Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2024-12-01 15:56:58 |
BadWPAD wpad.software case and DNS threat hunting (direct link) |
In this blog post I would like to show an interesting example of a badWPAD attack which resulted in browser history leaking over DNS queries. A more detailed description of this kind of attack with a WPAD file has already been presented in one of the previous blog entries [https://blog.redteam.pl/2019/05/badwpad-dns-suffix-wpad-wpadblocking-com.html].
WPAD TLDs
First of all, we checked the TLD list from IANA [https://data.iana.org/TLD/tlds-alpha-by-domain.txt] for the first level of wpad domains (wpad.TLD) and resolved each one:
|
Malware
Threat
|
APT 32
|
★★
|
 |
2024-09-02 19:54:58 |
Weekly OSINT Highlights, 2 September 2024 (direct link) |
## Snapshot
Last week's OSINT reports highlighted a diverse set of cyber threats and attack methodologies across multiple sectors and geographies. Key trends included the increasing sophistication of phishing campaigns, such as those leveraging cross-platform malware like Cheana Stealer and innovative tactics like quishing via QR codes. The deployment of Cobalt Strike beacons, AppDomain Manager injection techniques and the abuse of legitimate services like Microsoft Sway, Cloudflare tunnels and remote management tools also featured prominently, underscoring the evolving toolkit of cybercriminals and state-sponsored actors. Targeted entities spanned industries including finance, government, healthcare and critical infrastructure, with attackers frequently using advanced persistence mechanisms, exploiting zero-day vulnerabilities and employing ransomware in double-extortion schemes.
## Description
1. [Korean users targeted with remote access malware](https://sip.security.microsoft.com/intel-explorer/articles/b920e285): AhnLab Security Intelligence Center (ASEC) discovered a cyberattack targeting Korean users, in which an unknown attacker deployed remote access malware, including AsyncRAT, and custom backdoors such as FXFDOOR and NOMU. The attack, potentially linked to the North Korean group Kimsuky, focused on information theft, with spear phishing and vulnerabilities in IIS and MS Exchange as possible entry points.
2. [Phishing campaign disguised as HR survey targets Office 365 credentials](https://sip.security.microsoft.com/intel-explorer/articles/9431aa5a): Cofense researchers identified a phishing attack that posed as a mid-year engagement survey to steal Microsoft Office 365 credentials. The attack used a fake HR email directing recipients to a page hosted on Wufoo, ultimately leading to a fraudulent Microsoft login page designed to harvest credentials.
3. [Cross-platform phishing campaign with Cheana Stealer](https://sip.security.microsoft.com/intel-explorer/articles/69d7b49e): Cyble Research and Intelligence Labs (CRIL) discovered a phishing campaign targeting Windows, Linux and macOS users with Cheana Stealer malware, distributed via a site impersonating a VPN provider. The malware aimed to steal cryptocurrency wallets, browser passwords and SSH keys, leveraging a Telegram channel for widespread distribution, highlighting the attackers' focus on compromising diverse systems.
4. [Zero-day vulnerability in Versa Director exploited by APT](https://sip.security.microsoft.com/intel-explorer/articles/1af984be): Versa Networks identified a zero-day vulnerability (CVE-2024-39717) in the Versa Director GUI, exploited by an APT actor to upload malicious files disguised as PNG images. The attack was facilitated by poor system hardening and exposed management ports, targeting customers who had failed to properly secure their environment.
5. [Mallox Ransomware Exploits Cloud Misconfiguration](https://sip.security.microsoft.com/intel-explorer/articles/d9af6464): Trustwave investigated a Mallox |
Ransomware
Malware
Tool
Vulnerability
Threat
Mobile
Medical
Cloud
|
APT 41
APT 32
|
★★
|
 |
2024-08-29 21:45:00 |
Vietnamese Human Rights Group Targeted in Multi-Year Cyberattack by APT32 (direct link) |
A non-profit supporting Vietnamese human rights has been the target of a multi-year campaign designed to deliver a variety of malware on compromised hosts.
Cybersecurity company Huntress attributed the activity to a threat cluster known as APT32, a Vietnamese-aligned hacking crew that's also known as APT-C-00, Canvas Cyclone (formerly Bismuth), Cobalt Kitty, and OceanLotus. The intrusion is |
Malware
Threat
|
APT 32
|
★★★
|
 |
2024-08-29 18:15:40 |
Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders (direct link) |
#### Targeted geolocations
- Vietnam
## Snapshot
Huntress researchers discovered a long-term cyber intrusion targeting a Vietnamese human rights defender, suspected to have persisted for at least four years.
## Description
According to Huntress, the tactics, techniques and procedures (TTPs) observed in this attack show similarities to those used by APT32/OceanLotus, a well-known cyber-espionage group tracked by Microsoft as [Canvas Cyclone](https://security.microsoft.com/intel-profiles/0e86dff295f91628210e11bbd8f2aaf5ccd9d13a1bdb58255463214122b1a133). The attackers used several persistence mechanisms, including scheduled tasks, DLL sideloading and COM object abuse, to maintain access to compromised systems. Notably, the attackers used malware that masqueraded as legitimate software, such as Adobe and McAfee binaries, and exploited vulnerabilities in legitimate executables to run malicious payloads.
During the investigation, Huntress analysts identified several malware samples that used obfuscation and steganography to evade detection. The malware was capable of injecting code into memory and performing various tasks, such as stealing browser cookies, downloading additional payloads and maintaining backdoor access. The threat actors also leveraged legitimate tools like Windows Management Instrumentation (WMI) for remote command execution and exploited named pipes for privilege escalation.
The investigation revealed links to infrastructure associated with APT32/OceanLotus, further confirming the group's involvement in the attack. The attackers' persistent efforts to hide their activities and maintain access suggest a strategic objective aligned with intelligence collection. This case demonstrates the lengths to which advanced threat actors will go to achieve their goals and highlights the importance of continuous threat hunting and monitoring to detect and respond to such sophisticated intrusions.
## Microsoft Analysis
The actor Microsoft tracks as [Canvas Cyclone](https://security.microsoft.com/intel-profiles/0e86dff295f91628210e11bbd8f2aaf5ccd9d13a1bdb582554632141222b1a133) is a nation-state group. Canvas Cyclone is known to primarily target foreign organizations across Asia, Europe and North America, including large multinational corporations, governments, financial institutions, educational institutions and human and civil rights advocacy groups. Canvas Cyclone focuses on government espionage as well as intelligence collection against foreign corporate competition.
Previously, Canvas Cyclone conducted compromise attacks against government websites and media agencies in Southeast Asia. In late 2018, Canvas Cyclone compromised targets using a custom malware family known as KerrDown, delivered via malicious documents in spear-phishing operations. Canvas Cyclone has also relied on commonly used tools like Cobalt Strike for data exfiltration and lateral movement. Since 2020, Canvas Cyclone has used DLL search-order hijacking to load malicious code using legitimate, signed binaries. Canvas Cyclone has also deployed Monero cryptocurrency miners on targeted systems.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on |
Ransomware
Malware
Tool
Vulnerability
Threat
|
APT 32
|
★★★
|
 |
2024-05-01 23:25:26 |
Malware Targets Routers To Steal Passwords From Web Requests (direct link) |
Researchers recently tracked a new malware, "Cuttlefish", that targets networking equipment, specifically small office/home office (SOHO) routers, to steal authentication material found in web requests that transit the router from the adjacent local area network (LAN).
Lumen Technologies' Black Lotus Labs, which examined the malware, said Cuttlefish creates a proxy or VPN tunnel through a compromised router to exfiltrate data while bypassing analysis based on anomalous connections, then uses the stolen credentials to access targeted resources.
The malware also has the ability to perform HTTP and DNS hijacking for connections to private IP addresses, which are normally associated with communications within an internal network.
The researchers state that the Cuttlefish malware platform offers a zero-click approach to capturing data from users and devices behind the targeted network's edge.
"All data sent over network equipment infiltrated by this malware is potentially exposed. What makes this malware family so insidious ..." the researchers warn in a blog post.
"Cuttlefish lies in wait, passively sniffing packets, acting only when triggered by a predefined rule set. The packet sniffer used by Cuttlefish was designed to acquire authentication material, with an emphasis on public cloud-based services."
|
Malware
Threat
Cloud
Technical
|
APT 32
|
★★★★
|
 |
2023-08-16 06:46:45 |
Threat Trend Report on APT Groups – June 2023 (direct link) |
APT Group Trends – June 2023: 1) Andariel, 2) APT28, 3) Cadet Blizzard (DEV-0586), 4) Camaro Dragon, 5) Charming Kitten (Mint Sandstorm), 6) Gamaredon (Shuckworm), 7) Ke3chang (APT15, Nickel), 8) Kimsuky, 9) Lazarus, 10) Muddy Water, 11) Mustang Panda, 12) OceanLotus, 13) Patchwork (White Elephant), 14) Red Eyes (APT37), 15) Sharp Panda, 16) SideCopy, 17) Stealth Soldier. ATIP_2023_Jun_Threat Trend Report on APT Groups
|
Threat
Prediction
|
APT 38
APT 37
APT 37
APT 35
APT 35
APT 32
APT 32
APT 28
APT 28
APT 15
APT 15
APT 25
|
★★
|
 |
2023-08-10 10:00:00 |
Mac systems turned into proxy exit nodes by AdLoad (direct link) |
This blog was jointly written by Fernando Martinez Sidera and Ofer Caspi, AT&T Alien Labs threat intelligence researchers.
Executive summary
AdLoad malware is still infecting Mac systems years after its first appearance in 2017. AdLoad, a package bundler, has been observed delivering a wide range of payloads throughout its existence. During AT&T Alien Labs’ investigation of its most recent payload, it was discovered that the most common component dropped by AdLoad during the past year has been a proxy application turning MacOS AdLoad victims into a giant, residential proxy botnet.
Key takeaways:
AdLoad malware is still present and infecting systems, with a previously unreported payload.
At least 150 samples have been observed in the wild during the last year.
AT&T Alien Labs has observed thousands of IPs behaving as proxy exit nodes in a manner similar to AdLoad infected systems. This behavior could indicate that thousands of Mac systems have been hijacked to act as proxy exit nodes.
The samples analyzed in this blog are unique to MacOS, but Windows samples have also been observed in the wild.
Analysis
AdLoad is one of several widespread adware and bundleware loaders currently impacting macOS. The OSX malware has been present since 2017, with big campaigns in the last two years as reported by SentinelOne in 2021 and Microsoft in 2022. As stated in Microsoft’s report on UpdateAgent, a malware delivering AdLoad through drive-by compromise, AdLoad redirected users’ traffic through the adware operators’ servers, injecting advertisements and promotions into webpages and search results with a Person-in-The-Middle (PiTM) attack.
These two previous campaigns, together with the campaign described in this blog, support the theory that AdLoad could be running a pay-per-Install campaign in the infected systems.
The main purpose of the malware has always been to act as a downloader for subsequent payloads.
It has been identified delivering a wide range of payloads (adware, bundleware, PiTM, backdoors, proxy applications, etc.) every few months to a year, sometimes conveying different payloads depending on the system settings such as geolocation, device make and model, operating system version, or language settings, as reported by SentinelOne.
In all observed samples, regardless of payload, the malware reports to an AdLoad server during execution on the victim's system.
This beacon (analyzed later in Figure 3 & 4) includes system information in the user agent and the body, without any relevant response aside from a 200 HTTP response code.
This activity probably represents AdLoad's method of keeping count of the number of infected systems, supporting the pay-per-Install scheme.
AT&T Alien Labs™ has observed similar activity in our threat analysis systems throughout the last year, with the AdLoad malware being installed in the infected systems. However, Alien Labs is now observing a previously unreported payload being delivered to the victims. The payload corresponds to a proxy application, converting its targets into proxy exit nodes after infection. As seen in Figure 1, the threat actors behind this campaign have been very active since the beginning of 2022.
Figure 1. Histogram of AdLoad samples identified by Alien Labs.
The vast numb |
Spam
Malware
Threat
Cloud
|
APT 32
|
★★
|
 |
2023-04-06 13:59:23 |
Tech Support Scam Pivots from DigitalOcean to StackPath CDN (direct link) |
>Summary Attackers who were previously abusing DigitalOcean to host a tech support scam have expanded the operation, now abusing StackPath CDN to distribute the scam, and are likely to start abusing additional cloud services to deliver the scam in the near future. From February 1 to March 16, Netskope Threat Labs has seen a 10x increase […]
|
Threat
Cloud
|
APT 32
|
★★★
|
 |
2023-03-09 21:46:24 |
Attackers Increasingly Abusing DigitalOcean to Host Scams and Phishing (direct link) |
>Summary Netskope Threat Labs is tracking a 17x increase in traffic to malicious web pages hosted on DigitalOcean in the last six months. This increase is attributed to new campaigns of a known tech support scam that mimics Windows Defender and tries to deceive users into believing that their computer is infected. The end goal […]
|
Threat
|
APT 32
|
★★
|
 |
2022-08-18 08:00:00 |
Ukraine and the fragility of agriculture security (direct link) |
By Joe Marshall.
The war in Ukraine has had far-reaching global implications and one of the most immediate effects felt will be on the global supply chain for food. This war-induced fragility has exposed the weaknesses of how we feed ourselves globally. Ransomware cartels and other adversaries are well aware of this and are actively exploiting that fragility. For the past six years, Cisco Talos has been actively involved in assisting public and private institutions in Ukraine to defend themselves against state-sponsored actors. Our involvement stretches the gamut from commercial to critical infrastructure, to election security. Our presence has afforded us unique opportunities and observations about cybersecurity in a macro and micro way. Ukraine has been a frequent victim of state-sponsored cyber attacks aimed at critical infrastructures like power and transportation. Talos is proud to stand with our partners in Ukraine and help defend their critical networks and help users there maintain access to necessary services. Now that Russia has invaded Ukraine, those threats have escalated to kinetic attacks that are wreaking havoc on a critical element of our world: agriculture and our global food supply chain. Even worse is the implications this war will have for future cyber attacks, as fragility is considered a lucrative element in deciding victimology by threat actors like ransomware cartels. To truly grasp the implications of the war in Ukraine, we have to examine how vital Ukrainian agriculture feeds the world, the current state of affairs, and what this means for the global cybersecurity posture to protect agricultural assets.
Where there is weakness, there is opportunity
Ransomware cartels and their affiliates are actively targeting the agricultural industry. Moreover, these actors have done their homework and are targeting agricultural companies during the two times of the year where they cannot suffer disruptions: planting and harvesting.
Per the published FBI PIN Alert: “Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production.” This is far from unusual for these adversaries - they are shrewd and calculating, and understand their victims' weaknesses and industries. H |
Ransomware
Threat
Guideline
Cloud
|
NotPetya
Uber
APT 37
APT 32
APT 28
APT 10
APT 21
Guam
|
|
 |
2021-10-06 19:06:00 |
Inside TeamTNT's Impressive Arsenal: A Look Into A TeamTNT Server (direct link) |
Authored By: Tara Gould
Key Findings
Anomali Threat Research has discovered an open server to a directory listing that we attribute with high confidence to the German-speaking threat group, TeamTNT.
The server contains source code, scripts, binaries, and cryptominers targeting Cloud environments.
Other server contents include Amazon Web Services (AWS) credentials stolen by TeamTNT's credential stealers.
This inside view of TeamTNT infrastructure and tools in use can help security operations teams to improve detection capabilities for related attacks, whether coming directly from TeamTNT or other cybercrime groups leveraging their tools.
Overview
Anomali Threat Research has identified a TeamTNT server open to directory listing. The server was used to serve scripts and binaries that TeamTNT use in their attacks, and also for the IRC communications for their bot. The directory appears to have been in use since at least August 2021 and was in use as of October 5, 2021. The contents of the directory contain metadata, scripts, source code, and stolen credentials.
TeamTNT is a German-speaking cryptojacking threat group that targets cloud environments. The group typically uses cryptojacking malware and has been active since at least April 2020.[1] TeamTNT activity throughout 2021 has targeted AWS, Docker, GCP, Linux, Kubernetes, and Windows, which corresponds to usual TeamTNT activity.[2]
Technical Analysis
Scripts (/cmd/)
Figure 1 - Overview of /cmd/
Contained on the server, in the /cmd/ directory, are approximately 50 scripts, most of which are already documented. The objectives of the scripts vary and include the following:
AWS Credential Stealer
Diamorphine Rootkit
IP Scanners
Mountsploit
Scripts to set up utils
Scripts to setup miners
Scripts to remove previous miners
Figure 2 - Snippet of AWS Credential Stealer Script
One notable script, for example, is the script that steals AWS EC2 credentials, shown above in Figure 2. The AWS access key, secret key, and token are piped into a text file that is uploaded to the Command and Control (C2) server.
Figure 3 - Chimaera_Kubernetes_root_PayLoad_2.sh
Another interesting script is shown in Figure 3 above, which checks the architecture of the system, and retrieves the XMRig miner version for that architecture from another open TeamTNT server, 85.214.149[.]236.
Binaries (/bin/)
Figure 4 - Overview of /bin
Within the /bin/ folder, shown in Figure 4 above, there is a collection of malicious binaries and utilities that TeamTNT use in their operations.
Among the files are well-known samples that are attributed to TeamTNT, including the Tsunami backdoor and an XMRig cryptominer. Some of the tools have their source code located on the server, such as TeamTNT Bot. The folder /a.t.b contains the source code for the TeamTNT bot, shown in Figures 5 and 6 below. In addition, the same binaries have been found on a TeamTNT Docker image, noted in Appendix A.
|
Malware
Tool
Threat
|
Uber
APT 32
|
|
 |
2021-02-01 03:15:16 |
New Cryptojacking Malware Targeting Apache, Oracle, Redis Servers (direct link) |
A financially-motivated threat actor notorious for its cryptojacking attacks has leveraged a revised version of their malware to target cloud infrastructures using vulnerabilities in web server technologies, according to new research.
Deployed by the China-based cybercrime group Rocke, the Pro-Ocean cryptojacking malware now comes with improved rootkit and worm capabilities, as well as harbors |
Malware
Threat
|
APT 32
|
|
 |
2020-12-11 17:05:37 |
Facebook Shutters Accounts Used in APT32 Cyberattacks (direct link) |
Facebook shut down accounts and Pages used by two separate threat groups to spread malware and conduct phishing attacks. |
Malware
Threat
|
APT 32
|
|
 |
2020-12-10 23:42:22 |
Facebook Tracks APT32 OceanLotus Hackers to IT Company in Vietnam (direct link) |
Cybersecurity researchers from Facebook today formally linked the activities of a Vietnamese threat actor to an IT company in the country after the group was caught abusing its platform to hack into people's accounts and distribute malware.
Tracked as APT32 (or Bismuth, OceanLotus, and Cobalt Kitty), the state-aligned operatives affiliated with the Vietnam government have been known for |
Hack
Threat
|
APT 32
|
|
 |
2020-04-29 09:49:08 |
Android Spyware Spread by Google Play (direct link) |
The PhantomLance espionage campaign is targeting specific victims, mainly in Southeast Asia - and could be the work of the OceanLotus APT. A sophisticated, ongoing espionage campaign aimed at Android users in Asia is likely the work of the OceanLotus advanced persistent threat (APT) actor, researchers said this week. Dubbed PhantomLance by Kaspersky, the campaign […]
|
Threat
|
APT 32
|
|
 |
2020-04-22 09:00:00 |
Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage (direct link) |
From at least January to April 2020, suspected Vietnamese actors APT32 carried out intrusion campaigns against Chinese targets that Mandiant Threat Intelligence believes were designed to collect intelligence on the COVID-19 crisis. Spear phishing messages were sent by the actor to China's Ministry of Emergency Management as well as the government of Wuhan province, where COVID-19 was first identified. While targeting of East Asia is consistent with the activity we've previously reported on APT32, this incident, and other publicly reported intrusions, are part of a global increase in cyber |
Threat
|
APT 32
APT 32
|
★★★★
|
 |
2019-07-02 04:54:05 |
Researchers Analyze Vietnamese Hackers' Suite of RATs (direct link) |
BlackBerry Cylance security researchers have analyzed a suite of remote access Trojans (RATs) that the Vietnam-linked threat actor OceanLotus has been using in attacks for the past three years.
|
Threat
|
APT 32
|
|
 |
2019-04-19 18:37:05 |
Funky malware format found in Ocean Lotus sample (direct link) |
Recently, one of our researchers presented at the SAS conference on "Funky malware formats": atypical executable formats used by malware that are only loaded by proprietary loaders. In this post, we analyze one of those formats in a sample called Ocean Lotus from the APT 32 threat group in Vietnam.
Categories:
Malware
Threat analysis
Tags: APT 32, atypical malware formats, BLOB, CAB, custom format, malware format, ocean lotus, Vietnam
|
Malware
Threat
|
APT 32
|
|
 |
2018-10-19 15:30:05 |
(Déjà vu) Oceansalt Cyberattack Wave Linked To Defunct Chinese APT Comment Crew (direct link) |
News broke today that newly discovered first-stage implant targeting Korean-speaking victims borrows code from another reconnaissance tool linked to Comment Crew, a Chinese nation-state threat actor that was exposed in 2013 following cyber espionage campaigns against the United States. Dubbed Oceansalt, the threat has been spotted on machines in South Korea, the United States, and Canada. …
|
Tool
Threat
|
APT 32
APT 1
|
|
 |
2018-10-19 07:06:03 |
Attackers behind Operation Oceansalt reuse code from Chinese Comment Crew (direct link) |
Security researchers from McAfee have recently uncovered a cyber espionage campaign, tracked as Operation Oceansalt, targeting South Korea, the United States, and Canada. The threat actors behind Operation Oceansalt are reusing malware previously associated with China-linked cyberespionage group APT1. “McAfee Advanced Threat Research and Anti-Malware Operations teams have discovered another unknown data reconnaissance implant targeting Korean-speaking users.” reads the report. “We […]
|
Malware
Threat
|
APT 32
APT 1
|
|
 |
2018-08-06 13:00:00 |
Black Hat 2018 will be Phenomenal! (direct link) |
The AlienVault team is ready to meet and greet visitors at Black Hat USA 2018, August 8th and 9th at the Mandalay Bay Convention Center in Las Vegas! Black Hat is one of the leading security industry events. The conference features the largest and most comprehensive trainings, educational sessions, networking opportunities and a two-day expo packed with exhibitors showcasing the latest in information security solutions from around the world!
Visit us at Booth #528!
Visit booth #528 located below the large, green alien head! We will be leading theater presentations twice an hour. Attendees will get a cool AlienVault collector's t-shirt, as well as a chance to win a pair of Apple® AirPods during our daily raffle. Stop by and meet the AlienVault team and learn about the recently announced endpoint detection and response capabilities now part of the USM Anywhere platform! USM Anywhere is the ONLY security solution that automates threat hunting everywhere modern threats appear: endpoints, cloud, and on-premises environments – all from one unified platform. Check out this awesome video by Javvad Malik, Community Evangelist for AlienVault, to learn more here!
Attend "From the Defender's Dilemma to the Intruder's Dilemma" Session for a chance to win a Nintendo Switch!
Join AlienVault VP of Product Marketing Sanjay Ramnath at a Black Hat speaking session. Sanjay will be speaking on Wednesday, August 8th from 10:20am-11:10am in Oceanside E on 'From the Defender's Dilemma to the Intruder's Dilemma'. We will be handing out raffle tickets before the session begins. Be sure to check out this session for the chance to win a Nintendo Switch!
Get Access to the Exclusive Security Leaders Party at Black Hat!
AlienVault is co-sponsoring one of the hottest security parties at Black Hat! Join us on Wednesday night from 8:00 - 10:00pm - guests will enjoy music, food, and a full open bar at the best venue at Mandalay Bay, Eyecandy Sound Lounge!
This will be the most talked about party of BHUSA 2018! We expect to reach capacity, so don't hesitate to get on the list now!
Event Details:
Date: Wednesday, August 8th
Time: 8:00 - 10:00 PM
Location: Eyecandy Sound Lounge, Mandalay Bay
We can’t wait to see you all at #BHUSA this week!
|
Threat
Guideline
|
APT 32
|
|
 |
2018-03-13 08:55:02 |
OceanLotus ships new backdoor using old tricks (direct link) |
To smuggle the backdoor onto a targeted machine, the group uses a two-stage attack whereby a dropper package first gains a foothold on the system and sets the stage for the backdoor itself. This process involves some trickery commonly associated with targeted operations of this kind.
|
Threat
|
APT 32
|
|
 |
2017-05-14 17:00:00 |
Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations (direct link) |
Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.
APT32 and FireEye's Community Response
In the course of investigations into intrusions at several corporations with business interests in Vietnam |
Threat
|
APT 32
APT 32
|
★★★★
|