www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. It's a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2025-05-11T03:31:19+00:00 www.secnews.physaphae.fr

Palo Alto Network - Vendor Site: Magic Hound Campaign Attacks Saudi Targets 2017-02-16T05:16:26+00:00 http://feedproxy.google.com/~r/PaloAltoNetworks/~3/4iN57D5SvTY/ www.secnews.physaphae.fr/article.php?IdArticle=316029 False Conference APT 35 None

Graham Cluley - Security Blog: Lazarus mob possibly behind malware attacks against Polish banks. A hacking gang known as the Lazarus Group might be responsible for malware attacks that have targeted Polish banks and other financial organizations. David Bisson reports. 2017-02-13T20:39:54+00:00 https://www.grahamcluley.com/lazarus-gang-possibly-behind-malware-attacks-polish-banks/ www.secnews.physaphae.fr/article.php?IdArticle=313179 False Medical APT 38 None

SecurityWeek - Security News: Malware Attacks on Polish Banks Linked to Lazarus Group 2017-02-13T11:07:38+00:00 http://feedproxy.google.com/~r/Securityweek/~3/B9TsJ3jJRHo/malware-attacks-polish-banks-linked-lazarus-group www.secnews.physaphae.fr/article.php?IdArticle=312283 False None APT 38 None

Network World - IT Magazine: Recent malware attacks on Polish banks tied to wider hacking campaign
the recently discovered Polish attack to similar attacks that have taken place since October in other countries. There are also similarities to tools previously used by a group of attackers known in the security industry as Lazarus. The hackers compromised websites that were of interest to their ultimate targets, a technique known as watering hole attacks.
They then injected code into them that redirected visitors to a custom exploit kit. 2017-02-13T09:11:13+00:00 http://www.networkworld.com/article/3169409/security/recent-malware-attacks-on-polish-banks-tied-to-wider-hacking-campaign.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=312521 False None APT 38 None

SANS Institute - SANS is a defense and training organization: Cloud Metadata Urls, (Wed, Feb 8th)
contact form. Most cloud providers offer metadata using private URLs. Those URLs are used to retrieve metadata for the current configuration of the instance and to pass userdata. The configuration contains data like security groups, public IP addresses, private addresses, configured public keys and even rotating secret keys. The userdata can contain anything: initialization scripts, variables, passwords, etc. The metadata URLs vary per cloud provider; I've written a few down together with their metadata URL and a link to the documentation.
Google: http://169.254.169.254/computeMetadata/v1/ - https://cloud.google.com/compute/docs/storing-retrieving-metadata
Amazon: http://169.254.169.254/latest/meta-data/hostname - http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
Openstack: http://169.254.169.254/2009-04-04/meta-data/instance-id - https://blogs.vmware.com/openstack/introducing-the-metadata-service/
Dreamhost: http://169.254.169.254/metadata/v1/hostname - https://developers.digitalocean.com/documentation/metadata/
Azure: http://169.254.169.254/metadata/v1/maintenance
The configuration and userdata are used by scripts, automated tasks and applications, but the danger is that they can be abused to leak information about the current instance: information an attacker needs to elevate privileges or move laterally. This information can contain usernames, passwords, configuration, keys or scripts.
When your application accepts remote URLs as data, like a proxy server, a VPN server or a web application (think about WordPress plugins for embedding remote content, web screenshotting applications and many more), you need to be sure the metadata URL is not accessible. If you install a default Squid proxy, for example, just executing this command:
$ http_proxy=proxy:3128 curl http://169.254.169.254/latest/dynamic/instance-identity/document
{
  "devpayProductCodes" : null,
  "privateIp" : "172.31.9.215",
  "availabilityZone" : "eu-west-1c",
  "version" : "2010-08-31",
  "region" : "eu-west-1",
  "instanceId" : "i-*****",
  "billingProducts" : null,
  "pendingTime" : "2017-02-03T20:21:11Z",
  "instanceType" : "m3.medium",
  "accountId" : "*****",
  "architecture" : "x86_64",
  "kernelId" : null,
  "ramdiskId" : null,
  "imageId" : "ami-e31bab90"
}
This will return all the metadata of the proxy server. Either way, the metadata contains information you don't want to disclose. You'll be safe when the private IP has been blocked, but this is not always possible (in the case of the rotating secret keys, for example). Blocking the requests can be done using good old iptables:
$ iptables -A OUTPUT -m owner !
2017-02-08T19:32:39+00:00 https://isc.sans.edu/diary.html?storyid=22046&rss www.secnews.physaphae.fr/article.php?IdArticle=309905 False None APT 32 None

SecurityWeek - Security News: Iranian Group Delivers Malware via Fake Oxford University Sites 2017-01-06T14:49:11+00:00 http://feedproxy.google.com/~r/Securityweek/~3/c5geNB9jXs0/iranian-group-delivers-malware-fake-oxford-university-sites www.secnews.physaphae.fr/article.php?IdArticle=287214 False None APT 34 None

AlienVault Blog - AlienVault is a major defense player in IOCs: Top 12 AlienVault Blogs of 2016
subscribe to our blog to ensure you get all the new goodies either daily or as a weekly summary in your inbox.
Without further ado, following are the top 12 AlienVault blogs of 2016:
Building a Home Lab to Become a Malware Hunter - A Beginner’s Guide - The top blog of 2016 was written by @sudosev and explains how he set up his own home malware lab.
How Penetration Testers Use Google Hacking - Jayme Hancock describes how to do Google hacking / dorking cleverly as a pen tester. It even includes a helpful "cheat sheet".
Security Issues of WiFi - How it Works - Everyone loves WiFi, but Joe Gray explains how WiFi works and describes the many security issues and nuances associated with WiFi.
Reverse Engineering Malware - In this blog, I interview some members of our AlienVault Labs team to learn how they reverse engineer malware when they're doing security research. The team describes several approaches and tools to use in analyzing malware samples.
The Mirai Botnet, Tip of the IoT Iceberg - Javvad Malik talks about IoT security challenges in general, and focuses on the Mirai botnet, which targeted XiongMai Technologies IoT equipment in a recent attack.
Web Application Security: Methods and Best Practices - The OWASP Top 10 and web application security testing are covered in this educational blog by Garrett Gross.
Common Types of Malware, 2016 Update - Lauren Barraco outlines the different categories of malware and highlights what's new in 2016.
PowerWare or PoshCoder? Comparison and Decryption - Peter Ewane of the Labs team talks about his research into PowerShell vulnerabilities and exploits. He focuses on PowerWare, which seems to be heavily based on PoshCoder.
Can You Explain Encryption to Me? - In this blog by Javvad Malik, he describes encryption to his boss in a hilarious exchange of notes. Javvad then outlines the basics of encryption in a very understandable way.
OceanLotus for OS X – an Application Bundl 2017-01-03T14:00:00+00:00 http://feeds.feedblitz.com/~/252664318/0/alienvault-blogs~Top-AlienVault-Blogs-of www.secnews.physaphae.fr/article.php?IdArticle=284657 False Medical APT 38,APT 32 None

Dark Reading - Informationweek Branch: China Cybersecurity Firm Linked With Country's Intel Agency For Espionage 2016-11-30T22:05:00+00:00 http://www.darkreading.com/vulnerabilities---threats/china-cybersecurity-firm-linked-with-countrys-intel-agency-for-espionage/d/d-id/1327593?_mc=RSS_DR_EDT www.secnews.physaphae.fr/article.php?IdArticle=264264 False None APT 3 None

SANS Institute - SANS is a defense and training organization: Example of Getting Analysts & Researchers Away, (Wed, Nov 16th)
The file zz.php is less interesting, it's a simple PHP mailer. The dbl directory contains interesting pages that provide a fake
In this case, attackers made another mistake: the source code of the phishing site was left on the server in the dbl.zip file. Once downloaded and analyzed, it revealed a classic attack trying to lure visitors and collect credentials. Note that the attacker was identified via his gmail.com address present in the scripts. But the most interesting file is called blocker.php:
    ...include("blocker.php")...
Let's have a look at this file. It performs several checks based on the visitor's details (IP and browser). First of all, it performs a reverse lookup of the visitor's IP address and looks for blocked words in the hostname:
    $hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    $blocked_words = array("above", "google", "softlayer", "amazonaws", "cyveillance", "phishtank", "dreamhost", "netpilot", "calyxinstitute", "tor-exit", "paypal");
    foreach ($blocked_words as $word) {
        if (substr_count($hostname, $word) > 0) {
            header("HTTP/1.0 404 Not Found");
        }
    }
Next, the visitor's IP address is checked against a list of banned networks ($bannedIP):
    if (in_array($_SERVER['REMOTE_ADDR'], $bannedIP)) {
        header("HTTP/1.0 404 Not Found");
    } else {
        foreach ($bannedIP as $ip) {
            if (preg_match('/' . $ip . '/', $_SERVER['REMOTE_ADDR'])) {
                header("HTTP/1.0 404 Not Found");
            }
        }
    }
Here is the list of the more relevant banned networks: Google, Digital Ocean, Cogent, Internet Systems Consortium, Amazon, Datapipe, DoD Network Information Center, Omnico.
Finally, the User-Agent is checked:
    if (strpos($_SERVER['HTTP_USER_AGENT'], "google") or
        strpos($_SERVER['HTTP_USER_AGENT'], "msnbot") or
        strpos($_SERVER['HTTP_USER_AGENT'], "Yahoo! Slurp") or
        strpos($_SERVER['HTTP_USER_AGENT'], "YahooSeeker") or
        strpos($_SERVER['HTTP_USER_AGENT'], "Googlebot") or
        strpos($_SERVER['HTTP_USER_AGENT'], "bingbot") or
        strpos($_SERVER['HTTP_USER_AGENT'], "crawler") or
        strpos($_SERVER['HTTP_USER_AGENT'], "PycURL") or
        strpos($_SERVER['HTTP_USER_AGENT'], "facebookexternalhit") !== false) {
        header("HTTP/1.0 404 Not Found");
    }
Surprisingly, this last check does not cover the User-Agents of common tools such as:
    Wget/1.13.4 (linux-gnu)
    curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    python-requests/2.9.1
    Python-urllib/2.7
    Java/1.8.0_111
    ...
Many ranges of IP addresses belong to hosting companies. Many researchers use VPS and servers located there, that's why they are banned. In the same way, the interesting targets for the phishing page are residential customers of the bank, connected via the classic big ISPs. Conclusion: if you are hunting for malicious code / sites, use an anonymous IP address (a residential DSL line or cable is best) and be sure to use the right User-Agents to mimic classic targets. Xavier Mertens (@xme) ISC Handler - Freelance Security Consultant PGP Key (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. 2016-11-17T07:14:56+00:00 https://isc.sans.edu/diary.html?storyid=21721&rss www.secnews.physaphae.fr/article.php?IdArticle=255710 False None Yahoo,APT 32 None

Network World - IT Magazine: IDG Contributor Network: A night to remember: Engineering lessons from the Titanic
RMS Titanic was discovered resting on the ocean floor. The legend of its sinking has been retold many times in books and movies.
One compelling aspect of the story is the safety claims made by its creators. Even as reports of the disaster began to filter into New York, the vice president of the White Star Line stated, without qualification, “We place absolute confidence in the Titanic. We believe that the boat is unsinkable.” Obviously reality betrayed those maritime engineers' confidence. What lessons might this famous disaster teach engineers in modern data centers? In particular, how do we prevent hostile attacks, the “icebergs” that lurk on the seas we sail, from causing catastrophic breaches? 2016-10-12T08:31:00+00:00 http://www.networkworld.com/article/3129246/security/a-night-to-remember-engineering-lessons-from-the-titanic.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=193831 False None APT 32 None

Palo Alto Network - Vendor Site: Palo Alto Networks News of the Week – October 8, 2016 2016-10-08T11:00:23+00:00 http://feedproxy.google.com/~r/PaloAltoNetworks/~3/9iWYHiVvjJs/ www.secnews.physaphae.fr/article.php?IdArticle=179347 False None APT 34 None

SC Magazine - Magazine: Oil 'slick': Sneaky OilRig malware campaign flows into new territory 2016-10-05T18:17:24+00:00 http://feedproxy.google.com/~r/SCMagazineHome/~3/cA9rZ_Ox9pk/ www.secnews.physaphae.fr/article.php?IdArticle=168505 False None APT 34 None

Palo Alto Network - Vendor Site: OilRig Malware Campaign Updates Toolset and Expands Targets 2016-10-04T20:10:16+00:00 http://feedproxy.google.com/~r/PaloAltoNetworks/~3/11Tx5xN2o8U/ www.secnews.physaphae.fr/article.php?IdArticle=163572 False None APT 34 None

CSO - CSO Daily Dashboard: IDG Contributor Network: Treasures attackers look for in the sea of email 2016-09-30T09:07:00+00:00 http://www.csoonline.com/article/3126258/leadership-management/treasures-attackers-look-for-in-the-sea-of-email.html#tk.rss_all
www.secnews.physaphae.fr/article.php?IdArticle=148677 False Guideline APT 32 None

SecurityWeek - Security News: China-Linked APT3 Group Focuses Attacks on Hong Kong 2016-09-07T08:33:35+00:00 http://feedproxy.google.com/~r/Securityweek/~3/kUrlui6wIho/china-linked-apt3-group-focuses-attacks-hong-kong www.secnews.physaphae.fr/article.php?IdArticle=25118 False None APT 3 None

Symantec - Symantec: Buckeye cyberespionage group shifts gaze from US to Hong Kong 2016-09-06T13:21:27+00:00 http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong www.secnews.physaphae.fr/article.php?IdArticle=20949 False None APT 3 None

@Team Cymru - Twitter Feed: TEAM CYMRU: Floating Domains - Taking Over 20K DigitalOcean Domain Names via a Lax Domain Import System http://bit.ly/2bDCPcv pic.twitter.com/uELSfrHeVR 2016-08-27T03:54:01+00:00 https://twitter.com/teamcymru/status/769352235952304128 www.secnews.physaphae.fr/article.php?IdArticle=9069 False None APT 32 None

AlienVault Blog - AlienVault is a major defense player in IOCs: OnionDog – An Example of a Regional, Targeted Attack
360 SkyEye Labs published a detailed analysis of the OnionDog APT earlier this year, and during the dog-days of Summer (see what I did there?) it seems appropriate to revisit this malware. OnionDog has been around for several years and exploits a vulnerability in Hangul office software, which is a popular Korean-language productivity suite. Hangul software is also widely deployed in South Korean Government agencies and facilities. The group behind OnionDog is the Lazarus Group, exposed by AlienVault and other threat intelligence teams as part of Operation Blockbuster for its targeting of Sony Pictures and a range of other targets.
How it Works
OnionDog used various techniques to entice victims to open the malicious attachment.
The attachments targeted a range of government agencies and utilities, such as power, water, ports, transit, and rail, to lure its victims (see the screenshot of the ‘Investigation Report of the Korean Railway Accident’ below).
[Screenshot: Investigation Report of the Korean Railway Accident. Source: 360 SkyEye Labs]
The malware installs a back door on the compromised system, collects and forwards information about the compromised systems to the C&C server, as well as infecting any device attached to the USB drive.
Impact on you
The regional nature of OnionDog will likely limit your exposure to this particular version of the threat if you’re not located in South Korea. However, if there is a user of Hangul software on your network, or if someone in your office may have visited an office that uses Hangul software and plugged a device into a compromised system, you may be at risk of data loss. And although this version of the malware is localized to South Korea, the Lazarus Group could easily choose another popular application to target specific organizations in other countries.
How AlienVault Helps
The AlienVault® Unified Security Management (USM)™ platform delivers the essential security capabilities that organizations of all sizes need to detect, prioritize, and respond to threats like OnionDog. The AlienVault Labs team regularly updates the rulesets that drive the threat detection and response capabilities of the AlienVault USM platform, to keep you up to date with new and evolving threats such as OnionDog. The Labs team performs the threat research on the latest threats, and on how to detect and respond to them, that most IT teams simply don’t have the expertise, time, budget, or tools to do themselves. The Labs team recently updated the USM platform’s ability to detect this new threat by adding IDS signatures to detect the malicious traffic and a correlation directive to link events from across a network that indicate a system compromised by OnionDog.
Learn more about the 2016-08-09T13:00:00+00:00 http://feeds.feedblitz.com/~/176703272/0/alienvault-blogs~OnionDog-%e2%80%93-An-Example-of-a-Regional-Targeted-Attack www.secnews.physaphae.fr/article.php?IdArticle=7188 False Medical APT 38 None

@DarkReading - Twitter feed: Dan Kaminsky (@dakami) will present the #BHUSA 2016 Keynote on Wednesday, August 3 at 09:00 in Oceanside Ballroom http://ow.ly/CnmE302wu9Q 2016-07-25T16:05:22+00:00 https://twitter.com/BlackHatEvents/status/757592587171688448 www.secnews.physaphae.fr/article.php?IdArticle=4676 False None APT 32 None

SANS Institute - SANS is a defense and training organization: Guest Diary, Etay Nir: Flipping the Economy of a Hacker, (Wed, Jul 20th)
http://media.paloaltonetworks.com/lp/ponemon/report.html and http://www.ponemon.org/library/flipping-the-economics-of-attacks
There are clear highlights that I believe can influence your understanding of attackers, and influence your ability to defend yourself from them:
The majority of attackers (72 percent) were opportunistic, not wasting time on efforts that do not quickly yield high-value information. While advanced nation state actors employ lots of planning, think about the average attacker as the mugger on the street, versus the Ocean's Eleven crew that spends weeks planning a complicated high-stakes heist. When put into this context, organizations that prioritize making themselves a harder target will actively deter a significant amount of potential breaches.
There is a common notion that they are in for a big payday. This is really the exception rather than the rule, with average annual earnings from malicious activity totaling less than $30,000, which is a quarter of a cybersecurity professional's average yearly wage.
This limited earning power becomes even less attractive when you consider the added legal risks, including fines and jail time.
Time is the defining factor to change the adversary's arithmetic. As network defenders, the more we delay adversaries, the more resources they will waste, and the higher their cost will be. We found that increasing the time it takes to break into and carry out successful attacks by less than 2 days (40 hours) will deter the vast majority of attacks.
Finally, it is all about how you protect yourself. Because attackers are so opportunistic, and their time is so valuable, we can change the attack equation with next-generation security approaches. We found that organizations rated as having excellent security took twice as long to breach when compared to those rated as typical. Putting the right security in place makes all the difference.
To understand how to influence an attacker's economic motivation, we must consider what I call the adversary arithmetic, which boils down to the cost of an attack versus the potential outcome of a successful data breach. If malicious actors are putting in more resources than they are getting out, or we decrease their profit, being an attacker becomes much less attractive. What we have seen is simple: more malware and exploits, more effective toolkits, combined with cheaper computing power, have lowered the barrier to entry for an attack, and resulted in the increase in attacks we covered in the last slide.
Using the survey findings as a guideline, let's walk through what we can do to reverse this trend.
It is a random mugging, not a 2016-07-20T18:09:11+00:00 https://isc.sans.edu/diary.html?storyid=21283&rss www.secnews.physaphae.fr/article.php?IdArticle=4450 False None APT 32 None

AlienVault Lab Blog - AlienVault is a major defense player in IOCs: Reverse Engineering Malware
The AlienVault Labs team does a lot of malware analysis as a part of their security research.
I interviewed a couple of members of our Labs team, including Patrick Snyder, Eddie Lee, Peter Ewane and Krishna Kona, to learn more about how they do it. Here are some of the approaches, tools and techniques they use for reverse engineering malware, which may be helpful to you in your own malware hunting endeavors. Please watch the webcast they did recently with Javvad Malik on reverse engineering malware to hear details and examples of how the Labs team investigated OceanLotus, PowerWare and Linux malware in recent situations.
Approaches in reverse engineering a malware sample
Reverse engineer: The most obvious approach is to completely reverse engineer a piece of malware. This obviously takes a great amount of time, so other approaches are more practical.
Exploitation techniques: Another approach you can take is to focus on the exploitation techniques of a piece of malware. Occasionally you will see a piece of malware that is using a new exploitation technique, or is exploiting a zero-day vulnerability. In this case you may be interested only in the specific exploitation technique, so you can timebox your analysis and only look at the exploitation mechanisms.
Obfuscation: Malware will often obfuscate itself and make itself difficult to analyze. You might come across malware that you have seen before without obfuscation. In that case you may only want to focus on reverse engineering the new parts.
Encryption methods: A common type of malware these days is ransomware. Ransomware essentially encrypts the victim's files and locks them up so that they can't be accessed or read. Oftentimes the authors of ransomware will make mistakes when they implement the encryption mechanisms. So if you focus your research on the encryption mechanisms you might be able to find weaknesses in their implementation and/or you might be able to find hard-coded keys or weak algorithms.
C&C communication: This is something that is pretty commonly done when looking at malware.
Analysts often want to figure out what the communication protocol is between a piece of malware on the client's side and the server on the command and control side. The communication protocol can actually give you a lot of hints about the malware’s capabilities.
Attribution: A murky area, kind of like a dark art. It usually involves a lot of guesswork, knowledge of malicious hacking teams and looking at more than one piece of malware.
Categorization and clustering: You can reverse engineer malware from a broader point of view. This involves looking at malware in bulk and doing a broad-stroke analysis on lots of different malware, rather than doing a deep dive.
Techniques
Now, let’s look at techniques that can be utilized while analyzing malware.
First of all, we use static analysis. This is the process of analyzing malware or binaries without actually running them. It can be as simple as looking at metadata from a file. It can range from doing disassembly or decompilation of malware code to symbolic execution, which is something like virtual execution of a binary without actually executing it in a real environment.
Conversely, dynamic analysis is the process of analyzing a piece of malware while running it in a live environment. In this case, you are often looking at the behavior of the malware and at the side effects of what it is doing.
You are running tools like Process Monitor and Sysmon to see what kinds of artifacts a piece of malware produces after it is run. We also use 2016-06-27T15:58:00+00:00 http://feeds.feedblitz.com/~/161542962/0/alienvaultotx~Reverse-Engineering-Malware www.secnews.physaphae.fr/article.php?IdArticle=3349 False None APT 32 None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor: ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks 2016-06-17T10:00:38+00:00 https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/ www.secnews.physaphae.fr/article.php?IdArticle=3025 False Cloud APT 37 None

The State of Security - American Magazine: Don't Fear the Reaper – Getting the Most Out of Your Penetration Tests 2016-06-14T03:00:49+00:00 http://www.tripwire.com/state-of-security/risk-based-security-for-executives/connecting-security-to-the-business/dont-fear-the-reaper-getting-the-most-out-of-your-penetration-test/ www.secnews.physaphae.fr/article.php?IdArticle=2768 False Cloud APT 37 None

UnderNews - French "hacker" news site: SWIFT announces strengthened security after a multitude of attacks 2016-06-05T07:55:06+00:00 http://feedproxy.google.com/~r/undernews/oCmA/~3/mYpgW9gFoXI/swift-annonce-un-renforcement-de-la-securite-apres-attaques.html www.secnews.physaphae.fr/article.php?IdArticle=2426 False None APT 38 None

Palo Alto Network - Vendor Site: The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor 2016-05-26T21:05:54+00:00 http://feedproxy.google.com/~r/PaloAltoNetworks/~3/319tl5LRcgo/ www.secnews.physaphae.fr/article.php?IdArticle=2102 False None APT 34 3.0000000000000000

SC Magazine - Magazine: Anonymous group takes aim at Fla. Gov.
Rick Scott 2016-05-25T16:25:48+00:00 http://feedproxy.google.com/~r/SCMagazineHome/~3/nowX8w7cr2E/ www.secnews.physaphae.fr/article.php?IdArticle=2047 False None APT 32 None

Mandiant - Mandiant Security Blog: Targeted Attacks against Banks in the Middle East
UPDATE (Dec. 8, 2017): We now attribute this campaign to APT34, a suspected Iranian cyber espionage threat group that we believe has been active since at least 2014. Learn more about APT34 and their late 2017 targeting of a government organization in the Middle East.
Introduction
In the first week of May 2016, FireEye's DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region. The threat actors appear to be performing initial reconnaissance against would-be targets, and the attacks caught our attention since they were using
2016-05-22T08:01:01+00:00 https://www.mandiant.com/resources/blog/targeted-attacks www.secnews.physaphae.fr/article.php?IdArticle=8377568 False Threat APT 34 3.0000000000000000
TrendLabs Security - Antivirus Vendor: “Operation C-Major” Actors Also Used Android, BlackBerry Mobile Spyware Against Targets 2016-04-18T14:07:50+00:00 http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/oxiX-SReP2A/ www.secnews.physaphae.fr/article.php?IdArticle=557 False None APT 36 None

AlienVault Lab Blog - AlienVault is a major defense player in IOCs: OS X Malware Samples Analyzed
4].
Sample: https://www.virustotal.com/en/file/58029f84c3826a0bd2757d2fe7405611b75ffc2094a80606662919dae68f946e/analysis/
Persistence mechanism: Installs a malicious file in the user's home directory with a filename starting with a ‘dot’ to hide itself, and installs a LaunchAgent in ~/Library/LaunchAgents that refers to the created malicious file.
C&C communication: Uses a DGA for CnC domain names and Twitter hashtags to decode the address of the CnC server.
AlienVault Detections:
IDS - Existing SIDs: 2014596, 2014597, 2014598, 2014599, 2014534, 2014522, 2014523, 2014524, 2014525
System Compromise, Trojan infection, Flashback
Kumar in the Mac (KitM)
Description: KitM is a signed malware that can take screenshots, download and install programs, and steal data [5].
Sample: https://www.virustotal.com/en/file/07062d9ecb16bd3a4ea00d434f469fe63d5c1c95d1b4903705de31353e9c92ce/analysis/
Persistence mechanism: Adds a Login Item at ~/Library/Preferences/com.apple.loginitems.plist
C&C server: liveapple[dot]eu (down)
AlienVault Detections:
IDS rules: https://github.com/AlienVault-Labs/AlienVaultLabs/blob/master/malware_analysis/OSX_Malware/snort_kitm.rules
System Compromise, Trojan infection, KitM
2016-03-21T13:00:00+00:00 http://feeds.feedblitz.com/~/145197782/0/alienvaultotx~OS-X-Malware-Samples-Analyzed www.secnews.physaphae.fr/article.php?IdArticle=58 False None APT 32 None

AlienVault Lab Blog - AlienVault is a major defense player in IOCs: Operation
BlockBuster unveils the actors behind the Sony attacks
Kaspersky’s Global Research and Analysis Team. In the research that AlienVault and Kaspersky collaborated on, we attributed several campaigns to this actor. Armed with some of the indicators that US-CERT made public after the Sony attack, we continued to analyze different campaigns in 2015 that we suspected were being launched by the same actor. Eventually we were also able to attribute previous activity to the same attackers, including:
Sony Pictures Entertainment - 2014
Operation DarkSeoul - 2013
Operation Troy - 2013
Wild Positron / Duuzer - 2015
Besides several campaigns where the Lazarus Group has utilized wipers to perform destructive attacks, they have also been busy using the same tools to perform data theft and cyber espionage operations. Today, as part of the Operation BlockBuster release, we want to share some of our findings and TTPs from the Lazarus Group that allowed us to link and attribute all the campaigns and tools into the same cluster of activity. We highly recommend that you read the comprehensive report Novetta published today, which includes details on the project’s scope and the more than 45 malware families identified, and includes signatures and guidance to help organizations detect and stop the group’s actions.
Encryption/Shared keys
One of the key findings that gave us the opportunity to link several families to the same actors was finding a dropper that the attackers use. This dropper contains a compressed resource (ZIP) with the name “MYRES” that is protected by a password. The attackers have reused the same password on different occasions and we were able to find droppers containing different families used by the group. This actor also reuses the code libraries they utilize to perform RSA encryption.
We were also able to find the exact same public key in multiple variants.
Batch scripts
This actor often uses BAT files that share the same skeleton in order to delete the initial files after infection. We have seen them reuse this technique across multiple droppers and payloads.
Obfuscation functions
The Lazarus Group uses a few different methods to obfuscate API functions and dynamically load them. One of them consists of using a simple XOR scheme. 2016-02-24T14:00:00+00:00 http://feeds.feedblitz.com/~/140108184/0/alienvaultotx~Operation-BlockBuster-unveils-the-actors-behind-the-Sony-attacks www.secnews.physaphae.fr/article.php?IdArticle=59 False Medical Yahoo,APT 38 None

AlienVault Lab Blog - AlienVault is a major defense player in IOCs: OceanLotus for OS X – an Application Bundle Pretending to be an Adobe Flash Update
In the 64-bit version, strings shorter than 8 bytes are stored as integer values. Encrypted strings longer than 8 bytes are stored in adjacent variables and the decrypting function reads past the variable's 8-byte boundary. As you can see below, &v34 is passed to the decrypting function, but the function actually decrypts the combination of v34 and v35. After decoding .en_icon, EmptyApplication writes it to a temporary directory with the name "pboard" (presumably to mimic the OS X pasteboard daemon) and executes the binary. EmptyApplication then deletes itself, decodes .DS_Stores, and writes the decoded binary as "EmptyApplication" – replacing the original EmptyApplication executable. Finally, the new EmptyApplication is relaunched with a call to NSTask.launch(). The decrypted .DS_Stores binary does almost the same thing as the original EmptyApplication, except it does not look for .DS_Stores.
The Trojan
Encrypted Strings
The decoded .en_icon file is the main Trojan. It has anti-debugging capabilities and handles the connection to the command and control servers.
As we'll discuss later, the Trojan takes advantage of several OS X specific commands and API calls, so it's clear that this Trojan was tailor-made for OS X rather than ported from another operating system.

Again, most strings in the binary are XOR encrypted, but this binary uses multiple keys, and the keys themselves are XOR encrypted. In fact, the first thing the Trojan does is decrypt several XOR keys. It is interesting to note that the code that sets up the decryption keys is executed before the "main" entry point by using C++ static constructors. This code is referenced in the __mod_init_func section of Mach-O binaries.

As you can see from the image above, the primary decryption key used throughout the executable is "Variable". However, there are several different instances of the "Variable" string, a

Published: 2016-02-17T14:00:00+00:00 | Source: http://feeds.feedblitz.com/~/138490501/0/alienvaultotx~OceanLotus-for-OS-X-%e2%80%93-an-Application-Bundle-Pretending-to-be-an-Adobe-Flash-Update | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=60 | Tags: none | Threat actors: APT 32

Mandiant - Mandiant Security Blog

Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak
The FireEye as a Service team detected independent phishing campaigns conducted by two Chinese advanced persistent threat (APT) groups that we track, APT3 and APT18. Each threat group quickly took advantage of a zero-day vulnerability (CVE-2015-5119), which was leaked in the disclosure of Hacking Team's internal data. Adobe released a patch for the vulnerability on July 8, 2015. Before that patch was released, the groups launched phishing campaigns against multiple companies in the aerospace and defense, construction and engineering, education, energy
Published: 2015-07-13T08:31:00+00:00 | Source: https://www.mandiant.com/resources/blog/demonstrating-hustle | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8377805 | Tags: Vulnerability, Threat | Threat actors: APT 18, APT 3
Mandiant - Mandiant Security Blog

Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign
In June, FireEye's FireEye as a Service team in Singapore uncovered a phishing campaign exploiting an Adobe Flash Player zero-day vulnerability (CVE-2015-3113). The attackers' emails included links to compromised web servers that served either benign content or a malicious Adobe Flash Player file that exploits CVE-2015-3113. Adobe has already released a patch for CVE-2015-3113 with an out-of-band security bulletin (https://helpx.adobe.com/security/products/flash-player/apsb15-14.html). FireEye recommends that Adobe Flash Player users update to the latest version as soon as possible. Fire
Published: 2015-06-23T11:21:00+00:00 | Source: https://www.mandiant.com/resources/blog/operation-clandestine-wolf-adobe-flash-zero-day | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8377806 | Tags: Vulnerability | Threat actors: APT 3
Mandiant - Mandiant Security Blog

Operation Double Tap
APT3 (also known as UPS), the actor responsible for Operation Clandestine Fox, has quietly continued to send waves of spearphishing messages over the past few months. This actor initiated their most recent campaign on November 19, 2014, targeting multiple organizations. The attacker leveraged multiple exploits, targeting both CVE-2014-6332 and CVE-2014-4113. CVE-2014-6332 was disclosed publicly on 2014-11-11 and is a Windows OLE Automation Array Remote Code Execution vulnerability. CVE-2014-4113 is a privilege escalation vulnerability that was disclosed publicly on 2014-10-14. The use of CVE
Published: 2014-11-21T19:36:00+00:00 | Source: https://www.mandiant.com/resources/blog/operation-doubletap | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8377811 | Tags: Vulnerability, Technical | Threat actors: APT 3