Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2025-03-11 12:30:00 |
SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa (direct link) |
Maritime and logistics companies in South and Southeast Asia, the Middle East, and Africa have become the target of an advanced persistent threat (APT) group dubbed SideWinder.
The attacks, observed by Kaspersky in 2024, spread across Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam. Other targets of interest include nuclear power plants and nuclear energy |
Threat
|
APT-C-17
|
★★★
|
 |
2025-03-10 16:01:11 |
Sidewinder goes nuclear, charts course for maritime mayhem in tactics shift (direct link) |
Phishing and ancient vulns still do the trick for one of the most prolific groups around
Researchers say the Sidewinder offensive cyber crew is starting to target maritime and nuclear organizations.… |
|
APT-C-17
|
★★
|
 |
2025-03-10 10:00:36 |
SideWinder targets the maritime and nuclear sectors with an updated toolset (direct link) |
In this article, we discuss the tools and TTPs used in the SideWinder APT's attacks in H2 2024, as well as shifts in its targets, such as an increase in attacks against the maritime and logistics sectors. |
Tool
|
APT-C-17
|
★★★
|
 |
2024-10-21 11:41:26 |
Weekly OSINT Highlights, 21 October 2024 (direct link) |
## Snapshot
Last week's OSINT reports highlight a diverse range of cyber threats and evolving attack vectors. Social engineering remains a widespread tactic, with campaigns such as ClickFix leveraging fake error messages to distribute malware, while the CL-STA-240 Contagious Interview campaign targets job seekers using malware disguised as video-calling applications. Information stealers such as Lumma and Meduza continue to proliferate and to leverage distributed platforms like Telegram and GitHub. Ransomware actors exploit cloud services, as shown by the ransomware campaign abusing Amazon S3. Nation-state groups, including North Korea, Iran, and China, persist in targeting critical infrastructure and government entities using sophisticated evasion techniques and open-source tools, while financially motivated actors focus on banking trojans and cryptocurrency theft. These trends underscore the growing sophistication and diversity of threat actors' tactics, with both nation-state APTs and cybercriminals targeting a wide range of sectors.
## Description
1. [ClickFix Social Engineering Tactic](https://sip.security.microsoft.com/intel-explorer/articles/6d79c4e3): Sekoia researchers identified ClickFix, a new social engineering tactic leveraging fake browser error messages to execute malicious PowerShell commands. It has been used by groups such as Slavic Nation Empire and Scamquerteo to distribute infostealers, RATs, and botnets targeting cryptocurrency and Web3 users.
2. [Lumma Stealer Distribution via HijackLoader](https://sip.security.microsoft.com/intel-explorer/articles/ef6514e6): HarfangLab researchers observed an increase in Lumma Stealer distribution using HijackLoader with code-signing certificates to bypass defenses. These campaigns targeted users through fake CAPTCHA pages, leading to malware execution with certificates signed by legitimate companies.
3. [Meduza Stealer Spread via Telegram](https://sip.security.microsoft.com/intel-explorer/articles/ac988484): CERT-UA reported the Meduza Stealer being distributed through Telegram messages urging users to download "special software." The malware targeted Ukrainian enterprises and stole documents before self-deleting to avoid detection.
4. [Ransomware Exploiting Amazon S3](https://sip.security.microsoft.com/intel-explorer/articles/f5477a4): Trend Micro identified a ransomware campaign exploiting Amazon S3's Transfer Acceleration feature for data exfiltration. Disguised as LockBit, this ransomware targets Windows and macOS, using AWS credentials for data uploads while leveraging encryption techniques to pressure victims.
5. [AI Abused in Cyber Operations](https://sip.security.microsoft.com/intel-explorer/articles/e46070dd): OpenAI reported more than 20 cases of AI misuse by malicious actors for malware development, disinformation, and spear phishing. Threat actors including Storm-0817 and SweetSpecter leveraged AI for tasks such as reconnaissance and code debugging, while covert influence operations were traced to Iran and Rwanda.
6. [TrickMo Banking Trojan Variants](https://sip.security.microsoft.com/intel-explorer/articles/1f1ea18b): Zimperium researchers discovered 40 TrickMo banking trojan variants capable of OTP interception, screen recording, and device |
Ransomware
Malware
Tool
Vulnerability
Threat
Cloud
|
APT 38
APT 37
APT-C-17
|
★★
|
 |
2024-10-17 15:45:00 |
SideWinder APT Strikes Middle East and Africa With Stealthy Multi-Stage Attack (direct link) |
An advanced persistent threat (APT) actor with suspected ties to India has sprung forth with a flurry of attacks against high-profile entities and strategic infrastructures in the Middle East and Africa.
The activity has been attributed to a group tracked as SideWinder, which is also known as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, and T-APT-04. |
Threat
|
APT-C-17
|
★★★
|
 |
2024-10-16 10:01:41 |
Sidewinder Casts Wide Geographic Net in Latest Attack Spree (direct link) |
The long-active, India-sponsored cyber-threat group targeted multiple entities across Asia, Africa, the Middle East, and even Europe in a recent attack wave that demonstrated the use of a previously unknown post-exploit tool called StealerBot. |
Tool
|
APT-C-17
|
★★★
|
 |
2024-10-15 19:57:54 |
(Déjà vu) Beyond the Surface: the evolution and expansion of the SideWinder APT group (direct link) |
#### Targeted Geolocations
- Bangladesh
- Djibouti
- Jordan
- Malaysia
- Maldives
- Myanmar
- Nepal
- Pakistan
- Saudi Arabia
- Sri Lanka
- Türkiye
- United Arab Emirates
- Afghanistan
- France
- China
- India
- Indonesia
- Morocco
- Middle East
- North Africa
- Sub-Saharan Africa
- South Asia
- Southeast Asia
#### Targeted Industries
- Government Agencies & Services
- Defense
- Diplomacy/International Relations
- Education
- Higher Education
- Financial Services
## Snapshot
SideWinder, also known as T-APT-04 or RattleSnake, is a highly active advanced persistent threat (APT) group that has been targeting entities in South and Southeast Asia since 2012. Its primary targets have included military and government institutions in countries such as Pakistan, Sri Lanka, and Nepal. Recently, SideWinder expanded its reach, launching new attacks on strategic infrastructures and other high-profile entities in the Middle East and Africa.
## Description
A hallmark of SideWinder's newly observed activities is its use of spear-phishing emails to deliver malicious files, often Microsoft OOXML documents or ZIP archives containing malicious LNK files. Once these files are opened, they initiate a multi-stage infection process, which ultimately installs the StealerBot espionage tool. This tool is designed for post-compromise activities, such as stealing sensitive information, capturing screenshots, logging keystrokes, and stealing credentials.
SideWinder's tactics include exploiting vulnerabilities like [CVE-2017-11882](https://security.microsoft.com/intel-explorer/cves/CVE-2017-11882/) through malicious RTF files. The group also utilizes public exploits, malicious scripts, and remote template injection. Their malware employs multiple evasion techniques, such as detecting sandboxes and using encrypted payloads to avoid detection.
SideWinder's infrastructure includes numerous domains and servers, often hosted on virtual private servers (VPS) for short periods of time. The group primarily targets government, military, and infrastructure sectors, as well as diplomatic entities in several countries. While much is known about their initial infection techniques, according to Kaspersky, their post-compromise operations remain less well understood.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender fo |
Ransomware
Malware
Tool
Vulnerability
Threat
|
APT-C-17
|
★★★
|
 |
2024-10-15 10:00:54 |
Beyond the Surface: the evolution and expansion of the SideWinder APT group (direct link) |
Kaspersky analyzes SideWinder APT's recent activity: new targets in the Middle East and Africa, post-exploitation tools and techniques. |
Tool
|
APT-C-17
|
★★
|
 |
2024-08-05 10:51:17 |
Weekly OSINT Highlights, 5 August 2024 (direct link) |
## Snapshot
Last week's OSINT reports highlight several key trends in the cyber threat landscape, characterized by sophisticated attack tactics and adaptable threat actors. The predominant attack types involve phishing, social engineering, and the exploitation of software vulnerabilities, with common vectors including malicious attachments, compromised websites, DNS poisoning, and malvertising. Notable campaigns targeted UKR.NET users, BBVA bank customers, and hijacked social media pages to impersonate popular AI photo editors. In addition, the exploitation of misconfigurations in widely used platforms such as Selenium Grid and TryCloudflare Tunnel indicates a strategic focus on leveraging legitimate tools for malicious purposes.
Threat actors range from nation-state groups such as North Korean actors, APT41, and SideWinder, to financially motivated cybercriminals and hacktivist groups such as AzzaSec. Advanced evasion techniques and social engineering strategies are used by actors like UAC-0102, Black Basta, and those exploiting the CrowdStrike update issues. Targets are diverse, spanning government and military organizations, financial institutions, corporate networks, small and medium-sized businesses, and individual users across various regions.
## Description
1. [Revised DEV#POPPER Campaign](https://sip.security.microsoft.com/intel-explorer/articles/9f6ee01b): North Korean threat actors target software developers using fake job interviews to distribute malware via ZIP file packages. The campaign, affecting multiple operating systems and regions, uses advanced obfuscation and social engineering tactics for data theft and persistence.
2. [Specula Framework Exploits Outlook](https://sip.security.microsoft.com/intel-explorer/articles/4b71ce29): A new post-exploitation framework called "Specula" leverages. Despite being patched, this method is used by the Iranian-sponsored APT33 to achieve persistence and lateral movement in compromised Windows systems.
3. [Phishing with Sora AI Branding](https://sip.security.microsoft.com/intel-explorer/articles/b90cc847): Threat actors are exploiting the excitement around the unreleased Sora AI by creating phishing sites to spread malware. These sites, promoted via compromised social media accounts, deploy information stealers and cryptocurrency mining software.
4. [VMware ESXi Vulnerability Exploited](https://sip.security.microsoft.com/intel-explorer/articles/63b1cec8): Ransomware gangs such as Storm-0506 and Octo Tempest are exploiting a VMware ESXi authentication bypass vulnerability for administrative access. This vulnerability, added to the Known Exploited Vulnerabilities catalog, is used to steal data, move laterally, and disrupt operations.
5. [APT41 Targets Taiwanese Research](https://sip.security.microsoft.com/intel-explorer/articles/d791dc39): The APT41 group, tracked as Brass Typhoon. The campaign involves exploiting a Microsoft Office vulnerability and using steganography to evade detection.
6. [Banking Trojans in Latin America](https://sip.security.microsoft.com/intel-explorer/articles/767518e9): A campaign targeting financial organizations uses banking trojans distributed via geofenced URLs. The malware uses process injection and connects to command-and-control servers to steal sensitive information.
7. [Mint Stealer Malware]( |
Ransomware
Spam
Malware
Tool
Vulnerability
Threat
Mobile
|
APT33
APT 41
APT 33
APT-C-17
|
★★★
|
 |
2024-07-31 06:00:00 |
India-Linked SideWinder Group Pivots to Hacking Maritime Targets (direct link) |
The nation-state espionage group known for attacking Pakistan has expanded its reach to targets in Egypt and Sri Lanka. |
|
APT-C-17
|
★★★
|
 |
2024-07-30 17:42:47 |
(Déjà vu) SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea (direct link) |
#### Targeted Geolocations
- Pakistan
- Egypt
- Sri Lanka
- Bangladesh
- Myanmar
- Nepal
- Maldives
#### Targeted Industries
- Transportation Systems
- Maritime Transportation
## Snapshot
The BlackBerry Threat Research and Intelligence team has uncovered a new campaign by the nation-state threat actor SideWinder, also known as Razor Tiger and Rattlesnake, which has upgraded its infrastructure and techniques since mid-2023.
## Description
The campaign targets ports and maritime facilities in the Indian Ocean and Mediterranean Sea, with specific focus on Pakistan, Egypt, and Sri Lanka initially, and expanding to Bangladesh, Myanmar, Nepal, and the Maldives. SideWinder employs spear-phishing emails using familiar logos and themes to lure victims into opening malicious documents, which exploit vulnerabilities in Microsoft Office to gain access to systems. The group's objective is believed to be espionage and intelligence gathering, consistent with its past campaigns targeting military, government, and business entities in South Asia.
The malicious documents use visual bait, such as fake port authority letters, to provoke fear and urgency, leading victims to download malware. The documents exploit a known vulnerability ([CVE-2017-0199](https://security.microsoft.com/intel-explorer/cves/CVE-2017-0199/)) in Microsoft Office, relying on outdated or unpatched systems to deliver their payload. Once opened, the documents download additional malicious files that execute shellcode to ensure the system is not a virtual environment, before proceeding with further stages of the attack. The campaign's infrastructure includes the use of Tor nodes to mask network traffic and protective DNS data to evade detection.
## Detections/Hunting Queries
### Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
- [Exploit:O97M/CVE-2017-0199](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:O97M/CVE-2017-0199!MSR)
- [Trojan:Win32/Casdet](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Casdet!rfn)
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences) in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run [EDR in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Allow [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- [Enable](https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders) controlled folder access.
- Ensure that [tamper protection](https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#how-do-i-configure-or-manage-tamper-protection) is enabled in Microsoft Defender for Endpoint.
- Enable [network protection](https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection) in Microsoft Defender for Endpoint.
- Follow the credential hardening recom |
Ransomware
Malware
Tool
Vulnerability
Threat
|
APT-C-17
|
★★★
|
 |
2024-07-30 13:02:00 |
New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries (direct link) |
The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea.
The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the |
Threat
|
APT-C-17
|
★★★
|
 |
2024-07-25 08:01:00 |
SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea (direct link) |
As part of our continuous threat hunting efforts, the BlackBerry Threat Research and Intelligence team has discovered a new campaign by the threat actor SideWinder, targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea. |
Threat
|
APT-C-17
|
★★★
|
 |
2023-07-19 19:36:00 |
China-linked hackers target mobile devices with WyrmSpy and DragonEgg spyware (direct link) |
The infamous Chinese hacking group tracked as APT41 has been using two newly identified spyware strains to infect Android devices, cybersecurity researchers said. APT41, also known as Winnti and Brass Typhoon (formerly Barium), is a state-sponsored espionage group that has been active for more than a decade and is known for targeting government organizations for intelligence |
|
APT 41
APT-C-17
|
★★
|
 |
2023-07-07 02:33:29 |
Threat Trend Report on APT Groups – May 2023 (direct link) |
The cases of major APT groups for May 2023 gathered from materials made public by security companies and institutions are as follows. – Agrius – Andariel – APT28 – APT29 – APT-C-36 (Blind Eagle) – Camaro Dragon – CloudWizard – Earth Longzhi (APT41) – GoldenJackal – Kimsuky – Lazarus – Lancefly – OilAlpha – Red Eyes (APT37, ScarCruft) – SideCopy – SideWinder – Transparent Tribe (APT36) – Volt Typhoon (Bronze Silhouette) ATIP_2023_May_Threat Trend Report on APT Groups_20230609
|
Threat
Prediction
|
APT 41
APT 38
APT 37
APT 29
APT 28
APT 36
Guam
APT-C-17
GoldenJackal
APT-C-36
|
★★★
|
 |
2023-05-17 14:10:00 |
State-Sponsored SideWinder Hacker Group's Covert Attack Infrastructure Uncovered (direct link) |
Cybersecurity researchers have unearthed previously undocumented attack infrastructure used by the prolific state-sponsored group SideWinder to strike entities located in Pakistan and China.
This comprises a network of 55 domains and IP addresses used by the threat actor, cybersecurity companies Group-IB and Bridewell said in a joint report shared with The Hacker News.
"The identified phishing |
Threat
|
APT-C-17
|
★★
|
 |
2023-05-09 15:09:00 |
Researchers Uncover SideWinder's Latest Server-Based Polymorphism Technique (direct link) |
The advanced persistent threat (APT) actor known as SideWinder has been accused of deploying a backdoor in attacks directed against Pakistan government organizations as part of a campaign that commenced in late November 2022.
"In this campaign, the SideWinder advanced persistent threat (APT) group used a server-based polymorphism technique to deliver the next stage payload," the BlackBerry |
Threat
|
APT-C-17
|
★★★
|
 |
2023-05-09 14:30:00 |
SideWinder Strikes Victims in Pakistan, Turkey in Multiphase Polymorphic Attack (direct link) |
The APT is exploiting a remote template injection flaw to deliver malicious documents that lure in government officials and other targets with topics of potential interest. |
|
APT-C-17
|
★★★
|
 |
2023-05-08 08:01:00 |
SideWinder Uses Server-side Polymorphism to Attack Pakistan Government Officials - and Is Now Targeting Turkey (direct link) |
The BlackBerry Research and Intelligence team has been actively monitoring the SideWinder APT group, whose latest campaign targets Pakistan government organizations by using a server-based polymorphism technique to deliver the payload. |
|
APT-C-17
|
★★★
|
 |
2023-02-16 23:46:00 |
Researchers Link SideWinder Group to Dozens of Targeted Attacks in Multiple Countries (direct link) |
The prolific SideWinder group has been attributed as the nation-state actor behind attempted attacks against 61 entities in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021.
Targets included government, military, law enforcement, banks, and other organizations, according to an exhaustive report published by Group-IB, which also found links between the adversary |
|
APT-C-17
|
★★★
|
 |
2023-02-16 16:41:00 |
SideWinder APT Spotted Stealing Crypto (direct link) |
The nation-state threat group has been attacking a wider range of victims and regions than previously thought. |
Threat
|
APT-C-17
|
★★
|
 |
2023-02-15 09:30:00 |
SideWinder APT Attacks Regional Targets in New Campaign (direct link) |
Indian threat group conducts hundreds of operations in a short time-span |
Threat
|
APT-C-17
|
★★
|
 |
2022-10-24 11:55:00 |
SideWinder APT Using New WarHawk Backdoor to Target Entities in Pakistan (direct link) |
SideWinder, a prolific nation-state actor mainly known for targeting Pakistan military entities, compromised the official website of the National Electric Power Regulatory Authority (NEPRA) to deliver a tailored malware called WarHawk.
"The newly discovered WarHawk backdoor contains various malicious modules that deliver Cobalt Strike, incorporating new TTPs such as KernelCallBackTable injection |
Malware
|
APT-C-17
|
|
 |
2022-07-13 11:00:06 |
A Hit is made: Suspected India-based Sidewinder APT successfully cyber attacks Pakistan military focused targets (direct link) |
Check Point Research (CPR) reported evidence suggesting that Pakistan Air Force's Headquarters was a victim of a successful attack conducted by Sidewinder, a suspected India-based APT group. During May 2022, several malware samples and two encrypted files related to the attack were uploaded to VirusTotal. After decrypting the encrypted files, CPR saw that one…
|
Malware
|
APT-C-17
|
|
 |
2022-06-02 13:09:56 |
SideWinder Targets Pakistani Entities With Phishing Attacks (direct link) |
|
|
APT-C-17
|
|
 |
2022-06-02 01:38:51 |
SideWinder Hackers Use Fake Android VPN Apps to Target Pakistani Entities (lien direct) |
The threat actor known as SideWinder has added a new custom tool to its arsenal of malware that's being used in phishing attacks against Pakistani public and private sector entities.
"Phishing links in emails or posts that mimic legitimate notifications and services of government agencies and organizations in Pakistan are primary attack vectors of the gang," Singapore-headquartered cybersecurity |
Malware
Tool
Threat
|
APT-C-17
|
|
 |
2022-06-01 09:10:12 |
SideWinder hackers plant fake Android VPN app in Google Play Store (lien direct) |
Phishing campaigns attributed to an advanced threat actor called SideWinder involved a fake VPN app for Android devices published on Google Play Store along with a custom tool that filters victims for better targeting. [...] |
Tool
Threat
|
APT-C-17
|
|
 |
2022-05-31 14:28:17 |
SideWinder carried out over 1,000 attacks since April 2020 (lien direct) |
SideWinder, an aggressive APT group, is believed to have carried out over 1,000 attacks since April 2020, Kaspersky reported. Researchers from Kaspersky have analyzed the activity of an aggressive threat actor tracked as SideWinder (aka RattleSnake and T-APT-04). The group stands out for the high frequency and persistence of its attacks; researchers believe that the […]
|
Threat
|
APT-C-17
|
|
 |
2022-05-31 00:30:39 |
SideWinder Hackers Launched Over a 1,000 Cyber Attacks Over the Past 2 Years (lien direct) |
An "aggressive" advanced persistent threat (APT) group known as SideWinder has been linked to over 1,000 new attacks since April 2020.
"Some of the main characteristics of this threat actor that make it stand out among the others, are the sheer number, high frequency and persistence of their attacks and the large collection of encrypted and obfuscated malicious components used in their |
Threat
|
APT-C-17
|
|
 |
2022-05-05 15:04:29 |
1,000+ Attacks in 2 Years: How the SideWinder APT Sheds Its Skin (lien direct) |
Researcher to reveal fresh details at Black Hat Asia on a tenacious cyber-espionage group attacking specific military, law enforcement, aviation, and other entities in Central and South Asia. |
|
APT-C-17
|
|
 |
2022-02-15 20:01:00 |
Anomali Cyber Watch: Mobile Malware Is On The Rise, APT Groups Are Working Together, Ransomware For The Individual, and More (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Mobile Malware, APTs, Ransomware, Infostealers, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
What’s With The Shared VBA Code Between Transparent Tribe And Other Threat Actors?
(published: February 9, 2022)
A recent discovery has been made that links malicious VBA macro code between multiple groups, namely: Transparent Tribe, Donot Team, SideCopy, Operation Hangover, and SideWinder. These groups operate (or operated) out of South Asia and use a variety of techniques with phishing emails and maldocs to target government and military entities within India and Pakistan. The code is similar enough that it suggests cooperation between APT groups, despite having completely different goals/targets.
Analyst Comment: This research shows that APT groups are sharing TTPs to assist each other, regardless of motive or target. Files that ask for content to be enabled in order to display the document properly are often a sign of a phishing attack. If such a file arrives from a known and trusted sender, contact that individual to verify the authenticity of the attachment before opening it; any such attachment from an unknown sender should be treated with the utmost scrutiny, left unopened, and reported to the appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Phishing - T1566
Tags: Transparent Tribe, Donot, SideWinder, Asia, Military, Government
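The shared-macro story above comes down to one lure that all five groups rely on: a document that asks the user to "Enable Content". The following is an added example, not code from Anomali or from the original page, showing how a mail gateway or triage script can decide that question from the file bytes rather than from the extension. It relies only on the Python standard library: an OOXML document is a zip package, a macro-enabled one carries a vbaProject.bin part and declares the vbaProject content type in [Content_Types].xml; for legacy OLE files it uses a raw scan for the UTF-16LE storage names of the VBA project, which is a heuristic and stated as such. The sample documents are constructed in memory and are not real SideWinder or Transparent Tribe samples.

```python
import io
import re
import zipfile

# Added example, not code from Anomali or the original page. Sample documents
# are built in memory below; they are test fixtures, not real malware.

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
VBA_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$")
MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CFB directory entry names are stored as UTF-16LE, so these strings can be
# spotted with a raw scan (heuristic; a full CFB parser would walk the tree).
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "VBA_PROJECT_CUR", "Macros")]


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed fixture: a minimal Word package, with or without a VBA part."""
    overrides = [
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)  # stub, not a real VBA project
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            + "".join(overrides) + "</Types>",
        )
    return buf.getvalue()


def inspect_document(data: bytes, filename: str) -> dict:
    """Return macro indicators for one file, derived from the bytes, not the extension."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    result = {"container": "unknown", "has_vba": False, "declares_vba": False, "extension_mismatch": False}

    if data.startswith(b"PK\x03\x04"):
        result["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            result["has_vba"] = any(VBA_PART.match(n) for n in names)
            if "[Content_Types].xml" in names:
                types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
                result["declares_vba"] = VBA_CONTENT_TYPE in types_xml
    elif data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        result["has_vba"] = any(marker in data for marker in OLE_VBA_MARKERS)

    macro_seen = result["has_vba"] or result["declares_vba"]
    # A package carrying VBA but named like a macro-free format is either
    # mislabelled or trying to look harmless; either way it deserves a look.
    result["extension_mismatch"] = macro_seen and ext in MACRO_FREE_EXTENSIONS
    return result


def verdict(result: dict) -> str:
    """Map the indicators to the action a gateway would take."""
    if result["extension_mismatch"]:
        return "quarantine: VBA project in a file claiming to be macro-free"
    if result["has_vba"] or result["declares_vba"]:
        return "review: macro-enabled document"
    return "pass: no VBA project found"


if __name__ == "__main__":
    for name, doc in (("report.docm", build_ooxml(True)),
                      ("report.docx", build_ooxml(True)),
                      ("report.docx", build_ooxml(False))):
        print(name, "->", verdict(inspect_document(doc, name)))
```

The check deliberately ignores the extension when deciding whether macros are present and uses it only to flag a contradiction; a macro-enabled package renamed to .docx is exactly the kind of file worth pulling aside for the manual verification the analyst comment recommends.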
Fake Windows 11 Upgrade Installers Infect You With RedLine Malware
(published: February 9, 2022)
Due to the recent announcement of Windows 11 upgrade availability, an unknown threat actor has registered a domain to trick users into downloading an installer that contains RedLine malware. The site, "windows-upgraded[.]com", is a direct copy of a legitimate Microsoft upgrade portal. Clicking the 'Upgrade Now' button downloads a 734 MB ZIP file padded with dead code, most likely to push the file size past what antivirus scanners will inspect. RedLine is a well-known infostealer, capable of taking screenshots, keylogging, communicating with a C2 server, and more.
Analyst Comment: Official Windows update and installation files are downloaded through the operating system itself. If offline updates are necessary, use only Microsoft sites and subdomains. Never update Windows from a third-party site, precisely because of this type of attack.
MITRE ATT&CK: [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: RedLine, Windows 11, Infostealer
|
Ransomware
Malware
Tool
Vulnerability
Threat
Guideline
|
Uber
APT 43
APT 36
APT-C-17
|
|
 |
2021-07-07 12:00:06 |
SideCopy cybercriminals use new custom Trojans in attacks against India's military (lien direct) |
SideCopy imitates Sidewinder, poaching the same infection chains to deliver different malicious tools. |
|
APT-C-17
|
|
 |
2021-07-07 05:01:04 |
InSideCopy: How this APT continues to evolve its arsenal (lien direct) |
By Asheer Malhotra and Justin Thattil.
Cisco Talos is tracking an increase in SideCopy's activities targeting government personnel in India using themes and tactics similar to APT36 (aka Mythic Leopard and Transparent Tribe). SideCopy is an APT group that mimics the Sidewinder APT's infection...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
|
APT 36
APT-C-17
|
|
 |
2021-01-13 11:00:00 |
A Global Perspective of the SideWinder APT (lien direct) |
AT&T Alien Labs has conducted an investigation on the adversary group publicly known as SideWinder in order to historically document its highly active campaigns and identify a more complete picture of targets, motivations, and objectives. Through our investigation, we have uncovered a collection of activity targeting government and business throughout South Asia and East Asia spanning many years. Our findings are primarily focused on activity since 2017, however the group has been reportedly operating since at least 2012.
Alien Labs, along with other security researchers, has assessed with low to medium confidence that the group operates in support of Indian political interests, based on targets, campaign timelines, technical characteristics of command and control (C2) infrastructure and malware, association with other known Indian-interest APTs, past cyber threat intelligence reporting, and our private telemetry.
SideWinder is a highly active adversary that primarily relies on email spear phishing, document exploitation, and DLL side-loading to evade detection and deliver targeted implants. The adversary's activity continues at a consistent rate, and AT&T Alien Labs recommends deploying detections and running retrospective analysis against the shared indicators of compromise (IOCs) to surface past undetected activity. In this report we provide a timeline of known campaigns and their associated IOCs, in addition to a large number of campaigns and IOCs that have not been previously reported or publicly identified.
Full reports and IOCs are available here.
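Both the Anomali note earlier on this page (use the attached IOCs to check your logs) and Alien Labs' recommendation here to run retrospective analysis against shared indicators come down to the same SOC task: take the defanged indicators a report publishes, refang them, and match them against historical proxy logs without the substring mistakes that generate false positives. The block below is an added example and is not code from Anomali, AT&T Alien Labs or the original page. The indicator list reuses the "windows-upgraded[.]com" domain named above and otherwise consists of constructed values (a documentation-range IP and an .example URL); the proxy log lines and their "timestamp client method url status" format are likewise constructed and assumed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example, not code from Anomali, AT&T Alien Labs or the original page.
# Indicators other than windows-upgraded[.]com and all log lines are
# constructed for the demonstration; the log format is an assumption.

DEFANGED_IOCS = [
    "windows-upgraded[.]com",                         # lure domain from the RedLine story
    "hxxps://update-portal[.]example/installer.zip",  # constructed URL indicator
    "198.51.100[.]23",                                # constructed IP indicator
]

SAMPLE_PROXY_LOG = """\
2022-02-10T09:12:33Z 10.0.0.5 GET https://windows-upgraded.com/upgrade-now 200
2022-02-10T09:12:40Z 10.0.0.5 GET https://cdn.windows-upgraded.com/installer.zip 200
2022-02-10T09:13:01Z 10.0.0.9 GET https://notwindows-upgraded.com/ 200
2022-02-10T09:14:15Z 10.0.0.7 GET http://198.51.100.23/gate.php 404
2022-02-10T09:14:50Z 10.0.0.7 GET https://update-portal.example/installer.zip 200
2022-02-10T09:15:02Z 10.0.0.7 GET https://www.microsoft.com/software-download/windows11 200
""".splitlines()

DEFANG_MAP = (("hxxps://", "https://"), ("hxxp://", "http://"),
              ("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[/]", "/"))


def refang(ioc: str) -> str:
    """Undo the bracket and hxxp defanging that published reports use."""
    value = ioc.strip()
    for defanged, clean in DEFANG_MAP:
        value = value.replace(defanged, clean)
    return value.lower()


def classify(ioc: str):
    """Return (kind, value) with kind in {'url', 'ip', 'domain'}."""
    value = refang(ioc)
    if "://" in value:
        return "url", value
    try:
        ipaddress.ip_address(value)
        return "ip", value
    except ValueError:
        return "domain", value.rstrip(".")


def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match only; a substring match would also hit
    notwindows-upgraded.com, which is a different registration."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_proxy_log(lines, iocs):
    """Return (timestamp, client, url, indicator) for every line that matches an IOC."""
    indicators = [classify(i) for i in iocs]
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing fields
        url = m["url"]
        host = urlsplit(url).hostname or ""
        for kind, value in indicators:
            matched = (
                (kind == "domain" and host_matches(host, value))
                or (kind == "ip" and host == value)
                or (kind == "url" and url.lower() == value)
            )
            if matched:
                hits.append((m["ts"], m["client"], url, value))
                break
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, DEFANGED_IOCS):
        print(*hit)
```

Domain indicators match the host exactly or as a parent domain, IP indicators match the host exactly, and URL indicators match the full request; the line for notwindows-upgraded.com is left alone on purpose, since it is the kind of near-miss that a naive grep over the log would report as a hit.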
|
Threat
|
APT-C-17
|
|
 |
2020-12-09 19:53:13 |
SideWinder APT Targets Nepal, Afghanistan in Wide-Ranging Spy Campaign (lien direct) |
Convincing email-credential phishing, emailed backdoors and mobile apps are all part of the group's latest effort against military and government targets. |
|
APT-C-17
|
|
 |
2020-12-09 00:00:00 |
Mobile Threats Analyst (lien direct) |
While tracking the activities of the SideWinder group, we identified a server used to deliver a malicious LNK file and host multiple credential phishing pages. In addition, we also found multiple Android APK files on their phishing server.
|
|
APT-C-17
|
|
 |
2020-03-25 07:00:00 |
This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits (lien direct) |
Beginning this year, FireEye observed Chinese actor APT41 carry out one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years. Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers. Countries we've seen targeted include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA. The following |
Vulnerability
|
APT 41
APT-C-17
|
★★★
|
 |
2020-01-07 08:41:42 |
3 Google Play Store Apps Exploit Android Zero-Day Used by NSO Group (lien direct) |
Watch out! If you have any of the below-mentioned file manager and photography apps installed on your Android phone, even if downloaded from the official Google Play Store, you have been hacked and are being tracked.
These newly detected malicious Android apps are Camero, FileCrypt, and callCam that are believed to be linked to Sidewinder APT, a sophisticated hacking group specialized in cyber |
|
APT-C-17
|
|
 |
2020-01-06 17:20:00 |
Malicious Google Play Apps Linked to SideWinder APT (lien direct) |
The active attack involving three malicious Android applications is the first exploiting CVE-2019-2215, Trend Micro researchers report. |
|
APT-C-17
|
|
 |
2020-01-06 13:00:34 |
First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group (lien direct) |
We found three malicious apps in the Google Play store that work together to compromise a victim's device and collect user information. One of these apps, called Camero, exploits CVE-2019-2215, a vulnerability that exists in Binder (the main Inter-Process Communication system in Android). This is the first known active attack in the wild that uses the use-after-free vulnerability.
|
Vulnerability
|
APT-C-17
|
|
 |
2019-10-15 09:15:00 |
LOWKEY: Hunting for the Missing Volume Serial ID (lien direct) |
In August 2019, FireEye released the “Double Dragon” report on our newest graduated threat group: APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services.
This blog post is about the sophisticated passive backdoor we track as LOWKEY, mentioned in the APT41 report and recently unveiled at the FireEye Cyber Defense Summit. We observed LOWKEY being used in highly targeted attacks, utilizing payloads that run only on specific systems. Additional malware family |
Malware
Threat
|
APT 41
APT-C-17
|
★★★★
|
 |
2018-08-18 13:00:00 |
Owning Guns Is Sort of Like Owning Rattlesnakes (lien direct) |
Author Michael Bishop's 'Rattlesnakes and Men' is about a town where everyone owns a dangerous ophidian. |
|
APT-C-17
|
|