Showing posts with label Cyber campaign.

STARK#MULE Cyber Attack Campaign Tricking Koreans with U.S. Military-Themed Documents

An ongoing cyber attack campaign is targeting Korean-speaking individuals. The attackers use U.S. Military-themed document lures to trick victims into executing malware on their own systems.

Securonix, the cybersecurity firm that reported the activity, tracks the campaign as STARK#MULE. The scale of the campaign has not been disclosed, so the number of victims is unknown, and it is not yet clear whether any of the attempts resulted in a successful compromise. Continued monitoring is warranted while the campaign remains active.

According to the report, "these types of attacks are on par with past attacks stemming from typical North Korean groups such as APT37 as South Korea has historically been a primary target of the group, especially its government officials". APT37, also known as Nickel Foxcroft, Reaper, Ricochet Chollima, and ScarCruft, is a nation-state actor affiliated with North Korea. Its targeting focuses almost exclusively on entities in South Korea, particularly those reporting on North Korea or supporting defectors.

The group has relied on social engineering to launch phishing attacks that deliver payloads such as RokRat onto targeted networks. More recent reporting shows the adversary broadening its toolset with additional malware families, among them a Go-based backdoor named AblyGo.

The campaign stands out for its use of compromised, legitimate Korean e-commerce websites both to stage payloads and to host command-and-control (C2). Because traffic to these sites resembles ordinary browsing, the technique is intended to evade security solutions installed on targeted systems.

By blending into legitimate platforms, the threat actors try to stay under the radar for as long as possible. This approach complicates detection for defenders and reinforces the need for controls that do not depend on domain reputation alone.

Separately, the AhnLab Security Emergency Response Center (ASEC) has observed APT37 using CHM (Compiled HTML Help) files in phishing emails that impersonate security notices from financial institutions and insurance companies. The goal is to get victims to open the file, which then deploys information-stealing malware and other malicious binaries onto their systems.

Disguised CHM files are a real concern for security teams: they are often treated as help documentation rather than executable content, yet they can run embedded script when opened. APT37 is one of several North Korean state-sponsored groups; collectively these groups have drawn attention for attacks aimed at financial theft, as seen in the recent attacks on Alphapo and CoinsPaid.
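The following is an added triage example, not code from the original post, ASEC or Securonix. It scans a raw email for attachments that carry the CHM container signature ("ITSF") or a .chm extension, and separately flags the case where a CHM payload hides behind a harmless-looking filename. The message it scans is constructed inline (the sender, recipient and attachment names are invented), and the "CHM" bytes are just the signature plus padding, not a real help file.

```python
import email
from email import policy
from email.message import EmailMessage

# Compiled HTML Help files begin with the ITSS container signature "ITSF".
CHM_MAGIC = b"ITSF"


def looks_like_chm(data: bytes) -> bool:
    """True when the attachment bytes carry the CHM container signature."""
    return data[:4] == CHM_MAGIC


def scan_eml_for_chm(raw_eml: bytes) -> list:
    """Return one finding per attachment that is, or claims to be, a CHM file.

    An attachment is flagged when its bytes start with the CHM magic or its
    filename ends in .chm. A CHM payload behind a non-.chm filename (for
    example "statement.pdf") gets its own reason, since that mismatch is
    the stronger indicator of a lure.
    """
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        magic_hit = looks_like_chm(payload)
        ext_hit = name.lower().endswith(".chm")
        if not (magic_hit or ext_hit):
            continue
        if magic_hit and not ext_hit:
            reason = "chm-magic-with-disguised-extension"
        elif magic_hit:
            reason = "chm-magic"
        else:
            reason = "chm-extension-only"
        findings.append({"filename": name, "reason": reason,
                         "content_type": part.get_content_type()})
    return findings


def build_sample_eml() -> bytes:
    """Constructed message: two CHM-signature attachments and one real-looking PDF."""
    msg = EmailMessage()
    msg["From"] = "notice@bank.example"          # invented sender
    msg["To"] = "victim@example.test"            # invented recipient
    msg["Subject"] = "Security notice regarding your account"
    msg.set_content("Please review the attached notice.")
    fake_chm = CHM_MAGIC + b"\x00" * 60          # signature only, not a real CHM
    msg.add_attachment(fake_chm, maintype="application",
                       subtype="octet-stream", filename="notice.chm")
    msg.add_attachment(fake_chm, maintype="application",
                       subtype="pdf", filename="statement.pdf")
    msg.add_attachment(b"%PDF-1.7\n" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="real-statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_eml_for_chm(build_sample_eml()):
        print(finding)
```

Checking the magic bytes rather than trusting the declared content type or extension is the point: a mail gateway that only blocks "*.chm" misses the renamed variant, while one that keys on the ITSF signature catches both.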

Alongside this, the group's activities revolve around gathering intelligence to further the regime's political and national security objectives. This combination of financial and intelligence motives across North Korean groups underscores the importance of countering APT37's activity, both to protect targeted organizations and to keep sensitive national security information out of the wrong hands.

Year-long Cyber Campaign Reveals Potent Backdoor and Custom Implant

A newly identified hacking group has targeted government, aviation, education and telecom organizations in South and Southeast Asia in a highly focused campaign that began in mid-2022 and continued into the first quarter of 2023.

Broadcom Software's Symantec tracks the activity under the insect-themed name Lancefly. The attacks employ a "powerful" backdoor called Merdoor, and available data suggests this custom implant has been in use since as early as 2018. Based on the tooling and the victimology, the campaign's ultimate purpose appears to be intelligence gathering.

"The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted," Symantec said in an analysis shared with The Hacker News.

"The attackers in this campaign also have access to an updated version of the ZXShell rootkit."

The precise initial intrusion vector is unknown, but it is believed to have involved phishing lures, SSH brute-forcing, or the exploitation of internet-exposed servers. The attack chains ultimately deliver ZXShell and Merdoor; the latter is a fully featured backdoor that communicates with an actor-controlled server to receive further commands and can log keystrokes.
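SSH brute-forcing is the one suspected initial-access vector above that leaves a clean trail in standard logs. The following is an added detection example, not code from Symantec's report: it parses OpenSSH "Failed password" lines in syslog format and flags any source IP that reaches a threshold of failures inside a sliding time window. The log lines are constructed for the example (hostname "bastion" and the RFC 5737 test addresses are invented), and the year is supplied by the caller because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the OpenSSH "Failed password" line as written by syslog/rsyslog.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample lines (not from any real host).
SAMPLE_AUTH_LOG = [
    "May 12 03:14:01 bastion sshd[2011]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "May 12 03:14:03 bastion sshd[2013]: Failed password for root from 203.0.113.7 port 50130 ssh2",
    "May 12 03:14:05 bastion sshd[2015]: Failed password for invalid user admin from 203.0.113.7 port 50138 ssh2",
    "May 12 03:14:08 bastion sshd[2017]: Failed password for invalid user oracle from 203.0.113.7 port 50144 ssh2",
    "May 12 03:14:10 bastion sshd[2019]: Failed password for root from 203.0.113.7 port 50151 ssh2",
    "May 12 03:14:12 bastion sshd[2021]: Failed password for invalid user test from 203.0.113.7 port 50160 ssh2",
    "May 12 03:20:44 bastion sshd[2100]: Failed password for alice from 198.51.100.9 port 41002 ssh2",
    "May 12 03:31:02 bastion sshd[2150]: Failed password for alice from 198.51.100.9 port 41010 ssh2",
    "May 12 03:31:09 bastion sshd[2152]: Accepted password for alice from 198.51.100.9 port 41011 ssh2",
]


def parse_failed_login(line: str, year: int = 2023):
    """Return (timestamp, user, source_ip) for a failed-password line, else None."""
    m = FAILED_LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def detect_ssh_bruteforce(lines, threshold=5, window_seconds=60, year=2023):
    """Flag source IPs with >= threshold failed logins inside any sliding window.

    Returns {ip: {"max_in_window": n, "users": [...]}} for offending sources.
    """
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_failed_login(line, year)
        if parsed:
            ts, user, ip = parsed
            by_ip[ip].append((ts, user))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        best, start = 0, 0
        for end, (ts, _) in enumerate(events):
            # Advance the window start until all events fit in window_seconds.
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = {"max_in_window": best,
                          "users": sorted({u for _, u in events})}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

The list of attempted usernames is worth keeping in the alert: a burst against root, admin, oracle and test is a generic credential spray, while repeated failures for a single real account look more like a targeted attempt and deserve a different response.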

ZXShell, first documented by Cisco in October 2014, is a rootkit with a range of capabilities for harvesting sensitive data from infected hosts. Its use has previously been linked to several Chinese actors, including APT17 (Aurora Panda) and APT27 (aka Budworm or Emissary Panda).

"The source code of this rootkit is publicly available so it may be used by multiple different groups," Symantec said. "The new version of the rootkit used by Lancefly appears to be smaller in size, while it also has additional functions and targets additional antivirus software to disable."

Another Chinese connection: the ZXShell rootkit is signed with a certificate issued to "Wemade Entertainment Co. Ltd", which Mandiant linked to APT41 (aka Winnti) in August 2019.

Lancefly intrusions have also been linked to the use of PlugX and its successor ShadowPad, the latter used by several Chinese state-sponsored groups since 2015. Certificate and tool sharing is common among these groups, however, which makes attribution to a specific known crew difficult.

"While the Merdoor backdoor appears to have been in existence for several years, it appears to only have been used in a small number of attacks in that time period," Symantec noted. "This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar."

RedZei Group Targets Chinese Students in U.K.

Chinese students studying in the UK are among the most frequent targets of scammers. RedZei (aka RedThief), a Chinese-speaking scam group that operates online and is growing in prominence, has found ways around the precautions that users and service providers have put in place to stop such scams.

This is how it works

According to a report in The Guardian, Chinese students were tricked into paying millions of dollars to avoid deportation as part of a visa scam. Researchers assess that this activity is likely the work of the RedZei campaign, which has been running since August 2019.

RedZei fraudsters select their victims carefully, researching each one and favouring targets wealthy enough to be profitable. To defeat number-based call blocking, they use a fresh pay-as-you-go UK phone number for each wave of calls, rotating SIM cards across several mobile carriers, including Telia, Three, EE, O2 and Tesco Mobile.


The Use of Voicemail and Other Tricks

As part of the operation, each targeted student is called once or twice a month from a UK phone number. If the call goes unanswered, an unusual automated voicemail is left.

The voicemails steer students into revealing personal information by impersonating China Mobile, the Bank of China and the Chinese embassy. Other messages pose as coming from Chinese government bodies, including the Chinese Ministry of Industry and Information Technology, the Chinese Embassy in the United Kingdom and the Chinese Communications Administration.

RedZei has also used courier themes, with messages purporting to come from DHL or Royal Mail about international parcel deliveries, and lures about abnormally high usage of the victim's NHS number.

Keep yourself as safe as possible

RedZei appears to have started this highly profitable campaign in August 2019. The scam deceives Chinese international students into transferring large sums of money under the threat of deportation.

Students who suspect a scam of this kind are advised to report it to their university as soon as possible, which helps others stay vigilant. Universities can in turn share information about scams targeting international students and keep them updated.

Microsoft Disrupts Bohrium Hackers' Spear-Phishing Operation

Microsoft's Digital Crimes Unit (DCU) has disrupted a spear-phishing operation run by an Iranian threat actor that Microsoft tracks as Bohrium. The operation targeted customers in the U.S., the Middle East and India.

Amy Hogan-Burney, General Manager of Microsoft DCU, said Bohrium targeted organizations across a range of sectors, including transportation, technology, government and education.

Evidence Microsoft submitted in court filings states that "the Iranian hackers have been intentionally accessing and sending malicious software, code, and instructions to the protected computers, operating systems, and computers networks of Microsoft and the customers of Microsoft, without authorization."

Microsoft took down 41 domains the group used in this campaign to stand up command-and-control infrastructure, through which the attackers ran malicious tools to gain access to targets' systems and exfiltrate stolen data. Some of the seized domains had previously been used to host and distribute malware payloads.

Microsoft did not disclose the timeline of the spear-phishing operation, but Hogan-Burney described the tradecraft: "Bohrium actors create fake social media profiles, often posing as recruiters. Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware..,"

“…This activity was uncovered by Microsoft's Threat Intelligence Center (MSTIC), which tracks the world's nation-state and cybercrime actors so we can better protect our customers,” Hogan-Burney said. 

Microsoft said the action is part of a long series of lawsuits it has brought against threat actors targeting Microsoft customers worldwide.

"To date, in 24 lawsuits – five against nation-state actors – we've taken down more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by nation-state actors," Microsoft's Corporate Vice President for Customer Security & Trust Tom Burt said.

Microsoft has previously taken down infrastructure from other malicious campaigns, including domains used by the ZLoader cybercrime gang, the Russian state-backed APT28, and the Iran-backed APT35 (aka Charming Kitten, Phosphorus, or Ajax Security Team).

Lapsus$ Targeting SharePoint, VPNs and Virtual Machines

NCC Group on Thursday released a report describing the tactics and techniques of the unpredictable Lapsus$ group, how its attacks unfold and what makes the group unusual.

The group went quiet after the arrests of alleged members in March. Its attacks remain confusing in both their motives and their methods. The group is known for hitting high-profile companies including Microsoft, Nvidia, Okta and Samsung.

According to the report, Lapsus$ gained initial access to targeted systems with stolen authentication cookies, specifically session cookies for single sign-on (SSO) applications; replaying such a cookie reuses a session that has already passed the login and any MFA prompt. The group also scraped the Microsoft SharePoint sites of target organizations for credentials left in technical documentation.
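Credentials left in runbooks and wiki pages are exactly what the SharePoint scraping above harvests, and a defender can look for them first. The following is an added example, not code from NCC Group's report: a small scanner that walks exported documents line by line, matches a few common secret shapes (password assignments, AWS access key IDs, private key headers, URLs with embedded basic-auth credentials) and reports each hit with the secret redacted. The documents are constructed for the example; the filenames, account names and the AKIA... value (AWS's published example key, not a live credential) are all invented.

```python
import re

# Each pattern exposes the sensitive value as the named group "v" so the
# report can redact it uniformly.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?P<v>AKIA[0-9A-Z]{16})\b"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?(?P<v>[^\s'\"]{6,})"),
    "private_key_block": re.compile(
        r"(?P<v>-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    "basic_auth_url": re.compile(
        r"(?i)\b[a-z][a-z0-9+.\-]*://[^\s/:@]+:(?P<v>[^\s/@]+)@\S+"),
}

# Constructed documents standing in for exported SharePoint pages.
SAMPLE_DOCS = {
    "VPN-Runbook.docx": (
        "To connect, use the shared account:\n"
        "username: vpn-svc\n"
        "password: Winter2021!\n"
    ),
    "Deploy-Notes.txt": (
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "Artifact URL: https://deploy:S3cretT0ken@artifacts.example.test/build.zip\n"
    ),
    "Onboarding.md": (
        "Your password will be emailed separately.\n"
        "Never store passwords in this wiki.\n"
    ),
}


def redact(value: str) -> str:
    """Keep the first two characters so a finding can be matched to its source."""
    return value[:2] + "*" * (len(value) - 2)


def scan_documents(docs):
    """Return findings as dicts: doc, 1-based line number, secret kind, redacted value."""
    findings = []
    for doc_name, text in docs.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(line):
                    findings.append({
                        "doc": doc_name,
                        "line": lineno,
                        "kind": kind,
                        "redacted": redact(m.group("v")),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_documents(SAMPLE_DOCS):
        print(f"{f['doc']}:{f['line']} {f['kind']} {f['redacted']}")
```

The prose mentions of "password" in Onboarding.md produce no findings, which is the precision a scanner needs to be run regularly without drowning in noise; the hits that remain are the shared VPN account and deployment secrets an intruder with read access to the site would collect in minutes.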

"Credential harvesting and privileged escalation are key components of the LAPSUS$ breaches we have seen, with the rapid escalation in privileges the LAPSUS$ group has been seen to elevate from a standard user account to an administrative user within a couple of days," the report said. 

The report also identifies corporate VPNs as a major target for the group, which capitalizes on their expanded use over the last few years.

"Access to corporate VPNs is a primary focus for this group as it allows the threat actor to directly access key infrastructure which they require to complete their objectives. In our incident response cases, we saw the threat actor leveraging compromised employee email accounts to email helpdesk systems requesting access credentials or support to get access to the corporate VPN," the report further read. 

In just a few months the group went from a handful of attacks to stealing and publishing the source code of several top-tier technology companies. Some reports describe Lapsus$ as a ransomware group, but it is notable for running extortion without deploying ransomware.