www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
2024-06-15T23:38:10+00:00 | www.secnews.physaphae.fr

Bleeping Computer - American magazine | Lazarus hackers target researchers with trojanized IDA Pro | 2021-11-10T12:08:04+00:00 | https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-researchers-with-trojanized-ida-pro/ | www.secnews.physaphae.fr/article.php?IdArticle=3639434 | False | Hack | APT 38,APT 28 | None

SecurityWeek - Security News | North Korean Hackers Targeting IT Supply Chain: Kaspersky | 2021-10-27T16:06:53+00:00 | http://feedproxy.google.com/~r/securityweek/~3/gWK-Sb4KvR4/kaspersky-north-korean-hackers-targeting-it-supply-chain | www.secnews.physaphae.fr/article.php?IdArticle=3573968 | False | None | APT 38,APT 28 | None

InfoSecurity Mag - InfoSecurity Magazine | North Korean Lazarus APT Targets Software Supply Chain | 2021-10-27T09:30:00+00:00 | https://www.infosecurity-magazine.com/news/north-korean-lazarus-software/ | www.secnews.physaphae.fr/article.php?IdArticle=3571769 | False | Threat | APT 38,APT 28 | 4.0000000000000000

Security Affairs - Security blog | North Korea-linked Lazarus APT targets the IT supply chain | 2021-10-27T09:03:08+00:00 | https://securityaffairs.co/wordpress/123831/apt/north-korea-lazarus-supply-chain.html?utm_source=rss&utm_medium=rss&utm_campaign=north-korea-lazarus-supply-chain | www.secnews.physaphae.fr/article.php?IdArticle=3571716 | False | Malware | APT 38,APT 28 | None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) | Latest Report Uncovers Supply Chain Attacks by North Korean Hackers | 2021-10-27T00:14:47+00:00 | http://feedproxy.google.com/~r/TheHackersNews/~3/nYK8fTcVuRM/latest-report-uncovers-supply-chain.html | www.secnews.physaphae.fr/article.php?IdArticle=3571547 | False | Malware,Threat,Medical | APT 38,APT 28 | None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor | Lazarus Attackers Turn to the IT Supply Chain | 2021-10-26T19:30:37+00:00 | https://threatpost.com/lazarus-apt-it-supply-chain/175772/ | www.secnews.physaphae.fr/article.php?IdArticle=3568972 | False | None | APT 38 | None

Bleeping Computer - American magazine | North Korean state hackers start targeting the IT supply chain | 2021-10-26T13:23:54+00:00 | https://www.bleepingcomputer.com/news/security/north-korean-state-hackers-start-targeting-the-it-supply-chain/ | www.secnews.physaphae.fr/article.php?IdArticle=3568293 | False | None | APT 38,APT 28 | None

Wired Threat Level - Security News | This Groundbreaking Simulator Generates a Huge Indoor Ocean | 2021-10-26T11:00:00+00:00 | https://www.wired.com/story/this-groundbreaking-simulator-generates-a-huge-indoor-ocean | www.secnews.physaphae.fr/article.php?IdArticle=3565883 | False | None | APT 32 | None

Wired Threat Level - Security News | A Telegram Bot Told Iranian Hackers When They Got a Hit | 2021-10-14T14:36:04+00:00 | https://www.wired.com/story/apt35-iran-hackers-phishing-telegram-bot | www.secnews.physaphae.fr/article.php?IdArticle=3514384 | False | Conference | APT 35 | None

Anomali - Firm Blog | Anomali Cyber Watch: Aerospace and Telecoms Targeted by Iranian MalKamak Group, Cozy Bear Refocuses on Cyberespionage, Wicked Panda is Traced by Malleable C2 Profiles, and More
  Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
  Trending Cyber News and Threat Intelligence
  Russian Cyberattacks Pose Greater Risk to Governments and Other Insights from Our Annual Report (published: October 7, 2021)
  Approximately 58% of all nation-state attacks observed by Microsoft between July 2020 and June 2021 have been attributed to Russian-sponsored threat groups, specifically to Cozy Bear (APT29, Nobelium), which is associated with the Russian Foreign Intelligence Service (SVR). The United States, Ukraine, and the UK were their top three targets. Russian Advanced Persistent Threat (APT) actors increased their effectiveness from a 21% successful compromise rate to a 32% rate year over year. They achieve this by starting an attack with a supply-chain compromise, using effective tools such as web shells, and improving their skills at targeting cloud environments. Russian APTs are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53%, largely agencies involved in foreign policy, national security, or defense. Following Russia by the number of APT cyberattacks were North Korea (23%), Iran (11%), and China (8%).
  Analyst Comment: As collecting intrusions for potential disruption operations via critical-infrastructure attacks became too risky for Russia, it refocused on gaining access to and harvesting intelligence. The scale and growing effectiveness of this cyberespionage requires a defence-in-depth approach and tools such as Anomali Match that provide real-time forensics capability to identify potential breaches and known actor attributions.
  MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Brute Force - T1110
  Tags: Fancy Bear, APT28, APT29, The Dukes, Strontium, Nobelium, Energetic Bear, Cozy Bear, Government, APT, Russia, SVR, China, North Korea, USA, UK, Ukraine, Iran
  Ransomware in the CIS (published: October 7, 2021)
  Many prominent ransomware groups have members located in Russia and the Commonwealth of Independent States (CIS), and they avoid targeting this region. Still, businesses in the CIS are at risk of being targeted by dozens of lesser-known ransomware groups. Researchers from Kaspersky Labs have published a report detailing nine business-oriented ransomware trojans that were most active in the CIS in the first half of 2021. These ransomware families are BigBobRoss (TheDMR), Cryakl (CryLock), CryptConsole, Crysis (Dharma), Fonix (XINOF), Limbozar (VoidCrypt), Phobos (Eking), Thanos (Hakbit), and XMRLocker. The oldest, Cryakl, has been around since April 2014, and the newest, XMRLocker, was first detected in August 2020. Most of them were mainly distributed via the cracking of Remote Deskto
  2021-10-12T17:41:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-aerospace-and-telecoms-targeted-by-iranian-malkamak-group-cozy-bear-refocuses-on-cyberespionage-wicked-panda-is-traced-by-malleable-c2-profiles-and-more | www.secnews.physaphae.fr/article.php?IdArticle=3505382 | False | Ransomware,Malware,Tool,Threat,Guideline,Prediction | APT 29,APT 29,APT 39,APT 28,APT 41,APT 41 | None

CVE List - Common Vulnerability Exposure | CVE-2021-32172 | 2021-10-07T11:15:07+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32172 | www.secnews.physaphae.fr/article.php?IdArticle=3483153 | False | None | APT 33 | None

Anomali - Firm Blog | Inside TeamTNT's Impressive Arsenal: A Look Into A TeamTNT Server
  Figure 1 - Overview of /cmd/
  Contained on the server, in the /cmd/ directory, are approximately 50 scripts, most of which are already documented. The objectives of the scripts vary and include the following:
  - AWS credential stealer
  - Diamorphine rootkit
  - IP scanners
  - Mountsploit
  - Scripts to set up utilities
  - Scripts to set up miners
  - Scripts to remove previous miners
  Figure 2 - Snippet of AWS Credential Stealer Script
  One notable script is the one that steals AWS EC2 credentials, shown above in Figure 2. The AWS access key, secret key, and token are piped into a text file that is uploaded to the Command and Control (C2) server.
  Figure 3 - Chimaera_Kubernetes_root_PayLoad_2.sh
  Another interesting script, shown in Figure 3 above, checks the architecture of the system and retrieves the XMRig miner version for that architecture from another open TeamTNT server, 85.214.149[.]236.
  Binaries (/bin/)
  Figure 4 - Overview of /bin
  Within the /bin/ folder, shown in Figure 4 above, there is a collection of malicious binaries and utilities that TeamTNT use in their operations.
  Among the files are well-known samples attributed to TeamTNT, including the Tsunami backdoor and an XMRig cryptominer. Some of the tools have their source code located on the server, such as TeamTNT Bot. The folder /a.t.b contains the source code for the TeamTNT bot, shown in Figures 5 and 6 below. In addition, the same binaries have been found on a TeamTNT Docker, noted in Appendix A.
  2021-10-06T19:06:00+00:00 | https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server | www.secnews.physaphae.fr/article.php?IdArticle=3479896 | False | Malware,Tool,Threat | APT 32,Uber | None

Wired Threat Level - Security News | Astronomers Get Ready to Probe Europa's Hidden Ocean for Life | 2021-10-06T12:00:00+00:00 | https://www.wired.com/story/astronomers-get-ready-to-probe-europas-hidden-ocean-for-life | www.secnews.physaphae.fr/article.php?IdArticle=3477254 | False | None | APT 32 | None

CISCO Talos - Cisco Research blog | Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs | 2021-09-23T05:01:25+00:00 | http://feedproxy.google.com/~r/feedburner/Talos/~3/q-HOEjOIE_U/operation-armor-piercer.html | www.secnews.physaphae.fr/article.php?IdArticle=3417081 | False | None | APT 36 | None

TroyHunt - Blog Security | Study confirms superior sound of a Stradivari is due to the varnish | 2021-09-16T23:30:08+00:00 | https://arstechnica.com/?p=1792679 | www.secnews.physaphae.fr/article.php?IdArticle=3381130 | False | Medical | APT 38 | None

CVE List - Common Vulnerability Exposure | CVE-2021-23428 | 2021-09-01T15:15:08+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23428 | www.secnews.physaphae.fr/article.php?IdArticle=3321324 | False | None | APT 33 | None

CVE List - Common Vulnerability Exposure | CVE-2021-23427 | 2021-09-01T15:15:08+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23427 | www.secnews.physaphae.fr/article.php?IdArticle=3321323 | False | None | APT 33 | None

Anomali - Firm Blog | Anomali Cyber Watch: ProxyShell Being Exploited to Install Webshells and Ransomware, Neurevt Trojan Targeting Mexican Users, Secret Terrorist Watchlist Exposed, and More
  Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.
  Trending Cyber News and Threat Intelligence
  Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit (published: August 23, 2021)
  Although patches for a collection of Microsoft Exchange vulnerabilities (ProxyShell) have been available since the July 2021 update, researchers discovered that nearly 2,000 servers still exposed to these vulnerabilities have recently been compromised to host webshells. These webshells allow attackers to retain backdoor access to compromised servers for further exploitation and lateral movement into the affected organizations. Researchers believe that these attacks may be related to the recent LockFile ransomware attacks.
  Analyst Comment: Organizations running Microsoft Exchange are strongly encouraged to prioritize updates to prevent ongoing exploitation of these vulnerabilities. In addition, a thorough investigation to discover and remove planted webshells should be undertaken, as the patches will not remove webshells already planted in their environments. A threat intelligence platform (TIP) such as Anomali ThreatStream can be a valuable tool to help organizations ingest current indicators of compromise (IOCs) and determine whether their Exchange instances have been compromised.
  MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Source - T1153
  Tags: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, Exchange, ProxyShell, backdoor
  LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers (published: August 20, 2021)
  A new ransomware family, named LockFile by Symantec researchers, has been observed on the network of a US financial organization. The first known instance of this ransomware was July 20, 2021, and activity is ongoing. This ransomware has been seen largely targeting organizations in a wide range of industries across the US and Asia. The initial access vector remains unknown at this time, but the ransomware leverages the incompletely patched PetitPotam vulnerability (CVE-2021-36942) in Microsoft's Exchange Server to pivot to Domain Controllers (DCs), which are then leveraged to deploy ransomware tools to devices that connect to the DC. The attackers appear to remain resident on the network for several
  2021-08-24T17:11:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-proxyshell-being-exploited-to-install-webshells-and-ransomware-neurevt-trojan-targeting-mexican-users-secret-terrorist-watchlist-exposed-and-more | www.secnews.physaphae.fr/article.php?IdArticle=3276119 | False | Ransomware,Malware,Tool,Vulnerability,Threat,Patching,Cloud | APT 37 | None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor | InkySquid State Actor Exploiting Known IE Bugs | 2021-08-19T20:19:04+00:00 | https://threatpost.com/inkysquid-exploiting-ie-bugs/168833/ | www.secnews.physaphae.fr/article.php?IdArticle=3256492 | False | None | APT 37 | None

Security Affairs - Security blog | NK-linked InkySquid APT leverages IE exploits in recent attacks | 2021-08-19T06:47:34+00:00 | https://securityaffairs.co/wordpress/121262/apt/inkysquid-apt-ie-exploirs.html?utm_source=rss&utm_medium=rss&utm_campaign=inkysquid-apt-ie-exploirs | www.secnews.physaphae.fr/article.php?IdArticle=3253548 | False | Cloud | APT 37 | None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) | NK Hackers Deploy Browser Exploits on South Korean Sites to Spread Malware | 2021-08-18T01:33:33+00:00 | http://feedproxy.google.com/~r/TheHackersNews/~3/f3Q4pG8_fI8/nk-hackers-deploy-browser-exploit-on.html | www.secnews.physaphae.fr/article.php?IdArticle=3247579 | False | Malware,Threat,Cloud | APT 37 | None

Anomali - Firm Blog | Anomali Cyber Watch: GIGABYTE Hit By RansomEXX Ransomware, Seniors' Data Exposed, FatalRat Analysis, and More
  Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
  Trending Cyber News and Threat Intelligence
  Actively Exploited Bug Bypasses Authentication On Millions Of Routers (published: August 7, 2021)
  Juniper Threat Labs researchers discovered ongoing attacks exploiting the recently discovered vulnerability CVE-2021-20090.
  This is a critical path traversal vulnerability in the web interfaces of routers with Arcadyan firmware that could allow unauthenticated remote attackers to bypass authentication. The total number of devices exposed to attacks likely reaches millions of routers. Researchers identified attacks originating from China that deploy a variant of the Mirai botnet on vulnerable routers.
  Analyst Comment: Attackers have continuous and automated routines to look for publicly accessible vulnerable routers and exploit them as soon as the exploit is made public. To reduce the attack surface, the router management console should only be accessible from specific public IP addresses. Default passwords and other security policies should also be changed to make the devices more secure.
  Tags: CVE-2021-20090, Mirai, China
  Computer Hardware Giant GIGABYTE Hit By RansomEXX Ransomware (published: August 7, 2021)
  The attack occurred late Tuesday night into Wednesday and forced the company to shut down its systems in Taiwan. The incident also affected multiple websites of the company, including its support site and portions of the Taiwanese website. Attackers have threatened to publish 112GB of stolen data, which they claim includes documents under NDA (Non-Disclosure Agreement) from companies including Intel, AMD, and American Megatrends, unless a ransom is paid.
  Analyst Comment: At this point there is no official confirmation from GIGABYTE about the attack. There is also no clarity yet on the potential vulnerabilities or attack vectors used to carry out this attack.
  Tags: RansomEXX, Defray, Ransomware, Taiwan
  Millions of Senior Citizens' Personal Data Exposed By Misconfiguration (published: August 6, 2021)
  Researchers have discovered a misconfigured Amazon S3 bucket owned by the Senior Advisor website, which hosts ratings and reviews for senior care services across the US and Canada. The bucket contained more than one million files and 182 GB of data containing names, emails, and phone numbers of senior citizens from North America. This exposed data was not encrypted and did not require a password or login credentials to access.
  Analyst Comment: Senior citizens are at high risk of online fraud. Leaks of their personal information and context regarding appointments can lead to targeted phishing scams.
  Tags: Data Leak, Phishing, North America, AWS
  2021-08-10T17:39:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-gigabyte-hit-by-ransomexx-ransomware-seniors-data-exposed-fatalrat-analysis-and-more | www.secnews.physaphae.fr/article.php?IdArticle=3205930 | False | Malware,Vulnerability,Threat,Guideline | APT 23,APT 27,APT 41,APT 41,APT 30 | None

SecurityWeek - Security News | Iran-Linked Hackers Expand Arsenal With New Android Backdoor | 2021-08-05T15:48:35+00:00 | http://feedproxy.google.com/~r/securityweek/~3/n6qIj2C2k4g/iran-linked-hackers-expand-arsenal-new-android-backdoor | www.secnews.physaphae.fr/article.php?IdArticle=3178517 | False | Threat,Conference | APT 35,APT 35 | None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor | Black Hat: Charming Kitten Leaves More Paw Prints | 2021-08-05T14:16:03+00:00 | https://threatpost.com/black-hat-charming-kitten-opsec-goofs-training-videos/168394/ | www.secnews.physaphae.fr/article.php?IdArticle=3177922 | False | None | APT 35,APT 35 | None

InfoSecurity Mag - InfoSecurity Magazine | #BHUSA: The 9 Lives of the Charming Kitten Nation-State Attacker | 2021-08-04T22:54:00+00:00 | https://www.infosecurity-magazine.com/news/bhusa-the-9-lives-of-the-charming/ | www.secnews.physaphae.fr/article.php?IdArticle=3175787 | False | None | APT 35,APT 35 | 5.0000000000000000

Security Intelligence - American news site | ITG18: Operational Security Errors Continue to Plague Sizable Iranian Threat Group | 2021-08-04T20:30:00+00:00 | http://feedproxy.google.com/~r/SecurityIntelligence/~3/xUwqxoI5yaA/ | www.secnews.physaphae.fr/article.php?IdArticle=3174405 | False | Threat,Conference | APT 35,APT 35 | None

Security Affairs - Security blog | China-linked APT31 targets Russia for the first time | 2021-08-04T15:25:01+00:00 | https://securityaffairs.co/wordpress/120796/apt/china-linked-apt31-targets-russia-for-the-first-time.html?utm_source=rss&utm_medium=rss&utm_campaign=china-linked-apt31-targets-russia-for-the-first-time | www.secnews.physaphae.fr/article.php?IdArticle=3172502 | False | Malware | APT 31 | None

CVE List - Common Vulnerability Exposure | CVE-2020-24825 | 2021-08-04T15:15:08+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24825 | www.secnews.physaphae.fr/article.php?IdArticle=3172701 | False | Vulnerability | APT 33 | 5.0000000000000000

CVE List - Common Vulnerability Exposure | CVE-2020-24824 | 2021-08-04T15:15:08+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24824 | www.secnews.physaphae.fr/article.php?IdArticle=3172700 | False | None | APT 33 | 5.0000000000000000

CVE List - Common Vulnerability Exposure | CVE-2020-24821 | 2021-08-04T15:15:08+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24821 | www.secnews.physaphae.fr/article.php?IdArticle=3172697 | False | Vulnerability | APT 33 | 4.0000000000000000

CVE List - Common Vulnerability Exposure | CVE-2020-24823 | 2021-08-04T15:15:08+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24823 | www.secnews.physaphae.fr/article.php?IdArticle=3172699 | False | Vulnerability | APT 33 | 5.0000000000000000

CVE List - Common Vulnerability Exposure | CVE-2020-24826 | 2021-08-04T15:15:08+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24826 | www.secnews.physaphae.fr/article.php?IdArticle=3172702 | False | Vulnerability | APT 33 | 5.0000000000000000

CVE List - Common Vulnerability Exposure | CVE-2020-24827 | 2021-08-04T15:15:08+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24827 | www.secnews.physaphae.fr/article.php?IdArticle=3172703 | False | Vulnerability | APT 33 | 2.0000000000000000

SecurityWeek - Security News | Chinese Cyberspy Group APT31 Starts Targeting Russia | 2021-08-04T12:03:07+00:00 | http://feedproxy.google.com/~r/securityweek/~3/7vp2LzKnE0E/chinese-cyberspy-group-apt31-starts-targeting-russia | www.secnews.physaphae.fr/article.php?IdArticle=3171665 | False | Malware | APT 31 | None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) | New Chinese Spyware Being Used in Widespread Cyber Espionage Attacks | 2021-08-04T03:28:13+00:00 | http://feedproxy.google.com/~r/TheHackersNews/~3/SfZ4rX3mo-s/new-chinese-spyware-being-used-in.html | www.secnews.physaphae.fr/article.php?IdArticle=3170833 | False | Threat | APT 31 | None

UnderNews - French "hacker" news site | Cybereason points to Chinese threat actors compromising telecom operators in Southeast Asia (and elsewhere?) | 2021-08-03T14:13:41+00:00 | https://www.undernews.fr/hacking-hacktivisme/cybereason-pointe-les-acteurs-de-la-menace-chinois-qui-compromettent-des-operateurs-telecoms-en-asie-du-sud-est-et-ailleurs.html | www.secnews.physaphae.fr/article.php?IdArticle=3166882 | False | None | APT 31 | None

SecurityWeek - Security News | DeadRinger: A Three-Pronged Attack by Chinese Military Actors against Major Telcos | 2021-08-03T04:00:51+00:00 | http://feedproxy.google.com/~r/securityweek/~3/5y_WhvgvrlA/deadringer-three-pronged-attack-chinese-military-actors-against-major-telcos | www.secnews.physaphae.fr/article.php?IdArticle=3164983 | False | Threat | APT 27,APT 30 | None

UnderNews - French "hacker" news site | APT31 attacks: Kaspersky's reaction | 2021-07-31T10:10:28+00:00 | https://www.undernews.fr/hacking-hacktivisme/attaques-apt31-reaction-de-kaspersky.html | www.secnews.physaphae.fr/article.php?IdArticle=3155066 | False | None | APT 31 | None

UnderNews - French "hacker" news site | TA453 secretly impersonates the University of London to steal personal data that is then collected by the Iranian government | 2021-07-31T09:53:50+00:00 | https://www.undernews.fr/hacking-hacktivisme/ta453-usurpe-secretement-luniversite-de-londres-pour-derober-des-donnees-personnelles-recuperees-ensuite-par-le-gouvernement-iranien.html | www.secnews.physaphae.fr/article.php?IdArticle=3154911 | False | Conference | APT 35,APT 35 | None

Kaspersky - Kaspersky Research blog | APT trends report Q2 2021 | 2021-07-29T10:00:46+00:00 | https://securelist.com/apt-trends-report-q2-2021/103517/ | www.secnews.physaphae.fr/article.php?IdArticle=3147332 | False | Threat | APT 29,APT 31 | None

CVE List - Common Vulnerability Exposure | CVE-2021-23415 | 2021-07-28T16:15:07+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23415 | www.secnews.physaphae.fr/article.php?IdArticle=3145554 | False | None | APT 33 | None

Anomali - Firm Blog | Anomali Cyber Watch: APT31 Targeting French Home Routers, Multiple Microsoft Vulnerabilities, StrongPity Deploys Android Malware, and More
  Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
  Trending Cyber News and Threat Intelligence
  Windows “PetitPotam” Network Attack – How to Protect Against It (published: July 21, 2021)
  Microsoft has released mitigations for a new Windows vulnerability called PetitPotam. Security researcher Gilles Lionel created a proof-of-concept script that abuses Microsoft's MS-EFSRPC (Encrypting File System Remote Protocol) and NT LAN Manager (NTLM) authentication. PetitPotam only works if the following conditions are met: NTLM authentication is enabled on the domain, Active Directory Certificate Services (AD CS) is in use, and Certificate Authority Web Enrollment or Certificate Enrollment Web Service is enabled. Exploitation can result in an NTLM relay attack, which is a type of man-in-the-middle attack.
  Analyst Comment: Microsoft has provided mitigation steps for this attack, which include disabling NTLM on a potentially affected domain, among others.
  Tags: Vulnerability, Microsoft, PetitPotam, Man-in-the-middle
  APT31 Modus Operandi Attack Campaign Targeting France (published: July 21, 2021)
  The French cybersecurity watchdog, ANSSI, issued an alert via the French computer emergency response team (CERT) discussing attacks targeting multiple French entities. The China-sponsored advanced persistent threat (APT) group APT31 (Judgment Panda, Zirconium) has been attributed to this ongoing activity. The group was observed using “a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”
  Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
  MITRE ATT&CK: [MITRE ATT&CK] Resource Hijacking - T1496
  Tags: APT, APT31, Judgment Panda, Zirconium, Home routers
  StrongPity APT Group Deploys Android Malware for the First Time (published: July 21, 2021)
  Trend Micro researchers analyzed a malicious APK sample shared on Twitter by MalwareHunterTeam. The shared sample was described as a trojanized version of an Android app offered on the authentic Syrian E-Gov website, potentially distributed via a watering-hole attack. Researchers pivoted from this information to analyze the backdoor functionality of the trojanized app (which is no longer being distributed on the official Syrian E-Gov website). Additional samples were identified that contact URLs identical to or following previous r
  2021-07-27T15:00:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-apt31-targeting-french-home-routers-multiple-microsoft-vulnerabilities-strongpity-deploys-android-malware-and-more | www.secnews.physaphae.fr/article.php?IdArticle=3140285 | False | Malware,Tool,Vulnerability,Threat | APT 31,Uber | None

SecurityWeek - Security News | China-Linked APT31 Abuses Hacked Routers in Attacks, France Warns | 2021-07-22T12:54:44+00:00 | http://feedproxy.google.com/~r/securityweek/~3/pf76t2WkXFI/china-linked-apt31-abuses-hacked-routers-attacks-france-warns | www.secnews.physaphae.fr/article.php?IdArticle=3111878 | False | Threat | APT 31 | None

Security Affairs - Security blog | France ANSSI agency warns of APT31 campaign against French organizations | 2021-07-21T18:15:54+00:00 | https://securityaffairs.co/wordpress/120392/apt/anssi-warns-apt31-attacks.html?utm_source=rss&utm_medium=rss&utm_campaign=anssi-warns-apt31-attacks | www.secnews.physaphae.fr/article.php?IdArticle=3107411 | False | None | APT 31 | None

Bleeping Computer - American magazine | France warns of APT31 cyberspies targeting French organizations | 2021-07-21T10:13:53+00:00 | https://www.bleepingcomputer.com/news/security/france-warns-of-apt31-cyberspies-targeting-french-organizations/ | www.secnews.physaphae.fr/article.php?IdArticle=3105813 | False | None | APT 31 | None

Anomali - Firm Blog | Anomali Cyber Watch: China Blamed for Microsoft Exchange Attacks, Israeli Cyber Surveillance Companies Help Oppressive Governments, and More
  Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
  Trending Cyber News and Threat Intelligence
  UK and Allies Accuse China of a Pervasive Pattern of Hacking, Breaching Microsoft Exchange Servers (published: July 19, 2021)
  On July 19th, 2021, the US, the UK, and other global allies jointly accused China of a pattern of aggressive malicious cyber activity. First, they confirmed that Chinese state-backed actors (previously identified under the group name Hafnium) were responsible for gaining access to computer networks around the world via Microsoft Exchange servers. The attacks took place in early 2021, affecting over a quarter of a million servers worldwide. Additionally, APT31 (Judgement Panda) and APT40 (Kryptonite Panda) were attributed to the Chinese Ministry of State Security (MSS), the US Department of Justice (DoJ) has indicted four APT40 members, and the Cybersecurity and Infrastructure Security Agency (CISA) shared indicators of compromise from historic APT40 activity.
  Analyst Comment: Network defense-in-depth and adherence to information security best practices can help organizations reduce the risk. Pay special attention to patch and vulnerability management, protecting credentials, and continuing network hygiene and monitoring. When possible, enforce the principle of least privilege and use segmentation and strict access control measures for critical data. Organisations can use Anomali Match to perform real-time forensic analysis for tracking such attacks.
  MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Exploitation of Remote Services - T1210
  Tags: Hafnium, Judgement Panda, APT31, TEMP.Jumper, APT40, Kryptonite Panda, Zirconium, Leviathan, TEMP.Periscope, Microsoft Exchange, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, Government, EU, UK, North America, China
  NSO's Spyware Sold to Authoritarian Regimes Used to Target Activists, Politicians and Journalists (published: July 18, 2021)
  Israeli surveillance company NSO Group supposedly sells spyware to vetted government bodies to fight crime and terrorism. New research discovered NSO's tools being used against non-criminal actors: pro-democracy activists and journalists investigating corruption, political opponents and government critics, diplomats, etc. In some cases, the timeline of this surveillance coincided with journalists' arrests and even murders. The main penetration tool used by NSO is the Pegasus malware, which targets both iPho
  2021-07-20T15:00:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-china-blamed-for-microsoft-exchange-attacks-israeli-cyber-surveillance-companies-help-oppressive-governments-and-more | www.secnews.physaphae.fr/article.php?IdArticle=3100256 | False | Ransomware,Malware,Tool,Vulnerability,Threat,Studies,Guideline,Industrial | APT 31,APT 28,APT 40,APT 41 | None

TroyHunt - Blog Security | Gus Grissom taught NASA a hard lesson: “You can hurt yourself in the ocean” | 2021-07-17T14:25:03+00:00 | https://arstechnica.com/?p=986461 | www.secnews.physaphae.fr/article.php?IdArticle=3085228 | False | None | APT 32 | None

CISCO Talos - Cisco Research blog | Talos Takes Ep: #61: SideCopy sounds so familiar, but I just can't put my finger on it...
]]> 2021-07-16T07:14:51+00:00 http://feedproxy.google.com/~r/feedburner/Talos/~3/6ZshnDVor7s/talos-takes-ep-61-sidecopy-sounds-so.html www.secnews.physaphae.fr/article.php?IdArticle=3078351 False None APT 36 2.0000000000000000 Data Security Breach - Site de news Francais CHARMING KITTEN : des pirates venus d\'Iran 2021-07-14T22:29:21+00:00 https://www.datasecuritybreach.fr/11741-2/ www.secnews.physaphae.fr/article.php?IdArticle=3067772 False None APT 35 None CVE Liste - Common Vulnerability Exposure CVE-2021-23407 2021-07-14T17:15:07+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23407 www.secnews.physaphae.fr/article.php?IdArticle=3065861 False None APT 33 None Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe \'Charming Kitten\' APT Siphons Intel From Mid-East Scholars 2021-07-13T16:44:59+00:00 https://threatpost.com/apt-ta453-siphons-intel-mideast/167715/ www.secnews.physaphae.fr/article.php?IdArticle=3058387 False None APT 35 None Anomali - Firm Blog Anomali Cyber Watch: Global Phishing Campaign, Magecart Data Theft, New APT Group, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Global Phishing Campaign Targets Energy Sector and Its Suppliers (published: July 8, 2021) Researchers at Intezer have identified a year-long global phishing campaign targeting the energy, oil and gas, and electronics industry. The threat actors use spoofed or typosquatting emails to deliver an IMG, ISO or CAB file containing an infostealer, typically FormBook, and Agent Tesla. The emails are made to look as if they are coming from another company in the same sector, with the IMG/ISO/CAB file attached, which when opened contains a malicious executable. Once executed, the malware is loaded into memory, helping to evade detection from anti-virus. 
The campaign appears to be targeting Germany, South Korea, the United States, and the United Arab Emirates (UAE). Analyst Comment: All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments in favor of a cloud file hosting service. MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Process Injection - T1055 Tags: FormBook, AgentTesla, Phishing, Europe, Middle East
SideCopy Cybercriminals Use New Custom Trojans in Attacks Against India's Military (published: July 7, 2021) SideCopy, an advanced persistent threat (APT) group, has expanded its activities, and new trojans are being used in campaigns across India according to Talos Intelligence. This APT group has been active since at least 2019 and appears to focus on targets of value for cyberespionage. SideCopy has also taken cues from Transparent Tribe (also known as PROJECTM, APT36) in how it uses tools and techniques against its targets. These targets include multiple units of the Indian military and government officials. Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Third-party Software - T1072 2021-07-13T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-global-phishing-campaign-magecart-data-theft-new-apt-group-and-more www.secnews.physaphae.fr/article.php?IdArticle=3057627 False Malware,Threat APT 36 None
Wired Threat Level - Security News A Son Is Rescued at Sea. But What Happened to His Mother? 2021-07-13T10:00:00+00:00 https://www.wired.com/story/a-son-is-rescued-at-sea-but-what-happened-to-his-mother www.secnews.physaphae.fr/article.php?IdArticle=3056178 False None APT 32 None
SANS Institute - SANS is a defense and training organization Scanning for Microsoft Secure Socket Tunneling Protocol, (Sat, Jul 10th) 2021-07-10T21:56:51+00:00 https://isc.sans.edu/diary/rss/27622 www.secnews.physaphae.fr/article.php?IdArticle=3047698 False None APT 32 None
Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor Lazarus Targets Job-Seeking Engineers with Malicious Documents 2021-07-09T10:50:37+00:00 https://threatpost.com/lazarus-engineers-malicious-docs/167647/ www.secnews.physaphae.fr/article.php?IdArticle=3041637 False None APT 38 None
Graham Cluley - Blog Security Lazarus gang targets engineers with job offers using poisoned emails 2021-07-08T15:34:48+00:00 https://www.tripwire.com/state-of-security/security-data-protection/lazarus-gang-targets-engineers-with-job-offers-using-poisoned-emails/ www.secnews.physaphae.fr/article.php?IdArticle=3038180 False None APT 38 None
CISCO Talos - Cisco Research blog InSideCopy: How this APT continues to evolve its arsenal 2021-07-07T05:01:04+00:00 http://feedproxy.google.com/~r/feedburner/Talos/~3/7sPQPB7nf_U/sidecopy.html www.secnews.physaphae.fr/article.php?IdArticle=3032498 False None APT 36,APT-C-17 None
AlienVault Blog - AlienVault is a major defense player in IOCs Lazarus campaign TTPs and evolution T1036.003).
Background
Since 2009, the known tools and capabilities believed to have been used by the Lazarus Group include DDoS botnets, keyloggers, remote access tools (RATs), and drive wiper malware. The most publicly documented malware and tools used by the group's actors include Destover, Duuzer, and Hangman.
Analysis
Several documents surfaced by Twitter users between May and June 2021 were identified as being linked to the Lazarus group. Documents observed in previous campaigns lured victims with job opportunities at Boeing and BAE Systems. These new documents include:
Rheinmetall_job_requirements.doc: identified by ESET Research.
General_motors_cars.doc: identified by Twitter user @1nternaut.
Airbus_job_opportunity_confidential.doc: identified by 360CoreSec.
The documents attempted to impersonate new defense contractors and engineering companies like Airbus, General Motors (GM), and Rheinmetall. All of these documents contain macro malware, which has been developed and improved during the course of this campaign and from one target to another. The core techniques of the three malicious documents are the same, but the attackers attempted to reduce potential detections and extend the capabilities of the macros.
First iteration: Rheinmetall
The first two documents, from early May 2021, were related to Rheinmetall, a German engineering company focused on the defense and automotive industries. The second malicious document appears to include more elaborate content, which may have resulted in the documents going unnoticed by victims. The macro contains base64-encoded files, which are extracted and decoded during execution. Some of the files are split inside the macro and are not combined until the time of decoding.
One of the most distinctive characteristics of this macro is how it evades detection of an MZ header encoded in base64 (TVoA, TVpB, TVpQ, TVqA, TVqQ or TVro): it separates the first two characters from the rest of the content, as seen in Figure 1.
Figure 1: Concealing of MZ header, as captured by Alien Labs.
The rest of the content is kept together in lines of 64 characters, and because of this, YARA rules can be used to detect other typical executable content encoded in base64, aside from the MZ header. In this case, up to nine different YARA rules alerted on suspicious encoded strings in our Alien Labs analysis, like VirtualProtect, GetProcAddress, IsDe 2021-07-06T10:00:00+00:00 https://feeds.feedblitz.com/~/656720256/0/alienvault-blogs~Lazarus-campaign-TTPs-and-evolution www.secnews.physaphae.fr/article.php?IdArticle=3027251 False Malware,Threat,Guideline,Medical APT 38,APT 28 None
Anomali - Firm Blog Anomali May Quarterly Product Release: Democratizing Intelligence
Building Custom Dashboard Widgets Based on Threat Model Data
Dashboards in ThreatStream provide a quick, digestible, and timely source of key metrics on threat intelligence indicators. Custom dashboards can be tailored to a given organization’s or user’s requirements. Users can now also build their own dashboard widgets from Threat Model saved searches, in addition to Observable saved searches. Users can also choose to incorporate out-of-the-box widgets or develop their own, based on an advanced saved search (of Observables or Threat Models). This new feature builds upon features we’ve been adding to ThreatStream over recent releases, i.e., the addition of custom widgets and the enablement of Threat Model advanced saved searches.
Industry News Trend Widgets in ThreatStream Dashboard
ThreatStream Dashboards provide key decision-making data in an easy-to-digest visual format for all users of ThreatStream - whether research analyst, team manager or CISO.
With this release, industry trending news on Actors, Malware and Common Vulnerabilities and Exposures (CVEs) is available as graph widgets within the ThreatStream dashboard. Our trending engine is based on data sourced from a huge array of public and private security news feeds, blogs, and other reputable sources. The graphs provide current lists of trending entities, with pertinent information and graphs showing activity over various timelines. Currently, this feature is exclusive to Anomali Lens+ customers.
MITRE ATT&CK Support for Sub-techniques
The MITRE ATT&CK Security Framework is one of the most widely used tools to help organizations un 2021-07-01T10:00:00+00:00 https://www.anomali.com/blog/anomali-may-quarterly-product-release-democratizing-intelligence www.secnews.physaphae.fr/article.php?IdArticle=3006318 False Malware,Threat APT 38 None
Anomali - Firm Blog Anomali Cyber Watch: Microsoft Signs Malicious Netfilter Rootkit, Ransomware Attackers Using VMs, Fertility Clinic Hit With Data Breach and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Microsoft Signed a Malicious Netfilter Rootkit (published: June 25, 2021) Security researchers recently discovered a malicious netfilter driver that is signed by a valid Microsoft signing certificate. The files were initially thought to be a false positive due to the valid signature, but further inspection revealed that the malicious driver called out to a Chinese IP. Further research has analyzed the malware, dropper, and Command and Control (C2) commands. Microsoft is still investigating this incident, but has clarified that it did approve the signing of the driver. Analyst Comment: Malware signed by a trusted source is a threat vector that can be easily missed, as organizations may be tempted not to inspect files from a trusted source.
It is important for organizations to have network monitoring as part of their defenses. Additionally, the signing certificate used was quite old, so review and/or expiration of old certificates could prevent this malware from running. MITRE ATT&CK: [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] Install Root Certificate - T1130 Tags: Netfilter, China
Dell BIOSConnect Flaws Affect 30 Million Devices (published: June 24, 2021) Four vulnerabilities have been identified in the BIOSConnect tool distributed by Dell as part of SupportAssist. The core vulnerability is due to insecure/faulty handling of TLS, specifically accepting any valid wildcard certificate. The flaws in this software affect over 30 million Dell devices across 128 models, and could be used for Remote Code Execution (RCE). Dell has released patches for these vulnerabilities and currently there are no known actors scanning for or exploiting these flaws. Analyst Comment: Any business or customer using Dell hardware should patch these vulnerabilities to prevent malicious actors from being able to exploit them. The good news is that Dell has addressed the issue. Patch management and asset inventories are critical portions of a good defense-in-depth security program.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Peripheral Device Discovery - T1120 Tags: CVE-2021-21571, CVE-2021-21572, CVE-2021-21573, CVE-2021-21574, Dell, BIOSConnect
Malicious Spam Campaigns Delivering Banking Trojans (published: June 24, 2021) Analysis from two mid-March 2021 spam campaigns revealed that th 2021-06-29T16:29:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-microsoft-signs-malicious-netfilter-rootkit-ransomware-attackers-using-vms-fertility-clinic-hit-with-data-breach-and-more www.secnews.physaphae.fr/article.php?IdArticle=2996479 False Ransomware,Data Breach,Spam,Malware,Tool,Vulnerability,Threat,Patching APT 30 None
Security Affairs - Security blog Security Affairs newsletter Round 320 2021-06-27T11:25:36+00:00 https://securityaffairs.co/wordpress/119448/breaking-news/security-affairs-newsletter-round-320.html?utm_source=rss&utm_medium=rss&utm_campaign=security-affairs-newsletter-round-320 www.secnews.physaphae.fr/article.php?IdArticle=2988080 False Hack,Guideline APT 31 None
CyberArk - Software Vendor Cryptomining Cloud Attack: Compromise Sensitive Console Access 2021-06-25T13:00:04+00:00 https://www.cyberark.com/blog/cryptomining-cloud-attack-compromise-sensitive-console-access/ www.secnews.physaphae.fr/article.php?IdArticle=4593680 False None APT 32 None
Anomali - Firm Blog Anomali Cyber Watch: Klingon RAT Holding on for Dear Life, CVS Medical Records Breach, Black Kingdom Ransomware and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Andariel Evolves to Target South Korea with Ransomware (published: June 15, 2021) Researchers at Securelist identified ransomware attacks from Andariel, a sub-group of Lazarus, targeting South Korea.
Attack victims included entities from the manufacturing, home network service, media and construction sectors. These attacks involved malicious Microsoft Word documents containing a macro and used novel techniques to implant a multi-stage payload. The final payload was ransomware custom-made for this specific attack. Analyst Comment: Users should be wary of documents that request macros to be enabled. All employees should be educated on the risk of opening attachments from unknown senders. Anti-spam and antivirus protections should be implemented and kept up to date with the latest version to better ensure security. MITRE ATT&CK: [MITRE ATT&CK] System Network Connections Discovery - T1049 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Lazarus group, Lazarus, Andariel, Hidden Cobra, tasklist, Manuscrypt, Banking And Finance, Malicious documents, Macros
Matanbuchus: Malware-as-a-Service with Demonic Intentions (published: June 15, 2021) In February 2021, BelialDemon advertised a new malware-as-a-service (MaaS) called Matanbuchus Loader and charged an initial rental price of $2,500. Malware loaders are malicious software that typically drop or pull down second-stage malware from command and control (C2) infrastructure. Analyst Comment: Malware as a Service (MaaS) is a relatively new development, which opens the doors of crime to anyone with the money to pay for access. A criminal organization that wants to carry out a malware attack on a target no longer requires in-house technical expertise or infrastructure. Such attacks in most cases share tactics, techniques, and even IOCs. This highlights the importance of intelligence sharing for proactive protection.
MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016 Tags: BelialDemon, Matanbuchus, Belial, WildFire, EU, North America
Black Kingdom ransomware (published: June 17 2021-06-22T18:18:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-klingon-rat-holding-on-for-dear-life-cvs-medical-records-breach-black-kingdom-ransomware-and-more www.secnews.physaphae.fr/article.php?IdArticle=2966761 False Ransomware,Data Breach,Malware,Vulnerability,Threat,Medical APT 38,APT 28 None
Security Affairs - Security blog Norway blames China-linked APT31 for 2018 government hack 2021-06-20T16:36:59+00:00 https://securityaffairs.co/wordpress/119161/apt/norway-blames-china-apt31.html?utm_source=rss&utm_medium=rss&utm_campaign=norway-blames-china-apt31 www.secnews.physaphae.fr/article.php?IdArticle=2956293 False Hack APT 31 None
TroyHunt - Blog Security Two Viking burials, separated by an ocean, contain close kin 2021-06-19T13:00:57+00:00 https://arstechnica.com/?p=1774420 www.secnews.physaphae.fr/article.php?IdArticle=2952689 False None APT 32 None
Wired Threat Level - Security News This Robot Spies on Creatures in the Ocean's 'Twilight Zone' 2021-06-16T18:00:00+00:00 https://www.wired.com/story/a-clever-robot-spies-on-creatures-in-the-oceans-twilight-zone www.secnews.physaphae.fr/article.php?IdArticle=2937551 False None APT 32 None
TroyHunt - Blog Security Mercury is accumulating in deep ocean trenches 2021-06-16T10:15:07+00:00 https://arstechnica.com/?p=1773860 www.secnews.physaphae.fr/article.php?IdArticle=2934453 False None APT 32 None
The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Malware Attack on South Korean Entities Was Work of Andariel Group 2021-06-16T05:25:25+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/Pj15o6lVbTE/malware-attack-on-south-korean-entities.html www.secnews.physaphae.fr/article.php?IdArticle=2935756 False Malware APT 38 None
CVE List - Common Vulnerability Exposure CVE-2021-32682 2021-06-14T17:15:07+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32682 www.secnews.physaphae.fr/article.php?IdArticle=2924787 False None APT 33 3.0000000000000000
CVE List - Common Vulnerability Exposure CVE-2021-23394 2021-06-13T11:15:14+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23394 www.secnews.physaphae.fr/article.php?IdArticle=2919629 False None APT 33 None
ProofPoint - Firm Security Fake Lazarus DDoS Gang Launches New 'Attacks' 2021-06-11T11:34:28+00:00 https://www.proofpoint.com/us/newsroom/news/fake-lazarus-ddos-gang-launches-new-attacks www.secnews.physaphae.fr/article.php?IdArticle=2921284 False None APT 38,APT 28 None
Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor 'Fancy Lazarus' Cyberattackers Ramp up Ransom DDoS Efforts 2021-06-10T21:54:21+00:00 https://threatpost.com/fancy-lazarus-cyberattackers-ransom-ddos/166811/ www.secnews.physaphae.fr/article.php?IdArticle=2905365 False None APT 38 None
UnderNews - French "hacker" news site Fancy Lazarus, the DDoS extortion specialist, makes a big comeback (first appeared on UnderNews) 2021-06-10T12:33:45+00:00 https://www.undernews.fr/hacking-hacktivisme/lacteur-fancy-lazarus-specialiste-des-extorsions-ddos-fait-son-grand-retour.html www.secnews.physaphae.fr/article.php?IdArticle=2902941 False None APT 38,APT 28 None
ProofPoint - Firm Security 'Fancy Lazarus' Criminal Group Launches DDoS Extortion Campaign 2021-06-10T11:18:22+00:00
https://www.proofpoint.com/us/newsroom/news/fancy-lazarus-criminal-group-launches-ddos-extortion-campaign www.secnews.physaphae.fr/article.php?IdArticle=2921287 False None APT 38 None
Anomali - Firm Blog Anomali Cyber Watch: Attacks Against Israeli Targets, MacOS Zero-Days, Conti Ransomware Targeting US Healthcare and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New Sophisticated Email-based Attack From NOBELIUM (published: May 28, 2021) NOBELIUM, the threat actor behind the SolarWinds attacks, has been conducting a widespread email campaign against more than 150 organizations. Using attached HTML files containing JavaScript, the email writes an ISO file to disk; this contains a Cobalt Strike beacon that activates on completion. Once detonated, the attackers have persistent access to a victim’s system for additional objectives such as data harvesting/exfiltration, monitoring, and lateral movement. Analyst Comment: Be sure to update and monitor email filter rules constantly. As noted in the report, many organizations managed to block these malicious emails; however, some payloads successfully bypassed cloud security due to incorrect/poorly implemented filter rules. MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Spearphishing Attachment - T1193 Tags: Nobelium, SolarWinds, TearDrop, CVE-2021-1879, Government, Military
Evolution of JSWorm Ransomware (published: May 25, 2021) JSWorm ransomware was discovered in 2019, and since then different variants have gained notoriety under different names such as Nemty, Nefilim, and Offwhite, among others. It has been used to target multiple industries, with the largest concentration in engineering, and others including finance, healthcare, and energy.
While the underlying code has been rewritten from C++ to Golang (and back again), along with revolving distribution methods, JSWorm remains a consistent threat. Analyst Comment: Ransomware threats often affect organisations in two ways. First, by encrypting operationally critical documents and data; in these cases EDR solutions will help to block potential ransomware, and data backup solutions will help to restore files in case an attack is successful. Secondly, sensitive customer and business files are exfiltrated and leaked online by ransomware gangs; DLP solutions will help to identify and block potential data exfiltration attempts, while network segregation and encryption of critical data will play an important role in reducing the risk. MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Private Keys - T1145 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] BITS Jobs - T1197 2021-06-02T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-attacks-against-israeli-targets-macos-zero-days-conti-ransomware-targeting-us-healthcare-and-more www.secnews.physaphae.fr/article.php?IdArticle=2868449 False Ransomware,Malware,Threat,Medical APT 38,Solardwinds,APT 28 None
CISCO Talos - Cisco Research blog Talos Takes Ep. #55: How Transparent Tribe could evolve in the future 2021-05-28T07:30:24+00:00 http://feedproxy.google.com/~r/feedburner/Talos/~3/yx6ko5zqIhA/talos-takes-ep-55-how-transparent-tribe.html www.secnews.physaphae.fr/article.php?IdArticle=2852396 False None APT 36 None
The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Researchers Link CryptoCore Attacks On Cryptocurrency Exchanges to North Korea 2021-05-24T10:23:01+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/dvdck4LoGYE/researchers-link-cryptocore-attacks-on.html www.secnews.physaphae.fr/article.php?IdArticle=2832231 False Medical APT 38,APT 28 None
Bleeping Computer - American magazine North Korean hackers behind CryptoCore multi-million dollar heists 2021-05-24T10:02:03+00:00 https://www.bleepingcomputer.com/news/security/north-korean-hackers-behind-cryptocore-multi-million-dollar-heists/ www.secnews.physaphae.fr/article.php?IdArticle=2830904 False Threat APT 38 None
Security Affairs - Security blog Security Affairs newsletter Round 315 2021-05-23T12:33:32+00:00 https://securityaffairs.co/wordpress/118186/breaking-news/security-affairs-newsletter-round-315.html?utm_source=rss&utm_medium=rss&utm_campaign=security-affairs-newsletter-round-315 www.secnews.physaphae.fr/article.php?IdArticle=2827928 False Ransomware,Tool APT 36 None
Anomali - Firm Blog Anomali Cyber Watch: Microsoft Azure Vulnerability Discovered, MSBuild Used to Deliver Malware, Escalation of Avaddon Ransomware and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Cross-Browser Tracking Vulnerability Tracks You Via Installed Apps (published: May 14, 2021) A new method of fingerprinting users has been developed that works in any browser. Using URL schemes, certain applications can be launched from the browser. With this knowledge, an attacker can flood a client with multiple URL schemes to determine installed applications and create a fingerprint. Google Chrome has certain protections against this attack, but a workaround exists when using the built-in PDF viewer, which resets a flag used for flood protection. The only known protection against scheme flooding is to use browsers across multiple devices.
Analyst Comment: It is critical that the latest security patches be applied as soon as possible to the web browser used by your company. Vulnerabilities are discovered relatively frequently, and it is paramount to install the security patches because the vulnerabilities are often posted to open sources where any malicious actor could attempt to mimic the techniques that are described. Tags: Scheme Flooding, Vulnerability, Chrome, Firefox, Edge
Threat Actors Use MSBuild to Deliver RATs Filelessly (published: May 13, 2021) Anomali Threat Research has identified a campaign in which threat actors are using MSBuild project files to deliver malware. The project files contain a payload, either Remcos RAT, RedLine, or QuasarRAT, with shellcode used to inject that payload into memory. Using this technique the malware is delivered filelessly, allowing it to evade detection. Analyst Comment: Threat actors are always looking for new ways to evade detection. Users should make use of a runtime protection solution that can detect memory-based attacks.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Trusted Developer Utilities - T1127 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] File and Directory Discovery - T1083 2021-05-18T19:05:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-microsoft-azure-vulnerability-discovered-msbuild-used-to-deliver-malware-esclation-of-avaddon-ransomware-and-more www.secnews.physaphae.fr/article.php?IdArticle=2807407 False Ransomware,Malware,Vulnerability,Threat,Guideline APT 36 None
CVE List - Common Vulnerability Exposure CVE-2021-29053 2021-05-17T11:15:07+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29053 www.secnews.physaphae.fr/article.php?IdArticle=2799393 False None APT 33 None
Security Affairs - Security blog Pakistan-linked Transparent Tribe APT expands its arsenal 2021-05-16T08:39:52+00:00 https://securityaffairs.co/wordpress/117963/apt/transparent-tribe-malware.html?utm_source=rss&utm_medium=rss&utm_campaign=transparent-tribe-malware www.secnews.physaphae.fr/article.php?IdArticle=2794435 False Malware APT 36 None
Wired Threat Level - Security News The Wondrous, Tedious Ocean of Subnautica: Below Zero 2021-05-15T11:00:00+00:00 https://www.wired.com/story/subnautica-below-zero-impressions www.secnews.physaphae.fr/article.php?IdArticle=2791679 False None APT 32 None
TechRepublic - Security News US AI under the sea: Autonomous robot to collect data from new depths 2021-05-14T12:49:59+00:00 https://www.techrepublic.com/article/ai-under-the-sea-autonomous-robot-to-collect-data-from-new-depths/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=2786139 False None APT 32 None
The Hacker News - The Hacker News
is a hacking news blog (surprising, right?) Pakistan-Linked Hackers Added New Windows Malware to Its Arsenal 2021-05-14T05:04:00+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/6_YF2n3KTQg/pakistan-linked-hackers-added-new.html www.secnews.physaphae.fr/article.php?IdArticle=2786036 False Malware APT 36 None
Wired Threat Level - Security News Watch Us Roam Virtual Deep Seas With Real Oceanographers 2021-05-13T19:00:20+00:00 https://www.wired.com/story/subnautica-noaa-whoi-oceanexplorer-stream www.secnews.physaphae.fr/article.php?IdArticle=2781388 False None APT 32 None
CISCO Talos - Cisco Research blog Transparent Tribe APT expands its Windows malware arsenal 2021-05-13T05:09:57+00:00 http://feedproxy.google.com/~r/feedburner/Talos/~3/z_NRqWmErnI/transparent-tribe-infra-and-targeting.html www.secnews.physaphae.fr/article.php?IdArticle=2779664 False Malware APT 36 None
Security Through Education - Security Through Education Ep. 145 – Baking a Human Behavior Cake with Jack Schafer 2021-05-10T06:00:29+00:00 https://www.social-engineer.org/podcast/ep-145-baking-a-human-behavior-cake-with-jack-schafer/?utm_source=rss&utm_medium=rss&utm_campaign=ep-145-baking-a-human-behavior-cake-with-jack-schafer www.secnews.physaphae.fr/article.php?IdArticle=2759817 False Prediction APT 39 None
Wired Threat Level - Security News Sharks Use the Earth's Magnetic Field Like a Compass 2021-05-06T15:00:00+00:00 https://www.wired.com/story/sharks-use-the-earths-magnetic-field-like-a-compass www.secnews.physaphae.fr/article.php?IdArticle=2746490 False None APT 32 None
TroyHunt - Blog Security Four astronauts make first nighttime landing in the ocean since 1968 2021-05-02T09:43:33+00:00 https://arstechnica.com/?p=1761816 www.secnews.physaphae.fr/article.php?IdArticle=2729091 False None APT 32 None
Graham Cluley - Blog Security DigitalOcean admits data breach exposed customers' billing details 2021-04-30T07:30:29+00:00
https://hotforsecurity.bitdefender.com/blog/digitalocean-admits-data-breach-exposed-customers-billing-details-25754.html www.secnews.physaphae.fr/article.php?IdArticle=2720021 False Data Breach APT 32 None
SecurityWeek - Security News DigitalOcean Discloses Breach Involving Billing Information 2021-04-29T14:35:46+00:00 http://feedproxy.google.com/~r/Securityweek/~3/ChohrSXNhAY/digitalocean-discloses-breach-involving-billing-information www.secnews.physaphae.fr/article.php?IdArticle=2714728 False Vulnerability APT 32 None
The Hacker News - The Hacker News is a hacking news blog (surprising, right?) Chinese Hackers Attacking Military Organizations With New Backdoor 2021-04-29T03:19:09+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/RkNn6-LJ5CA/chinese-hackers-attacking-military.html www.secnews.physaphae.fr/article.php?IdArticle=2713697 False Threat APT 30 None
Security Affairs - Security blog Naikon APT group uses new Nebulae backdoor in attacks aimed at military orgs 2021-04-28T19:40:55+00:00 https://securityaffairs.co/wordpress/117321/apt/naikon-apt-nebulae-backdoor.html?utm_source=rss&utm_medium=rss&utm_campaign=naikon-apt-nebulae-backdoor www.secnews.physaphae.fr/article.php?IdArticle=2710429 False None APT 30 None
Bleeping Computer - American magazine DigitalOcean data breach exposes customer billing information 2021-04-28T16:09:13+00:00 https://www.bleepingcomputer.com/news/security/digitalocean-data-breach-exposes-customer-billing-information/ www.secnews.physaphae.fr/article.php?IdArticle=2710746 False Data Breach APT 32 None
Anomali - Firm Blog Anomali Cyber Watch: HabitsRAT Targeting Linux and Windows Servers, Lazarus Group Targeting South Korean Orgs, Multiple Zero-Days and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Zero-day Vulnerabilities in SonicWall Email Security Actively Exploited (published: April 21, 2021) US cybersecurity company SonicWall said fixes have been published to resolve three critical issues in its email security solution that are being actively exploited in the wild. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above. Analyst Comment: The patches for these vulnerabilities have been issued and should be applied as soon as possible to avoid potential malicious behaviour. SonicWall’s security notice can be found here: https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/. It is important that your company has patch-maintenance policies in place. Once a vulnerability has been publicly reported, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity. MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083 Tags: CVE-2021-20021, CVE-2021-20023, CVE-2021-20022
Massive Qlocker Ransomware Attack Uses 7zip to Encrypt QNAP Devices (published: April 21, 2021) The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021. All victims are told to pay 0.01 Bitcoin, which is approximately $557.74, to get a password for their archived files. While the files are being locked, the Resource Monitor will display numerous '7z' processes, which correspond to the 7zip command-line executable. Analyst Comment: Attackers are using legitimate tools like 7zip to evade detection by traditional antivirus products.
EDR solutions can help track suspicious command-line arguments and process creations to detect such attacks. Customers should use backup solutions so that they are able to recover encrypted files.
MITRE ATT&CK: [MITRE ATT&CK] Credentials in Files - T1081
Tags: Tor, Qlocker, CVE-2020-2509, CVE-2020-36195

Novel Email-Based Campaign Targets Bloomberg Clients with RATs (published: April 21, 2021)
A new e-mail-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg's industry-based services. Attacks start in the form of targeted emails to c 2021-04-27T17:24:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-habitsrat-targeting-linux-and-windows-servers-lazarus-group-targetting-south-korean-orgs-multiple-zero-days-and-more www.secnews.physaphae.fr/article.php?IdArticle=2704270 False Ransomware,Malware,Tool,Vulnerability,Threat,Medical APT 38,APT 28,Wannacry,Wannacry None
McAfee Labs - Software Vendor You Don't Have to Give Up Your Crown Jewels in Hopes of Better Cloud Security If you're like me, you love a good heist film. Movies like The Italian Job, Inception, and Ocean's 11 are riveting, but outside of cinema these types of heists don't really happen anymore, right? Think again. In 2019, the Green Vault Museum in Dresden, Germany reported a jewel burglary worthy of its own film.
On […] 2021-04-26T15:00:44+00:00 https://www.mcafee.com/blogs/enterprise/cloud-security/you-dont-have-to-give-up-your-crown-jewels-in-hopes-of-better-cloud-security/ www.secnews.physaphae.fr/article.php?IdArticle=2696702 False None APT 32 5.0000000000000000
DarkTrace - DarkTrace: AI-based detection APT35 'Charming Kitten' discovered in a pre-infected environment 2021-04-23T09:00:00+00:00 https://www.darktrace.com/en/blog/apt-35-charming-kitten-discovered-in-a-pre-infected-environment www.secnews.physaphae.fr/article.php?IdArticle=2682631 False Conference APT 35 None
Graham Cluley - Blog Security Smashing Security podcast #224: The Lazarus Heist, Facebook faux pas, and no-cost security 2021-04-22T08:30:22+00:00 https://grahamcluley.com/smashing-security-podcast-224/ www.secnews.physaphae.fr/article.php?IdArticle=2677532 False Data Breach APT 38,APT 28 None
Security Affairs - Security Blog North Korea-linked Lazarus APT hides malicious code within BMP image to avoid detection 2021-04-20T16:06:24+00:00 https://securityaffairs.co/wordpress/117035/apt/lazarus-apt-bmp-image.html?utm_source=rss&utm_medium=rss&utm_campaign=lazarus-apt-bmp-image www.secnews.physaphae.fr/article.php?IdArticle=2671574 False None APT 38,APT 28 None
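The Qlocker item in the Anomali Cyber Watch entry above points out that the ransomware is just the legitimate 7-Zip binary run many times, and that EDR process-creation telemetry is where it shows. The following is an added example from the editor, not code from Anomali, QNAP or any of the linked reports: it scores 7-Zip process-creation events and raises an alert for a burst of password-protected archive creations from one parent process. The pipe-delimited event layout, the sample events and the idea that the ransomware passes the -p, -mhe=on and -sdel switches are all assumptions made here (those are real 7-Zip switches; their use by Qlocker is not stated on this page).

```python
"""Heuristic detection of Qlocker-style mass archiving with 7-Zip.

Added example by the editor, not code from Anomali or the Qlocker reports.
It runs over constructed process-creation events; the event layout and the
7-Zip switches looked for are assumptions, documented inline.
"""
from __future__ import annotations

import shlex
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed EDR/auditd-style export: "<UTC timestamp>|<pid>|<ppid>|<user>|<exe>|<cmdline>".
# Constructed sample: three near-simultaneous password-protected archivings from one
# parent process (the ransomware pattern), a legitimate backup job, and an extraction.
SAMPLE_EVENTS = """\
2021-04-19T22:10:01Z|4101|3990|admin|/usr/bin/7z|7z a -mhe=on -p9F2kLq8x /share/Public/docs.7z /share/Public/docs -sdel
2021-04-19T22:10:02Z|4102|3990|admin|/usr/bin/7z|7z a -mhe=on -p9F2kLq8x /share/Public/photos.7z /share/Public/photos -sdel
2021-04-19T22:10:03Z|4103|3990|admin|/usr/bin/7z|7z a -mhe=on -p9F2kLq8x /share/Multimedia/2019.7z /share/Multimedia/2019 -sdel
2021-04-19T23:05:00Z|5200|5100|backup|/usr/bin/7z|7z a -mx=5 /share/backup/weekly.7z /share/Public
2021-04-19T23:06:10Z|5300|5100|admin|/usr/bin/7z|7z x /share/Public/download.7z -o/share/Public/extracted
"""

ARCHIVER_NAMES = {"7z", "7za", "7zr", "7z.exe", "7za.exe"}


@dataclass
class ProcEvent:
    ts: datetime
    pid: int
    ppid: int
    user: str
    exe: str
    argv: list[str]


@dataclass
class Finding:
    event: ProcEvent
    score: int = 0
    reasons: list[str] = field(default_factory=list)
    password: str | None = None  # value of -p: it is the archive password, so keep it in the alert


def parse_event(line: str) -> ProcEvent:
    ts, pid, ppid, user, exe, cmdline = line.rstrip("\n").split("|", 5)
    return ProcEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     int(pid), int(ppid), user, exe, shlex.split(cmdline))


def classify_archiver(ev: ProcEvent) -> Finding | None:
    """Score one process creation; None if it is not a 7-Zip archive creation worth noting."""
    image = ev.exe.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image not in ARCHIVER_NAMES:
        return None
    args = ev.argv[1:]
    if not args or args[0] != "a":      # 'a' = add/create archive; 'x' (extract) and 'l' (list) are benign here
        return None
    f = Finding(ev)
    for a in args:
        if a.startswith("-p"):          # -p<password>: password-protected archive (assumed Qlocker switch)
            f.password = a[2:]
            f.score += 3
            f.reasons.append("password-protected archive (-p)")
        elif a.lower() == "-mhe=on":    # encrypted headers: file names hidden as well (assumed)
            f.score += 1
            f.reasons.append("encrypted archive headers (-mhe=on)")
        elif a == "-sdel":              # delete sources after archiving: this is the 'lock' (assumed)
            f.score += 3
            f.reasons.append("source files deleted after archiving (-sdel)")
    return f if f.score else None


def detect(lines, burst_threshold: int = 3, window: timedelta = timedelta(seconds=60),
           alert_score: int = 5) -> list[Finding]:
    """Return findings at or above alert_score. Password-protected archivings from the
    same parent process and user within `window` get a burst bonus, which is what
    turns 'numerous 7z processes' into a single high-confidence alert."""
    findings: list[Finding] = []
    for line in lines:
        if line.strip():
            f = classify_archiver(parse_event(line))
            if f is not None:
                findings.append(f)
    groups: dict[tuple[int, str], list[Finding]] = defaultdict(list)
    for f in findings:
        if f.password is not None:
            groups[(f.event.ppid, f.event.user)].append(f)
    for members in groups.values():
        for f in members:
            near = sum(1 for g in members if abs(g.event.ts - f.event.ts) <= window)
            if near >= burst_threshold:
                f.score += 2
                f.reasons.append(f"{near} password-protected archivings from ppid {f.event.ppid} within {window}")
    return [f for f in findings if f.score >= alert_score]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS.splitlines()):
        print(f"{f.event.ts:%H:%M:%S} pid={f.event.pid} user={f.event.user} score={f.score} password={f.password!r}")
        for r in f.reasons:
            print("   -", r)
```

On the constructed sample the three events from ppid 3990 alert (score 9 each) while the backup job and the extraction do not. The -p value is deliberately carried into the finding rather than redacted: since 7-Zip takes the archive password on the command line, a process-creation log that captured it holds exactly what the victim needs to open the archives, so the alert pipeline should preserve it and protect the log, not scrub it.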
