attack on Sony Pictures in 2014, has created an "advanced malware framework" that can launch and manage attacks against systems running Windows, MacOS, and Linux. | Malware | APT 38 | |
|
2020-07-22 14:49:59 | Lazarus hackers deploy ransomware, steal data using MATA malware (lien direct) | A recently discovered malware framework known as MATA and linked to the North Korean-backed hacking group known as Lazarus was used in attacks targeting corporate entities from multiple countries since April 2018 for ransomware deployment and data theft. [...] | Ransomware Malware | APT 38 | |
|
2020-07-06 13:45:36 | (Déjà vu) North Korean Lazarus APT stole credit card data from US and EU stores (lien direct) | North Korea-linked Lazarus APT has been stealing payment card data from customers of large retailers in the U.S. and Europe for at least a year. Sansec researchers reported that North Korea-linked Lazarus APT group has been stealing payment card information from customers of large retailers in the U.S. and Europe for at least a year. […] | APT 38 | ||
 |
2020-07-06 12:28:02 | (Déjà vu) Comment: North Korean Hackers Linked to Credit Card Stealing Attacks on US Stores (lien direct) | Hackers from North Korea have been stealing payment card information from customers of large retailers in the U.S. and Europe for at least a year, reveals new research released today. The fraudulent activity, which researchers attribute to the Lazarus (Hidden Cobra) group of nation-state hackers, used legitimate websites to exfiltrate the stolen credit card data and … The ISBuzz Post: This Post Comment: North Korean Hackers Linked to Credit Card Stealing Attacks on US Stores | Medical | APT 38 | |
|
2020-06-22 10:10:06 | (Déjà vu) North Korean State Hackers Reportedly Planning COVID-19 phishing campaign targeting 5M Across Six Nations (lien direct) | Singapore, Japan, and the US are amongst six nations targeted in a COVID-19 themed phishing campaign that is reportedly scheduled for June 21, during which 8,000 businesses in Singapore may receive email messages from a spoofed Ministry of Manpower account. North Korean state hacker group Lazarus are said to be behind the massive attack that … The ISBuzz Post: This Post North Korean State Hackers Reportedly Planning COVID-19 phishing campaign targeting 5M Across Six Nations | APT 38 | ||
 |
2020-06-19 10:36:38 | North Korean state hackers reportedly planning COVID-19 phishing campaign targeting 5M across six nations (lien direct) | Singapore, Japan, and the US are amongst six nations reportedly targeted in a COVID-19 themed phishing campaign that is scheduled to take place June 21. North Korean state hacker group Lazarus are said to be behind the massive attack that will see more than 5 million businesses and individuals receiving phishing email messages from spoofed […] | APT 38 | ||
|
2020-05-13 06:49:31 | USCYBERCOM shares five new North Korea-linked malware samples (lien direct) | The United States Cyber Command (USCYBERCOM) has uploaded five new North Korean malware samples to VirusTotal. The United States Cyber Command (USCYBERCOM) has shared five new malware samples attributed to the North Korea-linked Lazarus APT, it has uploaded the malicious code to VirusTotal. “On May 12, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the […] | Malware | APT 38 | |
|
2020-05-12 16:30:00 | DHS, FBI & DoD Report on New North Korean Malware (lien direct) | Three new reports detail malware coming out of the Hidden Cobra cyber operations in North Korea. | Malware Medical | APT 38 | |
|
2020-05-12 11:36:58 | US govt exposes new North Korean malware, phishing attacks (lien direct) | The US government today released information on three new malware variants used in malicious cyber activity campaigns by a North Korean government-backed hacker group tracked as HIDDEN COBRA. [...] | Malware Medical | APT 38 | |
|
2020-05-09 22:14:52 | North Korea-linked Lazarus APT uses a Mac variant of the Dacls RAT (lien direct) | North Korea-linked Lazarus APT group employed a Mac variant of the Dacls Remote Access Trojan (RAT) in recent attacks. North Korea-linked Lazarus APT already used at least two macOS malware in previous attacks, now researchers from Malwarebytes have identified a new Mac variant of the Linux-based Dacls RAT. The activity of the Lazarus APT group (aka HIDDEN COBRA) […] | Malware Medical | APT 38 | |
|
2020-05-09 12:39:40 | North Korean hackers infect real 2FA app to compromise Macs (lien direct) | Hackers have hidden malware in a legitimate two-factor authentication (2FA) app for macOS to distribute Dacls, a remote access trojan associated with the North Korean Lazarus group. [...] | Malware Medical | APT 38 | |
|
2020-05-08 15:16:23 | (Déjà vu) Comment: Lazarus Group Hides macOS Spyware In 2FA Application (lien direct) | The North Korea-linked cyberthreat group known as Lazarus Group has added a new variant of the Dacls remote-access trojan (RAT) to its arsenal of spy gear, designed specifically for the Mac operating system. Dacls was first discovered last December targeting Windows and Linux platforms. The new version for Mac is now spreading via a trojanized two-factor … The ISBuzz Post: This Post Comment: Lazarus Group Hides macOS Spyware In 2FA Application | Medical | APT 38 | |
|
2020-05-07 09:56:52 | Lazarus macOS Spyware hidden in Two-Factor Authentication Application (lien direct) | The Dacls RAT has been ported from an existing Linux version. The North Korea-linked cyberthreat group known as Lazarus Group has added a new variant of the Dacls remote-access trojan (RAT) to its arsenal of spy gear, designed specifically for the Mac operating system. Dacls was first discovered last December targeting Windows and Linux platforms. […] | Medical | APT 38 | |
 |
2020-05-06 15:59:36 | New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app (lien direct) |
The Lazarus group improves their toolset with a new RAT specifically designed for the Mac.
Categories:
Mac
Malware
Threat analysis
Tags: APTDaclsLazarusmacmalwarerattinkaOTP
(Read more...)
|
Medical | APT 38 | |
|
2020-03-02 17:35:17 | US Charges Two With Laundering $100M for North Korean Hackers (lien direct) | Two Chinese nationals were charged today by the US Dept of Justice and sanctioned by the US Treasury for allegedly laundering over $100 million worth of cryptocurrency out of the nearly $250 million stolen by North Korean actors known as Lazarus Group after hacking a cryptocurrency exchange in 2018. [...] | Medical | APT 38 | |
 |
2020-02-25 12:00:00 | North Korea Is Recycling Mac Malware. That\'s Not the Worst Part (lien direct) | Lazarus Group hackers have long plagued the internet-using at least one tool they picked up just by looking around online. | Tool Medical | APT 38 | |
|
2020-02-14 21:07:17 | US Govt agencies detail North Korea-linked HIDDEN COBRA malware (lien direct) | The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released reports on North Korea-linked HIDDEN COBRA malware. The FBI, the US Cyber Command, and the Department of Homeland Security have published technical details of a new North-Korea linked hacking operation. The government experts released new and updated Malware Analysis Reports (MARs) […] | Malware Medical | APT 38 | |
 |
2020-01-16 11:11:35 | Lazarus renforce les capacités de son attaque AppleJeus contre les cryptomonnaies (lien direct) |  En 2018 l'équipe GReAT (Global Research & Analysis Team) de Kaspersky publiait les résultats de son enquête sur AppleJeus, une opération visant à dérober des cryptomonnaies et menée par le prolifique groupe malveillant Lazarus. |
APT 38 | ||
|
2020-01-10 06:23:08 | North Korea-linked Lazarus APT continues to target cryptocurrency exchanges (lien direct) | In the last 18 months, North Korea-linked Lazarus APT group has continued to target cryptocurrency exchanges evolving its TTPs. Kaspersky researchers have analyzed the attacks carried out by North Korea-linked Lazarus APT group in the past 18 months and confirmed their interest in banks and cryptocurrency exchanges. In the mid-2018, the APT targeted cryptocurrency exchanges and cryptocurrency […] | APT 38 | ||
|
2019-12-17 20:43:46 | (Déjà vu) Dacls RAT, the first Lazarus malware that targets Linux devices (lien direct) | Researchers spotted a new Remote Access Trojan (RAT), dubbed Dacls, that was used by the Lazarus APT group to target both Windows and Linux devices. Experts at Qihoo 360 Netlab revealed that the North-Korea Lazarus APT group used a new Remote Access Trojan (RAT), dubbed Dacls, to target both Windows and Linux devices. The activity […] | Malware | APT 38 | |
|
2019-12-17 13:05:00 | Lazarus Hackers Target Linux, Windows With New Dacls Malware (lien direct) | A new Remote Access Trojan (RAT) malware dubbed Dacls and connected to the Lazarus Group has been spotted by researchers while being used to target both Windows and Linux devices. [...] | Malware Medical | APT 38 | |
|
2019-12-17 12:12:46 | Lazarus pivots to Linux attacks through Dacls Trojan (lien direct) | The Trojan is able to infect both Windows and Linux machines. | APT 38 | ||
 |
2019-12-10 17:00:00 | New fileless malware for macOS linked to Lazarus Group (lien direct) | The new malware sample bears similarities to the well-known AppleJeus malware, which targets cryptocurrency exchanges. AppleJeus is the product of Lazarus Group, a shadowy cybercrime organization believed by many to be linked to North Korea. | Malware Medical | APT 38 | |
 |
2019-11-20 12:41:07 | Mac Backdoor Linked to Lazarus Targets Korean Users (lien direct) |  By Gabrielle Joyce Mabutas Criminal interest in MacOS continues to grow, with malware authors churning out more threats that target users of the popular OS. Case in point: A new variant of a Mac backdoor (detected by Trend Micro as Backdoor.MacOS.NUKESPED.A) attributed to the cybercriminal group Lazarus, which was observed targeting Korean users with a...
|
Malware | APT 38 | |
|
2019-10-31 16:15:13 | Experts Reactions On North Korean Malware Found On Indian Nuclear Plants Network (lien direct) | It has been reported the network of one of India’s nuclear power plants was infected with malware created by North Korea’s state-sponsored hackers, the Nuclear Power Corporation of India Ltd (NPCIL) confirmed today. Several security researchers identified the malware as a version of Dtrack, a backdoor trojan developed by the Lazarus Group, North Korea’s elite hacking unit. There … The ISBuzz Post: This Post Experts Reactions On North Korean Malware Found On Indian Nuclear Plants Network | Malware Medical | APT 38 | |
|
2019-10-25 06:49:12 | Experts attribute NukeSped RAT to North Korea-Linked hackers (lien direct) | Experts at Fortinet analyzed NukeSped malware samples that share multiple similarities with malware associated with North Korea-linked APTs. Fortinet has analyzed the NukeSped RAT that is believed to be a malware in the arsenal of the Lazarus North-Korea linked APT group. The attribution to the Lazarus group is based on the similarities with other malware […] | Malware Medical | APT 38 | |
 |
2019-09-26 22:55:00 | Dtrack : un logiciel espion, jusque-là inconnu, du groupe malveillant Lazarus frappe des établissements financiers et des centres de recherche (lien direct) | L'équipe GReAT (Global Research & Analysis Team) de Kaspersky a découvert un logiciel espion jusque-là inconnu, repéré dans des établissements financiers et centres de recherche en Inde. Ce spyware dénommé Dtrack, qui aurait été créé par le groupe malveillant Lazarus, sert au téléchargement de fichiers sur les systèmes des victimes, à l'enregistrement de frappes clavier ainsi qu'à d'autres actions typiques d'un malware d'administration à distance (RAT). En 2018, des chercheurs de Kaspersky ont découvert (...) - Malwares | Malware | APT 38 | |
 |
2019-09-24 18:56:47 | North Korean-Linked Dtrack RAT Discovered (lien direct) | An investigation into banking malware targeting India has led to the discovery of a new remote access Trojan (RAT) employed by the North Korean-linked Lazarus group, Kaspersky reports. | Malware Medical | APT 38 | |
 |
2019-09-16 10:40:25 | Les États-Unis annoncent des sanctions financières contre les hackers nord-coréens (lien direct) | Les actifs des groupes Lazarus, Bluenoroff et Andariel sont désormais gelés ou blacklistés. Ces pirates sont soupçonnés, entre autres, de financer le régime nord-coréen en pillant des banques et par des opérations de cybercrime.  |
APT 38 | ||
|
2019-09-13 20:21:12 | The US Treasury placed sanctions on North Korea linked APT Groups (lien direct) | The US Treasury placed sanctions on three North Korea-linked hacking groups, the Lazarus Group, Bluenoroff, and Andarial. The US Treasury sanctions on three North Korea-linked hacking groups, the Lazarus Group, Bluenoroff, and Andarial. The groups are behind several hacking operations that resulted in the theft of hundreds of millions of dollars from financial institutions and cryptocurrency exchanges […] | Medical | APT 38 | |
|
2019-09-13 16:47:00 | US Treasury sanctions three North Korean hacking groups (lien direct) | US wants to seize financial assets associated with the Lazarus Group, Bluenoroff, and Andarial. | Medical | APT 38 | |
|
2019-09-13 15:00:00 | US Sanctions 3 Cyber Attack Groups Tied to DPRK (lien direct) | Lazarus Group, Bluenoroff, and Andariel were named and sanctioned by the US Treasury for ongoing attacks on financial systems. | Medical | APT 38 | |
|
2019-09-09 14:09:05 | U.S. Cyber Command Adds North Korean Malware Samples to VirusTotal (lien direct) | The U.S. Cyber Command (USCYBERCOM) this week released 11 malware samples to VirusTotal, all of which appear related to the notorious North Korean-linked threat group Lazarus. | Malware Threat | APT 38 | |
 |
2019-07-25 13:00:00 | Can you trust threat intelligence from threat sharing communities? | AT&T ThreatTraq (lien direct) | Every week the AT&T Chief Security Office produces a series called ThreatTraq with helpful information and news commentary for InfoSec practitioners and researchers. I really enjoy them; you can subscribe to the Youtube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Jaime Blasco, VP and Chief Scientist, AlienVault, Stan Nurilov, Lead Member of Technical Staff, AT&T, and Joe Harten, Director Technical Security. Stan: Jaime. I think you have a very interesting topic today about threat intelligence. Jaime: Yes, we want to talk about how threat intelligence is critical for threat detection and incident response, but then when this threat intelligence and the threat actors try to match those indicators and that information that is being shared, it can actually be bad for companies. So we are going to share some of the experiences we have had with managing the Open Threat Exchange (OTX) - one of the biggest threat sharing communities out there. Stan: Jaime mentioned that they have so many threat indicators and so much threat intelligence as part of OTX, the platform. Jaime: We know attackers monitor these platforms and are adjusting tactics and techniques and probably the infrastructure based on public reaction to cyber security companies sharing their activities in blog posts and other reporting. An example is in September 2017, we saw APT28, and it became harder to track because we were using some of the infrastructure and some of the techniques that were publicly known. And another cyber security company published content about that and then APT28 became much more difficult to track. The other example is APT1. If you remember the APT1 report in 2013 that Mandiant published, that made the group basically disappear from the face of earth, right? We didn't see them for a while and then they changed the infrastructure and they changed a lot of the tools that they were using, and then they came back in 2014. So we can see that that threat actor disappeared for a while, changed and rebuilt, and then they came back. We also know that attackers can try to publish false information in this platform, so that's why it's important that not only those platforms are automated, but also there are human analysts that can verify that information. Joe: It seems like you have to have a process of validating the intelligence, right? I think part of it is you don't want to take this intelligence at face value without having some expertise of your own that asks, is this valid? Is this a false positive? Is this planted by the adversary in order to throw off the scent? I think it's one of those things where you can't automatically trust - threat intelligence. You have to do some of your own diligence to validate the intelligence, make sure it makes sense, make sure it's still fresh, it's still good. This is something we're working on internally - creating those other layers to validate and create better value of our threat intelligence. Jaime: The other issue I wanted to bring to the table is what we call false flag operations - that's when an adversary or a threat actor studies another threat actor and tries to emulate their behavior. So when companies try to do at | Malware Threat Studies Guideline | APT 38 APT 28 APT 1 | |
|
2019-05-13 18:50:03 | US Government Unveils New North Korean Hacking Tool (lien direct) | It has been reported that yesterday the Department of Homeland Security and the FBI publicly identified a new North Korean malware capable of funnelling information from a victim’s computer network. Dubbed ElectricFish by government officials, the malware is the latest tool in North Korea’s hacking program, referred to as Hidden Cobra. The U.S. Cyber Emergency Response Team published a report warning the public … The ISBuzz Post: This Post US Government Unveils New North Korean Hacking Tool | Malware Tool Medical | APT 38 | |
|
2019-05-10 13:53:03 | DHS and FBI published a Malware Analysis Report on North Korea-linked tool ELECTRICFISH (lien direct) | The U.S. Department of Homeland Security (DHS) and the FCI published a new joint report on ELECTRICFISH, a malware used by North Korea. US DHS and the Federal Bureau of Investigation (FBI) conducted a joint analysis of a traffic tunneling tool dubbed ELECTRICFISH used by North Korea-linked APT group tracked as Hidden Cobra (aka Lazarus). It […] | Malware Tool Medical | APT 38 | |
|
2019-05-10 10:41:04 | North Korea debuts new Electricfish malware in Hidden Cobra campaigns (lien direct) | The tool is used to forge covert pathways out of infected Windows PCs. | Malware Tool | APT 38 | |
|
2019-05-10 03:04:03 | North Korean Hackers Using ELECTRICFISH Tunnels to Exfiltrate Data (lien direct) | The U.S. Department of Homeland Security (DHS) and the FBI have issued another joint alert about a new piece of malware that the prolific North Korean APT hacking group Hidden Cobra has actively been using in the wild.
Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is believed to be backed by North Korean government and known to launch cyber attacks against media |
Malware Medical | APT 38 | |
|
2019-05-09 16:59:05 | (Déjà vu) North Korean Hackers Use ELECTRICFISH Malware to Steal Data (lien direct) | The Federal Bureau of Investigation (FBI) and the U.S. Department of Homeland Security (DHS) have issued a joint malware analysis report (MAR) on a new malware strain dubbed ELECTRICFISH and used by the North-Korean APT group Lazarus to exfiltrate data from victims. [...] | Malware | APT 38 |
To see everything:
Our RSS (filtrered)
