Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label State Sponsored Hackers. Show all posts
VPN attack
Cisco cyber attack State Sponsored Hackers VPN attack

China-linked Hackers Exploit Critical Cisco Zero-day as VPN Attacks Surge

 

A China linked advanced persistent threat has been exploiting a previously unknown vulnerability in Cisco email security appliances, while a separate wave of large scale brute force attacks has targeted virtual private networks from Cisco and Palo Alto Networks, security researchers said. 

Cisco said on Wednesday it had identified a threat group it tracks as UAT 9686 that has been abusing a critical zero day flaw in appliances running its AsyncOS software. The vulnerability, tracked as CVE 2025 20393, carries a maximum severity score of 10 and remains unpatched. 

AsyncOS powers Cisco Secure Email Gateway and Secure Email and Web Manager products, which are used to protect organisations from spam and malware and to centrally manage email security systems. The flaw affects systems where the Spam Quarantine feature is enabled and accessible from the internet. 

Under those conditions, attackers can bypass normal controls, gain root level access and run arbitrary commands on the appliance and potentially connected systems. Cisco said the activity dates back to at least late November. 

According to Cisco Talos, UAT 9686 used the vulnerability to deploy multiple tools after gaining access, including the open source tunnelling utility Chisel and a custom malware family known as Aqua. 

The main backdoor, AquaShell, is a lightweight Python implant that is delivered as encoded data and hidden within existing system files. It is accompanied by tools designed to erase logs and maintain persistent remote access through encrypted connections. 

Talos said the group’s infrastructure and techniques overlap with known Chinese cyber espionage actors such as APT41 and UNC5174. Cisco said it has advised customers to disable internet access to the Spam Quarantine feature as a temporary measure and is working on a permanent fix. 

Separately, researchers observed a sharp spike in brute force attacks against VPN services shortly after Cisco detected the email security campaign.

GreyNoise said that within a 16 hour window, more than 10,000 unique IP addresses generated about 1.7 million authentication attempts against Palo Alto Networks GlobalProtect VPNs. 

The activity largely targeted organisations in the United States, Mexico and Pakistan. The following day, similar attacks shifted to Cisco VPN endpoints, with a significant rise in automated login attempts. 

The campaign relied on standard SSL VPN login flows and appeared aimed at identifying weak or reused credentials. The activity stopped as abruptly as it began. GreyNoise said such short lived, high volume attacks are often used to quickly map exposed systems before defenders can respond. 

The firm advised organisations to review edge device security, enforce strong passwords and enable multifactor authentication, noting that operational complexity and fear of disruption often delay such measures despite their importance.
Read more »
State Sponsored Hackers
Cyber Crime cyber espionage Daggerfly Evasive Panda State Sponsored Hackers

State-Sponsored Cyber Threats: Daggerfly’s Upgraded Malware Toolkit

State-Sponsored Cyber Threats: Daggerfly’s Upgraded Malware Toolkit

According to a Symantec investigation, the prolific Chinese espionage outfit Daggerfly (also known as Evasive Panda and Bronze Highland) has considerably modified its malware toolset, enhancing its ability to target the majority of key operating systems.

The most recent advancements indicate that the gang is employing a single framework to efficiently target Windows, Linux, macOS, and Android operating systems.

The researchers saw the group using new malware versions in recent operations against Taiwanese organizations and a US NGO operating in China.

The Evolution of Daggerfly

Daggerfly has been active for over a decade, conducting espionage operations both internationally and within China. Their primary targets have included government agencies, defense contractors, and various industries critical to national security. Over the years, Daggerfly has demonstrated a high level of sophistication in their cyber operations, continually evolving their tactics, techniques, and procedures (TTPs) to stay ahead of detection mechanisms.

Symantec reported in April 2023 on a Daggerfly campaign targeting an African telecoms business, in which the gang employed new plugins written with the MgBot malware platform.

In March 2024, ESET identified persistent Daggerfly campaigns targeting Tibetans in multiple countries and territories. The researchers observed the group using Nightdoor, a previously undocumented backdoor.

Daggerfly appears to be capable of responding to disclosure by quickly updating its toolset and continuing its espionage efforts with minimal disturbance.

The Upgraded Malware Arsenal

Symantec stated that it discovered proof that Daggerfly had created the macOS backdoor Macma. Macma was initially documented by Google in 2021, however, it appears to have been used since at least 2019.

According to Google's early study, the modular backdoor provides a variety of data exfiltration capabilities, such as device fingerprinting, command execution, screen capture, keylogging, audio recording, and file uploading and downloading.

A second version of Macma includes incremental improvements to the existing capabilities, such as more debug logging and updated modules in the appended data.

Its main module showed signs of more comprehensive changes, such as new logic to collect a file's system listing and changed code in the AudioRecorderHelper function.

Symantec linked Macma to Daggerfly after discovering two variants of the Macma backdoor connected to a command-and-control (C&C) server also used by a MgBot dropper.

Furthermore, Macma and other well-known Daggerfly malware, such as Mgbot, incorporate code from a single, shared library or framework that has been used to create threats for Windows, macOS, Linux, and Android platforms.

The researchers also noted Daggerfly's usage of the Windows backdoor Suzafk, which ESET initially identified as Nightdoor in March 2024.

Implications for Cybersecurity

Suzafk is a multi-stage backdoor that can use TCP or OneDrive for command and control. It was created using the same shared library as Mgbot, Macma, and several other Daggerfly utilities.

The researchers found a configuration indicating that the ability to connect to OneDrive is in development or exists in other malware copies.

In addition to the tools listed above, Symantec claims Daggerfly can Trojanize Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting the Solaris operating system.

The Broader Context of Cyber Espionage

Daggerfly’s activities are part of a broader trend of state-sponsored cyber espionage. Nation-states invest heavily in cyber capabilities to gain strategic advantages over their adversaries. These activities often target critical infrastructure, intellectual property, and sensitive government information.

The international community has recognized the threat posed by state-sponsored cyber espionage, leading to increased efforts to develop norms and agreements to govern state behavior in cyberspace. However, the covert nature of these operations makes attribution and enforcement challenging.

Read more »
Supply Chain
Cyber Attacks Evasive Panda MgBot State Sponsored Hackers Supply Chain

China State-Sponsored Spies Hack Site and Target User Systems in Asia


Chinese threat actors strike again

Users of a Tibetan language translation app and website visitors to a Buddhist festival were compromised by a focused watering-hole malware connected to a Chinese threat group.

According to recent data from ESET, the so-called Evasive Panda hacking team's cyber-operations campaign started in September 2023 or earlier and impacted systems in Taiwan, Hong Kong, Taiwan, Australia, and the United States.

During the campaign, the attackers gained access to the websites of three different businesses: a development company that provides translations into Tibetan; an organization based in India that promotes Tibetan Buddhism; and the news website Tibetpost, which unintentionally contained dangerous applications. Specific global geographic visitors to the sites were infected with droppers and backdoors, which included Nightdoor, a relatively new backdoor application, and the group's favourite MgBot.

Adversary in the middle attacks

According to ESET researcher Anh Ho, who uncovered the attack, the organization used an astonishing range of attack vectors in the campaign, including phishing emails, watering holes, and adversary-in-the-middle (AitM) attacks via software updates that took advantage of development servers.

"The fact that they orchestrate both a supply chain and watering-hole attack within the same campaign showcases the resources they have," according to him. "Nightdoor is quite complex, which is technically significant, but in my opinion, Evasive Panda's [most significant] attribute is the variety of the attack vectors they have been able to perform."

A relatively small unit called Evasive Panda is usually assigned to surveillance missions in Asia and Africa, mostly targeting individuals and organizations. As reported by SentinelOne, the organization is linked to attacks on telecom companies in 2023 under the code name Operation Tainted Love. According to Microsoft, it is also related to the attribution group Granite Typhoon, née Gallium. Symantec refers to it as Daggerfly as well, and Google Mandiant reports that it shares similarities with a group of cybercriminals and spies known as

Supply chain and watering holes compromises

The group, which has been active since 2012, is well-known for its supply chain attacks and for using stolen code-signing credentials and program upgrades in 2023 to infect users' PCs in China and Africa.

The organization commandeered a website for the Tibetan Buddhist Monlam festival in this most recent campaign, according to ESET's published analysis, to provide a backdoor or downloader tool that downloaded malicious payloads from a compromised Tibetan news site.

The hackers utilized Trojanized programs to infect Mac OS and Windows machines and also compromised a vendor of Tibetan translation software to further target consumers.

Cyber espionage links

Evasive Panda has created MgBot, a proprietary malware framework with a modular architecture that can download other components, run code, and steal data. MgBot modules can download further capabilities and spy on victims who have been hacked, among other things.

Using the MgBot downloader to deliver final payloads, Evasive Panda targeted users in India and Hong Kong in 2020, according to Malwarebytes, which connected the organization to earlier assaults in 2014 and 2018.

The organization released Nightdoor in 2020 as a backdoor that can be used to issue commands, upload data, and build a reverse shell by communicating with a command-and-control server.


Read more »
State Sponsored Hackers
Data Breach FSB Information Leak Russian Hackers Sensitive Information State Sponsored Hackers

Russian FSB Cyber Espionage: Navigating the Threat Landscape


The field of cybersecurity is always changing, and recent developments have refocused attention on Russian hackers and their purported participation in an elaborate cyber-espionage scheme. Russian security chief agency Federal Security Service (FSB) is suspected of leading a hack-and-leak operation that targeted the private communications of high-ranking officials.

The incident, as reported by various news outlets, underscores the persistent challenges faced by governments in safeguarding sensitive information and securing digital infrastructures. The timing of these revelations adds an additional layer of complexity to an already tense geopolitical environment.

The hacking campaign, attributed to the FSB by both UK and US authorities, involves the infiltration of private communications of senior politicians. The information obtained through these breaches is then strategically leaked, creating a potential minefield of diplomatic and political fallout. The targets and methods employed in these cyber-attacks reflect a level of sophistication highlighting the evolving capabilities of state-sponsored hacking entities.

As the world becomes increasingly interconnected, the consequences of cyber espionage extend far beyond individual privacy concerns. The alleged involvement of the FSB in such activities raises questions about the broader implications for international relations, trust between nations, and the need for more robust cybersecurity measures.

The Financial Times reports that Russian hackers may possess a trove of data yet to be leaked, heightening concerns about the potential impact on global affairs. The evolving nature of cyber threats requires constant vigilance and collaborative efforts on a global scale to fortify digital defenses.

"The cyber threat landscape is dynamic and complex, and defending against it requires a comprehensive approach that includes strong cybersecurity policies, advanced technologies, and international cooperation," emphasizes a statement from cybersecurity experts.

The Telegraph sheds light on the gravity of the situation, emphasizing the need for governments to reassess and strengthen their cybersecurity protocols. In an era where information is a valuable currency, protecting sensitive data from malicious actors is a paramount challenge.

As the international community grapples with the aftermath of these alleged FSB-backed cyber-attacks, one thing is clear: the landscape of global security is evolving, and nations must adapt swiftly to the changing nature of cyber threats. The recent events serve as a stark reminder that cybersecurity is not merely a technical challenge but a crucial aspect of modern statecraft, with implications that reverberate across borders.

Read more »
USA officials
Crypto Crypto Currency Crypto Market Cryptominers cryptomixer Data Breach Lazarus Group North Korean Hackers State Sponsored Hackers USA officials

U.S. Seizes Sinbad Crypto Mixer Tied to North Korean Hackers

Federal authorities in the United States have effectively confiscated the Sinbad crypto mixer, a tool purportedly used by North Korean hackers from the Lazarus organization, in a key action against cybercriminal activities. The operation, which focused on the Lazarus group's illegal financial operations, is an important development in the continuous international effort to tackle cyber threats.

The Lazarus organization, a state-sponsored hacker outfit renowned for coordinating high-profile cyberattacks, is connected to North Korea, which is how the Sinbad cryptocurrency mixer got its reputation. A crucial component of this operation was reportedly played by the U.S. Department of Treasury.

The WannaCry ransomware assault in 2017 and the notorious Sony Pictures hack from 2014 are only two of the cybercrimes the Lazarus organization has been connected to. These occurrences highlight the group's advanced capabilities and possible threat to international cybersecurity.

The Sinbad crypto mixer, seized by U.S. authorities, was allegedly used by the Lazarus group to obfuscate and launder cryptocurrency transactions. Cryptocurrency mixers are tools designed to enhance privacy and security by mixing transactions with those of other users, making it challenging to trace the source and destination of funds. However, when used for illicit purposes, such mixers become a focal point for law enforcement.

The U.S. Department of the Treasury issued a press release on the matter, emphasizing the government's commitment to countering cyber threats and safeguarding the financial system's integrity. The move is part of a broader strategy to disrupt the financial networks that support malicious cyber activities.

The US Treasury Secretary stated, "The seizure of the Sinbad crypto mixer is a clear signal that the United States will not tolerate those who use technology to engage in malicious cyber activities. We are committed to holding accountable those who threaten the security and stability of our financial systems."

This operation highlights the collaboration between law enforcement agencies and the private sector in tackling cyber threats. It serves as a reminder of the importance of international cooperation to address the evolving challenges posed by state-sponsored hacking groups.

The seizure of the Sinbad cryptocurrency mixer is evidence of the determination of authorities to safeguard people, companies, and countries from the dangers of cybercrime, particularly at a time when the world community is still struggling to contain the sophistication of cyber threats.
Read more »
State Sponsored Hackers
cyber espionage lazarus malware Malware loader State Sponsored Hackers

North Korean Links: Lazarus Group Strikes Again. This time via Unpatched Software Flaws


North Korean hackers spreading malware through legit software

North Korean hackers are spreading malware by exploiting known flaws in genuine software. The Lazarus group targets a version of an undisclosed software product for which vulnerabilities have been documented and solutions are available in a new campaign discovered by Kaspersky researchers.

Despite the vulnerabilities being disclosed and patched, the new advanced persistent threat campaign attacking companies globally used known flaws in a previous version of an unnamed software to encrypt web connection via digital certificates.

Threat actors used software to gain entry points

According to Kaspersky, hackers from the Lazarus group exploited the insecure software and used it as an entry point to breach organizations and encrypt web communication using digital certificates.

North Korea uses "cyber intrusions to conduct both espionage and financial crime in order to project power and finance both their cyber and kinetic capabilities," according to research by Google's Mandiant threat intelligence department. 

UN alleges North Korean links

Under Kim Jong Un's leadership, the DPRK is linked with a variety of state-sponsored hacking teams both at home and abroad that collect espionage on allies, opponents, and defectors, as well as hack banks and steal cryptocurrency. The UN has earlier accused North Korea of using stolen assets to fund the country's long-range missile and nuclear weapons programs, as well as enticing the country's officials.

To control the victim, hackers used SIGNBT malware and the infamous LPEClient tool, which experts have seen in attacks targeting defense contractors, nuclear engineers, and the cryptocurrency sector, and which was discovered in the infamous 3CX supply chain attack. "This malware acts as the initial point of infection and plays a crucial role in profiling the victim and delivering the payload," said experts.

According to Kaspersky, the developers of the unknown software previously became a target to Lazarus. According to the report, this repeated breach indicates a determined and persistent threat actor with the likely goal of compromising important source code or interfering with the software supply chain.

A deep look into the malware

According to Kaspersky experts, in mid-July, they noticed an increasing number of attacks on many victims utilizing the prone software, and they discovered post-exploitation activity within the genuine software's processes.

To establish and maintain efforts on hacked machines, the threat actor used a variety of techniques, including the development of a file called ualapi.dll in the system folder, which is loaded by default by the spoolsv.exe process at each system boot. According to the experts, Lazarus hackers also built registry entries to run genuine files for the purpose of malicious side-loading, assuring a durable persistence mechanism.

Lazarus used that malware loader to spread additional malware to the victim computers, such as LPEClient and credential dumping applications. The tool allows in extracting victim data as well as downloading additional payloads from a remote server for activation in memory.

As previously stated by the experts, it now uses advanced tactics to improve secrecy while preventing detection, such as deactivating user-mode syscall hooking and restoring system library memory parts.

Read more »
State Sponsored Hackers
Artifical Inteligence Conti Ransomware Cyber Security LockBit 2.0 ransomware NCC Group Ransomware Attacks. State Sponsored Hackers

Ransomware Threats in 2023: Increasing and Evolving

Cybersecurity threats are increasing every year, and 2023 is no exception. In February 2023, there was a surge in ransomware attacks, with NCC Group reporting a 67% increase in such attacks compared to January. The attacks targeted businesses of all sizes and industries, emphasizing the need for organizations to invest in robust cybersecurity measures.

The majority of these attacks were carried out by the Conti and LockBit 2.0 groups, with the emergence of new tactics such as social engineering and fileless malware to evade traditional security measures. This emphasizes the need for organizations to address persistent social engineering vulnerabilities through employee training and education.

A proactive approach to cybersecurity is vital for organizations, with the need for leaders to prioritize and invest in robust incident response plans. It's essential to have a culture of security where employees are trained to recognize and report suspicious activity.

According to a Security Intelligence article, the increasing frequency of global cyber attacks is due to several reasons, including the rise of state-sponsored attacks, the increasing use of AI and machine learning by hackers, and the growing threat of ransomware.

The threat of ransomware attacks is expected to continue in 2023, and companies need to have a strategy in place to mitigate the risk. It includes implementing robust security measures, training employees to identify and avoid social engineering tactics, and regularly backing up critical data. As cybersecurity expert Steve Durbin suggests, "Ransomware is not going away anytime soon, and companies need to have a strategy in place to mitigate the risk."

To safeguard themselves against the risk of ransomware attacks, organizations must be proactive. Companies need to focus and invest in strong incident response plans, employee education and training, and regular data backups in light of the rise in assaults. By adopting these actions, businesses can lessen the effects of ransomware attacks and safeguard their most important assets.


Read more »
Ukraine
China cyber espionage Cyber Security CyberCrime Hacking Iran Iran government Opportunistic Cybercrime Russia State Sponsored Hackers Ukraine

Cybersecurity in 2023: Russian Intelligence, Chinese Espionage, and Iranian Hacktivism


State-sponsored Activities 

In the year 2022, we witnessed a number of state-sponsored cyber activities originating from different countries wherein the tactics employed by the threat actors varied. Apparently, this will continue into 2023, since government uses its cyber capabilities as a means of achieving its economic and political objectives. 

Russian Cyber Activity will be Split between Targeting Ukraine and Advancing its Broader Intelligence Goals 

It can be anticipated that more conflict-related cyber activities will eventually increase since there is no immediate prospect of an end to the conflict in Ukraine. These activities will be aimed at degrading Ukraine's vital infrastructure and government services and gathering foreign intelligence, useful to the Russian government, from entities involved in the war effort. 

Additionally, organizations linked to the Russian intelligence services will keep focusing their disinformation campaigns, intelligence gathering, and potentially low-intensity disruptive attacks on their geographical neighbors. 

Although Russia too will keep working toward its longer-term, more comprehensive intelligence goals. The traditional targets of espionage will still be a priority. For instance, in August 2022, Russian intelligence services used spear phishing emails to target employees of the US's Argonne and Brookhaven national laboratories, which conduct cutting-edge energy research. 

It is further expected that new information regarding the large-scale covert intelligence gathering by Russian state-sponsored threat actors, enabled by their use of cloud environments, internet backbone technology, or pervasive identity management systems, will come to light. 

China Will Continue to Prioritize Political and Economic Cyber Espionage 

It has also been anticipated that the economic and political objectives will continue to drive the operation of China’s intelligence-gathering activities. 

The newly re-elected president Xi Jinping and his Chinese Communist Party will continue to employ its intelligence infrastructure to assist in achieving more general economic and social goals. It will also continue to target international NGOs in order to look over dissident organizations and individuals opposing the Chinese government in any way. 

China-based threat actors will also be targeting high-tech company giants that operate in or supply industries like energy, manufacturing, housing, and natural resources as it looks forward to upgrading the industries internally. 

Iranian Government-backed Conflicts and Cybercrimes will Overlap 

The way in which the Iranian intelligence services outsource operations to security firms in Iran has resulted in the muddled difference between state-sponsored activity and cybercrime. 

We have witnessed a recent incident regarding the same with the IRGC-affiliated COBALT MIRAGE threat group, which performs cyber espionage but also financially supports ransomware attacks. Because cybercrime is inherently opportunistic, it has affected and will continue to affect enterprises of all types and sizes around the world. 

Moreover, low-intensity conflicts between Iran and its adversaries in the area, mainly Israel, will persist. Operations carried out under the guise of hacktivism and cybercrime will be designed to interfere with crucial infrastructure, disclose private data, and reveal agents of foreign intelligence. 

How Can Organizations Protect Themselves from Opportunistic Cybercrime?

The recent global cyber activities indicate that opportunistic cybercrime threats will continue to pose a challenge to organizational operations. 

Organizations are also working on defending themselves from these activities by prioritizing security measures, since incidents as such generally occur due to a failure or lack of security controls. 

We have listed below some of the security measures organizations may follow in order to combat opportunistic cybercrime against nations, states, and cybercrime groups : 

  • Organizations can mitigate threats by investing in fundamental security controls like asset management, patching, multi-factor authentication, and network monitoring. 
  • Maintaining a strong understanding of the threat landscape and tactics utilized by adversaries. Security teams must also identify and safeguard their key assets, along with prioritizing vulnerability management. 
  • Traditional methods and solutions, such as endpoint detection and response, are no longer effective in thwarting today's attacks, so it is crucial to thoroughly monitor the entire network, from endpoints to cloud assets. However, in order to identify and effectively address their most significant business concerns, and prioritize threats in order to combat them more efficiently.  

Read more »
User Security
Cyber Attacks North Korea Ransomware State Sponsored Hackers User Security

North Korea Ransomware Attempt, Siphon Funds From an Israeli Company


Getting into financial institutions' systems and using hackers is a known tactic of North Korea, it nearly took down the Central Bank of Bangladesh by this practice. 

North Korean Hackers Strike Again

Earlier this week, North Korea tried to get access to the systems of an Israeli company that does business in the field of cryptocurrency and extracts the money that Pyongyang planned to use for its nuclear program. 

The hacking attack was done by North Koreans disguising themselves as the company's Japanese supplier. The hacking attempt was immediately caught by cybersecurity personnel from the "Konfidas" agency, which was able to stop the hack. 

Malicious files used to get control over systems

Authorities say the attempt was sophisticated and professional, unique tools were used- something that caught the eye of concerned authorities in Israel. 

The attacks do not happen overnight. There is a pattern behind the operation of most attacks, in the first step, the hacker does a conversation with the person on the other end, and gains your trust. After that, the hacker sends a malicious file containing the virus which is aimed to infiltrate the computer. 

Once the file reaches the computer, it will start spreading out on the network and access financial assets or data that the hacker wants, and in the end, can do whatever he wishes. 

Ransom motive behind the attack

Ransom demands generally happen in financial attacks, threat actors behind them are cyber criminals who intend to steal data and ask for ransom in exchange for not leaking the data and releasing the systems. 

In this particular incident, the North Korean mode of operation is a pattern in which the actors simply spy, steal money, and vanish. There is no user interaction except that he has to open the malicious files which allow the hacker to take control of the systems. 

North Korean hacking patterns

North Korean hackers are believed to be behind the theft of around $100 million in cryptocurrency from a US company earlier this year in June, as the country is trying to manage funding for its nuclear and ballistic missile programs. 

The assets were stolen from "Horizon Bridge," a Harmony blockchain service that lets assets to be sent to other blockchains. Following the theft, the activities by threat actors suggest that they may be linked to North Korea. Experts believe these actors to be highly skilled in the field of cyber penetration attacks. 


Read more »
State Sponsored Hackers
CISA Cyber Attacks Cyber Threats Iran Microsoft State Sponsored Hackers

CISA, Microsoft Warn of Rise in Cyber-attacks From Iran

The U.S. Cybersecurity and Infrastructure Security Agency and Microsoft witnessed a massive surge of Iranian state-sponsored cyberattacks against IT services firms. In the wake of the findings, the tech giant and the eminent law enforcement body sent out alerts regarding the same. 

In 2020, the cyberattacks from state-sponsored Iranian threat actors on IT services firms were virtually non-existent, however, in 2022 the cybercrimes exceeded to 1,500, said Microsoft. 

"Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks," Microsoft added. 

According to the report, the group was tracked as Phosphorus (aka Charming Kitten or APT35), compromising IP addresses on the internet for unpatched Fortinet FortiOS SSL VPN and on-premises Exchange Servers to gain access. 

Additionally, the organizations believed that an advanced persistent threat (APT) group sponsored by the Iranian government was using known vulnerabilities in both Microsoft Exchange and Fortinet to attack both government and private sector networks. 

"FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia," reads the report.  

Nation-state operators with nexus to Iran are becoming more advanced and familiar with cyberattacks to generate revenue, they are also engaging in persistent social engineering campaigns and aggressive brute force attacks. 

Researchers from Microsoft Threat Intelligence Center (MSTIC) revealed that “these ransomware deployments were launched in waves every six to eight weeks on average.” 

"The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health sector, as well as Australian organizations," CISA said. 

As per the findings, the hackers systematically target prominent IT services firms worldwide including nations like the USA, the UK, United Arab Emirates, India, and so on. Microsoft further added that these attacks are examples of how nation-state actors are increasingly targeting supply chains as an indirect approach to fulfill their real motives.
Read more »
State Sponsored Hackers
cyber attack Data Privacy Facebook National Security Privacy State Sponsored Hackers

NIA Starts Probe into Malware Attacks on Social Media of Defense Personnels

NIA (National Investigation Agency) has started an inquiry into the use of fake Facebook profile through which various defense personnel was contacted and their devices hacked using malware for personally identifiable information. NIA suspects that the main account was being handled from Pakistan. Vijaywada Counter Intelligence Cell first found the spying campaign in 2020, after which it registered a case under several provisions of IPC, Official Secrets Act, Information Technology Act, and UAPA (Unlawful Activities Prevention Act). 

According to the allegation, confidential information related to national security was hacked via remotely deploying a hidden malware into electronic devices, which includes mobile phones and computers, belonging to defense personnels and other defense agencies via a FB account with the profile name "Shanti Patel." Actors handling the account added concerned personnel via private Facebook messenger chats on the web. 

The victims' devices were hacked using malware to get unauthorized access to confidential data of computer resources and steal sensitive information with an aim to carry out acts of terrorism and threaten the unity, integrity, and sovereignty of India. As per the report from Counter Intelligence Cell, the threat actors distributed the malware by sending a folder that contained photos of a woman to the defense personnels. The evidence suggests that malware originated somewhere from Islamabad. A similar case happened last year where the police arrested army personnel in Rajasthan, the accused was posted in Sikkim. 

The Hindu reports "on October 31, 2020, following a tip-off from the Military Intelligence, the Rajasthan police nabbed one Ramniwas Gaura, a civilian working with a Military Engineering Services (MES) unit. The accused had been contacted using a Facebook profile by someone using pseudonyms Ekta and Jasmeet Kour. They then remained in touch on Whatsapp. "In the recent years, multiple attacks targeting defense agencies using social media have surfaced." The handlers usually send money to the information providers through the ‘hawala’ channel. Several preventive measures have been taken by the agencies concerned,” an official said," says the Hindu.

Read more »
trojan ShadowPad
China China Cyber Security Cyber Attacks Cyber Threats India Nation-State Attacks State Sponsored Hackers trojan ShadowPad

Chinese Hackers Targeted Indian State Power Grid

 

Chinese state-sponsored malicious actors launched “probing cyberattacks” on Indian electricity distribution centers near Ladakh thrice since December 2021. On Wednesday a report by private intelligence firm Recorded Future confirmed the attack. 

The hackers targeted seven Indian state centers responsible for carrying out electrical dispatch and grid control near a border area contested by the two nuclear neighbors, the report added. This attack came to light while the military standoff between the two countries in the region had already deteriorated the relationship. However, the government sources affirmed that the attacks were not successful. 

''In recent months, we observed likely network intrusions targeting at least seven Indian State Load Despatch Centres (SLDCs) responsible for carrying out real-time operations for grid control and electricity dispatch within these respective states. Notably, this targeting has been geographically concentrated, with the identified SLDCs located in North India, in proximity to the disputed India-China border in Ladakh," the group said. 

The hackers employed the trojan ShadowPad, which the experts claimed has been developed by contractors for China's Ministry of State Security, thereby concluding  that it was a state-sponsored hacking effort. 

"In addition to the targeting of power grid assets, we also identified the compromise of a national emergency response system and the Indian subsidiary of a multinational logistics company by the same threat activity group," Recorded Future said.
Read more »
State Sponsored Hackers
APTs Cyber Attacks State Sponsored Hackers

Is Your Business At Risk From APT Threats?

 

In 2022, organizations are re-analyzing their cybersecurity measures to mitigate risks and protect against potential cyber-attacks. After budgeting, risk assessment, compliance, and more, agencies have different priorities for their safety needs. As an organization, your business should consider two things, nation-state and Advanced Persistent Threat (APT) style attacks, along with growing ransomware threats, zero-day vulnerabilities, and phishing attacks. 

How APTs select targets? 

Your company might not have suffered a cyberattack in the past year, but there are chances that your partner or vendor in the supply chain has. APTs are normally used to send attacks with national-level impacts, for instance, intellectual property theft, espionage for national intelligence, or infrastructure compromise. In the end, the threat actor's end goal affects organizations and persons of prominence. In recent times, state-sponsored attacks focused on getting intelligence. These attacks might be industry-focused, but most of them target critical infrastructure. The majority of these attacks are directed by government organizations, hackers compromise or deliver security vulnerabilities to extract out critical intelligence. 

Should your business be concerned? 
Hacking campaigns that required months of planning and computing skills to bypass security walls and penetrate networks with ease could once only be done by state-sponsored hackers. In the present scenario, these methods are available to anyone, the resources are sold on the dark web as hired services or pre-packaged malware. The style of these APT attacks has not changed, today, anyone has access to the tools required to launch such powerful attacks. 

Due to remote work culture, every organization is moving its important data over the cloud, this opens up opportunities for threat actors to target these organizations. According to HelpNet Security, "the most important way to protect against APTs is to be proactive. Assume compromise, understand what compromise may look like for your organization, and go look for it. Simultaneously, try to not over-rely on technology. This approach has backfired on a variety of occasions over the last few years."
Read more »
Subscribe to: Comments (Atom)