What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
TechWorm.webp 2025-01-31 19:21:04 Hackers From China, North Korea, Iran & Russia Are Using Google's AI For Cyber Ops Google's Threat Intelligence Group (GTIG) has issued a warning that cybercriminals from China, Iran, Russia, North Korea, and over a dozen other countries are using its artificial intelligence (AI) application, Gemini, to boost their hacking capabilities. According to Google's GTIG report, published on Wednesday, state-sponsored hackers have been using the Gemini chatbot to improve their productivity in cyber espionage, phishing campaigns, and other malicious activities. Google examined Gemini activity linked to known APT (Advanced Persistent Threat) actors and discovered that APT groups from over twenty countries have been using large language models (LLMs) primarily for research, target reconnaissance, the development of malicious code, and the creation and localization of content like phishing emails. In other words, these hackers seem to use Gemini primarily as a research tool to enhance their operations rather than to develop entirely new hacking methods. Currently, no hacker has successfully leveraged Gemini to develop entirely new cyberattack methods. “While AI can be a useful tool for threat actors, it is not yet the gamechanger it is sometimes portrayed to be. While we do see threat actors using generative AI to perform common tasks like troubleshooting, research, and content generation, we do not see indications of them developing novel capabilities,” Google said in its report. Google tracked this activity to more than ten Iran-backed groups, more than twenty China-backed groups, and nine North Korea-backed groups. For instance, Iranian threat actors were the biggest users of Gemini, using it for a wide range of purposes, including research on defense organizations, vulnerability research, and creating content for campaigns.
In particular, the group APT42 (which accounted for over 30% of Iranian APT actors) focused on crafting phishing campaigns to target government agencies and corporations, conducting reconnaissance on defense experts and organizations, and generating content with cybersecurity themes. Chinese APT groups primarily used Gemini to conduct reconnaissance, write and develop scripts, troubleshoot code, and research how to obtain deeper access to target networks through lateral movement, privilege escalation, data exfiltration, and detection evasion. North Korean APT hackers were observed using Gemini to support multiple phases of the attack lifecycle, including researching potential infrastructure and free hosting providers, reconnaissance on target organizations, payload development, and help with malicious scripting and evasion methods. “Of note, North Korean actors also used Gemini to draft cover letters and research jobs, activities that would likely support North Korea's efforts to place clandestine IT workers at Western companies,” the company noted. “One North Korea-backed group utilized Gemini to draft cover letters and proposals for job descriptions, researched average salaries for specific jobs, and asked about jobs on LinkedIn. The group also used Gemini for information about overseas employee exchanges. Many of the topics would be common for anyone researching and applying for jobs.” Meanwhile, Russian APT actors demonstrated limited use of Gemini, primarily for coding tasks such as converting publicly available malware into different programming languages and incorporating encryption functions into existing code. They may have avoided using Gemini for operational security reasons, opting to stay off Western-controlled platforms to avoid monitoring of their activities, or they may be using Russian-made AI tools.
Google said the Russian hacking group's use of Gemini has been relatively limited, possibly because it attempted to prevent Western platforms from monitoring its activities. Malware Tool Vulnerability Threat Legislation Cloud APT 42 ★★★
Mandiant.webp 2025-01-29 14:00:00 Adversarial Misuse of Generative AI Rapid advancements in artificial intelligence (AI) are unlocking new possibilities for the way we work and accelerating innovation in science, technology, and beyond. In cybersecurity, AI is poised to transform digital defense, empowering defenders and enhancing our collective security. Large language models (LLMs) open new possibilities for defenders, from sifting through complex telemetry to secure coding, vulnerability discovery, and streamlining operations. However, some of these same AI capabilities are also available to attackers, leading to understandable anxieties about the potential for AI to be misused for malicious purposes. Much of the current discourse around cyber threat actors' misuse of AI is confined to theoretical research. While these studies demonstrate the potential for malicious exploitation of AI, they don't necessarily reflect the reality of how AI is currently being used by threat actors in the wild. To bridge this gap, we are sharing a comprehensive analysis of how threat actors interacted with Google's AI-powered assistant, Gemini. Our analysis was grounded by the expertise of Google's Threat Intelligence Group (GTIG), which combines decades of experience tracking threat actors on the front lines and protecting Google, our users, and our customers from government-backed attackers, targeted 0-day exploits, coordinated information operations (IO), and serious cyber crime networks. We believe the private sector, governments, educational institutions, and other stakeholders must work together to maximize AI's benefits while also reducing the risks of abuse. At Google, we are committed to developing responsible AI guided by our principles, and we share Ransomware Malware Tool Vulnerability Threat Studies Legislation Mobile Industrial Cloud Technical Commercial APT 41 APT 43 APT 42 ★★★
The_Hackers_News.webp 2024-08-30 16:45:00 Iranian Hackers Set Up New Network to Target U.S. Political Campaigns
Cybersecurity researchers have unearthed new network infrastructure set up by Iranian threat actors to support activities linked to the recent targeting of U.S. political campaigns. Recorded Future's Insikt Group has linked the infrastructure to a threat it tracks as GreenCharlie, an Iran-nexus cyber threat group that overlaps with APT42, Charming Kitten, Damselfly, Mint Sandstorm (formerly
Threat APT 35 APT 42 ★★★
RiskIQ.webp 2024-08-30 15:08:41 I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation
#### Targeted Geolocations
- Israel
## Snapshot
Mandiant has disclosed details of a counterintelligence campaign suspected to be linked to Iran, targeting Iranians and perceived domestic threats who may collaborate with foreign intelligence agencies, especially those in Israel.
## Description
The operation aims to gather personal and professional data, potentially aiding Iranian intelligence in identifying collaborators with Iran's adversaries and tracking human intelligence (HUMINT) activities against Iran. The campaign likely targets Iranian dissidents, activists, and Farsi speakers both inside and outside Iran. Mandiant attributes the campaign to Iran with high confidence due to its tactics, techniques, and procedures (TTPs). Mandiant assesses there is some overlap with APT42, a known Iranian cyber-espionage group associated with the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization. The campaign disseminates over 35 fake recruitment websites via social media, posing as Israeli human resources firms to lure targets into providing sensitive information. The operation has been active since at least 2017 and has parallels with previous efforts targeting Arabic speakers linked to Syria and Hezbollah, suggesting a broader counterintelligence strategy.
## References
[I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation](https://cloud.google.com/blog/topics/threat-intelligence/uncovering-iranian-counterintelligence-operation/). Mandiant (accessed 2024-08-29)
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
Cloud APT 42 ★★★
Mandiant.webp 2024-08-28 14:00:00 I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation
Written by: Ofir Rozmann, Asli Koksal, Sarah Bock
Today Mandiant is releasing details of a suspected Iran-nexus counterintelligence operation aimed at collecting data on Iranians and domestic threats who may be collaborating with intelligence and security agencies abroad, particularly in Israel. The data collected by this campaign may support the Iranian intelligence apparatus in pinpointing individuals who are interested in collaborating with Iran's perceived adversarial countries. The collected data may be leveraged to uncover human intelligence (HUMINT) operations conducted against Iran and to persecute any Iranians suspected to be involved in these operations. These may include Iranian dissidents, activists, human rights advocates, and Farsi speakers living in and outside Iran. Mandiant assesses with high confidence this campaign was operated on behalf of Iran's regime, based on its tactics, techniques, and procedures (TTPs), themes, and targeting. In addition, we observed a weak overlap between this campaign and APT42, an Iran-nexus threat actor suspected to operate on behalf of Iran's IRGC Intelligence Organization (IRGC-IO). This campaign's activities are in line with Iran's IRGC and APT42's history of conducting surveillance operations against domestic threats and individuals of interest to the Iranian government. Despite the possible APT42 connection, Mandiant observed no relations between this activity and any U.S. elections-related targeting as previously reported by Google's Threat Analysis Group. The activity used multiple social media accounts to disseminate a network of over 35 fake recruiting websites containing extensive Farsi decoy content, including job offers and Israel-related lures, such as images of Israeli national symbols, hi-tech offices, and major city landmarks. Upon entry, the targeted users are required to enter their personal details as well as their professional and academic experience, which are subsequently sent to the attackers.
The suspected counterintelligence operations started as early as 2017 and lasted at least until March 2024. In the past, similar campaigns were deployed in Arabic, targeting individuals affiliated with Syria and Hezbollah intelligence and security agencies. This may indicate Iran's counterintelligence activities extend beyond its own security and intelligence apparatus, possibly in support of its allies in Syria and Lebanon. Mandiant worked to help ensure this activity was blocked and disrupted, the threat actor's accounts were terminated, and Google Chrome users and the users of other browsers were protected.
Threat Mobile Cloud APT 42 ★★★★
ProofPoint.webp 2024-08-20 05:00:25 Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset
Key findings
- Proofpoint identified Iranian threat actor TA453 targeting a prominent religious figure with a fake podcast interview invitation.
- The initial interaction attempted to lure the target to engage with a benign email to build conversation and trust, and then subsequently click on a follow-up malicious link.
- The attack chain attempted to deliver a new malware toolkit called BlackSmith, which delivered a PowerShell trojan dubbed AnvilEcho by Proofpoint.
- The malware, which uses encryption and network communication techniques similar to previously observed TA453 samples, is designed to enable intelligence gathering and exfiltration.
- AnvilEcho contains all of TA453's previously identified malware capabilities in a single PowerShell script rather than the modular approach previously observed.
Overview
Starting 22 July 2024, TA453 contacted multiple email addresses for a prominent Jewish figure while pretending to be the Research Director for the Institute for the Study of War (ISW). The lure purported to invite the target to be a guest on a podcast hosted by ISW. After receiving a response from the target (outside of Proofpoint visibility), TA453 replied with a DocSend URL. The DocSend URL was password protected and led to a text file that contained a URL to the legitimate ISW Podcast being impersonated by TA453. It is likely that TA453 was attempting to normalize the target clicking a link and entering a password so the target would do the same when they delivered malware.
Initial July 2024 approach from TA453.
DocSend contents containing the podcast-themed text.
Proofpoint first observed TA453 spoofing the Institute for the Study of War (ISW) in phishing campaigns targeting other organizations starting in February 2024, almost immediately after registering the domain in late January 2024. The theme of spoofing is consistent with broader TA453 phishing activity reported by Google Threat Intelligence Group in August 2024. TA453 initially sent the fake podcast invitation to the religious figure at multiple email accounts, specifically both the target's organizational email address and their personal email address. Phishing multiple email addresses associated with a target has been observed by a number of state-aligned threats, including TA427. TA453 continued to establish their legitimacy by sending emails from understandingthewar[.]org and including a TA453-controlled Hotmail account in the email signature. After another reply from the target, TA453 replied with a Google Drive URL leading to a ZIP archive named “Podcast Plan-2024.zip”. The ZIP contained an LNK titled “Podcast Plan 2024.lnk”. The LNK delivered the BlackSmith toolset which eventually loaded TA453's AnvilEcho PowerShell trojan.
Fake podcast invitation containing a malicious URL.
Malware analysis
Old habits die screaming, and TA453 sticks to its habits. Our analysis of the malware from this TA453 campaign demonstrates the developers working for TA453 have not given up on using modular PowerShell backdoors. They continue to attempt to evade detections by convoluting the infection chain in order to limit and avoid detection opportunities while collecting intelligence. The toolset observed in this infection chain is likely the successor of GorjolEcho/PowerStar, TAMECURL, MischiefTut, and CharmPower. The first TA453 backdoor was detected by Proofpoint in Fall 2021. Rather than deploy each PowerShell module separately, TA453 attempts to bundle the entire framework into a single large PowerShell script dubbed AnvilEcho by Proofpoint.
Timeline of TA453 malware.
Infection chain
The LNK is used to smuggle additional files. It hides behind a decoy PDF as an overlay and extracts the contents of the ZIP folder to %TEMP%. The ZIP folder contains Beautifull.jpg, mary.dll, qemus (the encrypted AnvilEcho PowerShell script), soshi.dll, and toni.dll. A PDB path of E:\FinalS Malware Threat Studies APT 35 APT 42 ★★★
RiskIQ.webp 2024-08-19 10:58:28 Weekly OSINT Highlights, 19 August 2024
## Snapshot
Last week's OSINT reports highlighted phishing as the most common attack vector, often initiating attack chains that included ransomware deployments. Advanced persistent threats (APTs) such as Silver Fox and Emerald Sleet relied on targeted phishing, sophisticated malware, and evasion to compromise high-value targets, including government organizations, financial institutions, and civil society groups. Reports on RansomEXX, Mad Liberator, and Cronus, which used social engineering, remote management tools, and obfuscated scripts to disable defenses and extort victims, underscored the widespread threat of ransomware. Abuse of remote monitoring and management (RMM) and other legitimate tools also emerged as a key trend, with threat actors exploiting tools such as AnyDesk and Atera for data theft and ransomware payload deployment.
## Description
1. [Ongoing ValleyRAT campaign targets Chinese businesses](https://sip.security.microsoft.com/intel-explorer/articles/f86cace2): FortiGuard Labs identified a ValleyRAT campaign aimed at Chinese companies in sectors such as e-commerce, finance, and management. The attack, attributed to the "Silver Fox" APT group, uses advanced techniques such as shellcode execution, sleep obfuscation, and reflective DLL loading to gain persistence and escalate privileges, indicating a highly targeted operation against key industries in China.
2. [Banshee Stealer: a new macOS threat from Russian actors](https://sip.security.microsoft.com/intel-explorer/articles/36a81450): Elastic Security Labs reported on Banshee Stealer, a sophisticated macOS malware developed by Russian threat actors. This malware, targeting x86_64 and ARM64 architectures, is designed to steal system information, browser data, and cryptocurrency wallets, and it uses evasion techniques to avoid detection, particularly in Russian regions.
3. Business inquiry. The malware, a powerful information stealer, can capture keystrokes, steal credentials, and execute additional payloads, leveraging obfuscation and encryption to evade detection.
4. [EDRKillShifter identified in failed ransomware attack](https://sip.security.microsoft.com/intel-explorer/articles/f5878aee): Sophos analysts discovered EDRKillShifter, a utility used in a failed ransomware attempt to disable endpoint detection and response (EDR) tools. The tool is deployed via a "bring your own vulnerable driver" (BYOVD) tactic, indicating a sophisticated approach to compromising targeted systems.
5. [RansomEXX targets India's banking sector](https://sip.security.microsoft.com/intel-explorer/articles/ded5ac3e): CloudSEK researchers uncovered a ransomware attack by the RansomEXX group targeting India's banking ecosystem. The attack exploited a misconfigured Jenkins server, leveraging sophisticated encryption algorithms to make data recovery nearly impossible.
6. [Tusk campaign targets cryptocurrency wallets](https://sip.security.microsoft.com/intel-explorer/articles/f633bbf2): Kaspersky's GERT identified the Tusk campaign, run by Russian threat actors, targeting cryptocurrency wallets and gaming accounts. The campaign uses social engineering and complex malware delivery mechanisms to evade detection and compromise victims.
7. [APT42 phishing campaigns target Israel and the United States](https://sip.security.mic Ransomware Malware Tool Threat Prediction APT 41 APT 42 ★★★
RiskIQ.webp 2024-08-15 22:02:58 Iranian backed group steps up phishing campaigns against Israel, U.S.
#### Targeted Geolocations
- United States
- Israel
- United Kingdom
#### Targeted Industries
- Government Agencies & Services
- Diplomacy/International Relations
- Non-Government Organization
- Political and other groups
## Snapshot
Researchers at Google's Threat Analysis Group (TAG) have identified APT42, an Iranian government-backed threat actor, as the group behind targeted phishing campaigns against Israel and the United States. The activity described by Google in this report as APT42 is tracked by Microsoft as [Mint Sandstorm](https://security.microsoft.com/intel-profiles/05c5c1b864581c264d955df783455ecadf9b98471e408f32947544178e7bd0e3).
## Description
APT42, associated with Iran's Islamic Revolutionary Guard Corps (IRGC), has consistently targeted high-profile users in Israel and the U.S., including government officials, political campaigns, diplomats, think tanks, NGOs, and academic institutions. The group's tailored credential phishing tactics involve social engineering lures and the use of phishing kits to harvest credentials from various sign-on pages. APT42's phishing campaigns heavily target users in Israel and the U.S., with a focus on military, defense, diplomats, academics, and civil society. They have been observed to add additional mechanisms of access once they gain account access. Despite Google's efforts to disrupt APT42's activities, the group continues to pose a sophisticated and persistent threat, particularly focused on Israel and the U.S. Google assesses that as tensions between Iran and Israel escalate, an increase in APT42's campaigns in the region is expected.
## Microsoft Analysis
Microsoft Threat Intelligence assesses that this malicious activity is attributed to [Mint Sandstorm](https://security.microsoft.com/intel-profiles/05c5c1b864581c264d955df783455ecadf9b98471e408f32947544178e7bd0e3) based on our analysis of the IOCs and how the TTPs described in this report closely match previously observed Mint Sandstorm activity. Mint Sandstorm is a group run by the Islamic Revolutionary Guard Corps (IRGC) intelligence unit, known to primarily target dissidents protesting the Iranian government, as well as activist leaders, the defense industrial base, journalists, think tanks, universities, and government organizations. Microsoft has been tracking the emergence of significant influence activity by Iranian actors, detailed in the latest election report from the Microsoft Threat Analysis Center (MTAC), "[Iran steps into US election 2024 with cyber-enabled influence operations](https://security.microsoft.com/intel-explorer/articles/523c29ce)." Mint Sandstorm has been observed entering the preparatory stage for likely cyber-enabled influence. Recent targeting by the group is a reminder that senior policymakers should be cognizant of monitoring and following cybersecurity best practices even for legacy or archived infrastructure, as they can be ripe targets for threat actors seeking to collect intelligence, run cyber-enabled influence operations, or both.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-security-center-mdo) merges incident and alert management across email, devices, and identities, centralizing investigations for email-based threats. Organizations can also leverage web browsers that automatically [identify and block](https://learn.microsoft.com/deployedge/microsoft-edge-security-smartscreen) malicious websites, including those used in this phishing campaign.
- [Require multifactor authentication (MFA).](https://learn.microsoft.com/microsoft-365/admin/security-and-compliance/set-up-multi-facto Spam Malware Tool Threat Industrial APT 42 ★★★
DarkReading.webp 2024-08-15 17:21:38 Google: Iran's Charming Kitten Targets US Presidential Elections, Israeli Military
The threat group tracked as APT42 remains on the warpath with various phishing and other social engineering campaigns, as tensions with Israel rise.
Threat APT 35 APT 42 ★★★
News.webp 2024-08-15 16:30:59 Google raps Iran's APT42 for raining down spear-phishing attacks
US politicians and Israeli officials among the top targets for the IRGC's cyber unit Google has joined Microsoft in publishing intel on Iranian cyber influence activity following a recent uptick in attacks that led to data being leaked from the Trump re-election campaign.…
APT 42 ★★
InfoSecurityMag.webp 2024-08-15 11:10:00 Google Warns of Iranian Cyber-Attacks on Presidential Campaigns
Google has highlighted sophisticated spearphishing attacks by Iranian state actor APT42 targeting individuals associated with the US Presidential campaign
APT 42 ★★★
InfoSecurityMag.webp 2024-08-07 10:00:00 UK Managers Improve Cyber Knowledge but Staff Lack Training
A new study from the Chartered Management Institute finds just half of firms offer regular security training
Studies APT 42 ★★★
IndustrialCyber.webp 2024-07-17 13:42:31 Senator Warner pushes for immediate action on mandatory cybersecurity standards for healthcare sector
U.S. Senator Mark R. Warner calls upon the administration to swiftly develop and implement mandatory minimum cyber standards...
Industrial Medical APT 42 ★★★
Blog.webp 2024-06-06 20:46:03 New EmailGPT Flaw Puts User Data at Risk: Remove the Extension NOW
Synopsys warns of a new prompt injection hack involving a security vulnerability in EmailGPT, a popular AI email…
Hack Vulnerability APT 42 ★★
Mandiant.webp 2024-06-05 14:00:00 Phishing for Gold: Cyber Threats Facing the 2024 Paris Olympics
Written by: Michelle Cantos, Jamie Collier
Executive Summary
- Mandiant assesses with high confidence that the Paris Olympics faces an elevated risk of cyber threat activity, including cyber espionage, disruptive and destructive operations, financially motivated activity, hacktivism, and information operations.
- Olympics-related cyber threats could realistically impact various targets, including event organizers and sponsors, ticketing systems, Paris infrastructure, and athletes and spectators traveling to the event.
- Mandiant assesses with high confidence that Russian threat groups pose the highest risk to the Olympics, while state-sponsored actors from China, Iran, and North Korea pose a moderate to low risk.
- To reduce the risk of cyber threats associated with the Paris Olympics, organizations should update their threat profiles, conduct security awareness training, and consider travel-related cyber risks.
- The security community is better prepared for the cyber threats facing the Paris Olympics than it has been for previous Games, thanks to the insights gained from past events. While some entities may face unfamiliar state-sponsored threats, many of the cybercriminal threats will be familiar.
- While the technical disruption caused by hacktivism and information operations is often temporary, these operations can have an outsized impact during high-profile events with a global audience.
Introduction
The 2024 Summer Olympics, taking place in Paris, France between July and August, creates opportunities for a range of cyber threat actors to pursue profit, notoriety, and intelligence. For organizations involved in the event, understanding relevant threats is key to developing a resilient security posture. Defenders should prepare against a variety of threats that will likely be interested in targeting the Games for different reasons:
- Cyber espionage groups are likely to target the 2024 Olympics for information gathering purposes, due to the volume of government officials and senior decision makers attending.
- Disruptive and destructive operations could potentially target the Games to cause negative psychological effects and reputational damage. This type of activity could take the form of website defacements, distributed denial of service (DDoS) attacks, the deployment of wiper malware, and operational technology (OT) targeting. As a high-profile, large-scale sporting event with a global audience, the Olympics represents an ideal stage for such operations, given that the impact of any disruption would be significantly magnified.
- Information operations will likely leverage interest in the Olympics to spread narratives and disinformation to target audiences. In some cases, threat actors may leverage disruptive and destructive attacks to amplify the spread of particular narratives in hybrid operations.
- Financially-motivated actors are likely to target the Olympics in v
Ransomware Malware Threat Studies Mobile Cloud Technical APT 15 APT 31 APT 42 ★★
RiskIQ.webp 2024-05-13 13:30:14 Weekly OSINT Highlights, 13 May 2024 (direct link)
## Snapshot
Last week's OSINT reports highlight a range of evolving cyber threats and attack tactics orchestrated by sophisticated threat actors. The articles discuss a variety of attack vectors, including the exploitation of software vulnerabilities (as in Ivanti Pulse Secure VPN appliances and Laravel), malvertising via Google Search Ads, and deceptive browser update prompts used to distribute malware such as SocGholish. The threat actors identified in these reports, including APT groups such as APT42 (Mint Sandstorm) and Kimsuky (Emerald Sleet), demonstrate advanced social engineering tactics, backdoors, and persistent reconnaissance efforts targeting NGOs, media organizations, and businesses. Attackers exploit compromised websites, social media platforms, and system management tools to establish footholds and execute remote commands, underscoring the need for robust cybersecurity defenses and heightened vigilance to counter these evolving threats effectively.
## Description
1. **[New Infection Chain Associated with DarkGate Malware](https://security.microsoft.com/intel-explorer/articles/1db83f2c)**: McAfee Labs researchers uncovered a new infection chain linked to DarkGate, a remote access trojan (RAT) marketed on a Russian-language cybercrime forum. DarkGate offers features such as process injection, keylogging, and data theft, and it evades detection with tactics such as bypassing Microsoft Defender SmartScreen.
2. **[Evolution of the HijackLoader Malware Loader](https://security.microsoft.com/intel-explorer/articles/8c997d7c)**: Zscaler reports on the evolution of HijackLoader, a modular malware loader with new evasion techniques targeting Windows Defender Antivirus and User Account Control (UAC). HijackLoader delivers various malware families such as Amadey, Lumma Stealer, and Remcos RAT through techniques involving PNG images and decryption.
3. **[Kimsuky Group's (Emerald Sleet) Sophisticated Espionage Tactics](https://security.microsoft.com/intel-explorer/articles/6e7f4a30)**: Kimsuky (tracked as Emerald Sleet by Microsoft) employs social media platforms and system management tools for espionage, targeting individuals involved in North Korean human rights and security affairs. They use fake Facebook profiles, fake job interviews, and malicious Microsoft Management Console (MMC) files to execute remote commands and establish command-and-control (C2) channels.
4. **[Malware Distribution via Google Search Ads Exploitation](https://security.microsoft.com/intel-explorer/articles/1f1ae96f)**: Threat actors leverage Google Search Ads to distribute malware via MSI packages masquerading as legitimate software such as Notion. Upon interaction, PowerShell scripts execute to inject Zgrat malware, demonstrating sophisticated techniques to bypass security measures and control infected systems.
5. **[Exploitation of Ivanti Pulse Secure VPN Vulnerabilities](https://security.microsoft.com/intel-explorer/articles/2d95eb1b)**: Attackers exploit vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in Ivanti Pulse Secure VPN appliances to deliver the Mirai botnet and other malware. These vulnerabilities allow remote code execution and bypass of authentication mechanisms, posing significant threats to network security worldwide.
Spam Malware Tool Vulnerability Threat Cloud APT 42 ★★
The_Hackers_News.webp 2024-05-07 18:55:00 APT42 Hackers Pose as Journalists to Harvest Credentials and Access Cloud Data (direct link)
The Iranian state-backed hacking outfit called APT42 is making use of enhanced social engineering schemes to infiltrate target networks and cloud environments. Targets of the attack include Western and Middle Eastern NGOs, media organizations, academia, legal services and activists, Google Cloud subsidiary Mandiant said in a report published last week. "APT42 was
Cloud APT 42 ★★★★
RiskIQ.webp 2024-05-06 19:54:46 Uncharmed: Untangling Iran's APT42 Operations (direct link)
#### Targeted Geolocations
- Middle East
- North America
- Western Europe
#### Targeted Industries
- Government Agencies & Services
- Non-Government Organization
## Snapshot
Mandiant discusses the activities of APT42, an Iranian state-sponsored cyber espionage actor targeting Western and Middle Eastern NGOs, media organizations, academia, legal services, and activists. **APT42's activities overlap with Microsoft's tracking of Mint Sandstorm. [Read more about Mint Sandstorm here.](https://sip.security.microsoft.com/intel-profiles/05c5c1b864581c264d955df783455ecadf9b98471e408f32947544178e7bd0e3)**
## Description
APT42 uses enhanced social engineering schemes to build trust and deliver conference invitations or legitimate documents, enabling it to harvest credentials and gain initial access to cloud environments. Recent operations involve custom backdoors such as NiceCurl and Tamecat, delivered via spear phishing.
APT42's cloud operations involve covert data exfiltration from victims' Microsoft 365 environments, using enhanced social engineering schemes to gain initial access and bypass multi-factor authentication. The threat actor masquerades as legitimate NGOs, impersonates high-ranking personnel, and deploys decoy material to gain the victim's trust. APT42 also uses various methods to bypass multi-factor authentication, including fake Duo pages and phishing sites that capture MFA tokens.
APT42 deploys custom malware such as Tamecat and NiceCurl to target NGOs, government, or intergovernmental organizations handling issues related to Iran and the Middle East. These backdoors provide APT42 operators with initial access to targets and a flexible code-execution interface.
## Recommendations
The techniques used by Mint Sandstorm subsets can be mitigated through the following actions:
### Hardening internet-facing assets and understanding your perimeter
Organizations must identify and secure perimeter systems that attackers could use to access the network. Public scanning interfaces, such as Microsoft Defender External Attack Surface Management, can be used to augment data. Vulnerabilities observed in recent campaigns attributed to Mint Sandstorm subgroups that defenders can identify and mitigate include:
- IBM Aspera Faspex affected by CVE-2022-47986: Organizations can remediate CVE-2022-47986 by upgrading to Faspex 4.4.2 Patch Level 2 or by using Faspex 5.x, which does not contain this vulnerability.
- Zoho ManageEngine affected by CVE-2022-47966: Organizations using Zoho ManageEngine products vulnerable to CVE-2022-47966 should download and apply the upgrades from the official advisory as soon as possible. Patching this vulnerability is useful beyond this specific campaign, as multiple adversaries exploit CVE-2022-47966 for initial access.
- Apache Log4j2 (aka Log4Shell) (CVE-2021-44228 and CVE-2021-45046): [Microsoft's guidance for organizations using applications vulnerable to Log4Shell exploitation](https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/). This guidance is useful for any organization with vulnerable applications and useful beyond this specific campaign, as multiple adversaries exploit Log4Shell to obtain
Malware Vulnerability Threat Patching Cloud APT 42 ★★★
bleepingcomputer.webp 2024-05-04 10:17:34 Iranian hackers pose as journalists to push backdoor malware (direct link)
The Iranian state-backed threat actor tracked as APT42 is employing social engineering attacks, including posing as journalists, to breach corporate networks and cloud environments of Western and Middle Eastern targets. [...]
Malware Threat Cloud APT 42 ★★★
Mandiant.webp 2024-05-01 14:00:00 Uncharmed: Untangling Iran's APT42 Operations (direct link) Written by: Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, Jonathan Leathery
  APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists. Mandiant assesses APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). APT42 was observed posing as journalists and event organizers to build trust with their victims through ongoing correspondence, and to deliver invitations to conferences or legitimate documents. These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments. Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, while relying on built-in features and open-source tools to avoid detection. In addition to cloud operations, we also outline recent malware-based APT42 operations using two custom backdoors: NICECURL and TAMECAT. These backdoors are delivered via spear phishing, providing the attackers with initial access that might be used as a command execution interface or as a jumping point to deploy additional malware. APT42 targeting and missions are consistent with its assessed affiliation with the IRGC-IO, which is a part of the Iranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic Republic and domestic unrest. APT42 activities overlap with the publicly reported actors CALANQUE (Google Threat Analysis Group), Charming Kitten (ClearSky and CERTFA), Mint Sandstorm/Phosphorus (Microsoft), TA453 (Proofpoint), Yellow Garuda (PwC), and ITG18 (
Malware Tool Threat Cloud Yahoo APT 35 APT 42 ★★
Mandiant.webp 2024-04-25 10:00:00 Poll Vaulting: Cyber Threats to Global Elections (direct link)
Written by: Kelli Vanderlee, Jamie Collier
Executive Summary The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts. When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure. Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google's Advanced Protection Program to protect high-risk accounts. Introduction The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats.
An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture.  The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence. 
Ransomware Malware Hack Tool Vulnerability Threat Legislation Cloud Technical APT 40 APT 29 APT 28 APT 43 APT 31 APT 42 ★★★
Volexity.webp 2024-02-13 14:47:15 CharmingCypress: Innovating Persistence (direct link)
Through its managed security services offerings, Volexity routinely identifies spear-phishing campaigns targeting its customers. One persistent threat actor, whose campaigns Volexity frequently observes, is the Iranian-origin threat actor CharmingCypress (aka Charming Kitten, APT42, TA453). Volexity assesses that CharmingCypress is tasked with collecting political intelligence against foreign targets, particularly focusing on think tanks, NGOs, and journalists. In their phishing campaigns, CharmingCypress often employs unusual social-engineering tactics, such as engaging targets in prolonged conversations over email before sending links to malicious content. In a particularly notable spear-phishing campaign observed by Volexity, CharmingCypress went so far as to craft an entirely fake webinar platform to use as part of the lure. CharmingCypress controlled access to this platform, requiring targets to install malware-laden VPN applications prior to granting access. Note: Some content in this blog was recently discussed in Microsoft's report, New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and […]
Threat APT 35 APT 42 ★★★
RecordedFuture.webp 2023-07-06 17:42:00 Iran-based hackers targeting nuclear security experts through Mac, Windows malware (direct link)
Hackers supporting the government of Iran are targeting experts in Middle Eastern affairs and nuclear security in a new campaign that researchers said involved malware for both Apple and Microsoft products. Cybersecurity experts from Proofpoint attributed the campaign to a group they call TA453 but also is known as Charming Kitten, Mint Sandstorm or APT42,
Malware APT 35 APT 42 ★★★
RecordedFuture.webp 2023-04-30 16:51:00 Iran APT using 'BellaCiao' malware against targets in US, Europe and Asia (direct link)
An Iranian state-sponsored hacking group has been accused of deploying a new strain of malware named BellaCiao against several victims in the U.S., Europe, India, Turkey and other countries. Researchers from cybersecurity firm Bitdefender [attributed](https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/) the malware to APT35/APT42 – also known as Mint Sandstorm or Charming Kitten – an advanced persistent threat group that
Malware Threat APT 35 APT 42 ★★★
Anomali.webp 2023-03-14 17:32:00 Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam (direct link) Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam, and More. The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, DLL side-loading, Iran, Linux, Malvertising, Mobile, Pakistan, Ransomware, and Windows. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Xenomorph V3: a New Variant with ATS Targeting More Than 400 Institutions (published: March 10, 2023) Newer versions of the Xenomorph Android banking trojan are able to target 400 applications: cryptocurrency wallets and mobile banking from around the World with the top targeted countries being Spain, Turkey, Poland, USA, and Australia (in that order). Since February 2022, several small, testing Xenomorph campaigns have been detected. Its current version Xenomorph v3 (Xenomorph.C) is available on the Malware-as-a-Service model. This trojan version was delivered using the Zombinder binding service to bind it to a legitimate currency converter. Xenomorph v3 automatically collects and exfiltrates credentials using the ATS (Automated Transfer Systems) framework. The command-and-control traffic is blended in by abusing Discord Content Delivery Network. Analyst Comment: Fraud chain automation makes Xenomorph v3 a dangerous malware that might significantly increase its prevalence on the threat landscape.
Users should keep their mobile devices updated and avail of mobile antivirus and VPN protection services. Install only applications that you actually need, use the official store and check the app description and reviews. Organizations that publish applications for their customers are invited to use Anomali's Premium Digital Risk Protection service to discover rogue, malicious apps impersonating your brand that security teams typically do not search or monitor. MITRE ATT&CK: [MITRE ATT&CK] T1417.001 - Input Capture: Keylogging | [MITRE ATT&CK] T1417.002 - Input Capture: GUI Input Capture Tags: malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility services, Overlay attack, Discord CDN, Cryptocurrency wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android Cobalt Illusion Masquerades as Atlantic Council Employee (published: March 9, 2023) A new campaign by Iran-sponsored Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorous) was detected targeting Mahsa Amini protests and researchers who document the suppression of women and minority groups i Ransomware Malware Tool Vulnerability Threat Guideline Conference APT 35 ChatGPT ChatGPT APT 36 APT 42 ★★
RecordedFuture.webp 2023-01-26 00:01:00 British cyber agency issues warning over Russian and Iranian espionage campaigns (direct link) Two separate but similar espionage campaigns from Russian and Iranian-linked groups have prompted a warning from Britain's National Cyber Security Centre. In a document published on Thursday local time, the NCSC warned how instead of sending surprise phishing emails, the hacking groups – identified as “Russia-based” SEABORGIUM and “Iran-based” APT42, or Charming Kitten – are [… Conference APT 35 APT 42 ★★
globalsecuritymag.webp 2022-12-14 10:20:58 Iranian-state-aligned threat actor targets new victims in cyberespionage and kinetic campaigns – Proofpoint research (direct link) Cybersecurity researchers at Proofpoint have released new threat intelligence into Iranian state-aligned threat actor TA453 (AKA Charming Kitten, PHOSPHORUS, APT42), showing how the group has deviated from its traditional phishing techniques and is targeting new victims. - Malware Update Threat Conference APT 35 APT 42 ★★
CSO.webp 2022-09-14 05:09:00 Iranian cyberspies use multi-persona impersonation in phishing threads (direct link) One of the most prolific state-sponsored Iranian cyber espionage groups is targeting researchers from different fields by setting up sophisticated spear-phishing lures in which they use multiple fake personas inside the same email thread for increased credibility. Security firm Proofpoint tracks the group as TA453, but it overlaps with activity that other companies have attributed to Charming Kitten, PHOSPHORUS and APT42. Incident response company Mandiant recently reported with medium confidence that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC)'s Intelligence Organization (IRGC-IO) and specializes in highly targeted social engineering. Conference APT 35 APT 42
SecurityAffairs.webp 2022-09-11 13:31:49 Iran-linked APT42 is behind over 30 espionage attacks (direct link) Iran-linked APT42 (formerly UNC788) is suspected to be the actor behind over 30 cyber espionage attacks against activists and dissidents. Experts attribute over 30 cyber espionage attacks against activists and dissidents to the Iran-linked APT42 (formerly UNC788). The campaigns have been conducted since 2015 and are aimed at conducting information collection and surveillance operations against […] APT 42
The_Hackers_News.webp 2022-09-11 09:51:00 Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents (direct link) A state-sponsored advanced persistent threat (APT) actor newly christened APT42 (formerly UNC788) has been attributed to over 30 confirmed espionage attacks against individuals and organizations of strategic interest to the Iranian government at least since 2015. Cybersecurity firm Mandiant said the group operates as the intelligence gathering arm of Iran's Islamic Revolutionary Guard Corps ( Threat APT 42
InfoSecurityMag.webp 2022-09-08 13:20:00 Researchers Reveal New Iranian Threat Group APT42 (direct link) Group has been active since at least 2015 Threat APT 42
CS.webp 2022-09-07 16:32:32 Sprawling, multi-year Iranian cyberespionage and surveillance group exposed in new report (direct link) The Iranian cyberespionage group known as APT 42 is characterized by targeted spear phishing campaigns and extensive surveillance operations. APT 42
globalsecuritymag.webp 2022-09-07 15:07:57 New cyberespionage group discovered: APT42 - Crooked Charms, Cons, and Compromises (direct link) Mandiant publishes a detailed report on the APT42 group, an Iranian state-sponsored cyberespionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government. - Malwares APT 42
DarkReading.webp 2022-09-07 14:37:13 Iran-Linked APT Cozies Up to 'Enemies' in Trust-Based Spy Game (direct link) APT42 is posing as a friend to people considered threats to the government, using a raft of different tools to steal relevant info and perform surveillance. APT 42
bleepingcomputer.webp 2022-09-07 10:18:39 New Iranian hacking group APT42 deploys custom Android spyware (direct link) A new Iranian state-sponsored hacking group known as APT42 has been discovered using a custom Android malware to spy on targets of interest. [...] Malware APT 42
Mandiant.webp 2022-09-07 09:00:00 APT42: Crooked Charms, Cons, and Compromises (direct link)
Today, Mandiant is releasing a comprehensive report detailing APT42, an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government. We estimate with moderate confidence that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC)'s Intelligence Organization (IRGC-IO) based on targeting patterns that align with the organization's operational mandates and priorities. The full published report covers APT42's recent and historical
APT 42 ★★★★
Last update at: 2025-05-10 14:07:21