www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of articles from multiple sources. The list of sources can be found on www.secnews.physaphae.fr.
2025-05-11T02:38:41+00:00

[Anomali - Firm Blog] Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More
  Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
  Trending Cyber News and Threat Intelligence
  SharpTongue Deploys Clever Mail-Stealing Browser Extension "SHARPEXT" (published: July 28, 2022). Volexity researchers discovered SharpExt, a new malicious browser app used by the North Korea-sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the app; the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter used almost exclusively in South Korea. Following the initial compromise, Velvet Chollima deploys SharpExt and, to avoid alerting the victim, manually exfiltrates settings files in order to change the settings and generate a valid "super_mac" security check value. They also hide the newly opened DevTools window and any other warning windows, such as the warning about extensions running in developer mode.
  Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it concentrated on stealing credentials rather than emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match).
  MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Hide Artifacts - T1564
  Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension
  Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits (published: July 27, 2022). Microsoft researchers detail the activity of DSIRF, an Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF was exploiting another Adobe Reader vulnerability, CVE-2022-22047, which was patched in July 2022. DSIRF attacks rely on their malware toolset called Subzero. The initial downloader shellcode is executed from either the exploit chains or malicious Excel documents. It downloads a JPG image file with extra encrypted data, then extracts, decrypts and loads into memory the Corelump memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se […]
  2022-08-02T15:17:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-velvet-chollima-steals-emails-from-browsers-austrian-mercenary-leverages-zero-days-china-sponsored-group-uses-cosmicstrand-uefi-firmware-rootkit-and-more | www.secnews.physaphae.fr/article.php?IdArticle=6091651 | False Malware,Tool,Vulnerability,Threat,Patching,Guideline,Cloud APT 37,APT 28 None

[The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)] U.S. Offers $10 Million Reward for Information on North Korean Hackers
  2022-07-27T23:09:54+00:00 | https://thehackernews.com/2022/07/us-offers-10-million-reward-for.html | www.secnews.physaphae.fr/article.php?IdArticle=5985577 | False Medical APT 38 None

[CISCO Talos - Cisco Research blog] Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products
  By Francesco Benvenuto. Recently, I was performing some research on a wireless router and noticed the following piece of code:
  2022-07-27T12:22:17+00:00 | http://blog.talosintelligence.com/2022/07/vulnerability-spotlight-how-code-re-use.html | www.secnews.physaphae.fr/article.php?IdArticle=5973224 | False Vulnerability,Guideline,Medical APT 38,APT 19 None

[ComputerWeekly - Computer Magazine] US doubles bounty on Lazarus cyber crime group to $10m
  2022-07-27T08:40:00+00:00 | https://www.computerweekly.com/news/252523213/US-doubles-bounty-on-Lazarus-cyber-crime-group-to-10m | www.secnews.physaphae.fr/article.php?IdArticle=5969687 | False None APT 38 None

[Security Affairs - Security blog] Is APT28 behind the STIFF#BIZON attacks attributed to North Korea-linked APT37?
  North Korea-linked APT37 group targets high-value organizations in the Czech Republic, Poland, and other countries. Researchers from the Securonix Threat Research (STR) team have uncovered a new attack campaign, tracked as STIFF#BIZON, targeting high-value organizations in multiple countries, including the Czech Republic and Poland. The researchers attribute this campaign to the North Korea-linked APT37 group, aka […]
  2022-07-24T13:53:53+00:00 | https://securityaffairs.co/wordpress/133605/apt/apt37-stiffbizon-campaign.html | www.secnews.physaphae.fr/article.php?IdArticle=5923023 | False Threat,Cloud APT 37,APT 28 None

[Bleeping Computer - American magazine] North Korean hackers attack EU targets with Konni RAT malware
  2022-07-23T12:08:04+00:00 | https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/ | www.secnews.physaphae.fr/article.php?IdArticle=5907099 | False Malware,Threat,Cloud APT 37 None

[SecurityWeek - Security News] Belgium Says Chinese APTs Targeted Interior, Defense Ministries
  2022-07-20T08:37:31+00:00 | https://www.securityweek.com/belgium-says-chinese-apts-targeted-interior-defense-ministries | www.secnews.physaphae.fr/article.php?IdArticle=5828610 | False None APT 30,APT 27,APT 31 None

[The Hacker News] Pakistani Hackers Targeting Indian Students in Latest Malware Campaign
  2022-07-14T01:15:16+00:00 | https://thehackernews.com/2022/07/pakistani-hackers-targeting-indian.html | www.secnews.physaphae.fr/article.php?IdArticle=5716161 | False Malware,Threat APT 36 None

[CISCO Talos] Transparent Tribe begins targeting education sector in latest campaign
  2022-07-13T16:08:15+00:00 | http://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html | www.secnews.physaphae.fr/article.php?IdArticle=5706785 | False None APT 36 None

[Security Affairs] Apple Lockdown Mode will protect users against highly targeted cyberattacks
  Apple plans to introduce a security feature, called Lockdown Mode, to protect its users against "highly targeted cyberattacks." The recent wave of sophisticated attacks against Apple users (i.e. Pegasus, DevilsTongue, and Hermit) urged the tech giant to develop a new security feature, called Lockdown Mode, to protect its users against highly targeted cyberattacks. The new feature will be implemented in iOS 16, iPadOS […]
  2022-07-09T16:53:07+00:00 | https://securityaffairs.co/wordpress/133065/mobile-2/apple-lockdown-mode.html | www.secnews.physaphae.fr/article.php?IdArticle=5631802 | False Cloud APT 37 None

[InfoSecurity Mag - InfoSecurity Magazine] Spear Phishing Fake Job Offer Likely Behind Axie Infinity's Lazarus $600m Hack
  2022-07-08T16:00:00+00:00 | https://www.infosecurity-magazine.com/news/fake-job-offer-behind-axie/ | www.secnews.physaphae.fr/article.php?IdArticle=5613385 | False Hack APT 38 None

[Fortinet ThreatSignal - Hardware vendor] North Korean State-Sponsored Threat Actors Deploying "MAUI" Ransomware
  2022-07-07T08:14:35+00:00 | https://fortiguard.fortinet.com/threat-signal-report/4663 | www.secnews.physaphae.fr/article.php?IdArticle=5595940 | False Ransomware,Threat,Patching,Medical Wannacry,Wannacry,APT 38 None

[01net. News - Security - French magazine] North Korean hackers, prime suspects in a huge cryptocurrency theft
  The equivalent of 100 million dollars was stolen last week on the Harmony blockchain. The first findings of the investigation point the finger at the Lazarus group. The article "North Korean hackers, prime suspects in a huge cryptocurrency theft" can be found on 01net.com.
  2022-07-01T13:47:47+00:00 | https://www.01net.com/actualites/les-hackers-nord-coreens-principaux-suspects-dans-un-enorme-vol-de-cryptomonnaies.html | www.secnews.physaphae.fr/article.php?IdArticle=5492369 | False None APT 38 None

[Security Affairs] Experts blame North Korea-linked Lazarus APT for the Harmony hack
  The North Korea-linked Lazarus APT group is suspected to be behind the recent hack of the Harmony Horizon Bridge. Recently, threat actors stole $100 million in cryptocurrency from the blockchain company Harmony. The company reported the incident to the authorities; the FBI is investigating the cyber heist with the help of several cybersecurity firms. Harmony's […]
  2022-06-30T17:58:47+00:00 | https://securityaffairs.co/wordpress/132759/hacking/harmony-hack-lazarus-apt.html | www.secnews.physaphae.fr/article.php?IdArticle=5473880 | False Hack,Threat APT 38 None

[SecurityWeek] North Korea Lazarus Hackers Blamed for $100 Million Horizon Bridge Heist
  2022-06-30T17:27:16+00:00 | https://www.securityweek.com/north-korea-lazarus-hackers-blamed-100-million-horizon-bridge-heist | www.secnews.physaphae.fr/article.php?IdArticle=5474531 | False Hack APT 38 None

[InfoSecurity Mag] North Korea's Lazarus Group Suspected of $100m Harmony Hack
  2022-06-30T16:00:00+00:00 | https://www.infosecurity-magazine.com/news/lazarus-suspected-harmony-hack/ | www.secnews.physaphae.fr/article.php?IdArticle=5472677 | False Hack APT 38 None

[IT Security Guru - Security blog] North Korea-Backed Hacking Collective Lazarus Group Suspected to be Behind Recent Harmony Bridge Attack
  2022-06-30T10:40:51+00:00 | https://www.itsecurityguru.org/2022/06/30/north-korea-backed-hacking-collective-lazarus-group-suspected-to-be-behind-recent-harmony-bridge-attack/?utm_source=rss&utm_medium=rss&utm_campaign=north-korea-backed-hacking-collective-lazarus-group-suspected-to-be-behind-recent-harmony-bridge-attack | www.secnews.physaphae.fr/article.php?IdArticle=5469045 | True Medical APT 38 4.0000000000000000

[The Hacker News] North Korean Hackers Suspected to be Behind $100M Horizon Bridge Hack
  2022-06-29T23:01:41+00:00 | https://thehackernews.com/2022/06/north-korean-hackers-suspected-to-be.html | www.secnews.physaphae.fr/article.php?IdArticle=5465954 | False Hack,Medical APT 38 None

[Malwarebytes Labs - MalwarebytesLabs] Hermit spyware is deployed with the help of a victim's ISP
  2022-06-29T10:03:54+00:00 | https://blog.malwarebytes.com/reports/2022/06/hermit-spyware-is-deployed-with-the-help-of-a-victims-isp/ | www.secnews.physaphae.fr/article.php?IdArticle=5448875 | False Cloud APT 37 None

[SecureMac - Security focused on MAC] What is iOS Hermit spyware?
  iOS Hermit spyware is a commercial-grade surveillance tool derived from a known Android surveillance tool. Learn more + how to stay safe.
  2022-06-24T15:00:00+00:00 | https://www.securemac.com/news/what-is-ios-hermit-spyware | www.secnews.physaphae.fr/article.php?IdArticle=5360897 | False Tool,Cloud APT 37 None

[ZD Net - IT magazine] Google details commercial spyware that targets both Android and iOS devices
  2022-06-24T12:37:15+00:00 | https://www.zdnet.com/article/google-details-commercial-spyware-that-targets-both-android-and-ios-devices/#ftag=RSSbaffb68 | www.secnews.physaphae.fr/article.php?IdArticle=5360803 | False Cloud APT 37 None

[The Hacker News] Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware
  2022-06-24T03:40:50+00:00 | https://thehackernews.com/2022/06/google-says-isps-helped-attackers.html | www.secnews.physaphae.fr/article.php?IdArticle=5358737 | False Malware,Cloud APT 37 None

[Anomali - Firm Blog] Anomali Cyber Watch: GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool, DragonForce Malaysia OpsPatuk / OpsIndia and More
  Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
  Trending Cyber News and Threat Intelligence
  Update: The Phish Goes On - 5 Million Stolen Credentials and Counting (published: June 16, 2022). PIXM researchers describe an ongoing, large-scale Facebook phishing campaign. Its primary targets are Facebook Messenger mobile users, and an estimated five million users lost their login credentials. The campaign evades Facebook anti-phishing protection by redirecting to a new page at a legitimate service such as amaze.co, famous.co, funnel-preview.com, or glitch.me. In June 2022, the campaign also employed the tactic of displaying legitimate shopping cart content on the final page for about two seconds before displaying the phishing content. The campaign is attributed to the Colombian actor BenderCrack (Hackerasueldo), who monetizes it by displaying affiliate ads.
  Analyst Comment: Users should check which domain is asking for login credentials before providing them. Organizations can consider monitoring their employees' use of Facebook as a Single Sign-On (SSO) provider.
  MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204
  Tags: Facebook, Phishing, Facebook Messenger, Social networks, Mobile, Android, iOS, Redirect, Colombia, source-country:CO, BenderCrack, Hackerasueldo
  F5 Labs Investigates MaliBot (published: June 15, 2022). F5 Labs researchers describe a novel Android trojan, dubbed MaliBot. Based on rewritten SOVA malware code, MaliBot maintains its background service by setting itself as a launcher. Its code has some unused evasion portions for emulation environment detection and for setting the malware as a hidden app. MaliBot spreads via smishing, takes control of the device and monetizes it using overlays for certain Italian and Spanish banks, stealing cryptocurrency, and sometimes sending premium SMS to paid services.
  Analyst Comment: Users should be wary of following links in unexpected SMS messages. Try to avoid downloading apps from third-party websites. Be cautious when enabling accessibility options.
  MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] User Execution - T1204
  Tags: MaliBot, Android, MFA bypass, SMS theft, Premium SMS, Smishing, Binance, Trust wallet, VNC, SOVA, Sality, Cryptocurrency, Financial, Italy, target-country:IT, Spain, target-country:ES
  Extortion Gang Ransoms Shoprite, Largest Supermarket Chain in Africa (published: June 15, 2022). On June 10, 2022, Africa's largest supermarket chain, Shoprite Holdings, operating in twelve countries, announced a possible cybersecurity incident. The company notified customers in E […]
  2022-06-21T15:03:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-gallium-expands-targeting-across-telecommunications-government-and-finance-sectors-with-new-pingpull-tool-dragonforce-malaysia-opspatuk-opsindia-and-more | www.secnews.physaphae.fr/article.php?IdArticle=5309464 | False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Conference Yahoo,APT 35 None

[IT Security Guru] Lookout Discovers Android Spyware Deployed in Kazakhstan
  2022-06-21T08:58:07+00:00 | https://www.itsecurityguru.org/2022/06/21/lookout-discovers-android-spyware-deployed-in-kazakhstan/?utm_source=rss&utm_medium=rss&utm_campaign=lookout-discovers-android-spyware-deployed-in-kazakhstan | www.secnews.physaphae.fr/article.php?IdArticle=5306195 | False Cloud APT 37 None

[CVE List - Common Vulnerabilities and Exposures] CVE-2021-25104
  2022-06-20T11:15:08+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25104 | www.secnews.physaphae.fr/article.php?IdArticle=5298078 | False Guideline APT 32 None

[Security Affairs] Experts link Hermit spyware to Italian surveillance firm RCS Lab and a front company
  Experts uncovered enterprise-grade surveillance malware dubbed Hermit, used to target individuals in Kazakhstan, Syria, and Italy since 2019. Lookout Threat Lab researchers uncovered enterprise-grade Android surveillance spyware, named Hermit, used by the government of Kazakhstan to track individuals within the country. The latest samples of this spyware were detected by the researchers in April 2022, four […]
  2022-06-17T20:00:33+00:00 | https://securityaffairs.co/wordpress/132363/malware/hermit-spyware-italian-surveillance-firm.html | www.secnews.physaphae.fr/article.php?IdArticle=5226610 | False Malware,Threat,Cloud APT 37 None

[The Hacker News] Researchers Uncover 'Hermit' Android Spyware Used in Kazakhstan, Syria, and Italy
  2022-06-17T06:12:54+00:00 | https://thehackernews.com/2022/06/researchers-uncover-hermit-android.html | www.secnews.physaphae.fr/article.php?IdArticle=5220711 | False Cloud APT 37 None

[Dark Reading - Informationweek Branch] Android Spyware 'Hermit' Discovered in Targeted Attacks
  2022-06-16T19:09:44+00:00 | https://www.darkreading.com/mobile/android-spyware-hermit-discovered-in-targeted-attacks | www.secnews.physaphae.fr/article.php?IdArticle=5197725 | False None APT 37 None

[Global Security Mag - French news site] Lookout discovers Android spyware deployed in Kazakhstan
  Category: Malwares
  2022-06-16T12:45:37+00:00 | http://www.globalsecuritymag.fr/Lookout-decouvre-un-logiciel,20220616,126738.html | www.secnews.physaphae.fr/article.php?IdArticle=5189830 | False Cloud APT 37 None

[SecurityWeek] Sophisticated Android Spyware 'Hermit' Used by Governments
  2022-06-16T11:55:20+00:00 | https://www.securityweek.com/sophisticated-android-spyware-hermit-used-governments | www.secnews.physaphae.fr/article.php?IdArticle=5189385 | False None APT 37 None

[IT Security Guru] New Iranian Spear-Phishing Campaign Hijacks Email Conversations
  2022-06-15T10:41:47+00:00 | https://www.itsecurityguru.org/2022/06/15/new-iranian-spear-phishing-campaign-hijacks-email-conversations/?utm_source=rss&utm_medium=rss&utm_campaign=new-iranian-spear-phishing-campaign-hijacks-email-conversations | www.secnews.physaphae.fr/article.php?IdArticle=5163528 | False Conference APT 35 None

[SANS Institute - SANS is a defense and training organization] Translating Saitama's DNS tunneling messages, (Mon, Jun 13th)
  MITRE ATT&CK T1071). Spotted and documented by MalwareBytes in two articles posted last month (How the Saitama backdoor uses DNS tunneling and APT34 targets Jordan Government using new Saitama backdoor), Saitama was used in a phishing e-mail targeted at a government official from Jordan's foreign ministry in an attack attributed to the Iranian group APT34.
  2022-06-13T15:00:45+00:00 | https://isc.sans.edu/diary/rss/28738 | www.secnews.physaphae.fr/article.php?IdArticle=5133656 | True None APT 34 None

[Graham Cluley - Blog Security] Smashing Security podcast #278: Tim Hortons, avoiding sanctions, and good faith security research
  2022-06-09T18:21:34+00:00 | https://grahamcluley.com/smashing-security-podcast-278/ | www.secnews.physaphae.fr/article.php?IdArticle=5060803 | False Ransomware APT 38 None

[Checkpoint - Security hardware manufacturer] Privilege Escalation in Azure: Keep your enemies close, and your permissions closer
  By Omer Shmuelly, Security Researcher, Cloud Security, published June 8, 2022. As more and more organizations migrate their infrastructure to the cloud, a unified cloud security tool, such as Check Point's CloudGuard, becomes essential. In an ocean of standards and regulations, managing your cloud security posture (CSPM) can be a challenging task. While some…
  2022-06-08T11:00:49+00:00 | https://blog.checkpoint.com/2022/06/08/privilege-escalation-in-azure-keep-your-enemies-close-and-your-permissions-closer/ | www.secnews.physaphae.fr/article.php?IdArticle=5038869 | False None APT 32 None

[Kaspersky - Kaspersky Research blog] IT threat evolution Q1 2022
  2022-05-27T08:00:43+00:00 | https://securelist.com/it-threat-evolution-q1-2022/106513/ | www.secnews.physaphae.fr/article.php?IdArticle=4834229 | False Hack,Threat APT 38 3.0000000000000000

[Malwarebytes Labs] How the Saitama backdoor uses DNS tunnelling
  A walkthrough of one of the stealthy communication techniques employed in a recent attack using APT34's Saitama backdoor.
  2022-05-25T12:46:33+00:00 | https://blog.malwarebytes.com/threat-intelligence/2022/05/how-the-saitama-backdoor-uses-dns-tunnelling/ | www.secnews.physaphae.fr/article.php?IdArticle=4802470 | False None APT 34 None

[Security Affairs] North Korea-linked Lazarus APT uses Log4J to target VMware servers
  The North Korea-linked Lazarus APT is exploiting the Log4J remote code execution (RCE) vulnerability in attacks aimed at VMware Horizon servers. The North Korea-linked group Lazarus is exploiting the Log4J RCE vulnerability (CVE-2021-44228) to compromise VMware Horizon servers. Multiple threat actors have been exploiting this flaw since January; in January VMware urged customers to patch critical Log4j security vulnerabilities impacting Internet-exposed […]
  2022-05-22T15:48:25+00:00 | https://securityaffairs.co/wordpress/131483/apt/lazarus-apt-log4j-vmware-servers.html | www.secnews.physaphae.fr/article.php?IdArticle=4758896 | False Vulnerability,Threat APT 38 None

[The Hacker News] Hackers Exploiting VMware Horizon to Target South Korea with NukeSped Backdoor
  2022-05-20T02:23:24+00:00 | https://thehackernews.com/2022/05/hackers-exploiting-vmware-horizon-to.html | www.secnews.physaphae.fr/article.php?IdArticle=4711794 | False Vulnerability,Medical APT 38 None

[Bleeping Computer] Lazarus hackers target VMware servers with Log4Shell exploits
  2022-05-19T11:24:04+00:00 | https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-vmware-servers-with-log4shell-exploits/ | www.secnews.physaphae.fr/article.php?IdArticle=4707701 | False Vulnerability APT 38 None

[CVE List] CVE-2022-30954
  2022-05-17T15:15:09+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30954 | www.secnews.physaphae.fr/article.php?IdArticle=4670394 | False None APT 32 5.0000000000000000

[CVE List] CVE-2022-30953
  2022-05-17T15:15:09+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30953 | www.secnews.physaphae.fr/article.php?IdArticle=4670393 | False Vulnerability APT 32 4.0000000000000000

[CVE List] CVE-2022-30952
  2022-05-17T15:15:09+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30952 | www.secnews.physaphae.fr/article.php?IdArticle=4670392 | False None APT 32 2.0000000000000000

[Anomali - Firm Blog] Anomali Cyber Watch: Costa Rica in Ransomware Emergency, Charming Kitten Spy and Ransom, Saitama Backdoor Hides by Sleeping, and More
  Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
  Trending Cyber News and Threat Intelligence
  COBALT MIRAGE Conducts Ransomware Operations in U.S. (published: May 12, 2022). Secureworks researchers describe campaigns by the Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity's systems and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries, including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and on commodity tools for encryption, internal scanning, and lateral movement.
  Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your systems updated, and employ mitigation strategies when updates for critical vulnerabilities are not available.
  MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
  Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, Powershell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591
  SYK Crypter Distributing Malware Families Via Discord (published: May 12, 2022). Morphisec researchers discovered a new campaign abusing the content distribution network (CDN) of the popular messaging platform Discord. If a targeted user activates the phishing attachment, it starts the DNetLoader malware, which reaches out to the hardcoded Discord CDN link and downloads a next-stage crypter such as the newly discovered SYK crypter. The SYK crypter is loaded into memory, where it decrypts its configuration and the next-stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions and checks for d […]
  2022-05-17T15:01:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-costa-rica-in-ransomware-emergency-charming-kitten-spy-and-ransom-saitama-backdoor-hides-by-sleeping-and-more | www.secnews.physaphae.fr/article.php?IdArticle=4668209 | False Ransomware,Malware,Tool,Vulnerability,Threat,Conference APT 35,APT 15,APT 34 None

[knowbe4 - cybersecurity services] Spear Phishing a Diplomat
  Researchers at Fortinet observed a spear phishing attack that targeted a Jordanian diplomat late last month. The researchers attribute this attack to the Iranian state-sponsored threat actor APT34 (also known as OilRig or Helix Kitten). The body of the phishing email isn't particularly detailed, but the attackers put a significant amount of effort into impersonating an employee at the targeted individual's organization.
  2022-05-17T13:30:09+00:00 | https://blog.knowbe4.com/spear-phishing-a-diplomat | www.secnews.physaphae.fr/article.php?IdArticle=4667538 | False Threat APT 34 None

[CSO - CSO Daily Dashboard] BrandPost: DDoS Extortion Takes VoIP Providers Offline
  NETSCOUT's 2H 2021 Threat Report. Why target VoIP providers? The short answer is financial gain. Attackers know that bringing down VoIP providers that service a large number of customers causes a lot of pain and is therefore ripe for extortion. Cyber attackers launched three worldwide distributed denial-of-service (DDoS) extortion attack campaigns in 2021 – a startling new achievement carried out by a REvil copycat, Lazarus Bear Armada (LBA), and Fancy Lazarus. But threat actors did more than simply increase such global attacks.
  2022-05-17T08:44:00+00:00 | https://www.csoonline.com/article/3660514/ddos-extortion-takes-voip-providers-offline.html#tk.rss_all | www.secnews.physaphae.fr/article.php?IdArticle=4668820 | False Threat APT 38 None

[SecurityWeek] Iran-Linked OilRig APT Caught Using New Backdoor
  2022-05-13T15:51:38+00:00 | https://www.securityweek.com/iran-linked-oilrig-apt-caught-using-new-backdoor | www.secnews.physaphae.fr/article.php?IdArticle=4591823 | False None APT 34 None

[SecurityWeek] devOcean Emerges From Stealth With Cloud-Native Security Operations Platform
  2022-05-13T13:26:53+00:00 | https://www.securityweek.com/devocean-emerges-stealth-cloud-native-security-operations-platform | www.secnews.physaphae.fr/article.php?IdArticle=4590972 | False None APT 32 None

[The Hacker News] New Saitama backdoor Targeted Official from Jordan's Foreign Ministry
  2022-05-13T02:32:11+00:00 | https://thehackernews.com/2022/05/new-saitama-backdoor-targeted-official.html | www.secnews.physaphae.fr/article.php?IdArticle=4589850 | False Threat APT 34 2.0000000000000000

[Bleeping Computer] Iranian hackers exposed in a highly targeted espionage campaign
  2022-05-12T17:30:15+00:00 | https://www.bleepingcomputer.com/news/security/iranian-hackers-exposed-in-a-highly-targeted-espionage-campaign/ | www.secnews.physaphae.fr/article.php?IdArticle=4593838 | False Threat APT 34 None

[SecurityWeek] Iranian Cyberspy Group Launching Ransomware Attacks Against US
  2022-05-12T13:18:29+00:00 | https://www.securityweek.com/iranian-cyberspy-group-launching-ransomware-attacks-against-us | www.secnews.physaphae.fr/article.php?IdArticle=4584033 | False Ransomware,Threat,Conference APT 35,APT 35 3.0000000000000000

[The Hacker News] Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks
  2022-05-12T06:56:45+00:00 | https://thehackernews.com/2022/05/iranian-hackers-leveraging-bitlocker.html | www.secnews.physaphae.fr/article.php?IdArticle=4583977 | False Ransomware,Malware,Threat,Conference APT 35,APT 15 4.0000000000000000

[Malwarebytes Labs] APT34 targets Jordan Government using new Saitama backdoor
  2022-05-10T20:49:30+00:00 | https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/ | www.secnews.physaphae.fr/article.php?IdArticle=4594055 | False None APT 34 None

[Security Affairs] US gov sanctions cryptocurrency mixer Blender also used by North Korea-linked Lazarus APT
  2022-05-07T10:45:56+00:00 | https://securityaffairs.co/wordpress/131015/cyber-crime/us-gov-sanctioned-blender-mixer.html | www.secnews.physaphae.fr/article.php?IdArticle=4560160 | False None APT 38,APT 28 3.0000000000000000

[The Hacker News] U.S. Sanctions Cryptocurrency Mixer Blender for Helping North Korea Launder Millions
  2022-05-06T21:23:05+00:00 | https://thehackernews.com/2022/05/us-sanctions-cryptocurrency-mixer.html | www.secnews.physaphae.fr/article.php?IdArticle=4559230 | False Hack,Medical APT 38,APT 28 3.0000000000000000

[Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor] VHD Ransomware Linked to North Korea's Lazarus Group
  2022-05-05T12:20:10+00:00 | https://threatpost.com/vhd-ransomware-lazarus-group/179507/ | www.secnews.physaphae.fr/article.php?IdArticle=4548365 | False Ransomware,Medical APT 38,APT 28 None

[Security Affairs] Experts linked multiple ransomware strains to North Korea-backed APT38 group
  2022-05-04T12:39:23+00:00 | https://securityaffairs.co/wordpress/130892/apt/ransomware-strains-linked-to-nk-apt38.html | www.secnews.physaphae.fr/article.php?IdArticle=4542648 | False Ransomware,Medical APT 38 None

[Anomali - Firm Blog] Anomali Cyber Watch: Time-to-Ransom Under Four Hours, Mustang Panda Spies on Russia, Ricochet Chollima Sends Goldbackdoor to Journalists, and More
  Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
  Trending Cyber News and Threat Intelligence
  A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity (published: April 28, 2022). ESET researchers found three different teams under the China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019. Infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog's infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs).
  Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
  MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Inter-Process Communication - T1559 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Process Injection - T1055 | […]
  2022-05-03T16:31:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-time-to-ransom-under-four-hours-mustang-panda-spies-on-russia-ricochet-chollima-sends-goldbackdoor-to-journalists-and-more | www.secnews.physaphae.fr/article.php?IdArticle=4538825 | False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Cloud APT 37,APT 10,APT 10 None

[The Hacker News] Chinese "Override Panda" Hackers Resurface With New Espionage Attacks
  2022-05-02T06:39:38+00:00 | https://thehackernews.com/2022/05/chinese-override-panda-hackers.html | www.secnews.physaphae.fr/article.php?IdArticle=4532702 | False None APT 30 None

[CVE List] CVE-2022-29412
  2022-04-28T17:15:39+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29412 | www.secnews.physaphae.fr/article.php?IdArticle=4518540 | False Cloud APT 37 None

[CVE List] CVE-2022-29411
  2022-04-28T17:15:39+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29411 | www.secnews.physaphae.fr/article.php?IdArticle=4518539 | False Vulnerability,Cloud APT 37 None

[CVE List] CVE-2022-29413
  2022-04-28T17:15:39+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29413 | www.secnews.physaphae.fr/article.php?IdArticle=4518541 | False Guideline,Cloud APT 37 None

[CVE List] CVE-2022-29410
  2022-04-28T17:15:38+00:00 | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29410 | www.secnews.physaphae.fr/article.php?IdArticle=4518538 | False Vulnerability,Cloud APT 37 None

[Security Affairs] Iran-linked APT Rocket Kitten exploited VMware bug in recent attacks
  2022-04-26T18:00:59+00:00 | https://securityaffairs.co/wordpress/130630/apt/iran-apt-exploiting-vmware-rce.html | www.secnews.physaphae.fr/article.php?IdArticle=4509287 | False Vulnerability APT 35 None

[Anomali - Firm Blog] Anomali Cyber Watch: Gamaredon Delivers Four Pterodos At Once, Known-Plaintext Attack on Yanlouwang Encryption, North-Korea Targets Blockchain Industry, and More
  Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems (published: April 25, 2022) Cybereason researchers have compared trending attacks involving SocGholish and Zloader malware. Both infection chains begin with social engineering and malicious downloads masquerading as legitimate software, and both lead to data theft and possible ransomware installation. SocGholish attacks rely on drive-by downloads followed by user execution of purported browser installer or browser update. The SocGholish JavaScript payload is obfuscated using random variable names and string manipulation. The attacker domain names are written in reverse order with the individual string characters being put at the odd index positions. Zloader infection starts by masquerading as a popular application such as TeamViewer. Zloader acts as information stealer, backdoor, and downloader. Active since 2016, Zloader actively evolves and has acquired detection evasion capabilities, such as excluding its processes from Windows Defender and using living-off-the-land (LotL) executables. Analyst Comment: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors. 
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets - T1558 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | ]]> 2022-04-26T16:24:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-gamaredon-delivers-four-pterodos-at-once-known-plaintext-attack-on-yanlouwang-encryption-north-korea-targets-blockchain-industry-and-more www.secnews.physaphae.fr/article.php?IdArticle=4508976 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Medical Uber,APT 38,APT 28 None Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe Nation-state Hackers Target Journalists with Goldbackdoor Malware 2022-04-26T11:38:17+00:00 https://threatpost.com/hackers-target-journalists-goldbackdoor/179389/ www.secnews.physaphae.fr/article.php?IdArticle=4507846 False Malware,Cloud APT 37 None IT Security Guru - Blog Sécurité North Korea targets journalists with novel malware 2022-04-26T10:13:51+00:00 https://www.itsecurityguru.org/2022/04/26/north-korea-targets-journalists-with-novel-malware/?utm_source=rss&utm_medium=rss&utm_campaign=north-korea-targets-journalists-with-novel-malware www.secnews.physaphae.fr/article.php?IdArticle=4507806 False Malware,Cloud APT 37 None Security Affairs - Blog Secu North Korea-linked APT37 targets journalists with GOLDBACKDOOR 2022-04-26T08:25:03+00:00 https://securityaffairs.co/wordpress/130606/apt/apt37-targets-journalists-goldbackdoor.html 
www.secnews.physaphae.fr/article.php?IdArticle=4507417 False Cloud APT 37 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) North Korean Hackers Target Journalists with GOLDBACKDOOR Malware 2022-04-26T02:53:07+00:00 https://thehackernews.com/2022/04/north-korean-hackers-target-journalists.html www.secnews.physaphae.fr/article.php?IdArticle=4507625 False Malware,Threat,Cloud APT 37 None InfoSecurity Mag - InfoSecurity Magazine US Government: North Korean Threat Actors Are Targeting Cryptocurrency Organizations 2022-04-20T15:30:00+00:00 https://www.infosecurity-magazine.com/news/us-government-north-korea/ www.secnews.physaphae.fr/article.php?IdArticle=4482351 False Threat APT 38,APT 28 None knowbe4 - cybersecurity services TraderTraitor: When States do Social Engineering TraderTraitor: When States do Social Engineering North Korea's Lazarus Group is using social engineering attacks to target users of cryptocurrency, according to a joint advisory from the US FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the US Treasury Department.]]> 2022-04-20T12:49:57+00:00 https://blog.knowbe4.com/tradertraitor-when-states-do-social-engineering www.secnews.physaphae.fr/article.php?IdArticle=4481014 False Medical APT 38,APT 28 None InformationSecurityBuzzNews - Site de News Securite Joint Cybersecurity Advisory Warns Of Blockchain Hackers Targeting Developers And DevOps teams 2022-04-20T09:29:58+00:00 https://informationsecuritybuzz.com/expert-comments/joint-cybersecurity-advisory-warns-of-blockchain-hackers-targeting-developers-and-devops-teams/ www.secnews.physaphae.fr/article.php?IdArticle=4480148 False None APT 38,APT 28 3.0000000000000000 Anomali - Firm Blog Anomali Cyber Watch: RaidForums Seized, Sandworm Attacks Ukrainian Power Stations, North Korea Steals Chemical Secrets, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. 
Trending Cyber News and Threat Intelligence Lazarus Targets Chemical Sector (published: April 14, 2022) In January 2022, Symantec researchers discovered a new wave of Operation Dream Job. This operation, attributed to the North Korea-sponsored group Lazarus, utilizes fake job offers via professional social media and email communications. With the new wave of attacks, Operation Dream Job switched from targeting the defense, government, and engineering sectors to targeting South Korean organizations operating within the chemical sector. A targeted user executes an HTM file sent via a link. The HTM file is copied to a DLL file to be injected into the legitimate system management software. It downloads and executes the final backdoor: a trojanized version of the Tukaani project LZMA Utils library (XZ Utils) with a malicious export added (AppMgmt). After the initial access, the attackers gain persistence via scheduled tasks, move laterally, and collect credentials and sensitive information. Analyst Comment: Organizations should train their users to recognize social engineering attacks including those posing as “dream job” proposals. Organizations facing cyberespionage threats should implement a defense-in-depth approach: layering of security mechanisms, redundancy, fail-safe defense processes. MITRE ATT&CK: [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555 Tags: Lazarus, Operation Dream Job, North Korea, source-country:KP, South Korea, target-country:KR, APT, HTM, CPL, Chemical sector, Espionage, Supply chain, IT sector Old Gremlins, New Methods (published: April 14, 2022) Group-IB researchers have released their analysis of threat actor OldGremlin’s new March 2022 campaign. 
OldGremlin favored phishing as an initial infection vector, crafting intricate phishing emails that target Russian industries. The threat actors utilized the current war between Russia and Ukraine to add a sense of legitimacy to their emails, with claims that users needed to click a link to register for a new credit card, as current ones would be rendered useless by incoming sanctions. The link leads users to a malicious Microsoft Office document stored within Dropbox. When macros are enabled, the threat actor’s new, custom backdoor, TinyFluff, a new version of their old TinyNode]]> 2022-04-19T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-raidforums-seized-sandworm-attacks-ukrainian-power-stations-north-korea-steals-chemical-secrets-and-more www.secnews.physaphae.fr/article.php?IdArticle=4477972 False Ransomware,Spam,Malware,Vulnerability,Threat,Guideline,Medical APT 38,APT 28 None IT Security Guru - Blog Sécurité Blockchain companies warned of North Korean hackers 2022-04-19T10:41:45+00:00 https://www.itsecurityguru.org/2022/04/19/blockchain-companies-warned-of-north-korean-hackers/?utm_source=rss&utm_medium=rss&utm_campaign=blockchain-companies-warned-of-north-korean-hackers www.secnews.physaphae.fr/article.php?IdArticle=4476983 True Threat,Medical APT 38,APT 28 None SecurityWeek - Security News US: Hackers Continue Aiding North Korea Generate Funds via Cryptocurrency Attacks 2022-04-19T10:12:54+00:00 https://www.securityweek.com/us-hackers-continue-aiding-north-korea-generate-funds-cryptocurrency-attacks www.secnews.physaphae.fr/article.php?IdArticle=4476944 False None APT 38,APT 28 None InfoSecurity Mag - InfoSecurity Magazine Ronin Crypto Heist of $618m Traced to North Korea 2022-04-19T09:00:00+00:00 https://www.infosecurity-magazine.com/news/ronin-crypto-heist-618m-north-korea/ www.secnews.physaphae.fr/article.php?IdArticle=4476653 False Medical APT 38,APT 28 None The Hacker News - The Hacker News est un blog de news de hack (surprenant 
non?) FBI, U.S. Treasury and CISA Warn of North Korean Hackers Targeting Blockchain Companies 2022-04-19T00:02:44+00:00 https://thehackernews.com/2022/04/fbi-us-treasury-and-cisa-warns-of-north.html www.secnews.physaphae.fr/article.php?IdArticle=4476391 False Threat,Medical APT 38,APT 28 None Security Affairs - Blog Secu Security Affairs newsletter Round 361 by Pierluigi Paganini 2022-04-17T09:53:35+00:00 https://securityaffairs.co/wordpress/130275/breaking-news/security-affairs-newsletter-round-361-by-pierluigi-paganini.html www.secnews.physaphae.fr/article.php?IdArticle=4467412 False None APT 38,APT 28 None Security Affairs - Blog Secu U.S. Gov believes North Korea-linked Lazarus APT is behind Ronin Validator cyber heist 2022-04-16T20:30:51+00:00 https://securityaffairs.co/wordpress/130260/apt/lazarus-ronin-validator-cyber-heist.html www.secnews.physaphae.fr/article.php?IdArticle=4466227 False None APT 38,APT 28 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Lazarus Group Behind $540 Million Axie Infinity Crypto Hack and Attacks on Chemical Sector 2022-04-16T01:31:45+00:00 https://thehackernews.com/2022/04/lazarus-hackers-behind-540-million-axie.html www.secnews.physaphae.fr/article.php?IdArticle=4463512 False Hack,Threat,Medical APT 38,APT 28 None SecurityWeek - Security News North Korea APT Lazarus Targeting Chemical Sector 2022-04-15T14:24:33+00:00 https://www.securityweek.com/north-korea-apt-lazarus-targeting-chemical-sector www.secnews.physaphae.fr/article.php?IdArticle=4457124 False None APT 38,APT 28 None SecurityWeek - Security News U.S. 
Gov Blames North Korea Hackers for $600M Cryptocurrency Heist 2022-04-14T20:07:22+00:00 https://www.securityweek.com/us-gov-blames-north-korea-hackers-600m-cryptocurrency-heist www.secnews.physaphae.fr/article.php?IdArticle=4451205 False Medical APT 38,APT 28 None CVE Liste - Common Vulnerability Exposure CVE-2022-27115 2022-04-11T15:15:09+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27115 www.secnews.physaphae.fr/article.php?IdArticle=4430135 False Vulnerability APT 33 None CVE Liste - Common Vulnerability Exposure CVE-2021-43421 2022-04-07T17:15:08+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43421 www.secnews.physaphae.fr/article.php?IdArticle=4413221 False Vulnerability APT 33 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-0403 2022-04-04T16:15:09+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0403 www.secnews.physaphae.fr/article.php?IdArticle=4395076 False None APT 33 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) North Korean Hackers Distributing Trojanized DeFi Wallet Apps to Steal Victims\' Crypto 2022-04-01T03:37:45+00:00 https://thehackernews.com/2022/04/north-korean-hackers-distributing.html www.secnews.physaphae.fr/article.php?IdArticle=4377812 False Medical APT 38 None Kaspersky - Kaspersky Research blog Lazarus Trojanized DeFi app for delivering malware 2022-03-31T12:00:23+00:00 https://securelist.com/lazarus-trojanized-defi-app/106195/ www.secnews.physaphae.fr/article.php?IdArticle=4373277 False Malware APT 38 None ZD Net - Magazine Info Transparent Tribe APT returns to strike India\'s government and military 2022-03-29T12:00:00+00:00 https://www.zdnet.com/article/transparent-tribe-apt-returns-to-strike-indias-government-and-military/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=4359426 False Malware APT 36 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
New Hacking Campaign by Transparent Tribe Hackers Targeting Indian Officials 2022-03-29T05:42:02+00:00 https://thehackernews.com/2022/03/new-hacking-campaign-by-transparent.html www.secnews.physaphae.fr/article.php?IdArticle=4359355 False Threat APT 36 None CISCO Talos - Cisco Research blog Transparent Tribe campaign uses new bespoke malware to target Indian government officials 2022-03-29T05:02:08+00:00 http://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html www.secnews.physaphae.fr/article.php?IdArticle=4359198 False Malware APT 36 None Mandiant - Blog Sécu de Mandiant Pas si Lazarus: cartographie des groupes de cyber-menaces de la RPDC pour les organisations gouvernementales<br>Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations Mandiant believes that North Korea\'s cyber capability supports both long-standing and immediate political and national security priorities, as well as financial goals. We assess most of North Korea\'s cyber operations, including espionage, destructive operations, and financial crimes, are primarily conducted by elements within the Reconnaissance General Bureau. Meanwhile, the Ministry of State Security and United Front Department\'s missions appear to play limited roles in North Korea\'s cyber program. Open-source reporting often uses the Lazarus Group title as an umbrella term referring to]]> 2022-03-23T09:00:00+00:00 https://www.mandiant.com/resources/blog/mapping-dprk-groups-to-government www.secnews.physaphae.fr/article.php?IdArticle=8377489 False Threat APT 38 4.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-26960 2022-03-21T17:15:07+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26960 www.secnews.physaphae.fr/article.php?IdArticle=4319544 False None APT 33 None Security Affairs - Blog Secu Google blocked China-linked APT31\'s attacks targeting U.S. 
Government 2022-03-09T21:09:28+00:00 https://securityaffairs.co/wordpress/128861/apt/google-blocked-apt31-attacks.html?utm_source=rss&utm_medium=rss&utm_campaign=google-blocked-apt31-attacks www.secnews.physaphae.fr/article.php?IdArticle=4251239 True None APT 31 None CVE Liste - Common Vulnerability Exposure CVE-2021-44663 2022-02-24T19:15:09+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44663 www.secnews.physaphae.fr/article.php?IdArticle=4179316 False Vulnerability APT 33 None SecurityWeek - Security News Enterprise IoT Security Firm Phosphorus Raises $38 Million 2022-02-22T15:18:36+00:00 https://www.securityweek.com/enterprise-iot-security-firm-phosphorus-raises-38-million www.secnews.physaphae.fr/article.php?IdArticle=4166870 False Patching,Conference APT 35,APT 35 None knowbe4 - cybersecurity services Phishing Campaign Targets NFT Speculators phishing-campaign-targets-nft-speculators Scams follow fashion because money follows fashion. So it's no surprise that non-fungible tokens (NFTs), which have become a hot speculative property, have drawn scam artists for phishing campaigns. They're not so much interested in the NFTs themselves as they are in the speculators' cash. 
OceanSea, a leading NFT marketplace, has responded to panicky tweets from users to reassure them that it's on top of rumors of “an exploit” connected to the smart contracts traders use.]]> 2022-02-21T19:50:06+00:00 https://blog.knowbe4.com/phishing-campaign-targets-nft-speculators www.secnews.physaphae.fr/article.php?IdArticle=4162600 False Guideline APT 32 None Security Affairs - Blog Secu Iran-linked TunnelVision APT is actively exploiting the Log4j vulnerability 2022-02-18T15:21:14+00:00 https://securityaffairs.co/wordpress/128159/apt/tunnelvision-exploits-log4j-vulnerability.html?utm_source=rss&utm_medium=rss&utm_campaign=tunnelvision-exploits-log4j-vulnerability www.secnews.physaphae.fr/article.php?IdArticle=4144680 False Ransomware,Vulnerability,Conference APT 35 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware 2022-02-17T23:40:44+00:00 https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html www.secnews.physaphae.fr/article.php?IdArticle=4143060 False Ransomware,Conference APT 35 None Anomali - Firm Blog Anomali Cyber Watch: Mobile Malware Is On The Rise, APT Groups Are Working Together, Ransomware For The Individual, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence What’s With The Shared VBA Code Between Transparent Tribe And Other Threat Actors? (published: February 9, 2022) A recent discovery has been made that links malicious VBA macro code between multiple groups, namely: Transparent Tribe, Donot Team, SideCopy, Operation Hangover, and SideWinder. These groups operate (or operated) out of South Asia and use a variety of techniques with phishing emails and maldocs to target government and military entities within India and Pakistan. 
The code is similar enough that it suggests cooperation between APT groups, despite having completely different goals/targets. Analyst Comment: This research shows that APT groups are sharing TTPs to assist each other, regardless of motive or target. Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel. MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Phishing - T1566 Tags: Transparent Tribe, Donot, SideWinder, Asia, Military, Government Fake Windows 11 Upgrade Installers Infect You With RedLine Malware (published: February 9, 2022) Due to the recent announcement of Windows 11 upgrade availability, an unknown threat actor has registered a domain to trick users into downloading an installer that contains RedLine malware. The site, "windows-upgraded[.]com", is a direct copy of a legitimate Microsoft upgrade portal. Clicking the 'Upgrade Now' button downloads a 734MB ZIP file which contains an excess of dead code; more than likely this is to increase the filesize for bypassing any antivirus scan. RedLine is a well-known infostealer, capable of taking screenshots, using C2 communications, keylogging and more. Analyst Comment: Any official Windows update or installation files will be downloaded through the operating system directly. If offline updates are necessary, only go through Microsoft sites and subdomains. Never update Windows from a third-party site due to this type of attack. 
MITRE ATT&CK: [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 Tags: RedLine, Windows 11, Infostealer ]]> 2022-02-15T20:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-mobile-malware-is-on-the-rise-apt-groups-are-working-together-ransomware-for-the-individual-and-more www.secnews.physaphae.fr/article.php?IdArticle=4134740 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline Uber,APT 43,APT 36,APT-C-17 None IT Security Guru - Blog Sécurité Cryptocurrency organisations hit with fake job offers 2022-02-09T10:57:38+00:00 https://www.itsecurityguru.org/2022/02/09/cryptocurrency-organisations-hit-with-fake-job-offers/?utm_source=rss&utm_medium=rss&utm_campaign=cryptocurrency-organisations-hit-with-fake-job-offers www.secnews.physaphae.fr/article.php?IdArticle=4098829 False Threat,Medical APT 38,APT 28 2.0000000000000000 ZD Net - Magazine Info Lazarus hackers target defense industry with fake Lockheed Martin job offers 2022-02-09T09:31:42+00:00 https://www.zdnet.com/article/lazarus-hackers-target-defense-industry-with-fake-lockheed-martin-job-offers/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=4098817 False None APT 38 None