Mairies : les pirates du groupe CUBA vident deux mairies françaises de leurs contenus
Les pirates informatiques du groupe CUBA, spécialisés dans le rançonnage d’entreprise, viennent de diffuser les informations volées à deux mairies françaises.
Nouveau sabotage des infrastructures Internet en France
En début de semaine, un lien backbone qui véhicule Internet du nord au sud de la France a été tronçonné près d’Aix-en-Provence. Les conséquences sont mineures, mais interrogent sur la fragilité des infrastructures.
Exploited Windows zero-day lets JavaScript files bypass security warnings
A new Windows zero-day allows threat actors to use malicious JavaScript files to bypass Mark-of-the-Web security warnings. Threat actors are already seen using the zero-day bug in ransomware attacks.
Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1
Command & Control (C2) frameworks are a very sensitive component of Red Team operations. Often, a Red Team will be in a highly privileged position on a target’s network, and a compromise of the C2 framework could lead to a compromise of both the red team operator’s system and control over beacons established on a target’s systems. As such, vulnerabilities in C2 frameworks are high priority targets for threat actors and Counterintelligence (CI) operations. On September 20, 2022, HelpSystems published an out-of-band patch for Cobalt Strike which stated that there was potential for Remote Code Execution (RCE).
Reverse Engineering the Apple MultiPeer Connectivity Framework
Some time ago I was using Logic Pro to record some of my music and I needed a way to start and stop the recording from an iPhone, so I found about Logic Remote and was quite happy with it.
Trustwave SpiderLabs’ spam traps have identified an increase in threats packaged in password-protected archives with about 96% of these being spammed by the Emotet Botnet. In the first half of 2022, we identified password-protected ZIP files as the third most popular archive format used by cybercriminals to conceal malware.
From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind
A new variant of the URSNIF malware, first observed in June 2022, marks an important milestone for the tool. Unlike previous iterations of URSNIF, this new variant, dubbed LDR4, is not a banker, but a generic backdoor (similar to the short-lived SAIGON variant), which may have been purposely built to enable operations like ransomware and data theft extortion. This is a significant shift from the malware’s original purpose to enable banking fraud, but is consistent with the broader threat landscape.
Domestic Kitten campaign spying on Iranian citizens with new FurBall malware
ESET researchers recently identified a new version of the Android malware FurBall being used in a Domestic Kitten campaign conducted by the APT-C-50 group. The Domestic Kitten campaign is known to conduct mobile surveillance operations against Iranian citizens and this new FurBall version is no different in its targeting. Since June 2021, it has been distributed as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books. The malicious app was uploaded to VirusTotal where it triggered one of our YARA rules (used to classify and identify malware samples), which gave us the opportunity to analyze it.
APT27 - One Year To Exfiltrate Them All: Intrusion In-Depth Analysis
During Spring 2022, a company discovered that one of their equipments was communicating with a known command and control server. As a result, the company decided to contact CERT Intrinsec in order to get help to handle the security breach and manage the crisis. CERT Intrinsec gathered information about malicious activities that were discovered on victim’s information system, and past incidents. Our in-depth analysis led us to conclude that an advanced persistent threat dubbed APT27 (a.k.a LuckyMouse, EmissaryPanda) actually compromised the company’s internal network for more than a year by exploiting a public facing application. Our analysis showed that the threat actor managed to compromise five different domains and to gain persistence on many equipments while trying to hide in plain sight. Besides, APT27 operators collected technical and business-related informations and exfiltrate almost three terabytes of data. As investigations went on, we observed tactics, techniques and procedures that had already been documented in papers, but we discovered new ones as well. CERT Intrinsec wanted to share with the community fresh and actionnable threat-intelligence related to APT27. That is why this report presents a timeline of actions taken by the attackers and the tactics, techniques and procedures seen during our incident response. It provides as well a MITRE ATT&CK diagram and several recommendations to follow if you came across such incident, and to prevent them.
Grâce à une fausse enceinte Bluetooth JBL, ils réussissaient à voler des voitures
En Seine-et-Marne, deux voleurs ont été interceptés par les gendarmes au volant d'une voiture signalée volée. Ils étaient en possession d'une enceinte Bluetooth dans laquelle était dissimulée un dispositif électronique capable de démarrer de nombreuses voitures.
TeamTNT is a threat group that was known for primarily targeting the cloud and container environments around the world. This group has been documented to leverage the cloud and container resources by deploying cryptocurrency miners in the victim environments. While the group has been active since 2019 and announced it was quitting in 2021, our recent observations make it appear as if TeamTNT has returned — or a copycat group imitating the routines of TeamTNT — and has been deploying an XMRig cryptocurrency miner. Analysis of the attack patterns and other technical details of the code has also led us to believe that the routines are mimicking TeamTNT’s arsenal, but are likely deployed by another cryptocurrency mining group named WatchDog.
Cyberattaque : comment Caen a évité le pire grâce à l’EDR d’HarfangLab
Caen a profité des suites d’un démonstrateur de l'EDR d'HarfangLab en attente de contractualisation pour détecter les prémices du possible déploiement d’un rançongiciel. L’intrusion est avérée, un nettoyage en cours, mais le chiffrement a été évité. Et très probablement le vol de données aussi.
See how this tool—created by a sophisticated and seemingly unknown threat actor—uses the unique approach of disguising itself as part of a Windows update.
A New Attack Surface on MS Exchange Part 4 - ProxyRelay!
Hi, this is a long-time-pending article. We could have published this article earlier (the original bug was reported to MSRC in June 2021 with a 90-days Public Disclosure Policy). However, during communications with MSRC, they explained that since this is an architectural design issue, lots of code changes and testings are expected and required, so they hope to resolve this problem with a one-time CU (Cumulative Update) instead of the regular Patch Tuesday. We understand their situation and agree to extend the deadline.
CVE-2022-42889: Keep Calm and Stop Saying "4Shell"
CVE-2022-42889, which some have begun calling “Text4Shell,” is a vulnerability in the popular Apache Commons Text library that can result in code execution when processing malicious input. The vulnerability was announced on October 13, 2022 on the Apache dev list and originally reported by Alvaro Munoz
Technical Analysis of BlueSky Ransomware - CloudSEK
BlueSky Ransomware is a modern malware using advanced techniques to evade security defences. It predominantly targets Windows hosts and utilizes the Windows multithreading model for fast encryption.
BianLian Ransomware Encrypts Files in the Blink of an Eye
BianLian is a financially motivated threat actor that targets a wide range of industries. It uses the exotic programming language “Go” to encrypt files with unusual speed.
Prime minister links drones over Norway to ‘hybrid threats’
Norwegian police and military were busy again this week investigating more unidentified drones seen flying over critical energy infrastructure. After a Russian man was arrested for trying to leave Norway with two drones containing lots of pictures, Prime Minister Jonas Gahr Støre likened the incidents to a new form of “hybrid threats.”
New “Prestige” ransomware impacts organizations in Ukraine and Poland
The Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a novel ransomware campaign targeting organizations in the logistics and transportation industry in Ukraine and Poland utilizing a previously unidentified ransomware payload.
Microsoft Office 365 Message Encryption Insecure Mode of Operation | WithSecure™ Labs
Microsoft Office 365 Message Encryption (OME) utilitises Electronic Codebook (ECB) mode of operation. This mode is insecure and leaks information about the structure of the messages sent and can lead to partial or full message disclosure.
Alchimist: A new attack framework in Chinese for Mac, Linux and Windows
* Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities. * The Alchimist has a web interface in Simplified Chinese with remote administration features. * The attack framework is designed to target Windows, Linux and Mac machines. * Alchimist and Insekt binaries are implemented in GoLang. * This campaign consists of additional bespoke tools such as a MacOS exploitation tool, a custom backdoor and multiple off-the-shelf tools such as reverse proxies.
There are many security solutions available today that rely on the Extended Berkeley Packet Filter (eBPF) features of the Linux kernel to monitor kernel functions. Such a paradigm shift in the latest monitoring technologies is being driven by a variety of reasons