Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyberespionage. Show all posts
US-China
CISA Cyber Attacks Cyberespionage GhostNet GhostNet attack U.S. government US-China

GhostNet: Why is the Prominent Cyberattack Still a Mystery


Among the tools used in modern warfare, Cyberespionage has made a prominent name. Cyberespionage can be used to propagate misinformation, disrupt infrastructure, and spy on notable people including politicians, government officials, and business executives. In order to prepare for physical or cyber threats, nations also engage in espionage.

While many countries actively engage in some form of warfare, the U.S. has a certain stance that China, in regard to cyberespionage, poses a significant threat. According to the United States cyber defense agency CISA, "China probably currently represents the broadest, most active, and persistent cyber espionage threat to U.S. Government and private-sector networks."

CISA further notes that cyberattacks based in China may also have an impact on U.S. oil and gas pipelines, as well as rail systems.

While this warning is just an overview, China is renowned for its highly advanced cyber operations. The infamous GhostNet spy system, which compromised more than 1,000 computers of military, political, economic, and diplomatic targets around the world, is largely believed to have been coordinated by the Chinese government. China was never formally blamed for the crime, though, for a number of political and legal reasons. The history of GhostNet is therefore still a mystery.

Cyber Espionage Network ‘GhostNet’

GhostNet first came to light when the office of the Dalai Lama in India invited a team of security researchers at the Munk Center for International Studies at the University of Toronto to check their computers for any indication of a hack. This prompted an inquiry that turned up a large cyberattack that had compromised 1,295 systems over the course of two years in 103 nations. The Munk Center and Information Warfare Monitor analysts released a thorough analysis in 2009 that provided insight into the extensive spying operation they called "GhostNet."

GhostNet distributed malware via emails with attachments and suspicious links. Once the malware was successfully downloaded on the victim’s system, it would take complete access to the computers, which further enabled hackers to search for and download files, and even control the victim’s external devices like webcams and microphones. 

Around 30% percent of the victims of GhostNet were of high-profile, such as foreign ministries of several nations in Southeast Asia, South Asia and Europe. Also, several international organizations were targeted, like ASEAN, SAARC, the Asian Development Bank, news organizations, and computers of NATO headquarters.

Who was Behind the GhostNet Attacks?

Researchers from GhostNet were successful in locating and connecting to the espionage network's command servers. Hainan Island in China was linked to a number of IP addresses that the attackers used to communicate with the compromised PCs. Four control servers in total were found by the investigation, three of which were in China. The fourth server was situated at an American web hosting business. Furthermore, five of the six detected command servers were found in mainland China, while the sixth was found in Hong Kong.

According to researchers, China is amongst the most obvious operators behind GhostNet, however, their reports did not directly point at the country since they were unable to provide any concrete proof of the Chinese government’s involvement. They noted that other nations could also be behind the attacks.  

Read more »
Symantec
APT41 Atharvan RAT Blackfly Clasiopa Cyber Security Cyberespionage Cyberespionage Operation Lilith RAT Remote Access Tool Symantec

APT41: Cyberespionage Group Targets Asian Materials Industry


The Chinese-sponsored APT41 cyberespionage group, also known as Blackfly, Barium Bronze Atlas, Double Dragon, Wicked Panda, and Wicked Spider has emerged as one of the most active threat groups since at least 2007. 

The cyber-threat group has recently been targeting two subsidiaries of a major Asian conglomerate, which apparently specializes in materials and composites. The attack follows right after another distinct campaign against the Asian material sector. 

The APT attack was seen utilizing the Winnkit backdoor, Mimikatz, and several tools for credential dumping, screen capture, process hollowing, SQL querying, memory dumping (ForkPlayground), and proxy configuration. 

In one of the instances, Symantec discovered a material research organization in Asia that was being targeted by a previously unidentified threat group named ‘Clasiopa,’ which does not seem to be linked to the APTs. 

It is believed that Clasiopa acquired access to the targeted organization by brute forcing public facing servers and using a variety of post-exploitation tools like Atharvan remote access trojan (RAT), which is a modified version of the Lilith RAT, the Thumbsender hacking tool, and a custom proxy tool. The threat actor, according to Symantec, utilized the backdoors to compile lists of files and exfiltrate them, deleted logs, set a scheduled task to list file names, and verified the IP addresses of the compromised machines in an effort to disable endpoint protections. 

Moreover, it appears that Clasiopa used authorised software from Agile and Domino throughout the attack, but it is still unclear whether the attackers actually deployed the tools or simply abused the existing installations. Apparently Atharvan backdoor is able to download arbitrary files from the server, execute files, and configure communications through the C&C server, all based on the commands received from its operators. 

Adding to this, the Atharvan RAT can terminate or restart programs, send remote commands and PowerShell scripts, as well as terminate and uninstall itself. Further analysis on Atharvan revealed a Hindi mutex and a password, suggesting that Clasiopa could be based in India, although Symantec says that these could be some of the false flags planted by the threat group to muddle with the investigation.  

Read more »
WithSecure
Cyber Attacks Cyberespionage Cybersecurity Lazarus Group North Korea Ransomware WithSecure

Energy and Healthcare Firms Are The Focus of The Lazarus Group Once Again

 


The North Korean Lazarus Group, which was employed by the North Korean government to target medical research and energy organizations with cyberattack campaigns, was reported by security researchers on February 2.  

The campaign was discovered by threat intelligence analysts at WithSecure. They were trying to unravel a ransomware attack that they suspected had been launched against one of their customers. In the course of their investigation, they discovered evidence indicating that the Lazarus crew had committed an OpSec oversight that led to a key operational security (OpSec) slip-up, which provided them with proof that the event was part of a wider state-sponsored intelligence gathering campaign already being carried out by North Korea. 

Sami Ruohonen, the senior threat intelligence researcher for WithSecure, says his initial suspicion was that it was an attempted BianLian ransomware attack. 

Even though WithSecure had collected evidence in one direction, it quickly pointed in a different direction. Throughout the process of gathering more information, they became more and more confident that the attack had been perpetrated by a group associated with the North Korean government. Having discovered this, WithSecure concluded that it was indeed the Lazarus Group that had posed as the attack. 

The Path to Cyberespionage Begins With Ransomware 

It was the initial compromise and privilege escalation of the system that led them to the conclusion that they were engaged in this activity. In August, the Zimbra mail server was exploited using a known vulnerability that existed in an unpatched version of Zimbra. In one week, the threat actors had already accessed many gigabytes of data from the mailboxes on the server. The attacker used live-off-the-land (LotL) strategies along the way as he moved horizontally across the network by the end of October. The compromised assets began becoming connected to Cobalt Strike's command-and-control (C2) infrastructure in November, beginning the process of infiltrating almost 100GB of data from the network during the period between November and December.  

It is believed that the researchers dubbed this incident "No Pineapple" because it referred to an error message that was used in a backdoor that was used by the bad guys that replied > No Pineapple! > When the data size exceeds the segmented byte size, the operation fails. 

Based on the malware, the TTP, and a couple of unique findings, the researchers feel that there is a high degree of confidence in their identification of Lazarus group activity. Data exfiltration involves several key actions, one of which is critical. Several suspicious web pages appeared to be connected to a North Korean IP address for a short time, as a result of an attacker-controlled Web shell. Even though the country only has fewer than a thousand of these addresses, at first the researchers wondered if they had made a mistake. However, they later confirmed that they had not. 

The attacker showed exemplary tradecraft and still managed to carry out considered actions on carefully selected endpoints despite this OpSec failure, Tim West, head of WithSecure’s threat intelligence unit, commented on the actor’s performance. 

Upon digging deeper into the incident, the researchers discovered that additional victims were also identified as a result of the attack as the investigation proceeded. The victims were identified based on their connections to a C2 server that was controlled by threat actors during the attack. There are many espionage motives involved in this process, which points to a much larger effort than was first suspected as being the target. 

Among the hundreds of victims, several companies in the healthcare sector suffered losses including a company that researches healthcare. In addition, a company that manufactures technology utilized in the energy, defense, research, and healthcare sectors. 

During the third quarter of 2022, most of the breaches that have been reported occurred because of the infrastructure that researchers noticed in May. According to the victimology of the campaign, analysts consider the threat actor to have intentionally targeted the supply chain of the industry verticals of medical research and energy. This is based on the victimology of the campaign. 

Lazarus Never Remained Down for Long 

It is widely believed that the Foreign Intelligence and Reconnaissance Bureau of North Korea is responsible for the long-running Lazarus threat group that has been operating for over a decade. Researchers have confirmed that the group has been involved in hacking activities at least as far back as 2009. It has been responsible for an increasing number of attacks since then. It has only been a matter of short intervals where the man has been thrown to the ground between periods of standing. 

This anti-terrorist operation serves both a financial purpose - it is an extremely valuable source of revenue for the regime - as well as a spying purpose. As early as 2022, there were many reports of Lazarus providing sophisticated attacks against Apple of their M1 chip as well as fake job posting scams using Apple's M1. It should be noted that a similar attack took place last April. Computers were used to upload malicious files, disguised as job offers for highly attractive dream jobs, to targets in the chemical sector and information technology. 

As of last week, the FBI confirmed that the Lazarus Group, a group of cyber threat actors from the United States, was implicated in the theft of $100 million worth of virtual currency last June from the cross-chain technology created by Harmony to exchange data across blockchains, termed Horizon Bridge, owned by the blockchain company Harmony. According to estimates provided by the FBI, because of the actions of the group in the Horizon Bridge heist, the group was able to launder more than $60 million worth of Ethereum by using the Railgun privacy protocol in January. There has been a report that authorities were able to freeze "some of these funds."
Read more »
USA
Cyber Crime cyber espionage Cyber Fraud Cyberespionage DOJ FBI United States Cyber Security USA

Ex-NSA Employee Charged with Espionage Case

A former U.S. National Security Agency (NSA) employee from Colorado has been arrested on account of attempting to sell classified data to a foreign spy in an attempt to fulfill his personal problems facing because of debts. 

According to the court documents released on Thursday, the accused Jareh Sebastian Dalke, 30, was an undercover agent who was working for the Federal Bureau of Investigation (FBI). 

Jareh Sebastian said that he was in contact with the representative of a particular nation "with many interests that are adverse to the United States," he was actually talking to an undercover FBI agent, according to his arrest affidavit. 

Dalke was arrested on Wednesday after he allegedly agreed to transmit classified data. "On or about August 26, 2022, Dalke requested $85,000 in return for additional information in his possession. Dalke agreed to transmit additional information using a secure connection set up by the FBI at a public location in Denver,"  eventually it led to his arrest,  the DoJ said. 

Earlier he was employed at the NSA from June 6, 2022, to July 1, 2022, as part of a temporary assignment in Washington D.C as an Information Systems Security Designer. Dalke is also accused of transferring additional National Defense Information (NDI) to the undercover FBI agent at an undisclosed location in the U.S. state of Colorado. 

Following the investigation, he was arrested on September 28 by the law enforcement agency. As per the USA court law, Dalke was charged with three violations of the Espionage Act. However, the arrest affidavit did not identify the country to which Dalke allegedly provided information. 

The affidavit has been filed by the FBI and mentioned that Dalke also served in the U.S. Army from about 2015 to 2018 and held a Secret security clearance, which he received in 2016. The defendant further held a Top Secret security clearance during his tenure at the NSA. 

"Between August and September 2022, Dalke used an encrypted email account to transmit excerpts of three classified documents he had obtained during his employment to an individual Dalke believed to be working for a foreign government," the Justice Department (DoJ) said in a press release.
Read more »
Vulnerability
CVE Cyberespionage Data Breach Data Theft Hacker Trojan Vulnerability

 New Confluence Remote Code Execution Flaw is Exploited by Cryptocurrency Miners

 

Atlassian has issued a security advisory on a severe unpatched remote code execution vulnerability that affects Confluence Server and Data Center products and is being actively abused in the field, according to the company. The CVE-2022-26134 vulnerability was found as an extensively exploited zero-day towards the end of May, and the vendor issued a patch on June 3, 2022. 

Several proof-of-concept (PoC) exploits for the CVE-2022-26134 bug have been made public. Following the disclosure of the RCE, Check Point Research (CPR) researchers observed a large number of exploitation attempts, with some of the malicious payloads used in the attacks being used as part of the same campaign carried by a crypto mining gang known as the "8220 gang" by doing bulk net scans to discover vulnerable Windows and Linux endpoints to plant miners. 

Miners are special-purpose programs that mine cryptocurrency like Monero for the threat actor using the host's available computational capabilities. Reduced server performance, increase hardware wear, greater operating costs, and even business disruption are all direct consequences of this action. These actors can also improve their attack at any time and dump more potent payloads because they have access to the system.

Multiple infection chains are used to target Linux and Windows operating systems. The attack starts with a specially crafted HTTP request which exploits CVE-2022-26134 and dumps a base64-encoded payload on both Linux and Windows platforms. The payload then downloads an executable, a Linux malware injects script and a Windows child process spawner. Both scenarios try to set up reboot persistence, then delete all current devices before activating the miner. 

The miner will deplete all system resources in both circumstances, therefore the "8220 gang" is aiming for maximum profit until the malware is uprooted, rather than silently mining on infected servers and attempting to remain undiscovered by using only a portion of the available processing capacity. Eventually, the Linux script looks for SSH keys on the host in an attempt to expand to other computers nearby. 

The web shell is believed to have been used to distribute two further web shells to disk, namely China Chopper and a bespoke file upload shell for exfiltrating arbitrary files to a remote server. The news comes within a year of another severe remote code execution issue in Atlassian Confluence (CVE-2021-26084, CVSS score: 9.8) was actively exploited in the open to install cryptocurrency miners on compromised servers (CVE-2021-26084, CVSS score: 9.8). 

"Attackers can get direct access to highly valuable systems by exploiting such type of vulnerability," Volexity stated. "Furthermore, because they lack the necessary monitoring or logging capabilities, these systems can be difficult to investigate."
Read more »
Ministry of foreign affairs
Africa attacks Cyber Crime Cyberespionage Middle East Ministry of foreign affairs

New Cyber Espionage Group Targeting Ministries of Foreign Affairs

 

Researchers unveiled a new cyber espionage group on Thursday, which is behind the series of targeted operations attacking diplomatic entities and telecommunication corporations in Africa and the Middle East since at least 2017. 

The campaign, dubbed "BackdoorDiplomacy," involves exploiting flaws in internet-exposed devices like web servers to carry out various cyber-hacking operations, including moving laterally across the network to execute a custom implant called Turian which is capable of exfiltrating sensitive data stored on removable media. 

Jean-Ian Boutin, head of threat research at Slovak cybersecurity firm ESET said, "BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. Turian likely represents a next stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the U.S." 

The cross-platform group, which targets both Windows and Linux operating systems, singles out management interfaces for networking equipment and servers with internet-exposed ports, most likely abusing unsecured flaws to implement the China Chopper web shell for initial access, which is then used to conduct reconnaissance and install the backdoor. 

F5 BIG-IP devices (CVE-2020-5902), Microsoft Exchange servers, and Plesk web hosting control panels are among the systems affected. Victims have been identified in many African countries' foreign ministries and those in Europe, the Middle East, and Asia. Furthermore, in Africa and at least one Middle Eastern country, telecom carriers have also been hit. 

The researchers stated, "In each case, operators employed similar tactics, techniques, and procedures (TTPs), but modified the tools used, even within close geographic regions, likely to make tracking the group more difficult."

BackdoorDiplomacy is also believed to overlap with previously reported campaigns operated by a Chinese-speaking group Kaspersky tracks as "CloudComputating.

According to ESET researchers, apart from its features to gather system information, take screenshots, and carry out file operations, Turian's network encryption protocol is nearly identical to that used by WhiteBird, a C++ backdoor operated by an Asia-based threat actor named Calypso that was installed within diplomatic organizations in Kazakhstan and Kyrgyzstan at the same timeframe as BackdoorDiplomacy.
Read more »
Russia
China Chinese Hackers Cyberespionage malware Russia

Chinese APT Actors Attack Russian Defense In An Espionage Attack

An earlier anonymous backdoor malware, called PortDoor, is probably being used by Chinese APT (advanced persistent threat) hackers to attack Russian defense system, according to reports. Cybersecurity firm 'Cybereason Nocturnus' looked into hackers specifically targeting Rubin Design Bureau, an organization that builds submarines for Russian Navy Federation. The main target was director general named Igor Vladimirovich, who received a phishing mail, say experts. The attack started with "Royalroad weoponizer" aka RTF exploit builder/8.t Dropper, which, according to cybersecurity experts, is a tool used by Chinese APT's to orchestrate their attacks, like Tick, Tonto Team and TA428. 


RoyalRoad makes weaponized RTF documents that attack vulnerabilities CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802) in Equation Editor of Microsoft. RoyalRoad's use in the attack is the reason why the victim suspects Chinese hackers to be behind the attack. Cybereason analysis said, "the accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests." 

A Subtle Spying Malware 

Experts found the malware stealing unique PortDoor sample when the corrupt RTF file is opened, which is built cautiously to stealth. It has various functions that include spying, target profiling, delivering additional payloads, process manipulation, privilege escalation, AES- encrypted data exfiltration, static detection antivirus evasion, one-byte XOR encryption and much more. If deployed, backdoor decodes strings with the help of hard-coded 0xfe XOR key in order to get configuration info. It includes C2C server address, target locator, and other trivial information. 

Cybersecurity report said, "the backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports." "Lastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor,” researchers concluded. “We hope that as time goes by, and with more evidence gathered, the attribution could be more concrete."
Read more »
malware
APT CIA Cyberespionage Hacking Attack Kaspersky malware

Kaspersky Discovered Purple Lambert to be a Part of the CIA

 

Kaspersky Lab, a cybersecurity company, has uncovered a new malware that analysts believe is linked to the US Central Intelligence Agency. Multiple antivirus providers obtained a series of malware samples in February 2019, according to Kaspersky experts, some of which cannot be linked to the operation of established APT classes. There were no parallels between these malware strains and malware affiliated with other APT classes.

Although an initial investigation revealed no common code with any previously-known malware samples, Kaspersky recently re-analyzed the files and discovered that “the samples have intersections with coding patterns, style, and techniques that have been used in different Lambert families,” according to the company. Lamberts is Kaspersky's internal codename for tracking CIA hacking operations.

Kasperksy has dubbed this new malware cluster Purple Lambert due to the shared similarity between these recently found samples and previous CIA malware. The malware samples seem to have been collected seven years earlier, in 2014, according to Purple Lambert metadata. Although Kaspersky has not seen any of these samples in the wild, it believes Purple Lambert samples were “most certainly deployed in 2014 and probably as late as 2015.”

“Although we have not found any shared code with any other known malware, the samples have intersections of coding patterns, style and techniques that have been seen in various Lambert families. We therefore named this malware Purple Lambert.” states the APT trends report Q1 2021 published by Kaspersky. “Purple Lambert is composed of several modules, with its network module passively listening for a magic packet. It is capable of providing an attacker with basic information about the infected system and executing a received payload. Its functionality reminds us of Gray Lambert, another user-mode passive listener. Gray Lambert turned out to be a replacement of the kernel-mode passive-listener White Lambert implant in multiple incidents. In addition, Purple Lambert implements functionality similar to, but in different ways, both Gray Lambert and White Lambert.” 

While the Lambert APT (also known as the Longhorn APT) has been present since at least 2008, the first samples were discovered in 2014. The group is extremely advanced, and it has penetrated organisations all over the world with a sophisticated cyberattack network that can hack both Windows and Mac systems. The researchers discovered and studied numerous backdoors and hacking methods that make up the cyberespionage group's arsenal over the years.
Read more »
Government
APT APT attacks China Cyber Attacks Cyberespionage Government

Spy Campaign: SideWinder APT Leverages South Asian Border Disputes


The SideWinder advanced persistent threat (APT) group, which seems to be active since 2012, now has started a new malicious activity, wherein the threat actors are leveraging the rising border disputes between developing states namely India-China, India-Nepal, and Nepal-Pakistan. 

The aim of this phishing and malware initiative is to gather sensitive information from its targets, mainly located in two territories, Nepal and Afghanistan. A recent study says the SideWinder group primarily targets victims in South Asia and its surroundings, interestingly this latest campaign is no exception. 

According to the researchers, this phishing and malware initiative is targeting multiple government and military units for countries in the region. The Nepali Ministries of Defense and Foreign Affairs, the Nepali Army, the Afghanistan National Security Council, the Sri Lankan Ministry of Defense, the Presidential Palace in Afghanistan are its prime targets, to name a few. 

Malicious actors are targeting Webmail login pages aimed at harvesting credentials. Actual webmail login pages were copied from their victims and subsequently are being used for phishing, as per the Trend Micro researchers. For instance, “mail-nepalgovnp[.]duckdns[.]org”,  which appears the legitimate domain of Nepal's government, however, it is just tricking people into believing so. 

The Catch

When the users “log in”, they are either directly sent to the actual login pages or redirected to different news pages, documents, which can be related either to political fodder or COVID-19. Researchers noted that some of the pages also include articles titled “China has nothing to do with India, India should see that. Similarly, many articles are being used which includes hot topics from recent ongoing issues between states. 

Cyber Espionage: No Limits? 

"We also found multiple Android APK files on their phishing server. While some of them are benign, we also discovered malicious files created with Metasploit," researchers wrote on Wednesday. They also identified several Android APK files on the phishing server, some of these files were made using Metasploit. 

Reportedly, SideWinder is a very proactive group that made headlines for attacking mobile devices via Binder exploit. This Year many states were being attacked, namely Bangladesh, China, and Pakistan, using files of Corona Virus. 


Read more »
telecommunications
Chinese Hackers Cybereason Cyberespionage telecommunications

Chinese espionage campaign hit telecommunications firms around the world






Hackers have breached into the systems of more than a dozen global telecommunications companies and have to hold on a large amount of personal as well as corporate data, researchers from a cybersecurity company said on Tuesday.

Security researchers from a cybersecurity firm Cybereason, which is a collaboration of US-Israel, said that the attackers compromised companies in more than 30 countries. 

The main aim behind this espionage is to gather information about individuals who are working in government, law enforcement and politics. The group is linked to a Chinese cyber-espionage campaign.

The tools used by hackers were similar to other attacks which were carried out by Beijing, but the country denied of involvement in any kind of mischievous activity. 

Lior Div, chief executive of Cybereason. “For this level of sophistication, it’s not a criminal group. It is a government that has capabilities that can do this kind of attack,” he told Reuters.

Cybereason said in a blog post. “They built a perfect espionage environment. They could grab information as they please on the targets that they are interested in.”



“We managed to find not just one piece of software, we managed to find more than five different tools that this specific group used,” Div said.
Read more »
Malware Report
Breaking News Cyber Security awareness Cyberespionage IT Security News Malware Report

New 'KeyBoy' malware targets users from India, Vietnam

Security researchers have discovered a new piece of malware that targets users from India, Vietnam.  The backdoor is designed to steal information from the victim.

The malware campaign uses well-crafted Microsoft word document that exploits patched vulnerability in Microsoft office to drop a new malware referred as 'KeyBoy', according to Rapid7.

The first document found by the researchers targeting users from Vietnam is written in Vietnamese and is about reviewing and discussing best practices for teaching scientific topics.

The second document found by the researchers is written in English with title "All INDIA Bharat Sanchar Nigam Limited Executives' Association".  The title suggests the document is designed to target Indians.  The report says the document pretends to be authored by someone called Amir Kumar Gupta.  


Once the crafted-documents opened, it attempts to exploit known remote code execution vulnerabilities in Microsoft office.  If successful, the documents installs a backdoor malware dubbed as 'KeyBoy'.

After analyzing the malware, researchers identified a code that is designed to steal the login credentials stored in the Firefox and Internet explorer browsers.
Read more »
Subscribe to: Posts (Atom)