Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label PwC. Show all posts
SentinelOne
C++ Chinese Hackers Cyber Security Hackers IT Environment Keypluggs Microsoft Threat PwC Sandmam APT SentinelOne

Sandman APT Gains Traction: Chinese Hackers Amplify Cybersecurity Risks

 


It has been discovered that there is a strong coincidence in the targeting and tactics of Sandman, a mysterious advanced persistent threat (APT) that has been identified to use backdoors referred to as "Keypluggs," and KEYPLUG, a China-based threat cluster. 

Following this assessment, SentinelOne, PwC, and Microsoft Threat Intelligence have been working together on this since they have determined that the adversary's Lua-based malware, LuaDream, and the KEYPLUG have both been found to cohabit in the victim network alongside each other. 

Microsoft, SentinelLabs and PwC have collectively alerted consumers and businesses to the fact that threat actors who were allegedly linked to Chinese cybercriminals have deployed an advanced persistent threat (APT) referred to as Sandman to infiltrate IT environments with malware. 

An expert at SentinelOne, Aleksandar Milenkoski, said that Sandman has now been linked to STORM-0866/Red Dev 40, a threat actor aligned with the Chinese government's national interests, meaning that STORM-0866/Red Dev 40 targets Chinese companies. 

Following a series of cyberattacks carried out on telcos across the Middle East, Western Europe, and South Asia, Sandman was first identified in August. These attacks utilized a backdoor referred to as "LuaDream," which is a programming language that is based on Lua, as well as a backdoor titled "Keyplug," which is a programming language that is based on C++. 

SentinelOne revealed the existence of Sandman for the first time in September 2023, covering attacks on telecommunications providers in Europe, the Middle East, and South Asia by using an implant codenamed LuaDream that was used in its attacks. 

In August 2023, a record of intrusions was made. On the other hand, Storm-0866/Red Dev 40 refers to a cluster of APTs primarily targeting entities located in the Middle East and South Asia, such as telecommunication providers and government agencies, that represent an emerging APT network. 

Storm-0866 has several powerful tools at his disposal, one of which is KEYPLUG. This backdoor was first exposed by Google-owned Mandiant in the context of attacks conducted by the Chinese-based APT41 (also known as Brass Typhoon or Barium) actor between May 2021 and February 2022 in which he infiltrated six state government systems. 

The Recorded Future company reported earlier this month that the use of KEYPLUG was being used by a Chinese state-sponsored threat activity group it is tracking under the name RedGolf, which they claimed was "closely aligned with the threat activity produced by APT41/Barium. As part of its report, Mandiant informed the public that they first discovered the Keyplug backdoor in March 2022, which was used by a known Chinese group, APT41. 

Additionally, Microsoft and PwC teams discovered that the Keyplug backdoor was passed around to multiple other Chinese-based threat groups, according to the report. Researchers believe that the new obfuscation tools provided by Keyplug malware give the group a new advantage compared to previous versions. 

According to the report, the STORM-0866/Red Dev 40 cluster differs from the others because of specific malware characteristics, such as the unique encryption keys used to communicate with KEYPLUG command and control servers, as well as an increased sense of operational security, which can be attributed to the use of cloud-based reverse proxy infrastructure to hide the real locations where their C2 servers are hosted," says the report. 

According to the researchers, when they analyzed both the C2 configuration and the LuaDream and Keyplug malware strains, the overlaps were overwhelming, which can be interpreted as suggesting that their operators were seeking similar functional requirements. To grow, and effectively collaborate between the increasing number of Chinese APT groups, the report concluded, cyber security community members must share similar knowledge. 

There is a great deal of certainty that the constituent threat actors will continue to cooperate and coordinate, exploring new ways to enhance the functionality, flexibility, and stealthiness of their malware to further enhance the threat actors' threat. 

An influential example of how this can be applied is the adoption by developers of the Lua development paradigm. Overcoming the threat landscape requires a constant flow of information sharing between members of the threat intelligence research community. 

A few instances of espionage-motivated APTs historically considered Western or Western-aligned have been associated with Lua-based modular backdoors, such as LuaDream. This has proven to be a very rare occurrence and is often associated with APTs that are espionage-motivated. In our research on Sandman, we found that a broader set of cyberespionage threat actors are utilizing the Lua development paradigm because of its modularity, portability, and simplicity.
Read more »
PwC
Australia CIop MOVEit Attack CLOP Clop Ransomware Cyber Security PwC

PwC Caught in the Crossfire: Australian Fallout from Major Cyber Breach Deepens

 


There has been a severe scandal going on at the accounting firm PwC over the past few weeks involving a tax scam and the company was dealt another blow as Russian hackers have just managed to steal sensitive information. 

It has come to the attention of PwC that a notable cyber breach has so far affected 267 Australian companies, and would also have a significant impact on many more corporations from other countries. In a recent attack on popular file-sharing software, cybercriminals with Russian connections broke into the system, which resulted in new high-profile attacks on the system. 

During the last week of May, clop, a cybercrime group, made its first attempt to break into the MOVEit file-sharing service. The company had begun the theft of data from various institutions, including agencies of the US federal government, Shell, the BBC, and many others. As more and more companies reveal that they have been targeted by the data breach, which has affected rival consultancy EY as well, this breach is expected to grow much larger by the day. 

The cybercrime group reportedly obtained client data after hacking third-party software called MOVEit, which PwC used to transfer confidential information. 

The hackers, who have executed two other global attacks in the last three years, have told companies to pay a ransom or have their files released online. “Pay attention to avoid extraordinary measures that may negatively impact your company,” Clop’s website reads. On Monday, PwC Australia confirmed it had used the software for a “limited number” of its clients, adding to its woes stemming from the Collins tax scandal. 

PwC said its initial investigations showed that the company’s internal IT network had not been compromised. The cyberattack on MOVEit had a limited impact on PwC. 

The firm had determined its own IT network had not been compromised, saying the breach was likely to have a "limited impact." PwC has reached out to the businesses whose files were affected and is discussing the next steps. The spokesman added that data security remained a "key priority" for the firm and that it was continuing to put "the right resources and safeguards in place" to protect its network and data.

Although the company appears to have escaped significant harm, the revelation comes at a poor time as it battles to regain governments' trust following the leaking of confidential tax information. 

Former PwC partner Peter Collins allegedly distributed documents describing the government's tax plans to other staff at the firm. This led to his registration termination with the Tax Practitioners Board. It also caused a slew of governments and their agencies to terminate agreements with the company. 

Clop demanded large ransoms for data return, but senior US officials have reportedly said no such demands have been made to federal agencies. It remains to be seen if the group will seek money from either of the Australian firms caught up in the breach. Progress, the company that created and maintains MOVEit software, patched the vulnerability within 48 hours. It also said it was aiding affected clients and had drafted in some of the world's best cybersecurity firms to assist with its response. 

In the face of a cybersecurity crisis that has hit Australia, PwC finds itself at the forefront, bracing for the expanding fallout. This incident serves as a stark reminder of the urgent need for robust cybersecurity measures and collaboration between organizations and government agencies. 

As the nation grapples with the aftermath, it becomes crucial for stakeholders to fortify their cybersecurity strategies, invest in advanced technologies, and enhance incident response capabilities. Australia must come together to address the immediate challenges and lay the groundwork for a more resilient and secure digital future.
Read more »
Ransomware
Babuk Cyber Crime Extortion PwC Ransomware

Serco Affirms Babuk Ransomware Attack

 

Outsourcing giant Serco has affirmed that parts of its infrastructure in mainland Europe have been hit by a double extortion ransomware assault from the new Babuk group, however, the parts of its operation relating to the NHS Test and Trace program are unaffected. “Serco’s mainland European business has been subject to a cyber-attack,” a Serco representative said. “The attack was isolated to our continental European business, which accounts for less than 3% of our overall business. It has not impacted our other business or operations.” 

The incident comes after security firms and insurers progressively have stressed that digital extortionists gain from other assailants' techniques, outsource a portion of their operations and depend on connections to infiltrate victim networks. Albeit the NHS Test and Trace program was unaffected by the incident, ThreatConnect EMEA vice-president Miles Tappin said the vulnerabilities in Serco's wider systems were of incredible concern, and the Babuk assault uncovered “inherent weaknesses of the system”. 

“Like many actors new to the world of ransomware, the actor behind Babuk ransomware has been learning on the job while drawing insights from other criminal groups,” said Allan Liska, an intelligence analyst at the threat intelligence company Recorded Future. In the ransom note, Babuk's operators professed to have approached Serco's systems for three weeks and to have as of now exfiltrated a terabyte of information. The cybercriminals made explicit references to Serco partners, including Nato and the Belgian Army, and threatened Serco with consequences under the General Data Protection Regulation (GDPR). 

The attacker has demanded $60,000 to $85,000 in ransoms, however, that is “likely to increase over time as the threat actor becomes more experienced in ransomware operations,” as indicated by a private analysis from PricewaterhouseCoopers got by CyberScoop. Babuk is a long way from sophistication. Its code has contained mistakes that held it back from executing on some targeted computers, as indicated by PwC. “We assess that, due to a disregard for error checking, Babuk would fail to execute altogether in some environments,” the analysis says. 

However, while Babuk is as yet a moderately low-level threat to associations, as indicated by Liska, that could change on the off chance that they can bring in more cash from assaults and put resources into new capabilities.
Read more »
Subscribe to: Posts (Atom)