www.secnews.physaphae.fr

www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2025-05-11T02:00:14+00:00 www.secnews.physaphae.fr Mandiant - Blog Sécu de Mandiant Bonjour 0 jours, mon vieil ami: une analyse d'exploitation du 2024 zéro-jour Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis Résumé exécutif GoogleThreat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). We divided the reviewed vulnerabilities into two main categories: end-user platforms and products (e.g., mobile devices, operating systems, and browsers) and enterprise-focused technologies, such as security software and appliances. Vendors continue to drive improvements that make some zero-day exploitation harder, demonstrated by both dwindling numbers across multiple categories and reduced observed attacks against previously popular targets. At the same time, commercial surveillance vendors (CSVs) appear to be increasing their operational security practices, potentially leading to decreased attribution and detection. We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies. While the historic focus on the exploitation of popular end-user technologies and their users continues, the shift toward increased targeting of enterprise-focused products will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day exploitation attempts. Scope This report describes what Google Threat Intelligence Group (GTIG) knows about zero-day exploitation in 2024. We discuss how targeted vendors and exploited products drive trends that reflect threat actor goals and shifting exploitation approaches, and then closely examine several examples of zero-day exploitation from 2024 that demonstrate how actors use both historic and novel techniques to exploit vulnerabilities in targeted products. The following content leverages original research conducted by GTIG, combined with breach investigation findings and reporting from reliable open sources, though we cannot independently confirm the reports of every source. Research in this space is dynamic and the numbers may adjust due to the ongoing discovery of past incidents through digital forensic investigations. The numbers presented here reflect our best understanding of current data. GTIG defines a zero-day as a vulnerability that was maliciously exploited in the wild before a patch was made publicly available. GTIG acknowledges that the trends observed and discussed in this report are based on detected and disclosed zero-days. Our analysis represents exploitation tracked by GTIG but may not reflect all zero-day exploitation. aside_block Key Takeaways Zero-day exploitation continues to grow gradually. The 75 zero-day vulnerabilities exploited in 2024 follow a pattern that has emerged ]]> 2025-04-29T05:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/2024-zero-day-trends/ www.secnews.physaphae.fr/article.php?IdArticle=8669387 False Malware,Tool,Vulnerability,Threat,Patching,Mobile,Prediction,Cloud,Commercial APT 37 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Lazarus frappe 6 entreprises sud-coréennes via Cross Ex, Innix Zero-Day et ThreatNeedle malware Lazarus Hits 6 South Korean Firms via Cross EX, Innorix Zero-Day and ThreatNeedle Malware At least six organizations in South Korea have been targeted by the prolific North Korea-linked Lazarus Group as part of a campaign dubbed Operation SyncHole. The activity targeted South Korea\'s software, IT, financial, semiconductor manufacturing, and telecommunications industries, according to a report from Kaspersky published today. The earliest evidence of compromise was first detected in]]> 2025-04-24T19:41:00+00:00 https://thehackernews.com/2025/04/lazarus-hits-6-south-korean-firms-via.html www.secnews.physaphae.fr/article.php?IdArticle=8667217 False Malware,Vulnerability,Threat APT 38 3.0000000000000000 GB Hacker - Blog de reverseur Lazarus APT cible les organisations en exploitant des vulnérabilités d'une journée Lazarus APT Targets Organizations by Exploiting One-Day Vulnerabilities Une récente campagne de cyber-espionnage par le célèbre groupe de menaces persistantes (APT) de Lazarus avancée (APT), suivie comme «Opération Synchole», a compromis au moins six organisations sud-coréennes à travers les logiciels, l'informatique, le financier, les semi-conducteurs et les secteurs de télécommunications depuis novembre 2024. […]

>A recent cyber espionage campaign by the notorious Lazarus Advanced Persistent Threat (APT) group, tracked as “Operation SyncHole,” has compromised at least six South Korean organizations across software, IT, financial, semiconductor, and telecommunications sectors since November 2024. According to detailed research, the attackers employed a combination of watering hole attacks and exploited vulnerabilities in widely […] ]]> 2025-04-24T17:07:50+00:00 https://gbhackers.com/lazarus-apt-targets-organizations/ www.secnews.physaphae.fr/article.php?IdArticle=8667290 False Vulnerability,Threat APT 38 3.0000000000000000 Kaspersky - Kaspersky Research blog Opération Synchole: Lazarus APT remonte au puits Operation SyncHole: Lazarus APT goes back to the well Kaspersky GReAT experts uncovered a new campaign by Lazarus APT that exploits vulnerabilities in South Korean software products and uses a watering hole approach.]]> 2025-04-24T05:00:04+00:00 https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/ www.secnews.physaphae.fr/article.php?IdArticle=8666967 False Vulnerability APT 38 3.0000000000000000 Mandiant - Blog Sécu de Mandiant Cybercrime: A Multifaceted National Security Threat 2025-02-11T20:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cybercrime-multifaceted-national-security-threat/ www.secnews.physaphae.fr/article.php?IdArticle=8648141 False Ransomware,Malware,Tool,Vulnerability,Threat,Legislation,Medical,Cloud,Technical APT 41,APT 38,APT 29,APT 43,APT 44 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 30 December 2024 ## Snapshot Last week\'s OSINT reporting highlights the persistence and evolution of cyber threats targeting a wide range of sectors, from cryptocurrency exchanges to aerospace and defense industries. The predominant attack vectors include phishing, exploitation of long-standing vulnerabilities, and the use of advanced malware like StealBit, OtterCookie, and VBCloud. Threat actors such as North Korea\'s Lazarus Group and TraderTraitor, as well as botnets like FICORA and CAPSAICIN, continue to refine their tactics, leveraging]]> 2024-12-30T12:02:43+00:00 https://community.riskiq.com/article/2ec56fef www.secnews.physaphae.fr/article.php?IdArticle=8631656 False Ransomware,Malware,Tool,Vulnerability,Threat,Cloud APT 38 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 18 November 2024 2024-11-18T12:22:31+00:00 https://community.riskiq.com/article/2560112c www.secnews.physaphae.fr/article.php?IdArticle=8613484 False Ransomware,Malware,Tool,Vulnerability,Threat,Prediction,Medical,Cloud,Technical APT 41,APT 38 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 11 novembre 2024 2024-11-11T12:45:44+00:00 https://community.riskiq.com/article/3b100c61 www.secnews.physaphae.fr/article.php?IdArticle=8609345 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Cloud APT 37 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires d'osint, 4 novembre 2024 Weekly OSINT Highlights, 4 November 2024 2024-11-04T12:25:16+00:00 https://community.riskiq.com/article/d6da7f0d www.secnews.physaphae.fr/article.php?IdArticle=8605948 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Prediction,Medical,Cloud,Technical APT 41,APT 28,APT 31,Guam 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Pacific Rim Timeline: Informations pour les défenseurs contre une tresse de campagnes d'attaque entrelacées Pacific Rim timeline: Information for defenders from a braid of interlocking attack campaigns 2024-10-31T20:29:50+00:00 https://community.riskiq.com/article/798c0fdb www.secnews.physaphae.fr/article.php?IdArticle=8604363 False Malware,Tool,Vulnerability,Threat,Legislation,Cloud APT 41,APT 31 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Rekoobe Backdoor découverte dans le répertoire ouvert, ciblant éventuellement les utilisateurs de TradingView Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users 2024-10-30T18:25:16+00:00 https://community.riskiq.com/article/3c757860 www.secnews.physaphae.fr/article.php?IdArticle=8603864 True Ransomware,Malware,Tool,Vulnerability,Threat APT 31 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 28 octobre 2024 Weekly OSINT Highlights, 28 October 2024 2024-10-28T11:27:40+00:00 https://community.riskiq.com/article/fa5a55d5 www.secnews.physaphae.fr/article.php?IdArticle=8602805 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Prediction,Medical,Cloud,Technical APT 38,Guam 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) The Crypto Game of Lazarus APT: Investors vs. Zero-days 2024-10-25T16:11:10+00:00 https://community.riskiq.com/article/e831e4ae www.secnews.physaphae.fr/article.php?IdArticle=8601740 False Ransomware,Malware,Tool,Vulnerability,Threat APT 38 2.0000000000000000 Global Security Mag - Site de news francais Le groupe APT Lazarus a exploité une vulnérabilité zero-day dans Chrome pour voler des crypto-monnaies Investigations]]> 2024-10-24T23:33:00+00:00 https://www.globalsecuritymag.fr/le-groupe-apt-lazarus-a-exploite-une-vulnerabilite-zero-day-dans-chrome-pour.html www.secnews.physaphae.fr/article.php?IdArticle=8602217 False Vulnerability,Threat APT 38 2.0000000000000000 HackRead - Chercher Cyber Le groupe Lazarus exploite Chrome 0-Day pour la crypto avec un faux jeu NFT Lazarus Group Exploits Chrome 0-Day for Crypto with Fake NFT Game North Korean hackers from Lazarus Group exploited a zero-day vulnerability in Google Chrome to target cryptocurrency investors with…]]> 2024-10-24T17:38:25+00:00 https://hackread.com/north-korean-hackers-crypto-deceptive-game-zero-day-exploit/ www.secnews.physaphae.fr/article.php?IdArticle=8601586 False Vulnerability,Threat APT 38 2.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Le groupe Lazarus exploite Google Chrome Flaw dans une nouvelle campagne Lazarus Group Exploits Google Chrome Flaw in New Campaign Lazarus Group exploited Google Chrome zero-day, infecting systems with Manuscrypt malware]]> 2024-10-24T16:00:00+00:00 https://www.infosecurity-magazine.com/news/lazarus-group-exploits-google/ www.secnews.physaphae.fr/article.php?IdArticle=8601571 False Malware,Vulnerability,Threat APT 38 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Le groupe Lazarus exploite Google Chrome Vulnérabilité à contrôler les appareils infectés Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome to seize control of infected devices. Cybersecurity vendor Kaspersky said it discovered a novel attack chain in May 2024 that targeted the personal computer of an unnamed Russian national with the Manuscrypt backdoor. This entails triggering the]]> 2024-10-24T15:23:00+00:00 https://thehackernews.com/2024/10/lazarus-group-exploits-google-chrome.html www.secnews.physaphae.fr/article.php?IdArticle=8601531 False Vulnerability,Threat APT 38 2.0000000000000000 SecurityWeek - Security News Les pirates nord-coréens ont exploité Chrome Zero-Day pour le vol de crypto-monnaie North Korean Hackers Exploited Chrome Zero-Day for Cryptocurrency Theft Le Lazarus APT a créé un site Web trompeur qui a exploité un chrome zéro-jour pour installer des logiciels malveillants et voler la crypto-monnaie.

>The Lazarus APT created a deceptive website that exploited a Chrome zero-day to install malware and steal cryptocurrency. ]]> 2024-10-24T13:02:10+00:00 https://www.securityweek.com/north-korean-hackers-exploited-chrome-zero-day-for-cryptocurrency-theft/ www.secnews.physaphae.fr/article.php?IdArticle=8601542 False Malware,Vulnerability,Threat APT 38 2.0000000000000000 Dark Reading - Informationweek Branch Le groupe Lazarus exploite Chrome Zero-Day dans la dernière campagne Lazarus Group Exploits Chrome Zero-Day in Latest Campaign The North Korean actor is going after cryptocurrency investors worldwide leveraging a genuine-looking game site and AI-generated content and images.]]> 2024-10-23T20:55:13+00:00 https://www.darkreading.com/cyberattacks-data-breaches/lazarus-group-exploits-chrome-zero-day-campaign www.secnews.physaphae.fr/article.php?IdArticle=8601480 False Vulnerability,Threat APT 38 2.0000000000000000 Kaspersky - Kaspersky Research blog Le jeu crypto de Lazarus APT: Investisseurs vs zéro-jours The Crypto Game of Lazarus APT: Investors vs. Zero-days Kaspersky GReAT experts break down the new campaign of Lazarus APT which uses social engineering and exploits a zero-day vulnerability in Google Chrome for financial gain.]]> 2024-10-23T11:00:48+00:00 https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/ www.secnews.physaphae.fr/article.php?IdArticle=8601458 False Vulnerability,Threat APT 38 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires OSINT, 21 octobre 2024 Weekly OSINT Highlights, 21 October 2024 2024-10-21T11:41:26+00:00 https://community.riskiq.com/article/02320e34 www.secnews.physaphae.fr/article.php?IdArticle=8600983 False Ransomware,Malware,Tool,Vulnerability,Threat,Cloud APT 38,APT 37,APT-C-17 2.0000000000000000 Dark Reading - Informationweek Branch DPRC utilise Microsoft Zero-Day dans des attaques de pain grillé sans clics DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks The "Code-on-Toast" supply chain cyberattacks by APT37 delivered data-stealing malware to users in South Korea who had enabled Toast pop-up ads.]]> 2024-10-21T01:00:00+00:00 https://www.darkreading.com/vulnerabilities-threats/dprk-microsoft-zero-day-no-click-toast-attacks www.secnews.physaphae.fr/article.php?IdArticle=8600761 False Malware,Vulnerability,Threat APT 37 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Malicious ads exploited Internet Explorer zero day to drop malware 2024-10-18T20:53:46+00:00 https://community.riskiq.com/article/d11b6766 www.secnews.physaphae.fr/article.php?IdArticle=8599904 False Malware,Vulnerability,Threat APT 37 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Scarcruft nord-coréen exploite Windows Zero-Day pour répandre le malware Rokrat North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware The North Korean threat actor known as ScarCruft has been linked to the zero-day exploitation of a now-patched security flaw in Windows to infect devices with malware known as RokRAT. The vulnerability in question is CVE-2024-38178 (CVSS score: 7.5), a memory corruption bug in the Scripting Engine that could result in remote code execution when using the Edge browser in Internet Explorer Mode.]]> 2024-10-16T16:20:00+00:00 https://thehackernews.com/2024/10/north-korean-scarcruft-exploits-windows.html www.secnews.physaphae.fr/article.php?IdArticle=8598696 False Malware,Vulnerability,Threat APT 37 2.0000000000000000 Bleeping Computer - Magazine Américain Les publicités malveillantes ont exploité Internet Explorer Zero Day pour laisser tomber les logiciels malveillants Malicious ads exploited Internet Explorer zero day to drop malware The North Korean hacking group ScarCruft launched a large-scale attack in May that leveraged an Internet Explorer zero-day flaw to infect targets with the RokRAT malware and exfiltrate data. [...]]]> 2024-10-16T09:59:12+00:00 https://www.bleepingcomputer.com/news/security/malicious-ads-exploited-internet-explorer-zero-day-to-drop-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8598745 False Malware,Vulnerability,Threat APT 37 2.0000000000000000 SecurityWeek - Security News Cyperspies iraniennes exploitant la vulnérabilité récente du noyau Windows Iranian Cyberspies Exploiting Recent Windows Kernel Vulnerability Le pétrole APT lié à l'Iran a intensifié les cyber-opérations contre les Émirats arabes unis et la région du Golfe plus large.

>The Iran-linked APT OilRig has intensified cyber operations against the United Arab Emirates and the broader Gulf region. ]]> 2024-10-14T11:20:49+00:00 https://www.securityweek.com/iranian-cyberspies-exploiting-recent-windows-kernel-vulnerability/ www.secnews.physaphae.fr/article.php?IdArticle=8597613 False Vulnerability APT 34 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) OilRig exploite Windows Flaw de noyau dans la campagne d'espionnage ciblant les EAU et le Golfe OilRig Exploits Windows Kernel Flaw in Espionage Campaign Targeting UAE and Gulf The Iranian threat actor known as OilRig has been observed exploiting a now-patched privilege escalation flaw impacting the Windows Kernel as part of a cyber espionage campaign targeting the U.A.E. and the broader Gulf region. "The group utilizes sophisticated tactics that include deploying a backdoor that leverages Microsoft Exchange servers for credentials theft, and exploiting vulnerabilities]]> 2024-10-13T15:10:00+00:00 https://thehackernews.com/2024/10/oilrig-exploits-windows-kernel-flaw-in.html www.secnews.physaphae.fr/article.php?IdArticle=8597073 False Vulnerability,Threat APT 34 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Earth Simnavaz (alias Apt34) prélève des cyberattaques avancées contre les régions des EAU et du Golfe Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against UAE and Gulf Regions #### Targeted Geolocations - United Arab Emirates ## Snapshot Researchers at Trend Micro have identif]]> 2024-10-11T21:41:42+00:00 https://community.riskiq.com/article/bc0f3dd1 www.secnews.physaphae.fr/article.php?IdArticle=8596273 False Malware,Tool,Vulnerability,Threat,Prediction APT 34 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires OSINT, 7 octobre 2024 Weekly OSINT Highlights, 7 October 2024 2024-10-07T16:54:11+00:00 https://community.riskiq.com/article/33015049 www.secnews.physaphae.fr/article.php?IdArticle=8593765 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Prediction,Cloud APT 37,APT 45 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Enveloppe # Sleep: une plongée profonde dans la campagne en cours de la Corée du Nord contre l'Asie du Sud-Est SHROUDED#SLEEP: A Deep Dive into North Korea\\'s Ongoing Campaign Against Southeast Asia 2024-10-03T20:13:46+00:00 https://community.riskiq.com/article/2e62a43c www.secnews.physaphae.fr/article.php?IdArticle=8591525 False Malware,Tool,Vulnerability,Threat,Cloud APT 37 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Zimbra RCE Vuln Under Attack Needs Immediate Patching 2024-10-02T20:01:11+00:00 https://community.riskiq.com/article/a558d6ba www.secnews.physaphae.fr/article.php?IdArticle=8590707 False Tool,Vulnerability,Threat,Patching APT 38 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires OSINT, 30 septembre 2024 Weekly OSINT Highlights, 30 September 2024 2024-09-30T13:21:55+00:00 https://community.riskiq.com/article/70e8b264 www.secnews.physaphae.fr/article.php?IdArticle=8588927 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching,Mobile ChatGPT,APT 36 2.0000000000000000 Mandiant - Blog Sécu de Mandiant UNC1860 et le temple de l'avoine: la main cachée d'Iran dans les réseaux du Moyen-Orient UNC1860 and the Temple of Oats: Iran\\'s Hidden Hand in Middle Eastern Networks Executive Summary UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran\'s Ministry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East. UNC1860\'s tradecraft and targeting parallels with Shrouded Snooper, Scarred Manticore, and Storm-0861, Iran-based threat actors publicly reported to have targeted the telecommunications and government sectors in the Middle East. These groups have also reportedly provided initial access for destructive and disruptive operations that targeted Israel in late October 2023 with BABYWIPER and Albania in 2022 using ROADSWEEP. Mandiant cannot independently corroborate that UNC1860 was involved in providing initial access for these operations. However, we identified specialized UNC1860 tooling including GUI-operated malware controllers, which are likely designed to facilitate hand-off operations, further supporting the initial access role played by UNC1860. UNC1860 additionally maintains an arsenal of utilities and collection of “main-stage” passive backdoors designed to gain strong footholds into victim networks and establish persistent, long-term access. Among these main-stage backdoors includes a Windows kernel mode driver repurposed from a legitimate Iranian anti-virus software filter driver, reflecting the group\'s reverse engineering capabilities of Windows kernel components and detection evasion capabilities. These capabilities demonstrate that UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations. As tensions continue to ebb and flow in the Middle East, we belie]]> 2024-09-19T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks/ www.secnews.physaphae.fr/article.php?IdArticle=8579617 False Malware,Tool,Vulnerability,Threat,Cloud,Technical APT 34 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 16 septembre 2024 Weekly OSINT Highlights, 16 September 2024 2024-09-16T11:20:34+00:00 https://community.riskiq.com/article/f4ae836f www.secnews.physaphae.fr/article.php?IdArticle=8577706 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching,Prediction,Cloud APT 34 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires OSINT, 9 septembre 2024 Weekly OSINT Highlights, 9 September 2024 2024-09-09T11:04:46+00:00 https://community.riskiq.com/article/563312a4 www.secnews.physaphae.fr/article.php?IdArticle=8573205 False Ransomware,Malware,Tool,Vulnerability,Threat,Prediction,Medical,Commercial APT 38,APT 29 2.0000000000000000 Mandiant - Blog Sécu de Mandiant ATTENTIONS DÉFÉRENCES - Examiner les cambriolages Web3 DeFied Expectations - Examining Web3 Heists Where money goes, crime follows. The rapid growth of Web3 has presented new opportunities for threat actors, especially in decentralized finance (DeFi), where the heists are larger and more numerous than anything seen in the traditional finance sector. Mandiant has a long history of investigating bank heists. In 2016, Mandiant investigated the world\'s largest bank heist that occurred at the Bank of Bangladesh and resulted in the theft of $81 million by North Korea\'s APT38. While the group\'s operations were quite innovative and made for an entertaining 10-episode podcast by the BBC, it pales in comparison to Web3 heists. In 2022, the largest DeFi heist occurred on Sky Mavis\' Ronin Blockchain, which resulted in the theft of over $600 million by North Korean threat actors. While North Korea is arguably the world\'s leading cyber criminal enterprise, they are not the only player. Since 2020, there have been hundreds of Web3 heists reported, which has resulted in over $12 billion in stolen digital assets

Source: Chainalysis 2024 Crypto Crime Report While social engineering, crypto drainers, rug pulls (scams), and ]]> 2024-09-03T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heists/ www.secnews.physaphae.fr/article.php?IdArticle=8569124 False Malware,Hack,Vulnerability,Threat,Cloud APT 38 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires OSINT, 2 septembre 2024 Weekly OSINT Highlights, 2 September 2024 2024-09-02T19:54:58+00:00 https://community.riskiq.com/article/161e114f www.secnews.physaphae.fr/article.php?IdArticle=8568711 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Medical,Cloud APT 41,APT 32 2.0000000000000000 Contagio - Site d infos ransomware 2022-2024 Corée du Nord Citrine Citrine Sleet / Lazarus Fudmodule (BYOVD) ROOTKIT Samples 2022-2024 North Korea Citrine Sleet /Lazarus FUDMODULE ( BYOVD ) Rootkit Samples ]]> 2024-09-02T16:43:39+00:00 https://contagiodump.blogspot.com/2024/09/2022-2024-north-korea-citrine-sleet.html www.secnews.physaphae.fr/article.php?IdArticle=8568712 False Vulnerability,Threat,Conference APT 38 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Sleet citrine exploitant le chrome zéro-jour Citrine Sleet exploiting Chromium zero-day 2024-08-29T19:44:20+00:00 https://community.riskiq.com/article/0ce29639 www.secnews.physaphae.fr/article.php?IdArticle=8567037 False Malware,Tool,Vulnerability,Threat APT 38 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Menace persistante avancée ciblant les défenseurs vietnamiens des droits de l'homme Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders 2024-08-29T18:15:40+00:00 https://community.riskiq.com/article/de978ca1 www.secnews.physaphae.fr/article.php?IdArticle=8566388 False Ransomware,Malware,Tool,Vulnerability,Threat APT 32 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Aimez-vous les beignets;Voici un Donut Shellcode livré via PowerShell / Python Do you Like Donuts; Here is a Donut Shellcode Delivered Through PowerShell/Python 2024-08-20T20:33:25+00:00 https://community.riskiq.com/article/e2fc2f8b www.secnews.physaphae.fr/article.php?IdArticle=8561044 False Vulnerability,Threat,Cloud APT 34 3.0000000000000000 SecurityWeek - Security News Attaque de Windows Zero-Day liée à la Corée du Nord Lazarus Apt Windows Zero-Day Attack Linked to North Korea\\'s Lazarus APT La vulnérabilité, suivie en CVE-2024-38193 et marquée comme \\ 'activement exploitée \' par Microsoft, permet des privilèges système sur les derniers systèmes d'exploitation Windows.

>The vulnerability, tracked as CVE-2024-38193 and marked as \'actively exploited\' by Microsoft, allows SYSTEM privileges on the latest Windows operating systems. ]]> 2024-08-19T15:35:53+00:00 https://www.securityweek.com/windows-zero-day-attack-linked-to-north-koreas-lazarus-apt/ www.secnews.physaphae.fr/article.php?IdArticle=8560350 False Vulnerability,Threat APT 38 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Microsoft Patches Flaw Zero-Day exploitée par le groupe de Lazarus de la Corée du Nord Microsoft Patches Zero-Day Flaw Exploited by North Korea\\'s Lazarus Group A newly patched security flaw in Microsoft Windows was exploited as a zero-day by Lazarus Group, a prolific state-sponsored actor affiliated with North Korea. The security vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), has been described as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock. "An attacker who successfully exploited this]]> 2024-08-19T12:35:00+00:00 https://thehackernews.com/2024/08/microsoft-patches-zero-day-flaw.html www.secnews.physaphae.fr/article.php?IdArticle=8560131 False Vulnerability,Threat APT 38 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 5 août 2024 Weekly OSINT Highlights, 5 August 2024 2024-08-05T10:51:17+00:00 https://community.riskiq.com/article/ed438f56 www.secnews.physaphae.fr/article.php?IdArticle=8552050 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Mobile APT33,APT 41,APT 33,APT-C-17 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Un nouvel outil Specula utilise Outlook pour l'exécution du code distant sous Windows New Specula tool uses Outlook for remote code execution in Windows ## Snapshot TrustedSec identified a new red team post-exploitation framework called "Specula," which leverages a vulnerability in Microsoft Outlook to remotely execute code by setting malicious home pages via registry modifications. ## Description The novel Specula framework exploits [CVE-2017-11774](https://sip.security.microsoft.com/vulnerabilities/vulnerability/CVE-2017-11774/overview), a security feature bypass vulnerability in Outlook that allows threat actors to set a custom Outlook home page via registry keys and run vbscript or jscript to execute arbitrary commands on compromised Windows systems. Despite being patched, attackers can still create malicious home pages using Windows Registry values, enabling them to achieve persistence and laterally spread to other systems. The method is notable for its ability to bypass security software by leveraging Outl]]> 2024-08-02T00:53:15+00:00 https://community.riskiq.com/article/4b71ce29 www.secnews.physaphae.fr/article.php?IdArticle=8549339 False Tool,Vulnerability,Threat APT33,APT 33 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Weekly OSINT Highlights, 29 July 2024 2024-07-29T10:58:35+00:00 https://community.riskiq.com/article/72f3426d www.secnews.physaphae.fr/article.php?IdArticle=8546560 False Ransomware,Data Breach,Spam,Malware,Tool,Vulnerability,Threat,Legislation,Mobile,Industrial,Medical APT 28,APT 36 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Onyx Sleet utilise une gamme de logiciels malveillants pour recueillir l'intelligence pour la Corée du Nord Onyx Sleet uses array of malware to gather intelligence for North Korea 2024-07-24T23:34:10+00:00 https://community.riskiq.com/article/31828df1 www.secnews.physaphae.fr/article.php?IdArticle=8544253 False Ransomware,Malware,Tool,Vulnerability,Threat,Industrial,Cloud,Technical,Commercial APT 38 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 8 juillet 2024 Weekly OSINT Highlights, 8 July 2024 2024-07-08T15:06:59+00:00 https://community.riskiq.com/article/9a175891 www.secnews.physaphae.fr/article.php?IdArticle=8532909 False Malware,Tool,Vulnerability,Threat,Mobile,Cloud APT 36 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group) 2024-05-31T22:14:46+00:00 https://community.riskiq.com/article/08f4a417 www.secnews.physaphae.fr/article.php?IdArticle=8510885 False Malware,Tool,Vulnerability,Threat APT 38 2.0000000000000000 Mandiant - Blog Sécu de Mandiant Extinction de l'IOC?Les acteurs de cyber-espionnage de Chine-Nexus utilisent des réseaux orbes pour augmenter les coûts des défenseurs IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders Mandiant Intelligence is tracking a growing trend among China-nexus cyber espionage operations where advanced persistent threat (APT) actors utilize proxy networks known as “ORB networks” (operational relay box networks) to gain an advantage when conducting espionage operations. ORB networks are akin to botnets and are made up of virtual private servers (VPS), as well as compromised Internet of Things (IoT) devices, smart devices, and routers that are often end of life or unsupported by their manufacturers. Building networks of compromised devices allows ORB network administrators to easily grow the size of their ORB network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations. By using these mesh networks to conduct espionage operations, actors can disguise external traffic between command and control (C2) infrastructure and victim environments including vulnerable edge devices that are being exploited via zero-day vulnerabilities. These networks often use both rented VPS nodes in combination with malware designed to target routers so they can grow the number of devices capable of relaying traffic within compromised networks. Mandiant assesses with moderate confidence that this is an effort to raise the cost of defending an enterprise\'s network and shift the advantage toward espionage operators by evading detection and complicating attribution. Mandiant believes that if network defenders can shift the current enterprise defense paradigm away from treating adversary infrastructure like indicators of compromise (IOCs) and instead toward tracking ORB networks like evolving entities akin to APT groups, enterprises can contend with the rising challenge of ORB networks in the threat landscape. IOC Extinction and the Rise of ORB Networks The cybersecurity industry has reported on the APT practice of ORB network usage in the past as well as on the functional implementation of these networks. Less discussed are the implications of broad ORB network usage by a multitude of China-nexus espionage actors, which has become more common over recent years. The following are three key points and paradigm shifting implications about ORB networks that require enterprise network defenders to adapt the way they think about China-nexus espionage actors: ORB networks undermine the idea of “Actor-Controlled Infrastructure”: ORB networks are infrastructure networks administered by independent entities, contractors, or administrators within the People\'s Republic of China (PRC). They are not controlled by a single APT actor. ORB networks create a network interface, administer a network of compromised nodes, and contract access to those networks to multiple APT actors that will use the ORB networks to carry out their own distinct espionage and reconnaissance. These networks are not controlled by APT actors using them, but rather are temporarily used by these APT actors often to deploy custom tooling more conventionally attributable to known China-nexus adversaries. ORB network infrastructure has a short lifesp]]> 2024-05-22T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks/ www.secnews.physaphae.fr/article.php?IdArticle=8504765 False Malware,Tool,Vulnerability,Threat,Prediction,Cloud,Commercial APT 15,APT 5,APT 31 3.0000000000000000 Mandiant - Blog Sécu de Mandiant Pole Voûte: cyber-menaces aux élections mondiales Poll Vaulting: Cyber Threats to Global Elections Executive Summary The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts. When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure. Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google\'s Advanced Protection Program to protect high-risk accounts. Introduction The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture. The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence. ]]> 2024-04-25T10:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections/ www.secnews.physaphae.fr/article.php?IdArticle=8500393 False Ransomware,Malware,Hack,Tool,Vulnerability,Threat,Legislation,Cloud,Technical APT 40,APT 29,APT 28,APT 43,APT 31,APT 42 3.0000000000000000 AhnLab - Korean Security Firm Microsoft Windows Security Update Advisory (CVE-2024-21338) aperçu du 13 février 2024, Microsoft a annoncé une élévation du noyau Windows des privilèges Vulnérabilité CVE-2012-21338correctif.La vulnérabilité se produit à certains ioctl de & # 8220; appid.sys & # 8221;Connu sous le nom de pilote AppLocker, l'une des fonctionnalités Windows.L'acteur de menace peut lire et écrire sur une mémoire de noyau aléatoire en exploitant la vulnérabilité, et peut soit désactiver les produits de sécurité ou gagner le privilège du système.Avast a rapporté que le groupe de menaces Lazarus a récemment utilisé la vulnérabilité CVE-2024-21338 à désactiver les produits de sécurité.Ainsi, les utilisateurs de Windows OS sont ...

Overview On February 13th, 2024, Microsoft announced a Windows Kernel Elevation of Privilege Vulnerability CVE-2024-21338 patch. The vulnerability occurs at certain IOCTL of “appid.sys” known as AppLocker‘s driver, one of the Windows feature. The threat actor can read and write on a random kernel memory by exploiting the vulnerability, and can either disable security products or gain system privilege. AVAST reported that the Lazarus threat group has recently used CVE-2024-21338 vulnerability to disable security products. Thus, Windows OS users are... ]]> 2024-03-06T08:56:56+00:00 https://asec.ahnlab.com/en/62668/ www.secnews.physaphae.fr/article.php?IdArticle=8459725 False Vulnerability,Threat APT 38 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Les pirates de Lazarus ont exploité la faille du noyau Windows comme zéro-jour lors d'attaques récentes Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks The notorious Lazarus Group actors exploited a recently patched privilege escalation flaw in the Windows Kernel as a zero-day to obtain kernel-level access and disable security software on compromised hosts. The vulnerability in question is CVE-2024-21338 (CVSS score: 7.8), which can permit an attacker to gain SYSTEM privileges. It was resolved by Microsoft earlier this month as part]]> 2024-02-29T16:49:00+00:00 https://thehackernews.com/2024/02/lazarus-hackers-exploited-windows.html www.secnews.physaphae.fr/article.php?IdArticle=8456930 False Vulnerability,Threat APT 38 3.0000000000000000 SecurityWeek - Security News Windows Zero-Day exploité par des pirates nord-coréens dans Rootkit Attack Windows Zero-Day Exploited by North Korean Hackers in Rootkit Attack Le groupe nord-coréen Lazarus a exploité le conducteur Applocker Zero-Day CVE-2024-21338 pour l'escalade des privilèges dans les attaques impliquant Fudmodule Rootkit.

>North Korean group Lazarus exploited AppLocker driver zero-day CVE-2024-21338 for privilege escalation in attacks involving FudModule rootkit. ]]> 2024-02-29T10:28:36+00:00 https://www.securityweek.com/windows-zero-day-exploited-by-north-korean-hackers-in-rootkit-attack/ www.secnews.physaphae.fr/article.php?IdArticle=8456926 False Vulnerability,Threat APT 38 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Opération forgeron: Lazarus cible les organisations du monde Operation Blacksmith: Lazarus Targets Organizations Worldwide Using Novel Telegram-Based Malware Written in DLang #### Description Cisco Talos has discovered a new campaign conducted by the Lazarus Group, called "Operation Blacksmith," which employs at least three new DLang-based malware families, two of which are remote access trojans (RATs), where one of these uses Telegram bots and channels as a medium of command and control (C2) communications. The RATs are named "NineRAT" and "DLRAT," and the downloader is called "BottomLoader." The campaign consists of continued opportunistic targeting of enterprises globally that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation such as CVE-2021-44228 (Log4j). Lazarus has targeted manufacturing, agricultural, and physical security companies. The malware is written in DLang, indicating a definitive shift in TTPs from APT groups falling under the Lazarus umbrella with the increased adoption of malware being authored using non-traditional frameworks such as the Qt framework, including MagicRAT and QuiteRAT. #### Reference URL(s) 1. https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/ #### Publication Date December 11, 2023 #### Author(s) Jungsoo An ]]> 2023-12-13T19:34:57+00:00 https://community.riskiq.com/article/04580784 www.secnews.physaphae.fr/article.php?IdArticle=8422247 False Malware,Vulnerability APT 38 3.0000000000000000 Recorded Future - FLux Recorded Future Pirates nord-coréens utilisant la vulnérabilité log4j dans la campagne mondiale North Korean hackers using Log4J vulnerability in global campaign

Les pirates connectés à Groupe de Lazarus de la Corée du Nord ont exploité le Vulnérabilité LOG4J Dans une campagne d'attaques ciblant les entreprises dans les secteurs de la fabrication, de l'agriculture et de la sécurité physique.Connu sous le nom de «Faire du forgeron de l'opération», la campagne a vu les pirates de Lazarus utiliser au moins trois nouvelles familles de logiciels malveillants, selon des chercheurs de Cisco Talos qui ont nommé l'un des

Hackers connected to North Korea\'s Lazarus Group have been exploiting the Log4j vulnerability in a campaign of attacks targeting companies in the manufacturing, agriculture and physical security sectors. Known as “Operation Blacksmith,” the campaign saw Lazarus hackers use at least three new malware families, according to researchers at Cisco Talos who named one of the]]> 2023-12-11T20:30:00+00:00 https://therecord.media/north-korean-hackers-using-log www.secnews.physaphae.fr/article.php?IdArticle=8421198 False Malware,Vulnerability APT 38 2.0000000000000000 Dark Reading - Informationweek Branch Le groupe Lazarus est toujours à la main Log4Shell, en utilisant des rats écrits en \\ 'd \\' Lazarus Group Is Still Juicing Log4Shell, Using RATs Written in \\'D\\' The infamous vulnerability may be on the older side at this point, but North Korea\'s primo APT Lazarus is creating new, unique malware around it at a remarkable clip.]]> 2023-12-11T16:15:00+00:00 https://www.darkreading.com/threat-intelligence/lazarus-group-still-juicing-log4shell-rats-written-d www.secnews.physaphae.fr/article.php?IdArticle=8421118 False Malware,Vulnerability APT 38 2.0000000000000000 Recorded Future - FLux Recorded Future Les pirates nord-coréens exploitent le bogue connu dans le fournisseur de logiciels \\ 'de haut niveau \\' North Korean hackers exploit known bug in \\'high-profile\\' software vendor

Les pirates connectés au gouvernement nord-coréen ont exploité une vulnérabilité dans un fournisseur de logiciels «haut de gamme» pour cibler ses clients, selon un récent Rapport .À la mi-juillet, les chercheurs de la société de cybersécurité Kaspersky ont détecté une série d'attaques contre plusieurs victimes ciblées via un logiciel de sécurité non identifié conçu pour crypter les communications Web à l'aide du numérique

Hackers connected to the North Korean government have exploited a vulnerability in a “high-profile” software vendor to target its customers, according to a recent report. In mid-July, researchers from the cybersecurity firm Kaspersky detected a series of attacks on several victims who were targeted through unidentified security software designed to encrypt web communications using digital]]> 2023-10-27T16:30:00+00:00 https://therecord.media/north-korean-hackers-exploit-software-vulnerability www.secnews.physaphae.fr/article.php?IdArticle=8401515 False Vulnerability,Threat APT 38 4.0000000000000000 Bleeping Computer - Magazine Américain Les pirates nord-coréens exploitent la faille critique de Teamcity pour violer les réseaux North Korean hackers exploit critical TeamCity flaw to breach networks Microsoft says that the North Korean Lazarus and Andariel hacking groups are exploiting the CVE-2023-42793 flaw in TeamCity servers to deploy backdoor malware, likely to conduct software supply chain attacks. [...]]]> 2023-10-18T18:33:02+00:00 https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-critical-teamcity-flaw-to-breach-networks/ www.secnews.physaphae.fr/article.php?IdArticle=8397455 False Vulnerability APT 38 3.0000000000000000 AhnLab - Korean Security Firm La magie de rêve de l'opération de Lazarus Group \\ Lazarus Group\\'s Operation Dream Magic Le groupe Lazare est un groupe de piratage connu pour être parrainé par l'État et mène activement des activités de piratageDans le monde entier pour le gain financier, le vol de données et d'autres fins.Un aperçu simplifié de l'attaque du trou d'arrosage du groupe Lazare qui a abusé de la vulnérabilité inisafée est la suivante: un lien malveillant a été inséré dans un article spécifique sur un site Web d'actualités.Par conséquent, les entreprises et les institutions qui ont cliqué sur cet article étaient ciblées pour le piratage.Les pirates ont exploité des sites Web coréens vulnérables avec C2 ...

The Lazarus group is a hacking group that is known to be state-sponsored and is actively conducting hacking activities worldwide for financial gain, data theft, and other purposes. A simplified overview of the Lazarus group’s watering hole attack that abused the INISAFE vulnerability is as follows: a malicious link was inserted within a specific article on a news website. Consequently, companies and institutions that clicked on this article were targeted for hacking. The hackers exploited vulnerable Korean websites with C2... ]]> 2023-10-17T00:55:09+00:00 https://asec.ahnlab.com/en/57736/ www.secnews.physaphae.fr/article.php?IdArticle=8396477 False Vulnerability APT 38 2.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Le groupe Lazarus cible l'infrastructure Internet et les soins de santé avec le logiciel malveillant \\'QuiteRAT\\' Lazarus Group Targets Internet Infrastructure and Healthcare with \\'QuiteRAT\\' Malware QuiteRAT, the North-Korea-Backed group\'s new malware, exploits a 2022 ManageEngine ServiceDesk vulnerability]]> 2023-08-25T07:30:00+00:00 https://www.infosecurity-magazine.com/news/lazarus-internet-healthcare/ www.secnews.physaphae.fr/article.php?IdArticle=8374396 False Malware,Vulnerability APT 38,APT 38 2.0000000000000000 Bleeping Computer - Magazine Américain Les pirates utilisent l'exploitation de gestion publique pour violation de l'organisation Internet Hackers use public ManageEngine exploit to breach internet org The North Korean state-backed hacker group tracked as Lazarus has been exploiting a critical vulnerability (CVE-2022-47966) in Zoho\'s ManageEngine ServiceDesk to compromise an internet backbone infrastructure provider and healthcare organizations. [...]]]> 2023-08-24T08:31:20+00:00 https://www.bleepingcomputer.com/news/security/hackers-use-public-manageengine-exploit-to-breach-internet-org/ www.secnews.physaphae.fr/article.php?IdArticle=8374056 False Vulnerability APT 38 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2023-40341 A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job.]]> 2023-08-16T15:15:11+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40341 www.secnews.physaphae.fr/article.php?IdArticle=8370819 False Vulnerability APT 32 None AhnLab - Korean Security Firm Lezare Menace Group exploitant la vulnérabilité de la solution de sécurité financière coréenne Lazarus Threat Group Exploiting Vulnerability of Korean Finance Security Solution comme couvert précédemment ici sur le blog ASEC, le groupe de menace Lazarus exploite les vulnérabilités d'Inisafe Crossweb Ex etMagicline4nx dans leurs attaques.New Malware of Lazarus Threat Group Actor Group exploitant le processus Initch (26 avril 2022) Un cas d'infection par les logiciels malveillants par le groupe d'attaque de Lazarus désactivant les programmes anti-malware avec la technique BYOVD (31 octobre 2022) tout en surveillant les activités du groupe de menaces de Lazarus, Ahnlab Security Emergency Response Center (ASEC) a récemment découvert que la vulnérabilité zéro-jour de Vestcert ...

As covered before here on the ASEC Blog, the Lazarus threat group exploits the vulnerabilities of INISAFE CrossWeb EX and MagicLine4NX in their attacks. New Malware of Lazarus Threat Actor Group Exploiting INITECH Process (Apr 26, 2022) A Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the BYOVD Technique (Oct 31, 2022) While monitoring the activities of the Lazarus threat group, AhnLab Security Emergency response Center (ASEC) recently discovered that the zero-day vulnerability of VestCert... ]]> 2023-06-14T23:00:00+00:00 https://asec.ahnlab.com/en/54195/ www.secnews.physaphae.fr/article.php?IdArticle=8345547 False Malware,Vulnerability,Threat APT 38 2.0000000000000000 knowbe4 - cybersecurity services CyberheistNews Vol 13 # 24 [Le biais de l'esprit \\] le prétexage dépasse désormais le phishing dans les attaques d'ingénierie sociale CyberheistNews Vol 13 #24 [The Mind\\'s Bias] Pretexting Now Tops Phishing in Social Engineering Attacks

CyberheistNews Vol 13 #24 | June 13th, 2023 [The Mind\'s Bias] Pretexting Now Tops Phishing in Social Engineering Attacks The New Verizon DBIR is a treasure trove of data. As we will cover a bit below, Verizon reported that 74% of data breaches Involve the "Human Element," so people are one of the most common factors contributing to successful data breaches. Let\'s drill down a bit more in the social engineering section. They explained: "Now, who has received an email or a direct message on social media from a friend or family member who desperately needs money? Probably fewer of you. This is social engineering (pretexting specifically) and it takes more skill. "The most convincing social engineers can get into your head and convince you that someone you love is in danger. They use information they have learned about you and your loved ones to trick you into believing the message is truly from someone you know, and they use this invented scenario to play on your emotions and create a sense of urgency. The DBIR Figure 35 shows that Pretexting is now more prevalent than Phishing in Social Engineering incidents. However, when we look at confirmed breaches, Phishing is still on top." A social attack known as BEC, or business email compromise, can be quite intricate. In this type of attack, the perpetrator uses existing email communications and information to deceive the recipient into carrying out a seemingly ordinary task, like changing a vendor\'s bank account details. But what makes this attack dangerous is that the new bank account provided belongs to the attacker. As a result, any payments the recipient makes to that account will simply disappear. BEC Attacks Have Nearly Doubled It can be difficult to spot these attacks as the attackers do a lot of preparation beforehand. They may create a domain doppelganger that looks almost identical to the real one and modify the signature block to show their own number instead of the legitimate vendor. Attackers can make many subtle changes to trick their targets, especially if they are receiving many similar legitimate requests. This could be one reason why BEC attacks have nearly doubled across the DBIR entire incident dataset, as shown in Figure 36, and now make up over 50% of incidents in this category. Financially Motivated External Attackers Double Down on Social Engineering Timely detection and response is crucial when dealing with social engineering attacks, as well as most other attacks. Figure 38 shows a steady increase in the median cost of BECs since 2018, now averaging around $50,000, emphasizing the significance of quick detection. However, unlike the times we live in, this section isn\'t all doom and ]]> 2023-06-13T13:00:00+00:00 https://blog.knowbe4.com/cyberheistnews-vol-13-24-the-minds-bias-pretexting-now-tops-phishing-in-social-engineering-attacks www.secnews.physaphae.fr/article.php?IdArticle=8344804 False Spam,Malware,Vulnerability,Threat,Patching Uber,APT 37,ChatGPT,ChatGPT,APT 43 2.0000000000000000 Anomali - Firm Blog Anomali Cyber Watch: Shadow Force cible les serveurs coréens, Volt Typhoon abuse des outils intégrés, Cosmicenergy Tests Electric Distribution Perturbation Anomali Cyber Watch: Shadow Force Targets Korean Servers, Volt Typhoon Abuses Built-in Tools, CosmicEnergy Tests Electric Distribution Disruption Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces shadowVictiticoor et Coinmin de Force Group \\ (Publié: 27 mai 2023) Force Shadow est une menace qui cible les organisations sud-coréennes depuis 2013. Il cible principalement les serveurs Windows.Les chercheurs d'AHNLAB ont analysé l'activité du groupe en 2020-2022.Les activités de force fantôme sont relativement faciles à détecter car les acteurs ont tendance à réutiliser les mêmes noms de fichiers pour leurs logiciels malveillants.Dans le même temps, le groupe a évolué: après mars, ses fichiers dépassent souvent 10 Mo en raison de l'emballage binaire.Les acteurs ont également commencé à introduire divers mineurs de crypto-monnaie et une nouvelle porte dérobée surnommée Viticdoor. Commentaire de l'analyste: Les organisations doivent garder leurs serveurs à jour et correctement configurés avec la sécurité à l'esprit.Une utilisation et une surchauffe du processeur inhabituellement élevées peuvent être un signe du détournement de ressources malveillantes pour l'exploitation de la crypto-monnaie.Les indicateurs basés sur le réseau et l'hôte associés à la force fantôme sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquer sur leur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1588.003 - obtenir des capacités:Certificats de signature de code | [mitre att & amp; ck] t1105 - transfert d'outils d'entrée | [mitre att & amp; ck] t1027.002 - fichiers ou informations obscurcies: emballage logiciel | [mitre att & amp; ck] t1569.002: exécution du service | [mitre att & amp; ck] T1059.003 - Commande et script Interpréteur: Windows Command Shell | [mitre att & amp; ck] T1547.001 - Exécution de botter ou de connexion automatique: Registre Run Keys / Startup Folder | [mitre att & amp; ck] t1546.008 - Événement Exécution déclenchée: caractéristiques de l'accessibilité | [mitre att & amp; ck] t1543.003 - créer ou modifier le processus système: service Windows | [mitre att & amp; ck] t1554 - compromis le logiciel client binaire | [mitreAtt & amp; ck] t1078.001 - Comptes valides: comptes par défaut | [mitre att & amp; ck] t1140 - désobfuscate / décode ou infor]]> 2023-05-31T17:19:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-shadow-force-targets-korean-servers-volt-typhoon-abuses-built-in-tools-cosmicenergy-tests-electric-distribution-disruption www.secnews.physaphae.fr/article.php?IdArticle=8340962 False Ransomware,Malware,Tool,Vulnerability,Threat APT 38,Guam,CosmicEnergy 2.0000000000000000 AhnLab - Korean Security Firm Groupe Lazare ciblant les serveurs Web Windows IIS Lazarus Group Targeting Windows IIS Web Servers Ahnlab Security Emergency Response Center (ASEC) a récemment confirmé le groupe Lazarus, un groupe connu pour recevoir un soutienÀ l'échelle nationale, effectuant des attaques contre les serveurs Web Windows IIS.Habituellement, lorsque les acteurs de la menace effectuent une analyse et trouvent un serveur Web avec une version vulnérable, ils utilisent la vulnérabilité adaptée à la version pour installer un shell Web ou exécuter des commandes malveillantes.Le journal AHNLAB Smart Defense (ASD) affiché ci-dessous dans la figure 1 montre que les systèmes Windows Server sont ...

AhnLab Security Emergency response Center (ASEC) has recently confirmed the Lazarus group, a group known to receive support on a national scale, carrying out attacks against Windows IIS web servers. Ordinarily, when threat actors perform a scan and find a web server with a vulnerable version, they use the vulnerability suitable for the version to install a web shell or execute malicious commands. The AhnLab Smart Defense (ASD) log displayed below in Figure 1 shows that Windows server systems are... ]]> 2023-05-23T01:00:00+00:00 https://asec.ahnlab.com/en/53132/ www.secnews.physaphae.fr/article.php?IdArticle=8338601 False Vulnerability,Threat APT 38 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Microsoft met en garde contre les attaques parrainées par l'État exploitant la vulnérabilité critique de papier Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability Iranian nation-state groups have now joined financially motivated actors in actively exploiting a critical flaw in PaperCut print management software, Microsoft said. The tech giant\'s threat intelligence team said it observed both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) weaponizing CVE-2023-27350 in their operations to achieve initial access. "This activity shows Mint]]> 2023-05-09T14:23:00+00:00 https://thehackernews.com/2023/05/microsoft-warns-of-state-sponsored.html www.secnews.physaphae.fr/article.php?IdArticle=8334732 False Vulnerability,Threat APT 35 2.0000000000000000 Anomali - Firm Blog Anomali Cyber Watch: APT37 adopte les fichiers LNK, Charming Kitten utilise le bordereau d'implant Bellaciao, le cryptage de remappage d'octet unique Vipersoftx InfostEaler Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption Figure 1 - Diagrammes de résumé du CIO.Ces graphiques résument les CIO attachés à ce magazine et donnent un aperçu des menaces discutées. Cyber News et Intelligence des menaces Réaction en chaîne: Rokrat & rsquo; s.Lien manquant (Publié: 1er mai 2023) Depuis 2022, le groupe parrainé par le Nord-Korea APT37 (Group123, Ricochet Chollima) a principalement changé ses méthodes de livraison de Maldocs pour cacher des charges utiles à l'intérieur des fichiers LNK surdimensionnés.Vérifier les chercheurs a identifié plusieurs chaînes d'infection utilisées par le groupe de juillet 2022 à avril 2023. Celles-ci ont été utilisées pour livrer l'un des outils personnalisés de l'APT37 (Goldbackdoor et Rokrat), ou le malware de marchandises Amadey.Tous les leurres étudiés semblent cibler des personnes coréennes avec des sujets liés à la Corée du Sud. Commentaire de l'analyste: Le passage aux chaînes d'infection basées sur LNK permet à APT37 de l'interaction utilisateur moins requise car la chaîne peut être déclenchée par un simple double clic.Le groupe continue l'utilisation de Rokrat bien triés qui reste un outil furtif avec ses couches supplémentaires de cryptage, le cloud C2 et l'exécution en mémoire.Les indicateurs associés à cette campagne sont disponibles dans la plate-forme Anomali et il est conseillé aux clients de les bloquerleur infrastructure. mitre att & amp; ck: [mitre att & amp; ck] t1059.001: Powershell | [mitre att & amp; ck] t1055 - injection de processus | [mitre att & amp; ck] t1027 - fichiers ou informations obscurcis | [mitre att & amp; ck] t1105 - transfert d'outils d'entrée | [mitre att & amp; ck] t1204.002 - Exécution des utilisateurs: fichier malveillant | [mitre att & amp; ck] t1059.005 - commande et script interprète: visuel basique | [mitre att & amp; ck] t1140 - désobfuscate / décode ou informations | [mitre att & amp; ck] T1218.011 - Exécution par proxy binaire signée: Rundll32 Tags: malware: Rokrat, mitre-software-id: s0240, malware-Type: Rat, acteur: Groupe123, mitre-groupe: APT37, acteur: Ricochet Chollima, Country source: Corée du Nord, Country source: KP, Cible-Country: Corée du Sud, Cible-Country: KR, Type de fichier: Zip, déposer-Type: Doc, Fichier-Type: ISO, Fichier-Type: LNK, File-Type: Bat, File-Type: EXE, Fichier-Type: VBS, malware: Amadey,MALWARE: Goldbackdoor, Type de logiciels malveillants: porte dérobée, abusée: Pcloud, abusé: Cloud Yandex, abusé: OneDrive, abusé: & # 8203; & # 8203; Processeur de mots Hangul, abusé: themida, système cible: Windows ]]> 2023-05-01T23:16:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt37-adopts-lnk-files-charming-kitten-uses-bellaciao-implant-dropper-vipersoftx-infostealer-unique-byte-remapping-encryption www.secnews.physaphae.fr/article.php?IdArticle=8332656 False Ransomware,Malware,Tool,Vulnerability,Threat,Prediction,Cloud APT 37,APT 37,APT 35 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2023-23891 2023-04-06T14:15:07+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23891 www.secnews.physaphae.fr/article.php?IdArticle=8325504 False Vulnerability APT 32 None CVE Liste - Common Vulnerability Exposure CVE-2023-24399 2023-03-30T12:15:07+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24399 www.secnews.physaphae.fr/article.php?IdArticle=8323479 False Vulnerability APT 32 None Anomali - Firm Blog Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Xenomorph V3: a New Variant with ATS Targeting More Than 400 Institutions (published: March 10, 2023) Newer versions of the Xenomorph Android banking trojan are able to target 400 applications: cryptocurrency wallets and mobile banking from around the World with the top targeted countries being Spain, Turkey, Poland, USA, and Australia (in that order). Since February 2022, several small, testing Xenomorph campaigns have been detected. Its current version Xenomorph v3 (Xenomorph.C) is available on the Malware-as-a-Service model. This trojan version was delivered using the Zombinder binding service to bind it to a legitimate currency converter. Xenomorph v3 automatically collects and exfiltrates credentials using the ATS (Automated Transfer Systems) framework. The command-and-control traffic is blended in by abusing Discord Content Delivery Network. Analyst Comment: Fraud chain automation makes Xenomorph v3 a dangerous malware that might significantly increase its prevalence on the threat landscape. Users should keep their mobile devices updated and avail of mobile antivirus and VPN protection services. Install only applications that you actually need, use the official store and check the app description and reviews. Organizations that publish applications for their customers are invited to use Anomali's Premium Digital Risk Protection service to discover rogue, malicious apps impersonating your brand that security teams typically do not search or monitor. MITRE ATT&CK: [MITRE ATT&CK] T1417.001 - Input Capture: Keylogging | [MITRE ATT&CK] T1417.002 - Input Capture: Gui Input Capture Tags: malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility services, Overlay attack, Discord CDN, Cryptocurrency wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android Cobalt Illusion Masquerades as Atlantic Council Employee (published: March 9, 2023) A new campaign by Iran-sponsored Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorous) was detected targeting Mahsa Amini protests and researchers who document the suppression of women and minority groups i]]> 2023-03-14T17:32:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-xenomorph-automates-the-whole-fraud-chain-on-android-icefire-ransomware-started-targeting-linux-mythic-leopard-delivers-spyware-using-romance-scam www.secnews.physaphae.fr/article.php?IdArticle=8318511 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Conference APT 35,ChatGPT,ChatGPT,APT 36,APT 42 2.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2023-24180 2023-03-14T14:15:13+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24180 www.secnews.physaphae.fr/article.php?IdArticle=8318500 False Vulnerability APT 33 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Lazarus Group Exploits Zero-Day Vulnerability to Hack South Korean Financial Entity 2023-03-08T16:04:00+00:00 https://thehackernews.com/2023/03/lazarus-group-exploits-zero-day.html www.secnews.physaphae.fr/article.php?IdArticle=8316641 False Hack,Vulnerability,Medical APT 38 3.0000000000000000 AhnLab - Korean Security Firm Lazarus Group Attack Case Using Vulnerability of Certificate Software Commonly Used by Public Institutions and Universities Since two years ago (March 2021), the Lazarus group’s malware strains have been found in various Korean companies related to national defense, satellites, software, media press, etc. As such, ASEC (AhnLab Security Emergency Response Center) has been pursuing and analyzing the Lazarus threat group’s activities and related malware. The affected company in this case had been infiltrated by the Lazarus group in May 2022 and was re-infiltrated recently through the same software’s 0-Day vulnerability. During the infiltration in May 2022,... ]]> 2023-03-06T23:30:00+00:00 https://asec.ahnlab.com/en/48810/ www.secnews.physaphae.fr/article.php?IdArticle=8316149 False Malware,Vulnerability,Threat,Medical APT 38 3.0000000000000000 knowbe4 - cybersecurity services CyberheistNews Vol 13 #09 [Eye Opener] Should You Click on Unsubscribe?

CyberheistNews Vol 13 #09 | February 28th, 2023 [Eye Opener] Should You Click on Unsubscribe? By Roger A. Grimes. Some common questions we get are "Should I click on an unwanted email's 'Unsubscribe' link? Will that lead to more or less unwanted email?" The short answer is that, in general, it is OK to click on a legitimate vendor's unsubscribe link. But if you think the email is sketchy or coming from a source you would not want to validate your email address as valid and active, or are unsure, do not take the chance, skip the unsubscribe action. In many countries, legitimate vendors are bound by law to offer (free) unsubscribe functionality and abide by a user's preferences. For example, in the U.S., the 2003 CAN-SPAM Act states that businesses must offer clear instructions on how the recipient can remove themselves from the involved mailing list and that request must be honored within 10 days. Note: Many countries have laws similar to the CAN-SPAM Act, although with privacy protection ranging the privacy spectrum from very little to a lot more protection. The unsubscribe feature does not have to be a URL link, but it does have to be an "internet-based way." The most popular alternative method besides a URL link is an email address to use. In some cases, there are specific instructions you have to follow, such as put "Unsubscribe" in the subject of the email. Other times you are expected to craft your own message. Luckily, most of the time simply sending any email to the listed unsubscribe email address is enough to remove your email address from the mailing list. [CONTINUED] at the KnowBe4 blog:https://blog.knowbe4.com/should-you-click-on-unsubscribe [Live Demo] Ridiculously Easy Security Awareness Training and Phishing Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense. Join us TOMORROW, Wednesday, March 1, @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approac]]> 2023-02-28T14:00:00+00:00 https://blog.knowbe4.com/cyberheistnews-vol-13-09-eye-opener-should-you-click-on-unsubscribe www.secnews.physaphae.fr/article.php?IdArticle=8314155 False Malware,Hack,Tool,Vulnerability,Threat,Guideline,Prediction APT 38,ChatGPT 3.0000000000000000 AhnLab - Korean Security Firm HWP Malware Using the Steganography Technique: RedEyes (ScarCruft) In January, the ASEC (AhnLab Security Emergency response Center) analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report will share the RedEyes group’s latest activity in Korea. 1. Overview The RedEyes group is known for targeting specific individuals and not corporations, stealing not only personal PC information but also the mobile phone data of their targets. A distinct characteristic of the... ]]> 2023-02-21T01:00:00+00:00 https://asec.ahnlab.com/en/48063/ www.secnews.physaphae.fr/article.php?IdArticle=8312034 False Malware,Vulnerability,Threat,Cloud APT 37 3.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2018-25070 2023-01-07T11:15:08+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-25070 www.secnews.physaphae.fr/article.php?IdArticle=8298792 False Vulnerability,Guideline,Conference APT 35 None Anomali - Firm Blog Anomali Cyber Watch: Machine Learning Toolkit Targeted by Dependency Confusion, Multiple Campaigns Hide in Google Ads, Lazarus Group Experiments with Bypassing Mark-of-the-Web Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence PyTorch Discloses Malicious Dependency Chain Compromise Over Holidays (published: January 1, 2023) Between December 25th and December 30th, 2022, users who installed PyTorch-nightly were targeted by a malicious library. The malicious torchtriton dependency on PyPI uses the dependency confusion attack by having the same name as the legitimate one on the PyTorch repository (PyPI takes precedence unless excluded). The actor behind the malicious library claims that it was part of ethical research and that he alerted some affected companies via HackerOne programs (Facebook was allegedly alerted). At the same time the library’s features are more aligned with being a malware than a research project. The code is obfuscated, it employs anti-VM techniques and doesn’t stop at fingerprinting. It exfiltrates passwords, certain files, and the history of Terminal commands. Stolen data is sent to the C2 domain via encrypted DNS queries using the wheezy[.]io DNS server. Analyst Comment: The presence of the malicious torchtriton binary can be detected, and it should be uninstalled. PyTorch team has renamed the 'torchtriton' library to 'pytorch-triton' and reserved the name on PyPI to prevent similar attacks. Opensource repositories and apps are a valuable asset for many organizations but adoption of these must be security risk assessed, appropriately mitigated and then monitored to ensure ongoing integrity. MITRE ATT&CK: [MITRE ATT&CK] T1195.001 - Supply Chain Compromise: Compromise Software Dependencies And Development Tools | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] T1003.008 - OS Credential Dumping: /Etc/Passwd And /Etc/Shadow | [MITRE ATT&CK] T1041 - Exfiltration Over C2 Channel Tags: Dependency confusion, Dependency chain compromise, PyPI, PyTorch, torchtriton, Facebook, Meta AI, Exfiltration over DNS, Linux Linux Backdoor Malware Infects WordPress-Based Websites (published: December 30, 2022) Doctor Web researchers have discovered a new Linux backdoor that attacks websites based on the WordPress content management system. The latest version of the backdoor exploits 30 vulnerabilities in outdated versions of WordPress add-ons (plugins and themes). The exploited website pages are injected with a malicious JavaScript that intercepts all users clicks on the infected page to cause a malicious redirect. Analyst Comment: Owners of WordPress-based websites should keep all the components of the platform up-to-date, including third-party add-ons and themes. Use ]]> 2023-01-04T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-machine-learning-toolkit-targeted-by-dependency-confusion-multiple-campaigns-hide-in-google-ads-lazarus-group-experiments-with-bypassing-mark-of-the-web www.secnews.physaphae.fr/article.php?IdArticle=8297872 False Malware,Tool,Vulnerability,Threat,Patching,Medical APT 38,LastPass 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Google Warns of Internet Explorer Zero-Day Vulnerability Exploited by ScarCruft Hackers 2022-12-08T13:29:00+00:00 https://thehackernews.com/2022/12/google-warns-of-internet-explorer-zero.html www.secnews.physaphae.fr/article.php?IdArticle=8289009 False Vulnerability,Threat,Cloud APT 37 3.0000000000000000 CVE Liste - Common Vulnerability Exposure CVE-2022-35730 2022-12-04T23:15:09+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-35730 www.secnews.physaphae.fr/article.php?IdArticle=8287663 False Vulnerability APT 32 None AhnLab - Korean Security Firm A Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the BYOVD Technique In the ASEC blog post uploaded on April 2022 (New Malware of Lazarus Threat Actor Group Exploiting INITECH Process, https://asec.ahnlab.com/en/33801/), the team discussed the fact that the Lazarus attack group had been exploiting the INITECH process to infect systems with malware. This article aims to cover the details of the Lazarus group using the watering hole technique to hack into systems before exploiting the vulnerability of the MagicLine4NX product from Dream Security in order to additionally hack into systems in... ]]> 2022-10-31T01:57:31+00:00 https://asec.ahnlab.com/en/40830/ www.secnews.physaphae.fr/article.php?IdArticle=7747128 False Malware,Hack,Vulnerability,Threat,Medical APT 38 None Anomali - Firm Blog Anomali Cyber Watch: Daixin Team Ransoms Healthcare Sector, Earth Berberoka Breaches Casinos for Data, Windows Affected by Bring-Your-Own-Vulnerable-Driver Attacks, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Alert (AA22-294A) #StopRansomware: Daixin Team (published: October 21, 2022) Daixin Team is a double-extortion ransomware group that has been targeting US businesses, predominantly in the healthcare sector. Since June 2022, Daixin Team has been encrypting electronic health record services, diagnostics services, imaging services, and intranet services. The group has exfiltrated personal identifiable information and patient health information. Typical intrusion starts with initial access through virtual private network (VPN) servers gained by exploitation or valid credentials derived from prior phishing. They use SSH and RDP for lateral movement and target VMware ESXi systems with ransomware based on leaked Babuk Locker source code. Analyst Comment: Network defenders should keep organization’s VPN servers up-to-date on security updates. Enable multifactor authentication (MFA) on your VPN server and other critical accounts (administrative, backup-related, and webmail). Restrict the use of RDP, SSH, Telnet, virtual desktop and similar services in your environment. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Remote Service Session Hijacking - T1563 | [MITRE ATT&CK] Use Alternate Authentication Material - T1550 | [MITRE ATT&CK] Exfiltration Over Web Service - T1567 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: actor:Daixin Team, malware-type:Ransomware, PHI, SSH, RDP, Rclone, Ngrok, target-sector:Health Care NAICS 62, ESXi, VMware, Windows Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool (published: October 21, 2022) Symantec detected a new custom data exfiltration tool used in a number of BlackByte ransomware attacks. This infostealer, dubbed Exbyte, performs anti-sandbox checks and proceeds to exfiltrate selected file types to a hardcoded Mega account. BlackByte ransomware-as-a-service operations were first uncovered in February 2022. The group’s recent attacks start with exploiting public-facing vulnerabilities of ProxyShell and ProxyLogon families. BlackByte removes Kernel Notify Routines to bypass Endpoint Detection and Response (EDR) products. The group uses AdFind, AnyDesk, Exbyte, NetScan, and PowerView tools and deploys BlackByte 2.0 ransomware payload. Analyst Comment: It is crucial that your company ensures that servers are]]> 2022-10-25T16:53:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-daixin-team-ransoms-healthcare-sector-earth-berberoka-breaches-casinos-for-data-windows-affected-by-bring-your-own-vulnerable-driver-attacks-and-more www.secnews.physaphae.fr/article.php?IdArticle=7673563 False Ransomware,Malware,Tool,Vulnerability,Threat,Medical APT 38 None CSO - CSO Daily Dashboard North Korea\'s Lazarus group uses vulnerable Dell driver to blind security solutions CVE-2021-21551 vulnerability in a legitimate Dell driver,” security researchers from antivirus firm ESET said in a recent report. “This is the first ever recorded abuse of this vulnerability in the wild. The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way.”To read this article in full, please click here]]> 2022-10-05T12:15:00+00:00 https://www.csoonline.com/article/3675948/north-korea-s-lazarus-group-uses-vulnerable-dell-driver-to-blind-security-solutions.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=7310080 False Tool,Vulnerability APT 38 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Hackers Exploiting Dell Driver Vulnerability to Deploy Rootkit on Targeted Computers 2022-10-03T16:26:00+00:00 https://thehackernews.com/2022/10/hackers-exploiting-dell-driver.html www.secnews.physaphae.fr/article.php?IdArticle=7292668 False Vulnerability,Threat,Medical APT 38 None InfoSecurity Mag - InfoSecurity Magazine Lazarus Group Exploits Dell Driver Vulnerability to Bypass Windows Security 2022-10-03T15:00:00+00:00 https://www.infosecurity-magazine.com/news/lazarus-group-exploit-dell-driver/ www.secnews.physaphae.fr/article.php?IdArticle=7288031 False Vulnerability APT 38 None We Live Security - Editeur Logiciel Antivirus ESET ESET Research into new attacks by Lazarus – Week in security with Tony Anscombe 2022-09-30T14:10:38+00:00 https://www.welivesecurity.com/videos/eset-research-uncovers-new-lazarus-campaigns-week-security-tony-anscombe/ www.secnews.physaphae.fr/article.php?IdArticle=7240281 False Vulnerability APT 38 None Anomali - Firm Blog Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Microsoft Investigates Iranian Attacks Against the Albanian Government (published: September 8, 2022) Microsoft researchers discovered that groups working under Iran’s Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow’s anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania. Analyst Comment: MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in a form of direct and proportional retaliation as it sees it. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users advised to block known OilRig network indicators. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070 Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona BRONZE PRESIDENT Targets Government Officials (published: September 8, 2022) Secureworks researchers detected a new campaign by China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters. Analyst Comment: Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | ]]> 2022-09-13T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-iran-albanian-cyber-conflict-ransomware-adopts-intermittent-encryption-dll-side-loading-provides-variety-to-plugx-infections-and-more www.secnews.physaphae.fr/article.php?IdArticle=6869959 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline APT 27,APT 34 None CISCO Talos - Cisco Research blog Lazarus and the tale of three RATs By Jung soo An, Asheer Malhotra and Vitor Ventura.Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations.Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan. The campaign is meant to infiltrate organizations around the world for establishing long term access and subsequently exfiltrating data of interest to the adversary's nation-state.Talos has discovered the use of two known families of malware in these intrusions - VSingle and YamaBot.Talos has also discovered the use of a recently disclosed implant we're calling "MagicRAT" in this campaign. IntroductionCisco Talos observed North Korean state-sponsored APT Lazarus Group conducting malicious activity between February and July 2022. Lazarus has been previously attributed to the North Korean government by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The entry vectors involve the successful exploitation of vulnerabilities in VMWare products to establish initial footholds into enterprise networks, followed by the deployment of the group's custom malware implants, VSingle and YamaBot. In addition to these known malware families, we have also discovered the use of a previously unknown malware implant we're calling "MagicRAT."This campaign was previously partially disclosed by other security firms, but our findings reveal more details about the adversary's modus operandi. We have also observed an overlap of command and control (C2) and payload-hosting infrastructure between our findings and the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) June advisory that detailed continued attempts from threat actors to compromise vulnerable VMWare Horizon servers.In this research, we illustrate Lazarus Group's post-exploitation tactics, techniques and procedures (TTPs) to establish a foothold, perform initial reconnaissance, deploy bespoke malware and move laterally across infected enterprises. We also provide details about the activities performed by the attackers when the VSingle backdoor is instrumented on the infected endpoints.In this campaign, Lazarus was primarily targeting energy companies in Canada, the U.S. and Japan. The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean govern]]> 2022-09-08T08:39:42+00:00 http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html www.secnews.physaphae.fr/article.php?IdArticle=6785115 False Malware,Tool,Vulnerability,Threat,Medical APT 38 None Anomali - Firm Blog Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence LastPass Hackers Stole Source Code (published: August 26, 2022) In August 2022, an unidentified threat actor gained access to portions of the password management giant LastPass development environment. LastPass informed that it happened through a single compromised developer account and the attacker took portions of source code and some proprietary LastPass technical information. The company claims that this incident did not affect customer data or encrypted password vaults. Analyst Comment: This incident doesn’t seem to have an immediate impact on LastPass users. Still, organizations relying on LastPass should raise the concern in their risk assessment since “white-box hacking” (when source code of the attacking system is known) is easier for threat actors. Organizations providing public-facing software should take maximum measures to block threat actors from their development environment and establish robust and transparent security protocols and practices with all third parties involved in their code development. Tags: LastPass, Password manager, Data breach, Source code Mercury Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli (published: August 25, 2022) Starting in July 2022, a new campaign by Iran-sponsored group Static Kitten (Mercury, MuddyWater) was detected targeting Israeli organizations. Microsoft researchers detected that this campaign was leveraging exploitation of Log4j 2 vulnerabilities (CVE-2021-45046 and CVE-2021-44228) in SysAid applications (IT management tools). For persistence Static Kitten was dropping webshells, creating local administrator accounts, stealing credentials, and adding their tools in the startup folders and autostart extensibility point (ASEP) registry keys. Overall the group was heavily using various open-source and built-in operating system tools: eHorus remote management software, Ligolo reverse tunneling tool, Mimikatz credential theft tool, PowerShell programs, RemCom remote service, Venom proxy tool, and Windows Management Instrumentation (WMI). Analyst Comment: Network defenders should monitor for alerts related to web shell threats, suspicious RDP sessions, ASEP registry anomaly, and suspicious account creation. Similarly, SysAid users can monitor for webshells and abnormal processes related to SysAisServer instance. Even though Static Kitten was observed leveraging the Log4Shell vulnerabilities in the past (targeting VMware apps), most of their attacks still start with spearphishing, often from a compromised email account. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Phishing - T1566 | ]]> 2022-08-30T15:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-first-real-life-video-spoofing-attack-magicweb-backdoors-via-non-standard-key-identifier-lockbit-ransomware-blames-victim-for-ddosing-back-and-more www.secnews.physaphae.fr/article.php?IdArticle=6626943 False Ransomware,Hack,Tool,Vulnerability,Threat,Guideline,Cloud APT 37,APT 29,LastPass None CSO - CSO Daily Dashboard WannaCry explained: A perfect ransomware storm ransomware worm that spread rapidly through across a number of computer networks in May of 2017. After infecting a Windows computer, it encrypts files on the PC's hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin in order to decrypt them.A number of factors made the initial spread of WannaCry particularly noteworthy: it struck a number of important and high-profile systems, including many in Britain's National Health Service; it exploited a Windows vulnerability that was suspected to have been first discovered by the United States National Security Agency; and it was tentatively linked by Symantec and other security researchers to the Lazarus Group, a cybercrime organization that may be connected to the North Korean government.To read this article in full, please click here]]> 2022-08-24T12:34:00+00:00 https://www.csoonline.com/article/3227906/wannacry-explained-a-perfect-ransomware-storm.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=6506640 False Ransomware,Vulnerability,Medical Wannacry,Wannacry,APT 38 None Anomali - Firm Blog Anomali Cyber Watch: Ransomware Module Added to SOVA Android Trojan, Bitter APT Targets Mobile Phones with Dracarys, China-Sponsored TA428 Deploys Six Backdoors at Once, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence APT-C-35: New Windows Framework Revealed (published: August 11, 2022) The DoNot Team (APT-C-35) are India-sponsored actors active since at least 2016. Morphisec Labs researchers discovered a new Windows framework used by the group in its campaign targeting Pakistani government and defense departments. The attack starts with a spearphishing RTF attachment. If opened in a Microsoft Office application, it downloads a malicious remote template. After the victim enables editing (macroses) a multi-stage framework deployment starts. It includes two shellcode stages followed by main DLL that, based on victim fingerprinting, downloads a custom set of additional information-stealing modules. Analyst Comment: The described DoNot Team framework is pretty unique in its customisation, fingerprinting, and module implementation. At the same time, the general theme of spearphishing attachment that asks the targeted user to enable editing is not new and can be mitigated by anti-phishing training and Microsoft Office settings hardening. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Template Injection - T1221 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Data from Removable Media - T1025 | [MITRE ATT&CK] Data from Network Shared Drive - T1039 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 Tags: APT-C-35, DoNot Team, APT, India, source-country:IN, Government, Military, Pakistan, target-country:PK, Windows]]> 2022-08-16T15:06:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-ransomware-module-added-to-sova-android-trojan-bitter-apt-targets-mobile-phones-with-dracarys-china-sponsored-ta428-deploys-six-backdoors-at-once-and-more www.secnews.physaphae.fr/article.php?IdArticle=6354068 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Medical APT 38 None NoticeBored - Experienced IT Security professional CISO workshop slides glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):]]> 2022-08-06T10:46:21+00:00 http://blog.noticebored.com/2022/08/a-glossy-nicely-constructed-and.html www.secnews.physaphae.fr/article.php?IdArticle=6150878 False Malware,Vulnerability,Threat,Patching,Guideline,Medical,Cloud Uber,APT 38,APT 37,APT 28,APT 19,APT 15,APT 10,APT 34,Guam None Anomali - Firm Blog Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT” (published: July 28, 2022) Volexity researchers discovered SharpExt, a new malicious browser app used by the North-Korea sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as they browse it. Velvet Chollima continues to add new features to the app, the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the latter almost exclusively used in South Korea. Following the initial compromise, Velvet Chollima deploy SharpExt and to avoid warning the victim they manually exfiltrate settings files to change the settings and generate a valid "super_mac" security check value. They also hide the newly opened DevTools window and any other warning windows such as a warning regarding extensions running in developer mode. Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it was concentrating on stealing credentials instead of emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match). MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Hide Artifacts - T1564 Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits (published: July 27, 2022) Microsoft researchers detail activity of DSIRF, Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF was exploiting another Adobe Reader vulnerability, CVE-2022-22047, which was patched in July 2022. DSIRF attacks rely on their malware toolset called Subzero. The initial downloader shellcode is executed from either the exploit chains or malicious Excel documents. It downloads a JPG image file with extra encrypted data, extracts, decrypts and loads to the memory the Corelump memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that se]]> 2022-08-02T15:17:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-velvet-chollima-steals-emails-from-browsers-austrian-mercenary-leverages-zero-days-china-sponsored-group-uses-cosmicstrand-uefi-firmware-rootkit-and-more www.secnews.physaphae.fr/article.php?IdArticle=6091651 False Malware,Tool,Vulnerability,Threat,Patching,Guideline,Cloud APT 37,APT 28 None CISCO Talos - Cisco Research blog Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products

By Francesco Benvenuto. Recently, I was performing some research on a wireless router and noticed the following piece of code: ]]> 2022-07-27T12:22:17+00:00 http://blog.talosintelligence.com/2022/07/vulnerability-spotlight-how-code-re-use.html www.secnews.physaphae.fr/article.php?IdArticle=5973224 False Vulnerability,Guideline,Medical APT 38,APT 19 None Anomali - Firm Blog Anomali Cyber Watch: GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool, DragonForce Malaysia OpsPatuk / OpsIndia and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Update: The Phish Goes On - 5 Million Stolen Credentials and Counting (published: June 16, 2022) PIXM researchers describe an ongoing, large-scale Facebook phishing campaign. Its primary targets are Facebook Messenger mobile users and an estimated five million users lost their login credentials. The campaign evades Facebook anti-phishing protection by redirecting to a new page at a legitimate service such as amaze.co, famous.co, funnel-preview.com, or glitch.me. In June 2022, the campaign also employed the tactic of displaying legitimate shopping cart content at the final page for about two seconds before displaying the phishing content. The campaign is attributed to Colombian actor BenderCrack (Hackerasueldo) who monetizes displaying affiliate ads. Analyst Comment: Users should check what domain is asking for login credentials before providing those. Organizations can consider monitoring their employees using Facebook as a Single Sign-On (SSO) Provider. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 Tags: Facebook, Phishing, Facebook Messenger, Social networks, Mobile, Android, iOS, Redirect, Colombia, source-country:CO, BenderCrack, Hackerasueldo F5 Labs Investigates MaliBot (published: June 15, 2022) F5 Labs researchers describe a novel Android trojan, dubbed MaliBot. Based on re-written SOVA malware code, MaliBot is maintaining its Background Service by setting itself as a launcher. Its code has some unused evasion portions for emulation environment detection and setting the malware as a hidden app. MaliBot spreads via smishing, takes control of the device and monetizes using overlays for certain Italian and Spanish banks, stealing cryptocurrency, and sometimes sending Premium SMS to paid services. Analyst Comment: Users should be wary of following links in unexpected SMS messages. Try to avoid downloading apps from third-party websites. Be cautious with enabling accessibility options. MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] User Execution - T1204 Tags: MaliBot, Android, MFA bypass, SMS theft, Premium SMS, Smishing, Binance, Trust wallet, VNC, SOVA, Sality, Cryptocurrency, Financial, Italy, target-country:IT, Spain, target-country:ES Extortion Gang Ransoms Shoprite, Largest Supermarket Chain in Africa (published: June 15, 2022) On June 10, 2022, the African largest supermarket chain operating in twelve countries, Shoprite Holdings, announced a possible cybersecurity incident. The company notified customers in E]]> 2022-06-21T15:03:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-gallium-expands-targeting-across-telecommunications-government-and-finance-sectors-with-new-pingpull-tool-dragonforce-malaysia-opspatuk-opsindia-and-more www.secnews.physaphae.fr/article.php?IdArticle=5309464 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Conference Yahoo,APT 35 None Security Affairs - Blog Secu North Korea-linked Lazarus APT uses Log4J to target VMware servers North Korea-linked Lazarus APT is exploiting the Log4J remote code execution (RCE) in attacks aimed at VMware Horizon servers. North Korea-linked group Lazarus is exploiting the Log4J RCE vulnerability (CVE-2021-44228) to compromise VMware Horizon servers. Multiple threat actors are exploiting this flaw since January, in January VMware urged customers to patch critical Log4j security vulnerabilities impacting Internet-exposed […] ]]> 2022-05-22T15:48:25+00:00 https://securityaffairs.co/wordpress/131483/apt/lazarus-apt-log4j-vmware-servers.html www.secnews.physaphae.fr/article.php?IdArticle=4758896 False Vulnerability,Threat APT 38 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Hackers Exploiting VMware Horizon to Target South Korea with NukeSped Backdoor 2022-05-20T02:23:24+00:00 https://thehackernews.com/2022/05/hackers-exploiting-vmware-horizon-to.html www.secnews.physaphae.fr/article.php?IdArticle=4711794 False Vulnerability,Medical APT 38 None Bleeping Computer - Magazine Américain Lazarus hackers target VMware servers with Log4Shell exploits 2022-05-19T11:24:04+00:00 https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-vmware-servers-with-log4shell-exploits/ www.secnews.physaphae.fr/article.php?IdArticle=4707701 False Vulnerability APT 38 None CVE Liste - Common Vulnerability Exposure CVE-2022-30953 2022-05-17T15:15:09+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30953 www.secnews.physaphae.fr/article.php?IdArticle=4670393 False Vulnerability APT 32 4.0000000000000000