www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2024-06-16T07:20:08+00:00

Mandiant - Mandiant security blog
Phishing for Gold: Cyber Threats Facing the 2024 Paris Olympics

Executive Summary
Mandiant assesses with high confidence that the Paris Olympics faces an elevated risk of cyber threat activity, including cyber espionage, disruptive and destructive operations, financially-motivated activity, hacktivism, and information operations. Olympics-related cyber threats could realistically impact various targets including event organizers and sponsors, ticketing systems, Paris infrastructure, and athletes and spectators traveling to the event. Mandiant assesses with high confidence that Russian threat groups pose the highest risk to the Olympics, while China, Iran, and North Korea state-sponsored actors pose a moderate to low risk. To reduce the risk of cyber threats associated with the Paris Olympics, organizations should update their threat profiles, conduct security awareness training, and consider travel-related cyber risks. The security community is better prepared for the cyber threats facing the Paris Olympics than it has been for previous Games, thanks to the insights gained from past events. While some entities may face unfamiliar state-sponsored threats, many of the cybercriminal threats will be familiar. While the technical disruption caused by hacktivism and information operations is often temporary, these operations can have an outsized impact during high-profile events with a global audience.

Introduction
The 2024 Summer Olympics, taking place in Paris, France between July and August, creates opportunities for a range of cyber threat actors to pursue profit, notoriety, and intelligence. For organizations involved in the event, understanding relevant threats is key to developing a resilient security posture. Defenders should prepare against a variety of threats that will likely be interested in targeting the Games for different reasons:
Cyber espionage groups are likely to target the 2024 Olympics for information gathering purposes, due to the volume of government officials and senior decision makers attending.
Disruptive and destructive operations could potentially target the Games to cause negative psychological effects and reputational damage. This type of activity could take the form of website defacements, distributed denial of service (DDoS) attacks, the deployment of wiper malware, and operational technology (OT) targeting. As a high-profile, large-scale sporting event with a global audience, the Olympics represents an ideal stage for such operations, given that the impact of any disruption would be significantly magnified.
Information operations will likely leverage interest in the Olympics to spread narratives and disinformation to target audiences. In some cases, threat actors may leverage disruptive and destructive attacks to amplify the spread of particular narratives in hybrid operations.
Financially-motivated actors are likely to target the Olympics in v
2024-06-05T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-2024-paris-olympics/ [Ransomware, Malware, Threat, Studies, Mobile, Cloud, Technical; APT 31, APT 42, APT 15]

Schneier on Security - American cryptologist
Seeing Like a Data Structure
Technology was once simply a tool—and a small one at that—used to amplify human intent and capacity. That was the story of the industrial revolution: we could control nature and build large, complex human societies, and the more we employed and mastered technology, the better things got. We don’t live in that world anymore. Not only has technology become entangled with the structure of society, but we also can no longer see the world around us without it. The separation is gone, and the control we thought we once had has revealed itself as a mirage. We’re in a transitional period of history right now...
2024-06-03T11:06:54+00:00 https://www.schneier.com/blog/archives/2024/06/seeing-like-a-data-structure.html [Industrial; APT 15]
Ars Technica - Risk Assessment Security Hacktivism
NASA finds more issues with Boeing's Starliner, but crew launch set for June 1
Fixing the helium leak would delay Starliner crew test flight for months.
2024-05-25T03:34:42+00:00 https://arstechnica.com/?p=2027053 [APT 17]

The Register - English news site
Boeing's Calamity Capsule launch date slides into the future
Starliner or Padstayer? Boeing's Starliner, aka the Calamity Capsule, has suffered another setback after a hoped-for May 25 launch date has been dropped as engineers work to deal with a helium leak in the spacecraft's propulsion system.…
2024-05-22T15:45:12+00:00 https://go.theregister.com/feed/www.theregister.com/2024/05/22/boeings_calamity_capsule_launch_date/ [APT 17]

Mandiant - Mandiant security blog
IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders
Mandiant Intelligence is tracking a growing trend among China-nexus cyber espionage operations where advanced persistent threat (APT) actors utilize proxy networks known as “ORB networks” (operational relay box networks) to gain an advantage when conducting espionage operations. ORB networks are akin to botnets and are made up of virtual private servers (VPS), as well as compromised Internet of Things (IoT) devices, smart devices, and routers that are often end of life or unsupported by their manufacturers.
Building networks of compromised devices allows ORB network administrators to easily grow the size of their ORB network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations. By using these mesh networks to conduct espionage operations, actors can disguise external traffic between command and control (C2) infrastructure and victim environments, including vulnerable edge devices that are being exploited via zero-day vulnerabilities. These networks often use rented VPS nodes in combination with malware designed to target routers so they can grow the number of devices capable of relaying traffic within compromised networks. Mandiant assesses with moderate confidence that this is an effort to raise the cost of defending an enterprise's network and shift the advantage toward espionage operators by evading detection and complicating attribution. Mandiant believes that if network defenders can shift the current enterprise defense paradigm away from treating adversary infrastructure like indicators of compromise (IOCs) and instead toward tracking ORB networks like evolving entities akin to APT groups, enterprises can contend with the rising challenge of ORB networks in the threat landscape.

IOC Extinction and the Rise of ORB Networks
The cybersecurity industry has reported on the APT practice of ORB network usage in the past, as well as on the functional implementation of these networks. Less discussed are the implications of broad ORB network usage by a multitude of China-nexus espionage actors, which has become more common over recent years.
The following are three key points and paradigm-shifting implications about ORB networks that require enterprise network defenders to adapt the way they think about China-nexus espionage actors:
ORB networks undermine the idea of “Actor-Controlled Infrastructure”: ORB networks are infrastructure networks administered by independent entities, contractors, or administrators within the People's Republic of China (PRC). They are not controlled by a single APT actor. ORB networks create a network interface, administer a network of compromised nodes, and contract access to those networks to multiple APT actors that will use the ORB networks to carry out their own distinct espionage and reconnaissance. These networks are not controlled by the APT actors using them, but rather are temporarily used by these APT actors, often to deploy custom tooling more conventionally attributable to known China-nexus adversaries.
ORB network infrastructure has a short lifesp
2024-05-22T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks/ [Malware, Tool, Vulnerability, Threat, Prediction, Cloud, Commercial; APT 31, APT 15, APT 5]

Ars Technica - Risk Assessment Security Hacktivism
Boeing is troubleshooting a small helium leak on the Starliner spacecraft
The first launch of astronauts aboard Boeing's Starliner capsule is now set for May 21.
2024-05-14T19:47:22+00:00 https://arstechnica.com/?p=2024298 [APT 17]

InfoSecurity Mag - InfoSecurity Magazine
French Employment Agency Data Breach Could Affect 43 Million People
France's employment agency suffered a massive breach, exposing the data of users who
registered over the past 20 years
2024-03-14T15:00:00+00:00 https://www.infosecurity-magazine.com/news/french-employment-agency-data/ [Data Breach; APT 19]

Schneier on Security - American cryptologist
Molly White Reviews Blockchain Book
Molly White—of “Web3 is Going Just Great” fame—reviews Chris Dixon’s blockchain solutions book: Read Write Own: In fact, throughout the entire book, Dixon fails to identify a single blockchain project that has successfully provided a non-speculative service at any kind of scale. The closest he ever comes is when he speaks of how “for decades, technologists have dreamed of building a grassroots internet access provider”. He describes one project that “got further than anyone else”: Helium. He’s right, as long as you ignore the fact that Helium was providing LoRaWAN, not Internet, that by the time he was writing his book Helium hotspots had long since passed the phase where they might generate even enough tokens for their operators to merely break even, and that the network was pulling in somewhere around $1,150 in usage fees a month despite the company being valued at $1.2 billion. Oh, and that the company had widely lied to the public about its supposed big-name clients, and that its executives have been accused of hoarding the project’s token to enrich themselves. But hey, a16z sunk millions into Helium (a fact Dixon never mentions), so might as well try to drum up some new interest!...
2024-02-13T12:07:03+00:00 https://www.schneier.com/blog/archives/2024/02/molly-white-reviews-blockchain-book.html [APT 17]
Kovrr - cyber risk management platform
Investigating the Risk of Compromised Credentials and Internet-Exposed Assets
Explore the report revealing industries and company sizes with the highest rates of compromised credentials and internet-exposed assets.
2023-11-28T00:00:00+00:00 https://www.kovrr.com/reports/investigating-the-risk-of-compromised-credentials-and-internet-exposed-assets [Ransomware, Threat, Studies, Prediction, Cloud; APT 17, APT 39]

Silicon - French news site
Trusted cloud: Cigref's environmental vision
2023-10-24T08:07:41+00:00 https://www.silicon.fr/cloud-confiance-vision-environnementale-cigref-472634.html [Cloud; APT 15]

Silicon - French news site
IT jobs – Scrum Master: role, training and salary
2023-10-20T10:19:43+00:00 https://www.silicon.fr/metiers-it-scrum-master-fonction-formation-et-salaire-472576.html [APT 15]

knowbe4 - cybersecurity services
Smishing Triad Threat Actor Sets Its Sights on the UAE
Resecurity warns that the Smishing Triad threat actor has “vastly expanded its attack footprint” in the United Arab Emirates (UAE).
2023-10-10T20:05:50+00:00 https://blog.knowbe4.com/smishing-triad-sets-its-sights-on-uae [Threat; APT 15]
Data Security Breach - French news site
An espionage group aligned with Chinese interests impersonating Signal and Telegram
2023-09-01T13:43:32+00:00 https://www.datasecuritybreach.fr/apt-gref/ [Tool; APT 15]

Global Security Mag - French news site
ESET discovers an espionage group aligned with Chinese interests impersonating the Signal and Telegram apps
2023-08-31T09:18:59+00:00 https://www.globalsecuritymag.fr/ESET-decouvre-un-groupe-d-espionnage-aligne-avec-les-interets-chinois-usurpant.html [Malware; APT 15]

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
China-Linked BadBazaar Android Spyware Targeting Signal and Telegram Users
Cybersecurity researchers have discovered malicious Android apps for Signal and Telegram distributed via the Google Play Store and Samsung Galaxy Store that are engineered to deliver the BadBazaar spyware on infected devices. Slovakian company ESET attributed the campaign to a China-linked actor called GREF. "Most likely active since July 2020 and since July 2022, respectively, the campaigns
2023-08-30T19:13:00+00:00 https://thehackernews.com/2023/08/china-linked-badbazaar-android-spyware.html [APT 15]

InfoSecurity Mag - InfoSecurity Magazine
Chinese APT Group GREF Use BadBazaar in Android Espionage
ESET said BadBazaar was available via the Google Play Store, Samsung Galaxy Store and various app sites
2023-08-30T16:00:00+00:00 https://www.infosecurity-magazine.com/news/chinese-gref-target-badbazaar/ [APT 15]

Bleeping Computer - American magazine
Trojanized Signal and Telegram apps on Google Play delivered spyware
Trojanized Signal and Telegram apps containing the BadBazaar spyware were uploaded onto Google Play and Samsung Galaxy Store by a Chinese APT hacking group known as GREF. [...]
2023-08-30T11:16:48+00:00 https://www.bleepingcomputer.com/news/security/trojanized-signal-and-telegram-apps-on-google-play-delivered-spyware/ [APT 15]

We Live Security - ESET antivirus software vendor
BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps
ESET researchers have discovered active campaigns linked to the China-aligned APT group known as GREF, distributing espionage code that has previously targeted Uyghurs
2023-08-30T09:30:18+00:00 https://www.welivesecurity.com/en/eset-research/badbazaar-espionage-tool-targets-android-users-trojanized-signal-telegram-apps/ [Tool; APT 15]

Bleeping Computer - American magazine
Hackers use VPN provider's code certificate to sign malware
The China-aligned APT (advanced persistent threat) group known as 'Bronze Starlight' was seen targeting the Southeast Asian gambling industry with malware signed using a valid certificate used by the Ivacy VPN provider.
[...]
2023-08-19T10:07:14+00:00 https://www.bleepingcomputer.com/news/security/hackers-use-vpn-providers-code-certificate-to-sign-malware/ [Malware; APT 10]

AhnLab - Korean Security Firm
Threat Trend Report on APT Groups – June 2023
APT Group Trends – June 2023: 1) Andariel 2) APT28 3) Cadet Blizzard (DEV-0586) 4) Camaro Dragon 5) Charming Kitten (Mint Sandstorm) 6) Gamaredon (Shuckworm) 7) Ke3chang (APT15, Nickel) 8) Kimsuky 9) Lazarus 10) Muddy Water 11) Mustang Panda 12) OceanLotus 13) Patchwork (White Elephant) 14) Red Eyes (APT37) 15) Sharp Panda 16) SideCopy 17) Stealth Soldier
ATIP_2023_Jun_Threat Trend Report on APT Groups
2023-08-16T06:46:45+00:00 https://asec.ahnlab.com/en/56195/ [Threat, Prediction; APT 38, APT 35, APT 25, APT 32, APT 37, APT 15, APT 28]
AlienVault Lab Blog - AlienVault is a major defense player in IOCs
Code Mirage: How cyber criminals harness AI-hallucinated code for malicious machinations

AI-hallucinations:
Artificial intelligence (AI) hallucinations, as described [2], refer to confident responses generated by AI systems that lack justification based on their training data. Similar to human psychological hallucinations, AI hallucinations involve the AI system providing information or responses that are not supported by the available data. However, in the context of AI, hallucinations are associated with unjustified responses or beliefs rather than false percepts. This phenomenon gained attention around 2022 with the introduction of large language models like ChatGPT, where users observed instances of seemingly random but plausible-sounding falsehoods being generated. By 2023, it was acknowledged that frequent hallucinations in AI systems posed a significant challenge for the field of language models.

The exploitative process:
Cybercriminals begin by deliberately publishing malicious packages under commonly hallucinated names produced by large language models (LLMs) such as ChatGPT within trusted repositories. These package names closely resemble legitimate and widely used libraries or utilities, such as the legitimate package ‘arangojs’ vs the hallucinated package ‘arangodb’, as shown in the research done by Vulcan [1].

The trap unfolds:
When developers, unaware of the malicious intent, utilize AI-based tools or large language models (LLMs) to generate code snippets for their projects, they can inadvertently fall into a trap. The AI-generated code snippets can include imaginary unpublished libraries, enabling cybercriminals to publish commonly used AI-generated imaginary package names. As a result, developers unknowingly import malicious packages into their projects, introducing vulnerabilities, backdoors, or other malicious functionalities that compromise the security and integrity of the software and possibly other projects.

Implications for developers:
The exploitation of AI-generated hallucinated package names poses significant risks to developers and their projects. Here are some key implications:
Trusting familiar package names: Developers commonly rely on package names they recognize to introduce code snippets into their projects. The presence of malicious packages under commonly hallucinated names makes it increasingly difficult to distinguish between legitimate and malicious options when relying on the trust from AI-generated code.
Blind trust in AI-generated code: Many develo
2023-08-02T10:00:00+00:00 https://cybersecurity.att.com/blogs/security-essentials/code-mirage-how-cyber-criminals-harness-ai-hallucinated-code-for-malicious-machinations [Tool; ChatGPT, APT 15]

Silicon - French news site
Generative AI: Cigref's tips
2023-07-19T16:09:41+00:00 https://www.silicon.fr/ia-generative-cigref-470181.html [APT 15]

Kovrr - cyber risk management platform
The Ransomware Threat Landscape H1-23
This report provides a comprehensive analysis of all known ransomware attacks that were reported during the first two quarters of 2023.
2023-07-13T00:00:00+00:00 https://www.kovrr.com/reports/the-ransomware-threat-landscape-h123 [Ransomware, Data Breach, Vulnerability, Threat, Cloud; APT 17]

InfoSecurity Mag - InfoSecurity Magazine
Twitter User Exposes Nickelodeon Data Leak
Social media reports suggest an individual allegedly dumped approximately 500GB of animation files
2023-07-07T16:00:00+00:00 https://www.infosecurity-magazine.com/news/twitter-user-exposes-nickelodeon/ [APT 15]

The Register - English news site
Nickelodeon probes claims of massive data leak as SpongeBob fans rejoice
TV network's attorneys 'on a DMCA rampage' ... are you sure you're ready, kids? Nickelodeon says it is probing claims that "decades old" material was stolen from it and leaked online. This follows reports on social media that someone had dumped 500GB of snatched animation files. Hilarity, and many SpongeBob SquarePants memes, ensued.…
2023-07-06T22:45:12+00:00 https://go.theregister.com/feed/www.theregister.com/2023/07/06/nickelodeon_confirms_data_leak/ [APT 15]

Recorded Future - Recorded Future feed
Nickelodeon says some of allegedly stolen data 'appears to be decades old'
Children's television giant Nickelodeon said it is investigating an alleged breach after hackers claimed to have stolen 500 GB of data. For days, cybersecurity experts have warned that hackers are sharing stolen documents from the network that included leaks from the Nickelodeon animation department. Some of the information allegedly dates back decades. [Screenshots of the
2023-07-06T19:11:00+00:00 https://therecord.media/nickelodeon-alleged-data-breach [APT 15]
Bleeping Computer - American magazine
Nickelodeon investigates breach after leak of 'decades old' data
Nickelodeon has confirmed that the data leaked from an alleged breach of the company is legitimate, but it appears to be decades old. [...]
2023-07-06T11:03:36+00:00 https://www.bleepingcomputer.com/news/security/nickelodeon-investigates-breach-after-leak-of-decades-old-data/ [APT 15]

knowbe4 - cybersecurity services
CyberheistNews Vol 13 #26 | June 27th, 2023
[Eyes Open] The FTC Reveals the Latest Top Five Text Message Scams
The U.S. Federal Trade Commission (FTC) has published a data spotlight outlining the most common text message scams. Phony bank fraud prevention alerts were the most common type of text scam last year. "Reports about texts impersonating banks are up nearly tenfold since 2019 with median reported individual losses of $3,000 last year," the report says. These are the top five text scams reported by the FTC: 1) Copycat bank fraud prevention alerts 2) Bogus "gifts" that can cost you 3) Fake package delivery problems 4) Phony job offers 5) Not-really-from-Amazon security alerts.
"People get a text supposedly from a bank asking them to call a number ASAP about suspicious activity or to reply YES or NO to verify whether a transaction was authorized. If they reply, they'll get a call from a phony 'fraud department' claiming they want to 'help get your money back.' What they really want to do is make unauthorized transfers. "What's more, they may ask for personal information like Social Security numbers, setting people up for possible identity theft."
Fake gift card offers took second place, followed by phony package delivery problems. "Scammers understand how our shopping habits have changed and have updated their sleazy tactics accordingly," the FTC says. "People may get a text pretending to be from the U.S. Postal Service, FedEx, or UPS claiming there's a problem with a delivery. "The text links to a convincing-looking – but utterly bogus – website that asks for a credit card number to cover a small 'redelivery fee.'"
Scammers also target job seekers with bogus job offers in an attempt to steal their money and personal information. "With workplaces in transition, some scammers are using texts to perpetrate old-school forms of fraud – for example, fake 'mystery shopper' jobs or bogus money-making offers for driving around with cars wrapped in ads," the report says. "Other texts target people who post their resumes on employment websites. They claim to offer jobs and even send job seekers checks, usually with instructions to send some of the money to a different address for materials, training, or the like. By the time the check bounces, the person's money – and the phony 'employer' – are long gone."
Finally, scammers impersonate Amazon and send fake security alerts to trick victims into sending money. "People may get what looks like a message from 'Amazon,' asking to verify a big-ticket order they didn't place," the FTC says.
"Concerned ]]> 2023-06-27T13:00:00+00:00 https://blog.knowbe4.com/cyberheistnews-vol-13-26-eyes-open-the-ftc-reveals-the-latest-top-five-text-message-scams www.secnews.physaphae.fr/article.php?IdArticle=8349704 False Ransomware,Spam,Malware,Hack,Tool,Threat ChatGPT,ChatGPT,APT 15,APT 28,FedEx 2.0000000000000000 SlashNext - Cyber Firm CISOS de plus en plus préoccupés par les menaces mobiles<br>CISOs Increasingly Concerned About Mobile Threats Un nouvel avertissement de Verizon de la montée en puissance des smirs, des messages texte et des escroqueries par texte et du FBI signalent 10,3 milliards de dollars de fraude sur Internet l'année dernière, les CISO sont de plus en plus préoccupés par les menaces mobiles ciblant les employés et l'impact sur leur organisation.La montée en puissance du smirage, des messages texte de spam et des escroqueries par texte.Dans une enquête récente [& # 8230;] Le post CISOS de plus en plus préoccupé par les menaces mobiles : //slashnext.com "> slashnext .
With a new warning from Verizon about the rise of smishing, spam text messages and text scams, and the FBI reporting $10.3 billion in internet fraud last year, CISOs are increasingly concerned about mobile threats targeting employees and the impact on their organization. The rise of smishing, spam text messages and text scams. In a recent survey […] The post CISOs Increasingly Concerned About Mobile Threats first appeared on SlashNext.
2023-06-23T21:30:46+00:00 https://slashnext.com/blog/cisos-increasingly-concerned-about-mobile-threats/ www.secnews.physaphae.fr/article.php?IdArticle=8386745 False Spam APT 15 2.0000000000000000
Dark Reading - Informationweek Branch 20-Year-Old Chinese APT15 Finds New Life in Foreign Ministry Attacks The notorious APT15 used common malware tools and a third-generation custom "Graphican" backdoor to continue its information gathering exploits, this time against foreign ministries. 2023-06-21T21:35:00+00:00 https://www.darkreading.com/vulnerabilities-threats/20-year-old-chinese-apt15-new-life-foreign-ministry-attacks www.secnews.physaphae.fr/article.php?IdArticle=8347850 False Malware APT 15,APT 15 2.0000000000000000 Dark Reading - Informationweek Branch Emerging Ransomware Group 8Base Doxxes SMBs Globally A threat you've never heard of is using double extortion attacks on mom-and-pop shops around the globe. 2023-06-21T18:00:00+00:00 https://www.darkreading.com/vulnerabilities-threats/emerging-ransomware-8base-doxxes-smbs-globally www.secnews.physaphae.fr/article.php?IdArticle=8347782 False Ransomware,Threat APT 17 2.0000000000000000 Recorded Future - FLux Recorded Future Experienced China-based hacking group has new backdoor tool, researchers say
The Chinese cyber-espionage group known as Nickel or APT15 used a previously unseen backdoor to attack ministries of foreign affairs in Central and South America, researchers reported Wednesday. In the campaign that ran from late 2022 into early 2023, hackers targeted a government finance department and an unnamed corporation as well as the foreign affairs
2023-06-21T17:13:00+00:00 https://therecord.media/apt15-nickel-graphican-backdoor www.secnews.physaphae.fr/article.php?IdArticle=8347784 False None APT 15,APT 15 2.0000000000000000
Bleeping Computer - Magazine Américain Chinese APT15 hackers resurface with new Graphican malware The Chinese state-sponsored hacking group tracked as APT15 has been observed using a novel backdoor named 'Graphican' in a new campaign between late 2022 and early 2023. [...] 2023-06-21T06:00:00+00:00 https://www.bleepingcomputer.com/news/security/chinese-apt15-hackers-resurface-with-new-graphican-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8347642 False Malware APT 15,APT 15 3.0000000000000000 Silicon - Site de News Francais A few keys to analyzing the performance of IT departments (DSI) 2023-06-20T08:37:46+00:00 https://www.silicon.fr/cigref-performance-dsi-468130.html www.secnews.physaphae.fr/article.php?IdArticle=8347228 False None APT 15 3.0000000000000000 AlienVault Lab Blog - AlienVault est un acteur de defense majeur dans les IOC SeroXen RAT for sale github page to provide user support or employee monitoring. It has been historically associated with malicious activity performed by threat actors, APT groups (like in this Mandiant report from 2017), or government attacks (in this report by Unit42 in 2017). It was first released in July 2014 as “xRAT” and renamed to “Quasar” in August 2015. Since then, updates to the code have been released, up to v1.4.1 in March 2023, which is the most current version. As an open-source RAT tool still receiving updates 9 years after its creation, it is no surprise that it continues to be a common tool, used on its own or combined with other payloads, by threat actors to this day. In a review of the most recent samples, a new Quasar variant was observed by Alien Labs in the wild: SeroXen. This new RAT is a modified branch of the open-source version, adding some modifications and features to the original RAT. They are selling it for a monthly or lifetime fee.
Figure 1 contains some of the features advertised on their website. Figure 1. SeroXen features announced on its website. This new RAT first showed up on a Twitter account, established in September 2022. The person advertising the RAT appeared to be an English-speaking teenager. The same Twitter handle published a review of the RAT on YouTube. The video approached the review from an attacking/Red Team point of view, encouraging people to buy the tool because it is worth the money. They were claiming to be a reseller of the tool. In December 2022, a specific domain was registered to market/sell the tool, seroxen[.]com. The RAT was distributed via a monthly license for $30 USD or a lifetime license of $60 USD. It was around that time that the malware was first observed in the wild, appearing with 0 detections on VirusTotal. After a few months, on the 1st of February, the YouTuber CyberSec Zaado published a video alerting the community about the capabilities of the RAT from a defensive perspective. In late February, the RAT was advertised on social media platforms such as TikTok, Twitter, YouTube, and several cracking forums, including hackforums. There were some conversations on gaming forums complaining about being infected by malware after downloading some video games. The artifacts described by the users matched SeroXen RAT. The threat actor updated the domain name to seroxen[.]net by the end of March.
This domain name was registered on March 27th 2023-05-30T22:00:00+00:00 https://cybersecurity.att.com/blogs/labs-research/seroxen-rat-for-sale www.secnews.physaphae.fr/article.php?IdArticle=8340743 False Malware,Tool,Threat APT 10,Uber 2.0000000000000000 Silicon - Site de News Francais CSR and IT projects: Cigref pushes a scoring tool 2023-05-29T09:42:08+00:00 https://www.silicon.fr/cigref-scoring-rse-projets-it-466305.html www.secnews.physaphae.fr/article.php?IdArticle=8340178 False None APT 15 3.0000000000000000 DDoSecrets - Blog Sécu: Distributed Email of Secrets Release: Harita Group (510 GB) Emails from the Indonesian conglomerate involved in nickel, coal, and bauxite mining, ferronickel smelters, alumina refineries, logging, and palm oil plantations. 2023-05-17T07:28:14+00:00 https://ddosecrets.substack.com/p/release-harita-group-510-gb www.secnews.physaphae.fr/article.php?IdArticle=8337280 False None APT 15 2.0000000000000000 GoogleSec - Firm Security Blog Making authentication faster than ever: passkeys vs. passwords Google announced its next step toward a passwordless future: passkeys. Passkeys are a new, passwordless authentication method that offers a convenient authentication experience for sites and apps, using just a fingerprint, face scan or other screen lock. They are designed to enhance online security for users. Because they are based on the public key cryptographic protocols that underpin security keys, they are resistant to phishing and other online attacks, making them more secure than SMS, app based one-time passwords and other forms of multi-factor authentication (MFA). And since passkeys are standardized, a single implementation enables a passwordless experience across browsers and operating systems. Passkeys can be used in two different ways: on the same device or from a different device.
For example, if you need to sign in to a website on an Android device and you have a passkey stored on that same device, then using it only involves unlocking the phone. On the other hand, if you need to sign in to that website on the Chrome browser on your computer, you simply scan a QR code to connect the phone and computer to use the passkey. The technology behind the former (“same device passkey”) is not new: it was originally developed within the FIDO Alliance and first implemented by Google in August 2019 in select flows. Google and other FIDO members have been working together on enhancing the underlying technology of passkeys over the last few years to improve their usability and convenience. The technology behind passkeys allows users to log in to their account using any form of device-based user verification, such as biometrics or a PIN code. A credential is only registered once on a user's personal device, and then the device proves possession of the registered credential to the remote server by asking the user to use their device's screen lock. The user's biometric, or other screen lock data, is never sent to Google's servers - it stays securely stored on the device, and only cryptographic proof that the user has correctly provided it is sent to Google. Passkeys are also created and stored on your devices and are not sent to websites or apps.
If you create a passkey on one device the Google Password Manager can make it available on your other devices that are signed into the same system account. Learn more on how passkey works under the hoo 2023-05-05T12:00:43+00:00 http://security.googleblog.com/2023/05/making-authentication-faster-than-ever.html www.secnews.physaphae.fr/article.php?IdArticle=8333804 False None APT 38,APT 10,APT 15,Guam 2.0000000000000000 RedCanary - Red Canary Microsoft recognizes Katie Nickels for her impact on the security community Microsoft has awarded Red Canary's Director of Intelligence Operations its Security Changemaker award at its 2023 Security Excellence Awards. 2023-04-26T16:11:23+00:00 https://redcanary.com/blog/katie-nickels-microsoft-security-award/ www.secnews.physaphae.fr/article.php?IdArticle=8331282 False None APT 15 2.0000000000000000 Recorded Future - FLux Recorded Future Ransomware attack that forced a New York county back to pen and paper began in 2021, official says
New York's Suffolk County has concluded an investigation into a destabilizing ransomware attack that forced government workers to rely on fax machines and paper records, discovering stark deficiencies in the county clerk's cybersecurity practices. Suffolk County Executive Steven Bellone [held a press conference](https://www.facebook.com/SteveBellone/videos/550329996987344/) Wednesday to unveil the findings of the forensic investigation into the September
2023-04-12T23:37:00+00:00 https://therecord.media/suffolk-county-new-york-ransomware-investigation www.secnews.physaphae.fr/article.php?IdArticle=8327274 False Ransomware APT 15 2.0000000000000000
Silicon - Site de News Francais Cyber crisis management: Cigref's approach in 7 figures 2023-02-22T16:34:23+00:00 https://www.silicon.fr/gestion-crise-cyber-approche-cigref-7-chiffres-458946.html www.secnews.physaphae.fr/article.php?IdArticle=8312524 False None APT 15 3.0000000000000000 Silicon - Site de News Francais IT jobs: "technology needs women" 2023-02-20T16:33:54+00:00 https://www.silicon.fr/metiers-it-technologie-femmes-458752.html www.secnews.physaphae.fr/article.php?IdArticle=8311921 False None APT 15 2.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine EU Cybersecurity Agency Warns Against Chinese APTs 2023-02-17T17:00:00+00:00 https://www.infosecurity-magazine.com/news/eu-warns-chinese-apts/ www.secnews.physaphae.fr/article.php?IdArticle=8311285 False None APT 25,APT 31,APT 15,APT 27,APT 30 2.0000000000000000 Global Security Mag - Site de news francais Fortinet expands its services and training offering to help SOC teams better anticipate and thwart cyber threats Training from private and public institutes 2023-02-17T08:29:11+00:00 https://www.globalsecuritymag.fr/Fortinet-enrichit-son-offre-de-services-et-de-formations-pour-aider-les-equipes.html www.secnews.physaphae.fr/article.php?IdArticle=8311183 False None APT 15 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-41620 2023-02-08T14:15:09+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41620 www.secnews.physaphae.fr/article.php?IdArticle=8308289 False Vulnerability APT 19 None Anomali - Firm Blog Anomali Cyber Watch: Roaming Mantis Changes DNS on Wi-Fi Routers, Hook Android Banking Trojan Has Device Take-Over Capabilities, Ke3chang Targeted Iran with Updated Turian Backdoor Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence Roaming Mantis Implements New DNS Changer in Its Malicious Mobile App in 2022 (published: January 19, 2023) In December 2022, a financially-motivated group dubbed Roaming Mantis (Shaoye) continued targeting mobile users with malicious landing pages. iOS users were redirected to phishing pages, while Android users were provided with malicious APK files detected as XLoader (Wroba, Moqhao). Japan, Austria, France, and Germany were the most targeted for XLoader downloads (in that order). All but one targeted country had smishing as an initial vector. In South Korea, Roaming Mantis implemented a new DNS changer function. XLoader-infected Android devices were targeting specific Wi-Fi routers used mostly in South Korea. The malware would compromise routers with default credentials and change the DNS settings to serve malicious landing pages from legitimate domains. Analyst Comment: The XLoader DNS changer function is especially dangerous in the context of free/public Wi-Fi that serves many devices. Install anti-virus software for your mobile device. Users should be cautious when receiving messages with a link or unwarranted prompts to install software. MITRE ATT&CK: [MITRE ATT&CK] T1078.001 - Valid Accounts: Default Accounts | [MITRE ATT&CK] T1584 - Compromise Infrastructure Tags: actor:Roaming Mantis, actor:Shaoye, file-type:APK, detection:Wroba, detection:Moqhao, detection:XLoader, malware-type:Trojan-Dropper, DNS changer, Wi-Fi routers, ipTIME, EFM Networks, Title router, DNS hijacking, Malicious app, Smishing, South Korea, target-country:KR, Japan, target-country:JP, Austria, target-country:AT, France, target-country:FR, Germany, target-country:DE, VK, Mobile, Android Hook: a New Ermac Fork with RAT Capabilities (published: January 19, 2023) ThreatFabric researchers analyzed a new Android banking trojan named Hook. It is a rebranded development of the Ermac malware that was based on the Android banker Cerberus.
Hook added new capabilities in targeting banking and cryptocurrency-related applications. The malware also added the capabilities of a remote access trojan and spyware. Its device take-over capabilities include being able to remotely view and interact with the screen of the infected device, manipulate files on the device's file system, simulate clicks, fill text boxes, and perform gestures. Hook can start the social messaging application WhatsApp, extract all the messages present, and send new ones. Analyst Comment: Users should take their mobile device security seriously whether they use it for social messaging or actually provide access to their banking accounts and/or cryptocurrency holdings. Similar to its predecessors, Hook will likely be used by many threat actors (malware-as-a-service model). It means the need to protect from a wide range of attacks: smishing, prompts to install malicious apps, excessive 2023-01-24T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-roaming-mantis-changes-dns-on-wi-fi-routers-hook-android-banking-trojan-has-device-take-over-capabilities-ke3chang-targeted-iran-with-updated-turian-backdoor www.secnews.physaphae.fr/article.php?IdArticle=8303740 False Malware,Tool,Threat,Guideline APT 25,APT 15 3.0000000000000000 SkullSecurity - Blog Sécu Blast from the Past: How Attackers Compromised Zimbra With a Patched Vulnerability CVE-2022-41352 - my AttackerKB analysis for Rapid7) that turned out to be a new(-ish) exploit path for a really old bug in cpio - CVE-2015-1194. But that was patched in 2019, so what happened? (I posted this as a tweet-thread awhile back, but I decided to flesh it out and make it into a full blog post!) cpio is an archive tool commonly used for system-level stuff (firmware images and such). It can also extract other formats, like .tar, which we'll use since it's more familiar.
cpio has a flag (--no-absolute-filenames), off by default, that purports to prevent writing files outside of the target directory. That's handy when, for example, extracting untrusted files with Amavis (like Zimbra does). The problem is, symbolic links can point to absolute paths, and therefore, even with --no-absolute-filenames, there was no safe way to extract an untrusted archive (outside of using a chroot environment or something similar, which they really ought to do). Much later, in 2019, the cpio team released cpio version 2.13, which includes a patch for CVE-2015-1194, with unit tests and everything. Some (not all) modern OSes include the patched version of cpio, which should be the end of the story, but it's not! I'm currently writing this on Fedora 35, so let's try exploiting it. We can confirm that the version of cpio installed with the OS is, indeed, the fixed version:
ron@fedora ~ $ cpio --version
cpio (GNU cpio) 2.13
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Phil Nelson, David MacKenzie, John Oleynick, and Sergey Poznyakoff.
That means that we shouldn't be able to use symlinks to write outside of the target directory, so let's create a .tar file that includes a symlink and a file written through that symlink (this is largely copied from this mailing list post:
ron@fedora ~ $ mkdir cpiotest
ron@fedora ~ $ cd cpiotest
ron@fedora ~/cpiotest $ ln -s /tmp/ ./demo
ron@fedora ~/cpiotest $ echo 'hello' > demo/imafile
ron@fedora ~/cpiotest $ tar -cvf demo.tar demo demo/imafile
demo
demo/imafile
ron@fedora ~/cpiotest $
2023-01-23T20:14:17+00:00 https://www.skullsecurity.org/2023/blast-from-the-past--how-attackers-compromised-zimbra-with-a-patched-vulnerability www.secnews.physaphae.fr/article.php?IdArticle=8303535 False Tool,Vulnerability APT 17 4.0000000000000000 CSO - CSO Daily Dashboard Chinese hackers targeted Iranian government entities for months: Report Palo Alto Networks report. The Chinese threat actor also known as APT15, KeChang, NICKEL, BackdoorDiplomacy, and Vixen Panda, was observed attempting to connect government domains to malware infrastructure previously associated with the APT group, according to the report. “Playful Taurus continues to evolve their tactics and their tooling. Recent upgrades to the Turian backdoor and new C2 infrastructure suggest that these actors continue to see success during their cyber espionage campaigns,” Palo Alto Networks said in a blog.
To read this article in full, please click here 2023-01-19T04:27:00+00:00 https://www.csoonline.com/article/3686088/chinese-hackers-targeted-iranian-government-entities-for-months-report.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=8302529 False Malware,Threat APT 25,APT 15 3.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Chinese APT Group Vixen Panda Targets Iranian Government Entities 2023-01-18T18:00:00+00:00 https://www.infosecurity-magazine.com/news/chinese-apt-group-vixen-panda/ www.secnews.physaphae.fr/article.php?IdArticle=8302416 False None APT 25,APT 15 3.0000000000000000 Silicon - Site de News Francais Low-code: Enedis, Pierre Fabre and STIME testify 2023-01-09T10:58:20+00:00 https://www.silicon.fr/low-code-enedis-pierre-fabre-stime-temoignent-455846.html www.secnews.physaphae.fr/article.php?IdArticle=8299144 False None APT 15 2.0000000000000000 Silicon - Site de News Francais Low-code: Cigref raises the question of costs 2023-01-09T09:34:59+00:00 https://www.silicon.fr/low-code-cigref-question-couts-455839.html www.secnews.physaphae.fr/article.php?IdArticle=8299130 False None APT 15 2.0000000000000000 Korben - Bloger francais How to remove a watermark from a photo?
Read more 2023-01-01T08:00:00+00:00 https://korben.info/enlever-watermark-photo.html www.secnews.physaphae.fr/article.php?IdArticle=8296926 False None APT 19 3.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-4584 2022-12-17T13:15:09+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4584 www.secnews.physaphae.fr/article.php?IdArticle=8292381 False Vulnerability,Guideline APT 17 None InfoSecurity Mag - InfoSecurity Magazine Cobalt Mirage Affiliate Uses GitHub to Relay Drokbk Malware Instructions 2022-12-09T16:00:00+00:00 https://www.infosecurity-magazine.com/news/iranian-hacker-uses-github-to/ www.secnews.physaphae.fr/article.php?IdArticle=8289582 False Malware APT 15 3.0000000000000000 Global Security Mag - Site de news francais An Iran-backed group uses GitHub to relay malware instructions Malwares 2022-12-09T11:17:25+00:00 https://www.globalsecuritymag.fr/Un-groupe-soutenu-par-l-Iran-utilise-Github-pour-relayer-les-instructions-de.html www.secnews.physaphae.fr/article.php?IdArticle=8289522 False Malware APT 15 2.0000000000000000 SecureWork - SecureWork: incident response Drokbk Malware Uses GitHub as Dead Drop Resolver 2022-12-09T04:00:00+00:00 https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver www.secnews.physaphae.fr/article.php?IdArticle=8289504 False Malware,Threat APT 15 2.0000000000000000 Silicon - Site de News Francais Machine learning: a bit of TensorFlow in Google Sheets 2022-12-08T15:27:58+00:00 https://www.silicon.fr/machine-learning-tensorflow-google-sheets-454628.html www.secnews.physaphae.fr/article.php?IdArticle=8289147 False None APT 15 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-46770 2022-12-07T20:15:11+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46770 www.secnews.physaphae.fr/article.php?IdArticle=8288886 False None APT 15 None Silicon - Site de News Francais CSR: what positioning for IT departments (DSI)? 2022-11-29T08:46:30+00:00 https://www.silicon.fr/rse-positionnement-dsi-453513.html www.secnews.physaphae.fr/article.php?IdArticle=8277891 False General Information APT 15 3.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-3974 2022-11-13T10:15:10+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3974 www.secnews.physaphae.fr/article.php?IdArticle=8042470 False Vulnerability,Guideline APT 17 None Silicon - Site de News Francais Energy crisis: Cigref's suggestions for digital departments 2022-11-07T08:46:21+00:00 https://www.silicon.fr/crise-energetique-pistes-cigref-directions-numeriques-451957.html www.secnews.physaphae.fr/article.php?IdArticle=7879100 False None APT 15 None CVE Liste - Common Vulnerability Exposure CVE-2022-3809 2022-11-02T13:15:16+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3809 www.secnews.physaphae.fr/article.php?IdArticle=7783701 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3810 2022-11-02T13:15:16+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3810 www.secnews.physaphae.fr/article.php?IdArticle=7783702 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3812 2022-11-01T22:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3812 www.secnews.physaphae.fr/article.php?IdArticle=7772558 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3817 2022-11-01T22:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3817 www.secnews.physaphae.fr/article.php?IdArticle=7772564 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3814 2022-11-01T22:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3814 www.secnews.physaphae.fr/article.php?IdArticle=7772560 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure
CVE-2022-3813 2022-11-01T22:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3813 www.secnews.physaphae.fr/article.php?IdArticle=7772559 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3816 2022-11-01T22:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3816 www.secnews.physaphae.fr/article.php?IdArticle=7772563 False Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3815 2022-11-01T22:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3815 www.secnews.physaphae.fr/article.php?IdArticle=7772562 False Guideline APT 17 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Chinese Hackers Using New Stealthy Infection Chain to Deploy LODEINFO Malware 2022-11-01T20:45:00+00:00 https://thehackernews.com/2022/11/chinese-hackers-using-new-stealthy.html www.secnews.physaphae.fr/article.php?IdArticle=7766451 False Malware,Threat APT 10 None CVE Liste - Common Vulnerability Exposure CVE-2022-3807 2022-11-01T20:15:22+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3807 www.secnews.physaphae.fr/article.php?IdArticle=7770916 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3784 2022-10-31T21:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3784 www.secnews.physaphae.fr/article.php?IdArticle=7758363 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3785 2022-10-31T21:15:12+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3785 www.secnews.physaphae.fr/article.php?IdArticle=7758364 False Vulnerability,Guideline APT 17 None Bleeping Computer - Magazine Américain Hacking group abuses antivirus software to launch LODEINFO malware 2022-10-31T11:34:52+00:00 https://www.bleepingcomputer.com/news/security/hacking-group-abuses-antivirus-software-to-launch-lodeinfo-malware/ 
www.secnews.physaphae.fr/article.php?IdArticle=7755377 False Malware APT 10 None Kaspersky - Kaspersky Research blog APT10: Tracking down LODEINFO 2022, part II 2022-10-31T08:00:54+00:00 https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/ www.secnews.physaphae.fr/article.php?IdArticle=7751558 False None APT 10 None Kaspersky - Kaspersky Research blog APT10: Tracking down LODEINFO 2022, part I 2022-10-31T08:00:52+00:00 https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/ www.secnews.physaphae.fr/article.php?IdArticle=7751559 False None APT 10 None CVE Liste - Common Vulnerability Exposure CVE-2022-3670 2022-10-26T19:15:27+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3670 www.secnews.physaphae.fr/article.php?IdArticle=7691534 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3669 2022-10-26T19:15:26+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3669 www.secnews.physaphae.fr/article.php?IdArticle=7691533 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3668 2022-10-26T19:15:25+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3668 www.secnews.physaphae.fr/article.php?IdArticle=7691532 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3667 2022-10-26T19:15:24+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3667 www.secnews.physaphae.fr/article.php?IdArticle=7691531 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3666 2022-10-26T19:15:23+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3666 www.secnews.physaphae.fr/article.php?IdArticle=7691530 False Guideline APT 17 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-3665 2022-10-26T19:15:22+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3665 
www.secnews.physaphae.fr/article.php?IdArticle=7691529 False Vulnerability,Guideline APT 17 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-3664 2022-10-26T19:15:21+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3664 www.secnews.physaphae.fr/article.php?IdArticle=7691528 False Vulnerability,Guideline APT 17 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-3663 2022-10-26T19:15:19+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3663 www.secnews.physaphae.fr/article.php?IdArticle=7691527 False Vulnerability,Guideline APT 17 None CVE Liste - Common Vulnerability Exposure CVE-2022-3662 2022-10-26T19:15:17+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3662 www.secnews.physaphae.fr/article.php?IdArticle=7691526 False Vulnerability,Guideline APT 17 None Silicon - Site de News Francais From low-code to the metaverse: Cigref's projections 2022-10-18T15:36:10+00:00 https://www.silicon.fr/low-code-metavers-projections-cigref-450377.html www.secnews.physaphae.fr/article.php?IdArticle=7542509 False None APT 15 None Security Affairs - Blog Secu China-linked APT41 group targets Hong Kong with Spyder Loader China-linked threat actors APT41 (a.k.a. Winnti) targeted organizations in Hong Kong, in some cases remaining undetected for a year. Symantec researchers reported that cyberespionage group APT41 targeted organizations in Hong Kong in a campaign that is a likely continuation of the Operation CuckooBees activity detailed by Cybereason in May. Winnti (aka APT41, Axiom, Barium, Blackfly) is a cyberespionage […] 2022-10-18T14:15:09+00:00 https://securityaffairs.co/wordpress/137300/apt/apt41-spyder-loader.html www.secnews.physaphae.fr/article.php?IdArticle=7541666 False Threat,Guideline APT 17,APT 41 None CISCO Talos - Cisco Research blog The benefits of taking an intent-based approach to detecting Business Email Compromise By Abhishek Singh. BEC is a multi-stage attack.
Adversaries first identify targets, then they establish rapport with the victim before exploiting them for whatever their end goal is. In the case of BEC, a threat actor can impersonate any employee in the organization to trick targets. A policy that checks for authorized email addresses of the sender can prevent BEC attacks. However, scaling the approach for every employee in a large organization is a challenge. Building an executive profile based on email analysis using a machine learning model and scanning emails against that profile will detect BEC. Data collection for building and training machine learning algorithms can take time, though, opening a window of opportunity for threat actors to exploit. Detection of exploitation techniques such as lookalike domains and any differences in the email addresses in the "From" and "Reply-to" fields can also detect BEC messages. However, the final verdict cannot account for the threat actor's intent. The intent-based approach detects BEC and then classifies it into the type of scam. It catches BEC messages, irrespective of whether a threat actor is impersonating a C-level executive or any employee in an organization. Classification based on the type of scam can help identify which segment of an organization was targeted and which employees were being impersonated by the threat actor. The additional information will further assist in better designing preventive features to stop BEC. Business email compromise (BEC) is one of the most financially damaging online crimes. As per the internet crime 221 report, the total loss in 2021 due to BEC is around 2.4 billion dollars. Since 2013, BEC has resulted in a 43 billion dollar loss. The report defines BEC as a scam targeting businesses (not individuals) working with foreign suppliers and companies regularly performing wire transfer payments. Fraudsters carry out these sophisticated scams to conduct the unauthorized transfer of funds.
This introduces the challenge of how to detect and block these campaigns as they continue to compromise organizations successfully. There are a variety of approaches to identifying BEC email messages, such as using policy to allow emails from authorized email addresses, detecting exploitation techniques used by threat actors, building profiles by analysis of emails, and validating against the profile to detect BEC. These approaches have a variety of limitations or shortcomings. Cisco Talos is taking a different approach and using an intent-based model to identify and block BEC messages. Before we get too deep into the intent-based model, take a deeper look at the commonly used approaches to block BEC from the simplistic through machine learning (ML) approaches. Policy-based detection The first place to start is with policy-based detection as it is one of the most common and simplistic approaches to blocking BEC campaigns. Let's start by looking at an example of a BEC email. ]]> 2022-10-18T08:41:18+00:00 http://blog.talosintelligence.com/2022/10/the-benefits-of-taking-intent-based.html www.secnews.physaphae.fr/article.php?IdArticle=7540074 False Threat,Medical,Cloud APT 38,APT 19,APT 29,APT 10,APT 37,Uber,APT 15,Yahoo None Security Affairs - Blog Secu Linux Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group Researchers link recently discovered Linux ransomware Cheerscrypt to the China-linked cyberespionage group DEV-0401. 
Researchers at cybersecurity firm Sygnia attributed the recently discovered Linux ransomware Cheerscrypt to the China-linked cyber espionage group Bronze Starlight (aka DEV-0401, APT10) Bronze Starlight, has been active since mid-2021, in June researchers from Secureworks reported that the APT group is deploying […] ]]> 2022-10-04T07:05:05+00:00 https://securityaffairs.co/wordpress/136611/malware/apt10-cheerscrypt-ransomware.html www.secnews.physaphae.fr/article.php?IdArticle=7293585 False Ransomware APT 10 None Anomali - Firm Blog Anomali Cyber Watch: Uber and GTA 6 Were Breached, RedLine Bundle File Advertises Itself on YouTube, Supply-Chain Attack via eCommerce Fishpig Extensions, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Hacker Pwns Uber Via Compromised VPN Account (published: September 16, 2022) On September 15, 2022, ride-sharing giant Uber started an incident response after discovering a data breach. According to Group-IB researchers, download file name artifacts point to the attacker getting access to fresh keylogger logs affecting two Uber employees from Indonesia and Brazil that have been infected with Racoon and Vidar stealers. The attacker allegedly used a compromised VPN account credentials and performed multifactor authentication fatigue attack by requesting the MFA push notification many times and then making a social-engineering call to the affected employee. Once inside, the attacker allegedly found valid credentials for privilege escalation: a PowerShell script containing hardcoded credentials for a Thycotic privileged access management admin account. On September 18, 2022, Rockstar Games’ Grand Theft Auto 6 suffered a confirmed data leak, likely caused by the same attacker. 
Analyst Comment: Network defenders can consider setting up alerts for signs of an MFA fatigue attack such as a large number of MFA requests in a relatively short period of time. Review your source code for embedded credentials, especially those with administrative privileges. MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Credentials from Password Stores - T1555 Tags: MFA fatigue, Social engineering, Data breach, Uber, GTA 6, GTA VI, detection:Racoon, detection:Vidar, malware-type:Keylogger, malware-type:Stealer Self-Spreading Stealer Attacks Gamers via YouTube (published: September 15, 2022) Kaspersky researchers discovered a new campaign spreading the RedLine commodity stealer. This campaign utilizes a malicious bundle: a single self-extracting archive. The bundle delivers RedLine and additional malware, which enables spreading the malicious archive by publishing promotional videos on victim’s Youtube channel. These videos target gamers with promises of “cheats” and “cracks.” Analyst Comment: Kids and other online gamers should be reminded to avoid illegal software. It might be better to use different machines for your gaming and banking activities. 
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Resource Hijacking - T1496 Tags: detection:RedLine, malware-type:Stealer, Bundle, Self-spreading, Telegraph, Youtub]]> 2022-09-20T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-uber-and-gta-6-were-breached-redline-bundle-file-advertises-itself-on-youtube-supply-chain-attack-via-ecommerce-fishpig-extensions-and-more www.secnews.physaphae.fr/article.php?IdArticle=7016803 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline Uber,Uber,APT 15,APT 41 None Global Security Mag - Site de news francais Sanction de 250 000 euros à l\'encontre d\'INFOGREFFE RGPD / ]]> 2022-09-13T09:53:05+00:00 http://www.globalsecuritymag.fr/Sanction-de-250-000-euros-a-l,20220913,129744.html www.secnews.physaphae.fr/article.php?IdArticle=6867504 False None APT 15 None Silicon - Site de News Francais Comment le Cigref voit évoluer les métiers du SI 2022-09-06T13:39:03+00:00 https://www.silicon.fr/cigref-evoluer-metiers-si-446406.html www.secnews.physaphae.fr/article.php?IdArticle=6750215 False None APT 15 None CISCO Talos - Cisco Research blog Ukraine and the fragility of agriculture security By Joe Marshall.The war in Ukraine has had far-reaching global implications and one of the most immediate effects felt will be on the global supply chain for food. This war-induced fragility has exposed the weaknesses of how we feed ourselves globally. Ransomware cartels and other adversaries are well aware of this and are actively exploiting that fragility. For the past six years, Cisco Talos has been actively involved in assisting public and private institutions in Ukraine to defend themselves against state-sponsored actors. Our involvement stretches the gamut from commercial to critical infrastructure, to election security. Our presence has afforded us unique opportunities and observations about cybersecurity in a macro and micro way. 
Ukraine has been a frequent victim of state-sponsored cyber attacks aimed at critical infrastructures like power and transportation. Talos is proud to stand with our partners in Ukraine and help defend their critical networks and help users there maintain access to necessary services. Now that Russia has invaded Ukraine, those threats have escalated to kinetic attacks that are wreaking havoc on a critical element of our world: agriculture and our global food supply chain. Even worse is the implications this war will have for future cyber attacks, as fragility is considered a lucrative element in deciding victimology by threat actors like ransomware cartels. To truly grasp the implications of the war in Ukraine, we have to examine how vital Ukrainian agriculture feeds the world, the current state of affairs, and what this means for the global cybersecurity posture to protect agricultural assets. Where there is weakness, there is opportunityRansomware cartels and their affiliates are actively targeting the agricultural industry. Moreover, these actors have done their homework and are targeting agricultural companies during the two times of the year where they cannot suffer disruptions: planting and harvesting. Per the published FBI PIN Alert: “Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production.” This is far from unusual for these adversaries - they are shrewd and calculating, and understand their victims' weaknesses and industries. 
H]]> 2022-08-18T08:00:00+00:00 http://blog.talosintelligence.com/2022/08/ukraine-and-fragility-of-agriculture.html www.secnews.physaphae.fr/article.php?IdArticle=6392803 False Ransomware,Threat,Guideline,Cloud APT 10,APT 32,APT 37,APT 21,NotPetya,Uber,Guam,APT 28 None NoticeBored - Experienced IT Security professional CISO workshop slides glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):]]> 2022-08-06T10:46:21+00:00 http://blog.noticebored.com/2022/08/a-glossy-nicely-constructed-and.html www.secnews.physaphae.fr/article.php?IdArticle=6150878 False Malware,Vulnerability,Threat,Patching,Guideline,Medical,Cloud APT 38,APT 19,APT 10,APT 37,Uber,APT 15,Guam,APT 28,APT 34 None 01net. Actualites - Securite - Magazine Francais Meta a chassé de Facebook et d\'Instagram des centaines de trolls russes payés pour manipuler l\'opinion Des centaines de trolls basés à Saint-Pétersbourg généraient des commentaires pro-russes en série sur les réseaux sociaux. Mais au final, l'opération était d'un niveau médiocre et peu efficace. 
L'article Meta a chassé de Facebook et d’Instagram des centaines de trolls russes payés pour manipuler l’opinion est à retrouver sur 01net.com.]]> 2022-08-05T11:34:14+00:00 https://www.01net.com/actualites/meta-a-chasse-des-centaines-de-trolls-russes-aux-pieds-nickeles.html www.secnews.physaphae.fr/article.php?IdArticle=6141252 False None APT 15 None CISCO Talos - Cisco Research blog Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns By Edmund Brumaghin, Azim Khodjibaev and Matt Thaxton, with contributions from Arnaud Zobec.Executive SummaryDark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries.It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems.Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention.Since its initial release, we've observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining.What is "Dark Utilities?"In early 2022, a new C2 platform called "Dark Utilities" was established, offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The operators of the service also established Discord and Telegram communities where they provide technical support and assistance for customers on the platform.Dark Utilities provides payloads consisting of code that is executed on victim systems, allowing them to be registered with the service and establish a command and control (C2) communications channel. The platform currently supports Windows, Linux and Python-based payloads, allowing adversaries to target multiple architectures without requiring significant development resources. 
During our analysis, we observed efforts underway to expand OS and system architecture support as the platform continues to see ongoing develo]]> 2022-08-04T08:00:13+00:00 http://blog.talosintelligence.com/2022/08/dark-utilities.html www.secnews.physaphae.fr/article.php?IdArticle=6123175 False Spam,Malware,Hack,Tool,Threat,Guideline APT 19 None CISCO Talos - Cisco Research blog Manjusaka: A Chinese sibling of Sliver and Cobalt Strike By Asheer Malhotra and Vitor Ventura.Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework.The implants for the new malware family are written in the Rust language for Windows and Linux.A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints.We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.IntroductionCisco Talos has discovered a relatively new attack framework called "Manjusaka" (which can be translated to "cow flower" from the Simplified Chinese writing) by their authors, being used in the wild.As defenders, it is important to keep track of offensive frameworks such as Cobalt Strike and Sliver so that enterprises can effectively defend against attacks employing these tools. 
Although we haven't observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world. This disclosure from Talos intends to provide early notification of the usage of Manjusaka. We also detail the framework's capabilities and the campaign that led to the discovery of this attack framework in the wild.The research started with a malicious Microsoft Word document (maldoc) that contained a Cobalt Strike (CS) beacon. The lure on this document mentioned a COVID-19 outbreak in Golmud City, one of the largest cities in the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. During the investigation, Cisco Talos found no direct link between the campaign and the framework developers, aside from the usage of the framework (which is freely available on GitHub). However, we could not find any data that could support victimology definition. This is justifiable considering there's a low number of victims, indicating the early stages of the campaign, further supported by the maldoc metadata that indicates it was created in the second half of June 2022.While investigating the maldoc infection chain, we found an implant used to instrument Manjusaka infections, contacting the same IP address as the CS beacon. This implant is written in the Rust programming language and we found samples for Windows and Linux operating systems. The Windows implant included test samples, which had non-internet-routable IP addresses as command and control (C2). Talos also discovered the Manjusaka C2 executable - a fully functional C2 ELF binary written in GoLang with a User Interface in Simplified Chinese - on GitHub. While analyzing the C2, we generated implants by specifying our configurations. 
The developer advertises it has an advers]]> 2022-08-02T08:00:14+00:00 http://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html www.secnews.physaphae.fr/article.php?IdArticle=6089620 False Malware,Threat,Guideline APT 19 None CISCO Talos - Cisco Research blog Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products By Francesco Benvenuto. Recently, I was performing some research on a wireless router and noticed the following piece of code: ]]> 2022-07-27T12:22:17+00:00 http://blog.talosintelligence.com/2022/07/vulnerability-spotlight-how-code-re-use.html www.secnews.physaphae.fr/article.php?IdArticle=5973224 False Vulnerability,Guideline,Medical APT 38,APT 19 None Dark Reading - Informationweek Branch Lax Security Fuels Massive 8220 Gang Botnet Army Surge 2022-07-20T19:46:17+00:00 https://www.darkreading.com/application-security/lax-security-fuels-cloud-botnet-army-surge www.secnews.physaphae.fr/article.php?IdArticle=5837722 False Threat APT 17 None SANS Institute - SANS est un acteur de defense et formation Using Referers to Detect Phishing Attacks, (Wed, Jul 13th) 2022-07-13T11:27:07+00:00 https://isc.sans.edu/diary/rss/28836 www.secnews.physaphae.fr/article.php?IdArticle=5691329 False None APT 19 None