www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
Feed generated: 2025-05-11T22:12:55+00:00

Source: Security Affairs - Security blog
Title: US DHS and FBI share reports on FALLCHILL and Volgmer malware used by North Korean Hidden Cobra APT
Date: 2017-11-15T08:52:11+00:00
Link: http://securityaffairs.co/wordpress/65582/malware/fallchill-volgmer-hidden-cobra.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=433403
Tags: Medical, APT 38
US DHS published the details of the malware FALLCHILL and Volgmer used by the APT group Hidden Cobra that is linked to the North Korean government. The US Department of Homeland Security (DHS) published the details of the hacking tool FALLCHILL used by one of the APT groups linked to the North Korean government, tracked as Hidden Cobra (aka Lazarus Group). […]

Source: Bleeping Computer - American magazine
Title: North Korean Hackers Used Hermes Ransomware to Hide Recent Bank Heist
Date: 2017-10-17T07:50:25+00:00
Link: https://www.bleepingcomputer.com/news/security/north-korean-hackers-used-hermes-ransomware-to-hide-recent-bank-heist/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=419956
Tags: Medical, APT 38

Source: BAE - BAE Systems Threat Research
Title: Taiwan Heist: Lazarus Tools and Ransomware
Date: 2017-10-16T22:32:36+00:00
Link: http://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=419214
Tags: Medical, Wannacry, APT 38
Timeline (as far as the excerpt preserves it):
(date not in excerpt) Malware compiled containing admin credentials for the FEIB network.
03 October 2017: Transfers using MT103 messages were sent from FEIB to Cambodia, the US and Sri Lanka. Messages to cover the funds for the payments were incorrectly created and sent.
03 October 2017: Breach discovered and ransomware uploaded to online malware repository site.
04 October 2017: Individual in Sri Lanka cashes out a reported Rs30m (~$195,000).
06 October 2017: (excerpt cut off)

Source: Bleeping Computer - American magazine
Title: North Korean Cyberspies Target US Defense Contractors Following Nuclear Threats
Date: 2017-08-16T16:55:51+00:00
Link: https://www.bleepingcomputer.com/news/security/north-korean-cyberspies-target-us-defense-contractors-following-nuclear-threats/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=397419
Tags: Medical, APT 38

Source: We Live Security - ESET antivirus software vendor
Title: WannaCryptor attack 'may have come from Lazarus group'
Date: 2017-06-21T11:47:47+00:00
Link: http://feedproxy.google.com/~r/eset/blog/~3/JJb8vQVzPr4/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=376944
Tags: Medical, Wannacry, APT 38

Source: InformationSecurityBuzzNews - Security news site
Title: Hidden Cobra And DeltaCharlie: An Explainer
Date: 2017-06-19T08:15:46+00:00
Link: http://www.informationsecuritybuzz.com/study-research/hidden-cobra-deltacharlie-explainer/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=375850
Tags: Medical, APT 38

Source: Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
Title: Threatpost News Wrap, June 16, 2017
Date: 2017-06-16T16:00:31+00:00
Link: https://threatpost.com/threatpost-news-wrap-june-16-2017/126332/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=375739
Tags: Medical, APT 38

Source: InformationSecurityBuzzNews - Security news site
Title: US Blames North Korean 'Hidden Cobra' Group For Cyber Attacks Since 2009
Date: 2017-06-14T17:55:58+00:00
Link: http://www.informationsecuritybuzz.com/expert-comments/us-blames-north-korean-hidden-cobra-group-cyber-attacks-since-2009/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=374391
Tags: Medical, APT 38

Source: Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
Title: DHS, FBI Warn of North Korea 'Hidden Cobra' Strikes Against US Assets
Date: 2017-06-14T17:17:21+00:00
Link: https://threatpost.com/dhs-fbi-warn-of-north-korea-hidden-cobra-strikes-against-us-assets/126263/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=374251
Tags: Medical, APT 38

Source: TechRepublic - Security News US
Title: US indicts North Korea for host of cyberattacks, expects more to come
Date: 2017-06-14T14:22:31+00:00
Link: http://www.techrepublic.com/article/us-indicts-north-korea-for-host-of-cyberattacks-expects-more-to-come/#ftag=RSS56d97e7
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=374186
Tags: Medical, APT 38

Source: SecurityWeek - Security News
Title: U.S. Warns of North Korea's 'Hidden Cobra' Attacks
Date: 2017-06-14T10:44:45+00:00
Link: http://feedproxy.google.com/~r/Securityweek/~3/uXZJuAMl5L4/us-warns-north-koreas-hidden-cobra-attacks
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=373938
Tags: Medical, APT 38

Source: The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
Title: US Warns of 'DeltaCharlie' – A North Korean DDoS Botnet Malware
Date: 2017-06-14T05:23:04+00:00
Link: http://feedproxy.google.com/~r/TheHackersNews/~3/zQCuoN_v69E/north-korea-hacking-malware.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=373927
Tags: Medical, APT 38

Source: TechRepublic - Security News US
Title: Video: North Korean hacking group has been hitting the US since 2009
Date: 2017-06-14T04:00:00+00:00
Link: http://www.techrepublic.com/videos/video-north-korean-hacking-group-has-been-hitting-the-us-since-2009/#ftag=RSS56d97e7
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=374191
Tags: Medical, Wannacry, APT 38
Score: 4.0

Source: SANS Institute - SANS is a defense and training organisation
Title: Analysis of Competing Hypotheses, WCry and Lazarus (ACH part 2), (Wed, May 31st)
Date: 2017-05-31T07:33:02+00:00
Link: https://isc.sans.edu/diary.html?storyid=22470&rss
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=369903
Tags: Medical, Wannacry, APT 38
In the previous diary, I did a very brief introduction on what the ACH method is [1], so that now all readers, also those who had never seen it before, can have a common basic understanding of it. One more thing I have not mentioned yet is how the scores are calculated. There are three different algorithms: an Inconsistency Counting algorithm, a Weighted Inconsistency Counting algorithm, and a Normalized algorithm [2]. The Weighted Inconsistency Counting algorithm, the one used in today's examples, builds on the Inconsistency algorithm, but also factors in weights of credibility and relevance values. For each item of evidence, a consistency entry of I
[figure]
Today, I will apply ACH to a recent, quite well-known case: WCry attribution. There have been lots of analyses and speculations around it; lately several sources in the InfoSec community tied WCry strongly to Lazarus Group [3][4][5][6], while some others provided motivation for being skeptical about such attribution [7]. Therefore, it is a perfect case to show the use of ACH: several different hypotheses, facts, pieces of evidence and assumptions.
Digital Shadows WCry ACH analysis
About two weeks ago, Digital Shadows published a very well done post on ACH applied to WCry attribution [8]. Regarding possible attribution to Lazarus though, as stated in their post, "At the time of writing, however, we assessed there to be insufficient evidence to corroborate this claim of attribution to this group, and alternative hypotheses should be considered." Therefore, among the hypotheses considered, one specifically for Lazarus is missing, in place of a more generic nation state or state-affiliated actor. The following are the four different hypotheses considered by Digital Shadows:
A sophisticated financially-motivated cybercriminal actor - H1
An unsophisticated financially-motivated cybercriminal actor - H2
A nation state or state-affiliated actor conducting a disruptive operation - H3
A nation state or state-affiliated actor aiming to discredit the National Security Agency (NSA) - H4
[figure]
Given the final scores computed, they have assessed that "though by no means definitive, a WannaCry campaign launched by an unsophisticated cybercriminal actor was the most plausible scenario based on the information that is currently available." Just one note on my side: from my calculation it seems they have made a mistake, and the H2 score should be -2.121 rather than -1.414. This does not change the final result, but brings H2 and H3 way closer.
My WCry ACH Analysis
Although the Digital Shadows analysis was a very good one, I felt something was missing, both on the hypotheses as well as on the evidence side. Particularly, in my opinion, I would add three more hypotheses. When thinking about the NSA being the final target of this, other than "A nation state or state-affiliated actor aiming to discredit the NSA", I think that a (generic/unattributed) TA aiming at unveiling/exposing the extent of the possible NSA network of compromised machines (H5) should also be considered. This is something one would expect from a hacktivist maybe, although it seems to be way more sophisticated than what hacktivists have got us used to. One difference with H4 could be the lack of a supporting media narrative. While someone who wants to discredit the NSA would be ready to have a supporting media narrative, if the goal was simply to unveil and show to everyone the potential extent of NSA-infected machines, the infection as it was would have been sufficient, given also the abundant media coverage it got. Although this may still be seen as too close to H4 to be a different hypothesis, I still do see a case for it.

Source: Bleeping Computer - American magazine
Title: New Evidence Cements Theory That North Korea is Behind Lazarus Group
Date: 2017-05-30T14:00:19+00:00
Link: https://www.bleepingcomputer.com/news/security/new-evidence-cements-theory-that-north-korea-is-behind-lazarus-group/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=369722
Tags: Medical, APT 38

Source: The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
Title: Linguistic Analysis Suggests WannaCry Hackers Could be From Southern China
Date: 2017-05-29T11:10:00+00:00
Link: http://feedproxy.google.com/~r/TheHackersNews/~3/UUyO_atN2_Q/china-wannacry-ransomware.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=369372
Tags: Medical, Wannacry, APT 38

Source: Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
Title: Threatpost News Wrap, May 19, 2017
Date: 2017-05-19T13:00:19+00:00
Link: https://threatpost.com/threatpost-news-wrap-may-19-2017/125796/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=366984
Tags: Medical, Wannacry, APT 38

Source: Bleeping Computer - American magazine
Title: 3 Security Firms Say WannaCry Ransomware Shares Code with North Korean Malware
Date: 2017-05-17T06:50:12+00:00
Link: https://www.bleepingcomputer.com/news/security/3-security-firms-say-wannacry-ransomware-shares-code-with-north-korean-malware/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=366168
Tags: Medical, Wannacry, APT 38

Source: BAE - BAE Systems Threat Research
Title: WanaCrypt0r Ransomworm
Date: 2017-05-17T03:33:55+00:00
Link: http://baesystemsai.blogspot.com/2017/05/wanacrypt0r-ransomworm.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=365767
Tags: Guideline, Medical, Wannacry, APT 38
ANALYSIS: Initial Vector
The initial infection vector is still unknown. Reports by some of phishing emails have been dismissed by other researchers as relevant only to a different (unrelated) ransomware campaign, called Jaff. There is also a working theory that the initial compromise may have come from SMB shares exposed to the public internet. Results from Shodan show over 1.5 million devices with port 445 open – the attacker could have infected those shares directly.
The Dropper/Worm
The infection starts from a 3.6Mb executable file named mssecsvc.exe or lhdfrgui.exe. Depending on how it's executed, it can function as a dropper or as a worm. When run, the executable first checks if it can connect to the following URL: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
The connection is checked with the WinINet functions, shown below (decompiler output, cut off in the excerpt):
    qmemcpy(&szUrl, "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com", 57u);
    h1 = InternetOpenA(0,

Source: IT Security Guru - Security blog
Title: WannaCry ransomware cyber-attack 'may have N Korea link'
Date: 2017-05-16T10:39:48+00:00
Link: http://www.itsecurityguru.org/2017/05/16/wannacry-ransomware-cyber-attack-may-n-korea-link/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=365710
Tags: Medical, Wannacry, APT 38

Source: Network World - IT magazine
Title: Kaspersky Lab reveals 'direct link' between banking heist hackers and North Korea
Date: 2017-04-04T08:22:00+00:00
Link: http://www.networkworld.com/article/3187548/security/kaspersky-lab-reveals-direct-link-between-banking-heist-hackers-and-north-korea.html#tk.rss_security
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=352653
Tags: Medical, APT 38
… banking heist hackers and North Korea. While Lazarus is a notorious cyber-espionage and sabotage group, a subgroup of Lazarus, called Bluenoroff by Kaspersky researchers, focuses only on financial attacks with the goal of “invisible theft without leaving a trace.” The group has four main types of targets: financial institutions, casinos, companies involved in the development of financial trade software and crypto-currency businesses.

Source: Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
Title: Lazarus APT Spinoff Linked to Banking Hacks
Date: 2017-04-03T20:38:44+00:00
Link: https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=352251
Tags: Medical, APT 38

Source: Network World - IT magazine
Title: Banking hackers left a clue that may link them to North Korea
Date: 2017-04-03T16:33:01+00:00
Link: http://www.networkworld.com/article/3187391/security/banking-hackers-left-a-clue-that-may-link-them-to-north-korea.html#tk.rss_security
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=351700
Tags: Medical, APT 38
… $81 million theft from Bangladesh's central bank through the SWIFT transaction software. However, hackers working for the group recently made a mistake: they failed to wipe the logs from a server the group had hacked in Europe, security firm Kaspersky Lab said on Monday.

Source: BAE - BAE Systems Threat Research
Title: Lazarus & Watering-hole attacks
Date: 2017-03-06T12:13:22+00:00
Link: http://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=352308
Tags: Guideline, Medical, APT 38
… article that detailed a series of attacks directed at Polish financial institutions. The article is brief, but states that "This is – by far – the most serious information security incident we have seen in Poland", followed by a claim that over 20 commercial banks had been confirmed as victims. This report provides an outline of the attacks based on what was shared in the article, and our own additional findings.
ANALYSIS
As stated in the blog, the attacks are suspected of originating from the website of the Polish Financial Supervision Authority (knf.gov[.]pl), shown below. From at least 2016-10-07 to late January the website code had been modified to cause visitors to download malicious JavaScript files from the following locations:
hxxp://sap.misapor[.]ch/vishop/view.jsp?pagenum=1
hxxps://www.eye-watch[.]in/design/fancybox/Pnf.action
Both of these appear to be compromised domains, given they are also hosting legitimate content and have done so for some time. The malicious JavaScript leads to the download of malware to the victim's device. Some hashes of the backdoor have been provided in BadCyber's technical analysis:
85d316590edfb4212049c4490db08c4b
c1364bbf63b3617b25b58209e4529d8c
1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae
The C&Cs given in the BadCyber analysis were the following IP addresses:
125.214.195.17
196.29.166.218
LAZARUS MALWARE
Only one of the samples referenced by BadCyber is available in public malware repositories. At the moment we cannot verify that it originated from the watering-hole on the KNF website – but we have no reason to doubt this either.
MD5 hash | Filename | File Info | First seen
(table rows cut off in the excerpt)

Source: BAE - BAE Systems Threat Research
Title: Lazarus' False Flag Malware
Date: 2017-03-06T12:13:03+00:00
Link: http://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=352307
Tags: Guideline, Medical, APT 38
We continue to investigate the recent wave of attacks on banks using watering-holes on at least two financial regulator websites as well as others. Our initial analysis of malware disclosed in the BadCyber blog hinted at the involvement of the 'Lazarus' threat actor. Since the release of our report, more samples have come to light, most notably those described in the Polish language niebezpiecznik.pl blog on 7 February 2017.
MD5 hash | Filename | Compile Time | File Info | Submitted
9216b29114fb6713ef228370cbfe4045 | srservice.chm | N/A | N/A | N/A
8e32fccd70cec634d13795bcb1da85ff | srservice.hlp | N/A | N/A | N/A
e29fe3c181ac9ddb (row cut off in the excerpt)

Source: Graham Cluley - Security blog
Title: Lazarus mob possibly behind malware attacks against Polish banks
Date: 2017-02-13T20:39:54+00:00
Link: https://www.grahamcluley.com/lazarus-gang-possibly-behind-malware-attacks-polish-banks/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=313179
Tags: Medical, APT 38
A hacking gang known as the Lazarus Group might be responsible for malware attacks that have targeted Polish banks and other financial organizations. David Bisson reports.

Source: AlienVault Blog - AlienVault is a major defense player in IOCs
Title: Top 12 AlienVault Blogs of 2016
Date: 2017-01-03T14:00:00+00:00
Link: http://feeds.feedblitz.com/~/252664318/0/alienvault-blogs~Top-AlienVault-Blogs-of
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=284657
Tags: Medical, APT 38, APT 32
… subscribe to our blog to ensure you get all the new goodies either daily or as a weekly summary in your inbox. Without further ado, following are the top 12 AlienVault blogs of 2016:
Building a Home Lab to Become a Malware Hunter - A Beginner's Guide - The top blog of 2016 was written by @sudosev and explains how he set up his own home malware lab.
How Penetration Testers Use Google Hacking - Jayme Hancock describes how to do Google hacking / dorking cleverly as a pen tester. It even includes a helpful "cheat sheet".
Security Issues of WiFi - How it Works - Everyone loves WiFi, but Joe Gray explains how WiFi works and describes the many security issues and nuances associated with WiFi.
Reverse Engineering Malware - In this blog, I interview some members of our AlienVault Labs team to learn how they reverse engineer malware when they're doing security research. The team describes several approaches and tools to use in analyzing malware samples.
The Mirai Botnet, Tip of the IoT Iceberg - Javvad Malik talks about IoT security challenges in general, and focuses on the Mirai botnet which focused on XiongMai Technologies IoT equipment in a recent attack.
Web Application Security: Methods and Best Practices - The OWASP top 10 and web application security testing are covered in this educational blog by Garrett Gross.
Common Types of Malware, 2016 Update - Lauren Barraco outlines the different categories of malware and highlights what's new in 2016.
PowerWare or PoshCoder? Comparison and Decryption - Peter Ewane of the Labs team talks about his research into PowerShell vulnerabilities and exploits. He focuses on PowerWare, which seems to be heavily based on PoshCoder.
Can You Explain Encryption to Me? - In this blog by Javvad Malik, he describes encryption to his boss in a hilarious exchange of notes. Javvad then outlines the basics of encryption in a very understandable way.
OceanLotus for OS X – an Application Bundl

Source: AlienVault Blog - AlienVault is a major defense player in IOCs
Title: OnionDog – An Example of a Regional, Targeted Attack
Date: 2016-08-09T13:00:00+00:00
Link: http://feeds.feedblitz.com/~/176703272/0/alienvault-blogs~OnionDog-%e2%80%93-An-Example-of-a-Regional-Targeted-Attack
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=7188
Tags: Medical, APT 38
360 SkyEye Labs published a detailed analysis of the OnionDog APT earlier this year, and during the dog-days of Summer (see what I did there?) it seems appropriate to revisit this malware. OnionDog has been around for several years and exploits a vulnerability in Hangul office software, which is a popular Korean-language productivity suite. Hangul software is also widely deployed in South Korean Government agencies and facilities. The group behind OnionDog is the Lazarus Group, exposed by AlienVault and other threat intelligence teams as part of Operation Blockbuster for its targeting of Sony Pictures and a range of other targets.
How it Works
OnionDog used various techniques to entice victims to open the malicious attachment. The attachments targeted a range of government agencies and utilities, such as power, water, ports, transit, and rail to lure its victims (see the screenshot of the 'Investigation Report of the Korean Railway Accident' below). Source: 360 SkyEye Labs. The malware installs a back door on the compromised system, collects and forwards information about the compromised systems to the C&C server, and also infects any device attached to the USB drive.
Impact on you
The regional nature of OnionDog will likely limit your exposure to this particular version of the threat if you're not located in South Korea. However, if there is a user of Hangul software on your network, or if someone in your office may have visited an office that uses Hangul software and plugged a device into a compromised system, you may be at risk of data loss. However, although this version of the malware is localized to South Korea, the Lazarus Group could easily choose another popular application to target specific organizations in other countries.
How AlienVault Helps
The AlienVault® Unified Security Management (USM)™ platform delivers the essential security capabilities that organizations of all sizes need to detect, prioritize, and respond to threats like OnionDog. The AlienVault Labs team regularly updates the rulesets that drive the threat detection and response capabilities of the AlienVault USM platform, to keep you up to date with new and evolving threats such as OnionDog. The Labs team performs the threat research on the latest threats, and on how to detect and respond to them, that most IT teams simply don't have the expertise, time, budget, or tools to do themselves. The Labs team recently updated the USM platform's ability to detect this new threat by adding IDS signatures to detect the malicious traffic and a correlation directive to link events from across a network that indicate a system compromised by OnionDog. Learn more about the

Source: AlienVault Lab Blog - AlienVault is a major defense player in IOCs
Title: Operation BlockBuster unveils the actors behind the Sony attacks
Date: 2016-02-24T14:00:00+00:00
Link: http://feeds.feedblitz.com/~/140108184/0/alienvaultotx~Operation-BlockBuster-unveils-the-actors-behind-the-Sony-attacks
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=59
Tags: Medical, Yahoo, APT 38
… Kaspersky's Global Research and Analysis Team. In the research that AlienVault and Kaspersky collaborated on, we attributed several campaigns to this actor. Armed with some of the indicators that US-CERT made public after the Sony attack, we continued to analyze different campaigns in 2015 that we suspected were being launched by the same actor. Eventually we were also able to attribute previous activity to the same attackers, including:
Sony Pictures Entertainment - 2014
Operation DarkSeoul - 2013
Operation Troy - 2013
Wild Positron / Duuzer - 2015
Besides several campaigns where the Lazarus group has utilized wipers to perform destructive attacks, they have also been busy using the same tools to perform data theft and cyber espionage operations. Today, as part of the Operation BlockBuster release, we want to share some of our findings and TTPs from the Lazarus Group that allowed us to link and attribute all the campaigns and tools into the same cluster of activity. We highly recommend that you read the comprehensive report Novetta published today that includes details on the project's scope and the more than 45 malware families identified, and includes signatures and guidance to help organizations detect and stop the group's actions.
Encryption/Shared keys
One of the key findings that gave us the opportunity to link several families to the same actors was finding a dropper that the attackers use. This dropper contains a compressed resource (ZIP) with the name “MYRES” that is protected by a password. The attackers have reused the same password on different occasions and we were able to find droppers containing different families used by the group. This actor also reuses the code libraries they utilize to perform RSA encryption. We were also able to find the exact same public key in multiple variants.
Batch scripts
This actor often uses BAT files that share the same skeleton in order to delete the initial files after infection. We have seen them reuse this technique across multiple droppers and payloads.
Obfuscation functions
The Lazarus Group uses a few different methods to obfuscate API functions and dynamically load them. One of them consists of using a simple XOR schema.