
Global Surveillance Campaign Targets Government Webmail Through XSS Exploits

Amid the ongoing conflict between Russia and Ukraine, the digital battlefield remains as active as the one on the ground. Researchers have identified a sophisticated and ongoing global hacking campaign known as "Operation RoundPress", which they describe as a disturbing escalation of cyberespionage activity. The campaign targets high-profile government entities across multiple nations, strategically compromising their webmail servers in order to intercept sensitive communications.

New research from cybersecurity firm ESET indicates that the attackers have exploited both zero-day vulnerabilities (previously unknown security flaws) and n-day vulnerabilities (flaws that have been public for some time but remain unpatched on the targeted systems). ESET attributes the campaign with moderate confidence to APT28, a well-known Russian state-sponsored threat actor also tracked as Fancy Bear or Sednit.

The group, which is thought to operate under the direction of Russia's military intelligence agency, the GRU, is known for high-profile intrusions into foreign elections and for gathering information on political and military targets. APT28, also known as Fancy Bear, Sednit, and Sofacy, is among the most infamous and persistent state-sponsored hacking groups in the world today.

APT28 has been connected to numerous high-impact cyber operations over the last two decades and is believed to be closely tied to the Russian military intelligence agency (GRU). The group has previously drawn international scrutiny for its involvement in the 2016 Democratic National Committee (DNC) hack, the TV5Monde cyberattack, and numerous cyber-espionage campaigns against governmental institutions and defence agencies across several continents.

In Operation RoundPress, its latest campaign, the group appears to have intensified its efforts to steal sensitive information from targeted email accounts. Matthieu Faou, an ESET researcher, stated that the operation was designed to collect confidential information, particularly from organisations of significant strategic or geopolitical importance.

The majority of victims are governmental entities and defence companies, Faou explained, although government officials in Africa, Europe, and South America have also been targeted. Given the broad range of targets and the carefully curated targeting pattern, it is clear that the operation continues to advance the intelligence-gathering objectives of the Russian government through cyberspace.

The group's ability to adapt its techniques and pivot to new geographical regions shows not only its growing technological sophistication but also how far modern state-sponsored cyber threats reach around the world. Operation RoundPress has been ongoing since 2023, and through 2024 the threat actors continually evolved their techniques and adopted new exploits to breach a wide range of popular open-source and commercial webmail platforms.

These platforms include Roundcube, Horde, MDaemon, and Zimbra, all widely used in government and business settings. The campaign's global reach and methodical exploitation of email infrastructure make clear that it is intended to obtain persistent access to important government communications. It demonstrates the persistent threat that nation-state-backed hacking groups pose in today's volatile geopolitical environment, reinforced by their adaptability and persistence.

A detailed analysis of Sednit's cyber operations reveals that it has intensified its activity against Ukrainian targets, deploying advanced intrusion techniques to gather intelligence and disrupt systems. The group has been in the news for quite some time: in 2016, the U.S. Department of Justice publicly accused it of orchestrating the hacking of the Democratic National Committee (DNC) in the run-up to the U.S. presidential election, an incident that demonstrated the geopolitical consequences of cyber warfare in the twenty-first century.

Operation RoundPress exemplifies the emerging state-backed digital threat, showing how cyberattacks are increasingly deployed as strategic weapons in international conflicts. With this latest campaign, Russia continues to engage in aggressive cyber warfare closely aligned with its political objectives, reinforcing the urgent need for robust cybersecurity measures on a global scale.

Researchers first identified Operation RoundPress, a sophisticated cyber-espionage campaign linked to the Russian state-linked group Sednit (also known as APT28 or Fancy Bear), in 2023. At first, the attackers exploited a known vulnerability in the open-source webmail application Roundcube, CVE-2020-35730. By 2024, however, they had significantly expanded both the scope and the technical sophistication of the campaign.

The threat actors have since begun exploiting other vulnerabilities, including a zero-day (CVE-2024-11182) affecting the MDaemon webmail platform, demonstrating their ability to keep adapting as the campaign evolves. To compromise a system, the attackers typically send spearphishing emails that embed cross-site scripting (XSS) exploits.

These emails are carefully crafted to execute malicious JavaScript payloads when the message is viewed in a vulnerable webmail client. Through this tactic, attackers can harvest email credentials, message content, and contact lists, and even bypass two-factor authentication (2FA) protections, giving them long-term access to sensitive data without detection.

The ESET researchers who discovered and analysed Operation RoundPress believe it is the work of Sednit. They base this attribution, made with medium confidence, on infrastructure overlaps, phishing techniques, and code-level similarities with previously documented Sednit operations.

According to their research, the primary targets have been governmental agencies and defence contractors throughout Eastern Europe, particularly those involved in the ongoing conflict in Ukraine. The campaign has also extended to several European Union member states, and incidents have been observed in Africa and South America, showing that the campaign has global ambitions and reinforcing concerns about the growing threat of nation-state cyber activity.

Operation RoundPress shows state-sponsored threat actors exploiting a number of long-standing weaknesses in widely used webmail platforms to gain access to high-value targets. One of the key factors in the campaign's success was the use of multiple cross-site scripting (XSS) vulnerabilities to stealthily inject malicious JavaScript payloads into routine email communications.

By exploiting vulnerabilities in several commercial and open-source webmail systems, the attackers were able to gain access to sensitive data and user credentials and even circumvent multi-factor authentication mechanisms. The ESET researchers who analysed Operation RoundPress identified a variety of known and previously unknown vulnerabilities exploited in the campaign:

CVE-2020-35730 – Roundcube: First exploited in 2023, this stored XSS vulnerability allowed attackers to embed malicious JavaScript directly into email bodies. The script ran automatically whenever the user opened the message in the Roundcube interface, allowing the attackers to steal credentials and hijack sessions.

CVE-2023-43770: This vulnerability, related to improper sanitisation of hyperlink text, was exploited in early 2024. The attackers inserted script tags into the email content so that the malicious code ran when the message was viewed.

CVE-2024-11182 – MDaemon: In 2024 the attackers exploited a zero-day vulnerability in MDaemon's HTML parser. The exploit used a malicious title attribute on a noembed tag to hide a JavaScript payload inside an image onerror handler. The attackers used this technique to extract credentials, bypass two-factor authentication, and establish persistent access by creating App Passwords.

Horde – Unspecified XSS: APT28 also attempted to exploit an older XSS problem in Horde's mail system, using an image onerror XSS vector. The attempt failed because of improved input filtering in newer Horde releases. Researchers have not yet been able to identify the exact CVE, but the vulnerability is believed to have been fixed since then.

CVE-2024-27443 – Zimbra: The attackers exploited a previously unknown XSS flaw in Zimbra's calendar module. By injecting unsanitised input via the X-Zimbra-Calendar-Intended-For header, APT28 embedded a JavaScript payload in calendar invitations that executed when the invitation was viewed.
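As an added example, not code from the original post or from ESET, the following Python scanner checks inbound messages for the webmail XSS vectors listed above: inline script tags, image onerror handlers hidden inside noembed elements, javascript: URIs, and markup injected into the X-Zimbra-Calendar-Intended-For header. The heuristics and the three sample messages are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Header named in the Zimbra CVE-2024-27443 description above.
CALENDAR_HEADER = "X-Zimbra-Calendar-Intended-For"


class XssVectorScanner(HTMLParser):
    """Walk an HTML body and record the constructs the campaign relied on:
    inline <script>, on* event-handler attributes (the image onerror vector),
    <noembed> wrappers used to hide a payload, and javascript: URIs."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so ONERROR is caught too.
        if tag == "script":
            self.findings.append(("script-tag", "inline <script> element"))
        if tag == "noembed":
            self.findings.append(("noembed-tag", "<noembed> wrapper around hidden content"))
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(("event-handler", f"<{tag} {name}={value!r}>"))
            elif name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-uri", f"<{tag} {name}={value!r}>"))


def scan_calendar_header(msg):
    """Flag markup characters in the header that the Zimbra flaw left unsanitised."""
    value = msg.get(CALENDAR_HEADER)
    if value and any(ch in value for ch in "<>\"'"):
        return [("header-injection", f"{CALENDAR_HEADER}: {value}")]
    return []


def scan_message(raw_message):
    """Return every finding for one RFC 5322 message given as text."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = scan_calendar_header(msg)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        scanner = XssVectorScanner()
        scanner.feed(html_part.get_content())
        scanner.close()
        findings.extend(scanner.findings)
    return findings


# Constructed samples; none of these are real campaign messages.
MALICIOUS_MAIL = """\
From: sender@example.test
To: victim@example.test
Subject: constructed sample mimicking the MDaemon vector
Content-Type: text/html; charset=utf-8

<html><body><p>Please review the attached report.</p>
<noembed title="x"><img src="x" ONERROR="alert('constructed')"></noembed>
<script>alert('constructed')</script>
</body></html>
"""

CALENDAR_MAIL = """\
From: sender@example.test
To: victim@example.test
Subject: constructed sample mimicking the Zimbra header vector
X-Zimbra-Calendar-Intended-For: attendee@example.test<img src=x onerror=alert(1)>
Content-Type: text/plain; charset=utf-8

Meeting invitation.
"""

BENIGN_MAIL = """\
From: sender@example.test
To: victim@example.test
Subject: constructed benign sample
Content-Type: text/html; charset=utf-8

<html><body><p>Hello,</p><img src="cid:logo" alt="logo">
<a href="https://example.test/report">Quarterly report</a></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("malicious", MALICIOUS_MAIL), ("calendar", CALENDAR_MAIL), ("benign", BENIGN_MAIL)):
        print(label, scan_message(raw))
```

A mail gateway would run this on the decoded HTML part before delivery; the same checks belong in the webmail sanitiser itself, which is where the patched versions enforce them.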

ESET's investigation found no evidence of Operation RoundPress activity in 2025; however, the researchers warn that the techniques used, particularly those relying on XSS, remain highly relevant. With new vulnerabilities continually being discovered in webmail clients, the danger of similar attacks remains high.

The campaign is a powerful reminder that vigilant patching, secure coding, and layered email security are essential for protecting against nation-state attacks. The revelations surrounding Operation RoundPress underscore an important reality: the cyber threat landscape is evolving faster than many organisations can adjust to.

It is becoming increasingly evident that cybersecurity is no longer merely a technical issue; it is a matter of national resilience and strategic foresight, and state-sponsored adversaries like APT28 exploit any gap in it. Governments, the defence industry, and corporations must reevaluate the robustness of their digital ecosystems, especially those underlying communication and collaboration, in light of these developments.

There is no longer any question that proactive threat detection, meticulous patch management, and zero-trust architectures must be prioritised. Furthermore, because the sophistication of these campaigns keeps growing, international cooperation, intelligence sharing, and investment in next-generation security solutions must be strengthened. Operation RoundPress has acted as a wake-up call for organisations in high-risk sectors: vigilance, speed, and adaptability are now essential components of any serious defence against cybercrime.

Operation Digital Eye Reveals Cybersecurity Breach

It has been recently reported that a Chinese group of Advanced Persistent Threats (APTs) has carried out a sophisticated cyberespionage operation dubbed "Operation Digital Eye" against the United States.  Between the end of June and the middle of July 2030, a campaign targeting large business-to-business (B2B) IT service providers in southern Europe between late June and mid-July 2024 was reported by Aleksandar Milenkoski, Senior Threat Researcher at SentinelLabs, and Luigi Martire, Senior Malware Analyst at Tinexta Cyber. 

Tinexta Cyber and SentinelLabs have both been tracking this activity targeting business-to-business IT service providers in southern Europe. Based on an assessment of the malware, infrastructure, techniques, victimology, and timing of the activity, they conclude that it is highly likely a China-nexus cyberespionage actor conducted these attacks.

A group of Chinese hackers has been observed using Visual Studio Code (VSCode) tunnels to maintain persistent remote access to compromised systems at large IT service providers in Southern Europe. Which China-aligned hacking group is behind the attacks is not yet known, an attribution complicated by the fact that many China-aligned groups share toolsets and infrastructure.

VS Code is the latest version of Microsoft's code editor, optimised for building and debugging modern web and cloud applications. It is a lightweight but feature-rich source code editor that runs on the desktop and is available for Windows, Mac OS X, and Linux. Beyond its built-in language support, it comes with a rich ecosystem of extensions for other languages and runtimes, including JavaScript, TypeScript, and Node.js. According to the two firms, most of the intrusion chains they observed began with SQL injection as the initial point of access to internet-facing systems such as web applications and database servers.

To inject code into the target systems, the attackers used SQLmap, a legitimate penetration testing tool that automatically detects and exploits SQL injection flaws. After gaining access, they deployed PHPsert, a PHP-based web shell that let them execute commands remotely and introduce additional payloads once access was fully established. To move laterally from one target to another, the attackers used RDP and pass-the-hash attacks, the latter with a custom version of Mimikatz ('bK2o.exe').

Using the 'WINSW' tool, the hackers installed a portable, legitimate copy of Visual Studio Code ('code.exe') on the compromised computers and set it up as a persistent Windows service so that it would run on every device. Visual Studio Code was launched with the tunnel parameter, which enables remote development access to the machine. Visual Studio Code tunnels are part of Microsoft's Remote Development feature.

This feature allows developers to open and edit files on remote systems through Visual Studio Code's remote servers. As a powerful development tool, Remote Development lets developers run commands and access the file systems of remote devices. Because the tunnels are created on Microsoft Azure infrastructure and the executables are signed, the access looks trustworthy on the network.
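As an added example, and not detection logic from SentinelLabs or Tinexta Cyber, the following Python triages constructed process-creation events for the persistence pattern described above: code.exe started with the tunnel parameter by a service wrapper rather than by an interactive user. The event fields, paths, user names, expected install locations and severity rules are assumptions made for this example.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Parents that indicate a person typed the command. A tunnel started under
# anything else (services.exe, a WinSW-style wrapper, a scheduled task) matches
# the service-backed persistence described in the write-up. Assumed list.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}

# Path fragments where a legitimate VS Code install normally lives (assumed).
EXPECTED_INSTALL_HINTS = ("\\microsoft vs code\\", "\\program files\\")


@dataclass
class ProcessEvent:
    """Minimal process-creation record, modelled on Sysmon Event ID 1 fields."""
    image: str
    command_line: str
    parent_image: str
    user: str


def _basename(path):
    return PureWindowsPath(path).name.lower()


def assess(event):
    """Return (severity, reason) for a suspicious event, or None if it is not of interest."""
    if _basename(event.image) != "code.exe":
        return None
    tokens = event.command_line.lower().split()
    if "tunnel" not in tokens:  # only the tunnel subcommand exposes the host remotely
        return None
    reasons = ["code.exe started with the tunnel subcommand"]
    severity = "medium"
    parent = _basename(event.parent_image)
    if parent not in INTERACTIVE_PARENTS:
        severity = "high"
        reasons.append(f"launched by non-interactive parent {parent}")
    if not any(hint in event.image.lower() for hint in EXPECTED_INSTALL_HINTS):
        severity = "high"
        reasons.append("binary outside the usual VS Code install location")
    if event.user.lower().endswith("system"):
        severity = "high"
        reasons.append("running as SYSTEM")
    return severity, "; ".join(reasons)


def find_tunnel_persistence(events):
    """Return [(severity, image, reason)] for every event worth investigating."""
    results = []
    for ev in events:
        verdict = assess(ev)
        if verdict:
            results.append((verdict[0], ev.image, verdict[1]))
    return results


# Constructed events; every path, host name and user below is invented.
SAMPLE_EVENTS = [
    ProcessEvent(  # normal developer launch, no tunnel
        image=r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
        command_line=r'"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe" --unity-launch',
        parent_image=r"C:\Windows\explorer.exe",
        user="CORP\\dev",
    ),
    ProcessEvent(  # portable copy run as a service by a WinSW-style wrapper
        image=r"C:\ProgramData\svcwrap\code.exe",
        command_line=r"C:\ProgramData\svcwrap\code.exe tunnel --accept-server-license-terms",
        parent_image=r"C:\ProgramData\svcwrap\svcwrap.exe",
        user="NT AUTHORITY\\SYSTEM",
    ),
    ProcessEvent(  # developer starting a tunnel by hand from a console
        image=r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
        command_line=r'"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe" tunnel',
        parent_image=r"C:\Windows\System32\cmd.exe",
        user="CORP\\dev",
    ),
]

if __name__ == "__main__":
    for severity, image, reason in find_tunnel_persistence(SAMPLE_EVENTS):
        print(f"[{severity}] {image}: {reason}")
```

Pairing this with a check for newly installed services whose binary path is not a known service wrapper gives the second half of the pattern (the WINSW registration itself).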

"Operation Digital Eye" illustrates lateral movement using techniques linked to a single vendor or "digital quartermaster" operating within the Chinese APT ecosystem. During the study, the researchers found that the attackers used Visual Studio Code and Microsoft Azure for command-and-control (C2) to evade detection, which they considered a calculated choice.

A suspected Chinese APT group had never before been observed using Visual Studio Code for C2 operations, signalling a significant shift in Chinese APT tradecraft. Recent research by Unit 42 found that Stately Taurus, a Chinese advanced persistent threat (APT) group involved in cyber espionage, has been abusing the popular development software Visual Studio Code in espionage operations targeting government organisations in Southeast Asia. The threat actor appears to have relied on Visual Studio Code's embedded reverse shell feature to gain an entry point into the target network.

A security researcher discovered this technique as recently as 2023, so it is relatively new. Relations between European countries and China are complex, combining cooperation, competition, and undercurrents of tension in areas such as trade, investment, and technology. China-linked cyber espionage groups sporadically target public and private organisations across Europe to gather strategic intelligence, gain competitive advantages, and advance China's geopolitical, economic, and technological interests.

In the summer of 2024, a coordinated attack campaign dubbed Operation Digital Eye was carried out by Russian intelligence services, lasting approximately three weeks from late June to mid-July 2024. Because the targeted organisations manage data, infrastructure, and cybersecurity for a wide range of clients across various industries, they are prime targets for cyberespionage.

Researchers highlight Operation Digital Eye as evidence that Chinese cyberespionage groups continue to pose an ongoing threat to European entities, with these actors continuing to pursue high-value targets. The campaign emphasises the strategic nature of the threat: when attackers breach organisations that provide data, infrastructure, and cybersecurity services to other industries, they gain access to the digital supply chain and can extend their reach to downstream companies.

The intrusion relied on SSH and Visual Studio Code Remote Tunnels, which the attackers used to execute remote commands on compromised endpoints, authenticating to the tunnels with GitHub accounts. They accessed the compromised endpoints through the browser-based version of Visual Studio Code ("vscode[.]dev"). It remains unclear whether the threat actors used freshly created GitHub accounts to authenticate to the tunnels or accounts they had previously compromised.

Several other aspects point to a Chinese presence, including simplified Chinese comments within PHPsert, infrastructure provided by M247, and the use of Visual Studio Code as a backdoor, a technique previously attributed to Mustang Panda. The investigation found that the threat actors associated with Operation Digital Eye showed a notable pattern of activity within the networks of targeted organisations.

Their operations were predominantly aligned with conventional working hours in China, spanning from 9 a.m. to 9 p.m. CST. This consistent timing hints at a structured and deliberate approach, likely coordinated with broader operational schedules. One of the standout features of this campaign was the observed lateral movement within compromised environments. This capability was traced back to custom modifications of Mimikatz, a tool that has been leveraged in earlier cyberespionage activities. 

These tailored adjustments suggest the potential involvement of centralized entities, often referred to as digital quartermasters or shared vendors, within the ecosystem of Chinese Advanced Persistent Threats (APTs). These centralized facilitators play a pivotal role in sustaining and enhancing the effectiveness of cyberespionage campaigns. 

By providing a steady stream of updated tools and refined tactics, they ensure threat actors remain adaptable and ready to exploit vulnerabilities in new targets. Their involvement underscores the strategic sophistication and collaborative infrastructure underlying such operations, highlighting the continuous evolution of capabilities aimed at achieving espionage objectives.

APT41: Cyberespionage Group Targets Asian Materials Industry


The Chinese state-sponsored APT41 cyberespionage group, also known as Blackfly, Barium, Bronze Atlas, Double Dragon, Wicked Panda, and Wicked Spider, has been one of the most active threat groups since at least 2007.

The group has recently been targeting two subsidiaries of a major Asian conglomerate that specialises in materials and composites. The attack follows closely on another, distinct campaign against the Asian materials sector.

The attack was seen using the Winnkit backdoor, Mimikatz, and several tools for credential dumping, screen capture, process hollowing, SQL querying, memory dumping (ForkPlayground), and proxy configuration.

In a separate instance, Symantec discovered a materials research organisation in Asia being targeted by a previously unidentified threat group named 'Clasiopa', which does not appear to be linked to the APT group.

Clasiopa is believed to have gained access to the targeted organisation by brute-forcing public-facing servers, then using a variety of post-exploitation tools, including the Atharvan remote access trojan (RAT), a modified version of the Lilith RAT, the Thumbsender hacking tool, and a custom proxy tool. According to Symantec, the threat actor used the backdoors to compile lists of files and exfiltrate them, deleted logs, set a scheduled task to list file names, and checked the IP addresses of the compromised machines in an effort to disable endpoint protections.

Clasiopa also appears to have used legitimate software from Agile and Domino throughout the attack, although it is still unclear whether the attackers deployed the tools themselves or simply abused existing installations. The Atharvan backdoor can download arbitrary files from the server, execute files, and configure communications with the C&C server, all based on commands received from its operators.

In addition, the Atharvan RAT can terminate or restart programs, run remote commands and PowerShell scripts, and terminate and uninstall itself. Further analysis of Atharvan revealed a Hindi mutex and password, suggesting that Clasiopa could be based in India, although Symantec notes that these could be false flags planted by the threat group to muddle the investigation.

Windows, Linux and macOS Users Hit by Chinese Iron Tiger

The China-sponsored hacking group Iron Tiger (aka LuckyMouse) has been exposed using the compromised servers of a chat application called MiMi to deliver malware to Windows, Linux, and macOS systems. The primary targets of Iron Tiger in this campaign were located in Taiwan and the Philippines.

Cybersecurity companies Trend Micro and SEKOIA published a detailed report on the new cyberespionage campaign by Iron Tiger, also known as Emissary Panda, Cycldek, Bronze Union, Goblin Panda, Conimes, LuckyMouse, APT27, and Threat Group 3390 (TG-3390). The group has been active since at least 2010, victimising hundreds of organisations worldwide for cyberespionage purposes.

The group also has a history of working around targeted servers in pursuit of its political and military intelligence-collection objectives, which are aligned with China. Trend Micro has identified one of the victims of this attack as a Taiwan-based game development firm that was targeted along with thirteen other entities.

The advanced persistent threat (APT) group used the compromised servers of MiMi, a messaging application available on multiple platforms, with the installer files trojanised to download and install HyperBro samples for Windows and rshell artifacts for Windows, Android, macOS, and iOS. The desktop version of MiMi is built with the cross-platform framework ElectronJS.

“Iron Tiger compromised the server hosting the legitimate installers for this chat application for a supply chain attack,” says Trend Micro. 

Trend Micro has uncovered various rshell samples, including some targeting Linux; earlier samples were uploaded in June 2021. SEKOIA wrote in its blog post that the campaign has all the elements of a supply chain attack, since the hackers control the servers hosting the app.

“We noticed that a chat application named MiMi retrieved the rshell executable, an app we came across recently while investigating threat actor Earth Berberoka. We noticed Iron Tiger controlling the servers hosting the app installers of MiMi, suggesting a supply chain attack,” the Trend Micro blog post read.

Every Tenth Stalking and Espionage Attack in the World is Directed at Android Users from Russia

According to analysts at ESET (an international antivirus developer headquartered in Slovakia), commercial developers who openly offer spyware for monitoring spouses or children are gaining popularity.

"ESET global telemetry data for the period from September to December 2021 shows an increase in spyware activity by more than 20%. At the same time, every tenth stalking and espionage attack in the world is directed at Android users from Russia," the company's press service reported. 

ESET threat researcher Lukas Stefanko reported that unwanted stalking software is in most cases distributed by attackers through clones of legitimate applications downloaded from unofficial stores.

Alexander Dvoryansky, Director of Special Projects at Angara Security, confirms that Android spyware is very common and continues to gain popularity. According to him, it is advantageous for attackers to develop malicious software for this operating system because of its widespread use. Android smartphones accounted for 84.5% of total device sales in 2021. 

According to Lukas Stefanko, it is not uncommon for stalker software to be installed on smartphones so they can be tracked if stolen or lost. Despite Google's ban on advertising stalker apps, there are apps on Google Play positioned as private detective or parental control tools. In 2018, the Supreme Court allowed the acquisition and use of spy equipment for one's own security, so demand for software promoted as "monitoring one's mobile devices" has increased. But many install it covertly on the phones of relatives or employees for espionage.

If the program is installed on the phone openly and with the person's consent, then there is nothing illegal in tracking geolocation or obtaining other information, says Alexander Kharin, a lawyer at KA Pen & Paper. However, secretly installing a spyware program on a phone can result in a penalty of up to two years in prison, and for a developer the term can be up to four years. So far, though, criminal cases over stalking are rarely initiated.

Earlier, CySecurity News reported that the exact location of any Russian on the black market can be found for about 130 dollars.

Cyber-Surveillance Operation Resumed by Iran After a Long Break

Iran, one of the most resourceful countries in Western Asia in terms of weapons and cyber intelligence, has resumed a cyberespionage operation after a two-year hiatus. Cybersecurity firms SafeBreach and Check Point conducted joint research that uncovered an Iran-linked cyberespionage operation, resumed with new second-stage malware and an updated version of the Infy malware.

Espionage, destructive attacks, and social media manipulation are the three major weapons of Iranian cyber capabilities, and the evidence suggests that Iran started this cyberespionage operation as far back as 2007. Details of the operation were first disclosed in 2016; a malware family called Foudre was used in these operations, and by 2018 it had been updated eight times.

In the first half of 2020, the operation resumed with the latest versions of Foudre (versions 20-22) and new lure documents designed to tempt victims and execute malicious code when closed. After the malicious code runs, Foudre connects to the command and control (C&C) server and fetches a new component of the malware, called Tonnerre.

According to the cybersecurity experts, Tonnerre is designed to expand the capabilities of Foudre but is released as a separate component. Foudre may only be deployed when the situation is out of control, and it poses as legitimate software that can steal files from compromised machines, execute commands received from the C&C server, record sound, and capture screenshots.

Tonnerre uses a domain generation algorithm (DGA) to locate the C&C, which then stores data about the target, steals files, downloads updates, and obtains an additional C&C. Tonnerre communicates with the C&C server over both HTTP and FTP. During the investigation, SafeBreach and Check Point spotted two dozen victims, most located in Sweden (6), the Netherlands (4), Turkey (3), and the United States (3), while Romania, India, Russia, Iraq, the United Kingdom, Germany, Canada, and Azerbaijan had one victim each.

Last week, Check Point reported that the Iranian government has targeted more than 1,200 citizens in extensive cyber-surveillance operations. A blog post containing details on both Foudre and Tonnerre read, “it seems that following a long downtime, the Iranian cyber attackers were able to regroup, fix previous issues and dramatically reinforce their OPSEC activities as well as the technical proficiency and tooling capabilities”.