cyberveille.decio.ch
Amazon identified internet domains abused by APT29
APT29 aka Midnight Blizzard recently attempted to phish thousands of people. Building on work by CERT-UA, Amazon recently identified internet domains abused by APT29, a group widely attributed to Russia’s Foreign Intelligence Service (SVR). In this instance, their targets were associated with government agencies, enterprises, and militaries, and the phishing campaign was apparently aimed at […]
Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files
Since October 22, 2024, Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. This activity is ongoing, and Microsoft will continue to investigate and provide updates as available. Based on our investigation of previous Midnight […]
Attacker Abuses Victim Resources to Reap Rewards from Titan Network
- Trend Micro researchers observed an attacker exploiting the Atlassian Confluence vulnerability CVE-2023-22527 to achieve remote code execution for cryptomining via the Titan Network. The malicious actor used public IP lookup services and various system commands to gather details about the compromised machine. The attack involved downloading and executing multiple shell scripts to install Titan binaries and connect to the Titan Network with the attacker’s identity. * The malicious actor connects compromised machines to the Cassini Testnet, which allows them to participate in the delegated proof of stake system for reward tokens.
Change Healthcare says 100 million people impacted by February ransomware attack
Change Healthcare updated filings with the federal government to warn that about 100 million people had information accessed by hackers during a ransomware attack in February. The Department of Health and Human Services’s (HHS) Office for Civil Rights said Change Healthcare notified them on October 22 that “approximately 100 million individual notices have been sent regarding this breach.”
.jpg%3Fheight%3D635%26t%3D1729186960%26width%3D1200?width=92&height=&ar=&mode=&format=avif&dpr=2)
Cyberattaque: la panne de Onelog persiste (update)
Mise à jour du 28 octobre 2024: Depuis le jeudi 24 octobre, il est impossible de se connecter et de s'enregistrer via Onelog, Single Sign-On porté conjointement par plusieurs entreprises de médias suisses, en raison d'une cyber-attaque. Les répercussions de la cyberattaque se poursuivent, indique un communiqué daté d'aujourd'hui 28 octobre. Onelog souligne collaborer intensivement avec les entreprises concernées pour rétablir les services affectés dans les prochains jours. Des enquêtes sont menées pour évaluer l'ampleur de l'attaque, en coordination avec les autorités suisses et européennes. En raison de l’enquête en cours, aucun autre détail ne peut être divulgué. Onelog promet de communiquer des informations complémentaires dès que possible.
Inside the Open Directory of the “You Dun” Threat Group
- Analysis of an open directory found a Chinese speaking threat actor’s toolkit and history of activity. The threat actor displayed extensive scanning and exploitation using WebLogicScan, Vulmap, and Xray, targeting organizations in South Korea, China, Thailand, Taiwan, and Iran. The Viper C2 framework was present as well as a Cobalt Strike kit which included TaoWu and Ladon extensions. * The Leaked LockBit 3 builder was used to create a LockBit payload with a custom ransom note that included reference to a Telegram group which we investigated further in the report.
Fog ransomware targets SonicWall VPNs to breach corporate networks
Fog and Akira ransomware operators have increased their exploitation efforts of CVE-2024-40766, a critical access control flaw that allows unauthorized access to resources on the SSL VPN feature of SonicWall SonicOS firewalls.
Italy police arrest four over alleged illegal database access, source says
Italian police have placed four people under house arrest including Leonardo Maria Del Vecchio, son of the late billionaire founder of Luxottica, as part of a probe into alleged illegal access to state databases, a source said on Saturday. A lawyer for Leonardo Maria Del Vecchio said he was "eagerly awaiting the completion of preliminary investigations to be able to prove he has nothing to do with the events in question and that charges laid against him have no basis.
Reuters exposé of hack-for-hire world is back online after Indian court ruling
Reuters News has restored to its website an investigation into mercenary hacking after a New Delhi court lifted a takedown order it issued last year. The article, originally published on Nov. 16, 2023, and titled “How an Indian startup hacked the world,” detailed the origins and operations of a New Delhi-based cybersecurity firm called Appin. Reuters found that Appin grew from an educational startup to a hack-for-hire powerhouse that stole secrets from executives, politicians and wealthy elites around the globe.
New Windows Driver Signature bypass allows kernel rootkit installs
Attackers can downgrade Windows kernel components to bypass security features such as Driver Signature Enforcement and deploy rootkits on fully patched systems. #Attack #Bypass #Computer #Downgrade #Elevation #Escalation #InfoSec #Privilege #Privileges #Rootkit #Security #Windows #of
