What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
Mandiant.webp 2025-04-29 05:00:00 Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis (direct link)
Written by: Casey Charrier, James Sadowski, Clement Lecigne, Vlad Stolyarov
Executive Summary
Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). We divided the reviewed vulnerabilities into two main categories: end-user platforms and products (e.g., mobile devices, operating systems, and browsers) and enterprise-focused technologies, such as security software and appliances.
Vendors continue to drive improvements that make some zero-day exploitation harder, demonstrated by both dwindling numbers across multiple categories and reduced observed attacks against previously popular targets. At the same time, commercial surveillance vendors (CSVs) appear to be increasing their operational security practices, potentially leading to decreased attribution and detection.
We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies.
While the historic focus on the exploitation of popular end-user technologies and their users continues, the shift toward increased targeting of enterprise-focused products will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day exploitation attempts.
Scope
This report describes what Google Threat Intelligence Group (GTIG) knows about zero-day exploitation in 2024. We discuss how targeted vendors and exploited products drive trends that reflect threat actor goals and shifting exploitation approaches, and then closely examine several examples of zero-day exploitation from 2024 that demonstrate how actors use both historic and novel techniques to exploit vulnerabilities in targeted products.
The following content leverages original research conducted by GTIG, combined with breach investigation findings and reporting from reliable open sources, though we cannot independently confirm the reports of every source. Research in this space is dynamic and the numbers may adjust due to the ongoing discovery of past incidents through digital forensic investigations. The numbers presented here reflect our best understanding of current data.
GTIG defines a zero-day as a vulnerability that was maliciously exploited in the wild before a patch was made publicly available. GTIG acknowledges that the trends observed and discussed in this report are based on detected and disclosed zero-days. Our analysis represents exploitation tracked by GTIG but may not reflect all zero-day exploitation.
Key Takeaways
Zero-day exploitation continues to grow gradually. The 75 zero-day vulnerabilities exploited in 2024 follow a pattern that has emerged
Malware Tool Vulnerability Threat Patching Mobile Prediction Cloud Commercial APT 37 ★★
RiskIQ.webp 2024-11-18 12:22:31 Weekly OSINT Highlights, 18 November 2024 (direct link)
## Snapshot
Last week's OSINT reporting highlights a diverse array of cyber threats, including ransomware, phishing, espionage, and supply chain attacks. Key trends include evolving attack vectors like malicious .LNK files and PowerShell-based lateral movements, as seen in campaigns targeting Pakistan and other regions. Threat actors span from state-sponsored groups such as North Korea's Lazarus and China's TAG-112 to financially motivated groups like SilkSpecter, with targets including critical sectors like manufacturing, government, healthcare, and e-commerce. Information stealers emerged as a notable theme, with malware such as RustyStealer, Fickle Stealer, and PXA Stealer employing advanced obfuscation and multi-vector attacks to exfiltrate sensitive data from diverse sectors. The reports underscore sophisticated evasion tactics, the leveraging of legitimate platforms for malware delivery, and the persistent targeting of vulnerable backup and storage systems.
## Description
1. [Ymir Ransomware Attack](https://sip.security.microsoft.com/intel-explorer/articles/1444d044): Researchers at Kaspersky identified Ymir, a ransomware variant that performs operations entirely in memory and encrypts data using the ChaCha20 algorithm. Attackers used PowerShell-based lateral movement and reconnaissance tools, employing RustyStealer malware to gain initial access and steal data, targeting systems in Colombia among other regions.
2. [WIRTE Group Cyber Attacks](https://sip.security.microsoft.com/intel-explorer/articles/17c5101d): Check Point Research linked WIRTE, a Hamas-connected group, to espionage and disruptive cyber attacks in 2024, including PDF lure-driven Havoc framework deployments and SameCoin wiper campaigns targeting Israeli institutions. WIRTE, historically aligned with the Molerats, focuses on politically motivated attacks in the Middle East, showcasing ties to Gaza-based cyber activities.
3. [DoNot Group Targets Pakistani Manufacturing](https://sip.security.microsoft.com/intel-explorer/articles/25ee972c): The DoNot group launched a campaign against Pakistan's manufacturing sector, focusing on maritime and defense industries, using malicious .LNK files disguised as RTF documents to deliver stager malware via PowerShell. The campaign features advanced persistence mechanisms, updated AES encryption for C&C communications, and dynamic domain generation, highlighting their evolving evasion tactics.
4. [Election System Honeypot Findings](https://sip.security.microsoft.com/intel-explorer/articles/1a1b4eb7): Trustwave SpiderLabs' honeypot for U.S. election infrastructure recorded attacks like brute force, SQL injection, and CVE exploits by botnets including Mirai and Hajime. The attacks, largely driven by exploit frameworks and dark web collaboration, underline persistent threats against election systems.
5. [Chinese TAG-112 Tibetan Espionage](https://sip.security.microsoft.com/intel-explorer/articles/11ae4e70): In May 2024, TAG-112, suspected to be Chinese state-sponsored, compromised Tibetan community websites via Joomla vulnerabilities to deliver Cobalt Strike payloads disguised as security certificates. The campaign reflects Chinese intelligence's enduring interest in monitoring and disrupting Tibetan and other minority organizations.
6. [Phishing Campaigns Exploit Ukrainian Entities](https://sip.security.microsoft.com/intel-explorer/articles/95253614a): Russian-linked threat actor UAC-0194 targeted Ukrainian entities with phishing campaigns, exploiting CVE-2023-320462 and CVE-2023-360251 through malicious hyperlinks in emails. The attacks leveraged compromised municipal servers to host malware and facilitate privilege escalation and security bypasses.
7. [Lazarus Group's MacOS Targeting](https://sip.security.microsoft.com/intel-explorer/articles/7c6b391d): Lazarus, a North Korean threat actor, deployed RustyAttr malware targeting macOS via malicious apps using Tauri framework, hiding payloads in Extended Attributes (EA). This campaign reflects evolvin
Ransomware Malware Tool Vulnerability Threat Prediction Medical Cloud Technical APT 41 APT 38 ★★★
RiskIQ.webp 2024-11-15 15:40:32 Hackers use macOS extended file attributes to hide malicious code (direct link)
## Snapshot
Researchers at Group-IB have identified a new trojan targeting macOS, dubbed RustyAttr, that leverages extended attributes (EAs) in macOS files to conceal malicious code.
## Description
EAs are metadata associated with files and directories in different file systems. This code smuggling is reminiscent of the [Bundlore adware approach in 2020](https://security.microsoft.com/intel-explorer/articles/71a3eed3), which also targeted macOS by hiding payloads in resource forks. Resource forks were mostly deprecated and replaced by the application bundle structure and EA.
The RustyAttr malware uses the Tauri framework to build malicious apps that execute a shell script stored within an EA named 'test'. Tauri creates lightweight desktop apps with a web frontend (HTML, CSS, JavaScript) and a Rust backend. These apps run JavaScript that retrieves the shell script from the 'test' EA and executes it. Some samples simultaneously launch decoy PDFs or error dialogs to distract the user. The decoy PDFs, and one of the malicious application bundles, were sourced from a pCloud instance containing cryptocurrency-related content.
The applications were likely signed with a leaked certificate that Apple has since revoked. macOS Gatekeeper currently blocks these applications from running unless the user actively chooses to override these malware protections. Although Group-IB couldn't analyze the next-stage malware, they found that the staging server connects to an infrastructure endpoint of the known North Korean threat actor group Lazarus (tracked by Microsoft as [Diamond Sleet](https://security.microsoft.com/intel-profiles/b982c8daf198d93a2ff52b92b65c6284243aa6af91dda5edd1fe8ec5365918c5)). Group-IB researchers suggest that Lazarus is trying out new ways to deliver malware.
This discovery comes alongside a similar [report from SentinelLabs](https://security.microsoft.com/intel-explorer/articles/aea544a9) about the North Korean threat actor BlueNoroff (tracked by Microsoft as [Sapphire Sleet](https://security.microsoft.com/intel-profiles/45e4b0c21eecf6012661ef6df36a058a0ada1c6be74d8d2011ea3699334b06d1)), which has been using related evasion techniques on macOS, including cryptocurrency-themed phishing and modified 'Info.plist' files to retrieve second-stage payloads. It remains unclear if the RustyAttr and BlueNoroff campaigns are connected, but it highlights a trend of North Korean hackers focusing on macOS systems for their operations.
## Recommendations
Group-IB recommends keeping macOS Gatekeeper enabled to protect your system from harmful software. Additionally, Microsoft recommends the following mitigations to reduce the impact of this threat.
• Only install apps from trusted sources and official stores, like the Google Play Store and Apple App Store.
• Never click on unknown links received through ads, SMS messages, emails, or similar untrusted sources.
• Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it.
• To learn more about preventing trojans or other malware from affecting individual devices, [read about preventing malware infection](https://www.microsoft.com/security/business/security-101/what-is-malware).
## References
[Hackers use macOS extended file attributes to hide malicious code](https://www.bleepingcomputer.com/news/security/hackers-use-macos-extended-file-attributes-to-hide-malicious-code/). Bleeping Computer (accessed 2024-11-14)
[Stealthy Attributes of APT Lazarus: Evading Detection with Extended Attributes](https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/). Group-IB (accessed 2024-11-14)
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
Malware Threat Prediction APT 38 ★★
RiskIQ.webp 2024-11-04 12:25:16 Weekly OSINT Highlights, 4 November 2024 (direct link)
## Snapshot
Last week's OSINT reporting highlighted state-sponsored and cybercriminal threat activity, with diverse attack vectors and targets across sectors. APT actors in North Korea, China, and Russia conducted targeted phishing, network, and malware campaigns. North Korean and Russian groups favored credential theft and ransomware tactics targeting sectors from government to military, while Chinese actors exploited firewall vulnerabilities to gain long-term access in high-stakes sectors. Meanwhile, cybercriminals leveraged social engineering, vishing, and IoT and plugin vulnerabilities to infiltrate cloud environments, IoT devices, and Android systems. The emphasis on exploiting vulnerabilities in popular software and web platforms underscores the adaptability of these threat actors as they expand their attack reach, particularly in their use of cloud, virtualization, and cryptomining strategies across a range of industries.
## Description
1. [Jumpy Pisces Ransomware Collaboration](https://sip.security.microsoft.com/intel-explorer/articles/393b61a9): Unit 42 reported North Korea's Jumpy Pisces (Onyx Sleet) partnering with Play ransomware in a financially motivated attack targeting unspecified organizations. The threat actor used tools like Sliver, DTrack, and PsExec to gain persistence and escalate privileges, ending with the deployment of Play ransomware.
2. [Chinese Threats Targeting Firewalls](https://sip.security.microsoft.com/intel-explorer/articles/798C0FDB): Sophos X-Ops identified China-based groups such as Volt Typhoon, APT31, and APT41 exploiting firewalls to access [...] Pacific. These groups use sophisticated techniques such as living-off-the-land and multiplatform rootkits.
3. [Naver Platform Phishing Campaign](https://sip.security.microsoft.com/intel-explorer/articles/dfee0ab5): North Korean-linked actors launched a phishing campaign targeting South Korea's Naver, attempting to steal login credentials via multiple phishing domains. The infrastructure, with SSL certificate changes and tracking capabilities, aligns with Kimsuky (Emerald Sleet), known for its credential theft tactics.
4. [FakeCall Vishing Malware on Android](https://sip.security.microsoft.com/intel-explorer/articles/d94c18b0): Zimperium researchers identified FakeCall malware's vishing techniques for stealing from Android users. The malware intercepts calls and mimics Android's dialer, allowing attackers to trick users into divulging sensitive information.
5. [Facebook Business Phishing Campaign](https://sip.security.microsoft.com/intel-explorer/articles/82b49ffd): Cisco Talos detected a phishing attack targeting Facebook business accounts in Taiwan, using legal notices as lures. LummaC2 and Rhadamanthys information-stealing malware were embedded in RAR files, collecting system credentials and evading detection through obfuscation and process injection.
6. [LiteSpeed Cache Vulnerability](https://sip.security.microsoft.com/intel-explorer/articles/a85b69db): A flaw in the LiteSpeed Cache plugin (CVE-2024-50550) could allow privilege escalation on more than six million sites. The exploited vulnerabilities allowed attackers to upload plugins ma
Ransomware Malware Tool Vulnerability Threat Mobile Prediction Medical Cloud Technical APT 41 APT 28 APT 31 Guam ★★★
RiskIQ.webp 2024-10-28 11:27:40 Weekly OSINT Highlights, 28 October 2024 (direct link)
## Snapshot
Last week's OSINT reporting highlights a range of attack types led by sophisticated state-sponsored actors and criminal threats, with notable attacks targeting the cryptocurrency, government, and critical infrastructure sectors. Key attack vectors include phishing campaigns, exploitation of software vulnerabilities, and advanced malware and tools such as Cobalt Strike, ransomware, and botnets, leveraging known CVEs and speculative execution flaws. State-aligned APT groups, such as Lazarus and Russia-aligned threat actors, conducted attacks against cryptocurrency platforms and political entities, while Russia-linked influence operations used AI-generated content to amplify divisive narratives ahead of the 2024 U.S. election. Meanwhile, botnets and ransomware-as-a-service models like Beast RaaS demonstrated technical advances in persistence, encryption, and data exfiltration techniques.
## Description
1. [Heptax Campaign](https://sip.security.microsoft.com/intel-explorer/articles/CE9F9A25): Cyble research uncovered the Heptax campaign targeting healthcare organizations through malicious LNK files distributed via phishing emails. The attackers use PowerShell scripts to lower security settings, enabling remote access, password extraction, and system monitoring for prolonged data exfiltration.
2. [WrnRAT Malware](https://sip.security.microsoft.com/intel-explorer/articles/118a2c8f): AhnLab identified WrnRAT malware distributed via fake gambling game sites, intended for financially motivated data theft and control of infected systems. Once downloaded, the malware captures user screens, sends system information, and terminates specific processes while disguising itself as an Internet Explorer process.
3. [FortiManager Exploit](https://sip.security.microsoft.com/intel-explorer/articles/2f35a4ca): Mandiant reported UNC5820's exploitation of a FortiManager zero-day vulnerability (CVE-2024-47575) to execute code and steal configuration data. The attack targeted FortiGate devices across multiple industries, posing a risk of lateral movement through harvested credentials and device information.
4. [Black Basta's Social Engineering](https://sip.security.microsoft.com/intel-explorer/articles/b231776f): ReliaQuest documented Black Basta ransomware's advanced social engineering, including mass email spam and Microsoft Teams impersonation, to trick users into installing RMM tools or scanning QR codes. These tactics facilitate ransomware deployment via AnyDesk, underscoring the need for vigilant email and account security.
5. [Embargo Ransomware](https://sip.security.microsoft.com/intel-explorer/articles/b7f0fd7b): ESET identified Embargo, a ransomware-as-a-service group targeting U.S. companies, using Rust-based tools like MDeployer and MS4Killer. Using double extortion tactics, Embargo customizes tools to disable security systems, encrypt files, and achieve persistence via Safe Mode reboots and scheduled tasks.
6. [Lazarus Chrome Exploit Campaign](https://sip.security.microsoft.com/intel-explorer/articles/e831e4ae): Kaspersky researchers identified a campaign by Lazarus APT and BlueNoroff (Diamond Sleet and Sapphire Sleet) exploiting a zero-day vulnerability in Google Chrome to target cryptocurrency enthusiasts. The attack uses a fak
Ransomware Spam Malware Tool Vulnerability Threat Prediction Medical Cloud Technical APT 38 Guam ★★
IndustrialCyber.webp 2024-10-15 15:49:31 Trend Micro reveals Earth Simnavaz APT targets Gulf organizations using Microsoft Exchange server backdoor (direct link)
New research by Trend Micro disclosed that the Iranian cyber espionage group Earth Simnavaz, also known as APT34...
Prediction APT 34 ★★
RiskIQ.webp 2024-10-11 21:41:42 Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against UAE and Gulf Regions (direct link)
#### Targeted Geolocations
- United Arab Emirates
## Snapshot
Researchers at Trend Micro have identified a cyber espionage campaign by Earth Simnavaz, also known as APT34 and tracked by Microsoft as [Hazel Sandstorm](https://security.microsoft.com/intel-profiles/6cea89977cc2795bb1a80cad76f4de2ffff256ac3989e757c530047912450e2d), targeting government entities in the UAE and the Gulf region.
## Description
The group uses sophisticated tactics to maintain persistence and exfiltrate sensitive data, using a backdoor that leverages Microsoft Exchange servers for credential theft and exploiting vulnerabilities such as CVE-2024-30088 for privilege escalation. They use a mix of custom .NET tools, PowerShell scripts, and IIS-based malware, such as the Karkoff backdoor, to blend malicious activity with normal network traffic and evade detection.
The initial infiltration method involves uploading a web shell to a vulnerable web server, enabling PowerShell code execution and file transfers to expand their foothold. The threat actors then download the ngrok remote management tool to facilitate lateral movement and reach the domain controller. The group registers a password filter DLL to capture password changes and exfiltrates the encrypted credentials via legitimate government Exchange servers using a tool identified as STEALHOOK. They also use a scheduled task running a script named "U.PS1" for persistence and are known to replace this script with a non-functional one to hinder investigation efforts.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Harden internet-facing assets and identify and secure perimeter systems that attackers might use to access your network.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/configure-lock-at-first-sight-microsoft-defender-antivirus) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
## Detections/Hunting queries
### Microsoft Defender for Endpoint
Alerts with the following titles in the security center can indicate threat activity on your network:
- Hazel Sandstorm actor activity detected
## References
[Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against UAE and Gulf Regions](https://www.trendmicro.com/en_us/research/24/j/arth-simnavaz-cyberattacks-uae-gulf-regions.html). Trend Micro (accessed 2024-10-11)
[Hazel Sandstorm](https://security.microsoft.com/intel-profiles/6cea89977cc2795bb1a80cad76f4de2ffff256ac3989e757c530047912450e2d). Microsoft (accessed 2024-10-11)
Malware Tool Vulnerability Threat Prediction APT 34 ★★★
RiskIQ.webp 2024-10-07 16:54:11 Weekly OSINT Highlights, 7 October 2024 (direct link)
## Snapshot
Last week's OSINT reporting highlights diverse and sophisticated attack tactics, primarily focusing on nation-state actors, cybercriminal groups, and advanced malware campaigns. Common attack vectors include spear-phishing, exploiting vulnerabilities (such as CVEs in Linux servers and AI infrastructure), and malware delivered through fileless methods. The malware ranges from Joker's subscription fraud (targeting mobile devices) to more complex backdoors like WarmCookie, which allows system profiling and further malware deployment. North Korean APT groups (APT37 and Stonefly) remain active, targeting Southeast Asia and United States companies, while Iranian actors focus on political campaigns. Financially motivated attacks are also prominent, with ransomware groups like Meow and attackers using MedusaLocker deploying advanced techniques for exfiltration and encryption. Cloud environments and AI infrastructure, including generative models like AWS Bedrock, have emerged as critical targets, exposing new vulnerabilities for resource hijacking and illicit services.
## Description
1. [Golden Chickens' More_Eggs](https://sip.security.microsoft.com/intel-explorer/articles/4cb94d70): Trend Micro discovered the use of the more_eggs backdoor in spear-phishing attacks, targeting various industries. Recent campaigns involved advanced social engineering, and while attribution remains unclear, there are possible ties to FIN6 (Storm-0538).
2. [Linux Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/68e49ad7): Elastic Security Labs uncovered a Linux malware campaign using KAIJI for DDoS attacks and RUDEDEVIL for cryptocurrency mining. The attackers exploited Apache2 vulnerabilities and used Telegram bots for communication and persistence.
3. [Rhadamanthys Malware Updates](https://sip.security.microsoft.com/intel-explorer/articles/c9ea8588): Recorded Future reported on the evolving Rhadamanthys information-stealing malware, now incorporating AI-driven OCR for cryptocurrency theft. It targets systems in North and South America, leveraging encryption and advanced defense evasion techniques.
4. [NVIDIA Container Toolkit Vulnerability](https://sip.security.microsoft.com/intel-explorer/articles/a35e980e): Wiz Research discovered a critical vulnerability (CVE-2024-0132) in the NVIDIA Container Toolkit, exposing cloud and AI environments to container escape attacks. This flaw could lead to unauthorized control over host systems and data exfiltration.
5. [K4Spreader and PwnRig Campaign](https://sip.security.microsoft.com/intel-explorer/articles/416b07c0): Sekoia TDR linked a campaign exploiting WebLogic vulnerabilities to the 8220 Gang, deploying the K4Spreader malware and PwnRig cryptominer. The attackers primarily target cloud environments for Monero mining, exploiting both Linux and Windows systems.
6. [Nitrogen Malware Incident](https://sip.security.microsoft.com/intel-explorer/articles/d0473059): The DFIR Report analyzed an attack using Nitrogen malware delivered through a malicious Advanced IP Scanner installer. The threat actor used Sliver and Cobalt Strike beacons, eventually deploying BlackCat ransomware across the victim's network.
7. [Gorilla Botnet's DDoS Attacks](https://sip.security.microsoft.com/intel-explorer/articles/0bcef023): NSFOCUS identified the Gorilla Botnet, a Mirai variant, launching over 300,000 DDoS attacks. Its primary targets were U.S., Chinese, and global sectors, including government and telecom, using advanced encryption techniques for stealth.
8. [Iranian IRGC Cyber Activity](https://sip.security.microsoft.com/intel-explorer/articles/42850d7b): The FBI and UK's NCSC warned about Iranian IRGC-affiliated actors targeting individuals related to Middle Eastern affairs. Using social engineering, they focused on stealing credentials and influencing U.S. political campaigns.
9. [Critical Infrastructure Reconnaissance](https://sip.security.microsoft.com/intel-explorer/articles/d491ff08): Dragos detected a campaign targeting North Ame
Ransomware Malware Tool Vulnerability Threat Mobile Prediction Cloud APT 37 APT 45 ★★
RiskIQ.webp 2024-09-16 11:20:34 Weekly OSINT Highlights, 16 September 2024 (direct link)
## Snapshot
Last week's OSINT reporting highlighted a broad array of cyber threats, with ransomware activity and espionage campaigns prominently featured. Russian and Chinese APT groups were particularly in the spotlight, with Aqua Blizzard targeting Ukrainian military personnel and Twill Typhoon affecting governments in Southeast Asia. RansomHub, a ransomware-as-a-service (RaaS) variant, and the newly emerged Repellent Scorpius also exploited known vulnerabilities and abused legitimate tools, employing double extortion tactics. Emerging malware, including infostealers like YASS and BLX Stealer, underscores the growing trend of targeting sensitive consumer data and cryptocurrency wallets, demonstrating the adaptability of threat actors in an evolving digital landscape.
## Description
1. [TIDRONE Targets Taiwanese Military](https://sip.security.microsoft.com/intel-explorer/articles/14a1a551): Trend Micro reports that the Chinese-speaking threat group, TIDRONE, has targeted Taiwanese military organizations, particularly drone manufacturers, since early 2024. Using advanced malware (CXCLNT and CLNTEND), the group infiltrates systems through ERP software or remote desktops, engaging in espionage.
2. [Predator Spyware Resurfaces with New Infrastructure](https://sip.security.microsoft.com/intel-explorer/articles/b0990b13): Insikt Group reports that Predator spyware, often used by government entities, has resurfaced in countries like the Democratic Republic of the Congo and Angola. With upgraded infrastructure to evade detection, Predator targets high-profile individuals such as politicians and activists through one-click and zero-click attack vectors.
3. [Ransomware Affiliates Exploit SonicWall](https://sip.security.microsoft.com/intel-explorer/articles/07f23184): Akira ransomware affiliates exploited a critical SonicWall SonicOS vulnerability (CVE-2024-40766) to gain network access. Targeting firewalls, they bypassed security via local accounts, leading to breaches in organizations with disabled multifactor authentication.
4. [RansomHub Ransomware Threatens Critical Infrastructure](https://sip.security.microsoft.com/intel-explorer/articles/650541a8): RansomHub ransomware-as-a-service has attacked over 210 victims across critical infrastructure sectors since early 2024, using double extortion tactics. The group gains entry via phishing, CVE exploits, and password spraying, and exfiltrates data using tools like PuTTY and Amazon S3.
5. [YASS Infostealer Targets Sensitive Data](https://sip.security.microsoft.com/intel-explorer/articles/d056e554): Intezer discovered "Yet Another Silly Stealer" (YASS), a variant of CryptBot, deployed through a multi-stage downloader called “MustardSandwich.” YASS targets cryptocurrency wallets, browser extensions, and authentication apps, using obfuscation and encrypted communications to evade detection.
6. [WhatsUp Gold RCE Attacks](https://sip.security.microsoft.com/intel-explorer/articles/b89cbab7): Exploiting vulnerabilities in WhatsUp Gold (CVE-2024-6670, CVE-2024-6671), attackers executed PowerShell scripts via NmPoller.exe to deploy RATs like Atera Agent and Splashtop. These attacks highlight the risk of delayed patching and underscore the importance of monitoring vulnerable processes.
7. [Repellent Scorpius Expands RaaS Operations](https://sip.security.microsoft.com/intel-explorer/articles/1f424190): Unit 42 reports on the emerging ransomware group Repellent Scorpius, known for using Cicada3301 ransomware in double extortion attacks. The group recruits affiliates via Russian cybercrime forums and uses stolen credentials to execute attacks on various sectors globally.
8. [APT34's Advanced Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/6289e51f): Check Point Research identified Iranian-linked APT34 targeting Iraqi government networks with sophisticated malware ("Veaty" and "Spearal"). Using DNS tunneling and backdoors, the group exploited email accounts for C2 communications, reflecting advanced espionage techniques.
9
Ransomware Malware Tool Vulnerability Threat Patching Prediction Cloud APT 34 ★★
RiskIQ.webp 2024-09-09 11:04:46 Weekly OSINT Highlights, 9 September 2024
(direct link)
## Snapshot

Last week's OSINT reporting highlights a broad spectrum of cyber threats with notable trends in malware campaigns, espionage, and ransomware attacks. Phishing remains a dominant attack vector, delivering a variety of payloads like custom backdoors, infostealers, and ransomware. Nation-state actors such as Russia's APT29 (Midnight Blizzard) and China's Earth Lusca were prominent, focusing on espionage and targeting specific regions like East Asia and the Middle East. Other notable threats included the use of deepfakes for scam campaigns and the exploitation of unpatched vulnerabilities in widely used software like Microsoft Office and WPS Office. The targeting of organizations ranged from government entities to private sector businesses, with some attacks focusing on specific industries like finance, healthcare, and technology.

## Description

1. [Unique Malware Campaign 'Voldemort'](https://sip.security.microsoft.com/intel-explorer/articles/3cc65ab7): Proofpoint researchers uncovered a phishing campaign distributing custom malware via emails impersonating tax authorities across multiple countries. The malware, likely motivated by espionage, uses advanced techniques like abusing Google Sheets for command-and-control (C2) to avoid detection.
2. [Python-Based Infostealer 'Emansrepo'](https://sip.security.microsoft.com/intel-explorer/articles/94d41800): FortiGuard Labs identified Emansrepo, a Python-based infostealer targeting browser data and files via phishing emails. The malware has evolved into a sophisticated multi-stage tool, expanding its capabilities to steal sensitive data like cryptocurrency wallets.
3. [Deepfake Scams Using Public Figures](https://sip.security.microsoft.com/intel-explorer/articles/6c6367c7): Palo Alto Networks researchers discovered deepfake scams impersonating public figures to promote fake investment schemes. These scams, involving a single threat actor group, target global audiences with AI-generated videos hosted on domains with significant traffic.
4. [Zero-Day Vulnerabilities in WPS Office](https://sip.security.microsoft.com/intel-explorer/articles/f897577d): ESET researchers identified two zero-day vulnerabilities in Kingsoft WPS Office exploited by the APT-C-60 group. The vulnerabilities allowed attackers to execute arbitrary code in targeted East Asian countries, using malicious documents to deliver a custom backdoor.
5. [KTLVdoor Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/222628fc): Trend Micro uncovered KTLVdoor, a highly obfuscated backdoor developed by Earth Lusca, targeting Windows and Linux systems. The malware allows attackers to fully control infected systems and is primarily linked to Chinese-speaking actors.
6. [Fake Palo Alto GlobalProtect Tool](https://sip.security.microsoft.com/intel-explorer/articles/22951902): Trend Micro identified a campaign targeting Middle Eastern organizations with a fake version of Palo Alto GlobalProtect. The malware executes remote PowerShell commands and exfiltrates files while masquerading as a legitimate security solution.
7. [APT29 Targets Mongolian Government Websites](https://sip.security.microsoft.com/intel-explorer/articles/12b5ac31): Google TAG discovered that Russian APT29 used iOS and Chrome exploits to target Mongolian government websites. The attack, linked to commercial surveillance vendors, involved watering hole attacks to steal authentication cookies from targeted users.
8. [MacroPack-Abused Malicious Documents](https://sip.security.microsoft.com/intel-explorer/articles/cd8dec3b): Cisco Talos found malicious documents leveraging MacroPack to deliver payloads like Havoc and PhantomCore RAT. These documents used obfuscated macros and lures in multiple languages, complicating attribution to any single threat actor.
9. [Underground Ransomware by RomCom Group](https://sip.security.microsoft.com/intel-explorer/articles/e2a44c7c): FortiGuard Labs identified the Underground ransomware targeting Windows systems, deployed by the Russia-based RomCom

Ransomware Malware Tool Vulnerability Threat Prediction Medical Commercial APT 38 APT 29 ★★
RiskIQ.webp 2024-09-04 18:51:15 Fake Palo Alto GlobalProtect used as lure to backdoor enterprises
(direct link)

## Snapshot

Trend Micro researchers identified a campaign in which threat actors use a fake version of the Palo Alto GlobalProtect tool, targeting organizations in the Middle East.

## Description

The malware, disguised as a legitimate security solution, can execute remote PowerShell commands, download and exfiltrate files, encrypt communications, and bypass sandbox solutions. The delivery method of the malware is unclear, but it is suspected to have been part of a phishing attack that tricks victims into believing they are installing a legitimate GlobalProtect agent. The attack leads the victim to run a file named 'setup.exe', which deploys the malicious 'globalprotect.exe' and configuration files. The malware then transmits profiling information to a command-and-control (C2) server, using the Advanced Encryption Standard (AES) for evasion. In addition, the malware pivots to a newly registered URL, "Sharjahconnect", designed to resemble a legitimate VPN portal for a company based in the United Arab Emirates (UAE). The malware communicates with the threat actors using the open-source tool Interactsh for beaconing, communicating with specific hostnames to report infection progress and gather victim information. Trend Micro assesses that the campaign targets Middle Eastern entities because of the domain's specific regional focus and the origin of the submission.

## Microsoft Analysis

Microsoft assesses this malicious activity is attributed to [Hazel Sandstorm] (https://security.microsoft.com/intel-profiles/6cea89977c2795bb1a80cad76f4de2ffff256ac3989e757c530047912450e Ministry of Intelligence and Security (MOIS), the primary civilian intelligence agency in Iran. The subgroups are [Storm-0133](https://security.microsoft.com/intel-profiles/0299fedd0f9f7671535556aae448f01ef9c3a75648558cc5a22ba6641c619939), Storm-0150, [Storm-0166] (HTTTP 4d191e57d1f933c13d5e6b87c304985edfb13fb4033), [Storm-0755](https://security.microsoft.com/intel-profiles/dfe14233e7fe59a1099c5b41ab0e4d8ed24aebed38bc0615b15b9c71f98d5189) and [Storm-0861](https://security.microsoft.com/intel-profiles/e75c30dac03473d46bf83d32cefa79cdbd4f16ee8fd4eb62cf714d7ba9c8de00). Hazel Sandstorm operators are known to pursue targets in the public and private sectors in Europe, the Middle East, and North America. In past operations, Hazel Sandstorm has used a combination of custom and commodity tools in their intrusions, likely as a means of gathering intelligence to support Iranian national objectives. Activity Microsoft tracks as part of the larger Hazel Sandstorm umbrella overlaps with public reporting on APT34, Cobalt Gypsy, Helix Kitten, and OilRig.

## Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat.

- Harden internet-facing assets and identify and secure perimeter systems that attackers might use to access your network.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/configure-lock-at-first-sight-microsoft-defender-antivirus) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Encourage users to use Microsoft Edge and other web browsers that support [SmartScreen](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx), which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exp

Malware Tool Threat Prediction APT 34 ★★
DarkReading.webp 2024-08-20 09:00:00 IRGC-Linked Hackers Package Modular Malware in Monolithic Trojan
(direct link)
Charming Kitten goes retro and consolidates its backdoor into a tighter package, abandoning the malware framework trend.
Malware Prediction APT 35 ★★
The_Hackers_News.webp 2024-07-01 18:30:00 CapraRAT Spyware Disguised as Popular Apps Threatens Android Users
(direct link)
The threat actor known as Transparent Tribe has continued to unleash malware-laced Android apps as part of a social engineering campaign to target individuals of interest. "These APKs continue the group's trend of embedding spyware into curated video browsing applications, with a new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans," SentinelOne security researcher Alex
Threat Mobile Prediction APT 36 ★★★
Mandiant.webp 2024-05-22 14:00:00 IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders
(direct link)
Written by: Michael Raggi

Mandiant Intelligence is tracking a growing trend among China-nexus cyber espionage operations where advanced persistent threat (APT) actors utilize proxy networks known as “ORB networks” (operational relay box networks) to gain an advantage when conducting espionage operations. ORB networks are akin to botnets and are made up of virtual private servers (VPS), as well as compromised Internet of Things (IoT) devices, smart devices, and routers that are often end of life or unsupported by their manufacturers. Building networks of compromised devices allows ORB network administrators to easily grow the size of their ORB network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations.

By using these mesh networks to conduct espionage operations, actors can disguise external traffic between command and control (C2) infrastructure and victim environments including vulnerable edge devices that are being exploited via zero-day vulnerabilities.

These networks often use both rented VPS nodes in combination with malware designed to target routers so they can grow the number of devices capable of relaying traffic within compromised networks.

Mandiant assesses with moderate confidence that this is an effort to raise the cost of defending an enterprise's network and shift the advantage toward espionage operators by evading detection and complicating attribution. Mandiant believes that if network defenders can shift the current enterprise defense paradigm away from treating adversary infrastructure like indicators of compromise (IOCs) and instead toward tracking ORB networks like evolving entities akin to APT groups, enterprises can contend with the rising challenge of ORB networks in the threat landscape.

IOC Extinction and the Rise of ORB Networks

The cybersecurity industry has reported on the APT practice of ORB network usage in the past as well as on the functional implementation of these networks. Less discussed are the implications of broad ORB network usage by a multitude of China-nexus espionage actors, which has become more common over recent years. The following are three key points and paradigm shifting implications about ORB networks that require enterprise network defenders to adapt the way they think about China-nexus espionage actors:

- ORB networks undermine the idea of “Actor-Controlled Infrastructure”: ORB networks are infrastructure networks administered by independent entities, contractors, or administrators within the People's Republic of China (PRC). They are not controlled by a single APT actor. ORB networks create a network interface, administer a network of compromised nodes, and contract access to those networks to multiple APT actors that will use the ORB networks to carry out their own distinct espionage and reconnaissance. These networks are not controlled by APT actors using them, but rather are temporarily used by these APT actors often to deploy custom tooling more conventionally attributable to known China-nexus adversaries.
- ORB network infrastructure has a short lifesp
Malware Tool Vulnerability Threat Prediction Cloud Commercial APT 15 APT 5 APT 31 ★★★
kovrr.webp 2023-11-28 00:00:00 Investigating the Risk of Compromised Credentials and Internet-Exposed Assets Explore the report revealing industries and company sizes with the highest rates of compromised credentials and internet-exposed assets.
(direct link)
Introduction

In this report, Kovrr collected and analyzed data to better understand one of the most common initial access vectors (1) - the use of compromised credentials (Valid Accounts - T1078) (2) to access internet-exposed assets (External Remote Services - T113) (3). The toxic combination of these two initial access vectors can allow malicious actors to gain a foothold in company networks before moving on to the next stage of their attack, which can be data theft, ransomware, denial of service, or any other action. There are numerous examples of breaches perpetrated by many attack groups that have occurred using this combination, for example, breaches by Lapsus (4) and APT39 (5), among others.

This report seeks to demonstrate which industries and company sizes have the highest percentage of compromised credentials and number of internet-exposed assets and face a higher risk of having their networks breached by the toxic combination of the initial access vectors mentioned above.

It should be noted that having an asset exposed to the internet does not inherently pose a risk or indicate that a company has poor security. In our highly digitized world, companies are required to expose services to the internet so their services can be accessed by customers, vendors, and remote employees. These services include VPN servers, SaaS applications developed by the company, databases, and shared storage units. However, there are some common cases when having an asset exposed to the internet can be extremely risky, for example:

- When a company unintentionally exposes an asset due to misconfiguration.
- When a malicious third party obtains compromised credentials of a legitimate third party and accesses an exposed asset.

To limit unnecessary internet exposure, companies should employ the following possible mitigations:

- Use Multi-Factor Authentication (MFA) for any services or assets that require a connection so that compromised credentials on their own will not be enough to breach an exposed asset.
- Limit access to the asset to only specific accounts, domains, and/or IP ranges.
- Segment the internal company network and isolate critical areas so that even if a network is breached through access to an external asset, attackers will not be able to use that access to reach wider or more sensitive areas of the company network.

Summary

The following are the main findings from the collected data:

- The Services industry is by far the most exposed to attackers. Companies from that industry have the highest percentage of compromised credentials (74%). However, they have a relatively low amount of internet-exposed assets per company (34%). However, given that an average cyber loss in this industry has been shown to be about $45M, this is highly concerning (6). The Services industry (SIC Division I) is followed by Division E (Transportation, Communications, Electric, Gas, and Sanitary Services, with an average loss of around $58M), which is followed by Division D (Manufacturing, with an average loss of around $25M).
- The revenue range for companies with the highest number of compromised credentials is $1M-$10M, followed by $10M-$50M. A similar trend is also observed when evaluating company size by the number of employees. Indeed, companies with fewer employees have a higher share of compromised credentials.
- On average, the larger the company (both in terms of revenue and number of employees (7)), the greater the number of internet-exposed assets.
- There is a correlation between the industries and revenue ranges of companies targeted by ransomware and those with the highest share of compromised credentials.

Methodology

The data for this research was collected as follows:

- Data regarding compromised credentials was first collected from Hudson Rock, a provider of various cybercrime data. Data was collected for the previous six months, beginning March 2023. This data

Ransomware Threat Studies Prediction Cloud APT 39 APT 39 APT 17 ★★★
Blog.webp 2023-10-23 02:22:16 2023 Aug – Threat Trend Report on APT Groups
(direct link)
August 2023 Major Issues on APT Groups 1) Andariel 2) APT29 3) APT31 4) Bitter 5) Bronze Starlight 6) Callisto 7) Carderbee 8) Charcoal Typhoon (RedHotel) 9) Earth Estries 10) Flax Typhoon 11) GroundPeony 12) Infamous Chisel 13) Kimsuky 14) Lazarus 15) MoustachedBouncher 16) Mysterious Elephant (APT-K-47) 17) Nobelium (Midnight Blizzard) 18) Red Eyes (APT37) Aug_Threat Trend Report on APT Groups
Threat Prediction APT 38 APT 38 APT 37 APT 29 APT 31 ★★★
The_Hackers_News.webp 2023-09-30 14:51:00 Iranian APT Group OilRig Using New Menorah Malware for Covert Operations
(direct link)
Sophisticated cyber actors backed by Iran known as OilRig have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah. "The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware," Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy
Malware Prediction APT 34 ★★★
Blog.webp 2023-09-11 05:02:48 Threat Trend Report on APT Groups – July 2023
(direct link)
July 2023 Major Issues on APT Groups 1) APT28 2) APT29 3) APT31 4) Camouflaged Hunter 5) Charming Kitten 6) Gamaredon 7) Kimsuky 8) Konni 9) Lazarus 10) Mustang Panda 11) Patchwork 12) Red Eyes 13) Space Pirates 14) Turla 15) Unclassified ATIP_2023_Jul_Threat Trend Report on APT Groups
Threat Prediction APT 38 APT 37 APT 37 APT 35 APT 35 APT 29 APT 29 APT 28 APT 28 APT 31 ★★
Blog.webp 2023-08-16 06:46:45 Threat Trend Report on APT Groups – June 2023
(direct link)
APT Group Trends – June 2023  1) Andariel 2) APT28 3) Cadet Blizzard (DEV-0586) 4) Camaro Dragon 5) Charming Kitten (Mint Sandstorm) 6) Gamaredon (Shuckworm) 7) Ke3chang (APT15, Nickel) 8) Kimsuky 9) Lazarus 10) Muddy Water 11) Mustang Panda 12) OceanLotus 13) Patchwork (White Elephant) 14) Red Eyes (APT37) 15) Sharp Panda 16) SideCopy 17) Stealth Soldier ATIP_2023_Jun_Threat Trend Report on APT Groups
Threat Prediction APT 38 APT 37 APT 37 APT 35 APT 35 APT 32 APT 32 APT 28 APT 28 APT 15 APT 15 APT 25 ★★
Blog.webp 2023-07-07 02:33:29 Threat Trend Report on APT Groups – May 2023
(direct link)
The cases of major APT groups for May 2023 gathered from materials made public by security companies and institutions are as follows. – Agrius – Andariel – APT28 – APT29 – APT-C-36 (Blind Eagle) – Camaro Dragon – CloudWizard – Earth Longzhi (APT41) – GoldenJackal – Kimsuky – Lazarus – Lancefly – OilAlpha – Red Eyes (APT37, ScarCruft) – SideCopy – SideWinder – Transparent Tribe (APT36) – Volt Typhoon (Bronze Silhouette) ATIP_2023_May_Threat Trend Report on APT Groups_20230609
Threat Prediction APT 41 APT 38 APT 37 APT 37 APT 29 APT 29 APT 28 APT 28 APT 36 APT 36 Guam Guam APT-C-17 APT-C-17 GoldenJackal GoldenJackal APT-C-36 ★★★
Anomali.webp 2023-05-01 23:16:00 Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption
(direct link)
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Remapping, Cloud C2s, Infostealers, Iran, North Korea, RATs, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Cyber News and Threat Intelligence

Chain Reaction: Rokrat's Missing Link (published: May 1, 2023)

Since 2022, the North Korea-sponsored group APT37 (Group123, Ricochet Chollima) has mostly changed its delivery methods from maldocs to hiding payloads inside oversized LNK files. Check Point researchers identified several infection chains used by the group from July 2022 to April 2023. These were used to deliver one of APT37's custom tools (Goldbackdoor and Rokrat), or the commodity malware Amadey. All the studied lures appear to target Korean people with topics related to South Korea.

Analyst Comment: The switch to LNK-based infection chains allows APT37 to require less user interaction, as the chain can be triggered by a simple double click. The group continues to use the well-tried Rokrat, which remains a stealthy tool with its additional layers of encryption, cloud C2, and in-memory execution. Indicators associated with this campaign are available in the Anomali platform, and customers are advised to block them on their infrastructure.

MITRE ATT&CK: [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1055 - Process Injection | [MITRE ATT&CK] T1027 - Obfuscated Files or Information | [MITRE ATT&CK] T1105 - Ingress Tool Transfer | [MITRE ATT&CK] T1204.002 - User Execution: Malicious File | [MITRE ATT&CK] T1059.005 - Command and Scripting Interpreter: Visual Basic | [MITRE ATT&CK] T1140 - Deobfuscate/Decode Files or Information | [MITRE ATT&CK] T1218.011 - Signed Binary Proxy Execution: Rundll32

Tags: malware:Rokrat, mitre-software-id:S0240, malware-type:RAT, actor:Group123, mitre-group:APT37, actor:Ricochet Chollima, source-country:North Korea, source-country:KP, target-country:South Korea, target-country:KR, file-type:ZIP, file-type:DOC, file-type:ISO, file-type:LNK, file-type:BAT, file-type:EXE, file-type:VBS, malware:Amadey, malware:Goldbackdoor, malware-type:Backdoor, abused:pCloud, abused:Yandex Cloud, abused:OneDrive, abused:Hangul Word Processor, abused:Themida, target-system:Windows

Ransomware Malware Tool Vulnerability Threat Prediction Cloud APT 37 APT 37 APT 35 ★★
knowbe4.webp 2023-02-28 14:00:00 CyberheistNews Vol 13 #09 [Eye Opener] Should You Click on Unsubscribe?
(direct link)
CyberheistNews Vol 13 #09 | February 28th, 2023

[Eye Opener] Should You Click on Unsubscribe?

By Roger A. Grimes.

Some common questions we get are "Should I click on an unwanted email's 'Unsubscribe' link? Will that lead to more or less unwanted email?"

The short answer is that, in general, it is OK to click on a legitimate vendor's unsubscribe link. But if you think the email is sketchy or coming from a source you would not want to validate your email address as valid and active, or are unsure, do not take the chance, skip the unsubscribe action.

In many countries, legitimate vendors are bound by law to offer (free) unsubscribe functionality and abide by a user's preferences. For example, in the U.S., the 2003 CAN-SPAM Act states that businesses must offer clear instructions on how the recipient can remove themselves from the involved mailing list and that request must be honored within 10 days.

Note: Many countries have laws similar to the CAN-SPAM Act, although with privacy protection ranging the privacy spectrum from very little to a lot more protection. The unsubscribe feature does not have to be a URL link, but it does have to be an "internet-based way."

The most popular alternative method besides a URL link is an email address to use. In some cases, there are specific instructions you have to follow, such as put "Unsubscribe" in the subject of the email. Other times you are expected to craft your own message. Luckily, most of the time simply sending any email to the listed unsubscribe email address is enough to remove your email address from the mailing list.

[CONTINUED] at the KnowBe4 blog: https://blog.knowbe4.com/should-you-click-on-unsubscribe

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense. Join us TOMORROW, Wednesday, March 1, @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approac

Malware Hack Tool Vulnerability Threat Guideline Prediction APT 38 ChatGPT ★★★
The_Hackers_News.webp 2023-02-03 17:42:00 Iranian OilRig Hackers Using New Backdoor to Exfiltrate Data from Govt. Organizations
(direct link)
The Iranian nation-state hacking group known as OilRig has continued to target government organizations in the Middle East as part of a cyber espionage campaign that leverages a new backdoor to exfiltrate data. "The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers," Trend Micro researchers Mohamed Fahmy, Sherif
Prediction APT 34 ★★
no_ico.webp 2023-02-03 15:06:57 OilRig Hackers Exfiltrate Data From Govt. Agencies Using New Backdoors
(direct link)
In an ongoing cyber espionage campaign that uses a new backdoor to exfiltrate data, the Iranian nation-state hacker group OilRig has continued to target Middle Eastern governments. Researchers at Trend Micro, Mohamed Fahmy, Sherif Magdy, and Mahmoud Zohdy, explained that the effort “abuses legitimate but hacked email accounts to deliver stolen data to external mail […]
Prediction APT 34 ★★★
DarkReading.webp 2022-09-09 16:48:02 US Sanctions Iran Over APT Cyberattack Activity
(direct link)
The Treasury Department links the MuddyWater APT and APT39 to Iran's intelligence apparatus, which is now blocked from doing business with US entities.
Prediction APT 39
Anomali.webp 2021-10-12 17:41:00 Anomali Cyber Watch: Aerospace and Telecoms Targeted by Iranian MalKamak Group, Cozy Bear Refocuses on Cyberespionage, Wicked Panda is Traced by Malleable C2 Profiles, and More
(direct link)
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data leak, Ransomware, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Russian Cyberattacks Pose Greater Risk to Governments and Other Insights from Our Annual Report (published: October 7, 2021)

Approximately 58% of all nation-state attacks observed by Microsoft between July 2020 and June 2021 have been attributed to the Russian-sponsored threat groups, specifically to Cozy Bear (APT29, Nobelium) associated with the Russian Foreign Intelligence Service (SVR). The United States, Ukraine, and the UK were the top three targeted by them. Russian Advanced Persistent Threat (APT) actors increased their effectiveness from a 21% successful compromise rate to a 32% rate comparing year to year. They achieve it by starting an attack with supply-chain compromise, utilizing effective tools such as web shells, and increasing their skills with the cloud environment targeting. Russian APTs are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53% – largely agencies involved in foreign policy, national security, or defense. Following Russia by the number of APT cyberattacks were North Korea (23%), Iran (11%), and China (8%).

Analyst Comment: As the collection of intrusions for potential disruption operations via critical infrastructure attacks became too risky for Russia, it refocused back to gaining access to and harvesting intelligence. The scale and growing effectiveness of the cyberespionage requires a defence-in-depth approach and tools such as Anomali Match that provide real-time forensics capability to identify potential breaches and known actor attributions.

MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Brute Force - T1110

Tags: Fancy Bear, APT28, APT29, The Dukes, Strontium, Nobelium, Energetic Bear, Cozy Bear, Government, APT, Russia, SVR, China, North Korea, USA, UK, Ukraine, Iran

Ransomware in the CIS (published: October 7, 2021)

Many prominent ransomware groups have members located in Russia and the Commonwealth of Independent States (CIS) - and they avoid targeting this region. Still, businesses in the CIS are under the risk of being targeted by dozens of lesser-known ransomware groups. Researchers from Kaspersky Labs have published a report detailing nine business-oriented ransomware trojans that were most active in the CIS in the first half of 2021. These ransomware families are BigBobRoss (TheDMR), Cryakl (CryLock), CryptConsole, Crysis (Dharma), Fonix (XINOF), Limbozar (VoidCrypt), Phobos (Eking), Thanos (Hakbit), and XMRLocker. The oldest, Cryakl, has been around since April 2014, and the newest, XMRLocker, was first detected in August 2020. Most of them were mainly distributed via the cracking of Remote Deskto

Ransomware Malware Tool Threat Guideline Prediction APT 41 APT 41 APT 39 APT 29 APT 29 APT 28
SecurityThroughEducation.webp 2021-05-10 06:00:29 Ep. 145 – Baking a Human Behavior Cake with Jack Schafer (lien direct) In this episode, Chris Hadnagy and Maxie Reynolds are joined by industry professional Jack Schafer, PhD.  Dr. Schafer is a psychologist, professor, intelligence consultant, and former FBI Special Agent. Dr. Schafer spent fifteen years conducting counter-intelligence and counterterrorism investigations, and seven years as a behavioral analyst for the FBI’s National Security Division’s Behavioral Analysis Program.   May 10, 2021 Download Ep. 145 […] Prediction APT 39
ZDNet.webp 2020-09-17 23:41:21 US sanctions Iranian government front company hiding major hacking operations (lien direct) US says the Iranian government used the "Rana Intelligence Computing Company" as a front for the APT39 hacking group. Prediction APT 39
DarkReading.webp 2020-09-17 17:10:00 Iranian Hackers Indicted for Stealing Aerospace & Satellite Tracking Data (lien direct) Also, the US Treasury sanctioned Iranian attack group APT39 following a years-long malware campaign. Malware Prediction APT 39
Checkpoint.webp 2020-07-24 13:00:18 Check Point CloudGuard Connect Protects Microsoft Azure Branch Office Internet Connections from Cyber Attacks (lien direct) By Russ Schafer, Head of Product Marketing, Security Platforms Enterprises are moving their applications, workloads and services out of the data center into the cloud. As enterprises become more distributed, organizations need flexible solutions that deliver secure and predictable application performance across a global footprint. Companies need to securely connect their branch offices to the… Prediction APT 39
Checkpoint.webp 2020-07-17 10:00:58 Check Point IoT Protect Uses Automation and Threat Intelligence to Prevent the most advanced IoT cyber-attacks (lien direct) Integrated solution prevents attacks at both IoT network and device level, even on unpatchable devices: protects critical infrastructure, industrial, healthcare, smart city and smart building environments By Russ Schafer, Head of Product Marketing, Security Platforms It is estimated that over 41 billion IoT devices will be connected in the next few years. Given 127 new… Threat Prediction APT 39
SecurityAffairs.webp 2020-05-21 11:49:49 Iran-linked Chafer APT group targets governments in Kuwait and Saudi Arabia (lien direct) Cybersecurity researchers uncovered an Iranian cyber espionage campaign conducted by Chafer APT and aimed at critical infrastructures in Kuwait and Saudi Arabia. Cybersecurity researchers from Bitdefender published a detailed report on an Iranian cyber espionage campaign directed against critical infrastructures in Kuwait and Saudi Arabia. The cyber espionage campaigns were carried out by Iran-linked Chafer […] Prediction APT 39
The_Hackers_News.webp 2020-05-21 01:11:42 Iranian APT Group Targets Governments in Kuwait and Saudi Arabia (lien direct) Today, cybersecurity researchers shed light on an Iranian cyber espionage campaign directed against critical infrastructures in Kuwait and Saudi Arabia. Bitdefender said the intelligence-gathering operations were conducted by Chafer APT (also known as APT39 or Remix Kitten), a threat actor known for its attacks on telecommunication and travel industries in the Middle East to collect personal Threat Prediction APT 39
Checkpoint.webp 2020-05-20 13:00:40 Check Point and Citrix: Securing the SD-WAN Edge with Multi-layered Security (lien direct) By Russ Schafer, Head of Product Marketing, Security Platforms The coronavirus has challenged enterprises to quickly enable their employees to work productively from home. Enterprises are turning away from traditional WAN architectures and adopting SD-WAN to provide better support for cloud SaaS applications. SD-WAN enables users to connect through their local Internet providers instead of… Prediction APT 39
Checkpoint.webp 2019-12-06 13:00:09 Protect Your Network Edge with VMware SD-WAN and Check Point Security (lien direct) By Russ Schafer, Head of Product Marketing, Security Platforms, published December 6th, 2019 As enterprise branch offices expand their use of cloud applications, they are adopting software defined wide area networking (SD-WAN) to improve application performance by intelligently routing traffic directly to the Internet without passing it through the data center. Connecting branch offices directly… Prediction APT 39
Checkpoint.webp 2019-11-05 19:13:49 Check Point Protects Branch Office Microsoft Azure Internet Connections and SaaS Applications from Cyber Attacks (lien direct) By Russ Schafer, Head of Product Marketing, Security Platforms, published November 5, 2019 Enterprises are moving their applications, workloads and services out of the data center into the cloud. As enterprises become more distributed, organizations need flexible solutions that deliver secure and predictable application performance across a global footprint. Companies need to securely connect their… Prediction APT 39
Checkpoint.webp 2019-10-01 15:00:44 Check Point and VMware Partner to Secure Branch Office SD-WAN Connections to the Cloud (lien direct) By Russ Schafer, Head of Product Marketing, Security Platforms As more applications move from the datacenter to the cloud, enterprise users rely on these applications to do their daily jobs.  These SaaS applications range from productivity software like Office 365 to virtual meeting and collaboration tools like Zoom and Slack.  Applications that include voice and… Prediction APT 39
Checkpoint.webp 2019-09-05 13:00:43 (Déjà vu) Check Point, VMware and Silver Peak Transform Branch Office SD-WAN with Cloud Security Services (lien direct) By Russ Schafer, Head of Product Marketing, Security Platforms Enterprise security solutions enable branch offices to connect safely and reliably to the data center, the Internet and cloud applications. In the past, branches relied on centralized security gateways at their data center to protect the entire enterprise.  Enterprises sent branch traffic to the data center… Prediction APT 39
Checkpoint.webp 2019-09-05 13:00:04 Transforming Branch Security with Top-Rated Threat Prevention Cloud Services Integrated with VMware and Silver Peak SD-WAN (lien direct) By Russ Schafer, Head of Product Marketing, Security Platforms Enterprise security solutions enable branch offices to connect safely and reliably to the data center, the Internet and cloud applications. In the past, branches relied on centralized security gateways at their data center to protect the entire enterprise.  Enterprises sent branch traffic to the data center… Threat Prediction APT 39
AlienVault.webp 2019-04-12 13:00:00 Things I hearted this week 12th April 2019 (lien direct) Hello again to another weekly security roundup. This week, I have a slightly different spin on the roundup in that the net has been slightly widened to include broader technology topics from more than just this last week. However, all of the articles were written by ladies. With that, let’s dive straight in. A beginner's guide to test automation If you’re new to automated testing, you’re probably starting off with a lot of questions: How do I know which tests to automate? Why is automated testing useful for me and my team? How do I choose a tool or framework? The options for automated testing are wide open, and you may feel overwhelmed. If so, this is a great article on how to get started. A Beginner's Guide to Test Automation | Sticky Minds All roads lead to exploratory testing When I’m faced with something to test – be it a feature in a software application or a collection of features in a release, my general preference is weighted strongly towards exploratory testing. When someone who doesn’t know a great deal about testing wants me or my team to do testing for them, I would love to educate them on why exploratory testing could be a strong part of the test strategy. All roads lead to exploratory testing | Womentesters While on the topic of testing Testing Behaviours — Writing A Good Gherkin Script | Medium, Jo Mahadevan Single-page, server-side, static… say what? An emoji-filled learning journey about the trade-offs of different website architectures, complete with gifs, diagrams, and demo apps. If you’ve been hanging around the internet, trying to build websites and apps, you may have heard some words in conversation like static site or server-side rendered (SSR) or single-page app (SPA). But what do all of these words mean? How does each type of application architecture differ? 
What are the tradeoffs of each approach and which one should you use when building your website? Single-Page, Server-Side, Static… say what? | Marie Chatfield If, like me you enjoyed this post by Marie, check out some of her other posts which are great. Quick plug to Protocol-andia: Welcome to the Networking Neighborhood. A whimsical introduction to how computers talk to each other, and what exactly your requests are up to. Strengthen your security posture: start with a cybersecurity framework The 2017 Equifax data breach is expected to break all previous records for data breach costs, with Larry Ponemon, chairman of the Ponemon Institute, estimating the final cost to be more than $600 million. Even non-enterprise-level organizations suffer severe consequences for data breaches. According to the National Cyber Security Alliance, mid-market companies pay more than $1 million in post-attack mitigation, and the average cost of a data breach to an SMB is $117,000 per incident. While estimates vary, approximately 60% of businesses who suffer a breach are forced to shut down business within 6 months. It is mor Guideline Prediction Equifax APT 39
Checkpoint.webp 2019-04-11 13:00:03 Protect Your Business by Managing Network Security from the Palm of Your Hand (lien direct) by Russ Schafer, Head of Product Marketing, Security Platforms, published April 11th 2019     Next generation cyber security attacks can happen at any time to any size business, so you need to be prepared to react immediately. Based on the 2018 Verizon Data Breach report, 58% of security breach victims are categorized as small… Data Breach Prediction APT 39
SecurityAffairs.webp 2019-03-05 21:23:03 Iran-Linked Chafer APT recently used python-based backdoor (lien direct) The Iran-linked Chafer APT group used a new Python-based backdoor in recent attacks aimed at a Turkish government entity. The Iran-linked Chafer APT group used a new Python-based backdoor in attacks carried out in November 2018 that targeted a Turkish government entity. The Chafer APT group has distributed data stealer malware since at least mid-2014, […] Malware Prediction APT 39
SecurityWeek.webp 2019-03-05 15:30:05 Iran-Linked Hackers Use Python-Based Backdoor in Recent Attacks (lien direct) The Iran-linked Chafer threat group has used a new Python-based backdoor in November 2018 attacks targeting a Turkish government entity, Palo Alto Networks reveals.  Threat Prediction APT 39
SecurityAffairs.webp 2019-01-30 08:58:00 Iran-Linked APT39 group use off-the-shelf tools to steal data (lien direct) An Iran-linked cyber-espionage group tracked as APT39 is carrying out a widespread campaign using a broad range of custom and off-the-shelf tools. The APT39 cyberespionage group is carrying out a widespread campaign using a broad range of custom and off-the-shelf tools. The group has been active at least since November 2014, its operations are aligned […] Prediction APT 39
DataSecurityBreach.webp 2018-03-08 21:11:01 Chafer: an Iran-based group of cyber attackers (lien direct) A group of hackers, dubbed Chafer, is reportedly attacking companies around the world. Black-market enthusiasts... Prediction APT 39
SecurityWeek.webp 2018-03-01 19:06:00 Iran-Linked Chafer Group Expands Toolset, Targets List (lien direct) The Iran-based targeted attack group known as "Chafer" has been expanding its target list in the Middle East and beyond and adding new tools to its cyberweapon arsenal, Symantec warns. Prediction APT 39
Blog.webp 2018-03-01 15:32:02 Iran Taps Chafer APT Group amid Civil Aviation Crisis (lien direct) Iran’s Chafer hacking group is targeting aviation repair and maintenance firms in an apparent effort to obtain information needed to shore up the safety of that country’s fleet of domestic aircraft, according to research by the firm Symantec. When an Aseman Airlines flight crashed in bad weather in a mountainous region of southern Iran... Prediction APT 39
Last update at: 2025-05-10 21:52:54