Search This Blog

Showing posts with label APT attacks. Show all posts

Dark Pink: New APT Group Targets Asia-Pacific, Europe With Spear Phishing Attacks


A new wave of advanced persistent threat (APT) attacks has been discovered, that is apparently launched by a threat group named Dark Pink. 

The attack was launched between June and December 2022 and has been targeting countries in the Asia-Pacific, such as Cambodia, Vietnam, Malaysia, Indonesia, and the Philippines. Along with these, one European country, Bosnia and Herzegovina was also targeted. 

Details Of The Attack 

The attack was first discovered by Albert Priego, a Group-IB malware analyst, and was labeled ‘The Dark Pink.’  This APT group has also been named Saaiwc Group by a Chinese cybersecurity researcher. 

Researchers from Group-IB found activity on Dark Pink's GitHub account, which suggests that Dark Pink's operations may be traced as far back as mid-2021. However, from mid to late 2022, the group's activity increased significantly. 

In regards to the attack, the Group-IB stated in a blog post that the Dark Pink operators are “leveraging a new set of tactics, techniques, and procedures rarely utilized by previously known APT groups.” Furthermore, Group-IB wrote of a custom toolkit "featuring four different infostealer: TelePowerBot, KamiKakaBot, Cucky, and Ctealer." 

These infostealers are being utilized by the threat group to extract important documents stored inside government and military networks. 

Group-IB discovered one of Dark Pink's spear-phishing emails that were used to obtain the initial access. In this case, the threat actor purported to be a candidate for a PR and communications intern position. The threat actor may have scanned job boards and used this information to construct highly relevant phishing emails when they mention in the email that they found the position on a jobseeker website. 

This simply serves to highlight how precisely these phishing emails are crafted in to appear so dangerous. 

Reportedly, Dark Pink possesses the ability to exploit the USB devices linked to compromised systems. Moreover, Dark Pink can also access the messengers installed on the infected computers. 

Dark Pink APT Group Remains Active 

The Dark Pink APT group still remains active. Since the attacks continued until the end of 2022, Group-IB is still investigating the issue and estimating its size. 

The company hopes to unveil the operators’ identity, and states in the blog post that the initial research conducted on the incident should "go a long way to raising awareness of the new TTPs utilized by this threat actor and help organizations to take the relevant steps to protect themselves from a potentially devastating APT attack." 

APTs: Description, Key Threats, and Best Management Practices


An Advances Persistent Threat (APT) is a sophisticated, multiple staged cyberattack, in which the threat actor covertly creates and maintain its presence within an organization’s network, undetected, over a period of time. 

A government agency or a business could be the target, and the information could be stolen or used to do additional harm. When attempting to penetrate a high-value target, an APT may be launched against the systems of one entity. APTs have been reported to be carried out by both state actors and private criminals. 

Several organizations closely monitor the threat actor groups that pose these APTs. CrowdStrike, a security company that monitors over 170 APT groups, claims to have witnessed a nearly 45% rise in interactive infiltration efforts between year 2020 and 2021. Nation-state espionage activities are now a strong second in frequency, although (financial) e-crime is still the most frequently identified motive.

An APT comprises of mainly three main reasons: 

  1. Network infiltration 
  2. The expansion of the attacker’s presence 
  3. The extraction of amassed data (or, in some instances, the launch of sabotage within the system)

Since the threat is established to both evade detection and acquire sensitive information, each of these steps may entail several steps and be patiently carried out over an extended period of time.

Successful breaches may operate covertly for years; yet, some acts, including jumping from a third-party provider to the ultimate target or carrying out a financial exfiltration, may be carried out very rapidly. 

APTs have a reputation for using deception to avoid giving proper, direct credit for their work. An APT for one country could incorporate language from another country into its code to confuse investigators. 

Investigating teams may as well have close relationships with state-intelligence agencies, leading some to raise questions pertaining to the objectivity of their findings. 

Amidst this, the tactics, techniques, and procedures (TTPs) of APTs are up for constant updates, in response to the continuously changing environment and countermeasures. “This past year, there was a dramatic uptick in APT attacks on critical infrastructure such as the transportation and financial sectors,” says Trellix’s Head of Threat Intelligence. 

List of key threats

New APTs based on advanced techniques are, by nature, generally operating yet being undetected. Additionally, quite challenging attacks continue to be carried out against organizations, long after they were first detected (for instance, SolarWinds). 

Moreover, fresh common trends and patterns are constantly being identified and duplicated, unless a means is discovered in order to render them ineffective. Listed below are some of the major trends in APTs, identified by a Russian internet security firm ‘Kaspersky’: 

The private sector supporting an influx of new APT players: It is anticipated that more and more APTs will use commercially available products like the Pegasus software from the Israeli company NSO Group, which is marketed to government agencies for its zero-click surveillance capabilities. 

Mobile devices exposed to wide, sophisticated attacks: Although Apple's new Lockdown Mode for the iOS 16 iPhone software update is meant to address the exploitation of spyware by NSO Group, its phones still stand with Android and other mobile devices as the top targets of APTs. 

More supply-chain attacks: Supply-chain attacks should continue to be a particularly effective strategy for reaching high-value government and private targets, as demonstrated by SolarWinds. 

Continued exploitation of work-from-home (WFH): With the emerging WFH arrangements since the year 2020, hacker groups will continue targeting employees’ remote systems, until those systems are potent enough to combat exploitation. 

Increase in APT intrusions in the Middle East, Turkey, and Africa (META) region, (especially in Africa): With the constantly diminishing geopolitical situation, globally, espionage is emerging rapidly in areas where systems and communications are the most vulnerable. 

APT Identification and Management Practices: 

Since APTs are designed to be covert, facilitated, backed by constant advancement, and illicit traffic in zero-day exploits, it becomes intrinsically challenging to detect them. Attacks, however, frequently follow a pattern, going for predictable targets like admin credentials and privileged data repositories that represent important company assets. 

Following are 5 recommendations for avoiding and identifying APT intrusion: 

1. Threat modeling and instrumentation: According to Igor Volovich, Vice President of Compliance for Omulos “Threat modeling is a useful practice that helps defenders understand their risk posture from an attacker’s perspective, informing architecture and design decisions around security controls […] Instrumenting the environment with effective controls capable of detecting malicious activity based on intent rather than specific technique is a strategic direction that enterprises should pursue.” 

2. Stay alert: Pay closer attention to the operation of security analyst and security community posting, which keeps a check on the APT groups, since they look for activities pertaining to indications of threat group actions, or that of an activity group and threat actors; as well as activities that indicate a potential intrusion or cyber-campaigns. 

3. Baseline: It is crucial to understand your own environment and establish a common baseline in order to identify anomalous behavior in the environment and, consequently, spot the tell-tale signs of the presence of APTs. It is easier to identify odd traffic patterns and unusual behavior by using this baseline. 

4. Use your tools: In order to identify APTs, one may as well use existing security tools like endpoint protection, network prevention systems, firewalls, and email protection. 

5. Threat Intelligence: Threat intelligence sources should be evaluated against data from security tools and information on potentially unusual traffic. Organizations that use threat feeds can describe the threat and what it can signify for the target organisation. These technologies can help a management team identify potential attackers and determine their possible objectives.  

FancyBear: Hackers Use PowerPoint Files to Deliver Malware

 

FancyBear: Hackers Use PowerPoint Files to Deliver Malware Cluster25 researchers have recently detected a threat group, APT28, also known as FancyBear, and attributed it to the Russian GRU (Main Intelligence Directorate of the Russian General Staff). The group has used a new code execution technique that uses mouse movement in Microsoft PowerPoint, to deliver Graphite malware.
 
According to the researchers, the threat campaign has been actively targeting organizations and individuals in the defense and government organizations of the European Union and East European countries. The cyber espionage campaign is believed to be still active.
 

Methodology of Threat Actor

 
The threat actor allegedly entices victims with a PowerPoint file claiming to be associated with the Organization for Economic Cooperation (OECD).
 
This file includes two slides, with instructions in English and French to access the translation feature in zoom. Additionally, it incorporates a hyperlink that plays a trigger for delivering a malicious PowerShell script that downloads a JPEG image carrying an encrypted DLL file.
 
The resulting payload, Graphite malware is in Portable Executable (PE) form, which allows the malware operator to load other malwares into the system memory.
 
“The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications.” States Cluster25, in its published analysis.
 
The aforementioned Graphite malware is a fileless malware that is deployed in-memory only and is used by malware operators to deliver post-exploitation frameworks like Empire. Graphite malware’s purpose is to allow the attacker to deploy other malwares into the system memory.
 
 
Based on the discovered metadata, according to Cluster25, the hackers have been preparing for the cyber campaign between January and February. However, the URLs used in the attacks were active in August and September.
 
With more hacker groups attempting to carry out such malicious cyber campaigns, the government and private sectors must deploy more powerful solutions to prevent future breaches and cyber attacks to safeguard their organizations.

Proofpoint Analysis : APT Groups Target Journalists


APT organizations that are allegedly affiliated with China, North Korea, Iran, and Turkey are described in detail by researchers in a Proofpoint report released on Thursday. Attacks started in early 2021 and are still happening, according to researchers.

Targeted phishing attacks are linked to several threat actors who have independently focused on acquiring journalist credentials and sensitive data as well as tracking their locations. 

Targeting journalist

Proofpoint monitored the activities of the APT group TA412 also known as Zirconium, which attacked journalists based in the US. The nation-state hackers implanted a hyperlinked invisible item within an email body by using phishing emails that contained web beacons such as tracking pixels, tracking beacons, and web bugs.

Journalists based in the US who were being targeted were investigating matters of domestic politics and national security and writing about subjects that favored Beijing.
  • By February 2022, Zirconium had resumed its operations against journalists using the same tactics, with a particular emphasis on those who were reporting the Russia-Ukraine conflict.
  • Proofpoint discovered another Chinese APT organization known as TA459 in April 2022 that was targeting journalists with RTF files that, when viewed, released a copy of the Chinoxy malware. These hackers specifically targeted journalists covering Afghan foreign affairs.
  • Early in 2022, the TA404 group, also known as Lazarus, targeted a media company with a base in the United States. As lures, the attackers utilized phishing messages with job offers.
  • Finally, Turkish threat actors identified as TA482 planned campaigns to harvest credentials from journalists' social media accounts.
Not all hackers, however, are motivated to work hard to breach journalist data. This strategy has mostly been used by Iranian actors, like TA453 or Charming Kitten, who had sent emails to academics and Middle East policy experts while pretending to be reporters.

Finally, Proofpoint draws attention to the activities of Iranian hackers TA457, who initiated media-targeting efforts every 2 to 3 weeks between September 2021 and March 2022.

It's also essential to understand the wide attack surface—all the various web channels used for information and news sharing—that an APT attacker can exploit. Finally, exercising caution and confirming an email's identity or source can stop an APT campaign in its early stages.

 GALLIUM APT Deployed a New PingPull RAT

According to Palo Alto Networks researchers, the PingPull RAT is a "difficult-to-detect" backdoor that uses the Internet Control Message Protocol (ICMP) for C2 connections. Experts also discovered PingPull variations that communicate with each other using HTTPS and TCP rather than ICMP.

Gallium, a Chinese advanced Trojan horse (APT), has an ancient legacy of cyberespionage on telecommunications companies, dating back to 2012. In 2017, the state-sponsored entity, also called Soft Cell by Cybereason, has been linked to a broader range of attacks aimed at five major Southeast Asian telecom businesses. However, during the last year, the group's victimology has expanded to include financial institutions and government agencies in Afghanistan, Austria, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. 

A threat actor can use PingPull, a Visual C++-based virus, to gain access to a reverse shell and run unauthorized commands on a compromised computer. File operations, detailing storage volumes, and timestamping files are all part of it now. 

The researchers explained that "PingPull samples which use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server." "The C2 server will send commands to the system by responding to these Echo queries with an Echo-Reply packet." 

PingPull variants that use HTTPS and TCP rather than ICMP to interact with its C2 server have been discovered, along with over 170 IP addresses associated with the company since late 2020. Although the threat actor is recognized to exploit internet-exposed programs to acquire an initial foothold and deploy a customized form of the China Chopper web shell to create persistence, it's not obvious how the targeted networks are hacked. 

Throughout Southeast Asia, Europe, and Africa, the GALLIUM trojan continues to pose a serious danger to telecommunications, finance, and government organizations. It is recommended all businesses use the results of researchers to inform the implementation of protective measures to guard against this threat group, which has deployed a new capability called PingPull in favor of its espionage efforts.

 Iran's MuddyWater Hacker Group is Exploiting New Malware

 

According to a notice issued by US security and law enforcement authorities, Iran-linked cyber activities are targeting a variety of government and private organizations in several areas across Asia, Africa, Europe, and North America.

"MuddyWater actors are poised to deliver stolen data and access to the Iranian government, as well as to share them with other cybercriminal actors," the agencies stated. The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the National Cyber Security Centre of the United Kingdom have issued a combined advisory (NCSC) in the regard.

This year, the cyber-espionage actor was revealed to be working for Iran's Ministry of Intelligence and Security (MOIS), conducting malicious operations against a wide range of state and private organisations in Asia, Africa, Europe, and North America, including telecommunications, defence, local government, and the oil and natural gas sectors. 

MuddyWater is also known by the aliases Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP. Aside from publicly disclosed vulnerabilities, the hacker group has already been seen using open-source tools to get access to sensitive information, deliver ransomware, and maintain resilience on victim networks. 

Late last month, Cisco Talos conducted a follow-up analysis and discovered a previously unknown malware campaign focused on Turkish private and governmental entities with the purpose of delivering a PowerShell-based backdoor. In harmful operations, MuddyWater actors use new variations of PowGoop malware as its main loader, which consists of a DLL loader and an Operating system downloader. The malicious programme poses as a valid Google Update executable file and is signed as such. 

A surveying script to identify and send data about target PCs back to the remote C2 server rounds out MuddyWater's arsenal of weapons. A newly discovered PowerShell backdoor was also installed, which is used to perform actions obtained from the attacker. 

The agencies advise enterprises to utilise multi-factor authentication whenever possible, limit the usage of administrator credentials, deploy phishing defences, and prioritise correcting known exploited vulnerabilities to provide barriers against potential attacks.

 Lazarus APT Cell Exploits the Windows Update Client

 

According to experts at a cyber security agency, Lazarus, a notable hacking organization with ties to the North Korean government, has been utilizing the Windows Update client to spread malware as part of a new spear-phishing effort.

The North Korean nation-state hacking outfit known as the Lazarus Group, formerly as APT38, Hidden Cobra, Whois Hacking Team, and Zinc, has been operating since at least 2009. The threat actor was tied to a sophisticated social engineering campaign aimed at security experts last year. 

The two macro-embedded messages seem to be enticing the targets about new Lockheed Martin job opportunities: 
  • Lockheed Martin JobOpportunities.docx 
  • Salary Lockheed Martin job opportunities confidential.doc 

Both of these documents were created on April 24, 2020, but enough evidence leads us to believe it was leveraged in a campaign between late December 2021 and early 2022. The threat actor's domains are one of the pieces of evidence that this attack took place recently. The attack begins with the malicious macros hidden in the Word document being executed. 

The malware executes a series of implants in order to gain startup persistence on the target computer and inserts code into the computer's restart system to ensure a restart does not knock down the virus.

Researchers discovered evidence that the threat group used GitHub as a command and control (C2) site for its attacks. Lazarus' use of GitHub as a C2 is unusual, according to the researchers, who claim this is the first time a group is seen to be doing so. The threat group was found to be utilizing GitHub as a command and control (C2) site for its attacks. According to the researchers, Lazarus' usage of GitHub as a C2 is uncommon. 

The campaign's attribution to the Lazarus APT is based on different facts as stated below: 
  • The usage of employment opportunities as a template is something Lazarus has done before.
  • Defense industry targets, particularly Lockheed Martin, are well-known targets for North Korean-linked APT. 
  • The metadata utilized in this campaign connects the documents to various other materials used by Lazarus previously.

APT Malicious Campaigns Target Asian Entities

 

Researchers from Kaspersky have reported that hundreds of individuals from South East Asia, including Myanmar and the government of the Philippines, are continuously and extensively targeted by advanced persistent threats (APT) activities. 

In the analysis of the cyber-espionage attacks by LuminousMoth against a variety of Asian authorities that began from at least October 2020, analysts of Kaspersky found 100 victims in Myanmar and 1400 in the Philippines. This APT activity cluster, identified by Kaspersky as LuminousMoth, is associated with the HoneyMyte Chinese-speaker Threat Group with medium to high confidence. 

Links discovered, included network infrastructure connections such as command-and-control servers for the deployment of Cobalt Strike beacon payloads by groups and related tactical, techniques, and procedures (TTP). They are also reported to launch large-scale attacks on a substantial population of targets, aimed at impacting only a tiny subset of people that match their interests. 

"The massive scale of the attack is quite rare. It's also interesting that we've seen far more attacks in the Philippines than in Myanmar," Kaspersky GReAT security researcher Aseel Kayal said. "This could be due to the use of USB drives as a spreading mechanism or there could be yet another infection vector that we're not yet aware of being used in the Philippines,” he further added. 

The threat actors are using spear-phishing emails with malicious links from Dropbox which distributes camouflaged RAR archives like Word documents and bundling malware payloads for accessing the systems they are being targeted. 

The malware attempts to move into other systems through removable USB drives, along with the stolen files from previously hacked PCs, after it is carried out on the victim's device. 

The malware from Luminous Moth includes post operating tools that operators may utilize on their victim's networks for subsequent movement: one is disguised in the shadow of a fake Zoom software, while the other is meant to steal browser cookies from Chrome. 

Threat actors exfiltrate data from compromised devices to their command and control servers (C2), which in some situations have been used to circumvent identification by news outlets. 

The malware tries to infect other systems by distributing detachable USB drives once downloaded from one system. If a drive is discovered, the malware creates hidden folders on the drive where all victim data and harmful executables are moved. 

"This new cluster of activity might once again point to a trend we've been witnessing over this year: Chinese-speaking threat actors re-tooling and producing new and unknown malware implants," Kaspersky GReAT senior security researcher Mark Lechtik added.

Threat Actors Use Several New Advanced Techniques To Exploit Windows Services


 

According to the cybersecurity researchers, several fresh techniques, comparatively advanced — are being used by attackers, for exploiting legitimate Windows services to accelerate low-level privileges into the system (concept and practice of restricting access rights for users, accounts, and computing processes to only those resources required to perform routine, legitimate activities, least privilege is also a foundational component of zero trust strategies) to get full control of the system. 

By the means of this recent attack, the threat actors took the same advantages, targeting similar Windows services facilities as that of previous attacks. Meanwhile, threat actors are also working on some new techniques to get access to the recent version of the operating system, as reported by Antonio Cocomazzi, a system engineer at SentinelOne. Furthermore, Antonio Cocomazzi shed light on the same in a Black Hat Asian virtual conference this week. 

For the organizations, the biggest issue dealing with these cyberattacks is that these attacks exploit services that hold a very important part of the system as well as exist by design in the windows functioning system. These services are enabled and available by default into the system as well as they play an essential part in the implementation of Web networking, mail servers, database servers, and other important services. 

Exploits, named “juicy potatoes,” has become a mainstream method for threat actors to invade into the windows systems, said Cocoazzi. Further, he added that SentinelOne has disclosed some very specific evidence against this exploit: it is being used in multiple APT campaigns. 

“Microsoft has fixed the exploit in newer versions of its software. However, JuicyPotato still works on every updated Windows Server until version 2016 and on every updated Windows Client machine until version 10, build 1803. Additionally, newer versions of the so-called Potato family of exploits — such as RoguePotato and Juicy 2 — are now available that bypass the Microsoft fix that shut down JuicyPotato.” Antonio Cocomazzi, a system engineer at SentinelOne reported. 

Domestic Kitten - An Iranian Surveillance Operation

 

Check Point researchers as of late revealed the full degree of Domestic Kitten's broad surveillance operation against Iranian residents that could pose a threat to the security of the Iranian system. The actual operation is linked to the Iranian government and executed by APT-C-50. Started in 2017, this operation comprised 10 unique campaigns, targeted more than 1,200 people with more than 600 effective infections. It incorporates 4 currently active campaigns, the latest of which started in November 2020. In these campaigns, victims are tricked to install a malicious application by various vectors, including an Iranian blog website, Telegram channels, and even by SMS with a link to the noxious application. 

The victims incorporate prominent scholastics, activists and business pioneers in Iran and elsewhere, and government authorities in the United States and Europe, researchers at Israeli cybersecurity firm Check Point said in a couple of reports released on Monday. 

The APT uses versatile malware called FurBall. The malware depends on commercially-available monitoring software called KidLogger, and as indicated by the researchers, "it seems that the developers either obtained the KidLogger source code or reverse-engineered a sample and stripped all extraneous parts, then added more capabilities." FurBall is spread through an assortment of assault vectors including phishing, Iranian sites, Telegram channels, and employing SMS messages containing a link to the malware. The malware uses an assortment of disguises to attempt to fool a victim into the installation, for example, being packaged as "VIPRE" mobile security, masquerading as a news outlet app, acting as repackaged legitimate mobile games found on Google Play, app stores, restaurant services, and wallpaper applications. 

When installed on a target device, FurBall can intercept SMS messages, get call logs, gather device information, record communication, steal media and stored files, monitor device GPS coordinates and so track their target's movements, and more. At the point when data has been accumulated from the compromised device, it very well may be sent to command-and-control (C2) servers that have been utilized by Domestic Kitten since 2018. Linked IP addresses were found in Iran, in both Tehran and Karaj.  

On Monday, Check Point researchers, along with SafeBreach, additionally uncovered the activities of a subsequent danger group that is effectively focusing on Iranian dissidents but rather than focus on their smartphones, their PCs are at risk.

Spy Campaign: SideWinder APT Leverages South Asian Border Disputes


The SideWinder advanced persistent threat (APT) group, which seems to be active since 2012, now has started a new malicious activity, wherein the threat actors are leveraging the rising border disputes between developing states namely India-China, India-Nepal, and Nepal-Pakistan. 

The aim of this phishing and malware initiative is to gather sensitive information from its targets, mainly located in two territories, Nepal and Afghanistan. A recent study says the SideWinder group primarily targets victims in South Asia and its surroundings, interestingly this latest campaign is no exception. 

According to the researchers, this phishing and malware initiative is targeting multiple government and military units for countries in the region. The Nepali Ministries of Defense and Foreign Affairs, the Nepali Army, the Afghanistan National Security Council, the Sri Lankan Ministry of Defense, the Presidential Palace in Afghanistan are its prime targets, to name a few. 

Malicious actors are targeting Webmail login pages aimed at harvesting credentials. Actual webmail login pages were copied from their victims and subsequently are being used for phishing, as per the Trend Micro researchers. For instance, “mail-nepalgovnp[.]duckdns[.]org”,  which appears the legitimate domain of Nepal's government, however, it is just tricking people into believing so. 

The Catch

When the users “log in”, they are either directly sent to the actual login pages or redirected to different news pages, documents, which can be related either to political fodder or COVID-19. Researchers noted that some of the pages also include articles titled “China has nothing to do with India, India should see that. Similarly, many articles are being used which includes hot topics from recent ongoing issues between states. 

Cyber Espionage: No Limits? 

"We also found multiple Android APK files on their phishing server. While some of them are benign, we also discovered malicious files created with Metasploit," researchers wrote on Wednesday. They also identified several Android APK files on the phishing server, some of these files were made using Metasploit. 

Reportedly, SideWinder is a very proactive group that made headlines for attacking mobile devices via Binder exploit. This Year many states were being attacked, namely Bangladesh, China, and Pakistan, using files of Corona Virus. 


Updated Malware: Vietnamese Hacking Group Targeting MacOS Users

 

Researchers have discovered a new MacOS backdoor that steals credentials and confidential information. As cyber threats continue to rise, the newly discovered malware is believed to be operated by Vietnamese hacking group OceanLotus, colloquially known as APT 32. Other common names include APT-C-00, SeaLotus, and Cobalt Kitty. 
 
The nation-state backed hacking group has been operating across Asia and is known to target governments, media organizations, research institutes, human rights organizations, corporate sector, and political entities across the Philippines, Laos, Vietnam, and Cambodia. Other campaigns by the hacking group also focused on maritime construction companies. Notably, OceanLotus APT also made headlines for distributing malware through Apps on Google Play along with malicious websites. 
 
The attackers found the MacOS backdoor in a malicious Word document that supposedly came via an email. However, there is no information regarding the targets that the campaign is focusing on. In order to set the attack into motion, the victims are encouraged to run a Zip file appearing to be a Word document (disguised as a Word icon). Upon running the Zip file, the app bundled in it carrying the malware gets installed; there are two files in it, one is the shell script and another one is the Word file. The MacOS backdoor is designed by attackers to provide them with a window into the affected system, allowing them to steal sensitive data.

"Like older versions of the OceanLotus backdoor, the new version contains two main functions: one for collecting operating system information and submitting this to its malicious C&C servers and receiving additional C&C communication information, and another for the backdoor capabilities," TrendMicro explained in a blogpost. 

In an analysis, Researchers told, “When a user looks for the fake doc folder via the macOS Finder app or the terminal command line, the folder’s name shows ‘ALL tim nha Chi Ngoc Canada.doc’ (‘tìm nhà Chị Ngọc’ roughly translates to ‘find Mrs. Ngoc’s house’).”

“However, checking the original .zip file that contains the folder shows three unexpected bytes between ‘.’ and ‘doc’.”


Chinese State-Sponsored Hackers Exploiting Zerologon Vulnerability

 

Chinese state-sponsored threat actors have been observed exploiting the Zerologon vulnerability in a global campaign targeting businesses from multiple industries in Japan and 17 other regions across the world including the United States and Europe. The attacked industries include engineering, automotive, managed service providers, and pharmaceutical. 

According to the information gathered by Symantec’s Broadcom division, these attacks have been attributed to the Cicada group also known as APT10, Cloud Hopper, or Stone Panda. 
 
The attackers are known for their sophistication, in certain cases, they were recorded to have hidden their suspicious acts effectively and remained undetected while operating for around a complete year. Previously, the state-backed actors have stolen data from militaries, businesses, and intelligence, and seemingly, Japanese subsidiaries are their newly found target. 
 
The links between the attacks and Cicada have been drawn based on the similar obfuscation methods and shellcode on loader DLLs to deliver malicious payloads, being used as noticed in the past along with various other similarities like living-off-the-land tools, backdoor QuasarRAT final payloads commonly employed by the hacking group. 
 
"The initial Cloud Analytics alert allowed our threat hunting team to identify further victims of this activity, build a more complete picture of this campaign, and attribute this activity to Cicada," Symantec said in their report. 
 
"The companies hit are, in the main, large, well-known organizations, many of which have links to Japan or Japanese companies, which is one of the main factors tying the victims together," the report further read. 
 
In September, Iranian-sponsored hacking group MuddyWater (MERCURY and SeedWorm) was seen to be actively exploiting Zerologon vulnerability. Another hacking group that exploited Zerologon was the financially-motivated TA505 threat group, also known as Chimborazo.
 
"The affected companies are from manufacturing, construction, and government-related industries, with top victims having around $143 billion, $33 billion and $2 billion yearly revenue," as per a report published by KELA, an Israel based Cybersecurity organization. 

"[M]ore and more threat actors, Advanced APT group and nation-state actors are considering Japanese organizations as valuable targets and are actively attacking them via opportunistic and targeted attacks," KELA further added.

Hackers Use Backdoor to Infiltrate Governments and Companies, Motive, not Money.


According to findings by cybersecurity firms Avast and ESET, an APT (Advanced Persistent Threat) cyberattack targeted companies and government authorities in Central Asia, using backdoors to gain entry into company networks for a long period. The targets involved telecom companies, gas agencies, and one government body in Central Asia. APT attacks, unlike other cyberattacks, don't work for money profits but have different motives.


According to cybersecurity experts, APT attacks are state-sponsored, and their purpose is to get intel on politics and inside information, not money. According to research findings, the hackers responsible for the APT attack in Central Asia is a group from China that uses RAT (Remote Access Tools). The attack was not their first, as experts believe that the same group was responsible for the 2017 cyberattacks against the Russian military and the Belarusian government.

APT attacks remain lowkey 

Unlike ransomware attacks that are famous for infiltrating the company networks, involving some top IT companies, the APT actors like to stay out of the radar and remain unnoticed. The motive of these attacks is not blackmail by having sensitive information. These attacks aim to remain unnoticed for as long as possible, as it allows hackers to have access to the company's network and data. Experts say that they currently don't have substantial evidence about the data that was deleted or manipulated. After the attack, the hackers part away as to avoid any suspicion or identification. Confidential info like Espionage, government policies, and trade, is what these hackers are after.

The cyberattacks are on the rise due to people working from home, giving opportunities to hackers. It has been very tough to protect users from malware attacks in the current times, due to millions of malware. The reason is the COVID-19 pandemic, and the best chance to stay safe from hackers is to be on alert after the pandemic ends. Users should check every link they get, before opening it or passing it to someone else. People working from home should keep their systems and device updated, along with the applications.

Government based hacking groups are attacking Microsoft Exchange Servers


Various government-backed hacking groups and APTs are targeting and exploiting a vulnerability in Microsoft Exchange email servers. The vulnerability was patched last month February 2020.


Volexity, a UK cyber security firm was the first to discover these exploitation attempts on Friday. But neither did they share the names of the hacking groups nor did they comment further on the matter. It is rumoured that the hacking groups are "the big players" but nothing has been confirmed yet. The vulnerability is identified as CVE-2020-0688.

Microsoft released fixes for this on Feb 11 and asked system admins to install the fixes as soon as possible to ward of attacks. After the release of the patch, things remained calm only to escalate after two weeks when Zero-Day Initiative reported the bug to Microsoft and published a detailed report on the vulnerability and how it worked. Security researchers used this report to craft proof-of-concept exploits to test their own servers and create detection rules.

And as soon as all this info became public, hackers started playing attention and when all this information was easily available they took advantage of the vulnerability.

"On February 26, a day after the Zero-Day Initiative report went live, hacker groups began scanning the internet for Exchange servers, compiling lists of vulnerable servers they could target at a later date. First scans of this type were detected by threat intel firm Bad Packets." reports Zdnet.

Volexity said, these scans turned into actual attacks.

APTs - "advanced persistent threats," were the first to exploit this bug to attack. APTs are state sponsored hacking groups. Security Researchers say, this vulnerability could become quite popular among ransomware attackers.

It is not easy to exploit CVE-2020-0688 vulnerability. Only expert hackers can abuse this bug as they need the credentials for an email account on the Exchange server- but it will not stop ransom gangs and APTs as these are well versed in phishing mail campaigns and gain credentials through the same.

Companies and organizations which have had previous phishing and malware attacks, are adviced to update their Exchange email servers with the bug fix as soon as possible.

Another Chinese state-sponsored hacking groups discovered - would be the fourth one to be found


A group of cyber security analyst, Intrusion Truth have found their fourth Chinese state-sponsored hacking operation APT 40.
"APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer," the Intrusion Truth team said. "We know that multiple areas of China each have their own APT."
APT stands for Advanced Persistent Threat and is used to describe government supported and sponsored hacking groups. 

Intrusion Truth has previously exposed three government supported APTs, APT3 (believed to operate out of the Guangdong province), APT10 (Tianjin province), and APT17 (Jinan province),  they have now doxed APT40, China's cyber apparatus in the state of Hainan, an island in the South China Sea.

In a blog post, they said they've discovered 13 companies that serve as a front for APT activists. These companies use offline details, overlapping contacts and no online presence except to recruit cyber experts. 

"Looking beyond the linked contact details though, some of the skills that these adverts are seeking are on the aggressive end of the spectrum," the Intrusion Truth team said.

"While the companies stress that they are committed to information security and cyber-defense, the technical job adverts that they have placed seek skills that would more likely be suitable for red teaming and conducting cyber-attacks," they further said. 

APT40 RECRUITMENT MANAGED BY A PROFESSOR

Intrusion Truth was able to link all these companies mentioned above to a single person, a professor in the Information Security Department at the Hainan University.

One of the 13 companies was even headquartered at the university's library. This professor was also a former member of China's military. 

"[Name redacted by ZDNet] appeared to manage a network security competition at the university and was reportedly seeking novel ways of cracking passwords, offering large amounts of money to those able to do so," the anonymous researchers said.Intrusion Truth are pretty credible and have a good track record, US authorities have investigated  two of their three APT expose. 

Hackers Bypass the 2-step Verification to Invade Government Systems and Industries


2-step verification is an extra security measure that an application uses when connecting to a service or a device. But the 2-step authentication was avoided by a group of hackers from China known as APT20. The government, industries, and various corporations across the world are concerned about the issue. This is disturbing news for the world of cybersecurity. APT 20, a criminal hacking organization from China was able to avoid the important 2-step verification, that is used as a safety precaution by vast services on the internet such as Google, Whatsapp, Instagram, etc. But above all this, this issue is a major concern for banking institutions that rely on internet services for their conduct.



The APT20 group was caught avoiding the 2-step Verification: 

After successfully breaking the verification process, APT20 was able to get access to some government agencies, corporate databases, and servers of various industries. The activity was discovered by Fox-It, a Dutch security specialist, when it received a complaint from one of the victims and upon investigation, it was able to identify the criminal group responsible for the attack. The corporations hit by the attack are spread over 10 nations and different sectors, some of which include Germany, Britain, France, the US, and China. The sectors affected are flight, architecture, banking, power, security, transportation, HR services, etc. The attack, however, doesn't affect the general public, as it focuses much on the corporations.

What is a 2-step verification?

Today, 2-step verification has become an official security order and is used worldwide by the users as an assurance of security (even if the users are unaware, their systems rely on this method). The safety method comes along with an extension to the typical login-password credentials process. 2-step verification operates when the user enters his credentials while logging into a device, following which he is sent a temporary code.

The 2-step verification asks the user a temporary code that he has to enter while logging in to the device. For instance, Google systems like Gmail retrieves the user back to his device for confirming the identity. Only after making sure that the user is authenticated and not a fraud, he is allowed access into the specified device. After filling in the code, the user verifies his identification to the system.   

Mobile Malware: The next biggest security threat around the world


BlackBerry reveals Advance Persistence Threats and players targeting several enterprises. This entire time, the world had no clue about how widespread and common mobile malware is, and how it is being used for constant monitoring and reconnaissance. In truth, there are several hot actors and high-level safety threat that we didn't know until now. An advanced persistent threat (APT) is a long-time and pointed cyber invasion in which an invader gets entrance to a system and stays anonymous for a while.


The purpose of an APT intervention is usually to spy mobile actions and unlawfully take data instead of causing any harm to the company or the network. "It is Fertile, Prevalent and Multi-Platform," concludes Blackberry in a report titled 'Mobile Malware and APT Espionage.' The analysts recognized three superior harmful attacks, dawning essentially in countries like China, North Korea, Vietnam, and Iran, which further strengthens mobile malware, along with computer malware. The final aim is cyber spying and info retrieving, principally for business and administrative purposes. 

Opening up is a new harmful threat that Blackberry proclaims as BBCY-TA2. PWNDROID3, an earlier obscure android malware class, is being used for distributing a counterfeit bitcoin application. Following it is BBCY-TA3, a mobile malware that aims for westward and South Asian economic ventures in the telecommunications business. It also picks out almost all chemical production corporations across the globe, except for China. BlackBerry states it is yielding its relapse support with BBCY-TA2. Another Advance Persistence Threat is a class known as OCEANLOTUS, which uses a unique Android malware species PWNDROID1, via three spam mobile applications.

The whole show is that it makes BlackBerry Cylance CTO Eric Cornelius to the understanding that phone invasions are more conspicuous pervading of a danger than what people assumed. “This would come as a blow to the people when they discover how connected, and long-termed the attacks picking up mobile users are, as they have been simple prey for Advance Persistent Threat organizations. The reason being is the traditional lack of efficient safety resolutions for identifying and stopping mobile malware.”

Buckeye APT hackers stole the NSA hacking tools before Shadow Brokers leaked these tools




Buckeye APT hackers, a Chinese State sponsored group employed the tools of Equation Group which were leaked by the Shadow Brokers in 2017, a year earlier than the leaks.

Shadow Brokers is a mysterious assemblage of hackers who stole malware, hacking tools and zero-day exploits from the Equation group which is a branch under the NSA and is one of the most advanced and futuristic cyber attack groups across the world.

Conducting operations since 2009, Buckeye group, also known by the name of APT3, exploited these tools earlier for carrying out multiple attacks on to a number of organizations on their list, they did so in order to gain unauthorized access to these organizations mainly based in the United States.

Besides being responsible for exploiting zero-day vulnerabilities in 2014, the Buckeye group, a couple of years later, used 'Trojan.Bemstour', a custom exploit tool in order to reach the targets.

With the intent to attain remote kernel code execution on victims' computer systems, Bemstour exploited the following zero-day vulnerabilities on Windows – (CVE-2019-0703),(CVE-2017-0143). These were later employed by EternalRomance and EternalSynergy, two NSA owned exploit tools,

Referenced from the findings of Symantec report, “Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor. DoublePulsar is then used to inject a secondary payload, which runs in memory only. The secondary payload enables the attackers to access the affected computer even after DoublePulsar is removed. “

“The variant of DoublePulsar used in the first attacks performed by Buckeye was different to that leaked by the Shadow Brokers. It appears to contain code to target newer versions of Windows (Windows 8.1 and Windows Server 2012 R2), indicating that it is a newer version of the malware.”






Zero-day vulnerability in Internet Explorer discovered

According to security researchers at Chinese web giant Quihoo 360, hackers are using a zero-day vulnerability in Internet Explorer kernel code to infect Windows computers with malware.

The researchers say that an advanced persistent threat (APT) group is using the vulnerability to infect victims on a global scale by sending malicious Office documents to selected targets.


These documents are loaded with what they call a "double-kill" vulnerability, which affects the latest versions of Internet Explorer and any other applications that use IE kernel. When victims open the office document, the bug launches a malicious webpage in the background to deliver malware from a remote server.

"After the target opens the document, all exploit code and malicious payloads are loaded from a remote server," the researchers wrote in a blog post on the Chinese platform Weibo.

The researchers said that the attack involves the use of a public User Account Control (UAC) bypass, reflective DLL loading, fileless execution, and steganography; they also provided a diagram that roughly outlines the attack, with Chinese annotations.


The company says that it has reported the vulnerability to Microsoft and will be giving them appropriate time to find a patch before it reveals more details about the bug.

Microsoft has neither confirmed nor denied the attacks, but has given the following statement:

Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide remediation via our current Update Tuesday schedule.