www.secnews.physaphae.fr. This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2025-05-10T18:27:06+00:00 www.secnews.physaphae.fr

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
FBI-DHS Report Links Fancy Bear Gang to Election Hacks
2016-12-30T19:30:10+00:00
https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/
www.secnews.physaphae.fr/article.php?IdArticle=283376
False None APT 29,APT 28 None

Errata Security - Errata Security
Some notes on IoCs
"GRIZZLY STEPPE" announcement: What is this? What does this mean? What do I do with this information?
It's a YARA rule. YARA is a tool ostensibly for malware researchers, to quickly classify files. It's not really an anti-virus product designed to prevent or detect an intrusion/infection, but a tool for analyzing an intrusion/infection afterward, such as for attributing the attack. Signatures like this identify a well-known file found on infected/hacked systems.
What this YARA rule detects is, as the name suggests, the "PAS TOOL WEB KIT", a web shell that's popular among Russian/Ukrainian hackers. If you google "PAS TOOL PHP WEB KIT", the second result points to the tool in question. You can download a copy here [*], or view it on GitHub here [*].
Once a hacker gets comfortable with a tool, they tend to keep using it. That implies the YARA rule is useful for tracking the activity of that hacker, to see which other attacks they've been involved in, since it will find the same web shell on all the victims.
The problem is that this P.A.S. web shell is popular, used by hundreds if not thousands of hackers, mostly associated with Russia but also throughout the rest of the world (judging by hacker forum posts). This makes using the YARA signature for attribution problematic: just because you found P.A.S. in two different places doesn't mean it's the same hacker.
A web shell, by the way, is one of the most common things hackers use once they've broken into a server. It allows further hacking and exfiltration traffic to appear as normal web requests. It typically consists of a script file (PHP, ASP, Perl, etc.) that forwards commands to the local system. There are hundreds of popular web shells in use.
We have little visibility into how the government used these IoCs. IP addresses and YARA rules like this are weak, insufficient for attribution by themselves. On the other hand, if they've got web server logs from multiple victims where commands from those IP addresses went to this specific web shell, then the attribution that all these attacks are by the same actor would be strong.
In other words, these rules can be a reflection of the fact that the government has excellent information for attribution. Or they could be a reflection that it has only weak bits and pieces. It's impossible for us outsiders to tell. IoCs/signatures are fetishized in the cybersecurity community: people love the small rule but ignore the complexity and context around it, often misunderstanding what's going on. (I've written thousands of the things -- I'm constantly annoyed by the ignorance of those who don't understand what they mean.)
I see on
2016-12-29T20:40:33+00:00
http://blog.erratasec.com/2016/12/some-notes-on-iocs.html
www.secnews.physaphae.fr/article.php?IdArticle=282206
False None APT 29,APT 28 None

Dark Reading - Informationweek Branch
FBI, DHS Report Implicates Cozy Bear, Fancy Bear In Election-Related Hacks
2016-12-29T17:00:00+00:00
http://www.darkreading.com/threat-intelligence/fbi-dhs-report-implicates-cozy-bear-fancy-bear-in-election-related-hacks/d/d-id/1327811?_mc=RSS_DR_EDT
www.secnews.physaphae.fr/article.php?IdArticle=282231
False None APT 29,APT 28 None

SANS Institute - SANS is a defense and training organization
Scapy vs.
CozyDuke, (Sun, Nov 27th)
GIAC Security Expert re-certification process, I'll focus here on a GCIA-centric topic: Scapy. Scapy is essential to the packet analyst skill set on so many levels. For your convenience, the Packetrix VM comes preconfigured with Scapy and Snort, so you're ready to go out of the gate if you'd like to follow along for a quick introduction.
Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. This includes the ability to handle most tasks such as scanning, tracerouting, probing, unit tests, attacks or network discovery, thus replacing functionality expected from hping, 85% of nmap, arpspoof, tcpdump, and others.
If you'd really like to dig in, grab TJ O'Connor's Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers (you should already have it), as first discussed here in January 2013. TJ loves him some Scapy: Detecting and Responding to Data Link Layer Attacks is another reference. :-) You can also familiarize yourself with Scapy's syntax in short order with the SANS Scapy Cheat Sheet. Judy Novak's SANS GIAC Certified Intrusion Analyst Day 5 content offers a nice set of walk-throughs using Scapy, and given that it is copyrighted and private material, I won't share them here, but will follow a similar path so you have something to play along with at home.
We'll use a real-world APT scenario given recent and unprecedented Russian meddling in American politics. According to SC Magazine, Russian government hackers apparently broke into the Democratic National Committee (DNC) computer systems in infiltrations believed to be the work of two different Russian groups, namely Cozy Bear/CozyDuke/APT 29 and Fancy Bear/Sofacy/APT 28, working separately.
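The packet the diary goes on to craft with Scapy (an IP()/TCP() SYN from 10.0.2.15 to 209.200.83.43:80 from source port 1337, carrying "GET /ajax/index.php HTTP/1.1", saved with wrpcap() to /tmp/CozyDukeC2GET.pcap) can also be built by hand, which shows exactly what those layers and the pcap container contain. The following is an added example, not the diary's code, and deliberately uses only the Python standard library so it runs without Scapy installed. All field values and the file name are taken from the diary's own Scapy lines; the TTL, window size and link type are assumptions.

```python
"""Hand-built equivalent of the diary's Scapy packet and wrpcap() call.
Added example, not the diary's code; standard library only, so it runs
without Scapy. Field values and file name mirror the diary's one-liner;
TTL, window size and the pcap link type are assumptions."""
import ipaddress
import struct

TCP_SYN = 0x02
LINKTYPE_RAW = 101  # pcap link type for raw IPv4/IPv6 frames (no Ethernet header)

# Values from the diary's Scapy one-liner.
SRC, DST, SPORT, DPORT = "10.0.2.15", "209.200.83.43", 1337, 80
REQUEST_LINE = b"GET /ajax/index.php HTTP/1.1"
PCAP_PATH = "/tmp/CozyDukeC2GET.pcap"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words.
    Used for both the IPv4 header and the TCP pseudo-header + segment."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   flags: int = TCP_SYN, payload: bytes = b"",
                   ttl: int = 64, seq: int = 0) -> bytes:
    """Return a raw IPv4 packet carrying a TCP segment (no options) plus payload,
    with both checksums filled in, as Scapy does when it serializes IP()/TCP()."""
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    seg_len = 20 + len(payload)
    # sport, dport, seq, ack, data offset (5 words) << 4, flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, seg_len)
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    # version/IHL, DSCP, total length, id, flags/frag, TTL, proto 6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + seg_len, 1, 0, ttl, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp + payload


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the fields a Snort rule or an analyst looks at, and verify both
    checksums (a header with a valid checksum sums to 0 under inet_checksum)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    seg = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", seg[:4])
    data_off = (seg[12] >> 4) * 4
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(seg))
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "sport": sport,
        "dport": dport,
        "syn": bool(seg[13] & TCP_SYN),
        "payload": seg[data_off:],
        "ip_csum_ok": inet_checksum(pkt[:ihl]) == 0,
        "tcp_csum_ok": proto == 6 and inet_checksum(pseudo + seg) == 0,
    }


def pcap_bytes(packets, linktype: int = LINKTYPE_RAW, ts: int = 0) -> bytes:
    """Serialize raw packets as a classic libpcap file (magic 0xa1b2c3d4, v2.4),
    the container wrpcap() writes. Packets are timestamped ts, ts+1, ... seconds."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", ts + i, 0, len(pkt), len(pkt))  # sec, usec, caplen, len
        out += pkt
    return bytes(out)


def read_pcap(data: bytes) -> list:
    """Inverse of pcap_bytes(): return the raw packet records (little-endian pcap only)."""
    assert data[:4] == b"\xd4\xc3\xb2\xa1", "not a little-endian classic pcap"
    packets, pos = [], 24
    while pos < len(data):
        _, _, caplen, _ = struct.unpack("<IIII", data[pos:pos + 16])
        packets.append(data[pos + 16:pos + 16 + caplen])
        pos += 16 + caplen
    return packets


if __name__ == "__main__":
    syn = build_ipv4_tcp(SRC, DST, SPORT, DPORT, payload=REQUEST_LINE)
    with open(PCAP_PATH, "wb") as fh:
        fh.write(pcap_bytes([syn]))
    print(parse_ipv4_tcp(syn))
```

Running the block writes the same kind of file the diary produces, which can then be replayed through the Packetrix VM's Snort with snort -r /tmp/CozyDukeC2GET.pcap to test a rule. Note that, exactly like the diary's packet, this is a SYN that already carries HTTP data; Scapy lets you build it, but a stateful sensor will not see an established session, so rules that depend on flow state will not fire on it.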
As is often the case, ironically and consistently, one of the best overviews of CozyDuke behaviors comes via Kaspersky. The diary crafts a TCP SYN to 209.200.83.43 carrying an HTTP GET as payload and writes it to a pcap (Figure 2); the quoting that the feed extraction stripped is restored here:

from scapy.all import IP, TCP, wrpcap, ls

syn = IP(src="10.0.2.15", dst="209.200.83.43")/TCP(sport=1337, dport=80, flags="S")/"GET /ajax/index.php HTTP/1.1"
wrpcap("/tmp/CozyDukeC2GET.pcap", syn)

To see which fields a layer accepts and their defaults, use ls(), e.g. ls(IP) (Figure 4: ls()). If you
@holisticinfosec (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2016-11-27T19:24:01+00:00
https://isc.sans.edu/diary.html?storyid=21755&rss
www.secnews.physaphae.fr/article.php?IdArticle=260988
False None APT 29,APT 28 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
Warning: Beware of Post-Election Phishing Emails Targeting NGOs and Think Tanks
2016-11-11T01:10:14+00:00
http://feedproxy.google.com/~r/TheHackersNews/~3/-JOGEYf0Ri4/election-trump-phishing-malware.html
www.secnews.physaphae.fr/article.php?IdArticle=252367
False None APT 29 None

Dark Reading - Informationweek Branch
Russian Hackers Behind DNC Breach Wage Post-US Election Attacks
2016-11-10T15:55:00+00:00
http://www.darkreading.com/threat-intelligence/russian-hackers-behind-dnc-breach-wage-post-us-election-attacks/d/d-id/1327462?_mc=RSS_DR_EDT
www.secnews.physaphae.fr/article.php?IdArticle=252303
False None APT 29 None

Network World - IT magazine
Suspected Russian hackers target US think tanks after election
responsible for hacking the Democratic National Committee and is allegedly tied to the Russian government.
2016-11-10T11:46:16+00:00
http://www.networkworld.com/article/3139403/security/suspected-russian-hackers-target-us-think-tanks-after-election.html#tk.rss_security
www.secnews.physaphae.fr/article.php?IdArticle=251916
False None APT 29 None

Palo Alto Networks - Vendor site
The Dukes R&D Finds a New Anti-Analysis Technique
2016-09-09T15:53:24+00:00
http://feedproxy.google.com/~r/PaloAltoNetworks/~3/fQw-sk2IRrA/
www.secnews.physaphae.fr/article.php?IdArticle=37465
False None APT 29 None

Dark Reading - Informationweek Branch
US Think Tanks Involved in Russia Research Allegedly Hacked
2016-08-30T10:30:00+00:00
http://www.darkreading.com/attacks-breaches/us-think-tanks-involved-in-russia-research-allegedly-hacked/d/d-id/1326767?_mc=RSS_DR_EDT
www.secnews.physaphae.fr/article.php?IdArticle=9532
False None APT 29 None

SC Magazine - Magazine
Cozy Bear suspected of hacking Russia-focused think tanks in D.C.
2016-08-29T20:55:31+00:00
http://feedproxy.google.com/~r/SCMagazineHome/~3/easWhxEUH0U/
www.secnews.physaphae.fr/article.php?IdArticle=9438
False None APT 29 None

SC Magazine - Magazine
Guccifer 2.0 out - Cozy Bear, Fancy Bear hacked DNC, Fidelis analysis shows
2016-06-21T13:04:21+00:00
http://feedproxy.google.com/~r/SCMagazineHome/~3/CjWOycfronc/
www.secnews.physaphae.fr/article.php?IdArticle=3156
False None APT 29,APT 28 None