## Summarizing top posts specific to an APT#

### 1. extract data for each APT

In [38]:
import pandas as pd
from os import listdir

path = '../data/'
files = listdir('../data/')
df = pd.DataFrame(columns=["url", "query", "text"])

aptNumbers = [1, 3, 5, 10, 12, 15, 16, 17, 18, 19, 27, 28, 29, 30, 32, 33, 34, 35, 37, 38]

for n in aptNumbers:
    for f in files:
        temp = pd.read_csv(path + f)
        df = df.append(temp)
    aptNum = "APT%s" % n
    df.loc[df['query'] == aptNum]
    apt_json = aptNum+'.json'
    df.to_json(apt_json, orient='records')

### 2. summarizing the posts

In [39]:
import json
import nltk
import numpy

BLOG_DATA = "APT3.json"

N = 100  # Number of words to consider
CLUSTER_THRESHOLD = 5  # Distance between words to consider
TOP_SENTENCES = 5  # Number of sentences to return for a "top n" summary

# Approach taken from "The Automatic Creation of Literature Abstracts" by H.P. Luhn

def _score_sentences(sentences, important_words):
    scores = []
    sentence_idx = -1

    for s in [nltk.tokenize.word_tokenize(s) for s in sentences]:

        sentence_idx += 1
        word_idx = []

        # For each word in the word list...
        for w in important_words:
            try:
                # Compute an index for where any important words occur in the sentence.

                word_idx.append(s.index(w))
            except ValueError, e: # w not in this particular sentence
                pass

        word_idx.sort()

        # It is possible that some sentences may not contain any important words at all.
        if len(word_idx)== 0: continue

        # Using the word index, compute clusters by using a max distance threshold
        # for any two consecutive words.

        clusters = []
        cluster = [word_idx[0]]
        i = 1
        while i < len(word_idx):
            if word_idx[i] - word_idx[i - 1] < CLUSTER_THRESHOLD:
                cluster.append(word_idx[i])
            else:
                clusters.append(cluster[:])
                cluster = [word_idx[i]]
            i += 1
        clusters.append(cluster)

        # Score each cluster. The max score for any given cluster is the score 
        # for the sentence.

        max_cluster_score = 0
        for c in clusters:
            significant_words_in_cluster = len(c)
            total_words_in_cluster = c[-1] - c[0] + 1
            score = 1.0 * significant_words_in_cluster \
                * significant_words_in_cluster / total_words_in_cluster

            if score > max_cluster_score:
                max_cluster_score = score

        scores.append((sentence_idx, score))

    return scores

def summarize(txt):
    sentences = [s for s in nltk.tokenize.sent_tokenize(txt)]
    normalized_sentences = [s.lower() for s in sentences]

    words = [w.lower() for sentence in normalized_sentences for w in
             nltk.tokenize.word_tokenize(sentence)]

    fdist = nltk.FreqDist(words)

    top_n_words = [w[0] for w in fdist.items() 
            if w[0] not in nltk.corpus.stopwords.words('english')][:N]

    scored_sentences = _score_sentences(normalized_sentences, top_n_words)

    # Summarization Approach 1:
    # Filter out nonsignificant sentences by using the average score plus a
    # fraction of the std dev as a filter

    avg = numpy.mean([s[1] for s in scored_sentences])
    std = numpy.std([s[1] for s in scored_sentences])
    mean_scored = [(sent_idx, score) for (sent_idx, score) in scored_sentences
                   if score > avg + 0.5 * std]

    # Summarization Approach 2:
    # Another approach would be to return only the top N ranked sentences

    top_n_scored = sorted(scored_sentences, key=lambda s: s[1])[-TOP_SENTENCES:]
    top_n_scored = sorted(top_n_scored, key=lambda s: s[0])

    # Decorate the post object with summaries

    return dict(top_n_summary=[sentences[idx] for (idx, score) in top_n_scored],
                mean_scored_summary=[sentences[idx] for (idx, score) in mean_scored])

blog_data = json.loads(open(BLOG_DATA).read())

post_count = 0
for post in blog_data:
       
    post.update(summarize(post['text']))

    post_count+=1
    
    print 'Post',post_count,'.......................................................................'
    print post['url']
    print
    print 'Top N Summary'
    print '-------------'
    print ' '.join(post['top_n_summary'])
    print
    print 'Mean Scored Summary'
    print '-------------------'
    print ' '.join(post['mean_scored_summary'])
    print

Post 1 .......................................................................
https://www.crowdstrike.com/blog/two-birds-one-stone-panda/

Top N Summary
-------------
ZHANG Shilong (张世龙)
ZHANG was originally introduced by IntrusionTruth as a reciprocal follower of fisherxp’s Twitter account via his own @baobeilong account. NSACE appears to be a national education body that teaches network information security, including offensive activity7. From their latest post, which contains GAO’s Uber receipts, it is clear the group’s information likely goes beyond merely available OSINT data. In addition, FalconIntelligence notes that following the late 2015 Sino-U.S. brief cyber detente, much of the responsibility for western cyber intrusion operations was handed to the MSS as the PLA underwent an extensive reform that is still currently underway, and which is consolidating its military cyber forces under the Strategic Support Force. Many of these adversaries have begun targeting supply chain a

Post 7 .......................................................................
https://www.securityweek.com/poison-ivy-rat-campaign-leverages-new-delivery-techniques

Top N Summary
-------------
Still, the company did say that “espionage is a reasonable assumption for their motives.”
What the newly observed campaign did show, however, was that the actor behind it is up-to-date with recent social engineering and evasion techniques and isn’t shy when it comes to using them. The malware was distributed via Word documents with malicious macros, and the threat actor was using social engineering to trick users into enabling these macros. The malicious documents were delivered via email, claiming to contain instructions for logging into webmail or information regarding a state law proposal, FireEye explains. The shellcode has a custom XOR-based decryption loop that uses a single byte key (0xD4), and was designed to inject the Poison Ivy backdoor into userinit.exe. Previous Columns by Ionut Ar

Post 12 .......................................................................
https://www.securityweek.com/report-highlights-business-risks-drawn-geopolitical-flashpoints

Top N Summary
-------------
In early March, a DHS report described activity under the 'Pleasantly Surprised' campaign spear-phishing commercial entities in the financial, retail and technology sectors. Internally it continues to increase control over cyber activities with new regulations on data flows and VPNs. However, for the moment, it believes that the "re-election of Iranian President Hassan Rouhani is likely to have a stabilizing effect on Iranian cyber activities." In April, Google and Facebook became victims in a scam that netted $100 million for the scammers. Hacktivists
Flashpoint notes a decline in western hacktivism.

Mean Scored Summary
-------------------
China
Chinese state-sponsored activity has remained low following the Xi-Obama agreement made in September 2015. In early March, a DHS report descri

Post 18 .......................................................................
https://www.securityweek.com/china-linked-spies-used-new-malware-uk-government-attack

Top N Summary
-------------
The attack has been attributed to a threat actor known as APT15, Ke3chang, Mirage, Vixen Panda and Playful Dragon. The group has improved its tools and techniques over the years, and NCC recently spotted two new backdoors it created. Experts determined that the hackers had stolen a VPN certificate from a compromised host and used it to regain access via the corporate VPN. In addition to BS2005, RoyalCLI and RoyalDNS, APT15 used custom-built keyloggers, and Microsoft SharePoint and Exchange enumeration and data dumping tools. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter.

Mean Scored Summary
-------------------
The attack has been attributed to a threat actor known as APT15, Ke3chang, Mirage, Vixen Panda and Play

Post 24 .......................................................................
https://securelist.com/ksb-threat-predictions-for-2018/83169/

Top N Summary
-------------
This allows us to understand the actual attack surface and attacker tactics and to further hone our hunting and detection to address new attacks. Our assessment is that the total number of mobile malware existing in the wild is likely higher than currently reported, due to shortcomings in telemetry that makes these more difficult to spot and eradicate. While many have grown desensitized to the weight of these breaches, it’s important to understand that the release of PII at scale endangers a fundamental pillar of e-commerce and the bureaucratic convenience of adopting the Internet for important paperwork. Perhaps thus far resilient alternatives like ApplePay will come into vogue as de facto means of insuring identity and transactions, but in the meantime we may see a slowdown in the critical role of the Internet for m

Post 27 .......................................................................
https://www.securityweek.com/ccleaner-incident-investigation-reveals-possible-stage-3-payload

Top N Summary
-------------
Hackers had added a backdoor to the 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 releases, Avast revealed. What led to this was the compromise of the distribution servers of Piriform, the company developing CCleaner, in the months before Avast purchased the software firm. However, given the timeline of events, they assume that it “had downloaded and installed ShadowPad on the four Piriform computers.”
The fact that ShadowPad is believed to have been developed by the Axiom group, the same actor behind the CCleaner attack, is also a strong indicator that this malware was intended to become the third stage payload, Avast says. The ShadowPad version used in the attack was custom-built, leading investigators to suspect it was explicitly created for Piriform. “While ShadowPad was 

Post 31 .......................................................................
https://www.securityweek.com/chinese-apt-group-uses-hacking-team%E2%80%99s-flash-player-exploit

Top N Summary
-------------
Chinese APT Group Uses Hacking Team’s Flash Player Exploit
The Adobe Flash Player exploit stolen by hackers from spyware maker Hacking Team has been leveraged by advanced persistent threat (APT) groups, according to security solutions provider Volexity. Hackers leaked a total of 400GB of data stolen from Hacking Team, including surveillance software, source code and exploits. The Flash Player exploit was integrated into exploit kits before Adobe managed to patch the vulnerability. As far as Wekby is concerned, Volexity is not the only security firm to analyze the group’s activities recently. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter.

Mean Scored Summary
-------------------
Hackers leaked a total of

Post 37 .......................................................................
https://www.fireeye.com//blog/threat-research/2013/02/netizen-research-bolsters-apt1-attribution.html

Top N Summary
-------------
This apartment complex is only a 600-meter walk away from the Unit 61398 headquarters building, as depicted in Figure 3. "[2] Furthermore, a person named Mei Qiang (梅强) co-authored two papers in 2007 and 2008 that are associated with the PLAIEU. However, if it is, it would indicate that he was probably a student at SJTU when he posed his question about Chinese cyber troops to Zhang Zhaozhong. An article published in the China Digital Times disclosed a 2004 recruitment notice on the Zhejiang University website advertising, "Unit 61398 of China's People's Liberation Army (located in Pudong District, Shanghai) seeks to recruit 2003-class computer science graduate students." But if you have to do more work to deny something than to accept it, you might want to reconsider your chain 

Post 42 .......................................................................
https://www.fireeye.com//blog/threat-research/2013/02/threat-actors-mandiant-apt1-report-spear-phishing-nitty.html

Top N Summary
-------------
Before executing its payload the malware creates a thread that will monitor for windows created containing text related to AVG firewall notifications. An additional buffer is then decoded within the decoded shellcode using a single byte XOR key of 0xFF . The malware then attempts to connect to the configured server at itsec.eicp.net using TCP port 443 to download files to the infected system. The clean PDF is then displayed for the user while AdobeARM.exe is executed in the background. The malware takes the hostname string (up to 0x14 characters), increments each character by one and then appends the language ID string.

Mean Scored Summary
-------------------
As we noted yesterday , Brandon Dixon's 9B+ blog and Symantec reported the discovery of two malicious versi

Post 48 .......................................................................
https://securelist.com/cve-2015-2545-overview-of-current-threats/74828/

Top N Summary
-------------
The error enables an attacker to execute arbitrary code using a specially crafted EPS image file. In this research paper, we discuss examples of attacks using the CVE-2015-2545 vulnerability undertaken by some of these groups. The document is written in good Japanese, as shown below. For information about the service, please write to intelreports@kaspersky.com . Danti attacks  Danti (Kaspersky Lab’s internal name) is an APT actor that has been active at least since 2015, predominantly targeting Indian government organizations.

Mean Scored Summary
-------------------
The error enables an attacker to execute arbitrary code using a specially crafted EPS image file. Over the following months, there was significant growth in the number of threat actors using the vulnerability as a primary tool for initial penetr

Post 53 .......................................................................
https://www.securityweek.com/cyber-unit-chinas-pla-behind-massive-cyber-espionage-operation-report

Top N Summary
-------------
“It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively.”
 
“The issue of attribution has always been a missing link in publicly understanding the landscape of APT cyber espionage. Mandiant said that it was able to confirm 937 command and control servers running on 849 distinct IP addresses and has confirmed 2,551 domain names attributed to APT1 in the last several years. In late January, The New York Times said hackers stole corporate passwords and targeted the computers of 53 employees including former Beijing bureau chief Jim Yardley, who is now the South Asia bureau chief at the Times based in India, after the newspaper published a report on the vast wealth amassed by

Post 58 .......................................................................
https://www.securityweek.com/researchers-identify-targeted-attacks-australia

Top N Summary
-------------
Researchers Identify Targeted Attacks in Australia
Researchers at FireEye have identified a new targeted attack, currently hitting organizations in Australia, in order to deliver payloads designed to open remote access and steal information. “In our experiment, since the CnC was not responding, we supplied an encoded notepad.exe in the response. “We have observed many variants of this malware; some even try sending hostname and IP address information back to its CnC as part of its User-Agent string in the GET request. One of the variants we observed had “IPhone 8.5” in the UA string, which we found interesting.” 
It’s worth mentioning that FireEye’s findings included a list of malware that was previously disclosed by Mandiant in their APT1 report. (function() {
           var po = document.createElement

Post 63 .......................................................................
https://www.symantec.com/connect/blogs/apt1-additional-comment-crew-indicators-compromise

Top N Summary
-------------
Symantec has been actively tracking this group for six years while maintaining our own database of indicators. To help increase public awareness, we have decided to release hundreds of additional Comment Crew indicators to those already released. You can find these indicators in the following paper: Comment Crew Indicators of Compromise and on Pastebin. Update [February 25, 2013] – Paper now also includes list of associated MD5 hashes. File Attachments:




Protected Attachments:






Page Views: 
Operating Systems:


Tags:
Products, Endpoint Protection, Security Response, APT1, Comment Crew, IOCs

Groups: 

Subscriptions (0)

Mean Scored Summary
-------------------
To help increase public awareness, we have decided to release hundreds of additional Comment Crew indicators to those already

Post 69 .......................................................................
https://www.fireeye.com//blog/threat-research/2017/08/apt28-targets-hospitality-sector.html

Top N Summary
-------------
APT28 Uses Malicious Document to Target Hospitality Industry  FireEye has uncovered a malicious document sent in spear phishing emails to multiple companies in the hospitality industry, including hotels in at least seven European countries and one Middle Eastern country in early July. Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks. To spread through the hospitality company’s network, APT28 used a version of the EternalBlue SMB exploit. South Korea-nexus Fallout Team (aka Darkhotel) has used spoofed software updates on infected Wi-Fi networks in Asian hotels , and Duqu 2.0 malware has been found on the networks of European hotels used by participants in the Iranian nuclear negotiations. APT28’s already wide

Post 74 .......................................................................
https://securelist.com/threats-in-the-netherlands/88185/

Top N Summary
-------------
The aim of this blogpost is to give an overview of which APT groups are active in the Netherlands and what they are interested in, and that requires TPs, not FPs. However, after careful research we found many false flags that pointed to different APT groups. Its tools, techniques and processes (TTPs) don’t differ extensively from those of traditional APT groups. Nevertheless, the fact that Lamberts is active in the Netherlands shows a possible shift in focus, and reminds us that for APT groups, borders do not exist. ASML is one of relatively few high-tech companies in the Netherlands.

Mean Scored Summary
-------------------
However, aside from Sofacy we haven’t seen many other advanced persistent threat (APT) groups in the Netherlands, at least when compared to other areas, such as the Middle-East. 0  10,532    1  1,149  

Post 79 .......................................................................
https://securelist.com/a-slice-of-2017-sofacy-activity/83930/

Top N Summary
-------------
Throughout these waves, we observed that the targets provided connection, even tangential, to Ukraine and NATO military and diplomatic interests. As an example, we might see extraneous data in their SSL/TLS certificates that give away information about their provider or resources. In order to identify their presence, not only can you gain valuable insight into their targeting from intelligence reports and gain powerful means of detections with hunting tools like YARA, but out-of-band processing with a solution like KATA is important. ]net lifeofmentalservice[. ]net netcorpscanprotect[.

Mean Scored Summary
-------------------
Throughout these waves, we observed that the targets provided connection, even tangential, to Ukraine and NATO military and diplomatic interests. Sofacy selectively used SPLM/CHOPSTICK modules as

Post 84 .......................................................................
https://www.securityweek.com/microsoft-disrupts-election-related-domains-used-russian-hackers

Top N Summary
-------------
The names of the domains suggest the hackers may have been using them in campaigns related to the upcoming midterm elections in the United States. APT28, which experts believe is sponsored by Russia’s GRU intelligence agency, has been known to launch politics-focused campaigns, including ones aimed at the latest presidential elections in the United States and France. While the domains may have been set up for election-related campaigns, Microsoft says it currently has no evidence that any of them were successfully used in attacks, and it’s unclear exactly who the hackers intended on targeting using these domains. The company revealed last month that it had spotted some Microsoft phishing domains that had apparently been set up as part of attacks aimed at the campaigns of three congressi

Post 88 .......................................................................
https://www.securityweek.com/who-hacked-french-president-elect-emmanuel-macrons-campaign

Top N Summary
-------------
Who Hacked French President-elect Emmanuel Macron's Campaign? The Macron hack occurred far later in the election campaign than the DNC hack; the phishing emails appear to be far clumsier; and the email leak occurred too late to have any effect on the election outcome. The New York Times reported, "'We created false accounts, with false content, as traps. "If it's information warfare -- rather than cyber warfare," suggests F-Secure security advisor Sean Sullivan, "then the point is not stealth. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.Previous Columns by Kevin Townsend:Cyberattacks Against Energy Sector 

Post 93 .......................................................................
https://www.securityweek.com/pawn-storm-cyberspies-target-german-ruling-party

Top N Summary
-------------
Trend Micro discovered in April that the threat actor was launching credential phishing attacks against the Christian Democratic Union (CDU) and high-profile users of German freemail providers GMX and WEB.DE. Trend Micro previously reported that this provider, which has servers in the Netherlands and Romania, was used by Pawn Storm in at least 80 high profile attacks aimed at governments around the world. “Pawn Storm attackers often conduct sophisticated, simultaneous attacks against targets’ corporate and personal email accounts. The attackers build a fake version of the corporate webmail server of the targeted organization and at the same attack key members of the organization on their private free webmail accounts,” said Feike Hacquebord, senior threat researcher at Trend Micro. He worked as a high 

Post 98 .......................................................................
https://www.securityweek.com/russia-linked-pawn-storm-attackers-exploiting-new-adobe-flash-zero-day

Top N Summary
-------------
According to Trend Micro, the threat group behind Operation Pawn Storm (also known as APT28, Sednit, Fancy Bear, Sofacy and Tsar Team) is using Adobe Flash zero-day exploit code in attacks targeting several Ministries of Foreign Affairs. Despite recent patches issued by Adobe on Oct. 13, this vulnerability is still unpatched, leaving Flash users vulnerable to attacks. Subject lines used to entice users to click included many “interesting” events such as: 
 “Suicide car bomb targets NATO troop convoy Kabul” 
“Syrian troops make gains as Putin defends air strikes” 
“Israel launches airstrikes on targets in Gaza” 
“Russia warns of response to reported US nuke buildup in Turkey, Europe” 
“US military reports 75 US-trained rebels return Syria” 
 Trend Micro researchers Brooks Li, Feike

Post 102 .......................................................................
https://www.securityweek.com/attackers-using-usb-malware-steal-data-air-gapped-networks

Top N Summary
-------------
According to ESET, the USBStealer dropper initially infects a computer within the targeted organization that's connected to the Internet (Computer A). The dropper is disguised as a legitimate Russian application called USB Disk Security. When the USB drive is once again connected to Computer A, the malware operator drops a series of data exfiltration commands onto it. Once the stolen files are transferred back to Computer A, the attackers need to use a different piece of malware to copy the data to their own servers because USBStealer doesn't have such capabilities, ESET noted. Researchers say it's uncertain how the initial infection occurs, but a likely attack vector is spear phishing.

Mean Scored Summary
-------------------
According to ESET, the USBStealer dropper initially infects a com

Post 107 .......................................................................
https://www.securityweek.com/russia-linked-hackers-directly-targeting-diplomats-report

Top N Summary
-------------
Russia-linked Hackers Directly Targeting Diplomats: Report
The Russia-linked cyber espionage group Sofacy has been targeting foreign affairs agencies and ministries worldwide in a recently discovered campaign, Palo Alto Networks warns. The hacking group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, Tsar Team, and Strontium, has been highly active recently, and new evidence shows activity directly targeting diplomats in North America and Europe, including those at a European embassy in Moscow. Both the loader and the SofacyCarberp variant used in the attack are similar to samples previously analyzed, yet they include several differences, such as a new hashing algorithm to resolve API functions and find browser processes for injection, and modified C&C communication mechanisms. The onl

Post 110 .......................................................................
https://www.securityweek.com/pawn-storm-attackers-target-mh17-plane-crash-investigators

Top N Summary
-------------
Pawn Storm Attackers Target MH17 Plane Crash Investigators
Organizations tasked with investigating the crash of Malaysia Airlines Flight MH17 have been targeted by the Russia-linked threat group known as Pawn Storm, Trend Micro reported on Thursday. The security firm discovered that the attackers set up fake Secure File Transfer Protocol (SFTP) and VPN servers designed to mimic servers of the Dutch Safety Board most likely in an effort to phish the credentials of the organization’s staff. “The VPN server of the Safety Board looks to use temporary tokens for authentication. In addition to the DSB, the attackers also targeted one of the organization’s key partners using a rogue Outlook Web Access (OWA) server, a technique previously used by Pawn Storm in attacks aimed at defense companies in t

Post 116 .......................................................................
https://www.securityweek.com/hackers-leak-olympic-committee-emails-response-russia-ban

Top N Summary
-------------
One of their most recent leaks included emails and medical records related to football (soccer) players who used illegal substances. WADA headquartered in Montreal, Canada supported by the United States Olympic Committee declared the crusade against the IOC on the pretext of defending clean sport,” the hackers said. Furthermore, Olympics-related organizations whose systems were previously breached by the hackers claimed at the time that some of the leaked files had been doctored. For instance, a hacker using the moniker Guccifer 2.0 has taken credit for an attack on the U.S. Democratic Party, which may have influenced last year’s presidential election. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.Prev

Post 123 .......................................................................
https://www.securityweek.com/windows-zero-day-exploited-attacks-aimed-middle-east

Top N Summary
-------------
The flaw, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue related to how the Win32k component of Windows handles objects in memory. The vulnerability was reported to Microsoft by Kaspersky Lab after one of the security firm's systems detected an exploitation attempt. "So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. A blog post published early on Wednesday by Kaspersky contains technical details on the vulnerability and how it has been exploited by FruityArmor. "We believe that although FruityArmor´s activity has been slowly increasing during the last two years, the extremely targeted nature of the attacks helps them fly below the radar," Kas

Post 128 .......................................................................
https://www.securityweek.com/more-evidence-links-russia-dnc-attack

Top N Summary
-------------
One of the groups is Russia-linked Cozy Bear, which is also known as CozyDuke and APT29. Guccifer 2.0 has set up a WordPress website and a Twitter account, which he has been using to release documents allegedly stolen from the DNC. “Based on our comparative analysis we agree with CrowdStrike and believe that the COZY BEAR and FANCY BEAR APT groups were involved in successful intrusions at the DNC. In March, the SecureWorks Counter Threat Unit (CTU), which tracks Fancy Bear as Threat Group-4127 (TG-4127), observed a spear-phishing campaign that leveraged Bit.ly shortened links to target email accounts connected to the upcoming presidential election in the United States, including accounts belonging to individuals working for or associated with Hillary Clinton’s campaign and the DNC. “Whether or not this posting i

Post 132 .......................................................................
https://www.securityweek.com/pawn-storm-group-targets-turkey

Top N Summary
-------------
The economic and politically-motivated threat actor, which has been active for the past decade, is also known as APT28, Sednit, Sofacy, Fancy Bear and Tsar Team. The list of known targets also includes governments in Europe, Asia and the Middle East. Experts noted that if Pawn Storm is really a Russian group, it would make sense for it to target Turkey. “The target list above shows that Pawn Storm may be after political information from Turkey: even the Turkish parliament got attacked. The fact they have set up at least two fake OWA servers for one of the largest Turkish newspapers may also be considered as further proof that they are also after information on what is going on in major media outlets in that country,” Hacquebord noted.

Mean Scored Summary
-------------------
The economic and politically-motivated thre

Post 138 .......................................................................
https://www.securityweek.com/malicious-pdf-leads-discovery-adobe-reader-windows-zero-days

Top N Summary
-------------
The malicious document leverages a privilege escalation flaw in Windows (CVE-2018-8120) and a remote code execution vulnerability in Adobe Reader (CVE-2018-4990). In order to make it more difficult for attackers to execute arbitrary code on a system running its Reader software, Adobe has implemented a sandbox. “Even though the sample does not contain a real malicious final payload, which may suggest that it was caught during its early development stages, the author(s) demonstrated a high level of skills in vulnerability discovery and exploit writing,” explained Anton Cherepanov, the ESET researcher credited by Microsoft and Adobe for reporting the flaws. At the time of writing, 18 of the 59 antivirus engines on VirusTotal detect the files discovered by ESET as a generic Trojan or exploit. 

Post 143 .......................................................................
https://www.securityweek.com/windows-10-blocks-zero-days-patches-arrive-microsoft

Top N Summary
-------------
The two exploits were used in a small spear-phishing campaign targeting think tanks and nongovernmental organizations in the United States. The STRONTIUM group, Microsoft says, leveraged the Win32k exploit in attacks in October 2016, where they attempted to corrupt the tagWND.strName structure and use SetWindowTextW to write arbitrary content anywhere in kernel memory. Abusing the API call to overwrite data of current processes and copy token privileges of the SYSTEM, the exploit allowed attackers to run victim processes with elevated privileges. “The font samples found on affected computers were specifically manipulated with hardcoded addresses and data to reflect actual kernel memory layouts. Previous Columns by Ionut Arghire:‘DemonBot' Botnet Targets Hadoop ServersLogical Bug in Microsoft Word'

Post 148 .......................................................................
https://www.securityweek.com/us-attributes-election-hacks-russian-threat-groups

Top N Summary
-------------
Attributes Election Hacks to Russian Threat Groups
U.S. Government Maps Election Hacks to Russian Threat Groups, But Industry Raises Concern Over Attribution Evidence
The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) on Thursday published a Joint Analysis Report (JAR) to detail the tools and infrastructure that Russian hackers used in attacks against the United States election. As expected, U.S. President Barack Obama on Thursday announced several retaliatory actions against Moscow, imposing sanctions on two intelligence agencies, expelling 35 diplomats and denying access to two Russian compounds inside the United States. It was all a jumbled mess,” tweeted Dmitri Alperovitch, Co-Founder & CTO at CrowdStrike. “That said, if you want to practice some hunting, go

Post 151 .......................................................................
https://www.securityweek.com/usual-threats-more-sophisticated-and-faster-report

Top N Summary
-------------
Last week, Microsoft discovered a major campaign focused on stealing Electroneum. The hackers used it in a phishing campaign that cited the New York City terror attacks. A second example comes from the December Gold Dragon attacks on organizations involved with the Winter Olympics. In this case the attackers employed steganography, "and a new tool released days before the attack." Just about every type of attack is increasing in both volume and sophistication.

Mean Scored Summary
-------------------
Last week, Microsoft discovered a major campaign focused on stealing Electroneum. The hackers used it in a phishing campaign that cited the New York City terror attacks. A second example comes from the December Gold Dragon attacks on organizations involved with the Winter Olympics. In this case the atta

Post 158 .......................................................................
https://www.securityweek.com/french-presidential-candidate-targeted-russia-linked-hackers

Top N Summary
-------------
The news comes shortly after Macron won the first round of France’s presidential election. Researchers have identified tens of military, government, defense, media, political, religious, educational and international organizations targeted by the group. The KAS phishing site, named kassap.de, was created in early April. Pawn Storm’s political operations have made a lot of headlines, particularly after the group targeted organizations affiliated with the Democratic Party in the United States. Several other “hacktivist” groups have been connected to Pawn Storm, including Cyber Caliphate, which claimed to be linked to ISIS when it attacked the U.S. Army and French TV station TV5Monde back in 2015.

Mean Scored Summary
-------------------
The news comes shortly after Macron won the first round

Post 164 .......................................................................
https://www.symantec.com/blogs/election-security/apt28-espionage-military-government

Top N Summary
-------------
Posted: 4 Oct, 2018
5 Min Read
Election Security


 Subscribe


Follow
twitter
facebook
linkedin




APT28: New Espionage Operations Target Military and Government Organizations
Recent campaigns see APT28 group return to covert intelligence gathering operations in Europe and South America. APT28 has continued to develop its tools over the past two years. Earworm uses two malware tools. However, Earworm also appears to conduct separate operations from APT28 and thus Symantec tracks them as a distinct group. An ongoing threat
It is now clear that after being implicated in the U.S. presidential election attacks in late 2016, APT28 was undeterred by the resulting publicity and continues to mount further attacks using its existing tools.

Mean Scored Summary
-------------------
Posted: 4 Oct, 2018
5

Post 170 .......................................................................
https://securelist.com/a-slice-of-2017-sofacy-activity/83930/

Top N Summary
-------------
Throughout these waves, we observed that the targets provided connection, even tangential, to Ukraine and NATO military and diplomatic interests. As an example, we might see extraneous data in their SSL/TLS certificates that give away information about their provider or resources. In order to identify their presence, not only can you gain valuable insight into their targeting from intelligence reports and gain powerful means of detections with hunting tools like YARA, but out-of-band processing with a solution like KATA is important. ]net lifeofmentalservice[. ]net netcorpscanprotect[.

Mean Scored Summary
-------------------
Throughout these waves, we observed that the targets provided connection, even tangential, to Ukraine and NATO military and diplomatic interests. Sofacy selectively used SPLM/CHOPSTICK modules a

Post 176 .......................................................................
https://www.securityweek.com/democracy-risk-poor-cybersecurity-foreign-interference-survey

Top N Summary
-------------
It started in June 2016 in the run-up to the 2016 presidential election, when the Democratic National Committee (DNC) announced it had been hacked, and CrowdStrike accused Russia-based Cozy Bear (APT 29). The fact that 1 in 4 voters said they would be willing to do so speaks volumes about how deeply this doubt has penetrated. Nevertheless, it is clear that there is strong voter concern over the future of elections and cybersecurity. The third is to create an auditable paper trail of votes in every state and precinct. He has been writing about high tech issues since before the birth of Microsoft.

Mean Scored Summary
-------------------
It started in June 2016 in the run-up to the 2016 presidential election, when the Democratic National Committee (DNC) announced it had been hacked, and Cro

Post 180 .......................................................................
https://www.securityweek.com/north-koreas-ddos-attacks-analyzed-based-ips

Top N Summary
-------------
The security firm believes the data may not be as useful for organizations as the U.S. hopes. Earlier this month, the United States Computer Emergency Readiness Team (US-CERT) released a technical alert on behalf of the DHS and the FBI to warn organizations of North Korea’s Hidden Cobra activities, particularly its DDoS botnet infrastructure. The IPs monitored by Arbor were involved in DDoS attacks on most days, but there were some periods with no activity. Security analysts would treat a list of command-and-control servers differently from a list of bots, and differently from a list of reflectors,” experts said. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.Previous Columns by Eduard Kovacs:Sauter Quickly Patches 

Post 184 .......................................................................
https://securelist.com/the-naikon-apt-and-the-msnmm-campaigns/70029/

Top N Summary
-------------
The MsnMM Campaigns [pdf]  For over half a decade, the Naikon APT waged multiple attack campaigns on sensitive targets throughout South-eastern Asia and around the South China Sea. Targets and victims included ASEAN governmental agencies and government departments, investment enterprises, military, law enforcement and border control organizations, embassies, university faculties and others. The Naikon attackers attempted to exfiltrate sensitive geo-political, military, and economic data; to intercept communications and to maintain surveillance on their victims throughout the MsnMM campaigns. Their toolset and techniques changed over time in many minor ways, and appear to be run by Chinese-speaking individuals. The consistent list of military, economic, and political targets gave away the actor’s interests.

Me

Post 189 .......................................................................
https://www.fireeye.com//blog/threat-research/2017/05/cyber-espionage-apt32.html

Top N Summary
-------------
Year   Country   Industry   Malware   2014   Vietnam   Network Security   WINDSHIELD   2014   Germany   Manufacturing   WINDSHIELD   2015   Vietnam   Media   WINDSHIELD   2016   Philippines   Consumer products   KOMPROGO WINDSHIELD SOUNDBITE BEACON   2016   Vietnam   Banking   WINDSHIELD   2016   Philippines   Technology Infrastructure   WINDSHIELD   2016   China   Hospitality   WINDSHIELD   2016   Vietnam   Media   WINDSHIELD   2016   United States   Consumer Products   WINDSHIELD PHOREAL BEACON SOUNDBITE   Table 1: APT32 Private Sector Targeting Identified by FireEye  APT32 Interest in Political Influence and Foreign Governments  In addition to focused targeting of the private sector with ties to Vietnam, APT32 has also targeted foreign governments, as well as Vietnamese dissidents and journalist

Post 193 .......................................................................
https://www.securityweek.com/campaign-targets-russian-speaking-enterprises-new-backdoor

Top N Summary
-------------
Campaign Targets Russian-Speaking Enterprises With New Backdoor
A malicious email campaign that has been active for at least two months is targeting Russian-speaking enterprises and delivering a new Windows-based backdoor, Trend Micro warns. Because of the emails’ limited distribution and specificity in social engineering lures, they should be considered part of a spear-phishing campaign, Trend Micro says. Once the exploit code was executed, it downloads a fake XLS file embedded with malicious JavaScript. Called Squiblydoo, this attack method abuses Regsvr32 to bypass restrictions on running scripts and evade application whitelisting protections such as AppLocker, and was previously associated with the activities of Vietnamese hacking group APT32. Previous Columns by Ionut Arghire:‘DemonBot'

Post 197 .......................................................................
https://www.fireeye.com//blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

Top N Summary
-------------
Figure 2: Excerpt of an APT33 malicious .hta file  We assess APT33 used a built-in phishing module within the publicly available ALFA TEaM Shell (aka ALFASHELL) to send hundreds of spear phishing emails to targeted individuals in 2016. Identified Persona Linked to Iranian Government  We identified APT33 malware tied to an Iranian persona who may have been employed by the Iranian government to conduct cyber threat activity against its adversaries. APT33’s focus on aviation may indicate the group’s desire to gain insight into regional military aviation capabilities to enhance Iran’s aviation capabilities or to support Iran’s military and strategic decision making. ]com   TURNEDUP   www.securityupdated[. ]net   TURNEDUP   syn.broadcaster[.

Mean Scored Summary
-------------------

Post 202 .......................................................................
https://www.securityweek.com/industry-reactions-iran-cyber-retaliation-over-us-nuclear-deal-exit

Top N Summary
-------------
Iran is only likely to use significant destructive capabilities if the situation escalates or the US expands its role in supporting Saudi Arabia. From a technical perspective they have more than enough capability to carry out successful attacks, as we have seen in the Middle East and the United States. The thing that will reduce their operational capacity is if the US government takes a proactive and aggressive counter cyber posture and actively disrupts Iran's program before an attack is launched. Taking action, putting lives at risk could result in a kinetic response from the US and/or its allies as well as put into question Europe’s current support of the agreement. Ironically, today is the day that the EU NIS Directive becomes law in all 28 EU Member States.”










         

Post 205 .......................................................................
https://www.securityweek.com/iranian-hackers-use-quadagent-backdoor-recent-attacks

Top N Summary
-------------
The account was likely compromised via credential theft. The first two attack waves (aimed at a technology services provider) targeted email addresses that weren’t easily discoverable via search engines. The dropper would run silently, would download the backdoor, create a scheduled task for persistency, and then execute the payload. ]com as the C&C and would attempt to connect to it via HTTPS, then HTTP, then via DNS tunneling. The victim was served a fake error box when executing the malware, in an attempt to reduce suspicion.

Mean Scored Summary
-------------------
Iranian Hackers Use QUADAGENT Backdoor in Recent Attacks
A series of recent attacks attributed to an Iran-linked cyber-espionage group delivered a PowerShell backdoor onto compromised machines, Palo Alto Networks has discovered. Th

Post 210 .......................................................................
https://www.securityweek.com/north-korean-hacking-group-apt37-expands-targets

Top N Summary
-------------
Cisco published a report in January detailing some of the campaigns launched by the threat actor in 2017, but APT37 only started making headlines in early February when researchers revealed that it had been using a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users. The list of targets includes organizations in the chemicals, manufacturing, electronics, aerospace, healthcare, and automotive sectors. The deal fell through, which is when APT37 started hacking the Middle Eastern company, likely in an effort to collect information, FireEye said. “Though they have primarily tapped other tracked suspected North Korean teams to carry out the most aggressive actions, APT37 is an additional tool available to the regime, perhaps even desirable for its relative obscurity. Relat

Post 215 .......................................................................
https://www.securityweek.com/researchers-say-code-reuse-links-north-koreas-malware

Top N Summary
-------------
In fact, actors operating from the same country have been often observed sharing malware code and infrastructure, which often makes attribution highly problematic. The use of these malware families has been already attributed to the Lazarus Group, which is tracked by the U.S. government as Hidden Cobra. The security researchers also discovered a connection between the Tapaoux (or DarkHotel) malware family and samples from Operation Troy. The only malware that stands apart are the RATs attributed to Group 123, which are linked to one another. Previous Columns by Ionut Arghire:‘DemonBot' Botnet Targets Hadoop ServersLogical Bug in Microsoft Word's 'Online Video' Allows Code ExecutionSOC-as-a-Service Firm Arctic Wolf Networks Raises $45 MillionMultiple Vulnerabilities Patched in ASRock Drivers'TimpD

Post 220 .......................................................................
https://www.crowdstrike.com/blog/two-birds-one-stone-panda/

Top N Summary
-------------
ZHANG Shilong (张世龙)
ZHANG was originally introduced by IntrusionTruth as a reciprocal follower of fisherxp’s Twitter account via his own @baobeilong account. NSACE appears to be a national education body that teaches network information security, including offensive activity7. From their latest post, which contains GAO’s Uber receipts, it is clear the group’s information likely goes beyond merely available OSINT data. In addition, FalconIntelligence notes that following the late 2015 Sino-U.S. brief cyber detente, much of the responsibility for western cyber intrusion operations was handed to the MSS as the PLA underwent an extensive reform that is still currently underway, and which is consolidating its military cyber forces under the Strategic Support Force. Many of these adversaries have begun targeting supply chain

Post 226 .......................................................................
https://www.securityweek.com/apt3-group-using-windows-ole-vulnerability-fireeye

Top N Summary
-------------
CVE-2014-6332 was disclosed publicly on 2014-11-11 and is a Windows OLE Automation Array Remote Code Execution vulnerability. CVE-2014-6332 was fixed earlier this month during Patch Tuesday. The vulnerability affected all versions of Windows from Windows 95 on, and has been remotely exploitable since Internet Explorer 3.0. CVE-2014-4113 meanwhile exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who exploited it could potentially run arbitrary code in kernel mode.

Mean Scored Summary
-------------------
The group has also been seen using social networks to fool targets into installing malware. The attacker leveraged multiple exploits, targeting both CVE-2014-6332 and CVE-2014-4113. CVE-2014-6332 was disclosed publicly on 2014-11-11 and is a Windows OLE Aut

Post 232 .......................................................................
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

Top N Summary
-------------
However, Buckeye’s focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong. From 2015 to date, Symantec identified approximately 82 organizations in various regions that had Buckeye tools present on their network. Up to mid-2015, Buckeye’s traditional targets were varying categories of US organizations, which match the types of victims seen in the UK. As mentioned previously, Buckeye also uses a number of hacking tools, including the following:
Keylogger: The keylogger is configured using the command line parameters: NetworkService, Replace, Install, Register and Unregister. This, coupled with the group’s use of zero-day exploits in the past, customized tools, and the types of organizations being targeted would suggest that Buckey

Post 235 .......................................................................
https://www.fireeye.com//blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html

Top N Summary
-------------
]147/VxQG   f613846eb5bed227ec1a5f8df7e678d0   bdc4b9f5af9868e028dd0adc10099a4e6656e9f0ad12b2e75a30f5ca0e34489d   hxxp[:]//153.92.210[. ]208/wBNh1   50c60f37922ff2ff8733aaeaa9802da5   fb9f7fb3c709373523ff27824ed6a31d800e275ec5217d8a11024a3dffb577dd   hxxp[:]//eservake.jetos[. ]com/qIDj   c500dae1ca41236830b59f1467ee96c1   d3450966ceb2eba93282aace7d7684380d87c6621bbd3c4f621caa079356004a   Default   Default   f12df6984bb65d18e2561bd017df29ee1cf946efa5e510802005aeee9035dd53    Table 3: Example of Blowfish keys  In this example, the MD5 hash of hxxp[:]//151.106.53[. Another difference in the network traffic generated from the malware is that the encoded proxy information has been added in the URL query values during the C2 communication. These are sent via POST reques

Post 238 .......................................................................
https://www.securityweek.com/operation-cloud-hopper-china-based-hackers-target-managed-service-providers

Top N Summary
-------------
From here they obtain legitimate credentials to access the MSPs' client networks that align to APT10's targeting profile -- which the authors claim aligns with China's current five-year plan (FYP) for economic growth. It is MSPs in all of those countries that are the targets; and we are not told of any specific client organizations breached. "Overall," comments Israel Barak, CISO of Cybereason, "the notion that China has decreased its efforts since 2015 to conduct economic espionage is preposterous. But whether this indicates the end of the two China accords is a different matter. To reiterate, it is too early in this particular instance to determine whether the Cameron-Xi accord was broken or is it simply a case of competitive intelligence and cybercrime that must be dealt 

Post 242 .......................................................................
https://www.securityweek.com/dont-fall-victim-ip-theft-and-corporate-espionage

Top N Summary
-------------
Don't Fall Victim to IP Theft and Corporate Espionage
If the infamous bank robber, Willie Sutton, were alive today and honed his cyber skills, he might turn his attention to corporate espionage. Over the past two years, several threat actors have launched corporate espionage campaigns against companies in pharmaceuticals, chemicals and related industries with the aim of profiting from proprietary information such as intellectual property, R&D material on new products and technologies as well as financial information. The actors behind these campaigns are each known by different names, but include “APT10”, “Crouching Yeti”, “FIN4”, “Operation Ghoul”, “Patchwork”, “Poseidon”, “Tick” and “Turla.” 
How do these threat groups go about these campaigns? The malware logs keystrokes and collects passwords, sc

Post 247 .......................................................................
https://www.symantec.com/connect/blogs/yet-another-zero-day-japan-hit-ichitaro-vulnerability

Top N Summary
-------------
As always, we exercised the responsible vulnerability disclosure process following this discovery. In June 2013, Symantec came across a similar Trojan.Mdropper variant with the .jtd file extension, sent to an organization that received the malware mentioned above. The main difference is the file format. If successful, the shellcode would have downloaded malware from the following URL :
http://googles.al[REMOVED]my.com/index.html
The server hosting this domain has been associated with the group referred to as APT 12 by Mandiant. To prevent a possible compromise, Ichitaro users are advised to download and apply the latest patch from JustSystems.

Mean Scored Summary
-------------------
+2
2
0

2 Votes




Symantec Official Blog
Yet Another Zero-Day:  Japan Hit with Ichitaro Vulnerability


Post 254 .......................................................................
https://www.securityweek.com/year-old-office-vulnerabilities-most-popular-current-attacks

Top N Summary
-------------
What might be surprising is that cybercriminals stayed with CVE-2012-0158 for so long and that they suddenly moved to a new vulnerability. SophosLabs researchers, however, say that this makes perfect sense. This remote code execution flaw was abused by an APT group dubbed Platinum and TwoForOne before Microsoft released a patch in September 2015. However, other groups started using it after the patch, including EvilPost and APT16, as well as NetTraveler. Time to install those Office security updates!”









           (function() {
           var po = document.createElement("script"); po.type = "text/javascript"; po.async = true;
           po.src = "https://apis.google.com/js/plusone.js";
           var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(po, s);
 

Post 259 .......................................................................
https://www.securityweek.com/ccleaner-incident-investigation-reveals-possible-stage-3-payload

Top N Summary
-------------
Hackers had added a backdoor to the 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 releases, Avast revealed. What led to this was the compromise of the distribution servers of Piriform, the company developing CCleaner, in the months before Avast purchased the software firm. However, given the timeline of events, they assume that it “had downloaded and installed ShadowPad on the four Piriform computers.”
The fact that ShadowPad is believed to have been developed by the Axiom group, the same actor behind the CCleaner attack, is also a strong indicator that this malware was intended to become the third stage payload, Avast says. The ShadowPad version used in the attack was custom-built, leading investigators to suspect it was explicitly created for Piriform. “While ShadowPad was

Post 264 .......................................................................
https://www.securityweek.com/two-new-flash-player-zero-day-bugs-found-hacking-team-leak

Top N Summary
-------------
Two New Flash Player Zero-Day Bugs Found in Hacking Team Leak
Researchers have identified exploits for two new Adobe Flash Player zero-day vulnerabilities in the Hacking Team leak. Last week, several security firms reported finding zero-day exploits for Flash Player (CVE-2015-5119) and Microsoft Windows vulnerabilities in the 400GB of data stolen by hackers from the systems of Italy-based spyware maker Hacking Team. Other exploit kits will likely follow soon. The first Flash Player vulnerability whose existence came to light following the Hacking Team breach was integrated into several exploit kits. Marietje Schaake, a Dutch member of the European Parliament, has asked the European Commission and Italian authorities to investigate Hacking Team’s activities.

Mean Scored Summary
-------------

Post 269 .......................................................................
https://www.fireeye.com//blog/threat-research/2013/02/netizen-research-bolsters-apt1-attribution.html

Top N Summary
-------------
This apartment complex is only a 600-meter walk away from the Unit 61398 headquarters building, as depicted in Figure 3. "[2] Furthermore, a person named Mei Qiang (梅强) co-authored two papers in 2007 and 2008 that are associated with the PLAIEU. However, if it is, it would indicate that he was probably a student at SJTU when he posed his question about Chinese cyber troops to Zhang Zhaozhong. An article published in the China Digital Times disclosed a 2004 recruitment notice on the Zhejiang University website advertising, "Unit 61398 of China's People's Liberation Army (located in Pudong District, Shanghai) seeks to recruit 2003-class computer science graduate students." But if you have to do more work to deny something than to accept it, you might want to reconsider your chain

Post 274 .......................................................................
https://www.fireeye.com//blog/threat-research/2013/02/threat-actors-mandiant-apt1-report-spear-phishing-nitty.html

Top N Summary
-------------
Before executing its payload the malware creates a thread that will monitor for windows created containing text related to AVG firewall notifications. An additional buffer is then decoded within the decoded shellcode using a single byte XOR key of 0xFF . The malware then attempts to connect to the configured server at itsec.eicp.net using TCP port 443 to download files to the infected system. The clean PDF is then displayed for the user while AdobeARM.exe is executed in the background. The malware takes the hostname string (up to 0x14 characters), increments each character by one and then appends the language ID string.

Mean Scored Summary
-------------------
As we noted yesterday , Brandon Dixon's 9B+ blog and Symantec reported the discovery of two malicious vers

Post 281 .......................................................................
https://securelist.com/it-threat-evolution-q1-2013/36660/

Top N Summary
-------------
The cybercriminals used Twitter in this attack: in order to obtain C&C server addresses and subsequently download new malicious modules, the backdoor sought out special tweets from previously created accounts. The operation was dubbed “ TeamSpy ,” as the remote admin program TeamViewer was used by the attackers to control victim computers. Two weeks later, Facebook issued a statement that the computers of several of the company’s staff members had been infected by exploits during visits to a mobile developer site. (18.78%), an adware Trojan ranked second. Microsoft, Mozilla, and Google all revoked two root certificates issued by the certificate authority TurkTrust, thus removing them from their respective browser databases.

Mean Scored Summary
-------------------
Cyberespionage and cyberweapons  Red October  At the very

Post 286 .......................................................................
https://www.securityweek.com/chinas-apt1-changing-tactics-rebuilding-mandiant

Top N Summary
-------------
The report was the first time a private sector company had laid out evidence to link the China to cyber-espionage campaigns against businesses and government entities around the world. The group has not been knocked out yet, as it probably still has access to an extensive infrastructure of computers around the world. Mandiant's report disrupted only APT1, not the others. "Mandiant has observed no significant changes in their operations," the follow-up report said. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage.

Mean Scored Summary
-------------------
The report was the first time a private sector company had laid out evidence to link the China to cyber-espionage campaigns against businesses and government entities around the world

Post 292 .......................................................................
https://www.symantec.com/connect/blogs/hidden-lynx-and-mss-protection

Top N Summary
-------------
+4
4
0

4 Votes




Symantec Official Blog
Hidden Lynx and MSS protection


By: Jeannie Warner
Symantec Employee



Created 18 Sep 2013 
1 Comment

Bookmark






Google+0


LinkedIn0


Twitter


submit


Email














EXECUTIVE SUMMARY:
On Tuesday September 17, 2013, Symantec’s Security Response organization published a whitepaper report on Hidden Lynx, a Chinese APT group of professional hackers with advanced capabilities. The distribution of Moudoor requires a sizeable number of people to both breach targets and retrieve the information from the compromised networks. The group makes use of regular zero-day exploits. Attacks against government contractors and, more specifically, the defense industry indicate that the group is in pursuit of confidential information and suggests that the group had been 

Post 296 .......................................................................
https://www.symantec.com/connect/blogs/apt1-qa-attacks-comment-crew

Top N Summary
-------------
The report cites the earliest known public reference about APT1 infrastructure as originating from Symantec. Q: How does a victim get infected? Q: Does Symantec know who this group is targeting? There are several IPS signatures to catch threat families associated with this group:

System Infected: Trojan.Ecltys Activity 2
System Infected: Barkiofork Malware Activity
System Infected: Shady Trojan Activity
System Infected: Dalbot Backdoor Activity

Q: How will this report affect the Comment Crew operations? Despite the exposure of the Comment Crew, Symantec believes they will continue their activities.

Mean Scored Summary
-------------------
The report cites the earliest known public reference about APT1 infrastructure as originating from Symantec. We have detected this threat as Backdoor.Wualess since 2006 and 

Post 299 .......................................................................
https://www.securityweek.com/china-linked-hackers-use-signed-network-filtering-driver-recent-attacks

Top N Summary
-------------
China-linked Hackers Use Signed Network Filtering Driver in Recent Attacks
A cyber-espionage group believed to be operating out of China has been using a digitally signed network filtering driver as part of recent attacks, Kaspersky Lab reports. Over the past several months, the actor has been abusing the digitally signed 32- and 64-bit network filtering driver NDISProxy to inject a previously unknown Trojan into the lsass.exe system process memory. The company was notified of the certificate abuse. The use of the publicly-available Earthworm tunneler is common to Chinese-speaking actors and one of the commands used by the attackers creates a tunnel to a previously known LuckyMouse server, which, paired with the choice of victims in this campaign, suggests that this actor is beh

Post 305 .......................................................................
https://www.fireeye.com//blog/threat-research/2015/04/probable_apt28_useo.html

Top N Summary
-------------
The culprit FLV file is embedded within AS3 in two chunks, and is reassembled at runtime. And like CORESHELL, the new malware attempts to download a second-stage executable. The same subnet ( 87.236.215.0/24 ) also hosts several known or suspected APT28 domains, as seen in Table 1. CVE-2015-1701 Exploit  The payload contains an exploit for the unpatched local privilege escalation vulnerability CVE-2015-1701 in Microsoft Windows. Barring authorized access to the victim’s machine, the attacker would have to find some other means, such as crafting a new Flash exploit, to deliver a CVE-2015-1701 payload.

Mean Scored Summary
-------------------
Microsoft is aware of the outstanding local privilege escalation vulnerability in Windows (CVE-2015-1701). It uses the vulnerability to run code from userspace in

Post 309 .......................................................................
https://securelist.com/it-threat-evolution-q1-2018/85469/

Top N Summary
-------------
Olympic Destroyer… but who did the ‘destroying’? In February, we published an overview of Sofacy activities in 2017 , revealing a gradual moved away from NATO-related targets at the start of 2017, towards targets in the Middle East, Central Asia and beyond. Kaspersky Lab, as a member of the ITU-T Study Group 20, was a contributor to the development of Recommendation ITU-T T.4806 , designed to classify security issues, examine potential threats and determine how cyber-security measures can support the safe execution of IoT systems tasks. The infection starts with the download of a potentially unwanted application (PUA) that contains the miner. This executes the legitimate system process and uses a process-hollowing technique whereby the legitimate process code is switched for malicious code.

Mean Scored Summary
---------

Post 313 .......................................................................
https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/

Top N Summary
-------------
One example of the new Sofacy USBSTEALER modules is 8b238931a7f64fddcad3057a96855f6c, which is named internally as msdetltemp.dll. At the beginning of August, Sofacy began a new wave of attacks, focusing on  defense-related targets. The module inspects every new disk volume attached to the system. For every disk it creates a “stash” directory in “% root stash directory location %\ %volume serial number in hex%” with attributes FILE_ATTRIBUTE_HIDDEN and FILE_ATTRIBUTE_SYSTEM. The function “ NvStart ” is similar to the main function of the older module; it creates a window and enters the message loop waiting for device arrival notifications.

Mean Scored Summary
-------------------
This led us to believe the two groups were connected, at least to begin with, although it appears they parted way

Post 319 .......................................................................
https://www.securityweek.com/russia-linked-hackers-used-two-zero-days-recent-targeted-attack-fireeye

Top N Summary
-------------
“One of the C2 locations for the new payload, 87.236.215[. The payload contains an exploit for the unpatched local privilege escalation vulnerability CVE-2015-1701 in Microsoft Windows. We are working with the Microsoft Security Team on CVE-2015-1701.”
 “Because CVE-2015-3043 is already patched, this remote exploit will not succeed on a fully patched system,” FireEye said. According to the most recent report from Trend Micro, the APT group has introduced new infrastructure and is "zeroing in" on targets including the White House and NATO members. *Updated to include name of campaign and modified headline









           (function() {
           var po = document.createElement("script"); po.type = "text/javascript"; po.async = true;
           po.src = "https://apis.google.co

Post 324 .......................................................................
https://www.securityweek.com/russia-linked-spies-deliver-malware-dde-attack

Top N Summary
-------------
Russia-Linked Spies Deliver Malware via DDE Attack
The Russia-linked cyber espionage group tracked as APT28 and Fancy Bear has started delivering malware to targeted users by leveraging a recently disclosed technique involving Microsoft Office documents and a Windows feature called Dynamic Data Exchange (DDE). Shortly after, security firms reported seeing attacks leveraging DDE to deliver malware, including Locky ransomware. In the APT28 attacks spotted by McAfee, cyberspies used the document referencing the New York City attack to deliver a first-stage malware tracked as Seduploader. The malware, typically used by the threat actor as a reconnaissance tool, is downloaded from a remote server using PowerShell commands. “[The] use of recent domestic events and a prominent US military exercise focused on d

Post 330 .......................................................................
https://www.securityweek.com/russia-linked-pawn-storm-attackers-exploiting-new-adobe-flash-zero-day

Top N Summary
-------------
According to Trend Micro, the threat group behind Operation Pawn Storm (also known as APT28, Sednit, Fancy Bear, Sofacy and Tsar Team) is using Adobe Flash zero-day exploit code in attacks targeting several Ministries of Foreign Affairs. Despite recent patches issued by Adobe on Oct. 13, this vulnerability is still unpatched, leaving Flash users vulnerable to attacks. Subject lines used to entice users to click included many “interesting” events such as: 
 “Suicide car bomb targets NATO troop convoy Kabul” 
“Syrian troops make gains as Putin defends air strikes” 
“Israel launches airstrikes on targets in Gaza” 
“Russia warns of response to reported US nuke buildup in Turkey, Europe” 
“US military reports 75 US-trained rebels return Syria” 
 Trend Micro researchers Brooks Li, Feik

Post 336 .......................................................................
https://www.securityweek.com/tech-firms-target-domains-used-russia-linked-threat-group

Top N Summary
-------------
Last year, the threat group was said to have orchestrated election-related hacker attacks in the United States. ]org, which was registered using the email address [email protected][. The researchers also managed to find name servers used by Fancy Bear, including nemohosts[. In 2014, in an attempt to take down the Bladabindi (njRAT) and Jenxcus (NJw0rm) malware families, the company seized 23 No-IP domains to route bad traffic to a sinkhole. Previous Columns by Ionut Arghire:‘DemonBot' Botnet Targets Hadoop ServersLogical Bug in Microsoft Word's 'Online Video' Allows Code ExecutionSOC-as-a-Service Firm Arctic Wolf Networks Raises $45 MillionMultiple Vulnerabilities Patched in ASRock Drivers'TimpDoor' Malware Turns Android Devices into Proxies
2019 ICS Cyber Security Conference | Singapore [Apr

Post 342 .......................................................................
https://www.securityweek.com/pawn-storm-attackers-target-mh17-plane-crash-investigators

Top N Summary
-------------
Pawn Storm Attackers Target MH17 Plane Crash Investigators
Organizations tasked with investigating the crash of Malaysia Airlines Flight MH17 have been targeted by the Russia-linked threat group known as Pawn Storm, Trend Micro reported on Thursday. The security firm discovered that the attackers set up fake Secure File Transfer Protocol (SFTP) and VPN servers designed to mimic servers of the Dutch Safety Board most likely in an effort to phish the credentials of the organization’s staff. “The VPN server of the Safety Board looks to use temporary tokens for authentication. In addition to the DSB, the attackers also targeted one of the organization’s key partners using a rogue Outlook Web Access (OWA) server, a technique previously used by Pawn Storm in attacks aimed at defense companies in t

Post 348 .......................................................................
https://www.securityweek.com/hackers-leak-olympic-committee-emails-response-russia-ban

Top N Summary
-------------
One of their most recent leaks included emails and medical records related to football (soccer) players who used illegal substances. WADA headquartered in Montreal, Canada supported by the United States Olympic Committee declared the crusade against the IOC on the pretext of defending clean sport,” the hackers said. Furthermore, Olympics-related organizations whose systems were previously breached by the hackers claimed at the time that some of the leaked files had been doctored. For instance, a hacker using the moniker Guccifer 2.0 has taken credit for an attack on the U.S. Democratic Party, which may have influenced last year’s presidential election. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.Prev

Post 355 .......................................................................
https://www.securityweek.com/windows-zero-day-exploited-attacks-aimed-middle-east

Top N Summary
-------------
The flaw, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue related to how the Win32k component of Windows handles objects in memory. The vulnerability was reported to Microsoft by Kaspersky Lab after one of the security firm's systems detected an exploitation attempt. "So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. A blog post published early on Wednesday by Kaspersky contains technical details on the vulnerability and how it has been exploited by FruityArmor. "We believe that although FruityArmor´s activity has been slowly increasing during the last two years, the extremely targeted nature of the attacks helps them fly below the radar," Kas

Post 361 .......................................................................
https://www.securityweek.com/uk-australia-blame-russia-bad-rabbit-other-attacks

Top N Summary
-------------
The NSCS believes that the GRU is behind the groups tracked by various security firms as APT28, Fancy Bear, Pawn Storm, Sofacy, Sednit, Cyber Caliphate, Cyber Berkut, BlackEnergy, Voodoo Bear, Strontium, Tsar Team and Sandworm. The NCSC says that the GRU is “almost certainly” responsible for the Bad Rabbit ransomware attack in October 2017, the August 2017 attack on the World Anti-Doping Agency (WADA), the 2016 attack on the U.S. Democratic National Committee (DNC), and an attack on a small TV station in the UK in the summer of 2015. “The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens. This pattern of behaviour demonstrates their desire to operate without regar

Post 364 .......................................................................
https://www.securityweek.com/pawn-storm-group-targets-turkey

Top N Summary
-------------
The economic and politically-motivated threat actor, which has been active for the past decade, is also known as APT28, Sednit, Sofacy, Fancy Bear and Tsar Team. The list of known targets also includes governments in Europe, Asia and the Middle East. Experts noted that if Pawn Storm is really a Russian group, it would make sense for it to target Turkey. “The target list above shows that Pawn Storm may be after political information from Turkey: even the Turkish parliament got attacked. The fact they have set up at least two fake OWA servers for one of the largest Turkish newspapers may also be considered as further proof that they are also after information on what is going on in major media outlets in that country,” Hacquebord noted.

Mean Scored Summary
-------------------
The economic and politically-motivated thre

Post 370 .......................................................................
https://www.securityweek.com/malicious-pdf-leads-discovery-adobe-reader-windows-zero-days

Top N Summary
-------------
The malicious document leverages a privilege escalation flaw in Windows (CVE-2018-8120) and a remote code execution vulnerability in Adobe Reader (CVE-2018-4990). In order to make it more difficult for attackers to execute arbitrary code on a system running its Reader software, Adobe has implemented a sandbox. “Even though the sample does not contain a real malicious final payload, which may suggest that it was caught during its early development stages, the author(s) demonstrated a high level of skills in vulnerability discovery and exploit writing,” explained Anton Cherepanov, the ESET researcher credited by Microsoft and Adobe for reporting the flaws. At the time of writing, 18 of the 59 antivirus engines on VirusTotal detect the files discovered by ESET as a generic Trojan or exploit. 

Post 376 .......................................................................
https://www.securityweek.com/russian-cyberspies-use-komplex-trojan-target-os-x-systems

Top N Summary
-------------
The malware, dubbed “Komplex,” appears to have been developed by the threat actor known as Sofacy, Pawn Storm, APT28, Sednit, Fancy Bear and Tsar Team. The Trojan allows attackers to execute arbitrary commands and download additional files to the affected machine. At the time, the malware had been delivered via a vulnerability in the MacKeeper security and optimization software. Ryan Olson, intelligence director at Palo Alto Networks’ Unit 42, told SecurityWeek that they first detected Komplex at the beginning of August. Related: Fysbis Backdoor Preferred by Pawn Storm Group to Target Linux









           (function() {
           var po = document.createElement("script"); po.type = "text/javascript"; po.async = true;
           po.src = "https://apis.google.com/js/plusone.js";
          

Post 381 .......................................................................
https://www.securityweek.com/russia-linked-hackers-leak-football-doping-files

Top N Summary
-------------
The threat actor is tracked by various security firms as APT28, Pawn Storm, Sednit, Sofacy, Tsar Team and Strontium. “Previous Fancy Bear dumps were almost always retaliatory and in response to sanctions from various international sports organizations. The organization has provided the following statement:
The World Anti-Doping Agency (WADA) is aware that, today, cyber espionage group ‘Fancy Bear’ once again released information; in particular, confidential athlete data regarding Therapeutic Use Exemptions (TUEs) on its website. Stakeholders can rest assured that ADAMS remains secure. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.Previous Columns by Eduard Kovacs:Sauter Quickly Patches Flaw in Building Automati

Post 387 .......................................................................
https://www.securityweek.com/russias-hackers-long-tied-military-secret-services

Top N Summary
-------------
That practice appears to have resumed under President Vladimir Putin, as Russia faces accusations of waging a global campaign of cyber attacks. In 2016, Russian cybersecurity giant Kaspersky estimated that between 2012 and 2015, Russian hackers had stolen at least $790 million worldwide. They "can work anywhere in the world, in any international company," he added. In 2012, the Russian defence ministry announced it was creating its own "cyber troops". Intel Budget Soars Under TrumpIBM to Acquire Open Source Giant Red Hat for $34 BillionBA Says 185,000 More Customers Affected in Cyber Attack
2018 ICS Cyber Security Conference | USA [Oct. 22-25]
Register an Invite to the CISO Forum at Half Moon Bay
2019 ICS Cyber Security Conference | Singapore [April 2019]

sponsored links

Tags: Cyberwarfare
NEWS & 

Post 394 .......................................................................
https://www.symantec.com/connect/blogs/adobe-patches-flash-player-vulnerability-used-pawn-storm-apt-campaign

Top N Summary
-------------
+2
2
0

2 Votes




Symantec Official Blog
Adobe patches Flash Player vulnerability used in Pawn Storm APT campaign
Adobe has issued an emergency patch for a new Flash Player vulnerability (CVE-2015-7645) exploited by attackers behind the Operation Pawn Storm campaign. By: Symantec Security Response
Symantec Employee



Created 19 Oct 2015 
0 Comments

: 
日本語


Bookmark






Google+0


LinkedIn0


Twitter


submit


Email















On October 16, Adobe released an emergency patch for a new Adobe Flash Player vulnerability (CVE-2015-7645), which was reportedly used by the attackers behind the Operation Pawn Storm (also known as APT28, Sednit, Fancy Bear, or Tsar Team) advanced persistent threat (APT) campaign. Select the version of Internet Explorer you are using at

Post 401 .......................................................................
https://www.fireeye.com//blog/threat-research/2017/03/dissecting_one_ofap.html

Top N Summary
-------------
Upon execution, this command extracted, decrypted, and executed the PowerShell backdoor payload stored in the HiveUploadTask text property of the RacTask class. Using a custom User Agent string or the system's User Agent string derived from urlmon.dll   7. When responding to an APT29 breach, it is vital to increase visibility, fully scope the incident before responding and thoroughly analyze accessed systems that don't contain known malware. This excellent whitepaper by William Ballenthin, Matt Graeber and Claudiu Teodorescu contains additional information on WMI offense, defense and forensics. This presentation by Christopher Glyer and Devon Kerr contains additional information on attacker use of WMI in past Mandiant investigations.

Mean Scored Summary
-------------------
POSHSPY's use of WMI to bo

Post 407 .......................................................................
https://www.securityweek.com/google-warns-users-recent-state-sponsored-attacks

Top N Summary
-------------
Register an Invite to the CISO Forum at Half Moon Bay
2019 ICS Cyber Security Conference | Singapore [April 2019]
2018 ICS Cyber Security Conference | USA [Oct. 22-25]

sponsored links

Tags: Cyberwarfare
NEWS & INDUSTRY
Tracking & Law Enforcement

Mean Scored Summary
-------------------
Register an Invite to the CISO Forum at Half Moon Bay
2019 ICS Cyber Security Conference | Singapore [April 2019]
2018 ICS Cyber Security Conference | USA [Oct. 22-25]

sponsored links

Tags: Cyberwarfare
NEWS & INDUSTRY
Tracking & Law Enforcement

Post 408 .......................................................................
https://www.securityweek.com/democracy-risk-poor-cybersecurity-foreign-interference-survey

Top N Summary
-------------
It started in June 2016 in the run-up to the 2016 presidential election,

Post 411 .......................................................................
https://www.securityweek.com/us-officially-accuses-russia-election-hacks

Top N Summary
-------------
Following the accusations, U.S. officals warned that it would act when it wants to protect national interests. The decentralized nature of the U.S election system and the number of protections state and local election officials have in place will help make a successful attack challenging, the U.S. says. In August, researchers from two security firms uncovered evidence that they say linked a Russian threat actor to the cyberattack targeting the U.S. Democratic Congressional Campaign Committee (DCCC). The DCCC was the second Democratic Party committee targeted by hackers over the summer. The first was the Democratic National Committee (DNC) which, according to several security companies, was targeted by two different Russia-linked advanced persistent threat (APT) actors: Cozy Bear, also known as Cozy Duke an

Post 417 .......................................................................
https://securelist.com/the-naikon-apt/69953/

Top N Summary
-------------
Considering the volume of Naikon activity observed and its relentless, repeated attack attempts, such a confrontation was worth looking into, so we did. In other cases, the connection was established via dedicated proxy servers installed on dedicated servers rented in third countries. Below is a partial list of organizations affected by Naikon’s “operator X’s” espionage campaign in country X. If necessary, operator X delivered them via the remote control client. The empire strikes back  Every once in a while the Naikon group clashes with other APT groups that are also active in the region.

Mean Scored Summary
-------------------
Considering the volume of Naikon activity observed and its relentless, repeated attack attempts, such a confrontation was worth looking into, so we did. It is hardly surprising that there is an element of ov

Post 421 .......................................................................
https://www.fireeye.com//blog/threat-research/2017/05/cyber-espionage-apt32.html

Top N Summary
-------------
Year   Country   Industry   Malware   2014   Vietnam   Network Security   WINDSHIELD   2014   Germany   Manufacturing   WINDSHIELD   2015   Vietnam   Media   WINDSHIELD   2016   Philippines   Consumer products   KOMPROGO WINDSHIELD SOUNDBITE BEACON   2016   Vietnam   Banking   WINDSHIELD   2016   Philippines   Technology Infrastructure   WINDSHIELD   2016   China   Hospitality   WINDSHIELD   2016   Vietnam   Media   WINDSHIELD   2016   United States   Consumer Products   WINDSHIELD PHOREAL BEACON SOUNDBITE   Table 1: APT32 Private Sector Targeting Identified by FireEye  APT32 Interest in Political Influence and Foreign Governments  In addition to focused targeting of the private sector with ties to Vietnam, APT32 has also targeted foreign governments, as well as Vietnamese dissidents and journalist

Post 425 .......................................................................
https://www.securityweek.com/campaign-targets-russian-speaking-enterprises-new-backdoor

Top N Summary
-------------
Campaign Targets Russian-Speaking Enterprises With New Backdoor
A malicious email campaign that has been active for at least two months is targeting Russian-speaking enterprises and delivering a new Windows-based backdoor, Trend Micro warns. Because of the emails’ limited distribution and specificity in social engineering lures, they should be considered part of a spear-phishing campaign, Trend Micro says. Once the exploit code was executed, it downloads a fake XLS file embedded with malicious JavaScript. Called Squiblydoo, this attack method abuses Regsvr32 to bypass restrictions on running scripts and evade application whitelisting protections such as AppLocker, and was previously associated with the activities of Vietnamese hacking group APT32. Previous Columns by Ionut Arghire:‘DemonBot'

Post 429 .......................................................................
https://www.fireeye.com//blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

Top N Summary
-------------
Figure 2: Excerpt of an APT33 malicious .hta file  We assess APT33 used a built-in phishing module within the publicly available ALFA TEaM Shell (aka ALFASHELL) to send hundreds of spear phishing emails to targeted individuals in 2016. Identified Persona Linked to Iranian Government  We identified APT33 malware tied to an Iranian persona who may have been employed by the Iranian government to conduct cyber threat activity against its adversaries. APT33’s focus on aviation may indicate the group’s desire to gain insight into regional military aviation capabilities to enhance Iran’s aviation capabilities or to support Iran’s military and strategic decision making. ]com   TURNEDUP   www.securityupdated[. ]net   TURNEDUP   syn.broadcaster[.

Mean Scored Summary
-------------------

Post 434 .......................................................................
https://www.securityweek.com/industry-reactions-iran-cyber-retaliation-over-us-nuclear-deal-exit

Top N Summary
-------------
Iran is only likely to use significant destructive capabilities if the situation escalates or the US expands its role in supporting Saudi Arabia. From a technical perspective they have more than enough capability to carry out successful attacks, as we have seen in the Middle East and the United States. The thing that will reduce their operational capacity is if the US government takes a proactive and aggressive counter cyber posture and actively disrupts Iran's program before an attack is launched. Taking action, putting lives at risk could result in a kinetic response from the US and/or its allies as well as put into question Europe’s current support of the agreement. Ironically, today is the day that the EU NIS Directive becomes law in all 28 EU Member States.”










         

Post 438 .......................................................................
https://www.securityweek.com/iranian-hackers-impersonate-israeli-security-firm

Top N Summary
-------------
In December 2017, ClearSky Cyber Security published a report detailing the group’s activities during the 2016-2017 timeframe. Roughly half a year after the report was published, the security firm announced on its Twitter account that the hackers built their own site impersonating ClearSky. The advanced persistent threat (APT) apparently copied entire pages from the legitimate website, but also changed one of them to include a sign in option with multiple services. The fake website started being flagged as deceptive soon after ClearSky discovered it. Previous Columns by Ionut Arghire:‘DemonBot' Botnet Targets Hadoop ServersLogical Bug in Microsoft Word's 'Online Video' Allows Code ExecutionSOC-as-a-Service Firm Arctic Wolf Networks Raises $45 MillionMultiple Vulnerabilities Patched in ASRock Drivers'T

Post 441 .......................................................................
https://www.fireeye.com//blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html

Top N Summary
-------------
Read our report, APT37 (Reaper): The Overlooked North Korean Actor , to learn more about our assessment that this threat actor is working on behalf of the North Korean government, as well as various other details about their operations:   Targeting: Primarily South Korea – though also Japan, Vietnam and the Middle East – in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare. Initial Infection Tactics: Social engineering tactics tailored specifically to desired targets, strategic web compromises typical of targeted cyber espionage operations, and the use of torrent file-sharing sites to distribute malware more indiscriminately. Exploited Vulnerabilities: Frequent exploitation of vulnerabilities in Hangul Word Processor (HW

Post 447 .......................................................................
https://www.securityweek.com/researchers-say-code-reuse-links-north-koreas-malware

Top N Summary
-------------
In fact, actors operating from the same country have been often observed sharing malware code and infrastructure, which often makes attribution highly problematic. The use of these malware families has been already attributed to the Lazarus Group, which is tracked by the U.S. government as Hidden Cobra. The security researchers also discovered a connection between the Tapaoux (or DarkHotel) malware family and samples from Operation Troy. The only malware that stands apart are the RATs attributed to Group 123, which are linked to one another. Previous Columns by Ionut Arghire:‘DemonBot' Botnet Targets Hadoop ServersLogical Bug in Microsoft Word's 'Online Video' Allows Code ExecutionSOC-as-a-Service Firm Arctic Wolf Networks Raises $45 MillionMultiple Vulnerabilities Patched in ASRock Drivers'TimpD

Post 451 .......................................................................
https://www.crowdstrike.com/blog/crowdstrike-falcon-defeats-gothic-panda-in-mitre-nation-state-emulation-test/

Top N Summary
-------------
For the roughly three decades that the commercial cybersecurity industry has existed, it has struggled with a fundamental problem –  a lack of realistic attack testing to determine whether the products that companies and consumers buy actually work in stopping real “in-the-wild” threats. Today I’m thrilled to announce that CrowdStrike Falcon, backed by our elite Falcon OverWatch™ team, aced the simulation – detecting and providing visibility into nearly every technique tested by the MITRE team. Our OverWatch team detects, stops and notifies our customers of about 400 serious breach attempts every single week – two per hour, on average. The one red cell below – “Exfiltration Over Command and Control Channel” (in this case, DNS) – was the only one missed by Falcon. The r

Post 454 .......................................................................
https://securelist.com/the-naikon-apt-and-the-msnmm-campaigns/70029/

Top N Summary
-------------
The MsnMM Campaigns [pdf]  For over half a decade, the Naikon APT waged multiple attack campaigns on sensitive targets throughout South-eastern Asia and around the South China Sea. Targets and victims included ASEAN governmental agencies and government departments, investment enterprises, military, law enforcement and border control organizations, embassies, university faculties and others. The Naikon attackers attempted to exfiltrate sensitive geo-political, military, and economic data; to intercept communications and to maintain surveillance on their victims throughout the MsnMM campaigns. Their toolset and techniques changed over time in many minor ways, and appear to be run by Chinese-speaking individuals. The consistent list of military, economic, and political targets gave away the actor’s interests.

Me

Post 459 .......................................................................
https://www.securityweek.com/flash-player-flaw-used-apt3-group-added-magnitude-exploit-kit

Top N Summary
-------------
The existence of the heap buffer overflow vulnerability (CVE-2015-3113) that can be exploited for arbitrary code execution was brought to light by FireEye. The security hole, which according to Trend Micro is similar to a previously discovered bug (CVE-2015-3043), exists due to the way Adobe Flash Player parses Flash Video (FLV) files. In late May, an exploit for a Flash Player bug fixed by Adobe on May 11 was added to the Angler exploit kit. “Some criminals might be behind several exploit kits, just like Paunch was behind Blackhole and Cool, and they may use the same exploit in all their kits.”









           (function() {
           var po = document.createElement("script"); po.type = "text/javascript"; po.async = true;
           po.src = "https://apis.google.com/js/plusone.js";
 

Post 462 .......................................................................
https://www.securityweek.com/state-sponsored-attackers-use-web-analytics-reconnaissance

Top N Summary
-------------
The reconnaissance campaign, which FireEye has been tracking since last year, is similar and possibly related to the activities of the Russia-linked advanced persistent threat (APT) group identified as Waterbug (Symantec) and Turla (Kaspersky Lab). FireEye has determined that the more than 100 compromised websites are likely to be visited by people interested in international travel, diplomacy, international economics, energy production and policy, and government matters. The list of targets includes government, embassy, higher education and research, entertainment and culture, NGO, international law, media, consumer goods and retail, energy, construction and engineering, visa services, and high tech websites in tens of countries across the world. Of particular interest appear to be executiv