Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2025-04-17 10:31:17 |
Around the World in 90 Days: State-Sponsored Actors Try ClickFix (direct link) |
Key takeaways
While primarily a technique associated with cybercriminal actors, Proofpoint researchers have discovered state-sponsored actors using the ClickFix social engineering technique for the first time in several campaigns.
In just a three-month period from late 2024 to early 2025, groups from North Korea, Iran and Russia were all seen using the ClickFix technique in their routine activity.
Incorporating ClickFix does not revolutionize the campaigns run by TA427, TA450, UNK_RemoteRogue and TA422; rather, it replaces the installation and execution stages in existing infection chains.
Although currently limited to a few state-sponsored groups, the growing popularity of ClickFix in cybercrime over the past year, and in espionage campaigns over recent months, suggests the technique will likely be tested or adopted further by state-sponsored actors.
Overview
A major trend in the threat landscape is the fluidity of tactics, techniques and procedures (TTPs). Threat actors share, copy, steal, adopt and test TTPs from publicly exposed tradecraft or from interaction with other threat groups. In particular, state-sponsored actors have often leveraged techniques first developed and deployed by cybercriminal actors. Examples include North Korean threat actors copying cybercrime techniques to steal cryptocurrency on behalf of the government, or Chinese groups imitating cybercrime infection chains to deliver malware in espionage operations.
The most recent example of this trend is ClickFix. ClickFix is a social engineering technique that uses dialog boxes with instructions to copy, paste and run malicious commands on the target machine. This creative technique uses not only fake error messages as the problem, but also an authoritative-looking alert and instructions purportedly from the operating system as the solution. Mostly observed in cybercrime activity, the ClickFix technique was first seen in early March 2024, deployed by the initial access broker TA571 and the ClearFake cluster, after which it flooded the threat landscape.
A year later, at least four state-sponsored threat actors have since experimented with variations of this technique as part of their usual espionage campaigns. Over roughly three months from October 2024 to January 2025, threat actors from three distinct countries (North Korea, Iran and Russia) incorporated ClickFix as a stage in their infection chains.
North Korea: TA427
In January and February 2025, Proofpoint first observed TA427 operators targeting individuals in fewer than five organizations in the think tank sector with a new infection chain using the ClickFix technique. TA427 overlaps with activity that third parties call Kimsuky or Emerald Sleet.
TA427 established initial contact with the target through a meeting request from a spoofed sender, delivered to traditional TA427 targets working on North Korean affairs. After a brief conversation to engage the target and build trust, as is often seen in TA427 activity, the attackers directed the target to an attacker-controlled site where they convinced the target to run a PowerShell command. Although one chain failed to retrieve further payloads, another instance of this campaign included a multi-stage chain that ran PowerShell, VBS and batch scripts, ultimately leading to a final payload: QuasarRAT |
Malware
Tool
Vulnerability
Threat
Prediction
Cloud
|
APT 28
|
★★★
|
 |
2024-11-04 12:25:16 |
Weekly OSINT Highlights, 4 November 2024 (direct link) |
## Snapshot
Last week's OSINT reports highlighted state-sponsored and cybercriminal threat activity, with diverse attack vectors and targets across sectors. APT actors in North Korea, China and Russia conducted targeted phishing, network and malware campaigns. North Korean and Russian groups favored credential theft and ransomware tactics targeting sectors from government to the military, while Chinese actors exploited firewall vulnerabilities to gain long-term access in high-stakes sectors. Meanwhile, cybercriminals leveraged social engineering, vishing, and IoT and plugin vulnerabilities to infiltrate cloud environments, IoT devices and Android systems. The focus on exploiting vulnerabilities in popular software and web platforms underscores the adaptability of these threat actors as they extend their attack reach, particularly in their use of cloud, virtualization and cryptomining strategies across a range of industries.
## Description
1. [Jumpy Pisces Ransomware Collaboration](https://sip.security.microsoft.com/intel-explorer/articles/393b61a9): Unit 42 reported North Korea's Jumpy Pisces (Onyx Sleet) partnering with Play ransomware in a financially motivated attack targeting unspecified organizations. The threat actor used tools such as Sliver, DTrack and PsExec to gain persistence and escalate privileges, ending with the deployment of Play ransomware.
2. [Chinese Threats Targeting Firewalls](https://sip.security.microsoft.com/intel-explorer/articles/798C0FDB): Sophos X-Ops identified China-based groups such as Volt Typhoon, APT31 and APT41 exploiting firewalls to gain access [...] Pacific. These groups use sophisticated techniques such as living off the land and cross-platform rootkits.
3. [Phishing Campaign on the Naver Platform](https://sip.security.microsoft.com/intel-explorer/articles/dfee0ab5): North Korea-linked actors launched a phishing campaign targeting South Korea's Naver, attempting to steal login credentials through several phishing domains. The infrastructure, with its SSL certificate changes and tracking capabilities, aligns with Kimsuky (Emerald Sleet), known for its credential theft tactics.
4. [FakeCall Vishing Malware on Android](https://sip.security.microsoft.com/intel-explorer/articles/d94c18b0): Zimperium researchers identified vishing techniques used by the FakeCall malware to steal from Android users. The malware intercepts calls and mimics Android's dialer, allowing attackers to trick users into disclosing sensitive information.
5. [Facebook Business Phishing Campaign](https://sip.security.microsoft.com/intel-explorer/articles/82b49ffd): Cisco Talos detected a phishing attack targeting Facebook business accounts in Taiwan, using legal notices as a lure. LummaC2 and Rhadamanthys information-stealing malware were embedded in RAR files, collecting system credentials and evading detection through obfuscation and process injection.
6. [LiteSpeed Cache Vulnerability](https://sip.security.microsoft.com/intel-explorer/articles/a85b69db): a flaw in the LiteSpeed Cache plugin (CVE-2024-50550) could allow privilege escalation on more than six million sites. The exploited vulnerabilities allowed attackers to upload plugins ma |
Ransomware
Malware
Tool
Vulnerability
Threat
Mobile
Prediction
Medical
Cloud
Technical
|
APT 41
APT 28
APT 31
Guam
|
★★★
|
 |
2024-09-10 14:00:00 |
Insights on Cyber Threats Targeting Users and Enterprises in Mexico (direct link) |
Written by: Aurora Blum, Kelli Vanderlee
Like many countries across the globe, Mexico faces a cyber threat landscape made up of a complex interplay of global and local threats, with threat actors carrying out attempted intrusions into critical sectors of Mexican society. Mexico also faces threats posed by the worldwide increase in multifaceted extortion, as ransomware and data theft continue to rise.
Threat actors with an array of motivations continue to seek opportunities to exploit the digital infrastructure that Mexicans rely on across all aspects of society. This joint blog brings together our collective understanding of the cyber threat landscape impacting Mexico, combining insights from Google's Threat Analysis Group (TAG) and Mandiant's frontline intelligence. By sharing our global perspective, especially during today's Google for Mexico event, we hope to enable greater resiliency in mitigating these threats.
Cyber Espionage Operations Targeting Mexico
As the 12th largest economy in the world, Mexico draws attention from cyber espionage actors from multiple nations, with targeting patterns mirroring broader priorities and focus areas that we see elsewhere. Since 2020, cyber espionage groups from more than 10 countries have targeted users in Mexico; however, more than 77% of government-backed phishing activity is concentrated among groups from the People's Republic of China (PRC), North Korea, and Russia.
Figure 1: Government-backed phishing activity targeting Mexico, January 2020 – August 2024
The examples here highlight recent and historical examples where cyber espionage actors have targeted users and organizations in Mexico. It should be noted that these campaigns describe targeting and do not indicate successful compromise or exploitation.
PRC Cyber Espionage Activity Targeting Mexico
Since 2020, we have observed activity from seven cyber espionage groups with links to the PRC targeting users in Mexico, accounting for a third of government-backed phishing activity in the country.
This volume of PRC cyber espionage is similar to activity in other regions where Chinese government investment has been focused, such as countries within China's Belt and Road Initiative. In addition to activity targeting Gmail users, PRC-backed groups have targeted Mexican government agencies, higher |
Ransomware
Malware
Tool
Vulnerability
Threat
Mobile
Cloud
Commercial
|
APT 28
|
★★
|
 |
2024-08-12 10:35:06 |
Weekly OSINT Highlights, 12 August 2024 (direct link) |
## Snapshot
Last week's reports highlighted several key cybersecurity threat trends. Phishing attacks continue to be widespread, observed in several campaigns using deceptive emails and fake websites to steal credentials and deliver malware such as the Mispadu banking trojan. Information-stealing malware remains a significant threat, targeting data ranging from Google Cloud Platform credentials to mobile user data via the Android spyware LianSpy. Ransomware incidents such as DeathGrip and Mallox also persisted, reflecting the ongoing challenges of defending against extortion-driven cybercrime.
Several articles included a Russian link, ranging from Russia's Forest Blizzard conducting espionage against government agencies to a campaign involving STRRAT malware attributed to the Russian threat actor Bloody Wolf. North Korean state-sponsored groups were also active, focusing on espionage and stealing intellectual property through targeted supply chain attacks and trojanized software updates. The abuse of legitimate services for malicious purposes and the development of advanced, polymorphic malware underscored the evolving complexity and persistence of cyber threats.
## Description
1. [North Korean State Hackers Target South Korean Industrial Secrets](https://sip.security.microsoft.com/intel-explorer/articles/9625c1a0): North Korea's Kimsuky and Andariel groups exploited a vulnerability in VPN software and launched trojanized installers to breach South Korean industrial networks. Their goal was to steal trade secrets in the construction and industrial sectors as part of a state-backed effort to modernize North Korean industries.
2. [URSA/Mispadu Banking Trojan Targets Spanish and Portuguese Users](https://sip.security.microsoft.com/intel-explorer/articles/c3a30f3b): a spam campaign is distributing the URSA/Mispadu trojan to steal credentials from users in Spain, Portugal and Mexico. The campaign uses urgent invoice-themed emails to lure recipients into downloading malware, resulting in significant financial losses.
3. [Polymorphic Malware Campaign Targets Chrome and Edge Users](https://sip.security.microsoft.com/intel-explorer/articles/c437b517): ReasonLabs identified a widespread campaign that forcibly installs browser extensions that steal data and updates. The campaign targets Chrome and Edge users, with more than 300,000 infections since 2021, exploiting download websites to spread the malware.
4. [APT group Actor240524 targeting Azerbaijani and Israeli diplomats](https://sip.security.microsoft.com/intel-explorer/articles/240524): researchers at NSFOCUS Security Labs uncovered a sophisticated spear-phishing campaign by the newly identified APT group Actor240524, using a trojan program named ABCloader to target Azerbaijani and Israeli diplomats. The campaign involved advanced techniques such as API encryption and COM component hijacking, aiming to steal sensitive diplomatic information.
5. [DeathGrip Ransomware-as-a-Service Expands Cybercrime Reach](https://sip.security.microsoft.com/intel-explorer/articles/09d168fd): DeathGrip, a Ransomware-as-a-Service operation, allows less skilled threat actors to deploy advanced ransomware such as LockBit 3.0. The service fuels a |
Ransomware
Spam
Malware
Tool
Vulnerability
Threat
Mobile
Industrial
Cloud
|
APT 28
|
★★
|
 |
2024-07-08 14:00:00 |
Emboldened and Evolving: A Snapshot of Cyber Threats Facing NATO (direct link) |
Written by: John Hultquist
As North Atlantic Treaty Organization (NATO) members and partners gather for a historic summit, it is important to take stock of one of its most pressing challenges: the cyber threat. The Alliance faces a barrage of malicious cyber activity from all over the globe, carried out by emboldened state-sponsored actors, hacktivists, and criminals who are willing to cross lines and carry out activity that was previously considered unlikely or inconceivable. In addition to military targets, NATO must consider the risks that hybrid threats like malicious cyber activity pose to hospitals, civil society, and other targets, which could impact resilience in a contingency. The war in Ukraine is undoubtedly linked to escalating cyber threat activity, but many of these threats will continue to grow separately and in parallel.
NATO must contend with covert, aggressive malicious cyber actors that are seeking to gather intelligence, preparing to or currently attacking critical infrastructure, and working to undermine the Alliance with elaborate disinformation schemes. In order to protect its customers and clients, Google is closely tracking cyber threats, including those highlighted in this report; however, this is just a glimpse at a much larger and evolving landscape.
Cyber Espionage
NATO's adversaries have long sought to leverage cyber espionage to develop insight into the political, diplomatic, and military disposition of the Alliance and to steal its defense technologies and economic secrets. However, intelligence on the Alliance in the coming months will be of heightened importance. This year's summit is a transition period, with the appointment of Mark Rutte as the new Secretary General and a number of adaptations expected to be rolled out to shore up the Alliance's defense posture and its long-term support for Ukraine. Successful cyber espionage from threat actors could potentially undermine the Alliance's strategic advantage and inform adversary leadership on how to anticipate and counteract NATO's initiatives and investments.
NATO is targeted by cyber espionage activity from actors around the world with varying capabilities. Many still rely on technically simple but operationally effective methods, like social engineering. Others have evolved and elevated their tradecraft to levels that distinguish themselves as formidable adversaries for even the most experienced defenders.
APT29 (ICECAP)
Publicly attributed to the Russian Foreign Intelligence Services (SVR) by several governments, APT29 is heavily focused on diplomatic and political intelligence collection, principally targeting Europe and NATO member states. APT29 has been involved in multiple high-profile breaches of technology firms that were designed to provide access to the public sector. In the past year, Mandiant has observed APT29 targeting technology companies and IT service providers in NATO member countries to facilitate third-party and software supply chain compromises of government and poli |
Ransomware
Malware
Tool
Vulnerability
Threat
Legislation
Medical
Cloud
Technical
|
APT 29
APT 28
|
★★★
|
 |
2024-06-12 14:00:00 |
Insights on Cyber Threats Targeting Users and Enterprises in Brazil (direct link) |
Written by: Kristen Dennesen, Luke McNamara, Dmitrij Lenz, Adam Weidemann, Aline Bueno
Individuals and organizations in Brazil face a unique cyber threat landscape because it is a complex interplay of global and local threats, posing significant risks to individuals, organizations, and critical sectors of Brazilian society. Many of the cyber espionage threat actors that are prolific in campaigns across the globe are also active in carrying out attempted intrusions into critical sectors of Brazilian society. Brazil also faces threats posed by the worldwide increase in multifaceted extortion, as ransomware and data theft continue to rise. At the same time, the threat landscape in Brazil is shaped by a domestic cybercriminal market, where threat actors coordinate to carry out account takeovers, conduct carding and fraud, deploy banking malware and facilitate other cyber threats targeting Brazilians. The rise of the Global South, with Brazil at the forefront, marks a significant shift in the geopolitical landscape; one that extends into the cyber realm. As Brazil's influence grows, so does its digital footprint, making it an increasingly attractive target for cyber threats originating from both global and domestic actors.
This blog post brings together Google's collective understanding of the Brazilian threat landscape, combining insights from Google's Threat Analysis Group (TAG) and Mandiant's frontline intelligence. As Brazil's economic and geopolitical role in global affairs continues to rise, threat actors from an array of motivations will further seek opportunities to exploit the digital infrastructure that Brazilians rely upon across all aspects of society. By sharing our global perspective, we hope to enable greater resiliency in mitigating these threats.
Google uses the results of our research to improve the safety and security of our products, making them secure by default. Chrome OS has built-in and proactive security to protect from ransomware, and there have been no reported ransomware attacks ever on any business, education, or consumer Chrome OS device. Google security teams continuously monitor for new threat activity, and all identified websites and domains are added to Safe Browsing to protect users from further exploitation. We deploy and constantly update Android detections to protect users' devices and prevent malicious actors from publishing malware to the Google Play Store. We send targeted Gmail and Workspace users government-backed attacker alerts, notifying them of the activity and encouraging potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.
Cyber Espionage Operations Targeting Brazil
Brazil's status as a globally influential power and the largest economy in South America have drawn attention from c |
Ransomware
Spam
Malware
Tool
Vulnerability
Threat
Mobile
Medical
Cloud
Technical
|
APT 28
|
★★
|
 |
2024-04-25 10:00:00 |
Poll Vaulting: Cyber Threats to Global Elections (direct link) |
Written by: Kelli Vanderlee, Jamie Collier
Executive Summary
The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections.
Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts.
When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure.
Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity.
Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google's Advanced Protection Program to protect high-risk accounts.
Introduction
The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture.
The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence.
|
Ransomware
Malware
Hack
Tool
Vulnerability
Threat
Legislation
Cloud
Technical
|
APT 40
APT 29
APT 28
APT 43
APT 31
APT 42
|
★★★
|
 |
2023-08-14 10:00:00 |
Building Cybersecurity into the supply chain is essential as threats mount (direct link) |
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
The supply chain, already fragile in the USA, is at severe and significant risk of damage by cyberattacks. According to research analyzed by Forbes, supply chain attacks now account for a huge 62% of all commercial attacks, a clear indication of the scale of the challenge faced by the supply chain and the logistics industry as a whole. There are solutions out there, however, and the most simple of these concerns a simple upskilling of supply chain professionals to be aware of cybersecurity systems and threats. In an industry dominated by the need for trust, this is something that perhaps can come naturally for the supply chain.
Building trust and awareness
At the heart of a successful supply chain relationship is trust between partners. Building that trust, and securing high quality business partners, relies on a few factors. Cybersecurity experts and responsible officers will see some familiarity - due diligence, scrutiny over figures, and continuous monitoring. In simple terms, an effective framework of checking and rechecking work, monitored for compliance on all sides.
These factors are a key part of new federal cybersecurity rules, according to news agency Reuters. Among other measures are a requirement for companies to have rigorous control over system patching, and measures that would require cloud hosted services to identify foreign customers. These are simple but important steps, and give a hint to supply chain businesses as to what they should be doing: putting in measures to monitor, control, and enact compliance on cybersecurity threats. That being said, it can be the case that the software isn’t in place within individual businesses to ensure that level of control. The right tools, and the right personnel, are also essential.
The importance of software
Back in April, the UK’s National Cyber Security Centre released details of specific threats made by Russian actors against business infrastructure in the USA and UK. Highlighted in this were specific weaknesses in business systems, and that includes in hardware and software used by millions of businesses worldwide. The message is simple - even industry standard software and devices have their problems, and businesses have to keep track of that.
There are two arms to ensure this is completed. Firstly, the business should have a cybersecurity officer in place whose role it is to monitor current measures and ensure they are kept up to date. Secondly, budget and time must be allocated at an executive level firstly to promote networking between the business and cybersecurity firms, and between partner businesses to ensure that even cybersecurity measures are implemented across the chain.
Utilizing AI
There is something of a digital arms race when it comes to artificial intelligence. As ZDNet notes, the lack of clear regulation is providing a lot of leeway for malicious actors to innovate, but for businesses to act, too. While regulations are now coming in, it remains that there is a clear role for AI in prevention.
According t |
Threat
Cloud
|
APT 28
ChatGPT
|
★★
|
 |
2023-06-21 20:11:00 |
Anomali Cyber Watch: Cadet Blizzard - New GRU APT, ChamelDoH Hard-to-Detect Linux RAT, Stealthy DoubleFinger Targets Cryptocurrency (direct link) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: data leaks, disruption, extortion, masquerading, remote access trojans, tunneling, and vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Anomali Intel Global Security Event - Progress Software Vulnerabilities - MOVEit & DataDirect Connect
(Published: June 16, 2023)
Following the discovery of CVE-2023-34362 and its earlier exploitation by a CLOP ransomware affiliate, several additional vulnerabilities were discovered in MOVEit Transfer (CVE-2023-35036 and CVE-2023-35708) and other Progress Software products (CVE-2023-34363 and CVE-2023-34364). As the group's dark web leak site (>_CLOP^_-LEAKS) began naming compromised entities, the original exploitation event was assessed as a global security event. This is based on the growing list of known breached organizations and the use of MOVEit among thousands of organizations worldwide, including the public, private and government sectors.
Analyst comment: Network defenders should follow Progress Software's remediation steps, which include hardening, detection, cleanup and installation of the recent MOVEit Transfer security patches. YARA rules and host-based indicators associated with observed MOVEit exploitation are available in the Anomali platform for detection and historical reference.
MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1560.001 - Archive Collected Data: Archive via Utility
Signatures (Sigma rules): Potential MOVEit Transfer exploitation | MOVEit exploitation.
(YARA rules) LEMURLOOT webshell DLL payloads - YARA by Mandiant | LEMURLOOT ASP.NET webshell scripting - YARA by Mandiant | MOVEit exploitation - YARA by Florian Roth | moveit_transfer_exploit_webshell_aspx | moveit_transfer_exploit_webshell_dll
Tags: target-software: MOVEit Transfer, vulnerability: CVE-2023-34362, vulnerability: CVE-2023-35036, vulnerability: CVE-2023-35708, vulnerability: CVE-2023-34363, vulnerability: CVE-2023-34364, target-country: United States [...] type: ransomware, malware: LEMURLOOT, malware type: webs |
Ransomware
Tool
Threat
Cloud
|
APT 28
|
★★
|
 |
2022-08-18 08:00:00 |
Ukraine and the fragility of agriculture security (direct link) |
By Joe Marshall.
The war in Ukraine has had far-reaching global implications and one of the most immediate effects felt will be on the global supply chain for food. This war-induced fragility has exposed the weaknesses of how we feed ourselves globally. Ransomware cartels and other adversaries are well aware of this and are actively exploiting that fragility. For the past six years, Cisco Talos has been actively involved in assisting public and private institutions in Ukraine to defend themselves against state-sponsored actors. Our involvement stretches the gamut from commercial to critical infrastructure, to election security. Our presence has afforded us unique opportunities and observations about cybersecurity in a macro and micro way. Ukraine has been a frequent victim of state-sponsored cyber attacks aimed at critical infrastructures like power and transportation. Talos is proud to stand with our partners in Ukraine and help defend their critical networks and help users there maintain access to necessary services. Now that Russia has invaded Ukraine, those threats have escalated to kinetic attacks that are wreaking havoc on a critical element of our world: agriculture and our global food supply chain. Even worse is the implications this war will have for future cyber attacks, as fragility is considered a lucrative element in deciding victimology by threat actors like ransomware cartels. To truly grasp the implications of the war in Ukraine, we have to examine how vital Ukrainian agriculture feeds the world, the current state of affairs, and what this means for the global cybersecurity posture to protect agricultural assets.
Where there is weakness, there is opportunity
Ransomware cartels and their affiliates are actively targeting the agricultural industry. Moreover, these actors have done their homework and are targeting agricultural companies during the two times of the year where they cannot suffer disruptions: planting and harvesting.
Per the published FBI PIN Alert: “Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production.” This is far from unusual for these adversaries - they are shrewd and calculating, and understand their victims' weaknesses and industries. H |
Ransomware
Threat
Guideline
Cloud
|
NotPetya
Uber
APT 37
APT 32
APT 28
APT 10
APT 21
Guam
|
|
 |
2022-08-06 10:46:21 |
CISO workshop slides (lien direct) |
A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady eye this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact, given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142): |
Malware
Vulnerability
Threat
Patching
Guideline
Medical
Cloud
|
Uber
APT 38
APT 37
APT 28
APT 19
APT 15
APT 10
APT 34
Guam
|
|
 |
2022-08-02 15:17:00 |
Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyber mercenaries, Phishing, Rootkits, Spyware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”
(published: July 28, 2022)
Volexity researchers discovered SharpExt, a new malicious browser extension used by the North Korea-sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the extension; the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter used almost exclusively in South Korea. Following the initial compromise, Velvet Chollima deploys SharpExt and, to avoid alerting the victim, manually exfiltrates the browser's settings files, modifies the settings, and generates a valid "super_mac" security check value. They also hide the newly opened DevTools window and any other warning windows, such as the warning about extensions running in developer mode.
Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it was concentrating on stealing credentials instead of emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match).
MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Hide Artifacts - T1564
Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension
Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits
(published: July 27, 2022)
Microsoft researchers detail the activity of DSIRF, an Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF was exploiting another Adobe Reader vulnerability, CVE-2022-22047, which was patched in July 2022. DSIRF attacks rely on its malware toolset called Subzero. The initial downloader shellcode is executed from either the exploit chains or malicious Excel documents. It downloads a JPG image file carrying extra encrypted data, then extracts, decrypts, and loads into memory the Corelump memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se |
Malware
Tool
Vulnerability
Threat
Patching
Guideline
Cloud
|
APT 37
APT 28
|
|
 |
2022-07-24 13:53:53 |
Is APT28 behind the STIFF#BIZON attacks attributed to North Korea-linked APT37? (lien direct) |
>North Korea-linked APT37 group targets high-value organizations in the Czech Republic, Poland, and other countries. Researchers from the Securonix Threat Research (STR) team have uncovered a new attack campaign, tracked as STIFF#BIZON, targeting high-value organizations in multiple countries, including the Czech Republic and Poland. The researchers attribute this campaign to the North Korea-linked APT37 group, aka […]
|
Threat
Cloud
|
APT 37
APT 28
|
|
 |
2015-04-18 11:10:00 |
Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia's APT28 in Highly-Targeted Attack (lien direct) |
FireEye Labs recently detected a limited APT campaign exploiting zero-day vulnerabilities in Adobe Flash and a brand-new one in Microsoft Windows. Using the Dynamic Threat Intelligence Cloud (DTI), FireEye researchers detected a pattern of attacks beginning on April 13th, 2015. Adobe independently patched the vulnerability (CVE-2015-3043) in APSB15-06. Through correlation of technical indicators and command-and-control infrastructure, FireEye assesses that APT28 is probably responsible for this activity.
Microsoft is aware of the outstanding local privilege escalation vulnerability in Windows |
Vulnerability
Threat
Cloud
|
APT 28
|
★★★★
|
|