What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2025-02-11 20:00:00 | Cybercrime: A Multifaceted National Security Threat (lien direct) | Executive Summary Cybercrime makes up a majority of the malicious activity online and occupies the majority of defenders\' resources. In 2024, Mandiant Consulting responded to almost four times more intrusions conducted by financially motivated actors than state-backed intrusions. Despite this overwhelming volume, cybercrime receives much less attention from national security practitioners than the threat from state-backed groups. While the threat from state-backed hacking is rightly understood to be severe, it should not be evaluated in isolation from financially motivated intrusions. A hospital disrupted by a state-backed group using a wiper and a hospital disrupted by a financially motivated group using ransomware have the same impact on patient care. Likewise, sensitive data stolen from an organization and posted on a data leak site can be exploited by an adversary in the same way data exfiltrated in an espionage operation can be. These examples are particularly salient today, as criminals increasingly target and leak data from hospitals. Healthcare\'s share of posts on data leak sites has doubled over the past three years, even as the number of data leak sites tracked by Google Threat Intelligence Group has increased by nearly 50% year over year. The impact of these attacks mean that they must be taken seriously as a national security threat, no matter the motivation of the actors behind it. Cybercrime also facilitates state-backed hacking by allowing states to purchase cyber capabilities, or co-opt criminals to conduct state-directed operations to steal data or engage in disruption. Russia has drawn on criminal capabilities to fuel the cyber support to their war in Ukraine. GRU-linked APT44 (aka Sandworm), a unit of Russian military intelligence, has employed malware available from cybercrime communities to conduct espionage and disruptive operations in Ukraine and CIGAR (aka RomCom), a group that historically focused on cybercrime, has conducted espionage operations against the Ukrainian government since 2022. However, this is not limited to Russia. Iranian threat groups deploy ransomware to raise funds while simultaneously conducting espionage, and Chinese espionage groups often supplement their income with cybercrime. Most notably, North Korea uses state-backed groups to directly generate revenue for the regime. North Korea has heavily targeted cryptocurrencies, compromising exchanges and individual victims\' crypto wallets. Despite the overlaps in effects and collaboration with states, tackling the root causes of cybercrime requires fundamentally different solutions. Cybercrime involves collaboration between disparate groups often across borders and without respect to sovereignty. Any solution requires international cooperation by both law enforcement and intelligence agencies to track, arrest, and prosecute these criminals. Individual takedowns can have important temporary effects, but the collaborative nature of cybercrime means that the disrupted group will be quickly replaced by others offering the same service. Achieving broader success will require collaboration between countries and public and private sectors on systemic solutions such as increasing education and resilience efforts. aside_block | Ransomware Malware Tool Vulnerability Threat Legislation Medical Cloud Technical | APT 41 APT 38 APT 29 APT 43 APT 44 | ★★★ |
 |
2024-12-30 12:02:43 | Weekly OSINT Highlights, 30 December 2024 (lien direct) | ## Snapshot
Last week\'s OSINT reporting highlights the persistence and evolution of cyber threats targeting a wide range of sectors, from cryptocurrency exchanges to aerospace and defense industries. The predominant attack vectors include phishing, exploitation of long-standing vulnerabilities, and the use of advanced malware like StealBit, OtterCookie, and VBCloud. Threat actors such as North Korea\'s Lazarus Group and TraderTraitor, as well as botnets like FICORA and CAPSAICIN, continue to refine their tactics, leveraging social engineering, compromised software repositories, and ransomware-as-a-service to achieve their objectives. These campaigns predominantly target high-value organizations and unpatched systems, emphasizing the importance of addressing known vulnerabilities and monitoring for sophisticated attack chains.
## Description
1. [StealBit Data Exfiltration Tool](https://sip.security.microsoft.com/intel-explorer/articles/68a374b4): The LockBit ransomware group employs StealBit as part of its ransomware-as-a-service program, facilitating data theft in double extortion attacks. Recent updates to the tool broaden its target base and enhance efficiency, allowing faster data exfiltration and streamlined operations.
1. [FICORA and CAPSAICIN Botnets](https://sip.security.microsoft.com/intel-explorer/articles/77c183a0): FortiGuard Labs observed global activity from the FICORA and CAPSAICIN botnets, exploiting long-standing vulnerabilities in D-Link devices. These botnets, targeting unpatched systems, leverage DDoS capabilities and advanced features to dominate infected devices, focusing on East Asia and other global regions.
1. [OtterCookie and the Contagious Interview Campaign](https://sip.security.microsoft.com/intel-explorer/articles/b5a152a8): North Korean actors deploy OtterCookie malware through fake job offers to developers, targeting cryptocurrency wallets and sensitive data. Infection methods include compromised GitHub and npm projects, with evolving variants enhancing data theft and lateral movement.
1. [TraderTraitor\'s $308 Million Cryptocurrency Heist](https://sip.security.microsoft.com/intel-explorer/articles/9cd8b8b5): The North Korean TraderTraitor group stole $308 million from Japan\'s DMM Bitcoin, leveraging LinkedIn for social engineering and GitHub for malware delivery. By compromising a Japanese cryptocurrency wallet company, the group infiltrated systems to manipulate legitimate transactions.
1. [Lazarus Group\'s DeathNote Campaign](https://sip.security.microsoft.com/intel-explorer/articles/3b7cea68): Lazarus Group continues targeting industries like aerospace and cryptocurrency through Operation DreamJob, using trojanized tools and DLL side-loading techniques. Recent attacks deploy advanced malware strains to evade detection, establish persistence, and enable lateral movement within targeted systems.
1. [Cloud Atlas 2024 Campaigns](https://sip.security.microsoft.com/intel-explorer/articles/caa75881): Cloud Atlas targets Eastern Europe and Central Asia with phishing emails exploiting Equation Editor vulnerabilities, delivering VBShower and VBCloud malware. These tools use PowerShell scripts for data theft, lateral movement, and exfiltration, with region-specific tactics to avoid detection.
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
## Snapshot Last week\'s OSINT reporting highlights the persistence and evolution of cyber threats targeting a wide range of sectors, from cryptocurrency exchanges to aerospace and defense industries. The predominant attack vectors include phishing, exploitation of long-standing vulnerabilities, and the use of advanced malware like StealBit, OtterCookie, and VBCloud. Threat actors such as North Korea\'s Lazarus Group and TraderTraitor, as well as botnets like FICORA and CAPSAICIN, continue to refine their tactics, leveraging |
Ransomware Malware Tool Vulnerability Threat Cloud | APT 38 | ★★ |
|
2024-11-18 12:22:31 | Weekly OSINT Highlights, 18 November 2024 (lien direct) | ## Snapshot Last week\'s OSINT reporting highlights a diverse array of cyber threats, including ransomware, phishing, espionage, and supply chain attacks. Key trends include evolving attack vectors like malicious .LNK files and PowerShell-based lateral movements, as seen in campaigns targeting Pakistan and other regions. Threat actors span from state-sponsored groups such as North Korea\'s Lazarus and China\'s TAG-112 to financially motivated groups like SilkSpecter, with targets including critical sectors like manufacturing, government, healthcare, and e-commerce. Information stealers emerged as a notable theme, with malware such as RustyStealer, Fickle Stealer, and PXA Stealer employing advanced obfuscation and multi-vector attacks to exfiltrate sensitive data from diverse sectors. The reports underscore sophisticated evasion tactics, the leveraging of legitimate platforms for malware delivery, and the persistent targeting of vulnerable backup and storage systems. ## Description 1. [Ymir Ransomware Attack](https://sip.security.microsoft.com/intel-explorer/articles/1444d044): Researchers at Kaspersky identified Ymir, a ransomware variant that performs operations entirely in memory and encrypts data using the ChaCha20 algorithm. Attackers used PowerShell-based lateral movement and reconnaissance tools, employing RustyStealer malware to gain initial access and steal data, targeting systems in Colombia among other regions. 1. [WIRTE Group Cyber Attacks](https://sip.security.microsoft.com/intel-explorer/articles/17c5101d): Check Point Research linked WIRTE, a Hamas-connected group, to espionage and disruptive cyber attacks in 2024, including PDF lure-driven Havoc framework deployments and SameCoin wiper campaigns targeting Israeli institutions. WIRTE, historically aligned with the Molerats, focuses on politically motivated attacks in the Middle East, showcasing ties to Gaza-based cyber activities. 1. [DoNot Group Targets Pakistani Manufacturing](https://sip.security.microsoft.com/intel-explorer/articles/25ee972c): The DoNot group launched a campaign against Pakistan\'s manufacturing sector, focusing on maritime and defense industries, using malicious .LNK files disguised as RTF documents to deliver stager malware via PowerShell. The campaign features advanced persistence mechanisms, updated AES encryption for C&C communications, and dynamic domain generation, highlighting their evolving evasion tactics. 1. [Election System Honeypot Findings](https://sip.security.microsoft.com/intel-explorer/articles/1a1b4eb7): Trustwave SpiderLabs\' honeypot for U.S. election infrastructure recorded attacks like brute force, SQL injection, and CVE exploits by botnets including Mirai and Hajime. The attacks, largely driven by exploit frameworks and dark web collaboration, underline persistent threats against election systems. 1. [Chinese TAG-112 Tibetan Espionage](https://sip.security.microsoft.com/intel-explorer/articles/11ae4e70): In May 2024, TAG-112, suspected to be Chinese state-sponsored, compromised Tibetan community websites via Joomla vulnerabilities to deliver Cobalt Strike payloads disguised as security certificates. The campaign reflects Chinese intelligence\'s enduring interest in monitoring and disrupting Tibetan and other minority organizations. 1. [Phishing Campaigns Exploit Ukrainian Entities](https://sip.security.microsoft.com/intel-explorer/articles/95253614a): Russian-linked threat actor UAC-0194 targeted Ukrainian entities with phishing campaigns, exploiting CVE-2023-320462 and CVE-2023-360251 through malicious hyperlinks in emails. The attacks leveraged compromised municipal servers to host malware and facilitate privilege escalation and security bypasses. 1. [Lazarus Group\'s MacOS Targeting](https://sip.security.microsoft.com/intel-explorer/articles/7c6b391d): Lazarus, a North Korean threat actor, deployed RustyAttr malware targeting macOS via malicious apps using Tauri framework, hiding payloads in Extended Attributes (EA). This campaign reflects evolvin | Ransomware Malware Tool Vulnerability Threat Prediction Medical Cloud Technical | APT 41 APT 38 | ★★★ |
|
2024-11-11 12:45:44 | Faits saillants hebdomadaires, 11 novembre 2024 (lien direct) | ## Instantané La semaine dernière, le rapport \\\\\\\\\\\\\ \ \ ait le rapport a mis en évidence un paysage à multiples facettes de cybermenaces motivé par diverses tactiques, vecteurs et cibles. L'analyse a souligné l'utilisation persistante du phishing comme vecteur dominant, allant de la lance sophistiquée ciblant les entités sud-coréennes par APT37 à des campagnes à grande échelle en Ukraine par l'UAC-0050. Des groupes avancés de menace persistante (APT) comme Sapphire Sleet, APT-36 et TA866 ont utilisé des méthodes furtives, y compris des logiciels malveillants modulaires et des outils RMM, pour atteindre l'espionnage et le gain financier. Les vulnérabilités d'infrastructures critiques, comme celles des systèmes Synology NAS et Palo Alto, ont en outre souligné les risques pour les dispositifs d'entreprise et de consommation. Les acteurs de la menace, notamment des groupes parrainés par l'État et des cybercriminels, des outils à effet de levier comme les logiciels malveillants de cryptomine, les botnets sophistiqués et les nouveaux rats pour étendre leur contrôle sur les systèmes, tandis que les élections influencent les opérations par des entités russes et iraniennes ont mis en lumière les dimensions géopolitiques des cyber-activités. Dans l'ensemble, la semaine a révélé un paysage de menaces en évolution marqué par des méthodes d'attaque adaptatives ciblant les institutions financières, les agences gouvernementales et les utilisateurs de tous les jours. ## Description 1. [Attaque silencieuse de l'écumeur] (https://sip.security.microsoft.com/intel-explorer/articles/2f001d21): l'unité 42 a suivi un compromis de serveur Web ciblant une organisation multinationale nord-américaine, liée à la campagne silencieuse de la campagne Skimmer Volet données de paiement en ligne. Les attaquants ont utilisé des vulnérabilités de Telerik UI, établi la persistance via des coquilles Web et des données exfiltrées à l'aide d'outils de tunneling. 1. [Bundle Steelfox Crimeware] (https://sip.security.microsoft.com/intel-explorer/articles/0661f634): une nouvelle étendue de paquet de logiciels malveillants via de faux activateurs de logiciels effectue une attaque multi-étages impliquant un theft de données et une cryptominage. Il cible principalement les utilisateurs du monde entier en exploitant les vulnérabilités de Windows pour élever les privilèges et maintenir la persistance. 1. [CloudComptation \\\\\\\\\\\\\\ ’scolatics d’espionnage évolutif] (https://sip.security.microsoft.com/intel-explorer/articles/792a6266): SecureList de Kaspersky a rapporté que CloudComputation (backdoordiplomacy) est passé à l'utilisation du framework QSC, un malware multi-plugine Outil conçu pour l'exécution des modules en mémoire, améliorant la furtivité et la persistance. Les attaques du groupe \\\\\\\\\\\\\ \\\ \ \\\\\\\\\ \ \ \ \ opérations système. 1. [Remcos Rat Phishing Campaign] (https://sip.security.microsoft.com/intel-explorer/articles/d36e3ff1): Fortiguard Labs a découvert une campagne de phishing déploiement des rat remcos via des documents Ole Excel ole excel qui exploitent les vulnérabilités de Microsoft. Cette attaque tire parti des techniques d'anti-analyse, de la livraison de charge utile sans fil et de la manipulation du système pour la persistance, permettant aux attaquants de contrôler les appareils de victime, de collecter des données et de communiquer avec un serveur de commandement et de contrôle à l'aide de canaux cryptés. 1. [Wish Stealer Malware] (https://sip.security.microsoft.com/intel-explorer/articles/a11d08f6): Cyfirma a découvert un voleur d'informations Windows ciblant la discorde, les navigateurs Web et les portefeuilles de crypto-monnaie. Il utilise le détournement de presse-papiers, les fonctionnalités anti-détection et la discorde pour l'exfiltration des données, posant des risques à la sécurité des utilisateurs. 1. [Apt37 ciblant la Corée du Sud] (https://sip.security.microsoft.com/in | Ransomware Malware Tool Vulnerability Threat Mobile Cloud | APT 37 | ★★★ |
|
2024-11-04 19:39:03 | Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT (lien direct) | #### Géolocations ciblées - Inde ## Instantané APT-36, un acteur de menace basé au Pakistan, a activement ciblé les systèmes indiens avec un logiciel malveillant sophistiqué connu sous le nom d'Elizarat. ## Description Ce malware, identifié pour la première fois en 2023, a considérablement évolué, utilisant des tactiques d'évasion avancées et une infrastructure de commande et de contrôle basée sur le cloud (C2), notamment Google Drive, Telegram et Slack.APT-36 a récemment introduit une nouvelle charge utile, Apolostealer, qui est conçue pour collecter et exfiltrer des fichiers sensibles à partir de systèmes infectés. Elizarat utilise des fichiers de panneaux de commande (CPL) distribués par phishing pour initier les infections, avec une communication C2 ultérieure souvent gérée via des services cloud ou d'autres.Le malware enregistre les victimes en stockant leurs informations d'identification et de système, en enregistrant périodiquement le C2 pour les nouvelles commandes.Ces commandes peuvent inclure des tâches comme le téléchargement de fichiers, la prise de captures d'écran et la collecte d'informations système. Apolostealer, un ajout à la campagne, cible d'autres fichiers avec des extensions spécifiques telles que .pdf, .doc et .jpg, stockant les métadonnées dans une base de données SQLite pour l'exfiltration.Notamment, il surveille également les lecteurs externes, collectant des fichiers pertinents pour la récupération ultérieure.L'infrastructure cloud d'Elizarat \\ et l'utilisation de services Web courants rendent la détection difficile, car elle se mélange à une activité de réseau légitime. En 2024, l'APT-36 a mené de multiples campagnes contre des objectifs de haut niveau en Inde, chacun montrant des améliorations techniques d'Elizarat.Ces campagnes ont utilisé des variantes distinctes d'Elizarat et d'apolostealer avec des techniques sophistiquées, soulignant l'intention ciblée de l'APT-36 \\ sur le cyber-espionnage contre les organisations indiennes. ## Analyse Microsoft et contexte OSINT supplémentaire L'APT36, également connu sous le nom de Tribe Transparent, est un groupe de menaces basé au Pakistan qui se concentre principalement sur le cyberespionnage contre le gouvernement indien, la défense et les secteurs de l'éducation.Notamment, le groupe a été observé ciblant le gouvernement indien et les militaires en utilisant [des APK malveillants imitant YouTube] (https://www.sentinelone.com/labs/capratube-remix-transparent-tribes-android-spyware-targeting-gamers-weapons-Enthousiastes /) et [INDIAN ENDUCTION INSTRUCTIONS] (http://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html) en utilisant des logiciels malveillants personnalisés. Le groupe utilise un large éventail d'outils, notamment des chevaux de Troie (rats) à un accès à distance sur mesure pour les fenêtres, des cadres de commande et de contrôle open source modifiés, des installateurs maltraités qui imitent les applications gouvernementales indiennes, les applications Android malveillantes et les sites de phishing ciblant les Indiens indiensofficiels.Les logiciels malveillants notables liés à l'APT36 comprennent Elizarat, Caprarat, Poséidon, Crimsonrat, Obliquerat, Darkcomet et Peppy. ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace. - Allumez [Protection en livraison du cloud] (https://learn.microsoft.com/en-us/defender-endpoint/linux-preférences) dans Microsoft Defender Antivirus ou l'équivalent de votre produit antivirus pour couvrir rapidement les outils d'attaquant en évolution et et et les outils d'attaquant en évolution rapide ettechniques.Les protections d'apprentissage automatique basées sur le cloud bloquent la majorité des menaces nouvelles et inconnues. - Exécuter [EDR en mode bloc] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid | Ransomware Malware Tool Threat Mobile Cloud Technical | APT 36 | ★★ |
|
2024-11-04 12:25:16 | Faits saillants hebdomadaires d'osint, 4 novembre 2024 Weekly OSINT Highlights, 4 November 2024 (lien direct) |
## Instantané La semaine dernière, les rapports OSINT de \\ ont mis en évidence l'activité de menace parrainée par l'État et la menace cybercriminale, avec divers vecteurs d'attaque et cibles dans les secteurs.Des acteurs apt en Corée du Nord, en Chine et en Russie ont mené des campagnes ciblées de phishing, de réseau et de campagnes de logiciels malveillants.Les groupes nord-coréens et russes ont favorisé les tactiques de vol d'identification et de ransomwares ciblant les secteurs du gouvernement aux militaires, tandis que les acteurs chinois ont exploité les vulnérabilités de pare-feu pour obtenir un accès à long terme dans les secteurs à enjeux élevés.Pendant ce temps, les cybercriminels ont mis à profit l'ingénierie sociale, le Vishing et l'IoT et les vulnérabilités de plugin pour infiltrer les environnements cloud, les appareils IoT et les systèmes Android.L'accent mis sur l'exploitation des vulnérabilités de logiciels populaires et des plateformes Web souligne l'adaptabilité de ces acteurs de menace à mesure qu'ils étendent leur portée d'attaque, en particulier dans l'utilisation des stratégies de cloud, de virtualisation et de cryptomiminage dans une gamme d'industries. ## Description 1. [Jumpy Poisses Ransomware Collaboration] (https://sip.security.microsoft.com/intel-explorer/articles/393b61a9): l'unité 42 a rapporté la Corée du Nord \'s Jucky Pisse (Onyx Sleet) en partenariat avec Play Ransomware in \'s Jumpy Pisses (ONYX Sleet) en partenariat avec Play Ransomware dans Play Ransomware in Jumpy Pisses (ONYX Sleet)Une attaque à motivation financière ciblant les organisations non spécifiées.L'acteur de menace a utilisé des outils comme Sliver, Dtrack et Psexec pour gagner de la persistance et dégénérerPrivilèges, se terminant par le déploiement des ransomwares de jeu. 1. [Menaces chinoises ciblant les pare-feu] (https://sip.security.microsoft.com/intel-Explorateur / articles / 798C0FDB): Sophos X-OPS a identifié des groupes basés en Chine comme Volt Typhoon, APT31 et APT41 exploitant des pare-feu pour accéderPacifique.Ces groupes utilisent des techniques sophistiquées telles que les rootkits de vie et multiplateforme. 1. [Campagne de phishing sur la plate-forme Naver] (https://sip.security.microsoft.com/intel-explorer/articles/dfee0ab5): les acteurs liés au nord-coréen ont lancé une campagne de phishing ciblant la Corée du Sud \'s Naver, tentantPour voler des informations d'identification de connexion via plusieurs domaines de phishing.L'infrastructure, avec les modifications du certificat SSL et les capacités de suivi, s'aligne sur Kimsuky (Emerald Sleet), connu pour ses tactiques de vol d'identification. 1. [FAKECALL Vishing malware sur Android] (https://sip.security.microsoft.com/intel-explorer/articles/d94c18b0): les chercheurs de Zimperium ont identifié des techniques de vitesses de malware FAKECALT pour voler les utilisateurs de l'Android.Le malware intercepte les appels et imite le numéroteur d'Android \\, permettant aux attaquants de tromper les utilisateurs pour divulguer des informations sensibles. 1. [Facebook Business Phishing Campaign] (https://sip.security.microsoft.com/intel-explorer/articles/82b49ffd): Cisco Talos a détecté une attaque de phishing ciblant les comptes commerciaux Facebook à Taiwan, en utilisant des avis juridiques comme leurre.Lummac2 et les logiciels malveillants de volée des informations de Rhadamanthys ont été intégrés dans des fichiers RAR, collectionner des informations d'identification du système et éluder la détection par l'obscurcissement et l'injection de processus. 1. [Vulnérabilité des caches litres de LiteSpeed] (https://sip.security.microsoft.com/intel-explorer/articles/a85b69db): le défaut du plugin de cache LiteSpeets (CVE-2024-50550) pourrait permettre une escalale de privilège à un niveau de privilège à plus de six millions pour plus de six millionssites.Les vulnérabilités exploitées ont permis aux attaquants de télécharger des plugins ma | Ransomware Malware Tool Vulnerability Threat Mobile Prediction Medical Cloud Technical | APT 41 APT 28 APT 31 Guam | ★★★ |
|
2024-10-30 18:25:16 | (Déjà vu) Rekoobe Backdoor découverte dans le répertoire ouvert, ciblant éventuellement les utilisateurs de TradingView Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users (lien direct) |
## Instantané Une enquête récente a découvert la présence de Rekoobe, une porte dérobée initialement utilisée par APT31, suivie parMicrosoft comme [Violet Typhoon] (https://security.microsoft.com/intel-profiles/978d728039ed98462546859f2ac987e77a6c7da15d760e7ac0aaf173AC486), dans les répertoires ouverts. ## Description Rekoobe, basé en partie sur Tiny Shell, a évolué avec un chiffrement avancé et des paramètres de commande et de contrôle uniques, ce qui rend la détection difficile.Les chercheurs ont trouvé deux échantillons de rekoobe sur un répertoire ouvert lié à l'adresse IP 27.124.45 \ [. \] 146, révélant des binaires de logiciels malveillants étiquetés selon l'architecture et la date.Ces binaires ont tenté de se connecter avec le serveur d'hébergement via un port spécifique, suivant les modèles observés dans d'autres logiciels malveillants Rekoobe. Une analyse plus approfondie a identifié plusieurs domaines de sosie imitant le site Web populaire de TradingView, suggérant des efforts de phishing potentiels ciblant la communauté financière.Ces domaines présentent de légères variations typographiques, peut-être pour l'ingénierie sociale ou les attaques de phishing.Bien qu'aucun contenu actif n'ait été observé, le chevauchement de ces domaines avec une activité Rekoobe suggère une campagne coordonnée. L'enquête a également lié d'autres serveurs dans la même infrastructure basée à Hong Kong à l'aide de clés SSH partagées, renforçant la notion d'une configuration malveillante plus large.De plus, un outil de sécurité, Yakit, connu pour son équipe rouge légitime, a été trouvé sur un serveur, soulevant des questions sur son utilisation dans ce contexte.Collectivement, ces résultats révèlent une opération malveillante potentiellement étendue destinée aux plateformes financières, exigeant un examen minutieux. ## Analyse Microsoft et contexte OSINT supplémentaire L'acteur Microsoft suit comme [Violet Typhoon] (https://security.microsoft.com/intel-profiles/978d728039ed98462546859f2ac987e7ec77a6c7da15d760e7ac0aaf173ac486). Phoon est connu principalementcibler l'ancien gouvernement et le personnel militaire, les ONG et les groupes de réflexion aux États-Unis.Violet Typhoon se concentre sur l'espionnage.L'acteur est connu pour effectuer une analyse de vulnérabilité pour identifier l'infrastructure Web exposée à Internet, telles que les serveurs Web, la gestion de contenu ou les portails de gestion, puis exploiter ces vulnérabilités pour installer des shells Web.De plus, Violet Typhoon utilise la technique de reconnaissance des bogues Web. Le typhon Violet a également été observé à l'aide de courriels de phisseur de lance contenant un lien qui redirige vers les pages de connexion de récolte des informations d'identification.Après avoir obtenu un accès initial, le typhon Violet utilise des techniques d'adversaire dans le milieu et des capacités de fenêtres intégrées pour le mouvement latéral et l'escalade des privilèges.Microsoft a également observé le groupe à l'aide d'exploits de jours zéro pour l'escalade des privilèges.Violet Typhoon est suivi par d'autres sociétés de sécurité en tant qu'APT31. ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace. - Allumez [Protection en livraison du cloud] (https://learn.microsoft.com/en-us/defender-endpoint/linux-preférences) dans Microsoft Defender Antivirus ou l'équivalent de votre produit antivirus pour couvrir rapidement les outils d'attaquant en évolution et et et les outils d'attaquant en évolution rapide ettechniques.Les protections d'apprentissage automatique basées sur le cloud bloquent la majorité des menaces nouvelles et inconnues. - Exécuter [EDR en mode bloc] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc)Le défenseur du point final peut bloquer les artefacts malveillants, m | Ransomware Malware Tool Vulnerability Threat | APT 31 | ★★ |
|
2024-10-28 11:27:40 | Faits saillants hebdomadaires, 28 octobre 2024 Weekly OSINT Highlights, 28 October 2024 (lien direct) |
## Instantané La semaine dernière, les rapports de \\ sont mettant en évidence un éventail de types d'attaques dirigés par des acteurs sophistiqués parrainés par l'État et des menaces criminelles, avec des attaques notables ciblant les secteurs de la crypto-monnaie, du gouvernement et des infrastructures critiques.Les principaux vecteurs d'attaque incluent des campagnes de phishing, l'exploitation des vulnérabilités logicielles et des logiciels malveillants avancés et des outils tels que la grève de Cobalt, le ransomware et les botnets, tirant parti des CVE connus et des défauts d'exécution spéculatifs.Des groupes APT alignés par l'État, tels que les acteurs de la menace alignés par Lazare et la Russie, ont mené des attaques contre les plateformes de crypto-monnaie et les entités politiques, tandis que les opérations d'influence liées à la Russie ont utilisé du contenu généré par l'IA pour amplifier les récits de division avant les élections américaines de 2024.Pendant ce temps, les botnets et les modèles de ransomwares en tant que service comme Beast Raas ont démontré des progrès techniques dans la persistance, le chiffrement et les techniques d'exfiltration des données. ## Description 1. [Campagne Heptax] (https://sip.security.microsoft.com/intel-explorer/articles/CE9F9A25): la recherche Cyble a découvert la campagne Heptax ciblant les organisations de soins de santé par le biais de fichiers LNK malveillants distribués par e-mails de phishing.Les attaquants utilisent des scripts PowerShell pour réduire les paramètres de sécurité, permettant un accès à distance, une extraction de mot de passe et une surveillance du système pour une exfiltration de données prolongée. 2. [Wrnrat Malware] (https://sip.security.microsoft.com/intel-explorer/articles/118a2c8f): AhnLab a identifié WRNRAT malware distribué via de faux sites de jeu de jeu, destiné à la thèse de données motivés financièrement et au contrôle des systèmes infectés infectés.Une fois téléchargé, le malware capture les écrans utilisateur, envoie des informations système et met fin aux processus spécifiques tout en se déguisant en un processus Internet Explorer. 3. [Fortimanager Exploit] (https://sip.security.microsoft.com/intel-explorer/articles/2f35a4ca): Mandiant a rapporté UNC5820 \\ 's Exploitation of a fortimanager vulnérabilité zéro-jour (CVE-2024-47575)Pour exécuter du code et voler des données de configuration.L'attaque a ciblé les dispositifs FortiGate dans plusieurs industries, posant un risque de mouvement latéral grâce à des informations d'identification récoltées et à des informations sur les appareils. 4. [Black Basta \'s Social Engineering] (https://sip.security.microsoft.com/intel-explorer/articles/b231776f): Reliaquest documenté Black Basta Ransomware \\ est une ingénierie sociale avancée, y comprisSpam par e-mail de masse et imitations des équipes Microsoft, pour inciter les utilisateurs à installer des outils RMM ou à scanner les codes QR.Ces tactiques facilitent le déploiement des ransomwares via AnyDesk, soulignant la nécessité d'un e-mail et d'un compte vigilantsécurité. 5. [Ransomware embargo] (https://sip.security.microsoft.com/intel-explorer/articles/b7f0fd7b): eset identifiéEmbargo, un groupe Ransomware-as-a-Service ciblant les sociétés américaines, utilisant des outils basés sur la rouille comme Mdeployer et Ms4killer.En utilisant des tactiques à double extorsion, l'embargo personnalise des outils pour désactiver les systèmes de sécurité, chiffrer les fichiers et obtenir de la persistance via des redémarrages en mode sûr et des tâches planifiées. 6. [Lazarus Chrome Exploit Campaign] (https://sip.security.microsoft.com/intel-explorer/articles/e831e4ae): les chercheurs de Kaspersky ont identifié une campagne de Lazarus APT et Bluenoroff (Diamond Sheet and Saphire Sleet), Exploriting A A et Bluenoroff.Vulnérabilité zéro-jour dans Google Chrome pour cibler les amateurs de crypto-monnaie.L'attaque utilise un fau | Ransomware Spam Malware Tool Vulnerability Threat Prediction Medical Cloud Technical | APT 38 Guam | ★★ |
|
2024-10-25 16:11:10 | The Crypto Game of Lazarus APT: Investors vs. Zero-days (lien direct) | ## Snapshot Researchers at Kaspersky identified a cyberattack campaign by the Lazarus APT (tracked by Microsoft as [Diamond Sleet](https://security.microsoft.com/intel-profiles/b982c8daf198d93a2ff52b92b65c6284243aa6af91dda5edd1fe8ec5365918c5)) group and its BlueNoroff subgroup (tracked by Microsoft as [Sapphire Sleet](https://security.microsoft.com/intel-profiles/45e4b0c21eecf6012661ef6df36a058a0ada1c6be74d8d2011ea3699334b06d1)), which exploited a zero-day vulnerability in Google Chrome to execute remote code through a fake decentralized finance (DeFi) game targeting individuals in the cryptocurrency space. ## Description The attackers used a type confusion in V8 vulnerability in Google Chrome\'s Maglev optimizing compiler, [CVE-2024-4947](https://security.microsoft.com/intel-explorer/cves/CVE-2024-4947/), to gain read/write access to the entire address space of the Chrome process. They bypassed the V8 sandbox by exploiting a vulnerability in the Irregexp VM, allowing attackers to access memory outside the bounds of the register arrays, and to manipulate pointers and execute shellcode. The campaign involved social engineering tactics, including a malicious website that offered to download a beta version of the computer game called "DeTankZone" as a lure, which was a modified version of a legitimate game called DeFiTankLand. The initial infiltration was done through a hidden script on the website that exploited the Chrome vulnerabilities, allowing attackers to gain full control of the victim\'s device. The attackers built a presence on social media platforms and attempted to contact cryptocurrency influencers to promote their malicious website. Kaspersky reported the zero-day vulnerability to Google, which [released an update](https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html) to fix the issue in May 2024 on Chrome version 125.0.6422.60/.61. ## Microsoft Analysis and Additional OSINT Context [Microsoft](https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/) attributes this activity to [Moonstone Sleet](https://security.microsoft.com/intel-profiles/8ba84cecf73bd9aca4e4ff90230dc1f277c039f78c40c1938b6f74b1b7cce20f), a threat actor behind a cluster of malicious activity that Microsoft assesses is North Korean state-aligned. Since February 2024, Microsoft has observed Moonstone Sleet infecting devices using the malicious tank game DeTankWar, also called DeFiTankWar, DeTankZone, or TankWarsZone. The game is portrayed as a nonfungible token (NFT)-enabled play-to-earn game, available on Windows, Mac, and Linux. In this campaign, Moonstone Sleet typically approaches its targets through messaging platforms, such as LinkedIn and Telegram, or by email with a link to download the game. When targeted users launch the game, the ZIP file is downloaded, and multiple malicious DLLs are loaded. This leads to connections to command-and-control (C2) infrastructure using a custom malware loader Microsoft calls YouieLoad. YouieLoad loads malicious payloads in memory and creates malicious services that perform functions such as network and user discovery and browser data collection. For compromised devices of particular interest to the group, the threat actor launches hands-on-keyboard commands with further discovery and conducts credential theft. The threat actors presented themselves as game developers seeking investment or developer support and either masquerading as a legitimate blockchain company or using fake companies like one called C.C. Waterfall, a purported IT consulting organization. Moonstone Sleet created a robust public campaign that includes the websites detankwar\[.\]com and defitankzone\[.\]com, and many X (Twitter) accounts for the personas it uses to approach targets and for the game itself. In a similar campaign, Moonstone Sleet sent emails, also using its fake company C.C. Waterfall, where they emailed higher education organizations, again, claiming the company was | Ransomware Malware Tool Vulnerability Threat | APT 38 | ★★ |
|
2024-10-21 11:41:26 | Faits saillants hebdomadaires OSINT, 21 octobre 2024 Weekly OSINT Highlights, 21 October 2024 (lien direct) |
## Instantané La semaine dernière, les rapports OSINT de \\ mettent en évidence une gamme diversifiée de cybermenaces et d'évolution des vecteurs d'attaque.L'ingénierie sociale reste une tactique répandue, avec des campagnes telles que ClickFix tirant parti de faux messages d'erreur pour distribuer des logiciels malveillants, tandis que la campagne d'interview contagieuse CL-Sta-240 cible les demandeurs d'emploi en utilisant des logiciels malveillants déguisés en applications d'appel vidéo.Les voleurs d'informations, tels que Lumma et Meduza, continuent de proliférer et de tirer parti des plates-formes distribuées comme Telegram et Github.Les acteurs de ransomware exploitent les services cloud, comme le montre la campagne Ransomware abusant Amazon S3.Des groupes de l'État-nation, dont la Corée du Nord, l'Iran et la Chine, persistent à cibler des infrastructures critiques et des entités gouvernementales utilisant des techniques d'évasion sophistiquées et des outils open source, tandis que les acteurs motivés financièrement se concentrent sur les chevaux de Troie bancaires et le vol de crypto-monnaie.Ces tendances soulignent la sophistication et la diversité croissantes des acteurs de la menace \\ 'tactiques, à la fois avec les APT de l'État-nation et les cybercriminels ciblant un large éventail de secteurs. ## Description 1. [ClickFix Social Engineering Tactic] (https://sip.security.microsoft.com/intel-explorer/articles/6d79c4e3): Les chercheurs de Sekoia ont identifié Clickfix, une nouvelle tactique d'ingénierie sociale tirant parti de faux messages d'erreur de navigateur pour exécuter Male PowerShell malveillantCommandes.Il a été utilisé par des groupes comme l'Empire national slave et Scamquerteo pour distribuer des infostelleurs, des rats et des botnets ciblant la crypto-monnaie et les utilisateurs de Web3. 2. [Lumma Stealer Distribution via Hijackloader] (https://sip.security.microsoft.com/intel-explorer/articles/ef6514e6): les chercheurs de HarfangLab ont observé une augmentation de la distribution de voleur Lumma en utilisant Hijackloader avec des certificats de signature de code pour les défenses de bypass Lumma.Ces campagnes ont ciblé les utilisateurs à travers de fausses pages CAPTCHA, conduisant à une exécution de logiciels malveillants avec des certificats signés de sociétés légitimes. 3. [Meduza Stealer Spread via Telegram] (https://sip.security.microsoft.com/intel-explorer/articles/ac988484): CERT-UA a rapporté le voleur de Meduza distribué par des messages télégramme, exhortant les utilisateurs à télécharger "Special Special.logiciel."Les logiciels malveillants ont ciblé les entreprises ukrainiennes et volé des documents avant l'auto-délétion pour éviter la détection. 4. [Ransomware exploitant Amazon S3] (https://sip.security.microsoft.com/intel-explorer/articles/f5477a4): TrendMicro a identifié une campagne de ransomware exploitant la fonction d'accélération d'Amazon S3 \\ S pour l'expiltration de données.Déguisé en Lockbit, ce ransomware cible Windows et MacOS, en utilisant des informations d'identification AWS pour les téléchargements de données tout en tirant parti des techniques de chiffrement aux victimes de pression. 5. [AI abusité dans les opérations cyber] (https://sip.security.microsoft.com/intel-explorer/articles/e46070dd): OpenAI a rapporté plus de 20 cas d'utilisation abusive de l'IA par des acteurs malveillants pour le développement de logiciels malveillants, la désinformation et la lancePhishing.Les acteurs de la menace, dont Storm-0817 et SweetSpecter, ont exploité l'IA pour des tâches telles que la reconnaissance et le débogage du code, tandis que les IOS secrets ont été retracés en Iran et au Rwanda. 6. [Variants de trojan bancaires Trickmo] (https://sip.security.microsoft.com/intel-explorer/articles/1f1ea18b): les chercheurs de zimpérium ont découvert 40 variantes de tro-bancs Trickmo capables de l'interception OTP, de l'enregistrement de l'écran et de dispositif de dispositif de dispos | Ransomware Malware Tool Vulnerability Threat Cloud | APT 38 APT 37 APT-C-17 | ★★ |
|
2024-10-07 16:54:11 | Faits saillants hebdomadaires OSINT, 7 octobre 2024 Weekly OSINT Highlights, 7 October 2024 (lien direct) |
## Snapshot Last week\'s OSINT reporting highlights diverse and sophisticated attack tactics, primarily focusing on nation-state actors, cybercriminal groups, and advanced malware campaigns. Common attack vectors include spear-phishing, exploiting vulnerabilities (such as CVEs in Linux servers and AI infrastructure), and malware delivered through fileless methods. The malware ranges from Joker\'s subscription fraud (targeting mobile devices) to more complex backdoors like WarmCookie, which allows system profiling and further malware deployment. North Korean APT groups (APT37 and Stonefly) remain active, targeting Southeast Asia and United States companies, while Iranian actors focus on political campaigns. Financially motivated attacks are also prominent, with ransomware groups like Meow and attackers using MedusaLocker deploying advanced techniques for exfiltration and encryption. Cloud environments and AI infrastructure, including generative models like AWS Bedrock, have emerged as critical targets, exposing new vulnerabilities for resource hijacking and illicit services. ## Description 1. [Golden Chickens\' More_Eggs](https://sip.security.microsoft.com/intel-explorer/articles/4cb94d70): Trend Micro discovered the use of the more\_eggs backdoor in spear-phishing attacks, targeting various industries. Recent campaigns involved advanced social engineering, and while attribution remains unclear, there are possible ties to FIN6 (Storm-0538). 2. [Linux Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/68e49ad7): Elastic Security Labs uncovered a Linux malware campaign using KAIJI for DDoS attacks and RUDEDEVIL for cryptocurrency mining. The attackers exploited Apache2 vulnerabilities and used Telegram bots for communication and persistence. 3. [Rhadamanthys Malware Updates](https://sip.security.microsoft.com/intel-explorer/articles/c9ea8588): Recorded Future reported on the evolving Rhadamanthys information-stealing malware, now incorporating AI-driven OCR for cryptocurrency theft. It targets systems in North and South America, leveraging encryption and advanced defense evasion techniques. 4. [NVIDIA Container Toolkit Vulnerability](https://sip.security.microsoft.com/intel-explorer/articles/a35e980e): Wiz Research discovered a critical vulnerability (CVE-2024-0132) in the NVIDIA Container Toolkit, exposing cloud and AI environments to container escape attacks. This flaw could lead to unauthorized control over host systems and data exfiltration. 5. [K4Spreader and PwnRig Campaign](https://sip.security.microsoft.com/intel-explorer/articles/416b07c0): Sekoia TDR linked a campaign exploiting WebLogic vulnerabilities to the 8220 Gang, deploying the K4Spreader malware and PwnRig cryptominer. The attackers primarily target cloud environments for Monero mining, exploiting both Linux and Windows systems. 6. [Nitrogen Malware Incident](https://sip.security.microsoft.com/intel-explorer/articles/d0473059): The DFIR Report analyzed an attack using Nitrogen malware delivered through a malicious Advanced IP Scanner installer. The threat actor used Sliver and Cobalt Strike beacons, eventually deploying BlackCat ransomware across the victim\'s network. 7. [Gorilla Botnet\'s DDoS Attacks](https://sip.security.microsoft.com/intel-explorer/articles/0bcef023): NSFOCUS identified the Gorilla Botnet, a Mirai variant, launching over 300,000 DDoS attacks. Its primary targets were U.S., Chinese, and global sectors, including government and telecom, using advanced encryption techniques for stealth. 8. [Iranian IRGC Cyber Activity](https://sip.security.microsoft.com/intel-explorer/articles/42850d7b): The FBI and UK\'s NCSC warned about Iranian IRGC-affiliated actors targeting individuals related to Middle Eastern affairs. Using social engineering, they focused on stealing credentials and influencing U.S. political campaigns. 9. [Critical Infrastructure Reconnaissance](https://sip.security.microsoft.com/intel-explorer/articles/d491ff08): Dragos detected a campaign targeting North Ame | Ransomware Malware Tool Vulnerability Threat Mobile Prediction Cloud | APT 37 APT 45 | ★★ |
|
2024-09-30 13:21:55 | Faits saillants hebdomadaires OSINT, 30 septembre 2024 Weekly OSINT Highlights, 30 September 2024 (lien direct) |
## Snapshot Last week\'s OSINT reporting highlighted diverse cyber threats involving advanced attack vectors and highly adaptive threat actors. Many reports centered on APT groups like Patchwork, Sparkling Pisces, and Transparent Tribe, which employed tactics such as DLL sideloading, keylogging, and API patching. The attack vectors ranged from phishing emails and malicious LNK files to sophisticated malware disguised as legitimate software like Google Chrome and Microsoft Teams. Threat actors targeted a variety of sectors, with particular focus on government entities in South Asia, organizations in the U.S., and individuals in India. These campaigns underscored the increased targeting of specific industries and regions, revealing the evolving techniques employed by cybercriminals to maintain persistence and evade detection. ## Description 1. [Twelve Group Targets Russian Government Organizations](https://sip.security.microsoft.com/intel-explorer/articles/5fd0ceda): Researchers at Kaspersky identified a threat group called Twelve, targeting Russian government organizations. Their activities appear motivated by hacktivism, utilizing tools such as Cobalt Strike and mimikatz while exfiltrating sensitive information and employing ransomware like LockBit 3.0. Twelve shares infrastructure and tactics with the DARKSTAR ransomware group. 2. [Kryptina Ransomware-as-a-Service Evolution](https://security.microsoft.com/intel-explorer/articles/2a16b748): Kryptina Ransomware-as-a-Service has evolved from a free tool to being actively used in enterprise attacks, particularly under the Mallox ransomware family, which is sometimes referred to as FARGO, XOLLAM, or BOZON. The commoditization of ransomware tools complicates malware tracking as affiliates blend different codebases into new variants, with Mallox operators opportunistically targeting \'timely\' vulnerabilities like MSSQL Server through brute force attacks for initial access. 3. [North Korean IT Workers Targeting Tech Sector:](https://sip.security.microsoft.com/intel-explorer/articles/bc485b8b) Mandiant reports on UNC5267, tracked by Microsoft as Storm-0287, a decentralized threat group of North Korean IT workers sent abroad to secure jobs with Western tech companies. These individuals disguise themselves as foreign nationals to generate revenue for the North Korean regime, aiming to evade sanctions and finance its weapons programs, while also posing significant risks of espionage and system disruption through elevated access. 4. [Necro Trojan Resurgence](https://sip.security.microsoft.com/intel-explorer/articles/00186f0c): Kaspersky\'s Secure List reveals the resurgence of the Necro Trojan, impacting both official and modified versions of popular applications like Spotify and Minecraft, and affecting over 11 million Android devices globally. Utilizing advanced techniques such as steganography to hide its payload, the malware allows attackers to run unauthorized ads, download files, and install additional malware, with recent attacks observed across countries like Russia, Brazil, and Vietnam. 5. [Android Spyware Campaign in South Korea:](https://sip.security.microsoft.com/intel-explorer/articles/e4645053) Cyble Research and Intelligence Labs (CRIL) uncovered a new Android spyware campaign targeting individuals in South Korea since June 2024, which disguises itself as legitimate apps and leverages Amazon AWS S3 buckets for exfiltration. The spyware effectively steals sensitive data such as SMS messages, contacts, images, and videos, while remaining undetected by major antivirus solutions. 6. [New Variant of RomCom Malware:](https://sip.security.microsoft.com/intel-explorer/articles/159819ae) Unit 42 researchers have identified "SnipBot," a new variant of the RomCom malware family, which utilizes advanced obfuscation methods and anti-sandbox techniques. Targeting sectors such as IT services, legal, and agriculture since at least 2022, the malware employs a multi-stage infection chain, and researchers suggest the threat actors\' motives might have s | Ransomware Malware Tool Vulnerability Threat Patching Mobile | ChatGPT APT 36 | ★★ |
|
2024-09-27 19:44:31 | (Déjà vu) OSINT ENQUÊTE: Chasse des infrastructures malveillantes liées à la tribu transparente OSINT Investigation: Hunting Malicious Infrastructure Linked to Transparent Tribe (lien direct) |
#### Géolocations ciblées - Inde #### Industries ciblées - agences et services gouvernementaux ## Instantané Des chercheurs de Cyfirma ont identifié des infrastructures malveillantes exploitées par une tribu transparente, également connue sous le nom d'APT36. ## Description Cette infrastructure comprend 15 hôtes malveillants hébergés par DigitalOcean, exécutant des serveurs mythiques C2.Transparent Tribe utilise le cadre d'exploitation mythique, conçu à l'origine pour faire équipe rouge, pour gérer les systèmes compromis.Le groupe vise des individus en Inde, probablement des représentants du gouvernement, en distribuant des fichiers d'entrée de bureau Linux déguisés en PDF.Ces fichiers téléchargent et exécutent des agents mythiques de Poséidon Binaires-Golang conçus pour les plates-formes Linux et MacOS X64, ce qui permet aux acteurs de la menace d'établir de la persistance et d'échapper à la détection. La tribu transparente est connue pour ses méthodes persistantes et évolutives, et cette campagne démontre leur ciblage accru des environnements Linux, en particulier ceux utilisés par le gouvernement indien.Cyfirma note que ces résultats mettent l'accent sur la nécessité d'une vigilance accrue et de mesures de défense proactives contre des menaces aussi sophistiquées et adaptatives. ## Analyse supplémentaire Opérationnel depuis 2013, [Tribu transparente] (https://attack.mitre.org/groups/g0134/) est un groupe de menaces basé au Pakistan qui cible principalement le gouvernement indien, la défense et l'éducation.La principale motivation du groupe est de mener un cyberespionnage et exploite une variété d'outils pour atteindre cet objectif, notamment des rats sur mesure ciblant les fenêtres, des cadres C2 open source armées, des installateurs de trojanisés imitants d'empruntSites de phishing conçus pour cibler les fonctionnaires du gouvernement indien.Le groupe a été observé en utilisant une variété de logiciels malveillants, notamment Elizarat, Caprarat, Poséidon, Crimsonrat, Oblicherat, Darkcomet et Peppy, entre autres. ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace. - Allumez [Protection en livraison du cloud] (https://learn.microsoft.com/en-us/defender-endpoint/linux-preférences) dans Microsoft Defender Antivirus ou l'équivalent de votre produit antivirus pour couvrir rapidement les outils d'attaquant en évolution et et et les outils d'attaquant en évolution rapide ettechniques.Les protections d'apprentissage automatique basées sur le cloud bloquent la majorité des menaces nouvelles et inconnues. - Exécuter [EDR en mode bloc] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc)Le défenseur du point final peut bloquer les artefacts malveillants, même lorsque votre antivirus non microsoft ne détecte pas la menace ou lorsque Microsoft Defender Antivirus fonctionne en mode passif.EDR en mode bloc fonctionne dans les coulisses pour corriger les artefacts malveillants qui sont détectés post-abri. - Autoriser [enquête et correction] (https: //learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) en mode automatisé complet pour permettre à Microsoft Defender le point de terminaison de prendre des mesures immédiates sur les alertes pour résoudre les violations, réduisant considérablement le volume d'alerte. - [Activé] (https://learn.microsoft.com/en-us/defender-endpoint/enable-ctrelled-folders) Accès aux dossiers contrôlés. - Assurez-vous que [Protection de stimulation] (https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-Or-Manage-Tamper-Protection) est activé dans Microsoft Defender pour Endpoint. - Activer [Protection réseau] (https://learn.microsoft.com/en- | Ransomware Malware Tool Threat Mobile | APT 36 | ★★★ |
|
2024-09-16 11:20:34 | Faits saillants hebdomadaires, 16 septembre 2024 Weekly OSINT Highlights, 16 September 2024 (lien direct) |
## Snapshot Last week\'s OSINT reporting highlighted a broad array of cyber threats, with ransomware activity and espionage campaigns prominently featured. Russian and Chinese APT groups were particularly in the spotlight, with Aqua Blizzard targeting Ukrainian military personnel and Twill Typhoon affecting governments in Southeast Asia. RansomHub, a ransomware-as-a-service (RaaS) variant, and the newly emerged Repellent Scorpius also exploited known vulnerabilities and abused legitimate tools, employing double extortion tactics. Emerging malware, including infostealers like YASS and BLX Stealer, underscores the growing trend of targeting sensitive consumer data and cryptocurrency wallets, demonstrating the adaptability of threat actors in an evolving digital landscape. ## Description 1. [TIDRONE Targets Taiwanese Military](https://sip.security.microsoft.com/intel-explorer/articles/14a1a551): Trend Micro reports that the Chinese-speaking threat group, TIDRONE, has targeted Taiwanese military organizations, particularly drone manufacturers, since early 2024. Using advanced malware (CXCLNT and CLNTEND), the group infiltrates systems through ERP software or remote desktops, engaging in espionage. 2. [Predator Spyware Resurfaces with New Infrastructure](https://sip.security.microsoft.com/intel-explorer/articles/b0990b13): Insikt Group reports that Predator spyware, often used by government entities, has resurfaced in countries like the Democratic Republic of the Congo and Angola. With upgraded infrastructure to evade detection, Predator targets high-profile individuals such as politicians and activists through one-click and zero-click attack vectors. 3. [Ransomware Affiliates Exploit SonicWall](https://sip.security.microsoft.com/intel-explorer/articles/07f23184): Akira ransomware affiliates exploited a critical SonicWall SonicOS vulnerability (CVE-2024-40766) to gain network access. Targeting firewalls, they bypassed security via local accounts, leading to breaches in organizations with disabled multifactor authentication. 4. [RansomHub Ransomware Threatens Critical Infrastructure](https://sip.security.microsoft.com/intel-explorer/articles/650541a8): RansomHub ransomware-as-a-service has attacked over 210 victims across critical infrastructure sectors since early 2024, using double extortion tactics. The group gains entry via phishing, CVE exploits, and password spraying, and exfiltrates data using tools like PuTTY and Amazon S3. 5. [YASS Infostealer Targets Sensitive Data](https://sip.security.microsoft.com/intel-explorer/articles/d056e554): Intezer discovered "Yet Another Silly Stealer" (YASS), a variant of CryptBot, deployed through a multi-stage downloader called “MustardSandwich.” YASS targets cryptocurrency wallets, browser extensions, and authentication apps, using obfuscation and encrypted communications to evade detection. 6. [WhatsUp Gold RCE Attacks](https://sip.security.microsoft.com/intel-explorer/articles/b89cbab7): Exploiting vulnerabilities in WhatsUp Gold (CVE-2024-6670, CVE-2024-6671), attackers executed PowerShell scripts via NmPoller.exe to deploy RATs like Atera Agent and Splashtop. These attacks highlight the risk of delayed patching and underscore the importance of monitoring vulnerable processes. 7. [Repellent Scorpius Expands RaaS Operations](https://sip.security.microsoft.com/intel-explorer/articles/1f424190): Unit 42 reports on the emerging ransomware group Repellent Scorpius, known for using Cicada3301 ransomware in double extortion attacks. The group recruits affiliates via Russian cybercrime forums and uses stolen credentials to execute attacks on various sectors globally. 8. [APT34\'s Advanced Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/6289e51f): Check Point Research identified Iranian-linked APT34 targeting Iraqi government networks with sophisticated malware ("Veaty" and "Spearal"). Using DNS tunneling and backdoors, the group exploited email accounts for C2 communications, reflecting advanced espionage techniques. 9 | Ransomware Malware Tool Vulnerability Threat Patching Prediction Cloud | APT 34 | ★★ |
|
2024-09-09 11:04:46 | Faits saillants hebdomadaires OSINT, 9 septembre 2024 Weekly OSINT Highlights, 9 September 2024 (lien direct) |
## Snapshot Last week\'s OSINT reporting highlights a broad spectrum of cyber threats with notable trends in malware campaigns, espionage, and ransomware attacks. Phishing remains a dominant attack vector, delivering a variety of payloads like custom backdoors, infostealers, and ransomware. Nation-state actors such as Russia\'s APT29 (Midnight Blizzard) and China\'s Earth Lusca were prominent, focusing on espionage and targeting specific regions like East Asia and the Middle East. Other notable threats included the use of deepfakes for scam campaigns and the exploitation of unpatched vulnerabilities in widely used software like Microsoft Office and WPS Office. The targeting of organizations ranged from government entities to private sector businesses, with some attacks focusing on specific industries like finance, healthcare, and technology. ## Description 1. [Unique Malware Campaign \'Voldemort\'](https://sip.security.microsoft.com/intel-explorer/articles/3cc65ab7): Proofpoint researchers uncovered a phishing campaign distributing custom malware via emails impersonating tax authorities across multiple countries. The malware, likely motivated by espionage, uses advanced techniques like abusing Google Sheets for command-and-control (C2) to avoid detection. 2. [Python-Based Infostealer \'Emansrepo\'](https://sip.security.microsoft.com/intel-explorer/articles/94d41800): FortiGuard Labs identified Emansrepo, a Python-based infostealer targeting browser data and files via phishing emails. The malware has evolved into a sophisticated multi-stage tool, expanding its capabilities to steal sensitive data like cryptocurrency wallets. 3. [Deepfake Scams Using Public Figures](https://sip.security.microsoft.com/intel-explorer/articles/6c6367c7): Palo Alto Networks researchers discovered deepfake scams impersonating public figures to promote fake investment schemes. These scams, involving a single threat actor group, target global audiences with AI-generated videos hosted on domains with significant traffic. 4. [Zero-Day Vulnerabilities in WPS Office](https://sip.security.microsoft.com/intel-explorer/articles/f897577d): ESET researchers identified two zero-day vulnerabilities in Kingsoft WPS Office exploited by the APT-C-60 group. The vulnerabilities allowed attackers to execute arbitrary code in targeted East Asian countries, using malicious documents to deliver a custom backdoor. 5. [KTLVdoor Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/222628fc): Trend Micro uncovered KTLVdoor, a highly obfuscated backdoor developed by Earth Lusca, targeting Windows and Linux systems. The malware allows attackers to fully control infected systems and is primarily linked to Chinese-speaking actors. 6. [Fake Palo Alto GlobalProtect Tool](https://sip.security.microsoft.com/intel-explorer/articles/22951902): Trend Micro identified a campaign targeting Middle Eastern organizations with a fake version of Palo Alto GlobalProtect. The malware executes remote PowerShell commands and exfiltrates files while masquerading as a legitimate security solution. 7. [APT29 Targets Mongolian Government Websites](https://sip.security.microsoft.com/intel-explorer/articles/12b5ac31): Google TAG discovered that Russian APT29 used iOS and Chrome exploits to target Mongolian government websites. The attack, linked to commercial surveillance vendors, involved watering hole attacks to steal authentication cookies from targeted users. 8. [MacroPack-Abused Malicious Documents](https://sip.security.microsoft.com/intel-explorer/articles/cd8dec3b): Cisco Talos found malicious documents leveraging MacroPack to deliver payloads like Havoc and PhantomCore RAT. These documents used obfuscated macros and lures in multiple languages, complicating attribution to any single threat actor. 9. [Underground Ransomware by RomCom Group](https://sip.security.microsoft.com/intel-explorer/articles/e2a44c7c): FortiGuard Labs identified the Underground ransomware targeting Windows systems, deployed by the Russia-based RomCom | Ransomware Malware Tool Vulnerability Threat Prediction Medical Commercial | APT 38 APT 29 | ★★ |
|
2024-09-06 20:50:58 | (Déjà vu) APT Lazarus: castors cryptographiques avides, appels vidéo et jeux APT Lazarus: Eager Crypto Beavers, Video calls and Games (lien direct) |
## Instantané Group-IB a publié un rapport détaillant l'activité du groupe de Lazare qui cible les demandeurs d'emploi par de fausses entretiens.La campagne attire des victimes de téléchargement du logiciel malveillant déguisé en projet Node.js, qui contient le malware de Beavertail, conduisant finalement au déploiement d'une porte dérobée python connue sous le nom d'invisibleferret. ## Description La chaîne d'infection commence lorsque les victimes sont contactées via des plateformes de recherche d'emploi comme LinkedIn, Moonlight ou Upwork.Les conversations sont ensuite souvent déplacées vers Telegram, où les victimes sont trompées pour télécharger une fausse application de conférence vidéo ou un projet Node.js pour une tâche d'entrevue supposée.Ces applications sont en fait malveillantes, contenant des charges utiles qui volent des données sensibles aux navigateurs, aux portefeuilles de crypto-monnaie et à d'autres sources. BEAVERTail Malware, initialement développé par les acteurs de la menace en tant qu'outil basé sur JavaScript, a évolué pour inclure les versions macOS et Python natives.La version Windows arrive via un fichier d'installation nommé FCCCALL, qui se présente comme une application de vidéoconférence légitime.Lors de l'exécution, FccCall imite les interfaces logicielles légitimes tout en exécutant des processus d'arrière-plan malveillants qui exfiltrent les informations d'identification du navigateur, les données de portefeuille de crypto-monnaie, etc. La variante Beavertail Python a introduit des composants modulaires, nommés collectivement CIVETQ, qui élargissent les capacités du malware \\.Les modules CIVETQ se concentrent sur des tâches telles que le keylogging, le vol de presse-papiers, l'exfiltration des données du navigateur et l'établissement de persistance sur les plates-formes Windows, MacOS et Linux.La version Python configure également AnyDesk pour un accès sans surveillance, permettant aux attaquants de maintenir un pied sur des systèmes compromis sans interaction utilisateur. InvisibleFerret, une porte arrière basée sur Python, est un autre composant important utilisé dans ces campagnes.Il dispose de la télécommande, de la clé de clés et des capacités de vol de données du navigateur, avec des mises à jour récentes incorporant des techniques d'obfuscation plus avancées et des méthodes supplémentaires d'exfiltration de données, y compris via Telegram.Beavertail et InvisibleFerret sont en cours de développement actif, les mises à jour fréquentes étant déployées pour améliorer la furtivité et l'efficacité. Le groupe Lazare utilise également des référentiels malveillants sur les plates-formes de partage de code pour distribuer des projets Node.js transversaux.Ces référentiels ciblent souvent les professionnels des secteurs de la crypto-monnaie et des jeux en se faisant passer pour des projets de développement légitimes.Lazarus met à jour en permanence ces référentiels, en utilisant des techniques d'obscurcissement et en manipulant la visibilité du référentiel pour échapper à la détection. ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace. - Allumez [Protection en livraison du cloud] (https://learn.microsoft.com/en-us/defender-endpoint/linux-preférences) dans Microsoft Defender Antivirus ou l'équivalent de votre produit antivirus pour couvrir rapidement les outils d'attaquant en évolution et et et les outils d'attaquant en évolution rapide ettechniques.Les protections d'apprentissage automatique basées sur le cloud bloquent la majorité des menaces nouvelles et inconnues. - Exécuter [EDR en mode bloc] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc)Le défenseur du point final peut bloquer les artefacts malveillants, même lorsque votre antivirus non microsoft ne détecte pas la menace ou lorsque Micr | Ransomware Malware Tool Threat | APT 38 | ★★ |
|
2024-09-02 19:54:58 | Faits saillants hebdomadaires OSINT, 2 septembre 2024 Weekly OSINT Highlights, 2 September 2024 (lien direct) |
## Instantané La semaine dernière, les rapports OSINT de \\ ont mis en évidence un ensemble diversifié de cybermenaces et de méthodologies d'attaque dans plusieurs secteurs et géographies.Les principales tendances comprenaient la sophistication croissante des campagnes de phishing, telles que celles qui tirent parti des logiciels malveillants multiplateformes comme le voleur Cheana et des tactiques innovantes comme le quai via des codes QR.Le déploiement de balises de Cobaltsstrike, les techniques d'injection du gestionnaire de l'Appdomain et l'abus de services légitimes comme Microsoft Sway, les tunnels Cloudflare et les outils de gestion à distance ont également présenté en bonne place, soulignant l'évolution de la boîte à outils des cybercriminels et des acteurs parrainés par l'État.Les entités ciblées s'étendaient sur des industries, notamment les finances, le gouvernement, les soins de santé et les infrastructures critiques, les attaquants utilisant fréquemment des mécanismes de persistance avancés, exploitant des vulnérabilités zéro-jours et en utilisant des ransomwares dans des schémas à double extorsion. ## Description 1. [Utilisateurs coréens ciblés avec des logiciels malveillants à distance] (https://sip.security.microsoft.com/intel-explorer/articles/b920e285): Ahnlab Security Intelligence Center (ASEC) a découvert une cyberattaque ciblant les utilisateurs coréens, où un inconnu Intelligence Center (ASEC) a découvert une cyberattaque ciblant les utilisateurs coréens, où un inconnu Intelligence Center (ASEC) a découvert une cyberattaque ciblant les utilisateurs coréens, où un inconnu Intelligence Center (ASEC) a découvert une cyberattaque ciblant les utilisateurs coréens, lorsqu'un inconnuL'attaquant a déployé des logiciels malveillants à distance, y compris l'asyncrat, et des délais personnalisés comme FXFDOOR et NOMU.L'attaque, potentiellement liée au groupe nord-coréen Kimsuky, s'est concentrée sur le vol d'informations, avec un spearphishing et des vulnérabilités dans IIS et MS Exchange comme points d'entrée possibles. 2. [Campagne de phishing déguisée en sondage RH cible Office 365 Contaliens] (https://sip.security.microsoft.com/intel-explorer/articles/9431aa5a): les chercheurs de Cofense ont identifié une attaque de phishing qui s'est présentée comme un engagement en milieu d'annéeEnquête pour voler les informations d'identification Microsoft Office 365.L'attaque a utilisé un faux e-mail RH réalisant des destinataires vers une page hébergée par Wufoo, conduisant finalement à une page de connexion frauduleuse Microsoft conçue pour récolter les informations d'identification. 3. [Campagne de phishing multiplateforme avec Cheana Stealer] (https://sip.security.microsoft.com/intel-explorer/articles/69d7b49e): Cyble Research and Intelligence Lab (CRIL) a découvert une campagne de phishing ciblant les fenêtres, Linuxet les utilisateurs de macOS avec Cheana Stealer malware, distribué via un site imitant un fournisseur VPN.Les logiciels malveillants visaient à voler des portefeuilles de crypto-monnaie, des mots de passe du navigateur et des clés SSH, en tirant parti d'un canal télégramme pour une distribution généralisée, mettant en évidence les attaquants \\ 'se concentrer sur le compromis de divers systèmes. 4. [Vulnérabilité zéro-jour dans Versa Director exploité par APT] (https://sip.security.microsoft.com/intel-explorer/articles/1af984be): Versa Networks a identifié une vulnérabilité zéro-jour (CVE-2024-39717) Dans le directeur de l'interface graphique de Versa, exploité par un acteur apt pour télécharger des fichiers malveillants déguisés en images PNG.L'attaque a été facilitée par un mauvais durcissement du système et des ports de gestion exposés, ciblant les clients qui n'ont pas réussi à sécuriser correctement leur environnement. 5. [Mallox Ransomware Exploits Cloud Misconfiguration](https://sip.security.microsoft.com/intel-explorer/articles/d9af6464): Trustwave investigated a Mallox | Ransomware Malware Tool Vulnerability Threat Mobile Medical Cloud | APT 41 APT 32 | ★★ |
|
2024-08-29 18:15:40 | Menace persistante avancée ciblant les défenseurs vietnamiens des droits de l'homme Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders (lien direct) |
#### Géolocations ciblées - Vietnam ## Instantané Les chercheurs de Huntress ont découvert une cyber-intrusion à long terme ciblant un défenseur vietnamien des droits de l'homme, soupçonné d'avoir persisté pendant au moins quatre ans. ## Description Selon Huntress, les tactiques, les techniques et les procédures (TTPS) observées dans cette attaque présentent des similitudes avec celles utilisées par APT32 / Oceanlottus, un groupe de cyber-espionnage bien connu suivi par Microsoft comme [Canvas Cyclone] (https: // Security.microsoft.com/intel-profiles/0e86dff295f91628210e11bbd8f2aaf5ccd9d13a1bdb58255463214122b1a133).Les attaquants ont utilisé plusieurs mécanismes de persistance, notamment des tâches programmées, des débiteurs de touche de DLL et des abus d'objets COM, pour maintenir l'accès à des systèmes compromis.Notamment, les attaquants ont utilisé des logiciels malveillants qui se sont masqués comme logiciels légitimes, tels que les binaires Adobe et McAfee, et ont exploité les vulnérabilités dans des exécutables légitimes pour exécuter des charges utiles malveillantes. Au cours de l'enquête, les analystes de Huntress ont identifié plusieurs échantillons de logiciels malveillants qui ont utilisé l'obscurcissement et la stéganographie pour échapper à la détection.Le malware était capable d'injecter du code dans la mémoire et d'effectuer diverses tâches, telles que le vol de cookies de navigateur, le téléchargement de charges utiles supplémentaires et le maintien de l'accès de la porte dérobée.Les acteurs de la menace ont également mis à profit des outils légitimes comme Windows Management Instrumentation (WMI) pour l'exécution de la commande distante et exploité des tuyaux nommés pour l'escalade des privilèges. L'enquête a révélé que les liens avec les infrastructures associées à l'APT32 / Oceanlotus, confirmant davantage l'implication du groupe \\ dans l'attaque.Les attaquants \\ 'les efforts persistants pour cacher leurs activités et maintenir l'accès suggèrent un objectif stratégique aligné sur la collecte de renseignements.Cette affaire démontre les durées auxquelles les acteurs avancés de la menace iront pour atteindre leurs objectifs et met en évidence l'importance de la chasse et de la surveillance des menaces continues pour détecter et répondre à de telles intrusions sophistiquées. ## Analyse Microsoft L'acteur Microsoft suit comme [Canvas Cyclone] (https://security.microsoft.com/intel-profiles/0e86dff295f91628210e11bbd8f2aaf5ccd9d13a1bdb582554632141222b1a133) est un groupe de calice national. Lone est connu pour cibler principalementet les organisations étrangères à travers l'Asie, l'Europe et l'Amérique du Nord, y compris les grandes sociétés multinationales, les gouvernements, les institutions financières, les établissements d'enseignement et les groupes de défense des droits humains et civils.Canvas Cyclone se concentre sur l'espionnage gouvernemental ainsi que sur la collecte de renseignements contre la concurrence des entreprises étrangères. Auparavant, Canvas Cyclone a mené des attaques de compromis en vigueur contre les sites gouvernementaux et les agences de médias en Asie du Sud-Est.Fin 2018, Canvas Cyclone a compromis des cibles à l'aide d'une famille de logiciels malveillants personnalisé connue sous le nom de Kerrdown via des documents malveillants livrés dans les opérations de phission de lance.Canvas Cyclone s'est également appuyé sur des outils couramment utilisés comme la grève du cobalt pour l'exfiltration des données et le mouvement latéral.Depuis 2020, Canvas Cyclone a utilisé le détournement de l'ordre de recherche DLL pour charger du code malveillant en utilisant des binaires légitimes et signés.Canvas Cyclonehas a également déployé des mineurs de crypto-monnaie Monero sur des systèmes ciblés. ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace. - Allume | Ransomware Malware Tool Vulnerability Threat | APT 32 | ★★★ |
|
2024-08-14 18:17:06 | EastWind campaign: new CloudSorcerer attacks on government organizations in Russia (lien direct) | #### Targeted Geolocations - Russia #### Targeted Industries - Government Agencies & Services - Information Technology ## Snapshot Researchers at Kapersky identified a targeted cyberattack campaign, named EastWind, that occurred in late July 2024, targeting Russian government organizations and IT companies. ## Description The threat actors utilized phishing emails with malicious shortcut attachments to infect devices, delivering malware that received commands via the Dropbox cloud service. The additional payloads included the VERSION.dll backdoor, GrewApacha RAT used by APT31 (tracked by Microsoft as Violet Typhoon) since 2021, a new version of the CloudSorcerer backdoor, and the PlugY implant, which overlaps with APT27 (tracked by Microsoft as Linen Typhoon) tools. The attackers gained initial access to organizations through spear phishing, sending malicious emails with attached RAR archives containing decoy documents and malicious files. The campaign demonstrated the evolving tactics and techniques employed by threat actors to infiltrate and compromise targeted organizations, emphasizing the ongoing threat of sophisticated cyberattacks targeting government and IT sectors. ## Additional Analysis Kapersky [previously reported](https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/) on the CloudSorcerer backdoor and its use in attacks on government organizations in Russia. Used as a cyberespionage tool, the malware employs public cloud services as its primary command and control (C2) servers. Kaspersky has assessed that CloudSorcerer\'s activities resemble those of the [CloudWizard APT](https://securelist.com/cloudwizard-apt/109722/). However, notable differences in the malware\'s code and functionality suggest that CloudSorcerer is likely a new actor. ## Detections/Hunting Queries ### Microsoft Defender Antivirus Microsoft Defender Antivirus detects threat components as the following malware: - [Trojan:Win32/Casdet](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Casdet!rfn) ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. - Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. - Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. - Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. - [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access. - Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint. - Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint. - Follow the credential hardening recommendations in the [on-premises credential theft overview](https://security.microsoft.com/threatanalytics3/938 | Ransomware Malware Tool Threat Cloud | APT 27 APT 31 | ★★★ |
|
2024-08-05 10:51:17 | Faits saillants hebdomadaires, 5 août 2024 Weekly OSINT Highlights, 5 August 2024 (lien direct) |
## Instantané La semaine dernière, les rapports de \\ de Osint mettent en évidence plusieurs tendances clés du paysage cyber-menace, caractérisées par des tactiques d'attaque sophistiquées et des acteurs de menace adaptables.Les types d'attaques prédominants impliquent le phishing, l'ingénierie sociale et l'exploitation des vulnérabilités des logiciels, avec des vecteurs courants, y compris des pièces jointes malveillantes, des sites Web compromis, l'empoisonnement du DNS et la malvertisation.Les campagnes notables ont ciblé les utilisateurs de l'UKR.NET, les clients de la BBVA Bank et les pages de médias sociaux détournées pour imiter les éditeurs de photos populaires de l'IA.De plus, l'exploitation des erreurs de configuration dans des plates-formes largement utilisées telles que Selenium Grid et TryCloudflare Tunnel indique une focalisation stratégique sur la mise en œuvre d'outils légitimes à des fins malveillantes. Les acteurs de la menace vont de groupes d'État-nation comme les acteurs nord-coréens, l'APT41 et le Sidewinder, aux cybercriminels et à des groupes hacktiviste motivés financièrement tels que Azzasec.Les techniques d'évasion avancées et les stratégies d'ingénierie sociale sont utilisées par des acteurs comme l'UAC-0102, Black Basta et ceux qui exploitent les problèmes de mise à jour de la crowdsstrike.Les objectifs sont diversifiés, couvrant des organisations gouvernementales et militaires, des institutions financières, des réseaux d'entreprise, des petites et moyennes entreprises et des utilisateurs individuels dans diverses régions. ## Description 1. [Campagne révisée de dev # popper] (https://sip.security.microsoft.com/intel-explorer/articles/9f6ee01b): les acteurs de la menace nord-coréenne ciblent les développeurs de logiciels à l'aide de fausses entretiens d'emploi pour distribuer des logiciels malveillants via des packages de fichiers zip.La campagne, affectant plusieurs systèmes d'exploitation et régions, utilise des tactiques avancées d'obscurcissement et d'ingénierie sociale pour le vol de données et la persistance. 2. [Specula Framework exploite Outlook] (https://sip.security.microsoft.com/intel-explorer/articles/4b71ce29): un nouveau cadre post-exploitation appelé "Specula" lever.En dépit d'être corrigé, cette méthode est utilisée par l'APT33 parrainé par l'iranien pour atteindre la persistance et le mouvement latéral dans les systèmes Windows compromis. 3. [Phishing with Sora AI Branding] (https://sip.security.microsoft.com/intel-explorer/articles/b90cc847): les acteurs de menace exploitent l'excitation autour de Sora AI inédite en créant des sites de phishing pour se propager des logiciels malveillants.Ces sites, promus via des comptes de médias sociaux compromis, déploient des voleurs d'informations et des logiciels d'extraction de crypto-monnaie. 4. [vulnérabilité VMware ESXi exploitée] (https: //sip.security.microsoft.com/intel-explorer/articles/63b1cec8): des gangs de ransomware comme Storm-0506 et Octo Tempest Exploiter un VMware ESXi Authentification Typass VULnerabilité pour l'accès administratif.Cette vulnérabilité, ajoutée au catalogue exploité des vulnérabilités exploitées \\ 'connues, est utilisée pour voler des données, se déplacer latéralement et perturber les opérations. 5. [APT41 cible la recherche taïwanaise] (https://sip.security.microsoft.com/intel-explorer/articles/d791dc39): le groupe APT41, suivi comme Typhoon de brass.La campagne consiste à exploiter une vulnérabilité de Microsoft Office et à utiliser la stéganographie pour échapper à la détection. 6. [Trojans bancaire en Amérique latine] (https://sip.security.microsoft.com/intel-explorer/articles/767518e9): Une campagne ciblant les organisations financières utilise des troyens bancaires distribués via des URL géo-frisées.Le malware utilise l'injection de processus et se connecte aux serveurs de commandement et de contrôle pour voler des informations sensibles. 7. [MINT STACER MALWARED] ( | Ransomware Spam Malware Tool Vulnerability Threat Mobile | APT33 APT 41 APT 33 APT-C-17 | ★★★ |
|
2024-07-29 10:58:35 | Weekly OSINT Highlights, 29 July 2024 (lien direct) | ## Snapshot Key trends from last week\'s OSINT reporting include novel malware, such as Flame Stealer and FrostyGoop, the compromise of legitimate platforms like Discord and GitHub, and state-sponsored threat actors conducting espionage and destructive attacks. Notable threat actors, including Russian groups, Transparent Tribe, FIN7, and DPRK\'s Andariel, are targeting a wide range of sectors from defense and industrial control systems to financial institutions and research entities. These attacks exploit various vulnerabilities and employ advanced evasion techniques, leveraging both traditional methods and emerging technologies like AI-generated scripts and RDGAs, underscoring the evolving and persistent nature of the cyber threat landscape. ## Description 1. [Widespread Adoption of Flame Stealer](https://sip.security.microsoft.com/intel-explorer/articles/f610f18e): Cyfirma reports Flame Stealer\'s use in stealing Discord tokens and browser credentials. Distributed via Discord and Telegram, this malware targets various platforms, utilizing evasion techniques like DLL side-loading and data exfiltration through Discord webhooks. 2. [ExelaStealer Delivered via PowerShell](https://sip.security.microsoft.com/intel-explorer/articles/5b4a34b0): The SANS Technology Institute Internet Storm Center reported a threat involving ExelaStealer, downloaded from a Russian IP address using a PowerShell script. The script downloads two PE files: a self-extracting RAR archive communicating with "solararbx\[.\]online" and "service.exe," the ExelaStealer malware. The ExelaStealer, developed in Python, uses Discord for C2, conducting reconnaissance activities and gathering system and user details. Comments in Russian in the script and the origin of the IP address suggest a Russian origin. 3. [FrostyGoop Disrupts Heating in Ukraine](https://sip.security.microsoft.com/intel-explorer/articles/cf8f8199): Dragos identified FrostyGoop malware in a cyberattack disrupting heating in Lviv, Ukraine. Linked to Russian groups, the ICS-specific malware exploits vulnerabilities in industrial control systems and communicates using the Modbus TCP protocol. 4. [Rhysida Ransomware Attack on Private School](https://sip.security.microsoft.com/intel-explorer/articles/4cf89ad3): ThreatDown by Malwarebytes identified a Rhysida ransomware attack using a new variant of the Oyster backdoor. The attackers used SEO-poisoned search results to distribute malicious installers masquerading as legitimate software, deploying the Oyster backdoor. 5. [LLMs Used to Generate Malicious Code](https://sip.security.microsoft.com/intel-explorer/articles/96b66de0): Symantec highlights cyberattacks using Large Language Models (LLMs) to generate malware code. Phishing campaigns utilize LLM-generated PowerShell scripts to download payloads like Rhadamanthys and LokiBot, stressing the need for advanced detection against AI-facilitated attacks. 6. [Stargazers Ghost Network Distributes Malware](https://sip.security.microsoft.com/intel-explorer/articles/62a3aa28): Check Point Research uncovers a network of GitHub accounts distributing malware via phishing repositories. The Stargazer Goblin group\'s DaaS operation leverages over 3,000 accounts to spread malware such as Atlantida Stealer and RedLine, targeting both general users and other threat actors. 7. [Crimson RAT Targets Indian Election Results](https://sip.security.microsoft.com/intel-explorer/articles/dfae4887): K7 Labs identified Crimson RAT malware delivered through documents disguised as "Indian Election Results." Transparent Tribe APT, believed to be from Pakistan, targets Indian diplomatic and defense entities using macro-embedded documents to steal credentials. 8. [AsyncRAT Distributed via Weaponized eBooks](https://sip.security.microsoft.com/intel-explorer/articles/e84ee11d): ASEC discovered AsyncRAT malware distributed through weaponized eBooks. Hidden PowerShell scripts within these eBooks trigger the AsyncRAT payload, which uses obfuscation and anti-detection techniques to exfiltrate data. | Ransomware Data Breach Spam Malware Tool Vulnerability Threat Legislation Mobile Industrial Medical | APT 28 APT 36 | ★★ |
|
2024-07-25 14:00:00 | APT45: Machine militaire numérique de la Corée du Nord APT45: North Korea\\'s Digital Military Machine (lien direct) |
Written by: Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, Michael Barnhart
Executive Summary APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009. APT45 has gradually expanded into financially-motivated operations, and the group\'s suspected development and deployment of ransomware sets it apart from other North Korean operators. APT45 and activity clusters suspected of being linked to the group are strongly associated with a distinct genealogy of malware families separate from peer North Korean operators like TEMP.Hermit and APT43. Among the groups assessed to operate from the Democratic People\'s Republic of Korea (DPRK), APT45 has been the most frequently observed targeting critical infrastructure. Overview Mandiant assesses with high confidence that APT45 is a moderately sophisticated cyber operator that supports the interests of the DPRK. Since at least 2009, APT45 has carried out a range of cyber operations aligned with the shifting geopolitical interests of the North Korean state. Although the group\'s earliest observed activities consisted of espionage campaigns against government agencies and defense industries, APT45 has expanded its remit to financially-motivated operations, including targeting of the financial vertical; we also assess with moderate confidence that APT45 has engaged in the development of ransomware. Additionally, while multiple DPRK-nexus groups focused on healthcare and pharmaceuticals during the initial stages of the COVID-19 pandemic, APT45 has continued to target this vertical longer than other groups, suggesting an ongoing mandate to collect related information. Separately, the group has conducted operations against nuclear-related entities, underscoring its role in supporting DPRK priorities. 
Shifts in Targeting and Expanding Operations
Similar to other cyber threat activity attributed to North Korea-nexus groups, shifts in APT45 operations have reflected the DPRK\'s changing priorities. Malware samples indicate the group was active as early as 2009, although an observed focus on government agencies and the defense industry was observed beginning in 2017. Identified activity in 2019 aligned with Pyongyang\'s continued interest in nuclear issues and energy. Although it is not clear if financially-motivated operations are a focus of APT45\'s current mandate, the group is distinct from other North Korean operators in its suspected interest in ransomware. Given available information, it is possible that APT45 is carrying out financially-motivated cybercrime not only in support of its own operations but to generate funds for other North Korean state priorities.
Financial Sector
Like other North Korea |
Ransomware Malware Tool Threat Medical | APT 37 APT 43 | ★★★★★ |
|
2024-07-24 23:34:10 | Onyx Sleet utilise une gamme de logiciels malveillants pour recueillir l'intelligence pour la Corée du Nord Onyx Sleet uses array of malware to gather intelligence for North Korea (lien direct) |
#### Targeted Geolocations - India - Korea - United States - Southeast Asia - North America #### Targeted Industries - Information Technology - Defense Industrial Base - Government Agencies & Services ## Snapshot On July 25, 2024, the United States Department of Justice (DOJ) indicted an individual linked to the North Korean threat actor that Microsoft tracks as Onyx Sleet. Microsoft Threat Intelligence collaborated with the Federal Bureau of Investigation (FBI) in tracking activity associated with Onyx Sleet. We will continue to closely monitor Onyx Sleet\'s activity to assess changes following the indictment. First observed by Microsoft in 2014, Onyx Sleet has conducted cyber espionage through numerous campaigns aimed at global targets with the goal of intelligence gathering. More recently, it has expanded its goals to include financial gain. This threat actor operates with an extensive set of custom tools and malware, and regularly evolves its toolset to add new functionality and to evade detection, while keeping a fairly uniform attack pattern. Onyx Sleet\'s ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, like organizations in the defense, engineering, and energy sectors. Microsoft tracks campaigns related to Onyx Sleet and directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. ## Activity Overview ### Who is Onyx Sleet? Onyx Sleet conducts cyber espionage primarily targeting military, defense, and technology industries, predominately in India, South Korea, and the United States. This threat actor has historically leveraged spear-phishing as a means of compromising target environments; however, in recent campaigns, they have mostly exploited N-day vulnerabilities, leveraging publicly available and custom exploits to gain initial access. In October 2023, Onyx Sleet [exploited the TeamCity CVE-2023-42793 vulnerability](https://security.microsoft.com/intel-explorer/articles/b4f39b04) [as a part of a targeted attack](https://security.microsoft.com/vulnerabilities/vulnerability/CVE-2023-42793/overview). Exploiting this vulnerability enabled the threat actor to perform a remote code execution attack and gain administrative control of the server. Onyx Sleet develops and uses a spectrum of tools that range from custom to open source. They have built an extensive set of custom remote access trojans (RATs) that they use in campaigns, and routinely developed new variants of these RATs to add new functionality and implement new ways of evading detection. Onyx Sleet often uses leased virtual private servers (VPS) and compromised cloud infrastructure for command-and-control (C2). Onyx Sleet is tracked by other security companies as SILENT CHOLLIMA, Andariel, DarkSeoul, Stonefly, and TDrop2. **Affiliations with other threat actors originating from North Korea** Onyx Sleet has demonstrated affiliations with other North Korean actors, indicating its integration with a broader network of North Korean cyber operations. Microsoft has observed [an overlap](https://www.microsoft.com/en-us/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/) between Onyx Sleet and [Storm-0530](https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/). Both groups were observed operating within the same infrastructure and were involved in the development and use of ransomware in attacks in late 2021 and 2022. **Onyx Sleet targets** In pursuit of its primary goal of intelligence collection, Onyx Sleet has focused on targeting entities in the defense and energy industries, predominately in India, South Korea, and the United States. Recent att | Ransomware Malware Tool Vulnerability Threat Industrial Cloud Technical Commercial | APT 38 | ★★★ |
|
2024-07-24 21:28:53 | (Déjà vu) Les acteurs de la menace ciblent les résultats des élections récentes Threat Actors Target Recent Election Results (lien direct) |
#### Géolocations ciblées - Inde ## Instantané Les analystes de K7 Labs ont trouvé un document se faisant passer pour des «résultats des élections indiennes», qui s'est avéré livrer le malware de Troie (rat) à accès à distance cramoisi. ## Description Crimson Rat, couramment utilisé par le groupe Transparent Tribe APT, vole des informations d'identification et d'autres informations sensibles.La tribu transparente, censée opérer à partir du Pakistan, cible les entités diplomatiques, de défense et de recherche en Inde et en Afghanistan. Dans ce cas, l'appât a impliqué des résultats électoraux pour attirer les internautes indiens.Le vecteur d'attaque était un fichier .docm auprès de macros qui a intégré la charge utile de rat Crimson.Lors de l'exécution, le malware décode les fichiers intégrés et installe un fichier d'économiseur d'écran pour établir la persistance.Un autre dossier de leur, déguisé en programme universitaire, a également livré le même logiciel malveillant.Le rat Crimson échappe à la détection en retardant son activité et se connecte à un serveur de commande et de contrôle pour exécuter des commandes et voler des données. ## Analyse supplémentaire Transparent Tribe, également suivi sous le nom de Mythic Leopard et APT36, est un groupe de menaces basé au Pakistan actif depuis 2013. Le groupe cible principalement le gouvernement, la défense et l'éducation en Inde. Transparent Tribe a déjà été observée à l'aide de Crimsonrat pour cibler une variété d'entités indiennes, notamment [l'armée indienne] (https://www.seqrite.com/blog/transparent-tribe-apt-active-leures-indian-army-amidst-Augmentation du ciblage-de l'éducation-institutions /), [établissements d'éducation] (https://blog.talosintelligence.com/transparent-tribe-targets-education/), et [les fonctionnaires du gouvernement] (https: //blog.talosintelligence.com / Transparent-Tribe-New-Campaign /).Selon Cisco Talos, Crimsonrat est l'outil de choix du groupe depuis au moins 2020, en particulier lorsqu'il cherche à établir un accès persistant dans les réseaux cibles.L'outil est souvent déployé par une tribu transparente en utilisant des e-mails de espionnage. ## Détections / requêtes de chasse ### Microsoft Defender Antivirus Microsoft Defender Antivirus les composants de menace suivants comme malware: - [TrojandRopper: O97M / OBFUSE] (https: //www.microsoft.com/en-us/wdsi/therets/malware-encyclopedia-dercription?name=trojandropper:o97m/obfuse!mtb) ## Recommandations MIcrosoft recommande les atténuations suivantes pour réduire l'impact de cette menace. - Allumez [Protection en livraison du cloud] (https://learn.microsoft.com/en-us/defender-endpoint/linux-preférences) dans Microsoft Defender Antivirus ou l'équivalent de votre produit antivirus pour couvrir rapidement les outils d'attaquant en évolution et et et les outils d'attaquant en évolution rapide ettechniques.Les protections d'apprentissage automatique basées sur le cloud bloquent la majorité des menaces nouvelles et inconnues. - Exécuter [EDR en mode bloc] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=Magicti_TA_LearnDoc)Le défenseur du point final peut bloquer les artefacts malveillants, même lorsque votre antivirus non microsoft ne détecte pas la menace ou lorsque Microsoft Defender Antivirus fonctionne en mode passif.EDR en mode bloc fonctionne dans les coulisses pour corriger les artefacts malveillants qui sont détectés post-abri. - Autoriser [Investigation and Remediation] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) en mode automatisé complet pour permettre à Microsoft DefenderPour que le point final prenne des mesures immédiates sur les alertes pour résoudre les violations, réduisant considérablement le volume d'alerte. - [Activé] (https | Ransomware Malware Tool Threat | APT 36 | ★★★ |
|
2024-06-05 14:00:00 | Phishing pour l'or: cyber-menaces auxquelles sont confrontés les Jeux olympiques de Paris 2024 Phishing for Gold: Cyber Threats Facing the 2024 Paris Olympics (lien direct) |
Written by: Michelle Cantos, Jamie Collier
Executive Summary Mandiant assesses with high confidence that the Paris Olympics faces an elevated risk of cyber threat activity, including cyber espionage, disruptive and destructive operations, financially-motivated activity, hacktivism, and information operations. Olympics-related cyber threats could realistically impact various targets including event organizers and sponsors, ticketing systems, Paris infrastructure, and athletes and spectators traveling to the event. Mandiant assesses with high confidence that Russian threat groups pose the highest risk to the Olympics. While China, Iran, and North Korea state sponsored actors also pose a moderate to low risk. To reduce the risk of cyber threats associated with the Paris Olympics, organizations should update their threat profiles, conduct security awareness training, and consider travel-related cyber risks. The security community is better prepared for the cyber threats facing the Paris Olympics than it has been for previous Games, thanks to the insights gained from past events. While some entities may face unfamiliar state-sponsored threats, many of the cybercriminal threats will be familiar. While the technical disruption caused by hacktivism and information operations is often temporary, these operations can have an outsized impact during high-profile events with a global audience. Introduction The 2024 Summer Olympics taking place in Paris, France between July and August creates opportunities for a range of cyber threat actors to pursue profit, notoriety, and intelligence. For organizations involved in the event, understanding relevant threats is key to developing a resilient security posture. Defenders should prepare against a variety of threats that will likely be interested in targeting the Games for different reasons: Cyber espionage groups are likely to target the 2024 Olympics for information gathering purposes, due to the volume of government officials and senior decision makers attending. Disruptive and destructive operations could potentially target the Games to cause negative psychological effects and reputational damage. This type of activity could take the form of website defacements, distributed denial of service (DDoS) attacks, the deployment of wiper malware, and operational technology (OT) targeting. As a high profile, large-scale sporting event with a global audience, the Olympics represents an ideal stage for such operations given that the impact of any disruption would be significantly magnified. Information operations will likely leverage interest in the Olympics to spread narratives and disinformation to target audiences. In some cases, threat actors may leverage disruptive and destructive attacks to amplify the spread of particular narratives in hybrid operations. Financially-motivated actors are likely to target the Olympics in v |
Ransomware Malware Threat Studies Mobile Cloud Technical | APT 15 APT 31 APT 42 | ★★ |
 |
2024-05-29 16:05:00 | Microsoft Uncovers \\ 'Moonstone Sheet \\' - Nouveau groupe de pirates nord Microsoft Uncovers \\'Moonstone Sleet\\' - New North Korean Hacker Group (lien direct) |
Un acteur de menace nord-coréen jamais vu auparavant, le nom de manche de Moonstone Sleet a été attribué comme derrière les cyberattaques ciblant les individus et les organisations dans les secteurs de base industrielle des technologies et des technologies de l'information, de l'éducation et de la défense avec un ransomware et un malware sur mesure auparavant associé au célèbre groupe Lazarus Lazare.
"On observe que le grésil de la pierre de lune installe de fausses entreprises et
A never-before-seen North Korean threat actor codenamed Moonstone Sleet has been attributed as behind cyber attacks targeting individuals and organizations in the software and information technology, education, and defense industrial base sectors with ransomware and bespoke malware previously associated with the infamous Lazarus Group. "Moonstone Sleet is observed to set up fake companies and |
Ransomware Malware Threat Industrial | APT 38 | ★★ |
 |
2024-05-29 13:00:09 | Corée du Nord pour construire des réserves de trésorerie utilisant des ransomwares, jeux vidéo North Korea building cash reserves using ransomware, video games (lien direct) |
Microsoft dit que l'hermite de Kim \\ pivote les derniers outils à mesure qu'il évolue dans le cyberespace un tout nouveau groupe de cybercriminalité que Microsoft lie avec la Corée du Nord trompe des cibles en utilisant de fausses opportunités d'emploi à lancermalware et ransomware, le tout pour un gain financier…
Microsoft says Kim\'s hermit nation is pivoting to latest tools as it evolves in cyberspace A brand-new cybercrime group that Microsoft ties to North Korea is tricking targets using fake job opportunities to launch malware and ransomware, all for financial gain.… |
Ransomware Malware Tool | APT 37 | ★★ |
|
2024-05-28 17:37:40 | Faits saillants hebdomadaires, 28 mai 2024 Weekly OSINT Highlights, 28 May 2024 (lien direct) |
## Snapshot Last week\'s OSINT reporting reveals a diverse array of sophisticated cyber threats targeting various sectors, including financial institutions, government entities, and academic organizations. The reports highlight a variety of attack types such as banking trojans, stealers, crypto mining malware, ransomware, and remote access trojans (RATs). Attack vectors include malspam campaigns, spear-phishing emails, search engine advertisements, and trojanized software packages. Threat actors range from financially motivated groups like UAC-0006 and Ikaruz Red Team to state-sponsored entities such as the Chinese-linked "Unfading Sea Haze" and the Iranian Void Manticore. These actors employ advanced techniques like fileless malware, DLL sideloading, and custom keyloggers to achieve persistence and data exfiltration. The targets of these attacks are geographically widespread, encompassing North and South America, the South China Sea region, the Philippines, and South Korea, underscoring the global reach and impact of these threats. ## Description 1. **[Metamorfo Banking Trojan Targets North and South America](https://security.microsoft.com/intel-explorer/articles/72f52370)**: Forcepoint reports that the Metamorfo (Casbaneiro) banking trojan spreads through malspam campaigns, using HTML attachments to initiate system metadata collection and steal user data. This malware targets banking users in North and South America by employing PowerShell commands and various persistence mechanisms. 2. **[Unfading Sea Haze Targets South China Sea Military and Government Entities](https://security.microsoft.com/intel-explorer/articles/c95e7fd5)**: Bitdefender Labs identified a Chinese-linked threat actor, "Unfading Sea Haze," using spear-phishing emails and fileless malware to target military and government entities in the South China Sea region. The campaign employs tools like SerialPktdoor and Gh0stRAT to exfiltrate data and maintain persistence. 3. **[Acrid, ScarletStealer, and Sys01 Stealers](https://security.microsoft.com/intel-explorer/articles/8ca39741)**: Kaspersky describes three stealers-Acrid, ScarletStealer, and Sys01-targeting various global regions. These stealers focus on stealing browser data, cryptocurrency wallets, and credentials, posing significant financial risks by exfiltrating sensitive user information. 4. **[REF4578 Crypto Mining Campaign](https://security.microsoft.com/intel-explorer/articles/c2420a77)**: Elastic Security Labs reports on REF4578, an intrusion set leveraging vulnerable drivers to disable EDRs for deploying Monero crypto miners. The campaign\'s GHOSTENGINE module ensures persistence and termination of security agents, targeting systems for crypto mining. 5. **[SmokeLoader Malware Campaign in Ukraine](https://security.microsoft.com/intel-explorer/articles/7bef5f52)**: CERT-UA observed the UAC-0006 threat actor distributing SmokeLoader malware via phishing emails in Ukraine. The campaign downloads additional malware like Taleshot and RMS, targeting remote banking systems and increasing fraud schemes. 6. **[Ikaruz Red Team Targets Philippines with Modified Ransomware](https://security.microsoft.com/intel-explorer/articles/624f5ce1)**: The hacktivist group Ikaruz Red Team uses leaked LockBit 3 ransomware builders to attack Philippine organizations, aligning with other hacktivist groups like Turk Hack Team. The group engages in politically motivated data leaks and destructive actions. 7. **[Grandoreiro Banking Trojan Campaign](https://security.microsoft.com/intel-explorer/articles/bc072613)**: IBM X-Force tracks the Grandoreiro banking trojan, which operates as Malware-as-a-Service (MaaS) and targets over 1500 global banks. The malware uses advanced evasion techniques and spreads through phishing emails, aiming to commit banking fraud worldwide. 8. **[Void Manticore\'s Destructive Wiping Attacks](https://security.microsoft.com/intel-explorer/articles/d5d5c07f)**: Check Point Research analyzes the Iranian threat actor Void Manticore, conducting destructive wip | Ransomware Malware Hack Tool Threat | APT 34 | ★★★ |
|
2024-05-22 15:21:21 | Bad Karma, No Justice: Void Manticore Destructive Activities in Israel (lien direct) | #### Géolocations ciblées - Israël ## Instantané Check Point Research a publié une analyse de l'acteur de menace iranien Void Manticore, l'acteur Microsoft suit en tant que Storm-0842.Affilié au ministère des Intelligences et de la Sécurité (MOIS), le vide Manticore effectue des attaques d'essuyage destructrices combinées à des opérations d'influence.L'acteur de menace exploite plusieurs personnages en ligne, les plus importants d'entre eux étant la justice de la patrie pour des attaques en Albanie et au Karma pour des attaques menées en Israël. ## Description Il y a des chevauchements clairs entre les cibles de vide manticore et de marminé marqué (aka Storm-0861), avec des indications de remise systématique des cibles entre ces deux groupes lorsqu'ils décident de mener des activités destructrices contre les victimes existantes de Manticore marqué.Les procédures de transfert documentées entre ces groupes suggèrent un niveau de planification cohérent et permettent à un accès vide de manticore à un ensemble plus large d'objectifs, facilité par leurs homologues \\ 'avancés.Les postes de collaboration ont annulé Manticore en tant qu'acteur exceptionnellement dangereux dans le paysage des menaces iraniennes. Void Manticore utilise cinq méthodes différentes pour mener des opérations perturbatrices contre ses victimes.Cela comprend plusieurs essuie-glaces personnalisés pour Windows et Linux, ainsi que la suppression manuelle de fichiers et de lecteurs partagés.Dans leurs dernières attaques, Void Manticore a utilisé un essuie-glace personnalisé appelé Bibi Wiper, faisant référence au surnom du Premier ministre d'Israël, Benjamin Netanyahu.L'essorage a été déployé dans plusieurs campagnes contre plusieurs entités en Israël et dispose de variantes pour Linux et Windows. ## Analyse Microsoft Microsoft Threat Intelligence Tracks void Manticore comme [Storm-0842] (https://security.microsoft.com/intel-profiles/0c1349b0f2bd0e545d4f741eeae18dd89888d3c0fbf99540b7cf623ff5bb2bf5) ministère du renseignement et de la sécurité (MOIS).Depuis 2022, Microsoft a observé plusieurs cas où Storm-0842 a déployé un outil destructeur dans un environnement précédemment compromis par [Storm-0861] (https://security.microsoft.com 8DE00), un autre groupe avec des liens avecLes Mois. Depuis 2022, Microsoft a observé que la majorité des opérations impliquant Storm-0842 ont affecté les organisations en [Albanie] (https://security.microsoft.com/intel-explorer/articles/5491ec4b) et en Israël.En particulier, Microsoft a observé des opérateurs associés à Storm-0842 de manière opportuniste [déploiez l'essuie-glace de Bibi en réponse à la guerre d'Israël-Hamas.] (Https://security.microsoft.com/intel-explorer/articles/cf205f30) ## Détections Microsoft Defender Antivirus détecte plusieurs variantes (Windows et Linux) de l'essuie-glace Bibi comme le malware suivant: - [DOS: WIN32 / WPRBLIGHTRE] (https://www.microsoft.com/en-us/wdsi/therets/malware-encyclopedia-description?name=dos:win32/wprblightre.b!dha& ;theratid=-2147072872)(Les fenêtres) - [dos: lINUX / WPRBLIGHTRE] (https://www.microsoft.com/en-us/wdsi/therets/malware-encycopedia-dercription?name=dos:linux/wprblightre.a& ;threatid = -2147072991) (Linux) ## Recommandations Microsoft recommande les atténuations suivantes pour réduire l'impact de cette menace. - Lisez notre [Ransomware en tant que blog de service] (https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-udentSanding-the-cybercrim-gig-ecoony-and-Comment-protect-vous-soi / # défendant-against-ransomware) pour des conseils sur le développement d'une posture de sécurité holistique pour prévenir les ransomwares, y compris l'hygiène des informations d'identification et les recommandations de durcissement. - Allumez [Protection en cloud-étirement] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-lock-at-first-sigh | Ransomware Malware Tool Threat | APT 34 | ★★★ |
|
2024-04-25 10:00:00 | Pole Voûte: cyber-menaces aux élections mondiales Poll Vaulting: Cyber Threats to Global Elections (lien direct) |
Written by: Kelli Vanderlee, Jamie Collier
Executive Summary The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts. When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure. Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google\'s Advanced Protection Program to protect high-risk accounts. Introduction The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture. The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence. |
Ransomware Malware Hack Tool Vulnerability Threat Legislation Cloud Technical | APT 40 APT 29 APT 28 APT 43 APT 31 APT 42 | ★★★ |
 |
2023-11-28 00:00:00 | Enquêter sur le risque de références compromises et d'actifs exposés à Internet explorez le rapport révélant les industries et les tailles d'entreprise avec les taux les plus élevés d'identification compromises et d'actifs exposés à Internet.En savoir plus Investigating the Risk of Compromised Credentials and Internet-Exposed Assets Explore the report revealing industries and company sizes with the highest rates of compromised credentials and internet-exposed assets. Read More (lien direct) |
IntroductionIn this report, Kovrr collected and analyzed data to better understand one of the most common initial access vectors (1) - the use of compromised credentials (Valid Accounts - T1078) (2) to access internet-exposed assets (External Remote Services - T113) (3). The toxic combination of these two initial access vectors can allow malicious actors to gain a foothold in company networks before moving on to the next stage of their attack, which can be data theft, ransomware, denial of service, or any other action. There are numerous examples of breaches perpetrated by many attack groups that have occurred using this combination, for example, breaches by Lapsus (4) and APT39 (5), among others. âThis report seeks to demonstrate which industries and company sizes have the highest percentage of compromised credentials and number of internet-exposed assets and face a higher risk of having their networks breached by the toxic combination of the initial access vectors mentioned above.âIt should be noted that having an asset exposed to the internet does not inherently pose a risk or indicate that a company has poor security. In our highly digitized world, companies are required to expose services to the internet so their services can be accessed by customers, vendors, and remote employees. These services include VPN servers, SaaS applications developed by the company, databases, and shared storage units. However, there are some common cases when having an asset exposed to the internet can be extremely risky, for example:âWhen a company unintentionally exposes an asset due to misconfiguration.When a malicious third party obtains compromised credentials of a legitimate third party and accesses an exposed asset.  âTo limit unnecessary internet exposure, companies should employ the following possible mitigations:âUse Multi-Factor Authentication (MFA) for any services or assets that require a connection so that compromised credentials on their own will not be enough to breach an exposed asset.Limit access to the asset to only specific accounts, domains, and/or IP ranges.Segment the internal company network and isolate critical areas so that even if a network is breached through access to an external asset, attackers will not be able to use that access to reach wider or more sensitive areas of the company network. âSummaryâThe following are the main findings from the collected data:âThe Services industry is by far the most exposed to attackers. Companies from that industry have the highest percentage of compromised credentials (74%). However, they have a relatively low amount of internet-exposed assets per company (34%). However, given that an average cyber loss in this industry has been shown to be about $45M, this is highly concerning (6). The Services industry (SIC Division I) is followed by Division E (Transportation, Communications, Electric, Gas, and Sanitary Services, with an average loss of around $58M), which is followed by Division D (Manufacturing, with an average loss of around $25M). The revenue range for companies with the highest number of compromised credentials is $1M-$10M, followed by $10M-$50M. A similar trend is also observed when evaluating company size by the number of employees. Indeed, companies with fewer employees have a higher share of compromised credentials. On average, the larger the company (both in terms of revenue and number of employees (7)), the greater the number of internet-exposed assets.There is a correlation between the industries and revenue ranges of companies targeted by ransomware and those with the highest share of compromised credentials.   âMethodologyâThe data for this research was collected as follows:âData regarding compromised credentials was first collected from Hudson Rock, a provider of various cybercrime data. Data was collected for the previous six months, beginning March 2023. This data | Ransomware Threat Studies Prediction Cloud | APT 39 APT 39 APT 17 | ★★★ |
 |
2023-10-30 11:51:07 | Nord-coréen \\ 'lazarus \\' hackers and it Company \\'s billion-won ransomware bater North Korean \\'Lazarus\\' Hackers and IT Company\\'s Billion-Won Ransomware Heist (lien direct) |
Le récent dévoilement d'une alliance sinistre entre une entreprise informatique et des pirates nord-coréens, il est évident que le paysage cyber-menace a pris un [Plus ...]
The recent unveiling of a sinister alliance between an IT company and North Korean hackers, it’s evident that the cyber threat landscape has taken a [more...] |
Ransomware Threat | APT 38 | ★★★ |
 |
2023-06-28 12:39:49 | Kaspersky découvre une nouvelle famille de logiciels malveillants utilisés par Andariel, le sous-groupe de Lazarus (lien direct) | >Kaspersky a mené une enquête approfondie sur les activités d’Andariel, un sous-groupe notoire du groupe Lazarus. Au cours de cette enquête, les chercheurs de Kaspersky ont découvert une nouvelle famille de logiciels malveillants appelée EarlyRat, qui est utilisée par Andariel en plus de leur utilisation connue du malware DTrack et du ransomware Maui. L’analyse des […] The post Kaspersky découvre une nouvelle famille de logiciels malveillants utilisés par Andariel, le sous-groupe de Lazarus first appeared on UnderNews. | Ransomware Malware | APT 38 | ★★★★ |
 |
2023-05-31 17:19:00 | Anomali Cyber Watch: Shadow Force cible les serveurs coréens, Volt Typhoon abuse des outils intégrés, Cosmicenergy Tests Electric Distribution Perturbation Anomali Cyber Watch: Shadow Force Targets Korean Servers, Volt Typhoon Abuses Built-in Tools, CosmicEnergy Tests Electric Distribution Disruption (lien direct) |
Les différentes histoires de l'intelligence des menaces dans cette itération de la cyber-montre anomali discutent des sujets suivants: Chine, chargement de DLL, vivant de la terre, technologie opérationnelle, ransomware, et Russie .Les CIO liés à ces histoires sont attachés à Anomali Cyber Watch et peuvent être utilisés pour vérifier vos journaux pour une activité malveillante potentielle.
Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées.
Cyber News et Intelligence des menaces
shadowVictiticoor et Coinmin de Force Group \\
(Publié: 27 mai 2023)
Force Shadow est une menace qui cible les organisations sud-coréennes depuis 2013. Il cible principalement les serveurs Windows.Les chercheurs d'AHNLAB ont analysé l'activité du groupe en 2020-2022.Les activités de force fantôme sont relativement faciles à détecter car les acteurs ont tendance à réutiliser les mêmes noms de fichiers pour leurs logiciels malveillants.Dans le même temps, le groupe a évolué: après mars, ses fichiers dépassent souvent 10 Mo en raison de l'emballage binaire.Les acteurs ont également commencé à introduire divers mineurs de crypto-monnaie et une nouvelle porte dérobée surnommée Viticdoor.
Commentaire de l'analyste: Les organisations doivent garder leurs serveurs à jour et correctement configurés avec la sécurité à l'esprit.Une utilisation et une surchauffe du processeur inhabituellement élevées peuvent être un signe du détournement de ressources malveillantes pour l'exploitation de la crypto-monnaie.Les indicateurs basés sur le réseau et l'hôte associés à la force fantôme sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure.
mitre att & amp; ck: [mitre att & amp; ck] t1588.003 - obtenir des capacités:Certificats de signature de code | [mitre att & amp; ck] t1105 - transfert d'outils d'entrée | [mitre att & amp; ck] t1027.002 - fichiers ou informations obscurcies: emballage logiciel | [mitre att & amp; ck] t1569.002: exécution du service | [mitre att & amp; ck] T1059.003 - Commande et script Interpréteur: Windows Command Shell | [mitre att & amp; ck] T1547.001 - Exécution de botter ou de connexion automatique: Registre Run Keys / Startup Folder | [mitre att & amp; ck] t1546.008 - Événement Exécution déclenchée: caractéristiques de l'accessibilité | [mitre att & amp; ck] t1543.003 - créer ou modifier le processus système: service Windows | [mitre att & amp; ck] t1554 - compromis le logiciel client binaire | [mitreAtt & amp; ck] t1078.001 - Comptes valides: comptes par défaut | [mitre att & amp; ck] t1140 - désobfuscate / décode ou infor |
Ransomware Malware Tool Vulnerability Threat | APT 38 Guam CosmicEnergy | ★★ |
|
2023-05-01 23:16:00 | Anomali Cyber Watch: APT37 adopte les fichiers LNK, Charming Kitten utilise le bordereau d'implant Bellaciao, le cryptage de remappage d'octet unique Vipersoftx InfostEaler Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption (lien direct) |
Les diverses histoires de l'intelligence des menaces dans cette itération de l'anomali cyber watch discutent les sujets suivants: apt, Remapping, Cloud C2s, Infostalers, Iran, Corée du Nord, Rats, et vulnérabilités .Les CIO liés à ces histoires sont attachés à Anomali Cyber Watch et peuvent être utilisés pour vérifier vos journaux pour une activité malveillante potentielle.
Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées.
Cyber News et Intelligence des menaces
Réaction en chaîne: Rokrat & rsquo; s.Lien manquant
(Publié: 1er mai 2023)
Depuis 2022, le groupe parrainé par le Nord-Korea APT37 (Group123, Ricochet Chollima) a principalement changé ses méthodes de livraison de Maldocs pour cacher des charges utiles à l'intérieur des fichiers LNK surdimensionnés.Vérifier les chercheurs a identifié plusieurs chaînes d'infection utilisées par le groupe de juillet 2022 à avril 2023. Celles-ci ont été utilisées pour livrer l'un des outils personnalisés de l'APT37 (Goldbackdoor et Rokrat), ou le malware de marchandises Amadey.Tous les leurres étudiés semblent cibler des personnes coréennes avec des sujets liés à la Corée du Sud.
Commentaire de l'analyste: Le passage aux chaînes d'infection basées sur LNK permet à APT37 de l'interaction utilisateur moins requise car la chaîne peut être déclenchée par un simple double clic.Le groupe continue l'utilisation de Rokrat bien triés qui reste un outil furtif avec ses couches supplémentaires de cryptage, le cloud C2 et l'exécution en mémoire.Les indicateurs associés à cette campagne sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquerleur infrastructure.
mitre att & amp; ck: [mitre att & amp; ck] t1059.001: Powershell | [mitre att & amp; ck] t1055 - injection de processus | [mitre att & amp; ck] t1027 - fichiers ou informations obscurcis | [mitre att & amp; ck] t1105 - transfert d'outils d'entrée | [mitre att & amp; ck] t1204.002 - Exécution des utilisateurs: fichier malveillant | [mitre att & amp; ck] t1059.005 - commande et script interprète: visuel basique | [mitre att & amp; ck] t1140 - désobfuscate / décode ou informations | [mitre att & amp; ck] T1218.011 - Exécution par proxy binaire signée: Rundll32
Tags: malware: Rokrat, mitre-software-id: s0240, malware-Type: Rat, acteur: Groupe123, mitre-groupe: APT37, acteur: Ricochet Chollima, Country source: Corée du Nord, Country source: KP, Cible-Country: Corée du Sud, Cible-Country: KR, Type de fichier: Zip, déposer-Type: Doc, Fichier-Type: ISO, Fichier-Type: LNK, File-Type: Bat, File-Type: EXE, Fichier-Type: VBS, malware: Amadey,MALWARE: Goldbackdoor, Type de logiciels malveillants: porte dérobée, abusée: Pcloud, abusé: Cloud Yandex, abusé: OneDrive, abusé: & # 8203; & # 8203; Processeur de mots Hangul, abusé: themida, système cible: Windows
|
Ransomware Malware Tool Vulnerability Threat Prediction Cloud | APT 37 APT 37 APT 35 | ★★ |
|
2023-04-25 18:22:00 | Anomali Cyber Watch: Deux attaques de la chaîne d'approvisionnement enchaînées, leurre de communication DNS furtive de chien, Evilextractor exfiltrates sur le serveur FTP Anomali Cyber Watch: Two Supply-Chain Attacks Chained Together, Decoy Dog Stealthy DNS Communication, EvilExtractor Exfiltrates to FTP Server (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptomining, Infostealers, Malvertising, North Korea, Phishing, Ransomware, and Supply-chain attacks. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters
(published: April 21, 2023)
A new Monero cryptocurrency-mining campaign is the first recorded case of gaining persistence via Kubernetes (K8s) Role-Based Access Control (RBAC), according to Aquasec researchers. The recorded honeypot attack started with exploiting a misconfigured API server. The attackers preceded by gathering information about the cluster, checking if their cluster was already deployed, and deleting some existing deployments. They used RBAC to gain persistence by creating a new ClusterRole and a new ClusterRole binding. The attackers then created a DaemonSet to use a single API request to target all nodes for deployment. The deployed malicious image from the public registry Docker Hub was named to impersonate a legitimate account and a popular legitimate image. It has been pulled 14,399 times and 60 exposed K8s clusters have been found with signs of exploitation by this campaign.
Analyst Comment: Your company should have protocols in place to ensure that all cluster management and cloud storage systems are properly configured and patched. K8s buckets are too often misconfigured and threat actors realize there is potential for malicious activity. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from highly-active threat groups.
MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1496 - Resource Hijacking | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1489 - Service Stop
Tags: Monero, malware-type:Cryptominer, detection:PUA.Linux.XMRMiner, file-type:ELF, abused:Docker Hub, technique:RBAC Buster, technique:Create ClusterRoleBinding, technique:Deploy DaemonSet, target-system:Linux, target:K8s, target:Kubernetes RBAC
3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible
(published: April 20, 2023)
Investigation of the previously-reported 3CX supply chain compromise (March 2023) allowed Mandiant researchers to detect it was a result of prior software supply chain attack using a trojanized installer for X_TRADER, a software package provided by Trading Technologies. The attack involved the publicly-available tool SigFlip decrypting RC4 stream-cipher and starting publicly-available DaveShell shellcode for reflective loading. It led to installation of the custom, modular VeiledSignal backdoor. VeiledSignal additional modules inject the C2 module in a browser process instance, create a Windows named pipe and |
Ransomware Spam Malware Tool Threat Cloud | Uber APT 38 ChatGPT APT 43 | ★★ |
 |
2023-03-22 12:30:00 | Le Royaume-Uni émet une stratégie pour protéger les services de santé nationaux contre les cyberattaques [UK issues strategy to protect National Health Service from cyberattacks] (lien direct) |
Le gouvernement britannique a publié mercredi sa nouvelle stratégie de cybersécurité pour le National Health Service, visant à rendre le secteur de la santé du pays \\ «durcie considérablement à la cyberattaque, au plus tard en 2030».La stratégie vient dans le sillage de la [Wannacry] (https://www.theguardian.com/technology/2017/jun/16/wannacry-ransomware-attack-linked-north-korea-lazarus-group) Ransomware Attack en 2017, parallèlement à une attaque criminelle contre le fournisseur de logiciels [Advanced] (https://www.bbc.co.uk/news/technology-62725363) l'année dernière,
The British government published on Wednesday its new cybersecurity strategy for the National Health Service, aiming to make the country\'s healthcare sector “significantly hardened to cyber attack, no later than 2030.” The strategy comes in the wake of the [WannaCry](https://www.theguardian.com/technology/2017/jun/16/wannacry-ransomware-attack-linked-north-korea-lazarus-group) ransomware attack in 2017, alongside a criminal attack on the software supplier [Advanced](https://www.bbc.co.uk/news/technology-62725363) last year, |
Ransomware General Information | Wannacry APT 38 | ★★ |
|
2023-03-14 17:32:00 | Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam (lien direct) |
Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam, and More.
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, DLL side-loading, Iran, Linux, Malvertising, Mobile, Pakistan, Ransomware, and Windows. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Xenomorph V3: a New Variant with ATS Targeting More Than 400 Institutions
(published: March 10, 2023)
Newer versions of the Xenomorph Android banking trojan are able to target 400 applications: cryptocurrency wallets and mobile banking from around the World with the top targeted countries being Spain, Turkey, Poland, USA, and Australia (in that order). Since February 2022, several small, testing Xenomorph campaigns have been detected. Its current version Xenomorph v3 (Xenomorph.C) is available on the Malware-as-a-Service model. This trojan version was delivered using the Zombinder binding service to bind it to a legitimate currency converter. Xenomorph v3 automatically collects and exfiltrates credentials using the ATS (Automated Transfer Systems) framework. The command-and-control traffic is blended in by abusing Discord Content Delivery Network.
Analyst Comment: Fraud chain automation makes Xenomorph v3 a dangerous malware that might significantly increase its prevalence on the threat landscape. Users should keep their mobile devices updated and avail of mobile antivirus and VPN protection services. Install only applications that you actually need, use the official store and check the app description and reviews. Organizations that publish applications for their customers are invited to use Anomali's Premium Digital Risk Protection service to discover rogue, malicious apps impersonating your brand that security teams typically do not search or monitor.
MITRE ATT&CK: [MITRE ATT&CK] T1417.001 - Input Capture: Keylogging | [MITRE ATT&CK] T1417.002 - Input Capture: Gui Input Capture
Tags: malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility services, Overlay attack, Discord CDN, Cryptocurrency wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android
Cobalt Illusion Masquerades as Atlantic Council Employee
(published: March 9, 2023)
A new campaign by Iran-sponsored Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorous) was detected targeting Mahsa Amini protests and researchers who document the suppression of women and minority groups i |
Ransomware Malware Tool Vulnerability Threat Guideline Conference | APT 35 ChatGPT ChatGPT APT 36 APT 42 | ★★ |
|
2023-02-28 16:15:00 | Anomali Cyber Watch: Newly-Discovered WinorDLL64 Backdoor Has Code Similarities with Lazarus GhostSecret, Atharvan Backdoor Can Be Restricted to Communicate on Certain Days (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, DLL sideloading, Infostealers, Phishing, Social engineering, and Tunneling. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
WinorDLL64: A Backdoor From The Vast Lazarus Arsenal?
(published: February 23, 2023)
When the Wslink downloader (WinorLoaderDLL64.dll) was first discovered in 2021, it had no known payload and no known attribution. Now ESET researchers have discovered a Wslink payload dubbed WinorDLL64. This backdoor uses some of Wslink functions and the Wslink-established TCP connection encrypted with 256-bit AES-CBC cipher. WinorDLL64 has some code similarities with the GhostSecret malware used by North Korea-sponsored Lazarus Group.
Analyst Comment: Wslink and WinorDLL64 use a well-developed cryptographic protocol to protect the exchanged data. Innovating advanced persistent groups like Lazarus often come out with new versions of their custom malware. It makes it important for network defenders to leverage the knowledge of a wider security community by adding relevant premium feeds and leveraging the controls automation via Anomali Platform integrations.
MITRE ATT&CK: [MITRE ATT&CK] T1587.001 - Develop Capabilities: Malware | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1134.002 - Access Token Manipulation: Create Process With Token | [MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1087.001 - Account Discovery: Local Account | [MITRE ATT&CK] T1087.002 - Account Discovery: Domain Account | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1135 - Network Share Discovery | [MITRE ATT&CK] T1057 - Process Discovery | [MITRE ATT&CK] T1012: Query Registry | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] T1614 - System Location Discovery | [MITRE ATT&CK] T1614.001 - System Location Discovery: System Language Discovery | [MITRE ATT&CK] T1016 - System Network Configuration Discovery | [MITRE ATT&CK] T1049 - System Network Connections Discovery | |
Ransomware Malware Tool Threat Medical Medical Cloud | APT 38 | ★ |
 |
2023-02-02 09:00:00 | Lazarus Group Rises Again, to Gather Intelligence on Energy, Healthcare Firms (lien direct) | An OpSec slip from the North Korean threat group helps researchers attribute what was first suspected as a ransomware attack to nation-state espionage. | Ransomware Threat | APT 38 | ★★ |
 |
2023-02-02 01:00:00 | APT groups use ransomware TTPs as cover for intelligence gathering and sabotage (lien direct) | State-sponsored threat groups increasingly use ransomware-like attacks as cover to hide more insidious activities. Russian advanced persistent threat (APT) group Sandworm used ransomware programs to destroy data multiple times over the past six months while North Korea's Lazarus group used infrastructure previously associated with a ransomware group for intelligence gathering campaigns.At the same time, some Chinese APTs that were traditionally targeting entities in Asia shifted their focus to European companies, while Iran-based groups that traditionally targeted Israeli companies started going after their foreign subsidiaries. At least one North Korean group that was focused on South Korea and Russia has started using English in its operations. All these operational changes suggest organizations and companies from Western countries are at increased risk from APT activity.To read this article in full, please click here | Ransomware Threat Medical | APT 38 | ★★ |
|
2023-01-31 17:27:00 | Anomali Cyber Watch: KilllSomeOne Folders Invisible in Windows, Everything APIs Abuse Speeds Up Ransomware, APT38 Experiments with Delivery Vectors and Backdoors (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cryptocurrency, Data leak, Iran, North Korea, Phishing, Ransomware, and USB malware. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Chinese PlugX Malware Hidden in Your USB Devices?
(published: January 26, 2023)
Palo Alto researchers analyzed a PlugX malware variant (KilllSomeOne) that spreads via USB devices such as floppy, thumb, or flash drives. The variant is used by a technically-skilled group, possibly by the Black Basta ransomware. The actors use special shortcuts, folder icons and settings to make folders impersonating disks and a recycle bin directory. They also name certain folders with the 00A0 (no-break space) Unicode character thus hindering Windows Explorer and the command shell from displaying the folder and all the files inside it.
Analyst Comment: Several behavior detections could be used to spot similar PlugX malware variants: DLL side loading, adding registry persistence, and payload execution with rundll32.exe. Incidents responders can check USB devices for the presence of no-break space as a folder name.
MITRE ATT&CK: [MITRE ATT&CK] T1091 - Replication Through Removable Media | [MITRE ATT&CK] T1559.001 - Inter-Process Communication: Component Object Model | [MITRE ATT&CK] T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification | [MITRE ATT&CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] T1564.001: Hidden Files and Directories | [MITRE ATT&CK] T1105 - Ingress Tool Transfer
Tags: detection:PlugX, detection:KilllSomeOne, USB, No-break space, file-type:DAT, file-type:EXE, file-type:DLL, actor:Black Basta, Windows
Abraham's Ax Likely Linked to Moses Staff
(published: January 26, 2023)
Cobalt Sapling is an Iran-based threat actor active in hacking, leaking, and sabotage since at least November 2020. Since October 2021, Cobalt Sapling has been operating under a persona called Moses Staff to leak data from Israeli businesses and government entities. In November 2022, an additional fake identity was created, Abraham's Ax, to target government ministries in Saudi Arabia. Cobalt Sapling uses their custom PyDCrypt loader, the StrifeWater remote access trojan, and the DCSrv wiper styled as ransomware.
Analyst Comment: A defense-in-depth approach can assist in creating a proactive stance against threat actors attempting to destroy data. Critical systems should be segregated from each other to minimize potential damage, with an |
Ransomware Malware Tool Threat Medical | APT 38 | ★★★ |
 |
2022-12-22 00:00:00 | Le rapport Threat Lab de WatchGuard révèle que la principale menace emprunte exclusivement des connexions chiffrées (lien direct) | Paris, le 4 janvier 2023 – WatchGuard® Technologies, leader mondial de la cybersécurité unifiée, publie son dernier Rapport trimestriel sur la sécurité Internet, qui présente les grandes tendances en matière de malwares et de menaces pour la sécurité des réseaux et des endpoints analysées par les chercheurs du Threat Lab de WatchGuard au 3ème trimestre 2022. Ses conclusions clés révèlent notamment que la principale menace du trimestre en matière de logiciels malveillants a été détectée exclusivement via des connexions chiffrées, que les attaques ICS conservent leur popularité, que le logiciel malveillant LemonDuck évolue au-delà du cryptominage, et qu'un moteur de triche Minecraft diffuse une charge utile malveillante. " Nous ne saurions trop insister sur l'importance d'activer l'inspection HTTPS, même si elle nécessite quelques réglages et exceptions pour fonctionner correctement. La majorité des logiciels malveillants utilisent le protocole chiffré HTTPS, et ces menaces ne sont pas détectées en l'absence d'inspection ", a déclaré Corey Nachreiner, Chief Security Officer chez WatchGuard Technologies. " À juste titre, les plus grands objets de convoitise des cybercriminels, comme les serveurs Exchange ou les systèmes de gestion SCADA, méritent également un maximum d'attention. Lorsqu'un correctif est disponible, il est important de procéder immédiatement à la mise à jour, car les cybercriminels finiront par tirer profit de toute organisation qui n'a pas encore mis en œuvre le dernier correctif. " Le rapport sur la sécurité Internet du 3ème trimestre contient d'autres résultats clés, notamment : La grande majorité des logiciels malveillants empruntent des connexions chiffrées – Bien qu'il soit arrivé 3ème dans la liste classique des 10 principaux malwares du 3ème trimestre, Agent.IIQ a pris la tête de la liste des logiciels malveillants chiffrés pour cette même période. De fait, en regardant les détections de ce malware sur ces deux listes, il apparaît que toutes les détections d'Agent.IIQ proviennent de connexions chiffrées. Au 3ème trimestre, si une appliance Firebox inspectait le trafic chiffré, 82 % des logiciels malveillants détectés passaient par une connexion chiffrée, ce qui correspond à seulement 18 % de détections sans chiffrement. Si le trafic chiffré n'est pas inspecté sur Firebox, il est très probable que ce ratio moyen s'applique et que l'entreprise passe à côté d'une énorme partie des logiciels malveillants. Les systèmes ICS et SCADA restent les cibles d'attaques les plus courantes – Ce trimestre, une attaque de type injection SQL ayant touché plusieurs fournisseurs a fait son apparition dans la liste des dix principales attaques réseau. Advantech fait partie des entreprises concernées. Son portail WebAccess est utilisé pour les systèmes SCADA dans une variété d'infrastructures critiques. Un autre exploit sérieux au 3ème trimestre, également classé parmi les cinq principales attaques réseau en termes de volume, a visé les versions 1.2.1 et antérieures du logiciel U.motion Builder de Schneider Electric. Un rappel brutal du fait que les cybercriminels ne se contentent pas d'attendre tranquillement la prochaine opportunité, mais qu'ils cherchent activement à compromettre les systèmes chaque fois que cela est possible. Les vulnérabilités des serveurs Exchange continuent de poser des risques – La C | Ransomware Malware Tool Threat | APT 3 | ★★★ |
|
2022-12-13 16:00:00 | Anomali Cyber Watch: MuddyWater Hides Behind Legitimate Remote Administration Tools, Vice Society Tops Ransomware Threats to Education, Abandoned JavaScript Library Domain Pushes Web-Skimmers (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Compromised websites, Education, Healthcare, Iran, Phishing, Ransomware, and Supply chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New MuddyWater Threat: Old Kitten; New Tricks
(published: December 8, 2022)
In 2020-2022, Iran-sponsored MuddyWater (Static Kitten, Mercury) group went through abusing several legitimate remote administration tools: RemoteUtilities, followed by ScreenConnect and then Atera Agent. Since September 2022, a new campaign attributed to MuddyWater uses spearphishing to deliver links to archived MSI files with yet another remote administration tool: Syncro. Deep Instinct researchers observed the targeting of Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and United Arab Emirates.
Analyst Comment: Network defenders are advised to establish a baseline for typical running processes and monitor for remote desktop solutions that are not common in the organization.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Remote Access Tools - T1219
Tags: mitre-group:MuddyWater, actor:Static Kitten, actor:Mercury, Iran, source-country:IR, APT, Cyberespionage, Ministry of Intelligence and Security, detection:Syncro, malware-type:RAT, file-type:MSI, file-type:ZIP, OneHub, Windows
Babuk Ransomware Variant in Major New Attack
(published: December 7, 2022)
In November 2022, Morphisec researchers identified a new ransomware variant based on the Babuk source code that was leaked in 2021. One modification is lowering detection by abusing the legitimate Microsoft signed process: DLL side-loading into NTSD.exe — a Symbolic Debugger tool for Windows. The mechanism to remove the available Shadow Copies was changed to using Component Object Model objects that execute Windows Management Instrumentation queries. This sample was detected in a large, unnamed manufacturing company where attackers had network access and were gathering information for two weeks. They have compromised the company’s domain controller and used it to distribute ransomware to all devices within the organization through Group Policy Object. The delivered BAT script bypasses User Account Control and executes a malicious MSI file that contains files for DLL side-loading and an open-source-based reflective loader (OCS files).
Analyst Comment: The attackers strive to improve their evasion techniques, their malware on certain steps hides behind Microsoft-signed processes and exists primarily in device memory. It increases the need for the defense-in-depth approach and robust monitoring of your organization domain.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Abuse Elevation Control Mechanism - T1548 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | |
Ransomware Malware Tool Threat Medical | APT 38 | ★★★ |
|
2022-12-05 17:54:00 | Russian Courts Targeted by New CryWiper Data Wiper Malware Posing as Ransomware (lien direct) | A new data wiper malware called CryWiper has been found targeting Russian government agencies, including mayor's offices and courts. "Although it disguises itself as a ransomware and extorts money from the victim for 'decrypting' data, [it] does not actually encrypt, but purposefully destroys data in the affected system," Kaspersky researchers Fedor Sinitsyn and Janis Zinchenko said in a | Ransomware Malware Medical | APT 38 | ★★★ |
|
2022-11-22 23:47:00 | Anomali Cyber Watch: URI Fragmentation Used to Stealthily Defraud Holiday Shoppers, Lazarus and BillBug Stick to Their Custom Backdoors, Z-Team Turned Ransomware into Wiper, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Phishing, Ransomware, Signed malware, and Wipers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
DEV-0569 Finds New Ways to Deliver Royal Ransomware, Various Payloads
(published: November 17, 2022)
From August to October, 2022, Microsoft researchers detected new campaigns by a threat group dubbed DEV-0569. For delivery, the group alternated between delivering malicious links by abusing Google Ads for malvertising and by using contact forms on targeted organizations’ public websites. Fake installer files were hosted on typosquatted domains or legitimate repositories (GitHub, OneDrive). First stage was user-downloaded, signed MSI or VHD file (BatLoader malware), leading to second stage payloads such as BumbleBee, Gozi, Royal Ransomware, or Vidar Stealer.
Analyst Comment: DEV-0569 is a dangerous group for its abuse of legitimate services and legitimate certificates. Organizations should consider educating and limiting their users regarding software installation options. Links from alternative incoming messaging such as from contact forms should be treated as thorough as links from incoming email traffic.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: actor:DEV-0569, detection:Cobalt Strike, detection:Royal, malware-type:Ransomware, file-type:VHD, detection:NSudo, malware-type:Hacktool, detection:IcedID, Google Ads, Keitaro, Traffic distribution system, detection:Gozi, detection:BumbleBee, NirCmd, detection:BatLoader, malware-type:Loader, detection:Vidar, malware-type:Stealer, AnyDesk, GitHub, OneDrive, PowerShell, Phishing, SEO poisoning, TeamViewer, Adobe Flash Player, Zoom, Windows
Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment
(published: November 16, 2022)
From mid-September 2022, a new phishing campaign targets users in North America with holiday special pretenses. It impersonated a number of major brands including Costco, Delta Airlines, Dick's, and Sam's Club. Akamai researchers analyzed techniques that the underlying sophisticated phishing kit was using. For defense evasion and tracking, the attackers used URI fragmentation. They were placing target-specific tokens after the URL fragment identifier (a hash mark, aka HTML anchor). The value was used by a JavaScript code running on the victim’s browser to reconstruct the redirecting URL.
Analyst Comment: Evasion through URI fragmentation hides the token value from traff |
Ransomware Malware Tool Threat Guideline Medical | APT 38 | ★★★★ |
|
2022-10-25 16:53:00 | Anomali Cyber Watch: Daixin Team Ransoms Healthcare Sector, Earth Berberoka Breaches Casinos for Data, Windows Affected by Bring-Your-Own-Vulnerable-Driver Attacks, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, DDoS, Infostealers, Iran, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Alert (AA22-294A) #StopRansomware: Daixin Team
(published: October 21, 2022)
Daixin Team is a double-extortion ransomware group that has been targeting US businesses, predominantly in the healthcare sector. Since June 2022, Daixin Team has been encrypting electronic health record services, diagnostics services, imaging services, and intranet services. The group has exfiltrated personal identifiable information and patient health information. Typical intrusion starts with initial access through virtual private network (VPN) servers gained by exploitation or valid credentials derived from prior phishing. They use SSH and RDP for lateral movement and target VMware ESXi systems with ransomware based on leaked Babuk Locker source code.
Analyst Comment: Network defenders should keep organization’s VPN servers up-to-date on security updates. Enable multifactor authentication (MFA) on your VPN server and other critical accounts (administrative, backup-related, and webmail). Restrict the use of RDP, SSH, Telnet, virtual desktop and similar services in your environment.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Remote Service Session Hijacking - T1563 | [MITRE ATT&CK] Use Alternate Authentication Material - T1550 | [MITRE ATT&CK] Exfiltration Over Web Service - T1567 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: actor:Daixin Team, malware-type:Ransomware, PHI, SSH, RDP, Rclone, Ngrok, target-sector:Health Care NAICS 62, ESXi, VMware, Windows
Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool
(published: October 21, 2022)
Symantec detected a new custom data exfiltration tool used in a number of BlackByte ransomware attacks. This infostealer, dubbed Exbyte, performs anti-sandbox checks and proceeds to exfiltrate selected file types to a hardcoded Mega account. BlackByte ransomware-as-a-service operations were first uncovered in February 2022. The group’s recent attacks start with exploiting public-facing vulnerabilities of ProxyShell and ProxyLogon families. BlackByte removes Kernel Notify Routines to bypass Endpoint Detection and Response (EDR) products. The group uses AdFind, AnyDesk, Exbyte, NetScan, and PowerView tools and deploys BlackByte 2.0 ransomware payload.
Analyst Comment: It is crucial that your company ensures that servers are |
Ransomware Malware Tool Vulnerability Threat Medical | APT 38 | |
|
2022-10-04 18:08:00 | Anomali Cyber Watch: Canceling Subscription Installs Royal Ransomware, Lazarus Covinces to SSH to Its Servers, Polyglot File Executed Itself as a Different File Type, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: DLL side-loading, Influence operations, Infostealers, North Korea, Ransomware, Russia, and Social engineering. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New Royal Ransomware Emerges in Multi-Million Dollar Attacks
(published: September 29, 2022)
AdvIntel and BleepingComputer researchers describe the Royal ransomware group. Several experienced ransomware actors formed this group in January 2022. It started with third-party encryptors such as BlackCat, switched to using its own custom Zeon ransomware, and, since the middle of September 2022, the Royal ransomware. Royal group utilizes targeted callback phishing attacks. Its phishing emails impersonating food delivery and software providers contained phone numbers to cancel the alleged subscription (after the alleged end of a free trial). If an employee calls the number, Royal uses social engineering to convince the victim to install a remote access tool, which is used to gain initial access to the corporate network.
Analyst Comment: Use services such as Anomali's Premium Digital Risk Protection to detect the abuse of your brands in typosquatting and phishing attacks. Organizations should include callback phishing attacks awareness into their anti-phishing training.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Phishing - T1566
Tags: actor:Royal, detection:Zeon, detection:Royal, malware-type:Ransomware, detection:BlackCat, detection:Cobalt Strike, Callback phishing attacks, Spearphishing, Social Engineering
ZINC Weaponizing Open-Source Software
(published: September 29, 2022)
Microsoft researchers described recent developments in Lazarus Group (ZINC) campaigns that start from social engineering conversations on LinkedIn. Since June 2022, Lazarus was able to trojanize several open-source tools (KiTTY, muPDF/Subliminal Recording software installer, PuTTY, TightVNC, and Sumatra PDF Reader). When a target extracts the trojanized tool from the ISO file and installs it, Lazarus is able to deliver their custom malware such as EventHorizon and ZetaNile. In many cases, the final payload was not delivered unless the target manually established an SSH connection to an attacker-controlled IP address provided in the attached ReadMe.txt file.
Analyst Comment: All known indicators connected to this recent Lazarus Group campaign are available in the Anomali platform and customers are advised to block these on their infrastructure. Researchers should monitor for the additional User Execution step required for payload delivery. Defense contractors should be aware of advanced social engineering efforts abusing LinkedIn and other means of establishing trusted communication.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Scheduled Task - T1053 | |
Ransomware Malware Tool Threat Medical | APT 38 | |
|
2022-09-13 15:00:00 | Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Cyberespionage, Defense evasion, DDoS, Iran, Ransomware, PlugX, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Microsoft Investigates Iranian Attacks Against the Albanian Government
(published: September 8, 2022)
Microsoft researchers discovered that groups working under Iran’s Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow’s anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania.
Analyst Comment: MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in a form of direct and proportional retaliation as it sees it. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users advised to block known OilRig network indicators.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070
Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona
BRONZE PRESIDENT Targets Government Officials
(published: September 8, 2022)
Secureworks researchers detected a new campaign by China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters.
Analyst Comment: Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | |
Ransomware Malware Tool Vulnerability Threat Guideline | APT 27 APT 34 | |
|
2022-09-08 11:08:00 | Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group (lien direct) | Microsoft's threat intelligence division on Wednesday assessed that a subgroup of the Iranian threat actor tracked as Phosphorus is conducting ransomware attacks as a "form of moonlighting" for personal gain. The tech giant, which is monitoring the activity cluster under the moniker DEV-0270 (aka Nemesis Kitten), said it's operated by a company that functions under the public aliases Secnerd and | Ransomware Threat Conference | APT 35 |
To see everything:
Our RSS (filtrered)
