Security News

Attackers employ novel methods to backdoor French organizations
2022-03-21 10:43

An advanced threat actor has been spotted using distinctive, novel methods to backdoor French entities in the construction, real estate, and government industries. The attack starts with a well-known technique - emails containing a macro-enabled Microsoft Word document masquerading as information relating to the GDPR - and ends up with an attempt to install a backdoor on target systems.

New Backdoor Targets French Entities via Open-Source Package Installer
2022-03-21 02:12

Researchers have exposed a new targeted email campaign aimed at French entities in the construction, real estate, and government sectors that leverages the Chocolatey Windows package manager to deliver a backdoor called Serpent on compromised systems. Enterprise security firm Proofpoint attributed the attacks to a likely advanced threat actor based on the tactics and the victimology patterns observed.

French speakers blasted by sextortion scams with no text or links
2022-02-21 19:59

Over the last year or two we've noticed that the steady stream of sextortion emails we used to receive - at one time, we were getting several variants on the theme each week - has dwindled to almost nothing. Often, attackers stick to messages in plain text or HTML for the obvious reason that web or email links in those messages typically turn into directly tempting "calls to action".

TinyNuke info-stealing malware is again attacking French users
2021-12-13 21:22

The info-stealing malware TinyNuke has re-emerged in a new campaign targeting French users with invoice-themed lures in emails sent to corporate addresses and individuals working in manufacturing, technology, construction, and business services. The TinyNuke malware activity first appeared in 2017, culminated in 2018, then dropped significantly in 2019, and almost faded out of existence in 2020.

France warns of Nobelium cyberspies attacking French orgs
2021-12-06 18:46

The French national cyber-security agency ANSSI said today that the Russian-backed Nobelium hacking group behind last year's SolarWinds hack has been targeting French organizations since February 2021. While ANSSI has not determined how Nobelium compromised email accounts belonging to French orgs, it added that the hackers used them to deliver malicious emails targeting foreign institutions.

Lockean multi-ransomware affiliates linked to attacks on French orgs
2021-11-04 11:22

Details about the tools and tactics used by a ransomware affiliate group, now tracked as Lockean, have emerged today in a report from France's Computer Emergency Response Team. Lockean activity was first noticed in 2020 when the actor hit a French company in the manufacturing sector and deployed DoppelPaymer ransomware on the network.

Lockean multi-RaaS affiliate linked to attacks against French businesses
2021-11-04 11:22

Details about the tools and tactics used by a ransomware affiliate group, now tracked as Lockean, have emerged today in a report from France's Computer Emergency Response Team. Lockean activity was first noticed in 2020 when the actor hit a French company in the manufacturing sector and deployed DoppelPaymer ransomware on the network.

ProtonMail Forced to Log IP Address of French Activist
2021-09-07 16:07

The privacy-hugging, end-to-end encryption-providing email provider ProtonMail was forced to log the IP address of a French activist and turn it over to Europol, according to a French police report that came to light over the weekend. French police sent a request to Swiss police via Europol and thus managed to force the company to hand over the IP address and device details of the French activist.

ProtonMail deletes 'we don't log your IP' boast from website after French climate activist reportedly arrested
2021-09-07 11:31

Encrypted email service ProtonMail has become embroiled in a minor scandal after responding to a legal request to hand over a user's IP address and details of the devices he used to access his mailbox to Swiss police - resulting in the user's arrest. Police were executing a warrant obtained by French authorities and served on their Swiss counterparts through Interpol, according to social media rumours that ProtonMail chief exec Andy Yen acknowledged to The Register.

Proofpoint wins $14m from ex-VP and French email security rival in IP theft court battle
2021-08-24 16:57

Lemarié, the San Francisco jury found, then went on to share those trade secrets with his new employer, French email security firm Vade Secure. Of 20 trade secrets Proofpoint said Lemarié and Vade had used unlawfully, the jury agreed that 15 had been misappropriated by Vade Secure in a "wilful and malicious" way, according to the final verdict form.