www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It's a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
2025-05-11T02:52:33+00:00 www.secnews.physaphae.fr

Bleeping Computer - American magazine
France warns of APT31 cyberspies targeting French organizations
2021-07-21T10:13:53+00:00 https://www.bleepingcomputer.com/news/security/france-warns-of-apt31-cyberspies-targeting-french-organizations/ www.secnews.physaphae.fr/article.php?IdArticle=3105813 False None APT 31 None

Anomali - Firm Blog
Anomali Cyber Watch: China Blamed for Microsoft Exchange Attacks, Israeli Cyber Surveillance Companies Help Oppressive Governments, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
UK and Allies Accuse China of a Pervasive Pattern of Hacking, Breaching Microsoft Exchange Servers (published: July 19, 2021)
On July 19th, 2021, the US, the UK, and other global allies jointly accused China of a pattern of aggressive malicious cyber activity. First, they confirmed that Chinese state-backed actors (previously identified under the group name Hafnium) were responsible for gaining access to computer networks around the world via Microsoft Exchange servers. The attacks took place in early 2021, affecting over a quarter of a million servers worldwide. Additionally, APT31 (Judgement Panda) and APT40 (Kryptonite Panda) were attributed to the Chinese Ministry of State Security (MSS). The US Department of Justice (DoJ) has indicted four APT40 members, and the Cybersecurity and Infrastructure Security Agency (CISA) shared indicators of compromise of the historic APT40 activity.
Analyst Comment: Network defense-in-depth and adherence to information security best practices can assist organizations in reducing the risk.
Pay special attention to patch and vulnerability management, protecting credentials, and continuing network hygiene and monitoring. When possible, enforce the principle of least privilege, and use segmentation and strict access control measures for critical data. Organisations can use Anomali Match to perform real-time forensic analysis for tracking such attacks.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Exploitation of Remote Services - T1210
Tags: Hafnium, Judgement Panda, APT31, TEMP.Jumper, APT40, Kryptonite Panda, Zirconium, Leviathan, TEMP.Periscope, Microsoft Exchange, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, Government, EU, UK, North America, China
NSO's Spyware Sold to Authoritarian Regimes Used to Target Activists, Politicians and Journalists (published: July 18, 2021)
Israeli surveillance company NSO Group supposedly sells spyware to vetted government bodies to fight crime and terrorism. New research discovered NSO's tools being used against non-criminal actors: pro-democracy activists and journalists investigating corruption, political opponents and government critics, diplomats, etc. In some cases, the timeline of this surveillance coincided with journalists' arrests and even murders.
The main penetration tool used by NSO is the Pegasus malware, which targets both iPho
2021-07-20T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-china-blamed-for-microsoft-exchange-attacks-israeli-cyber-surveillance-companies-help-oppressive-governments-and-more www.secnews.physaphae.fr/article.php?IdArticle=3100256 False Ransomware,Malware,Tool,Vulnerability,Threat,Studies,Guideline,Industrial APT 41,APT 40,APT 28,APT 31 None

TroyHunt - Blog Security
Gus Grissom taught NASA a hard lesson: “You can hurt yourself in the ocean”
2021-07-17T14:25:03+00:00 https://arstechnica.com/?p=986461 www.secnews.physaphae.fr/article.php?IdArticle=3085228 False None APT 32 None

CISCO Talos - Cisco Research blog
Talos Takes Ep: #61: SideCopy sounds so familiar, but I just can't put my finger on it...
2021-07-16T07:14:51+00:00 http://feedproxy.google.com/~r/feedburner/Talos/~3/6ZshnDVor7s/talos-takes-ep-61-sidecopy-sounds-so.html www.secnews.physaphae.fr/article.php?IdArticle=3078351 False None APT 36 2.0000000000000000

Data Security Breach - French news site
CHARMING KITTEN: hackers from Iran
2021-07-14T22:29:21+00:00 https://www.datasecuritybreach.fr/11741-2/ www.secnews.physaphae.fr/article.php?IdArticle=3067772 False None APT 35 None

CVE List - Common Vulnerability Exposure
CVE-2021-23407
2021-07-14T17:15:07+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23407 www.secnews.physaphae.fr/article.php?IdArticle=3065861 False None APT 33 None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
'Charming Kitten' APT Siphons Intel From Mid-East Scholars
2021-07-13T16:44:59+00:00 https://threatpost.com/apt-ta453-siphons-intel-mideast/167715/ www.secnews.physaphae.fr/article.php?IdArticle=3058387 False None APT 35 None

Anomali - Firm Blog
Anomali Cyber Watch: Global Phishing Campaign, Magecart Data Theft, New APT Group, and More
Figure 1 - IOC Summary Charts.
These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Global Phishing Campaign Targets Energy Sector and Its Suppliers (published: July 8, 2021)
Researchers at Intezer have identified a year-long global phishing campaign targeting the energy, oil and gas, and electronics industries. The threat actors use spoofed or typosquatted emails to deliver an IMG, ISO or CAB file containing an infostealer, typically FormBook and Agent Tesla. The emails are made to look as if they are coming from another company in the same sector, with the IMG/ISO/CAB file attached, which when opened contains a malicious executable. Once executed, the malware is loaded into memory, helping it evade detection by anti-virus. The campaign appears to be targeting Germany, South Korea, the United States, and the United Arab Emirates (UAE).
Analyst Comment: All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments in favor of a cloud file hosting service.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Process Injection - T1055
Tags: FormBook, AgentTesla, Phishing, Europe, Middle East
SideCopy Cybercriminals Use New Custom Trojans in Attacks Against India's Military (published: July 7, 2021)
SideCopy, an advanced persistent threat (APT) group, has expanded its activities, and new trojans are being used in campaigns across India, according to Talos Intelligence. This APT group has been active since at least 2019 and appears to focus on targets of value in cyberespionage. SideCopy has also taken cues from Transparent Tribe (also known as PROJECTM, APT36) in how it uses tools and techniques against its targets. These targets include multiple units of the Indian military and government officials.
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Third-party Software - T1072
2021-07-13T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-global-phishing-campaign-magecart-data-theft-new-apt-group-and-more www.secnews.physaphae.fr/article.php?IdArticle=3057627 False Malware,Threat APT 36 None

Wired Threat Level - Security News
A Son Is Rescued at Sea. But What Happened to His Mother?
2021-07-13T10:00:00+00:00 https://www.wired.com/story/a-son-is-rescued-at-sea-but-what-happened-to-his-mother www.secnews.physaphae.fr/article.php?IdArticle=3056178 False None APT 32 None

SANS Institute - SANS is a defense and training player
Scanning for Microsoft Secure Socket Tunneling Protocol, (Sat, Jul 10th)
2021-07-10T21:56:51+00:00 https://isc.sans.edu/diary/rss/27622 www.secnews.physaphae.fr/article.php?IdArticle=3047698 False None APT 32 None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
Lazarus Targets Job-Seeking Engineers with Malicious Documents
2021-07-09T10:50:37+00:00 https://threatpost.com/lazarus-engineers-malicious-docs/167647/ www.secnews.physaphae.fr/article.php?IdArticle=3041637 False None APT 38 None

Graham Cluley - Blog Security
Lazarus gang targets engineers with job offers using poisoned emails
2021-07-08T15:34:48+00:00 https://www.tripwire.com/state-of-security/security-data-protection/lazarus-gang-targets-engineers-with-job-offers-using-poisoned-emails/ www.secnews.physaphae.fr/article.php?IdArticle=3038180 False None APT 38 None

CISCO Talos - Cisco Research blog
InSideCopy: How this APT continues to evolve its arsenal
2021-07-07T05:01:04+00:00 http://feedproxy.google.com/~r/feedburner/Talos/~3/7sPQPB7nf_U/sidecopy.html www.secnews.physaphae.fr/article.php?IdArticle=3032498 False None APT 36,APT-C-17 None

AlienVault Blog - AlienVault is a major defense player in IOCs
Lazarus campaign TTPs and evolution
T1036.003).
Background
Since 2009, the known tools and capabilities believed to have been used by the Lazarus Group include DDoS botnets, keyloggers, remote access tools (RATs), and drive wiper malware. The most publicly documented malware and tools used by the group actors include Destover, Duuzer, and Hangman.
Analysis
Several documents identified from May to June 2021 by Twitter users were identified as being linked to the Lazarus group. Documents observed in previous campaigns lured victims with job opportunities for Boeing and BAE Systems. These new documents include:
Rheinmetall_job_requirements.doc: identified by ESET Research.
General_motors_cars.doc: identified by Twitter user @1nternaut.
Airbus_job_opportunity_confidential.doc: identified by 360CoreSec.
The documents attempted to impersonate new defense contractors and engineering companies like Airbus, General Motors (GM), and Rheinmetall. All of these documents contain macro malware, which has been developed and improved during the course of this campaign and from one target to another. The core techniques of the three malicious documents are the same, but the attackers attempted to reduce the potential detections and increase the capabilities of the macros.
First iteration: Rheinmetall
The first two documents from early May 2021 were related to a German engineering company focused on the defense and automotive industries, Rheinmetall. The second malicious document appears to include more elaborate content, which may have resulted in the documents going unnoticed by victims. The macro has base64-encoded files, which are extracted and decoded during execution. Some of the files are split inside the macro and are not combined until the time of decoding. One of the most distinctive characteristics of this macro is how it evades detection of an MZ header encoded in base64 (TVoA, TVpB, TVpQ, TVqA, TVqQ or TVro), by separating the first two characters from the rest of the content, as seen in Figure 1.
Figure 1: Concealing of MZ header, as captured by Alien Labs.
The rest of the content is kept together in lines of 64 characters, and because of this, YARA rules can be used to detect other typical executable content encoded in base64 aside from the MZ header.
In this case, up to nine different YARA rules alerted to suspicious encoded strings in our Alien Labs analysis, like VirtualProtect, GetProcAddress, IsDe
2021-07-06T10:00:00+00:00 https://feeds.feedblitz.com/~/656720256/0/alienvault-blogs~Lazarus-campaign-TTPs-and-evolution www.secnews.physaphae.fr/article.php?IdArticle=3027251 False Malware,Threat,Guideline,Medical APT 38,APT 28 None

Anomali - Firm Blog
Anomali May Quarterly Product Release: Democratizing Intelligence
Building Custom Dashboard Widgets Based on Threat Model Data
Dashboards in ThreatStream provide a quick, digestible, and timely source of key metrics on threat intelligence indicators. Custom dashboards can be tailored for a given organization's or user's requirements. Users can now develop their own dashboard with widgets based on Threat Model saved searches, in addition to Observable saved searches. Users can also choose to incorporate out-of-the-box widgets or develop their own, based on an advanced saved search (of Observables or Threat Models). This new feature builds upon features we've been adding to ThreatStream over recent releases, i.e. the addition of custom widgets and the enablement of Threat Model advanced saved searches.
Industry News Trend Widgets in ThreatStream Dashboard
ThreatStream Dashboards provide key decision-making data in an easy-to-digest visual format for all users of ThreatStream - whether research analyst, team manager or CISO. With this release, industry trending news on Actors, Malware and Common Vulnerabilities and Exposures (CVEs) is available as graph widgets within the ThreatStream dashboard. Our trending engine is based on data sourced from a huge array of public and private security news feeds, blogs, and other reputable sources. The graphs provide current lists of trending entities, with pertinent information and graphs showing activity over various timelines. Currently, this feature is exclusive to Anomali Lens+ customers.
MITRE ATT&CK Support for Sub-techniques
The MITRE ATT&CK Security Framework is one of the most widely used tools to help organizations un
2021-07-01T10:00:00+00:00 https://www.anomali.com/blog/anomali-may-quarterly-product-release-democratizing-intelligence www.secnews.physaphae.fr/article.php?IdArticle=3006318 False Malware,Threat APT 38 None

Anomali - Firm Blog
Anomali Cyber Watch: Microsoft Signs Malicious Netfilter Rootkit, Ransomware Attackers Using VMs, Fertility Clinic Hit With Data Breach and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Microsoft Signed a Malicious Netfilter Rootkit (published: June 25, 2021)
Security researchers recently discovered a malicious netfilter driver that is signed by a valid Microsoft signing certificate. The files were initially thought to be a false positive due to the valid signature, but further inspection revealed that the malicious driver called out to a Chinese IP. Further research has analyzed the malware, dropper, and Command and Control (C2) commands. Microsoft is still investigating this incident, but has clarified that it did approve the signing of the driver.
Analyst Comment: Malware signed by a trusted source is a threat vector that can be easily missed, as organizations may be tempted not to inspect files from a trusted source. It is important for organizations to have network monitoring as part of their defenses. Additionally, the signing certificate used was quite old, so review and/or expiration of old certificates could prevent this malware from running.
MITRE ATT&CK: [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] Install Root Certificate - T1130
Tags: Netfilter, China
Dell BIOSConnect Flaws Affect 30 Million Devices (published: June 24, 2021)
Four vulnerabilities have been identified in the BIOSConnect tool distributed by Dell as part of SupportAssist.
The core vulnerability is due to insecure/faulty handling of TLS, specifically accepting any valid wildcard certificate. The flaws in this software affect over 30 million Dell devices across 128 models, and could be used for Remote Code Execution (RCE). Dell has released patches for these vulnerabilities, and currently there are no known actors scanning for or exploiting these flaws.
Analyst Comment: Any business or customer using Dell hardware should patch this vulnerability to prevent malicious actors from being able to exploit it. The good news is that Dell has addressed the issue. Patch management and asset inventories are critical portions of a good defense-in-depth security program.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Peripheral Device Discovery - T1120
Tags: CVE-2021-21571, CVE-2021-21572, CVE-2021-21573, CVE-2021-21574, Dell, BIOSConnect
Malicious Spam Campaigns Delivering Banking Trojans (published: June 24, 2021)
Analysis from two mid-March 2021 spam campaigns revealed that th
2021-06-29T16:29:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-microsoft-signs-malicious-netfilter-rootkit-ransomware-attackers-using-vms-fertility-clinic-hit-with-data-breach-and-more www.secnews.physaphae.fr/article.php?IdArticle=2996479 False Ransomware,Data Breach,Spam,Malware,Tool,Vulnerability,Threat,Patching APT 30 None

Security Affairs - Security blog
Security Affairs newsletter Round 320
2021-06-27T11:25:36+00:00 https://securityaffairs.co/wordpress/119448/breaking-news/security-affairs-newsletter-round-320.html?utm_source=rss&utm_medium=rss&utm_campaign=security-affairs-newsletter-round-320 www.secnews.physaphae.fr/article.php?IdArticle=2988080 False Hack,Guideline APT 31 None

CyberArk - Software Vendor
Cryptomining Cloud Attack: Compromise Sensitive Console Access
2021-06-25T13:00:04+00:00
https://www.cyberark.com/blog/cryptomining-cloud-attack-compromise-sensitive-console-access/ www.secnews.physaphae.fr/article.php?IdArticle=4593680 False None APT 32 None

Anomali - Firm Blog
Anomali Cyber Watch: Klingon RAT Holding on for Dear Life, CVS Medical Records Breach, Black Kingdom Ransomware and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Andariel Evolves to Target South Korea with Ransomware (published: June 15, 2021)
Researchers at Securelist identified ransomware attacks from Andariel, a sub-group of Lazarus, targeting South Korea. Attack victims included entities from the manufacturing, home network service, media and construction sectors. These attacks involved malicious Microsoft Word documents containing a macro and used novel techniques to implant a multi-stage payload. The final payload was ransomware custom-made for this specific attack.
Analyst Comment: Users should be wary of documents that request macros to be enabled. All employees should be educated on the risk of opening attachments from unknown senders. Anti-spam and antivirus protections should be implemented and kept up to date with the latest version to better ensure security.
MITRE ATT&CK: [MITRE ATT&CK] System Network Connections Discovery - T1049 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Lazarus group, Lazarus, Andariel, Hidden Cobra, tasklist, Manuscrypt, Banking And Finance, Malicious documents, Macros
Matanbuchus: Malware-as-a-Service with Demonic Intentions (published: June 15, 2021)
In February 2021, BelialDemon advertised a new malware-as-a-service (MaaS) called Matanbuchus Loader and charged an initial rental price of $2,500. Malware loaders are malicious software that typically drop or pull down second-stage malware from command and control (C2) infrastructure.
Analyst Comment: Malware as a Service (MaaS) is a relatively new development, which opens the doors of crime to anyone with the money to pay for access. A criminal organization that wants to carry out a malware attack on a target no longer requires in-house technical expertise or infrastructure. Such attacks in most cases share tactics, techniques, and even IOCs. This highlights the importance of intelligence sharing for proactive protection.
MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016
Tags: BelialDemon, Matanbuchus, Belial, WildFire, EU, North America
Black Kingdom ransomware (published: June 17
2021-06-22T18:18:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-klingon-rat-holding-on-for-dear-life-cvs-medical-records-breach-black-kingdom-ransomware-and-more www.secnews.physaphae.fr/article.php?IdArticle=2966761 False Ransomware,Data Breach,Malware,Vulnerability,Threat,Medical APT 38,APT 28 None

Security Affairs - Security blog
Norway blames China-linked APT31 for 2018 government hack
2021-06-20T16:36:59+00:00 https://securityaffairs.co/wordpress/119161/apt/norway-blames-china-apt31.html?utm_source=rss&utm_medium=rss&utm_campaign=norway-blames-china-apt31 www.secnews.physaphae.fr/article.php?IdArticle=2956293 False Hack APT 31 None

TroyHunt - Blog Security
Two Viking burials, separated by an ocean, contain close kin
2021-06-19T13:00:57+00:00 https://arstechnica.com/?p=1774420 www.secnews.physaphae.fr/article.php?IdArticle=2952689 False None APT 32 None

Wired Threat Level - Security News
This Robot Spies on Creatures in the Ocean's 'Twilight Zone'
2021-06-16T18:00:00+00:00 https://www.wired.com/story/a-clever-robot-spies-on-creatures-in-the-oceans-twilight-zone www.secnews.physaphae.fr/article.php?IdArticle=2937551 False None APT 32 None

TroyHunt - Blog Security
Mercury is accumulating in deep ocean trenches
2021-06-16T10:15:07+00:00 https://arstechnica.com/?p=1773860 www.secnews.physaphae.fr/article.php?IdArticle=2934453 False None APT 32 None

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Malware Attack on South Korean Entities Was Work of Andariel Group
2021-06-16T05:25:25+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/Pj15o6lVbTE/malware-attack-on-south-korean-entities.html www.secnews.physaphae.fr/article.php?IdArticle=2935756 False Malware APT 38 None

CVE List - Common Vulnerability Exposure
CVE-2021-32682
2021-06-14T17:15:07+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32682 www.secnews.physaphae.fr/article.php?IdArticle=2924787 False None APT 33 3.0000000000000000

CVE List - Common Vulnerability Exposure
CVE-2021-23394
2021-06-13T11:15:14+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23394 www.secnews.physaphae.fr/article.php?IdArticle=2919629 False None APT 33 None

ProofPoint - Firm Security
Fake Lazarus DDoS Gang Launches New 'Attacks'
2021-06-11T11:34:28+00:00 https://www.proofpoint.com/us/newsroom/news/fake-lazarus-ddos-gang-launches-new-attacks www.secnews.physaphae.fr/article.php?IdArticle=2921284 False None APT 38,APT 28 None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
'Fancy Lazarus' Cyberattackers Ramp up Ransom DDoS Efforts
2021-06-10T21:54:21+00:00 https://threatpost.com/fancy-lazarus-cyberattackers-ransom-ddos/166811/ www.secnews.physaphae.fr/article.php?IdArticle=2905365 False None APT 38 None

UnderNews - French "pirate" news site
The Fancy Lazarus actor, a DDoS extortion specialist, makes its big comeback
"The Fancy Lazarus actor, a DDoS extortion specialist, makes its big comeback" first appeared on UnderNews.
2021-06-10T12:33:45+00:00 https://www.undernews.fr/hacking-hacktivisme/lacteur-fancy-lazarus-specialiste-des-extorsions-ddos-fait-son-grand-retour.html www.secnews.physaphae.fr/article.php?IdArticle=2902941 False None APT 38,APT 28 None

ProofPoint - Firm Security
'Fancy Lazarus' Criminal Group Launches DDoS Extortion Campaign
2021-06-10T11:18:22+00:00
https://www.proofpoint.com/us/newsroom/news/fancy-lazarus-criminal-group-launches-ddos-extortion-campaign www.secnews.physaphae.fr/article.php?IdArticle=2921287 False None APT 38 None

Anomali - Firm Blog
Anomali Cyber Watch: Attacks Against Israeli Targets, MacOS Zero-Days, Conti Ransomware Targeting US Healthcare and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New Sophisticated Email-based Attack From NOBELIUM (published: May 28, 2021)
NOBELIUM, the threat actor behind the SolarWinds attacks, has been conducting a widespread email campaign against more than 150 organizations. Using attached HTML files containing JavaScript, the email will write an ISO file to disk; this contains a Cobalt Strike beacon that will activate on completion. Once detonated, the attackers have persistent access to a victim's system for additional objectives such as data harvesting/exfiltration, monitoring, and lateral movement.
Analyst Comment: Be sure to update and monitor email filter rules constantly. As noted in the report, many organizations managed to block these malicious emails; however, some payloads successfully bypassed cloud security due to incorrect/poorly implemented filter rules.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Spearphishing Attachment - T1193
Tags: Nobelium, SolarWinds, TearDrop, CVE-2021-1879, Government, Military
Evolution of JSWorm Ransomware (published: May 25, 2021)
JSWorm ransomware was discovered in 2019, and since then different variants have gained notoriety under different names such as Nemty, Nefilim, and Offwhite, among others. It has been used to target multiple industries, with the largest concentration in engineering, and others including finance, healthcare, and energy.
While the underlying code has been rewritten from C++ to Golang (and back again), along with revolving distribution methods, JSWorm remains a consistent threat.
Analyst Comment: Ransomware threats often affect organisations in two ways. First, by encrypting operationally critical documents and data. In these cases EDR solutions will help to block potential ransomware, and data backup solutions will help to restore files in case an attack is successful. Secondly, sensitive customer and business files are exfiltrated and leaked online by ransomware gangs. DLP solutions will help to identify and block potential data exfiltration attempts, while network segregation and encryption of critical data will play an important role in reducing the risk.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Private Keys - T1145 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] BITS Jobs - T1197
2021-06-02T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-attacks-against-israeli-targets-macos-zero-days-conti-ransomware-targeting-us-healthcare-and-more www.secnews.physaphae.fr/article.php?IdArticle=2868449 False Ransomware,Malware,Threat,Medical Solardwinds,APT 38,APT 28 None

CISCO Talos - Cisco Research blog
Talos Takes Ep. #55: How Transparent Tribe could evolve in the future
2021-05-28T07:30:24+00:00 http://feedproxy.google.com/~r/feedburner/Talos/~3/yx6ko5zqIhA/talos-takes-ep-55-how-transparent-tribe.html www.secnews.physaphae.fr/article.php?IdArticle=2852396 False None APT 36 None

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Researchers Link CryptoCore Attacks On Cryptocurrency Exchanges to North Korea
2021-05-24T10:23:01+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/dvdck4LoGYE/researchers-link-cryptocore-attacks-on.html www.secnews.physaphae.fr/article.php?IdArticle=2832231 False Medical APT 38,APT 28 None

Bleeping Computer - American magazine
North Korean hackers behind CryptoCore multi-million dollar heists
2021-05-24T10:02:03+00:00 https://www.bleepingcomputer.com/news/security/north-korean-hackers-behind-cryptocore-multi-million-dollar-heists/ www.secnews.physaphae.fr/article.php?IdArticle=2830904 False Threat APT 38 None

Security Affairs - Security blog
Security Affairs newsletter Round 315
2021-05-23T12:33:32+00:00 https://securityaffairs.co/wordpress/118186/breaking-news/security-affairs-newsletter-round-315.html?utm_source=rss&utm_medium=rss&utm_campaign=security-affairs-newsletter-round-315 www.secnews.physaphae.fr/article.php?IdArticle=2827928 False Ransomware,Tool APT 36 None

Anomali - Firm Blog
Anomali Cyber Watch: Microsoft Azure Vulnerability Discovered, MSBuild Used to Deliver Malware, Escalation of Avaddon Ransomware and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Cross-Browser Tracking Vulnerability Tracks You Via Installed Apps (published: May 14, 2021)
A new method of fingerprinting users has been developed that works in any browser. Using URL schemes, certain applications can be launched from the browser. With this knowledge, an attacker can flood a client with multiple URL schemes to determine installed applications and create a fingerprint. Google Chrome has certain protections against this attack, but a workaround exists when using the built-in PDF viewer; this resets a flag used for flood protection. The only known protection against scheme flooding is to use browsers across multiple devices.
Analyst Comment: It is critical that the latest security patches be applied as soon as possible to the web browser used by your company. Vulnerabilities are discovered relatively frequently, and it is paramount to install the security patches because the vulnerabilities are often posted to open sources where any malicious actor could attempt to mimic the techniques that are described.
Tags: Scheme Flooding, Vulnerability, Chrome, Firefox, Edge
Threat Actors Use MSBuild to Deliver RATs Filelessly (published: May 13, 2021)
Anomali Threat Research has identified a campaign in which threat actors are using MSBuild project files to deliver malware. The project files contain a payload, either Remcos RAT, RedLine, or QuasarRAT, with shellcode used to inject that payload into memory. Using this technique the malware is delivered filelessly, allowing it to evade detection.
Analyst Comment: Threat actors are always looking for new ways to evade detection. Users should make use of a runtime protection solution that can detect memory-based attacks.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Trusted Developer Utilities - T1127 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] File and Directory Discovery - T1083
2021-05-18T19:05:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-microsoft-azure-vulnerability-discovered-msbuild-used-to-deliver-malware-esclation-of-avaddon-ransomware-and-more www.secnews.physaphae.fr/article.php?IdArticle=2807407 False Ransomware,Malware,Vulnerability,Threat,Guideline APT 36 None

CVE List - Common Vulnerability Exposure
CVE-2021-29053
2021-05-17T11:15:07+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29053 www.secnews.physaphae.fr/article.php?IdArticle=2799393 False None APT 33 None

Security Affairs - Security blog
Pakistan-linked Transparent Tribe APT expands its arsenal
2021-05-16T08:39:52+00:00 https://securityaffairs.co/wordpress/117963/apt/transparent-tribe-malware.html?utm_source=rss&utm_medium=rss&utm_campaign=transparent-tribe-malware www.secnews.physaphae.fr/article.php?IdArticle=2794435 False Malware APT 36 None

Wired Threat Level - Security News
The Wondrous, Tedious Ocean of Subnautica: Below Zero
2021-05-15T11:00:00+00:00 https://www.wired.com/story/subnautica-below-zero-impressions www.secnews.physaphae.fr/article.php?IdArticle=2791679 False None APT 32 None

TechRepublic - Security News US
AI under the sea: Autonomous robot to collect data from new depths
2021-05-14T12:49:59+00:00 https://www.techrepublic.com/article/ai-under-the-sea-autonomous-robot-to-collect-data-from-new-depths/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=2786139 False None APT 32 None

The Hacker News - The Hacker News
est un blog de news de hack (surprenant non?) Pakistan-Linked Hackers Added New Windows Malware to Its Arsenal ]]> 2021-05-14T05:04:00+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/6_YF2n3KTQg/pakistan-linked-hackers-added-new.html www.secnews.physaphae.fr/article.php?IdArticle=2786036 False Malware APT 36 None Wired Threat Level - Security News Watch Us Roam Virtual Deep Seas With Real Oceanographers 2021-05-13T19:00:20+00:00 https://www.wired.com/story/subnautica-noaa-whoi-oceanexplorer-stream www.secnews.physaphae.fr/article.php?IdArticle=2781388 False None APT 32 None CISCO Talos - Cisco Research blog Transparent Tribe APT expands its Windows malware arsenal ]]> 2021-05-13T05:09:57+00:00 http://feedproxy.google.com/~r/feedburner/Talos/~3/z_NRqWmErnI/transparent-tribe-infra-and-targeting.html www.secnews.physaphae.fr/article.php?IdArticle=2779664 False Malware APT 36 None Security Through Education - Security Through Education Ep. 145 – Baking a Human Behavior Cake with Jack Schafer 2021-05-10T06:00:29+00:00 https://www.social-engineer.org/podcast/ep-145-baking-a-human-behavior-cake-with-jack-schafer/?utm_source=rss&utm_medium=rss&utm_campaign=ep-145-baking-a-human-behavior-cake-with-jack-schafer www.secnews.physaphae.fr/article.php?IdArticle=2759817 False Prediction APT 39 None Wired Threat Level - Security News Sharks Use the Earth\'s Magnetic Field Like a Compass 2021-05-06T15:00:00+00:00 https://www.wired.com/story/sharks-use-the-earths-magnetic-field-like-a-compass www.secnews.physaphae.fr/article.php?IdArticle=2746490 False None APT 32 None TroyHunt - Blog Security Four astronauts make first nighttime landing in the ocean since 1968 2021-05-02T09:43:33+00:00 https://arstechnica.com/?p=1761816 www.secnews.physaphae.fr/article.php?IdArticle=2729091 False None APT 32 None Graham Cluley - Blog Security DigitalOcean admits data breach exposed customers\' billing details 2021-04-30T07:30:29+00:00 
https://hotforsecurity.bitdefender.com/blog/digitalocean-admits-data-breach-exposed-customers-billing-details-25754.html www.secnews.physaphae.fr/article.php?IdArticle=2720021 False Data Breach APT 32 None SecurityWeek - Security News DigitalOcean Discloses Breach Involving Billing Information 2021-04-29T14:35:46+00:00 http://feedproxy.google.com/~r/Securityweek/~3/ChohrSXNhAY/digitalocean-discloses-breach-involving-billing-information www.secnews.physaphae.fr/article.php?IdArticle=2714728 False Vulnerability APT 32 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Chinese Hackers Attacking Military Organizations With New Backdoor ]]> 2021-04-29T03:19:09+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/RkNn6-LJ5CA/chinese-hackers-attacking-military.html www.secnews.physaphae.fr/article.php?IdArticle=2713697 False Threat APT 30 None Security Affairs - Blog Secu Naikon APT group uses new Nebulae backdoor in attacks aimed at military orgs 2021-04-28T19:40:55+00:00 https://securityaffairs.co/wordpress/117321/apt/naikon-apt-nebulae-backdoor.html?utm_source=rss&utm_medium=rss&utm_campaign=naikon-apt-nebulae-backdoor www.secnews.physaphae.fr/article.php?IdArticle=2710429 False None APT 30 None Bleeping Computer - Magazine Américain DigitalOcean data breach exposes customer billing information 2021-04-28T16:09:13+00:00 https://www.bleepingcomputer.com/news/security/digitalocean-data-breach-exposes-customer-billing-information/ www.secnews.physaphae.fr/article.php?IdArticle=2710746 False Data Breach APT 32 None Anomali - Firm Blog Anomali Cyber Watch:  HabitsRAT Targeting Linux and Windows Servers, Lazarus Group Targetting South Korean Orgs, Multiple Zero-Days and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. 
Trending Cyber News and Threat Intelligence

Zero-day Vulnerabilities in SonicWall Email Security Actively Exploited (published: April 21, 2021)
US cybersecurity company SonicWall said fixes have been published to resolve three critical issues in its email security solution that are being actively exploited in the wild. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall Email Security (ES) and Hosted Email Security (HES) versions 10.0.1 and above.
Analyst Comment: The patches for these vulnerabilities have been issued and should be applied as soon as possible to avoid potential malicious behaviour. SonicWall's security notice can be found at https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/. It is important that your company has patch-maintenance policies in place. Once a vulnerability has been publicly reported, threat actors will likely attempt to incorporate its exploitation into their operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083
Tags: CVE-2021-20021, CVE-2021-20023, CVE-2021-20022

Massive Qlocker Ransomware Attack Uses 7zip to Encrypt QNAP Devices (published: April 21, 2021)
The ransomware, called Qlocker, began targeting QNAP devices on April 19th, 2021. All victims are told to pay 0.01 Bitcoin (approximately $557.74) to obtain the password for their archived files. While files are being locked, the Resource Monitor displays numerous '7z' processes, which are the 7-Zip command-line executable.
Analyst Comment: Attackers are using legitimate tools like 7-Zip to evade detection by traditional antivirus products.
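As an added example (not from the Anomali write-up and not from the underlying reporting), the following Python detection runs over constructed EDR-style process-creation events and flags 7-Zip invocations that create password-protected archives, delete the source files after archiving, or occur in a burst on one host. The event schema, the switch list and the sample events are this example's own assumptions; the password in the sample is redacted and the NAS paths are made up.

```python
"""Flag 7-Zip process creations that look like archive-based ransomware.

Added example. The event schema (JSON lines with ts/host/pid/image/cmdline), the
switch list and the sample events are assumptions and constructed data, not
telemetry from the Qlocker incident.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SEVENZIP_NAMES = {"7z", "7za", "7zr", "7z.exe", "7za.exe", "7zr.exe"}

# Constructed sample telemetry: three archive jobs on a NAS within 22 seconds,
# then an ordinary extraction on a workstation.
SAMPLE_EVENTS = r"""
{"ts": "2021-04-20T02:14:03", "host": "nas01", "pid": 4112, "image": "/usr/bin/7z", "cmdline": "7z a -mx=0 -sdel -p[redacted] /share/Public/docs.7z /share/Public/docs"}
{"ts": "2021-04-20T02:14:11", "host": "nas01", "pid": 4120, "image": "/usr/bin/7z", "cmdline": "7z a -mx=0 -sdel -p[redacted] /share/Public/photos.7z /share/Public/photos"}
{"ts": "2021-04-20T02:14:25", "host": "nas01", "pid": 4133, "image": "/usr/bin/7z", "cmdline": "7z a -mx=0 -sdel -p[redacted] /share/Finance/2020.7z /share/Finance/2020"}
{"ts": "2021-04-20T02:15:40", "host": "ws-07", "pid": 5520, "image": "C:\\Program Files\\7-Zip\\7z.exe", "cmdline": "7z.exe x C:\\Users\\bob\\backup.7z -oC:\\restore"}
"""


def parse_events(lines):
    """Parse JSON-lines telemetry; timestamps become datetime for window math."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def is_sevenzip(image):
    # Split on either separator so Windows and Linux paths both yield a basename.
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower() in SEVENZIP_NAMES


def suspicious_switches(cmdline):
    """Reasons a single 7z command line deserves attention (empty list = benign)."""
    args = cmdline.split()
    reasons = []
    if len(args) > 1 and args[1].lower() == "a":  # 'a' = add to archive
        if any(a.startswith("-p") for a in args[2:]):
            reasons.append("creates password-protected archive (-p)")
        if "-sdel" in args:
            reasons.append("deletes source files after archiving (-sdel)")
        if any(a.startswith("-mhe") for a in args):
            reasons.append("encrypts archive headers (-mhe)")
    return reasons


def detect_archive_ransomware(events, window=timedelta(seconds=60), threshold=3):
    """Per-process alerts plus one burst alert per host that exceeds the threshold."""
    alerts = []
    suspicious_ts = defaultdict(list)
    for ev in events:
        if not is_sevenzip(ev["image"]):
            continue
        reasons = suspicious_switches(ev["cmdline"])
        if reasons:
            alerts.append({"host": ev["host"], "pid": ev["pid"],
                           "ts": ev["ts"].isoformat(), "reasons": reasons})
            suspicious_ts[ev["host"]].append(ev["ts"])
    for host, stamps in suspicious_ts.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = sum(1 for t in stamps[i:] if t - start <= window)
            if in_window >= threshold:
                alerts.append({"host": host, "pid": None, "ts": start.isoformat(),
                               "reasons": [f"{in_window} password-protected archive jobs "
                                           f"within {int(window.total_seconds())}s"]})
                break  # one burst alert per host is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_archive_ransomware(parse_events(SAMPLE_EVENTS.splitlines())):
        print(alert)
```

The per-process rule catches the first archive job; the burst rule is what separates a user zipping one folder with a password from a process walking every share, and it fires while files are still being archived rather than after the ransom note appears.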
EDR solutions can help by tracking suspicious command-line arguments and process creations to detect such attacks. Customers should use backup solutions to be able to recover encrypted files.
MITRE ATT&CK: [MITRE ATT&CK] Credentials in Files - T1081
Tags: Tor, Qlocker, CVE-2020-2509, CVE-2020-36195

Novel Email-Based Campaign Targets Bloomberg Clients with RATs (published: April 21, 2021)
A new email-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg's industry-based services. Attacks start in the form of targeted emails to c[...]
Published 2021-04-27T17:24:00+00:00. https://www.anomali.com/blog/anomali-cyber-watch-habitsrat-targeting-linux-and-windows-servers-lazarus-group-targetting-south-korean-orgs-multiple-zero-days-and-more [secnews #2704270] Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Medical; Wannacry, APT 38, APT 28
McAfee Labs - Software vendor: You Don't Have to Give Up Your Crown Jewels in Hopes of Better Cloud Security. If you're like me, you love a good heist film. Movies like The Italian Job, Inception, and Ocean's 11 are riveting, but outside of cinema these types of heists don't really happen anymore, right? Think again. In 2019, the Green Vault Museum in Dresden, Germany reported a jewel burglary worthy of its own film. On […]
Published 2021-04-26T15:00:44+00:00. https://www.mcafee.com/blogs/enterprise/cloud-security/you-dont-have-to-give-up-your-crown-jewels-in-hopes-of-better-cloud-security/ [secnews #2696702] Tags: APT 32; 5.0
DarkTrace - AI-based detection: APT35 'Charming Kitten' discovered in a pre-infected environment (2021-04-23T09:00:00+00:00). https://www.darktrace.com/en/blog/apt-35-charming-kitten-discovered-in-a-pre-infected-environment [secnews #2682631] Tags: Conference; APT 35
Graham Cluley - Blog Security: Smashing Security podcast #224: The Lazarus Heist, Facebook faux pas, and no-cost security (2021-04-22T08:30:22+00:00). https://grahamcluley.com/smashing-security-podcast-224/ [secnews #2677532] Tags: Data Breach; APT 38, APT 28
Security Affairs: North Korea-linked Lazarus APT hides malicious code within BMP image to avoid detection (2021-04-20T16:06:24+00:00). https://securityaffairs.co/wordpress/117035/apt/lazarus-apt-bmp-image.html?utm_source=rss&utm_medium=rss&utm_campaign=lazarus-apt-bmp-image [secnews #2671574] Tags: APT 38, APT 28
ZD Net - Magazine Info: Lazarus hacking group now hides payloads in BMP image files (2021-04-20T10:35:48+00:00). https://www.zdnet.com/article/lazarus-state-hacking-group-now-hides-payloads-in-bmp-image-files/#ftag=RSSbaffb68 [secnews #2670526] Tags: APT 38
The Hacker News:
Lazarus APT Hackers are now using BMP images to hide RAT malware (2021-04-19T22:33:45+00:00). http://feedproxy.google.com/~r/TheHackersNews/~3/wHc4_FCN43Y/lazarus-apt-hackers-are-now-using-bmp.html [secnews #2669656] Tags: Malware, Threat, Medical; APT 38
Team Cymru - Threat intelligence team: Transparent Tribe APT Infrastructure Mapping [...] (2021-04-16T15:00:29+00:00). https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/ [secnews #2653449] Tags: Threat; APT 36
Security Affairs: Lazarus BTC Changer. Back in action with JS sniffers redesigned to steal crypto (2021-04-16T06:22:51+00:00). https://securityaffairs.co/wordpress/116874/apt/lazarus-btc-changer-js-sniffers.html?utm_source=rss&utm_medium=rss&utm_campaign=lazarus-btc-changer-js-sniffers [secnews #2651441] Tags: APT 38, APT 28
Wired Threat Level - Security News: Will Future Electric Vehicles Be Powered by Deep-Sea Metals? (2021-04-14T12:00:00+00:00). https://www.wired.com/story/will-future-electric-vehicles-be-powered-by-deep-sea-metals [secnews #2637561] Tags: APT 32
Anomali - Firm Blog: Anomali Cyber Watch: Android Malware, Government, Middle East and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence

Iran's APT34 Returns with an Updated Arsenal (published: April 8, 2021)
Check Point Research discovered evidence of a new campaign by the Iranian threat group APT34. The group has been actively retooling and updating its payload arsenal to try to avoid detection. It has created several malware variants whose ultimate purpose remains the same: to gain an initial foothold on the targeted device.
Analyst Comment: Threat actors are always innovating new methods and updating the tools used to carry out attacks. Always practice defense in depth (do not rely on a single security mechanism; security measures should be layered, redundant, and fail-safe).
MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Custom Cryptographic Protocol - T1024 | [MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Scripting - T1064
Tags: OilRig, APT34, DNSpionage, Lab Dookhtegan, TONEDEAF, Dookhtegan, Karkoff, Government, Middle East

New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp (published: April 7, 2021)
Check Point Research recently discovered Android malware on Google Play, hidden in a fake application, that is capable of spreading itself via users' WhatsApp messages. The malware automatically replies to the victim's incoming WhatsApp messages with a payload received from a command-and-control (C2) server. This unusual method could enable threat actors to distribute phishing attacks, spread false information, steal credentials and data from users' WhatsApp accounts, and more.
Analyst Comment: Users' personal mobile devices often have enterprise applications installed (multifactor authenticator, email client, and so on), which increases the risk to the enterprise even further. Users should be wary of download links or attachments received via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups. The latest security patches should be installed for both applications and the operating system.
Tags: Android, FlixOnline, WhatsApp
Published 2021-04-13T15:49:00+00:00. https://www.anomali.com/blog/anomali-cyber-watch-android-malware-government-middle-east-and-more [secnews #2631341] Tags: Ransomware, Malware, Vulnerability, Threat, Guideline; APT 34
ZD Net - Magazine Info: Vyveva: Lazarus hacking group's latest weapon strikes South African freight (2021-04-08T09:36:31+00:00). https://www.zdnet.com/article/vyveva-lazarus-latest-weapon-strikes-south-african-freight/#ftag=RSSbaffb68 [secnews #2603579] Tags: APT 38, APT 28
We Live Security - ESET antivirus software vendor: (Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor (2021-04-08T09:30:57+00:00). http://feedproxy.google.com/~r/eset/blog/~3/Y8M7oPGFV8k/ [secnews #2604696] Tags: APT 38, APT 28
Bleeping Computer: North Korean hackers use new Vyveva malware to attack freighters (2021-04-08T09:01:17+00:00). https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-new-vyveva-malware-to-attack-freighters/ [secnews #2604686] Tags: Malware; APT 38, APT 28
The Hacker News: Researchers uncover a new Iranian malware used in recent cyberattacks (2021-04-08T06:37:05+00:00). http://feedproxy.google.com/~r/TheHackersNews/~3/hz96-cUbfVk/researchers-uncover-new-iranian-malware.html [secnews #2604912] Tags: Malware, Threat; APT 34
Anomali - Firm Blog: Anomali Cyber Watch: APT Groups, Data Breach, Malspam, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence

The Leap of a Cycldek-Related Threat Actor (published: April 5, 2021)
A new sophisticated Chinese campaign was observed between June 2020 and January 2021, targeting government, military and other critical industries in Vietnam and, to a lesser extent, in Central Asia and Thailand. The threat actor uses a "DLL side-loading triad" previously mastered by another Chinese group, LuckyMouse: a legitimate executable, a malicious DLL to be side-loaded by it, and an encoded payload, generally dropped from a self-extracting archive. But the code origins of the new malware used at different stages of this campaign point to a different Chinese-speaking group, Cycldek.
Analyst Comment: Malware authors are always innovating new methods of communicating back to their control servers. Always practice defense in depth (do not rely on a single security mechanism; security measures should be layered, redundant, and fail-safe).
MITRE ATT&CK: [MITRE ATT&CK] DLL Side-Loading - T1073 | [MITRE ATT&CK] File Deletion - T1107
Tags: Chinese-speaking, Cycldek-related

Hancitor's Use of Cobalt Strike and a Noisy Network Ping Tool (published: April 1, 2021)
Hancitor is an information stealer and malware downloader used by a threat actor designated MAN1, Moskalvzapoe or TA511. Initial infection requires the target to click on malspam, then click a link on the Google Docs page that opens, and finally click to enable macros in the downloaded Word document. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. It generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic.
Analyst Comment: Organizations should use email security solutions to block malicious and spam emails. All email attachments should be scanned for malware before they reach the user's inbox. IPS rules need to be configured properly to identify reconnaissance attempts (e.g. port scans) and give early indication of a potential breach.
MITRE ATT&CK: [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Rundll32 - T1085 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] System Information Discovery - T1082
Tags: Hancitor, Malspam, Cobalt Strike
Published 2021-04-06T16:57:00+00:00. https://www.anomali.com/blog/anomali-cyber-watch-apt-groups-data-breach-malspam-and-more [secnews #2593638] Tags: Malware, Tool, Vulnerability, Threat, Conference; APT 35, APT 10
Kaspersky Threatpost (Kaspersky is a Russian antivirus vendor): APT Charming Kitten Pounces on Medical Researchers (2021-03-31T12:48:58+00:00). https://threatpost.com/charming-kitten-pounces-on-researchers/165129/ [secnews #2566195] Tags: APT 35
TroyHunt - Blog Security: Rick and Morty fans won't have long to wait for S5 as Adult Swim drops trailer (2021-03-30T23:09:47+00:00). https://arstechnica.com/?p=1753206 [secnews #2564254] Tags: APT 32
TroyHunt - Blog Security: How to optimize protecting the ocean (2021-03-24T18:51:31+00:00). https://arstechnica.com/?p=1751997 [secnews #2528131] Tags: APT 32
Anomali - Firm Blog: Anomali Cyber Watch: APT, Malware, Vulnerabilities and More.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence

Bogus Android Clubhouse App Drops Credential-Swiping Malware (published: March 19, 2021)
Researchers are warning of a fake version of the popular audio chat app Clubhouse, which delivers malware that steals login credentials for more than 450 apps.
Clubhouse has burst onto the social media scene over the past few months, gaining hype through its audio-chat rooms where participants can discuss anything from politics to relationships. Despite being invite-only and only a year old, the app is closing in on 13 million downloads. The app is only available on Apple's App Store, though an Android version is in the works.
Analyst Comment: Use only the official stores to download apps to your devices. Be wary of the permissions you grant to applications. Before downloading an app, do some research.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105
Tags: LokiBot, BlackRock, Banking, Android, Clubhouse

Trojanized Xcode Project Slips XcodeSpy Malware to Apple Developers (published: March 18, 2021)
Researchers from cybersecurity firm SentinelOne have discovered a malicious version of the legitimate iOS TabBarInteraction Xcode project being distributed in a supply-chain attack. The malware, dubbed XcodeSpy, targets Xcode, the integrated development environment (IDE) used on macOS for developing Apple software and applications. The malicious project is a doctored copy of TabBarInteraction; the legitimate project itself has not been compromised. The malicious Xcode projects are used to hijack developer systems and deploy custom EggShell backdoors.
Analyst Comment: Researchers attribute this targeting of Apple developers to North Korea and the Lazarus group: similar TTPs for compromising the developer supply chain were seen in January 2021, when a North Korean APT used a malicious Visual Studio project. Moreover, one of the victims of XcodeSpy is a Japanese organization regularly targeted by North Korea. A behavioral detection solution is required to fully detect the presence of XcodeSpy payloads.
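As an added example, not drawn from SentinelOne's report and not SentinelOne's tooling, the following Python script scans an Xcode project.pbxproj for Run Script build phases whose shell script evals decoded content, reaches out to the network, or is hidden behind a long run of leading whitespace. That the trojanized project carries its payload in an obfuscated Run Script build phase is this example's working assumption (the write-up above does not describe the mechanism); the indicator regexes, the padding threshold and the two constructed build phases are the example's own, and the sample's base64 decodes to a harmless echo.

```python
"""Scan an Xcode project.pbxproj for suspicious Run Script build phases.

Added example. Working assumption: a trojanized project carries its payload in
a PBXShellScriptBuildPhase, executed automatically when the target is built.
The indicator regexes, the whitespace threshold and the sample project below
are this example's own, not artifacts from XcodeSpy.
"""
import re

# Every object in a pbxproj is "<24 hex chars> /* comment */ = { ... };".
OBJECT_RE = re.compile(r"([0-9A-F]{24})\s*(?:/\*[^*]*\*/)?\s*=\s*\{(.*?)\};", re.S)
ISA_RE = re.compile(r"isa\s*=\s*PBXShellScriptBuildPhase\s*;")
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)
ESCAPE_RE = re.compile(r"\\(.)", re.S)
PADDING_THRESHOLD = 80  # leading spaces that push the real command out of the editor's view

INDICATORS = (
    (re.compile(r"\beval\b"), "eval of a dynamically built command"),
    (re.compile(r"base64\s+(?:-d|-D|--decode)\b|xxd\s+-r|\\x[0-9a-fA-F]{2}"),
     "decodes an encoded blob at build time"),
    (re.compile(r"\b(?:curl|wget|nc|ncat|osascript)\b"),
     "network client or AppleScript invoked from a build phase"),
    (re.compile(r"/dev/tcp/|\bbash\s+-i\b"), "reverse-shell primitive"),
)


def unescape_pbx(value):
    """Decode the backslash escapes pbxproj uses inside quoted strings."""
    return ESCAPE_RE.sub(lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), value)


def scan_pbxproj(text):
    """Return one finding per Run Script phase that trips at least one indicator."""
    findings = []
    for obj_id, body in OBJECT_RE.findall(text):
        if not ISA_RE.search(body):
            continue
        m = SCRIPT_RE.search(body)
        if not m:
            continue
        script = unescape_pbx(m.group(1))
        reasons = [why for rx, why in INDICATORS if rx.search(script)]
        padding = len(script) - len(script.lstrip(" \t"))
        if padding >= PADDING_THRESHOLD:
            reasons.append(f"script hidden behind {padding} leading whitespace characters")
        if reasons:
            findings.append({"id": obj_id, "script": script.strip(), "reasons": reasons})
    return findings


# Constructed sample: one padded, obfuscated phase and one ordinary lint phase.
SAMPLE_PBXPROJ = (
    "// !$*UTF8*$!\n{\n\tobjects = {\n"
    "/* Begin PBXShellScriptBuildPhase section */\n"
    "\t\tA1B2C3D4E5F607182930AB01 /* ShellScript */ = {\n"
    "\t\t\tisa = PBXShellScriptBuildPhase;\n"
    "\t\t\tbuildActionMask = 2147483647;\n"
    "\t\t\tfiles = (\n\t\t\t);\n"
    "\t\t\trunOnlyForDeploymentPostprocessing = 0;\n"
    "\t\t\tshellPath = /bin/sh;\n"
    '\t\t\tshellScript = "'
    + " " * 120  # padding that scrolls the command out of the visible field
    # The base64 decodes to `echo hello`: a harmless stand-in for an obfuscated stager.
    + 'eval \\"$(echo \'ZWNobyBoZWxsbw==\' | base64 -d)\\"\\n";\n'
    "\t\t};\n"
    "\t\tB2C3D4E5F6071829304AB102 /* Lint */ = {\n"
    "\t\t\tisa = PBXShellScriptBuildPhase;\n"
    "\t\t\tbuildActionMask = 2147483647;\n"
    "\t\t\tfiles = (\n\t\t\t);\n"
    "\t\t\trunOnlyForDeploymentPostprocessing = 0;\n"
    "\t\t\tshellPath = /bin/sh;\n"
    '\t\t\tshellScript = "\\"${PODS_ROOT}/SwiftLint/swiftlint\\" lint\\n";\n'
    "\t\t};\n"
    "/* End PBXShellScriptBuildPhase section */\n"
    "\t};\n}\n"
)

if __name__ == "__main__":
    for finding in scan_pbxproj(SAMPLE_PBXPROJ):
        print(finding["id"], finding["reasons"])
```

Run it against any third-party Xcode project before opening it in the IDE, since a build phase executes as soon as the target is built; a clean result does not clear the project (a payload can also live in a framework or a compiled binary), but a flagged Run Script is exactly the artefact a developer would otherwise never scroll far enough to see.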
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Security Software Discovery - T1063 | [MITRE ATT&CK] Obfuscated Files or Information - T1027
Tags: Lazarus, XcodeSpy, North Korea, EggShell, Xcode, Apple

Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware (published: March 18, 2021)
Cybereason detected a new campaig[...]
Published 2021-03-23T14:00:00+00:00. https://www.anomali.com/blog/anomali-cyber-watch-apt-malware-vulnerabilities-and-more [secnews #2522336] Tags: Ransomware, Malware, Tool, Threat, Patching, Medical; APT 38, APT 28
Wired Threat Level - Security News: Where Are Those Shoes You Ordered? Check the Ocean Floor (2021-03-20T12:00:00+00:00). https://www.wired.com/story/where-shoes-ordered-check-ocean-floor [secnews #2509708] Tags: APT 32
InfoSecurity Mag - InfoSecurity Magazine: APT31 Fingered for Cyber-Attack on Finnish Parliament (2021-03-19T15:37:00+00:00). https://www.infosecurity-magazine.com:443/news/apt31-cyberattack-finnish/ [secnews #2506079] Tags: Threat; APT 31
SecurityWeek - Security News: Finland IDs Hackers Linked to Parliament Spying Attack. APT31, which is generally linked to the Chinese government, was likely behind a cyberspying attack on the information systems of the Nordic country's parliament. (2021-03-18T18:30:27+00:00). http://feedproxy.google.com/~r/Securityweek/~3/A0vwQYUzY8E/finland-ids-hackers-linked-parliament-spying-attack [secnews #2501742] Tags: APT 31
Security Affairs: China-linked APT31 group was behind the attack on Finnish Parliament (2021-03-18T16:21:29+00:00). https://securityaffairs.co/wordpress/115723/apt/apt31-attack-parliament-finland.html?utm_source=rss&utm_medium=rss&utm_campaign=apt31-attack-parliament-finland [secnews #2501470] Tags: APT 31
Anomali - Firm Blog: Anomali Cyber Watch: APT, Ransomware, Vulnerabilities and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence

Google: This Spectre proof-of-concept shows how dangerous these attacks can be (published: March 15, 2021)
Google has released proof-of-concept (PoC) code demonstrating the practicality of Spectre side-channel attacks against a browser's JavaScript engine to leak information from its memory. Spectre abuses speculative execution in modern CPUs to leak secrets such as passwords from one site to another. While the PoC demonstrates the JavaScript Spectre attack against Chrome 88's V8 JavaScript engine on an Intel Core i7-6500U CPU on Linux, Google notes it can easily be tweaked for other CPUs, browser versions and operating systems.
Analyst Comment: As the density of microchip manufacturing continues to increase, side-channel attacks are likely to be found across many architectures and are difficult (and in some cases impossible) to remediate in software. The PoC demonstrating the practicality of such an attack from JavaScript emphasises that developers of both software and hardware must be aware of these types of attacks and of the means by which they can be used to invalidate existing security controls.
Tags: CVE-2017-5753

Threat Assessment: DearCry Ransomware (published: March 12, 2021)
A new ransomware strain is being used by actors to attack unpatched Microsoft Exchange servers. Microsoft released patches for four vulnerabilities that are being exploited in the wild. The initial round of attacks included installation of web shells onto affected servers that could be used to infect additional computers. While the initial attacks appear to have been carried out by sophisticated actors, the ease of exploitation and the publicity around these vulnerabilities have led to a diverse group of actors attempting to compromise these servers.
Analyst Comment: Patch and asset management are critical and often under-resourced aspects of defense in depth. As this particular set of vulnerabilities and attacks targets locally hosted Exchange servers, organizations may want to assess whether a hosted solution makes sense from a risk standpoint.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Published 2021-03-17T18:03:00+00:00. https://www.anomali.com/blog/anomali-cyber-watch-apt-ransomware-vulnerabilities-and-more [secnews #2496898] Tags: Ransomware, Tool, Vulnerability, Threat, Guideline; Wannacry, APT 41, APT 34
Wired Threat Level - Security News: Ocean Acidification Could Make Tiny Fish Lose Their Hearing (2021-03-12T13:00:00+00:00). https://www.wired.com/story/ocean-acidification-could-make-tiny-fish-lose-their-hearing [secnews #2474076] Tags: APT 32
UnderNews - French "hacker" news site: The Lazarus APT group now turns to the defence industry (original title: Le groupe APT Lazarus se tourne à présent vers l'industrie de la défense).
Published 2021-03-04T13:01:47+00:00. https://www.undernews.fr/malwares-virus-antivirus/le-groupe-apt-lazarus-se-tourne-a-present-vers-lindustrie-de-la-defense.html [secnews #2433385] Tags: APT 38, APT 28
Anomali - Firm Blog: Anomali Cyber Watch: APT Groups, Cobalt Strike, Russia, Malware, and More
Get signed up today so you can receive curated and summarized cybersecurity intelligence events weekly. The threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Emotet, Go, Masslogger, Mustang Panda, OilRig, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence

Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact (published: February 26, 2021)
Recent reporting indicates that two prolific cybercrime threat groups, CARBON SPIDER and SPRITE SPIDER, have begun targeting ESXi, the hypervisor developed by VMware to run and manage virtual machines. SPRITE SPIDER uses PyXie's LaZagne module to recover vCenter credentials stored in web browsers and runs Mimikatz to steal credentials from host memory. After authenticating to vCenter, SPRITE SPIDER enables SSH to permit persistent access to ESXi hosts. In some cases, they also change the root account password or the host's SSH keys. Before deploying Defray 777, SPRITE SPIDER's ransomware of choice, they terminate running VMs so that the ransomware can encrypt the files associated with those VMs.
CARBON SPIDER has traditionally targeted companies operating POS devices, gaining initial access through low-volume phishing campaigns against this sector. But throughout 2020 they were observed shifting focus to "big game hunting" with the introduction of the Darkside ransomware. CARBON SPIDER gains access to ESXi servers using valid credentials and reportedly also logs in over SSH using the Plink utility to drop Darkside.
Recommendation: Both CARBON SPIDER and SPRITE SPIDER likely intend to use ransomware targeting ESXi to inflict greater harm, and hopefully realize larger profits, than traditional ransomware operations against Windows systems. Should these campaigns continue and prove profitable, we would expect more threat actors to imitate these activities.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Scheduled Transfer - T1029
Published 2021-03-02T15:00:00+00:00. https://www.anomali.com/blog/anomali-cyber-watch-apt-groups-cobalt-strike-russia-malware-and-more [secnews #2422682] Tags: Ransomware, Malware, Threat; Wannacry, APT 29, APT 28, APT 31, APT 34
CISCO Talos - Cisco Research blog: ObliqueRAT returns with new campaign using hijacked websites (2021-03-02T05:49:51+00:00). http://feedproxy.google.com/~r/feedburner/Talos/~3/TszHfxDii4A/obliquerat-new-campaign.html [secnews #2422553] Tags: Malware; APT 36
Errata Security: We are living in 1984 (ETERNALBLUE)
[...] Baltimore ransomware attack. When the attack happened, the entire cybersecurity community agreed that EternalBlue wasn't responsible. But this New York Times article said otherwise, blaming the Baltimore attack on EternalBlue.
And there are hundreds of other news articles [eg] that agree, citing the New York Times. There are no news articles that dispute this.
In a recent book, the author of that article admits it's not true, that EternalBlue didn't cause the ransomware to spread. But they defend themselves as it being essentially true, that EternalBlue is responsible for a lot of bad things, even if technically, not in this case. Such errors are justified, on the grounds they are generalizations and simplifications needed for the mass audience.
So we are left with the situation Orwell describes: all records tell the same tale -- when the lie passes into history, it becomes the truth.
Orwell continues:
"He wondered, as he had many times wondered before, whether he himself was a lunatic. Perhaps a lunatic was simply a minority of one. At one time it had been a sign of madness to believe that the earth goes round the sun; today, to believe that the past is inalterable. He might be ALONE in holding that belief, and if alone, then a lunatic. But the thought of being a lunatic did not greatly trouble him: the horror was that he might also be wrong."
I'm definitely a lunatic, alone in my beliefs. I sure hope I'm not wrong.
Update: Other lunatics document their struggles with Minitrue:
"When I was investigating the TJX breach, there were NYT articles citing unnamed sources that were made up & then outlets would publish citing the NYT. The TJX lawyers would require us to disprove the articles. Each time we would. It was maddening fighting lies for 8 months." -- Nicholas J. Percoco (@c7five), March 1, 2021
Published 2021-02-28T20:05:19+00:00. https://blog.erratasec.com/2021/02/we-are-living-in-1984-eternalblue.html [secnews #2414565] Tags: Ransomware; NotPetya, Wannacry, APT 32
CVE Liste - Common Vulnerability Exposure: CVE-2020-36079 (2021-02-26T23:15:11+00:00). https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36079 [secnews #2406959] Tags: Guideline; APT 33
Kaspersky Threatpost: Lazarus Targets Defense Companies with ThreatNeedle Malware (2021-02-26T19:56:39+00:00). https://threatpost.com/lazarus-targets-defense-threatneedle-malware/164321/ [secnews #2405027] Tags: Malware; APT 38
SecurityWeek - Security News: Here's How North Korean Hackers Stole Data From Isolated Network Segment (2021-02-26T04:48:42+00:00). http://feedproxy.google.com/~r/Securityweek/~3/W31waojQwU8/heres-how-north-korean-hackers-stole-data-isolated-network-segment [secnews #2401911] Tags: Threat; APT 38, APT 28
The Hacker News: North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware (2021-02-26T03:02:08+00:00). http://feedproxy.google.com/~r/TheHackersNews/~3/70y1849WSoA/north-korean-hackers-targeting-defense.html [secnews #2402885] Tags: Malware, Medical; APT 38; 2.0
Security Affairs: North Korea-linked Lazarus APT targets defense industry with ThreatNeedle backdoor (2021-02-25T17:50:39+00:00). https://securityaffairs.co/wordpress/115013/apt/lazarus-apt-threatneedle.html?utm_source=rss&utm_medium=rss&utm_campaign=lazarus-apt-threatneedle [secnews #2399558] Tags: APT 38, APT 28
TechRepublic - Security News US: North Korean hackers find another new target: The defense industry (2021-02-25T16:49:06+00:00). https://www.techrepublic.com/article/north-korean-hackers-find-another-new-target-the-defense-industry/#ftag=RSS56d97e7 [secnews #2399288] Tags: Medical; APT 38, APT 28
Kaspersky - Kaspersky Research blog: Lazarus targets defense industry with ThreatNeedle (2021-02-25T10:00:53+00:00). https://securelist.com/lazarus-threatneedle/100803/ [secnews #2397206] Tags: Malware; APT 38, APT 28
SecurityWeek - Security News: Vietnamese Hackers Target Human Rights Defenders: Amnesty (2021-02-24T12:46:50+00:00). http://feedproxy.google.com/~r/Securityweek/~3/vz_bQiZcJU8/vietnamese-hackers-target-human-rights-defenders-amnesty [secnews #2392196] Tags: APT 32
Bleeping Computer: APT32 state hackers target human rights defenders with spyware (2021-02-23T20:00:00+00:00). https://www.bleepingcomputer.com/news/security/apt32-state-hackers-target-human-rights-defenders-with-spyware/ [secnews #2390678] Tags: APT 32
Kaspersky Threatpost: Chinese Hackers Hijacked NSA-Linked Hacking Tool: Report (2021-02-22T21:07:03+00:00). https://threatpost.com/chinese-hackers-hijacked-nsa-hacking-tool/164155/ [secnews #2384417] Tags: Threat; APT 31
CVE Liste - Common Vulnerability Exposure: CVE-2021-27228 (2021-02-22T17:15:12+00:00). https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27228 [secnews #2384083] Tags: APT 32
SecurityWeek - Security News: Chinese Hackers Cloned Equation Group Exploit Years Before Shadow Brokers Leak. [...] Shadow Brokers' "Lost in Translation" leak, cybersecurity firm Check Point says in a new report. (2021-02-22T15:06:35+00:00). http://feedproxy.google.com/~r/Securityweek/~3/WdkRgZ0AUog/chinese-hackers-cloned-equation-group-exploit-years-shadow-brokers-leak [secnews #2382803] Tags: Vulnerability, Threat; APT 31
InfoSecurity Mag - InfoSecurity Magazine: Two More Lazarus Group Members Indicted for North Korean Attacks (2021-02-18T11:10:00+00:00). https://www.infosecurity-magazine.com:443/news/lazarus-group-indicted-north/ [secnews #2365436] Tags: Wannacry, APT 38, APT 28; 3.0
Security Affairs: US DoJ charges three members of the North Korea-linked Lazarus APT group (2021-02-17T22:25:42+00:00). https://securityaffairs.co/wordpress/114700/apt/nk-lazarus-apt-indictment.html?utm_source=rss&utm_medium=rss&utm_campaign=nk-lazarus-apt-indictment [secnews #2363331] Tags: Threat; APT 38, APT 28
Kaspersky Threatpost: U.S.
Accuses North Korean Hackers of Stealing Millions 2021-02-17T18:20:28+00:00 https://threatpost.com/us-accuses-north-korean-hackers/164039/ www.secnews.physaphae.fr/article.php?IdArticle=2362036 True Medical APT 38,APT 28 None ZD Net - Magazine Info US charges two more members of the \'Lazarus\' North Korean hacking group 2021-02-17T17:33:00+00:00 https://www.zdnet.com/article/us-charges-two-more-members-of-the-lazarus-north-korean-hacking-group/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=2362153 True Guideline APT 38 None ComputerWeekly - Computer Magazine North Korean Lazarus Group hackers indicted in US 2021-02-17T12:25:00+00:00 https://www.computerweekly.com/news/252496494/North-Korean-Lazarus-Group-hackers-indicted-in-US www.secnews.physaphae.fr/article.php?IdArticle=2362111 True None APT 38,APT 28 None TroyHunt - Blog Security Using whale songs to image beneath the ocean\'s floor 2021-02-11T19:00:02+00:00 https://arstechnica.com/?p=1741444 www.secnews.physaphae.fr/article.php?IdArticle=2332140 False None APT 32 None InfoSecurity Mag - InfoSecurity Magazine UN Links North Korea to $281m Crypto Exchange Heist 2021-02-11T11:00:00+00:00 https://www.infosecurity-magazine.com:443/news/un-links-north-korea-281m-crypto/ www.secnews.physaphae.fr/article.php?IdArticle=2329491 False Cloud APT 37 None