Search This Blog

Showing posts with label cyber espionage. Show all posts

Cyberattacks On Small Businesses: The US Economy’s ‘Achilles Heel’?


Small business firms play an important role when it comes to the economy, but they are more vulnerable to cyberattacks. 

At the time when Elena Graham, co-founder of Canada-based security service CYDEF, started selling cyber security software to smaller firms and businesses, business was relatively slow. However, now the demand is increasing, driven by a sharp rise in remote work that has exposed small businesses to cyberattacks. 

Since the start of the year, business at her security firm has tripled reaching an all-time high. "It was a total head-in-the-sand situation. 'It's not going to happen to me. I'm too small.' That was the overwhelming message that I was hearing five years ago. But yes, it is happening." says Elena. 

But with the booming security services, one can deduce that small businesses are comparatively at higher risk of being attacked by threat actors, than large businesses, as noted by Barracuda Networks.  

The risks were dramatically bolstered by the global pandemic. According to a report by RiskReconm, a Mastercard company that evaluated companies’ cyber-security risk, cyberattacks on small companies surged by more than 150% between 2020-21. 

"The pandemic created a whole new set of challenges and small businesses weren't prepared," says Mary Ellen Seale, chief executive of the National Cybersecurity Society, a non-profit that helps small businesses create cyber-security plans. 

In March 2020, at the peak of the pandemic, a survey of small businesses by broadcaster CNBC concluded that only 20% planned on investing in cyber-protection. 

Working remotely, during the pandemic, meant that more personal devices like smartphones, tablets, and laptops had access to sensitive corporate information.  

Lockdown, however, put a strain on budgets, curtailing the amount of money businesses could invest in security. Cybersecurity and costly in-house experts were frequently out of reach. Consequently, the weak cyber-security infrastructure was prone to cyber-attacks. 

With just one compromised supplier, cyber criminals could access networks of organizations further up the supply chain. According to Ms. Seale, "Large businesses depend on small businesses[…]They are the lifeblood of the United States, and we need a wake-up call." Small businesses account for more than 99% of companies in the US and employ nearly half of all Americans, playing a critical role in the global economy. In regard to this, Dr. Kim says they are like the economy's "Achilles heel". 

“They may be a small company but what they sell to large businesses could be very important. If they're hacked, [their product] won't be fed into supply chains and everything will be affected," Dr. Kim further adds. 

Ex-NSA Employee Charged with Espionage Case

A former U.S. National Security Agency (NSA) employee from Colorado has been arrested on account of attempting to sell classified data to a foreign spy in an attempt to fulfill his personal problems facing because of debts. 

According to the court documents released on Thursday, the accused Jareh Sebastian Dalke, 30, was an undercover agent who was working for the Federal Bureau of Investigation (FBI). 

Jareh Sebastian said that he was in contact with the representative of a particular nation "with many interests that are adverse to the United States," he was actually talking to an undercover FBI agent, according to his arrest affidavit. 

Dalke was arrested on Wednesday after he allegedly agreed to transmit classified data. "On or about August 26, 2022, Dalke requested $85,000 in return for additional information in his possession. Dalke agreed to transmit additional information using a secure connection set up by the FBI at a public location in Denver,"  eventually it led to his arrest,  the DoJ said. 

Earlier he was employed at the NSA from June 6, 2022, to July 1, 2022, as part of a temporary assignment in Washington D.C as an Information Systems Security Designer. Dalke is also accused of transferring additional National Defense Information (NDI) to the undercover FBI agent at an undisclosed location in the U.S. state of Colorado. 

Following the investigation, he was arrested on September 28 by the law enforcement agency. As per the USA court law, Dalke was charged with three violations of the Espionage Act. However, the arrest affidavit did not identify the country to which Dalke allegedly provided information. 

The affidavit has been filed by the FBI and mentioned that Dalke also served in the U.S. Army from about 2015 to 2018 and held a Secret security clearance, which he received in 2016. The defendant further held a Top Secret security clearance during his tenure at the NSA. 

"Between August and September 2022, Dalke used an encrypted email account to transmit excerpts of three classified documents he had obtained during his employment to an individual Dalke believed to be working for a foreign government," the Justice Department (DoJ) said in a press release.

FancyBear: Hackers Use PowerPoint Files to Deliver Malware

 

FancyBear: Hackers Use PowerPoint Files to Deliver Malware Cluster25 researchers have recently detected a threat group, APT28, also known as FancyBear, and attributed it to the Russian GRU (Main Intelligence Directorate of the Russian General Staff). The group has used a new code execution technique that uses mouse movement in Microsoft PowerPoint, to deliver Graphite malware.
 
According to the researchers, the threat campaign has been actively targeting organizations and individuals in the defense and government organizations of the European Union and East European countries. The cyber espionage campaign is believed to be still active.
 

Methodology of Threat Actor

 
The threat actor allegedly entices victims with a PowerPoint file claiming to be associated with the Organization for Economic Cooperation (OECD).
 
This file includes two slides, with instructions in English and French to access the translation feature in zoom. Additionally, it incorporates a hyperlink that plays a trigger for delivering a malicious PowerShell script that downloads a JPEG image carrying an encrypted DLL file.
 
The resulting payload, Graphite malware is in Portable Executable (PE) form, which allows the malware operator to load other malwares into the system memory.
 
“The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications.” States Cluster25, in its published analysis.
 
The aforementioned Graphite malware is a fileless malware that is deployed in-memory only and is used by malware operators to deliver post-exploitation frameworks like Empire. Graphite malware’s purpose is to allow the attacker to deploy other malwares into the system memory.
 
 
Based on the discovered metadata, according to Cluster25, the hackers have been preparing for the cyber campaign between January and February. However, the URLs used in the attacks were active in August and September.
 
With more hacker groups attempting to carry out such malicious cyber campaigns, the government and private sectors must deploy more powerful solutions to prevent future breaches and cyber attacks to safeguard their organizations.

Iranian APT42 Launched Over 30 Espionage Attacks Across 14 Nations

 

Cybersecurity firm Mandiant has attributed over 30 cyber espionage attacks against activists and dissidents to the state-backed Iranian threat group APT42 (formerly UNC788) with activity dating back to 2015, at least. 

Based on APT42’s activities, the researchers believe the hacking group operates on behalf of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), not to mention shares partial overlaps with another Iran-linked APT group tracked as APT35 (aka Charming Kitten, Phosphorus, Newscaster, and Ajax Security Team). 

The APT group has targeted multiple industries such as non-profits, education, governments, healthcare, legal, manufacturing, media, and pharmaceuticals spanning across 14 nations, including in Australia, Europe, the Middle East, and the U.S. 

“APT42 activity poses a threat to foreign policy officials, commentators, and journalists, particularly those in the US, the UK, and Israel, working on Iran-related projects,” reads the report published by Mandiant. "Additionally, the group’s surveillance activity highlights the real-world risk to individual targets of APT42 operations, which include Iranian dual-nationals, former government officials, and dissidents both inside Iran and those who previously left the country, often out of fear for their personal safety.” 

The Iranian hackers are primarily focused on cyber-espionage, employing highly targeted spear-phishing and social engineering methodologies to access personal and corporate email accounts, or to deploy Android malware on mobile devices. 

The APT group also has the capability of siphoning two-factor authentication codes to circumvent more secure authentication methods, and sometimes leverages this access to target employers, colleagues, and relatives of the initial victim. However, while credential theft is favored, the group has also deployed multiple custom backdoors and lightweight tools to target firms. 

Last year in September, the Iranian hackers accessed a European government email account and exploited it to send a phishing email to nearly 150 email addresses linked with individuals or entities employed by or associated with civil society, government, or intergovernmental organizations across the globe. The phishing mail embedded a Google Drive link to a malicious macro document leading to TAMECAT, a PowerShell toehold backdoor. 

Additionally, the researchers have uncovered multiple similarities in “intrusion activity clusters” between APT42 and another Iran-linked hacking group, UNC2448, which has been known in the past to scan for vulnerabilities and even deploy BitLocker ransomware. 

“While Mandiant has not observed technical overlaps between APT42 and UNC2448, the latter may also have ties to the IRGC-IO,” Mandiant explained. "We assess with moderate confidence that UNC2448 and the Revengers Telegram persona are operated by at least two Iranian front companies, Najee Technology and Afkar System, based on open-source information and operational security lapses by the threat actors.”

Chinese APT Group Target Government Officials in Europe, South America, and Middle East

 

A Chinese cyberespionage group tracked as Bronze President has launched a new campaign targeting the computer systems of government officials in Europe, the Middle East, and South America with a modular called malware PlugX. 

Threat analysts at Secureworks discovered the breach in June and July 2022, once again highlighting the hacker’s persistent focus on espionage against governments across the globe. 

The researchers have identified multiple pieces of evidence including the use of PlugX, naming schemes previously employed by the hacking group, and politically-themed lure documents that align with regions that are of strategic importance to China. 

“Several characteristics of this campaign indicate that it was conducted by the likely Chinese government-sponsored Bronze President threat group, including the use of PlugX, file paths and naming schemes previously used by the threat group, the presence of shellcode in executable file headers, and politically themed decoy documents that align with regions where China has interests,” Secureworks Counter Threat Unit (CTU) explained in a blogpost. 

Attack chains distribute RAR archive files that contain a Windows shortcut (.LNK) file masquerading as a PDF document, opening which executes a legitimate file present in a nested hidden folder embedded within the archive. 

Subsequently, it creates the path for installing a malicious document, while the PlugX payload sets up persistence on the exploited device. "Bronze President has demonstrated an ability to pivot quickly for new intelligence collection opportunities," the researchers added. 

"Organizations in geographic regions of interest to China should closely monitor this group's activities, especially organizations associated with or operating as government agencies." 

Bronze President, also known as RedDelta, Mustang Panda, or TA416 has been active since at least July 2018 and has a history of launching espionage campaigns by employing custom and publicly available tools to exploit, maintain long-term access, and exfiltrate data from targets of interest. 

The PlugX RAT continues to remain the Bronze President's preferred spying tool. The threat actor has used multiple variants of it for several years, together with other hackers originating from China. 

Earlier this year in March, the hacking group targeted Russian government officials with an updated version of the PlugX backdoor called Hodur, alongside organizations located in Asia, the European Union, and the U.S. 

Other than PlugX, infection chains utilized by the APT group have involved the deployment of custom stagers, reverse shells, Meterpreter-based shellcode, and Cobalt Strike, all of which are used to establish remote access to their targets with the intention of conducting espionage and information theft.

Former CIA Employee Joshua Schulte Convicted Over Massive Data Leak

 

A former Central Intelligence Agency (CIA) software engineer CIA charged with carrying out the most significant theft of classified data in the agency's history was convicted on all counts in federal court Wednesday. 

Joshua Schulte 33, was convicted by jurors in a Manhattan federal court on eight espionage charges and one obstruction charge over the so-called Vault 7 leak. He worked for the CIA's elite hacking unit and created cyber tools that could grab data undetected from computers. After quitting his job, Schulte sent the tools to the anti-secrecy group WikiLeaks. 

Vault 7 consisted of nearly 9,000 pages and shed light on a host of hacking methodologies employed by the agency. This included hacking of Apple and Android smartphones in overseas spying operations, and a bid to turn internet-linked televisions into listening devices. 

Schulte had access to "some of the country's most valuable intelligence-gathering cyber tools used to battle terrorist organizations and other malign influences around the globe," US Attorney for the Southern District of New York Damian Williams stated. 

"When Schulte began to harbor resentment toward the CIA, he covertly collected those tools and provided them to WikiLeaks, making some of our most critical intelligence tools known to the public and our adversaries.” 

He also allegedly lied to CIA and FBI investigators to conceal his tracks and was arrested in August 2017 on child pornography charges. He was indicted on the charges related to the data breach months later. 

"Schulte was aware that the collateral damage of his retribution could pose an extraordinary threat to this nation if made public, rendering them essentially useless, having a devastating effect on our intelligence community by providing critical intelligence to those who wish to do us harm," Williams added. “Today, Schulte has been convicted for one of the most brazen and damaging acts of espionage in American history." 

During the closing arguments to jurors, Schulte, who chose to defend himself at a New York City retrial, accused the CIA and FBI of making him a scapegoat for the WikiLeaks release. Schulte claimed he was made a scapegoat even though “hundreds of people had access to (the information). … Hundreds of people could have stolen it”, AP news agency reported.

Every Tenth Stalking and Espionage Attack in the World is Directed at Android Users from Russia

 

According to analysts at ESET (an international developer of antivirus software headquartered in Slovakia), commercial developers who openly offer spyware to control spouses or children are gaining popularity. 

"ESET global telemetry data for the period from September to December 2021 shows an increase in spyware activity by more than 20%. At the same time, every tenth stalking and espionage attack in the world is directed at Android users from Russia," the company's press service reported. 

ESET threat researcher Lukas Stefanko reported that unwanted stalking software, according to him, in most cases is distributed by attackers through clones of legal applications downloaded from unofficial stores. 

Alexander Dvoryansky, Director of Special Projects at Angara Security, confirms that Android spyware is very common and continues to gain popularity. According to him, it is advantageous for attackers to develop malicious software for this operating system because of its widespread use. Android smartphones accounted for 84.5% of total device sales in 2021. 

According to Lucas Stefanko, it is not uncommon for stalker software to be installed on smartphones to track them in case they are stolen or lost. Despite Google's ban on advertising stalker apps, there are apps available on Google Play that are positioned as private detective or parental control tools. In 2018, the Supreme Court allowed the acquisition and use of spy equipment to ensure their own security, so the demand for software promoted as "monitoring one's mobile devices" has increased. But many install it covertly on the phones of relatives or employees for espionage. 

If the program is installed on the phone openly and with the consent of a person, then there will be nothing illegal in tracking geolocation, as well as obtaining other information, says lawyer KA Pen & Paper by Alexander Kharin. However, secretly installing a spyware program on a phone can result in a penalty of up to two years in prison, and for a developer, the term can be up to four years. But so far, criminal cases on the fact of stalking are rarely initiated. 

Earlier, CySecurity News reported that the exact location of any Russian on the black market can be found for about 130 dollars.

Russian hackers disguised themselves as Americans to hide cyber espionage

The hacker group Nobelium, linked by information security experts with the Russian Federation, tried to disguise its activities using resident proxies — the IP addresses of mobile and home computer networks of ordinary Americans.

We are talking about a new Nobelium campaign (the group is also considered to be the organizer of the sensational cyberattack on the American software manufacturer SolarWinds) aimed at organizations associated with global IT supply chains. According to Microsoft, since May of this year, hackers have attacked more than 140 technology service providers, 14 of them they managed to compromise.

In the period from July 1 to October 19 of this year, Microsoft recorded more than 22 thousand Nobelium attacks on 609 of its customers, but most of the attacks were unsuccessful.

According to a Bloomberg source, the campaign targeted American government departments, non-governmental organizations and technology firms.

According to Charles Carmakal, senior vice president of the Mandiant information security company, hackers used resident IP proxies — IP addresses associated with a specific location that can be purchased over the Internet.

The use of such proxies makes it possible to disguise hacking attempts as traffic originating from American mobile phones or home Internet networks. For example, an attempt by a hacker to penetrate a computer network from the outside will look like a company employee logs in from a mobile phone.

Nobelium and other hacker groups use Bright Data, Oxylabs and IP Burger to obtain residential proxies.

In response to Bloomberg's request to comment on the situation, representatives of Israel-based Bright Data reported that the company carefully checks customers and found no signs of Nobelium using their networks. Lithuanian Oxylabs stated that they are conducting an internal investigation, which currently has not revealed any signs of malicious use of the service.

Experts Find Kurdish Espionage Campaign Active on Facebook

 

Experts at ESET have probed a targeted espionage mobile campaign towards the Kurdish ethnic group, the campaign is in action since March 2020, disseminating (through dedicated FB accounts) two android backdoors named as SpyNote and 888 RAT, appearing to be genuine apps. The profiles were found presenting android news in Kurdish and news for pro Kurds. Few profiles intentionally sent additional monitoring apps to FB groups (public) with content in Kurd's support. Data downloaded from a website hints that around 1,481 URL downloads were promoted through FB posts.

Live Security said "we identified 28 unique posts as part of this BladeHawk campaign. Each of these posts contained fake app descriptions and links to download an app, and we were able to download 17 unique APKs from these links."The latest Android 888 Rat was used by the BladeHawk and Kasablanka groups. Both the groups used false names to call out the same Android Rat- Gaza007 and LodaRat respectively. 

The espionage campaign in this article is directly linked to two cases (publicly disclosed) that surfaced in 2020. QiAnXin Threat Intelligence center identified the hacking group behind the BladeHawk campaign, which it has adopted. 

The 2 campaigns were spread through FB, via malware with built-in commercials, samples using the same C&C servers, and automated tools (SpyNote and 888 Rat). Experts found six FB profiles linked to the BladeHawk attack, distributing Android espionage. These were reported to FB and eventually taken down. 

Two FB profiles targeted tech users and the other four disguised as Pro Kurds. The profiles were made in 2020 and soon after, started distributing the fake apps. Except for one account, none of the other profiles have posted any content except Android Rat posing to be genuine applications.

"These profiles are also responsible for sharing espionage apps to Facebook public groups, most of which were supporters of Masoud Barzani, former President of the Kurdistan Region; an example can be seen in Figure 1. Altogether, the targeted groups have over 11,000 followers," reports Live Security.

Oil & Gas Targeted in Year-Long Cyber-Espionage Campaign

 

A sophisticated campaign aimed at big multinational oil and gas firms has been running for more than a year, spreading common remote access trojans (RATs) for cyber-espionage objectives, as per researchers. 

According to Intezer analysis, spear-phishing emails with malicious links are used to deploy RATs such as Agent Tesla, AZORult, Formbook, Loki, and Snake Keylogger on infected computers all with the goal of stealing confidential data, banking information, and browser information, as well as logging keyboard strokes. 

While energy corporations are the primary targets, the campaign has also targeted a few companies in the IT, industrial, and media industries, as per researchers. Its targets are primarily based in South Korea, but include companies from the United States, United Arab Emirates, and Germany, too. 

The report states, “The attack also targets oil and gas suppliers, possibly indicating that this is only the first stage in a wider campaign. In the event of a successful breach, the attacker could use the compromised email account of the recipient to send spear-phishing emails to companies that work with the supplier, thus using the established reputation of the supplier to go after more targeted entities.” 

According to Intezer, “The company is FEBC, a religious Korean Christian radio broadcaster that reaches other countries outside of South Korea, many of these countries which downplay or ban religion. One of FEBC’s goals is to subvert the religion ban in North Korea.” 

Modus Operandi of the Attack:

According to analysts, the attackers launch the attack by sending emails customized to the staff at each of the companies targeted. The email addresses of the recipients range from basic (info@target company[.]com, sales@target company[.]com) to particular persons inside organizations, implying various levels of reconnaissance. 

The email addresses used in the "From" box are typo squatted or forged to provide the impression of authenticity. They are designed to seem like emails from real organizations that the targets are familiar with. Typosquatting fools email recipients into believing that an email has been sent from a trusted entity. 

“The contents and sender of the emails are made to look like they are being sent from another company in the relevant industry offering a business partnership or opportunity,” according to Intezer. 

Other attempts to appear official include making references to executives and utilizing the physical addresses, logos, and emails of genuine organizations in the text of the emails. As per the posting, these also contain requests for quotes (RFQ), contracts, and referrals/tenders for genuine projects linked to the targeted company's business. 

The file name and icon of the attachment in the majority of these emails seem like a PDF. Intezar experts stated the goal is to make the file appear less suspicious, entice the targeted user to open and read it. An information stealer is executed when the victim opens the attachment and clicks on the files it contains. 

Intezer also highlighted that the malware's execution is fileless, meaning it is loaded into memory without generating a file on disc, in order to avoid detection by standard antivirus. 

A Social-Engineering Bonanza: 

According to experts, while the technological parts of the operation are pretty standard, cyber attackers excel when it comes to social engineering and completing their study on their targets. 

One email, for example, claimed to be from Hyundai Engineering and mentioned an actual combined cycle power plant project in Panama. The email instructs the recipient to submit a bid for the project's equipment supply and includes more data and requirements "in the attached file" (containing the malware). In addition, the communication specifies a firm deadline for proposal submissions. 

Another email examined by Intezer researchers was sent to an employee of GS E&C, a Korean contractor involved in a number of worldwide power plant projects. The email requested both technical and commercial proposals for the goods listed in the attached, which was ostensibly a material take-off (MTO) document. 

Researchers stated, “The content of the emails demonstrates that the threat actor is well-versed in business-to-business (B2B) correspondence. This extra effort made by the attacker is likely to increase the credibility of the emails and lure victims into opening the malicious attachments.”

Positive Technologies rejected accusations of the U.S. Department of the Treasury of Russia's cooperation with intelligence services

 Russian cyber security company Positive Technologies rejected the accusations of interference in the American elections, made by the U.S. Treasury Department. This was said in a statement issued by the company, which was made available on Friday, April 16.

"As a company, we reject the baseless accusations made against us by the U.S. Treasury Department: in the nearly 20-year history of our work, there is not a single fact of using the results of Positive Technologies' research activities outside the traditions of ethical information sharing with the professional information security community and transparent business conduct," the company notes.

According to the results of 2020, Positive Technologies revenue grew by 55% compared to 2019 and amounted to 5.6 billion rubles ($73.4 million). The company currently employs more than 1.1 thousand people. The firm has been creating innovative information security solutions for 18 years. Its products and services allow to identify, verify and neutralize real business risks that may arise in the IT infrastructure of enterprises. Today, more than 2,000 companies in 30 countries use the company's products. 

Recall that on April 15, the USA Ministry of Finance announced the introduction of new sanctions against Russia. Washington blacklisted 32 individuals and organizations, including six technology companies. In addition to Positive Technologies, the victims were Era military innovative technopolis, the St. Petersburg-based software developer called OOO NeoBIT, a large IT supplier of the Russian defense industry complex Advanced System Technologies (AST), the Rostov Research Institute of Specialized Computing Devices for Protection and Automation (Spetsvuzavtomatika), as well as IT- the company Pasit. They are accused of connections with the Russian special services.

After the restrictions were imposed, the U.S. Ambassador in Moscow and John Sullivan were summoned to the Russian Foreign Ministry on April 15. Russian presidential aide Yuri Ushakov outlined to him the nature of the response to the restrictions.

Moscow warned of a strong response to Washington's moves.

The Kremlin assessed the possible impact of new sanctions on the Russian economy. They stressed that the effectiveness of the country's economic bloc is internationally recognized and there is no reason to doubt it.

What is "Sunburst"? A look into the Most Serious Cyberattack in American History

 

A number of organisations have been attacked by what has been chronicled as one of the most severe acts of cyber-espionage in history named "Sunburst", the attackers breached the US Treasury, departments of homeland security, state, defence and the National Nuclear Security Administration (NNSA), part of Department of Energy responsible for safeguarding national security via the military application of nuclear science. While 4 out of 5 victims were US organisations, other targets include the UK, the UAE, Mexico, Canada, Spain, Belgium, and Israel. 
 
The attack came in the wake of the recent state-sponsored attack on the US cybersecurity firm FireEye. The company's CEO, Kevin Mandia said in his blog that the attackers primarily sought information pertaining to certain government customers.  
 
FireEye classified the attack as being 'highly sophisticated and customized; on the basis of his 25 years of experience in cybersecurity, Mandia concluded that FireEye has been attacked by a nation with world-class offensive capabilities. 

Similarly, last Sunday, the news of SolarWinds being hacked made headlines for what is being called as one of the most successful cyber attacks yet seen. As the attack crippled SolarWinds, its customers were advised to disengage the Orion Platform, which is one of the principal products of SolarWinds   used to monitor the health and performance of networks.  
 
Gauging the amplitude of the attack, the US Department of Homeland Security's Cybersecurity and Infrastructure Agency (CISA) described the security incident as a "serious threat", while other requesting for anonymity labelled it as the "the most serious hacking incident in the United State's history". The attack is ongoing and the number of affected organisations and nations will unquestionably rise. The espionage has been called as "unusual", even in this digital age.  
 
As experts were assessing how the perpetrator managed to bypass the defences of a networking software company like SolarWinds, Rick Holland came up with a theory, "We do know that SolarWinds, in their filing to the Security and Exchange Commission this week, alluded to Microsoft, which makes me think that the initial access into the SolarWinds environment was through a phishing email. So someone clicked on something they thought was benign - turned out it was not benign." 
 
Meanwhile, certain US government officials have alleged Russia for being behind these supply chain attacks, while Russia has constantly denied the allegations as the Russian Embassy wrote on Facebook, "Malicious activities in the information space contradicts the principles of the Russian foreign policy, national interests and our understanding of interstate relations,".  
 
"Russia does not conduct offensive operations in the cyber domain." The embassy added in its post to the US.

Russia considers the accusations by the Norwegian authorities of the cyber attack as a provocation

 Russia considers the accusations by the Norwegian authorities against it in the cyber attack a deliberate provocation. This statement was made on Tuesday by the Russian Embassy in Norway on Facebook.

"We regard the incident as a serious deliberate provocation that is detrimental to bilateral relations,” said the statement.

"Millions of cyber attacks are made annually on Russian state Internet resources (including foreign institutions in Norway) from abroad (for example, 77 million attacks were made on the Foreign Ministry website in January-September 2018), but this does not give the right to accuse the authorities of the countries of their possible origin,” stressed the Embassy.

They pointed out that "in May 2020, a note was sent to the Norwegian Foreign Ministry setting out the procedure for dealing with computer incidents - there are official channels for investigating them." "There was no reaction at the time, which indicates the reluctance of the Norwegian authorities to conduct a dialogue. The question is why did we create specialized response mechanisms and create a legislative framework together with European countries? We expect explanations from the Norwegian side,” said the diplomatic mission.

The head of the Federation Council for International Affairs, Konstantin Kosachev, called the Norwegian government's accusations unsubstantiated. According to him, Oslo did not offer to discuss the incident at the expert level.

Earlier on Tuesday, Norwegian Foreign Minister Ine Eriksen Soreide claimed that Russia was behind the cyber attack on the country's Parliament in August 2020.

On September 1, the Parliament of the Kingdom reported that it had been subjected to a cyber attack, as a result of which unknown hackers gained access to the email of a number of deputies and employees of the legislative body. Later, the Norwegian Police Security Service (PST) said it would investigate whether "any state" was behind the cyber attack that occurred on August 24.

Kaspersky Lab detected a new threat to user data

 Kaspersky Lab experts discovered a targeted cyber espionage campaign, where attackers infect computers with malware that collects all recent documents on the victim's device, archives them and passes them back to them.

The UEFI program is loaded before the operating system and controls all processes at an "early start". Using it, an attacker can gain full control over the computer: change the memory, disk contents, or force the operating system to run a malicious file. Neither replacing the hard drive nor reinstalling the OS will help get rid of it.

"This file is a bootloader, it communicates with the control server, collects all recent documents on the computer, archives them, and sends them back to the server. In fact, this is just espionage. Now there is information about two victims of the UEFI bootkit, as well as several victims of the campaign who encountered targeted phishing. All of them are diplomats or members of nonprofit organizations, and their activities are related to North Korea," commented Igor Kuznetsov, a leading anti-virus expert at Kaspersky Lab.

The experts also found out that the components of the UEFI bootkit are based on the Vector-EDK code - a special constructor that was created by the cyber group Hacking Team and contains instructions for creating a module for flashing UEFI. In 2015, as a result of a leak, these and other sources of the Hacking Team were freely available, which allowed attackers to create their own software.

"Be that as it may, we are dealing with a powerful, advanced tool for cyber attacks, far from every attacker can do this. However, with the appearance of ready-made working examples, there is a danger of reusing the technology, especially since the instructions for it can still be downloaded by anyone,” added Kuznetsov.

Interestingly, five years ago, Kaspersky Lab already found undetectable viruses. Then the control servers and traces of attacks of the Equation hacker group were discovered, it was associated with the American special services.

DDoS attacks from the USA, UK, Ukraine were recorded during the voting in the Russian Federation

Andrey Krutskikh, special representative of the President of Russia for international cooperation in the field of information security, said on Monday at a conference on cybersecurity that the sources of DDoS attacks on Russian government agencies during the voting on amendments to the constitution were recorded from the United States, Great Britain, Ukraine and a number of CIS countries.

He noted that in 2020, attacks with the aim of affecting critical infrastructure and electoral processes have become commonplace.

"For example, during the voting period on amendments to the Constitution of the Russian Federation (June 25 - July 1 this year), there were large-scale attacks on the infrastructure of the Central Election Commission and other state bodies of Russia. Sources of DDoS attacks with a capacity of up to 240 thousand requests per second were recorded from the United States, Great Britain, Ukraine and a number of CIS countries,” said the special representative of the President of the Russian Federation.

According to Krutskikh, in 2020, the problems that all countries face in the information space are growing like a "snowball". Thus, the volume of illegal content, including terrorist content, distributed on the Internet is increasing, and the implementation of destructive actions of states in the information space is becoming the norm.

"The concepts adopted in some countries for preemptive cyber strikes and offensive actions in the cyber sphere do not add the optimism,” stated Mr. Krutskikh.

It is interesting to note that during the six days of voting, officials reported one major attack, it occurred on the evening of June 27. Artem Kostyrko, head of the department for improving territorial administration and developing smart projects of the Moscow government, explained that hackers tried to influence the system through a service for monitoring online voting.

Chinese hackers targeted about five Russian developers of banking software

Chinese hacker group Winnti attacked at least five Russian developers of banking software, as well as a construction company. According to Positive Technologies, the names of banks and developers are not disclosed.

Positive Technologies noted that the implantation of special malicious code by hackers at the development stage potentially allows them to get access to Bank data. After the code is implemented onto the infected machine, a full-fledged backdoor is loaded to investigate the network and steal the necessary data.

Andrey Arsentiev, head of analytics and special projects at InfoWatch, explained that previously Winnti hacked industrial and high-tech companies from Taiwan and Europe through attacks on the software supply chain, but now, apparently, it has decided to switch to Russian companies.

According to him, there is a rather complex software supply chain in the financial sector, so Winnti may be interested not only in obtaining direct financial benefits but also in corporate espionage. As for the construction industry, Chinese hackers may be aimed at obtaining trade secrets, which in turn may be related to the plans of Chinese companies to expand into the Russian market. Mr. Arsentiev came to the conclusion that, in this way, hacker attacks would allow studying the strategy of potential competitors

Nikolay Murashov, deputy director of the National Coordination Center for Computer Incidents, said that organizations involved in software development and system integration accounted for about a third of all targeted attacks in the Russian Federation in recent years.

According to Mikhail Kondrashin, technical director of Trend Micro, attacks specifically on software developers for banks open up endless opportunities for subsequent attacks. The appearance of such attacks actually changes the rules of information security in the field of development: it is no longer just about developing secure code, but rather protecting the infrastructure itself.

Researchers Discover the Existence of the New APT Framework “Darkuniverse”



A new APT Framework named "DarkUniverse" was recently discovered by researchers via tips from a script that was utilized in the NSA breach in 2017 wherein the well-known hacking tools leak 'Lost in Translation' was published by shadow brokers.

Researchers believe that the "DarkUniverse" APT Framework was active in at least 8 years from 2009 until 2017, and the traces show that it's likewise tied with ItaDuke, an actor that utilized PDF exploits for dropping previously unknown malware.

There are various versions of the sample been utilized for this campaign between 2009 to 2017, and the most recent rendition of the malware utilized until 2017. The further examination uncovers that the battle is for the most part utilizing the spear-phishing emails to convey the malware through the weaponized Microsoft Office document attachment.

As indicated by Kaspersky investigate, “DarkUniverse is an interesting example of a full cyber-espionage framework used for at least eight years. The malware contains all the necessary modules for collecting all kinds of information about the user and the infected system and appears to be fully developed from scratch.”

The DarkUniverse campaign is said to gather different sensitive information including Email conversations, files from specific directories, screenshots, information from the Windows registry, sends a file to the C2, credentials from Outlook Express, Outlook, Internet Explorer, Windows Mail and more.

The malicious framework targeted on different nations including Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates and the victims included both non-military personnel and military associations.

The Czech Republic again accused Russia of hacker attacks


The representative of the Czech National Cyber and Information Security Agency (NUKIB) during a report to the Senate Defense and Security Committee stated that hacker attack on the network of the Czech Foreign Ministry in June this year was organized by a foreign state.

NUKIB on Tuesday provided the results of the investigation of a DDoS attack, which reported that the Russian GRU attacked the computer network of the Foreign Ministry. “The GRU and their hacker group APT28 / Sofacy are behind this attack.”

"The Czech Foreign Ministry was again attacked by hackers from the Russian GRU. Therefore, I understand that we are conducting an open hybrid war with Russia. This espionage should not go unanswered", — Chairman of the party "Elders and Independents" Vit Rakushan commented on the situation.

Prime Minister Andrei Babish said that the Czech Foreign Ministry should focus on strengthening the security of its computer network.

Czech Foreign Minister Tomas Petricek, in turn, said that he had already appealed to the Ministry of Finance of the Republic for additional funding for his Department. The requested funds will be used to implement measures aimed at strengthening cybersecurity. The Minister intends to inform the government about cyber attacks on the Foreign Ministry.

According to Babish, the topic of cyber attacks on the Foreign Ministry will be one of the topics of discussion at the next meeting of the State Security Council. It will take place after August 26, when the holidays of most members of the Cabinet of Ministers will end.

It was previously reported that a criminal case was opened on the fact of a cyber attack on the Foreign Ministry. Hackers didn't manage to steal secret information. They gained access only to a few e-mail boxes of employees of the Ministry, but could not hack the server through which official correspondence is carried out.

Recall that in 2016, the Czech Foreign Ministry was also subjected to hacker attacks. Then the hackers got access to 150 email addresses of employees of the Ministry. The June attack this year led to failures in the internal computer network of the Ministry of Foreign Affairs

US Government Issues Alert Warning against China Made Drones




As the Chinese-made drones pose a "cyber-espionage” threat to the American organizations and different businesses that utilize them the US government issued an alert cautioning against them.

The said warning does not allude to a particular organization or company but rather the notice included that those utilizing the flying aircraft for assignments identified with national security or critical infrastructure were at high risk.

Market-leader DJI, which represents over 70% of the US market in drones costing more than $500 said that it had found a way to keep its customers' information secure and gave a statement for the same, 

“We give customers full and complete control over how their data is collected, stored, and transmitted, for government and critical infrastructure customers that require additional assurances, we provide drones that do not transfer data to DJI or via the internet, and our customers can enable all the precautions DHS [Department of Homeland Security] recommends."

Chris Huhn, the Vice-President of business development of Yuneec - the second bestselling Chinese manufacturer - has additionally said that it gives users full control of their information.
"All our UAV [unmanned aerial vehicles] do not share telemetry or visual data with internal or external parties,"

As per CNN, which was the first to report the development, the notice was issued on Monday by the US's Cybersecurity and Infrastructure Security Agency. This cited the notice as saying,

"The United States government has strong concerns about any technology product that takes American data into the territory of an authoritarian state that permits its intelligence services to have unfettered access to that data or otherwise abuses that access,"

"China imposes unusually stringent obligations on its citizens to support national intelligence activities."


Romanian Cybersecurity firm reveals all-in-one espionage tool: RadRAT

Bitdefender, a Romanian Cybersecurity firm, has flushed out a powerful all-in-one toolkit for espionage operations dubbed “RadRAT,” which it became aware of in February this year. The toolkit is an advanced remote access tool that allows full control over seized computers.

“Buried in the malware zoo, the threat seems to have been operational since at least 2015, undocumented by the research community,” the company said in a post.

RadRAT offers powerful remote access options that allow “unfettered control of the compromised computer, lateral movement across the organization and rootkit-like detection-evasion mechanisms.”

“Powered by a vast array of features, this RAT was used in targeted attacks aimed at exfiltrating information or monitoring victims in large networked organizations,” the post read.

Apart from its data exfiltration mechanisms, it also features lateral movement mechanisms such as credentials harvesting, NTLM hash harvesting, retrieving a Windows password, and more, and its command set currently supports 92 instructions.

These commands can be used for various malicious purposes, including file or registry operations, data theft operations, network operations, operations on processes, system information, propagation, and more.

“Unfortunately, while our information about the behavior and technical implementation of this remote access toolkit is complete, we can only guess at the original infection vector, which is most likely a spear phishing e-mail or an exploit,” the cybersecurity firm wrote in its whitepaper on the toolkit.