SEC News

What's new arround internet

Last one

Src	Date (GMT)	Titre	Description	Tags	Stories	Notes
	2024-03-26 19:39:28	MALWORE SIGN1: analyse, historique de la campagne et indicateurs de compromis Sign1 Malware: Analysis, Campaign History & Indicators of Compromise (lien direct)	#### Description Une nouvelle campagne de logiciels malveillants appelée Sign1 a été découverte par Sucuri et Godaddy Infosec.Le malware a été trouvé sur plus de 2 500 sites au cours des deux derniers mois.Le malware est injecté dans des widgets HTML personnalisés WordPress que les attaquants ajoutent aux sites Web compromis.Le malware est injecté à l'aide d'un plugin CSS et JS personnalisé légitime.Le malware est conçu pour rediriger les visiteurs vers des sites d'escroquerie.Le malware est basé sur le temps et utilise du code JavaScript dynamique pour générer des URL qui changent toutes les 10 minutes.Le logiciel malveillant cherche spécifiquement à voir si le visiteur provient de sites Web majeurs tels que Google, Facebook, Yahoo, Instagram, etc. Si le référent ne correspond pas à ces principaux sites, alors le malware ne s'exécutera pas. #### URL de référence (s) 1. https://blog.sucuri.net/2024/03/sign1-malware-analysis-campaign-history-indicators-odi-cocompromis.html #### Date de publication 20 mars 2024 #### Auteurs) Ben Martin #### Description A new malware campaign called Sign1 has been discovered by Sucuri and GoDaddy Infosec. The malware has been found on over 2,500 sites in the past two months. The malware is injected into WordPress custom HTML widgets that the attackers add to compromised websites. The malware is injected using a legitimate Simple Custom CSS and JS plugin. The malware is designed to redirect visitors to scam sites. The malware is time-based and uses dynamic JavaScript code to generate URLs that change every 10 minutes. The malware is specifically looking to see if the visitor has come from any major websites such as Google, Facebook, Yahoo, Instagram etc. If the referrer does not match to these major sites, then the malware will not execute. #### Reference URL(s) 1. https://blog.sucuri.net/2024/03/sign1-malware-analysis-campaign-history-indicators-of-compromise.html #### Publication Date March 20, 2024 #### Author(s) Ben Martin	Malware	Yahoo	★★
	2023-05-10 10:00:00	RSAC 2023 \|La recherche sur la cybersécurité sur l'informatique Edge génère un grand intérêt RSAC 2023 \| Cybersecurity research on edge computing generates big interest (lien direct)	RSAC 2023 was a huge success. We launched our 2023 AT&T Cybersecurity Insights Report, which was met with enthusiasm by the industry and the media. In fact, Will Townsend, writing for Forbes, noted that our report joined other great research by industry peers who are striving to do more than just provide security solutions. “RSAC 2023 could be best characterized by its emphasis on the advantages and disadvantages of AI and numerous published cybersecurity reports designed to raise awareness of threats and subsequent remediation, in addition to cybersecurity platform enhancements. These subjects are a definite departure from the past few RSAC events, which seemed to be zero-trust "me too” conventions. It is a welcome change, given that the emphasis on improving security outcomes benefits everyone.” Read more >> Townsend perfectly captures the AT&T Cybersecurity mission to help business leaders understand both the business and security landscape - and how it’s evolving as technology continues to change the way we work and live. After listening to the challenges organizations are encountering, it’s clear that research and understanding the business landscape are essential parts of a responsible cybersecurity vendor strategy. DDoS versus ransomware – how does edge computing change the equation? I participated in a panel discussion hosted by Channel Futures examining the challenges of securing critical infrastructure. The discussion kicked off with a Gartner prediction, “by 2025, 30% of critical infrastructure organizations will experience a security breach resulting in the halting of operations and/or mission-critical cyber-physical system.,” I spoke about our research findings that indicate a change in perceived attacks: when it comes to edge computing, DDoS is perceived as a greater attack concern than ransomware. “One of the reasons cybercriminals are gravitating to DDoS is it’s cheaper and easier than ransomware.” Read more >> I did a video interview with BankInfoSecurity.com discussing how edge computing and innovative use cases are changing the way we’re dealing with cyber resilience. "Organizations are investing in the edge but they also know that their endpoints are changing," said Lanowitz. "They want to make sure they are futureproofing themselves and going to be dynamic in their cyber resilience. That\'s because the security edge is not linear or a straight line. It\'s a circuitous, often confusing, and an often-changing environment that you will have to live with." Learn more >> Watch the webcast discussing the AT&T Cybersecurity Insights Report findings. If you prefer to listen to the research results,	Ransomware Malware	Yahoo	★★
	2022-11-22 11:00:00	10 Ways to spot a phishing attempt (lien direct)	The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. Phishing attacks are becoming more and more common, and they're only getting more sophisticated. While there are a variety of ways to defend yourself against phishing attacks, one of the best methods is simply to be able to spot them. With that in mind, here are 10 common signs that an email or other communication may be a phishing attempt. Calls from an unknown number If you get a call from an unknown number, and the caller claims to be from your bank or another organization, be very careful. This is a classic phishing tactic. The caller will try to obtain personal information from you, such as your credit card number or Social Security number. They might also try to get you to click on a link that will install malware on your computer. Don't give out any personal information to someone who calls you out of the blue. And if they try to get you to click on a link, don't do it. Hang up and call the organization they claimed to be from using a number you know to be legitimate (e.g., the number on the back of your credit card or from the organization's website). What’s more, consider doing a reverse phone lookup on them to see where the number is actually originating from. The message is not personalized If you receive an email that doesn't address you by name or refers to you as "Dear User" or "Dear Valued Customer," be wary. Phishing emails often use generic greetings in an attempt to seem more widespread - and less suspicious - than they actually are. That's because they are usually sent out en masse as part of a massive automated campaign. Phishers usually just have a list of email addresses and the idea isn't to find out the name of the person it belongs to or do any kind of in-depth personalization, but to get as many people as possible to click on the links in their message. The sender's email address doesn't match the organization they're claiming to represent This is a pretty straightforward way to spot a phishing attempt. If you get an email purporting to be from your bank, but the email address it comes from is something like johnsmith12345@gmail.com, then it's pretty clear that something is not right. Organizations won’t send out official communications from a Gmail or Hotmail address. They will always use their own domain name (e.g., WellsFargo.com, PayPal.com). So, if the email you receive is coming from anything other than an organization's official domain, it's a huge red flag. There are grammatical errors or typos in the email If you receive an email that is full of grammatical errors, typos, or just generally seems to be poorly written, it's a good indicator that it's a phishing email. Phishers often send out their emails quickly and without much care or attention to detail. So if an email looks like it was dashed off in a hurry, with no regard for proper spelling or grammar, it's probably a phishing email. Phishing scams also originate overseas, and the architects of these scams aren't native English speakers. So another giveaway that an email might be a phishing attempt is if it contains poor grammar or strange phrasing. The message is urgent or includes a sense of urgency Phishers often try to create a sense of urgency in their emails in order to get people to act quickly without thinking. They might say that your account is about to be closed, or that you need to take action immediately to prevent	Malware	Deloitte Yahoo	★★★★
	2022-09-07 15:00:00	Anomali Cyber Watch: EvilProxy Defeats Second Factor, Ragnar Locker Ransomware Hits Critical Infrastructure, Montenegro Blames Russia for Massive Cyberattack, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Critical infrastructure, Crypto mining, Delayed execution, Phishing, Ransomware, Reverse proxy, Russia, and Steganography. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web (published: September 5, 2022) Resecurity researchers analyzed EvilProxy, a phishing kit that uses reverse proxy and cookie injection methods to bypass two-factor authentication (2FA). EvilProxy uses extensive virtual machine checks and browser fingerprinting. If the victim passes the checks, Evilproxy acts as a proxy between the victim and the legitimate site that asks for credentials. EvilProxy is being sold as a service on the dark web. Since early May 2022, Evilproxy enables phishing attacks against customer accounts of major brands such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex, and others. Analyst Comment: EvilProxy is a dangerous automation tool that enables more phishing attacks. Additionally, EvilProxy targeting GitHub and npmjs accounts increases risks of follow-up supply-chain attacks. Anomali platform has historic EvilProxy network indicators that can help when investigating incidents affecting 2FA. With 2FA bypass, users need to be aware of phishing risks and pay even more attention to domains that ask for their credentials and 2FA codes. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 \| [MITRE ATT&CK] Proxy - T1090 \| [MITRE ATT&CK] Supply Chain Compromise - T1195 Tags: EvilProxy, Phishing, Phishing-as-s-service, Reverse proxy, Cookie injection, 2FA, MFA, Supply chain Ragnar Locker Ransomware Targeting the Energy Sector (published: September 1, 2022) Cybereason researchers investigated the Ragnar Locker ransomware that was involved in cyberattack on DESFA, a Greek pipeline company. On August 19, 2022, the Ragnar Locker group listed DESFA on its data leak site. The group has been active since 2019 and it is not the first time it targets critical infrastructure companies with the double-extortion scheme. Their Ragnar Locker ransomware shows the typical abilities of modern ransomware including system information and location collection, deleting shadow copies, identifying processes (antiviruses, backup solutions, IT remote management solutions, and virtual-based software), and encrypting the system with the exception list in mind. Analyst Comment: Ragnar Locker appears to be an aggressive ransomware group that is not shy attacking critical infrastructure as far as they are not in the Commonwealth of Independent States (Russia and associated countries). Always be on high alert while reading emails, in particular those with attachments, URL redirection, false sense of urgency or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and teste	Ransomware Malware Tool Threat Patching Guideline	Yahoo
	2022-08-30 08:00:09	ModernLoader delivers multiple stealers, cryptominers and RATs (lien direct)	By Vanja SvajcerCisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering a variety of threats, including the ModernLoader bot, RedLine information-stealer and cryptocurrency-mining malware to victims. The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRAT, to enable various stages of their operations. The attackers' use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary.The final payload appears to be ModernLoader, which acts as a remote access trojan (RAT) by collecting system information and deploying various modules. In the earlier campaigns from March, we also observed the attackers delivering the cryptocurrency mining malware XMRig. The March campaigns appeared to be targeting Eastern European users, as the constructor utility we analyzed had predefined script templates written in Bulgarian, Polish, Hungarian and Russian.The actors are attempting to compromise vulnerable web applications to serve malware and deliver threats via files masquerading as fake Amazon gift cards. Technical detailsInitial findingsIn June 2022, Cisco Talos identified an unusual command line execution in our telemetry. The decoded base64 command is below:Initial finding: A command executed on the system.The 31.41.244[.]231 IP is a Russian IP and hosts several other URLs with similar naming conventions. Autostart commandFollowing the discovery of the initial command, we identified two other command lines. They are a result of an autorun registered executable and the execution of a scheduled task.	Malware Tool Threat	Yahoo
	2022-08-23 07:50:00	Google Uncovers Tool Used by Iranian Hackers to Steal Data from Email Accounts (lien direct)	The Iranian government-backed actor known as Charming Kitten has added a new tool to its malware arsenal that allows it to retrieve user data from Gmail, Yahoo!, and Microsoft Outlook accounts. Dubbed HYPERSCRAPE by Google Threat Analysis Group (TAG), the actively in-development malicious software is said to have been used against less than two dozen accounts in Iran, with the oldest known	Malware Tool Threat Conference	Yahoo APT 35
	2022-06-21 15:03:00	Anomali Cyber Watch: GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool, DragonForce Malaysia OpsPatuk / OpsIndia and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT35, CrescentImp, Follina, Gallium, Phosphorous, and Sandworm. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Update: The Phish Goes On - 5 Million Stolen Credentials and Counting (published: June 16, 2022) PIXM researchers describe an ongoing, large-scale Facebook phishing campaign. Its primary targets are Facebook Messenger mobile users and an estimated five million users lost their login credentials. The campaign evades Facebook anti-phishing protection by redirecting to a new page at a legitimate service such as amaze.co, famous.co, funnel-preview.com, or glitch.me. In June 2022, the campaign also employed the tactic of displaying legitimate shopping cart content at the final page for about two seconds before displaying the phishing content. The campaign is attributed to Colombian actor BenderCrack (Hackerasueldo) who monetizes displaying affiliate ads. Analyst Comment: Users should check what domain is asking for login credentials before providing those. Organizations can consider monitoring their employees using Facebook as a Single Sign-On (SSO) Provider. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 \| [MITRE ATT&CK] User Execution - T1204 Tags: Facebook, Phishing, Facebook Messenger, Social networks, Mobile, Android, iOS, Redirect, Colombia, source-country:CO, BenderCrack, Hackerasueldo F5 Labs Investigates MaliBot (published: June 15, 2022) F5 Labs researchers describe a novel Android trojan, dubbed MaliBot. Based on re-written SOVA malware code, MaliBot is maintaining its Background Service by setting itself as a launcher. Its code has some unused evasion portions for emulation environment detection and setting the malware as a hidden app. MaliBot spreads via smishing, takes control of the device and monetizes using overlays for certain Italian and Spanish banks, stealing cryptocurrency, and sometimes sending Premium SMS to paid services. Analyst Comment: Users should be wary of following links in unexpected SMS messages. Try to avoid downloading apps from third-party websites. Be cautious with enabling accessibility options. MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016 \| [MITRE ATT&CK] User Execution - T1204 Tags: MaliBot, Android, MFA bypass, SMS theft, Premium SMS, Smishing, Binance, Trust wallet, VNC, SOVA, Sality, Cryptocurrency, Financial, Italy, target-country:IT, Spain, target-country:ES Extortion Gang Ransoms Shoprite, Largest Supermarket Chain in Africa (published: June 15, 2022) On June 10, 2022, the African largest supermarket chain operating in twelve countries, Shoprite Holdings, announced a possible cybersecurity incident. The company notified customers in E	Ransomware Malware Tool Vulnerability Threat Guideline Conference	Yahoo APT 35
	2021-01-12 11:00:00	Why cybersecurity awareness is a team sport (lien direct)	Image Source This blog was written by an independent guest blogger. Cybersecurity may be different based on a person's viewpoint. One may want to simply protect and secure their social media accounts from hackers, and that would be the definition of what cybersecurity is to them. On the other hand, a small business owner may want to protect and secure credit card information gathered from their point-of-sale registers and that is what they define as cybersecurity. Despite differences in implementation, at its core, cybersecurity pertains to the mitigation of potential intrusion of unauthorized persons into your system(s). It should encompass all aspects of one’s digital experience--whether you are an individual user or a company. Your cyber protection needs to cover your online platforms, devices, servers, and even your cloud storage. Any unprotected area of your digital journey can serve as an exploit point for hackers and cyber criminals intent on finding vulnerabilities. People assume that it is the responsibility of the IT Department to stop any intrusion. That may be true up to a certain point, cybersecurity responsibility rests with everyone, in reality. Cybersecurity should be everybody’s business. The cybersecurity landscape is changing. With 68% of businesses saying that their cybersecurity risks have increased, it is no wonder that businesses have been making increased efforts to protect from, and mitigate attacks. During the height of the pandemic, about 46% of the workforce shifted to working from home. We saw a surge in cybersecurity attacks - for example, RDP brute-force attacks increased by 400% around the same time. This is why cybersecurity must be and should be everybody’s business. According to the 2019 Cost of Cybercrime Study, cyberattacks often are successful due to employees willingly participating as an internal actors or or employees and affiliates carelessly clicking a link by accident. Sadly, it is still happening today. Unsuspecting employees can be caught vulnerable and cause a corporate-wide cyberattack by opening a phishing email or bringing risks into the company’s network in a BYOD (Bring Your Own Device) system. Just a decade ago, Yahoo experienced a series of major data breaches, via a backdoor to their network system established by a hacker (or a group of hackers). Further digital forensic investigation shows the breach started from a phishing email opened by an employee. Another example was Equifax when it experienced a data breach in 2017 and was liable for fines amounting to $425 million by the Federal Trade Commission (FTC). Companies continue to double up on their investments in cybersecurity and privacy protection today to ensure that incidents like these do not happen to their own networks. But a network is only as strong as its weakest link. Hackers continue to innovate, making their attacks more and mo	Ransomware Data Breach Malware Vulnerability Guideline	Equifax Equifax Yahoo Yahoo
	2019-09-03 11:55:00	Report: Iranian \'Mole\' Carried Stuxnet to Iranian Nuclear Facility (lien direct)	An engineer recruited by the Dutch intelligence agency AIVD helped bring to Iran's Natanz nuclear facility the malware via USB that ultimately infected systems there and sabotaged centrifuges, according to an exclusive report from Yahoo News.	Malware	Yahoo

Last update at: 2024-05-10 14:08:03
See our sources.

To see everything: Our RSS (filtrered)