Date (GMT) | Title | Description | Tags | Stories | Notes

2025-03-06 23:19:16 |
U.S. Charges 12 Chinese Nationals For State-Backed Hacking (direct link) |
The U.S. Department of Justice (DoJ) on Wednesday charged 12 Chinese nationals with allegedly carrying out wide-ranging cyber-espionage operations on behalf of China's Ministry of Public Security (MPS) and Ministry of State Security (MSS), targeting more than 100 U.S. organizations, including the Department of the Treasury.
The suspects include two MPS officers and eight employees of a People's Republic of China (PRC) company, Axun Information Technology, Ltd. (i-Soon).
The defendants include senior figures such as Wu Haibo (CEO of i-Soon), Chen Cheng (COO of i-Soon), Wang Liyu and Sheng Jing (MPS officers), as well as prominent APT27 hackers Yin Kecheng (aka "YKC") and Zhou Shuai (aka "Coldface").
According to the DoJ, these threat actors conducted cyber intrusions at the direction of the Chinese government and, at times, on their own initiative.
Their operations involved stealing sensitive data, targeting critics and dissidents of the Chinese Communist Party (CCP), and suppressing free speech worldwide.
"These malicious cyber actors, acting as freelancers or as employees of i-Soon, conducted computer intrusions at the direction of the PRC's MPS and Ministry of State Security (MSS) and on their own initiative. The MPS and MSS paid handsomely for stolen data," the DoJ said in a press release on Wednesday.
"Victims include U.S.-based critics and dissidents of the PRC, a large religious organization in the United States, the foreign ministries of multiple governments in Asia, and U.S. federal and state government agencies, including the U.S. Department of the Treasury (Treasury) in late 2024."
China's State-Backed Hacking Network
According to court documents, the MPS and MSS used i-Soon and other private companies as fronts to run large-scale hacking operations to break into systems and steal information.
By employing these hackers-for-hire, the PRC government obscured its direct involvement and allowed the hackers to profit by committing additional computer intrusions around the world.
The indictment alleges that i-Soon, under Wu's direction, generated tens of millions of dollars in revenue as a key player in the PRC's hacker-for-hire ecosystem, hacking email accounts, mobile phones, servers and websites of various organizations from 2016 to 2023.
In other cases, i-Soon allegedly acted independently, selling stolen data to at least 43 different MSS or MPS bureaus in 31 provinces and municipalities in China.
The company allegedly charged the MSS and MPS between approximately $10,000 and $75,000 for each email inbox it successfully exploited.
In a separate indictment, a federal court charged APT27 hackers Yin Kecheng and Zhou Shuai with taking part in sophisticated hacking conspiracies dating back to 2011.
They allegedly breached U.S. companies, municipalities and organizations in for-profit computer intrusion campaigns, maintained persistent access through the PlugX malware, and sold stolen data to customers connected to the PRC government and military.
Rewards and Seizures
As part of the crackdown, the DoJ seized four domains linked to i-Soon and APT27:
Malware, Hack, Threat | APT 27 | ★★

2024-10-28 09:30:55 |
Redline, Meta infostealer malware operations seized by police (direct link) |
The Dutch National Police seized the network infrastructure for the Redline and Meta infostealer malware operations in "Operation Magnus," warning cybercriminals that their data is now in the hands of law enforcement. [...] |
Malware, Legislation | APT 27 | ★★★

2024-09-04 20:38:54 |
(Déjà vu) Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion (direct link) |
#### Targeted Geolocations
- China
## Snapshot
Trend Micro researchers discovered a new multiplatform backdoor named KTLVdoor, written in Go (Golang), that targets both Microsoft Windows and Linux environments.
## Description
The malware, attributed by Trend Micro to the Chinese threat actor Earth Lusca, is heavily obfuscated and runs under the names of legitimate system utilities such as sshd, java and bash to avoid detection. KTLVdoor gives attackers full control of infected systems: running remote commands, manipulating files and performing port scans. Its configuration is protected with custom encryption to complicate analysis, and it uses a unique TLV-like format for its commands and network communications. More than 50 command-and-control (C&C) servers associated with this campaign were hosted by the Chinese company Alibaba. Although Earth Lusca is linked to many of the samples, it is unclear whether the whole infrastructure is exclusive to the group or shared with other Chinese-speaking actors.
The complexity and scale of the attack suggest it may be part of early-stage testing for a broader campaign. So far the only known target is a trading company in China, a pattern similar to other Chinese-speaking groups such as Iron Tiger and Void Arachne, which have previously targeted Chinese entities.
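The masquerading described above (a backdoor running under the name of sshd, java or bash) is easy to hunt for on Linux because the process name is chosen by the process itself while the executable path is resolved by the kernel. The following is an added example for this page, not Trend Micro's tooling or the page's own code; the expected install paths and untrusted directories are assumptions for the example, and the sample process snapshot is constructed.

```python
"""Hunt for processes hiding behind the names of legitimate system utilities.

Added example for this page; not Trend Micro's code. On Linux,
/proc/<pid>/comm (and argv[0]) can be set by the process, but /proc/<pid>/exe
is the kernel's view of the executable, so the two can be cross-checked.
"""
import os
from dataclasses import dataclass

# Assumed legitimate locations for the impersonated names. Entries ending in
# "/" are directory prefixes (e.g. any JVM installed under /usr/lib/jvm/).
EXPECTED_PATHS = {
    "sshd": ("/usr/sbin/sshd",),
    "bash": ("/bin/bash", "/usr/bin/bash"),
    "java": ("/usr/bin/java", "/usr/lib/jvm/"),
}
# Directories from which a system daemon should never be executing (assumption).
UNTRUSTED_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")
DELETED_SUFFIX = " (deleted)"  # what readlink on /proc/<pid>/exe shows after unlink


@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str   # contents of /proc/<pid>/comm
    exe: str    # target of the /proc/<pid>/exe symlink


def path_is_expected(comm: str, exe: str) -> bool:
    """True if exe is one of the legitimate locations recorded for comm."""
    for good in EXPECTED_PATHS.get(comm, ()):
        if good.endswith("/") and exe.startswith(good):
            return True
        if exe == good:
            return True
    return False


def assess(p: Proc) -> list[str]:
    """Return the reasons a process looks like it is masquerading (empty list if none)."""
    findings = []
    exe = p.exe
    if exe.endswith(DELETED_SUFFIX):
        exe = exe[: -len(DELETED_SUFFIX)]
        findings.append("binary unlinked while running")
    if p.comm in EXPECTED_PATHS and not path_is_expected(p.comm, exe):
        findings.append(f"'{p.comm}' running from unexpected path {exe}")
    if exe.startswith(UNTRUSTED_PREFIXES):
        findings.append("executable lives in a world-writable or user directory")
    if p.comm in EXPECTED_PATHS and os.path.basename(exe) != p.comm:
        findings.append(f"exe name '{os.path.basename(exe)}' does not match comm '{p.comm}'")
    return findings


def hunt(procs) -> dict[int, list[str]]:
    """Map pid -> findings for every process that has at least one finding."""
    return {p.pid: f for p in procs if (f := assess(p))}


def collect_live() -> list[Proc]:
    """Build Proc records from a live /proc (Linux only; reading exe needs permission)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:  # kernel threads, exited or unreadable processes
            continue
        procs.append(Proc(int(entry), comm, exe))
    return procs


# Constructed sample snapshot (not real data): three benign processes, two impostors.
SAMPLE_PROCS = [
    Proc(812, "sshd", "/usr/sbin/sshd"),
    Proc(3104, "java", "/usr/lib/jvm/java-17-openjdk/bin/java"),
    Proc(5012, "nginx", "/usr/sbin/nginx"),
    Proc(2291, "sshd", "/tmp/.X11-unix/.s/sshd (deleted)"),
    Proc(4410, "bash", "/home/www/.cache/ktlv"),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_PROCS).items():
        print(pid, "; ".join(reasons))
```

Run it against `collect_live()` instead of `SAMPLE_PROCS` on a host you suspect. An unlinked binary on its own is also what a package upgrade of a long-running daemon looks like, so treat that finding as corroborating rather than conclusive; a daemon named sshd executing from /tmp is the signal worth paging on.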
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport) to defend against common credential theft techniques such as LSASS access.
- [Enable](https://learn.microsoft.com/en-us/def |
Ransomware, Malware, Tool, Threat, Prediction | APT 27 | ★★★

2024-08-14 18:17:06 |
EastWind campaign: new CloudSorcerer attacks on government organizations in Russia (direct link) |
#### Targeted Geolocations
- Russia
#### Targeted Industries
- Government Agencies & Services
- Information Technology
## Snapshot
Researchers at Kaspersky identified a targeted cyberattack campaign, named EastWind, which occurred in late July 2024 and targeted Russian government organizations and IT companies.
## Description
The threat actors utilized phishing emails with malicious shortcut attachments to infect devices, delivering malware that received commands via the Dropbox cloud service. The additional payloads included the VERSION.dll backdoor, GrewApacha RAT used by APT31 (tracked by Microsoft as Violet Typhoon) since 2021, a new version of the CloudSorcerer backdoor, and the PlugY implant, which overlaps with APT27 (tracked by Microsoft as Linen Typhoon) tools.
The attackers gained initial access to organizations through spear phishing, sending malicious emails with attached RAR archives containing decoy documents and malicious files. The campaign demonstrated the evolving tactics and techniques employed by threat actors to infiltrate and compromise targeted organizations, emphasizing the ongoing threat of sophisticated cyberattacks targeting government and IT sectors.
## Additional Analysis
Kaspersky [previously reported](https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/) on the CloudSorcerer backdoor and its use in attacks on government organizations in Russia. Used as a cyberespionage tool, the malware employs public cloud services as its primary command and control (C2) servers. Kaspersky has assessed that CloudSorcerer's activities resemble those of the [CloudWizard APT](https://securelist.com/cloudwizard-apt/109722/). However, notable differences in the malware's code and functionality suggest that CloudSorcerer is likely a new actor.
## Detections/Hunting Queries
### Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
- [Trojan:Win32/Casdet](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Casdet!rfn)
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/938 |
Ransomware, Malware, Tool, Threat, Cloud | APT 27, APT 31 | ★★★

2023-09-28 15:43:00 |
China-Linked Budworm Targeting Middle Eastern Telco and Asian Government Agencies (direct link) |
Government and telecom entities have been subjected to a new wave of attacks by a China-linked threat actor tracked as Budworm using an updated malware toolset.
The intrusions, targeting a Middle Eastern telecommunications organization and an Asian government, took place in August 2023, with the adversary deploying an improved version of its SysUpdate toolkit, the Symantec Threat Hunter Team, |
Malware, Threat | APT 27 | ★★

2023-09-28 09:52:38 |
Budworm hackers target telcos and govt orgs with custom malware (direct link) |
A Chinese cyber-espionage hacking group tracked as Budworm has been observed targeting a telecommunication firm in the Middle East and a government entity in Asia using a new variant of its custom 'SysUpdate' backdoor. [...] |
Malware | APT 27 | ★★

2023-03-02 13:33:00 |
SysUpdate Malware Strikes Again with Linux Version and New Evasion Tactics (direct link) |
The threat actor known as Lucky Mouse has developed a Linux version of a malware toolkit called SysUpdate, expanding on its ability to target devices running the operating system.
The oldest version of the updated artifact dates back to July 2022, with the malware incorporating new features designed to evade security software and resist reverse engineering.
Cybersecurity company Trend Micro said |
Malware, Threat, Prediction | APT 27 | ★★

2023-03-01 13:44:37 |
Iron Tiger hackers create Linux version of their custom malware (direct link) |
The APT27 hacking group, aka "Iron Tiger," has prepared a new Linux version of its SysUpdate custom remote access malware, allowing the Chinese cyberespionage group to target more services used in the enterprise. [...] |
Malware | APT 27 | ★★★

2023-03-01 00:00:00 |
Iron Tiger's SysUpdate Reappears, Adds Linux Targeting (direct link) |
We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems. |
Malware, Threat | APT 27 | ★

2022-10-18 15:00:00 |
Anomali Cyber Watch: Ransom Cartel Uses DPAPI Dumping, Unknown China-Sponsored Group Targeted Telecommunications, Alchimist C2 Framework Targets Multiple Operating Systems, and More (direct link) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, Hacktivism, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Ransom Cartel Ransomware: A Possible Connection With REvil
(published: October 14, 2022)
Palo Alto Networks researchers analyzed Ransom Cartel, a double extortion ransomware-as-a-service group. Ransom Cartel came to existence in mid-December 2021 after the REvil group shut down. The Ransom Cartel group uses the Ransom Cartel ransomware, which shares significant code similarities with REvil, indicating close connections, but lacks REvil obfuscation engine capabilities. Ransom Cartel has almost no obfuscation outside of the configuration: unlike REvil it does not use string encryption and API hashing. Among multiple tools utilized by Ransom Cartel, the DonPAPI credential dumper is unique for this group. It performs Windows Data Protection API (DPAPI) dumping by targeting DPAPI-protected credentials such as credentials saved in web browsers, RDP passwords, and Wi-Fi keys.
Analyst Comment: Network defenders should consider monitoring or blocking high-risk connections such as TOR traffic that is often abused by Ransom Cartel and its affiliates. It is crucial that your company ensure that servers are always running the most current software version. Your company should have policies in place in regards to the proper configurations needed for your servers in order to conduct your business needs safely.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Software Deployment Tools - T1072 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] File and Directory Permissions Modification - T1222 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - |
Ransomware, Malware, Tool, Threat | APT 27 |

2022-09-13 15:00:00 |
Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More (direct link) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Defense evasion, DDoS, Iran, Ransomware, PlugX, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Microsoft Investigates Iranian Attacks Against the Albanian Government
(published: September 8, 2022)
Microsoft researchers discovered that groups working under Iran’s Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow’s anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania.
Analyst Comment: The MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in what it sees as direct and proportional retaliation. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users are advised to block known OilRig network indicators.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070
Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona
BRONZE PRESIDENT Targets Government Officials
(published: September 8, 2022)
Secureworks researchers detected a new campaign by China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters.
Analyst Comment: Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness.
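The two lure constructions described on this page (the EastWind entry above, with RAR archives carrying decoy documents next to malicious shortcut files, and the BRONZE PRESIDENT campaign here, with a payload buried eight folder levels deep under folder names made of special characters) can both be caught by the same attachment triage. The following scanner is an added example for this page, not Kaspersky's, Secureworks' or Anomali's code. Python's standard library cannot open RAR, so the constructed sample archive is a ZIP; the risky-extension list and the depth threshold are assumptions for the example.

```python
"""Triage a mail-attachment archive for deeply nested, hidden or executable members.

Added example for this page; not code from any vendor named on the page.
Flags each file by (1) risky extension, (2) folder nesting depth and
(3) folder names that render as blank or hidden in a file browser.
"""
import io
import os
import zipfile
from dataclasses import dataclass, field

# Types that do not belong inside an "invitation" or "invoice" archive (assumption).
RISKY_EXT = {".lnk", ".exe", ".dll", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1"}
MAX_SANE_DEPTH = 3  # more folder levels than this in an e-mail attachment is unusual (assumption)
# Characters that make a folder name show up as blank in Explorer or Finder.
BLANK_CHARS = " .\t\u00a0\u2000\u2002\u2003\u200b\u3000\ufeff"


@dataclass
class Finding:
    member: str                            # path inside the archive
    reasons: list[str] = field(default_factory=list)


def folder_is_hidden(name: str) -> bool:
    """True for folder names that are dot-prefixed, blank, or contain non-printable characters."""
    return name.startswith(".") or name.strip(BLANK_CHARS) == "" or not name.isprintable()


def scan_archive(data: bytes) -> list[Finding]:
    """Examine every file in a ZIP given as bytes and return members that look like a lure payload."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.split("/")
            folders, fname = parts[:-1], parts[-1]
            reasons = []
            ext = os.path.splitext(fname)[1].lower()   # "Invitation.pdf.lnk" -> ".lnk"
            if ext in RISKY_EXT:
                reasons.append(f"executable/shortcut type {ext}")
            if len(folders) > MAX_SANE_DEPTH:
                reasons.append(f"nested {len(folders)} levels deep")
            hidden = sum(1 for f in folders if folder_is_hidden(f))
            if hidden:
                reasons.append(f"{hidden} hidden/blank folder names in path")
            if reasons:
                findings.append(Finding(info.filename, reasons))
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample (not a real capture): a visible decoy plus a .lnk eight blank folders down."""
    blank_chain = "/".join(["\u3000", ".", " ", "\u200b", ". ", "\u00a0", "..", "\u3000\u3000"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invitation.docx", b"PK decoy document bytes")
        zf.writestr("photos/venue.jpg", b"\xff\xd8\xff decoy image bytes")
        zf.writestr(blank_chain + "/Invitation.pdf.lnk", b"L\x00\x00\x00 shortcut bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample_lure()):
        print(repr(f.member), "->", "; ".join(f.reasons))
```

The scanner deliberately looks at the archive's directory rather than extracting anything, so it is safe to run on a quarantined attachment; names containing ".." are only ever compared as strings here. Against a mail gateway the same three signals map onto a RAR listing just as well once a RAR-capable library is substituted.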
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | |
Ransomware, Malware, Tool, Vulnerability, Threat, Guideline | APT 27, APT 34 |

2022-08-23 17:35:00 |
Anomali Cyber Watch: Emissary Panda Adds New Operating Systems to Its Supply-Chain Attacks, Russia-Sponsored Seaborgium Spies on NATO Countries, TA558 Switches from Macros to Container Files, and More (direct link) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, DDoS, Russia, Spearphishing, Supply chain, Taiwan, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Reservations Requested: TA558 Targets Hospitality and Travel
(published: August 18, 2022)
Since 2018, financially-motivated threat group TA558 has targeted hospitality and travel with reservation-themed, business-relevant phishing emails. The group concentrates on targeting Latin America using lures written in Portuguese and Spanish, and sometimes uses English and wider targeting (North America, Western Europe). TA558 was seen leveraging at least 15 different malware payloads, most often AsyncRAT, Loda RAT, Revenge RAT, and Vjw0rm. In 2022, Proofpoint researchers detected that TA558 increased its activity and moved from using malicious macros to URLs and container files (ISO, RAR).
Analyst Comment: Microsoft’s preparations to disable macros by default in Office products caused multiple threat groups including TA558 to adopt new filetypes to deliver payloads. It is crucial for personnel working with invoices and other external attachments to use updated, secured systems and be trained on phishing threats. Anomali Match can be used to quickly search your infrastructure for known TA558 IOCs.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Ingress Tool Transfer - T1105
Tags: TA558, AsyncRAT, Loda, RAT, Vjw0rm, BluStealer, Revenge RAT, XtremeRAT, Hospitality, Travel, Phishing, ISO, RAR, PowerShell, CVE-2017-11882, CVE-2017-8570
Estonia Subjected to 'Extensive' Cyberattacks after Moving Soviet Monuments
(published: August 18, 2022)
On August 17, 2022, Russian hacktivist group KillNet launched distributed denial-of-service (DDoS) attacks targeting Estonia. The Estonian government confirmed receiving the “most extensive” DDoS attacks in 15 years, but stressed that all services are back online after just some minor interruptions. Small and medium-sized DDoS attacks targeted 16 state and private organizations in the country, with seven of them experiencing downtime as a result. Specifically, the Estonian Tax and Customs Board website was unavailable for about 70 minutes.
Analyst Comment: Russian cyber activity follows political tensions, this time coinciding with the removal of a Red Army memorial. Estonia fended off this Russian DDoS attack seemingly with ease, but the country is among the best prepared in cyber defence, and Russia limited its strike to hacktivist groups that give it plausible deniability when a cyberattack on a NATO country is attributed. Organizations that rely on stable work of their I |
Ransomware, Malware, Tool, Threat | APT 27 |

2022-08-15 09:59:25 |
Chinese Cyberspies Use Supply Chain Attack to Deliver Windows, macOS Malware (direct link) |
China-linked cyberespionage group Iron Tiger was observed using the compromised servers of a chat application for the delivery of malware to Windows and macOS systems, Trend Micro reports.
Malware | APT 27 |

2022-08-12 00:00:00 |
Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users (direct link) |
We found APT group Iron Tiger's malware compromising chat application Mimi's servers in a supply chain attack. |
Malware | APT 27 |

2022-02-01 14:37:29 |
CyberheistNews Vol 12 #05 [Heads Up] DHS Sounds Alarm on New Russian Destructive Disk Wiper Attack Potential (direct link) |
Ransomware, Malware, Hack, Tool, Threat, Guideline | NotPetya, Wannacry, APT 27 |

2021-11-16 17:34:00 |
Anomali Cyber Watch: REvil Affiliates Arrested, Electronics Retail Giant Hit By Ransomware, Robinhood Breach, Zero Day In Palo Alto Security Appliance and More (direct link) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer
(published: November 8, 2021)
The US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert about advanced persistent threat (APT) actors exploiting a vulnerability in the self-service password management and single sign-on solution ManageEngine ADSelfService Plus. Palo Alto Networks, Microsoft and Lumen Technologies jointly tracked, analysed and mitigated the threat. The attack deployed a webshell and created a registry key for persistence. The actor leveraged leased infrastructure in the US to scan hundreds of organizations and compromised at least nine organizations worldwide across the technology, defense, healthcare and education industries.
Analyst Comment: This actor used some unusual techniques in these attacks, including a legitimate blockchain-based remote control application and a credential-stealing tool that hooks specific functions in the LSASS process. Make sure your EDR solution supports, and is configured for, detection of such advanced techniques.
MITRE ATT&CK: [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Credentials in Files - T1081 | [MITRE ATT&CK] Brute Force - T1110 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hooking - T1179 | [MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060 | [MITRE ATT&CK] Pass the Hash - T1075
Tags: Threat Group 3390, APT27, TG-3390, Emissary Panda, WildFire, NGLite backdoor, Cobalt Strike, Godzilla, PwDump, beacon, ChinaChopper, CVE-2021-40539, Healthcare, Military, North America, China
REvil Affiliates Arrested; DOJ Seizes $6.1M in Ransom
(published: November 9, 2021)
A 22-year-old Ukrainian national named Yaroslav Vasinskyi has been charged by the U.S. Department of Justice (DOJ) with conducting ransomware attacks. These attacks include t |
Ransomware, Data Breach, Malware, Tool, Vulnerability, Threat, Medical | APT 38, APT 27, APT 1 |

2021-10-05 18:28:00 |
Anomali Cyber Watch: New APT ChamelGang, FoggyWeb, VMWare Vulnerability Exploited and More (direct link) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, FoggyWeb, Google Chrome Bugs, Hydra Malware, NOBELIUM and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Google Just Patched These Two Chrome Zero-day Bugs That Are Under Attack Right Now
(published: October 1, 2021)
Google has warned users of Google Chrome to update to version 94.0.4606.71, due to two new zero-days that are currently being exploited in the wild. This marks the second update in a month due to actively exploited zero-day flaws. The first of these common vulnerabilities and exposures (CVEs), CVE-2021-37975, is a high severity flaw in the V8 JavaScript engine, which has been notoriously difficult to protect and could allow attackers to create malware that is resistant to hardware mitigations.
Analyst Comment: Users and organizations are recommended to regularly check for and apply updates to the software applications they use, especially web browsers that are increasingly used for a variety of tasks. Organizations can leverage the capabilities of Anomali Threatstream to rapidly get information about new CVEs that need to be mitigated through their vulnerability management program.
Tags: CVE-2021-37975, CVE-2021-37976, chrome, zero-day
Hydra Malware Targets Customers of Germany's Second Largest Bank
(published: October 1, 2021)
A new campaign leveraging the Hydra banking trojan has been discovered by researchers. The malicious Android application impersonates the legitimate app of Germany's second-largest bank, Commerzbank. While Hydra has been around for a number of years, this new campaign incorporates many new features, including abuse of Android accessibility features and permissions, which let the application stay running and hidden with essentially full administrator privileges over a victim's phone. It appears to be initially spread via a website that imitates the official Commerzbank website. Once installed, it can spread via bulk SMS messages to a user's contacts.
Analyst Comment: Applications, particularly banking applications, should only be installed from trusted and verified sources and reviewed for suspicious permissions they request. Similarly, emails and websites should be verified before using.
Tags: Banking and Finance, EU, Hydra, trojan
New APT ChamelGang Targets Russian Energy, Aviation Orgs
(published: October 1, 2021)
A new Advanced Persistent Threat (APT) group dubbed “ChamelGang” has been identified targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities such as Microsoft Exchange Server’s ProxyShell and leveraging both new and existing malware to compromise networks. Researchers at Positive Technologies have been tracking the group since March 2017 and have observed that it has attacked targets in 10 countries so far. The group has been able to hi |
Ransomware, Malware, Tool, Vulnerability, Threat, Guideline | SolarWinds, APT 27 | | |
2021-08-17 17:56:00 |
Anomali Cyber Watch: Aggah Using Compromised Websites to Target Businesses Across Asia, eCh0raix Targets Both QNAP and NAS, LockBit 2.0 Targeted Accenture, and More (direct link) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Critical Infrastructure, Data Storage, LockBit, Morse Code, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Colonial Pipeline Reports Data Breach After May Ransomware Attack
(published: August 16, 2021)
Colonial Pipeline, the largest fuel pipeline in the United States, is sending notification letters to 5,810 individuals affected by the data breach resulting from the DarkSide ransomware attack. During the incident, which occurred in May this year, DarkSide also stole roughly 100GB of files in about two hours. Right after the attack, Colonial Pipeline took certain systems offline, temporarily halted all pipeline operations, and paid $4.4 million worth of cryptocurrency for a decryptor, most of it later recovered by the FBI. The DarkSide ransomware gang abruptly shut down their operation due to the increased level of attention from governments, but later resurfaced under the new name BlackMatter. Emsisoft CTO Fabian Wosar confirmed that both BlackMatter's RSA and Salsa20 implementations, including their use of a custom matrix, come from DarkSide.
Analyst Comment: The BlackMatter (ex-DarkSide) group added "Oil and Gas industry (pipelines, oil refineries)" to their non-target list, but ransomware remains a significant threat given its profitability and the growing number of ransomware threat actors with various levels of recklessness. Double-extortion schemes add data exposure to a company's risks. Stopping ransomware affiliates requires defense in depth, including patch management, enhancing your Endpoint Detection and Response (EDR) tools with ThreatStream, the threat intelligence platform (TIP), and utilizing data loss prevention (DLP) systems.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Darkside, BlackMatter, Colonial Pipeline, Oil and Gas, Ransomware, Salsa20, Data Breach, USA
Indra — Hackers Behind Recent Attacks on Iran
(published: August 14, 2021)
Check Point Research discovered that a July 2021 cyber attack against the Iranian railway system was committed by Indra, a non-government group. The attackers had access to the targeted networks for a month and then deployed a previously unseen file wiper called Meteor, effectively disrupting train service throughout the country. Previous versions of the Indra wiper, named Stardust and Comet, were seen in Syria, where Indra had been attacking the oil, airline, and financial sectors since at least 2019.
Analyst Comment: It is concerning that even non-government threat actors can damage critical infrastructure in a large country. As with ransomware protection, organizations should improve their intrusion detection methods and maintain a resilient backup system to withstand wiper attacks.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] File Deletion - T1107 |
Ransomware, Data Breach, Malware, Hack, Tool, Vulnerability, Threat, Guideline | APT 27 | | |
2021-08-10 17:39:00 |
Anomali Cyber Watch: GIGABYTE Hit By RansomEXX Ransomware, Seniors' Data Exposed, FatalRat Analysis, and More (direct link) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Chinese state hackers, Data Leak, Ransomware, RAT, Botnets, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Actively Exploited Bug Bypasses Authentication On Millions Of Routers
(published: August 7, 2021)
Juniper Threat Labs researchers discovered ongoing attacks exploiting the recently disclosed vulnerability CVE-2021-20090. This is a critical path traversal vulnerability in the web interfaces of routers running Arcadyan firmware that could allow unauthenticated remote attackers to bypass authentication. The total number of devices exposed to attacks likely reaches millions of routers. Researchers identified attacks originating from China that deploy a variant of the Mirai botnet on vulnerable routers.
Analyst Comment: Attackers run continuous, automated routines to look for publicly accessible vulnerable routers and exploit them as soon as an exploit is made public. To reduce the attack surface, the routers' management console should only be accessible from specific public IP addresses. Default passwords should also be changed and other security policies hardened.
Tags: CVE-2021-20090, Mirai, China
Computer Hardware Giant GIGABYTE Hit By RansomEXX Ransomware
(published: August 7, 2021)
The attack occurred late Tuesday night into Wednesday and forced the company to shut down its systems in Taiwan. The incident also affected multiple websites of the company, including its support site and portions of the Taiwanese website. Attackers have threatened to publish 112GB of stolen data, which they claim includes documents under NDA (Non-Disclosure Agreement) from companies including Intel, AMD and American Megatrends, unless a ransom is paid.
Analyst Comment: At this point there is no official confirmation from GIGABYTE about the attack, and no clarity yet on the potential vulnerabilities or attack vectors used to carry it out.
Tags: RansomEXX, Defray, Ransomware, Taiwan
Millions of Senior Citizens' Personal Data Exposed By Misconfiguration
(published: August 6, 2021)
Researchers discovered a misconfigured Amazon S3 bucket owned by the Senior Advisor website, which hosts ratings and reviews for senior care services across the US and Canada. The bucket contained more than one million files and 182 GB of data containing names, emails and phone numbers of senior citizens from North America. This exposed data was not encrypted and did not require a password or login credentials to access.
Analyst Comment: Senior citizens are at high risk of online fraud. Leaks of their personal information and context regarding appointments can lead to targeted phishing scams.
Tags: Data Leak, Phishing, North America, AWS
| Malware, Vulnerability, Threat, Guideline | APT 41, APT 30, APT 27, APT 23 | | |
2020-03-25 10:10:49 |
How the Iranian Cyber Security Agency Detects Emissary Panda Malware (direct link) |
Other threat intelligence groups have previously publicised that the Chinese-attributed threat group Emissary Panda (aka APT27, TG-3390, BRONZE UNION, Iron Tiger and LuckyMouse) has been targeting various sectors in the Middle East, including government organisations. On 15 December 2019, Iran’s Minister of Communications and Information Technology, Mohammad Javad Azari-Jahromi, announced that Iranian authorities had detected foreign spying malware on their government servers which they attributed... |
Malware, Threat | APT 27 | | |
2019-02-27 16:45:00 |
Persistent Attackers Rarely Use Bespoke Malware (direct link) |
A study of the Bronze Union group (also known as APT27 or Emissary Panda) underscores how most advanced persistent threat (APT) groups now use administrative tools or slight variants of well-known tools. |
Malware, Threat | APT 27 | | |
2018-07-23 09:08:04 |
CSE Malware ZLab – Chinese APT27's long-term espionage campaign in Syria is still ongoing (direct link) |
Researchers at CSE Cybsec ZLab analyzed malicious code involved in a long-term espionage campaign in Syria attributed to the Chinese APT27 group. A few days ago, the security researcher Lukas Stefanko from ESET discovered an open repository containing some Android applications. The folder was found on a compromised website at the following URL: hxxp://chatsecurelite.uk[.]to […]
| Malware | APT 27 | | |