This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2024-05-10T00:41:19+00:00 www.secnews.physaphae.fr InfoSecurity Mag - InfoSecurity Magazine Proofpoint confirmed Kimsuky has directly contacted foreign policy experts since 2023 through seemingly benign email conversations]]> 2024-04-17T15:30:00+00:00 https://www.infosecurity-magazine.com/news/kimsuky-exploits-dmarc-web-beacons/ www.secnews.physaphae.fr/article.php?IdArticle=8484216 False None APT 43 3.0000000000000000 ProofPoint - Cyber Firms 2024-04-16T06:00:54+00:00 https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering www.secnews.physaphae.fr/article.php?IdArticle=8483299 False Malware,Tool,Threat,Conference APT 43,APT 37 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The North Korea-linked threat actor known as Kimsuky (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging Compiled HTML Help (CHM) files as vectors to deliver malware for harvesting sensitive data. Kimsuky, active since at least 2012, is known to target entities located in South Korea as well as North America, Asia, and Europe. According]]> 2024-03-24T11:08:00+00:00 https://thehackernews.com/2024/03/n-korea-linked-kimsuky-shifts-to.html www.secnews.physaphae.fr/article.php?IdArticle=8469454 False Malware,Threat APT 43 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Nation-state actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines. South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as Kimsuky. “A notable point about attacks that]]> 2023-12-29T14:39:00+00:00 https://thehackernews.com/2023/12/kimsuky-hackers-deploying-appleseed.html www.secnews.physaphae.fr/article.php?IdArticle=8430708 False Tool,Threat APT 43 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) #### Description The Kimsuky threat group, known to be supported by North Korea, has been active since 2013. The group usually launches spear phishing attacks against national defense, defense industries, media, diplomacy, national organizations, and academic sectors. Their attacks aim to steal internal information and technology from organizations. While the Kimsuky group typically uses spear phishing attacks for initial access, most of their recent attacks involve the use of shortcut-type malware in LNK file format. Although LNK malware comprise a large part of recent attacks, cases using JavaScripts or malicious documents are continuing to be detected. Such attack cases that use JavaScript-type malware usually involve the distribution of AppleSeed. In addition to JavaScript, Excel macro malware are also used to install AppleSeed. AppleSeed is a backdoor that can receive the threat actor\'s commands from the C&C server and execute the received commands. The threat actor can use AppleSeed to control the infected system. It also offers features such as a downloader that installs additional malware, keylogging and taking screenshots, and stealing information by collecting files from the user system and sending them. AlphaSeed is a malware developed in Golang and supports similar features to AppleSeed such as command execution and infostealing. #### Reference URL(s) 1. https://asec.ahnlab.com/en/60054/ #### Publication Date December 27, 2023 #### Author(s) Sanseo ]]> 2023-12-28T19:18:50+00:00 https://community.riskiq.com/article/461188d1 www.secnews.physaphae.fr/article.php?IdArticle=8430436 False Malware,Threat,Prediction APT 43 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The North Korean threat actor known as Kimsuky has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems. "The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC) said in an]]> 2023-12-08T19:03:00+00:00 https://thehackernews.com/2023/12/n-korean-kimsuky-targeting-south-korean.html www.secnews.physaphae.fr/article.php?IdArticle=8420188 False Threat APT 43 3.0000000000000000 Dark Reading - Informationweek Branch Sanctions on Kimsuky/APT43 focuses the world on disrupting DPRK regime\'s sprawling cybercrime operations, expert says.]]> 2023-12-01T21:00:00+00:00 https://www.darkreading.com/vulnerabilities-threats/north-korea-apt-cyber-sanctions-satellite-launch www.secnews.physaphae.fr/article.php?IdArticle=8418407 False None APT 43,APT 43 3.0000000000000000 Recorded Future - FLux Recorded Future Les États-Unis se sont associés à plusieurs nations du Pacifique pour transmettre des sanctions contre la Corée du Nord - en particulier le groupe de cyber-espionnage du pays \\ du pays - après le pays Lancé Un satellite de surveillance la semaine dernière.Jeudi soir, le Office du Contrôle des actifs étrangers (OFAC) du Département américain du Trésor du Trésor a sanctionné huit agents nord-coréens pour

---

The U.S. partnered with several nations in the Pacific to hand down sanctions on North Korea - particularly the country\'s Kimsuky cyber espionage group - after the country launched a surveillance satellite last week. On Thursday evening, the U.S. Department of the Treasury\'s Office of Foreign Assets Control (OFAC) sanctioned eight North Korean agents for]]> 2023-12-01T18:15:00+00:00 https://therecord.media/us-sanctions-north-korean-kimsuky-hackers www.secnews.physaphae.fr/article.php?IdArticle=8418385 False None APT 43 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts. The activity has been attributed to a threat actor called Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43). "This campaign relies on a remote access trojan]]> 2023-11-23T20:16:00+00:00 https://thehackernews.com/2023/11/konni-group-using-russian-language.html www.secnews.physaphae.fr/article.php?IdArticle=8416352 False None APT 43 2.0000000000000000 AhnLab - Korean Security Firm Les activités de Kimsuky Group & # 8217;Les activités d'autres types étaient relativement faibles.De plus, des échantillons de phishing ont été trouvés dans l'infrastructure connue pour la distribution de logiciels malveillants antérieurs (fleurs, randomquery et appleseed), et des échantillons de babyshark ont été découverts dans l'infrastructure RandomQuery.Cela suggère la probabilité de plusieurs types de logiciels malveillants en utilisant une seule infrastructure.Rapport de tendance AUG_TRÉTÉE sur le groupe Kimsuk

---

The Kimsuky group’s activities in August 2023 showed a notable surge in the BabyShark type, while the activities of other types were relatively low. Also, phishing samples were found in the infrastructure known for distributing previous malware (FlowerPower, RandomQuery, and AppleSeed), and BabyShark samples were discovered in the RandomQuery infrastructure. This suggests the likelihood of multiple types of malware utilizing a single infrastructure. Aug_Threat Trend Report on Kimsuky Group ]]> 2023-10-23T02:21:45+00:00 https://asec.ahnlab.com/en/57938/ www.secnews.physaphae.fr/article.php?IdArticle=8399125 False Malware,Threat,Prediction APT 43 3.0000000000000000 Dark Reading - Informationweek Branch The sophisticated APT employs various tactics to abuse Windows and other built-in protocols with both custom and public malware to take over victim systems.]]> 2023-10-18T16:11:47+00:00 https://www.darkreading.com/attacks-breaches/north-korea-s-kimsuky-doubles-down-on-remote-desktop-control www.secnews.physaphae.fr/article.php?IdArticle=8397354 False Malware APT 43 2.0000000000000000 AhnLab - Korean Security Firm Kimsuky, un groupe de menaces connu pour être soutenu par la Corée du Nord, est actif depuis 2013. Au début, ils ont attaqué les instituts de recherche liés à la Corée du Nord en Corée du Sud avant d'attaquer une agence d'énergie sud-coréenne en 2014. D'autres pays sont également devenus des cibles de leur attaque depuis 2017. [1] Le groupe lance généralement des attaques de phishing de lance contre la défense nationale, diplomatique diplomatique,, et les secteurs universitaires, les industries de la défense et des médias, ainsi que des organisations nationales.Leur objectif est d'exfiltrer les informations et la technologie internes ...

---

Kimsuky, a threat group known to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy agency in 2014. Other countries have also become targets of their attack since 2017. [1] The group usually launches spear phishing attacks on the national defense, diplomatic, and academic sectors, defense and media industries, as well as national organizations. Their goal is to exfiltrate internal information and technology... ]]> 2023-10-17T09:08:51+00:00 https://asec.ahnlab.com/en/57873/ www.secnews.physaphae.fr/article.php?IdArticle=8396631 False Threat APT 43 3.0000000000000000 knowbe4 - cybersecurity services CyberheistNews Vol 13 #24  |   June 13th, 2023 [The Mind\'s Bias] Pretexting Now Tops Phishing in Social Engineering Attacks The New Verizon DBIR is a treasure trove of data. As we will cover a bit below, Verizon reported that 74% of data breaches Involve the "Human Element," so people are one of the most common factors contributing to successful data breaches. Let\'s drill down a bit more in the social engineering section. They explained: "Now, who has received an email or a direct message on social media from a friend or family member who desperately needs money? Probably fewer of you. This is social engineering (pretexting specifically) and it takes more skill. "The most convincing social engineers can get into your head and convince you that someone you love is in danger. They use information they have learned about you and your loved ones to trick you into believing the message is truly from someone you know, and they use this invented scenario to play on your emotions and create a sense of urgency. The DBIR Figure 35 shows that Pretexting is now more prevalent than Phishing in Social Engineering incidents. However, when we look at confirmed breaches, Phishing is still on top." A social attack known as BEC, or business email compromise, can be quite intricate. In this type of attack, the perpetrator uses existing email communications and information to deceive the recipient into carrying out a seemingly ordinary task, like changing a vendor\'s bank account details. But what makes this attack dangerous is that the new bank account provided belongs to the attacker. As a result, any payments the recipient makes to that account will simply disappear. BEC Attacks Have Nearly Doubled It can be difficult to spot these attacks as the attackers do a lot of preparation beforehand. They may create a domain doppelganger that looks almost identical to the real one and modify the signature block to show their own number instead of the legitimate vendor. Attackers can make many subtle changes to trick their targets, especially if they are receiving many similar legitimate requests. This could be one reason why BEC attacks have nearly doubled across the DBIR entire incident dataset, as shown in Figure 36, and now make up over 50% of incidents in this category. Financially Motivated External Attackers Double Down on Social Engineering Timely detection and response is crucial when dealing with social engineering attacks, as well as most other attacks. Figure 38 shows a steady increase in the median cost of BECs since 2018, now averaging around $50,000, emphasizing the significance of quick detection. However, unlike the times we live in, this section isn\'t all doom and ]]> 2023-06-13T13:00:00+00:00 https://blog.knowbe4.com/cyberheistnews-vol-13-24-the-minds-bias-pretexting-now-tops-phishing-in-social-engineering-attacks www.secnews.physaphae.fr/article.php?IdArticle=8344804 False Spam,Malware,Vulnerability,Threat,Patching ChatGPT,ChatGPT,APT 43,APT 37,Uber 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The North Korean nation-state threat actor known as Kimsuky has been linked to a social engineering campaign targeting experts in North Korean affairs with the goal of stealing Google credentials and delivering reconnaissance malware. "Further, Kimsuky\'s objective extends to the theft of subscription credentials from NK News," cybersecurity firm SentinelOne said in a report shared with The]]> 2023-06-08T09:53:00+00:00 https://thehackernews.com/2023/06/kimsuky-targets-think-tanks-and-news.html www.secnews.physaphae.fr/article.php?IdArticle=8343243 False Threat APT 43 3.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine SentinelOne said the campaign specifically targets experts in North Korean affairs]]> 2023-06-07T16:00:00+00:00 https://www.infosecurity-magazine.com/news/kimsuky-expands-social-engineering/ www.secnews.physaphae.fr/article.php?IdArticle=8343055 False None APT 43 3.0000000000000000 Recorded Future - FLux Recorded Future Le groupe de piratage soutenu par le gouvernement nord-coréen Kimsuky vise des experts dans les affaires nord-coréennes et les médias dans le cadre d'une campagne pour recueillir des renseignements - même en recourant à voler des informations sur l'abonnement aux médias signalant des actualités sur les affaires du pays.Les résultats, publié mardi par Sentineone, coïncidant avec une alerte de la National Security Agency

---

The North Korean government-backed hacking group Kimsuky is targeting experts in North Korean affairs and media as part of a campaign to gather intelligence - even resorting to stealing subscription information for news outlets reporting on the country\'s affairs. The findings, published on Tuesday by SentinelOne, coincide with an alert from the National Security Agency]]> 2023-06-06T19:33:00+00:00 https://therecord.media/north-korean-group-kimsuky-targeting-regional-experts-outlets www.secnews.physaphae.fr/article.php?IdArticle=8342699 False None APT 43 2.0000000000000000 Data Security Breach - Site de news Francais 2023-06-05T16:17:19+00:00 https://www.datasecuritybreach.fr/kimsuky-thallium-ta406/ www.secnews.physaphae.fr/article.php?IdArticle=8342214 False None APT 43,APT 37 2.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine The advisory identifies several actors: Kimsuky, Thallium, APT43, Velvet Chollima and Black Banshee]]> 2023-06-02T16:00:00+00:00 https://www.infosecurity-magazine.com/news/us-korean-agencies-issue-warning/ www.secnews.physaphae.fr/article.php?IdArticle=8341524 False None APT 43,APT 43,APT 37 3.0000000000000000 Recorded Future - FLux Recorded Future Les agences de renseignement des États-Unis et de la Corée du Sud ont émis un avertissement qui décrit les méthodes d'espionnage de Kimsuky, un groupe de piratage nord-coréen nord-coréen qui cible les chars, le monde universitaire et les médias.Selon le consultatif publié jeudi, kimsuky piratesUtilisez des tactiques d'identification, se faisant passer pour des sources fiables pour gagner la confiance de

---

Intelligence agencies from the U.S. and South Korea have issued a warning that describes the spying methods of Kimsuky, a notorious North Korean nation-state hacking group that targets think tanks, academia and news media. According to the advisory published on Thursday, Kimsuky hackers use impersonation tactics, masquerading as reliable sources to gain the trust of]]> 2023-06-02T14:42:00+00:00 https://therecord.media/kimsuky-north-korea-cyber-espionage-us-south-korea-warning www.secnews.physaphae.fr/article.php?IdArticle=8341502 False None APT 43 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) U.S. and South Korean intelligence agencies have issued a new alert warning of North Korean cyber actors\' use of social engineering tactics to strike think tanks, academia, and news media sectors. The "sustained information gathering efforts" have been attributed to a state-sponsored cluster dubbed Kimsuky, which is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (]]> 2023-06-02T11:15:00+00:00 https://thehackernews.com/2023/06/north-koreas-kimsuky-group-mimics-key.html www.secnews.physaphae.fr/article.php?IdArticle=8341407 False None APT 43 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution (published: May 5, 2023) McAfee researchers have detected a multi-stage attack that starts with a trojanized wextract.exe, Windows executable used to extract files from a cabinet (CAB) file. It was used to deliver the AgentTesla, Amadey botnet, LockBit ransomware, Redline Stealer, and other malicious binaries. To avoid detection, the attackers use obfuscation and disable Windows Defender through the registry thus stopping users from turning it back on through the Defender settings. Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioral analysis defenses and social engineering training. Users should report suspicious files with double extensions such as .EXE.MUI. Indicators associated with this campaign are available in the Anomali platform and users are advised to block these on their infrastructure. MITRE ATT&CK: [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] T1555 - Credentials From Password Stores | [MITRE ATT&CK] T1486: Data Encrypted for Impact | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information Tags: malware:Amadey, malware-type:Botnet, malware:RedLine, malware:AgentTesla, malware-type:Infostealer, malware:LockBit, malware-type:Ransomware, abused:Wextract.exe, file-type:CAB, file-type:EXE, file-type:MUI, target-program:Windows Defender, target-system:Windows Eastern Asian Android Assault – FluHorse (published: May 4, 2023) Active since May 2022, a newly-detected Android stealer dubbed FluHorse spreads mimicking popular apps or as a fake dating application. According to Check Point researchers, FluHorse was targeting East Asia (Taiwan and Vietnam) while remaining undetected for months. This stealthiness is achieved by sticking to minimal functions while also relying on a custom virtual machine that comes with the Flutter user interface software development kit. FluHorse is being distributed via emails that prompt the recipient to install the app and once installed, it asks for the user’s credit card or banking data. If a second factor authentication is needed to commit banking fraud, FluHorse tells the user to wait for 10-15 minutes while intercepting codes by installing a listener for all incoming SMS messages. Analyst Comment: FluHorse\'s ability to remain undetected for months makes it a dangerous threat. Users should avoid installing applications following download links received via email or other messaging. Verify the app authenticity on the official com]]> 2023-05-09T20:02:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-custom-virtual-environment-hides-fluhorse-babyshark-evolved-into-reconshark-fleckpe-infected-apps-add-expensive-subscriptions www.secnews.physaphae.fr/article.php?IdArticle=8334939 False Malware,Tool,Threat APT 43,APT 37 3.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine ReconShark is sent via emails containing OneDrive links leading to documents with malicious macros]]> 2023-05-05T16:00:00+00:00 https://www.infosecurity-magazine.com/news/north-korea-kimsuky-spear-phishing/ www.secnews.physaphae.fr/article.php?IdArticle=8333808 False None APT 43 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The North Korean state-sponsored threat actor known as Kimsuky has been discovered using a new reconnaissance tool called ReconShark as part of an ongoing global campaign. "[ReconShark] is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros," SentinelOne researchers Tom Hegel]]> 2023-05-05T15:49:00+00:00 https://thehackernews.com/2023/05/n-korean-kimsuky-hackers-using-new.html www.secnews.physaphae.fr/article.php?IdArticle=8333757 False Tool,Threat APT 43 3.0000000000000000 Checkpoint Research - Fabricant Materiel Securite Introduction des principales conclusions des nombreux rapports sur APT37 Au cours des derniers mois, à l'annonce de Mandiant \\ sur & # 160; APT43, beaucoup d'attention est actuellement axée sur les acteurs des menaces nord-coréennes & # 8211;Et pour raison.La Corée du Nord a une longue histoire d'attaque de son voisin du sud, en particulier par la cyber-guerre qui se poursuit aujourd'hui.Dans ce [& # 8230;]

---

>Key findings Introduction From the many reports on APT37 in recent months, to Mandiant\'s announcement on APT43, a lot of attention is currently focused on North Korean threat actors – and with good reason. North Korea has a long history of attacking its southern neighbor, especially by means of cyber warfare which continues today. In this […] ]]> 2023-05-01T11:32:18+00:00 https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/ www.secnews.physaphae.fr/article.php?IdArticle=8332629 False Threat APT 43,APT 37 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters (published: April 21, 2023) A new Monero cryptocurrency-mining campaign is the first recorded case of gaining persistence via Kubernetes (K8s) Role-Based Access Control (RBAC), according to Aquasec researchers. The recorded honeypot attack started with exploiting a misconfigured API server. The attackers preceded by gathering information about the cluster, checking if their cluster was already deployed, and deleting some existing deployments. They used RBAC to gain persistence by creating a new ClusterRole and a new ClusterRole binding. The attackers then created a DaemonSet to use a single API request to target all nodes for deployment. The deployed malicious image from the public registry Docker Hub was named to impersonate a legitimate account and a popular legitimate image. It has been pulled 14,399 times and 60 exposed K8s clusters have been found with signs of exploitation by this campaign. Analyst Comment: Your company should have protocols in place to ensure that all cluster management and cloud storage systems are properly configured and patched. K8s buckets are too often misconfigured and threat actors realize there is potential for malicious activity. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from highly-active threat groups. MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1496 - Resource Hijacking | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1489 - Service Stop Tags: Monero, malware-type:Cryptominer, detection:PUA.Linux.XMRMiner, file-type:ELF, abused:Docker Hub, technique:RBAC Buster, technique:Create ClusterRoleBinding, technique:Deploy DaemonSet, target-system:Linux, target:K8s, target:​​Kubernetes RBAC 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible (published: April 20, 2023) Investigation of the previously-reported 3CX supply chain compromise (March 2023) allowed Mandiant researchers to detect it was a result of prior software supply chain attack using a trojanized installer for X_TRADER, a software package provided by Trading Technologies. The attack involved the publicly-available tool SigFlip decrypting RC4 stream-cipher and starting publicly-available DaveShell shellcode for reflective loading. It led to installation of the custom, modular VeiledSignal backdoor. VeiledSignal additional modules inject the C2 module in a browser process instance, create a Windows named pipe and]]> 2023-04-25T18:22:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-two-supply-chain-attacks-chained-together-decoy-dog-stealthy-dns-communication-evilextractor-exfiltrates-to-ftp-server www.secnews.physaphae.fr/article.php?IdArticle=8331005 False Ransomware,Spam,Malware,Tool,Threat,Cloud APT 38,ChatGPT,APT 43,Uber 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) A North Korean government-backed threat actor has been linked to attacks targeting government and military personnel, think tanks, policy makers, academics, and researchers in South Korea and the U.S. Google\'s Threat Analysis Group (TAG) is tracking the cluster under the name ARCHIPELAGO, which it said is a subset of another threat group tracked by Mandiant under the name APT43. The tech giant]]> 2023-04-05T17:49:00+00:00 https://thehackernews.com/2023/04/google-tag-warns-of-north-korean-linked.html www.secnews.physaphae.fr/article.php?IdArticle=8325066 False Threat APT 43 2.0000000000000000 Recorded Future - FLux Recorded Future Les pirates soutenus par le gouvernement seraient liés à l'armée nord-coréenne ciblée des personnes ayant une expertise en matière de questions politiques de Corée du Nord en se faisant passer pour des journalistes, selon un nouveau rapport.Des chercheurs du groupe d'analyse des menaces de Google (TAG) ont publié mercredi le rapport comme un suivi de One [publié la semaine dernière] (https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage) par la société de cybersécurité Mandiant - qui appartient à

---

Government-backed hackers allegedly connected to the North Korean military targeted people with expertise in North Korea policy issues by posing as journalists, according to a new report. Researchers from Google\'s Threat Analysis Group (TAG) released the report Wednesday as a follow-up to one [published last week](https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage) by cybersecurity firm Mandiant - which is owned by]]> 2023-04-05T12:00:00+00:00 https://therecord.media/north-korea-hackers-impersonate-journalists-google www.secnews.physaphae.fr/article.php?IdArticle=8325048 False Threat APT 43 4.0000000000000000 knowbe4 - cybersecurity services CyberheistNews Vol 13 #14  |   April 4th, 2023 [Eyes on the Prize] How Crafty Cons Attempted a 36 Million Vendor Email Heist The details in this thwarted VEC attack demonstrate how the use of just a few key details can both establish credibility and indicate the entire thing is a scam. It\'s not every day you hear about a purely social engineering-based scam taking place that is looking to run away with tens of millions of dollars. But, according to security researchers at Abnormal Security, cybercriminals are becoming brazen and are taking their shots at very large prizes. This attack begins with a case of VEC – where a domain is impersonated. In the case of this attack, the impersonated vendor\'s domain (which had a .com top level domain) was replaced with a matching .cam domain (.cam domains are supposedly used for photography enthusiasts, but there\'s the now-obvious problem with it looking very much like .com to the cursory glance). The email attaches a legitimate-looking payoff letter complete with loan details. According to Abnormal Security, nearly every aspect of the request looked legitimate. The telltale signs primarily revolved around the use of the lookalike domain, but there were other grammatical mistakes (that can easily be addressed by using an online grammar service or ChatGPT). This attack was identified well before it caused any damage, but the social engineering tactics leveraged were nearly enough to make this attack successful. Security solutions will help stop most attacks, but for those that make it past scanners, your users need to play a role in spotting and stopping BEC, VEC and phishing attacks themselves – something taught through security awareness training combined with frequent simulated phishing and other social engineering tests. Blog post with screenshots and links:https://blog.knowbe4.com/36-mil-vendor-email-compromise-attack [Live Demo] Ridiculously Easy Security Awareness Training and Phishing Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense. Join us TOMORROW, Wednesday, April 5, @ 2:00 PM (ET), for a live demo of how KnowBe4 i]]> 2023-04-04T13:00:00+00:00 https://blog.knowbe4.com/cyberheistnews-vol-13-14-eyes-on-the-price-how-crafty-cons-attempted-a-36-million-vendor-email-heist www.secnews.physaphae.fr/article.php?IdArticle=8324667 False Ransomware,Malware,Hack,Threat ChatGPT,ChatGPT,APT 43 2.0000000000000000 The Register - Site journalistique Anglais Mandiant identifies \'moderately sophisticated\' but \'prolific\' APT43 as global menace Google Cloud\'s recently acquired security outfit Mandiant has named a new nasty from North Korea: a cyber crime gang it calls APT43 and accuses of a five-year rampage.…]]> 2023-03-30T04:40:47+00:00 https://go.theregister.com/feed/www.theregister.com/2023/03/30/mandian_apt43_north_korea/ www.secnews.physaphae.fr/article.php?IdArticle=8323334 False Studies,Prediction APT 43 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) A new North Korean nation-state cyber operator has been attributed to a series of campaigns orchestrated to gather strategic intelligence that aligns with Pyongyang\'s geopolitical interests since 2018. Google-owned Mandiant, which is tracking the activity cluster under the moniker APT43, said the group\'s motives are both espionage- and financially-motivated, leveraging techniques like credential]]> 2023-03-29T11:02:00+00:00 https://thehackernews.com/2023/03/north-korean-apt43-group-uses.html www.secnews.physaphae.fr/article.php?IdArticle=8322852 False None APT 43 2.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Mandiant says unit is focused on espionage and crypto theft]]> 2023-03-29T08:30:00+00:00 https://www.infosecurity-magazine.com/news/selffunding-north-korean-group/ www.secnews.physaphae.fr/article.php?IdArticle=8322872 False None APT 43 2.0000000000000000 SecurityWeek - Security News Mandiant Flags APT43 comme un «cyber opérateur modérément sophistiqué qui soutient les intérêts du régime nord-coréen». "

---

>Mandiant flags APT43 as a “moderately-sophisticated cyber operator that supports the interests of the North Korean regime." ]]> 2023-03-28T21:57:06+00:00 https://www.securityweek.com/mandiant-catches-another-north-korean-gov-hacker-group/ www.secnews.physaphae.fr/article.php?IdArticle=8322676 False None APT 43 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces campagne de phishingCible l'industrie chinoise de l'énergie nucléaire (Publié: 24 mars 2023) Actif Depuis 2013, le groupe amer (T-APT-17) est soupçonné d'être parrainé par le gouvernement indien.Des chercheurs Intezer ont découvert une nouvelle campagne amère ciblant les universitaires, le gouvernement et d'autres organisations de l'industrie de l'énergie nucléaire en Chine.Les techniques sont cohérentes avec les campagnes amères observées précédemment.L'intrusion commence par un e-mail de phishing censé provenir d'un véritable employé de l'ambassade du Kirghizistan.Les pièces jointes malveillantes observées étaient soit des fichiers HTML (CHM) compilés à Microsoft, soit des fichiers Microsoft Excel avec des exploits d'éditeur d'équation.L'objectif des charges utiles est de créer de la persistance via des tâches planifiées et de télécharger d'autres charges utiles de logiciels malveillants (les campagnes amères précédentes ont utilisé le voleur d'identification du navigateur, le voleur de fichiers, le keylogger et les plugins d'outils d'accès à distance).Les attaquants se sont appuyés sur la compression LZX et la concaténation des cordes pour l'évasion de détection. Commentaire de l'analyste: De nombreuses attaques avancées commencent par des techniques de base telles que des e-mails injustifiés avec une pièce jointe qui oblige l'utilisateur à l'ouvrir.Il est important d'enseigner l'hygiène de base en ligne à vos utilisateurs et la sensibilisation au phishing.Il est sûr de recommander de ne jamais ouvrir de fichiers CHM joints et de garder votre bureau MS Office entièrement mis à jour.Tous les indicateurs connus associés à cette campagne amère sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1589.002 - rassembler l'identité des victimesInformations: Adresses e-mail | [mitre att & amp; ck] t1566.001 -Phishing: attachement de espionnage | [mitre at]]> 2023-03-28T21:28:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-account-takeover-apt-banking-trojans-china-cyberespionage-india-malspam-north-korea-phishing-skimmers-ukraine-and-vulnerabilities www.secnews.physaphae.fr/article.php?IdArticle=8322667 False Malware,Tool,Threat,Cloud APT 43,APT 37 2.0000000000000000 Dark Reading - Informationweek Branch In cyberattacks against the US, South Korea, and Japan, the group (aka APT43 or Thallium) is using advanced social engineering and cryptomining tactics that set it apart from other threat actors.]]> 2023-03-28T17:05:00+00:00 https://www.darkreading.com/threat-intelligence/north-korea-kimsuky-evolves-full-fledged-persistent-threat www.secnews.physaphae.fr/article.php?IdArticle=8322589 False Threat,Cloud APT 43,APT 37 4.0000000000000000 CyberScoop - scoopnewsgroup.com special Cyber Researchers at Mandiant identified a new hacking group knowns as APT 43 that uses stolen bitcoin to fund cyberespionage operations. ]]> 2023-03-28T15:08:13+00:00 https://cyberscoop.com/north-korean-hackers-cloud-mining-cyrptocurrency/ www.secnews.physaphae.fr/article.php?IdArticle=8322571 False Threat APT 43 2.0000000000000000 Global Security Mag - Site de news francais Malwares]]> 2023-03-28T15:03:38+00:00 https://www.globalsecuritymag.fr/APT43-Un-groupe-nord-coreen-utilise-la-cybercriminalite-pour-financer-des.html www.secnews.physaphae.fr/article.php?IdArticle=8322553 False General Information APT 43 3.0000000000000000 Mandiant - Blog Sécu de Mandiant Aujourd'hui, nous publions un rapport sur ]]> 2023-03-28T10:00:00+00:00 https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage www.secnews.physaphae.fr/article.php?IdArticle=8377376 False Threat APT 43,APT 43 4.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence What’s With The Shared VBA Code Between Transparent Tribe And Other Threat Actors? (published: February 9, 2022) A recent discovery has been made that links malicious VBA macro code between multiple groups, namely: Transparent Tribe, Donot Team, SideCopy, Operation Hangover, and SideWinder. These groups operate (or operated) out of South Asia and use a variety of techniques with phishing emails and maldocs to target government and military entities within India and Pakistan. The code is similar enough that it suggests cooperation between APT groups, despite having completely different goals/targets. Analyst Comment: This research shows that APT groups are sharing TTPs to assist each other, regardless of motive or target. Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel. MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Phishing - T1566 Tags: Transparent Tribe, Donot, SideWinder, Asia, Military, Government Fake Windows 11 Upgrade Installers Infect You With RedLine Malware (published: February 9, 2022) Due to the recent announcement of Windows 11 upgrade availability, an unknown threat actor has registered a domain to trick users into downloading an installer that contains RedLine malware. The site, "windows-upgraded[.]com", is a direct copy of a legitimate Microsoft upgrade portal. Clicking the 'Upgrade Now' button downloads a 734MB ZIP file which contains an excess of dead code; more than likely this is to increase the filesize for bypassing any antivirus scan. RedLine is a well-known infostealer, capable of taking screenshots, using C2 communications, keylogging and more. Analyst Comment: Any official Windows update or installation files will be downloaded through the operating system directly. If offline updates are necessary, only go through Microsoft sites and subdomains. Never update Windows from a third-party site due to this type of attack. MITRE ATT&CK: [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 Tags: RedLine, Windows 11, Infostealer ]]> 2022-02-15T20:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-mobile-malware-is-on-the-rise-apt-groups-are-working-together-ransomware-for-the-individual-and-more www.secnews.physaphae.fr/article.php?IdArticle=4134740 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline APT 43,Uber,APT 36,APT-C-17 None knowbe4 - cybersecurity services [Heads Up] FBI Warns Against New Criminal QR Code Scams   Email not displaying? | CyberheistNews Vol 12 #07  |   Feb. 15th., 2022 [Heads Up] FBI Warns Against New Criminal QR Code Scams QR codes have been around for many years. While they were adopted for certain niche uses, they never did quite reach their full potential. They are a bit like Rick Astley in that regard, really popular for one song, but well after the boat had sailed. Do not get me wrong, Rick Astley achieved a lot. In recent years, he has become immortalized as a meme and Rick roller, but he could have been so much more. However, in recent years, with lockdown and the drive to keep things at arms length, QR codes have become an efficient way to facilitate contactless communications, or the transfer of offers without physically handing over a coupon. As this has grown in popularity, more people have become familiar with how to generate their own QR codes and how to use them as virtual business cards, discount codes, links to videos and all sorts of other things. QRime Codes As with most things, once they begin to gain a bit of popularity, criminals move in to see how they can manipulate the situation to their advantage. Recently, we have seen fake QR codes stuck to parking meters enticing unwitting drivers to scan the code, and hand over their payment details believing they were paying for parking, whereas they were actually handing over their payment information to criminals. The rise in QR code fraud resulted in the FBI releasing an advisory warning against fake QR codes that are being used to scam users. In many cases, a fake QR code will lead people to a website that looks like the intended legitimate site. So, the usual verification process of checking the URL and any other red flags apply. CONTINUED with links and 4 example malicious QR codes on the KnowBe4 blog: https://blog.knowbe4.com/qr-codes-in-the-time-of-cybercrime ]]> 2022-02-15T14:24:51+00:00 https://blog.knowbe4.com/cyberheistnews-vol-12-07-heads-up-fbi-warns-against-new-criminal-qr-code-scams www.secnews.physaphae.fr/article.php?IdArticle=4133418 False Ransomware,Data Breach,Spam,Malware,Threat,Guideline APT 43,APT 15 None Bleeping Computer - Magazine Américain 2022-02-08T15:35:47+00:00 https://www.bleepingcomputer.com/news/security/kimsuki-hackers-use-commodity-rats-with-custom-gold-dragon-malware/ www.secnews.physaphae.fr/article.php?IdArticle=4095821 False Malware APT 43 None IT Security Guru - Blog Sécurité 2020-11-17T11:19:05+00:00 https://www.itsecurityguru.org/2020/11/17/covid-19-vaccine-research-firms-targeted-by-russian-and-north-korean-hackers/?utm_source=rss&utm_medium=rss&utm_campaign=covid-19-vaccine-research-firms-targeted-by-russian-and-north-korean-hackers www.secnews.physaphae.fr/article.php?IdArticle=2039786 False Medical APT 38,APT 43,APT 28 None Security Affairs - Blog Secu 2020-11-13T17:18:12+00:00 https://securityaffairs.co/wordpress/110871/apt/apt-groups-covid-19-vaccine.html?utm_source=rss&utm_medium=rss&utm_campaign=apt-groups-covid-19-vaccine www.secnews.physaphae.fr/article.php?IdArticle=2032995 False Medical APT 38,APT 43,APT 28 None ZD Net - Magazine Info 2020-11-13T14:00:00+00:00 https://www.zdnet.com/article/microsoft-says-three-apts-have-targeted-seven-covid-19-vaccine-makers/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=2032686 False Medical APT 38,APT 43,APT 28 None