What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-01-26 11:00:00 | Cybersécurité pour les systèmes de contrôle industriel: meilleures pratiques Cybersecurity for Industrial Control Systems: Best practices (lien direct) |
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. Network segmentation, software patching, and continual threats monitoring are key cybersecurity best practices for Industrial Control Systems (ICS). Although ICSs significantly improve health and safety by automating dangerous tasks, facilitating remote monitoring and control, and activating safety protocols in the case of emergency, they’re increasingly exposed to cybersecurity threats. In 2022, there was a 2,000% increase in adversarial reconnaissance targeting Modbus/TCP port 502 — a widely-used industrial protocol — allowing malicious actors to exploit vulnerabilities in operational technology systems. Fortunately, by taking steps to improve and maintain ICS cybersecurity, manufacturers can successfully reduce the attack surface of their critical infrastructure and keep threats (including phishing, denial-of-service attacks, ransomware, and malware) at bay. ICS cyberattacks on the rise ICS cyberattacks are on the rise, with almost 27% of ICS systems affected by malicious objects in the second quarter of 2023, data from Kaspersky reveals. Cyberattacks have the power to devastate ICS systems, damage equipment and infrastructure, disrupt business, and endanger health and safety. For example, the U.S. government has warned of a malware strain called Pipedream: “a modular ICS attack framework that contains several components designed to give threat actors control of such systems, and either disrupt the environment or disable safety controls”. Although Pipedream has the ability to devastate industrial systems, it fortunately hasn’t yet been used to that effect. And, last year, a notorious hacking group called Predatory Sparrow launched a cyberattack on an Iranian steel manufacturer, resulting in a serious fire. In addition to causing equipment damage, the hackers caused a malfunctioning foundry to start spewing hot molten steel and fire. This breach only highlights the importance of safety protocols in the manufacturing and heavy industry sectors. By leveraging the latest safety tech and strengthening cybersecurity, safety, security, and operational efficiency can all be improved. Segment networks By separating critical systems from the internet and other non-critical systems, network segmentation plays a key role in improving ICS cybersecurity. Network segmentation is a security practice that divides a network into smaller, distinct subnetworks based on security level, functionality, or access control, for example. As a result, you can effectively prevent attacker lateral movement within your network — this is a common way hackers disguise themselves as legitimate users and their activities as expected traffic, making it hard to spot this method. Network segmentation also lets you create tailored and unique security policies and controls for each segment based on their defined profile. Each individual segment is therefore adequately protected. And, since network segmentation also provides you with increased visibility in terms of network activity, you’re also better able to spot and respond to problems with greater speed and efficiency. When it comes to | Ransomware Malware Vulnerability Threat Patching Industrial | ★★★ | |
 |
2024-01-25 23:58:06 | Trickbot Malware Scumbag obtient cinq ans pour infecter les hôpitaux, les entreprises Trickbot malware scumbag gets five years for infecting hospitals, businesses (lien direct) |
Le reste de l'équipage toujours en général Un ancien développeur TrickBot a été envoyé depuis cinq ans et quatre mois pour son rôle dans l'infecticule des hôpitaux et des entreprises américaines avec des ransomwares et d'autres logiciels malveillants, ce qui coûte aux victimes des dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizaines de dizainesdes millions de dollars de pertes…
Rest of the crew still at large A former Trickbot developer has been sent down for five years and four months for his role in infecting American hospitals and businesses with ransomware and other malware, costing victims tens of millions of dollars in losses.… |
Ransomware Malware | ★★★ | |
 |
2024-01-25 22:19:57 | HP revendique le monopole de l'encre, allègue un risque de logiciel malveillant cartouche tiers HP Claims Monopoly on Ink, Alleges 3rd-Party Cartridge Malware Risk (lien direct) |
> Par deeba ahmed
Le PDG de HP Enrique Lores a défendu la pratique des imprimantes de briques de HP \\ lorsqu'elle est chargée avec de l'encre tierce.
Ceci est un article de HackRead.com Lire la publication originale: HP revendique le monopole de l'encre, allègue un risque de logiciel malveillant cartouche tiers
>By Deeba Ahmed HP CEO Enrique Lores defended HP\'s practice of bricking printers when loaded with third-party ink. This is a post from HackRead.com Read the original post: HP Claims Monopoly on Ink, Alleges 3rd-Party Cartridge Malware Risk |
Malware | ★★★ | |
 |
2024-01-25 20:49:47 | Le développeur russe de Trickbot Malware condamné à cinq ans de prison Russian developer of Trickbot malware sentenced to five years in prison (lien direct) |
Un développeur russe de Trickbot Malware a été condamné à cinq ans et quatre mois de prison, le département américain de la Justice a déclaré jeudi.Selon des documents judiciaires, Vladimir Dunaev, 40 ans, a été impliqué dans le développement et le déploiement du logiciel malveillant pour lancer des cyberattaques contre les hôpitaux, les écoles et les entreprises américains.Dunaev a été extradé du sud
A Russian developer of Trickbot malware has been sentenced to five years and four months in prison, the U.S. Department of Justice said on Thursday. According to court documents, 40-year-old Vladimir Dunaev was involved in developing and deploying the malicious software to launch cyberattacks against American hospitals, schools and businesses. Dunaev was extradited from South |
Malware Legislation | ★★★ | |
 |
2024-01-25 19:53:00 | L'analyse du serveur C2 de SystemBC Malware \\ expose les astuces de livraison de charge utile SystemBC Malware\\'s C2 Server Analysis Exposes Payload Delivery Tricks (lien direct) |
Les chercheurs en cybersécurité ont mis en lumière le serveur de commande et de contrôle (C2) d'une famille de logiciels malveillants connue appelée & nbsp; SystemBC.
"SystemBC peut être acheté sur des marchés souterrains et est fourni dans une archive contenant l'implant, un serveur de commande et de contrôle (C2) et un portail d'administration Web écrit en PHP", Kroll & Nbsp; Said & NBSP; dans une analyse publiée la semaine dernière.
Le risque et
Cybersecurity researchers have shed light on the command-and-control (C2) server of a known malware family called SystemBC. "SystemBC can be purchased on underground marketplaces and is supplied in an archive containing the implant, a command-and-control (C2) server, and a web administration portal written in PHP," Kroll said in an analysis published last week. The risk and |
Malware | ★★★ | |
 |
2024-01-25 19:48:09 | Parrot TDS: une campagne de logiciels malveillants persistants et évolutives Parrot TDS: A Persistent and Evolving Malware Campaign (lien direct) |
#### Description
Le Parrot TDS (Traffic Redirect System) a augmenté sa campagne depuis octobre 2021, utilisant des techniques sophistiquées pour éviter la détection et potentiellement impactant des millions de personnes par le biais de scripts malveillants sur des sites Web compromis.
Identifiée par les chercheurs de l'unité 42, Parrot TDS injecte des scripts malveillants dans le code JavaScript existant sur les serveurs, le profilage stratégique des victimes avant de fournir des charges utiles qui redirigent les navigateurs vers un contenu malveillant.Notamment, la campagne TDS présente une large portée, ciblant les victimes à l'échelle mondiale sans limites basées sur la nationalité ou l'industrie.Pour renforcer les tactiques d'évasion, les attaquants utilisent plusieurs lignes de code JavaScript injecté, ce qui rend plus difficile pour les chercheurs en sécurité de détecter.Les attaquants, utilisant probablement des outils automatisés, exploitent les vulnérabilités connues, en mettant l'accent sur les serveurs compromis à l'aide de WordPress, Joomla ou d'autres systèmes de gestion de contenu.
#### URL de référence (s)
1. https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/#post-132073-_jt3yi5rhpmao
#### Date de publication
19 janvier 2024
#### Auteurs)
Zhanglin he
Ben Zhang
Billy Melicher
Qi Deng
Boqu
Brad Duncan
#### Description The Parrot TDS (Traffic Redirect System) has escalated its campaign since October 2021, employing sophisticated techniques to avoid detection and potentially impacting millions through malicious scripts on compromised websites. Identified by Unit 42 researchers, Parrot TDS injects malicious scripts into existing JavaScript code on servers, strategically profiling victims before delivering payloads that redirect browsers to malicious content. Notably, the TDS campaign exhibits a broad scope, targeting victims globally without limitations based on nationality or industry. To bolster evasion tactics, attackers utilize multiple lines of injected JavaScript code, making it harder for security researchers to detect. The attackers, likely employing automated tools, exploit known vulnerabilities, with a focus on compromising servers using WordPress, Joomla, or other content management systems. #### Reference URL(s) 1. https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/#post-132073-_jt3yi5rhpmao #### Publication Date January 19, 2024 #### Author(s) Zhanglin He Ben Zhang Billy Melicher Qi Deng Bo Qu Brad Duncan |
Malware Tool Vulnerability Threat | ★★★ | |
 |
2024-01-25 17:40:00 | \\ 'Cherryloader \\' Les logiciels malveillants permettent une exécution sérieuse de privilèges \\'CherryLoader\\' Malware Allows Serious Privilege Execution (lien direct) |
Un téléchargeur sportif et modulaire permet aux pirates de choisir leurs exploits - dans ce cas, deux outils puissants pour obtenir un accès administrateur dans un système Windows.
A sporty, modular downloader allows hackers to cherry-pick their exploits - in this case, two powerful tools for gaining admin access in a Windows system. |
Malware Tool | ★★★ | |
|
2024-01-25 17:00:00 | Lodeinfo MALWWare inférieur évolue avec une anti-analyse et des astuces de code distantes LODEINFO Fileless Malware Evolves with Anti-Analysis and Remote Code Tricks (lien direct) |
Les chercheurs en cybersécurité ont découvert une version mise à jour d'une porte dérobée appelée & nbsp; lodeinfo & nbsp; qui \\ est distribuée via des attaques de phisseur de lance.
Les résultats proviennent de la société japonaise Itochu Cyber & amp;L'intelligence, qui & nbsp; a dit & nbsp; le malware "a été mis à jour avec de nouvelles fonctionnalités, ainsi que des modifications des techniques anti-analyse (évitement de l'analyse)".
Lodeinfo (versions 0,6,6 et 0,6.7
Cybersecurity researchers have uncovered an updated version of a backdoor called LODEINFO that\'s distributed via spear-phishing attacks. The findings come from Japanese company ITOCHU Cyber & Intelligence, which said the malware "has been updated with new features, as well as changes to the anti-analysis (analysis avoidance) techniques." LODEINFO (versions 0.6.6 and 0.6.7 |
Malware | ★★★ | |
 |
2024-01-25 15:30:26 | Blackwood Hackers Hijack WPS Office Mise à jour pour installer des logiciels malveillants Blackwood hackers hijack WPS Office update to install malware (lien direct) |
Un acteur de menace avancé auparavant inconnu suivi comme \\ 'Blackwood \' utilise des logiciels malveillants sophistiqués appelés NSPX30 dans des attaques de cyberespionnage contre les entreprises et les particuliers.[...]
A previously unknown advanced threat actor tracked as \'Blackwood\' is using sophisticated malware called NSPX30 in cyberespionage attacks against companies and individuals. [...] |
Malware Threat | ★★★ | |
|
2024-01-25 13:52:21 | Russian Trickbot Malware Dev condamné à 64 mois de prison Russian TrickBot malware dev sentenced to 64 months in prison (lien direct) |
Le National Russian Vladimir Dunaev a été condamné à cinq ans et quatre mois de prison pour son rôle dans la création et la distribution du malware Trickbot utilisé dans les attaques contre les hôpitaux, les entreprises et les particuliers du monde entier.[...]
Russian national Vladimir Dunaev has been sentenced to five years and four months in prison for his role in creating and distributing the Trickbot malware used in attacks against hospitals, companies, and individuals worldwide. [...] |
Malware Legislation | ★★★ | |
 |
2024-01-25 13:04:51 | La sophistication des cybercriminels s'intensifie avec les stratégies émergentes pour encaisser ou provoquer le chaos The sophistication of cybercriminals intensifies with emerging strategies for cashing in or causing chaos (lien direct) |
Bien que des tactiques éprouvées comme le phishing et les logiciels malveillants soient là pour rester, il y a toujours de nouvelles approches à surveiller dans l'espace de cybersécurité.Les prévisions annuelles de l'industrie annuelle de la violation annuelle de Experian \\ comprennent six prédictions pour 2024 qui concentrent un objectif mondial sur ce que Savvy déplace les cybercriminels de près et de loin peut potentiellement pour pénétrer les organisations [& # 8230;]
le post La sophistication des cybercriminels s'intensifie avec des stratégies émergentes pour encaisser ou provoquer le chaos est apparu pour la première fois sur guru de sécurité informatique .
While tried and true tactics like phishing and malware are here to stay, there are always new approaches to watch out for in the cybersecurity space. Experian\'s 11th annual Data Breach Industry Forecast includes six predictions for 2024 that focuses a global lens on what savvy moves cybercriminals from near and far will potentially make to penetrate organisations […] The post The sophistication of cybercriminals intensifies with emerging strategies for cashing in or causing chaos first appeared on IT Security Guru. |
Malware | ★★★ | |
|
2024-01-25 12:51:00 | New Cherryloader Malware imite Cherrytree pour déployer des exploits PRIVESC New CherryLoader Malware Mimics CherryTree to Deploy PrivEsc Exploits (lien direct) |
Un nouveau chargeur de logiciels malveillants basée sur GO appelée & nbsp; Cherryloader & nbsp; a été découvert par les chasseurs de menaces dans la nature pour fournir des charges utiles supplémentaires sur des hôtes compromis pour l'exploitation de suivi.
L'Arctic Wolf Labs, qui a découvert le nouvel outil d'attaque dans deux intrusions récentes, a déclaré que l'icône et le nom du chargeur \\ se sont masqué
A new Go-based malware loader called CherryLoader has been discovered by threat hunters in the wild to deliver additional payloads onto compromised hosts for follow-on exploitation. Arctic Wolf Labs, which discovered the new attack tool in two recent intrusions, said the loader\'s icon and name masquerades as the legitimate CherryTree note-taking application to dupe potential victims |
Malware Tool Threat | ★★★ | |
 |
2024-01-25 12:47:19 | Sceau de malware 101: Comprendre les différentes variantes et familles Stealer Malware 101: Understanding the Different Variants and Families (lien direct) |
> Dans le domaine de la cybersécurité, les logiciels malveillants (malware) continue d'évoluer, avec différents types ciblant ...
>In the realm of cybersecurity, malicious software (malware) continues to evolve, with various types targeting... |
Malware | ★★★ | |
|
2024-01-25 12:02:44 | QR Code phishing monte 587%: les utilisateurs sont victimes de victimes d'escroqueries en génie social QR Code Phishing Soars 587%: Users Falling Victim to Social Engineering Scams (lien direct) |
> Par deeba ahmed
QR Le phishing du code a bondi par 587%, les escrocs l'exploitant pour voler des informations d'identification de connexion et déployer des logiciels malveillants.
Ceci est un article de HackRead.com Lire le post original: QR Code Phishing monte 587%: les utilisateurs sont victimes d'escroqueries d'ingénierie sociale
>By Deeba Ahmed QR Code Phishing has surged by a staggering 587%, with scammers exploiting it to steal login credentials and deploy malware. This is a post from HackRead.com Read the original post: QR Code Phishing Soars 587%: Users Falling Victim to Social Engineering Scams |
Malware | ★★★ | |
|
2024-01-25 11:00:00 | Le côté obscur de la cybersécurité 2023: évolution des logiciels malveillants et cyber-menaces The dark side of 2023 Cybersecurity: Malware evolution and Cyber threats (lien direct) |
In the ever-evolving cybersecurity landscape, 2023 witnessed a dramatic surge in the sophistication of cyber threats and malware. AT&T Cybersecurity Alien Labs reviewed the big events of 2023 and how malware morphed this year to try new ways to breach and wreak havoc. This year\'s events kept cybersecurity experts on their toes, from expanding malware variants to introducing new threat actors and attack techniques. Here are some of the most compelling developments, highlighting malware\'s evolving capabilities and the challenges defenders face. Highlights of the year: Emerging trends and notable incidents As the year unfolded, several trends and incidents left an indelible mark on the cybersecurity landscape: Exploiting OneNote for malicious payloads Cybercriminals leveraged Microsoft OneNote to deliver many malicious payloads to victims, including Redline, AgentTesla, Quasar RAT, and others. This previously underutilized Office program became a favored tool due to its low suspicion and widespread usage. SEO poisoning and Google Ads Malicious actors resorted to SEO poisoning tactics, deploying phishing links through Google Ads to deceive unsuspecting victims. These links led to cloned, benign web pages, avoiding Google\'s detection and remaining active for extended periods. Prominent malware families, including Raccoon Stealer and IcedID, capitalized on this strategy. Exploiting geopolitical events Cybercriminals exploited the geopolitical climate, particularly the Middle East conflict, as a lure for their attacks. This trend mirrored the previous year\'s Ukraine-related phishing campaigns and crypto scams. APTs: State-sponsored espionage continues to present challenges Advanced Persistent Threats (APTs) continued to pose a significant threat in 2023: Snake: CISA reported on the Snake APT, an advanced cyber-espionage tool associated with the Russian Federal Security Service (FSB). This malware had been in use for nearly two decades. Volt Typhoon: A campaign targeting critical infrastructure organizations in the United States was attributed to Volt Typhoon, a state-sponsored actor based in China. Their focus lay on espionage and information gathering. Storm-0558: This highly sophisticated intrusion campaign, orchestrated by the Storm-0558 APT from China, infiltrated the email accounts of approximately 25 organizations, including government agencies. Ransomware\'s relentless rise Ransomware remained a prevalent and lucrative threat throughout the year: Cuba and Snatch: Ransomware groups like Cuba and Snatch targeted critical infrastructure in the United States, causing concern for national security. ALPHV/BlackCat: Beyond SEO poisoning, this group compromised the computer systems of Caesar and MGM casinos. They also resorted to filing complaints with the US Securities and Exchange Commission (SEC) against their victims, applying additional pressure to pay ransoms. Exploiting new vulnerabilities: Cybercriminals wasted no time exploiting newly discovered vulnerabilities, such as CVE-2023-22518 in Atlassian\'s Confluence, CVE-2023-4966 (Citrix bleed), and others. These vulnerabilities became gateways for ransomware attacks. Evolving ransom | Ransomware Spam Malware Tool Vulnerability Threat Prediction | Guam | ★★★ |
|
2024-01-25 10:35:39 | Écrire des règles Yara avec des GPT personnalisés et une plate-forme Socradar Writing YARA Rules with Custom GPTs and SOCRadar Platform (lien direct) |
> Les règles YARA se distinguent comme des instruments essentiels pour identifier et classer les logiciels malveillants.Ces règles sont ...
>YARA rules stand out as essential instruments for identifying and classifying malware. These rules are... |
Malware | ★★★ | |
|
2024-01-24 20:59:31 | Mimo CoinMiner and Mimus Ransomware Installed via Vulnerability Attacks (lien direct) | #### Description
Ahnlab Security Intelligence Center (ASEC) a récemment observé les circonstances d'un acteur de menace de Coinmin appelé MIMO exploitant diverses vulnérabilités pour installer des logiciels malveillants.MIMO, également surnommé HezB, a été retrouvé pour la première fois lorsqu'ils ont installé des co -miners grâce à une exploitation de vulnérabilité Log4Shell en mars 2022.
L'acteur MIMO Threat a installé divers logiciels malveillants, notamment MIMUS Ransomware, Proxyware et Inverse Shell MALWWare, en plus du mimo de mineur.La majorité des attaques de l'acteur de menace de MIMO ont été des cas qui utilisent XMRIG Coinmin, mais des cas d'attaque par ransomware ont également été observés en 2023.
Le ransomware Mimus a été installé avec le malware par lots et a été fabriqué sur la base du code source révélé sur GitHub par le développeur «Mauri870» qui a développé les codes à des fins de recherche.Le ransomware a été développé en Go, et l'acteur de menace l'a utilisé pour développer des ransomwares et l'a nommé Mimus Ransomware.MIMUS Ransomware n'a pas de différences particulières par rapport au code source de Mauricrypt \\.Seule l'adresse C&C de l'acteur de menace, l'adresse du portefeuille, l'adresse e-mail et d'autres données de configuration ont été modifiées.
#### URL de référence (s)
1. https://asec.ahnlab.com/en/60440/
#### Date de publication
17 janvier 2024
#### Auteurs)
Sanseo
#### Description AhnLab SEcurity intelligence Center (ASEC) recently observed circumstances of a CoinMiner threat actor called Mimo exploiting various vulnerabilities to install malware. Mimo, also dubbed Hezb, was first found when they installed CoinMiners through a Log4Shell vulnerability exploitation in March 2022. The Mimo threat actor has installed various malware, including Mimus ransomware, proxyware, and reverse shell malware, besides the Mimo miner. The majority of the Mimo threat actor\'s attacks have been cases that use XMRig CoinMiner, but ransomware attack cases were also observed in 2023. The Mimus ransomware was installed with the Batch malware and was made based on the source code revealed on GitHub by the developer “mauri870” who developed the codes for research purposes. The ransomware was developed in Go, and the threat actor used this to develop ransomware and named it Mimus ransomware. Mimus ransomware does not have any particular differences when compared to MauriCrypt\'s source code. Only the threat actor\'s C&C address, wallet address, email address, and other configuration data were changed. #### Reference URL(s) 1. https://asec.ahnlab.com/en/60440/ #### Publication Date January 17, 2024 #### Author(s) Sanseo |
Ransomware Malware Vulnerability Threat | ★★ | |
 |
2024-01-24 17:15:00 | Chatgpt Cybercrime Surge révélé dans 3000 articles Web sombres ChatGPT Cybercrime Surge Revealed in 3000 Dark Web Posts (lien direct) |
Kaspersky a déclaré que les cybercriminels exploraient des schémas pour implémenter le chatppt dans le développement de logiciels malveillants
Kaspersky said cybercriminals are exploring schemes to implement ChatGPT in malware development |
Malware | ChatGPT | ★★ |
|
2024-01-24 06:26:08 | Les avertissements NCSC de GCHQ \\ de la possibilité réaliste \\ 'AI aideront à détection d'évasion des logiciels malveillants soutenus par l'État GCHQ\\'s NCSC warns of \\'realistic possibility\\' AI will help state-backed malware evade detection (lien direct) |
Cela signifie que les espions britanniques veulent la capacité de faire exactement cela, hein? L'idée que l'IA pourrait générer des logiciels malveillants super potentiels et indétectables a été bandé depuis des années & # 8211;et aussi déjà démystifié .Cependant, un article Publié aujourd'hui par le Royaume-Uni National Cyber Security Center (NCSC) suggère qu'il existe une "possibilité réaliste" que d'ici 2025, les attaquants les plus sophistiqués \\ 's'amélioreront considérablement grâce aux modèles d'IA informés par des données décrivant une cyber-cyberHits.… | Malware Tool | ChatGPT | ★★★ |
|
2024-01-24 00:03:25 | Distribution de Venomrat (asyncrat) imitation des sociétés informatiques coréennes Distribution of VenomRAT (AsyncRAT) Impersonating Korean IT Companies (lien direct) |
Ahnlab Security Intelligence Center (ASEC) a trouvé un fichier de raccourci (.lnk) qui télécharge Asyncrat (Venomrat).Pour que le fichier LNK se déguise en fichier Word normal, il a été distribué avec le nom & # 8216; Survey.docx.lnk & # 8217;à l'intérieur d'un fichier compressé qui contenait également un fichier texte normal.Surtout, les utilisateurs doivent rester vigilants, car le fichier exécutable (blues.exe) utilisé dans l'attaque est déguisé en certificat coréen.Le processus de fonctionnement global du malware est comme indiqué ci-dessous ....
AhnLab SEcurity intelligence Center (ASEC) found a shortcut file (.lnk) that downloads AsyncRAT (VenomRAT). In order for the LNK file to disguise itself as a normal Word file, it was distributed with the name ‘Survey.docx.lnk’ inside a compressed file which also contained a normal text file. Above all, users need to remain vigilant, as the executable file (blues.exe) used in the attack is disguised as a Korean company’s certificate. The overall operation process of the malware is as shown below.... |
Malware | ★★ | |
|
2024-01-23 21:00:00 | MacOS malware cible Bitcoin, Exodus cryptowallets MacOS Malware Targets Bitcoin, Exodus Cryptowallets (lien direct) |
Le malware remplace les applications authentiques par des versions compromises, permettant aux attaquants de piloter des informations d'identification et des phrases de récupération, accédant ainsi aux portefeuilles et à leur contenu.
The malware substitutes genuine apps with compromised versions, enabling attackers to pilfer credentials and recovery phrases, thus gaining access to wallets and their contents. |
Malware | ★★ | |
|
2024-01-23 20:03:00 | Vextrio: The Uber of Cybercrime - Broking Malware pour plus de 60 affiliés VexTrio: The Uber of Cybercrime - Brokering Malware for 60+ Affiliates (lien direct) |
Les acteurs de la menace derrière Clearfake, Socgholish et des dizaines d'autres acteurs ont établi des partenariats avec une autre entité connue sous le nom de & nbsp; Vextrio & nbsp; dans le cadre d'un «programme d'affiliation criminelle» massif », révèlent les nouvelles conclusions d'Infoblox.
Le dernier développement démontre "l'étendue de leurs activités et la profondeur de leurs liens au sein de l'industrie de la cybercriminalité", a déclaré la société,
The threat actors behind ClearFake, SocGholish, and dozens of other actors have established partnerships with another entity known as VexTrio as part of a massive "criminal affiliate program," new findings from Infoblox reveal. The latest development demonstrates the "breadth of their activities and depth of their connections within the cybercrime industry," the company said, |
Malware Threat | Uber | ★★★★ |
|
2024-01-23 17:57:00 | Alerte "Activateur": MacOS malware se cache dans des applications fissurées, ciblant les portefeuilles crypto "Activator" Alert: MacOS Malware Hides in Cracked Apps, Targeting Crypto Wallets (lien direct) |
Des logiciels fissurés ont été observés en infectant les utilisateurs d'Apple MacOS avec un malware de voleur auparavant sans papiers capable de récolter des informations sur le système et des données de portefeuille de crypto-monnaie.
Kaspersky, qui a identifié les artefacts dans la nature, & nbsp; dit & nbsp; ils sont conçus pour cibler des machines exécutant macOS Ventura 13.6 et plus tard, indiquant la capacité du malware \\ à infecter les Mac sur Intel et
Cracked software have been observed infecting Apple macOS users with a previously undocumented stealer malware capable of harvesting system information and cryptocurrency wallet data. Kaspersky, which identified the artifacts in the wild, said they are designed to target machines running macOS Ventura 13.6 and later, indicating the malware\'s ability to infect Macs on both Intel and |
Malware | ★★ | |
 |
2024-01-23 12:51:12 | Le paysage des menaces est toujours en train de changer: à quoi s'attendre en 2024 The Threat Landscape Is Always Changing: What to Expect in 2024 (lien direct) |
Gather \'round, cyber friends, and I\'ll let you in on a little secret: no one knows what the Next Big Thing on the threat landscape will be. But we can look back on 2023, identify notable changes and actor behaviors, and make educated assessments about what 2024 will bring. This month on the DISCARDED podcast my co-host Crista Giering and I sat down with our Threat Research leaders Daniel Blackford, Alexis Dorais-Joncas, Randy Pargman, and Rich Gonzalez, leaders of the ecrime, advanced persistent threat (APT), threat detection, and Emerging Threats teams, respectively. We discussed what we learned over the last year, and what\'s on the horizon for the future. While the discussions touched on different topics and featured different opinions on everything from artificial intelligence (AI) to living off the land binaries (LOLBins) to vulnerability exploitation to ransomware, there were some notable themes that are worth writing down. We can\'t say for sure what surprises are in store, but with our cyber crystals balls fully charged – and a deep knowledge of a year\'s worth of threat actor activity based on millions of email threats per day – we can predict with high confidence what\'s going to be impactful in the coming year. 1: Quick response (QR) codes will continue to proliferate 2023 was the year of the QR code. Although not new, QR codes burst on the scene over the last year and were used in many credential phishing and malware campaigns. The use was driven by a confluence of factors, but ultimately boiled down to the fact that people are now way more accustomed to scanning QR codes for everything from instructions to menus. And threat actors are taking advantage. Proofpoint recently launched new in-line sandboxing capabilities to better defend against this threat, and our teams anticipate seeing more of it in 2024. Notably, however, Dorais-Joncas points out that QR codes still just exist in the realm of ecrime – APT actors have not yet jumped on the QR code bandwagon. (Although, some of those APT actors bring ecrime energy to their campaigns, so it\'s possible they may start QR code phishing, too.) 2: Zero-day and N-day vulnerability exploitation A theme that appeared throughout our conversations was the creative use of vulnerabilities – both known and unreported – in threat actor activity. APT actors used a wide variety of exploits, from TA473 exploiting publicly-facing webmail servers to espionage actors using a zero-day in an email security gateway appliance that ultimately forced users to rip out and reinstall physical hardware. But ecrime actors also exploited their share of vulnerabilities, including the MOVEit file transfer service vulnerability from the spring of 2023 that had cascading repercussions, and the ScreenConnect flaw announced in the fall of 2023 – both of which were used by ecrime actors before being officially published. Proofpoint anticipates vulnerability exploitation will continue, driven in part by improved defense making old school techniques – like macro-enabled documents – much less useful, as well as the vast financial resources now available to cybercriminals that were once just the domain of APT. Pargman says the creativity from ecrime threat actors is a direct response of defenders imposing cost on our adversaries. 3: Continuing, unexpected behavior changes Avid listeners of the podcast know I have regularly said the ecrime landscape is extremely chaotic, with TA577 demonstrating the most chaotic vibes of them all. The tactics, techniques, and procedures (TTPs) of some of the most sophisticated actors continue to change. The cost imposed on threat actors that Pargman mentioned – from law enforcement takedowns of massive botnets like Qbot to improved detections and automated defenses – have forced threat actors, cybercriminals in particular, to regularly change their behaviors to figure out what is most effective. For example, recently Proofpoint has observed the increased use of: traffic dis | Ransomware Malware Tool Vulnerability Threat Prediction | ★★★ | |
 |
2024-01-23 12:23:00 | Comment éviter les logiciels malveillants sur les systèmes Linux How to avoid malware on Linux systems (lien direct) |
Gather \'round, cyber friends, and I\'ll let you in on a little secret: no one knows what the Next Big Thing on the threat landscape will be. But we can look back on 2023, identify notable changes and actor behaviors, and make educated assessments about what 2024 will bring. This month on the DISCARDED podcast my co-host Crista Giering and I sat down with our Threat Research leaders Daniel Blackford, Alexis Dorais-Joncas, Randy Pargman, and Rich Gonzalez, leaders of the ecrime, advanced persistent threat (APT), threat detection, and Emerging Threats teams, respectively. We discussed what we learned over the last year, and what\'s on the horizon for the future. While the discussions touched on different topics and featured different opinions on everything from artificial intelligence (AI) to living off the land binaries (LOLBins) to vulnerability exploitation to ransomware, there were some notable themes that are worth writing down. We can\'t say for sure what surprises are in store, but with our cyber crystals balls fully charged – and a deep knowledge of a year\'s worth of threat actor activity based on millions of email threats per day – we can predict with high confidence what\'s going to be impactful in the coming year. 1: Quick response (QR) codes will continue to proliferate 2023 was the year of the QR code. Although not new, QR codes burst on the scene over the last year and were used in many credential phishing and malware campaigns. The use was driven by a confluence of factors, but ultimately boiled down to the fact that people are now way more accustomed to scanning QR codes for everything from instructions to menus. And threat actors are taking advantage. Proofpoint recently launched new in-line sandboxing capabilities to better defend against this threat, and our teams anticipate seeing more of it in 2024. Notably, however, Dorais-Joncas points out that QR codes still just exist in the realm of ecrime – APT actors have not yet jumped on the QR code bandwagon. (Although, some of those APT actors bring ecrime energy to their campaigns, so it\'s possible they may start QR code phishing, too.) 2: Zero-day and N-day vulnerability exploitation A theme that appeared throughout our conversations was the creative use of vulnerabilities – both known and unreported – in threat actor activity. APT actors used a wide variety of exploits, from TA473 exploiting publicly-facing webmail servers to espionage actors using a zero-day in an email security gateway appliance that ultimately forced users to rip out and reinstall physical hardware. But ecrime actors also exploited their share of vulnerabilities, including the MOVEit file transfer service vulnerability from the spring of 2023 that had cascading repercussions, and the ScreenConnect flaw announced in the fall of 2023 – both of which were used by ecrime actors before being officially published. Proofpoint anticipates vulnerability exploitation will continue, driven in part by improved defense making old school techniques – like macro-enabled documents – much less useful, as well as the vast financial resources now available to cybercriminals that were once just the domain of APT. Pargman says the creativity from ecrime threat actors is a direct response of defenders imposing cost on our adversaries. 3: Continuing, unexpected behavior changes Avid listeners of the podcast know I have regularly said the ecrime landscape is extremely chaotic, with TA577 demonstrating the most chaotic vibes of them all. The tactics, techniques, and procedures (TTPs) of some of the most sophisticated actors continue to change. The cost imposed on threat actors that Pargman mentioned – from law enforcement takedowns of massive botnets like Qbot to improved detections and automated defenses – have forced threat actors, cybercriminals in particular, to regularly change their behaviors to figure out what is most effective. For example, recently Proofpoint has observed the increased use of: traffic dis | Malware | ★★★ | |
|
2024-01-22 20:39:42 | Livraison de logiciels malveillants de l'installateur MSIX à la hausse MSIX Installer Malware Delivery on the Rise (lien direct) |
#### Description
À partir de juillet 2023, Red Canary a commencé à enquêter sur une série d'attaques par des adversaires tirant parti des fichiers MSIX pour fournir des logiciels malveillants.MSIX est un format d'installation de packages d'applications Windows que les équipes et les développeurs informatiques utilisent de plus en plus pour fournir des applications Windows au sein des entreprises.
Les adversaires de chaque intrusion semblaient utiliser une publicité malveillante ou un empoisonnement SEO pour attirer les victimes, qui pensaient qu'ils téléchargeaient des logiciels légitimes tels que Grammarly, Microsoft Teams, Notion et Zoom.Les victimes s'étendent sur plusieurs industries, ce qui suggère que les attaques de l'adversaire sont opportunistes plutôt que ciblées.
#### URL de référence (s)
1. https://redcanary.com/blog/msix-installers/
#### Date de publication
16 janvier 2024
#### Auteurs)
Tony Lambert
#### Description Starting in July 2023, Red Canary began investigating a series of attacks by adversaries leveraging MSIX files to deliver malware. MSIX is a Windows application package installation format that IT teams and developers increasingly use to deliver Windows applications within enterprises. The adversaries in each intrusion appeared to be using malicious advertising or SEO poisoning to draw in victims, who believed that they were downloading legitimate software such as Grammarly, Microsoft Teams, Notion, and Zoom. Victims span multiple industries, suggesting that the adversary\'s attacks are opportunistic rather than targeted. #### Reference URL(s) 1. https://redcanary.com/blog/msix-installers/ #### Publication Date January 16, 2024 #### Author(s) Tony Lambert |
Malware Threat | ★★ | |
|
2024-01-22 17:41:52 | The Fake Fix: New Chae 4,1 $ de logiciels malveillants dans les téléchargements de pilotes The Fake Fix: New Chae$ 4.1 Malware Hides in Driver Downloads (lien direct) |
> Par deeba ahmed
Le dernier CHAE 4,1 $ envoie un message direct aux chercheurs en cybersécurité de Morphisec dans le code source.
Ceci est un article de HackRead.com Lire la publication originale: la fausse correction: nouveau chae 4,1 $ de logiciels malveillants dans les téléchargements de pilotes
>By Deeba Ahmed The latest Chae$ 4.1 sends a direct message to the cybersecurity researchers at Morphisec within the source code. This is a post from HackRead.com Read the original post: The Fake Fix: New Chae$ 4.1 Malware Hides in Driver Downloads |
Malware | ★★★ | |
|
2024-01-22 17:27:24 | Les applications macOS fissurées vidaient les portefeuilles à l'aide de scripts récupérés à partir des enregistrements DNS Cracked macOS apps drain wallets using scripts fetched from DNS records (lien direct) |
Les pirates utilisent une méthode furtive pour livrer aux logiciels malveillants de vol d'informations sur les utilisateurs de MacOS via des enregistrements DNS qui masquent les scripts malveillants.[...]
Hackers are using a stealthy method to deliver to macOS users information-stealing malware through DNS records that hide malicious scripts. [...] |
Malware | ★★★ | |
|
2024-01-22 16:52:00 | NS-Stealer utilise Discord Bots pour exfiltrer vos secrets des navigateurs populaires NS-STEALER Uses Discord Bots to Exfiltrate Your Secrets from Popular Browsers (lien direct) |
Les chercheurs en cybersécurité ont découvert un nouveau voleur d'informations "sophistiqué" basé sur Java qui utilise un bot Discord pour exfiltrer les données sensibles des hôtes compromis.
Le malware, nommé & nbsp; ns-voleur, se propage via des archives ZIP se faisant passer pour un logiciel craqué, le chercheur en sécurité Trellix Gurumoorthhi Ramanathan & nbsp; dit & nbsp; dans une analyse publiée la semaine dernière.
Le fichier zip contient
Cybersecurity researchers have discovered a new Java-based "sophisticated" information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts. The malware, named NS-STEALER, is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week. The ZIP file contains |
Malware | ★★ | |
|
2024-01-22 16:30:00 | De nouveaux cibles malware macOS ciblent les applications fissurées New macOS Malware Targets Cracked Apps (lien direct) |
Kaspersky a déclaré que le malware ciblait MacOS Ventura 13.6 et les versions plus récentes
Kaspersky said the malware targeted macOS Ventura 13.6 and newer versions |
Malware | ★★★ | |
 |
2024-01-22 16:00:00 | Packages de vol d'informations cachés dans PYPI Info Stealing Packages Hidden in PyPI (lien direct) |
Un auteur de malware PYPI de vol d'informations a été identifié de téléchargement discrètement des packages malveillants.Apprendre encore plus.
An info-stealing PyPI malware author was identified discreetly uploading malicious packages. Learn more. |
Malware | ★★★ | |
 |
2024-01-22 13:00:52 | Un guide étape par étape pour repérer et prévenir les injections de cadre A Step-by-Step Guide to Spotting and Preventing Frame Injections (lien direct) |
> Imaginez une jungle numérique florissante où les applications sur le Web sont la faune abondante, et les cybercriminels qui se cachent sont des cybercriminels, toujours prêts à bondir.Parmi leurs méthodes astucieuses, il y a & # 8216; injection de cadre, & # 8217;Une tactique sournoise qui transforme les applications Web en pavés de lancement pour le phishing et les logiciels malveillants s'ils ne sont pas rapidement détectés et écrasés.Considérez Rapid7, une sentinelle de cybersécurité basée dans le Massachusetts.Ils ont récemment découvert et corrigé un dangereux défaut d'injection SQL dans Nexpose, leur logiciel de gestion des vulnérabilités local.Si ce trou était resté caché, il pourrait être devenu la scène parfaite pour une attaque XSS.Heureusement, il existe des méthodes pour atténuer efficacement les attaques d'injection de cadre.Armé [& # 8230;]
>Imagine a thriving digital jungle where web-based applications are the abundant wildlife, and lurking amongst them are cybercriminals, ever ready to pounce. Among their crafty methods is ‘frame injection,’ a sneaky tactic that turns web applications into launchpads for phishing and malware if not quickly detected and squashed. Consider Rapid7, a cybersecurity sentinel based in Massachusetts. They recently discovered and fixed a dangerous SQL injection flaw in Nexpose, their home-grown vulnerability management software. If this hole had stayed hidden, it could’ve become the perfect stage for an XSS attack. Thankfully, there are methods to mitigate frame injection attacks effectively. Armed […] |
Malware Vulnerability | ★★★ | |
 |
2024-01-22 08:00:49 | Le logiciel fissuré bat Gol Cracked software beats gold: new macOS backdoor stealing cryptowallets (lien direct) |
Nous passons en revue une nouvelle porte dérobée macOS qui se reproduit sur un logiciel Cracked pour remplacer les portefeuilles Bitcoin et Exodus par des logiciels malveillants.
We review a new macOS backdoor that piggybacks on cracked software to replace Bitcoin and Exodus wallets with malware. |
Malware | ★★★ | |
|
2024-01-22 06:00:26 | Types de menaces et d'attaques d'identité que vous devez être consciente Types of Identity Threats and Attacks You Should Be Aware Of (lien direct) |
It\'s easy to understand why today\'s cybercriminals are so focused on exploiting identities as a key step in their attacks. Once they have access to a user\'s valid credentials, they don\'t have to worry about finding creative ways to break into an environment. They are already in. Exploiting identities requires legwork and persistence to be successful. But in many ways this tactic is simpler than exploiting technical vulnerabilities. In the long run, a focus on turning valid identities into action can save bad actors a lot of time, energy and resources. Clearly, it\'s become a favored approach for many attackers. In the past year, 84% of companies experienced an identity-related security breach. To defend against identity-based attacks, we must understand how bad actors target the authentication and authorization mechanisms that companies use to manage and control access to their resources. In this blog post, we will describe several forms of identity-based attacks and methods and offer an overview of some security controls that can help keep identity attacks at bay. Types of identity-based attacks and methods Below are eight examples of identity attacks and related strategies. This is not an exhaustive list and, of course, cybercriminals are always evolving their techniques. But this list does provide a solid overview of the most common types of identity threats. 1. Credential stuffing Credential stuffing is a type of brute-force attack. Attackers add pairs of compromised usernames and passwords to botnets that automate the process of trying to use the credentials on many different websites at the same time. The goal is to identify account combinations that work and can be reused across multiple sites. Credential stuffing is a common identity attack technique, in particular for widely used web applications. When bad actors find a winning pair, they can steal from and disrupt many places at once. Unfortunately, this strategy is highly effective because users often use the same passwords across multiple websites. 2. Password spraying Another brute-force identity attack method is password spraying. A bad actor will use this approach to attempt to gain unauthorized access to user accounts by systematically trying commonly used passwords against many usernames. Password spraying isn\'t a traditional brute-force attack where an attacker attempts to use many passwords against a single account. It is a more subtle and stealthy approach that aims to avoid account lockouts. Here\'s how this identity attack usually unfolds: The attacker gathers a list of usernames through public information sources, leaked databases, reconnaissance activities, the dark web and other means. They then select a small set of commonly used or easily guessable passwords. Next, the attacker tries each of the selected passwords against a large number of user accounts until they find success. Password spraying is designed to fly under the radar of traditional security detection systems. These systems may not flag these identity-based attacks due to the low number of failed login attempts per user. Services that do not implement account lockout policies or have weak password policies are at risk for password spraying attacks. 3. Phishing Here\'s a classic and very effective tactic that\'s been around since the mid-1990s. Attackers use social engineering and phishing to target users through email, text messages, phone calls and other forms of communication. The aim of a phishing attack is to trick users into falling for the attacker\'s desired action. That can include providing system login credentials, revealing financial data, installing malware or sharing other sensitive data. Phishing attack methods have become more sophisticated over the years, but they still rely on social engineering to be effective. 4. Social engineering Social engineering is more of an ingredient in an identity attack. It\'s all about the deception and manipulation of users, and it\'s a feature in | Malware Vulnerability Threat Patching Technical | ★★ | |
|
2024-01-20 14:36:08 | Invoice Phishing Alert: TA866 Deploys WasabiSeed & Screenshotter Malware (lien direct) | It\'s easy to understand why today\'s cybercriminals are so focused on exploiting identities as a key step in their attacks. Once they have access to a user\'s valid credentials, they don\'t have to worry about finding creative ways to break into an environment. They are already in. Exploiting identities requires legwork and persistence to be successful. But in many ways this tactic is simpler than exploiting technical vulnerabilities. In the long run, a focus on turning valid identities into action can save bad actors a lot of time, energy and resources. Clearly, it\'s become a favored approach for many attackers. In the past year, 84% of companies experienced an identity-related security breach. To defend against identity-based attacks, we must understand how bad actors target the authentication and authorization mechanisms that companies use to manage and control access to their resources. In this blog post, we will describe several forms of identity-based attacks and methods and offer an overview of some security controls that can help keep identity attacks at bay. Types of identity-based attacks and methods Below are eight examples of identity attacks and related strategies. This is not an exhaustive list and, of course, cybercriminals are always evolving their techniques. But this list does provide a solid overview of the most common types of identity threats. 1. Credential stuffing Credential stuffing is a type of brute-force attack. Attackers add pairs of compromised usernames and passwords to botnets that automate the process of trying to use the credentials on many different websites at the same time. The goal is to identify account combinations that work and can be reused across multiple sites. Credential stuffing is a common identity attack technique, in particular for widely used web applications. When bad actors find a winning pair, they can steal from and disrupt many places at once. Unfortunately, this strategy is highly effective because users often use the same passwords across multiple websites. 2. Password spraying Another brute-force identity attack method is password spraying. A bad actor will use this approach to attempt to gain unauthorized access to user accounts by systematically trying commonly used passwords against many usernames. Password spraying isn\'t a traditional brute-force attack where an attacker attempts to use many passwords against a single account. It is a more subtle and stealthy approach that aims to avoid account lockouts. Here\'s how this identity attack usually unfolds: The attacker gathers a list of usernames through public information sources, leaked databases, reconnaissance activities, the dark web and other means. They then select a small set of commonly used or easily guessable passwords. Next, the attacker tries each of the selected passwords against a large number of user accounts until they find success. Password spraying is designed to fly under the radar of traditional security detection systems. These systems may not flag these identity-based attacks due to the low number of failed login attempts per user. Services that do not implement account lockout policies or have weak password policies are at risk for password spraying attacks. 3. Phishing Here\'s a classic and very effective tactic that\'s been around since the mid-1990s. Attackers use social engineering and phishing to target users through email, text messages, phone calls and other forms of communication. The aim of a phishing attack is to trick users into falling for the attacker\'s desired action. That can include providing system login credentials, revealing financial data, installing malware or sharing other sensitive data. Phishing attack methods have become more sophisticated over the years, but they still rely on social engineering to be effective. 4. Social engineering Social engineering is more of an ingredient in an identity attack. It\'s all about the deception and manipulation of users, and it\'s a feature in | Malware | ★★★ | |
|
2024-01-20 07:46:00 | Alerte de phishing de la facture: TA866 déploie un logiciel malveillant Wasabiseed & Capethotter Invoice Phishing Alert: TA866 Deploys WasabiSeed & Screenshotter Malware (lien direct) |
L'acteur de menace a suivi comme & nbsp; TA866 & nbsp; a refait surface après une interruption de neuf mois avec une nouvelle campagne de phishing en grand volume pour livrer des familles de logiciels malveillants connues telles que Wasabseed et Capshotter.
La campagne, observée plus tôt ce mois-ci et bloquée par Proofpoint le 11 janvier 2024, a consisté à envoyer des milliers d'e-mails sur le thème des factures ciblant l'Amérique du Nord portant des fichiers PDF leurres.
"Les PDF
The threat actor tracked as TA866 has resurfaced after a nine-month hiatus with a new large-volume phishing campaign to deliver known malware families such as WasabiSeed and Screenshotter. The campaign, observed earlier this month and blocked by Proofpoint on January 11, 2024, involved sending thousands of invoice-themed emails targeting North America bearing decoy PDF files. "The PDFs |
Malware Threat | ★★ | |
|
2024-01-19 21:05:18 | Le groupe de menaces russes Coldriver étend son ciblage des responsables occidentaux pour inclure l'utilisation de logiciels malveillants Russian Threat Group COLDRIVER Expands its Targeting of Western Officials to Include the Use of Malware (lien direct) |
#### Description
Le groupe de menaces russes Coldriver, également connu sous le nom de UNC4057, Star Blizzard et Callisto, a élargi son ciblage des responsables occidentaux pour inclure l'utilisation de logiciels malveillants.Le groupe s'est concentré sur les activités de phishing des conférences contre des personnes de haut niveau dans les ONG, les anciens officiers de renseignement et militaire et les gouvernements de l'OTAN.Coldriver a utilisé des comptes d'identité pour établir un rapport avec la cible, augmentant la probabilité du succès de la campagne de phishing \\, et finit par envoyer un lien ou un document de phishing contenant un lien.
Coldriver a été observé en envoyant des cibles des documents PDF bénins à partir de comptes d'identité, présentant ces documents comme un nouveau éditorial ou un autre type d'article que le compte d'identité cherche à publier, demandant des commentaires de la cible.Lorsque l'utilisateur ouvre le PDF bénin, le texte apparaît crypté.Si l'objectif répond qu'ils ne peuvent pas lire le document chiffré, le compte d'identité Coldriver répond par un lien, généralement hébergé sur un site de stockage cloud, à un utilitaire de «décryptage» à l'utilisation de la cible.Cet utilitaire de décryptage, tout en affichant un document de leurre, est en fait une porte dérobée, suivie en tant que SPICA, donnant à Coldriver l'accès à la machine de la victime.
#### URL de référence (s)
1. https://blog.google/thereat-analysis-group/google-tag-coldriver-russian-phishing-malware/
#### Date de publication
18 janvier 2024
#### Auteurs)
Wesley Shields
#### Description Russian threat group COLDRIVER, also known as UNC4057, Star Blizzard, and Callisto, has expanded its targeting of Western officials to include the use of malware. The group has been focused on credential phishing activities against high-profile individuals in NGOs, former intelligence and military officers, and NATO governments. COLDRIVER has been using impersonation accounts to establish a rapport with the target, increasing the likelihood of the phishing campaign\'s success, and eventually sends a phishing link or document containing a link. COLDRIVER has been observed sending targets benign PDF documents from impersonation accounts, presenting these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted. If the target responds that they cannot read the encrypted document, the COLDRIVER impersonation account responds with a link, usually hosted on a cloud storage site, to a “decryption” utility for the target to use. This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving COLDRIVER access to the victim\'s machine. #### Reference URL(s) 1. https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/ #### Publication Date January 18, 2024 #### Author(s) Wesley Shields |
Malware Threat Cloud | ★★ | |
|
2024-01-19 18:18:00 | Les experts mettent en garde contre la porte dérobée macOS cachée dans les versions piratées de logiciels populaires Experts Warn of macOS Backdoor Hidden in Pirated Versions of Popular Software (lien direct) |
Des applications piratées ciblant les utilisateurs d'Apple MacOS ont été observées contenant une porte dérobée capable d'accorder des attaquants à distance aux machines infectées.
"Ces applications sont hébergées sur des sites de piratage chinois afin de gagner des victimes", a déclaré les chercheurs de Lamf Threat Labs Ferdous Saljooki et Jaron Bradley & NBSP.
"Une fois explosé, le malware téléchargea et exécutera plusieurs charges utiles
Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control to infected machines. "These applications are being hosted on Chinese pirating websites in order to gain victims," Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said. "Once detonated, the malware will download and execute multiple payloads |
Malware Threat | ★★★ | |
|
2024-01-19 14:30:52 | 71 millions de courriels ajoutés pour avoir été à partir de la liste de compte naz.api volée 71 Million Emails Added to Have I Been Pwned From Naz.API Stolen Account List (lien direct) |
Près de 71 millions d'adresses e-mail liées à des comptes compromis de l'ensemble de données NAZ.API ont été incorporés dans le service de notification de violation de données.L'ensemble de données NAZ.API, composé de 1 milliard d'identification, est une compilation approfondie dérivée des listes de rembourrage des informations d'identification et des données pilinées par des logiciels malveillants de vol d'information.Les listes de bourrage d'identification comprennent la connexion [& # 8230;]
Le message 71 millions de courriels ajoutés pour que je sois venu de la liste de compte naz.api apparu pour la première fois sur Guru de sécurité informatique.
Almost 71 million email addresses linked to compromised accounts from the Naz.API dataset have been incorporated into the data breach notification service of Have I Been Pwned. The Naz.API dataset, consisting of 1 billion credentials, is an extensive compilation derived from credential stuffing lists and data pilfered by information-stealing malware. Credential stuffing lists comprise login […] The post 71 Million Emails Added to Have I Been Pwned From Naz.API Stolen Account List first appeared on IT Security Guru. |
Data Breach Malware | ★★★ | |
|
2024-01-19 11:00:00 | Les pirates russes Coldriver déploient des logiciels malveillants pour cibler les responsables occidentaux Russian Coldriver Hackers Deploy Malware to Target Western Officials (lien direct) |
Google a averti que le Coldriver lié à la Russie a élargi son ciblage des responsables occidentaux en déployant des logiciels malveillants pour exfiltrer des données sensibles
Google has warned that the Russia-linked Coldriver has expanded its targeting of Western officials by deploying malware to exfiltrate sensitive data |
Malware | ★★ | |
|
2024-01-19 00:32:31 | Distribution de smokeloader ciblant le gouvernement et les entreprises ukrainiens Distribution of SmokeLoader Targeting Ukrainian Government and Companies (lien direct) |
Ahnlab Security Intelligence Center (ASEC) a découvert que plusieurs souches de malware smokeloder sont distribuées au gouvernement ukrainien etentreprises.Il semble que le nombre d'attaques ciblant l'Ukraine ait récemment augmenté.Les objectifs confirmés jusqu'à présent comprennent le ministère ukrainien de la Justice, les institutions publiques, les compagnies d'assurance, les institutions médicales, les entreprises de construction et les entreprises de fabrication.L'e-mail distribué suit le format illustré à la figure 1 écrite en ukrainien.Le corps comprenait des informations liées à une facture, incitant le lecteur à exécuter ...
AhnLab SEcurity intelligence Center (ASEC) discovered that multiple SmokeLoader malware strains are being distributed to the Ukrainian Government and companies. It seems that the number of attacks targeting Ukraine has increased recently. The targets confirmed so far include the Ukrainian Department of Justice, public institutions, insurance companies, medical institutions, construction companies, and manufacturing companies. The distributed email follows the format shown in Figure 1 written in Ukrainian. The body included information related to an invoice, prompting the reader to execute... |
Malware Medical | ★★★ | |
|
2024-01-18 23:00:00 | Google: Coldriver apt de Russie \\ se déchaîne \\ 'spica \\' malware Google: Russia\\'s ColdRiver APT Unleashes Custom \\'Spica\\' Malware (lien direct) |
Juste à temps pour la saison électorale américaine, l'un des groupes d'espionnage de hack-and-fuite préférés du Kremlin - Star Blizzard - a développé sa toute première porte dérobée personnalisée.
Just in time for the US election season, one of the Kremlin\'s favorite hack-and-leak spy groups - Star Blizzard - has developed its very first custom backdoor. |
Malware | ★★ | |
|
2024-01-18 22:01:00 | Nouveau docker malware vole le processeur pour la crypto et le trafic de faux site Web New Docker Malware Steals CPU for Crypto & Drives Fake Website Traffic (lien direct) |
Les services vulnérables Docker sont ciblés par une nouvelle campagne dans laquelle les acteurs de la menace déploient un mineur de crypto-monnaie XMRIG ainsi que le logiciel du téléspectateur 9HITS dans le cadre d'une stratégie de monétisation à plusieurs volets.
"Il s'agit du premier cas documenté de logiciels malveillants déploiement de l'application 9HITS en tant que charge utile", a déclaré Cado, la société de sécurité cloud, ajoutant que le développement est un signe que les adversaires sont
Vulnerable Docker services are being targeted by a novel campaign in which the threat actors are deploying XMRig cryptocurrency miner as well as the 9Hits Viewer software as part of a multi-pronged monetization strategy. "This is the first documented case of malware deploying the 9Hits application as a payload," cloud security firm Cado said, adding the development is a sign that adversaries are |
Malware Threat Cloud | ★★ | |
|
2024-01-18 20:19:00 | Les pirates russes Coldriver se développent au-delà du phishing avec des logiciels malveillants personnalisés Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware (lien direct) |
L'acteur de menace lié à la Russie connue sous le nom de Coldriver a été observé, a fait évoluer son métier pour aller au-delà de la récolte d'identification pour livrer ses tout premiers logiciels malveillants personnalisés écrits dans le langage de programmation de la rouille.
Le groupe d'analyse des menaces de Google (TAG), qui a partagé les détails de la dernière activité, a déclaré que les chaînes d'attaque exploitent les PDF en tant que documents de leurre pour déclencher la séquence d'infection.Les leurres sont
The Russia-linked threat actor known as COLDRIVER has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language. Google\'s Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence. The lures are |
Malware Threat | ★★★ | |
 |
2024-01-18 18:44:20 | AndroxGH0st malware botnet vole AWS, les informations d'identification Microsoft et plus Androxgh0st Malware Botnet Steals AWS, Microsoft Credentials and More (lien direct) |
Le botnet malware AndroxGH0st est utilisé pour l'identification et l'exploitation des victimes dans les réseaux ciblés, ainsi que pour la collecte des informations d'identification.Lisez les conseils du FBI / CISA \\ pour protéger contre cette menace malveillante.
The Androxgh0st malware botnet is used for victim identification and exploitation in targeted networks, as well as credentials collection. Read the FBI/CISA\'s tips for protecting against this malware threat. |
Malware Threat | ★★ | |
|
2024-01-18 16:30:00 | Une nouvelle campagne de logiciels malveillants exploite 9hits dans Docker Assault New Malware Campaign Exploits 9hits in Docker Assault (lien direct) |
Découvert par Cado Security, la campagne déploie deux conteneurs à des instances de Docker vulnérables
Discovered by Cado Security, the campaign deploys two containers to vulnerable Docker instances |
Malware | ★★ | |
|
2024-01-18 15:44:00 | Nouveau nouveau macOS MacOs Backdoor sur les sites Web chinois Stealthy New macOS Backdoor Hides on Chinese Websites (lien direct) |
Les logiciels malveillants modifiés du projet open source KHEPRI qui partage des similitudes avec le voleur de données Zuru récoltent les données et diminuent des charges utiles supplémentaires.
Modified malware from the Khepri open source project that shares similarities with the ZuRu data stealer harvests data and drops additional payloads. |
Malware | ★★★ | |
|
2024-01-18 15:15:00 | \\ 'chaes \\' Le code d'infostealer contient des notes d'amour de chasse à la menace cachée \\'Chaes\\' Infostealer Code Contains Hidden Threat Hunter Love Notes (lien direct) |
L'analyse de l'infostaler malware version 4.1 comprend un art ASCII caché et un cri remerciant des chercheurs en cybersécurité.
Analysis of the infostealer malware version 4.1 includes hidden ASCII art and a shout-out thanking cybersecurity researchers. |
Malware Threat | ★★ | |
|
2024-01-18 15:00:00 | Google: des pirates d'État russes déploient des logiciels malveillants dans des attaques d'espionnage à travers l'Europe Google: Russian state hackers deploying malware in espionage attacks around Europe (lien direct) |
Les pirates d'État russes tentent de plus en plus de déployer des délais sur les appareils des cibles dans les pays de l'OTAN et l'Ukraine, selon Nouvelles recherches du groupe d'analyse des menaces de Google \\.Les chercheurs ont constaté que les tactiques des pirates du Centre 18, une unité au sein du Federal Security Service (FSB) de Russie, ont évolué ces derniers mois à des derniers mois
Russian state hackers are increasingly attempting to deploy backdoors on the devices of targets in NATO countries and Ukraine, according to new research from Google\'s Threat Analysis Group. The researchers found that the tactics of hackers from Center 18, a unit within Russia\'s Federal Security Service (FSB), have evolved in recent months to more sophisticated |
Malware Threat | ★★ | |
 |
2024-01-18 14:06:53 | L'APT russe connu pour les attaques de phishing développe également des logiciels malveillants, prévient Google Russian APT Known for Phishing Attacks Is Also Developing Malware, Google Warns (lien direct) |
> Le groupe de menaces russes Colriver a développé SPICA, un malware qui lui permet de compromettre les systèmes et de voler des informations.
>Russian threat group ColdRiver has developed Spica, a malware that enables it to compromise systems and steal information. |
Malware Threat | ★★★ |
To see everything:
Our RSS (filtrered)
