www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of articles from multiple sources. The list of sources can be found on www.secnews.physaphae.fr. Generated 2024-06-29T04:01:14+00:00.

Anomali - Firm Blog
Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Xenomorph V3: a New Variant with ATS Targeting More Than 400 Institutions (published: March 10, 2023)
Newer versions of the Xenomorph Android banking trojan are able to target 400 applications: cryptocurrency wallets and mobile banking apps from around the world, with the top targeted countries being Spain, Turkey, Poland, the USA and Australia (in that order). Since February 2022, several small Xenomorph test campaigns have been detected. Its current version, Xenomorph v3 (Xenomorph.C), is offered on the Malware-as-a-Service model. This version was delivered using the Zombinder binding service to bind it to a legitimate currency converter. Xenomorph v3 automatically collects and exfiltrates credentials using the ATS (Automated Transfer Systems) framework. The command-and-control traffic blends in by abusing the Discord Content Delivery Network.
Analyst Comment: Fraud chain automation makes Xenomorph v3 a dangerous malware that might significantly increase its prevalence on the threat landscape. Users should keep their mobile devices updated and use mobile antivirus and VPN protection services. Install only applications that you actually need, use the official store, and check the app description and reviews.
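Both Xenomorph above and the SYK crypter item further down this feed hide payload delivery and C2 behind Discord's CDN, so the practical detection question is how to spot a Discord attachment download that is really a binary drop. The script below is an added example, not code from Anomali, Morphisec or the page. The Discord hostnames are the real CDN names; the proxy log format (timestamp, client, method, URL, status, content type, user agent) and every log line are constructed for the example.

```python
"""Flag executable/APK downloads from Discord's CDN in web-proxy logs.

Added example, not code from the page or the vendors it cites. Assumes a constructed,
space-separated proxy log format:
    <timestamp> <client> <method> <url> <status> <content-type> <user-agent>
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Real Discord file-hosting hostnames; the attachment paths in the samples are constructed.
DISCORD_FILE_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# Content types / extensions that indicate a dropped executable rather than a shared image or clip.
EXECUTABLE_TYPES = {
    "application/vnd.android.package-archive",
    "application/x-msdownload",
    "application/x-dosexec",
    "application/octet-stream",
    "application/x-executable",
}
EXECUTABLE_EXTS = (".apk", ".exe", ".dll", ".bin", ".ps1", ".jar", ".scr")


@dataclass(frozen=True)
class Alert:
    client: str
    url: str
    reason: str


def parse_proxy_line(line: str) -> Optional[dict]:
    """Split one constructed proxy log line into fields; return None on malformed input."""
    parts = line.strip().split(" ", 6)  # user agent may contain spaces, so split at most 6 times
    if len(parts) != 7:
        return None
    ts, client, method, url, status, ctype, ua = parts
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": status, "ctype": ctype.lower(), "ua": ua}


def is_discord_attachment(url: str) -> bool:
    """True when the URL points at a file attachment on Discord's CDN."""
    parsed = urlsplit(url)
    host = (parsed.hostname or "").lower()
    return host in DISCORD_FILE_HOSTS and parsed.path.startswith("/attachments/")


def classify(rec: dict) -> Optional[str]:
    """Return a reason when the request looks like payload delivery via Discord CDN, else None."""
    if not is_discord_attachment(rec["url"]):
        return None
    path = urlsplit(rec["url"]).path.lower()
    if rec["ctype"] in EXECUTABLE_TYPES:
        return f"executable content-type {rec['ctype']} from Discord CDN"
    if path.endswith(EXECUTABLE_EXTS):
        return f"executable extension .{path.rsplit('.', 1)[-1]} from Discord CDN"
    # A Discord attachment fetched by something that is neither a browser nor the Discord
    # client (curl, PowerShell, a bare Dalvik UA) deserves a look even when the type is vague.
    ua = rec["ua"].lower()
    if not any(token in ua for token in ("mozilla", "discord")):
        return f"non-browser user agent '{rec['ua']}' fetching Discord attachment"
    return None


def scan(lines) -> List[Alert]:
    """Run the classifier over raw log lines, skipping malformed ones."""
    alerts = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            alerts.append(Alert(rec["client"], rec["url"], reason))
    return alerts


# Constructed sample traffic: a normal image share, an APK drop, a loader fetch, a malformed line.
SAMPLE_LOG = [
    "2023-03-10T09:00:01Z 10.1.2.3 GET https://cdn.discordapp.com/attachments/1111/2222/photo.png 200 image/png Mozilla/5.0",
    "2023-03-10T09:00:02Z 10.1.2.4 GET https://cdn.discordapp.com/attachments/1111/3333/converter.apk 200 application/vnd.android.package-archive Dalvik/2.1.0",
    "2023-03-10T09:00:03Z 10.1.2.5 GET https://cdn.discordapp.com/attachments/1111/4444/stage2 200 text/plain curl/7.88",
    "garbage",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The user-agent check is the weakest of the three signals and is there to catch second-stage fetches with no extension and a generic content type; tune or drop it where legitimate scripted Discord use exists.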
Organizations that publish applications for their customers are invited to use Anomali's Premium Digital Risk Protection service to discover rogue, malicious apps impersonating their brand, which security teams typically do not search for or monitor.
MITRE ATT&CK: [MITRE ATT&CK] T1417.001 - Input Capture: Keylogging | [MITRE ATT&CK] T1417.002 - Input Capture: GUI Input Capture
Tags: malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility services, Overlay attack, Discord CDN, Cryptocurrency wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android

Cobalt Illusion Masquerades as Atlantic Council Employee (published: March 9, 2023)
A new campaign by Iran-sponsored Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorus) was detected targeting Mahsa Amini protests and researchers who document the suppression of women and minority groups i[...]

Published: 2023-03-14T17:32:00+00:00
https://www.anomali.com/blog/anomali-cyber-watch-xenomorph-automates-the-whole-fraud-chain-on-android-icefire-ransomware-started-targeting-linux-mythic-leopard-delivers-spyware-using-romance-scam
www.secnews.physaphae.fr/article.php?IdArticle=8318511
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Guideline, Conference | Related: ChatGPT, APT 35, APT 42, APT 36

knowbe4 - cybersecurity services
Russian and Iranian Spear Phishing Campaigns are Running Rampant in the UK
The UK's National Cyber Security Centre (NCSC) has described two separate spear phishing campaigns launched by Russia's SEABORGIUM threat actor and Iran's TA453 (also known as Charming Kitten). The NCSC says both threat actors have targeted entities in the UK, including "academia, defence, governmental organisations, NGOs, think-tanks, as well as politicians, journalists, and activists."
Published: 2023-01-30T13:52:25+00:00
https://blog.knowbe4.com/russian-iranian-spear-phishing-campaigns-in-uk
www.secnews.physaphae.fr/article.php?IdArticle=8305530
Tags: Threat, Conference | Related: APT 35

Recorded Future - Recorded Future feed
British cyber agency issues warning over Russian and Iranian espionage campaigns
Image: NCSC headquarters
Two separate but similar espionage campaigns from Russian and Iranian-linked groups have prompted a warning from Britain's National Cyber Security Centre. In a document published on Thursday local time, the NCSC warned how, instead of sending surprise phishing emails, the hacking groups, identified as "Russia-based" SEABORGIUM and "Iran-based" APT42, or Charming Kitten, are [...]
Published: 2023-01-26T00:01:00+00:00
https://therecord.media/british-cyber-agency-issues-warning-over-russian-and-iranian-espionage-campaigns/
www.secnews.physaphae.fr/article.php?IdArticle=8304084
Tags: Conference | Related: APT 35, APT 42

CVE List - Common Vulnerability Exposure
CVE-2018-25070
Published: 2023-01-07T11:15:08+00:00
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-25070
www.secnews.physaphae.fr/article.php?IdArticle=8298792
Tags: Vulnerability, Guideline, Conference | Related: APT 35

Global Security Mag - French news site
Iranian-state-aligned threat actor targets new victims in cyberespionage and kinetic campaigns – Proofpoint research
Malware Update
Published: 2022-12-14T10:20:58+00:00
https://www.globalsecuritymag.fr/Iranian-state-aligned-threat-actor-targets-new-victims-in-cyberespionage-and.html
www.secnews.physaphae.fr/article.php?IdArticle=8291153
Tags: Threat, Conference | Related: APT 35, APT 42

InfoSecurity Mag - InfoSecurity Magazine
Security Risks Found in Millions of XIoT Devices
Published: 2022-12-07T16:00:00+00:00
https://www.infosecurity-magazine.com/news/security-risks-found-in-millions/
www.secnews.physaphae.fr/article.php?IdArticle=8288719
Tags: Conference | Related: APT 35

CSO - CSO Daily Dashboard
Iranian cyberspies use multi-persona impersonation in phishing threads
[...] recently reported with medium confidence that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC)'s Intelligence Organization (IRGC-IO) and specializes in highly targeted social engineering.
Published: 2022-09-14T05:09:00+00:00
https://www.csoonline.com/article/3673295/iranian-cyberspies-use-multi-persona-impersonation-in-phishing-threads.html#tk.rss_all
www.secnews.physaphae.fr/article.php?IdArticle=6887761
Tags: Conference | Related: APT 35, APT 42

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group
Published: 2022-09-08T11:08:00+00:00
https://thehackernews.com/2022/09/microsoft-warns-of-ransomware-attacks.html
www.secnews.physaphae.fr/article.php?IdArticle=6779982
Tags: Ransomware, Threat, Conference | Related: APT 35

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Google Uncovers Tool Used by Iranian Hackers to Steal Data from Email Accounts
Published: 2022-08-23T07:50:00+00:00
https://thehackernews.com/2022/08/google-uncovers-tool-used-by-iranian.html
www.secnews.physaphae.fr/article.php?IdArticle=6485628
Tags: Malware, Tool, Threat, Conference | Related: APT 35, Yahoo

Anomali - Firm Blog
Anomali Cyber Watch: GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool, DragonForce Malaysia OpsPatuk / OpsIndia and More

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence

Update: The Phish Goes On - 5 Million Stolen Credentials and Counting (published: June 16, 2022)
PIXM researchers describe an ongoing, large-scale Facebook phishing campaign. Its primary targets are Facebook Messenger mobile users, and an estimated five million users have lost their login credentials. The campaign evades Facebook's anti-phishing protection by redirecting to a new page at a legitimate service such as amaze.co, famous.co, funnel-preview.com, or glitch.me. In June 2022, the campaign also employed the tactic of displaying legitimate shopping cart content on the final page for about two seconds before displaying the phishing content. The campaign is attributed to the Colombian actor BenderCrack (Hackerasueldo), who monetizes it by displaying affiliate ads.
Analyst Comment: Users should check which domain is asking for login credentials before providing them. Organizations can consider monitoring their employees' use of Facebook as a Single Sign-On (SSO) provider.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204
Tags: Facebook, Phishing, Facebook Messenger, Social networks, Mobile, Android, iOS, Redirect, Colombia, source-country:CO, BenderCrack, Hackerasueldo

F5 Labs Investigates MaliBot (published: June 15, 2022)
F5 Labs researchers describe a novel Android trojan, dubbed MaliBot. Based on rewritten SOVA malware code, MaliBot maintains its background service by setting itself as the launcher. Its code has some unused evasion portions for emulation environment detection and for setting the malware as a hidden app. MaliBot spreads via smishing, takes control of the device and monetizes it using overlays for certain Italian and Spanish banks, stealing cryptocurrency, and sometimes sending premium SMS to paid services.
Analyst Comment: Users should be wary of following links in unexpected SMS messages. Try to avoid downloading apps from third-party websites.
Be cautious when enabling accessibility options.
MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] User Execution - T1204
Tags: MaliBot, Android, MFA bypass, SMS theft, Premium SMS, Smishing, Binance, Trust wallet, VNC, SOVA, Sality, Cryptocurrency, Financial, Italy, target-country:IT, Spain, target-country:ES

Extortion Gang Ransoms Shoprite, Largest Supermarket Chain in Africa (published: June 15, 2022)
On June 10, 2022, Africa's largest supermarket chain, Shoprite Holdings, which operates in twelve countries, announced a possible cybersecurity incident. The company notified customers in E[...]

Published: 2022-06-21T15:03:00+00:00
https://www.anomali.com/blog/anomali-cyber-watch-gallium-expands-targeting-across-telecommunications-government-and-finance-sectors-with-new-pingpull-tool-dragonforce-malaysia-opspatuk-opsindia-and-more
www.secnews.physaphae.fr/article.php?IdArticle=5309464
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Guideline, Conference | Related: APT 35, Yahoo

IT Security Guru - Security blog
New Iranian Spear-Phishing Campaign Hijacks Email Conversations
Published: 2022-06-15T10:41:47+00:00
https://www.itsecurityguru.org/2022/06/15/new-iranian-spear-phishing-campaign-hijacks-email-conversations/?utm_source=rss&utm_medium=rss&utm_campaign=new-iranian-spear-phishing-campaign-hijacks-email-conversations
www.secnews.physaphae.fr/article.php?IdArticle=5163528
Tags: Conference | Related: APT 35

Anomali - Firm Blog
Anomali Cyber Watch: Costa Rica in Ransomware Emergency, Charming Kitten Spy and Ransom, Saitama Backdoor Hides by Sleeping, and More

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

COBALT MIRAGE Conducts Ransomware Operations in U.S. (published: May 12, 2022)
Secureworks researchers describe campaigns by the Iran-sponsored group Cobalt Mirage.
These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity's systems and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries, including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and on commodity tools for encryption, internal scanning, and lateral movement.
Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your systems updated, and employ mitigation strategies when updates for critical vulnerabilities are not available.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, Powershell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591

SYK Crypter Distributing Malware Families Via Discord (published: May 12, 2022)
Morphisec researchers discovered a new campaign abusing the content distribution network (CDN) of the popular messaging platform Discord.
If a targeted user activates the phishing attachment, it starts the DNetLoader malware, which reaches out to a hardcoded Discord CDN link and downloads a next-stage crypter such as the newly discovered SYK crypter. SYK crypter is loaded into memory, where it decrypts its configuration and the next-stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions and checks for d[...]

Published: 2022-05-17T15:01:00+00:00
https://www.anomali.com/blog/anomali-cyber-watch-costa-rica-in-ransomware-emergency-charming-kitten-spy-and-ransom-saitama-backdoor-hides-by-sleeping-and-more
www.secnews.physaphae.fr/article.php?IdArticle=4668209
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Conference | Related: APT 35, APT 15, APT 34

SecurityWeek - Security News
Iranian Cyberspy Group Launching Ransomware Attacks Against US
Published: 2022-05-12T13:18:29+00:00
https://www.securityweek.com/iranian-cyberspy-group-launching-ransomware-attacks-against-us
www.secnews.physaphae.fr/article.php?IdArticle=4584033
Tags: Ransomware, Threat, Conference | Related: APT 35

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks
Published: 2022-05-12T06:56:45+00:00
https://thehackernews.com/2022/05/iranian-hackers-leveraging-bitlocker.html
www.secnews.physaphae.fr/article.php?IdArticle=4583977
Tags: Ransomware, Malware, Threat, Conference | Related: APT 35, APT 15

SecurityWeek - Security News
Enterprise IoT Security Firm Phosphorus Raises $38 Million
Published: 2022-02-22T15:18:36+00:00
https://www.securityweek.com/enterprise-iot-security-firm-phosphorus-raises-38-million
www.secnews.physaphae.fr/article.php?IdArticle=4166870
Tags: Patching, Conference | Related: APT 35

Security Affairs - Security blog
Iran-linked TunnelVision APT is actively exploiting the Log4j vulnerability
Published: 2022-02-18T15:21:14+00:00
https://securityaffairs.co/wordpress/128159/apt/tunnelvision-exploits-log4j-vulnerability.html?utm_source=rss&utm_medium=rss&utm_campaign=tunnelvision-exploits-log4j-vulnerability
www.secnews.physaphae.fr/article.php?IdArticle=4144680
Tags: Ransomware, Vulnerability, Conference | Related: APT 35

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware
Published: 2022-02-17T23:40:44+00:00
https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html
www.secnews.physaphae.fr/article.php?IdArticle=4143060
Tags: Ransomware, Conference | Related: APT 35

Anomali - Firm Blog
Anomali Cyber Watch: Conti Ransomware Attack, Iran-Sponsored APTs, New Android RAT, Russia-Sponsored Gamaredon, and More

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

New CapraRAT Android Malware Targets Indian Government and Military Personnel (published: February 7, 2022)
Trend Micro researchers have discovered a new remote access trojan (RAT), dubbed CapraRAT, that targets Android systems.
CapraRAT is attributed to the advanced persistent threat (APT) group APT36 (Earth Karkaddan, Mythic Leopard, Transparent Tribe), which is believed to be a Pakistan-based group active since at least 2016. The Android-targeting CapraRAT shares similarities (capabilities, commands, and function names) with the Windows-targeting Crimson RAT, and researchers note that it may be a modified version of the open-source AndroRAT. The delivery method of CapraRAT is unknown; however, APT36 is known to use spearphishing emails with attachments or links. Once CapraRAT is installed and executed, it attempts to reach out to a command and control server and subsequently begins stealing various data from the infected device.
Analyst Comment: It is important to obtain software only from the Google Play Store (for Android users) and to avoid installing software from unverified sources, because it is easier for malicious applications to get into third-party stores. Applications that ask for permissions outside of their normal functionality should be treated with suspicion, and an application's normal functionality should be reviewed carefully prior to installation. Antivirus applications, if available, should be installed on devices.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Software Deployment Tools - T1072
Tags: APT36, Earth Karkaddan, Mythic Leopard, Transparent Tribe, Android, CapraRAT

Russia's Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine (published: February 3, 2022)
The Russia-sponsored cyberespionage group Primitive Bear (Gamaredon) has continued updating its toolset, according to Unit 42 researchers. The group continues to use its primary tactic of spearphishing emails with attachments that leverage remote templates and template injection, with a focus on Ukraine.
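The remote-template trick used here works because a .docx can declare an "attached template" as an external relationship, and Word fetches it over the network when the document is opened. The check below is an added example, not Unit 42's or the page's code: it opens a .docx as the zip container it is, reads the relationship parts, and reports any attachedTemplate relationship whose TargetMode is External. The two documents it inspects are constructed in memory, and the remote URL is a placeholder.

```python
"""Detect an external (remote) attached template in a .docx, i.e. the template-injection
delivery described above. Added example, not code from the page. The .docx files are
constructed in memory and the remote template URL is a placeholder.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Relationship parts that can carry a template pointer; settings.xml.rels is the usual one.
RELS_PARTS = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target found in the document's relationship parts."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part in RELS_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                # Word only reaches out over the network for TargetMode="External";
                # a local .dotm path (the default, Internal) is the normal benign case.
                if rel.get("TargetMode", "Internal") == "External":
                    hits.append(rel.get("Target", ""))
    return hits


def build_docx(template_target: Optional[str] = None, external: bool = True) -> bytes:
    """Build a minimal .docx in memory; with a target, attach it as a template (constructed sample)."""
    settings = (f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                + ('<w:attachedTemplate r:id="rId1"/>' if template_target else "")
                + "</w:settings>")
    rels = f'<Relationships xmlns="{REL_NS}">'
    if template_target:
        mode = ' TargetMode="External"' if external else ""
        rels += f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}"{mode}/>'
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed samples: clean, locally attached template, and an injected remote template (placeholder URL).
BENIGN_DOCX = build_docx()
LOCAL_TEMPLATE_DOCX = build_docx("Corporate.dotm", external=False)
INJECTED_DOCX = build_docx("http://template.example/normal.dotm")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX), ("local", LOCAL_TEMPLATE_DOCX), ("injected", INJECTED_DOCX)):
        print(label, find_remote_templates(doc))
```

Run it over a mail gateway's quarantined attachments and the only hits should be documents that genuinely need a template from a network share or intranet host; anything pointing at an arbitrary public URL is worth detonating.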
These email attachments are usually Microsoft Word documents that use the remote template to fetch VBScript, execute it to establish persistence, and wait for the group's instructions via a command and control server. Unit 42 researchers have analyzed the group's activity and infrastructure dating back to 2018 up to the current border tensions between Russia and Ukraine. The infrastructure behind the campaigns is robust, with clusters of domains that are rotated and parked on different IPs, often on a daily basis.
Analyst Comment: Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromis[...]

Published: 2022-02-08T16:00:00+00:00
https://www.anomali.com/blog/anomali-cyber-watch-conti-ransomware-attack-iran-sponsored-apts-new-android-rat-russia-sponsored-gamaredon-and-more
www.secnews.physaphae.fr/article.php?IdArticle=4094313
Tags: Ransomware, Malware, Threat, Conference | Related: APT 35, APT 29, APT 36

knowbe4 - cybersecurity services
CyberheistNews Vol 12 #06 [Heads Up] Beware of New QuickBooks Payment Scams
CyberheistNews Vol 12 #06 | Feb. 8th, 2022
[Heads Up] Beware of New QuickBooks Payment Scams
Many small and mid-sized companies use Intuit's popular QuickBooks program. They usually start out using its easy-to-use base accounting program, and then the QuickBooks program aggressively pushes other complementary features. One of those add-on features is the ability to send customers' invoices via email. The customer can click on a "Review and pay" button in the email to pay the invoice. It used to be a free, but less mature, feature years ago, but these days it costs extra.
Still, if you are using QuickBooks for your accounting, the ability to generate, send, receive and electronically track invoices all in one place is a pretty easy sell. Unfortunately, phishing criminals are using QuickBooks' popularity to send business email compromise (BEC) scams. The emails appear as if they are coming from a legitimate vendor using QuickBooks, but if the potential victim takes the bait, the invoice they pay will go to the scammer. Worse, the payment request can require that the customer pay by ACH (automated clearing house), which requires them to input their bank account details. So, if the victim falls for the scam, the criminal now has their bank account information. Not good. Note: Some other QuickBooks scam warnings will tell you that QuickBooks will never ask for your ACH or banking details. This is not completely true. QuickBooks, the company and its support staff, never will, but QuickBooks email payment requests often do. Warn your users in Accounting.
CONTINUED at the KnowBe4 blog with both legitimate and malicious example screenshots: https://blog.knowbe4.com/beware-of-quickbooks-payment-scams
Published: 2022-02-08T14:23:51+00:00
https://blog.knowbe4.com/cyberheistnews-vol-12-06-heads-up-beware-of-new-quickbooks-payment-scams
www.secnews.physaphae.fr/article.php?IdArticle=4094184
Tags: Malware, Hack, Threat, Conference | Related: APT 35

Security Affairs - Security blog
Experts warn of a spike in APT35 activity and a possible link to Memento ransomware op
Published: 2022-02-02T11:55:18+00:00
https://securityaffairs.co/wordpress/127526/apt/apt35-spike-memento-op.html?utm_source=rss&utm_medium=rss&utm_campaign=apt35-spike-memento-op
www.secnews.physaphae.fr/article.php?IdArticle=4069999
Tags: Ransomware, Conference | Related: APT 35

SecurityWeek - Security News
Iranian Hackers Using New PowerShell Backdoor Linked to Memento Ransomware
Published: 2022-02-01T16:24:06+00:00
https://www.securityweek.com/iranian-hackers-using-new-powershell-backdoor-linked-memento-ransomware
www.secnews.physaphae.fr/article.php?IdArticle=4066276
Tags: Ransomware, Conference | Related: APT 35

Bleeping Computer - American magazine
Cyberspies linked to Memento ransomware use new PowerShell malware
Published: 2022-02-01T14:00:00+00:00
https://www.bleepingcomputer.com/news/security/cyberspies-linked-to-memento-ransomware-use-new-powershell-malware/
www.secnews.physaphae.fr/article.php?IdArticle=4066936
Tags: Ransomware, Malware, Conference | Related: APT 35

CybeReason - Vendor blog
PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage
Over the past months, the Cybereason Nocturnus Team observed an uptick in the activity of the Iran-attributed group dubbed Phosphorus (AKA Charming Kitten, APT35), known for previously attacking medical research organizations in the US and Israel in late 2020, and for targeting academic researchers from the US, France, and the Middle East region back in 2019.
Published: 2022-02-01T05:01:00+00:00
https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage
www.secnews.physaphae.fr/article.php?IdArticle=4063281
Tags: Conference | Related: APT 35

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Iranian Hackers Using New PowerShell Backdoor in Cyber Espionage Attacks
Published: 2022-02-01T02:28:30+00:00
https://thehackernews.com/2022/02/iranian-hackers-using-new-powershell.html
www.secnews.physaphae.fr/article.php?IdArticle=4064183
Tags: Malware, Threat, Conference | Related: APT 35

Security Affairs - Security blog
Iran-linked APT35 group exploits Log4Shell flaw to deploy a new PowerShell backdoor
Published: 2022-01-12T11:22:16+00:00
https://securityaffairs.co/wordpress/126613/apt/apt35-log4shell-backdoor.html?utm_source=rss&utm_medium=rss&utm_campaign=apt35-log4shell-backdoor
www.secnews.physaphae.fr/article.php?IdArticle=3951538
Tags: Conference | Related: APT 35

Bleeping Computer - American magazine
State hackers use new PowerShell backdoor in Log4j attacks
Published: 2022-01-11T18:17:45+00:00
https://www.bleepingcomputer.com/news/security/state-hackers-use-new-powershell-backdoor-in-log4j-attacks/
www.secnews.physaphae.fr/article.php?IdArticle=3949411
Tags: Conference | Related: APT 35

Anomali - Firm Blog
Anomali Cyber Watch: Equation Group's Post-Exploitation Framework, Decentralized Finance (DeFi) Protocol Exploited, Third Log4j Vulnerability, and More

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

A Deep Dive into DoubleFeature, Equation Group's Post-Exploitation Dashboard (published: December 27, 2021)
Check Point researchers have published their findings on the Equation Group's post-exploitation framework DanderSpritz, a major part of the "Lost in Translation" leak, with a focus on its DoubleFeature logging tool.
DoubleFeature (like other Equation Group tools) employs several techniques to make forensic analysis difficult: function names are not passed explicitly but as a checksum, and the strings DoubleFeature uses are decrypted on demand per function and re-encrypted once the function's execution completes. DoubleFeature also supports additional obfuscation methods, such as a simple substitution cipher and a stream cipher. In its information gathering, DoubleFeature can monitor multiple additional plugins, including: the KillSuit (also known as KiSu and GrayFish) plugin, which runs other plugins and provides a framework for persistence and evasion; the MistyVeal (MV) implant, which verifies that the targeted system is indeed an authentic victim; the StraitBizarre (SBZ) cross-platform implant; and the UnitedRake remote access tool (UR, EquationDrug).
Analyst Comment: It is important to study the Equation Group's frameworks because some of the leaked exploits have been seen in use by other threat actors. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140
Tags: Equation Group, DanderSpritz, DoubleFeature, Shadow Brokers, EquationDrug, UnitedRake, DiveBar, KillSuit, GrayFish, StraitBizarre, MistyVeal, PeddleCheap, DiceDealer, FlewAvenue, DuneMessiah, CritterFrenzy, Elby loader, BroughtHotShot, USA, Russia, APT

Dridex Affiliate Dresses Up as Scrooge (published: December 23, 2021)
Days before Christmas, an unidentified Dridex affiliate is using malspam emails with extremely emotion-provoking lures.
One malicious email purports that 80% of the company's employees have tested positive for Omicron, a variant of COVID-19; another claims that the recipient was just terminated from his or her job. The attached malicious Microsoft Excel documents have two anti-sandbox features: they are password protected, and the macro doesn't run until a user interacts with a pop-up dialog. If the user makes the macro run, it will drop an .rtf f[...]

Published: 2021-12-29T16:00:00+00:00
https://www.anomali.com/blog/anomali-cyber-watch-equation-groups-post-exploitation-framework-decentralized-finance-defi-protocol-exploited-third-log4j-vulnerability-and-more
www.secnews.physaphae.fr/article.php?IdArticle=3904146
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Conference | Related: APT 35

Wired Threat Level - Security News
A Telegram Bot Told Iranian Hackers When They Got a Hit
Published: 2021-10-14T14:36:04+00:00
https://www.wired.com/story/apt35-iran-hackers-phishing-telegram-bot
www.secnews.physaphae.fr/article.php?IdArticle=3514384
Tags: Conference | Related: APT 35

SecurityWeek - Security News
Iran-Linked Hackers Expand Arsenal With New Android Backdoor
Published: 2021-08-05T15:48:35+00:00
http://feedproxy.google.com/~r/securityweek/~3/n6qIj2C2k4g/iran-linked-hackers-expand-arsenal-new-android-backdoor
www.secnews.physaphae.fr/article.php?IdArticle=3178517
Tags: Threat, Conference | Related: APT 35

Security Intelligence - American news site
ITG18: Operational Security Errors Continue to Plague Sizable Iranian Threat Group
Published: 2021-08-04T20:30:00+00:00
http://feedproxy.google.com/~r/SecurityIntelligence/~3/xUwqxoI5yaA/
www.secnews.physaphae.fr/article.php?IdArticle=3174405
Tags: Threat, Conference | Related: APT 35

UnderNews - French "hacker" news site
TA453 secretly impersonates the University of London to steal personal data that is later collected by the Iranian government (original title: TA453 usurpe secrètement l'université de Londres pour dérober des données personnelles récupérées ensuite par le gouvernement iranien)
Published: 2021-07-31T09:53:50+00:00
https://www.undernews.fr/hacking-hacktivisme/ta453-usurpe-secretement-luniversite-de-londres-pour-derober-des-donnees-personnelles-recuperees-ensuite-par-le-gouvernement-iranien.html
www.secnews.physaphae.fr/article.php?IdArticle=3154911
Tags: Conference | Related: APT 35

DarkTrace - Darktrace: AI-based detection
APT35 'Charming Kitten' discovered in a pre-infected environment
Published: 2021-04-23T09:00:00+00:00
https://www.darktrace.com/en/blog/apt-35-charming-kitten-discovered-in-a-pre-infected-environment
www.secnews.physaphae.fr/article.php?IdArticle=2682631
Tags: Conference | Related: APT 35

Anomali - Firm Blog
Anomali Cyber Watch: APT Groups, Data Breach, Malspam, and More

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

The Leap of a Cycldek-Related Threat Actor (published: April 5, 2021)
A new sophisticated Chinese campaign was observed between June 2020 and January 2021, targeting government, military and other critical industries in Vietnam and, to a lesser extent, in Central Asia and Thailand. This threat actor uses a "DLL side-loading triad" previously mastered by another Chinese group, LuckyMouse: a legitimate executable, a malicious DLL to be side-loaded by it, and an encoded payload, generally dropped from a self-extracting archive. But the code origins of the new malware used in different stages of this campaign point to a different Chinese-speaking group, Cycldek.
Analyst Comment: Malware authors are always innovating new methods of communicating back to their control servers. Always practice defense in depth (do not rely on single security mechanisms; security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: [MITRE ATT&CK] DLL Side-Loading - T1073 | [MITRE ATT&CK] File Deletion - T1107
Tags: Chinese-speaking, Cycldek-related

Hancitor's Use of Cobalt Strike and a Noisy Network Ping Tool (published: April 1, 2021)
Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe or TA511. The initial infection involves the target clicking a malspam link, then clicking a link on the opened Google Docs page, and finally clicking to enable macros in the downloaded Word document. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. It generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic.
Analyst Comment: Organizations should use email security solutions to block malicious/spam emails. All email attachments should be scanned for malware before they reach the user's inbox. IPS rules need to be configured properly to identify reconnaissance attempts (e.g., port scans) and give an early indication of a potential breach.
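A ping sweep of this size is easy to catch from flow data: one internal source touching many distinct destinations over ICMP in a short span is not how workstations behave. The detector below is an added example, not Unit 42's or the page's code. It assumes a constructed, simplified NetFlow-like record format (epoch seconds, source, destination, protocol, bytes) and constructed sample flows: a sweeper that pings 200 hosts in 40 seconds, and a monitoring box that legitimately pings the same 5 hosts every minute for an hour.

```python
"""Flag internal hosts performing an ICMP sweep, the noisy AD reconnaissance described above.

Added example, not code from the page or from Unit 42. Flow records use a constructed,
simplified NetFlow-like format: <epoch_seconds> <src> <dst> <proto> <bytes>.
"""
from collections import defaultdict
from typing import Dict, List

WINDOW_SECONDS = 60        # sliding window length
MIN_DISTINCT_DSTS = 50     # a workstation pinging this many peers in a minute is sweeping
ICMP = "icmp"


def parse_flow(line: str):
    """Parse one constructed flow record into (ts, src, dst, proto, bytes)."""
    ts, src, dst, proto, nbytes = line.split()
    return int(ts), src, dst, proto.lower(), int(nbytes)


def detect_icmp_sweeps(lines: List[str], window: int = WINDOW_SECONDS,
                       threshold: int = MIN_DISTINCT_DSTS) -> Dict[str, dict]:
    """Return {src: {"max_distinct_dsts": n, "icmp_bytes": total}} for every source that
    reached at least `threshold` distinct destinations over ICMP within any `window` seconds."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, proto, nbytes = parse_flow(line)
        if proto == ICMP:
            per_src[src].append((ts, dst, nbytes))

    alerts = {}
    for src, flows in per_src.items():
        flows.sort()  # by timestamp
        counts = defaultdict(int)  # distinct destinations currently inside the window
        left = 0
        best = 0
        for ts, dst, _ in flows:
            counts[dst] += 1
            # Evict flows that fell out of the window and drop destinations no longer seen.
            while flows[left][0] < ts - window:
                old = flows[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        if best >= threshold:
            alerts[src] = {"max_distinct_dsts": best,
                           "icmp_bytes": sum(b for _, _, b in flows)}
    return alerts


def constructed_flows() -> List[str]:
    """Constructed sample: a sweeper hitting 200 hosts in 40 s, a monitor pinging 5 hosts once a minute."""
    lines = []
    base = 1617292800  # 2021-04-01T16:00:00Z, arbitrary
    for i in range(200):  # five echo requests per second to consecutive addresses
        lines.append(f"{base + i // 5} 10.0.5.77 10.0.{1 + i // 254}.{1 + i % 254} icmp 74")
    for minute in range(60):  # benign availability monitor
        for j in range(5):
            lines.append(f"{base + minute * 60} 10.0.0.10 10.0.9.{j + 1} icmp 74")
    lines.append(f"{base} 10.0.5.77 10.0.1.1 tcp 1500")  # non-ICMP traffic is ignored
    return lines


if __name__ == "__main__":
    for src, info in detect_icmp_sweeps(constructed_flows()).items():
        print(src, info)
```

The distinct-destination count is what separates a sweep from a chatty but legitimate monitor; byte volume alone would not, since 1.5 GB of ICMP spread over a day from a monitoring host is unremarkable while the same volume in minutes from a user workstation is not.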
MITRE ATT&CK: [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Rundll32 - T1085 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] System Information Discovery - T1082 Tags: Hancitor, Malspam, Cobalt Strike 2021-04-06T16:57:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt-groups-data-breach-malspam-and-more www.secnews.physaphae.fr/article.php?IdArticle=2593638 False Malware,Tool,Vulnerability,Threat,Conference APT 35,APT 10 None
InformationSecurityBuzzNews - Security News Site Experts Insight On APT35 Recent Phishing Attacks 2021-01-15T12:14:17+00:00 https://informationsecuritybuzz.com/expert-comments/experts-insight-on-apt35-recent-phishing-attacks/ www.secnews.physaphae.fr/article.php?IdArticle=2195754 False Conference APT 35,APT 35 None
Schneier on Security - American Cryptography Researcher APT Horoscope A delightful essay matches APT hacker groups up with astrological signs. This is me: Capricorn is renowned for its discipline, skilled navigation, and steadfastness. Just like Capricorn, Helix Kitten (also known as APT 35 or OilRig) is a skilled navigator of vast online networks, maneuvering deftly across an array of organizations, including those in aerospace, energy, finance, government, hospitality, and telecommunications.
Steadfast in its work and objectives, Helix Kitten has a consistent track record of developing meticulous spear-phishing attacks... 2021-01-08T20:19:37+00:00 https://www.schneier.com/blog/archives/2021/01/apt-horoscope.html www.secnews.physaphae.fr/article.php?IdArticle=2160466 False Conference APT 35,APT 35,APT 34 None
InformationSecurityBuzzNews - Security News Site Expert Reacted On Microsoft Says Iranian Hackers “Phosphorus” Targeted Conference Attendees 2020-10-29T15:21:08+00:00 https://www.informationsecuritybuzz.com/expert-comments/expert-reacted-on-microsoft-says-iranian-hackers-phosphorus-targeted-conference-attendees/ www.secnews.physaphae.fr/article.php?IdArticle=2002467 False Threat,Conference APT 35 None
InformationSecurityBuzzNews - Security News Site Iran-linked Threat Actor Targets T20 Summit Attendees 2020-10-29T11:16:42+00:00 https://www.informationsecuritybuzz.com/expert-comments/iran-linked-threat-actor-targets-t20-summit-attendees/ www.secnews.physaphae.fr/article.php?IdArticle=2001940 False Threat,Conference APT 35 None
Security Affairs - Security Blog Iran-linked Phosphorous APT hacked emails of security conference attendees 2020-10-29T08:28:32+00:00 https://securityaffairs.co/wordpress/110110/apt/iran-phosphorus-attacks.html?utm_source=rss&utm_medium=rss&utm_campaign=iran-phosphorus-attacks www.secnews.physaphae.fr/article.php?IdArticle=2001792 False Conference APT 35 None
Anomali - Firm Blog Weekly Threat Briefing: APT Group, Malware, Ransomware, and Vulnerabilities Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence China’s ‘Hybrid War’: Beijing’s Mass Surveillance of Australia and the World for Secrets and Scandal (published: September 14, 2020) A database containing 2.4 million people has been leaked from a Shenzhen company, Zhenhua Data, believed to have ties to the Chinese intelligence service. The database contains personal information on over 35,000 Australians and prominent figures, and 52,000 Americans. This includes addresses, bank information, birth dates, criminal records, job applications, psychological profiles, and social media. Politicians, lawyers, journalists, military officers, media figures, and Natalie Imbruglia are among the records of Australians contained in the database. While a lot of the information is public, there is also non-public information contributing to claims that China is developing a mass surveillance system. Recommendation: Users should always remain vigilant about the information they are putting out into the public, and avoid posting personal or sensitive information online. Tags: China, spying
US Criminal Court Hit by Conti Ransomware; Critical Data at Risk (published: September 11, 2020) The Fourth District Court of Louisiana, part of the US criminal court system, appears to have become the latest victim of the Conti ransomware. The court's website was attacked and used to steal numerous court documents related to defendants, jurors, and witnesses, and then install the Conti ransomware. Evidence of the data theft was posted to the dark web. Analysis of the malware by Emsisoft’s threat analyst, Brett Callow, indicates that the ransomware deployed in the attack was Conti, which has code similarity to another ransomware strain, Ryuk. The Conti group, believed to be behind this ransomware as a service, is sophisticated and due to the fact that they receive a large portion of the ransoms paid, they are motivated to avoid detections and continue to develop advanced attacking tools.
This attack also used the Trickbot malware in its exploit chain, similar to that used by Ryuk campaigns. Recommendation: Defense in Depth, including vulnerability remediation and scanning, monitoring, endpoint protection, backups, etc., is key to thwarting increasingly sophisticated attacks. Ransomware attacks are particularly attractive to attackers due to the fact that each successful ransomware attack allows for multiple streams of income. The attackers can not only extort a ransom to decrypt the victim's files (especially in cases where the victim finds they do not have appropriate disaster recovery plans), but they can also monetize the exfiltrated data directly and/or use the data to aid in future attacks. This technique is increasingly used in supply chain compromises to build difficult-to-detect spearphishing attacks. Tags: conti, ryuk, ransomware 2020-09-15T15:00:00+00:00 https://www.anomali.com/blog/weekly-threat-briefing-apt-group-malware-ransomware-and-vulnerabilities www.secnews.physaphae.fr/article.php?IdArticle=2103282 False Ransomware,Malware,Tool,Vulnerability,Threat,Conference APT 35,APT 31,APT 28 3.0000000000000000
Malwarebytes Labs - MalwarebytesLabs Lock and Code S1Ep15: Safely using Google Chrome Extensions with Pieter Arntz This week on Lock and Code, we talk to Pieter Arntz, malware intelligence researcher for Malwarebytes, about Google Chrome extensions. Categories: Podcast
2020-09-14T14:49:08+00:00 https://blog.malwarebytes.com/podcast/2020/09/lock-and-code-s1ep15-safely-using-google-chrome-extensions-with-pieter-arntz/ www.secnews.physaphae.fr/article.php?IdArticle=1916438 False Malware,Conference APT 35 None
Security Affairs - Security Blog Iran-linked Charming Kitten APT contacts targets via WhatsApp, LinkedIn 2020-08-28T15:33:29+00:00 https://securityaffairs.co/wordpress/107644/apt/charming-kitten-apt-whatsapp-linkedin.html?utm_source=rss&utm_medium=rss&utm_campaign=charming-kitten-apt-whatsapp-linkedin www.secnews.physaphae.fr/article.php?IdArticle=1887053 False Conference APT 35 None
The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) Iranian Hackers Pose as Journalists to Trick Victims Into Installing Malware 2020-08-28T03:36:28+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/SlFF9FYAUqI/hackers-journalist-malware.html www.secnews.physaphae.fr/article.php?IdArticle=1886578 False Malware,Conference APT 35 None
Security Affairs - Security Blog Iran-linked APT35 accidentally exposed 40 GB associated with their operations 2020-07-17T13:49:25+00:00 https://securityaffairs.co/wordpress/106032/apt/apt35-data-leak.html?utm_source=rss&utm_medium=rss&utm_campaign=apt35-data-leak www.secnews.physaphae.fr/article.php?IdArticle=1809947 False Conference APT 35 None
The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
Iranian Hackers Accidentally Exposed Their Training Videos (40 GB) Online 2020-07-17T03:23:46+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/AGojF6xrBSA/iranian-hacking-training-videos.html www.secnews.physaphae.fr/article.php?IdArticle=1809580 False Threat,Conference APT 35 5.0000000000000000
Wired Threat Level - Security News Iranian Spies Accidentally Leaked a Video of Themselves Hacking 2020-07-16T10:00:00+00:00 https://www.wired.com/story/iran-apt35-hacking-video www.secnews.physaphae.fr/article.php?IdArticle=1807436 False Conference APT 35 None
Security Intelligence - American News Site New Research Exposes Iranian Threat Group's Operations 2020-07-16T09:00:00+00:00 http://feedproxy.google.com/~r/SecurityIntelligence/~3/FW3Ff-e-Gik/ www.secnews.physaphae.fr/article.php?IdArticle=1807511 False Threat,Conference APT 35 None
Security Affairs - Security Blog Iran-linked APT group Charming Kitten targets journalists, political and human rights activists 2020-02-07T10:59:52+00:00 https://securityaffairs.co/wordpress/97430/apt/charming-kitten-phishing-campaign.html www.secnews.physaphae.fr/article.php?IdArticle=1529366 False Conference APT 35 None
Security Affairs - Security Blog Charming Kitten Campaign involved new impersonation methods 2019-10-13T23:06:24+00:00 https://securityaffairs.co/wordpress/92469/apt/charming-kitten-impersonation-methods.html www.secnews.physaphae.fr/article.php?IdArticle=1401461 False Threat,Conference APT 35 None
SecurityWeek - Security News Iranian Hackers Update Spear-Phishing Techniques in Recent Campaign 2019-10-09T18:20:48+00:00 http://feedproxy.google.com/~r/Securityweek/~3/VIYT0SkoGlQ/iranian-hackers-update-spear-phishing-techniques-recent-campaign www.secnews.physaphae.fr/article.php?IdArticle=1393558 False Threat,Conference APT 35 None
Security Affairs - Security Blog Iran-linked Phosphorus group hit a 2020 presidential campaign 2019-10-06T14:10:54+00:00
https://securityaffairs.co/wordpress/92188/apt/phosphorus-apt-2020-presidential-campaign.html www.secnews.physaphae.fr/article.php?IdArticle=1385535 False Threat,Conference APT 35 None
Bleeping Computer - American Magazine Microsoft Discovers Iranian Hacking Campaign Targeting U.S. Politics 2019-10-04T14:53:19+00:00 https://www.bleepingcomputer.com/news/security/microsoft-discovers-iranian-hacking-campaign-targeting-us-politics/ www.secnews.physaphae.fr/article.php?IdArticle=1380749 False Threat,Conference APT 35 None
SecurityWeek - Security News Microsoft Takes Control of 99 Domains Used by Iranian Cyberspies 2019-03-28T06:57:04+00:00 https://www.securityweek.com/microsoft-takes-control-99-domains-used-iranian-cyberspies www.secnews.physaphae.fr/article.php?IdArticle=1086037 False Conference APT 35 None
ZD Net - IT Magazine Microsoft takes control of 99 domains operated by Iranian state hackers 2019-03-27T18:04:01+00:00 https://www.zdnet.com/article/microsoft-takes-control-of-99-domains-operated-by-iranian-state-hackers/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=1084040 False Conference APT 35 None
Malwarebytes Labs - MalwarebytesLabs Has two-factor authentication been defeated? A spotlight on 2FA's latest challenge 2019-01-21T16:15:03+00:00 https://blog.malwarebytes.com/cybercrime/2019/01/two-factor-authentication-defeated-spotlight-2fas-latest-challenge/ www.secnews.physaphae.fr/article.php?IdArticle=1002537 False Conference APT 35 None
Zataz - French Security Magazine Charming Kitten, Iranian hackers, infiltrate the Gmail and Yahoo accounts of US officials appeared first on ZATAZ.
2018-12-15T12:07:04+00:00 https://www.zataz.com/charming-kitten-pirates-iraniens-infiltrent-les-gmail-et-yahoo-de-responsables-us/ www.secnews.physaphae.fr/article.php?IdArticle=947661 False Conference APT 35,Yahoo None
Security Affairs - Security Blog Iranian Charming Kitten APT group poses as Israeli cybersecurity firm in phishing campaign 2018-07-03T12:26:00+00:00 https://securityaffairs.co/wordpress/74123/apt/charming-kitten-clearsky-phishing.html www.secnews.physaphae.fr/article.php?IdArticle=731109 False Conference APT 35 None
SecurityWeek - Security News Breaches Increasingly Discovered Internally: Mandiant Organizations are getting increasingly better at discovering data breaches on their own, with more than 60% of intrusions in 2017 detected internally, according to FireEye-owned Mandiant. The company's M-Trends report for 2018 shows that the global median time for internal detection dropped to 57.5 days in 2017, compared to 80 days in the previous year. Of the total number of breaches investigated by Mandiant last year, 62% were discovered internally, up from 53% in 2016. On the other hand, it still took roughly the same amount of time for organizations to learn that their systems had been compromised. The global median dwell time in 2017 – the median time from the first evidence of a hack to detection – was 101 days, compared to 99 days in 2016. Companies in the Americas had the shortest median dwell time (75.5 days), while organizations in the APAC region had the longest dwell time (nearly 500 days).
Figure - Dwell time data from Mandiant.
Data collected by Mandiant in 2013 showed that more than one-third of organizations had been attacked again after the initial incident had been remediated. More recent data, specifically from the past 19 months, showed that 56% of Mandiant customers were targeted again by either the same group or one with similar motivation. In cases where investigators discovered at least one type of significant activity (e.g.
compromised accounts, data theft, lateral movement), the targeted organization was successfully attacked again within one year. Organizations that experienced more than one type of significant activity were attacked by more than one threat actor. Again, the highest percentage of companies attacked multiple times and by multiple threat groups was in the APAC region – more than double compared to the Americas and the EMEA region. When it comes to the most targeted industries, companies in the financial and high-tech sectors recorded the highest number of significant attacks, while the high-tech, telecommunications and education sectors were hit by the highest number of different hacker groups. Last year, FireEye assigned names to four state-sponsored threat groups, including the Vietnam-linked APT32 (OceanLotus), and the Iran-linked APT33, APT34 (OilRig), and APT35 (NewsBeef, Newscaster and Charming Kitten). 2018-04-04T14:00:03+00:00 https://www.securityweek.com/breaches-increasingly-discovered-internally-mandiant www.secnews.physaphae.fr/article.php?IdArticle=565681 False Conference APT 35,APT 32,APT33,APT 33,APT 34 None
InformationSecurityBuzzNews - Security News Site Iranian Hacker Charged For HBO Breach Part Of Charming Kitten Group 2017-12-07T17:30:56+00:00 http://www.informationsecuritybuzz.com/expert-comments/iranian-hacker-charged-hbo-breach-part-charming-kitten-group/ www.secnews.physaphae.fr/article.php?IdArticle=446636 False Conference APT 35 None
Security Affairs - Security Blog HBO hacker linked to the Iranian Charming Kitten APT group A new report published by ClearSky linked a man accused by U.S. authorities of hacking into the systems of HBO to the Iranian cyber espionage group Charming Kitten. Experts from the security firm ClearSky have published a new detailed report on the activities of the Charming Kitten APT group, also known as Newscaster and NewsBeef.
The Newscaster group made the headlines […] 2017-12-07T09:13:17+00:00 http://securityaffairs.co/wordpress/66408/hacking/charming-kitten-apt-group.html www.secnews.physaphae.fr/article.php?IdArticle=446194 False Conference APT 35 None
SecurityWeek - Security News HBO Hacker Linked to Iranian Spy Group 2017-12-06T13:49:19+00:00 http://feedproxy.google.com/~r/Securityweek/~3/noqRtez4R0M/hbo-hacker-linked-iranian-spy-group www.secnews.physaphae.fr/article.php?IdArticle=445528 False Conference APT 35 None
Bleeping Computer - American Magazine HBO Hacker Was Part of Iran's "Charming Kitten" Elite Cyber-Espionage Unit 2017-12-06T04:45:40+00:00 https://www.bleepingcomputer.com/news/security/hbo-hacker-was-part-of-irans-charming-kitten-elite-cyber-espionage-unit/ www.secnews.physaphae.fr/article.php?IdArticle=445441 False Conference APT 35 None
Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor New Clues Surface on Shamoon 2's Destructive Behavior 2017-03-27T20:51:22+00:00 https://threatpost.com/new-clues-surface-on-shamoon-2s-destructive-behavior/124587/ www.secnews.physaphae.fr/article.php?IdArticle=347685 False Conference APT 35 None
Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor Destructive StoneDrill Wiper Malware On The Loose 2017-03-06T19:27:49+00:00 https://threatpost.com/destructive-stonedrill-wiper-malware-on-the-loose/124090/ www.secnews.physaphae.fr/article.php?IdArticle=329570 False Conference APT 35 None
Palo Alto Network - Vendor Site Magic Hound Campaign Attacks Saudi Targets 2017-02-16T05:16:26+00:00 http://feedproxy.google.com/~r/PaloAltoNetworks/~3/4iN57D5SvTY/ www.secnews.physaphae.fr/article.php?IdArticle=316029 False Conference APT 35 None