What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-05-01 23:25:26 | Les logiciels malveillants ciblent les routeurs pour voler les mots de passe des demandes Web Malware Targets Routers To Steal Passwords From Web Requests (lien direct) |
Les chercheurs ont récemment suivi un nouveau malware, "Sweetfish", qui cible les équipements de mise en réseau, en particulier les petits routeurs de bureau / bureau à domicile (SOHO), pour voler le matériel d'authentification trouvé dans les demandes Web qui transitent le routeur de la locale adjacenteréseau régional (LAN). Lumen Technologies & # 8217;Black Lotus Labs, qui a examiné les logiciels malveillants, a déclaré que la seiche crée un tunnel proxy ou VPN via un routeur compromis pour exfiltrer les données en contournant l'analyse basée sur la connexion anormale, puis utilise des informations d'identification volées pour accéder aux ressources ciblées. Le malware a également la capacité d'effectuer un détournement HTTP et DNS pour les connexions aux adresses IP privées, qui sont normalement associées aux communications dans un réseau interne. Les chercheurs déclarent que la plate-forme de logiciels malveillants de secteur offre une approche zéro clique pour capturer les données des utilisateurs et des appareils derrière le bord du réseau ciblé. «Toutes les données envoyées sur les équipements réseau infiltrés par ce malware sont potentiellement exposés.Ce qui rend cette famille de logiciels malveillants si insidie-the-cuttlefish-malware / "data-wpel-link =" external "rel =" nofollow nopenner noreferrer "> avertir dans un article de blog . «La seiche est en attente, reniflant passivement les paquets, n'agissant que lorsqu'il est déclenché par un ensemble de règles prédéfini.Le renifleur de paquets utilisé par la seiche a été conçu pour acquérir du matériel d'authentification, en mettant l'accent sur les services publics basés sur le cloud. » | Malware Threat Cloud Technical | APT 32 | ★★★★ |
 |
2023-08-10 10:00:00 | Les systèmes Mac se sont transformés en nœuds de sortie proxy par adcharge Mac systems turned into proxy exit nodes by AdLoad (lien direct) |
This blog was jointly written by Fernando Martinez Sidera and Ofer Caspi, AT&T Alien Labs threat intelligence researchers.
Executive summary
AdLoad malware is still infecting Mac systems years after its first appearance in 2017. AdLoad, a package bundler, has been observed delivering a wide range of payloads throughout its existence. During AT&T Alien Labs’ investigation of its most recent payload, it was discovered that the most common component dropped by AdLoad during the past year has been a proxy application turning MacOS AdLoad victims into a giant, residential proxy botnet.
Key takeaways:
AdLoad malware is still present and infecting systems, with a previously unreported payload.
At least 150 samples have been observed in the wild during the last year.
AT&T Alien Labs has observed thousands of IPs behaving as proxy exit nodes in a manner similar to AdLoad infected systems. This behavior could indicate that thousands of Mac systems have been hijacked to act as proxy exit nodes.
The samples analyzed in this blog are unique to MacOS, but Windows samples have also been observed in the wild.
Analysis
AdLoad is one of several widespread adware and bundleware loaders currently impacting macOS. The OSX malware has been present since 2017, with big campaigns in the last two years as reported by SentinelOne in 2021 and Microsoft in 2022. As stated in Microsoft’s report on UpdateAgent, a malware delivering AdLoad through drive-by compromise, AdLoad redirected users’ traffic through the adware operators’ servers, injecting advertisements and promotions into webpages and search results with a Person-in-The-Middle (PiTM) attack.
These two previous campaigns, together with the campaign described in this blog, support the theory that AdLoad could be running a pay-per-Install campaign in the infected systems.
The main purpose of the malware has always been to act as a downloader for subsequent payloads.
It has been identified delivering a wide range of payloads (adware, bundleware, PiTM, backdoors, proxy applications, etc.) every few months to a year, sometimes conveying different payloads depending on the system settings such as geolocation, device make and model, operating system version, or language settings, as reported by SentinelOne.
In all observed samples, regardless of payload, they report an Adload server during execution on the victim’s system.
This beacon (analyzed later in Figure 3 & 4) includes system information in the user agent and the body, without any relevant response aside from a 200 HTTP response code.
This activity probably represents AdLoad\'s method of keeping count of the number of infected systems, supporting the pay-per-Install scheme.
AT&T Alien Labs™ has observed similar activity in our threat analysis systems throughout the last year, with the AdLoad malware being installed in the infected systems. However, Alien Labs is now observing a previously unreported payload being delivered to the victims. The payload corresponds to a proxy application, converting its targets into proxy exit nodes after infection. As seen in Figure 1, the threat actors behind this campaign have been very active since the beginning of 2022.
Figure 1. Histogram of AdLoad samples identified by Alien Labs.
The vast numb |
Spam Malware Threat Cloud | APT 32 | ★★ |
 |
2023-04-06 13:59:23 | Assistance technique Pivots de DigitalOcean à StackPath CDN Tech Support Scam Pivots from DigitalOcean to StackPath CDN (lien direct) |
> Les attaquants récapitulatifs qui abusaient auparavant DigitalOcean pour héberger une arnaque de support technologique ont élargi l'opération, abusant désormais de StackPath CDN pour distribuer l'arnaque, et sont susceptibles de commencer à abuser des services cloud supplémentaires pour fournir l'arnaque dans un avenir proche.Du 1er février au 16 mars, NetSkope Threat Labs a vu une augmentation de 10x [& # 8230;]
>Summary Attackers who were previously abusing DigitalOcean to host a tech support scam have expanded the operation, now abusing StackPath CDN to distribute the scam, and are likely to start abusing additional cloud services to deliver the scam in the near future. From February 1 to March 16, Netskope Threat Labs has seen a 10x increase […] |
Threat Cloud | APT 32 | ★★★ |
 |
2022-08-18 08:00:00 | Ukraine and the fragility of agriculture security (lien direct) |  By Joe Marshall.The war in Ukraine has had far-reaching global implications and one of the most immediate effects felt will be on the global supply chain for food. This war-induced fragility has exposed the weaknesses of how we feed ourselves globally. Ransomware cartels and other adversaries are well aware of this and are actively exploiting that fragility. For the past six years, Cisco Talos has been actively involved in assisting public and private institutions in Ukraine to defend themselves against state-sponsored actors. Our involvement stretches the gamut from commercial to critical infrastructure, to election security. Our presence has afforded us unique opportunities and observations about cybersecurity in a macro and micro way. Ukraine has been a frequent victim of state-sponsored cyber attacks aimed at critical infrastructures like power and transportation. Talos is proud to stand with our partners in Ukraine and help defend their critical networks and help users there maintain access to necessary services. Now that Russia has invaded Ukraine, those threats have escalated to kinetic attacks that are wreaking havoc on a critical element of our world: agriculture and our global food supply chain. Even worse is the implications this war will have for future cyber attacks, as fragility is considered a lucrative element in deciding victimology by threat actors like ransomware cartels. To truly grasp the implications of the war in Ukraine, we have to examine how vital Ukrainian agriculture feeds the world, the current state of affairs, and what this means for the global cybersecurity posture to protect agricultural assets. Where there is weakness, there is opportunityRansomware cartels and their affiliates are actively targeting the agricultural industry. Moreover, these actors have done their homework and are targeting agricultural companies during the two times of the year where they cannot suffer disruptions: planting and harvesting. Per the published FBI PIN Alert: “Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production.” This is far from unusual for these adversaries - they are shrewd and calculating, and understand their victims' weaknesses and industries. H |
Ransomware Threat Guideline Cloud | NotPetya Uber APT 37 APT 32 APT 28 APT 10 APT 21 Guam |
1
We have: 4 articles.
We have: 4 articles.
To see everything:
Our RSS (filtrered)
