www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. It's a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2025-05-10T18:36:10+00:00 www.secnews.physaphae.fr Global Security Mag - French news site Major cyberattack: 40 GB of Peugeot customer data in the hands of the Cicada 3301 hackers Malwares
Major cyberattack: 40 GB of Peugeot customer data in the hands of the Cicada 3301 hackers - Malwares
2024-12-24T13:13:55+00:00 https://www.globalsecuritymag.fr/cyberattaque-majeure-40-go-de-donnees-clients-peugeot-aux-mains-des-hackers-de.html www.secnews.physaphae.fr/article.php?IdArticle=8629519 False None APT 10 4.0000000000000000
Zataz - French security magazine The Cicada 3301 group's hackers claim an attack on Peugeot dealerships The malicious hacker group Cicada 3301 is threatening Peugeot after allegedly stealing 40 GB of data linked to its dealerships. Planned release: 6 January 2025.... 2024-12-22T19:03:49+00:00 https://www.zataz.com/les-pirates-du-groupe-cicada-3301-revendiquent-une-attaque-contre-les-concessions-peugeot/ www.secnews.physaphae.fr/article.php?IdArticle=8628803 False None APT 10 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 25 November 2024 2024-11-25T12:11:18+00:00 https://community.riskiq.com/article/2bbfcf8e www.secnews.physaphae.fr/article.php?IdArticle=8617686 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching,Industrial,Prediction,Cloud APT 10 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella 2024-11-19T21:54:53+00:00 https://community.riskiq.com/article/e1cbba96 www.secnews.physaphae.fr/article.php?IdArticle=8614334 False Malware,Tool,Vulnerability,Threat,Prediction APT 10 2.0000000000000000 TrendMicro - Security Firm Blog Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella LODEINFO is a malware used in attacks targeting mainly Japan since 2019. Trend Micro has been tracking the group as Earth Kasha.
We have identified a new campaign connected to this group with significant updates to their strategy, tactics, and arsenals. 2024-11-19T00:00:00+00:00 https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html www.secnews.physaphae.fr/article.php?IdArticle=8613956 False Malware,Prediction APT 10 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 14 October 2024 2024-10-14T21:26:20+00:00 https://community.riskiq.com/article/cd213500 www.secnews.physaphae.fr/article.php?IdArticle=8597846 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching,Industrial,Medical,Cloud APT 29,APT 10,GoldenJackal 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) CUCKOO SPEAR Part 2: Threat Actor Arsenal 2024-10-07T19:22:45+00:00 https://community.riskiq.com/article/d47fc595 www.secnews.physaphae.fr/article.php?IdArticle=8593838 False Malware,Tool,Threat,Industrial,Cloud APT 10 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 23 September 2024 2024-09-23T16:05:03+00:00 https://community.riskiq.com/article/2cc779bd www.secnews.physaphae.fr/article.php?IdArticle=8583096 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Industrial,Prediction,Cloud,Conference APT 10 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) CUCKOO SPEAR Part 1: Analyzing NOOPDOOR from an IR Perspective 2024-09-20T13:20:01+00:00 https://community.riskiq.com/article/8f34c36c www.secnews.physaphae.fr/article.php?IdArticle=8580523 False Malware,Tool,Threat,Industrial,Commercial APT 10 2.0000000000000000 Contagio - Ransomware news site 2024-08-30 Cicada ESXi Ransomware Sample 2024-08-30 Truesec: Dissecting the Cicada (ransomware) ESXi ransomware Cicada3301, a ransomware group
first detected in June 2024, appears to be a rebranded or derived version of the ALPHV ransomware group, using a Ransomware-as-a-Service (RaaS) model. The ransomware, written in Rust, targets Windows and Linux/ESXi environments, using ChaCha20 for encryption. Technical analysis reveals several key similarities with ALPHV: both use almost identical command structures to shut down virtual machines and delete snapshots, and they share a similar file-naming convention. The ransomware's binary is an ELF file, with its Rust origin confirmed by string references and an inspection of the .comment section. Key parameters include Sleep, which delays the ransomware's execution, and ui, which displays encryption progress on screen. The key parameter is crucial for decryption; if it is not supplied or is incorrect, the ransomware stops running. The main function, linux_enc, starts the encryption process by generating a random key using osrng. Files larger than 100 MB are encrypted in pieces, while smaller files are encrypted in full using ChaCha20. The ChaCha20 key is then secured with an RSA public key and appended, together with a specific file extension, to the end of the encrypted file. Initial access appears to be facilitated by the Brutus botnet, with threat actors using stolen or brute-forced credentials to gain access via ScreenConnect. The IP address associated with this attack is linked to the Brutus botnet, raising the possibility of a direct connection between the botnet operators and Cicada3301. The ransomware also has a decryption verification routine, in which an encoded and encrypted ransom note stored in the binary is decrypted with the supplied key, validating that decryption is correct.
Download. (Email me if you need the password scheme) 2024-09-07T17:31:39+00:00 https://contagiodump.blogspot.com/2024/09/2024-08-30-cicada-esxi-ransomware-sample.html www.secnews.physaphae.fr/article.php?IdArticle=8572211 False Ransomware,Threat,Technical APT 10 2.0000000000000000 The State of Security - American magazine Cicada Ransomware - What You Need To Know What is the Cicada ransomware? Cicada (also known as Cicada3301) is sophisticated ransomware written in Rust that has claimed more than 20 victims since its discovery in June 2024. Why is the ransomware called Cicada? The criminals behind Cicada appear to have named it after the mysterious Cicada 3301 puzzles posted on the internet between 2012 and 2014, seemingly to recruit highly intelligent individuals. Of course, there is no reason to believe that the ransomware is in any fashion related to the enigmatic puzzles that appeared a decade before it - other than through the name.
Fair enough... 2024-09-05T09:54:06+00:00 https://www.tripwire.com/state-of-security/cicada-ransomware-what-you-need-know www.secnews.physaphae.fr/article.php?IdArticle=8570547 False Ransomware APT 10 2.0000000000000000 The Register - English news site Cicada ransomware may be a BlackCat/ALPHV rebrand and upgrade Researchers find many similarities, and nasty new customizations such as embedded compromised user credentials The Cicada3301 ransomware, which has claimed at least 20 victims since it was spotted in June, shares "striking similarities" with the notorious BlackCat ransomware, according to security researchers at Israeli endpoint security outfit Morphisec.… 2024-09-04T14:29:06+00:00 https://go.theregister.com/feed/www.theregister.com/2024/09/04/cicada_ransomware_blackcat_links/ www.secnews.physaphae.fr/article.php?IdArticle=8569778 False Ransomware APT 10 2.0000000000000000 TrendLabs Security - Antivirus vendor Attackers in Profile: menuPass and ALPHV/BlackCat To test the effectiveness of managed services like our Trend Micro managed detection and response offering, MITRE Engenuity™ combined the tools, techniques, and practices of two globally notorious bad actors: menuPass and ALPHV/BlackCat.
This blog tells the story of why they were chosen and what makes them threats to be reckoned with. 2024-06-26T00:00:00+00:00 https://www.trendmicro.com/en_us/research/24/f/menupass-alphv-blackcat-threats.html www.secnews.physaphae.fr/article.php?IdArticle=8526072 False Tool,Prediction APT 10 3.0000000000000000 BlackBerry - Hardware and software manufacturer BlackBerry Effective Against BlackCat/ALPHV and menuPass in MITRE ATT&CK Evaluations BlackBerry recently participated in the MITRE Engenuity ATT&CK Evaluations for Managed Services. This round of independent testing emulated the BlackCat/ALPHV and menuPass threat groups, highlighting the need for robust, adaptive security solutions in the face of sophisticated adversaries. 2024-06-18T05:00:00+00:00 https://blogs.blackberry.com/en/2024/06/blackberry-effective-against-blackcat-alphv-and-menupass-in-mitre-attack-evaluations www.secnews.physaphae.fr/article.php?IdArticle=8520543 False Threat APT 10 2.0000000000000000 TrendLabs Security - Antivirus vendor Not Just Another 100% Score: MITRE Engenuity ATT&CK The latest MITRE Engenuity ATT&CK Evaluations pitted leading managed detection and response (MDR) services against threats modeled on the menuPass and BlackCat/AlphV adversary groups.
Trend Micro achieved 100% detection across all 15 major attack steps with an 86% actionable rate for those steps, balancing detections and business priorities including operational continuity and minimized disruption. 2024-06-18T00:00:00+00:00 https://www.trendmicro.com/en_us/research/24/f/mitre-enginuity-attack-evaluations.html www.secnews.physaphae.fr/article.php?IdArticle=8520494 False Prediction APT 10 2.0000000000000000 Bleeping Computer - American magazine Hackers use VPN provider's code certificate to sign malware The China-aligned APT (advanced persistent threat) group known as 'Bronze Starlight' was seen targeting the Southeast Asian gambling industry with malware signed using a valid certificate used by the Ivacy VPN provider. [...] 2023-08-19T10:07:14+00:00 https://www.bleepingcomputer.com/news/security/hackers-use-vpn-providers-code-certificate-to-sign-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8372468 False Malware APT 10 3.0000000000000000 AlienVault Lab Blog - AlienVault is a major defensive player in IOCs SeroXen RAT for sale github page to provide user support or employee monitoring. It has been historically associated with malicious activity performed by threat actors, APT groups (like in this Mandiant report from 2017), or government attacks (in this report by Unit42 in 2017). It was first released in July 2014 as “xRAT” and renamed to “Quasar” in August 2015. Since then, updates to the code have been released up to v1.4.1 in March 2023, which is the most current version. As an open-source RAT tool with updates 9 years after its creation, it is no surprise that it continues to be a common tool used by itself or combined with other payloads by threat actors up to this day. In a review of the most recent samples, a new Quasar variant was observed by Alien Labs in the wild: SeroXen.
This new RAT is a modified branch of the open-source version, adding some modifications and features to the original RAT. They're selling it for a monthly or lifetime fee. Figure 1 contains some of the features advertised on their website. Figure 1. SeroXen features announced on its website. This new RAT first showed up on a Twitter account, established in September 2022. The person advertising the RAT appeared to be an English-speaking teenager. The same Twitter handle published a review of the RAT on YouTube. The video approached the review from an attacking/Red Team point of view, encouraging people to buy the tool because it is worth the money. They were claiming to be a reseller of the tool. In December 2022, a specific domain was registered to market/sell the tool, seroxen[.]com. The RAT was distributed via a monthly license for $30 USD or a lifetime license of $60 USD. It was around that time that the malware was first observed in the wild, appearing with 0 detections on VirusTotal. After a few months, on the 1st of February, the YouTuber CyberSec Zaado published a video alerting the community about the capabilities of the RAT from a defensive perspective. In late February, the RAT was advertised on social media platforms such as TikTok, Twitter, YouTube, and several cracking forums, including hackforums. There were some conversations on gaming forums complaining about being infected by malware after downloading some video games. The artifacts described by the users matched with SeroXen RAT. The threat actor updated the domain name to seroxen[.]net by the end of March.
This domain name was registered on March 27th 2023-05-30T22:00:00+00:00 https://cybersecurity.att.com/blogs/labs-research/seroxen-rat-for-sale www.secnews.physaphae.fr/article.php?IdArticle=8340743 False Malware,Tool,Threat Uber,APT 10 2.0000000000000000 GoogleSec - Firm Security Blog Making authentication faster than ever: passkeys vs. passwords Google announced its next step toward a passwordless future: passkeys. Passkeys are a new, passwordless authentication method that offer a convenient authentication experience for sites and apps, using just a fingerprint, face scan or other screen lock. They are designed to enhance online security for users. Because they are based on the public key cryptographic protocols that underpin security keys, they are resistant to phishing and other online attacks, making them more secure than SMS, app based one-time passwords and other forms of multi-factor authentication (MFA). And since passkeys are standardized, a single implementation enables a passwordless experience across browsers and operating systems. Passkeys can be used in two different ways: on the same device or from a different device. For example, if you need to sign in to a website on an Android device and you have a passkey stored on that same device, then using it only involves unlocking the phone. On the other hand, if you need to sign in to that website on the Chrome browser on your computer, you simply scan a QR code to connect the phone and computer to use the passkey. The technology behind the former (“same device passkey”) is not new: it was originally developed within the FIDO Alliance and first implemented by Google in August 2019 in select flows. Google and other FIDO members have been working together on enhancing the underlying technology of passkeys over the last few years to improve their usability and convenience.
The technology behind passkeys allows users to log in to their account using any form of device-based user verification, such as biometrics or a PIN code. A credential is only registered once on a user's personal device, and then the device proves possession of the registered credential to the remote server by asking the user to use their device's screen lock. The user's biometric, or other screen lock data, is never sent to Google's servers - it stays securely stored on the device, and only cryptographic proof that the user has correctly provided it is sent to Google. Passkeys are also created and stored on your devices and are not sent to websites or apps. If you create a passkey on one device the Google Password Manager can make it available on your other devices that are signed into the same system account. Learn more on how passkey works under the hoo 2023-05-05T12:00:43+00:00 http://security.googleblog.com/2023/05/making-authentication-faster-than-ever.html www.secnews.physaphae.fr/article.php?IdArticle=8333804 False None APT 38,APT 15,APT 10,Guam 2.0000000000000000 The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
Chinese Hackers Using New Stealthy Infection Chain to Deploy LODEINFO Malware 2022-11-01T20:45:00+00:00 https://thehackernews.com/2022/11/chinese-hackers-using-new-stealthy.html www.secnews.physaphae.fr/article.php?IdArticle=7766451 False Malware,Threat APT 10 None Bleeping Computer - American magazine Hacking group abuses antivirus software to launch LODEINFO malware 2022-10-31T11:34:52+00:00 https://www.bleepingcomputer.com/news/security/hacking-group-abuses-antivirus-software-to-launch-lodeinfo-malware/ www.secnews.physaphae.fr/article.php?IdArticle=7755377 False Malware APT 10 None Kaspersky - Kaspersky Research blog APT10: Tracking down LODEINFO 2022, part II 2022-10-31T08:00:54+00:00 https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/ www.secnews.physaphae.fr/article.php?IdArticle=7751558 False None APT 10 None Kaspersky - Kaspersky Research blog APT10: Tracking down LODEINFO 2022, part I 2022-10-31T08:00:52+00:00 https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/ www.secnews.physaphae.fr/article.php?IdArticle=7751559 False None APT 10 None CISCO Talos - Cisco Research blog The benefits of taking an intent-based approach to detecting Business Email Compromise By Abhishek Singh. BEC is a multi-stage attack. Adversaries first identify targets, then they establish rapport with the victim before exploiting them for whatever their end goal is. In the case of BEC, a threat actor can impersonate any employee in the organization to trick targets. A policy that checks for authorized email addresses of the sender can prevent BEC attacks. However, scaling the approach for every employee in a large organization is a challenge. Building an executive profile based on email analysis using a machine learning model and scanning emails against that profile will detect BEC. Data collection for building and training machine learning algorithms can take time, though, opening a window of opportunity for threat actors to exploit.
Detection of exploitation techniques such as lookalike domains and any differences in the email addresses in the "From" and "Reply-to" fields can also detect BEC messages. However, the final verdict cannot account for the threat actor's intent. The intent-based approach detects BEC and then classifies it into the type of scam. It catches BEC messages, irrespective of whether a threat actor is impersonating a C-level executive or any employee in an organization. Classification based on the type of scam can help identify which segment of an organization was targeted and which employees were being impersonated by the threat actor. The additional information will further assist in better designing preventive features to stop BEC. Business email compromise (BEC) is one of the most financially damaging online crimes. As per the 2021 Internet Crime Report, the total loss in 2021 due to BEC is around 2.4 billion dollars. Since 2013, BEC has resulted in a 43 billion dollar loss. The report defines BEC as a scam targeting businesses (not individuals) working with foreign suppliers and companies regularly performing wire transfer payments. Fraudsters carry out these sophisticated scams to conduct the unauthorized transfer of funds. This introduces the challenge of how to detect and block these campaigns as they continue to compromise organizations successfully. There are a variety of approaches to identifying BEC email messages, such as using policy to allow emails from authorized email addresses, detecting exploitation techniques used by threat actors, building profiles by analysis of emails, and validating against the profile to detect BEC. These approaches have a variety of limitations or shortcomings. Cisco Talos is taking a different approach and using an intent-based model to identify and block BEC messages.
Before we get too deep into the intent-based model, let's take a deeper look at the commonly used approaches to block BEC, from the simplistic through machine learning (ML) approaches. Policy-based detection The first place to start is with policy-based detection, as it is one of the most common and simplistic approaches to blocking BEC campaigns. Let's start by looking at an example of a BEC email. 2022-10-18T08:41:18+00:00 http://blog.talosintelligence.com/2022/10/the-benefits-of-taking-intent-based.html www.secnews.physaphae.fr/article.php?IdArticle=7540074 False Threat,Medical,Cloud Yahoo,Uber,APT 38,APT 37,APT 29,APT 19,APT 15,APT 10 None Security Affairs - Security blog Linux Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group Researchers link recently discovered Linux ransomware Cheerscrypt to the China-linked cyberespionage group DEV-0401. Researchers at cybersecurity firm Sygnia attributed the recently discovered Linux ransomware Cheerscrypt to the China-linked cyber espionage group Bronze Starlight (aka DEV-0401, APT10). Bronze Starlight has been active since mid-2021; in June, researchers from Secureworks reported that the APT group is deploying […] 2022-10-04T07:05:05+00:00 https://securityaffairs.co/wordpress/136611/malware/apt10-cheerscrypt-ransomware.html www.secnews.physaphae.fr/article.php?IdArticle=7293585 False Ransomware APT 10 None CISCO Talos - Cisco Research blog Ukraine and the fragility of agriculture security By Joe Marshall. The war in Ukraine has had far-reaching global implications and one of the most immediate effects felt will be on the global supply chain for food. This war-induced fragility has exposed the weaknesses of how we feed ourselves globally. Ransomware cartels and other adversaries are well aware of this and are actively exploiting that fragility. For the past six years, Cisco Talos has been actively involved in assisting public and private institutions in Ukraine to defend themselves against state-sponsored actors.
Our involvement stretches the gamut from commercial to critical infrastructure, to election security. Our presence has afforded us unique opportunities and observations about cybersecurity in a macro and micro way. Ukraine has been a frequent victim of state-sponsored cyber attacks aimed at critical infrastructures like power and transportation. Talos is proud to stand with our partners in Ukraine and help defend their critical networks and help users there maintain access to necessary services. Now that Russia has invaded Ukraine, those threats have escalated to kinetic attacks that are wreaking havoc on a critical element of our world: agriculture and our global food supply chain. Even worse is the implications this war will have for future cyber attacks, as fragility is considered a lucrative element in deciding victimology by threat actors like ransomware cartels. To truly grasp the implications of the war in Ukraine, we have to examine how vital Ukrainian agriculture feeds the world, the current state of affairs, and what this means for the global cybersecurity posture to protect agricultural assets. Where there is weakness, there is opportunity. Ransomware cartels and their affiliates are actively targeting the agricultural industry. Moreover, these actors have done their homework and are targeting agricultural companies during the two times of the year where they cannot suffer disruptions: planting and harvesting. Per the published FBI PIN Alert: “Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production.” This is far from unusual for these adversaries - they are shrewd and calculating, and understand their victims' weaknesses and industries.
2022-08-18T08:00:00+00:00 http://blog.talosintelligence.com/2022/08/ukraine-and-fragility-of-agriculture.html www.secnews.physaphae.fr/article.php?IdArticle=6392803 False Ransomware,Threat,Guideline,Cloud NotPetya,Uber,APT 37,APT 32,APT 28,APT 10,APT 21,Guam None NoticeBored - Experienced IT Security professional CISO workshop slides glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady eye this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142): 2022-08-06T10:46:21+00:00 http://blog.noticebored.com/2022/08/a-glossy-nicely-constructed-and.html www.secnews.physaphae.fr/article.php?IdArticle=6150878 False Malware,Vulnerability,Threat,Patching,Guideline,Medical,Cloud Uber,APT 38,APT 37,APT 28,APT 19,APT 15,APT 10,APT 34,Guam None NoticeBored - Experienced IT Security professional Complexity, simplified Online Safety Bill. It is written in extreme legalese, peppered with strange terms defined in excruciating detail, and littered with internal and external cross-references, hardly any of which are hyperlinked e.g. 2022-07-10T13:41:08+00:00 http://blog.noticebored.com/2022/07/complexity-simplified.html www.secnews.physaphae.fr/article.php?IdArticle=5638390 False Guideline APT 10 None Security Affairs - Security blog China-linked APT Bronze Starlight deploys ransomware as a smokescreen China-linked APT Bronze Starlight is deploying post-intrusion ransomware families as a diversionary action to its cyber espionage operations.
Researchers from Secureworks reported that a China-linked APT group, tracked as Bronze Starlight (APT10), is deploying post-intrusion ransomware families to cover up the cyber espionage operations. The experts observed an activity cluster involving post-intrusion ransomware such as […] 2022-06-26T13:40:00+00:00 https://securityaffairs.co/wordpress/132624/apt/bronze-starlight-deploy-ransomware.html www.secnews.physaphae.fr/article.php?IdArticle=5401371 False Ransomware APT 10 None NoticeBored - Experienced IT Security professional The sadly neglected Risk Treatment Plan For some curious reason, the Statement of Applicability steals the limelight in the ISO27k world, despite being little more than a formality. Having recently blogged about the dreaded SoA, 'nuff said on that. Today I'm picking up on the SoA's shy little brother, the Risk Treatment Plan. There's a lot to say and think about here, so coffee-up, settle-down, sit forward and zone-in. ISO/IEC 27001 barely even acknowledges the RTP. Here are the first two mentions, tucked discreetly under clause 6.1.3: 2022-06-24T13:40:08+00:00 http://blog.noticebored.com/2022/06/the-sadly-neglected-risk-treatment-plan.html www.secnews.physaphae.fr/article.php?IdArticle=5350915 False Threat,Guideline APT 19,APT 10 4.0000000000000000 Anomali - Firm Blog Anomali Cyber Watch: Time-to-Ransom Under Four Hours, Mustang Panda Spies on Russia, Ricochet Chollima Sends Goldbackdoor to Journalists, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity (published: April 28, 2022) ESET researchers found three different teams under China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security).
ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019. Infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog’s infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs). Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. 
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Inter-Process Communication - T1559 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Process Injection - T1055 2022-05-03T16:31:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-time-to-ransom-under-four-hours-mustang-panda-spies-on-russia-ricochet-chollima-sends-goldbackdoor-to-journalists-and-more www.secnews.physaphae.fr/article.php?IdArticle=4538825 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Cloud APT 37,APT 10,APT 10 None The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) Researchers Trace Widespread Espionage Attacks Back to Chinese 'Cicada' Hackers 2022-04-05T03:11:07+00:00 https://thehackernews.com/2022/04/researchers-trace-widespread-espionage.html www.secnews.physaphae.fr/article.php?IdArticle=4398270 False Threat APT 10 None Security Affairs - Security blog China-linked APT10 Targets Taiwan's financial trading industry 2022-02-22T13:20:44+00:00 https://securityaffairs.co/wordpress/128273/apt/apt10-targets-taiwan-financial-trading.html?utm_source=rss&utm_medium=rss&utm_campaign=apt10-targets-taiwan-financial-trading www.secnews.physaphae.fr/article.php?IdArticle=4166388 False None APT 10,APT 10 None The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
Chinese Hackers Target Taiwan's Financial Trading Sector with Supply Chain Attack 2022-02-22T00:11:01+00:00 https://thehackernews.com/2022/02/chinese-hackers-target-taiwans.html www.secnews.physaphae.fr/article.php?IdArticle=4165848 False Threat APT 10,APT 10 None CybeReason - Vendor blog Malicious Life Podcast: The Mystery of Cicada 3301 "Hello. We are looking for highly intelligent individuals. To find them, we have devised a test…" These words, found in a message posted on 4Chan in January 2012, started a global treasure hunt, with thousands of crypto-puzzle-loving and curious individuals desperately competing with one another to be the first to crack the devilish puzzles created by the mysterious Cicada 3301. Who is Cicada3301, and what are their goals? Check it out… 2022-01-18T14:18:17+00:00 https://www.cybereason.com/blog/malicious-life-podcast-the-mystery-of-cicada-3301 www.secnews.physaphae.fr/article.php?IdArticle=3986932 False None APT 10 None Anomali - Firm Blog Anomali Cyber Watch: Thousands attacked as REvil ransomware hijacks Kaseya VSA, Leaked Babuk Locker Ransomware Builder Used In New Attacks and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Shutdown Kaseya VSA Servers Now Amidst Cascading REvil Attack Against MSPs, Clients (published: July 4, 2021) A severe ransomware attack reportedly took place against the popular remote monitoring and management (RMM) software tool Kaseya VSA. On July 2, 2021, Kaseya urged users to shut down their VSA servers to prevent them from being compromised. The company estimated that fewer than 40 of their customers worldwide were affected, but as some of them were managed service providers (MSPs), over 1,000 businesses were infected. The majority of known victims are in the US with some in Europe (Sweden) and New Zealand.
The attackers exploited a zero-day vulnerability in Kaseya’s systems that the company was in the process of fixing. It was part of the administrative interface vulnerabilities in tools for system administration previously identified by Wietse Boonstra, a DIVD researcher. The REvil payload was delivered via Kaseya software using a custom dropper that dropped two files. A dropper opens an old but legitimate copy of Windows Defender (MsMpEng.exe) that then side loads and executes the custom malicious loader's export. The attack coincided with the start of the US Independence Day weekend, and has several politically-charged strings, such as “BlackLivesMatter” Windows registry key and “DTrump4ever” as a password. Analyst Comment: Kaseya VSA clients should safely follow the company’s recommendations as it advised shutting Kaseya VSA servers down, and is making new security updates available. Every organization should have a ransomware disaster recovery plan even if it is serviced by a managed service provider (MSP). MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] DLL Side-Loading - T1073 Tags: REvil, Sodinokibi, Gandcrab, Leafroller, Kaseya VSA, ransomware, Ransomware-as-a- Service, zero-day, CVE-2021-30116, supply-chain, North America, USA, Sweden, New Zealand, MSP, RMM, schools IndigoZebra APT Continues To Attack Central Asia With Evolving Tools (published: July 1, 2021) Researchers from Check Point have identified the Afghan Government as the latest victim in a cyber espionage campaign by the suspected Chinese group ‘IndigoZebra’. This attack began in April when Afghan National Security Council (NSC) officials began to receive lure emails claiming to be from the President’s secretariat. These emails included a decoy file that would install the backdoor ‘BoxCaon’ on the system before reaching out to the Dropbox API to act as a C&C server. 
The attacker would then be able to fingerprint the machine and begin accessing files. I]]> 2021-07-06T15:05:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-thousands-attacked-as-revil-ransomware-hijacks-kaseya-vsa-leaked-babuk-locker-ransomware-builder-used-in-new-attacks-and-more www.secnews.physaphae.fr/article.php?IdArticle=3028191 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Guideline APT 19,APT 10 None Wired Threat Level - Security News I\'m a Cicada. You\'re a Horny Human. We Are Not the Same 2021-05-30T11:00:00+00:00 https://www.wired.com/story/cicada-horny-human-not-the-same www.secnews.physaphae.fr/article.php?IdArticle=2859098 False None APT 10 None Wired Threat Level - Security News We Hiked Along With Cicada Biologists So You Don\'t Have To 2021-05-21T11:00:00+00:00 https://www.wired.com/story/we-hiked-along-with-cicada-biologists-so-you-dont-have-to www.secnews.physaphae.fr/article.php?IdArticle=2820045 False None APT 10 None Wired Threat Level - Security News The Cicadas Are Coming. Let\'s Eat Them! 2021-05-11T11:00:00+00:00 https://www.wired.com/story/eating-cicadas-brood-x www.secnews.physaphae.fr/article.php?IdArticle=2766856 False None APT 10 3.0000000000000000 Anomali - Firm Blog Anomali Cyber Watch:  APT Groups, Data Breach, Malspam, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence The Leap of a Cycldek-Related Threat Actor (published: April 5, 2021) A new sophisticated Chinese campaign was observed between June 2020 and January 2021, targeting government, military and other critical industries in Vietnam, and, to lesser extent, in Central Asia and Thailand. 
This threat actor uses a "DLL side-loading triad" previously mastered by another Chinese group, LuckyMouse: a legitimate executable, a malicious DLL to be sideloaded by it, and an encoded payload, generally dropped from a self-extracting archive. But the code origins of the new malware used on different stages of this campaign point to a different Chinese-speaking group, Cycldek. Analyst Comment: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). MITRE ATT&CK: [MITRE ATT&CK] DLL Side-Loading - T1073 | [MITRE ATT&CK] File Deletion - T1107 Tags: Chinese-speaking, Cycldek-related Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool (published: April 1, 2021) Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe or TA511. Initial infection includes target clicking malspam, then clicking on a link in an opened Google Docs page, and finally clicking to enable macros in the downloaded Word document. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. It generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic. Analyst Comment: Organizations should use email security solutions to block malicious/spam emails. All email attachments should be scanned for malware before they reach the user's inbox. IPS rules need to be configured properly to identify any reconnaissance attempts e.g. port scan to get early indication of potential breach. 
MITRE ATT&CK: [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Rundll32 - T1085 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] System Information Discovery - T1082 Tags: Hancitor, Malspam, Cobalt Strike ]]> 2021-04-06T16:57:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt-groups-data-breach-malspam-and-more www.secnews.physaphae.fr/article.php?IdArticle=2593638 False Malware,Tool,Vulnerability,Threat,Conference APT 35,APT 10 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Hackers are implanting multiple backdoors at industrial targets in Japan ]]> 2021-03-31T01:42:43+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/M8y5bq-NcEM/hackers-are-implanting-multiple.html www.secnews.physaphae.fr/article.php?IdArticle=2565387 False Malware APT 10,APT 10 None Kaspersky - Kaspersky Research blog APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign 2021-03-30T10:00:07+00:00 https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/ www.secnews.physaphae.fr/article.php?IdArticle=2560457 False Malware APT 10 5.0000000000000000 Security Affairs - Blog Secu China-linked APT10 leverages ZeroLogon exploits in recent attacks 2020-11-18T20:27:53+00:00 https://securityaffairs.co/wordpress/111138/apt/apt10-zerologon-attacks.html?utm_source=rss&utm_medium=rss&utm_campaign=apt10-zerologon-attacks www.secnews.physaphae.fr/article.php?IdArticle=2043021 False Threat APT 10 None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Healthcare cybersecurity for 2020 and beyond These days, effective cybersecurity in healthcare is as critical as ever. Last year, more than 32 million patients had their personal and medical information stolen in data breaches across the United States. 
While moves are being made, the fact remains that healthcare providers still have many holes to plug when it comes to the illegal or accidental outpouring of patient data. The issue is that current problems need to be solved now before hackers move on to new, more advanced attack strategies. The good news is that there are many methods currently available to mitigate the chances of data leakage if medical professionals are proactive enough to enforce them. HIPAA on the front lines When patients visit the doctor, they expect to go to a safe place where their best interests are always the top priority. To foster that confidence, the Health Insurance Portability and Accountability Act was created to protect patient data while also giving the patients control over who can see their information. Along with HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, encourages medical practices also to ensure that all technology they use is protected to eliminate wrongful data leakage. Medical records contain an abundance of private information that can be used for any number of malicious means. Full medical records can often go for $1000 on the black market where the addresses, social security numbers, and financial information within can be used to create fake identification or take out large loans that can leave the patient in debt. If a hacker catches wind of a patient’s surgery date, they can even attempt to shut down hospital functions until a ransom is paid, like the $14K one paid by Columbia Surgical Specialists. For these security reasons and to retain the trust of the patients, proper data security is essential, and it starts on the front lines. Nurse leaders should train their staff on how to retain patient confidentiality properly. When discussing the patients near the front desk, only use first names, and conversations should be had behind a closed door or as quietly as possible. 
Hard copies of patent data should never be left lying around, and your printer should be set to print pages facing down. The last thing you need is to have security precautions in place but still allow a criminal to simply walk up and take private information out of the office. Proper record keeping Because hackers have so much to gain from stealing patient data, proper record-keeping is essential. Per HIPAA, medical records are required to be kept between five to 10 years, based on the state and the patient’s last treatment or discharge. If paperwork is to be discarded, it must be properly shredded. If you keep paper records, they must be stored in locked cabinet]]> 2020-01-07T14:00:00+00:00 https://feeds.feedblitz.com/~/615057256/0/alienvault-blogs~Healthcare-cybersecurity-for-and-beyond www.secnews.physaphae.fr/article.php?IdArticle=1497829 False Threat,Guideline APT 10 None InformationSecurityBuzzNews - Site de News Securite US Utility Firms Targeted By Spear-phishing Campaign – Comments US Utility Firms Targeted By Spear-phishing Campaign – Comments]]> 2019-09-24T14:54:31+00:00 https://www.informationsecuritybuzz.com/expert-comments/us-utility-firms-targeted-by-spear-phishing-campaign-comments/ www.secnews.physaphae.fr/article.php?IdArticle=1358610 False None APT 10 None ZD Net - Magazine Info APT-doxing group exposes APT17 as Jinan bureau of China\'s Security Ministry 2019-07-24T18:24:00+00:00 https://www.zdnet.com/article/apt-doxing-group-expose-apt17-as-jinan-bureau-of-chinas-security-ministry/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=1221757 False None APT 17,APT 10,APT 3 None SecurityWeek - Security News Industry Reactions to Nation-State Hacking of Global Telcos 2019-06-28T13:19:00+00:00 https://www.securityweek.com/industry-reactions-nation-state-hacking-global-telcos www.secnews.physaphae.fr/article.php?IdArticle=1179006 False None APT 10 None SecurityWeek - Security News New APT10 Activity Detected in Southeast Asia 
2019-05-28T16:27:04+00:00 https://www.securityweek.com/new-apt10-activity-detected-southeast-asia www.secnews.physaphae.fr/article.php?IdArticle=1129548 False None APT 10 None Security Affairs - Blog Secu APT10 is back with two new loaders and new versions of known payloads 2019-05-28T05:48:02+00:00 https://securityaffairs.co/wordpress/86213/apt/apt10-new-loaders.html www.secnews.physaphae.fr/article.php?IdArticle=1128559 False Malware APT 10 None InformationSecurityBuzzNews - Site de News Securite APT10 Targeted Norwegian MSP And US Companies In Sustained Cyber Attack APT10 Targeted Norwegian MSP And US Companies In Sustained Cyber Attack]]> 2019-02-11T21:30:02+00:00 https://www.informationsecuritybuzz.com/expert-comments/apt10-targeted-norwegian/ www.secnews.physaphae.fr/article.php?IdArticle=1023008 False None APT 10 None ZD Net - Magazine Info China hacked Norway\'s Visma cloud software provider 2019-02-06T15:01:00+00:00 https://www.zdnet.com/article/china-hacked-norways-visma-cloud-software-provider/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=1020001 False None APT 10 None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC APT10 Group Targets Multiple Sectors, But Seems to Really Love MSSPs Threat Actors That Don’t Discriminate  When it comes to threat actors and the malware variants they use, let’s talk dating — or rather, the way people date — because one could argue there are marked similarities between the two. You see, there are criminal groups who have a “type,” i.e. using malware that targets specific industries or even organizations — say, financial services (ever-popular and oh-so debonair) or perhaps critical infrastructure (spicy and daring!), or even healthcare for those who prefer staid and demure. Yet other groups are the free lovin’ types who go after multiple sectors using many different malware variants and approaches to accomplish their goal — no discriminating with this bunch. 
Let’s look at one such example, APT10 / Cloud Hopper, which is likely the group behind a long running, sophisticated campaign that uses multiple malware variants to target many different sectors in many different countries. You can check out some of the pulses relating to APT10 / Cloud Hopper on the Open Threat Exchange (OTX). The U.S. National Cybersecurity and Communications Integration Center (NCCIC) reports the campaign started in May 2016, and NCCIC last updated its alert in December 2018 — so it’s not going away yet. The group known as APT10 / Cloud Hopper has hit quite a few victims over the last few years in many different sectors, such as: information technology, energy, healthcare and public health, communications, and critical manufacturing. However, their “date of choice” seems to be MSSPs due to the fact a that credential compromises within those networks could potentially be leveraged to access customer environments. From OTX pulse “Operation Cloud Hopper”: The espionage campaign has targeted managed IT service providers (MSSPs), allowing the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSSPs and their clients globally. This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage – so it’s more important than ever to have a comprehensive view of all the threats your organization might be exposed to, either directly or through your supply chain. As any clever serial dater would do, APT10 / Cloud Hopper doesn’t use just one approach. The NCCIC reports they have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures — for example, PLUGX / SOGU and REDLEAVES. And although the observed malware is based on existing malware code, APT10 / Cloud Hopper modifies it to improve effectiveness and avoid detection by existing signatures. How Can APT10 Group Impact You? 
If these free lovin’ bad guys decide to come after you, they’re likely looking for your data (perhaps to steal intellectual property). At a high level, they’re accomplishing this by leveraging stolen administrative credentials (local and domain) and certificates to place sophisticated malware implants on critical systems (such as PlugX and Redleaves). Depending on the defensive mitigations in place, they then gain full access to networks and data in a way that appears legitimate to existing your monitoring tools. Voila! They’ve gone from first date to a home run! Wired Maga]]> 2019-01-31T17:24:00+00:00 https://feeds.feedblitz.com/~/594984126/0/alienvault-blogs~APT-Group-Targets-Multiple-Sectors-But-Seems-to-Really-Love-MSSPs www.secnews.physaphae.fr/article.php?IdArticle=1017733 False Malware,Vulnerability,Threat APT 10 None Malwarebytes Labs - MalwarebytesLabs A week in security (January 14 – 20) A roundup of last week's security news from January 14 to 20, including APT10, Fallout EK, Colllection 1 data, Youtube challenges, hosting malicious sites and a Fortnite security flaw. Categories: Security world Week in security Tags: (Read more...) ]]> 2019-01-21T16:48:03+00:00 https://blog.malwarebytes.com/security-world/2019/01/week-security-january-14-20/ www.secnews.physaphae.fr/article.php?IdArticle=1002626 False None APT 10 None Malwarebytes Labs - MalwarebytesLabs The Advanced Persistent Threat files: APT10 While security companies are getting good at analyzing the tactics of nation-state threat actors, they still struggle with placing these actions in context and making solid risk assessments. So in this series, we're going to take a look at a few APT groups, and see how they fit into the larger threat landscape-starting with APT10. Categories: Cybercrime Hacking Tags: (Read more...) 
]]> 2019-01-16T17:00:00+00:00 https://blog.malwarebytes.com/cybercrime/2019/01/advanced-persistent-threat-files-apt10/ www.secnews.physaphae.fr/article.php?IdArticle=995575 False Threat APT 10 None SecurityWeek - Security News Industry Reactions to U.S. Charging APT10 Hackers: Feedback Friday pointed the finger at China for sophisticated cyberattacks launched by a threat group known as APT10 against organizations around the world. The U.S. ]]> 2018-12-21T15:51:02+00:00 https://www.securityweek.com/industry-reactions-us-charging-apt10-hackers-feedback-friday www.secnews.physaphae.fr/article.php?IdArticle=960598 False Threat APT 10 None ZD Net - Magazine Info Five other countries formally accuse China of APT10 hacking spree 2018-12-21T15:44:05+00:00 https://www.zdnet.com/article/five-other-countries-formally-accuse-china-of-apt10-hacking-spree/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=958707 False None APT 10 None Bleeping Computer - Magazine Américain Historic APT10 Cyber Espionage Group Breached Systems in Over 12 Countries 2018-12-21T09:55:03+00:00 https://www.bleepingcomputer.com/news/security/historic-apt10-cyber-espionage-group-breached-systems-in-over-12-countries/ www.secnews.physaphae.fr/article.php?IdArticle=958588 False None APT 10 None SecurityWeek - Security News \'Five Eyes\' Nations Blame China for APT10 Attacks 2018-12-21T07:24:01+00:00 https://www.securityweek.com/five-eyes-nations-blame-china-apt10-attacks www.secnews.physaphae.fr/article.php?IdArticle=958289 False Threat APT 10 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) US Indicts Two Chinese Government Hackers Over Global Hacking Campaign ]]> 2018-12-20T23:45:03+00:00 https://thehackernews.com/2018/12/chinese-hacker-wanted-by-fbi.html www.secnews.physaphae.fr/article.php?IdArticle=958015 False None APT 10 None Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe U.S. 
Indicts China-Backed Duo for Massive, Years-Long Spy Campaign 2018-12-20T19:38:02+00:00 https://threatpost.com/china-duo-charged-spy-campaign/140227/ www.secnews.physaphae.fr/article.php?IdArticle=957261 False None APT 10 None ZD Net - Magazine Info US charges two Chinese nationals for hacking cloud providers, NASA, the US Navy 2018-12-20T16:38:00+00:00 https://www.zdnet.com/article/us-charges-two-chinese-nationals-for-hacking-cloud-providers-nasa-the-us-navy/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=957052 False None APT 10 None ZD Net - Magazine Info DHS aware of ongoing APT attacks on cloud service providers 2018-10-03T17:00:00+00:00 https://www.zdnet.com/article/dhs-aware-of-ongoing-apt-attacks-on-cloud-service-providers/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=830249 False None APT 10 None Security Affairs - Blog Secu China-linked APT10 group behind new attacks on the Japanese media sector 2018-09-15T08:34:01+00:00 https://securityaffairs.co/wordpress/76204/breaking-news/apt10-japanese-media-sector.html www.secnews.physaphae.fr/article.php?IdArticle=809152 False None APT 10 None SecurityWeek - Security News China-linked APT10 Hackers Update Attack Techniques 2018-09-14T17:23:01+00:00 https://www.securityweek.com/china-linked-apt10-hackers-update-attack-techniques www.secnews.physaphae.fr/article.php?IdArticle=814005 False Threat APT 10 None Mandiant - Blog Sécu de Mandiant APT10 ciblant les sociétés japonaises à l'aide de TTPS mis à jour<br>APT10 Targeting Japanese Corporations Using Updated TTPs ciblant les entités japonaises . Dans cette campagne, le groupe a envoyé des e-mails de phishing de lance contenant des documents malveillants qui ont conduit à l'installation de la porte dérobée Uppercut.Cette porte dérobée est bien connue dans la communauté de la sécurité comme Anel , et il venait en bêta ou en RC (candidat à la libération) jusqu'à récemment.Une partie de cet article de blog discutera du
Introduction In July 2018, FireEye devices detected and blocked what appears to be APT10 (Menupass) activity targeting the Japanese media sector. APT10 is a Chinese cyber espionage group that FireEye has tracked since 2009, and they have a history of targeting Japanese entities. In this campaign, the group sent spear phishing emails containing malicious documents that led to the installation of the UPPERCUT backdoor. This backdoor is well-known in the security community as ANEL, and it used to come in beta or RC (release candidate) until recently. Part of this blog post will discuss the]]>
2018-09-13T11:00:00+00:00 https://www.mandiant.com/resources/blog/apt10-targeting-japanese-corporations-using-updated-ttps www.secnews.physaphae.fr/article.php?IdArticle=8377731 False Technical APT 10,APT 10 4.0000000000000000
Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor APT10 Under Close Scrutiny as Potentially Linked to Chinese Ministry of State Security 2018-09-03T12:49:03+00:00 https://threatpost.com/apt10-under-close-scrutiny-as-potential-chinese-ministry-of-state-security-contractor/137139/ www.secnews.physaphae.fr/article.php?IdArticle=795027 False Threat APT 10 None
AlienVault Blog - AlienVault is a major defense player in IOCs OTX Trends Part 3 - Threat Actors. Part 1 focused on exploits and part 2 addressed malware. This part will discuss threat actors and patterns we have detected with OTX. Which threat actors should I be most concerned about? Which threat actors your organization should be most concerned about will vary greatly. A flower shop will have a very different threat profile from a defense contractor. Therefore, below we have limited ourselves to some very high-level trends for particular threat actors, many of which may not be relevant to your organisation. Which threat actors are most active? The following graph describes the number of vendor reports for each threat actor over the past two years, by quarter. For clarity, we have limited the graph to the five threat actors reported on most in OTX. This is useful as a very rough indication of which actors are particularly busy. Caveats. There are a number of caveats to consider here. One newsworthy event against a single target may be reported in multiple vendor reports, whereas a campaign against thousands of targets may be represented by only one report. Vendors are also more inclined to report on something that is “commercially interesting”. For example, activity targeting banks in the United States is more likely to be reported than attacks targeting the Uyghur population in China. It is also likely we missed some reports, particularly in the earlier days of OTX, which may explain some of the increase in reports between 2016 and 2017. The global targeted threat landscape. There are a number of suggested methods to classify the capability of different threat actors. Each has its problems, however. For example, if a threat actor never deploys 0-day exploits, do they lack the resources to develop them, or are they mature enough to avoid wasting resources unnecessarily? Below we have plotted a graph of the threat actors most reported on in the last two years. We have excluded threat actors whose motivation is thought to be criminal, as that would not be an apples-to-apples comparison. Both the measure of their activity (the number of vendor reports) and the measure of their capability (a rough rule of thumb) are not scientific, but can provide some rough insights. Figure: A rough chart of the activity and capability of notable threat actors in the last year. Perhaps most notable here is which threat actors are not listed. Some, such as APT1 and Equation Group, seem to have disappeared under their existing formation following very public reporting. It seems unlikely that groups which likely employ thousands of people, such as those, have disappeared completely. The lack of such reporting is more likely a result of significantly changed tactics and identification following their outing. Others remain visibly active, but not enough to make our chart of “worst offenders”. A review of the most reported on threat actors. The threat actor referenced i 2018-01-30T13:40:00+00:00 http://feeds.feedblitz.com/~/521337082/0/alienvault-blogs~OTX-Trends-Part-Threat-Actors www.secnews.physaphae.fr/article.php?IdArticle=461917 False None APT 38,APT 28,APT 10,APT 3,APT 1,APT 34 None
TrendLabs Security - Antivirus Vendor ChessMaster Makes its Move: A Look into the Campaign's Cyberespionage Arsenal (Trendlabs Security Intelligence Blog - by Trend Micro) 2017-07-27T11:30:10+00:00 http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/8XGEVNIxCaU/ www.secnews.physaphae.fr/article.php?IdArticle=389605 False None APT 10 None
IT Security Guru - Security Blog Anti-virus defences are leaving global businesses vulnerable to the China syndrome 2017-05-10T08:54:57+00:00 http://www.itsecurityguru.org/2017/05/10/anti-virus-defences-leaving-global-businesses-vulnerable-china-syndrome/ www.secnews.physaphae.fr/article.php?IdArticle=363724 True None APT 10 None
Dark Reading - Informationweek Branch China-Based Threat Actor APT10 Ramps Up Cyber Espionage Activity 2017-04-06T19:15:00+00:00 http://www.darkreading.com/attacks-breaches/china-based-threat-actor-apt10-ramps-up-cyber-espionage-activity/d/d-id/1328584?_mc=RSS_DR_EDT www.secnews.physaphae.fr/article.php?IdArticle=355257 False None APT 10 None
Mandiant - Mandiant Security Blog APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. APT10 Background. APT10 (MenuPass Group) is a Chinese cyber espionage group that FireEye has tracked since 2009. They have historically targeted construction and engineering, aerospace, and telecom firms, and governments in the United States, Europe, and Japan. We believe that the targeting of these industries has been in support of Chinese national security goals, including acquiring valuable military and intelligence information as well as the theft of confidential business data to support Chinese corporations. PwC and BAE recently issued a joint blog detailing extensive APT10 activity. 2017-04-06T14:00:00+00:00 https://www.mandiant.com/resources/blog/apt10-menupass-group www.secnews.physaphae.fr/article.php?IdArticle=8377784 False Threat,Technical APT 10,APT 10 4.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, no?) U.S. Trade Group Hacked by Chinese Hackers ahead of Trump-Xi Trade Summit 2017-04-06T11:03:37+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/4y3dTLA8bok/hacking-trump-xi-trade.html www.secnews.physaphae.fr/article.php?IdArticle=354396 False None APT 10 None
Network World - Info Magazine US trade lobbying group attacked by suspected Chinese hackers according to security vendor Fidelis Cybersecurity. The NFTC lobbies for open and fair trade and has pledged to work with U.S. President Donald Trump to "find ways to address Chinese policies that frustrate access to their market and undermine fair trade, while at the same time encouraging a positive trend in our trade relationship." Trump will meet with China President Xi Jinping in Florida this week. 2017-04-06T10:13:00+00:00 http://www.networkworld.com/article/3187846/security/us-trade-lobbying-group-attacked-by-suspected-chinese-hackers.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=354462 False None APT 10 None
Dark Reading - Informationweek Branch Chinese APT10 Hacking Group Suspected of Global Campaign Targeting MSPs 2017-04-05T09:15:00+00:00 http://www.darkreading.com/attacks-breaches/chinese-apt10-hacking-group-suspected-of-global-campaign-targeting-msps/d/d-id/1328563?_mc=RSS_DR_EDT www.secnews.physaphae.fr/article.php?IdArticle=353868 False None APT 10 None
Network World - Info Magazine Chinese hackers go after third-party IT suppliers to steal data joint report. That's because these suppliers often have direct access to their clients' networks. APT10 has been found stealing intellectual property as part of a global cyberespionage campaign that ramped up last year, PwC said on Monday. 2017-04-04T13:39:28+00:00 http://www.networkworld.com/article/3187359/security/chinese-hackers-go-after-third-party-it-suppliers-to-steal-data.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=352635 False None APT 10 None
BAE - BAE Systems Threat Research APT10 - Operation Cloud Hopper. For many businesses the network now extends to suppliers who provide management of applications, cloud storage, helpdesk, and other functions. With the right integration and service levels, Managed Service Providers (MSPs) can become a key enabler for businesses by allowing them to focus on their core mission while suppliers take care of background tasks. However, the network connectivity which exists between MSPs and their customers also provides a vector for attackers to jump through. Successful global MSPs are even more attractive, as they become a hub from which an intruder may access multiple end-victim networks. Since late 2016 we have been investigating a campaign of intrusions against several major MSPs. These attacks can be attributed to the actor known as APT10 (a.k.a. CVNX, Stone Panda, MenuPass, and POTASSIUM). Their activity seems to have increased in mid-2016 and has focused on compromise of MSPs as a stepping stone into victim organisations. Figure 1 – Attack stages for APT10 in targeting MSP end-customers. We have joined forces with PwC to release our findings from investigations into these on-going attacks and raise awareness. This joint analysis report can be found on PwC's blog at: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html OVERVIEW The current campaign linked to APT10 can be split into two sets of activity: 1. Attacks targeting MSPs, engineering and other sectors with common as well as custom malware; 2. Attacks targeting Japanese organisations with the 'ChChes' malware. The latter campaign has been well covered in the public domain; however, the MSP targeting is the focus of our joint analysis report with PwC. The group uses a custom dropper for their various implants. This dropper makes use of DLL side-loading to execute the main payload. In our analysis the attackers have used several payloads, including: 1. PlugX – a well-known espionage tool in use by several threat actors; 2. RedLeaves – a newly developed, fully-featured backdoor, first used by APT10 in recent months. INFRASTRUCTURE The C&C domains chosen by the APT10 actors for their MSP-related campaign are predominantly dynamic-DNS domains. The various domains are highly interconnected through shared IP address hosting, even linking back historically to the group's much older operations. The graph below depicts infrastructure used by the attackers in late 2016. Figure 2 – Infrastructure view from late 2016. In recent months the infrastructure has expanded significantly. The nodes number in the thousands and cannot be easily visualised. The graph below represents a linkage between one of the PlugX C&Cs used in the group's newer ope 2017-04-03T18:09:04+00:00 http://baesystemsai.blogspot.com/2017/04/apt10-operation-cloud-hopper_3.html www.secnews.physaphae.fr/article.php?IdArticle=352306 False None APT 10,APT 1 None
Palo Alto Network - Vendor Site menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations 2017-02-16T19:00:11+00:00 http://feedproxy.google.com/~r/PaloAltoNetworks/~3/m_xRUo8R3cs/ www.secnews.physaphae.fr/article.php?IdArticle=317019 False None APT 10 None
SANS Institute - SANS is a defense and training organization Protecting Powershell Credentials (NOT), (Fri, Dec 2nd) 2016-12-02T14:35:57+00:00 https://isc.sans.edu/diary.html?storyid=21779&rss www.secnews.physaphae.fr/article.php?IdArticle=266294 False None APT 10 None
The State of Security - American Magazine Amplify IT Security by Integrating Solutions 2016-12-01T04:01:02+00:00 https://www.tripwire.com/state-of-security/security-data-protection/amplify-it-security-by-integrating-solutions/ www.secnews.physaphae.fr/article.php?IdArticle=263487 False None APT 10 None
UnderNews - French "pirate" news site United States – Is the FBI free to hack any PC legally? Amid the turbulence surrounding the Playpen child-abuse case, a US judge ruled that the FBI did not need a warrant to break into and search a computer remotely. Overreach? 2016-06-29T08:21:43+00:00 http://feedproxy.google.com/~r/undernews/oCmA/~3/m-BCvNxk4CI/etats-unis-le-fbi-libre-de-pirater-nimporte-quel-pc-legalement.html www.secnews.physaphae.fr/article.php?IdArticle=3441 False None APT 10 None