www.secnews.physaphae.fr

www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2025-05-10T21:03:18+00:00 www.secnews.physaphae.fr ProofPoint - Cyber Firms Autour du monde en 90 jours: les acteurs parrainés par l'État essaient Clickfix Around the World in 90 Days: State-Sponsored Actors Try ClickFix 2025-04-17T10:31:17+00:00 https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix www.secnews.physaphae.fr/article.php?IdArticle=8664262 False Malware,Tool,Vulnerability,Threat,Prediction,Cloud APT 28 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Russian-Linked Hackers Target Kazakhstan in Espionage Campaign with HATVIBE Malware Russia-linked threat actors have been attributed to an ongoing cyber espionage campaign targeting Kazakhstan as part of the Kremlin\'s efforts to gather economic and political intelligence in Central Asia. The campaign has been assessed to be the work of an intrusion set dubbed UAC-0063, which likely shares overlap with APT28, a nation-state group affiliated with Russia\'s General Staff Main]]> 2025-01-14T14:40:00+00:00 https://thehackernews.com/2025/01/russian-linked-hackers-target.html www.secnews.physaphae.fr/article.php?IdArticle=8637076 False Malware,Threat APT 28 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia Threat actors with ties to Russia have been linked to a cyber espionage campaign aimed at organizations in Central Asia, East Asia, and Europe. Recorded Future\'s Insikt Group, which has assigned the activity cluster the name TAG-110, said it overlaps with a threat group tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0063, which, in turn, overlaps with APT28. The]]> 2024-11-22T17:36:00+00:00 https://thehackernews.com/2024/11/russian-hackers-deploy-hatvibe-and.html www.secnews.physaphae.fr/article.php?IdArticle=8615986 False Malware,Threat APT 28 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires d'osint, 4 novembre 2024 Weekly OSINT Highlights, 4 November 2024 2024-11-04T12:25:16+00:00 https://community.riskiq.com/article/d6da7f0d www.secnews.physaphae.fr/article.php?IdArticle=8605948 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Prediction,Medical,Cloud,Technical APT 41,APT 28,APT 31,Guam 3.0000000000000000 AlienVault Lab Blog - AlienVault est un acteur de defense majeur dans les IOC Ngioweb reste actif 7 ans plus tard Ngioweb Remains Active 7 Years Later 2024-11-01T19:39:00+00:00 https://cybersecurity.att.com/blogs/labs-research/ngioweb-remains-active-7-years-later www.secnews.physaphae.fr/article.php?IdArticle=8604836 False Malware,Vulnerability,Threat,Mobile,Technical APT 28 3.0000000000000000 Mandiant - Blog Sécu de Mandiant Perspectives sur les cyber-menaces ciblant les utilisateurs et les entreprises au Mexique Insights on Cyber Threats Targeting Users and Enterprises in Mexico Like many countries across the globe, Mexico faces a cyber threat landscape made up of a complex interplay of global and local threats, with threat actors carrying out attempted intrusions into critical sectors of Mexican society. Mexico also faces threats posed by the worldwide increase in multifaceted extortion, as ransomware and data theft continue to rise. Threat actors with an array of motivations continue to seek opportunities to exploit the digital infrastructure that Mexicans rely on across all aspects of society. This joint blog brings together our collective understanding of the cyber threat landscape impacting Mexico, combining insights from Google\'s Threat Analysis Group (TAG) and Mandiant\'s frontline intelligence. By sharing our global perspective, especially during today\'s Google for Mexico event, we hope to enable greater resiliency in mitigating these threats. Cyber Espionage Operations Targeting Mexico As the 12th largest economy in the world, Mexico draws attention from cyber espionage actors from multiple nations, with targeting patterns mirroring broader priorities and focus areas that we see elsewhere. Since 2020, cyber espionage groups from more than 10 countries have targeted users in Mexico; however, more than 77% of government-backed phishing activity is concentrated among groups from the People\'s Republic of China (PRC), North Korea, and Russia.

Figure 1: Government-backed phishing activity targeting Mexico, January 2020 – August 2024 The examples here highlight recent and historical examples where cyber espionage actors have targeted users and organizations in Mexico. It should be noted that these campaigns describe targeting and do not indicate successful compromise or exploitation. PRC Cyber Espionage Activity Targeting Mexico Since 2020, we have observed activity from seven cyber espionage groups with links to the PRC targeting users in Mexico, accounting for a third of government-backed phishing activity in the country. This volume of PRC cyber espionage is similar to activity in other regions where Chinese government investment has been focused, such as countries within China\'s Belt and Road Initiative. In addition to activity targeting Gmail users, PRC-backed groups have targeted Mexican government agencies, higher ]]> 2024-09-10T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-mexico/ www.secnews.physaphae.fr/article.php?IdArticle=8574054 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Cloud,Commercial APT 28 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 12 août 2024 Weekly OSINT Highlights, 12 August 2024 2024-08-12T10:35:06+00:00 https://community.riskiq.com/article/e60227f4 www.secnews.physaphae.fr/article.php?IdArticle=8556324 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Mobile,Industrial,Cloud APT 28 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Russian APT Fighting Ursa cible les diplomates avec des logiciels malveillants de tête à l'aide de fausses annonces de vente de voitures Russian APT Fighting Ursa Targets Diplomats with HeadLace Malware Using Fake Car Sale Ads 2024-08-05T21:26:54+00:00 https://community.riskiq.com/article/00383b84 www.secnews.physaphae.fr/article.php?IdArticle=8552380 False Malware,Tool,Vulnerability,Threat APT 28 4.0000000000000000 Global Security Mag - Site de news francais Cybercriminalité : Fighting Ursa utilise une annonce de vente de voiture comme leurre Malwares]]> 2024-08-05T15:01:41+00:00 https://www.globalsecuritymag.fr/cybercriminalite-fighting-ursa-utilise-une-annonce-de-vente-de-voiture-comme.html www.secnews.physaphae.fr/article.php?IdArticle=8552154 False Malware,Threat APT 28 3.0000000000000000 Dark Reading - Informationweek Branch Russie \\ 'S \\' combattant Ursa \\ 'APT utilise des annonces de voitures pour installer des logiciels malveillants Headlace Russia\\'s \\'Fighting Ursa\\' APT Uses Car Ads to Install HeadLace Malware The scheme, from the group also known as APT28, involves targeting Eastern European diplomats in need of personal transportation, tempting them with a purported good deal on a Audi Q7 Quattro SUV.]]> 2024-08-05T11:38:04+00:00 https://www.darkreading.com/threat-intelligence/russia-fighting-ursa-apt-car-ads-headlace-malware www.secnews.physaphae.fr/article.php?IdArticle=8552054 False Malware APT 28 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) APT28 cible les diplomates avec des logiciels malveillants de tête via la vente de phishing APT28 Targets Diplomats with HeadLace Malware via Car Sale Phishing Lure A Russia-linked threat actor has been linked to a new campaign that employed a car for sale as a phishing lure to deliver a modular Windows backdoor called HeadLace. "The campaign likely targeted diplomats and began as early as March 2024," Palo Alto Networks Unit 42 said in a report published today, attributing it with medium to high level of confidence to APT28, which is also referred to as]]> 2024-08-02T21:46:00+00:00 https://thehackernews.com/2024/08/apt28-targets-diplomats-with-headlace.html www.secnews.physaphae.fr/article.php?IdArticle=8549910 False Malware,Threat APT 28 4.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 29 July 2024 2024-07-29T10:58:35+00:00 https://community.riskiq.com/article/72f3426d www.secnews.physaphae.fr/article.php?IdArticle=8546560 False Ransomware,Data Breach,Spam,Malware,Tool,Vulnerability,Threat,Legislation,Mobile,Industrial,Medical APT 28,APT 36 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) UAC-0063 Attaque des institutions de recherche en Ukraine: Hatvibe + Cherryspy + CVE-2024-23692 UAC-0063 attacks research institutions in Ukraine: HATVIBE + CHERRYSPY + CVE-2024-23692 2024-07-23T20:53:33+00:00 https://community.riskiq.com/article/078e5560 www.secnews.physaphae.fr/article.php?IdArticle=8542990 True Malware,Vulnerability,Threat APT 28 3.0000000000000000 Mandiant - Blog Sécu de Mandiant Enhardi et évolutif: un instantané des cyber-menaces auxquelles l'OTAN est confrontée à l'OTAN Emboldened and Evolving: A Snapshot of Cyber Threats Facing NATO As North Atlantic Treaty Organization (NATO) members and partners gather for a historic summit, it is important to take stock of one of its most pressing challenges-the cyber threat. The Alliance faces a barrage of malicious cyber activity from all over the globe, carried out by emboldened state-sponsored actors, hacktivists, and criminals who are willing to cross lines and carry out activity that was previously considered unlikely or inconceivable. In addition to military targets, NATO must consider the risks that hybrid threats like malicious cyber activity pose to hospitals, civil society, and other targets, which could impact resilience in a contingency. The war in Ukraine is undoubtedly linked to escalating cyber threat activity, but many of these threats will continue to grow separately and in parallel. NATO must contend with covert, aggressive malicious cyber actors that are seeking to gather intelligence, preparing to or currently attacking critical infrastructure, and working to undermine the Alliance with elaborate disinformation schemes. In order to protect its customers and clients, Google is closely tracking cyber threats, including those highlighted in this report; however, this is just a glimpse at a much larger and evolving landscape. Cyber Espionage NATO\'s adversaries have long sought to leverage cyber espionage to develop insight into the political, diplomatic, and military disposition of the Alliance and to steal its defense technologies and economic secrets. However, intelligence on the Alliance in the coming months will be of heightened importance. This year\'s summit is a transition period, with the appointment of Mark Rutte as the new Secretary General and a number of adaptations expected to be rolled out to shore up the Alliance\'s defense posture and its long-term support for Ukraine. Successful cyber espionage from threat actors could potentially undermine the Alliance\'s strategic advantage and inform adversary leadership on how to anticipate and counteract NATO\'s initiatives and investments. NATO is targeted by cyber espionage activity from actors around the world with varying capabilities. Many still rely on technically simple but operationally effective methods, like social engineering. Others have evolved and elevated their tradecraft to levels that distinguish themselves as formidable adversaries for even the most experienced defenders. APT29 (ICECAP) Publicly attributed to the Russian Foreign Intelligence Services (SVR) by several governments, APT29 is heavily focused on diplomatic and political intelligence collection, principally targeting Europe and NATO member states. APT29 has been involved in multiple high-profile breaches of technology firms that were designed to provide access to the public sector. In the past year, Mandiant has observed APT29 targeting technology companies and IT service providers in NATO member countries to facilitate third-party and software supply chain compromises of government and poli]]> 2024-07-08T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-facing-nato/ www.secnews.physaphae.fr/article.php?IdArticle=8532698 False Ransomware,Malware,Tool,Vulnerability,Threat,Legislation,Medical,Cloud,Technical APT 29,APT 28 3.0000000000000000 Mandiant - Blog Sécu de Mandiant Aperçu sur les cyber-menaces ciblant les utilisateurs et les entreprises au Brésil Insights on Cyber Threats Targeting Users and Enterprises in Brazil Individuals and organizations in Brazil face a unique cyber threat landscape because it is a complex interplay of global and local threats, posing significant risks to individuals, organizations, and critical sectors of Brazilian society. Many of the cyber espionage threat actors that are prolific in campaigns across the globe are also active in carrying out attempted intrusions into critical sectors of Brazilian society. Brazil also faces threats posed by the worldwide increase in multifaceted extortion, as ransomware and data theft continue to rise. At the same time, the threat landscape in Brazil is shaped by a domestic cybercriminal market, where threat actors coordinate to carry out account takeovers, conduct carding and fraud, deploy banking malware and facilitate other cyber threats targeting Brazilians. The rise of the Global South, with Brazil at the forefront, marks a significant shift in the geopolitical landscape; one that extends into the cyber realm. As Brazil\'s influence grows, so does its digital footprint, making it an increasingly attractive target for cyber threats originating from both global and domestic actors. This blog post brings together Google\'s collective understanding of the Brazilian threat landscape, combining insights from Google\'s Threat Analysis Group (TAG) and Mandiant\'s frontline intelligence. As Brazil\'s economic and geopolitical role in global affairs continues to rise, threat actors from an array of motivations will further seek opportunities to exploit the digital infrastructure that Brazilians rely upon across all aspects of society. By sharing our global perspective, we hope to enable greater resiliency in mitigating these threats. Google uses the results of our research to improve the safety and security of our products, making them secure by default. Chrome OS has built-in and proactive security to protect from ransomware, and there have been no reported ransomware attacks ever on any business, education, or consumer Chrome OS device. Google security teams continuously monitor for new threat activity, and all identified websites and domains are added to Safe Browsing to protect users from further exploitation. We deploy and constantly update Android detections to protect users\' devices and prevent malicious actors from publishing malware to the Google Play Store. We send targeted Gmail and Workspace users government-backed attacker alerts, notifying them of the activity and encouraging potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated. Cyber Espionage Operations Targeting Brazil Brazil\'s status as a globally influential power and the largest economy in South America have drawn attention from c]]> 2024-06-12T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-brazil/ www.secnews.physaphae.fr/article.php?IdArticle=8516847 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Mobile,Medical,Cloud,Technical APT 28 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Les pirates russes ciblent l'Europe avec des logiciels malveillants de tête et la récolte d'identification Russian Hackers Target Europe with HeadLace Malware and Credential Harvesting The Russian GRU-backed threat actor APT28 has been attributed as behind a series of campaigns targeting networks across Europe with the HeadLace malware and credential-harvesting web pages. APT28, also known by the names BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is an advanced persistent threat (APT) group affiliated with]]> 2024-05-31T15:40:00+00:00 https://thehackernews.com/2024/05/russian-hackers-target-europe-with.html www.secnews.physaphae.fr/article.php?IdArticle=8510552 False Malware,Threat APT 28 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) APT28 soutenu par le Kremlin cible les institutions polonaises dans une campagne de logiciels malveillants à grande échelle Kremlin-Backed APT28 Targets Polish Institutions in Large-Scale Malware Campaign Polish government institutions have been targeted as part of a large-scale malware campaign orchestrated by a Russia-linked nation-state actor called APT28. "The campaign sent emails with content intended to arouse the recipient\'s interest and persuade him to click on the link," the computer emergency response team, CERT Polska, said in a Wednesday bulletin. Clicking on the link]]> 2024-05-09T20:50:00+00:00 https://thehackernews.com/2024/05/kremlin-backed-apt28-targets-polish.html www.secnews.physaphae.fr/article.php?IdArticle=8496647 False Malware APT 28 3.0000000000000000 Mandiant - Blog Sécu de Mandiant Pole Voûte: cyber-menaces aux élections mondiales Poll Vaulting: Cyber Threats to Global Elections Executive Summary The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts. When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure. Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google\'s Advanced Protection Program to protect high-risk accounts. Introduction The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture. The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence. ]]> 2024-04-25T10:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections/ www.secnews.physaphae.fr/article.php?IdArticle=8500393 False Ransomware,Malware,Hack,Tool,Vulnerability,Threat,Legislation,Cloud,Technical APT 40,APT 29,APT 28,APT 43,APT 31,APT 42 3.0000000000000000 Techworm - News Les pirates de la Russie ont exploité Windows Flaw pour déployer & # 8216; GooseEgg & # 8217;Malware Russia’s APT28 Hackers Exploited Windows Flaw To Deploy ‘GooseEgg’ Malware son avis . Microsoft a observé APT28 en utilisant GooseEgg dans le cadre des activités post-compromis contre diverses cibles, y compris les organisations gouvernementales, non gouvernementales, de l'éducation et des transports en Ukraine, en Europe occidentale et en Amérique du Nord. Bien que Gooseegg soit une application de lanceur simple, il peut engendrer d'autres applications sur la ligne de commande avec des autorisations élevées. Cela permet aux acteurs de menace de prendre en charge les activités malveillantes telles que l'exécution du code distant, l'installation d'une porte dérobée et le déplacement latéralement à travers des réseaux compromis. Les gouvernements américains et britanniques ont lié Forest Blizzard à l'unité 26165 de la Fédération de Russie \'s Military Intelligence Agency, la principale Direction du renseignement de l'état-major général des Forces armées de la Fédération de Russie (GRU). «Microsoft a observé qu'après avoir obtenu l'accès à un appareil cible, Forest Blizzard utilise GooseEgg pour élever les privilèges dans l'environnement.GooseEgg est généralement déployé avec un script de lot, que nous avons observé en utilisant le nom execute.bat et doit.bat .Ce script de lot écrit le fichier servtask.bat, qui contient des commandes pour enregistrer / compresser les ruches de registre.Le script de lot invoque l'exécutable de GooseEgg apparié et configure la persistance en tant que tâche planifiée conçue pour exécuter servtask.bat », lit le Advisory publié par Microsoft lundi. Les chercheurs de Microsoft ont noté qu'un fichier DLL malveillant intégré généralement, qui comprend l'expression « wayzgoose»; par exemple, wayzgoose23.dll , est une application de lanceur utilisée par la menaceLes acteurs doivent lancer d'autres charges utiles avec des autorisations au niveau du système et installer une porte dérobée, se déplacer latéralement dans le réseau de la victime et exécuter à distance le code sur les systèmes violés. Comme mentionné précédemment, la société a corrigé le défaut de sécurité des spouleurs imprimés en 2022. Il a également corrigé les vulnérabilités imprimées précédemment exploitées en 2021. «Les clients qui n'ont pas encore mis en œuvre ces correctifs sont invités à le faire dès que possible pour la sécurité de leur organisation», a déclaré Microsoft dans son avis. De plus, la société recommande également de dé]]> 2024-04-23T22:47:49+00:00 https://www.techworm.net/2024/04/russia-apt28-hackers-exploit-windows-flaw.html www.secnews.physaphae.fr/article.php?IdArticle=8487554 False Malware,Tool,Vulnerability,Threat APT 28 3.0000000000000000 SecurityWeek - Security News Les cyberespaces russes livrent \\ 'gooseegg \\' malware aux organisations gouvernementales Russian Cyberspies Deliver \\'GooseEgg\\' Malware to Government Organizations Russia-linked APT28 deploys the GooseEgg post-exploitation tool against numerous US and European organizations. ]]> 2024-04-23T12:50:57+00:00 https://www.securityweek.com/russian-cyberspies-deliver-gooseegg-malware-to-government-organizations/ www.secnews.physaphae.fr/article.php?IdArticle=8487450 False Malware,Tool APT 28 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) La Russie \\'s APT28 exploite Windows Print Spooler Flaw to déploier \\ 'gooseegg \\' malware Russia\\'s APT28 Exploited Windows Print Spooler Flaw to Deploy \\'GooseEgg\\' Malware The Russia-linked nation-state threat actor tracked as APT28 weaponized a security flaw in the Microsoft Windows Print Spooler component to deliver a previously unknown custom malware called GooseEgg. The post-compromise tool, which is said to have been used since at least June 2020 and possibly as early as April 2019, leveraged a now-patched flaw that allowed for]]> 2024-04-23T09:53:00+00:00 https://thehackernews.com/2024/04/russias-apt28-exploited-windows-print.html www.secnews.physaphae.fr/article.php?IdArticle=8487211 False Malware,Tool,Threat APT 28 3.0000000000000000 The Register - Site journalistique Anglais Old Windows Print Spooler Bug est la dernière cible du gang d'ours sophistiqué de la Russie Old Windows print spooler bug is latest target of Russia\\'s Fancy Bear gang Putin\'s pals use \'GooseEgg\' malware to launch attacks you can defeat with patches or deletion Russian spies are exploiting a years-old Windows print spooler vulnerability and using a custom tool called GooseEgg to elevate privileges and steal credentials across compromised networks, according to Microsoft Threat Intelligence.…]]> 2024-04-23T01:15:11+00:00 https://go.theregister.com/feed/www.theregister.com/2024/04/23/russia_fancy_bear_goose_egg/ www.secnews.physaphae.fr/article.php?IdArticle=8487124 False Malware,Tool,Vulnerability,Threat APT 28 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Rester en avance sur les acteurs de la menace à l'ère de l'IA Staying ahead of threat actors in the age of AI 2024-03-05T19:03:47+00:00 https://community.riskiq.com/article/ed40fbef www.secnews.physaphae.fr/article.php?IdArticle=8459485 False Ransomware,Malware,Tool,Vulnerability,Threat,Studies,Medical,Technical APT 28,ChatGPT,APT 4 2.0000000000000000 Dark Reading - Informationweek Branch Le DOJ brise le botnet militaire russe dans le démontage de l'ours fantaisie DoJ Breaks Russian Military Botnet in Fancy Bear Takedown The feds disrupted a Russian intelligence SOHO router botnet notable for being built with Moobot malware rather than custom code.]]> 2024-02-15T20:29:21+00:00 https://www.darkreading.com/cyberattacks-data-breaches/doj-breaks-russian-military-botnet- www.secnews.physaphae.fr/article.php?IdArticle=8450559 False Malware APT 28 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) APT28: de l'attaque initiale à la création de menaces à un contrôleur de domaine en une heure APT28: From Initial Attack to Creating Threats to a Domain Controller in an Hour #### Description Between December 15-25, 2023, a series of cyberattacks were identified involving the distribution of emails containing links to purported "documents" among government organizations. Clicking on these links resulted in malware infecting computers. Investigation revealed that the links redirected victims to a website where a JavaScript-based download initiated a shortcut file. Opening this file triggered a PowerShell command to download and execute a decoy document, a Python interpreter, and a classified MASEPIE file named Client.py. Subsequently, various tools including OPENSSH, STEELHOOK PowerShell scripts, and the OCEANMAP backdoor were downloaded, with additional tools like IMPACKET and SMBEXEC created for network reconnaissance and lateral movement. The overall tactics, techniques, and tools used pointed to the APT28 group. Notably, the attack strategy indicated a broader plan to compromise the entire organization\'s information and communication system, emphasizing the potential threat to the entire network. Similar attacks were also reported against Polish organizations. #### Reference URL(s) 1. https://cert.gov.ua/article/6276894 #### Publication Date January 3, 2024 #### Author(s) CERT-UA ]]> 2024-01-03T19:16:54+00:00 https://community.riskiq.com/article/3c424c10 www.secnews.physaphae.fr/article.php?IdArticle=8433900 False Malware,Tool,Threat APT 28 4.0000000000000000 Recorded Future - FLux Recorded Future Nouveau malware trouvé dans l'analyse des hacks russes sur l'Ukraine, en Pologne New malware found in analysis of Russian hacks on Ukraine, Poland

Les chercheurs ont découvert une nouvelle opération de cyber contre des organisations ukrainiennes et polonaises, l'attribuant au groupe de pirates russes contrôlé par l'État connu sous le nom de Fancy Bear.Lors des attaques de décembre, des pirates russes ont envoyé des courriels de phishing à leurs victimes avec des pièces jointes malveillantes.Une fois ouverts, ces pièces jointes infectées par les appareils ciblés par le nouveau malware Masepie, selon [un

Researchers have discovered a new cyber operation against Ukrainian and Polish organizations, attributing it to the Russian state-controlled hacker group known as Fancy Bear. During the attacks in December, Russian hackers sent phishing emails to their victims with malicious attachments. Once opened, these attachments infected targeted devices with the novel Masepie malware, according to [a]]> 2023-12-29T13:18:00+00:00 https://therecord.media/fancy-bear-apt28-ukraine-new-malware-masepie www.secnews.physaphae.fr/article.php?IdArticle=8430796 False Malware APT 28 3.0000000000000000 ProofPoint - Cyber Firms TA422 \\ Soule d'exploitation dédiée - la même semaine après semaine TA422\\'s Dedicated Exploitation Loop-the Same Week After Week 2023-12-05T05:00:40+00:00 https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week www.secnews.physaphae.fr/article.php?IdArticle=8419228 False Malware,Vulnerability,Threat APT 28 3.0000000000000000 knowbe4 - cybersecurity services Cyberheistnews Vol 13 # 26 [Eyes Open] La FTC révèle les cinq dernières escroqueries par SMS CyberheistNews Vol 13 #26 [Eyes Open] The FTC Reveals the Latest Top Five Text Message Scams

CyberheistNews Vol 13 #26 | June 27th, 2023 [Eyes Open] The FTC Reveals the Latest Top Five Text Message Scams The U.S. Federal Trade Commission (FTC) has published a data spotlight outlining the most common text message scams. Phony bank fraud prevention alerts were the most common type of text scam last year. "Reports about texts impersonating banks are up nearly tenfold since 2019 with median reported individual losses of $3,000 last year," the report says. These are the top five text scams reported by the FTC: Copycat bank fraud prevention alerts Bogus "gifts" that can cost you Fake package delivery problems Phony job offers Not-really-from-Amazon security alerts "People get a text supposedly from a bank asking them to call a number ASAP about suspicious activity or to reply YES or NO to verify whether a transaction was authorized. If they reply, they\'ll get a call from a phony \'fraud department\' claiming they want to \'help get your money back.\' What they really want to do is make unauthorized transfers. "What\'s more, they may ask for personal information like Social Security numbers, setting people up for possible identity theft." Fake gift card offers took second place, followed by phony package delivery problems. "Scammers understand how our shopping habits have changed and have updated their sleazy tactics accordingly," the FTC says. "People may get a text pretending to be from the U.S. Postal Service, FedEx, or UPS claiming there\'s a problem with a delivery. "The text links to a convincing-looking – but utterly bogus – website that asks for a credit card number to cover a small \'redelivery fee.\'" Scammers also target job seekers with bogus job offers in an attempt to steal their money and personal information. "With workplaces in transition, some scammers are using texts to perpetrate old-school forms of fraud – for example, fake \'mystery shopper\' jobs or bogus money-making offers for driving around with cars wrapped in ads," the report says. "Other texts target people who post their resumes on employment websites. They claim to offer jobs and even send job seekers checks, usually with instructions to send some of the money to a different address for materials, training, or the like. By the time the check bounces, the person\'s money – and the phony \'employer\' – are long gone." Finally, scammers impersonate Amazon and send fake security alerts to trick victims into sending money. "People may get what looks like a message from \'Amazon,\' asking to verify a big-ticket order they didn\'t place," the FTC says. "Concerned ]]> 2023-06-27T13:00:00+00:00 https://blog.knowbe4.com/cyberheistnews-vol-13-26-eyes-open-the-ftc-reveals-the-latest-top-five-text-message-scams www.secnews.physaphae.fr/article.php?IdArticle=8349704 False Ransomware,Spam,Malware,Hack,Tool,Threat FedEx,APT 28,APT 15,ChatGPT,ChatGPT 2.0000000000000000 knowbe4 - cybersecurity services Cyberheistnews Vol 13 # 19 [Watch Your Back] Nouvelle fausse erreur de mise à jour Chrome Attaque cible vos utilisateurs CyberheistNews Vol 13 #19 [Watch Your Back] New Fake Chrome Update Error Attack Targets Your Users

CyberheistNews Vol 13 #19 | May 9th, 2023 [Watch Your Back] New Fake Chrome Update Error Attack Targets Your Users Compromised websites (legitimate sites that have been successfully compromised to support social engineering) are serving visitors fake Google Chrome update error messages. "Google Chrome users who use the browser regularly should be wary of a new attack campaign that distributes malware by posing as a Google Chrome update error message," Trend Micro warns. "The attack campaign has been operational since February 2023 and has a large impact area." The message displayed reads, "UPDATE EXCEPTION. An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the next automatic update." A link is provided at the bottom of the bogus error message that takes the user to what\'s misrepresented as a link that will support a Chrome manual update. In fact the link will download a ZIP file that contains an EXE file. The payload is a cryptojacking Monero miner. A cryptojacker is bad enough since it will drain power and degrade device performance. This one also carries the potential for compromising sensitive information, particularly credentials, and serving as staging for further attacks. This campaign may be more effective for its routine, innocent look. There are no spectacular threats, no promises of instant wealth, just a notice about a failed update. Users can become desensitized to the potential risks bogus messages concerning IT issues carry with them. Informed users are the last line of defense against attacks like these. New school security awareness training can help any organization sustain that line of defense and create a strong security culture. Blog post with links:https://blog.knowbe4.com/fake-chrome-update-error-messages A Master Class on IT Security: Roger A. Grimes Teaches You Phishing Mitigation Phishing attacks have come a long way from the spray-and-pray emails of just a few decades ago. Now they\'re more targeted, more cunning and more dangerous. And this enormous security gap leaves you open to business email compromise, session hijacking, ransomware and more. Join Roger A. Grimes, KnowBe4\'s Data-Driven Defense Evangelist, ]]> 2023-05-09T13:00:00+00:00 https://blog.knowbe4.com/cyberheistnews-vol-13-19-watch-your-back-new-fake-chrome-update-error-attack-targets-your-users www.secnews.physaphae.fr/article.php?IdArticle=8334782 False Ransomware,Data Breach,Spam,Malware,Tool,Threat,Prediction NotPetya,NotPetya,APT 28,ChatGPT,ChatGPT 2.0000000000000000 The Register - Site journalistique Anglais L'APT28 de la Russie cible le gouvernement ukrain Russia\\'s APT28 targets Ukraine government with bogus Windows updates Nasty emails designed to infect systems with info-stealing malware The Kremlin-backed threat group APT28 is flooding Ukrainian government agencies with email messages about bogus Windows updates in the hope of dropping malware that will exfiltrate system data.…]]> 2023-05-02T06:37:07+00:00 https://go.theregister.com/feed/www.theregister.com/2023/05/02/russia_apt28_ukraine_phishing/ www.secnews.physaphae.fr/article.php?IdArticle=8332710 False Malware,Threat APT 28,APT 28 2.0000000000000000 TechRepublic - Security News US L'acteur de menace APT28 cible les routeurs Cisco avec une vieille vulnérabilité Threat actor APT28 targets Cisco routers with an old vulnerability Les États-Unis, l'Europe et l'Ukraine seraient des cibles dans cette menace malveillante.Apprenez à protéger les routeurs Cisco affectés.

>The U.S., Europe and Ukraine are reportedly targets in this malware threat. Learn how to protect affected Cisco routers. ]]> 2023-04-28T16:36:57+00:00 https://www.techrepublic.com/article/apt28-cisco-routers-security-vulnerability/ www.secnews.physaphae.fr/article.php?IdArticle=8331913 False Malware,Vulnerability,Threat APT 28,APT 28 2.0000000000000000 knowbe4 - cybersecurity services Cyberheistnews Vol 13 # 17 [Head Start] Méthodes efficaces Comment enseigner l'ingénierie sociale à une IA CyberheistNews Vol 13 #17 [Head Start] Effective Methods How To Teach Social Engineering to an AI

>Russian nation-state actors are using a patched remote code execution vulnerability in Cisco network appliances to conduct... ]]> 2023-04-20T11:23:59+00:00 https://socradar.io/apt28-exploits-cisco-vulnerability-to-deploy-malware-in-espionage-campaign/ www.secnews.physaphae.fr/article.php?IdArticle=8329638 False Malware,Vulnerability APT 28 2.0000000000000000 Dark Reading - Informationweek Branch Russian Fancy Bear APT a exploité les routeurs de Cisco non corrigés pour nous pirater, UE Gov \\ 't agences Russian Fancy Bear APT Exploited Unpatched Cisco Routers to Hack US, EU Gov\\'t Agencies The nation-stage threat group deployed custom malware on archaic versions of Cisco\'s router operating system. Experts warn that such attacks targeting network infrastructure are on the rise.]]> 2023-04-19T21:40:00+00:00 https://www.darkreading.com/attacks-breaches/russian-fancy-bear-apt-exploited-unpatched-cisco-routers-to-hack-us-eu-government-agencies www.secnews.physaphae.fr/article.php?IdArticle=8329462 False Malware,Hack,Threat APT 28 2.0000000000000000 Bleeping Computer - Magazine Américain US, Royaume-Uni avertissant des pirates de gouvernement utilisant des logiciels malveillants personnalisés sur les routeurs Cisco US, UK warn of govt hackers using custom malware on Cisco routers The US, UK, and Cisco are warning of Russian state-sponsored APT28 hackers deploying a custom malware named \'Jaguar Tooth\' on Cisco IOS routers, allowing unauthenticated access to the device. [...]]]> 2023-04-18T17:42:45+00:00 https://www.bleepingcomputer.com/news/security/us-uk-warn-of-govt-hackers-using-custom-malware-on-cisco-routers/ www.secnews.physaphae.fr/article.php?IdArticle=8329040 False Malware APT 28 2.0000000000000000 knowbe4 - cybersecurity services Cyberheistnews Vol 13 # 16 [doigt sur le pouls]: comment les phishers tirent parti de l'IA récent Buzz CyberheistNews Vol 13 #16 [Finger on the Pulse]: How Phishers Leverage Recent AI Buzz

CyberheistNews Vol 13 #16 | April 18th, 2023 [Finger on the Pulse]: How Phishers Leverage Recent AI Buzz Curiosity leads people to suspend their better judgment as a new campaign of credential theft exploits a person\'s excitement about the newest AI systems not yet available to the general public. On Tuesday morning, April 11th, Veriti explained that several unknown actors are making false Facebook ads which advertise a free download of AIs like ChatGPT and Google Bard. Veriti writes "These posts are designed to appear legitimate, using the buzz around OpenAI language models to trick unsuspecting users into downloading the files. However, once the user downloads and extracts the file, the Redline Stealer (aka RedStealer) malware is activated and is capable of stealing passwords and downloading further malware onto the user\'s device." Veriti describes the capabilities of the Redline Stealer malware which, once downloaded, can take sensitive information like credit card numbers, passwords, and personal information like user location, and hardware. Veriti added "The malware can upload and download files, execute commands, and send back data about the infected computer at regular intervals." Experts recommend using official Google or OpenAI websites to learn when their products will be available and only downloading files from reputable sources. With the rising use of Google and Facebook ads as attack vectors experts also suggest refraining from clicking on suspicious advertisements promising early access to any product on the Internet. Employees can be helped to develop sound security habits like these by stepping them through monthly social engineering simulations. Blog post with links:https://blog.knowbe4.com/ai-hype-used-for-phishbait [New PhishER Feature] Immediately Add User-Reported Email Threats to Your M365 Blocklist Now there\'s a super easy way to keep malicious emails away from all your users through the power of the KnowBe4 PhishER platform! The new PhishER Blocklist feature lets you use reported messages to prevent future malicious email with the same sender, URL or attachment from reaching other users. Now you can create a unique list of blocklist entries and dramatically improve your Microsoft 365 email filters without ever leav]]> 2023-04-18T13:00:00+00:00 https://blog.knowbe4.com/cyberheistnews-vol-13-16-finger-on-the-pulse-how-phishers-leverage-recent-ai-buzz www.secnews.physaphae.fr/article.php?IdArticle=8328885 False Spam,Malware,Hack,Threat APT 28,ChatGPT,ChatGPT 3.0000000000000000 Malwarebytes Labs - MalwarebytesLabs APT28 attack uses old PowerPoint trick to download malware Categories: NewsTags: APT28 Tags: Fancy Bear Tags: PowerPoint Tags: PowerShell Tags: One Drive Tags: SyncAppvPublishingServer The Russian APT known as Fancy Bear was caught using an old mouseover technique that doesn't need macros (Read more...) ]]> 2022-09-28T21:15:00+00:00 https://www.malwarebytes.com/blog/news/2022/09/powerpoint-mouseover-triggers-powershell-script-for-malware-delivery www.secnews.physaphae.fr/article.php?IdArticle=7189077 False Malware APT 28 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Hackers Using PowerPoint Mouseover Trick to Infect System with Malware 2022-09-28T15:39:00+00:00 https://thehackernews.com/2022/09/hackers-using-powerpoint-mouseover.html www.secnews.physaphae.fr/article.php?IdArticle=7176862 False Malware,Threat APT 28 3.0000000000000000 Security Affairs - Blog Secu APT28 relies on PowerPoint Mouseover to deliver Graphite malware The Russia-linked APT28 group is using mouse movement in decoy Microsoft PowerPoint documents to distribute malware. The Russia-linked APT28 employed a technique relying on mouse movement in decoy Microsoft PowerPoint documents to deploy malware, researchers from Cluster25 reported. Cluster25 researchers were analyzing a lure PowerPoint document used to deliver a variant of Graphite malware, which is known to be used […] ]]> 2022-09-28T13:47:10+00:00 https://securityaffairs.co/wordpress/136358/apt/apt28-powerpoint-mouseover-technique.html www.secnews.physaphae.fr/article.php?IdArticle=7179609 False Malware APT 28 None NoticeBored - Experienced IT Security professional CISO workshop slides glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):]]> 2022-08-06T10:46:21+00:00 http://blog.noticebored.com/2022/08/a-glossy-nicely-constructed-and.html www.secnews.physaphae.fr/article.php?IdArticle=6150878 False Malware,Vulnerability,Threat,Patching,Guideline,Medical,Cloud Uber,APT 38,APT 37,APT 28,APT 19,APT 15,APT 10,APT 34,Guam None Anomali - Firm Blog Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT” (published: July 28, 2022) Volexity researchers discovered SharpExt, a new malicious browser app used by the North-Korea sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the app, the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter almost exclusively used in South Korea. Following the initial compromise, Velvet Chollima deploy SharpExt and to avoid warning the victim they manually exfiltrate settings files to change the settings and generate a valid "super_mac" security check value. They also hide the newly opened DevTools window and any other warning windows such as a warning regarding extensions running in developer mode. Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it was concentrating on stealing credentials instead of emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match). MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Hide Artifacts - T1564 Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits (published: July 27, 2022) Microsoft researchers detail activity of DSIRF, Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF was exploiting another Adobe Reader vulnerability, CVE-2022-22047, which was patched in July 2022. DSIRF attacks rely on their malware toolset called Subzero. The initial downloader shellcode is executed from either the exploit chains or malicious Excel documents. It downloads a JPG image file with extra encrypted data, extracts, decrypts and loads to the memory the Corelump memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se]]> 2022-08-02T15:17:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-velvet-chollima-steals-emails-from-browsers-austrian-mercenary-leverages-zero-days-china-sponsored-group-uses-cosmicstrand-uefi-firmware-rootkit-and-more www.secnews.physaphae.fr/article.php?IdArticle=6091651 False Malware,Tool,Vulnerability,Threat,Patching,Guideline,Cloud APT 37,APT 28 None Anomali - Firm Blog Anomali Cyber Watch: API Hammering Confuses Sandboxes, Pirate Panda Wrote in Nim, Magecart Obfuscates Variable Names, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Lockbit Ransomware Disguised as Copyright Claim E-mail Being Distributed (published: June 24, 2022) ASEC researchers have released their analysis of a recent phishing campaign, active since February 2022. The campaign aims to infect users with Lockbit ransomware, using the pretense of a copyright claim as the phishing lure. The phishing email directs the recipient to open the attached zip file which contains a pdf of the infringed material. In reality, the pdf is a disguised NSIS executable which downloads and installs Lockbit. The ransomware is installed onto the desktop for persistence through desktop change or reboot. Prior to data encryption, Lockbit will delete the volume shadow copy to prevent data recovery, in addition to terminating a variety of services and processes to avoid detection. Analyst Comment: Never click on suspicious attachments or run any executables from suspicious emails. Copyright infringement emails are a common phishing lure. Such emails will be straight forward to rectify if legitimate. If a copyright email is attempting to coerce you into opening attachments, such emails should be treated with extreme caution. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 Tags: malware:Phishing, malware:Lockbit, Lockbit, Copyright, Ransomware There is More Than One Way To Sleep: Deep Dive into the Implementations of API Hammering by Various Malware Families (published: June 24, 2022) Researchers at Palo Alto Networks have released their analysis of new BazarLoader and Zloader samples that utilize API Hammering as a technique to evade sandbox detection. API Hammering makes use of a large volume of Windows API calls to delay the execution of malicious activity to trick sandboxes into thinking the malware is benign. Whilst BazarLoader has utilized the technique in the past, this new variant creates large loops of benign API using a new process. Encoded registry keys within the malware are used for the calls and the large loop count is created from the offset of the first null byte of the first file in System32 directory. Zloader uses a different form of API Hammering to evade sandbox detection. Hardcoded within Zloader are four large functions with many smaller functions within. Each function makes an input/output (I/O) call to mimic the behavior of many legitimate processes. Analyst Comment: Defense in depth is the best defense against sophisticated malware. The Anomali Platform can assist in detection of malware and Match anomalous activity from all telemetry sources to provide the complete picture of adversary activity within your network. MITRE ATT&CK: [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 Tags: malware:BazarLoad]]> 2022-06-28T19:11:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-api-hammering-confuses-sandboxes-pirate-panda-wrote-in-nim-magecart-obfuscates-variable-names-and-more www.secnews.physaphae.fr/article.php?IdArticle=5436667 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat APT 28,APT 23 None Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug 2022-06-23T12:21:33+00:00 https://threatpost.com/fancy-bear-nuke-threat-lure/180056/ www.secnews.physaphae.fr/article.php?IdArticle=5341503 False Malware,Threat APT 28 None Malwarebytes Labs - MalwarebytesLabs Russia\'s APT28 uses fear of nuclear war to spread Follina docs in Ukraine 2022-06-21T15:25:09+00:00 https://blog.malwarebytes.com/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine/ www.secnews.physaphae.fr/article.php?IdArticle=5310140 False Malware APT 28 None Anomali - Firm Blog Anomali Cyber Watch: Moshen Dragon Abused Anti-Virus Software, Raspberry Robin Worm Jumps from USB, UNC3524 Uses Internet-of-Things to Steal Emails, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Attackers Are Attempting to Exploit Critical F5 BIG-IP RCE (published: May 9, 2022) CVE-2022-1388, a critical remote code execution vulnerability affecting F5 BIG-IP multi-purpose networking devices/modules, was made public on May 4, 2022. It is of high severity (CVSSv3 score is 9.8). By May 6, 2022, multiple researchers have developed proof-of concept (PoC) exploits for CVE-2022-1388. The first in-the-wild exploitation attempts were reported on May 8, 2022. Analyst Comment: Update your vulnerable F5 BIG-IP versions 13.x and higher. BIG-IP 11.x and 12.x will not be fixed, but temporary mitigations available: block iControl REST access through the self IP address and through the management interface, modify the BIG-IP httpd configuration. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 Tags: CVE-2022-1388, F5, Vulnerability, Remote code execution, Missing authentication Mobile Subscription Trojans and Their Little Tricks (published: May 6, 2022) Kaspersky researchers analyzed five Android trojans that are secretly subscribing users to paid services. Jocker trojan operators add malicious code to legitimate apps and re-upload them to Google Store under different names. To avoid detection, malicious functionality won’t start until the trojan checks that it is available in the store. The malicious payload is split in up to four files. It can block or substitute anti-fraud scripts, and modify X-Requested-With header in an HTTP request. Another Android malware involved in subscription fraud, MobOk trojan, has additional functionality to bypass captcha. MobOk was seen in a malicious app in Google Store, but the most common infection vector is being spread by other Trojans such as Triada. Analyst Comment: Limit your apps to downloads from the official stores (Google Store for Android), avoid new apps with low number of downloads and bad reviews. Pay attention to the terms of use and payment. Avoid granting it too many permissions if those are not crucial to the app alleged function. Monitor your balance and subscription list. MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Data Manipulation - T1565 Tags: Android, Jocker, MobOk, Triada, Vesub, GriftHorse, Trojan, Subscription fraud, Subscription Trojan, Russia, target-country:RU, Middle East, Saudi Arabia, target-country:SA, Egypt, target-country:EG, Thailand, target-country:TH Raspberry Robin Gets the Worm Early (published: May 5, 2022) Since September 2021, Red Canary researchers monitor Raspberry Robin, a new worm]]> 2022-05-10T17:08:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-moshen-dragon-abused-anti-virus-software-raspberry-robin-worm-jumps-from-usb-unc3524-uses-internet-of-things-to-steal-emails-and-more www.secnews.physaphae.fr/article.php?IdArticle=4573852 False Ransomware,Malware,Tool,Vulnerability,Threat APT 29,APT 28 3.0000000000000000 Anomali - Firm Blog Anomali Cyber Watch: Gamaredon Delivers Four Pterodos At Once, Known-Plaintext Attack on Yanlouwang Encryption, North-Korea Targets Blockchain Industry, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems (published: April 25, 2022) Cybereason researchers have compared trending attacks involving SocGholish and Zloader malware. Both infection chains begin with social engineering and malicious downloads masquerading as legitimate software, and both lead to data theft and possible ransomware installation. SocGholish attacks rely on drive-by downloads followed by user execution of purported browser installer or browser update. The SocGholish JavaScript payload is obfuscated using random variable names and string manipulation. The attacker domain names are written in reverse order with the individual string characters being put at the odd index positions. Zloader infection starts by masquerading as a popular application such as TeamViewer. Zloader acts as information stealer, backdoor, and downloader. Active since 2016, Zloader actively evolves and has acquired detection evasion capabilities, such as excluding its processes from Windows Defender and using living-off-the-land (LotL) executables. Analyst Comment: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors. MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets - T1558 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | ]]> 2022-04-26T16:24:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-gamaredon-delivers-four-pterodos-at-once-known-plaintext-attack-on-yanlouwang-encryption-north-korea-targets-blockchain-industry-and-more www.secnews.physaphae.fr/article.php?IdArticle=4508976 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Medical Uber,APT 38,APT 28 None Anomali - Firm Blog Anomali Cyber Watch: RaidForums Seized, Sandworm Attacks Ukrainian Power Stations, North Korea Steals Chemical Secrets, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Lazarus Targets Chemical Sector (published: April 14, 2022) In January 2022, Symantec researchers discovered a new wave of Operation Dream Job. This operation, attributed to the North Korea-sponsored group Lazarus, utilizes fake job offers via professional social media and email communications. With the new wave of attacks, Operation Dream Job switched from targeting the defense, government, and engineering sectors to targeting South Korean organizations operating within the chemical sector. A targeted user executes an HTM file sent via a link. The HTM file is copied to a DLL file to be injected into the legitimate system management software. It downloads and executes the final backdoor: a trojanized version of the Tukaani project LZMA Utils library (XZ Utils) with a malicious export added (AppMgmt). After the initial access, the attackers gain persistence via scheduled tasks, move laterally, and collect credentials and sensitive information. Analyst Comment: Organizations should train their users to recognize social engineering attacks including those posing as “dream job” proposals. Organizations facing cyberespionage threats should implement a defense-in-depth approach: layering of security mechanisms, redundancy, fail-safe defense processes. MITRE ATT&CK: [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555 Tags: Lazarus, Operation Dream Job, North Korea, source-country:KP, South Korea, target-country:KR, APT, HTM, CPL, Chemical sector, Espionage, Supply chain, IT sector Old Gremlins, New Methods (published: April 14, 2022) Group-IB researchers have released their analysis of threat actor OldGremlin’s new March 2022 campaign. OldGremlin favored phishing as an initial infection vector, crafting intricate phishing emails that target Russian industries. The threat actors utilized the current war between Russia and Ukraine to add a sense of legitimacy to their emails, with claims that users needed to click a link to register for a new credit card, as current ones would be rendered useless by incoming sanctions. The link leads users to a malicious Microsoft Office document stored within Dropbox. When macros are enabled, the threat actor’s new, custom backdoor, TinyFluff, a new version of their old TinyNode]]> 2022-04-19T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-raidforums-seized-sandworm-attacks-ukrainian-power-stations-north-korea-steals-chemical-secrets-and-more www.secnews.physaphae.fr/article.php?IdArticle=4477972 False Ransomware,Spam,Malware,Vulnerability,Threat,Guideline,Medical APT 38,APT 28 None Fortinet ThreatSignal - Harware Vendor AcidRain Wiper Suspected in Satellite Broadband Outage in Europe 2022-04-01T14:09:48+00:00 https://fortiguard.fortinet.com/threat-signal-report/4484 www.secnews.physaphae.fr/article.php?IdArticle=4381922 False Malware,Threat VPNFilter,VPNFilter,APT 28 None Anomali - Firm Blog Anomali Cyber Watch: Government and Financially-Motivated Targeting of Ukraine, Conti Ransomware Active Despite Exposure, Carbanak Abuses XLL Files, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Webinar on Cyberattacks in Ukraine – Summary and Q&A (published: March 14, 2022) As the military conflict in Ukraine continues, the number of cyberattacks in Ukraine is expected to rise in the next six months, according to Kaspersky researchers. Most of the current attacks on Ukraine are of low complexity, but advanced persistent threat (APT) attacks exist too. Gamaredon (Primitive Bear) APT group continues its spearphishing attacks. Sandworm APT targets SOHO network devices with modular Linux malware Cyclops Blink. Other suspected APT campaigns use MicroBackdoor malware or various wipers and fake ransomware (HermeticRansom, HermeticWiper, IsaacWiper, WhisperGate). Honeypot network in Ukraine detected over 20,000 attacking IP addresses, and most of them were seen attacking Ukraine exclusively. Analyst Comment: Harden your infrastructure against DDoS attacks, ransomware and destructive malware, phishing, targeted attacks, supply-chain attacks, and firmware attacks. Install all the latest patches. Install security software. Consider strict application white-listing for all machines. Actively hunt for attackers inside the company’s internal network using the retrospective visibility provided by Anomali XDR. MITRE ATT&CK: [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Pre-OS Boot - T1542 | [MITRE ATT&CK] Fallback Channels - T1008 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Disk Content Wipe - T1488 | [MITRE ATT&CK] Inhibit System Recovery - T1490 Tags: Gamaredon, Sandworm, MicroBackdoor, Hades, HermeticWiper, HermeticRansom, IsaacWiper, Pandora, Cyclops Blink, Government, Russia, Ukraine, UNC1151, Ghostwriter, Belarus, Ukraine-Russia Conflict 2022, Operation Bleeding Bear Alert (AA21-265A) Conti Ransomware (Updated) (published: March 9, 2022) The U.S. Cybersecurity and Infrastructure Security Agency (CISA), with assistance from the U.S. Secret Service has updated the alert on Conti ransomware with 98 domain names used in malicious operations. Conti ransomware-as-a-service (RaaS) operation is attributed to the threat group Wizard Spider also known for its Trickbot malware. The group’s internal data and communications were leaked at the end of February 2022 after they announced support for Russia over the conflict in Ukraine. Analyst Comment: Despite the increased attention to Conti ransomware group, it remains extremely active. Ensure t]]> 2022-03-15T16:46:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-government-and-financially-motivated-targeting-of-ukraine-conti-ransomware-active-despite-exposure-carbanak-abuses-xll-files-and-more www.secnews.physaphae.fr/article.php?IdArticle=4285837 False Ransomware,Malware,Tool,Vulnerability,Threat APT 28 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) North Korean Hackers Using Windows Update Service to Infect PCs with Malware 2022-01-28T01:24:28+00:00 https://thehackernews.com/2022/01/north-korean-hackers-using-windows.html www.secnews.physaphae.fr/article.php?IdArticle=4045173 False Malware,Medical APT 38,APT 28 None Security Affairs - Blog Secu North Korea-linked Lazarus APT used Windows Update client and GitHub in recent attacks 2022-01-27T20:30:53+00:00 https://securityaffairs.co/wordpress/127296/apt/lazarus-apt-windows-update-client.html?utm_source=rss&utm_medium=rss&utm_campaign=lazarus-apt-windows-update-client www.secnews.physaphae.fr/article.php?IdArticle=4043080 False Malware APT 38,APT 28 None Anomali - Firm Blog Anomali Cyber Watch: MoonBounce, AccessPress, QR Code Scams and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence FBI Warns Of Malicious QR Codes Used To Steal Your Money (published: January 23, 2022) The Federal Bureau of Investigation (FBI) recently released a notice that malicious QR codes have been found in the wild. These codes, when scanned, will redirect the victim to a site where they are prompted to enter personal and payment details. The site will then harvest these credentials for cybercriminals to commit fraud and empty bank accounts. This threat vector has been seen in Germany as of December 2021. Analyst Comment: Always be sure to check that emails have been sent from a legitimate source, and that any financial details or method of payment is done through the website. While QR codes are useful and being used by businesses more often, it is easy for cybercriminals to perform this kind of scam. If scanning a physical QR code, ensure the code has not been replaced with a sticker placed on top of the original code. Check the final URL to make sure it is the intended site and looks authentic. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 Tags: EU & UK, Banking and Finance MoonBounce: The Dark Side Of UEFI Firmware (published: January 20, 2022) Kaspersky has reported that in September 2021, a bootloader malware infection had been discovered that embeds itself into UEFI firmware. The malware patches existing UEFI drivers and resides in the SPI flash memory located on the motherboard. This means that it will persist even if the hard drive is replaced. Code snippets and IP addresses link the activity to APT41, a group that is operated by a group of Chinese-speaking individuals. MoonBounce is highly sophisticated and very difficult to detect. Analyst Comment: Systems should be configured to take advantage of Trusted Platform Module (TPM) hardware security chips to secure their systems' boot image and firmware, where available. Secure boot is also a viable option to mitigate against attacks that would patch, reconfigure, or flash existing UEFI firmware to implant malicious code. MITRE ATT&CK: [MITRE ATT&CK] Pre-OS Boot - T1542 | [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | ]]> 2022-01-25T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-moonbounce-accesspress-qr-code-scams-and-more www.secnews.physaphae.fr/article.php?IdArticle=4030711 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline APT 41,APT 28 None Anomali - Firm Blog Anomali Cyber Watch: Russia-Sponsored Cyber Threats, China-Based Earth Lusca Active in Cyberespionage and Cybertheft, BlueNoroff Hunts Cryptocurrency-Related Businesses, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques (published: January 17, 2022) The Earth Lusca threat group is part of the Winnti cluster. It is one of different Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs) including the use of Winnti malware. Earth Lusca were active throughout 2021 committing both cyberespionage operations against government-connected organizations and financially-motivated intrusions targeting gambling and cryptocurrency-related sectors. For intrusion, the group tries different ways in including: spearphishing, watering hole attacks, and exploiting publicly facing servers. Cobalt Strike is one of the group’s preferred post-exploitation tools. It is followed by the use of the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group employs two separate infrastructure clusters, first one is rented Vultr VPS servers used for command-and-control (C2), second one is compromised web servers used to scan for vulnerabilities, tunnel traffic, and Cobalt Strike C2. Analyst Comment: Earth Lusca often relies on tried-and-true techniques that can be stopped by security best practices, such as avoiding clicking on suspicious email/website links and or reacting on random banners urging to update important public-facing applications. Don’t be tricked to download Adobe Flash update, it was discontinued at the end of December 2020. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) updated. MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hijack Execution Flow]]> 2022-01-19T22:45:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-russia-sponsored-cyber-threats-china-based-earth-lusca-active-in-cyberespionage-and-cybertheft-bluenoroff-hunts-cryptocurrency-related-businesses-and-more www.secnews.physaphae.fr/article.php?IdArticle=3999162 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching,Guideline APT 41,APT 38,APT 29,APT 28,APT 28 None Anomali - Firm Blog Anomali Cyber Watch: \'PseudoManuscrypt\' Mass Spyware Campaign Targets 35K Systems, APT31 Intrusion Set Campaign: Description, Countermeasures and Code, State-sponsored hackers abuse Slack API to steal Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence NSW Government Casual Recruiter Suffers Ransomware Hit (published: December 17, 2021) Finite Recruitment suffered a ransomware attack during the month of October 2021, resulting in the exfiltration of some data. Their incident responders (IR) identified the ransomware as Conti, a fast encrypting ransomware commonly attributed to the cybercriminal group Wizard Spider. The exfiltrated data was published on the dark web, however the firm remains fully operational, and affected customers are being informed. Analyst Comment: Always check to see if there is a decryptor available for the ransomware before considering payment. Enforce a strong backup policy to ensure that data is recoverable in the event of encryption or loss. MITRE ATT&CK: [MITRE ATT&CK] Scheduled Transfer - T1029 Tags: Conti, Wizard Spider, Ransomware, Banking and Finance Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions (published: December 16, 2021) Check Point Research has uncovered a new variant of the Phorpiex botnet named Twizt. Historically, Phorpiex utilized sextortion, ransomware delivery, and cryptocurrency clipping. Twizt however, appears to be primarily focused on stealing cryptocurrency and have stolen half a million dollars since November 2020 in the form of Bitcoin, Ether and ERC20 tokens.The botnet features departure from it’s traditional command and control (C2) infrastructure, opting for peer-to-peer (P2P) communications between infected hosts, eliminating the need for C2 communication as each host can fulfill that role. Analyst Comment: Bots within a P2P network need to communicate regularly with other bots to receive and share commands. If the infected bots are on a private network, private IP addresses will be used. Therefore, careful monitoring of network traffic will reveal suspicious activity, and a spike in network resource usage as opposed to the detection of C2 IP addresses. MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Clipboard Data - T1115 Tags: Phorpiex, Twizt, Russia, Banking and Finance, Cryptocurrency, Bitcoin ‘PseudoManuscrypt’ Mass Spyware Campaign Targets 35K Systems (published: December 16, 2021) Kaspersky researchers have documented a spyware that has targeted 195 countries as of December 2021. The spyware, named PseudoManuscrypt, was developed and deployed by Lazarus Group ]]> 2021-12-21T16:57:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-pseudomanuscrypt-mass-spyware-campaign-targets-35k-systems-apt31-intrusion-set-campaign-description-countermeasures-and-code-state-sponsored-hackers-abuse-slack-api-to-steal www.secnews.physaphae.fr/article.php?IdArticle=3841167 False Ransomware,Malware,Vulnerability,Threat,Guideline,Medical APT 41,APT 38,APT 28,APT 31 None Kaspersky - Kaspersky Research blog PseudoManuscrypt: a mass-scale spyware attack campaign 2021-12-16T10:00:19+00:00 https://securelist.com/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/105286/ www.secnews.physaphae.fr/article.php?IdArticle=3806117 False Malware APT 38,APT 28 None Security Affairs - Blog Secu North Korea-linked Lazarus APT targets the IT supply chain 2021-10-27T09:03:08+00:00 https://securityaffairs.co/wordpress/123831/apt/north-korea-lazarus-supply-chain.html?utm_source=rss&utm_medium=rss&utm_campaign=north-korea-lazarus-supply-chain www.secnews.physaphae.fr/article.php?IdArticle=3571716 False Malware APT 38,APT 28 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Latest Report Uncovers Supply Chain Attacks by North Korean Hackers ]]> 2021-10-27T00:14:47+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/nYK8fTcVuRM/latest-report-uncovers-supply-chain.html www.secnews.physaphae.fr/article.php?IdArticle=3571547 False Malware,Threat,Medical APT 38,APT 28 None Anomali - Firm Blog Anomali Cyber Watch: Aerospace and Telecoms Targeted by Iranian MalKamak Group, Cozy Bear Refocuses on Cyberespionage, Wicked Panda is Traced by Malleable C2 Profiles, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Russian Cyberattacks Pose Greater Risk to Governments and Other Insights from Our Annual Report (published: October 7, 2021) Approximately 58% of all nation-state attacks observed by Microsoft between July 2020 and June 2021 have been attributed to the Russian-sponsored threat groups, specifically to Cozy Bear (APT29, Nobelium) associated with the Russian Foreign Intelligence Service (SVR). The United States, Ukraine, and the UK were the top three targeted by them. Russian Advanced Persistent Threat (APT) actors increased their effectiveness from a 21% successful compromise rate to a 32% rate comparing year to year. They achieve it by starting an attack with supply-chain compromise, utilizing effective tools such as web shells, and increasing their skills with the cloud environment targeting. Russian APTs are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53% – largely agencies involved in foreign policy, national security, or defense. Following Russia by the number of APT cyberattacks were North Korea (23%), Iran (11%), and China (8%). Analyst Comment: As the collection of intrusions for potential disruption operations via critical infrastructure attacks became too risky for Russia, it refocused back to gaining access to and harvesting intelligence. The scale and growing effectiveness of the cyberespionage requires a defence-in-depth approach and tools such as Anomali Match that provide real-time forensics capability to identify potential breaches and known actor attributions. MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Brute Force - T1110 Tags: Fancy Bear, APT28, APT29, The Dukes, Strontium, Nobelium, Energetic Bear, Cozy Bear, Government, APT, Russia, SVR, China, North Korea, USA, UK, Ukraine, Iran Ransomware in the CIS (published: October 7, 2021) Many prominent ransomware groups have members located in Russia and the Commonwealth of Independent States (CIS) - and they avoid targeting this region. Still, businesses in the CIS are under the risk of being targeted by dozens of lesser-known ransomware groups. Researchers from Kaspersky Labs have published a report detailing nine business-oriented ransomware trojans that were most active in the CIS in the first half of 2021. These ransomware families are BigBobRoss (TheDMR), Cryakl (CryLock), CryptConsole, Crysis (Dharma), Fonix (XINOF), Limbozar (VoidCrypt), Phobos (Eking), Thanos (Hakbit), and XMRLocker. The oldest, Cryakl, has been around since April 2014, and the newest, XMRLocker, was first detected in August 2020. Most of them were mainly distributed via the cracking of Remote Deskto]]> 2021-10-12T17:41:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-aerospace-and-telecoms-targeted-by-iranian-malkamak-group-cozy-bear-refocuses-on-cyberespionage-wicked-panda-is-traced-by-malleable-c2-profiles-and-more www.secnews.physaphae.fr/article.php?IdArticle=3505382 False Ransomware,Malware,Tool,Threat,Guideline,Prediction APT 41,APT 41,APT 39,APT 29,APT 29,APT 28 None Anomali - Firm Blog Anomali Cyber Watch: China Blamed for Microsoft Exchange Attacks, Israeli Cyber Surveillance Companies Help Oppressive Governments, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence UK and Allies Accuse China for a Pervasive Pattern of Hacking, Breaching Microsoft Exchange Servers (published: July 19, 2021) On July 19th, 2021, the US, the UK, and other global allies jointly accused China in a pattern of aggressive malicious cyber activity. First, they confirmed that Chinese state-backed actors (previously identified under the group name Hafnium) were responsible for gaining access to computer networks around the world via Microsoft Exchange servers. The attacks took place in early 2021, affecting over a quarter of a million servers worldwide. Additionally, APT31 (Judgement Panda) and APT40 (Kryptonite Panda) were attributed to Chinese Ministry of State Security (MSS), The US Department of Justice (DoJ) has indicted four APT40 members, and the Cybersecurity and Infrastructure Security Agency (CISA) shared indicators of compromise of the historic APT40 activity. Analyst Comment: Network defense-in-depth and adherence to information security best practices can assist organizations in reducing the risk. Pay special attention to the patch and vulnerability management, protecting credentials, and continuing network hygiene and monitoring. When possible, enforce the principle of least privilege, use segmentation and strict access control measures for critical data. Organisations can use Anomali Match to perform real time forensic analysis for tracking such attacks. MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 Tags: Hafnium, Judgement Panda, APT31, TEMP.Jumper, APT40, Kryptonite Panda, Zirconium, Leviathan, TEMP.Periscope, Microsoft Exchange, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, Government, EU, UK, North America, China NSO’s Spyware Sold to Authoritarian Regimes Used to Target Activists, Politicians and Journalists (published: July 18, 2021) Israeli surveillance company NSO Group supposedly sells spyware to vetted governments bodies to fight crime and terrorism. New research discovered NSO’s tools being used against non-criminal actors, pro-democracy activists and journalists investigating corruption, political opponents and government critics, diplomats, etc. In some cases, the timeline of this surveillance coincided with journalists' arrests and even murders. The main penetration tool used by NSO is malware Pegasus that targets both iPho]]> 2021-07-20T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-china-blamed-for-microsoft-exchange-attacks-israeli-cyber-surveillance-companies-help-oppressive-governments-and-more www.secnews.physaphae.fr/article.php?IdArticle=3100256 False Ransomware,Malware,Tool,Vulnerability,Threat,Studies,Guideline,Industrial APT 41,APT 40,APT 28,APT 31 None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Lazarus campaign TTPs and evolution T1036.003). Background Since 2009, the known tools and capabilities believed to have been used by the Lazarus Group include DDoS botnets, keyloggers, remote access tools (RATs), and drive wiper malware. The most publicly documented malware and tools used by the group actors include Destover, Duuzer, and Hangman. Analysis Several documents identified from May to June 2021 by Twitter users were identified as being linked to the Lazarus group. Documents observed in previous campaigns lured victims with job opportunities for Boeing and BAE systems. These new documents include: Rheinmetall_job_requirements.doc: identified by ESET Research. General_motors_cars.doc: identified by Twitter user @1nternaut. Airbus_job_opportunity_confidential.doc: identified by 360CoreSec. The documents attempted to impersonate new defense contractors and engineering companies like Airbus, General Motors (GM), and Rheinmetall. All of these documents contain macro malware, which has been developed and improved during the course of this campaign and from one target to another. The core techniques for the three malicious documents are the same, but the attackers attempted to reduce the potential detections and increase the faculties of the macros. First iteration: Rheinmetall The first two documents from early May 2021 were related to a German Engineering company focused on the defense and automotive industries, Rheinmetall. The second malicious document appears to include more elaborate content, which may have resulted in the documents going unnoticed by victims. The Macro has base64 encoded files, which are extracted and decoded during execution. Some of the files are split inside the Macro and are not combined until the time of decoding. One of the most distinctive characteristics of this Macro is how it evades detections of a MZ header encoded in base64 (TVoA, TVpB, TVpQ, TVqA, TVqQ or TVro), by separating the first two characters from the rest of the content, as seen in Figure 1. MZ header conceal

Figure 1: Concealing of MZ header, as captured by Alien Labs. The rest of the content is kept together in lines of 64 characters, and because of this, YARA rules can be used to detect other, typical executable content encoded in base64 aside of the MZ header. In this case, up to nine different YARA rules alerted to suspicious encoded strings in our Alien Labs analysis, like VirtualProtect, GetProcAddress, IsDe]]> 2021-07-06T10:00:00+00:00 https://feeds.feedblitz.com/~/656720256/0/alienvault-blogs~Lazarus-campaign-TTPs-and-evolution www.secnews.physaphae.fr/article.php?IdArticle=3027251 False Malware,Threat,Guideline,Medical APT 38,APT 28 None Anomali - Firm Blog Anomali Cyber Watch: Klingon RAT Holding on for Dear Life, CVS Medical Records Breach, Black Kingdom Ransomware and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Andariel Evolves to Target South Korea with Ransomware (published: June 15, 2021) Researchers at securelist identified ransomware attacks from Andariel, a sub-group of Lazarus targeting South Korea. Attack victims included entities from manufacturing, home network service, media and construction sectors. These attacks involved malicious Microsoft Word documents containing a macro and used novel techniques to implant a multi-stage payload. The final payload was a ransomware custom made for this specific attack. Analyst Comment: Users should be wary of documents that request Macros to be enabled. All employees should be educated on the risk of opening attachments from unknown senders. Anti-spam and antivirus protections should be implemented and kept up-to-date with the latest version to better ensure security. MITRE ATT&CK: [MITRE ATT&CK] System Network Connections Discovery - T1049 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Lazarus group, Lazarus, Andariel, Hidden Cobra, tasklist, Manuscrypt, Banking And Finance, Malicious documents, Macros Matanbuchus: Malware-as-a-Service with Demonic Intentions (published: June 15, 2021) In February 2021, BelialDemon advertised a new malware-as-a-service (MaaS) called Matanbuchus Loader and charged an initial rental price of $2,500. Malware loaders are malicious software that typically drop or pull down second-stage malware from command and control (C2) infrastructures. Analyst Comment: Malware as a Service (MaaS) is a relatively new development, which opens the doors of crime to anyone with the money to pay for access. A criminal organization that wants to carry out a malware attack on a target no longer requires in-house technical expertise or infrastructure. Such attacks in most cases share tactics, techniques, and even IOCs. This highlights the importance of intelligence sharing for proactive protection. MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016 Tags: BelialDemon, Matanbuchus, Belial, WildFire, EU, North America Black Kingdom ransomware (published: June 17]]> 2021-06-22T18:18:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-klingon-rat-holding-on-for-dear-life-cvs-medical-records-breach-black-kingdom-ransomware-and-more www.secnews.physaphae.fr/article.php?IdArticle=2966761 False Ransomware,Data Breach,Malware,Vulnerability,Threat,Medical APT 38,APT 28 None Anomali - Firm Blog Anomali Cyber Watch: TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations, Necro Python Bots Adds New Tricks, US Seizes Domains Used by APT29 and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations (published: June 4, 2021) Researchers at Palo Alto have identified a malware repo belonging to TeamTNT, the prominent cloud focused threat group. The repo shows the expansion of TeamTNTs abilities, and includes scripts for scraping SSH keys, AWS IAM credentials and searching for config files that contain credentials. In addition to AWS credentials, TeamTNT are now also searching for Google Cloud credentials, which is the first instance of the group expanding to GCP. Analyst Comment: Any internal only cloud assets & SSH/Privileged access for customer facing cloud infrastructure should only be accessible via company VPN. This ensures attackers don’t get any admin access from over the internet even if keys or credentials are compromised. Customers should monitor compromised credentials in public leaks & reset the passwords immediately for those accounts. MITRE ATT&CK: [MITRE ATT&CK] Permission Groups Discovery - T1069 Tags: AWS, Cloud, Credential Harvesting, cryptojacking, Google Cloud, IAM, scraping, TeamTnT, Black-T, Peirates Necro Python Bots Adds New Tricks (published: June 3, 2021) Researchers at Talos have identified updated functionality in the Necro Python bot. The core functionality is the same with a focus on Monero mining, however exploits to the latest vulnerabilities have been added. The main payloads are XMRig, traffic sniffing and DDoS attacks. Targeting small and home office routers, the bot uses python to support multiple platforms. Analyst Comment: Users should ensure they always apply the latest patches as the bot is looking to exploit unpatched vulnerabilities. Users need to change default passwords for home routers to ensure potential malware on your personal devices don’t spread to your corporate devices through router takeover. MITRE ATT&CK: [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Remote Access Tools - T1219 Tags: Bot, botnet, Exploit, Monero, Necro Python, Python, Vulnerabilities, XMRig New SkinnyBoy Ma]]> 2021-06-08T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-teamtnt-actively-enumerating-cloud-environments-to-infiltrate-organizations-necro-python-bots-adds-new-tricks-us-seizes-domains-used-by-apt29-and-more www.secnews.physaphae.fr/article.php?IdArticle=2890622 False Ransomware,Malware,Vulnerability,Threat,Patching,Guideline APT 29,APT 28 None SecurityWeek - Security News Russian Hackers Use New \'SkinnyBoy\' Malware in Attacks on Military, Government Orgs 2021-06-07T10:36:39+00:00 http://feedproxy.google.com/~r/securityweek/~3/QqGxNMqto4A/russian-hackers-use-new-skinnyboy-malware-attacks-military-government-orgs www.secnews.physaphae.fr/article.php?IdArticle=2884670 False Malware,Threat APT 28 3.0000000000000000 Bleeping Computer - Magazine Américain New SkinnyBoy malware used by Russian hackers to breach sensitive orgs 2021-06-03T11:19:32+00:00 https://www.bleepingcomputer.com/news/security/new-skinnyboy-malware-used-by-russian-hackers-to-breach-sensitive-orgs/ www.secnews.physaphae.fr/article.php?IdArticle=2871844 False Malware APT 28 None Anomali - Firm Blog Anomali Cyber Watch: Attacks Against Israeli Targets, MacOS Zero-Days, Conti Ransomware Targeting US Healthcare and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New Sophisticated Email-based Attack From NOBELIUM (published: May 28, 2021) NOBELIUM, the threat actor behind SolarWinds attacks, has been conducting a widespread email campaign against more than 150 organizations. Using attached HTML files containing JavaScript, the email will write an ISO file to disk; this contains a Cobalt Strike beacon that will activate on completion. Once detonated, the attackers have persistent access to a victims’ system for additional objectives such as data harvesting/exfiltration, monitoring, and lateral movement. Analyst Comment: Be sure to update and monitor email filter rules constantly. As noted in the report, many organizations managed to block these malicious emails; however, some payloads successfully bypassed cloud security due to incorrect/poorly implemented filter rules. MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Spearphishing Attachment - T1193 Tags: Nobelium, SolarWinds, TearDrop, CVE-2021-1879, Government, Military Evolution of JSWorm Ransomware (published: May 25, 2021) JSWorm ransomware was discovered in 2019, and since then different variants have gained notoriety under different names such as Nemty, Nefilim, and Offwhite, among others. It has been used to target multiple industries with the largest concentration in engineering, and others including finance, healthcare, and energy. While the underlying code has been rewritten from C++ to Golang (and back again), along with revolving distribution methods, JSWorm remains a consistent threat. Analyst Comment: Ransomware threats often affect organisations in two ways. First encrypting operational critical documents and data. In these cases EDR solutions will help to block potential Ransomwares and data backup solutions will help for restoring files in case an attack is successful. Secondly, sensitive customer and business files are exfiltrated and leaked online by ransomware gangs. DLP solutions will help to identify and block potential data exfiltration attempts. Whereas network segregation and encryption of critical data will play an important role in reducing the risk. MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Private Keys - T1145 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] BITS Jobs - T1197]]> 2021-06-02T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-attacks-against-israeli-targets-macos-zero-days-conti-ransomware-targeting-us-healthcare-and-more www.secnews.physaphae.fr/article.php?IdArticle=2868449 False Ransomware,Malware,Threat,Medical Solardwinds,APT 38,APT 28 None Anomali - Firm Blog Anomali Cyber Watch: HabitsRAT Targeting Linux and Windows Servers, Lazarus Group Targetting South Korean Orgs, Multiple Zero-Days and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Zero-day Vulnerabilities in SonicWall Email Security Actively Exploited (published: April 21, 2021) US cybersecurity company SonicWall said fixes have been published to resolve three critical issues in its email security solution that are being actively exploited in the wild. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above. Analyst Comment: The patches for these vulnerabilities have been issued and should be applied as soon as possible to avoid potential malicious behaviour. SonicWall’s security notice can be found here https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/. It is important that your company has patch-maintenance policies in place. Once a vulnerability has been publicly reported,, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity. MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083 Tags: CVE-2021-20021, CVE-2021-20023, CVE-2021-20022 Massive Qlocker Ransomware Attack Uses 7zip to Encrypt QNAP Devices (published: April 21, 2021) The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021. All victims are told to pay 0.01 Bitcoins, which is approximately $557.74, to get a password for their archived files. While the files are being locked, the Resource Monitor will display numerous '7z' processes which are the 7zip command-line executable. Analyst Comment: Attackers are using legitimate tools like 7zip to evade detections by traditional antiviruses. EDR solutions can help tracking suspicious command line arguments and process creations to potentially detect such attacks. Customers should use backup solutions to be able recover encrypted files. MITRE ATT&CK: [MITRE ATT&CK] Credentials in Files - T1081 Tags: Tor, Qlocker, CVE-2020-2509, CVE-2020-36195 Novel Email-Based Campaign Targets Bloomberg Clients with RATs (published: April 21, 2021) A new e-mail-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg's industry-based services. Attacks start in the form of targeted emails to c]]> 2021-04-27T17:24:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-habitsrat-targeting-linux-and-windows-servers-lazarus-group-targetting-south-korean-orgs-multiple-zero-days-and-more www.secnews.physaphae.fr/article.php?IdArticle=2704270 False Ransomware,Malware,Tool,Vulnerability,Threat,Medical Wannacry,Wannacry,APT 38,APT 28 None Bleeping Computer - Magazine Américain North Korean hackers use new Vyveva malware to attack freighters 2021-04-08T09:01:17+00:00 https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-new-vyveva-malware-to-attack-freighters/ www.secnews.physaphae.fr/article.php?IdArticle=2604686 False Malware APT 38,APT 28 None Anomali - Firm Blog Anomali Cyber Watch: APT, Malware, Vulnerabilities and More. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Bogus Android Clubhouse App Drops Credential-Swiping Malware (published: March 19, 2021) Researchers are warning of a fake version of the popular audio chat app Clubhouse, which delivers malware that steals login credentials for more than 450 apps. Clubhouse has burst on the social media scene over the past few months, gaining hype through its audio-chat rooms where participants can discuss anything from politics to relationships. Despite being invite-only, and only being around for a year, the app is closing in on 13 million downloads. The app is only available on Apple's App Store mobile application marketplace - though plans are in the works to develop one. Analyst Comment: Use only the official stores to download apps to your devices. Be wary of what kinds of permissions you grant to applications. Before downloading an app, do some research. MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 Tags: LokiBot, BlackRock, Banking, Android, Clubhouse Trojanized Xcode Project Slips XcodeSpy Malware to Apple Developers (published: March 18, 2021) Researchers from cybersecurity firm SentinelOne have discovered a malicious version of the legitimate iOS TabBarInteraction Xcode project being distributed in a supply-chain attack. The malware, dubbed XcodeSpy, targets Xcode, an integrated development environment (IDE) used in macOS for developing Apple software and applications. The malicious project is a ripped version of TabBarInteraction, a legitimate project that has not been compromised. Malicious Xcode projects are being used to hijack developer systems and spread custom EggShell backdoors. Analyst Comment: Researchers attribute this new targeting of Apple developers to North Korea and Lazarus group: similar TTPs of compromising developer supply chain were discovered in January 2021 when North Korean APT was using a malicious Visual Studio project. Moreover, one of the victims of XcodeSpy is a Japanese organization regularly targeted by North Korea. A behavioral detection solution is required to fully detect the presence of XcodeSpy payloads. MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Security Software Discovery - T1063 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 Tags: Lazarus, XcodeSpy, North Korea, EggShell, Xcode, Apple Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware (published: March 18, 2021) Cybereason detected a new campaig]]> 2021-03-23T14:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt-malware-vulnerabilities-and-more www.secnews.physaphae.fr/article.php?IdArticle=2522336 False Ransomware,Malware,Tool,Threat,Patching,Medical APT 38,APT 28 None Anomali - Firm Blog Anomali Cyber Watch: APT Groups, Cobalt Strike, Russia, Malware, and More get signed up today so you can receive curated and summarized cybersecurity intelligence events weekly. The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Emotet, Go, Masslogger, Mustang Panda, OilRig, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact (published: February 26, 2021) Recent reporting indicates that two prolific cybercrime threat groups, CARBON SPIDER and SPRITE SPIDER, have begun targeting ESXi, a hypervisor developed by VMWare to run and manage virtual machines. SPRITE SPIDER uses PyXie's LaZagne module to recover vCenter credentials stored in web browsers and runs Mimikatz to steal credentials from host memory. After authenticating to vCenter, SPRITE SPIDER enables ssh to permit persistent access to ESXi devices. In some cases, they also change the root account password or the host’s ssh keys. Before deploying Defray 777, SPRITE SPIDER’s ransomware of choice, they terminate running VMs to allow the ransomware to encrypt files associated with those VMs. CARBON SPIDER has traditionally targeted companies operating POS devices, with initial access being gained using low-volume phishing campaigns against this sector. But throughout 2020 they were observed shifting focus to “Big Game Hunting” with the introduction of the Darkside Ransomware. CARBON SPIDER gains access to ESXi servers using valid credentials and reportedly also logs in over ssh using the Plink utility to drop the Darkside Recommendation: Both CARBON SPIDER and SPRITE SPIDER likely intend to use ransomware targeting ESXi to inflict greater harm – and hopefully realize larger profits – than traditional ransomware operations against Windows systems. Should these campaigns continue and prove to be profitable, we would expect more threat actors to imitate these activities. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Scheduled Transfer - T1029 | ]]> 2021-03-02T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt-groups-cobalt-strike-russia-malware-and-more www.secnews.physaphae.fr/article.php?IdArticle=2422682 False Ransomware,Malware,Threat Wannacry,Wannacry,APT 29,APT 28,APT 31,APT 34 None Kaspersky - Kaspersky Research blog Lazarus targets defense industry with ThreatNeedle 2021-02-25T10:00:53+00:00 https://securelist.com/lazarus-threatneedle/100803/ www.secnews.physaphae.fr/article.php?IdArticle=2397206 False Malware APT 38,APT 28 None Security Affairs - Blog Secu North Korea-linked Lazarus APT targets the COVID-19 research 2020-12-25T18:45:15+00:00 https://securityaffairs.co/wordpress/112621/apt/lazarus-apt-targets-covid-19.html?utm_source=rss&utm_medium=rss&utm_campaign=lazarus-apt-targets-covid-19 www.secnews.physaphae.fr/article.php?IdArticle=2127161 True Malware APT 38,APT 28 None Security Affairs - Blog Secu Russia-linked APT28 uses COVID-19 lures to deliver Zebrocy malware 2020-12-10T12:14:06+00:00 https://securityaffairs.co/wordpress/112137/apt/apt28-covid-19-zebrocy.html?utm_source=rss&utm_medium=rss&utm_campaign=apt28-covid-19-zebrocy www.secnews.physaphae.fr/article.php?IdArticle=2089000 False Malware APT 28 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Russian APT28 Hackers Using COVID-19 as Bait to Deliver Zebrocy Malware ]]> 2020-12-09T07:11:49+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/m3ppxlyl_Xk/russian-apt28-hackers-using-covid-19-as.html www.secnews.physaphae.fr/article.php?IdArticle=2087286 False Malware,Threat APT 28 None Anomali - Firm Blog Weekly Threat Briefing: APT Group, Malware, Ransomware, and Vulnerabilities Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence China’s ‘Hybrid War’: Beijing’s Mass Surveillance of Australia and the World for Secrets and Scandal (published: September 14, 2020) A database containing 2.4 million people has been leaked from a Shenzhen company, Zhenhua Data, believed to have ties to the Chinese intelligence service. The database contains personal information on over 35,000 Australians and prominent figures, and 52,000 Americans. This includes addresses, bank information, birth dates, criminal records, job applications, psychological profiles, and social media. Politicians, lawyers, journalists, military officers, media figures, and Natalie Imbruglia are among the records of Australians contained in the database. While a lot of the information is public, there is also non-public information contributing to claims that China is developing a mass surveillance system. Recommendation: Users should always remain vigilant about the information they are putting out into the public, and avoid posting personal or sensitive information online. Tags: China, spying US Criminal Court Hit by Conti Ransomware; Critical Data at Risk (published: September 11, 2020) The Fourth District Court of Louisiana, part of the US criminal court system, appears to have become the latest victim of the Conti ransomware. The court's website was attacked and used to steal numerous court documents related to defendants, jurors, and witnesses, and then install the Conti ransomware. Evidence of the data theft was posted to the dark web. Analysis of the malware by Emsisoft’s threat analyst, Brett Callow, indicates that the ransomware deployed in the attack was Conti, which has code similarity to another ransomware strain, Ryuk. The Conti group, believed to be behind this ransomware as a service, is sophisticated and due to the fact that they receive a large portion of the ransoms paid, they are motivated to avoid detections and continue to develop advanced attacking tools. This attack also used the Trickbot malware in its exploit chain, similar to that used by Ryuk campaigns. Recommendation: Defense in Depth, including vulnerability remediation and scanning, monitoring, endpoint protection, backups, etc. is key to thwarting increasingly sophisticated attacks. Ransomware attacks are particularly attractive to attackers due to the fact that each successful ransomware attack allows for multiple streams of income. The attackers can not only extort a ransom to decrypt the victim's files (especially in cases where the victim finds they do not have appropriate disaster recovery plans), but they can also monetize the exfiltrated data directly and/or use the data to aid in future attacks. This technique is increasingly used in supply chain compromises to build difficult to detect spearphishing attacks. Tags: conti, ryuk, ransomware ]]> 2020-09-15T15:00:00+00:00 https://www.anomali.com/blog/weekly-threat-briefing-apt-group-malware-ransomware-and-vulnerabilities www.secnews.physaphae.fr/article.php?IdArticle=2103282 False Ransomware,Malware,Tool,Vulnerability,Threat,Conference APT 35,APT 28,APT 31 3.0000000000000000 Anomali - Firm Blog Weekly Threat Briefing: Skimmer, Ransomware, APT Group, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence ‘Baka’ Javascript Skimmer Identified (published: September 6, 2020) Visa have issued a security alert based on identification of a new skimmer, named “Baka”. Based on analysis by Visa Payment Fraud Disruption, the skimmer appears to be more advanced, loading dynamically and using an XOR cipher for obfuscation. The attacks behind Baka are injecting it into checkout pages using a script tag, with the skimming code downloading from the Command and Control (C2) server and executing in memory to steal customer data. Recommendation: eCommerce site owners must take every step necessary to secure their data and safeguard their payment card information. Visa has also released best practices in the security advisory. Tags: Baka, Javascript, Skimmer Netwalker Ransomware Hits Argentinian Government, Demands $4 Million (published: September 6, 2020) The Argentinian immigration agency, Dirección Nacional de Migaciones suffered a ransomware attack that shut down border crossings. After receiving many tech support calls, the computer networks were shut down to prevent further spread of the ransomware, which led to a cecission in border crossings until systems were up again. The ransomware used in this attack is Netwalker ransomware, that left a ransom note demanding initalling $2 million, however when this wasn’t paid in the first week, the ransom increased to $4 million. Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions (HIDS). Always keep your important files backed up following the 3-2-1 rule: have at least 3 different copies, on 2 different mediums, with 1 off-site. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Argentina, Government, Netwalker, Ransomware No Rest for the Wicked: Evilnum Unleashes PyVil RAT (published: September 3, 2020) Researchers on the Cybereason Nocturnus team have published their research tracking the threat actor group known as Evilnum, and an ongoing change in their tooling and attack procedures. This includes a new Remote Access Trojan (RAT), written in python that they have begun to use. The actor group attacks targets in the financial services sector using highly targeted spearphishing. The phishing lures leverage "Know Your Customer" (KY]]> 2020-09-09T16:24:00+00:00 https://www.anomali.com/blog/weekly-threat-briefing-skimmer-ransomware-apt-group-and-more www.secnews.physaphae.fr/article.php?IdArticle=2103283 False Ransomware,Malware,Tool,Vulnerability,Threat,Medical APT 38,APT 28 4.0000000000000000 Global Security Mag - Site de news francais APT28 : malware découvert par NSA/FBI - commentaire McAfee Malwares ]]> 2020-08-14T08:19:05+00:00 http://www.globalsecuritymag.fr/APT28-malware-decouvert-par-NSA,20200814,101790.html www.secnews.physaphae.fr/article.php?IdArticle=1859294 False Malware APT 28 None McAfee Labs - Editeur Logiciel On Drovorub: Linux Kernel Security Best Practices Intro In a U.S. government cyber security advisory released today, the National Security Agency and Federal Bureau of Investigation warn of a previously undisclosed piece of Linux rootkit malware called Drovorub and attribute the threat to malicious actor APT28. The report is incredibly detailed and proposes several complementary detection techniques to effectively identify Drovorub malware […] ]]> 2020-08-13T18:19:06+00:00 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/on-drovorub-linux-kernel-security-best-practices/ www.secnews.physaphae.fr/article.php?IdArticle=2031369 False Malware,Threat APT 28 None Security Affairs - Blog Secu FBI and NSA joint report details APT28\'s Linux malware Drovorub 2020-08-13T18:07:18+00:00 https://securityaffairs.co/wordpress/107112/malware/apt28-drovorub-linux-malware.html?utm_source=rss&utm_medium=rss&utm_campaign=apt28-drovorub-linux-malware www.secnews.physaphae.fr/article.php?IdArticle=1857930 False Malware APT 28 None Dark Reading - Informationweek Branch NSA & FBI Disclose New Russian Cyberespionage Malware 2020-08-13T13:25:00+00:00 https://www.darkreading.com/vulnerabilities---threats/nsa-and-fbi-disclose-new-russian-cyberespionage-malware/d/d-id/1338662?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple www.secnews.physaphae.fr/article.php?IdArticle=1857859 False Malware APT 28 None ZD Net - Magazine Info Political targets at risk as Fancy Bear returns with refreshed backdoor malware 2019-09-24T09:34:10+00:00 https://www.zdnet.com/article/political-targets-at-risk-as-fancy-bear-returns-with-refreshed-backdoor-malware/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=1357979 False Malware,Threat APT 28 None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Can you trust threat intelligence from threat sharing communities? | AT&T ThreatTraq subscribe to the Youtube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Jaime Blasco, VP and Chief Scientist, AlienVault, Stan Nurilov, Lead Member of Technical Staff, AT&T, and Joe Harten, Director Technical Security. Stan: Jaime. I think you have a very interesting topic today about threat intelligence. Jaime: Yes, we want to talk about how threat intelligence is critical for threat detection and incident response, but then when this threat intelligence and the threat actors try to match those indicators and that information that is being shared, it can actually be bad for companies. So we are going to share some of the experiences we have had with managing the Open Threat Exchange (OTX) - one of the biggest threat sharing communities out there. Stan: Jaime mentioned that they have so many threat indicators and so much threat intelligence as part of OTX, the platform. Jaime: We know attackers monitor these platforms and are adjusting tactics and techniques and probably the infrastructure based on public reaction to cyber security companies sharing their activities in blog posts and other reporting. An example is in September 2017, we saw APT28, and it became harder to track because we were using some of the infrastructure and some of the techniques that were publicly known. And another cyber security company published content about that and then APT28 became much more difficult to track. The other example is APT1. If you remember the APT1 report in 2013 that Mandiant published, that made the group basically disappear from the face of earth, right? We didn't see them for a while and then they changed the infrastructure and they changed a lot of the tools that they were using, and then they came back in 2014. So we can see that that threat actor disappeared for a while, changed and rebuilt, and then they came back. We also know that attackers can try to publish false information in this platform, so that's why it's important that not only those platforms are automated, but also there are human analysts that can verify that information. Joe: It seems like you have to have a process of validating the intelligence, right? I think part of it is you don't want to take this intelligence at face value without having some expertise of your own that asks, is this valid? Is this a false positive? Is this planted by the adversary in order to throw off the scent? I think it's one of those things where you can't automatically trust - threat intelligence. You have to do some of your own diligence to validate the intelligence, make sure it makes sense, make sure it's still fresh, it's still good. This is something we're working on internally - creating those other layers to validate and create better value of our threat intelligence. Jaime: The other issue I wanted to bring to the table is what we call false flag operations - that's when an adversary or a threat actor studies another threat actor and tries to emulate their behavior. So when companies try to do at]]> 2019-07-25T13:00:00+00:00 https://feeds.feedblitz.com/~/604869576/0/alienvault-blogs~Can-you-trust-threat-intelligence-from-threat-sharing-communities-ATampT-ThreatTraq www.secnews.physaphae.fr/article.php?IdArticle=1222817 False Malware,Threat,Studies,Guideline APT 38,APT 28,APT 1 None InformationSecurityBuzzNews - Site de News Securite US Cyber Command Starts Uploading Foreign APT Malware To Virus Total US Cyber Command Starts Uploading Foreign APT Malware To Virus Total]]> 2018-11-09T15:30:00+00:00 https://www.informationsecuritybuzz.com/expert-comments/us-cyber-command/ www.secnews.physaphae.fr/article.php?IdArticle=888736 False Malware,Threat APT 28 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Cybersecurity Researchers Spotted First-Ever UEFI Rootkit in the Wild

]]> 2018-09-27T10:40:03+00:00 https://thehackernews.com/2018/09/uefi-rootkit-malware.html www.secnews.physaphae.fr/article.php?IdArticle=825841 False Malware APT 28 5.0000000000000000 We Live Security - Editeur Logiciel Antivirus ESET LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group ESET researchers have shown that the Sednit operators used different components of the LoJax malware to target a few government organizations in the Balkans as well as in Central and Eastern Europe ]]> 2018-09-27T09:57:03+00:00 https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/ www.secnews.physaphae.fr/article.php?IdArticle=825881 False Malware APT 28 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) VPNFilter Router Malware Adds 7 New Network Exploitation Modules

]]> 2018-09-27T03:30:00+00:00 https://thehackernews.com/2018/09/vpnfilter-router-hacking.html www.secnews.physaphae.fr/article.php?IdArticle=825842 False Malware VPNFilter,APT 28 5.0000000000000000 Mandiant - Blog Sécu de Mandiant Introduction aux applications de cacao en ingénierie inverse Introduction to Reverse Engineering Cocoa Applications application de cacao de trojan qui envoie des informations systèmey compris les données de trousseau à l'attaquant, un version macOS d'APT28\'s xagent malware , et un new-trojan ransomware . Dans ce blog, l'équipe Flare souhaite introduire deux petits outils qui peuvent aider à la tâche des applications de cacao en ingénierie inverse pour MacOS.Afin de

While not as common as Windows malware, there has been a steady stream of malware discovered over the years that runs on the OS X operating system, now rebranded as macOS. February saw three particularly interesting publications on the topic of macOS malware: a Trojan Cocoa application that sends system information including keychain data back to the attacker, a macOS version of APT28\'s Xagent malware, and a new Trojan ransomware. In this blog, the FLARE team would like to introduce two small tools that can aid in the task of reverse engineering Cocoa applications for macOS. In order to]]> 2017-03-08T17:15:00+00:00 https://www.mandiant.com/resources/blog/introduction-to-reve www.secnews.physaphae.fr/article.php?IdArticle=8377788 False Malware,Tool APT 28 4.0000000000000000 Mandiant - Blog Sécu de Mandiant Malware APT28: une fenêtre sur les opérations de cyber-espionnage de la Russie? APT28 Malware: A Window into Russia\\'s Cyber Espionage Operations? mandiant href = "https://www.mandiant.com/resources/mandiant-expose-apt1-chinas-cyber-espionage-units" cible = "_ Blank"> Rapport APT1, en Chine.Aujourd'hui, nous publions un nouveau rapport: apt28:Une fenêtre sur les opérations de cyber-espionnage de la Russie? Ce rapport se concentre sur un groupe de menaces que nous avons désigné comme APT28.Alors que les logiciels malveillants d'APT28 \\ sont assez connus dans la communauté de la cybersécurité, notre rapport détaille des informations supplémentaires exposant des opérations en cours et ciblées qui, selon nous, indiquent un sponsor gouvernemental basé à Moscou. dans

The role of nation-state actors in cyber attacks was perhaps most widely revealed in February 2013 when Mandiant released the APT1 report, which detailed a professional cyber espionage group based in China. Today we release a new report: APT28: A Window Into Russia\'s Cyber Espionage Operations? This report focuses on a threat group that we have designated as APT28. While APT28\'s malware is fairly well known in the cybersecurity community, our report details additional information exposing ongoing, focused operations that we believe indicate a government sponsor based in Moscow. In]]> 2014-10-27T03:00:42+00:00 https://www.mandiant.com/resources/blog/apt28-a-window-into-russias-cyber-espionage-operations www.secnews.physaphae.fr/article.php?IdArticle=8377813 False Malware,Threat APT 28,APT 28,APT 1 4.0000000000000000