www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
Feed built: 2025-05-10T22:54:32+00:00

Entry layout: [source] title, then the summary where the feed carries one, then published date | article link | aggregator link | feed fields (flag, tags, related entities, score).

[Security Affairs - Security blog] Experts linked Maui ransomware to North Korean Andariel APT
Cybersecurity researchers from Kaspersky linked the Maui ransomware to the North Korea-backed Andariel APT group. Kaspersky linked with medium confidence the Maui ransomware operation to the North Korea-backed APT group Andariel, which is considered a division of the Lazarus APT Group. North Korean nation-state actors used Maui ransomware to encrypt servers providing healthcare services, including electronic […]
2022-08-09T17:04:09+00:00 | https://securityaffairs.co/wordpress/134195/malware/maui-ransomware-andariel-apt.html | www.secnews.physaphae.fr/article.php?IdArticle=6213659 | False | Ransomware | APT 38 | None

[InfoSecurity Mag - InfoSecurity Magazine] US Treasury Sanctions Virtual Currency Mixer For Connections With Lazarus Group
2022-08-09T15:10:00+00:00 | https://www.infosecurity-magazine.com/news/us-treasury-sanctions-tornado-cash/ | www.secnews.physaphae.fr/article.php?IdArticle=6213011 | False | None | APT 38 | None

[Security Affairs - Security blog] US sanctioned crypto mixer Tornado Cash used by North Korea-linked APT
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned the crypto mixer service Tornado Cash used by North Korea. The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned the crypto mixer service Tornado Cash used by the North Korea-linked Lazarus APT Group. The mixers are essential components for cybercriminals that use […]
2022-08-09T10:28:00+00:00 | https://securityaffairs.co/wordpress/134168/cyber-crime/us-treasury-sanctioned-tornado-cash.html | www.secnews.physaphae.fr/article.php?IdArticle=6209517 | False | None | APT 38 | None

[The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)] U.S. Sanctions Virtual Currency Mixer Tornado Cash for Alleged Use in Laundering
2022-08-09T05:32:48+00:00 | https://thehackernews.com/2022/08/us-sanctions-virtual-currency-mixer.html | www.secnews.physaphae.fr/article.php?IdArticle=6211497 | False | Medical | APT 38 | None

[CyberScoop - scoopnewsgroup.com special Cyber] Treasury Department sanctions cryptocurrency 'mixer' Tornado Cash
2022-08-08T16:31:28+00:00 | https://www.cyberscoop.com/treasury-department-sanctions-tornado-cash-lazarus-group/ | www.secnews.physaphae.fr/article.php?IdArticle=6203842 | False | Medical | APT 38 | None

[NoticeBored - Experienced IT Security professional] CISO workshop slides
A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady eye this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact, given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):
2022-08-06T10:46:21+00:00 | http://blog.noticebored.com/2022/08/a-glossy-nicely-constructed-and.html | www.secnews.physaphae.fr/article.php?IdArticle=6150878 | False | Malware, Vulnerability, Threat, Patching, Guideline, Medical, Cloud | Uber, APT 38, APT 37, APT 28, APT 19, APT 15, APT 10, APT 34, Guam | None

[The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)] U.S. Offers $10 Million Reward for Information on North Korean Hackers
2022-07-27T23:09:54+00:00 | https://thehackernews.com/2022/07/us-offers-10-million-reward-for.html | www.secnews.physaphae.fr/article.php?IdArticle=5985577 | False | Medical | APT 38 | None

[CISCO Talos - Cisco Research blog] Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products
By Francesco Benvenuto. Recently, I was performing some research on a wireless router and noticed the following piece of code:
2022-07-27T12:22:17+00:00 | http://blog.talosintelligence.com/2022/07/vulnerability-spotlight-how-code-re-use.html | www.secnews.physaphae.fr/article.php?IdArticle=5973224 | False | Vulnerability, Guideline, Medical | APT 38, APT 19 | None

[ComputerWeekly - Computer Magazine] US doubles bounty on Lazarus cyber crime group to $10m
2022-07-27T08:40:00+00:00 | https://www.computerweekly.com/news/252523213/US-doubles-bounty-on-Lazarus-cyber-crime-group-to-10m | www.secnews.physaphae.fr/article.php?IdArticle=5969687 | False | None | APT 38 | None

[InfoSecurity Mag - InfoSecurity Magazine] Spear Phishing Fake Job Offer Likely Behind Axie Infinity's Lazarus $600m Hack
2022-07-08T16:00:00+00:00 | https://www.infosecurity-magazine.com/news/fake-job-offer-behind-axie/ | www.secnews.physaphae.fr/article.php?IdArticle=5613385 | False | Hack | APT 38 | None

[Fortinet ThreatSignal - Hardware vendor] North Korean State-Sponsored Threat Actors Deploying "MAUI" Ransomware
2022-07-07T08:14:35+00:00 | https://fortiguard.fortinet.com/threat-signal-report/4663 | www.secnews.physaphae.fr/article.php?IdArticle=5595940 | False | Ransomware, Threat, Patching, Medical | Wannacry, Wannacry, APT 38 | None

[01net News - Security - French magazine] North Korean hackers, prime suspects in a huge cryptocurrency theft
The equivalent of 100 million dollars was stolen last week on the Harmony blockchain. The first findings of the investigation point the finger at the Lazarus group.
2022-07-01T13:47:47+00:00 | https://www.01net.com/actualites/les-hackers-nord-coreens-principaux-suspects-dans-un-enorme-vol-de-cryptomonnaies.html | www.secnews.physaphae.fr/article.php?IdArticle=5492369 | False | None | APT 38 | None

[Security Affairs - Security blog] Experts blame North Korea-linked Lazarus APT for the Harmony hack
The North Korea-linked Lazarus APT group is suspected to be behind the recent hack of the Harmony Horizon Bridge. Recently, threat actors stole $100 million in cryptocurrency from the blockchain company Harmony. The company reported the incident to the authorities; the FBI is investigating the cyber heist with the help of several cybersecurity firms. Harmony's […]
2022-06-30T17:58:47+00:00 | https://securityaffairs.co/wordpress/132759/hacking/harmony-hack-lazarus-apt.html | www.secnews.physaphae.fr/article.php?IdArticle=5473880 | False | Hack, Threat | APT 38 | None

[SecurityWeek - Security News] North Korea Lazarus Hackers Blamed for $100 Million Horizon Bridge Heist
2022-06-30T17:27:16+00:00 | https://www.securityweek.com/north-korea-lazarus-hackers-blamed-100-million-horizon-bridge-heist | www.secnews.physaphae.fr/article.php?IdArticle=5474531 | False | Hack | APT 38 | None

[InfoSecurity Mag - InfoSecurity Magazine] North Korea's Lazarus Group Suspected of $100m Harmony Hack
2022-06-30T16:00:00+00:00 | https://www.infosecurity-magazine.com/news/lazarus-suspected-harmony-hack/ | www.secnews.physaphae.fr/article.php?IdArticle=5472677 | False | Hack | APT 38 | None

[IT Security Guru - Security blog] North Korea-Backed Hacking Collective Lazarus Group Suspected to be Behind Recent Harmony Bridge Attack
2022-06-30T10:40:51+00:00 | https://www.itsecurityguru.org/2022/06/30/north-korea-backed-hacking-collective-lazarus-group-suspected-to-be-behind-recent-harmony-bridge-attack/?utm_source=rss&utm_medium=rss&utm_campaign=north-korea-backed-hacking-collective-lazarus-group-suspected-to-be-behind-recent-harmony-bridge-attack | www.secnews.physaphae.fr/article.php?IdArticle=5469045 | True | Medical | APT 38 | 4.0

[The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)] North Korean Hackers Suspected to be Behind $100M Horizon Bridge Hack
2022-06-29T23:01:41+00:00 | https://thehackernews.com/2022/06/north-korean-hackers-suspected-to-be.html | www.secnews.physaphae.fr/article.php?IdArticle=5465954 | False | Hack, Medical | APT 38 | None

[Graham Cluley - Blog Security] Smashing Security podcast #278: Tim Hortons, avoiding sanctions, and good faith security research
2022-06-09T18:21:34+00:00 | https://grahamcluley.com/smashing-security-podcast-278/ | www.secnews.physaphae.fr/article.php?IdArticle=5060803 | False | Ransomware | APT 38 | None

[Kaspersky - Kaspersky Research blog] IT threat evolution Q1 2022
2022-05-27T08:00:43+00:00 | https://securelist.com/it-threat-evolution-q1-2022/106513/ | www.secnews.physaphae.fr/article.php?IdArticle=4834229 | False | Hack, Threat | APT 38 | 3.0

[Security Affairs - Security blog] North Korea-linked Lazarus APT uses Log4J to target VMware servers
The North Korea-linked Lazarus APT is exploiting the Log4J remote code execution (RCE) flaw in attacks aimed at VMware Horizon servers. The North Korea-linked group Lazarus is exploiting the Log4J RCE vulnerability (CVE-2021-44228) to compromise VMware Horizon servers. Multiple threat actors have been exploiting this flaw since January, when VMware urged customers to patch critical Log4j security vulnerabilities impacting Internet-exposed […]
2022-05-22T15:48:25+00:00 | https://securityaffairs.co/wordpress/131483/apt/lazarus-apt-log4j-vmware-servers.html | www.secnews.physaphae.fr/article.php?IdArticle=4758896 | False | Vulnerability, Threat | APT 38 | None

[The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)] Hackers Exploiting VMware Horizon to Target South Korea with NukeSped Backdoor
2022-05-20T02:23:24+00:00 | https://thehackernews.com/2022/05/hackers-exploiting-vmware-horizon-to.html | www.secnews.physaphae.fr/article.php?IdArticle=4711794 | False | Vulnerability, Medical | APT 38 | None

[Bleeping Computer - American magazine] Lazarus hackers target VMware servers with Log4Shell exploits
2022-05-19T11:24:04+00:00 | https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-vmware-servers-with-log4shell-exploits/ | www.secnews.physaphae.fr/article.php?IdArticle=4707701 | False | Vulnerability | APT 38 | None

[CSO - CSO Daily Dashboard] BrandPost: DDoS Extortion Takes VoIP Providers Offline
NETSCOUT's 2H 2021 Threat Report. Why target VoIP providers? The short answer is financial gain. Attackers know that bringing down VoIP providers that service a large number of customers causes a lot of pain and is therefore ripe for extortion. Cyber attackers launched three worldwide distributed denial-of-service (DDoS) extortion attack campaigns in 2021 – a startling new achievement carried out by a REvil copycat, Lazarus Bear Armada (LBA), and Fancy Lazarus. But threat actors did more than simply increase such global attacks.
2022-05-17T08:44:00+00:00 | https://www.csoonline.com/article/3660514/ddos-extortion-takes-voip-providers-offline.html#tk.rss_all | www.secnews.physaphae.fr/article.php?IdArticle=4668820 | False | Threat | APT 38 | None

[Security Affairs - Security blog] US gov sanctions cryptocurrency mixer Blender also used by North Korea-linked Lazarus APT
2022-05-07T10:45:56+00:00 | https://securityaffairs.co/wordpress/131015/cyber-crime/us-gov-sanctioned-blender-mixer.html | www.secnews.physaphae.fr/article.php?IdArticle=4560160 | False | None | APT 38, APT 28 | 3.0

[The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)] U.S. Sanctions Cryptocurrency Mixer Blender for Helping North Korea Launder Millions
2022-05-06T21:23:05+00:00 | https://thehackernews.com/2022/05/us-sanctions-cryptocurrency-mixer.html | www.secnews.physaphae.fr/article.php?IdArticle=4559230 | False | Hack, Medical | APT 38, APT 28 | 3.0

[Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor] VHD Ransomware Linked to North Korea's Lazarus Group
2022-05-05T12:20:10+00:00 | https://threatpost.com/vhd-ransomware-lazarus-group/179507/ | www.secnews.physaphae.fr/article.php?IdArticle=4548365 | False | Ransomware, Medical | APT 38, APT 28 | None

[Security Affairs - Security blog] Experts linked multiple ransomware strains to North Korea-backed APT38 group
2022-05-04T12:39:23+00:00 | https://securityaffairs.co/wordpress/130892/apt/ransomware-strains-linked-to-nk-apt38.html | www.secnews.physaphae.fr/article.php?IdArticle=4542648 | False | Ransomware, Medical | APT 38 | None

[Anomali - Firm Blog] Anomali Cyber Watch: Gamaredon Delivers Four Pterodos At Once, Known-Plaintext Attack on Yanlouwang Encryption, North-Korea Targets Blockchain Industry, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems (published: April 25, 2022)
Cybereason researchers have compared trending attacks involving SocGholish and Zloader malware. Both infection chains begin with social engineering and malicious downloads masquerading as legitimate software, and both lead to data theft and possible ransomware installation. SocGholish attacks rely on drive-by downloads followed by user execution of a purported browser installer or browser update. The SocGholish JavaScript payload is obfuscated using random variable names and string manipulation. The attacker domain names are written in reverse order with the individual string characters placed at the odd index positions. Zloader infection starts by masquerading as a popular application such as TeamViewer. Zloader acts as an information stealer, backdoor, and downloader. Active since 2016, Zloader actively evolves and has acquired detection evasion capabilities, such as excluding its processes from Windows Defender and using living-off-the-land (LotL) executables.
Analyst Comment: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors.
MITRE ATT&CK: Drive-by Compromise (T1189), Phishing (T1566), User Execution (T1204), Command and Scripting Interpreter (T1059), Windows Management Instrumentation (T1047), Masquerading (T1036), Process Injection (T1055), Signed Binary Proxy Execution (T1218), Credentials from Password Stores (T1555), Steal or Forge Kerberos Tickets (T1558), Steal Web Session Cookie (T1539), Unsecured Credentials (T1552), Remote System Discovery (T1018), System Owner/User Discovery (T1033)
2022-04-26T16:24:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-gamaredon-delivers-four-pterodos-at-once-known-plaintext-attack-on-yanlouwang-encryption-north-korea-targets-blockchain-industry-and-more | www.secnews.physaphae.fr/article.php?IdArticle=4508976 | False | Ransomware, Malware, Tool, Vulnerability, Threat, Guideline, Medical | Uber, APT 38, APT 28 | None

[InfoSecurity Mag - InfoSecurity Magazine] US Government: North Korean Threat Actors Are Targeting Cryptocurrency Organizations
2022-04-20T15:30:00+00:00 | https://www.infosecurity-magazine.com/news/us-government-north-korea/ | www.secnews.physaphae.fr/article.php?IdArticle=4482351 | False | Threat | APT 38, APT 28 | None

[knowbe4 - cybersecurity services] TraderTraitor: When States do Social Engineering
North Korea's Lazarus Group is using social engineering attacks to target users of cryptocurrency, according to a joint advisory from the US FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the US Treasury Department.
2022-04-20T12:49:57+00:00 | https://blog.knowbe4.com/tradertraitor-when-states-do-social-engineering | www.secnews.physaphae.fr/article.php?IdArticle=4481014 | False | Medical | APT 38, APT 28 | None

[InformationSecurityBuzzNews - Security news site] Joint Cybersecurity Advisory Warns Of Blockchain Hackers Targeting Developers And DevOps teams
2022-04-20T09:29:58+00:00 | https://informationsecuritybuzz.com/expert-comments/joint-cybersecurity-advisory-warns-of-blockchain-hackers-targeting-developers-and-devops-teams/ | www.secnews.physaphae.fr/article.php?IdArticle=4480148 | False | None | APT 38, APT 28 | 3.0

[Anomali - Firm Blog] Anomali Cyber Watch: RaidForums Seized, Sandworm Attacks Ukrainian Power Stations, North Korea Steals Chemical Secrets, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Lazarus Targets Chemical Sector (published: April 14, 2022)
In January 2022, Symantec researchers discovered a new wave of Operation Dream Job. This operation, attributed to the North Korea-sponsored group Lazarus, utilizes fake job offers via professional social media and email communications. With the new wave of attacks, Operation Dream Job switched from targeting the defense, government, and engineering sectors to targeting South Korean organizations operating within the chemical sector. A targeted user executes an HTM file sent via a link. The HTM file is copied to a DLL file to be injected into legitimate system management software. It downloads and executes the final backdoor: a trojanized version of the Tukaani project LZMA Utils library (XZ Utils) with a malicious export added (AppMgmt). After the initial access, the attackers gain persistence via scheduled tasks, move laterally, and collect credentials and sensitive information.
Analyst Comment: Organizations should train their users to recognize social engineering attacks, including those posing as "dream job" proposals. Organizations facing cyberespionage threats should implement a defense-in-depth approach: layering of security mechanisms, redundancy, and fail-safe defense processes.
MITRE ATT&CK: Scheduled Task (T1053), User Execution (T1204), Windows Management Instrumentation (T1047), Process Injection (T1055), Valid Accounts (T1078), Signed Binary Proxy Execution (T1218), Credentials from Password Stores (T1555)
Tags: Lazarus, Operation Dream Job, North Korea, source-country:KP, South Korea, target-country:KR, APT, HTM, CPL, Chemical sector, Espionage, Supply chain, IT sector
Old Gremlins, New Methods (published: April 14, 2022)
Group-IB researchers have released their analysis of threat actor OldGremlin's new March 2022 campaign. OldGremlin favored phishing as an initial infection vector, crafting intricate phishing emails that target Russian industries. The threat actors utilized the current war between Russia and Ukraine to add a sense of legitimacy to their emails, with claims that users needed to click a link to register for a new credit card, as current ones would be rendered useless by incoming sanctions. The link leads users to a malicious Microsoft Office document stored within Dropbox. When macros are enabled, the threat actor's new, custom backdoor, TinyFluff, a new version of their old TinyNode
2022-04-19T15:00:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-raidforums-seized-sandworm-attacks-ukrainian-power-stations-north-korea-steals-chemical-secrets-and-more | www.secnews.physaphae.fr/article.php?IdArticle=4477972 | False | Ransomware, Spam, Malware, Vulnerability, Threat, Guideline, Medical | APT 38, APT 28 | None

[IT Security Guru - Security blog] Blockchain companies warned of North Korean hackers
2022-04-19T10:41:45+00:00 | https://www.itsecurityguru.org/2022/04/19/blockchain-companies-warned-of-north-korean-hackers/?utm_source=rss&utm_medium=rss&utm_campaign=blockchain-companies-warned-of-north-korean-hackers | www.secnews.physaphae.fr/article.php?IdArticle=4476983 | True | Threat, Medical | APT 38, APT 28 | None

[SecurityWeek - Security News] US: Hackers Continue Aiding North Korea Generate Funds via Cryptocurrency Attacks
2022-04-19T10:12:54+00:00 | https://www.securityweek.com/us-hackers-continue-aiding-north-korea-generate-funds-cryptocurrency-attacks | www.secnews.physaphae.fr/article.php?IdArticle=4476944 | False | None | APT 38, APT 28 | None

[InfoSecurity Mag - InfoSecurity Magazine] Ronin Crypto Heist of $618m Traced to North Korea
2022-04-19T09:00:00+00:00 | https://www.infosecurity-magazine.com/news/ronin-crypto-heist-618m-north-korea/ | www.secnews.physaphae.fr/article.php?IdArticle=4476653 | False | Medical | APT 38, APT 28 | None

[The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)] FBI, U.S. Treasury and CISA Warn of North Korean Hackers Targeting Blockchain Companies
2022-04-19T00:02:44+00:00 | https://thehackernews.com/2022/04/fbi-us-treasury-and-cisa-warns-of-north.html | www.secnews.physaphae.fr/article.php?IdArticle=4476391 | False | Threat, Medical | APT 38, APT 28 | None

[Security Affairs - Security blog] Security Affairs newsletter Round 361 by Pierluigi Paganini
2022-04-17T09:53:35+00:00 | https://securityaffairs.co/wordpress/130275/breaking-news/security-affairs-newsletter-round-361-by-pierluigi-paganini.html | www.secnews.physaphae.fr/article.php?IdArticle=4467412 | False | None | APT 38, APT 28 | None

[Security Affairs - Security blog] U.S. Gov believes North Korea-linked Lazarus APT is behind Ronin Validator cyber heist
2022-04-16T20:30:51+00:00 | https://securityaffairs.co/wordpress/130260/apt/lazarus-ronin-validator-cyber-heist.html | www.secnews.physaphae.fr/article.php?IdArticle=4466227 | False | None | APT 38, APT 28 | None

[The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)] Lazarus Group Behind $540 Million Axie Infinity Crypto Hack and Attacks on Chemical Sector
2022-04-16T01:31:45+00:00 | https://thehackernews.com/2022/04/lazarus-hackers-behind-540-million-axie.html | www.secnews.physaphae.fr/article.php?IdArticle=4463512 | False | Hack, Threat, Medical | APT 38, APT 28 | None

[SecurityWeek - Security News] North Korea APT Lazarus Targeting Chemical Sector
2022-04-15T14:24:33+00:00 | https://www.securityweek.com/north-korea-apt-lazarus-targeting-chemical-sector | www.secnews.physaphae.fr/article.php?IdArticle=4457124 | False | None | APT 38, APT 28 | None

[SecurityWeek - Security News] U.S. Gov Blames North Korea Hackers for $600M Cryptocurrency Heist
2022-04-14T20:07:22+00:00 | https://www.securityweek.com/us-gov-blames-north-korea-hackers-600m-cryptocurrency-heist | www.secnews.physaphae.fr/article.php?IdArticle=4451205 | False | Medical | APT 38, APT 28 | None

[The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)] North Korean Hackers Distributing Trojanized DeFi Wallet Apps to Steal Victims' Crypto
2022-04-01T03:37:45+00:00 | https://thehackernews.com/2022/04/north-korean-hackers-distributing.html | www.secnews.physaphae.fr/article.php?IdArticle=4377812 | False | Medical | APT 38 | None

[Kaspersky - Kaspersky Research blog] Lazarus Trojanized DeFi app for delivering malware
2022-03-31T12:00:23+00:00 | https://securelist.com/lazarus-trojanized-defi-app/106195/ | www.secnews.physaphae.fr/article.php?IdArticle=4373277 | False | Malware | APT 38 | None

[Mandiant - Mandiant security blog] Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations
Mandiant believes that North Korea's cyber capability supports both long-standing and immediate political and national security priorities, as well as financial goals. We assess most of North Korea's cyber operations, including espionage, destructive operations, and financial crimes, are primarily conducted by elements within the Reconnaissance General Bureau. Meanwhile, the Ministry of State Security and United Front Department's missions appear to play limited roles in North Korea's cyber program. Open-source reporting often uses the Lazarus Group title as an umbrella term referring to
2022-03-23T09:00:00+00:00 | https://www.mandiant.com/resources/blog/mapping-dprk-groups-to-government | www.secnews.physaphae.fr/article.php?IdArticle=8377489 | False | Threat | APT 38 | 4.0

[IT Security Guru - Security blog] Cryptocurrency organisations hit with fake job offers
2022-02-09T10:57:38+00:00 | https://www.itsecurityguru.org/2022/02/09/cryptocurrency-organisations-hit-with-fake-job-offers/?utm_source=rss&utm_medium=rss&utm_campaign=cryptocurrency-organisations-hit-with-fake-job-offers | www.secnews.physaphae.fr/article.php?IdArticle=4098829 | False | Threat, Medical | APT 38, APT 28 | 2.0

[ZD Net - IT magazine] Lazarus hackers target defense industry with fake Lockheed Martin job offers
2022-02-09T09:31:42+00:00 | https://www.zdnet.com/article/lazarus-hackers-target-defense-industry-with-fake-lockheed-martin-job-offers/#ftag=RSSbaffb68 | www.secnews.physaphae.fr/article.php?IdArticle=4098817 | False | None | APT 38 | None

[SecurityWeek - Security News] North Korean Hackers Abuse Windows Update Client in Attacks on Defense Industry
2022-01-31T15:41:44+00:00 | https://www.securityweek.com/north-korean-hackers-abuse-windows-update-client-attacks-defense-industry | www.secnews.physaphae.fr/article.php?IdArticle=4059850 | False | Threat | APT 38, APT 28 | None

[Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor] Lazarus APT Uses Windows Update to Spew Malware
2022-01-28T21:47:21+00:00 | https://threatpost.com/lazarus-apt-windows-update-malware-github/178096/ | www.secnews.physaphae.fr/article.php?IdArticle=4048445 | False | Malware | APT 38 | None

[The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)] North Korean Hackers Using Windows Update Service to Infect PCs with Malware
2022-01-28T01:24:28+00:00 | https://thehackernews.com/2022/01/north-korean-hackers-using-windows.html | www.secnews.physaphae.fr/article.php?IdArticle=4045173 | False | Malware, Medical | APT 38, APT 28 | None

[Security Affairs - Security blog] North Korea-linked Lazarus APT used Windows Update client and GitHub in recent attacks
2022-01-27T20:30:53+00:00 | https://securityaffairs.co/wordpress/127296/apt/lazarus-apt-windows-update-client.html?utm_source=rss&utm_medium=rss&utm_campaign=lazarus-apt-windows-update-client | www.secnews.physaphae.fr/article.php?IdArticle=4043080 | False | Malware | APT 38, APT 28 | None

[Bleeping Computer - American magazine] Lazarus hackers use Windows Update to deploy malware
2022-01-27T13:31:40+00:00 | https://www.bleepingcomputer.com/news/security/lazarus-hackers-use-windows-update-to-deploy-malware/ | www.secnews.physaphae.fr/article.php?IdArticle=4042581 | False | Malware | APT 38 | None

[Anomali - Firm Blog] Anomali Cyber Watch: Russia-Sponsored Cyber Threats, China-Based Earth Lusca Active in Cyberespionage and Cybertheft, BlueNoroff Hunts Cryptocurrency-Related Businesses, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques (published: January 17, 2022)
The Earth Lusca threat group is part of the Winnti cluster. It is one of several Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs), including the use of Winnti malware. Earth Lusca was active throughout 2021, committing both cyberespionage operations against government-connected organizations and financially-motivated intrusions targeting gambling and cryptocurrency-related sectors. For initial intrusion, the group uses several methods, including spearphishing, watering hole attacks, and exploiting publicly facing servers. Cobalt Strike is one of the group's preferred post-exploitation tools. It is followed by the use of the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group employs two separate infrastructure clusters: the first consists of rented Vultr VPS servers used for command-and-control (C2); the second consists of compromised web servers used to scan for vulnerabilities, tunnel traffic, and host Cobalt Strike C2.
Analyst Comment: Earth Lusca often relies on tried-and-true techniques that can be stopped by security best practices, such as not clicking suspicious email or website links and not reacting to random banners urging an update of important public-facing applications. Don't be tricked into downloading an Adobe Flash update; Flash was discontinued at the end of December 2020. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) updated.
MITRE ATT&CK: Drive-by Compromise (T1189), Exploit Public-Facing Application (T1190), Phishing (T1566), Command and Scripting Interpreter (T1059), Scheduled Task (T1053), System Services (T1569), Windows Management Instrumentation (T1047), Account Manipulation (T1098), BITS Jobs (T1197), Create Account (T1136), Create or Modify System Process (T1543), External Remote Services (T1133), Hijack Execution Flow
2022-01-19T22:45:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-russia-sponsored-cyber-threats-china-based-earth-lusca-active-in-cyberespionage-and-cybertheft-bluenoroff-hunts-cryptocurrency-related-businesses-and-more | www.secnews.physaphae.fr/article.php?IdArticle=3999162 | False | Ransomware, Malware, Tool, Vulnerability, Threat, Patching, Guideline | APT 41, APT 38, APT 29, APT 28, APT 28 | None

[knowbe4 - cybersecurity services] North Korean Cryptocurrency Theft Relies on Social Engineering
A North Korean threat actor being called "BlueNoroff," a subunit of Pyongyang's Lazarus Group, has been targeting cryptocurrency startups with financially motivated attacks, researchers at Kaspersky have found. The campaign, "SnatchCrypto," is using malicious documents to gain access to internal communications, then using social engineering to manipulate employees.
2022-01-18T16:59:26+00:00 | https://blog.knowbe4.com/north-korean-cryptocurrency-theft-relies-on-social-engineering | www.secnews.physaphae.fr/article.php?IdArticle=3987812 | False | Threat, Medical | APT 38, APT 28 | None

[Security Affairs - Security blog] North Korea-linked APT BlueNoroff focuses on crypto theft
2022-01-14T15:46:18+00:00 | https://securityaffairs.co/wordpress/126713/apt/bluenoroff-apt-cryptocurrency.html?utm_source=rss&utm_medium=rss&utm_campaign=bluenoroff-apt-cryptocurrency | www.secnews.physaphae.fr/article.php?IdArticle=3964522 | False | None | APT 38, APT 28 | None

[SecurityWeek - Security News] North Korean Hackers Stole $400 Million Worth of Cryptocurrency in 2021
2022-01-14T15:29:16+00:00 | https://www.securityweek.com/north-korean-hackers-stole-400-million-worth-cryptocurrency-2021 | www.secnews.physaphae.fr/article.php?IdArticle=3965198 | False | None | APT 38, APT 28 | None

[The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)] North Korean Hackers Stole Millions from Cryptocurrency Startups Worldwide
2022-01-14T06:16:30+00:00 | https://thehackernews.com/2022/01/north-korean-hackers-stole-millions.html | www.secnews.physaphae.fr/article.php?IdArticle=3964446 | False | None | APT 38, APT 28 | None

[IT Security Guru - Security blog] Lazarus Group, Cobalt Gang and FIN7 the Worst Threat Actors Targeting the Financial Services Sector
2022-01-13T14:02:59+00:00 | https://www.itsecurityguru.org/2022/01/13/lazarus-group-cobalt-gang-and-fin7-the-worst-threat-actors-targeting-the-financial-services-sector/?utm_source=rss&utm_medium=rss&utm_campaign=lazarus-group-cobalt-gang-and-fin7-the-worst-threat-actors-targeting-the-financial-services-sector | www.secnews.physaphae.fr/article.php?IdArticle=3957365 | False | Threat | APT 38 | None

[ZD Net - IT magazine] Fingers point to Lazarus, Cobalt, FIN7 as key hacking groups attacking finance industry
2022-01-13T08:00:02+00:00 | https://www.zdnet.com/article/fingers-point-to-lazarus-cobalt-fin7-as-key-hacking-groups-focused-on-finance-industry/#ftag=RSSbaffb68 | www.secnews.physaphae.fr/article.php?IdArticle=3956145 | False | None | APT 38 | None

[UnderNews - French "pirate" news site] A massive spyware campaign targets thousands of ICS computers worldwide
2021-12-23T13:11:14+00:00 | https://www.undernews.fr/malwares-virus-antivirus/une-campagne-massive-de-spyware-vise-des-milliers-dordinateurs-ics-dans-le-monde-entier.html | www.secnews.physaphae.fr/article.php?IdArticle=3859596 | False | Malware | APT 38 | None

[Anomali - Firm Blog] Anomali Cyber Watch: 'PseudoManuscrypt' Mass Spyware Campaign Targets 35K Systems, APT31 Intrusion Set Campaign: Description, Countermeasures and Code, State-sponsored hackers abuse Slack API to steal
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
NSW Government Casual Recruiter Suffers Ransomware Hit (published: December 17, 2021)
Finite Recruitment suffered a ransomware attack during the month of October 2021, resulting in the exfiltration of some data. Their incident responders (IR) identified the ransomware as Conti, a fast-encrypting ransomware commonly attributed to the cybercriminal group Wizard Spider. The exfiltrated data was published on the dark web; however, the firm remains fully operational, and affected customers are being informed.
Analyst Comment: Always check to see if there is a decryptor available for the ransomware before considering payment. Enforce a strong backup policy to ensure that data is recoverable in the event of encryption or loss.
MITRE ATT&CK: Scheduled Transfer (T1029)
Tags: Conti, Wizard Spider, Ransomware, Banking and Finance
Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions (published: December 16, 2021)
Check Point Research has uncovered a new variant of the Phorpiex botnet named Twizt. Historically, Phorpiex utilized sextortion, ransomware delivery, and cryptocurrency clipping. Twizt, however, appears to be primarily focused on stealing cryptocurrency and has stolen half a million dollars since November 2020 in the form of Bitcoin, Ether and ERC20 tokens. The botnet features a departure from its traditional command and control (C2) infrastructure, opting for peer-to-peer (P2P) communications between infected hosts, eliminating the need for C2 communication as each host can fulfill that role.
Analyst Comment: Bots within a P2P network need to communicate regularly with other bots to receive and share commands. If the infected bots are on a private network, private IP addresses will be used. Therefore, careful monitoring of network traffic will reveal suspicious activity and a spike in network resource usage, as opposed to the detection of C2 IP addresses.
MITRE ATT&CK: Data Encoding (T1132), File and Directory Discovery (T1083), Clipboard Data (T1115)
Tags: Phorpiex, Twizt, Russia, Banking and Finance, Cryptocurrency, Bitcoin
'PseudoManuscrypt' Mass Spyware Campaign Targets 35K Systems (published: December 16, 2021)
Kaspersky researchers have documented a spyware that has targeted 195 countries as of December 2021. The spyware, named PseudoManuscrypt, was developed and deployed by Lazarus Group
2021-12-21T16:57:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-pseudomanuscrypt-mass-spyware-campaign-targets-35k-systems-apt31-intrusion-set-campaign-description-countermeasures-and-code-state-sponsored-hackers-abuse-slack-api-to-steal | www.secnews.physaphae.fr/article.php?IdArticle=3841167 | False | Ransomware, Malware, Vulnerability, Threat, Guideline, Medical | APT 41, APT 38, APT 28, APT 31 | None

[The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)] New PseudoManuscrypt Malware Infected Over 35,000 Computers in 2021
2021-12-17T03:05:10+00:00 | https://thehackernews.com/2021/12/new-pseudomanuscrypt-malware-infected.html | www.secnews.physaphae.fr/article.php?IdArticle=3812806 | False | Malware | APT 38 | None

[Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor] 'PseudoManuscrypt' Mass Spyware Campaign Targets 35K Systems
2021-12-16T18:36:40+00:00 | https://threatpost.com/pseudomanuscrypt-mass-spyware-campaign/177097/ | www.secnews.physaphae.fr/article.php?IdArticle=3809256 | False | None | APT 38 | None

[Kaspersky - Kaspersky Research blog] PseudoManuscrypt: a mass-scale spyware attack campaign
2021-12-16T10:00:19+00:00 | https://securelist.com/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/105286/ | www.secnews.physaphae.fr/article.php?IdArticle=3806117 | False | Malware | APT 38, APT 28 | None

[Security Affairs - Security blog] North Korea-linked Zinc group posed as Samsung recruiters to target security firms
2021-11-28T12:11:54+00:00
https://securityaffairs.co/wordpress/125071/apt/north-korea-zinc-targets-security-firms.html?utm_source=rss&utm_medium=rss&utm_campaign=north-korea-zinc-targets-security-firms www.secnews.physaphae.fr/article.php?IdArticle=3718986 False Threat APT 38 None Anomali - Firm Blog Anomali Cyber Watch: REvil Affiliates Arrested, Electronics Retail Giant Hit By Ransomware, Robinhood Breach, Zero Day In Palo Alto Security Appliance and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer (published: November 8, 2021) US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert about advanced persistent threat (APT) actors exploiting vulnerability in self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. PaloAlto, Microsoft & Lumen Technologies did a joint effort to track, analyse and mitigate this threat. The attack deployed a webshell and created a registry key for persistence. The actor leveraged leased infrastructure in the US to scan hundreds of organizations and compromised at least nine global organizations across technology, defense, healthcare and education industries. Analyst Comment: This actor has used some unique techniques in these attacks including: a blockchain based legitimate remote control application, and credential stealing tool which hooks specific functions from the LSASS process. It’s important to make sure your EDR solution is configured to and supports detecting such advanced techniques in order to detect such attacks. 
MITRE ATT&CK: [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Credentials in Files - T1081 | [MITRE ATT&CK] Brute Force - T1110 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hooking - T1179 | [MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060 | [MITRE ATT&CK] Pass the Hash - T1075 Tags: Threat Group 3390, APT27, TG-3390, Emissary Panda, WildFire, NGLite backdoor, Cobalt Strike, Godzilla, PwDump, beacon, ChinaChopper, CVE-2021-40539, Healthcare, Military, North America, China REvil Affiliates Arrested; DOJ Seizes $6.1M in Ransom (published: November 9, 2021) A 22 year old Ukranian national named Yaroslav Vasinskyi, has been charged with conducting ransomware attacks by the U.S Department of Justice (DOJ). These attacks include t]]> 2021-11-16T17:34:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-revil-affiliates-arrested-electronics-retail-giant-hit-by-ransomware-robinhood-breach-zero-day-in-palo-alto-security-appliance-and-more www.secnews.physaphae.fr/article.php?IdArticle=3667130 False Ransomware,Data Breach,Malware,Tool,Vulnerability,Threat,Medical APT 38,APT 27,APT 1 None Security Affairs - Blog Secu North Korea-linked Lazarus group targets cybersecurity experts with Trojanized IDA Pro 2021-11-15T15:34:25+00:00 https://securityaffairs.co/wordpress/124630/apt/lazarus-trojanized-ida-pro.html?utm_source=rss&utm_medium=rss&utm_campaign=lazarus-trojanized-ida-pro www.secnews.physaphae.fr/article.php?IdArticle=3663647 False Threat APT 38,APT 28 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
North Korean Hackers Target Cybersecurity Researchers with Trojanized IDA Pro 2021-11-15T02:21:24+00:00 https://thehackernews.com/2021/11/north-korean-hackers-target.html www.secnews.physaphae.fr/article.php?IdArticle=3662545 True None APT 38 None Bleeping Computer - Magazine Américain Lazarus hackers target researchers with trojanized IDA Pro 2021-11-10T12:08:04+00:00 https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-researchers-with-trojanized-ida-pro/ www.secnews.physaphae.fr/article.php?IdArticle=3639434 False Hack APT 38,APT 28 None SecurityWeek - Security News North Korean Hackers Targeting IT Supply Chain: Kaspersky 2021-10-27T16:06:53+00:00 http://feedproxy.google.com/~r/securityweek/~3/gWK-Sb4KvR4/kaspersky-north-korean-hackers-targeting-it-supply-chain www.secnews.physaphae.fr/article.php?IdArticle=3573968 False None APT 38,APT 28 None InfoSecurity Mag - InfoSecurity Magazine North Korean Lazarus APT Targets Software Supply Chain 2021-10-27T09:30:00+00:00 https://www.infosecurity-magazine.com/news/north-korean-lazarus-software/ www.secnews.physaphae.fr/article.php?IdArticle=3571769 False Threat APT 38,APT 28 4.0000000000000000 Security Affairs - Blog Secu North Korea-linked Lazarus APT targets the IT supply chain 2021-10-27T09:03:08+00:00 https://securityaffairs.co/wordpress/123831/apt/north-korea-lazarus-supply-chain.html?utm_source=rss&utm_medium=rss&utm_campaign=north-korea-lazarus-supply-chain www.secnews.physaphae.fr/article.php?IdArticle=3571716 False Malware APT 38,APT 28 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
Latest Report Uncovers Supply Chain Attacks by North Korean Hackers ]]> 2021-10-27T00:14:47+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/nYK8fTcVuRM/latest-report-uncovers-supply-chain.html www.secnews.physaphae.fr/article.php?IdArticle=3571547 False Malware,Threat,Medical APT 38,APT 28 None Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe Lazarus Attackers Turn to the IT Supply Chain 2021-10-26T19:30:37+00:00 https://threatpost.com/lazarus-apt-it-supply-chain/175772/ www.secnews.physaphae.fr/article.php?IdArticle=3568972 False None APT 38 None Bleeping Computer - Magazine Américain North Korean state hackers start targeting the IT supply chain 2021-10-26T13:23:54+00:00 https://www.bleepingcomputer.com/news/security/north-korean-state-hackers-start-targeting-the-it-supply-chain/ www.secnews.physaphae.fr/article.php?IdArticle=3568293 False None APT 38,APT 28 None TroyHunt - Blog Security Study confirms superior sound of a Stradivari is due to the varnish 2021-09-16T23:30:08+00:00 https://arstechnica.com/?p=1792679 www.secnews.physaphae.fr/article.php?IdArticle=3381130 False Medical APT 38 None Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe Lazarus Targets Job-Seeking Engineers with Malicious Documents 2021-07-09T10:50:37+00:00 https://threatpost.com/lazarus-engineers-malicious-docs/167647/ www.secnews.physaphae.fr/article.php?IdArticle=3041637 False None APT 38 None Graham Cluley - Blog Security Lazarus gang targets engineers with job offers using poisoned emails 2021-07-08T15:34:48+00:00 https://www.tripwire.com/state-of-security/security-data-protection/lazarus-gang-targets-engineers-with-job-offers-using-poisoned-emails/ www.secnews.physaphae.fr/article.php?IdArticle=3038180 False None APT 38 None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Lazarus campaign TTPs and evolution T1036.003). 
Background Since 2009, the known tools and capabilities believed to have been used by the Lazarus Group include DDoS botnets, keyloggers, remote access tools (RATs), and drive wiper malware. The most publicly documented malware and tools used by the group actors include Destover, Duuzer, and Hangman. Analysis Several documents identified from May to June 2021 by Twitter users were identified as being linked to the Lazarus group. Documents observed in previous campaigns lured victims with job opportunities for Boeing and BAE systems. These new documents include: Rheinmetall_job_requirements.doc: identified by ESET Research. General_motors_cars.doc: identified by Twitter user @1nternaut. Airbus_job_opportunity_confidential.doc: identified by 360CoreSec. The documents attempted to impersonate new defense contractors and engineering companies like Airbus, General Motors (GM), and Rheinmetall. All of these documents contain macro malware, which has been developed and improved during the course of this campaign and from one target to another. The core techniques for the three malicious documents are the same, but the attackers attempted to reduce the potential detections and increase the faculties of the macros. First iteration: Rheinmetall The first two documents from early May 2021 were related to a German Engineering company focused on the defense and automotive industries, Rheinmetall. The second malicious document appears to include more elaborate content, which may have resulted in the documents going unnoticed by victims. The Macro has base64 encoded files, which are extracted and decoded during execution. Some of the files are split inside the Macro and are not combined until the time of decoding. One of the most distinctive characteristics of this Macro is how it evades detections of a MZ header encoded in base64 (TVoA, TVpB, TVpQ, TVqA, TVqQ or TVro), by separating the first two characters from the rest of the content, as seen in Figure 1. 
MZ header conceal Figure 1: Concealing of MZ header, as captured by Alien Labs. The rest of the content is kept together in lines of 64 characters, and because of this, YARA rules can be used to detect other, typical executable content encoded in base64 aside of the MZ header. In this case, up to nine different YARA rules alerted to suspicious encoded strings in our Alien Labs analysis, like VirtualProtect, GetProcAddress, IsDe]]> 2021-07-06T10:00:00+00:00 https://feeds.feedblitz.com/~/656720256/0/alienvault-blogs~Lazarus-campaign-TTPs-and-evolution www.secnews.physaphae.fr/article.php?IdArticle=3027251 False Malware,Threat,Guideline,Medical APT 38,APT 28 None Anomali - Firm Blog Anomali May Quarterly Product Release: Democratizing Intelligence Building Custom Dashboard Widgets Based on Threat Model Data Dashboards in ThreatStream provide a quick, digestible, and timely source of key metrics on threat intelligence indicators. Custom dashboards can be tailored for a given organization’s or user’s requirements. Users can now develop their own dashboard with widgets based on Threat Model saved searches also, in addition to an Observable saved search. Users can also choose to incorporate out-of-the-box widgets or develop their own, based on an advanced saved search (of Observables or Threat Models). This new feature builds upon features we’ve been adding to ThreatStream over recent releases, i.e. the addition of custom widgets and also the enablement of Threat Model advanced saved searches. Industry News Trend Widgets in ThreatStream Dashboard ThreatStream Dashboards provide key decision-making data in an easy-to-digest visual format for all users of ThreatStream - whether research analyst, team manager or CISO. With this release, industry trending news on Actors, Malware and Common Vulnerabilities and Exposures (CVEs) are available as graph widgets within the ThreatStream dashboard. 
Our trending engine is based on data sourced from a huge array of public and private security news feeds, blogs, and other reputable sources.  The graphs provide current lists of trending entities, with pertinent information and graphs showing activity over various timelines. Currently, this feature is exclusive to Anomali Lens+ customers. MITRE ATT&CK Support for Sub-techniques  The MITRE ATT&CK Security Framework is one of the most widely used tools to help organizations un]]> 2021-07-01T10:00:00+00:00 https://www.anomali.com/blog/anomali-may-quarterly-product-release-democratizing-intelligence www.secnews.physaphae.fr/article.php?IdArticle=3006318 False Malware,Threat APT 38 None Anomali - Firm Blog Anomali Cyber Watch:  Klingon RAT Holding on for Dear Life, CVS Medical Records Breach, Black Kingdom Ransomware and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Andariel Evolves to Target South Korea with Ransomware (published: June 15, 2021) Researchers at securelist identified ransomware attacks from Andariel, a sub-group of Lazarus targeting South Korea. Attack victims included entities from manufacturing, home network service, media and construction sectors. These attacks involved malicious Microsoft Word documents containing a macro and used novel techniques to implant a multi-stage payload. The final payload was a ransomware custom made for this specific attack. Analyst Comment: Users should be wary of documents that request Macros to be enabled. All employees should be educated on the risk of opening attachments from unknown senders. Anti-spam and antivirus protections should be implemented and kept up-to-date with the latest version to better ensure security. 
MITRE ATT&CK: [MITRE ATT&CK] System Network Connections Discovery - T1049 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Lazarus group, Lazarus, Andariel, Hidden Cobra, tasklist, Manuscrypt, Banking And Finance, Malicious documents, Macros Matanbuchus: Malware-as-a-Service with Demonic Intentions (published: June 15, 2021) In February 2021, BelialDemon advertised a new malware-as-a-service (MaaS) called Matanbuchus Loader and charged an initial rental price of $2,500. Malware loaders are malicious software that typically drop or pull down second-stage malware from command and control (C2) infrastructures. Analyst Comment: Malware as a Service (MaaS) is a relatively new development, which opens the doors of crime to anyone with the money to pay for access. A criminal organization that wants to carry out a malware attack on a target no longer requires in-house technical expertise or infrastructure. Such attacks in most cases share tactics, techniques, and even IOCs. This highlights the importance of intelligence sharing for proactive protection. MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016 Tags: BelialDemon, Matanbuchus, Belial, WildFire, EU, North America Black Kingdom ransomware (published: June 17]]> 2021-06-22T18:18:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-klingon-rat-holding-on-for-dear-life-cvs-medical-records-breach-black-kingdom-ransomware-and-more www.secnews.physaphae.fr/article.php?IdArticle=2966761 False Ransomware,Data Breach,Malware,Vulnerability,Threat,Medical APT 38,APT 28 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
Malware Attack on South Korean Entities Was Work of Andariel Group ]]> 2021-06-16T05:25:25+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/Pj15o6lVbTE/malware-attack-on-south-korean-entities.html www.secnews.physaphae.fr/article.php?IdArticle=2935756 False Malware APT 38 None ProofPoint - Firm Security Fake Lazarus DDoS Gang Launches New \'Attacks\' 2021-06-11T11:34:28+00:00 https://www.proofpoint.com/us/newsroom/news/fake-lazarus-ddos-gang-launches-new-attacks www.secnews.physaphae.fr/article.php?IdArticle=2921284 False None APT 38,APT 28 None Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe \'Fancy Lazarus\' Cyberattackers Ramp up Ransom DDoS Efforts 2021-06-10T21:54:21+00:00 https://threatpost.com/fancy-lazarus-cyberattackers-ransom-ddos/166811/ www.secnews.physaphae.fr/article.php?IdArticle=2905365 False None APT 38 None UnderNews - Site de news "pirate" francais L\'acteur Fancy Lazarus spécialiste des extorsions DDoS fait son grand retour L'acteur Fancy Lazarus spécialiste des extorsions DDoS fait son grand retour first appeared on UnderNews.]]> 2021-06-10T12:33:45+00:00 https://www.undernews.fr/hacking-hacktivisme/lacteur-fancy-lazarus-specialiste-des-extorsions-ddos-fait-son-grand-retour.html www.secnews.physaphae.fr/article.php?IdArticle=2902941 False None APT 38,APT 28 None ProofPoint - Firm Security \'Fancy Lazarus\' Criminal Group Launches DDoS Extortion Campaign 2021-06-10T11:18:22+00:00 https://www.proofpoint.com/us/newsroom/news/fancy-lazarus-criminal-group-launches-ddos-extortion-campaign www.secnews.physaphae.fr/article.php?IdArticle=2921287 False None APT 38 None Anomali - Firm Blog Anomali Cyber Watch: Attacks Against Israeli Targets, MacOS Zero-Days, Conti Ransomware Targeting US Healthcare and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. 
Trending Cyber News and Threat Intelligence New Sophisticated Email-based Attack From NOBELIUM (published: May 28, 2021) NOBELIUM, the threat actor behind SolarWinds attacks, has been conducting a widespread email campaign against more than 150 organizations. Using attached HTML files containing JavaScript, the email will write an ISO file to disk; this contains a Cobalt Strike beacon that will activate on completion. Once detonated, the attackers have persistent access to a victims’ system for additional objectives such as data harvesting/exfiltration, monitoring, and lateral movement. Analyst Comment: Be sure to update and monitor email filter rules constantly. As noted in the report, many organizations managed to block these malicious emails; however, some payloads successfully bypassed cloud security due to incorrect/poorly implemented filter rules. MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Spearphishing Attachment - T1193 Tags: Nobelium, SolarWinds, TearDrop, CVE-2021-1879, Government, Military Evolution of JSWorm Ransomware (published: May 25, 2021) JSWorm ransomware was discovered in 2019, and since then different variants have gained notoriety under different names such as Nemty, Nefilim, and Offwhite, among others. It has been used to target multiple industries with the largest concentration in engineering, and others including finance, healthcare, and energy. While the underlying code has been rewritten from C++ to Golang (and back again), along with revolving distribution methods, JSWorm remains a consistent threat. Analyst Comment: Ransomware threats often affect organisations in two ways. First encrypting operational critical documents and data. In these cases EDR solutions will help to block potential Ransomwares and data backup solutions will help for restoring files in case an attack is successful. Secondly, sensitive customer and business files are exfiltrated and leaked online by ransomware gangs. 
DLP solutions will help to identify and block potential data exfiltration attempts. Whereas network segregation and encryption of critical data will play an important role in reducing the risk. MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Private Keys - T1145 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] BITS Jobs - T1197]]> 2021-06-02T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-attacks-against-israeli-targets-macos-zero-days-conti-ransomware-targeting-us-healthcare-and-more www.secnews.physaphae.fr/article.php?IdArticle=2868449 False Ransomware,Malware,Threat,Medical Solardwinds,APT 38,APT 28 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Researchers Link CryptoCore Attacks On Cryptocurrency Exchanges to North Korea ]]> 2021-05-24T10:23:01+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/dvdck4LoGYE/researchers-link-cryptocore-attacks-on.html www.secnews.physaphae.fr/article.php?IdArticle=2832231 False Medical APT 38,APT 28 None Bleeping Computer - Magazine Américain North Korean hackers behind CryptoCore multi-million dollar heists 2021-05-24T10:02:03+00:00 https://www.bleepingcomputer.com/news/security/north-korean-hackers-behind-cryptocore-multi-million-dollar-heists/ www.secnews.physaphae.fr/article.php?IdArticle=2830904 False Threat APT 38 None Anomali - Firm Blog Anomali Cyber Watch:  HabitsRAT Targeting Linux and Windows Servers, Lazarus Group Targetting South Korean Orgs, Multiple Zero-Days and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. 
Trending Cyber News and Threat Intelligence Zero-day Vulnerabilities in SonicWall Email Security Actively Exploited (published: April 21, 2021) US cybersecurity company SonicWall said fixes have been published to resolve three critical issues in its email security solution that are being actively exploited in the wild. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above. Analyst Comment: The patches for these vulnerabilities have been issued and should be applied as soon as possible to avoid potential malicious behaviour. SonicWall’s security notice can be found here https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/. It is important that your company has patch-maintenance policies in place. Once a vulnerability has been publicly reported,, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity. MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083 Tags: CVE-2021-20021, CVE-2021-20023, CVE-2021-20022 Massive Qlocker Ransomware Attack Uses 7zip to Encrypt QNAP Devices (published: April 21, 2021) The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021. All victims are told to pay 0.01 Bitcoins, which is approximately $557.74, to get a password for their archived files. While the files are being locked, the Resource Monitor will display numerous '7z' processes which are the 7zip command-line executable. Analyst Comment: Attackers are using legitimate tools like 7zip to evade detections by traditional antiviruses. 
EDR solutions can help tracking suspicious command line arguments and process creations to potentially detect such attacks. Customers should use backup solutions to be able recover encrypted files. MITRE ATT&CK: [MITRE ATT&CK] Credentials in Files - T1081 Tags: Tor, Qlocker, CVE-2020-2509, CVE-2020-36195 Novel Email-Based Campaign Targets Bloomberg Clients with RATs (published: April 21, 2021) A new e-mail-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg's industry-based services. Attacks start in the form of targeted emails to c]]> 2021-04-27T17:24:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-habitsrat-targeting-linux-and-windows-servers-lazarus-group-targetting-south-korean-orgs-multiple-zero-days-and-more www.secnews.physaphae.fr/article.php?IdArticle=2704270 False Ransomware,Malware,Tool,Vulnerability,Threat,Medical Wannacry,Wannacry,APT 38,APT 28 None Graham Cluley - Blog Security Smashing Security podcast #224: The Lazarus Heist, Facebook faux pas, and no-cost security 2021-04-22T08:30:22+00:00 https://grahamcluley.com/smashing-security-podcast-224/ www.secnews.physaphae.fr/article.php?IdArticle=2677532 False Data Breach APT 38,APT 28 None Security Affairs - Blog Secu North Korea-linked Lazarus APT hides malicious code within BMP image to avoid detection 2021-04-20T16:06:24+00:00 https://securityaffairs.co/wordpress/117035/apt/lazarus-apt-bmp-image.html?utm_source=rss&utm_medium=rss&utm_campaign=lazarus-apt-bmp-image www.secnews.physaphae.fr/article.php?IdArticle=2671574 False None APT 38,APT 28 None ZD Net - Magazine Info Lazarus hacking group now hides payloads in BMP image files 2021-04-20T10:35:48+00:00 https://www.zdnet.com/article/lazarus-state-hacking-group-now-hides-payloads-in-bmp-image-files/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=2670526 False None APT 38 None The Hacker News - The Hacker News est un blog de news 
de hack (surprenant non?) Lazarus APT Hackers are now using BMP images to hide RAT malware ]]> 2021-04-19T22:33:45+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/wHc4_FCN43Y/lazarus-apt-hackers-are-now-using-bmp.html www.secnews.physaphae.fr/article.php?IdArticle=2669656 False Malware,Threat,Medical APT 38 None Security Affairs - Blog Secu Lazarus BTC Changer. Back in action with JS sniffers redesigned to steal crypto 2021-04-16T06:22:51+00:00 https://securityaffairs.co/wordpress/116874/apt/lazarus-btc-changer-js-sniffers.html?utm_source=rss&utm_medium=rss&utm_campaign=lazarus-btc-changer-js-sniffers www.secnews.physaphae.fr/article.php?IdArticle=2651441 False None APT 38,APT 28 None ZD Net - Magazine Info Vyveva: Lazarus hacking group\'s latest weapon strikes South African freight 2021-04-08T09:36:31+00:00 https://www.zdnet.com/article/vyveva-lazarus-latest-weapon-strikes-south-african-freight/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=2603579 False None APT 38,APT 28 None We Live Security - Editeur Logiciel Antivirus ESET (Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor 2021-04-08T09:30:57+00:00 http://feedproxy.google.com/~r/eset/blog/~3/Y8M7oPGFV8k/ www.secnews.physaphae.fr/article.php?IdArticle=2604696 False None APT 38,APT 28 None Bleeping Computer - Magazine Américain North Korean hackers use new Vyveva malware to attack freighters 2021-04-08T09:01:17+00:00 https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-new-vyveva-malware-to-attack-freighters/ www.secnews.physaphae.fr/article.php?IdArticle=2604686 False Malware APT 38,APT 28 None Anomali - Firm Blog Anomali Cyber Watch:  APT, Malware, Vulnerabilities and More. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. 
Trending Cyber News and Threat Intelligence Bogus Android Clubhouse App Drops Credential-Swiping Malware (published: March 19, 2021) Researchers are warning of a fake version of the popular audio chat app Clubhouse, which delivers malware that steals login credentials for more than 450 apps. Clubhouse has burst on the social media scene over the past few months, gaining hype through its audio-chat rooms where participants can discuss anything from politics to relationships. Despite being invite-only, and only being around for a year, the app is closing in on 13 million downloads. The app is only available on Apple's App Store mobile application marketplace - though plans are in the works to develop one. Analyst Comment: Use only the official stores to download apps to your devices. Be wary of what kinds of permissions you grant to applications. Before downloading an app, do some research. MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 Tags: LokiBot, BlackRock, Banking, Android, Clubhouse Trojanized Xcode Project Slips XcodeSpy Malware to Apple Developers (published: March 18, 2021) Researchers from cybersecurity firm SentinelOne have discovered a malicious version of the legitimate iOS TabBarInteraction Xcode project being distributed in a supply-chain attack. The malware, dubbed XcodeSpy, targets Xcode, an integrated development environment (IDE) used in macOS for developing Apple software and applications. The malicious project is a ripped version of TabBarInteraction, a legitimate project that has not been compromised. Malicious Xcode projects are being used to hijack developer systems and spread custom EggShell backdoors. Analyst Comment: Researchers attribute this new targeting of Apple developers to North Korea and Lazarus group: similar TTPs of compromising developer supply chain were discovered in January 2021 when North Korean APT was using a malicious Visual Studio project. 
Moreover, one of the victims of XcodeSpy is a Japanese organization regularly targeted by North Korea. A behavioral detection solution is required to fully detect the presence of XcodeSpy payloads. MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Security Software Discovery - T1063 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 Tags: Lazarus, XcodeSpy, North Korea, EggShell, Xcode, Apple Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware (published: March 18, 2021) Cybereason detected a new campaig]]> 2021-03-23T14:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt-malware-vulnerabilities-and-more www.secnews.physaphae.fr/article.php?IdArticle=2522336 False Ransomware,Malware,Tool,Threat,Patching,Medical APT 38,APT 28 None UnderNews - Site de news "pirate" francais Le groupe APT Lazarus se tourne à présent vers l\'industrie de la défense Le groupe APT Lazarus se tourne à présent vers l'industrie de la défense first appeared on UnderNews.]]> 2021-03-04T13:01:47+00:00 https://www.undernews.fr/malwares-virus-antivirus/le-groupe-apt-lazarus-se-tourne-a-present-vers-lindustrie-de-la-defense.html www.secnews.physaphae.fr/article.php?IdArticle=2433385 False None APT 38,APT 28 None Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe Lazarus Targets Defense Companies with ThreatNeedle Malware 2021-02-26T19:56:39+00:00 https://threatpost.com/lazarus-targets-defense-threatneedle-malware/164321/ www.secnews.physaphae.fr/article.php?IdArticle=2405027 False Malware APT 38 None