Search This Blog

Showing posts with label APT. Show all posts

Chinese Hackers are Targeting Russian Aerospace Industry

 

Space Pirates, a Chinese cyberespionage group is targeting businesses in the Russian aerospace industry with phishing emails to deploy a novel strain of malware. 

The APT group started operating in 2017, and researchers believe it is associated with other China-linked APT groups, including APT41 (Winnti), Mustang Panda, and APT27. Russian security researchers at Positive Technologies named the group "Space Pirates" due to their espionage operations focusing on stealing confidential information from companies in the aerospace field. 

Malicious actors targeted government agencies, IT departments, and aerospace and power enterprises in Russia, Georgia as well as Mongolia. However, the majority of victims were spotted to be in Russia. Out of those, several victims operated specifically within the partially state-owned aerospace industry of the Russian Federation. 

The researchers first uncovered signs of Space Pirates' activity last summer during incident response and quickly confirmed that the malicious actors employed the same malware and infrastructure against at least four more domestic organizations since 2019. 

According to researchers, at least two attacks on Russian organizations were successful. In one instance, Space Pirates accessed at least 20 servers on the corporate network and stayed there for ten months; 1,500 internal documents were stolen, together with information about all employee accounts in one of the network domains. 

In the second assault, the Chinese attackers stayed in the network of the compromised firms for over a year, exfiltrating confidential information and deploying their malware to 12 corporate network nodes in three distinct regions. 

The Space Pirates’ unique toolkit contains a wide range of malware, including unique loaders and multiple previously undetected backdoors tracked as MyKLoadClient, BH_A006, and Deed RAT. The arsenal also includes the Zupdax backdoor along with well-known malware such as PlugX RAT, ShadowPad backdoor, Poison Ivy RAT, a modified version of PcShare, and the public ReVBShell shell. The APT group also leverages the dog-tunnel utility to tunnel traffic. 

The threat analysts believe that the overlaps between various Chinese APTs are due to tool exchanges, a common phenomenon for hackers in the region. 

“APT groups with Asian roots continue to attack Russian companies, which is confirmed by the activity of the Space Pirates group. Attackers both develop new malware that implements non-standard techniques (such as Deed RAT) and uses modifications of existing backdoors. Sometimes such modifications can have many layers of obfuscation added to counteract protections and complicate the analysis procedure – as in the case of BH_A006, built on the code of the popular Gh0st backdoor,” researchers explained. 

“A separate difficulty in the case of APT groups in the Asian region is the exact attribution of the observed activity: the frequent exchange of tools used, as well as the joint activity of various groups in some cases, significantly complicate this task.”

Top Israeli Officials Duped by Bearded Barbie Hackers

 

Cybercriminals appear to be aggressively promoting the Remcos RAT that first appeared in hacking forums in 2016 and was marketed sold, and offered cracks on a variety of websites and forums. In 2017, researchers discovered Remcos being distributed via a malicious PowerPoint slideshow with a CVE-2017-0199 exploit. Remcos RAT is a piece of commercial software which may be purchased online. 

An "elaborate effort" targeting high-profile Israeli individuals working in critical defense, law enforcement, and emergency services sectors has been traced to a threat actor associated with Hamas' cyber warfare section. The Hamas-backed hacker outfit dubbed 'APT-C-23' was discovered catfishing Israeli officials in defense, law enforcement, and government institutions, resulting in the deployment of new malware. 

Before delivering spyware, the campaign uses advanced social engineering techniques like creating phony social media identities and maintaining a strong partnership with the targets. AridViper has previously targeted Palestinian law enforcement, military, or educational institutions, as well as the Israel Security Agency, with spear-phishing assaults (ISA). Researchers from Cisco Talos discovered AridViper assaults against activists involved in the Israel-Palestine conflict in February.

Malicious actors have built several phony Facebook pages utilizing forged credentials and pirated or AI-generated photographs of attractive women, and have used these profiles to approach their targets. The operators have spent months curating these profiles to make them appear legitimate, posting in Hebrew and alike organizations and prominent pages in Israel. The creators of these profiles create a network of friends who are actually people who work in Israel's police, defense forces, emergency services, or government. The opponents recommend transferring the chat to WhatsApp, ostensibly for more privacy, after building the target's trust by talking with individuals for a while. 

The Android app is actually the virus VolatileVenom.The icon is concealed on pre-Android 10 devices; with Android 10, the virus utilizes the Google Play installation icon. When the victim tries to sign into the Wink Chat, an error message appears, stating the app will be deleted. With a wide spectrum of espionage capabilities, VolatileVenom continues to function in the background. 

The malicious actors will eventually email the target a RAR file containing supposedly explicit photographs or videos as part of the catfishing attempts. This RAR file, on the other hand, contains the Barb(ie) installer malware, which installs the BarbWire backdoor. The filename of a sample of Barb(ie) detected by Cybereason is "Windows Notifications," and when it is made to run, it performs basic anti-analysis checks. If the host is deemed appropriate, the downloader links to an integrated C2 server. 

The BarbWire Backdoor is sent by the C2 server. The downloader contains a backup technique for finding a different C2. If the attackers need to modify the C2 from the one inserted, they can simply send an SMS message with the new destination. All inbound SMS messages are intercepted by the downloader. If one is provided by the intruders, it can just extract the new C2 information and install the backdoor. BarbWire steals data from PDFs, Office files, archives, picture files, movies, and photos, among other file types. It also checks for external media, such as a CD-ROM file, implying it's hunting for highly sensitive material which is carried around physically or over the internet. The stolen information is stored in a RAR archive and then sent to the attackers' C2 server. 

APT-C-23 employs several approaches which have been used in previous operations against Israeli targets, but it is constantly evolving with new tools and more intricate social engineering efforts. The lack of overlapping infrastructure distinguishes Operation Bearded Barbie from past missions, indicating the group's goal of avoiding notice. Another escalation for the threat actor is the usage of two backdoors, one for Windows and one for Android, resulting in very active espionage for the compromised targets.

Chinese APT Actor Tracked as 'Antlion' Targeting Companies in Taiwan

 

It has been almost 18 months since the Chinese state-backed advanced persistent threat (APT) actor tracked as ‘Antlion’ has been attacking financial institutions and manufacturing companies in Taiwan state in a persistent campaign. The researchers at Symantec noted that the threat actors deployed a new custom backdoor named 'xPack' on compromised networks, which gave malicious actors wide access into the victim’s system.

The backdoor was designed to run WMI commands remotely, while it has also been seen that the attackers leveraged EternalBlue exploits in the backdoor. The attackers also interact with SMB shares, and it is also possible that the actors used mounted shares over SMB to transfer data to the command and control (C2) server. 

Furthermore, the attackers have successfully browsed the web through the backdoor, likely using it as a proxy to mask their IP address. Researchers believe that the malware was used in a campaign against Taiwan and had allowed the adversaries to run stealthy cyber-espionage operations. 

While dissecting such an attack, it could be seen that the malicious actors spent 175 days on the compromised network. However, the Symantec cyberthreat unit is studying two other incidents of such kind to determine how the adversary went undetected on the network for as long as 250 days. 

The researcher said that the new custom malware helped threat actors achieve this level of furtiveness; Symantec researchers have also deducted the following custom tools that help xPack in this operation. 

• EHAGBPSL – Custom C++ loader 
• CheckID – Custom C++ loader based on a similar tool used by the BlackHole RAT 
• JpgRun – Custom C++ loader 
• NetSessionEnum – Custom SMB session enumeration tool 
• Kerberos golden ticket tool based on the Mimikatz credentials stealer 
• ENCODE MMC – Custom bind/reverse file transfer tool 

"There is also evidence that the attackers likely automated the data collection process via batch scripts, while there is also evidence of instances where data was likely staged for further exfiltration, though it was not actually observed being exfiltrated from the network," explains Symantec.

APT41 Used the New MoonBounce UEFI Malware in Targeted Attacks

 

According to the Kaspersky researchers who discovered it, a new firmware bootkit discovered in the wild demonstrates remarkable advances over previous similar tools. MoonBounce is a harmful implant that hides in a computer's UEFI firmware in the system's SPI flash - a storage component external to the hard drive, making it difficult to remove and difficult for proprietary security products to detect. UEFI is a technical specification that aids in the interoperability of computer systems' operating systems (OS) and firmware software. 

Being able to place malicious code known as a "UEFI bootkit" in the firmware is an ideal approach to avoid detection by antivirus software and other security measures running at the OS level. This has been done before, with the FinFisher malware and the ESPecter backdoor being two recent instances. In general, these tools hijack the boot sequence and initialize it before the operating system's security components. They are extremely tenacious because they nest in regions that cannot be wiped, such as reserved disk space. 

"The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx, and ExitBootServices," explains Kaspersky in the report. "Those hooks are used to divert the flow of these functions to malicious shellcode that is appended by the attackers to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader." 

MoonBounce is the third bootkit identified in the wild, following LoJax and MosaicRegressor, and it shows "substantial development, with a more sophisticated attack flow and better technical sophistication" when compared to predecessors. It was discovered in 2021 by Kaspersky using its Firmware Scanner, which is designed to detect threats hidden in the ROM BIOS, including UEFI firmware images.

Kaspersky discovered a plethora of evidence linking MoonBounce to APT41, ranging from the deployment of the ScrambleCross malware itself to unique certificates acquired from its C2 servers that correspond to earlier FBI reports on APT41 activities. While the United States Department of Justice discovered and charged five APT41 members in September 2020, the presence of MoonBounce and the operation around it demonstrates that the threat actors were not deterred by the legal pressure. 

According to the telemetry data, the attacks were extremely targeted, and Kaspersky only detected the firmware rootkit on one occasion. Kaspersky discovered several malware samples and loaders in other devices on the same network, however, they were non-UEFI implants. Microcin backdoor, Mimikat credential stealer, Go implant, StealthMutant loader, and ScrambleCross malware are a few examples.

Iranian Hackers Behind Cox Media Group Ransomware Attack

 

Iranian hackers were behind the ransomware attack that disrupted Cox radio and TV stations' IT systems and live streaming earlier this year, according to The Record. 

The attack was carried out by a threat actor known as DEV-0270, which has been linked to many incursions against US organizations this year that resulted in the deployment of ransomware. While the Cox Media Group's infiltration was discovered on June 3 when the attackers used ransomware to encrypt some internal servers, the group had been breaching and hiding inside the company's internal network since mid-May. 

The attack did not affect all Cox Media Group radio and television stations, but it did disrupt certain stations' capability to broadcast live feeds on their websites. Initially, the Cox Media Group attempted to downplay the incident. 

Local reporters who used Twitter to convey information about the ransomware attack were admonished and forced to withdraw their posts. However, four months later, in October, the corporation finally confirmed the incident, although without disclosing any details about the Iranian hackers. 

The disclosure that Iranian hackers were behind the Cox attack comes less than a month after the US Department of Justice charged two Iranian citizens with various hacking-related offenses in November. One of them was for compromising a US media firm with the goal of disseminating false information about the legality of the US 2020 Presidential election via its website. 

Lee Enterprises, which owns the Buffalo News, the Arizona Daily Star, and the Omaha World-Herald, was eventually confirmed as the company. DEV-0270 has previously engaged in both information-collection operations and financially motivated attacks, according to a Microsoft threat intelligence analysis on the group, obscuring the true reason behind the recent Cox ransomware attack. 

The strategy of delivering ransomware on the networks of large corporations was first detected in late 2016 by Iranian hackers, namely the SamSam group. Their strategy of focusing on large businesses rather than end-users was later adopted by the majority of ransomware threat actors, and is now known as "big-game hunting." 

Since then, the majority of ransomware attacks have been attributed to Russian-based groups; however, certain ransomware cases have also been linked to members of state-sponsored espionage groups operating in Iran, China, and North Korea in recent years. 

These groups used ransomware on the networks of some of their victims as a path to monetize compromised companies with no intelligence-collection value or to hide intelligence collection behind a more generic ransomware issue that wouldn't prompt a more in-depth examination. 

Cox Media Group spokespersons did not respond to inquiries for comment on the incursion in May and June.

'Tropic Trooper' Makes a Comeback to Target Transportation Organizations

 

Trend Micro reports that a Chinese state-sponsored threat actor known as 'Tropic Trooper' has been targeting transportation firms and government bodies associated with the transportation sector since the middle of 2020. The advanced persistent threat (APT), also known as Earth Centaur and KeyBoy, has been active since 2011, conducting espionage attacks targeting organizations in the government, healthcare, high-tech, and transportation sectors in Hong Kong, the Philippines, and Taiwan. 

Trend Micro warned that the group attempted to access flight schedules, financial plans, and other internal documents at the target organizations, as well as any personal information available on the compromised hosts, including search histories, as part of the attacks carried out over the last year and a half.

According to the report, the analysts were able to tie the new Earth Centaur activity to Tropic Trooper after discovering comparable code in configuration decoding. “Currently, we have not discovered substantial damage to these victims as caused by the threat group,” Trend Micro’s analysts explained. “However, we believe that it will continue collecting internal information from the compromised victims and that it is simply waiting for an opportunity to use this data.” 

The researchers noticed that one of the group's signature tactics, techniques, and procedures (TTPs) includes astute red teamwork. According to the research, Earth Centaur is skilled at evading security and remaining unnoticed. “Depending on the target, it uses backdoors with different protocols, and it can also use the reverse proxy to bypass the monitoring of network security systems. The usage of the open-source frameworks also allows the group to develop new backdoor variants efficiently, ” the report said. 

According to the research, the threat group typically penetrates target computers via a weak Exchange or Internet Information Services (IIS) server, then drops backdoors such as ChiserClient and SmileSvr. According to the researchers, a customized version of Gh0st RAT then sets out to collect data from active sessions on the host. The attackers then go across the infiltrated organization's network and exfiltrate valuable data. 

The rise in threat actor's interest in transportation and government coincides with the November passage of the Infrastructure Deal, which promises massive investments across the transportation sector, including $39 billion for transit modernization, $89.9 billion for public transit, $25 billion for airports, $66 billion in rail funding, and much more. The government is set to pour billions of dollars into the transportation sector, and Earth Centaur appears to be perfectly prepared to profit.

Determined APT is Abusing ManageEngine ServiceDesk Plus Flaw

 

An APT gang is abusing a severe vulnerability in Zoho ManageEngine ServiceDesk Plus (CVE-2021-44077) to infiltrate enterprises in a range of industries, including defence and technology. 

The Cybersecurity and Infrastructure Security Agency (CISA) alerted, “Successful exploitation of the vulnerability allows an attacker to upload executable files and place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.” 

CVE-2021-44077 is an authentication bypass flaw in ManageEngine ServiceDesk Plus (on-premises) installations using versions 11305 and earlier. An incorrect security configuration process in ServiceDesk Plus is the root of the vulnerability, which allows an attacker to obtain unauthorised access to the application's information via a few of its application URLs. 

The company explained, “To do so, an attacker has to manipulate any vulnerable application URL path from the assets module with a proper character set replacement. This URL can bypass the authentication process and fetch the required data for the attacker, allowing the attacker to gain unauthorized access to user data or carry out subsequent attacks.” 

On September 16, 2021, ManageEngine (a Zoho subsidiary) released version 11306 to address the issue. CVE-2021-44077 has been the target of attacks for quite some time. Unit 42 at Palo Alto Networks has linked the activity to a "persistent and determined APT actor" who first exploited a zero-day vulnerability in ADSelfService in August and September, then moved to leverage another vulnerability (CVE-2021-44077) impacting the same software in September and October, and is now (since late October) exploiting CVE-2021-44077 in the ServiceDesk Plus software. 

The researchers believe that the APT actor generated the exploit code for their assaults because there is no publicly available proof of concept exploit code for CVE-2021-44077. 

“Upon exploitation, the actor has been observed uploading a new dropper to victim systems. Similar to the previous tactics used against the ADSelfService software, this dropper deploys a Godzilla web shell which provides the actor with further access to and persistence in compromised systems,” they shared.

“Over the past three months, at least 13 organizations across the technology, energy, healthcare, education, finance and defence industries have been compromised [by this APT]. Of the four new victims, two were compromised through vulnerable ADSelfService Plus servers while two were compromised through ServiceDesk Plus software. We anticipate that this number will climb as the actor continues to conduct reconnaissance activities against these industries and others, including infrastructure associated with five U.S. states.” 

Unit 42's search for internet-facing ManageEngine ServiceDesk Plus installations found over 4,700 installations, with 2,900 of them vulnerable to exploitation. In the United States, there are about 600 of them. 

The researchers have released technical details and proofs of concept for the most recent attacks targeting CVE-2021-44077, as well as suggestions for companies on how to protect themselves. Similar information, as well as network indicators, TTPs, Yara rules, and mitigation advice, is available in the CISA advisory, and Zoho has offered additional details and a downloadable exploit detection tool that businesses can use to run a quick scan and explore any compromises in their installation. 

Finally, the Palo Alto researchers have issued an additional cautionary statement: “In continuing to track this actor’s activities, we believe it is also important to note that on Nov. 9, we observed the actor connecting to passwordmanagerpromsp[.]com. This domain is associated with another ManageEngine product that provides Managed Service Providers (MSPs) with the ability to manage passwords across multiple customers in a single instance. Earlier this year, Zoho released a patch for CVE-2021-33617 affecting this product. While we have not seen any exploitation attempts to date, given the actor’s emerging pattern of targeting ManageEngine products and the actor’s interest in this third product, we highly recommend organizations apply the relevant patches.”

TA406 APT Group, Which is Tied to North Korea, has Increased its Attacks

 

In 2021, a North Korean-linked threat actor known as TA406 ramped up its attacks, including credential harvesting activities, according to Proofpoint. The adversary, also known as Kimsuky, Thallium, and Konni by security researchers, has been attacking companies in sectors like education, government, media, and research, as well as other businesses. According to Proofpoint, TA406 is the most closely associated with Kimsuky activity, which is tracked by the security firm as three distinct threat actors: TA406, TA408, and TA427.

Kaspersky researchers initially discovered the TA406 cyberespionage group in 2013. The US-CERT published a report on Kimusky's latest operations towards the end of October 2020, detailing their TTPs and infrastructure. The APT group primarily targeted South Korean think tanks and organizations, with victims in the United States, Europe, and Russia. 

“Our analysts have tracked TA406 campaigns targeting customers since 2018, but the threat actor’s campaigns remained low in volume until the beginning of January 2021,” the company said. 

During the first half of the year, Proofpoint noticed weekly attacks against journalists, foreign policy experts, and non-governmental organizations (NGOs), particularly those related to actions that affect the Korean Peninsula. Journalists and academics were also targeted. TA406 targeted high-ranking political figures at numerous governmental institutions, and consultancy firms, defense institutions, law enforcement agencies, and economic and financial organizations, as part of their March 2021 campaign. 

Amadey, Android Moez, BabyShark, CARROTBAT/CARROTBALL, FatBoy, KONNI, SANNY, and YoreKey are among the malware families used. It also appears that NavRAT and QuasarRAT were used. 

“Generally, TA406 phishing campaigns focus on individuals in North America, Russia, and China, with the actors frequently masquerading as Russian diplomats and academics, representatives of the Ministry of Foreign Affairs of the Russian Federation, human rights officials, or Korean individuals. TA406 has also targeted individuals and organizations related to cryptocurrency for the purpose of financial gain.” reads the report. 

According to the security experts, TA406 has been involved in financially motivated assaults, such as sextortion and the targeting of cryptocurrency, just like other North Korean state-sponsored actors. “Proofpoint assesses with high confidence that TA406 operates on behalf of the North Korean government. Proofpoint anticipates this threat actor will continue to conduct corporate credential theft operations frequently, targeting entities of interest to the North Korean government,” the security firm notes.

BlackBerry Discovers Initial Access Broker Linked to 3 Different Hacker Groups

 

The latest report from BlackBerry revealed an initial access broker termed "Zebra2104" that has links with three harmful cybercriminals groups, and few are involved in phishing campaigns and ransomware attacks Research and Intelligent team at Blackberry discovered that Zebra2104 gave entry points to ransomware groups such as MountLocker, Phobos, and StrongPity APT. 

The access was given to various organizations in Australia and Turkey which fell victim to the attacks. The StrongPity APT attacked Turkish firms in the healthcare sector, and also targeted smaller enterprises. As per Blackberry, its research suggests an access broker having a lot of manpower, or actors might've built large hidden traps on the web. 

The report also suggests that an inquiry confirmed that MountLocker ransomware was working along with StrongPity, an APT group that dates back to 2012, a Turkish state-sponsored group (allegedly). As of now, it might be hard to believe that criminal groups are sharing resources, but the experts have found a common link, enabled by a fourth criminal group termed Zebra2104, which the experts believe to be an Initial Access Broker (IAB). According to experts, there is an abundance of hacking groups working together, more than mentioned in this article. 

The single-domain directed the experts to a path where they discovered various ransomware attacks, and an APT C2 (command and control). The path turned out to be an IAB--Zebra2104 infrastructure. IAB's general gets access to the top bidders in dark web platforms on underground forums. Following that, the winning bidder deploys ransomware or any other malware in the target organization's systems, the campaign depends on the goals of the attack. 

"A few of the domains had been involved in a phishing campaign that went after state government departments in Australia as well as real estate companies there in September 2020. With the help of other Microsoft reports, the researchers were able to trace the campaigns further to an indicator of compromise of a MountLocker intrusion," reports ZD Net.

Threat Actors from China Infiltrated a Major Afghan Telecom Provider

 

Just as the US was completing its withdrawal from Afghanistan, several China-linked cyberespionage groups were seen intensifying attacks on a major telecom corporation. Recorded Future, a threat intelligence firm, reported on Tuesday that it has witnessed four different Chinese threat groups target a mail server belonging to Roshan, a large telecom provider in Afghanistan with over 6.5 million subscribers. 

According to Doug Madory, Director of Internet Analysis at Kentik and a veteran observer of worldwide traffic trends, “Roshan is one of the largest suppliers of Internet access to the people of Afghanistan” and a major source of online traffic in and out of the nation. 

Calypso and RedFoxtrot, as well as two different Winnti and PlugX activity clusters that Recorded Future researchers were unable to link to other known actors, carried out the attacks. The researchers believe it's not unusual for Chinese hackers to target the same Roshan mail server because they often have diverse intelligence requirements and don't coordinate their actions. 

Some of the groups had been able to access the mail server for months, but the attacks seemed to pick up steam in August and September, just as US forces were leaving Afghanistan. During this time, the researchers noted an uptick in data exfiltration activity. 

Roshan was told of the compromises by Recorded Future before Insikt Group made the assaults public. A Chinese Embassy spokesperson described pinpointing the source of cyber assaults as a "difficult technological problem" in an email sent after the report was posted. 

“Linking cyber-attacks directly to one certain government is a highly sensitive political issue. China hopes that relevant parties will adopt a professional and responsible attitude,” the statement said. “Qualitativing cyber incidents must be based on sufficient evidence instead of groundless speculation,” the spokesperson wrote. 

The first activity linked to Roshan, according to the experts, was tied to the suspected Chinese state-sponsored group Calypso Advanced Persistent Threat (APT). That infiltration appears to have started in July 2020 and continued through September 2021, with a spike in activity in August and September of this year. 

From at least March through May of this year, the researchers discovered the same Roshan mail server connecting with the infrastructure of another known suspected Chinese APT group, RedFoxtrot. 

According to an Insikt report published Tuesday, RedFoxtrot also appeared to have infiltrated another undisclosed Afghan cellular operator during this time. RedFoxtrot was previously identified as targeting unnamed telecommunications firms in Afghanistan, India, Pakistan, and Kazakhstan, according to a study published by the research team in June. The RedFoxtrot was also linked to Unit 69010 of the People's Liberation Army in Ürümqi, Xinjiang, according to the study.

Years-Long Attack by Chinese-Linked APT Groups Discovered by McAfee

 

A cyber-attack that had been sitting on the target organization's network for years stealing data was discovered during a McAfee investigation into a suspected malware infection. The sophisticated threat actors utilized a mix of known and novel malware tools in the attack, called Operation Harvest, to infiltrate the victim's IT infrastructure, exfiltrate data, and avoid detection, according to the investigators. McAfee researchers were able to narrow down the list of suspects to two advanced persistent threat (APT) nation-state groups with ties to China during the course of the two-month investigation. 

“Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data,” Christiaan Beek, lead scientist and senior principal engineer for the Enterprise Office of the CTO at McAfee, wrote in a report. 

“The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families,” Beek added. 

The actor gained initial access by compromising the victim's web server, which contained software to maintain the existence and storage of tools needed to acquire information about the victim's network and lateral movement/execution of files, according to forensic investigations. 

Between the operating method of the unique encryption function in the custom backdoor and the code used in the DLL, the adversaries used techniques that are commonly seen in this type of attack, but they also used distinctive new backdoors or variants of existing malware families, almost identical to methods attributed to the Winnti malware family. According to the findings, the adversary was looking to steal proprietary knowledge for military or intellectual property/manufacturing reasons.

McAfee investigators drew out MITRE ATT&CK Enterprise methods, added the tools utilized, and compared the information to previous technique data to figure out who the perpetrators were. They discovered four groups that shared the same tactics and sub-techniques and then used a chart to narrow down the suspects to APT27 and APT41.

“After mapping out all data, TTP’s [tactics, techniques, and procedures] etc., we discovered a very strong overlap with a campaign observed in 2019/2020,” Beek wrote. “A lot of the (in-depth) technical indicators and techniques match. Also putting it into perspective, and over time, it demonstrates the adversary is adapting skills and evolving the tools and techniques being used.”

Chinese Webdav-O Virus Attacked Russian Federal Agencies

 

In 2020, a collection of Chinese state-sponsored threat groups may have been behind a series of targeted attacks on the Russian federal executive authority. The latest study, published by Singapore-based Group-IB, looks into a piece of computer virus known as "Webdav-O" that was discovered in the intrusions, with the cybersecurity firm noticing similarities between the tool and a popular Trojan known as "BlueTraveller," which is linked to a Chinese threat group known as TaskMasters and used in malicious activities with the aim of espionage and plundering confidential documents. 

The report builds on a series of public disclosures in May from Solar JSOC and SentinelOne, both of which revealed a malware called "Mail-O" that was also observed in attacks against Russian federal executive authorities to access the cloud service Mail.ru, with SentinelOne linking it to a variant of another well-known malicious software called "PhantomNet" or "SManager" used by a threat actor dubbed TA428. 

TA428 has been targeting government entities in East Asia since 2013, with a particular focus on those involved in domestic and foreign policy, government information technology, and economic development. Attackers used the Microsoft Equation Editor exploit CVE-2018-0798 to deploy a custom malware called Cotx RAT, according to Proofpoint researchers. This APT gang also employs Poison Ivy payloads, which share command and control (C&C) infrastructure with the newly discovered Cotx attacks.

"Chinese APTs are one of the most numerous and aggressive hacker communities," researchers Anastasia Tikhonova and Dmitry Kupin said. "Hackers mostly target state agencies, industrial facilities, military contractors, and research institutes. The main objective is espionage: attackers gain access to confidential data and attempt to hide their presence for as long as possible."

"The main goal of the hackers was to completely compromise the IT infrastructure and steal confidential information, including documents from closed segments and email correspondence of key federal executive authorities," Solar JSOC noted, adding the "cybercriminals ensured themselves a high level of secrecy through the use of legitimate utilities, undetectable malware, and a deep understanding of the specifics of the work of information protection tools installed in government bodies."

“It is noteworthy that Chinese hacker groups actively exchange tools and infrastructure, but perhaps it is just the case here,” Group-IB points out. The researchers also point out that evidence implies a big hacking force made up of People's Liberation Army intelligence units may be operating out of China, with the numerous Chinese APT groups tracked by threat intelligence agencies being little more than subgroups.

APT Malicious Campaigns Target Asian Entities

 

Researchers from Kaspersky have reported that hundreds of individuals from South East Asia, including Myanmar and the government of the Philippines, are continuously and extensively targeted by advanced persistent threats (APT) activities. 

In the analysis of the cyber-espionage attacks by LuminousMoth against a variety of Asian authorities that began from at least October 2020, analysts of Kaspersky found 100 victims in Myanmar and 1400 in the Philippines. This APT activity cluster, identified by Kaspersky as LuminousMoth, is associated with the HoneyMyte Chinese-speaker Threat Group with medium to high confidence. 

Links discovered, included network infrastructure connections such as command-and-control servers for the deployment of Cobalt Strike beacon payloads by groups and related tactical, techniques, and procedures (TTP). They are also reported to launch large-scale attacks on a substantial population of targets, aimed at impacting only a tiny subset of people that match their interests. 

"The massive scale of the attack is quite rare. It's also interesting that we've seen far more attacks in the Philippines than in Myanmar," Kaspersky GReAT security researcher Aseel Kayal said. "This could be due to the use of USB drives as a spreading mechanism or there could be yet another infection vector that we're not yet aware of being used in the Philippines,” he further added. 

The threat actors are using spear-phishing emails with malicious links from Dropbox which distributes camouflaged RAR archives like Word documents and bundling malware payloads for accessing the systems they are being targeted. 

The malware attempts to move into other systems through removable USB drives, along with the stolen files from previously hacked PCs, after it is carried out on the victim's device. 

The malware from Luminous Moth includes post operating tools that operators may utilize on their victim's networks for subsequent movement: one is disguised in the shadow of a fake Zoom software, while the other is meant to steal browser cookies from Chrome. 

Threat actors exfiltrate data from compromised devices to their command and control servers (C2), which in some situations have been used to circumvent identification by news outlets. 

The malware tries to infect other systems by distributing detachable USB drives once downloaded from one system. If a drive is discovered, the malware creates hidden folders on the drive where all victim data and harmful executables are moved. 

"This new cluster of activity might once again point to a trend we've been witnessing over this year: Chinese-speaking threat actors re-tooling and producing new and unknown malware implants," Kaspersky GReAT senior security researcher Mark Lechtik added.

Job Seeking Engineers Have Become Lazarus Gang’s New Target

 

Amid operations sending malicious documentation to work-seekers, the renowned group Lazarus advanced persistent threat (APT) has been identified. In this case, defense companies are searching for jobs. 

As per a paper published online by AT&T Alien Labs, researchers monitored the activity of Lazarus for months with technical targets in the United States and Europe. 

According to the creator of the report, Fernando Martinez, emails from prominent defense contractors Airbus, General Motors (GM), and Rheinmetall have been sent to potential engineering recruits by the APT purport. 

Word documents with macros that implant malicious code in a victim's PC are included in the emails to prevent detection by changing the target computer settings. 

“The core techniques for the three malicious documents are the same, but the attackers attempted to reduce the potential detections and increase the faculties of the macros,” Martinez wrote. 

Lazarus's operation is the newest thing that targets the field of defense. In February, scientists attributed a 2020 spear-phishing campaign to the APT aiming to acquire key data by using advancing malware named ThreatNeedle from defense organizations. 

Indeed, with Microsoft Office Macros being used and third-party communications infrastructures being jeopardized, Lazarus is written all over the latest attacks that remain 'in line with the earlier Lazarus campaigns' as Martinez said. 

“Attack lures, potentially targeting engineering professionals in government organizations, showcase the importance of tracking Lazarus and their evolution,” he wrote. “We continue to see Lazarus using the same tactic, techniques, and procedures that we have observed in the past.” 

Researchers from AT&T Alien Labs have already seen Lazarus' activities, trying to attract victims to false Boeing and BAE systems jobs. Martinez noted that Twitter users were warned of the current campaign as Twitter users identified various papers related to Lazarus by Rheinmetall, GM, and Airbus from May to June this year. 

Researchers have discovered that campaigns using the three new documents are comparable in communicating with the command and control but that they can do malicious activities in distinct ways. Lazarus has circulated two malicious documents related to the German defense and automotive industry engineering firm Rheinmetall. The second had "more elaborate content," which made it possible for victims to remain unnoticed, noted Martinez. 

One of the distinctive aspects of the macro in the original malicious document is to rename the Microsoft Docs command-line software Certutil to try and disguise its actions. 

“The macro executes the mentioned payload with an updated technique,” Martinez wrote. “The attackers are no longer using Mavinject, but directly executing the payload with explorer.exe, significantly modifying the resulting execution tree.” 

Owing to Lazarus' historically prolific behavior – called the "most active" threat group in 2020 by Kaspersky— the recent attack on technicians "is not expected to be the last," Martinez said. 

Attack tactics that may target technical experts in governmental organizations illustrate the relevance of Lazarus tracking and its progression, Martinez added.

APT: China-Based Threat Group Attacks Pulse Secure VPNs

 

Several hacker groups that are supposed to support Chinese long-term economic goals continue in the defense, high-tech, public, transportation, and financial services industry networks in the US and Europe. 

Many breaches have taken place wherein attacks by Chinese threat actors penetrated Pulse Secure VPN devices to break into an organization's network and steal confidential material. 

Whereas in several other incidents the attackers took full advantage of the Pulse Connect Secure (PCS) (CVE-2021-22893) authentication bypass vulnerability to enter into the victim's network. The intruders also gained control of the combination of previously known vulnerabilities. Meanwhile, last month, a failure in the bypass authentication was detected and rectified. 

Mandiant issued a warning this week – on China's advanced persistent threat (APT) activity for U.S. and European organizations. In the alert, Mandiant had focused on a battery of malware tools used to address vulnerabilities in Pulse Secure VPN devices on two Chinese-based organizations: UNC2630 and UNC2717. Mandiant said that UNC2630 had targeted US military industry groups and UNC2717 had attacked an EU entity. 

"The exploitation activity we have observed is a mix of targeting unpatched systems with CVEs from 2019 and 2020, as well as a previously unpatched 2021 CVE (CVE-2021-22893)," says Stephen Eckels, a reverse engineer at Mandiant. "Since our original report, Pulse Secure and Mandiant have worked together, and the zero-day has since been patched." 

"At this time, Pulse Secure has patched all known vulnerabilities," Eckels added. 

In certain cases, the attackers had set up their local admin accounts on critical Windows servers to operate freely on the target network. Instead of depending on internal endpoints of the security vulnerabilities, they used exclusivity of Pulse Secure web-shells and malware. 

The UNC2630 and UNC2717, according to Mandiant, are just two of the various groups which threaten Pulse Secure VPNs that seem to work for the interest of the Chinese administration. Many of the groups use the same number of instruments, but their strategies and tactics are different. 

There has been no confirmation so far that the threat actors had acquired American data that would provide economic advantages for Chinese enterprises. In particular, a 2012 agreement between President Barack Obama and a Chinese counterpart Xi prohibits cyber espionage of such data. 

"Right now we're not able to say that they haven't, just that we don't have direct evidence that they have violated [the agreement]," Mandiant says. "Some of the affected entities are private companies that would have commercial intellectual property, the theft of which would violate the agreement. We just have not seen direct evidence of that type of data being staged or exfiltrated." 

Mandiant's assessment of the Chinese ferocious ATP activities is coinciding with this week's alert from Microsoft for Nobellum, the Russian menace actor behind the SolarWinds attack and an extensive e-mail campaign. In both cases, cyber espionage seems to be the major motif in support of national strategic objectives.

FBI says Attackers Breached US Local Govt After Hacking a Fortinet Appliance

 

After issuing a cybersecurity advisory warning that APT hacker groups are purposefully targeting vulnerabilities in Fortinet FortiOS, the FBI now warned that after hacking a Fortinet appliance, state-sponsored attackers compromised the webpage of a US local government. 

Fortinet is a multinational security company based in Sunnyvale, California. It creates and sells cybersecurity solutions, which include hardware like firewalls as well as software and services like anti-virus protection, intrusion prevention systems, and endpoint security components.

"As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a web-server hosting the domain for a U.S. municipal government," the FBI's Cyber Division said in a TLP:WHITE flash alert published on 27th May. 

The advanced persistent threat (APT) actors moved laterally around the network after gaining access to the local government organization's server, creating new domain controller, server, and workstation user identities that looked exactly like existing ones. On compromised systems, attackers linked to this ongoing APT harmful activity have created 'WADGUtilityAccount' and 'elie' accounts, according to the FBI.

This APT organization will most likely utilize this access to capture and exfiltrate data from the victims' network, according to the FBI. "The APT actors are actively targeting a broad range of victims across multiple sectors, indicating the activity is focused on exploiting vulnerabilities rather than targeted at specific sectors," the FBI added.

Last month, the FBI and the CISA issued a warning about state-sponsored hacking groups gaining access to Fortinet equipment by exploiting FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. The threat actors are also scanning for CVE-2018-13379 vulnerable devices on ports 4443, 8443, and 10443, and enumerating servers that haven't been patched against CVE-2020-12812 and CVE-2019-5591. 

Once they've gained access to a vulnerable server, they'll use it in subsequent attacks aimed at critical infrastructure networks. "APT actors may use other CVEs or common exploitation techniques—such as spear-phishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks," the two federal agencies said.

"APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns." They further told. 

Kaspersky Discovered Purple Lambert to be a Part of the CIA

 

Kaspersky Lab, a cybersecurity company, has uncovered a new malware that analysts believe is linked to the US Central Intelligence Agency. Multiple antivirus providers obtained a series of malware samples in February 2019, according to Kaspersky experts, some of which cannot be linked to the operation of established APT classes. There were no parallels between these malware strains and malware affiliated with other APT classes.

Although an initial investigation revealed no common code with any previously-known malware samples, Kaspersky recently re-analyzed the files and discovered that “the samples have intersections with coding patterns, style, and techniques that have been used in different Lambert families,” according to the company. Lamberts is Kaspersky's internal codename for tracking CIA hacking operations.

Kasperksy has dubbed this new malware cluster Purple Lambert due to the shared similarity between these recently found samples and previous CIA malware. The malware samples seem to have been collected seven years earlier, in 2014, according to Purple Lambert metadata. Although Kaspersky has not seen any of these samples in the wild, it believes Purple Lambert samples were “most certainly deployed in 2014 and probably as late as 2015.”

“Although we have not found any shared code with any other known malware, the samples have intersections of coding patterns, style and techniques that have been seen in various Lambert families. We therefore named this malware Purple Lambert.” states the APT trends report Q1 2021 published by Kaspersky. “Purple Lambert is composed of several modules, with its network module passively listening for a magic packet. It is capable of providing an attacker with basic information about the infected system and executing a received payload. Its functionality reminds us of Gray Lambert, another user-mode passive listener. Gray Lambert turned out to be a replacement of the kernel-mode passive-listener White Lambert implant in multiple incidents. In addition, Purple Lambert implements functionality similar to, but in different ways, both Gray Lambert and White Lambert.” 

While the Lambert APT (also known as the Longhorn APT) has been present since at least 2008, the first samples were discovered in 2014. The group is extremely advanced, and it has penetrated organisations all over the world with a sophisticated cyberattack network that can hack both Windows and Mac systems. The researchers discovered and studied numerous backdoors and hacking methods that make up the cyberespionage group's arsenal over the years.

Researchers Spotted Two Android Spyware Linked to Confucius

 

Researchers at cybersecurity firm Lookout have published information on two recently discovered Android spyware families utilized by an advanced persistent threat (APT) group named Confucius. Lookout said that two malware strains, named Hornbill and SunBird, have been linked to Confucius, a group thought to be state-sponsored and to have pro-India ties. 

First detected in 2013, Confucius has been linked to assaults against government entities in Southeast Asia, as well as targeted strikes against Pakistani military personnel, Indian election officials, and nuclear agencies. “Hornbill and SunBird have both similarities and differences in the way they operate on an infected device” reads the report published by Lookout. “While SunBird features remote access trojan (RAT) functionality – a malware that can execute commands on an infected device as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of interest to its operator.” 

The team's analysis of the malware recommends that Hornbill is based on MobileSpy, a commercial stalker ware application for remotely observing Android gadgets that were retired in 2018. SunBird, however, seems to have a comparable codebase to BuzzOut, an old type of spyware created in India. Confucius was known to have utilized ChatSpy for surveillance purposes back in 2017, yet it is felt that both Hornbill and SunBird originated before this malware. There doesn't appear to be any new campaigns utilizing SunBird–accepted to have been in active development between 2016 and early 2019; in any case, Hornbill has been found in a rush of assaults dating from December 2020. 

Both malware variations, however, can steal information including gadget identifiers, call logs, WhatsApp voice notes, contact records, and GPS location information. Also, they can request administrator privileges on an undermined gadget, take screenshots and photographs, and record sound both when calls are taking place or just as environmental noise. SunBird's abilities go past Hornbill's as this malware is likewise ready to grab browser histories, calendar information, BlackBerry Messenger (BBM) content, and more extensive WhatsApp content including documents, databases, and pictures. SunBird will likewise attempt to upload stolen information to a command-and-control (C2) server at more normal spans than Hornbill.

Spy Campaign: SideWinder APT Leverages South Asian Border Disputes


The SideWinder advanced persistent threat (APT) group, which seems to be active since 2012, now has started a new malicious activity, wherein the threat actors are leveraging the rising border disputes between developing states namely India-China, India-Nepal, and Nepal-Pakistan. 

The aim of this phishing and malware initiative is to gather sensitive information from its targets, mainly located in two territories, Nepal and Afghanistan. A recent study says the SideWinder group primarily targets victims in South Asia and its surroundings, interestingly this latest campaign is no exception. 

According to the researchers, this phishing and malware initiative is targeting multiple government and military units for countries in the region. The Nepali Ministries of Defense and Foreign Affairs, the Nepali Army, the Afghanistan National Security Council, the Sri Lankan Ministry of Defense, the Presidential Palace in Afghanistan are its prime targets, to name a few. 

Malicious actors are targeting Webmail login pages aimed at harvesting credentials. Actual webmail login pages were copied from their victims and subsequently are being used for phishing, as per the Trend Micro researchers. For instance, “mail-nepalgovnp[.]duckdns[.]org”,  which appears the legitimate domain of Nepal's government, however, it is just tricking people into believing so. 

The Catch

When the users “log in”, they are either directly sent to the actual login pages or redirected to different news pages, documents, which can be related either to political fodder or COVID-19. Researchers noted that some of the pages also include articles titled “China has nothing to do with India, India should see that. Similarly, many articles are being used which includes hot topics from recent ongoing issues between states. 

Cyber Espionage: No Limits? 

"We also found multiple Android APK files on their phishing server. While some of them are benign, we also discovered malicious files created with Metasploit," researchers wrote on Wednesday. They also identified several Android APK files on the phishing server, some of these files were made using Metasploit. 

Reportedly, SideWinder is a very proactive group that made headlines for attacking mobile devices via Binder exploit. This Year many states were being attacked, namely Bangladesh, China, and Pakistan, using files of Corona Virus. 


Updated Malware: Vietnamese Hacking Group Targeting MacOS Users

 

Researchers have discovered a new MacOS backdoor that steals credentials and confidential information. As cyber threats continue to rise, the newly discovered malware is believed to be operated by Vietnamese hacking group OceanLotus, colloquially known as APT 32. Other common names include APT-C-00, SeaLotus, and Cobalt Kitty. 
 
The nation-state backed hacking group has been operating across Asia and is known to target governments, media organizations, research institutes, human rights organizations, corporate sector, and political entities across the Philippines, Laos, Vietnam, and Cambodia. Other campaigns by the hacking group also focused on maritime construction companies. Notably, OceanLotus APT also made headlines for distributing malware through Apps on Google Play along with malicious websites. 
 
The attackers found the MacOS backdoor in a malicious Word document that supposedly came via an email. However, there is no information regarding the targets that the campaign is focusing on. In order to set the attack into motion, the victims are encouraged to run a Zip file appearing to be a Word document (disguised as a Word icon). Upon running the Zip file, the app bundled in it carrying the malware gets installed; there are two files in it, one is the shell script and another one is the Word file. The MacOS backdoor is designed by attackers to provide them with a window into the affected system, allowing them to steal sensitive data.

"Like older versions of the OceanLotus backdoor, the new version contains two main functions: one for collecting operating system information and submitting this to its malicious C&C servers and receiving additional C&C communication information, and another for the backdoor capabilities," TrendMicro explained in a blogpost. 

In an analysis, Researchers told, “When a user looks for the fake doc folder via the macOS Finder app or the terminal command line, the folder’s name shows ‘ALL tim nha Chi Ngoc Canada.doc’ (‘tìm nhà Chị Ngọc’ roughly translates to ‘find Mrs. Ngoc’s house’).”

“However, checking the original .zip file that contains the folder shows three unexpected bytes between ‘.’ and ‘doc’.”