What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2025-04-17 10:31:17 | Autour du monde en 90 jours: les acteurs parrainés par l'État essaient Clickfix Around the World in 90 Days: State-Sponsored Actors Try ClickFix (lien direct) |
Conclusions clés Alors que principalement une technique affiliée à des acteurs cybercrimins, les chercheurs de ProofPoint ont découvert des acteurs parrainés par l'État dans plusieurs campagnes en utilisant la technique d'ingénierie sociale ClickFix pour la première fois. Sur seulement une période de trois mois de la fin de 2024 au début de 2025, des groupes de Corée du Nord, d'Iran et de Russie ont tous été vus en utilisant la technique Clickfix dans leur activité de routine. L'incorporation de ClickFix ne révolutionne pas les campagnes réalisées par TA427, TA450, UNK_Remooterogue et TA422 mais remplace plutôt les étapes d'installation et d'exécution dans les chaînes d'infection existantes. Bien que actuellement limité à quelques groupes parrainés par l'État, la popularité croissante du fixe de clics dans la cybercriminalité au cours de la dernière année ainsi que dans les campagnes d'espionnage au cours des derniers mois suggère que la technique sera probablement plus testée ou adoptée par des acteurs parrainés par l'État. Aperçu Une tendance majeure dans le paysage des menaces est la fluidité des tactiques, des techniques et des procédures (TTPS). Les acteurs de menace partagent, copiernt, voler, adopter et tester les TTP de la métier exposée publiquement ou l'interaction avec d'autres groupes de menaces. Plus précisément, les acteurs parrainés par l'État ont souvent mis à profit les techniques développées et déployées pour la première fois par des acteurs cybercriminaux. Par exemple, les acteurs de la menace nord-coréenne copiant les techniques de la cybercriminalité pour voler la crypto-monnaie au nom du gouvernement, ou des groupes chinois imitant les chaînes d'infection de cybercriminalité pour livrer des logiciels malveillants dans les opérations d'espionnage. L'exemple le plus récent de cette tendance est Clickfix. ClickFix est une technique d'ingénierie sociale qui utilise des boîtes de dialogue avec des instructions pour copier, coller et exécuter des commandes malveillantes sur la machine Target \\. Cette technique créative utilise non seulement de faux messages d'erreur comme problème, mais aussi une alerte faisant autorité et des instructions provenant du système d'exploitation en tant que solution. Principalement observé dans l'activité de la cybercriminalité, la technique Clickfix a été vue pour la première fois début mars 2024 déployé par le courtier d'accès initial TA571 et le cluster Clearfake, après quoi il a inondé le paysage des menaces. Un an plus tard, au moins quatre acteurs de menaces parrainés par l'État ont depuis expérimenté des variations de cette technique dans le cadre de leurs campagnes d'espionnage habituées. Sur environ trois mois d'octobre 2024 à janvier 2025, les acteurs de la menace provenant de trois pays distincts (Corée du Nord, Iran et Russie) ont incorporé Clickfix comme étape de leurs chaînes d'infection. Corée du Nord: TA427 En janvier et février 2025, ProofPoint a d'abord observé les opérateurs TA427 ciblant les individus dans moins de cinq organisations dans le secteur des ateliers avec une nouvelle chaîne d'infection en utilisant la technique ClickFix. Ta427 chevauche avec des tiers de l'activité appelée kimsuky ou grésil émeraude. TA427 a établi un contact initial avec l'objectif grâce à une demande de réunion d'un expéditeur usurpé livré aux cibles traditionnelles TA427 travaillant sur les affaires nord-coréennes. Après une brève conversation pour engager la cible et renforcer la confiance, comme on le voit souvent dans l'activité TA427, les attaquants ont dirigé la cible vers un site contrôlé par l'attaquant où ils ont convaincu la cible d'exécuter une commande PowerShell. Bien qu'une chaîne n'ait pas réussi à récupérer d'autres charges utiles, une autre instance de cette campagne comprenait une chaîne à plusieurs étages qui a exécuté PowerShell, VBS et les scripts par lots, ce qui a finalement conduit à une charge utile finale - Quasarrat | Malware Tool Vulnerability Threat Prediction Cloud | APT 28 | ★★★ |
 |
2025-01-14 14:40:00 | Russian-Linked Hackers Target Kazakhstan in Espionage Campaign with HATVIBE Malware (lien direct) | Russia-linked threat actors have been attributed to an ongoing cyber espionage campaign targeting Kazakhstan as part of the Kremlin\'s efforts to gather economic and political intelligence in Central Asia.
The campaign has been assessed to be the work of an intrusion set dubbed UAC-0063, which likely shares overlap with APT28, a nation-state group affiliated with Russia\'s General Staff Main
Russia-linked threat actors have been attributed to an ongoing cyber espionage campaign targeting Kazakhstan as part of the Kremlin\'s efforts to gather economic and political intelligence in Central Asia. The campaign has been assessed to be the work of an intrusion set dubbed UAC-0063, which likely shares overlap with APT28, a nation-state group affiliated with Russia\'s General Staff Main |
Malware Threat | APT 28 | ★★★ |
|
2024-11-22 17:36:00 | Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia (lien direct) | Threat actors with ties to Russia have been linked to a cyber espionage campaign aimed at organizations in Central Asia, East Asia, and Europe.
Recorded Future\'s Insikt Group, which has assigned the activity cluster the name TAG-110, said it overlaps with a threat group tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0063, which, in turn, overlaps with APT28. The
Threat actors with ties to Russia have been linked to a cyber espionage campaign aimed at organizations in Central Asia, East Asia, and Europe. Recorded Future\'s Insikt Group, which has assigned the activity cluster the name TAG-110, said it overlaps with a threat group tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0063, which, in turn, overlaps with APT28. The |
Malware Threat | APT 28 | ★★ |
 |
2024-11-04 12:25:16 | Faits saillants hebdomadaires d'osint, 4 novembre 2024 Weekly OSINT Highlights, 4 November 2024 (lien direct) |
## Instantané La semaine dernière, les rapports OSINT de \\ ont mis en évidence l'activité de menace parrainée par l'État et la menace cybercriminale, avec divers vecteurs d'attaque et cibles dans les secteurs.Des acteurs apt en Corée du Nord, en Chine et en Russie ont mené des campagnes ciblées de phishing, de réseau et de campagnes de logiciels malveillants.Les groupes nord-coréens et russes ont favorisé les tactiques de vol d'identification et de ransomwares ciblant les secteurs du gouvernement aux militaires, tandis que les acteurs chinois ont exploité les vulnérabilités de pare-feu pour obtenir un accès à long terme dans les secteurs à enjeux élevés.Pendant ce temps, les cybercriminels ont mis à profit l'ingénierie sociale, le Vishing et l'IoT et les vulnérabilités de plugin pour infiltrer les environnements cloud, les appareils IoT et les systèmes Android.L'accent mis sur l'exploitation des vulnérabilités de logiciels populaires et des plateformes Web souligne l'adaptabilité de ces acteurs de menace à mesure qu'ils étendent leur portée d'attaque, en particulier dans l'utilisation des stratégies de cloud, de virtualisation et de cryptomiminage dans une gamme d'industries. ## Description 1. [Jumpy Poisses Ransomware Collaboration] (https://sip.security.microsoft.com/intel-explorer/articles/393b61a9): l'unité 42 a rapporté la Corée du Nord \'s Jucky Pisse (Onyx Sleet) en partenariat avec Play Ransomware in \'s Jumpy Pisses (ONYX Sleet) en partenariat avec Play Ransomware dans Play Ransomware in Jumpy Pisses (ONYX Sleet)Une attaque à motivation financière ciblant les organisations non spécifiées.L'acteur de menace a utilisé des outils comme Sliver, Dtrack et Psexec pour gagner de la persistance et dégénérerPrivilèges, se terminant par le déploiement des ransomwares de jeu. 1. [Menaces chinoises ciblant les pare-feu] (https://sip.security.microsoft.com/intel-Explorateur / articles / 798C0FDB): Sophos X-OPS a identifié des groupes basés en Chine comme Volt Typhoon, APT31 et APT41 exploitant des pare-feu pour accéderPacifique.Ces groupes utilisent des techniques sophistiquées telles que les rootkits de vie et multiplateforme. 1. [Campagne de phishing sur la plate-forme Naver] (https://sip.security.microsoft.com/intel-explorer/articles/dfee0ab5): les acteurs liés au nord-coréen ont lancé une campagne de phishing ciblant la Corée du Sud \'s Naver, tentantPour voler des informations d'identification de connexion via plusieurs domaines de phishing.L'infrastructure, avec les modifications du certificat SSL et les capacités de suivi, s'aligne sur Kimsuky (Emerald Sleet), connu pour ses tactiques de vol d'identification. 1. [FAKECALL Vishing malware sur Android] (https://sip.security.microsoft.com/intel-explorer/articles/d94c18b0): les chercheurs de Zimperium ont identifié des techniques de vitesses de malware FAKECALT pour voler les utilisateurs de l'Android.Le malware intercepte les appels et imite le numéroteur d'Android \\, permettant aux attaquants de tromper les utilisateurs pour divulguer des informations sensibles. 1. [Facebook Business Phishing Campaign] (https://sip.security.microsoft.com/intel-explorer/articles/82b49ffd): Cisco Talos a détecté une attaque de phishing ciblant les comptes commerciaux Facebook à Taiwan, en utilisant des avis juridiques comme leurre.Lummac2 et les logiciels malveillants de volée des informations de Rhadamanthys ont été intégrés dans des fichiers RAR, collectionner des informations d'identification du système et éluder la détection par l'obscurcissement et l'injection de processus. 1. [Vulnérabilité des caches litres de LiteSpeed] (https://sip.security.microsoft.com/intel-explorer/articles/a85b69db): le défaut du plugin de cache LiteSpeets (CVE-2024-50550) pourrait permettre une escalale de privilège à un niveau de privilège à plus de six millions pour plus de six millionssites.Les vulnérabilités exploitées ont permis aux attaquants de télécharger des plugins ma | Ransomware Malware Tool Vulnerability Threat Mobile Prediction Medical Cloud Technical | APT 41 APT 28 APT 31 Guam | ★★★ |
 |
2024-11-01 19:39:00 | Ngioweb reste actif 7 ans plus tard Ngioweb Remains Active 7 Years Later (lien direct) |
Executive Summary Seven years after its first appearance, the proxy server botnet Ngioweb continues its impactful presence on the internet with barely any relevant changes in its original code. Threat actors have continued to actively use Nbioweb extensively to scan for vulnerable devices (including a new arsenal of exploits) which can be turned into new proxies. All infected systems are then sold in the black market for pennies as residential proxies via Nsocks. Key Takeaways: Nsocks offers 30,000 IPs globally and sells them for prices under $1.50 for 24hours of access. The main targets are residential ISP users, representing more than 75% of the infected users. The threat actors behind Ngioweb are using dedicated scanners per vulnerability/device to avoid exposing their whole arsenal. Linear eMerge, Zyxel routers, and Neato vacuums are some of the most targeted devices, but there are many other routers, cameras, and access control systems being targeted. Ngioweb Background In August 2018, Check Point published a report and deep analysis on a new multifunctional proxy server botnet named Ngioweb. The proxy service was being loaded by the banking malware family Ramnit. In their report, Check Point reported that the first sample was observed in the second half of 2017. After the publication of that initial report, additional articles were released. Netlab wrote two blogs that took a deep-dive into the available Ngioweb samples, describing the domain generating algorithm (DGA), communication protocols, command and control (C&C) infrastructure, exploited CVEs for D-Link and Netgear devices, its updated features, and more. For details on the nature of Ngioweb, read Netlab’s blog which includes coverage that remains valid today.[t1] [PA2] Most recently, in 2024 TrendMicro reported how cybercriminals and nation states are leveraging residential proxy providers to perform malicious actions. For example, one of these nation-state actors, Pawn Storm, had been using a network of hundreds of small office and home office (SOHO) routers through January 2024, when the FBI neutralized part of the botnet. During TrendMicro’s investigation of several EdgeOS infected systems, they identified that in addition to Pawn Storm, the Canadian Pharmacy gang and a threat actor using Ngioweb malware were also abusing the infected device. Malware Analysis This last spring 2024, LevelBlue Labs identified scanning activity on vulnerable devices and those devices were carrying Ngioweb as the delivered payload. Depending on the targeted system, the exploit used a downloader for several CPU architectures or directly contained the specific payload for the targeted system. One of the samples obtained during 2024 (be285b77211d1a33b7ae1665623a9526f58219e20a685b6548bc2d8e857b6b44) allowed LevelBlue Labs to determine that the Ngioweb trojan our researchers identified works very similarly to how Ngioweb worked in 2019, with only a few, slight modifications to Ngioweb’s original code added to elude detections or nosy security researchers. DGA domains Domain generation algorithms (DGA) aren’t new to Ngioweb (they have been identified as present in previous reports, specifically when Netlab sinkholed several domains). The Ngioweb sample LevelBlue Labs analyzed uses a very similar algorithm to those that have been identified in the past. The DGA selects domains from a pool of thousands, depending on the malware configurations, and it will then start trying to connect to all of them until it finds a resolving domain. However, in an attempt to avoid the first stage C&C being sinkholed by researchers, the threat actors using the sample LevelBlue Labs analyzed have included a sanity check. All active C&C communications carry a unique and encrypted TXT response that acts as a signature of its authenticity. This response carries | Malware Vulnerability Threat Mobile Technical | APT 28 | ★★★ |
 |
2024-09-10 14:00:00 | Perspectives sur les cyber-menaces ciblant les utilisateurs et les entreprises au Mexique Insights on Cyber Threats Targeting Users and Enterprises in Mexico (lien direct) |
Written by: Aurora Blum, Kelli Vanderlee
Like many countries across the globe, Mexico faces a cyber threat landscape made up of a complex interplay of global and local threats, with threat actors carrying out attempted intrusions into critical sectors of Mexican society. Mexico also faces threats posed by the worldwide increase in multifaceted extortion, as ransomware and data theft continue to rise. Threat actors with an array of motivations continue to seek opportunities to exploit the digital infrastructure that Mexicans rely on across all aspects of society. This joint blog brings together our collective understanding of the cyber threat landscape impacting Mexico, combining insights from Google\'s Threat Analysis Group (TAG) and Mandiant\'s frontline intelligence. By sharing our global perspective, especially during today\'s Google for Mexico event, we hope to enable greater resiliency in mitigating these threats. Cyber Espionage Operations Targeting Mexico As the 12th largest economy in the world, Mexico draws attention from cyber espionage actors from multiple nations, with targeting patterns mirroring broader priorities and focus areas that we see elsewhere. Since 2020, cyber espionage groups from more than 10 countries have targeted users in Mexico; however, more than 77% of government-backed phishing activity is concentrated among groups from the People\'s Republic of China (PRC), North Korea, and Russia. 
Figure 1: Government-backed phishing activity targeting Mexico, January 2020 – August 2024
The examples here highlight recent and historical examples where cyber espionage actors have targeted users and organizations in Mexico. It should be noted that these campaigns describe targeting and do not indicate successful compromise or exploitation.
PRC Cyber Espionage Activity Targeting Mexico
Since 2020, we have observed activity from seven cyber espionage groups with links to the PRC targeting users in Mexico, accounting for a third of government-backed phishing activity in the country.
This volume of PRC cyber espionage is similar to activity in other regions where Chinese government investment has been focused, such as countries within China\'s Belt and Road Initiative. In addition to activity targeting Gmail users, PRC-backed groups have targeted Mexican government agencies, higher |
Ransomware Malware Tool Vulnerability Threat Mobile Cloud Commercial | APT 28 | ★★ |
|
2024-08-12 10:35:06 | Faits saillants hebdomadaires, 12 août 2024 Weekly OSINT Highlights, 12 August 2024 (lien direct) |
## Instantané La semaine dernière, les rapports de \\ ont mis en évidence plusieurs tendances clés des menaces de cybersécurité.Les attaques de phishing continuent d'être répandues, observées dans plusieurs campagnes utilisant des e-mails trompeurs et de faux sites Web pour voler des informations d'identification et livrer des logiciels malveillants tels que le trojan bancaire Mispadu.Les logiciels malveillants de volée de l'information restent une menace importante, ciblant des données allant des informations d'identification de la plate-forme Google Cloud aux données utilisateur mobiles à l'aide de logiciels spymétriques Android Lianspy.Des incidents de ransomware tels que DeathGrip et Mallox ont également persisté, reflétant les défis continus dans la défense contre la cybercriminalité axée sur l'extorsion. Plusieurs articles comprenaient un lien russe, allant de la blizzard forestier de la Russie, conduisant l'espionnage contre les agences gouvernementales à une campagne impliquant des logiciels malveillants de Strrat, attribués à l'acteur de menace russe Bloody Wolf.Les groupes parrainés par l'État nord-coréen étaient également actifs, en se concentrant sur l'espionnage et en volant la propriété intellectuelle grâce à des attaques ciblées en chaîne d'approvisionnement et à des mises à jour logicielles trojanisées.L'abus de services légitimes à des fins malveillantes et le développement de logiciels malveillants avancés et polymorphes ont souligné l'évolution de la complexité et de la persistance des cyber-menaces. ## Description 1. [Les pirates d'État nord-coréens ciblent les secrets industriels sud-coréens] (https://sip.security.microsoft.com/intel-explorer/articles/9625c1a0): les groupes de Kimsuky et Andariel de la Corée du Nord ont exploité une vulnérabilité du logiciel VPN VPN \\et a lancé des installateurs trojanisés pour enfreindre les réseaux industriels sud-coréens.Leur objectif était de voler des secrets commerciaux dans les secteurs de la construction et des industriels dans le cadre d'un effort soutenu par l'État pour moderniser les industries nord-coréennes. 2. [URSA / Mispadu Banking Trojan cible des utilisateurs d'espagnol et portugais] (https://sip.security.microsoft.com/intel-explorer/articles/c3a30f3b): une campagne de spam est distribué le Trojan URSA / Mispadu pour voler des informations d'identification.des utilisateurs d'Espagne, du Portugal et du Mexique.La campagne utilise des e-mails urgents sur le thème des factures pour inciter les destinataires à télécharger des logiciels malveillants, entraînant des pertes financières importantes. 3. [La campagne polymorphe des logiciels malveillants cible les utilisateurs de Chrome et Edge] (https://sip.security.microsoft.com/intel-explorer/articles/c437b517): RaisonLabs a identifié une campagne répandue avec force d'installation avec force des extensions de navigation qui volent les données et les mises à jour.La campagne cible les utilisateurs de Chrome et Edge, avec plus de 300 000 infections depuis 2021, exploitant des sites Web de téléchargement pour diffuser les logiciels malveillants. 4. [APT group Actor240524 targeting Azerbaijani and Israeli diplomats:](https://sip.security.microsoft.com/intel-explorer/articles/240524) Researchers at NSFOCUS Security Labs uncovered a sophisticated spear-phishing campaign by the newly identifiedAPT Group Actor240524, en utilisant un programme de Troie nommé Abcloader pour cibler les diplomates azerbaïdjanais et israéliens.La campagne impliquait des techniques avancées comme le chiffrement de l'API et le détournement des composants com, visant à voler SEInformations diplomatiques nsitiques. 5. [DeathGrip Ransomware-As-A-Service étend Cybercrime Reach] (https://sip.security.microsoft.com/intel-exPLORER / Articles / 09d168fd): DeathGrip, une opération Ransomware-as-a-Service, permet aux acteurs de menace moins qualifiés de déployer des ransomwares avancés comme Lockbit 3.0.Le service alimente une a | Ransomware Spam Malware Tool Vulnerability Threat Mobile Industrial Cloud | APT 28 | ★★ |
|
2024-08-05 21:26:54 | Russian APT Fighting Ursa cible les diplomates avec des logiciels malveillants de tête à l'aide de fausses annonces de vente de voitures Russian APT Fighting Ursa Targets Diplomats with HeadLace Malware Using Fake Car Sale Ads (lien direct) |
#### Industries ciblées - agences et services gouvernementaux - Diplomatie / relations internationales ## Instantané Les chercheurs de l'unité 42 ont identifié une campagne probablement attribuée à l'acteur de menace russe combattant Ursa (aka [Forest Blizzard] (https://sip.security.microsoft.com/intel-profiles/dd75f93b2a71c9510dceec817b9d34d868c2d1353d08c8c1647d868c2d1353d08c8c1647d868c2d1353d08c8c847De067270f. , Apt28, ours fantaisie) qui a utilisé unAPUTER LA VOLAGE DE VENTE comme un leurre pour distribuer les logiciels malveillants de la porte de la tête.La campagne a ciblé les diplomates et a commencé en mars 2024. ## Description Le leurre initial a été hébergé par le service légitime webhook.site et a conduit à la distribution de la page HTML malveillante.Le logiciel malveillant téléchargé, déguisé en publicité automobile, contenait la porte dérobée de la tête, qui a exécuté par étapes pour échapper à la détection.L'attaque s'appuyait fortement sur les services publics et gratuits pour héberger des leurres et diverses étapes de l'attaque.Le code HTML vérifie les ordinateurs Windows et redirige les visiteurs non-Windows vers une image de leurre sur IMGBB.Le code crée ensuite une archive zip à partir du texte Base64, l'offrant pour le téléchargement et la tentative de l'ouvrir avec la fonction javascript click ().L'archive zip téléchargée contient un fichier avec une double extension de .jpg.exe, qui est une copie du fichier de calculatrice de Windows légitime que Calc.exe a utilisé pour mettre à côté le fichier DLL inclus WindowsCodecs.dll, un composant de la porte arrière de la tête. La lutte contre l'Ursa est connue pour exploiter continuellement des vulnérabilités connues même après que leur couverture a été soufflée.L'infrastructure du groupe \\ évolue constamment, et il devrait continuer à utiliser des services Web légitimes dans son infrastructure d'attaque. ## Analyse Microsoft Cette tactique de l'utilisation de leurres de phishing diplomatique de voitures diplomatiques a été précédemment observée avec d'autres groupes de menaces russes.En septembre 2023, Microsoft Threat Intelligence a observé probablement [Midnight Blizzard]. 831] (https://sip.security.Microsoft.com/intel-explorer/cves/cve-2023-38831/description) Vulnérabilité dans Rarlabs Winrar pour cibler les réseaux de plus de 40 organisations diplomatiques et intergouvernementales (IGO).Les acteurs de la menace ont envoyé des courriels de phishing de lance avec des archives zippées malveillantes, demandant aux destinataires d'ouvrir la pièce jointe pour voir les détails d'une voiture diplomatique à vendre.Lire la suite [ici] (https://sip.security.microsoft.com/intel-explorer/articles/af5bdd1c). ## Détections / requêtes de chasse ** Microsoft Defender Antivirus ** Microsoft Defender Antivirus détecte les composants de menace suivants comme malWare: - [Trojan: script / obfuse] (https://www.microsoft.com/en-us/wdsi/thereats/malware-encycopedia-dercription?name=trojan:js/obfuse) - [Trojan: html / phish] (https://www.microsoft.com/en-us/wdsi/therets/malware-encyclopedia-description?name=trojan:html/phish) ## Recommandations Investissez dans des solutions avancées et anti-phishing qui surveillent les e-mails entrants et les sites Web visités.[Microsoft Defender pour OFFFICE 365] (https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-security-center-mdo?ocid=Magicti_Ta_learnDoc) rassemble une gestion des incidents et des alertes à travers les e-mails, les dispositifset identités, centraliser les enquêtes pour les menaces par courrier électronique.Les organisations peuvent également tirer parti des navigateurs Web qui [Indentify and Block] (https://learn.microsoft.com/deployedge/microsoft-edge-security-smartscreen?ocid=Magicti_TA_LearnDoc) sont des sites Web malveillants, y compris ceux utilisés dans cette campagne de phishing. • Exécutez la détection et la | Malware Tool Vulnerability Threat | APT 28 | ★★★★ |
 |
2024-08-05 15:01:41 | Cybercriminalité : Fighting Ursa utilise une annonce de vente de voiture comme leurre (lien direct) | Un acteur malveillant russe, suivi par l'Unit 42 sous le nom de Fighting Ursa, cabinet de conseil et de recherche/réponse aux cyber menaces de Palo Alto Networks, a utilisé une annonce de vente de voiture comme leurre pour distribuer le malware backdoor HeadLace. - Malwares | Malware Threat | APT 28 | ★★★ |
 |
2024-08-05 11:38:04 | Russie \\ 'S \\' combattant Ursa \\ 'APT utilise des annonces de voitures pour installer des logiciels malveillants Headlace Russia\\'s \\'Fighting Ursa\\' APT Uses Car Ads to Install HeadLace Malware (lien direct) |
Le programme, du groupe également connu sous le nom d'APT28, consiste à cibler les diplomates d'Europe de l'Est ayant besoin de transport personnel, les tentant avec une bonne affaire sur un SUV Audi Q7 Quattro.
The scheme, from the group also known as APT28, involves targeting Eastern European diplomats in need of personal transportation, tempting them with a purported good deal on a Audi Q7 Quattro SUV. |
Malware | APT 28 | ★★★ |
|
2024-08-02 21:46:00 | APT28 cible les diplomates avec des logiciels malveillants de tête via la vente de phishing APT28 Targets Diplomats with HeadLace Malware via Car Sale Phishing Lure (lien direct) |
Un acteur de menace lié à la Russie a été lié à une nouvelle campagne qui employait une voiture à vendre comme leurre de phishing pour livrer une porte dérobée de fenêtres modulaires appelée Headlace.
"La campagne a probablement ciblé les diplomates et a commencé dès mars 2024", a déclaré l'unité Palo Alto Networks 42 dans un rapport publié aujourd'hui, l'attribuant avec un niveau moyen à élevé de confiance à l'APT28, qui est également appelé
A Russia-linked threat actor has been linked to a new campaign that employed a car for sale as a phishing lure to deliver a modular Windows backdoor called HeadLace. "The campaign likely targeted diplomats and began as early as March 2024," Palo Alto Networks Unit 42 said in a report published today, attributing it with medium to high level of confidence to APT28, which is also referred to as |
Malware Threat | APT 28 | ★★★★ |
|
2024-07-29 10:58:35 | Weekly OSINT Highlights, 29 July 2024 (lien direct) | ## Snapshot Key trends from last week\'s OSINT reporting include novel malware, such as Flame Stealer and FrostyGoop, the compromise of legitimate platforms like Discord and GitHub, and state-sponsored threat actors conducting espionage and destructive attacks. Notable threat actors, including Russian groups, Transparent Tribe, FIN7, and DPRK\'s Andariel, are targeting a wide range of sectors from defense and industrial control systems to financial institutions and research entities. These attacks exploit various vulnerabilities and employ advanced evasion techniques, leveraging both traditional methods and emerging technologies like AI-generated scripts and RDGAs, underscoring the evolving and persistent nature of the cyber threat landscape. ## Description 1. [Widespread Adoption of Flame Stealer](https://sip.security.microsoft.com/intel-explorer/articles/f610f18e): Cyfirma reports Flame Stealer\'s use in stealing Discord tokens and browser credentials. Distributed via Discord and Telegram, this malware targets various platforms, utilizing evasion techniques like DLL side-loading and data exfiltration through Discord webhooks. 2. [ExelaStealer Delivered via PowerShell](https://sip.security.microsoft.com/intel-explorer/articles/5b4a34b0): The SANS Technology Institute Internet Storm Center reported a threat involving ExelaStealer, downloaded from a Russian IP address using a PowerShell script. The script downloads two PE files: a self-extracting RAR archive communicating with "solararbx\[.\]online" and "service.exe," the ExelaStealer malware. The ExelaStealer, developed in Python, uses Discord for C2, conducting reconnaissance activities and gathering system and user details. Comments in Russian in the script and the origin of the IP address suggest a Russian origin. 3. [FrostyGoop Disrupts Heating in Ukraine](https://sip.security.microsoft.com/intel-explorer/articles/cf8f8199): Dragos identified FrostyGoop malware in a cyberattack disrupting heating in Lviv, Ukraine. Linked to Russian groups, the ICS-specific malware exploits vulnerabilities in industrial control systems and communicates using the Modbus TCP protocol. 4. [Rhysida Ransomware Attack on Private School](https://sip.security.microsoft.com/intel-explorer/articles/4cf89ad3): ThreatDown by Malwarebytes identified a Rhysida ransomware attack using a new variant of the Oyster backdoor. The attackers used SEO-poisoned search results to distribute malicious installers masquerading as legitimate software, deploying the Oyster backdoor. 5. [LLMs Used to Generate Malicious Code](https://sip.security.microsoft.com/intel-explorer/articles/96b66de0): Symantec highlights cyberattacks using Large Language Models (LLMs) to generate malware code. Phishing campaigns utilize LLM-generated PowerShell scripts to download payloads like Rhadamanthys and LokiBot, stressing the need for advanced detection against AI-facilitated attacks. 6. [Stargazers Ghost Network Distributes Malware](https://sip.security.microsoft.com/intel-explorer/articles/62a3aa28): Check Point Research uncovers a network of GitHub accounts distributing malware via phishing repositories. The Stargazer Goblin group\'s DaaS operation leverages over 3,000 accounts to spread malware such as Atlantida Stealer and RedLine, targeting both general users and other threat actors. 7. [Crimson RAT Targets Indian Election Results](https://sip.security.microsoft.com/intel-explorer/articles/dfae4887): K7 Labs identified Crimson RAT malware delivered through documents disguised as "Indian Election Results." Transparent Tribe APT, believed to be from Pakistan, targets Indian diplomatic and defense entities using macro-embedded documents to steal credentials. 8. [AsyncRAT Distributed via Weaponized eBooks](https://sip.security.microsoft.com/intel-explorer/articles/e84ee11d): ASEC discovered AsyncRAT malware distributed through weaponized eBooks. Hidden PowerShell scripts within these eBooks trigger the AsyncRAT payload, which uses obfuscation and anti-detection techniques to exfiltrate data. | Ransomware Data Breach Spam Malware Tool Vulnerability Threat Legislation Mobile Industrial Medical | APT 28 APT 36 | ★★ |
|
2024-07-23 20:53:33 | (Déjà vu) UAC-0063 Attaque des institutions de recherche en Ukraine: Hatvibe + Cherryspy + CVE-2024-23692 UAC-0063 attacks research institutions in Ukraine: HATVIBE + CHERRYSPY + CVE-2024-23692 (lien direct) |
#### Targeted Geolocations - Ukraine ## Snapshot The Computer Emergency Response Team of Ukraine (CERT-UA) released reporting on an attack by UAC-0063 against a research institution in Ukraine perpetrated in July 2024. ## Description The attackers accessed an employee\'s email account and sent a compromised email with a macro-embedded document to multiple recipients. When opened, this document created and executed another document and scheduled a task to run the HATVIBE malware. The attackers then used remote control to download a Python interpreter and the CHERRYSPY malware to the victim\'s computer. UAC-0063, linked to the Russian APT28 group, was also detected using a similar attack vector in Armenia. In June 2024, the group exploited a vulnerability in the HFS HTTP File Server ([CVE-2024-23692](https://security.microsoft.com/intel-explorer/cves/CVE-2024-23692/)) to install the HATVIBE backdoor, demonstrating their use of varied initial compromise methods. The attack succeeded due to the institution\'s lack of two-factor authentication, admin privileges for user accounts, and insufficient security policies to block macros and specific executables. ## Additional Analysis Both CHERRYSPY and HATVIBE have previously been used by UAC-0063 to target Ukranian organizations. [In April 2023](https://cert.gov.ua/article/4697016?fbclid=IwAR1B5gj0v-Ve9Q5299ydM5lrInLuKVmvPRosQkUucq6YzcjuTgVnM_x3LjQ), the threat group sent spear-phishing emails to government organizations in Ukraine, likely from the previously compromised email of the Embassy of Tajikistan. ## Recommendations Microsoft recommends the implementation multifactor authentication (MFA) to reduce the impact of this threat and mitigate credential theft from phishing attacks. MFA can be complemented with the following solutions and best practices to protect organizations: - Activate [conditional access](https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview?ocid=magicti_ta_learndoc) policies. Conditional access policies are evaluated and enforced every time an attacker attempts to use a stolen session cookie. Organizations can protect themselves from attacks that leverage stolen credentials by activating policies regarding compliant devices or trusted IP address requirements. - Configure [continuous access evaluation](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation?ocid=magicti_ta_learndoc) in your tenant. - Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. [Microsoft Defender for Office 365](https://learn.microsoft.com/en-us/defender-xdr/microsoft-365-security-center-mdo?ocid=magicti_ta_learndoc) brings together incident and alert management across email, devices, and identities, centralizing investigations for threats in email. Organizations can also leverage web browsers that automatically identify and block malicious websites, including those used in this phishing campaign. To build resilience against phishing attacks in general, organizations can use [anti-phishing policies](https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about?view=o365-worldwide) to enable mailbox intelligence settings, as well as configure impersonation protection settings for specific messages and sender domains. Enabling [SafeLinks](https://learn.microsoft.com/en-us/defender-office-365/safe-links-about?view=o365-worldwide) ensures real-time protection by scanning at time of delivery and at time of click. - Monitor for suspicious or anomalous activities, and search for sign-in attempts with suspicious characteristics (for example location, internet service provider \[ISP\], user agent, and use of anonymizer services). Activity can be identified and investigated with [Microsoft Defender for Identity](https://learn.microsoft.com/en-us/defender-xdr/microsoft-365-security-center-mdi?ocid=magicti_ta_learndoc), which contributes identity-focus | Malware Vulnerability Threat | APT 28 | ★★★ |
|
2024-07-08 14:00:00 | Enhardi et évolutif: un instantané des cyber-menaces auxquelles l'OTAN est confrontée à l'OTAN Emboldened and Evolving: A Snapshot of Cyber Threats Facing NATO (lien direct) |
Written by: John Hultquist
As North Atlantic Treaty Organization (NATO) members and partners gather for a historic summit, it is important to take stock of one of its most pressing challenges-the cyber threat. The Alliance faces a barrage of malicious cyber activity from all over the globe, carried out by emboldened state-sponsored actors, hacktivists, and criminals who are willing to cross lines and carry out activity that was previously considered unlikely or inconceivable. In addition to military targets, NATO must consider the risks that hybrid threats like malicious cyber activity pose to hospitals, civil society, and other targets, which could impact resilience in a contingency. The war in Ukraine is undoubtedly linked to escalating cyber threat activity, but many of these threats will continue to grow separately and in parallel. NATO must contend with covert, aggressive malicious cyber actors that are seeking to gather intelligence, preparing to or currently attacking critical infrastructure, and working to undermine the Alliance with elaborate disinformation schemes. In order to protect its customers and clients, Google is closely tracking cyber threats, including those highlighted in this report; however, this is just a glimpse at a much larger and evolving landscape. Cyber Espionage NATO\'s adversaries have long sought to leverage cyber espionage to develop insight into the political, diplomatic, and military disposition of the Alliance and to steal its defense technologies and economic secrets. However, intelligence on the Alliance in the coming months will be of heightened importance. This year\'s summit is a transition period, with the appointment of Mark Rutte as the new Secretary General and a number of adaptations expected to be rolled out to shore up the Alliance\'s defense posture and its long-term support for Ukraine. Successful cyber espionage from threat actors could potentially undermine the Alliance\'s strategic advantage and inform adversary leadership on how to anticipate and counteract NATO\'s initiatives and investments. NATO is targeted by cyber espionage activity from actors around the world with varying capabilities. Many still rely on technically simple but operationally effective methods, like social engineering. Others have evolved and elevated their tradecraft to levels that distinguish themselves as formidable adversaries for even the most experienced defenders. APT29 (ICECAP) Publicly attributed to the Russian Foreign Intelligence Services (SVR) by several governments, APT29 is heavily focused on diplomatic and political intelligence collection, principally targeting Europe and NATO member states. APT29 has been involved in multiple high-profile breaches of technology firms that were designed to provide access to the public sector. In the past year, Mandiant has observed APT29 targeting technology companies and IT service providers in NATO member countries to facilitate third-party and software supply chain compromises of government and poli |
Ransomware Malware Tool Vulnerability Threat Legislation Medical Cloud Technical | APT 29 APT 28 | ★★★ |
|
2024-06-12 14:00:00 | Aperçu sur les cyber-menaces ciblant les utilisateurs et les entreprises au Brésil Insights on Cyber Threats Targeting Users and Enterprises in Brazil (lien direct) |
Written by: Kristen Dennesen, Luke McNamara, Dmitrij Lenz, Adam Weidemann, Aline Bueno
Individuals and organizations in Brazil face a unique cyber threat landscape because it is a complex interplay of global and local threats, posing significant risks to individuals, organizations, and critical sectors of Brazilian society. Many of the cyber espionage threat actors that are prolific in campaigns across the globe are also active in carrying out attempted intrusions into critical sectors of Brazilian society. Brazil also faces threats posed by the worldwide increase in multifaceted extortion, as ransomware and data theft continue to rise. At the same time, the threat landscape in Brazil is shaped by a domestic cybercriminal market, where threat actors coordinate to carry out account takeovers, conduct carding and fraud, deploy banking malware and facilitate other cyber threats targeting Brazilians. The rise of the Global South, with Brazil at the forefront, marks a significant shift in the geopolitical landscape; one that extends into the cyber realm. As Brazil\'s influence grows, so does its digital footprint, making it an increasingly attractive target for cyber threats originating from both global and domestic actors. This blog post brings together Google\'s collective understanding of the Brazilian threat landscape, combining insights from Google\'s Threat Analysis Group (TAG) and Mandiant\'s frontline intelligence. As Brazil\'s economic and geopolitical role in global affairs continues to rise, threat actors from an array of motivations will further seek opportunities to exploit the digital infrastructure that Brazilians rely upon across all aspects of society. By sharing our global perspective, we hope to enable greater resiliency in mitigating these threats. Google uses the results of our research to improve the safety and security of our products, making them secure by default. Chrome OS has built-in and proactive security to protect from ransomware, and there have been no reported ransomware attacks ever on any business, education, or consumer Chrome OS device. Google security teams continuously monitor for new threat activity, and all identified websites and domains are added to Safe Browsing to protect users from further exploitation. We deploy and constantly update Android detections to protect users\' devices and prevent malicious actors from publishing malware to the Google Play Store. We send targeted Gmail and Workspace users government-backed attacker alerts, notifying them of the activity and encouraging potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated. Cyber Espionage Operations Targeting Brazil Brazil\'s status as a globally influential power and the largest economy in South America have drawn attention from c |
Ransomware Spam Malware Tool Vulnerability Threat Mobile Medical Cloud Technical | APT 28 | ★★ |
|
2024-05-31 15:40:00 | Les pirates russes ciblent l'Europe avec des logiciels malveillants de tête et la récolte d'identification Russian Hackers Target Europe with HeadLace Malware and Credential Harvesting (lien direct) |
L'acteur de menace russe soutenu par GRU APT28 a été attribué comme derrière une série de campagnes ciblant les réseaux à travers l'Europe avec les logiciels malveillants de tête et les pages Web de récolte des informations d'identification.
APT28, également connu sous les noms Bledelta, Fancy Bear, Forest Blizzard, Frozenlake, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy et TA422, est un groupe avancé de menace persistante (APT) affiliée à
The Russian GRU-backed threat actor APT28 has been attributed as behind a series of campaigns targeting networks across Europe with the HeadLace malware and credential-harvesting web pages. APT28, also known by the names BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is an advanced persistent threat (APT) group affiliated with |
Malware Threat | APT 28 | ★★★ |
|
2024-05-09 20:50:00 | APT28 soutenu par le Kremlin cible les institutions polonaises dans une campagne de logiciels malveillants à grande échelle Kremlin-Backed APT28 Targets Polish Institutions in Large-Scale Malware Campaign (lien direct) |
Les institutions gouvernementales polonaises ont été ciblées dans le cadre d'une campagne de logiciels malveillants à grande échelle orchestrée par un acteur de l'État-nation lié à la Russie appelée & NBSP; APT28.
"La campagne a envoyé des e-mails avec du contenu destiné à susciter l'intérêt du destinataire et à le persuader de cliquer sur le lien", l'équipe d'intervention d'urgence de l'ordinateur, le cert Polska, & nbsp; a dit & nbsp; dans un bulletin du mercredi.
Cliquez sur le lien
Polish government institutions have been targeted as part of a large-scale malware campaign orchestrated by a Russia-linked nation-state actor called APT28. "The campaign sent emails with content intended to arouse the recipient\'s interest and persuade him to click on the link," the computer emergency response team, CERT Polska, said in a Wednesday bulletin. Clicking on the link |
Malware | APT 28 | ★★★ |
|
2024-04-25 10:00:00 | Pole Voûte: cyber-menaces aux élections mondiales Poll Vaulting: Cyber Threats to Global Elections (lien direct) |
Written by: Kelli Vanderlee, Jamie Collier
Executive Summary The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts. When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure. Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google\'s Advanced Protection Program to protect high-risk accounts. Introduction The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture. The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence. |
Ransomware Malware Hack Tool Vulnerability Threat Legislation Cloud Technical | APT 40 APT 29 APT 28 APT 43 APT 31 APT 42 | ★★★ |
 |
2024-04-23 22:47:49 | Les pirates de la Russie ont exploité Windows Flaw pour déployer & # 8216; GooseEgg & # 8217;Malware Russia’s APT28 Hackers Exploited Windows Flaw To Deploy ‘GooseEgg’ Malware (lien direct) |
Microsoft a récemment révélé que le groupe de menaces russes & # 8220; APT28 & # 8243;utilisé un outil de piratage précédemment inconnu, «GooseEgg & # 8221;Pour exploiter la vulnérabilité Windows Print Spooler pour obtenir un accès élevé aux systèmes cibles et voler des informations d'identification et des informations. Selon l'équipe de renseignement des menaces de Redmond, APT28, également appelée Fancy Bear and Forest Blizzard (anciennement Strontium), utilise l'outil post-compromis depuis au moins juin 2020 et peut-être dès avril 2019Pour exploiter le CVE-2022-38028 (score CVSS: 7.8) Vulnérabilité dans Windows Print Spooler Service. Cet outil modifie un fichier de contraintes JavaScript et l'exécute avec des autorisations au niveau du système. Bien que la société ait abordé la vulnérabilité, CVE-2022-38028, rapportée par la U.S.Mate Security Agency (NSA) dans le cadre de Microsoft & # 8217; s octobre 2022 Patch Mardi Security Mises à jour, elle n'a fait aucune mention du défaut dans son avis . Microsoft a observé APT28 en utilisant GooseEgg dans le cadre des activités post-compromis contre diverses cibles, y compris les organisations gouvernementales, non gouvernementales, de l'éducation et des transports en Ukraine, en Europe occidentale et en Amérique du Nord. Bien que Gooseegg soit une application de lanceur simple, il peut engendrer d'autres applications sur la ligne de commande avec des autorisations élevées. Cela permet aux acteurs de menace de prendre en charge les activités malveillantes telles que l'exécution du code distant, l'installation d'une porte dérobée et le déplacement latéralement à travers des réseaux compromis. Les gouvernements américains et britanniques ont lié Forest Blizzard à l'unité 26165 de la Fédération de Russie \'s Military Intelligence Agency, la principale Direction du renseignement de l'état-major général des Forces armées de la Fédération de Russie (GRU). «Microsoft a observé qu'après avoir obtenu l'accès à un appareil cible, Forest Blizzard utilise GooseEgg pour élever les privilèges dans l'environnement.GooseEgg est généralement déployé avec un script de lot, que nous avons observé en utilisant le nom execute.bat et doit.bat .Ce script de lot écrit le fichier servtask.bat, qui contient des commandes pour enregistrer / compresser les ruches de registre.Le script de lot invoque l'exécutable de GooseEgg apparié et configure la persistance en tant que tâche planifiée conçue pour exécuter servtask.bat », lit le Advisory publié par Microsoft lundi. Les chercheurs de Microsoft ont noté qu'un fichier DLL malveillant intégré généralement, qui comprend l'expression « wayzgoose»; par exemple, wayzgoose23.dll , est une application de lanceur utilisée par la menaceLes acteurs doivent lancer d'autres charges utiles avec des autorisations au niveau du système et installer une porte dérobée, se déplacer latéralement dans le réseau de la victime et exécuter à distance le code sur les systèmes violés. Comme mentionné précédemment, la société a corrigé le défaut de sécurité des spouleurs imprimés en 2022. Il a également corrigé les vulnérabilités imprimées précédemment exploitées en 2021. «Les clients qui n'ont pas encore mis en œuvre ces correctifs sont invités à le faire dès que possible pour la sécurité de leur organisation», a déclaré Microsoft dans son avis. De plus, la société recommande également de dé | Malware Tool Vulnerability Threat | APT 28 | ★★★ |
 |
2024-04-23 12:50:57 | Les cyberespaces russes livrent \\ 'gooseegg \\' malware aux organisations gouvernementales Russian Cyberspies Deliver \\'GooseEgg\\' Malware to Government Organizations (lien direct) |
APT28, lié à la Russie, déploie l'outil post-exploitation d'OeEEGG contre de nombreuses organisations américaines et européennes.
Russia-linked APT28 deploys the GooseEgg post-exploitation tool against numerous US and European organizations. |
Malware Tool | APT 28 | ★★★ |
|
2024-04-23 09:53:00 | La Russie \\'s APT28 exploite Windows Print Spooler Flaw to déploier \\ 'gooseegg \\' malware Russia\\'s APT28 Exploited Windows Print Spooler Flaw to Deploy \\'GooseEgg\\' Malware (lien direct) |
L'acteur de menace nationale lié à la Russie a suivi comme & nbsp; apt28 & nbsp; a armé un défaut de sécurité dans le composant de spouleur d'impression Microsoft Windows pour fournir un logiciel malveillant personnalisé auparavant inconnu appelé Gooseegg.
L'outil post-compromise, & nbsp; qui est & nbsp;
The Russia-linked nation-state threat actor tracked as APT28 weaponized a security flaw in the Microsoft Windows Print Spooler component to deliver a previously unknown custom malware called GooseEgg. The post-compromise tool, which is said to have been used since at least June 2020 and possibly as early as April 2019, leveraged a now-patched flaw that allowed for |
Malware Tool Threat | APT 28 | ★★★ |
 |
2024-04-23 01:15:11 | Old Windows Print Spooler Bug est la dernière cible du gang d'ours sophistiqué de la Russie Old Windows print spooler bug is latest target of Russia\\'s Fancy Bear gang (lien direct) |
Les copains de Poutine \\ utilisent \\ 'gooseegg \' malware pour lancer des attaques que vous pouvez vaincre avec des correctifs ou une suppression Les espions russes exploitent une vulnérabilité de spooler d'impression Windows vieille et utilisent unUn outil personnalisé appelé GooseEgg pour élever les privilèges et voler des informations d'identification sur des réseaux compromis, selon Microsoft Threat Intelligence.…
Putin\'s pals use \'GooseEgg\' malware to launch attacks you can defeat with patches or deletion Russian spies are exploiting a years-old Windows print spooler vulnerability and using a custom tool called GooseEgg to elevate privileges and steal credentials across compromised networks, according to Microsoft Threat Intelligence.… |
Malware Tool Vulnerability Threat | APT 28 | ★★★ |
|
2024-03-05 19:03:47 | Rester en avance sur les acteurs de la menace à l'ère de l'IA Staying ahead of threat actors in the age of AI (lien direct) |
## Snapshot Over the last year, the speed, scale, and sophistication of attacks has increased alongside the rapid development and adoption of AI. Defenders are only beginning to recognize and apply the power of generative AI to shift the cybersecurity balance in their favor and keep ahead of adversaries. At the same time, it is also important for us to understand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today we are publishing research on emerging threats in the age of AI, focusing on identified activity associated with known threat actors, including prompt-injections, attempted misuse of large language models (LLM), and fraud. Our analysis of the current use of LLM technology by threat actors revealed behaviors consistent with attackers using AI as another productivity tool on the offensive landscape. You can read OpenAI\'s blog on the research [here](https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors). Microsoft and OpenAI have not yet observed particularly novel or unique AI-enabled attack or abuse techniques resulting from threat actors\' usage of AI. However, Microsoft and our partners continue to study this landscape closely. The objective of Microsoft\'s partnership with OpenAI, including the release of this research, is to ensure the safe and responsible use of AI technologies like ChatGPT, upholding the highest standards of ethical application to protect the community from potential misuse. As part of this commitment, we have taken measures to disrupt assets and accounts associated with threat actors, improve the protection of OpenAI LLM technology and users from attack or abuse, and shape the guardrails and safety mechanisms around our models. In addition, we are also deeply committed to using generative AI to disrupt threat actors and leverage the power of new tools, including [Microsoft Copilot for Security](https://www.microsoft.com/security/business/ai-machine-learning/microsoft-security-copilot), to elevate defenders everywhere. ## Activity Overview ### **A principled approach to detecting and blocking threat actors** The progress of technology creates a demand for strong cybersecurity and safety measures. For example, the White House\'s Executive Order on AI requires rigorous safety testing and government supervision for AI systems that have major impacts on national and economic security or public health and safety. Our actions enhancing the safeguards of our AI models and partnering with our ecosystem on the safe creation, implementation, and use of these models align with the Executive Order\'s request for comprehensive AI safety and security standards. In line with Microsoft\'s leadership across AI and cybersecurity, today we are announcing principles shaping Microsoft\'s policy and actions mitigating the risks associated with the use of our AI tools and APIs by nation-state advanced persistent threats (APTs), advanced persistent manipulators (APMs), and cybercriminal syndicates we track. These principles include: - **Identification and action against malicious threat actors\' use:** Upon detection of the use of any Microsoft AI application programming interfaces (APIs), services, or systems by an identified malicious threat actor, including nation-state APT or APM, or the cybercrime syndicates we track, Microsoft will take appropriate action to disrupt their activities, such as disabling the accounts used, terminating services, or limiting access to resources. - **Notification to other AI service providers:** When we detect a threat actor\'s use of another service provider\'s AI, AI APIs, services, and/or systems, Microsoft will promptly notify the service provider and share relevant data. This enables the service provider to independently verify our findings and take action in accordance with their own policies. - **Collaboration with other stakeholders:** Microsoft will collaborate with other stakeholders to regularly exchange information a | Ransomware Malware Tool Vulnerability Threat Studies Medical Technical | APT 28 ChatGPT APT 4 | ★★ |
|
2024-02-15 20:29:21 | Le DOJ brise le botnet militaire russe dans le démontage de l'ours fantaisie DoJ Breaks Russian Military Botnet in Fancy Bear Takedown (lien direct) |
Les fédéraux ont perturbé un botnet de routeur Soho Route de renseignement russe notable pour avoir été construit avec des logiciels malveillants Moobot plutôt que du code personnalisé.
The feds disrupted a Russian intelligence SOHO router botnet notable for being built with Moobot malware rather than custom code. |
Malware | APT 28 | ★★ |
|
2024-01-03 19:16:54 | APT28: de l'attaque initiale à la création de menaces à un contrôleur de domaine en une heure APT28: From Initial Attack to Creating Threats to a Domain Controller in an Hour (lien direct) |
#### Description
Entre le 15 et 25 décembre, 2023, une série de cyberattaques a été identifiée impliquant la distribution des e-mails contenant des liens vers des «documents» présumés parmi les organisations gouvernementales.
Cliquer sur ces liens a entraîné une infection des logiciels malveillants.L'enquête a révélé que les liens ont redirigé les victimes vers un site Web où un téléchargement basé sur JavaScript a lancé un fichier de raccourci.L'ouverture de ce fichier a déclenché une commande PowerShell pour télécharger et exécuter un document de leurre, un interprète Python et un fichier Masepie classifié nommé client.py.Par la suite, divers outils, notamment OpenSSH, Steelhook PowerShell Scripts et la porte dérobée OceanMap ont été téléchargés, avec des outils supplémentaires comme Impacket et SMBEXEC créés pour la reconnaissance du réseau et le mouvement latéral.Les tactiques globales, les techniques et les outils utilisés ont indiqué le groupe APT28.Notamment, la stratégie d'attaque a indiqué un plan plus large pour compromettre l'ensemble du système d'information et de communication de l'organisation, mettant l'accent sur la menace potentielle pour l'ensemble du réseau.Des attaques similaires ont également été signalées contre des organisations polonaises.
#### URL de référence (s)
1. https://cert.gov.ua/article/6276894
#### Date de publication
3 janvier 2024
#### Auteurs)
Certificat
#### Description Between December 15-25, 2023, a series of cyberattacks were identified involving the distribution of emails containing links to purported "documents" among government organizations. Clicking on these links resulted in malware infecting computers. Investigation revealed that the links redirected victims to a website where a JavaScript-based download initiated a shortcut file. Opening this file triggered a PowerShell command to download and execute a decoy document, a Python interpreter, and a classified MASEPIE file named Client.py. Subsequently, various tools including OPENSSH, STEELHOOK PowerShell scripts, and the OCEANMAP backdoor were downloaded, with additional tools like IMPACKET and SMBEXEC created for network reconnaissance and lateral movement. The overall tactics, techniques, and tools used pointed to the APT28 group. Notably, the attack strategy indicated a broader plan to compromise the entire organization\'s information and communication system, emphasizing the potential threat to the entire network. Similar attacks were also reported against Polish organizations. #### Reference URL(s) 1. https://cert.gov.ua/article/6276894 #### Publication Date January 3, 2024 #### Author(s) CERT-UA |
Malware Tool Threat | APT 28 | ★★★★ |
 |
2023-12-29 13:18:00 | Nouveau malware trouvé dans l'analyse des hacks russes sur l'Ukraine, en Pologne New malware found in analysis of Russian hacks on Ukraine, Poland (lien direct) |
Les chercheurs ont découvert une nouvelle opération de cyber contre des organisations ukrainiennes et polonaises, l'attribuant au groupe de pirates russes contrôlé par l'État connu sous le nom de Fancy Bear.Lors des attaques de décembre, des pirates russes ont envoyé des courriels de phishing à leurs victimes avec des pièces jointes malveillantes.Une fois ouverts, ces pièces jointes infectées par les appareils ciblés par le nouveau malware Masepie, selon [un
Researchers have discovered a new cyber operation against Ukrainian and Polish organizations, attributing it to the Russian state-controlled hacker group known as Fancy Bear. During the attacks in December, Russian hackers sent phishing emails to their victims with malicious attachments. Once opened, these attachments infected targeted devices with the novel Masepie malware, according to [a |
Malware | APT 28 | ★★★ |
|
2023-12-05 05:00:40 | TA422 \\ Soule d'exploitation dédiée - la même semaine après semaine TA422\\'s Dedicated Exploitation Loop-the Same Week After Week (lien direct) |
Key takeaways Since March 2023, Proofpoint researchers have observed regular TA422 (APT28) phishing activity, in which the threat actor leveraged patched vulnerabilities to send, at times, high-volume campaigns to targets in Europe and North America. TA422 used the vulnerabilities as initial access against government, aerospace, education, finance, manufacturing, and technology sector targets likely to either disclose user credentials or initiate follow-on activity. The vulnerabilities included CVE-2023-23397-a Microsoft Outlook elevation of privilege flaw that allows a threat actor to exploit TNEF files and initiate NTLM negotiation, obtaining a hash of a target\'s NTLM password-and CVE-2023-38831-a WinRAR remote code execution flaw that allows execution of “arbitrary code when a user attempts to view a benign file within a ZIP archive,” according to the NIST disclosure. Overview Starting in March 2023, Proofpoint researchers have observed the Russian advanced persistent threat (APT) TA422 readily use patched vulnerabilities to target a variety of organizations in Europe and North America. TA422 overlaps with the aliases APT28, Forest Blizzard, Pawn Storm, Fancy Bear, and BlueDelta, and is attributed by the United States Intelligence Community to the Russian General Staff Main Intelligence Directorate (GRU). While TA422 conducted traditional targeted activity during this period, leveraging Mockbin and InfinityFree for URL redirection, Proofpoint observed a significant deviation from expected volumes of emails sent in campaigns exploiting CVE-2023-23397-a Microsoft Outlook elevation of privilege vulnerability. This included over 10,000 emails sent from the adversary, from a single email provider, to defense, aerospace, technology, government, and manufacturing entities, and, occasionally, included smaller volumes at higher education, construction, and consulting entities. Proofpoint researchers also identified TA422 campaigns leveraging a WinRAR remote execution vulnerability, CVE-2023-38831. Bar chart showing the breakdown of TA422 phishing activity from March 2023 to November 2023. Please attend: CVE-2023-23397-test meeting In late March 2023, TA422 started to launch high volume campaigns exploiting CVE-2023-23397 targeting higher education, government, manufacturing, and aerospace technology entities in Europe and North America. TA422 previously used an exploit for CVE-2023-23397 to target Ukrainian entities as early as April 2022, according to open-source reporting by CERT-EU. In the Proofpoint-identified campaigns, our researchers initially observed small numbers of emails attempting to exploit this vulnerability. The first surge in activity caught our attention partly due to all the emails pointing to the same listener server, but mostly due to the volume. This campaign was very large compared to typical state-aligned espionage campaign activity Proofpoint tracks. Proofpoint observed over 10,000 repeated attempts to exploit the Microsoft Outlook vulnerability, targeting the same accounts daily during the late summer of 2023. It is unclear if this was operator error or an informed effort to collect target credentials. TA422 re-targeted many of the higher education and manufacturing users previously targeted in March 2023. It is unclear why TA422 re-targeted these entities with the same exploit. Based upon the available campaign data, Proofpoint suspects that these entities are priority targets and as a result, the threat actor attempted broad, lower effort campaigns regularly to try and gain access. Like the high-volume TA422 campaign Proofpoint researchers identified in March 2023, the late summer 2023 messages contained an appointment attachment, using the Transport Neutral Encapsulation Format (TNEF) file. The TNEF file used a fake file extension to masquerade as a CSV, Excel file, or Word document, and contained an UNC path directing traffic to an SMB listener being hosted on a likely compromised Ubiquiti router. TA422 has previously used compromised routers to host the gr | Malware Vulnerability Threat | APT 28 | ★★★ |
 |
2023-06-27 13:00:00 | Cyberheistnews Vol 13 # 26 [Eyes Open] La FTC révèle les cinq dernières escroqueries par SMS CyberheistNews Vol 13 #26 [Eyes Open] The FTC Reveals the Latest Top Five Text Message Scams (lien direct) |
CyberheistNews Vol 13 #26 | June 27th, 2023
[Eyes Open] The FTC Reveals the Latest Top Five Text Message Scams
The U.S. Federal Trade Commission (FTC) has published a data spotlight outlining the most common text message scams. Phony bank fraud prevention alerts were the most common type of text scam last year. "Reports about texts impersonating banks are up nearly tenfold since 2019 with median reported individual losses of $3,000 last year," the report says.
These are the top five text scams reported by the FTC:
Copycat bank fraud prevention alerts
Bogus "gifts" that can cost you
Fake package delivery problems
Phony job offers
Not-really-from-Amazon security alerts
"People get a text supposedly from a bank asking them to call a number ASAP about suspicious activity or to reply YES or NO to verify whether a transaction was authorized. If they reply, they\'ll get a call from a phony \'fraud department\' claiming they want to \'help get your money back.\' What they really want to do is make unauthorized transfers.
"What\'s more, they may ask for personal information like Social Security numbers, setting people up for possible identity theft."
Fake gift card offers took second place, followed by phony package delivery problems. "Scammers understand how our shopping habits have changed and have updated their sleazy tactics accordingly," the FTC says. "People may get a text pretending to be from the U.S. Postal Service, FedEx, or UPS claiming there\'s a problem with a delivery.
"The text links to a convincing-looking – but utterly bogus – website that asks for a credit card number to cover a small \'redelivery fee.\'"
Scammers also target job seekers with bogus job offers in an attempt to steal their money and personal information. "With workplaces in transition, some scammers are using texts to perpetrate old-school forms of fraud – for example, fake \'mystery shopper\' jobs or bogus money-making offers for driving around with cars wrapped in ads," the report says.
"Other texts target people who post their resumes on employment websites. They claim to offer jobs and even send job seekers checks, usually with instructions to send some of the money to a different address for materials, training, or the like. By the time the check bounces, the person\'s money – and the phony \'employer\' – are long gone."
Finally, scammers impersonate Amazon and send fake security alerts to trick victims into sending money. "People may get what looks like a message from \'Amazon,\' asking to verify a big-ticket order they didn\'t place," the FTC says. "Concerned |
Ransomware Spam Malware Hack Tool Threat | FedEx APT 28 APT 15 ChatGPT ChatGPT | ★★ |
|
2023-05-09 13:00:00 | Cyberheistnews Vol 13 # 19 [Watch Your Back] Nouvelle fausse erreur de mise à jour Chrome Attaque cible vos utilisateurs CyberheistNews Vol 13 #19 [Watch Your Back] New Fake Chrome Update Error Attack Targets Your Users (lien direct) |
CyberheistNews Vol 13 #19 | May 9th, 2023
[Watch Your Back] New Fake Chrome Update Error Attack Targets Your Users
Compromised websites (legitimate sites that have been successfully compromised to support social engineering) are serving visitors fake Google Chrome update error messages.
"Google Chrome users who use the browser regularly should be wary of a new attack campaign that distributes malware by posing as a Google Chrome update error message," Trend Micro warns. "The attack campaign has been operational since February 2023 and has a large impact area."
The message displayed reads, "UPDATE EXCEPTION. An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the next automatic update." A link is provided at the bottom of the bogus error message that takes the user to what\'s misrepresented as a link that will support a Chrome manual update. In fact the link will download a ZIP file that contains an EXE file. The payload is a cryptojacking Monero miner.
A cryptojacker is bad enough since it will drain power and degrade device performance. This one also carries the potential for compromising sensitive information, particularly credentials, and serving as staging for further attacks.
This campaign may be more effective for its routine, innocent look. There are no spectacular threats, no promises of instant wealth, just a notice about a failed update. Users can become desensitized to the potential risks bogus messages concerning IT issues carry with them.
Informed users are the last line of defense against attacks like these. New school security awareness training can help any organization sustain that line of defense and create a strong security culture.
Blog post with links:https://blog.knowbe4.com/fake-chrome-update-error-messages
A Master Class on IT Security: Roger A. Grimes Teaches You Phishing Mitigation
Phishing attacks have come a long way from the spray-and-pray emails of just a few decades ago. Now they\'re more targeted, more cunning and more dangerous. And this enormous security gap leaves you open to business email compromise, session hijacking, ransomware and more.
Join Roger A. Grimes, KnowBe4\'s Data-Driven Defense Evangelist, |
Ransomware Data Breach Spam Malware Tool Threat Prediction | NotPetya NotPetya APT 28 ChatGPT ChatGPT | ★★ |
|
2023-05-02 06:37:07 | L'APT28 de la Russie cible le gouvernement ukrain Russia\\'s APT28 targets Ukraine government with bogus Windows updates (lien direct) |
e-mails désagréables conçus pour infecter les systèmes avec des logiciels malveillants de vol d'informations Le groupe de menaces soutenu par le Kremlin, APT28, inonde les agences gouvernementales ukrainiennes avec des e-mails sur les mises à jour de Bogus Windows dans l'espoir de supprimer des logiciels malveillants qui exfiltront le systèmedonnées.…
Nasty emails designed to infect systems with info-stealing malware The Kremlin-backed threat group APT28 is flooding Ukrainian government agencies with email messages about bogus Windows updates in the hope of dropping malware that will exfiltrate system data.… |
Malware Threat | APT 28 APT 28 | ★★ |
 |
2023-04-28 16:36:57 | L'acteur de menace APT28 cible les routeurs Cisco avec une vieille vulnérabilité Threat actor APT28 targets Cisco routers with an old vulnerability (lien direct) |
> Les États-Unis, l'Europe et l'Ukraine seraient des cibles dans cette menace malveillante.Apprenez à protéger les routeurs Cisco affectés.
>The U.S., Europe and Ukraine are reportedly targets in this malware threat. Learn how to protect affected Cisco routers. |
Malware Vulnerability Threat | APT 28 APT 28 | ★★ |
|
2023-04-25 13:00:00 | Cyberheistnews Vol 13 # 17 [Head Start] Méthodes efficaces Comment enseigner l'ingénierie sociale à une IA CyberheistNews Vol 13 #17 [Head Start] Effective Methods How To Teach Social Engineering to an AI (lien direct) |
CyberheistNews Vol 13 #16 | April 18th, 2023
[Finger on the Pulse]: How Phishers Leverage Recent AI Buzz
Curiosity leads people to suspend their better judgment as a new campaign of credential theft exploits a person\'s excitement about the newest AI systems not yet available to the general public. On Tuesday morning, April 11th, Veriti explained that several unknown actors are making false Facebook ads which advertise a free download of AIs like ChatGPT and Google Bard.
Veriti writes "These posts are designed to appear legitimate, using the buzz around OpenAI language models to trick unsuspecting users into downloading the files. However, once the user downloads and extracts the file, the Redline Stealer (aka RedStealer) malware is activated and is capable of stealing passwords and downloading further malware onto the user\'s device."
Veriti describes the capabilities of the Redline Stealer malware which, once downloaded, can take sensitive information like credit card numbers, passwords, and personal information like user location, and hardware. Veriti added "The malware can upload and download files, execute commands, and send back data about the infected computer at regular intervals."
Experts recommend using official Google or OpenAI websites to learn when their products will be available and only downloading files from reputable sources. With the rising use of Google and Facebook ads as attack vectors experts also suggest refraining from clicking on suspicious advertisements promising early access to any product on the Internet.
Employees can be helped to develop sound security habits like these by stepping them through monthly social engineering simulations.
Blog post with links:https://blog.knowbe4.com/ai-hype-used-for-phishbait
[New PhishER Feature] Immediately Add User-Reported Email Threats to Your M365 Blocklist
Now there\'s a super easy way to keep malicious emails away from all your users through the power of the KnowBe4 PhishER platform!
The new PhishER Blocklist feature lets you use reported messages to prevent future malicious email with the same sender, URL or attachment from reaching other users. Now you can create a unique list of blocklist entries and dramatically improve your Microsoft 365 email filters with |
Spam Malware Hack Threat | APT 28 ChatGPT ChatGPT | ★★★ |
 |
2023-04-20 11:23:59 | APT28 exploite la vulnérabilité Cisco au déploiement de logiciels malveillants dans la campagne d'espionnage APT28 Exploits Cisco Vulnerability to Deploy Malware in Espionage Campaign (lien direct) |
> Les acteurs de l'État-nation russe utilisent une vulnérabilité de code à distance correcée dans les appareils de réseau Cisco pour mener ...
>Russian nation-state actors are using a patched remote code execution vulnerability in Cisco network appliances to conduct... |
Malware Vulnerability | APT 28 | ★★ |
|
2023-04-19 21:40:00 | Russian Fancy Bear APT a exploité les routeurs de Cisco non corrigés pour nous pirater, UE Gov \\ 't agences Russian Fancy Bear APT Exploited Unpatched Cisco Routers to Hack US, EU Gov\\'t Agencies (lien direct) |
Le groupe de menaces de scène nationale a déployé des logiciels malveillants personnalisés sur les versions archaïques du système d'exploitation du routeur de Cisco \\.Les experts préviennent que de telles attaques ciblant les infrastructures du réseau sont en augmentation.
The nation-stage threat group deployed custom malware on archaic versions of Cisco\'s router operating system. Experts warn that such attacks targeting network infrastructure are on the rise. |
Malware Hack Threat | APT 28 | ★★ |
 |
2023-04-18 17:42:45 | US, Royaume-Uni avertissant des pirates de gouvernement utilisant des logiciels malveillants personnalisés sur les routeurs Cisco US, UK warn of govt hackers using custom malware on Cisco routers (lien direct) |
Les États-Unis, le Royaume-Uni et Cisco avertissent les pirates de pirates APT28 parrainés par l'État russe déploiement d'un logiciel malveillant personnalisé nommé \\ 'Jaguar Tooth \' sur les routeurs Cisco IOS, permettant un accès non authentifié à l'appareil.[...]
The US, UK, and Cisco are warning of Russian state-sponsored APT28 hackers deploying a custom malware named \'Jaguar Tooth\' on Cisco IOS routers, allowing unauthenticated access to the device. [...] |
Malware | APT 28 | ★★ |
|
2023-04-18 13:00:00 | Cyberheistnews Vol 13 # 16 [doigt sur le pouls]: comment les phishers tirent parti de l'IA récent Buzz CyberheistNews Vol 13 #16 [Finger on the Pulse]: How Phishers Leverage Recent AI Buzz (lien direct) |
CyberheistNews Vol 13 #16 | April 18th, 2023
[Finger on the Pulse]: How Phishers Leverage Recent AI Buzz
Curiosity leads people to suspend their better judgment as a new campaign of credential theft exploits a person\'s excitement about the newest AI systems not yet available to the general public. On Tuesday morning, April 11th, Veriti explained that several unknown actors are making false Facebook ads which advertise a free download of AIs like ChatGPT and Google Bard.
Veriti writes "These posts are designed to appear legitimate, using the buzz around OpenAI language models to trick unsuspecting users into downloading the files. However, once the user downloads and extracts the file, the Redline Stealer (aka RedStealer) malware is activated and is capable of stealing passwords and downloading further malware onto the user\'s device."
Veriti describes the capabilities of the Redline Stealer malware which, once downloaded, can take sensitive information like credit card numbers, passwords, and personal information like user location, and hardware. Veriti added "The malware can upload and download files, execute commands, and send back data about the infected computer at regular intervals."
Experts recommend using official Google or OpenAI websites to learn when their products will be available and only downloading files from reputable sources. With the rising use of Google and Facebook ads as attack vectors experts also suggest refraining from clicking on suspicious advertisements promising early access to any product on the Internet.
Employees can be helped to develop sound security habits like these by stepping them through monthly social engineering simulations.
Blog post with links:https://blog.knowbe4.com/ai-hype-used-for-phishbait
[New PhishER Feature] Immediately Add User-Reported Email Threats to Your M365 Blocklist
Now there\'s a super easy way to keep malicious emails away from all your users through the power of the KnowBe4 PhishER platform!
The new PhishER Blocklist feature lets you use reported messages to prevent future malicious email with the same sender, URL or attachment from reaching other users. Now you can create a unique list of blocklist entries and dramatically improve your Microsoft 365 email filters without ever leav |
Spam Malware Hack Threat | APT 28 ChatGPT ChatGPT | ★★★ |
 |
2022-09-28 21:15:00 | APT28 attack uses old PowerPoint trick to download malware (lien direct) | >Categories: NewsTags: APT28 Tags: Fancy Bear Tags: PowerPoint Tags: PowerShell Tags: One Drive Tags: SyncAppvPublishingServer The Russian APT known as Fancy Bear was caught using an old mouseover technique that doesn't need macros (Read more...) | Malware | APT 28 | |
|
2022-09-28 15:39:00 | Hackers Using PowerPoint Mouseover Trick to Infect System with Malware (lien direct) | The Russian state-sponsored threat actor known as APT28 has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware. The technique "is designed to be triggered when the user starts the presentation mode and moves the mouse," cybersecurity firm Cluster25 said in a technical report. "The code execution runs a | Malware Threat | APT 28 | ★★★ |
 |
2022-09-28 13:47:10 | APT28 relies on PowerPoint Mouseover to deliver Graphite malware (lien direct) | >The Russia-linked APT28 group is using mouse movement in decoy Microsoft PowerPoint documents to distribute malware. The Russia-linked APT28 employed a technique relying on mouse movement in decoy Microsoft PowerPoint documents to deploy malware, researchers from Cluster25 reported. Cluster25 researchers were analyzing a lure PowerPoint document used to deliver a variant of Graphite malware, which is known to be used […] | Malware | APT 28 | |
 |
2022-08-06 10:46:21 | CISO workshop slides (lien direct) | A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142): | Malware Vulnerability Threat Patching Guideline Medical Cloud | Uber APT 38 APT 37 APT 28 APT 19 APT 15 APT 10 APT 34 Guam | |
 |
2022-08-02 15:17:00 | Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyber mercenaries, Phishing, Rootkits, Spyware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”
(published: July 28, 2022)
Volexity researchers discovered SharpExt, a new malicious browser app used by the North-Korea sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the app, the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter almost exclusively used in South Korea. Following the initial compromise, Velvet Chollima deploy SharpExt and to avoid warning the victim they manually exfiltrate settings files to change the settings and generate a valid "super_mac" security check value. They also hide the newly opened DevTools window and any other warning windows such as a warning regarding extensions running in developer mode.
Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it was concentrating on stealing credentials instead of emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match).
MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Hide Artifacts - T1564
Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension
Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits
(published: July 27, 2022)
Microsoft researchers detail activity of DSIRF, Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF was exploiting another Adobe Reader vulnerability, CVE-2022-22047, which was patched in July 2022. DSIRF attacks rely on their malware toolset called Subzero. The initial downloader shellcode is executed from either the exploit chains or malicious Excel documents. It downloads a JPG image file with extra encrypted data, extracts, decrypts and loads to the memory the Corelump memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se |
Malware Tool Vulnerability Threat Patching Guideline Cloud | APT 37 APT 28 | |
|
2022-06-28 19:11:00 | Anomali Cyber Watch: API Hammering Confuses Sandboxes, Pirate Panda Wrote in Nim, Magecart Obfuscates Variable Names, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: API hammering, APT, China, Phishing, Ransomware, Russia, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Lockbit Ransomware Disguised as Copyright Claim E-mail Being Distributed
(published: June 24, 2022)
ASEC researchers have released their analysis of a recent phishing campaign, active since February 2022. The campaign aims to infect users with Lockbit ransomware, using the pretense of a copyright claim as the phishing lure. The phishing email directs the recipient to open the attached zip file which contains a pdf of the infringed material. In reality, the pdf is a disguised NSIS executable which downloads and installs Lockbit. The ransomware is installed onto the desktop for persistence through desktop change or reboot. Prior to data encryption, Lockbit will delete the volume shadow copy to prevent data recovery, in addition to terminating a variety of services and processes to avoid detection.
Analyst Comment: Never click on suspicious attachments or run any executables from suspicious emails. Copyright infringement emails are a common phishing lure. Such emails will be straight forward to rectify if legitimate. If a copyright email is attempting to coerce you into opening attachments, such emails should be treated with extreme caution.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562
Tags: malware:Phishing, malware:Lockbit, Lockbit, Copyright, Ransomware
There is More Than One Way To Sleep: Deep Dive into the Implementations of API Hammering by Various Malware Families
(published: June 24, 2022)
Researchers at Palo Alto Networks have released their analysis of new BazarLoader and Zloader samples that utilize API Hammering as a technique to evade sandbox detection. API Hammering makes use of a large volume of Windows API calls to delay the execution of malicious activity to trick sandboxes into thinking the malware is benign. Whilst BazarLoader has utilized the technique in the past, this new variant creates large loops of benign API using a new process. Encoded registry keys within the malware are used for the calls and the large loop count is created from the offset of the first null byte of the first file in System32 directory. Zloader uses a different form of API Hammering to evade sandbox detection. Hardcoded within Zloader are four large functions with many smaller functions within. Each function makes an input/output (I/O) call to mimic the behavior of many legitimate processes.
Analyst Comment: Defense in depth is the best defense against sophisticated malware. The Anomali Platform can assist in detection of malware and Match anomalous activity from all telemetry sources to provide the complete picture of adversary activity within your network.
MITRE ATT&CK: [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497
Tags: malware:BazarLoad |
Ransomware Spam Malware Tool Vulnerability Threat | APT 28 APT 23 | |
 |
2022-06-23 12:21:33 | Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug (lien direct) | The APT is pairing a known Microsoft flaw with a malicious document to load malware that nabs credentials from Chrome, Firefox and Edge browsers. | Malware Threat | APT 28 | |
|
2022-06-21 15:25:09 | Russia\'s APT28 uses fear of nuclear war to spread Follina docs in Ukraine (lien direct) | Threat actors associated with Russian intelligence are using the fear or nuclear war to spread data-stealing malware in Ukraine. | Malware | APT 28 | |
|
2022-05-10 17:08:00 | Anomali Cyber Watch: Moshen Dragon Abused Anti-Virus Software, Raspberry Robin Worm Jumps from USB, UNC3524 Uses Internet-of-Things to Steal Emails, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Phishing, Ransomware, Sideloading, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Attackers Are Attempting to Exploit Critical F5 BIG-IP RCE
(published: May 9, 2022)
CVE-2022-1388, a critical remote code execution vulnerability affecting F5 BIG-IP multi-purpose networking devices/modules, was made public on May 4, 2022. It is of high severity (CVSSv3 score is 9.8). By May 6, 2022, multiple researchers have developed proof-of concept (PoC) exploits for CVE-2022-1388. The first in-the-wild exploitation attempts were reported on May 8, 2022.
Analyst Comment: Update your vulnerable F5 BIG-IP versions 13.x and higher. BIG-IP 11.x and 12.x will not be fixed, but temporary mitigations available: block iControl REST access through the self IP address and through the management interface, modify the BIG-IP httpd configuration.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190
Tags: CVE-2022-1388, F5, Vulnerability, Remote code execution, Missing authentication
Mobile Subscription Trojans and Their Little Tricks
(published: May 6, 2022)
Kaspersky researchers analyzed five Android trojans that are secretly subscribing users to paid services. Jocker trojan operators add malicious code to legitimate apps and re-upload them to Google Store under different names. To avoid detection, malicious functionality won’t start until the trojan checks that it is available in the store. The malicious payload is split in up to four files. It can block or substitute anti-fraud scripts, and modify X-Requested-With header in an HTTP request. Another Android malware involved in subscription fraud, MobOk trojan, has additional functionality to bypass captcha. MobOk was seen in a malicious app in Google Store, but the most common infection vector is being spread by other Trojans such as Triada.
Analyst Comment: Limit your apps to downloads from the official stores (Google Store for Android), avoid new apps with low number of downloads and bad reviews. Pay attention to the terms of use and payment. Avoid granting it too many permissions if those are not crucial to the app alleged function. Monitor your balance and subscription list.
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Data Manipulation - T1565
Tags: Android, Jocker, MobOk, Triada, Vesub, GriftHorse, Trojan, Subscription fraud, Subscription Trojan, Russia, target-country:RU, Middle East, Saudi Arabia, target-country:SA, Egypt, target-country:EG, Thailand, target-country:TH
Raspberry Robin Gets the Worm Early
(published: May 5, 2022)
Since September 2021, Red Canary researchers monitor Raspberry Robin, a new worm |
Ransomware Malware Tool Vulnerability Threat | APT 29 APT 28 | ★★★ |
|
2022-04-26 16:24:00 | Anomali Cyber Watch: Gamaredon Delivers Four Pterodos At Once, Known-Plaintext Attack on Yanlouwang Encryption, North-Korea Targets Blockchain Industry, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, CatalanGate, Cloud, Cryptocurrency, Information stealers, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems
(published: April 25, 2022)
Cybereason researchers have compared trending attacks involving SocGholish and Zloader malware. Both infection chains begin with social engineering and malicious downloads masquerading as legitimate software, and both lead to data theft and possible ransomware installation. SocGholish attacks rely on drive-by downloads followed by user execution of purported browser installer or browser update. The SocGholish JavaScript payload is obfuscated using random variable names and string manipulation. The attacker domain names are written in reverse order with the individual string characters being put at the odd index positions. Zloader infection starts by masquerading as a popular application such as TeamViewer. Zloader acts as information stealer, backdoor, and downloader. Active since 2016, Zloader actively evolves and has acquired detection evasion capabilities, such as excluding its processes from Windows Defender and using living-off-the-land (LotL) executables.
Analyst Comment: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets - T1558 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | |
Ransomware Malware Tool Vulnerability Threat Guideline Medical | Uber APT 38 APT 28 | |
|
2022-04-19 15:00:00 | Anomali Cyber Watch: RaidForums Seized, Sandworm Attacks Ukrainian Power Stations, North Korea Steals Chemical Secrets, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, North Korea, Spearphishing, Russia, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Lazarus Targets Chemical Sector
(published: April 14, 2022)
In January 2022, Symantec researchers discovered a new wave of Operation Dream Job. This operation, attributed to the North Korea-sponsored group Lazarus, utilizes fake job offers via professional social media and email communications. With the new wave of attacks, Operation Dream Job switched from targeting the defense, government, and engineering sectors to targeting South Korean organizations operating within the chemical sector. A targeted user executes an HTM file sent via a link. The HTM file is copied to a DLL file to be injected into the legitimate system management software. It downloads and executes the final backdoor: a trojanized version of the Tukaani project LZMA Utils library (XZ Utils) with a malicious export added (AppMgmt). After the initial access, the attackers gain persistence via scheduled tasks, move laterally, and collect credentials and sensitive information.
Analyst Comment: Organizations should train their users to recognize social engineering attacks including those posing as “dream job” proposals. Organizations facing cyberespionage threats should implement a defense-in-depth approach: layering of security mechanisms, redundancy, fail-safe defense processes.
MITRE ATT&CK: [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555
Tags: Lazarus, Operation Dream Job, North Korea, source-country:KP, South Korea, target-country:KR, APT, HTM, CPL, Chemical sector, Espionage, Supply chain, IT sector
Old Gremlins, New Methods
(published: April 14, 2022)
Group-IB researchers have released their analysis of threat actor OldGremlin’s new March 2022 campaign. OldGremlin favored phishing as an initial infection vector, crafting intricate phishing emails that target Russian industries. The threat actors utilized the current war between Russia and Ukraine to add a sense of legitimacy to their emails, with claims that users needed to click a link to register for a new credit card, as current ones would be rendered useless by incoming sanctions. The link leads users to a malicious Microsoft Office document stored within Dropbox. When macros are enabled, the threat actor’s new, custom backdoor, TinyFluff, a new version of their old TinyNode |
Ransomware Spam Malware Vulnerability Threat Guideline Medical | APT 38 APT 28 | |
 |
2022-04-01 14:09:48 | AcidRain Wiper Suspected in Satellite Broadband Outage in Europe (lien direct) | FortiGuard Labs is aware a report that a new wiper malware was deployed and destroyed data on modems and routers for KA-SAT satellite broadband services, resulting in service outages across Europe on February 24th, 2022. The service interruption also caused the disconnection of remote access to 5,800 wind turbines in Europe. According to security vendor SentinelOne, AcidRain wiper shares similarities with a VPNFilter stage 3 destructive plugin. The Federal Bureau of Investigation (FBI) and Department of Justice disrupted the VPNFilter botnet by seizing a domain that was part of the Command-and-Control (C2) infrastructure. The Russian-connected the Sofacy threat actor (also known as APT28, Sednit, Pawn Storm, Fancy Bear, and Tsar) is believed to have operated the VPNFilter botnet. Why is this Significant?This is significant not only because a new wiper malware was used in the attack but also because the attack caused service interruption for satellite broadband services in Europe, including Ukraine, and 5,800 wind turbines in Europe were knocked offline.Also, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint advisory on March 17th, 2022, warning of cyberattacks on U.S. and international satellite communication (SATCOM) networks. What Happened?According to the statement released by Viasat, a provider of KA-SAT satellite broadband services, the attack occurred in two phases.1. On February 24th, 2022, "malicious traffic were detected emanating from several SurfBeam2 and SurfBeam 2+ modems and/or associated customer premise equipment (CPE) physically located within Ukraine and serviced by one of the KA-SAT consumer-oriented network partitions. This targeted denial of service attack made it difficult for many modems to remain online." 2. Then, the company started to observe a gradual decline of the connected modems. Subsequently, a large number of additional modems across much of Europe exited the network and they did not re-enter to the network. The statement continues as saying that the attacker gained remote access to the trusted management segment of the KA-SAT network through a misconfigured VPN appliance. The threat actor moved laterally through the network and ultimately sent "legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable."The belief is that "these destructive commands" refer to AcidRain wiper malware.What is VPNFilter malware?VPNFilter is a IoT malware that was first reported in mid-2018 and targeted home and Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices. The malware is not only capable of performing data exfiltration but also rendering devices completely inoperable.FortiGuard Labs published a research blog series on VPNFilter malware in 2018. See the Appendix for a link to "VPNFilter Malware - Critical Update" and "VPNFilter Update - New Attack Modules Documented".What is the threat actor Sofacy?Sofacy is a threat actor who is believed to operate for Russian interests. The threat actor has been in operation since at least 2007 and targets a wide range of sectors including government, military and security organizations.One of the most infamous activities carried out by the Sofacy group is their alleged involvement in hacking "networks and endpoints associated with the U.S. election" in 2016, in which the FBI the US Department of Homeland Security (DHS) released a join advisory on December 29th, 2016.What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against AcidRain wiper malware believed to have been used in the attack:ELF/AcidRain.A!tr | Malware Threat | VPNFilter VPNFilter APT 28 | |
|
2022-03-15 16:46:00 | Anomali Cyber Watch: Government and Financially-Motivated Targeting of Ukraine, Conti Ransomware Active Despite Exposure, Carbanak Abuses XLL Files, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Excel add-ins, Phishing, Russia, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Webinar on Cyberattacks in Ukraine – Summary and Q&A
(published: March 14, 2022)
As the military conflict in Ukraine continues, the number of cyberattacks in Ukraine is expected to rise in the next six months, according to Kaspersky researchers. Most of the current attacks on Ukraine are of low complexity, but advanced persistent threat (APT) attacks exist too. Gamaredon (Primitive Bear) APT group continues its spearphishing attacks. Sandworm APT targets SOHO network devices with modular Linux malware Cyclops Blink. Other suspected APT campaigns use MicroBackdoor malware or various wipers and fake ransomware (HermeticRansom, HermeticWiper, IsaacWiper, WhisperGate). Honeypot network in Ukraine detected over 20,000 attacking IP addresses, and most of them were seen attacking Ukraine exclusively.
Analyst Comment: Harden your infrastructure against DDoS attacks, ransomware and destructive malware, phishing, targeted attacks, supply-chain attacks, and firmware attacks. Install all the latest patches. Install security software. Consider strict application white-listing for all machines. Actively hunt for attackers inside the company’s internal network using the retrospective visibility provided by Anomali XDR.
MITRE ATT&CK: [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Pre-OS Boot - T1542 | [MITRE ATT&CK] Fallback Channels - T1008 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Disk Content Wipe - T1488 | [MITRE ATT&CK] Inhibit System Recovery - T1490
Tags: Gamaredon, Sandworm, MicroBackdoor, Hades, HermeticWiper, HermeticRansom, IsaacWiper, Pandora, Cyclops Blink, Government, Russia, Ukraine, UNC1151, Ghostwriter, Belarus, Ukraine-Russia Conflict 2022, Operation Bleeding Bear
Alert (AA21-265A) Conti Ransomware (Updated)
(published: March 9, 2022)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), with assistance from the U.S. Secret Service has updated the alert on Conti ransomware with 98 domain names used in malicious operations. Conti ransomware-as-a-service (RaaS) operation is attributed to the threat group Wizard Spider also known for its Trickbot malware. The group’s internal data and communications were leaked at the end of February 2022 after they announced support for Russia over the conflict in Ukraine.
Analyst Comment: Despite the increased attention to Conti ransomware group, it remains extremely active. Ensure t |
Ransomware Malware Tool Vulnerability Threat | APT 28 | |
|
2022-01-28 01:24:28 | North Korean Hackers Using Windows Update Service to Infect PCs with Malware (lien direct) | The notorious Lazarus Group actor has been observed mounting a new campaign that makes use of the Windows Update service to execute its malicious payload, expanding the arsenal of living-off-the-land (LotL) techniques leveraged by the APT group to further its objectives. The Lazarus Group, also known as APT38, Hidden Cobra, Whois Hacking Team, and Zinc, is the moniker assigned to the North | Malware Medical | APT 38 APT 28 |
To see everything:
Our RSS (filtrered)
