www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
2024-06-03T12:49:06+00:00 www.secnews.physaphae.fr

SANS Institute - SANS is a player in defense and training
YAHDD! (Yet another HUGE data Breach!), (Thu, Sep 22nd)
Yahoo! is the latest victim of a large scale data breach. It looks like the released data dates back to at least 2014 and contains more than 500 Million user accounts, so if you haven't changed your Yahoo! password in the last couple of years then it is time. As one of the other ISC Handlers pointed out... not all Yahoo! customers may know they are Yahoo! customers. Yahoo! whitelabels email services on behalf of ISPs and email providers. I assume those white label providers will need to do notifications to their customers as well?
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2016-09-22T23:42:35+00:00 https://isc.sans.edu/diary.html?storyid=21513&rss www.secnews.physaphae.fr/article.php?IdArticle=113254 True None Yahoo None

@DarkReading - Twitter feed
DarkReading: Yahoo Reveals Nation State-Borne Data Breach Affecting A Half-Billion Users http://ubm.io/2d0Aju4
2016-09-22T23:15:53+00:00 https://twitter.com/DarkReading/status/779066715523211265 www.secnews.physaphae.fr/article.php?IdArticle=112609 True None Yahoo None

@DarkReading - Twitter feed
DarkReading: Yahoo Reveals Nation State-Borne Data Breach Affecting A Half-Billion Users http://ubm.io/2d7R1wr #yahoo
2016-09-22T23:03:08+00:00 https://twitter.com/DarkReading/status/779063506234736641 www.secnews.physaphae.fr/article.php?IdArticle=112456 False None Yahoo None

SC Magazine - Magazine
State-sponsored actors suspected in historic Yahoo breach; at least 500 million accounts affected
2016-09-22T22:26:10+00:00 http://feedproxy.google.com/~r/SCMagazineHome/~3/kYDDkkTrhXY/ www.secnews.physaphae.fr/article.php?IdArticle=113329 True None Yahoo None

SC Magazine - Magazine
Yahoo breach; State-sponsored actors suspected, at least 500 million accounts affected
2016-09-22T22:26:10+00:00 http://feedproxy.google.com/~r/SCMagazineHome/~3/nn7lpdnoRh0/ www.secnews.physaphae.fr/article.php?IdArticle=116470 True None Yahoo None

The State of Security - American magazine
Yahoo Says 500M Users' Account Info Stolen by State-Sponsored Actor
2016-09-22T21:21:09+00:00 http://www.tripwire.com/state-of-security/latest-security-news/yahoo-confirms-at-least-500m-users-account-info-stolen-by-state-sponsored-actor/ www.secnews.physaphae.fr/article.php?IdArticle=112457 False None Yahoo None

Ars Technica - Risk Assessment Security Hacktivism
Yahoo says half a billion accounts breached by nation-sponsored hackers
2016-09-22T20:21:43+00:00 http://arstechnica.com/security/2016/09/yahoo-says-half-a-billion-accounts-breached-by-nation-sponsored-hackers/ www.secnews.physaphae.fr/article.php?IdArticle=112256 False None Yahoo None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
500 Million Yahoo Accounts Stolen By State-Sponsored Hackers
2016-09-22T19:47:01+00:00 https://threatpost.com/500-million-yahoo-accounts-stolen-by-state-sponsored-hackers/120818/ www.secnews.physaphae.fr/article.php?IdArticle=112598 False None Yahoo None

TechRepublic - Security News US
Yahoo confirms 500M accounts leaked in massive data breach
2016-09-22T19:40:04+00:00 http://www.techrepublic.com/article/yahoo-confirms-500m-accounts-leaked-in-massive-data-breach/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=112583 False None Yahoo None

Network World - IT magazine
Yahoo uncovered breach after probing a black market sale
data breach, which affects at least 500 million users, but it could be unrelated to the black market sale of alleged Yahoo accounts, according to a source familiar with the matter. The information comes even as security experts have been questioning why Yahoo took so long to warn the public when it was known that a hacker was claiming to be selling the data online around early August.
2016-09-22T19:39:15+00:00 http://www.networkworld.com/article/3123532/yahoo-uncovered-breach-after-probing-a-black-market-sale.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=113857 False None Yahoo None

SecurityWeek - Security News
Yahoo Confirms Massive Data Breach of 500 Million Accounts
2016-09-22T19:08:03+00:00 http://feedproxy.google.com/~r/Securityweek/~3/4pUUiUWU1pU/yahoo-confirms-massive-data-breach-500-million-accounts www.secnews.physaphae.fr/article.php?IdArticle=112107 False None Yahoo None

Graham Cluley - Security blog
Yahoo confirms: at least 500 million accounts hacked in 2014 data breach
writes:
We have confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network.
My advice? Reset your Yahoo password. Make it a strong, complex password - and make sure that you are not using the same password anywhere else on the net. If you were using the same password in multiple places, you need to get out of that habit right now. Reusing passwords is a disaster waiting to happen, and could allow hackers to crack open other accounts using the same credentials. Invest in a decent password manager program to generate random, hard-to-crack passwords, store them securely and remember them for you. If you haven't already done so, enable two-step verification on your Yahoo account. Watch out for phishing emails that pretend to come from Yahoo. More as this news develops.
2016-09-22T19:01:25+00:00 https://www.grahamcluley.com/2016/09/yahoo-confirms-500-million-accounts-hacked-2014-data-breach/ www.secnews.physaphae.fr/article.php?IdArticle=111845 False None Yahoo None

Bleeping Computer - American magazine
Yahoo hit with a Massive 500 Million Account Data Breach
2016-09-22T17:57:04+00:00 http://www.bleepingcomputer.com/news/business/yahoo-hit-with-a-massive-500-million-account-data-breach/ www.secnews.physaphae.fr/article.php?IdArticle=112692 False None Yahoo None

Network World - IT magazine
Hackers have a treasure trove of data with the Yahoo breach
affected in one of the biggest data breaches in history. Information including names, email addresses, telephone numbers and hashed passwords may have been stolen. Yahoo has blamed the attack on a "state-sponsored actor," but it's far from clear who hacked the internet company and how the culprits pulled off the attack. Blaming it on a state-sponsored actor, however, indicates that Yahoo may have found evidence that the hackers were targeting the company over a long period of time, said Vitali Kremez, a cybercrime analyst at security firm Flashpoint.
2016-09-22T17:33:46+00:00 http://www.networkworld.com/article/3122963/hackers-have-a-treasure-trove-of-data-with-the-yahoo-breach.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=113472 False None Yahoo None

Dark Reading - Informationweek Branch
Yahoo Reveals Nation State-Borne Data Breach Affecting A Half-Billion Users
2016-09-22T16:40:00+00:00 http://www.darkreading.com/attacks-breaches/yahoo-reveals-nation-state-borne-data-breach-affecting-a-half-billion-users/d/d-id/1326984?_mc=RSS_DR_EDT www.secnews.physaphae.fr/article.php?IdArticle=112748 False None Yahoo None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
Yahoo Reportedly to Confirm Breach of Hundreds of Millions of Credentials
2016-09-22T16:31:27+00:00 https://threatpost.com/yahoo-reportedly-to-confirm-breach-of-hundreds-of-millions-of-credentials/120797/ www.secnews.physaphae.fr/article.php?IdArticle=111150 False None Yahoo None

Wired Threat Level - Security News
Hack Brief: Yahoo Looks Set to Confirm a Big, Old Data Breach
The company is reportedly about to admit that a four-year-old collection of 200 million user accounts up for sale on the dark web is real, stolen data.
2016-09-22T16:15:44+00:00 https://www.wired.com/2016/09/hack-brief-yahoo-looks-set-confirm-big-old-data-breach/ www.secnews.physaphae.fr/article.php?IdArticle=111055 False None Yahoo None

Ars Technica - Risk Assessment Security Hacktivism
Purported data from 200 million Yahoo accounts may be legit
2016-09-22T15:42:11+00:00 http://arstechnica.com/security/2016/09/yahoo-reported-to-be-ready-to-confirm-2012-breach-of-200-million-accounts/ www.secnews.physaphae.fr/article.php?IdArticle=110710 False None Yahoo None

Network World - IT magazine
The massive Yahoo hack ranks as the world's biggest -- so far
a ranking by the "Have I been pwned" website. Like the Yahoo breach, the hack was only publicly disclosed this year after data was offered on a hacker forum. And only three breaches had ranked above the 100 million level: LinkedIn reported a loss of 167 million email addresses and passwords. They were originally stolen in 2012 but not publicly disclosed until 2016, again after the data was offered on an underground "dark market" site.
2016-09-22T13:36:47+00:00 http://www.networkworld.com/article/3123445/the-massive-yahoo-hack-ranks-as-the-worlds-biggest-so-far.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=112350 False None Yahoo None

Network World - IT magazine
Yahoo data breach affects at least 500 million users
went on sale on the black market last month. However, the hacker behind the sale claimed that the stolen database involved only 200 million users and was likely obtained in 2012.
2016-09-22T12:16:27+00:00 http://www.networkworld.com/article/3123102/yahoo-data-breach-affects-at-least-500-million-users.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=111970 False None Yahoo None

@AnonyOps - Twitter feed
Joseph Cox: Original report here: Yahoo said, "We are committed to protecting the security of our users' information" https://motherboard.vice.com/read/yahoo-supposed-data-breach-200-million-credentials-dark-web
2016-09-22T08:46:25+00:00 https://twitter.com/josephfcox/status/778847906837229568 www.secnews.physaphae.fr/article.php?IdArticle=111537 False None Yahoo None

@AnonyOps - Twitter feed
Joseph Cox: Might have been better to warn users, reset passwords, back when we contacted Yahoo in, you know, July? http://www.recode.net/2016/9/22/13012836/yahoo-is-expected-to-confirm-massive-data-breach-impacting-hundreds-of-millions-of-users
2016-09-22T08:41:24+00:00 https://twitter.com/josephfcox/status/778846643466756096 www.secnews.physaphae.fr/article.php?IdArticle=111538 False None Yahoo None

Graham Cluley - Security blog
Yahoo 'expected to confirm massive data breach', says Recode
As Yahoo poises to sell up to Verizon, it may have some bad news to share. Recode reports that "several hundred million" account credentials may have been impacted by a data breach.
2016-09-22T08:24:29+00:00 https://www.grahamcluley.com/2016/09/yahoo-expected-confirm-massive-data-breach-says-recode/ www.secnews.physaphae.fr/article.php?IdArticle=109273 False None Yahoo None

Network World - IT magazine
Yahoo reportedly to confirm massive data breach
reported Thursday, citing unnamed sources familiar with the investigation.
2016-09-22T08:03:00+00:00 http://www.networkworld.com/article/3123034/security/yahoo-reportedly-to-confirm-massive-data-breach.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=110676 False None Yahoo None

Dark Reading - Informationweek Branch
Google, Facebook, Twitter, Petition Congress To Support ICANN Transition
2016-09-14T09:10:00+00:00 http://www.darkreading.com/cloud/google-facebook-twitter-petition-congress-to-support-icann-transition/d/d-id/1326896?_mc=RSS_DR_EDT www.secnews.physaphae.fr/article.php?IdArticle=63698 False None Yahoo None

Network World - IT magazine
Election exploits: What you need to know [infographic]
2016-09-07T14:48:00+00:00 http://www.networkworld.com/article/3117643/security/election-exploits-what-you-need-to-know-infographic.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=28202 False None Yahoo None

Ars Technica - Risk Assessment Security Hacktivism
98 million passwords from 2012 breach of "Russia's Yahoo" Rambler.ru leaked
2016-09-06T13:46:12+00:00 http://arstechnica.com/security/2016/09/98-million-passwords-from-2012-breach-of-russias-yahoo-rambler-ru-leaked/ www.secnews.physaphae.fr/article.php?IdArticle=20793 False None Yahoo 5.0000000000000000

The State of Security - American magazine
Mega Breach Strikes Rambler.ru with Leak of Nearly 100M User Records
2016-09-06T11:33:18+00:00 http://www.tripwire.com/state-of-security/latest-security-news/mega-breach-strikes-rambler-ru-with-leak-of-nearly-100m-user-records/ www.secnews.physaphae.fr/article.php?IdArticle=20266 False None Yahoo None

The Hacker News - The Hacker News is a hacking news blog (surprising, isn't it?)
Russia's Largest Portal HACKED; Nearly 100 Million Plaintext Passwords Leaked
2016-09-06T00:28:22+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/N6FpkBHn4-4/russias-largest-portal-hacked-nearly.html www.secnews.physaphae.fr/article.php?IdArticle=19814 False None Yahoo None

Naked Security - Sophos blog
Yahoo email privacy lawsuit settled
2016-09-01T12:46:53+00:00 https://nakedsecurity.sophos.com/2016/09/01/yahoo-email-privacy-lawsuit-settled/ www.secnews.physaphae.fr/article.php?IdArticle=9837 False None Yahoo None

Korben - French blogger
Canary - A next-generation mail client for OSX
This wonderful and unequalled article entitled "Canary - A next-generation mail client for OSX" was published on Korben, the only site that loves you more than your parents do.
2016-08-30T08:00:37+00:00 http://feedproxy.google.com/~r/KorbensBlog-UpgradeYourMind/~3/ULz1yhklkoI/canary-client-mail-nouvelle-generation-osx.html www.secnews.physaphae.fr/article.php?IdArticle=9479 False None Yahoo None

Dark Reading - Informationweek Branch
Report: Hackers Breach Two State Election Databases, FBI Warns
2016-08-29T13:20:00+00:00 http://www.darkreading.com/attacks-breaches/report-hackers-breach-two-state-election-databases-fbi-warns/d/d-id/1326760?_mc=RSS_DR_EDT www.secnews.physaphae.fr/article.php?IdArticle=9406 False None Yahoo None

Network World - IT magazine
FBI warns that hackers are targeting state election systems
report by Yahoo News on Monday. Voter registration databases from both Illinois and Arizona were targeted in the hacks, according to the report. In the Illinois case, personal data on 200,000 voters was stolen. In July, an official with the state's board of elections warned on Facebook that the voting system had fallen to a cyberattack, forcing a shutdown.
2016-08-29T10:36:10+00:00 http://www.networkworld.com/article/3113452/fbi-warns-that-hackers-are-targeting-state-election-systems.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=9394 False None Yahoo None

Krebs on Security - American researcher
United Airlines Sets Minimum Bar on Security
2016-08-24T16:13:46+00:00 https://krebsonsecurity.com/2016/08/united-airlines-sets-minimum-bar-on-security/ www.secnews.physaphae.fr/article.php?IdArticle=8595 False None Yahoo None

UnderNews - French "hacker" news site
200 million Yahoo credentials for sale for 3 bitcoins
It had been a while since the cybercriminal "Peace of Mind" had made the news on the Web. That has now changed with the publication of a black-market listing offering more than 200 million Yahoo credentials for 3 BTC.
2016-08-03T14:03:50+00:00 http://feedproxy.google.com/~r/undernews/oCmA/~3/HuENnQXl8gU/200-millions-didentifiants-yahoo-en-vente-pour-3-bitcoins.html www.secnews.physaphae.fr/article.php?IdArticle=5660 False None Yahoo None

Ars Technica - Risk Assessment Security Hacktivism
Yahoo investigating claimed breach and data dump of 200 million users
2016-08-03T13:00:23+00:00 http://arstechnica.com/security/2016/08/yahoo-email-data-breach-dump/ www.secnews.physaphae.fr/article.php?IdArticle=5640 False None Yahoo None

SecurityWeek - Security News
Hacker Selling Credentials of 200 Million Yahoo Users
2016-08-02T17:10:04+00:00 http://feedproxy.google.com/~r/Securityweek/~3/3SJI1D9fPBM/hacker-selling-credentials-200-million-yahoo-users www.secnews.physaphae.fr/article.php?IdArticle=5285 False None Yahoo None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
Yahoo Investigates 200 Million Alleged Accounts For Sale On Dark Web
2016-08-02T16:51:25+00:00 https://threatpost.com/yahoo-investigates-200-million-alleged-accounts-for-sale-on-dark-web/119624/ www.secnews.physaphae.fr/article.php?IdArticle=5282 False None Yahoo None

We Live Security - ESET antivirus software vendor
Yahoo looks into major data breach claims
2016-08-02T16:37:31+00:00 http://feedproxy.google.com/~r/eset/blog/~3/F4Xv7lw1GcM/ www.secnews.physaphae.fr/article.php?IdArticle=5296 False None Yahoo None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
Yahoo Ordered to Explain Data Gathering Procedures in Deleted Email Case
2016-07-26T21:26:33+00:00 https://threatpost.com/yahoo-ordered-to-explain-data-gathering-procedures-in-deleted-email-case/119499/ www.secnews.physaphae.fr/article.php?IdArticle=4740 False None Yahoo None

Naked Security - Sophos blog
Yahoo ordered to show how it recovered 'deleted' emails in drug case
2016-07-26T10:45:00+00:00 https://nakedsecurity.sophos.com/2016/07/26/yahoo-ordered-to-show-how-it-recovered-deleted-emails-in-drug-case/ www.secnews.physaphae.fr/article.php?IdArticle=4704 False None Yahoo None

Ars Technica - Risk Assessment Security Hacktivism
New evidence suggests DNC hackers penetrated deeper than previously thought
2016-07-25T19:43:40+00:00 http://arstechnica.com/security/2016/07/new-evidence-suggests-dnc-hackers-penetrated-deeper-than-previously-thought/ www.secnews.physaphae.fr/article.php?IdArticle=4666 False None Yahoo None

ZD Net - IT magazine
Meet the hacker who tries to break Yahoo every day
2016-07-18T19:30:00+00:00 http://www.zdnet.com/article/meet-the-hacker-who-tries-to-break-yahoo-every-day/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=4266 False None Yahoo None

Silicon - French news site
Telegrams: Cisco eyes Nutanix; Nuxeo raises 10 million dollars; SFR enters video conferencing; Yahoo sells its patents
2016-06-08T16:28:10+00:00 http://www.silicon.fr/telegrammes-cisco-regarde-nutanix-nuxeo-leve-10-millions-de-dollars-sfr-se-lance-dans-la-visioconference-yahoo-vend-ses-brevets-149743.html www.secnews.physaphae.fr/article.php?IdArticle=2571 False None Yahoo None

Silicon - French news site
Telegrams: IBM flies with Emirates; Microsoft adopts Spark; Verizon eyes Yahoo; Office 365 organizes your projects
2016-06-07T16:26:00+00:00 http://www.silicon.fr/ibm-emirates-microsoft-spark-verizon-yahoo-microsoft-projets-149584.html www.secnews.physaphae.fr/article.php?IdArticle=2510 False None Yahoo None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
Yahoo Discloses Contents of Three National Security Letters
2016-06-01T17:29:49+00:00 https://threatpost.com/yahoo-discloses-contents-of-three-national-security-letters/118389/ www.secnews.physaphae.fr/article.php?IdArticle=2300 False None Yahoo None

SC Magazine - Magazine
Fearing ransomware, House bans Google-hosted apps, Yahoo Mail
2016-05-12T17:00:00+00:00 http://feedproxy.google.com/~r/SCMagazineHome/~3/PFF-oRI-ZS8/ www.secnews.physaphae.fr/article.php?IdArticle=1594 False None Yahoo None

Kaspersky Threatpost - Kaspersky is a Russian antivirus vendor
Yahoo Releases Second Wave of Unsealed FISC Documents
2016-05-10T11:00:51+00:00 https://threatpost.com/yahoo-releases-second-wave-of-unsealed-fisc-documents/117957/ www.secnews.physaphae.fr/article.php?IdArticle=1405 False None Yahoo None

SANS Institute - SANS is a player in defense and training
An Introduction to Mac memory forensics, (Tue, Apr 26th)
https://github.com/google/rekall/releases/download/v1.3.2/osxpmem_2.0.1.zip
Now let
cd osxpmem.app/
chown -R root:wheel MacPmem.kext/
kextload MacPmem.kext/
./osxpmem -c none -o mem.dump
The
bulk_extractor -o bulkdir/ mem.dump
The
ls -lS bulkdir/
total 1520
-rw-r--r-- 1 root staff 398534 Apr 26 15:49 zip.txt
-rw-r--r-- 1 root staff 202338 Apr 26 15:49 url.txt
-rw-r--r-- 1 root staff 104701 Apr 26 15:49 domain.txt
-rw-r--r-- 1 root staff 32010 Apr 26 15:49 report.xml
-rw-r--r-- 1 root staff 1680 Apr 26 15:49 exif.txt
-rw-r--r-- 1 root staff 1030 Apr 26 15:49 url_histogram.txt
-rw-r--r-- 1 root staff 878 Apr 26 15:49 rfc822.txt
-rw-r--r-- 1 root staff 493 Apr 26 15:49 email.txt
-rw-r--r-- 1 root staff 427 Apr 26 15:49 domain_histogram.txt
-rw-r--r-- 1 root staff 350 Apr 26 15:49 url_services.txt
-rw-r--r-- 1 root staff 205 Apr 26 15:49 email_histogram.txt
-rw-r--r-- 1 root staff 191 Apr 26 15:49 email_domain_histogram.txt
-rw-r--r-- 1 root staff 0 Apr 26 15:48 aes_keys.txt
-rw-r--r-- 1 root staff 0 Apr 26 15:48 alerts.txt
Now let
# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.5.0 ($Rev: 10844 $)
# Feature-Recorder: domain
# Filename: mem.dump
# Histogram-File-Version: 1.1
n=821 www.apple.com
n=218 crl.apple.com
n=4 www.iec.ch
n=4 www.w3.org
n=3 3.2.1.3
n=2 aff4.org
n=2 bugreporter.apple.com
n=2 lists.sourceforge.net
n=2 schemas.xmlsoap.org
n=2 support.apple.com
n=2 www.ietf.org
n=1 2.0.2.3
n=1 4.2.6.1
n=1 6.4.0.7
n=1 tempuri.org
n=12633 @yahoo.com
n=6135 @isc.sans.edu
n=4820 @imap.mail.yahoo.com
n=4544 @lists.sans.org
n=3255 @sans.edu
n=2563 @sans.org
n=2546 @incidents.org
n=2253 @gmail.com
n=1319 @isc.sans.org
n=866 @mail.gmail.com
n=811 @web1d.den.giac.net
720717488 192.168.1.3 struct ip L (src) cksum-ok
720717488 192.168.1.5 struct ip R (dst) cksum-ok
720719296 192.168.1.3 struct ip L (src) cksum-ok
720719296 192.168.1.5 struct ip R (dst) cksum-ok
720719536 192.168.1.3 struct ip L (src) cksum-ok
720719536 192.168.1.5 struct ip R (dst) cksum-ok
720720304 192.168.1.3 struct ip L (src) cksum-ok
720720304 192.168.1.5 struct ip R (dst) cksum-ok
720721832 192.168.1.3 struct ip L (src) cksum-ok
720721832 192.168.1.5 struct ip R (dst) cksum-ok
720722352 192.168.1.3 struct ip L (src) cksum-ok
720722352 192.168.1.5 struct ip R (dst) cksum-ok
720723112 192.168.1.3 struct ip L (src) cksum-ok
720723112 192.168.1.5 struct ip R (dst) cksum-ok
720727976 192.168.1.3 struct ip L (src) cksum-ok
720727976 192.168.1.5 struct ip R (dst) cksum-ok
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2016-04-26T17:57:41+00:00 https://isc.sans.edu/diary.html?storyid=20989&rss www.secnews.physaphae.fr/article.php?IdArticle=814 False None Yahoo None

AlienVault Lab Blog - AlienVault is a major defense player in IOCs
Operation BlockBuster unveils the actors behind the Sony attacks
Kaspersky's Global Research and Analysis Team. In the research that AlienVault and Kaspersky collaborated on, we attributed several campaigns to this actor. Armed with some of the indicators that US-CERT made public after the Sony attack, we continued to analyze different campaigns in 2015 that we suspected were being launched by the same actor. Eventually we were also able to attribute previous activity to the same attackers, including:
Sony Pictures Entertainment - 2014
Operation DarkSeoul - 2013
Operation Troy - 2013
Wild Positron / Duuzer - 2015
Besides several campaigns where the Lazarus Group has utilized wipers to perform destructive attacks, they have also been busy using the same tools to perform data theft and cyber espionage operations. Today, as part of the Operation BlockBuster release, we want to share some of our findings and TTPs from the Lazarus Group that allowed us to link and attribute all the campaigns and tools into the same cluster of activity. We highly recommend that you read the comprehensive report Novetta published today, which includes details on the project's scope and the more than 45 malware families identified, and includes signatures and guidance to help organizations detect and stop the group's actions.
Encryption/Shared keys
One of the key findings that gave us the opportunity to link several families to the same actors was finding a dropper that the attackers use. This dropper contains a compressed resource (ZIP) with the name "MYRES" that is protected by a password. The attackers have reused the same password on different occasions and we were able to find droppers containing different families used by the group. This actor also reuses the code libraries they utilize to perform RSA encryption. We were also able to find the exact same public key in multiple variants.
Batch scripts
This actor often uses BAT files that share the same skeleton in order to delete the initial files after infection. We have seen them reuse this technique across multiple droppers and payloads.
Obfuscation functions
The Lazarus Group uses a few different methods to obfuscate API functions and dynamically load them. One of them consists of using a simple XOR scheme.
2016-02-24T14:00:00+00:00 http://feeds.feedblitz.com/~/140108184/0/alienvaultotx~Operation-BlockBuster-unveils-the-actors-behind-the-Sony-attacks www.secnews.physaphae.fr/article.php?IdArticle=59 False Medical APT 38,Yahoo None

Contagio - Ransomware news site
Sandbox MIMIng. CVE-2012-0158 in MHTML samples and analysis
Update - Sept 4, 2013
I added more descriptions and changed NjRat / Backdoor.LV to Vidgrab - the traffic communications are similar to NjRat/Backdoor.LV but it does not use base64 and sends an initial request starting with ...3 (0x01 0x00 0x00 0x00 0x33) followed by null bytes - it does not start with lv|
I am still looking for names for a few other backdoors below, so if you recognize them, please let me know.
Recently, my custom sandbox has been trying to open some Word attachments in a browser because the filetype fingerprint service detected them as MIME HTML files. Browsers are usually the default applications for such types, and the files did contain the CVE-2012-0158 exploit. A quick Google lookup yielded a May 2013 report from the Chinese company Antiy, "The Latest APT Attack by Exploiting CVE-2012-0158 Vulnerability", which described this new exploit vector. Antiy noted that these MHTML files evade antivirus, and indeed only half of the vendors represented on VirusTotal detect them. However, many companies rely on their automated tools, inline and standalone sandboxes, not just antivirus, to determine if a file is malicious. I checked how these files (files without any extension) were processed by other commercial and open source mailboxes. 3 out of 5 well known commercial and open source mail scan and web sandbox vendors returned no output or informed me that the filetype was not supported. While writing this post, I noticed that Malwaretracker also mentioned the rise in this vector's usage in his post on Friday, so I am sure the sandbox vendors are fixing the issue as we speak. I checked 25 MHTML CVE-2012-0158 files and compared their targets (at least those I could obtain) and payload. The analysis showed a good variety of trojans and predominantly human rights (Tibet, Uyghur) activists. I will post a month's worth of these files.
CVE #CVE-2012-0158
The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2
2013-09-09T00:21:11+00:00 http://contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html www.secnews.physaphae.fr/article.php?IdArticle=9957 False None Yahoo None