Search This Blog

Showing posts with label APT. Show all posts

How Cybercrime and Cyberwar are Interlinked?


Cybersecurity experts have long debated that future conflicts will no longer be confronted just on a physical battlefield, but in a digital sphere as well. Although it is clear that the physical battlefield will not be mitigated sooner, considering the recent conflicts, we are also witnessing a rise in state-sponsored attacks like never before. It is therefore important that businesses, individuals, and governments ensure that they are prepared in combating an attack. Since, in a digital battleground, it is not just the soldiers being targeted, but everyone is in the line of fire. 

Broadly speaking, an act of cyberwar is any state-backed malicious online activity that targets foreign networks. However, as with most geopolitical phenomena, real-world examples of cyber warfare are far more complex. In the world of state-sponsored cybercrime, it is not just the government intelligence agencies that are directly carrying out attacks, but these days one can witness attacks from organized cybercriminal organizations that have ties to a nation-state. 

These organizations are known as advanced persistent threat (APT) groups. The infamous APT-28, also known as Fancy Bear, which hacked the Democratic National Committee in the year 2016 is an excellent example of this type of espionage operation. In a way, this serves as the ideal cover for malicious state actors who want to attack and disrupt vital infrastructure while lowering the potential for generating a geopolitical crisis or military conflict. 

If the Enemy Is in Range, So Are You 

Whether a cyberattack is directly linked to a foreign government agency, attacks on critical infrastructure can have devastating repercussions. Critical infrastructure does not just refer to state-owned and operated infrastructures such as power grids and government organizations - banks, large corporations, and Internet service providers all fall under the umbrella of critical infrastructure targets. 

As governments and private organizations continue to adopt advanced and connected IT networks, the risks and potential consequences will only increase. Recent research by the University of Michigan found security vulnerabilities in local traffic light systems. Although the flaw has subsequently been patched, this emphasizes the significance of robust, up-to-date inbuilt security systems to protect infrastructure against cyberattacks. 

Defend Now or Be Conquered Later 

With the rise in advancement and complexity in networks, the chance that vulnerabilities can be exploited as well increases exponentially. Every single endpoint on the network must be constantly monitored and secured if organizations are to have any chance of surviving a sophisticated state-backed attack. 

Some organizations are seen learning this lesson the hard way. For instance, in 2017, US food giant Mondelez was denied a $100 million insurance payout after suffering a Russian ATP cyberattack, since the attack was assumed to be “an act of war” and was not included in the firm’s cybersecurity policy. The conglomerate and Zurich Insurance recently rectified this issue on undisclosed terms.

Endpoint security has never been more critical than it is today. The use of personal mobile devices as a work tool has become pervasive across almost every single industry. This rise in the bring-your-own-devices policy has in part been driven by the false assumption that mobile devices are inherently more secure than desktops. 

However, for over 10 years, various governments and ATP groups with potential cyber capabilities have adapted to and exploited the mobile threat landscape with extremely low detection rates. Attacks on the state and public mobile networks can take down large parts of the workforce, impacting productivity and disrupting everything from the government’s decision-making to the state’s economy. 

IT and security managing experts may not be the ones preventing the inevitable cyberattacks or cyber war, but they can defend themselves against major setbacks. If a device is connected to the infrastructure, physically or virtually, it has become a potential back door for cybercriminals to access the data and disrupt operations. Thus, if organizations want to avoid being victims of potential cyberwarfare, endpoint security should be a priority in conducting operations, from mobiles to desktops.

Hacker Group Cranefly Develops ISS Method

The novel method of reading commands from seemingly innocent Internet Information Services (IIS) logs has been used to install backdoors and other tools by a recently leaked dropper. Cybersecurity experts at Symantec claimed an attacker is utilizing the malware known as Cranefly also known as UNC3524 to install Trojan. Danfuan, another undocumented malware, as well as other tools.

Mandiant reported that Cranefly mainly targeted the emails of individuals who specialized in corporate development, merger and acquisitions, and significant corporate transactions when it was originally founded in May. Mandiant claims that these attackers remained undetected on target networks for at least 18 months by using backdoors on equipment without support for security measures.

One of the main malware strains used by the gang is QUIETEXIT, a backdoor installed on network equipment like cloud services and wireless access point controllers that do not enable antivirus or endpoint monitoring. This allows the attacker to remain undetected for a long time.

Geppei and Danfuan augment Cranefly's arsenal of specialized cyber weapons, with Geppei serving as a dropper by collecting orders from IIS logs that look like normal web access requests delivered to a compromised host.

The most recent Symantec advisory now claims that UNC3524 used Hacktool-based backdoors in some instances. Multiple advanced persistent threat (APT) clusters use the open-source technology Regeorg.
Additionally, Symantec has cautioned that Cranefly is a 'pretty experienced' hacking group as evidenced by the adoption of a new method in conjunction with the bespoke tools and the measures made to conceal their activity.

On its alert and Protection Bulletins website, Symantec lists the indicators of compromise (IoC) for this attack. Polonium is another threat actor that usually focuses on gathering intelligence, and ESET recently saw Polonium utilizing seven different backdoor variants to snoop on Israeli firms.

Cranefly employs this sneaky method to keep a foothold on compromised servers and gather information covertly. As attackers can send commands through various channels, including proxy servers, VPNs, Tor, or online development environments, this method also aids in avoiding detection by investigators and law enforcement.

It is unclear how many systems have been compromised or how often the threat actors may have utilized this technique in ongoing operations.



Hackers Target Online Casinos With GamePlayerFramework Malware

 


The Russian cybersecurity company Kaspersky has stated that the activity of gambling puppet and DRBControl is associated with another set of intrusions that are being linked to Earth Berberoka (aka GamblingPuppet) and Earth Berberoka, citing a similar tactic and targeting as well as the creation of secure messaging clients.

As per the speculations "there may be a mix between espionage and IP theft, though their true motives remain a mystery so far," researchers Kurt Baumgartner and Georgy Kucherin wrote in a technical paper that appeared this week.

In November 2021 Kaspersky said that a PlugX loader and other payloads were detected on an employee monitoring service and a security package deployment service.

A company representative said on Friday that the attacker "was able to perform cyber espionage activities with some degree of stealth due to the initial infection method - the distribution of the framework through security solution packages."

"In addition to downloading programs, launchers, and a set of plugins used to gain remote access, the researchers also developed a new collection of keyloggers that can steal clipboard data and keystrokes from the computer."

In the following weeks, the same security package deployment service has also been used in the delivery of what is called the GamePlayerFramework, a C# variant of a C++-based malware known as PuppetLoader that was deployed.

Based on signs that have been uncovered, DiceyF appears to be a follow-on campaign to Earth Berberoka with a re-engineered malware toolset, even though the framework is maintained by two separate branches called Tifa and Yuna, which include different modules of varying sophistication.

While the Tifa branch mainly consists of a downloader and a core component, the Yuna branch is more complex in terms of functionality. It includes a downloader, a set of plugins, and a minimum of 12 PuppetLoader modules in addition to the downloader. Despite this, it is believed that both branches are actively and incrementally updated, and they are both considered active.

Regardless of the variant employed, once the GamePlayerFramework is launched, it can connect to the command-and-control system (C2) and transmit information about the compromised host, as well as the contents of the clipboard, and then the malware can seize control of the host by answering any of the fifteen commands that the C2 has provided.

As part of this process, the C2 server will also launch a plugin on the victim system. The plugin can either be downloaded from the C2 server when the framework is instantiated or retrieved by requesting the "InstallPlugin" command from the server when the framework is instantiated.

This allows the plugins to be used in conjunction with Google Chrome and Mozilla Firefox browsers to steal cookies from the browsers themselves. Also, this software is capable of capturing keystrokes and clipboard data, establishing virtual desktop sessions, and even being able to remotely log into the machine through Secure Shell.

Moreover, Kaspersky pointed out the use of a malicious app that mimicked Mango Employee Account Data Synchronizer, another piece of software that mimics employee account data synchronization. The GamePlayerFramework is dropped in the network by this messenger app which is used by the targeted entities to make their campaigns more effective.

Researchers have observed several exciting characteristics of DiceyF campaigns and TTP, according to the researchers. There is evidence that the group has modified their software over time, and has developed functionality in the code throughout their intrusions.

To ensure that victims would not become suspicious about the disguised implants, attackers gathered information about targeted organizations (like the floor where the IT department of the organization is located) and included the information in graphic windows that were displayed to victims.

FancyBear: Hackers Use PowerPoint Files to Deliver Malware

 

FancyBear: Hackers Use PowerPoint Files to Deliver Malware Cluster25 researchers have recently detected a threat group, APT28, also known as FancyBear, and attributed it to the Russian GRU (Main Intelligence Directorate of the Russian General Staff). The group has used a new code execution technique that uses mouse movement in Microsoft PowerPoint, to deliver Graphite malware.
 
According to the researchers, the threat campaign has been actively targeting organizations and individuals in the defense and government organizations of the European Union and East European countries. The cyber espionage campaign is believed to be still active.
 

Methodology of Threat Actor

 
The threat actor allegedly entices victims with a PowerPoint file claiming to be associated with the Organization for Economic Cooperation (OECD).
 
This file includes two slides, with instructions in English and French to access the translation feature in zoom. Additionally, it incorporates a hyperlink that plays a trigger for delivering a malicious PowerShell script that downloads a JPEG image carrying an encrypted DLL file.
 
The resulting payload, Graphite malware is in Portable Executable (PE) form, which allows the malware operator to load other malwares into the system memory.
 
“The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications.” States Cluster25, in its published analysis.
 
The aforementioned Graphite malware is a fileless malware that is deployed in-memory only and is used by malware operators to deliver post-exploitation frameworks like Empire. Graphite malware’s purpose is to allow the attacker to deploy other malwares into the system memory.
 
 
Based on the discovered metadata, according to Cluster25, the hackers have been preparing for the cyber campaign between January and February. However, the URLs used in the attacks were active in August and September.
 
With more hacker groups attempting to carry out such malicious cyber campaigns, the government and private sectors must deploy more powerful solutions to prevent future breaches and cyber attacks to safeguard their organizations.

Upcoming Crimeware is Driven by Cobalt Strike

Threat actors are transitioning away from the Cobalt Strike suite of penetration testing tools in favor of less well-known frameworks that are similar.

Sliver, an open-source, cross-platform kit, is emerging as a viable replacement for Brute Ratel. Utilizing research queries derived by examining the toolkit, how sliver functions, its components, and malicious activity using it can be found.

Cobalt Strike, a toolkit enabling attackers to deploy "beacons" on compromised machines to conduct remote network surveillance or issue instructions, has long been one of the most well-liked tools in red team engagements.

Hackers are attempting various methods that can avoid Endpoint Detection and Response (EDR) and antivirus solutions because defenders have learned to detect and block assaults depending on this toolkit.

Hackers have developed alternatives as Cobalt Strike's defenses have gotten stronger. They switched to Brute Ratel, an adversarial attack simulation program meant to avoid security products, as seen by Palo Alto Networks.

According to a Microsoft analysis, hackers of all stripes—from state-sponsored organizations to cybercrime gangs—are increasingly employing the Go-based Sliver security testing tool created by experts at BishopFox cybersecurity firm in their attacks.

Microsoft tracks one group that adopted Sliver as DEV-0237. The gang, also known as FIN12, has been connected to several ransomware developers. The gang in the past, has used malware, such as TrickBot, to spread ransomware payloads from other ransomware operators.

State-sponsored actors in Russia, especially APT29 also known as Cozy Bear, The Dukes, and Grizzly Steppe, have reportedly also used Sliver to keep access to compromised environments, according to a report from the UK's Government Communications Headquarters (GCHQ).

Microsoft says that Sliver has been used in more recent attacks in place of BazarLoader using the Bumblebee (Coldtrain) malware loader, which is connected to the Conti syndicate.

Defenders can utilize Microsoft's set of tactics, techniques, and procedures (TTPs) to recognize Sliver and other new C2 frameworks. Hackers can set up listeners to detect anomalies on the network for Sliver infrastructure because the Sliver C2 network supports several protocols DNS, HTTP/TLS, MTLS, and TCP, accepts implants/operator connections, and can host files to imitate legitimate web servers.

Microsoft also provided details on how to recognize Sliver payloads produced from the C2 framework's official, unmodified source.

Microsoft advises removing configurations when they are put into memory for Sliver malware payloads that don't have a lot of contexts because the framework needs to de-obfuscate and decrypt them in order to use them.


Esca RAT Spyware Actively Employed Cybercriminals

Escanor is a new RAT (Remote Administration Tool) that was promoted on the Dark Web and Telegram, as per Resecurity, a cybersecurity firm based in Los Angeles that protects Fortune 500 companies globally. 

The threat actors provide versions of the RAT for Android and PC, as well as an HVNC module and an exploit builder to turn Microsoft Office and Adobe PDF files into weapons for spreading malicious code. 

The tool was first publicly available for purchase on January 26th of this year as a small HVNC implant that allowed for the establishment of a stealthy remote connection to the victim's machine. Later, the kit evolved into a full-scale, commercial RAT with a robust feature set. 

Over 28,000 people have joined Escanor's Telegram channel, which has a solid reputation on the Dark Web. Previous 'cracked' releases by the actor going by the same name included Venom RAT, 888 RAT, and Pandora HVNC, which were probably utilized to enhance Escanor's capability further.

According to reports, cybercriminals actively employ the malware known as Esca RAT, a mobile variant of Escanor, to attack users of online banks by intercepting one-time password (OTP) credentials.

The warning states that the tool "may be used to gather the victim's GPS locations, watch keystrokes, turn on hidden cameras, and browse files on the distant mobile devices to steal data."

Escanor Exploit Builder has been used to deliver the vast majority of samples that have lately been discovered. Decoy documents that look like bills and notices from well-known internet providers are utilized by hackers.

Resecurity also advised that the website address 'escanor[.]live' has earlier been linked to Arid Viper, a group that was active in the Middle East in 2015.

APT C-23 is also known as Arid Viper. Espionage and information theft are this threat actor's primary goals, which have been attributed to malevolent actors with political motivations for the freedom of Palestine. Although Arid Viper is not a particularly technologically advanced actor, it is known to target desktop and mobile platforms, including Apple iOS. 

Their primary malware, Micropsia, is surrounded by Delphi packers and compilers in their toolset. This implant has also been converted to various platforms, including an Android version and versions built on Python.

The majority of Escanor patients have been located in the United States, Canada, the United Arab Emirates, Saudi Arabia, Kuwait, Bahrain, Egypt, Israel, Mexico, and Singapore, with a few infections also occurring in South-East Asia.




North Korea Linked APT: US Sanctions Crypto Mixer Tornado Cash


The U.S Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned the crypto mixer service Tornado Cash. It was used by North Korean hackers linked to Lazarus APT Group. 

What is Crypto Mixers?

The mixers are crucial elements for threat actors that use it for money laundering, the mixer was used in laundering the funds stolen from victims. 

As per OFAC, cybercriminals used Tornado Cash to launder more than $7 Billion worth of virtual currency, which was created in 2019. The Lazarus APT group laundered more than $455 million money and stole in the biggest ever virtual currency heist to date. 

About the attack

It was also used in laundering over $96 million of malicious actors' funds received from the 24th June 2022 Harmony Bridge Heist and around $7.8 million from Nomad crypto heist recently. The sanction has been taken in accordance with Executive Order (E.O) 13694. 

"Today, Treasury is sanctioning Tornado Cash, a virtual currency mixer that launders the proceeds of cybercrimes, including those committed against victims in the United States,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.”

The Sanctions

In May, the US department of treasury sanctioned another cryptocurrency mixer, Blender.io, it was used by Lazarus APT, a hacking group linked to North Korea. It was used for laundering money from Axie Infinity's Ronin Bridge. The treasury has for the first time sanctioned a virtual currency mixer. 

"Virtual currency mixers that assist criminals are a threat to U.S. national security. Treasury will continue to investigate the use of mixers for illicit purposes and use its authorities to respond to illicit financing risks in the virtual currency ecosystem.” concludes the announcement published by the U.S. Treasury Department. “Criminals have increased their use of anonymity-enhancing technologies, including mixers, to help hide the movement or origin of funds.”



North Korea: Maui Ransomware Attacks Healthcare Services

 

North Korean state-sponsored hackers are using Maui to encrypt computers and data for vital healthcare services, including electronic health records, diagnostics, imaging, and intranet. A joint advisory from the FBI, the Treasury Department, and the Cybersecurity and Infrastructure Security Agency (CISA) describes a ransomware campaign that Pyongyang has been executing at least since May 2021. 

Traits of threat actors

It is unknown how these threat actors enter organizations through the initial access vector. The less well-known ransomware family stands out, according to cybersecurity firm Stairwell, since it lacks numerous essential characteristics typically found in ransomware-as-a-service (RaaS) groups. Stairwell's findings served as the basis for the alert. 

The lack of an "embedded ransom letter to provide recovery instructions or automated means of transferring encryption keys to attackers" is one analogy of this, according to security expert Silas Cutler in a technical analysis of the ransomware.

Instead, Maui sample analysis indicates that the malware is made to be manually executed by a remote actor using a command-line interface, utilizing it to target particular files on the compromised machine for encryption, as recently seen in the case of Bronze Starlight.

Each of these keys is then encrypted with RSA using a key pair generated for the first time when Maui is launched, in addition to encrypting target files with AES 128-bit encryption with a new key. The RSA keys are encrypted using a hard-coded, particular-to-each-campaign RSA public key as a third-degree of security.

The fact that Maui is not provided as a service to other affiliates for use in exchange for a cut of the money earned is another thing that sets it apart from other conventional ransomware products. 

Why is DPRK targeting healthcare?

Ransomware is highly hazardous in the healthcare industry. Such businesses often don't provide cybersecurity much attention or funds. Hospitals and other similar organizations also own critical medical and health data prone to abuse. Furthermore, such facilities cannot afford to be shut down for an extended period, which increases the possibility that they might pay the ransom to resume services.

Although these North Korean-sponsored ransomware operations targeting healthcare companies have been occurring for a year, iboss claims that they have increased significantly and become more sophisticated since then. It's the most recent example of how North Korean enemies are changing their strategies to shadily produce an ongoing flow of income for the country's struggling economy. 

The ransomware attacks are alleged to have temporarily or permanently affected health services in several cases. It is currently uncertain what infection vector was first used to carry out the incursions. Only 2% of those who paid the ransom in 2021 received their whole data recovered, according to the Sophos' State of Ransomware in Healthcare 2022 report. This compares to the global average of 46%. 

China-linked APT Went Under Radar for Decade

 

Researchers have discovered a small but effective China-linked APT that has been operating in Southeast Asia and Australia for more than a decade, running campaigns against government, education, and telecommunications institutions. 

SentinelLabs researchers stated that the APT, dubbed Aoqin Dragon, has been active since at least 2013. According to the report, the APT is "a small Chinese-speaking team with potential association to [an APT called] UNC94." According to researchers, one of Aoqin Dragon's methods and approaches is to use pornographic-themed infected documents as bait to attract victims to download them. 

“Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices,” researchers wrote. The fact that Aoqin Dragon has developed, allowed them to stay under the radar for so long. For example, the APT's technique of infecting target computers has progressed. Aoqin Dragon depended on exploiting old vulnerabilities – especially, CVE-2012-0158 and CVE-2010-3333 – that their targets may not have yet fixed in their early years of operation. 

Aoqin Dragon later developed executable files with desktop icons that resembled Windows folders or antivirus software. These programmes were malicious droppers that planted backdoors and then connected to the attackers' command-and-control (C2) servers. Since 2018, the group has used a fraudulent detachable device as an infection vector. 

When a user clicks to view what appears to be a removable device folder, they really start a chain reaction that downloads a backdoor and establishes a C2 connection on their PC. Furthermore, the malware replicates itself to any genuine removable devices attached to the host system in order to move beyond the host and, presumably, onto the target's larger network. Other methods have been used by the group to remain undetected. 

They've exploited DNS tunnelling to get around firewalls by altering the internet's domain name system. Mongall, a backdoor exploit, encrypts communication data between the host and the C2 server. According to the experts, the APT gradually began to use the fake removable disc approach over time. This was done to "improve the malware's resistance to detection and removal by security tools." 

National-State Ties 

Targets have tended to fall into a few categories: government, education, and telecommunications, all in and around Southeast Asia. Researchers assert that “the targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests.” 

A debug log discovered by researchers that contain simplified Chinese characters provides more proof of Chinese influence. Most importantly, the researchers uncovered an overlapping attack on the website of Myanmar's president in 2014. In another case, investigators were able to track the hackers' command-and-control and mail servers all the way back to Beijing. 

With that circumstance, Aoqin Dragon's two primary backdoors have overlapping C2 infrastructure, and the majority of the C2 servers may be ascribed to Chinese-speaking users. Still, "correctly identifying and monitoring State and State-Sponsored threat actors can be challenging," said Mike Parkin, senior technical engineer at Vulcan Cyber. 

“SentinelOne releasing the information now on an APT group that has apparently been active for almost a decade, and doesn’t appear in other lists, shows how hard it can be ‘to be sure when you’re identifying a new threat actor.”

LuoYu APT Delivers WinDealer Malware Via Man-on-the-side Attacks

 

An "extremely sophisticated" Chinese-speaking advanced persistent threat (APT) actor known as LuoYu has been spotted utilising a malicious Windows application known as WinDealer supplied via man-on-the-side assaults.

In a new report, Russian cybersecurity company Kaspersky said, "This groundbreaking development allows the actor to modify network traffic in-transit to insert malicious payloads. Such attacks are especially dangerous and devastating because they do not require any interaction with the target to lead to successful infection." 

Organizations targeted by LuoYu, which has been active since 2008, include primarily foreign diplomatic organisations based in China, members of the academic community, as well as financial, defence, logistics, and telecommunications firms. Taiwanese cybersecurity firm TeamT5 initially discovered LuoYu's usage of WinDealer at the Japan Security Analyst Conference (JSAC) in January 2021. 

Later assault campaigns targeted Japanese businesses, with isolated infections recorded in Austria, Germany, India, Russia, and the United States. PlugX and its sequel ShadowPad, both of which have been utilised by a number of Chinese threat actors to support their strategic objectives, are also part of the adversary's malware arsenal. The actor is also known to target Linux, macOS, and Android devices. 

WinDealer, for its part, has already been distributed via watering holes and trojanized apps masquerading as instant chatting and video hosting services such as Tencent QQ and Youku. However, the infection vector has now been exchanged by another form of dissemination that uses the automated update mechanism of chosen genuine apps to deliver a compromised version of the executable on "rare occasions."

At its core, WinDealer is a modular malware platform with all the bells and whistles of a standard backdoor, allowing it to collect sensitive data, snap screenshots, and run arbitrary commands.

It further distinguishes itself by employing a complicated IP creation method to choose a command-and-control (C2) server at random from a pool of 48,000 IP addresses. 

"The only way to explain these seemingly impossible network behaviours is by assuming the existence of a man-on-the-side attacker who is able to intercept all network traffic and even modify it if needed," the company said. 

A man-on-the-side attack, like a man-in-the-middle attack, allows a malicious intruder to read and inject arbitrary messages into a communications channel while not being able to edit or delete messages delivered by other parties. Such attacks often rely on carefully timing their messages so that the malicious response containing the attacker-supplied material is delivered in response to a victim's request for web resources before the actual response from the server. 

"Man-on-the-side-attacks are extremely destructive as the only condition needed to attack a device is for it to be connected to the internet," security researcher Suguru Ishimaru said. 

"No matter how the attack has been carried out, the only way for potential victims to defend themselves is to remain extremely vigilant and have robust security procedures, such as regular antivirus scans, analysis of outbound network traffic, and extensive logging to detect anomalies."

Organizations are More Susceptible to Known Vulnerabilities in Comparison to Zero-Day Flaw

 

A study of APT hacking campaigns conducted from 2008 to 2020 by University of Trento security researchers indicates enterprise IT security admins should worry most about fixing their systems for known vulnerabilities, rather than chasing a patch for every zero-day flaw that emerges. 

The researchers analyzed the impact of 86 APTs and 350 attack campaigns and debunked the belief that all APTs are highly sophisticated and prefer targeting zero-day flaws rather than ones that have already been patched. 

“Contrary to common belief, most APT campaigns employed publicly known vulnerabilities,” researchers Giorgio Di Tizio, Michele Armellini, and Fabio Massacci wrote in the report published on the pre-print server arXiv. 

Indeed, out of the 86 APTs they examined, only eight – known respectively as Stealth Falcon, APT17, Equation, Dragonfly, Elderwood, FIN8, DarkHydrus, and Rancor – exploited CVEs were not used by anybody else. This demonstrates that not all the APTs are as sophisticated as many thinks, as the groups “often reuse tools, malware, and vulnerabilities,” researchers wrote. 

Faster updates minimize the threat 

The study showed that organizations that apply software updates as soon as they're published face the lowest odds of being compromised. However, the need to do regression testing before applying an update means that entities often take far longer to update their software. 

It typically takes more than 200 days for an organization to align 90 percent of their machines with the latest software patches due to regression testing, which ensures that updated systems function properly after the update, researchers found. Such behavior is rational because not all vulnerabilities are always exploited in the wild. However, to combat APTs, slow updates do not seem appropriate. 

The study conducted by University of Trento researchers specifically focused on the effectiveness and cost of different software update strategies for five widely used enterprise software products: Office, Acrobat Reader, Air, JRE, and Flash Player for the Windows OS environment. 

"In summary, for the broadly used products we analyzed, if you cannot keep updating always and immediately (e.g., because you must do regression testing before deploying an update), then being purely reactive on the publicly known vulnerable releases has the same risk profile than updating with a delay, but costs significantly less," the researchers added.

Chinese Hackers are Targeting Russian Aerospace Industry

 

Space Pirates, a Chinese cyberespionage group is targeting businesses in the Russian aerospace industry with phishing emails to deploy a novel strain of malware. 

The APT group started operating in 2017, and researchers believe it is associated with other China-linked APT groups, including APT41 (Winnti), Mustang Panda, and APT27. Russian security researchers at Positive Technologies named the group "Space Pirates" due to their espionage operations focusing on stealing confidential information from companies in the aerospace field. 

Malicious actors targeted government agencies, IT departments, and aerospace and power enterprises in Russia, Georgia as well as Mongolia. However, the majority of victims were spotted to be in Russia. Out of those, several victims operated specifically within the partially state-owned aerospace industry of the Russian Federation. 

The researchers first uncovered signs of Space Pirates' activity last summer during incident response and quickly confirmed that the malicious actors employed the same malware and infrastructure against at least four more domestic organizations since 2019. 

According to researchers, at least two attacks on Russian organizations were successful. In one instance, Space Pirates accessed at least 20 servers on the corporate network and stayed there for ten months; 1,500 internal documents were stolen, together with information about all employee accounts in one of the network domains. 

In the second assault, the Chinese attackers stayed in the network of the compromised firms for over a year, exfiltrating confidential information and deploying their malware to 12 corporate network nodes in three distinct regions. 

The Space Pirates’ unique toolkit contains a wide range of malware, including unique loaders and multiple previously undetected backdoors tracked as MyKLoadClient, BH_A006, and Deed RAT. The arsenal also includes the Zupdax backdoor along with well-known malware such as PlugX RAT, ShadowPad backdoor, Poison Ivy RAT, a modified version of PcShare, and the public ReVBShell shell. The APT group also leverages the dog-tunnel utility to tunnel traffic. 

The threat analysts believe that the overlaps between various Chinese APTs are due to tool exchanges, a common phenomenon for hackers in the region. 

“APT groups with Asian roots continue to attack Russian companies, which is confirmed by the activity of the Space Pirates group. Attackers both develop new malware that implements non-standard techniques (such as Deed RAT) and uses modifications of existing backdoors. Sometimes such modifications can have many layers of obfuscation added to counteract protections and complicate the analysis procedure – as in the case of BH_A006, built on the code of the popular Gh0st backdoor,” researchers explained. 

“A separate difficulty in the case of APT groups in the Asian region is the exact attribution of the observed activity: the frequent exchange of tools used, as well as the joint activity of various groups in some cases, significantly complicate this task.”

Top Israeli Officials Duped by Bearded Barbie Hackers

 

Cybercriminals appear to be aggressively promoting the Remcos RAT that first appeared in hacking forums in 2016 and was marketed sold, and offered cracks on a variety of websites and forums. In 2017, researchers discovered Remcos being distributed via a malicious PowerPoint slideshow with a CVE-2017-0199 exploit. Remcos RAT is a piece of commercial software which may be purchased online. 

An "elaborate effort" targeting high-profile Israeli individuals working in critical defense, law enforcement, and emergency services sectors has been traced to a threat actor associated with Hamas' cyber warfare section. The Hamas-backed hacker outfit dubbed 'APT-C-23' was discovered catfishing Israeli officials in defense, law enforcement, and government institutions, resulting in the deployment of new malware. 

Before delivering spyware, the campaign uses advanced social engineering techniques like creating phony social media identities and maintaining a strong partnership with the targets. AridViper has previously targeted Palestinian law enforcement, military, or educational institutions, as well as the Israel Security Agency, with spear-phishing assaults (ISA). Researchers from Cisco Talos discovered AridViper assaults against activists involved in the Israel-Palestine conflict in February.

Malicious actors have built several phony Facebook pages utilizing forged credentials and pirated or AI-generated photographs of attractive women, and have used these profiles to approach their targets. The operators have spent months curating these profiles to make them appear legitimate, posting in Hebrew and alike organizations and prominent pages in Israel. The creators of these profiles create a network of friends who are actually people who work in Israel's police, defense forces, emergency services, or government. The opponents recommend transferring the chat to WhatsApp, ostensibly for more privacy, after building the target's trust by talking with individuals for a while. 

The Android app is actually the virus VolatileVenom.The icon is concealed on pre-Android 10 devices; with Android 10, the virus utilizes the Google Play installation icon. When the victim tries to sign into the Wink Chat, an error message appears, stating the app will be deleted. With a wide spectrum of espionage capabilities, VolatileVenom continues to function in the background. 

The malicious actors will eventually email the target a RAR file containing supposedly explicit photographs or videos as part of the catfishing attempts. This RAR file, on the other hand, contains the Barb(ie) installer malware, which installs the BarbWire backdoor. The filename of a sample of Barb(ie) detected by Cybereason is "Windows Notifications," and when it is made to run, it performs basic anti-analysis checks. If the host is deemed appropriate, the downloader links to an integrated C2 server. 

The BarbWire Backdoor is sent by the C2 server. The downloader contains a backup technique for finding a different C2. If the attackers need to modify the C2 from the one inserted, they can simply send an SMS message with the new destination. All inbound SMS messages are intercepted by the downloader. If one is provided by the intruders, it can just extract the new C2 information and install the backdoor. BarbWire steals data from PDFs, Office files, archives, picture files, movies, and photos, among other file types. It also checks for external media, such as a CD-ROM file, implying it's hunting for highly sensitive material which is carried around physically or over the internet. The stolen information is stored in a RAR archive and then sent to the attackers' C2 server. 

APT-C-23 employs several approaches which have been used in previous operations against Israeli targets, but it is constantly evolving with new tools and more intricate social engineering efforts. The lack of overlapping infrastructure distinguishes Operation Bearded Barbie from past missions, indicating the group's goal of avoiding notice. Another escalation for the threat actor is the usage of two backdoors, one for Windows and one for Android, resulting in very active espionage for the compromised targets.

Chinese APT Actor Tracked as 'Antlion' Targeting Companies in Taiwan

 

It has been almost 18 months since the Chinese state-backed advanced persistent threat (APT) actor tracked as ‘Antlion’ has been attacking financial institutions and manufacturing companies in Taiwan state in a persistent campaign. The researchers at Symantec noted that the threat actors deployed a new custom backdoor named 'xPack' on compromised networks, which gave malicious actors wide access into the victim’s system.

The backdoor was designed to run WMI commands remotely, while it has also been seen that the attackers leveraged EternalBlue exploits in the backdoor. The attackers also interact with SMB shares, and it is also possible that the actors used mounted shares over SMB to transfer data to the command and control (C2) server. 

Furthermore, the attackers have successfully browsed the web through the backdoor, likely using it as a proxy to mask their IP address. Researchers believe that the malware was used in a campaign against Taiwan and had allowed the adversaries to run stealthy cyber-espionage operations. 

While dissecting such an attack, it could be seen that the malicious actors spent 175 days on the compromised network. However, the Symantec cyberthreat unit is studying two other incidents of such kind to determine how the adversary went undetected on the network for as long as 250 days. 

The researcher said that the new custom malware helped threat actors achieve this level of furtiveness; Symantec researchers have also deducted the following custom tools that help xPack in this operation. 

• EHAGBPSL – Custom C++ loader 
• CheckID – Custom C++ loader based on a similar tool used by the BlackHole RAT 
• JpgRun – Custom C++ loader 
• NetSessionEnum – Custom SMB session enumeration tool 
• Kerberos golden ticket tool based on the Mimikatz credentials stealer 
• ENCODE MMC – Custom bind/reverse file transfer tool 

"There is also evidence that the attackers likely automated the data collection process via batch scripts, while there is also evidence of instances where data was likely staged for further exfiltration, though it was not actually observed being exfiltrated from the network," explains Symantec.

APT41 Used the New MoonBounce UEFI Malware in Targeted Attacks

 

According to the Kaspersky researchers who discovered it, a new firmware bootkit discovered in the wild demonstrates remarkable advances over previous similar tools. MoonBounce is a harmful implant that hides in a computer's UEFI firmware in the system's SPI flash - a storage component external to the hard drive, making it difficult to remove and difficult for proprietary security products to detect. UEFI is a technical specification that aids in the interoperability of computer systems' operating systems (OS) and firmware software. 

Being able to place malicious code known as a "UEFI bootkit" in the firmware is an ideal approach to avoid detection by antivirus software and other security measures running at the OS level. This has been done before, with the FinFisher malware and the ESPecter backdoor being two recent instances. In general, these tools hijack the boot sequence and initialize it before the operating system's security components. They are extremely tenacious because they nest in regions that cannot be wiped, such as reserved disk space. 

"The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx, and ExitBootServices," explains Kaspersky in the report. "Those hooks are used to divert the flow of these functions to malicious shellcode that is appended by the attackers to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader." 

MoonBounce is the third bootkit identified in the wild, following LoJax and MosaicRegressor, and it shows "substantial development, with a more sophisticated attack flow and better technical sophistication" when compared to predecessors. It was discovered in 2021 by Kaspersky using its Firmware Scanner, which is designed to detect threats hidden in the ROM BIOS, including UEFI firmware images.

Kaspersky discovered a plethora of evidence linking MoonBounce to APT41, ranging from the deployment of the ScrambleCross malware itself to unique certificates acquired from its C2 servers that correspond to earlier FBI reports on APT41 activities. While the United States Department of Justice discovered and charged five APT41 members in September 2020, the presence of MoonBounce and the operation around it demonstrates that the threat actors were not deterred by the legal pressure. 

According to the telemetry data, the attacks were extremely targeted, and Kaspersky only detected the firmware rootkit on one occasion. Kaspersky discovered several malware samples and loaders in other devices on the same network, however, they were non-UEFI implants. Microcin backdoor, Mimikat credential stealer, Go implant, StealthMutant loader, and ScrambleCross malware are a few examples.

Iranian Hackers Behind Cox Media Group Ransomware Attack

 

Iranian hackers were behind the ransomware attack that disrupted Cox radio and TV stations' IT systems and live streaming earlier this year, according to The Record. 

The attack was carried out by a threat actor known as DEV-0270, which has been linked to many incursions against US organizations this year that resulted in the deployment of ransomware. While the Cox Media Group's infiltration was discovered on June 3 when the attackers used ransomware to encrypt some internal servers, the group had been breaching and hiding inside the company's internal network since mid-May. 

The attack did not affect all Cox Media Group radio and television stations, but it did disrupt certain stations' capability to broadcast live feeds on their websites. Initially, the Cox Media Group attempted to downplay the incident. 

Local reporters who used Twitter to convey information about the ransomware attack were admonished and forced to withdraw their posts. However, four months later, in October, the corporation finally confirmed the incident, although without disclosing any details about the Iranian hackers. 

The disclosure that Iranian hackers were behind the Cox attack comes less than a month after the US Department of Justice charged two Iranian citizens with various hacking-related offenses in November. One of them was for compromising a US media firm with the goal of disseminating false information about the legality of the US 2020 Presidential election via its website. 

Lee Enterprises, which owns the Buffalo News, the Arizona Daily Star, and the Omaha World-Herald, was eventually confirmed as the company. DEV-0270 has previously engaged in both information-collection operations and financially motivated attacks, according to a Microsoft threat intelligence analysis on the group, obscuring the true reason behind the recent Cox ransomware attack. 

The strategy of delivering ransomware on the networks of large corporations was first detected in late 2016 by Iranian hackers, namely the SamSam group. Their strategy of focusing on large businesses rather than end-users was later adopted by the majority of ransomware threat actors, and is now known as "big-game hunting." 

Since then, the majority of ransomware attacks have been attributed to Russian-based groups; however, certain ransomware cases have also been linked to members of state-sponsored espionage groups operating in Iran, China, and North Korea in recent years. 

These groups used ransomware on the networks of some of their victims as a path to monetize compromised companies with no intelligence-collection value or to hide intelligence collection behind a more generic ransomware issue that wouldn't prompt a more in-depth examination. 

Cox Media Group spokespersons did not respond to inquiries for comment on the incursion in May and June.

'Tropic Trooper' Makes a Comeback to Target Transportation Organizations

 

Trend Micro reports that a Chinese state-sponsored threat actor known as 'Tropic Trooper' has been targeting transportation firms and government bodies associated with the transportation sector since the middle of 2020. The advanced persistent threat (APT), also known as Earth Centaur and KeyBoy, has been active since 2011, conducting espionage attacks targeting organizations in the government, healthcare, high-tech, and transportation sectors in Hong Kong, the Philippines, and Taiwan. 

Trend Micro warned that the group attempted to access flight schedules, financial plans, and other internal documents at the target organizations, as well as any personal information available on the compromised hosts, including search histories, as part of the attacks carried out over the last year and a half.

According to the report, the analysts were able to tie the new Earth Centaur activity to Tropic Trooper after discovering comparable code in configuration decoding. “Currently, we have not discovered substantial damage to these victims as caused by the threat group,” Trend Micro’s analysts explained. “However, we believe that it will continue collecting internal information from the compromised victims and that it is simply waiting for an opportunity to use this data.” 

The researchers noticed that one of the group's signature tactics, techniques, and procedures (TTPs) includes astute red teamwork. According to the research, Earth Centaur is skilled at evading security and remaining unnoticed. “Depending on the target, it uses backdoors with different protocols, and it can also use the reverse proxy to bypass the monitoring of network security systems. The usage of the open-source frameworks also allows the group to develop new backdoor variants efficiently, ” the report said. 

According to the research, the threat group typically penetrates target computers via a weak Exchange or Internet Information Services (IIS) server, then drops backdoors such as ChiserClient and SmileSvr. According to the researchers, a customized version of Gh0st RAT then sets out to collect data from active sessions on the host. The attackers then go across the infiltrated organization's network and exfiltrate valuable data. 

The rise in threat actor's interest in transportation and government coincides with the November passage of the Infrastructure Deal, which promises massive investments across the transportation sector, including $39 billion for transit modernization, $89.9 billion for public transit, $25 billion for airports, $66 billion in rail funding, and much more. The government is set to pour billions of dollars into the transportation sector, and Earth Centaur appears to be perfectly prepared to profit.

Determined APT is Abusing ManageEngine ServiceDesk Plus Flaw

 

An APT gang is abusing a severe vulnerability in Zoho ManageEngine ServiceDesk Plus (CVE-2021-44077) to infiltrate enterprises in a range of industries, including defence and technology. 

The Cybersecurity and Infrastructure Security Agency (CISA) alerted, “Successful exploitation of the vulnerability allows an attacker to upload executable files and place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.” 

CVE-2021-44077 is an authentication bypass flaw in ManageEngine ServiceDesk Plus (on-premises) installations using versions 11305 and earlier. An incorrect security configuration process in ServiceDesk Plus is the root of the vulnerability, which allows an attacker to obtain unauthorised access to the application's information via a few of its application URLs. 

The company explained, “To do so, an attacker has to manipulate any vulnerable application URL path from the assets module with a proper character set replacement. This URL can bypass the authentication process and fetch the required data for the attacker, allowing the attacker to gain unauthorized access to user data or carry out subsequent attacks.” 

On September 16, 2021, ManageEngine (a Zoho subsidiary) released version 11306 to address the issue. CVE-2021-44077 has been the target of attacks for quite some time. Unit 42 at Palo Alto Networks has linked the activity to a "persistent and determined APT actor" who first exploited a zero-day vulnerability in ADSelfService in August and September, then moved to leverage another vulnerability (CVE-2021-44077) impacting the same software in September and October, and is now (since late October) exploiting CVE-2021-44077 in the ServiceDesk Plus software. 

The researchers believe that the APT actor generated the exploit code for their assaults because there is no publicly available proof of concept exploit code for CVE-2021-44077. 

“Upon exploitation, the actor has been observed uploading a new dropper to victim systems. Similar to the previous tactics used against the ADSelfService software, this dropper deploys a Godzilla web shell which provides the actor with further access to and persistence in compromised systems,” they shared.

“Over the past three months, at least 13 organizations across the technology, energy, healthcare, education, finance and defence industries have been compromised [by this APT]. Of the four new victims, two were compromised through vulnerable ADSelfService Plus servers while two were compromised through ServiceDesk Plus software. We anticipate that this number will climb as the actor continues to conduct reconnaissance activities against these industries and others, including infrastructure associated with five U.S. states.” 

Unit 42's search for internet-facing ManageEngine ServiceDesk Plus installations found over 4,700 installations, with 2,900 of them vulnerable to exploitation. In the United States, there are about 600 of them. 

The researchers have released technical details and proofs of concept for the most recent attacks targeting CVE-2021-44077, as well as suggestions for companies on how to protect themselves. Similar information, as well as network indicators, TTPs, Yara rules, and mitigation advice, is available in the CISA advisory, and Zoho has offered additional details and a downloadable exploit detection tool that businesses can use to run a quick scan and explore any compromises in their installation. 

Finally, the Palo Alto researchers have issued an additional cautionary statement: “In continuing to track this actor’s activities, we believe it is also important to note that on Nov. 9, we observed the actor connecting to passwordmanagerpromsp[.]com. This domain is associated with another ManageEngine product that provides Managed Service Providers (MSPs) with the ability to manage passwords across multiple customers in a single instance. Earlier this year, Zoho released a patch for CVE-2021-33617 affecting this product. While we have not seen any exploitation attempts to date, given the actor’s emerging pattern of targeting ManageEngine products and the actor’s interest in this third product, we highly recommend organizations apply the relevant patches.”

TA406 APT Group, Which is Tied to North Korea, has Increased its Attacks

 

In 2021, a North Korean-linked threat actor known as TA406 ramped up its attacks, including credential harvesting activities, according to Proofpoint. The adversary, also known as Kimsuky, Thallium, and Konni by security researchers, has been attacking companies in sectors like education, government, media, and research, as well as other businesses. According to Proofpoint, TA406 is the most closely associated with Kimsuky activity, which is tracked by the security firm as three distinct threat actors: TA406, TA408, and TA427.

Kaspersky researchers initially discovered the TA406 cyberespionage group in 2013. The US-CERT published a report on Kimusky's latest operations towards the end of October 2020, detailing their TTPs and infrastructure. The APT group primarily targeted South Korean think tanks and organizations, with victims in the United States, Europe, and Russia. 

“Our analysts have tracked TA406 campaigns targeting customers since 2018, but the threat actor’s campaigns remained low in volume until the beginning of January 2021,” the company said. 

During the first half of the year, Proofpoint noticed weekly attacks against journalists, foreign policy experts, and non-governmental organizations (NGOs), particularly those related to actions that affect the Korean Peninsula. Journalists and academics were also targeted. TA406 targeted high-ranking political figures at numerous governmental institutions, and consultancy firms, defense institutions, law enforcement agencies, and economic and financial organizations, as part of their March 2021 campaign. 

Amadey, Android Moez, BabyShark, CARROTBAT/CARROTBALL, FatBoy, KONNI, SANNY, and YoreKey are among the malware families used. It also appears that NavRAT and QuasarRAT were used. 

“Generally, TA406 phishing campaigns focus on individuals in North America, Russia, and China, with the actors frequently masquerading as Russian diplomats and academics, representatives of the Ministry of Foreign Affairs of the Russian Federation, human rights officials, or Korean individuals. TA406 has also targeted individuals and organizations related to cryptocurrency for the purpose of financial gain.” reads the report. 

According to the security experts, TA406 has been involved in financially motivated assaults, such as sextortion and the targeting of cryptocurrency, just like other North Korean state-sponsored actors. “Proofpoint assesses with high confidence that TA406 operates on behalf of the North Korean government. Proofpoint anticipates this threat actor will continue to conduct corporate credential theft operations frequently, targeting entities of interest to the North Korean government,” the security firm notes.

BlackBerry Discovers Initial Access Broker Linked to 3 Different Hacker Groups

 

The latest report from BlackBerry revealed an initial access broker termed "Zebra2104" that has links with three harmful cybercriminals groups, and few are involved in phishing campaigns and ransomware attacks Research and Intelligent team at Blackberry discovered that Zebra2104 gave entry points to ransomware groups such as MountLocker, Phobos, and StrongPity APT. 

The access was given to various organizations in Australia and Turkey which fell victim to the attacks. The StrongPity APT attacked Turkish firms in the healthcare sector, and also targeted smaller enterprises. As per Blackberry, its research suggests an access broker having a lot of manpower, or actors might've built large hidden traps on the web. 

The report also suggests that an inquiry confirmed that MountLocker ransomware was working along with StrongPity, an APT group that dates back to 2012, a Turkish state-sponsored group (allegedly). As of now, it might be hard to believe that criminal groups are sharing resources, but the experts have found a common link, enabled by a fourth criminal group termed Zebra2104, which the experts believe to be an Initial Access Broker (IAB). According to experts, there is an abundance of hacking groups working together, more than mentioned in this article. 

The single-domain directed the experts to a path where they discovered various ransomware attacks, and an APT C2 (command and control). The path turned out to be an IAB--Zebra2104 infrastructure. IAB's general gets access to the top bidders in dark web platforms on underground forums. Following that, the winning bidder deploys ransomware or any other malware in the target organization's systems, the campaign depends on the goals of the attack. 

"A few of the domains had been involved in a phishing campaign that went after state government departments in Australia as well as real estate companies there in September 2020. With the help of other Microsoft reports, the researchers were able to trace the campaigns further to an indicator of compromise of a MountLocker intrusion," reports ZD Net.