
Lazarus Hackers Employed Spear-Phishing Campaign to Target European Workers


ESET researchers have spotted the infamous Lazarus APT group installing a Windows rootkit that exploits a Dell hardware driver in a Bring Your Own Vulnerable Driver (BYOVD) attack. 

In a spear-phishing campaign that began in the autumn of 2021 and ran until March 2022, the hackers targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium. 

Exploiting Dell driver for BYOVD assaults 

According to ESET, the malicious campaign was mostly geared toward attacking European contractors with fake job offers. The hackers exploited LinkedIn and WhatsApp by posing as recruiters to deliver malicious components disguised as job descriptions or application forms. 

Upon clicking on these documents, a remote template was downloaded from a hardcoded address, followed by infections involving malware loaders, droppers, custom backdoors, and more. 

The most notable tool delivered in this campaign was a new FudModule rootkit that employs a BYOVD (Bring Your Own Vulnerable Driver) methodology to exploit a security bug in a Dell hardware driver.

The hackers exploited the vulnerability tracked as CVE-2021-21551 in a Dell hardware driver (“dbutil_2_3.sys”), which corresponds to a set of five flaws that remained exploitable for 12 years before the computer vendor finally published security patches for it. 

The APT group employed the Bring Your Own Vulnerable Driver (BYOVD) technique, which installs authentic, signed drivers in Windows that also contain known vulnerabilities. Because the kernel driver is signed, Windows allows it to be installed in the operating system. The hackers can then exploit the driver’s flaws to launch commands with kernel-level privileges. 

Last year in December, Rapid7 researchers issued a warning that this specific driver was a perfect match for BYOVD assaults due to Dell’s inadequate fixes, which allowed kernel code execution even on recent, signed versions. It appears that Lazarus was familiar with this potential for exploitation and abused the Dell driver well before threat analysts issued their public warnings. 
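Because the driver in a BYOVD attack is genuinely signed, a defender cannot use signature validity to clear a driver load. The following added example (not code from ESET, Rapid7 or the original post) triages driver-load records modelled on Sysmon Event ID 6 fields; the sample records, the expected-directory heuristic and the function names are assumptions made for illustration.

```python
import ntpath

# Driver file name taken from the article. A file can be renamed before it is
# loaded, so a production watchlist would also key on file hashes.
WATCHLIST = {"dbutil_2_3.sys": "CVE-2021-21551 (Dell hardware driver)"}

# Assumption for this example: legitimate drivers load from these directories.
EXPECTED_DIRS = ("\\windows\\system32\\drivers\\",
                 "\\windows\\system32\\driverstore\\")

def triage_driver_load(event):
    """Return findings for one driver-load record (empty list if clean)."""
    path = event.get("ImageLoaded", "")
    name = ntpath.basename(path).lower()
    findings = []
    if name in WATCHLIST:
        findings.append(f"known-vulnerable driver: {WATCHLIST[name]}")
        # BYOVD relies on the driver being genuinely signed, so a valid
        # signature must not be used to suppress the alert.
        if event.get("Signed") == "true" and event.get("SignatureStatus") == "Valid":
            findings.append("valid signature present; not a reason to trust it")
    if not any(d in path.lower() for d in EXPECTED_DIRS):
        findings.append("loaded from unexpected directory: " + ntpath.dirname(path))
    return findings

def triage(events):
    """Map each flagged driver path to its list of findings."""
    flagged = {}
    for event in events:
        findings = triage_driver_load(event)
        if findings:
            flagged[event.get("ImageLoaded", "<unknown>")] = findings
    return flagged

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\ProgramData\Example\DBUtil_2_3.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\dbutil_2_3.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for path, findings in triage(SAMPLE_EVENTS).items():
        print(path, findings)
```
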

“The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way,” researchers explained. 

The APT group also delivered its trademark custom HTTP(S) backdoor ‘BLINDINGCAN,’ first unearthed by U.S. intelligence in August 2020 and linked to Lazarus by Kaspersky in October last year. Other tools deployed in the spear-phishing campaign are the FudModule Rootkit, an HTTP(S) uploader employed for secure data theft, and multiple trojanized open-source apps like wolfSSL and FingerText.

Hackers Repeatedly Targeting Financial Services in French-Speaking African Countries


Over the last two years, a persistent cyber-attack campaign targeting major financial institutions in French-speaking African countries has surfaced. Check Point Research (CPR) discovered the campaign and termed it 'DangerousSavanna.' To start infection chains, it used spear phishing techniques. 

The threat actors allegedly sent emails in French with malicious attachments to employees in Ivory Coast, Morocco, Cameroon, Senegal, and Togo, using a variety of file types to entice victims, including PDF, Word, ZIP, and ISO files. DangerousSavanna hackers also used lookalike domains to impersonate other African financial institutions such as Tunisian Foreign Bank and Nedbank.

Sergey Shykevich, threat intelligence group manager at CPR, explained, "Our suspicion is that this is a financially motivated cybercriminal, but we don't have conclusive evidence yet. Whoever it is, this threat actor, or group of actors, is highly targeted and persistent in infecting specific victims, and right now, we are aware of at least three major financial corporations that operate in these countries that have been affected."

Furthermore, the cybersecurity expert stated that Check Point's assessment indicates that this actor will continue to try to break into its targeted companies until vulnerabilities are discovered or employees make a mistake.

"Usually, when a hacker targets financial institutions directly, their main goal is to secure access to core banking systems such as payment card issuing systems, SWIFT transfers and ATM control systems," Shykevich added.

In general, the Check Point executive stated that cyber-criminals believe that the fragile economies of some African countries are linked to a lack of cybersecurity investment.

"But the finance and banking sector is actually one of the most impacted industries worldwide, experiencing 1144 weekly cyber-attacks on average," Shykevich explained.

CPR provided companies with advice on preventing spear phishing attacks in an advisory detailing some of DangerousSavanna's recent attacks. These methods include keeping systems up to date, implementing multi-factor authentication (MFA), confirming suspicious email activity before interacting, educating employees, and testing their cybersecurity knowledge on a regular basis.

The DangerousSavanna warning comes just weeks after cybersecurity firm Vade revealed that banks around the world received the majority of phishing attacks in the first half of 2022.

Callback Malware Campaign Imitates CrowdStrike and Other Big Cybersecurity Organizations

About the Attack

Earlier this month, CrowdStrike Intelligence found a callback phishing campaign impersonating big cybersecurity companies, including CrowdStrike. The phishing emails say that the recipient's company has been compromised and that the victim should call the given phone number. The campaign uses social-engineering techniques similar to those seen in recent callback campaigns such as WIZARD SPIDER's 2021 BazarCall campaign. 

The campaign is likely to include common, genuine remote administration tools (RATs) for initial access, off-the-shelf penetration testing tools for lateral movement, and the execution of ransomware or data extortion. The callback campaign uses emails that appear to originate from big security companies; the message says that the security company found a potential issue in the recipient's network. As in the earlier campaigns, the threat actor gives the recipient a phone number to call. 

In the past, callback campaign operators have tried to convince victims to install commercial RAT software to get an early foothold on the network. "For example, CrowdStrike Intelligence identified a similar callback campaign in March 2022 in which threat actors installed AteraRMM followed by Cobalt Strike to assist with lateral movement and deploy additional malware," says CrowdStrike. 

Current Situation 

Currently, CrowdStrike Intelligence can't confirm the version in use, but the callback operators will most probably use ransomware to monetize their operations. "This assessment is made with moderate confidence, as 2021 BazarCall campaigns would eventually lead to Conti ransomware — though this ransomware-as-a-service (RaaS) recently ceased operations. This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches," says CrowdStrike.

US has Offered a $10 Million Bounty on Data About Russian Sandworm Hackers


The United States announced a reward of up to $10 million for information on six Russian military intelligence service hackers. According to the State Department's Rewards for Justice Program, "these people engaged in hostile cyber actions on behalf of the Russian government against U.S. vital infrastructure in violation of the Computer Fraud and Abuse Act."

The US Department of State has issued a request for information on six Russian officers (also known as Voodoo Bear or Iron Viking) from the Main Intelligence Directorate of the General Staff of the Russian Federation's Armed Forces (GRU) regarding their alleged involvement in malicious cyberattacks against critical infrastructure in the United States. The attributed links are as follows:

  • Artem Valeryevich Ochichenko has been linked to technical reconnaissance and spear-phishing efforts aimed at gaining illegal access to critical infrastructure sites' IT networks around the world. 
  • Petr Nikolayevich Pliskin, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, and Yuriy Sergeyevich Andrienko are accused of developing components of the NotPetya and Olympic Destroyer malware used by the Russian government to infect computer systems on June 27, 2017.
  • Anatoliy Sergeyevich Kovalev is accused of inventing spear-phishing techniques and communications which were utilized by the Russian government to hack into critical infrastructure computer systems. 

On October 15, 2020, the US Justice Department charged the mentioned officials with conspiracy to commit wire fraud and aggravated identity theft for carrying out damaging malware assaults to disrupt and destabilize other countries and cause monetary damages. 

According to the indictment, GRU officers were involved in attacks on Ukraine, including the BlackEnergy and Industroyer malware-based attacks on the country's power grid in 2015 and 2016. The US Department of Justice accuses them of causing damage to protected computers, conspiring to commit computer fraud and abuse, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft. According to the US Department of State, the APT group's cyber actions resulted in roughly $1 billion in losses for US firms.

As part of the project, Rewards for Justice has established a Tor website at "he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad[.]onion", which may be used to anonymously submit reports on these threat actors; information can also be communicated using Signal, Telegram, or WhatsApp. 

Recently, the Sandworm collective was linked to Cyclops Blink, a sophisticated botnet malware that snagged internet-connected firewall devices and routers from WatchGuard and ASUS. Other recent hacking efforts linked to the gang include the use of an improved version of the Industroyer virus against high-voltage electrical substations in Ukraine amid Russia's continuing invasion.

UNC1151 Targets Ukrainian Armed Forces Personnel with Spear Phishing Campaign


The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a warning about an ongoing spear-phishing campaign targeting private email accounts belonging to Ukrainian military personnel. The Ukrainian agency attributes the campaign to the UNC1151 cyber espionage gang, which is linked to Belarus. In mid-January, the Kyiv administration blamed Belarusian APT group UNC1151 for the defacement of tens of Ukrainian government websites. 

“We believe preliminarily that the group UNC1151 may be involved in this attack,” Serhiy Demedyuk, deputy secretary of the national security and defence council, told Reuters. “This is a cyber-espionage group affiliated with the special services of the Republic of Belarus. The defacement of the sites was just a cover for more destructive actions that were taking place behind the scenes and the consequences of which we will feel in the near future.”

The following message was shown on defaced websites in Russian, Ukrainian, and Polish: “Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab public, fairy tale and wait for the worst. It is for you for your past, the future, and the future. For Volhynia, OUN UPA, Galicia, Poland, and historical areas,” reads a translation of the message. 

Mandiant Threat Intelligence researchers attributed the Ghostwriter disinformation campaign (aka UNC1151) to the government of Belarus in November 2021. FireEye security analysts discovered a misinformation campaign aimed at discrediting NATO in August 2020 by circulating fake news articles on compromised news websites. According to FireEye, the GhostWriter campaign has been running since at least March 2017 and is aligned with Russian security interests. 

GhostWriter, unlike other disinformation campaigns, did not propagate via social media; instead, the threat actors behind this campaign used compromised content management systems (CMS) of news websites or forged email accounts to disseminate bogus news. The attackers disseminated false content, such as forged news articles, quotations, correspondence, and other documents purporting to be from military authorities and political figures in some targeted countries. According to researchers, the campaign particularly targeted people in specific alliance member states such as Lithuania, Latvia, and Poland. 

The phishing messages employed a typical social engineering method to deceive victims into submitting their information in order to prevent having their email accounts permanently suspended. According to Ukraine's State Service of Special Communications and Information Protection (SSSCIP), phishing assaults are also targeting Ukrainian citizens.

Zero-Day Vulnerability Exploited in Zimbra Email Platform to Spy on Users


As part of spear-phishing campaigns that began in December 2021, a threat actor, most likely of Chinese origin, has been actively trying to exploit a zero-day vulnerability in the Zimbra open-source email platform. 

In a technical report published last week, cybersecurity firm Volexity described the espionage operation, codenamed "EmailThief," stating that successful exploitation of the cross-site scripting (XSS) vulnerability could lead to the execution of arbitrary JavaScript code in the context of the user's Zimbra session. 

The incursions, which commenced on December 14, 2021, were linked to a previously unknown hacker gang that Volexity is investigating under the moniker TEMP HERETIC, with the attacks focused on European government and media organizations. The zero-day vulnerability affects Zimbra's most recent open-source edition, version 8.8.15. 

The assaults are said to have been carried out in two stages, with the first stage aimed at reconnaissance: emails were distributed to see whether a target had received and opened the messages. Multiple waves of email messages were sent out after that to lure users into clicking on a fraudulent link. The attacker used 74 different email identities to send the messages out over two weeks, with the initial recon emails having generic subject lines ranging from invitations to charity auctions to refunds for airline tickets. 

Steven Adair and Thomas Lancaster noted, "For the attack to be successful, the target would have to visit the attacker's link while logged into the Zimbra webmail client from a web browser. The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook." 

If exploited, the unpatched vulnerability might be used to exfiltrate cookies, which provides constant access to a mailbox, to send phishing messages from the hijacked email account to spread the infection, and even to facilitate the installation of new malware. 

The researchers stated, "None of the infrastructure identified […] exactly matches infrastructure used by previously classified threat groups."  

"However, based on the targeted organization and specific individuals of the targeted organization, and given the stolen data would have no financial value, it is likely the attacks were undertaken by a Chinese APT actor." 

The company further recommended, "Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15."

To Target Security Firms, the Zinc Group Disguised as Samsung Recruiters


According to Google TAG researchers, a spear-phishing campaign targeting South Korean security organisations that market anti-malware solutions was carried out by a North Korean-linked APT group posing as Samsung recruiters. The state-sponsored hackers, according to the Google Threat Horizons report, issued false job offers to employees at security firms. In previous campaigns, the same gang, known as Zinc, attacked security experts, according to Google TAG researchers. 

“TAG observed a North Korean government-backed attacker group that previously targeted security researchers posing as recruiters at Samsung and sending fake job opportunities to employees at multiple South Korean information security companies that sell anti-malware solutions,” reads the Google Threat Horizons report. 

According to Google, the emails included a PDF that purported to be a job description for a position at Samsung, but the PDFs were malformed and wouldn't open in a conventional PDF reader. If the targets complained that they couldn't open the job offer archive, the hackers promised to assist them by providing a link to a "Secure PDF Reader" app that they could download. 

Google, on the other hand, claims that this file was a modified version of PDFTron, a genuine PDF reader, that was altered to install a backdoor trojan on the victims' machines. 

The Zinc APT group, also known as Lazarus, increased its activities in 2014 and 2015, and its members generally utilised custom-tailored malware in their assaults. This threat actor has been active since at least 2009, and potentially as early as 2007, and has been involved in both cyber espionage and sabotage campaigns aiming at destroying data and disrupting systems. 

The methods of the threat actor, which Microsoft tracks under the codename "Zinc," have baffled the security community, which believes the organisation tried to obtain unreleased vulnerabilities and exploits from some of its naive and negligent members. 

The attacks were ascribed to the same team of North Korean hackers who previously attacked security researchers on Twitter and other social networks in late 2020 and into 2021, according to the Google Threat Analysis Group, the Google security team that discovered the malicious emails. 

The attack against South Korean antivirus makers could be different, since compromising their employees could give the group access to the tools they need to launch a targeted supply chain attack on South Korean enterprises that use their anti-malware software.

Threat Actors Target Aviation Firms Via Spear Phishing Campaign


Fortinet researchers discovered a spear-phishing campaign targeting the aviation industry with well-crafted messages containing malicious download links that distribute AsyncRAT. AsyncRAT, a remote access tool (RAT), is an open-source, legitimate remote administration tool that has been used to gather browser data, steal credentials, and collect webcam data, screenshots, and essential details about the system and network.

Threat actors targeted multiple aviation firms by sending phishing emails that appeared to be coming from the federal aviation authority using a spoofed sender address that aligns with a ‘foreign operators affairs’ email address for inquiries/approvals. The email goes through the extra step of having a signature and a logo to impersonate a federal authority. 

Attackers designed the email to create a sense of urgency by making it resemble a Reporting of Safety Incident (ROSI) from Air Traffic Control. In addition, the email contains malicious Google Drive links disguised as a PDF attachment. Most of the emails in this campaign contain the strings ROSI, AOP, Incident Report, as well as the attachment name 'ROSI-AOP Incident Report Details, '.pdf.
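The indicators described above (the ROSI, AOP and Incident Report strings, plus a Google Drive link presented as a PDF attachment) can be combined into a simple mail-triage check. This is an added example, not code from Fortinet or the original post; the sample messages, addresses, link ID and the two-keyword threshold are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

KEYWORDS = ("ROSI", "AOP", "Incident Report")  # strings named in the article

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage_email(raw):
    """Flag mail whose link text looks like a PDF but points at Google Drive."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    haystack = f"{msg['Subject'] or ''}\n{text}"
    hits = [k for k in KEYWORDS if re.search(rf"\b{re.escape(k)}\b", haystack)]
    collector = LinkCollector()
    collector.feed(text)
    disguised = [href for href, label in collector.links
                 if label.lower().endswith(".pdf")
                 and urlparse(href).hostname == "drive.google.com"]
    # Assumed threshold: a disguised link plus at least two lure keywords.
    return {"keywords": hits, "disguised_links": disguised,
            "suspicious": bool(disguised) and len(hits) >= 2}

# Constructed sample messages (not captured mail).
HEADERS = "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
LURE = ("From: foreign.operators@caa.example\nSubject: ROSI-AOP Incident Report\n"
        + HEADERS + "<p>Please review the attached report.</p>"
        '<a href="https://drive.google.com/file/d/EXAMPLE_ID/view">'
        "ROSI-AOP Incident Report Details.pdf</a>\n")
BENIGN = ("From: colleague@airline.example\nSubject: Quarterly schedule\n"
          + HEADERS + '<a href="https://drive.google.com/drive/folders/EXAMPLE">'
          "Shared folder</a>\n")

if __name__ == "__main__":
    print(triage_email(LURE))
    print(triage_email(BENIGN))
```
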

The researchers note that all of these emails were sent from an IP address ( that was previously used in an aviation-themed campaign identified by Morphisec researchers in April and May of 2021 with the majority of victims coming from the UAE, Canada, Argentina, Djibouti, and Fiji.

Security experts have warned that the aviation and travel industry is seeing a notable increase in RAT (Remote Access Trojan) cyber attack efforts through phishing emails. Similar to other forms of malware, Remote Access Trojans are usually attached to what appear to be legitimate files, such as emails or pre-installed software. However, it has recently been observed that these dangerous threat actors are modifying their operating techniques when their methods are identified and publicly exposed. 

A RAT is particularly dangerous because it can imitate trustworthy remote access apps. Victims won’t know that they have installed a RAT, as it doesn’t appear in a list of active programs or running processes. These attacks are aimed less at the general public and more at gathering sensitive data from the aviation industry. 

“The targeting of particular industries is now often pointing to particular malware gangs. Many gangs have become more specialized, targeting a specific industry that they have especially good experience and success in. To increase the chances of getting a potential victim to execute malware, the attacker has to make the social-engineering and phishing attack seem as close to an internal or partner communication as possible. Specializing in a particular industry helps to do this,” Roger Grimes, data analyst at KnowBe4, stated.