What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-04-17 10:00:00 | Le groupe \\ 'Sandworm \\' est la principale unité de cyberattaque de la Russie en Ukraine \\'Sandworm\\' Group Is Russia\\'s Primary Cyberattack Unit in Ukraine (lien direct) |
Mais même avec cet objectif, le groupe de menaces sophistiqué a continué ses opérations contre les cibles dans le monde, y compris les États-Unis, explique Mandiant de Google \\.
But even with that focus, the sophisticated threat group has continued operations against targets globally, including the US, says Google\'s Mandiant. |
Threat | ★★ | |
 |
2024-04-17 07:21:35 | TEHTRIS dévoile les coulisses de l\'économie florissante du Phishing-as-a-Service (PhaaS), dans son nouveau rapport Threat Intelligence (lien direct) | TEHTRIS dévoile les coulisses de l'économie florissante du Phishing-as-a-Service (PhaaS), dans son nouveau rapport Threat Intelligence Au-delà d'une analyse des nouvelles mécaniques de PhaaS utilisées par les cybercriminels et des recommandations pour s'en prémunir, ce rapport lève le voile sur deux affaires inédites : le développement de camps du cybercrime en Asie et les premiers résultats d'une enquête sur le groupe d'attaquants Codex 40. - Malwares | Threat | ★★★★ | |
 |
2024-04-17 02:55:50 | Navigation de l'IA et de la cybersécurité: aperçus du Forum économique mondial (WEF) Navigating AI and Cybersecurity: Insights from the World Economic Forum (WEF) (lien direct) |
La cybersécurité a toujours été un domaine complexe.Sa nature contradictoire signifie que les marges entre l'échec et le succès sont beaucoup plus fines que dans d'autres secteurs.Au fur et à mesure que la technologie évolue, ces marges deviennent encore plus fines, avec les attaquants et les défenseurs qui se précipitent pour les exploiter et gagner un avantage concurrentiel.Cela est particulièrement vrai pour l'IA.En février, le Forum économique mondial (WEF) a publié un article intitulé "AI et cybersécurité: comment naviguer dans les risques et les opportunités", mettant en évidence les impacts existants et potentiels de l'AI \\ sur la cybersécurité.L'essentiel?L'IA profite à la fois les bons et les méchants, donc c'est ...
Cybersecurity has always been a complex field. Its adversarial nature means the margins between failure and success are much finer than in other sectors. As technology evolves, those margins get even finer, with attackers and defenders scrambling to exploit them and gain a competitive edge. This is especially true for AI. In February, the World Economic Forum (WEF) published an article entitled " AI and cybersecurity: How to navigate the risks and opportunities ," highlighting AI\'s existing and potential impacts on cybersecurity. The bottom line? AI benefits both the good and bad guys, so it\'s... |
Threat | ★★ | |
|
2024-04-16 22:00:00 | Comment les planches peuvent se préparer aux ordinateurs quantiques How Boards Can Prepare for Quantum Computers (lien direct) |
L'informatique quantique au niveau qui constitue une menace pour les mesures de cybersécurité actuelles est encore des années de congé.Voici ce que les entreprises peuvent faire maintenant pour éviter les perturbations futures.
Quantum computing on the level that poses a threat to current cybersecurity measures is still years off. Here\'s what enterprises can do now to avoid future disruptions. |
Threat | ★★ | |
 |
2024-04-16 19:09:00 | TA558 Hackers Armez des images pour les attaques de logiciels malveillants à grande échelle TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks (lien direct) |
L'acteur de menace suivi comme & nbsp; TA558 & nbsp; a été observé en tirant la stéganographie comme une technique d'obscuscation pour fournir un large éventail de logiciels malveillants tels que l'agent Tesla, le formbook, Remcos Rat, Lokibot, Guloader, Snake Keylogger et Xworm, entre autres.
"Le groupe a utilisé beaucoup de stéganographie en envoyant des VBS, du code PowerShell, ainsi que des documents RTF avec un exploit intégré, à l'intérieur
The threat actor tracked as TA558 has been observed leveraging steganography as an obfuscation technique to deliver a wide range of malware such as Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm, among others. "The group made extensive use of steganography by sending VBSs, PowerShell code, as well as RTF documents with an embedded exploit, inside |
Malware Threat | ★★★ | |
|
2024-04-16 18:08:40 | Le duo cybercriminal mondial est en cas d'emprisonnement après le programme de rats Hive Global Cybercriminal Duo Face Imprisonment After Hive RAT Scheme (lien direct) |
Les deux auraient vendu le Trojan sur les forums de piratage, permettant à d'autres acteurs de menace d'obtenir un contrôle non autorisé, de désactiver les programmes, de parcourir les fichiers, d'enregistrer des frappes et de voler des informations d'identification.
The two allegedly sold the Trojan on Hack Forums, allowing other threat actors to gain unauthorized control, disable programs, browse files, record keystrokes, and steal credentials. |
Hack Threat | ★★ | |
 |
2024-04-16 18:00:00 | Couverture des menaces de netskope: ransomware de fourmis maléfique Netskope Threat Coverage: Evil Ant Ransomware (lien direct) |
> Résumé Netskope Threat Labs a récemment analysé une nouvelle souche de ransomware nommée Evil Ant.Evil Ant Ransomware est un logiciel malveillant basé sur Python compilé à l'aide de Pyinstaller qui cherche à crypter tous les fichiers stockés sur les dossiers personnels et les lecteurs externes de la victime.Cette souche de ransomware nécessite la continuité du traitement du chiffrement jusqu'à la récupération du fichier.Redémarrer, fermer ou mettre fin au [& # 8230;]
>Summary Netskope Threat Labs recently analyzed a new ransomware strain named Evil Ant. Evil Ant ransomware is a Python-based malware compiled using PyInstaller that looks to encrypt all files stored on the victim’s personal folders and external drives. This ransomware strain requires process continuity from encryption until file recovery. Rebooting, shutting down, or ending the […] |
Ransomware Malware Threat | ★★ | |
 |
2024-04-16 13:00:44 | Sécuriser le secteur financier avec Check Point Infinity Global Services Securing the Financial Sector with Check Point Infinity Global Services (lien direct) |
> La transformation numérique a une efficacité considérablement améliorée dans le secteur financier, mais non sans élever le paysage cyber-risque.Les résultats récents du Fonds monétaire international (FMI) révèlent une réalité frappante: les cyberattaques ont plus que doublé depuis la pandémie, mettant en lumière la vulnérabilité du secteur financier en raison de sa gestion des données et des transactions sensibles.Les entreprises ont été confrontées à d'énormes sanctions pour les violations de données, les pertes quadruples à 2,5 milliards de dollars depuis 2017. L'interdépendance de l'industrie financière facilite non seulement ces attaques, mais aussi leur potentiel de saper la confiance dans le système financier mondial. Les recherches sur le point de contrôle confirment que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cela confirme que cetteMenace, notre intelligence des menaces a trouvé [& # 8230;]
>The digital transformation has significantly enhanced efficiency within the financial sector, but not without elevating the cyber risk landscape. Recent findings by the International Monetary Fund (IMF) reveal a stark reality: cyberattacks have more than doubled since the pandemic, spotlighting the financial sector’s vulnerability due to its handling of sensitive data and transactions. Companies have faced enormous penalties for data breaches, with losses quadrupling to $2.5 billion since 2017. The financial industry’s interconnectedness not only facilitates these attacks but also their potential to undermine trust in the global financial system. Check Point Research confirms this threat, our threat intelligence found […] |
Vulnerability Threat | ★★ | |
|
2024-04-16 12:59:13 | Crest lance un nouveau guide pour la cyber-menace intelligence CREST launches new guide to cyber threat intelligence (lien direct) |
Crest lance un nouveau guide pour la cyber-menace intelligence
Crest a mis à jour son guide sur les renseignements sur la cyber-menace pour des organisations de conseils sur la façon de garder une longueur d'avance dans la cybersécurité.
-
Livre blanc
/ /
Livreblanchome
CREST launches new guide to cyber threat intelligence CREST has updated its guide on Cyber Threat Intelligence to advice organisations on how to stay one step ahead in cyber security. - WHITE PAPER / livreBlancHome |
Threat | ★★ | |
 |
2024-04-16 12:00:33 | Synergie des solutions avancées de détection et de réponse des menaces d'identité Synergizing Advanced Identity Threat Detection & Response Solutions (lien direct) |
Explorez la synergie de la sécurité duo de Cisco \\ & # 038;Intelligence d'identité, renforçant la cyber-défense avec détection avancée des menaces & # 038;capacités de réponse
Explore the synergy of Cisco\'s Duo Security & Identity Intelligence, bolstering cyber defense with advanced threat detection & response capabilities |
Threat | ★★ | |
 |
2024-04-16 10:00:00 | Facteur humain de la cybersécurité: fusion de la technologie avec des stratégies centrées sur les personnes Cybersecurity\\'s Human Factor: Merging Tech with People-Centric Strategies (lien direct) |
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. In a digital era marked by rapidly evolving threats, the complexity of cybersecurity challenges has surged, pressing organizations to evolve beyond traditional, tech-only defense strategies. As the cyber landscape grows more intricate, there\'s a pivotal shift towards embracing methods that are not just robust from a technical standpoint but are also deeply human-centric. This also means that a significant percentage of employees, driven by the high demands of operational pressures, may engage in risky cybersecurity behaviors. Such statistics illuminate the urgent need for a more nuanced approach to cybersecurity—one that not only fortifies defenses but also resonates with and supports the people behind the screens. Integrating human-centric design with continuous threat management emerges as a forward-thinking strategy, promising a balanced blend of technical excellence and user empathy to navigate the complex cybersecurity challenges of today and tomorrow. Embracing the Human Element in Cybersecurity Diving into the realm of human-centric security design and culture, it\'s clear that the future of cybersecurity isn\'t just about the latest technology—it\'s equally about the human touch. This approach puts the spotlight firmly on enhancing the employee experience, ensuring that cybersecurity measures don\'t become an unbearable burden that drives people to take shortcuts. By designing systems that people can use easily and effectively, the friction often caused by stringent security protocols can be significantly reduced. Gartner\'s insights throw a compelling light on this shift, predicting that by 2027, half of all Chief Information Security Officers (CISOs) will have formally embraced human-centric security practices. This isn\'t just a hopeful guess but a recognition of the tangible benefits these practices bring to the table—reducing operational friction and bolstering the adoption of essential controls. This strategic pivot also acknowledges a fundamental truth. When security becomes a seamless part of the workflow, its effectiveness skyrockets. It\'s a win-win, improving both the user experience and the overall security posture. CTEM: Your Cybersecurity Compass in Stormy Seas Imagine that your organization\'s cybersecurity landscape isn\'t just a static battleground. Instead, it’s more like the open sea, with waves of threats coming and going, each with the potential to breach your defenses. That\'s where Continuous Threat Exposure Management (CTEM) sails in, serving as your trusted compass, guiding you through these treacherous waters. CTEM isn\'t your average, run-of-the-mill security tactic. It\'s about being proactive, scanning the horizon with a spyglass, looking for potential vulnerabilities before they even become a blip on a hacker\'s radar. Think of it as your cybersecurity early-warning system, constantly on the lookout for trou | Vulnerability Threat Studies Prediction Medical Technical | ★★ | |
 |
2024-04-16 06:00:54 | De l'ingénierie sociale aux abus DMARC: Ta427 \\'s Art of Information Gathering From Social Engineering to DMARC Abuse: TA427\\'s Art of Information Gathering (lien direct) |
Key takeaways TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime. In addition to using specially crafted lure content, TA427 heavily leverages think tank and non-governmental organization-related personas to legitimize its emails and increase the chances that targets will engage with the threat actor. To craftily pose as its chosen personas, TA427 uses a few tactics including DMARC abuse in concert with free email addresses, typosquatting, and private email account spoofing. TA427 has also incorporated web beacons for initial reconnaissance of its targets, establishing basic information like that the email account is active. Overview Proofpoint researchers track numerous state-sponsored and state-aligned threat actors. TA427 (also known as Emerald Sleet, APT43, THALLIUM or Kimsuky), a Democratic People\'s Republic of Korea (DPRK or North Korea) aligned group working in support of the Reconnaissance General Bureau, is particularly prolific in email phishing campaigns targeting experts for insight into US and the Republic of Korea (ROK or South Korea) foreign policy. Since 2023, TA427 has directly solicited foreign policy experts for their opinions on nuclear disarmament, US-ROK policies, and sanction topics via benign conversation starting emails. In recent months, Proofpoint researchers have observed (Figure 1) a steady, and at times increasing, stream of this activity. While our researchers have consistently observed TA427 rely on social engineering tactics and regularly rotating its email infrastructure, in December 2023 the threat actor began to abuse lax Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to spoof various personas and, in February 2024, began incorporating web beacons for target profiling. It is this initial engagement, and the tactics successfully leveraged by TA427, which this blog is focused on. Figure 1. Volume of TA427 phishing campaigns observed between January 2023 and March 2024. Social engineering TA427 is a savvy social engineering expert whose campaigns are likely in support of North Korea\'s strategic intelligence collection efforts on US and ROK foreign policy initiatives. Based on the targets identified and the information sought, it is believed that TA427\'s goal is to augment North Korean intelligence and inform its foreign policy negotiation tactics (example Figure 2). TA427 is known to engage its targets for extended periods of time through a series of benign conversations to build a rapport with targets that can occur over weeks to months. They do so by constantly rotating which aliases are used to engage with the targets on similar subject matter. Figure 2. Example of TA427 campaign focused on US policy during an election year. Using timely, relevant lure content (as seen in Figure 3) customized for each victim, and often spoofing individuals in the DPRK research space with whom the victim is familiar to encourage engagement, targets are often requested to share their thoughts on these topics via email or a formal research paper or article. Malware or credential harvesting are never directly sent to the targets without an exchange of multiple messages, and based on Proofpoint visibility, rarely utilized by the threat actor. It is possible that TA427 can fulfill its intelligence requirements by directly asking targets for their opinions or analysis rather than from an infection. Additionally, insight gained from the correspondence is likely used to improve targeting of the victim organization and establish rapport for later questions and engagement. Figure 3. Timeline of real-world events based on international press reporting, side-by-side with Proofpoint observed subject lures. Lure content often includes invitations to attend events about North Korean policies regarding international affairs, questions regarding topics such as how deterr | Malware Tool Threat Conference | APT 37 APT 43 | ★★ |
 |
2024-04-15 20:31:45 | Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400) (lien direct) | ## Instantané
Le 10 avril 2024, la volexité a découvert l'exploitation zéro-jour d'une vulnérabilité dans la fonctionnalité GlobalProtect de Palo Alto Networks Pan-OS à l'un de ses clients de surveillance de la sécurité des réseaux (NSM).La vulnérabilité a été confirmée comme un problème d'injection de commande de système d'exploitation et attribué CVE-2024-3400.Le problème est une vulnérabilité d'exécution de code distante non authentifiée avec un score de base CVSS de 10,0.L'acteur de menace, que volexité suit sous l'alias UTA0218, a pu exploiter à distance l'appareil de pare-feu, créer un shell inversé et télécharger d'autres outils sur l'appareil.L'attaquant s'est concentré sur l'exportation des données de configuration des appareils, puis en le tirant en tirant comme point d'entrée pour se déplacer latéralement au sein des organisations victimes.Au cours de son enquête, Volexity a observé que l'UTA0218 avait tenté d'installer une porte dérobée Python personnalisée, que volexité appelle Upstyle, sur le pare-feu.La porte dérobée Upstyle permet à l'attaquant d'exécuter des commandes supplémentaires sur l'appareil via des demandes de réseau spécialement conçues.UTA0218 a été observé en exploitant des appareils de pare-feu pour déployer avec succès des charges utiles malveillantes.Après avoir réussi à exploiter les appareils, UTA0218 a téléchargé des outils supplémentaires à partir de serveurs distants qu'ils contrôlaient afin de faciliter l'accès aux réseaux internes des victimes.Ils se sont rapidement déplacés latéralement à travers les réseaux victimes de victimes, extrait les informations d'identification sensibles et autres fichiers qui permettraient d'accéder pendant et potentiellement après l'intrusion.Le métier et la vitesse employés par l'attaquant suggèrent un acteur de menace hautement capable avec un livre de jeu clair sur quoi accéder pour poursuivre leurs objectifs.Il est probable que l'exploitation du dispositif de pare-feu, suivie d'une activité de planche pratique, a été limitée et ciblée.Cependant, les preuves d'une activité de reconnaissance potentielle impliquant une exploitation plus répandue visant à identifier les systèmes vulnérables semblent avoir eu lieu au moment de la rédaction.
## Les références
[https://security.paloaltonetworks.com/CVE-2024-3400#new_tab.
[https://www.volexity.com/blog/2024/04/12/zero-ay-exploitation-of-unauthenticated-remote-code-execution-vulnerabilité-in-GlobalProtect-CVE-2024-3400 /] (https://www.volexity.com/blog/2024/04/12/zero-kay-exploitation-of-unauthenticated-remote-code-execution-vulnerabilité-in-globalprotect-CVE-2024-3400 /)
## Snapshot On April 10, 2024, Volexity discovered zero-day exploitation of a vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers. The vulnerability was confirmed as an OS command injection issue and assigned CVE-2024-3400. The issue is an unauthenticated remote code execution vulnerability with a CVSS base score of 10.0. The threat actor, which Volexity tracks under the alias UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device. The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations. During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests. UTA0218 was observed exploiting firewall devices to successfully deploy malicious payloads. After successfully exploiting devices, UTA0218 downloaded additional tooling from remote servers they controlled in order to facilitate access to victims\' internal networks. They quickly moved laterally thr |
Tool Vulnerability Threat | ★★ | |
|
2024-04-15 19:28:57 | Palo Alto Network émet des chaussettes pour un bug zéro-jour dans son pare-feu OS Palo Alto Network Issues Hotfixes for Zero-Day Bug in Its Firewall OS (lien direct) |
Un acteur de menace sophistiqué tire parti du bug pour déployer une porte dérobée Python pour voler des données et exécuter d'autres actions malveillantes.
A sophisticated threat actor is leveraging the bug to deploy a Python backdoor for stealing data and executing other malicious actions. |
Vulnerability Threat | ★★ | |
|
2024-04-15 18:59:00 | Les changements de Balance confondus se concentrent sur le SaaS et le nuage pour les attaques d'extorsion et de vol de données Muddled Libra Shifts Focus to SaaS and Cloud for Extortion and Data Theft Attacks (lien direct) |
L'acteur de menace connu sous le nom de & nbsp; Mouddled Balance & NBSP; a été observé activement ciblant les applications logicielles en tant que logiciels (SaaS) et les environnements du fournisseur de services cloud (CSP) dans le but d'exfiltrer des données sensibles.
«Les organisations stockent souvent une variété de données dans les applications SaaS et les services d'utilisation des CSP», Palo Alto Networks Unit 42 & NBSP; Said & NBSP; dans un rapport publié la semaine dernière.
"La menace
The threat actor known as Muddled Libra has been observed actively targeting software-as-a-service (SaaS) applications and cloud service provider (CSP) environments in a bid to exfiltrate sensitive data. "Organizations often store a variety of data in SaaS applications and use services from CSPs," Palo Alto Networks Unit 42 said in a report published last week. "The threat |
Threat Cloud | ★★ | |
 |
2024-04-15 16:43:18 | PALO Alto Networks Relaying Corrections pour les jours zéro alors que les attaquants essaiffent la vulnérabilité VPN Palo Alto Networks releases fixes for zero-day as attackers swarm VPN vulnerability (lien direct) |
L'acteur de menace connu sous le nom de & nbsp; Mouddled Balance & NBSP; a été observé activement ciblant les applications logicielles en tant que logiciels (SaaS) et les environnements du fournisseur de services cloud (CSP) dans le but d'exfiltrer des données sensibles.
«Les organisations stockent souvent une variété de données dans les applications SaaS et les services d'utilisation des CSP», Palo Alto Networks Unit 42 & NBSP; Said & NBSP; dans un rapport publié la semaine dernière.
"La menace
The threat actor known as Muddled Libra has been observed actively targeting software-as-a-service (SaaS) applications and cloud service provider (CSP) environments in a bid to exfiltrate sensitive data. "Organizations often store a variety of data in SaaS applications and use services from CSPs," Palo Alto Networks Unit 42 said in a report published last week. "The threat |
Vulnerability Threat | ★★★ | |
 |
2024-04-15 16:15:00 | Russie et Ukraine Top Inaugural World Cybercrime Index Russia and Ukraine Top Inaugural World Cybercrime Index (lien direct) |
Une équipe internationale de chercheurs a publié les tout premiers pays de classement des indices par le niveau de menace de cybercriminalité
An international team of researchers published the first-ever index ranking countries by cybercrime threat level |
Threat | ★★ | |
|
2024-04-15 16:07:11 | Des pirates soutenus par l'Iran font exploser des textes menaçants aux Israéliens Iran-Backed Hackers Blast Out Threatening Texts to Israelis (lien direct) |
Handala Threat Group prétend avoir piraté les systèmes radar en Israël à mesure que les tensions augmentent entre les deux nations.
Handala threat group claims to have hacked radar systems in Israel as tensions rise between the two nations. |
Threat | ★★★ | |
|
2024-04-15 15:15:00 | Faits saillants hebdomadaires, 15 avril 2024 Weekly OSINT Highlights, 15 April 2024 (lien direct) |
## Snapshot Last week\'s OSINT reporting reveals a landscape of diverse cyber threats characterized by sophisticated attack tactics and adaptable threat actors. One key trend was the increasing use of artificial intelligence (AI) by cybercriminals, including AI-powered malvertising on social media platforms and suspected LLM-generated content in a malware campaign targeting German organizations. Additionally, several OSINT articles reported on the trend of exploiting popular platforms like YouTube and GitHub to distribute malware. Threat actors demonstrate a keen understanding of user behavior, leveraging enticing content and fake webpages to lure victims into downloading malicious payloads, highlighting the importance of proactive defense strategies to mitigate evolving threats effectively. ## Description 1. **[German Organizations Targeted with Rhadamanthys Malware](https://security.microsoft.com/intel-explorer/articles/119bde85):** Proofpoint identifies TA547 launching an email campaign targeting German organizations with Rhadamanthys malware, representing a shift in techniques for the threat actor. The campaign involves impersonating a German retail company in emails containing password-protected ZIP files containing LNK files triggering PowerShell scripts to load Rhadamanthys into memory, bypassing disk writing. The incorporation of suspected LLM-generated content into the attack chain provides insight into how threat actors are leveraging LLM-generated content in malware campaigns. 2. **[Russian-Language Cybercrime Operation Leveraging Fake Web3 Gaming Projects](https://security.microsoft.com/intel-explorer/articles/0cdc08b5):** The Insikt Group uncovers a large-scale Russian-language cybercrime operation distributing infostealer malware through fake Web3 gaming projects targeting both macOS and Windows users. Threat actors entice users with the potential for cryptocurrency earnings, distributing malware like Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, or RisePro upon visiting imitation Web3 gaming projects\' webpages. 3. **[AI-Powered Malvertising Campaigns on Social Media](https://security.microsoft.com/intel-explorer/articles/1e1b0868):** Bitdefender discusses the use of artificial intelligence (AI) by cybercriminals in malvertising campaigns on social media platforms, impersonating popular AI software to distribute stealers like Rilide, Vidar, IceRAT, and Nova Stealer. These campaigns target European users through fake AI software webpages on Facebook, organized by taking over existing accounts and boosting page popularity through engaging content. 4. **[Exploitation of YouTube Channels for Infostealer Distribution](https://security.microsoft.com/intel-explorer/articles/e9f5e219):** AhnLab identifies a trend where threat actors exploit YouTube channels to distribute Infostealers like Vidar and LummaC2, disguising them as cracked versions of legitimate software. Attackers hijack popular channels with hundreds of thousands of subscribers, distributing malicious links through video descriptions and comments, highlighting concerns about the potential reach and impact of distributed malware. 5. **[VenomRAT Distribution via Phishing Email with Malicious SVG Files](https://security.microsoft.com/intel-explorer/articles/98d69c76):** FortiGuard Labs reveals a threat actor distributing VenomRAT and other plugins through phishing emails containing malicious Scalable Vector Graphics (SVG) files. The email attachment downloads a ZIP file containing an obfuscated Batch file, subsequently loading VenomRAT using ScrubCrypt to maintain a connection with a command and control (C2) server and install plugins on victims\' environments. 6. **[Malware Distribution through GitHub Repositories Manipulation](https://security.microsoft.com/intel-explorer/articles/4d0ffb2c):** Checkmarx reports a cybercriminal attack campaign manipulating GitHub\'s search functionality to distribute malware through repositories. Attackers create repositories with popular names and topics, hiding malicious code withi | Ransomware Spam Malware Tool Threat Prediction | ★★ | |
|
2024-04-15 14:34:00 | Les logiciels espions iOS liés à listes chinoises ciblent les utilisateurs d'iPhone sud-asiatique Chinese-Linked LightSpy iOS Spyware Targets South Asian iPhone Users (lien direct) |
Les chercheurs en cybersécurité ont découvert une campagne de cyber-espionnage "renouvelée" ciblant les utilisateurs en Asie du Sud dans le but de livrer un implant de logiciel espant de l'Apple iOS appelé & nbsp; LightSpy.
"La dernière itération de LightSpy, surnommée \\ 'f_warehouse, \' possède un cadre modulaire avec des fonctionnalités d'espionnage étendues", l'équipe de recherche et de renseignement sur les menaces BlackBerry & NBSP; Said & Nbsp; Dans un rapport publié en dernier
Cybersecurity researchers have discovered a "renewed" cyber espionage campaign targeting users in South Asia with the aim of delivering an Apple iOS spyware implant called LightSpy. "The latest iteration of LightSpy, dubbed \'F_Warehouse,\' boasts a modular framework with extensive spying features," the BlackBerry Threat Research and Intelligence Team said in a report published last |
Threat Mobile | ★★ | |
|
2024-04-15 14:30:00 | Palo Alto Networks Flaw Zero-Day exploité dans des attaques ciblées Palo Alto Networks Zero-Day Flaw Exploited in Targeted Attacks (lien direct) |
Désigné CVE-2024-3400 et avec un score CVSS de 10,0, la faille permet aux acteurs non autorisés d'exécuter un code arbitraire sur les pare-feu affectés
Designated CVE-2024-3400 and with a CVSS score of 10.0, the flaw enables unauthorized actors to execute arbitrary code on affected firewalls |
Vulnerability Threat | ★★ | |
|
2024-04-15 13:00:33 | Microsoft et Google en tête de liste des attaques de phishing du premier tri Microsoft and Google Top the List in Q1 2024 Phishing Attacks: Check Point Research Highlights a Surge in Cyber Threats (lien direct) |
> L'entrée Airbnb & # 8217; dans le top 10 des marques a imité les signaux élargissant les horizons cybercriminaux dans le paysage en constante évolution des cyber-menaces, les attaques de phishing continuent de présenter un risque important pour les individus et les organisations dans le monde.Check Point Research (RCR), la branche de renseignement des menaces de Check Point & Reg;Software Technologies Ltd., a récemment publié son dernier classement de phishing de marque pour le premier trimestre de 2024. Ce classement a mis en lumière les marques les plus fréquemment imitées par les cybercriminels dans leurs tentatives implacables de tromper et de voler des informations personnelles ou des informations d'identification de paiement.Au cours du premier trimestre de 2024, Microsoft a continué d'être la marque la plus imitée en phishing [& # 8230;]
>Airbnb’s Entry into Top 10 imitated Brands Signals Expanding Cybercriminal Horizons In the ever-evolving landscape of cyber threats, phishing attacks continue to pose a significant risk to individuals and organizations worldwide. Check Point Research (CPR), the Threat Intelligence arm of Check Point® Software Technologies Ltd., has recently released its latest Brand Phishing Ranking for the first quarter of 2024. This ranking shed light on the brands most frequently imitated by cybercriminals in their relentless attempts to deceive and steal personal information or payment credentials. During the first quarter of 2024, Microsoft continued to be the most imitated brand in phishing […] |
Threat | ★★★ | |
|
2024-04-15 11:16:11 | 15 avril & # 8211;Rapport de renseignement sur les menaces 15th April – Threat Intelligence Report (lien direct) |
> Pour les dernières découvertes en cyberLes principales attaques et violation du géant de l'optique japonaise Hoya Corporation ont été victimes d'une attaque de ransomware qui a eu un impact sur sa principale infrastructure informatique et diverses divisions commerciales.Hunters International Ransomware Gang a revendiqué la responsabilité de l'attaque et [& # 8230;]
>For the latest discoveries in cyber research for the week of 15th April, please download our Threat_Intelligence Bulletin. TOP ATTACKS AND BREACHES Japanese optics giant Hoya Corporation has been a victim of a ransomware attack that impacted its major IT infrastructure and various business divisions. Hunters International ransomware gang claimed responsibility for the attack and […] |
Ransomware Threat | ★★ | |
|
2024-04-15 09:39:45 | HarfangLab et Filigran s\'allient pour optimiser la réponse à incidents (lien direct) | HarfangLab et Filigran s'allient pour optimiser la réponse à incidents Les deux experts en cybersécurité s'associent pour aider les équipes cyber de toutes tailles à intégrer et à automatiser la gestion des données sur les menaces afin d'accélérer la détection et les réponses aux incidents. - Business | Threat | ★★ | |
 |
2024-04-15 09:08:44 | L\'impact de l\'intelligence artificielle sur la société et les menaces croissantes des cybercriminels (lien direct) | L'intelligence artificielle (IA) a progressivement infiltré les recoins de nos vies, comme les plus sombres d'internet, transformant de nombreux aspects de notre vie quotidienne. Avec l'augmentation de la demande de logiciels alimentés par l'IA pour les créateurs de contenu, les cybercriminels n'ont... | Threat | ★★ | |
|
2024-04-15 06:00:31 | Comment la protection d'identification de la preuve peut vous aider à répondre aux exigences de conformité CMMC How Proofpoint Impersonation Protection Can Help You Meet CMMC Compliance Requirements (lien direct) |
The Cybersecurity Maturity Model Certification (CMMC) program enforces the protection of sensitive unclassified information that the U.S. Department of Defense (DoD) shares with its contractors and subcontractors. Threat actors know how to hijack your trusted organization communications. They can impersonate you, your brand or your organization partners. And they can make a nice profit doing it. The FBI\'s 2023 Internet Crime Report notes that last year\'s adjusted losses from organization email compromise (BEC) cases exceeded $2.9 billion-up 7.4% from 2022. Bad actors use spoofed domains, lookalike domains, compromised supplier accounts and other tactics in their attacks. So it\'s important to keep communications with trusted partners, customers and suppliers safe. This should be a top focus for government agencies and the organizations that they work with since they are key targets for bad actors. Proofpoint helps you mitigate the risk of impersonation abuse with a holistic, multilayered approach. With Proofpoint Impersonation Protection, you can: Protect your organization\'s communications from impersonation threats Stop attackers from impersonating your brand Detect and defend against risky suppliers, including compromised supplier accounts Secure user and application emails so that they can be trusted We help our federal and defense industrial base customers with Level 3 CMMC controls around the Risk Assessment (RA) and Identification and Authentication (IA) Practices. Here\'s how. CMMC overviews for Level 3 controls In this section, we match CMMC compliance requirements with the capabilities of Proofpoint Impersonation Protection. CMMC Level 3 – Risk Assessment Practice RA.L3-3.11.1e – Threat-Informed Risk Assessment CMMC compliance requirement Employ threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting and response and recovery activities. RA.L3-3.11.3e – Advanced Risk Identification CMMC compliance requirement Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizations, systems and system components. RA.L3-3.11.6e – Supply Chain Risk Response CMMC compliance requirement Assess, respond to and monitor supply chain risks associated with organizational systems and system components. RA.L3-3.11.7e – Supply Chain Risk Plan CMMC compliance requirement Develop a plan for managing supply chain risks associated with organizational systems and system components; update the plan at least annually, and upon receipt of relevant cyber threat information, or in response to a relevant cyber incident. How Proofpoint Impersonation Protection meets the Risk Assessment (RA) Practice needs above Proofpoint Nexus Supplier Risk Explorer gives you insights into supplier risk. This includes threats where attackers are impersonating your agency as well as compromised suppliers and third parties. Supplier Risk can also be used as part of a vendor risk management process when sourcing and choosing new vendors/suppliers. Proofpoint provides visibility into supply chain threats, lookalike detection, and impersonations of your brand with Supplier Risk and Domain Discover. This helps to create the supply chain risk plans that are needed to comply with CMMC. Supplier Risk Explorer identifies supplier domains and shows you which suppliers pose a risk to your organization. As noted above, Supplier Risk Explorer assesses the risk level of supplier domains by evaluating several dimensions, including: Threats sent to your organization Threats sent to other Proofpoint customers The lookalikes of supplier domains Whether a domain was recently registered Whether a domain has a DMARC reject policy By ranking an | Threat Industrial Prediction Commercial | ★★ | |
|
2024-04-13 13:55:00 | Les pirates déploient la porte dérobée Python dans l'attaque de Palo Alto-Day Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack (lien direct) |
Les acteurs de la menace ont exploité la faille de zéro jour nouvellement divulguée à Palo
Alto Networks Pan-OS Software datant du 26 mars 2024, près de trois
Des semaines avant, il se révèle hier.
La division Unit 42 de la société de sécurité du réseau est & nbsp; suivi & nbsp; l'activité sous le nom & nbsp; opération MidnightClipse, l'attribuant comme le travail d'un seul acteur de menace de
Threat actors have been exploiting the newly disclosed zero-day flaw in Palo Alto Networks PAN-OS software dating back to March 26, 2024, nearly three weeks before it came to light yesterday. The network security company\'s Unit 42 division is tracking the activity under the name Operation MidnightEclipse, attributing it as the work of a single threat actor of |
Vulnerability Threat | ★★ | |
 |
2024-04-13 10:00:16 | Hacker affirme que la violation des données géantes du tigre, fuit 2,8 m de dossiers en ligne Hacker claims Giant Tiger data breach, leaks 2.8M records online (lien direct) |
Le géant canadien de la chaîne de vente au détail Tiger a révélé une violation de données en mars 2024. Un acteur de menace a maintenant publiquement revendiqué la responsabilité de la violation de données et a divulgué 2,8 millions de dossiers sur un forum de pirates qu'ils prétendent être des clients géants Tiger.[...]
Canadian retail chain Giant Tiger disclosed a data breach in March 2024. A threat actor has now publicly claimed responsibility for the data breach and leaked 2.8 million records on a hacker forum that they claim are of Giant Tiger customers. [...] |
Data Breach Threat | ★★★ | |
|
2024-04-13 08:35:15 | PALO Alto Networks Zero-Day exploité depuis mars dans des pare-feu de porte dérobée Palo Alto Networks zero-day exploited since March to backdoor firewalls (lien direct) |
Les pirates suspects parrainés par l'État ont exploité une vulnérabilité zéro jour dans les pare-feu Palo Alto suivis comme CVE-2024-3400 depuis le 26 mars, en utilisant les appareils compromis pour violer les réseaux internes, voler des données et des informations d'identification.[...]
Suspected state-sponsored hackers have been exploiting a zero-day vulnerability in Palo Alto Networks firewalls tracked as CVE-2024-3400 since March 26, using the compromised devices to breach internal networks, steal data and credentials. [...] |
Vulnerability Threat | ★★★ | |
 |
2024-04-12 22:29:44 | CVE-2024-3400: Ce que vous devez savoir sur le Pan-OS Zero-Day critique CVE-2024-3400: What You Need to Know About the Critical PAN-OS Zero-Day (lien direct) |
MISE À JOUR: Il a été confirmé que la désactivation de la télémétrie ne bloquera pas cet exploit.L'application d'un correctif dès que possible est la correction la plus efficace pour cette vulnérabilité.Des correctifs pour 8 des 18 versions vulnérables ont été publiées;Les correctifs pour les versions vulnérables restantes sont attendues avant le 19 avril.Crowdsstrike travaille constamment à [& # 8230;]
UPDATE: It has been confirmed that disabling telemetry will not block this exploit. Applying a patch as soon as possible is the most effective remediation for this vulnerability. Patches for 8 of the 18 vulnerable versions have been released; patches for the remaining vulnerable versions are expected by April 19th. CrowdStrike is constantly working to […] |
Vulnerability Threat | ★★ | |
|
2024-04-12 20:50:01 | La plate-forme d'analyse des logiciels malveillants de CISA \\ pourrait favoriser une meilleure menace Intel CISA\\'s Malware Analysis Platform Could Foster Better Threat Intel (lien direct) |
Mais la façon dont le gouvernement différencie sa plate-forme des options similaires du secteur privé reste à voir.
But just how the government differentiates its platform from similar private-sector options remains to be seen. |
Malware Threat | ★★ | |
|
2024-04-12 18:11:30 | TA547 cible les organisations allemandes avec Rhadamanthys Stealer TA547 Targets German Organizations with Rhadamanthys Stealer (lien direct) |
#### Géolocations ciblées
- Allemagne
## Instantané
Proofpoint a identifié TA547 lancement d'une campagne de courriel ciblant les organisations allemandes avec Rhadamanthys malware, marquant la première utilisation connue de Rhadamanthys par cet acteur de menace.La campagne consistait à usurper l'identité d'une entreprise de vente au détail allemande dans des e-mails contenant des fichiers ZIP protégés par mot de passe prétendument liés aux factures, ciblant plusieurs industries en Allemagne.
## Description
Les fichiers zip contenaient des fichiers LNK qui, lorsqu'ils sont exécutés, ont déclenché un script PowerShell pour exécuter un script distant chargeant des Rhadamanthys en mémoire, en contournant l'écriture de disque.Le script PowerShell affichait des caractéristiques suggérant un contenu généré par la machine, potentiellement à partir de modèles de langues grands (LLM).
La récente campagne en Allemagne représente un changement dans les techniques de TA547, y compris l'utilisation de LNK comprimés et du voleur Rhadamanthys non observé auparavant.L'incorporation de contenu suspecté de LLM dans la chaîne d'attaque donne un aperçu de la façon dont les acteurs de la menace tirent parti du contenu généré par LLM dans les campagnes de logiciels malveillants, bien qu'il n'ait pas modifié la fonctionnalité ou l'efficacité du malware ou la façon dont les outils de sécurité ont défendu contre lui.
## Recommandations
[Consultez la rédaction de Microsoft \\ sur les voleurs d'informations ici.] (Https://sip.security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6)
[Consultez OSINT supplémentaire sur Rhadamanthys ici.] (Https://sip.security.microsoft.com/intel-explorer/articles/0131b256)
## Les références
[https://www.poolinpoint.com/us/blog/thereat-insight/security-brief-ta547-targets-geman-organizations-rhadamanthys-tealermenace-insight / sécurité-Brief-Ta547-Targets-German-Organisations-Rhadamanthys-Stealer)
#### Targeted Geolocations - Germany ## Snapshot Proofpoint has identified TA547 launching an email campaign targeting German organizations with Rhadamanthys malware, marking the first known use of Rhadamanthys by this threat actor. The campaign involved impersonating a German retail company in emails containing password-protected ZIP files purportedly related to invoices, targeting multiple industries in Germany. ## Description The ZIP files contained LNK files which, when executed, triggered a PowerShell script to run a remote script loading Rhadamanthys into memory, bypassing disk writing. The PowerShell script displayed characteristics suggestive of machine-generated content, potentially from large language models (LLMs). The recent campaign in Germany represents a shift in techniques for TA547, including the use of compressed LNKs and the previously unobserved Rhadamanthys stealer. The incorporation of suspected LLM-generated content into the attack chain provides insight into how threat actors are leveraging LLM-generated content in malware campaigns, although it did not change the functionality or efficacy of the malware or the way security tools defended against it. ## Recommendations [Check out Microsoft\'s write-up on information stealers here.](https://sip.security.microsoft.com/intel-profiles/2296d491ea381b532b24f2575f9418d4b6723c17b8a1f507d20c2140a75d16d6) [Check out additional OSINT on Rhadamanthys here.](https://sip.security.microsoft.com/intel-explorer/articles/0131b256) ## References [https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer](https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer) |
Malware Tool Threat | ★★ | |
 |
2024-04-12 17:02:59 | Exploitation zéro-jour de la vulnérabilité d'exécution du code distant non authentifié dans GlobalProtect (CVE-2024-3400) Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400) (lien direct) |
> La volexité tient à remercier les réseaux Palo Alto pour leur partenariat, leur coopération et leur réponse rapide à ce problème critique.Leurs recherches peuvent être trouvées ici.Le 10 avril 2024, la volexité a identifié l'exploitation zéro-jour d'une vulnérabilité trouvée dans la fonctionnalité GlobalProtect de Palo Alto Networks Pan-OS à l'un de ses clients de surveillance de la sécurité des réseaux (NSM).La volexité a reçu des alertes concernant le trafic de réseau suspect émanant du pare-feu du client.Une enquête ultérieure a déterminé que le dispositif avait été compromis.Le lendemain, le 11 avril 2024, la volexité a observé plus loin, une exploitation identique à un autre de ses clients NSM par le même acteur de menace.L'acteur de menace, que volexité suit sous l'alias UTA0218, a pu exploiter à distance l'appareil de pare-feu, créer un shell inversé et télécharger d'autres outils sur l'appareil.L'attaquant s'est concentré sur l'exportation des données de configuration des périphériques, puis en le tirant en tirant comme point d'entrée pour se déplacer latéralement dans [& # 8230;]
>Volexity would like to thank Palo Alto Networks for their partnership, cooperation, and rapid response to this critical issue. Their research can be found here. On April 10, 2024, Volexity identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers. Volexity received alerts regarding suspect network traffic emanating from the customer\'s firewall. A subsequent investigation determined the device had been compromised. The following day, April 11, 2024, Volexity observed further, identical exploitation at another one of its NSM customers by the same threat actor. The threat actor, which Volexity tracks under the alias UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device. The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within […] |
Tool Vulnerability Threat | ★★★ | |
|
2024-04-12 15:19:00 | Les pirates iraniens de Muddywater adoptent un nouvel outil C2 \\ 'darkbeatc2 \\' dans la dernière campagne Iranian MuddyWater Hackers Adopt New C2 Tool \\'DarkBeatC2\\' in Latest Campaign (lien direct) |
L'acteur de menace iranien connue sous le nom de Muddywater a été attribué à une nouvelle infrastructure de commandement et de contrôle (C2) appelé & nbsp; darkbeatc2, devenant le dernier outil de ce type dans son arsenal après & nbsp; middyc2go.
"Tout en passant occasionnellement à un nouvel outil d'administration à distance ou en modifiant leur cadre C2, les méthodes de Muddywater \\ restent constantes"
The Iranian threat actor known as MuddyWater has been attributed to a new command-and-control (C2) infrastructure called DarkBeatC2, becoming the latest such tool in its arsenal after SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go. "While occasionally switching to a new remote administration tool or changing their C2 framework, MuddyWater\'s methods remain constant," Deep |
Tool Threat | ★★ | |
|
2024-04-12 14:36:02 | Palo Alto Networks met en garde contre le produit zéro dans le produit VPN Palo Alto Networks warns of zero-day in VPN product (lien direct) |
L'acteur de menace iranien connue sous le nom de Muddywater a été attribué à une nouvelle infrastructure de commandement et de contrôle (C2) appelé & nbsp; darkbeatc2, devenant le dernier outil de ce type dans son arsenal après & nbsp; middyc2go.
"Tout en passant occasionnellement à un nouvel outil d'administration à distance ou en modifiant leur cadre C2, les méthodes de Muddywater \\ restent constantes"
The Iranian threat actor known as MuddyWater has been attributed to a new command-and-control (C2) infrastructure called DarkBeatC2, becoming the latest such tool in its arsenal after SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go. "While occasionally switching to a new remote administration tool or changing their C2 framework, MuddyWater\'s methods remain constant," Deep |
Vulnerability Threat | ★★★ | |
|
2024-04-12 14:26:00 | Alerte zéro-jour: réseaux Palo Alto critiques Pan-OS Flaw sous attaque active Zero-Day Alert: Critical Palo Alto Networks PAN-OS Flaw Under Active Attack (lien direct) |
Palo Alto Networks avertit qu'un défaut critique impactant son logiciel Pan-OS utilisé dans ses passerelles GlobalProtect est exploité dans la nature.
Suivi en AS & NBSP; CVE-2024-3400, le problème a un score CVSS de 10,0, indiquant une gravité maximale.
"Une vulnérabilité d'injection de commande dans la fonctionnalité GlobalProtect de Palo Alto Networks Pan-OS Logiciel pour des versions PAN-OS spécifiques et une fonctionnalité distincte
Palo Alto Networks is warning that a critical flaw impacting its PAN-OS software used in its GlobalProtect gateways is being exploited in the wild. Tracked as CVE-2024-3400, the issue has a CVSS score of 10.0, indicating maximum severity. "A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature |
Vulnerability Threat | ★★ | |
 |
2024-04-12 13:33:29 | La menace croissante du harcèlement sur les réseaux sociaux.Voici comment vous protéger. The Rising Threat of Social Media Harassment. Here\\'s How to Protect Yourself. (lien direct) |
> 
Certaines conversations sur les réseaux sociaux peuvent devenir… chauffées.Certains peuvent franchir la ligne dans le harcèlement.Ou pire.Harcèlement sur ...
> 
Some conversations on social media can get … heated. Some can cross the line into harassment. Or worse. Harassment on...
|
Threat | ★★ | |
|
2024-04-12 11:15:00 | Palo Alto Networks met en garde contre le zéro-jour critique dans Pan-OS Palo Alto Networks Warns About Critical Zero-Day in PAN-OS (lien direct) |
Un correctif pour CVE-2024-3400 est prévu le 4 avril, a annoncé Palo Alto Networks
A fix for CVE-2024-3400 is scheduled on April 4, Palo Alto Networks announced |
Vulnerability Threat | ★★ | |
|
2024-04-12 11:11:38 | Palo Alto Networks offre une plateforme SOC de l\'industrie pour le cloud (lien direct) | Palo Alto Networks offre une plateforme SOC de l'industrie pour le cloud Alors que les entreprises investissent dans le cloud, les nouvelles fonctionnalités de Cortex XSIAM permettent aux équipes SecOps d'identifier et de remédier aux menaces sur les applications cloud native, en temps réel. - Produits | Threat Cloud | ★★ | |
 |
2024-04-12 09:55:57 | Les acteurs de la menace manipulent la recherche GitHub pour fournir des logiciels malveillants Threat Actors Manipulate GitHub Search to Deliver Malware (lien direct) |
> CheckMarx met en garde contre une nouvelle attaque en s'appuyant sur la manipulation de la recherche GitHub pour livrer du code malveillant.
>Checkmarx warns of a new attack relying on GitHub search manipulation to deliver malicious code. |
Malware Threat | ★★ | |
 |
2024-04-12 08:01:00 | Le groupe de menaces Fin7 cible l'industrie automobile américaine Threat Group FIN7 Targets the U.S. Automotive Industry (lien direct) |
Les analystes de BlackBerry ont identifié une campagne de phisces de lance du groupe de menaces FIN7 qui ciblait un grand constructeur automobile basé aux États-Unis.FIN7 a utilisé le leurre d'un outil de numérisation IP gratuit pour exécuter des logiciels malveillants et prendre pied initial.
BlackBerry analysts have identified a spear-phishing campaign by threat group FIN7 that targeted a large automotive manufacturer based in the United States. FIN7 used the lure of a free IP scanning tool to run malware and gain an initial foothold. |
Malware Tool Threat | ★★ | |
 |
2024-04-12 07:12:41 | CISA émet une directive d'urgence 24-02 en réponse à la cyber-menace russe ciblant les comptes de messagerie Microsoft CISA issues Emergency Directive 24-02 in response to Russian cyber threat targeting Microsoft email accounts (lien direct) |
L'Agence américaine de sécurité de la cybersécurité et de l'infrastructure (CISA) a publié publiquement la directive d'urgence (ed) 24-02 en réponse à un ...
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) publicly issued Emergency Directive (ED) 24-02 in response to a... |
Threat | ★★★ | |
|
2024-04-12 07:05:22 | Une cyber armée pour l\'Allemagne (lien direct) | L'Allemagne prévoit de lancer une branche cyber-militaire pour contrer les menaces russes.... | Threat | ★★★ | |
|
2024-04-12 06:00:03 | Arrêt de cybersécurité du mois: vaincre les attaques de création d'applications malveillantes Cybersecurity Stop of the Month: Defeating Malicious Application Creation Attacks (lien direct) |
This blog post is part of a monthly series, Cybersecurity Stop of the Month, which explores the ever-evolving tactics of today\'s cybercriminals. It focuses on the critical first three steps in the attack chain in the context of email threats. The goal of this series is to help you understand how to fortify your defenses to protect people and defend data against emerging threats in today\'s dynamic threat landscape. The critical first three steps of the attack chain-reconnaissance, initial compromise and persistence. So far in this series, we have examined these types of attacks: Supplier compromise EvilProxy SocGholish eSignature phishing QR code phishing Telephone-oriented attack delivery (TOAD) Payroll diversion MFA manipulation Supply chain compromise Multilayered malicious QR code attack In this post, we examine an emerging threat-the use of malicious cloud applications created within compromised cloud tenants following account takeover. We refer to it as MACT, for short. Background Cloud account takeover (ATO) attacks are a well-known risk. Research by Proofpoint found that last year more than 96% of businesses were actively targeted by these attacks and about 60% had at least one incident. Financial damages reached an all-time high. These findings are unsettling. But there is more for businesses to worry about. Cybercriminals and state-sponsored entities are rapidly adopting advanced post-ATO techniques. And they have embraced the use of malicious and abused OAuth apps. In January 2024, Microsoft revealed that a nation-state attacker had compromised its cloud environments and stolen valuable data. This attack was attributed to TA421 (aka Midnight Blizzard and APT29), which are threat groups that have been attributed to Russia\'s Foreign Intelligence Service (SVR). Attackers exploited existing OAuth apps and created new ones within hijacked cloud tenants. After the incident, CISA issued a new advisory for businesses that rely on cloud infrastructures. Proofpoint threat researchers observed attackers pivoting to the use of OAuth apps from compromised-and often verified-cloud tenants. Threat actors take advantage of the trust that\'s associated with verified or recognized identities to spread cloud malware threats as well as establish persistent access to sensitive resources. The scenario Proofpoint monitors a malicious campaign named MACT Campaign 1445. It combines a known tactic used by cloud ATO attackers with new tactics, techniques and procedures. So far, it has affected dozens of businesses and users. In this campaign, attackers use hijacked user accounts to create malicious internal apps. In tandem, they also conduct reconnaissance, exfiltrate data and launch additional attacks. Attackers use a unique anomalous URL for the malicious OAuth apps\' reply URL-a local loopback with port 7823. This port is used for TCP traffic. It is also associated with a known Windows Remote Access Trojan (RAT). Recently, Proofpoint researchers found four accounts at a large company in the hospitality industry compromised by attackers. In a matter of days, attackers used these accounts to create four distinct malicious OAuth apps. The threat: How did the attack happen? Here is a closer look at how the attack unfolded. Initial access vectors. Attackers used a reverse proxy toolkit to target cloud user accounts. They sent individualized phishing lures to these users, which enabled them to steal their credentials as well as multifactor authentication (MFA) tokens. A shared PDF file with an embedded phishing URL that attackers used to steal users\' credentials. Unauthorized access (cloud account takeover). Once attackers had stolen users\' credentials, they established unauthorized access to the four targeted accounts. They logged in to several native Microsoft 365 sign-in apps, including “Azure Portal” and “Office Home.” Cloud malware (post-access OAuth app creat | Spam Malware Tool Threat Cloud | APT 29 | ★★★ |
 |
2024-04-12 04:46:11 | Apple cesse d'avertissement des attaques \\ 'parrainées par l'État, alertes maintenant sur \\' mercenaire spyware \\ ' Apple stops warning of \\'state-sponsored\\' attacks, now alerts about \\'mercenary spyware\\' (lien direct) |
Rapport affirme que le gouvernement de l'Inde \\, qui est accusé d'utiliser Pegasus à la maison, a été mécontent Apple a apporté un changement significatif au libellé de ses notifications de menace, choisissant de ne pas attribuer des attaques aux attaques àune source ou un auteur spécifique, mais les catégoriser largement comme des «logiciels espions mercenaires».…
Report claims India\'s government, which is accused of using Pegasus at home, was displeased Apple has made a significant change to the wording of its threat notifications, opting not to attribute attacks to a specific source or perpetrator, but categorizing them broadly as "mercenary spyware."… |
Threat | ★★★ | |
|
2024-04-11 20:08:48 | La faille de rouille critique pose une menace d'exploitation dans des cas d'utilisation de fenêtres spécifiques Critical Rust Flaw Poses Exploit Threat in Specific Windows Use Cases (lien direct) |
Le projet derrière le langage de programmation Rust a affirmé que tous les appels à une API spécifique seraient en sécurité, même avec des intrants dangereux, mais les chercheurs ont trouvé des moyens de contourner les protections.
Project behind the Rust programming language asserted that any calls to a specific API would be made safe, even with unsafe inputs, but researchers found ways to circumvent the protections. |
Threat | ★★ | |
|
2024-04-11 19:26:57 | La campagne cybercriminale propage les infostelleurs, mettant en évidence les risques pour le jeu Web3 Cybercriminal Campaign Spreads Infostealers, Highlighting Risks to Web3 Gaming (lien direct) |
## Instantané
Le groupe INSIKT a découvert une opération de cybercriminalité en langue russe à grande échelle qui tire parti de faux projets de jeu Web3 pour distribuer des logiciels malveillants infoséaler ciblant les utilisateurs de macOS et Windows.
## Description
Ces jeux Web3, basés sur la technologie de la blockchain, attirent les utilisateurs avec le potentiel de gains de crypto-monnaie.La campagne consiste à créer des projets de jeu d'imitation Web3 avec des modifications mineures pour paraître légitimes, ainsi que de faux comptes de médias sociaux pour améliorer leur crédibilité.Lors de la visite des principales pages Web de ces projets, les utilisateurs sont invités à télécharger des logiciels malveillants tels que le voleur atomique MacOS (AMOS), le Stealc, Rhadamanthys ou Risepro, selon leur système d'exploitation.Les acteurs de la menace ont établi une infrastructure résiliente et ciblent les joueurs Web3, exploitant leur manque potentiel d'hygiène de la cyber dans la poursuite de gains financiers.
Les variantes de logiciels malveillants, y compris AMOS, sont capables d'infecter à la fois Intel et Apple M1 Mac, indiquant une large vulnérabilité parmi les utilisateurs.L'objectif principal de la campagne semble être le vol de portefeuilles de crypto-monnaie, posant un risque important pour la sécurité financière.Les acteurs de la menace \\ 'Origine russe sont allumés par des artefacts dans le code HTML, bien que leur emplacement exact reste incertain.
## Les références
[https://www.recordedfuture.com/cybercriminal-campaign-spreads-infostealers-highlighting-risks-to-web3-gamingrisques-web3-gaming)
## Snapshot The Insikt Group has uncovered a large-scale Russian-language cybercrime operation that leverages fake Web3 gaming projects to distribute infostealer malware targeting both macOS and Windows users. ## Description These Web3 games, based on blockchain technology, entice users with the potential for cryptocurrency earnings. The campaign involves creating imitation Web3 gaming projects with minor modifications to appear legitimate, along with fake social media accounts to enhance their credibility. Upon visiting the main webpages of these projects, users are prompted to download malware such as Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, or RisePro, depending on their operating system. The threat actors have established a resilient infrastructure and are targeting Web3 gamers, exploiting their potential lack of cyber hygiene in pursuit of financial gains. The malware variants, including AMOS, are capable of infecting both Intel and Apple M1 Macs, indicating a broad vulnerability among users. The primary objective of the campaign appears to be the theft of cryptocurrency wallets, posing a significant risk to financial security. The threat actors\' Russian origin is hinted at by artifacts within the HTML code, although their exact location remains uncertain. ## References [https://www.recordedfuture.com/cybercriminal-campaign-spreads-infostealers-highlighting-risks-to-web3-gaming](https://www.recordedfuture.com/cybercriminal-campaign-spreads-infostealers-highlighting-risks-to-web3-gaming) |
Malware Vulnerability Threat | ★★★ | |
|
2024-04-11 18:19:43 | Apple avertit les utilisateurs dans 150 pays d'attaques de logiciels spymétriques mercenaires Apple Warns Users in 150 Countries of Mercenary Spyware Attacks (lien direct) |
Dans les nouvelles informations sur la notification des menaces, Apple a distingué le groupe NSO du vendeur de Pegasus comme coupable dans les attaques de logiciels spymétriques mercenaires.
In new threat notification information, Apple singled out Pegasus vendor NSO Group as a culprit in mercenary spyware attacks. |
Threat | ★★★ | |
|
2024-04-11 18:00:39 | Lastpass: les pirates ciblés pour l'employé dans l'appel du PDG de Deepfake défaillant LastPass: Hackers targeted employee in failed deepfake CEO call (lien direct) |
Lastpass a révélé cette semaine que les acteurs de la menace ont ciblé l'un de ses employés dans une attaque de phishing vocale, en utilisant Deepfake Audio pour usurper l'identité de Karim Toubba, le directeur général de la société.[...]
LastPass revealed this week that threat actors targeted one of its employees in a voice phishing attack, using deepfake audio to impersonate Karim Toubba, the company\'s Chief Executive Officer. [...] |
Threat | LastPass | ★★ |
|
2024-04-11 17:02:00 | TA547 Phishing Attack frappe les entreprises allemandes avec Rhadamanthys Stealer TA547 Phishing Attack Hits German Firms with Rhadamanthys Stealer (lien direct) |
Un acteur de menace suivi comme & nbsp; TA547 & nbsp; a ciblé des dizaines d'organisations allemandes avec un voleur d'informations appelé & nbsp; rhadamanthys & nbsp; dans le cadre d'une campagne de phishing sur le thème de la facture.
"C'est la première fois que les chercheurs observent TA547 utiliser Rhadamanthys, un voleur d'informations utilisé par plusieurs acteurs de menaces cybercriminaux", a déclaré Proofpoint & NBSP;"De plus, l'acteur a semblé
A threat actor tracked as TA547 has targeted dozens of German organizations with an information stealer called Rhadamanthys as part of an invoice-themed phishing campaign. "This is the first time researchers observed TA547 use Rhadamanthys, an information stealer that is used by multiple cybercriminal threat actors," Proofpoint said. "Additionally, the actor appeared to |
Threat | ★★ |
To see everything:
Our RSS (filtrered)
