
APTs: Description, Key Threats, and Best Management Practices


An Advanced Persistent Threat (APT) is a sophisticated, multi-stage cyberattack in which the threat actor covertly creates and maintains a presence within an organization’s network, undetected, over a period of time.

The target may be a government agency or a business, and the stolen information may be used to do additional harm. When attempting to penetrate a high-value target, an APT may first be launched against the systems of a single related entity. APTs have been attributed to both state actors and private criminals.

Several organizations closely monitor the threat actor groups behind these APTs. CrowdStrike, a security company that tracks over 170 APT groups, reports a nearly 45% rise in interactive intrusion attempts between 2020 and 2021. Nation-state espionage is now a strong second in frequency, although financially motivated e-crime is still the most frequently identified motive.

An APT typically comprises three main stages:

  1. Network infiltration 
  2. The expansion of the attacker’s presence 
  3. The extraction of amassed data (or, in some instances, the launch of sabotage within the system)

Since the threat is designed both to evade detection and to acquire sensitive information, each of these stages may involve several steps and be carried out patiently over an extended period of time.

Successful breaches may operate covertly for years, but some actions, such as jumping from a third-party provider to the ultimate target or carrying out a financial exfiltration, may be completed very rapidly.

APTs have a reputation for using deception to frustrate direct attribution of their work. An APT run from one country may incorporate language from another country into its code to confuse investigators.

Investigating teams may also have close relationships with state intelligence agencies, leading some to question the objectivity of their findings.

Amid this, the tactics, techniques, and procedures (TTPs) of APTs are constantly updated in response to the changing environment and to countermeasures. “This past year, there was a dramatic uptick in APT attacks on critical infrastructure such as the transportation and financial sectors,” says Trellix’s Head of Threat Intelligence.

List of key threats

New APTs based on advanced techniques are, by nature, generally operating while remaining undetected. Additionally, challenging attacks continue to be carried out against organizations long after they were first detected (for instance, SolarWinds).

Moreover, new trends and patterns are constantly being identified and copied until a means is found to render them ineffective. Listed below are some of the major trends in APTs identified by the Russian security firm Kaspersky:

The private sector supporting an influx of new APT players: It is anticipated that more and more APTs will use commercially available products like the Pegasus software from the Israeli company NSO Group, which is marketed to government agencies for its zero-click surveillance capabilities. 

Mobile devices exposed to wide, sophisticated attacks: Although Apple's new Lockdown Mode for the iOS 16 iPhone software update is meant to address the exploitation of spyware by NSO Group, its phones still stand with Android and other mobile devices as the top targets of APTs. 

More supply-chain attacks: Supply-chain attacks should continue to be a particularly effective strategy for reaching high-value government and private targets, as demonstrated by SolarWinds. 

Continued exploitation of work-from-home (WFH): With the WFH arrangements that have emerged since 2020, hacker groups will continue targeting employees’ remote systems until those systems are hardened enough to resist exploitation.

Increase in APT intrusions in the Middle East, Turkey, and Africa (META) region, especially in Africa: With the deteriorating geopolitical situation globally, espionage is spreading rapidly into areas where systems and communications are most vulnerable.

APT Identification and Management Practices: 

Since APTs are designed to be covert, are well resourced, and are backed by constant development and by the illicit trade in zero-day exploits, they are intrinsically hard to detect. Attacks, however, frequently follow a pattern, going after predictable targets such as admin credentials and privileged data repositories that represent important company assets.

Following are five recommendations for preventing and identifying APT intrusions:

1. Threat modeling and instrumentation: According to Igor Volovich, Vice President of Compliance for Omulos “Threat modeling is a useful practice that helps defenders understand their risk posture from an attacker’s perspective, informing architecture and design decisions around security controls […] Instrumenting the environment with effective controls capable of detecting malicious activity based on intent rather than specific technique is a strategic direction that enterprises should pursue.” 

2. Stay alert: Pay close attention to the output of security analysts and security community postings that track APT groups, since they look for activity attributable to known threat groups and threat actors, as well as activity that indicates a potential intrusion or campaign.

3. Baseline: It is crucial to understand your own environment and establish a common baseline in order to identify anomalous behavior in the environment and, consequently, spot the tell-tale signs of the presence of APTs. It is easier to identify odd traffic patterns and unusual behavior by using this baseline. 

4. Use your tools: Existing security tools such as endpoint protection, network intrusion prevention systems, firewalls, and email protection can also be used to identify APTs.

5. Threat Intelligence: Threat intelligence sources should be evaluated against data from security tools and information on potentially unusual traffic. Threat feeds can describe a threat and what it may signify for the target organization. These sources can help a management team identify potential attackers and determine their likely objectives.

Reasons Why an Updated ISO 27001 Is Crucial for Business Security

Advanced, a supplier to the UK’s National Health Service, faced a cyberattack on the morning of 4 August 2022. It served as a stark example of how important a well-regulated set of rules and controls is to any company’s security. As a result of the attack, NHS 111, the NHS’s 24/7 health helpline, was taken down, along with urgent treatment centres, causing widespread disruption.

There are numerous cases of such cyber attacks in which organizations suffer huge losses. This has made security a crucial part of any business operation today. To secure your digital assets, you should adopt a set of established practices and widely accepted principles for your industry. ISO 27001 works well for this purpose.

ISO 27001, also referred to simply as “the standard” or “ISO”, is part of the ISO 27000 family; it is an auditable information security standard. ISO 27001 is considered the leading source of advice and direction for implementing and maintaining an ISMS (information security management system), and the ISO family is recognized throughout the world.

Specifically, ISO 27002 is a directive for Information Security Management Systems. It describes the “physical and logical controls” that a company should follow to protect its confidential data. It is the well-known “international standard” for information security management systems and was first published in 2005.

In 2005 it was published as an information security framework for handling risks such as cyberattacks and data leaks. On October 25, 2022, a new update with new features was published.

The updated standard consists of a set of clauses that define the management system, and Annex A, which lists a series of controls. The clauses cover proper risk management, and Annex A’s controls cover areas such as patch management, antivirus, and access control.

A further benefit ISO 27001 provides to businesses is that not all controls are compulsory; each business can select the specific controls that fit its needs.

Benefits ISO 27001 Certification Gives to Your Business

One of the most important benefits of implementing ISO 27001 is the security advantage it gives organizations from the outset.

ISO 27001 certification, which companies gain by investing their time, is appraised by customers as a sign that the company takes information security seriously.

Considering the increasing number and new variants of cyber-attacks, companies should act to protect their information and treat ISO 27001 as mandatory. Taking such safeguarding measures early is the best way to avoid losing out commercially.

ISO 27001 also works as a form of cyber-insurance, safeguarding the firm’s finances over the longer term. Since cyber-attacks in any sector result in large monetary losses along with reputational damage, ISO 27001 is also well suited to avoiding such losses.

It might seem daunting for a business to implement all of this in a way that is both effective and efficient. However, with the right plan in place, it can reap all the benefits that ISO 27001 certification provides.

To ensure that businesses succeed in achieving certification under the revised version of the standard, it is also important to recognize that October was not the deadline for obtaining certification. It may be a few months before certification bodies are ready to offer certification against the revised standard. Following its announcement, businesses will likely have a two-year transition period before ISO 27001:2013 is retired completely.

As we move forward with ISO 27001 adoption, it is imperative to remember that although ISO 27001 compliance can be challenging, it is without doubt invaluable in today's hyper-connected world for businesses that wish to establish themselves as highly trusted and reliable partners.

Active Threat of Black Basta Ransomware to US Companies via QakBot Malware

Recently Joakim Kandefelt and Danielle Frankel, researchers at the cybersecurity firm Cybereason, announced that the Black Basta ransomware operators are running a new campaign targeting U.S. companies with QakBot malware. Through this campaign, the malicious actors attempt to gain entry to, and then take over, the organization’s network.

The threat actors use the Black Basta ransomware as a tool to capture the data on the victim’s network or system. This ransomware specifically targets organizations rather than individuals. Black Basta encrypts and locks the targeted organization’s data using encryption that cannot be broken without the specific decryption keys.

Black Basta ransomware was first observed in April and is considered an outgrowth of the Conti ransomware. It uses the proven double-extortion method: confidential information is extracted from the targeted organization, and the attackers then use it to coerce the victim into paying a ransom, threatening to release the information to the public if the demanded ransom is not paid.

It is worth noting that a Black Basta attack on a network makes visible changes to the victim's desktop. These include renaming encrypted files with the ‘.basta’ file extension, changing the desktop background to a new image, and creating a new file on the system named “readme.txt.” The wallpaper image includes a short message directing the targeted users to open that text file.

The prime target companies of the ransomware are from the U.S., Canada, Australia, and New Zealand. 

QakBot, used in the latest Black Basta campaign, dates back to 2019 and has been used widely in other ransomware attacks, such as the attack on Fujifilm Holdings Corp in 2020. What makes QakBot so popular with attackers is that once it gains access to the target’s network, it also creates an entry point for the threat actor to deploy more malware.

In a study of the Black Basta campaign, it was observed that the operators behind it are highly skilled and well organized. In an attack under this campaign, the malicious actors gain access to the victim’s domain within two hours and can deliver the ransomware in just twelve hours.

Cybereason issued a warning urging organizations to be aware of these attacks and to protect themselves against them, recommending certain precautionary measures. First, companies should be alert to and prevent infections by Black Basta and QakBot; second, Cybereason customers should enable variant payload protection and block vulnerable users and sources.

Additionally, every organization should look for network connections that appear malicious. Cybereason also advises resetting Active Directory access.

Rise of Luna Moth’s Malware-Free Extortion Campaign

A group of security researchers has discovered that a threat actor has managed to extort hundreds of thousands of dollars from mostly small and midsized businesses over the last few months without using any encryption tools or malware.

The group, known as Luna Moth (also called the "Silent" ransomware group), has been using an array of legitimate tools and an extortion method known as "call-back phishing" to target victims. It then uses the sensitive data it steals as leverage to extort payment from them.

Targeted attacks 

In a report published on Monday by Palo Alto Networks' Unit 42, researchers said that the adversary has primarily targeted smaller legal firms in the past, but in recent times it has begun going after larger retailers as well. There is evidence that the threat actor's tactics have evolved over the last few years and become more efficient. The security vendor says this means it now poses a danger to every organization, regardless of size.

Kristopher Russo, a senior threat researcher with Palo Alto Networks' Unit 42, is finding that this tactic is widely used to target businesses of all sizes, from large retailers to small and medium-sized law firms. "Because social engineering targets individuals, the size of the company does not offer much protection", said Russo.

Call-Back Phishing 

Call-back phishing is a tactic that security researchers first observed being used by the Conti ransomware group over a year ago, in a campaign to install BazarLoader malware on targets' systems.

The scam starts with an adversary sending a phishing email to a specific, targeted individual at a victim organization. The phishing email is custom-made for the recipient. It originates from a legitimate email service and involves some kind of lure to get the user to initiate a phone call with the attacker. 

In the Luna Moth incidents that Unit 42 researchers observed, the phishing email contained an invoice, in the form of a PDF file, for a subscription service in the recipient's name. The attackers inform the victim that the subscription will soon become active and be billed to the credit card on file. The email provides a phone number for a purported call center, or sometimes several numbers, that users can call if they have questions about the invoice. Some of the invoices carry the logos of well-known companies at the top of the page.

"This invoice even includes a unique tracking number used by the call center," Russo says. "So, when the victim calls the number to dispute the invoice, they look like a legitimate business." The attackers then convince callers to initiate a remote session with them using the Zoho Assist virtual support tool. Once the victim is connected to the remote session, the attacker takes control of the victim's keyboard and mouse, enables access to the clipboard, and blanks out the user's screen, Unit 42 said.

Once that is done, the attackers' next step is to install the legitimate Syncro remote support software to maintain persistence on the victim's machine. They have also deployed other legitimate tools, such as Rclone or WinSCP, to exfiltrate data from it. Security tools rarely flag these products as suspicious because administrators have legitimate uses for them in an environment.

In previous attacks, the adversaries installed multiple remote monitoring and management tools such as Atera and Splashtop on victim systems. However, lately, they appear to have whittled down their toolkit, Unit 42 said. 

If a victim does not have administrative rights on their system, the attacker makes no attempt to persist on it and instead proceeds straight to stealing data using WinSCP Portable.

"In cases where the attacker established persistence, exfiltration occurred hours to weeks after initial contact. Otherwise, the attacker only took what they could during the call," Unit 42 said in its report. 
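Detection logic for the tradecraft described above, as an added example that is not part of Unit 42's report or tooling: it runs over constructed process-creation records and flags remote-support tools that are not in a host's approved inventory, then escalates when Rclone or WinSCP starts on the same host afterwards. The product-name token matching, the per-host inventory and the 14-day correlation window are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Product-name tokens for the tools named in the Luna Moth reporting. Matching
# on tokens in the image name is an assumption for this example; production
# rules should key on the vendors' actual binary names and code signers.
REMOTE_SUPPORT_TOKENS = ("zoho", "syncro", "atera", "splashtop", "anydesk")
TRANSFER_TOKENS = ("rclone", "winscp")
# Assumed per-host inventory of remote-support tools that IT legitimately runs.
APPROVED = {"ws-it-01": {"atera"}}
# Unit 42: exfiltration happened hours to weeks after contact (assumed tuning).
CORRELATION_WINDOW = timedelta(days=14)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    image: str


def parse(line):
    """Constructed record format: ISO timestamp|host|user|image path."""
    ts, host, user, image = [p.strip() for p in line.split("|")]
    return Event(datetime.fromisoformat(ts), host, user, image)


def classify(image):
    """Return ('remote', token), ('transfer', token) or (None, None)."""
    name = image.lower().rsplit("\\", 1)[-1]
    for tok in REMOTE_SUPPORT_TOKENS:
        if tok in name:
            return "remote", tok
    for tok in TRANSFER_TOKENS:
        if tok in name:
            return "transfer", tok
    return None, None


def detect(lines):
    """Return (severity, host, message) alerts in timestamp order."""
    events = sorted((parse(ln) for ln in lines if ln.strip()), key=lambda e: e.ts)
    last_unapproved = {}  # host -> (ts, token) of latest unapproved remote tool
    alerts = []
    for ev in events:
        kind, tok = classify(ev.image)
        if kind == "remote":
            if tok in APPROVED.get(ev.host, set()):
                continue  # inventory says this tool belongs on this host
            last_unapproved[ev.host] = (ev.ts, tok)
            alerts.append(("medium", ev.host,
                           f"unapproved remote-support tool {tok} run by {ev.user}"))
        elif kind == "transfer":
            prior = last_unapproved.get(ev.host)
            if prior and ev.ts - prior[0] <= CORRELATION_WINDOW:
                alerts.append(("high", ev.host,
                               f"{tok} started {ev.ts - prior[0]} after "
                               f"unapproved {prior[1]} session"))
            else:
                alerts.append(("low", ev.host,
                               f"transfer tool {tok} with no preceding remote session"))
    return alerts


# Constructed sample records, not real telemetry.
SAMPLE_LOG = r"""
2022-11-14T09:00:00|ws-it-01|helpdesk|C:\Program Files\ATERA Networks\AteraAgent.exe
2022-11-14T10:02:00|ws-acct-07|jdoe|C:\Users\jdoe\Downloads\ZohoAssist.exe
2022-11-14T10:41:00|ws-acct-07|jdoe|C:\Program Files\Syncro\Syncro.Service.exe
2022-11-15T13:05:00|ws-it-01|helpdesk|C:\Tools\WinSCP\WinSCP.exe
2022-11-16T22:15:00|ws-acct-07|jdoe|C:\Users\jdoe\AppData\Local\Temp\rclone.exe
"""

if __name__ == "__main__":
    for sev, host, msg in detect(SAMPLE_LOG.splitlines()):
        print(f"[{sev}] {host}: {msg}")
```

On the sample, the approved Atera agent on ws-it-01 is ignored, the two unapproved tools on ws-acct-07 raise medium alerts, WinSCP on ws-it-01 is low because no unapproved session preceded it, and rclone on ws-acct-07 is escalated to high.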


Applying the Most Pressure 

According to Russo, the Luna Moth group usually looks for data that, when used appropriately, will put the greatest pressure on its victims with the least amount of risk. A deep understanding of the legal industry was evident from the attacker's targeting of law firms. A person with that knowledge could easily distinguish which data would be most harmful if misused.

Russo describes Unit 42 as having worked on cases in which a law firm's sensitive and confidential data was targeted. After reviewing the data they had stolen, the attackers included a sample of the most damaging material in the extortion email they sent out.

In many attacks the adversary named the victim's biggest clients and threatened to contact them directly if the victim organization did not pay the demanded ransom, which could range anywhere from 2 to 78 Bitcoins in some cases.

According to the investigations carried out by Unit 42, in the cases where the attackers gained access to the victim's computer they did not move laterally afterwards. However, Russo points out that the group does continually monitor the compromised computer if the victim has admin credentials, even going so far as to telephone victims and taunt them if they notice remediation efforts.

Sygnia, among the first to report on Luna Moth's activities, described the group as most likely surfacing in March. The security vendor said it had observed the threat actor using commercially available remote access tools, including Atera, Splashtop, Syncro, and AnyDesk, for persistence. Sygnia researchers also observed the threat actor using the SoftPerfect network scanner and a third-party tool called SharpShares for network enumeration and reconnaissance. According to Sygnia, the attackers gave the tools stored on compromised systems spoofed names to disguise them as legitimate binaries.

According to Russo, the threat actor is focused on minimizing its digital footprint in order to circumvent most technical security controls.

Unit 42 said that because the attackers relied entirely on social engineering to conduct the campaign and on legitimate tools to execute it, few artifacts were left behind following the attack. To safeguard against this threat, Russo said his organization recommends that organizations of all sizes conduct security awareness training for their employees.

SWFD Alerts Patients About the Ransomware Attack


Santa Rosa Beach, Fla. (WMBB) – The South Walton Fire District is dealing with a ransomware attack that took place in May 2022.

The threat actor reportedly targeted the district's computer systems over the past Memorial Day weekend. The hack may affect patient information, particularly data on patients the fire district transported between 2007 and 2019, South Walton Fire District officials say.

While officials have confirmed that no information has been leaked so far, a thorough investigation of the incident is ongoing. District officials are also taking additional precautionary measures to secure the affected patient information.

Details of The Ransomware Attack 

On Memorial Day, SWFD discovered that someone had encrypted their dispatch system's data, acquired temporary access, and left a ransom note. 

“In essence, what somebody had done was get access to the system, encrypted the data, and left a ransom note for us to, basically, pay that ransom in order to get that data back […] Fortunately, internally we have a pretty robust mechanism in place to do backups. So we never had to engage that threat actor to gain that data back. We were able to re-install that data and be back up and running in about a day and a half,” says South Walton Fire District Fire Chief Ryan Crawford. 

Chief Crawford mentions that immediate measures were put into action after the district learned about the attack, by calling in federal, state, and local law enforcement. He says that they are continuously working on newer methods and technologies against threat actors in order to secure data. 

“We have already taken a number of additional layers of protection to try and mitigate the issue and prevent further instances like this from occurring,” says Crawford. 

Describing one of the cautionary measures, Crawford says, “One of the easiest ways is to take those archived medical records completely offline […] And so now, you know, those are really accessible to us for when people do public records requests and those sorts of things, it now requires us to go into the room where that server is located to pull that information rather than doing that remote.”

In addition to this, SWFD has also established a toll-free call center to solve queries regarding the incident and address related concerns. The call center agents can be reached at 1-800-939-4170 from 8 a.m. to 8 p.m. Central Time, Monday through Friday.  

Understanding BatLoader Malware and How It Works


BatLoader's operators follow the common cybercriminal practice of choosing victims for maximum return: they prefer to target large organizations, companies, or firms rather than individuals, since the payoff from attacks on firms is far larger.

Researchers at VMware Carbon Black stated that the operators of BatLoader are using a dropper to deliver a variety of malware tools, including a banking Trojan, an information stealer, and the Cobalt Strike post-exploitation toolkit, onto the target’s system.

The researchers at VMware also stated that “the threat actors utilize search engine optimization (SEO) poisoning to lure users to downloading the malware from compromised websites.” 

The research highlighted similarities between BatLoader and Conti ransomware. The VMware team found that some attributes of BatLoader's attack chain resembled past Conti ransomware incidents.

Mandiant, a subsidiary of Google, has also pointed out the similarities in the techniques employed by BatLoader and Conti. However, the team at VMware clearly stated that there is no link to Conti in the origin of the BatLoader. 

VMware's Carbon Black MDR team has disclosed 43 successful BatLoader attacks in the past 90 days. There were also unsuccessful cases in which the threat operators delivered the initial payload but the victim did not run it, nullifying the harm. The team also reported the number of affected organizations by sector: five companies in manufacturing, seven in financial services, and nine in business services, with numerous attempts in the education, IT, healthcare, and retail sectors.

BatLoader’s process of infecting the target’s system 

BatLoader infects the target’s system by being embedded inside Windows MSI installers for software such as TeamViewer, LogMeIn, and AnyDesk.

The criminals then purchase adverts that direct victims to replica websites such as logmein-cloud.com. These paid adverts appear at the top of the results page when users search for software such as Zoom or AnyDesk.

When victims follow the adverts, download the software, and execute it, their system is opened up to the threat actors.
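One defender-side check for the advert-to-replica-site chain described above, added here and not taken from VMware Carbon Black's research: given the URL an advert points to, it flags hosts that mention a vendor brand but do not belong to that vendor's registrable domain, and installers served from non-vendor domains. The vendor domain allowlist, the two-label registrable-domain rule and the sample URLs are simplifying assumptions and constructed values.

```python
from urllib.parse import urlsplit

# Assumed allowlist of each vendor's own registrable domains. This is an
# example inventory, not an authoritative list: a deployment must populate it
# from the vendors' published download locations.
VENDOR_DOMAINS = {
    "logmein": {"logmein.com"},
    "anydesk": {"anydesk.com"},
    "teamviewer": {"teamviewer.com"},
    "zoom": {"zoom.us"},
}
INSTALLER_EXTENSIONS = (".msi", ".exe")


def registrable_domain(host):
    """Last two DNS labels. Simplification: multi-part public suffixes such
    as co.uk need the Public Suffix List, which this example does not use."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def assess(url):
    """Return a list of findings for one advert landing/download URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    path = parts.path.lower()
    # Hyphens are stripped so 'logmein-cloud.com' still matches 'logmein'.
    # Homoglyph and typo variants are out of scope for this example.
    flat = host.replace("-", "")
    findings = []
    for brand, domains in VENDOR_DOMAINS.items():
        if brand in flat and reg not in domains:
            findings.append(
                f"lookalike: host mentions '{brand}' but registrable domain is {reg}")
    on_vendor = any(reg in domains for domains in VENDOR_DOMAINS.values())
    if path.endswith(INSTALLER_EXTENSIONS) and not on_vendor:
        filename = path.rsplit("/", 1)[-1]
        findings.append(f"installer {filename} served from non-vendor domain {reg}")
    return findings


def triage(urls):
    """Map each flagged URL to its findings; clean URLs are omitted."""
    flagged = {}
    for url in urls:
        findings = assess(url)
        if findings:
            flagged[url] = findings
    return flagged


# Constructed sample advert targets; only logmein-cloud.com comes from the report.
SAMPLE_AD_URLS = [
    "https://logmein-cloud.com/download/LogMeIn.msi",
    "https://www.logmein.com/downloads",
    "https://zoom-us-download.net/ZoomInstaller.msi",
    "https://www.teamviewer.com/download/TeamViewer_Setup.exe",
    "https://files.example.org/tools/AnyDesk.msi",
]

if __name__ == "__main__":
    for url, findings in triage(SAMPLE_AD_URLS).items():
        print(url)
        for finding in findings:
            print("  -", finding)
```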

BatLoader has advanced capabilities, especially for harming businesses, because it is only semi-automated: it is controlled by a person or group of people rather than by additional code. BatLoader uses “living off the land” techniques to distribute more malware.

A “living off the land” attack means that once malicious actors have control of a system, they can use pre-existing software such as Windows PowerShell and scripting tools to run commands on that system without installing any other malware.

The researchers concluded that BatLoader is more dangerous because, once it has been installed and executed, it also downloads and installs the banking malware and information stealer. In addition, BatLoader can determine whether the host is connected to other networks and will install remote monitoring and management tools to target all connected systems.

Even with advances in cybersecurity technology, BatLoader and similar threats show a clear need for more tools and knowledge to detect the source of such threats and block their spread. Given the regular emergence of new threat vectors, the changing dynamics of threats, and the demand for updated ways of fighting these cyberattacks, taking an online course to gain cybersecurity knowledge is also a sound decision for reducing the chance of losses from cyber-attacks.

Hive Ransomware Operators Extort $100m from Over 1,300 Firms Worldwide

The operators behind the Hive ransomware-as-a-service (RaaS) model have launched assaults against over 1,300 firms across the globe and received approximately $100 million in ransom payments as of November 2022, US government agencies stated in an alert.

Active since June 2021, the malicious ransomware model has been employed in assaults against enterprises and critical infrastructure entities, including healthcare, government, communications, IT, and manufacturing organizations. 

"Hive ransomware has targeted a wide range of businesses and critical infrastructure sectors, including government facilities, communications, critical manufacturing, information technology, and — especially — Healthcare and Public Health (HPH)," read the joint advisory by the FBI, the US Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services.

Modus Operandi 

Hive's RaaS operation involves a mix of operators, who design and manage the malware, and affiliates, who are responsible for launching the assaults on victim networks, often by purchasing initial access from initial access brokers (IABs).

In most scenarios, securing a foothold involves exploiting ProxyShell vulnerabilities in Microsoft Exchange Server, followed by identifying and terminating processes linked to antimalware, backups, and file copying, and deleting Windows event logs.

Subsequently, the ransomware creates a file with the .key extension in the root directory; this file, which is unique to the system it was created on, is required for decryption. A ransom note is dropped into each affected directory, warning targets not to tamper with the .key file, as that would prevent data recovery, and asking victims to contact the attackers via live chat on a website accessible through the Tor browser.

The ransomware actor also threatens victims that, if a ransom is not paid, data would be leaked publicly on the Tor site ‘HiveLeaks’. Threat analysts also detected crooks employing anonymous file-sharing sites to publish siphoned data. 

"Hive actors have been known to reinfect — with either Hive ransomware or another ransomware variant — the networks of victim organizations who have restored their network without making a ransom payment," the advisory further reads. 

According to the recent report published by cybersecurity firm Malwarebytes, the ransomware targeted seven victims in August 2022, 14 in September, and two other organizations in October, marking a fall in the operations from July, when the gang targeted 26 victims.

Mustang Panda: Chinese Threat Actor Targets Governments Worldwide

The advanced threat actor Mustang Panda has been linked to a spear-phishing campaign targeting governments and the academic and research sectors across the globe.

According to Trend Micro’s report, the primary targets of the phishing attacks between May and October 2022 included entities in Asia Pacific countries such as Myanmar, Australia, the Philippines, Japan, and Taiwan.

Mustang Panda, also known as Bronze President, Earth Preta, HoneyMyte, or Red Lich, is an espionage threat actor based in China. The group is said to have been active since July 2018 and is known for using malware such as China Chopper and PlugX to steal data. 

Attributes of the Phishing Attack 

The attacks involve spear-phishing emails and messages distributed via Google accounts. The fraudulent emails entice targets into downloading custom malware through Google Drive links. 

During the investigation, researchers found that Mustang Panda used messages on geopolitical subjects, with around 84% of the attacks targeting governmental and legal organizations. 

The attached link apparently directed targets to a Google Drive or Dropbox folder in order to avoid suspicion. From there, users were led to download RAR, ZIP, and JAR archives that may contain malware variants such as ToneShell, ToneIns, and Pubload. 

"Earth Preta abused fake Google accounts to distribute the malware via spear-phishing emails, initially stored in an archive file (such as RAR/ZIP/JAR) and distributed through Google Drive links," says researchers Nick Dai, Vickie Su, and Sunny Lu. 

Although the hackers used a variety of malware-loading methods, the process mainly relied on DLL side-loading once the target ran the executable contained in the archive. 

“In addition, the actors leverage different techniques for evading detection and analysis, like code obfuscation and custom exception handlers. We also found that the senders of the spear-phishing emails and the owners of Google Drive links are the same. Based on the sample documents that were used for luring the victims, we also believe that the attackers were able to conduct research and, potentially, prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts,” explained Trend Micro researchers.  "Once the group has infiltrated a targeted victim's systems, the sensitive documents stolen can be abused as the entry vectors for the next wave of intrusions. This strategy largely broadens the affected scope in the region involved."    

Cyber Insurers Redefine State-Sponsored Attacks as an Act of War Amidst Legal Concerns


The consequences of NotPetya, which the U.S. government says was a Russian cyberattack on Ukraine in 2017, continue to be felt as cyber insurers alter coverage exclusions and extend the definition of an “act of war.” One can conclude that a 5-year-old cyberattack is reshaping the cyber insurance industry. 

Mondelez, the parent company of brands such as Cadbury, Oreo, Ritz, and Triscuit, was impacted by NotPetya: manufacturing and production were interrupted, and it took days for the company’s staff to regain control of their computer systems. The business filed a claim for $100 million in losses with Zurich American, its property and liability insurer. Zurich initially agreed to pay a portion of the claim, $10 million, but later withheld payment, arguing that the attack was an act of war and hence not covered by the policy. Mondelez then initiated legal action. 

Mondelez and Zurich American reportedly settled the original $100 million claim, but only after Merck's $1.4 billion lawsuit against Ace American Insurance Company over its own NotPetya-related damages succeeded in January 2022. Merck's claim was made not under a cyber insurance policy but under its property and casualty policy. 

Back in 2017, while cyber insurance was still a budding idea, several corporate giants filed claims for NotPetya, which caused an estimated $10 billion in damage worldwide, against their property and casualty policies. 

What Has Changed? 

Before the COVID-19 pandemic, up to 2020, cyber insurance policies were sold much like a typical home or auto policy: the insurer showed little concern for the company’s cybersecurity profile, the tools it used to secure and defend its network and data, or its general cyber hygiene. 

But after numerous ransomware attacks hit organizations with lax cybersecurity, insurance carriers began altering and tightening the requirements for acquiring such policies, says Alla Valente, senior analyst at Forrester Research. 

Currently, the business model for cyber insurance is substantially different from that of other policies, making the cyber insurance policies of 2017 obsolete. 

What is an “Act of War”? 

Every sort of insurance policy, including cyber insurance, has a "war exclusion." A war exclusion clause generally says that no damages resulting from hostile or warlike activities by a state or its agents are covered. Usually, this exclusion applies to a “hot war,” like the one witnessed in Ukraine recently. However, courts are beginning to consider cyberattacks as potential acts of war even without a declaration of war or any ground troops, aircraft, or physical battlefield. Carriers argue that state-sponsored attacks themselves constitute a war footing. 

The terms of cyber policies from Lloyd's of London will now change in April 2023, excluding liability losses brought on by state-sponsored cyberattacks. As stated by Tony Chaudhry, Lloyd’s underwriting director, in a Market Bulletin published in August 2022, "Lloyd's remains strongly supportive of the writing of cyber-attack cover but recognizes also that cyber-related business continues to be an evolving risk. If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage." 

In this regard, Forrester's Valente notes that businesses may have to set aside large cash reserves in case they ever face a state-sponsored attack. If insurance carriers succeed in convincing courts that a state-sponsored attack is, by definition, an act of war, no business will have coverage unless it specifically negotiates the removal of the exclusion into its contract. 

Scott Godes, partner and co-chair of the Insurance Recovery and Counseling Practice and the Data Security & Privacy practice at District of Columbia law firm Barnes & Thornburg, says that, when purchasing cyber insurance, "it is worth having a detailed conversation with the broker to compare so-called 'war exclusions' and determine whether there are carriers offering more favorable terms."

"Unfortunately, litigation over this issue is another example of carriers trying to tilt the playing field in their favor by taking premium, restricting coverage, and fighting over ambiguous terms," he adds.  

Hackers Use These Five Common Ways to Hack Websites

 

Cybercriminals target websites of every kind. Data theft, remote access, and malware distribution can all occur through social media platforms, online retailers, file-sharing services, and other types of online services. Hackers employ a variety of techniques to infiltrate websites; this article discusses the five most common. 

1. Brute force attacks 

Brute force attacks use trial and error to force entry into a website: the attacker systematically guesses passwords, login credentials, or decryption keys until one works. Cryptography keeps stored data safe, but a key or password that can be guessed defeats that protection, which is what cybercriminals are after. The same technique can also be used to discover hidden web pages.

2. Keyloggers and Spyware

An attacker can use a keylogger to record every keystroke made on an infected device or server. It is a type of monitoring software that is widely used in data theft. For example, if someone enters their payment card information while a keylogger is active, the malicious operator can spend money without the card owner's knowledge. In the case of websites, monitoring a website administrator with a keylogger lets the attacker capture the credentials required to log in and gain access. Keyloggers are a type of spyware, and spyware takes many forms, such as adware and Trojans.

3. Man-in-the-Middle Attacks

A malicious actor eavesdrops on private sessions in a Man-in-the-Middle (MitM) attack. The attacker will place themselves between a user and an application in order to gain access to valuable data that they can exploit. Instead of simply eavesdropping, the attacker could pretend to be a legitimate party.


Because much of the intercepted data may be encrypted by an SSL or TLS connection, the attacker must find a way to break that protection in order to interpret the data. If the attacker succeeds in making the data readable, for example through SSL stripping, they can use it to compromise websites, accounts, and applications, among other things.
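SSL stripping only works when a site still answers plain-HTTP requests and the browser has no cached instruction to insist on HTTPS. The following is an added example, not code from this article, that checks a site's HTTP-to-HTTPS redirect and its Strict-Transport-Security (HSTS) header, comparing a weak configuration with a hardened one; the responses are constructed and the hostname is a placeholder.

```python
import re

# max-age is the only mandatory HSTS directive (RFC 6797); one year is the
# commonly recommended minimum for the policy to be worth anything.
_MAX_AGE_RE = re.compile(r'^max-age="?(\d+)"?$', re.IGNORECASE)
ONE_YEAR = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header_value.split(";"):
        directive = raw.strip()
        m = _MAX_AGE_RE.match(directive)
        if m:
            policy["max_age"] = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            policy["include_subdomains"] = True
        elif directive.lower() == "preload":
            # Only matters once the domain is submitted to browser preload lists;
            # parsed for completeness, not scored below.
            policy["preload"] = True
    return policy


def assess_strip_resistance(http_response, https_response, min_max_age=ONE_YEAR):
    """Return the findings that leave a site open to SSL stripping.

    Each response is (status_code, headers) for a GET of the same URL over
    http:// and https://. An empty list means the site passes the checks.
    """
    findings = []
    http_status, http_headers = http_response
    http_headers = {k.lower(): v for k, v in http_headers.items()}
    _, https_headers = https_response
    https_headers = {k.lower(): v for k, v in https_headers.items()}

    # A stripping proxy relies on the origin serving something useful over plain
    # HTTP; a permanent redirect to https:// removes that foothold.
    location = http_headers.get("location", "")
    if http_status not in (301, 308) or not location.lower().startswith("https://"):
        findings.append("plain-HTTP request is not permanently redirected to https://")

    # HSTS makes returning browsers refuse plain HTTP before any request is sent,
    # so even the redirect above is never exposed to a downgrade.
    hsts = https_headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HTTPS response carries no Strict-Transport-Security header")
        return findings
    policy = parse_hsts(hsts)
    if policy["max_age"] is None:
        findings.append("HSTS header lacks the mandatory max-age directive")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 instructs browsers to forget the HSTS policy")
    elif policy["max_age"] < min_max_age:
        findings.append(f"max-age={policy['max_age']} is below {min_max_age} seconds")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains can still be downgraded")
    return findings


# Constructed responses for a placeholder host, before and after hardening.
WEAK_SITE = {
    "http": (200, {"Content-Type": "text/html"}),  # content served over plain HTTP
    "https": (200, {"Strict-Transport-Security": "max-age=300"}),
}
HARDENED_SITE = {
    "http": (301, {"Location": "https://www.example.com/"}),
    "https": (200, {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}),
}

if __name__ == "__main__":
    for name, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(name, assess_strip_resistance(site["http"], site["https"]) or ["ok"])
```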

4. Remote Code Execution 

Remote Code Execution (RCE) is a fairly self-explanatory term: it is the execution of malicious code from a remote location through a security flaw. RCE can take place over a local network or the internet, and it gives the attacker access to the targeted device and a foothold from which to compromise it.

An attacker can steal sensitive data and perform unauthorized functions on a victim's computer by exploiting an RCE vulnerability. Because this type of attack can have serious consequences, RCE vulnerabilities are (or should be) taken very seriously.

5. Third-Party Exploits

Thousands of businesses around the world rely on third-party vendors, particularly in the digital realm. Many applications act as third-party service providers for online businesses, whether they process payments, authenticate logins, or provide security tools. However, third-party vendors can be used to gain access to their clients' websites.

Attackers can take advantage of a security vulnerability, such as a bug, in a third-party vendor. Some third-party applications and services have lax security measures, making them vulnerable to hackers. This exposes sensitive data from a website to the attacker for retrieval. Even if the website has advanced security features, the use of third-party vendors can be a weakness.

Unfortunately, even when we use the proper security measures, websites and accounts are still vulnerable to attacks. As cybercriminals improve their methods, it becomes more difficult to detect red flags and stop an attack in its tracks. However, it is critical to be aware of the tactics used by cybercriminals and to employ the proper security practices to protect yourself as much as possible.


US Healthcare Department Issues Warning Regarding Venus Ransomware

 

Healthcare organizations across the United States have been warned by the Department of Health and Human Services (HHS) regarding Venus ransomware assaults following a recent breach against a healthcare provider. 

Despite the attack, no data leak site for the Venus ransomware actors has been identified, according to a report published by the Health Sector Cybersecurity Coordination Center (HC3). 

"HC3 is aware of at least one healthcare entity in the United States falling victim to Venus ransomware recently. The operators of Venus ransomware are not believed to operate as a ransomware-as-a-service (RaaS) model and no associated data leak site (DLS) exists at this time," said the report. 

Since its emergence in mid-August 2022, the ransomware has spread through the networks of numerous corporate victims around the globe. 

The ransomware terminates 39 processes associated with database servers and Microsoft Office applications. It targets publicly exposed Remote Desktop Services to gain initial access to target endpoints. In addition, it deletes event logs and Volume Shadow Copies and disables Data Execution Prevention on compromised endpoints. 

Lucrative Target 

Since the outbreak of Covid-19, the healthcare industry has been a lucrative target for malicious hackers. Hospitals operate multiple computers, printers, and internet-linked smart devices, generating thousands of sensitive files. These devices are sometimes outdated and improperly secured, making them a perfect candidate for an initial entry endpoint.

Moreover, with the Covid-19 pandemic filling up every last space in hospitals, overworked healthcare workers are an easy target to prey on with phishing and social engineering attacks. 

Last month, government officials in the United States warned regarding multiple ransomware attacks targeting healthcare facilities nationwide. Warnings showed that the attackers are employing ransomware variants such as Maui and Zeppelin against healthcare and public health (HPH) institutions. 

And in February, in a data breach report, debt management firm Professional Finance Corporation, Inc (PFC) revealed that 657 healthcare organizations were impacted by a Quantum ransomware attack. 

To mitigate risks, security experts recommended healthcare organizations implement an email security solution, consider adding a banner to emails from external sources, disable hyperlinks in emails, and provide regular security awareness training to the employees.

Medibank's Hackers will be Hacked in Australia

 


Threat actors behind the Medibank hack that compromised nearly 10 million customers' private information are being hunted by the Australian government, cyber security minister Clare O'Neil said. 

The hack on Medibank's computer systems, which was attributed to Russian cybercriminals, was announced by the Australian Federal Police on Friday afternoon. 

The AFP identified Russian-based criminals as the culprits without contacting Russian officials before the public announcement, and the Russian embassy in Australia has expressed disappointment at this. 

In a statement released on Friday evening, the Russian consulate said it encouraged the AFP to promptly contact the relevant Russian law enforcement agencies to seek assistance. 

Combating cybercrime that adversely affects the lives of citizens and damages businesses is a complex task that demands a cooperative, non-political and responsible approach from all members of the international community. 

It was announced on Saturday that the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD) have signed an agreement on the creation of a comprehensive policing model which will take into account both the Optus and Medicare data breaches and effectively deal with the criminals behind them. 

"Around 100 officers from these two organizations will be a part of this joint standing operation, and many of these officers will be physically co-located with the Australian Signals Directorate," she said.

As Ms. O'Neil pointed out, officers report to work every day of the week; the goal is to deal with these gangs and thugs as effectively as possible. 

Ms. Saunders explained that with this partnership the Australian Government has formalized a standing body responsible for the day-to-day pursuit and prosecution of the criminals behind these malicious crimes against innocent people, a body that will hunt them down day in and day out. 

A group of the smartest and most determined people in Australia will be collaborating to track down the hackers. 

A New Permanent Policing Model 

In a statement, Attorney General Mark Dreyfus described the situation as "extremely distressing."

In response to the attack, the government released a statement stating that it would do everything it could to limit the impact of this horrible crime. It would also provide support and comfort to the families and friends of those who are affected. 

Dreyfus said in his remarks that the updated partnership between the AFP and the ASD aimed at fighting cyber criminals will be a permanent and formal agreement. 

The AFP, he explained, works full-time on this issue, and they are working with international partners, such as the FBI, which has done great work on this problem, with the assistance of their international partners, including the United Nations. 

As part of the investigation, AFP Commissioner Reece Kershaw on Friday said officers were also working with Interpol to track down the perpetrators of the crime. 

"We know who you are," he said. In the area of bringing overseas offenders back to Australia to face the justice system, it has been noted that the AFP has been doing a good job on the scoreboard. 

A Review of Australia's Diplomatic Relations With Russia is Currently Taking Place

There will be no slowdown in the work of the national security agencies because diplomatic channels with Russia will remain open concerning extradition, according to Mr. Dreyfus. 

According to the president of the Russian Federation, Russia should do all that it can to protect its citizens from engaging in these kinds of crimes, while within its borders. 

In a statement, Mr. Dreyfus said that his government is taking a close look at the options available to it. This is because it wants to maintain Russia's diplomatic profile in Australia. 

In regards to our diplomatic channels, we would like to maintain them as long as they are appropriate for our national interests. However, diplomatic profiles must always be consistent with that. 

James Paterson, the opposition's cyber security spokesman, said that the disclosure could have broad implications for Australia's Magnitsky regime, which applies to those who violate the law.

The regime, passed with bipartisan support from the Republican and Democratic Parties, makes it possible to impose targeted financial sanctions and travel bans in response to serious corruption and significant cyberattacks. 

At a press conference earlier today, Prime Minister Albanese told reporters he was dismayed and disgusted by the actions of those who committed this crime. He authorized AFP officials to release the details as a matter of public interest. 

In the recent past, hackers have released more information about some of the medical records of their customers on the dark web, including information about abortions and alcoholism. 

A ransomware attack was carried out by a criminal group targeting Medibank's data, which resulted in close to 500,000 health claims, along with personal information, being stolen. 

There are several mental health and other support services available through Medibank's Resources Page, which is available to affected customers.

How Are Cybercrime and Cyberwar Interlinked?


Cybersecurity experts have long argued that future conflicts will no longer be fought only on a physical battlefield but in the digital sphere as well. Although the physical battlefield will clearly not disappear any time soon, given recent conflicts, we are also witnessing a rise in state-sponsored attacks like never before. It is therefore important that businesses, individuals, and governments ensure they are prepared to withstand an attack, since on a digital battleground it is not just soldiers who are targeted: everyone is in the line of fire. 

Broadly speaking, an act of cyberwar is any state-backed malicious online activity that targets foreign networks. However, as with most geopolitical phenomena, real-world examples of cyber warfare are far more complex. In the world of state-sponsored cybercrime, it is not just the government intelligence agencies that are directly carrying out attacks, but these days one can witness attacks from organized cybercriminal organizations that have ties to a nation-state. 

These organizations are known as advanced persistent threat (APT) groups. The infamous APT-28, also known as Fancy Bear, which hacked the Democratic National Committee in the year 2016 is an excellent example of this type of espionage operation. In a way, this serves as the ideal cover for malicious state actors who want to attack and disrupt vital infrastructure while lowering the potential for generating a geopolitical crisis or military conflict. 

If the Enemy Is in Range, So Are You 

Whether or not a cyberattack is directly linked to a foreign government agency, attacks on critical infrastructure can have devastating repercussions. Critical infrastructure does not refer only to state-owned and operated assets such as power grids and government organizations; banks, large corporations, and Internet service providers all fall under the umbrella of critical infrastructure targets. 

As governments and private organizations continue to adopt advanced and connected IT networks, the risks and potential consequences will only increase. Recent research by the University of Michigan found security vulnerabilities in local traffic light systems. Although the flaw has subsequently been patched, this emphasizes the significance of robust, up-to-date inbuilt security systems to protect infrastructure against cyberattacks. 

Defend Now or Be Conquered Later 

As networks grow more advanced and complex, the chance that vulnerabilities will be exploited increases exponentially. Every single endpoint on the network must be constantly monitored and secured if organizations are to have any chance of surviving a sophisticated state-backed attack. 

Some organizations have learned this lesson the hard way. For instance, in 2017, US food giant Mondelez was denied a $100 million insurance payout after suffering a Russian APT cyberattack, since the attack was deemed “an act of war” and was not covered by the firm’s cybersecurity policy. The conglomerate and Zurich Insurance recently resolved this dispute on undisclosed terms.

Endpoint security has never been more critical than it is today. The use of personal mobile devices as a work tool has become pervasive across almost every single industry. This rise in the bring-your-own-devices policy has in part been driven by the false assumption that mobile devices are inherently more secure than desktops. 

However, for over 10 years, various governments and APT groups with advanced cyber capabilities have adapted to and exploited the mobile threat landscape with extremely low detection rates. Attacks on state and public mobile networks can take down large parts of the workforce, impacting productivity and disrupting everything from the government’s decision-making to the state’s economy. 

IT and security managers may not be able to prevent the inevitable cyberattacks or cyber war, but they can defend against major setbacks. Any device connected to the infrastructure, physically or virtually, is a potential back door through which cybercriminals can access data and disrupt operations. Thus, if organizations want to avoid becoming victims of cyberwarfare, endpoint security, from mobiles to desktops, should be a priority in their operations.

Empire Company Suffered Information Technology Systems Issue

 

The Empire Company announced on Monday that some of its brand stores across Canada, including Sobeys, Lawtons, Safeway, Farm Boy, IGA, Foodland, and FreshCo, are facing service disruptions due to an information technology systems issue. The technical issues the company is currently facing have prevented its pharmacies from filling prescriptions, and some services have been delayed or have functioned only intermittently. 

The company has issued a press release assuring its customers that it is working to fix the problems, but added that it is not sure when all services will be restored. "At Sobeys, exceeding the needs of our customers is always our top priority. Our sole focus right now is on getting this problem rectified and we will provide further updates as relevant information becomes available," said chief operating officer Pierre St-Laurent in the news release. 

Additionally, pharmacy staff told the press that they could not access their systems, although they supplied customers with a few days' worth of medication if customers brought in their empty bottles. 

Meanwhile, Maple Leaf Foods announced on Sunday that the disruption has been caused by a "cybersecurity incident". 

The organization reported that the issues came to light over the weekend and that the company, together with its researchers, recovery experts, information systems professionals, and third-party specialists, immediately began investigating the outage. 

Following the incident, Sylvain Charlebois, the director of the Agri-Food Analytics Lab at Dalhousie University, disclosed that he received a number of messages from people on Friday night about problems at Empire, including copies of internal company letters. 

"The entire food system works on the basis that computers will communicate with each other. So as soon as you have a cyberattack disrupting the efficiency of supply chains, costs could go up. Even worse, access to food could also become a problem. You could see many stores without supplies for days and you don't want that to happen," he further added.

North Korean Ransomware Attempt to Siphon Funds From an Israeli Company


Breaking into financial institutions' systems with hackers is a known tactic of North Korea; it nearly took down the Central Bank of Bangladesh this way. 

North Korean Hackers Strike Again

Earlier this week, North Korea tried to gain access to the systems of an Israeli company in the cryptocurrency business and extract money that Pyongyang planned to use for its nuclear program. 

The attackers disguised themselves as the company's Japanese supplier. The attempt was immediately caught by cybersecurity personnel from the "Konfidas" agency, who were able to stop it. 

Malicious files used to get control over systems

Authorities say the attempt was sophisticated and professional and used unique tools, something that caught the eye of the Israeli authorities. 

Such attacks do not happen overnight. Most follow a pattern: in the first step, the hacker strikes up a conversation with the person on the other end and gains their trust. Then the hacker sends a malicious file containing the malware intended to infiltrate the computer. 

Once the file reaches the computer, the malware spreads across the network and accesses the financial assets or data the hacker is after, at which point the hacker can do as they wish. 

Ransom motive behind the attack

Ransom demands generally occur in financial attacks; the threat actors behind them are cybercriminals who steal data and demand a ransom in exchange for not leaking the data and for releasing the systems. 

In this particular incident, the North Korean mode of operation followed a pattern in which the actors simply spy, steal money, and vanish. The only user interaction required is opening the malicious files, which allow the hacker to take control of the systems. 

North Korean hacking patterns

North Korean hackers are believed to be behind the theft of around $100 million in cryptocurrency from a US company earlier this year in June, as the country is trying to manage funding for its nuclear and ballistic missile programs. 

The assets were stolen from "Horizon Bridge," a Harmony blockchain service that lets assets be sent to other blockchains. Following the theft, the threat actors' activities suggested a link to North Korea. Experts believe these actors to be highly skilled in cyber penetration attacks. 


Cyber Assaults via Microsoft SQL Server Surged by 56 percent in 2022

 

Threat analysts at Kaspersky have identified a surge in attacks that use Microsoft SQL Server processes to try to access company infrastructure. 

In September this year, more than 3,000 SQL servers, which organizations and small and medium-sized enterprises across the globe use to manage databases, were affected, a rise of 56 percent compared to the same period last year, according to the latest findings from Kaspersky’s Managed Detection and Response Report. 

According to Sergey Soldatov, Head of Security Operations Center at Kaspersky, the number gradually increased during the last year, and in April 2022, the number exceeded 3,000, only to see a slight decrease in July and August. 

“Despite the popularity of Microsoft SQL Server, companies do not pay enough attention to protecting against software-related threats. Attacks using malicious processes on SQL Server have been known for a long time, but perpetrators continue to use them to gain access to company infrastructure,” stated Sergey Soldatov. 

There have been a number of recent incidents in which Microsoft SQL Servers were exploited by threat actors. In April, hackers were seen deploying Cobalt Strike beacons on such servers. News of attacks against MS-SQL also surfaced in May, June, and October this year. 

Typically, hackers scan the internet for endpoints with an open TCP port 1433 and then conduct brute-force attacks against them until they guess the password. 
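The password guessing described here against exposed port 1433 (and the brute-force technique listed earlier on this page under "Hackers Use These Five Common Ways") shows up in SQL Server's ERRORLOG as repeated error 18456 "Login failed" lines from one client address. The following is an added example, not code from this article or from Kaspersky, that parses such lines and flags sources whose failures exceed a threshold inside a sliding time window; the log lines are constructed and the IP addresses are documentation placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The line SQL Server writes to its ERRORLOG for error 18456 (failed login);
# the [CLIENT: ...] suffix gives the source address of the attempt.
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_login_failures(lines):
    """Yield (timestamp, user, client_ip) for each failed-login line; other lines are skipped."""
    for line in lines:
        m = LOGIN_FAILED_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["user"], m["client"]


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Map each client IP whose failures peak at >= threshold inside one window
    to (peak_failures, sorted distinct user names tried)."""
    per_client = defaultdict(list)
    for ts, user, client in parse_login_failures(lines):
        per_client[client].append((ts, user))
    alerts = {}
    for client, events in per_client.items():
        events.sort()
        peak = start = 0
        for end, (ts, _) in enumerate(events):
            # Slide the window start forward until events[start..end] fit inside it.
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[client] = (peak, sorted({u for _, u in events}))
    return alerts


def _line(ts, user, client, state=8):
    """Format one constructed ERRORLOG line in SQL Server's layout."""
    reason = ("Password did not match that for the login provided." if state == 8
              else "Could not find a login matching the name provided.")
    return (f"{ts} Logon       Login failed for user '{user}'. Reason: {reason} "
            f"[CLIENT: {client}]")


# Constructed sample log: 12 guesses against 'sa' and 'admin' from one host in
# under two minutes, two stray failures from an internal service account hours
# apart, and unrelated lines that the parser must ignore.
SAMPLE_ERRORLOG = (
    [_line(f"2022-09-14 03:{12 + s // 60:02d}:{s % 60:02d}.55",
           "sa" if k % 2 else "admin", "203.0.113.45", 8 if k % 2 else 5)
     for k, s in enumerate(range(0, 120, 10))]
    + [_line("2022-09-14 08:01:17.10", "reporting_svc", "10.0.0.21"),
       _line("2022-09-14 14:40:02.81", "reporting_svc", "10.0.0.21")]
    + ["2022-09-14 03:12:00.55 Logon       Error: 18456, Severity: 14, State: 8.",
       "2022-09-14 03:13:00.01 spid52      Starting up database 'tempdb'."]
)

if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_ERRORLOG).items():
        print(f"{ip}: {count} failed logins within 5 minutes, users tried: {users}")
```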

Mitigation tips 

To protect against enterprise-targeted threats, cybersecurity experts recommend the following measures: 

• Always keep the software on all your devices up to date to prevent attackers from infiltrating your network through vulnerabilities. Install updates for newly disclosed vulnerabilities immediately, because once patched they can no longer be abused. 

• Use the latest threat intelligence to keep up to date with the tactics, techniques, and procedures used by hackers. 

• Implement a reliable endpoint security solution, such as Kaspersky Endpoint Security, which provides organizations with effective protection against known and unknown threats. 

• Dedicated services can help combat high-profile attacks. The Kaspersky Managed Detection and Response service can help identify and stop intrusions in the early stages, before cybercriminals achieve their aims.

The ALMA Observatory has Suspended Operations due to a Cyberattack

 

Following a cyberattack on Saturday, October 29, 2022, the Atacama Large Millimeter Array (ALMA) Observatory in Chile has suspended all astronomical observation operations and taken its public website offline. 

Email services are currently limited at the observatory, and IT specialists are working to restore the affected systems. The organization announced the security incident on Twitter yesterday, saying that given the nature of the incident, it is impossible to predict when normal operations will resume.

The observatory also stated that the attack did not compromise the ALMA antennas or any scientific data, indicating that no unauthorized data access or exfiltration occurred. In an attempt to learn more about the security incident, BleepingComputer contacted ALMA Observatory, and a spokesperson shared the following comment:

"We cannot further discuss the details as there is an ongoing investigation. Our IT team was prepared to face the situation and had the proper infrastructure, although there is no flawless defense against hackers. We are still working hard on the full recovery of services. Thanks for your understanding." - ALMA Observatory.

The ALMA observatory is made up of 66 high-precision radio telescopes of 12 m diameter arranged in two arrays and is located on the Chajnantor plateau at an elevation of 5,000 m (16,400 ft). The project cost $1.4 billion, making it the most expensive ground telescope in the world, and it was created through a collaborative effort involving the United States, Europe, Canada, Japan, South Korea, Taiwan, and Chile.

Since reaching normal operational status in 2013, ALMA has contributed to pioneering comet and planetary formation studies, participated in the Event Horizon project to photograph a black hole for the first time in history, and detected the biomarker 'phosphine' in Venus' atmosphere.

The observatory is used by scientists from the National Science Foundation, the European Southern Observatory, the National Astronomical Observatory of Japan, and other organizations from around the world, so any interruption in operations has ramifications for multiple science teams and ongoing projects.

For the time being, users should keep an eye out for status updates on the NRAO's website or the ALMA Observatory's social media channels. Observers can seek assistance from the organization through its online support portal.

French Cybercriminals Opera1er Stole up to $30m from Banks


Based on a new report published by cybersecurity firm Group-IB, a French-speaking cybercrime group may have stolen more than $30 million from banks and other types of organizations in recent years. 

Group-IB has identified the threat actor as Opera1er. Others have previously investigated some of its activities, naming it Common Raven, Desktop-Group, and NXSMS. The cybersecurity firm is aware of 30 successful attacks carried out between 2019 and 2021, with many of the victims being attacked multiple times. 

The majority of the attacks targeted African banks, but victims also included financial services, mobile banking services, and telecommunications companies. Victims were discovered in 15 countries across Africa, Latin America, and Asia.

Group-IB has confirmed $11 million stolen from victims since 2019, but believes the cybercriminals may have taken more than $30 million. The typical Opera1er attack begins with a spear-phishing email sent to a small number of people within the targeted organization. The goal is access to domain controllers and banking back-office systems.

The hackers waited 3-12 months after gaining access to an organization's systems before stealing money. The cybercriminals used the banking infrastructure in the final phase of the operation to transfer money from bank customers to mule accounts, from which it was withdrawn at ATMs by money mules, typically on weekends and public holidays.

“In at least two banks, Opera1er got access to the SWIFT messaging interface,” Group-IB explained. “In one incident, the hackers obtained access to an SMS server which could be used to bypass anti-fraud or to cash out money via payment systems or mobile banking systems. In another incident, Opera1er used an antivirus update server which was deployed in the infrastructure as a pivoting point.”

Opera1er does not appear to have used any zero-day vulnerabilities or custom malware. Instead, the group has exploited old software flaws along with widely available malware and tools. According to Group-IB's analysis, the majority of the attackers' emails were written in French, and their English and Russian are "quite poor."
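The cash-out pattern described above (customer funds pooled into mule accounts, then withdrawn at ATMs on weekends and public holidays) can be turned into a simple detection rule on a bank's own transaction ledger. The code below is an added example, not Group-IB's or any bank's tooling; the account names, amounts, holiday date and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed holiday calendar (placeholder; a real deployment loads the local one).
PUBLIC_HOLIDAYS = {date(2021, 11, 1)}

def is_off_hours(ts: datetime) -> bool:
    """Weekend or public holiday: the windows the report says mules cashed out in."""
    return ts.weekday() >= 5 or ts.date() in PUBLIC_HOLIDAYS

def find_suspected_mules(txns, min_sources=3, window_hours=72, drain_ratio=0.8):
    """Flag accounts that receive transfers from several distinct customers and then
    have most of that inflow withdrawn at ATMs on weekends/holidays within the window."""
    inflows, atm_out = defaultdict(list), defaultdict(list)
    for t in sorted(txns, key=lambda t: t["ts"]):
        if t["type"] == "transfer_in":
            inflows[t["account"]].append(t)
        elif t["type"] == "atm_withdrawal":
            atm_out[t["account"]].append(t)
    flagged = {}
    for acct, ins in inflows.items():
        sources = {t["from"] for t in ins}          # distinct paying customers
        if len(sources) < min_sources:
            continue
        start = ins[0]["ts"]                         # first inbound transfer
        end = start + timedelta(hours=window_hours)  # cash-out must follow quickly
        total_in = sum(t["amount"] for t in ins)
        cashed_out = sum(t["amount"] for t in atm_out[acct]
                         if start <= t["ts"] <= end and is_off_hours(t["ts"]))
        if cashed_out >= drain_ratio * total_in:
            flagged[acct] = {"sources": len(sources), "inflow": total_in, "cashout": cashed_out}
    return flagged

def sample_ledger():
    """Constructed transactions: one mule-like account (M1) and two benign ones."""
    def tx(acct, typ, when, amt, src=None):
        return {"account": acct, "type": typ, "ts": datetime.fromisoformat(when), "amount": amt, "from": src}
    return [
        tx("M1", "transfer_in", "2021-10-29T16:10:00", 4000, "C1"),  # Friday inflows
        tx("M1", "transfer_in", "2021-10-29T16:12:00", 3500, "C2"),
        tx("M1", "transfer_in", "2021-10-29T16:15:00", 2500, "C3"),
        tx("M1", "atm_withdrawal", "2021-10-30T09:00:00", 4500),      # Saturday cash-out
        tx("M1", "atm_withdrawal", "2021-10-31T11:00:00", 4000),      # Sunday cash-out
        tx("N1", "transfer_in", "2021-10-29T10:00:00", 1200, "C9"),   # single payer: benign
        tx("N1", "atm_withdrawal", "2021-10-30T12:00:00", 1200),
        tx("P1", "transfer_in", "2021-11-02T09:00:00", 800, "C4"),    # many payers, but
        tx("P1", "transfer_in", "2021-11-02T09:01:00", 800, "C5"),    # weekday withdrawal
        tx("P1", "transfer_in", "2021-11-02T09:02:00", 800, "C6"),
        tx("P1", "atm_withdrawal", "2021-11-02T13:00:00", 2400),      # Tuesday
    ]
```

Running `find_suspected_mules(sample_ledger())` flags only M1; the thresholds are starting points to be tuned against a bank's real false-positive rate.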