www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2024-06-02T17:43:45+00:00 www.secnews.physaphae.fr Bleeping Computer - Magazine Américain Hackers use fake ChatGPT apps to push Windows, Android malware 2023-02-22T16:58:19+00:00 https://www.bleepingcomputer.com/news/security/hackers-use-fake-chatgpt-apps-to-push-windows-android-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8312588 False Malware,Tool,Threat ChatGPT 3.0000000000000000 DarkTrace - DarkTrace: AI bases detection Detect, Respond and Escalate: Preventing Further Compromise for Account Hijacks 2023-02-22T00:00:00+00:00 https://darktrace.com/blog/detect-respond-and-escalate-preventing-further-compromise-for-account-hijacks www.secnews.physaphae.fr/article.php?IdArticle=8312517 False Tool None 2.0000000000000000 AlienVault Lab Blog - AlienVault est un acteur de defense majeur dans les IOC 7 reasons why Endpoint Security and Response shouldn\'t be ignored includes “not only the automated monitoring and detection of threats on the endpoint, but also a combination of autonomous and manual investigation, remediation, and response.” While not every tool will make the cut, here are seven reasons why Endpoint Detection and Response (EDR) should not be ignored. Cybercriminals aren’t ignoring endpoints. It’s not surprising that in a recent study, 76% of IT decision-makers reported their company use of endpoint devices has gone up. This can include workstations, servers, tablets, smartphones and a host of IoT devices like cameras, smart speakers, and lighting. However, it is equally unsurprising that bad actors have capitalized on this gain, and consequently, 79% of IT teams have seen a rise in endpoint-related security breaches. The cyber talent crisis creates the need for autonomous response on the endpoint. 
With an increase of both endpoints and endpoint-related attacks, a proportional increase in endpoint security measures is needed; unfortunately, the ongoing cyber talent deficit hamstrings those efforts and makes whatever qualified cybersecurity experts are available difficult to attain for many small to medium-sized businesses. Endpoint security solutions use automatic investigation and monitoring techniques to spot threat 24/7/365 and often respond autonomously to mitigate them. This cuts back significantly on the work remaining for already-strapped security teams to do. EDR offers cloud-based security for end-user devices. One of the primary security problems facing fast-expanding, digitally native, and mid-transition companies is how to secure both on-premises and cloud-based assets. Endpoints, while not in the cloud, connect to it and bad actors can use vulnerabilities in device software to pivot to the rest of your network. State of the industry endpoint security platforms can deploy patches and run reboots from the cloud and offer enterprise-wide centralized cloud management. Remote device security trends downward as workers mix personal with professional. The rise of BYOD has been significant and ubiquitous in the wake of the remote-work migration, and a study by Gartner revealed that over 50% of workers used their own laptop or smartphone for work activity. 
Interestingly, a Ponemon study indicated that 67% of respondents reported that personal mobile devices have negatively impacted their company’s security posture, and 55% cite smartphones as ]]> 2023-02-21T11:00:00+00:00 https://cybersecurity.att.com/blogs/security-essentials/7-reasons-why-endpoint-security-and-response-shouldnt-be-ignored www.secnews.physaphae.fr/article.php?IdArticle=8312091 False Tool,Threat Deloitte 2.0000000000000000 Contagio - Site d infos ransomware Malware Arsenal used by Ember Bear (aka UAC-0056,Saint Bear, UNC2589, Lorec53, TA471, Nodaria, Nascent Ursa, LorecBear, Bleeding Bear, and DEV-0586) in attacks targeting Ukraine (samples) 2023-02-18Ember Bear (aka UAC-0056,Saint Bear, UNC2589, Lorec53, TA471, Nodaria, Nascent Ursa, LorecBear, Bleeding Bear, and DEV-0586) is an Advanced Persistent Threat (APT) group believed to be based in Russia. Their primary targets have been diplomatic and government entities in Europe, particularly Ukraine, and the United States. They have also targeted various industries, including defense, energy, and technology.Download the full collectionEmail me if you need the password (see in my profile) (209 MB. 
218 samples listed in the hash tables below).The malware arsenal collected here includes:Elephant framework (GrimPlant (Backdoor) and GraphSteel (Stealer).)Graphiron BackdoorOutSteel (LorecDocStealer)BabaDedaCobalt Strike (Beacon)SaintBot DownloaderWhisperGate WiperAPT Group DescriptionAPT Group aliases:UAC-0056 (UA CERT)Ember Bear (Crowdstrike)Saint Bear (F-Secure)UNC2589 (Fireeye, IBM)Lorec53 (NSFOCUS)TA471 (Proofpoint)Nodaria (Symantec)Nascent Ursa (Palo Alto)LorecBearBleeding Bear (Elastic)DEV-0586 (MIcrosoft)The group is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021.The group primarily targets Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations.The group is known for using various malicious implants such as GrimPlant, GraphSteel, and CobaltStrike Beacon, as well as spear phishing attacks with macro-embedded Excel documents.In January 2022, the group performed a destructive wiper attack on multiple Ukrainian government computers and websites, known as WhisperGate.The Lorec53 group is a new type of APT group fi]]> 2023-02-18T03:02:00+00:00 https://contagiodump.blogspot.com/2023/02/malware-arsenal-used-by-ember-bear-aka.html www.secnews.physaphae.fr/article.php?IdArticle=8311492 False Ransomware,Malware,Hack,Tool,Vulnerability,Threat,Medical None 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
Armenian Entities Hit by New Version of OxtaRAT Spying Tool 2023-02-17T18:17:00+00:00 https://thehackernews.com/2023/02/armenian-entities-hit-by-new-version-of.html www.secnews.physaphae.fr/article.php?IdArticle=8311235 False Tool None 3.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-36278 2023-02-16T20:15:14+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36278 www.secnews.physaphae.fr/article.php?IdArticle=8311015 False Tool None None CVE Liste - Common Vulnerability Exposure CVE-2022-34153 2023-02-16T20:15:14+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-34153 www.secnews.physaphae.fr/article.php?IdArticle=8311012 False Tool None None CVE Liste - Common Vulnerability Exposure CVE-2022-36398 2023-02-16T20:15:14+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36398 www.secnews.physaphae.fr/article.php?IdArticle=8311017 False Tool None None CVE Liste - Common Vulnerability Exposure CVE-2023-23947 2023-02-16T18:15:11+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23947 www.secnews.physaphae.fr/article.php?IdArticle=8310941 False Tool,Vulnerability Uber None Checkpoint Research - Fabricant Materiel Securite Operation Silent Watch: Desktop Surveillance in Azerbaijan and Armenia Executive summary Amid rising tensions between Azerbaijan and Armenia over the Lachin corridor in late 2022, Check Point Research identified a malicious campaign against entities in Armenia. The malware distributed in this campaign is a new version of a backdoor we track as OxtaRAT, an AutoIt-based tool for remote access and desktop surveillance. 
Key findings: […] ]]> 2023-02-16T10:56:45+00:00 https://research.checkpoint.com/2023/operation-silent-watch-desktop-surveillance-in-azerbaijan-and-armenia/ www.secnews.physaphae.fr/article.php?IdArticle=8310797 False Malware,Tool None 2.0000000000000000 CSO - CSO Daily Dashboard How automation in CSPM can improve cloud security Cloud security posture management (CSPM) is a process that helps organizations continuously monitor, identify, and remediate security risks in the cloud. The use of automation in CSPM is crucial to ensuring the security and compliance of an organization's cloud infrastructure.A key component of CSPM is the automation of its core tasks: continuous monitoring, remediation of issues, compliance management, and alerts and notifications. The integration of robotic process automation (RPA) in CSPM helps to reduce the need to perform repetitive and mundane tasks, making it a powerful tool for organizations to secure and streamline their cloud environment, support the overall security posture, and manage security risks more efficiently.To read this article in full, please click here]]> 2023-02-16T02:00:00+00:00 https://www.csoonline.com/article/3687745/how-automation-in-cspm-can-improve-cloud-security.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=8310793 False Tool None 2.0000000000000000 WatchGuard - Fabricant Matériel et Logiciels WatchGuard lance une nouvelle gamme de firewalls pour améliorer la sécurité unifiée des entreprises distantes et multisites 2023-02-16T00:00:00+00:00 https://www.watchguard.com/fr/wgrd-news/press-releases/watchguard-lance-une-nouvelle-gamme-de-firewalls-pour-ameliorer-la www.secnews.physaphae.fr/article.php?IdArticle=8393221 False Malware,Tool,Threat,Cloud None 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-42455 2023-02-15T21:15:10+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42455 www.secnews.physaphae.fr/article.php?IdArticle=8310681 False Tool None None CSO - 
CSO Daily Dashboard Security tool adoption jumps, Okta report shows 2023-02-15T15:13:00+00:00 https://www.computerworld.com/article/3688350/security-tool-adoption-jumps-okta-report-shows.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=8310666 False Tool None 2.0000000000000000 CSO - CSO Daily Dashboard China-based cyberespionage actor seen targeting South America tweeted on Monday. DEV-0147's attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for reconnaissance and lateral movement, and the use of Cobalt Strike - a penetration testing tool - for command and control and data exfiltration, Microsoft wrote in its tweet. To read this article in full, please click here]]> 2023-02-15T08:49:00+00:00 https://www.csoonline.com/article/3687618/china-based-cyberespionage-actor-seen-targeting-south-america.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=8310554 False Tool None 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2023-25011 2023-02-15T04:15:11+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25011 www.secnews.physaphae.fr/article.php?IdArticle=8310399 False Tool None None Dark Reading - Informationweek Branch Configuration Issues in SaltStack IT Tool Put Enterprises at Risk 2023-02-14T19:08:00+00:00 https://www.darkreading.com/endpoint/configuration-issues-in-saltstack-put-enterprises-at-risk www.secnews.physaphae.fr/article.php?IdArticle=8310152 False Tool None 2.0000000000000000 Anomali - Firm Blog Anomali Cyber Watch: Hospital Ransoms Pay for Attacks on Defense, Nodaria Got Upgraded Go-Based Infostealer, TA866 Moved Screenshot Functionality to Standalone Tool Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. 
Trending Cyber News and Threat Intelligence #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities (published: February 9, 2023) The US and South Korea issued a joint advisory on ongoing, North Korea-sponsored ransomware activity against healthcare and other critical infrastructure. The proceedings are used to fund North Korea’s objectives including further cyber attacks against the US and South Korean defense and defense industrial base sectors. For initial access, the attackers use a trojanized messenger (X-Popup) or various exploits including those targeting Apache log4j2 and SonicWall appliances. Despite having two custom ransomware crypters, Maui and H0lyGh0st, the attackers can portray themselves as a different ransomware group (REvil) and/or use publicly-available crypters, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom. Analyst Comment: Organizations in the healthcare sector should consider following the Cross-Sector Cybersecurity Performance Goals developed by the U.S. Cybersecurity and Infrastructure Security Agency and the U.S. National Institute of Standards and Technology. Follow the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts. Turn off weak or unnecessary network device management interfaces. 
MITRE ATT&CK: [MITRE ATT&CK] T1583 - Acquire Infrastructure | [MITRE ATT&CK] T1583.003 - Acquire Infrastructure: Virtual Private Server | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1133 - External Remote Services | [MITRE ATT&CK] T1195 - Supply Chain Compromise | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1021 - Remote Services | [MITRE ATT&CK] T1486: Data Encrypted for Impact Tags: malware-type:Ransomware, source-country:North Korea, source-country:DPRK, source-country:KP, target-industry:Healthcare, target-sector:Critical infrastructure, target-industry:Defense, target-industry:Defense Industrial Base, Log4Shell, SonicWall, CVE-2021-44228, CVE-2021-20038, CVE-2022-24990, X-Popup, malware:Maui, malware:H0lyGh0st, malware:BitLocker, malware:Deadbolt, malware:ech0raix, malware:GonnaCry, malware:Hidden Tear, malware:Jigsaw, malware:LockBit 2.0, malware:My Little Ransomware, malware:NxRansomware, malware:Ryuk, malware:YourRansom ]]> 2023-02-14T17:48:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-hospital-ransoms-pay-for-attacks-on-defense-nodaria-got-upgraded-go-based-infostealer-ta866-moved-screenshot-functionality-to-standalone-tool www.secnews.physaphae.fr/article.php?IdArticle=8310132 False Ransomware,Malware,Tool,Threat,Industrial None 2.0000000000000000 Dark Reading - Informationweek Branch SynSaber Launches a Free OT PCAP Analyzer Tool for the Industrial Security Community 2023-02-14T15:10:00+00:00 https://www.darkreading.com/ics-ot/synsaber-launches-a-free-ot-pcap-analyzer-tool-for-the-industrial-security-community www.secnews.physaphae.fr/article.php?IdArticle=8310101 False Tool,Industrial None 3.0000000000000000 CSO - CSO Daily Dashboard BrandPost: A Faster, Better Way to Detect Network Threats To read this article in full, please click here]]> 2023-02-14T09:36:00+00:00 https://www.csoonline.com/article/3687678/a-faster-better-way-to-detect-network-threats.html#tk.rss_all 
www.secnews.physaphae.fr/article.php?IdArticle=8310135 False Tool,Threat None 1.00000000000000000000 CSO - CSO Daily Dashboard BrandPost: Protection Groups within NETSCOUT\'s Omnis Cyber Intelligence secure your most valuable assets. To read this article in full, please click here]]> 2023-02-14T09:36:00+00:00 https://www.csoonline.com/article/3687678/protection-groups-within-netscouts-omnis-cyber-intelligence-secure-your-most-valuable-assets.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=8310894 True Tool,Threat None 1.00000000000000000000 CyberScoop - scoopnewsgroup.com special Cyber California lawmaker seeks to end to \'reverse warrants\' that could pinpoint abortion seekers 2023-02-13T22:55:36+00:00 https://cyberscoop.com/california-lawmaker-reverse-warrants-abortion/ www.secnews.physaphae.fr/article.php?IdArticle=8309799 False Tool,Threat None 2.0000000000000000 DarkTrace - DarkTrace: AI bases detection CryptoJacking How this double-edged sword can come back to hurt you 2023-02-13T00:00:00+00:00 https://darktrace.com/blog/cryptojacking-how-this-double-edged-sword-can-come-back-to-hurt-you www.secnews.physaphae.fr/article.php?IdArticle=8309771 False Tool,Threat None 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
New ESXiArgs Ransomware Variant Emerges After CISA Releases Decryptor Tool 2023-02-11T19:06:00+00:00 https://thehackernews.com/2023/02/new-esxiargs-ransomware-variant-emerges.html www.secnews.physaphae.fr/article.php?IdArticle=8309372 False Ransomware,Tool,Threat None 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2023-24816 2023-02-10T20:15:53+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24816 www.secnews.physaphae.fr/article.php?IdArticle=8309601 False Tool,Vulnerability None None CVE Liste - Common Vulnerability Exposure CVE-2022-21940 2023-02-09T21:15:11+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21940 www.secnews.physaphae.fr/article.php?IdArticle=8308892 False Tool,Vulnerability None None CVE Liste - Common Vulnerability Exposure CVE-2022-21939 2023-02-09T21:15:11+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21939 www.secnews.physaphae.fr/article.php?IdArticle=8308891 False Tool,Vulnerability None None SecurityWeek - Security News ESXiArgs Ransomware Hits Over 3,800 Servers as Hackers Continue Improving Malware There have been some new developments in the case of the ESXiArgs ransomware attacks, including related to the encryption method used by the malware, victims, and the vulnerability exploited by the hackers. 
After the US Cybersecurity and Infrastructure Security Agency (CISA) announced the availability of an open source tool designed to help some victims of […] ]]> 2023-02-09T11:00:00+00:00 https://www.securityweek.com/esxiargs-ransomware-hits-over-3800-servers-as-hackers-continue-improving-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8308503 False Ransomware,Malware,Tool,Vulnerability None 3.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2023-25163 2023-02-08T21:15:10+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25163 www.secnews.physaphae.fr/article.php?IdArticle=8308422 False Spam,Tool,Vulnerability Uber None CVE Liste - Common Vulnerability Exposure CVE-2023-25165 2023-02-08T20:15:24+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25165 www.secnews.physaphae.fr/article.php?IdArticle=8308394 False Tool Uber None InfoSecurity Mag - InfoSecurity Magazine CISA Releases Recovery Tool for VMware Ransomware Victims 2023-02-08T10:00:00+00:00 https://www.infosecurity-magazine.com/news/cisa-releases-recovery-vmware/ www.secnews.physaphae.fr/article.php?IdArticle=8308192 False Ransomware,Tool,Threat None 3.0000000000000000 Recorded Future - FLux Recorded Future First Linux variant of Clop ransomware targeted universities, colleges but was flawed The first Linux variant of the Clop ransomware was rife with issues that allowed researchers to create a decryptor tool for victims. SentinelOne researcher Antonis Terefos said his team observed the first Clop (also stylized as Cl0p) ransomware variant targeting Linux systems on December 26. 
Clop has existed since about 2019, targeting large companies, financial institutions, […]]> 2023-02-08T00:34:48+00:00 https://therecord.media/first-linux-variant-of-clop-ransomware-targeted-universities-colleges-but-was-flawed/ www.secnews.physaphae.fr/article.php?IdArticle=8308101 False Ransomware,Tool None 2.0000000000000000 Anomali - Firm Blog Anomali Cyber Watch: MalVirt Obfuscates with KoiVM Virtualization, IceBreaker Overlay Hides V8 Bytecode Runtime Interpretation, Sandworm Deploys Multiple Wipers in Ukraine Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence No Pineapple! –DPRK Targeting of Medical Research and Technology Sector (published: February 2, 2023) In August-November 2022, North Korea-sponsored group Lazarus has been engaging in cyberespionage operations targeting defense, engineering, healthcare, manufacturing, and research organizations. The group has shifted their infrastructure from using domains to be solely IP-based. For initial compromise the group exploited known vulnerabilities in unpatched Zimbra mail servers (CVE-2022-27925 and CVE-2022-37042). Lazarus used off the shelf malware (Cobalt Strike, JspFileBrowser, JspSpy webshell, and WSO webshell), abused legitimate Windows and Unix tools (such as Putty SCP), and tools for proxying (3Proxy, Plink, and Stunnel). Two custom malware unique to North Korea-based advanced persistent threat actors were a new Grease version that enables RDP access on the host, and the Dtrack infostealer. Analyst Comment: Organizations should keep their mail server and other publicly-facing systems always up-to-date with the latest security features. Lazarus Group cyberespionage attacks are often accompanied by stages of multi-gigabyte exfiltration traffic. Suspicious connections and events should be monitored, detected and acted upon. 
Use the available YARA signatures and known indicators. MITRE ATT&CK: [MITRE ATT&CK] T1587.002 - Develop Capabilities: Code Signing Certificates | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] picus-security: The Most Used ATT&CK Technique—T1059 Command and Scripting Interpreter | [MITRE ATT&CK] T1569.002: Service Execution | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1505.003 - Server Software Component: Web Shell | [MITRE ATT&CK] T1037.005 - Boot or Logon Initialization Scripts: Startup Items | [MITRE ATT&CK] T1053.005 - Scheduled Task/Job: Scheduled Task | [MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location | [MITRE ATT&CK] T1553 - Subvert Trust Controls | [MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1070.007 - Indicator Removal: Clear Network Connection History And Configurations | ]]> 2023-02-07T17:23:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-malvirt-obfuscates-with-koivm-virtualization-icebreaker-overlay-hides-v8-bytecode-runtime-interpretation-sandworm-deploys-multiple-wipers-in-ukraine www.secnews.physaphae.fr/article.php?IdArticle=8307984 False Malware,Tool,Threat,Medical,Medical APT 38 3.0000000000000000 Dark Reading - Informationweek Branch A Fool With a Tool Is Still a Fool: A Cyber Take 2023-02-07T08:00:00+00:00 https://www.darkreading.com/zscaler/a-fool-with-a-tool-is-still-a-fool-a-cyber-take www.secnews.physaphae.fr/article.php?IdArticle=8307805 False Tool None 3.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2023-24827 = `DEBUG`) and in the attestation or SBOM only when the `syft-json` format is used. Note that as of v0.69.0 any generated attestations by the `syft attest` command are uploaded to the OCI registry (if you have write access to that registry) in the same way `cosign attach` is done. 
This means that any attestations generated for the affected versions of syft when the `SYFT_ATTEST_PASSWORD` environment variable was set would leak credentials in the attestation payload uploaded to the OCI registry. This issue has been patched in commit `9995950c70` and has been released as v0.70.0. There are no workarounds for this vulnerability. Users are advised to upgrade.]]> 2023-02-07T01:15:09+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24827 www.secnews.physaphae.fr/article.php?IdArticle=8307825 False Tool,Vulnerability None None CVE Liste - Common Vulnerability Exposure CVE-2023-23942 2023-02-06T21:15:09+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23942 www.secnews.physaphae.fr/article.php?IdArticle=8307762 False Tool None None CSO - CSO Daily Dashboard BrandPost: Tackling Cyber Influence Operations: Exploring the Microsoft Digital Defense Report Microsoft Digital Defense Report. Organizations can use this tool to understand their most pressing cyber threats and strengthen their cyber defenses to withstand an evolving digital threat landscape.Comprised of security data from organizations and consumers across the cloud, endpoints, and the intelligent edge, the Microsoft Digital Defense Report covers key insights across cybercrime, nation-state threats, devices and infrastructure, cyber-influence operations, and cyber resiliency. 
Keep reading to explore section four of the report: cyber-influence operations.To read this article in full, please click here]]> 2023-02-06T06:43:00+00:00 https://www.csoonline.com/article/3687215/tackling-cyber-influence-operations-exploring-the-microsoft-digital-defense-report.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=8307550 False Tool,Threat None 1.00000000000000000000 AhnLab - Korean Security Firm Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations Sliver is an open-source penetration testing tool developed in the Go programming language. Cobalt Strike and Metasploit are major examples of penetration testing tools used by many threat actors, and various attack cases involving these tools have been covered here on the ASEC blog. Recently, there have been cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit. The ASEC (AhnLab Security Emergency response Center) analysis team is monitoring attacks against systems with either unpatched vulnerabilities or... ]]> 2023-02-06T01:00:00+00:00 https://asec.ahnlab.com/en/47088/ www.secnews.physaphae.fr/article.php?IdArticle=8307406 False Malware,Tool,Vulnerability,Threat None 2.0000000000000000 Recorded Future - FLux Recorded Future Zero day affecting Fortra\'s GoAnywhere file transfer tool is actively being exploited codeFortra issued a private advisory about the zero-day. Cyber researchers then highlighted the information. There's no mention of a patch]]> 2023-02-03T20:28:11+00:00 https://therecord.media/forta-goanywhere-mft-file-transfer-zero-day/ www.secnews.physaphae.fr/article.php?IdArticle=8307005 False Tool None 3.0000000000000000 Recorded Future - FLux Recorded Future Customizable new DDoS service already appears to have fans among pro-Russia hacking groups subscriptionFor $120 per month, Passion allows customers to “customize” their DDoS incidents. 
The tool allegedly has been used against hospital websites]]> 2023-02-03T20:23:18+00:00 https://therecord.media/passion-botnet-customizable-pro-russia-hackers/ www.secnews.physaphae.fr/article.php?IdArticle=8307006 False Tool None 3.0000000000000000 Dark Reading - Informationweek Branch MITRE Releases Tool to Design Cyber Resilient Systems 2023-02-03T03:00:00+00:00 https://www.darkreading.com/dr-tech/mitre-releases-tool-to-design-cyber-resilient-systems www.secnews.physaphae.fr/article.php?IdArticle=8306858 False Tool None 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2023-24613 2023-02-03T02:15:07+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24613 www.secnews.physaphae.fr/article.php?IdArticle=8306784 False Tool,Vulnerability None None GoogleSec - Firm Security Blog Taking the next step: OSS-Fuzz in 2023 launching in 2016, Google's free OSS-Fuzz code testing service has helped get over 8800 vulnerabilities and 28,000 bugs fixed across 850 projects. Today, we're happy to announce an expansion of our OSS-Fuzz Rewards Program, plus new features in OSS-Fuzz and our involvement in supporting academic fuzzing research. Refreshed OSS-Fuzz rewards The OSS-Fuzz project's purpose is to support the open source community in adopting fuzz testing, or fuzzing - an automated code testing technique for uncovering bugs in software. In addition to the OSS-Fuzz service, which provides a free platform for continuous fuzzing to critical open source projects, we established an OSS-Fuzz Reward Program in 2017 as part of our wider Patch Rewards Program. We've operated this successfully for the past 5 years, and to date, the OSS-Fuzz Reward Program has awarded over $600,000 to over 65 different contributors for their help integrating new projects into OSS-Fuzz. Today, we're excited to announce that we've expanded the scope of the OSS-Fuzz Reward Program considerably, introducing many new types of rewards! 
These new reward types cover contributions such as: Project fuzzing coverage increases Notable FuzzBench fuzzer integrations Integrating a new sanitizer (example) that finds two new vulnerabilities These changes boost the total rewards possible per project integration from a maximum of $20,000 to $30,000 (depending on the criticality of the project). In addition, we've also established two new reward categories that reward wider improvements across all OSS-Fuzz projects, with up to $11,337 available per category. For more details, see the fully updated rules for our dedicated OSS-Fuzz Reward Program. OSS-Fuzz improvements We've continuously made improvements to OSS-Fuzz's infrastructure over the years and expanded our language offerings to cover C/C++, Go, Rust, Java, Python, and Swift, and have introduced support for new frameworks such as FuzzTest. Additionally, as part of an ongoing collaboration with Code Intelligence, we'll soon have support for JavaScript fuzzing through Jazzer.js. FuzzIntrospector support Last year, we launched the OpenSSF FuzzIntrospector tool and integrated it into OSS-Fuzz. We've continued to build on this by adding new language support and better analysis, and now C/C++, Python, and Java projects integrated into OSS-Fuzz have detailed insights on how the coverage and fuzzing effectiveness for a project can be improved. The ]]> 2023-02-01T13:00:49+00:00 http://security.googleblog.com/2023/02/taking-next-step-oss-fuzz-in-2023.html www.secnews.physaphae.fr/article.php?IdArticle=8306318 False Tool None 5.0000000000000000 Anomali - Firm Blog Anomali Cyber Watch: KilllSomeOne Folders Invisible in Windows, Everything APIs Abuse Speeds Up Ransomware,  APT38 Experiments with Delivery Vectors and Backdoors Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Chinese PlugX Malware Hidden in Your USB Devices? 
(published: January 26, 2023) Palo Alto researchers analyzed a PlugX malware variant (KilllSomeOne) that spreads via USB devices such as floppy, thumb, or flash drives. The variant is used by a technically-skilled group, possibly by the Black Basta ransomware. The actors use special shortcuts, folder icons and settings to make folders impersonating disks and a recycle bin directory. They also name certain folders with the 00A0 (no-break space) Unicode character thus hindering Windows Explorer and the command shell from displaying the folder and all the files inside it. Analyst Comment: Several behavior detections could be used to spot similar PlugX malware variants: DLL side loading, adding registry persistence, and payload execution with rundll32.exe. Incidents responders can check USB devices for the presence of no-break space as a folder name. MITRE ATT&CK: [MITRE ATT&CK] T1091 - Replication Through Removable Media | [MITRE ATT&CK] T1559.001 - Inter-Process Communication: Component Object Model | [MITRE ATT&CK] T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification | [MITRE ATT&CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] T1564.001: Hidden Files and Directories | [MITRE ATT&CK] T1105 - Ingress Tool Transfer Tags: detection:PlugX, detection:KilllSomeOne, USB, No-break space, file-type:DAT, file-type:EXE, file-type:DLL, actor:Black Basta, Windows Abraham's Ax Likely Linked to Moses Staff (published: January 26, 2023) Cobalt Sapling is an Iran-based threat actor active in hacking, leaking, and sabotage since at least November 2020. Since October 2021, Cobalt Sapling has been operating under a persona called Moses Staff to leak data from Israeli businesses and government entities. In November 2022, an additional fake identity was created, Abraham's Ax, to target government ministries in Saudi Arabia. 
Cobalt Sapling uses their custom PyDCrypt loader, the StrifeWater remote access trojan, and the DCSrv wiper styled as ransomware. Analyst Comment: A defense-in-depth approach can assist in creating a proactive stance against threat actors attempting to destroy data. Critical systems should be segregated from each other to minimize potential damage, with an]]> 2023-01-31T17:27:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-killlsomeone-folders-invisible-in-windows-everything-apis-abuse-speeds-up-ransomware-apt38-experiments-with-delivery-vectors-and-backdoors www.secnews.physaphae.fr/article.php?IdArticle=8305945 False Ransomware,Malware,Tool,Threat,Medical APT 38 3.0000000000000000 SecurityWeek - Security News Cyber Insights 2023: Artificial Intelligence The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool for beneficial improvement is still unknown. ]]> 2023-01-31T15:30:00+00:00 https://www.securityweek.com/cyber-insights-2023-artificial-intelligence/ www.secnews.physaphae.fr/article.php?IdArticle=8305914 False Tool None 3.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-32748 2023-01-30T23:15:11+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-32748 www.secnews.physaphae.fr/article.php?IdArticle=8305729 False Tool,Vulnerability None None Dark Reading - Informationweek Branch Spotlight on 2023 DevSecOps Trends 2023-01-30T15:00:00+00:00 https://www.darkreading.com/application-security/spotlight-on-2023-devsecops-trends www.secnews.physaphae.fr/article.php?IdArticle=8305546 False Tool None 2.0000000000000000 CSO - CSO Daily Dashboard Hackers abuse legitimate remote monitoring and management tools in attacks reported this week that one particular commercial RMM tool called Syncro was observed in a third of the incident response cases the company was engaged in during the fourth quarter of 2022. 
However, this wasn't the only such tool used.]]> 2023-01-27T06:55:00+00:00 https://www.csoonline.com/article/3686610/hackers-abuse-legitimate-remote-monitoring-and-management-tools-in-attacks.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=8304828 False Tool None 3.0000000000000000 Recorded Future - FLux Recorded Future Large East Asian companies attacked with SparkRAT open source tool Large companies in East Asia are being attacked with an open source tool named SparkRAT, according to a new report. Researchers from SentinelLabs told The Record that they have been tracking a hacking group named “DragonSpark” since October due to its frequent attacks on large companies, which they did not name, and its ability to […]]]> 2023-01-26T21:30:32+00:00 https://therecord.media/large-east-asian-companies-attacked-with-sparkrat-open-source-tool/ www.secnews.physaphae.fr/article.php?IdArticle=8304372 False Tool None 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2023-23611 2023-01-26T21:18:14+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23611 www.secnews.physaphae.fr/article.php?IdArticle=8304619 False Tool None None CVE Liste - Common Vulnerability Exposure CVE-2023-22736 2023-01-26T21:18:13+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22736 www.secnews.physaphae.fr/article.php?IdArticle=8304612 False Tool,Vulnerability Uber None CVE Liste - Common Vulnerability Exposure CVE-2023-22482 2023-01-26T21:18:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22482 www.secnews.physaphae.fr/article.php?IdArticle=8304606 False Tool,Vulnerability Uber None McAfee Labs - Editeur Logiciel ChatGPT: A Scammer's Newest Tool ChatGPT: Everyone's favorite chatbot/writer's-block buster/ridiculous short story creator is skyrocketing in fame. 1 In fact, the AI-generated content “masterpieces” (by...
]]> 2023-01-26T00:37:55+00:00 https://www.mcafee.com/blogs/internet-security/chatgpt-a-scammers-newest-tool/ www.secnews.physaphae.fr/article.php?IdArticle=8304091 False Tool ChatGPT 2.0000000000000000 TrendLabs Security - Editeur Antivirus New Mimic Ransomware Abuses Everything APIs for its Encryption Process 2023-01-26T00:00:00+00:00 https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html www.secnews.physaphae.fr/article.php?IdArticle=8304192 False Ransomware,Tool,Prediction None 2.0000000000000000 Recorded Future - FLux Recorded Future Exploit released for Microsoft bug allowing attacker to masquerade as legitimate entity MicrosoftResearchers from Akamai have released a proof-of-concept for a vulnerability affecting a Microsoft tool that allows the Windows' application programming interface to deal with cryptography.  The vulnerability, CVE-2022-34689, was discovered by the United Kingdom’s National Cyber Security Centre and the National Security Agency. It affects a tool called CryptoAPI and allows an attacker to masquerade […]]> 2023-01-25T21:43:55+00:00 https://therecord.media/exploit-released-for-microsoft-bug-allowing-attacker-to-masquerade-as-legitimate-entity/ www.secnews.physaphae.fr/article.php?IdArticle=8304055 False Tool,Vulnerability None 2.0000000000000000 CSO - CSO Daily Dashboard Chinese threat actor DragonSpark targets East Asian businesses threat actor DragonSpark. The threat actor was observed using open source tool SparkRAT for its attacks, according to a report by SentinelOne. 
SparkRAT is multi-platform, feature-rich, and frequently updated with new features, making the Remote Access Trojan (RAT) attractive to threat actors.]]> 2023-01-25T04:31:00+00:00 https://www.csoonline.com/article/3686275/chinese-threat-actor-dragonspark-targets-east-asian-businesses.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=8303954 False Tool,Threat None 2.0000000000000000 Anomali - Firm Blog Anomali Cyber Watch: Roaming Mantis Changes DNS on Wi-Fi Routers, Hook Android Banking Trojan Has Device Take-Over Capabilities, Ke3chang Targeted Iran with Updated Turian Backdoor Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Roaming Mantis Implements New DNS Changer in Its Malicious Mobile App in 2022 (published: January 19, 2023) In December 2022, a financially-motivated group dubbed Roaming Mantis (Shaoye) continued targeting mobile users with malicious landing pages. iOS users were redirected to phishing pages, while Android users were provided with malicious APK files detected as XLoader (Wroba, Moqhao). Japan, Austria, France, and Germany were the most targeted for XLoader downloads (in that order). All but one targeted country had smishing as an initial vector. In South Korea, Roaming Mantis implemented a new DNS changer function. XLoader-infected Android devices were targeting specific Wi-Fi routers used mostly in South Korea. The malware would compromise routers with default credentials and change the DNS settings to serve malicious landing pages from legitimate domains. Analyst Comment: The XLoader DNS changer function is especially dangerous in the context of free/public Wi-Fi that serves many devices. Install anti-virus software for your mobile device. Users should be cautious when receiving messages with a link or unwarranted prompts to install software.
MITRE ATT&CK: [MITRE ATT&CK] T1078.001 - Valid Accounts: Default Accounts | [MITRE ATT&CK] T1584 - Compromise Infrastructure Tags: actor:Roaming Mantis, actor:Shaoye, file-type:APK, detection:Wroba, detection:Moqhao, detection:XLoader, malware-type:Trojan-Dropper, DNS changer, Wi-Fi routers, ipTIME, EFM Networks, Title router, DNS hijacking, Malicious app, Smishing, South Korea, target-country:KR, Japan, target-country:JP, Austria, target-country:AT, France, target-country:FR, Germany, target-country:DE, VK, Mobile, Android Hook: a New Ermac Fork with RAT Capabilities (published: January 19, 2023) ThreatFabric researchers analyzed a new Android banking trojan named Hook. It is a rebranded development of the Ermac malware that was based on the Android banker Cerberus. Hook added new capabilities in targeting banking and cryptocurrency-related applications. The malware also added the capabilities of a remote access trojan and spyware. Its device take-over capabilities include being able to remotely view and interact with the screen of the infected device, manipulate files on the device's file system, simulate clicks, fill text boxes, and perform gestures. Hook can start the social messaging application WhatsApp, extract all the messages present, and send new ones. Analyst Comment: Users should take their mobile device security seriously whether they use it for social messaging or actually provide access to their banking accounts and/or cryptocurrency holdings. Similar to its predecessors, Hook will likely be used by many threat actors (malware-as-a-service model).
It means the need to protect from a wide range of attacks: smishing, prompts to install malicious apps, excessive]]> 2023-01-24T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-roaming-mantis-changes-dns-on-wi-fi-routers-hook-android-banking-trojan-has-device-take-over-capabilities-ke3chang-targeted-iran-with-updated-turian-backdoor www.secnews.physaphae.fr/article.php?IdArticle=8303740 False Malware,Tool,Threat,Guideline APT 25,APT 15 3.0000000000000000 SentinelOne (Adversary) - Cyber Firms DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation A cluster of attacks SentinelLabs tracks as DragonSpark uses a novel technique, Golang source code interpretation, to avoid detection while also deploying a little-known tool called SparkRAT.]]> 2023-01-24T10:55:22+00:00 https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/ www.secnews.physaphae.fr/article.php?IdArticle=8388323 False Tool None 3.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-45639 2023-01-24T02:15:09+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-45639 www.secnews.physaphae.fr/article.php?IdArticle=8303614 False Tool,Vulnerability None None SkullSecurity - Blog Sécu Blast from the Past: How Attackers Compromised Zimbra With a Patched Vulnerability CVE-2022-41352 - my AttackerKB analysis for Rapid7) that turned out to be a new(-ish) exploit path for a really old bug in cpio - CVE-2015-1194. But that was patched in 2019, so what happened? (I posted this as a tweet-thread a while back, but I decided to flesh it out and make it into a full blog post!) cpio is an archive tool commonly used for system-level stuff (firmware images and such). It can also extract other formats, like .tar, which we'll use since it's more familiar.
cpio has a flag (--no-absolute-filenames), off by default, that purports to prevent writing files outside of the target directory. That's handy when, for example, extracting untrusted files with Amavis (like Zimbra does). The problem is, symbolic links can point to absolute paths, and therefore, even with --no-absolute-filenames, there was no safe way to extract an untrusted archive (outside of using a chroot environment or something similar, which they really ought to do). Much later, in 2019, the cpio team released cpio version 2.13, which includes a patch for CVE-2015-1194, with unit tests and everything. Some (not all) modern OSes include the patched version of cpio, which should be the end of the story, but it's not! I'm currently writing this on Fedora 35, so let's try exploiting it. We can confirm that the version of cpio installed with the OS is, indeed, the fixed version: ron@fedora ~ $ cpio --version cpio (GNU cpio) 2.13 Copyright (C) 2017 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later . This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Written by Phil Nelson, David MacKenzie, John Oleynick, and Sergey Poznyakoff. 
That means that we shouldn't be able to use symlinks to write outside of the target directory, so let's create a .tar file that includes a symlink and a file written through that symlink (this is largely copied from this mailing list post: ron@fedora ~ $ mkdir cpiotest ron@fedora ~ $ cd cpiotest ron@fedora ~/cpiotest $ ln -s /tmp/ ./demo ron@fedora ~/cpiotest $ echo 'hello' > demo/imafile ron@fedora ~/cpiotest $ tar -cvf demo.tar demo demo/imafile demo demo/imafile ron@fedora ~/cpiotest $ ]]> 2023-01-23T20:14:17+00:00 https://www.skullsecurity.org/2023/blast-from-the-past--how-attackers-compromised-zimbra-with-a-patched-vulnerability www.secnews.physaphae.fr/article.php?IdArticle=8303535 False Tool,Vulnerability APT 17 4.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Hackers Deploy Open-Source Tool Sliver C2, Replacing Cobalt Strike, Metasploit 2023-01-23T18:00:00+00:00 https://www.infosecurity-magazine.com/news/hackers-deploy-open-source-tool/ www.secnews.physaphae.fr/article.php?IdArticle=8303452 False Tool None 2.0000000000000000 Minerva - Minerva Security researcher Blog New version of Remcos RAT uses direct syscalls to evade detection. 2023-01-19T14:22:50+00:00 https://minerva-labs.com/blog/new-version-of-remcos-rat-uses-direct-syscalls-to-evade-detection/ www.secnews.physaphae.fr/article.php?IdArticle=8302548 False Tool None 5.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Mailchimp Suffers Another Security Breach Compromising Some Customers' Information 2023-01-19T11:03:00+00:00 https://thehackernews.com/2023/01/mailchimp-suffers-another-security.html www.secnews.physaphae.fr/article.php?IdArticle=8302447 False Tool,Threat None 1.00000000000000000000 Anomali - Firm Blog Anomali Cyber Watch: FortiOS Zero-Day Has Been Exploited by an APT, Two RATs Spread by Four Types of JAR Polyglot Files, Promethium APT Continued Android Targeting Figure 1 - IOC Summary Charts.
These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Malicious ‘Lolip0p’ PyPi Packages Install Info-Stealing Malware (published: January 16, 2023) On January 10, 2023, Fortinet researchers detected actor Lolip0p offering malicious packages on the Python Package Index (PyPI) repository. The packages came with detailed, convincing descriptions pretending to be legitimate HTTP clients or, in one case, a legitimate improvement for a terminal user interface. Installation of the libraries led to infostealing malware targeting browser data and authentication (Discord) tokens. Analyst Comment: Free repositories such as PyPI are increasingly abused by threat actors. Before adding a package, software developers should review its author and reviews, and check the source code for any suspicious or malicious intent. MITRE ATT&CK: [MITRE ATT&CK] T1204 - User Execution | [MITRE ATT&CK] T1555 - Credentials From Password Stores Tags: actor:Lolip0p, Malicious package, malware-type:Infostealer, Discord, PyPi, Social engineering, Windows Analysis of FG-IR-22-398 – FortiOS - Heap-Based Buffer Overflow in SSLVPNd (published: January 11, 2023) In December 2022, the Fortinet network security company fixed a critical, heap-based buffer overflow vulnerability (FG-IR-22-398, CVE-2022-42475) in FortiOS SSL-VPN. The vulnerability was exploited as a zero-day by an advanced persistent threat (APT) actor who was customizing a Linux implant specifically for FortiOS of relevant FortiGate hardware versions. The targeting was likely aimed at governmental or government-related targets. The attribution is not clear, but the compilation timezone UTC+8 may point to China, Russia, and some other countries. Analyst Comment: Users of the affected products should make sure that the December 2022 FortiOS security updates are implemented.
Zero-day based attacks can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning based detection systems. Network defenders are advised to monitor for suspicious traffic, such as suspicious TCP sessions with GET requests for payloads. MITRE ATT&CK: [MITRE ATT&CK] T1622 - Debugger Evasion | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1105 - Ingress Tool Transfer | [MITRE ATT&CK] T1090 - Proxy | [MITRE ATT&CK] T1070 - Indicator Removal On Host Tags: FG-IR-22-398, CVE-2022-42]]> 2023-01-18T16:35:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-fortios-zero-day-has-been-exploited-by-an-apt-two-rats-spread-by-four-types-of-jar-polyglot-files-promethium-apt-continued-android-targeting www.secnews.physaphae.fr/article.php?IdArticle=8302291 False Malware,Tool,Vulnerability,Threat,Guideline LastPass 2.0000000000000000 CSO - CSO Daily Dashboard Why it's time to review your on-premises Microsoft Exchange patch status]]> 2023-01-18T02:00:00+00:00 https://www.csoonline.com/article/3685671/why-its-time-to-review-your-on-premises-microsoft-exchange-patch-status.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=8302193 False Tool,Vulnerability,Patching None 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-41953 2023-01-17T22:15:10+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41953 www.secnews.physaphae.fr/article.php?IdArticle=8302002 False Tool None None Global Security Mag - Site de news francais Action1 Provides Free Tool to Eliminate Organizations' Exposure to Compromise after LastPass Breach Product Reviews]]> 2023-01-17T14:22:28+00:00 https://www.globalsecuritymag.fr/Action1-Provides-Free-Tool-to-Eliminate-Organizations-Exposure-to-Compromise.html www.secnews.physaphae.fr/article.php?IdArticle=8301866 False Tool LastPass 3.0000000000000000 CSO - CSO Daily Dashboard BrandPost:
Optimize Your Security Investments with the Right MDR Provider]]> 2023-01-17T10:14:00+00:00 https://www.csoonline.com/article/3685674/optimize-your-security-investments-with-the-right-mdr-provider.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=8301929 False Tool None 1.00000000000000000000 Hacking Articles - Blog de Raj Chandel A Detailed Guide on Evil-Winrm 2023-01-16T15:39:59+00:00 https://www.hackingarticles.in/a-detailed-guide-on-evil-winrm/ www.secnews.physaphae.fr/article.php?IdArticle=8301537 False Tool None 4.0000000000000000 CSO - CSO Daily Dashboard How AI chatbot ChatGPT changes the phishing game GPT-3.5, was released on 30 November 2022 and racked up a million users in five days. It is capable of writing emails, essays, code and phishing emails, if the user knows how to ask. By comparison, it took Twitter two years to reach a million users. Facebook took ten months, Dropbox seven months, Spotify five months, Instagram six weeks.
Pokemon Go took ten hours, so don't break out the champagne bottles, but still, five days is pretty impressive for a web-based tool that didn't have any built-in name recognition.]]> 2023-01-16T02:00:00+00:00 https://www.csoonline.com/article/3685488/how-ai-chatbot-chatgpt-changes-the-phishing-game.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=8301456 False Tool ChatGPT 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2023-22471 2023-01-14T01:15:14+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22471 www.secnews.physaphae.fr/article.php?IdArticle=8301072 False Tool None None CVE Liste - Common Vulnerability Exposure CVE-2023-22470 2023-01-14T01:15:13+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22470 www.secnews.physaphae.fr/article.php?IdArticle=8301071 False Tool None None Soc Radar - Blog spécialisé SOC Threat Actors Exploit CVE-2022-44877 RCE Vulnerability in CentOS Web Panel (CWP) 2023-01-13T09:23:21+00:00 https://socradar.io/threat-actors-exploit-cve-2022-44877-rce-vulnerability-in-centos-web-panel-cwp/ www.secnews.physaphae.fr/article.php?IdArticle=8300828 False Tool,Vulnerability,Threat None 3.0000000000000000 AhnLab - Korean Security Firm Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack The ASEC analysis team recently identified Orcus RAT being distributed on file-sharing sites disguised as a cracked version of Hangul Word Processor. The threat actor that distributed this malware is the same person that distributed BitRAT and XMRig CoinMiner disguised as a Windows license verification tool on file-sharing sites.[1] The malware distributed by the threat actor has a similar form as those of the past, except for the fact that Orcus RAT was used instead of BitRAT. Furthermore, the new malware...
]]> 2023-01-13T00:52:34+00:00 https://asec.ahnlab.com/en/45462/ www.secnews.physaphae.fr/article.php?IdArticle=8300704 False Malware,Tool,Threat None 2.0000000000000000 Mandiant - Blog Sécu de Mandiant Making Sense of External Attack Surface Management: The Current and Future State of the Category
The external attack surface management (EASM) category came into existence as security vendors sought to improve the gaps in asset visibility and vulnerability enumeration created by legacy tools that failed to adapt to the evolving dynamics of enterprise IT and the growth of digital ecosystems. Among challenges with gaining visibility into unknown assets, organizations are faced with risk introduced by third party assets, including applications. The Google Cybersecurity Action Team (GCAT) predicts third-party assets and dependencies within the cloud will necessitate updates to risk management]]>
2023-01-12T18:00:00+00:00 https://www.mandiant.com/resources/blog/external-attack-surface-management www.secnews.physaphae.fr/article.php?IdArticle=8377389 False Tool,Vulnerability,Cloud None 3.0000000000000000
CSO - CSO Daily Dashboard CloudSek launches free security tool that helps users win bug bounty CloudSek has launched BeVigil, a tool that can tell users how safe the apps installed on their phone are, and helps users and developers win bug bounty by helping them identify and report bugs in the code. BeVigil scans all the apps installed on a user's phone and rates them as dangerous, risky, or safe. Running as a web application for the past year, BeVigil has already scanned over a million apps and rated them. The tool also alerts software companies and app developers about vulnerabilities found through the app, and helps users and developers win bug bounty contests from various software companies by giving them access to the code of apps running on their phone and reporting bugs.]]> 2023-01-12T03:57:00+00:00 https://www.csoonline.com/article/3685529/cloudsek-launches-free-security-tool-that-helps-users-win-bug-bounty.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=8300530 False Tool None 2.0000000000000000 Global Security Mag - Site de news francais EfficientIP Launches Free Tool to Detect Enterprises Risk of Data Exfiltration Business News]]> 2023-01-11T13:45:01+00:00 https://www.globalsecuritymag.fr/EfficientIP-Launches-Free-Tool-to-Detect-Enterprises-Risk-of-Data-Exfiltration.html www.secnews.physaphae.fr/article.php?IdArticle=8300008 False Hack,Tool None 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2023-21725 2023-01-10T22:15:16+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-21725 www.secnews.physaphae.fr/article.php?IdArticle=8299775 False Tool None None CVE Liste - Common Vulnerability Exposure CVE-2023-22469 2023-01-10T21:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22469 www.secnews.physaphae.fr/article.php?IdArticle=8299833 False Tool None None SkullSecurity - Blog Sécu GDB Tricks: Tricking the Application into Generating Test Data
Rapid7 Research Blog (secret rss link!)! Anyway, while working on an application, I ran into a function called LZ4_decompress_safe. I wanted to learn how it worked, but EVERYTHING I tried to decompress returned an error - even test data generated by a legitimate LZ4 library! I'm not sure why it didn't work - maybe they modified it? Maybe it's a different version? Maybe the lz4 CLI tool has more or less file headers? - Dunno! But let's make the application create its own test data! I know (from Googling) that the signatures for the decompress and compress functions are: int __fastcall LZ4_decompress_safe(const char *src, char *dst, int compressedSize, int dstCapacity) int __fastcall LZ4_compress(const char *src, char *dst, int srcSize, int dstCapacity) The calling code looks like: mov ecx, dword ptr [rsp+80h+capacity] ; dstCapacity mov edx, dword ptr [rsp+88h+size] ; compressedSize mov rsi, cs:buffer ; dst mov rdi, [rsp+88h+out_buffer] ; src call LZ4_decompress_safe ; I can't figure out how to get this to work :( The functions have the exact same signature, which is super handy! I put a breakpoint on the function LZ4_decompress_safe, which will stop execution when the application attempts to decompress data: (gdb) b *LZ4_decompress_safe Breakpoint 4 at 0x40bc40 (gdb) run Starting program: [...] Then I sent a message to the server with the “this message is compressed!” flag set, but with uncompressed data (specifically, the contents of /etc/passwd - my go-to for longer test data). So basically, the server will think the data is compressed, but it's actually not. When the service tries to decompress the packet, it'll hit the breakpoint: (gdb) run Starting program: [...] Breakpoint 4, 0x000000000040bc40 in LZ4_decompress_safe () The calling convention on x64 Linux means that the first three arguments are placed in the rdi, rsi, and rdx registers.
We want the dst buffer, which is the second argument, so we print out rsi: (gdb) print/x $rsi $63 = 0x6820f0 ]]> 2023-01-10T18:02:16+00:00 https://www.skullsecurity.org/2023/gdb-tricks--tricking-the-application-into-generating-test-data www.secnews.physaphae.fr/article.php?IdArticle=8300176 False Tool None 4.0000000000000000 Dark Reading - Informationweek Branch Microsoft: Kinsing Targets Kubernetes via Containers, PostgreSQL 2023-01-10T17:00:00+00:00 https://www.darkreading.com/cloud/microsoft-kinsing-malware-kubernetes-containers-postgresql www.secnews.physaphae.fr/article.php?IdArticle=8299606 False Tool Uber 2.0000000000000000 Anomali - Firm Blog Anomali Cyber Watch: Turla Re-Registered Andromeda Domains, SpyNote Is More Popular after the Source Code Publication, Typosquatted Site Used to Leak Company's Data Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence OPWNAI : Cybercriminals Starting to Use ChatGPT (published: January 6, 2023) Check Point researchers have detected multiple underground forum threads outlining experimenting with and abusing ChatGPT (Generative Pre-trained Transformer), the revolutionary artificial intelligence (AI) chatbot tool capable of generating creative responses in a conversational manner. Several actors have built schemes to produce AI outputs (graphic art, books) and sell them as their own. Other actors experiment with instructions to write an AI-generated malicious code while avoiding ChatGPT guardrails that should prevent such abuse. Two actors shared samples allegedly created using ChatGPT: a basic Python-based stealer, a Java downloader that stealthily runs payloads using PowerShell, and a cryptographic tool. Analyst Comment: ChatGPT and similar tools can be of great help to humans creating art, writing texts, and programming.
At the same time, it can be a dangerous tool enabling even low-skill threat actors to create convincing social-engineering lures and even new malware. MITRE ATT&CK: [MITRE ATT&CK] T1566 - Phishing | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | [MITRE ATT&CK] T1560 - Archive Collected Data | [MITRE ATT&CK] T1005: Data from Local System Tags: ChatGPT, Artificial intelligence, OpenAI, Phishing, Programming, Fraud, Chatbot, Python, Java, Cryptography, FTP Turla: A Galaxy of Opportunity (published: January 5, 2023) Russia-sponsored group Turla re-registered expired domains for old Andromeda malware to select a Ukrainian target from the existing victims. An Andromeda sample, known since 2013, infected the Ukrainian organization in December 2021 via a user-activated LNK file on an infected USB drive. Turla re-registered the Andromeda C2 domain in January 2022, profiled and selected a single victim, and pushed its payloads in September 2022. First, the Kopiluwak profiling tool was downloaded for system reconnaissance; two days later, the Quietcanary backdoor was deployed to find and exfiltrate files created in 2021-2022. Analyst Comment: Advanced groups often utilize commodity malware to blend their traffic with less sophisticated threats. Turla's tactic of re-registering old but active C2 domains gives the group a way in to the pool of existing targets.
Organizations should be vigilant to all kinds of existing infections and clean them up, even if assessed as “less dangerous.” All known network and host-based indicators and hunting rules associated]]> 2023-01-10T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-turla-re-registered-andromeda-domains-spynote-is-more-popular-after-the-source-code-publication-typosquatted-site-used-to-leak-companys-data www.secnews.physaphae.fr/article.php?IdArticle=8299602 False Ransomware,Malware,Tool,Threat ChatGPT,APT-C-36 2.0000000000000000 Schneier on Security - Chercheur Cryptologue Américain ChatGPT-Written Malware are seeing ChatGPT-written malware in the wild. …within a few weeks of ChatGPT going live, participants in cybercrime forums—­some with little or no coding experience­—were using it to write software and emails that could be used for espionage, ransomware, malicious spam, and other malicious tasks. “It's still too early to decide whether or not ChatGPT capabilities will become the new favorite tool for participants in the Dark Web,” company researchers wrote. 
“However, the cybercriminal community has already shown significant interest and are jumping into this latest trend to generate malicious code.”...]]> 2023-01-10T12:18:55+00:00 https://www.schneier.com/blog/archives/2023/01/chatgpt-written-malware.html www.secnews.physaphae.fr/article.php?IdArticle=8299521 False Malware,Tool,Prediction ChatGPT 2.0000000000000000 The Register - Site journalistique Anglais Python Package Index found stuffed with AWS keys and malware 2023-01-09T21:15:11+00:00 https://go.theregister.com/feed/www.theregister.com/2023/01/09/pypi_aws_malware_key/ www.secnews.physaphae.fr/article.php?IdArticle=8299326 False Malware,Tool None 2.0000000000000000 CybeReason - Vendor blog MITRE ATT&CK and the Art of Building Better Defenses MITRE ATT&CK and the Art of Building Better Defenses MITRE's Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK) is a critical tool for security practitioners seeking to understand how attackers move, operate, and conduct their attacks. Designed to look at attacks from the attacker's perspective, it catalogs the attack lifecycle of different adversaries and the platforms they choose to target, all based on real-world observations.]]> 2023-01-09T18:47:58+00:00 https://www.cybereason.com/blog/mitre-attck-and-the-art-of-building-better-defenses www.secnews.physaphae.fr/article.php?IdArticle=8299313 False Tool None 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2023-22472 2023-01-09T14:15:10+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22472 www.secnews.physaphae.fr/article.php?IdArticle=8299268 False Tool None None CSO - CSO Daily Dashboard 11 top XDR tools and how to evaluate them security incident and event management (SIEM), endpoint detection and response (EDR), and even security orchestration and response (SOAR). 
In fact, some XDR platforms listed here are the fusion of existing tools the vendor has offered for some time.
2023-01-09T02:00:00+00:00 https://www.csoonline.com/article/3684850/11-top-xdr-tools-and-how-to-evaluate-them.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=8299129 Tags: Tool, Threat | 2.0

Hacking Articles - Raj Chandel's blog
A Detailed Guide on Kerbrute
2023-01-08T18:03:09+00:00 https://www.hackingarticles.in/a-detailed-guide-on-kerbrute/ www.secnews.physaphae.fr/article.php?IdArticle=8299006 Tags: Tool | 4.0

CVE List - Common Vulnerabilities and Exposures
CVE-2023-22475
2023-01-06T15:15:09+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22475 www.secnews.physaphae.fr/article.php?IdArticle=8298606 Tags: Tool, Vulnerability

AhnLab - Korean security firm
Distribution of NetSupport RAT Malware Disguised as a Pokemon Game
NetSupport Manager is a legitimate remote control tool that individual and corporate users install to administer systems remotely. Because it gives an outside party full control of a specific system, it is abused by many threat actors. Unlike backdoors and RATs (Remote Access Trojans), which are mostly command-line based, remote control tools (Remote Administration Tools) emphasize user-friendliness and therefore offer a remote desktop, i.e. a GUI session. Even though they may...
2023-01-05T23:47:00+00:00 https://asec.ahnlab.com/en/45312/ www.secnews.physaphae.fr/article.php?IdArticle=8298371 Tags: Malware, Tool, Threat | 2.0

SC Magazine - Magazine
New malware campaign exploits Windows error reporting tool
2023-01-05T17:26:49+00:00 https://www.scmagazine.com/brief/malware/new-malware-campaign-exploits-windows-error-reporting-tool www.secnews.physaphae.fr/article.php?IdArticle=8298353 Tags: Malware, Tool, Threat | 2.0

The Hacker News - The Hacker News is a hacking news blog (surprising, no?)
Mitigate the LastPass Attack Surface in Your Environment with this Free Tool
2023-01-05T16:21:00+00:00 https://thehackernews.com/2023/01/mitigate-lastpass-attack-surface-in.html www.secnews.physaphae.fr/article.php?IdArticle=8298096 Tags: Tool | LastPass | 3.0

Anomali - Firm Blog
Focusing on Your Adversary
2023-01-05T05:50:00+00:00 https://www.anomali.com/blog/focusing-on-your-adversary www.secnews.physaphae.fr/article.php?IdArticle=8298031 Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Industrial, Prediction | 3.0

Anomali - Firm Blog
Anomali Cyber Watch: Machine Learning Toolkit Targeted by Dependency Confusion, Multiple Campaigns Hide in Google Ads, Lazarus Group Experiments with Bypassing Mark-of-the-Web
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
PyTorch Discloses Malicious Dependency Chain Compromise Over Holidays (published: January 1, 2023)
Between December 25 and December 30, 2022, users who installed PyTorch-nightly were targeted by a malicious library. The malicious torchtriton package on PyPI is a dependency confusion attack: it carries the same name as the legitimate torchtriton dependency hosted on the PyTorch nightly index, and the PyPI copy takes precedence unless that name is excluded from PyPI resolution.
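The mechanism above, as an added example that is not part of the Anomali item or of the PyTorch project's own tooling: the resolver below models what pip does when a private index is added with --extra-index-url (every index is consulted and the highest version wins, so a public package that reuses the private name and claims a bigger version number beats the private build), shows the mitigation of serving the private name from one index only, and finishes with a requirements-file audit that flags --extra-index-url lines and an unpinned 'torchtriton'. All index contents, version strings, the private.example.invalid index URL and the digest are constructed for the demonstration and are not the real torchtriton metadata.

```python
"""Added example (not from the Anomali item or PyTorch): dependency
confusion as a version race between indexes, plus a requirements audit.

pip invoked with --extra-index-url searches every index and installs
the highest version it finds, so a public package that reuses a private
name and claims a bigger version wins. Index contents, versions, the
private.example.invalid URL and the digest below are all constructed.
"""
import re
from typing import Optional

# Constructed index snapshots: index name -> {package name: [versions]}.
INDEXES = {
    "private": {"torchtriton": ["2.0.0+0d7e753"], "torch": ["2.0.0.dev20221225"]},
    "pypi": {"torchtriton": ["3.0.0"]},
}

# Name reported as hijacked on PyPI in the item above.
RISKY_NAMES = {"torchtriton"}


def parse_version(s: str) -> tuple:
    """Map 'X.Y.Z[.devN][+local]' to a comparable tuple.

    The local label after '+' never affects ordering, and a .devN build
    sorts below the final release of the same number.
    """
    public, _, _local = s.partition("+")
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:\.dev(\d+))?", public)
    if not m:
        raise ValueError(f"unsupported version string: {s}")
    release = tuple(int(x) for x in m.group(1).split("."))
    release += (0,) * (4 - len(release))  # so that 2.0 == 2.0.0
    if m.group(2) is not None:
        return release + (0, int(m.group(2)))   # dev build
    return release + (1, 0)                      # final release


def resolve(name: str, indexes: dict, allowed: Optional[set] = None) -> tuple:
    """Return the (version, index) a highest-version-wins resolver picks.

    `allowed` restricts which indexes may serve `name`; confining the
    private name to the private index is the mitigation.
    """
    best = None
    for index_name, packages in indexes.items():
        if allowed is not None and index_name not in allowed:
            continue
        for version in packages.get(name, []):
            key = parse_version(version)
            if best is None or key > best[0]:
                best = (key, version, index_name)
    if best is None:
        raise LookupError(f"{name}: no candidate in the allowed indexes")
    return best[1], best[2]


def audit_requirements(text: str) -> list:
    """Flag what makes dependency confusion possible in a requirements
    file: an --extra-index-url line, and a hijacked name that is not
    pinned to an exact version with a --hash."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("--extra-index-url"):
            findings.append((lineno, "--extra-index-url merges indexes; use --index-url for the private one"))
            continue
        if line.startswith("-"):           # other pip options
            continue
        m = re.match(r"([A-Za-z0-9_.-]+)\s*(==)?", line)
        if not m:
            continue
        name = m.group(1).lower()
        pinned = m.group(2) is not None and "--hash=" in line
        if name in RISKY_NAMES and not pinned:
            findings.append((lineno, f"{name}: hijacked name without an exact version and hash pin"))
    return findings


# Constructed requirements files: the risky layout and the corrected one.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real PyTorch nightly file
--extra-index-url https://private.example.invalid/simple
torch==2.0.0.dev20221225
torchtriton
"""

FIXED_REQUIREMENTS = """\
--index-url https://private.example.invalid/simple
torchtriton==2.0.0+0d7e753 --hash=sha256:{placeholder}
""".format(placeholder="0" * 64)  # placeholder digest, not a real hash


if __name__ == "__main__":
    print("merged indexes :", resolve("torchtriton", INDEXES))
    print("private only   :", resolve("torchtriton", INDEXES, allowed={"private"}))
    for lineno, msg in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {msg}")
    print("fixed file findings:", audit_requirements(FIXED_REQUIREMENTS))
```

Run stand-alone, the merged resolution picks the public 3.0.0 over the private 2.0.0+0d7e753, the private-only resolution picks the intended build, and the audit reports the --extra-index-url line and the unpinned torchtriton while passing the corrected file. The same logic applies to any private package name that is not also reserved on the public index, which is why the PyTorch team's reservation of the name on PyPI closes the hole for future installs.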
The actor behind the malicious library claims it was part of ethical research and that he alerted some affected companies via HackerOne programs (Facebook was allegedly alerted). The library's features, however, are more aligned with malware than with a research project: the code is obfuscated, it employs anti-VM techniques, and it does not stop at fingerprinting. It exfiltrates passwords, certain files, and the history of terminal commands. Stolen data is sent to the C2 domain via encrypted DNS queries using the wheezy[.]io DNS server.
Analyst Comment: The presence of the malicious torchtriton binary can be detected, and it should be uninstalled. The PyTorch team has renamed the 'torchtriton' library to 'pytorch-triton' and reserved the name on PyPI to prevent similar attacks. Open-source repositories and apps are a valuable asset for many organizations, but their adoption must be risk-assessed, appropriately mitigated and then monitored to ensure ongoing integrity.
MITRE ATT&CK: T1195.001 - Supply Chain Compromise: Compromise Software Dependencies And Development Tools | T1027 - Obfuscated Files Or Information | T1082 - System Information Discovery | T1003.008 - OS Credential Dumping: /etc/passwd And /etc/shadow | T1041 - Exfiltration Over C2 Channel
Tags: Dependency confusion, Dependency chain compromise, PyPI, PyTorch, torchtriton, Facebook, Meta AI, Exfiltration over DNS, Linux

Linux Backdoor Malware Infects WordPress-Based Websites (published: December 30, 2022)
Doctor Web researchers have discovered a new Linux backdoor that attacks websites built on the WordPress content management system. The latest version of the backdoor exploits 30 vulnerabilities in outdated versions of WordPress add-ons (plugins and themes).
The compromised pages are injected with malicious JavaScript that intercepts all user clicks on the infected page and triggers a malicious redirect.
Analyst Comment: Owners of WordPress-based websites should keep all components of the platform up to date, including third-party add-ons and themes. Use
2023-01-04T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-machine-learning-toolkit-targeted-by-dependency-confusion-multiple-campaigns-hide-in-google-ads-lazarus-group-experiments-with-bypassing-mark-of-the-web www.secnews.physaphae.fr/article.php?IdArticle=8297872 Tags: Malware, Tool, Vulnerability, Threat, Patching, Medical | APT 38, LastPass | 2.0

CSO - CSO Daily Dashboard
Attackers use stolen banking data as phishing lure to deploy BitRAT
2023-01-04T15:19:00+00:00 https://www.csoonline.com/article/3684769/attackers-use-stolen-banking-data-as-phishing-lure-to-deploy-bitrat.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=8297971 Tags: Data Breach, Tool | 1.0

InfoSecurity Mag - InfoSecurity Magazine
New Phishing Campaign Impersonates Flipper Zero to Target Cyber Professionals
2023-01-04T14:15:00+00:00 https://www.infosecurity-magazine.com/news/phishing-campaign-uses-flipper-zero/ www.secnews.physaphae.fr/article.php?IdArticle=8297829 Tags: Tool, Threat | 4.0

Bleeping Computer - American magazine
Hackers abuse Windows error reporting tool to deploy malware
2023-01-04T12:16:37+00:00 https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8297879 Tags: Malware, Tool | 2.0

CyberScoop - scoopnewsgroup.com special Cyber
Can these researchers help defend satellite systems targeted by hackers?
As threats against space systems increase, a new tool aims to improve efforts to defend against cyberattacks.
2023-01-03T17:07:44+00:00 https://www.cyberscoop.com/space-satellite-cybersecurity-sparta/ www.secnews.physaphae.fr/article.php?IdArticle=8297494 Tags: Tool | 2.0

Anomali - Firm Blog
Anomali Cyber Watch: Zerobot Added New Exploits and DDoS Methods, Gamaredon Group Bypasses DNS, ProxyNotShell Exploited Prior to DLL Side-Loading Attacks, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New RisePro Stealer Distributed by the Prominent PrivateLoader (published: December 22, 2022)
RisePro is a new commodity infostealer that is sold and supported through Telegram channels. Logs of credentials stolen by RisePro have been for sale on illicit markets since December 13, 2022. RisePro targets password stores and particular file patterns to extract cookies, credit card information, cryptocurrency wallets, installed-software credentials, and passwords. RisePro is delivered by PrivateLoader, and the two malware families share a significant amount of code. It also resembles the Vidar stealer in that both rely on dropped DLL dependencies.
Analyst Comment: Infostealers are a continually rising threat for organizations, especially with hybrid workers using their own and other non-corporate devices to access cloud-based resources and applications. Session data useful to attackers can be harvested without the worker or the organization knowing. In addition, growing threat-actor reliance on potent commodity malware is one of the trends Anomali analysts observe going into 2023 (see Predictions below). Network defenders are advised to block known PrivateLoader and RisePro indicators (available on the Anomali platform).
MITRE ATT&CK: T1213 - Data From Information Repositories | T1113 - Screen Capture | T1555.004 - Credentials from Password Stores: Windows Credential Manager | T1140 - Deobfuscate/Decode Files Or Information | T1222 - File and Directory Permissions Modification | T1027 - Obfuscated Files Or Information | T1027.005 - Obfuscated Files or Information: Indicator Removal From Tools | T1087 - Account Discovery | T1083 - File And Directory Discovery | T1057 - Process Discovery | T1012 - Query Registry | T1518 - Software Discovery | T1082 - System Information Discovery
2022-12-29T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-zerobot-added-new-exploits-and-ddos-methods-gamaredon-group-bypasses-dns-proxynotshell-exploited-prior-to-dll-side-loading-attacks-and-more www.secnews.physaphae.fr/article.php?IdArticle=8295813 Tags: Malware, Tool, Threat | 2.0

Darknet - The Darkside - American news site
HardCIDR – Network CIDR and Range Discovery Tool
2022-12-29T07:36:08+00:00 https://www.darknet.org.uk/2022/12/hardcidr-network-cidr-and-range-discovery-tool/ www.secnews.physaphae.fr/article.php?IdArticle=8295723 Tags: Tool | 3.0