www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It's a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
2024-06-03T06:43:11+00:00 www.secnews.physaphae.fr

InfoSecurity Mag - InfoSecurity Magazine: French Employment Agency Data Breach Could Affect 43 Million People
France's employment agency suffered a massive breach, exposing the data of users who registered over the past 20 years.
2024-03-14T15:00:00+00:00 https://www.infosecurity-magazine.com/news/french-employment-agency-data/ www.secnews.physaphae.fr/article.php?IdArticle=8463831 False Data Breach APT 19 3.0000000000000000

CVE List - Common Vulnerability Exposure: CVE-2022-41620
2023-02-08T14:15:09+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41620 www.secnews.physaphae.fr/article.php?IdArticle=8308289 False Vulnerability APT 19 None

Korben - French blogger: How to remove a watermark from a photo?
2023-01-01T08:00:00+00:00 https://korben.info/enlever-watermark-photo.html www.secnews.physaphae.fr/article.php?IdArticle=8296926 False None APT 19 3.0000000000000000

CISCO Talos - Cisco Research blog: The benefits of taking an intent-based approach to detecting Business Email Compromise
By Abhishek Singh.
BEC is a multi-stage attack. Adversaries first identify targets, then they establish rapport with the victim before exploiting them for whatever their end goal is. In the case of BEC, a threat actor can impersonate any employee in the organization to trick targets.
A policy that checks for authorized email addresses of the sender can prevent BEC attacks. However, scaling the approach for every employee in a large organization is a challenge.
Building an executive profile based on email analysis using a machine learning model and scanning emails against that profile will detect BEC. Data collection for building and training machine learning algorithms can take time, though, opening a window of opportunity for threat actors to exploit.
Detection of exploitation techniques such as lookalike domains and any differences between the email addresses in the "From" and "Reply-to" fields can also detect BEC messages. However, the final verdict cannot account for the threat actor's intent.
The intent-based approach detects BEC and then classifies it into the type of scam. It catches BEC messages irrespective of whether a threat actor is impersonating a C-level executive or any employee in an organization. Classification based on the type of scam can help identify which segment of an organization was targeted and which employees were being impersonated by the threat actor. The additional information will further assist in better designing preventive features to stop BEC.
Business email compromise (BEC) is one of the most financially damaging online crimes. As per the 2021 Internet Crime Report, the total loss in 2021 due to BEC is around 2.4 billion dollars. Since 2013, BEC has resulted in a 43 billion dollar loss. The report defines BEC as a scam targeting businesses (not individuals) working with foreign suppliers and companies regularly performing wire transfer payments. Fraudsters carry out these sophisticated scams to conduct the unauthorized transfer of funds. This introduces the challenge of how to detect and block these campaigns as they continue to compromise organizations successfully.
There are a variety of approaches to identifying BEC email messages, such as using policy to allow emails from authorized email addresses, detecting exploitation techniques used by threat actors, building profiles by analysis of emails, and validating against the profile to detect BEC. These approaches have a variety of limitations or shortcomings. Cisco Talos is taking a different approach and using an intent-based model to identify and block BEC messages.
Before we get too deep into the intent-based model, take a deeper look at the commonly used approaches to block BEC, from the simplistic through machine learning (ML) approaches.
Policy-based detection
The first place to start is with policy-based detection, as it is one of the most common and simplistic approaches to blocking BEC campaigns. Let's start by looking at an example of a BEC email.
2022-10-18T08:41:18+00:00 http://blog.talosintelligence.com/2022/10/the-benefits-of-taking-intent-based.html www.secnews.physaphae.fr/article.php?IdArticle=7540074 False Threat,Medical,Cloud APT 38,APT 19,APT 29,APT 10,APT 37,Uber,APT 15,Yahoo None

NoticeBored - Experienced IT Security professional: CISO workshop slides
A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady eye this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact, given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity specifically.
Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):
2022-08-06T10:46:21+00:00 http://blog.noticebored.com/2022/08/a-glossy-nicely-constructed-and.html www.secnews.physaphae.fr/article.php?IdArticle=6150878 False Malware,Vulnerability,Threat,Patching,Guideline,Medical,Cloud APT 38,APT 19,APT 10,APT 37,Uber,APT 15,Guam,APT 28,APT 34 None

CISCO Talos - Cisco Research blog: Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
By Edmund Brumaghin, Azim Khodjibaev and Matt Thaxton, with contributions from Arnaud Zobec.
Executive Summary
Dark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries. It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems. Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention. Since its initial release, we've observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining.
What is "Dark Utilities?"
In early 2022, a new C2 platform called "Dark Utilities" was established, offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The operators of the service also established Discord and Telegram communities where they provide technical support and assistance for customers on the platform. Dark Utilities provides payloads consisting of code that is executed on victim systems, allowing them to be registered with the service and establish a command and control (C2) communications channel. The platform currently supports Windows, Linux and Python-based payloads, allowing adversaries to target multiple architectures without requiring significant development resources. During our analysis, we observed efforts underway to expand OS and system architecture support as the platform continues to see ongoing develo
2022-08-04T08:00:13+00:00 http://blog.talosintelligence.com/2022/08/dark-utilities.html www.secnews.physaphae.fr/article.php?IdArticle=6123175 False Spam,Malware,Hack,Tool,Threat,Guideline APT 19 None

CISCO Talos - Cisco Research blog: Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
By Asheer Malhotra and Vitor Ventura.
Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. The implants for the new malware family are written in the Rust language for Windows and Linux. A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors. We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints. We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.
Introduction
Cisco Talos has discovered a relatively new attack framework, called "Manjusaka" (which can be translated to "cow flower" from the Simplified Chinese writing) by its authors, being used in the wild. As defenders, it is important to keep track of offensive frameworks such as Cobalt Strike and Sliver so that enterprises can effectively defend against attacks employing these tools. Although we haven't observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world. This disclosure from Talos intends to provide early notification of the usage of Manjusaka. We also detail the framework's capabilities and the campaign that led to the discovery of this attack framework in the wild.
The research started with a malicious Microsoft Word document (maldoc) that contained a Cobalt Strike (CS) beacon. The lure on this document mentioned a COVID-19 outbreak in Golmud City, one of the largest cities in the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. During the investigation, Cisco Talos found no direct link between the campaign and the framework developers, aside from the usage of the framework (which is freely available on GitHub). However, we could not find any data that could support victimology definition. This is justifiable considering there's a low number of victims, indicating the early stages of the campaign, further supported by the maldoc metadata that indicates it was created in the second half of June 2022.
While investigating the maldoc infection chain, we found an implant used to instrument Manjusaka infections, contacting the same IP address as the CS beacon. This implant is written in the Rust programming language and we found samples for Windows and Linux operating systems. The Windows implant included test samples, which had non-internet-routable IP addresses as command and control (C2). Talos also discovered the Manjusaka C2 executable - a fully functional C2 ELF binary written in GoLang with a User Interface in Simplified Chinese - on GitHub. While analyzing the C2, we generated implants by specifying our configurations. The developer advertises it has an advers
2022-08-02T08:00:14+00:00 http://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html www.secnews.physaphae.fr/article.php?IdArticle=6089620 False Malware,Threat,Guideline APT 19 None

CISCO Talos - Cisco Research blog: Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products
By Francesco Benvenuto. Recently, I was performing some research on a wireless router and noticed the following piece of code:
2022-07-27T12:22:17+00:00 http://blog.talosintelligence.com/2022/07/vulnerability-spotlight-how-code-re-use.html www.secnews.physaphae.fr/article.php?IdArticle=5973224 False Vulnerability,Guideline,Medical APT 38,APT 19 None

SANS Institute - SANS is a defense and training actor: Using Referers to Detect Phishing Attacks, (Wed, Jul 13th)
2022-07-13T11:27:07+00:00 https://isc.sans.edu/diary/rss/28836 www.secnews.physaphae.fr/article.php?IdArticle=5691329 False None APT 19 None

NoticeBored - Experienced IT Security professional: The sadly neglected Risk Treatment Plan
For some curious reason, the Statement of Applicability steals the limelight in the ISO27k world, despite being little more than a formality. Having recently blogged about the dreaded SoA, 'nuff said on that.
Today I'm picking up on the SoA's shy little brother, the Risk Treatment Plan. There's a lot to say and think about here, so coffee-up, settle-down, sit forward and zone-in. ISO/IEC 27001 barely even acknowledges the RTP.
Here are the first two mentions, tucked discreetly under clause 6.1.3:
2022-06-24T13:40:08+00:00 http://blog.noticebored.com/2022/06/the-sadly-neglected-risk-treatment-plan.html www.secnews.physaphae.fr/article.php?IdArticle=5350915 False Threat,Guideline APT 19,APT 10 4.0000000000000000

Anomali - Firm Blog: Anomali Cyber Watch: TURLA's New Phishing-Based Reconnaissance Campaign in Eastern Europe, Unknown APT Group Has Targeted Russia Repeatedly Since Ukraine Invasion and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Credit Card Stealer Targets PsiGate Payment Gateway Software (published: May 25, 2022)
Sucuri researchers have detailed their findings on a MageCart skimmer that had been discovered within the Magento payment portal. Embedded within the core_config_data table of Magento's database, the skimmer was obfuscated and encoded with CharCode. Once deobfuscated, a JavaScript credit card stealer was revealed. The stealer is able to acquire text and fields that are submitted to the payment page, including credit card numbers and expiry dates. Once stolen, a synchronous AJAX request is used to exfiltrate the data.
Analyst Comment: Harden endpoint security and utilize firewalls to block suspicious activity to help mitigate against skimmer injection. Monitor network traffic to identify anomalous behavior that may indicate C2 activity.
MITRE ATT&CK: Exfiltration Over C2 Channel - T1041 | Data Encoding - T1132 | Input Capture - T1056
Tags: MageCart, skimmer, JavaScript, Magento, PsiGate, AJAX
How the Saitama Backdoor uses DNS Tunneling (published: May 25, 2022)
MalwareBytes researchers have released their report detailing the process by which the Saitama backdoor utilizes DNS tunneling to stealthily communicate with command and control (C2) infrastructure. DNS tunneling is an effective way to hide C2 communication, as DNS traffic serves a vital function in modern-day internet communications; thus blocking DNS traffic is almost never done. Saitama formats its DNS lookups as a domain of the form message.counter.root domain. Data is encoded utilizing a hardcoded base36 alphabet. There are four types of messages that Saitama can send using this method: Make Contact, to establish communication with a C2 domain; Ask For Command, to get the expected size of the payload to be delivered; Get A Command, in which Saitama makes Receive requests to retrieve payloads and instructions; and finally Run The Command, in which Saitama runs the instructions or executes the payload and sends the results to the established C2.
Analyst Comment: Implement an effective DNS filtering system to block malicious queries. Furthermore, maintaining a whitelist of allowed applications for installation will assist in preventing malware like Saitama from being installed.
MITRE ATT&CK: Data Encoding - T1132 | Exfiltration Over C2 Channel - T1041
Tags: C2, DNS, Saitama, backdoor, base36, DNS tunneling
2022-06-01T17:47:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-turlas-new-phishing-based-reconnaissance-campaign-in-eastern-europe-unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion-and-more www.secnews.physaphae.fr/article.php?IdArticle=4921519 False Ransomware,Malware,Tool,Threat APT 19 None

Security Affairs - Security blog: China-linked APT Deep Panda employs new Fire Chili Windows rootkit
2022-04-03T15:44:11+00:00 https://securityaffairs.co/wordpress/129784/apt/deep-panda-fire-chili-rootkit.html www.secnews.physaphae.fr/article.php?IdArticle=4389478 False None APT 19 None

ZD Net - IT magazine: Chinese hackers Deep Panda return with Log4Shell exploits, new Fire Chili rootkit
2022-04-01T11:54:00+00:00 https://www.zdnet.com/article/chinese-hackers-deep-panda-return-with-log4shell-exploits-new-fire-chili-rootkit/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=4379063 False None APT 19 4.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, right?):
Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit
2022-04-01T03:41:53+00:00 https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html www.secnews.physaphae.fr/article.php?IdArticle=4377810 False Threat APT 19 None

Fortinet - Security hardware manufacturer: New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
2022-03-30T00:00:00+00:00 https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits www.secnews.physaphae.fr/article.php?IdArticle=4375212 False None APT 19 4.0000000000000000

UnderNews - French "hacker" news site: Comparison – Top 10 best French-language web hosts
2021-11-28T10:31:12+00:00 https://www.undernews.fr/culture-web-emploi/comparatif-top-10-des-meilleurs-hebergeurs-web-francophones.html www.secnews.physaphae.fr/article.php?IdArticle=3723148 False None APT 19 None

TroyHunt - Blog Security: In a first, scientists captured growth of butterfly wings inside chrysalis on video
2021-11-22T21:09:00+00:00 https://arstechnica.com/?p=1814777 www.secnews.physaphae.fr/article.php?IdArticle=3695339 False None APT 19 None

Anomali - Firm Blog: Anomali Cyber Watch: Thousands attacked as REvil ransomware hijacks Kaseya VSA, Leaked Babuk Locker Ransomware Builder Used In New Attacks and More
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Shutdown Kaseya VSA Servers Now Amidst Cascading REvil Attack Against MSPs, Clients (published: July 4, 2021)
A severe ransomware attack reportedly took place against the popular remote monitoring and management (RMM) software tool Kaseya VSA. On July 2, 2021, Kaseya urged users to shut down their VSA servers to prevent them from being compromised. The company estimated that fewer than 40 of their customers worldwide were affected, but as some of them were managed service providers (MSPs), over 1,000 businesses were infected. The majority of known victims are in the US, with some in Europe (Sweden) and New Zealand. The attackers exploited a zero-day vulnerability in Kaseya's systems that the company was in the process of fixing. It was part of the administrative interface vulnerabilities in tools for system administration previously identified by Wietse Boonstra, a DIVD researcher. The REvil payload was delivered via Kaseya software using a custom dropper that dropped two files. The dropper opens an old but legitimate copy of Windows Defender (MsMpEng.exe) that then side-loads and executes the custom malicious loader's export. The attack coincided with the start of the US Independence Day weekend, and has several politically-charged strings, such as a "BlackLivesMatter" Windows registry key and "DTrump4ever" as a password.
Analyst Comment: Kaseya VSA clients should safely follow the company's recommendations, as it advised shutting Kaseya VSA servers down and is making new security updates available. Every organization should have a ransomware disaster recovery plan even if it is serviced by a managed service provider (MSP).
MITRE ATT&CK: Data Encrypted for Impact - T1486 | Supply Chain Compromise - T1195 | DLL Side-Loading - T1073
Tags: REvil, Sodinokibi, Gandcrab, Leafroller, Kaseya VSA, ransomware, Ransomware-as-a-Service, zero-day, CVE-2021-30116, supply-chain, North America, USA, Sweden, New Zealand, MSP, RMM, schools
IndigoZebra APT Continues To Attack Central Asia With Evolving Tools (published: July 1, 2021)
Researchers from Check Point have identified the Afghan Government as the latest victim in a cyber espionage campaign by the suspected Chinese group 'IndigoZebra'. This attack began in April, when Afghan National Security Council (NSC) officials began to receive lure emails claiming to be from the President's secretariat. These emails included a decoy file that would install the backdoor 'BoxCaon' on the system before reaching out to the Dropbox API to act as a C&C server. The attacker would then be able to fingerprint the machine and begin accessing files. I
2021-07-06T15:05:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-thousands-attacked-as-revil-ransomware-hijacks-kaseya-vsa-leaked-babuk-locker-ransomware-builder-used-in-new-attacks-and-more www.secnews.physaphae.fr/article.php?IdArticle=3028191 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Guideline APT 19,APT 10 None

01net. News - Security - French magazine: 18,000 companies and organizations downloaded the backdoor of Putin's hackers
2020-12-15T11:01:00+00:00 https://www.01net.com/actualites/18000entreprises-et-organisations-ont-telecharge-la-backdoor-des-hackers-de-poutine-2019017.html www.secnews.physaphae.fr/article.php?IdArticle=2104485 False None APT 19,APT 29 None

Anomali - Firm Blog: Weekly Threat Briefing: Federal Agency Breach, Exploits, Malware, and Spyware
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
German-made FinSpy Spyware Found in Egypt, and Mac and Linux Versions Revealed (published: September 25, 2020)
Security researchers from Amnesty International have identified new variants of FinSpy, spyware that can access private data and record audio/video. While used as a law enforcement tool, authoritarian governments have been using FinSpy to spy on activists and dissidents. Spreading through fake Flash Player updates, the malware is installed as root with the use of exploits, and persistence is gained by creating a logind.pslist file.
Once a system is infected with the malware, it has the ability to run shell scripts, record audio, perform keylogging, view network information, and list files. Samples of FinSpy have been found for macOS, Windows, Android, and Linux.
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from threat actors, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: Logon Scripts - T1037 | Standard Application Layer Protocol - T1071
Tags: Amnesty, Android, Backdoor, Linux, macOS, FinSpy, Spyware
Magento Credit Card Stealing Malware: gstaticapi (published: September 25, 2020)
Security researchers at Sucuri have identified a malicious script, dubbed "gstaticapi," that is designed to steal payment information from Magento-based websites. The script first attempts to find the "checkout" string in a web browser URL and, if found, will create an element in the web page's header. This allows the JavaScript to handle external code-loading capabilities that are used to process the theft of billing and payment card information.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
MITRE ATT&CK: Command-Line Interface - T1059 | Input Capture - T1056 | Data Encoding - T1132 T
2020-09-29T14:00:00+00:00 https://www.anomali.com/blog/weekly-threat-briefing-federal-agency-breach-exploits-malware-and-spyware www.secnews.physaphae.fr/article.php?IdArticle=2103280 False Data Breach,Malware,Vulnerability,Threat APT 19 5.0000000000000000

InformationSecurityBuzzNews - Security news site: Security Expert Re: New WordPress RCE Exploit (CVSS Score 10.0)
2020-07-13T09:07:16+00:00 https://www.informationsecuritybuzz.com/expert-comments/security-expert-re-new-wordpress-rce-exploit-cvss-score-10-0/ www.secnews.physaphae.fr/article.php?IdArticle=1801657 False Vulnerability,Guideline APT 19 None

ZD Net - IT magazine: WordPress plugin vulnerability can be exploited for total website takeover
2020-01-17T13:10:22+00:00 https://www.zdnet.com/article/wordpress-plugin-vulnerability-can-be-exploited-for-full-website-hijacking/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=1501815 False Vulnerability APT 19 None

AlienVault Blog - AlienVault is a major defense actor in IOCs: How website security and SEO are intimately connected
back-door SEO. For instance, a hacker wants to put a link on your site, or add a web page. Sometimes they even target your domain and redirect it to another site altogether. Sucuri has an excellent example of a common hack they see on WordPress sites. These hacks make your website look like an untrustworthy page, or may even draw penalties from Google that cause your site to be blacklisted. Sometimes, no matter how much effort you put into SEO, failures in cybersecurity can drastically impact how Google sees your site, therefore also impacting your place in the SERPs.
The First Step in Security to Boost SEO
One of the first things you need to do to protect your website and boost your Google ranking is to install HTTPS. Google named this security protocol a ranking signal several years ago, so it's obvious that your SEO results will be tied to it. You'll need to make sure you have a proper certificate and allow indexing so that Google can still read your website. However, this is only the beginning. An HTTPS setup does not secure a website; it only secures the connection and encrypts data that is sent. That means that communication between your server and the web browser a visitor is using is secure and data — like a credit card number used for purchase — cannot be stolen.
Other Important Security Steps
Information security, or keeping your stored data secure, is another important part of keeping your website secure and helping it rank well, and the good news is that this security requires the same vigilance that SEO does. As a result, you can monitor both simultaneously.
Platform Security
Be sure you've chosen a good web host that has strong security on their end. Use security software or plugins as appropriate. For smaller websites using WordPress, you can use Wordfence, iThemes Security, or Bulletproof Security, for example. Overall, you want plugins that address the known security issues in the platform you use. All websites can also benefit from using SiteLock, which not only closes security loopholes but also monitors your website daily for malware, viruses, and more.
Secure Passwords
Believe it or not, the
2019-11-18T14:00:00+00:00 https://feeds.feedblitz.com/~/609461063/0/alienvault-blogs~How-website-security-and-SEO-are-intimately-connected www.secnews.physaphae.fr/article.php?IdArticle=1474066 False Malware,Hack APT 19 None

Zataz - French security magazine: Good SEO to counter hackers?
2019-03-10T00:12:05+00:00 https://www.zataz.com/un-bon-referencement-pour-contrer-les-pirates/ www.secnews.physaphae.fr/article.php?IdArticle=1073292 False None APT 19 None

AlienVault Blog - AlienVault is a major defense actor in IOCs: Let's Chat: Healthcare Threats and Who's Attacking
breach portal (as of November 30, 2018). This includes the likes of unauthorized access or disclosures of patient data, hacking, theft of data, data loss and more. Bottom line, if you're tasked with protecting any entity operating in the healthcare sector, you're likely experiencing some very sleepless nights — and may just need a doctor yourself.
So . . . who's wreaking all this havoc and how? According to AlienVault Labs, opportunistic ransomware is still a preferred method of attack. However, researchers are reporting a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from healthcare providers and other similar entities who must protect and keep assets, systems, and networks continuously operating. One such criminal group, operating the SamSam ransomware, is thought to have earned more than $5 million by manually compromising critical healthcare networks (see below for more info). The group behind SamSam has invested heavily in their operations (likely an organized crime syndicate) and has won the distinction of being the subject of two FBI Alerts in 2018. And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware. SamSam attacks also seem to go in waves. One of the most notable was a spring 2018 hit on a large New York hospital which publicly declined to pay the attackers' $44,000 ransomware demand. It took a month for the hospital's IT system to be fully restored.
SamSam attackers are known to:
- Gain remote access through traditional attacks, such as JBoss exploits
- Deploy web-shells
- Connect to RDP over HTTP tunnels such as ReGeorg
- Run batch scripts to deploy the ransomware over machines
SamSam isn't going away either. AlienVault Labs has seen recent variants. You might want to read more about the threat actors behind SamSam, their methods of attacks, and recommendations for heading
2018-12-20T14:00:00+00:00 https://feeds.feedblitz.com/~/588421296/0/alienvault-blogs~Let%e2%80%99s-Chat-Healthcare-Threats-and-Who%e2%80%99s-Attacking www.secnews.physaphae.fr/article.php?IdArticle=956718 False Threat APT 23,APT 19,APT 18,Wannacry,APT 22 None

ZD Net - IT magazine: Google launches reCAPTCHA v3 that detects bad traffic without user interaction
2018-10-30T00:08:00+00:00 https://www.zdnet.com/article/google-launches-recaptcha-v3-that-detects-bad-traffic-without-user-interaction/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=869675 False None APT 19 None

AlienVault Blog - AlienVault is a major defense actor in IOCs: MadoMiner Part 2 - Mask
MadoMiner analysis, please do so now. This analysis will pick up where Part 1 left off, while also including a brief correction. The x64 version of the Install module was listed as identical to the x86 Install module. However, this is not correct. The x64 Install module is identical in run-through to the 360Safe.exe module, which will be discussed later in this analysis. In addition, take care with this portion of the malware. The batch script for Mask.exe, DemC.bat, appears to run if it detects any copies of itself during runtime, or if you run the x64 version of Install on a 32-bit machine.
Where Install.exe was in charge of infecting new victims with MadoMiner, it seems Mask.exe is where the real payoff lies. Mask.exe utilizes XMRig miners in order to mine XMR, which it then sells for profit.
While madominer was earning $6,000 a month as of the last analysis, Around 10/14, MineXMR closed the old address due to botnet reports.  A new address has been identified at 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433, mining through minexmr.com again.  Currently, the hashrate is at 109Kh/s, and steadily rising. Also, around the time that the address changed, MadoMiner also became drastically different. Malware Analysis Where Install.exe only downloaded 1 file from a remote host, Mask.exe downloads two files.  In addition, the servers used to download the files are also different than Install.exe, increasing the proposed size of the botnet. Domains In addition to the 2 domains identified in part 1, a new domain has also been identified for a distribution server: http://d.honker[dot]info However, the domain is currently dead.  In addition, the mining server currently used is pool.minexmr[dot]com A C2 server(newly updated version): http://qq.honker[dot]info Previously identified distribution domains: http://da[dot]alibuf.com:3/ http://bmw[dot]hobuff.info:3/ Previously Identified IPs: 61.130.31.174 Previously identified mining servers: http://gle[dot]freebuf.info http://etc[dot]freebuf.info http://xmr[dot]freebuf.info http://xt[dot]freebuf.info http://boy[dot]freebuf.info http://liang[dot]alibuf.com http://dns[dot]alibuf.com http://x[dot]alibuf.com In addition, http://da[dot]alibuf.com:3, the main distribution server, seems to have been registered by bodfeo[at]hotmail.com in early October 2017. According to an analysis by Steve Butt of DomainTools, this email was linked to APT19/c0d0s0, however it was most likely due to domain reselling. 
Exploits
During the execution
2018-10-29
https://feeds.feedblitz.com/~/577320150/0/alienvault-blogs~MadoMiner-Part-Mask

New Service Blocks EU Users So Companies Can Save Thousands on GDPR Compliance
Bleeping Computer, 2018-05-05
https://www.bleepingcomputer.com/news/security/new-service-blocks-eu-users-so-companies-can-save-thousands-on-gdpr-compliance/

Facebook's Phishing Detection Tool Now Recognizes Homograph Attacks
Bleeping Computer, 2018-05-03
https://www.bleepingcomputer.com/news/security/facebooks-phishing-detection-tool-now-recognizes-homograph-attacks/

New Tools Make Checking for Leaked Passwords a Lot Easier
Bleeping Computer, 2018-03-02
https://www.bleepingcomputer.com/news/security/new-tools-make-checking-for-leaked-passwords-a-lot-easier/

Debunking these 3 Domain Name Registration Myths Once and For All
AlienVault Blog
Exact match domains (EMDs) used to be a thing (or still are, depending on who you talk to). You stuffed a few keywords into the domain before checkout to give yourself that extra edge to rank for cut-throat queries like "bestvitaminshop.com." Domain age has also been rumored to influence rankings: somehow, the older the domain and the longer you register it for, the more Google is supposed to like you. Admittedly, the logic is flimsy. Google originally debunked these myths in 2009, according to some digging by Matt McGee at Search Engine Land.
First, there was a Google Webmaster Help forum thread in which Googler John Mueller addressed the question head-on: "A bunch of TLDs do not publish expiration dates — how could we compare domains with expiration dates to domains without that information? It seems that would be pretty hard, and likely not worth the trouble. Even when we do have that data, what would it tell us when comparing sites that are otherwise equivalent? A year (the minimum duration, as far as I know) is pretty long in internet-time :-)." Next, former Google PR chief Matt Cutts went on the record several times on this issue: "To the best of my knowledge, no search engine has ever confirmed that they use length-of-registration as a factor in scoring. If a company is asserting that as a fact, that would be troubling." So there you have it: "officially," domain registrations don't affect SEO. At least, not directly. Recently there has been some evidence that search engine result page (SERP) click-through rate (CTR) affects rankings. One experiment had a sizable group of people click on a random listing in the seventh position to see what changes, if any, occurred. Within just a few hours it went straight to the top. The finding shows an odd correlation between SERP performance and its influence on rankings. The point is that a better domain name, one that is more credible and more interesting for people to click, could indirectly influence rankings. The industry-standard .com domain is still seen as the most credible, even though new top-level domains (TLDs) continue to pop up and gain acceptance.
Studies have backed this up, showing that .com domains generally dr
2018-02-06
http://feeds.feedblitz.com/~/523389918/0/alienvault-blogs~Debunking-these-Domain-Name-Registration-Myths-Once-and-For-All

Google Releases an Updated SEO Starter Guide
Bleeping Computer, 2017-12-13
https://www.bleepingcomputer.com/news/google/google-releases-an-updated-seo-starter-guide/

WordPress patches SQL injection bug in security release
ZDNet, 2017-11-02
http://www.zdnet.com/article/wordpress-patches-sql-injection-bug-in-emergency-release/#ftag=RSSbaffb68

Security.txt Standard Proposed, Similar to Robots.txt
Bleeping Computer, 2017-09-15
https://www.bleepingcomputer.com/news/security/security-txt-standard-proposed-similar-to-robots-txt/

ZIP Bombs Can Protect Websites From Getting Hacked
Bleeping Computer, 2017-07-07
https://www.bleepingcomputer.com/news/security/zip-bombs-can-protect-websites-from-getting-hacked/

Let's Encrypt brings free wildcard certificates to the web
ZDNet, 2017-07-06
http://www.zdnet.com/article/lets-encrypt-brings-wildcard-certificates-to-the-web/#ftag=RSSbaffb68

Privileges and Credentials: Phished at the Request of Counsel
Mandiant Blog
Summary: In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and
investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government. APT19 used three different techniques to attempt to compromise targets. In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the
2017-06-06
https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel

Hacks: Google's warning for 2017
UnderNews, 2017-03-22
According to Google, it is now easy for hackers to compromise websites. The reason? Above all, their obsolescence. The American giant is warning webmasters about the dangers for 2017.
http://feedproxy.google.com/~r/undernews/oCmA/~3/6Br6NtfrPPA/piratages-lavertissement-de-google-pour-2017.html

Hacked Sites Up By 32% in 2016 Over 2015, Says Google
Dark Reading, 2017-03-21
http://www.darkreading.com/cloud/hacked-sites-up-by-32--in-2016-over-2015-says-google/d/d-id/1328445?_mc=RSS_DR_EDT

Interview with Daniel Cid, founder of OSSEC
AlienVault Blog
Daniel Cid is the founder and CTO of Sucuri. He is also on the AlienVault Technology Advisory Board and is the founder of OSSEC HIDS. I interviewed him to get his thoughts on website security and on the security of content management systems (CMS).

Q: What are the most serious challenges and trends you are seeing with website security?
At a high level, the most popular CMS platforms (e.g. WordPress, Magento, Drupal, etc.) and frameworks are getting a lot better in terms of security, whether it's secure-by-default configurations or employing more appropriate security coding and best practices. We rarely see major issues in the core of these applications, and even when they do have issues there is a system in place that helps streamline the process of patching environments at scale. The platform that is leading the charge on this is WordPress, and a perfect example of this system is best illustrated with the vulnerability we disclosed in the new REST API. Via their auto-update feature they were able to patch very quickly and effectively millions of sites in a one-week time period. As impactful as these changes are, however, they aren't stopping the attacks and the compromises. Simply put, it's not because platform security is the problem, but rather website security is much more complex than code or tools, and needs the people and processes behind it to remain secure. Consider WordPress, for example. They have their famous 5-minute install. What a great message, and it has been huge in achieving their broad user adoption. Note, it actually takes a lot more than 5 minutes to secure and harden the environment, let alone configure it to be fully functional to your liking. That isn't the message a webmaster wants to receive, and this becomes especially challenging when you take into consideration the technical aptitude of most of today's webmasters - which is very low. So I think the main challenge I see right now is that there needs to be a level of education to the people deploying websites. There are additional steps that go beyond the basic installation and configuration requirements, and it includes investing some energy into security. These steps need to be more visible, actionable and easier to adopt.

Q: Can just buying products really fix website security?

No.
Technology alone will never be the solution; just buying a product won't work at any level of security. Note that we do sell a cloud-based security software (a WAF for websites), but we work very hard to have a dialog with our customers where we try to educate and communicate the importance of people, process and technology in their security posture.

Q: What do you think about OWASP and other organizations that are focused on web application security?

I think they are great. They are a powerful resource for developers and security professionals to be more aware of web application security issues.

Q: We hear a lot of fear, uncertainty and doubt (FUD) around WordPress security. What helpful advice could you give our readers who are using WordPress currently?

The problem in the WordPress security space is that the majority of users are not very technical, and there is also a lot of misinformation and disinformation being spre
2017-03-20
http://feeds.feedblitz.com/~/283151240/0/alienvault-blogs~Interview-with-Daniel-Cid-founder-of-OSSEC

WordPress webmasters urged to upgrade to version 4.73 to patch six security holes
We Live Security (ESET), 2017-03-07
http://feedproxy.google.com/~r/eset/blog/~3/MkxK6_DVakw/

Google Makes WordPress Site Owners Nervous Due to Confusing Security Alerts
Bleeping Computer, 2017-02-09
https://www.bleepingcomputer.com/news/security/google-makes-wordpress-site-owners-nervous-due-to-confusing-security-alerts/

Thousands of WordPress websites defaced through patch failures
ZDNet, 2017-02-08
http://www.zdnet.com/article/thousands-of-wordpress-websites-fall-prey-to-defacement/#ftag=RSSbaffb68

Russian Spammer Uses Fake Google Domain to Tell Webmasters to Vote Trump
Bleeping Computer, 2016-11-21
http://www.bleepingcomputer.com/news/security/russian-spammer-uses-fake-google-domain-to-tell-webmasters-to-vote-trump/

Analytics spam
Hacker Republic
Monitoring your logs is good, but looking at what is going on in your traffic statistics is better. While browsing my Google Analytics, I was hugely surprised to see this in the language category: (image: Google Analytics spammed by Trump). After a quick search, I discovered that it was a variety of spam: analytics spam.

Analytics spam: why?
This technique, which I file under Black SEO, can also, like traditional spam, be a malware vector. In the case illustrated here, it was mainly an electoral campaign. The general idea is to pollute the analytics reports of webmasters, community managers, developers, etc. to entice them to visit sites and see in what context their web application is being talked about. It can also be a way to generate traffic to one's own sites. Indeed, some portals leave their backlinks and referrers public, which boosts the spammers' backlinks, and therefore their reputation, and therefore their rank in search results. This is what is called spamdexing. In summary, analytics spam serves to: generate fake traffic; spread malware; boost one's own reputation. We have seen the why; on to the how.

How does analytics spam work?
When it comes to analytics spam, there are two techniques: bot referral spam and ghost referral spam. As its name suggests, the first is a bot that actually visits your site, and therefore generates traffic. This technique is simple and everyone knows how to do it. The second is a bit more devious because it only concerns sites running Google Analytics: it does not visit your site, but it still leaves a footprint in your statistics, whether through fake referrers, fake languages or fake keywords. So how can statistics be polluted without visiting a website? By using a small "flaw" in Google Analytics which is in reality a feature, a remarkable demonstration of the phrase "it's not a bug, it's a feature". One starts by generating Google Analytics tracking codes. Fake data is then sent through the Google Analytics Measurement Protocol, and that fake data is then recorded in the statistics of the targeted accounts.
2016-11-15
https://www.hackersrepublic.org/outils/le-spam-analytics

Google punishes web backsliders in Chrome
Network World, 2016-11-10
http://www.networkworld.com/article/3138891/internet/google-punishes-web-backsliders-in-chrome.html#tk.rss_security

The Hacker News
Multiple Critical Remotely Exploitable Flaws Discovered in Memcached Caching System
2016-11-02
http://feedproxy.google.com/~r/TheHackersNews/~3/DEo5yJss7-Y/memcached-hacking.html

WordPress takes the prize as the CMS most targeted by cyberattacks
UnderNews, 2016-09-28
Security firm Sucuri has just published its Website Hacked Trend Report for the second quarter of 2016, highlighting the impressive track record of the WordPress CMS. Of course, the blame lies with the negligence of webmasters and not with the system itself...
http://feedproxy.google.com/~r/undernews/oCmA/~3/zmAsGTv4q5g/wordpress-remporte-la-palme-du-cms-le-plus-vise-par-les-cyberattaques.html

Google Chrome: towards flagging HTTP pages as "not secure"
UnderNews, 2016-09-11
Google Chrome currently displays a grey informational icon on HTTP sites. But the giant explains on its blog that from early 2017, its browser will warn users who are on a page not protected by HTTPS.
Once a warning is displayed to every visitor of a site, it may be seen as a significant means of pressure to force webmasters to move their site to HTTPS.
http://feedproxy.google.com/~r/undernews/oCmA/~3/d-pJWrduC-g/google-chrome-vers-une-signalisation-des-pages-http-non-securisees.html

Mozilla launches free website security scanning service
Network World, 2016-08-26
Dubbed Observatory, the tool was initially built for in-house use by Mozilla security engineer April King, who was then encouraged to expand it and make it available to the whole world. She took inspiration from the SSL Server Test from Qualys' SSL Labs, a widely appreciated scanner that rates a website's SSL/TLS configuration and highlights potential weaknesses. Like Qualys' scanner, Observatory uses a scoring system from 0 to 100, with the possibility of extra bonus points, which translates into grades from F to A+.
http://www.networkworld.com/article/3112331/mozilla-launches-free-website-security-scanning-service.html#tk.rss_security

Web ransomware: the Drupal CMS attacked via SQL injection
UnderNews, 2016-06-08
http://feedproxy.google.com/~r/undernews/oCmA/~3/U0x7Sf6GEPQ/ransomware-web-le-cms-drupal-attaque-via-une-injection-sql.html

6 best HTML5 libraries 2016
CodingSec, 2016-06-02
https://codingsec.net/2016/06/6-best-html5-libraries-2016/

WordPress 4.5.2: critical security update
UnderNews
2016-05-07
http://feedproxy.google.com/~r/undernews/oCmA/~3/u40WYPs4yIg/wordpress-4-5-2-mise-a-jour-de-securite-critique.html