www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
2024-06-26T05:11:33+00:00 | www.secnews.physaphae.fr

[Bleeping Computer (American magazine)] North Korean Hackers Use ELECTRICFISH Malware to Steal Data
2019-05-09T16:59:05+00:00 | https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-electricfish-malware-to-steal-data/ | www.secnews.physaphae.fr/article.php?IdArticle=1101338 | Other fields: True; Malware; APT 38; None

[SentinelOne (SecIntel) (Cyber Firms)] Lazarus APT Targets Mac Users with Poisoned Word Document
Threat actors have the know-how to develop campaigns that target your weakest link. Learn how Lazarus APT took their malware to Apple's macOS platform.
2019-04-25T18:28:33+00:00 | https://www.sentinelone.com/labs/lazarus-apt-targets-mac-users-with-poisoned-word-document/ | www.secnews.physaphae.fr/article.php?IdArticle=8388362 | Other fields: False; Malware; APT 38; 3.0000000000000000

[Malwarebytes Labs (MalwarebytesLabs)] A week in security (April 15 – 21)
A roundup of security news from April 15–21, including an explanation of like-farming, the Ellen DeGeneres scam, flaws in VPN services, funky malware formats found in Ocean Lotus, and more. Categories: Security world, Week in security.
2019-04-22T15:47:02+00:00 | https://blog.malwarebytes.com/security-world/2019/04/a-week-in-security-april-15-21/ | www.secnews.physaphae.fr/article.php?IdArticle=1095519 | Other fields: True; Malware; APT 32; None

[Malwarebytes Labs (MalwarebytesLabs)] Funky malware format found in Ocean Lotus sample
Recently, one of our researchers presented at the SAS conference on "Funky malware formats", atypical executable formats used by malware that are only loaded by proprietary loaders. In this post, we analyze one of those formats in a sample called Ocean Lotus from the APT 32 threat group in Vietnam. Categories: Malware, Threat analysis.
2019-04-19T18:37:05+00:00 | https://blog.malwarebytes.com/threat-analysis/2019/04/funky-malware-format-found-in-ocean-lotus-sample/ | www.secnews.physaphae.fr/article.php?IdArticle=1095040 | Other fields: False; Malware, Threat; APT 32; None

[Security Affairs (security blog)] Analyzing OilRig's malware that uses DNS Tunneling
2019-04-18T20:47:05+00:00 | https://securityaffairs.co/wordpress/84125/apt/oilrig-dns-tunneling.html | www.secnews.physaphae.fr/article.php?IdArticle=1093975 | Other fields: False; Malware; APT 34; None

[Kaspersky Threatpost (Kaspersky is a Russian antivirus vendor)] North Korea's Hidden Cobra Strikes U.S. Targets with HOPLIGHT
2019-04-12T14:58:05+00:00 | https://threatpost.com/north-koreas-hidden-cobra-strikes-u-s-targets-with-hoplight/143740/ | www.secnews.physaphae.fr/article.php?IdArticle=1093322 | Other fields: False; Malware, Tool; APT 38; None

[InformationSecurityBuzzNews (security news site)] DHS And FBI Issue Advisory On North Korean HOPLIGHT Malware
2019-04-11T17:00:04+00:00 | https://www.informationsecuritybuzz.com/expert-comments/dhs-and-fbi-issue-advisory-on-north-korean-hoplight-malware/ | www.secnews.physaphae.fr/article.php?IdArticle=1093133 | Other fields: True; Malware; APT 38; None

[IT Security Guru (security blog)] New Hoplight malware marks re-emergence of Lazarus Group.
2019-04-11T12:28:03+00:00 | https://hellofromhony.com/goaway?temp=5&/2019/04/11/new-hoplight-malware-marks-re-emergence-of-lazarus-group/ | www.secnews.physaphae.fr/article.php?IdArticle=1092926 | Other fields: False; Malware, Medical; APT 38; None

[Bleeping Computer (American magazine)] DHS and FBI Issue Advisory on North Korean HOPLIGHT Malware
2019-04-10T14:06:04+00:00 | https://www.bleepingcomputer.com/news/security/dhs-and-fbi-issue-advisory-on-north-korean-hoplight-malware/ | www.secnews.physaphae.fr/article.php?IdArticle=1092654 | Other fields: False; Malware; APT 38; None

[We Live Security (ESET, antivirus software vendor)] OceanLotus: macOS malware update
Latest ESET research describes the inner workings of a recently found addition to OceanLotus's toolset for targeting Mac users.
2019-04-09T09:30:05+00:00 | https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/ | www.secnews.physaphae.fr/article.php?IdArticle=1091885 | Other fields: False; Malware; APT 32; None

[Security Affairs (security blog)] Lazarus APT continues to target cryptocurrency businesses with Mac malware
2019-03-28T08:20:04+00:00 | https://securityaffairs.co/wordpress/82985/apt/lazarus-targets-mac.html | www.secnews.physaphae.fr/article.php?IdArticle=1084744 | Other fields: False; Malware, Medical; APT 38; None

[ZD Net (IT magazine)] North Korean hackers continue attacks on cryptocurrency businesses
2019-03-27T10:52:01+00:00 | https://www.zdnet.com/article/north-korean-hackers-continue-attacks-on-cryptocurrency-businesses/#ftag=RSSbaffb68 | www.secnews.physaphae.fr/article.php?IdArticle=1083251 | Other fields: False; Malware, Medical; APT 38; None

[Security Affairs (security blog)] Iran-Linked Chafer APT recently used python-based backdoor
2019-03-05T21:23:03+00:00 | https://securityaffairs.co/wordpress/82004/breaking-news/chafer-apt-python-backdoor.html | www.secnews.physaphae.fr/article.php?IdArticle=1055754 | Other fields: False; Malware, Prediction; APT 39; None

[Kaspersky Threatpost (Kaspersky is a Russian antivirus vendor)] Chafer APT Takes Aim at Diplomats in Iran with Improved Custom Malware
2019-02-01T19:35:02+00:00 | https://threatpost.com/chafer-iran-apt-malware/141420/ | www.secnews.physaphae.fr/article.php?IdArticle=1019750 | Other fields: False; Malware; APT 39; None

[IT Security Guru (security blog)] Disclosure of Chilean Redbanc Intrusion Leads To Lazarus Ties.
2019-01-16T15:51:01+00:00 | https://www.itsecurityguru.org/2019/01/16/disclosure-of-chilean-redbanc-intrusion-leads-to-lazarus-ties/ | www.secnews.physaphae.fr/article.php?IdArticle=995243 | Other fields: False; Malware, Threat; APT 38; None

[Security Affairs (security blog)] Experts link attack on Chilean interbank network Redbanc NK Lazarus APT
2019-01-16T08:59:01+00:00 | https://securityaffairs.co/wordpress/79929/breaking-news/chilean-research-redbank-lazarus.html | www.secnews.physaphae.fr/article.php?IdArticle=994669 | Other fields: False; Malware; APT 38; None

[AlienVault Blog (AlienVault is a major defensive player in IOCs)] Top 12 Blogs of 2018
Time to look back on the top AlienVault blogs of 2018! Here we go:
A North Korean Monero Cryptocurrency Miner, by Chris Doman: Crypto-currencies could provide a financial lifeline to a country hit hard by sanctions. Therefore it's not surprising that universities in North Korea have shown a clear interest in cryptocurrencies. Recently the Pyongyang University of Science and Technology invited foreign experts to lecture on crypto-currencies. The Installer we've analysed above may be the most recent product of their endeavours.
VLAN Hopping and Mitigation, by Pam: This type of exploit allows an attacker to bypass any layer 2 restrictions built to divide hosts. With proper switch port configuration, an attacker would have to go through a router and any other layer 3 devices to access their target. However, many networks either have poor VLAN implementation or have misconfigurations which will allow for attackers to perform said exploit. In this article, I will go through the two primary methods of VLAN hopping, known as 'switched spoofing' and 'double tagging'. I will then discuss mitigation techniques.
DNS Poisoning and How To Prevent It, by Jeff Thompson: The first thing to understand about DNS 'poisoning' is that the purveyors of the Internet were very much aware of the problem. Essentially, DNS requests are "cached", or stored, into a database which can be queried in almost real-time to point names like 'hotmail.com' or 'google.com' to their appropriate IP addresses. Can you imagine having to remember a string of numbers instead of a fancy name to get to your desired WWW (or GOPHER, if that's your thing) resources? 321.652.77.133 or 266.844.11.66 or even 867.53.0.9 would be very hard to remember. [Note: I have obfuscated REAL IP addresses with very fake ones here. Always trying to stay one step ahead of the AI Armageddon. Real IP addresses end with the numerical value of '255' within each octet.]
4 SIEM Use Cases That Will Dramatically Improve Your Enterprise Security, by Stephen Roe: Companies both large and small must plan to protect their data. Failing to do so puts you at risk for financial trouble, legal liability, and loss of goodwill. Make sure to deploy SIEMs to prevent such misfortunes befalling your business. If you know how to put them to use, SIEMs provide value out of the box. Here's a quick recap on how SIEMs can benefit you with a few clicks. Prevent SQL injection attacks by keeping an eye on the health of your systems. This will keep you ready if and when attacks do happen. For handling watering hole intruders, SIEMs make it easy to monitor suspicious communication hinting at an attack in progress. If you're worried about malware infection, commun
2019-01-10T14:00:00+00:00 | https://feeds.feedblitz.com/~/591487326/0/alienvault-blogs~Top-Blogs-of | www.secnews.physaphae.fr/article.php?IdArticle=984743 | Other fields: False; Malware, Guideline; APT 38, Wannacry; None

[Mandiant (Mandiant security blog)] OVERRULED: Containing a Potentially Destructive Adversary
UPDATE (Jul. 3, 2019): On May 16, 2019 FireEye's Advanced Practices team attributed the remaining "suspected APT33 activity" (referred to as GroupB in this blog post) to APT33, operating at the behest of the Iranian government. The malware and tradecraft in this blog post are consistent with the June 2019 intrusion campaign targeting U.S. federal government agencies and financial, retail, media, and education sectors – as well as U.S. Cyber Command's July 2019 CVE-2017-11774 indicators, which FireEye also attributes to APT33. FireEye's rigorous process for clustering and attributing this
2018-12-21T19:00:00+00:00 | https://www.mandiant.com/resources/blog/overruled-containing-a-potentially-destructive-adversary | www.secnews.physaphae.fr/article.php?IdArticle=8377719 | Other fields: False; Malware; APT33, APT 33, APT 33; 4.0000000000000000

[ZD Net (IT magazine)] Shamoon data-wiping malware believed to be the work of Iranian hackers
2018-12-20T05:16:00+00:00 | https://www.zdnet.com/article/shamoons-data-wiping-malware-believed-to-be-the-work-of-iranian-hackers/#ftag=RSSbaffb68 | www.secnews.physaphae.fr/article.php?IdArticle=955897 | Other fields: False; Malware; APT33, APT 33; None

[Security Affairs (security blog)] Operation Sharpshooter targets critical infrastructure and global defense
2018-12-13T15:01:02+00:00 | https://securityaffairs.co/wordpress/78884/hacking/operation-sharpshooter.html | www.secnews.physaphae.fr/article.php?IdArticle=944317 | Other fields: False; Malware, Threat; APT 38; None

[Bleeping Computer (American magazine)] Op 'Sharpshooter' Uses Lazarus Group Tactics, Techniques, and Procedures
2018-12-12T11:26:05+00:00 | https://www.bleepingcomputer.com/news/security/op-sharpshooter-uses-lazarus-group-tactics-techniques-and-procedures/ | www.secnews.physaphae.fr/article.php?IdArticle=943040 | Other fields: False; Malware, Tool, Threat, Medical; APT 38; None

[Security Affairs (security blog)] North Korea-linked group Lazarus targets Latin American banks
2018-11-24T10:23:02+00:00 | https://securityaffairs.co/wordpress/78382/apt/lazarus-latin-american-banks.html | www.secnews.physaphae.fr/article.php?IdArticle=915607 | Other fields: False; Malware, Medical; APT 38; None

[Security Affairs (security blog)] Symantec shared details of North Korean Lazarus's FastCash Trojan used to hack banks
2018-11-10T14:47:00+00:00 | https://securityaffairs.co/wordpress/77877/apt/lazarus-apt-fastcash-trojan.html | www.secnews.physaphae.fr/article.php?IdArticle=890512 | Other fields: True; Malware, Hack, Medical; APT 38; None

[Dark Reading (Informationweek Branch)] Symantec Uncovers North Korean Group's ATM Attack Malware
2018-11-08T17:45:00+00:00 | https://www.darkreading.com/attacks-breaches/symantec-uncovers-north-korean-groups-atm-attack-malware-/d/d-id/1333233?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple | www.secnews.physaphae.fr/article.php?IdArticle=887602 | Other fields: False; Malware, Medical; APT 38; None

[CSO (CSO Daily Dashboard)] Worst malware and threat actors of 2018 so far
worst botnets and banking trojans, according to Webroot, were Emotet, Trickbot, and Zeus Panda. Crysis/Dharma, GandCrab, and SamSam were the worst among ransomware. The top three in cryptomining/cryptojacking were GhostMiner, Wanna Mine, and Coinhive. And included in the list of top 10 threat actors so far this year, we find Lazarus Group, Sofacy and MuddyWater coming in the top three spots, according to AlienVault. Lazarus Group took the top spot from Sofacy this year. The reported locations for the top 10 threat actors are North Korea, with two groups; Russia, with three groups; Iran, with two groups; China, with two groups; and India, with one. Microsoft Office was the most exploited application, but Adobe Flash, WebLogic, Microsoft Windows, Drupal and GPON routers were also listed in the top 10.
2018-11-06T08:56:00+00:00 | https://www.csoonline.com/article/3319116/malware/worst-malware-and-threat-actors-of-2018-so-far.html#tk.rss_all | www.secnews.physaphae.fr/article.php?IdArticle=883049 | Other fields: False; Malware, Threat, Medical; APT 38; None

[Security Affairs (security blog)] Attackers behind Operation Oceansalt reuse code from Chinese Comment Crew
2018-10-19T07:06:03+00:00 | https://securityaffairs.co/wordpress/77228/apt/operation-oceansalt.html | www.secnews.physaphae.fr/article.php?IdArticle=854509 | Other fields: False; Malware, Threat; APT 32, APT 1; None

[ZD Net (IT magazine)] Oceansalt cyberattack wave linked to defunct Chinese APT Comment Crew
2018-10-18T04:01:00+00:00 | https://www.zdnet.com/article/seasalt-cyberattack-wave-linked-to-chinese-apt-comment-crew/#ftag=RSSbaffb68 | www.secnews.physaphae.fr/article.php?IdArticle=852815 | Other fields: False; Malware; APT 32, APT 1; None

[Mandiant (Mandiant security blog)] APT38: Details on New North Korean Regime-Backed Threat Group
Today, we are releasing details on an advanced persistent threat group that we believe is responsible for conducting financial crime on behalf of the North Korean regime, stealing millions of dollars from banks worldwide. The group is particularly aggressive; they regularly use destructive malware to render victim networks inoperable following theft. More importantly, diplomatic efforts, including the recent Department of Justice (DOJ) complaint that outlined attribution to North Korea, have thus far failed to put an end to their activity. We are calling this group APT38. We are releasing a
2018-10-03T07:00:00+00:00 | https://www.mandiant.com/resources/blog/apt38-details-on-new-north-korean-regime-backed-threat-group | www.secnews.physaphae.fr/article.php?IdArticle=8377729 | Other fields: False; Malware, Threat; APT 38, APT 38; 4.0000000000000000

[Kaspersky Threatpost (Kaspersky is a Russian antivirus vendor)] NOKKI Malware Sports Mysterious Link to Reaper APT Group
2018-10-02T19:23:03+00:00 | https://threatpost.com/nokki-malware-sports-mysterious-link-to-reaper-apt-group/137883/ | www.secnews.physaphae.fr/article.php?IdArticle=828913 | Other fields: False; Malware; APT 37; None

[Bleeping Computer (American magazine)] Report Ties North Korean Attacks to New Malware, Linked by Word Macros
2018-10-01T11:00:00+00:00 | https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/ | www.secnews.physaphae.fr/article.php?IdArticle=827138 | Other fields: False; Malware, Cloud; APT 37; None

[Kaspersky Threatpost (Kaspersky is a Russian antivirus vendor)] OilRig APT Continues Its Ongoing Malware Evolution
2018-09-13T21:19:00+00:00 | https://threatpost.com/oilrig-apt-continues-its-ongoing-malware-evolution/137444/ | www.secnews.physaphae.fr/article.php?IdArticle=806896 | Other fields: False; Malware, Tool; APT 34; None

[ZD Net (IT magazine)] How US authorities tracked down the North Korean hacker behind WannaCry
2018-09-06T21:43:04+00:00 | https://www.zdnet.com/article/how-us-authorities-tracked-down-the-north-korean-hacker-behind-wannacry/#ftag=RSSbaffb68 | www.secnews.physaphae.fr/article.php?IdArticle=796102 | Other fields: False; Malware, Medical; APT 38, Wannacry; None

[AlienVault Lab Blog (AlienVault is a major defensive player in IOCs)] Malware Analysis using Osquery Part 2
first part of this series, we saw how you can use Osquery to analyze and extract valuable information about malware's behavior. In that post, we followed the activity of the known Emotet loader, popular for distributing banking trojans. Using Osquery, we were able to discover how it infects a system using a malicious Microsoft Office document and how it extracts and executes the payload. In this post, we are going to see another common technique that malware uses: persistence. To do so, we will continue using Osquery to explore the registry and startup_items tables.
Registry Persistence. In this case, we will analyze a piece of malware built using the .NET framework, in particular a sample of Shrug ransomware. This malware encrypts users' personal documents and requests an amount of Bitcoins to get all files restored. https://otx.alienvault.com/indicator/file/a554b92036fbbc1c5d1a7d8a4049b01c5b6b7b30f06843fcdccf1f2420dfd707 Opening the sample with a .NET debugger, we can see that it first creates a new file in the user temp directory and writes a new value in the "CurrentVersion\Run" registry key for the user space pointing to that file. The malware will be executed every time the user logs on. This is a common persistence mechanism that malware droppers use in order to stay in the system. If we run the sample in our Osquery environment, we can easily detect this activity using a couple of queries. For example, if you remember the query we used to log files written on disk in Part 1 of this blog series, we can also use it here to detect the file planted in the user temp directory. We are just searching for files written in Users directories in the last 100 seconds. Additionally, we can search for the new entry created in the registry hive. For that, we can use the 'registry' Osquery table, which allows us to query all the registry entries in the system. We can also use the 'startup_items' table. This second table contains a set of predefined paths that the system uses to run programs automatically at startup. Running the following query, we can see how the malware has written a new entry, pointing to the 'shrug.exe' file discovered with the first query. The file shrug.exe is also written on the .NET framework, so we can open it again with the debugger and see some interesting parts. This file first checks if the system is already infected. If not, it creates a new registry key with the same name to write the installation parameters.
2018-09-06T13:00:00+00:00 | http://feeds.feedblitz.com/~/568274998/0/alienvaultotx | www.secnews.physaphae.fr/article.php?IdArticle=795252 | Other fields: False; Malware, Threat; APT 34; 3.0000000000000000

[SecureMac (Security focused on MAC)] Lazarus
2018-09-01T15:54:03+00:00 | https://www.securemac.com/definitions/Lazarus | www.secnews.physaphae.fr/article.php?IdArticle=788908 | Other fields: True; Malware, Threat; APT 38; None

[Dark Reading (Informationweek Branch)] Lazarus Group Builds its First MacOS Malware
2018-08-23T15:07:00+00:00 | https://www.darkreading.com/vulnerabilities---threats/lazarus-group-builds-its-first-macos-malware/d/d-id/1332653?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple | www.secnews.physaphae.fr/article.php?IdArticle=783029 | Other fields: False; Malware, Medical; APT 38; None

[ZD Net (IT magazine)] AppleJeus: macOS users targeted in new Lazarus attacks
2018-08-23T08:00:00+00:00 | https://www.zdnet.com/article/applejeus-macos-users-targeted-in-new-lazarus-attacks/#ftag=RSSbaffb68 | www.secnews.physaphae.fr/article.php?IdArticle=782783 | Other fields: False; Malware; APT 38; None

[Security Affairs (security blog)] The analysis of the code reuse revealed many links between North Korea malware
2018-08-10T16:15:03+00:00 | https://securityaffairs.co/wordpress/75227/malware/north-korea-malware-lazarus.html | www.secnews.physaphae.fr/article.php?IdArticle=775338 | Other fields: False; Malware, Medical, Cloud; APT 38, APT 37; None

[SecurityWeek (Security News)] Researchers Say Code Reuse Links North Korea's Malware
2018-08-09T19:34:03+00:00 | https://www.securityweek.com/researchers-say-code-reuse-links-north-koreas-malware | www.secnews.physaphae.fr/article.php?IdArticle=775112 | Other fields: False; Malware, Threat; APT 38; None

[McAfee Labs (software vendor)] Examining Code Reuse Reveals Undiscovered Links Among North Korea's Malware Families
This research is a joint effort by Jay Rosenberg, senior security researcher at Intezer, and Christiaan Beek, lead scientist and senior principal engineer at McAfee. Intezer has also posted this story. Attacks from the online groups Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy, and 10 Days of Rain are believed to …
2018-08-09T13:00:01+00:00 | https://securingtomorrow.mcafee.com/mcafee-labs/examining-code-reuse-reveals-undiscovered-links-among-north-koreas-malware-families/ | www.secnews.physaphae.fr/article.php?IdArticle=773111 | Other fields: False; Malware, Guideline, Medical, Cloud; APT 38, APT 37; None

[Dark Reading (Informationweek Branch)] Malware in South Korean Cyberattacks Linked to Bithumb Heist
2018-06-25T18:30:00+00:00 | https://www.darkreading.com/attacks-breaches/malware-in-south-korean-cyberattacks-linked-to-bithumb-heist/d/d-id/1332144?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple | www.secnews.physaphae.fr/article.php?IdArticle=722895 | Other fields: False; Malware, Medical; APT 38, Bithumb, Bithumb; None

[AlienVault Lab Blog (AlienVault is a major defensive player in IOCs)] More Details on an ActiveX Vulnerability Recently Used to Target Users in South Korea
ActiveX zero-day was discovered on the website of a South Korea think tank that focuses on national security. Whilst ActiveX controls are disabled on most systems, they are still enabled on most South Korean machines due to mandates by the South Korean government. These attacks have been attributed to Lazarus, a group thought to be linked to North Korea. Below we've shared our brief analysis of the attack.
Profiling Script. The first step appears to have been a profiling script to get information on possible targets for their attack. We've seen Lazarus do this before on other sites they have infected, and it's a technique that other advanced attackers have been seen to employ. This was followed by scripts to perform additional profiling and actually deliver the ActiveX exploit. Some details of these scripts were kindly shared by issuemakerslab, who identified a number of infections that moved over time:
2018-06-11T13:00:00+00:00 | http://feeds.feedblitz.com/~/557751910/0/alienvaultotx~More-Details-on-an-ActiveX-Vulnerability-Recently-Used-to-Target-Users-in-South-Korea | www.secnews.physaphae.fr/article.php?IdArticle=740342 | Other fields: False; Malware, Vulnerability; APT 38; 4.0000000000000000

[Mandiant (Mandiant security blog)] APT37 (Reaper): The Overlooked North Korean Actor
On Feb. 2, 2018, we published a blog detailing the use of an Adobe Flash zero-day vulnerability (CVE-2018-4878) by a suspected North Korean cyber espionage group that we now track as APT37 (Reaper). Our analysis of APT37's recent activity reveals that the group's operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware. We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state
2018-02-20T13:30:00+00:00 | https://www.mandiant.com/resources/blog/apt37-overlooked-north-korean-actor | www.secnews.physaphae.fr/article.php?IdArticle=8377752 | Other fields: False; Malware, Vulnerability; APT 37, APT 37; 4.0000000000000000

[Mandiant (Mandiant security blog)] Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware
When discussing suspected Middle Eastern hacker groups with destructive capabilities, many automatically think of the suspected Iranian group that previously used SHAMOON – aka Disttrack – to target organizations in the Persian Gulf. However, over the past few years, we have been tracking a separate, less widely known suspected Iranian group with potential destructive capabilities, whom we call APT33. Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government. Recent
2017-09-20T09:00:00+00:00 | https://www.mandiant.com/resources/blog/apt33-insights-into-iranian-cyber-espionage | www.secnews.physaphae.fr/article.php?IdArticle=8377764 | Other fields: False; Malware; APT33, APT 33, APT 33; 4.0000000000000000