www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2025-05-10T22:59:55+00:00 www.secnews.physaphae.fr
We Live Security - ESET antivirus software publisher Sednit update: Analysis of Zebrocy 2018-04-24T12:56:02+00:00 https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ www.secnews.physaphae.fr/article.php?IdArticle=611344 False None APT 28 None
SecurityWeek - Security News Sofacy Targets European Govt as U.S. Accuses Russia of Hacking sanctions against Russian spy agencies and more than a dozen individuals for trying to influence the 2016 presidential election and launching cyberattacks, including the destructive NotPetya campaign and operations targeting energy firms. The Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert via US-CERT last year to warn about attacks launched by a group known as Dragonfly, Crouching Yeti and Energetic Bear on critical infrastructure. Researchers previously linked Dragonfly to the Russian government and now the DHS has officially stated the same. US-CERT has updated its alert with some additional information. The new version of the alert replaces “APT actors” with “Russian government cyber actors.” The DHS said that based on its analysis of malware and indicators of compromise, Dragonfly attacks are ongoing, with threat actors “actively pursuing their ultimate objectives over a long-term campaign.” This is not the first time the U.S. has imposed sanctions on Russia over its attempt to influence elections. Russia has also been accused by Washington and others of launching the NotPetya attack last year. The Kremlin has always denied the accusations, but President Vladimir Putin did admit at one point that patriotic hackers could be behind the attacks.
If Dragonfly and Sofacy (aka Fancy Bear, APT28, Sednit, Tsar Team and Pawn Storm) are truly operating out of Russia, they don't seem to be discouraged by sanctions and accusations. On March 12 and March 14, security firm Palo Alto Networks spotted attacks launched by Sofacy against an unnamed European government agency using an updated variant of a known tool. Sofacy has been using a Flash Player exploit platform dubbed DealersChoice since at least 2016 and it has continued improving it. The latest version has been delivered to a government organization in Europe using a spear phishing email referencing the “Underwat 2018-03-16T14:40:02+00:00 http://feedproxy.google.com/~r/Securityweek/~3/H_qjWOR2vLM/sofacy-targets-european-govt-us-accuses-russia-hacking www.secnews.physaphae.fr/article.php?IdArticle=519656 False None NotPetya,APT 28 None
SecurityWeek - Security News Usual Threats, But More Sophisticated and Faster: Report fileless attacks, primarily via PowerShell, grew; and there was a surge in cryptocurrency hijacking malware. These were the primary threats outlined in the latest McAfee Labs Threat Report (PDF) covering Q4 2017. The growth of cryptomining malware coincided with the surge in Bitcoin value, which peaked at just under $20,000 on Dec. 22. With the cost of dedicated mining hardware at upwards of $5,000 per machine, criminals chose to steal users' CPU time via malware. It demonstrates how criminals always follow the money, and choose the least expensive method of acquiring it with the greatest chance of avoiding detection. Since December, Bitcoin's value has fallen to $9,000 (at the time of publishing). Criminals' focus on Bitcoin is likewise being modified, with Ethereum and Monero becoming popular. Last week, Microsoft discovered a major campaign focused on stealing Electroneum.
"We currently see discussions in underground forums that suggest moving from Bitcoin to Litecoin because the latter is a safer model with less chance of exposure," comments Raj Samani, chief scientist and McAfee fellow with the Advanced Threat Research Team. The speed with which criminals adapt to their latest market conditions is also seen in the way they maximize their asymmetric advantage. "Adversaries," writes Samani, "have the luxury of access to research done by the technical community, and can download and use opensource tools to support their campaigns, while the defenders' level of insight into cybercriminal activities is considerably more limited, and identifying evolving tactics often must take place after malicious campaigns have begun." Examples of attackers making use of legitimate research include Fancy Bear (APT28) leveraging a Microsoft Office Dynamic Data Exchange technique in November 2017 that had been made public just a few we]]> 2018-03-13T15:50:02+00:00 http://feedproxy.google.com/~r/Securityweek/~3/oZrY8mCN0zo/usual-threats-more-sophisticated-and-faster-report www.secnews.physaphae.fr/article.php?IdArticle=510719 True None NotPetya,Equifax,APT 28 None UnderNews - Site de news "pirate" francais Sofacy/Fancy Bear s\'oriente vers des cibles militaires et diplomatiques en Extrême-Orient Les chercheurs de Kaspersky Lab ont observé que le groupe malveillant russophone Sofacy, également connu sous le nom de APT28 ou Fancy Bear, déplace son terrain d'action vers l'Extrême-Orient, avec un intérêt marqué pour des cibles militaires et diplomatiques, en plus de celles traditionnellement liées à l'OTAN.]]> 2018-03-10T09:38:00+00:00 http://feedproxy.google.com/~r/undernews/oCmA/~3/bQKMrMPpgmA/sofacy-fancy-bear-soriente-vers-des-cibles-militaires-et-diplomatiques-en-extreme-orient.html www.secnews.physaphae.fr/article.php?IdArticle=504681 False None APT 28 None The State of Security - Magazine Américain Germany Blames Russian Black-Hat Hackers for Breach 
of Federal Agencies Read More ]]> 2018-03-01T11:51:01+00:00 https://www.tripwire.com/state-of-security/latest-security-news/germany-blames-russian-black-hat-hackers-for-breach-of-federal-agencies/ www.secnews.physaphae.fr/article.php?IdArticle=493527 False None APT 28 None Security Affairs - Blog Secu DPA Report: Russia-linked APT28 group hacked Germany\'s government network 2018-03-01T08:38:02+00:00 http://securityaffairs.co/wordpress/69682/apt/apt28-hacked-german-government.html www.secnews.physaphae.fr/article.php?IdArticle=493637 False None APT 28 None Bleeping Computer - Magazine Américain Infamous Russian Cyber-Espionage Group Hacks German Government 2018-03-01T08:10:05+00:00 https://www.bleepingcomputer.com/news/government/infamous-russian-cyber-espionage-group-hacks-german-government/ www.secnews.physaphae.fr/article.php?IdArticle=493623 False None APT 28 None UnderNews - Site de news "pirate" francais Qu\'est-ce qu\'un malware " macro-less " et pourquoi cela vous dit-il quelque chose ? L'année dernière, des pirates liés au groupe de hackers russe APT28 ont démarré une attaque comme en 1999 avec un malware basé sur Microsoft Word qui ne déclenche aucune alerte de sécurité dans son parcours. 
Ces types d'attaques sont appelées " macro-less malware " car ils contournent les alertes de sécurité mises en place dans les logiciels Microsoft Office en réponse aux macro malwares traditionnels tels que le virus Melissa à la fin du 20ème siècle.]]> 2018-02-23T13:51:02+00:00 http://feedproxy.google.com/~r/undernews/oCmA/~3/Ec7Q6F7UhCU/quest-ce-quun-malware-macro-less-et-pourquoi-cela-vous-dit-il-quelque-chose.html www.secnews.physaphae.fr/article.php?IdArticle=489968 False None APT 28 None Security Affairs - Blog Secu Russia-linked Sofacy APT group shift focus from NATO members to towards the Middle East and Central Asia 2018-02-21T20:25:00+00:00 http://securityaffairs.co/wordpress/69365/apt/sofacy-apt-east.html www.secnews.physaphae.fr/article.php?IdArticle=487758 False None APT 28 None SecurityWeek - Security News Russian Cyberspies Shift Focus From NATO Countries to Asia 2018-02-20T18:41:02+00:00 http://feedproxy.google.com/~r/Securityweek/~3/56CeXXwJ6pI/russian-cyberspies-shift-focus-nato-countries-asia www.secnews.physaphae.fr/article.php?IdArticle=486815 False None APT 28 None IT Security Guru - Blog Sécurité Which is most the dangerous global hacking cyber group? – AlienVault research AlienVault researchers have listed Sofacy, also known as Fancy Bear or APT28, as the most capable hacking group in the world. This was based on ranking the top threat actors which have been reported the most frequently on the AlienVault Open Threat Exchange (OTX) Platform.   The results were then formulated to measure the cyber ... ]]> 2018-02-02T09:55:56+00:00 http://www.itsecurityguru.org/2018/02/02/dangerous-global-hacking-cyber-group-alienvault-research/ www.secnews.physaphae.fr/article.php?IdArticle=463618 False None APT 28 None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC OTX Trends Part 3 - Threat Actors Part 1 focused on exploits and part 2 addressed malware. This part will discuss threat actors and patterns we have detected with OTX. 
Which threat actors should I be most concerned about? Which threat actors your organization should be most concerned about will vary greatly. A flower shop will have a very different threat profile from a defense contractor. Therefore we've limited ourselves below to some very high-level trends of particular threat actors, many of which may not be relevant to your organisation. Which threat actors are most active? The following graph describes the number of vendor reports for each threat actor over the past two years by quarter: For clarity, we have limited the graph to the five threat actors reported on most in OTX. This is useful as a very rough indication of which actors are particularly busy. Caveats There are a number of caveats to consider here. One news-worthy event against a single target may be reported in multiple vendor reports, whereas a campaign against thousands of targets may be represented by only one report. Vendors are also more inclined to report on something that is “commercially interesting”. For example, activity targeting banks in the United States is more likely to be reported than attacks targeting the Uyghur population in China. It’s also likely we missed some reports, particularly in the earlier days of OTX, which may explain some of the increase in reports between 2016 and 2017. The global targeted threat landscape There are a number of suggested methods to classify the capability of different threat actors. Each has its problems, however. For example – if a threat actor never deploys 0-day exploits, do they lack the resources to develop them, or are they mature enough to avoid wasting resources unnecessarily? Below we have plotted out a graph of the threat actors most reported on in the last two years. We have excluded threat actors whose motivation is thought to be criminal, as that wouldn’t be an apples to apples comparison.
Both the measure of their activity (the number of vendor reports) and the measure of their capability (a rough rule of thumb) are not scientific, but can provide some rough insights: A rough chart of the activity and capability of notable threat actors in the last year Perhaps most notable here is which threat actors are not listed. Some, such as APT1 and Equation Group, seem to have disappeared under their existing formation following very public reporting. It seems unlikely that groups which likely employ thousands of people, such as those, have disappeared completely. The lack of such reporting is more likely a result of significantly changed tactics and identification following their outing. Others remain visibly active, but not enough to make our chart of “worst offenders”. A review of the most reported on threat actors The threat actor referenced i 2018-01-30T13:40:00+00:00 http://feeds.feedblitz.com/~/521337082/0/alienvault-blogs~OTX-Trends-Part-Threat-Actors www.secnews.physaphae.fr/article.php?IdArticle=461917 False None APT 38,APT 28,APT 10,APT 3,APT 1,APT 34 None
TrendLabs Security - Antivirus vendor Update on Pawn Storm: New Targets and Politically Motivated Campaigns Trendlabs Security Intelligence Blog - by Trend Micro 2018-01-12T13:00:23+00:00 http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/dEwRiIXzA5M/ www.secnews.physaphae.fr/article.php?IdArticle=459308 False None APT 28 None
Security Affairs - Security blog Russian Fancy Bear APT Group improves its weapons in ongoing campaigns Fancy Bear APT group refactored its backdoor and improved encryption to make it stealthier and harder to stop. The operations conducted by the Russian Fancy Bear APT group (aka Sednit, APT28, Sofacy, Pawn Storm, and Strontium) are even more sophisticated and hard to detect due to.
According to a new report published by experts from security firm ESET, the […] 2017-12-23T13:48:25+00:00 http://securityaffairs.co/wordpress/67029/apt/fancy-bear-apt-backdoor.html www.secnews.physaphae.fr/article.php?IdArticle=454669 False None APT 28 None
Dark Reading - Informationweek Branch Russia's Fancy Bear APT Group Gets More Dangerous 2017-12-21T16:20:00+00:00 https://www.darkreading.com/attacks-breaches/russias-fancy-bear-apt-group-gets-more-dangerous/d/d-id/1330702?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple www.secnews.physaphae.fr/article.php?IdArticle=454132 False None APT 28 None
We Live Security - ESET antivirus software publisher Sednit update: How Fancy Bear Spent the Year 2017-12-21T13:58:28+00:00 http://feedproxy.google.com/~r/eset/blog/~3/_L65c96kaEQ/ www.secnews.physaphae.fr/article.php?IdArticle=454019 False None APT 28 None
TrendLabs Security - Antivirus vendor November's Patch Tuesday Includes Defense in Depth Update for Attacks Abusing Dynamic Data Exchange Trendlabs Security Intelligence Blog - by Trend Micro 2017-11-15T10:00:45+00:00 http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/e9Cjxn9flqM/ www.secnews.physaphae.fr/article.php?IdArticle=433292 False None APT 28,APT 23 None
InformationSecurityBuzzNews - Security news site Fancy Bears Use Microsoft Vulnerability To Play On US Terrorism Fears 2017-11-14T19:30:02+00:00 http://www.informationsecuritybuzz.com/expert-comments/fancy-bears-use-microsoft-vulnerability-play-us-terrorism-fears/ www.secnews.physaphae.fr/article.php?IdArticle=433017 False None APT 28 None
IT Security Guru - Security blog Fancy Bear found distributing malware again The Russian-linked hacking group Fancy Bear has been discovered delivering malware to targeted users by exposing a recently disclosed technique that involves the Microsoft Windows feature Dynamic Data Exchange. ORIGINAL SOURCE: Security Week 2017-11-10T11:43:05+00:00 http://www.itsecurityguru.org/2017/11/10/fancy-bear-found-distributing-malware/ www.secnews.physaphae.fr/article.php?IdArticle=431480 False None APT 28 None
Security Affairs - Security blog Russia-Linked APT28 group observed using DDE attack to deliver malware Security experts at McAfee observed the Russian APT28 group using the recently reported DDE attack technique to deliver malware in an espionage campaign. Security experts at McAfee observed the Russian APT group APT28 using the recently reported DDE technique to deliver malware in targeted attacks. The cyber spies were conducting a cyber espionage campaign that involved blank documents […] 2017-11-09T06:54:05+00:00 http://securityaffairs.co/wordpress/65318/hacking/dde-attack-apt28.html www.secnews.physaphae.fr/article.php?IdArticle=430510 False None APT 28 None
The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) Russian 'Fancy Bear' Hackers Using (Unpatched) Microsoft Office DDE Exploit 2017-11-09T01:14:31+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/NJpDug3pK2o/apt28-office-dde-malware.html www.secnews.physaphae.fr/article.php?IdArticle=430398 False None APT 28 None
SecurityWeek - Security News Russia-Linked Spies Deliver Malware via DDE Attack 2017-11-08T08:41:21+00:00 http://feedproxy.google.com/~r/Securityweek/~3/AUJO2VclBI0/russia-linked-spies-deliver-malware-dde-attack www.secnews.physaphae.fr/article.php?IdArticle=429856 False None APT 28 None
McAfee Labs - Software publisher Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack This blog post was co-written by Michael Rea.
During our monitoring of activities around the APT28 threat group, McAfee Advanced Threat Research analysts identified a malicious Word document that appears to leverage the Microsoft Office Dynamic Data Exchange (DDE) technique that has been previously reported by Advanced Threat Research. This document likely marks the first … 2017-11-07T18:00:00+00:00 https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/ www.secnews.physaphae.fr/article.php?IdArticle=705910 False None APT 28 4.0000000000000000
The Security Ledger - Security blog Dark Markets do it better, surveying the Phishing underground and dissecting a Fancy Bear attack 2017-11-05T16:59:02+00:00 https://feeds.feedblitz.com/~/486500376/0/thesecurityledger~Dark-Markets-do-it-better-surveying-the-Phishing-underground-and-dissecting-a-Fancy-Bear-attack/ www.secnews.physaphae.fr/article.php?IdArticle=428269 False None APT 28 None
SecurityWeek - Security News Russian 'Fancy Bear' Hackers Abuse Blogspot for Phishing 2017-11-03T08:52:21+00:00 http://feedproxy.google.com/~r/Securityweek/~3/rfFnl95DqHU/russian-fancy-bear-hackers-abuse-blogspot-phishing www.secnews.physaphae.fr/article.php?IdArticle=427714 False None APT 28 None
The Security Ledger - Security blog AP: Russia hackers had targets worldwide, beyond US election 2017-11-02T21:51:07+00:00 https://feeds.feedblitz.com/~/484600838/0/thesecurityledger~AP-Russia-hackers-had-targets-worldwide-beyond-US-election/ www.secnews.physaphae.fr/article.php?IdArticle=427643 False None APT 28 None
Security Affairs - Security blog Security Affairs newsletter Round 134 – News of the week A new round of the weekly SecurityAffairs newsletter arrived! The best news of the week with Security Affairs. Once again thank you! · A leaked document raises a doubt about whether the NSA knew of the #Krack attack since 2010 · APT28 group is rushing to exploit recent CVE-2017-11292 Flash 0-Day before users apply the patches · DHS […] 2017-10-29T09:28:35+00:00 http://securityaffairs.co/wordpress/64917/breaking-news/security-affairs-newsletter-round-134.html www.secnews.physaphae.fr/article.php?IdArticle=424925 False None APT 28 None
InformationSecurityBuzzNews - Security news site Fancy Bear Hackers Race To Exploit Flash Bug Against The US And Europe 2017-10-26T15:16:29+00:00 http://www.informationsecuritybuzz.com/expert-comments/fancy-bear-hackers-race-exploit-flash-bug-us-europe/ www.secnews.physaphae.fr/article.php?IdArticle=424370 False None APT 28 None
Security Affairs - Security blog Latest Russia-linked APT28 campaign targeting security experts Russian cyber espionage group APT28 targeted individuals with spear-phishing messages using documents referencing a NATO cybersecurity conference. Researchers with Cisco Talos have spotted a Russian cyber espionage group targeting individuals with spear-phishing messages using documents referencing a NATO cybersecurity conference. Experts attributed the attack to the dreaded Russian APT28 group, aka Pawn Storm, Fancy Bear, Sofacy, Group 74, Sednit, […] 2017-10-24T06:32:53+00:00 http://securityaffairs.co/wordpress/64668/cyber-warfare-2/apt28-security-experts-conference.html www.secnews.physaphae.fr/article.php?IdArticle=422613 False None APT 28 None
Security Affairs - Security blog APT28 group is rushing to exploit recent CVE-2017-11292 Flash 0-Day before users apply the patches The APT28 group is trying to exploit the CVE-2017-11292 Flash zero-day before users receive patches or update their systems.
Security experts at Proofpoint collected evidence of several malware campaigns, powered by the Russian APT28 group, that rely on a Flash zero-day vulnerability that Adobe patched earlier this week. According to the experts who observed attacks on organizations […] 2017-10-22T11:29:08+00:00 http://securityaffairs.co/wordpress/64611/apt/cve-2017-11292-apt28.html www.secnews.physaphae.fr/article.php?IdArticle=421871 False None APT 28 None
SecurityWeek - Security News Russian Hackers Exploit Recently Patched Flash Vulnerability 2017-10-20T11:06:44+00:00 http://feedproxy.google.com/~r/Securityweek/~3/IV_WEWgHz7M/russian-hackers-exploit-recently-patched-flash-vulnerability www.secnews.physaphae.fr/article.php?IdArticle=421625 False None APT 28 None
IT Security Guru - Security blog Fancy Bear Hackers rush to Exploit Flash bug The Russian hacking group Fancy Bear is rushing to exploit the recently disclosed Adobe Flash bug before patches are widely used. ORIGINAL SOURCE: IBTimes 2017-10-20T10:04:46+00:00 http://www.itsecurityguru.org/2017/10/20/fancy-bear-hackers-rush-exploit-flash-bug/ www.secnews.physaphae.fr/article.php?IdArticle=421754 False None APT 28 None
Bleeping Computer - American magazine Russian Cyberspies Are Rushing to Exploit Recent Flash 0-Day Before It Goes Cold 2017-10-20T00:30:00+00:00 https://www.bleepingcomputer.com/news/security/russian-cyberspies-are-rushing-to-exploit-recent-flash-0-day-before-it-goes-cold/ www.secnews.physaphae.fr/article.php?IdArticle=421558 False None APT 28 5.0000000000000000
Security Affairs - Security blog CSE CybSec ZLAB Malware Analysis Report: APT28 Hospitality malware 2017-10-05T04:55:20+00:00 http://securityaffairs.co/wordpress/63835/cyber-warfare-2/cse-zlab-apt28-hospitality-malware.html www.secnews.physaphae.fr/article.php?IdArticle=415271 False None APT 28 None
IT Security Guru - Security blog FA to beef up cybersecurity if England qualify for Russia World Cup 2017-09-12T09:21:47+00:00 http://www.itsecurityguru.org/2017/09/12/fa-beef-cybersecurity-england-qualify-russia-world-cup/ www.secnews.physaphae.fr/article.php?IdArticle=406700 False None APT 28 None
UnderNews - French "pirate" news site According to FireEye, the APT28 group is targeting the hospitality sector According to FireEye, the APT28 group is targeting the hospitality sector, which presents a threat to travelers. 2017-08-29T11:07:06+00:00 http://feedproxy.google.com/~r/undernews/oCmA/~3/eSttZ-UHVAQ/selon-fireeye-le-groupe-apt28-cible-le-secteur-de-lhotellerie.html www.secnews.physaphae.fr/article.php?IdArticle=401874 False None APT 28 None
Data Security Breach - French news site Fancy Bear: Leaked data on doping in football! Published by Data Security Breach. 2017-08-25T12:59:44+00:00 http://www.datasecuritybreach.fr/fancy-bear-fuite-de-donnees-dopage-football/ www.secnews.physaphae.fr/article.php?IdArticle=400821 False None APT 28 None
InformationSecurityBuzzNews - Security news site Fancy Bears Leak Names Of Footballers Using Banned Medicines During World Cup In 2010 2017-08-24T08:00:14+00:00 http://www.informationsecuritybuzz.com/expert-comments/fancy-bears-leak-names-footballers-using-banned-medicines-world-cup-2010/ www.secnews.physaphae.fr/article.php?IdArticle=400184 False None APT 28 None
ComputerWeekly - Computer Magazine Russian hackers expose allegedly doping footballers 2017-08-23T04:30:44+00:00 http://www.computerweekly.com/news/450424977/Russian-hackers-expose-allegedly-doping-footballers www.secnews.physaphae.fr/article.php?IdArticle=399999 False None APT 28 None
Naked Security - Sophos blog Fancy Bear bites hotel networks as EternalBlue mystery deepens 2017-08-15T16:22:58+00:00 https://nakedsecurity.sophos.com/2017/08/15/fancy-bear-bites-hotel-networks-as-eternalblue-mystery-deepens/ www.secnews.physaphae.fr/article.php?IdArticle=396784 False None APT 28 None
Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor APT28 Using EternalBlue to Attack Hotels in Europe, Middle East 2017-08-12T12:00:32+00:00 https://threatpost.com/apt28-using-eternalblue-to-attack-hotels-in-europe-middle-east/127419/ www.secnews.physaphae.fr/article.php?IdArticle=396015 False None APT 28 None
Mandiant - Mandiant security blog APT28 Targets Hospitality Sector, Presents Threat to Travelers FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East. The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the EternalBlue exploit. APT28 Uses Malicious Document to Target Hospitality Industry FireEye has uncovered a malicious document sent in spear 2017-08-11T08:00:00+00:00 https://www.mandiant.com/resources/blog/apt28-targets-hospitality-sector-presents-threat-travelers www.secnews.physaphae.fr/article.php?IdArticle=8377769 False Threat Wannacry,APT 28,APT 28 4.0000000000000000
01net. News - Security - French magazine Microsoft has launched a veritable guerrilla war against the APT28 hackers 2017-07-25T12:40:52+00:00 http://www.01net.com/actualites/microsoft-a-initie-une-veritable-guerilla-contre-les-hackers-d-apt28-1223255.html www.secnews.physaphae.fr/article.php?IdArticle=388859 False None APT 28 3.0000000000000000
SecurityWeek - Security News Tech Firms Target Domains Used by Russia-linked Threat Group 2017-07-25T11:45:09+00:00 http://feedproxy.google.com/~r/Securityweek/~3/-b3dQY_VWks/tech-firms-target-domains-used-russia-linked-threat-group www.secnews.physaphae.fr/article.php?IdArticle=388581 False None APT 28 None
Naked Security - Sophos blog Microsoft opens up a new front in the battle against Fancy Bear 2017-07-24T16:11:50+00:00 https://nakedsecurity.sophos.com/2017/07/24/microsoft-opens-up-a-new-front-in-the-battle-against-fancy-bear/ www.secnews.physaphae.fr/article.php?IdArticle=388290 False None APT 28 None
Ars Technica - Risk Assessment Security Hacktivism Microsoft's secret weapon in ongoing struggle against Fancy Bear? Trademark law 2017-07-21T18:55:14+00:00 https://arstechnica.com/?p=1136461 www.secnews.physaphae.fr/article.php?IdArticle=387792 False None APT 28 None
The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) How Microsoft Cleverly Cracks Down On "Fancy Bear" Hacking Group 2017-07-21T01:53:45+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/Zx147lAKIaY/russian-fancy-bear-hacking-group.html www.secnews.physaphae.fr/article.php?IdArticle=387476 False None APT 28 None
UnderNews - French "pirate" news site According to FireEye, the Russian group APT28 is behind cyberattacks against the government of Montenegro Because of its NATO membership, Montenegro will probably be the target of further similar attacks. According to FireEye, the Russian group APT28 is said to be involved... 2017-06-07T07:15:33+00:00 http://feedproxy.google.com/~r/undernews/oCmA/~3/u3sIm6slDcI/selon-fireeye-le-groupe-russe-apt28-est-a-lorigine-de-cyberattaques-contre-le-gouvernement-du-montenegro.html www.secnews.physaphae.fr/article.php?IdArticle=371846 False None APT 28 None
IT Security Guru - Security blog Bodies Held to Ransom – Tsar Team Hack 2017-06-02T15:33:37+00:00 http://www.itsecurityguru.org/2017/06/02/bodies-held-ransom-tsar-team-hack/ www.secnews.physaphae.fr/article.php?IdArticle=371110 False None APT 28 None
The Security Ledger - Security blog Report: Major Upgrade, Investments Needed to Secure Connected Vehicles, Infrastructure Related Stories: Emboldened, Fancy Bear hacking crew targets French, German Politicians; Report warns of Robot Hacks, Tampering; FBI: Business Email Compromise is a $5 Billion Industry 2017-05-25T22:52:31+00:00 https://feeds.feedblitz.com/~/333997546/0/thesecurityledger~Report-Major-Upgrade-Investments-Needed-to-Secure-Connected-Vehicles-Infrastructure/ www.secnews.physaphae.fr/article.php?IdArticle=368727 False None APT 28 None
The Security Ledger - Security blog APT Inc.: Research Finds Ties Between Chinese Security Firm and Advanced Threat Group Related Stories: Emboldened, Fancy Bear hacking crew targets French, German Politicians; Analysis of 85K Remote Desktop Hacks Finds Education, Healthcare Top Targets; Fatal Flaw Slows WannaCry Ransomware Spread, but Threats Remain 2017-05-18T02:12:30+00:00 https://feeds.feedblitz.com/~/324578408/0/thesecurityledger~APT-Inc-Research-Finds-Ties-Between-Chinese-Security-Firm-and-Advanced-Threat-Group/ www.secnews.physaphae.fr/article.php?IdArticle=366383 False None Wannacry,APT 28,APT 3 None
The Security Ledger - Security blog Update: UK Hospitals among Victims of Massive Ransomware Attack Related Stories: Analysis of 85K Remote Desktop Hacks Finds Education, Healthcare Top Targets; Emboldened, Fancy Bear hacking crew targets French, German Politicians; The Billion Dollar Headache: Sophisticated Ransomware takes aim at Small Business 2017-05-12T16:56:43+00:00 https://feeds.feedblitz.com/~/318229288/0/thesecurityledger~Update-UK-Hospitals-among-Victims-of-Massive-Ransomware-Attack/ www.secnews.physaphae.fr/article.php?IdArticle=364917 False None APT 28 None
The Security Ledger - Security blog Mush and Muscle: Mixed Reaction to Trump's Executive Order on Cyber Related Stories: Estonia 10 Years Later: Lessons learned from the World’s First Internet War; Emboldened, Fancy Bear hacking crew targets French, German Politicians; Podcast: Hack, or Phreak – What Really Happened in Dallas? 2017-05-12T13:31:09+00:00 https://feeds.feedblitz.com/~/318039726/0/thesecurityledger~Mush-and-Muscle-Mixed-Reaction-to-Trumps-Executive-Order-on-Cyber/ www.secnews.physaphae.fr/article.php?IdArticle=364918 False None APT 28 None
SecurityWeek - Security News Who Hacked French President-elect Emmanuel Macron's Campaign? 2017-05-11T15:15:18+00:00 http://feedproxy.google.com/~r/Securityweek/~3/TJZHeTdaSK0/who-hacked-french-president-elect-emmanuel-macrons-campaign www.secnews.physaphae.fr/article.php?IdArticle=364329 False None APT 28 5.0000000000000000
Dark Reading - Informationweek Branch APT28, Turla Nation-State Groups Deployed Multiple 0Days in Recent Attacks 2017-05-11T13:00:00+00:00 http://www.darkreading.com/threat-intelligence/apt28-turla-nation-state-groups-deployed-multiple-0days-in-recent-attacks/d/d-id/1328854?_mc=RSS_DR_EDT www.secnews.physaphae.fr/article.php?IdArticle=364433 False None APT 28 None
Ars Technica - Risk Assessment Security Hacktivism Macron campaign team used honeypot accounts to fake out Fancy Bear 2017-05-10T13:58:56+00:00 https://arstechnica.com/security/2017/05/macron-campaign-team-used-honeypot-accounts-to-fake-out-fancy-bear/ www.secnews.physaphae.fr/article.php?IdArticle=363945 False None APT 28 None
We Live Security - ESET antivirus software publisher Sednit adds two zero-day exploits using 'Trump's attack on Syria' as a decoy 2017-05-09T18:00:14+00:00 http://feedproxy.google.com/~r/eset/blog/~3/gMPIIJJXLk4/ www.secnews.physaphae.fr/article.php?IdArticle=363650 False None APT 28 None
The Security Ledger - Security blog FBI: Business Email Compromise is a $5 Billion Industry Related Stories: Emboldened, Fancy Bear hacking crew targets French, German Politicians; Google Looks Beyond Passwords To Secure Data, Assets; Analysis of 85K Remote Desktop Hacks Finds Education, Healthcare Top Targets 2017-05-08T20:21:06+00:00 https://feeds.feedblitz.com/~/314052424/0/thesecurityledger~FBI-Business-Email-Compromise-is-a-Billion-Industry/ www.secnews.physaphae.fr/article.php?IdArticle=363222 False None APT 28 None
AlienVault Lab Blog - AlienVault is a major defense player in IOCs MacronLeaks – A Timeline of Events number of domains, identified by Trend Micro as linked to a group of attackers known as APT28, were registered for use in attacks against Emmanuel Macron's campaign. It appears they were registered in two stages - first in the middle of March, then more in the middle of April. The links between these attacks and others in the US elections are strong. I haven’t seen a definitive link that the documents leaked yesterday were the result of these attacks in March and April, but it seems a likely scenario. Suspicious edits of the leaked documents in March Many noted that all of the documents in one of the smaller archives released yesterday (xls_cedric) appeared to have been edited over a 4 minute period on the 27th of March. These were edited by a Russian language version of Microsoft Excel. About half recorded a user named "Рошка Георгий Петрович / Roshka Georgy Petrovich" performing the edits. It's suspicious that these documents, some of which were created over ten years ago, were all edited so recently during the same 4 minutes. It suggests the edits may have followed their theft, not preceded it.
Before linking any individual to these attacks, though, it's important to note: a number of people have that name; this could be false information planted by the attackers; or an entirely innocent employee at a bank somewhere has been unfortunate enough to get caught up in this. Similar previous mail dumps have included a mix of real and fake information, and the Macron campaign have also said that the dump is a mix of real and fake documents. It's important to keep that in mind – particularly when you see e-mails in the dump suggesting that politicians have bought drugs online.
Documents shared on 4Chan on Wednesday
A first small set of two documents were shared on 4Chan's politics board /pol just prior to the election debates on Wednesday. These suggested that Macron had secret bank accounts. The post was made by a user from a Latvian IP. The geolocation is likely incorrect and the "Latvian" poster themselves said they were connecting through proxies from another location. The documents were picked up by fringe news sites quickly, and Le Pen made similar claims during the live debate against Macron that night. It wasn't long before some suggested the documents looked like they had been photo-shopped. The "Latvian" poster claimed the problems were due to how the copies were obtained - by taking photos of the documents "in a short w
Published: 2017-05-06T19:08:00+00:00 | Link: http://feeds.feedblitz.com/~/311915540/0/alienvaultotx~MacronLeaks-%e2%80%93-A-Timeline-of-Events | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=362604 | Tags: APT 28

[Errata Security] Some notes on #MacronLeak
Tonight (Friday May 5 2017) hackers dumped emails (and docs) related to French presidential candidate Emmanuel Macron. He's the anti-Putin candidate running against the pro-Putin Marine Le Pen. I thought I'd write up some notes.
Are they Macron's emails?
No. They are e-mails from members of his staff/supporters, namely Alain Tourret, Pierre Person, Cedric O??, Anne-Christine Lang, and Quentin Lafay. There are some documents labeled "Macron" which may have been taken from his computer, cloud drive -- his own, or an assistant's.
Who done it?
Obviously, everyone assumes that Russian hackers did it, but there's nothing (so far) that points to anybody in particular. It appears to be the most basic of phishing attacks, which means anyone could've done it, including your neighbor's pimply faced teenager.
Update: Several people [*] have pointed out Trend Micro reporting that Russian/APT28 hackers were targeting Macron back on April 24. Coincidentally, this is also the latest that emails appear in the dump.
What's the hacker's evil plan?
Everyone is proposing theories about the hacker's plan, but the most likely answer is they don't have one. Hacking is opportunistic. They likely targeted everyone in the campaign, and these were the only victims they could hack. It's probably not the outcome they were hoping for. But since they've gone through all the work, it'd be a shame to waste it. Thus, they are likely releasing the dump not because they believe it will do any good, but because it'll do them no harm. It's a shame to waste all the work they put into it. If there's any plan, it's probably a long range one, serving notice that any political candidate that goes against Putin will have to deal with Russian hackers dumping email.
Why now? Why not leak bits over time like with Clinton?
France has a campaign blackout starting tonight at midnight until the election on Sunday. Thus, it's the perfect time to leak the files. Anything salacious, or even rumors of something bad, will spread virally through Facebook and Twitter, without the candidate or the media having a good chance to rebut the allegations. The last emails in the logs appear to be from April 24, the day after the first round vote (Sunday's vote is the second, runoff, round). Thus, the hackers could've leaked this dump any time in the last couple weeks. They chose now to do it.
Are the emails verified?
Yes and no. Yes, we have DKIM signatures between people's accounts, so we know for certain that hackers successfully breached these accounts. DKIM is an anti-spam method that cryptographically signs emails by the sending domain (e.g. @gmail.com), and thus can also verify the email hasn't been altered or forged. But no, when a salacious email or document is found in the dump
Published: 2017-05-06T04:15:35+00:00 | Link: http://blog.erratasec.com/2017/05/some-notes-on-macronleak.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=362806 | Tags: Uber, APT 28

[AlienVault Lab Blog - AlienVault is a major defensive player in IOCs] OAuth Worm Targeting Google Users - You Need to Watch Cloud Services
When users clicked on the button, they were prompted to give "Google Docs" permission to read / send email, manage their email, and access their contact lists. In reality, this was a malicious application registered by the attackers, and in fact one of the most well-crafted phishing attempts in the last year. By clicking on the ALLOW button, users authorized the malicious application to perform actions on their behalf. The users' browsers were redirected to one of the malicious servers set up by the attackers, for example: https://googledocs[.]docscloud[.]win/g.php. The AlienVault Labs Security Research Team detected the activity, and while the attack was still in progress, we created a Pulse in the Open Threat Exchange (OTX) with all the indicators of the infrastructure the attackers used (mainly the domains they used in redirection). In addition, several OTX users jumped in and shared more malicious infrastructure in a matter of minutes! This helped get the indicators out immediately to the 30,000+ people that follow the AlienVault OTX account.
Kudos to the OTX members who jumped in and delivered this valuable information so quickly to the community! Going back to the attack: when the user was redirected to one of the servers after allowing the malicious application to perform those actions, it was served with the JavaScript code that contained the self-replication / worm functionality. First, the malicious JavaScript would get access to the contact list (first 1000 entries). The code parsed the names and email addresses of those contacts and then prioritized addresses from gmail.com, avoiding addresses containing the words "google", "keeper" and "unty". Once the list of potential victims was crafted, the code sent the same email to them as well, thus propagating the attack. When sending the email, the attackers also decided to BCC the address hhhhhhhhhhhhhhhh[at]mailinator[.]com, presumably to monitor progress or collect the list of victims.
Impact
Luckily, Google reacted to this quickly, and the malicious applications were shut down about an hour after the start of the campaign. Cloudflare, which the attackers used in front of the malicious infrastructure, took down that part of the attack infrastructure quickly, too. It is important to mentio
Published: 2017-05-04T17:18:00+00:00 | Link: http://feeds.feedblitz.com/~/309131881/0/alienvaultotx~OAuth-Worm-Targeting-Google-Users-You-Need-to-Watch-Cloud-Services | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=362065 | Tags: Guideline, Yahoo, APT 28

[Wired Threat Level - Security News] US Sanctions Didn't Stop Russia's Election Hacking-Or Even Slow It Down
The Fancy Bear group's continued attacks on electoral campaigns show how easily the Kremlin brushed off Obama's sanctions.
Published: 2017-05-04T16:07:32+00:00 | Link: https://www.wired.com/2017/05/us-sanctions-didnt-stop-russias-election-hacking-even-slow/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=362987 | Tags: APT 28

[AlienVault Blog - AlienVault is a major defensive player in IOCs] Alien Eye in the Sky – 5th May 2017
That Google Phish
There was a lot of buzz as many people received phishing emails disguised as invitations to open a Google Doc. By authorising it, users unwittingly gave access to their emails to attackers. The size and scale of the attack was reminiscent of the viruses of days gone by, such as Melissa. While Google has worked to close the flaw, it doesn't help those users that have clicked on the link. If you have clicked on the link, then you need to follow these steps:
1. Go to the Google account permissions page and remove access for the fake app.
2. Change passwords on Google and any other sites that may have been using the same password.
3. Enable two factor / two step verification (like needing an SMS code in order to log on).
Some are suggesting that given the similarities between this fresh phishing scam and the past activity of the DNC hackers, known as APT28, the Google phishers could be the allegedly Kremlin-backed crew. But to Jaime Blasco, chief scientist at security company AlienVault, that's unlikely: "I don't believe they are behind this though because this is way too widespread. Many people/organizations have received similar attempts so this is probably something massive and less targeted." (Links: Full article; Threatpost article)
Smaller nations hacking skills
As the joke goes, on the internet, nobody knows that you're a dog. Technology has done a great job in balancing the shift of power into the hands of the many. Now, with modest budgets and technology, startups can challenge well-established brands. But that also means small nations can build cyber capabilities that match those of much larger nations. We knew the U.S. and Russia were hacking powers, but Ethiopia and Pakistan?
GDPR
While a lot of European companies are looking to the future wondering what GDPR will bring, the Register looked back and retrospectively estimated what regulator fines on data loss would have been last year had GDPR been implemented. Where last year British companies were fined £880,500, under GDPR regulation that sum could have been £69 million. (Links: Register story; Gartner predicts GDPR flouters will be in the majority; Google cloud will be ready for GDPR in May 2018)
It's just Metadata
It's why many governments have pushed for mandatory metadata retention laws, and have been successful. Because in the minds of many, it's only metadata. Troy Hunt wrote a good article on why Australia just showed the world the problem with mandatory data retention.
Published: 2017-05-03T16:49:00+00:00 | Link: http://feeds.feedblitz.com/~/309240180/0/alienvault-blogs~Alien-Eye-in-the-Sky-%e2%80%93-th-May | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=362127 | Tags: Guideline, APT 28

[The Security Ledger - Security Blog] Report: we'll know antivirus is dead when it goes quiet
Published: 2017-04-27T11:26:45+00:00 | Link: https://feeds.feedblitz.com/~/300891133/0/thesecurityledger~Report-well-know-antivirus-is-dead-when-it-goes-quiet/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=360797 | Tags: APT 28

[The Security Ledger - Security Blog] Analysis of 85K Remote Desktop Hacks Finds Education, Healthcare Top Targets
Published: 2017-04-26T21:47:58+00:00 | Link: https://feeds.feedblitz.com/~/300249042/0/thesecurityledger~Analysis-of-K-Remote-Desktop-Hacks-Finds-Education-Healthcare-Top-Targets/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=360798 | Tags: APT 28

[Network World - Magazine Info] Russian hackers use OAuth, fake Google apps to phish users
Fancy Bear or Pawn Storm, has been carrying out the attack with its favored tactic of sending out phishing emails, Trend Micro said in a report Tuesday.
Published: 2017-04-25T17:54:20+00:00 | Link: http://www.networkworld.com/article/3192469/security/russian-hackers-use-oauth-fake-google-apps-to-phish-users.html#tk.rss_security | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=358660 | Tags: APT 28

[Naked Security - Sophos Blog] News in brief: Uber under fire in 'Hell' lawsuit; Europe could be hit by laptop ban; Fancy Bear 'targeted Macron'
Published: 2017-04-25T16:52:36+00:00 | Link: https://nakedsecurity.sophos.com/2017/04/25/news-in-brief-uber-under-fire-in-hell-lawsuit-europe-could-be-hit-by-laptop-ban-fancy-bear-targeted-macron/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=358806 | Tags: Uber, APT 28

[The Security Ledger - Security Blog] Update: Emboldened, Fancy Bear hacking crew targets French, German Politicians
Published: 2017-04-25T15:11:55+00:00 | Link: https://feeds.feedblitz.com/~/298666506/0/thesecurityledger~Update-Emboldened-Fancy-Bear-hacking-crew-targets-French-German-Politicians/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=360800 | Tags: APT 28

[ZD Net - Magazine Info] Pawn Storm targets fresh victims to sway public political opinion
Published: 2017-04-25T12:00:18+00:00 | Link: http://www.zdnet.com/article/pawn-storm-threat-group-targets-fresh-victims-to-sway-public-opinion/#ftag=RSSbaffb68 | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=358639 | Tags: APT 28

[TrendLabs Security - Antivirus Vendor] Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks
Trendlabs Security Intelligence Blog - by Trend Micro
Published: 2017-04-25T08:00:14+00:00 | Link: http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/G0NZBdD306o/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=358531 | Tags: APT 28

[The Security Ledger - Security Blog] Google Looks Beyond Passwords To Secure Data, Assets
Published: 2017-04-21T22:23:05+00:00 | Link: https://feeds.feedblitz.com/~/295783494/0/thesecurityledger~Google-Looks-Beyond-Passwords-To-Secure-Data-Assets/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=360802 | Tags: APT 28

[01net - News - Security - French Magazine] Presidential election: how Russian hackers want to influence the election
Published: 2017-04-09T09:32:27+00:00 | Link: http://www.01net.com/actualites/presidentielle-comment-les-hackers-russes-veulent-influencer-l-election-1138099.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=359093 | Tags: APT 28 | Score: 4.0

[Contagio - Ransomware News Site] Part II. APT29 Russian APT including Fancy Bear
This is the second part of the Russian APT series. "APT29 - The Dukes, Cozy Bear: APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015" (src. Mitre ATT&CK). Please see the first post here: Russian APT - APT28 collection of samples including OSX XAgent.
I highly recommend reading and studying these resources first:
- Mitre ATT&CK
- 2017-03 Disinformation. A Primer In Russian Active Measures And Influence Campaigns. Hearings before the Select Committee on Intelligence, March 2017
- 2014-08 Mikko Hyppönen. Governments as Malware Authors. Presentation ppt.
- 2016. No Easy Breach: Challenges and Lessons from an Epic Investigation. Mandiant. Matthew Dunwoody, Nick Carr. Video
- Beyond 'Cyber War': Russia's Use of Strategic Cyber Espionage and Information Operations in Ukraine. NATO Cooperative Cyber Defence Centre of Excellence / FireEye - Jen Weedon
List of References (and samples mentioned) listed from oldest to newest:
- 2012-02 FSecure. COZYDUKE
- 2013-02 Crysys. Miniduke Indicators
- 2013-04 Bitdefender. A Closer Look at MiniDuke
- 2014-04 FSecure. Targeted Attacks and Ukraine
- 2014-05 FSecure. Miniduke still duking it out
- 2014-07 Kaspersky. Miniduke is back: Nemesis Gemina and the Botgen Studio
- 2014-07 Kaspersky. The MiniDuke Mystery PDF 0-day
- 2014-11 FSecure. OnionDuke APT Attacks Via the Tor Network
- 2014 FSecure. Cosmicduke: Cosmu with a twist of MiniDuke
- 2015-04 Kaspersky. CozyDuke-CozyBear
Published: 2017-04-05T22:57:33+00:00 | Link: http://contagiodump.blogspot.com/2017/03/part-ii-apt29-russian-apt-including.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=358910 | Tags: APT 29, APT 28

[We Live Security - ESET Antivirus Software Vendor] IAAF: 'Fancy Bear' Sednit behind cyberattack
Published: 2017-04-04T15:29:27+00:00 | Link: http://feedproxy.google.com/~r/eset/blog/~3/48GXPJ-KjyE/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=352838 | Tags: APT 28

[Dark Reading - Informationweek Branch] Hackers Hit IAAF, Compromise Athlete Records
Published: 2017-04-04T09:35:00+00:00 | Link: http://www.darkreading.com/hackers-hit-iaaf-compromise-athlete-records-/d/d-id/1328548?_mc=RSS_DR_EDT | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=352441 | Tags: APT 28

[SecurityWeek - Security News] IAAF Says Russia-Linked Hackers Accessed Medical Records
Published: 2017-04-04T08:38:10+00:00 | Link: http://feedproxy.google.com/~r/Securityweek/~3/H6Y087W3qyo/iaaf-says-russia-linked-hackers-accessed-medical-records | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=351837 | Tags: APT 28

[BBC - BBC News - Technology] Fancy Bears: IAAF hacked and fears athletes' information compromised
Published: 2017-04-03T09:48:28+00:00 | Link: http://www.bbc.co.uk/sport/athletics/39477302 | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=355518 | Tags: APT 28

[Contagio - Ransomware News Site] Part I. Russian APT - APT28 collection of samples including OSX XAgent
This post is for all of you, Russian malware lovers/haters. Analyze it all to your heart's content.
Prove or disprove Russian hacking in general or DNC hacking in particular, or find that "400 lb hacker" or nail another country altogether. You can also have fun and exercise your malware analysis skills without any political agenda. The post contains malware samples analyzed in the APT28 reports linked below. I will post APT29 and others later. Read about groups and types of targeted threats here: Mitre ATT&CK.
List of References (and samples mentioned) listed from oldest to newest:
- APT28_2011-09_Telus_Trojan.Win32.Sofacy.A
- APT28_2014-08_MhtMS12-27_Prevenity
- APT28_2014-10_Fireeye_A_Window_into_Russia_Cyber_Esp.Operations
- APT28_2014-10_Telus_Coreshell.A
- APT28_2014-10_TrendMicro Operation Pawn Storm: Using Decoys to Evade Detection
- APT28_2015-07_Digital Attack on German Parliament
- APT28_2015-07_ESET_Sednit_meet_Hacking
- APT28_2015-07_Telus_Trojan-Downloader.Win32.Sofacy.B
- APT28_2015-09_Root9_APT28_Technical_Followup
- APT28_2015-09_SFecure_Sofacy-recycles-carberp-and-metasploit-code
- APT28_2015-10_New Adobe Flash Zero-Day Used in Pawn Storm
- APT28_2015-10_Root9_APT28_targets Financial Markets
- APT28_2015-12_Bitdefender_In-depth_anal
Published: 2017-03-31T02:03:28+00:00 | Link: http://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=358911 | Tags: APT 29, APT 28

[Mandiant - Mandiant Security Blog] Introduction to Reverse Engineering Cocoa Applications
While not as common as Windows malware, there has been a steady stream of malware discovered over the years that runs on the OS X operating system, now rebranded as macOS. February saw three particularly interesting publications on the topic of macOS malware: a Trojan Cocoa application that sends system information including keychain data back to the attacker, a macOS version of APT28's Xagent malware, and a new Trojan ransomware. In this blog, the FLARE team would like to introduce two small tools that can aid in the task of reverse engineering Cocoa applications for macOS. In order to
Published: 2017-03-08T17:15:00+00:00 | Link: https://www.mandiant.com/resources/blog/introduction-to-reve | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8377788 | Tags: Malware, Tool, APT 28 | Score: 4.0

[01net - News - Security - French Magazine] APT28's Russian hackers target Macs and exfiltrate iPhone backups
Published: 2017-02-16T05:10:57+00:00 | Link: http://www.01net.com/actualites/les-hackers-russes-d-apt28-ciblent-les-mac-et-exfiltrent-les-sauvegardes-iphone-1104243.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=316980 | Tags: APT 28 | Score: 5.0

[The Hacker News - The Hacker News is a hacking news blog (surprising, right?)] New MacOS Malware linked to Russian Hackers Can Steal Passwords & iPhone Backups
Published: 2017-02-16T01:38:41+00:00 | Link: http://feedproxy.google.com/~r/TheHackersNews/~3/72Sj8IAJtdQ/xagent-malware-apt28.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=316264 | Tags: APT 28

[UnderNews - French "hacker" news site] Mac users targeted by a new variant of the Xagent malware linked to APT28
The sophisticated Xagent malware now targets Mac users to steal passwords and iPhone backups.
Published: 2017-02-15T12:01:50+00:00 | Link: http://feedproxy.google.com/~r/undernews/oCmA/~3/G9u7t1Vc1yA/les-utilisateurs-mac-vises-par-une-nouvelle-variante-du-malware-xagent-lie-a-lapt28.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=315185 | Tags: APT 28, APT 21

[SecurityWeek - Security News] Russian Cyberspies Use New Mac Malware to Steal Data
Published: 2017-02-15T09:56:45+00:00 | Link: http://feedproxy.google.com/~r/Securityweek/~3/8Oksqy71zaU/russian-cyberspies-use-new-mac-malware-steal-data | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=314774 | Tags: APT 28

[Bleeping Computer - American Magazine] Mac Malware Linked to Infamous Russian Cyber-Espionage Group
Published: 2017-02-15T07:35:38+00:00 | Link: https://www.bleepingcomputer.com/news/security/mac-malware-linked-to-infamous-russian-cyber-espionage-group/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=315283 | Tags: APT 28

[Network World - Magazine Info] Russian cyberspies blamed for US election hacks are now targeting Macs
Published: 2017-02-14T10:09:15+00:00 | Link: http://www.networkworld.com/article/3169930/security/russian-cyberspies-blamed-for-us-election-hacks-are-now-targeting-macs.html#tk.rss_security | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=313885 | Tags: APT 28

[Naked Security - Sophos Blog] Fancy Bear: who's behind the group implicated in so many political hacks?
Published: 2017-02-13T16:53:47+00:00 | Link: https://nakedsecurity.sophos.com/2017/02/13/fancy-bear-whos-behind-the-group-implicated-in-so-many-political-hacks/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=312626 | Tags: APT 28

[SecurityWeek - Security News] DHS Uses Cyber Kill Chain to Analyze Russia-Linked Election Hacks
Published: 2017-02-13T16:52:34+00:00 | Link: http://feedproxy.google.com/~r/Securityweek/~3/ZMjfdMqZfPk/dhs-uses-cyber-kill-chain-analyze-russia-linked-election-hacks | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=313106 | Tags: APT 29, APT 28

[Naked Security - Sophos Blog] News in brief: Fancy Bear 'attacked TV network'; Lavabit comes back to life; museum does geek history
Published: 2017-01-27T17:55:54+00:00 | Link: https://nakedsecurity.sophos.com/2017/01/27/news-in-brief-fancy-bear-attacked-tv-network-lavabit-comes-back-to-life-museum-does-geek-history/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=301667 | Tags: APT 28

[We Live Security - ESET Antivirus Software Vendor] Sednit: How this notorious cyberespionage group operates
Published: 2017-01-27T13:00:41+00:00 | Link: http://feedproxy.google.com/~r/eset/blog/~3/g9lO72vpekI/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=301418 | Tags: APT 28

[The State of Security - American Magazine] 10 Questions that Need to Be Asked about Every Cybersecurity Story
Published: 2017-01-11T04:00:46+00:00 | Link: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/10-questions-that-need-to-be-asked-about-every-cybersecurity-story/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=289173 | Tags: APT 29, APT 28

[Dark Reading - Informationweek Branch] DHS-FBI Report Shows Russian Attribution's A Bear
Published: 2017-01-04T17:40:00+00:00 | Link: http://www.darkreading.com/threat-intelligence/dhs-fbi-report-shows-russian-attributions-a-bear/d/d-id/1327828?_mc=RSS_DR_EDT | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=285828 | Tags: APT 29, APT 28

[Errata Security] Dear Obama, From Infosec
Instead of communicating with the American people, you worked through your typical system of propaganda, such as stories in the New York Times quoting unnamed "senior government officials". We don't want "unnamed" officials -- we want named officials (namely you) who we can pin down and question. When you work through this system of official leaks, we believe you have something to hide, that the evidence won't stand on its own. We still don't believe the CIA's conclusions because we don't know, precisely, what those conclusions are. Are they derived purely from companies like FireEye and CrowdStrike based on digital forensics? Or do you have spies in Russian hacker communities that give better information? This is such an important issue that it's worth degrading sources of information in order to tell us, the American public, the truth. You had the DHS and US-CERT issue the "GRIZZLY-STEPPE" report "attributing those compromises to Russian malicious cyber activity". It does nothing of the sort. It's full of garbage.
It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth. Yes, hackers use Yahoo for phishing and malvertising. It doesn't mean every access of Yahoo is an "Indicator of Compromise". For example, I checked my web browser [chrome://net-internals/#dns] and found that last year on November 20th, it accessed two IP addresses that are on the Grizzly-Steppe list. No, this doesn't mean I've been hacked. It means I just had a normal interaction with Yahoo. It means the Grizzly-Steppe IoCs are garbage. If your intent was to show technical information to experts to confirm Russia's involvement, you've done the precise opposite. Grizzly-Steppe proves such enormous incompetence that we doubt all the technical details you might have. I mean, it's possible that you classified the important details and de-classified the junk, but even then, that junk isn't worth publishing. There's no excuse for those Yahoo addresses to be in there, or the numerous other problems. Among the consequences is that Washington Post story claiming Russians hacked into the Vermont power grid. What really happened is that somebody just checked their Yahoo email, thereby accessing one of the same IP addresses I did. How they get from the facts (one person accessed Yahoo email) to the story (Russians hacked power grid) is your responsibility. This misinformation is your fault. You announced sanctions for the Russian hacking [*]. At the same time, you announced sanctions for Russian harassment of diplomati
Published: 2017-01-03T21:33:01+00:00 | Link: http://blog.erratasec.com/2017/01/dear-obama-from-infosec.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=284726 | Tags: Yahoo, APT 29, APT 28

[SecurityWeek - Security News] U.S. Gov's "GRIZZLY STEPPE" Report Fails to Achieve Purpose: Experts
The Joint Analysis Report (JAR) published by the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) to detail tools used by Russian hackers in cyber attacks against the United States election didn't deliver on its promise, security experts argue.
Published: 2017-01-02T16:29:22+00:00 | Link: http://feedproxy.google.com/~r/Securityweek/~3/NJpEfw0rqRs/us-govs-grizzly-steppe-report-fails-achieve-purpose-experts | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=283705 | Tags: APT 29, APT 28

[Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor] FBI-DHS Report Links Fancy Bear Gang to Election Hacks
Published: 2016-12-30T19:30:10+00:00 | Link: https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=283376 | Tags: APT 29, APT 28

[Errata Security] Some notes on IoCs
"GRIZZLY STEPPE" announcement: What is this? What does this mean? What do I do with this information? It's a YARA rule. YARA is a tool ostensibly for malware researchers, to quickly classify files. It's not really an anti-virus product designed to prevent or detect an intrusion/infection, but to analyze an intrusion/infection afterward -- such as attributing the attack. Signatures like this will identify a well-known file found on infected/hacked systems. What this YARA rule detects is, as the name suggests, the "PAS TOOL WEB KIT", a web shell tool that's popular among Russia/Ukraine hackers. If you google "PAS TOOL PHP WEB KIT", the second result points to the tool in question. You can download a copy here [*], or you can view it on GitHub here [*]. Once a hacker gets comfortable with a tool, they tend to keep using it. That implies the YARA rule is useful at tracking the activity of that hacker, to see which other attacks they've been involved in, since it will find the same web shell on all the victims. The problem is that this P.A.S. web shell is popular, used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world (judging by hacker forum posts). This makes using the YARA signature for attribution problematic: just because you found P.A.S. in two different places doesn't mean it's the same hacker. A web shell, by the way, is one of the most common things hackers use once they've broken into a server. It allows further hacking and exfiltration traffic to appear as normal web requests. It typically consists of a script file (PHP, ASP, PERL, etc.) that forwards commands to the local system. There are hundreds of popular web shells in use. We have little visibility into how the government used these IoCs. IP addresses and YARA rules like this are weak, insufficient for attribution by themselves. On the other hand, if they've got web server logs from multiple victims where commands from those IP addresses went to this specific web shell, then the attribution would be strong that all these attacks are by the same actor. In other words, these rules can be a reflection of the fact the government has excellent information for attribution. Or, it could be a reflection that they've got only weak bits and pieces. It's impossible for us outsiders to tell. IoCs/signatures are fetishized in the cybersecurity community: they love the small rule, but they ignore the complexity and context around the rules, often misunderstanding what's going on. (I've written thousands of the things -- I'm constantly annoyed by the ignorance among those not understanding what they mean). I see on
Published: 2016-12-29T20:40:33+00:00 | Link: http://blog.erratasec.com/2016/12/some-notes-on-iocs.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=282206 | Tags: APT 29, APT 28

[Dark Reading - Informationweek Branch] FBI, DHS Report Implicates Cozy Bear, Fancy Bear In Election-Related Hacks
Published: 2016-12-29T17:00:00+00:00 | Link: http://www.darkreading.com/threat-intelligence/fbi-dhs-report-implicates-cozy-bear-fancy-bear-in-election-related-hacks/d/d-id/1327811?_mc=RSS_DR_EDT | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=282231 | Tags: APT 29, APT 28

[Graham Cluley - Blog Security] Fancy Bear used Android malware to track Ukrainian artillery
Security researchers claim that a malicious Android app helped Russian forces deal heavy blows in the Ukrainian crisis. David Bisson reports.
Published: 2016-12-22T17:57:31+00:00 | Link: https://www.grahamcluley.com/fancy-bear-used-android-malware-to-track-ukrainian-artillery/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=278974 | Tags: APT 28

[SecurityWeek - Security News] Russia Used Android Malware to Track Ukrainian Troops: Report
Published: 2016-12-22T12:35:40+00:00 | Link: http://feedproxy.google.com/~r/Securityweek/~3/QAdQzbAlBXw/russia-used-android-malware-track-ukrainian-troops-report | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=278491 | Tags: APT 28

[Dark Reading - Informationweek Branch] Malware Used In DNC Breach Found Tracking Ukraine Military
Published: 2016-12-22T12:15:00+00:00 | Link: http://www.darkreading.com/threat-intelligence/malware-used-in-dnc-breach-found-tracking-ukraine-military/d/d-id/1327778?_mc=RSS_DR_EDT | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=279046 | Tags: APT 28

[Network World - Magazine Info] The group that hacked the DNC infiltrated Ukrainian artillery units
2016-12-22T11:51:45+00:00 http://www.networkworld.com/article/3153022/security/the-group-that-hacked-the-dnc-infiltrated-ukrainian-artillery-units.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=278755 False None APT 28 None
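The two Errata Security posts above (the open letter on the Grizzly Steppe IP list, and "Some notes on IoCs") make one operational argument between them: an IP-only match against a published IoC list is weak evidence, a match on an address that belongs to shared infrastructure such as webmail, CDN or Tor is noise, and the same web shell driven from the same source address on several victims is what would actually make attribution strong. The script below, added here as an illustration and not taken from either post, from the JAR or from any vendor tool, turns that argument into a triage routine. Every input in it is constructed: the IoC list and the access logs use RFC 5737 documentation addresses, the 192.0.2.0/24 "shared infrastructure" range, the /images/thumb.php web shell path and the victim names are placeholders, and the workstation DNS-cache list stands in for the chrome://net-internals check described in the first post.

```python
"""
Triage of hits against a published IoC list. Added example; all data is CONSTRUCTED
(RFC 5737 documentation ranges, placeholder paths and victim names) and is not
taken from the GRIZZLY STEPPE JAR.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed IoC list in "ip,comment" form.
IOC_LIST = """\
# ip,comment  (constructed; RFC 5737 ranges)
198.51.100.7,suspected C2
203.0.113.42,web shell operator
192.0.2.10,large webmail provider
192.0.2.11,large webmail provider
"""

# Constructed: ranges the analyst already knows belong to services everybody uses.
# A hit here says "someone read their mail", not "someone was compromised".
SHARED_INFRA = [ip_network("192.0.2.0/24")]

# Constructed path of the web shell found on the victims' web roots.
WEBSHELL_PATH = "/images/thumb.php"

# Constructed Apache combined-format access logs, one string per victim.
ACCESS_LOGS = {
    "victim-a": (
        '203.0.113.42 - - [10/Nov/2016:03:14:07 +0000] "POST /images/thumb.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
        '192.0.2.10 - - [10/Nov/2016:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"\n'
    ),
    "victim-b": (
        '203.0.113.42 - - [12/Nov/2016:22:01:55 +0000] "POST /images/thumb.php HTTP/1.1" 200 498 "-" "curl/7.47.0"\n'
        '198.51.100.7 - - [12/Nov/2016:22:05:10 +0000] "GET /news/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n'
    ),
}

# Constructed: addresses a workstation's browser resolved, i.e. client-side
# connections with no server-side context at all.
WORKSTATION_DNS_CACHE = ["192.0.2.10", "192.0.2.11", "203.0.113.99"]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def load_iocs(text):
    """Parse 'ip,comment' lines into a dict, skipping blanks and '#' comments."""
    iocs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, _, comment = line.partition(",")
        iocs[ip.strip()] = comment.strip()
    return iocs


def is_shared_infrastructure(ip):
    return any(ip_address(ip) in net for net in SHARED_INFRA)


def triage_ip_hits(observed_ips, iocs):
    """Grade IP-only matches: every one is weak; shared-infrastructure ones are noise."""
    hits = []
    for ip in observed_ips:
        if ip not in iocs:
            continue
        if is_shared_infrastructure(ip):
            grade = "noise: shared infrastructure, normal traffic explains it"
        else:
            grade = "weak: IP-only match, needs corroboration"
        hits.append((ip, iocs[ip], grade))
    return hits


def parse_access_log(text):
    """Return parsed fields for each combined-format line; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def correlate_webshell(access_logs, iocs, webshell_path):
    """IoC IPs that sent requests to the web shell on two or more victims: the
    'same tool, same source, several victims' evidence the second post asks for."""
    victims_by_ip = defaultdict(set)
    for victim, text in access_logs.items():
        for entry in parse_access_log(text):
            if entry["ip"] in iocs and entry["path"] == webshell_path:
                victims_by_ip[entry["ip"]].add(victim)
    return {ip: sorted(v) for ip, v in victims_by_ip.items() if len(v) >= 2}


def main():
    iocs = load_iocs(IOC_LIST)
    print("Workstation DNS cache against the IoC list:")
    for ip, comment, grade in triage_ip_hits(WORKSTATION_DNS_CACHE, iocs):
        print(f"  {ip:<14} ({comment}) -> {grade}")
    print("Web shell requests correlated across victims:")
    for ip, victims in correlate_webshell(ACCESS_LOGS, iocs, WEBSHELL_PATH).items():
        print(f"  {ip:<14} drove {WEBSHELL_PATH} on {', '.join(victims)} -> strong")


if __name__ == "__main__":
    main()
```

Run as-is, the workstation's two webmail hits come out graded as noise, the lone suspected-C2 address would come out as weak if it were observed, and only 203.0.113.42 survives the correlation step, because it posted to the same shell path on both constructed victims. The allowlist of shared ranges is the piece a real deployment has to maintain: without it, the script reproduces exactly the false positive the first post describes.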