A recent analysis from the threat intelligence firm ESET finds that threat actors are stepping up attacks worldwide, with geopolitical events determining which regions are most heavily targeted. The report's principal author recommends that CISOs intensify their protection plans in light of the activity, even though he says no new attack techniques have been discovered.
Jean-Ian Boutin, ESET's director of threat research, said that current attack methods "still work well," so attackers don't always need novel vectors. According to Boutin, CISOs are already defending against these attacks properly; they only need to harden their defenses further.
The researchers say that the main worldwide attack trends ESET has identified are directly shaped by regional instability, which is spilling over into the cyber domain. The report focuses on the activities of specific advanced persistent threat (APT) groups from October 2023 to March 2024.
Along with operations against Ukraine, ESET researchers also saw that Russia-aligned groups were concentrating on espionage across the European Union. Several China-aligned threat actors, meanwhile, exploited vulnerabilities in public-facing appliances and software, including firewalls, VPN gateways, Confluence and Microsoft Exchange Server, to gain initial access to targets across a variety of sectors.
One of the newer tactics ESET is seeing from North Korea is playing on the victim's emotions to keep an attack from being disclosed, which will probably extend the technique's usefulness and lifespan. According to Boutin, the method has been used for years, but North Korea-aligned APT groups are making a small adjustment to it.
Dressed up as a job opportunity, the attack targets programmers and other technical talent at numerous large US companies. The attacker poses as a recruiter for such a company and asks the victim to complete an online test to demonstrate technical proficiency; that test is the trap that exposes the victim to the malware.
A cyberespionage group called XDSpy has recently attacked Russian military-industrial enterprises, as per new research.
XDSpy is believed to be a state-sponsored group, active since 2011, that mainly targets countries across Eastern Europe and the Balkans. In its November campaign, the attackers tried to gain access to the systems of a Russian metallurgical enterprise and of a research organization involved in the development and production of guided missile weapons, according to the Russian cybersecurity firm F.A.C.C.T.
F.A.C.C.T., an offshoot of the Singapore-based cybersecurity firm Group-IB, reported earlier this week that the hackers sent phishing emails to their victims while posing as a research organization involved in nuclear weapon design.
The group's tactics were similar to those used in its earlier attack on Russian companies, including a well-known scientific facility, in July. In that campaign the hackers impersonated Russia's Ministry of Emergency Situations and sent phishing emails carrying malicious PDF files. The researchers did not say whether the attackers managed to break into the victims' systems and steal data.
According to F.A.C.C.T., Russia is the primary target of XDSpy. Analysts say the group has previously targeted the country's government, military, financial institutions, and energy, research and mining companies.
Even though the group has been active for years, there has been little public evidence of its attacks on Russia, particularly since many foreign cybersecurity companies left the country following Russia's invasion of Ukraine.
ESET, a cybersecurity firm based in Slovakia, has been tracking XDSpy since 2020, and researcher Matthieu Faou said the group has consistently run spearphishing campaigns aimed mostly at prominent organizations in Eastern Europe.
ESET lost first-hand visibility into cyberattacks in Russia and Belarus, both XDSpy targets, after leaving those countries. However, the company announced last week that it had spotted the group's attack on a Ukrainian aerospace company.
In that attempt, which was not officially reported by Ukrainian security services and was likely unsuccessful, the hackers used an infection chain nearly identical to the one described by F.A.C.C.T. "We do agree with their analysis and also attribute this to XDSpy," Faou stated.
Despite the group's extensive history, analysts have not been able to pinpoint the country that is funding it. XDSpy may not have an exceptionally sophisticated toolbox, but "they have very good operative defense," according to Faou. "So far, we haven't found any errors that could point toward a specific country."
Because many Western companies have little visibility into computer systems in the region, reports about cyberattacks against Russia are rare.
This week, on the other hand, has been packed with reports from Russian cybersecurity firms. In addition to the XDSpy attack, F.A.C.C.T. recorded a DarkWatchman malware attack on Russian banks, telecom providers, logistics organizations and IT firms. The hackers disguised their phishing email as a newsletter from a Russian courier delivery company. The outcome of these attacks is unclear.
According to the Russian cybersecurity firm Positive Technologies, which is under US sanctions, another attack was carried out by a new hacker group called Hellhounds. Hellhounds has already infiltrated at least 20 Russian organizations, including government institutions, technology firms, and companies in the space and energy sectors.
The cybersecurity firm BI.ZONE also reported on the Rare Wolf group, which researchers say has targeted approximately 400 Russian companies since 2019.
These reports do not reveal which countries are responsible for the attacks on Russia. However, analysts at the cybersecurity firm Solar stated in a November report that most state-sponsored attacks against Russia originate from North Korea and China and focus primarily on data theft.
According to ESET researcher Lukas Stefanko, who examined a sample after receiving a tip from MalwareHunterTeam, one of the notable new features in the latest GravityRAT version is the ability to collect WhatsApp backup files.
GravityRAT is a remote access tool that has been used in targeted cyberattacks against India since at least 2015. Versions exist for Windows, Android and macOS, as previously reported by Cisco Talos, Kaspersky and Cyble. The actor behind GravityRAT remains unidentified; ESET tracks the group internally as SpaceCobra.
Although GravityRAT has been active since at least 2015, it only began targeting Android specifically in 2020, and its operators, SpaceCobra, use the malware only in narrowly targeted operations.
According to ESET, the app is delivered via "bingechat[.]net" and other domains or distribution channels, but downloading it requires an invitation, valid login credentials, or the creation of a new account.
Registrations are currently closed. This gating lets the threat actors deliver the malware only to the users they choose, and it also makes it harder for researchers to obtain a copy for analysis.
Once installed on the target's smartphone, the BingeChat app requests dangerous permissions: access to contacts, location, phone, SMS, storage, call logs, camera and microphone.
Because these are typical permissions for any instant messaging app, the malicious app raises no suspicion.
Even before the user registers with BingeChat, the app sends call logs, contact lists, SMS messages, device location and basic device information to the threat actor's command-and-control (C2) server.
It also exfiltrates files with the following extensions: jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, xml, doc, xls, xlsx, ppt, pptx, docx, opus, crypt14, crypt12, crypt13, crypt18 and crypt32. The crypt* extensions are those used by WhatsApp's encrypted database backups, which is how the new version collects them.
While SpaceCobra's campaign mainly targets India, all Android users are advised to avoid installing APKs from anywhere other than Google Play and to be wary of risky permission requests when installing any app.
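The permission set and file-extension list above are the kind of thing an analyst checks statically before an app ever runs. The script below is an added example, not ESET's tooling: it parses an AndroidManifest.xml, maps the requested runtime permissions onto the data categories the report lists for BingeChat, and flags which files on a device such an app could collect, separating WhatsApp backup databases from ordinary documents and media. The manifest, package name and file listing are constructed for illustration and are not taken from the real sample.

```python
"""Static triage of an Android manifest against the permission set and the
file-extension list reported for the GravityRAT/BingeChat sample.

Added example, not ESET's tooling. The manifest below is constructed for
illustration; the package name and label are made up.
"""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions mapped to the data category each unlocks.
DANGEROUS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "phone",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# The eight categories the report says BingeChat asks for.
REPORTED_CATEGORIES = {"contacts", "location", "phone", "sms",
                       "storage", "call_log", "camera", "microphone"}

# Extensions the report lists as exfiltrated (matched case-insensitively,
# which is why jpg/JPG etc. collapse into one entry).
EXFIL_EXTS = {"jpg", "jpeg", "log", "png", "txt", "pdf", "xml", "doc", "xls",
              "xlsx", "ppt", "pptx", "docx", "opus",
              "crypt12", "crypt13", "crypt14", "crypt18", "crypt32"}
WHATSAPP_BACKUP_EXTS = {e for e in EXFIL_EXTS if e.startswith("crypt")}

# Constructed manifest mimicking an IM app that asks for the full reported set.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bingechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="BingeChat"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every android:name from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def triage(manifest_xml):
    """Map requested permissions onto data categories and compare the result
    with the profile described in the report."""
    perms = requested_permissions(manifest_xml)
    categories = {DANGEROUS[p] for p in perms if p in DANGEROUS}
    return {
        "dangerous": sorted(p for p in perms if p in DANGEROUS),
        "categories": sorted(categories),
        "missing": sorted(REPORTED_CATEGORIES - categories),
        "matches_reported_profile": categories == REPORTED_CATEGORIES,
    }


def exfil_candidates(paths):
    """Flag files an app with storage access could collect, splitting out
    WhatsApp backup databases from ordinary documents and media."""
    hits = []
    for p in paths:
        ext = PurePosixPath(p).suffix.lstrip(".").lower()
        if ext in EXFIL_EXTS:
            kind = "whatsapp_backup" if ext in WHATSAPP_BACKUP_EXTS else "document_or_media"
            hits.append((p, kind))
    return hits


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print("dangerous permissions:", report["dangerous"])
    print("data reachable:", report["categories"])
    print("matches reported profile:", report["matches_reported_profile"])
    # Constructed file listing, not from a real device.
    listing = ["/sdcard/WhatsApp/Databases/msgstore.db.crypt14",
               "/sdcard/DCIM/Camera/IMG_0001.JPG",
               "/sdcard/Download/contract.docx",
               "/sdcard/Music/track.mp3"]
    for path, kind in exfil_candidates(listing):
        print(f"{kind:18} {path}")
```

The point of comparing against a category profile rather than a raw permission list is that a legitimate messenger and this implant look alike permission by permission; what stands out is an app that reaches all eight categories and also carries read access to storage, which is what puts the WhatsApp backup databases within reach.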
According to ESET experts, one of the fraudsters' schemes involves travel services: criminals pose as employees of travel companies and ask victims to make an advance payment.
The second scheme popular among fraudsters is fake websites where one can allegedly receive "New Year's payments from the state." "Hackers fake web pages under the banner of law firms or imitate the sites of popular banks, where they ask you to enter card details in order to receive funds," the experts explained.
Analysts also warned that a bank card's expiration date and three-digit CVV code must never be shared. "This information is needed only for payment, but certainly not for receiving money," ESET noted.
Experts have also recorded a sharp increase in the number of fake food delivery sites. Fraudsters copy the look of popular sites exactly and then use them to harvest the bank card details of Russian users and withdraw money from their cards.
The domain names of the real and fake sites often differ by just one character. "For example, dellivery-club instead of delivery-club, or eda.ynadex instead of eda.yandex," the company explained.
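A one-character difference is easy to test for mechanically, with one catch the second example illustrates: "ynadex" is two substitutions away from "yandex" under plain Levenshtein distance, but a single adjacent transposition. The script below is an added example, not ESET's code. It implements both the classic edit distance and the optimal string alignment variant that counts a transposition as one edit, and classifies hostnames against a small constructed allow-list of legitimate registrable labels (BRANDS). The test hostnames are made up, and the public-suffix handling is a deliberate simplification noted in the code.

```python
"""Typosquat check for the one-character domain lookalikes the report
describes (dellivery-club vs delivery-club, eda.ynadex vs eda.yandex).

Added example, not ESET's code. BRANDS is a constructed allow-list of
legitimate registrable labels; the hostnames in the demo are made up.
"""

BRANDS = {"delivery-club", "yandex"}


def levenshtein(a, b):
    """Classic edit distance: insert, delete, substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus an adjacent
    transposition counted as a single edit, so 'ynadex' is 1 away from
    'yandex' instead of 2."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[m][n]


def split_host(host):
    """Lower-case the hostname, drop a trailing dot, split into labels."""
    return host.strip().lower().rstrip(".").split(".")


def registrable_label(labels):
    """Label directly under the public suffix. Simplification (assumption of
    this example): the suffix is a single label such as .ru or .com; real
    code should consult the Public Suffix List so that e.g. .co.uk works."""
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(host, brands=BRANDS, max_dist=1):
    """Return (verdict, closest_brand, distance) for a hostname."""
    labels = split_host(host)
    label = registrable_label(labels)
    if label in brands:
        return ("legitimate", label, 0)
    # Brand name used as a subdomain of an unrelated registrable domain.
    for sub in labels[:-2]:
        if sub in brands:
            return ("brand_in_subdomain", sub, 0)
    closest = min(brands, key=lambda b: osa_distance(label, b))
    dist = osa_distance(label, closest)
    if dist <= max_dist:
        return ("typosquat", closest, dist)
    return ("unrelated", closest, dist)


if __name__ == "__main__":
    for h in ["delivery-club.ru", "dellivery-club.ru", "eda.yandex.ru",
              "eda.ynadex.ru", "yandex.example.net", "google.com"]:
        print(f"{h:22} -> {classify(h)}")
```

Distance is computed on the registrable label only, because that is the part the attacker controls; the brand-in-subdomain check covers the other common pattern, where the legitimate name appears intact but under someone else's domain.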
Experts noted that fans of ski resorts are also frequent victims. "Attackers take advantage of Russians' desire to save money and sell fake online tickets to ski slopes," ESET stressed.
ESET experts also warned that cybercriminals often send congratulatory emails urging recipients to click on malicious links.
Scammers know that on the eve of the holidays companies generously hand out bonuses and gifts to their customers, and they take advantage of this. Clicking such a link typically lands the victim on a phishing site that asks for personal or banking information. Such messages often also carry links to malware.
According to a survey by ESET, a company specializing in anti-virus software and protection against cyberthreats, most Russians (77%) believe they are being tracked via their mobile devices.
Young people aged 18 to 24 expressed the least concern about possible surveillance (35%), regarding it as a sign of paranoia. People over 35 are more concerned about surveillance.
At the same time, 39.5% of respondents believe that search history on all their devices is tracked, 25.5% believe that all actions performed on the device are transmitted, 14.1% believe they are monitored through the device's microphone and camera, and 20.9% think all of the above are used.
Among the main reasons interested companies collect personal data, 65% of study participants named targeted advertising. According to other respondents, the data is used by intelligence services and fraudsters.
According to the study, Russians fear the use of their personal data by fraudsters, leaks of intimate videos and photos, reading of their correspondence and wiretapping, as well as profiling of their habits and interests based on search history.
To avoid potential surveillance, 45% of respondents disable geolocation on their devices. Another 39% check which data applications can access, while 34% and 32% respectively avoid discussing personal topics on the phone and avoid connecting to public Wi-Fi.
In July, Pavel Durov, the founder of VKontakte and Telegram, reported that his mobile device had been targeted by spyware. According to him, spyware applications are able to hack any phone running iOS or Android, and there is currently no way to protect a device against them.