www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
2024-05-20T19:17:26+00:00

Bleeping Computer (American magazine) - Kimsuky hackers deploy new Linux backdoor in attacks on South Korea
The North Korean hacker group Kimsuky has been using a new Linux malware called Gomir that is a version of the GoBear backdoor delivered via trojanized software installers. [...]
2024-05-16T09:28:37+00:00 | https://www.bleepingcomputer.com/news/security/kimsuky-hackers-deploy-new-linux-backdoor-in-attacks-on-south-korea/ | www.secnews.physaphae.fr/article.php?IdArticle=8501038 | False | Malware | APT 43 | 3.0

RiskIQ (cyber risk firm, now Microsoft) - Weekly OSINT Highlights, 13 May 2024
2024-05-13T13:30:14+00:00 | https://community.riskiq.com/article/fd207107 | www.secnews.physaphae.fr/article.php?IdArticle=8498946 | False | Spam, Malware, Tool, Vulnerability, Threat, Cloud | APT 42 | 2.0

The Hacker News (hacking news blog) - APT42 Hackers Pose as Journalists to Harvest Credentials and Access Cloud Data
The Iranian state-backed hacking outfit called APT42 is making use of enhanced social engineering schemes to infiltrate target networks and cloud environments. Targets of the attack include Western and Middle Eastern NGOs, media organizations, academia, legal services and activists, Google Cloud subsidiary Mandiant said in a report published last week. "APT42 was
2024-05-07T18:55:00+00:00 | https://thehackernews.com/2024/05/apt42-hackers-pose-as-journalists-to.html | www.secnews.physaphae.fr/article.php?IdArticle=8495241 | False | Cloud | APT 42 | 4.0

RiskIQ (cyber risk firm, now Microsoft) - Uncharmed: Untangling Iran's APT42 Operations
2024-05-06T19:54:46+00:00 | https://community.riskiq.com/article/7c5aa156 | www.secnews.physaphae.fr/article.php?IdArticle=8494794 | False | Malware, Vulnerability, Threat, Patching, Cloud | APT 42 | 3.0

Bleeping Computer (American magazine) - Iranian hackers pose as journalists to push backdoor malware
The Iranian state-backed threat actor tracked as APT42 is employing social engineering attacks, including posing as journalists, to breach corporate networks and cloud environments of Western and Middle Eastern targets. [...]
2024-05-04T10:17:34+00:00 | https://www.bleepingcomputer.com/news/security/iranian-hackers-pose-as-journalists-to-push-backdoor-malware/ | www.secnews.physaphae.fr/article.php?IdArticle=8493646 | False | Malware, Threat, Cloud | APT 42 | 3.0

Mandiant (Mandiant security blog) - Uncharmed: Untangling Iran's APT42 Operations
APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists. Mandiant assesses APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). APT42 was observed posing as journalists and event organizers to build trust with their victims through ongoing correspondence, and to deliver invitations to conferences or legitimate documents. These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments. Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, while relying on built-in features and open-source tools to avoid detection. In addition to cloud operations, we also outline recent malware-based APT42 operations using two custom backdoors: NICECURL and TAMECAT. These backdoors are delivered via spear phishing, providing the attackers with initial access that might be used as a command execution interface or as a jumping point to deploy additional malware. APT42 targeting and missions are consistent with its assessed affiliation with the IRGC-IO, which is a part of the Iranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic Republic and domestic unrest. APT42 activities overlap with the publicly reported actors CALANQUE (Google Threat Analysis Group), Charming Kitten (ClearSky and CERTFA), Mint Sandstorm/Phosphorus (Microsoft), TA453 (Proofpoint), Yellow Garuda (PwC), and ITG18 (
2024-05-01T14:00:00+00:00 | https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations/ | www.secnews.physaphae.fr/article.php?IdArticle=8500390 | False | Malware, Tool, Threat, Cloud | APT 35, APT 42, Yahoo | 2.0

Mandiant (Mandiant security blog) - Poll Vaulting: Cyber Threats to Global Elections
Executive Summary
The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts. When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure. Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google's Advanced Protection Program to protect high-risk accounts.
Introduction
The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture. The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence.
2024-04-25T10:00:00+00:00 | https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections/ | www.secnews.physaphae.fr/article.php?IdArticle=8500393 | False | Ransomware, Malware, Hack, Tool, Vulnerability, Threat, Legislation, Cloud, Technical | APT 43, APT 29, APT 31, APT 42, APT 28, APT 40 | 3.0

InfoSecurity Mag (InfoSecurity Magazine) - North Korean Group Kimsuky Exploits DMARC and Web Beacons
Proofpoint confirmed Kimsuky has directly contacted foreign policy experts since 2023 through seemingly benign email conversations
2024-04-17T15:30:00+00:00 | https://www.infosecurity-magazine.com/news/kimsuky-exploits-dmarc-web-beacons/ | www.secnews.physaphae.fr/article.php?IdArticle=8484216 | False | None | APT 43 | 3.0

ProofPoint (cyber firm) - From Social Engineering to DMARC Abuse: TA427's Art of Information Gathering
2024-04-16T06:00:54+00:00 | https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering | www.secnews.physaphae.fr/article.php?IdArticle=8483299 | False | Malware, Tool, Threat, Conference | APT 43, APT 37 | 2.0

InfoSecurity Mag (InfoSecurity Magazine) - Research Unearths RUBYCARP's Multi-Miner Assault on Crypto
Sysdig stated that by deploying multiple miners, the group decreased attack time and detection risk
2024-04-09T14:30:00+00:00 | https://www.infosecurity-magazine.com/news/rubycarps-multi-miner-assault/ | www.secnews.physaphae.fr/article.php?IdArticle=8478743 | False | None | APT 40 | 3.0

RiskIQ (cyber risk firm, now Microsoft) - Weekly OSINT Highlights, 8 April 2024
2024-04-08T15:09:15+00:00 | https://community.riskiq.com/article/974639f2 | www.secnews.physaphae.fr/article.php?IdArticle=8478203 | False | Ransomware, Spam, Malware, Tool, Threat, Cloud | APT 41 | 3.0

RiskIQ (cyber risk firm, now Microsoft) - Earth Freybug Uses UNAPIMON for Unhooking Critical APIs
Description: Trend Micro analyzed a cyberespionage attack the company has attributed to Earth Freybug, a subset of APT41 (tracked by Microsoft as Brass Typhoon, https://sip.security.microsoft.com/intel-profiles/f0aaa62bfbaf3739bb92106688e6a00fc05eafc0d4158b0e389b4078112d37c6?). According to Trend Micro, Earth Freybug has been active since at least 2012 and the Chinese-linked group has been active in espionage and financially motivated attacks. Earth Freybug employs diverse tools like LOLBins and custom malware, targeting organizations globally. The attack used techniques like dynamic link library (DLL) hijacking and API unhooking to avoid monitoring for a new malware called UNAPIMON. UNAPIMON evades detection by preventing child processes from being monitored. The attack flow involved creating remote scheduled tasks and executing reconnaissance commands to gather system information. Subsequently, a backdoor was launched using DLL side-loading via a service called SessionEnv, which loads a malicious DLL. UNAPIMON, the injected DLL, uses API hooking to evade monitoring and execute malicious commands undetected, showcasing the attackers' sophistication. Check out Microsoft's write-up on dynamic-link library (DLL) hijacking here: https://sip.security.microsoft.com/intel-explorer/articles/91be20e8?
Reference URL(s): 1. https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html
Publication Date: April 2, 2024
Author(s): Christopher So
2024-04-03T20:46:53+00:00 | https://community.riskiq.com/article/327771c8 | www.secnews.physaphae.fr/article.php?IdArticle=8475473 | False | Malware, Tool, Prediction | APT 41 | 2.0

The Hacker News (hacking news blog) - N. Korea-linked Kimsuky Shifts to Compiled HTML Help Files in Ongoing Cyberattacks
The North Korea-linked threat actor known as Kimsuky (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging Compiled HTML Help (CHM) files as vectors to deliver malware for harvesting sensitive data. Kimsuky, active since at least 2012, is known to target entities located in South Korea as well as North America, Asia, and Europe. According
2024-03-24T11:08:00+00:00 | https://thehackernews.com/2024/03/n-korea-linked-kimsuky-shifts-to.html | www.secnews.physaphae.fr/article.php?IdArticle=8469454 | False | Malware, Threat | APT 43 | 3.0

RiskIQ (cyber risk firm, now Microsoft) - Staying ahead of threat actors in the age of AI
2024-03-05T19:03:47+00:00 | https://community.riskiq.com/article/ed40fbef | www.secnews.physaphae.fr/article.php?IdArticle=8459485 | False | Ransomware, Malware, Tool, Vulnerability, Threat, Studies, Medical, Technical | ChatGPT, APT 28, APT 4 | 2.0

Dark Reading (Informationweek branch) - Microsoft, OpenAI: Nation-States Are Weaponizing AI in Cyberattacks
It's not theoretical anymore: the world's major powers are working with large language models to enhance their offensive cyber operations.
2024-02-14T22:14:54+00:00 | https://www.darkreading.com/threat-intelligence/microsoft-openai-nation-states-are-weaponizing-ai-in-cyberattacks | www.secnews.physaphae.fr/article.php?IdArticle=8450171 | False | None | APT 40 | 2.0

Volexity (cyber firm) - CharmingCypress: Innovating Persistence
Through its managed security services offerings, Volexity routinely identifies spear-phishing campaigns targeting its customers. One persistent threat actor, whose campaigns Volexity frequently observes, is the Iranian-origin threat actor CharmingCypress (aka Charming Kitten, APT42, TA453). Volexity assesses that CharmingCypress is tasked with collecting political intelligence against foreign targets, particularly focusing on think tanks, NGOs, and journalists. In their phishing campaigns, CharmingCypress often employs unusual social-engineering tactics, such as engaging targets in prolonged conversations over email before sending links to malicious content. In a particularly notable spear-phishing campaign observed by Volexity, CharmingCypress went so far as to craft an entirely fake webinar platform to use as part of the lure. CharmingCypress controlled access to this platform, requiring targets to install malware-laden VPN applications prior to granting access. Note: Some content in this blog was recently discussed in Microsoft's report, New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and [...]
2024-02-13T14:47:15+00:00 | https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/ | www.secnews.physaphae.fr/article.php?IdArticle=8449587 | False | Threat | APT 35, APT 42 | 3.0
The Hacker News (hacking news blog) - Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks
Nation-state actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines. South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as Kimsuky. "A notable point about attacks that
2023-12-29T14:39:00+00:00 | https://thehackernews.com/2023/12/kimsuky-hackers-deploying-appleseed.html | www.secnews.physaphae.fr/article.php?IdArticle=8430708 | False | Tool, Threat | APT 43 | 3.0

RiskIQ (cyber risk firm, now Microsoft) - Trend Analysis on Kimsuky Group's Attacks Using AppleSeed
Description: The Kimsuky threat group, known to be supported by North Korea, has been active since 2013. The group usually launches spear phishing attacks against national defense, defense industries, media, diplomacy, national organizations, and academic sectors. Their attacks aim to steal internal information and technology from organizations. While the Kimsuky group typically uses spear phishing attacks for initial access, most of their recent attacks involve the use of shortcut-type malware in LNK file format. Although LNK malware comprises a large part of recent attacks, cases using JavaScript or malicious documents continue to be detected. Such attack cases that use JavaScript-type malware usually involve the distribution of AppleSeed. In addition to JavaScript, Excel macro malware is also used to install AppleSeed. AppleSeed is a backdoor that can receive the threat actor's commands from the C&C server and execute the received commands. The threat actor can use AppleSeed to control the infected system. It also offers features such as a downloader that installs additional malware, keylogging and taking screenshots, and stealing information by collecting files from the user system and sending them. AlphaSeed is a malware developed in Golang and supports similar features to AppleSeed such as command execution and infostealing.
Reference URL(s): 1. https://asec.ahnlab.com/en/60054/
Publication Date: December 27, 2023
Author(s): Sanseo
2023-12-28T19:18:50+00:00 | https://community.riskiq.com/article/461188d1 | www.secnews.physaphae.fr/article.php?IdArticle=8430436 | False | Malware, Threat, Prediction | APT 43 | 3.0

The Hacker News (hacking news blog) - N. Korean Kimsuky Targeting South Korean Research Institutes with Backdoor Attacks
The North Korean threat actor known as Kimsuky has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems. "The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC) said in an
2023-12-08T19:03:00+00:00 | https://thehackernews.com/2023/12/n-korean-kimsuky-targeting-south-korean.html | www.secnews.physaphae.fr/article.php?IdArticle=8420188 | False | Threat | APT 43 | 3.0

Dark Reading (Informationweek branch) - North Korea APT Slapped With Cyber Sanctions After Satellite Launch
Sanctions on Kimsuky/APT43 focus the world on disrupting the DPRK regime's sprawling cybercrime operations, expert says.
2023-12-01T21:00:00+00:00 | https://www.darkreading.com/vulnerabilities-threats/north-korea-apt-cyber-sanctions-satellite-launch | www.secnews.physaphae.fr/article.php?IdArticle=8418407 | False | None | APT 43, APT 43 | 3.0

Recorded Future (Recorded Future feed) - US sanctions North Korean 'Kimsuky' hackers after surveillance satellite launch
The U.S. partnered with several nations in the Pacific to hand down sanctions on North Korea - particularly the country's Kimsuky cyber espionage group - after the country launched a surveillance satellite last week. On Thursday evening, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned eight North Korean agents for
2023-12-01T18:15:00+00:00 | https://therecord.media/us-sanctions-north-korean-kimsuky-hackers | www.secnews.physaphae.fr/article.php?IdArticle=8418385 | False | None | APT 43 | 3.0
The Hacker News (hacking news blog) - Konni Group Using Russian-Language Malicious Word Docs in Latest Attacks
A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts. The activity has been attributed to a threat actor called Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43). "This campaign relies on a remote access trojan
2023-11-23T20:16:00+00:00 | https://thehackernews.com/2023/11/konni-group-using-russian-language.html | www.secnews.physaphae.fr/article.php?IdArticle=8416352 | False | None | APT 43 | 2.0

AhnLab (Korean security firm) - 2023 Aug – Threat Trend Report on Kimsuky Group
The Kimsuky group's activities in August 2023 showed a notable surge in the BabyShark type, while the activities of other types were relatively low. Also, phishing samples were found in the infrastructure known for distributing previous malware (FlowerPower, RandomQuery, and AppleSeed), and BabyShark samples were discovered in the RandomQuery infrastructure. This suggests the likelihood of multiple types of malware utilizing a single infrastructure. Aug_Threat Trend Report on Kimsuky Group
2023-10-23T02:21:45+00:00 | https://asec.ahnlab.com/en/57938/ | www.secnews.physaphae.fr/article.php?IdArticle=8399125 | False | Malware, Threat, Prediction | APT 43 | 3.0
Dark Reading (Informationweek branch) - North Korea's Kimsuky Doubles Down on Remote Desktop Control
The sophisticated APT employs various tactics to abuse Windows and other built-in protocols with both custom and public malware to take over victim systems.
2023-10-18T16:11:47+00:00 | https://www.darkreading.com/attacks-breaches/north-korea-s-kimsuky-doubles-down-on-remote-desktop-control | www.secnews.physaphae.fr/article.php?IdArticle=8397354 | False | Malware | APT 43 | 2.0

AhnLab (Korean security firm) - Kimsuky Threat Group Uses RDP to Control Infected Systems
Kimsuky, a threat group known to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy agency in 2014. Other countries have also become targets of their attacks since 2017. [1] The group usually launches spear phishing attacks on the national defense, diplomatic, and academic sectors, defense and media industries, as well as national organizations. Their goal is to exfiltrate internal information and technology...
2023-10-17T09:08:51+00:00 | https://asec.ahnlab.com/en/57873/ | www.secnews.physaphae.fr/article.php?IdArticle=8396631 | False | Threat | APT 43 | 3.0
The Hacker News (hacking news blog) - Researchers Link DragonEgg Android Spyware to LightSpy iOS Surveillanceware
New findings have identified connections between an Android spyware called DragonEgg and another sophisticated modular iOS surveillanceware tool named LightSpy. DragonEgg, alongside WyrmSpy (aka AndroidControl), was first disclosed by Lookout in July 2023 as a strain of malware capable of gathering sensitive data from Android devices. It was attributed to the Chinese nation-state group APT41. On
2023-10-04T20:39:00+00:00 | https://thehackernews.com/2023/10/researchers-link-dragonegg-android.html | www.secnews.physaphae.fr/article.php?IdArticle=8391492 | False | Malware, Tool | APT 41, APT 41 | 3.0

InfoSecurity Mag (InfoSecurity Magazine) - LightSpy iPhone Spyware Linked to Chinese APT41 Group
ThreatFabric found evidence that LightSpy is linked to Android spyware DragonEgg, attributed to the Chinese-sponsored group
2023-10-04T15:30:00+00:00 | https://www.infosecurity-magazine.com/news/lightspy-iphone-spyware-linked/ | www.secnews.physaphae.fr/article.php?IdArticle=8391493 | False | None | APT 41, APT 41 | 2.0

GoogleSec (Google security blog) - SMS Security & Privacy Gaps Make It Clear Users Need a Messaging Upgrade
whitepaper from Dekra, a safety certifications and testing lab, the security shortcomings of SMS can notably lead to:
- SMS Interception: Attackers can intercept SMS messages by exploiting vulnerabilities in mobile carrier networks. This can allow them to read the contents of SMS messages, including sensitive information such as two-factor authentication codes, passwords, and credit card numbers due to the lack of encryption offered by SMS.
- SMS Spoofing: Attackers can spoof SMS messages to launch phishing attacks to make it appear as if they are from a legitimate sender. This can be used to trick users into clicking on malicious links or revealing sensitive information. And because carrier networks have independently developed their approaches to deploying SMS texts over the years, the inability for carriers to exchange reputation signals to help identify fraudulent messages has made it tough to detect spoofed senders distributing potentially malicious messages.
These findings add to the well-established facts about SMS' weaknesses, lack of encryption chief among them. Dekra also compared SMS against a modern secure messaging protocol and found it lacked any built-in security functionality. According to Dekra, SMS users can't answer 'yes' to any of the following basic security questions:
- Confidentiality: Can I trust that no one else can read my SMSs?
- Integrity: Can I trust that the content of the SMS that I receive is not modified?
- Authentication: Can I trust the identity of the sender of the SMS that I receive?
But this isn't just theoretical: cybercriminals have also caught on to the lack of security protections SMS provides and have repeatedly exploited its weakness. Both novice hackers and advanced threat actor groups (such as UNC3944 / Scattered Spider and APT41 investigated by Mandiant, part of Google Cloud) leverage the security deficiencies in SMS to launch different
2023-09-27T12:51:29+00:00 | http://security.googleblog.com/2023/09/sms-security-privacy-gaps-make-it-clear.html | www.secnews.physaphae.fr/article.php?IdArticle=8388447 | False | Vulnerability, Threat, Studies | APT 41 | 3.0

IT Security Guru (security blog) - Lookout Uncovers Advanced Android Surveillanceware Linked To China's APT41
Yesterday, Lookout, Inc., announced the discovery of sophisticated Android surveillanceware known as WyrmSpy and DragonEgg, which has been linked to the Chinese espionage group APT41 (AKA Double Dragon, BARIUM and Winnti). Despite being indicted on multiple charges by the U.S. government for its attacks on more than 100 private and public enterprises in the U.S. [...]
2023-07-20T09:34:15+00:00 | https://www.itsecurityguru.org/2023/07/20/lookout-uncovers-advanced-android-surveillanceware-linked-to-chinas-apt41/?utm_source=rss&utm_medium=rss&utm_campaign=lookout-uncovers-advanced-android-surveillanceware-linked-to-chinas-apt41 | www.secnews.physaphae.fr/article.php?IdArticle=8359177 | False | Mobile | APT 41, APT 41 | 3.0

Bleeping Computer (American magazine) - APT41 hackers target Android users with WyrmSpy, DragonEgg spyware
The Chinese state-backed APT41 hacking group is targeting Android devices with two newly discovered spyware strains dubbed WyrmSpy and DragonEgg by Lookout security researchers. [...]
2023-07-20T07:01:12+00:00 | https://www.bleepingcomputer.com/news/security/apt41-hackers-target-android-users-with-wyrmspy-dragonegg-spyware/ | www.secnews.physaphae.fr/article.php?IdArticle=8359232 | False | None | APT 41, APT 41 | 2.0

Dark Reading (Informationweek branch) - China's APT41 Linked to WyrmSpy, DragonEgg Mobile Spyware
Nation-states see the opportunity in targeting people directly through their mobile phones, in this case with sophisticated Android surveillanceware.
2023-07-19T20:40:00+00:00 | https://www.darkreading.com/threat-intelligence/china-s-apt41-linked-wyrmspy-dragonegg-mobile-spyware | www.secnews.physaphae.fr/article.php?IdArticle=8358966 | False | None | APT 41, APT 41 | 2.0

Recorded Future (Recorded Future feed) - China-linked hackers target mobile devices with WyrmSpy and DragonEgg spyware
The infamous Chinese hacking group tracked as APT41 has been using two newly-identified spyware strains to infect Android devices, cybersecurity researchers said. APT41, also known as Winnti and Brass Typhoon (formerly Barium), is a state-sponsored espionage group that has been active for more than a decade and is known for targeting government organizations for intelligence
2023-07-19T19:36:00+00:00 | https://therecord.media/china-linked-hackers-target-mobile-devices-wyrmspy-dragonegg-spyware | www.secnews.physaphae.fr/article.php?IdArticle=8358951 | False | None | APT 41, APT 41, APT-C-17 | 2.0
[InfoSecurity Mag (InfoSecurity Magazine)] Chinese APT41 Linked to WyrmSpy and DragonEgg Surveillanceware
Lookout attributed WyrmSpy and DragonEgg to APT41 due to overlapping Android signing certificates
2023-07-19T16:00:00+00:00 | https://www.infosecurity-magazine.com/news/apt41-linked-wyrmspy-dragonegg/ | www.secnews.physaphae.fr/article.php?IdArticle=8358867 | tags: APT 41 | score 2.0

[The Hacker News (hacking news blog, surprising, isn't it?)] Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware
The prolific China-linked nation-state actor known as APT41 has been linked to two previously undocumented strains of Android spyware called WyrmSpy and DragonEgg. "Known for its exploitation of web-facing applications and infiltration of traditional endpoint devices, an established threat actor like APT 41 including mobile in its arsenal of malware shows how mobile endpoints are high-value
2023-07-19T15:50:00+00:00 | https://thehackernews.com/2023/07/chinese-apt41-hackers-target-mobile.html | www.secnews.physaphae.fr/article.php?IdArticle=8358765 | tags: Malware, Threat, APT 41 | score 2.0

[Global Security Mag (French news site)] Lookout discovers advanced Android surveillanceware attributed to the Chinese group APT41
Category: Malwares
2023-07-19T12:04:07+00:00 | https://www.globalsecuritymag.fr/Lookout-decouvre-un-logiciel-de-surveillance-Android-avance-attribue-au-groupe.html | www.secnews.physaphae.fr/article.php?IdArticle=8358785 | tags: APT 41 | score 3.0

[AhnLab (Korean security firm)] Threat Trend Report on APT Groups – May 2023
The cases of major APT groups for May 2023 gathered from materials made public by security companies and institutions are as follows. – Agrius – Andariel – APT28 – APT29 – APT-C-36 (Blind Eagle) – Camaro Dragon – CloudWizard – Earth Longzhi (APT41) – GoldenJackal – Kimsuky – Lazarus – Lancefly – OilAlpha – Red Eyes (APT37, ScarCruft) – SideCopy – SideWinder – Transparent Tribe (APT36) – Volt Typhoon (Bronze Silhouette) ATIP_2023_May_Threat Trend Report on APT Groups_20230609
2023-07-07T02:33:29+00:00 | https://asec.ahnlab.com/en/55184/ | www.secnews.physaphae.fr/article.php?IdArticle=8353225 | tags: Threat, Prediction, APT 38, GoldenJackal, APT-C-36, APT 29, APT 37, Guam, APT 28, APT 41, APT 36, APT-C-17 | score 3.0
[Recorded Future (Recorded Future feed)] Iran-based hackers targeting nuclear security experts through Mac, Windows malware
Hackers supporting the government of Iran are targeting experts in Middle Eastern affairs and nuclear security in a new campaign that researchers said involved malware for both Apple and Microsoft products. Cybersecurity experts from Proofpoint attributed the campaign to a group they call TA453 but also is known as Charming Kitten, Mint Sandstorm or APT42,
2023-07-06T17:42:00+00:00 | https://therecord.media/iran-ta453-apt42-charming-kitten-espionage-nuclear-security-think-tanks | www.secnews.physaphae.fr/article.php?IdArticle=8353083 | tags: Malware, APT 35, APT 42 | score 3.0
[knowbe4 (cybersecurity services)] CyberheistNews Vol 13 #24 [The Mind's Bias] Pretexting Now Tops Phishing in Social Engineering Attacks
CyberheistNews Vol 13 #24 | June 13th, 2023

[The Mind's Bias] Pretexting Now Tops Phishing in Social Engineering Attacks

The new Verizon DBIR is a treasure trove of data. As we will cover a bit below, Verizon reported that 74% of data breaches involve the "Human Element," so people are one of the most common factors contributing to successful data breaches. Let's drill down a bit more in the social engineering section. They explained:

"Now, who has received an email or a direct message on social media from a friend or family member who desperately needs money? Probably fewer of you. This is social engineering (pretexting specifically) and it takes more skill.

"The most convincing social engineers can get into your head and convince you that someone you love is in danger. They use information they have learned about you and your loved ones to trick you into believing the message is truly from someone you know, and they use this invented scenario to play on your emotions and create a sense of urgency. The DBIR Figure 35 shows that Pretexting is now more prevalent than Phishing in Social Engineering incidents. However, when we look at confirmed breaches, Phishing is still on top."

A social attack known as BEC, or business email compromise, can be quite intricate. In this type of attack, the perpetrator uses existing email communications and information to deceive the recipient into carrying out a seemingly ordinary task, like changing a vendor's bank account details. But what makes this attack dangerous is that the new bank account provided belongs to the attacker. As a result, any payments the recipient makes to that account will simply disappear.

BEC Attacks Have Nearly Doubled

It can be difficult to spot these attacks as the attackers do a lot of preparation beforehand. They may create a domain doppelganger that looks almost identical to the real one and modify the signature block to show their own number instead of the legitimate vendor's. Attackers can make many subtle changes to trick their targets, especially if they are receiving many similar legitimate requests. This could be one reason why BEC attacks have nearly doubled across the entire DBIR incident dataset, as shown in Figure 36, and now make up over 50% of incidents in this category.

Financially Motivated External Attackers Double Down on Social Engineering

Timely detection and response is crucial when dealing with social engineering attacks, as well as most other attacks. Figure 38 shows a steady increase in the median cost of BECs since 2018, now averaging around $50,000, emphasizing the significance of quick detection. However, unlike the times we live in, this section isn't all doom and
2023-06-13T13:00:00+00:00 | https://blog.knowbe4.com/cyberheistnews-vol-13-24-the-minds-bias-pretexting-now-tops-phishing-in-social-engineering-attacks | www.secnews.physaphae.fr/article.php?IdArticle=8344804 | tags: Spam, Malware, Vulnerability, Threat, Patching, ChatGPT, APT 43, APT 37, Uber | score 2.0

[The Hacker News (hacking news blog, surprising, isn't it?)] Kimsuky Targets Think Tanks and News Media with Social Engineering Attacks
The North Korean nation-state threat actor known as Kimsuky has been linked to a social engineering campaign targeting experts in North Korean affairs with the goal of stealing Google credentials and delivering reconnaissance malware. "Further, Kimsuky's objective extends to the theft of subscription credentials from NK News," cybersecurity firm SentinelOne said in a report shared with The
2023-06-08T09:53:00+00:00 | https://thehackernews.com/2023/06/kimsuky-targets-think-tanks-and-news.html | www.secnews.physaphae.fr/article.php?IdArticle=8343243 | tags: Threat, APT 43 | score 3.0

[InfoSecurity Mag (InfoSecurity Magazine)] North Korean APT Group Kimsuky Expands Social Engineering Tactics
SentinelOne said the campaign specifically targets experts in North Korean affairs
2023-06-07T16:00:00+00:00 | https://www.infosecurity-magazine.com/news/kimsuky-expands-social-engineering/ | www.secnews.physaphae.fr/article.php?IdArticle=8343055 | tags: APT 43 | score 3.0

[Recorded Future (Recorded Future feed)] North Korean hacking group Kimsuky targeting regional experts, news outlets
The North Korean government-backed hacking group Kimsuky is targeting experts in North Korean affairs and media as part of a campaign to gather intelligence - even resorting to stealing subscription information for news outlets reporting on the country's affairs. The findings, published on Tuesday by SentinelOne, coincide with an alert from the National Security Agency
2023-06-06T19:33:00+00:00 | https://therecord.media/north-korean-group-kimsuky-targeting-regional-experts-outlets | www.secnews.physaphae.fr/article.php?IdArticle=8342699 | tags: APT 43 | score 2.0
[Data Security Breach (French news site)] Kimsuky, the malicious code made in North Korea
2023-06-05T16:17:19+00:00 | https://www.datasecuritybreach.fr/kimsuky-thallium-ta406/ | www.secnews.physaphae.fr/article.php?IdArticle=8342214 | tags: APT 43, APT 37 | score 2.0

[InfoSecurity Mag (InfoSecurity Magazine)] US and Korean Agencies Issue Warning on North Korean Cyber-Attacks
The advisory identifies several actors: Kimsuky, Thallium, APT43, Velvet Chollima and Black Banshee
2023-06-02T16:00:00+00:00 | https://www.infosecurity-magazine.com/news/us-korean-agencies-issue-warning/ | www.secnews.physaphae.fr/article.php?IdArticle=8341524 | tags: APT 43, APT 37 | score 3.0

[Recorded Future (Recorded Future feed)] North Korea's Kimsuky cyber-spies earn an alert from Washington, Seoul
Intelligence agencies from the U.S. and South Korea have issued a warning that describes the spying methods of Kimsuky, a notorious North Korean nation-state hacking group that targets think tanks, academia and news media. According to the advisory published on Thursday, Kimsuky hackers use impersonation tactics, masquerading as reliable sources to gain the trust of
2023-06-02T14:42:00+00:00 | https://therecord.media/kimsuky-north-korea-cyber-espionage-us-south-korea-warning | www.secnews.physaphae.fr/article.php?IdArticle=8341502 | tags: APT 43 | score 2.0
[The Hacker News (hacking news blog, surprising, isn't it?)] North Korea's Kimsuky Group Mimics Key Figures in Targeted Cyber Attacks
U.S. and South Korean intelligence agencies have issued a new alert warning of North Korean cyber actors' use of social engineering tactics to strike think tanks, academia, and news media sectors. The "sustained information gathering efforts" have been attributed to a state-sponsored cluster dubbed Kimsuky, which is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (
2023-06-02T11:15:00+00:00 | https://thehackernews.com/2023/06/north-koreas-kimsuky-group-mimics-key.html | www.secnews.physaphae.fr/article.php?IdArticle=8341407 | tags: APT 43 | score 2.0

[Anomali (firm blog)] Anomali Cyber Watch: Custom Virtual Environment Hides FluHorse, BabyShark Evolved into ReconShark, Fleckpe-Infected Apps Add Expensive Subscriptions
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Deconstructing Amadey's Latest Multi-Stage Attack and Malware Distribution (published: May 5, 2023)
McAfee researchers have detected a multi-stage attack that starts with a trojanized wextract.exe, a Windows executable used to extract files from a cabinet (CAB) file. It was used to deliver the AgentTesla, Amadey botnet, LockBit ransomware, Redline Stealer, and other malicious binaries. To avoid detection, the attackers use obfuscation and disable Windows Defender through the registry, thus stopping users from turning it back on through the Defender settings.
Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioral analysis defenses and social engineering training. Users should report suspicious files with double extensions such as .EXE.MUI. Indicators associated with this campaign are available in the Anomali platform and users are advised to block these on their infrastructure.
MITRE ATT&CK: T1562.001 - Disable or Modify Tools | T1555 - Credentials From Password Stores | T1486 - Data Encrypted for Impact | T1027 - Obfuscated Files Or Information
Tags: malware:Amadey, malware-type:Botnet, malware:RedLine, malware:AgentTesla, malware-type:Infostealer, malware:LockBit, malware-type:Ransomware, abused:Wextract.exe, file-type:CAB, file-type:EXE, file-type:MUI, target-program:Windows Defender, target-system:Windows

Eastern Asian Android Assault – FluHorse (published: May 4, 2023)
Active since May 2022, a newly-detected Android stealer dubbed FluHorse spreads mimicking popular apps or as a fake dating application. According to Check Point researchers, FluHorse was targeting East Asia (Taiwan and Vietnam) while remaining undetected for months. This stealthiness is achieved by sticking to minimal functions while also relying on a custom virtual machine that comes with the Flutter user interface software development kit. FluHorse is being distributed via emails that prompt the recipient to install the app and, once installed, it asks for the user's credit card or banking data. If a second factor authentication is needed to commit banking fraud, FluHorse tells the user to wait for 10-15 minutes while intercepting codes by installing a listener for all incoming SMS messages.
Analyst Comment: FluHorse's ability to remain undetected for months makes it a dangerous threat. Users should avoid installing applications following download links received via email or other messaging. Verify the app authenticity on the official com
2023-05-09T20:02:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-custom-virtual-environment-hides-fluhorse-babyshark-evolved-into-reconshark-fleckpe-infected-apps-add-expensive-subscriptions | www.secnews.physaphae.fr/article.php?IdArticle=8334939 | tags: Malware, Tool, Threat, APT 43, APT 37 | score 3.0

[InfoSecurity Mag (InfoSecurity Magazine)] North Korean APT Kimsuky Launches Global Spear-Phishing Campaign
ReconShark is sent via emails containing OneDrive links leading to documents with malicious macros
2023-05-05T16:00:00+00:00 | https://www.infosecurity-magazine.com/news/north-korea-kimsuky-spear-phishing/ | www.secnews.physaphae.fr/article.php?IdArticle=8333808 | tags: APT 43 | score 2.0

[The Hacker News (hacking news blog, surprising, isn't it?)] N. Korean Kimsuky Hackers Using New Recon Tool ReconShark in Latest Cyberattacks
The North Korean state-sponsored threat actor known as Kimsuky has been discovered using a new reconnaissance tool called ReconShark as part of an ongoing global campaign. "[ReconShark] is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros," SentinelOne researchers Tom Hegel
2023-05-05T15:49:00+00:00 | https://thehackernews.com/2023/05/n-korean-kimsuky-hackers-using-new.html | www.secnews.physaphae.fr/article.php?IdArticle=8333757 | tags: Tool, Threat, APT 43 | score 3.0

[The Hacker News (hacking news blog, surprising, isn't it?)] Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics
A Chinese state-sponsored hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after more than six months of no activity. Trend Micro attributed the intrusion set to a cyber espionage group it tracks under the name Earth Longzhi, which is a subgroup within APT41 (aka HOODOO
2023-05-03T18:57:00+00:00 | https://thehackernews.com/2023/05/chinese-hacker-group-earth-longzhi.html | www.secnews.physaphae.fr/article.php?IdArticle=8333157 | tags: Malware, APT 41 | score 2.0

[SecurityWeek (security news)] Chinese APT Uses New 'Stack Rumbling' Technique to Disable Security Software
A subgroup of China-linked hacker group APT41 is using a new 'stack rumbling' DoS technique to disable security software.
2023-05-03T10:46:02+00:00 | https://www.securityweek.com/chinese-apt-uses-new-stack-rumbling-technique-to-disable-security-software/ | www.secnews.physaphae.fr/article.php?IdArticle=8333095 | tags: APT 41 | score 2.0

[Dark Reading (InformationWeek branch)] APT41 Subgroup Plows Through Asia-Pacific, Utilizing Layered Stealth Tactics
The notorious Chinese APT is spreading cyber maliciousness around Southeast Asia, and its next targets are already in sight.
2023-05-02T21:58:00+00:00 | https://www.darkreading.com/vulnerabilities-threats/apt41-subgroup-plows-through-asia-pacific-utilizing-layered-stealth-tactics | www.secnews.physaphae.fr/article.php?IdArticle=8332939 | tags: APT 41 | score 2.0

[TrendLabs Security (antivirus vendor)] Attack on Security Titans: Earth Longzhi Returns With New Tricks
After months of dormancy, Earth Longzhi, a subgroup of advanced persistent threat (APT) group APT41, has reemerged using new techniques in its infection routine. This blog entry forewarns readers of Earth Longzhi's resilience as a noteworthy threat.
2023-05-02T00:00:00+00:00 | https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html | www.secnews.physaphae.fr/article.php?IdArticle=8332806 | tags: Threat, APT 41 | score 2.0

[Checkpoint Research (security hardware manufacturer)] Chain Reaction: ROKRAT's Missing Link
Key findings. Introduction. From the many reports on APT37 in recent months, to Mandiant's announcement on APT43, a lot of attention is currently focused on North Korean threat actors – and with good reason. North Korea has a long history of attacking its southern neighbor, especially by means of cyber warfare which continues today. In this […]
2023-05-01T11:32:18+00:00 | https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/ | www.secnews.physaphae.fr/article.php?IdArticle=8332629 | tags: Threat, APT 43, APT 37 | score 2.0
[Recorded Future (Recorded Future feed)] Iran APT using 'BellaCiao' malware against targets in US, Europe and Asia
An Iranian state-sponsored hacking group has been accused of deploying a new strain of malware named BellaCiao against several victims in the U.S., Europe, India, Turkey and other countries. Researchers from cybersecurity firm Bitdefender [attributed](https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/) the malware to APT35/APT42 – also known as Mint Sandstorm or Charming Kitten – an advanced persistent threat group that
2023-04-30T16:51:00+00:00 | https://therecord.media/iran-apt-charming-kitten-bellaciao-malware-us-europe-asia | www.secnews.physaphae.fr/article.php?IdArticle=8332393 | tags: Malware, Threat, APT 35, APT 42 | score 3.0
[Anomali (firm blog)] Anomali Cyber Watch: Two Supply-Chain Attacks Chained Together, Decoy Dog Stealthy DNS Communication, EvilExtractor Exfiltrates to FTP Server
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters (published: April 21, 2023)
A new Monero cryptocurrency-mining campaign is the first recorded case of gaining persistence via Kubernetes (K8s) Role-Based Access Control (RBAC), according to Aquasec researchers. The recorded honeypot attack started with exploiting a misconfigured API server. The attackers proceeded by gathering information about the cluster, checking if their cluster was already deployed, and deleting some existing deployments. They used RBAC to gain persistence by creating a new ClusterRole and a new ClusterRoleBinding. The attackers then created a DaemonSet to use a single API request to target all nodes for deployment. The deployed malicious image from the public registry Docker Hub was named to impersonate a legitimate account and a popular legitimate image. It has been pulled 14,399 times and 60 exposed K8s clusters have been found with signs of exploitation by this campaign.
Analyst Comment: Your company should have protocols in place to ensure that all cluster management and cloud storage systems are properly configured and patched. K8s buckets are too often misconfigured and threat actors realize there is potential for malicious activity. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from highly-active threat groups.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1496 - Resource Hijacking | T1036 - Masquerading | T1489 - Service Stop
Tags: Monero, malware-type:Cryptominer, detection:PUA.Linux.XMRMiner, file-type:ELF, abused:Docker Hub, technique:RBAC Buster, technique:Create ClusterRoleBinding, technique:Deploy DaemonSet, target-system:Linux, target:K8s, target:Kubernetes RBAC

3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible (published: April 20, 2023)
Investigation of the previously-reported 3CX supply chain compromise (March 2023) allowed Mandiant researchers to detect that it was a result of a prior software supply chain attack using a trojanized installer for X_TRADER, a software package provided by Trading Technologies. The attack involved the publicly-available tool SigFlip decrypting an RC4 stream-cipher payload and starting the publicly-available DaveShell shellcode for reflective loading. It led to installation of the custom, modular VeiledSignal backdoor. VeiledSignal additional modules inject the C2 module in a browser process instance, create a Windows named pipe and
2023-04-25T18:22:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-two-supply-chain-attacks-chained-together-decoy-dog-stealthy-dns-communication-evilextractor-exfiltrates-to-ftp-server | www.secnews.physaphae.fr/article.php?IdArticle=8331005 | tags: Ransomware, Spam, Malware, Tool, Threat, Cloud, APT 38, ChatGPT, APT 43, Uber | score 2.0

[Dark Reading (InformationWeek branch)] APT41 Taps Google Red Teaming Tool in Targeted Info-Stealing Attacks
China-linked APT41 group targeted a Taiwanese media organization and an Italian job agency with standard, open source penetration test tools, in a change in strategy.
2023-04-18T17:58:00+00:00 | https://www.darkreading.com/vulnerabilities-threats/apt41-taps-google-red-teaming-tool-targeted-info-stealing-attacks | www.secnews.physaphae.fr/article.php?IdArticle=8328985 | tags: Tool, APT 41 | score 3.0

[The Hacker News (hacking news blog, surprising, isn't it?)] Google Uncovers APT41's Use of Open Source GC2 Tool to Target Media and Job Sites
A Chinese nation-state group targeted an unnamed Taiwanese media organization to deliver an open source red teaming tool known as Google Command and Control (GC2) amid broader abuse of Google's infrastructure for malicious ends. The tech giant's Threat Analysis Group (TAG) attributed the campaign to a threat actor it tracks under the geological and geographical-themed moniker HOODOO, which is
2023-04-17T17:16:00+00:00 | https://thehackernews.com/2023/04/google-uncovers-apt41s-use-of-open.html | www.secnews.physaphae.fr/article.php?IdArticle=8328593 | tags: Tool, Threat, APT 41 | score 3.0

[The Hacker News (hacking news blog, surprising, isn't it?)] Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks
A North Korean government-backed threat actor has been linked to attacks targeting government and military personnel, think tanks, policy makers, academics, and researchers in South Korea and the U.S. Google's Threat Analysis Group (TAG) is tracking the cluster under the name ARCHIPELAGO, which it said is a subset of another threat group tracked by Mandiant under the name APT43. The tech giant
2023-04-05T17:49:00+00:00 | https://thehackernews.com/2023/04/google-tag-warns-of-north-korean-linked.html | www.secnews.physaphae.fr/article.php?IdArticle=8325066 | tags: Threat, APT 43 | score 2.0

[Recorded Future (Recorded Future feed)] Hackers posed as reporters in attacks on North Korea experts, Google says
Government-backed hackers allegedly connected to the North Korean military targeted people with expertise in North Korea policy issues by posing as journalists, according to a new report. Researchers from Google's Threat Analysis Group (TAG) released the report Wednesday as a follow-up to one [published last week](https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage) by cybersecurity firm Mandiant - which is owned by
2023-04-05T12:00:00+00:00 | https://therecord.media/north-korea-hackers-impersonate-journalists-google | www.secnews.physaphae.fr/article.php?IdArticle=8325048 | tags: Threat, APT 43 | score 4.0
knowbe4 - cybersecurity services
CyberheistNews Vol 13 #14 [Eyes on the Prize] How Crafty Cons Attempted a 36 Million Vendor Email Heist
CyberheistNews Vol 13 #14 | April 4th, 2023
[Eyes on the Prize] How Crafty Cons Attempted a 36 Million Vendor Email Heist
The details in this thwarted VEC attack demonstrate how the use of just a few key details can both establish credibility and indicate the entire thing is a scam. It's not every day you hear about a purely social engineering-based scam taking place that is looking to run away with tens of millions of dollars. But, according to security researchers at Abnormal Security, cybercriminals are becoming brazen and are taking their shots at very large prizes. This attack begins with a case of VEC – where a domain is impersonated. In the case of this attack, the impersonated vendor's domain (which had a .com top level domain) was replaced with a matching .cam domain (.cam domains are supposedly used for photography enthusiasts, but there's the now-obvious problem with it looking very much like .com at a cursory glance). The email attaches a legitimate-looking payoff letter complete with loan details. According to Abnormal Security, nearly every aspect of the request looked legitimate. The telltale signs primarily revolved around the use of the lookalike domain, but there were other grammatical mistakes (that can easily be addressed by using an online grammar service or ChatGPT). This attack was identified well before it caused any damage, but the social engineering tactics leveraged were nearly enough to make this attack successful.
Security solutions will help stop most attacks, but for those that make it past scanners, your users need to play a role in spotting and stopping BEC, VEC and phishing attacks themselves – something taught through security awareness training combined with frequent simulated phishing and other social engineering tests. Blog post with screenshots and links: https://blog.knowbe4.com/36-mil-vendor-email-compromise-attack
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense. Join us TOMORROW, Wednesday, April 5, @ 2:00 PM (ET), for a live demo of how KnowBe4 i
2023-04-04T13:00:00+00:00 https://blog.knowbe4.com/cyberheistnews-vol-13-14-eyes-on-the-price-how-crafty-cons-attempted-a-36-million-vendor-email-heist www.secnews.physaphae.fr/article.php?IdArticle=8324667 False Ransomware,Malware,Hack,Threat ChatGPT,ChatGPT,APT 43 2.0000000000000000
The Register - English news site
Another year, another North Korean malware-spreading, crypto-stealing gang named
Mandiant identifies 'moderately sophisticated' but 'prolific' APT43 as global menace. Google Cloud's recently acquired security outfit Mandiant has named a new nasty from North Korea: a cyber crime gang it calls APT43 and accuses of a five-year rampage.…
2023-03-30T04:40:47+00:00 https://go.theregister.com/feed/www.theregister.com/2023/03/30/mandian_apt43_north_korea/ www.secnews.physaphae.fr/article.php?IdArticle=8323334 False Studies,Prediction APT 43 2.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
North Korean APT43 Group Uses Cybercrime to Fund Espionage Operations
A new North Korean nation-state cyber operator has been attributed to a series of campaigns orchestrated to gather strategic intelligence that aligns with Pyongyang's geopolitical interests since 2018. Google-owned Mandiant, which is tracking the activity cluster under the moniker APT43, said the group's motives are both espionage- and financially-motivated, leveraging techniques like credential
2023-03-29T11:02:00+00:00 https://thehackernews.com/2023/03/north-korean-apt43-group-uses.html www.secnews.physaphae.fr/article.php?IdArticle=8322852 False None APT 43 2.0000000000000000
InfoSecurity Mag - InfoSecurity Magazine
Experts Warn of Self-Funding North Korean Group APT43
Mandiant says unit is focused on espionage and crypto theft
2023-03-29T08:30:00+00:00 https://www.infosecurity-magazine.com/news/selffunding-north-korean-group/ www.secnews.physaphae.fr/article.php?IdArticle=8322872 False None APT 43 2.0000000000000000
SecurityWeek - Security News
Mandiant Catches Another North Korean Gov Hacker Group
Mandiant flags APT43 as a "moderately-sophisticated cyber operator that supports the interests of the North Korean regime."
2023-03-28T21:57:06+00:00 https://www.securityweek.com/mandiant-catches-another-north-korean-gov-hacker-group/ www.secnews.physaphae.fr/article.php?IdArticle=8322676 False None APT 43 2.0000000000000000
Anomali - Firm Blog
Anomali Cyber Watch: Account takeover, APT, Banking trojans, China, Cyberespionage, India, Malspam, North Korea, Phishing, Skimmers, Ukraine, and Vulnerabilities
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Phishing Campaign Targets Chinese Nuclear Energy Industry (published: March 24, 2023)
Active since 2013, the Bitter group (T-APT-17) is suspected of being sponsored by the Indian government. Intezer researchers discovered a new Bitter campaign targeting academics, government and other organizations in the nuclear energy industry in China. The techniques are consistent with previously observed Bitter campaigns. The intrusion begins with a phishing email purporting to come from a genuine employee of the Kyrgyzstan embassy. The malicious attachments observed were either Microsoft Compiled HTML (CHM) files or Microsoft Excel files with Equation Editor exploits. The goal of the payloads is to establish persistence via scheduled tasks and to download further malware payloads (previous Bitter campaigns used browser credential stealer, file stealer, keylogger and remote access tool plugins). The attackers relied on LZX compression and string concatenation for detection evasion.
Analyst Comment: Many advanced attacks start with basic techniques such as unsolicited emails with an attachment that requires the user to open it. It is important to teach your users basic online hygiene and phishing awareness. It is safe to recommend never opening attached CHM files and keeping your MS Office desktop fully updated. All known indicators associated with this Bitter campaign are available in the Anomali platform and customers are advised to block them on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1589.002 - Gather Victim Identity Information: Email Addresses | [MITRE ATT&CK] T1566.001 - Phishing: Spearphishing Attachment | [MITRE AT
2023-03-28T21:28:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-account-takeover-apt-banking-trojans-china-cyberespionage-india-malspam-north-korea-phishing-skimmers-ukraine-and-vulnerabilities www.secnews.physaphae.fr/article.php?IdArticle=8322667 False Malware,Tool,Threat,Cloud APT 43,APT 37 2.0000000000000000
Dark Reading - Informationweek Branch
North Korea's Kimsuky Evolves into Full-Fledged, Prolific APT
In cyberattacks against the US, South Korea, and Japan, the group (aka APT43 or Thallium) is using advanced social engineering and cryptomining tactics that set it apart from other threat actors.
2023-03-28T17:05:00+00:00 https://www.darkreading.com/threat-intelligence/north-korea-kimsuky-evolves-full-fledged-persistent-threat www.secnews.physaphae.fr/article.php?IdArticle=8322589 False Threat,Cloud APT 43,APT 37 4.0000000000000000
CyberScoop - scoopnewsgroup.com special Cyber
North Korean hackers turn to 'cloud mining' for crypto to avoid law enforcement scrutiny
Researchers at Mandiant identified a new hacking group known as APT 43 that uses stolen bitcoin to fund cyberespionage operations.
2023-03-28T15:08:13+00:00 https://cyberscoop.com/north-korean-hackers-cloud-mining-cyrptocurrency/ www.secnews.physaphae.fr/article.php?IdArticle=8322571 False Threat APT 43 2.0000000000000000
Global Security Mag - French news site
APT43: A North Korean group uses cybercrime to fund espionage operations
Malwares
2023-03-28T15:03:38+00:00 https://www.globalsecuritymag.fr/APT43-Un-groupe-nord-coreen-utilise-la-cybercriminalite-pour-financer-des.html www.secnews.physaphae.fr/article.php?IdArticle=8322553 False General Information APT 43 3.0000000000000000
Mandiant - Mandiant security blog
APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations
Today, we are publishing a report on
2023-03-28T10:00:00+00:00 https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage www.secnews.physaphae.fr/article.php?IdArticle=8377376 False Threat APT 43,APT 43 4.0000000000000000
Anomali - Firm Blog
Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Xenomorph V3: a New Variant with ATS Targeting More Than 400 Institutions (published: March 10, 2023)
Newer versions of the Xenomorph Android banking trojan are able to target 400 applications: cryptocurrency wallets and mobile banking from around the world, with the top targeted countries being Spain, Turkey, Poland, USA, and Australia (in that order).
Since February 2022, several small, testing Xenomorph campaigns have been detected. Its current version Xenomorph v3 (Xenomorph.C) is available on the Malware-as-a-Service model. This trojan version was delivered using the Zombinder binding service to bind it to a legitimate currency converter. Xenomorph v3 automatically collects and exfiltrates credentials using the ATS (Automated Transfer Systems) framework. The command-and-control traffic is blended in by abusing the Discord Content Delivery Network.
Analyst Comment: Fraud chain automation makes Xenomorph v3 a dangerous malware that might significantly increase its prevalence on the threat landscape. Users should keep their mobile devices updated and avail of mobile antivirus and VPN protection services. Install only applications that you actually need, use the official store and check the app description and reviews. Organizations that publish applications for their customers are invited to use Anomali's Premium Digital Risk Protection service to discover rogue, malicious apps impersonating your brand that security teams typically do not search or monitor.
MITRE ATT&CK: [MITRE ATT&CK] T1417.001 - Input Capture: Keylogging | [MITRE ATT&CK] T1417.002 - Input Capture: GUI Input Capture
Tags: malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility services, Overlay attack, Discord CDN, Cryptocurrency wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android
Cobalt Illusion Masquerades as Atlantic Council Employee (published: March 9, 2023)
A new campaign by Iran-sponsored Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorous) was detected targeting Mahsa Amini protests and researchers who document the suppression of women and minority groups i
2023-03-14T17:32:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-xenomorph-automates-the-whole-fraud-chain-on-android-icefire-ransomware-started-targeting-linux-mythic-leopard-delivers-spyware-using-romance-scam www.secnews.physaphae.fr/article.php?IdArticle=8318511 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Conference ChatGPT,ChatGPT,APT 35,APT 42,APT 36 2.0000000000000000
Dark Reading - Informationweek Branch
China's BlackFly Targets Materials Sector in 'Relentless' Quest for IP
2023-02-28T16:10:00+00:00 https://www.darkreading.com/endpoint/china-blackfly-targets-materials-sector-relentless-quest-ip www.secnews.physaphae.fr/article.php?IdArticle=8314200 False None APT 41 3.0000000000000000
Recorded Future - Recorded Future feed
British cyber agency issues warning over Russian and Iranian espionage campaigns
(Image: NCSC headquarters)
Two separate but similar espionage campaigns from Russian and Iranian-linked groups have prompted a warning from Britain's National Cyber
Security Centre. In a document published on Thursday local time the NCSC warned how instead of sending surprise phishing emails, the hacking groups – identified as "Russia-based" SEABORGIUM and "Iran-based" APT42, or Charming Kitten – are […]
2023-01-26T00:01:00+00:00 https://therecord.media/british-cyber-agency-issues-warning-over-russian-and-iranian-espionage-campaigns/ www.secnews.physaphae.fr/article.php?IdArticle=8304084 False Conference APT 35,APT 42 2.0000000000000000
Global Security Mag - French news site
Iranian-state-aligned threat actor targets new victims in cyberespionage and kinetic campaigns – Proofpoint research
Malware Update
2022-12-14T10:20:58+00:00 https://www.globalsecuritymag.fr/Iranian-state-aligned-threat-actor-targets-new-victims-in-cyberespionage-and.html www.secnews.physaphae.fr/article.php?IdArticle=8291153 False Threat,Conference APT 35,APT 42 2.0000000000000000
Security Affairs - Security blog
Previously undetected Earth Longzhi APT group is a subgroup of APT41
Trend Micro reported that the Earth Longzhi group, a previously undocumented subgroup of APT41, targets Ukraine and Asian countries. Early this year, Trend Micro investigated a security breach suffered by a company in Taiwan. Threat actors employed a custom Cobalt Strike loader in the attack. Further analysis revealed that the same threat actor targeted multiple regions […]
2022-11-15T08:46:34+00:00 https://securityaffairs.co/wordpress/138536/apt/earth-longzhi-subgroup-apt41.html www.secnews.physaphae.fr/article.php?IdArticle=8023019 False Threat,Guideline APT 41 4.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
New "Earth Longzhi" APT Targets Ukraine and Asian Countries with Custom Cobalt Strike Loaders
2022-11-14T18:33:00+00:00 https://thehackernews.com/2022/11/new-earth-longzhi-apt-targets-ukraine.html www.secnews.physaphae.fr/article.php?IdArticle=8009314 False Threat,Guideline APT 41 2.0000000000000000
TrendMicro - Security Firm Blog
Hack the Real Box: APT41's New Subgroup Earth Longzhi
2022-11-09T00:00:00+00:00 https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html www.secnews.physaphae.fr/article.php?IdArticle=7904747 False Threat,Guideline APT 41 None
Anomali - Firm Blog
Anomali Cyber Watch: Active Probing Revealed ShadowPad C2s, Fodcha Hides Behind Obscure TLDs, Awaiting OpenSSL 3.0 Patch, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Threat Analysis: Active C2 Discovery Using Protocol Emulation Part3 (ShadowPad) (published: October 27, 2022)
ShadowPad is a custom, modular malware in use by multiple China-sponsored groups since 2015. VMware researchers analyzed the command-and-control (C2) protocol in recent ShadowPad samples. They uncovered decoding routines and protocol/port combinations such as HTTP/80, HTTP/443, TCP/443, UDP/53, and UDP/443. Active probing revealed 83 likely ShadowPad C2 servers (during September 2021 to September 2022). Additional samples communicating with this infrastructure included Spyder (used by APT41) and ReverseWindow (used by the LuoYu group).
Analyst Comment: Researchers can use reverse engineering and active probing to map malicious C2 infrastructure. At the same time, the ShadowPad malware changes the immediate values used in the packet encoding per variant, so finding new samples is crucial for this monitoring.
MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Ingress Tool Transfer - T1105
Tags: detection:ShadowPad, C2, APT, China, source-country:CN, actor:APT41, actor:LuoYu, detection:Spyder, detection:ReverseWindow, TCP, HTTP, HTTPS, UDP
Raspberry Robin Worm Part of Larger Ecosystem Facilitating Pre-Ransomware Activity (published: October 27, 2022)
The Raspberry Robin USB-drive-targeting worm is an increasingly popular infection and delivery method. Raspberry Robin works as a three-file infection: a Raspberry Robin LNK file on a USB drive, the Raspberry Robin DLL (aka Roshtyak) backdoor, and a heavily-obfuscated .NET DLL that writes LNKs to USB drives. Microsoft researchers analyzed several infection chains likely centered around threat group EvilCorp (aka DEV-0206/DEV-0243). Besides being the initial infection vector, Raspberry Robin was seen delivered by the Fauppod malware, which shares certain code similarities both with Raspberry Robin and with EvilCorp's Dridex malware. Fauppod/Raspberry Robin infections were followed by additional malware (Bumblebee, Cobalt Strike, IcedID, TrueBot), and eventually led to a ransomware infection (LockBit, Clop).
Analyst Comment: Organizations are advised against enabling Autorun of removable media on Windows by default, as it allows automated activation of an inserted, Raspberry Robin-infected USB drive. Apply best practices related to credential hygiene, network segmentation, and attack surface reduction.
MITRE ATT&CK: [MITRE ATT&CK] Replicat
2022-11-01T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-active-probing-revealed-shadowpad-c2s-fodcha-hides-behind-obscure-tlds-awaiting-openssl-30-patch-and-more www.secnews.physaphae.fr/article.php?IdArticle=7765391 False Ransomware,Malware,Hack,Tool,Vulnerability,Threat,Guideline APT 41 None
Mandiant - Mandiant security blog
Pro-PRC DRAGONBRIDGE Influence Campaign Leverages New TTPs to Aggressively Target U.S. Interests, Including Midterm Elections
Mandiant has recently observed DRAGONBRIDGE, an influence campaign we assess with high confidence to be operating in support of the political interests of the People's Republic of China (PRC), aggressively targeting the United States by seeking to sow division both between the U.S. and its allies and within the U.S. political system itself. Recent narratives include: Claims that the China-nexus threat group APT41 is instead a U.S. government-backed actor. Aggressive attempts to discredit the U.S. democratic process, including attempts to discourage Americans from voting in the 2022 U.S
2022-10-26T09:00:00+00:00 https://www.mandiant.com/resources/blog/prc-dragonbridge-influence-elections www.secnews.physaphae.fr/article.php?IdArticle=8377414 False Threat APT 41 3.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Chinese 'Spyder Loader' Malware Spotted Targeting Organizations in Hong Kong
2022-10-18T15:41:00+00:00 https://thehackernews.com/2022/10/chinese-spyder-loader-malware-spotted.html www.secnews.physaphae.fr/article.php?IdArticle=7538339 False Malware,Threat,Guideline APT 41 None
Security Affairs - Security blog
China-linked APT41 group targets Hong Kong with Spyder Loader
China-linked threat actors APT41 (a.k.a. Winnti) targeted organizations in Hong Kong, in some cases remaining undetected for a year. Symantec researchers reported that cyberespionage group APT41 targeted organizations in Hong Kong in a campaign that is a likely continuation of the Operation CuckooBees activity detailed by Cybereason in May. Winnti (aka APT41, Axiom, Barium, Blackfly) is a cyberespionage […]
2022-10-18T14:15:09+00:00 https://securityaffairs.co/wordpress/137300/apt/apt41-spyder-loader.html www.secnews.physaphae.fr/article.php?IdArticle=7541666 False Threat,Guideline APT 17,APT 41 None
Bleeping Computer - American magazine
Hackers compromised Hong Kong govt agency network for a year
2022-10-18T06:00:00+00:00 https://www.bleepingcomputer.com/news/security/hackers-compromised-hong-kong-govt-agency-network-for-a-year/ www.secnews.physaphae.fr/article.php?IdArticle=7540828 False Guideline APT 41 None
GoogleSec - Firm Security Blog
Google Pixel 7 and Pixel 7 Pro: The next evolution in mobile security
[1] Pixel phones also get better every few months with Feature Drops that provide the latest product updates, tips and tricks from Google. And Pixel 7 and Pixel 7 Pro users will receive at least five years of security updates [2], so your Pixel gets even more secure over time.
Your protection, built into Pixel
Your digital life and most sensitive information lives on your phone: financial information, passwords, personal data, photos – you name it. With Google Tensor G2 and our custom Titan M2 security chip, Pixel 7 and Pixel 7 Pro have multiple layers of hardware security to help keep you and your personal information safe. We take a comprehensive, end-to-end approach to security with verifiable protections at each layer - the network, application, operating system and multiple layers on the silicon itself. If you use Pixel for your business, this approach helps protect your company data, too. Google Tensor G2 is Pixel's newest powerful processor custom built with Google AI, and makes Pixel 7 faster, more efficient and secure [3]. Every aspect of Tensor G2 was designed to improve Pixel's performance and efficiency for great battery life, amazing photos and videos. Tensor's built-in security core works with our Titan M2 security chip to keep your personal information, PINs and passwords safe.
Titan family chips are also used to protect Google Cloud data centers and Chromebooks, so the same hardware that protects Google servers also secures your sensitive information stored on Pixel. And, in a first for Google, Titan M2 hardware has now been certified under Common Criteria PP0084: the international gold standard for hardware security components also used for identity, SIM cards, and bankcard security chips.
2022-10-11T19:22:42+00:00 http://security.googleblog.com/2022/10/google-pixel-7-and-pixel-7-pro-next.html www.secnews.physaphae.fr/article.php?IdArticle=7482584 False Spam,Malware,Vulnerability,Guideline,Industrial APT 40 None
Anomali - Firm Blog
Anomali Cyber Watch: Uber and GTA 6 Were Breached, RedLine Bundle File Advertises Itself on YouTube, Supply-Chain Attack via eCommerce Fishpig Extensions, and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Hacker Pwns Uber Via Compromised VPN Account (published: September 16, 2022)
On September 15, 2022, ride-sharing giant Uber started an incident response after discovering a data breach. According to Group-IB researchers, download file name artifacts point to the attacker getting access to fresh keylogger logs affecting two Uber employees from Indonesia and Brazil that had been infected with Racoon and Vidar stealers. The attacker allegedly used compromised VPN account credentials and performed a multifactor authentication fatigue attack by requesting the MFA push notification many times and then making a social-engineering call to the affected employee. Once inside, the attacker allegedly found valid credentials for privilege escalation: a PowerShell script containing hardcoded credentials for a Thycotic privileged access management admin account.
On September 18, 2022, Rockstar Games' Grand Theft Auto 6 suffered a confirmed data leak, likely caused by the same attacker.
Analyst Comment: Network defenders can consider setting up alerts for signs of an MFA fatigue attack such as a large number of MFA requests in a relatively short period of time. Review your source code for embedded credentials, especially those with administrative privileges.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Credentials from Password Stores - T1555
Tags: MFA fatigue, Social engineering, Data breach, Uber, GTA 6, GTA VI, detection:Racoon, detection:Vidar, malware-type:Keylogger, malware-type:Stealer
Self-Spreading Stealer Attacks Gamers via YouTube (published: September 15, 2022)
Kaspersky researchers discovered a new campaign spreading the RedLine commodity stealer. This campaign utilizes a malicious bundle: a single self-extracting archive. The bundle delivers RedLine and additional malware, which enables spreading the malicious archive by publishing promotional videos on the victim's YouTube channel. These videos target gamers with promises of "cheats" and "cracks."
Analyst Comment: Kids and other online gamers should be reminded to avoid illegal software. It might be better to use different machines for your gaming and banking activities.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Resource Hijacking - T1496
Tags: detection:RedLine, malware-type:Stealer, Bundle, Self-spreading, Telegraph, Youtub
2022-09-20T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-uber-and-gta-6-were-breached-redline-bundle-file-advertises-itself-on-youtube-supply-chain-attack-via-ecommerce-fishpig-extensions-and-more www.secnews.physaphae.fr/article.php?IdArticle=7016803 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline Uber,Uber,APT 15,APT 41 None
CSO - CSO Daily Dashboard
Iranian cyberspies use multi-persona impersonation in phishing threads
recently reported with medium confidence that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC)'s Intelligence Organization (IRGC-IO) and specializes in highly targeted social engineering.
2022-09-14T05:09:00+00:00 https://www.csoonline.com/article/3673295/iranian-cyberspies-use-multi-persona-impersonation-in-phishing-threads.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=6887761 False Conference APT 35,APT 42 None
Security Affairs - Security blog
Iran-linked APT42 is behind over 30 espionage attacks
Iran-linked APT42 (formerly UNC788) is suspected to be the actor behind over 30 cyber espionage attacks against activists and dissidents. Experts attribute over 30 cyber espionage attacks against activists and dissidents to the Iran-linked APT42 (formerly UNC788). The campaigns have been conducted since 2015 and are aimed at conducting information collection and surveillance operations against […]
2022-09-11T13:31:49+00:00 https://securityaffairs.co/wordpress/135581/apt/iran-apt42-espionage-attacks.html www.secnews.physaphae.fr/article.php?IdArticle=6844175 False None APT 42 None
The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents
2022-09-11T09:51:00+00:00 https://thehackernews.com/2022/09/iranian-apt42-launched-over-30.html www.secnews.physaphae.fr/article.php?IdArticle=6836613 False Threat APT 42 None
InfoSecurity Mag - InfoSecurity Magazine
Researchers Reveal New Iranian Threat Group APT42
2022-09-08T13:20:00+00:00 https://www.infosecurity-magazine.com/news/researchers-iranian-threat-group/ www.secnews.physaphae.fr/article.php?IdArticle=6785088 False Threat APT 42 None
CyberScoop - scoopnewsgroup.com special Cyber
Sprawling, multi-year Iranian cyberespionage and surveillance group exposed in new report
The Iranian cyberespionage group known as APT 42 is characterized by targeted spear phishing campaigns and extensive surveillance operations.
2022-09-07T16:32:32+00:00 https://www.cyberscoop.com/iranian-cyberespionage-and-surveillance-group/ www.secnews.physaphae.fr/article.php?IdArticle=6769477 False None APT 42 None
Global Security Mag - French news site
New cyber-espionage group discovered: APT42 - Crooked Charms, Cons and Compromises
Malwares
2022-09-07T15:07:57+00:00 http://www.globalsecuritymag.fr/Nouveau-groupe-de-cyberespionnage,20220907,129567.html www.secnews.physaphae.fr/article.php?IdArticle=6769018 False None APT 42 None
Dark Reading - Informationweek Branch
Iran-Linked APT Cozies Up to 'Enemies' in Trust-Based Spy Game
2022-09-07T14:37:13+00:00 https://www.darkreading.com/vulnerabilities-threats/iran-linked-apt-cozies-up-enemies-trust-based-spy-game www.secnews.physaphae.fr/article.php?IdArticle=6807463 False None APT 42 None
Bleeping Computer - American magazine
New Iranian hacking group APT42 deploys custom Android spyware
2022-09-07T10:18:39+00:00 https://www.bleepingcomputer.com/news/security/new-iranian-hacking-group-apt42-deploys-custom-android-spyware/ www.secnews.physaphae.fr/article.php?IdArticle=6768215 False Malware APT 42 None
Mandiant - Mandiant security blog
APT42: Crooked Charms, Cons, and Compromises
Today, Mandiant is releasing a comprehensive report detailing APT42, an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government. We estimate with moderate confidence that APT42 operates on behalf of the Islamic Revolutionary Guard Corps (IRGC)'s Intelligence Organization (IRGC-IO) based on targeting patterns that align with the organization's operational mandates and priorities. The full published report covers APT42's recent and historical
2022-09-07T09:00:00+00:00 https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises www.secnews.physaphae.fr/article.php?IdArticle=8377432 False None APT 42,APT 42 4.0000000000000000
Security Affairs - Security blog
China-linked APT40 used ScanBox Framework in a long-running espionage campaign
Experts uncovered a cyber espionage campaign conducted by a China-linked APT group and aimed at several entities in the South China Sea. Proofpoint's Threat Research Team uncovered a cyber espionage campaign targeting entities across the world that was orchestrated by a China-linked threat actor. The campaign aimed at entities in Australia, Malaysia, and Europe, as […]
2022-08-31T13:03:30+00:00 https://securityaffairs.co/wordpress/135076/apt/apt40-scanbox-campaign.html www.secnews.physaphae.fr/article.php?IdArticle=6645584 False Threat APT 40 None
The Register - English news site
China-linked APT40 gang targets wind farms, Australian government
2022-08-31T05:02:05+00:00 https://go.theregister.com/feed/www.theregister.com/2022/08/31/chinanexus_apt40_targeting_australian_government/ www.secnews.physaphae.fr/article.php?IdArticle=6640351 False None APT 40 None
Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
Watering Hole Attacks Push ScanBox Keylogger
2022-08-30T16:00:43+00:00 https://threatpost.com/watering-hole-attacks-push-scanbox-keylogger/180490/ www.secnews.physaphae.fr/article.php?IdArticle=6627513 False Industrial APT 40 None
InfoSecurity Mag - InfoSecurity Magazine
China-backed APT41 Group Hacked at Least 13 Victims in 2021
2022-08-19T16:30:00+00:00 https://www.infosecurity-magazine.com/news/china-apt41-campaign-13-victims/ www.secnews.physaphae.fr/article.php?IdArticle=6416340 False None APT 41 None
Dark Reading - Informationweek Branch
China's APT41 Embraces Baffling Approach for Dropping Cobalt Strike Payload
2022-08-18T18:34:08+00:00 https://www.darkreading.com/remote-workforce/china-apt41-baffling-approach-cobalt-strike-payload www.secnews.physaphae.fr/article.php?IdArticle=6397228 False Tool,Threat APT 41 None
The Hacker News - The Hacker News is a hacking news blog (surprising, right?)
China-backed APT41 Hackers Targeted 13 Organisations Worldwide Last Year 2022-08-18T06:33:50+00:00 https://thehackernews.com/2022/08/china-backed-apt41-hackers-targeted-13.html www.secnews.physaphae.fr/article.php?IdArticle=6394982 False Threat,Guideline APT 41 2.0000000000000000 TroyHunt - Blog Security China lured graduate jobseekers into digital espionage 2022-06-30T13:49:56+00:00 https://arstechnica.com/?p=1863684 www.secnews.physaphae.fr/article.php?IdArticle=5471666 False Industrial APT 40 None Mandiant - Blog Sécu de Mandiant Tendance Evil: Spotlight on Mandiant MDR Prevention of Destructive Campaies Againt Ukrainian Entities<br>Trending Evil: Spotlight on Mandiant MDR Prevention of Destructive Campaigns Against Ukrainian Entities Manialiant Managed Defense . Dans cette édition, nous fournissons un aperçu de notre défense des entités ukrainiennes après avoir initié des mesures de protection supplémentaires pour les clients, observationsd'APT41, et une ventilation des attaques Web: perturber les attaques russes : en prévision de la poursuiteLes cyberattaques russes à l'appui de son invasion de l'Ukraine ont géré la défense améliorée des services de surveillance et de menace pour les clients à partir de février 2022 . Cela a conduit au
Available today is the latest edition of Trending Evil, our quarterly report that breaks down the most recent threats observed by Mandiant Managed Defense. In this edition we provide an inside look at our defense of Ukrainian entities after initiating additional protective measures for customers, observations of APT41, and a breakdown of web attacks: Disrupting Russian Attacks: In anticipation of continued Russian cyber attacks in support of its invasion of Ukraine, Managed Defense enhanced monitoring and threat hunting services for customers beginning in February 2022. This led to the]]>
2022-06-02T11:00:00+00:00 https://www.mandiant.com/resources/blog/trending-evil-spotlight-ukraine www.secnews.physaphae.fr/article.php?IdArticle=8377462 False Threat APT 41 3.0000000000000000
