www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2025-05-10T18:53:37+00:00 www.secnews.physaphae.fr

Mandiant - Mandiant security blog Cybercrime: A Multifaceted National Security Threat 2025-02-11T20:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cybercrime-multifaceted-national-security-threat/ www.secnews.physaphae.fr/article.php?IdArticle=8648141 False Ransomware,Malware,Tool,Vulnerability,Threat,Legislation,Medical,Cloud,Technical APT 41,APT 38,APT 29,APT 43,APT 44 3.0000000000000000

RiskIQ - cyber risk firm (now Microsoft) Weekly OSINT Highlights, 18 November 2024 2024-11-18T12:22:31+00:00 https://community.riskiq.com/article/2560112c www.secnews.physaphae.fr/article.php?IdArticle=8613484 False Ransomware,Malware,Tool,Vulnerability,Threat,Prediction,Medical,Cloud,Technical APT 41,APT 38 3.0000000000000000

RiskIQ - cyber risk firm (now Microsoft) Weekly OSINT Highlights, 28 October 2024 2024-10-28T11:27:40+00:00 https://community.riskiq.com/article/fa5a55d5 www.secnews.physaphae.fr/article.php?IdArticle=8602805 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Prediction,Medical,Cloud,Technical APT 38,Guam 2.0000000000000000

RiskIQ - cyber risk firm (now Microsoft) Weekly OSINT Highlights, 9 September 2024 2024-09-09T11:04:46+00:00 https://community.riskiq.com/article/563312a4 www.secnews.physaphae.fr/article.php?IdArticle=8573205 False Ransomware,Malware,Tool,Vulnerability,Threat,Prediction,Medical,Commercial APT 38,APT 29 2.0000000000000000

Security Intelligence - American news site When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule In February 2023, X-Force posted a blog entitled "Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers" that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware's operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as […] 2023-03-20T18:30:00+00:00 https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/ www.secnews.physaphae.fr/article.php?IdArticle=8320005 False Malware,Medical APT 38 3.0000000000000000
The Hacker News - The Hacker News is a hacking news blog (surprising, right?) Lazarus Group Exploits Zero-Day Vulnerability to Hack South Korean Financial Entity 2023-03-08T16:04:00+00:00 https://thehackernews.com/2023/03/lazarus-group-exploits-zero-day.html www.secnews.physaphae.fr/article.php?IdArticle=8316641 False Hack,Vulnerability,Medical APT 38 3.0000000000000000

AhnLab - Korean Security Firm Lazarus Group Attack Case Using Vulnerability of Certificate Software Commonly Used by Public Institutions and Universities Since two years ago (March 2021), the Lazarus group's malware strains have been found in various Korean companies related to national defense, satellites, software, media press, etc. As such, ASEC (AhnLab Security Emergency Response Center) has been pursuing and analyzing the Lazarus threat group's activities and related malware. The affected company in this case had been infiltrated by the Lazarus group in May 2022 and was re-infiltrated recently through the same software's 0-day vulnerability. During the infiltration in May 2022, ... 2023-03-06T23:30:00+00:00 https://asec.ahnlab.com/en/48810/ www.secnews.physaphae.fr/article.php?IdArticle=8316149 False Malware,Vulnerability,Threat,Medical APT 38 3.0000000000000000

Anomali - Firm Blog Anomali Cyber Watch: Newly-Discovered WinorDLL64 Backdoor Has Code Similarities with Lazarus GhostSecret, Atharvan Backdoor Can Be Restricted to Communicate on Certain Days Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence WinorDLL64: A Backdoor From The Vast Lazarus Arsenal? (published: February 23, 2023) When the Wslink downloader (WinorLoaderDLL64.dll) was first discovered in 2021, it had no known payload and no known attribution. Now ESET researchers have discovered a Wslink payload dubbed WinorDLL64. This backdoor uses some of the Wslink functions and the Wslink-established TCP connection, encrypted with the 256-bit AES-CBC cipher. WinorDLL64 has some code similarities with the GhostSecret malware used by the North Korea-sponsored Lazarus Group. Analyst Comment: Wslink and WinorDLL64 use a well-developed cryptographic protocol to protect the exchanged data. Innovative advanced persistent threat groups like Lazarus often come out with new versions of their custom malware. This makes it important for network defenders to leverage the knowledge of the wider security community by adding relevant premium feeds and leveraging controls automation via Anomali Platform integrations. MITRE ATT&CK: [MITRE ATT&CK] T1587.001 - Develop Capabilities: Malware | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1134.002 - Access Token Manipulation: Create Process With Token | [MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1087.001 - Account Discovery: Local Account | [MITRE ATT&CK] T1087.002 - Account Discovery: Domain Account | [MITRE ATT&CK] T1083 - File And Directory Discovery | [MITRE ATT&CK] T1135 - Network Share Discovery | [MITRE ATT&CK] T1057 - Process Discovery | [MITRE ATT&CK] T1012: Query Registry | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] T1614 - System Location Discovery | [MITRE ATT&CK] T1614.001 - System Location Discovery: System Language Discovery | [MITRE ATT&CK] T1016 - System Network Configuration Discovery | [MITRE ATT&CK] T1049 - System Network Connections Discovery | 2023-02-28T16:15:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-newly-discovered-winordll64-backdoor-has-code-similarities-with-lazarus-ghostsecret-atharvan-backdoor-can-be-restricted-to-communicate-on-certain-days www.secnews.physaphae.fr/article.php?IdArticle=8314193 False Ransomware,Malware,Tool,Threat,Medical,Medical,Cloud APT 38 1.00000000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, right?) Lazarus Group Using New WinorDLL64 Backdoor to Exfiltrate Sensitive Data 2023-02-23T17:17:00+00:00 https://thehackernews.com/2023/02/lazarus-group-using-new-winordll64.html www.secnews.physaphae.fr/article.php?IdArticle=8312842 False Malware,Tool,Medical APT 38 1.00000000000000000000

AhnLab - Korean Security Firm Anti-Forensic Techniques Used By Lazarus Group Since approximately a year ago, the Lazarus group's malware has been discovered in various Korean companies related to national defense, satellites, software, and media press. The AhnLab ASEC analysis team has been continuously tracking the Lazarus threat group's activities and other related TTPs. Among the recent cases, this post aims to share the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group. Overview: Definition of Anti-Forensics. Anti-forensics refers to the tampering of evidence in... 2023-02-23T02:00:00+00:00 https://asec.ahnlab.com/en/48223/ www.secnews.physaphae.fr/article.php?IdArticle=8312769 False Malware,Threat,Medical APT 38 2.0000000000000000

ZoneAlarm - Security Firm Blog Norwegian Seize Stolen Crypto Funds Linked to the Lazarus Group In March 2022, the Lazarus Group, a North Korea-backed hacking group, stole around $5.84 million worth of cryptocurrency through the Axie Infinity Ronin Bridge hack. However, over ten months later, the Norwegian police agency Økokrim announced they had seized part of the stolen funds.
The crime-fighting unit was able to track the money on the … 2023-02-21T15:23:27+00:00 https://blog.zonealarm.com/2023/02/norwegian-seize-stolen-crypto-funds-linked-to-the-lazarus-group/ www.secnews.physaphae.fr/article.php?IdArticle=8312195 False Medical APT 38 2.0000000000000000

ZoneAlarm - Security Firm Blog Norway Seizes Stolen Crypto Funds Linked to the Lazarus Group In March 2022, the Lazarus Group, a North Korea-backed hacking group, stole around $5.84 million worth of cryptocurrency through the Axie Infinity Ronin Bridge hack. However, over ten months later, the Norwegian police agency Økokrim announced they had seized the stolen funds. The crime-fighting unit was able to track the money on the blockchain, even … 2023-02-21T15:23:27+00:00 https://blog.zonealarm.com/2023/02/norway-seizes-stolen-crypto-funds-linked-to-the-lazarus-group/ www.secnews.physaphae.fr/article.php?IdArticle=8312231 True Medical APT 38 2.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, right?) Norway Seizes $5.84 Million in Cryptocurrency Stolen by Lazarus Hackers 2023-02-20T16:53:00+00:00 https://thehackernews.com/2023/02/norway-seizes-584-million-in.html www.secnews.physaphae.fr/article.php?IdArticle=8311878 False Medical APT 38 2.0000000000000000

The Register - English news site Norway finds a way to recover crypto North Korea pinched in Axie heist 2023-02-17T05:15:06+00:00 https://go.theregister.com/feed/www.theregister.com/2023/02/17/norwegian_authorities_found_59_million/ www.secnews.physaphae.fr/article.php?IdArticle=8311157 False Hack,Medical APT 38 3.0000000000000000

Dark Reading - Informationweek Branch DPRK Using Unpatched Zimbra Devices to Spy on Researchers 2023-02-07T21:05:00+00:00 https://www.darkreading.com/remote-workforce/dprk-using-unpatched-zimbra-devices-to-spy-on-researchers- www.secnews.physaphae.fr/article.php?IdArticle=8308050 False Medical,Medical APT 38 3.0000000000000000

Anomali - Firm Blog Anomali Cyber Watch: MalVirt Obfuscates with KoiVM Virtualization, IceBreaker Overlay Hides V8 Bytecode Runtime Interpretation, Sandworm Deploys Multiple Wipers in Ukraine Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence No Pineapple! – DPRK Targeting of Medical Research and Technology Sector (published: February 2, 2023) In August-November 2022, the North Korea-sponsored group Lazarus was engaging in cyberespionage operations targeting defense, engineering, healthcare, manufacturing, and research organizations. The group has shifted its infrastructure from using domains to being solely IP-based. For initial compromise the group exploited known vulnerabilities in unpatched Zimbra mail servers (CVE-2022-27925 and CVE-2022-37042).
Lazarus used off-the-shelf malware (Cobalt Strike, JspFileBrowser, JspSpy webshell, and WSO webshell), abused legitimate Windows and Unix tools (such as Putty SCP), and used tools for proxying (3Proxy, Plink, and Stunnel). Two custom malware families unique to North Korea-based advanced persistent threat actors were a new Grease version that enables RDP access on the host, and the Dtrack infostealer. Analyst Comment: Organizations should keep their mail servers and other publicly-facing systems up to date with the latest security features. Lazarus Group cyberespionage attacks are often accompanied by stages of multi-gigabyte exfiltration traffic. Suspicious connections and events should be monitored, detected and acted upon. Use the available YARA signatures and known indicators. MITRE ATT&CK: [MITRE ATT&CK] T1587.002 - Develop Capabilities: Code Signing Certificates | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] picus-security: The Most Used ATT&CK Technique—T1059 Command and Scripting Interpreter | [MITRE ATT&CK] T1569.002: Service Execution | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1505.003 - Server Software Component: Web Shell | [MITRE ATT&CK] T1037.005 - Boot or Logon Initialization Scripts: Startup Items | [MITRE ATT&CK] T1053.005 - Scheduled Task/Job: Scheduled Task | [MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location | [MITRE ATT&CK] T1553 - Subvert Trust Controls | [MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1070.007 - Indicator Removal: Clear Network Connection History And Configurations | 2023-02-07T17:23:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-malvirt-obfuscates-with-koivm-virtualization-icebreaker-overlay-hides-v8-bytecode-runtime-interpretation-sandworm-deploys-multiple-wipers-in-ukraine www.secnews.physaphae.fr/article.php?IdArticle=8307984 False Malware,Tool,Threat,Medical,Medical APT 38 3.0000000000000000

Recorded Future - Recorded Future feed Hackers linked to North Korea targeted Indian medical org, energy sector The North Korean military's notorious hacking arm – known as the Lazarus Group – has been accused of targeting public and private sector research organizations, an Indian medical research company and other businesses in the energy sector. Security analysts at WithSecure said they were called on to respond to a cyberattack that they initially tied to the […] 2023-02-02T21:04:29+00:00 https://therecord.media/hackers-linked-to-north-korea-targeted-indian-medical-org-energy-sector/ www.secnews.physaphae.fr/article.php?IdArticle=8306679 False Medical,Medical APT 38 3.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, right?) North Korean Hackers Exploit Unpatched Zimbra Devices in 'No Pineapple' Campaign 2023-02-02T15:15:00+00:00 https://thehackernews.com/2023/02/north-korean-hackers-exploit-unpatched.html www.secnews.physaphae.fr/article.php?IdArticle=8306524 False Medical APT 38 2.0000000000000000

Global Security Mag - French news site WithSecure™ researchers link intelligence-gathering campaign targeting medical research and energy organizations back to North Korea's Lazarus Group Malware Update 2023-02-02T09:12:35+00:00 https://www.globalsecuritymag.fr/WithSecure-TM-researchers-link-intelligence-gathering-campaign-targeting.html www.secnews.physaphae.fr/article.php?IdArticle=8306512 False Medical,Medical APT 38 1.00000000000000000000

CSO - CSO Daily Dashboard APT groups use ransomware TTPs as cover for intelligence gathering and sabotage 2023-02-02T01:00:00+00:00 https://www.csoonline.com/article/3686580/apt-groups-use-ransomware-ttps-as-cover-for-intelligence-gathering-and-sabotage.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=8306508 False Ransomware,Threat,Medical APT 38 2.0000000000000000

Anomali - Firm Blog Anomali Cyber Watch: KilllSomeOne Folders
Invisible in Windows, Everything APIs Abuse Speeds Up Ransomware, APT38 Experiments with Delivery Vectors and Backdoors Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Chinese PlugX Malware Hidden in Your USB Devices? (published: January 26, 2023) Palo Alto researchers analyzed a PlugX malware variant (KilllSomeOne) that spreads via USB devices such as floppy, thumb, or flash drives. The variant is used by a technically-skilled group, possibly by the Black Basta ransomware group. The actors use special shortcuts, folder icons and settings to make folders impersonate disks and a recycle bin directory. They also name certain folders with the 00A0 (no-break space) Unicode character, thus hindering Windows Explorer and the command shell from displaying the folder and all the files inside it. Analyst Comment: Several behavior detections could be used to spot similar PlugX malware variants: DLL side-loading, adding registry persistence, and payload execution with rundll32.exe. Incident responders can check USB devices for the presence of a no-break space as a folder name. MITRE ATT&CK: [MITRE ATT&CK] T1091 - Replication Through Removable Media | [MITRE ATT&CK] T1559.001 - Inter-Process Communication: Component Object Model | [MITRE ATT&CK] T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification | [MITRE ATT&CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] T1564.001: Hidden Files and Directories | [MITRE ATT&CK] T1105 - Ingress Tool Transfer Tags: detection:PlugX, detection:KilllSomeOne, USB, No-break space, file-type:DAT, file-type:EXE, file-type:DLL, actor:Black Basta, Windows Abraham's Ax Likely Linked to Moses Staff (published: January 26, 2023) Cobalt Sapling is an Iran-based threat actor active in hacking, leaking, and sabotage since at least November 2020. Since October 2021, Cobalt Sapling has been operating under a persona called Moses Staff to leak data from Israeli businesses and government entities. In November 2022, an additional fake identity was created, Abraham's Ax, to target government ministries in Saudi Arabia. Cobalt Sapling uses its custom PyDCrypt loader, the StrifeWater remote access trojan, and the DCSrv wiper styled as ransomware. Analyst Comment: A defense-in-depth approach can assist in creating a proactive stance against threat actors attempting to destroy data. Critical systems should be segregated from each other to minimize potential damage, with an 2023-01-31T17:27:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-killlsomeone-folders-invisible-in-windows-everything-apis-abuse-speeds-up-ransomware-apt38-experiments-with-delivery-vectors-and-backdoors www.secnews.physaphae.fr/article.php?IdArticle=8305945 False Ransomware,Malware,Tool,Threat,Medical APT 38 3.0000000000000000

Global Security Mag - French news site Cyber threat: the TA444 group deploys new methods to steal cryptocurrencies Malwares 2023-01-25T14:41:22+00:00 https://www.globalsecuritymag.fr/Cybermenace-le-groupe-TA444-deploie-de-nouvelles-methodes-pour-derober-des.html www.secnews.physaphae.fr/article.php?IdArticle=8303977 False Medical APT 38 1.00000000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, right?) FBI Says North Korean Hackers Behind $100 Million Horizon Bridge Crypto Theft 2023-01-24T17:28:00+00:00 https://thehackernews.com/2023/01/fbi-says-north-korean-hackers-behind.html www.secnews.physaphae.fr/article.php?IdArticle=8303677 False Hack,Threat,Medical APT 38 2.0000000000000000

Bleeping Computer - American magazine FBI: North Korean hackers stole $100 million in Harmony crypto hack 2023-01-24T09:49:59+00:00 https://www.bleepingcomputer.com/news/security/fbi-north-korean-hackers-stole-100-million-in-harmony-crypto-hack/ www.secnews.physaphae.fr/article.php?IdArticle=8303700 False Hack,Medical APT 38 2.0000000000000000

Anomali - Firm Blog Anomali Cyber Watch: Machine Learning Toolkit Targeted by Dependency Confusion, Multiple Campaigns Hide in Google Ads, Lazarus Group Experiments with Bypassing Mark-of-the-Web Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence PyTorch Discloses Malicious Dependency Chain Compromise Over Holidays (published: January 1, 2023) Between December 25th and December 30th, 2022, users who installed PyTorch-nightly were targeted by a malicious library. The malicious torchtriton dependency on PyPI uses the dependency confusion attack by having the same name as the legitimate one on the PyTorch repository (PyPI takes precedence unless excluded). The actor behind the malicious library claims that it was part of ethical research and that he alerted some affected companies via HackerOne programs (Facebook was allegedly alerted). At the same time, the library's features are more aligned with malware than with a research project. The code is obfuscated, it employs anti-VM techniques, and it doesn't stop at fingerprinting. It exfiltrates passwords, certain files, and the history of Terminal commands. Stolen data is sent to the C2 domain via encrypted DNS queries using the wheezy[.]io DNS server. Analyst Comment: The presence of the malicious torchtriton binary can be detected, and it should be uninstalled. The PyTorch team has renamed the 'torchtriton' library to 'pytorch-triton' and reserved the name on PyPI to prevent similar attacks. Open-source repositories and apps are a valuable asset for many organizations, but their adoption must be security risk assessed, appropriately mitigated and then monitored to ensure ongoing integrity. MITRE ATT&CK: [MITRE ATT&CK] T1195.001 - Supply Chain Compromise: Compromise Software Dependencies And Development Tools | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] T1003.008 - OS Credential Dumping: /Etc/Passwd And /Etc/Shadow | [MITRE ATT&CK] T1041 - Exfiltration Over C2 Channel Tags: Dependency confusion, Dependency chain compromise, PyPI, PyTorch, torchtriton, Facebook, Meta AI, Exfiltration over DNS, Linux Linux Backdoor Malware Infects WordPress-Based Websites (published: December 30, 2022) Doctor Web researchers have discovered a new Linux backdoor that attacks websites based on the WordPress content management system. The latest version of the backdoor exploits 30 vulnerabilities in outdated versions of WordPress add-ons (plugins and themes). The exploited website pages are injected with malicious JavaScript that intercepts all user clicks on the infected page to cause a malicious redirect. Analyst Comment: Owners of WordPress-based websites should keep all the components of the platform up-to-date, including third-party add-ons and themes. Use 2023-01-04T16:30:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-machine-learning-toolkit-targeted-by-dependency-confusion-multiple-campaigns-hide-in-google-ads-lazarus-group-experiments-with-bypassing-mark-of-the-web www.secnews.physaphae.fr/article.php?IdArticle=8297872 False Malware,Tool,Vulnerability,Threat,Patching,Medical APT 38,LastPass 2.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, right?) BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection 2022-12-27T20:27:00+00:00 https://thehackernews.com/2022/12/bluenoroff-apt-hackers-using-new-ways.html www.secnews.physaphae.fr/article.php?IdArticle=8295250 False Medical APT 38 3.0000000000000000

Anomali - Firm Blog Anomali Cyber Watch: MuddyWater Hides Behind Legitimate Remote Administration Tools, Vice Society Tops Ransomware Threats to Education, Abandoned JavaScript Library Domain Pushes Web-Skimmers Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New MuddyWater Threat: Old Kitten; New Tricks (published: December 8, 2022) In 2020-2022, the Iran-sponsored MuddyWater (Static Kitten, Mercury) group went through abusing several legitimate remote administration tools: RemoteUtilities, followed by ScreenConnect and then Atera Agent. Since September 2022, a new campaign attributed to MuddyWater uses spearphishing to deliver links to archived MSI files with yet another remote administration tool: Syncro. Deep Instinct researchers observed the targeting of Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates. Analyst Comment: Network defenders are advised to establish a baseline for typical running processes and monitor for remote desktop solutions that are not common in the organization. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Remote Access Tools - T1219 Tags: mitre-group:MuddyWater, actor:Static Kitten, actor:Mercury, Iran, source-country:IR, APT, Cyberespionage, Ministry of Intelligence and Security, detection:Syncro, malware-type:RAT, file-type:MSI, file-type:ZIP, OneHub, Windows Babuk Ransomware Variant in Major New Attack (published: December 7, 2022) In November 2022, Morphisec researchers identified a new ransomware variant based on the Babuk source code that was leaked in 2021.
One modification lowers detection by abusing a legitimate Microsoft-signed process: DLL side-loading into NTSD.exe (a Symbolic Debugger tool for Windows). The mechanism to remove the available Shadow Copies was changed to using Component Object Model objects that execute Windows Management Instrumentation queries. This sample was detected in a large, unnamed manufacturing company where attackers had network access and were gathering information for two weeks. They compromised the company's domain controller and used it to distribute ransomware to all devices within the organization through a Group Policy Object. The delivered BAT script bypasses User Account Control and executes a malicious MSI file that contains files for DLL side-loading and an open-source-based reflective loader (OCS files). Analyst Comment: The attackers strive to improve their evasion techniques; at certain steps their malware hides behind Microsoft-signed processes and exists primarily in device memory. This increases the need for a defense-in-depth approach and robust monitoring of your organization's domain. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Abuse Elevation Control Mechanism - T1548 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | 2022-12-13T16:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-muddywater-hides-behind-legitimate-remote-administration-tools-vice-society-tops-ransomware-threats-to-education-abandoned-javascript-library-domain-pushes-web-skimmers www.secnews.physaphae.fr/article.php?IdArticle=8290724 False Ransomware,Malware,Tool,Threat,Medical APT 38 3.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, right?) Microsoft Alerts Cryptocurrency Industry of Targeted Cyber Attacks 2022-12-07T14:52:00+00:00 https://thehackernews.com/2022/12/microsoft-alerts-cryptocurrency.html www.secnews.physaphae.fr/article.php?IdArticle=8288593 False Threat,Medical APT 38 3.0000000000000000

Anomali - Firm Blog Anomali Cyber Watch: Infected Websites Show Different Headers Depending on Search Engine Fingerprinting, 10 Android Platform Certificates Abused in the Wild, Phishing Group Impersonated Major UAE Oil Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Chinese Gambling Spam Targets World Cup Keywords (published: December 2, 2022) Since 2018, a large-scale website infection campaign has been affecting up to over 100,000 sites at a given moment. Infected websites, mostly oriented at audiences in China, were modified with additional scripts. Compromised websites were made to redirect users to Chinese gambling sites. Title and Meta tags on the compromised websites were changed to display keywords that the attackers had chosen to abuse search engine optimization (SEO). At the same time, additional scripts were switching the page titles back to the original if the visitor fingerprinting did not show a Chinese search engine from a preset list (such as Baidu). Analyst Comment: Website owners should keep their systems updated, use unique strong passwords and introduce MFA for all privileged or internet-facing resources, and employ server-side scanning to detect unauthorized malicious content. Implement secure storage for website backups.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 Tags: SEO hack, HTML entities, Black hat SEO, Fraudulent redirects, Visitor fingerprinting, Gambling, Sports betting, World Cup, China, target-country:CN, JavaScript, Baidu, baiduspider, Sogou, 360spider, Yisou Leaked Android Platform Certificates Create Risks for Users (published: December 2, 2022) On November 30, 2022, Google reported 10 different Android platform certificates that were seen actively abused in the wild to sign malware. Rapid7 researchers found that the reported signed samples are adware, so it is possible that these platform certificates may have been widely available. It is not shared how these platform certificates could have been leaked. Analyst Comment: Malware signed with a platform certificate can enjoy privileged execution with system permissions, including permissions to access user data. Developers should minimize the number of applications requiring a platform certificate signature. Tags: Android, Google, Platform certificates, Signed malware, malware-type:Adware Blowing Cobalt Strike Out of the Water With Memory Analysis (published: December 2, 2022) The Cobalt Strike attack framework remains difficult to detect as it works mostly in memory and doesn't touch the disk much after the initial loader stage. Palo Alto researchers analyzed three types of Cobalt Strike loaders: KoboldLoader, which loads an SMB beacon; MagnetLoader, which loads an HTTPS beacon; and LithiumLoader, which loads a stager beacon. These beacon samples do not execute in normal sandbox environments and utilize in-me 2022-12-06T17:09:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-infected-websites-show-different-headers-depending-on-search-engine-fingerprinting-10-android-platform-certificates-abused-in-the-wild-phishing-group-impersonated-major-uae-oil www.secnews.physaphae.fr/article.php?IdArticle=8288335 False Spam,Malware,Tool,Threat,Medical APT 38 3.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, right?) Russian Courts Targeted by New CryWiper Data Wiper Malware Posing as Ransomware 2022-12-05T17:54:00+00:00 https://thehackernews.com/2022/12/russian-courts-targeted-by-new-crywiper.html www.secnews.physaphae.fr/article.php?IdArticle=8287807 False Ransomware,Malware,Medical APT 38 3.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, right?) North Korean Hackers Spread AppleJeus Malware Disguised as Cryptocurrency Apps 2022-12-05T16:00:00+00:00 https://thehackernews.com/2022/12/north-korean-hackers-spread-applejeus.html www.secnews.physaphae.fr/article.php?IdArticle=8287791 False Malware,Threat,Medical APT 38 3.0000000000000000

Anomali - Firm Blog Anomali Cyber Watch: URI Fragmentation Used to Stealthily Defraud Holiday Shoppers, Lazarus and BillBug Stick to Their Custom Backdoors, Z-Team Turned Ransomware into Wiper, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence DEV-0569 Finds New Ways to Deliver Royal Ransomware, Various Payloads (published: November 17, 2022) From August to October 2022, Microsoft researchers detected new campaigns by a threat group dubbed DEV-0569. For delivery, the group alternated between delivering malicious links by abusing Google Ads for malvertising and by using contact forms on targeted organizations' public websites.
Fake installer files were hosted on typosquatted domains or legitimate repositories (GitHub, OneDrive). The first stage was a user-downloaded, signed MSI or VHD file (BatLoader malware), leading to second-stage payloads such as BumbleBee, Gozi, Royal Ransomware, or Vidar Stealer. Analyst Comment: DEV-0569 is a dangerous group because of its abuse of legitimate services and legitimate certificates. Organizations should consider educating and limiting their users regarding software installation options. Links from alternative incoming messaging, such as contact forms, should be treated as thoroughly as links from incoming email traffic. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: actor:DEV-0569, detection:Cobalt Strike, detection:Royal, malware-type:Ransomware, file-type:VHD, detection:NSudo, malware-type:Hacktool, detection:IcedID, Google Ads, Keitaro, Traffic distribution system, detection:Gozi, detection:BumbleBee, NirCmd, detection:BatLoader, malware-type:Loader, detection:Vidar, malware-type:Stealer, AnyDesk, GitHub, OneDrive, PowerShell, Phishing, SEO poisoning, TeamViewer, Adobe Flash Player, Zoom, Windows Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment (published: November 16, 2022) From mid-September 2022, a new phishing campaign has targeted users in North America with holiday special pretenses. It impersonated a number of major brands including Costco, Delta Airlines, Dick's, and Sam's Club. Akamai researchers analyzed the techniques that the underlying sophisticated phishing kit was using. For defense evasion and tracking, the attackers used URI fragmentation. They placed target-specific tokens after the URL fragment identifier (a hash mark, aka HTML anchor). The value was used by JavaScript code running in the victim's browser to reconstruct the redirecting URL. Analyst Comment: Evasion through URI fragmentation hides the token value from traff 2022-11-22T23:47:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-uri-fragmentation-used-to-stealthily-defraud-holiday-shoppers-lazarus-and-billbug-stick-to-their-custom-backdoors-z-team-turned-ransomware-into-wiper-and-more www.secnews.physaphae.fr/article.php?IdArticle=8169179 False Ransomware,Malware,Tool,Threat,Guideline,Medical APT 38 4.0000000000000000

AhnLab - Korean Security Firm A Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the BYOVD Technique In the ASEC blog post uploaded in April 2022 (New Malware of Lazarus Threat Actor Group Exploiting INITECH Process, https://asec.ahnlab.com/en/33801/), the team discussed the fact that the Lazarus attack group had been exploiting the INITECH process to infect systems with malware. This article aims to cover the details of the Lazarus group using the watering hole technique to hack into systems before exploiting the vulnerability of the MagicLine4NX product from Dream Security in order to additionally hack into systems in... 2022-10-31T01:57:31+00:00 https://asec.ahnlab.com/en/40830/ www.secnews.physaphae.fr/article.php?IdArticle=7747128 False Malware,Hack,Vulnerability,Threat,Medical APT 38 None

Anomali - Firm Blog Anomali Cyber Watch: Daixin Team Ransoms Healthcare Sector, Earth Berberoka Breaches Casinos for Data, Windows Affected by Bring-Your-Own-Vulnerable-Driver Attacks, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Alert (AA22-294A) #StopRansomware: Daixin Team (published: October 21, 2022) Daixin Team is a double-extortion ransomware group that has been targeting US businesses, predominantly in the healthcare sector.
Since June 2022, Daixin Team has been encrypting electronic health record services, diagnostics services, imaging services, and intranet services. The group has exfiltrated personal identifiable information and patient health information. Typical intrusion starts with initial access through virtual private network (VPN) servers gained by exploitation or valid credentials derived from prior phishing. They use SSH and RDP for lateral movement and target VMware ESXi systems with ransomware based on leaked Babuk Locker source code. Analyst Comment: Network defenders should keep organization’s VPN servers up-to-date on security updates. Enable multifactor authentication (MFA) on your VPN server and other critical accounts (administrative, backup-related, and webmail). Restrict the use of RDP, SSH, Telnet, virtual desktop and similar services in your environment. MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Remote Service Session Hijacking - T1563 | [MITRE ATT&CK] Use Alternate Authentication Material - T1550 | [MITRE ATT&CK] Exfiltration Over Web Service - T1567 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: actor:Daixin Team, malware-type:Ransomware, PHI, SSH, RDP, Rclone, Ngrok, target-sector:Health Care NAICS 62, ESXi, VMware, Windows Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool (published: October 21, 2022) Symantec detected a new custom data exfiltration tool used in a number of BlackByte ransomware attacks. This infostealer, dubbed Exbyte, performs anti-sandbox checks and proceeds to exfiltrate selected file types to a hardcoded Mega account. BlackByte ransomware-as-a-service operations were first uncovered in February 2022. The group’s recent attacks start with exploiting public-facing vulnerabilities of ProxyShell and ProxyLogon families. 
BlackByte removes Kernel Notify Routines to bypass Endpoint Detection and Response (EDR) products. The group uses AdFind, AnyDesk, Exbyte, NetScan, and PowerView tools and deploys BlackByte 2.0 ransomware payload. Analyst Comment: It is crucial that your company ensures that servers are]]> 2022-10-25T16:53:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-daixin-team-ransoms-healthcare-sector-earth-berberoka-breaches-casinos-for-data-windows-affected-by-bring-your-own-vulnerable-driver-attacks-and-more www.secnews.physaphae.fr/article.php?IdArticle=7673563 False Ransomware,Malware,Tool,Vulnerability,Threat,Medical APT 38 None CISCO Talos - Cisco Research blog The benefits of taking an intent-based approach to detecting Business Email Compromise By Abhishek Singh.BEC is a multi-stage attack. Adversaries first identify targets, then they establish rapport with the victim before exploiting them for whatever their end goal is. In the case of BEC, a threat actor can impersonate any employee in the organization to trick targets.  A policy that checks for authorized email addresses of the sender can prevent BEC attacks. However, scaling the approach for every employee in a large organization is a challenge.  Building an executive profile based on email analysis using a machine learning model and scanning emails against that profile will detect BEC. Data collection for building and training machine learning algorithms can take time, though, opening a window of opportunity for threat actors to exploit.  Detection of exploitation techniques such as lookalike domains and any differences in the email addresses in the "From" and "Reply-to" fields can also detect BEC messages. However, the final verdict cannot account for the threat actor's intent.  The intent-based approach detects BEC and then classifies it into the type of scam. It catches BEC messages, irrespective of whether a threat actor is impersonating a C-level executive or any employee in an organization. 
Classification based on the type of scam can help identify which segment of an organization was targeted and which employees were being impersonated by the threat actor. The additional information will further assist in better designing preventive features to stop BEC. Business email compromise (BEC) is one of the most financially damaging online crimes. As per the internet crime 221 report, the total loss in 2021 due to BEC is around 2.4 billion dollars. Since 2013, BEC has resulted in a 43 billion dollars loss. The report defines BEC as a scam targeting businesses (not individuals) working with foreign suppliers and companies regularly performing wire transfer payments. Fraudsters carry out these sophisticated scams to conduct the unauthorized transfer of funds. This introduces the challenge of how to detect and block these campaigns as they continue to compromise organizations successfully. There are a variety of approaches to identifying BEC email messages, such as using policy to allow emails from authorized email addresses, detecting exploitation techniques used by threat actors, building profiles by analysis of emails, and validating against the profile to detect BEC. These approaches have a variety of limitations or shortcomings. Cisco Talos is taking a different approach and using an intent-based model to identify and block BEC messages. Before we get too deep into the intent-based model, take a deeper look at the commonly used approaches to block BEC from the simplistic through machine learning (ML) approaches. Policy-based detection The first place to start is with policy-based detection as it is one of the most common and simplistic approaches to blocking BEC campaigns. Let's start by looking at an example of a BEC email. 
]]> 2022-10-18T08:41:18+00:00 http://blog.talosintelligence.com/2022/10/the-benefits-of-taking-intent-based.html www.secnews.physaphae.fr/article.php?IdArticle=7540074 False Threat,Medical,Cloud Yahoo,Uber,APT 38,APT 37,APT 29,APT 19,APT 15,APT 10 None CVE Liste - Common Vulnerability Exposure CVE-2022-32172 2022-10-06T18:16:03+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-32172 www.secnews.physaphae.fr/article.php?IdArticle=7323479 False Medical APT 38 None CVE Liste - Common Vulnerability Exposure CVE-2022-32171 2022-10-06T18:16:02+00:00 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-32171 www.secnews.physaphae.fr/article.php?IdArticle=7323478 False Medical APT 38 None Malwarebytes Labs - MalwarebytesLabs Bogus job offers hide trojanised open-source software Categories: NewsTags: malware Tags: ZINC Tags: microsoft Tags: infection Tags: C&C Tags: open source Tags: job offer Tags: fake Tags: LinkedIn A North Korean ZINC group is accused of creating compromised versions of KiTTY, PuTTY, TightVNC, and other popular open-source software apps (Read more...) ]]> 2022-10-05T15:45:00+00:00 https://www.malwarebytes.com/blog/news/2022/10/bogus-job-offers-lead-to-weaponised-open-source-software www.secnews.physaphae.fr/article.php?IdArticle=7312391 False Guideline,Medical APT 38 None Anomali - Firm Blog Anomali Cyber Watch: Canceling Subscription Installs Royal Ransomware, Lazarus Covinces to SSH to Its Servers, Polyglot File Executed Itself as a Different File Type, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New Royal Ransomware Emerges in Multi-Million Dollar Attacks (published: September 29, 2022) AdvIntel and BleepingComputer researchers describe the Royal ransomware group. Several experienced ransomware actors formed this group in January 2022. 
It started with third-party encryptors such as BlackCat, switched to using its own custom Zeon ransomware, and, since the middle of September 2022, the Royal ransomware. Royal group utilizes targeted callback phishing attacks. Its phishing emails impersonating food delivery and software providers contained phone numbers to cancel the alleged subscription (after the alleged end of a free trial). If an employee calls the number, Royal uses social engineering to convince the victim to install a remote access tool, which is used to gain initial access to the corporate network. Analyst Comment: Use services such as Anomali's Premium Digital Risk Protection to detect the abuse of your brands in typosquatting and phishing attacks. Organizations should include callback phishing attacks awareness into their anti-phishing training. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Phishing - T1566 Tags: actor:Royal, detection:Zeon, detection:Royal, malware-type:Ransomware, detection:BlackCat, detection:Cobalt Strike, Callback phishing attacks, Spearphishing, Social Engineering ZINC Weaponizing Open-Source Software (published: September 29, 2022) Microsoft researchers described recent developments in Lazarus Group (ZINC) campaigns that start from social engineering conversations on LinkedIn. Since June 2022, Lazarus was able to trojanize several open-source tools (KiTTY, muPDF/Subliminal Recording software installer, PuTTY, TightVNC, and Sumatra PDF Reader). When a target extracts the trojanized tool from the ISO file and installs it, Lazarus is able to deliver their custom malware such as EventHorizon and ZetaNile. In many cases, the final payload was not delivered unless the target manually established an SSH connection to an attacker-controlled IP address provided in the attached ReadMe.txt file. 
Analyst Comment: All known indicators connected to this recent Lazarus Group campaign are available in the Anomali platform and customers are advised to block these on their infrastructure. Researchers should monitor for the additional User Execution step required for payload delivery. Defense contractors should be aware of advanced social engineering efforts abusing LinkedIn and other means of establishing trusted communication. MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Scheduled Task - T1053 | ]]> 2022-10-04T18:08:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-canceling-subscription-installs-royal-ransomware-lazarus-covinces-to-ssh-to-its-servers-polyglot-file-executed-itself-as-a-different-file-type-and-more www.secnews.physaphae.fr/article.php?IdArticle=7298043 False Ransomware,Malware,Tool,Threat,Medical APT 38 None Security Affairs - Blog Secu Lazarus APT employed an exploit in a Dell firmware driver in recent attacks North Korea-linked Lazarus APT has been spotted deploying a Windows rootkit by taking advantage of an exploit in a Dell firmware driver. The North Korea-backed Lazarus Group has been observed deploying a Windows rootkit by relying on exploit in a Dell firmware driver dbutil_2_3.sys, ESET researchers warn. The discovery was made by ESET researchers while […] ]]> 2022-10-04T15:02:16+00:00 https://securityaffairs.co/wordpress/136623/apt/lazarus-exploit-dell-firmware-driver.html www.secnews.physaphae.fr/article.php?IdArticle=7296096 False Medical APT 38 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Hackers Exploiting Dell Driver Vulnerability to Deploy Rootkit on Targeted Computers 2022-10-03T16:26:00+00:00 https://thehackernews.com/2022/10/hackers-exploiting-dell-driver.html www.secnews.physaphae.fr/article.php?IdArticle=7292668 False Vulnerability,Threat,Medical APT 38 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
North Korean Hackers Weaponizing Open-Source Software in Latest Cyber Attacks 2022-09-30T15:32:00+00:00 https://thehackernews.com/2022/09/north-korean-hackers-weaponizing-open.html www.secnews.physaphae.fr/article.php?IdArticle=7222830 False Threat,Medical APT 38 None InfoSecurity Mag - InfoSecurity Magazine Lazarus-Associated Hackers Weaponize Open-Source Tools Against Several Countries 2022-09-30T15:00:00+00:00 https://www.infosecurity-magazine.com/news/lazarus-group-weaponize-open/ www.secnews.physaphae.fr/article.php?IdArticle=7225933 False Medical APT 38 None AhnLab - Korean Security Firm Analysis Report on Lazarus Group\'s Rootkit Attack Using BYOVD Since 2009, Lazarus Group, known to be a group of hackers in North Korea, has been attacking not only Korea but various countries of America, Asia, and Europe. According to AhnLab’s ASD (AhnLab Smart Defense) infrastructure, in early 2022, the Lazarus Group performed APT (Advanced Persistent Threat) attacks on Korea’s defense, finance, media, and pharmaceutical industries. AhnLab closely tracked these APT attacks and discovered that these attacks incapacitate security products in the attack process. An analysis of the attack process... ]]> 2022-09-22T05:47:21+00:00 https://asec.ahnlab.com/en/38993/ www.secnews.physaphae.fr/article.php?IdArticle=7055562 False Medical APT 38 4.0000000000000000 Schneier on Security - Chercheur Cryptologue Américain FBI Seizes Stolen Cryptocurrencies reporting that the FBI has recovered over $30 million in cryptocurrency stolen by North Korean hackers earlier this year. It’s only a fraction of the $540 million stolen, but it’s something. The Axie Infinity recovery represents a shift in law enforcement’s ability to trace funds through a web of so-called crypto addresses, the virtual accounts where cryptocurrencies are stored. These addresses can be created quickly without them being linked to a cryptocurrency company that could freeze the funds. 
In its effort to mask the stolen crypto, Lazarus Group used more than 12,000 different addresses, according to Chainalysis. Unlike bank transactions that happen through private networks, movement between crypto accounts is visible to the world on the blockchain...]]> 2022-09-13T11:51:39+00:00 https://www.schneier.com/blog/archives/2022/09/fbi-seizes-stolen-cryptocurrencies.html www.secnews.physaphae.fr/article.php?IdArticle=6868279 False Medical APT 38 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) U.S. Seizes Cryptocurrency Worth $30 Million Stolen by North Korean Hackers 2022-09-09T17:06:00+00:00 https://thehackernews.com/2022/09/us-seizes-cryptocurrency-worth-30.html www.secnews.physaphae.fr/article.php?IdArticle=6803428 False Threat,Medical APT 38 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) North Korean Lazarus Hackers Targeting Energy Providers Around the World 2022-09-08T17:50:00+00:00 https://thehackernews.com/2022/09/north-korean-lazarus-hackers-targeting.html www.secnews.physaphae.fr/article.php?IdArticle=6784938 False Medical APT 38 None The Register - Site journalistique Anglais Lazarus Group unleashed a MagicRAT to spy on energy providers 2022-09-08T12:00:09+00:00 https://go.theregister.com/feed/www.theregister.com/2022/09/08/lazarus_group_energy_firms_trade_secrets/ www.secnews.physaphae.fr/article.php?IdArticle=6783464 False Malware,Medical APT 38 None CISCO Talos - Cisco Research blog Lazarus and the tale of three RATs By Jung soo An, Asheer Malhotra and Vitor Ventura.Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations.Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan. 
The campaign is meant to infiltrate organizations around the world for establishing long term access and subsequently exfiltrating data of interest to the adversary's nation-state.Talos has discovered the use of two known families of malware in these intrusions - VSingle and YamaBot.Talos has also discovered the use of a recently disclosed implant we're calling "MagicRAT" in this campaign. IntroductionCisco Talos observed North Korean state-sponsored APT Lazarus Group conducting malicious activity between February and July 2022. Lazarus has been previously attributed to the North Korean government by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The entry vectors involve the successful exploitation of vulnerabilities in VMWare products to establish initial footholds into enterprise networks, followed by the deployment of the group's custom malware implants, VSingle and YamaBot. In addition to these known malware families, we have also discovered the use of a previously unknown malware implant we're calling "MagicRAT."This campaign was previously partially disclosed by other security firms, but our findings reveal more details about the adversary's modus operandi. We have also observed an overlap of command and control (C2) and payload-hosting infrastructure between our findings and the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) June advisory that detailed continued attempts from threat actors to compromise vulnerable VMWare Horizon servers.In this research, we illustrate Lazarus Group's post-exploitation tactics, techniques and procedures (TTPs) to establish a foothold, perform initial reconnaissance, deploy bespoke malware and move laterally across infected enterprises. We also provide details about the activities performed by the attackers when the VSingle backdoor is instrumented on the infected endpoints.In this campaign, Lazarus was primarily targeting energy companies in Canada, the U.S. and Japan. 
The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean govern]]> 2022-09-08T08:39:42+00:00 http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html www.secnews.physaphae.fr/article.php?IdArticle=6785115 False Malware,Tool,Vulnerability,Threat,Medical APT 38 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns 2022-09-07T17:40:00+00:00 https://thehackernews.com/2022/09/north-korean-hackers-spotted-using-new.html www.secnews.physaphae.fr/article.php?IdArticle=6767439 False Malware,Medical APT 38 None CISCO Talos - Cisco Research blog MagicRAT: Lazarus\' latest gateway into victim networks By Jung soo An, Asheer Malhotra and Vitor Ventura.Cisco Talos has discovered a new remote access trojan (RAT) we're calling "MagicRAT," developed and operated by the Lazarus APT group, which the U.S. government believes is a North Korean state-sponsored actor.Lazarus deployed MagicRAT after the successful exploitation of vulnerabilities in VMWare Horizon platforms.We've also found links between MagicRAT and another RAT known as "TigerRAT," disclosed and attributed to Lazarus by the Korean Internet & Security Agency (KISA) recently.TigerRAT has evolved over the past year to include new functionalities that we illustrate in this blog. Executive SummaryCisco Talos has discovered a new remote access trojan (RAT), which we are calling "MagicRAT," that we are attributing with moderate to high confidence to the Lazarus threat actor, a state-sponsored APT attributed to North Korea by the U.S. Cyber Security & Infrastructure Agency (CISA). This new RAT was found on victims that had been initially compromised through the exploitation of publicly exposed VMware Horizon platforms. 
While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely.We have also found evidence to suggest that once MagicRAT is deployed on infected systems, it launches additional payloads such as custom-built port scanners. Additionally, we've found that MagicRAT's C2 infrastructure was also used to host newer variants of known Lazarus implants such as TigerRAT. The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide.Actor profile]]> 2022-09-07T08:01:43+00:00 http://blog.talosintelligence.com/2022/09/lazarus-magicrat.html www.secnews.physaphae.fr/article.php?IdArticle=6766837 False Malware,Threat,Medical APT 38 3.0000000000000000 CSO - CSO Daily Dashboard WannaCry explained: A perfect ransomware storm ransomware worm that spread rapidly through across a number of computer networks in May of 2017. 
After infecting a Windows computer, it encrypts files on the PC's hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin in order to decrypt them.A number of factors made the initial spread of WannaCry particularly noteworthy: it struck a number of important and high-profile systems, including many in Britain's National Health Service; it exploited a Windows vulnerability that was suspected to have been first discovered by the United States National Security Agency; and it was tentatively linked by Symantec and other security researchers to the Lazarus Group, a cybercrime organization that may be connected to the North Korean government.To read this article in full, please click here]]> 2022-08-24T12:34:00+00:00 https://www.csoonline.com/article/3227906/wannacry-explained-a-perfect-ransomware-storm.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=6506640 False Ransomware,Vulnerability,Medical Wannacry,Wannacry,APT 38 None Bleeping Computer - Magazine Américain North Korean hackers use signed macOS malware to target IT job seekers 2022-08-17T13:01:42+00:00 https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-signed-macos-malware-to-target-it-job-seekers/ www.secnews.physaphae.fr/article.php?IdArticle=6375974 False Malware,Medical APT 38 None IT Security Guru - Blog Sécurité Job Seekers Targeted in Lazarus Group Hack 2022-08-17T09:33:15+00:00 https://www.itsecurityguru.org/2022/08/17/job-seekers-targeted-in-lazarus-group-hack/?utm_source=rss&utm_medium=rss&utm_campaign=job-seekers-targeted-in-lazarus-group-hack www.secnews.physaphae.fr/article.php?IdArticle=6370619 True Malware,Hack,Medical APT 38 None Security Affairs - Blog Secu North Korea-linked APT targets Job Seekers with macOS malware The North Korea-linked Lazarus Group has been observed targeting job seekers with macOS malware working also on Intel and M1 chipsets. 
ESET researchers continue to monitor a cyberespionage campaign, tracked as “Operation In(ter)ception,” that has been active at least since June 2020. The campaign targets employees working in the aerospace and military sectors and leverages […] ]]> 2022-08-17T08:31:52+00:00 https://securityaffairs.co/wordpress/134491/malware/north-korea-mac-malware-m1.html www.secnews.physaphae.fr/article.php?IdArticle=6369198 False Malware,Medical APT 38 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) North Korea Hackers Spotted Targeting Job Seekers with macOS Malware 2022-08-16T23:20:26+00:00 https://thehackernews.com/2022/08/north-korea-hackers-spotted-targeting.html www.secnews.physaphae.fr/article.php?IdArticle=6368264 False Malware,Medical APT 38 None Anomali - Firm Blog Anomali Cyber Watch: Ransomware Module Added to SOVA Android Trojan, Bitter APT Targets Mobile Phones with Dracarys, China-Sponsored TA428 Deploys Six Backdoors at Once, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence APT-C-35: New Windows Framework Revealed (published: August 11, 2022) The DoNot Team (APT-C-35) are India-sponsored actors active since at least 2016. Morphisec Labs researchers discovered a new Windows framework used by the group in its campaign targeting Pakistani government and defense departments. The attack starts with a spearphishing RTF attachment. If opened in a Microsoft Office application, it downloads a malicious remote template. After the victim enables editing (macroses) a multi-stage framework deployment starts. It includes two shellcode stages followed by main DLL that, based on victim fingerprinting, downloads a custom set of additional information-stealing modules. Analyst Comment: The described DoNot Team framework is pretty unique in its customisation, fingerprinting, and module implementation. 
At the same time, the general theme of spearphishing attachment that asks the targeted user to enable editing is not new and can be mitigated by anti-phishing training and Microsoft Office settings hardening. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Template Injection - T1221 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Data from Removable Media - T1025 | [MITRE ATT&CK] Data from Network Shared Drive - T1039 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 Tags: APT-C-35, DoNot Team, APT, India, source-country:IN, Government, Military, Pakistan, target-country:PK, Windows]]> 2022-08-16T15:06:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-ransomware-module-added-to-sova-android-trojan-bitter-apt-targets-mobile-phones-with-dracarys-china-sponsored-ta428-deploys-six-backdoors-at-once-and-more www.secnews.physaphae.fr/article.php?IdArticle=6354068 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Medical APT 38 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) U.S. 
Sanctions Virtual Currency Mixer Tornado Cash for Alleged Use in Laundering 2022-08-09T05:32:48+00:00 https://thehackernews.com/2022/08/us-sanctions-virtual-currency-mixer.html www.secnews.physaphae.fr/article.php?IdArticle=6211497 False Medical APT 38 None CyberScoop - scoopnewsgroup.com special Cyber Treasury Department sanctions cryptocurrency \'mixer\' Tornado Cash 2022-08-08T16:31:28+00:00 https://www.cyberscoop.com/treasury-department-sanctions-tornado-cash-lazarus-group/ www.secnews.physaphae.fr/article.php?IdArticle=6203842 False Medical APT 38 None NoticeBored - Experienced IT Security professional CISO workshop slides glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):]]> 2022-08-06T10:46:21+00:00 http://blog.noticebored.com/2022/08/a-glossy-nicely-constructed-and.html www.secnews.physaphae.fr/article.php?IdArticle=6150878 False Malware,Vulnerability,Threat,Patching,Guideline,Medical,Cloud Uber,APT 38,APT 37,APT 28,APT 19,APT 15,APT 10,APT 34,Guam None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) U.S. 
Offers $10 Million Reward for Information on North Korean Hackers 2022-07-27T23:09:54+00:00 https://thehackernews.com/2022/07/us-offers-10-million-reward-for.html www.secnews.physaphae.fr/article.php?IdArticle=5985577 False Medical APT 38 None CISCO Talos - Cisco Research blog Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products By Francesco Benvenuto. Recently, I was performing some research on a wireless router and noticed the following piece of code: ]]> 2022-07-27T12:22:17+00:00 http://blog.talosintelligence.com/2022/07/vulnerability-spotlight-how-code-re-use.html www.secnews.physaphae.fr/article.php?IdArticle=5973224 False Vulnerability,Guideline,Medical APT 38,APT 19 None Fortinet ThreatSignal - Harware Vendor North Korean State-Sponsored Threat Actors Deploying "MAUI" Ransomware 2022-07-07T08:14:35+00:00 https://fortiguard.fortinet.com/threat-signal-report/4663 www.secnews.physaphae.fr/article.php?IdArticle=5595940 False Ransomware,Threat,Patching,Medical Wannacry,Wannacry,APT 38 None IT Security Guru - Blog Sécurité North Korea-Backed Hacking Collective Lazarus Group Suspected to be Behind Recent Harmony Bridge Attack 2022-06-30T10:40:51+00:00 https://www.itsecurityguru.org/2022/06/30/north-korea-backed-hacking-collective-lazarus-group-suspected-to-be-behind-recent-harmony-bridge-attack/?utm_source=rss&utm_medium=rss&utm_campaign=north-korea-backed-hacking-collective-lazarus-group-suspected-to-be-behind-recent-harmony-bridge-attack www.secnews.physaphae.fr/article.php?IdArticle=5469045 True Medical APT 38 4.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
North Korean Hackers Suspected to be Behind $100M Horizon Bridge Hack 2022-06-29T23:01:41+00:00 https://thehackernews.com/2022/06/north-korean-hackers-suspected-to-be.html www.secnews.physaphae.fr/article.php?IdArticle=5465954 False Hack,Medical APT 38 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Hackers Exploiting VMware Horizon to Target South Korea with NukeSped Backdoor 2022-05-20T02:23:24+00:00 https://thehackernews.com/2022/05/hackers-exploiting-vmware-horizon-to.html www.secnews.physaphae.fr/article.php?IdArticle=4711794 False Vulnerability,Medical APT 38 None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) U.S. Sanctions Cryptocurrency Mixer Blender for Helping North Korea Launder Millions 2022-05-06T21:23:05+00:00 https://thehackernews.com/2022/05/us-sanctions-cryptocurrency-mixer.html www.secnews.physaphae.fr/article.php?IdArticle=4559230 False Hack,Medical APT 38,APT 28 3.0000000000000000 Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe VHD Ransomware Linked to North Korea\'s Lazarus Group 2022-05-05T12:20:10+00:00 https://threatpost.com/vhd-ransomware-lazarus-group/179507/ www.secnews.physaphae.fr/article.php?IdArticle=4548365 False Ransomware,Medical APT 38,APT 28 None Security Affairs - Blog Secu Experts linked multiple ransomware strains North Korea-backed APT38 group 2022-05-04T12:39:23+00:00 https://securityaffairs.co/wordpress/130892/apt/ransomware-strains-linked-to-nk-apt38.html www.secnews.physaphae.fr/article.php?IdArticle=4542648 False Ransomware,Medical APT 38 None Anomali - Firm Blog Anomali Cyber Watch: Gamaredon Delivers Four Pterodos At Once, Known-Plaintext Attack on Yanlouwang Encryption, North-Korea Targets Blockchain Industry, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. 
Trending Cyber News and Threat Intelligence SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems (published: April 25, 2022) Cybereason researchers have compared trending attacks involving SocGholish and Zloader malware. Both infection chains begin with social engineering and malicious downloads masquerading as legitimate software, and both lead to data theft and possible ransomware installation. SocGholish attacks rely on drive-by downloads followed by user execution of a purported browser installer or browser update. The SocGholish JavaScript payload is obfuscated using random variable names and string manipulation. The attacker domain names are written in reverse order, with the individual string characters placed at the odd index positions. Zloader infection starts by masquerading as a popular application such as TeamViewer. Zloader acts as an information stealer, backdoor, and downloader. Active since 2016, Zloader actively evolves and has acquired detection evasion capabilities, such as excluding its processes from Windows Defender and using living-off-the-land (LotL) executables. Analyst Comment: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors. 
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets - T1558 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] System Owner/User Discovery - T1033 2022-04-26T16:24:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-gamaredon-delivers-four-pterodos-at-once-known-plaintext-attack-on-yanlouwang-encryption-north-korea-targets-blockchain-industry-and-more www.secnews.physaphae.fr/article.php?IdArticle=4508976 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Medical Uber,APT 38,APT 28 None

knowbe4 - cybersecurity services TraderTraitor: When States do Social Engineering North Korea's Lazarus Group is using social engineering attacks to target users of cryptocurrency, according to a joint advisory from the US FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the US Treasury Department. 2022-04-20T12:49:57+00:00 https://blog.knowbe4.com/tradertraitor-when-states-do-social-engineering www.secnews.physaphae.fr/article.php?IdArticle=4481014 False Medical APT 38,APT 28 None

Anomali - Firm Blog Anomali Cyber Watch: RaidForums Seized, Sandworm Attacks Ukrainian Power Stations, North Korea Steals Chemical Secrets, and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence Lazarus Targets Chemical Sector (published: April 14, 2022) In January 2022, Symantec researchers discovered a new wave of Operation Dream Job. This operation, attributed to the North Korea-sponsored group Lazarus, utilizes fake job offers via professional social media and email communications. With the new wave of attacks, Operation Dream Job switched from targeting the defense, government, and engineering sectors to targeting South Korean organizations operating within the chemical sector. A targeted user executes an HTM file sent via a link. The HTM file is copied to a DLL file to be injected into the legitimate system management software. It downloads and executes the final backdoor: a trojanized version of the Tukaani project LZMA Utils library (XZ Utils) with a malicious export added (AppMgmt). After the initial access, the attackers gain persistence via scheduled tasks, move laterally, and collect credentials and sensitive information. Analyst Comment: Organizations should train their users to recognize social engineering attacks including those posing as “dream job” proposals. Organizations facing cyberespionage threats should implement a defense-in-depth approach: layering of security mechanisms, redundancy, fail-safe defense processes. MITRE ATT&CK: [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555 Tags: Lazarus, Operation Dream Job, North Korea, source-country:KP, South Korea, target-country:KR, APT, HTM, CPL, Chemical sector, Espionage, Supply chain, IT sector Old Gremlins, New Methods (published: April 14, 2022) Group-IB researchers have released their analysis of threat actor OldGremlin’s new March 2022 campaign. 
OldGremlin favored phishing as an initial infection vector, crafting intricate phishing emails that target Russian industries. The threat actors utilized the current war between Russia and Ukraine to add a sense of legitimacy to their emails, with claims that users needed to click a link to register for a new credit card, as current ones would be rendered useless by incoming sanctions. The link leads users to a malicious Microsoft Office document stored within Dropbox. When macros are enabled, the threat actor's new, custom backdoor, TinyFluff, a new version of their old TinyNode 2022-04-19T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-raidforums-seized-sandworm-attacks-ukrainian-power-stations-north-korea-steals-chemical-secrets-and-more www.secnews.physaphae.fr/article.php?IdArticle=4477972 False Ransomware,Spam,Malware,Vulnerability,Threat,Guideline,Medical APT 38,APT 28 None

IT Security Guru - Security Blog Blockchain companies warned of North Korean hackers 2022-04-19T10:41:45+00:00 https://www.itsecurityguru.org/2022/04/19/blockchain-companies-warned-of-north-korean-hackers/?utm_source=rss&utm_medium=rss&utm_campaign=blockchain-companies-warned-of-north-korean-hackers www.secnews.physaphae.fr/article.php?IdArticle=4476983 True Threat,Medical APT 38,APT 28 None

InfoSecurity Mag - InfoSecurity Magazine Ronin Crypto Heist of $618m Traced to North Korea 2022-04-19T09:00:00+00:00 https://www.infosecurity-magazine.com/news/ronin-crypto-heist-618m-north-korea/ www.secnews.physaphae.fr/article.php?IdArticle=4476653 False Medical APT 38,APT 28 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) FBI, U.S.
Treasury and CISA Warn of North Korean Hackers Targeting Blockchain Companies 2022-04-19T00:02:44+00:00 https://thehackernews.com/2022/04/fbi-us-treasury-and-cisa-warns-of-north.html www.secnews.physaphae.fr/article.php?IdArticle=4476391 False Threat,Medical APT 38,APT 28 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) Lazarus Group Behind $540 Million Axie Infinity Crypto Hack and Attacks on Chemical Sector 2022-04-16T01:31:45+00:00 https://thehackernews.com/2022/04/lazarus-hackers-behind-540-million-axie.html www.secnews.physaphae.fr/article.php?IdArticle=4463512 False Hack,Threat,Medical APT 38,APT 28 None

SecurityWeek - Security News U.S. Gov Blames North Korea Hackers for $600M Cryptocurrency Heist 2022-04-14T20:07:22+00:00 https://www.securityweek.com/us-gov-blames-north-korea-hackers-600m-cryptocurrency-heist www.secnews.physaphae.fr/article.php?IdArticle=4451205 False Medical APT 38,APT 28 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?) North Korean Hackers Distributing Trojanized DeFi Wallet Apps to Steal Victims' Crypto 2022-04-01T03:37:45+00:00 https://thehackernews.com/2022/04/north-korean-hackers-distributing.html www.secnews.physaphae.fr/article.php?IdArticle=4377812 False Medical APT 38 None

IT Security Guru - Security Blog Cryptocurrency organisations hit with fake job offers 2022-02-09T10:57:38+00:00 https://www.itsecurityguru.org/2022/02/09/cryptocurrency-organisations-hit-with-fake-job-offers/?utm_source=rss&utm_medium=rss&utm_campaign=cryptocurrency-organisations-hit-with-fake-job-offers www.secnews.physaphae.fr/article.php?IdArticle=4098829 False Threat,Medical APT 38,APT 28 2.0000000000000000

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
North Korean Hackers Using Windows Update Service to Infect PCs with Malware 2022-01-28T01:24:28+00:00 https://thehackernews.com/2022/01/north-korean-hackers-using-windows.html www.secnews.physaphae.fr/article.php?IdArticle=4045173 False Malware,Medical APT 38,APT 28 None

knowbe4 - cybersecurity services North Korean Cryptocurrency Theft Relies on Social Engineering A North Korean threat actor being called "BlueNoroff," a subunit of Pyongyang's Lazarus Group, has been targeting cryptocurrency startups with financially motivated attacks, researchers at Kaspersky have found. The campaign, "SnatchCrypto," is using malicious documents to gain access to internal communications, then using social engineering to manipulate employees. 2022-01-18T16:59:26+00:00 https://blog.knowbe4.com/north-korean-cryptocurrency-theft-relies-on-social-engineering www.secnews.physaphae.fr/article.php?IdArticle=3987812 False Threat,Medical APT 38,APT 28 None

Anomali - Firm Blog Anomali Cyber Watch: 'PseudoManuscrypt' Mass Spyware Campaign Targets 35K Systems, APT31 Intrusion Set Campaign: Description, Countermeasures and Code, State-sponsored hackers abuse Slack API to steal Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence NSW Government Casual Recruiter Suffers Ransomware Hit (published: December 17, 2021) Finite Recruitment suffered a ransomware attack during the month of October 2021, resulting in the exfiltration of some data. Their incident responders (IR) identified the ransomware as Conti, a fast-encrypting ransomware commonly attributed to the cybercriminal group Wizard Spider. The exfiltrated data was published on the dark web; however, the firm remains fully operational, and affected customers are being informed.
Analyst Comment: Always check to see if there is a decryptor available for the ransomware before considering payment. Enforce a strong backup policy to ensure that data is recoverable in the event of encryption or loss. MITRE ATT&CK: [MITRE ATT&CK] Scheduled Transfer - T1029 Tags: Conti, Wizard Spider, Ransomware, Banking and Finance Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions (published: December 16, 2021) Check Point Research has uncovered a new variant of the Phorpiex botnet named Twizt. Historically, Phorpiex utilized sextortion, ransomware delivery, and cryptocurrency clipping. Twizt, however, appears to be primarily focused on stealing cryptocurrency and has stolen half a million dollars since November 2020 in the form of Bitcoin, Ether and ERC20 tokens. The botnet features a departure from its traditional command and control (C2) infrastructure, opting for peer-to-peer (P2P) communications between infected hosts, eliminating the need for C2 communication as each host can fulfill that role. Analyst Comment: Bots within a P2P network need to communicate regularly with other bots to receive and share commands. If the infected bots are on a private network, private IP addresses will be used. Therefore, careful monitoring of network traffic will reveal suspicious activity and a spike in network resource usage, as opposed to the detection of C2 IP addresses. MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Clipboard Data - T1115 Tags: Phorpiex, Twizt, Russia, Banking and Finance, Cryptocurrency, Bitcoin 'PseudoManuscrypt' Mass Spyware Campaign Targets 35K Systems (published: December 16, 2021) Kaspersky researchers have documented a spyware that has targeted 195 countries as of December 2021. 
The spyware, named PseudoManuscrypt, was developed and deployed by Lazarus Group 2021-12-21T16:57:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-pseudomanuscrypt-mass-spyware-campaign-targets-35k-systems-apt31-intrusion-set-campaign-description-countermeasures-and-code-state-sponsored-hackers-abuse-slack-api-to-steal www.secnews.physaphae.fr/article.php?IdArticle=3841167 False Ransomware,Malware,Vulnerability,Threat,Guideline,Medical APT 41,APT 38,APT 28,APT 31 None

Anomali - Firm Blog Anomali Cyber Watch: REvil Affiliates Arrested, Electronics Retail Giant Hit By Ransomware, Robinhood Breach, Zero Day In Palo Alto Security Appliance and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer (published: November 8, 2021) The US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert about advanced persistent threat (APT) actors exploiting a vulnerability in the self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. Palo Alto, Microsoft and Lumen Technologies made a joint effort to track, analyse and mitigate this threat. The attack deployed a webshell and created a registry key for persistence. The actor leveraged leased infrastructure in the US to scan hundreds of organizations and compromised at least nine global organizations across the technology, defense, healthcare and education industries. Analyst Comment: This actor has used some unique techniques in these attacks, including a legitimate blockchain-based remote control application and a credential stealing tool which hooks specific functions from the LSASS process. 
It's important to make sure your EDR solution supports, and is configured for, detecting such advanced techniques so that these attacks can be caught. MITRE ATT&CK: [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Credentials in Files - T1081 | [MITRE ATT&CK] Brute Force - T1110 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hooking - T1179 | [MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060 | [MITRE ATT&CK] Pass the Hash - T1075 Tags: Threat Group 3390, APT27, TG-3390, Emissary Panda, WildFire, NGLite backdoor, Cobalt Strike, Godzilla, PwDump, beacon, ChinaChopper, CVE-2021-40539, Healthcare, Military, North America, China REvil Affiliates Arrested; DOJ Seizes $6.1M in Ransom (published: November 9, 2021) A 22-year-old Ukrainian national named Yaroslav Vasinskyi has been charged with conducting ransomware attacks by the U.S. Department of Justice (DOJ). These attacks include t 2021-11-16T17:34:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-revil-affiliates-arrested-electronics-retail-giant-hit-by-ransomware-robinhood-breach-zero-day-in-palo-alto-security-appliance-and-more www.secnews.physaphae.fr/article.php?IdArticle=3667130 False Ransomware,Data Breach,Malware,Tool,Vulnerability,Threat,Medical APT 38,APT 27,APT 1 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
Latest Report Uncovers Supply Chain Attacks by North Korean Hackers 2021-10-27T00:14:47+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/nYK8fTcVuRM/latest-report-uncovers-supply-chain.html www.secnews.physaphae.fr/article.php?IdArticle=3571547 False Malware,Threat,Medical APT 38,APT 28 None

TroyHunt - Blog Security Study confirms superior sound of a Stradivari is due to the varnish 2021-09-16T23:30:08+00:00 https://arstechnica.com/?p=1792679 www.secnews.physaphae.fr/article.php?IdArticle=3381130 False Medical APT 38 None

AlienVault Blog - AlienVault is a major defensive player in IOCs Lazarus campaign TTPs and evolution T1036.003). Background Since 2009, the known tools and capabilities believed to have been used by the Lazarus Group include DDoS botnets, keyloggers, remote access tools (RATs), and drive wiper malware. The most publicly documented malware and tools used by the group actors include Destover, Duuzer, and Hangman. Analysis Several documents identified from May to June 2021 by Twitter users were identified as being linked to the Lazarus group. Documents observed in previous campaigns lured victims with job opportunities for Boeing and BAE Systems. These new documents include: Rheinmetall_job_requirements.doc: identified by ESET Research. General_motors_cars.doc: identified by Twitter user @1nternaut. Airbus_job_opportunity_confidential.doc: identified by 360CoreSec. The documents attempted to impersonate defense contractors and engineering companies like Airbus, General Motors (GM), and Rheinmetall. All of these documents contain macro malware, which has been developed and improved during the course of this campaign and from one target to another. The core techniques for the three malicious documents are the same, but the attackers attempted to reduce the potential detections and increase the capabilities of the macros. 
First iteration: Rheinmetall The first two documents from early May 2021 were related to a German engineering company focused on the defense and automotive industries, Rheinmetall. The second malicious document appears to include more elaborate content, which may have resulted in the documents going unnoticed by victims. The Macro has base64 encoded files, which are extracted and decoded during execution. Some of the files are split inside the Macro and are not combined until the time of decoding. One of the most distinctive characteristics of this Macro is how it evades detection of an MZ header encoded in base64 (TVoA, TVpB, TVpQ, TVqA, TVqQ or TVro), by separating the first two characters from the rest of the content, as seen in Figure 1. Figure 1: Concealing of MZ header, as captured by Alien Labs. The rest of the content is kept together in lines of 64 characters, and because of this, YARA rules can be used to detect other typical executable content encoded in base64 aside from the MZ header. In this case, up to nine different YARA rules alerted to suspicious encoded strings in our Alien Labs analysis, like VirtualProtect, GetProcAddress, IsDe 2021-07-06T10:00:00+00:00 https://feeds.feedblitz.com/~/656720256/0/alienvault-blogs~Lazarus-campaign-TTPs-and-evolution www.secnews.physaphae.fr/article.php?IdArticle=3027251 False Malware,Threat,Guideline,Medical APT 38,APT 28 None

Anomali - Firm Blog Anomali Cyber Watch: Klingon RAT Holding on for Dear Life, CVS Medical Records Breach, Black Kingdom Ransomware and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Andariel Evolves to Target South Korea with Ransomware (published: June 15, 2021) Researchers at Securelist identified ransomware attacks from Andariel, a sub-group of Lazarus, targeting South Korea. 
Attack victims included entities from manufacturing, home network service, media and construction sectors. These attacks involved malicious Microsoft Word documents containing a macro and used novel techniques to implant a multi-stage payload. The final payload was a ransomware custom made for this specific attack. Analyst Comment: Users should be wary of documents that request Macros to be enabled. All employees should be educated on the risk of opening attachments from unknown senders. Anti-spam and antivirus protections should be implemented and kept up-to-date with the latest version to better ensure security. MITRE ATT&CK: [MITRE ATT&CK] System Network Connections Discovery - T1049 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Lazarus group, Lazarus, Andariel, Hidden Cobra, tasklist, Manuscrypt, Banking And Finance, Malicious documents, Macros Matanbuchus: Malware-as-a-Service with Demonic Intentions (published: June 15, 2021) In February 2021, BelialDemon advertised a new malware-as-a-service (MaaS) called Matanbuchus Loader and charged an initial rental price of $2,500. Malware loaders are malicious software that typically drop or pull down second-stage malware from command and control (C2) infrastructures. Analyst Comment: Malware as a Service (MaaS) is a relatively new development, which opens the doors of crime to anyone with the money to pay for access. A criminal organization that wants to carry out a malware attack on a target no longer requires in-house technical expertise or infrastructure. Such attacks in most cases share tactics, techniques, and even IOCs. This highlights the importance of intelligence sharing for proactive protection. 
MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery - T1016 Tags: BelialDemon, Matanbuchus, Belial, WildFire, EU, North America Black Kingdom ransomware (published: June 17 2021-06-22T18:18:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-klingon-rat-holding-on-for-dear-life-cvs-medical-records-breach-black-kingdom-ransomware-and-more www.secnews.physaphae.fr/article.php?IdArticle=2966761 False Ransomware,Data Breach,Malware,Vulnerability,Threat,Medical APT 38,APT 28 None

Anomali - Firm Blog Anomali Cyber Watch: Attacks Against Israeli Targets, MacOS Zero-Days, Conti Ransomware Targeting US Healthcare and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New Sophisticated Email-based Attack From NOBELIUM (published: May 28, 2021) NOBELIUM, the threat actor behind the SolarWinds attacks, has been conducting a widespread email campaign against more than 150 organizations. Using attached HTML files containing JavaScript, the email will write an ISO file to disk; this contains a Cobalt Strike beacon that will activate on completion. Once detonated, the attackers have persistent access to a victim's system for additional objectives such as data harvesting/exfiltration, monitoring, and lateral movement. Analyst Comment: Be sure to update and monitor email filter rules constantly. As noted in the report, many organizations managed to block these malicious emails; however, some payloads successfully bypassed cloud security due to incorrect/poorly implemented filter rules. 
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Spearphishing Attachment - T1193 Tags: Nobelium, SolarWinds, TearDrop, CVE-2021-1879, Government, Military Evolution of JSWorm Ransomware (published: May 25, 2021) JSWorm ransomware was discovered in 2019, and since then different variants have gained notoriety under different names such as Nemty, Nefilim, and Offwhite, among others. It has been used to target multiple industries, with the largest concentration in engineering, and others including finance, healthcare, and energy. While the underlying code has been rewritten from C++ to Golang (and back again), along with revolving distribution methods, JSWorm remains a consistent threat. Analyst Comment: Ransomware threats often affect organisations in two ways. First, by encrypting operationally critical documents and data. In these cases, EDR solutions will help to block potential ransomware, and data backup solutions will help restore files in case an attack is successful. Secondly, sensitive customer and business files are exfiltrated and leaked online by ransomware gangs. DLP solutions will help to identify and block potential data exfiltration attempts, while network segregation and encryption of critical data will play an important role in reducing the risk. MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Private Keys - T1145 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] BITS Jobs - T1197 2021-06-02T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-attacks-against-israeli-targets-macos-zero-days-conti-ransomware-targeting-us-healthcare-and-more www.secnews.physaphae.fr/article.php?IdArticle=2868449 False Ransomware,Malware,Threat,Medical Solardwinds,APT 38,APT 28 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
Researchers Link CryptoCore Attacks On Cryptocurrency Exchanges to North Korea 2021-05-24T10:23:01+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/dvdck4LoGYE/researchers-link-cryptocore-attacks-on.html www.secnews.physaphae.fr/article.php?IdArticle=2832231 False Medical APT 38,APT 28 None

Anomali - Firm Blog Anomali Cyber Watch: HabitsRAT Targeting Linux and Windows Servers, Lazarus Group Targetting South Korean Orgs, Multiple Zero-Days and More Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Zero-day Vulnerabilities in SonicWall Email Security Actively Exploited (published: April 21, 2021) US cybersecurity company SonicWall said fixes have been published to resolve three critical issues in its email security solution that are being actively exploited in the wild. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above. Analyst Comment: The patches for these vulnerabilities have been issued and should be applied as soon as possible to avoid potential malicious behaviour. SonicWall's security notice can be found here: https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/. It is important that your company has patch-maintenance policies in place. Once a vulnerability has been publicly reported, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity. 
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083 Tags: CVE-2021-20021, CVE-2021-20023, CVE-2021-20022 Massive Qlocker Ransomware Attack Uses 7zip to Encrypt QNAP Devices (published: April 21, 2021) The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021. All victims are told to pay 0.01 Bitcoins, which is approximately $557.74, to get a password for their archived files. While the files are being locked, the Resource Monitor will display numerous '7z' processes, which are the 7zip command-line executable. Analyst Comment: Attackers are using legitimate tools like 7zip to evade detection by traditional antiviruses. EDR solutions can help track suspicious command line arguments and process creations to potentially detect such attacks. Customers should use backup solutions to be able to recover encrypted files. MITRE ATT&CK: [MITRE ATT&CK] Credentials in Files - T1081 Tags: Tor, Qlocker, CVE-2020-2509, CVE-2020-36195 Novel Email-Based Campaign Targets Bloomberg Clients with RATs (published: April 21, 2021) A new e-mail-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg's industry-based services. Attacks start in the form of targeted emails to c 2021-04-27T17:24:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-habitsrat-targeting-linux-and-windows-servers-lazarus-group-targetting-south-korean-orgs-multiple-zero-days-and-more www.secnews.physaphae.fr/article.php?IdArticle=2704270 False Ransomware,Malware,Tool,Vulnerability,Threat,Medical Wannacry,Wannacry,APT 38,APT 28 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
Lazarus APT Hackers are now using BMP images to hide RAT malware 2021-04-19T22:33:45+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/wHc4_FCN43Y/lazarus-apt-hackers-are-now-using-bmp.html www.secnews.physaphae.fr/article.php?IdArticle=2669656 False Malware,Threat,Medical APT 38 None

Anomali - Firm Blog Anomali Cyber Watch: APT, Malware, Vulnerabilities and More. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Bogus Android Clubhouse App Drops Credential-Swiping Malware (published: March 19, 2021) Researchers are warning of a fake version of the popular audio chat app Clubhouse, which delivers malware that steals login credentials for more than 450 apps. Clubhouse has burst onto the social media scene over the past few months, gaining hype through its audio-chat rooms where participants can discuss anything from politics to relationships. Despite being invite-only, and only being around for a year, the app is closing in on 13 million downloads. The app is only available on Apple's App Store mobile application marketplace - though plans are in the works to develop one. Analyst Comment: Use only the official stores to download apps to your devices. Be wary of what kinds of permissions you grant to applications. Before downloading an app, do some research. MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 Tags: LokiBot, BlackRock, Banking, Android, Clubhouse Trojanized Xcode Project Slips XcodeSpy Malware to Apple Developers (published: March 18, 2021) Researchers from cybersecurity firm SentinelOne have discovered a malicious version of the legitimate iOS TabBarInteraction Xcode project being distributed in a supply-chain attack. The malware, dubbed XcodeSpy, targets Xcode, an integrated development environment (IDE) used in macOS for developing Apple software and applications. 
The malicious project is a ripped version of TabBarInteraction, a legitimate project that has not been compromised. Malicious Xcode projects are being used to hijack developer systems and spread custom EggShell backdoors. Analyst Comment: Researchers attribute this new targeting of Apple developers to North Korea and the Lazarus group: similar TTPs of compromising the developer supply chain were discovered in January 2021, when a North Korean APT was using a malicious Visual Studio project. Moreover, one of the victims of XcodeSpy is a Japanese organization regularly targeted by North Korea. A behavioral detection solution is required to fully detect the presence of XcodeSpy payloads. MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Security Software Discovery - T1063 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 Tags: Lazarus, XcodeSpy, North Korea, EggShell, Xcode, Apple Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware (published: March 18, 2021) Cybereason detected a new campaig 2021-03-23T14:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt-malware-vulnerabilities-and-more www.secnews.physaphae.fr/article.php?IdArticle=2522336 False Ransomware,Malware,Tool,Threat,Patching,Medical APT 38,APT 28 None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware ]]> 2021-02-26T03:02:08+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/70y1849WSoA/north-korean-hackers-targeting-defense.html www.secnews.physaphae.fr/article.php?IdArticle=2402885 False Malware,Medical APT 38 2.0000000000000000 TechRepublic - Security News US North Korean hackers find another new target: The defense industry 2021-02-25T16:49:06+00:00 https://www.techrepublic.com/article/north-korean-hackers-find-another-new-target-the-defense-industry/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=2399288 False Medical APT 38,APT 28 None Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe U.S. Accuses North Korean Hackers of Stealing Millions 2021-02-17T18:20:28+00:00 https://threatpost.com/us-accuses-north-korean-hackers/164039/ www.secnews.physaphae.fr/article.php?IdArticle=2362036 True Medical APT 38,APT 28 None Security Affairs - Blog Secu Microsoft: North Korea-linked Zinc APT targets security experts 2021-01-29T14:49:07+00:00 https://securityaffairs.co/wordpress/113990/apt/zinc-apt-targets-security-experts.html?utm_source=rss&utm_medium=rss&utm_campaign=zinc-apt-targets-security-experts www.secnews.physaphae.fr/article.php?IdArticle=2267129 False Vulnerability,Medical APT 38 None Bleeping Computer - Magazine Américain Microsoft: DPRK hackers \'likely\' hit researchers with Chrome exploit 2021-01-28T14:47:45+00:00 https://www.bleepingcomputer.com/news/security/microsoft-dprk-hackers-likely-hit-researchers-with-chrome-exploit/ www.secnews.physaphae.fr/article.php?IdArticle=2261838 False Vulnerability,Medical APT 38 None Bleeping Computer - Magazine Américain North Korean state hackers breach COVID-19 research entities 2020-12-24T12:00:11+00:00 https://www.bleepingcomputer.com/news/security/north-korean-state-hackers-breach-covid-19-research-entities/ www.secnews.physaphae.fr/article.php?IdArticle=2125285 False Medical APT 38,APT 28 None The Hacker News 
- The Hacker News est un blog de news de hack (surprenant non?) North Korean Hackers Trying to Steal COVID-19 Vaccine Research ]]> 2020-12-23T23:24:40+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/B8Tg68yvkZc/north-korean-hackers-trying-to-steal.html www.secnews.physaphae.fr/article.php?IdArticle=2124093 False Threat,Medical APT 38,APT 28 None Kaspersky - Kaspersky Research blog Lazarus covets COVID-19-related intelligence 2020-12-23T10:00:08+00:00 https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ www.secnews.physaphae.fr/article.php?IdArticle=2122402 False Threat,Medical APT 38,APT 28 None