This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2024-06-02T02:45:54+00:00 www.secnews.physaphae.fr RiskIQ - cyber risk firms (now microsoft) 2024-05-28T17:37:40+00:00 https://community.riskiq.com/article/eb5e10a2 www.secnews.physaphae.fr/article.php?IdArticle=8508725 False Ransomware,Malware,Hack,Tool,Threat APT 34 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-05-22T15:21:21+00:00 https://community.riskiq.com/article/d5d5c07f www.secnews.physaphae.fr/article.php?IdArticle=8504864 False Ransomware,Malware,Tool,Threat APT 34 3.0000000000000000 HackRead - Chercher Cyber Par deeba ahmed Les chercheurs de point de contrôle ont détaillé un nouveau groupe de pirates parrainé par l'État iranien appelé Void Manticore, en partenariat avec Scarred Manticore, un autre groupe de menaces basé dans le ministère de l'Intension et de la Sécurité de l'Iran. . Ceci est un article de HackRead.com Lire le post original: Les pirates d'État iraniens s'associent pour des attaques à grande échelle, rapport

---

>By Deeba Ahmed Check Point researchers have detailed a new Iranian state-sponsored hacker group called Void Manticore, partnering with Scarred Manticore, another threat group based in Iran\'s Ministry of Intelligence and Security. This is a post from HackRead.com Read the original post: Iranian State Hackers Partner Up for Large-Scale Attacks, Report]]> 2024-05-21T11:37:37+00:00 https://www.hackread.com/iranian-state-hackers-partner-up-for-attacks/ www.secnews.physaphae.fr/article.php?IdArticle=8504004 False Threat APT 34 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The Iranian state-sponsored threat actor known as OilRig deployed three different downloader malware throughout 2022 to maintain persistent access to victim organizations located in Israel. The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader]]> 2023-12-14T18:00:00+00:00 https://thehackernews.com/2023/12/iranian-state-sponsored-oilrig-group.html www.secnews.physaphae.fr/article.php?IdArticle=8422615 False Malware,Threat APT 34 2.0000000000000000 Recorded Future - FLux Recorded Future Un groupe de cyber-espionnage lié au gouvernement iranien a développé plusieurs nouveaux téléchargeurs de logiciels malveillants au cours des deux dernières années et les a récemment utilisés pour cibler des organisations en Israël.Des chercheurs de la société Slovaquie ESET attribué Les téléchargeurs nouvellement découverts au groupe iranien de menace persistant avancé Oilrig, également connu sous le nom d'APT34.Selon les rapports précédents

---

A cyber-espionage group linked to the Iranian government developed several new malware downloaders over the past two years and has recently been using them to target organizations in Israel. Researchers at the Slovakia-based company ESET attributed the newly discovered downloaders to the Iranian advanced persistent threat group OilRig, also known as APT34. Previous reports said]]> 2023-12-14T16:30:00+00:00 https://therecord.media/oilrig-apt34-iran-linked-hackers-new-downloaders-israel www.secnews.physaphae.fr/article.php?IdArticle=8422737 False Malware,Threat APT 34 2.0000000000000000 Recorded Future - FLux Recorded Future Un acteur iranien de la menace nationale cible des organisations de haut niveau au Moyen-Orient dans une campagne d'espionnage en cours, selon un nouveau rapport.Suivi en tant que Manticore marqué, le groupe cible principalement les secteurs du gouvernement, des militaires et des télécommunications en Arabie saoudite, aux Émirats arabes unis, en Jordanie, au Koweït, à Oman, en Irak et en Israël.Ces dernières années, Manticore marqué a

---

An Iranian nation-state threat actor is targeting high-profile organizations in the Middle East in an ongoing espionage campaign, according to a new report. Tracked as Scarred Manticore, the group primarily targets government, military, and telecom sectors in Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel. In recent years, Scarred Manticore has]]> 2023-10-31T19:30:00+00:00 https://therecord.media/iranian-hackers-spy-on-governments-military-middle-east www.secnews.physaphae.fr/article.php?IdArticle=8403704 False Threat APT 34 2.0000000000000000 Checkpoint - Fabricant Materiel Securite Faits saillants: 1. Intrudeurs silencieux: Manticore marqué, un groupe de cyber-menaces iranien lié à Mois (Ministère des renseignements & # 38; Security), gère tranquillement une opération d'espionnage sophistiquée furtive au Moyen-Orient.En utilisant leur dernier cadre d'outils de logiciels malveillants, Liontail, ils volent sous le radar depuis plus d'un an.2. Secteurs ciblés: La campagne se concentre sur les grands joueurs-gouvernement, militaire, télécommunications, informatique, finance et ONG au Moyen-Orient.Manticore marqué est une question de données systématiquement en train de saisir des données, montrant leur engagement envers les cibles de grande valeur.3. Évolution des tactiques: le livre de jeu de Manticore Scarre est passé des attaques de base de shell sur les serveurs Windows à [& # 8230;]

---

>Highlights: 1. Silent Intruders: Scarred Manticore, an Iranian cyber threat group linked to MOIS (Ministry of Intelligence & Security), is quietly running a stealthy sophisticated spying operation in the Middle East. Using their latest malware tools framework, LIONTAIL, they have been flying under the radar for over a year. 2. Targeted Sectors: The campaign focuses on big players-government, military, telecom, IT, finance, and NGOs in the Middle East. Scarred Manticore is all about systematically nabbing data, showing their commitment to high-value targets. 3. Evolution of Tactics: Scarred Manticore’s playbook has evolved from basic web shell attacks on Windows Servers to […] ]]> 2023-10-31T10:56:45+00:00 https://blog.checkpoint.com/security/unraveling-the-scarred-manticore-saga-a-riveting-epic-of-high-stakes-espionage-unfolding-in-the-heart-of-the-middle-east/ www.secnews.physaphae.fr/article.php?IdArticle=8403439 False Malware,Tool,Threat APT 34 2.0000000000000000 Checkpoint Research - Fabricant Materiel Securite Résultats clés Introduction Les recherches sur les points de contrôle, en collaboration avec l'équipe de réponse aux incidents de Sygnia \\, ont suivi et répondu aux activités de & # 160; marqué Manticore, un acteur iranien de la menace nationale qui cible principalement le gouvernement etsecteurs de télécommunications au Moyen-Orient.Manticore marqué, lié au prolifique acteur iranien Oilrig (alias APT34, Europium, Hazel Sandstorm), a constamment poursuivi [& # 8230;]

---

>Key Findings Introduction Check Point Research, in collaboration with Sygnia\'s Incident Response Team, has been tracking and responding to the activities of Scarred Manticore, an Iranian nation-state threat actor that primarily targets government and telecommunication sectors in the Middle East. Scarred Manticore, linked to the prolific Iranian actor OilRig (a.k.a APT34, EUROPIUM, Hazel Sandstorm), has persistently pursued […] ]]> 2023-10-31T10:56:34+00:00 https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/ www.secnews.physaphae.fr/article.php?IdArticle=8403445 False Threat APT 34,APT 34 3.0000000000000000 Netskope - etskope est une société de logiciels américaine fournissant une plate-forme de sécurité informatique Résumé En octobre 2023, Netskope a analysé un document de mots malveillant et le malware qu'il contenait, surnommé «Menorah».Le malware a été attribué à un groupe de menaces persistant avancé APT34 et aurait été distribué par phisse de lance.Le fichier de bureau malveillant utilise le code VBA dispersé et obscurci pour échapper à la détection.Le groupe avancé des menaces persistantes cible [& # 8230;]

---

>Summary In October 2023, Netskope analyzed a malicious Word document and the  malware it contained, dubbed “Menorah.” The malware was attributed to an advanced persistent threat group APT34, and was reported to be distributed via spear-phishing. The malicious Office file uses dispersed and obfuscated VBA code to evade detection.  The advanced persistent threat group targets […] ]]> 2023-10-25T19:00:00+00:00 https://www.netskope.com/blog/netskope-threat-coverage-menorah www.secnews.physaphae.fr/article.php?IdArticle=8400546 False Malware,Threat APT 34 2.0000000000000000 Recorded Future - FLux Recorded Future Les pirates liés au gouvernement d'Iran \\ ont passé huit mois à l'intérieur des systèmes d'un gouvernement du Moyen-Orient non spécifié, volant des fichiers et des e-mails, selon des chercheurs.La société de cybersécurité Symantec a attribué la campagne à un groupe qu'il appelle CambusMais d'autres appellent APT34, Oilrig ou Muddywater.L'intrusion a duré de février à septembre et tandis que le

---

Hackers connected to Iran\'s government spent eight months inside the systems of an unspecified Middle East government, stealing files and emails, according to researchers. Cybersecurity firm Symantec attributed the campaign to a group it calls Crambus but others refer to as APT34, OilRig or MuddyWater. The intrusion lasted from February to September, and while the]]> 2023-10-19T20:23:00+00:00 https://therecord.media/iran-linked-hackers-8-months-middle-east-government www.secnews.physaphae.fr/article.php?IdArticle=8397883 False Threat APT 34 4.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The Iran-linked OilRig threat actor targeted an unnamed Middle East government between February and September 2023 as part of an eight-month-long campaign. The attack led to the theft of files and passwords and, in one instance, resulted in the deployment of a PowerShell backdoor called PowerExchange, the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News]]> 2023-10-19T15:45:00+00:00 https://thehackernews.com/2023/10/iran-linked-oilrig-targets-middle-east.html www.secnews.physaphae.fr/article.php?IdArticle=8397652 False Threat APT 34 3.0000000000000000 Dark Reading - Informationweek Branch The state-sponsored threat actors (aka APT34, Crambus, Helix Kitten, or OilRig) spent months seemingly taking whatever government data they wished, using never-before-seen tools.]]> 2023-10-19T14:22:00+00:00 https://www.darkreading.com/dr-global/iran-linked-muddywater-spies-middle-east-govt-eight-months www.secnews.physaphae.fr/article.php?IdArticle=8397738 False Threat APT 34 2.0000000000000000 TrendLabs Security - Editeur Antivirus We observed and tracked the advanced persistent threat (APT) APT34 group with a new malware variant accompanying a phishing attack comparatively similar to the SideTwist backdoor malware. Following the campaign, the group abused a fake license registration form of an African government agency to target a victim in Saudi Arabia.]]> 2023-09-29T00:00:00+00:00 https://www.trendmicro.com/en_us/research/23/i/apt34-deploys-phishing-attack-with-new-malware.html www.secnews.physaphae.fr/article.php?IdArticle=8389378 False Malware,Threat APT 34,APT 34 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a variant of a backdoor called SideTwist. “APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability,” NSFOCUS Security Labs said in a report published last week. APT34, also known by]]> 2023-09-06T19:20:00+00:00 https://thehackernews.com/2023/09/alert-phishing-campaigns-deliver-new.html www.secnews.physaphae.fr/article.php?IdArticle=8379668 False Threat APT 34 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Microsoft Investigates Iranian Attacks Against the Albanian Government (published: September 8, 2022) Microsoft researchers discovered that groups working under Iran’s Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow’s anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania. Analyst Comment: MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in a form of direct and proportional retaliation as it sees it. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users advised to block known OilRig network indicators. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - T1070 Tags: OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona BRONZE PRESIDENT Targets Government Officials (published: September 8, 2022) Secureworks researchers detected a new campaign by China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters. Analyst Comment: Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | ]]> 2022-09-13T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-iran-albanian-cyber-conflict-ransomware-adopts-intermittent-encryption-dll-side-loading-provides-variety-to-plugx-infections-and-more www.secnews.physaphae.fr/article.php?IdArticle=6869959 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline APT 27,APT 34 None NoticeBored - Experienced IT Security professional glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):]]> 2022-08-06T10:46:21+00:00 http://blog.noticebored.com/2022/08/a-glossy-nicely-constructed-and.html www.secnews.physaphae.fr/article.php?IdArticle=6150878 False Malware,Vulnerability,Threat,Patching,Guideline,Medical,Cloud APT 38,APT 19,APT 10,APT 37,Uber,APT 15,Guam,APT 28,APT 34 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence COBALT MIRAGE Conducts Ransomware Operations in U.S. (published: May 12, 2022) Secureworks researchers describe campaigns by Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity systems, and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and using commodity tools for encryption, internal scanning, and lateral movement. Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your system updated, and employ mitigation strategies when updates for critical vulnerabilities are not available. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, Powershell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591 SYK Crypter Distributing Malware Families Via Discord (published: May 12, 2022) Morphisec researchers discovered a new campaign abusing popular messaging platform Discord content distribution network (CDN). If a targeted user activates the phishing attachment, it starts the DNetLoader malware that reaches out to the hardcoded Discord CDN link and downloads a next stage crypter such as newly-discovered SYK crypter. SYK crypter is being loaded into memory where it decrypts its configuration and the next stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions and checks for d]]> 2022-05-17T15:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-costa-rica-in-ransomware-emergency-charming-kitten-spy-and-ransom-saitama-backdoor-hides-by-sleeping-and-more www.secnews.physaphae.fr/article.php?IdArticle=4668209 False Ransomware,Malware,Tool,Vulnerability,Threat,Conference APT 35,APT 15,APT 34 None knowbe4 - cybersecurity services Researchers at Fortinet observed a spear phishing attack that targeted a Jordanian diplomat late last month. The researchers attribute this attack to the Iranian state-sponsored threat actor APT34 (also known as OilRig or Helix Kitten). The body of the phishing email isn't particularly detailed, but the attackers put a significant amount of effort into impersonating an employee at the targeted individual's organization.]]> 2022-05-17T13:30:09+00:00 https://blog.knowbe4.com/spear-phishing-a-diplomat www.secnews.physaphae.fr/article.php?IdArticle=4667538 False Threat APT 34 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 2022-05-13T02:32:11+00:00 https://thehackernews.com/2022/05/new-saitama-backdoor-targeted-official.html www.secnews.physaphae.fr/article.php?IdArticle=4589850 False Threat APT 34 2.0000000000000000 Bleeping Computer - Magazine Américain 2022-05-12T17:30:15+00:00 https://www.bleepingcomputer.com/news/security/iranian-hackers-exposed-in-a-highly-targeted-espionage-campaign/ www.secnews.physaphae.fr/article.php?IdArticle=4593838 False Threat APT 34 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 2022-02-09T03:25:23+00:00 https://thehackernews.com/2022/02/iranian-hackers-using-new-marlin.html www.secnews.physaphae.fr/article.php?IdArticle=4098925 False Malware,Threat APT 34 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Iran’s APT34 Returns with an Updated Arsenal (published: April 8, 2021) Check Point Research discovered evidence of a new campaign by the Iranian threat group APT34. The threat group has been actively retooling and updating its payload arsenal to try and avoid detection. They have created several different malware variants whose ultimate purpose remained the same, to gain the initial foothold on the targeted device. Analyst Comment: Threat actors are always innovating new methods and update tools used to carry out attacks. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Custom Cryptographic Protocol - T1024 | [MITRE ATT&CK] Web Service - T1102 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Scripting - T1064 Tags: OilRig, APT34, DNSpionage, Lab Dookhtegan, TONEDEAF, Dookhtegan, Karkoff, DNSpionage, Government, Middle East New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp (published: April 7, 2021) Check Point Research recently discovered Android malware on Google Play hidden in a fake application that is capable of spreading itself via users’ WhatsApp messages. The malware is capable of automatically replying to victim’s incoming WhatsApp messages with a payload received from a command-and-control (C2) server. This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more. Analyst Comment: Users’ personal mobile has many enterprise applications installed like Multifactor Authenticator, Email Client, etc which increases the risk for the enterprise even further. Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups. The latest security patches should be installed for both applications and the operating system. Tags: Android, FlixOnline, WhatsApp ]]> 2021-04-13T15:49:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-android-malware-government-middle-east-and-more www.secnews.physaphae.fr/article.php?IdArticle=2631341 False Ransomware,Malware,Vulnerability,Threat,Guideline APT 34 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) ]]> 2021-04-08T06:37:05+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/hz96-cUbfVk/researchers-uncover-new-iranian-malware.html www.secnews.physaphae.fr/article.php?IdArticle=2604912 False Malware,Threat APT 34 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Google: This Spectre proof-of-concept shows how dangerous these attacks can be (published: March 15, 2021) Google has released a proof of concept (PoC) code to demonstrate the practicality of Spectre side-channel attacks against a browser's JavaScript engine to leak information from its memory. Spectre targeted the process in modern CPUs called speculative execution to leak secrets such as passwords from one site to another. While the PoC demonstrates the JavaScript Spectre attack against Chrome 88's V8 JavaScript engine on an Intel Core i7-6500U CPU on Linux, Google notes it can easily be tweaked for other CPUs, browser versions and operating systems. Analyst Comment: As the density of microchip manufacturing continues to increase, side-channel attacks are likely to be found across many architectures and are difficult (and in some cases impossible) to remediate in software. The PoC of the practicality of performing such an attack using javascript emphasises that developers of both software and hardware be aware of these types of attacks and the means by which they can be used to invalidate existing security controls. Tags: CVE-2017-5753 Threat Assessment: DearCry Ransomware (published: March 12, 2021) A new ransomware strain is being used by actors to attack unpatched Microsoft Exchange servers. Microsoft released patches for four vulnerabilities that are being exploited in the wild. The initial round of attacks included installation of web shells onto affected servers that could be used to infect additional computers. While the initial attack appears to have been done by sophisticated actors, the ease and publicity around these vulnerabilities has led to a diverse group of actors all attempting to compromise these servers. Analyst Comment: Patch and asset management are a critical and often under-resourced aspect of defense in depth. As this particular set of vulnerabilities and attacks are against locally hosted Exchange servers, organization may want to assess whether a hosted solution may make sense from a risk standpoint MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | ]]> 2021-03-17T18:03:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt-ransomware-vulnerabilities-and-more www.secnews.physaphae.fr/article.php?IdArticle=2496898 False Ransomware,Tool,Vulnerability,Threat,Guideline APT 41,Wannacry,APT 34 None Anomali - Firm Blog get signed up today so you can receive curated and summarized cybersecurity intelligence events weekly. The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Emotet, Go, Masslogger, Mustang Panda, OilRig, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact (published: February 26, 2021) Recent reporting indicates that two prolific cybercrime threat groups, CARBON SPIDER and SPRITE SPIDER, have begun targeting ESXi, a hypervisor developed by VMWare to run and manage virtual machines. SPRITE SPIDER uses PyXie's LaZagne module to recover vCenter credentials stored in web browsers and runs Mimikatz to steal credentials from host memory. After authenticating to vCenter, SPRITE SPIDER enables ssh to permit persistent access to ESXi devices. In some cases, they also change the root account password or the host’s ssh keys. Before deploying Defray 777, SPRITE SPIDER’s ransomware of choice, they terminate running VMs to allow the ransomware to encrypt files associated with those VMs. CARBON SPIDER has traditionally targeted companies operating POS devices, with initial access being gained using low-volume phishing campaigns against this sector. But throughout 2020 they were observed shifting focus to “Big Game Hunting” with the introduction of the Darkside Ransomware. CARBON SPIDER gains access to ESXi servers using valid credentials and reportedly also logs in over ssh using the Plink utility to drop the Darkside Recommendation: Both CARBON SPIDER and SPRITE SPIDER likely intend to use ransomware targeting ESXi to inflict greater harm – and hopefully realize larger profits – than traditional ransomware operations against Windows systems. Should these campaigns continue and prove to be profitable, we would expect more threat actors to imitate these activities. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Scheduled Transfer - T1029 | ]]> 2021-03-02T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt-groups-cobalt-strike-russia-malware-and-more www.secnews.physaphae.fr/article.php?IdArticle=2422682 False Ransomware,Malware,Threat APT 29,APT 31,APT 28,Wannacry,Wannacry,APT 34 None Security Affairs - Blog Secu 2020-07-16T05:43:03+00:00 https://securityaffairs.co/wordpress/105959/intelligence/cia-covert-operations-fsb-apt34.html?utm_source=rss&utm_medium=rss&utm_campaign=cia-covert-operations-fsb-apt34 www.secnews.physaphae.fr/article.php?IdArticle=1807132 False Threat Yahoo,APT 34 None Security Affairs - Blog Secu 2020-03-03T18:48:42+00:00 https://securityaffairs.co/wordpress/98878/malware/kimsuky-apt-south-korea.html www.secnews.physaphae.fr/article.php?IdArticle=1579381 False Threat APT 36,APT 34 None The State of Security - Magazine Américain Read More ]]> 2019-12-17T14:40:28+00:00 https://www.tripwire.com/state-of-security/ics-security/poison-frog-malware-samples-reveal-oilrigs-sloppiness/ www.secnews.physaphae.fr/article.php?IdArticle=1494023 False Malware,Threat APT 34 None Bleeping Computer - Magazine Américain 2019-10-21T15:29:10+00:00 https://www.bleepingcomputer.com/news/security/russian-hackers-use-iranian-threat-groups-tools-servers-as-cover/ www.secnews.physaphae.fr/article.php?IdArticle=1418268 False Malware,Threat APT 34 None SecurityWeek - Security News 2019-06-20T18:11:01+00:00 https://www.securityweek.com/russia-linked-hackers-hijack-infrastructure-iranian-threat-group www.secnews.physaphae.fr/article.php?IdArticle=1166425 False Threat APT 34 None The State of Security - Magazine Américain Read More ]]> 2018-09-13T11:16:00+00:00 https://www.tripwire.com/state-of-security/security-data-protection/oilrig-launching-attack-campaigns-with-updated-bondupdater-trojan/ www.secnews.physaphae.fr/article.php?IdArticle=806062 False Threat APT 34 None AlienVault Lab Blog - AlienVault est un acteur de defense majeur dans les IOC first part of this series, we saw how you can use Osquery to analyze and extract valuable information about malware’s behavior. In that post, we followed the activity of the known Emotet loader, popular for distributing banking trojans. Using Osquery, we were able to discover how it infects a system using a malicious Microsoft Office document and how it extracts and executes the payload. In this post, we are going to see another common technique that malware uses, persistence. To do so, we will continue using Osquery to explore the registry and startup_items tables. Registry Persistence In this case, we will analyze a piece of malware built using the .NET framework, in particular a sample of Shrug ransomware. This malware encrypts users' personal documents and requests an amount of Bitcoins to get all files restored back. https://otx.alienvault.com/indicator/file/a554b92036fbbc1c5d1a7d8a4049b01c5b6b7b30f06843fcdccf1f2420dfd707 Opening the sample with a .NET debugger, we can see that it first creates a new file in the user temp directory and writes a new value in the “CurrentVersion\Run” registry key for the user space pointing to that file. The malware will be executed every time the user logs on. This is a common persistence mechanism that malware droppers use in order to stay in the system. If we run the sample in our Osquery environment, we can easily detect this activity using a couple of queries. For example, if you remember the query we used to log files written on disk in Part 1 of this blog series, we can also use it here to detect the file planted on user temp directory. We are just searching for files written on Users directories in the last 100 seconds. Additionally, we can search for the new entry created in the registry hive. For that, we can use the ‘registry’ Osquery table, which allows us to query all the registry entries in the system.  We can also use the ‘startup_items’ table. This second table contains a set of predefined paths that the system uses to run programs automatically at startup. Running the following query, we can see how the malware has written a new entry, pointing to the ‘shrug.exe’ file discovered with the first query. The file shrug.exe is also written on .NET framework, so we can open it again with the debugger and see some interesting parts. This file first checks if the system is already infected. If not, it creates a new registry key with the same name to write the installation parameters. ]]> 2018-09-06T13:00:00+00:00 http://feeds.feedblitz.com/~/568274998/0/alienvaultotx www.secnews.physaphae.fr/article.php?IdArticle=795252 False Malware,Threat APT 34 3.0000000000000000 Mandiant - Blog Sécu de Mandiant CVE-2017-11882 Le 14 novembre 2017, Fireeye a observé un attaquant utilisant un exploit pour la vulnérabilité de Microsoft Office pour cibler une organisation gouvernementale au Moyen-Orient.Nous évaluons que cette activité a été réalisée par un groupe de menaces de cyber-espionnage iranien présumé, que nous appelons APT34, en utilisant une porte dérobée PowerShell personnalisée pour atteindre ses objectifs. Nous pensons que l'APT34 est impliqué dans une opération de cyber-espionnage à long terme largement axé sur les efforts de reconnaissance au profit des intérêts iraniens de l'État-nation et est opérationnel depuis

---

Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber espionage threat group, whom we refer to as APT34, using a custom PowerShell backdoor to achieve its objectives. We believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at]]> 2017-12-07T17:00:00+00:00 https://www.mandiant.com/resources/blog/targeted-attack-in-middle-east-by-apt34 www.secnews.physaphae.fr/article.php?IdArticle=8377759 False Vulnerability,Threat APT 34,APT 34 4.0000000000000000 Mandiant - Blog Sécu de Mandiant apt34 et leur ciblage fin 2017 d'une organisation gouvernementaleau Moyen-Orient. Introduction Au cours de la première semaine de mai 2016, DTI de FireEye \\ a identifié une vague de courriels contenant des pièces jointes malveillantes envoyées à plusieurs banques de la région du Moyen-Orient.Les acteurs de la menace semblent effectuer une reconnaissance initiale contre des cibles potentielles, et les attaques ont attiré notre attention car ils utilisaient

---

UPDATE (Dec. 8, 2017): We now attribute this campaign to APT34, a suspected Iranian cyber espionage threat group that we believe has been active since at least 2014. Learn more about APT34 and their late 2017 targeting of a government organization in the Middle East. Introduction In the first week of May 2016, FireEye\'s DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region. The threat actors appear to be performing initial reconnaissance against would-be targets, and the attacks caught our attention since they were using]]> 2016-05-22T08:01:01+00:00 https://www.mandiant.com/resources/blog/targeted-attacks www.secnews.physaphae.fr/article.php?IdArticle=8377568 False Threat APT 34 3.0000000000000000