www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of articles from multiple sources. The list of sources can be found on www.secnews.physaphae.fr.
Last build: 2025-05-11T02:29:30+00:00
Link: www.secnews.physaphae.fr

Source: The Hacker News (a hacking news blog, surprising, right?)
Title: North Korean Hackers Using New VeilShell Backdoor in Stealthy Cyber Attacks
Summary: Threat actors with ties to North Korea have been observed delivering a previously undocumented backdoor and remote access trojan (RAT) called VeilShell as part of a campaign targeting Cambodia and likely other Southeast Asian countries. The activity, dubbed SHROUDED#SLEEP by Securonix, is believed to be the handiwork of APT37, which is also known as InkySquid, Reaper, RedEyes, Ricochet Chollima,
Published: 2024-10-03T18:30:00+00:00
Link: https://thehackernews.com/2024/10/north-korean-hackers-using-new.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8591272
Meta: False Threat APT 37 2.0000000000000000

Source: IndustrialCyber (cyber risk firm for industrial)
Title: Phosphorus Cybersecurity expands into APJ, appoints new leadership to drive growth and innovation
Summary: Phosphorus Cybersecurity Inc., provider of unified, prevention-based security management for the xTended Internet of Things (xIoT), announced Thursday...
Published: 2024-10-03T17:13:17+00:00
Link: https://industrialcyber.co/news/phosphorus-cybersecurity-expands-into-apj-appoints-new-leadership-to-drive-growth-and-innovation/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8591389
Meta: False None APT 35 2.0000000000000000
Source: RiskIQ (cyber risk firm, now Microsoft)
Title: Zimbra RCE Vuln Under Attack Needs Immediate Patching
Published: 2024-10-02T20:01:11+00:00
Link: https://community.riskiq.com/article/a558d6ba
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8590707
Meta: False Tool,Vulnerability,Threat,Patching APT 38 2.0000000000000000

Source: RiskIQ (cyber risk firm, now Microsoft)
Title: Weekly OSINT Highlights, 30 September 2024
Published: 2024-09-30T13:21:55+00:00
Link: https://community.riskiq.com/article/70e8b264
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8588927
Meta: False Ransomware,Malware,Tool,Vulnerability,Threat,Patching,Mobile ChatGPT,APT 36 2.0000000000000000

Source: RiskIQ (cyber risk firm, now Microsoft)
Title: OSINT Investigation: Hunting Malicious Infrastructure Linked to Transparent Tribe
Published: 2024-09-27T19:44:31+00:00
Link: https://community.riskiq.com/article/f74aeee5
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8586788
Meta: True Ransomware,Malware,Tool,Threat,Mobile APT 36 3.0000000000000000

Source: The Hacker News (a hacking news blog, surprising, right?)
Title: New PondRAT Malware Hidden in Python Packages Targets Software Developers
Summary: Threat actors with ties to North Korea have been observed using poisoned Python packages as a way to deliver a new malware called PondRAT as part of an ongoing campaign. PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT (aka SIMPLESEA), a known macOS backdoor that has been previously attributed to the Lazarus Group and deployed in
Published: 2024-09-23T12:09:00+00:00
Link: https://thehackernews.com/2024/09/new-pondrat-malware-hidden-in-python.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8582747
Meta: False Malware,Threat APT 38 2.0000000000000000

Source: RiskIQ (cyber risk firm, now Microsoft)
Title: North Korean APT Group Gleaming Pisces Deploys PondRAT via Poisoned Python Packages
Published: 2024-09-20T15:50:36+00:00
Link: https://community.riskiq.com/article/906408c8
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8580619
Meta: False Malware,Tool,Threat APT 38 3.0000000000000000

Source: RiskIQ (cyber risk firm, now Microsoft)
Title: UNC1860 and the Temple of Oats: Iran's Hidden Hand in Middle Eastern Networks
Published: 2024-09-19T21:39:29+00:00
Link: https://community.riskiq.com/article/e882507d
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8579917
Meta: False Malware,Tool,Threat,Cloud APT 34 3.0000000000000000

Source: Mandiant (Mandiant security blog)
Title: UNC1860 and the Temple of Oats: Iran's Hidden Hand in Middle Eastern Networks
Summary: Executive Summary. UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran's Ministry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East.
UNC1860's tradecraft and targeting parallel those of Shrouded Snooper, Scarred Manticore, and Storm-0861, Iran-based threat actors publicly reported to have targeted the telecommunications and government sectors in the Middle East. These groups have also reportedly provided initial access for destructive and disruptive operations that targeted Israel in late October 2023 with BABYWIPER and Albania in 2022 using ROADSWEEP. Mandiant cannot independently corroborate that UNC1860 was involved in providing initial access for these operations. However, we identified specialized UNC1860 tooling including GUI-operated malware controllers, which are likely designed to facilitate hand-off operations, further supporting the initial access role played by UNC1860. UNC1860 additionally maintains an arsenal of utilities and a collection of "main-stage" passive backdoors designed to gain strong footholds into victim networks and establish persistent, long-term access. Among these main-stage backdoors is a Windows kernel mode driver repurposed from a legitimate Iranian anti-virus software filter driver, reflecting the group's ability to reverse engineer Windows kernel components and evade detection. These capabilities demonstrate that UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations. As tensions continue to ebb and flow in the Middle East, we belie
Published: 2024-09-19T14:00:00+00:00
Link: https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8579617
Meta: False Malware,Tool,Vulnerability,Threat,Cloud,Technical APT 34 3.0000000000000000

Source: The Hacker News (a hacking news blog, surprising, right?)
Title: North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware
Summary: A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN. The activity cluster is being tracked by Google-owned Mandiant under the moniker UNC2970, which it said overlaps with a threat group known as TEMP.Hermit, which is
Published: 2024-09-18T15:02:00+00:00
Link: https://thehackernews.com/2024/09/north-korean-hackers-target-energy-and.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8579019
Meta: False Malware,Threat APT 37 2.0000000000000000

Source: Dark Reading (Informationweek branch)
Title: As Geopolitical Tensions Mount, Iran's Cyber Operations Grow
Summary: Increasing attacks by the OilRig/APT34 group linked to Iran's Ministry of Intelligence and Security show that the nation's capabilities are growing, and targeting regional allies and enemies alike.
Published: 2024-09-18T06:00:00+00:00
Link: https://www.darkreading.com/cyberattacks-data-breaches/geopolitical-tensions-mount-iran-cyber-operations-grow
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8578874
Meta: False None APT 34 3.0000000000000000

Source: Schneier on Security (American cryptologist and researcher)
Title: Python Developers Targeted with Malware During Fake Job Interviews
Summary: Interesting social engineering attack: luring potential job applicants with fake recruiting pitches, trying to convince them to download malware. From a news article:
"These particular attacks from North Korean state-funded hacking team Lazarus Group are new, but the overall malware campaign against the Python development community has been running since at least August of 2023, when a number of popular open source Python tools were maliciously duplicated with added malware. Now, though, there are also attacks involving "coding tests" that only exist to get the end user to install hidden malware on their system (cleverly hidden with Base64 encoding) that allows remote execution once present. The capacity for exploitation at that point is pretty much unlimited, due to the flexibility of Python and how it interacts with the underlying OS..."
Published: 2024-09-17T11:02:34+00:00
Link: https://www.schneier.com/blog/archives/2024/09/python-developers-targeted-with-malware-during-fake-job-interviews.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8578307
Meta: False Malware,Tool APT 38 3.0000000000000000
Source: RiskIQ (cyber risk firm, now Microsoft)
Title: Weekly OSINT Highlights, 16 September 2024
Published: 2024-09-16T11:20:34+00:00
Link: https://community.riskiq.com/article/f4ae836f
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8577706
Meta: False Ransomware,Malware,Tool,Vulnerability,Threat,Patching,Prediction,Cloud APT 34 2.0000000000000000

Source: The Hacker News (a hacking news blog, surprising, right?)
Title: Iranian Cyber Group OilRig Targets Iraqi Government in Sophisticated Malware Attack
Summary: Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign orchestrated by an Iran state-sponsored threat actor called OilRig. The attacks singled out Iraqi organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs, cybersecurity company Check Point said in a new analysis. OilRig, also called APT34, Crambus, Cobalt Gypsy, GreenBug,
Published: 2024-09-12T16:19:00+00:00
Link: https://thehackernews.com/2024/09/iranian-cyber-group-oilrig-targets.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8575176
Meta: False Malware,Threat APT 34 3.0000000000000000

Source: Contagio (ransomware information site)
Title: 2023-11-23 BEAVERTAIL and INVISIBLE_FERRET Lazarus Group Malware Samples
Summary: 2023-11-23 Palo Alto Unit42: Hacking Employers and Seeking Employment: Two Job-Related. This is a 2023 article by Unit42 covering two cyber campaigns, "Contagious Interview" (CL-STA-0240) and "Wagemole" (CL-STA-0241), linked to the Lazarus group (North Korea). There is a more recent campaign VMCONNECT described by Reversing Labs here (2024-09-10, "Fake recruiter coding tests target devs with malicious Python packages") but I don't have samples for that one. These campaigns target job-seeking activities to deploy malware and conduct espionage.
Contagious Interview (CL-STA-0240): The campaign targets software developers by posing as employers and convincing them to download malicious NPM packages during fake job interviews. The malware, BeaverTail and InvisibleFerret, is cross-platform, running on Windows, Linux, and macOS.
BeaverTail: A JavaScript-based malware that steals cryptocurrency wallet information and loads the second-stage payload, InvisibleFerret.
InvisibleFerret: A Python-based backdoor with capabilities including fingerprinting, remote control, keylogging, and browser credential theft. It communicates with a C2 server using JSON-formatted messages and supports commands for data exfiltration and additional malware deployment.
The threat actors use GitHub to host malicious NPM packages, creating accounts with minimal activity to avoid detection.
Wagemole (CL-STA-0241): Wagemole involves North Korean actors using fake identities to apply for remote IT jobs, likely to funnel wages to North Korea's weapons programs and potentially conduct espionage.
Exposed Infrastructure: Researchers found resumes, interview scripts, and other fraudulent materials on GitHub. These documents impersonate IT professionals and aim to gain unauthorized employment at US companies.
Published: 2024-09-12T14:11:31+00:00
Link: https://contagiodump.blogspot.com/2024/09/2023-11-23-beavertail-and.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8575417
Meta: False Malware,Threat APT 38 2.0000000000000000

Source: InfoSecurity Mag (InfoSecurity Magazine)
Title: Lazarus Group Targets Developers in Fresh VMConnect Campaign
Summary: Lazarus Group has been observed impersonating Capital One staff to lure developers into downloading malware on open source repositories.
Published: 2024-09-12T13:00:00+00:00
Link: https://www.infosecurity-magazine.com/news/lazarus-developers-vmconnect/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8575244
Meta: False Malware APT 38 2.0000000000000000

Source: RiskIQ (cyber risk firm, now Microsoft)
Title: Targeted Iranian Attacks Against Iraqi Government Infrastructure
Published: 2024-09-11T23:46:33+00:00
Link: https://community.riskiq.com/article/6289e51f
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8574915
Meta: False Malware,Tool,Threat APT 34 2.0000000000000000

Source: Bleeping Computer (American magazine)
Title: Fake password manager coding test used to hack Python developers
Summary: Members of the North Korean hacker group Lazarus posing as recruiters are baiting Python developers with a coding test project for password management products that includes malware. [...]
Published: 2024-09-11T17:09:36+00:00
Link: https://www.bleepingcomputer.com/news/security/fake-password-manager-coding-test-used-to-hack-python-developers/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8574813
Meta: False Malware,Hack APT 38 3.0000000000000000

Source: Netskope (American software company providing an IT security platform)
Title: Cloud Threats Memo: Iranian Threat Actors Continue to Exploit Azure
Summary: One of the advantages of exploiting a cloud service to host the attack infrastructure is that the threat actors can use either a legitimate compromised account or create a new one specifically for their malicious purposes. According to researchers at Microsoft, this modus operandi has been used by APT33 (also known as "Peach Sandstorm"), a [...]
Published: 2024-09-11T15:44:56+00:00
Link: https://www.netskope.com/blog/cloud-threats-memo-iranian-threat-actors-continue-to-exploit-azure
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8574673
Meta: False Threat,Cloud APT33,APT 33 3.0000000000000000
Source: The Hacker News (a hacking news blog, surprising, right?)
Title: Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware
Summary: Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments. "The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews," ReversingLabs researcher Karlo Zanki said. The activity has been assessed to be part of
Published: 2024-09-11T15:16:00+00:00
Link: https://thehackernews.com/2024/09/developers-beware-lazarus-group-uses.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8574518
Meta: False Malware APT 38 3.0000000000000000

Source: RiskIQ (cyber risk firm, now Microsoft)
Title: Weekly OSINT Highlights, 9 September 2024
Published: 2024-09-09T11:04:46+00:00
Link: https://community.riskiq.com/article/563312a4
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8573205
Meta: False Ransomware,Malware,Tool,Vulnerability,Threat,Prediction,Medical,Commercial APT 38,APT 29 2.0000000000000000

Source: HackRead (cyber research)
Title: Lazarus Group Targets Blockchain Pros with Fake Video Conferencing, Job Scam
Summary: A new Group-IB report highlights an ongoing campaign by the North Korean Lazarus Group, known as the "Eager...
Published: 2024-09-08T23:26:37+00:00
Link: https://hackread.com/lazarus-group-blockchain-fake-video-conferencing-job-scam/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8572921
Meta: False None APT 38 3.0000000000000000

Source: RiskIQ (cyber risk firm, now Microsoft)
Title: APT Lazarus: Eager Crypto Beavers, Video calls and Games
Published: 2024-09-06T20:50:58+00:00
Link: https://community.riskiq.com/article/2d5ffbad
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8571535
Meta: True Ransomware,Malware,Tool,Threat APT 38 2.0000000000000000

Source: RiskIQ (cyber risk firm, now Microsoft)
Title: Fake Palo Alto GlobalProtect used as lure to backdoor enterprises
Published: 2024-09-04T18:51:15+00:00
Link: https://community.riskiq.com/article/22951902
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8569939
Meta: False Malware,Tool,Threat,Prediction APT 34 2.0000000000000000

Source: Mandiant (Mandiant security blog)
Title: DeFied Expectations - Examining Web3 Heists
Summary: Where money goes, crime follows. The rapid growth of Web3 has presented new opportunities for threat actors, especially in decentralized finance (DeFi), where the heists are larger and more numerous than anything seen in the traditional finance sector. Mandiant has a long history of investigating bank heists. In 2016, Mandiant investigated the world's largest bank heist that occurred at the Bank of Bangladesh and resulted in the theft of $81 million by North Korea's APT38. While the group's operations were quite innovative and made for an entertaining 10-episode podcast by the BBC, it pales in comparison to Web3 heists. In 2022, the largest DeFi heist occurred on Sky Mavis' Ronin Blockchain, which resulted in the theft of over $600 million by North Korean threat actors. While North Korea is arguably the world's leading cyber criminal enterprise, they are not the only player. Since 2020, there have been hundreds of Web3 heists reported, which has resulted in over $12 billion in stolen digital assets.
[Figure: Chainalysis 2024 Crypto Crime Report. Source: Chainalysis 2024 Crypto Crime Report]
While social engineering, crypto drainers, rug pulls (scams), and
Published: 2024-09-03T14:00:00+00:00
Link: https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heists/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8569124
Meta: False Malware,Hack,Vulnerability,Threat,Cloud APT 38 2.0000000000000000

Source: RiskIQ (cyber risk firm, now Microsoft)
Title: Weekly OSINT Highlights, 2 September 2024
Published: 2024-09-02T19:54:58+00:00
Link: https://community.riskiq.com/article/161e114f
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8568711
Meta: False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Medical,Cloud APT 41,APT 32 2.0000000000000000

Source: Contagio (ransomware information site)
Title: 2022-2024 North Korea Citrine Sleet / Lazarus FUDMODULE (BYOVD) Rootkit Samples
Published: 2024-09-02T16:43:39+00:00
Link: https://contagiodump.blogspot.com/2024/09/2022-2024-north-korea-citrine-sleet.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8568712
Meta: False Vulnerability,Threat,Conference APT 38 2.0000000000000000

Source: The Hacker News (a hacking news blog, surprising, right?)
Title: Iranian Hackers Set Up New Network to Target U.S. Political Campaigns
Summary: Cybersecurity researchers have unearthed new network infrastructure set up by Iranian threat actors to support activities linked to the recent targeting of U.S. political campaigns. Recorded Future's Insikt Group has linked the infrastructure to a threat it tracks as GreenCharlie, an Iran-nexus cyber threat group that overlaps with APT42, Charming Kitten, Damselfly, Mint Sandstorm (formerly
Published: 2024-08-30T16:45:00+00:00
Link: https://thehackernews.com/2024/08/iranian-hackers-set-up-new-network-to.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8566822
Meta: False Threat APT 35,APT 42 3.0000000000000000

Source: The Hacker News (a hacking news blog, surprising, right?)
Title: Vietnamese Human Rights Group Targeted in Multi-Year Cyberattack by APT32
Summary: A non-profit supporting Vietnamese human rights has been the target of a multi-year campaign designed to deliver a variety of malware on compromised hosts. Cybersecurity company Huntress attributed the activity to a threat cluster known as APT32, a Vietnamese-aligned hacking crew that's also known as APT-C-00, Canvas Cyclone (formerly Bismuth), Cobalt Kitty, and OceanLotus. The intrusion is
Published: 2024-08-29T21:45:00+00:00
Link: https://thehackernews.com/2024/08/vietnamese-human-rights-group-targeted.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8566270
Meta: False Malware,Threat APT 32 3.0000000000000000

Source: RiskIQ (cyber risk firm, now Microsoft)
Title: Citrine Sleet exploiting Chromium zero-day
Published: 2024-08-29T19:44:20+00:00
Link: https://community.riskiq.com/article/0ce29639
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8567037
Meta: False Malware,Tool,Vulnerability,Threat APT 38 2.0000000000000000

Source: RiskIQ (cyber risk firm, now Microsoft)
Title: Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders
Published: 2024-08-29T18:15:40+00:00
Link: https://community.riskiq.com/article/de978ca1
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8566388
Meta: False Ransomware,Malware,Tool,Vulnerability,Threat APT 32 3.0000000000000000

Source: SecureMac (security focused on Mac)
Title: Nukesped
Summary: Also known as HEUR:Trojan-PSW.OSX.BeaverTail.a
Type: Hybrid Threat
Platform: Mac OS 9
Last updated: 07/31/24 3:52 pm
Threat Level: High
Description: Nukesped, a hybrid threat attributed to the North Korean Lazarus Group, is an advanced cyber espionage tool designed to steal sensitive data and disrupt operations.
Nukesped Threat Removal: MacScan can detect and remove the Nukesped hybrid threat from your system, as well as provide protection against other security and privacy threats. A 30-day trial is available to scan your system for this threat.
Published: 2024-08-29T10:04:45+00:00
Link: https://www.securemac.com/definitions/Nukesped
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8566302
Meta: False Tool,Threat APT 38 3.0000000000000000
Source: Bleeping Computer (American magazine)
Title: New Tickler malware used to backdoor US govt, defense orgs
Summary: The APT33 Iranian hacking group has used new Tickler malware to backdoor the networks of organizations in the government, defense, satellite, oil and gas sectors in the United States and the United Arab Emirates. [...]
Published: 2024-08-28T14:36:52+00:00
Link: https://www.bleepingcomputer.com/news/security/APT33-Iranian-hacking-group-uses-new-tickler-malware-to-backdoor-us-govt-defense-orgs/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8565689
Meta: False Malware APT33,APT 33 3.0000000000000000

Source: Bleeping Computer (American magazine)
Title: New Tickler malware used to backdoor US govt, defense orgs
Summary: The APT33 Iranian hacking group has used new Tickler malware to backdoor the networks of organizations in the government, defense, satellite, oil and gas sectors in the United States and the United Arab Emirates. [...]
Published: 2024-08-28T14:36:52+00:00
Link: https://www.bleepingcomputer.com/news/security/new-tickler-malware-used-to-backdoor-us-govt-defense-orgs/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8565594
Meta: False Malware APT33,APT 33 3.0000000000000000

Source: RiskIQ (cyber risk firm, now Microsoft)
Title: Do you Like Donuts; Here is a Donut Shellcode Delivered Through PowerShell/Python
Published: 2024-08-20T20:33:25+00:00
Link: https://community.riskiq.com/article/e2fc2f8b
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8561044
Meta: False Vulnerability,Threat,Cloud APT 34 3.0000000000000000

Source: InfoSecurity Mag (InfoSecurity Magazine)
Title: Iranian Group TA453 Launches Phishing Attacks with BlackSmith
Summary: TA453, also known as Charming Kitten, launched a targeted phishing attack using the PowerShell malware BlackSmith.
Published: 2024-08-20T15:30:00+00:00
Link: https://www.infosecurity-magazine.com/news/iran-ta453-phishing-attacks-isw/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8560899
Meta: False Malware APT 35 3.0000000000000000

Source: Dark Reading (Informationweek branch)
Title: IRGC-Linked Hackers Package Modular Malware in Monolithic Trojan
Summary: Charming Kitten goes retro and consolidates its backdoor into a tighter package, abandoning the malware framework trend.
Published: 2024-08-20T09:00:00+00:00
Link: https://www.darkreading.com/threat-intelligence/irgc-linked-hackers-package-modular-malware-into-monolithic-trojan
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8561183
Meta: False Malware,Prediction APT 35 2.0000000000000000

Source: ProofPoint (cyber firms)
Title: Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset
Published: 2024-08-20T05:00:25+00:00
Link: https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8560720
Meta: False Malware,Threat,Studies APT 35,APT 42 3.0000000000000000

Source: SecurityWeek (security news)
Title: Windows Zero-Day Attack Linked to North Korea's Lazarus APT
Summary: The vulnerability, tracked as CVE-2024-38193 and marked as 'actively exploited' by Microsoft, allows SYSTEM privileges on the latest Windows operating systems.
Published: 2024-08-19T15:35:53+00:00
Link: https://www.securityweek.com/windows-zero-day-attack-linked-to-north-koreas-lazarus-apt/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8560350
Meta: False Vulnerability,Threat APT 38 2.0000000000000000
Source: The Hacker News (a hacking news blog, surprising, right?)
Title: Microsoft Patches Zero-Day Flaw Exploited by North Korea's Lazarus Group
Summary: A newly patched security flaw in Microsoft Windows was exploited as a zero-day by Lazarus Group, a prolific state-sponsored actor affiliated with North Korea. The security vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), has been described as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock. "An attacker who successfully exploited this
Published: 2024-08-19T12:35:00+00:00
Link: https://thehackernews.com/2024/08/microsoft-patches-zero-day-flaw.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8560131
Meta: False Vulnerability,Threat APT 38 3.0000000000000000

Source: Dark Reading (Informationweek branch)
Title: Google: Iran's Charming Kitten Targets US Presidential Elections, Israeli Military
Summary: The threat group tracked as APT42 remains on the warpath with various phishing and other social engineering campaigns, as tensions with Israel rise.
Published: 2024-08-15T17:21:38+00:00
Link: https://www.darkreading.com/cyberattacks-data-breaches/google-iran-charming-kitten-targets-presidential-elections-israeli-military
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8558263
Meta: False Threat APT 35,APT 42 3.0000000000000000

Source: RiskIQ (cyber risk firm, now Microsoft)
Title: EastWind campaign: new CloudSorcerer attacks on government organizations in Russia
Published: 2024-08-14T18:17:06+00:00
Link: https://community.riskiq.com/article/55996e79
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8557777
Meta: False Ransomware,Malware,Tool,Threat,Cloud APT 27,APT 31 3.0000000000000000

Source: Kaspersky (Kaspersky research blog)
Title: EastWind campaign: new CloudSorcerer attacks on government organizations in Russia
Summary: Kaspersky has identified a new EastWind campaign targeting Russian organizations and using CloudSorcerer as well as APT31 and APT27 tools.
Published: 2024-08-14T12:00:57+00:00
Link: https://securelist.com/eastwind-apt-campaign/113345/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8557565
Meta: False Tool APT 27,APT 31 3.0000000000000000

Source: RiskIQ (cyber risk firm, now Microsoft)
Title: Weekly OSINT Highlights, 5 August 2024
Published: 2024-08-05T10:51:17+00:00
Link: https://community.riskiq.com/article/ed438f56
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8552050
Meta: False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Mobile APT33,APT 41,APT 33,APT-C-17 3.0000000000000000

Source: RiskIQ (cyber risk firm, now Microsoft)
Title: New Specula tool uses Outlook for remote code execution in Windows
Summary: Snapshot: TrustedSec identified a new red team post-exploitation framework called "Specula," which leverages a vulnerability in Microsoft Outlook to remotely execute code by setting malicious home pages via registry modifications.
Description: The novel Specula framework exploits CVE-2017-11774 (https://sip.security.microsoft.com/vulnerabilities/vulnerability/CVE-2017-11774/overview), a security feature bypass vulnerability in Outlook that allows threat actors to set a custom Outlook home page via registry keys and run VBScript or JScript to execute arbitrary commands on compromised Windows systems. Despite the vulnerability being patched, attackers can still create malicious home pages using Windows Registry values, enabling them to achieve persistence and spread laterally to other systems. The method is notable for its ability to bypass security software by leveraging Outl
Published: 2024-08-02T00:53:15+00:00
Link: https://community.riskiq.com/article/4b71ce29
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8549339
Meta: False Tool,Vulnerability,Threat APT33,APT 33 3.0000000000000000

Source: RiskIQ (cyber risk firm, now Microsoft)
Title: Weekly OSINT Highlights, 29 July 2024
Published: 2024-07-29T10:58:35+00:00
Link: https://community.riskiq.com/article/72f3426d
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8546560
Meta: False Ransomware,Data Breach,Spam,Malware,Tool,Vulnerability,Threat,Legislation,Mobile,Industrial,Medical APT 28,APT 36 2.0000000000000000

Source: Mandiant (Mandiant security blog)
Title: APT45: North Korea's Digital Military Machine
Summary: Executive Summary. APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009. APT45 has gradually expanded into financially-motivated operations, and the group's suspected development and deployment of ransomware sets it apart from other North Korean operators. APT45 and activity clusters suspected of being linked to the group are strongly associated with a distinct genealogy of malware families separate from peer North Korean operators like TEMP.Hermit and APT43. Among the groups assessed to operate from the Democratic People's Republic of Korea (DPRK), APT45 has been the most frequently observed targeting critical infrastructure.
Overview. Mandiant assesses with high confidence that APT45 is a moderately sophisticated cyber operator that supports the interests of the DPRK. Since at least 2009, APT45 has carried out a range of cyber operations aligned with the shifting geopolitical interests of the North Korean state. Although the group's earliest observed activities consisted of espionage campaigns against government agencies and defense industries, APT45 has expanded its remit to financially-motivated operations, including targeting of the financial vertical; we also assess with moderate confidence that APT45 has engaged in the development of ransomware. Additionally, while multiple DPRK-nexus groups focused on healthcare and pharmaceuticals during the initial stages of the COVID-19 pandemic, APT45 has continued to target this vertical longer than other groups, suggesting an ongoing mandate to collect related information. Separately, the group has conducted operations against nuclear-related entities, underscoring its role in supporting DPRK priorities.
Shifts in Targeting and Expanding Operations. Similar to other cyber threat activity attributed to North Korea-nexus groups, shifts in APT45 operations have reflected the DPRK's changing priorities. Malware samples indicate the group was active as early as 2009, although a focus on government agencies and the defense industry was observed beginning in 2017. Identified activity in 2019 aligned with Pyongyang's continued interest in nuclear issues and energy. Although it is not clear if financially-motivated operations are a focus of APT45's current mandate, the group is distinct from other North Korean operators in its suspected interest in ransomware. Given available information, it is possible that APT45 is carrying out financially-motivated cybercrime not only in support of its own operations but to generate funds for other North Korean state priorities.
Financial Sector Like other North Korea]]> 2024-07-25T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine/ www.secnews.physaphae.fr/article.php?IdArticle=8544047 False Ransomware,Malware,Tool,Threat,Medical APT 37,APT 43 5.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Onyx Sleet utilise une gamme de logiciels malveillants pour recueillir l'intelligence pour la Corée du Nord<br>Onyx Sleet uses array of malware to gather intelligence for North Korea 2024-07-24T23:34:10+00:00 https://community.riskiq.com/article/31828df1 www.secnews.physaphae.fr/article.php?IdArticle=8544253 False Ransomware,Malware,Tool,Vulnerability,Threat,Industrial,Cloud,Technical,Commercial APT 38 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Les acteurs de la menace ciblent les résultats des élections récentes<br>Threat Actors Target Recent Election Results 2024-07-24T21:28:53+00:00 https://community.riskiq.com/article/dfae4887 www.secnews.physaphae.fr/article.php?IdArticle=8543707 True Ransomware,Malware,Tool,Threat APT 36 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 8 juillet 2024<br>Weekly OSINT Highlights, 8 July 2024 2024-07-08T15:06:59+00:00 https://community.riskiq.com/article/9a175891 www.secnews.physaphae.fr/article.php?IdArticle=8532909 False Malware,Tool,Vulnerability,Threat,Mobile,Cloud APT 36 3.0000000000000000 HackRead - Chercher Cyber Les nouveaux logiciels espions Android volent les données des joueurs et des utilisateurs de Tiktok<br>New Android Spyware Steals Data from Gamers and TikTok Users Transparent Tribe Expands Android Spyware Arsenal: Gamers, Weapons Fans, and TikTok Users Targeted!]]> 2024-07-04T11:15:55+00:00 https://hackread.com/android-spyware-steals-gamers-tiktok-users-data/ www.secnews.physaphae.fr/article.php?IdArticle=8530518 False Mobile APT 36 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Capratube Remix - 
Transparent Tribe \\'s Android Spyware ciblant les joueurs, les passionnés d'armes<br>CapraTube Remix - Transparent Tribe\\'s Android Spyware Targeting Gamers, Weapons Enthusiasts 2024-07-02T21:54:47+00:00 https://community.riskiq.com/article/d62a3110 www.secnews.physaphae.fr/article.php?IdArticle=8529579 False Malware,Tool,Threat,Mobile APT 36 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Caprarat Spyware déguisé en applications populaires menace les utilisateurs d'Android<br>CapraRAT Spyware Disguised as Popular Apps Threatens Android Users The threat actor known as Transparent Tribe has continued to unleash malware-laced Android apps as part of a social engineering campaign to target individuals of interest. "These APKs continue the group\'s trend of embedding spyware into curated video browsing applications, with a new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans," SentinelOne security researcher Alex]]> 2024-07-01T18:30:00+00:00 https://thehackernews.com/2024/07/caprarat-spyware-disguised-as-popular.html www.secnews.physaphae.fr/article.php?IdArticle=8529204 False Threat,Mobile,Prediction APT 36 3.0000000000000000 Global Security Mag - Site de news francais Capratube Remix - Transparent Tribe \\'s Android Spyware ciblant les joueurs, les passionnés d'armes<br>CapraTube remix - Transparent Tribe\\'s Android spyware targeting gamers, weapons enthusiasts mise à jour malveillant
CapraTube remix - Transparent Tribe\'s Android spyware targeting gamers, weapons enthusiasts by SentinelOne - Malware Update]]>
2024-07-01T13:46:53+00:00 https://www.globalsecuritymag.fr/capratube-remix-transparent-tribe-s-android-spyware-targeting-gamers-weapons.html www.secnews.physaphae.fr/article.php?IdArticle=8529266 False Mobile APT 36 3.0000000000000000
SentinelOne (Adversary) - Cyber Firms
CapraTube Remix | Transparent Tribe's Android Spyware Targeting Gamers, Weapons Enthusiasts
SentinelLabs has identified four new CapraRAT APKs associated with suspected Pakistan state-aligned actor Transparent Tribe.
2024-07-01T12:55:23+00:00 https://www.sentinelone.com/labs/capratube-remix-transparent-tribes-android-spyware-targeting-gamers-weapons-enthusiasts/ www.secnews.physaphae.fr/article.php?IdArticle=8651455 False Mobile APT 36 3.0000000000000000

Mandiant - Mandiant security blog
Global Revival of Hacktivism Requires Increased Vigilance from Defenders
Since early 2022, Mandiant has observed the revival and intensification of threat activity from actors leveraging hacktivist tactics and techniques. This comes decades after hacktivism first emerged as a form of online activism and several years since many defenders last considered hacktivism to be a serious threat. However, this new generation of hacktivism has grown to encompass a more complex and often impactful fusion of tactics different actors leverage for their specific objectives. Today's hacktivists exhibit increased capabilities in both intrusion and information operations, demonstrated by a range of activities such as executing massive disruptive attacks, compromising networks to leak information, conducting information operations, and even tampering with physical world processes. They have leveraged their skills to gain notoriety and reputation, promote political ideologies, and actively support the strategic interests of nation-states. The anonymity provided by hacktivist personas coupled with the range of objectives supported by hacktivist tactics have made them a top choice for both state and non-state actors seeking to exert influence through the cyber domain.
This blog post presents Mandiant's analysis of the hacktivism threat landscape, and provides analytical tools to understand and assess the level of risk posed by these groups. Based on years of experience tracking hacktivist actors, their claims, and attacks, our insight is meant to help organizations understand and prioritize meaningful threat activity against their own networks and equities.
Figure 1: Sample of imagery used by hacktivists to promote their threat activity
Proactive Monitoring of Hacktivist Threats Necessary for Defenders to Anticipate Cyberattacks
Mandiant considers activity to be hacktivism when actors claim to or conduct attacks with the publicly stated intent of engaging in political or social activism. The large scale of hacktivism's resurgence presents a critical challenge to defenders who need to proactively sift through the noise and assess the risk posed by a multitude of actors with ranging degrees of sophistication. While in many cases hacktivist activity represents a marginal threat, in the most significant hacktivist operations Mandiant has tracked, threat actors have deliberately layered multiple tactics in hybrid operations in such a way that the effect of each component magnified the others. In some cases, hacktivist tactics have been deliberately employed by nation-state actors to support hybrid operations that can seriously harm victims. As the volume and complexity of activity grows and new actors leverage hacktivist tactics, defenders must determine how to filter, assess, and neutralize a range of novel and evolving threats. The proactive moni
2024-06-27T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/global-revival-of-hacktivism/ www.secnews.physaphae.fr/article.php?IdArticle=8526607 False Malware,Tool,Threat,Legislation,Industrial,Cloud,Commercial APT 38 3.0000000000000000

Mandiant - Mandiant security blog
Phishing for Gold: Cyber Threats Facing the 2024 Paris Olympics
Executive Summary
Mandiant assesses with high confidence that the Paris Olympics faces an elevated risk of cyber threat activity, including cyber espionage, disruptive and destructive operations, financially-motivated activity, hacktivism, and information operations.
Olympics-related cyber threats could realistically impact various targets including event organizers and sponsors, ticketing systems, Paris infrastructure, and athletes and spectators traveling to the event.
Mandiant assesses with high confidence that Russian threat groups pose the highest risk to the Olympics, while China, Iran, and North Korea state-sponsored actors pose a moderate to low risk.
To reduce the risk of cyber threats associated with the Paris Olympics, organizations should update their threat profiles, conduct security awareness training, and consider travel-related cyber risks.
The security community is better prepared for the cyber threats facing the Paris Olympics than it has been for previous Games, thanks to the insights gained from past events. While some entities may face unfamiliar state-sponsored threats, many of the cybercriminal threats will be familiar. While the technical disruption caused by hacktivism and information operations is often temporary, these operations can have an outsized impact during high-profile events with a global audience.
Introduction
The 2024 Summer Olympics taking place in Paris, France between July and August creates opportunities for a range of cyber threat actors to pursue profit, notoriety, and intelligence. For organizations involved in the event, understanding relevant threats is key to developing a resilient security posture. Defenders should prepare against a variety of threats that will likely be interested in targeting the Games for different reasons:
Cyber espionage groups are likely to target the 2024 Olympics for information gathering purposes, due to the volume of government officials and senior decision makers attending.
Disruptive and destructive operations could potentially target the Games to cause negative psychological effects and reputational damage. This type of activity could take the form of website defacements, distributed denial of service (DDoS) attacks, the deployment of wiper malware, and operational technology (OT) targeting. As a high-profile, large-scale sporting event with a global audience, the Olympics represents an ideal stage for such operations given that the impact of any disruption would be significantly magnified.
Information operations will likely leverage interest in the Olympics to spread narratives and disinformation to target audiences. In some cases, threat actors may leverage disruptive and destructive attacks to amplify the spread of particular narratives in hybrid operations.
Financially-motivated actors are likely to target the Olympics in v
2024-06-05T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-2024-paris-olympics/ www.secnews.physaphae.fr/article.php?IdArticle=8513588 False Ransomware,Malware,Threat,Studies,Mobile,Cloud,Technical APT 15,APT 31,APT 42 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft)
Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group)
2024-05-31T22:14:46+00:00 https://community.riskiq.com/article/08f4a417 www.secnews.physaphae.fr/article.php?IdArticle=8510885 False Malware,Tool,Vulnerability,Threat APT 38 2.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
Microsoft Uncovers 'Moonstone Sleet' - New North Korean Hacker Group
A never-before-seen North Korean threat actor codenamed Moonstone Sleet has been attributed as behind cyber attacks targeting individuals and organizations in the software and information technology, education, and defense industrial base sectors with ransomware and bespoke malware previously associated with the infamous Lazarus Group. "Moonstone Sleet is observed to set up fake companies and
2024-05-29T16:05:00+00:00 https://thehackernews.com/2024/05/microsoft-uncovers-moonstone-sleet-new.html www.secnews.physaphae.fr/article.php?IdArticle=8509208 False Ransomware,Malware,Threat,Industrial APT 38 2.0000000000000000

The Register - English news site
North Korea building cash reserves using ransomware, video games
Microsoft says Kim's hermit nation is pivoting to latest tools as it evolves in cyberspace
A brand-new cybercrime group that Microsoft ties to North Korea is tricking targets using fake job opportunities to launch malware and ransomware, all for financial gain.…
2024-05-29T13:00:09+00:00 https://go.theregister.com/feed/www.theregister.com/2024/05/29/north_korea_using_ransomware_and/ www.secnews.physaphae.fr/article.php?IdArticle=8509278 False Ransomware,Malware,Tool APT 37 2.0000000000000000

RiskIQ - cyber risk firms (now microsoft)
Weekly OSINT Highlights, 28 May 2024
2024-05-28T17:37:40+00:00 https://community.riskiq.com/article/eb5e10a2 www.secnews.physaphae.fr/article.php?IdArticle=8508725 False Ransomware,Malware,Hack,Tool,Threat APT 34 3.0000000000000000

IndustrialCyber - cyber risk firms for industrial
BlackBerry exposes cyber espionage by Transparent Tribe targeting Indian government, defense sectors
BlackBerry disclosed that the Pakistani-based advanced persistent threat group Transparent Tribe (APT36) targeted the Indian government, defense, and...
2024-05-27T17:59:53+00:00 https://industrialcyber.co/threats-attacks/blackberry-exposes-cyber-espionage-by-transparent-tribe-targeting-indian-government-defense-sectors/ www.secnews.physaphae.fr/article.php?IdArticle=8507970 False Threat APT 36 3.0000000000000000
RiskIQ - cyber risk firms (now microsoft)
Bad Karma, No Justice: Void Manticore Destructive Activities in Israel
2024-05-22T15:21:21+00:00 https://community.riskiq.com/article/d5d5c07f www.secnews.physaphae.fr/article.php?IdArticle=8504864 False Ransomware,Malware,Tool,Threat APT 34 3.0000000000000000

Mandiant - Mandiant security blog
IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders
Mandiant Intelligence is tracking a growing trend among China-nexus cyber espionage operations where advanced persistent threat (APT) actors utilize proxy networks known as "ORB networks" (operational relay box networks) to gain an advantage when conducting espionage operations. ORB networks are akin to botnets and are made up of virtual private servers (VPS), as well as compromised Internet of Things (IoT) devices, smart devices, and routers that are often end of life or unsupported by their manufacturers. Building networks of compromised devices allows ORB network administrators to easily grow the size of their ORB network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations. By using these mesh networks to conduct espionage operations, actors can disguise external traffic between command and control (C2) infrastructure and victim environments, including vulnerable edge devices that are being exploited via zero-day vulnerabilities. These networks often use both rented VPS nodes in combination with malware designed to target routers so they can grow the number of devices capable of relaying traffic within compromised networks.
Mandiant assesses with moderate confidence that this is an effort to raise the cost of defending an enterprise's network and shift the advantage toward espionage operators by evading detection and complicating attribution. Mandiant believes that if network defenders can shift the current enterprise defense paradigm away from treating adversary infrastructure like indicators of compromise (IOCs) and instead toward tracking ORB networks like evolving entities akin to APT groups, enterprises can contend with the rising challenge of ORB networks in the threat landscape.
IOC Extinction and the Rise of ORB Networks
The cybersecurity industry has reported on the APT practice of ORB network usage in the past as well as on the functional implementation of these networks. Less discussed are the implications of broad ORB network usage by a multitude of China-nexus espionage actors, which has become more common over recent years. The following are three key points and paradigm-shifting implications about ORB networks that require enterprise network defenders to adapt the way they think about China-nexus espionage actors:
ORB networks undermine the idea of "Actor-Controlled Infrastructure": ORB networks are infrastructure networks administered by independent entities, contractors, or administrators within the People's Republic of China (PRC). They are not controlled by a single APT actor. ORB networks create a network interface, administer a network of compromised nodes, and contract access to those networks to multiple APT actors that will use the ORB networks to carry out their own distinct espionage and reconnaissance. These networks are not controlled by the APT actors using them, but rather are temporarily used by these APT actors, often to deploy custom tooling more conventionally attributable to known China-nexus adversaries.
ORB network infrastructure has a short lifesp
2024-05-22T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks/ www.secnews.physaphae.fr/article.php?IdArticle=8504765 False Malware,Tool,Vulnerability,Threat,Prediction,Cloud,Commercial APT 15,APT 5,APT 31 3.0000000000000000

The Register - English news site
In Debian, APT 3 gains features – but KeepassXC loses them
'Sid' is looking a little sickly of late, but it will pass
The intrepid users of Debian's "testing" branch just discovered that a bunch of their password manager's features disappeared… but their package manager is going to get new ones.…
2024-05-22T13:30:12+00:00 https://go.theregister.com/feed/www.theregister.com/2024/05/22/apt_gains_keepassxc_loses/ www.secnews.physaphae.fr/article.php?IdArticle=8504768 False None APT 3 2.0000000000000000

BlackBerry - Hardware and software manufacturer
Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages
As part of our continuous threat hunting efforts across the Asia-Pacific region, BlackBerry discovered Pakistani-based APT group Transparent Tribe targeting the government, defense and aerospace sectors of India.
2024-05-22T08:01:00+00:00 https://blogs.blackberry.com/en/2024/05/transparent-tribe-targets-indian-government-defense-and-aerospace-sectors www.secnews.physaphae.fr/article.php?IdArticle=8504897 False Threat APT 36 3.0000000000000000

Dark Reading - Informationweek Branch
Iran APTs Tag Team Espionage, Wiper Attacks Against Israel & Albania
Scarred Manticore is the smart, sophisticated one. But when Iran needs something destroyed, it hands the keys over to Void Manticore.
2024-05-21T20:47:21+00:00 https://www.darkreading.com/threat-intelligence/iran-apts-tag-team-espionage-wiper-attacks-against-israel-and-albania www.secnews.physaphae.fr/article.php?IdArticle=8504281 False None APT 34 2.0000000000000000

HackRead - Cyber Search
Iranian State Hackers Partner Up for Large-Scale Attacks, Report
By Deeba Ahmed. Check Point researchers have detailed a new Iranian state-sponsored hacker group called Void Manticore, partnering with Scarred Manticore, another threat group based in Iran's Ministry of Intelligence and Security. This is a post from HackRead.com. Read the original post: Iranian State Hackers Partner Up for Large-Scale Attacks, Report
2024-05-21T11:37:37+00:00 https://www.hackread.com/iranian-state-hackers-partner-up-for-attacks/ www.secnews.physaphae.fr/article.php?IdArticle=8504004 False Threat APT 34 2.0000000000000000
InfoSecurity Mag - InfoSecurity Magazine
Iran-Linked Void Manticore Intensifies Cyber-Attacks on Israel
CPR has suggested a significant overlap in targets between Void Manticore and Scarred Manticore
2024-05-20T15:30:00+00:00 https://www.infosecurity-magazine.com/news/iranlinked-void-manticore/ www.secnews.physaphae.fr/article.php?IdArticle=8503480 False None APT 34 3.0000000000000000

Techworm - News
Malware Targets Routers To Steal Passwords From Web Requests
warn in a blog post. "Cuttlefish lies in wait, passively sniffing packets, acting only when triggered by a predefined rule set. The packet sniffer used by Cuttlefish was designed to acquire authentication material, with an emphasis on public cloud-based services."
2024-05-01T23:25:26+00:00 https://www.techworm.net/2024/05/malware-target-router-steal-password.html www.secnews.physaphae.fr/article.php?IdArticle=8491968 False Malware,Threat,Cloud,Technical APT 32 4.0000000000000000

Mandiant - Mandiant security blog
Uncharmed: Untangling Iran's APT42 Operations
APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists. Mandiant assesses APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). APT42 was observed posing as journalists and event organizers to build trust with their victims through ongoing correspondence, and to deliver invitations to conferences or legitimate documents. These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments. Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, while relying on built-in features and open-source tools to avoid detection. In addition to cloud operations, we also outline recent malware-based APT42 operations using two custom backdoors: NICECURL and TAMECAT. These backdoors are delivered via spear phishing, providing the attackers with initial access that might be used as a command execution interface or as a jumping point to deploy additional malware. APT42 targeting and missions are consistent with its assessed affiliation with the IRGC-IO, which is a part of the Iranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic Republic and domestic unrest. APT42 activities overlap with the publicly reported actors CALANQUE (Google Threat Analysis Group), Charming Kitten (ClearSky and CERTFA), Mint Sandstorm/Phosphorus (Microsoft), TA453 (Proofpoint), Yellow Garuda (PwC), and ITG18 (
2024-05-01T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations/ www.secnews.physaphae.fr/article.php?IdArticle=8500390 False Malware,Tool,Threat,Cloud Yahoo,APT 35,APT 42 2.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
North Korea's Lazarus Group Deploys New Kaolin RAT via Fake Job Lures
The North Korea-linked threat actor known as Lazarus Group employed its time-tested fabricated job lures to deliver a new remote access trojan called Kaolin RAT. The malware could, "aside from standard RAT functionality, change the last write timestamp of a selected file and load any received DLL binary from [command-and-control] server," Avast security researcher Luigino
2024-04-25T22:17:00+00:00 https://thehackernews.com/2024/04/north-koreas-lazarus-group-deploys-new.html www.secnews.physaphae.fr/article.php?IdArticle=8488646 False Malware,Threat APT 38 2.0000000000000000

Mandiant - Mandiant security blog
Poll Vaulting: Cyber Threats to Global Elections
Executive Summary
The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts.
When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure.
Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity.
Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google's Advanced Protection Program to protect high-risk accounts.
Introduction
The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture. The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence.
2024-04-25T10:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections/ www.secnews.physaphae.fr/article.php?IdArticle=8500393 False Ransomware,Malware,Hack,Tool,Vulnerability,Threat,Legislation,Cloud,Technical APT 40,APT 29,APT 28,APT 43,APT 31,APT 42 3.0000000000000000

Dark Reading - Informationweek Branch
North Korea APT Triumvirate Spied on South Korean Defense Industry For Years
Lazarus, Kimsuky, and Andariel all got in on the action, stealing "important" data from firms responsible for defending their southern neighbors (from them).
2024-04-24T16:27:13+00:00 https://www.darkreading.com/cyberattacks-data-breaches/north-korea-apt-triumvirate-spied-on-south-korean-defense-industry-for-years www.secnews.physaphae.fr/article.php?IdArticle=8488095 False None APT 38 2.0000000000000000

AhnLab - Korean Security Firm
Analysis of Pupy RAT Used in Attacks Against Linux Systems
Pupy is a RAT malware strain that offers cross-platform support. Because it is an open-source program published on GitHub, it is continuously being used by various threat actors including APT groups. For example, it is known to have been used by APT35 (said to have ties to Iran) [1] and was also used in Operation Earth Berberoka [2] which targeted online gambling websites. Recently, a malware strain named Decoy Dog was discovered, which is an updated version of Pupy RAT....
2024-04-18T07:46:32+00:00 https://asec.ahnlab.com/en/64258/ www.secnews.physaphae.fr/article.php?IdArticle=8484600 False Malware,Threat APT 35 2.0000000000000000
ProofPoint - Cyber Firms From Social Engineering to DMARC Abuse: TA427's Art of Information Gathering 2024-04-16T06:00:54+00:00 https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering www.secnews.physaphae.fr/article.php?IdArticle=8483299 False Malware,Tool,Threat,Conference APT 37,APT 43 2.0000000000000000
Checkpoint Research - Security Hardware Manufacturer 1st April – Threat Intelligence Report For the latest discoveries in cyber research for the week of 1st April, please download our Threat_Intelligence Bulletin. TOP ATTACKS AND BREACHES The US and UK governments have announced a criminal indictment and sanctions against APT31, a group of Chinese hackers, for their role in allegedly conducting attacks against companies in the US, as well […]
2024-04-01T08:18:43+00:00 https://research.checkpoint.com/2024/1st-april-threat-intelligence-report/ www.secnews.physaphae.fr/article.php?IdArticle=8473934 False Threat APT 31 2.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?) Finland Blames Chinese Hacking Group APT31 for Parliament Cyber Attack The Police of Finland (aka Poliisi) has formally accused a Chinese nation-state actor tracked as APT31 of orchestrating a cyber attack targeting the country's Parliament in 2020. The intrusion, per the authorities, is said to have occurred between fall 2020 and early 2021. The agency described the ongoing criminal probe as both demanding and time-consuming, involving extensive analysis of a " 2024-03-28T22:20:00+00:00 https://thehackernews.com/2024/03/finland-blames-chinese-hacking-group.html www.secnews.physaphae.fr/article.php?IdArticle=8472126 False Legislation APT 31 3.0000000000000000
Bleeping Computer - American Magazine Finland confirms APT31 hackers behind 2021 parliament breach The Finnish Police confirmed on Tuesday that the APT31 hacking group linked to the Chinese Ministry of State Security (MSS) was behind a breach of the country's parliament disclosed in March 2021. [...] 2024-03-26T17:23:54+00:00 https://www.bleepingcomputer.com/news/security/finland-confirms-apt31-hackers-behind-2021-parliament-breach/ www.secnews.physaphae.fr/article.php?IdArticle=8471001 False Legislation APT 31 3.0000000000000000
Checkpoint - Security Hardware Manufacturer US and UK Governments Take Stand Against APT31, State-Affiliated Hacking Group On Monday, the Biden administration announced a criminal indictment and sanctions against a group of Chinese hackers for their role in allegedly conducting hacks against companies in the US, as well as government officials. The US government charged seven hackers from the group known as APT31; in a related move, the British government announced sanctions on a front company, as well as two individuals, in connection with a breach at the UK's Electoral Commission. The US government noted that the group spent about 14 years targeting US and foreign businesses and political officials. “Today both the UK and US governments […]
2024-03-26T14:57:51+00:00 https://blog.checkpoint.com/security/us-and-uk-governments-take-stand-against-apt31-state-affiliated-hacking-group/ www.secnews.physaphae.fr/article.php?IdArticle=8470789 False None APT 31 3.0000000000000000
Dark Reading - Informationweek Branch Chinese State-Sponsored Hackers Charged, Sanctions Levied by US The US and the UK charge seven Chinese nationals for operating as part of threat group APT31. 2024-03-25T21:20:40+00:00 https://www.darkreading.com/cyber-risk/chinese-state-hackers-slapped-with-us-charges-sanctions www.secnews.physaphae.fr/article.php?IdArticle=8470383 False Threat APT 31 3.0000000000000000
SecurityWeek - Security News US Treasury Slaps Sanctions on China-Linked APT31 Hackers The US Treasury Department sanctions a pair of Chinese hackers linked to “malicious cyber operations targeting US critical infrastructure sectors.”
2024-03-25T18:50:17+00:00 https://www.securityweek.com/us-treasury-slaps-sanctions-on-china-linked-apt31-hackers/ www.secnews.physaphae.fr/article.php?IdArticle=8470303 False None APT 31 2.0000000000000000
Recorded Future - Recorded Future Feed US sanctions alleged Chinese state hackers for attacks on critical infrastructure The U.S. sanctioned a Wuhan-based company believed to be a front for China's Ministry of State Security on Monday following dozens of attacks on critical infrastructure. The Justice and Treasury Departments accused Wuhan Xiaoruizhi Science and Technology Company of being a cover for APT31 - a notorious China-based hacking group known for previously targeting
2024-03-25T17:50:21+00:00 https://therecord.media/us-sanctions-chinese-hackers-infrastructure-attacks www.secnews.physaphae.fr/article.php?IdArticle=8470278 False None APT 31 2.0000000000000000
InfoSecurity Mag - InfoSecurity Magazine UK Blames China for 2021 Hack Targeting Millions of Voters' Data The UK's NCSC assesses that China-backed APT31 was “almost certainly” responsible for hacking the email accounts of UK parliamentarians 2024-03-25T15:50:00+00:00 https://www.infosecurity-magazine.com/news/uk-blames-china-for-2021-electoral/ www.secnews.physaphae.fr/article.php?IdArticle=8470233 False Hack APT 31 2.0000000000000000
Zataz - French Security Magazine Lazarus Group: HTX and Heco Hack 2024-03-19T14:01:20+00:00 https://www.zataz.com/lazarus-group-htx-heco/ www.secnews.physaphae.fr/article.php?IdArticle=8466703 False Hack APT 38 3.0000000000000000
Recorded Future - Recorded Future Feed Lazarus Group hackers appear to return to Tornado Cash for money laundering North Korea's Lazarus hacking group allegedly has turned back to an old service in order to launder $23 million stolen during an attack in November. Investigators at blockchain research company Elliptic said on Friday that in the last day they had seen the funds - part of the $112.5 million stolen from the HTX
2024-03-15T18:33:59+00:00 https://therecord.media/lazarus-group-north-korea-tornado-cash-money-laundering www.secnews.physaphae.fr/article.php?IdArticle=8464489 False None APT 38 3.0000000000000000
knowbe4 - cybersecurity services Despite Feeling Prepared for Image-Based Attacks, Most Organizations Have Been Compromised by Them 2024-03-14T14:20:00+00:00 https://blog.knowbe4.com/despite-prepared-for-image-based-attacks-most-organizations-have-been-compromised www.secnews.physaphae.fr/article.php?IdArticle=8463827 False None APT 3 3.0000000000000000
AhnLab - Korean Security Firm Microsoft Windows Security Update Advisory (CVE-2024-21338) Overview On February 13th, 2024, Microsoft announced a patch for the Windows Kernel Elevation of Privilege Vulnerability CVE-2024-21338. The vulnerability occurs in certain IOCTLs of “appid.sys”, known as AppLocker's driver, one of the Windows features. A threat actor can read from and write to arbitrary kernel memory by exploiting the vulnerability, and can either disable security products or gain SYSTEM privilege. AVAST reported that the Lazarus threat group has recently used the CVE-2024-21338 vulnerability to disable security products. Thus, Windows OS users are...
2024-03-06T08:56:56+00:00 https://asec.ahnlab.com/en/62668/ www.secnews.physaphae.fr/article.php?IdArticle=8459725 False Vulnerability,Threat APT 38 2.0000000000000000
Dark Reading - Informationweek Branch Microsoft Zero Day Used by Lazarus in Rootkit Attack North Korean state actors Lazarus Group used a Windows AppLocker zero day, along with a new and improved rootkit, in a recent cyberattack, researchers report. 2024-03-01T00:17:13+00:00 https://www.darkreading.com/vulnerabilities-threats/microsoft-zero-day-used-by-lazarus-in-rootkit-attack www.secnews.physaphae.fr/article.php?IdArticle=8457255 False Threat APT 38 3.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?) Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks The notorious Lazarus Group actors exploited a recently patched privilege escalation flaw in the Windows Kernel as a zero-day to obtain kernel-level access and disable security software on compromised hosts. The vulnerability in question is CVE-2024-21338 (CVSS score: 7.8), which can permit an attacker to gain SYSTEM privileges. It was resolved by Microsoft earlier this month as part 2024-02-29T16:49:00+00:00 https://thehackernews.com/2024/02/lazarus-hackers-exploited-windows.html www.secnews.physaphae.fr/article.php?IdArticle=8456930 False Vulnerability,Threat APT 38 3.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?) Lazarus Exploits Typos to Sneak PyPI Malware into Dev Systems The notorious North Korean state-backed hacking group Lazarus uploaded four packages to the Python Package Index (PyPI) repository with the goal of infecting developer systems with malware. The packages, now taken down, are pycryptoenv, pycryptoconf, quasarlib, and swapmempool. They have been collectively downloaded 3,269 times, with pycryptoconf accounting for the most 2024-02-29T13:47:00+00:00 https://thehackernews.com/2024/02/lazarus-exploits-typos-to-sneak-pypi.html www.secnews.physaphae.fr/article.php?IdArticle=8456854 False Malware APT 38 4.0000000000000000
SecurityWeek - Security News Windows Zero-Day Exploited by North Korean Hackers in Rootkit Attack North Korean group Lazarus exploited AppLocker driver zero-day CVE-2024-21338 for privilege escalation in attacks involving the FudModule rootkit.
2024-02-29T10:28:36+00:00 https://www.securityweek.com/windows-zero-day-exploited-by-north-korean-hackers-in-rootkit-attack/ www.secnews.physaphae.fr/article.php?IdArticle=8456926 False Vulnerability,Threat APT 38 3.0000000000000000
Bleeping Computer - American Magazine Japan warns of malicious PyPi packages created by North Korean hackers Japan's Computer Security Incident Response Team (JPCERT/CC) is warning that the notorious North Korean hacking group Lazarus has uploaded four malicious PyPI packages to infect developers with malware. [...] 2024-02-28T10:04:50+00:00 https://www.bleepingcomputer.com/news/security/japan-warns-of-malicious-pypi-packages-created-by-north-korean-hackers/ www.secnews.physaphae.fr/article.php?IdArticle=8456467 False Malware APT 38 2.0000000000000000
Dark Reading - Informationweek Branch Iran-Backed Charming Kitten Stages Fake Webinar Platform to Ensnare Targets The latest ploy by the APT also known as Charming Cypress targets policy experts in the Middle East, Europe, and the US. 2024-02-22T14:09:46+00:00 https://www.darkreading.com/vulnerabilities-threats/iran-backed-charming-kitten-stages-fake-webinar-platform-to-ensnare-targets www.secnews.physaphae.fr/article.php?IdArticle=8453731 False None APT 35 2.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?) Iranian Hackers Target Middle East Policy Experts with New BASICSTAR Backdoor The Iranian-origin threat actor known as Charming Kitten has been linked to a new set of attacks aimed at Middle East policy experts with a new backdoor called BASICSTAR by creating a fake webinar portal. Charming Kitten, also called APT35, CharmingCypress, Mint Sandstorm, TA453, and Yellow Garuda, has a history of orchestrating a wide range of social engineering campaigns that cast a 2024-02-19T10:09:00+00:00 https://thehackernews.com/2024/02/iranian-hackers-target-middle-east.html www.secnews.physaphae.fr/article.php?IdArticle=8452155 False Threat APT 35 2.0000000000000000
Volexity - Cyber Firms CharmingCypress: Innovating Persistence Through its managed security services offerings, Volexity routinely identifies spear-phishing campaigns targeting its customers. One persistent threat actor, whose campaigns Volexity frequently observes, is the Iranian-origin threat actor CharmingCypress (aka Charming Kitten, APT42, TA453). Volexity assesses that CharmingCypress is tasked with collecting political intelligence against foreign targets, particularly focusing on think tanks, NGOs, and journalists. In their phishing campaigns, CharmingCypress often employs unusual social-engineering tactics, such as engaging targets in prolonged conversations over email before sending links to malicious content. In a particularly notable spear-phishing campaign observed by Volexity, CharmingCypress went so far as to craft an entirely fake webinar platform to use as part of the lure. CharmingCypress controlled access to this platform, requiring targets to install malware-laden VPN applications prior to granting access. Note: Some content in this blog was recently discussed in Microsoft's report, New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and […]
2024-02-13T14:47:15+00:00 https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/ www.secnews.physaphae.fr/article.php?IdArticle=8449587 False Threat APT 35,APT 42 3.0000000000000000
Recorded Future - Recorded Future Feed News media, foreign affairs experts are targets of North Korean group's latest campaign North Korean state hackers are targeting media organizations and high-profile academics in a new espionage campaign, according to a new report released this week. The goal of these attacks, attributed by researchers at SentinelLabs to a hacker group known as ScarCruft or APT37, is to “gather strategic intelligence” that can “contribute to North Korea's decision-making
2024-01-24T14:00:00+00:00 https://therecord.media/scarcruft-apt37-north-korea-espionage-south-korea-media-academia www.secnews.physaphae.fr/article.php?IdArticle=8442554 False None APT 37 3.0000000000000000
AhnLab - Korean Security Firm Lazarus Group Uses the DLL Side-Loading Technique (2) In the “Lazarus Group Uses the DLL Side-Loading Technique” [1] blog post, AhnLab Security Intelligence Center (ASEC) previously covered how the Lazarus group used the DLL side-loading attack technique with legitimate applications in the initial access stage to reach the next stage of their attack process. This blog post will cover the added DLL variants and their verification routine for the targets. The Lazarus group is an APT group that targets South Korean companies, institutions, think tanks, and others. On...
2024-01-23T00:40:00+00:00 https://asec.ahnlab.com/en/60792/ www.secnews.physaphae.fr/article.php?IdArticle=8441897 False None APT 38 2.0000000000000000
Dark Reading - Informationweek Branch North Korea's ScarCruft Attackers Gear Up to Target Cybersecurity Pros Based on fresh infection routines the APT is testing, it's looking to harvest threat intelligence in order to improve operational security and stealth. 2024-01-22T20:30:00+00:00 https://www.darkreading.com/threat-intelligence/north-koreasc-arcruft-attackers-target-cybersecurity-pros www.secnews.physaphae.fr/article.php?IdArticle=8441819 False Threat APT 37 3.0000000000000000
Global Security Mag - French News Site A glimpse into future ScarCruft campaigns - Attackers gather strategic intelligence and target cybersecurity professionals. In collaboration with NK News, SentinelLabs has been tracking campaigns targeting experts in North Korean affairs from South Korea's academic sector and a news organisation focused on North Korea. SentinelLabs has observed persistent targeting of the same individuals over a span of two months. - Malware Update
2024-01-22T14:45:41+00:00 https://www.globalsecuritymag.fr/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic.html www.secnews.physaphae.fr/article.php?IdArticle=8441691 False None APT 37 3.0000000000000000