www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
2024-05-18T10:51:46+00:00 www.secnews.physaphae.fr

Anomali - Firm Blog
Anomali Cyber Watch: API Hammering Confuses Sandboxes, Pirate Panda Wrote in Nim, Magecart Obfuscates Variable Names, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Lockbit Ransomware Disguised as Copyright Claim E-mail Being Distributed (published: June 24, 2022)
ASEC researchers have released their analysis of a recent phishing campaign, active since February 2022. The campaign aims to infect users with Lockbit ransomware, using the pretense of a copyright claim as the phishing lure. The phishing email directs the recipient to open the attached zip file, which contains what appears to be a PDF of the infringed material. In reality, the PDF is a disguised NSIS executable which downloads and installs Lockbit. The ransomware is installed onto the desktop for persistence across desktop changes or reboots. Prior to data encryption, Lockbit deletes the volume shadow copies to prevent data recovery, in addition to terminating a variety of services and processes to avoid detection.
Analyst Comment: Never click on suspicious attachments or run any executables from suspicious emails. Copyright infringement emails are a common phishing lure. Such emails will be straightforward to rectify if legitimate. If a copyright email is attempting to coerce you into opening attachments, it should be treated with extreme caution.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562
Tags: malware:Phishing, malware:Lockbit, Lockbit, Copyright, Ransomware
There is More Than One Way To Sleep: Deep Dive into the Implementations of API Hammering by Various Malware Families (published: June 24, 2022)
Researchers at Palo Alto Networks have released their analysis of new BazarLoader and Zloader samples that utilize API Hammering as a technique to evade sandbox detection. API Hammering makes use of a large volume of Windows API calls to delay the execution of malicious activity, tricking sandboxes into thinking the malware is benign. Whilst BazarLoader has utilized the technique in the past, this new variant creates large loops of benign API calls using a new process. Encoded registry keys within the malware are used for the calls, and the large loop count is derived from the offset of the first null byte of the first file in the System32 directory. Zloader uses a different form of API Hammering to evade sandbox detection. Hardcoded within Zloader are four large functions, each containing many smaller functions. Each function makes an input/output (I/O) call to mimic the behavior of many legitimate processes.
Analyst Comment: Defense in depth is the best defense against sophisticated malware. The Anomali Platform can assist in detection of malware and Match anomalous activity from all telemetry sources to provide the complete picture of adversary activity within your network.
MITRE ATT&CK: [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497
Tags: malware:BazarLoad
2022-06-28T19:11:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-api-hammering-confuses-sandboxes-pirate-panda-wrote-in-nim-magecart-obfuscates-variable-names-and-more www.secnews.physaphae.fr/article.php?IdArticle=5436667 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat APT 23,APT 28 None

Security Affairs - Security Blog
Chinese Tropic Trooper APT spreads a hacking tool laced with a backdoor
China-linked APT group Tropic Trooper has been spotted using previously undocumented malware written in the Nim language. Check Point Research uncovered an activity cluster with ties to China-linked APT Tropic Trooper (aka Earth Centaur, KeyBoy, and Pirate Panda) which involved the use of a previously undescribed loader (dubbed “Nimbda”) written in the Nim language. The Tropic Trooper APT has been active at least […]
2022-06-23T18:40:55+00:00 https://securityaffairs.co/wordpress/132545/hacking/tropic-trooper-apt-new-campaign.html www.secnews.physaphae.fr/article.php?IdArticle=5345458 False Malware,Tool APT 23 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
Chinese Hackers Distributing SMS Bomber Tool with Malware Hidden Inside
2022-06-22T23:14:08+00:00 https://thehackernews.com/2022/06/chinese-hackers-distributing-sms-bomber.html www.secnews.physaphae.fr/article.php?IdArticle=5338508 False Malware,Tool,Threat APT 23 None

Bleeping Computer - American Magazine
Chinese hackers target script kiddies with info-stealer trojan
2022-06-22T14:28:14+00:00 https://www.bleepingcomputer.com/news/security/chinese-hackers-target-script-kiddies-with-info-stealer-trojan/ www.secnews.physaphae.fr/article.php?IdArticle=5329580 False None APT 23 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
Tropic Trooper Cyber Espionage Hackers Targeting Transportation Sector
2021-12-21T04:40:36+00:00 https://thehackernews.com/2021/12/tropic-trooper-cyber-espionage-hackers.html www.secnews.physaphae.fr/article.php?IdArticle=3839108 False None APT 23 None

SecurityWeek - Security News
Trend Micro Spots Chinese Hackers Targeting Transportation Sector
2021-12-17T19:43:13+00:00 https://www.securityweek.com/trend-micro-spots-chinese-hackers-targeting-transportation-sector www.secnews.physaphae.fr/article.php?IdArticle=3816074 False Threat APT 23 None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
'Tropic Trooper' Reemerges to Target Transportation Outfits
2021-12-16T19:16:06+00:00 https://threatpost.com/tropic-trooper-transportation/177106/ www.secnews.physaphae.fr/article.php?IdArticle=3809435 False None APT 23 None

Anomali - Firm Blog
Anomali Cyber Watch: GIGABYTE Hit By RansomEXX Ransomware, Seniors' Data Exposed, FatalRat Analysis, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Actively Exploited Bug Bypasses Authentication On Millions Of Routers (published: August 7, 2021)
The ongoing attacks were discovered by Juniper Threat Labs researchers and exploit the recently discovered vulnerability CVE-2021-20090. This is a critical path traversal vulnerability in the web interfaces of routers with Arcadyan firmware that could allow unauthenticated remote attackers to bypass authentication. The total number of devices exposed to attacks likely reaches millions of routers. Researchers identified attacks originating from China that deploy a variant of the Mirai botnet on vulnerable routers.
Analyst Comment: Attackers have continuous and automated routines to look out for publicly accessible vulnerable routers and exploit them as soon as the exploit is made public.
To reduce the attack surface, the router's management console should only be accessible from specific public IP addresses. Default passwords and other security policies should also be changed to make it more secure.
Tags: CVE-2021-20090, Mirai, China
Computer Hardware Giant GIGABYTE Hit By RansomEXX Ransomware (published: August 7, 2021)
The attack occurred late Tuesday night into Wednesday and forced the company to shut down its systems in Taiwan. The incident also affected multiple websites of the company, including its support site and portions of the Taiwanese website. Attackers have threatened to publish 112GB of stolen data, which they claim includes documents under NDA (Non-Disclosure Agreement) from companies including Intel, AMD and American Megatrends, unless a ransom is paid.
Analyst Comment: At this point there is no official confirmation from GIGABYTE about the attack. There is also no clarity yet on the potential vulnerabilities or attack vectors used to carry out this attack.
Tags: RansomEXX, Defray, Ransomware, Taiwan
Millions of Senior Citizens' Personal Data Exposed By Misconfiguration (published: August 6, 2021)
The researchers have discovered a misconfigured Amazon S3 bucket owned by the Senior Advisor website, which hosts ratings and reviews for senior care services across the US and Canada. The bucket contained more than one million files and 182 GB of data containing names, emails and phone numbers of senior citizens from North America. This exposed data was not encrypted and did not require a password or login credentials to access.
Analyst Comment: Senior citizens are at high risk of online fraud. Their personal information and context regarding appointments getting leaked can lead to targeted phishing scams.
Tags: Data Leak, Phishing, North America, AWS
2021-08-10T17:39:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-gigabyte-hit-by-ransomexx-ransomware-seniors-data-exposed-fatalrat-analysis-and-more www.secnews.physaphae.fr/article.php?IdArticle=3205930 False Malware,Vulnerability,Threat,Guideline APT 23,APT 27,APT 41,APT 41,APT 30 None

Security Affairs - Security Blog
Chinese APT Tropic Trooper target air-gapped military Networks in Asia
2020-05-15T20:54:30+00:00 https://securityaffairs.co/wordpress/103292/apt/tropic-trooper-air-gapped-networks.html?utm_source=rss&utm_medium=rss&utm_campaign=tropic-trooper-air-gapped-networks www.secnews.physaphae.fr/article.php?IdArticle=1711847 False Threat APT 23 None

AlienVault Blog - AlienVault is a major defense player in IOCs
Let's Chat: Healthcare Threats and Who's Attacking
breach portal (as of November 30, 2018). This includes the likes of unauthorized access or disclosures of patient data, hacking, theft of data, data loss and more. Bottom line, if you’re tasked with protecting any entity operating in the healthcare sector, you’re likely experiencing some very sleepless nights — and may just need a doctor yourself. So . . . who’s wreaking all this havoc and how? According to AlienVault Labs, opportunistic ransomware is still a preferred method of attack. However, researchers are reporting a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from healthcare providers and other similar entities who must protect and keep assets, systems, and networks continuously operating. One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million by manually compromising critical healthcare networks (see below for more info).
The group behind SamSam has invested heavily in their operations (likely an organized crime syndicate) and has won the distinction of being the subject of two FBI Alerts in 2018. And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware. SamSam attacks also seem to go in waves. One of the most notable was a spring 2018 hit on a large New York hospital which publicly declined to pay the attacker’s $44,000 ransomware demand. It took a month for the hospital’s IT system to be fully restored.
SamSam attackers are known to:
- Gain remote access through traditional attacks, such as JBoss exploits
- Deploy web-shells
- Connect to RDP over HTTP tunnels such as ReGeorg
- Run batch scripts to deploy the ransomware over machines
SamSam isn’t going away either. AlienVault Labs has seen recent variants. You might want to read more about the threat actors behind SamSam, their methods of attacks, and recommendations for heading
2018-12-20T14:00:00+00:00 https://feeds.feedblitz.com/~/588421296/0/alienvault-blogs~Let%e2%80%99s-Chat-Healthcare-Threats-and-Who%e2%80%99s-Attacking www.secnews.physaphae.fr/article.php?IdArticle=956718 False Threat APT 23,APT 19,APT 18,Wannacry,APT 22 None

AlienVault Blog - AlienVault is a major defense player in IOCs
AlienVault Monthly Product Roundup October / November 2018
AlienVault Product Forum. Let’s take a look at the highlights from our October and November releases:
Mac OS Support for the AlienVault Agent
In July, we announced the addition of endpoint detection and response (EDR) capabilities to USM Anywhere, enabled by the AlienVault Agent. The AlienVault Agent is an osquery-based endpoint agent that provides system-level security, including file integrity monitoring and host intrusion detection (HIDS).
Over the last few months, we’ve listened carefully to customer input to guide our continued improvement of the AlienVault Agent, leading us to improve filtering rules for better control over data consumption and make a number of additional enhancements. In November, we addressed a top customer request with the addition of Mac OS support for the AlienVault Agent. Now, USM Anywhere customers can use the AlienVault Agent for continuous threat detection and file integrity monitoring (FIM) on their Linux, Windows, and Mac hosts.
AlienVault Agent Queries as Response Actions
USM Anywhere accelerates incident response with the ability to orchestrate response actions directly from an alarm. With just a few clicks, you can take an immediate, one-time action or create a rule to make sure that action happens automatically going forward. (Check out examples of automated incident response in action in this blog post.) To enhance your ability to respond swiftly and efficiently to potential threats, we’ve added a new response action to trigger AlienVault Agent queries. Like our other response actions, you can find this option directly from the detail view of an alarm or as part of an orchestration rule.
Launch AlienVault Agent Queries from Agents Page
In addition to the response action listed above, you can now trigger AlienVault Agent queries from the Agents page by clicking the “Run Agent Query” button. You can run queries against a single asset or all assets that have the AlienVault Agent installed.
2018-12-17T14:00:00+00:00 https://feeds.feedblitz.com/~/587886980/0/alienvault-blogs~AlienVault-Monthly-Product-Roundup-October-November www.secnews.physaphae.fr/article.php?IdArticle=950699 False Threat,Guideline APT 23 None

SecurityWeek - Security News
KeyBoy Abuses Popular Office Exploits for Malware Delivery
2018-10-10T17:01:03+00:00 https://www.securityweek.com/keyboy-abuses-popular-office-exploits-malware-delivery www.secnews.physaphae.fr/article.php?IdArticle=841462 False Malware APT 23 None

AlienVault Blog - AlienVault is a major defense player in IOCs
Delivery (Key)Boy
first identified in 2013 targeting governments and NGOs in South East Asia. Their primary targeting continues to this day, though they have also been known to target more diverse victims such as the energy sector.
Malware Delivery through Open Source Exploit Kits
KeyBoy sent the following email to India's Ambassador to Ethiopia from an email address at nic[.]in, India's National Informatics Centre. The file f43f60b62002d0700ccbcbd9334520b6
The attached malicious document downloads and executes a script that installs the final payload: This script contains text (e.g. “”) which matches a pre-packed version of the popular CVE-2017-0199 exploit available on GitHub. We’ve seen other malicious documents where KeyBoy have tested another exploit generator. In that case KeyBoy didn’t change the default settings, so the document metadata provides some obvious hints that the document is malicious:
Delivered Malware
The next stage in these attacks is typically a malware family known as TSSL. This malware was originally identified by PwC and more recently described by Trend Micro and CitizenLab.
Most samples are built on the attackers' machine fr
2018-10-08T17:09:00+00:00 https://feeds.feedblitz.com/~/573602564/0/alienvault-blogs~Delivery-KeyBoy www.secnews.physaphae.fr/article.php?IdArticle=837210 False None APT 23 None

TrendLabs Security - Antivirus Vendor
Tropic Trooper's New Strategy
Tropic Trooper (also known as KeyBoy) levels its campaigns against Taiwanese, Philippine, and Hong Kong targets, focusing on their government, healthcare, transportation, and high-tech industries. Its operators are believed to be very organized and develop their own cyberespionage tools that they fine-tuned in their recent campaigns. Many of the tools they use now feature new behaviors, including a change in the way they maintain a foothold in the targeted network.
2018-03-14T14:01:00+00:00 http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Sf3wvdC2UHo/ www.secnews.physaphae.fr/article.php?IdArticle=513419 False None APT 23 None

TrendLabs Security - Antivirus Vendor
November's Patch Tuesday Includes Defense in Depth Update for Attacks Abusing Dynamic Data Exchange
Trendlabs Security Intelligence Blog - by Trend Micro
2017-11-15T10:00:45+00:00 http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/e9Cjxn9flqM/ www.secnews.physaphae.fr/article.php?IdArticle=433292 False None APT 23,APT 28 None

InformationSecurityBuzzNews - Security News Site
Keyboy Targeting US Companies
2017-11-08T23:15:06+00:00 http://www.informationsecuritybuzz.com/expert-comments/keyboy-targeting-us-companies/ www.secnews.physaphae.fr/article.php?IdArticle=430180 False None APT 23 None

Palo Alto Network - Vendor Site
Palo Alto Networks News of the Week – November 26, 2016
2016-11-26T12:00:30+00:00 http://feedproxy.google.com/~r/PaloAltoNetworks/~3/GTzrZa1BNUg/ www.secnews.physaphae.fr/article.php?IdArticle=260927 False None APT 23 None

SecurityWeek -
Security News
Cyberspies Target Taiwan Government, Energy Sector
2016-11-23T09:52:05+00:00 http://feedproxy.google.com/~r/Securityweek/~3/F0b0w1NCE8s/cyberspies-target-taiwan-government-energy-sector www.secnews.physaphae.fr/article.php?IdArticle=258935 False None APT 23 None

Palo Alto Network - Vendor Site
Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
2016-11-22T11:30:24+00:00 http://feedproxy.google.com/~r/PaloAltoNetworks/~3/Riiu7ZmaNEE/ www.secnews.physaphae.fr/article.php?IdArticle=258781 False None APT 23 None