
Weekly Shaarli

All of a week's links on one page.

Week 47 (November 18, 2024)

China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike

In a recent cyber campaign, the Chinese state-sponsored threat group TAG-112 compromised two Tibetan websites, Tibet Post and Gyudmed Tantric University, to deliver Cobalt Strike. Recorded Future's Insikt Group discovered that the attackers embedded malicious JavaScript in these sites, which spoofed a TLS certificate error to trick visitors into downloading a disguised "security certificate". Cobalt Strike, a commercial post-exploitation framework widely abused by threat actors for remote access, points to a continued cyber-espionage focus on Tibetan entities. TAG-112's infrastructure, concealed behind Cloudflare, links this campaign to other China-sponsored operations, particularly TAG-102 (Evasive Panda).

Fintech Giant Finastra Investigating Data Breach

The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.

Apple fixes two zero-days used in attacks on Intel-based Macs

Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks on Intel-based Mac systems.

"Apple is aware of a report that this issue may have been exploited," the company said in an advisory issued on Tuesday.

The two bugs were found in the macOS Sequoia JavaScriptCore (CVE-2024-44308) and WebKit (CVE-2024-44309) components of macOS.

Qualys TRU Uncovers Five Local Privilege Escalation Vulnerabilities in needrestart | Qualys Security Blog

The Qualys Threat Research Unit (TRU) has identified five Local Privilege Escalation (LPE) vulnerabilities within the needrestart component, which is installed by default on Ubuntu Server. These vulnerabilities can be exploited by any unprivileged user to gain full root access without requiring user interaction. The identified flaws have been assigned the CVE identifiers CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003, highlighting the need for immediate remediation to protect system integrity.

Our TRU team has successfully developed functional exploits for these vulnerabilities. While we will not disclose our exploits, please be aware that these vulnerabilities are easily exploitable, and other researchers may release working exploits shortly following this coordinated disclosure.

These vulnerabilities have been present since the introduction of interpreter support in needrestart version 0.8, released in April 2014.
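A fleet-side check for the advisory above, written here as an added example (it is not code from Qualys or from the needrestart project). The lower bound of the affected range, 0.8, is taken from the text above; the upper bound assumes the fix shipped in needrestart 3.8, the release named in the Qualys advisory, and the interim mitigation it prints (`$nrconf{interpscan} = 0;`) is the one documented in that advisory. The version comparison is done in POSIX sh plus awk so the script runs on a minimal Ubuntu Server image.

```shell
#!/bin/sh
# Added example, not code from Qualys or the needrestart project: report whether
# the installed needrestart falls in the affected range. Lower bound 0.8 comes
# from the advisory summary; the upper bound assumes the fix is in release 3.8,
# the version named in the Qualys advisory.
AFFECTED_FROM=0.8
FIXED_IN=3.8

# version_lt A B: exit 0 when A sorts before B, comparing dot-separated numeric
# fields and ignoring Debian revision suffixes such as "-1ubuntu1".
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xa = x[i]; ya = y[i]
      sub(/[^0-9].*/, "", xa); sub(/[^0-9].*/, "", ya)
      if (xa + 0 < ya + 0) exit 0
      if (xa + 0 > ya + 0) exit 1
    }
    exit 1
  }'
}

# needrestart_affected VERSION: exit 0 when AFFECTED_FROM <= VERSION < FIXED_IN.
needrestart_affected() {
  if version_lt "$1" "$AFFECTED_FROM"; then
    return 1
  fi
  version_lt "$1" "$FIXED_IN"
}

# installed_needrestart_version: print the dpkg version string, empty if the
# package (or dpkg itself) is absent.
installed_needrestart_version() {
  dpkg-query -W -f '${Version}' needrestart 2>/dev/null || true
}

# main: exit 0 when not affected or not installed, 2 when an upgrade is needed.
main() {
  v=$(installed_needrestart_version)
  if [ -z "$v" ]; then
    echo "needrestart is not installed (dpkg); nothing to do"
    return 0
  fi
  if needrestart_affected "$v"; then
    echo "needrestart $v is in the affected range [$AFFECTED_FROM, $FIXED_IN): upgrade"
    echo "Interim mitigation from the Qualys advisory: set"
    echo '  $nrconf{interpscan} = 0;'
    echo "in /etc/needrestart/needrestart.conf to disable interpreter scanning"
    return 2
  fi
  echo "needrestart $v is not in the affected range"
  return 0
}

main "$@"
```

The exit status (0 clean, 2 affected) is meant for configuration-management or inventory jobs that run the script across many hosts; the interpreter-scan switch is a stop-gap until the package is upgraded, since it turns off the feature the advisory says introduced the flaws.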

Several MPs' Telegram accounts were hacked

The National Assembly's services alerted all MPs after the hack.

Feds Charge Five Men in ‘Scattered Spider’ Roundup – Krebs on Security

Federal prosecutors in Los Angeles this week unsealed criminal charges against five men alleged to be members of a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including LastPass, MailChimp, Okta,…

Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON | Microsoft Security Blog

At CYBERWARCON 2024, Microsoft Threat Intelligence analysts will share research and insights on North Korean and Chinese threat actors representing years of threat actor tracking, infrastructure monitoring and disruption, and their attack tooling.

Seeing Through a GLASSBRIDGE: Understanding the Digital Marketing Ecosystem Spreading Pro-PRC Influence Operations

GLASSBRIDGE is an umbrella group of four different companies that operate networks of inauthentic news sites and newswire services.

Russian Spies Jumped From One Network to Another Via Wi-Fi in an Unprecedented Hack | WIRED

In a first, Russia's APT28 hacking group appears to have remotely breached the Wi-Fi of an espionage target by hijacking a laptop in another building across the street.

PROSPERO & Proton66: Uncovering the links between bulletproof networks
  • The Russian autonomous system PROSPERO (AS200593) can be linked with high confidence to Proton66 (AS198953), another Russian AS that we believe is connected to the bulletproof hosting services named 'SecureHost' and 'BEARHOST'. Notably, both networks' configurations are almost identical in terms of peering agreements and in how their traffic load has been shared over time.
  • Among the activities the two networks share, both the GootLoader and SpyNote malware families recently moved their command-and-control servers and phishing pages to Proton66. Additionally, the domains hosting the phishing pages that deploy SpyNote were hosted on one of the two ASes and had already been used in earlier campaigns delivering revoked AnyDesk and LiveChat versions for both Windows and Mac.
  • Regarding the other malicious activities found on PROSPERO's IPs, throughout September multiple SMS spam campaigns targeting citizens of various countries led to phishing domains hosted on PROSPERO and Proton66. While most phishing templates impersonated bank login pages to steal credit card details, some were also used to deploy Android spyware such as Coper (a.k.a. Octo).
  • SocGholish, another initial access broker (IAB) that we found hosting a major part of its infrastructure on Proton66, continues to use this autonomous system to host the fingerprinting scripts placed on the websites it infects. Alongside SocGholish, we found that FakeBat, another loader that infects systems through compromised websites, was using the same IPs to host both its screening and its redirection scripts.

FortiClient VPN Logging Blind Spot Revealed

Research presenting a method to automatically validate credentials against Fortinet VPN servers, built on a logging blind spot that attackers can exploit to compromise organizations at scale.

Five members of the Scattered Spider hacking group arrested

Four Americans and one Briton are now being prosecuted for their involvement in the group, which is accused in particular of hacking the casino operator MGM Resorts. Specialized in phishing, the collective may be an offshoot of a vast community of English-speaking hackers.

INPS Servizi under ransomware attack. Data at risk and site unreachable | DDay.it

The attack took place on November 18 but was disclosed the following day through a notice from an organization that uses INPS Servizi.

Ruag develops a smartphone for the Swiss army

As part of a new project, the technology group Ruag is modifying a Samsung smartphone for government institutions and authorities such as the army and emergency ("blue-light") services.

A smartphone called "Guardian" is a new secure-communication project, run by the defence company Ruag MRO. The current prototype is also expected to work over satellite in the near future; for the satellite link, Ruag is working with Wisekey, a Geneva-based security company. This is reported by several Swiss media outlets such as the "Walliser Bote" and "Watson".

750,000 sensitive French patient files and records leaked on the dark web: what is going on?

[Article updated November 19, 2024 at 17:40] On Tuesday, a cybercriminal posted online a database containing the hospital and personal information of more than 750,000 people. He claims it comes from a data leak in the Mediboard medical-management software.

Threat Actors Hijack Misconfigured Servers for Live Sports Streaming

Learn how Nautilus threat-hunting operation analyzed attackers exploiting misconfigured JupyterLab for illegal stream ripping with Traceeshark.

Picard hit by a data breach, thousands of customers affected

The frozen-food retailer warned some of its loyalty-programme customers on Tuesday that their data is now out in the wild.

Exploit attempts for unpatched Citrix vulnerability

Exploit attempts for unpatched Citrix vulnerability, Author: Johannes Ullrich

FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications

We analyze FrostyGoop malware, which targets OT systems. This article walks through newly discovered samples and indicators, and also examines configurations and network communications.

Abnormal Security

Discover how Dropbox was exploited in a sophisticated phishing attack that leveraged AiTM tactics to steal credentials during the open enrollment period.

Office of Public Affairs | Phobos Ransomware Administrator Extradited from South Korea to Face Cybercrime Charge

The Justice Department unsealed criminal charges today against Evgenii Ptitsyn, 42, a Russian national, for allegedly administering the sale, distribution, and operation of Phobos ransomware.

Microsoft 365 Admin portal abused to send sextortion emails

The Microsoft 365 Admin Portal is being abused to send sextortion emails, making the emails appear trustworthy and bypassing email security platforms.

Extracting Plaintext Credentials from Palo Alto Global Protect

In C:\Users\username\AppData\Local\Palo Alto Networks\GlobalProtect there was a file called panGPA.log that contained something interesting:

Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474

This is a pair of vulnerabilities, described as an 'Authentication Bypass in the Management Web Interface' and a 'Privilege Escalation' respectively, strongly suggesting they are used as a chain to gain superuser access, a pattern we have seen before with Palo Alto appliances. Before we have even dived into the code, we have already established that we are looking for a chain of vulnerabilities to achieve that coveted pre-authenticated remote code execution.

T-Mobile finally managed to thwart a data breach before it occurred
  • T-Mobile was able to stop a recent intrusion before it escalated.
  • Hackers were able to enter T-Mobile's network but did not get far.
  • No data breach occurred this time.

Anyone Can Buy Data Tracking US Soldiers and Spies to Nuclear Vaults and Brothels in Germany | WIRED

More than 3 billion phone coordinates collected by a US data broker expose the detailed movements of US military and intelligence workers in Germany—and the Pentagon is powerless to stop it.

Leaked Documents Show What Phones Secretive Tech ‘Graykey’ Can Unlock

The documents provide never-been-seen insight into the current cat-and-mouse game between forensics companies and phone manufacturers Apple and Google.

Major security audit of critical FreeBSD components now available - Help Net Security

The FreeBSD Foundation has released an extensive security audit of two critical FreeBSD components: bhyve and Capsicum.

German Stats Body Says Suffered Possible Data Breach | Barron's

Germany's national statistics agency Destatis said Friday it had been the victim of a suspected data leak, following a media report that the organisation had been attacked by pro-Russian hackers.

Turkey fines Amazon's Twitch 2 mln lira for data breach | Reuters

Turkey's Personal Data Protection Board (KVKK) has fined Amazon.com's gaming platform Twitch 2 million lira ($58,000) over a data breach, the official Anadolu Agency reported on Saturday.

Snowflake hackers identified and charged with stealing 50 billion AT&T records | TechCrunch

The U.S. Department of Justice indicted two hackers for breaking into the systems of AT&T and several other companies.