www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
2024-06-02T19:55:11+00:00

Mandiant - Blog Sécu de Mandiant
Poll Vaulting: Cyber Threats to Global Elections

Executive Summary

The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including state-sponsored actors, cyber criminals, hacktivists, insiders, and information-operations-as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts.

When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure.

Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google's Advanced Protection Program to protect high-risk accounts.

Introduction

The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture.

The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence.
Published: 2024-04-25T10:00:00+00:00
Source: https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections/
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8500393

Mandiant - Blog Sécu de Mandiant
APT29 Uses WINELOADER to Target German Political Parties
Published: 2024-03-22T11:00:00+00:00
Source: https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8469994

Mandiant - Blog Sécu de Mandiant
APT29 Uses WINELOADER to Target German Political Parties

Executive Summary

In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. Based on the SVR's responsibility to collect political intelligence and this APT29 cluster's historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum.
Please see the Technical Annex for technical details and MITRE ATT&CK techniques (T1543.003, T1012, T1082, T1134, T1057, T1007, T1027, T1070.004, T1055.003 and T1083).

Threat Detail

In late February 2024, Mandiant identified APT29, a Russian Federation backed threat group linked by multiple governments to Russia's Foreign Intelligence Service (SVR), conducting a phishing campaign targeting German political parties. Consistent with APT29 operations extending back to 2021, this operation leveraged APT29's mainstay first-stage payload ROOTSAW (aka EnvyScout) to deliver a new backdoor variant publicly tracked as WINELOADER.

Notably, this activity represents a departure from this APT29 initial access cluster's typical remit of targeting governments, foreign embassies, and other diplomatic missions, and is the first time Mandiant has seen an operational interest in political parties from this APT29 subcluster. Additionally, while APT29 has previously used lure documents bearing the logo of German government organizations, this is the first instance where we have seen the group use German-language lure content, a possible artifact of the targeting differences (i.e. domestic vs. foreign) between the two operations.

Phishing emails were sent to victims purporting to be an invite to a dinner reception on 01 March bearing a logo from the Christian Democratic Union (CDU), a major political party in Germany (see Figure 1). The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website "https://waterforvoiceless[.]org/invite.php". ROOTSAW delivered a second-stage CDU-themed lure document and a next stage WINELOADER payload retrieved from "waterforvoiceless[.]org/util.php". WINELOADER was first observed in operational use in late January 2024 in an operation targeting likely diplomatic entities in Czechia, Germany, India, Italy, Latvia, and Peru. The backdoor contains several features and functions that overlap with several known APT29 malware families including BURNTBATTER, MUSKYBEAT and BEATDROP, indicating they are likely created by a common developer (see Technical Annex for additional details).

Published: 2024-03-22T00:00:00+00:00
Source: https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties/
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8500402

Mandiant - Blog Sécu de Mandiant
Backchannel Diplomacy: APT29's Rapidly Evolving Diplomatic Phishing Operations

Key Insights

APT29's pace of operations and emphasis on Ukraine increased in the first half of 2023 as Kyiv launched its counteroffensive, pointing to the SVR's central role in collecting intelligence concerning the current pivotal phase of the war. During this period, Mandiant has tracked substantial changes in APT29's tooling and tradecraft, likely designed to support the increased frequency and scope of operations and hinder forensic analysis.
APT29 has used various infection chains simultaneously across different operations, indicating that distinct initial access operators or

Published: 2023-09-21T09:00:00+00:00
Source: https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8386704

Mandiant - Blog Sécu de Mandiant
They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming
Published: 2022-11-08T15:00:00+00:00
Source: https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8377408

Mandiant - Blog Sécu de Mandiant
You Can't Audit Me: APT29 Continues Targeting Microsoft 365
APT29 is a Russian espionage group that Mandiant has been tracking since at least 2014 and is likely sponsored by the Foreign Intelligence Service (SVR). Mandiant continues to identify APT29 operations targeting the United States' (US) interests, and those of NATO and partner countries. Despite the publicization of multiple APT29 operations, they continue to be extremely prolific. In 2022, APT29 has focused on organizations responsible for influencing and crafting the foreign policy of NATO countries. This has included multiple instances where APT29 revisited victims they had compromised years

Published: 2022-08-18T09:00:00+00:00
Source: https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8377438
Mandiant - Blog Sécu de Mandiant
UNC3524: Eye Spy on Your Email

UPDATE (November 2022): We have merged UNC3524 with APT29. The UNC3524 activity described in this post is now attributed to APT29.

Since December 2019, Mandiant has observed advanced threat actors increase their investment in tools to facilitate bulk email collection from victim environments, especially as it relates to their support of suspected espionage objectives. Email messages and their attachments offer a rich source of information about an organization, stored in a centralized location for threat actors to collect. Most email systems, whether on-premises or in the cloud, offer

Published: 2022-05-02T09:30:00+00:00
Source: https://www.mandiant.com/resources/blog/unc3524-eye-spy-email
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8377467

Mandiant - Blog Sécu de Mandiant
Trello From the Other Side: Tracking APT29 Phishing Campaigns
Since early 2021, Mandiant has been tracking extensive APT29 phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia. This blog post discusses our recent observations related to the identification of two new malware families in 2022, BEATDROP and BOOMMIC, as well as APT29's efforts to evade detection through retooling and abuse of Atlassian's Trello service. APT29 is a Russian espionage group that Mandiant has been tracking since at least 2014 and is likely sponsored by the Foreign Intelligence Service (SVR). The diplomatic-centric targeting of this recent

Published: 2022-04-28T12:00:00+00:00
Source: https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8377468
Mandiant - Blog Sécu de Mandiant
Assembling the Russian Nesting Doll: UNC2452 Merged into APT29

SolarWinds compromise in December 2020, is attributable to APT29. This conclusion matches attribution statements previously made by the U.S. Government that the SolarWinds supply chain compromise was conducted by APT29, a Russia-based espionage group assessed to be sponsored by the Russian Foreign Intelligence Service (SVR). Our assessment is based on first-hand data gathered by Mandiant and is the result of a thorough comparison and review of UNC2452 and our

Published: 2022-04-27T09:00:00+00:00
Source: https://www.mandiant.com/resources/blog/unc2452-merged-into-apt29
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8377472

Mandiant - Blog Sécu de Mandiant
Suspected Russian Activity Targeting Government and Business Entities Around the Globe
UPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post is now attributed to APT29.

As the one-year anniversary of the discovery of the SolarWinds supply chain compromise passes, Mandiant remains committed to tracking one of the toughest actors we have encountered. These suspected Russian actors practice top-notch operational security and advanced tradecraft. However, they are fallible, and we continue to uncover their activity and learn from their mistakes. Ultimately, they remain an adaptable and evolving threat that must be closely studied by

Published: 2021-12-06T10:00:00+00:00
Source: https://www.mandiant.com/resources/blog/russian-targeting-gov-business
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8377522
Mandiant - Blog Sécu de Mandiant
Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 | Blog
UPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post and report is now attributed to APT29.

UPDATE (Oct. 28, 2021): Mandiant has recently observed targeted threat actors using EWS impersonation (via the ApplicationImpersonation role) to maintain persistent access to mailboxes in victim environments. Once the threat actor has access to this role, its abuse is hard to detect and provides the threat actor control over every mailbox in a victim tenant. Mandiant has also observed targeted threat actors abusing the trust relationship between Cloud

Published: 2021-01-19T14:00:00+00:00
Source: https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8377611
Mandiant - Blog Sécu de Mandiant
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
UPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post is now attributed to APT29.

Executive Summary

We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452. FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST. The attacker's post compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection. The

Published: 2020-12-13T22:00:00+00:00
Source: https://www.mandiant.com/resources/blog/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8377613
Mandiant - Blog Sécu de Mandiant
Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign

Introduction

FireEye devices detected intrusion attempts against multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting. The attempts involved a phishing email appearing to be from the U.S. Department of State with links to zip files containing malicious Windows shortcuts that delivered Cobalt Strike Beacon. Shared technical artifacts; tactics, techniques, and procedures (TTPs); and targeting connect this activity to previously observed activity suspected to be APT29. APT29

Published: 2018-11-19T22:00:00+00:00
Source: https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8377724

Mandiant - Blog Sécu de Mandiant
Dissecting One of APT29's Fileless WMI and PowerShell Backdoors (POSHSPY)

Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY. POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation (WMI). In the investigations Mandiant has conducted, it appeared that APT29 deployed POSHSPY as a secondary backdoor for use if they lost access to their primary backdoors. POSHSPY makes the most of using built-in Windows features – so-called "living off the land" – to make an especially stealthy backdoor.
POSHSPY's use of WMI to both store and persist the backdoor code makes it nearly invisible to anyone

Published: 2017-04-03T07:00:00+00:00
Source: https://www.mandiant.com/resources/blog/dissecting-one-ofap
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8377785

Mandiant - Blog Sécu de Mandiant
APT29 Domain Fronting With TOR
Mandiant has observed Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years. There has been considerable discussion about domain fronting following the release of a paper detailing these techniques. Domain fronting provides outbound network connections that are indistinguishable from legitimate requests for popular websites. APT29 has used The Onion Router (TOR) and the TOR domain fronting plugin meek to create a hidden, encrypted network tunnel that appeared to connect to Google services over TLS

Published: 2017-03-27T07:00:00+00:00
Source: https://www.mandiant.com/resources/blog/apt29-domain-frontin
Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8377787