This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2025-05-11T02:30:29+00:00 www.secnews.physaphae.fr Mandiant - Blog Sécu de Mandiant Introduction Since 2022, Google Threat Intelligence Group (GTIG) has been tracking multiple cyber espionage operations conducted by China-nexus actors utilizing POISONPLUG.SHADOW. These operations employ a custom obfuscating compiler that we refer to as "ScatterBrain," facilitating attacks against various entities across Europe and the Asia Pacific (APAC) region. ScatterBrain appears to be a substantial evolution of ScatterBee, an obfuscating compiler previously analyzed by PWC. GTIG assesses that POISONPLUG is an advanced modular backdoor used by multiple distinct, but likely related threat groups based in the PRC, however we assess that POISONPLUG.SHADOW usage appears to be further restricted to clusters associated with APT41. GTIG currently tracks three known POISONPLUG variants: POISONPLUG POISONPLUG.DEED POISONPLUG.SHADOW POISONPLUG.SHADOW-often referred to as "Shadowpad," a malware family name first introduced by Kaspersky-stands out due to its use of a custom obfuscating compiler specifically designed to evade detection and analysis. Its complexity is compounded by not only the extensive obfuscation mechanisms employed but also by the attackers\' highly sophisticated threat tactics. These elements collectively make analysis exceptionally challenging and complicate efforts to identify, understand, and mitigate the associated threats it poses. In addressing these challenges, GTIG collaborates closely with the FLARE team to dissect and analyze POISONPLUG.SHADOW. This partnership utilizes state-of-the-art reverse engineering techniques and comprehensive threat intelligence capabilities required to mitigate the sophisticated threats posed by this threat actor. We remain dedicated to advancing methodologies and fostering innovation to adapt to and counteract the ever-evolving tactics of threat actors, ensuring the security of Google and our customers against sophisticated cyber espionage operations. Overview In this blog post, we present our in-depth analysis of the ScatterBrain obfuscator, which has led to the development of a complete stand-alone static deobfuscator library independent of any binary analysis frameworks. Our analysis is based solel]]> 2025-01-28T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmasking-poisonplug-obfuscator/ www.secnews.physaphae.fr/article.php?IdArticle=8643871 False Malware,Tool,Threat,Studies,Patching,Cloud APT 41 2.0000000000000000 Mandiant - Blog Sécu de Mandiant   Executive Summary In collaboration with Google\'s Threat Analysis Group (TAG), Mandiant has observed a sustained campaign by the advanced persistent threat group APT41 targeting and successfully compromising multiple organizations operating within the global shipping and logistics, media and entertainment, technology, and automotive sectors. The majority of organizations were operating in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom. APT41 successfully infiltrated and maintained prolonged, unauthorized access to numerous victims\' networks since 2023, enabling them to extract sensitive data over an extended period.  APT41 used a combination of ANTSWORD and BLUEBEAM web shells for the execution of DUSTPAN to execute BEACON backdoor for command-and-control communication. Later in the intrusion, APT41 leveraged DUSTTRAP, which would lead to hands-on keyboard activity. APT41 used publicly available tools SQLULDR2 for copying data from databases and PINEGROVE to exfiltrate data to Microsoft OneDrive. Overview Recently, Mandiant became aware of an APT41 intrusion where the malicious actor deployed a combination of ANTSWORD and BLUEBEAM web shells for persistence. These web shells were identified on a Tomcat Apache Manager server and active since at least 2023. APT41 utilized these web shells to execute certutil.exe to download the DUSTPAN dropper to stealthily load BEACON.  As the APT41 intrusion progressed, the group escalated its tactics by deploying the DUSTTRAP dropper. Upon execution, DUSTTRAP would decrypt a malicious payload and execute it in memory, leaving minimal forensic traces. The decrypted payload was designed to establish communication channels with either APT41-controlled infrastructure for command and control or, in some instances, with a compromised Google Workspace account, further blending its malicious activities with legitimate traffic. The affected Google Workspace accounts have been successfully remediated to prevent further unauthorized access. Furthermore, APT41 leveraged SQLULDR2 to export data from Oracle Databases, and used PINEGROVE to systematically and efficiently exfiltrate large volumes of sensitive data from the compromised networks, transferring to OneDrive to enable exfiltration and subsequent analysis. ]]> 2024-07-18T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust/ www.secnews.physaphae.fr/article.php?IdArticle=8539580 False Ransomware,Malware,Tool,Threat,Patching,Medical,Cloud APT 41 2.0000000000000000 RiskIQ - cyber risk firms (now microsoft) ## Snapshot In April 2024, Zscaler ThreatLabz discovered a new loader named DodgeBox, an upgraded and evolved version of StealthVector, a tool previously used by the Chinese APT group, APT41, tracked by Microsoft as [Brass Typhoon](https://security.microsoft.com/intel-profiles/byExternalId/e49c4119afe798db103058c3ffda5bd85e83534940247449478524d61ae6817a). ## Description After their analysis of DodgeBox, researchers from Zscaler ThreatLabz assess that the malware is an enhanced version of StealthVector loader as there are significant similarities between the two malwares. Written in C, DodgeBox is a reflective DLL loader that has a number of attributes, including the ability to decrypt and load embedded DLLs, perform environment checks, and carry out cleanup procedures. Notably, DodgeBox also employs call stack spoofing, a technique used by malware to obfuscate the origins of API calls, making it difficult for Endpoint Detection and Response (EDR) solutions and antivirus programs to detect the malware. DodgeBox has been used by APT41 to deliver the MoonWalk backdoor, a new backdoor being employed by the threat group.  DodgeBox and StealthVector both have similarities in their:  - checksum and configuration decryption, - decrypted conf]]> 2024-07-11T22:03:33+00:00 https://community.riskiq.com/article/3524d2ae www.secnews.physaphae.fr/article.php?IdArticle=8535322 False Malware,Tool,Threat,Patching APT 41 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-07-09T19:47:09+00:00 https://community.riskiq.com/article/e8378a00 www.secnews.physaphae.fr/article.php?IdArticle=8533748 False Malware,Tool,Vulnerability,Threat,Patching,Legislation,Industrial APT 40 3.0000000000000000 The Register - Site journalistique Anglais Lax patching and vulnerable small biz kit make life easy for Beijing\'s secret-stealers Law enforcement agencies from eight nations, led by Australia, have issued an advisory that details the tradecraft used by China-aligned threat actor APT40 – aka Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk – and found it prioritizes developing exploits for newly found vulnerabilities and can target them within hours.…]]> 2024-07-09T02:33:07+00:00 https://go.theregister.com/feed/www.theregister.com/2024/07/09/apt_40_tradecraft_advisory/ www.secnews.physaphae.fr/article.php?IdArticle=8533187 False Vulnerability,Threat,Patching,Legislation APT 40 3.0000000000000000 RiskIQ - cyber risk firms (now microsoft) 2024-05-06T19:54:46+00:00 https://community.riskiq.com/article/7c5aa156 www.secnews.physaphae.fr/article.php?IdArticle=8494794 False Malware,Vulnerability,Threat,Patching,Cloud APT 42 3.0000000000000000 knowbe4 - cybersecurity services CyberheistNews Vol 13 #24  |   June 13th, 2023 [The Mind\'s Bias] Pretexting Now Tops Phishing in Social Engineering Attacks The New Verizon DBIR is a treasure trove of data. As we will cover a bit below, Verizon reported that 74% of data breaches Involve the "Human Element," so people are one of the most common factors contributing to successful data breaches. Let\'s drill down a bit more in the social engineering section. They explained: "Now, who has received an email or a direct message on social media from a friend or family member who desperately needs money? Probably fewer of you. This is social engineering (pretexting specifically) and it takes more skill. "The most convincing social engineers can get into your head and convince you that someone you love is in danger. They use information they have learned about you and your loved ones to trick you into believing the message is truly from someone you know, and they use this invented scenario to play on your emotions and create a sense of urgency. The DBIR Figure 35 shows that Pretexting is now more prevalent than Phishing in Social Engineering incidents. However, when we look at confirmed breaches, Phishing is still on top." A social attack known as BEC, or business email compromise, can be quite intricate. In this type of attack, the perpetrator uses existing email communications and information to deceive the recipient into carrying out a seemingly ordinary task, like changing a vendor\'s bank account details. But what makes this attack dangerous is that the new bank account provided belongs to the attacker. As a result, any payments the recipient makes to that account will simply disappear. BEC Attacks Have Nearly Doubled It can be difficult to spot these attacks as the attackers do a lot of preparation beforehand. They may create a domain doppelganger that looks almost identical to the real one and modify the signature block to show their own number instead of the legitimate vendor. Attackers can make many subtle changes to trick their targets, especially if they are receiving many similar legitimate requests. This could be one reason why BEC attacks have nearly doubled across the DBIR entire incident dataset, as shown in Figure 36, and now make up over 50% of incidents in this category. Financially Motivated External Attackers Double Down on Social Engineering Timely detection and response is crucial when dealing with social engineering attacks, as well as most other attacks. Figure 38 shows a steady increase in the median cost of BECs since 2018, now averaging around $50,000, emphasizing the significance of quick detection. However, unlike the times we live in, this section isn\'t all doom and ]]> 2023-06-13T13:00:00+00:00 https://blog.knowbe4.com/cyberheistnews-vol-13-24-the-minds-bias-pretexting-now-tops-phishing-in-social-engineering-attacks www.secnews.physaphae.fr/article.php?IdArticle=8344804 False Spam,Malware,Vulnerability,Threat,Patching Uber,APT 37,ChatGPT,ChatGPT,APT 43 2.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques (published: January 17, 2022) The Earth Lusca threat group is part of the Winnti cluster. It is one of different Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs) including the use of Winnti malware. Earth Lusca were active throughout 2021 committing both cyberespionage operations against government-connected organizations and financially-motivated intrusions targeting gambling and cryptocurrency-related sectors. For intrusion, the group tries different ways in including: spearphishing, watering hole attacks, and exploiting publicly facing servers. Cobalt Strike is one of the group’s preferred post-exploitation tools. It is followed by the use of the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group employs two separate infrastructure clusters, first one is rented Vultr VPS servers used for command-and-control (C2), second one is compromised web servers used to scan for vulnerabilities, tunnel traffic, and Cobalt Strike C2. Analyst Comment: Earth Lusca often relies on tried-and-true techniques that can be stopped by security best practices, such as avoiding clicking on suspicious email/website links and or reacting on random banners urging to update important public-facing applications. Don’t be tricked to download Adobe Flash update, it was discontinued at the end of December 2020. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) updated. MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hijack Execution Flow]]> 2022-01-19T22:45:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-russia-sponsored-cyber-threats-china-based-earth-lusca-active-in-cyberespionage-and-cybertheft-bluenoroff-hunts-cryptocurrency-related-businesses-and-more www.secnews.physaphae.fr/article.php?IdArticle=3999162 False Ransomware,Malware,Tool,Vulnerability,Threat,Patching,Guideline APT 41,APT 38,APT 29,APT 28,APT 28 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence US 2020 Presidential Apps Riddled with Tracking and Security Flaws (published: September 17, 2020) The Vote Joe 2020 application has been found to be potentially leaking personal data about voters. The app is used by the Joe Biden campaign to engage with voters and get supporters to send out promotional text messages. Using TargetSmart, an intelligence service, the app receives their predictions via API endpoint which has been found to be returning additional data. Voter preference and voter prediction could be seen, while voter preference is publically accessible, the information for TargetSmart was not meant to be publicly available. The app also let users from outside of the United States download, allowing for non-US citizens to have access to the data, as there was no email verification. Vote Joe isn’t the only campaign app with security issues, as the Donald Trump application exposed hardcoded secret keys in the APK. Recommendation: The exposure of Personally Identifiable Information (PII) requires affected individuals to take precautionary measures to protect their identity and their finances. Identity theft services can assist in preventing illicit purchases, or applying for financial services from taking place by actors using stolen data. Tags: APK, Android, Campaign, Election, Joe Biden, PII German Hospital Attacked, Patient Taken to Another City Dies (published: September 17, 2020) A failure in IT systems at Duesseldorf University Hospital in Germany has led to the death of a woman. In an apparent ransomware attack, the hospital’s systems crashed with staff unable to access data. While there was no apparent ransom note, 30 servers at the hospital had been encrypted last week, with a ransom note left on one server addressed to Heinrich Heine University. Duesseldorf police contacted the perpetrators to inform them they had attacked the hospital instead of the university, with the perpetrators providing decryption keys, however patients had to be rerouted to other hospitals and therefore a long time before being treated by doctors. Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Germany, Healthcare, Hospital, Ransomware ]]> 2020-09-22T15:00:00+00:00 https://www.anomali.com/blog/weekly-threat-briefing-android-malware-apt-groups-election-apps-ransomware-and-more www.secnews.physaphae.fr/article.php?IdArticle=2103281 False Ransomware,Malware,Vulnerability,Threat,Patching,Guideline APT 41 5.0000000000000000