What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-11-25 12:11:18 | Weekly OSINT Highlights, 25 November 2024 (lien direct) | ## Snapshot Last week\'s OSINT reporting reveals a persistent focus on sophisticated attacks targeting diverse sectors, from critical infrastructure to financial services and national defense. Attack types ranged from ransomware and phishing to cyberespionage and supply chain attacks, often leveraging advanced malware like LODEINFO, Asyncshell, and DEEPDATA. Threat vectors predominantly exploit unpatched vulnerabilities, malvertising, supply chain attacks, and credential harvesting, with phishing and social engineering remaining prominent tactics. Notable actors include APT groups such as Gelsemium and BrazenBamboo, alongside cybercriminal collectives like Ignoble Scorpius and Water Barghest, targeting organizations across the US, Europe, and Asia. The findings underscore the growing complexity of cyber threats, emphasizing the need for proactive threat intelligence and robust cybersecurity defenses. ## Description 1. [Helldown Ransomware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/2af97093): Sekoia researchers detailed the Helldown ransomware exploiting a Zyxel firewall vulnerability (CVE-2024-42057) to infiltrate corporate networks. Primarily targeting SMBs in the US and Europe, the attackers deploy Linux and Windows ransomware variants for data extortion and VM encryption. 1. [APT-K-47 Asyncshell Malware](https://sip.security.microsoft.com/intel-explorer/articles/aac966a9): Knownsec reported APT-K-47\'s use of Hajj-themed lures and malicious CHM files to distribute Asyncshell malware. The campaign, targeting South Asian countries, utilizes upgraded stealth tactics and evolving C2 infrastructure for long-term espionage. 1. [Linux Backdoors by Gelsemium](https://sip.security.microsoft.com/intel-explorer/articles/fc22b3bb): ESET researchers identified WolfsBane and FireWood backdoors used by the China-linked APT group Gelsemium for cyberespionage. These tools enable stealthy, persistent access to Linux systems, targeting sensitive data and emphasizing APT trends toward exploiting Linux environments. 1. [Lottie-Player Supply Chain Attack](https://sip.security.microsoft.com/intel-explorer/articles/86e2a9b6): ReversingLabs discovered a supply chain attack on the npm package @lottiefiles/lottie-player, compromising web3 wallets through malicious code. This incident highlights vulnerabilities in open-source ecosystems and the risk of compromised developer credentials. 1. [VMware Vulnerabilities Exploited](https://sip.security.microsoft.com/intel-explorer/articles/2eda898d): CISA added two VMware vulnerabilities, CVE-2024-38812 and CVE-2024-38813, to the Known Exploited Vulnerabilities Catalog. These flaws, involving heap overflow and privilege escalation, threaten vCenter Server and Cloud Foundation environments, emphasizing the need for immediate patching. 1. [Phishing Campaign Targeting Telecom and Financial Sectors](https://sip.security.microsoft.com/intel-explorer/articles/29972b65): EclecticIQ reported a phishing campaign using Google Docs and Weebly to bypass detection, targeting telecom and financial sectors. Threat actors employed tailored lures, fake MFA prompts, and SIM-swapping tactics to steal sensitive data. 1. [Lumma Stealer Distributed via Telegram](https://sip.security.microsoft.com/intel-explorer/articles/f250caee): McAfee researchers observed Lumma Stealer disguised as cracked software and distributed through Telegram channels. The malware targets users in India, the US, and Europe, stealing cryptocurrency and personal data via sophisticated injection techniques. 1. [Rise of ClickFix Social Engineering](https://sip.security.microsoft.com/intel-explorer/articles/67d03ba9): Proofpoint researchers identified ClickFix, a social engineering tactic that tricks users into executing malicious PowerShell commands, leading to malware infections such as AsyncRAT and DarkGate. Used by groups like TA571 and ClearFake, the method targets Ukrainian entities and employs malvertising, GitHub notifications, and CAPTCHA phishing lures. | Ransomware Malware Tool Vulnerability Threat Patching Industrial Prediction Cloud | APT 10 | ★★ |
|
2024-11-19 21:54:53 | Spot the Difference: Earth Kasha\'s New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella (lien direct) | #### Targeted Geolocations - Japan - India - Taiwan #### Targeted Industries - Government Agencies & Services - Information Technology - Transportation Systems - Aviation - Education ## Snapshot Trend Micro has released a report detailing the activities of Earth Kasha, a cyberespionage group known for leveraging the LODEINFO malware, primarily targeting entities in Japan. While some researchers suggest a connection to APT10, Trend Micro considers Earth Kasha a distinct entity within the "APT10 Umbrella," a term denoting groups linked to APT10\'s operational methods. This distinction arises from shared tactics and malware but insufficient direct evidence to conflate the two groups entirely. APT10 is tracked by Microsoft as [Purple Typhoon](https://security.microsoft.com/intel-profiles/e2ce50467bf60953a8838cf5d054caf7f89a0a7611f65e89a67e0142211a1745?tab=description&). ## Description Since early 2023, Earth Kasha has expanded its operations beyond Japan to include high-profile targets in Taiwan and India, focusing on government agencies and advanced technology industries. Their recent campaigns exhibit a strategic evolution, using vulnerabilities in public-facing enterprise applications, such as FortiOS/FortiProxy and Array AG, to gain initial access. Post-exploitation activities emphasize persistence, lateral movement, and credential theft, deploying backdoors like LODEINFO, NOOPDOOR, and the Cobalt Strike framework. The LODEINFO malware, central to Earth Kasha\'s campaigns, has undergone continuous development, with new versions observed in recent attacks. This malware is used alongside tools like MirrorStealer, which extracts credentials from browsers and email clients, and NOOPDOOR, a sophisticated backdoor with advanced evasion techniques. These tools enable extensive data theft and infiltration of victim networks. Comparative analysis highlights overlaps between Earth Kasha and other APT10-associated campaigns, particularly in tactics like exploiting SSL-VPN vulnerabilities and abusing legitimate tools for credential harvesting. However, toolsets differ, suggesting operational independence while potentially sharing resources or operators.Trend Micro\'s medium-confidence attribution of Earth Kasha underscores its ties to the broader APT10 network but stops short of confirming direct control. The group\'s distinct operational focus and adaptive methods indicate a specialized role within this cyber threat ecosystem. These findings highlight the complexity of attribution in modern cyber warfare and the evolving capabilities of threat actors like Earth Kasha. ## Microsoft Analysis and Additional OSINT Context The threat actor Microsoft tracks as [Purple Typhoon](https://security.microsoft.com/intel-profiles/e2ce50467bf60953a8838cf5d054caf7f89a0a7611f65e89a67e0142211a1745?tab=description&) is a long-running, targeted activity group which has had success in compromising targets from as early as 2009. This activity group has targeted various government entities and industry sectors such as engineering, critical manufacturing, communications infrastructure, and defense. Most of its activity has been spread across a wide geographic area; however, localized targeting using specific malware families has been observed, which suggests possible subgroups are contained within the wider Purple Typhoon group. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. - Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. - Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so tha | Malware Tool Vulnerability Threat Prediction | APT 10 | ★★ |
 |
2024-11-19 00:00:00 | Spot the Difference: Earth Kasha\\'s New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella (lien direct) | LODEINFO is a malware used in attacks targeting mainly Japan since 2019. Trend Micro has been tracking the group as Earth Kasha. We have identified a new campaign connected to this group with significant updates to their strategy, tactics, and arsenals.
LODEINFO is a malware used in attacks targeting mainly Japan since 2019. Trend Micro has been tracking the group as Earth Kasha. We have identified a new campaign connected to this group with significant updates to their strategy, tactics, and arsenals. |
Malware Prediction | APT 10 | ★★ |
|
2024-09-23 16:05:03 | Faits saillants hebdomadaires OSINT, 23 septembre 2024 Weekly OSINT Highlights, 23 September 2024 (lien direct) |
## Snapshot Last week\'s OSINT reporting reveals a landscape dominated by complex, multi-layered attacks targeting critical infrastructure, financial sectors, and cloud environments. Nation-state actors, like China\'s Flax Typhoon and Iran\'s UNC1860, leverage botnets, IoT exploits, and sophisticated backdoors to infiltrate government, military, and industrial targets. The emergence of groups such as Earth Baxia highlights the continued exploitation of vulnerabilities like CVE-2024-36401 and spear-phishing tactics in the Asia-Pacific region. Meanwhile, cybercriminals, including SCATTERED SPIDER (Octo Tempest) and those behind the Lumma Stealer campaigns, utilize social engineering, fake CAPTCHA pages, and WebDAV for malware distribution to evade detection and deploy ransomware and infostealers. Exploits underscore the increasing use of open-source vulnerabilities, with attackers targeting a diverse range of industries, including IT, telecommunications, and finance. These attacks highlight evolving tactics, advanced persistence mechanisms, and stealthy malware being used to target sensitive data globally. ## Description 1. [Raptor Train Botnet Operated by Flax Typhoon](https://sip.security.microsoft.com/intel-explorer/articles/9118dcb6): Black Lotus Labs uncovered the massive Raptor Train botnet, operated by Chinese nation-state group Flax Typhoon. This IoT botnet, consisting of compromised routers, cameras, and other devices, has targeted U.S. and Taiwanese entities across sectors like military and government, making it one of the largest Chinese state-sponsored botnets to date. 2. [Exploitation of GeoServer Vulnerability (CVE-2024-36401)](https://sip.security.microsoft.com/intel-explorer/articles/e7a82171): Threat actors are exploiting a remote code execution (RCE) vulnerability in GeoServer to deliver malware such as GOREVERSE, SideWalk, and CoinMiner. Campaigns have targeted IT, telecom, and government sectors across multiple countries, using sophisticated backdoors and botnets to compromise systems. 3. [WebDAV Used to Distribute Emmenthal Loader](https://sip.security.microsoft.com/intel-explorer/articles/6dec4139): Cybercriminals are using WebDAV servers to distribute the Emmenthal loader (aka PeakLight), which delivers infostealers via malicious .lnk files. This infrastructure is likely part of a larger cybercrime operation offering infrastructure as a service (IaaS), and its stealthy, memory-only execution technique poses a significant threat to global cybersecurity. 4. [Iran\'s UNC1860 Targets Middle Eastern Networks](https://sip.security.microsoft.com/intel-explorer/articles/e882507d): Mandiant assesses UNC1860 is likely linked to Iran\'s Ministry of Intelligence and Security (MOIS) and focuses on persistent access to government and telecom organizations in the Middle East. The group leverages sophisticated tools, such as TEMPLEPLAY and VIROGREEN, and exploits internet-facing servers to evade detection. 5. [Cuckoo Spear Campaign Tied to APT10](https://sip.security.microsoft.com/intel-explorer/articles/8f34c36c): Cybereason discovered the "Cuckoo Spear" campaign, attributed to APT10, targeting Japanese manufacturing and political sectors. The attackers used advanced tools like LODEINFO and NOOPLDR to maintain long-term espionage operations, employing tactics like DLL side-loading and phishing. 6. [PondRAT Campaign Linked to North Korean Group](https://sip.security.microsoft.com/intel-explorer/articles/906408c8): Unit 42 identified the PondRAT campaign, attributed to Gleaming Pisces (Citrine Sleet), which targets Linux and macOS systems through infected PyPI packages. The goal is to compromise the supply chain, particularly in the cryptocurrency sector, by delivering backdoor malware to developers\' machines. 7. [Phishing Campaign Distributes Lumma Stealer](https://sip.security.microsoft.com/intel-explorer/articles/3cb5d189): A phishing campaign abuses GitHub repositories by filing false security vulnerability reports to lure users into downloading the Lumma Stealer malware. The | Ransomware Malware Tool Vulnerability Threat Mobile Industrial Prediction Cloud Conference | APT 10 | ★★ |
 |
2024-06-26 00:00:00 | Attaquants dans le profil: Menupass et Alphv / Blackcat Attackers in Profile: menuPass and ALPHV/BlackCat (lien direct) |
Pour tester l'efficacité des services gérés comme notre offre de détection et de réponse à la micro-géré, Mitre Encenuity ™ a combiné les outils, les techniques et les pratiques de deux méchants acteurs mondiaux: Menupass et alphv / blackcat.Ce blog raconte pourquoi ils ont été choisis et ce qui en fait des menaces à compter.
To test the effectiveness of managed services like our Trend Micro managed detection and response offering, MITRE Engenuity™ combined the tools, techniques, and practices of two globally notorious bad actors: menuPass and ALPHV/BlackCat. This blog tells the story of why they were chosen and what makes them threats to be reckoned with. |
Tool Prediction | APT 10 | ★★★ |
|
2024-06-18 00:00:00 | Pas juste un autre score de 100%: Mitre Engeniuty ATT & CK Not Just Another 100% Score: MITRE ENGENIUTY ATT&CK (lien direct) |
Les dernières évaluations d'atténuité à mitres ATT & AMP; CK ont opposé les services de détection et de réponse gérés (MDR) de premier plan aux menaces modélisées sur les groupes adversaires MenuPass et BlackCat / AlphV.Trend Micro a atteint une détection de 100% entre les 15 étapes d'attaque majeures avec un taux de 86% exploitable pour ces étapes - équilibrant les détections et priorités commerciales, y compris la continuité opérationnelle et les perturbations minimisées.
The latest MITRE Engenuity ATT&CK Evaluations pitted leading managed detection and response (MDR) services against threats modeled on the menuPass and BlackCat/AlphV adversary groups. Trend Micro achieved 100% detection across all 15 major attack steps with an 86% actionable rate for those steps- balancing detections and business priorities including operational continuity and minimized disruption. |
Prediction | APT 10 | ★★ |
 |
2024-05-22 14:00:00 | Extinction de l'IOC?Les acteurs de cyber-espionnage de Chine-Nexus utilisent des réseaux orbes pour augmenter les coûts des défenseurs IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders (lien direct) |
Written by: Michael Raggi
Mandiant Intelligence is tracking a growing trend among China-nexus cyber espionage operations where advanced persistent threat (APT) actors utilize proxy networks known as “ORB networks” (operational relay box networks) to gain an advantage when conducting espionage operations. ORB networks are akin to botnets and are made up of virtual private servers (VPS), as well as compromised Internet of Things (IoT) devices, smart devices, and routers that are often end of life or unsupported by their manufacturers. Building networks of compromised devices allows ORB network administrators to easily grow the size of their ORB network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations. By using these mesh networks to conduct espionage operations, actors can disguise external traffic between command and control (C2) infrastructure and victim environments including vulnerable edge devices that are being exploited via zero-day vulnerabilities. These networks often use both rented VPS nodes in combination with malware designed to target routers so they can grow the number of devices capable of relaying traffic within compromised networks. Mandiant assesses with moderate confidence that this is an effort to raise the cost of defending an enterprise\'s network and shift the advantage toward espionage operators by evading detection and complicating attribution. Mandiant believes that if network defenders can shift the current enterprise defense paradigm away from treating adversary infrastructure like indicators of compromise (IOCs) and instead toward tracking ORB networks like evolving entities akin to APT groups, enterprises can contend with the rising challenge of ORB networks in the threat landscape. IOC Extinction and the Rise of ORB Networks The cybersecurity industry has reported on the APT practice of ORB network usage in the past as well as on the functional implementation of these networks. Less discussed are the implications of broad ORB network usage by a multitude of China-nexus espionage actors, which has become more common over recent years. The following are three key points and paradigm shifting implications about ORB networks that require enterprise network defenders to adapt the way they think about China-nexus espionage actors: ORB networks undermine the idea of “Actor-Controlled Infrastructure”: ORB networks are infrastructure networks administered by independent entities, contractors, or administrators within the People\'s Republic of China (PRC). They are not controlled by a single APT actor. ORB networks create a network interface, administer a network of compromised nodes, and contract access to those networks to multiple APT actors that will use the ORB networks to carry out their own distinct espionage and reconnaissance. These networks are not controlled by APT actors using them, but rather are temporarily used by these APT actors often to deploy custom tooling more conventionally attributable to known China-nexus adversaries. ORB network infrastructure has a short lifesp |
Malware Tool Vulnerability Threat Prediction Cloud Commercial | APT 15 APT 5 APT 31 | ★★★ |
 |
2023-11-28 00:00:00 | Enquêter sur le risque de références compromises et d'actifs exposés à Internet explorez le rapport révélant les industries et les tailles d'entreprise avec les taux les plus élevés d'identification compromises et d'actifs exposés à Internet.En savoir plus Investigating the Risk of Compromised Credentials and Internet-Exposed Assets Explore the report revealing industries and company sizes with the highest rates of compromised credentials and internet-exposed assets. Read More (lien direct) |
IntroductionIn this report, Kovrr collected and analyzed data to better understand one of the most common initial access vectors (1) - the use of compromised credentials (Valid Accounts - T1078) (2) to access internet-exposed assets (External Remote Services - T113) (3). The toxic combination of these two initial access vectors can allow malicious actors to gain a foothold in company networks before moving on to the next stage of their attack, which can be data theft, ransomware, denial of service, or any other action. There are numerous examples of breaches perpetrated by many attack groups that have occurred using this combination, for example, breaches by Lapsus (4) and APT39 (5), among others. âThis report seeks to demonstrate which industries and company sizes have the highest percentage of compromised credentials and number of internet-exposed assets and face a higher risk of having their networks breached by the toxic combination of the initial access vectors mentioned above.âIt should be noted that having an asset exposed to the internet does not inherently pose a risk or indicate that a company has poor security. In our highly digitized world, companies are required to expose services to the internet so their services can be accessed by customers, vendors, and remote employees. These services include VPN servers, SaaS applications developed by the company, databases, and shared storage units. However, there are some common cases when having an asset exposed to the internet can be extremely risky, for example:âWhen a company unintentionally exposes an asset due to misconfiguration.When a malicious third party obtains compromised credentials of a legitimate third party and accesses an exposed asset.  âTo limit unnecessary internet exposure, companies should employ the following possible mitigations:âUse Multi-Factor Authentication (MFA) for any services or assets that require a connection so that compromised credentials on their own will not be enough to breach an exposed asset.Limit access to the asset to only specific accounts, domains, and/or IP ranges.Segment the internal company network and isolate critical areas so that even if a network is breached through access to an external asset, attackers will not be able to use that access to reach wider or more sensitive areas of the company network. âSummaryâThe following are the main findings from the collected data:âThe Services industry is by far the most exposed to attackers. Companies from that industry have the highest percentage of compromised credentials (74%). However, they have a relatively low amount of internet-exposed assets per company (34%). However, given that an average cyber loss in this industry has been shown to be about $45M, this is highly concerning (6). The Services industry (SIC Division I) is followed by Division E (Transportation, Communications, Electric, Gas, and Sanitary Services, with an average loss of around $58M), which is followed by Division D (Manufacturing, with an average loss of around $25M). The revenue range for companies with the highest number of compromised credentials is $1M-$10M, followed by $10M-$50M. A similar trend is also observed when evaluating company size by the number of employees. Indeed, companies with fewer employees have a higher share of compromised credentials. On average, the larger the company (both in terms of revenue and number of employees (7)), the greater the number of internet-exposed assets.There is a correlation between the industries and revenue ranges of companies targeted by ransomware and those with the highest share of compromised credentials.   âMethodologyâThe data for this research was collected as follows:âData regarding compromised credentials was first collected from Hudson Rock, a provider of various cybercrime data. Data was collected for the previous six months, beginning March 2023. This data | Ransomware Threat Studies Prediction Cloud | APT 39 APT 39 APT 17 | ★★★ |
 |
2023-08-16 06:46:45 | Rapport de tendance des menaces sur les groupes APT & # 8211;Juin 2023 Threat Trend Report on APT Groups – June 2023 (lien direct) |
Tendances du groupe APT & # 8211;Juin 2023 1) Andariel 2) APT28 3) Cadet Blizzard (Dev-0586) 4) Camaro Dragon 5) Chicheau charmant (Mint Sandstorm) 6) Gamaredon (Shuckworm) 7) Ke3Chang (Apt15, Nickel) 8) Kimsuky 9) Lazarus 10) Eau boueuse 11) Mustang Panda 12) Oceanlotus 13) Patchwork (éléphant blanc) 14) REd Eyes (APT37) 15) Sharp Panda 16) Sidecopy 17) Soldat Stealth ATIP_2023_JUN_THREAT Rapport de tendance sur les groupes APT
APT Group Trends – June 2023 1) Andariel 2) APT28 3) Cadet Blizzard (DEV-0586) 4) Camaro Dragon 5) Charming Kitten (Mint Sandstorm) 6) Gamaredon (Shuckworm) 7) Ke3chang (APT15, Nickel) 8) Kimsuky 9) Lazarus 10) Muddy Water 11) Mustang Panda 12) OceanLotus 13) Patchwork (White Elephant) 14) Red Eyes (APT37) 15) Sharp Panda 16) SideCopy 17) Stealth Soldier ATIP_2023_Jun_Threat Trend Report on APT Groups |
Threat Prediction | APT 38 APT 37 APT 37 APT 35 APT 35 APT 32 APT 32 APT 28 APT 28 APT 15 APT 15 APT 25 | ★★ |
1
We have: 9 articles.
We have: 9 articles.
To see everything:
Our RSS (filtrered)
