www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. It's a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2025-05-11T02:50:26+00:00 www.secnews.physaphae.fr

Security Affairs - Security Blog US DHS and FBI share reports on FALLCHILL and Volgmer malware used by North Korean Hidden Cobra APT US DHS published the details of the malware FALLCHILL and Volgmer used by the APT group Hidden Cobra that is linked to the North Korean government. The US Department of Homeland Security (DHS) published the details of the hacking tool FALLCHILL used by one of the APT groups linked to the North Korean government tracked as Hidden Cobra (aka Lazarus Group). […] 2017-11-15T08:52:11+00:00 http://securityaffairs.co/wordpress/65582/malware/fallchill-volgmer-hidden-cobra.html www.secnews.physaphae.fr/article.php?IdArticle=433403 False Medical APT 38 None

IT Security Guru - Security Blog Backdoored IP scanner tricks hackers It was found that hackers, who were looking to create their own version of the Reaper botnet, downloaded an IP scanner which was a PHP file that was made available as a free download after news about the Reaper botnet broke.
Original source: BleepingComputer 2017-11-09T10:36:35+00:00 http://www.itsecurityguru.org/2017/11/09/backdoored-ip-scanner-tricks-hackers/ www.secnews.physaphae.fr/article.php?IdArticle=430733 False Cloud APT 37 None

Dark Reading - InformationWeek Branch OceanLotus APT Group Unfolds New Tactic in Cyber Espionage Campaign 2017-11-09T09:07:00+00:00 https://www.darkreading.com/attacks-breaches/oceanlotus-apt-group-unfolds-new-tactic-in-cyber-espionage-campaign/d/d-id/1330371?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple www.secnews.physaphae.fr/article.php?IdArticle=431079 False None APT 32 None

Bleeping Computer - American Magazine Hacker Wannabes Fooled by Backdoored IP Scanner 2017-11-08T16:16:00+00:00 https://www.bleepingcomputer.com/news/security/hacker-wannabes-fooled-by-backdoored-ip-scanner/ www.secnews.physaphae.fr/article.php?IdArticle=430368 False Cloud APT 37 None

Security Affairs - Security Blog Vietnamese APT32 group is one of the most advanced APTs in the threat landscape According to the incident response firm Volexity, the Vietnamese APT32 group is today one of the most advanced APTs in the threat landscape. According to the incident response firm Volexity, the cyber espionage campaigns associated with a group operating out of Vietnam and tracked as OceanLotus and APT32 have become increasingly sophisticated.
Researchers at Volexity have been tracking the threat actor since […] 2017-11-07T13:36:51+00:00 http://securityaffairs.co/wordpress/65271/apt/apt32-cyber-espionage-2017.html www.secnews.physaphae.fr/article.php?IdArticle=429360 False None APT 32 None

F-Secure - F-Secure RickRolled by none other than IoTReaper 2017-11-03T12:39:20+00:00 https://labsblog.f-secure.com/2017/11/03/rickrolled-by-none-other-than-iotreaper/ www.secnews.physaphae.fr/article.php?IdArticle=428076 False Cloud APT 37 None

SecurityWeek - Security News Researchers Downplay Size of Reaper IoT Botnet The Mirai-like "Reaper" botnet that began infecting Internet of Things (IoT) devices in late September has only ensnared up to 20,000 bots so far, according to estimates from Arbor Networks. 2017-10-30T12:55:31+00:00 http://feedproxy.google.com/~r/Securityweek/~3/Ale8wQm96CM/researchers-downplay-size-reaper-iot-botnet www.secnews.physaphae.fr/article.php?IdArticle=425241 False Cloud APT 37 None

ZD Net - Info Magazine Fear the Reaper? Experts reassess the botnet's size and firepower 2017-10-30T12:33:00+00:00 http://www.zdnet.com/article/reaper-botnet-experts-reassess-size-and-firepower/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=425185 False None APT 37 None

Krebs on Security - American Researcher Fear the Reaper, or Reaper Madness? 2017-10-27T20:39:21+00:00 https://krebsonsecurity.com/2017/10/fear-the-reaper-or-reaper-madness/ www.secnews.physaphae.fr/article.php?IdArticle=424874 False Cloud APT 37 None

InformationSecurityBuzzNews - Security News Site eSentire Security Advisory: Reaper IoT Botnet 2017-10-26T14:15:38+00:00 http://www.informationsecuritybuzz.com/news/esentire-security-advisory-reaper-iot-botnet/ www.secnews.physaphae.fr/article.php?IdArticle=424371 False Cloud APT 37 None

Data Security Breach - French News Site Future attack?
Mirai's little brother, Reaper, is collecting connected devices. Reaper, a new botnet targeting connected devices, is reportedly stockpiling information for a future attack. Reaper, a... This article, "Future attack? Mirai's little brother, Reaper, is collecting connected devices", is published by Data Security Breach. 2017-10-25T23:00:16+00:00 https://www.datasecuritybreach.fr/reaper-future-attaque-iot/ www.secnews.physaphae.fr/article.php?IdArticle=423858 False Cloud APT 37 None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor Hackers Prepping IOTroop Botnet with Exploits 2017-10-25T18:33:18+00:00 https://threatpost.com/hackers-prepping-iotroop-botnet-with-exploits/128608/ www.secnews.physaphae.fr/article.php?IdArticle=423872 False Cloud APT 37 None

Graham Cluley - Security Blog Reaper IoT botnet could be more devastating than Mirai Think the Mirai botnet which launched a DDoS attack that knocked major websites offline last year was bad? It's possible that you ain't seen nothing yet. 2017-10-24T16:14:49+00:00 https://www.bitdefender.com/box/blog/iot-news/reaper-iot-botnet-devastating-mirai/#new_tab www.secnews.physaphae.fr/article.php?IdArticle=423063 False Cloud APT 37 None

ZD Net - Info Magazine After quietly infecting a million devices, Reaper botnet set to be worse than Mirai 2017-10-24T12:46:37+00:00 http://www.zdnet.com/article/reaper-botnet-could-be-worse-than-mirai-cyberattack/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=422895 False Cloud APT 37 None

Krebs on Security - American Researcher Reaper: Calm Before the IoT Security Storm? 2017-10-23T19:42:42+00:00 https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm/ www.secnews.physaphae.fr/article.php?IdArticle=422363 False Cloud APT 37 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
New Rapidly-Growing IoT Botnet Threatens to Take Down the Internet 2017-10-21T00:49:26+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/N3Rrk3CAFZk/iot-botnet-malware-attack.html www.secnews.physaphae.fr/article.php?IdArticle=421826 False Cloud APT 37 None

AlienVault Blog - AlienVault is a major defence player in IOCs Things I Hearted this Week 20th October 2017
Child safety smartwatches ‘easy’ to hack, watchdog says | BBC
Third of business directors have never heard of GDPR
With GDPR around the corner, and the feeling that you cannot escape the acronym wherever you go, it is quite concerning to learn that a third of business directors haven’t heard of it. While one can understand if the general public is not aware of the upcoming regulation, it is incumbent upon company directors to be aware of their increased responsibilities due to GDPR. GDPR is not just another technical or security requirement, but is based in fundamental privacy rights of citizens and comes with potentially harsh fines. Despite many months to prepare, it would appear as if GDPR may still catch many companies by surprise.
Third of IoD Members Have Never Heard of GDPR | Infosecurity Magazine
Ghosts of vulnerabilities past
It looks like Microsoft’s bug tracking database was infiltrated back in 2013. The company kept the news quiet and moved on. It’s pretty worrying what someone with all that information could have / would have done. How many exploits were made possible because some bad guy somewhere found some vulnerabilities they could exploit? A good reminder that companies should take a hard look at their assets and their value. Not just value in terms of direct business, but the potential impact on customers.
Microsoft responded quietly after detecting secret database hack in 2013 | Reuters
Microsoft never disclosed 2013 hack of secret vulnerability database | Ars Technica
Microsoft’s bug tracker was hacked in 2013 but it didn’t tell anyone about it | SiliconANGLE
Unmasking the ransomware kingpins
This is a great read by Elie Bursztein on exposing the cybercriminal groups that dominate the ransomware underworld. It’s the third part in a trilogy of blogs – I probably can’t do it justice, so it’s best you go check it out: Unmasking the ransomware kingpins
A Stick Figure Guide to the Advanced Encryption Standard (AES)
This is an old post – like really old, from 2009. But I only came across it recently and found it to be real […] 2017-10-20T13:00:00+00:00 http://feeds.feedblitz.com/~/474958195/0/alienvault-blogs~Things-I-Hearted-this-Week-th-October www.secnews.physaphae.fr/article.php?IdArticle=421708 False None APT33,APT 33 None

Bleeping Computer - American Magazine A Gigantic IoT Botnet Has Grown in the Shadows in the Past Month 2017-10-20T09:30:39+00:00 https://www.bleepingcomputer.com/news/security/a-gigantic-iot-botnet-has-grown-in-the-shadows-in-the-past-month/ www.secnews.physaphae.fr/article.php?IdArticle=422140 False Cloud APT 37 None

Security Affairs - Security Blog BAE Systems report links Taiwan heist to North Korean LAZARUS APT Researchers at BAE Systems investigated the recent cyber-heist that targeted a bank in Taiwan and linked the action to the notorious Lazarus APT group. The activity of the Lazarus APT Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.
[…] 2017-10-18T07:04:09+00:00 http://securityaffairs.co/wordpress/64445/apt/lazarus-apt-taiwan-heist.html www.secnews.physaphae.fr/article.php?IdArticle=420304 False None APT 38 None

AlienVault Blog - AlienVault is a major defence player in IOCs Newly Discovered Iranian APT Group Brings State-sponsored Cyber Espionage into Focus hack of Sony in 2014, China’s alleged hack of the US’s Office of Personnel Management in 2015, or Russia’s alleged hack of the Democratic National Committee in 2016, the stories are mounting. Iran has also been in the cyber espionage news, with major suspected attacks ranging from the Las Vegas Sands attack in 2014 to the DDoS attack on numerous US banks in 2016. Beyond these high-profile attacks, there are also countless examples of low-profile attacks. While these attacks don’t make the major headlines, they may actually be more relevant to your organization. In this blog, we zero in on this lesser-publicized activity, focusing on a recently discovered Iranian hacker group, dubbed APT33, the tools they have developed, and how AlienVault can help you detect this activity in your environment.
What is state-sponsored cyber espionage and what are the typical goals?
First, a quick primer on state-sponsored cyber espionage. State-sponsored cyber espionage is the act of obtaining secrets and information from individuals, competitors, rivals, groups, governments, and enemies, without the permission and knowledge of the holder of the information, usually for economic, political, or military advantage. The goals of these state-sponsored groups or individuals range from basic theft or sabotage to collecting military and diplomatic information to enabling domestic organizations to compete on a global economic level.
Why should you care?
Should you be concerned about state-sponsored cyber hacks? In a word, yes. And it’s really the low-profile attacks from state-sponsored hackers that should be most concerning.
This is because the tools and methods that these hackers develop and utilize can be leveraged by other nefarious hackers against your organization. You need to be alerted to and protected against these tools.
Who is APT33?
This leads us to Iranian group Advanced Persistent Threat 33 (APT33), a group recently chronicled by security firm FireEye. FireEye assessed that APT33 works at the behest of the Iranian government, and they attribute to APT33 many breaches of Saudi Arabian, South Korean, and US organizations ranging from the aviation sector to the energy sector. The primary goals of APT33 appear to be to enhance Iran’s domestic aviation capabilities or to support Iran’s military decision making against Saudi Arabia. Notably, FireEye has found signs of APT33 activity in some of its own clients' networks, but suspects the APT33 intrusions have been on a wider scale.
APT33 has unveiled new tools, including a new backdoor.
APT33 has developed numerous tools, including a new backdoor called TURNEDUP. TURNEDUP is capable of uploading and downloading files, creating a reverse shell, taking screenshots, and gathering system information. FireEye found that APT33 has also leveraged Dropshot, a drop […] 2017-10-17T13:00:00+00:00 http://feeds.feedblitz.com/~/472705174/0/alienvault-blogs~Newly-Discovered-Iranian-APT-Group-Brings-Statesponsored-Cyber-Espionage-into-Focus www.secnews.physaphae.fr/article.php?IdArticle=419823 False Guideline APT33,APT 33 None

Bleeping Computer - American Magazine North Korean Hackers Used Hermes Ransomware to Hide Recent Bank Heist 2017-10-17T07:50:25+00:00 https://www.bleepingcomputer.com/news/security/north-korean-hackers-used-hermes-ransomware-to-hide-recent-bank-heist/ www.secnews.physaphae.fr/article.php?IdArticle=419956 False Medical APT 38 None

BAE - BAE Systems Threat Research Taiwan Heist: Lazarus Tools and Ransomware
Malware compiled containing admin credentials for the FEIB network.
03 October 2017 Transfers using MT103 messages were sent from FEIB to Cambodia, the US and Sri Lanka. Messages to cover the funds for the payments were incorrectly created and sent.
03 October 2017 Breach discovered and ransomware uploaded to online malware repository site.
04 October 2017 Individual in Sri Lanka cashes out a reported Rs30m (~$195,000).
06 October 2017 […] 2017-10-16T22:32:36+00:00 http://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html www.secnews.physaphae.fr/article.php?IdArticle=419214 False Medical Wannacry,APT 38 None

Malwarebytes Labs - MalwarebytesLabs Labs report: summer ushers in unprecedented season of breaches In this edition of the Malwarebytes Cybercrime Tactics and Techniques report, we saw a number of high profile breaches targeting the personal information of hundreds of millions of people. We also observed shifts in malware distribution, the revival of some old families, and found cases of international tech support scams. Categories: Malwarebytes news 2017-10-12T16:00:27+00:00 https://blog.malwarebytes.com/malwarebytes-news/2017/10/labs-report-summer-ushers-in-unprecedented-season-of-breaches/ www.secnews.physaphae.fr/article.php?IdArticle=418032 False None Equifax,APT 32 None

Security Affairs - Security Blog Iran-linked OilRig hacker group uses a new Trojan in Middle East attacks The Iran-linked cyberespionage group OilRig has been using a new Trojan in attacks aimed at targets in the Middle East. Experts from Palo Alto Networks spotted a new campaign launched by the notorious APT group OilRig against an organization within the government of the United Arab Emirates (UAE).
The OilRig hacker group is an Iran-linked APT that has been around since at least […] 2017-10-10T13:38:53+00:00 http://securityaffairs.co/wordpress/64119/apt/oilrig-isminjector-campaign.html www.secnews.physaphae.fr/article.php?IdArticle=417164 False None APT 34 None

Zataz - French Security Magazine Revelations about the Iranian hacker group APT33 2017-09-24T17:34:21+00:00 https://www.zataz.com/hackers-iran-apt33/ www.secnews.physaphae.fr/article.php?IdArticle=411419 False None APT33,APT 33 None

The Last Watchdog - Security Blog by Byron V Acohido PODCAST: Cyphort helps companies translate an ocean of network logs into actionable intelligence 2017-09-22T17:56:58+00:00 http://lastwatchdog.com/podcast-cyphort-helps-companies-translate-an-ocean-of-network-logs-into-actionable-intelligence/ www.secnews.physaphae.fr/article.php?IdArticle=411528 False None APT 32 None

AlienVault Blog - AlienVault is a major defence player in IOCs Things I hearted this week - September 22
Meet APT33: A Gnarly Iranian Hacker Crew Threatening Destruction | Forbes
Threat data, IOCs and information on APT33, aka Greenbug | OTX
Data breaches and class action lawsuits
Should individuals whose data has been breached have the right to sue companies? It’s a tricky question, and one that the courts are seemingly having trouble deciding on. Recently, a judge dismissed two consolidated class actions by more than 21m federal employees who had information breached by the Office of Personnel Management (OPM). The judge concluded that the federal employees could not establish their threshold right to sue in federal court because they had not shown they faced imminent risk of identity theft, even though nearly two dozen of those named in the class actions claimed their confidential information has already been misused. Hopefully things will change going forward. The problem with identity theft is that it’s not time-dependent.
An attacker could hoard details for a long period before committing a crime. And even when an identity is stolen, it is difficult to tie back to where the breach occurred.
OPM Data Breach Lawsuit Tossed, Fed Plaintiffs will Appeal | Dark Reading
OPM Says Gov't Workers' Data Breach Suit Fails | Law360
In the long run, class actions may not be the best way to redress data breaches | Reuters
Somewhat related, My three years in identity theft hell | Bloomberg
The Ghost of Windows XP
As the lyrics go, “They stab it with their steely knives, but they just can’t kill the beast.” In this case, the beast seems to be Win XP, which, despite being woefully outdated, continues to make its presence felt. The latest announcement being that a fifth of the Manchester police department are running Win XP.
Manchester police still relies on Windows XP | BBC
Manchester Police are using Windows XP on one in five computers | V3
When insurance goes too far
Melina Efthimiadis along with her husband wanted to add personal umbrella liability insurance to their Nationwide homeowner's policy. She says they have been low-risk clients, so she didn't think it would be a problem.
In the application process for Nationwide, Melina says they had to write down the number of dogs they owned and their breeds, wh […] 2017-09-22T13:00:00+00:00 http://feeds.feedblitz.com/~/460675978/0/alienvault-blogs~Things-I-hearted-this-week-September www.secnews.physaphae.fr/article.php?IdArticle=411332 False Guideline CCleaner,APT33,APT 33 None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor Iranian APT33 Targets US Firms with Destructive Malware 2017-09-21T17:54:36+00:00 https://threatpost.com/iranian-apt33-targets-us-firms-with-destructive-malware/128074/ www.secnews.physaphae.fr/article.php?IdArticle=410952 False None APT33,APT 33 None

IT Security Guru - Security Blog Iranian hacking group APT33 creators of destructive malware 2017-09-21T09:31:03+00:00 http://www.itsecurityguru.org/2017/09/21/iranian-hacking-group-apt33-creators-destructive-malware/ www.secnews.physaphae.fr/article.php?IdArticle=410577 False None APT33,APT 33 5.0000000000000000

UnderNews - French "pirate" news site FireEye reveals the activities of the Iranian group APT33 FireEye, the intelligence-based network security specialist, announces the details of an Iranian "hacker" group with potentially destructive capabilities, which it has named APT33. This group has already targeted the energy and aerospace sectors. 2017-09-21T06:57:39+00:00 http://feedproxy.google.com/~r/undernews/oCmA/~3/V0q9F-Fw9nY/fireeye-revele-les-activites-du-groupe-iranien-apt33.html www.secnews.physaphae.fr/article.php?IdArticle=410560 False None APT33,APT 33 None

Security Affairs - Security Blog Iranian cyber spies APT33 target aerospace and energy organizations 2017-09-21T06:25:15+00:00 http://securityaffairs.co/wordpress/63230/apt/apt33-iranian-hackers.html www.secnews.physaphae.fr/article.php?IdArticle=410486 True None APT33,APT 33 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
APT33: Researchers Expose Iranian Hacking Group Linked to Destructive Malware 2017-09-20T11:53:19+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/vxp4o5wtdtM/apt33-iranian-hackers.html www.secnews.physaphae.fr/article.php?IdArticle=410278 False None APT33,APT 33 None

Mandiant - Mandiant's Security Blog Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware
When discussing suspected Middle Eastern hacker groups with destructive capabilities, many automatically think of the suspected Iranian group that previously used SHAMOON – aka Disttrack – to target organizations in the Persian Gulf. However, over the past few years, we have been tracking a separate, less widely known suspected Iranian group with potential destructive capabilities, whom we call APT33. Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government. Recent […]
2017-09-20T09:00:00+00:00 https://www.mandiant.com/resources/blog/apt33-insights-into-iranian-cyber-espionage www.secnews.physaphae.fr/article.php?IdArticle=8377764 False Malware APT33,APT 33,APT 33 4.0000000000000000
SecurityWeek - Security News DigitalOcean Warns of Vulnerability Affecting Cloud Users 2017-09-19T10:47:28+00:00 http://feedproxy.google.com/~r/Securityweek/~3/MTvQwjfBmF8/digitalocean-warns-vulnerability-affecting-cloud-users www.secnews.physaphae.fr/article.php?IdArticle=409628 False None APT 32 None

NoticeBored - Experienced IT Security professional NBlog August 23 - Information Security outreach Further to yesterday's ISO27k Forum thread and blog piece, I've been contemplating the idea of extending the security awareness program into an "outreach" initiative for Information Security, or at least viewing it in that way. I have in mind a planned, systematic, proactive approach not just to spread the information risk and security gospel, but to forge stronger, more productive working relationships throughout the organization, perhaps even beyond. Virtually every interaction between anyone from Information Security and The Business is a relationship-enhancing opportunity, a chance to inform, communicate/exchange information in both directions, assist, guide, and generally build Information Security's credibility and brand.
Doing so has the potential to:
Drive or enhance the corporate security culture through Information Security becoming increasingly respected, trusted, approachable, consulted, informed and most of all used, rather than being ignored, feared and shunned (the "No Department");
Improve understanding on all sides, such as identifying business initiatives, issues, concerns and demands for Information Security involvement, at an early enough stage to be able to specify, plan, resource and deliver the work at a sensible pace rather than at the last possible moment with next to no available resources; also knowing when to back off, leaving the business to its own devices if there are other more pressing demands, including situations where accepting information risks is necessary or appropriate for various business reasons;
Encourage and facilitate collaboration, cooperation and alignment around common goals;
Improve the productivity and effectiveness of Information Security by being more customer-oriented - always a concern with ivory-tower expert functions staffed by professionals who think they (OK, we!) know best;
Improve the management and treatment of information risks as a whole through better information security, supporting key business objectives such as being able to exploit business opportunities that would otherwise be too risky, while complying with applicable laws and regulations.
2017-08-23T13:14:19+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/r3CdR4cAALs/nblog-august-23-information-security.html www.secnews.physaphae.fr/article.php?IdArticle=409096 False Cloud APT 37 None

The State of Security - American Magazine California City Stops Online Utility Bill Payment System amid Breach Fears 2017-08-23T11:04:28+00:00 https://www.tripwire.com/state-of-security/latest-security-news/california-city-stops-online-utility-bill-payment-system-amid-breach-fears/ www.secnews.physaphae.fr/article.php?IdArticle=399694 False None APT 32 None

AlienVault Blog - AlienVault is a major defence player in IOCs The Upgraded AlienVault OTX API & Ways to Score Swag! improvements to the depth of data in OTX recently, which are now available via the free API tool. Some of the API functions now include:
Malware anti-virus and sandbox reports
A Whois API, including reverse whois and reverse SSL
View IP addresses that our telemetry indicates a specific network signature has fired on
The HTTP contents of a domain or URL, as well as finding all pages that link to it
Passive DNS history
Find malware samples that talk to a domain or IP
Retrieve malware samples by anti-virus detection
Lists of malicious URLs on domains
Download all indicators from users that you subscribe to
Find pulses based on the adversary, industry or keywords that interest you
What could you build?
This depth of data could be used for countless things, but here are a couple of examples the API could be used for:
Actor Tracking
Let’s say you want to get daily updates on an attacker that has targeted your sector before. With the new API, you will get a daily email on name servers they use, domain registration emails they use, and servers that have fired network alerts for their malware.
Malicious File Alerting
Another common task is when you want to know if files that pass your network or mail gateway (either at the MX or Inbox) are malicious. You can easily extract these files, then check them against OTX to see if they are malicious.
Examples
Our Python SDK page includes some simple examples of using the API, such as:
Storing a feed of malicious indicators on OTX
Telling if a Domain, IP, File hash or URL is malicious
2017-08-17T13:00:00+00:00 http://feeds.feedblitz.com/~/437689044/0/alienvault-blogs~The-Upgraded-AlienVault-OTX-API-amp-Ways-to-Score-Swag www.secnews.physaphae.fr/article.php?IdArticle=397846 False Cloud APT 37 None

Bleeping Computer - American Magazine North Korean Cyberspies Target US Defense Contractors Following Nuclear Threats 2017-08-16T16:55:51+00:00 https://www.bleepingcomputer.com/news/security/north-korean-cyberspies-target-us-defense-contractors-following-nuclear-threats/ www.secnews.physaphae.fr/article.php?IdArticle=397419 False Medical APT 38 None

AlienVault Blog - AlienVault is a major defence player in IOCs GlobeImposter Ransomware on the Rise Ah, the summer anthem. That quintessential song that defines summertime as much as hot nights, barbeques, and beach vacations. Whether it’s the Beach Boys’ “I Get Around” (1964), Springsteen’s “Dancing in the Dark” (1984), or Pearl Jam’s “Last Kiss” (1999), the summer anthem is transcendent, yet perfectly emblematic of its time. If InfoSec had a 2017 summer anthem, we might be hearing Taylor Swift or Drake singing about ransomware. Wouldn’t that be catchy?
That’s because global ransomware campaigns like WannaCry and NotPetya have largely defined the summer season this year, and now, there’s a new ransomware remix topping the charts—GlobeImposter 2.0. Originally detected in March 2017, GlobeImposter 2.0 targets Windows systems and is being distributed through malicious email attachments (MalSpam). In recent weeks, we’ve seen a surge in activity in the Open Threat Exchange (OTX) around GlobeImposter and its many variants. Thus, it’s important to understand how the ransomware initiates, spreads, and evades detection.
GlobeImposter Ransomware at a Glance
Distribution Method: Malicious email attachment (MalSpam)
Type: Trojan
Target: Windows systems
Variants: many (see below)
How GlobeImposter Works
The recent GlobeImposter attacks have largely been traced to MalSpam campaigns—emails carrying malicious attachments. In this case, the email messages appear to contain a .zip attachment of a payment receipt, which, in reality, contains a .vbs or .js malware downloader file. Sample email subject lines include:
Receipt#83396
Receipt 21426
Payment-421
Payment Receipt 222
Payment Receipt#97481
Payment Receipt_8812
Receipt-351
Payment Receipt_03950
Once the attachment is downloaded and opened, the downloader gets and runs the GlobeImposter ransomware. You can get a list of known malicious domains from the GlobeImposter OTX pulse here. Note that some of the known malicious domains are legitimate websites that have been compromised. Like other pieces of ransomware, GlobeImposter works to evade detection while encrypting your files. After encryption is complete, an HTML ransom note is dropped on the desktop and in the encrypted folders for the victim to find, including instructions for purchasing a decryptor. There are no known free decryptor tools available at this time. You can read a detailed analysis of a sample of GlobeImposter at the Fortinet blog, here, and at Malware Traffic Analysis, here.
GlobeImposter Variants on the Rise
What’s striking about the recent uptick in GlobeImposter ransomware activity is the near-daily release of new variants of the ransomware. Lawrence Abrams at BleepingComputer has a nice rundown of new GlobeImposter variants and file e […] 2017-08-16T13:00:00+00:00 http://feeds.feedblitz.com/~/435614526/0/alienvault-blogs~GlobeImposter-Ransomware-on-the-Rise www.secnews.physaphae.fr/article.php?IdArticle=397413 False None NotPetya,Wannacry,APT 32 None

SecurityWeek - Security News North Korea-Linked Hackers Target U.S. Defense Contractors 2017-08-14T14:51:02+00:00 http://feedproxy.google.com/~r/Securityweek/~3/JsFT31_Rs4U/north-korea-linked-hackers-target-us-defense-contractors www.secnews.physaphae.fr/article.php?IdArticle=396337 False None APT 38 None

SecurityWeek - Security News Iranian Cyberspy Groups Share Malware Code 2017-07-27T14:57:39+00:00 http://feedproxy.google.com/~r/Securityweek/~3/g4Fzgx6tzRM/iranian-cyberspy-groups-share-malware-code www.secnews.physaphae.fr/article.php?IdArticle=389831 False None APT 34 None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor APT Group Uses Catfish Technique To Ensnare Victims 2017-07-27T14:00:36+00:00 https://threatpost.com/apt-group-uses-catfish-technique-to-ensnare-victims/127028/ www.secnews.physaphae.fr/article.php?IdArticle=389949 False None APT 34 None

Palo Alto Network - Vendor Site OilRig uses ISMDoor variant; Possibly Linked to Greenbug Threat Group 2017-07-27T12:00:20+00:00 http://feedproxy.google.com/~r/PaloAltoNetworks/~3/H8uZ_XzXa30/ www.secnews.physaphae.fr/article.php?IdArticle=389740 False None APT 34 None

AlienVault Blog - AlienVault is a major defence player in IOCs Data Carving in Incident Response - Steps Toward Learning More Advanced DFIR Topics I started my career with only basic fundamental knowledge of information security.
However, applying the work ethic and desire to excel I learned in the Submarine Force, I set out to become the best information security professional that I could. My first job out of the Navy was not very technical. I realized this and enrolled for both online and in-person training. I took a UNIX and Linux class in person and that itself has taken me far. I use Linux or a UNIX variation often in my current role and have used it in my past two roles as well. I learned auditing as part of being a government employee, so that I could assess the security of systems to support them, attaining Certification & Accreditation (C&A; now known simply as Authorization in the federal space). I continued to push myself to learn technical concepts and refine my knowledge. After I left the federal government and came back to the same agency as a contractor, my former supervisor commented that I "was too technical to be a 'govvie'." As a UNIX administrator, I was able to unleash my theoretical knowledge and be at ground-zero for technology. I was involved with patching and remediation, system migrations from PA-RISC to Itanium, and modernization of the web experience. Over the course of a few years, I had already worked as an auditor, a systems engineer, and a Senior UNIX Administrator focused on security, and had completed my undergraduate and graduate degrees in Information Security as well. At this point, I wanted a change and wanted to be closer to family, so I accepted a job as Director of IT Security/ISSO in Atlanta. Background: 2013 to Mid-2017 When I started this job, I was afforded something I had never had before: freedom and latitude. I found that I could be as technical as I wanted to, as long as it didn't cost much. Over time, I learned how to administer Active Directory, Group Policy, McAfee ePO, Tenable Security Center, Gigamon, and Sourcefire. Prior to this role, I had only managed HP-UX and Red Hat servers. 
It felt like a knowledge explosion to have a chance to learn so many new things. As Director of IT Security and ISSO, I had to revisit my roots in Governance and Regulatory Compliance (GRC) in writing Policies and Procedures to meet federal and contractual requirements. Beyond this, I was able to build on my technical foundation and deploy, analyze, and maintain various technologies as well as participate in "Hack the Pentagon." This was a confidence booster and a challenge. I had no other security people to consult internally. I had to learn to make things work in an efficient and secure manner. As time went on, things changed with the contract, the management, and the team. Within three years, I had outgrown my position. There was no more opportunity for development or upward mobility and things were beginning to feel toxic. I felt like I was losing my passion for Infosec. Luckily, Sword & Shield came to my rescue. I began my 2017-06-29T13:00:00+00:00 http://feeds.feedblitz.com/~/379960878/0/alienvault-blogs~Data-Carving-in-Incident-Response-Steps-Toward-Learning-More-Advanced-DFIR-Topics www.secnews.physaphae.fr/article.php?IdArticle=379939 False None Wannacry,APT 32 None Palo Alto Network - Vendor Site Palo Alto Networks News of the Week – June 24, 2017 2017-06-24T11:00:10+00:00 http://feedproxy.google.com/~r/PaloAltoNetworks/~3/FTcTuoUZCng/ www.secnews.physaphae.fr/article.php?IdArticle=378293 True None APT 32 None Palo Alto Network - Vendor Site The New and Improved macOS Backdoor from OceanLotus 2017-06-22T17:00:15+00:00 http://feedproxy.google.com/~r/PaloAltoNetworks/~3/oF7sZQQ1oHU/ www.secnews.physaphae.fr/article.php?IdArticle=377772 False None APT 32 None We Live Security - ESET Antivirus Software Vendor WannaCryptor attack 'may have come from Lazarus group' 2017-06-21T11:47:47+00:00 http://feedproxy.google.com/~r/eset/blog/~3/JJb8vQVzPr4/ www.secnews.physaphae.fr/article.php?IdArticle=376944 False Medical Wannacry,APT 38 None
InformationSecurityBuzzNews - Security News Site Hidden Cobra And DeltaCharlie: An Explainer 2017-06-19T08:15:46+00:00 http://www.informationsecuritybuzz.com/study-research/hidden-cobra-deltacharlie-explainer/ www.secnews.physaphae.fr/article.php?IdArticle=375850 False Medical APT 38 None Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor Threatpost News Wrap, June 16, 2017 2017-06-16T16:00:31+00:00 https://threatpost.com/threatpost-news-wrap-june-16-2017/126332/ www.secnews.physaphae.fr/article.php?IdArticle=375739 False Medical APT 38 None InformationSecurityBuzzNews - Security News Site US Blames North Korean 'Hidden Cobra' Group For Cyber Attacks Since 2009 2017-06-14T17:55:58+00:00 http://www.informationsecuritybuzz.com/expert-comments/us-blames-north-korean-hidden-cobra-group-cyber-attacks-since-2009/ www.secnews.physaphae.fr/article.php?IdArticle=374391 False Medical APT 38 None Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor DHS, FBI Warn of North Korea 'Hidden Cobra' Strikes Against US Assets 2017-06-14T17:17:21+00:00 https://threatpost.com/dhs-fbi-warn-of-north-korea-hidden-cobra-strikes-against-us-assets/126263/ www.secnews.physaphae.fr/article.php?IdArticle=374251 False Medical APT 38 None TechRepublic - Security News US US indicts North Korea for host of cyberattacks, expects more to come 2017-06-14T14:22:31+00:00 http://www.techrepublic.com/article/us-indicts-north-korea-for-host-of-cyberattacks-expects-more-to-come/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=374186 False Medical APT 38 None SecurityWeek - Security News U.S.
Warns of North Korea's 'Hidden Cobra' Attacks 2017-06-14T10:44:45+00:00 http://feedproxy.google.com/~r/Securityweek/~3/uXZJuAMl5L4/us-warns-north-koreas-hidden-cobra-attacks www.secnews.physaphae.fr/article.php?IdArticle=373938 False Medical APT 38 None The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) US Warns of 'DeltaCharlie' – A North Korean DDoS Botnet Malware 2017-06-14T05:23:04+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/zQCuoN_v69E/north-korea-hacking-malware.html www.secnews.physaphae.fr/article.php?IdArticle=373927 False Medical APT 38 None TechRepublic - Security News US Video: North Korean hacking group has been hitting the US since 2009 2017-06-14T04:00:00+00:00 http://www.techrepublic.com/videos/video-north-korean-hacking-group-has-been-hitting-the-us-since-2009/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=374191 False Medical Wannacry,APT 38 4.0000000000000000 SANS Institute - SANS is a defense and training actor An Introduction to VolUtility, (Mon, Jun 12th) $ sudo apt-get update Install MongoDB: In this diary I am not going to discuss how to install MongoDB; for further details about $ git clone https://github.com/volatilityfoundation/volatility $ cd volatility $ sudo python setup.py install $ git clone https://github.com/kevthehermit/VolUtility Configuration In this diary I am going to use the default config file volutility.conf.sample $ ./manage.py runserver 0.0.0.0:8000 Enter a name for the session and the location of the memory image; for the profile you can either specify it or choose autodetect, then click on the submit button. You have to wait a few minutes until it finishes processing the image; once it has finished, the status will change to Complete. To examine the image click on the session name, in this diary it is SANS
ISC Now let And you can of course filter your result using tools such as MS Excel. [1] https://github.com/kevthehermit/VolUtility/wiki [1] https://digital-forensics.sans.org/community/downloads (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. 2017-06-12T19:07:51+00:00 https://isc.sans.edu/diary.html?storyid=22508&rss www.secnews.physaphae.fr/article.php?IdArticle=373310 False Cloud APT 37 None SANS Institute - SANS is a defense and training actor Analysis of Competing Hypotheses, WCry and Lazarus (ACH part 2), (Wed, May 31st) previous diary, I did a very brief introduction on what the ACH method is [1], so that now all readers, also those who had never seen it before, can have a common basic understanding of it. One more thing I have not mentioned yet is how the scores are calculated. There are three different algorithms: an Inconsistency Counting algorithm, a Weighted Inconsistency Counting algorithm, and a Normalized algorithm [2]. The Weighted Inconsistency Counting algorithm, the one used in today's examples, builds on the Inconsistency algorithm, but also factors in weights of credibility and relevance values. For each item of evidence, a consistency entry of I Today, I will apply ACH to a recent and well-known case: WCry attribution. There have been lots of analyses and speculations around it; lately several sources in the InfoSec community tied WCry strongly to Lazarus Group [3][4][5][6], while some others provided motivation for being skeptical about such attribution [7]. Therefore, it is a perfect case to show the use of ACH: several different hypotheses, facts, pieces of evidence and assumptions. Digital Shadows WCry ACH analysis About two weeks ago, Digital Shadows published a very well done post on ACH applied to WCry attribution [8].
Regarding possible attribution to Lazarus though, as stated in their post, "At the time of writing, however, we assessed there to be insufficient evidence to corroborate this claim of attribution to this group, and alternative hypotheses should be considered." Therefore, among the hypotheses considered, one specifically for Lazarus is missing, in place of a more generic nation state or state-affiliated actor. The following are the four different hypotheses considered by Digital Shadows: A sophisticated financially-motivated cybercriminal actor - H1 An unsophisticated financially-motivated cybercriminal actor - H2 A nation state or state-affiliated actor conducting a disruptive operation - H3 A nation state or state-affiliated actor aiming to discredit the National Security Agency (NSA) - H4 Given the final scores computed, they have assessed that "though by no means definitive, a WannaCry campaign launched by an unsophisticated cybercriminal actor was the most plausible scenario based on the information that is currently available." Just one note on my side: from my calculation it seems they have made a mistake, and the H2 score should be -2.121 rather than -1.414. This does not change the final result, but brings H2 and H3 way closer. My WCry ACH Analysis Although the Digital Shadows analysis was a very good one, I felt something was missing, both on the hypotheses side as well as on the evidence side. In particular, I would add three more hypotheses. When thinking about the NSA being the final target of this, other than "A nation state or state-affiliated actor aiming to discredit the NSA", I think that a (generic/unattributed) TA aiming at unveiling/exposing the extent of the possible NSA network of compromised machines (H5) should also be considered. This is something one would expect from a hacktivist maybe, although it seems to be way more sophisticated than what hacktivists have got us used to.
One difference from H4 could be the lack of a supporting media narrative. While someone who wants to discredit the NSA would be ready with a supporting media narrative, if the goal was simply to unveil and show everyone the potential extent of NSA-infected machines, the infection as it was would have been sufficient, given also the abundant media coverage it got. Although this may still be seen as too close to H4 to be a different hypothesis, I still do see a case for it. 2017-05-31T07:33:02+00:00 https://isc.sans.edu/diary.html?storyid=22470&rss www.secnews.physaphae.fr/article.php?IdArticle=369903 False Medical Wannacry,APT 38 None SecurityWeek - Security News Latest WannaCry Theory: Currency Manipulation The WannaCry outbreak is still a mystery. We know what (ransomware), and how (a Windows vulnerability on unsupported or unpatched systems); but we don't know who or why. We're not short of theories: Lazarus, North Korea, some other nation-state actor, Chinese or Russian actors -- but none of these has gained general acceptance. 2017-05-30T15:55:19+00:00 http://feedproxy.google.com/~r/Securityweek/~3/GMdVuTl-uko/latest-wannacry-theory-currency-manipulation www.secnews.physaphae.fr/article.php?IdArticle=369682 False None Wannacry,APT 38 None Bleeping Computer - American Magazine New Evidence Cements Theory That North Korea is Behind Lazarus Group 2017-05-30T14:00:19+00:00 https://www.bleepingcomputer.com/news/security/new-evidence-cements-theory-that-north-korea-is-behind-lazarus-group/ www.secnews.physaphae.fr/article.php?IdArticle=369722 False Medical APT 38 None The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
Linguistic Analysis Suggests WannaCry Hackers Could be From Southern China 2017-05-29T11:10:00+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/UUyO_atN2_Q/china-wannacry-ransomware.html www.secnews.physaphae.fr/article.php?IdArticle=369372 False Medical Wannacry,APT 38 None SecurityWeek - Security News How APT32 Hacked a Global Asian Firm With Persistence 2017-05-24T11:37:10+00:00 http://feedproxy.google.com/~r/Securityweek/~3/HWIBBzsHrbQ/how-apt32-hacked-global-asian-firm-persistence www.secnews.physaphae.fr/article.php?IdArticle=368108 False None APT 32 None SecurityWeek - Security News WannaCry 'Highly Likely' Work of North Korean-linked Hackers, Symantec Says 2017-05-23T11:11:31+00:00 http://feedproxy.google.com/~r/Securityweek/~3/yAGUejLV5zA/wannacry-highly-likely-work-north-korean-linked-hackers-symantec-says www.secnews.physaphae.fr/article.php?IdArticle=367682 False None Wannacry,APT 38 None IT Security Guru - Security Blog WannaCry connection to North Korea hacking group 'compelling' 2017-05-23T10:35:15+00:00 http://www.itsecurityguru.org/2017/05/23/wannacry-connection-north-korea-hacking-group-compelling/ www.secnews.physaphae.fr/article.php?IdArticle=367769 False None Wannacry,APT 38 2.0000000000000000 01net.
News - Security - French Magazine WannaCry: new clues point to North Korea 2017-05-23T08:30:40+00:00 http://www.01net.com/actualites/wannacry-de-nombreux-indices-pointent-vers-la-coree-du-nord-1169888.html www.secnews.physaphae.fr/article.php?IdArticle=367616 False None Wannacry,APT 38 None Symantec - Symantec WannaCry: Ransomware attacks show strong links to Lazarus group 2017-05-22T22:19:59+00:00 https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group www.secnews.physaphae.fr/article.php?IdArticle=367635 False None Wannacry,APT 38 None AlienVault Lab Blog - AlienVault is a major defense player in IOCs Diversity in Recent Mac Malware OSX/Dok and OSX.Proton.B. Dok malware made headlines due to its unique ability to intercept all web traffic, while Proton.B gained fame when attackers replaced legitimate versions of HandBrake with an infected version on the vendor’s download site. Another lower profile piece of Mac malware making the rounds is Mac.Backdoor.Systemd.1. Figure 1: Systemd pretending to be corrupted and un-runnable. There have been no public reports as to who is behind these attacks and only a little information about their targets. OSX/Dok is reported to have targeted European victims, while users of HandBrake were the victims of Proton.B. One corporate victim of Proton.B was Panic, Inc., which had its source code stolen and received a ransom demand from the attackers. Each of these malware variants is designed to take advantage of Macs, but analysis shows that they are actually drastically different from each other, showing just how diverse the Mac malware space has grown. Let’s dive into some of the technical details (but not too technical ;) of each piece of malware to learn more about what they do and how they work.
OSX/Dok OSX.Proton.B Mac.BackDoor.System.1 Functionality HTTP(S) proxy Credential theft (potentially other RAT functionality) Backdoor/RAT Language Objective-C (with heavy use of shell commands) Objective-C (with heavy use of shell commands) C++ (with a handful of shell commands) Persistence Launch Agent Launch Agent Launch Agent Launch Daemon Startup Item Uses chflags to make files read-only Distribution Phishing emails Compromised software download (presumably) Phishing Anti-Analysis None Anti-debugger (PT_DENY_ATTACH) Closes Terminal and Wireshark Windows None Binary Obfuscation Newer variants are packed with UPX Password protected zip archive Encrypted configuration file Encrypted configuration file XOR encrypted strings in binary Detection Avoidance Signed App bundle Installs trusted root certificate Modifies sudo settings to prevent prompting Checks for security software Infected legitimate software Use of “hidden” dot files Uses chflags to hide files from UI Use of “hidden” dot files C2 MiTM proxy (no separate C2) HTTPS Custom 3DES Functionality Dok is very basic in its functionality – it reconfigures a system to proxy web traffic through a malicious h 2017-05-19T19:00:00+00:00 http://feeds.feedblitz.com/~/326652608/0/alienvaultotx~Diversity-in-Recent-Mac-Malware www.secnews.physaphae.fr/article.php?IdArticle=367014 False None Wannacry,APT 32 None Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor Threatpost News Wrap, May 19, 2017 2017-05-19T13:00:19+00:00 https://threatpost.com/threatpost-news-wrap-may-19-2017/125796/ www.secnews.physaphae.fr/article.php?IdArticle=366984 False Medical Wannacry,APT 38 None The Security Ledger - Security Blog APT Inc.: Research Finds Ties Between Chinese Security Firm and Advanced Threat Group
2017-05-18T02:12:30+00:00 https://feeds.feedblitz.com/~/324578408/0/thesecurityledger~APT-Inc-Research-Finds-Ties-Between-Chinese-Security-Firm-and-Advanced-Threat-Group/ www.secnews.physaphae.fr/article.php?IdArticle=366383 False None Wannacry,APT 28,APT 3 None Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor APT3 Linked to Chinese Ministry of State Security 2017-05-17T18:52:54+00:00 https://threatpost.com/apt3-linked-to-chinese-ministry-of-state-security/125750/ www.secnews.physaphae.fr/article.php?IdArticle=366373 False None APT 3 None SecurityWeek - Security News APT3 Hackers Linked to Chinese Ministry of State Security 2017-05-17T13:03:55+00:00 http://feedproxy.google.com/~r/Securityweek/~3/uVrbvTpF93s/apt3-hackers-linked-chinese-ministry-state-security www.secnews.physaphae.fr/article.php?IdArticle=366262 False None APT 3 None UnderNews - French "pirate" news site Cyber espionage continues to proliferate: the APT32 threat to multinationals Cyber espionage actors, designated by FireEye as APT32 (OceanLotus Group), are actively carrying out intrusions into private companies across multiple industries, and have also targeted governments, dissidents and journalists. 2017-05-17T08:33:49+00:00 http://feedproxy.google.com/~r/undernews/oCmA/~3/8hhmiCKdhAs/le-cyber-espionnage-continue-a-proliferer-menace-dapt32-pour-les-multinationales.html www.secnews.physaphae.fr/article.php?IdArticle=366052 False None APT 32 None Bleeping Computer - American Magazine 3 Security Firms Say WannaCry Ransomware Shares Code with North Korean Malware 2017-05-17T06:50:12+00:00
https://www.bleepingcomputer.com/news/security/3-security-firms-say-wannacry-ransomware-shares-code-with-north-korean-malware/ www.secnews.physaphae.fr/article.php?IdArticle=366168 False Medical Wannacry,APT 38 None BAE - BAE Systems Threat Research WanaCrypt0r Ransomworm ANALYSIS: Initial Vector The initial infection vector is still unknown. Some reports of phishing emails have been dismissed by other researchers as relevant only to a different (unrelated) ransomware campaign, called Jaff. There is also a working theory that the initial compromise may have come from SMB shares exposed to the public internet. Results from Shodan show over 1.5 million devices with port 445 open – the attacker could have infected those shares directly. The Dropper/Worm The infection starts from a 3.6Mb executable file named mssecsvc.exe or lhdfrgui.exe. Depending on how it's executed, it can function as a dropper or as a worm. When run, the executable first checks if it can connect to the following URL: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com The connection is checked with the WinINet functions, shown below: qmemcpy(&szUrl, "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com", 57u); h1 = InternetOpenA(0, 2017-05-17T03:33:55+00:00 http://baesystemsai.blogspot.com/2017/05/wanacrypt0r-ransomworm.html www.secnews.physaphae.fr/article.php?IdArticle=365767 False Guideline,Medical Wannacry,APT 38 None Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor WannaCry Shares Code with Lazarus APT Samples 2017-05-16T15:45:50+00:00 https://threatpost.com/wannacry-shares-code-with-lazarus-apt-samples/125718/ www.secnews.physaphae.fr/article.php?IdArticle=365929 False None Wannacry,APT 38 None IT Security Guru - Security Blog WannaCry ransomware cyber-attack 'may have N Korea link' 2017-05-16T10:39:48+00:00 http://www.itsecurityguru.org/2017/05/16/wannacry-ransomware-cyber-attack-may-n-korea-link/
www.secnews.physaphae.fr/article.php?IdArticle=365710 False Medical Wannacry,APT 38 None 01net. News - Security - French Magazine North Korea is said to be behind the WannaCry attack 2017-05-16T08:01:19+00:00 http://www.01net.com/actualites/la-coree-du-nord-serait-derriere-l-attaque-wannacry-1165218.html www.secnews.physaphae.fr/article.php?IdArticle=365881 False None Wannacry,APT 38 5.0000000000000000 Mandiant - Mandiant Security Blog Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.
APT32 and FireEye's Community Response In the course of investigations into intrusions at several corporations with business interests in Vietnam 2017-05-14T17:00:00+00:00 https://www.mandiant.com/resources/blog/cyber-espionage-apt32 www.secnews.physaphae.fr/article.php?IdArticle=8377779 False Threat APT 32,APT 32 4.0000000000000000 Palo Alto Network - Vendor Site OilRig Actors Provide a Glimpse into Development and Testing Efforts 2017-04-27T20:00:32+00:00 http://feedproxy.google.com/~r/PaloAltoNetworks/~3/QVjjFOzsfnE/ www.secnews.physaphae.fr/article.php?IdArticle=359998 False None APT 34 None Dark Reading - Informationweek Branch Iranian Hackers Believed Behind Massive Attacks on Israeli Targets 2017-04-27T14:10:00+00:00 http://www.darkreading.com/endpoint/iranian-hackers-believed-behind-massive-attacks-on-israeli-targets/d/d-id/1328753?_mc=RSS_DR_EDT www.secnews.physaphae.fr/article.php?IdArticle=360049 False None APT 34 None Dark Reading - Informationweek Branch Matching Wits with a North Korea-Linked Hacking Group 2017-04-05T14:15:00+00:00 http://www.darkreading.com/attacks-breaches/matching-wits-with-a-north-korea-linked-hacking-group-/d/d-id/1328572?_mc=RSS_DR_EDT www.secnews.physaphae.fr/article.php?IdArticle=353863 False None APT 38 None Data Security Breach - French news site In Pursuit of "Lazarus" In Pursuit of "Lazarus" is published by Data Security Breach.
2017-04-04T22:20:41+00:00 http://www.datasecuritybreach.fr/lazarus/ www.secnews.physaphae.fr/article.php?IdArticle=353003 False None APT 38 None Network World - IT Magazine Kaspersky Lab reveals 'direct link' between banking heist hackers and North Korea banking heist hackers and North Korea. While Lazarus is a notorious cyber-espionage and sabotage group, a subgroup of Lazarus, called Bluenoroff by Kaspersky researchers, focuses only on financial attacks with the goal of “invisible theft without leaving a trace.” The group has four main types of targets: financial institutions, casinos, companies involved in the development of financial trade software and crypto-currency businesses. 2017-04-04T08:22:00+00:00 http://www.networkworld.com/article/3187548/security/kaspersky-lab-reveals-direct-link-between-banking-heist-hackers-and-north-korea.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=352653 False Medical APT 38 None Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor Security Analyst Summit 2017 Day One Recap 2017-04-03T22:53:52+00:00 https://threatpost.com/security-analyst-summit-2017-day-one-recap/124755/ www.secnews.physaphae.fr/article.php?IdArticle=352250 False None APT 38 None Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor Lazarus APT Spinoff Linked to Banking Hacks 2017-04-03T20:38:44+00:00 https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/ www.secnews.physaphae.fr/article.php?IdArticle=352251 False Medical APT 38 None ZD Net - IT Magazine Hackers responsible for $80M bank heist show 'no signs of stopping' 2017-04-03T18:33:00+00:00 http://www.zdnet.com/article/hackers-responsible-for-81m-bank-heist-show-no-signs-of-stopping/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=351654 False None APT 38 None Network World - IT Magazine Banking hackers left a clue that may link them to North
Korea $81 million theft from Bangladesh's central bank through the SWIFT transaction software. However, hackers working for the group recently made a mistake: They failed to wipe the logs from a server the group had hacked in Europe, security firm Kaspersky Lab said on Monday. 2017-04-03T16:33:01+00:00 http://www.networkworld.com/article/3187391/security/banking-hackers-left-a-clue-that-may-link-them-to-north-korea.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=351700 False Medical APT 38 None The State of Security - American Magazine Disttrack Malware Distribution Suggests Link between Shamoon 2 and Magic Hound 2017-03-31T03:00:53+00:00 https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/disttrack-malware-distribution-suggests-link-shamoon-2-magic-hound/ www.secnews.physaphae.fr/article.php?IdArticle=349730 False None APT 35 None Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor Microsoft Offers Analysis of Zero-Day Exploited By Zirconium Group 2017-03-28T21:12:08+00:00 https://threatpost.com/microsoft-offers-analysis-of-zero-day-being-exploited-by-zirconium-group/124600/ www.secnews.physaphae.fr/article.php?IdArticle=348438 False None APT 31 None Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor New Clues Surface on Shamoon 2's Destructive Behavior 2017-03-27T20:51:22+00:00 https://threatpost.com/new-clues-surface-on-shamoon-2s-destructive-behavior/124587/ www.secnews.physaphae.fr/article.php?IdArticle=347685 False Conference APT 35 None Bleeping Computer - American Magazine Microsoft Quietly Patched Windows Zero-Day Used in Attacks by Zirconium Group 2017-03-27T16:55:51+00:00 https://www.bleepingcomputer.com/news/security/microsoft-quietly-patched-windows-zero-day-used-in-attacks-by-zirconium-group/ www.secnews.physaphae.fr/article.php?IdArticle=347622 False None APT 31 None UncommonSenseSecurity
- Blog Uncommon Sense Security I thought everyone knew this by now In a world where most of us face a constant threat from phishing we need to better educate folks, and we need to make it easier to be secure. And since the latter isn't that easy, we need to teach better. Also, “don't click stuff” really defeats the point of the web, so while I understand the sentiment, it is not practical advice. The padlock can mean a variety of things, but what it really signifies is that your web traffic is encrypted. It does not mean that all of the traffic on the page is encrypted, or that it is encrypted well. It also doesn't assure you that the traffic isn't being decrypted, inspected, and re-encrypted. Or maybe it isn't encrypted at all and someone just used a padlock as a favicon on the website (this varies somewhat by web browser). The padlock doesn't prove the identity of the site owner unless it is an EV (extended validation) certificate, and even then the validation is imperfect. When we just say “look for the padlock” we are giving people bad information and a false sense of security. It makes us less secure, so we need to kill this message. Even though it isn't entirely true, if we are going to oversimplify this I think we're better off telling folks that the padlock doesn't mean a damn thing anymore, if it ever did. While we're on the subject of browsers, you know the average computer user is just trying to do something, so the warnings they see are mentally translated to “just keep clicking until we let you go where you want”. I did find a few things which made me think of typical browser warnings: BrowserWarning This means it's OK to trespass up to this point, but no further? Is that like this website is unsafe? No, because if you look around this sign you can see the end of the pier is missing; if you click past the browser warning you will not fall into the ocean. And this, you know what it means, but what does it say?
That's right, it says don't P on the grass. Just because you know what something means does not mean you can assume others do; we need to do a better job of explaining things. Reminding folks of the invention of indoor plumbing when what you want is to keep cars off the grass sounds like a browser warning to me. 2017-03-24T13:21:06+00:00 http://blog.uncommonsensesecurity.com/2017/03/i-thought-everyone-knew-this-by-now.html www.secnews.physaphae.fr/article.php?IdArticle=360975 False None APT 32 None Dark Reading - Informationweek Branch Report: 'OilRig' Attacks Expanding Across Industries, Geographies 2017-03-21T10:00:00+00:00 http://www.darkreading.com/threat-intelligence/report-oilrig-attacks-expanding-across-industries-geographies/a/d-id/1328443?_mc=RSS_DR_EDT www.secnews.physaphae.fr/article.php?IdArticle=341878 False None APT 34 None Dark Reading - Informationweek Branch North Korea's 'Lazarus' Likely Behind New Wave of Cyberattacks 2017-03-17T14:10:00+00:00 http://www.darkreading.com/attacks-breaches/north-koreas-lazarus-likely-behind-new-wave-of-cyberattacks/d/d-id/1328429?_mc=RSS_DR_EDT www.secnews.physaphae.fr/article.php?IdArticle=340509 False None APT 38 None Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor Destructive StoneDrill Wiper Malware On The Loose 2017-03-06T19:27:49+00:00 https://threatpost.com/destructive-stonedrill-wiper-malware-on-the-loose/124090/ www.secnews.physaphae.fr/article.php?IdArticle=329570 False Conference APT 35 None BAE - BAE Systems Threat Research Lazarus & Watering-hole attacks article that detailed a series of attacks directed at Polish financial institutions. The article is brief, but states that "This is – by far – the most serious information security incident we have seen in Poland" followed by a claim that over 20 commercial banks had been confirmed as victims. This report provides an outline of the attacks based on what was shared in the article, and our own additional findings.
ANALYSIS
As stated in the blog, the attacks are suspected of originating from the website of the Polish Financial Supervision Authority (knf.gov[.]pl), shown below. From at least 2016-10-07 to late January the website code had been modified to cause visitors to download malicious JavaScript files from the following locations:
hxxp://sap.misapor[.]ch/vishop/view.jsp?pagenum=1
hxxps://www.eye-watch[.]in/design/fancybox/Pnf.action
Both of these appear to be compromised domains, given that they also host legitimate content and have done so for some time. The malicious JavaScript leads to the download of malware to the victim's device. Some hashes of the backdoor have been provided in BadCyber's technical analysis:
85d316590edfb4212049c4490db08c4b
c1364bbf63b3617b25b58209e4529d8c
1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae
The C&Cs given in the BadCyber analysis were the following IP addresses:
125.214.195.17
196.29.166.218
LAZARUS MALWARE
Only one of the samples referenced by BadCyber is available in public malware repositories. At the moment we cannot verify that it originated from the watering-hole on the KNF website, but we have no reason to doubt this either.
MD5 hash | Filename | File Info | First seen
2017-03-06T12:13:22+00:00 http://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html www.secnews.physaphae.fr/article.php?IdArticle=352308 False Guideline,Medical APT 38 None

BAE - BAE Systelm Threat Research Lazarus' False Flag Malware
We continue to investigate the recent wave of attacks on banks using watering-holes on at least two financial regulator websites as well as others. Our initial analysis of malware disclosed in the BadCyber blog hinted at the involvement of the 'Lazarus' threat actor. Since the release of our report, more samples have come to light, most notably those described in the Polish language niebezpiecznik.pl blog on 7 February 2017.
MD5 hash                          | Filename       | Compile Time | File Info | Submitted
9216b29114fb6713ef228370cbfe4045  | srservice.chm  | N/A          | N/A       | N/A
8e32fccd70cec634d13795bcb1da85ff  | srservice.hlp  | N/A          | N/A       | N/A
e29fe3c181ac9ddb
2017-03-06T12:13:03+00:00 http://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html www.secnews.physaphae.fr/article.php?IdArticle=352307 False Guideline,Medical APT 38 None

Graham Cluley - Blog Security Smashing Security #009: False flags and hacker clues
Smashing Security #009: Fake flags and hacker clues. The Lazarus malware attempts to trick you into believing it was written by Russians, second-hand connected cars may be easier to steal, and is your child a malicious hacker? All this and more is discussed in the latest podcast by computer security veterans Graham Cluley, Vanja Svajcer and Carole Theriault. Oh, and Carole gets Graham and Vanja to apologise for mistakes of their past...
2017-02-23T14:30:47+00:00 https://www.grahamcluley.com/smashing-security-009-false-flags-hacker-clues/ www.secnews.physaphae.fr/article.php?IdArticle=321852 False None APT 38 None

SecurityWeek - Security News Russian Words Used as Decoy in Lazarus-Linked Bank Attacks
2017-02-20T18:31:49+00:00 http://feedproxy.google.com/~r/Securityweek/~3/VD3SAA9Wp54/russian-words-used-decoy-lazarus-linked-bank-attacks www.secnews.physaphae.fr/article.php?IdArticle=318739 False None APT 38 None

Infosec Island - Security Magazine DigitalOcean Launches Public Bug Bounty Program
2017-02-17T11:01:37+00:00 https://www.infosecisland.com/blogview/24888-DigitalOcean-Launches-Public-Bug-Bounty-Program.html www.secnews.physaphae.fr/article.php?IdArticle=317946 False None APT 32 None

SecurityWeek - Security News Iranian Spies Target Saudi Arabia in "Magic Hound" Attacks
A cyber espionage operation linked to Iran and the recent Shamoon 2 attacks has targeted several organizations in the Middle East, particularly in Saudi Arabia.
2017-02-16T12:27:22+00:00 http://feedproxy.google.com/~r/Securityweek/~3/pFJkb6i3h-s/iranian-spies-target-saudi-arabia-magic-hound-attacks www.secnews.physaphae.fr/article.php?IdArticle=316562 False None APT 35 None
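The two BAE items above (Lazarus & Watering-hole attacks, Lazarus' False Flag Malware) describe a watering hole in which a regulator's own site was modified to pull JavaScript from two compromised third-party hosts, with C&C on two IP addresses. The script below is an added example, not code from BAE, BadCyber or this feed, showing the two checks a defender would run on that description: sweep a site's HTML for <script src> tags that point off-site, and sweep proxy logs for the listed hosts and IPs. The indicator values are the ones quoted in the BAE item (refanged); the HTML page, the proxy lines and their "timestamp client method url status" format are constructed for the example, since the actual injection on knf.gov.pl is not shown. Both domains were legitimate sites that had been compromised and the indicators date from early 2017, so a hit is a lead to triage, not proof of infection.

```python
"""Added example (not from the BAE post): flag injected off-site <script src>
tags in a page, and match proxy log lines against the watering-hole
indicators the post lists.  Sample HTML and log lines are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators quoted from the BAE / BadCyber write-up, refanged for matching.
IOC_HOSTS = {"sap.misapor.ch", "www.eye-watch.in"}
IOC_IPS = {"125.214.195.17", "196.29.166.218"}


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_external_scripts(html, site_host):
    """Return script URLs whose host is neither site_host nor a subdomain of it.

    Relative URLs (no host) are same-origin and are not reported; absolute and
    protocol-relative ('//host/...') URLs pointing elsewhere are."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    external = []
    for src in collector.srcs:
        host = urlsplit(src).hostname
        if host is None:
            continue
        host = host.lower()
        if host == site_host or host.endswith("." + site_host):
            continue
        external.append(src)
    return external


# Constructed log format (an assumption): "<timestamp> <client-ip> <method> <url> <status>".
_LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def match_iocs(log_lines, ioc_hosts=IOC_HOSTS, ioc_ips=IOC_IPS):
    """Return (client_ip, url, reason) for each line whose request host is an
    IOC hostname or a literal IOC IP address; unparsable lines are skipped."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue
        client, url = m.group(2), m.group(4)
        host = (urlsplit(url).hostname or "").lower()
        if host in ioc_hosts:
            hits.append((client, url, "ioc-host"))
        elif host in ioc_ips:
            hits.append((client, url, "ioc-ip"))
    return hits


# Constructed page for a site whose own host is knf.gov.pl: two legitimate
# script tags plus two that mimic the loaders described in the post.
SAMPLE_HTML = """<html><head>
<script src="/js/jquery.min.js"></script>
<script src="https://static.knf.gov.pl/site.js"></script>
<script type="text/javascript" src="https://www.eye-watch.in/design/fancybox/Pnf.action"></script>
</head><body><p>Komunikat</p>
<script src="//sap.misapor.ch/vishop/view.jsp?pagenum=1"></script>
</body></html>"""

# Constructed proxy lines in the format above.
SAMPLE_LOG = [
    "2017-01-20T09:12:01Z 10.1.4.22 GET https://www.knf.gov.pl/ 200",
    "2017-01-20T09:12:02Z 10.1.4.22 GET https://www.eye-watch.in/design/fancybox/Pnf.action 200",
    "2017-01-20T09:12:03Z 10.1.4.22 GET http://sap.misapor.ch/vishop/view.jsp?pagenum=1 200",
    "2017-01-20T09:12:09Z 10.1.4.22 POST http://125.214.195.17/ 200",
    "2017-01-20T09:13:00Z 10.1.7.9 GET https://www.google.com/ 200",
    "garbage line that does not parse",
]


def run_sample():
    """Run both checks over the constructed inputs and return the findings."""
    return {
        "external_scripts": find_external_scripts(SAMPLE_HTML, "knf.gov.pl"),
        "ioc_hits": match_iocs(SAMPLE_LOG),
    }


if __name__ == "__main__":
    for key, findings in run_sample().items():
        print(key)
        for item in findings:
            print("  ", item)
```

The external-script check is the one a site owner runs against their own pages: on the constructed page it reports the two off-site loaders and ignores the relative and same-domain scripts. The log check is the one a bank's SOC runs against egress logs; it matches on the request host rather than substring-searching the line, so a URL that merely mentions an indicator in its path or query is not a hit.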