This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2024-05-20T19:12:39+00:00 www.secnews.physaphae.fr The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) The threat actors behind ClearFake, SocGholish, and dozens of other actors have established partnerships with another entity known as VexTrio as part of a massive "criminal affiliate program," new findings from Infoblox reveal. The latest development demonstrates the "breadth of their activities and depth of their connections within the cybercrime industry," the company said,]]> 2024-01-23T20:03:00+00:00 https://thehackernews.com/2024/01/vextrio-uber-of-cybercrime-brokering.html www.secnews.physaphae.fr/article.php?IdArticle=8442148 False Malware,Threat Uber 4.0000000000000000 ProofPoint - Cyber Firms 2024-01-09T11:57:12+00:00 https://www.proofpoint.com/us/blog/identity-threat-defense/rise-in-identity-threats www.secnews.physaphae.fr/article.php?IdArticle=8437188 False Ransomware,Malware,Tool,Threat,Studies Uber 2.0000000000000000 ProofPoint - Cyber Firms 2023-11-27T09:26:51+00:00 https://www.proofpoint.com/us/blog/security-awareness-training/cybersecurity-topics-to-include-in-your-program www.secnews.physaphae.fr/article.php?IdArticle=8417272 False Ransomware,Malware,Tool,Vulnerability,Threat,Mobile,Cloud Uber,Uber 2.0000000000000000 ProofPoint - Cyber Firms 2023-11-21T08:35:02+00:00 https://www.proofpoint.com/us/blog/information-protection/preventing-mfa-fatigue-attacks www.secnews.physaphae.fr/article.php?IdArticle=8415409 False Ransomware,Data Breach,Malware,Tool,Threat,Technical Uber 3.0000000000000000 AlienVault Lab Blog - AlienVault est un acteur de defense majeur dans les IOC The State of API Security Q1 Report 2023 survey finding concluded that the attacks targeting APIs had increased 400% during the past six months. Security vulnerabilities within APIs compromise critical systems, resulting in unauthorized access and data breaches like Twitter and Optus API breaches. Cybercriminals can exploit the vulnerabilities and launch various attacks like authentication attacks, distributed denial-of-service attacks (DDoS), and malware attacks. API security has emerged as a significant business issue as another report reveals that by 2023, API abuses will be the most frequent attack vector causing data breaches, and also, 50% of data theft incidents will happen due to insecure APIs. As a result, API security has. become a top priority for organizations to safeguard their data, which may cost businesses $75 billion annually. Why does API security still pose a threat in 2023? Securing APIs has always been a daunting task for most organizations, mainly because of the misconfigurations within APIs and the rise in cloud data breaches. As the security landscape evolved, API sprawl became the top reason that posed a threat to API security. API sprawl is the uncontrolled proliferation of APIs across an organization and is a common problem for enterprises with multiple applications, services, and development teams. As more APIs are created, they expanded the attack surface and emerged as an attractive target for hackers. The issue is that the APIs are not always designed by keeping security standards in mind. This leads to a lack of authorization and authentication, exposing sensitive data like personally identifiable information (PII) or other business data.  API sprawl]]> 2023-08-15T10:00:00+00:00 https://cybersecurity.att.com/blogs/security-essentials/why-is-api-security-the-next-big-thing-in-cybersecurity www.secnews.physaphae.fr/article.php?IdArticle=8370101 False Malware,Tool,Vulnerability,Threat,Cloud Uber 3.0000000000000000 knowbe4 - cybersecurity services CyberheistNews Vol 13 #24  |   June 13th, 2023 [The Mind\'s Bias] Pretexting Now Tops Phishing in Social Engineering Attacks The New Verizon DBIR is a treasure trove of data. As we will cover a bit below, Verizon reported that 74% of data breaches Involve the "Human Element," so people are one of the most common factors contributing to successful data breaches. Let\'s drill down a bit more in the social engineering section. They explained: "Now, who has received an email or a direct message on social media from a friend or family member who desperately needs money? Probably fewer of you. This is social engineering (pretexting specifically) and it takes more skill. "The most convincing social engineers can get into your head and convince you that someone you love is in danger. They use information they have learned about you and your loved ones to trick you into believing the message is truly from someone you know, and they use this invented scenario to play on your emotions and create a sense of urgency. The DBIR Figure 35 shows that Pretexting is now more prevalent than Phishing in Social Engineering incidents. However, when we look at confirmed breaches, Phishing is still on top." A social attack known as BEC, or business email compromise, can be quite intricate. In this type of attack, the perpetrator uses existing email communications and information to deceive the recipient into carrying out a seemingly ordinary task, like changing a vendor\'s bank account details. But what makes this attack dangerous is that the new bank account provided belongs to the attacker. As a result, any payments the recipient makes to that account will simply disappear. BEC Attacks Have Nearly Doubled It can be difficult to spot these attacks as the attackers do a lot of preparation beforehand. They may create a domain doppelganger that looks almost identical to the real one and modify the signature block to show their own number instead of the legitimate vendor. Attackers can make many subtle changes to trick their targets, especially if they are receiving many similar legitimate requests. This could be one reason why BEC attacks have nearly doubled across the DBIR entire incident dataset, as shown in Figure 36, and now make up over 50% of incidents in this category. Financially Motivated External Attackers Double Down on Social Engineering Timely detection and response is crucial when dealing with social engineering attacks, as well as most other attacks. Figure 38 shows a steady increase in the median cost of BECs since 2018, now averaging around $50,000, emphasizing the significance of quick detection. However, unlike the times we live in, this section isn\'t all doom and ]]> 2023-06-13T13:00:00+00:00 https://blog.knowbe4.com/cyberheistnews-vol-13-24-the-minds-bias-pretexting-now-tops-phishing-in-social-engineering-attacks www.secnews.physaphae.fr/article.php?IdArticle=8344804 False Spam,Malware,Vulnerability,Threat,Patching ChatGPT,ChatGPT,APT 43,APT 37,Uber 2.0000000000000000 knowbe4 - cybersecurity services CyberheistNews Vol 13 #22  |   May 31st, 2023 [Eye on Fraud] A Closer Look at the Massive 72% Spike in Financial Phishing Attacks With attackers knowing financial fraud-based phishing attacks are best suited for the one industry where the money is, this massive spike in attacks should both surprise you and not surprise you at all. When you want tires, where do you go? Right – to the tire store. Shoes? Yup – shoe store. The most money you can scam from a single attack? That\'s right – the financial services industry, at least according to cybersecurity vendor Armorblox\'s 2023 Email Security Threat Report. According to the report, the financial services industry as a target has increased by 72% over 2022 and was the single largest target of financial fraud attacks, representing 49% of all such attacks. When breaking down the specific types of financial fraud, it doesn\'t get any better for the financial industry: 51% of invoice fraud attacks targeted the financial services industry 42% were payroll fraud attacks 63% were payment fraud To make matters worse, nearly one-quarter (22%) of financial fraud attacks successfully bypassed native email security controls, according to Armorblox. That means one in five email-based attacks made it all the way to the Inbox. The next layer in your defense should be a user that\'s properly educated using security awareness training to easily identify financial fraud and other phishing-based threats, stopping them before they do actual damage. Blog post with links:https://blog.knowbe4.com/financial-fraud-phishing [Live Demo] Ridiculously Easy Security Awareness Training and Phishing Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense. Join us Wednesday, June 7, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users. ]]> 2023-05-31T13:00:00+00:00 https://blog.knowbe4.com/cyberheistnews-vol-13-22-eye-on-fraud-a-closer-look-at-the-massive-72-percent-spike-in-financial-phishing-attacks www.secnews.physaphae.fr/article.php?IdArticle=8340859 False Ransomware,Malware,Hack,Tool,Threat,Conference ChatGPT,ChatGPT,Uber,Guam 2.0000000000000000 AlienVault Lab Blog - AlienVault est un acteur de defense majeur dans les IOC github page to provide user support or employee monitoring. It has been historically associated with malicious activity performed by threat actors, APT groups (like in this Mandiant report from 2017), or government attacks (in this report by Unit42 in 2017). It was first released in July 2014 as “xRAT” and renamed to “Quasar” in August 2015. Since then, there have been released updates to the code until v1.4.1 in March 2023, which is the most current version. As an open-source RAT tool with updates 9 years after its creation, it is no surprise that it continues to be a common tool used by itself or combined with other payloads by threat actors up to this day. In a review of the most recent samples, a new Quasar variant was observed by Alien Labs in the wild: SeroXen. This new RAT is a modified branch of the open-source version, adding some modifications features to the original RAT. They’re selling it for monthly or lifetime fee. Figure 1 contains some of the features advertised on their website. Figure 1. SeroXen features announced on its website. This new RAT first showed up on a Twitter account, established in September 2022. The person advertising the RAT appeared to be an English-speaking teenager. The same Twitter handle published a review of the RAT on YouTube. The video approached the review from an attacking/Red Team point of view, encouraging people to buy the tool because it is worth the money. They were claiming to be a reseller of the tool. In December 2022, a specific domain was registered to market/sell the tool, seroxen[.]com. The RAT was distributed via a monthly license for $30 USD or a lifetime license of $60 USD. It was around that time that the malware was first observed in the wild, appearing with 0 detections on VirusTotal. After a few months, on the 1st of February, the YouTuber CyberSec Zaado published a video alerting the community about the capabilities of the RAT from a defensive perspective. In late February, the RAT was advertised on social media platforms such as TikTok, Twitter, YouTube, and several cracking forums, including hackforums. There were some conversations on gaming forums complaining about being infected by malware after downloading some video games. The artifacts described by the users matched with SeroXen RAT. The threat actor updated the domain name to seroxen[.]net by the end of March. This domain name was registered on March 27th]]> 2023-05-30T22:00:00+00:00 https://cybersecurity.att.com/blogs/labs-research/seroxen-rat-for-sale www.secnews.physaphae.fr/article.php?IdArticle=8340743 False Malware,Tool,Threat APT 10,Uber 2.0000000000000000 GoogleSec - Firm Security Blog preventing over $2 billion in fraudulent and abusive transactions. We\'ve raised the bar for new developers to join the Play ecosystem with phone, email, and other identity verification methods, which contributed to a reduction in accounts used to publish violative apps. We continued to partner with SDK providers to limit sensitive data access and sharing, enhancing the privacy posture for over one million apps on Google Play. With strengthened Android platform protections and policies, and developer outreach and education, we prevented about 500K submitted apps from unnecessarily accessing sensitive permissions over the past 3 years. Developer Support and Collaboration to Help Keep Apps Safe As the Android ecosystem expands, it\'s critical for us to work closely with the developer community to ensure they have the tools, knowledge, and support to build secure and trustworthy apps that respect user data security and privacy. In 2022, the App Security Improvements program helped developers fix ~500K security weaknesses affecting ~300K apps with a combined install base of approximately 250B installs. We also launched the Google Play SDK Index to help developers evaluate an SDK\'s reliability and safety and make informed decisions about whether an SDK is right for their business and their users. We will keep working closely with SDK providers to improve app and SDK safety, limit how user data is shared, and improve lines of communication with app developers. We also recently launched new features and resources to give developers a better policy experience. We\'ve expanded our Helpline pilot to give more developers direct policy phone support. And we piloted the Google Play Developer Community so more developers can discuss policy questions and exchange best practices on how to build ]]> 2023-04-27T11:01:43+00:00 http://security.googleblog.com/2023/04/how-we-fought-bad-apps-and-bad-actors.html www.secnews.physaphae.fr/article.php?IdArticle=8331577 False Malware,Prediction Uber 4.0000000000000000 Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters (published: April 21, 2023) A new Monero cryptocurrency-mining campaign is the first recorded case of gaining persistence via Kubernetes (K8s) Role-Based Access Control (RBAC), according to Aquasec researchers. The recorded honeypot attack started with exploiting a misconfigured API server. The attackers preceded by gathering information about the cluster, checking if their cluster was already deployed, and deleting some existing deployments. They used RBAC to gain persistence by creating a new ClusterRole and a new ClusterRole binding. The attackers then created a DaemonSet to use a single API request to target all nodes for deployment. The deployed malicious image from the public registry Docker Hub was named to impersonate a legitimate account and a popular legitimate image. It has been pulled 14,399 times and 60 exposed K8s clusters have been found with signs of exploitation by this campaign. Analyst Comment: Your company should have protocols in place to ensure that all cluster management and cloud storage systems are properly configured and patched. K8s buckets are too often misconfigured and threat actors realize there is potential for malicious activity. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from highly-active threat groups. MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1496 - Resource Hijacking | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1489 - Service Stop Tags: Monero, malware-type:Cryptominer, detection:PUA.Linux.XMRMiner, file-type:ELF, abused:Docker Hub, technique:RBAC Buster, technique:Create ClusterRoleBinding, technique:Deploy DaemonSet, target-system:Linux, target:K8s, target:​​Kubernetes RBAC 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible (published: April 20, 2023) Investigation of the previously-reported 3CX supply chain compromise (March 2023) allowed Mandiant researchers to detect it was a result of prior software supply chain attack using a trojanized installer for X_TRADER, a software package provided by Trading Technologies. The attack involved the publicly-available tool SigFlip decrypting RC4 stream-cipher and starting publicly-available DaveShell shellcode for reflective loading. It led to installation of the custom, modular VeiledSignal backdoor. VeiledSignal additional modules inject the C2 module in a browser process instance, create a Windows named pipe and]]> 2023-04-25T18:22:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-two-supply-chain-attacks-chained-together-decoy-dog-stealthy-dns-communication-evilextractor-exfiltrates-to-ftp-server www.secnews.physaphae.fr/article.php?IdArticle=8331005 False Ransomware,Spam,Malware,Tool,Threat,Cloud APT 38,ChatGPT,APT 43,Uber 2.0000000000000000 InfoSecurity Mag - InfoSecurity Magazine 2023-01-16T17:00:00+00:00 https://www.infosecurity-magazine.com/news/circleci-breach-caused-by/ www.secnews.physaphae.fr/article.php?IdArticle=8301578 False Data Breach,Malware Uber 4.0000000000000000 InformationSecurityBuzzNews - Site de News Securite 2023-01-11T14:13:11+00:00 https://informationsecuritybuzz.com/kinsing-malware-hits-kubernetes-clusters-flawed-postgresql/ www.secnews.physaphae.fr/article.php?IdArticle=8300025 False Malware,Threat Uber 2.0000000000000000 SC Magazine - Magazine 2023-01-10T21:14:26+00:00 https://www.scmagazine.com/brief/breach/kubernetes-clusters-compromised-by-kinsing-malware www.secnews.physaphae.fr/article.php?IdArticle=8299850 False Malware Uber 2.0000000000000000 Bleeping Computer - Magazine Américain 2023-01-09T16:16:26+00:00 https://www.bleepingcomputer.com/news/security/microsoft-kubernetes-clusters-hacked-in-malware-campaign-via-postgresql/ www.secnews.physaphae.fr/article.php?IdArticle=8299327 False Malware Uber 2.0000000000000000 GoogleSec - Firm Security Blog launched in 2019 with a mission to protect Android users from bad apps through shared intelligence and coordinated detection between alliance partners. Earlier this year, the App Defense Alliance expanded to include new initiatives outside of malware detection and is now the home for several industry-led collaborations including Malware Mitigation, MASA (Mobile App Security Assessment) & CASA (Cloud App Security Assessment). With a new dedicated landing page at appdefensealliance.dev, the ADA has an expanded mission to protect Android users by removing threats while improving app quality across the ecosystem. Let's walk through some of the latest program updates from the past year, including the addition of new ADA members. Malware MitigationTogether, with the founding ADA members - Google, ESET, Lookout, and Zimperium, the alliance has been able to reduce the risk of app-based malware and better protect Android users. These partners have access to mobile apps as they are being submitted to the Google Play Store and scan thousands of apps daily, acting as another, vital set of eyes prior to an app going live on Play. Knowledge sharing and industry collaboration are important aspects in securing the world from attacks and that's why we're continuing to invest in the program. New ADA MembersWe're excited to see the ADA expand with the additions of McAfee and Trend Micro. Both McAfee and Trend Micro are leaders in the antivirus space and we look forward to their contributions to the program. Mobile App Security Assessment (MASA)With consumers spending four to five hours per day in mobile apps, ensuring the safety of these services is more important than ever. According to Data.ai, the pandemic accelerated existing mobile habits - with app categories like finance growing 25% YoY and users spending over 100 billion hours in shopping apps. That's why the ADA introduced MASA (Mobile App Security Assessment), which allows developers to have their apps independently validated against the Mobile Application Security Verification Standard (MASVS standard) under the OWASP Mobile Application Security project. The project's mission is to “Define the industry standard for mobile application security,” and has been used by both public and private sector organizations as a form of industry best practices when it comes to mobile application security. Developers can work directly with an ADA Authorized Lab to have their apps evaluated against a set of MASVS L1 requirements. Once successful, the app's validation is listed in the recently launched App Validation Directory, which provides users a single place to view all app validations. The Directory also allows users to access more assessment details including validation date, test lab, and a report showing all test steps and requirements. The Directory will be updated over time with new features and search functionality to make it more user friendly. The Google Play Store is the first commercial app store to recognize and display a badge for any app that has completed an independent security review through ADA MASA. The badge is displayed within an app's respective ]]> 2022-12-15T20:51:24+00:00 http://security.googleblog.com/2022/12/app-defense-alliance-expansion.html www.secnews.physaphae.fr/article.php?IdArticle=8294655 False Malware,Guideline,Prediction Uber 2.0000000000000000 AlienVault Lab Blog - AlienVault est un acteur de defense majeur dans les IOC Sixth Annual Bank Survey found that more than 70% of fintech companies named information security as their top issue. According to VMware's Modern Bank Heists study, since the COVID-19 epidemic, there have been 238% more cyberattacks on companies in the financial sector. Artificial intelligence (AI) and self-learning malware are making cyberattacks more sophisticated. While ransomware assaults are the most profitable for cybercriminals, phishing attacks prey on unsuspecting and defenseless consumers. Thus, it should come as no surprise that 39% of financial industry executives think that the overall network security threat to BFSI sector companies has increased significantly. Financial and banking firms in the US must put cybersecurity first above all else given the volume of sensitive data that the BFSI sector must manage. Leading analytics company GlobalData predicts that rising demand for cybersecurity would cause worldwide security revenues in the retail banking industry to climb from $7.9 billion in 2019 to $9.8 billion in 2024. What are the biggest concerns facing the financial sector in the United States for 2022? Reimbursing cyber scams As banks are under pressure to compensate their scammed consumers, rising cybercrime rates translate to rising costs for the industry. More than half (58%) of those who conduct their banking online encounter scams via email or SMS at least once per week, and 23% report having fallen victim to a cyberattack. Banks currently reimburse authorized push payment (APP) fraud at an average rate of 46%. Although many banking institutions are refusing reimbursements for online fraud, this is due to change soon, or else the situation will backfire. For example, measures supported by the UK government will require banks to reimburse everyone. This is only one illustration of the fact that if banks are to secure their consumers and their business line in 2022, they must prioritize cybersecurity more highly. To exchange efficient strategies, banks will need to collaborate with governments and industry organizations. The public must continue to get education on preventative measures, but ultimately it is the banks' responsibility to establish security models that will give them and their clients the greatest level of safety. Maintain compliance with strict privacy regulations The use of social engineering and account takeover fraud will increase over the next years. Financial institutions must not only conduct comprehensive data checks beyond document verification at account opening to fight this but also keep track of customer identities throughout the customer lifecycle.   Banks must decide how to manage sensitive personal data like biometrics as ]]> 2022-10-13T10:00:00+00:00 https://cybersecurity.att.com/blogs/security-essentials/the-biggest-concerns-within-the-us-financial-sector-in-2022 www.secnews.physaphae.fr/article.php?IdArticle=7431394 False Ransomware,Malware,Vulnerability,Threat,Guideline Uber None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Hacker Pwns Uber Via Compromised VPN Account (published: September 16, 2022) On September 15, 2022, ride-sharing giant Uber started an incident response after discovering a data breach. According to Group-IB researchers, download file name artifacts point to the attacker getting access to fresh keylogger logs affecting two Uber employees from Indonesia and Brazil that have been infected with Racoon and Vidar stealers. The attacker allegedly used a compromised VPN account credentials and performed multifactor authentication fatigue attack by requesting the MFA push notification many times and then making a social-engineering call to the affected employee. Once inside, the attacker allegedly found valid credentials for privilege escalation: a PowerShell script containing hardcoded credentials for a Thycotic privileged access management admin account. On September 18, 2022, Rockstar Games’ Grand Theft Auto 6 suffered a confirmed data leak, likely caused by the same attacker. Analyst Comment: Network defenders can consider setting up alerts for signs of an MFA fatigue attack such as a large number of MFA requests in a relatively short period of time. Review your source code for embedded credentials, especially those with administrative privileges. MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Credentials from Password Stores - T1555 Tags: MFA fatigue, Social engineering, Data breach, Uber, GTA 6, GTA VI, detection:Racoon, detection:Vidar, malware-type:Keylogger, malware-type:Stealer Self-Spreading Stealer Attacks Gamers via YouTube (published: September 15, 2022) Kaspersky researchers discovered a new campaign spreading the RedLine commodity stealer. This campaign utilizes a malicious bundle: a single self-extracting archive. The bundle delivers RedLine and additional malware, which enables spreading the malicious archive by publishing promotional videos on victim’s Youtube channel. These videos target gamers with promises of “cheats” and “cracks.” Analyst Comment: Kids and other online gamers should be reminded to avoid illegal software. It might be better to use different machines for your gaming and banking activities. MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Resource Hijacking - T1496 Tags: detection:RedLine, malware-type:Stealer, Bundle, Self-spreading, Telegraph, Youtub]]> 2022-09-20T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-uber-and-gta-6-were-breached-redline-bundle-file-advertises-itself-on-youtube-supply-chain-attack-via-ecommerce-fishpig-extensions-and-more www.secnews.physaphae.fr/article.php?IdArticle=7016803 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline Uber,Uber,APT 15,APT 41 None AlienVault Lab Blog - AlienVault est un acteur de defense majeur dans les IOC DevOps teams develop applications and deploy services using them. Moreover, organizations also use these containers to deploy and scale the DevOps infrastructure like the CI/CD tools. A report reveals that by 2022, organizations are likely to run 24% of their workload on containers. However, despite the benefits containers offer, it doesn’t mean they are completely secure. A study revealed that 87% of organizations had deployed containers in their production, while it's found that 94% had experienced at least one security incident. Another research finds that 45% of organizations have delayed or slowed down their application deployment process because of container security issues. All these issues can cause organizations to slow down their transformation journey and bear financial and reputational loss. To avoid such circumstances, organizations need to be aware of cloud container threats and learn how to minimize risks. Why are cloud containers becoming a growing threat? Containerization is a fast-moving trend that plays a pivotal role in improving agility and boosting innovation and is necessary for application development. The adoption of containers has soared in recent years and will continue to rise - and why not, as it transforms how an organization deploys IT infrastructure. Gartner predicts that by 2023, 70% of organizations will use containerized applications. In a survey, the Cloud-Native Computing Foundation (CFNC) finds that 96% of enterprises have evaluated or actively use Kubernetes. Besides this, 68% of the IT leaders in the Red Hat State of Enterprise Open Source Report for 2022 say that container technology is on the level of other important technologies, like Artificial Intelligence and Machine Learning. Container adoption comes with great advantages, but can also pose cybersecurity threats and challenges that adversely impact organizations. Enterprises who depend on container technology but fail to identify the security vulnerabilities and implement mitigation measures compromise their sensitive business data, including customer data. The situation becomes even more dire since most of these threats can’t be mitigated through endpoint security tools such as proxies or VPNs.  Here are some of the reasons cloud containers are becoming a threat to organizations: Human error Hackers can compromise container technology in the cloud in several ways. ]]> 2022-08-10T10:00:00+00:00 https://cybersecurity.att.com/blogs/security-essentials/are-cloud-containers-a-sugar-coated-threat www.secnews.physaphae.fr/article.php?IdArticle=6227177 False Malware,Vulnerability,Threat,Guideline Uber None NoticeBored - Experienced IT Security professional glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):]]> 2022-08-06T10:46:21+00:00 http://blog.noticebored.com/2022/08/a-glossy-nicely-constructed-and.html www.secnews.physaphae.fr/article.php?IdArticle=6150878 False Malware,Vulnerability,Threat,Patching,Guideline,Medical,Cloud APT 38,APT 19,APT 10,APT 37,Uber,APT 15,Guam,APT 28,APT 34 None Dark Reading - Informationweek Branch 2022-07-19T14:00:00+00:00 https://www.darkreading.com/attacks-breaches/protecting-against-kubernetes-borne-ransomware www.secnews.physaphae.fr/article.php?IdArticle=5825506 False Ransomware,Malware Uber None Malwarebytes Labs - MalwarebytesLabs We take a look at reports of scammers targeting Youtuber's channels with malware called YTStealer, that eats authentication cookies. ]]> 2022-07-01T17:35:43+00:00 https://blog.malwarebytes.com/scams/2022/07/ytstealer-targets-youtube-content-creators/ www.secnews.physaphae.fr/article.php?IdArticle=5495957 False Malware Uber None TroyHunt - Blog Security 2022-06-29T22:25:52+00:00 https://arstechnica.com/?p=1863620 www.secnews.physaphae.fr/article.php?IdArticle=5459236 False Malware Uber None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems (published: April 25, 2022) Cybereason researchers have compared trending attacks involving SocGholish and Zloader malware. Both infection chains begin with social engineering and malicious downloads masquerading as legitimate software, and both lead to data theft and possible ransomware installation. SocGholish attacks rely on drive-by downloads followed by user execution of purported browser installer or browser update. The SocGholish JavaScript payload is obfuscated using random variable names and string manipulation. The attacker domain names are written in reverse order with the individual string characters being put at the odd index positions. Zloader infection starts by masquerading as a popular application such as TeamViewer. Zloader acts as information stealer, backdoor, and downloader. Active since 2016, Zloader actively evolves and has acquired detection evasion capabilities, such as excluding its processes from Windows Defender and using living-off-the-land (LotL) executables. Analyst Comment: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors. MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets - T1558 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | ]]> 2022-04-26T16:24:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-gamaredon-delivers-four-pterodos-at-once-known-plaintext-attack-on-yanlouwang-encryption-north-korea-targets-blockchain-industry-and-more www.secnews.physaphae.fr/article.php?IdArticle=4508976 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline,Medical APT 38,Uber,APT 28 None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence What’s With The Shared VBA Code Between Transparent Tribe And Other Threat Actors? (published: February 9, 2022) A recent discovery has been made that links malicious VBA macro code between multiple groups, namely: Transparent Tribe, Donot Team, SideCopy, Operation Hangover, and SideWinder. These groups operate (or operated) out of South Asia and use a variety of techniques with phishing emails and maldocs to target government and military entities within India and Pakistan. The code is similar enough that it suggests cooperation between APT groups, despite having completely different goals/targets. Analyst Comment: This research shows that APT groups are sharing TTPs to assist each other, regardless of motive or target. Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel. MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Phishing - T1566 Tags: Transparent Tribe, Donot, SideWinder, Asia, Military, Government Fake Windows 11 Upgrade Installers Infect You With RedLine Malware (published: February 9, 2022) Due to the recent announcement of Windows 11 upgrade availability, an unknown threat actor has registered a domain to trick users into downloading an installer that contains RedLine malware. The site, "windows-upgraded[.]com", is a direct copy of a legitimate Microsoft upgrade portal. Clicking the 'Upgrade Now' button downloads a 734MB ZIP file which contains an excess of dead code; more than likely this is to increase the filesize for bypassing any antivirus scan. RedLine is a well-known infostealer, capable of taking screenshots, using C2 communications, keylogging and more. Analyst Comment: Any official Windows update or installation files will be downloaded through the operating system directly. If offline updates are necessary, only go through Microsoft sites and subdomains. Never update Windows from a third-party site due to this type of attack. MITRE ATT&CK: [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 Tags: RedLine, Windows 11, Infostealer ]]> 2022-02-15T20:01:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-mobile-malware-is-on-the-rise-apt-groups-are-working-together-ransomware-for-the-individual-and-more www.secnews.physaphae.fr/article.php?IdArticle=4134740 False Ransomware,Malware,Tool,Vulnerability,Threat,Guideline APT 43,Uber,APT 36,APT-C-17 None Bleeping Computer - Magazine Américain 2021-10-20T11:49:39+00:00 https://www.bleepingcomputer.com/news/security/google-youtubers-accounts-hijacked-with-cookie-stealing-malware/ www.secnews.physaphae.fr/article.php?IdArticle=3537865 False Malware Uber None Anomali - Firm Blog Figure 1 - Overview of /cmd/ Contained on the server are approximately 50 scripts, most of which are already documented, located in the /cmd/ directory. The objective of the scripts vary and include the following: AWS Credential Stealer Diamorphine Rootkit IP Scanners Mountsploit Scripts to set up utils Scripts to setup miners Scripts to remove previous miners Figure 2 - Snippet of AWS Credential Stealer Script Some notable scripts, for example, is the script that steals AWS EC2 credentials, shown above in Figure 2. The AWS access key, secret key, and token are piped into a text file that is uploaded to the Command and Control (C2) server. Figure 3 - Chimaera_Kubernetes_root_PayLoad_2.sh Another interesting script is shown in Figure 3 above, which checks the architecture of the system, and retrieves the XMRig miner version for that architecture from another open TeamTNT server, 85.214.149[.]236. Binaries (/bin/) Figure 4 - Overview of /bin Within the /bin/ folder, shown in Figure 4 above, there is a collection of malicious binaries and utilities that TeamTNT use in their operations. Among the files are well-known samples that are attributed to TeamTNT, including the Tsunami backdoor and a XMRig cryptominer. Some of the tools have the source code located on the server, such as TeamTNT Bot. The folder /a.t.b contains the source code for the TeamTNT bot, shown in Figures 5 and 6 below. In addition, the same binaries have been found on a TeamTNT Docker, noted in Appendix A. ]]> 2021-10-06T19:06:00+00:00 https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server www.secnews.physaphae.fr/article.php?IdArticle=3479896 False Malware,Tool,Threat APT 32,Uber None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag. Trending Cyber News and Threat Intelligence S.O.V.A. – A New Android Banking Trojan with Fowl Intentions (published: September 10, 2021) ThreatFabric researchers have discovered a new Android banking trojan called S.O.V.A. The malware is still in the development and testing phase and the threat actor is publicly-advertising S.O.V.A. for trial runs targeting banks to improve its functionality. The trojan’s primary objective is to steal personally identifiable information (PII). This is conducted through overlay attacks, keylogging, man-in-the-middle attacks, and session cookies theft, among others. The malware author is also working on other features such as distributed denial-of-service (DDoS) and ransomware on S.O.V.A.’s project roadmap. Analyst Comment: Always keep your mobile phone fully patched with the latest security updates. Only use official locations such as the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Furthermore, always review the permissions an app will request upon installation. MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Man-in-the-Middle - T1557 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 Tags: Android, Banking trojan, S.O.V.A., Overlay, Keylogging, Cookies, Man-in-the-Middle Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances (published: September 9, 2021) Unit 42 researchers identified and disclosed critical security issues in Microsoft’s Container-as-a-Service (CaaS) offering that is called Azure Container Instances (ACI). A malicious Azure user could have compromised the multitenant Kubernetes clusters hosting ACI, establishing full control over other users' containers. Researchers gave the vulnerability a specific name, Azurescape, highlighting its significance: it the first cross-account container takeover in the public cloud. Analyst Comment: Azurescape vulnerabilities could have allowed an attacker to execute code on other users' containers, steal customer secrets and images deployed to the platform, and abuse ACI's infrastructure processing power. Microsoft patched ACI shortly after the discl]]> 2021-09-14T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-azurescape-cloud-threat-mshtml-0-day-in-the-wild-confluence-cloud-hacked-to-mine-monero-and-more www.secnews.physaphae.fr/article.php?IdArticle=3369753 False Ransomware,Spam,Malware,Tool,Vulnerability,Threat,Guideline Uber,APT 15,APT 41 None Security Affairs - Blog Secu 2021-08-01T08:55:45+00:00 https://securityaffairs.co/wordpress/120717/breaking-news/security-affairs-newsletter-round-325.html?utm_source=rss&utm_medium=rss&utm_campaign=security-affairs-newsletter-round-325 www.secnews.physaphae.fr/article.php?IdArticle=3157648 False Malware Uber None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Windows “PetitPotam” Network Attack – How to Protect Against It (published: July 21, 2021) Microsoft has released mitigations for a new Windows vulnerability called PetitPotam. Security researcher, Gillesl Lionel, created a proof-of-concept script that abuses Microsoft’s NT Lan Manager (NTLM) protocol called MS-EFSRPC (encrypting file system remote protocol). PetitPotam can only work if certain system functions that are enabled if the following conditions are met: NTLM authentication is enabled on domain, active directory certificate services (AD CS) is being used, certificate authority web enrollment or certificate enrollment we service are enabled. Exploitation can result in a NTLM relay attack, which is a type of man-in-the-middle attack. Analyst Comment: Microsoft has provided mitigation steps to this attack which includes disabling NTLM on a potentially affected domain, in addition to others. Tags: Vulnerability, Microsoft, PetitPotam, Man-in-the-middle APT31 Modus Operandi Attack Campaign Targeting France (published: July 21, 2021) The French cybersecurity watchdog, ANSSII issued an alert via France computer emergency response team (CERT) discussing attacks targeting multiple French entities. The China-sponsored, advanced persistent threat (APT) group APT31 (Judgment Panda, Zirconium) has been attributed to this ongoing activity. The group was observed using “a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.” Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. MITRE ATT&CK: [MITRE ATT&CK] Resource Hijacking - T1496 Tags: APT, APT31, Judgment Panda, Zirconium, Home routers StrongPity APT Group Deploys Android Malware for the First Time (published: July 21, 2021) Trend Micro researchers conducted analysis on a malicious APK sample shared on Twitter by MalwareHunterTeam. The shared sample was discussed as being a trojanized version of an Android app offered on the authentic Syrian E-Gov website, potentially via a watering-hole attack. Researchers took this information and pivoted further to analyze the backdoor functionality of the trojanized app (which is no longer being distributed on the official Syrian E-Gov website). Additional samples were identified to be contacting URLs that are identical to or following previous r]]> 2021-07-27T15:00:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt31-targeting-french-home-routers-multiple-microsoft-vulnerabilities-strongpity-deploys-android-malware-and-more www.secnews.physaphae.fr/article.php?IdArticle=3140285 False Malware,Tool,Vulnerability,Threat APT 31,Uber None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence NoxPlayer Supply-Chain Attack is Likely The Work of Gelsemium Hackers (published: June 14, 2021) ESET researchers have discovered malicious activity dating back to at least 2014 attributed to the Gelsemium cyberespionage group. The group targets electronics manufacturers, governments, religious entities in multiple countries throughout East Asia and the Middle East. Gelsemium demonstrated sophistication in their infection chain with extensive configurations, multiple implants at each stage, and modifying settings on-the-fly for delivering the final payload. The dropper, called Gelsemine, will drop a loader called Gelsenicine that will deliver the final payload, called Gelsevirine. Analyst Comment: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros be enabled. MITRE ATT&CK: [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 Tags: Cyberespionage, Gelsemium, Supply Chain BackdoorDiplomacy: upgrading from Quarian to Turian (published: June 10, 2021) A new advanced persistent threat (APT) group, dubbed BackdoorDiplomacy, has been targeting ministries of foreign affairs (MOFAs) and telecommunication companies located in Africa and the Middle East since at least 2017, according to ESET researchers. The group was observed targeting “vulnerable internet-exposed devices such as web servers and management interfaces for networking equipment.” BackdoorDiplomacy’s objective is to access a system, use pentesting tools for lateral movement, and install a custom backdoor called “Turian,” which is based on the Quarian backdoor. Analyst Comment: It is important that your company has patch-maintenance policies in place, particularly if there are numerous internet-facing services your company uses or provides. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity. MITRE ATT&CK: ]]> 2021-06-15T16:05:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-teamtnt-expand-its-cryptojacking-footprint-puzzlemaker-attack-with-chrome-zero-day-noxplayer-supply-chain-attack-likely-the-work-of-gelsemium-hackers-and-more www.secnews.physaphae.fr/article.php?IdArticle=2930142 False Ransomware,Malware,Vulnerability,Threat Uber None InformationSecurityBuzzNews - Site de News Securite 2021-06-08T12:07:44+00:00 https://informationsecuritybuzz.com/expert-comments/new-kubernetes-malware-backdoors-clusters-via-windows-containers-expert-weighs-in/ www.secnews.physaphae.fr/article.php?IdArticle=2890039 False Malware Uber None Security Affairs - Blog Secu 2021-06-07T19:16:04+00:00 https://securityaffairs.co/wordpress/118690/cyber-crime/siloscape-backdoor-kubernetes-clusters.html?utm_source=rss&utm_medium=rss&utm_campaign=siloscape-backdoor-kubernetes-clusters www.secnews.physaphae.fr/article.php?IdArticle=2887120 True Malware Uber None Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe 2021-06-07T17:18:48+00:00 https://threatpost.com/windows-containers-malware-targets-kubernetes/166692/ www.secnews.physaphae.fr/article.php?IdArticle=2886462 False Malware Uber None SecurityWeek - Security News 2021-06-07T17:06:15+00:00 http://feedproxy.google.com/~r/securityweek/~3/x72s6xdSk0c/siloscape-malware-targets-windows-server-containers www.secnews.physaphae.fr/article.php?IdArticle=2886499 False Malware Uber None ZD Net - Magazine Info 2021-06-07T10:00:00+00:00 https://www.zdnet.com/article/siloscape-this-new-malware-targets-windows-containers-to-access-kubernetes-clusters/#ftag=RSSbaffb68 www.secnews.physaphae.fr/article.php?IdArticle=2884838 False Malware Uber None ComputerWeekly - Computer Magazine 2021-06-07T08:30:00+00:00 https://www.computerweekly.com/news/252501997/Siloscape-malware-a-risk-to-Windows-containers-Kubernetes www.secnews.physaphae.fr/article.php?IdArticle=2885397 False Malware Uber None The Hacker News - The Hacker News est un blog de news de hack (surprenant non?) ]]> 2021-06-07T07:52:27+00:00 http://feedproxy.google.com/~r/TheHackersNews/~3/26A21V2RALs/researchers-discover-first-known.html www.secnews.physaphae.fr/article.php?IdArticle=2885896 False Malware Uber None Bleeping Computer - Magazine Américain 2021-06-07T06:51:59+00:00 https://www.bleepingcomputer.com/news/security/new-kubernetes-malware-backdoors-clusters-via-windows-containers/ www.secnews.physaphae.fr/article.php?IdArticle=2884730 False Malware Uber None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Container Journal, 48% of respondents to a 2020 survey said that their organizations were using the platform. That’s up from 27% two years prior. These organizations could be turning to Kubernetes for the many benefits it affords them. As noted in its documentation, Kubernetes comes with the ability to distribute the container network traffic so as to keep organizations’ applications up and running. The platform is also capable of moving the actual state of any deployed containers to a desired state specified by the user as well of replacing and killing containers that don’t respond to a health check. The double-edged growth of Kubernetes clusters The benefits mentioned above trace back to the advantage of the Kubernetes cluster. At a minimum, a cluster consists of a control plane for maintaining the cluster’s desired state and a set of nodes for running the applications and workloads. Clusters make it possible for organizations to run containers across a group of machines in their environment. There’s just one problem: the number of clusters under organizations’ management is on the rise. This growth in clusters creates network complexity that complicates the task of securing a Kubernetes environment. As StackRox explains in a blog post: That’s because in a sprawling Kubernetes environment with several clusters spanning tens, hundreds, or even thousands of nodes, created by hundreds of different developers, manually checking the configurations is not feasible. And like all humans, developers can make mistakes – especially given that Kubernetes configuration options are complicated, security features are not enabled by default, and most of the community is learning how to effectively use components including Pod Security Policies and Security Context, Network Policies, RBAC, the API server, kubelet, and other Kubernetes controls. The last thing that organizations want to do is enable a malicious actor to authorize their Kubernetes environment. This raises an important question: how can organizations make sure they’re taking the necessary security precautions? Look to the Kubernetes API Server Organizations can help strengthen the security of their Kubernetes environment by locking down the Kubernetes API server. Also known as kube-apiserver, the Kubernetes API server is the frontend of the control plane that exposes the Kubernetes API. This element is responsible for helping end users, different parts of the cluster and external elements communicate with one another. A compromise of the API server could enable attackers to manipulate the communication between different Kubernetes components. This could include having them communicate with malicious resources that are hosted externally. Additionally, they could leverage this communication channel to spread malware like cryptominers amongst all the pods, activity which could threaten the availability of the organization’s applications and services. Fortunately, organizations can take several steps to secure the Kubernetes API server. Presented below are a few recommendations. Stay on top of Kubernetes updates From time to time, Kubernetes releases a software update that patches a vulnerability affecting the Kubernetes API server. It’s important that administrators implement those fixes on a timely basis. Otherwise, they could give malici]]> 2021-02-11T11:00:00+00:00 https://feeds.feedblitz.com/~/643985864/0/alienvault-blogs~The-Kubernetes-API-Server-Exploring-its-security-impact-and-how-to-lock-it-down www.secnews.physaphae.fr/article.php?IdArticle=2329673 False Malware,Vulnerability Uber None InformationSecurityBuzzNews - Site de News Securite 2021-02-05T18:53:56+00:00 https://informationsecuritybuzz.com/expert-comments/new-malware-hijacks-kubernetes-clusters-to-mine-monero-experts-insight/ www.secnews.physaphae.fr/article.php?IdArticle=2300490 False Malware,Threat Uber 4.0000000000000000 Security Affairs - Blog Secu 2021-02-05T16:44:53+00:00 https://securityaffairs.co/wordpress/114241/malware/teamtnt-hildegard-malware-kubernetes.html?utm_source=rss&utm_medium=rss&utm_campaign=teamtnt-hildegard-malware-kubernetes www.secnews.physaphae.fr/article.php?IdArticle=2299916 False Malware Uber None SecurityWeek - Security News 2021-02-04T16:07:37+00:00 http://feedproxy.google.com/~r/Securityweek/~3/n7AqOjz03-Q/new-hildegard-malware-targets-kubernetes-systems www.secnews.physaphae.fr/article.php?IdArticle=2294675 False Malware Uber None Kaspersky Threatpost - Kaspersky est un éditeur antivirus russe 2021-02-03T20:50:54+00:00 https://threatpost.com/new-malware-hijacks-kubernetes-clusters-to-mine-monero/163629/ www.secnews.physaphae.fr/article.php?IdArticle=2290965 False Malware Uber None ComputerWeekly - Computer Magazine 2021-02-03T12:00:00+00:00 https://www.computerweekly.com/news/252495806/Crypto-malware-targets-Kubernetes-clusters-say-researchers www.secnews.physaphae.fr/article.php?IdArticle=2289996 False Malware Uber None InformationSecurityBuzzNews - Site de News Securite Expert Insight: Docker Malware Is Now Common – Devs Need To React Accordingly]]> 2020-12-02T12:20:16+00:00 https://www.informationsecuritybuzz.com/expert-comments/expert-insight-docker-malware-is-now-common-devs-need-to-react-accordingly/ www.secnews.physaphae.fr/article.php?IdArticle=2072139 False Malware Uber None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC State of Container and Kubernetes Security Fall 2020 survey, for instance, StackRox found that 91% of respondents were using Kubernetes to orchestrate their containers and that three quarters of organizations were using the open-source container-orchestration system in production. Even so, nine in 10 respondents told StackRox in its poll that they had experienced a security event in their container and Kubernetes environment in the last 12 months. Two-thirds of organizations said those incidents had involved a misconfiguration. These findings highlight the need for organizations to enhance the security of their Kubernetes environments against misconfiguration incidents. In this blog post, we’ll narrow our focus and discuss how one type of misconfiguration in particular—embracing default pod communication—endangers organizations’ security. We’ll then discuss how organizations can use either Pod Security Policies (PSPs) or OPA Gatekeeper to ensure the security of their pods. Understanding the Security Challenges of Pod Communication To understand the security challenges inherent in default Kubernetes pod communication, it’s important that we first define what a pod is and does. Pods consist of one or more containers, shared storage/network resources and specifications for running those containers, according to the Kubernetes website. When framed in Docker terms, pods act as groups of Docker containers that share namespaces and filesystem volumes. These small computing units help organizations to group containers together and have these resources collaborate on specific projects or sets of work. Where organizations run into challenges is the way in which pods communicate by default. As noted elsewhere on Kubernetes website, the standard configuration for pods is non-isolated in that they are capable of accepting traffic from any source. This is a problem, as this type of open communication potentially enables malicious actors to abuse the Kubernetes environment for nefarious purposes. Digital attackers could stage an attack in which they create a malicious container and use that to compromise its corresponding pod, for instance. That actor could then abuse unrestricted communication between pods to move laterally throughout the Kubernetes environment, deploying cryptominers and installing infostealing malware along the way. Using Security Context to Address These Challenges Fortunately, organizations can address these security challenges associated with pods using what are known as security contexts. Kubernetes notes on its site that security contexts function as configurations that help to define the security properties of a pod or a container. These configurations include access controls that govern who can access a pod or container and whether a Kubernetes resource is privileged. With the right security contexts, organizations can therefore prevent unauthorized actors from gaining access to a container, from elevating privileges on a compromised resource and from moving laterally on the network. Enforcing Security Context with Pod Security Policies When it comes time to enforce a security context, organizations may choose to use pod security policies (PSPs). These cluster-level resources manage the specifications under which a pod is allowed to run on a s]]> 2020-10-19T11:00:00+00:00 https://feeds.feedblitz.com/~/637232922/0/alienvault-blogs~PSPs-vs-OPA-Gatekeeper-Breaking-down-your-Kubernetes-Pod-security-options www.secnews.physaphae.fr/article.php?IdArticle=1985636 False Malware Uber None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC ZDNet, Flexera’s “2020 State of the Cloud Report” found that about two-thirds (65%) of organizations were using Docker and that another 14% intended to begin using it at some point. Slightly fewer organizations (58%) were using Kubernetes at the time of the survey, by comparison, with 22% of participants saying they planned to adopt it. Even so, misconfigurations with both containers and Kubernetes are posing a problem. StackRox’s “State of Kubernetes and Container Security Winter 2020” report found that nearly all (94%) of respondents had experienced a security incident in their container environments over the past 12 months, per Security magazine’s coverage. The majority (69%) of those security events amounted to a misconfiguration incident, followed by runtime issues and vulnerabilities at 27% and 24%, respectively. In keeping with those experiences, 61% of survey participants cited misconfigurations as their most worrisome security risk for their container and Kubernetes environments followed by vulnerabilities (27%) and runtime attacks (12%). These findings beg the question: why are misconfigurations such an issue for organizations’ Kubernetes and container environments? This blog post will answer this question by first defining containers and Kubernetes and explaining the benefits of each technology. It will then explore how misconfigurations open the door for attacks from malicious actors. Finally, it will briefly provide a few recommendations on how organizations can reduce the probability of suffering a misconfiguration incident. Why use containers and Kubernetes? According to CIO, a container contains everything that’s needed to run a software program. It includes an application along with its dependencies, libraries and other components. Bundling these components together enables a container to run regardless of the system’s OS distribution or the underlying infrastructure. Those aren’t the only benefits of containers, either. Containers might be only tens of megabytes in size, for instance. A server can therefore host more containers than virtual machines, notes CIO, as a virtual machine consists of an entire OS that might be several gigabytes in size. Consequently, virtual machines usually take several minutes to boot up and begin running, while containers can run almost instantly. This quality makes containers more dynamic in that organizations can spin them up and wind them down at a moment’s notice. Finally, organizations can take advantage of containers’ smaller size and dynamism to split an application into several modules that extend across several containers. Under this approach, developers can make changes to a module and deploy them without needing to redesign the whole app. As the number of containers grows, organizations need some way of managing them all in an organized fashion. That’s where Kubernetes comes in as an orchestration platform. Per its website, Kubernetes enables organizations to manage their containerized workloads and services. It allows organizations to load balance and distribute network traffic in order to stabilize a deployment. It also enables organizations to restart containers that fail and kill those]]> 2020-09-22T11:00:00+00:00 https://feeds.feedblitz.com/~/635839134/0/alienvault-blogs~Why-misconfigurations-are-such-an-issue-in-your-containers-and-Kubernetes www.secnews.physaphae.fr/article.php?IdArticle=1932079 False Malware Uber None IT Security Guru - Blog Sécurité 2019-04-03T09:35:03+00:00 https://www.itsecurityguru.org/2019/04/03/fans-of-swedish-youtuber-pewdiepie-spread-malware-to-increase-channel-subscriptions/ www.secnews.physaphae.fr/article.php?IdArticle=1087316 False Ransomware,Malware Uber 4.0000000000000000 Global Security Mag - Site de news francais Points de Vue ]]> 2018-09-03T13:56:02+00:00 http://www.globalsecuritymag.fr/Securite-informatique-Comment,20180903,80600.html www.secnews.physaphae.fr/article.php?IdArticle=790779 False Malware Uber,Wannacry None