www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2025-05-10T19:20:10+00:00 www.secnews.physaphae.fr IT Security Guru - Blog Sécurité New Hoplight malware marks re-emergence of Lazarus Group. 2019-04-11T12:28:03+00:00 https://hellofromhony.com/goaway?temp=5&/2019/04/11/new-hoplight-malware-marks-re-emergence-of-lazarus-group/ www.secnews.physaphae.fr/article.php?IdArticle=1092926 False Malware,Medical APT 38 None Security Affairs - Blog Secu Lazarus APT continues to target cryptocurrency businesses with Mac malware 2019-03-28T08:20:04+00:00 https://securityaffairs.co/wordpress/82985/apt/lazarus-targets-mac.html www.secnews.physaphae.fr/article.php?IdArticle=1084744 False Malware,Medical APT 38 None SecurityWeek - Security News North Korea-Linked Hackers Target macOS Users 2019-03-27T15:00:02+00:00 https://www.securityweek.com/north-korea-linked-hackers-target-macos-users www.secnews.physaphae.fr/article.php?IdArticle=1084549 False Medical APT 38 None ZD Net - Magazine Info North Korean hackers continue attacks on cryptocurrency businesses 2019-03-27T10:52:01+00:00 https://www.zdnet.com/article/north-korean-hackers-continue-attacks-on-cryptocurrency-businesses/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=1083251 False Malware,Medical APT 38 None Malwarebytes Labs - MalwarebytesLabs A week in security (March 11 – 17) A roundup of security news from March 11–17 covering our most recent blogs and other news, including Lazarus Group, Emotet, PSD2, reputation management, Google's Nest, and Firefox Send. Categories: Security world Week in security Tags: (Read more...) 
]]> 2019-03-18T14:57:01+00:00 https://blog.malwarebytes.com/security-world/2019/03/a-week-in-security-march-11-17/ www.secnews.physaphae.fr/article.php?IdArticle=1073431 False Medical APT 38 None Malwarebytes Labs - MalwarebytesLabs The Advanced Persistent Threat files: Lazarus Group Lazarus Group, the threat actors likely behind the Sony breach and WannaCry outbreak, are in the news again. Here's what you need to know about this North Korean organization, and what you should do to protect against such nation-state attacks. Categories: Criminals Threat analysis Tags: (Read more...) ]]> 2019-03-12T16:27:00+00:00 https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/ www.secnews.physaphae.fr/article.php?IdArticle=1066116 False Threat,Medical Wannacry,APT 38 None Dark Reading - Informationweek Branch Lazarus Research Highlights Threat from North Korea 2019-03-05T14:15:00+00:00 https://www.darkreading.com/threat-intelligence/lazarus-research-highlights-threat-from-north-korea/d/d-id/1334063?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple www.secnews.physaphae.fr/article.php?IdArticle=1054783 False Threat,Medical APT 38 None ZD Net - Magazine Info Researchers granted server by gov officials link Sharpshooter attacks to North Korea 2019-03-04T11:43:02+00:00 https://www.zdnet.com/article/researchers-granted-command-server-by-officials-link-sharpshooter-campaign-to-north-korea/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=1052594 False Medical APT 38 None IT Security Guru - Blog Sécurité FBI Maps and Further Disrupts North Korean Jonap Botnet. 2019-01-31T10:29:01+00:00 https://www.itsecurityguru.org/2019/01/31/fbi-maps-and-further-disrupts-north-korean-jonap-botnet/ www.secnews.physaphae.fr/article.php?IdArticle=1016373 True Threat,Medical APT 38 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
FBI Mapping \'Joanap Malware\' Victims to Disrupt the North Korean Botnet ]]> 2019-01-31T00:03:04+00:00 https://thehackernews.com/2019/01/north-korea-hacker.html www.secnews.physaphae.fr/article.php?IdArticle=1016264 False Threat,Medical APT 38 None Bleeping Computer - Magazine Américain Op \'Sharpshooter\' Uses Lazarus Group Tactics, Techniques, and Procedures 2018-12-12T11:26:05+00:00 https://www.bleepingcomputer.com/news/security/op-sharpshooter-uses-lazarus-group-tactics-techniques-and-procedures/ www.secnews.physaphae.fr/article.php?IdArticle=943040 False Malware,Tool,Threat,Medical APT 38 None Security Affairs - Blog Secu North Korea-linked group Lazarus targets Latin American banks 2018-11-24T10:23:02+00:00 https://securityaffairs.co/wordpress/78382/apt/lazarus-latin-american-banks.html www.secnews.physaphae.fr/article.php?IdArticle=915607 False Malware,Medical APT 38 None Security Affairs - Blog Secu Symantec shared details of North Korean Lazarus\'s FastCash Trojan used to hack banks 2018-11-10T14:47:00+00:00 https://securityaffairs.co/wordpress/77877/apt/lazarus-apt-fastcash-trojan.html www.secnews.physaphae.fr/article.php?IdArticle=890512 True Malware,Hack,Medical APT 38 None Dark Reading - Informationweek Branch Symantec Uncovers North Korean Group\'s ATM Attack Malware 2018-11-08T17:45:00+00:00 https://www.darkreading.com/attacks-breaches/symantec-uncovers-north-korean-groups-atm-attack-malware-/d/d-id/1333233?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple www.secnews.physaphae.fr/article.php?IdArticle=887602 False Malware,Medical APT 38 None CSO - CSO Daily Dashboard Worst malware and threat actors of 2018 so far worst botnets and banking trojans, according to Webroot, were Emotet, Trickbot, and Zeus Panda. Crysis/Dharma, GandCrab, and SamSam were the worst among ransomware. 
The top three in cryptomining/cryptojacking were GhostMiner, Wanna Mine, and Coinhive.And included in the list of top 10 threat actors so far this year, we find Lazarus Group, Sofacy and MuddyWater coming in the top three spots, according to AlienVault. Lazarus Group took the top spot from Sofacy this year. The reported locations for the top 10 threat actors are North Korea, with two groups; Russia, with three groups; Iran, with two groups; China, with two groups; and India, with one. Microsoft Office was the most exploited application, but Adobe Flash, WebLogic, Microsoft Windows, Drupal and GPON routers were also listed in the top 10.]]> 2018-11-06T08:56:00+00:00 https://www.csoonline.com/article/3319116/malware/worst-malware-and-threat-actors-of-2018-so-far.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=883049 False Malware,Threat,Medical APT 38 None Security Affairs - Blog Secu APT38 is behind financially motivated attacks carried out by North Korea 2018-10-04T06:55:00+00:00 https://securityaffairs.co/wordpress/76807/apt/apt38-north-korea.html www.secnews.physaphae.fr/article.php?IdArticle=830646 False Threat,Medical APT 38 None Security Affairs - Blog Secu Hidden Cobra APT used the new ATM cash-out scheme FASTCash to hit banks worldwide 2018-10-03T20:02:03+00:00 https://securityaffairs.co/wordpress/76798/hacking/fastcash-hidden-cobra-attacks.html www.secnews.physaphae.fr/article.php?IdArticle=830473 False Medical APT 38 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Bank Servers Hacked to Trick ATMs into Spitting Out Millions in Cash ]]> 2018-10-03T04:18:05+00:00 https://thehackernews.com/2018/10/bank-atm-hacking.html www.secnews.physaphae.fr/article.php?IdArticle=829741 False Medical APT 38 None SecurityWeek - Security News Industry Reactions to U.S. 
Charging North Korean Hacker: Feedback Friday 2018-09-07T17:29:00+00:00 https://www.securityweek.com/industry-reactions-us-charging-north-korean-hacker-feedback-friday www.secnews.physaphae.fr/article.php?IdArticle=799818 True Medical APT 38 None SecurityWeek - Security News Opsec Mistakes Allowed U.S. to Link North Korean Man to Hacks 2018-09-07T09:00:01+00:00 https://www.securityweek.com/opsec-mistakes-allowed-us-link-north-korean-man-hacks www.secnews.physaphae.fr/article.php?IdArticle=797410 False Threat,Medical APT 38 None ZD Net - Magazine Info How US authorities tracked down the North Korean hacker behind WannaCry 2018-09-06T21:43:04+00:00 https://www.zdnet.com/article/how-us-authorities-tracked-down-the-north-korean-hacker-behind-wannacry/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=796102 False Malware,Medical Wannacry,APT 38 None SecurityWeek - Security News U.S. Charges North Korean Over Lazarus Group Hacks 2018-09-06T18:04:01+00:00 https://www.securityweek.com/us-charges-north-korean-over-lazarus-group-hacks www.secnews.physaphae.fr/article.php?IdArticle=796406 False Medical APT 38 None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC AlienVault Product Roundup July / August 2018 major company announcements, we continue to evolve USM Anywhere and USM Central with new features and capabilities that help you to defend against the latest threats and to streamline your security operations. You can keep up with our regular product releases by reading the release notes in the AlienVault Product Forum. Here are a few of the highlights from our July and August 2018 releases: New EDR capabilities with the new AlienVault Agent On July 31, 2018, we publicly launched new endpoint detection and response (EDR) capabilities in USM Anywhere, extending the platform’s powerful threat detection and response capabilities to the endpoint. Read the blog post here. 
By deploying the AlienVault Agent - a lightweight and adaptable endpoint agent based on osquery -  you can expand your security visibility to detect modern threats and monitor critical files (FIM) on your Windows and Linux endpoints, whether in the cloud, in your data center, or remote. The new EDR capabilities were made available automatically and seamlessly to all USM Anywhere customers, without requiring any subscription upgrades, system updates, or the purchase of add-on products to access the capabilities. AlienApp for ConnectWise The AlienApp for ConnectWise is now included in the Standard and Premium editions of USM Anywhere. Service management teams that use ConnectWise Manage can leverage automated service ticket creation from USM Anywhere alarms and vulnerabilities as well as synchronization of asset information. Slaying Defects and Optimizing the UX In addition to these new capabilities and apps, in every update this summer, the team has rolled out enhancements to the user interface and / or has addressed multiple defects and inefficiencies. Make sure to read the product release notes for all the details. USM Central Roundup and Look Ahead Earlier this month, Skylar Talley, AlienVault Senior Product Manager for USM Central, wrote a blog post recapping the recent improvements to USM Central and outlining his vision for the product in the next few months. You can read the full post here. The highlights include: Two-way alarm status and label synchronization Orchestration rules management across USM Anywhere deployments USM Central API availability (You can find the API documentation here.) Threat Intelligence Highlights USM Anywhere receives continuously updated rules and (new!) endpoint queries to detect not only the latest signatures but also higher-level attack tools, tactics, and procedures – all curated for you by the machine and human intelligence of the AlienVault Labs Security Research Team. 
The AlienVault Labs Security Research team publishes a weekly threat intelligence newsletter, keeping you informed of the threats they are rese]]> 2018-08-28T13:00:00+00:00 http://feeds.feedblitz.com/~/566580736/0/alienvault-blogs~AlienVault-Product-Roundup-July-August www.secnews.physaphae.fr/article.php?IdArticle=782871 False Threat,Medical APT 38 None Malwarebytes Labs - MalwarebytesLabs A week in security (August 20 – 26) A roundup of the security news from August 20 – 26, including a look at insider threats, several breaches, and what tech giants Google and Facebook are doing about their privacy issues. Categories: Security world Week in security Tags: (Read more...) ]]> 2018-08-27T17:06:01+00:00 https://blog.malwarebytes.com/security-world/week-in-security/2018/08/a-week-in-security-august-20-august-26/ www.secnews.physaphae.fr/article.php?IdArticle=782851 False Medical APT 38 None Dark Reading - Informationweek Branch Lazarus Group Builds its First MacOS Malware 2018-08-23T15:07:00+00:00 https://www.darkreading.com/vulnerabilities---threats/lazarus-group-builds-its-first-macos-malware/d/d-id/1332653?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple www.secnews.physaphae.fr/article.php?IdArticle=783029 False Malware,Medical APT 38 None Security Affairs - Blog Secu The analysis of the code reuse revealed many links between North Korea malware 2018-08-10T16:15:03+00:00 https://securityaffairs.co/wordpress/75227/malware/north-korea-malware-lazarus.html www.secnews.physaphae.fr/article.php?IdArticle=775338 False Malware,Medical,Cloud APT 38,APT 37 None McAfee Labs - Editeur Logiciel Examining Code Reuse Reveals Undiscovered Links Among North Korea\'s Malware Families This research is a joint effort by Jay Rosenberg, senior security researcher at Intezer, and Christiaan Beek, lead scientist and senior principal engineer at McAfee. Intezer has also posted this story.  
Attacks from the online groups Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy, and 10 Days of Rain are believed to … ]]> 2018-08-09T13:00:01+00:00 https://securingtomorrow.mcafee.com/mcafee-labs/examining-code-reuse-reveals-undiscovered-links-among-north-koreas-malware-families/ www.secnews.physaphae.fr/article.php?IdArticle=773111 False Malware,Guideline,Medical,Cloud APT 38,APT 37 None Dark Reading - Informationweek Branch Malware in South Korean Cyberattacks Linked to Bithumb Heist 2018-06-25T18:30:00+00:00 https://www.darkreading.com/attacks-breaches/malware-in-south-korean-cyberattacks-linked-to-bithumb-heist/d/d-id/1332144?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple www.secnews.physaphae.fr/article.php?IdArticle=722895 False Malware,Medical Bithumb,Bithumb,APT 38 None SecurityWeek - Security News North Korean Hackers Exploit HWP Docs in Recent Cyber Heists 2018-06-25T17:31:04+00:00 https://www.securityweek.com/north-korean-hackers-exploit-hwp-docs-recent-cyber-heists www.secnews.physaphae.fr/article.php?IdArticle=722900 False Medical APT 38 None Security Affairs - Blog Secu DHS, FBI published a join alert including technical details of Hidden Cobra-linked \'Typeframe\' Malware 2018-06-18T15:18:04+00:00 https://securityaffairs.co/wordpress/73646/apt/hidden-cobra-malware-2.html www.secnews.physaphae.fr/article.php?IdArticle=710568 False Medical TYPEFRAME,APT 38 None SecurityWeek - Security News North Korean Hackers Abuse ActiveX in Recent Attacks 2018-06-12T11:14:05+00:00 https://www.securityweek.com/north-korean-hackers-abuse-activex-recent-attacks www.secnews.physaphae.fr/article.php?IdArticle=703789 False Medical APT 38 None InformationSecurityBuzzNews - Site de News Securite Analysis Of Banco De Chile + Continued Cyber Attacks On Banks Analysis Of Banco De Chile + Continued Cyber Attacks On Banks]]> 2018-06-12T10:30:01+00:00 https://www.informationsecuritybuzz.com/expert-comments/analysis-of-banco/ 
www.secnews.physaphae.fr/article.php?IdArticle=704076 False Medical APT 38 None SecurityWeek - Security News North Korea-Linked Group Stops Targeting U.S. 2018-05-31T10:11:03+00:00 https://www.securityweek.com/north-korea-linked-group-stops-targeting-us www.secnews.physaphae.fr/article.php?IdArticle=684485 False Medical APT 38 None Security Affairs - Blog Secu US-CERT issued an alert on two malware associated with North Korea-linked APT Hidden Cobra 2018-05-30T18:30:05+00:00 https://securityaffairs.co/wordpress/73062/apt/hidden-cobra-malware.html www.secnews.physaphae.fr/article.php?IdArticle=683145 False Medical APT 38 None SecurityWeek - Security News U.S. Attributes Two More Malware Families to North Korea 2018-05-30T10:44:00+00:00 https://www.securityweek.com/us-attributes-two-more-malware-families-north-korea www.secnews.physaphae.fr/article.php?IdArticle=682227 False Medical APT 38 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) FBI issues alert over two new malware linked to Hidden Cobra hackers ]]> 2018-05-30T07:42:05+00:00 https://thehackernews.com/2018/05/north-korean-hacker-hidden-cobra.html www.secnews.physaphae.fr/article.php?IdArticle=682731 False Medical APT 38 None IT Security Guru - Blog Sécurité Thailand seizes server linked to North Korean attack gang 2018-04-30T12:25:04+00:00 http://www.itsecurityguru.org/2018/04/30/thailand-seizes-server-linked-north-korean-attack-gang/ www.secnews.physaphae.fr/article.php?IdArticle=619390 False Medical APT 38 2.0000000000000000 Security Affairs - Blog Secu Op GhostSecret – ThaiCERT seized a server used by North Korea Hidden Cobra APT group in the Sony Picture hack 2018-04-30T08:06:04+00:00 https://securityaffairs.co/wordpress/71937/apt/op-ghostsecret-thailand.html www.secnews.physaphae.fr/article.php?IdArticle=619478 False Medical APT 38 None McAfee Labs - Editeur Logiciel Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide McAfee Advanced Threat Research 
analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. In this post, … ]]> 2018-04-25T04:01:02+00:00 https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/ www.secnews.physaphae.fr/article.php?IdArticle=705875 True Medical APT 38 None McAfee Labs - Editeur Logiciel Global Malware Campaign Pilfers Data from Critical Infrastructure, Entertainment, Finance, Health Care, and Other Industries McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. 
(For an extensive … ]]> 2018-04-25T04:01:02+00:00 https://securingtomorrow.mcafee.com/mcafee-labs/global-malware-campaign-pilfers-data-from-critical-infrastructure-entertainment-finance-health-care-and-other-industries/ www.secnews.physaphae.fr/article.php?IdArticle=705874 True Medical APT 38 None Security Affairs - Blog Secu North Korea-Linked Lazarus APT suspected for online Casino assault 2018-04-05T09:22:01+00:00 https://securityaffairs.co/wordpress/71074/apt/lazarus-online-casino.html www.secnews.physaphae.fr/article.php?IdArticle=567475 False Medical APT 38 None SecurityWeek - Security News North Korean Hackers Behind Online Casino Attack: Report The infamous North Korean hacking group known as Lazarus is responsible for attacking an online casino in Central America, along with various other targets, ESET says. The Lazarus Group has been active since at least 2009 and is said to be associated with a large number of major cyber-attacks, including the $81 million cyber heist from Bangladesh's account at the New York Federal Reserve Bank. Said to be the most serious threat against banks, the group has shown increased interest in ]]> 2018-04-04T17:40:00+00:00 https://www.securityweek.com/north-korean-hackers-behind-online-casino-attack-report www.secnews.physaphae.fr/article.php?IdArticle=566100 False Medical APT 38 None We Live Security - Editeur Logiciel Antivirus ESET Lazarus KillDisks Central American casino The Lazarus Group gained notoriety especially after cyber-sabotage against Sony Pictures Entertainment in 2014. Fast forward to late 2017 and the group continues to deploy its malicious tools, including disk-wiping malware known as KillDisk, to attack a number of targets. 
]]> 2018-04-03T13:00:03+00:00 https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/ www.secnews.physaphae.fr/article.php?IdArticle=563651 False Medical APT 38 None Errata Security - Errata Security WannaCry after one year Jake Williams claims he's seen three other manufacturing networks infected with WannaCry. Why does manufacturing seem more susceptible? The reason appears to be the "killswitch" that stops WannaCry from running elsewhere. The killswitch uses a DNS lookup, stopping itself if it can resolve a certain domain. Manufacturing networks are largely disconnected from the Internet enough that such DNS lookups don't work, so the domain can't be found, so the killswitch doesn't work. Thus, manufacturing systems are no more likely to get infected, but the lack of killswitch means the virus will conti]]> 2018-03-29T22:25:24+00:00 https://blog.erratasec.com/2018/03/wannacry-after-one-year.html www.secnews.physaphae.fr/article.php?IdArticle=551991 False Medical Wannacry,APT 38 None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Things I hearted this week 16th March 2018 Not sure if that means I’ve succeeded as a Dad or failed miserably. Hopefully she’ll come across one of these posts in the future and realise there was more to me than just memes. Operation Bayonet This article gives a fascinating insight into how law enforcement infiltrated and took down a drug market. As reports of these kinds of operations become available, Hollywood should really be looking to these for inspiration. Far better plots than most fiction! Operation Bayonet: Inside the sting that hijacked an entire dark web drug market | Wired How many devices are misconfigured… or not configured? I saw this blog that Anton Chuvakin posted over at Gartner stating that there’s a lot of security technology which is deployed yet misconfigured, not configured optimally, set to default, or deployed broken in other ways. 
Broadly speaking, I agree, in the race to get things done, assurance often takes a back seat. But there’s no obvious answer. Testing takes time and expertise. Unless it’s automated. But even then someone needs to look at the results and get things fixed. DevSecOps maybe? How Much of Your Security Gear Is Misconfigured or Not Configured? | Gartner Hacking encrypted phones Encrypted phone company Ciphr claims it was hacked by a rival company. A preview into how vicious digital rivals can get. And regardless of who is to blame, the fact remains that the real victims here are the users. Customer Data From Encrypted Phone Company Ciphr Has Been Dumped Online | Motherboard Hidden Cobra on Turkish Banks Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity. The malicious domain falcancoin.io was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. This implant also contains functionality to wipe files and content from the targeted system to erase evidence or perform other destructive actions. Bankshot was first reported by the Department of Homeland Security on December 13, 2017, and has only recently resurfaced in newly compiled variants. The sample we analyzed is 99% similar to the documented Bankshot variants from 2017. 
]]> 2018-03-16T13:00:00+00:00 http://feeds.feedblitz.com/~/532949046/0/alienvault-blogs~Things-I-hearted-this-week-th-March www.secnews.physaphae.fr/article.php?IdArticle=519344 False Medical Equifax,APT 38 None Security Affairs - Blog Secu North Korean Hidden Cobra APT targets Turkish financial industry with new Bankshot malware 2018-03-10T06:53:00+00:00 http://securityaffairs.co/wordpress/70052/apt/hidden-cobra-targets-turkish.html www.secnews.physaphae.fr/article.php?IdArticle=504476 False Medical APT 38 None SecurityWeek - Security News New North Korea-linked Cyberattacks Target Financial Institutions 2018-03-09T17:22:01+00:00 http://feedproxy.google.com/~r/Securityweek/~3/zt1I4cfHxus/new-north-korea-linked-cyberattacks-target-financial-institutions www.secnews.physaphae.fr/article.php?IdArticle=503423 False Medical APT 38 None McAfee Labs - Editeur Logiciel Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant This post was prepared with contributions from Asheer Malhotra, Charles Crawford, and Jessica Saavedra-Morales.  On February 28, the McAfee Advanced Threat Research team discovered that the cybercrime group Hidden Cobra continues to target cryptocurrency and financial organizations. In this analysis, we observed the return of Hidden Cobra's Bankshot malware implant surfacing in the Turkish financial … ]]> 2018-03-08T14:00:03+00:00 https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/ www.secnews.physaphae.fr/article.php?IdArticle=705885 False Medical APT 38 3.0000000000000000 Zataz - Magazine Francais de secu Hidden Cobra, un malveillant made un Corée du Nord Hidden Cobra, un malveillant made un Corée du Nord est apparu en premier sur ZATAZ. 
]]> 2018-02-13T18:45:01+00:00 https://www.zataz.com/hidden-cobra-malveillant-made-coree-nord/ www.secnews.physaphae.fr/article.php?IdArticle=480942 False Medical APT 38 None Data Security Breach - Site de news Francais Opération de la Corée du nord baptisée HIDDEN COBRA Opération de la Corée du nord baptisée HIDDEN COBRA est diffusé par Data Security Breach. ]]> 2018-02-13T18:27:03+00:00 https://www.datasecuritybreach.fr/hidden-cobra/ www.secnews.physaphae.fr/article.php?IdArticle=481178 False Medical APT 38 None Security Affairs - Blog Secu A look into the cyber arsenal used by Lazarus APT hackers in recent attacks against financial institutions Security experts at Trend Micro have analyzed malware and a tool used by the Lazarus APT group in the recent attacks against financial institutions. Security experts at Trend Micro have analyzed the attacks conducted by the notorious Lazarus APT group against financial institutions. The activity of the Lazarus Group surged in 2014 and 2015, its […] ]]> 2018-01-25T19:26:13+00:00 http://securityaffairs.co/wordpress/68221/apt/lazarus-apt-arsenal.html www.secnews.physaphae.fr/article.php?IdArticle=460268 False Medical APT 38 None SecurityWeek - Security News North Korea-linked Lazarus Hackers Update Arsenal of Hacking Tools 2018-01-25T15:01:52+00:00 http://feedproxy.google.com/~r/Securityweek/~3/IzHZleE1tkc/north-korea-linked-lazarus-hackers-update-arsenal-hacking-tools www.secnews.physaphae.fr/article.php?IdArticle=460242 False Medical APT 38 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
Greedy North Korean Hackers Targeting Cryptocurrencies and Point-of-Sale Terminals ]]> 2017-12-20T05:18:48+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/sSNJSmT1r_A/lazarus-hacking-bitcoin.html www.secnews.physaphae.fr/article.php?IdArticle=453023 False Medical APT 38 None Security Affairs - Blog Secu Lazarus APT Group targets a London cryptocurrency company Security experts from Secureworks revealed the Lazarus APT group launched a spearphishing campaign against a London cryptocurrency company. The dreaded Lazarus APT group is back and launched a spearphishing campaign against a London cryptocurrency company to steal employee credentials. The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks […] ]]> 2017-12-15T21:04:37+00:00 http://securityaffairs.co/wordpress/66780/apt/lazarus-apt-cryptocurrency.html www.secnews.physaphae.fr/article.php?IdArticle=451477 False Medical APT 38 None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Things I Hearted This Week 15th December 2017 life of its own a few days ago. But I’m reminded of the ending monologue by Morgan Freeman in “The Shawshank Redemption”, in which he starts off by saying, “Get busy living or get busy dying.” So the thought of the week is, “Get busy securing, or get busy insecuring.” Hmm doesn’t quite have the same ring to it. Will have to think of a better word – but you catch my drift. Let’s jump into this week’s interesting security bits Mirai Mirai on the wall I picture Brian Krebs as being a Liam Neeson type – he sees that his website is under attack by a never-before seen DDoS attack. He mutters to himself, “I don’t know who you are, but I will hunt you, I will find you, and I will blog about it until you get arrested, prosecuted, and thrown in jail.” It so happens that this week the hackers behind the Mirai botnet and a series of DDoS attacks pled guilty. 
The Hackers Behind Some of the Biggest DDoS Attacks in History Plead Guilty | Motherboard Mirai IoT Botnet Co-Authors Plead Guilty | KrebsonSecurity Botnet Creators Who Took Down the Internet Plead Guilty | Gizmondo Bug Laundering Bounties Apparently, HBO negotiated with hackers. Paying them $250,000 under the guise of a bug bounty as opposed to a ransom. Maybe in time, it will be found that HBO acted above board, maybe it was a sting operation, maybe it was a misconstrued email. The worrying fact is that any payment exchange system can be used to launder money. However, bug bounty providers don’t (as far as I can tell) have financial services obligations. Does the bug bounty industry need more regulation (shudder)? Leaked email shows HBO negotiating with hackers | Calgary Herald Remember the 'Game of Thrones' leak? An Iranian hacker was charged with stealing HBO scripts to raise bitcoin | USA Today Uber used bug bounty program to launder blackmail payment to hacker | ars Technica Inside a low budget consumer hardware espionage implant I’m not much of a hardware expert – actually, I’m not much of a hardware novice either. But this writeup by Mich is awesome. I didn’t even know there were so many ways to sniff, intercept and basically mess around with stuff at such small scale. It’s extremely detailed and I’ve permanently bookmarked it for future reference. ]]> 2017-12-15T14:00:00+00:00 http://feeds.feedblitz.com/~/510731884/0/alienvault-blogs~Things-I-Hearted-This-Week-th-December www.secnews.physaphae.fr/article.php?IdArticle=451486 False Guideline,Medical,Cloud Uber,APT 38,APT 37 None Security Affairs - Blog Secu Lazarus APT uses an Android app to target Samsung users in the South Korea The North Korea linked group Lazarus APT has been using a new strain of Android malware to target smartphone users in South Korea. The hacking campaign was spotted by McAfee and Palo Alto Networks, both security firms attributed the attacks to the Hidden Cobra APT. 
The activity of the Lazarus APT Group surged in 2014 and 2015, its […] ]]> 2017-11-22T07:45:40+00:00 http://securityaffairs.co/wordpress/65854/apt/lazarus-apt-android.html www.secnews.physaphae.fr/article.php?IdArticle=437853 False Medical APT 38 None The Security Ledger - Blog Sécurité US Government Warns of Hidden Cobra North Korea Cyber Threat Read the whole entry...  _!fbztxtlnk!_ https://feeds.feedblitz.com/~/493009316/0/thesecurityledger -->»]]> 2017-11-15T17:21:07+00:00 https://feeds.feedblitz.com/~/493009316/0/thesecurityledger~US-Government-Warns-of-Hidden-Cobra-North-Korea-Cyber-Threat/ www.secnews.physaphae.fr/article.php?IdArticle=434031 False Medical APT 38 None Graham Cluley - Blog Security US Government issues alert about North Korean "Hidden Cobra" cyber attacks The FBI and US Department of Homeland Security have issued an alert that hackers have targeted the aerospace industry, financial services and critical infrastructure with a remote access trojan (RAT) to further exploit vulnerable networks. ]]> 2017-11-15T11:14:56+00:00 https://hotforsecurity.bitdefender.com/blog/us-government-issues-alert-about-north-korean-hidden-cobra-cyber-attacks-19215.html#new_tab www.secnews.physaphae.fr/article.php?IdArticle=433748 False Medical APT 38 None Security Affairs - Blog Secu US DHS and FBI share reports on FALLCHILL and Volgmer malware used by North Korean Hidden Cobra APT US DHS published the details of the malware FALLCHILL and Volgmer used by the APT group Hidden Cobra that is linked to the North Korean government. The US Department of Homeland Security (DHS) published the details of the hacking tool FALLCHILL used one of the APT group linked to the North Korean government tracked as Hidden Cobra (aka Lazarus Group). 
[…] 2017-11-15T08:52:11+00:00 http://securityaffairs.co/wordpress/65582/malware/fallchill-volgmer-hidden-cobra.html www.secnews.physaphae.fr/article.php?IdArticle=433403 False Medical APT 38 None
Bleeping Computer - American Magazine North Korean Hackers Used Hermes Ransomware to Hide Recent Bank Heist 2017-10-17T07:50:25+00:00 https://www.bleepingcomputer.com/news/security/north-korean-hackers-used-hermes-ransomware-to-hide-recent-bank-heist/ www.secnews.physaphae.fr/article.php?IdArticle=419956 False Medical APT 38 None
BAE - BAE Systems Threat Research Taiwan Heist: Lazarus Tools and Ransomware Malware compiled containing admin credentials for the FEIB network. 03 October 2017 Transfers using MT103 messages were sent from FEIB to Cambodia, the US and Sri Lanka. Messages to cover the funds for the payments were incorrectly created and sent. 03 October 2017 Breach discovered and ransomware uploaded to an online malware repository site. 04 October 2017 Individual in Sri Lanka cashes out a reported Rs30m (~$195,000).
06 October 2017 2017-10-16T22:32:36+00:00 http://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html www.secnews.physaphae.fr/article.php?IdArticle=419214 False Medical Wannacry,APT 38 None
Bleeping Computer - American Magazine North Korean Cyberspies Target US Defense Contractors Following Nuclear Threats 2017-08-16T16:55:51+00:00 https://www.bleepingcomputer.com/news/security/north-korean-cyberspies-target-us-defense-contractors-following-nuclear-threats/ www.secnews.physaphae.fr/article.php?IdArticle=397419 False Medical APT 38 None
We Live Security - ESET Antivirus Software Vendor WannaCryptor attack 'may have come from Lazarus group' 2017-06-21T11:47:47+00:00 http://feedproxy.google.com/~r/eset/blog/~3/JJb8vQVzPr4/ www.secnews.physaphae.fr/article.php?IdArticle=376944 False Medical Wannacry,APT 38 None
InformationSecurityBuzzNews - Security News Site Hidden Cobra And DeltaCharlie: An Explainer 2017-06-19T08:15:46+00:00 http://www.informationsecuritybuzz.com/study-research/hidden-cobra-deltacharlie-explainer/ www.secnews.physaphae.fr/article.php?IdArticle=375850 False Medical APT 38 None
Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor Threatpost News Wrap, June 16, 2017 2017-06-16T16:00:31+00:00 https://threatpost.com/threatpost-news-wrap-june-16-2017/126332/ www.secnews.physaphae.fr/article.php?IdArticle=375739 False Medical APT 38 None
InformationSecurityBuzzNews - Security News Site US Blames North Korean 'Hidden Cobra' Group For Cyber Attacks Since 2009 2017-06-14T17:55:58+00:00 http://www.informationsecuritybuzz.com/expert-comments/us-blames-north-korean-hidden-cobra-group-cyber-attacks-since-2009/ www.secnews.physaphae.fr/article.php?IdArticle=374391 False Medical APT 38 None
Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor DHS, FBI Warn of North Korea 'Hidden Cobra'
Strikes Against US Assets 2017-06-14T17:17:21+00:00 https://threatpost.com/dhs-fbi-warn-of-north-korea-hidden-cobra-strikes-against-us-assets/126263/ www.secnews.physaphae.fr/article.php?IdArticle=374251 False Medical APT 38 None
TechRepublic - Security News US US indicts North Korea for host of cyberattacks, expects more to come 2017-06-14T14:22:31+00:00 http://www.techrepublic.com/article/us-indicts-north-korea-for-host-of-cyberattacks-expects-more-to-come/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=374186 False Medical APT 38 None
SecurityWeek - Security News U.S. Warns of North Korea's 'Hidden Cobra' Attacks 2017-06-14T10:44:45+00:00 http://feedproxy.google.com/~r/Securityweek/~3/uXZJuAMl5L4/us-warns-north-koreas-hidden-cobra-attacks www.secnews.physaphae.fr/article.php?IdArticle=373938 False Medical APT 38 None
The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) US Warns of 'DeltaCharlie' – A North Korean DDoS Botnet Malware 2017-06-14T05:23:04+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/zQCuoN_v69E/north-korea-hacking-malware.html www.secnews.physaphae.fr/article.php?IdArticle=373927 False Medical APT 38 None
TechRepublic - Security News US Video: North Korean hacking group has been hitting the US since 2009 2017-06-14T04:00:00+00:00 http://www.techrepublic.com/videos/video-north-korean-hacking-group-has-been-hitting-the-us-since-2009/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=374191 False Medical Wannacry,APT 38 4.0000000000000000
SANS Institute - SANS is a defense and training organization Analysis of Competing Hypotheses, WCry and Lazarus (ACH part 2), (Wed, May 31st) In my previous diary, I did a very brief introduction on what the ACH method is [1], so that now all readers, also those who had never seen it before, can have a common basic understanding of it. One more thing I have not mentioned yet is how the scores are calculated.
There are three different algorithms: an Inconsistency Counting algorithm, a Weighted Inconsistency Counting algorithm, and a Normalized algorithm [2]. The Weighted Inconsistency Counting algorithm, the one used in today's examples, builds on the Inconsistency algorithm, but also factors in weights of credibility and relevance values. For each item of evidence, a consistency entry of I […] Today, I will apply ACH to a recent, quite well-known case: WCry attribution. There have been lots of analyses and speculations around it; lately several sources in the InfoSec community have tied WCry strongly to Lazarus Group [3][4][5][6], while some others have provided motivation for being skeptical about such attribution [7]. Therefore, it is a perfect case to show the use of ACH: several different hypotheses, facts, evidence and assumptions. Digital Shadows WCry ACH analysis About two weeks ago, Digital Shadows published a very well done post on ACH applied to WCry attribution [8]. Regarding possible attribution to Lazarus though, as stated in their post, "At the time of writing, however, we assessed there to be insufficient evidence to corroborate this claim of attribution to this group, and alternative hypotheses should be considered." Therefore, among the hypotheses considered, one specifically for Lazarus is missing, in place of a more generic nation state or state-affiliated actor.
The following are the four different hypotheses considered by Digital Shadows:
A sophisticated financially-motivated cybercriminal actor - H1
An unsophisticated financially-motivated cybercriminal actor - H2
A nation state or state-affiliated actor conducting a disruptive operation - H3
A nation state or state-affiliated actor aiming to discredit the National Security Agency (NSA) - H4
Given the final scores computed, they have assessed that "though by no means definitive, a WannaCry campaign launched by an unsophisticated cybercriminal actor was the most plausible scenario based on the information that is currently available." Just one note on my side: from my calculation it seems they have made a mistake, and the H2 score should be -2.121 rather than -1.414. This does not change the final result, but brings H2 and H3 way closer. My WCry ACH Analysis Although the Digital Shadows analysis was a very good one, I felt something was missing, both on the hypotheses side as well as on the evidence side. Particularly, in my opinion, I would add three more hypotheses. When thinking about the NSA being the final target of this, other than "a nation state or state-affiliated actor aiming to discredit the NSA", I think that a (generic/unattributed) TA aiming at unveiling/exposing the extent of a possible NSA network of compromised machines should also be considered (H5). This is something one would expect from a hacktivist maybe, although it seems to be way more sophisticated than what hacktivists have got us used to. One difference from H4 could be the lack of a supporting media narrative. While someone who wants to discredit the NSA would be ready with a supporting media narrative, if the goal was simply to unveil and show to everyone the potential extent of NSA-infected machines, the infection as it was would have been sufficient, given also the abundant media coverage it got.
Although this may still be seen as too close to H4 to be a different hypothesis, I still do see a case for it. 2017-05-31T07:33:02+00:00 https://isc.sans.edu/diary.html?storyid=22470&rss www.secnews.physaphae.fr/article.php?IdArticle=369903 False Medical Wannacry,APT 38 None
Bleeping Computer - American Magazine New Evidence Cements Theory That North Korea is Behind Lazarus Group 2017-05-30T14:00:19+00:00 https://www.bleepingcomputer.com/news/security/new-evidence-cements-theory-that-north-korea-is-behind-lazarus-group/ www.secnews.physaphae.fr/article.php?IdArticle=369722 False Medical APT 38 None
The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) Linguistic Analysis Suggests WannaCry Hackers Could be From Southern China 2017-05-29T11:10:00+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/UUyO_atN2_Q/china-wannacry-ransomware.html www.secnews.physaphae.fr/article.php?IdArticle=369372 False Medical Wannacry,APT 38 None
Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor Threatpost News Wrap, May 19, 2017 2017-05-19T13:00:19+00:00 https://threatpost.com/threatpost-news-wrap-may-19-2017/125796/ www.secnews.physaphae.fr/article.php?IdArticle=366984 False Medical Wannacry,APT 38 None
Bleeping Computer - American Magazine 3 Security Firms Say WannaCry Ransomware Shares Code with North Korean Malware 2017-05-17T06:50:12+00:00 https://www.bleepingcomputer.com/news/security/3-security-firms-say-wannacry-ransomware-shares-code-with-north-korean-malware/ www.secnews.physaphae.fr/article.php?IdArticle=366168 False Medical Wannacry,APT 38 None
BAE - BAE Systems Threat Research WanaCrypt0r Ransomworm ANALYSIS: Initial Vector The initial infection vector is still unknown.
Reports by some of phishing emails have been dismissed by other researchers as relevant only to a different (unrelated) ransomware campaign, called Jaff. There is also a working theory that the initial compromise may have come from SMB shares exposed to the public internet. Results from Shodan show over 1.5 million devices with port 445 open – the attacker could have infected those shares directly. The Dropper/Worm The infection starts from a 3.6 MB executable file named mssecsvc.exe or lhdfrgui.exe. Depending on how it's executed, it can function as a dropper or as a worm. When run, the executable first checks if it can connect to the following URL: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com The connection is checked with the WinINet functions, shown below: qmemcpy(&szUrl, "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com", 57u); h1 = InternetOpenA(0, […] 2017-05-17T03:33:55+00:00 http://baesystemsai.blogspot.com/2017/05/wanacrypt0r-ransomworm.html www.secnews.physaphae.fr/article.php?IdArticle=365767 False Guideline,Medical Wannacry,APT 38 None
IT Security Guru - Security Blog WannaCry ransomware cyber-attack 'may have N Korea link' 2017-05-16T10:39:48+00:00 http://www.itsecurityguru.org/2017/05/16/wannacry-ransomware-cyber-attack-may-n-korea-link/ www.secnews.physaphae.fr/article.php?IdArticle=365710 False Medical Wannacry,APT 38 None
Network World - IT Magazine Kaspersky Lab reveals 'direct link' between banking heist hackers and North Korea banking heist hackers and North Korea. While Lazarus is a notorious cyber-espionage and sabotage group, a subgroup of Lazarus, called Bluenoroff by Kaspersky researchers, focuses only on financial attacks with the goal of "invisible theft without leaving a trace." The group has four main types of targets: financial institutions, casinos, companies involved in the development of financial trade software and crypto-currency businesses.
2017-04-04T08:22:00+00:00 http://www.networkworld.com/article/3187548/security/kaspersky-lab-reveals-direct-link-between-banking-heist-hackers-and-north-korea.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=352653 False Medical APT 38 None
Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor Lazarus APT Spinoff Linked to Banking Hacks 2017-04-03T20:38:44+00:00 https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/ www.secnews.physaphae.fr/article.php?IdArticle=352251 False Medical APT 38 None
Network World - IT Magazine Banking hackers left a clue that may link them to North Korea $81 million theft from Bangladesh's central bank through the SWIFT transaction software. However, hackers working for the group recently made a mistake: they failed to wipe the logs from a server the group had hacked in Europe, security firm Kaspersky Lab said on Monday. 2017-04-03T16:33:01+00:00 http://www.networkworld.com/article/3187391/security/banking-hackers-left-a-clue-that-may-link-them-to-north-korea.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=351700 False Medical APT 38 None
BAE - BAE Systems Threat Research Lazarus & Watering-hole attacks article that detailed a series of attacks directed at Polish financial institutions. The article is brief, but states that "This is – by far – the most serious information security incident we have seen in Poland", followed by a claim that over 20 commercial banks had been confirmed as victims. This report provides an outline of the attacks based on what was shared in the article, and our own additional findings.
ANALYSIS As stated in the blog, the attacks are suspected of originating from the website of the Polish Financial Supervision Authority (knf.gov[.]pl), shown below. From at least 2016-10-07 to late January the website code had been modified to cause visitors to download malicious JavaScript files from the following locations: hxxp://sap.misapor[.]ch/vishop/view.jsp?pagenum=1 hxxps://www.eye-watch[.]in/design/fancybox/Pnf.action Both of these appear to be compromised domains, given they are also hosting legitimate content and have done so for some time. The malicious JavaScript leads to the download of malware to the victim's device. Some hashes of the backdoor have been provided in BadCyber's technical analysis: 85d316590edfb4212049c4490db08c4bc1364bbf63b3617b25b58209e4529d8c 1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae The C&Cs given in the BadCyber analysis were the following IP addresses: 125.214.195.17196.29.166.218 LAZARUS MALWARE Only one of the samples referenced by BadCyber is available in public malware repositories. At the moment we cannot verify that it originated from the watering-hole on the KNF website – but we have no reason to doubt this either. MD5 hash Filename File Info First seen 2017-03-06T12:13:22+00:00 http://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html www.secnews.physaphae.fr/article.php?IdArticle=352308 False Guideline,Medical APT 38 None
BAE - BAE Systems Threat Research Lazarus' False Flag Malware We continue to investigate the recent wave of attacks on banks using watering-holes on at least two financial regulator websites as well as others. Our initial analysis of malware disclosed in the BadCyber blog hinted at the involvement of the 'Lazarus' threat actor. Since the release of our report, more samples have come to light, most notably those described in the Polish-language niebezpiecznik.pl blog on 7 February 2017.
MD5 hash | Filename | Compile Time | File Info | Submitted
9216b29114fb6713ef228370cbfe4045 | srservice.chm | N/A | N/A | N/A
8e32fccd70cec634d13795bcb1da85ff | srservice.hlp | N/A | N/A | N/A
e29fe3c181ac9ddb
2017-03-06T12:13:03+00:00 http://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html www.secnews.physaphae.fr/article.php?IdArticle=352307 False Guideline,Medical APT 38 None
Graham Cluley - Security Blog Lazarus mob possibly behind malware attacks against Polish banks A hacking gang known as the Lazarus Group might be responsible for malware attacks that have targeted Polish banks and other financial organizations. David Bisson reports. 2017-02-13T20:39:54+00:00 https://www.grahamcluley.com/lazarus-gang-possibly-behind-malware-attacks-polish-banks/ www.secnews.physaphae.fr/article.php?IdArticle=313179 False Medical APT 38 None
AlienVault Blog - AlienVault is a major defense player in IOCs Top 12 AlienVault Blogs of 2016 subscribe to our blog to ensure you get all the new goodies either daily or as a weekly summary in your inbox. Without further ado, following are the top 12 AlienVault blogs of 2016:
Building a Home Lab to Become a Malware Hunter - A Beginner's Guide - The top blog of 2016 was written by @sudosev and explains how he set up his own home malware lab.
How Penetration Testers Use Google Hacking - Jayme Hancock describes how to do Google hacking / dorking cleverly as a pen tester. It even includes a helpful "cheat sheet".
Security Issues of WiFi - How it Works - Everyone loves WiFi, but Joe Gray explains how WiFi works and describes the many security issues and nuances associated with WiFi.
Reverse Engineering Malware - In this blog, I interview some members of our AlienVault Labs team to learn how they reverse engineer malware when they're doing security research. The team describes several approaches and tools to use in analyzing malware samples.
The Mirai Botnet, Tip of the IoT Iceberg - Javvad Malik talks about IoT security challenges in general, and focuses on the Mirai botnet, which targeted XiongMai Technologies IoT equipment in a recent attack.
Web Application Security: Methods and Best Practices - The OWASP top 10 and web application security testing are covered in this educational blog by Garrett Gross.
Common Types of Malware, 2016 Update - Lauren Barraco outlines the different categories of malware and highlights what's new in 2016.
PowerWare or PoshCoder? Comparison and Decryption - Peter Ewane of the Labs team talks about his research into PowerShell vulnerabilities and exploits. He focuses on PowerWare, which seems to be heavily based on PoshCoder.
Can You Explain Encryption to Me? - In this blog by Javvad Malik, he describes encryption to his boss in a hilarious exchange of notes. Javvad then outlines the basics of encryption in a very understandable way.
OceanLotus for OS X – an Application Bundl 2017-01-03T14:00:00+00:00 http://feeds.feedblitz.com/~/252664318/0/alienvault-blogs~Top-AlienVault-Blogs-of www.secnews.physaphae.fr/article.php?IdArticle=284657 False Medical APT 38,APT 32 None
AlienVault Blog - AlienVault is a major defense player in IOCs OnionDog – An Example of a Regional, Targeted Attack 360 SkyEye Labs published a detailed analysis of the OnionDog APT earlier this year, and during the dog days of summer (see what I did there?) it seems appropriate to revisit this malware. OnionDog has been around for several years and exploits a vulnerability in Hangul office software, which is a popular Korean-language productivity suite.
Hangul software is also widely deployed in South Korean Government agencies and facilities. The group behind OnionDog is the Lazarus Group, exposed by AlienVault and other threat intelligence teams as part of Operation Blockbuster for its targeting of Sony Pictures and a range of other targets. How it Works OnionDog used various techniques to entice victims to open the malicious attachment. The attachments targeted a range of government agencies and utilities, such as power, water, ports, transit, and rail, to lure its victims (see the screenshot of the 'Investigation Report of the Korean Railway Accident' below). Source: 360 SkyEye Labs The malware installs a back door on the compromised system, collects and forwards information about the compromised systems to the C&C server, and infects any USB drive attached to it. Impact on you The regional nature of OnionDog will likely limit your exposure to this particular version of the threat if you're not located in South Korea. However, if there is a user of Hangul software on your network, or if someone in your office may have visited an office that uses Hangul software and plugged a device into a compromised system, you may be at risk of data loss. Although this version of the malware is localized to South Korea, the Lazarus Group could easily choose another popular application to target specific organizations in other countries. How AlienVault Helps The AlienVault® Unified Security Management (USM)™ platform delivers the essential security capabilities that organizations of all sizes need to detect, prioritize, and respond to threats like OnionDog. The AlienVault Labs team regularly updates the rulesets that drive the threat detection and response capabilities of the AlienVault USM platform, to keep you up to date with new and evolving threats such as OnionDog.
The Labs team performs the threat research on the latest threats, and on how to detect and respond to them, that most IT teams simply don't have the expertise, time, budget, or tools to do themselves. The Labs team recently updated the USM platform's ability to detect this new threat by adding IDS signatures to detect the malicious traffic and a correlation directive to link events from across a network that indicate a system compromised by OnionDog. Learn more about the 2016-08-09T13:00:00+00:00 http://feeds.feedblitz.com/~/176703272/0/alienvault-blogs~OnionDog-%e2%80%93-An-Example-of-a-Regional-Targeted-Attack www.secnews.physaphae.fr/article.php?IdArticle=7188 False Medical APT 38 None
AlienVault Lab Blog - AlienVault is a major defense player in IOCs Operation BlockBuster unveils the actors behind the Sony attacks Kaspersky's Global Research and Analysis Team. In the research that AlienVault and Kaspersky collaborated on, we attributed several campaigns to this actor. Armed with some of the indicators that US-CERT made public after the Sony attack, we continued to analyze different campaigns in 2015 that we suspected were being launched by the same actor. Eventually we were also able to attribute previous activity to the same attackers, including:
Sony Pictures Entertainment - 2014
Operation DarkSeoul - 2013
Operation Troy - 2013
Wild Positron / Duuzer - 2015
Besides several campaigns where the Lazarus group has utilized wipers to perform destructive attacks, they have also been busy using the same tools to perform data theft and cyber espionage operations. Today, as part of the Operation BlockBuster release, we want to share some of our findings and TTPs from the Lazarus Group that allowed us to link and attribute all the campaigns and tools to the same cluster of activity.
We highly recommend that you read the comprehensive report Novetta published today, which includes details on the project's scope and the more than 45 malware families identified, and includes signatures and guidance to help organizations detect and stop the group's actions. Encryption/Shared keys One of the key findings that gave us the opportunity to link several families to the same actors was finding a dropper that the attackers use. This dropper contains a compressed resource (ZIP) with the name "MYRES" that is protected by a password. The attackers have reused the same password on different occasions, and we were able to find droppers containing different families used by the group. This actor also reuses the code libraries they utilize to perform RSA encryption. We were also able to find the exact same public key in multiple variants. Batch scripts This actor often uses BAT files that share the same skeleton in order to delete the initial files after infection. We have seen them reuse this technique across multiple droppers and payloads. Obfuscation functions The Lazarus Group uses a few different methods to obfuscate API functions and dynamically load them. One of them consists of using a simple XOR schema. 2016-02-24T14:00:00+00:00 http://feeds.feedblitz.com/~/140108184/0/alienvaultotx~Operation-BlockBuster-unveils-the-actors-behind-the-Sony-attacks www.secnews.physaphae.fr/article.php?IdArticle=59 False Medical Yahoo,APT 38 None
CrowdStrike - CTI Society NHS Matures Healthcare Cybersecurity with NCSC's CAF Assurance Model 1970-01-01T00:00:00+00:00 https://www.crowdstrike.com/en-us/blog/nhs-matures-healthcare-cybersecurity-ncsc-caf/ www.secnews.physaphae.fr/article.php?IdArticle=8655688 False Medical None 2.0000000000000000