What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-01-03 02:50:11 | La cybercriminalité va-t-elle empirer? Is Cybercrime Only Going to Get Worse? (lien direct) |
Au tournant du millénaire, peu de gens s'inquiétaient de la cybercriminalité.L'accord du Vendredi Saint venait de entrer en vigueur, les États-Unis ont expulsé un diplomate russe pour espionnage, et la menace du bug Y2K se profile.Iloveyou, le ver informatique qui a catapulté la cybercriminalité dans la conscience du public, était encore dans cinq mois.Aujourd'hui, les choses ne pourraient pas être plus différentes.En 2001, six personnes ont été victimes de la cybercriminalité par heure.D'ici 2022, ce nombre était passé à 97, soit une augmentation de 1517%.À cette époque, les attaques Solarwinds, Colonial Pipeline et Wannacry ont établi une cybercriminalité comme potentiellement ...
At the turn of the millennium, few people were worried about cybercrime. The Good Friday Agreement had just come into effect, the US expelled a Russian diplomat for spying, and the threat of the Y2K bug loomed. ILOVEYOU , the computer worm that catapulted cybercrime into the public consciousness, was still five months away. Today, things couldn\'t be more different. In 2001, six people fell victim to cybercrime an hour. By 2022, that number had risen to 97, an increase of 1517% . At that time, the SolarWinds, Colonial Pipeline, and WannaCry attacks established cybercrime as a potentially... |
Threat Threat | Wannacry | ★★★ |
 |
2023-08-29 10:00:00 | Lutte contre les logiciels malveillants dans la chaîne d'approvisionnement industrielle Battling malware in the industrial supply chain (lien direct) |
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. Here\'s how organizations can eliminate content-based malware in ICS/OT supply chains. As the Industrial Internet of Things (IIoT) landscape expands, ICS and OT networks are more connected than ever to various enterprise systems and cloud services. This new level of connectivity, while offering benefits, also paves the way for targeted and supply chain attacks, making them easier to carry out and broadening their potential effects. A prominent example of supply chain vulnerability is the 2020 SolarWinds Orion breach. In this sophisticated attack: Two distinct types of malware, "Sunburst" and "Supernova," were secretly placed into an authorized software update. Over 17,000 organizations downloaded the update, and the malware managed to evade various security measures. Once activated, the malware connected to an Internet-based command and control (C2) server using what appeared to be a harmless HTTPS connection. The C2 traffic was cleverly hidden using steganography, making detection even more challenging. The threat actors then remotely controlled the malware through their C2, affecting up to 200 organizations. While this incident led to widespread IT infiltration, it did not directly affect OT systems. In contrast, other attacks have had direct impacts on OT. In 2014, a malware known as Havex was hidden in IT product downloads and used to breach IT/OT firewalls, gathering intelligence from OT networks. This demonstrated how a compromised IT product in the supply chain could lead to OT consequences. Similarly, in 2017, the NotPetya malware was concealed in a software update for a widely-used tax program in Ukraine. Though primarily affecting IT networks, the malware caused shutdowns in industrial operations, illustrating how a corrupted element in the supply chain can have far-reaching effects on both IT and OT systems. These real-world incidents emphasize the multifaceted nature of cybersecurity risks within interconnected ICS/OT systems. They serve as a prelude to a deeper exploration of specific challenges and vulnerabilities, including: Malware attacks on ICS/OT: Specific targeting of components can disrupt operations and cause physical damage. Third-party vulnerabilities: Integration of third-party systems within the supply chain can create exploitable weak points. Data integrity issues: Unauthorized data manipulation within ICS/OT systems can lead to faulty decision-making. Access control challenges: Proper identity and access management within complex environments are crucial. Compliance with best practices: Adherence to guidelines such as NIST\'s best practices is essential for resilience. Rising threats in manufacturing: Unique challenges include intellectual property theft and process disruptions. Traditional defenses are proving inadequate, and a multifaceted strategy, including technologies like Content Disarm and Reconstruction (CDR), is required to safeguard these vital systems. Supply chain defense: The power of content disarm and reconstruction Content Disarm and Reconstruction (CDR) is a cutting-edge technology. It operates on a simple, yet powerful premise based on the Zero Trust principle: all files could be malicious. What does CDR do? In the complex cybersecurity landscape, CDR stands as a unique solution, transforming the way we approach file safety. Sanitizes and rebuilds files: By treating every file as potentially harmful, CDR ensures they are safe for use while mainta | Malware Vulnerability Threat Industrial Cloud | NotPetya Wannacry Solardwinds | ★★ |
 |
2022-11-14 14:20:28 | The next WannaCry and drone hacking: Security Predictions for 2023 (lien direct) | The next WannaCry and drone hacking: Security Predictions for 2023 Kaspersky researchers presented their vision of the future for advanced persistent threats (APTs), defining the changes in threat landscape that will emerge in 2023. Attacks on satellite technologies, mail servers, the rise of destructive attacks and leaks, drone hacking and the next big cyber epidemic are among some of the predictions for the next year. - Opinion | Threat | Wannacry Wannacry | |
|
2022-10-18 19:13:26 | N\'attendez pas qu\'une attaque de type WannaCry cible les mobiles (lien direct) | N'attendez pas qu'une attaque de type WannaCry cible les mobiles Par Richard Melick, Director of Product Marketing, Mobile Threat Intelligence, Zimperium - Points de Vue | Threat | Wannacry Wannacry | |
|
2022-10-06 10:00:00 | 7 Biggest Cybersecurity Threats of the 21st Century (lien direct) | This blog was written by an independent guest blogger. The 21st century has seen a dramatic increase in the number and sophistication of cybersecurity threats. Here are the 7 biggest threats that businesses and individuals need to be aware of. Ransomware as a service In the past few years, ransomware has become one of the most popular tools for cybercriminals. Ransomware as a service (RaaS) is a new business model that allows anyone with little to no technical expertise to launch their own ransomware attacks. All they need is to sign up for a RaaS platform and pay a fee (usually a percentage of the ransom they collect). RaaS is a growing threat because it makes it easy for anyone to launch attacks. Cybercriminals can target any organization, no matter its size or resources. And, because RaaS platforms typically take care of all the technical details, ransomware attacks can be launched with little effort. In the past several years, there have been a number of high-profile ransomware attacks that have made headlines. In May 2017, the WannaCry ransomware attack affected more than 200,000 computers in 150 countries. The attack caused billions of dollars in damage and disrupted critical infrastructure, such as hospitals and banks. In December 2017, the NotPetya ransomware attack hit more than 10,000 organizations in over 60 countries. The attack caused billions of dollars in damage and disrupted critical infrastructure, such as hospitals and banks. Ransomware attacks have become more sophisticated and targeted. Cybercriminals are now using RaaS platforms to launch targeted attacks against specific organizations. These attacks are often called "spear phishing" attacks because they use carefully crafted emails to trick people into clicking on malicious links or opening attachments that install ransomware on their computers. Organizations of all sizes need to be aware of the threat of ransomware and take steps to protect themselves. This includes having a robust backup and recovery plan in place in case of an attack. Internet of Things The Internet of Things (IoT) is a network of physical devices, vehicles, home appliances, and other items that are embedded with electronics, software, sensors, and connectivity enabling these objects to connect and exchange data. The IoT is a growing market with more and more devices being connected to the internet every day. However, this also creates new security risks. Because IoT devices are often connected to the internet, they can be hacked and used to launch attacks. In October 2016, a massive Distributed Denial of Service (DDoS) attack was launched against the Dyn DNS service using a network of IoT devices that had been infected with the Mirai malware. The attack caused widespread internet disruptions and took down major websites, such as Twitter and Netflix. The IoT presents a unique challenge for security because there are so many different types of devices that can be connected to the internet. Each type of device has its own security risks and vulnerabilities. And, as the number of IoT devices continues to grow, so do the opportunities for cybercriminals to exploit them. Cloud security The cloud has become an essential part of business for many organizations. It offers a number of advantages, such as flexibility, scalability, and cost savings. However, the cloud also creates new security risks. One of the biggest security risks associated with the cloud is data breaches. Because data is stored remotely on servers, it is more vulnerable to attack. In addition, cloud service providers often have access to customer data, which creates another potential point of entry for hackers. Another security risk associated with the | Ransomware Malware Threat | NotPetya NotPetya Wannacry Wannacry | |
 |
2022-07-07 08:14:35 | North Korean State-Sponsored Threat Actors Deploying "MAUI" Ransomware (lien direct) | Today, the United States Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Agency (CISA) and the Department of Treasury released a joint Cybersecurity Advisory on Maui Ransomware, which is attributed to state sponsored activity by the government of North Korea. The Joint CSA provides detailed insight on the various TTPs used by the threat actors behind Maui, which has targeted the Health and Public Health Sector.How Serious of an Issue is This?High. As ransomware activity causes downtime, theft of confidential and personally identifiable information (PII) and other significant impact to operations, it is important to ensure that various security measures are in place, like being up to date with patching vulnerable machines/infrastructure. Also, ensuring employees are trained and up to date on various social engineering attempts and tactics used by threat actors will be a first line of defense against such attacks.What is Maui Ransomware?Maui ransomware is unique in a way that it requires manual execution to start the encryption routine. Maui also features a CLI (command line interface) that is used by the threat actor to target specific files to encrypt. Maui also has the ability to identify previously encrypted files due to customer headers containing the original path of the file.Who are HIDDEN COBRA/LAZARUS/APT38/BeagleBoyz?HIDDEN COBRA also known as Lazarus/APT38/BeagleBoyz has been atributed to the government of North Korea. Also, they have been linked to multiple high-profile, financially-motivated attacks in various parts of the world - some of which have caused massive infrastructure disruptions. Notable attacks include the 2014 attack on a major entertainment company and a 2016 Bangladeshi financial institution heist that almost netted nearly $1 Billion (USD) for the attackers. Had it not been for a misspelling in an instruction that caused a bank to flag and block thirty transactions, HIDDEN COBRA would have pulled off a heist unlike any other. Although HIDDEN COBRA failed in their attempt, they were still able to net around 81 million dollars in total.The most recent notable attack attributed to HIDDEN COBRA was the Wannacry Ransomware attack, which resulted in massive disruption and damage worldwide to numerous organizations, especially those in manufacturing. Various estimates of the impact were in the hundreds of millions of dollars, with some estimates claiming billions. Other verticals which this group has targeted include critical infrastructures, entertainment, finance, healthcare, and telecommunication sectors across multiple countries.Who are the BeagleBoyz?The BeagleBoyz group is a newly identified group that is a subset of activity by the threat actors known as HIDDEN COBRA/LAZARUS/APT 38 and has been observed committing financial crimes, specifically cryptocurrency related thefts. Further information about the BeagleBoyz can be found here.What Operating Systems are Affected?Windows based operating systems are affected.What is the Status of Coverage?Fortinet customers running the latest definitions are protected against Maui with the following (AV) signatures:W32/Ransom_Win32_MAUICRYPT.YACC5W32/Agent.C5C2!trW32/PossibleThreatAnything Else to Note?Victims of ransomware are cautioned against paying ransoms by such organizations as CISA, NCSC, the FBI, and HHS. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities which could potentially be illegal according to a U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) advisory. | Ransomware Threat Patching Medical | Wannacry Wannacry APT 38 | |
|
2022-06-27 10:00:00 | Stories from the SOC - Detecting internal reconnaissance (lien direct) | Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.
Executive summary
Internal Reconnaissance, step one of the Cyber Kill Chain, is the process of collecting internal information about a target network to identify vulnerabilities that can potentially be exploited. Threat actors use the information gained from this activity to decide the most effective way to compromise the target network. Vulnerable services can be exploited by threat actors and potentially lead to a network breach. A network breach puts the company in the hands of cybercriminals. This can lead to ransomware attacks costing the company millions of dollars to remediate along with a tarnished public image.
The Managed Extended Detection and Response (MXDR) analyst team received two alarms regarding an asset performing network scans within a customer's environment. Further investigation into these alarms revealed that the source asset was able to scan 60 unique IPs within the environment and successfully detected numerous open ports with known vulnerabilities.
Investigation
Initial alarm review
Indicators of Compromise (IOC)
The initial alarm that prompted this investigation was a Darktrace Cyber Intelligence Platform event that was ingested by USM Anywhere. The priority level associated with this alarm was High, one level below the maximum priority of Critical. Network scanning is often one of the first steps a threat actor takes when attempting to compromise a network, so it is a red flag any time an unknown device is scanning the network without permission. From here, the SOC went deeper into associated events to see what activity was taking place in the customer’s environment. The image shown below is the Darktrace alarm that initiated the investigation.
Expanded investigation
Events search
Utilizing the filters built into USM Anywhere , the events were narrowed down to the specific source asset IP address and Host Name to only query events associated to that specific asset. The following events were found that provide more information about the reconnaissance activity that was being observed.
Event deep dive
Upon reviewing the logs from the events shown above, the SOC was able to determine that the source asset scanned two separate Classless Inter-Domain Routing (CIDR) blocks, detecting, and scanning 60 unique internal devices for open ports. As shown in the log snippets below, the scans revealed multiple open ports with known vulnerabilities, most notable is Server Message Block (SMB) port 445 which is the key attack vector for the infamous WannaCry malware. Looking at the logs we can also see that the source asset detected port 5985, the port utilized by Windows Remote Management (WinRM). WinRM can be used by threat actors to move laterally in environments by executing remote commands on other assets from the compromised host. These remote commands are typically batch files performing malicious activity or implanting backdoors to maintain persistence in the network. Lastly, we can see the asset scanning for Lightweight Directory Access Protocol (LD |
Ransomware Malware Threat Guideline | Wannacry | |
 |
2022-05-19 02:00:00 | WannaCry 5 years on: Still a top threat (lien direct) | Who doesn't love an anniversary and the opportunity to reminisce about “where we were” when an historical event happened? Such is the case over the last several days when it comes to remembering WannaCry, the ransomware that infected thousands of computers five years ago and cost companies all over the world billions of dollars in damages.WannaCry broke onto the infosec scene on May 12, 2017. Taking advantage of the vulnerable version of the Server Message Block (SMB) protocol, it ultimately infected approximately 200,000+ machines in more than 150 countries. While Microsoft had issued a patch for the SMB flaw more than a month before the attacks began, millions of computers had not been unpatched against the bug. The largest ransomware attack ever, it impacted several big names globally, including the UK's National Health Service, US delivery giant FedEx, and Deutsche Bahn, the German railway company.To read this article in full, please click here | Ransomware Threat | FedEx Wannacry | |
 |
2022-05-12 00:37:30 | How the evolution of ransomware has changed the threat landscape (lien direct) | >From WannaCry to Conti: A 5-Year Perspective Five years ago, on May 12, 2017, the world fell victim to a major ransomware attack known as 'WannaCry'. The attack had an unprecedented scale, and spread around the world like wildfire, with more than 200,000 Windows computers across 150 countries affected outbreaking only a few days.… | Ransomware Threat | Wannacry Wannacry | |
|
2022-02-27 22:30:37 | Previously Unseen Backdoor Bvp47 Potentially Victimized Global Targets (lien direct) | FortiGuard Labs is aware of a report by Pangu Lab that a new Linux backdoor malware that reportedly belongs to the Equation group was used to potentially compromise more than 200 organizations across over 40 countries around the globe. The Equation group is regarded as one of the most highly skilled threat actors, which some speculate have close connections with National Security Agency (NSA). The threat actor is also reported have been tied to the Stuxnet malware that was used in 2010 cyber attack on a nuclear centrifuge facility in Iran.Why is this Significant?Bvp47 is a previously undiscovered backdoor malware that was reportedly used in cyber attacks carried out by the Equation group. According to the report and information available in the documents that presumably leaked from the Equation group, over 200 organizations spread across more than 40 countries may have been infected with the Bvp47 malware.The Bvp47 file called out in the report was first submitted to VirusTotal in late 2013, which indicates that Bvp47 was used and undiscovered for close to a decade.How was the Connection between the Bvp47 malware and the Equation Group Established?Pangu Lab concluded that Bvp47 belongs to the Equation group because one of the folders included in the documents leaked by the Shadow Brokers in 2017 contained a RSA private key required by Bvp47 for its command execution and other operations.What is the Shadow Brokers?The Shadow Brokers is a threat actor who claimed to have stolen highly classified information from the Equation group in 2016. The stolen information includes zero-day exploits, operation manuals and description of tools used by the Equation group. The Shadow Brokers then attempted to sell the information to the highest bidder. After no one purchased the information, The threat actor released the information to the public after the auction attempt failed.One of the most famous exploits included in the leaked documents is EternalBlue. Within a few weeks of the leak, EternalBlue was incorporated in Wannacry ransomware which caused global panic in 2017.What are the Characteristics of Bvp47?Bvp is a Linux backdoor that performs actions upon receiving commands from Command and Control (C2) servers.Because the Bvp47 framework is incorporated with components such as "dewdrops" and "solutionchar_agents" that are included in the Shadow Brokers leaks, the backdoor is for mainstream Linux distributions, FreeBSD, Solaris as well as JunOS,.Bvp47 also runs various environment checks. If the requirements are not met, the malware deletes itself.What is the Status of Coverage?FortiGuard Labs provide the following AV coverage against Bvp47:ELF/Agent.16DC!tr | Ransomware Malware Threat | Wannacry Wannacry | |
 |
2022-02-01 14:37:29 | CyberheistNews Vol 12 #05 [Heads Up] DHS Sounds Alarm on New Russian Destructive Disk Wiper Attack Potential (lien direct) |
![CyberheistNews Vol 12 #05 [Heads Up] DHS Sounds Alarm on New Russian Destructive Disk Wiper Attack Potential](https://blog.knowbe4.com/hubfs/Stu_Headshot_2021_resize.png)
|
Ransomware Malware Hack Tool Threat Guideline | NotPetya NotPetya Wannacry Wannacry APT 27 APT 27 | |
 |
2021-06-29 15:00:34 | How to Proactively Increase Your Protection Against Ransomware with Threat Intelligence (lien direct) | 
As Ransomware continues to spread and target organizations around the world, it is critical to leverage threat intelligence data. And not just any threat intelligence but actionable intelligence from MVISION Insights. Fortunately, there are several steps you can take to proactively increase your Endpoint Security to help minimize damage from the next Darkside, WannaCry, Ryuk, […]
|
Ransomware Threat | Wannacry | |
 |
2021-04-27 17:24:00 | Anomali Cyber Watch: HabitsRAT Targeting Linux and Windows Servers, Lazarus Group Targetting South Korean Orgs, Multiple Zero-Days and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Android Malware, RATs, Phishing, QLocker Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Zero-day Vulnerabilities in SonicWall Email Security Actively Exploited
(published: April 21, 2021)
US cybersecurity company SonicWall said fixes have been published to resolve three critical issues in its email security solution that are being actively exploited in the wild. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above.
Analyst Comment: The patches for these vulnerabilities have been issued and should be applied as soon as possible to avoid potential malicious behaviour. SonicWall’s security notice can be found here https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/. It is important that your company has patch-maintenance policies in place. Once a vulnerability has been publicly reported,, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083
Tags: CVE-2021-20021, CVE-2021-20023, CVE-2021-20022
Massive Qlocker Ransomware Attack Uses 7zip to Encrypt QNAP Devices
(published: April 21, 2021)
The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021. All victims are told to pay 0.01 Bitcoins, which is approximately $557.74, to get a password for their archived files. While the files are being locked, the Resource Monitor will display numerous '7z' processes which are the 7zip command-line executable.
Analyst Comment: Attackers are using legitimate tools like 7zip to evade detections by traditional antiviruses. EDR solutions can help tracking suspicious command line arguments and process creations to potentially detect such attacks. Customers should use backup solutions to be able recover encrypted files.
MITRE ATT&CK: [MITRE ATT&CK] Credentials in Files - T1081
Tags: Tor, Qlocker, CVE-2020-2509, CVE-2020-36195
Novel Email-Based Campaign Targets Bloomberg Clients with RATs
(published: April 21, 2021)
A new e-mail-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg's industry-based services. Attacks start in the form of targeted emails to c |
Ransomware Malware Tool Vulnerability Threat Medical | Wannacry Wannacry APT 38 APT 28 | |
|
2021-03-17 18:03:00 | Anomali Cyber Watch: APT, Ransomware, Vulnerabilities and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, AlientBot, Clast82, China, DearCry, RedXOR, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Google: This Spectre proof-of-concept shows how dangerous these attacks can be
(published: March 15, 2021)
Google has released a proof of concept (PoC) code to demonstrate the practicality of Spectre side-channel attacks against a browser's JavaScript engine to leak information from its memory. Spectre targeted the process in modern CPUs called speculative execution to leak secrets such as passwords from one site to another. While the PoC demonstrates the JavaScript Spectre attack against Chrome 88's V8 JavaScript engine on an Intel Core i7-6500U CPU on Linux, Google notes it can easily be tweaked for other CPUs, browser versions and operating systems.
Analyst Comment: As the density of microchip manufacturing continues to increase, side-channel attacks are likely to be found across many architectures and are difficult (and in some cases impossible) to remediate in software. The PoC of the practicality of performing such an attack using javascript emphasises that developers of both software and hardware be aware of these types of attacks and the means by which they can be used to invalidate existing security controls.
Tags: CVE-2017-5753
Threat Assessment: DearCry Ransomware
(published: March 12, 2021)
A new ransomware strain is being used by actors to attack unpatched Microsoft Exchange servers. Microsoft released patches for four vulnerabilities that are being exploited in the wild. The initial round of attacks included installation of web shells onto affected servers that could be used to infect additional computers. While the initial attack appears to have been done by sophisticated actors, the ease and publicity around these vulnerabilities has led to a diverse group of actors all attempting to compromise these servers.
Analyst Comment: Patch and asset management are a critical and often under-resourced aspect of defense in depth. As this particular set of vulnerabilities and attacks are against locally hosted Exchange servers, organization may want to assess whether a hosted solution may make sense from a risk standpoint
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | |
Ransomware Tool Vulnerability Threat Guideline | Wannacry APT 41 APT 34 | |
 |
2021-03-09 12:16:02 | On Not Fixing Old Vulnerabilities (lien direct) | How is this even possible? …26% of companies Positive Technologies tested were vulnerable to WannaCry, which was a threat years ago, and some even vulnerable to Heartbleed. “The most frequent vulnerabilities detected during automated assessment date back to 20132017, which indicates a lack of recent software updates,” the reported stated. 26%!? One in four networks? Even if we assume that the report is self-serving to the company that wrote it, and that the statistic is not generally representative, this is still a disaster. The number should be 0%... | Threat | Wannacry | |
|
2021-03-03 11:00:00 | Extended threat detection and response (XDR): Filling out cybersecurity gaps (lien direct) |
This blog was written by an independent guest blogger.
Image source
Business technology generally advances on a rapid basis, however, so do the cyberthreats that can endanger your security.
According to BusinessWire, more than half of enterprises believe that their security cannot keep up, and according to IBM News Room, more than half of organizations with cybersecurity incident response plans fail to test them.
Because of overloaded security teams, poor visibility, and threat alert overload due to the many implemented technologies in place to fight this, for many of these enterprises, the difficulty constantly grows when it comes to detecting and effectively responding to cyber threats.
What is XDR?
XDR can be defined as a cross-layered detection and response tool. In other words, it collects and then correlates data over a variety of security layers, such as endpoints, emails, servers, clouds, and networks.
What this means is that, rather than focusing on end-point detection alone, it can enable your security team to detect, investigate, and respond to threats across multiple layers of security, not just the end-point.
This is due to the fact that today’s cyber threats are extremely tricky and complex, to the point where they can hide throughout different layers within an organization.
If you were to use a sideload approach, through the usage of different technologies, simply cannot provide a contextual view of all of the threats across the environment, and as such, can slow down the detection, investigation, and response.
It allows for improved protection, detection, and response capabilities as well as improved productivity of the operational security personnel, with lower costs associated with owning it.
Image source
XDR features
XDR was designed to simplify the security visibility across an organization’s entire cyber architecture. In other words, to allow an organization to analyze all of the layers associated with their security, not just the end-point, through an |
Tool Threat Guideline | Wannacry | |
|
2021-03-02 15:00:00 | Anomali Cyber Watch: APT Groups, Cobalt Strike, Russia, Malware, and More (lien direct) |
We are excited to announce Anomali Cyber Watch, your weekly intelligence digest. Replacing the Anomali Weekly Threat Briefing, Anomali Cyber Watch provides summaries of significant cybersecurity and threat intelligence events, analyst comments, and recommendations from Anomali Threat Research to increase situational awareness, and the associated tactics, techniques, and procedures (TTPs) to empower automated response actions proactively.
We hope you find this version informative and useful. If you haven’t already subscribed get signed up today so you can receive curated and summarized cybersecurity intelligence events weekly.
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Emotet, Go, Masslogger, Mustang Panda, OilRig, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
(published: February 26, 2021)
Recent reporting indicates that two prolific cybercrime threat groups, CARBON SPIDER and SPRITE SPIDER, have begun targeting ESXi, a hypervisor developed by VMWare to run and manage virtual machines. SPRITE SPIDER uses PyXie's LaZagne module to recover vCenter credentials stored in web browsers and runs Mimikatz to steal credentials from host memory. After authenticating to vCenter, SPRITE SPIDER enables ssh to permit persistent access to ESXi devices. In some cases, they also change the root account password or the host’s ssh keys. Before deploying Defray 777, SPRITE SPIDER’s ransomware of choice, they terminate running VMs to allow the ransomware to encrypt files associated with those VMs. CARBON SPIDER has traditionally targeted companies operating POS devices, with initial access being gained using low-volume phishing campaigns against this sector. But throughout 2020 they were observed shifting focus to “Big Game Hunting” with the introduction of the Darkside Ransomware. CARBON SPIDER gains access to ESXi servers using valid credentials and reportedly also logs in over ssh using the Plink utility to drop the Darkside
Recommendation: Both CARBON SPIDER and SPRITE SPIDER likely intend to use ransomware targeting ESXi to inflict greater harm – and hopefully realize larger profits – than traditional ransomware operations against Windows systems. Should these campaigns continue and prove to be profitable, we would expect more threat actors to imitate these activities.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Scheduled Transfer - T1029 | |
Ransomware Malware Threat | Wannacry Wannacry APT 29 APT 28 APT 31 APT 34 | |
 |
2021-02-04 02:20:16 | Why Human Error is #1 Cyber Security Threat to Businesses in 2021 (lien direct) | Phishing and Malware
Among the major cyber threats, the malware remains a significant danger. The 2017 WannaCry outbreak that cost businesses worldwide up to $4 billion is still in recent memory, and other new strains of malware are discovered on a daily basis.
Phishing has also seen a resurgence in the last few years, with many new scams being invented to take advantage of unsuspecting |
Malware Threat | Wannacry Wannacry | |
 |
2020-05-12 12:30:02 | WannaCryptor remains a global threat three years on (lien direct) | WannaCryptor is still alive and kicking, so much so that it sits atop the list of the most commonly detected ransomware families | Ransomware Threat | Wannacry | |
|
2019-09-18 13:00:00 | Does your government take cybersecurity seriously enough? (lien direct) |
Photo by Katie Moum on Unsplash
Cybercrime is global, but the response isn’t. Governments in the west are slowly waking up to the importance of cybersecurity, and are (equally slowly) helping businesses to safeguard data and home users to protect their homes from cyberattack.
Look outside Europe and the US, though, and the picture is radically different. African countries, in particular, are underprepared for the impact of cyberattacks, and lack the governmental expertise to deal with them.
This is an issue for citizens of these countries, but also for us in the west. Poorly prepared countries act as safe havens for cybercriminals, and hackers (some of them state-sponsored) can use these countries to stage cyberattacks that directly impact users in the west.
Cybercrime: a global view
Though you wouldn’t know it from the press coverage, large cyberattacks don’t just affect the west.
Africa, for instance, actually has a huge problem with cybercrime. Recent reports from Botswana, Zimbabwe and Mozambique show that companies are increasingly falling victim to cybercrime. The global WannaCry malware attack of May 2017 hit South Africa hard, and companies in that country typically lose R36 million when they fall victim to an attack.
This situation is mirrored across the global south. It is made worse by the fact that developing nations do not have governmental policies for dealing with cyberattacks. This makes companies and home users in these countries particularly vulnerable. It also means that hackers can route their activities through these countries, which have neither the technical nor the legal expertise to catch them, let alone punish them.
Though government policies on cybercrime vary widely across the globe, many of the largest attacks of recent years rely for their success on their global reach. The Mirai Botnet, for instance, managed to infect IoT devices across a huge range of territories and countries, and this global base made it incredibly difficult to stop. Attacks like this have made the IoT one of the largest concerns among security professionals today.
Given this context, it is time for governments – in all countries and at all levels – to do more when it comes to managing cyber risk.
Managing risk
The approach that governments take to dealing with cyber risk is a critical factor in the success of these programs. Too often, governments take a ‘hands off’ approach, issuing advice to citizens and businesses about how to avoid falling victim to an attack, and then expecting them to protect themselves.
This approach i |
Malware Vulnerability Threat Guideline | Wannacry | |
|
2019-09-09 13:00:00 | Category 1 cyber threat for UK businesses (lien direct) |
Julia Solonina
Britain should be prepared for a Category 1 cyber security emergency, according to the National Cyber Security Centre (NCSC). This means that national security, the economy, and even the nation’s lives will be at risk. However, despite this harsh warning, UK businesses still aren’t taking proactive and potentially preventative action to stop these attacks from happening. So just where are UK businesses going wrong and can they turn things around before it’s too late?
How businesses have responded
Since Brexit was announced in June 2016, 53% of UK businesses have increased their cyber security, according to latest statistics. This is as a direct result of industry data being published which revealed that malware, phishing, and ransomware attacks will become the biggest threats once Britain leaves the EU. However, despite these efforts being made, figures reveal that British businesses have the smallest cyber security budget compared to any other country. They typically spend less than £900,000, whereas the average across the world is $1.46 million.
At risk of a Category 1 cyber attack
A Category 1 cyber attack is described by the NCSC as “A cyber attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life.” To date, the UK has never witnessed such an attack. Although, one of the most severe attacks in recent times was the 2017 NHS cyber attack which was classed as a Category 2 due to there being no imminent threat to life.
The NCSC says that they typically prevent 10 cyber attacks from occurring on a daily basis. However, as the organization believes that hostility from neighbouring nations is what drives these attacks every single day, they say that it’s only a matter of time before a Category 1 attack launches the country into chaos. NCSC's CEO Ciaran Martin states that "I remain in little doubt we will be tested to the full, as a centre, and as a nation, by a major incident at some point in the years ahead, what we would call a Category 1 attack."
UK businesses under attack
The UK government’s ‘Cyber Securi |
Ransomware Threat Guideline | Wannacry | |
 |
2019-07-11 16:21:03 | Wannacry ransomware attack: Industry experts offer their tips for prevention (lien direct) | Wannacry remains a significant threat for companies. Learn how your organization can guard against it. | Ransomware Threat | Wannacry | |
|
2019-06-13 13:00:03 | May 2019\'s Most Wanted Malware: Patch Now to Avoid the BlueKeep Blues (lien direct) | In May, the most significant event in the threat landscape was not a new type of malware: it was a serious vulnerability in older versions of Windows operating systems that – if exploited by criminals – could lead to the type of mega-scale ransomware attacks we saw in 2017 with WannaCry and NotPetya. The… | Ransomware Vulnerability Threat Guideline | NotPetya Wannacry | ★★★ |
 |
2019-05-28 06:20:06 | Almost One Million Vulnerable to BlueKeep Vuln (CVE-2019-0708) (lien direct) | Microsoft announced a vulnerability in it's "Remote Desktop" product that can lead to robust, wormable exploits. I scanned the Internet to assess the danger. I find nearly 1-million devices on the public Internet that are vulnerable to the bug. That means when the worm hits, it'll likely compromise those million devices. This will likely lead to an event as damaging as WannaCry and notPetya from 2017 -- potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness.To scan the Internet, I started with masscan, my Internet-scale port scanner, looking for port 3389, the one used by Remote Desktop. This takes a couple hours, and lists all the devices running Remote Desktop -- in theory.This returned 7,629,102 results (over 7-million). However, there is a lot of junk out there that'll respond on this port. Only about half are actually Remote Desktop.Masscan only finds the open ports, but is not complex enough to check for the vulnerability. Remote Desktop is a complicated protocol. A project was posted that could connect to an address and test it, to see if it was patched or vulnerable. I took that project and optimized it a bit, rdpscan, then used it to scan the results from masscan. It's a thousand times slower, but it's only scanning the results from masscan instead of the entire Internet.The table of results is as follows:1447579 UNKNOWN - receive timeout1414793 SAFE - Target appears patched1294719 UNKNOWN - connection reset by peer1235448 SAFE - CredSSP/NLA required 923671 VULNERABLE -- got appid 651545 UNKNOWN - FIN received 438480 UNKNOWN - connect timeout 105721 UNKNOWN - connect failed 9 82836 SAFE - not RDP but HTTP 24833 UNKNOWN - connection reset on connect 3098 UNKNOWN - network error 2576 UNKNOWN - connection terminatedThe various UNKNOWN things fail for various reasons. A lot of them are because the protocol isn't actually Remote Desktop and respond weirdly when we try to talk Remote Desktop. A lot of others are Windows machines, sometimes vulnerable and sometimes not, but for some reason return errors sometimes.The important results are those marked VULNERABLE. There are 923,671 vulnerable machines in this result. That means we've confirmed the vulnerability really does exist, though it's possible a small number of these are "honeypots" deliberately pretending to be vulnerable in order to monitor hacker activity on the Internet.The next result are those marked SAFE due to probably being "pached". Actually, it doesn't necessarily mean they are patched Windows boxes. They could instead be non-Windows systems that appear the same as patched Windows boxes. But either way, they are safe from this vulnerability. There are 1,414,793 of them.The next result to look at are those marked SAFE due to CredSSP/NLA failures, of which there are 1,235,448. This doesn't mean they are patched, but only that we can't exploit them. They require "network level authentication" first before we can talk Remote Desktop to them. That means we can't test whether they are patched or vulnerable -- but neither can the hackers. They may still be exploitable via an insider threat who knows a valid username/password, but they aren't exploitable by anonymous hackers or worms.The next category is marked as SAFE because they aren't Remote Desktop at all, but HTTP servers. In other words, in response to o | Ransomware Vulnerability Threat Patching Guideline | NotPetya Wannacry | |
 |
2019-05-21 21:30:03 | Another WannaCry May Be Coming – Are You Ready? (lien direct) | The vulnerability is severe enough that Microsoft took a pretty unusual step in releasing updates for Windows XP and Server 2003 in addition to currently supported versions of Windows that are affected. Unlike WannaCry, this threat is seen as extremely easy to exploit. It took a leaked NSA tool to exploit the WannaCry vulnerability, whereas the fear … The ISBuzz Post: This Post Another WannaCry May Be Coming – Are You Ready? | Tool Vulnerability Threat | Wannacry | |
|
2019-05-14 17:11:03 | Microsoft Patches \'Wormable\' Flaw in Windows XP, 7 and Windows 2003 (lien direct) | Microsoft today is taking the unusual step of releasing security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003, citing the discovery of a "wormable" flaw that the company says could be used to fuel a fast-moving malware threat like the WannaCry ransomware attacks of 2017. The vulnerability (CVE-2019-0709) resides in the "remote desktop services" component built into supported versions of Windows, including Windows 7, Windows Server 2008 R2, and Windows Server 2008. It also is present in computers powered by Windows XP and Windows 2003, operating systems for which Microsoft long ago stopped shipping security updates. | Ransomware Malware Vulnerability Threat | Wannacry | |
 |
2019-05-07 09:14:03 | NSA Hacking Tools Used by Chinese Hackers One Year Before Leak (lien direct) | A Chinese threat group was using hacking tools developed by the NSA more than a year before Shadow Brokers leaked them in April 2017, tools that were later used in highly destructive attacks such as the WannaCry ransomware campaign from May 2017. [...] | Threat | Wannacry | ★★★ |
 |
2019-04-09 15:36:04 | Get Ready for the First Wave of AI Malware (lien direct) | While viruses and malware have stubbornly stayed as a top-10 “things I lose sleep over as a CISO,” the overall threat has been steadily declining for a decade. Unfortunately, WannaCry, NotPetya, and an entourage of related self-propagating ransomware abruptly propelled malware back up the list and highlighted the risks brought by modern inter-networked business systems and the explosive growth of unmanaged devices. | Ransomware Malware Threat | NotPetya Wannacry | |
 |
2019-03-12 16:27:00 | The Advanced Persistent Threat files: Lazarus Group (lien direct) |
Lazarus Group, the threat actors likely behind the Sony breach and WannaCry outbreak, are in the news again. Here's what you need to know about this North Korean organization, and what you should do to protect against such nation-state attacks.
Categories:
Criminals
Threat analysis
Tags: APTLazarusNorth Korea
(Read more...)
|
Threat Medical | Wannacry APT 38 | |
 |
2019-02-26 11:00:03 | Cryptojacking Rises 450 Percent as Cybercriminals Pivot From Ransomware to Stealthier Attacks (lien direct) | >Cybercriminals made a lot of noise in 2017 with ransomware attacks like WannaCry and NotPetya, using an in-your-face approach to cyberattacks that netted them millions of dollars from victims. But new research from IBM X-Force, the threat intelligence, research and incident response arm of IBM Security, revealed that 2018 saw a rapid decline in ransomware […] | Ransomware Threat | NotPetya Wannacry | ★★ |
|
2018-12-20 14:00:00 | Let\'s Chat: Healthcare Threats and Who\'s Attacking (lien direct) |
Healthcare is under fire and there’s no sign of the burn slowing.
Look, it’s no secret that hackers have been targeting hospitals and other healthcare providers for several years — and probably no surprise that healthcare is one of the top target industries for cybercrime in 2018. In the US alone, in fact, more than 270 data breaches affecting nearly 12 million individuals were submitted to the U.S. HHS Office for Civil Rights breach portal (as of November 30, 2018). This includes the likes of unauthorized access or disclosures of patient data, hacking, theft of data, data loss and more.
Bottom line, if you’re tasked with protecting any entity operating in the healthcare sector, you’re likely experiencing some very sleepless nights — and may just need a doctor yourself.
So . . . who’s wreaking all this havoc and how? According to AlienVault Labs, opportunistic ransomware is still a preferred method of attack. However, researchers are reporting a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from healthcare providers and other similar entities who must protect and keep assets, systems, and networks continuously operating.
One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million dollars by manually compromising critical healthcare networks (see below for more info). The group behind SamSam has invested heavily in their operations (likely an organized crime syndicate) and has won the distinction of being the subjects of two FBI Alerts in 2018.
.png)
And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware. SamSam attacks also seem to go in waves. One of the most notable was a spring 2018 hit on a large New York hospital which publicly declined to pay the attacker’s $44,000 ransomware demand. It took a month for the hospital’s IT system to be fully restored.
SamSam attackers are known to:
Gain remote access through traditional attacks, such as JBoss exploits
Deploy web-shells
Connect to RDP over HTTP tunnels such as ReGeorg
Run batch scripts to deploy the ransomware over machines
SamSam isn’t going away either. AlienVault Labs has seen recent variants. You might want to read more about the threat actors behind SamSam, their methods of attacks, and recommendations for heading |
Threat | Wannacry APT 19 APT 18 APT 22 APT 23 | |
|
2018-10-30 13:00:00 | AlienVault Open Threat Exchange Hits Major Milestone with 100,000 Participants (lien direct) | Today, I’m excited to announce that AlienVault® Open Threat Exchange® (OTX™) has grown to 100,000 global participants, representing 36% percent year-over-year growth. AlienVault OTX, launched in 2012, is the world’s first free threat intelligence community that enables real-time collaboration between security researchers and IT security practitioners from around the world. Every day, participants from more than 140 countries contribute 19 million pieces of threat data to the community. OTX enables companies and government agencies to gather and share relevant, timely, and accurate information about new or ongoing cyber-attacks and threats as quickly as possible to avoid major breaches (or minimize the damage from an attack). As Russell Spitler, SVP of Product for AlienVault, an AT&T company, explains, “Attackers rely on isolation - they benefit when defenders don’t talk to each other. We can’t be everywhere at once, but they can learn from each others’ experience. With the growth in OTX membership, we all benefit from the diversity of threat intelligence from an even wider variety of participants.” To provide big-picture perspective on the billions of security artifacts contributed to OTX this year, AlienVault Security Advocate Javvad Malik and Threat Engineer Chris Doman have created the OTX Trends Report for 2018 Q1 and Q2. Like the 2017 report, this analysis reveals trends across exploits, malware, and threat actors, including top-ten rankings of the most seen exploits and adversaries recorded in vendor reports. The analysis reveals changes in the threat landscape, including a shift in the most reported exploits. For example, this year’s report reveals a rise in server exploits, as well as marking the first time an exploit targeting IoT devices (GPON Routers) has made the list of most-seen exploits. Encouragingly, the OTX Trends Report shows an uptick in information sharing across the InfoSec industry, including a plethora of independent research sharing on Twitter. According to the report, “As more companies and researchers look at ways to share threat data, we see more usable and useful information flow into OTX. This openness and collaboration has resulted not only in organisations being able to defend themselves better - but increasing circles of trust within the industry where actual threat intelligence is being shared more openly. A trend that we have seen grow over the years.” The sheer volume of security events included in the OTX Trends Report reflects the importance of keeping up with the latest threat intelligence. Without threat sharing, malicious actors can easily reuse effective exploits and pivot their attacks from target to target. A campaign affecting the UK legal industry can be repurposed for bankers in the United States, while security researchers operating in silos start from scratch each time. For example, the OTX Trends Report shows that the most commonly reported exploit, CVE-2017-11882, has been reused widely. By joining OTX, participants can strengthen their defenses and share real-time information about emerging threats, attack methods, and malicious actors. The diversity of OTX participants representing different countries, industries, and organization sizes provi | Threat | Wannacry | |
|
2018-09-11 13:00:00 | Explain Cryptojacking to Me (lien direct) | Last year, I wrote that ransomware was the summer anthem of 2017. At the time, it seemed impossible that the onslaught of global ransomware attacks like WannaCry and NotPetya would ever wane. But, I should have known better. Every summertime anthem eventually gets overplayed. This year, cryptojacking took over the airwaves, fueled by volatile global cryptocurrency markets. In the first half of 2018, detected cryptojacking attacks increased 141%, outpacing ransomware attacks. In this blog post, I’ll address cryptojacking: what it is, how it works, how to detect it, and why you should be tuning into this type of threat. What is Cryptojacking? Crytojacking definition: Cryptojacking is the act of using another’s computational resources without their knowledge or permission for cryptomining activities. By cryptojacking mobile devices, laptops, and servers, attackers effectively steal the CPU of your device to mine for cryptocurrencies like Bitcoin and Monero. Whereas traditional malware attacks target sensitive data that can be exploited for financial gain, like social security numbers and credit card information, cybercriminals that launch cryptojacking campaigns are more interested in your device’s computing power than your own personal data. To understand why, it’s helpful to consider the economics of cryptocurrency mining. Mining for cryptocurrencies like Bitcoin and Monero takes some serious computing resources to solve the complex algorithms used to discover new coins. These resources are not cheap, as anyone who pays their organization’s AWS bill or data center utility bill can attest to. So, in order for cryptocurrency mining to be profitable and worthwhile, the market value of the cryptocurrency must be higher than the cost of mining it – that is, unless you can eliminate the resource costs altogether by stealing others’ resources to do the mining for you. That’s exactly what cryptojacking attacks aim to do, to silently turn millions of devices into cryptomining bots, enabling cybercriminals to turn a profit without all the effort and uncertainty of collecting a ransom. Often, cryptojacking attacks are designed to evade detection by traditional antivirus tools so that they can quietly run in the background of the machine. Does this mean that all cryptomining activity is malicious? Well, it depends on who you ask. Cryptomining vs. Cryptojacking As the cryptocurrency markets have gained value and become more mainstream in recent years, we’ve seen a digital gold rush to cryptomine for new Bitcoin, and more recently, Monero. What began with early adopters and hobbyists building home rigs to mine for new coins has now given way to an entire economy of mining as a service, cryptoming server farms, and even cryptomining cafes. In this sense, cryptomining is, more or less, considered a legal and legitimate activity, one that could be further legitimized by a rumored $12 Billion Bitman IPO. Yet, the lines between cryptomining and cryptojacking are blurry. For example, the cryptomining “startup” Coinhive has positioned its technology as an alternative way to monetize a website, instead of by serving ads or charging a subscription. According to the website, the folks behind Coinhive, “dream about it as an alternative to micropayments, artificial wait time in online games, intrusive ads and dubious marketing tactics.” Yet at the same time, Coinhive has been one of the most common culprits found | Malware Threat | NotPetya Wannacry Tesla | |
 |
2017-08-11 08:00:00 | APT28 cible le secteur de l'hôtellerie, présente une menace pour les voyageurs APT28 Targets Hospitality Sector, Presents Threat to Travelers (lien direct) |
Fireeye a une confiance modérée qu'une campagne ciblant le secteur de l'hôtellerie est attribuée à l'acteur russe apt28 .Nous pensons que cette activité, qui remonte au moins en juillet 2017, était destinée à cibler les voyageurs dans des hôtels à travers l'Europe et le Moyen-Orient.L'acteur a utilisé plusieurs techniques notables dans ces incidents tels que renifler les mots de passe du trafic Wi-Fi, empoisonner le service de nom NetBios et se propager latéralement via le eternalblue exploit.
APT28 utilise un document malveillant pour cibler l'industrie hôtelière
Fireeye a découvert un document malveillant envoyé en lance
FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East. The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the EternalBlue exploit. APT28 Uses Malicious Document to Target Hospitality Industry FireEye has uncovered a malicious document sent in spear |
Threat | Wannacry APT 28 APT 28 | ★★★★ |
|
2017-06-02 08:00:00 | Les acteurs de la menace tirent parti de l'exploit éternel pour livrer des charges utiles non de la wannacry Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads (lien direct) |
L'exploit «eternalblue» ( MS017-010 ) a d'abord été utilisépar Wannacry Ransomware et Adylkuzz Cryptocurrency Miner.Maintenant, plus d'acteurs de menaces tirent parti de la vulnérabilité à MicrosoftProtocole de bloc de messages du serveur (SMB) & # 8211;Cette fois pour distribuer Backdoor.Nitol et Trojan Gh0st Rat.
Fireeye Dynamic Threat Intelligence (DTI) a historiquement observé des charges utiles similaires livrées via l'exploitation de la vulnérabilité CVE-2014-6332 ainsi que dans certaines campagnes de spam par e-mail en utilisant Commandes de versions .Plus précisément, Backdoor.Nitol a également été lié à des campagnes impliquant une exécution de code distante
The “EternalBlue” exploit (MS017-010) was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block (SMB) protocol – this time to distribute Backdoor.Nitol and Trojan Gh0st RAT. FireEye Dynamic Threat Intelligence (DTI) has historically observed similar payloads delivered via exploitation of CVE-2014-6332 vulnerability as well as in some email spam campaigns using powershell commands. Specifically, Backdoor.Nitol has also been linked to campaigns involving a remote code execution |
Ransomware Spam Vulnerability Threat | Wannacry | ★★★★ |
|
2017-05-15 08:01:01 | Campagne de ransomwares Wannacry: Détails de la menace et gestion des risques WannaCry Ransomware Campaign: Threat Details and Risk Management (lien direct) |
Mise à jour 3 (17 mai & # 8211; 19 h 00 HE)
Nous avons observé l'émergence d'une nouvelle variante de Wannacry avec l'URL de vérification Internet www.iffferfsodp9ifjaposdfjhgosurijfaewrwergwea [.] Test.Un bogue dans la logique de code fait que les logiciels malveillants interrogent réellement www.iffefsodp9ifjaposdfjhgosurijfaewrwergwea [.] Test.Le malware ne cryptera vos fichiers que s'il ne peut pas contacter ce domaine (en particulier, s'il ne peut pas faire une demande HTTP réussie à la résolution du domaine).Les chercheurs en sécurité ont pu enregistrer ces domaines «Killswitch» pour les variantes précédentes pour arrêter le chiffrement;Cependant, ce domaine particulier
UPDATE 3 (May 17 – 7:00 p.m. ET) We observed the emergence of a new WannaCry variant with the internet-check URL www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]testing. A bug in the code logic causes the malware to actually query www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test. The malware will encrypt your files only if it cannot contact this domain (specifically, if it cannot make a successful HTTP request to the resolution of the domain). Security researchers were able to register these “killswitch” domains for previous variants to stop encryption; however, this particular domain |
Ransomware Malware Threat | Wannacry | ★★★ |
1
We have: 36 articles.
We have: 36 articles.
To see everything:
Our RSS (filtrered)
