What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-02-29 11:00:00 | Échoes de solarwinds dans la nouvelle technique d'attaque \\ 'Silver Saml \\' Echoes of SolarWinds in New \\'Silver SAML\\' Attack Technique (lien direct) |
Successeur de la tactique "Golden Saml" utilisée dans la campagne Solarwinds, cette nouvelle technique exploite la contrefaçon de réponse SAML pour obtenir un accès illégitime aux applications et aux services.
A successor to the "Golden SAML" tactic used in the SolarWinds campaign, this new technique taps SAML response forgery to gain illegitimate access to apps and services. |
Solardwinds | ★★★ | |
 |
2023-10-31 19:43:20 | SEC SUES SOLARWINDS et CISO, dit qu'ils ont ignoré les défauts qui ont conduit à un hack majeur SEC sues SolarWinds and CISO, says they ignored flaws that led to major hack (lien direct) |
Solarwinds a induit en erreur le public sur la sécurité pendant que les pirates ont accédé au réseau, selon SEC.
SolarWinds misled public about security while hackers accessed network, SEC says. |
Hack | Solardwinds | ★★ |
 |
2023-10-31 18:50:52 | La SEC poursuit Solarwinds et CISO pour la fraude SEC sues SolarWinds and CISO for fraud (lien direct) |
> La SEC allègue que Solarwinds a fraudé les investisseurs en omettant de divulguer des lacunes dans leurs pratiques de sécurité exploitées plus tard par les pirates russes.
>The SEC alleges SolarWinds defrauded investors by failing to disclose gaps in their security practices later exploited by Russian hackers. |
Legislation | Solardwinds | ★★ |
 |
2023-10-31 14:24:03 | WSJ: "La SEC poursuit des Solarwinds sur le piratage de 2020 attribué aux Russes" WSJ: "SEC Sues SolarWinds Over 2020 Hack Attributed to Russians" (lien direct) |
30 octobre 2023 Le Wall Street Journal a annoncé que la Commission des États-Unis de sécurité et d'échange a poursuivi Solarwinds.Voici les premiers paragraphes et il y a un lien vers l'article WSJ complet en bas: "La société de logiciels & nbsp; victime de pirates liés à la Russie & nbsp; il y a plus de trois ans, alléguant que la société fraude les actionnaires par des actionnaires à plusieurs reprises par répétition par des actionnaires à plusieurs reprises par répétition par des actionnaires à plusieurs reprises à plusieurs reprises à plusieurs reprises par des actionnaires à plusieurs reprises par la firme à plusieurs reprises par les actionnaires à plusieurs reprises par à plusieurs reprises par des action à plusieurs reprises à plusieurs reprises à plusieurs reprises à plusieurs reprises à plusieurs reprises à plusieurs reprises par la firme francLes tromper sur ses cyber-vulnérabilités et la capacité des attaquants à pénétrer ses systèmes.
October 30, 2023 the Wall street Journal broke news that the United States Security and Exchange Commission sued Solarwinds. Here are the first few paragraphs and there is a link to the full WSJ article at the bottom : "the software company victimized by Russian-linked hackers over three years ago, alleging the firm defrauded shareholders by repeatedly misleading them about its cyber vulnerabilities and the ability of attackers to penetrate its systems. |
Hack Vulnerability | Solardwinds | ★★★ |
 |
2023-10-31 09:30:00 | SEC facture des solarwinds et du RSI avec des investisseurs trompeurs SEC Charges SolarWinds and CISO With Misleading Investors (lien direct) |
La plainte allègue la posture de sécurité surestimée et les risques discrets
Complaint alleges company overstated security posture and understated risks |
Solardwinds | ★★★★ | |
 |
2023-10-31 00:57:46 | Solarwinds chargés après que SEC a déclaré que Biz savait qu'il était furieux avant l'attaque de Sunburst SolarWinds charged after SEC says biz knew IT was leaky ahead of SUNBURST attack (lien direct) |
Labels du développeur Action \\ 'non fondé \' After Company et Ciso Giflé avec un costume pour les investisseurs trompeurs Solarwinds et son chef de l'InfoSec ont été accusés de fraude par le gardien financier d'Amérique,Ce qui allègue que le fabricant de logiciels savait que sa sécurité était dans un état pauvre avant l'attaque de la chaîne d'approvisionnement de Sunburst.…
Developer labels action \'unfounded\' after company and CISO slapped with suit for misleading investors SolarWinds and its chief infosec officer have been charged with fraud by America\'s financial watchdog, which alleges the software maker knew its security was in a poor state ahead of the SUNBURST supply chain attack.… |
Solardwinds Solardwinds | ★★★ | |
 |
2023-10-30 21:30:00 | SEC facture à Solarwinds CISO avec une fraude pour les investisseurs trompeurs avant la cyberattaque majeure SEC charges SolarWinds CISO with fraud for misleading investors before major cyberattack (lien direct) |
La Securities and Exchange Commission (SEC) a annoncé lundi soir qu'elle prévoyait de facturer à Solarwinds le responsable de la sécurité de l'information Timothy Brown avec fraude pour son rôle dans le mensonge prétendument aux investisseurs en «surestimant Solarwinds \\ 'Cybersecurity Practices et en dépréciant ou en omettant de divulguer connu connudes risques."La plainte a été déposée dans le district sud de New
The Securities and Exchange Commission (SEC) announced on Monday evening that it plans to charge SolarWinds Chief Information Security Officer Timothy Brown with fraud for his role in allegedly lying to investors by “overstating SolarWinds\' cybersecurity practices and understating or failing to disclose known risks.” The complaint was filed in the Southern District of New |
Solardwinds | ★★★ | |
 |
2023-10-30 17:54:13 | La SEC poursuit Solarwinds pour les investisseurs trompeurs avant 2020 Hack SEC sues SolarWinds for misleading investors before 2020 hack (lien direct) |
La Commission américaine des Securities and Exchange (SEC) a accusé aujourd'hui des solarwind de frauder les investisseurs en dissimulant prétendument les problèmes de défense de la cybersécurité avant une division de piratage de décembre 2020 à l'APT29, la division de piratage du Russian Foreign Intelligence Service (SVR).[...]
The U.S. Securities and Exchange Commission (SEC) today charged SolarWinds with defrauding investors by allegedly concealing cybersecurity defense issues before a December 2020 linked to APT29, the Russian Foreign Intelligence Service (SVR) hacking division. [...] |
Hack | Solardwinds APT 29 | ★★★ |
 |
2023-08-29 10:00:00 | Lutte contre les logiciels malveillants dans la chaîne d'approvisionnement industrielle Battling malware in the industrial supply chain (lien direct) |
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. Here\'s how organizations can eliminate content-based malware in ICS/OT supply chains. As the Industrial Internet of Things (IIoT) landscape expands, ICS and OT networks are more connected than ever to various enterprise systems and cloud services. This new level of connectivity, while offering benefits, also paves the way for targeted and supply chain attacks, making them easier to carry out and broadening their potential effects. A prominent example of supply chain vulnerability is the 2020 SolarWinds Orion breach. In this sophisticated attack: Two distinct types of malware, "Sunburst" and "Supernova," were secretly placed into an authorized software update. Over 17,000 organizations downloaded the update, and the malware managed to evade various security measures. Once activated, the malware connected to an Internet-based command and control (C2) server using what appeared to be a harmless HTTPS connection. The C2 traffic was cleverly hidden using steganography, making detection even more challenging. The threat actors then remotely controlled the malware through their C2, affecting up to 200 organizations. While this incident led to widespread IT infiltration, it did not directly affect OT systems. In contrast, other attacks have had direct impacts on OT. In 2014, a malware known as Havex was hidden in IT product downloads and used to breach IT/OT firewalls, gathering intelligence from OT networks. This demonstrated how a compromised IT product in the supply chain could lead to OT consequences. Similarly, in 2017, the NotPetya malware was concealed in a software update for a widely-used tax program in Ukraine. Though primarily affecting IT networks, the malware caused shutdowns in industrial operations, illustrating how a corrupted element in the supply chain can have far-reaching effects on both IT and OT systems. These real-world incidents emphasize the multifaceted nature of cybersecurity risks within interconnected ICS/OT systems. They serve as a prelude to a deeper exploration of specific challenges and vulnerabilities, including: Malware attacks on ICS/OT: Specific targeting of components can disrupt operations and cause physical damage. Third-party vulnerabilities: Integration of third-party systems within the supply chain can create exploitable weak points. Data integrity issues: Unauthorized data manipulation within ICS/OT systems can lead to faulty decision-making. Access control challenges: Proper identity and access management within complex environments are crucial. Compliance with best practices: Adherence to guidelines such as NIST\'s best practices is essential for resilience. Rising threats in manufacturing: Unique challenges include intellectual property theft and process disruptions. Traditional defenses are proving inadequate, and a multifaceted strategy, including technologies like Content Disarm and Reconstruction (CDR), is required to safeguard these vital systems. Supply chain defense: The power of content disarm and reconstruction Content Disarm and Reconstruction (CDR) is a cutting-edge technology. It operates on a simple, yet powerful premise based on the Zero Trust principle: all files could be malicious. What does CDR do? In the complex cybersecurity landscape, CDR stands as a unique solution, transforming the way we approach file safety. Sanitizes and rebuilds files: By treating every file as potentially harmful, CDR ensures they are safe for use while mainta | Malware Vulnerability Threat Industrial Cloud | NotPetya Wannacry Solardwinds | ★★ |
 |
2023-08-10 16:44:00 | Emerging Attaper Exploit: Microsoft Cross-Renant Synchronisation Emerging Attacker Exploit: Microsoft Cross-Tenant Synchronization (lien direct) |
Les attaquants continuent de cibler les identités Microsoft pour accéder aux applications Microsoft connectées et aux applications SAAS fédérées.De plus, les attaquants continuent de progresser leurs attaques dans ces environnements, non pas en exploitant les vulnérabilités, mais en abusant de la fonctionnalité native de Microsoft pour atteindre leur objectif.Le groupe d'attaquant Nobelium, lié aux attaques de Solarwinds, a été
Attackers continue to target Microsoft identities to gain access to connected Microsoft applications and federated SaaS applications. Additionally, attackers continue to progress their attacks in these environments, not by exploiting vulnerabilities, but by abusing native Microsoft functionality to achieve their objective. The attacker group Nobelium, linked with the SolarWinds attacks, has been |
Cloud | Solardwinds | ★★ |
|
2023-07-10 21:33:00 | Les décideurs doivent affronter l'insécurité du nuage, prévient un nouveau rapport Policymakers must confront cloud insecurity, new report warns (lien direct) |
Les décideurs doivent faire davantage pour affronter la vulnérabilité croissante des infrastructures critiques auxquelles les secteurs des secteurs des secteurs en raison de leur dépendance croissante à l'égard du cloud computing, un nouveau Rapport du Conseil de l'Atlantique Le rapport souligne que le cloud a déjà permis aux «acteurs malveillants» d'espionner les agences gouvernementales, pointant vers le 2020 Sunburst Hack dans lequel les produits cloud, en particulier [Microsoft
Policymakers must do more to confront the increasing vulnerability critical infrastructure sectors face due to their growing reliance on cloud computing, a new Atlantic Council report urges. The report underscores that the cloud has already allowed “malicious actors” to spy on government agencies, pointing to the 2020 Sunburst hack in which cloud products, specifically [Microsoft |
Vulnerability Cloud | Solardwinds | ★★★ |
 |
2023-02-14 12:06:06 | What Will It Take? (lien direct) | What will it take for policy makers to take cybersecurity seriously? Not minimal-change seriously. Not here-and-there seriously. But really seriously. What will it take for policy makers to take cybersecurity seriously enough to enact substantive legislative changes that would address the problems? It's not enough for the average person to be afraid of cyberattacks. They need to know that there are engineering fixes—and that's something we can provide. For decades, I have been waiting for the “big enough” incident that would finally do it. In 2015, Chinese military hackers hacked the Office of Personal Management and made off with the highly personal information of about 22 million Americans who had security clearances. In 2016, the Mirai botnet leveraged millions of Internet-of-Things devices with default admin passwords to launch a denial-of-service attack that disabled major Internet platforms and services in both North America and Europe. In 2017, hackers—years later we learned that it was the Chinese military—hacked the credit bureau Equifax and stole the personal information of 147 million Americans. In recent years, ransomware attacks have knocked hospitals offline, and many articles have been written about Russia inside the U.S. power grid. And last year, the Russian SVR hacked thousands of sensitive networks inside civilian critical infrastructure worldwide in what we're now calling Sunburst (and used to call SolarWinds)... | Ransomware | Equifax Equifax Solardwinds | ★★ |
 |
2023-01-08 10:00:00 | Happy 20th Birthday TaoSecurity Blog (lien direct) |  Happy 20th birthday TaoSecurity Blog, born on 8 January 2003. Thank you BloggerBlogger (now part of Google) has continuously hosted this blog for 20 years, for free. I'd like to thank Blogger and Google for providing this platform for two decades. It's tough to find extant self-hosted security content that was born at the same time, or earlier. Bruce Schneier's Schneier on Security is the main one that comes to mind. If not for the wonderful Internet Archive, many blogs from the early days would be lost.StatisticsIn my 15 year post I included some statistics, so here are a few, current as of the evening of 7 January: I think it's cool to see almost 29 million "all time" views, but that's not the whole story.Here are the so-called "all time" statistics: It turns out that Blogger only started capturing these numbers in January 2011. That means I've had almost 29 million views in the last 12 years. I don't know what happened on 20 April 2022, when I had almost 1.5 million views?Top Ten Posts Since January 2011 |
Ransomware Studies Guideline | Solardwinds | ★★ |
 |
2022-12-14 17:43:30 | Why Managed Threat Hunting Should Top Every CISO\'s Holiday Wish List (lien direct) | With the end of the year fast approaching, many of us are looking forward to a well-deserved break. However, security practitioners and security leaders worldwide are bracing themselves for what has become a peak period for novel and disruptive threats. In 2020, the holiday season was marked by the SUNBURST incident, and in 2021 the […] | Threat Guideline | Solardwinds | ★★ |
|
2022-07-11 10:00:00 | 5 Common blind spots that make you vulnerable to supply chain attacks (lien direct) | This blog was written by an independent guest blogger. Over the past several years, hackers have gone from targeting only companies to also targeting their supply chain. One area of particular vulnerability is company software supply chains, which are becoming an increasingly common method of gaining access to valuable business information. A study by Gartner predicted that by 2025, 45% of companies will have experienced a supply chain attack. Supply chain attacks can come in various ways, whether by malicious code injected into enterprise software or vulnerabilities in software your company uses. To mitigate this risk, companies must learn about the methods used to execute attacks and understand their company’s blind spots. This article will look at 5 recent software supply chain attacks and how third-party partners can pose a security risk to your company. We’ll make recommendations for how to secure your business against supply chain attacks and how you can engage in early detection to respond to threats before they take down your enterprise. What is a software supply chain attack? The CISA or US Cybersecurity and Infrastructure Security Agency defines a software supply chain attack as an attack that “occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software then compromises the customer’s data or system.” A software supply chain includes any company you purchase software from and any open-source software and public repositories from which your developers pull code. It also includes any service organizations that have access to your data. In the aggregate, all of these different suppliers exponentially increase the surface area of a potential attack. Software supply chain attacks are particularly dangerous because the software supply chain acts as an amplifier for hackers. This means that when one vendor is impacted, hackers can potentially reach any of their customers, giving them greater reach than if they attacked a single target corporation. Two primary reasons contribute to the danger, according to CISA: Third-party software products usually require privileged access; They often require frequent communication between the vendor’s own network and the vendor’s software on customer networks. Attackers leverage privileged access and a privileged network access channel as their first point of access. Depending on the level of available access, attackers can easily target many devices and levels of an organization. Some industries, like healthcare, are of particular vulnerability because they possess huge volumes of patient data subject to strict compliance regulations and laws. Five major supply chain attacks In recent memory, software supply chain attacks have gathered increased attention from the public because of how damaging they can be to a company and its reputation. The Log4j vulnerability demonstrated just how vulnerable companies can be to relying on third-party software, for example. Other high-profile attacks like the SolarWinds SUNBURST attack and Kaseya VSA (REvil) attack also provided painful reminders of how damaging supply chain attacks can be. The SolarWinds SUNBURST backdoor On December 13th, 2020, the SUNBURST backdoor was first disclosed. The attack utilized the popular SolarWinds Orion IT monitorin | Ransomware Data Breach Vulnerability Threat Patching | Solardwinds | |
 |
2022-06-29 16:25:00 | SolarWinds creates new software build system in wake of Sunburst attack (lien direct) | SolarWinds became the poster child for attacks on software supply chains last year when a group of threat actors injected malicious code known as Sunburst into the company's software development system. It was subsequently distributed through an upgrade to it Orion product to thousands of government and enterprise customers worldwide.SolarWinds learned from the experience and has introduced new software development practices and technology to strengthen the integrity of its build environment. It includes what SolarWinds says is the first-of-its-kind “parallel build” process, where the software development takes place through multiple highly secure duplicate paths to establish a basis for integrity checks.To read this article in full, please click here | Threat | Solardwinds | |
 |
2022-06-23 05:29:00 | SolarWinds unveils new development model to avoid a repeat of Sunburst (lien direct) | SolarWinds became the poster child for attacks on software supply chains last year when a group of threat actors injected malicious code known as Sunburst into the company's software development system. It was subsequently distributed through an upgrade to it Orion product to thousands of government and enterprise customers worldwide.SolarWinds learned from the experience and has introduced new software development practices and technology to strengthen the integrity of its build environment. It includes what SolarWinds says is the first-of-its-kind “parallel build” process, where the software development takes place through multiple highly secure duplicate paths to establish a basis for integrity checks.To read this article in full, please click here | Solardwinds | ||
|
2022-06-13 11:30:00 | BrandPost: Five Blind Spots That Leave You Open to Supply Chain Vulnerabilities (lien direct) | Software supply chain attacks have received increased attention over the past year with high-profile examples such as the SolarWinds SUNBURST attack, the Kaseya VSA (REvil) attack, or the Log4j vulnerability making headlines and impacting thousands of enterprises. It isn't that a handful of examples happen to make the news: Supply chain attacks are growing more common. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chain.To read this article in full, please click here | Solardwinds | ||
|
2022-06-09 19:00:00 | #RSAC: Lessons Learned From the Solarwinds Sunburst Attack (lien direct) | A panel discussion explained that businesses must transform in order to meet the cyber threats of tomorrow | Threat | Solardwinds | |
|
2022-06-03 08:16:58 | Detecting Poisoned Python Packages: CTX and PHPass (lien direct) | The software supply chain remains a weak link for an attacker to exploit and gain access to an organization. According to a report in 2021, supply chain attacks increased by 650%, and some of the attacks have received a lot of limelight, such as SUNBURST in 2020 and Dependency Confusion in 2021. On May 21, […] | Solardwinds | ||
 |
2022-04-27 09:00:00 | Assemblage de la poupée de nidification russe: UNC2452 a fusionné dans APT29 Assembling the Russian Nesting Doll: UNC2452 Merged into APT29 (lien direct) |
Mandiant a recueilli des preuves suffisantes pour évaluer que l'activité a suivi comme unc2452, le nom de groupe utilisé pour suivre le Solarwinds Compromis en décembre 2020 , est attribuable à APT29. Cette conclusion correspond aux instructions d'attribution précédemment faites par le u.s.Gouvernement que le compromis de la chaîne d'approvisionnement de Solarwinds a été réalisé par APT29, un groupe d'espionnage basé en Russie évalué comme parrainé par le Russian Foreign Intelligence Service (SVR).Notre évaluation est basée sur des données de première main recueillies par Mandiant et est le résultat d'une comparaison et d'une revue approfondies de UNC2452 et de notre | Solardwinds APT 29 APT 29 | ★★★ | |
 |
2022-04-07 11:33:30 | Improving software supply chain security with tamper-proof builds (lien direct) | Posted by Asra Ali and Laurent Simon, Google Open Source Security Team (GOSST)Many of the recent high-profile software attacks that have alarmed open-source users globally were consequences of supply chain integrity vulnerabilities: attackers gained control of a build server to use malicious source files, inject malicious artifacts into a compromised build platform, and bypass trusted builders to upload malicious artifacts. Each of these attacks could have been prevented if there were a way to detect that the delivered artifacts diverged from the expected origin of the software. But until now, generating verifiable information that described where, when, and how software artifacts were produced (information known as provenance) was difficult. This information allows users to trace artifacts verifiably back to the source and develop risk-based policies around what they consume. Currently, provenance generation is not widely supported, and solutions that do exist may require migrating build processes to services like Tekton Chains.This blog post describes a new method of generating non-forgeable provenance using GitHub Actions workflows for isolation and Sigstore's signing tools for authenticity. Using this approach, projects building on GitHub runners can achieve SLSA 3 (the third of four progressive SLSA “levels”), which affirms to consumers that your artifacts are authentic and trustworthy. ProvenanceSLSA ("Supply-chain Levels for Software Artifacts”) is a framework to help improve the integrity of your project throughout its development cycle, allowing consumers to trace the final piece of software you release all the way back to the source. Achieving a high SLSA level helps to improve the trust that your artifacts are what you say they are.This blog post focuses on build provenance, which gives users important information about the build: who performed the release process? Was the build artifact protected against malicious tampering? Source provenance describes how the source code was protected, which we'll cover in future blog posts, so stay tuned.Go prototype to generate non-forgeable build provenanceTo create tamperless evidence of the build and allow consumer verification, you need to:Isolate the provenance generation from the build process;Isolate against maintainers interfering in the workflow;Provide a mechanism to identify the builder during provenance verification.The full isolation described in the first two points allows consumers to trust that the provenance was faithfully recorded; entities that provide this guarantee are called trusted builders.Our Go prototype solves all three challenges. It also includes running the build inside the trusted builder, which provides a strong guarantee that the build achieves SLSA 3's ephemeral and isolated requirement.How does it work?The following steps create the trusted builder that is necessar | Solardwinds | ||
 |
2022-04-05 18:29:26 | How to add a data source to Redash (lien direct) | Redash can create dashboards from various data sources that display charts, pivot tables, cohorts, boxplots, counters, funnels, maps, sankeys, sunbursts and word clouds. Here's how to use it. | Solardwinds | ||
|
2022-01-27 08:00:06 | Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign (lien direct) | StellarParticle is a campaign tracked by CrowdStrike as related to the SUNSPOT implant from the SolarWinds intrusion in December 2020 and associated with COZY BEAR (aka APT29, “The Dukes”). The StellarParticle campaign has continued against multiple organizations, with COZY BEAR using novel tools and techniques to complete their objectives, as identified by CrowdStrike incident responders […] | Solardwinds Solardwinds APT 29 APT 29 | ||
|
2021-12-15 15:00:00 | Un an en revue avec Kevin Mandia A Year in Review with Kevin Mandia (lien direct) |
Avec 2021 presque derrière nous, nous ne pouvions pas penser à une meilleure façon de fermer cette année de podcasts de la sécurité que de provoquer l'individu responsable de la fondation de Mandiant plusIl y a 17 ans, Kevin Mandia.Au-delà de la direction de notre entreprise en tant que PDG depuis 2016, Kevin est simplement un puits de connaissances en cybersécurité, avec une expérience de première ligne datant des années 90 lorsqu'il a servi comme responsable de la sécurité informatique dans la United States Air Force.
Il est difficile de croire, mais cela a été un an depuis que nous avons annoncé le Solarwinds incident .La discussion démarre avec l'hôte de Kevin Luke McNamara
With 2021 nearly behind us, we could think of no better way to close out this year of Eye on Security podcasts than to bring on the individual responsible for founding Mandiant more than 17 years ago, Kevin Mandia. Beyond leading our company as CEO since 2016, Kevin is simply a well of cyber security knowledge, with frontline experience dating back to the 90s when he served as a computer security officer in the United States Air Force. It\'s hard to believe, but it\'s been one year since we announced the SolarWinds incident. The discussion kicks off with Kevin telling host Luke McNamara |
Solardwinds | ★★★ | |
|
2021-12-06 10:00:00 | Activité russe présumée ciblant le gouvernement et les entités commerciales du monde entier Suspected Russian Activity Targeting Government and Business Entities Around the Globe (lien direct) |
Mise à jour (mai 2022): Nous avons fusionné unc2452 avec apt29 .L'activité UNC2452 décrite dans ce post est désormais attribuée à APT29.
comme anniversaire d'un an de la découverte du Chaîne d'approvisionnement Solarwinds Passe de compromis, mandiant reste engagé à être engagé à être engagé à être engagé à engagerSuivre l'un des acteurs les plus difficiles que nous ayons rencontrés.Ces acteurs russes présumés pratiquent la sécurité opérationnelle de premier ordre et les métiers avancés.Cependant, ils sont faillibles et nous continuons à découvrir leur activité et à apprendre de leurs erreurs.En fin de compte, ils restent une menace adaptable et évolutive qui doit être étroitement étudiée par
UPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post is now attributed to APT29. As the one-year anniversary of the discovery of the SolarWinds supply chain compromise passes, Mandiant remains committed to tracking one of the toughest actors we have encountered. These suspected Russian actors practice top-notch operational security and advanced tradecraft. However, they are fallible, and we continue to uncover their activity and learn from their mistakes. Ultimately, they remain an adaptable and evolving threat that must be closely studied by |
Threat | Solardwinds APT 29 | ★★★ |
 |
2021-10-05 18:28:00 | Anomali Cyber Watch: New APT ChamelGang, FoggyWeb, VMWare Vulnerability Exploited and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, FoggyWeb, Google Chrome Bugs, Hydra Malware, NOBELIUM and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Google Just Patched These Two Chrome Zero-day Bugs That Are Under Attack Right Now
(published: October 1, 2021)
Google has warned users of Google Chrome to update to version 94.0.4606.71, due to two new zero-days that are currently being exploited in the wild. This marks the second update in a month due to actively exploited zero-day flaws. The first of these common vulnerabilities and exposures (CVEs), CVE-2021-37975, is a high severity flaw in the V8 JavaScript engine, which has been notoriously difficult to protect and could allow attackers to create malware that is resistant to hardware mitigations.
Analyst Comment: Users and organizations are recommended to regularly check for and apply updates to the software applications they use, especially web browsers that are increasingly used for a variety of tasks. Organizations can leverage the capabilities of Anomali Threatstream to rapidly get information about new CVEs that need to be mitigated through their vulnerability management program.
Tags: CVE-2021-37975, CVE-2021-37976, chrome, zero-day
Hydra Malware Targets Customers of Germany's Second Largest Bank
(published: October 1, 2021)
A new campaign leveraging the Hydra banking trojan has been discovered by researchers. The malware containing an Android application impersonates the legitimate application for Germany's largest bank, Commerzbank. While Hydra has been seen for a number of years, this new campaign incorporates many new features, including abuse of the android accessibility features and permissions which give the application the ability to stay running and hidden with basically full administrator privileges over a victim's phone. It appears to be initially spread via a website that imitates the official Commerzbank website. Once installed it can spread via bulk SMS messages to a user's contacts.
Analyst Comment: Applications, particularly banking applications, should only be installed from trusted and verified sources and reviewed for suspicious permissions they request. Similarly, emails and websites should be verified before using.
Tags: Banking and Finance, EU, Hydra, trojan
New APT ChamelGang Targets Russian Energy, Aviation Orgs
(published: October 1, 2021)
A new Advanced Persistent Threat (APT) group dubbed “ChamelGang” has been identified to be targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server’s ProxyShell and leveraging both new and existing malware to compromise networks. Researchers at Positive Technologies have been tracking the group since March 2017, and have observed that they have attacked targets in 10 countries so far. The group has been able to hi |
Ransomware Malware Tool Vulnerability Threat Guideline | Solardwinds Solardwinds APT 27 | |
 |
2021-09-30 11:07:22 | SAS 2021 Tomiris – Le groupe de hackers à l\'origine de la cyberattaque Sunburst est de nouveau actif (lien direct) | SAS2021 : La porte dérobée Tomiris suggérerait que le groupe de hackers à l'origine de la cyberattaque Sunburst est de nouveau actif. The post SAS 2021 Tomiris – Le groupe de hackers à l'origine de la cyberattaque Sunburst est de nouveau actif first appeared on UnderNews. | Solardwinds Solardwinds | ||
|
2021-09-02 07:30:30 | Autodesk reveals it was targeted by Russian SolarWinds hackers (lien direct) | Autodesk has confirmed that it was also targeted by the Russian state hackers behind the large-scale SolarWinds Orion supply-chain attack, almost nine months after discovering that one of its servers was backdoored with Sunburst malware. [...] | Solardwinds | ||
|
2021-08-12 19:20:18 | This teardrop trailer could be perfect for electric vehicle camping (lien direct) | It has a low-drag shape and a 75 kWh battery, plus DC fast charging. | Solardwinds Solardwinds | ||
|
2021-06-23 12:00:00 | Pouvez-vous prouver que votre prochain cyber-investissement aborde le plus de risques? Can You Prove Your Next Cyber Investment Addresses the Most Risk? (lien direct) |
Une grande majorité (87%) des dirigeants de la sécurité affirment que leurs organisations sont Ne pas suffisamment aborder les cyber-risques , selon l'étude CSO 2020 Les priorités de sécurité .
Ce n'est pas nécessairement surprenant étant donné la sophistication des menaces aujourd'hui.Le paysage des attaques se développe rapidement, avec des attaques à l'état national telles que SolarWinds et hafnium causant des défis pour de nombreux CISO du secteur public et CSOS.
Le gouvernement américain a pris note et vient d'approuver le financement pour améliorer considérablement les capacités fédérales de la cybersécurité des succursales et la capacité du gouvernement fédéral à
A large majority (87%) of security leaders say their organizations are not sufficiently addressing cyber risks, according to the CSO 2020 Security Priorities Study. That\'s not necessarily surprising given the sophistication of threats today. The attack landscape is quickly expanding, with nation-state attacks such as SolarWinds and HAFNIUM causing challenges for many public sector CISOs and CSOs. The U.S. government has taken notice and has just approved the funding to dramatically improve federal executive branch cyber security capabilities and the capacity for the federal government to |
Solardwinds | ★★★ | |
|
2021-06-02 15:00:00 | Anomali Cyber Watch: Attacks Against Israeli Targets, MacOS Zero-Days, Conti Ransomware Targeting US Healthcare and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Agrius, Conti, North Korea, JSWorm, Nobelium, Phishing, Strrat and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New Sophisticated Email-based Attack From NOBELIUM
(published: May 28, 2021)
NOBELIUM, the threat actor behind SolarWinds attacks, has been conducting a widespread email campaign against more than 150 organizations. Using attached HTML files containing JavaScript, the email will write an ISO file to disk; this contains a Cobalt Strike beacon that will activate on completion. Once detonated, the attackers have persistent access to a victims’ system for additional objectives such as data harvesting/exfiltration, monitoring, and lateral movement.
Analyst Comment: Be sure to update and monitor email filter rules constantly. As noted in the report, many organizations managed to block these malicious emails; however, some payloads successfully bypassed cloud security due to incorrect/poorly implemented filter rules.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Spearphishing Attachment - T1193
Tags: Nobelium, SolarWinds, TearDrop, CVE-2021-1879, Government, Military
Evolution of JSWorm Ransomware
(published: May 25, 2021)
JSWorm ransomware was discovered in 2019, and since then different variants have gained notoriety under different names such as Nemty, Nefilim, and Offwhite, among others. It has been used to target multiple industries with the largest concentration in engineering, and others including finance, healthcare, and energy. While the underlying code has been rewritten from C++ to Golang (and back again), along with revolving distribution methods, JSWorm remains a consistent threat.
Analyst Comment: Ransomware threats often affect organisations in two ways. First encrypting operational critical documents and data. In these cases EDR solutions will help to block potential Ransomwares and data backup solutions will help for restoring files in case an attack is successful. Secondly, sensitive customer and business files are exfiltrated and leaked online by ransomware gangs. DLP solutions will help to identify and block potential data exfiltration attempts. Whereas network segregation and encryption of critical data will play an important role in reducing the risk.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Private Keys - T1145 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] BITS Jobs - T1197 |
Ransomware Malware Threat Medical | Solardwinds APT 38 APT 28 | |
|
2021-05-28 11:20:29 | The Misaligned Incentives for Cloud Security (lien direct) | Russia’s Sunburst cyberespionage campaign, discovered late last year, impacted more than 100 large companies and US federal agencies, including the Treasury, Energy, Justice, and Homeland Security departments. A crucial part of the Russians’ success was their ability to move through these organizations by compromising cloud and local network identity systems to then access cloud accounts and pilfer emails and files. Hackers said by the US government to have been working for the Kremlin targeted a widely used Microsoft cloud service that synchronizes user identities. The hackers ... | Solardwinds | ||
 |
2021-05-28 10:56:54 | Microsoft details new sophisticated spear-phishing attacks from NOBELIUM (lien direct) | Microsoft experts uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind SolarWinds hack. Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign conducted by NOBELIUM APT. The NOBELIUM APT is the threat actor that conducted supply chain attack against SolarWinds which involved multiple families of implants, including the SUNBURST […] | Threat | Solardwinds | ★★ |
|
2021-05-26 17:20:00 | Threat Intelligence Platforms Help Organizations Overcome Key Security Hurdles (lien direct) | Dealing with Big Data, Providing Context, Integration, and Fast Understanding of New Threats are Among the Benefits Threat Intelligence Platforms or TIPs Provide When industry analysts survey most security professionals these days, the common consensus is that it’s now harder to manage security operations than ever before. For example, a recent Enterprise Strategy Group (ESG) research study showed that some 63 percent of security pros say that the job is tougher today than it was just two years ago. While there's no doubt that the variety and volume of threats keep on growing by the year, the question is whether or not it’s the complexity of the security problems that have risen precipitously, or whether something else is going on. I'd argue that it's mostly the latter, in that it’s not so much that the complexity has grown tremendously over this time so much as the “awareness” of already latent complexity has become more apparent. As the breadth of technologies and data available to modern cybersecurity organizations continues to proliferate, security strategists are finally getting enough visibility into their environments to start discovering gaps that have existed all along. But knowing where the deficiencies exist doesn’t always equate to being able to address them. These same security folks are also struggling to wrap their arms around what is possible to achieve by using the array of tools in their arsenals and the vast quantities of information available. Years ago in the security world, the common mantra was that security organizations “don't know what they don't know” and this was due to deficiencies in monitoring and threat intelligence capabilities. Nowadays the opposite is true. They're flooded with data and they're starting to get a better sense of what they don't fully know or understand about adversarial activities in their environments. But this dawning self-awareness can be quite nerve-wracking as they ask themselves, “Now that I know, what should I do?” It can be daunting to make that jump from understanding to taking action—this is the process that many organizations struggle with when we talk about “operationalizing” threat intelligence. For security operations, it’s not enough to just know about an adversary via various threat feeds and other sources. To take action, threat intelligence needs to be deployed in real-time so that security tools and personnel can actually leverage it to run investigations, detect the presence of threats in their networks, respond faster, and continuously improve their security architectures. But there are many significant hurdles in running security operations that stand in the way of achieving those goals. This is where a robust threat intelligence platform (TIP) can add significant value to the security ecosystem. TIPs help security operations teams tackle some of the greatest hurdles. Big Data Conundrum with Threat Intelligence Platforms The first challenge is that the sheer volume of threat intelligence made available to security teams has become a big data problem, one that can't be solved by just filtering out the feeds that are in use, which would defeat the purpose of acquiring varied and relevant feeds in the first place. Organizations don't want to ingest millions or billions of evolving threat indicators into their security information and event manager (SIEM), which would be cost-prohibitive but also lead to the creation of unmanageable levels of false positives. This is where Anomali comes in, with a TIP doing the work on the front end, interesting and pre-curated threat “matches” can be integrated directly into your SIEM. These matches prese | Tool Threat Guideline | Solardwinds Solardwinds | |
|
2021-05-15 12:20:41 | RSAC insights: Deploying SOAR, XDR along with better threat intel stiffens network defense (lien direct) | Much attention has been paid to the widespread failure to detect the insidious Sunburst malware that the SolarWinds hackers managed to slip deep inside the best-defended networks on the planet. Related: The undermining of the global supply chain But there's … (more…) | Malware Threat | Solardwinds Solardwinds | |
|
2021-04-16 11:15:00 | The Secret IR Insider\'s Diary – from Sunburst to DarkSide (lien direct) | Much attention has been paid to the widespread failure to detect the insidious Sunburst malware that the SolarWinds hackers managed to slip deep inside the best-defended networks on the planet. Related: The undermining of the global supply chain But there's … (more…) | Solardwinds Solardwinds | ||
|
2021-04-13 04:04:13 | Detecting the "Next" SolarWinds-Style Cyber Attack (lien direct) | The SolarWinds attack, which succeeded by utilizing the sunburst malware, shocked the cyber-security industry. This attack achieved persistence and was able to evade internal systems long enough to gain access to the source code of the victim.
Because of the far-reaching SolarWinds deployments, the perpetrators were also able to infiltrate many other organizations, looking for intellectual |
Solardwinds Solardwinds | ||
|
2021-03-16 12:53:25 | (Déjà vu) Mimecast: SolarWinds hackers stole some of our source code (lien direct) | Email security company Mimecast has confirmed today that the state-sponsored SolarWinds hackers who breached its network earlier this year used the Sunburst backdoor during the initial intrusion. [...] | Solardwinds Solardwinds | ||
|
2021-03-16 12:53:25 | Mimecast: SolarWinds hackers used Sunburst malware for initial intrusion (lien direct) | Email security company Mimecast has confirmed today that the state-sponsored SolarWinds hackers who breached its network earlier this year used the Sunburst backdoor during the initial intrusion. [...] | Malware | Solardwinds Solardwinds | |
|
2021-03-09 02:42:07 | Cybersecurity Webinar - SolarWinds Sunburst: The Big Picture (lien direct) | The SolarWinds Sunburst attack has been in the headlines since it was first discovered in December 2020.
As the so-called layers of the onion are peeled back, additional information regarding how the vulnerability was exploited, who was behind the attack, who is to blame for the attack, and the long-term ramifications of this type of supply chain vulnerabilities continue to be actively |
Vulnerability | Solardwinds Solardwinds | |
|
2021-03-02 14:59:00 | Anomali February Product Release: Moving Beyond Tactical Intelligence (lien direct) | We are happy to announce the Anomali Product Release for February 2021. For our product and engineering teams to deliver this latest set of features and enhancements, they worked closely with our customers with a particular eye to supporting security teams in their further move beyond a reliance on tactical, technical intelligence to a holistic, threat-model-driven approach by allowing them to work with threat models like the MITRE ATT&CK framework inside Anomali ThreatStream easily and productively. A further highlight directed at augmenting collaboration across teams and with external peers, leveraging our popular Trusted Circles capabilities, is the advent of full-featured chat within the Anomali ThreatStream threat intelligence platform, while maintaining privacy controls.
Enhancements in this latest release include:
MITRE ATT&CK Framework Integration
As a follow-up to the recent release of support for MITRE ATT&CK framework techniques, we’ve added the ability to import content from the MITRE ATT&CK Navigator tool and store your framework capabilities inside ThreatStream. Users can use the MITRE capability in ThreatStream's Investigations feature to help prioritize investigative activity and decision-making, making security teams more efficient and responsive.
Advanced Search Functionality for Threat Models
This month we’ve extended advanced search to Threat Model content in ThreatStream - providing the same flexibility and features for finding and refining content in our platform as for observable content. Users can now create advanced search queries with conditions and operators, and some additional capabilities specific to our Threat Model content, to find relevant intelligence quickly, as well as save their complex searches for future use at a click.
Collaboration via Full-Featured ThreatStream Chat
Customers now have the benefit of real-time, protected communication within ThreatStream for their internal teams and with Trusted Circle collaborators via the use of a full-featured chat client. With this built-in chat functionality, analysts can communicate and share tactical information as well as more strategic aspects of analysis and response quickly and easily with colleagues and peers at organizations that are members of common Trusted Circles--from inside the ThreatStream platform, where it can be easily shared and investigated. Most importantly, the collaboration remains anonymized and privacy is ensured.
Clone Custom Themed Dashboards
Extending the custom themed dashboards developed by the Anomali Threat Research (ATR) team and released in December, we are now offering the ability to not only access a custom themed dashboard (for COVID, Sunburst or other specific themes), but also to clone (or create a copy) of that dashboard, which you can now further customize or tailor to your specific needs and preferences. Once a dashboard is cloned a user can change, for a given widget, the saved query upon which the widget is based, as well as add their own custom widgets.
Intelligence Enrichment Inside of Investigations
We continue to refine the display of critical information to the user at the appropriate point of their research in order to ensure analysts have the right intelligence |
Tool Threat | Solardwinds Solardwinds | |
|
2021-02-26 17:36:35 | (Déjà vu) Microsoft releases open-source CodeQL queries to assess Solorigate compromise (lien direct) | Microsoft announced the release of open-source CodeQL queries that it experts used during its investigation into the SolarWinds supply-chain attack Microsoft has announced the availability of open-source CodeQL queries that the IT giant used during its investigation into the SolarWinds attack. In early 2021, the US agencies FBI, CISA, ODNI, and the NSA released a joint […] | Solardwinds Solardwinds | ||
 |
2021-02-26 13:42:41 | Microsoft Releases Open Source Resources for Solorigate Threat Hunting (lien direct) | Microsoft on Thursday announced the open source availability of CodeQL queries that it used during its investigation into the SolarWinds attack. | Threat | Solardwinds Solardwinds | |
 |
2021-02-19 14:11:33 | Microsoft: SolarWinds Attackers Downloaded Azure, Exchange Code (lien direct) | However, internal products and systems were not leveraged to attack others during the massive supply-chain incident, the tech giant said upon completion of its Solorigate investigation. | Solardwinds Solardwinds | ||
 |
2021-02-18 16:00:00 | Microsoft Internal Solorigate Investigation – Final Update (lien direct) | We believe the Solorigate incident is an opportunity to work with the community, to share information, strengthen defenses and respond to attacks. We have now completed our internal investigation into the activity of the actor and want to share our findings, which confirm that we found no evidence of access to production services or customer … Microsoft Internal Solorigate Investigation – Final Update Read More " | Solardwinds Solardwinds | ||
 |
2021-02-05 18:52:59 | 6 Best Practices for SecOps in the Wake of the Sunburst Threat Campaign (lien direct) | 
1. Attackers have a plan, with clear objectives and outcomes in mind. Do you have one? Clearly this was a motivated and patient adversary. They spent many months in the planning and execution of an attack that was not incredibly sophisticated in its tactics, but rather used multiple semi-novel attack methods combined with persistent, stealthy […]
|
Threat | Solardwinds Solardwinds | |
|
2021-02-04 17:20:56 | SOCwise Series: Practical Considerations on SUNBURST (lien direct) | 
This blog is part of our SOCwise series where we’ll be digging into all things related to SecOps from a practitioner’s point of view, helping us enable defenders to both build context and confidence in what they do. Although there's been a lot of chatter about supply chain attacks, we're going to bring you a slightly different […]
|
Solardwinds Solardwinds | ★★ | |
|
2021-02-03 12:46:59 | SolarWinds Sunburst, la plus grande cyberattaque de l\'histoire ciblant la supply chain de l\'industrie du logiciel (lien direct) | Ces dernières semaines, l'une des plus grandes attaques lancées contre la supply chain de l'industrie du logiciel a fait les gros titres. Il s'agit d'un véritable assaut dirigé contre un grand nombre d'entreprises publiques et privées, ayant frappé environ 18 000 victimes à travers le monde. Elle s'est ensuite concentrée sur des cibles plus réputées telles que Microsoft, FireEye ainsi que de nombreuses administrations. C'est là un rappel de la nécessité pour l'industrie du logiciel d'en faire davantage. The post SolarWinds Sunburst, la plus grande cyberattaque de l'histoire ciblant la supply chain de l'industrie du logiciel first appeared on UnderNews. | Solardwinds | ||
|
2021-02-03 12:10:45 | More SolarWinds News (lien direct) | Microsoft analyzed details of the SolarWinds attack: Microsoft and FireEye only detected the Sunburst or Solorigate malware in December, but Crowdstrike reported this month that another related piece of malware, Sunspot, was deployed in September 2019, at the time hackers breached SolarWinds’ internal network. Other related malware includes Teardrop aka Raindrop. Details are in the Microsoft blog: We have published our in-depth analysis of the Solorigate backdoor malware (also referred to as SUNBURST by FireEye), the compromised DLL that was deployed on networks as part of SolarWinds products, that allowed attackers to gain backdoor access to affected devices. We have also detailed the ... | Malware | Solardwinds |
To see everything:
Our RSS (filtrered)
