Cyberveille curated by Decio
page 181 / 208
4149 results tagged EN
DeftTorero TTPs in 2019–2021 https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
03/10/2022 20:15:11

Earlier this year, we started hunting for possible new DeftTorero (aka Lebanese Cedar, Volatile Cedar) artifacts. This threat actor is believed to originate from the Middle East and was publicly disclosed to the cybersecurity community as early as 2015. Notably, no other intelligence was shared until 2021, which led us to speculate on a possible shift by the threat actor to more fileless/LOLBINS techniques, and the use of known/common offensive tools publicly available on the internet that allow them to blend in.

securelist EN 2022 DeftTorero LebaneseCedar Lebanon webshell
Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors | Mandiant https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence
03/10/2022 20:11:54

Earlier this year, Mandiant identified a novel malware ecosystem impacting VMware ESXi, Linux vCenter servers, and Windows virtual machines that enables a threat actor to take the following actions:

1) Maintain persistent administrative access to the hypervisor
2) Send commands to the hypervisor that will be routed to the guest VM for execution
3) Transfer files between the ESXi hypervisor and guest machines running beneath it
4) Tamper with logging services on the hypervisor

mandiant EN 2022 esxi hypervisors malware BadVIB(E)s 0-day
Lazarus hackers abuse Dell driver bug using new FudModule rootkit https://www.bleepingcomputer.com/news/security/lazarus-hackers-abuse-dell-driver-bug-using-new-fudmodule-rootkit/
02/10/2022 12:36:22

The notorious North Korean hacking group 'Lazarus' was seen installing a Windows rootkit that abuses a Dell hardware driver in a Bring Your Own Vulnerable Driver attack.

bleepingcomputer EN 2022 CVE-2021-21551 BYOVD Dell Driver Lazarus-Group Malware North-Korea Rootkit
Amazon-themed campaigns of Lazarus in the Netherlands and Belgium https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/
02/10/2022 12:32:50

ESET researchers have discovered Lazarus attacks against targets in the Netherlands and Belgium that use spearphishing emails connected to fake job offers.

welivesecurity EN 2022 Lazarus report campaign Netherlands Belgium spearphishing
ProxyNotShell: the story of the claimed zero days in Microsoft Exchange https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9
02/10/2022 10:20:25

Yesterday, cybersecurity vendor GTSC Cyber Security dropped a blog saying they had detected exploitation of a new Microsoft Exchange zero…

doublepulsar EN 2022 Medium KevinBeaumont ProxyNotShell CVE-2022-41040 CVE-2022-41082
Ukraine warns of 'massive cyberattacks' coming from Russia on critical infrastructure sites https://www.cyberscoop.com/ukrainians-warn-of-massive-cyberattacks/
02/10/2022 09:53:51

The Russian government is planning “massive cyberattacks” against Ukrainian critical infrastructure facilities to “increase the effect of missile strikes on electrical supply facilities,” the Ukrainian government said Monday.

cyberscoop EN 2022 massive cyberattacks geopolitics Russia-Ukraine-war Ukraine government threat infrastructures
Mystery Hackers Are ‘Hyperjacking’ Targets for Insidious Spying https://www.wired.com/story/hyperjacking-vmware-mandiant/
01/10/2022 01:07:10

For decades, security researchers warned about techniques for hijacking virtualization software. Now one group has put them into practice.

wired 2022 EN hacking virtualization Hyperjacking malware Blue-Pill Mandiant
Chaos is a Go-based Swiss army knife of malware https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/
01/10/2022 01:03:28

Black Lotus Labs, the threat intelligence arm of Lumen Technologies, recently uncovered a multifunctional Go-based malware developed for Windows and Linux.

lumen EN 2022 Chaos Go malware Windows Linux IoCs
Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
30/09/2022 09:27:43

Circa the beginning of August 2022, while providing security monitoring and incident response services, the GTSC SOC team discovered that a critical infrastructure organization was being attacked, specifically through its Microsoft Exchange application. During the investigation, GTSC Blue Team experts determined that the attack used an unpublished Exchange security vulnerability, i.e., a 0-day vulnerability, and immediately came up with a temporary containment plan.

gteltsc.vn EN 2022 Microsoft-Exchange Exchange 0-day RCE vulnerability campaign IoCs
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage
30/09/2022 09:08:07

Espionage group begins using new backdoor that leverages rarely seen steganography technique.

symantec EN 2022 Witchetty Espionage backdoor steganography LookingFrog IoCs
ZINC weaponizing open-source software https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
29/09/2022 18:15:19

In recent months, Microsoft detected weaponization of legitimate open-source software by an actor the Microsoft Threat Intelligence Center (MSTIC) tracks as ZINC, targeting employees at media, defense and aerospace, and IT service provider organizations in the US, UK, India, and Russia.

microsoft EN 2022 ZINC open-source software MSTIC aerospace weaponizing
Lindy Cameron at Chatham House security and defence conference 2022 https://www.ncsc.gov.uk/speech/lindy-cameron-chatham-house-security-and-defence-conference-2022
29/09/2022 16:08:53

The National Cyber Security Centre’s CEO Lindy Cameron delivered a keynote speech at the Chatham House security and defence conference 2022.

Lindy Cameron discussed the cyber dimension of the Russia-Ukraine conflict, focusing on what the NCSC has observed and the UK’s response.

ncsc UK EN 2022 Russia-Ukraine-war cyber warfare
BumbleBee: Round Two https://thedfirreport.com/2022/09/26/bumblebee-round-two/
28/09/2022 15:29:52

In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates. …

thedfirreport EN 2022 BumbleBee ransomware RDP IoCs
NullMixer drops Redline Stealer, SmokeLoader and other malware | Securelist https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/
28/09/2022 15:28:47

NullMixer is a dropper delivering a number of Trojans, such as RedLine Stealer, SmokeLoader, Satacom, and others.

securelist EN 2022 NullMixer dropper Malware Malware-Descriptions Malware-Technologies Trojan Trojan-Dropper Trojan-stealer
MAR-10400779-1.v1 – Zimbra 1 https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-270a
28/09/2022 15:27:59

CISA received seven files for analysis: six Java Server Pages (JSP) webshells and a Bourne Again SHell (bash) file. Five of the JSP webshell files are designed to parse inbound requests for commands to execute, download files, and upload files. One JSP webshell file contains a form with input fields that prompts the attacker to enter a command in the input box and click "run" to execute it; the command output is displayed in a JSP page. The bash file is designed to perform ldapsearch queries and store the output in a newly created directory.

uscert csirt cert EN 2022 Malware Analysis Report AR22-270A Zimbra
Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/
28/09/2022 15:24:54

First Coinbase, now Crypto.com. Lazarus campaign targets more crypto exchange platform job seekers with multi-stage malware.

sentinelone EN 2022 Lazarus Lazarus-Group crypto macOS operation APT38
Slack’s and Teams’ Lax App Security Raises Alarms https://www.wired.com/story/slack-microsoft-teams-app-security/
27/09/2022 07:51:57

New research shows how third-party apps could be exploited to infiltrate these sensitive workplace tools.

wired EN 2022 Microsoft Teams Slack third-party app research
Poseidon’s Offspring: Charybdis and Scylla https://www.humansecurity.com/learn/blog/poseidons-offspring-charybdis-and-scylla
26/09/2022 11:10:59

HUMAN's Satori Threat Intelligence and Research Team uncovered a network of 89 Android and iOS apps committing various flavors of ad fraud.

humansecurity EN 2022 Android iOS ad-fraud Charybdis Scylla
In the footsteps of the Fancy Bear: PowerPoint mouse-over event abused to deliver Graphite implants https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/
26/09/2022 11:08:02

Analysis of APT28/Fancy Bear PowerPoint mouse-over campaign

cluster25 2022 EN APT28 IoCs FancyBear PowerPoint campaign mouse-over Analysis
GRU: Rise of the (Telegram) MinIOns https://www.mandiant.com/resources/blog/gru-rise-telegram-minions
26/09/2022 10:52:59

Multiple self-proclaimed hacktivist groups are conducting attacks in support of Russian interests.

Mandiant EN 2022 Telegram GRU Russia-Ukraine-war hacktivist Russia Analysis