www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
Generated 2024-05-13T08:50:52+00:00 | www.secnews.physaphae.fr

InfoSecurity Mag - InfoSecurity Magazine
French Employment Agency Data Breach Could Affect 43 Million People
France's employment agency suffered a massive breach, exposing the data of users who registered over the past 20 years.
Published 2024-03-14T15:00:00+00:00 | https://www.infosecurity-magazine.com/news/french-employment-agency-data/ | www.secnews.physaphae.fr/article.php?IdArticle=8463831 | Tags: Data Breach, APT 19

Schneier on Security - American cryptologist and researcher
Molly White Reviews Blockchain Book
Molly White—of “Web3 is Going Just Great” fame—reviews Chris Dixon’s blockchain solutions book, Read Write Own:
In fact, throughout the entire book, Dixon fails to identify a single blockchain project that has successfully provided a non-speculative service at any kind of scale. The closest he ever comes is when he speaks of how “for decades, technologists have dreamed of building a grassroots internet access provider”. He describes one project that “got further than anyone else”: Helium. He’s right, as long as you ignore the fact that Helium was providing LoRaWAN, not Internet, that by the time he was writing his book Helium hotspots had long since passed the phase where they might generate even enough tokens for their operators to merely break even, and that the network was pulling in somewhere around $1,150 in usage fees a month despite the company being valued at $1.2 billion. Oh, and that the company had widely lied to the public about its supposed big-name clients, and that its executives have been accused of hoarding the project’s token to enrich themselves. But hey, a16z sunk millions into Helium (a fact Dixon never mentions), so might as well try to drum up some new interest!...
Published 2024-02-13T12:07:03+00:00 | https://www.schneier.com/blog/archives/2024/02/molly-white-reviews-blockchain-book.html | www.secnews.physaphae.fr/article.php?IdArticle=8449566 | Tags: APT 17
Kovrr - cyber risk management platform
Investigating the Risk of Compromised Credentials and Internet-Exposed Assets
Explore the report revealing industries and company sizes with the highest rates of compromised credentials and internet-exposed assets.
Published 2023-11-28T00:00:00+00:00 | https://www.kovrr.com/reports/investigating-the-risk-of-compromised-credentials-and-internet-exposed-assets | www.secnews.physaphae.fr/article.php?IdArticle=8417472 | Tags: Ransomware, Threat, Studies, Prediction, Cloud, APT 17, APT 39

Silicon - French news site
Trusted cloud: Cigref's environmental vision
Published 2023-10-24T08:07:41+00:00 | https://www.silicon.fr/cloud-confiance-vision-environnementale-cigref-472634.html | www.secnews.physaphae.fr/article.php?IdArticle=8399611 | Tags: Cloud, APT 15

Silicon - French news site
IT careers – Scrum Master: role, training and salary
Published 2023-10-20T10:19:43+00:00 | https://www.silicon.fr/metiers-it-scrum-master-fonction-formation-et-salaire-472576.html | www.secnews.physaphae.fr/article.php?IdArticle=8398212 | Tags: APT 15

knowbe4 - cybersecurity services
Smishing Triad Threat Actor Sets Its Sights on the UAE
Resecurity warns that the Smishing Triad threat actor has “vastly expanded its attack footprint” in the United Arab Emirates (UAE).
Published 2023-10-10T20:05:50+00:00 | https://blog.knowbe4.com/smishing-triad-sets-its-sights-on-uae | www.secnews.physaphae.fr/article.php?IdArticle=8393944 | Tags: Threat, APT 15
Data Security Breach - French news site
An espionage group aligned with Chinese interests spoofing Signal and Telegram
Published 2023-09-01T13:43:32+00:00 | https://www.datasecuritybreach.fr/apt-gref/ | www.secnews.physaphae.fr/article.php?IdArticle=8377844 | Tags: Tool, APT 15

Global Security Mag - French news site
ESET discovers an espionage group aligned with Chinese interests spoofing the Signal and Telegram apps
Published 2023-08-31T09:18:59+00:00 | https://www.globalsecuritymag.fr/ESET-decouvre-un-groupe-d-espionnage-aligne-avec-les-interets-chinois-usurpant.html | www.secnews.physaphae.fr/article.php?IdArticle=8377106 | Tags: Malware, APT 15

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
China-Linked BadBazaar Android Spyware Targeting Signal and Telegram Users
Cybersecurity researchers have discovered malicious Android apps for Signal and Telegram distributed via the Google Play Store and Samsung Galaxy Store that are engineered to deliver the BadBazaar spyware on infected devices. Slovakian company ESET attributed the campaign to a China-linked actor called GREF. "Most likely active since July 2020 and since July 2022, respectively, the campaigns
Published 2023-08-30T19:13:00+00:00 | https://thehackernews.com/2023/08/china-linked-badbazaar-android-spyware.html | www.secnews.physaphae.fr/article.php?IdArticle=8376758 | Tags: APT 15

InfoSecurity Mag - InfoSecurity Magazine
Chinese APT Group GREF Use BadBazaar in Android Espionage
ESET said BadBazaar was available via the Google Play Store, Samsung Galaxy Store and various app sites.
Published 2023-08-30T16:00:00+00:00 | https://www.infosecurity-magazine.com/news/chinese-gref-target-badbazaar/ | www.secnews.physaphae.fr/article.php?IdArticle=8376774 | Tags: APT 15

Bleeping Computer - American magazine
Trojanized Signal and Telegram apps on Google Play delivered spyware
Trojanized Signal and Telegram apps containing the BadBazaar spyware were uploaded onto Google Play and Samsung Galaxy Store by a Chinese APT hacking group known as GREF. [...]
Published 2023-08-30T11:16:48+00:00 | https://www.bleepingcomputer.com/news/security/trojanized-signal-and-telegram-apps-on-google-play-delivered-spyware/ | www.secnews.physaphae.fr/article.php?IdArticle=8376772 | Tags: APT 15

We Live Security - ESET antivirus software publisher
BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps
ESET researchers have discovered active campaigns linked to the China-aligned APT group known as GREF, distributing espionage code that has previously targeted Uyghurs.
Published 2023-08-30T09:30:18+00:00 | https://www.welivesecurity.com/en/eset-research/badbazaar-espionage-tool-targets-android-users-trojanized-signal-telegram-apps/ | www.secnews.physaphae.fr/article.php?IdArticle=8382224 | Tags: Tool, APT 15

Bleeping Computer - American magazine
Hackers use VPN provider's code certificate to sign malware
The China-aligned APT (advanced persistent threat) group known as 'Bronze Starlight' was seen targeting the Southeast Asian gambling industry with malware signed using a valid certificate used by the Ivacy VPN provider. [...]
Published 2023-08-19T10:07:14+00:00 | https://www.bleepingcomputer.com/news/security/hackers-use-vpn-providers-code-certificate-to-sign-malware/ | www.secnews.physaphae.fr/article.php?IdArticle=8372468 | Tags: Malware, APT 10

AhnLab - Korean Security Firm
Threat Trend Report on APT Groups – June 2023
APT Group Trends – June 2023: 1) Andariel 2) APT28 3) Cadet Blizzard (DEV-0586) 4) Camaro Dragon 5) Charming Kitten (Mint Sandstorm) 6) Gamaredon (Shuckworm) 7) Ke3chang (APT15, Nickel) 8) Kimsuky 9) Lazarus 10) Muddy Water 11) Mustang Panda 12) OceanLotus 13) Patchwork (White Elephant) 14) Red Eyes (APT37) 15) Sharp Panda 16) SideCopy 17) Stealth Soldier. Report file: ATIP_2023_Jun_Threat Trend Report on APT Groups.
Published 2023-08-16T06:46:45+00:00 | https://asec.ahnlab.com/en/56195/ | www.secnews.physaphae.fr/article.php?IdArticle=8370575 | Tags: Threat, Prediction, APT 38, APT 35, APT 25, APT 32, APT 37, APT 15, APT 28
AlienVault Lab Blog - AlienVault is a major defensive player in IOCs
Code Mirage: How cyber criminals harness AI-hallucinated code for malicious machinations
AI hallucinations: Artificial intelligence (AI) hallucinations, as described [2], refer to confident responses generated by AI systems that lack justification based on their training data. Similar to human psychological hallucinations, AI hallucinations involve the AI system providing information or responses that are not supported by the available data. However, in the context of AI, hallucinations are associated with unjustified responses or beliefs rather than false percepts. This phenomenon gained attention around 2022 with the introduction of large language models like ChatGPT, where users observed instances of seemingly random but plausible-sounding falsehoods being generated. By 2023, it was acknowledged that frequent hallucinations in AI systems posed a significant challenge for the field of language models.
The exploitative process: Cybercriminals begin by deliberately publishing malicious packages under commonly hallucinated names produced by large language models (LLMs) such as ChatGPT within trusted repositories. These package names closely resemble legitimate and widely used libraries or utilities, such as the legitimate package ‘arangojs’ vs the hallucinated package ‘arangodb’, as shown in the research done by Vulcan [1].
The trap unfolds: When developers, unaware of the malicious intent, utilize AI-based tools or large language models (LLMs) to generate code snippets for their projects, they can inadvertently fall into a trap. The AI-generated code snippets can include imaginary unpublished libraries, enabling cybercriminals to publish packages under the imaginary package names that AI tools commonly generate. As a result, developers unknowingly import malicious packages into their projects, introducing vulnerabilities, backdoors, or other malicious functionalities that compromise the security and integrity of the software and possibly other projects.
Implications for developers: The exploitation of AI-generated hallucinated package names poses significant risks to developers and their projects. Here are some key implications: Trusting familiar package names: Developers commonly rely on package names they recognize to introduce code snippets into their projects. The presence of malicious packages under commonly hallucinated names makes it increasingly difficult to distinguish between legitimate and malicious options when relying on the trust placed in AI-generated code. Blind trust in AI-generated code: Many develo
Published 2023-08-02T10:00:00+00:00 | https://cybersecurity.att.com/blogs/security-essentials/code-mirage-how-cyber-criminals-harness-ai-hallucinated-code-for-malicious-machinations | www.secnews.physaphae.fr/article.php?IdArticle=8364676 | Tags: Tool, ChatGPT, APT 15

Silicon - French news site
Generative AI: Cigref's tips
Published 2023-07-19T16:09:41+00:00 | https://www.silicon.fr/ia-generative-cigref-470181.html | www.secnews.physaphae.fr/article.php?IdArticle=8358883 | Tags: APT 15

Kovrr - cyber risk management platform
The Ransomware Threat Landscape H1-23
This report provides a comprehensive analysis of all known ransomware attacks that were reported during the first two quarters of 2023.
Published 2023-07-13T00:00:00+00:00 | https://www.kovrr.com/reports/the-ransomware-threat-landscape-h123 | www.secnews.physaphae.fr/article.php?IdArticle=8393595 | Tags: Ransomware, Data Breach, Vulnerability, Threat, Cloud, APT 17

InfoSecurity Mag - InfoSecurity Magazine
Twitter User Exposes Nickelodeon Data Leak
Social media reports suggest an individual allegedly dumped approximately 500GB of animation files.
Published 2023-07-07T16:00:00+00:00 | https://www.infosecurity-magazine.com/news/twitter-user-exposes-nickelodeon/ | www.secnews.physaphae.fr/article.php?IdArticle=8353400 | Tags: APT 15

The Register - English journalism site
Nickelodeon probes claims of massive data leak as SpongeBob fans rejoice
TV network's attorneys 'on a DMCA rampage' ... are you sure you're ready, kids? Nickelodeon says it is probing claims that "decades old" material was stolen from it and leaked online. This follows reports on social media that someone had dumped 500GB of snatched animation files. Hilarity, and many SpongeBob SquarePants memes, ensued.…
Published 2023-07-06T22:45:12+00:00 | https://go.theregister.com/feed/www.theregister.com/2023/07/06/nickelodeon_confirms_data_leak/ | www.secnews.physaphae.fr/article.php?IdArticle=8353174 | Tags: APT 15

Recorded Future - Recorded Future feed
Nickelodeon says some of allegedly stolen data 'appears to be decades old'
Children's television giant Nickelodeon said it is investigating an alleged breach after hackers claimed to have stolen 500 GB of data. For days, cybersecurity experts have warned that hackers are sharing stolen documents from the network that included leaks from the Nickelodeon animation department. Some of the information allegedly dates back decades. [Screenshots of the
Published 2023-07-06T19:11:00+00:00 | https://therecord.media/nickelodeon-alleged-data-breach | www.secnews.physaphae.fr/article.php?IdArticle=8353124 | Tags: APT 15
Bleeping Computer - American magazine
Nickelodeon investigates breach after leak of 'decades old' data
Nickelodeon has confirmed that the data leaked from an alleged breach of the company is legitimate but it appears to be decades old. [...]
Published 2023-07-06T11:03:36+00:00 | https://www.bleepingcomputer.com/news/security/nickelodeon-investigates-breach-after-leak-of-decades-old-data/ | www.secnews.physaphae.fr/article.php?IdArticle=8352923 | Tags: APT 15

knowbe4 - cybersecurity services
CyberheistNews Vol 13 #26 [Eyes Open] The FTC Reveals the Latest Top Five Text Message Scams
CyberheistNews Vol 13 #26 | June 27th, 2023
[Eyes Open] The FTC Reveals the Latest Top Five Text Message Scams
The U.S. Federal Trade Commission (FTC) has published a data spotlight outlining the most common text message scams. Phony bank fraud prevention alerts were the most common type of text scam last year. "Reports about texts impersonating banks are up nearly tenfold since 2019 with median reported individual losses of $3,000 last year," the report says.
These are the top five text scams reported by the FTC:
- Copycat bank fraud prevention alerts
- Bogus "gifts" that can cost you
- Fake package delivery problems
- Phony job offers
- Not-really-from-Amazon security alerts
"People get a text supposedly from a bank asking them to call a number ASAP about suspicious activity or to reply YES or NO to verify whether a transaction was authorized. If they reply, they'll get a call from a phony 'fraud department' claiming they want to 'help get your money back.' What they really want to do is make unauthorized transfers. "What's more, they may ask for personal information like Social Security numbers, setting people up for possible identity theft."
Fake gift card offers took second place, followed by phony package delivery problems. "Scammers understand how our shopping habits have changed and have updated their sleazy tactics accordingly," the FTC says. "People may get a text pretending to be from the U.S. Postal Service, FedEx, or UPS claiming there's a problem with a delivery. "The text links to a convincing-looking – but utterly bogus – website that asks for a credit card number to cover a small 'redelivery fee.'"
Scammers also target job seekers with bogus job offers in an attempt to steal their money and personal information. "With workplaces in transition, some scammers are using texts to perpetrate old-school forms of fraud – for example, fake 'mystery shopper' jobs or bogus money-making offers for driving around with cars wrapped in ads," the report says. "Other texts target people who post their resumes on employment websites. They claim to offer jobs and even send job seekers checks, usually with instructions to send some of the money to a different address for materials, training, or the like. By the time the check bounces, the person's money – and the phony 'employer' – are long gone."
Finally, scammers impersonate Amazon and send fake security alerts to trick victims into sending money. "People may get what looks like a message from 'Amazon,' asking to verify a big-ticket order they didn't place," the FTC says. "Concerned
Published 2023-06-27T13:00:00+00:00 | https://blog.knowbe4.com/cyberheistnews-vol-13-26-eyes-open-the-ftc-reveals-the-latest-top-five-text-message-scams | www.secnews.physaphae.fr/article.php?IdArticle=8349704 | Tags: Ransomware, Spam, Malware, Hack, Tool, Threat, ChatGPT, APT 15, APT 28, FedEx

SlashNext - Cyber Firm
CISOs Increasingly Concerned About Mobile Threats
With a new warning from Verizon about the rise of smishing, spam text messages and text scams, and the FBI reporting $10.3 billion in internet fraud last year, CISOs are increasingly concerned about mobile threats targeting employees and the impact on their organization. In a recent survey […]
Published 2023-06-23T21:30:46+00:00 | https://slashnext.com/blog/cisos-increasingly-concerned-about-mobile-threats/ | www.secnews.physaphae.fr/article.php?IdArticle=8386745 | Tags: Spam, APT 15
Dark Reading - Informationweek Branch
20-Year-Old Chinese APT15 Finds New Life in Foreign Ministry Attacks
The notorious APT15 used common malware tools and a third-generation custom "Graphican" backdoor to continue its information gathering exploits, this time against foreign ministries.
Published 2023-06-21T21:35:00+00:00 | https://www.darkreading.com/vulnerabilities-threats/20-year-old-chinese-apt15-new-life-foreign-ministry-attacks | www.secnews.physaphae.fr/article.php?IdArticle=8347850 | Tags: Malware, APT 15

Dark Reading - Informationweek Branch
Emerging Ransomware Group 8Base Doxxes SMBs Globally
A threat you've never heard of is using double extortion attacks on mom-and-pop shops around the globe.
Published 2023-06-21T18:00:00+00:00 | https://www.darkreading.com/vulnerabilities-threats/emerging-ransomware-8base-doxxes-smbs-globally | www.secnews.physaphae.fr/article.php?IdArticle=8347782 | Tags: Ransomware, Threat, APT 17

Recorded Future - Recorded Future feed
Experienced China-based hacking group has new backdoor tool, researchers say
The Chinese cyber-espionage group known as Nickel or APT15 used a previously unseen backdoor to attack ministries of foreign affairs in Central and South America, researchers reported Wednesday. In the campaign that ran from late 2022 into early 2023, hackers targeted a government finance department and an unnamed corporation as well as the foreign affairs
Published 2023-06-21T17:13:00+00:00 | https://therecord.media/apt15-nickel-graphican-backdoor | www.secnews.physaphae.fr/article.php?IdArticle=8347784 | Tags: APT 15
Bleeping Computer - Magazine Américain Les pirates chinois APT15 refont surface avec de nouveaux logiciels malveillants graphiques<br>Chinese APT15 hackers resurface with new Graphican malware The Chinese state-sponsored hacking group tracked as APT15 has been observed using a novel backdoor named \'Graphican\' in a new campaign between late 2022 and early 2023. [...]]]> 2023-06-21T06:00:00+00:00 https://www.bleepingcomputer.com/news/security/chinese-apt15-hackers-resurface-with-new-graphican-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8347642 False Malware APT 15,APT 15 3.0000000000000000 Silicon - Site de News Francais Quelques clés d\'analyse de la performance des DSI 2023-06-20T08:37:46+00:00 https://www.silicon.fr/cigref-performance-dsi-468130.html www.secnews.physaphae.fr/article.php?IdArticle=8347228 False None APT 15 3.0000000000000000 AlienVault Lab Blog - AlienVault est un acteur de defense majeur dans les IOC Rat Seroxen à vendre<br>SeroXen RAT for sale github page to provide user support or employee monitoring. It has been historically associated with malicious activity performed by threat actors, APT groups (like in this Mandiant report from 2017), or government attacks (in this report by Unit42 in 2017). It was first released in July 2014 as “xRAT” and renamed to “Quasar” in August 2015. Since then, there have been released updates to the code until v1.4.1 in March 2023, which is the most current version. As an open-source RAT tool with updates 9 years after its creation, it is no surprise that it continues to be a common tool used by itself or combined with other payloads by threat actors up to this day. In a review of the most recent samples, a new Quasar variant was observed by Alien Labs in the wild: SeroXen. This new RAT is a modified branch of the open-source version, adding some modifications features to the original RAT. They’re selling it for monthly or lifetime fee. 
Figure 1 contains some of the features advertised on their website. SeroXen features Figure 1. SeroXen features announced on its website. This new RAT first showed up on a Twitter account, established in September 2022. The person advertising the RAT appeared to be an English-speaking teenager. The same Twitter handle published a review of the RAT on YouTube. The video approached the review from an attacking/Red Team point of view, encouraging people to buy the tool because it is worth the money. They were claiming to be a reseller of the tool. In December 2022, a specific domain was registered to market/sell the tool, seroxen[.]com. The RAT was distributed via a monthly license for $30 USD or a lifetime license of $60 USD. It was around that time that the malware was first observed in the wild, appearing with 0 detections on VirusTotal. After a few months, on the 1st of February, the YouTuber CyberSec Zaado published a video alerting the community about the capabilities of the RAT from a defensive perspective. In late February, the RAT was advertised on social media platforms such as TikTok, Twitter, YouTube, and several cracking forums, including hackforums. There were some conversations on gaming forums complaining about being infected by malware after downloading some video games. The artifacts described by the users matched with SeroXen RAT. The threat actor updated the domain name to seroxen[.]net by the end of March. 
This domain name was registered on March 27th]]> 2023-05-30T22:00:00+00:00 https://cybersecurity.att.com/blogs/labs-research/seroxen-rat-for-sale www.secnews.physaphae.fr/article.php?IdArticle=8340743 False Malware,Tool,Threat APT 10,Uber 2.0000000000000000 Silicon - Site de News Francais RSE et projets IT : le Cigref pousse un outil de scoring 2023-05-29T09:42:08+00:00 https://www.silicon.fr/cigref-scoring-rse-projets-it-466305.html www.secnews.physaphae.fr/article.php?IdArticle=8340178 False None APT 15 3.0000000000000000 DDoSecrets - Blog Sécu: Distributed Email of Secrets Release: Harita Group (510 GB) Emails from the Indonesian conglomerate involved in nickel, coal, and bauxite mining, ferronickel smelters, alumina refineries, logging, and palm oil plantations.]]> 2023-05-17T07:28:14+00:00 https://ddosecrets.substack.com/p/release-harita-group-510-gb www.secnews.physaphae.fr/article.php?IdArticle=8337280 False None APT 15 2.0000000000000000 GoogleSec - Firm Security Blog Faire l'authentification plus rapidement que jamais: Passkeys vs mots de passe<br>Making authentication faster than ever: passkeys vs. passwords Google announced its next step toward a passwordless future: passkeys. Passkeys are a new, passwordless authentication method that offer a convenient authentication experience for sites and apps, using just a fingerprint, face scan or other screen lock. They are designed to enhance online security for users. Because they are based on the public key cryptographic protocols that underpin security keys, they are resistant to phishing and other online attacks, making them more secure than SMS, app based one-time passwords and other forms of multi-factor authentication (MFA). And since passkeys are standardized, a single implementation enables a passwordless experience across browsers and operating systems. Passkeys can be used in two different ways: on the same device or from a different device. 
For example, if you need to sign in to a website on an Android device and you have a passkey stored on that same device, then using it only involves unlocking the phone. On the other hand, if you need to sign in to that website on the Chrome browser on your computer, you simply scan a QR code to connect the phone and computer to use the passkey.The technology behind the former (“same device passkey”) is not new: it was originally developed within the FIDO Alliance and first implemented by Google in August 2019 in select flows. Google and other FIDO members have been working together on enhancing the underlying technology of passkeys over the last few years to improve their usability and convenience. This technology behind passkeys allows users to log in to their account using any form of device-based user verification, such as biometrics or a PIN code. A credential is only registered once on a user\'s personal device, and then the device proves possession of the registered credential to the remote server by asking the user to use their device\'s screen lock. The user\'s biometric, or other screen lock data, is never sent to Google\'s servers - it stays securely stored on the device, and only cryptographic proof that the user has correctly provided it is sent to Google. Passkeys are also created and stored on your devices and are not sent to websites or apps. 
If you create a passkey on one device the Google Password Manager can make it available on your other devices that are signed into the same system account.Learn more on how passkey works under the hoo]]> 2023-05-05T12:00:43+00:00 http://security.googleblog.com/2023/05/making-authentication-faster-than-ever.html www.secnews.physaphae.fr/article.php?IdArticle=8333804 False None APT 38,APT 10,APT 15,Guam 2.0000000000000000 RedCanary - Red Canary Microsoft reconnaît Katie Nickels pour son impact sur la communauté de la sécurité<br>Microsoft recognizes Katie Nickels for her impact on the security community Microsoft has awarded Red Canary\'s Director of Intelligence Operations its Security Changemaker award at its 2023 Security Excellence Awards.]]> 2023-04-26T16:11:23+00:00 https://redcanary.com/blog/katie-nickels-microsoft-security-award/ www.secnews.physaphae.fr/article.php?IdArticle=8331282 False None APT 15 2.0000000000000000 Recorded Future - FLux Recorded Future Une attaque de ransomwares qui a forcé un comté de New York à retour à la plume et au papier a commencé en 2021, dit officiel<br>Ransomware attack that forced a New York county back to pen and paper began in 2021, official says Le comté de Suffolk de New York a conclu une enquête sur une attaque de ransomware déstabilisatrice qui a forcé les travailleurs du gouvernement à s'appuyer sur des télécopies et des archives papier, découvrant des déficiences marquantes dans les pratiques de cybersécurité du greffier du comté.Steven Bellone du comté de Suffolk [a tenu une conférence de presse] (https://www.facebook.com/stevebellone/videos/550329996987344/) mercredi pour dévoiler les résultats de l'enquête médico-légale sur le septembre
New York's Suffolk County has concluded an investigation into a destabilizing ransomware attack that forced government workers to rely on fax machines and paper records, discovering stark deficiencies in the county clerk's cybersecurity practices. Suffolk County Executive Steven Bellone [held a press conference](https://www.facebook.com/SteveBellone/videos/550329996987344/) Wednesday to unveil the findings of the forensic investigation into the September
2023-04-12T23:37:00+00:00 https://therecord.media/suffolk-county-new-york-ransomware-investigation www.secnews.physaphae.fr/article.php?IdArticle=8327274 False Ransomware APT 15 2.0000000000000000
Silicon - Site de News Francais Cyber crisis management: the Cigref approach in 7 figures 2023-02-22T16:34:23+00:00 https://www.silicon.fr/gestion-crise-cyber-approche-cigref-7-chiffres-458946.html www.secnews.physaphae.fr/article.php?IdArticle=8312524 False None APT 15 3.0000000000000000 Silicon - Site de News Francais IT careers: "technology needs women" 2023-02-20T16:33:54+00:00 https://www.silicon.fr/metiers-it-technologie-femmes-458752.html www.secnews.physaphae.fr/article.php?IdArticle=8311921 False None APT 15 2.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine EU Cybersecurity Agency Warns Against Chinese APTs 2023-02-17T17:00:00+00:00 https://www.infosecurity-magazine.com/news/eu-warns-chinese-apts/ www.secnews.physaphae.fr/article.php?IdArticle=8311285 False None APT 25,APT 31,APT 15,APT 27,APT 30 2.0000000000000000 Global Security Mag - Site de news francais Fortinet expands its services and training offering to help SOC teams better anticipate and thwart cyber threats (Training from private and public institutes) 2023-02-17T08:29:11+00:00 https://www.globalsecuritymag.fr/Fortinet-enrichit-son-offre-de-services-et-de-formations-pour-aider-les-equipes.html www.secnews.physaphae.fr/article.php?IdArticle=8311183 False None APT 15 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-41620 2023-02-08T14:15:09+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41620 www.secnews.physaphae.fr/article.php?IdArticle=8308289 False Vulnerability APT 19 None Anomali - Firm Blog Anomali Cyber Watch: Roaming Mantis Changes DNS on Wi-Fi Routers, Hook Android Banking Trojan Has Device Take-Over Capabilities, Ke3chang Targeted Iran with Updated Turian Backdoor Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence Roaming Mantis Implements New DNS Changer in Its Malicious Mobile App in 2022 (published: January 19, 2023) In December 2022, a financially-motivated group dubbed Roaming Mantis (Shaoye) continued targeting mobile users with malicious landing pages. iOS users were redirected to phishing pages, while Android users were provided with malicious APK files detected as XLoader (Wroba, Moqhao). Japan, Austria, France, and Germany were the most targeted for XLoader downloads (in that order). All but one targeted country had smishing as an initial vector. In South Korea, Roaming Mantis implemented a new DNS changer function. XLoader-infected Android devices were targeting specific Wi-Fi routers used mostly in South Korea. The malware would compromise routers with default credentials and change the DNS settings to serve malicious landing pages from legitimate domains. Analyst Comment: The XLoader DNS changer function is especially dangerous in the context of free/public Wi-Fi that serve many devices. Install anti-virus software for your mobile device. Users should be cautious when receiving messages with a link or unwarranted prompts to install software. MITRE ATT&CK: [MITRE ATT&CK] T1078.001 - Valid Accounts: Default Accounts | [MITRE ATT&CK] T1584 - Compromise Infrastructure Tags: actor:Roaming Mantis, actor:Shaoye, file-type:APK, detection:Wroba, detection:Moqhao, detection:XLoader, malware-type:Trojan-Dropper, DNS changer, Wi-Fi routers, ipTIME, EFM Networks, Title router, DNS hijacking, Malicious app, Smishing, South Korea, target-country:KR, Japan, target-country:JP, Austria, target-country:AT, France, target-country:FR, Germany, target-country:DE, VK, Mobile, Android Hook: a New Ermac Fork with RAT Capabilities (published: January 19, 2023) ThreatFabric researchers analyzed a new Android banking trojan named Hook. It is a rebranded development of the Ermac malware that was based on the Android banker Cerberus. 
Hook added new capabilities in targeting banking and cryptocurrency-related applications. The malware also added the capabilities of a remote access trojan and spyware. Its device take-over capabilities include being able to remotely view and interact with the screen of the infected device, manipulate files on the device's file system, simulate clicks, fill text boxes, and perform gestures. Hook can start the social messaging application WhatsApp, extract all the messages present, and send new ones. Analyst Comment: Users should take their mobile device security seriously whether they use it for social messaging or actually provide access to their banking accounts and/or cryptocurrency holdings. Similar to its predecessors, Hook will likely be used by many threat actors (malware-as-a-service model). This means the need to protect from a wide range of attacks: smishing, prompts to install malicious apps, excessive 2023-01-24T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-roaming-mantis-changes-dns-on-wi-fi-routers-hook-android-banking-trojan-has-device-take-over-capabilities-ke3chang-targeted-iran-with-updated-turian-backdoor www.secnews.physaphae.fr/article.php?IdArticle=8303740 False Malware,Tool,Threat,Guideline APT 25,APT 15 3.0000000000000000 SkullSecurity - Blog Sécu Blast from the Past: How Attackers Compromised Zimbra With a Patched Vulnerability CVE-2022-41352 - my AttackerKB analysis for Rapid7) that turned out to be a new(-ish) exploit path for a really old bug in cpio - CVE-2015-1194. But that was patched in 2019, so what happened? (I posted this as a tweet-thread awhile back, but I decided to flesh it out and make it into a full blog post!) cpio is an archive tool commonly used for system-level stuff (firmware images and such). It can also extract other formats, like .tar, which we'll use since it's more familiar.
cpio has a flag (--no-absolute-filenames), off by default, that purports to prevent writing files outside of the target directory. That's handy when, for example, extracting untrusted files with Amavis (like Zimbra does). The problem is, symbolic links can point to absolute paths, and therefore, even with --no-absolute-filenames, there was no safe way to extract an untrusted archive (outside of using a chroot environment or something similar, which they really ought to do). Much later, in 2019, the cpio team released cpio version 2.13, which includes a patch for CVE-2015-1194, with unit tests and everything. Some (not all) modern OSes include the patched version of cpio, which should be the end of the story, but it's not! I'm currently writing this on Fedora 35, so let's try exploiting it. We can confirm that the version of cpio installed with the OS is, indeed, the fixed version:
ron@fedora ~ $ cpio --version
cpio (GNU cpio) 2.13
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Phil Nelson, David MacKenzie, John Oleynick, and Sergey Poznyakoff.
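The post's point is that a symlink member followed by a file member written "through" the link defeats any check that looks at each member's name on its own. As an added example (written for this page, not code from the SkullSecurity post or from cpio), the Python below builds that archive layout in memory and shows a containment check that tracks the symlinks seen so far and resolves later members against them before deciding whether they stay inside the extraction directory. The destination path and member names are constructed for the illustration.

```python
"""Added example for this page, not code from the SkullSecurity post or cpio.
Builds the post's archive layout in memory (symlink 'demo' -> /tmp, then
'demo/imafile') and checks where each member would really land before
extracting. Destination paths and member names are constructed."""
import io
import os
import tarfile
import tempfile


def build_tar(entries) -> bytes:
    """Constructed archive. entries: (name, "sym", target) or (name, "file", data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "sym":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# The post's demo.tar: a link to an absolute path, then a file written through it.
SYMLINK_ESCAPE = [("demo", "sym", "/tmp"), ("demo/imafile", "file", b"hello\n")]


def _inside(path: str, root: str) -> bool:
    return path == root or path.startswith(root.rstrip(os.sep) + os.sep)


def unsafe_members(archive: bytes, dest: str) -> list:
    """Names of members that would end up outside `dest`.

    Members are checked in archive order and every symlink is remembered, so a
    later path that passes through an earlier link is resolved to the link's
    target before the containment test. Checking each name in isolation (no
    leading '/', no '..') is exactly the gap the post describes: 'demo/imafile'
    looks harmless on its own.
    """
    dest = os.path.realpath(dest)
    links = {}  # member path -> absolute path it resolves to once extracted
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar:
            name = os.path.normpath(m.name)
            full = os.path.normpath(os.path.join(dest, name))
            for lname, ltarget in links.items():
                if name == lname or name.startswith(lname + "/"):
                    full = os.path.normpath(os.path.join(ltarget, name[len(lname):].lstrip("/")))
                    break
            if not _inside(full, dest):
                bad.append(m.name)
                continue
            if m.issym():
                target = m.linkname if os.path.isabs(m.linkname) \
                    else os.path.join(os.path.dirname(full), m.linkname)
                links[name] = os.path.normpath(target)
                if not _inside(links[name], dest):
                    bad.append(m.name)
    return bad


def safe_extract(archive: bytes, dest: str) -> None:
    """Refuse the whole archive if any member escapes; otherwise extract it."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError("refusing to extract, members escape %s: %s" % (dest, bad))
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        tar.extractall(dest)


def extract_to_tempdir(archive: bytes) -> list:
    """Extract into a fresh temporary directory and list the regular files written."""
    dest = tempfile.mkdtemp()
    safe_extract(archive, dest)
    found = []
    for root, _dirs, files in os.walk(dest):
        for n in files:
            found.append(os.path.relpath(os.path.join(root, n), dest))
    return sorted(found)
```

On the post's archive, `unsafe_members(build_tar(SYMLINK_ESCAPE), "/srv/extract")` reports both `demo` (its target is outside) and `demo/imafile` (it resolves to `/tmp/imafile`), and `safe_extract` refuses the whole archive rather than extracting "just the good members", since a partially applied archive is still attacker-shaped. Python 3.12 added `tarfile.extractall(..., filter="data")`, which rejects such members itself; the check above shows what that filter has to reason about, and is the kind of check an extraction path like the one the post describes needs when it cannot run inside a chroot.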
That means that we shouldn't be able to use symlinks to write outside of the target directory, so let's create a .tar file that includes a symlink and a file written through that symlink (this is largely copied from this mailing list post):
ron@fedora ~ $ mkdir cpiotest
ron@fedora ~ $ cd cpiotest
ron@fedora ~/cpiotest $ ln -s /tmp/ ./demo
ron@fedora ~/cpiotest $ echo 'hello' > demo/imafile
ron@fedora ~/cpiotest $ tar -cvf demo.tar demo demo/imafile
demo
demo/imafile
ron@fedora ~/cpiotest $
2023-01-23T20:14:17+00:00 https://www.skullsecurity.org/2023/blast-from-the-past--how-attackers-compromised-zimbra-with-a-patched-vulnerability www.secnews.physaphae.fr/article.php?IdArticle=8303535 False Tool,Vulnerability APT 17 4.0000000000000000 CSO - CSO Daily Dashboard Chinese hackers targeted Iranian government entities for months: Report Palo Alto Networks report. The Chinese threat actor also known as APT15, KeChang, NICKEL, BackdoorDiplomacy, and Vixen Panda, was observed attempting to connect government domains to malware infrastructure previously associated with the APT group, according to the report. “Playful Taurus continues to evolve their tactics and their tooling. Recent upgrades to the Turian backdoor and new C2 infrastructure suggest that these actors continue to see success during their cyber espionage campaigns,” Palo Alto Networks said in a blog.
2023-01-19T04:27:00+00:00 https://www.csoonline.com/article/3686088/chinese-hackers-targeted-iranian-government-entities-for-months-report.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=8302529 False Malware,Threat APT 25,APT 15 3.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Chinese APT Group Vixen Panda Targets Iranian Government Entities 2023-01-18T18:00:00+00:00 https://www.infosecurity-magazine.com/news/chinese-apt-group-vixen-panda/ www.secnews.physaphae.fr/article.php?IdArticle=8302416 False None APT 25,APT 15 3.0000000000000000 Silicon - Site de News Francais Low-code: Enedis, Pierre Fabre and STIME share their experience 2023-01-09T10:58:20+00:00 https://www.silicon.fr/low-code-enedis-pierre-fabre-stime-temoignent-455846.html www.secnews.physaphae.fr/article.php?IdArticle=8299144 False None APT 15 2.0000000000000000 Silicon - Site de News Francais Low-code: Cigref raises the question of costs 2023-01-09T09:34:59+00:00 https://www.silicon.fr/low-code-cigref-question-couts-455839.html www.secnews.physaphae.fr/article.php?IdArticle=8299130 False None APT 15 2.0000000000000000 Korben - Bloger francais How to remove a watermark from a photo?
2023-01-01T08:00:00+00:00 https://korben.info/enlever-watermark-photo.html www.secnews.physaphae.fr/article.php?IdArticle=8296926 False None APT 19 3.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-4584 2022-12-17T13:15:09+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4584 www.secnews.physaphae.fr/article.php?IdArticle=8292381 False Vulnerability,Guideline APT 17 None InfoSecurity Mag - InfoSecurity Magazine Cobalt Mirage Affiliate Uses GitHub to Relay Drokbk Malware Instructions 2022-12-09T16:00:00+00:00 https://www.infosecurity-magazine.com/news/iranian-hacker-uses-github-to/ www.secnews.physaphae.fr/article.php?IdArticle=8289582 False Malware APT 15 3.0000000000000000 Global Security Mag - Site de news francais An Iran-backed group uses GitHub to relay malware instructions (Malware) 2022-12-09T11:17:25+00:00 https://www.globalsecuritymag.fr/Un-groupe-soutenu-par-l-Iran-utilise-Github-pour-relayer-les-instructions-de.html www.secnews.physaphae.fr/article.php?IdArticle=8289522 False Malware APT 15 2.0000000000000000 SecureWork - SecureWork: incident response Drokbk Malware Uses GitHub as Dead Drop Resolver 2022-12-09T04:00:00+00:00 https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver www.secnews.physaphae.fr/article.php?IdArticle=8289504 False Malware,Threat APT 15 2.0000000000000000 Silicon - Site de News Francais Machine learning: a bit of TensorFlow in Google Sheets 2022-12-08T15:27:58+00:00 https://www.silicon.fr/machine-learning-tensorflow-google-sheets-454628.html www.secnews.physaphae.fr/article.php?IdArticle=8289147 False None APT 15 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-46770 2022-12-07T20:15:11+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46770 www.secnews.physaphae.fr/article.php?IdArticle=8288886 False None APT 15 None Silicon - Site de News Francais CSR: what positioning for CIOs?
2022-11-29T08:46:30+00:00 https://www.silicon.fr/rse-positionnement-dsi-453513.html www.secnews.physaphae.fr/article.php?IdArticle=8277891 False General Information APT 15 3.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-3974 2022-11-13T10:15:10+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3974 www.secnews.physaphae.fr/article.php?IdArticle=8042470 False Vulnerability,Guideline APT 17 None Silicon - Site de News Francais Energy crisis: Cigref's proposals for digital departments 2022-11-07T08:46:21+00:00 https://www.silicon.fr/crise-energetique-pistes-cigref-directions-numeriques-451957.html www.secnews.physaphae.fr/article.php?IdArticle=7879100 False None APT 15 None CVE Liste - Common Vulnerability Exposure CVE-2022-3809 2022-11-02T13:15:16+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3809 www.secnews.physaphae.fr/article.php?IdArticle=7783701 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3810 2022-11-02T13:15:16+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3810 www.secnews.physaphae.fr/article.php?IdArticle=7783702 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3813 2022-11-01T22:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3813 www.secnews.physaphae.fr/article.php?IdArticle=7772559 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3817 2022-11-01T22:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3817 www.secnews.physaphae.fr/article.php?IdArticle=7772564 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3815 2022-11-01T22:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3815 www.secnews.physaphae.fr/article.php?IdArticle=7772562 False Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3812
2022-11-01T22:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3812 www.secnews.physaphae.fr/article.php?IdArticle=7772558 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3814 2022-11-01T22:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3814 www.secnews.physaphae.fr/article.php?IdArticle=7772560 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3816 2022-11-01T22:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3816 www.secnews.physaphae.fr/article.php?IdArticle=7772563 False Guideline APT 17 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Chinese Hackers Using New Stealthy Infection Chain to Deploy LODEINFO Malware 2022-11-01T20:45:00+00:00 https://thehackernews.com/2022/11/chinese-hackers-using-new-stealthy.html www.secnews.physaphae.fr/article.php?IdArticle=7766451 False Malware,Threat APT 10 None CVE Liste - Common Vulnerability Exposure CVE-2022-3807 2022-11-01T20:15:22+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3807 www.secnews.physaphae.fr/article.php?IdArticle=7770916 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3784 2022-10-31T21:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3784 www.secnews.physaphae.fr/article.php?IdArticle=7758363 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3785 2022-10-31T21:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3785 www.secnews.physaphae.fr/article.php?IdArticle=7758364 False Vulnerability,Guideline APT 17 None Bleeping Computer - Magazine Américain Hacking group abuses antivirus software to launch LODEINFO malware 2022-10-31T11:34:52+00:00 https://www.bleepingcomputer.com/news/security/hacking-group-abuses-antivirus-software-to-launch-lodeinfo-malware/ 
www.secnews.physaphae.fr/article.php?IdArticle=7755377 False Malware APT 10 None Kaspersky - Kaspersky Research blog APT10: Tracking down LODEINFO 2022, part II 2022-10-31T08:00:54+00:00 https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/ www.secnews.physaphae.fr/article.php?IdArticle=7751558 False None APT 10 None Kaspersky - Kaspersky Research blog APT10: Tracking down LODEINFO 2022, part I 2022-10-31T08:00:52+00:00 https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/ www.secnews.physaphae.fr/article.php?IdArticle=7751559 False None APT 10 None CVE Liste - Common Vulnerability Exposure CVE-2022-3670 2022-10-26T19:15:27+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3670 www.secnews.physaphae.fr/article.php?IdArticle=7691534 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3669 2022-10-26T19:15:26+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3669 www.secnews.physaphae.fr/article.php?IdArticle=7691533 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3668 2022-10-26T19:15:25+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3668 www.secnews.physaphae.fr/article.php?IdArticle=7691532 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3667 2022-10-26T19:15:24+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3667 www.secnews.physaphae.fr/article.php?IdArticle=7691531 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3666 2022-10-26T19:15:23+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3666 www.secnews.physaphae.fr/article.php?IdArticle=7691530 False Guideline APT 17 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-3665 2022-10-26T19:15:22+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3665 
www.secnews.physaphae.fr/article.php?IdArticle=7691529 False Vulnerability,Guideline APT 17 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-3664 2022-10-26T19:15:21+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3664 www.secnews.physaphae.fr/article.php?IdArticle=7691528 False Vulnerability,Guideline APT 17 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-3663 2022-10-26T19:15:19+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3663 www.secnews.physaphae.fr/article.php?IdArticle=7691527 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3662 2022-10-26T19:15:17+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3662 www.secnews.physaphae.fr/article.php?IdArticle=7691526 False Vulnerability,Guideline APT 17 None Silicon - Site de News Francais From low-code to the metaverse: Cigref's projections 2022-10-18T15:36:10+00:00 https://www.silicon.fr/low-code-metavers-projections-cigref-450377.html www.secnews.physaphae.fr/article.php?IdArticle=7542509 False None APT 15 None Security Affairs - Blog Secu China-linked APT41 group targets Hong Kong with Spyder Loader China-linked threat actors APT41 (a.k.a. Winnti) targeted organizations in Hong Kong, in some cases remaining undetected for a year. Symantec researchers reported that cyberespionage group APT41 targeted organizations in Hong Kong in a campaign that is a likely continuation of the Operation CuckooBees activity detailed by Cybereason in May. Winnti (aka APT41, Axiom, Barium, Blackfly) is a cyberespionage […] 2022-10-18T14:15:09+00:00 https://securityaffairs.co/wordpress/137300/apt/apt41-spyder-loader.html www.secnews.physaphae.fr/article.php?IdArticle=7541666 False Threat,Guideline APT 17,APT 41 None CISCO Talos - Cisco Research blog The benefits of taking an intent-based approach to detecting Business Email Compromise By Abhishek Singh. BEC is a multi-stage attack.
Adversaries first identify targets, then they establish rapport with the victim before exploiting them for whatever their end goal is. In the case of BEC, a threat actor can impersonate any employee in the organization to trick targets.
A policy that checks for authorized email addresses of the sender can prevent BEC attacks. However, scaling the approach for every employee in a large organization is a challenge.
Building an executive profile based on email analysis using a machine learning model and scanning emails against that profile will detect BEC. Data collection for building and training machine learning algorithms can take time, though, opening a window of opportunity for threat actors to exploit.
Detection of exploitation techniques such as lookalike domains and any differences between the email addresses in the "From" and "Reply-To" fields can also detect BEC messages. However, the final verdict cannot account for the threat actor's intent.
The intent-based approach detects BEC and then classifies it into the type of scam. It catches BEC messages, irrespective of whether a threat actor is impersonating a C-level executive or any employee in an organization. Classification based on the type of scam can help identify which segment of an organization was targeted and which employees were being impersonated by the threat actor. The additional information will further assist in better designing preventive features to stop BEC.
Business email compromise (BEC) is one of the most financially damaging online crimes. As per the FBI's 2021 Internet Crime Report, the total loss in 2021 due to BEC is around 2.4 billion dollars. Since 2013, BEC has resulted in 43 billion dollars in losses. The report defines BEC as a scam targeting businesses (not individuals) working with foreign suppliers and companies regularly performing wire transfer payments. Fraudsters carry out these sophisticated scams to conduct the unauthorized transfer of funds.
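The "detection of exploitation techniques" approach described above is small enough to show in full. As an added example (written for this page, not Cisco Talos code), the Python below screens message headers for the three signals the post names: a sender domain that merely looks like the organization's, a Reply-To that routes answers somewhere other than the From domain, and an executive's display name on an address that is not that executive's. The trusted domain, the executive directory and the two sample messages are constructed; the confusable-character table is illustrative, not exhaustive.

```python
"""Added example for this page (not Cisco Talos code): a header-level BEC screen
for lookalike sender domains, From/Reply-To mismatches and executive display-name
impersonation. Domains, names and messages below are constructed."""
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"acme-corp.example"}                     # assumed
EXECUTIVES = {"jane doe": "jane.doe@acme-corp.example"}     # assumed directory

# Character swaps attackers rely on when registering lookalike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def skeleton(domain: str) -> str:
    """Collapse visually similar sequences so 'acrne' and 'acme' compare equal."""
    s = domain.lower()
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for near-miss registrations (dropped hyphen, swapped TLD)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Trusted domain this one imitates, or None (an exact match is not a lookalike)."""
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted:
            return None
        if skeleton(domain) == skeleton(trusted) or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze(raw_message: str) -> list:
    """Return a list of findings for one RFC 5322 message; empty means no signal."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    findings = []

    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append("lookalike domain: %s imitates %s" % (from_dom, imitated))

    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to %s differs from From domain %s" % (reply_addr, from_dom))

    exec_addr = EXECUTIVES.get(from_name.strip().lower())
    if exec_addr and from_addr.lower() != exec_addr:
        findings.append("display name '%s' used from %s" % (from_name, from_addr))
    return findings


# Constructed sample messages.
LEGIT = """From: Jane Doe <jane.doe@acme-corp.example>
To: payments@acme-corp.example
Subject: Q3 numbers

Attached as discussed.
"""

SPOOFED = """From: Jane Doe <jane.doe@acrne-corp.example>
Reply-To: jane.doe.ceo@webmail.example
To: payments@acme-corp.example
Subject: Urgent wire today

I need a transfer done before noon. Reply here, I am in meetings.
"""
```

`analyze(LEGIT)` returns no findings; `analyze(SPOOFED)` returns all three. As the post says, none of these signals establishes intent: a supplier that genuinely changed its Reply-To, or an executive mailing from a personal address, trips the same checks, which is why the post moves on to classifying what the message is asking for.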
This introduces the challenge of how to detect and block these campaigns as they continue to compromise organizations successfully. There are a variety of approaches to identifying BEC email messages, such as using policy to allow emails from authorized email addresses, detecting exploitation techniques used by threat actors, building profiles by analysis of emails, and validating against the profile to detect BEC. These approaches have a variety of limitations or shortcomings. Cisco Talos is taking a different approach and using an intent-based model to identify and block BEC messages. Before we get too deep into the intent-based model, let's take a closer look at the commonly used approaches to block BEC, from the simplistic through machine learning (ML) approaches. Policy-based detection The first place to start is with policy-based detection as it is one of the most common and simplistic approaches to blocking BEC campaigns. Let's start by looking at an example of a BEC email. 2022-10-18T08:41:18+00:00 http://blog.talosintelligence.com/2022/10/the-benefits-of-taking-intent-based.html www.secnews.physaphae.fr/article.php?IdArticle=7540074 False Threat,Medical,Cloud APT 38,APT 19,APT 29,APT 10,APT 37,Uber,APT 15,Yahoo None Security Affairs - Blog Secu Linux Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group Researchers link recently discovered Linux ransomware Cheerscrypt to the China-linked cyberespionage group DEV-0401.
Researchers at cybersecurity firm Sygnia attributed the recently discovered Linux ransomware Cheerscrypt to the China-linked cyber espionage group Bronze Starlight (aka DEV-0401, APT10). Bronze Starlight has been active since mid-2021; in June, researchers from Secureworks reported that the APT group is deploying […] 2022-10-04T07:05:05+00:00 https://securityaffairs.co/wordpress/136611/malware/apt10-cheerscrypt-ransomware.html www.secnews.physaphae.fr/article.php?IdArticle=7293585 False Ransomware APT 10 None Anomali - Firm Blog Anomali Cyber Watch: Uber and GTA 6 Were Breached, RedLine Bundle File Advertises Itself on YouTube, Supply-Chain Attack via eCommerce Fishpig Extensions, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Hacker Pwns Uber Via Compromised VPN Account (published: September 16, 2022) On September 15, 2022, ride-sharing giant Uber started an incident response after discovering a data breach. According to Group-IB researchers, download file name artifacts point to the attacker getting access to fresh keylogger logs affecting two Uber employees from Indonesia and Brazil that had been infected with Raccoon and Vidar stealers. The attacker allegedly used compromised VPN account credentials and performed a multifactor authentication fatigue attack by requesting the MFA push notification many times and then making a social-engineering call to the affected employee. Once inside, the attacker allegedly found valid credentials for privilege escalation: a PowerShell script containing hardcoded credentials for a Thycotic privileged access management admin account. On September 18, 2022, Rockstar Games' Grand Theft Auto 6 suffered a confirmed data leak, likely caused by the same attacker.
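The push-bombing step described above leaves a distinctive trace in the identity provider's logs: many MFA prompts for one account in a few minutes, mostly denied or timed out, sometimes followed by an approval. As an added example (written for this page, not Group-IB's or Anomali's code), the Python below implements the sliding-window alert that pattern calls for, run over constructed log lines. The log format, user names, source addresses and thresholds are assumptions; a real deployment would read the provider's own MFA event schema.

```python
"""Added example for this page, not Group-IB's or Anomali's code: a detector for
MFA push-bombing (MFA fatigue) run over constructed log lines. The line format,
users, addresses and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log shape: one line per push prompt sent to a user's device.
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse(line: str):
    """Return a dict for a well-formed push event, or None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "result": m["result"],
        "src": m["src"],
    }


def detect_mfa_fatigue(lines, threshold: int = 5, window_s: int = 300) -> dict:
    """Return {user: alert} for users that received at least `threshold` push
    prompts inside any `window_s`-second window. The alert records how many
    prompts landed in the window, the sources that triggered them, and whether
    one was eventually approved, which is the moment the attacker wins."""
    recent = defaultdict(deque)  # user -> timestamps of prompts still in the window
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerts:
            alerts[ev["user"]] = {
                "first_seen": q[0],
                "pushes": len(q),
                "approved_after_flood": False,
                "sources": set(),
            }
        if ev["user"] in alerts:
            alert = alerts[ev["user"]]
            alert["pushes"] = max(alert["pushes"], len(q))
            alert["sources"].add(ev["src"])
            if ev["result"] == "approved":
                alert["approved_after_flood"] = True
    return alerts


# Constructed sample: alice is bombed from one address for three and a half
# minutes and finally taps approve; bob gets two normal prompts 45 minutes apart.
SAMPLE_LOG = [
    "2022-09-15T02:10:00Z user=alice event=mfa_push result=denied src=203.0.113.7",
    "2022-09-15T02:10:35Z user=alice event=mfa_push result=denied src=203.0.113.7",
    "2022-09-15T02:11:10Z user=alice event=mfa_push result=timeout src=203.0.113.7",
    "2022-09-15T02:11:45Z user=alice event=mfa_push result=denied src=203.0.113.7",
    "2022-09-15T02:12:20Z user=alice event=mfa_push result=denied src=203.0.113.7",
    "2022-09-15T02:12:55Z user=alice event=mfa_push result=denied src=203.0.113.7",
    "2022-09-15T02:13:30Z user=alice event=mfa_push result=approved src=203.0.113.7",
    "2022-09-15T09:00:02Z user=bob event=mfa_push result=approved src=198.51.100.20",
    "2022-09-15T09:45:19Z user=bob event=mfa_push result=approved src=198.51.100.20",
    "not a log line",
]
```

`detect_mfa_fatigue(SAMPLE_LOG)` flags only alice, with seven prompts in the window and `approved_after_flood` set; bob's two prompts never reach the threshold. The approval-after-flood flag is the one to page on: a flood of denials means the user is holding the line, a flood followed by an approval means the account should be treated as compromised and the session revoked.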
Analyst Comment: Network defenders can consider setting up alerts for signs of an MFA fatigue attack such as a large number of MFA requests in a relatively short period of time. Review your source code for embedded credentials, especially those with administrative privileges. MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Credentials from Password Stores - T1555 Tags: MFA fatigue, Social engineering, Data breach, Uber, GTA 6, GTA VI, detection:Racoon, detection:Vidar, malware-type:Keylogger, malware-type:Stealer Self-Spreading Stealer Attacks Gamers via YouTube (published: September 15, 2022) Kaspersky researchers discovered a new campaign spreading the RedLine commodity stealer. This campaign utilizes a malicious bundle: a single self-extracting archive. The bundle delivers RedLine and additional malware, which enables spreading the malicious archive by publishing promotional videos on the victim's YouTube channel. These videos target gamers with promises of “cheats” and “cracks.” Analyst Comment: Kids and other online gamers should be reminded to avoid illegal software. It might be better to use different machines for your gaming and banking activities.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Resource Hijacking - T1496 Tags: detection:RedLine, malware-type:Stealer, Bundle, Self-spreading, Telegraph, YouTube 2022-09-20T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-uber-and-gta-6-were-breached-redline-bundle-file-advertises-itself-on-youtube-supply-chain-attack-via-ecommerce-fishpig-extensions-and-more www.secnews.physaphae.fr/article.php?IdArticle=7016803 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline Uber,Uber,APT 15,APT 41 None Global Security Mag - Site de news francais €250,000 fine against INFOGREFFE (GDPR) 2022-09-13T09:53:05+00:00 http://www.globalsecuritymag.fr/Sanction-de-250-000-euros-a-l,20220913,129744.html www.secnews.physaphae.fr/article.php?IdArticle=6867504 False None APT 15 None Silicon - Site de News Francais How Cigref sees IT professions evolving 2022-09-06T13:39:03+00:00 https://www.silicon.fr/cigref-evoluer-metiers-si-446406.html www.secnews.physaphae.fr/article.php?IdArticle=6750215 False None APT 15 None CISCO Talos - Cisco Research blog Ukraine and the fragility of agriculture security By Joe Marshall. The war in Ukraine has had far-reaching global implications and one of the most immediate effects felt will be on the global supply chain for food. This war-induced fragility has exposed the weaknesses of how we feed ourselves globally. Ransomware cartels and other adversaries are well aware of this and are actively exploiting that fragility. For the past six years, Cisco Talos has been actively involved in assisting public and private institutions in Ukraine to defend themselves against state-sponsored actors. Our involvement stretches the gamut from commercial to critical infrastructure, to election security. Our presence has afforded us unique opportunities and observations about cybersecurity in a macro and micro way.
Ukraine has been a frequent victim of state-sponsored cyber attacks aimed at critical infrastructures like power and transportation. Talos is proud to stand with our partners in Ukraine and help defend their critical networks and help users there maintain access to necessary services. Now that Russia has invaded Ukraine, those threats have escalated to kinetic attacks that are wreaking havoc on a critical element of our world: agriculture and our global food supply chain. Even worse are the implications this war will have for future cyber attacks, as fragility is considered a lucrative element in deciding victimology by threat actors like ransomware cartels. To truly grasp the implications of the war in Ukraine, we have to examine how vital Ukrainian agriculture is to feeding the world, the current state of affairs, and what this means for the global cybersecurity posture to protect agricultural assets.
Where there is weakness, there is opportunity
Ransomware cartels and their affiliates are actively targeting the agricultural industry. Moreover, these actors have done their homework and are targeting agricultural companies during the two times of the year when they cannot suffer disruptions: planting and harvesting. Per the published FBI PIN Alert: “Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production.” This is far from unusual for these adversaries - they are shrewd and calculating, and understand their victims' weaknesses and industries.
H 2022-08-18T08:00:00+00:00 http://blog.talosintelligence.com/2022/08/ukraine-and-fragility-of-agriculture.html www.secnews.physaphae.fr/article.php?IdArticle=6392803 False Ransomware,Threat,Guideline,Cloud APT 10,APT 32,APT 37,APT 21,NotPetya,Uber,Guam,APT 28 None NoticeBored - Experienced IT Security professional CISO workshop slides A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady eye this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact, given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142): 2022-08-06T10:46:21+00:00 http://blog.noticebored.com/2022/08/a-glossy-nicely-constructed-and.html www.secnews.physaphae.fr/article.php?IdArticle=6150878 False Malware,Vulnerability,Threat,Patching,Guideline,Medical,Cloud APT 38,APT 19,APT 10,APT 37,Uber,APT 15,Guam,APT 28,APT 34 None 01net. Actualites - Securite - Magazine Francais Meta has removed from Facebook and Instagram hundreds of Russian trolls paid to manipulate opinion Hundreds of trolls based in Saint Petersburg were mass-producing pro-Russian comments on social networks. But in the end, the operation was mediocre and not very effective.
2022-08-05T11:34:14+00:00 https://www.01net.com/actualites/meta-a-chasse-des-centaines-de-trolls-russes-aux-pieds-nickeles.html www.secnews.physaphae.fr/article.php?IdArticle=6141252 False None APT 15 None CISCO Talos - Cisco Research blog Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns By Edmund Brumaghin, Azim Khodjibaev and Matt Thaxton, with contributions from Arnaud Zobec.
Executive Summary
Dark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries. It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems. Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention. Since its initial release, we've observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining.
What is "Dark Utilities?"
In early 2022, a new C2 platform called "Dark Utilities" was established, offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The operators of the service also established Discord and Telegram communities where they provide technical support and assistance for customers on the platform. Dark Utilities provides payloads consisting of code that is executed on victim systems, allowing them to be registered with the service and establish a command and control (C2) communications channel. The platform currently supports Windows, Linux and Python-based payloads, allowing adversaries to target multiple architectures without requiring significant development resources.
During our analysis, we observed efforts underway to expand OS and system architecture support as the platform continues to see ongoing develo]]> 2022-08-04T08:00:13+00:00 http://blog.talosintelligence.com/2022/08/dark-utilities.html www.secnews.physaphae.fr/article.php?IdArticle=6123175 False Spam,Malware,Hack,Tool,Threat,Guideline APT 19 None CISCO Talos - Cisco Research blog Manjusaka: A Chinese sibling of Sliver and Cobalt Strike By Asheer Malhotra and Vitor Ventura.Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework.The implants for the new malware family are written in the Rust language for Windows and Linux.A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints.We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.IntroductionCisco Talos has discovered a relatively new attack framework called "Manjusaka" (which can be translated to "cow flower" from the Simplified Chinese writing) by their authors, being used in the wild.As defenders, it is important to keep track of offensive frameworks such as Cobalt Strike and Sliver so that enterprises can effectively defend against attacks employing these tools. 
Although we haven't observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world. This disclosure from Talos intends to provide early notification of the usage of Manjusaka. We also detail the framework's capabilities and the campaign that led to the discovery of this attack framework in the wild.The research started with a malicious Microsoft Word document (maldoc) that contained a Cobalt Strike (CS) beacon. The lure on this document mentioned a COVID-19 outbreak in Golmud City, one of the largest cities in the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. During the investigation, Cisco Talos found no direct link between the campaign and the framework developers, aside from the usage of the framework (which is freely available on GitHub). However, we could not find any data that could support victimology definition. This is justifiable considering there's a low number of victims, indicating the early stages of the campaign, further supported by the maldoc metadata that indicates it was created in the second half of June 2022.While investigating the maldoc infection chain, we found an implant used to instrument Manjusaka infections, contacting the same IP address as the CS beacon. This implant is written in the Rust programming language and we found samples for Windows and Linux operating systems. The Windows implant included test samples, which had non-internet-routable IP addresses as command and control (C2). Talos also discovered the Manjusaka C2 executable - a fully functional C2 ELF binary written in GoLang with a User Interface in Simplified Chinese - on GitHub. While analyzing the C2, we generated implants by specifying our configurations. 
The developer advertises it has an advers]]> 2022-08-02T08:00:14+00:00 http://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html www.secnews.physaphae.fr/article.php?IdArticle=6089620 False Malware,Threat,Guideline APT 19 None CISCO Talos - Cisco Research blog Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products By Francesco Benvenuto. Recently, I was performing some research on a wireless router and noticed the following piece of code: ]]> 2022-07-27T12:22:17+00:00 http://blog.talosintelligence.com/2022/07/vulnerability-spotlight-how-code-re-use.html www.secnews.physaphae.fr/article.php?IdArticle=5973224 False Vulnerability,Guideline,Medical APT 38,APT 19 None Dark Reading - Informationweek Branch Lax Security Fuels Massive 8220 Gang Botnet Army Surge 2022-07-20T19:46:17+00:00 https://www.darkreading.com/application-security/lax-security-fuels-cloud-botnet-army-surge www.secnews.physaphae.fr/article.php?IdArticle=5837722 False Threat APT 17 None SANS Institute - SANS est un acteur de defense et formation Using Referers to Detect Phishing Attacks, (Wed, Jul 13th) 2022-07-13T11:27:07+00:00 https://isc.sans.edu/diary/rss/28836 www.secnews.physaphae.fr/article.php?IdArticle=5691329 False None APT 19 None NoticeBored - Experienced IT Security professional Complexity, simplified Online Safety Bill. 
It is written in extreme legalese, peppered with strange terms defined in excruciating detail, and littered with internal and external cross-references, hardly any of which are hyperlinked e.g.]]> 2022-07-10T13:41:08+00:00 http://blog.noticebored.com/2022/07/complexity-simplified.html www.secnews.physaphae.fr/article.php?IdArticle=5638390 False Guideline APT 10 None Silicon - Site de News Francais Cloud : comment protéger l\'Europe de lois à portée extraterritoriale 2022-06-28T11:03:27+00:00 https://www.silicon.fr/cloud-proteger-europe-loi-extraterritoriale-442355.html www.secnews.physaphae.fr/article.php?IdArticle=5486504 False None APT 15 None Silicon - Site de News Francais Rachat de VMware par Broadcom : le Cigref alerte 2022-06-27T15:01:06+00:00 https://www.silicon.fr/rachat-vmware-broadcom-cigref-alerte-442283.html www.secnews.physaphae.fr/article.php?IdArticle=5486507 False None APT 15 None Security Affairs - Blog Secu China-linked APT Bronze Starlight deploys ransomware as a smokescreen China-linked APT Bronze Starlight is deploying post-intrusion ransomware families as a diversionary action to its cyber espionage operations. Researchers from Secureworks reported that a China-linked APT group, tracked as Bronze Starlight (APT10), is deploying post-intrusion ransomware families to cover up the cyber espionage operations. The experts observed an activity cluster involving post-intrusion ransomware such as […] ]]> 2022-06-26T13:40:00+00:00 https://securityaffairs.co/wordpress/132624/apt/bronze-starlight-deploy-ransomware.html www.secnews.physaphae.fr/article.php?IdArticle=5401371 False Ransomware APT 10 None NoticeBored - Experienced IT Security professional The sadly neglected Risk Treatment Plan  For some curious reason, the Statement of Applicability steals the limelight in the ISO27k world, despite being little more than a formality. 
Having recently blogged about the dreaded SoA, 'nuff said on that.Today I'm picking up on the SoA's shy little brother, the Risk Treatment Plan. There's a lot to say and think about here, so coffee-up, settle-down, sit forward and zone-in.ISO/IEC 27001 barely even acknowledges the RTP. Here are the first two mentions, tucked discreetly under clause 6.1.3:]]> 2022-06-24T13:40:08+00:00 http://blog.noticebored.com/2022/06/the-sadly-neglected-risk-treatment-plan.html www.secnews.physaphae.fr/article.php?IdArticle=5350915 False Threat,Guideline APT 19,APT 10 4.0000000000000000 Anomali - Firm Blog Anomali Cyber Watch: TURLA\'s New Phishing-Based Reconnaissance Campaign in Eastern Europe, Unknown APT Group Has Targeted Russia Repeatedly Since Ukraine Invasion and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Credit Card Stealer Targets PsiGate Payment Gateway Software (published: May 25, 2022) Sucuri Researchers have detailed their findings on a MageCart skimmer that had been discovered within the Magento payment portal. Embedded within the core_config_data table of Magento’s database, the skimmer was obfuscated and encoded with CharCode. Once deobfuscated, a JavaScript credit card stealer was revealed. The stealer is able to acquire text and fields that are submitted to the payment page, including credit card numbers and expiry dates. Once stolen, a synchronous AJAX is used to exfiltrate the data. Analyst Comment: Harden endpoint security and utilize firewalls to block suspicious activity to help mitigate against skimmer injection. Monitor network traffic to identify anomalous behavior that may indicate C2 activity. 
MITRE ATT&CK: [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Input Capture - T1056 Tags: MageCart, skimmer, JavaScript Magento, PsiGate, AJAX How the Saitama Backdoor uses DNS Tunneling (published: May 25, 2022) MalwareBytes Researchers have released their report detailing the process behind which the Saitama backdoor utilizes DNS tunneling to stealthy communicate with command and control (C2) infrastructure. DNS tunneling is an effective way to hide C2 communication as DNS traffic serves a vital function in modern day internet communications thus blocking DNS traffic is almost never done. Saitama formats its DNS lookups with the structure of a domain consisting of message, counter . root domain. Data is encoded utilizing a hardcoded base36 alphabet. There are four types of messages that Saitama can send using this method: Make Contact to establish communication with a C2 domain, Ask For Command to get the expected size of the payload to be delivered, Get A Command in which Saitama will make Receive requests to retrieve payloads and instructions and finally Run The Command in which Saitama runs the instructions or executes the payload and sends the results to the established C2. Analyst Comment: Implement an effective DNS filtering system to block malicious queries. Furthermore, maintaining a whitelist of allowed applications for installation will assist in preventing malware like Saitama from being installed. MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 Tags: C2, DNS, Saitama, backdoor, base36, DNS tunneling ]]> 2022-06-01T17:47:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-turlas-new-phishing-based-reconnaissance-campaign-in-eastern-europe-unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion-and-more www.secnews.physaphae.fr/article.php?IdArticle=4921519 False Ransomware,Malware,Tool,Threat APT 19 None