www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
Feed generated: 2025-05-10T22:02:12+00:00

InfoSecurity Magazine: Volt Typhoon Accessed US OT Network for Nearly a Year
Volt Typhoon's ten-month intrusion of Littleton Electric Light and Water Departments exposes vulnerabilities in the US electric grid.
Published: 2025-03-13T17:15:00+00:00 | https://www.infosecurity-magazine.com/news/volt-typhoon-threatens-us-ot/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8655593
Tags: Vulnerability, Industrial | Actor: Guam

Mandiant (Mandiant security blog): Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers
Introduction. In mid-2024, Mandiant discovered threat actors had deployed custom backdoors on Juniper Networks' Junos OS routers. Mandiant attributed these backdoors to the China-nexus espionage group UNC3886. Mandiant uncovered several TINYSHELL-based backdoors operating on Juniper Networks' Junos OS routers. The backdoors had varying custom capabilities, including active and passive backdoor functions, as well as an embedded script that disables logging mechanisms on the target device. Mandiant worked with Juniper Networks to investigate this activity and observed that the affected Juniper MX routers were running end-of-life hardware and software. Mandiant recommends that organizations upgrade their Juniper devices to the latest images released by Juniper Networks, which include mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT). Organizations should run the JMRT Quick Scan and Integrity Check after the upgrade.
Mandiant reported on similar custom malware ecosystems in 2022 and 2023 that UNC3886 deployed on virtualization technologies and network edge devices. This blog post showcases a development in UNC3886's tactics, techniques and procedures (TTPs), and their focus on malware and capabilities that enable them to operate on network and edge devices, which typically lack security monitoring and detection solutions such as endpoint detection and response (EDR) agents. Mandiant previously reported on UNC3886's emphasis on techniques to gather and use legitimate credentials to move laterally within a network undetected. These objectives remained consistent but were pursued with the introduction of a new tool in 2024. Observations in this blog post strengthen our assessment that the actor's focus is on maintaining long-term access to victim networks. UNC3886 continues to show a deep understanding of the underlying technology of the appliances being targeted. At the time of writing, Mandiant has not identified any technical overlaps between activities detailed in this blog post and those publicly reported by other parties as Volt Typhoon or Salt Typhoon.
Attribution. UNC3886 is a highly adept China-nexu[...]
Published: 2025-03-12T14:00:00+00:00 | https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8655317
Tags: Malware, Tool, Vulnerability, Threat, Patching, Prediction, Cloud, Technical | Actor: Guam

RiskIQ (cyber risk firm, now Microsoft): Weekly OSINT Highlights, 4 November 2024
Published: 2024-11-04T12:25:16+00:00 | https://community.riskiq.com/article/d6da7f0d | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8605948
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Mobile, Prediction, Medical, Cloud, Technical | Actors: APT 41, APT 28, APT 31, Guam

RiskIQ (cyber risk firm, now Microsoft): Weekly OSINT Highlights, 28 October 2024
Published: 2024-10-28T11:27:40+00:00 | https://community.riskiq.com/article/fa5a55d5 | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8602805
Tags: Ransomware, Spam, Malware, Tool, Vulnerability, Threat, Prediction, Medical, Cloud, Technical | Actors: APT 38, Guam

RiskIQ (cyber risk firm, now Microsoft): American Water shuts down online services after cyberattack
Published: 2024-10-08T18:38:34+00:00 | https://community.riskiq.com/article/29587102 | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8594452
Tags: Ransomware, Vulnerability, Threat, Industrial | Actor: Guam

TechRepublic (Security News US): Volt Typhoon Hackers Exploit Zero-Day Vulnerability in Versa Director Servers Used by MSPs, ISPs
There are approximately 163 devices worldwide that are still exposed to attack via the CVE-2024-39717 vulnerability.
Published: 2024-08-29T15:17:42+00:00 | https://www.techrepublic.com/article/volt-typhoon-exploits-versa-director/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8566269
Tags: Vulnerability, Threat | Actor: Guam

SecurityWeek (Security News): Censys Finds Hundreds of Exposed Servers as Volt Typhoon APT Targets ISPs, MSPs
Amidst Volt Typhoon zero-day exploitation, Censys finds hundreds of exposed servers presenting a ripe attack surface for attackers.
Published: 2024-08-28T15:08:42+00:00 | https://www.securityweek.com/censys-finds-hundreds-of-exposed-servers-as-volt-typhoon-apt-targets-isps-msps/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8565501
Tags: Vulnerability, Threat | Actor: Guam

The Hacker News (a hacking news blog, surprisingly enough): Chinese Volt Typhoon Exploits Versa Director Flaw, Targets U.S. and Global IT Sectors
The China-nexus cyber espionage group tracked as Volt Typhoon has been attributed with moderate confidence to the zero-day exploitation of a recently disclosed high-severity security flaw impacting Versa Director. The attacks targeted four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early [...]
Published: 2024-08-27T19:30:00+00:00 | https://thehackernews.com/2024/08/chinese-volt-typhoon-exploits-versa.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8564754
Tags: Vulnerability, Threat | Actor: Guam

Recorded Future (Recorded Future feed): China's Volt Typhoon reportedly targets US internet providers using Versa zero-day
Published: 2024-08-27T17:32:01+00:00 | https://therecord.media/versa-zero-day-volt-typhoon-china | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8564847
Tags: Vulnerability, Threat | Actor: Guam

Krebs on Security (American researcher): New 0-Day Attacks Linked to China's 'Volt Typhoon'
Malicious hackers are exploiting a zero-day vulnerability in Versa Director, a software product used by many Internet and IT service providers. Researchers believe the activity is linked to Volt Typhoon, a Chinese cyber espionage group focused on infiltrating critical U.S. networks and laying the groundwork for the ability to disrupt communications between the United States and Asia during any future armed conflict with China.
Published: 2024-08-27T14:26:41+00:00 | https://krebsonsecurity.com/2024/08/new-0-day-attacks-linked-to-chinas-volt-typhoon/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8564750
Tags: Vulnerability, Threat | Actor: Guam

Dark Reading (InformationWeek branch): China's Volt Typhoon Exploits 0-day in Versa's SD-WAN Director Servers
So far, the threat actor has compromised at least five organizations using CVE-2024-39717; CISA has added the bug to its Known Exploited Vulnerabilities (KEV) catalog.
Published: 2024-08-27T14:00:00+00:00 | https://www.darkreading.com/cyberattacks-data-breaches/china-s-volt-typhoon-actively-exploiting-now-patched-0-day-in-versa-director-servers | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8564781
Tags: Vulnerability, Threat | Actor: Guam

RiskIQ (cyber risk firm, now Microsoft): Versa fixes Director zero-day vulnerability exploited in attacks
Published: 2024-08-27T10:47:04+00:00 | https://community.riskiq.com/article/1af984be | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8564652
Tags: Vulnerability, Threat | Actor: Guam

Bleeping Computer (American magazine): Chinese Volt Typhoon hackers exploited Versa zero-day to breach ISPs, MSPs
The Chinese state-backed hacking group Volt Typhoon is behind attacks that exploited a zero-day flaw in Versa Director to upload a custom webshell to steal credentials and breach corporate networks. [...]
Published: 2024-08-27T10:00:00+00:00 | https://www.bleepingcomputer.com/news/security/chinese-volt-typhoon-hackers-exploited-versa-zero-day-to-breach-isps-msps/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8564715
Tags: Vulnerability, Threat | Actor: Guam

RiskIQ (cyber risk firm, now Microsoft): Same targets, new playbooks: East Asia threat actors employ unique methods
Published: 2024-04-05T13:39:39+00:00 | https://community.riskiq.com/article/b4f39b04 | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8476526
Tags: Malware, Tool, Vulnerability, Threat, Studies, Industrial, Prediction, Technical | Actor: Guam

Recorded Future (Recorded Future feed): Volt Typhoon and 4 other groups targeting US energy and defense sectors through Ivanti bugs
Several China-based hacking groups, including Volt Typhoon, are targeting a trio of vulnerabilities affecting IT giant Ivanti, alongside multiple cybercriminal operations. The Cybersecurity and Infrastructure Security Agency (CISA) and several of the world's leading cybersecurity agencies have released warnings about the vulnerabilities, labeled CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893, due to their widespread use [...]
Published: 2024-04-04T16:40:24+00:00 | https://therecord.media/volt-typhoon-china-targeting-energy-defense-ivanti-bugs | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8476005
Tags: Vulnerability | Actor: Guam

Mandiant (Mandiant security blog): Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
Since the initial disclosure of CVE-2023-46805 and CVE-2024-21887 on Jan. 10, 2024, Mandiant has conducted multiple incident response engagements across a range of industry verticals and geographic regions. Mandiant's previous blog post, Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts, details zero-day exploitation of CVE-2024-21893 and CVE-2024-21887 by a suspected China-nexus espionage actor that Mandiant tracks as UNC5325. This blog post, as well as our previous reports detailing Ivanti exploitation, helps to underscore the different types of activity that Mandiant has observed on vulnerable Ivanti Connect Secure appliances that were unpatched or did not have the appropriate mitigation applied. Mandiant has observed different types of post-exploitation activity across our incident response engagements, including lateral movement supported by the deployment of open-source tooling and custom malware families. In addition, we have seen these suspected China-nexus actors evolve their understanding of Ivanti Connect Secure by abusing appliance-specific functionality to achieve their objectives. As of April 3, 2024, a patch is readily available for every supported version of Ivanti Connect Secure affected by the vulnerabilities. We recommend that customers follow Ivanti's latest patching guidance and instructions to prevent further exploitation activity. In addition, Ivanti released a new enhanced external Integrity Checker Tool (ICT) to detect potential attempts at malware persistence across factory resets and system upgrades, and other tactics, techniques and procedures (TTPs) observed in the wild. We also released a remediation and hardening guide [...]
Published: 2024-04-04T14:00:00+00:00 | https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement/ | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8500398
Tags: Malware, Tool, Vulnerability, Threat, Studies, Mobile, Cloud | Actor: Guam

AlienVault Labs Blog (AlienVault is a major defensive actor in IOCs): The dark side of 2023 Cybersecurity: Malware evolution and Cyber threats
AT&T Cybersecurity Alien Labs reviewed the big events of 2023 and how malware morphed this year to try new ways to breach and wreak havoc. This year's events kept cybersecurity experts on their toes, from expanding malware variants to the introduction of new threat actors and attack techniques. Here are some of the most compelling developments, highlighting malware's evolving capabilities and the challenges defenders face.
Highlights of the year: emerging trends and notable incidents. As the year unfolded, several trends and incidents left an indelible mark on the cybersecurity landscape:
- Exploiting OneNote for malicious payloads: Cybercriminals leveraged Microsoft OneNote to deliver many malicious payloads to victims, including Redline, AgentTesla, Quasar RAT and others. This previously underutilized Office program became a favored tool due to the low suspicion it raised and its widespread usage.
- SEO poisoning and Google Ads: Malicious actors resorted to SEO poisoning tactics, deploying phishing links through Google Ads to deceive unsuspecting victims. These links led to cloned, benign-looking web pages, avoiding Google's detection and remaining active for extended periods. Prominent malware families, including Raccoon Stealer and IcedID, capitalized on this strategy.
- Exploiting geopolitical events: Cybercriminals exploited the geopolitical climate, particularly the Middle East conflict, as a lure for their attacks. This trend mirrored the previous year's Ukraine-related phishing campaigns and crypto scams.
APTs: state-sponsored espionage continues to present challenges. Advanced Persistent Threats (APTs) continued to pose a significant threat in 2023:
- Snake: CISA reported on the Snake APT, an advanced cyber-espionage tool associated with the Russian Federal Security Service (FSB). This malware had been in use for nearly two decades.
- Volt Typhoon: A campaign targeting critical infrastructure organizations in the United States was attributed to Volt Typhoon, a state-sponsored actor based in China. Their focus lay on espionage and information gathering.
- Storm-0558: This highly sophisticated intrusion campaign, orchestrated by the Storm-0558 APT from China, infiltrated the email accounts of approximately 25 organizations, including government agencies.
Ransomware's relentless rise. Ransomware remained a prevalent and lucrative threat throughout the year:
- Cuba and Snatch: Ransomware groups like Cuba and Snatch targeted critical infrastructure in the United States, causing concern for national security.
- ALPHV/BlackCat: Beyond SEO poisoning, this group compromised the computer systems of Caesars and MGM casinos. They also resorted to filing complaints with the US Securities and Exchange Commission (SEC) against their victims, applying additional pressure to pay ransoms.
- Exploiting new vulnerabilities: Cybercriminals wasted no time exploiting newly discovered vulnerabilities, such as CVE-2023-22518 in Atlassian's Confluence, CVE-2023-4966 (Citrix Bleed) and others. These vulnerabilities became gateways for ransomware attacks.
Evolving ransom[...]
Published: 2024-01-25T11:00:00+00:00 | https://cybersecurity.att.com/blogs/labs-research/the-dark-side-of-2023-cybersecurity-malware-evolution-and-cyber-threats | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8442915
Tags: Ransomware, Spam, Malware, Tool, Vulnerability, Threat, Prediction | Actor: Guam

Global Security Mag (French news site): SecurityScorecard Threat Research: Volt Typhoon Compromises 30% of Cisco RV320/325 Devices in 37 Days
Malware update.
Published: 2024-01-11T15:24:12+00:00 | https://www.globalsecuritymag.fr/securityscorecard-threat-research-volt-typhoon-compromises-30-of-cisco-rv320.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8437922
Tags: Vulnerability, Threat, Studies | Actor: Guam

Anomali (firm blog): Anomali Cyber Watch: Shadow Force Targets Korean Servers, Volt Typhoon Abuses Built-in Tools, CosmicEnergy Tests Electric Distribution Disruption
Figure 1: IOC summary charts. These charts summarize the IOCs attached to this magazine and give an overview of the threats discussed.
Cyber News and Threat Intelligence. Shadow Force Group's Viticdoor and CoinMiner (published May 27, 2023). Shadow Force is a threat that has been targeting South Korean organizations since 2013. It mainly targets Windows servers. AhnLab researchers analyzed the group's activity in 2020-2022. Shadow Force activity is relatively easy to detect because the actors tend to reuse the same file names for their malware. At the same time, the group has evolved: after March, its files often exceed 10 MB due to binary packing. The actors also began introducing various cryptocurrency miners and a new backdoor dubbed Viticdoor.
Analyst comment: Organizations should keep their servers up to date and properly configured with security in mind. Unusually high CPU usage and overheating can be a sign of malicious resource hijacking for cryptocurrency mining. Network- and host-based indicators associated with Shadow Force are available in the Anomali platform, and customers are advised to block them on their infrastructure.
MITRE ATT&CK: T1588.003 - Obtain Capabilities: Code Signing Certificates | T1105 - Ingress Tool Transfer | T1027.002 - Obfuscated Files or Information: Software Packing | T1569.002 - System Services: Service Execution | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1546.008 - Event Triggered Execution: Accessibility Features | T1543.003 - Create or Modify System Process: Windows Service | T1554 - Compromise Client Software Binary | T1078.001 - Valid Accounts: Default Accounts | T1140 - Deobfuscate/Decode Files or Infor[...]
Published: 2023-05-31T17:19:00+00:00 | https://www.anomali.com/blog/anomali-cyber-watch-shadow-force-targets-korean-servers-volt-typhoon-abuses-built-in-tools-cosmicenergy-tests-electric-distribution-disruption | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=8340962
Tags: Ransomware, Malware, Tool, Vulnerability, Threat | Actors: APT 38, Guam, CosmicEnergy

NoticeBored (experienced IT security professional): CISO workshop slides
A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady eye this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact, given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):
Published: 2022-08-06T10:46:21+00:00 | http://blog.noticebored.com/2022/08/a-glossy-nicely-constructed-and.html | Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=6150878
Tags: Malware, Vulnerability, Threat, Patching, Guideline, Medical, Cloud | Actors: Uber, APT 38, APT 37, APT 28, APT 19, APT 15, APT 10, APT 34, Guam