What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
DarkReading.webp 2016-09-22 23:15:53 (Déjà vu) DarkReading: Yahoo Reveals Nation State-Borne Data Breach Affecting A Half-Billion Users http://ubm.io/2d0Aju4 (direct link) Yahoo
DarkReading.webp 2016-09-22 23:03:08 DarkReading: Yahoo Reveals Nation State-Borne Data Breach Affecting A Half-Billion Users http://ubm.io/2d7R1wr #yahoo (direct link) Yahoo
SC_Mag.webp 2016-09-22 22:26:10 (Déjà vu) State-sponsored actors suspected in historic Yahoo breach; at least 500 million accounts affected (direct link) On the cusp of a $4.8 billion acquisition by Verizon, Yahoo today disclosed a data breach in which a state-sponsored actor is believed to have stolen a copy of data linked to at least 500 million accounts. Yahoo
The_State_of_Security.webp 2016-09-22 21:21:09 Yahoo Says 500M Users' Account Info Stolen by State-Sponsored Actor (direct link) Yahoo says a state-sponsored actor stole the account information for at least 500 million of its users in a breach that occurred back in late 2014. On 22 September, Yahoo CISO Bob Lord confirmed that the hack might have compromised several pieces of its users' account information: "We have confirmed that a copy of certain user […] Yahoo
ArsTechnica.webp 2016-09-22 20:21:43 Yahoo says half a billion accounts breached by nation-sponsored hackers (direct link) One of the biggest compromises ever exposes names, e-mail addresses, and much more. Yahoo
Kaspersky.webp 2016-09-22 19:47:01 500 Million Yahoo Accounts Stolen By State-Sponsored Hackers (direct link) Yahoo confirmed that in 2014 state-sponsored hackers stole information associated with 500 million accounts from its network. Yahoo
TechRepublic.webp 2016-09-22 19:40:04 Yahoo confirms 500M accounts leaked in massive data breach (direct link) Yahoo recently confirmed that a suspected breach in 2014 affected hundreds of millions of users, and was believed to be carried out by a 'state-sponsored actor.' Yahoo
NetworkWorld.webp 2016-09-22 19:39:15 Yahoo uncovered breach after probing a black market sale (direct link) A hacker's attempt to sell user data he claimed was stolen from Yahoo actually led the company to uncover a far more severe breach. Yahoo confirmed Thursday a data breach which affects at least 500 million users, but it could be unrelated to the black market sale of alleged Yahoo accounts, according to a source familiar with the matter. The information comes even as security experts have been questioning why Yahoo took so long to warn the public when it was known that a hacker was claiming to be selling the data online around early August. Yahoo
SecurityWeek.webp 2016-09-22 19:08:03 Yahoo Confirms Massive Data Breach of 500 Million Accounts (direct link) Following rumors that an announcement was soon to come, Yahoo! said Thursday that hackers managed to access data from at least 500 million user accounts in a cyberattack dating back to 2014. Yahoo
grahamcluley.webp 2016-09-22 19:01:25 Yahoo confirms: at least 500 million accounts hacked in 2014 data breach (direct link) Yahoo CISO Bob Lord writes: We have confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network. My advice? Reset your Yahoo password. Make it a strong, complex password - and make sure that you are not using the same password anywhere else on the net. If you were using the same password in multiple places, you need to get out of that habit right now. Reusing passwords is a disaster waiting to happen, and could allow hackers to crack open other accounts using the same credentials. Invest in a decent password manager program to generate random, hard-to-crack passwords, store them securely and remember them for you. If you haven't already done so, enable two-step verification on your Yahoo account. Watch out for phishing emails that pretend to come from Yahoo. More as this news develops. Yahoo
bleepingcomputer.webp 2016-09-22 17:57:04 Yahoo hit with a Massive 500 Million Account Data Breach (direct link) In what could be the largest data breach in history, Yahoo announced today that attackers infiltrated their servers and walked away with account information for at least 500 million users. This stolen information may include names, email addresses, telephone numbers, encrypted passwords, and more. [...] Yahoo
NetworkWorld.webp 2016-09-22 17:33:46 Hackers have a treasure trove of data with the Yahoo breach (direct link) The massive breach at Yahoo means that a treasure trove of stolen data is in the hands of hackers -- putting millions of internet users at risk. At least half a billion Yahoo accounts have been affected in one of the biggest data breaches in history. Information including names, email addresses, telephone numbers and hashed passwords may have been stolen. Yahoo has blamed the attack on a "state-sponsored actor," but it's far from clear who hacked the internet company and how the culprits pulled off the attack. Blaming it on a state-sponsored actor, however, indicates that Yahoo may have found evidence that the hackers were targeting the company over a long period of time, said Vitali Kremez, a cybercrime analyst at security firm Flashpoint. Yahoo
DarkReading.webp 2016-09-22 16:40:00 Yahoo Reveals Nation State-Borne Data Breach Affecting A Half-Billion Users (direct link) But still unconfirmed is whether the newly revealed attack is related to recently dumped Yahoo user credentials in an online cybercrime forum. Yahoo
Kaspersky.webp 2016-09-22 16:31:27 Yahoo Reportedly to Confirm Breach of Hundreds of Millions of Credentials (direct link) Yahoo is expected to confirm a data breach that exposed hundreds of millions of credentials dating back to 2012. Yahoo
WiredThreatLevel.webp 2016-09-22 16:15:44 Hack Brief: Yahoo Looks Set to Confirm a Big, Old Data Breach (direct link) The company is reportedly about to admit that a four-year-old collection of 200 million user accounts up for sale on the dark web is real, stolen data. Yahoo
ArsTechnica.webp 2016-09-22 15:42:11 Purported data from 200 million Yahoo accounts may be legit (direct link) Supposedly hacked data surfaced on an underground website for sale in August. Yahoo
NetworkWorld.webp 2016-09-22 13:36:47 The massive Yahoo hack ranks as the world's biggest -- so far (direct link) When Yahoo said on Thursday that data from at least 500 million user accounts had been hacked, it wasn't just admitting to a huge failing in data security -- it was admitting to the biggest hack the world has ever seen. Until Thursday, the previous largest known hack was the 2008 breach that hit almost 360 million MySpace accounts, according to a ranking by the "Have I been pwned" website. Like the Yahoo breach, that hack was only publicly disclosed this year, after the data was offered on a hacker forum. Only three breaches had ranked above the 100 million level: LinkedIn reported a loss of 167 million email addresses and passwords. They were originally stolen in 2012 but not publicly disclosed until 2016, again after the data was offered on an underground "dark market" site. Yahoo
NetworkWorld.webp 2016-09-22 12:16:27 Yahoo data breach affects at least 500 million users (direct link) A massive breach at Yahoo compromised account details from at least 500 million users, and the company is blaming the attack on state-sponsored hackers. Names, email addresses, telephone numbers, and hashed passwords may have been stolen as part of the hack, which occurred in late 2014, Yahoo said. The company reported the breach on Thursday, after a stolen database from the company went on sale on the black market last month. However, the hacker behind the sale claimed that the stolen database involved only 200 million users and was likely obtained in 2012. Yahoo
AnonyOps.webp 2016-09-22 08:46:25 Joseph Cox: Original report here: Yahoo said, "We are committed to protecting the security of our users' information" https://motherboard.vice.com/read/yahoo-supposed-data-breach-200-million-credentials-dark-web … (direct link) Yahoo
AnonyOps.webp 2016-09-22 08:41:24 Joseph Cox: Might have been better to warn users, reset passwords, back when we contacted Yahoo in, you know, July? http://www.recode.net/2016/9/22/13012836/yahoo-is-expected-to-confirm-massive-data-breach-impacting-hundreds-of-millions-of-users … (direct link) Yahoo
grahamcluley.webp 2016-09-22 08:24:29 Yahoo 'expected to confirm massive data breach', says Recode (direct link) As Yahoo poises to sell up to Verizon, it may have some bad news to share. Recode reports that "several hundred million" account credentials may have been impacted by a data breach. Yahoo
NetworkWorld.webp 2016-09-22 08:03:00 Yahoo reportedly to confirm massive data breach (direct link) Following reports that Yahoo will confirm a data breach that affects hundreds of millions of accounts, some users reported Thursday on Twitter and elsewhere that they were prompted to change their email password when trying to log in. Yahoo launched an investigation into a possible breach in early August after someone offered to sell a data dump of over 200 million Yahoo accounts on an underground market, including usernames, easy-to-crack password hashes, dates of birth and backup email addresses. The company has since determined that the breach is real and that it's even worse than initially believed, news website Recode reported Thursday, citing unnamed sources familiar with the investigation. Yahoo
DarkReading.webp 2016-09-14 09:10:00 Google, Facebook, Twitter, Petition Congress To Support ICANN Transition (direct link) Google, Facebook, Twitter, Yahoo and other tech companies urge Congress not to oppose the scheduled October 1 transfer of Internet control to the global community. Yahoo
NetworkWorld.webp 2016-09-07 14:48:00 Election exploits: What you need to know [infographic] (direct link) In late August, an FBI alert warning state election officials about an attack on voter registration databases in Illinois and Arizona was leaked and posted in a report on Yahoo News. 'According to the FBI's alert, 'an unknown actor' attacked a state election database by using widely available penetration testing tools, including Acunetix, SQLMap, and DirBuster,' wrote Michael Kan. 'The hackers then found an SQL injection vulnerability -- a common attack point in websites -- and exploited it to steal the data. The FBI has traced the attacks to eight IP addresses, which appear to be hosted by companies based in Bulgaria, the Netherlands, and Russia.' Yahoo
ArsTechnica.webp 2016-09-06 13:46:12 98 million passwords from 2012 breach of "Russia's Yahoo" Rambler.ru leaked (direct link) News and e-mail portal used no encryption to protect passwords (at least before the breach). Yahoo
The_State_of_Security.webp 2016-09-06 11:33:18 Mega Breach Strikes Rambler.ru with Leak of Nearly 100M User Records (direct link) Russian e-mail service provider Rambler.ru suffered a mega breach when someone leaked close to 100 million of its users' login credentials online. Data breach monitoring service LeakedSource said the 98,167,935 leaked credentials are real, information which someone allegedly stole in a hack against the "Russian version of Yahoo" during a security incident that occurred on 17 […] Yahoo
The_Hackers_News.webp 2016-09-06 00:28:22 Russia's Largest Portal HACKED; Nearly 100 Million Plaintext Passwords Leaked (direct link) Another data breach from 2012, and this time it's Russia's biggest internet portal and email provider, Rambler.ru. Rambler.ru, also known as Russia's Yahoo, suffered a massive data breach in 2012 in which an unknown hacker or group of hackers managed to steal nearly 100 million user accounts, including their unencrypted plaintext passwords. The copy of the hacked database Yahoo
NakedSecurity.webp 2016-09-01 12:46:53 Yahoo email privacy lawsuit settled (direct link) Yahoo can no longer intercept your emails in transit but can still analyze them after they hit your inbox. Yahoo
Korben.webp 2016-08-30 08:00:37 Canary – A next-generation mail client for OSX (direct link) I'm always on the lookout for the perfect mail client, and here is the newcomer for OSX that I just came across. Its name: Canary. It lets you easily set up an iCloud, Yahoo, Outlook, Office 365, Exchange (IMAP), FastMail, Zoho, Yandex or IMAP account and offers interesting features such as: Pixel > Read more. This wonderful and unrivalled article, entitled Canary – A next-generation mail client for OSX, was published on Korben, the only site that loves you more than your parents do. Yahoo
DarkReading.webp 2016-08-29 13:20:00 Report: Hackers Breach Two State Election Databases, FBI Warns (direct link) The FBI's need-to-know-only advisory doesn't specify, but Yahoo News' sources say it refers to 'suspected foreign hackers' targeting voter registration databases in Arizona and Illinois. Yahoo
NetworkWorld.webp 2016-08-29 10:36:10 FBI warns that hackers are targeting state election systems (direct link) The FBI has reportedly found evidence that foreign hackers breached two state election databases in recent weeks. An FBI alert warning election officials about the breach was leaked, and it was posted in a report by Yahoo News on Monday. Voter registration databases from both Illinois and Arizona were targeted in the hacks, according to the report. In the Illinois case, personal data on 200,000 voters was stolen. In July, an official with the state's board of elections warned on Facebook that the voting system had fallen to a cyberattack, forcing a shutdown. Yahoo
Chercheur.webp 2016-08-24 16:13:46 United Airlines Sets Minimum Bar on Security (direct link) United Airlines has rolled out a series of updates to its Web site that the company claims will help beef up the security of customer accounts. But at first glance, the core changes -- moving from a 4-digit PIN to a password and requiring customers to pick five different security questions and answers -- may seem like a security playbook copied from Yahoo.com, circa 2009. Here's a closer look at what's changed in how United authenticates customers, and hopefully a bit of insight into what the nation's fourth-largest airline is trying to accomplish with its new system. Yahoo
Pirate.webp 2016-08-03 14:03:50 200 million Yahoo credentials for sale for 3 bitcoins (direct link) It had been a while since the cybercriminal "Peace of Mind" had made news online. That changed with the publication of a listing on the black market putting more than 200 million Yahoo credentials up for sale at a price of 3 BTC. Yahoo
ArsTechnica.webp 2016-08-03 13:00:23 Yahoo investigating claimed breach and data dump of 200 million users (direct link) Black hat hacker is selling the dump on the dark Web; Yahoo won't confirm or deny it. Yahoo
SecurityWeek.webp 2016-08-02 17:10:04 Hacker Selling Credentials of 200 Million Yahoo Users (direct link) A hacker claims to possess 200 million Yahoo user accounts and is offering to sell the information on a dark web cybercrime marketplace for a few bitcoins. Yahoo
Kaspersky.webp 2016-08-02 16:51:25 Yahoo Investigates 200 Million Alleged Accounts For Sale On Dark Web (direct link) Yahoo says that it is investigating an alleged massive breach of its users' credentials, which are available for sale online. Yahoo
ESET.webp 2016-08-02 16:37:31 Yahoo looks into major data breach claims (direct link) Yahoo is looking into claims that it has become the latest high-profile victim of a major data breach. It is thought up to 200 million accounts are affected. Yahoo
Kaspersky.webp 2016-07-26 21:26:33 Yahoo Ordered to Explain Data Gathering Procedures in Deleted Email Case (direct link) Yahoo has been given until August 31 to comply with a court order asking how the company was able to recover emails that were thought to be deleted. Yahoo
NakedSecurity.webp 2016-07-26 10:45:00 Yahoo ordered to show how it recovered 'deleted' emails in drug case (direct link) In spite of what its own policy says, Yahoo managed to hand over 6 months of messages that conspirators in a drug trafficking case thought had been deleted. Yahoo
ArsTechnica.webp 2016-07-25 19:43:40 New evidence suggests DNC hackers penetrated deeper than previously thought (direct link) Consultant's Yahoo Mail suspected of being targeted by state-sponsored hackers. Yahoo
ZDNet.webp 2016-07-18 19:30:00 Meet the hacker who tries to break Yahoo every day (direct link) No matter how strong a company's defenses, the red team should "always win." Yahoo
silicon.fr.webp 2016-06-08 16:28:10 Telegrams: Cisco eyes Nutanix; Nuxeo raises $10 million; SFR enters videoconferencing; Yahoo sells its patents (direct link) Unlike Maria Sharapova, the evening telegrams don't need doping to stay on form. Yahoo
silicon.fr.webp 2016-06-07 16:26:00 Telegrams: IBM flies with Emirates; Microsoft adopts Spark; Verizon eyes Yahoo; Office 365 organises your projects (direct link) Railway workers extending their strike? We're extending our telex roundup, so you miss none of the day's IT news. Yahoo
Kaspersky.webp 2016-06-01 17:29:49 Yahoo Discloses Contents of Three National Security Letters (direct link) Yahoo today disclosed the contents of three National Security Letters it received in 2013 and 2015, becoming the first company to do so under the reforms afforded by the USA FREEDOM Act. Yahoo
SC_Mag.webp 2016-05-12 17:00:00 Fearing ransomware, House bans Google-hosted apps, Yahoo Mail (direct link) Concern about hacking prompted the U.S. House of Representatives to block lawmakers from accessing software apps residing on a Google cloud service. Yahoo
Kaspersky.webp 2016-05-10 11:00:51 Yahoo Releases Second Wave of Unsealed FISC Documents (direct link) Yahoo releases a second wave of unsealed documents tied to its battle with the secret Foreign Intelligence Surveillance Court. Yahoo
SANS.webp 2016-04-26 17:57:41 An Introduction to Mac memory forensics, (Tue, Apr 26th) (direct link) Unfortunately, when it comes to memory forensics, the Mac environment does not have the luxury we have in the Windows environment. The first step of memory forensics is capturing the memory; while on Windows we have many tools to achieve this, on Mac we have very few options. OSXPmem is the only available option for memory capture that supports El Capitan: https://github.com/google/rekall/releases/download/v1.3.2/osxpmem_2.0.1.zip

Load the MacPmem kernel extension (it must be owned by root:wheel before kextload will accept it) and capture memory, uncompressed, to mem.dump:

    cd osxpmem.app/
    chown -R root:wheel MacPmem.kext/
    kextload MacPmem.kext/
    ./osxpmem -c none -o mem.dump

The next step is to run bulk_extractor over the dump:

    bulk_extractor -o bulkdir/ mem.dump

The feature files it produced, largest first:

    ls -lS bulkdir/
    total 1520
    -rw-r--r-- 1 root staff 398534 Apr 26 15:49 zip.txt
    -rw-r--r-- 1 root staff 202338 Apr 26 15:49 url.txt
    -rw-r--r-- 1 root staff 104701 Apr 26 15:49 domain.txt
    -rw-r--r-- 1 root staff  32010 Apr 26 15:49 report.xml
    -rw-r--r-- 1 root staff   1680 Apr 26 15:49 exif.txt
    -rw-r--r-- 1 root staff   1030 Apr 26 15:49 url_histogram.txt
    -rw-r--r-- 1 root staff    878 Apr 26 15:49 rfc822.txt
    -rw-r--r-- 1 root staff    493 Apr 26 15:49 email.txt
    -rw-r--r-- 1 root staff    427 Apr 26 15:49 domain_histogram.txt
    -rw-r--r-- 1 root staff    350 Apr 26 15:49 url_services.txt
    -rw-r--r-- 1 root staff    205 Apr 26 15:49 email_histogram.txt
    -rw-r--r-- 1 root staff    191 Apr 26 15:49 email_domain_histogram.txt
    -rw-r--r-- 1 root staff      0 Apr 26 15:48 aes_keys.txt
    -rw-r--r-- 1 root staff      0 Apr 26 15:48 alerts.txt

Now the domain histogram (domain_histogram.txt):

    # BANNER FILE NOT PROVIDED (-b option)
    # BULK_EXTRACTOR-Version: 1.5.0 ($Rev: 10844 $)
    # Feature-Recorder: domain
    # Filename: mem.dump
    # Histogram-File-Version: 1.1
    n=821 www.apple.com
    n=218 crl.apple.com
    n=4 www.iec.ch
    n=4 www.w3.org
    n=3 3.2.1.3
    n=2 aff4.org
    n=2 bugreporter.apple.com
    n=2 lists.sourceforge.net
    n=2 schemas.xmlsoap.org
    n=2 support.apple.com
    n=2 www.ietf.org
    n=1 2.0.2.3
    n=1 4.2.6.1
    n=1 6.4.0.7
    n=1 tempuri.org

The email-domain histogram shows which mail accounts the machine was handling:

    n=12633 @yahoo.com
    n=6135 @isc.sans.edu
    n=4820 @imap.mail.yahoo.com
    n=4544 @lists.sans.org
    n=3255 @sans.edu
    n=2563 @sans.org
    n=2546 @incidents.org
    n=2253 @gmail.com
    n=1319 @isc.sans.org
    n=866 @mail.gmail.com
    n=811 @web1d.den.giac.net

bulk_extractor also carves IP headers out of memory, reporting for each one the offset in the dump, the address, whether it was the source or destination of the packet, and whether the header checksum validated:

    720717488 192.168.1.3 struct ip L (src) cksum-ok
    720717488 192.168.1.5 struct ip R (dst) cksum-ok
    720719296 192.168.1.3 struct ip L (src) cksum-ok
    720719296 192.168.1.5 struct ip R (dst) cksum-ok
    720719536 192.168.1.3 struct ip L (src) cksum-ok
    720719536 192.168.1.5 struct ip R (dst) cksum-ok
    720720304 192.168.1.3 struct ip L (src) cksum-ok
    720720304 192.168.1.5 struct ip R (dst) cksum-ok
    720721832 192.168.1.3 struct ip L (src) cksum-ok
    720721832 192.168.1.5 struct ip R (dst) cksum-ok
    720722352 192.168.1.3 struct ip L (src) cksum-ok
    720722352 192.168.1.5 struct ip R (dst) cksum-ok
    720723112 192.168.1.3 struct ip L (src) cksum-ok
    720723112 192.168.1.5 struct ip R (dst) cksum-ok
    720727976 192.168.1.3 struct ip L (src) cksum-ok
    720727976 192.168.1.5 struct ip R (dst) cksum-ok

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Yahoo
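Added example (not part of the ISC diary above): a small parser for the two bulk_extractor outputs the diary shows, the "n=<count> <value>" histogram files and the carved IP-header records. The sample inputs are trimmed copies of the diary's listings; the domain_share and pair_flows helpers are my own way of turning those listings into questions an analyst asks (what share of the traffic belongs to one domain, which address pairs were actually talking), not functions of bulk_extractor itself.

```python
"""Parse bulk_extractor histogram files and carved IP-header records like
those in the Mac memory-forensics diary. Added example, not ISC code; the
sample inputs below are trimmed copies of the diary's listings."""
import re
from collections import Counter

# Histogram lines look like "n=821 www.apple.com"; '#' lines are the header.
HIST_RE = re.compile(r"^n=(\d+)\s+(\S+)")
# Carved headers: "<offset> <ipv4> struct ip <L|R> (<src|dst>) cksum-<ok|bad>".
IP_RE = re.compile(
    r"^(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+struct ip\s+[LR]\s+\((src|dst)\)\s+(cksum-\w+)$"
)

DOMAIN_HISTOGRAM = """\
# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.5.0 ($Rev: 10844 $)
# Feature-Recorder: domain
# Filename: mem.dump
# Histogram-File-Version: 1.1
n=821 www.apple.com
n=218 crl.apple.com
n=4 www.iec.ch
n=4 www.w3.org
n=3 3.2.1.3
n=2 aff4.org
n=1 tempuri.org
"""

EMAIL_DOMAIN_HISTOGRAM = """\
n=12633 @yahoo.com
n=6135 @isc.sans.edu
n=4820 @imap.mail.yahoo.com
n=2253 @gmail.com
"""

IP_RECORDS = """\
720717488 192.168.1.3 struct ip L (src) cksum-ok
720717488 192.168.1.5 struct ip R (dst) cksum-ok
720719296 192.168.1.3 struct ip L (src) cksum-ok
720719296 192.168.1.5 struct ip R (dst) cksum-ok
"""


def parse_histogram(text: str) -> list[tuple[int, str]]:
    """Return (count, value) pairs in file order, skipping the '#' header."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HIST_RE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2)))
    return out


def domain_share(hist: list[tuple[int, str]], suffix: str) -> float:
    """Fraction of all hits whose value is `suffix` or one of its subdomains.
    A leading '@' (email-domain histograms) is ignored."""
    total = sum(n for n, _ in hist)
    if total == 0:
        return 0.0

    def under(value: str) -> bool:
        v = value.lstrip("@")
        return v == suffix or v.endswith("." + suffix)

    return sum(n for n, v in hist if under(v)) / total


def parse_ip_records(text: str) -> list[dict]:
    """One dict per carved header half: offset, ip, role (src/dst), cksum."""
    recs = []
    for line in text.splitlines():
        m = IP_RE.match(line.strip())
        if m:
            recs.append({"offset": int(m.group(1)), "ip": m.group(2),
                         "role": m.group(3), "cksum": m.group(4)})
    return recs


def pair_flows(records: list[dict]) -> Counter:
    """The src and dst halves of one carved header share an offset; pair them
    and count (src, dst) tuples whose checksum validated, so a corrupt or
    partially overwritten header does not turn into a phantom conversation."""
    halves: dict[int, dict[str, dict]] = {}
    for r in records:
        halves.setdefault(r["offset"], {})[r["role"]] = r
    flows: Counter = Counter()
    for pair in halves.values():
        if "src" in pair and "dst" in pair and all(
            p["cksum"] == "cksum-ok" for p in pair.values()
        ):
            flows[(pair["src"]["ip"], pair["dst"]["ip"])] += 1
    return flows


if __name__ == "__main__":
    dom = parse_histogram(DOMAIN_HISTOGRAM)
    print(f"apple.com share of domain hits: {domain_share(dom, 'apple.com'):.1%}")
    mail = parse_histogram(EMAIL_DOMAIN_HISTOGRAM)
    print(f"yahoo.com share of email hits:  {domain_share(mail, 'yahoo.com'):.1%}")
    for (src, dst), n in pair_flows(parse_ip_records(IP_RECORDS)).items():
        print(f"{src} -> {dst}: {n} carved headers")
```

Point the parsers at the real files (bulkdir/domain_histogram.txt and the carved-header output) instead of the inline samples to run this on your own capture; the checksum filter in pair_flows is what keeps stale, half-overwritten headers in freed memory from inflating the flow counts.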
AlienVault.webp 2016-02-24 14:00:00 Operation BlockBuster unveils the actors behind the Sony attacks (direct link) Today, a coordinated coalition involving AlienVault and several other security companies, led by Novetta, is announcing Operation BlockBuster. This industry initiative was created to share information and potentially disrupt the infrastructure and tools of an actor named the Lazarus Group. The Lazarus Group has been responsible for several operations since at least 2009, including the attack that affected Sony Pictures Entertainment in 2014. Part of our research on this actor was presented at the Kaspersky Security Analyst Summit (SAS) in Tenerife, Spain on February 9th, 2016 as a joint talk between AlienVault and Kaspersky's Global Research and Analysis Team. In the research that AlienVault and Kaspersky collaborated on, we attributed several campaigns to this actor. Armed with some of the indicators that US-CERT made public after the Sony attack, we continued to analyze different campaigns in 2015 that we suspected were being launched by the same actor. Eventually we were also able to attribute previous activity to the same attackers, including: Sony Pictures Entertainment - 2014; Operation DarkSeoul - 2013; Operation Troy - 2013; Wild Positron / Duuzer - 2015. Besides several campaigns where the Lazarus Group has used wipers to perform destructive attacks, they have also been busy using the same tools for data theft and cyber espionage operations. Today, as part of the Operation BlockBuster release, we want to share some of our findings and the TTPs of the Lazarus Group that allowed us to link and attribute all the campaigns and tools to the same cluster of activity.
We highly recommend that you read the comprehensive report Novetta published today, which includes details on the project's scope and the more than 45 malware families identified, along with signatures and guidance to help organizations detect and stop the group's actions. Encryption/shared keys: one of the key findings that gave us the opportunity to link several families to the same actors was a dropper the attackers use. This dropper contains a compressed resource (ZIP) named "MYRES" that is protected by a password. The attackers have reused the same password on different occasions, and we were able to find droppers containing different families used by the group. This actor also reuses the code libraries it utilizes to perform RSA encryption; we found the exact same public key in multiple variants. Batch scripts: this actor often uses BAT files that share the same skeleton in order to delete the initial files after infection. We have seen them reuse this technique across multiple droppers and payloads. Obfuscation functions: the Lazarus Group uses a few different methods to obfuscate API functions and dynamically load them. One of them consists of using a simple XOR scheme. Medical Yahoo APT 38
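Added example illustrating the single-byte XOR obfuscation of API names mentioned at the end of the item above. This is generic analyst tooling, not AlienVault's, Novetta's or the Lazarus Group's code, and it does not reproduce any sample: the key (0x5A), the NUL-separated layout of the name table and the list of expected API names are all constructed here as assumptions. The recovery routine brute-forces the key by scoring each candidate on how many known import names it produces, which is the usual way to confirm a suspected XOR blob without first locating the decoding stub.

```python
"""Recover single-byte-XOR-obfuscated API names from a blob.
Added example of the generic technique; key, blob layout and the API list
are constructed here and are not taken from any Lazarus sample."""
import re

# Imports an analyst would expect a dynamic-loading stub to resolve (assumed list).
KNOWN_APIS = {"LoadLibraryA", "GetProcAddress", "VirtualAlloc",
              "CreateFileA", "WriteFile", "WinExec"}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (a single byte is the common case)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Extract runs of printable ASCII, like the `strings` utility."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def recover_api_names(blob: bytes, known=KNOWN_APIS) -> tuple[int, list[str]]:
    """Try every single-byte key and return the one that decodes the most
    known API names, together with those names in blob order. Key 0 is
    skipped: a blob that is not obfuscated needs no recovery."""
    best_key, best_hits = 0, []
    for key in range(1, 256):
        decoded = xor_bytes(blob, bytes([key]))
        hits = [s for s in printable_strings(decoded) if s in known]
        if len(hits) > len(best_hits):
            best_key, best_hits = key, hits
    return best_key, best_hits


def obfuscate_names(names, key: int) -> bytes:
    """Build a NUL-separated, XOR-encoded name table (the shape a dropper
    would ship; assumed layout)."""
    return xor_bytes(b"\x00".join(n.encode("ascii") for n in names) + b"\x00",
                     bytes([key]))


# Constructed sample: three names encoded under key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = obfuscate_names(["LoadLibraryA", "GetProcAddress", "VirtualAlloc"],
                              SAMPLE_KEY)

if __name__ == "__main__":
    key, names = recover_api_names(SAMPLE_BLOB)
    print(f"key=0x{key:02x} names={names}")
```

Because the NUL separators decode to non-printable bytes only under the right key, the string extractor splits the table cleanly for that key and nowhere else; a wrong key either merges names into one unrecognised run or garbles them, so the score stays at zero.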
News.webp 2013-09-09 00:21:11 Sandbox MIMIng. CVE-2012-0158 in MHTML samples and analysis (direct link) Update - Sept 4, 2013: I added more descriptions and changed NjRat / Backdoor.LV to Vidgrab; its network traffic is similar to NjRat/Backdoor.LV, but it does not use base64 and sends an initial request starting with ...3 (0x01 0x00 0x00 0x00 0x33) followed by null bytes, rather than starting with lv|. I am still looking for names for a few other backdoors below, so if you recognize them, please let me know. Recently, my custom sandbox has been trying to open some Word attachments in a browser because the filetype fingerprint service detected them as MIME HTML files. Browsers are usually the default applications for such types, and the files did contain the CVE-2012-0158 exploit. A quick Google lookup yielded a May 2013 report from the Chinese company Antiy, "The Latest APT Attack by Exploiting CVE-2012-0158 Vulnerability", which described this new exploit vector. Antiy noted that these MHTML files evade antivirus, and indeed only half of the vendors represented on VirusTotal detect them. However, many companies rely on their automated tools, inline and standalone sandboxes, not just antivirus, to determine whether a file is malicious. I checked how these files (files without any extension) were processed by other commercial and open source sandboxes. 3 out of 5 well-known commercial and open source mail scan and web sandbox vendors returned no output or informed me that the filetype was not supported. While writing this post, I noticed that Malwaretracker also mentioned the rise in this vector's usage in his post on Friday, so I am sure the sandbox vendors are fixing the issue as we speak. I checked 25 MHTML CVE-2012-0158 files and compared their targets (at least those I could obtain) and payloads. The analysis showed a good variety of trojans, and predominantly human rights (Tibet, Uyghur) activists as targets.
I will post a month's worth of these files. CVE: CVE-2012-0158. The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2 Yahoo
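Added example for the routing problem the post describes: a sandbox that trusts the MIME-HTML fingerprint hands the file to a browser, which never exercises the Office code path that the exploit targets. The triage function below is my own illustration, not the author's sandbox or any vendor's product: it parses the MHTML container with the standard library, decodes every part, and routes the file to an Office parser as soon as any part decodes to an OLE compound document (identified by the MS-CFB magic bytes, the only signature used). The sample file is constructed inline and carries only that header, not a real document or exploit.

```python
"""Route an MHTML file by what its parts actually contain, not by the MIME
wrapper. Added example; not the blog author's sandbox code. The sample is
constructed here and contains only an OLE header stub, no real document."""
import base64
import email
from email import policy

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # MS-CFB (compound file) header


def looks_like_mhtml(data: bytes) -> bool:
    """Cheap fingerprint: MIME headers at the start of the file, which is
    exactly what makes a fingerprinting service call it MIME HTML."""
    head = data[:2048].lower()
    return head.startswith(b"mime-version:") or b"content-type: multipart/related" in head


def triage_mhtml(data: bytes) -> dict:
    """Parse the container, decode every leaf part and report which parts
    are OLE documents. `route` says where a sandbox should send the file."""
    report = {"is_mhtml": looks_like_mhtml(data), "parts": [], "ole_parts": 0}
    if not report["is_mhtml"]:
        report["route"] = "unknown"
        return report
    msg = email.message_from_bytes(data, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue  # container, not content
        payload = part.get_payload(decode=True) or b""  # undoes base64/QP
        is_ole = payload.startswith(OLE_MAGIC)
        report["parts"].append({"content_type": part.get_content_type(),
                                "size": len(payload), "ole": is_ole})
        if is_ole:
            report["ole_parts"] += 1
    report["route"] = "office-parser" if report["ole_parts"] else "browser"
    return report


def build_sample() -> bytes:
    """Constructed MHTML: one HTML part plus one base64 part holding a fake
    OLE header (magic plus zero padding to a 512-byte header-sized stub)."""
    ole_blob = OLE_MAGIC + b"\x00" * 504
    b64 = base64.encodebytes(ole_blob).decode("ascii")
    text = (
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="----=_NextPart_000"\r\n'
        "\r\n"
        "------=_NextPart_000\r\n"
        'Content-Type: text/html; charset="us-ascii"\r\n'
        "\r\n"
        "<html><body>attachment</body></html>\r\n"
        "------=_NextPart_000\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        + b64 +
        "------=_NextPart_000--\r\n"
    )
    return text.encode("ascii")


SAMPLE_MHTML = build_sample()

if __name__ == "__main__":
    result = triage_mhtml(SAMPLE_MHTML)
    print(result["route"], result["parts"])
```

The decision is made on decoded content rather than on the declared Content-Type of each part, since the sender controls those headers; a fingerprinting service that stops at the outer MIME header makes the same mistake the post's sandbox did.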
Last update at: 2024-05-10 08:08:23