What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
RiskIQ.webp 2024-09-09 11:04:46 Weekly OSINT Highlights, 9 September 2024

## Snapshot

Last week's OSINT reporting highlights a broad spectrum of cyber threats, with notable trends in malware campaigns, espionage, and ransomware attacks. Phishing remains a dominant attack vector, delivering a variety of payloads such as custom backdoors, infostealers, and ransomware. Nation-state actors such as Russia's APT29 (Midnight Blizzard) and China's Earth Lusca were prominent, focusing on espionage and targeting specific regions such as East Asia and the Middle East. Other notable threats included the use of deepfakes for scam campaigns and the exploitation of unpatched vulnerabilities in widely used software such as Microsoft Office and WPS Office. Targets ranged from government entities to private-sector businesses, with some attacks focusing on specific industries such as finance, healthcare, and technology.

## Description

1. [Unique Malware Campaign 'Voldemort'](https://sip.security.microsoft.com/intel-explorer/articles/3cc65ab7): Proofpoint researchers uncovered a phishing campaign distributing custom malware via emails impersonating tax authorities in multiple countries. The malware, likely espionage-motivated, uses techniques such as abusing Google Sheets for command-and-control (C2) to evade detection.
2. [Python-Based Infostealer 'Emansrepo'](https://sip.security.microsoft.com/intel-explorer/articles/94d41800): FortiGuard Labs identified Emansrepo, a Python-based infostealer that targets browser data and files and arrives via phishing emails. The malware has evolved into a multi-stage tool and has expanded its capabilities to steal sensitive data such as cryptocurrency wallets.
3. [Deepfake Scams Using Public Figures](https://sip.security.microsoft.com/intel-explorer/articles/6c6367c7): Palo Alto Networks researchers discovered deepfake scams impersonating public figures to promote fake investment schemes. The scams, attributed to a single threat actor group, target global audiences with AI-generated videos hosted on domains with significant traffic.
4. [Zero-Day Vulnerabilities in WPS Office](https://sip.security.microsoft.com/intel-explorer/articles/f897577d): ESET researchers identified two zero-day vulnerabilities in Kingsoft WPS Office exploited by the APT-C-60 group. The vulnerabilities allowed attackers to execute arbitrary code against targets in East Asian countries, using malicious documents to deliver a custom backdoor.
5. [KTLVdoor Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/222628fc): Trend Micro uncovered KTLVdoor, a highly obfuscated backdoor developed by Earth Lusca that targets both Windows and Linux systems. The malware gives attackers full control of infected systems and is primarily linked to Chinese-speaking actors.
6. [Fake Palo Alto GlobalProtect Tool](https://sip.security.microsoft.com/intel-explorer/articles/22951902): Trend Micro identified a campaign targeting Middle Eastern organizations with a fake version of Palo Alto GlobalProtect. The malware executes remote PowerShell commands and exfiltrates files while masquerading as a legitimate security product.
7. [APT29 Targets Mongolian Government Websites](https://sip.security.microsoft.com/intel-explorer/articles/12b5ac31): Google TAG discovered that Russia's APT29 used iOS and Chrome exploits against visitors of Mongolian government websites. The exploits closely matched ones previously used by commercial surveillance vendors, and the watering-hole attacks were used to steal authentication cookies from targeted users.
8. [MacroPack-Abused Malicious Documents](https://sip.security.microsoft.com/intel-explorer/articles/cd8dec3b): Cisco Talos found malicious documents built with MacroPack that deliver payloads such as Havoc and the PhantomCore RAT. The documents used obfuscated macros and lures in multiple languages, which complicates attribution to any single threat actor.
9. [Underground Ransomware by RomCom Group](https://sip.security.microsoft.com/intel-explorer/articles/e2a44c7c): FortiGuard Labs identified the Underground ransomware targeting Windows systems, deployed by the Russia-based RomCom

Tags: Ransomware Malware Tool Vulnerability Threat Prediction Medical Commercial APT 38 APT 29 ★★
RiskIQ.webp 2024-09-04 02:45:48 State-backed attackers and commercial surveillance vendors repeatedly use the same exploits

## Snapshot

Google's Threat Analysis Group (TAG) uncovered in-the-wild exploit campaigns targeting Mongolian government websites between November 2023 and July 2024. TAG attributes the activity to the Russian government-backed actor APT29, tracked by Microsoft as [Midnight Blizzard](https://sip.security.microsoft.com/intel-profiles/d825313b053efea45228ff1f4cb17c8b5433dcd2f86353e28be2d484ce874616). The attackers used exploits similar to those used by the commercial surveillance vendors Intellexa and NSO Group.

## Description

These campaigns delivered n-day exploits for iOS and Chrome against devices that had not been patched. The initial infection vector was a watering hole: compromised websites served iOS WebKit and Chrome exploits to their visitors. The iOS campaigns delivered an exploit for [CVE-2023-41993](https://sip.security.microsoft.com/intel-explorer/cves/CVE-2023-41993/) targeting iPhone users running older iOS versions. TAG's analysis found the exploit nearly identical to one used by the commercial vendor Intellexa. It loaded the same cookie-stealer framework that TAG observed in March 2021, when a Russian state-backed attacker exploited [CVE-2021-1879](https://sip.security.microsoft.com/intel-explorer/cves/CVE-2021-1879/) to steal authentication cookies from major sites such as LinkedIn, Gmail, and Facebook. Read more [here](https://sip.security.microsoft.com/intel-explorer/articles/4a4ab0bf) about Microsoft's coverage of Midnight Blizzard's exploitation of CVE-2021-1879.

TAG also discovered a Google Chrome exploit chain aimed at stealing credential cookies from Android users. As in the iOS campaigns, initial access came through a watering hole. The chain exploited CVE-2024-5274 to compromise the renderer, an exploit that Chrome Security had previously discovered as an in-the-wild zero-day in May 2024 used by the commercial vendor NSO Group. The attackers then leveraged [CVE-2024-4671](https://sip.security.microsoft.com/intel-explorer/cves/CVE-2024-4671/) to break out of Chrome site isolation. TAG does not know how the suspected APT29 actors acquired exploits used by commercial surveillance vendors.

### Additional Analysis

Commercial surveillance vendors, including Intellexa and NSO Group, have been the subject of significant scrutiny and criticism. These companies develop and sell advanced spyware to governments and law enforcement agencies for surveillance purposes, but their products have been linked to unauthorized surveillance and [human rights concerns](https://www.siliconrepublic.com/enterprise/amnesty-international-intellexa-ireland-predator-spyware). NSO Group, known for its [Pegasus spyware](https://thehill.com/policy/cybersecurity/4053311-khashoggi-widow-suing-israeli-firm-says-spyware-caused-her-to-constantly-be-looking-over-her-shoulder/), has faced criticism for its involvement in illegal surveillance. Intellexa has likewise been implicated in scandals involving the use of its Predator spyware to monitor U.S. officials, journalists, and policy experts. Both companies have been [sanctioned](https://www.icij.org/investigations/cyprus-confidential/spyware-firm-intellexa-hit-with-us-sanctions-after-cyprus-confidential-expose/) for their roles in distributing spyware to authoritarian regimes.

## Recommendations

Strengthen operating environment configuration:

- Keep operating systems and applications up to date. Apply security patches as soon as possible.
- Ensure that the Google Chrome web browser is updated to version [128.0.6613.84](https://ch

Tags: Malware Tool Vulnerability Threat Legislation Mobile Commercial APT 29 ★★
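The Chrome version check behind the recommendation above, as an added example that is not code from this page or from Google TAG. It extracts the four-part build number a browser binary reports (for instance the output of `google-chrome --version`) and compares it numerically against the 128.0.6613.84 floor the recommendation names, then triages a small inventory. The inventory lines and host names are constructed sample data, not hosts from the report.

```python
"""Fleet check: is each reported Chrome/Chromium build at or above the floor?

Added example, not part of the original page. The floor is the version quoted
in the TAG recommendation above; the inventory below is constructed sample data.
"""
import re
from typing import List, Optional, Tuple

# Minimum build named in the recommendation on this page.
MIN_CHROME_VERSION = "128.0.6613.84"

# Matches the dotted four-part build that `google-chrome --version`,
# `chromium --version` and the Windows uninstall registry keys report.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part Chrome build from free text such as
    'Google Chrome 128.0.6613.84'. Returns None when no build is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def is_patched(text: str, minimum: str = MIN_CHROME_VERSION) -> bool:
    """True if the build found in `text` is >= `minimum`.

    The comparison is numeric, component by component, so 128.0.6613.100 is
    correctly newer than 128.0.6613.84 even though it sorts lower as a string.
    Unparseable input is treated as unpatched: failing closed keeps a host with
    a broken collector or no browser at all from silently passing the check."""
    found = parse_version(text)
    floor = parse_version(minimum)
    if found is None or floor is None:
        return False
    return found >= floor


def triage_inventory(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Split 'host<TAB>version output' lines into (patched, unpatched) hosts.
    Blank lines and '#' comments are ignored."""
    patched: List[str] = []
    unpatched: List[str] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version_text = line.partition("\t")
        (patched if is_patched(version_text) else unpatched).append(host)
    return patched, unpatched


# Constructed sample inventory: hypothetical hosts, not data from the page.
SAMPLE_INVENTORY = """\
# host\tversion string as reported by the browser binary
ws-01\tGoogle Chrome 128.0.6613.84
ws-02\tGoogle Chrome 127.0.6533.120
ws-03\tChromium 128.0.6613.113
ws-04\tGoogle Chrome 124.0.6367.201
ws-05\tcommand not found
""".splitlines()


if __name__ == "__main__":
    ok, stale = triage_inventory(SAMPLE_INVENTORY)
    print("patched:  ", ", ".join(ok))
    print("unpatched:", ", ".join(stale))
```

Feed it one `host<TAB>version` line per machine, collected from each host's browser binary or package manager. The floor is the single version this page quotes, so raise it to your own baseline as newer Stable builds ship; hosts whose version cannot be parsed are deliberately listed as unpatched so that they are reviewed rather than ignored.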
InfoSecurityMag.webp 2024-08-30 10:30:00 Russian Hackers Use Commercial Spyware Exploits to Target Victims
In a campaign targeting Mongolian government websites, Russian-backed APT29 leveraged exploits previously used by the spyware vendors NSO Group and Intellexa.
Tags: Commercial APT 29 ★★★
News.webp 2024-08-29 20:03:11 Oh, great. Attacks developed by spyware vendors are being re-used by Russia's Cozy Bear cretins
Google researchers note the similarities, can't find a link. Google's Threat Analysis Group (TAG) has spotted a disturbing similarity in attack tactics used by commercial spyware vendors and Russia-linked attack gangs.…
Tags: Threat Commercial APT 29 ★★★★
SecurityWeek.webp 2024-08-29 13:00:00 Google Catches Russian APT Reusing Exploits From Spyware Merchants NSO Group, Intellexa
Google TAG publishes evidence showing identical or strikingly similar exploits used by Russia's APT29 and by commercial spyware vendors.
Tags: Commercial APT 29 ★★★
bleepingcomputer.webp 2024-08-29 09:04:58 Russian APT29 hackers use iOS, Chrome exploits created by spyware vendors
The Russian state-sponsored APT29 hacking group has been observed using the same iOS and Android exploits created by commercial spyware vendors in a series of cyberattacks between November 2023 and July 2024. [...]
Tags: Mobile Commercial APT 29 ★★★
Last update at: 2025-05-10 14:07:21