This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2024-05-19T07:58:56+00:00 www.secnews.physaphae.fr BAE - BAE Systelm Threat Research Malware compiled containing admin credentials for the FEIB network. 03 October 2017 Transfers using MT103 messages were sent from FEIB to Cambodia, the US and Sri Lanka. Messages to cover the funds for the payments were incorrectly created and sent. 03 October 2017 Breach discovered and ransomware uploaded to online malware repository site. 04 October 2017 Individual in Sri Lanka cashes out a reported Rs30m (~$195,000). 06 October 2017 ]]> 2017-10-16T22:32:36+00:00 http://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html www.secnews.physaphae.fr/article.php?IdArticle=419214 False Medical APT 38,Wannacry None BAE - BAE Systelm Threat Research ANALYSIS: Initial VectorThe initial infection vector is still unknown. Reports by some of phishing emails have been dismissed by other researchers as relevant only to a different (unrelated) ransomware campaign, called Jaff.There is also a working theory that initial compromise may have come from SMB shares exposed to the public internet. Results from Shodan show over 1.5 million devices with port 445 open – the attacker could have infected those shares directly.The Dropper/WormThe infection starts from a 3.6Mb executable file named mssecsvc.exe or lhdfrgui.exe. Depending on how it's executed, it can function as a dropper or as a worm.When run, the executable first checks if it can connect to the following URL:http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com The connection is checked with the WinINet functions, shown below: 01 qmemcpy(&szUrl, 02         "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com", 03         57u); 04 h1 = InternetOpenA(0,&nbs]]> 2017-05-17T03:33:55+00:00 http://baesystemsai.blogspot.com/2017/05/wanacrypt0r-ransomworm.html www.secnews.physaphae.fr/article.php?IdArticle=365767 False Guideline,Medical APT 38,Wannacry None BAE - BAE Systelm Threat Research article that detailed a series of attacks directed at Polish financial institutions. The article is brief, but states that "This is – by far – the most serious information security incident we have seen in Poland" followed by a claim that over 20 commercial banks had been confirmed as victims.This report provides an outline of the attacks based on what was shared in the article, and our own additional findings. ANALYSISAs stated in the blog, the attacks are suspected of originating from the website of the Polish Financial Supervision Authority (knf.gov[.]pl), shown below:From at least 2016-10-07 to late January the website code had been modified to cause visitors to download malicious JavaScript files from the following locations: hxxp://sap.misapor[.]ch/vishop/view.jsp?pagenum=1hxxps://www.eye-watch[.]in/design/fancybox/Pnf.action Both of these appear to be compromised domains given they are also hosting legitimate content and have done for some time. The malicious JavaScript leads to the download of malware to the victim's device. Some hashes of the backdoor have been provided in BadCyber's technical analysis: 85d316590edfb4212049c4490db08c4bc1364bbf63b3617b25b58209e4529d8c1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae The C&Cs given in the BadCyber analysis were the following IP addresses: 125.214.195.17196.29.166.218 LAZARUS MALWAREOnly one of the samples referenced by BadCyber is available in public malware repositories. At the moment we cannot verify that it originated from the watering-hole on the KNF website – but we have no reason to doubt this either. MD5 hash Filename File Info First seen ]]> 2017-03-06T12:13:22+00:00 http://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html www.secnews.physaphae.fr/article.php?IdArticle=352308 False Guideline,Medical APT 38 None BAE - BAE Systelm Threat Research We continue to investigate the recent wave of attacks on banks using watering-holes on at least two financial regulator websites as well as others. Our initial analysis of malware disclosed in the BadCyber blog hinted at the involvement of the 'Lazarus' threat actor. Since the release of our report, more samples have come to light, most notably those described in the Polish language niebezpiecznik.pl blog on 7 February 2017. MD5 hash Filename Compile Time File Info Submitted 9216b29114fb6713ef228370cbfe4045 srservice.chm N/A N/A N/A 8e32fccd70cec634d13795bcb1da85ff srservice.hlp N/A N/A N/A e29fe3c181ac9ddb]]> 2017-03-06T12:13:03+00:00 http://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html www.secnews.physaphae.fr/article.php?IdArticle=352307 False Guideline,Medical APT 38 None