What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-04-17 15:30:00 | Le groupe nord-coréen Kimsuk exploite DMARC et les balises Web North Korean Group Kimsuky Exploits DMARC and Web Beacons (lien direct) |
ProofPoint a confirmé que Kimsuky a directement contacté des experts en politique étrangère depuis 2023 par le biais de conversations par e-mail apparemment bénignes
Proofpoint confirmed Kimsuky has directly contacted foreign policy experts since 2023 through seemingly benign email conversations |
APT 43 | ★★★ | |
 |
2024-04-16 06:00:54 | De l'ingénierie sociale aux abus DMARC: Ta427 \\'s Art of Information Gathering From Social Engineering to DMARC Abuse: TA427\\'s Art of Information Gathering (lien direct) |
Key takeaways TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime. In addition to using specially crafted lure content, TA427 heavily leverages think tank and non-governmental organization-related personas to legitimize its emails and increase the chances that targets will engage with the threat actor. To craftily pose as its chosen personas, TA427 uses a few tactics including DMARC abuse in concert with free email addresses, typosquatting, and private email account spoofing. TA427 has also incorporated web beacons for initial reconnaissance of its targets, establishing basic information like that the email account is active. Overview Proofpoint researchers track numerous state-sponsored and state-aligned threat actors. TA427 (also known as Emerald Sleet, APT43, THALLIUM or Kimsuky), a Democratic People\'s Republic of Korea (DPRK or North Korea) aligned group working in support of the Reconnaissance General Bureau, is particularly prolific in email phishing campaigns targeting experts for insight into US and the Republic of Korea (ROK or South Korea) foreign policy. Since 2023, TA427 has directly solicited foreign policy experts for their opinions on nuclear disarmament, US-ROK policies, and sanction topics via benign conversation starting emails. In recent months, Proofpoint researchers have observed (Figure 1) a steady, and at times increasing, stream of this activity. While our researchers have consistently observed TA427 rely on social engineering tactics and regularly rotating its email infrastructure, in December 2023 the threat actor began to abuse lax Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to spoof various personas and, in February 2024, began incorporating web beacons for target profiling. It is this initial engagement, and the tactics successfully leveraged by TA427, which this blog is focused on. Figure 1. Volume of TA427 phishing campaigns observed between January 2023 and March 2024. Social engineering TA427 is a savvy social engineering expert whose campaigns are likely in support of North Korea\'s strategic intelligence collection efforts on US and ROK foreign policy initiatives. Based on the targets identified and the information sought, it is believed that TA427\'s goal is to augment North Korean intelligence and inform its foreign policy negotiation tactics (example Figure 2). TA427 is known to engage its targets for extended periods of time through a series of benign conversations to build a rapport with targets that can occur over weeks to months. They do so by constantly rotating which aliases are used to engage with the targets on similar subject matter. Figure 2. Example of TA427 campaign focused on US policy during an election year. Using timely, relevant lure content (as seen in Figure 3) customized for each victim, and often spoofing individuals in the DPRK research space with whom the victim is familiar to encourage engagement, targets are often requested to share their thoughts on these topics via email or a formal research paper or article. Malware or credential harvesting are never directly sent to the targets without an exchange of multiple messages, and based on Proofpoint visibility, rarely utilized by the threat actor. It is possible that TA427 can fulfill its intelligence requirements by directly asking targets for their opinions or analysis rather than from an infection. Additionally, insight gained from the correspondence is likely used to improve targeting of the victim organization and establish rapport for later questions and engagement. Figure 3. Timeline of real-world events based on international press reporting, side-by-side with Proofpoint observed subject lures. Lure content often includes invitations to attend events about North Korean policies regarding international affairs, questions regarding topics such as how deterr | Malware Tool Threat Conference | APT 37 APT 43 | ★★ |
 |
2024-03-24 11:08:00 | Kimsuky de Kimsuky, en coréen, les déplacements pour les fichiers HTML compilés dans les cyberattaques en cours N. Korea-linked Kimsuky Shifts to Compiled HTML Help Files in Ongoing Cyberattacks (lien direct) |
L'acteur de menace lié à la Corée du Nord connue sous le nom de & NBSP; Kimsuky & nbsp; (aka Black Banshee, Emerald Sleet ou Springtail) a été observé en déplacement de ses tactiques, en levant des fichiers HTML compilés compilés (CHM) en tant que vecteurs pour offrir des logiciels malinés pour la récolte des données sensibles.
Kimsuky, actif depuis au moins 2012, est connu pour cibler des entités situées en Corée du Sud ainsi qu'en Amérique du Nord, en Asie et en Europe.
Selon
The North Korea-linked threat actor known as Kimsuky (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging Compiled HTML Help (CHM) files as vectors to deliver malware for harvesting sensitive data. Kimsuky, active since at least 2012, is known to target entities located in South Korea as well as North America, Asia, and Europe. According |
Malware Threat | APT 43 | ★★★ |
|
2023-12-29 14:39:00 | Des pirates Kimsuky déploient Appleseed, Meterpreter et Tinynuke dans les dernières attaques Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks (lien direct) |
Nation-state actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines.
South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as Kimsuky.
“A notable point about attacks that
Nation-state actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines. South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as Kimsuky. “A notable point about attacks that |
Tool Threat | APT 43 | ★★★ |
 |
2023-12-28 19:18:50 | Trend Analysis on Kimsuky Group\'s Attacks Using AppleSeed (lien direct) | #### Description
Le groupe de menaces Kimsuky, connu pour être soutenu par la Corée du Nord, est actif depuis 2013. Le groupe lance généralement des attaques de phishing de lance contre la défense nationale, les industries de la défense, les médias, la diplomatie, les organisations nationales et les secteurs académiques.
Leurs attaques visent à voler des informations internes et des technologies auprès des organisations.Alors que le groupe Kimsuky utilise généralement des attaques de phishing de lance pour un accès initial, la plupart de leurs attaques récentes impliquent l'utilisation de logiciels malveillants de type raccourci au format de fichier LNK.Bien que les logiciels malveillants LNK constituent une grande partie des attaques récentes, des cas utilisant des javascripts ou des documents malveillants continuent d'être détectés.Ces cas d'attaque qui utilisent des logiciels malveillants de type JavaScript impliquent généralement la distribution d'applications.En plus de JavaScript, des logiciels malwares de macro Excel sont également utilisés pour installer Appleseed.Appleseed est une porte dérobée qui peut recevoir les commandes de la menace acteur \\ du serveur C&C et exécuter les commandes reçues.L'acteur de menace peut utiliser Appleseed pour contrôler le système infecté.Il propose également des fonctionnalités telles qu'un téléchargeur qui installe des logiciels malveillants supplémentaires, Keylogging et prenant des captures d'écran, et en volant des informations en collectant des fichiers dans le système utilisateur et en les envoyant.Alphaseed est un logiciel malveillant développé dans Golang et prend en charge des fonctionnalités similaires à Appleseed telles que l'exécution des commandes et l'infostoritration.
#### URL de référence (s)
1. https://asec.ahnlab.com/en/60054/
#### Date de publication
27 décembre 2023
#### Auteurs)
Sanseo
#### Description The Kimsuky threat group, known to be supported by North Korea, has been active since 2013. The group usually launches spear phishing attacks against national defense, defense industries, media, diplomacy, national organizations, and academic sectors. Their attacks aim to steal internal information and technology from organizations. While the Kimsuky group typically uses spear phishing attacks for initial access, most of their recent attacks involve the use of shortcut-type malware in LNK file format. Although LNK malware comprise a large part of recent attacks, cases using JavaScripts or malicious documents are continuing to be detected. Such attack cases that use JavaScript-type malware usually involve the distribution of AppleSeed. In addition to JavaScript, Excel macro malware are also used to install AppleSeed. AppleSeed is a backdoor that can receive the threat actor\'s commands from the C&C server and execute the received commands. The threat actor can use AppleSeed to control the infected system. It also offers features such as a downloader that installs additional malware, keylogging and taking screenshots, and stealing information by collecting files from the user system and sending them. AlphaSeed is a malware developed in Golang and supports similar features to AppleSeed such as command execution and infostealing. #### Reference URL(s) 1. https://asec.ahnlab.com/en/60054/ #### Publication Date December 27, 2023 #### Author(s) Sanseo |
Malware Threat Prediction | APT 43 | ★★★ |
|
2023-12-08 19:03:00 | N. Corée Kimsuky ciblant les instituts de recherche sud-coréens avec des attaques de porte dérobée N. Korean Kimsuky Targeting South Korean Research Institutes with Backdoor Attacks (lien direct) |
L'acteur de menace nord-coréenne connue sous le nom de & nbsp; Kimsuky & nbsp; a été observé ciblant les instituts de recherche en Corée du Sud dans le cadre d'une campagne de phisces de lance dans l'objectif ultime de distribuer des déambulations sur des systèmes compromis.
"L'acteur de menace utilise finalement une porte dérobée pour voler des informations et exécuter des commandes", le centre d'intervention d'urgence de sécurité AHNLAB (ASEC) & NBSP; dit & nbsp; dans un
The North Korean threat actor known as Kimsuky has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems. "The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC) said in an |
Threat | APT 43 | ★★★ |
 |
2023-12-01 21:00:00 | La Corée du Nord APT a giflé des cyber-sanctions après le lancement par satellite North Korea APT Slapped With Cyber Sanctions After Satellite Launch (lien direct) |
Les sanctions contre Kimsuky / APT43 se concentrent sur le monde sur la perturbation des opérations de cybercriminalité du régime de la RPRC, dit Expert.
Sanctions on Kimsuky/APT43 focuses the world on disrupting DPRK regime\'s sprawling cybercrime operations, expert says. |
APT 43 APT 43 | ★★★ | |
 |
2023-12-01 18:15:00 | US Sanctions North Coréen \\ 'Kimsuky \\' Hackers après le lancement de satellite de surveillance US sanctions North Korean \\'Kimsuky\\' hackers after surveillance satellite launch (lien direct) |
Les États-Unis se sont associés à plusieurs nations du Pacifique pour transmettre des sanctions contre la Corée du Nord - en particulier le groupe de cyber-espionnage du pays \\ du pays - après le pays Lancé Un satellite de surveillance la semaine dernière.Jeudi soir, le Office du Contrôle des actifs étrangers (OFAC) du Département américain du Trésor du Trésor a sanctionné huit agents nord-coréens pour
The U.S. partnered with several nations in the Pacific to hand down sanctions on North Korea - particularly the country\'s Kimsuky cyber espionage group - after the country launched a surveillance satellite last week. On Thursday evening, the U.S. Department of the Treasury\'s Office of Foreign Assets Control (OFAC) sanctioned eight North Korean agents for |
APT 43 | ★★★ | |
|
2023-11-23 20:16:00 | Groupe Konni utilisant des documents de mots malveillants en langue russe dans les dernières attaques Konni Group Using Russian-Language Malicious Word Docs in Latest Attacks (lien direct) |
Une nouvelle attaque de phishing a été observée en tirant parti d'un document Microsoft Word en langue russe pour fournir des logiciels malveillants capables de récolter des informations sensibles auprès d'hôtes Windows compromis.
L'activité a été attribuée à un acteur de menace appelé Konni, qui est évalué pour partager les chevauchements avec un cluster nord-coréen suivi comme Kimsuky (aka apt43).
"Cette campagne repose sur un cheval de Troie à distance
A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts. The activity has been attributed to a threat actor called Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43). "This campaign relies on a remote access trojan |
APT 43 | ★★ | |
 |
2023-10-23 02:21:45 | 2023 août & # 8211;Rapport de tendance des menaces sur le groupe Kimsuky 2023 Aug – Threat Trend Report on Kimsuky Group (lien direct) |
Les activités de Kimsuky Group & # 8217;Les activités d'autres types étaient relativement faibles.De plus, des échantillons de phishing ont été trouvés dans l'infrastructure connue pour la distribution de logiciels malveillants antérieurs (fleurs, randomquery et appleseed), et des échantillons de babyshark ont été découverts dans l'infrastructure RandomQuery.Cela suggère la probabilité de plusieurs types de logiciels malveillants en utilisant une seule infrastructure.Rapport de tendance AUG_TRÉTÉE sur le groupe Kimsuk
The Kimsuky group’s activities in August 2023 showed a notable surge in the BabyShark type, while the activities of other types were relatively low. Also, phishing samples were found in the infrastructure known for distributing previous malware (FlowerPower, RandomQuery, and AppleSeed), and BabyShark samples were discovered in the RandomQuery infrastructure. This suggests the likelihood of multiple types of malware utilizing a single infrastructure. Aug_Threat Trend Report on Kimsuky Group |
Malware Threat Prediction | APT 43 | ★★★ |
|
2023-10-18 16:11:47 | Kimsuky de la Corée du Nord se double de la commande de bureau à distance North Korea\\'s Kimsuky Doubles Down on Remote Desktop Control (lien direct) |
L'APT sophistiqué utilise diverses tactiques pour abuser des fenêtres et d'autres protocoles intégrés avec des logiciels malveillants personnalisés et publics pour prendre le contrôle des systèmes de victimes.
The sophisticated APT employs various tactics to abuse Windows and other built-in protocols with both custom and public malware to take over victim systems. |
Malware | APT 43 | ★★ |
|
2023-10-17 09:08:51 | Kimsuky Threat Group utilise RDP pour contrôler les systèmes infectés Kimsuky Threat Group Uses RDP to Control Infected Systems (lien direct) |
Kimsuky, un groupe de menaces connu pour être soutenu par la Corée du Nord, est actif depuis 2013. Au début, ils ont attaqué les instituts de recherche liés à la Corée du Nord en Corée du Sud avant d'attaquer une agence d'énergie sud-coréenne en 2014. D'autres pays sont également devenus des cibles de leur attaque depuis 2017. [1] Le groupe lance généralement des attaques de phishing de lance contre la défense nationale, diplomatique diplomatique,, et les secteurs universitaires, les industries de la défense et des médias, ainsi que des organisations nationales.Leur objectif est d'exfiltrer les informations et la technologie internes ...
Kimsuky, a threat group known to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy agency in 2014. Other countries have also become targets of their attack since 2017. [1] The group usually launches spear phishing attacks on the national defense, diplomatic, and academic sectors, defense and media industries, as well as national organizations. Their goal is to exfiltrate internal information and technology... |
Threat | APT 43 | ★★★ |
 |
2023-06-13 13:00:00 | CyberheistNews Vol 13 # 24 [Le biais de l'esprit \\] le prétexage dépasse désormais le phishing dans les attaques d'ingénierie sociale CyberheistNews Vol 13 #24 [The Mind\\'s Bias] Pretexting Now Tops Phishing in Social Engineering Attacks (lien direct) |
CyberheistNews Vol 13 #24 | June 13th, 2023
[The Mind\'s Bias] Pretexting Now Tops Phishing in Social Engineering Attacks
The New Verizon DBIR is a treasure trove of data. As we will cover a bit below, Verizon reported that 74% of data breaches Involve the "Human Element," so people are one of the most common factors contributing to successful data breaches. Let\'s drill down a bit more in the social engineering section.
They explained: "Now, who has received an email or a direct message on social media from a friend or family member who desperately needs money? Probably fewer of you. This is social engineering (pretexting specifically) and it takes more skill.
"The most convincing social engineers can get into your head and convince you that someone you love is in danger. They use information they have learned about you and your loved ones to trick you into believing the message is truly from someone you know, and they use this invented scenario to play on your emotions and create a sense of urgency. The DBIR Figure 35 shows that Pretexting is now more prevalent than Phishing in Social Engineering incidents. However, when we look at confirmed breaches, Phishing is still on top."
A social attack known as BEC, or business email compromise, can be quite intricate. In this type of attack, the perpetrator uses existing email communications and information to deceive the recipient into carrying out a seemingly ordinary task, like changing a vendor\'s bank account details. But what makes this attack dangerous is that the new bank account provided belongs to the attacker. As a result, any payments the recipient makes to that account will simply disappear.
BEC Attacks Have Nearly Doubled
It can be difficult to spot these attacks as the attackers do a lot of preparation beforehand. They may create a domain doppelganger that looks almost identical to the real one and modify the signature block to show their own number instead of the legitimate vendor.
Attackers can make many subtle changes to trick their targets, especially if they are receiving many similar legitimate requests. This could be one reason why BEC attacks have nearly doubled across the DBIR entire incident dataset, as shown in Figure 36, and now make up over 50% of incidents in this category.
Financially Motivated External Attackers Double Down on Social Engineering
Timely detection and response is crucial when dealing with social engineering attacks, as well as most other attacks. Figure 38 shows a steady increase in the median cost of BECs since 2018, now averaging around $50,000, emphasizing the significance of quick detection.
However, unlike the times we live in, this section isn\'t all doom and |
Spam Malware Vulnerability Threat Patching | Uber APT 37 ChatGPT ChatGPT APT 43 | ★★ |
|
2023-06-08 09:53:00 | Kimsuky cible les groupes de réflexion et les médias avec des attaques d'ingénierie sociale Kimsuky Targets Think Tanks and News Media with Social Engineering Attacks (lien direct) |
L'acteur de menace nord-coréenne de l'État-nation connu sous le nom de Kimsuky a été lié à une campagne d'ingénierie sociale ciblant les experts des affaires nord-coréennes dans le but de voler des informations d'identification Google et de livrer des logiciels malveillants de reconnaissance.
"De plus, l'objectif de Kimsuky \\ s'étend au vol de titres d'abonnement de NK News", a déclaré la société de cybersécurité Sentineone dans un rapport partagé avec le
The North Korean nation-state threat actor known as Kimsuky has been linked to a social engineering campaign targeting experts in North Korean affairs with the goal of stealing Google credentials and delivering reconnaissance malware. "Further, Kimsuky\'s objective extends to the theft of subscription credentials from NK News," cybersecurity firm SentinelOne said in a report shared with The |
Threat | APT 43 | ★★★ |
|
2023-06-07 16:00:00 | Le groupe nord-coréen APT Kimsuky étend les tactiques d'ingénierie sociale North Korean APT Group Kimsuky Expands Social Engineering Tactics (lien direct) |
Sentinélone a déclaré que la campagne cible spécifiquement des experts des affaires nord-coréennes
SentinelOne said the campaign specifically targets experts in North Korean affairs |
APT 43 | ★★★ | |
|
2023-06-06 19:33:00 | Groupe de piratage nord-coréen Kimsuky ciblant les experts régionaux, les médias North Korean hacking group Kimsuky targeting regional experts, news outlets (lien direct) |
Le groupe de piratage soutenu par le gouvernement nord-coréen Kimsuky vise des experts dans les affaires nord-coréennes et les médias dans le cadre d'une campagne pour recueillir des renseignements - même en recourant à voler des informations sur l'abonnement aux médias signalant des actualités sur les affaires du pays.Les résultats, publié mardi par Sentineone, coïncidant avec une alerte de la National Security Agency
The North Korean government-backed hacking group Kimsuky is targeting experts in North Korean affairs and media as part of a campaign to gather intelligence - even resorting to stealing subscription information for news outlets reporting on the country\'s affairs. The findings, published on Tuesday by SentinelOne, coincide with an alert from the National Security Agency |
APT 43 | ★★ | |
 |
2023-06-05 16:17:19 | Kimuky, le code malveillant made un Corée du Nord (lien direct) | Les États-Unis et la Corée du Sud avertissent sur les méthodes d'espionnage du groupe de piratage nord-coréen Kimsuky, alias Thallium. | APT 37 APT 43 | ★★ | |
|
2023-06-02 16:00:00 | Les agences américaines et coréennes émettent un avertissement sur les cyberattaques nord-coréennes US and Korean Agencies Issue Warning on North Korean Cyber-Attacks (lien direct) |
L'avis identifie plusieurs acteurs: Kimsuky, Thallium, APT43, Velvet Chollima et Black Banshee
The advisory identifies several actors: Kimsuky, Thallium, APT43, Velvet Chollima and Black Banshee |
APT 37 APT 43 APT 43 | ★★★ | |
|
2023-06-02 14:42:00 | Les cyber-espaces de Kimsuky de la Corée du Nord gagnent une alerte de Washington, Séoul North Korea\\'s Kimsuky cyber-spies earn an alert from Washington, Seoul (lien direct) |
Les agences de renseignement des États-Unis et de la Corée du Sud ont émis un avertissement qui décrit les méthodes d'espionnage de Kimsuky, un groupe de piratage nord-coréen nord-coréen qui cible les chars, le monde universitaire et les médias.Selon le consultatif publié jeudi, kimsuky piratesUtilisez des tactiques d'identification, se faisant passer pour des sources fiables pour gagner la confiance de
Intelligence agencies from the U.S. and South Korea have issued a warning that describes the spying methods of Kimsuky, a notorious North Korean nation-state hacking group that targets think tanks, academia and news media. According to the advisory published on Thursday, Kimsuky hackers use impersonation tactics, masquerading as reliable sources to gain the trust of |
APT 43 | ★★ | |
|
2023-06-02 11:15:00 | Le groupe Kimsuky de la Corée du Nord imite les chiffres clés des cyberattaques ciblées North Korea\\'s Kimsuky Group Mimics Key Figures in Targeted Cyber Attacks (lien direct) |
Les agences de renseignement américaines et sud-coréennes ont émis un nouvel avertissement d'alerte des cyber-acteurs nord-coréens \\ '' Utilisation de tactiques d'ingénierie sociale pour frapper les groupes de réflexion, les universités et les secteurs des médias.
Les "efforts soutenus de la collecte d'informations" ont été attribués à un cluster parrainé par l'État surnommé Kimsuky, qui est également connu sous les noms apt43, archipel, Black Banshee, Emerald Sheet (
U.S. and South Korean intelligence agencies have issued a new alert warning of North Korean cyber actors\' use of social engineering tactics to strike think tanks, academia, and news media sectors. The "sustained information gathering efforts" have been attributed to a state-sponsored cluster dubbed Kimsuky, which is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet ( |
APT 43 | ★★ | |
 |
2023-05-09 20:02:00 | Anomali Cyber Watch: l'environnement virtuel personnalisé cache Fluorshe Anomali Cyber Watch: Custom Virtual Environment Hides FluHorse, BabyShark Evolved into ReconShark, Fleckpe-Infected Apps Add Expensive Subscriptions (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Defense evasion, Infostealers, North Korea, Spearphishing, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution
(published: May 5, 2023)
McAfee researchers have detected a multi-stage attack that starts with a trojanized wextract.exe, Windows executable used to extract files from a cabinet (CAB) file. It was used to deliver the AgentTesla, Amadey botnet, LockBit ransomware, Redline Stealer, and other malicious binaries. To avoid detection, the attackers use obfuscation and disable Windows Defender through the registry thus stopping users from turning it back on through the Defender settings.
Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioral analysis defenses and social engineering training. Users should report suspicious files with double extensions such as .EXE.MUI. Indicators associated with this campaign are available in the Anomali platform and users are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] T1555 - Credentials From Password Stores | [MITRE ATT&CK] T1486: Data Encrypted for Impact | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information
Tags: malware:Amadey, malware-type:Botnet, malware:RedLine, malware:AgentTesla, malware-type:Infostealer, malware:LockBit, malware-type:Ransomware, abused:Wextract.exe, file-type:CAB, file-type:EXE, file-type:MUI, target-program:Windows Defender, target-system:Windows
Eastern Asian Android Assault – FluHorse
(published: May 4, 2023)
Active since May 2022, a newly-detected Android stealer dubbed FluHorse spreads mimicking popular apps or as a fake dating application. According to Check Point researchers, FluHorse was targeting East Asia (Taiwan and Vietnam) while remaining undetected for months. This stealthiness is achieved by sticking to minimal functions while also relying on a custom virtual machine that comes with the Flutter user interface software development kit. FluHorse is being distributed via emails that prompt the recipient to install the app and once installed, it asks for the user’s credit card or banking data. If a second factor authentication is needed to commit banking fraud, FluHorse tells the user to wait for 10-15 minutes while intercepting codes by installing a listener for all incoming SMS messages.
Analyst Comment: FluHorse\'s ability to remain undetected for months makes it a dangerous threat. Users should avoid installing applications following download links received via email or other messaging. Verify the app authenticity on the official com |
Malware Tool Threat | APT 37 APT 43 | ★★★ |
|
2023-05-05 16:00:00 | L'APT nord-coréen Kimsuky lance la campagne mondiale de phisces de lance North Korean APT Kimsuky Launches Global Spear-Phishing Campaign (lien direct) |
Renshark est envoyé par e-mail contenant des liens OneDrive menant à des documents avec des macros malveillants
ReconShark is sent via emails containing OneDrive links leading to documents with malicious macros |
APT 43 | ★★ | |
|
2023-05-05 15:49:00 | N. Corée des pirates de Kimsuky utilisant un nouvel outil Recon Reonshark dans les dernières cyberattaques N. Korean Kimsuky Hackers Using New Recon Tool ReconShark in Latest Cyberattacks (lien direct) |
L'acteur de menace nord-coréen parrainé par l'État connu sous le nom de Kimsuky a été découvert à l'aide d'un nouvel outil de reconnaissance appelé Reonshark dans le cadre d'une campagne mondiale en cours.
"[Reonshark] est activement livré à des individus spécifiquement ciblés par le biais de courriels de lance-phishing, des liens OneDrive menant à des téléchargements de documents et à l'exécution de macros malveillants", cherche aux chercheurs de Sentinélone Tom Hegel
The North Korean state-sponsored threat actor known as Kimsuky has been discovered using a new reconnaissance tool called ReconShark as part of an ongoing global campaign. "[ReconShark] is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros," SentinelOne researchers Tom Hegel |
Tool Threat | APT 43 | ★★★ |
 |
2023-05-01 11:32:18 | Réaction en chaîne: le lien manquant de Rokrat \\ Chain Reaction: ROKRAT\\'s Missing Link (lien direct) |
> Introduction des principales conclusions des nombreux rapports sur APT37 Au cours des derniers mois, à l'annonce de Mandiant \\ sur & # 160; APT43, beaucoup d'attention est actuellement axée sur les acteurs des menaces nord-coréennes & # 8211;Et pour raison.La Corée du Nord a une longue histoire d'attaque de son voisin du sud, en particulier par la cyber-guerre qui se poursuit aujourd'hui.Dans ce [& # 8230;]
>Key findings Introduction From the many reports on APT37 in recent months, to Mandiant\'s announcement on APT43, a lot of attention is currently focused on North Korean threat actors – and with good reason. North Korea has a long history of attacking its southern neighbor, especially by means of cyber warfare which continues today. In this […] |
Threat | APT 37 APT 43 | ★★ |
|
2023-04-25 18:22:00 | Anomali Cyber Watch: Deux attaques de la chaîne d'approvisionnement enchaînées, leurre de communication DNS furtive de chien, Evilextractor exfiltrates sur le serveur FTP Anomali Cyber Watch: Two Supply-Chain Attacks Chained Together, Decoy Dog Stealthy DNS Communication, EvilExtractor Exfiltrates to FTP Server (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptomining, Infostealers, Malvertising, North Korea, Phishing, Ransomware, and Supply-chain attacks. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters
(published: April 21, 2023)
A new Monero cryptocurrency-mining campaign is the first recorded case of gaining persistence via Kubernetes (K8s) Role-Based Access Control (RBAC), according to Aquasec researchers. The recorded honeypot attack started with exploiting a misconfigured API server. The attackers preceded by gathering information about the cluster, checking if their cluster was already deployed, and deleting some existing deployments. They used RBAC to gain persistence by creating a new ClusterRole and a new ClusterRole binding. The attackers then created a DaemonSet to use a single API request to target all nodes for deployment. The deployed malicious image from the public registry Docker Hub was named to impersonate a legitimate account and a popular legitimate image. It has been pulled 14,399 times and 60 exposed K8s clusters have been found with signs of exploitation by this campaign.
Analyst Comment: Your company should have protocols in place to ensure that all cluster management and cloud storage systems are properly configured and patched. K8s buckets are too often misconfigured and threat actors realize there is potential for malicious activity. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from highly-active threat groups.
MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1496 - Resource Hijacking | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1489 - Service Stop
Tags: Monero, malware-type:Cryptominer, detection:PUA.Linux.XMRMiner, file-type:ELF, abused:Docker Hub, technique:RBAC Buster, technique:Create ClusterRoleBinding, technique:Deploy DaemonSet, target-system:Linux, target:K8s, target:Kubernetes RBAC
3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible
(published: April 20, 2023)
Investigation of the previously-reported 3CX supply chain compromise (March 2023) allowed Mandiant researchers to detect it was a result of prior software supply chain attack using a trojanized installer for X_TRADER, a software package provided by Trading Technologies. The attack involved the publicly-available tool SigFlip decrypting RC4 stream-cipher and starting publicly-available DaveShell shellcode for reflective loading. It led to installation of the custom, modular VeiledSignal backdoor. VeiledSignal additional modules inject the C2 module in a browser process instance, create a Windows named pipe and |
Ransomware Spam Malware Tool Threat Cloud | Uber APT 38 ChatGPT APT 43 | ★★ |
|
2023-04-05 17:49:00 | Google Tag met en garde contre les cyberattaques archipelles liées à la coréenne nord-coréenne Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks (lien direct) |
Un acteur de menace soutenu par le gouvernement nord-coréen a été lié à des attaques ciblant le gouvernement et le personnel militaire, les groupes de réflexion, les décideurs politiques, les universitaires et les chercheurs en Corée du Sud et aux États-Unis.
Le groupe d'analyse des menaces de Google (TAG) suit le cluster sous le nom Archipelago, qui, selon lui, est un sous-ensemble d'un autre groupe de menaces suivi par Mandiant sous le nom d'APT43.
Le géant de la technologie
A North Korean government-backed threat actor has been linked to attacks targeting government and military personnel, think tanks, policy makers, academics, and researchers in South Korea and the U.S. Google\'s Threat Analysis Group (TAG) is tracking the cluster under the name ARCHIPELAGO, which it said is a subset of another threat group tracked by Mandiant under the name APT43. The tech giant |
Threat | APT 43 | ★★ |
|
2023-04-05 12:00:00 | Les pirates se sont présentés comme des journalistes dans des attaques contre des experts en Corée du Nord, dit Google Hackers posed as reporters in attacks on North Korea experts, Google says (lien direct) |
Les pirates soutenus par le gouvernement seraient liés à l'armée nord-coréenne ciblée des personnes ayant une expertise en matière de questions politiques de Corée du Nord en se faisant passer pour des journalistes, selon un nouveau rapport.Des chercheurs du groupe d'analyse des menaces de Google (TAG) ont publié mercredi le rapport comme un suivi de One [publié la semaine dernière] (https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage) par la société de cybersécurité Mandiant - qui appartient à
Government-backed hackers allegedly connected to the North Korean military targeted people with expertise in North Korea policy issues by posing as journalists, according to a new report. Researchers from Google\'s Threat Analysis Group (TAG) released the report Wednesday as a follow-up to one [published last week](https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage) by cybersecurity firm Mandiant - which is owned by |
Threat | APT 43 | ★★★★ |
|
2023-04-04 13:00:00 | CyberheistNews Vol 13 # 14 [Eyes sur le prix] Comment les inconvénients croissants ont tenté un courteur par e-mail de 36 millions de vendeurs CyberheistNews Vol 13 #14 [Eyes on the Prize] How Crafty Cons Attempted a 36 Million Vendor Email Heist (lien direct) |
CyberheistNews Vol 13 #14 | April 4th, 2023
[Eyes on the Prize] How Crafty Cons Attempted a 36 Million Vendor Email Heist
The details in this thwarted VEC attack demonstrate how the use of just a few key details can both establish credibility and indicate the entire thing is a scam.
It\'s not every day you hear about a purely social engineering-based scam taking place that is looking to run away with tens of millions of dollars. But, according to security researchers at Abnormal Security, cybercriminals are becoming brazen and are taking their shots at very large prizes.
This attack begins with a case of VEC – where a domain is impersonated. In the case of this attack, the impersonated vendor\'s domain (which had a .com top level domain) was replaced with a matching .cam domain (.cam domains are supposedly used for photography enthusiasts, but there\'s the now-obvious problem with it looking very much like .com to the cursory glance).
The email attaches a legitimate-looking payoff letter complete with loan details. According to Abnormal Security, nearly every aspect of the request looked legitimate. The telltale signs primarily revolved around the use of the lookalike domain, but there were other grammatical mistakes (that can easily be addressed by using an online grammar service or ChatGPT).
This attack was identified well before it caused any damage, but the social engineering tactics leveraged were nearly enough to make this attack successful. Security solutions will help stop most attacks, but for those that make it past scanners, your users need to play a role in spotting and stopping BEC, VEC and phishing attacks themselves – something taught through security awareness training combined with frequent simulated phishing and other social engineering tests.
Blog post with screenshots and links:https://blog.knowbe4.com/36-mil-vendor-email-compromise-attack
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, April 5, @ 2:00 PM (ET), for a live demo of how KnowBe4 i |
Ransomware Malware Hack Threat | ChatGPT ChatGPT APT 43 | ★★ |
 |
2023-03-30 04:40:47 | Une autre année, un autre gang nord-coréen dépassant les logiciels malveillants et crypto-vole nommé [Another year, another North Korean malware-spreading, crypto-stealing gang named] (lien direct) | mandiant identifie \\ 'modérément sophistiqué \' mais \\ 'prolifique \' apt43 comme la menace mondiale la tenue de sécurité récemment acquise de Google Cloud \\ a nommé un nouveau méchant de NorthCorée: un gang de cybercriminalité, il appelle APT43 et accuse un déchaînement de cinq ans.…
Mandiant identifies \'moderately sophisticated\' but \'prolific\' APT43 as global menace Google Cloud\'s recently acquired security outfit Mandiant has named a new nasty from North Korea: a cyber crime gang it calls APT43 and accuses of a five-year rampage.… |
Studies Prediction | APT 43 | ★★ |
|
2023-03-29 11:02:00 | Le groupe nord-coréen APT43 utilise la cybercriminalité pour financer les opérations d'espionnage [North Korean APT43 Group Uses Cybercrime to Fund Espionage Operations] (lien direct) | Un nouveau cyber-opérateur nord-coréen national a été attribué à une série de campagnes orchestrées pour rassembler des renseignements stratégiques qui s'alignent sur les intérêts géopolitiques de Pyongyang \\ depuis 2018.
Mandiant appartenant à Google, qui suit le cluster d'activités sous le surnom APT43, a déclaré que les motifs du groupe sont à la fois des techniques d'espionnage et financièrement motivées comme des informations d'identification
A new North Korean nation-state cyber operator has been attributed to a series of campaigns orchestrated to gather strategic intelligence that aligns with Pyongyang\'s geopolitical interests since 2018. Google-owned Mandiant, which is tracking the activity cluster under the moniker APT43, said the group\'s motives are both espionage- and financially-motivated, leveraging techniques like credential |
APT 43 | ★★ | |
|
2023-03-29 08:30:00 | Les experts mettent en garde contre le groupe nord-coréen auto-financé APT43 [Experts Warn of Self-Funding North Korean Group APT43] (lien direct) | Mandiant dit que l'unité est axée sur l'espionnage et le vol cryptographique
Mandiant says unit is focused on espionage and crypto theft |
APT 43 | ★★ | |
 |
2023-03-28 21:57:06 | Mandiant attrape un autre groupe de pirates gouvernementaux nord-coréens [Mandiant Catches Another North Korean Gov Hacker Group] (lien direct) | > Mandiant Flags APT43 comme un «cyber opérateur modérément sophistiqué qui soutient les intérêts du régime nord-coréen». "
>Mandiant flags APT43 as a “moderately-sophisticated cyber operator that supports the interests of the North Korean regime." |
APT 43 | ★★ | |
|
2023-03-28 21:28:00 | Anomali Cyber Watch: Takeover comptable, APT, Banking Trojans, Chine, Cyberespionage, Inde, Malspam, Corée du Nord, Phishing, Skimmers, Ukraine et Vulnérabilités [Anomali Cyber Watch: Account takeover, APT, Banking trojans, China, Cyberespionage, India, Malspam, North Korea, Phishing, Skimmers, Ukraine, and Vulnerabilities] (lien direct) | Aucun Sélectionné Sauter vers le contenu à l'aide d'Anomali Inc Mail avec les lecteurs d'écran Yury 1 sur 52 ACW CONSEIL POLOZOV ACCORDS MAR 27 MAR, 2023, 10: 11 & # 8239; AM (1 jour) pour moi, marketing, recherche Cher Jarom etMarketing, ACW est prêt https://ui.thereatstream.com/tip/6397663 - Yury Polozov |Analyste de renseignement sur la menace de Sr. |ATR |www.anomali.com Téléphone: + 1-347-276-5554 3 pièces jointes et taureau;Scanné par gmail
& nbsp;
Anomali Cyber Watch: Spies amer sur l'énergie nucléaire chinoise, Kimsuky prend le contrôle de Google pour infecter les appareils Android connectés, les mauvaises cibles magiques occupées des parties de l'Ukraine, et plus encore.
Les diverses histoires de l'intelligence des menaces dans cette itération de l'anomali cyber watch discutent des sujets suivants: Takeover, APT, Banking Trojans, China, Cyberspionage, Inde, Malspam, North Corée, Phishing, Skimmers, Ukraine, et vulnérabilités .Les CIO liés à ces histoires sont attachés à Anomali Cyber Watch et peuvent être utilisés pour vérifier vos journaux pour une activité malveillante potentielle.
Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées.
Cyber News et Intelligence des menaces
campagne de phishingCible l'industrie chinoise de l'énergie nucléaire
(Publié: 24 mars 2023)
Actif Depuis 2013, le groupe amer (T-APT-17) est soupçonné d'être parrainé par le gouvernement indien.Des chercheurs Intezer ont découvert une nouvelle campagne amère ciblant les universitaires, le gouvernement et d'autres organisations de l'industrie de l'énergie nucléaire en Chine.Les techniques sont cohérentes avec les campagnes amères observées précédemment.L'intrusion commence par un e-mail de phishing censé provenir d'un véritable employé de l'ambassade du Kirghizistan.Les pièces jointes malveillantes observées étaient soit des fichiers HTML (CHM) compilés à Microsoft, soit des fichiers Microsoft Excel avec des exploits d'éditeur d'équation.L'objectif des charges utiles est de créer de la persistance via des tâches planifiées et de télécharger d'autres charges utiles de logiciels malveillants (les campagnes amères précédentes ont utilisé le voleur d'identification du navigateur, le voleur de fichiers, le keylogger et les plugins d'outils d'accès à distance).Les attaquants se sont appuyés sur la compression LZX et la concaténation des cordes pour l'évasion de détection.
Commentaire de l'analyste: De nombreuses attaques avancées commencent par des techniques de base telles que des e-mails injustifiés avec une pièce jointe qui oblige l'utilisateur à l'ouvrir.Il est important d'enseigner l'hygiène de base en ligne à vos utilisateurs et la sensibilisation au phishing.Il est sûr de recommander de ne jamais ouvrir de fichiers CHM joints et de garder votre bureau MS Office entièrement mis à jour.Tous les indicateurs connus associés à cette campagne amère sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure.
mitre att & amp; ck: [mitre att & amp; ck] t1589.002 - rassembler l'identité des victimesInformations: Adresses e-mail | [mitre att & amp; ck] t1566.001 -Phishing: attachement de espionnage | [mitre at |
Malware Tool Threat Cloud | APT 37 APT 43 | ★★ |
|
2023-03-28 17:05:00 | Kimsuky de la Corée du Nord évolue en APT à part entière et prolifique [North Korea\\'s Kimsuky Evolves into Full-Fledged, Prolific APT] (lien direct) | Dans les cyberattaques contre les États-Unis, la Corée du Sud et le Japon, le groupe (alias APT43 ou Thallium) utilise des tactiques avancées d'ingénierie sociale et de cryptomiminage qui le distinguent des autres acteurs de la menace.
In cyberattacks against the US, South Korea, and Japan, the group (aka APT43 or Thallium) is using advanced social engineering and cryptomining tactics that set it apart from other threat actors. |
Threat Cloud | APT 37 APT 43 | ★★★★ |
 |
2023-03-28 15:08:13 | Les pirates nord-coréens se tournent vers \\ 'Cloud Mining \\' pour la crypto pour éviter l'examen de l'application des lois [North Korean hackers turn to \\'cloud mining\\' for crypto to avoid law enforcement scrutiny] (lien direct) | Les chercheurs de Mandiant ont identifié un nouveau groupe de piratage connu sous le nom d'APT 43 qui utilise le bitcoin volé pour financer les opérations de cyberespionnage.
Researchers at Mandiant identified a new hacking group knowns as APT 43 that uses stolen bitcoin to fund cyberespionage operations. |
Threat | APT 43 | ★★ |
 |
2023-03-28 15:03:38 | APT43 : Un groupe nord-coréen utilise la cybercriminalité pour financer des opérations d\'espionnage (lien direct) | L'APT43 est un cyber-opérateur très actif qui soutient les intérêts du régime nord-coréen. Le groupe combine des compétences techniques modérément sophistiquées avec des tactiques agressives d'ingénierie sociale, en particulier contre des organisations gouvernementales, des universitaires et des groupes de réflexion basés en Corée du Sud et aux États-Unis qui s'intéressent aux questions géopolitiques de la péninsule coréenne. - Malwares | General Information | APT 43 | ★★★ |
 |
2023-03-28 10:00:00 | APT43: le groupe nord-coréen utilise la cybercriminalité pour financer les opérations d'espionnage APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations (lien direct) |
 Aujourd'hui, nous publions un rapport sur |
Threat | APT 43 APT 43 | ★★★★ |
|
2022-02-15 20:01:00 | Anomali Cyber Watch: Mobile Malware Is On The Rise, APT Groups Are Working Together, Ransomware For The Individual, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Mobile Malware, APTs, Ransomware, Infostealers, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
What’s With The Shared VBA Code Between Transparent Tribe And Other Threat Actors?
(published: February 9, 2022)
A recent discovery has been made that links malicious VBA macro code between multiple groups, namely: Transparent Tribe, Donot Team, SideCopy, Operation Hangover, and SideWinder. These groups operate (or operated) out of South Asia and use a variety of techniques with phishing emails and maldocs to target government and military entities within India and Pakistan. The code is similar enough that it suggests cooperation between APT groups, despite having completely different goals/targets.
Analyst Comment: This research shows that APT groups are sharing TTPs to assist each other, regardless of motive or target. Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Phishing - T1566
Tags: Transparent Tribe, Donot, SideWinder, Asia, Military, Government
Fake Windows 11 Upgrade Installers Infect You With RedLine Malware
(published: February 9, 2022)
Due to the recent announcement of Windows 11 upgrade availability, an unknown threat actor has registered a domain to trick users into downloading an installer that contains RedLine malware. The site, "windows-upgraded[.]com", is a direct copy of a legitimate Microsoft upgrade portal. Clicking the 'Upgrade Now' button downloads a 734MB ZIP file which contains an excess of dead code; more than likely this is to increase the filesize for bypassing any antivirus scan. RedLine is a well-known infostealer, capable of taking screenshots, using C2 communications, keylogging and more.
Analyst Comment: Any official Windows update or installation files will be downloaded through the operating system directly. If offline updates are necessary, only go through Microsoft sites and subdomains. Never update Windows from a third-party site due to this type of attack.
MITRE ATT&CK: [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: RedLine, Windows 11, Infostealer
|
Ransomware Malware Tool Vulnerability Threat Guideline | Uber APT 43 APT 36 APT-C-17 | |
|
2022-02-15 14:24:51 | CyberheistNews Vol 12 #07 [Heads Up] FBI Warns Against New Criminal QR Code Scams (lien direct) |
[Heads Up] FBI Warns Against New Criminal QR Code Scams
Email not displaying? |
CyberheistNews Vol 12 #07 | Feb. 15th., 2022
[Heads Up] FBI Warns Against New Criminal QR Code Scams
QR codes have been around for many years. While they were adopted for certain niche uses, they never did quite reach their full potential. They are a bit like Rick Astley in that regard, really popular for one song, but well after the boat had sailed. Do not get me wrong, Rick Astley achieved a lot. In recent years, he has become immortalized as a meme and Rick roller, but he could have been so much more.
However, in recent years, with lockdown and the drive to keep things at arms length, QR codes have become an efficient way to facilitate contactless communications, or the transfer of offers without physically handing over a coupon. As this has grown in popularity, more people have become familiar with how to generate their own QR codes and how to use them as virtual business cards, discount codes, links to videos and all sorts of other things.
QRime Codes
As with most things, once they begin to gain a bit of popularity, criminals move in to see how they can manipulate the situation to their advantage. Recently, we have seen fake QR codes stuck to parking meters enticing unwitting drivers to scan the code, and hand over their payment details believing they were paying for parking, whereas they were actually handing over their payment information to criminals.
The rise in QR code fraud resulted in the FBI releasing an advisory warning against fake QR codes that are being used to scam users. In many cases, a fake QR code will lead people to a website that looks like the intended legitimate site. So, the usual verification process of checking the URL and any other red flags apply.
CONTINUED with links and 4 example malicious QR codes on the KnowBe4 blog:
https://blog.knowbe4.com/qr-codes-in-the-time-of-cybercrime
|
Ransomware Data Breach Spam Malware Threat Guideline | APT 15 APT 43 | |
 |
2022-02-08 15:35:47 | Kimsuki hackers use commodity RATs with custom Gold Dragon malware (lien direct) | South Korean researchers have spotted a new wave of activity from the Kimsuky hacking group, involving commodity open-source remote access tools dropped with their custom backdoor, Gold Dragon. [...] | Malware | APT 43 | |
 |
2020-11-17 11:19:05 | COVID-19 vaccine research firms targeted by Russian and North Korean hackers (lien direct) | Microsoft has recently alerted governments across the globe that the North Korean hacker groups Cerium and Zinc, as well as the Russian hacker group Strontium, have been targeting organisations involved in COVID-19 vaccine research using brute-force, credential stuffing and spear-phishing attacks. Tom Burt, Microsoft’s Corporate Vice President for Customer Security & Trust, said in a […] | Medical | APT 38 APT 28 APT 43 | |
 |
2020-11-13 17:18:12 | Three APT groups have targeted at least seven COVID-19 vaccine makers (lien direct) | At least the three nation-state actors have targeted seven COVID-19 vaccine makers, they are Strontium, Lazarus Group, and Cerium, Microsoft warns. Microsoft revealed that at least three APT groups have targeted seven companies involved in COVID-19 vaccines research and treatments. “In recent months, we've detected cyberattacks from three nation-state actors targeting seven prominent companies directly […] | Medical | APT 38 APT 28 APT 43 | |
 |
2020-11-13 14:00:00 | Microsoft says three APTs have targeted seven COVID-19 vaccine makers (lien direct) | The three state-sponsored hacker groups (APTs) are Russia's Strontium (Fancy Bear) and North Korea's Zinc (Lazarus Group) and Cerium. | Medical | APT 38 APT 28 APT 43 |
1
We have: 43 articles.
We have: 43 articles.
To see everything:
Our RSS (filtrered)
