www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. It's a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2024-05-18T16:57:23+00:00 www.secnews.physaphae.fr

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders The Iranian state-sponsored threat actor known as OilRig deployed three different downloader malware throughout 2022 to maintain persistent access to victim organizations located in Israel. The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader 2023-12-14T18:00:00+00:00 https://thehackernews.com/2023/12/iranian-state-sponsored-oilrig-group.html www.secnews.physaphae.fr/article.php?IdArticle=8422615 False Malware,Threat APT 34 2.0000000000000000

Recorded Future - Recorded Future feed Iran-linked hackers develop new malware downloaders to infect victims in Israel A cyber-espionage group linked to the Iranian government developed several new malware downloaders over the past two years and has recently been using them to target organizations in Israel. Researchers at the Slovakia-based company ESET attributed the newly discovered downloaders to the Iranian advanced persistent threat group OilRig, also known as APT34. Previous reports said 2023-12-14T16:30:00+00:00 https://therecord.media/oilrig-apt34-iran-linked-hackers-new-downloaders-israel www.secnews.physaphae.fr/article.php?IdArticle=8422737 False Malware,Threat APT 34 2.0000000000000000
We Live Security - ESET antivirus software vendor OilRig's persistent attacks using cloud service-powered downloaders ESET researchers document a series of new OilRig downloaders, all relying on legitimate cloud service providers for C&C communications 2023-12-14T10:30:00+00:00 https://www.welivesecurity.com/en/eset-research/oilrig-persistent-attacks-cloud-service-powered-downloaders/ www.secnews.physaphae.fr/article.php?IdArticle=8422763 False Cloud APT 34 2.0000000000000000

Dark Reading - Informationweek Branch 'Scarred Manticore' Unleashes the Most Advanced Iranian Cyber Espionage Yet The government-backed APT's new malware framework represents a step up in Iran's cyber sophistication. 2023-11-02T14:46:00+00:00 https://www.darkreading.com/dr-global/-scarred-manticore-unleashes-most-advanced-iranian-espionage www.secnews.physaphae.fr/article.php?IdArticle=8404734 False Malware APT 34 3.0000000000000000

HackRead - Cyber search Iran's Scarred Manticore Targets Middle East with LIONTAIL Malware By Deeba Ahmed Researchers believe that the primary goal behind this campaign is espionage. This is a post from HackRead.com Read the original post: Iran's Scarred Manticore Targets Middle East with LIONTAIL Malware 2023-11-01T08:20:47+00:00 https://www.hackread.com/iran-scarred-manticore-middle-east-liontail-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8403968 False Malware APT 34,APT 34 3.0000000000000000
RiskIQ - cyber risk firms (now Microsoft) From Albania to the Middle East: The Scarred Manticore is Listening #### Description Check Point Research (CPR) is monitoring an ongoing Iranian espionage campaign by Scarred Manticore, an actor affiliated with the Ministry of Intelligence and Security (MOIS). The attacks rely on LIONTAIL, an advanced passive malware framework installed on Windows servers. For stealth purposes, LIONTAIL implants utilize direct calls to the Windows HTTP stack driver HTTP.sys to load memory-resident payloads. The current campaign peaked in mid-2023, going under the radar for at least a year. The campaign targets high-profile organizations in the Middle East with a focus on government, military, and telecommunications sectors, in addition to IT service providers, financial organizations and NGOs. Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers. These include a variety of custom web shells, custom DLL backdoors, and driver-based implants. While the main motivation behind Scarred Manticore's operation is espionage, some of the tools described in this report have been associated with the MOIS-sponsored destructive attack against Albanian government infrastructure (referred to as DEV-0861). #### Reference URL(s) 1. https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/ #### Publication Date October 31, 2023 #### Author(s) Check Point Research 2023-10-31T19:45:32+00:00 https://community.riskiq.com/article/b37061cc www.secnews.physaphae.fr/article.php?IdArticle=8403717 False Malware,Tool APT 34,APT 34 2.0000000000000000

Recorded Future - Recorded Future feed Iranian hackers caught spying on governments and military in Middle East An Iranian nation-state threat actor is targeting high-profile organizations in the Middle East in an ongoing espionage campaign, according to a new report. Tracked as Scarred Manticore, the group primarily targets government, military, and telecom sectors in Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel. In recent years, Scarred Manticore has 2023-10-31T19:30:00+00:00 https://therecord.media/iranian-hackers-spy-on-governments-military-middle-east www.secnews.physaphae.fr/article.php?IdArticle=8403704 False Threat APT 34 2.0000000000000000
InfoSecurity Mag - InfoSecurity Magazine Scarred Manticore Targets Middle East With Advanced Malware Discovered by Check Point Research (CPR) and Sygnia, the campaign peaked in mid-2023 2023-10-31T16:30:00+00:00 https://www.infosecurity-magazine.com/news/scarred-manticore-targets-middle/ www.secnews.physaphae.fr/article.php?IdArticle=8403582 False Malware APT 34 3.0000000000000000

Checkpoint - Security hardware manufacturer Unraveling the Scarred Manticore Saga: A Riveting Epic of High-Stakes Espionage Unfolding in the Heart of the Middle East Highlights: 1. Silent Intruders: Scarred Manticore, an Iranian cyber threat group linked to MOIS (Ministry of Intelligence & Security), is quietly running a stealthy, sophisticated spying operation in the Middle East. Using their latest malware tools framework, LIONTAIL, they have been flying under the radar for over a year. 2. Targeted Sectors: The campaign focuses on big players: government, military, telecom, IT, finance, and NGOs in the Middle East. Scarred Manticore is all about systematically nabbing data, showing their commitment to high-value targets. 3. Evolution of Tactics: Scarred Manticore's playbook has evolved from basic web shell attacks on Windows Servers to […] 2023-10-31T10:56:45+00:00 https://blog.checkpoint.com/security/unraveling-the-scarred-manticore-saga-a-riveting-epic-of-high-stakes-espionage-unfolding-in-the-heart-of-the-middle-east/ www.secnews.physaphae.fr/article.php?IdArticle=8403439 False Malware,Tool,Threat APT 34 2.0000000000000000
Checkpoint Research - Security hardware manufacturer From Albania to the Middle East: The Scarred Manticore is Listening Key Findings Introduction Check Point Research, in collaboration with Sygnia's Incident Response Team, has been tracking and responding to the activities of Scarred Manticore, an Iranian nation-state threat actor that primarily targets government and telecommunication sectors in the Middle East. Scarred Manticore, linked to the prolific Iranian actor OilRig (a.k.a. APT34, EUROPIUM, Hazel Sandstorm), has persistently pursued […] 2023-10-31T10:56:34+00:00 https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/ www.secnews.physaphae.fr/article.php?IdArticle=8403445 False Threat APT 34,APT 34 3.0000000000000000
Netskope - Netskope is an American software company providing an IT security platform Netskope Threat Coverage: Menorah Summary In October 2023, Netskope analyzed a malicious Word document and the malware it contained, dubbed "Menorah." The malware was attributed to the advanced persistent threat group APT34, and was reported to be distributed via spear-phishing. The malicious Office file uses dispersed and obfuscated VBA code to evade detection. The advanced persistent threat group targets […] 2023-10-25T19:00:00+00:00 https://www.netskope.com/blog/netskope-threat-coverage-menorah www.secnews.physaphae.fr/article.php?IdArticle=8400546 False Malware,Threat APT 34 2.0000000000000000
SecurityWeek - Security News Iranian Hackers Lurked for 8 Months in Government Network Iran-linked hacking group Crambus spent eight months inside a compromised network of a Middle Eastern government, Broadcom's Symantec cybersecurity unit reports. 2023-10-20T12:29:53+00:00 https://www.securityweek.com/iranian-hackers-lurked-for-8-months-in-government-network/ www.secnews.physaphae.fr/article.php?IdArticle=8398261 False None APT 34 2.0000000000000000
Recorded Future - Recorded Future feed Iran-backed hackers dwelled for 8 months in Mideast government's system, report says Hackers connected to Iran's government spent eight months inside the systems of an unspecified Middle East government, stealing files and emails, according to researchers. Cybersecurity firm Symantec attributed the campaign to a group it calls Crambus but others refer to as APT34, OilRig or MuddyWater. The intrusion lasted from February to September, and while the 2023-10-19T20:23:00+00:00 https://therecord.media/iran-linked-hackers-8-months-middle-east-government www.secnews.physaphae.fr/article.php?IdArticle=8397883 False Threat APT 34 4.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) Iran-Linked OilRig Targets Middle East Governments in 8-Month Cyber Campaign The Iran-linked OilRig threat actor targeted an unnamed Middle East government between February and September 2023 as part of an eight-month-long campaign. The attack led to the theft of files and passwords and, in one instance, resulted in the deployment of a PowerShell backdoor called PowerExchange, the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News 2023-10-19T15:45:00+00:00 https://thehackernews.com/2023/10/iran-linked-oilrig-targets-middle-east.html www.secnews.physaphae.fr/article.php?IdArticle=8397652 False Threat APT 34 3.0000000000000000

Dark Reading - Informationweek Branch Iran-Linked 'MuddyWater' Spies on Mideast Gov't for 8 Months The state-sponsored threat actors (aka APT34, Crambus, Helix Kitten, or OilRig) spent months seemingly taking whatever government data they wished, using never-before-seen tools. 2023-10-19T14:22:00+00:00 https://www.darkreading.com/dr-global/iran-linked-muddywater-spies-middle-east-govt-eight-months www.secnews.physaphae.fr/article.php?IdArticle=8397738 False Threat APT 34 2.0000000000000000

Dark Reading - Informationweek Branch Iran-Linked APT34 Spy Campaign Targets Saudis The Menorah malware can upload and download files, as well as execute shell commands. 2023-10-02T17:19:00+00:00 https://www.darkreading.com/dr-global/iran-linked-apt34-spy-campaign-targets-saudis www.secnews.physaphae.fr/article.php?IdArticle=8390594 False Malware APT 34,APT 34 3.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) Iranian APT Group OilRig Using New Menorah Malware for Covert Operations Sophisticated cyber actors backed by Iran known as OilRig have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah. "The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware," Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy 2023-09-30T14:51:00+00:00 https://thehackernews.com/2023/09/iranian-apt-group-oilrig-using-new.html www.secnews.physaphae.fr/article.php?IdArticle=8389819 False Malware,Prediction APT 34 3.0000000000000000

Recorded Future - Recorded Future feed Alleged Iranian hackers target victims in Saudi Arabia with new spying malware Suspected Iranian hackers recently launched a new cyber espionage operation, infecting their victims with the newly discovered Menorah malware, according to a report published Friday. The hacking group APT34, also known as OilRig, Cobalt Gypsy, IRN2 and Helix Kitten, is believed to be based in Iran. It has been targeting Middle Eastern countries since at 2023-09-29T18:15:00+00:00 https://therecord.media/alleged-iran-hackers-target-saudi-arabia-with-new-spy-malware www.secnews.physaphae.fr/article.php?IdArticle=8389606 False Malware APT 34 2.0000000000000000
TrendLabs Security - Antivirus vendor APT34 Deploys Phishing Attack With New Malware We observed and tracked the advanced persistent threat (APT) APT34 group with a new malware variant accompanying a phishing attack comparatively similar to the SideTwist backdoor malware. Following the campaign, the group abused a fake license registration form of an African government agency to target a victim in Saudi Arabia. 2023-09-29T00:00:00+00:00 https://www.trendmicro.com/en_us/research/23/i/apt34-deploys-phishing-attack-with-new-malware.html www.secnews.physaphae.fr/article.php?IdArticle=8389378 False Malware,Threat APT 34,APT 34 3.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) Iranian Nation-State Actor OilRig Targets Israeli Organizations Israeli organizations were targeted as part of two different campaigns orchestrated by the Iranian nation-state actor known as OilRig in 2021 and 2022. The campaigns, dubbed Outer Space and Juicy Mix, entailed the use of two previously documented first-stage backdoors called Solar and Mango, which were deployed to collect sensitive information from major browsers and the Windows Credential 2023-09-22T14:55:00+00:00 https://thehackernews.com/2023/09/iranian-nation-state-actor-oilrig.html www.secnews.physaphae.fr/article.php?IdArticle=8386640 False None APT 34 2.0000000000000000

Global Security Mag - French news site ESET discovers that the OilRig group has deployed new malware on Israeli victims Malwares 2023-09-22T10:26:15+00:00 https://www.globalsecuritymag.fr/ESET-decouvre-que-le-groupe-OilRig-a-deploye-un-nouveau-malware-sur-des.html www.secnews.physaphae.fr/article.php?IdArticle=8386669 False Malware,Tool APT 34 3.0000000000000000

We Live Security - ESET antivirus software vendor OilRig's Outer Space and Juicy Mix: Same ol' rig, new drill pipes ESET researchers document OilRig's Outer Space and Juicy Mix campaigns, targeting Israeli organizations in 2021 and 2022 2023-09-21T18:30:13+00:00 https://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/ www.secnews.physaphae.fr/article.php?IdArticle=8386564 False None APT 34 2.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant The Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a variant of a backdoor called SideTwist. "APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability," NSFOCUS Security Labs said in a report published last week. APT34, also known by 2023-09-06T19:20:00+00:00 https://thehackernews.com/2023/09/alert-phishing-campaigns-deliver-new.html www.secnews.physaphae.fr/article.php?IdArticle=8379668 False Threat APT 34 2.0000000000000000

Dark Reading - Informationweek Branch Iran's APT34 Hits UAE With Supply Chain Attack The prolific APT, also known as OilRig and MuddyWater, was caught targeting an IT company's government clients in the region, with the aim of carrying out cyber espionage. 2023-08-02T18:10:11+00:00 https://www.darkreading.com/dr-global/iran-apt34-uae-supply-chain-attack www.secnews.physaphae.fr/article.php?IdArticle=8364879 False None APT 34,APT 34 2.0000000000000000

Bleeping Computer - American magazine New PowerExchange malware backdoors Microsoft Exchange servers A new PowerShell-based malware dubbed PowerExchange was used in attacks linked to APT34 Iranian state hackers to backdoor on-premise Microsoft Exchange servers. [...] 2023-05-24T15:17:19+00:00 https://www.bleepingcomputer.com/news/security/new-powerexchange-malware-backdoors-microsoft-exchange-servers/ www.secnews.physaphae.fr/article.php?IdArticle=8339110 False Malware APT 34 2.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) Iranian OilRig Hackers Using New Backdoor to Exfiltrate Data from Govt. Organizations 2023-02-03T17:42:00+00:00 https://thehackernews.com/2023/02/iranian-oilrig-hackers-using-new.html www.secnews.physaphae.fr/article.php?IdArticle=8306848 False Prediction APT 34 2.0000000000000000

InfoSecurity Mag - InfoSecurity Magazine New Credential-Stealing Campaign By APT34 Targets Middle East Firms 2023-02-03T16:00:00+00:00 https://www.infosecurity-magazine.com/news/credential-stealing-campaign-apt34/ www.secnews.physaphae.fr/article.php?IdArticle=8306880 False Malware APT 34 2.0000000000000000

InformationSecurityBuzzNews - Security news site OilRig Hackers Exfiltrate Data From Govt. Agencies Using New Backdoors 2023-02-03T15:06:57+00:00 https://informationsecuritybuzz.com/oilrig-hackers-exfiltrate-data-govt-agencies-using-new-backdoors/ www.secnews.physaphae.fr/article.php?IdArticle=8306870 False Prediction APT 34 3.0000000000000000

TrendLabs Security - Antivirus vendor New APT34 Malware Targets The Middle East 2023-02-02T00:00:00+00:00 https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html www.secnews.physaphae.fr/article.php?IdArticle=8306460 False Malware APT 34 2.0000000000000000

RedCanary - Red Canary Crude OilRig: Drilling into MITRE's Managed Service Evaluations 2022-11-09T13:58:50+00:00 https://redcanary.com/blog/2022-mitre-attack-evals/ www.secnews.physaphae.fr/article.php?IdArticle=7905449 False None APT 34 None

Anomali - Firm Blog Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence Microsoft Investigates Iranian Attacks Against the Albanian Government (published: September 8, 2022) Microsoft researchers discovered that groups working under Iran's Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania. Analyst Comment: The MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in a form of direct and proportional retaliation as it sees it. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users are advised to block known OilRig network indicators. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070 Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona BRONZE PRESIDENT Targets Government Officials (published: September 8, 2022) Secureworks researchers detected a new campaign by the China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters. Analyst Comment: Many advanced attacks start with basic techniques such as an unwarranted email with a malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | 2022-09-13T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-iran-albanian-cyber-conflict-ransomware-adopts-intermittent-encryption-dll-side-loading-provides-variety-to-plugx-infections-and-more www.secnews.physaphae.fr/article.php?IdArticle=6869959 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline APT 27,APT 34 None

NoticeBored - Experienced IT Security professional CISO workshop slides A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady eye this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact, given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically.
Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142): 2022-08-06T10:46:21+00:00 http://blog.noticebored.com/2022/08/a-glossy-nicely-constructed-and.html www.secnews.physaphae.fr/article.php?IdArticle=6150878 False Malware,Vulnerability,Threat,Patching,Guideline,Medical,Cloud APT 38,APT 19,APT 10,APT 37,Uber,APT 15,Guam,APT 28,APT 34 None

SANS Institute - SANS is a defense and training player Translating Saitama's DNS tunneling messages, (Mon, Jun 13th) MITRE ATT&CK T1071). Spotted and documented by MalwareBytes in two articles posted last month (How the Saitama backdoor uses DNS tunneling and APT34 targets Jordan Government using new Saitama backdoor), Saitama was used in a phishing e-mail targeted at a government official from Jordan's foreign ministry in an attack attributed to the Iranian group APT34. 2022-06-13T15:00:45+00:00 https://isc.sans.edu/diary/rss/28738 www.secnews.physaphae.fr/article.php?IdArticle=5133656 True None APT 34 None

Malwarebytes Labs - MalwarebytesLabs How the Saitama backdoor uses DNS tunnelling A walkthrough of one of the stealthy communication techniques employed in a recent attack using APT34's Saitama backdoor. 2022-05-25T12:46:33+00:00 https://blog.malwarebytes.com/threat-intelligence/2022/05/how-the-saitama-backdoor-uses-dns-tunnelling/ www.secnews.physaphae.fr/article.php?IdArticle=4802470 False None APT 34 None

Anomali - Firm Blog Anomali Cyber Watch: Costa Rica in Ransomware Emergency, Charming Kitten Spy and Ransom, Saitama Backdoor Hides by Sleeping, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence COBALT MIRAGE Conducts Ransomware Operations in U.S. (published: May 12, 2022) Secureworks researchers describe campaigns by the Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity's systems, and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and using commodity tools for encryption, internal scanning, and lateral movement. Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your systems updated, and employ mitigation strategies when updates for critical vulnerabilities are not available. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, Powershell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591 SYK Crypter Distributing Malware Families Via Discord (published: May 12, 2022) Morphisec researchers discovered a new campaign abusing the popular messaging platform Discord's content distribution network (CDN). If a targeted user activates the phishing attachment, it starts the DNetLoader malware that reaches out to the hardcoded Discord CDN link and downloads a next-stage crypter such as the newly-discovered SYK crypter. SYK crypter is loaded into memory, where it decrypts its configuration and the next-stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions and checks for d 2022-05-17T15:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-costa-rica-in-ransomware-emergency-charming-kitten-spy-and-ransom-saitama-backdoor-hides-by-sleeping-and-more www.secnews.physaphae.fr/article.php?IdArticle=4668209 False Ransomware,Malware,Tool,Vulnerability,Threat,Conference APT 35,APT 15,APT 34 None

knowbe4 - cybersecurity services Spear Phishing a Diplomat Researchers at Fortinet observed a spear phishing attack that targeted a Jordanian diplomat late last month. The researchers attribute this attack to the Iranian state-sponsored threat actor APT34 (also known as OilRig or Helix Kitten). The body of the phishing email isn't particularly detailed, but the attackers put a significant amount of effort into impersonating an employee at the targeted individual's organization. 2022-05-17T13:30:09+00:00 https://blog.knowbe4.com/spear-phishing-a-diplomat www.secnews.physaphae.fr/article.php?IdArticle=4667538 False Threat APT 34 None

SecurityWeek - Security News Iran-Linked OilRig APT Caught Using New Backdoor 2022-05-13T15:51:38+00:00 https://www.securityweek.com/iran-linked-oilrig-apt-caught-using-new-backdoor www.secnews.physaphae.fr/article.php?IdArticle=4591823 False None APT 34 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) New Saitama backdoor Targeted Official from Jordan's Foreign Ministry 2022-05-13T02:32:11+00:00 https://thehackernews.com/2022/05/new-saitama-backdoor-targeted-official.html www.secnews.physaphae.fr/article.php?IdArticle=4589850 False Threat APT 34 2.0000000000000000

Bleeping Computer - American magazine Iranian hackers exposed in a highly targeted espionage campaign 2022-05-12T17:30:15+00:00 https://www.bleepingcomputer.com/news/security/iranian-hackers-exposed-in-a-highly-targeted-espionage-campaign/ www.secnews.physaphae.fr/article.php?IdArticle=4593838 False Threat APT 34 None

Malwarebytes Labs - MalwarebytesLabs APT34 targets Jordan Government using new Saitama backdoor 2022-05-10T20:49:30+00:00 https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/ www.secnews.physaphae.fr/article.php?IdArticle=4594055 False None APT 34 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) Iranian Hackers Using New Marlin Backdoor in 'Out to Sea' Espionage Campaign 2022-02-09T03:25:23+00:00 https://thehackernews.com/2022/02/iranian-hackers-using-new-marlin.html www.secnews.physaphae.fr/article.php?IdArticle=4098925 False Malware,Threat APT 34 None

Anomali - Firm Blog Anomali Cyber Watch: Android Malware, Government, Middle East and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Iran's APT34 Returns with an Updated Arsenal (published: April 8, 2021) Check Point Research discovered evidence of a new campaign by the Iranian threat group APT34. The threat group has been actively retooling and updating its payload arsenal to try to avoid detection. They have created several different malware variants whose ultimate purpose remained the same: to gain an initial foothold on the targeted device.
Analyst Comment: Threat actors are always innovating new methods and update tools used to carry out attacks. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Custom Cryptographic Protocol - T1024 | [MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Scripting - T1064 Tags: OilRig, APT34, DNSpionage, Lab Dookhtegan, TONEDEAF, Dookhtegan, Karkoff, DNSpionage, Government, Middle East New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp (published: April 7, 2021) Check Point Research recently discovered Android malware on Google Play hidden in a fake application that is capable of spreading itself via users’ WhatsApp messages. The malware is capable of automatically replying to victim’s incoming WhatsApp messages with a payload received from a command-and-control (C2) server. This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more. Analyst Comment: Users’ personal mobile has many enterprise applications installed like Multifactor Authenticator, Email Client, etc which increases the risk for the enterprise even further. Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups. The latest security patches should be installed for both applications and the operating system. 
Tags: Android, FlixOnline, WhatsApp ]]> 2021-04-13T15:49:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-android-malware-government-middle-east-and-more www.secnews.physaphae.fr/article.php?IdArticle=2631341 False Ransomware,Malware,Vulnerability,Threat,Guideline APT 34 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Researchers uncover a new Iranian malware used in recent cyberattacks ]]> 2021-04-08T06:37:05+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/hz96-cUbfVk/researchers-uncover-new-iranian-malware.html www.secnews.physaphae.fr/article.php?IdArticle=2604912 False Malware,Threat APT 34 None Anomali - Firm Blog Anomali Cyber Watch: APT, Ransomware, Vulnerabilities and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Google: This Spectre proof-of-concept shows how dangerous these attacks can be (published: March 15, 2021) Google has released a proof of concept (PoC) code to demonstrate the practicality of Spectre side-channel attacks against a browser's JavaScript engine to leak information from its memory. Spectre targeted the process in modern CPUs called speculative execution to leak secrets such as passwords from one site to another. While the PoC demonstrates the JavaScript Spectre attack against Chrome 88's V8 JavaScript engine on an Intel Core i7-6500U CPU on Linux, Google notes it can easily be tweaked for other CPUs, browser versions and operating systems. Analyst Comment: As the density of microchip manufacturing continues to increase, side-channel attacks are likely to be found across many architectures and are difficult (and in some cases impossible) to remediate in software. 
The PoC of the practicality of performing such an attack using JavaScript emphasises that developers of both software and hardware should be aware of these types of attacks and the means by which they can be used to invalidate existing security controls.
Tags: CVE-2017-5753
Threat Assessment: DearCry Ransomware (published: March 12, 2021)
A new ransomware strain is being used by actors to attack unpatched Microsoft Exchange servers. Microsoft released patches for four vulnerabilities that are being exploited in the wild. The initial round of attacks included installation of web shells onto affected servers that could be used to infect additional computers. While the initial attack appears to have been done by sophisticated actors, the ease and publicity around these vulnerabilities has led to a diverse group of actors all attempting to compromise these servers.
Analyst Comment: Patch and asset management are a critical and often under-resourced aspect of defense in depth. As this particular set of vulnerabilities and attacks are against locally hosted Exchange servers, organizations may want to assess whether a hosted solution makes sense from a risk standpoint.
MITRE ATT&CK: Data Encrypted - T1022 | Exploit Public-Facing Application - T1190 | File and Directory Discovery - T1083 | Email Collection - T1114 | Obfuscated Files or Information - T1027 | System Service Discovery - T1007 | Data Encrypted for Impact - T1486
Published 2021-03-17T18:03:00+00:00 - https://www.anomali.com/blog/anomali-cyber-watch-apt-ransomware-vulnerabilities-and-more

Anomali - Anomali Cyber Watch: APT Groups, Cobalt Strike, Russia, Malware, and More
Get signed up today so you can receive curated and summarized cybersecurity intelligence events weekly. The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Emotet, Go, Masslogger, Mustang Panda, OilRig, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact (published: February 26, 2021)
Recent reporting indicates that two prolific cybercrime threat groups, CARBON SPIDER and SPRITE SPIDER, have begun targeting ESXi, a hypervisor developed by VMware to run and manage virtual machines. SPRITE SPIDER uses PyXie's LaZagne module to recover vCenter credentials stored in web browsers and runs Mimikatz to steal credentials from host memory. After authenticating to vCenter, SPRITE SPIDER enables SSH to permit persistent access to ESXi devices. In some cases, they also change the root account password or the host's SSH keys. Before deploying Defray 777, SPRITE SPIDER's ransomware of choice, they terminate running VMs to allow the ransomware to encrypt files associated with those VMs. CARBON SPIDER has traditionally targeted companies operating POS devices, with initial access gained using low-volume phishing campaigns against this sector. But throughout 2020 they were observed shifting focus to "Big Game Hunting" with the introduction of the Darkside ransomware. CARBON SPIDER gains access to ESXi servers using valid credentials and reportedly also logs in over SSH using the Plink utility to drop the Darkside ransomware.
Recommendation: Both CARBON SPIDER and SPRITE SPIDER likely intend to use ransomware targeting ESXi to inflict greater harm, and hopefully realize larger profits, than traditional ransomware operations against Windows systems. Should these campaigns continue and prove to be profitable, we would expect more threat actors to imitate these activities.
MITRE ATT&CK: Data Encrypted for Impact - T1486 | Hidden Files and Directories - T1158 | Process Discovery - T1057 | File Deletion - T1107 | Remote Services - T1021 | Scheduled Transfer - T1029
Published 2021-03-02T15:00:00+00:00 - https://www.anomali.com/blog/anomali-cyber-watch-apt-groups-cobalt-strike-russia-malware-and-more

Schneier on Security - APT Horoscope
This delightful essay matches APT hacker groups up with astrological signs. This is me: "Capricorn is renowned for its discipline, skilled navigation, and steadfastness. Just like Capricorn, Helix Kitten (also known as APT 35 or OilRig) is a skilled navigator of vast online networks, maneuvering deftly across an array of organizations, including those in aerospace, energy, finance, government, hospitality, and telecommunications. Steadfast in its work and objectives, Helix Kitten has a consistent track record of developing meticulous spear-phishing attacks..."
Published 2021-01-08T20:19:37+00:00 - https://www.schneier.com/blog/archives/2021/01/apt-horoscope.html

ZD Net - Iranian hacker group becomes first known APT to weaponize DNS-over-HTTPS (DoH)
Published 2020-08-04T16:20:12+00:00 - https://www.zdnet.com/article/iranian-hacker-group-becomes-first-known-apt-to-weaponize-dns-over-https-doh/#ftag=RSSbaffb68

Security Affairs - CIA covert operations likely behind attacks against APT34 and FSB
Published 2020-07-16T05:43:03+00:00 - https://securityaffairs.co/wordpress/105959/intelligence/cia-covert-operations-fsb-apt34.html?utm_source=rss&utm_medium=rss&utm_campaign=cia-covert-operations-fsb-apt34

ZD Net - Report: CIA most likely behind APT34 and FSB hacks and data dumps
Published 2020-07-15T13:07:00+00:00 - https://www.zdnet.com/article/report-cia-most-likely-behind-apt34-and-fsb-hacks-and-data-dumps/#ftag=RSSbaffb68

ZD Net - Report: CIA behind APT34 and FSB hacks and data dumps
Published 2020-07-15T13:07:00+00:00 - https://www.zdnet.com/article/report-cia-behind-apt34-and-fsb-hacks-and-data-dumps/#ftag=RSSbaffb68

Security Affairs - Security Affairs newsletter Round 254
Published 2020-03-08T10:23:46+00:00 - https://securityaffairs.co/wordpress/99151/breaking-news/security-affairs-newsletter-round-254.html

Security Affairs - The North Korean Kimsuky APT threatens South Korea evolving its TTPs
Published 2020-03-03T18:48:42+00:00 - https://securityaffairs.co/wordpress/98878/malware/kimsuky-apt-south-korea.html

Security Affairs - Karkoff 2020: a new APT34 espionage operation involves Lebanon Government
Published 2020-03-02T19:19:39+00:00 - https://securityaffairs.co/wordpress/98802/uncategorized/karkoff-malware-lebanon.html

Security Affairs - Iran-linked APT34 group is targeting US federal workers
Published 2020-01-31T07:53:00+00:00 - https://securityaffairs.co/wordpress/97067/apt/apt34-westat-survey.html

The State of Security - Poison Frog Malware Samples Reveal OilRig's Sloppiness
Published 2019-12-17T14:40:28+00:00 - https://www.tripwire.com/state-of-security/ics-security/poison-frog-malware-samples-reveal-oilrigs-sloppiness/

The Hacker News - ZeroCleare: New Iranian Data Wiper Malware Targeting Energy Sector
Published 2019-12-05T01:07:48+00:00 - http://feedproxy.google.com/~r/TheHackersNews/~3/CjdnfVinShk/zerocleare-data-wiper-malware.html

InformationSecurityBuzzNews - Iranian Spying Operation Russian Hijack
Published 2019-10-22T13:25:29+00:00 - https://www.informationsecuritybuzz.com/expert-comments/iranian-spying-operation-russian-hijack/

Bleeping Computer - Russian Hackers Use Iranian Threat Group's Tools, Servers as Cover
Published 2019-10-21T15:29:10+00:00 - https://www.bleepingcomputer.com/news/security/russian-hackers-use-iranian-threat-groups-tools-servers-as-cover/

Security Affairs - OilRig APT group: the evolution of attack techniques over time
Published 2019-08-07T13:47:02+00:00 - https://securityaffairs.co/wordpress/89586/apt/oilrig-apt-techniques-evolution.html

InformationSecurityBuzzNews - Iranian Hackers Send Out Fake LinkedIn Invitations Laced With Malware
Published 2019-07-23T14:40:03+00:00 - https://www.informationsecuritybuzz.com/expert-comments/iranian-hackers-send-out-fake-linkedin-invitations-laced-with-malware/

UnderNews - FireEye identifies a new cyber-espionage campaign by the Iranian group APT34
Given rising geopolitical tensions in the Middle East, FireEye expects Iran to considerably increase the volume and scope of its cyber-espionage campaigns.
Published 2019-07-22T12:56:04+00:00 - https://www.undernews.fr/hacking-hacktivisme/fireeye-identifie-une-nouvelle-campagne-de-cyber-espionnage-du-groupe-iranien-apt34.html

Security Affairs - New APT34 campaign uses LinkedIn to deliver fresh malware
Published 2019-07-22T08:04:00+00:00 - https://securityaffairs.co/wordpress/88737/apt/apt34-cyberspionage-linkedin.html

SecurityWeek - Iranian Hackers Use New Malware in Recent Attacks
Published 2019-07-19T17:46:01+00:00 - https://www.securityweek.com/iranian-hackers-use-new-malware-recent-attacks

Mandiant - Hard Pass: Declining APT34's Invite to Join Their Professional Network
Background: With increasing geopolitical tensions in the Middle East, we expect Iran to significantly increase the volume and scope of its cyber espionage campaigns. Iran has a critical need for strategic intelligence and is likely to fill this gap by conducting espionage against decision makers and key organizations that may have information that furthers Iran's economic and national security goals. The identification of new malware and the creation of additional infrastructure to enable such campaigns highlights the increased tempo of these operations in support of Iranian interests.
Published 2019-07-18T10:00:00+00:00 - https://www.mandiant.com/resources/blog/hard-pass-declining-apt34-invite-to-join-their-professional-network

Security Affairs - Similarities and differences between MuddyWater and APT34
Published 2019-06-27T05:32:05+00:00 - https://securityaffairs.co/wordpress/87652/apt/muddywater-apt34-similarities.html

Security Affairs - Russia-Linked Turla APT group Hijacked C2 of the Iranian OilRig
Published 2019-06-21T13:01:04+00:00 - https://securityaffairs.co/wordpress/87404/apt/turla-new-campaigns.html

SecurityWeek - Russia-Linked Hackers Hijack Infrastructure of Iranian Threat Group
Published 2019-06-20T18:11:01+00:00 - https://www.securityweek.com/russia-linked-hackers-hijack-infrastructure-iranian-threat-group

Bleeping Computer - Turla Espionage Group Hacks OilRig APT Infrastructure
Published 2019-06-20T12:34:02+00:00 - https://www.bleepingcomputer.com/news/security/turla-espionage-group-hacks-oilrig-apt-infrastructure/

ZD Net - Russian APT hacked Iranian APT's infrastructure back in 2017
Published 2019-06-20T10:00:00+00:00 - https://www.zdnet.com/article/russian-apt-hacked-iranian-apts-infrastructure-back-in-2017/#ftag=RSSbaffb68

Security Affairs - Analyzing the APT34's Jason project
Published 2019-06-06T11:00:05+00:00 - https://securityaffairs.co/wordpress/86680/hacking/analyzing-apt34-jason-project.html

Security Affairs - OilRig's Jason email hacking tool leaked online
Published 2019-06-04T13:55:05+00:00 - https://securityaffairs.co/wordpress/86569/hacking/oilrig-jason-email-hijacking.html

Bleeping Computer - New Email Hacking Tool from OilRig APT Group Leaked Online
Published 2019-06-03T12:56:01+00:00 - https://www.bleepingcomputer.com/news/security/new-email-hacking-tool-from-oilrig-apt-group-leaked-online/

InformationSecurityBuzzNews - Explained: APT34 Code Leak
Published 2019-04-19T15:45:02+00:00 - https://www.informationsecuritybuzz.com/expert-comments/explained-apt34-code-leak/

Security Affairs - Source code of tools used by OilRig APT leaked on Telegram
Published 2019-04-19T12:07:04+00:00 - https://securityaffairs.co/wordpress/84180/apt/oilrig-apt-tools-leaked-online.html

Security Affairs - Analyzing OilRig's malware that uses DNS Tunneling
Published 2019-04-18T20:47:05+00:00 - https://securityaffairs.co/wordpress/84125/apt/oilrig-dns-tunneling.html

Bleeping Computer - Hacker Group Exposes Iranian APT Operations and Members
Published 2019-04-18T10:10:01+00:00 - https://www.bleepingcomputer.com/news/security/hacker-group-exposes-iranian-apt-operations-and-members/

ZD Net - Source code of Iranian cyber-espionage tools leaked on Telegram
Published 2019-04-17T23:24:00+00:00 - https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/#ftag=RSSbaffb68

Security Affairs - Experts analyzed how Iranian OilRig hackers tested their weaponized documents
Published 2018-11-20T09:31:03+00:00 - https://securityaffairs.co/wordpress/78218/apt/oilrig-testing-weaponized-docs.html

SecurityWeek - Iran-Linked Hackers Use Just-in-Time Creation of Weaponized Attack Docs
Published 2018-11-19T14:26:03+00:00 - https://www.securityweek.com/iran-linked-hackers-use-just-time-creation-weaponized-attack-docs

Security Affairs - Iran-Linked OilRig APT group targets high-ranking office in a Middle Eastern nation
Published 2018-09-14T13:15:04+00:00 - https://securityaffairs.co/wordpress/76187/apt/oilrig-apt-campaign.html

Kaspersky Threatpost - OilRig APT Continues Its Ongoing Malware Evolution
Published 2018-09-13T21:19:00+00:00 - https://threatpost.com/oilrig-apt-continues-its-ongoing-malware-evolution/137444/

The State of Security - OilRig Launching Attack Campaigns With Updated BONDUPDATER Trojan
Published 2018-09-13T11:16:00+00:00 - https://www.tripwire.com/state-of-security/security-data-protection/oilrig-launching-attack-campaigns-with-updated-bondupdater-trojan/

AlienVault Lab Blog - Malware Analysis using Osquery Part 2
In the first part of this series, we saw how you can use Osquery to analyze and extract valuable information about malware's behavior. In that post, we followed the activity of the known Emotet loader, popular for distributing banking trojans.
Using Osquery, we were able to discover how it infects a system using a malicious Microsoft Office document and how it extracts and executes the payload. In this post, we are going to see another common technique that malware uses, persistence. To do so, we will continue using Osquery to explore the registry and startup_items tables. Registry Persistence In this case, we will analyze a piece of malware built using the .NET framework, in particular a sample of Shrug ransomware. This malware encrypts users' personal documents and requests an amount of Bitcoins to get all files restored back. https://otx.alienvault.com/indicator/file/a554b92036fbbc1c5d1a7d8a4049b01c5b6b7b30f06843fcdccf1f2420dfd707 Opening the sample with a .NET debugger, we can see that it first creates a new file in the user temp directory and writes a new value in the “CurrentVersion\Run” registry key for the user space pointing to that file. The malware will be executed every time the user logs on. This is a common persistence mechanism that malware droppers use in order to stay in the system. If we run the sample in our Osquery environment, we can easily detect this activity using a couple of queries. For example, if you remember the query we used to log files written on disk in Part 1 of this blog series, we can also use it here to detect the file planted on user temp directory. We are just searching for files written on Users directories in the last 100 seconds. Additionally, we can search for the new entry created in the registry hive. For that, we can use the ‘registry’ Osquery table, which allows us to query all the registry entries in the system.  We can also use the ‘startup_items’ table. This second table contains a set of predefined paths that the system uses to run programs automatically at startup. Running the following query, we can see how the malware has written a new entry, pointing to the ‘shrug.exe’ file discovered with the first query. 
The file shrug.exe is also written on .NET framework, so we can open it again with the debugger and see some interesting parts. This file first checks if the system is already infected. If not, it creates a new registry key with the same name to write the installation parameters. ]]> 2018-09-06T13:00:00+00:00 http://feeds.feedblitz.com/~/568274998/0/alienvaultotx www.secnews.physaphae.fr/article.php?IdArticle=795252 False Malware,Threat APT 34 3.0000000000000000 Security Affairs - Blog Secu New OilRig APT campaign leverages a new variant of the OopsIE Trojan 2018-09-06T07:44:04+00:00 https://securityaffairs.co/wordpress/75927/apt/oilrig-apt-oopsie.html www.secnews.physaphae.fr/article.php?IdArticle=794785 False None APT 34 None Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe OilRig Sends an OopsIE to Mideast Government Targets 2018-09-05T21:04:04+00:00 https://threatpost.com/oilrig-sends-an-oopsie-to-mideast-government-targets/137220/ www.secnews.physaphae.fr/article.php?IdArticle=795018 False None APT 34 None SecurityWeek - Security News Iranian Hackers Improve Recently Used Cyber Weapon 2018-09-05T14:16:03+00:00 https://www.securityweek.com/iranian-hackers-improve-recently-used-cyber-weapon www.secnews.physaphae.fr/article.php?IdArticle=796423 False None APT 34 None SecurityWeek - Security News Breaches Increasingly Discovered Internally: Mandiant Organizations are getting increasingly better at discovering data breaches on their own, with more than 60% of intrusions in 2017 detected internally, according to FireEye-owned Mandiant. The company's M-Trends report for 2018 shows that the global median time for internal detection dropped to 57.5 days in 2017, compared to 80 days in the previous year. Of the total number of breaches investigated by Mandiant last year, 62% were discovered internally, up from 53% in 2016. On the other hand, it still took roughly the same amount of time for organizations to learn that their systems had been compromised. 
The global median dwell time in 2017 – the median time from the first evidence of a hack to detection – was 101 days, compared to 99 days in 2016. Companies in the Americas had the shortest median dwell time (75.5 days), while organizations in the APAC region had the longest dwell time (nearly 500 days). Dwell time data from Mandiant Data collected by Mandiant in 2013 showed that more than one-third of organizations had been attacked again after the initial incident had been remediated. More recent data, specifically from the past 19 months, showed that 56% of Mandiant customers were targeted again by either the same group or one with similar motivation. In cases where investigators discovered at least one type of significant activity (e.g. compromised accounts, data theft, lateral movement), the targeted organization was successfully attacked again within one year. Organizations that experienced more than one type of significant activity were attacked by more than one threat actor. Again, the highest percentage of companies attacked multiple times and by multiple threat groups was in the APAC region – more than double compared to the Americas and the EMEA region. When it comes to the most targeted industries, companies in the financial and high-tech sectors recorded the highest number of significant attacks, while the high-tech, telecommunications and education sectors were hit by the highest number of different hacker groups. Last year, FireEye assigned names to four state-sponsored threat groups, including the Vietnam-linked APT32 (OceanLotus), and the Iran-linked APT33, APT34 (OilRig), and APT35 (NewsBeef, Newscaster and Charming Kitten). 
]]> 2018-04-04T14:00:03+00:00 https://www.securityweek.com/breaches-increasingly-discovered-internally-mandiant www.secnews.physaphae.fr/article.php?IdArticle=565681 False Conference APT 35,APT 32,APT33,APT 33,APT 34 None SecurityWeek - Security News Iran-linked Hackers Adopt New Data Exfiltration Methods multiple tools and adopting new exploits fast, as well as switching to new Trojans in ]]> 2018-03-22T15:30:01+00:00 http://feedproxy.google.com/~r/Securityweek/~3/zBrgd5dQwlE/iran-linked-hackers-adopt-new-data-exfiltration-methods www.secnews.physaphae.fr/article.php?IdArticle=535286 True Guideline APT 34 None Security Affairs - Blog Secu Iran-linked group OilRig used a new Trojan called OopsIE in recent attacks 2018-02-24T09:18:03+00:00 http://securityaffairs.co/wordpress/69470/malware/oilrig-oopsie-trojan.html www.secnews.physaphae.fr/article.php?IdArticle=490014 False None APT 34 None SecurityWeek - Security News Iranian Hackers Use New Trojan in Recent Attacks 2018-02-23T18:38:01+00:00 http://feedproxy.google.com/~r/Securityweek/~3/17ITyN_B24s/iranian-hackers-use-new-trojan-recent-attacks www.secnews.physaphae.fr/article.php?IdArticle=489793 False None APT 34 None Security Affairs - Blog Secu Security Affairs newsletter Round 148 – News of the week A new round of the weekly SecurityAffairs newsletter arrived! The best news of the week with Security Affairs. Once again thank you! 
· Attackers behind Cloudflare_solutions Keylogger are back, 2000 WordPress sites already infected
· Download URLs for two packages of the phpBB forum software were compromised
· Iran-linked APT OilRig target IIS Web Servers
[…]
2018-02-04T11:38:46+00:00 http://securityaffairs.co/wordpress/68633/breaking-news/security-affairs-newsletter-round-148-news-week.html

AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC
OTX Trends Part 3 - Threat Actors

Part 1 focused on exploits and part 2 addressed malware. This part will discuss threat actors and patterns we have detected with OTX.

Which threat actors should I be most concerned about?

Which threat actors your organization should be most concerned about will vary greatly. A flower shop will have a very different threat profile from a defense contractor. Therefore, below we have limited ourselves to some very high-level trends for particular threat actors, many of which may not be relevant to your organisation.

Which threat actors are most active?

The following graph describes the number of vendor reports for each threat actor over the past two years by quarter. For clarity, we have limited the graph to the five threat actors reported on most in OTX. This is useful as a very rough indication of which actors are particularly busy.

Caveats

There are a number of caveats to consider here. One newsworthy event against a single target may be reported in multiple vendor reports, whereas a campaign against thousands of targets may be represented by only one report. Vendors are also more inclined to report on something that is “commercially interesting”. For example, activity targeting banks in the United States is more likely to be reported than attacks targeting the Uyghur population in China.
It’s also likely we missed some reports, particularly in the earlier days of OTX, which may explain some of the increase in reports between 2016 and 2017.

The global targeted threat landscape

There are a number of suggested methods to classify the capability of different threat actors. Each has its problems, however. For example, if a threat actor never deploys 0-day exploits, do they lack the resources to develop them, or are they mature enough to avoid wasting resources unnecessarily? Below we have plotted a graph of the threat actors most reported on in the last two years. We have excluded threat actors whose motivation is thought to be criminal, as that wouldn’t be an apples-to-apples comparison. Both the measure of their activity (the number of vendor reports) and the measure of their capability (a rough rule of thumb) are not scientific, but they can provide some rough insights.

A rough chart of the activity and capability of notable threat actors in the last year

Perhaps most notable here is which threat actors are not listed. Some, such as APT1 and Equation Group, seem to have disappeared in their existing form following very public reporting. It seems unlikely that groups which likely employ thousands of people have disappeared completely; the lack of reporting is more likely a result of significantly changed tactics and identification following their outing. Others remain visibly active, but not enough to make our chart of “worst offenders”.
A review of the most reported-on threat actors

The threat actor referenced i
2018-01-30T13:40:00+00:00 http://feeds.feedblitz.com/~/521337082/0/alienvault-blogs~OTX-Trends-Part-Threat-Actors

Security Affairs - Blog Secu
Iran-linked APT OilRig target IIS Web Servers with new RGDoor Backdoor
The Iran-linked cyber-espionage group tracked as OilRig started using a backdoor dubbed RGDoor to target Internet Information Services (IIS) Web servers. The OilRig hacker group is an Iran-linked APT that has been around since at least 2015, when it targeted mainly organizations in the financial and […]
2018-01-28T10:51:00+00:00 http://securityaffairs.co/wordpress/68317/apt/oilrig-rgdoor-backdoor.html

SecurityWeek - Security News
Iranian Hackers Target IIS Web Servers With New Backdoor
2018-01-26T12:35:16+00:00 http://feedproxy.google.com/~r/Securityweek/~3/Gn1YoBZlv54/iranian-hackers-target-iis-web-servers-new-backdoor

AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC
OTX Trends Part 1- Exploits
GitHub.

Executive Summary

Some of the standout findings from our data covering 2017 are:
· The most effective exploits quickly proliferate between a number of criminal and nation state groups. Some remain popular for a number of years after their initial discovery.
· njRat malware variants were the most prevalent malware we saw persisting on networks.
· Of the ten most popular domains associated with malware, four were sinkholed by MalwareTech.
· Confirmation of others’ findings of the changing targeted threat landscape.
There has been a significant increase in reports on attackers reportedly located in Russia and North Korea. There has also been a significant drop in reports of activity emanating from groups operating from China.

OTX Trends: Exploits

This is the first of a three-part series on the trends we identified in 2017:
· Part 1 focuses on exploits
· Part 2 will talk about the malware of concern and trends
· Part 3 will discuss threat actors and patterns

Which exploits should I be most concerned about?

There are many thousands of exploits that are assigned a CVE number every year, and many more that go unreported. If you’re responsible for an organisation’s security, it’s important to know:
· Which ones are the most important to patch quickly?
· Which ones are being actively exploited in the wild?
· What exploits are being reported in vendor reports?

The following table shows exploits in order of the number of times they have been referenced in vendor reports on OTX:

A CVE 2017-0199 sample used by criminals

This table is from a fairly small data set of approximately 80 vendor reports from 2017, but it still provides a number of insights.

Effective exploits proliferate quickly

The #1 ranked exploit, CVE-2017-0199, is extremely popular. It has been used by targeted attackers in locations as diverse as North Korea (FreeMilk), China (Winnti) and Iran (Oilrig). It has also been heavily abused by criminal gangs, such as some of those deploying Dridex.
2018-01-16T14:00:00+00:00 http://feeds.feedblitz.com/~/517871006/0/alienvault-blogs~OTX-Trends-Part-Exploits

Mandiant - Blog Sécu de Mandiant
New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber espionage threat group, whom we refer to as APT34, using a custom PowerShell backdoor to achieve its objectives. We believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at
2017-12-07T17:00:00+00:00 https://www.mandiant.com/resources/blog/targeted-attack-in-middle-east-by-apt34
Security Affairs - Blog Secu
Iran-linked OilRig hacker group uses a new Trojan in Middle East Attacks
The Iran-linked cyberespionage group OilRig has been using a new Trojan in attacks aimed at targets in the Middle East. Experts from Palo Alto Networks spotted a new campaign launched by the notorious APT group OilRig against an organization within the government of the United Arab Emirates (UAE). The OilRig hacker group is an Iran-linked APT that has been around since at least […]
2017-10-10T13:38:53+00:00 http://securityaffairs.co/wordpress/64119/apt/oilrig-isminjector-campaign.html

SecurityWeek - Security News
Iranian Cyberspy Groups Share Malware Code
2017-07-27T14:57:39+00:00 http://feedproxy.google.com/~r/Securityweek/~3/g4Fzgx6tzRM/iranian-cyberspy-groups-share-malware-code

Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe
APT Group Uses Catfish Technique To Ensnare Victims
2017-07-27T14:00:36+00:00 https://threatpost.com/apt-group-uses-catfish-technique-to-ensnare-victims/127028/

Palo Alto Network - Site Constructeur
OilRig uses ISMDoor variant; Possibly Linked to Greenbug Threat Group
2017-07-27T12:00:20+00:00 http://feedproxy.google.com/~r/PaloAltoNetworks/~3/H8uZ_XzXa30/